package pl.edu.icm.unity.oauth.as;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.google.gwt.thirdparty.guava.common.collect.Lists;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.ECDSASigner;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.AuthorizationCode;
import com.nimbusds.oauth2.sdk.AuthorizationSuccessResponse;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.ResponseType;
import com.nimbusds.oauth2.sdk.id.Audience;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.oauth2.sdk.id.State;
import com.nimbusds.oauth2.sdk.id.Subject;
import com.nimbusds.oauth2.sdk.token.AccessToken;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.openid.connect.sdk.AuthenticationRequest;
import com.nimbusds.openid.connect.sdk.AuthenticationSuccessResponse;
import com.nimbusds.openid.connect.sdk.OIDCResponseTypeValue;
import com.nimbusds.openid.connect.sdk.claims.ClaimsSet;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import com.nimbusds.openid.connect.sdk.claims.UserInfo;
import java.security.PrivateKey;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.RSAPrivateKey;
import java.util.Collection;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.oauth.as.OAuthSystemAttributesProvider;
import pl.edu.icm.unity.server.api.internal.TokensManagement;
import pl.edu.icm.unity.server.translation.out.TranslationResult;
import pl.edu.icm.unity.types.basic.Attribute;
import pl.edu.icm.unity.types.basic.EntityParam;
import pl.edu.icm.unity.types.basic.IdentityParam;

/* loaded from: input_file:pl/edu/icm/unity/oauth/as/OAuthProcessor.class */
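/**
 * Authorization-endpoint logic of the Unity OAuth2 / OpenID Connect authorization server.
 *
 * <p>The processor narrows the attributes released to a client, builds the UserInfo and ID token
 * claim sets, signs the ID token with the server credential and records the issued authorization
 * code and/or access token in {@link TokensManagement}. Each record is keyed by the token value,
 * carries the serialized {@link OAuthToken} state, and is given an expiry derived from the
 * configured validity so that stale codes and tokens are not kept indefinitely.
 */
public class OAuthProcessor {
    /** Internal token type under which issued authorization codes are stored. */
    public static final String INTERNAL_CODE_TOKEN = "oauth2Code";
    /** Internal token type under which issued bearer access tokens are stored. */
    public static final String INTERNAL_ACCESS_TOKEN = "oauth2Access";

    /**
     * Configured validity periods are multiplied by this factor before being added to epoch
     * milliseconds, i.e. they are interpreted as seconds. Kept as a {@code long} so the product
     * cannot overflow {@code int} for large validities.
     */
    private static final long MILLIS_PER_SECOND = 1000L;

    /**
     * Returns the translated attributes that were requested by name and that can be mapped to an
     * OAuth/OIDC claim by {@link DefaultOAuthAttributeMapper}.
     *
     * @param translationResult output translation result supplying the candidate attributes
     * @param set names of the attributes to keep; attributes with other names are dropped
     * @return attributes passing both filters, never {@code null}
     */
    public Set<Attribute<?>> filterAttributes(TranslationResult translationResult, Set<String> set) {
        Set<Attribute<?>> requested = filterNotRequestedAttributes(translationResult, set);
        return filterUnsupportedAttributes(requested);
    }

    /**
     * Builds the authorization endpoint success response for the grant flow selected in the
     * context and persists the internal state needed later by the token/userinfo endpoints.
     *
     * <p>The internal {@link OAuthToken} carries the effective scopes, client identity, redirect
     * URI, subject, validity limits, the serialized UserInfo claims and, in OpenID mode, the signed
     * ID token. It is stored under every code and access token issued here:
     * <ul>
     *   <li>authorization code flow: a fresh code stored as {@link #INTERNAL_CODE_TOKEN};</li>
     *   <li>implicit flow: a fresh bearer access token stored as {@link #INTERNAL_ACCESS_TOKEN},
     *       or only the ID token when {@code id_token} is the sole response type (nothing is
     *       persisted in that case);</li>
     *   <li>hybrid flow: a fresh code stored as {@link #INTERNAL_CODE_TOKEN} plus, when the
     *       response type contains {@code token}, a bearer access token stored as
     *       {@link #INTERNAL_ACCESS_TOKEN}.</li>
     * </ul>
     *
     * @param collection attributes already filtered for the client (see {@link #filterAttributes})
     * @param identityParam identity of the authenticated user; its value becomes the subject
     * @param oAuthAuthzContext authorization request, configuration and client data
     * @param tokensManagement store receiving the issued code / access token records
     * @return the response to redirect the user agent with, or {@code null} when the context's
     *         grant flow is none of the three handled ones (pre-existing contract; callers check)
     * @throws EngineException propagated from {@link TokensManagement}
     * @throws JsonProcessingException propagated when the internal token state is serialized
     * @throws ParseException propagated when the ID token claims are converted for signing
     * @throws JOSEException when signing the ID token fails
     */
    public AuthorizationSuccessResponse prepareAuthzResponseAndRecordInternalState(Collection<Attribute<?>> collection, IdentityParam identityParam, OAuthAuthzContext oAuthAuthzContext, TokensManagement tokensManagement) throws EngineException, JsonProcessingException, ParseException, JOSEException {
        OAuthToken internalToken = newInternalToken(identityParam, oAuthAuthzContext);
        Date issuedAt = new Date();
        ResponseType responseType = oAuthAuthzContext.getRequest().getResponseType();

        UserInfo userInfo = prepareUserInfoClaimSet(identityParam.getValue(), collection);
        internalToken.setUserInfo(userInfo.toJSONObject().toJSONString());

        // In OpenID mode the ID token is always signed and kept in the internal state, but it is
        // only returned from this endpoint when the client asked for it via response_type=id_token.
        JWT idToken = null;
        if (oAuthAuthzContext.isOpenIdMode()) {
            IDTokenClaimsSet idClaims = prepareIdInfoClaimSet(identityParam.getValue(), oAuthAuthzContext, userInfo, issuedAt);
            JWT signedIdToken = signIdToken(idClaims, oAuthAuthzContext);
            internalToken.setOpenidToken(signedIdToken.serialize());
            if (responseType.contains(OIDCResponseTypeValue.ID_TOKEN)) {
                idToken = signedIdToken;
            }
        }

        if (OAuthSystemAttributesProvider.GrantFlow.authorizationCode == oAuthAuthzContext.getFlow()) {
            return issueAuthorizationCodeResponse(internalToken, identityParam, oAuthAuthzContext, tokensManagement, issuedAt);
        }
        if (OAuthSystemAttributesProvider.GrantFlow.implicit == oAuthAuthzContext.getFlow()) {
            return issueImplicitResponse(internalToken, identityParam, oAuthAuthzContext, tokensManagement, issuedAt, idToken, responseType);
        }
        if (OAuthSystemAttributesProvider.GrantFlow.openidHybrid == oAuthAuthzContext.getFlow()) {
            return issueHybridResponse(internalToken, identityParam, oAuthAuthzContext, tokensManagement, issuedAt, idToken, responseType);
        }
        // No other grant flow is handled here. Returning null is the pre-existing contract;
        // it is kept rather than turned into an exception callers may not expect.
        return null;
    }

    /** Creates the internal token state shared by all flows, copying client and validity data from the context. */
    private static OAuthToken newInternalToken(IdentityParam identityParam, OAuthAuthzContext ctx) {
        OAuthToken token = new OAuthToken();
        token.setScope(ctx.getEffectiveRequestedScopesList());
        token.setClientId(ctx.getClientEntityId());
        token.setRedirectUri(ctx.getReturnURI().toASCIIString());
        token.setClientName(ctx.getClientName());
        token.setClientUsername(ctx.getClientUsername());
        token.setSubject(identityParam.getValue());
        token.setMaxExtendedValidity(ctx.getConfig().getMaxExtendedAccessTokenValidity());
        token.setTokenValidity(ctx.getConfig().getAccessTokenValidity());
        return token;
    }

    /** Authorization code flow: issues a fresh code, records it, and returns a plain OAuth2 code response. */
    private AuthorizationSuccessResponse issueAuthorizationCodeResponse(OAuthToken internalToken, IdentityParam identityParam, OAuthAuthzContext ctx, TokensManagement tokensManagement, Date issuedAt) throws EngineException, JsonProcessingException {
        AuthorizationCode code = new AuthorizationCode();
        internalToken.setAuthzCode(code.getValue());
        AuthorizationSuccessResponse response = new AuthorizationSuccessResponse(ctx.getReturnURI(), code, (AccessToken) null, ctx.getRequest().getState(), ctx.getRequest().impliedResponseMode());
        storeCode(code, internalToken, identityParam, ctx, tokensManagement, issuedAt);
        return response;
    }

    /**
     * Implicit flow: returns just the ID token when {@code id_token} is the only response type
     * (no state is persisted), otherwise issues and records a bearer access token.
     */
    private AuthenticationSuccessResponse issueImplicitResponse(OAuthToken internalToken, IdentityParam identityParam, OAuthAuthzContext ctx, TokensManagement tokensManagement, Date issuedAt, JWT idToken, ResponseType responseType) throws EngineException, JsonProcessingException {
        AuthenticationRequest request = ctx.getRequest();
        if (isIdTokenOnly(responseType)) {
            return new AuthenticationSuccessResponse(ctx.getReturnURI(), (AuthorizationCode) null, idToken, (AccessToken) null, request.getState(), (State) null, request.impliedResponseMode());
        }
        BearerAccessToken accessToken = new BearerAccessToken();
        internalToken.setAccessToken(accessToken.getValue());
        AuthenticationSuccessResponse response = new AuthenticationSuccessResponse(ctx.getReturnURI(), (AuthorizationCode) null, idToken, accessToken, request.getState(), (State) null, request.impliedResponseMode());
        storeAccessToken(accessToken, internalToken, identityParam, ctx, tokensManagement, issuedAt);
        return response;
    }

    /**
     * Hybrid flow: always issues and records a code; additionally issues and records a bearer
     * access token when the response type contains {@code token}.
     */
    private AuthenticationSuccessResponse issueHybridResponse(OAuthToken internalToken, IdentityParam identityParam, OAuthAuthzContext ctx, TokensManagement tokensManagement, Date issuedAt, JWT idToken, ResponseType responseType) throws EngineException, JsonProcessingException {
        AuthenticationRequest request = ctx.getRequest();
        AuthorizationCode code = new AuthorizationCode();
        internalToken.setAuthzCode(code.getValue());
        // Stored before any access token is attached, so the code record's serialized state does
        // not contain the access token value.
        storeCode(code, internalToken, identityParam, ctx, tokensManagement, issuedAt);
        AccessToken accessToken = null;
        if (responseType.contains(ResponseType.Value.TOKEN)) {
            accessToken = new BearerAccessToken();
            internalToken.setAccessToken(accessToken.getValue());
            storeAccessToken(accessToken, internalToken, identityParam, ctx, tokensManagement, issuedAt);
        }
        return new AuthenticationSuccessResponse(ctx.getReturnURI(), code, idToken, accessToken, request.getState(), (State) null, request.impliedResponseMode());
    }

    /** Records an authorization code with the configured code validity as its expiry. */
    private static void storeCode(AuthorizationCode code, OAuthToken internalToken, IdentityParam identityParam, OAuthAuthzContext ctx, TokensManagement tokensManagement, Date issuedAt) throws EngineException, JsonProcessingException {
        Date expires = expiry(issuedAt, ctx.getConfig().getCodeTokenValidity());
        tokensManagement.addToken(INTERNAL_CODE_TOKEN, code.getValue(), new EntityParam(identityParam), internalToken.getSerialized(), issuedAt, expires);
    }

    /** Records an access token with the configured access token validity as its expiry. */
    private static void storeAccessToken(AccessToken accessToken, OAuthToken internalToken, IdentityParam identityParam, OAuthAuthzContext ctx, TokensManagement tokensManagement, Date issuedAt) throws EngineException, JsonProcessingException {
        Date expires = expiry(issuedAt, ctx.getConfig().getAccessTokenValidity());
        tokensManagement.addToken(INTERNAL_ACCESS_TOKEN, accessToken.getValue(), new EntityParam(identityParam), internalToken.getSerialized(), issuedAt, expires);
    }

    /**
     * Computes {@code issuedAt + validitySeconds}. The arithmetic is done in {@code long} so a large
     * configured validity cannot overflow as an {@code int} product of seconds and 1000.
     */
    private static Date expiry(Date issuedAt, long validitySeconds) {
        return new Date(issuedAt.getTime() + validitySeconds * MILLIS_PER_SECOND);
    }

    /** True when {@code id_token} is the one and only requested response type. */
    private static boolean isIdTokenOnly(ResponseType responseType) {
        return responseType.contains(OIDCResponseTypeValue.ID_TOKEN) && responseType.size() == 1;
    }

    /**
     * Keeps only the attributes that {@link DefaultOAuthAttributeMapper} knows how to express as a
     * claim.
     *
     * @param set candidate attributes
     * @return the handled subset, never {@code null}
     */
    private Set<Attribute<?>> filterUnsupportedAttributes(Set<Attribute<?>> set) {
        DefaultOAuthAttributeMapper mapper = new DefaultOAuthAttributeMapper();
        Set<Attribute<?>> handled = new HashSet<>();
        for (Attribute<?> attribute : set) {
            if (mapper.isHandled(attribute)) {
                handled.add(attribute);
            }
        }
        return handled;
    }

    /**
     * Keeps only the translated attributes whose name appears in {@code set}.
     *
     * @param translationResult source of the candidate attributes
     * @param set attribute names to retain
     * @return the matching attributes, never {@code null}
     */
    private Set<Attribute<?>> filterNotRequestedAttributes(TranslationResult translationResult, Set<String> set) {
        Set<Attribute<?>> requested = new HashSet<>();
        for (Attribute attribute : translationResult.getAttributes()) {
            if (set.contains(attribute.getName())) {
                requested.add(attribute);
            }
        }
        return requested;
    }

    /**
     * Builds the ID token claims: issuer from the configuration, the given subject, the requesting
     * client's id as the single audience, {@code iat = date} and {@code exp = date + configured ID
     * token validity}. The nonce is copied from the request when present so the client can bind the
     * token to its request. The UserInfo claims are embedded only when {@code id_token} is the sole
     * response type, i.e. when no access token accompanies the ID token.
     *
     * <p>NOTE(review): no {@code at_hash}/{@code c_hash} claim is added for responses that also
     * carry an access token or code; confirm whether the hybrid/implicit responses built by this
     * class are expected to include them.
     *
     * @param str subject value
     * @param oAuthAuthzContext request context and configuration
     * @param claimsSet UserInfo claims to embed when the response is ID-token-only
     * @param date issue time, also the base for the expiry
     * @return the populated claims set
     */
    private IDTokenClaimsSet prepareIdInfoClaimSet(String str, OAuthAuthzContext oAuthAuthzContext, ClaimsSet claimsSet, Date date) {
        AuthenticationRequest request = oAuthAuthzContext.getRequest();
        Issuer issuer = new Issuer(oAuthAuthzContext.getConfig().getIssuerName());
        Audience audience = new Audience(request.getClientID().getValue());
        Date expires = expiry(date, oAuthAuthzContext.getConfig().getIdTokenValidity());
        IDTokenClaimsSet idClaims = new IDTokenClaimsSet(issuer, new Subject(str), Lists.newArrayList(new Audience[]{audience}), expires, date);
        if (isIdTokenOnly(request.getResponseType())) {
            idClaims.putAll(claimsSet);
        }
        if (request.getNonce() != null) {
            idClaims.setNonce(request.getNonce());
        }
        return idClaims;
    }

    /**
     * Builds the UserInfo claim set for the subject from the attributes that
     * {@link DefaultOAuthAttributeMapper} can map; each handled attribute becomes one claim under
     * the mapper's JSON key.
     *
     * @param str subject value
     * @param collection attributes to expose as claims (unhandled ones are skipped)
     * @return the populated UserInfo claims
     */
    public UserInfo prepareUserInfoClaimSet(String str, Collection<Attribute<?>> collection) {
        UserInfo userInfo = new UserInfo(new Subject(str));
        DefaultOAuthAttributeMapper mapper = new DefaultOAuthAttributeMapper();
        for (Attribute<?> attribute : collection) {
            if (mapper.isHandled(attribute)) {
                userInfo.setClaim(mapper.getJsonKey(attribute), mapper.getJsonValue(attribute));
            }
        }
        return userInfo;
    }

    /**
     * Signs the ID token with the configured credential's private key. RSA keys are signed with
     * RS256, EC keys with ES256; any other key type is rejected explicitly instead of failing with
     * a {@link ClassCastException}.
     *
     * @param iDTokenClaimsSet claims to sign
     * @param oAuthAuthzContext context providing the signing credential
     * @return the signed JWT
     * @throws JOSEException when signing fails
     * @throws ParseException when the claims cannot be converted to a JWT claims set
     * @throws IllegalArgumentException when the credential key is neither RSA nor EC
     */
    private JWT signIdToken(IDTokenClaimsSet iDTokenClaimsSet, OAuthAuthzContext oAuthAuthzContext) throws JOSEException, ParseException {
        PrivateKey key = oAuthAuthzContext.getConfig().getCredential().getKey();
        SignedJWT signedJWT;
        if (key instanceof RSAPrivateKey) {
            signedJWT = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), iDTokenClaimsSet.toJWTClaimsSet());
            signedJWT.sign(new RSASSASigner((RSAPrivateKey) key));
        } else if (key instanceof ECPrivateKey) {
            signedJWT = new SignedJWT(new JWSHeader(JWSAlgorithm.ES256), iDTokenClaimsSet.toJWTClaimsSet());
            signedJWT.sign(new ECDSASigner((ECPrivateKey) key));
        } else {
            String keyType = key == null ? "null" : key.getClass().getName();
            throw new IllegalArgumentException("Unsupported private key type for ID token signing: " + keyType);
        }
        return signedJWT;
    }
}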
