package pl.edu.icm.unity.oauth.rp;

import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import eu.emi.security.authn.x509.X509CertChainValidator;
import eu.unicore.util.configuration.ConfigurationException;
import eu.unicore.util.configuration.DocumentationReferenceMeta;
import eu.unicore.util.configuration.DocumentationReferencePrefix;
import eu.unicore.util.configuration.PropertiesHelper;
import eu.unicore.util.configuration.PropertyMD;
import eu.unicore.util.httpclient.ServerHostnameCheckingMode;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import org.apache.log4j.Logger;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.PKIManagement;
import pl.edu.icm.unity.engine.api.token.TokensManagement;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.oauth.BaseRemoteASProperties;
import pl.edu.icm.unity.oauth.client.config.CustomProviderProperties;
import pl.edu.icm.unity.oauth.rp.verificator.InternalTokenVerificator;
import pl.edu.icm.unity.oauth.rp.verificator.MitreTokenVerificator;
import pl.edu.icm.unity.oauth.rp.verificator.TokenVerificatorProtocol;
import pl.edu.icm.unity.oauth.rp.verificator.UnityTokenVerificator;

/* loaded from: input_file:pl/edu/icm/unity/oauth/rp/OAuthRPProperties.class */
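/**
 * Configuration properties (prefix {@code unity.oauth2-rp.}) consumed by the OAuth token verificators
 * and by profile-endpoint access ({@link BaseRemoteASProperties}).
 * <p>
 * Construction validates two things: a configured client truststore name must be known to
 * {@link PKIManagement}, and a verification endpoint must be set unless the
 * {@link VerificationProtocol#internal} protocol is selected.
 * <p>
 * Instances are effectively immutable after construction ({@code validator} and {@code tokensMan}
 * are final); thread-safety of the inherited property access is that of {@link PropertiesHelper}.
 */
public class OAuthRPProperties extends PropertiesHelper implements BaseRemoteASProperties {
    /** Fallback cache lifetime in seconds, referenced by the {@link #CACHE_TIME} description. */
    public static final int DEFAULT_CACHE_TTL = 60;

    @DocumentationReferencePrefix
    public static final String PREFIX = "unity.oauth2-rp.";
    public static final String CACHE_TIME = "cacheTime";
    public static final String VERIFICATION_PROTOCOL = "verificationProtocol";
    public static final String VERIFICATION_ENDPOINT = "verificationEndpoint";
    public static final String OPENID_MODE = "openidConnectMode";
    /** Misspelled legacy key, still honoured by {@link #isSetOpenIdMode()} for backwards compatibility. */
    public static final String OPENID_MODE_WITH_TYPO = "opeinidConnectMode";
    public static final String TRANSLATION_PROFILE = "translationProfile";
    public static final String REQUIRED_SCOPES = "requiredScopes.";
    /** TLS chain validator for the verification client; null means no named truststore was configured. */
    private final X509CertChainValidator validator;
    private final TokensManagement tokensMan;
    private static final Logger log = Log.getLegacyLogger("unity.server.config", OAuthRPProperties.class);

    @DocumentationReferenceMeta
    public static final Map<String, PropertyMD> META = new HashMap<>();

    /** Token verification protocol spoken to the authorization server; selected by {@link #VERIFICATION_PROTOCOL}. */
    public enum VerificationProtocol {
        mitre,
        unity,
        internal
    }

    /**
     * Parses and validates the properties.
     *
     * @param properties raw configuration
     * @param pKIManagement source of named certificate validators (truststores)
     * @param tokensManagement token store used by the {@link VerificationProtocol#internal} verificator
     * @throws ConfigurationException if the configured truststore does not exist or cannot be obtained,
     *         or if the verification endpoint is missing for a non-internal protocol
     */
    public OAuthRPProperties(Properties properties, PKIManagement pKIManagement, TokensManagement tokensManagement) throws ConfigurationException {
        super(PREFIX, properties, META, log);
        this.tokensMan = tokensManagement;
        this.validator = resolveValidator(pKIManagement, getValue(BaseRemoteASProperties.CLIENT_TRUSTSTORE));
        VerificationProtocol protocol = getEnumValue(VERIFICATION_PROTOCOL, VerificationProtocol.class);
        // Only the internal protocol verifies tokens locally; every remote protocol needs an endpoint.
        if (protocol != VerificationProtocol.internal && !isSet(VERIFICATION_ENDPOINT)) {
            throw new ConfigurationException("The " + getKeyDescription(VERIFICATION_ENDPOINT) + " property is mandatory unless the '" + VerificationProtocol.internal + "' verification protocol is used");
        }
    }

    /**
     * Looks up the named validator in PKI management.
     *
     * @param pkiManagement validator registry
     * @param validatorName configured truststore name, may be null
     * @return the validator, or null when no truststore name is configured
     * @throws ConfigurationException if the name is unknown or the lookup fails
     */
    private static X509CertChainValidator resolveValidator(PKIManagement pkiManagement, String validatorName) throws ConfigurationException {
        if (validatorName == null) {
            return null;
        }
        try {
            if (!pkiManagement.getValidatorNames().contains(validatorName)) {
                throw new ConfigurationException("The validator " + validatorName + " for the OAuth verification client does not exist");
            }
            return pkiManagement.getValidator(validatorName);
        } catch (EngineException e) {
            throw new ConfigurationException("Can not establish the validator " + validatorName + " for the OAuth verification client", e);
        }
    }

    /**
     * Client authentication mode for the profile endpoint, falling back to the general
     * {@link BaseRemoteASProperties#CLIENT_AUTHN_MODE} when the profile-specific one is unset.
     */
    @Override
    public CustomProviderProperties.ClientAuthnMode getClientAuthModeForProfileAccess() {
        CustomProviderProperties.ClientAuthnMode profileMode = getEnumValue(BaseRemoteASProperties.CLIENT_AUTHN_MODE_FOR_PROFILE_ACCESS, CustomProviderProperties.ClientAuthnMode.class);
        if (profileMode != null) {
            return profileMode;
        }
        return getEnumValue(BaseRemoteASProperties.CLIENT_AUTHN_MODE, CustomProviderProperties.ClientAuthnMode.class);
    }

    /** HTTP method for the profile endpoint query: GET when configured so, POST otherwise. */
    @Override
    public HTTPRequest.Method getClientHttpMethodForProfileAccess() {
        CustomProviderProperties.ClientHttpMethod configured = getEnumValue(BaseRemoteASProperties.CLIENT_HTTP_METHOD_FOR_PROFILE_ACCESS, CustomProviderProperties.ClientHttpMethod.class);
        return configured == CustomProviderProperties.ClientHttpMethod.get ? HTTPRequest.Method.GET : HTTPRequest.Method.POST;
    }

    /**
     * @return the OpenID Connect mode flag, read from the deprecated misspelled key only when the
     *         correctly spelled one is absent
     */
    public boolean isSetOpenIdMode() {
        Boolean mode = isSet(OPENID_MODE) ? getBooleanValue(OPENID_MODE) : getBooleanValue(OPENID_MODE_WITH_TYPO);
        return mode.booleanValue();
    }

    /** @return the underlying raw properties held by {@link PropertiesHelper} */
    public Properties getProperties() {
        return this.properties;
    }

    /**
     * @return the chain validator for TLS connections of the verification client, or null when
     *         {@link BaseRemoteASProperties#CLIENT_TRUSTSTORE} is unset (the system truststore is then
     *         expected to be used, per the property description)
     */
    @Override
    public X509CertChainValidator getValidator() {
        return this.validator;
    }

    /**
     * @return a verificator for the configured {@link VerificationProtocol}
     * @throws IllegalStateException if the enum gains a value this switch does not cover
     */
    public TokenVerificatorProtocol getTokenChecker() {
        VerificationProtocol protocol = getEnumValue(VERIFICATION_PROTOCOL, VerificationProtocol.class);
        switch (protocol) {
            case mitre:
                return new MitreTokenVerificator(this);
            case unity:
                return new UnityTokenVerificator(this);
            case internal:
                return new InternalTokenVerificator(this.tokensMan);
            default:
                throw new IllegalStateException("Bug: unhandled protocol");
        }
    }

    static {
        META.put(CACHE_TIME, new PropertyMD().setInt().setNonNegative().setDescription("Per-token validation result cache time in seconds. If unset then the cache time will be equal to the discovered token lifetime or to 60s if it is impossible to establish the lifetime. Set to zero to disable caching."));
        META.put(BaseRemoteASProperties.PROFILE_ENDPOINT, new PropertyMD().setDescription("Location (URL) of OAuth2 provider's user's profile endpoint. It is used to obtain token issuer's attributes."));
        META.put(VERIFICATION_PROTOCOL, new PropertyMD(VerificationProtocol.unity).setDescription("OAuth token verification is not standardised. Unity supports several protocols, you can set the proper one here."));
        META.put(VERIFICATION_ENDPOINT, new PropertyMD().setDescription("OAuth token verification endpoint address."));
        META.put(BaseRemoteASProperties.CLIENT_ID, new PropertyMD().setDescription("Client identifier, used to authenticate when performing validation. If not defined then only the access token is used to authorize the call."));
        // NOTE(review): setMandatory() contradicts the "If not defined ..." clause of the description below
        // (and CLIENT_ID is optional) - confirm which of the two is intended before relying on either.
        META.put(BaseRemoteASProperties.CLIENT_SECRET, new PropertyMD().setSecret().setMandatory().setDescription("Client secret,  used to authenticate when performing validation. If not defined then only the access token is used to authorize the call."));
        META.put(BaseRemoteASProperties.CLIENT_AUTHN_MODE, new PropertyMD(CustomProviderProperties.ClientAuthnMode.secretBasic).setDescription("Defines how the client access token should be passed to the AS."));
        META.put(BaseRemoteASProperties.CLIENT_AUTHN_MODE_FOR_PROFILE_ACCESS, new PropertyMD().setDescription("Defines how the client secret and id should be passed to the provider's user's profile endpoint. If not set the clientAuthenticationMode is used"));
        META.put(BaseRemoteASProperties.CLIENT_HTTP_METHOD_FOR_PROFILE_ACCESS, new PropertyMD(CustomProviderProperties.ClientHttpMethod.get).setDescription("Http method used in query to profile endpoint"));
        META.put(REQUIRED_SCOPES, new PropertyMD().setList(false).setDescription("Optional list of scopes which must be associated with the validated access token to make the authentication successful"));
        META.put(OPENID_MODE, new PropertyMD("false").setDescription("If true then the profile is fetched from the profile endpoint with assumption that the server is working in the OpenID Connect compatible way."));
        // Description text kept verbatim (it is rendered documentation); "without type" reads as a typo for "typo".
        META.put(OPENID_MODE_WITH_TYPO, new PropertyMD("false").setDeprecated().setDescription("Use the option without type - this one is provided for backwards compatibility only."));
        // Hostname verification defaults to FAIL; relaxing it weakens TLS peer authentication of the AS.
        META.put(BaseRemoteASProperties.CLIENT_HOSTNAME_CHECKING, new PropertyMD(ServerHostnameCheckingMode.FAIL).setDescription("Controls how to react on the DNS name mismatch with the server's certificate. Unless in testing environment should be left on the default setting."));
        META.put(BaseRemoteASProperties.CLIENT_TRUSTSTORE, new PropertyMD().setDescription("Name of the truststore which should be used to validate TLS peer's certificates. If undefined then the system Java tuststore is used."));
        META.put(TRANSLATION_PROFILE, new PropertyMD().setMandatory().setDescription("Name of a translation profile, which will be used to map remotely obtained attributes and identity to the local counterparts. The profile should at least map the remote identity."));
    }
}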
