package org.apereo.cas.support.oauth.util;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.nimbusds.jwt.JWTClaimsSet;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.servlet.http.HttpServletResponse;
import lombok.Generated;
import lombok.NonNull;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.RegisteredServiceMatchingStrategy;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.services.UnauthorizedServiceException;
import org.apereo.cas.support.oauth.OAuth20Constants;
import org.apereo.cas.support.oauth.OAuth20GrantTypes;
import org.apereo.cas.support.oauth.OAuth20ResponseModeTypes;
import org.apereo.cas.support.oauth.OAuth20ResponseTypes;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.ticket.OAuth20Token;
import org.apereo.cas.token.JwtBuilder;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.crypto.CipherExecutor;
import org.apereo.cas.util.serialization.JacksonObjectMapperFactory;
import org.apereo.cas.web.flow.CasWebflowConstants;
import org.hjson.JsonValue;
import org.jooq.lambda.Unchecked;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.context.session.SessionStore;
import org.pac4j.core.credentials.Credentials;
import org.pac4j.core.credentials.UsernamePasswordCredentials;
import org.pac4j.core.credentials.extractor.BasicAuthExtractor;
import org.pac4j.core.profile.ProfileManager;
import org.pac4j.core.profile.UserProfile;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.view.json.MappingJackson2JsonView;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-oauth-core-api-6.5.5.jar:org/apereo/cas/support/oauth/util/OAuth20Utils.class */
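/**
 * Static helpers shared by the OAuth 2.0 endpoints: registered-service lookup,
 * request-parameter extraction (plain parameters and the {@code request} JWT),
 * response/grant type checks, redirect-URI and client-secret validation, and
 * error views.
 *
 * <p>Several checks in this class are deliberately permissive (they return
 * {@code true} when the service definition leaves a setting blank). Each such
 * spot is marked with a comment so that callers do not mistake a
 * {@code true} result for "explicitly authorized".
 */
public final class OAuth20Utils {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(OAuth20Utils.class);

    // Shared JSON mapper, built with singleArrayElementUnwrapped(true).
    private static final ObjectMapper MAPPER = JacksonObjectMapperFactory.builder().singleArrayElementUnwrapped(true).build().toObjectMapper();

    /**
     * Builds a JSON error view and marks the response as 400 Bad Request.
     *
     * @param httpServletResponse response whose status code is set to 400
     * @param str value stored under the {@code error} key of the JSON model
     * @return a JSON view carrying the error, with status 400
     */
    public static ModelAndView writeError(HttpServletResponse httpServletResponse, String str) {
        ModelAndView errorView = new ModelAndView(new MappingJackson2JsonView(MAPPER), CollectionUtils.wrap("error", str));
        errorView.setStatus(HttpStatus.BAD_REQUEST);
        httpServletResponse.setStatus(HttpStatus.BAD_REQUEST.value());
        return errorView;
    }

    /**
     * Finds the first registered OAuth service whose client id equals the given
     * one, ignoring case.
     *
     * @param servicesManager source of registered services
     * @param str client id to look up
     * @return the matching service, or {@code null} when the id is blank or nothing matches
     */
    public static OAuthRegisteredService getRegisteredOAuthServiceByClientId(ServicesManager servicesManager, String str) {
        if (StringUtils.isBlank(str)) {
            return null;
        }
        // Null-safe comparison: a service definition without a client id must not
        // abort the lookup with a NullPointerException; it simply never matches.
        return getRegisteredOAuthServiceByPredicate(servicesManager,
            service -> StringUtils.equalsIgnoreCase(service.getClientId(), str));
    }

    /**
     * Finds the first registered OAuth service for which {@code matches(str)} is true.
     *
     * @param servicesManager source of registered services
     * @param str redirect URI to look up
     * @return the matching service, or {@code null} when the URI is blank or nothing matches
     */
    public static OAuthRegisteredService getRegisteredOAuthServiceByRedirectUri(ServicesManager servicesManager, String str) {
        if (StringUtils.isBlank(str)) {
            return null;
        }
        // NOTE(review): only the first match is returned, so the result depends on
        // the order in which the services manager yields its services when more
        // than one definition accepts the same URI.
        return getRegisteredOAuthServiceByPredicate(servicesManager, service -> service.matches(str));
    }

    /** Returns the first OAuth registered service accepted by the predicate, or {@code null}. */
    private static OAuthRegisteredService getRegisteredOAuthServiceByPredicate(ServicesManager servicesManager, Predicate<OAuthRegisteredService> predicate) {
        return servicesManager.getAllServicesOfType(OAuthRegisteredService.class)
            .stream()
            .filter(predicate)
            .findFirst()
            .orElse(null);
    }

    /**
     * Reads each named parameter and splits its value on single spaces.
     *
     * @param collection names of the parameters to read
     * @param webContext current request
     * @return a map from parameter name to the set of its space-separated values;
     *     a parameter that is absent maps to an empty set
     */
    public static Map<String, Object> getRequestParameters(Collection<String> collection, WebContext webContext) {
        return collection.stream()
            .map(name -> {
                Set<String> values = getRequestParameter(webContext, name)
                    .map(raw -> Arrays.stream(raw.split(" ")).collect(Collectors.toSet()))
                    .orElseGet(Set::of);
                return Pair.of(name, values);
            })
            .collect(Collectors.toMap(Pair::getKey, Pair::getValue));
    }

    /**
     * Reads a single parameter as a string.
     *
     * @param webContext current request
     * @param str parameter name
     * @return the value, or empty when the parameter is absent
     */
    public static Optional<String> getRequestParameter(WebContext webContext, String str) {
        return getRequestParameter(webContext, str, String.class);
    }

    /**
     * Reads a parameter, preferring a claim of the same name inside the
     * {@code request} JWT and falling back to the plain request parameter.
     *
     * <p>The fallback also applies when a {@code request} JWT is present but does
     * not carry the claim, so a single authorization request can mix values taken
     * from the JWT with values taken from plain parameters.
     *
     * <p>NOTE(review): this class only parses the {@code request} JWT. Nothing
     * visible here verifies its signature or issuer; confirm that
     * {@code JwtBuilder.parse} or the caller does so before the claims are trusted.
     *
     * @param webContext current request
     * @param str parameter (or claim) name
     * @param cls desired type: an array type, a {@link Collection} type, or a scalar type
     * @param <T> result type
     * @return the value converted to {@code cls}, or empty when it is absent
     */
    public static <T> Optional<T> getRequestParameter(WebContext webContext, String str, Class<T> cls) {
        return webContext.getRequestParameter("request")
            // A parse failure is rethrown unchecked; a missing claim yields null,
            // which Optional.map turns into an empty Optional.
            .map(Unchecked.function(jwt -> getJwtRequestParameter(jwt, str, cls)))
            .or(() -> {
                String[] values = webContext.getRequestParameters().get(str);
                if (values == null || values.length == 0) {
                    return Optional.empty();
                }
                if (cls.isArray()) {
                    return Optional.of(cls.cast(values));
                }
                if (Collection.class.isAssignableFrom(cls)) {
                    return Optional.of(cls.cast(CollectionUtils.wrapArrayList(values)));
                }
                // Scalar request: only the first occurrence of the parameter is used.
                return Optional.of(cls.cast(values[0]));
            });
    }

    /**
     * Parses the given JWT and reads one claim from it.
     *
     * @param str serialized JWT
     * @param str2 claim name
     * @param cls desired type: an array type, a {@link Collection} type, or a scalar type
     * @param <T> result type
     * @return the claim converted to {@code cls}
     * @throws Exception when the JWT or the claim cannot be parsed
     */
    public static <T> T getJwtRequestParameter(String str, String str2, Class<T> cls) throws Exception {
        JWTClaimsSet claims = JwtBuilder.parse(str);
        if (cls.isArray()) {
            return cls.cast(claims.getStringArrayClaim(str2));
        }
        if (Collection.class.isAssignableFrom(cls)) {
            return cls.cast(claims.getStringListClaim(str2));
        }
        return cls.cast(claims.getStringClaim(str2));
    }

    /**
     * Returns the scopes named by the {@code scope} parameter.
     *
     * @param webContext current request
     * @return the requested scopes; empty when none were requested
     */
    @SuppressWarnings("unchecked")
    public static Collection<String> getRequestedScopes(WebContext webContext) {
        Map<String, Object> parameters = getRequestParameters(CollectionUtils.wrap("scope"), webContext);
        if (parameters == null || parameters.isEmpty()) {
            return new ArrayList<>(0);
        }
        // getRequestParameters stores a Set<String> under every requested name.
        return new LinkedHashSet<>((Collection<String>) parameters.get("scope"));
    }

    /**
     * Produces the service-error view with status 401.
     *
     * @return the error view
     */
    public static ModelAndView produceUnauthorizedErrorView() {
        return produceUnauthorizedErrorView(HttpStatus.UNAUTHORIZED);
    }

    /**
     * Produces the service-error view for an unauthorized service.
     *
     * @param httpStatus status to set on the view
     * @return the error view
     */
    public static ModelAndView produceUnauthorizedErrorView(HttpStatus httpStatus) {
        return produceErrorView(new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, ""), httpStatus);
    }

    /**
     * Produces the service-error view with status 401.
     *
     * @param exc exception exposed to the view
     * @return the error view
     */
    public static ModelAndView produceErrorView(Exception exc) {
        return produceErrorView(exc, HttpStatus.UNAUTHORIZED);
    }

    /**
     * Produces the service-error view with the given status.
     *
     * @param exc exception stored in the model under {@code rootCauseException}
     * @param httpStatus status to set on the view
     * @return the error view
     */
    public static ModelAndView produceErrorView(Exception exc, HttpStatus httpStatus) {
        // NOTE(review): the exception object itself is handed to the view; confirm
        // the template does not render stack traces or internal messages to clients.
        ModelAndView errorView = new ModelAndView(CasWebflowConstants.VIEW_ID_SERVICE_ERROR, CollectionUtils.wrap("rootCauseException", exc));
        errorView.setStatus(httpStatus);
        return errorView;
    }

    /**
     * Appends the authorize-callback path to a server prefix.
     *
     * @param str server prefix
     * @return the callback URL
     */
    public static String casOAuthCallbackUrl(String str) {
        return str.concat("/oauth2.0/callbackAuthorize");
    }

    /**
     * Serializes a value to JSON with the shared mapper.
     *
     * @param obj value to serialize
     * @return the JSON text
     */
    public static String toJson(Object obj) {
        // NOTE(review): writeValueAsString declares a checked JsonProcessingException
        // and this listing shows neither a throws clause nor a handler. The compiled
        // class presumably rethrows it unchecked; confirm before recompiling.
        return MAPPER.writeValueAsString(obj);
    }

    /**
     * Tells whether the response should be delivered as a form post.
     *
     * @param oAuthRegisteredService service definition, may be {@code null}
     * @param oAuth20ResponseModeTypes response mode taken from the request
     * @return {@code true} when the mode is FORM_POST or the service's response type is {@code post}
     */
    public static boolean isResponseModeTypeFormPost(OAuthRegisteredService oAuthRegisteredService, OAuth20ResponseModeTypes oAuth20ResponseModeTypes) {
        if (oAuth20ResponseModeTypes == OAuth20ResponseModeTypes.FORM_POST) {
            return true;
        }
        return oAuthRegisteredService != null
            && StringUtils.equalsIgnoreCase("post", oAuthRegisteredService.getResponseType());
    }

    /**
     * Resolves the {@code response_type} parameter to its enum value.
     *
     * @param webContext current request
     * @return the matching type; {@code CODE} when the parameter is missing or unknown
     */
    public static OAuth20ResponseTypes getResponseType(WebContext webContext) {
        String requested = requestParameterOrEmpty(webContext, "response_type");
        // An unrecognized value is not rejected here; it silently becomes CODE.
        OAuth20ResponseTypes resolved = Arrays.stream(OAuth20ResponseTypes.values())
            .filter(candidate -> candidate.getType().equalsIgnoreCase(requested))
            .findFirst()
            .orElse(OAuth20ResponseTypes.CODE);
        LOGGER.debug("OAuth response type is [{}]", resolved);
        return resolved;
    }

    /**
     * Resolves the {@code grant_type} parameter to its enum value.
     *
     * @param webContext current request
     * @return the matching type; {@code NONE} when the parameter is missing or unknown
     */
    public static OAuth20GrantTypes getGrantType(WebContext webContext) {
        String requested = requestParameterOrEmpty(webContext, "grant_type");
        OAuth20GrantTypes resolved = Arrays.stream(OAuth20GrantTypes.values())
            .filter(candidate -> candidate.getType().equalsIgnoreCase(requested))
            .findFirst()
            .orElse(OAuth20GrantTypes.NONE);
        LOGGER.debug("OAuth grant type is [{}]", resolved);
        return resolved;
    }

    /**
     * Resolves the {@code response_mode} parameter to its enum value.
     *
     * @param webContext current request
     * @return the matching mode; {@code NONE} when the parameter is missing or unknown
     */
    public static OAuth20ResponseModeTypes getResponseModeType(WebContext webContext) {
        String requested = requestParameterOrEmpty(webContext, "response_mode");
        OAuth20ResponseModeTypes resolved = Arrays.stream(OAuth20ResponseModeTypes.values())
            .filter(candidate -> candidate.getType().equalsIgnoreCase(requested))
            .findFirst()
            .orElse(OAuth20ResponseModeTypes.NONE);
        // The message used to say "response type", which made this line
        // indistinguishable from the one logged by getResponseType.
        LOGGER.debug("OAuth response mode is [{}]", resolved);
        return resolved;
    }

    /**
     * Compares a string with a grant type, ignoring case.
     *
     * @param str value to test
     * @param oAuth20GrantTypes expected grant type
     * @return {@code true} when {@code str} equals the enum constant's name
     */
    public static boolean isGrantType(String str, OAuth20GrantTypes oAuth20GrantTypes) {
        // NOTE(review): this compares against name(), whereas getGrantType and the
        // sibling isResponseType/isResponseModeType compare against getType().
        // The two differ for any constant whose type string is not its name;
        // confirm which one callers expect.
        return oAuth20GrantTypes.name().equalsIgnoreCase(str);
    }

    /**
     * Compares a string with a response type, ignoring case.
     *
     * @param str value to test
     * @param oAuth20ResponseTypes expected response type
     * @return {@code true} when {@code str} equals the type string
     */
    public static boolean isResponseType(String str, OAuth20ResponseTypes oAuth20ResponseTypes) {
        return oAuth20ResponseTypes.getType().equalsIgnoreCase(str);
    }

    /**
     * Compares a string with a response mode, ignoring case.
     *
     * @param str value to test
     * @param oAuth20ResponseModeTypes expected response mode
     * @return {@code true} when {@code str} equals the type string
     */
    public static boolean isResponseModeType(String str, OAuth20ResponseModeTypes oAuth20ResponseModeTypes) {
        return oAuth20ResponseModeTypes.getType().equalsIgnoreCase(str);
    }

    /**
     * Checks the requested {@code response_type} against the service definition.
     *
     * @param webContext current request
     * @param oAuthRegisteredService service definition
     * @return {@code true} when the type is listed, or when the service lists none
     */
    public static boolean isAuthorizedResponseTypeForService(WebContext webContext, OAuthRegisteredService oAuthRegisteredService) {
        Collection<String> supported = oAuthRegisteredService.getSupportedResponseTypes();
        if (supported == null || supported.isEmpty()) {
            // Fail-open by design: a definition without response types allows all
            // of them. The warning below is the only trace of that decision.
            LOGGER.warn("Registered service [{}] does not define any authorized/supported response types. It is STRONGLY recommended that you authorize and assign response types to the service definition. While just a warning for now, this behavior will be enforced by CAS in future versions.", oAuthRegisteredService.getName());
            return true;
        }
        String requested = requestParameterOrEmpty(webContext, "response_type");
        if (supported.stream().anyMatch(type -> type.equalsIgnoreCase(requested))) {
            return true;
        }
        LOGGER.warn("Response type not authorized for service: [{}] not listed in supported response types: [{}]", requested, supported);
        return false;
    }

    /**
     * Checks a grant type against the service definition.
     *
     * @param str grant type to check
     * @param oAuthRegisteredService service definition
     * @return {@code true} when the type is listed, or when the service lists none
     */
    public static boolean isAuthorizedGrantTypeForService(String str, OAuthRegisteredService oAuthRegisteredService) {
        Collection<String> supported = oAuthRegisteredService.getSupportedGrantTypes();
        if (supported == null || supported.isEmpty()) {
            // Fail-open by design: a definition without grant types allows all of them.
            LOGGER.warn("Registered service [{}] does not define any authorized/supported grant types. It is STRONGLY recommended that you authorize and assign grant types to the service definition. While just a warning for now, this behavior will be enforced by CAS in future versions.", oAuthRegisteredService.getName());
            return true;
        }
        LOGGER.debug("Checking grant type [{}] against supported grant types [{}]", str, supported);
        return supported.stream().anyMatch(type -> type.equalsIgnoreCase(str));
    }

    /**
     * Checks the requested {@code grant_type} against the service definition.
     *
     * @param webContext current request
     * @param oAuthRegisteredService service definition
     * @return {@code true} when the type is listed, or when the service lists none
     */
    public static boolean isAuthorizedGrantTypeForService(WebContext webContext, OAuthRegisteredService oAuthRegisteredService) {
        return isAuthorizedGrantTypeForService(requestParameterOrEmpty(webContext, "grant_type"), oAuthRegisteredService);
    }

    /**
     * Splits the {@code scope} parameter on single spaces.
     *
     * @param webContext current request
     * @return the scopes; empty when the parameter is absent
     */
    public static Set<String> parseRequestScopes(WebContext webContext) {
        Optional<String> scope = getRequestParameter(webContext, "scope");
        if (scope.isEmpty()) {
            return new HashSet<>(0);
        }
        return CollectionUtils.wrapSet(scope.get().split(" "));
    }

    /**
     * Reads the {@code service} request header, falling back to {@code X-service}.
     *
     * @param webContext current request
     * @return the header value, or an empty string when neither header is present
     */
    public static String getServiceRequestHeaderIfAny(WebContext webContext) {
        return webContext.getRequestHeader("service")
            .or(() -> webContext.getRequestHeader("X-".concat("service")))
            .orElse("");
    }

    /**
     * Validates a redirect URI against the service's matching strategy.
     *
     * @param registeredService service definition; must not be {@code null}
     * @param str redirect URI supplied by the client
     * @return {@code true} only when a matching strategy exists and accepts the URI
     * @throws NullPointerException when {@code registeredService} is {@code null}
     */
    public static boolean checkCallbackValid(@NonNull RegisteredService registeredService, String str) {
        if (registeredService == null) {
            throw new NullPointerException("registeredService is marked non-null but is null");
        }
        // Fails closed: a definition without a matching strategy rejects every URI.
        RegisteredServiceMatchingStrategy strategy = registeredService.getMatchingStrategy();
        if (strategy != null && strategy.matches(registeredService, str)) {
            return true;
        }
        LOGGER.error("Unsupported [{}]: [{}] does not match what is defined for registered service: [{}]. Service is considered unauthorized. Verify the service matching strategy used in the service definition is correct and does in fact match the client [{}]", "redirect_uri", str, registeredService.getServiceId(), str);
        return false;
    }

    /**
     * Compares the secret presented by a client with the one on the service definition.
     *
     * @param oAuthRegisteredService service definition
     * @param str secret presented by the client
     * @param cipherExecutor decoder applied to the stored secret before comparison
     * @return {@code true} when the secrets match, or when the service defines no secret
     */
    public static boolean checkClientSecret(OAuthRegisteredService oAuthRegisteredService, String str, CipherExecutor<Serializable, String> cipherExecutor) {
        // NOTE(review): this logs the service's toString(); confirm that it does not
        // render the client secret when debug logging is enabled.
        LOGGER.debug("Found: [{}] in secret check", oAuthRegisteredService);
        String storedSecret = oAuthRegisteredService.getClientSecret();
        if (StringUtils.isBlank(storedSecret)) {
            // Fail-open by design: a service without a secret accepts any (or no)
            // presented secret. Callers that require a confidential client should
            // test doesServiceNeedAuthentication first.
            LOGGER.debug("The client secret is not defined for the registered service [{}]", oAuthRegisteredService.getName());
            return true;
        }
        String decodedSecret = cipherExecutor.decode(storedSecret, new Object[]{oAuthRegisteredService});
        // A null on either side is a mismatch. The former StringUtils.equals call
        // treated null == null as a match, so a decode that yields null combined
        // with a request carrying no secret would have passed.
        // MessageDigest.isEqual keeps the comparison time independent of the
        // position of the first differing byte.
        boolean matches = decodedSecret != null
            && str != null
            && MessageDigest.isEqual(decodedSecret.getBytes(StandardCharsets.UTF_8), str.getBytes(StandardCharsets.UTF_8));
        if (matches) {
            return true;
        }
        LOGGER.error("Wrong client secret for service: [{}]", oAuthRegisteredService.getServiceId());
        return false;
    }

    /**
     * Tells whether a response type is one of the expected ones.
     *
     * @param str response type to check
     * @param oAuth20ResponseTypesArr accepted response types
     * @return {@code true} when {@code str} matches any accepted type, ignoring case
     */
    public static boolean checkResponseTypes(String str, OAuth20ResponseTypes... oAuth20ResponseTypesArr) {
        LOGGER.debug("Response type: [{}]", str);
        boolean supported = Stream.of(oAuth20ResponseTypesArr).anyMatch(expected -> isResponseType(str, expected));
        if (!supported) {
            LOGGER.error("Unsupported response type: [{}]", str);
        }
        return supported;
    }

    /**
     * Reads the {@code client_id} attribute of an authenticated profile.
     *
     * @param userProfile authenticated profile
     * @return the first {@code client_id} value as a string, or {@code null} when
     *     the attribute is missing or holds no value
     */
    public static String getClientIdFromAuthenticatedProfile(UserProfile userProfile) {
        Map<String, Object> attributes = new HashMap<>(userProfile.getAttributes());
        if (!attributes.containsKey("client_id")) {
            return null;
        }
        ArrayList<?> values = (ArrayList<?>) CollectionUtils.toCollection(attributes.get("client_id"), ArrayList.class);
        // An attribute that is present but empty is reported as "no client id"
        // instead of failing with an IndexOutOfBoundsException.
        if (values == null || values.isEmpty() || values.get(0) == null) {
            return null;
        }
        return values.get(0).toString();
    }

    /**
     * Parses the {@code claims} parameter (Hjson or JSON) into a map.
     *
     * @param webContext current request
     * @return the parsed claims; empty when the parameter is blank
     * @throws Exception when the value cannot be parsed
     */
    public static Map<String, Map<String, Object>> parseRequestClaims(WebContext webContext) throws Exception {
        String claims = requestParameterOrEmpty(webContext, "claims");
        if (StringUtils.isBlank(claims)) {
            return new HashMap<>(0);
        }
        // The nested shape is not validated here: the client controls this value,
        // so an entry that is not a JSON object surfaces later as a
        // ClassCastException at the point where it is used as a Map.
        @SuppressWarnings("unchecked")
        Map<String, Map<String, Object>> parsed = MAPPER.readValue(JsonValue.readHjson(claims).toString(), Map.class);
        return parsed;
    }

    /**
     * Returns the names of the userinfo claims recorded on a token.
     *
     * @param oAuth20Token token carrying the claims
     * @return the claim names; empty when the token has no userinfo claims
     */
    public static Set<String> parseUserInfoRequestClaims(OAuth20Token oAuth20Token) {
        return oAuth20Token.getClaims().getOrDefault(OAuth20Constants.CLAIMS_USERINFO, new HashMap<>(0)).keySet();
    }

    /**
     * Returns the names of the userinfo claims named by the {@code claims} parameter.
     *
     * @param webContext current request
     * @return the claim names; empty when none were requested
     * @throws Exception when the {@code claims} parameter cannot be parsed
     */
    public static Set<String> parseUserInfoRequestClaims(WebContext webContext) throws Exception {
        return parseRequestClaims(webContext).getOrDefault(OAuth20Constants.CLAIMS_USERINFO, new HashMap<>(0)).keySet();
    }

    /**
     * Extracts the client credentials from the request.
     *
     * <p>HTTP Basic credentials win when present; otherwise the
     * {@code client_id} and {@code client_secret} parameters are used.
     *
     * @param webContext current request
     * @param sessionStore session store handed to the Basic-auth extractor
     * @return a pair of (client id, client secret); missing parameters become empty strings
     */
    public static Pair<String, String> getClientIdAndClientSecret(WebContext webContext, SessionStore sessionStore) {
        Optional<Credentials> basicCredentials = new BasicAuthExtractor().extract(webContext, sessionStore);
        if (basicCredentials.isPresent()) {
            UsernamePasswordCredentials credentials = (UsernamePasswordCredentials) basicCredentials.get();
            return Pair.of(credentials.getUsername(), credentials.getPassword());
        }
        // NOTE(review): the parameter lookup presumably does not distinguish the
        // request body from the query string (confirm). A client_secret sent in
        // the URL tends to end up in access logs and browser history.
        String clientId = requestParameterOrEmpty(webContext, "client_id");
        String clientSecret = requestParameterOrEmpty(webContext, "client_secret");
        return Pair.of(clientId, clientSecret);
    }

    /**
     * Returns the authenticated profile bound to the request.
     *
     * @param webContext current request
     * @param sessionStore session store to read the profile from
     * @return the profile
     * @throws IllegalArgumentException when no profile is available
     */
    public static UserProfile getAuthenticatedUserProfile(WebContext webContext, SessionStore sessionStore) {
        return new ProfileManager(webContext, sessionStore)
            .getProfile()
            .orElseThrow(() -> new IllegalArgumentException("Unable to determine the user profile from the context"));
    }

    /**
     * Tells whether the service must authenticate with a secret.
     *
     * @param oAuthRegisteredService service definition
     * @return {@code true} when the service defines a non-blank client secret
     */
    public static boolean doesServiceNeedAuthentication(OAuthRegisteredService oAuthRegisteredService) {
        return StringUtils.isNotBlank(oAuthRegisteredService.getClientSecret());
    }

    /** Reads a string parameter, substituting an empty string when it is absent. */
    private static String requestParameterOrEmpty(WebContext webContext, String name) {
        return getRequestParameter(webContext, name).orElse("");
    }

    @Generated
    private OAuth20Utils() {
        throw new UnsupportedOperationException("This is a utility class and cannot be instantiated");
    }
}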
