package org.mitre.discovery.web;

import com.google.common.base.Function;
import com.google.common.base.Strings;
import com.google.common.collect.Collections2;
import com.google.common.collect.Lists;
import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.JWSAlgorithm;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.mitre.discovery.util.WebfingerURLNormalizer;
import org.mitre.jwt.encryption.service.JWTEncryptionAndDecryptionService;
import org.mitre.jwt.signer.service.JWTSigningAndValidationService;
import org.mitre.oauth2.model.PKCEAlgorithm;
import org.mitre.oauth2.model.RegisteredClientFields;
import org.mitre.oauth2.service.SystemScopeService;
import org.mitre.oauth2.token.ChainedTokenGranter;
import org.mitre.oauth2.token.DeviceTokenGranter;
import org.mitre.oauth2.web.DeviceEndpoint;
import org.mitre.oauth2.web.IntrospectionEndpoint;
import org.mitre.oauth2.web.RevocationEndpoint;
import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
import org.mitre.openid.connect.model.DefaultUserInfo;
import org.mitre.openid.connect.service.UserInfoService;
import org.mitre.openid.connect.view.HttpCodeView;
import org.mitre.openid.connect.view.JsonEntityView;
import org.mitre.openid.connect.web.DynamicClientRegistrationEndpoint;
import org.mitre.openid.connect.web.EndSessionEndpoint;
import org.mitre.openid.connect.web.JWKSetPublishingEndpoint;
import org.mitre.openid.connect.web.UserInfoEndpoint;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader;
import org.springframework.http.HttpStatus;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.servlet.i18n.LocaleChangeInterceptor;
import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

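/**
 * Serves the two unauthenticated OpenID Connect discovery documents:
 * <ul>
 *   <li>{@code /.well-known/webfinger} – resolves an {@code acct:} resource (or the
 *       issuer itself) to this issuer, answering 404 when the account is unknown;</li>
 *   <li>{@code /.well-known/openid-configuration} – publishes the provider metadata
 *       (endpoint URLs, supported algorithms, grant types, claims).</li>
 * </ul>
 * Both responses are derived from the configured issuer URL and the injected
 * scope, signing, encryption and user services; nothing here performs
 * authentication. Because WebFinger returns 200 for known accounts and 404
 * otherwise, the endpoint necessarily reveals which accounts exist.
 */
@Controller
/* loaded from: input_file:WEB-INF/lib/openid-connect-server-1.3.4.jar:org/mitre/discovery/web/DiscoveryEndpoint.class */
public class DiscoveryEndpoint {
    public static final String WELL_KNOWN_URL = ".well-known";
    public static final String OPENID_CONFIGURATION_URL = ".well-known/openid-configuration";
    public static final String WEBFINGER_URL = ".well-known/webfinger";
    private static final Logger logger = LoggerFactory.getLogger((Class<?>) DiscoveryEndpoint.class);

    /** The only {@code rel} value this WebFinger endpoint is meant to answer. */
    private static final String OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer";

    /** URI scheme of a WebFinger account resource ({@code acct:user@host}). */
    private static final String ACCT_SCHEME = "acct";

    @Autowired
    private ConfigurationPropertiesBean config;

    @Autowired
    private SystemScopeService scopeService;

    // Injected but not consulted when building the discovery document; the
    // advertised signing algorithms are the fixed lists below, not what the
    // signer actually supports.
    @Autowired
    private JWTSigningAndValidationService signService;

    @Autowired
    private JWTEncryptionAndDecryptionService encService;

    @Autowired
    private UserInfoService userService;

    /** Maps a JOSE algorithm to its registered name; {@code null} stays {@code null}. */
    private Function<Algorithm, String> toAlgorithmName = new Function<Algorithm, String>() { // from class: org.mitre.discovery.web.DiscoveryEndpoint.1
        @Override // com.google.common.base.Function, java.util.function.Function
        public String apply(Algorithm algorithm) {
            return algorithm == null ? null : algorithm.getName();
        }
    };

    /**
     * Handles a WebFinger lookup.
     *
     * <p>The resource is accepted when it equals the configured issuer, or when it
     * normalises to an {@code acct:} URI whose user part resolves to a known account.
     * The host of the resource is only compared against the issuer's host on the
     * username-lookup path; a successful e-mail lookup skips that comparison.
     *
     * @param str   the {@code resource} query parameter (required)
     * @param str2  the {@code rel} query parameter (optional); any value other than the
     *              OIDC issuer relation is still answered, but logged
     * @param model receives {@code resource} and {@code issuer} for the WebFinger view,
     *              or an HTTP status for the status-only view
     * @return the WebFinger view name, or {@link HttpCodeView#VIEWNAME} with a 404
     */
    @RequestMapping(value = {"/.well-known/webfinger"}, produces = {"application/json"})
    public String webfinger(@RequestParam("resource") String str, @RequestParam(value = "rel", required = false) String str2, Model model) {
        if (!Strings.isNullOrEmpty(str2) && !str2.equals(OIDC_ISSUER_REL)) {
            // Both query parameters are caller-controlled; they are logged verbatim,
            // so log consumers should not treat these entries as trusted structure.
            logger.warn("Responding to webfinger request for non-OIDC relation: {}", str2);
        }
        if (!str.equals(this.config.getIssuer())) {
            UriComponents resource = WebfingerURLNormalizer.normalizeResource(str);
            // Only acct: resources are resolvable to a local account.
            if (resource == null || !ACCT_SCHEME.equals(resource.getScheme())) {
                logger.info("Unknown URI format: {}", str);
                return notFound(model);
            }
            String user = resource.getUserInfo();
            String host = resource.getHost();
            if (this.userService.getByEmailAddress(user + "@" + host) == null) {
                if (this.userService.getByUsername(user) == null) {
                    logger.info("User not found: {}", str);
                    return notFound(model);
                }
                // NOTE(review): the host check is reached only when the e-mail lookup
                // failed and the username lookup succeeded; a resource for a foreign
                // host whose user part matches a local e-mail address is accepted
                // without this comparison — confirm that is intended.
                UriComponents issuerUri = UriComponentsBuilder.fromHttpUrl(this.config.getIssuer()).build();
                if (!Strings.nullToEmpty(issuerUri.getHost()).equals(Strings.nullToEmpty(host))) {
                    logger.info("Host mismatch, expected {} got {}", issuerUri.getHost(), host);
                    return notFound(model);
                }
            }
        }
        model.addAttribute("resource", str);
        model.addAttribute("issuer", this.config.getIssuer());
        return "webfingerView";
    }

    /**
     * Puts an HTTP 404 on the model and selects the status-only view.
     *
     * @param model the request model to mark
     * @return {@link HttpCodeView#VIEWNAME}
     */
    private static String notFound(Model model) {
        model.addAttribute(HttpCodeView.CODE, HttpStatus.NOT_FOUND);
        return HttpCodeView.VIEWNAME;
    }

    /**
     * Builds the OpenID Provider configuration document.
     *
     * <p>Endpoint URLs are formed from the issuer with a trailing slash appended when
     * missing; the {@code issuer} claim itself is published exactly as configured.
     * The algorithm lists are fixed here rather than read from the signing service;
     * {@code none} is advertised both as an ID-token signing algorithm and as a
     * token-endpoint authentication method, so whether a given client may actually
     * use them is decided by the registration and token code, not by this document.
     *
     * @param model receives the metadata map under {@link JsonEntityView#ENTITY}
     * @return {@link JsonEntityView#VIEWNAME}
     */
    @RequestMapping({"/.well-known/openid-configuration"})
    public String providerConfiguration(Model model) {
        String issuer = this.config.getIssuer();
        if (!issuer.endsWith("/")) {
            logger.debug("Configured issuer doesn't end in /, adding for discovery: {}", issuer);
            issuer = issuer.concat("/");
        }

        // Signing algorithms advertised for userinfo, request objects and
        // token-endpoint client assertions.
        List<JWSAlgorithm> signingAlgs = Lists.newArrayList(
                JWSAlgorithm.HS256, JWSAlgorithm.HS384, JWSAlgorithm.HS512,
                JWSAlgorithm.RS256, JWSAlgorithm.RS384, JWSAlgorithm.RS512,
                JWSAlgorithm.ES256, JWSAlgorithm.ES384, JWSAlgorithm.ES512,
                JWSAlgorithm.PS256, JWSAlgorithm.PS384, JWSAlgorithm.PS512);
        // ID tokens additionally allow the unsigned "none" algorithm.
        List<Algorithm> idTokenSigningAlgs = Lists.newArrayList(
                JWSAlgorithm.HS256, JWSAlgorithm.HS384, JWSAlgorithm.HS512,
                JWSAlgorithm.RS256, JWSAlgorithm.RS384, JWSAlgorithm.RS512,
                JWSAlgorithm.ES256, JWSAlgorithm.ES384, JWSAlgorithm.ES512,
                JWSAlgorithm.PS256, JWSAlgorithm.PS384, JWSAlgorithm.PS512,
                Algorithm.NONE);
        List<String> grantTypes = Lists.newArrayList(
                "authorization_code", "implicit",
                "urn:ietf:params:oauth:grant-type:jwt-bearer",
                "client_credentials",
                ChainedTokenGranter.GRANT_TYPE,
                DeviceTokenGranter.GRANT_TYPE,
                OAuth2AccessToken.REFRESH_TOKEN);

        Map<String, Object> metadata = new HashMap<>();
        metadata.put("issuer", this.config.getIssuer());
        metadata.put("authorization_endpoint", issuer + "authorize");
        metadata.put("token_endpoint", issuer + "token");
        metadata.put("userinfo_endpoint", issuer + UserInfoEndpoint.URL);
        metadata.put("end_session_endpoint", issuer + EndSessionEndpoint.URL);
        metadata.put(RegisteredClientFields.JWKS_URI, issuer + JWKSetPublishingEndpoint.URL);
        metadata.put("registration_endpoint", issuer + DynamicClientRegistrationEndpoint.URL);
        // Only unrestricted scopes are published; restricted ones stay private.
        metadata.put("scopes_supported", this.scopeService.toStrings(this.scopeService.getUnrestricted()));
        metadata.put("response_types_supported", Lists.newArrayList("code", "token"));
        metadata.put("grant_types_supported", grantTypes);
        metadata.put("subject_types_supported", Lists.newArrayList("public", "pairwise"));
        metadata.put("userinfo_signing_alg_values_supported", Collections2.transform(signingAlgs, this.toAlgorithmName));
        metadata.put("userinfo_encryption_alg_values_supported", Collections2.transform(this.encService.getAllEncryptionAlgsSupported(), this.toAlgorithmName));
        metadata.put("userinfo_encryption_enc_values_supported", Collections2.transform(this.encService.getAllEncryptionEncsSupported(), this.toAlgorithmName));
        metadata.put("id_token_signing_alg_values_supported", Collections2.transform(idTokenSigningAlgs, this.toAlgorithmName));
        metadata.put("id_token_encryption_alg_values_supported", Collections2.transform(this.encService.getAllEncryptionAlgsSupported(), this.toAlgorithmName));
        metadata.put("id_token_encryption_enc_values_supported", Collections2.transform(this.encService.getAllEncryptionEncsSupported(), this.toAlgorithmName));
        metadata.put("request_object_signing_alg_values_supported", Collections2.transform(signingAlgs, this.toAlgorithmName));
        metadata.put("request_object_encryption_alg_values_supported", Collections2.transform(this.encService.getAllEncryptionAlgsSupported(), this.toAlgorithmName));
        metadata.put("request_object_encryption_enc_values_supported", Collections2.transform(this.encService.getAllEncryptionEncsSupported(), this.toAlgorithmName));
        metadata.put("token_endpoint_auth_methods_supported", Lists.newArrayList("client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt", "none"));
        metadata.put("token_endpoint_auth_signing_alg_values_supported", Collections2.transform(signingAlgs, this.toAlgorithmName));
        metadata.put("claim_types_supported", Lists.newArrayList("normal"));
        metadata.put("claims_supported", Lists.newArrayList(
                "sub", "name", "preferred_username", "given_name", "family_name", "middle_name", "nickname",
                "profile", "picture", "website", "gender", "zoneinfo", "locale", "updated_at", "birthdate",
                DefaultUserInfo.PARAM_EMAIL, "email_verified", "phone_number", "phone_number_verified", "address"));
        metadata.put("service_documentation", issuer + "about");
        metadata.put("claims_parameter_supported", false);
        metadata.put("request_parameter_supported", true);
        metadata.put("request_uri_parameter_supported", false);
        metadata.put("require_request_uri_registration", false);
        metadata.put("op_policy_uri", issuer + "about");
        metadata.put("op_tos_uri", issuer + "about");
        metadata.put("introspection_endpoint", issuer + IntrospectionEndpoint.URL);
        metadata.put("revocation_endpoint", issuer + RevocationEndpoint.URL);
        metadata.put("code_challenge_methods_supported", Lists.newArrayList(PKCEAlgorithm.plain.getName(), PKCEAlgorithm.S256.getName()));
        metadata.put("device_authorization_endpoint", issuer + DeviceEndpoint.URL);

        model.addAttribute(JsonEntityView.ENTITY, metadata);
        return JsonEntityView.VIEWNAME;
    }
}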
