package org.mitre.openid.connect;

import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.gson.JsonParseException;
import com.google.gson.JsonParser;
import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.ReadOnlyJWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.io.Serializable;
import java.text.ParseException;
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import org.mitre.jwt.encryption.service.JwtEncryptionAndDecryptionService;
import org.mitre.jwt.signer.service.JwtSigningAndValidationService;
import org.mitre.jwt.signer.service.impl.JWKSetCacheService;
import org.mitre.jwt.signer.service.impl.SymmetricCacheService;
import org.mitre.oauth2.model.ClientDetailsEntity;
import org.mitre.oauth2.service.ClientDetailsEntityService;
import org.mitre.oauth2.service.SystemScopeService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
import org.springframework.security.oauth2.common.util.OAuth2Utils;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.DefaultOAuth2RequestFactory;
import org.springframework.stereotype.Component;

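/**
 * OAuth2 request factory extended with the OpenID Connect authorization
 * parameters ({@code prompt}, {@code nonce}, {@code claims}, {@code max_age})
 * and the {@code request} parameter that carries a JWT request object.
 *
 * <p>Trust boundary: every value in the incoming parameter map, and every
 * claim inside the request object, is attacker-controlled until the request
 * object has been checked against the client's registered
 * {@code request_object_signing_alg} and key material. Only after that check
 * are request-object claims allowed to override the plain query parameters.
 */
@Component("connectOAuth2RequestFactory")
public class ConnectOAuth2RequestFactory extends DefaultOAuth2RequestFactory {

    private static final Logger logger = LoggerFactory.getLogger(ConnectOAuth2RequestFactory.class);

    // Parameter names shared by the query string and the request-object claims.
    private static final String CLIENT_ID = "client_id";
    private static final String SCOPE = "scope";
    private static final String STATE = "state";
    private static final String REDIRECT_URI = "redirect_uri";
    private static final String RESPONSE_TYPE = "response_type";
    private static final String PROMPT = "prompt";
    private static final String NONCE = "nonce";
    private static final String CLAIMS = "claims";
    private static final String MAX_AGE = "max_age";
    private static final String DISPLAY = "display";
    private static final String REQUEST = "request";
    private static final String CSRF = "csrf";

    private final ClientDetailsEntityService clientDetailsService;

    /** Resolves a signature validator from a client's registered JWKS URI. */
    @Autowired
    private JWKSetCacheService validators;

    /** Resolves an HMAC validator for a client (keyed on its client secret). */
    @Autowired
    private SymmetricCacheService symmetricCacheService;

    /** Injected but not referenced by this class. */
    @Autowired
    private SystemScopeService systemScopes;

    /** Decrypts request objects encrypted to this server. */
    @Autowired
    private JwtEncryptionAndDecryptionService encryptionService;

    private final JsonParser parser;

    /**
     * @param clientDetailsEntityService client lookup used both by the Spring
     *     base class and by the request-object checks in this class
     */
    @Autowired
    public ConnectOAuth2RequestFactory(ClientDetailsEntityService clientDetailsEntityService) {
        super(clientDetailsEntityService);
        this.clientDetailsService = clientDetailsEntityService;
        this.parser = new JsonParser();
    }

    /**
     * Builds an {@link AuthorizationRequest} from the raw authorization
     * endpoint parameters, folding in the OpenID Connect extensions and, when
     * a {@code request} parameter is present, the verified request object.
     *
     * @param map raw, untrusted query parameters
     * @return the assembled request, with a fresh {@code csrf} extension
     * @throws InvalidClientException if a request object is present but fails
     *     the client / algorithm / signature checks
     */
    @Override
    public AuthorizationRequest createAuthorizationRequest(Map<String, String> map) {
        AuthorizationRequest request = new AuthorizationRequest(
                map,
                Collections.<String, String>emptyMap(),
                map.get(CLIENT_ID),
                OAuth2Utils.parseParameterList(map.get(SCOPE)),
                null,   // resource ids
                null,   // authorities
                false,  // not yet approved
                map.get(STATE),
                map.get(REDIRECT_URI),
                OAuth2Utils.parseParameterList(map.get(RESPONSE_TYPE)));

        copyExtension(map, request, PROMPT);
        copyExtension(map, request, NONCE);
        if (map.containsKey(CLAIMS)) {
            JsonObject claimRequest = parseClaimRequest(map.get(CLAIMS));
            if (claimRequest != null) {
                request.getExtensions().put(CLAIMS, claimRequest.toString());
            }
        }
        copyExtension(map, request, MAX_AGE);

        if (map.containsKey(REQUEST)) {
            request.getExtensions().put(REQUEST, map.get(REQUEST));
            // May throw InvalidClientException; a merely unparseable request
            // object is logged and ignored (see processRequestObject).
            processRequestObject(map.get(REQUEST), request);
        }

        applyClientDefaults(request);

        // Per-request anti-CSRF token; UUID.randomUUID() is backed by SecureRandom.
        request.getExtensions().put(CSRF, UUID.randomUUID().toString());
        return request;
    }

    /** Copies a query parameter into the request extensions if it was sent. */
    private static void copyExtension(Map<String, String> map, AuthorizationRequest request, String name) {
        if (map.containsKey(name)) {
            request.getExtensions().put(name, map.get(name));
        }
    }

    /**
     * Fills in the client's registered scopes and default {@code max_age} when
     * the request did not supply them. Lookup failures are logged, not fatal,
     * so the later client validation can report them properly.
     */
    private void applyClientDefaults(AuthorizationRequest request) {
        if (request.getClientId() == null) {
            return;
        }
        try {
            ClientDetailsEntity client = clientDetailsService.loadClientByClientId(request.getClientId());
            if (client == null) {
                return;
            }
            if (request.getScope() == null || request.getScope().isEmpty()) {
                request.setScope(client.getScope());
            }
            if (request.getExtensions().get(MAX_AGE) == null && client.getDefaultMaxAge() != null) {
                request.getExtensions().put(MAX_AGE, client.getDefaultMaxAge().toString());
            }
        } catch (OAuth2Exception e) {
            logger.error("Caught OAuth2 exception trying to test client scopes and max age:", e);
        }
    }

    /**
     * Verifies a JWT request object and merges its claims into the request.
     *
     * <p>A request object that does not parse at all is logged and ignored
     * (the plain query parameters then stand on their own); one that parses
     * but fails the client/algorithm/signature checks is rejected with
     * {@link InvalidClientException}.
     * NOTE(review): silently ignoring an unparseable request object is
     * lenient; OpenID Connect expects an invalid_request_object error here.
     *
     * @param jwtString compact-serialized JWT from the {@code request} parameter
     * @param request the request being assembled; may have its client id,
     *     response types, redirect URI, state, scope and extensions overwritten
     */
    private void processRequestObject(String jwtString, AuthorizationRequest request) {
        try {
            JWT jwt = JWTParser.parse(jwtString);
            if (jwt instanceof SignedJWT) {
                verifySignedRequestObject((SignedJWT) jwt, request);
            } else if (jwt instanceof PlainJWT) {
                verifyPlainRequestObject((PlainJWT) jwt, request);
            } else if (jwt instanceof EncryptedJWT) {
                decryptRequestObject((EncryptedJWT) jwt, request);
            } else {
                // Defensive: JWTParser only returns the three types above.
                throw new InvalidClientException("Unsupported request object type");
            }
            applyRequestObjectClaims(jwt.getJWTClaimsSet(), request);
        } catch (ParseException e) {
            logger.error("ParseException while parsing RequestObject:", e);
        }
    }

    /**
     * Takes the client id from the request object when the query string did
     * not carry one, and rejects the request when both are present and differ.
     */
    private void resolveClientId(ReadOnlyJWTClaimsSet claims, AuthorizationRequest request) throws ParseException {
        String claimedClientId = claims.getStringClaim(CLIENT_ID);
        if (request.getClientId() == null) {
            request.setClientId(claimedClientId);
        } else if (claimedClientId != null && !claimedClientId.equals(request.getClientId())) {
            throw new InvalidClientException("Request object client_id (" + claimedClientId
                    + ") does not match client_id parameter (" + request.getClientId() + ")");
        }
    }

    /** Loads a client or rejects the request if it does not exist. */
    private ClientDetailsEntity loadClient(String clientId) {
        ClientDetailsEntity client = clientDetailsService.loadClientByClientId(clientId);
        if (client == null) {
            throw new InvalidClientException("Client not found: " + clientId);
        }
        return client;
    }

    /**
     * Checks a signed request object: the JWS algorithm must equal the
     * client's registered {@code request_object_signing_alg}, and the
     * signature must verify with the matching key source (JWKS URI for RSA,
     * client secret for HMAC). Any other algorithm is rejected rather than
     * accepted unverified.
     */
    private void verifySignedRequestObject(SignedJWT signedJWT, AuthorizationRequest request) throws ParseException {
        // Claims are read before verification only to locate the client whose
        // keys will verify the signature; nothing else is trusted yet.
        resolveClientId(signedJWT.getJWTClaimsSet(), request);
        ClientDetailsEntity client = loadClient(request.getClientId());

        JWSAlgorithm alg = signedJWT.getHeader().getAlgorithm();
        Algorithm registeredAlg = client.getRequestObjectSigningAlg();
        if (registeredAlg == null || !registeredAlg.equals(alg)) {
            throw new InvalidClientException("Client's registered request object signing algorithm ("
                    + registeredAlg + ") does not match request object's actual algorithm ("
                    + alg.getName() + ")");
        }

        JwtSigningAndValidationService validator;
        if (isRsaSigned(alg)) {
            if (client.getJwksUri() == null) {
                throw new InvalidClientException("Client must have a JWKS URI registered to use signed request objects.");
            }
            validator = validators.getValidator(client.getJwksUri());
            if (validator == null) {
                throw new InvalidClientException("Unable to create signature validator for client's JWKS URI: " + client.getJwksUri());
            }
        } else if (isHmacSigned(alg)) {
            validator = symmetricCacheService.getSymmetricValidtor(client);
            if (validator == null) {
                // Do not echo the client secret into the error message.
                throw new InvalidClientException("Unable to create signature validator for client's secret");
            }
        } else {
            // Previously any other alg (e.g. ES*/PS*) fell through with no
            // signature check at all; fail closed instead.
            throw new InvalidClientException("Unsupported request object signing algorithm: " + alg.getName());
        }

        if (!validator.validateSignature(signedJWT)) {
            throw new InvalidClientException("Signature did not validate for presented JWT request object.");
        }
    }

    /**
     * Accepts an unsigned request object only for clients explicitly
     * registered with {@code request_object_signing_alg=none}.
     */
    private void verifyPlainRequestObject(PlainJWT plainJWT, AuthorizationRequest request) throws ParseException {
        resolveClientId(plainJWT.getJWTClaimsSet(), request);
        ClientDetailsEntity client = loadClient(request.getClientId());

        Algorithm registeredAlg = client.getRequestObjectSigningAlg();
        if (registeredAlg == null) {
            throw new InvalidClientException("Client is not registered for unsigned request objects (no request_object_signing_alg registered)");
        }
        if (!registeredAlg.equals(Algorithm.NONE)) {
            throw new InvalidClientException("Client is not registered for unsigned request objects (request_object_signing_alg is " + registeredAlg + ")");
        }
    }

    /**
     * Decrypts a request object encrypted to this server and resolves the
     * client from its claims.
     * NOTE(review): decryption only proves the payload was encrypted to this
     * server, not who produced it. Unlike the signed/plain paths, the client's
     * request_object_signing_alg is not consulted here and a nested JWS inside
     * the JWE is not verified -- confirm this is the intended policy.
     */
    private void decryptRequestObject(EncryptedJWT encryptedJWT, AuthorizationRequest request) throws ParseException {
        encryptionService.decryptJwt(encryptedJWT);
        if (encryptedJWT.getState() != JWEObject.State.DECRYPTED) {
            throw new InvalidClientException("Unable to decrypt the request object");
        }
        resolveClientId(encryptedJWT.getJWTClaimsSet(), request);
        loadClient(request.getClientId());
    }

    /**
     * Lets request-object claims override the corresponding query parameters,
     * logging each disagreement. Call only after the request object has been
     * verified.
     * NOTE(review): the redirect_uri taken from the request object is assumed
     * to be validated against the client's registered URIs by a later
     * redirect-resolution step -- confirm.
     */
    private void applyRequestObjectClaims(ReadOnlyJWTClaimsSet claims, AuthorizationRequest request) throws ParseException {
        Set<String> responseTypes = OAuth2Utils.parseParameterList(claims.getStringClaim(RESPONSE_TYPE));
        if (responseTypes != null && !responseTypes.isEmpty()) {
            logMismatch(RESPONSE_TYPE, responseTypes, request.getResponseTypes());
            request.setResponseTypes(responseTypes);
        }

        String redirectUri = claims.getStringClaim(REDIRECT_URI);
        if (redirectUri != null) {
            logMismatch(REDIRECT_URI, redirectUri, request.getRedirectUri());
            request.setRedirectUri(redirectUri);
        }

        String state = claims.getStringClaim(STATE);
        if (state != null) {
            logMismatch(STATE, state, request.getState());
            request.setState(state);
        }

        overrideExtension(claims, request, NONCE);
        overrideExtension(claims, request, DISPLAY);
        overrideExtension(claims, request, PROMPT);

        Set<String> scope = OAuth2Utils.parseParameterList(claims.getStringClaim(SCOPE));
        if (scope != null && !scope.isEmpty()) {
            logMismatch(SCOPE, scope, request.getScope());
            request.setScope(scope);
        }

        JsonObject claimRequest = parseClaimRequest(claims.getStringClaim(CLAIMS));
        if (claimRequest != null) {
            // The query-string claims parameter may be absent; guard the NPE.
            Object existing = request.getExtensions().get(CLAIMS);
            JsonObject existingClaimRequest = existing == null ? null : parseClaimRequest(existing.toString());
            logMismatch(CLAIMS, claimRequest, existingClaimRequest);
            request.getExtensions().put(CLAIMS, claimRequest.toString());
        }
    }

    /** Overrides a string extension with the request-object claim of the same name, if present. */
    private static void overrideExtension(ReadOnlyJWTClaimsSet claims, AuthorizationRequest request, String name) throws ParseException {
        String value = claims.getStringClaim(name);
        if (value != null) {
            logMismatch(name, value, request.getExtensions().get(name));
            request.getExtensions().put(name, value);
        }
    }

    /** Logs when the request-object value differs from the query-parameter value. */
    private static void logMismatch(String name, Object fromRequestObject, Object fromParameter) {
        if (!fromRequestObject.equals(fromParameter)) {
            logger.info("Mismatch between request object and regular parameter for {}, using request object", name);
        }
    }

    private static boolean isRsaSigned(JWSAlgorithm alg) {
        return JWSAlgorithm.RS256.equals(alg) || JWSAlgorithm.RS384.equals(alg) || JWSAlgorithm.RS512.equals(alg);
    }

    private static boolean isHmacSigned(JWSAlgorithm alg) {
        return JWSAlgorithm.HS256.equals(alg) || JWSAlgorithm.HS384.equals(alg) || JWSAlgorithm.HS512.equals(alg);
    }

    /**
     * Parses a {@code claims} request parameter into a JSON object.
     *
     * @param claimRequestString raw JSON text from the query string or the
     *     request object; may be {@code null} or empty
     * @return the parsed object, or {@code null} when the input is absent,
     *     malformed, or not a JSON object
     */
    private JsonObject parseClaimRequest(String claimRequestString) {
        if (claimRequestString == null || claimRequestString.isEmpty()) {
            return null;
        }
        try {
            JsonElement element = parser.parse(claimRequestString);
            return element != null && element.isJsonObject() ? element.getAsJsonObject() : null;
        } catch (JsonParseException e) {
            // Malformed client input must not surface as a server error.
            logger.warn("Could not parse claims request parameter, ignoring it", e);
            return null;
        }
    }
}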
