package org.mitre.openid.connect.request;

import com.google.common.base.Strings;
import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.gson.JsonParseException;
import com.google.gson.JsonParser;
import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.ReadOnlyJWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.io.Serializable;
import java.text.ParseException;
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import org.mitre.jwt.encryption.service.JWTEncryptionAndDecryptionService;
import org.mitre.jwt.signer.service.JWTSigningAndValidationService;
import org.mitre.jwt.signer.service.impl.ClientKeyCacheService;
import org.mitre.oauth2.model.ClientDetailsEntity;
import org.mitre.oauth2.service.ClientDetailsEntityService;
import org.mitre.oauth2.service.SystemScopeService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
import org.springframework.security.oauth2.common.exceptions.InvalidRequestException;
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
import org.springframework.security.oauth2.common.util.OAuth2Utils;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory;
import org.springframework.stereotype.Component;

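@Component("connectOAuth2RequestFactory")
/* loaded from: input_file:org/mitre/openid/connect/request/ConnectOAuth2RequestFactory.class */
public class ConnectOAuth2RequestFactory extends DefaultOAuth2RequestFactory {
    private static final Logger logger = LoggerFactory.getLogger(ConnectOAuth2RequestFactory.class);

    /** Query parameters copied verbatim into the request's extension map when present. */
    private static final String[] PASSTHROUGH_EXTENSIONS = {
        ConnectRequestParameters.PROMPT,
        ConnectRequestParameters.NONCE,
        ConnectRequestParameters.MAX_AGE,
        ConnectRequestParameters.LOGIN_HINT
    };

    /** Looks up registered clients by client_id; the same instance is handed to the superclass. */
    private ClientDetailsEntityService clientDetailsService;

    /** Resolves a signature validator (the client's key material) for a client and JWS algorithm. */
    @Autowired
    private ClientKeyCacheService validators;

    /** Injected but not referenced by any method in this class. */
    @Autowired
    private SystemScopeService systemScopes;

    /** Decrypts JWE request objects that were encrypted to this server's keys. */
    @Autowired
    private JWTEncryptionAndDecryptionService encryptionService;

    /** Gson parser used to normalise the JSON {@code claims} parameter. */
    private JsonParser parser;

    /**
     * @param clientDetailsEntityService client registry, passed to the superclass and kept for local lookups
     */
    @Autowired
    public ConnectOAuth2RequestFactory(ClientDetailsEntityService clientDetailsEntityService) {
        super(clientDetailsEntityService);
        this.parser = new JsonParser();
        this.clientDetailsService = clientDetailsEntityService;
    }

    /**
     * Builds an {@link AuthorizationRequest} from the raw authorization-endpoint parameters,
     * adding the OpenID Connect extensions (prompt, nonce, claims, max_age, login_hint) and,
     * when a {@code request} parameter is present, the claims of the request object.
     * A fresh CSRF token is attached to every request.
     *
     * @param inputParams the raw authorization request parameters
     * @return the populated authorization request
     * @throws InvalidRequestException if the request object or the claims parameter is malformed
     * @throws InvalidClientException if a request object cannot be attributed to a registered client
     *         or fails that client's request_object_signing_alg policy
     */
    @Override
    public AuthorizationRequest createAuthorizationRequest(Map<String, String> inputParams) {
        AuthorizationRequest request = new AuthorizationRequest(
                inputParams,
                Collections.<String, String>emptyMap(),
                inputParams.get(ConnectRequestParameters.CLIENT_ID),
                OAuth2Utils.parseParameterList(inputParams.get("scope")),
                null,   // resource ids
                null,   // authorities
                false,  // not yet approved
                inputParams.get(ConnectRequestParameters.STATE),
                inputParams.get(ConnectRequestParameters.REDIRECT_URI),
                OAuth2Utils.parseParameterList(inputParams.get(ConnectRequestParameters.RESPONSE_TYPE)));

        Map<String, Serializable> extensions = request.getExtensions();
        for (String name : PASSTHROUGH_EXTENSIONS) {
            if (inputParams.containsKey(name)) {
                extensions.put(name, inputParams.get(name));
            }
        }

        if (inputParams.containsKey(ConnectRequestParameters.CLAIMS)) {
            // Round-tripped through Gson so downstream code sees canonical JSON, or nothing
            // if the parameter is not a JSON object.
            JsonObject claimRequest = parseClaimRequest(inputParams.get(ConnectRequestParameters.CLAIMS));
            if (claimRequest != null) {
                extensions.put(ConnectRequestParameters.CLAIMS, claimRequest.toString());
            }
        }

        if (inputParams.containsKey(ConnectRequestParameters.REQUEST)) {
            String requestObject = inputParams.get(ConnectRequestParameters.REQUEST);
            extensions.put(ConnectRequestParameters.REQUEST, requestObject);
            // May replace client_id, redirect_uri, scope, etc. from the (authenticated) request object.
            processRequestObject(requestObject, request);
        }

        if (request.getClientId() != null) {
            applyClientDefaults(request);
        }

        // Per-request anti-CSRF token for the approval page; UUID.randomUUID() is SecureRandom-backed.
        extensions.put(ConnectRequestParameters.CSRF, UUID.randomUUID().toString());
        return request;
    }

    /**
     * Fills in scope and max_age from the client's registration when the request left them unset.
     * A failed lookup is logged and otherwise ignored here; the request continues and the client
     * is expected to be validated again downstream (not visible in this class).
     */
    private void applyClientDefaults(AuthorizationRequest request) {
        try {
            ClientDetailsEntity client = clientDetailsService.loadClientByClientId(request.getClientId());
            if (client == null) {
                logger.warn("Client {} not found while applying default scope and max_age", request.getClientId());
                return;
            }
            if (request.getScope() == null || request.getScope().isEmpty()) {
                request.setScope(client.getScope());
            }
            if (request.getExtensions().get(ConnectRequestParameters.MAX_AGE) == null
                    && client.getDefaultMaxAge() != null) {
                request.getExtensions().put(ConnectRequestParameters.MAX_AGE, client.getDefaultMaxAge().toString());
            }
        } catch (OAuth2Exception e) {
            logger.error("Caught OAuth2 exception trying to test client scopes and max age:", e);
        }
    }

    /**
     * Parses, authenticates and applies an OpenID Connect request object (the {@code request}
     * parameter, a JWT) to {@code request}.
     *
     * <p>Authentication policy is driven by the client's registered {@code request_object_signing_alg}:
     * a JWS must use exactly that algorithm and verify against the client's keys; a plain
     * (alg=none) JWT is accepted only when the client explicitly registered {@code none}; a JWE is
     * decrypted and its payload is then held to the same rules — a nested JWS is verified, any other
     * payload counts as unsigned. Decryption alone says nothing about who produced the object, since
     * anyone can encrypt to the server's encryption key, so it must never stand in for a signature.
     *
     * <p>Claims present in the request object replace the corresponding query parameters. The
     * replaced redirect_uri is not validated against the client's registered URIs here; that check
     * has to happen downstream.
     *
     * @throws InvalidRequestException if the request object cannot be parsed
     * @throws InvalidClientException if the client is unknown, the client_id claim contradicts the
     *         client_id parameter, or the object fails the client's signing policy
     */
    private void processRequestObject(String requestObject, AuthorizationRequest request) {
        try {
            JWT jwt = JWTParser.parse(requestObject);
            ReadOnlyJWTClaimsSet claims;
            if (jwt instanceof SignedJWT) {
                claims = verifySignedRequestObject((SignedJWT) jwt, request);
            } else if (jwt instanceof EncryptedJWT) {
                claims = decryptRequestObject((EncryptedJWT) jwt, request);
            } else if (jwt instanceof PlainJWT) {
                claims = jwt.getJWTClaimsSet();
                requireUnsignedRequestObjectsAllowed(resolveClient(claims, request));
            } else {
                throw new InvalidRequestException("Unsupported request object type: " + jwt.getClass().getName());
            }
            applyRequestObjectClaims(claims, request);
        } catch (ParseException e) {
            // OIDC Core 6.1: an unparseable request object is an error; silently falling back to the
            // bare query parameters would let a malformed object be ignored rather than rejected.
            throw new InvalidRequestException("Unable to parse request object", e);
        }
    }

    /**
     * Determines the client the request object is attributed to. The client_id claim is used when
     * the query string carried none; when both are present they must agree (OIDC Core 6.1).
     *
     * @return the registered client, never null
     * @throws InvalidClientException if no client_id is available, the two disagree, or the client is unknown
     */
    private ClientDetailsEntity resolveClient(ReadOnlyJWTClaimsSet claims, AuthorizationRequest request)
            throws ParseException {
        String claimedClientId = claims.getStringClaim(ConnectRequestParameters.CLIENT_ID);
        if (request.getClientId() == null) {
            request.setClientId(claimedClientId);
        } else if (claimedClientId != null && !claimedClientId.equals(request.getClientId())) {
            throw new InvalidClientException("client_id in request object (" + claimedClientId
                    + ") does not match client_id parameter (" + request.getClientId() + ")");
        }
        if (request.getClientId() == null) {
            throw new InvalidClientException("No client_id in request parameters or request object");
        }
        ClientDetailsEntity client = clientDetailsService.loadClientByClientId(request.getClientId());
        if (client == null) {
            throw new InvalidClientException("Client not found: " + request.getClientId());
        }
        return client;
    }

    /**
     * Verifies a JWS request object against the client's registered algorithm and keys.
     * Requiring an exact algorithm match (rather than "any supported") closes algorithm-substitution
     * attacks such as presenting an HMAC-signed object to a client registered for RSA.
     *
     * @return the verified claims
     */
    private ReadOnlyJWTClaimsSet verifySignedRequestObject(SignedJWT signedJWT, AuthorizationRequest request)
            throws ParseException {
        ReadOnlyJWTClaimsSet claims = signedJWT.getJWTClaimsSet();
        // The client must be known before verification: its registration selects the key set.
        ClientDetailsEntity client = resolveClient(claims, request);
        JWSAlgorithm alg = signedJWT.getHeader().getAlgorithm();
        JWSAlgorithm registeredAlg = client.getRequestObjectSigningAlg();
        if (registeredAlg == null || !registeredAlg.equals(alg)) {
            throw new InvalidClientException("Client's registered request object signing algorithm ("
                    + registeredAlg + ") does not match request object's actual algorithm (" + alg.getName() + ")");
        }
        JWTSigningAndValidationService validator = validators.getValidator(client, alg);
        if (validator == null) {
            throw new InvalidClientException("Unable to create signature validator for client " + client
                    + " and algorithm " + alg);
        }
        if (!validator.validateSignature(signedJWT)) {
            throw new InvalidClientException("Signature did not validate for presented JWT request object.");
        }
        return claims;
    }

    /**
     * Rejects unsigned request objects unless the client explicitly registered
     * {@code request_object_signing_alg=none}.
     */
    private static void requireUnsignedRequestObjectsAllowed(ClientDetailsEntity client) {
        JWSAlgorithm registeredAlg = client.getRequestObjectSigningAlg();
        if (registeredAlg == null) {
            throw new InvalidClientException(
                    "Client is not registered for unsigned request objects (no request_object_signing_alg registered)");
        }
        if (!registeredAlg.equals(Algorithm.NONE)) {
            throw new InvalidClientException("Client is not registered for unsigned request objects "
                    + "(request_object_signing_alg is " + registeredAlg + ")");
        }
    }

    /**
     * Decrypts a JWE request object and authenticates its payload: a nested JWS is verified like a
     * top-level one, anything else is treated as unsigned and subject to the client's policy.
     * Nested JWEs are not supported.
     *
     * @return the claims to apply
     * @throws InvalidClientException if decryption fails or the payload fails the signing policy
     */
    private ReadOnlyJWTClaimsSet decryptRequestObject(EncryptedJWT encryptedJWT, AuthorizationRequest request)
            throws ParseException {
        encryptionService.decryptJwt(encryptedJWT);
        if (!JWEObject.State.DECRYPTED.equals(encryptedJWT.getState())) {
            throw new InvalidClientException("Unable to decrypt the request object");
        }
        JWT nested = parseNestedJwt(encryptedJWT.getPayload().toString());
        if (nested instanceof SignedJWT) {
            return verifySignedRequestObject((SignedJWT) nested, request);
        }
        if (nested instanceof EncryptedJWT) {
            throw new InvalidRequestException("Nested encrypted request objects are not supported");
        }
        ReadOnlyJWTClaimsSet claims = nested instanceof PlainJWT
                ? nested.getJWTClaimsSet()
                : encryptedJWT.getJWTClaimsSet();
        requireUnsignedRequestObjectsAllowed(resolveClient(claims, request));
        return claims;
    }

    /** @return the payload parsed as a compact-serialised JWT, or null when it is a bare claims set. */
    private static JWT parseNestedJwt(String payload) {
        try {
            return JWTParser.parse(payload);
        } catch (ParseException ignored) {
            return null;
        }
    }

    /**
     * Copies the request object's claims onto the request, letting the request object win over
     * the plain query parameters and logging each disagreement.
     */
    private void applyRequestObjectClaims(ReadOnlyJWTClaimsSet claims, AuthorizationRequest request)
            throws ParseException {
        Set<String> responseTypes = OAuth2Utils.parseParameterList(
                claims.getStringClaim(ConnectRequestParameters.RESPONSE_TYPE));
        if (responseTypes != null && !responseTypes.isEmpty()) {
            // NOTE(review): OIDC Core 6.1 requires response_type to match the query parameter when both
            // are present; this implementation only logs the mismatch and uses the request object's value.
            if (!responseTypes.equals(request.getResponseTypes())) {
                logger.info("Mismatch between request object and regular parameter for response_type, using request object");
            }
            request.setResponseTypes(responseTypes);
        }

        String redirectUri = claims.getStringClaim(ConnectRequestParameters.REDIRECT_URI);
        if (redirectUri != null) {
            if (!redirectUri.equals(request.getRedirectUri())) {
                logger.info("Mismatch between request object and regular parameter for redirect_uri, using request object");
            }
            request.setRedirectUri(redirectUri);
        }

        String state = claims.getStringClaim(ConnectRequestParameters.STATE);
        if (state != null) {
            if (!state.equals(request.getState())) {
                logger.info("Mismatch between request object and regular parameter for state, using request object");
            }
            request.setState(state);
        }

        overrideExtension(request, claims, ConnectRequestParameters.NONCE);
        overrideExtension(request, claims, ConnectRequestParameters.DISPLAY);
        overrideExtension(request, claims, ConnectRequestParameters.PROMPT);

        Set<String> scope = OAuth2Utils.parseParameterList(claims.getStringClaim("scope"));
        if (scope != null && !scope.isEmpty()) {
            if (!scope.equals(request.getScope())) {
                logger.info("Mismatch between request object and regular parameter for scope, using request object");
            }
            request.setScope(scope);
        }

        JsonObject claimRequest = parseClaimRequest(claims.getStringClaim(ConnectRequestParameters.CLAIMS));
        if (claimRequest != null) {
            // The query string may not have carried a claims parameter at all.
            Serializable existing = request.getExtensions().get(ConnectRequestParameters.CLAIMS);
            JsonObject existingClaims = existing == null ? null : parseClaimRequest(existing.toString());
            if (!claimRequest.equals(existingClaims)) {
                logger.info("Mismatch between request object and regular parameter for claims, using request object");
            }
            request.getExtensions().put(ConnectRequestParameters.CLAIMS, claimRequest.toString());
        }

        overrideExtension(request, claims, ConnectRequestParameters.LOGIN_HINT);
    }

    /** Replaces extension {@code name} with the same-named string claim when the claim is present. */
    private static void overrideExtension(AuthorizationRequest request, ReadOnlyJWTClaimsSet claims, String name)
            throws ParseException {
        String value = claims.getStringClaim(name);
        if (value == null) {
            return;
        }
        if (!value.equals(request.getExtensions().get(name))) {
            logger.info("Mismatch between request object and regular parameter for {}, using request object", name);
        }
        request.getExtensions().put(name, value);
    }

    /**
     * Parses a {@code claims} request parameter.
     *
     * @param claimsJson the raw parameter value, possibly null or empty
     * @return the parsed object, or null when the value is empty or not a JSON object
     * @throws InvalidRequestException if the value is not valid JSON (it is caller-supplied,
     *         so this is a client error rather than a server fault)
     */
    private JsonObject parseClaimRequest(String claimsJson) {
        if (Strings.isNullOrEmpty(claimsJson)) {
            return null;
        }
        JsonElement parsed;
        try {
            parsed = parser.parse(claimsJson);
        } catch (JsonParseException e) {
            throw new InvalidRequestException("Malformed claims parameter", e);
        }
        if (parsed == null || !parsed.isJsonObject()) {
            return null;
        }
        return parsed.getAsJsonObject();
    }
}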
