package org.mitre.oauth2.service.impl;

import com.google.common.base.Strings;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.common.util.concurrent.UncheckedExecutionException;
import com.google.gson.JsonElement;
import com.google.gson.JsonParser;
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.UUID;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import org.apache.commons.codec.binary.Base64;
import org.apache.http.client.HttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.mitre.oauth2.model.ClientDetailsEntity;
import org.mitre.oauth2.repository.OAuth2ClientRepository;
import org.mitre.oauth2.repository.OAuth2TokenRepository;
import org.mitre.oauth2.service.ClientDetailsEntityService;
import org.mitre.oauth2.service.SystemScopeService;
import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
import org.mitre.openid.connect.model.WhitelistedSite;
import org.mitre.openid.connect.service.ApprovedSiteService;
import org.mitre.openid.connect.service.BlacklistedSiteService;
import org.mitre.openid.connect.service.StatsService;
import org.mitre.openid.connect.service.WhitelistedSiteService;
import org.mitre.uma.model.ResourceSet;
import org.mitre.uma.service.ResourceSetService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
import org.springframework.stereotype.Service;
import org.springframework.web.client.RestTemplate;

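/**
 * Default {@link ClientDetailsEntityService} backed by {@link OAuth2ClientRepository}.
 *
 * <p>Before a client is stored or updated, this service applies the following checks:
 * <ul>
 *   <li>every registered redirect URI is checked against the {@link BlacklistedSiteService};</li>
 *   <li>{@code refresh_token} grant and {@code offline_access} scope are kept in step;</li>
 *   <li>a client may carry a JWKS URI or an inline JWKS, never both;</li>
 *   <li>if a sector identifier URI is set, the document behind it is fetched and every
 *       registered redirect URI must be listed in it;</li>
 *   <li>reserved scopes are stripped from the requested scope set.</li>
 * </ul>
 *
 * <p>NOTE(review): this source appears to be decompiler output (see the "loaded from" and
 * "renamed from" markers), so local names and some signatures may differ from the original.
 */
@Service
/* loaded from: input_file:org/mitre/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService.class */
public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEntityService {
    private static final Logger logger = LoggerFactory.getLogger(DefaultOAuth2ClientDetailsEntityService.class);

    @Autowired
    private OAuth2ClientRepository clientRepository;

    @Autowired
    private OAuth2TokenRepository tokenRepository;

    @Autowired
    private ApprovedSiteService approvedSiteService;

    @Autowired
    private WhitelistedSiteService whitelistedSiteService;

    @Autowired
    private BlacklistedSiteService blacklistedSiteService;

    @Autowired
    private SystemScopeService scopeService;

    @Autowired
    private StatsService statsService;

    @Autowired
    private ResourceSetService resourceSetService;

    @Autowired
    private ConfigurationPropertiesBean config;

    // Sector identifier URI -> redirect URIs listed in the document at that URI.
    // Holds at most 100 entries; an entry is dropped one hour after its last access. Because the
    // expiry is access-based, an entry that keeps being read is never re-fetched, so a redirect URI
    // removed from the remote document stays accepted for as long as the entry is live.
    private LoadingCache<String, List<String>> sectorRedirects = CacheBuilder.newBuilder().expireAfterAccess(1, TimeUnit.HOURS).maximumSize(100).build(new SectorIdentifierLoader());

    /**
     * Cache loader that downloads a sector identifier document and returns the redirect URIs it
     * lists.
     *
     * <p>NOTE(review): the URL passed to {@link #load(String)} comes from client metadata, so this
     * is a server-side request to a destination the server does not choose. Nothing in this class
     * restricts the target host, redirects, timeouts or response size; confirm those limits are
     * enforced elsewhere (HTTP client configuration, egress filtering).
     */
    /* loaded from: input_file:org/mitre/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService$SectorIdentifierLoader.class */
    private class SectorIdentifierLoader extends CacheLoader<String, List<String>> {
        private final HttpClient httpClient;
        private final HttpComponentsClientHttpRequestFactory httpFactory;
        private final RestTemplate restTemplate;
        private final JsonParser parser;

        private SectorIdentifierLoader() {
            // useSystemProperties(): proxy and TLS settings are taken from JVM system properties.
            this.httpClient = HttpClientBuilder.create().useSystemProperties().build();
            this.httpFactory = new HttpComponentsClientHttpRequestFactory(this.httpClient);
            this.restTemplate = new RestTemplate(this.httpFactory);
            this.parser = new JsonParser();
        }

        /**
         * Fetches the document at {@code str} and returns its entries as strings.
         *
         * @param str sector identifier URI to fetch
         * @return the string values of the JSON array served at {@code str}
         * @throws IllegalArgumentException if HTTPS is enforced and {@code str} is not an
         *     {@code https://} URL, or if the response is missing or not a JSON array
         * @throws Exception any failure raised by the HTTP request or JSON parsing
         */
        @Override
        public List<String> load(String str) throws Exception {
            // Compare against the full scheme prefix: a bare "https" prefix would also accept
            // strings such as "httpsomething..." that are not HTTPS URLs at all.
            if (!str.startsWith("https://")) {
                if (DefaultOAuth2ClientDetailsEntityService.this.config.isForceHttps()) {
                    throw new IllegalArgumentException("Sector identifier must start with https: " + str);
                }
                DefaultOAuth2ClientDetailsEntityService.logger.error("Sector identifier doesn't start with https, loading anyway...");
            }
            String body = this.restTemplate.getForObject(str, String.class);
            if (body == null) {
                // An empty response cannot be a JSON array; fail with the same error as any
                // other malformed document instead of a NullPointerException in the parser.
                throw new IllegalArgumentException("JSON Format Error");
            }
            JsonElement parsed = this.parser.parse(body);
            if (!parsed.isJsonArray()) {
                throw new IllegalArgumentException("JSON Format Error");
            }
            List<String> redirects = new ArrayList<>();
            for (JsonElement element : parsed.getAsJsonArray()) {
                redirects.add(element.getAsString());
            }
            // Parameterized logging: same text as before, formatted only when INFO is enabled.
            // Both values originate outside this server; keep them out of log-driven automation.
            DefaultOAuth2ClientDetailsEntityService.logger.info("Found {} for sector {}", redirects, str);
            return redirects;
        }
    }

    /**
     * Validates and persists a client that has not been stored before.
     *
     * @param clientDetailsEntity the client to store; must not yet have a database ID
     * @return the entity returned by the repository
     * @throws IllegalArgumentException if the client already has an ID, a redirect URI is
     *     blacklisted, both JWKS forms are set, or the sector identifier check fails
     */
    public ClientDetailsEntity saveNewClient(ClientDetailsEntity clientDetailsEntity) {
        if (clientDetailsEntity.getId() != null) {
            throw new IllegalArgumentException("Tried to save a new client with an existing ID: " + clientDetailsEntity.getId());
        }
        if (clientDetailsEntity.getRegisteredRedirectUri() != null) {
            for (String str : clientDetailsEntity.getRegisteredRedirectUri()) {
                if (this.blacklistedSiteService.isBlacklisted(str)) {
                    throw new IllegalArgumentException("Client URI is blacklisted: " + str);
                }
            }
        }
        // Assign a server-generated client_id when the caller did not provide one.
        if (Strings.isNullOrEmpty(clientDetailsEntity.getClientId())) {
            clientDetailsEntity = generateClientId(clientDetailsEntity);
        }
        ensureRefreshTokenConsistency(clientDetailsEntity);
        ensureKeyConsistency(clientDetailsEntity);
        clientDetailsEntity.setCreatedAt(new Date());
        checkSectorIdentifierUri(clientDetailsEntity);
        ensureNoReservedScopes(clientDetailsEntity);
        ClientDetailsEntity saveClient = this.clientRepository.saveClient(clientDetailsEntity);
        this.statsService.resetCache();
        return saveClient;
    }

    /** Rejects a client that declares both a JWKS URI and an inline JWKS value. */
    private void ensureKeyConsistency(ClientDetailsEntity clientDetailsEntity) {
        if (clientDetailsEntity.getJwksUri() != null && clientDetailsEntity.getJwks() != null) {
            throw new IllegalArgumentException("A client cannot have both JWKS URI and JWKS value");
        }
    }

    /** Replaces the client's scope set with the same set minus the scopes the scope service reserves. */
    private void ensureNoReservedScopes(ClientDetailsEntity clientDetailsEntity) {
        clientDetailsEntity.setScope(this.scopeService.toStrings(this.scopeService.removeReservedScopes(this.scopeService.fromStrings(clientDetailsEntity.getScope()))));
    }

    /**
     * Verifies that every registered redirect URI appears in the client's sector identifier
     * document. Does nothing when no sector identifier URI is set.
     *
     * @throws IllegalArgumentException if a redirect URI is not listed, or the document cannot be
     *     loaded (the loader failure is attached as the cause)
     */
    private void checkSectorIdentifierUri(ClientDetailsEntity clientDetailsEntity) {
        if (Strings.isNullOrEmpty(clientDetailsEntity.getSectorIdentifierUri())) {
            return;
        }
        try {
            List<String> list = this.sectorRedirects.get(clientDetailsEntity.getSectorIdentifierUri());
            if (clientDetailsEntity.getRegisteredRedirectUri() != null) {
                for (String str : clientDetailsEntity.getRegisteredRedirectUri()) {
                    if (!list.contains(str)) {
                        throw new IllegalArgumentException("Requested Redirect URI " + str + " is not listed at sector identifier " + list);
                    }
                }
            }
        } catch (UncheckedExecutionException | ExecutionException e) {
            // Keep the original failure as the cause so the stack trace of the fetch or parse
            // error is not lost when this is logged upstream.
            throw new IllegalArgumentException("Unable to load sector identifier URI " + clientDetailsEntity.getSectorIdentifierUri() + ": " + e.getMessage(), e);
        }
    }

    /**
     * If the client has either the {@code refresh_token} grant or the {@code offline_access}
     * scope, makes sure it has both. Mutates the collections returned by the entity's getters.
     */
    private void ensureRefreshTokenConsistency(ClientDetailsEntity clientDetailsEntity) {
        if (clientDetailsEntity.getAuthorizedGrantTypes().contains("refresh_token") || clientDetailsEntity.getScope().contains("offline_access")) {
            clientDetailsEntity.getScope().add("offline_access");
            clientDetailsEntity.getAuthorizedGrantTypes().add("refresh_token");
        }
    }

    /** Looks a client up by its database ID; returns whatever the repository returns. */
    public ClientDetailsEntity getClientById(Long l) {
        return this.clientRepository.getById(l);
    }

    /**
     * Looks a client up by its OAuth {@code client_id}.
     *
     * @param str the client_id; must not be null or empty
     * @return the matching client, never {@code null}
     * @throws IllegalArgumentException if {@code str} is null or empty
     * @throws InvalidClientException if the repository has no client with that client_id
     */
    /* renamed from: loadClientByClientId, reason: merged with bridge method [inline-methods] */
    public ClientDetailsEntity m5loadClientByClientId(String str) throws OAuth2Exception, InvalidClientException, IllegalArgumentException {
        if (Strings.isNullOrEmpty(str)) {
            throw new IllegalArgumentException("Client id must not be empty!");
        }
        ClientDetailsEntity clientByClientId = this.clientRepository.getClientByClientId(str);
        if (clientByClientId == null) {
            throw new InvalidClientException("Client with id " + str + " was not found");
        }
        return clientByClientId;
    }

    /**
     * Deletes a client together with the state that refers to it: its tokens, approved sites,
     * whitelist entry and resource sets are removed before the client row itself.
     *
     * @throws InvalidClientException if no client with the entity's database ID exists
     */
    public void deleteClient(ClientDetailsEntity clientDetailsEntity) throws InvalidClientException {
        if (this.clientRepository.getById(clientDetailsEntity.getId()) == null) {
            throw new InvalidClientException("Client with id " + clientDetailsEntity.getClientId() + " was not found");
        }
        // Revoke issued tokens and stored approvals first, so nothing granted to the client is
        // left behind once the client itself is removed.
        this.tokenRepository.clearTokensForClient(clientDetailsEntity);
        this.approvedSiteService.clearApprovedSitesForClient(clientDetailsEntity);
        WhitelistedSite byClientId = this.whitelistedSiteService.getByClientId(clientDetailsEntity.getClientId());
        if (byClientId != null) {
            this.whitelistedSiteService.remove(byClientId);
        }
        Iterator<?> it = this.resourceSetService.getAllForClient(clientDetailsEntity).iterator();
        while (it.hasNext()) {
            this.resourceSetService.remove((ResourceSet) it.next());
        }
        this.clientRepository.deleteClient(clientDetailsEntity);
        this.statsService.resetCache();
    }

    /**
     * Validates {@code clientDetailsEntity2} with the same checks as {@link #saveNewClient} and
     * stores it under the database ID of {@code clientDetailsEntity}.
     *
     * @param clientDetailsEntity the existing client (only its ID is used here)
     * @param clientDetailsEntity2 the new client data
     * @return the entity returned by the repository
     * @throws IllegalArgumentException if either argument is null or a validation check fails
     */
    public ClientDetailsEntity updateClient(ClientDetailsEntity clientDetailsEntity, ClientDetailsEntity clientDetailsEntity2) throws IllegalArgumentException {
        if (clientDetailsEntity == null || clientDetailsEntity2 == null) {
            throw new IllegalArgumentException("Neither old client or new client can be null!");
        }
        // Same null guard as saveNewClient: a client without redirect URIs must not fail with a
        // NullPointerException before the remaining checks run.
        if (clientDetailsEntity2.getRegisteredRedirectUri() != null) {
            for (String str : clientDetailsEntity2.getRegisteredRedirectUri()) {
                if (this.blacklistedSiteService.isBlacklisted(str)) {
                    throw new IllegalArgumentException("Client URI is blacklisted: " + str);
                }
            }
        }
        ensureRefreshTokenConsistency(clientDetailsEntity2);
        ensureKeyConsistency(clientDetailsEntity2);
        checkSectorIdentifierUri(clientDetailsEntity2);
        ensureNoReservedScopes(clientDetailsEntity2);
        return this.clientRepository.updateClient(clientDetailsEntity.getId(), clientDetailsEntity2);
    }

    /** Returns all clients known to the repository. */
    public Collection<ClientDetailsEntity> getAllClients() {
        return this.clientRepository.getAllClients();
    }

    /**
     * Assigns a random (version 4) UUID as the client's {@code client_id}.
     *
     * @return the same entity, for chaining
     */
    public ClientDetailsEntity generateClientId(ClientDetailsEntity clientDetailsEntity) {
        clientDetailsEntity.setClientId(UUID.randomUUID().toString());
        return clientDetailsEntity;
    }

    /**
     * Assigns a new client secret: 512 random bits from a {@link SecureRandom}, encoded as
     * URL-safe Base64 with any {@code '='} padding removed.
     *
     * <p>The byte length of the encoded value varies slightly because
     * {@link BigInteger#toByteArray()} returns the minimal two's-complement form.
     *
     * @return the same entity, for chaining
     */
    public ClientDetailsEntity generateClientSecret(ClientDetailsEntity clientDetailsEntity) {
        byte[] secretBytes = new BigInteger(512, new SecureRandom()).toByteArray();
        clientDetailsEntity.setClientSecret(Base64.encodeBase64URLSafeString(secretBytes).replace("=", ""));
        return clientDetailsEntity;
    }
}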
