package com.sap.xs2.security.container;

import com.sap.xsa.security.container.XSTokenRequest;
import com.sap.xsa.security.container.XSUserInfo;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Base64;
import java.util.Collection;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.regex.Pattern;
import net.minidev.json.JSONArray;
import net.minidev.json.JSONObject;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.util.UriComponentsBuilder;

/* loaded from: input_file:com/sap/xs2/security/container/UserInfo.class */
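/**
 * Read-only view over a decoded JWT access token plus the helpers needed to
 * exchange that token for further tokens at the issuing OAuth server.
 *
 * <p>All claim accessors read from the {@link Jwt} handed to the constructor;
 * nothing in this class verifies the token's signature, so callers must only
 * construct it from a token that has already been validated.
 *
 * <p>Error handling convention: a missing or malformed claim is reported as a
 * {@link UserInfoException} (the checked type callers already handle) rather
 * than leaking {@code NullPointerException}/{@code ClassCastException} from the
 * underlying claim map. Where this class decides whether a token may be handed
 * out ({@link #getToken(String, String)}), malformed attribute data fails closed.
 */
public class UserInfo implements XSUserInfo {
    private static final String USER_NAME = "user_name";
    private static final String GIVEN_NAME = "given_name";
    private static final String FAMILY_NAME = "family_name";
    private static final String EMAIL = "email";
    private static final String EXP = "exp";
    private static final String CID = "cid";
    private static final String ORIGIN = "origin";
    private static final String GRANT_TYPE = "grant_type";
    private static final String ADDITIONAL_AZ_ATTR = "az_attr";
    private static final String ZONE_ID = "zid";
    private static final String EXTERNAL_ATTR = "ext_attr";
    private static final String XS_SYSTEM_ATTRIBUTES = "xs.system.attributes";
    private static final String HDB_NAMEDUSER_SAML = "hdb.nameduser.saml";
    private static final String SERVICEINSTANCEID = "serviceinstanceid";
    private static final String ZDN = "zdn";
    private static final String SYSTEM = "SYSTEM";
    private static final String HDB = "HDB";
    private static final String ISSUER = "iss";
    public static final String XS_USER_ATTRIBUTES = "xs.user.attributes";
    public static final String SCOPE = "scope";
    public static final String GRANTTYPE_CLIENTCREDENTIAL = "client_credentials";
    public static final String GRANTTYPE_SAML2BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer";
    public static final String GRANTTYPE_PASSWORD = "password";
    public static final String GRANTTYPE_AUTHCODE = "authorization_code";
    public static final String GRANTTYPE_USERTOKEN = "user_token";
    public static final String EXTERNAL_CONTEXT = "ext_ctx";

    /** Token name accepted by {@link #getToken(String, String)} besides {@link #HDB}. */
    private static final String JOB_SCHEDULER = "JobScheduler";
    /** Keys read from the token endpoint's JSON response. */
    private static final String ACCESS_TOKEN = "access_token";
    private static final String REFRESH_TOKEN = "refresh_token";
    /** Query parameter carrying the serialized additional authorization attributes. */
    private static final String AUTHORITIES = "authorities";
    /** Scope the caller's token must carry before a user_token exchange is attempted. */
    private static final String UAA_USER_SCOPE = "uaa.user";
    /**
     * Shape a subdomain must have before it is spliced into the token endpoint's
     * host name: a single DNS label (letters, digits, hyphen; at most 63 chars).
     * The value comes from the token's {@code ext_attr.zdn} claim, and the client
     * secret is later sent to the rewritten host, so anything that could change
     * the authority (dots, slashes, '@', ':' ...) is rejected up front.
     */
    private static final Pattern SUBDOMAIN_LABEL = Pattern.compile("[A-Za-z0-9-]{1,63}");

    private String xsappname;
    private final Jwt jwt;
    protected final Log logger = LogFactory.getLog(getClass());
    private boolean foreignMode = false;

    /**
     * @param jwt       the decoded (and already validated) access token
     * @param xsappname the application name used to qualify local scopes; may be
     *                  {@code null} until {@link #setXSAppname(String)} is called
     */
    protected UserInfo(Jwt jwt, String xsappname) {
        this.jwt = jwt;
        this.xsappname = xsappname;
    }

    // ------------------------------------------------------------------
    // Simple claim accessors
    // ------------------------------------------------------------------

    /** @return the {@code user_name} claim; not available for client_credentials tokens */
    public String getLogonName() throws UserInfoException {
        requireNamedUserGrant("getLogonName");
        return getJsonValueInternal(USER_NAME);
    }

    /** @return {@code ext_attr.given_name}, falling back to the top-level {@code given_name} claim */
    public String getGivenName() throws UserInfoException {
        requireNamedUserGrant("getGivenName");
        return getExternalAttributeWithFallback(GIVEN_NAME);
    }

    /** @return {@code ext_attr.family_name}, falling back to the top-level {@code family_name} claim */
    public String getFamilyName() throws UserInfoException {
        requireNamedUserGrant("getFamilyName");
        return getExternalAttributeWithFallback(FAMILY_NAME);
    }

    /** @return the {@code zid} claim */
    public String getIdentityZone() throws UserInfoException {
        return getJsonValueInternal(ZONE_ID);
    }

    /**
     * @return {@code ext_attr.zdn}, or {@code null} when the attribute is absent or
     *         unreadable. This is deliberately best-effort: {@link #requestToken}
     *         treats a missing subdomain as "do not rewrite the token endpoint".
     */
    public String getSubdomain() throws UserInfoException {
        try {
            return getExternalAttribute(ZDN);
        } catch (Exception e) {
            // Broad on purpose: besides UserInfoException, the claim accessor may
            // throw a runtime exception when ext_attr is not a JSON object.
            return null;
        }
    }

    /** @return the {@code cid} claim (the OAuth client the token was issued to) */
    public String getClientId() throws UserInfoException {
        return getJsonValueInternal(CID);
    }

    /**
     * @return the token's {@code exp} as a {@link Date}
     * @throws UserInfoException when the token carries no expiry (previously an NPE)
     */
    public Date getExpirationDate() throws UserInfoException {
        Instant expiresAt = this.jwt.getExpiresAt();
        if (expiresAt == null) {
            throw new UserInfoException("Invalid user attribute " + EXP);
        }
        return Date.from(expiresAt);
    }

    /**
     * Reads a top-level claim as a string.
     *
     * @throws UserInfoException when the claim is absent
     */
    private String getJsonValueInternal(String claimName) throws UserInfoException {
        String value = this.jwt.getClaimAsString(claimName);
        if (value == null) {
            throw new UserInfoException("Invalid user attribute " + claimName);
        }
        return value;
    }

    /** @deprecated exposes raw claim access; prefer the typed getters */
    @Deprecated
    public String getJsonValue(String claimName) throws UserInfoException {
        return getJsonValueInternal(claimName);
    }

    /** @return the {@code email} claim; not available for client_credentials tokens */
    public String getEmail() throws UserInfoException {
        requireNamedUserGrant("getEmail");
        return getJsonValueInternal(EMAIL);
    }

    /** @deprecated use {@link #getHdbToken()} */
    @Deprecated
    public String getDBToken() throws UserInfoException {
        return getHdbToken();
    }

    /** @return the HANA named-user SAML assertion, see {@link #getToken(String, String)} */
    public String getHdbToken() throws UserInfoException {
        return getToken(SYSTEM, HDB);
    }

    /** @return the raw (encoded) access token this instance was built from */
    public String getAppToken() {
        return this.jwt.getTokenValue();
    }

    /**
     * Hands out a token from the {@code SYSTEM} namespace.
     *
     * <p>Refuses when the context is in foreign mode (token issued for another
     * client id / identity zone) and the token carries user attributes, so that
     * attributes are not leaked to an application that did not provide them.
     * A malformed attribute container is treated as "has attributes" (fails closed).
     *
     * @param namespace must be {@code SYSTEM}
     * @param name      {@code HDB} (returns {@code ext_ctx.hdb.nameduser.saml}, or the
     *                  top-level claim when there is no {@code ext_ctx}; may be
     *                  {@code null} when {@code ext_ctx} exists but lacks the key)
     *                  or {@code JobScheduler} (returns the raw access token)
     * @deprecated kept for compatibility; use the dedicated getters
     */
    @Deprecated
    public String getToken(String namespace, String name) throws UserInfoException {
        if (!GRANTTYPE_CLIENTCREDENTIAL.equals(getGrantType()) && hasAttributes() && isInForeignMode()) {
            throw new UserInfoException("The Spring Security Context has been initialized with an access token of a\nforeign OAuth Client Id and/or Identity Zone. Furthermore, the\naccess token contains attributes. Due to the fact that we want to\nrestrict attribute access to the application that provided the \nattributes, the getToken function does not return a valid token");
        }
        if (!SYSTEM.equals(namespace)) {
            throw new UserInfoException("Invalid namespace " + namespace);
        }
        if (HDB.equals(name)) {
            Map<String, Object> externalContext = this.jwt.getClaimAsMap(EXTERNAL_CONTEXT);
            if (externalContext != null) {
                Object samlAssertion = externalContext.get(HDB_NAMEDUSER_SAML);
                return samlAssertion == null ? null : samlAssertion.toString();
            }
            return getJsonValueInternal(HDB_NAMEDUSER_SAML);
        }
        if (JOB_SCHEDULER.equals(name)) {
            return this.jwt.getTokenValue();
        }
        throw new UserInfoException("Invalid name " + name + " for namespace " + namespace);
    }

    // ------------------------------------------------------------------
    // Attributes and scopes
    // ------------------------------------------------------------------

    /**
     * @return all values of the named user attribute
     * @throws UserInfoException for client_credentials tokens, or when the attribute
     *                           (or its container) is missing or not an array
     */
    public String[] getAttribute(String attributeName) throws UserInfoException {
        requireNamedUserGrant("getAttribute");
        return getMultiValueAttributeFromExtObject(attributeName, XS_USER_ATTRIBUTES);
    }

    /**
     * @return {@code true} when at least one user attribute has at least one value
     * @throws UserInfoException for client_credentials tokens, or when an attribute
     *                           value is not an array (fail closed — this method gates
     *                           {@link #getToken(String, String)})
     */
    public boolean hasAttributes() throws UserInfoException {
        requireNamedUserGrant("hasAttributes");
        Map<String, Object> attributes = userAttributeContainer();
        if (attributes == null) {
            return false;
        }
        for (Object values : attributes.values()) {
            if (!(values instanceof Collection)) {
                throw new UserInfoException("Invalid value of " + XS_USER_ATTRIBUTES);
            }
            if (!((Collection<?>) values).isEmpty()) {
                return true;
            }
        }
        return false;
    }

    /** @return all values of the named system attribute ({@code xs.system.attributes}) */
    public String[] getSystemAttribute(String attributeName) throws UserInfoException {
        return getMultiValueAttributeFromExtObject(attributeName, XS_SYSTEM_ATTRIBUTES);
    }

    /**
     * @return whether the token's {@code scope} claim contains the given scope;
     *         {@code false} (not an NPE) when the claim is absent
     */
    public boolean checkScope(String scope) throws UserInfoException {
        List<String> scopes = this.jwt.getClaimAsStringList(SCOPE);
        return scopes != null && scopes.contains(scope);
    }

    /**
     * Checks a scope qualified with this application's name ({@code <xsappname>.<scope>}).
     *
     * @throws UserInfoException when no xsappname has been configured
     */
    public boolean checkLocalScope(String scope) throws UserInfoException {
        if (this.xsappname == null) {
            throw new UserInfoException("Property xsappname not found in VCAP_SERVICES, must be declared in xs-security.json");
        }
        return checkScope(this.xsappname + "." + scope);
    }

    protected void setXSAppname(String xsappname) {
        this.xsappname = xsappname;
    }

    /** Marks this context as built from a token of a foreign client id / identity zone. */
    protected void setForeignMode(boolean foreignMode) {
        this.foreignMode = foreignMode;
    }

    /** @return the named entry of the {@code az_attr} claim */
    public String getAdditionalAuthAttribute(String attributeName) throws UserInfoException {
        return getAttributeFromObject(attributeName, ADDITIONAL_AZ_ATTR);
    }

    /** @return {@code ext_attr.serviceinstanceid} */
    public String getCloneServiceInstanceId() throws UserInfoException {
        return getExternalAttribute(SERVICEINSTANCEID);
    }

    /** @return the {@code grant_type} claim */
    public String getGrantType() throws UserInfoException {
        return getJsonValueInternal(GRANT_TYPE);
    }

    public boolean isInForeignMode() throws UserInfoException {
        return this.foreignMode;
    }

    /** @return the {@code zid} claim (alias of {@link #getIdentityZone()}) */
    public String getSubaccountId() throws UserInfoException {
        return getIdentityZone();
    }

    /** @return the {@code origin} claim; not available for client_credentials tokens */
    public String getOrigin() throws UserInfoException {
        requireNamedUserGrant("getOrigin");
        return getJsonValueInternal(ORIGIN);
    }

    // ------------------------------------------------------------------
    // Claim-map helpers
    // ------------------------------------------------------------------

    /**
     * Rejects calls that are meaningless for a technical-user token.
     *
     * @param methodName the public method name, used verbatim in the message
     */
    private void requireNamedUserGrant(String methodName) throws UserInfoException {
        if (GRANTTYPE_CLIENTCREDENTIAL.equals(getGrantType())) {
            throw new UserInfoException("Method " + methodName + " is not supported for grant type client_credentials");
        }
    }

    /** @return whether the token carries an {@code ext_ctx} claim */
    private boolean hasExternalContext() {
        return Boolean.TRUE.equals(this.jwt.containsClaim(EXTERNAL_CONTEXT));
    }

    /**
     * Locates the {@code xs.user.attributes} object: nested under {@code ext_ctx}
     * when that claim exists, top-level otherwise.
     *
     * @return the container, or {@code null} when it is absent
     * @throws UserInfoException when it is present but not a JSON object
     */
    @SuppressWarnings("unchecked")
    private Map<String, Object> userAttributeContainer() throws UserInfoException {
        if (!hasExternalContext()) {
            return this.jwt.getClaimAsMap(XS_USER_ATTRIBUTES);
        }
        Object nested = this.jwt.getClaimAsMap(EXTERNAL_CONTEXT).get(XS_USER_ATTRIBUTES);
        if (nested == null) {
            return null;
        }
        if (!(nested instanceof Map)) {
            throw new UserInfoException("Invalid value of " + XS_USER_ATTRIBUTES);
        }
        return (Map<String, Object>) nested;
    }

    private String getExternalAttribute(String attributeName) throws UserInfoException {
        return getAttributeFromObject(attributeName, EXTERNAL_ATTR);
    }

    /** Reads {@code ext_attr.<name>}, falling back to the top-level claim of the same name. */
    private String getExternalAttributeWithFallback(String attributeName) throws UserInfoException {
        try {
            return getExternalAttribute(attributeName);
        } catch (UserInfoException e) {
            return getJsonValueInternal(attributeName);
        }
    }

    /**
     * Reads a string entry of an object-valued claim.
     *
     * @throws UserInfoException when the claim, the entry, or a string value is missing
     */
    private String getAttributeFromObject(String attributeName, String claimName) throws UserInfoException {
        Map<String, Object> container = this.jwt.getClaimAsMap(claimName);
        if (container == null) {
            throw new UserInfoException("Invalid value of " + claimName);
        }
        Object value = container.get(attributeName);
        if (!(value instanceof String)) {
            throw new UserInfoException("Invalid value of " + claimName);
        }
        return (String) value;
    }

    /**
     * Reads a multi-valued attribute, looking under {@code ext_ctx} when that
     * claim exists and at the top level otherwise. Both paths now report missing
     * or malformed data as {@link UserInfoException} (the ext_ctx path used to NPE).
     */
    private String[] getMultiValueAttributeFromExtObject(String attributeName, String claimName) throws UserInfoException {
        if (!hasExternalContext()) {
            return getMultiValueAttributeFromObject(attributeName, claimName);
        }
        Object container = this.jwt.getClaimAsMap(EXTERNAL_CONTEXT).get(claimName);
        if (!(container instanceof Map)) {
            throw new UserInfoException("Invalid value of " + claimName);
        }
        return toStringArray(((Map<?, ?>) container).get(attributeName), claimName);
    }

    private String[] getMultiValueAttributeFromObject(String attributeName, String claimName) throws UserInfoException {
        Map<String, Object> container = this.jwt.getClaimAsMap(claimName);
        if (container == null) {
            throw new UserInfoException("Invalid value of " + claimName);
        }
        return toStringArray(container.get(attributeName), claimName);
    }

    /**
     * Copies an array-valued attribute into a {@code String[]}.
     *
     * @param value     the raw attribute value (a JSON array, i.e. a {@link Collection})
     * @param claimName used only for the error message
     * @throws UserInfoException when the value is missing or not an array
     */
    private static String[] toStringArray(Object value, String claimName) throws UserInfoException {
        if (!(value instanceof Collection)) {
            throw new UserInfoException("Invalid value of " + claimName);
        }
        Collection<?> elements = (Collection<?>) value;
        String[] result = new String[elements.size()];
        int index = 0;
        for (Object element : elements) {
            result[index++] = Objects.toString(element, null);
        }
        return result;
    }

    // ------------------------------------------------------------------
    // Token exchange
    // ------------------------------------------------------------------

    /**
     * Requests a new token from the OAuth server described by {@code request}.
     *
     * <p>When the caller's token carries a subdomain ({@code ext_attr.zdn}) that
     * differs from the endpoint's first host label, the endpoint is rewritten to
     * that subdomain before the call. Because the client secret is then sent to the
     * rewritten host, the subdomain must look like a plain DNS label.
     *
     * @throws UserInfoException on an invalid request, an unusable subdomain, or any
     *                           failure of the token call
     */
    public String requestToken(XSTokenRequest request) throws UserInfoException {
        if (!request.isValid()) {
            throw new UserInfoException("Invalid grant type or missing parameters for requested grant type.");
        }
        String authorities = serializeAuthorities(request.getAdditionalAuthorizationAttributes());
        URI endpoint = request.getTokenEndpoint();
        if (endpoint == null) {
            throw new UserInfoException("Invalid service credentials: Missing url.");
        }
        String tokenSubdomain = getSubdomain();
        String endpointSubdomain = extractSubdomain(endpoint.toString());
        if (tokenSubdomain != null && endpointSubdomain != null && !tokenSubdomain.equals(endpointSubdomain)) {
            if (!SUBDOMAIN_LABEL.matcher(tokenSubdomain).matches()) {
                throw new UserInfoException("Invalid value of " + ZDN);
            }
            URI rewritten = replaceSubdomain(endpoint, tokenSubdomain);
            if (rewritten == null) {
                throw new UserInfoException("Invalid service credentials: Missing url.");
            }
            request.setTokenEndpoint(rewritten);
        }
        switch (request.getType()) {
            case XSTokenRequestImpl.TYPE_USER_TOKEN /* 0 */:
                return requestTokenNamedUser(request.getClientId(), request.getClientSecret(), request.getTokenEndpoint().toString(), authorities);
            case XSTokenRequestImpl.TYPE_CLIENT_CREDENTIALS_TOKEN /* 1 */:
                return requestTokenTechnicalUser(request, authorities);
            default:
                throw new UserInfoException("Invalid grant type.");
        }
    }

    /**
     * Serializes additional authorization attributes as {@code {"az_attr": {...}}}.
     *
     * @return the JSON text, or {@code null} when there are no attributes
     */
    private static String serializeAuthorities(Map<?, ?> attributes) throws UserInfoException {
        if (attributes == null) {
            return null;
        }
        Map<String, Object> payload = new HashMap<>();
        payload.put(ADDITIONAL_AZ_ATTR, attributes);
        StringBuilder json = new StringBuilder();
        try {
            JSONObject.writeJSON(payload, json);
        } catch (IOException e) {
            throw new UserInfoException("Error creating json representation", e);
        }
        return json.toString();
    }

    /**
     * client_credentials grant authenticated with the request's client id/secret.
     *
     * <p>NOTE(review): {@code grant_type} and {@code authorities} travel in the query
     * string, and the endpoint scheme is not checked — confirm the endpoint is
     * always https before relying on this in a new deployment.
     */
    private String requestTokenTechnicalUser(XSTokenRequest request, String authorities) throws UserInfoException {
        UriComponentsBuilder tokenUri = UriComponentsBuilder.fromUri(request.getTokenEndpoint())
                .queryParam(GRANT_TYPE, GRANTTYPE_CLIENTCREDENTIAL);
        if (authorities != null) {
            tokenUri.queryParam(AUTHORITIES, authorities);
        }
        HttpHeaders headers = jsonHeaders("Basic " + basicCredentials(request.getClientId(), request.getClientSecret()));
        ResponseEntity<Map> response = new RestTemplate().postForEntity(
                tokenUri.build().encode().toUri(), new HttpEntity<Void>(headers), Map.class);
        return extractTokenValue(response, GRANTTYPE_CLIENTCREDENTIAL, "Client credentials invalid", ACCESS_TOKEN);
    }

    /**
     * Two-step user_token exchange: first a {@code user_token} grant with the
     * caller's bearer token (yields a refresh token for the target client), then a
     * {@code refresh_token} grant authenticated with the target client's secret.
     *
     * <p>NOTE(review): the refresh token is sent as a query parameter of the second
     * call, so it may end up in server/proxy access logs; a form-encoded body would
     * be the conventional place — confirm the server accepts that before changing.
     *
     * @param tokenUrl full token endpoint URL (already subdomain-adjusted by the caller)
     * @param authorities serialized additional attributes, or {@code null}
     */
    private String requestTokenNamedUser(String clientId, String clientSecret, String tokenUrl, String authorities) throws UserInfoException {
        if (clientId == null || clientSecret == null) {
            throw new UserInfoException("Invalid service credentials: Missing clientid/clientsecret.");
        }
        if (tokenUrl == null) {
            throw new UserInfoException("Invalid service credentials: Missing url.");
        }
        if (!checkScope(UAA_USER_SCOPE)) {
            throw new UserInfoException("JWT token does not include scope 'uaa.user'.");
        }
        UriComponentsBuilder userTokenUri = UriComponentsBuilder.fromHttpUrl(tokenUrl)
                .queryParam(GRANT_TYPE, GRANTTYPE_USERTOKEN)
                .queryParam("response_type", "token")
                .queryParam("client_id", clientId);
        if (authorities != null) {
            userTokenUri.queryParam(AUTHORITIES, authorities);
        }
        RestTemplate restTemplate = new RestTemplate();
        HttpHeaders bearerHeaders = jsonHeaders("Bearer " + this.jwt.getTokenValue());
        ResponseEntity<Map> userTokenResponse = restTemplate.postForEntity(
                userTokenUri.build().encode().toUri(), new HttpEntity<Void>(bearerHeaders), Map.class);
        String refreshToken = extractTokenValue(userTokenResponse, GRANTTYPE_USERTOKEN,
                "Bearer token invalid, requesting client does not have grant_type=user_token or no scopes were granted.",
                REFRESH_TOKEN);

        UriComponentsBuilder refreshUri = UriComponentsBuilder.fromHttpUrl(tokenUrl)
                .queryParam(GRANT_TYPE, REFRESH_TOKEN)
                .queryParam(REFRESH_TOKEN, refreshToken);
        HttpHeaders basicHeaders = jsonHeaders("Basic " + basicCredentials(clientId, clientSecret));
        ResponseEntity<Map> refreshResponse = restTemplate.postForEntity(
                refreshUri.build().encode().toUri(), new HttpEntity<Void>(basicHeaders), Map.class);
        return extractTokenValue(refreshResponse, REFRESH_TOKEN, "Client credentials invalid", ACCESS_TOKEN);
    }

    /**
     * Checks the status of a token-endpoint response and pulls one field from its body.
     *
     * <p>NOTE(review): a plain {@code RestTemplate} typically raises an exception on
     * 4xx/5xx before these status checks are reached; the UNAUTHORIZED branch is kept
     * for callers that configure a lenient error handler — confirm which applies.
     *
     * @param grantType          used in the error messages
     * @param unauthorizedReason message suffix for a 401
     * @param key                body field to return ({@code access_token} / {@code refresh_token})
     * @throws UserInfoException on a non-200 status or when the field is missing
     */
    @SuppressWarnings("rawtypes")
    private static String extractTokenValue(ResponseEntity<Map> response, String grantType, String unauthorizedReason, String key) throws UserInfoException {
        if (response.getStatusCode() == HttpStatus.UNAUTHORIZED) {
            throw new UserInfoException("Call to /oauth/token was not successful (grant_type: " + grantType + "). " + unauthorizedReason);
        }
        if (response.getStatusCode() != HttpStatus.OK) {
            throw new UserInfoException("Call to /oauth/token was not successful (grant_type: " + grantType + "). HTTP status code: " + response.getStatusCode());
        }
        Map body = response.getBody();
        Object value = body == null ? null : body.get(key);
        if (value == null) {
            throw new UserInfoException("Call to /oauth/token was not successful (grant_type: " + grantType + "). Response contains no " + key);
        }
        return value.toString();
    }

    /** Builds {@code Accept: application/json} plus the given {@code Authorization} value. */
    private static HttpHeaders jsonHeaders(String authorization) {
        HttpHeaders headers = new HttpHeaders();
        headers.add("Accept", "application/json");
        headers.add("Authorization", authorization);
        return headers;
    }

    /** Base64 of {@code clientId:clientSecret}, encoded as UTF-8 regardless of platform charset. */
    private static String basicCredentials(String clientId, String clientSecret) {
        return Base64.getEncoder().encodeToString((clientId + ":" + clientSecret).getBytes(StandardCharsets.UTF_8));
    }

    /**
     * @deprecated use {@link #requestToken(XSTokenRequest)}
     * @param baseUrl OAuth server base URL; {@code /oauth/token} is appended
     */
    @Deprecated
    public String requestTokenForClient(String clientId, String clientSecret, String baseUrl) throws UserInfoException {
        return requestTokenNamedUser(clientId, clientSecret, baseUrl != null ? baseUrl + "/oauth/token" : null, null);
    }

    // ------------------------------------------------------------------
    // Subdomain handling
    // ------------------------------------------------------------------

    /**
     * @return the first label of the URL's host, or {@code null} when the URL does
     *         not parse, has no host, or the host contains no dot
     */
    private static String extractSubdomain(String url) {
        try {
            String host = new URI(url).getHost();
            if (host == null || !host.contains(".")) {
                return null;
            }
            return host.substring(0, host.indexOf('.'));
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /**
     * Rebuilds {@code uri} with its first host label replaced by {@code subdomain}.
     * Only scheme, host, port and path are carried over; a query or fragment on the
     * original endpoint is dropped.
     *
     * @return the rewritten URI, or {@code null} when either argument is null or the
     *         host is missing / has no dot
     */
    private static URI replaceSubdomain(URI uri, String subdomain) {
        if (uri == null || subdomain == null) {
            return null;
        }
        String host = uri.getHost();
        if (host == null || !host.contains(".")) {
            return null;
        }
        String newHost = subdomain + host.substring(host.indexOf('.'));
        String rebuilt = UriComponentsBuilder.newInstance()
                .scheme(uri.getScheme())
                .host(newHost)
                .port(uri.getPort())
                .path(uri.getPath())
                .build()
                .toString();
        return uri.resolve(rebuilt);
    }
}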
