package org.apereo.cas.oidc.web.controllers.dynareg;

import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.InputStream;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import lombok.Generated;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.http.HttpResponse;
import org.apereo.cas.configuration.support.Beans;
import org.apereo.cas.oidc.OidcConfigurationContext;
import org.apereo.cas.oidc.dynareg.OidcClientRegistrationRequest;
import org.apereo.cas.services.DefaultRegisteredServiceContact;
import org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy;
import org.apereo.cas.services.OidcRegisteredService;
import org.apereo.cas.services.OidcSubjectTypes;
import org.apereo.cas.services.PairwiseOidcRegisteredServiceUsernameAttributeProvider;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.oauth.OAuth20GrantTypes;
import org.apereo.cas.support.oauth.OAuth20ResponseTypes;
import org.apereo.cas.support.oauth.util.OAuth20Utils;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.HttpUtils;
import org.apereo.cas.util.RandomUtils;
import org.apereo.cas.util.function.FunctionUtils;
import org.apereo.cas.util.serialization.JacksonObjectMapperFactory;
import org.hjson.JsonValue;
import org.jose4j.jwk.JsonWebKeySet;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpMethod;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-oidc-core-api-6.6.15.jar:org/apereo/cas/oidc/web/controllers/dynareg/OidcClientRegistrationRequestTranslator.class */
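/**
 * Turns an OIDC dynamic client registration request into an {@link OidcRegisteredService}.
 *
 * <p>Every value read from the request is supplied by the registering client and must be treated
 * as untrusted. {@link #translate} copies those values onto a service definition and then runs
 * {@link #validate}; persisting the returned service is left to the caller.
 */
public class OidcClientRegistrationRequestTranslator {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(OidcClientRegistrationRequestTranslator.class);
    private static final ObjectMapper MAPPER = JacksonObjectMapperFactory.builder().defaultTypingEnabled(false).build().toObjectMapper();
    private static final int GENERATED_CLIENT_NAME_LENGTH = 8;
    private final OidcConfigurationContext context;

    /**
     * Builds or updates a service definition from a registration request.
     *
     * @param oidcClientRegistrationRequest the client-supplied registration request
     * @param optional an existing service to update; when empty, a service already registered for
     *     one of the requested redirect URIs is reused, otherwise a new one is created
     * @return the populated service definition (not saved by this method)
     * @throws IllegalArgumentException if a redirect URI carries a fragment or validation fails
     * @throws Exception if a URI cannot be parsed or the sector identifier document cannot be read
     */
    public OidcRegisteredService translate(OidcClientRegistrationRequest oidcClientRegistrationRequest, Optional<OidcRegisteredService> optional) throws Exception {
        final OidcClientRegistrationRequest request = oidcClientRegistrationRequest;
        if (request.getRedirectUris().stream().anyMatch(uri -> uri.contains("#"))) {
            throw new IllegalArgumentException("Redirect URI cannot contain a fragment");
        }

        ServicesManager servicesManager = this.context.getServicesManager();
        // NOTE(review): when no service is passed in, a definition that already exists for one of
        // the requested redirect URIs is reused and overwritten field by field below, and it keeps
        // its client id and secret because they are not blank. Nothing in this method checks that
        // the requester may update that registration; confirm the caller enforces it before saving.
        OidcRegisteredService service = optional.orElseGet(() -> request.getRedirectUris().stream()
            .map(uri -> (OidcRegisteredService) OAuth20Utils.getRegisteredOAuthServiceByRedirectUri(servicesManager, uri))
            .filter(Objects::nonNull)
            .findFirst()
            .orElseGet(OidcRegisteredService::new));

        if (StringUtils.isNotBlank(request.getClientName())) {
            service.setName(request.getClientName());
        } else if (StringUtils.isBlank(service.getName())) {
            service.setName(RandomUtils.randomAlphabetic(GENERATED_CLIENT_NAME_LENGTH));
        }

        // NOTE(review): the redirect URIs are joined unquoted. If the service id is evaluated as a
        // regular expression (the usual CAS behaviour, confirm for this service type),
        // metacharacters in a client-supplied URI widen what the registration matches.
        service.setServiceId(String.join("|", request.getRedirectUris()));
        service.setSectorIdentifierUri(request.getSectorIdentifierUri());
        service.setSubjectType(request.getSubjectType());
        if (StringUtils.equalsIgnoreCase(OidcSubjectTypes.PAIRWISE.getType(), service.getSubjectType())) {
            service.setUsernameAttributeProvider(new PairwiseOidcRegisteredServiceUsernameAttributeProvider());
        }

        // A JWKS URI takes precedence over an inline key set.
        if (StringUtils.isNotBlank(request.getJwksUri())) {
            service.setJwks(request.getJwksUri());
        } else {
            JsonWebKeySet jwks = request.getJwks();
            if (jwks != null && !jwks.getJsonWebKeys().isEmpty()) {
                // Inline keys without a key id receive a generated one before being stored.
                jwks.getJsonWebKeys().stream()
                    .filter(key -> StringUtils.isBlank(key.getKeyId()))
                    .forEach(key -> key.setKeyId(RandomUtils.randomAlphabetic(6)));
                service.setJwks(jwks.toJson());
            }
        }

        if (StringUtils.isNotBlank(request.getTokenEndpointAuthMethod())) {
            service.setTokenEndpointAuthenticationMethod(request.getTokenEndpointAuthMethod());
        }
        // Credentials are generated only when missing, so an existing service keeps its own.
        if (StringUtils.isBlank(service.getClientId())) {
            service.setClientId(this.context.getClientIdGenerator().getNewString());
        }
        if (StringUtils.isBlank(service.getClientSecret())) {
            service.setClientSecret(this.context.getClientSecretGenerator().getNewString());
        }

        service.setEvaluationOrder(0);
        service.setLogoutUrl(org.springframework.util.StringUtils.collectionToCommaDelimitedString(request.getPostLogoutRedirectUris()));
        if (StringUtils.isNotBlank(request.getLogo())) {
            service.setLogo(request.getLogo());
        }
        if (StringUtils.isNotBlank(request.getPolicyUri())) {
            service.setInformationUrl(request.getPolicyUri());
        }
        if (StringUtils.isNotBlank(request.getTermsOfUseUri())) {
            service.setPrivacyUrl(request.getTermsOfUseUri());
        }

        FunctionUtils.doIfNotNull(request.getGrantTypes(), grantTypes -> {
            service.setSupportedGrantTypes(new HashSet<>(grantTypes));
        });
        FunctionUtils.doIfNotNull(request.getResponseTypes(), responseTypes -> {
            service.setSupportedResponseTypes(new HashSet<>(responseTypes));
        });
        // Fall back to the authorization-code flow when the client asked for nothing.
        if (service.getSupportedGrantTypes().isEmpty()) {
            service.setSupportedGrantTypes(CollectionUtils.wrapHashSet(OAuth20GrantTypes.AUTHORIZATION_CODE.getType()));
        }
        if (service.getSupportedResponseTypes().isEmpty()) {
            service.setSupportedResponseTypes(CollectionUtils.wrapHashSet(OAuth20ResponseTypes.CODE.getType()));
        }

        if (!StringUtils.equalsIgnoreCase("none", request.getUserInfoSignedReponseAlg())) {
            service.setUserInfoSigningAlg(request.getUserInfoSignedReponseAlg());
        }
        service.setUserInfoEncryptedResponseAlg(request.getUserInfoEncryptedResponseAlg());
        if (StringUtils.isNotBlank(service.getUserInfoEncryptedResponseAlg())) {
            if (StringUtils.isBlank(request.getUserInfoEncryptedResponseEncoding())) {
                service.setUserInfoEncryptedResponseEncoding("A128CBC-HS256");
            } else {
                service.setUserInfoEncryptedResponseEncoding(request.getUserInfoEncryptedResponseEncoding());
            }
        }

        // Every scope listed in the discovery settings is assigned; no scope value from the
        // request is consulted in this method. The original assigned the set twice; only the
        // final LinkedHashSet assignment is kept.
        Set<String> discoveryScopes = new HashSet<>(this.context.getCasProperties().getAuthn().getOidc().getDiscovery().getScopes());
        service.setScopes(new LinkedHashSet<>(discoveryScopes));

        if (!request.getDefaultAcrValues().isEmpty()) {
            DefaultRegisteredServiceMultifactorPolicy mfaPolicy = new DefaultRegisteredServiceMultifactorPolicy();
            mfaPolicy.setMultifactorAuthenticationProviders(new HashSet<>(request.getDefaultAcrValues()));
            service.setMultifactorAuthenticationPolicy(mfaPolicy);
        }

        if (StringUtils.isNotBlank(request.getIdTokenSignedResponseAlg())) {
            service.setIdTokenSigningAlg(request.getIdTokenSignedResponseAlg());
            service.setSignIdToken(true);
        }
        if (StringUtils.isNotBlank(request.getIdTokenEncryptedResponseAlg())) {
            service.setIdTokenEncryptionAlg(request.getIdTokenEncryptedResponseAlg());
            service.setEncryptIdToken(true);
        }
        if (StringUtils.isNotBlank(request.getIdTokenEncryptedResponseEncoding())) {
            service.setIdTokenEncryptionEncoding(request.getIdTokenEncryptedResponseEncoding());
            service.setEncryptIdToken(true);
        }

        // Contacts are replaced wholesale; an entry containing '@' is stored as an e-mail address
        // with its local part as the display name.
        service.getContacts().clear();
        request.getContacts().forEach(entry -> {
            DefaultRegisteredServiceContact contact = new DefaultRegisteredServiceContact();
            if (entry.contains("@")) {
                contact.setEmail(entry);
                contact.setName(entry.substring(0, entry.indexOf('@')));
            } else {
                contact.setName(entry);
            }
            service.getContacts().add(contact);
        });

        // A configured lifetime is applied only when the service has no expiration recorded yet.
        long secretLifetimeSeconds = Beans.newDuration(this.context.getCasProperties().getAuthn().getOidc().getRegistration().getClientSecretExpiration()).toSeconds();
        if (secretLifetimeSeconds > 0 && service.getClientSecretExpiration() <= 0) {
            ZonedDateTime now = ZonedDateTime.now(ZoneOffset.UTC);
            ZonedDateTime expiresAt = now.plusSeconds(secretLifetimeSeconds);
            LOGGER.debug("Client secret shall expire at [{}] while now is [{}]", expiresAt, now);
            service.setClientSecretExpiration(expiresAt.toEpochSecond());
        }

        service.setDescription("Registered service ".concat(service.getName()));
        // NOTE(review): validation runs after the service object has been mutated, so a reused
        // definition is already changed in memory when validation throws. Confirm callers never
        // persist or keep using the object after a failure.
        validate(request, service);
        return service;
    }

    /**
     * Checks the sector identifier document and, unless registration runs in protected mode, the
     * hosts of the logo and policy URIs.
     *
     * @param oidcClientRegistrationRequest the client-supplied registration request
     * @param oidcRegisteredService the service populated from that request
     * @throws IllegalArgumentException if the sector identifier document cannot be fetched or does
     *     not equal the requested redirect URIs, or if the logo or policy URI has no host or a
     *     host that none of the redirect URIs uses
     * @throws Exception if a URI cannot be parsed or the response body cannot be read
     */
    private void validate(OidcClientRegistrationRequest oidcClientRegistrationRequest, OidcRegisteredService oidcRegisteredService) throws Exception {
        String sectorIdentifierUri = oidcRegisteredService.getSectorIdentifierUri();
        if (StringUtils.isNotBlank(sectorIdentifierUri)) {
            // NOTE(review): this is a server-side GET to a URL chosen by the registering client.
            // No scheme or destination restriction is visible here, and the body is read without
            // a size limit. Confirm that https-only and egress controls are enforced elsewhere.
            HttpResponse httpResponse = null;
            try {
                httpResponse = HttpUtils.execute(HttpUtils.HttpExecutionRequest.builder().method(HttpMethod.GET).url(sectorIdentifierUri).build());
                // Fail closed: previously a missing or non-200 response skipped the comparison, so
                // an unverifiable sector identifier was accepted as if it had been checked.
                if (httpResponse == null || httpResponse.getStatusLine().getStatusCode() != 200 || httpResponse.getEntity() == null) {
                    throw new IllegalArgumentException("Invalid sector identifier uri");
                }
                try (InputStream content = httpResponse.getEntity().getContent()) {
                    List<String> sectorUris = MAPPER.readValue(
                        JsonValue.readHjson(IOUtils.toString(content, StandardCharsets.UTF_8)).toString(),
                        MAPPER.getTypeFactory().constructParametricType(List.class, String.class));
                    // The published list must equal the requested redirect URIs, order included.
                    if (!Objects.equals(sectorUris, oidcClientRegistrationRequest.getRedirectUris())) {
                        throw new IllegalArgumentException("Invalid sector identifier uri");
                    }
                }
            } finally {
                HttpUtils.close(httpResponse);
            }
        }

        // In protected mode the logo and policy host checks below are not applied.
        if (this.context.getCasProperties().getAuthn().getOidc().getRegistration().getDynamicClientRegistrationMode().isProtected()) {
            return;
        }

        String logo = oidcClientRegistrationRequest.getLogo();
        String policyUri = oidcClientRegistrationRequest.getPolicyUri();
        if (StringUtils.isBlank(logo) && StringUtils.isBlank(policyUri)) {
            return;
        }

        // URIs without a host component yield null. Those are dropped here so that a host-less
        // logo or policy URI can never be accepted by matching a host-less redirect URI.
        Set<String> redirectHosts = oidcClientRegistrationRequest.getRedirectUris().stream()
            .map(uri -> (String) FunctionUtils.doUnchecked(() -> new URI(uri).getHost()))
            .filter(Objects::nonNull)
            .collect(Collectors.toSet());

        if (StringUtils.isNotBlank(logo) && !hasKnownHost(redirectHosts, logo)) {
            throw new IllegalArgumentException("Invalid logo uri from an unknown host");
        }
        if (StringUtils.isNotBlank(policyUri) && !hasKnownHost(redirectHosts, policyUri)) {
            throw new IllegalArgumentException("Invalid policy uri from an unknown host");
        }
    }

    /** Returns true only when {@code uri} has a host and that host is one of {@code knownHosts}. */
    private static boolean hasKnownHost(Set<String> knownHosts, String uri) throws Exception {
        String host = new URI(uri).getHost();
        return host != null && knownHosts.contains(host);
    }

    /**
     * Creates a translator bound to the given OIDC configuration context.
     *
     * @param oidcConfigurationContext source of the services manager, id and secret generators and
     *     CAS properties used during translation
     */
    @Generated
    public OidcClientRegistrationRequestTranslator(OidcConfigurationContext oidcConfigurationContext) {
        this.context = oidcConfigurationContext;
    }
}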
