package org.apereo.cas.support.oauth.web;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.nimbusds.jwt.JWTClaimsSet;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apache.hc.core5.net.URIBuilder;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.support.oauth.OAuth20GrantTypes;
import org.apereo.cas.support.oauth.OAuth20ResponseModeTypes;
import org.apereo.cas.support.oauth.OAuth20ResponseTypes;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.support.oauth.util.OAuth20Utils;
import org.apereo.cas.support.oauth.web.views.OAuth20UserProfileViewRenderer;
import org.apereo.cas.token.JwtBuilder;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.EncodingUtils;
import org.apereo.cas.util.function.FunctionUtils;
import org.apereo.cas.util.serialization.JacksonObjectMapperFactory;
import org.hjson.JsonValue;
import org.jooq.lambda.Unchecked;
import org.pac4j.core.context.CallContext;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.context.WebContextHelper;
import org.pac4j.core.credentials.UsernamePasswordCredentials;
import org.pac4j.core.credentials.extractor.BasicAuthExtractor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/support/oauth/web/DefaultOAuth20RequestParameterResolver.class */
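/**
 * Resolves OAuth 2.0 / OpenID Connect request parameters from a {@link WebContext}.
 *
 * <p>Every value handled here comes from the HTTP request and is untrusted. Two sources are
 * consulted: the claims of a JWT passed in the {@code request} parameter (only when the
 * discovery settings report the request parameter as supported), and the plain request
 * parameters. Several resolvers additionally intersect the requested values with the lists
 * published in the OIDC discovery settings, so values outside those lists are dropped.
 *
 * <p>This listing was recovered from compiled bytecode. The lambda parameters that shadowed
 * each other and the synthetic {@code r1} receivers have been restored to valid Java.
 */
public class DefaultOAuth20RequestParameterResolver implements OAuth20RequestParameterResolver {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(DefaultOAuth20RequestParameterResolver.class);
    private static final ObjectMapper MAPPER = JacksonObjectMapperFactory.builder().singleArrayElementUnwrapped(true).build().toObjectMapper();
    private final JwtBuilder jwtBuilder;

    /**
     * Resolves the {@code response_type} request parameter.
     *
     * @param webContext the current request context
     * @return the matching response type. A missing value, or one that is not in the
     *     discovery list of supported response types, resolves to {@link OAuth20ResponseTypes#CODE}
     */
    public OAuth20ResponseTypes resolveResponseType(WebContext webContext) {
        List<String> supported = this.jwtBuilder.getCasProperties().getAuthn().getOidc().getDiscovery().getResponseTypesSupported();
        String requested = resolveSupportedValue(webContext, "response_type", supported);
        // An unsupported value is not rejected here; it is replaced by the CODE default.
        OAuth20ResponseTypes resolved = Arrays.stream(OAuth20ResponseTypes.values())
            .filter(candidate -> candidate.getType().equalsIgnoreCase(requested))
            .findFirst()
            .orElse(OAuth20ResponseTypes.CODE);
        LOGGER.debug("OAuth response type is [{}]", resolved);
        return resolved;
    }

    /**
     * Resolves the {@code grant_type} request parameter.
     *
     * @param webContext the current request context
     * @return the matching grant type, or {@link OAuth20GrantTypes#NONE} when the value is
     *     missing or not in the discovery list of supported grant types
     */
    public OAuth20GrantTypes resolveGrantType(WebContext webContext) {
        List<String> supported = this.jwtBuilder.getCasProperties().getAuthn().getOidc().getDiscovery().getGrantTypesSupported();
        String requested = resolveSupportedValue(webContext, "grant_type", supported);
        OAuth20GrantTypes resolved = Arrays.stream(OAuth20GrantTypes.values())
            .filter(candidate -> candidate.getType().equalsIgnoreCase(requested))
            .findFirst()
            .orElse(OAuth20GrantTypes.NONE);
        LOGGER.debug("OAuth grant type is [{}]", resolved);
        return resolved;
    }

    /**
     * Resolves the {@code response_mode} request parameter.
     *
     * @param webContext the current request context
     * @return the matching response mode, or {@link OAuth20ResponseModeTypes#NONE} when the
     *     value is missing or not in the discovery list of supported response modes
     */
    public OAuth20ResponseModeTypes resolveResponseModeType(WebContext webContext) {
        List<String> supported = this.jwtBuilder.getCasProperties().getAuthn().getOidc().getDiscovery().getResponseModesSupported();
        String requested = resolveSupportedValue(webContext, "response_mode", supported);
        OAuth20ResponseModeTypes resolved = Arrays.stream(OAuth20ResponseModeTypes.values())
            .filter(candidate -> candidate.getType().equalsIgnoreCase(requested))
            .findFirst()
            .orElse(OAuth20ResponseModeTypes.NONE);
        // The message previously said "response type", a copy of the resolveResponseType text.
        LOGGER.debug("OAuth response mode is [{}]", resolved);
        return resolved;
    }

    /**
     * Reads one claim from a JWT request object.
     *
     * @param jwtRequest the serialized JWT taken from the {@code request} parameter
     * @param registeredService the service the JWT is unpacked for; may be {@code null}
     * @param claimName the claim to read
     * @param cls the expected type: an array type, a {@link Collection} type, or a scalar type
     * @param <T> the expected type
     * @return the claim value, or {@code null} when the claim is absent
     * @throws Exception if unpacking fails or the claim does not have the expected shape
     */
    public <T> T resolveJwtRequestParameter(String jwtRequest, RegisteredService registeredService, String claimName, Class<T> cls) throws Exception {
        // NOTE(review): whether unpack() verifies the signature, and with which keys, is decided
        // inside JwtBuilder and is not visible from this class - confirm before trusting claims.
        JWTClaimsSet claims = this.jwtBuilder.unpack(Optional.ofNullable(registeredService), jwtRequest);
        if (cls.isArray()) {
            return cls.cast(claims.getStringArrayClaim(claimName));
        }
        if (Collection.class.isAssignableFrom(cls)) {
            return cls.cast(claims.getStringListClaim(claimName));
        }
        return cls.cast(claims.getStringClaim(claimName));
    }

    /**
     * Reads one claim from a JWT request object, looking up the registered service by the
     * client id found in the plain request parameters.
     *
     * @param webContext the current request context
     * @param jwtRequest the serialized JWT taken from the {@code request} parameter
     * @param claimName the claim to read
     * @param cls the expected type
     * @param <T> the expected type
     * @return the claim value, or {@code null} when the claim is absent
     */
    public <T> T resolveJwtRequestParameter(WebContext webContext, String jwtRequest, String claimName, Class<T> cls) {
        // The client id that selects the service comes from the outer, unsigned request
        // parameter, not from inside the JWT; an absent client id is looked up as "".
        String clientId = webContext.getRequestParameter(OAuth20UserProfileViewRenderer.MODEL_ATTRIBUTE_CLIENT_ID).orElse("");
        OAuthRegisteredService service = OAuth20Utils.getRegisteredOAuthServiceByClientId(this.jwtBuilder.getServicesManager(), clientId);
        return FunctionUtils.doUnchecked(() -> resolveJwtRequestParameter(jwtRequest, service, claimName, cls));
    }

    /**
     * Resolves several request parameters at once.
     *
     * @param parameterNames the parameter names to resolve; a repeated name makes
     *     {@link Collectors#toMap} throw {@link IllegalStateException}
     * @param webContext the current request context
     * @return a map from each name to the set of its URL-decoded, space-separated values;
     *     a name with no value maps to an empty set
     */
    public Map<String, Object> resolveRequestParameters(Collection<String> parameterNames, WebContext webContext) {
        return parameterNames.stream()
            .map(name -> {
                Set<String> values = resolveRequestParameter(webContext, name)
                    .map(EncodingUtils::urlDecode)
                    .map(decoded -> Arrays.stream(decoded.split(" ")).collect(Collectors.toSet()))
                    .orElseGet(Set::of);
                return Pair.of(name, values);
            })
            .collect(Collectors.toMap(Pair::getKey, Pair::getValue));
    }

    /**
     * Resolves a single request parameter as a string.
     *
     * @param webContext the current request context
     * @param name the parameter name
     * @return the value, if any
     */
    public Optional<String> resolveRequestParameter(WebContext webContext, String name) {
        return resolveRequestParameter(webContext, name, String.class);
    }

    /**
     * Resolves a single request parameter as the given type.
     *
     * <p>When the request carries a {@code request} parameter and the discovery settings
     * report it as supported, the value is read from that JWT first. If the JWT does not
     * contain the claim, the lookup falls through to the plain request parameters.
     *
     * @param webContext the current request context
     * @param name the parameter (or claim) name
     * @param cls the expected type: an array type, a {@link Collection} type, or a scalar type
     * @param <T> the expected type
     * @return the value, if any
     */
    public <T> Optional<T> resolveRequestParameter(WebContext webContext, String name, Class<T> cls) {
        boolean requestObjectSupported = this.jwtBuilder.getCasProperties().getAuthn().getOidc().getDiscovery().isRequestParameterSupported();
        return webContext.getRequestParameter("request")
            .filter(jwtRequest -> requestObjectSupported)
            .map(Unchecked.function(jwtRequest -> resolveJwtRequestParameter(webContext, jwtRequest, name, cls)))
            // NOTE(review): a claim missing from the request object yields an empty Optional,
            // so the value is then taken from the plain request parameters. Callers that need
            // a parameter to be covered by the request object must enforce that themselves.
            .or(() -> {
                String[] values = webContext.getRequestParameters().get(name);
                if (values == null || values.length == 0) {
                    return Optional.empty();
                }
                // Array and collection results are returned as received; only the scalar
                // branch below applies EncodingUtils.urlDecode, and it uses the first value.
                if (cls.isArray()) {
                    return Optional.of(cls.cast(values));
                }
                if (Collection.class.isAssignableFrom(cls)) {
                    return Optional.of(cls.cast(CollectionUtils.wrapArrayList(values)));
                }
                return Optional.ofNullable(EncodingUtils.urlDecode(values[0])).map(cls::cast);
            });
    }

    /**
     * Resolves the requested scopes, keeping only those listed in the discovery settings.
     *
     * @param webContext the current request context
     * @return the requested scopes that are also supported, in iteration order of the request
     */
    public Collection<String> resolveRequestedScopes(WebContext webContext) {
        Map<String, Object> parameters = resolveRequestParameters(CollectionUtils.wrap("scope"), webContext);
        if (parameters == null || parameters.isEmpty()) {
            return new ArrayList<>(0);
        }
        List<String> supportedScopes = this.jwtBuilder.getCasProperties().getAuthn().getOidc().getDiscovery().getScopes();
        // resolveRequestParameters stores a Set<String> under every key it returns.
        @SuppressWarnings("unchecked")
        Collection<String> requested = (Collection<String>) parameters.get("scope");
        Set<String> granted = new LinkedHashSet<>(requested);
        granted.retainAll(supportedScopes);
        return granted;
    }

    /**
     * Checks the requested {@code grant_type} against the registered service.
     *
     * @param webContext the current request context
     * @param oAuthRegisteredService the service the request is made for
     * @return the result of {@link OAuth20RequestParameterResolver#isAuthorizedGrantTypeForService};
     *     a missing grant type is passed on as an empty string
     */
    public boolean isAuthorizedGrantTypeForService(WebContext webContext, OAuthRegisteredService oAuthRegisteredService) {
        String grantType = resolveRequestParameter(webContext, "grant_type").map(String::valueOf).orElse("");
        return OAuth20RequestParameterResolver.isAuthorizedGrantTypeForService(grantType, oAuthRegisteredService);
    }

    /**
     * Checks the requested {@code response_type} against the registered service.
     *
     * @param webContext the current request context
     * @param oAuthRegisteredService the service the request is made for
     * @return {@code true} when the service lists the requested response type, and also when
     *     the service lists no response types at all
     */
    public boolean isAuthorizedResponseTypeForService(WebContext webContext, OAuthRegisteredService oAuthRegisteredService) {
        Collection<String> supported = oAuthRegisteredService.getSupportedResponseTypes();
        if (supported == null || supported.isEmpty()) {
            // Fail-open by design: a service definition without response types authorizes
            // every response type. Assign response types to each service to close this.
            LOGGER.warn("Registered service [{}] does not define any authorized/supported response types. It is STRONGLY recommended that you authorize and assign response types to the service definition. While just a warning for now, this behavior will be enforced by CAS in future versions.", oAuthRegisteredService.getName());
            return true;
        }
        String requested = resolveRequestParameter(webContext, "response_type").map(String::valueOf).orElse("");
        if (supported.stream().anyMatch(candidate -> candidate.equalsIgnoreCase(requested))) {
            return true;
        }
        LOGGER.warn("Response type not authorized for service: [{}] not listed in supported response types: [{}]", requested, supported);
        return false;
    }

    /**
     * Resolves the client credentials of the request.
     *
     * @param callContext the current call context
     * @return the client id (left) and client secret (right). Credentials from an HTTP Basic
     *     header take precedence; otherwise the {@code client_id} and {@code client_secret}
     *     request parameters are used, each defaulting to an empty string
     */
    public Pair<String, String> resolveClientIdAndClientSecret(CallContext callContext) {
        Optional<?> basicAuth = new BasicAuthExtractor().extract(callContext);
        if (basicAuth.isPresent()) {
            UsernamePasswordCredentials credentials = (UsernamePasswordCredentials) basicAuth.get();
            return Pair.of(credentials.getUsername(), credentials.getPassword());
        }
        // The right-hand value is a secret: it must not be logged or echoed by callers.
        String clientId = resolveRequestParameter(callContext.webContext(), OAuth20UserProfileViewRenderer.MODEL_ATTRIBUTE_CLIENT_ID)
            .map(String::valueOf)
            .orElse("");
        String clientSecret = resolveRequestParameter(callContext.webContext(), "client_secret")
            .map(String::valueOf)
            .orElse("");
        return Pair.of(clientId, clientSecret);
    }

    /**
     * Resolves the {@code scope} parameter, keeping only scopes listed in the discovery settings.
     *
     * @param webContext the current request context
     * @return the requested scopes that are also supported; empty when no scope was sent
     */
    public Set<String> resolveRequestScopes(WebContext webContext) {
        Optional<String> scope = resolveRequestParameter(webContext, "scope");
        if (scope.isEmpty()) {
            return new HashSet<>(0);
        }
        List<String> supportedScopes = this.jwtBuilder.getCasProperties().getAuthn().getOidc().getDiscovery().getScopes();
        Set<String> requested = CollectionUtils.wrapSet(scope.get().split(" "));
        requested.retainAll(supportedScopes);
        return requested;
    }

    /**
     * Parses the {@code claims} request parameter.
     *
     * @param webContext the current request context
     * @return the parsed claims document, or an empty map when the parameter is blank or the
     *     discovery settings report the claims parameter as unsupported
     * @throws Exception if the value cannot be parsed
     */
    @SuppressWarnings("unchecked")
    public Map<String, Map<String, Object>> resolveRequestClaims(WebContext webContext) throws Exception {
        boolean claimsSupported = this.jwtBuilder.getCasProperties().getAuthn().getOidc().getDiscovery().isClaimsParameterSupported();
        String claims = claimsSupported
            ? resolveRequestParameter(webContext, "claims").map(String::valueOf).orElse("")
            : "";
        if (StringUtils.isBlank(claims)) {
            return new HashMap<>(0);
        }
        // The document is client-supplied and is bound to a raw Map, so the declared value
        // type is not enforced: an entry may hold a string, number, list or null. Check the
        // runtime type of an entry before treating it as a Map.
        return MAPPER.readValue(JsonValue.readHjson(claims).toString(), Map.class);
    }

    /**
     * Resolves the claim names requested under the {@code userinfo} member of the
     * {@code claims} parameter.
     *
     * @param webContext the current request context
     * @return the requested claim names; empty when {@code userinfo} is absent, {@code null},
     *     or not a JSON object
     * @throws Exception if the {@code claims} parameter cannot be parsed
     */
    public Set<String> resolveUserInfoRequestClaims(WebContext webContext) throws Exception {
        Map<String, ?> claims = resolveRequestClaims(webContext);
        Object userInfo = claims.get("userinfo");
        // A client can send "userinfo" as a scalar, a list or null. Reading it blindly as a
        // Map fails with ClassCastException or NullPointerException on such input.
        if (userInfo instanceof Map) {
            @SuppressWarnings("unchecked")
            Map<String, Object> requested = (Map<String, Object>) userInfo;
            return requested.keySet();
        }
        return new HashMap<String, Object>(0).keySet();
    }

    /**
     * Resolves the {@code prompt} values found on the query string of the current request.
     *
     * @param webContext the current request context
     * @return the space-separated prompt values, without filtering against the supported list
     */
    public Set<String> resolveRequestedPromptValues(WebContext webContext) {
        String url = webContext.getFullRequestURL();
        return FunctionUtils.doUnchecked(() -> promptValuesOf(url).collect(Collectors.toSet()));
    }

    /**
     * Resolves the {@code prompt} values found on the query string of the given URL, keeping
     * only those listed in the discovery settings.
     *
     * @param url the URL to inspect
     * @return the prompt values that are also supported
     */
    public Set<String> resolveSupportedPromptValues(String url) {
        List<String> supported = this.jwtBuilder.getCasProperties().getAuthn().getOidc().getDiscovery().getPromptValuesSupported();
        return FunctionUtils.doUnchecked(() -> promptValuesOf(url)
            .filter(supported::contains)
            .collect(Collectors.toSet()));
    }

    /**
     * Tells whether the named parameter is present on the query string.
     *
     * @param webContext the current request context
     * @param name the parameter name
     * @return the result of {@link WebContextHelper#isQueryStringParameter}
     */
    public boolean isParameterOnQueryString(WebContext webContext, String name) {
        return WebContextHelper.isQueryStringParameter(webContext, name);
    }

    @Generated
    public DefaultOAuth20RequestParameterResolver(JwtBuilder jwtBuilder) {
        this.jwtBuilder = jwtBuilder;
    }

    /** Returns the named request parameter if it matches a supported value ignoring case, else "". */
    private String resolveSupportedValue(WebContext webContext, String parameterName, Collection<String> supportedValues) {
        return resolveRequestParameter(webContext, parameterName)
            .map(String::valueOf)
            .filter(requested -> supportedValues.stream().anyMatch(candidate -> candidate.equalsIgnoreCase(requested)))
            .orElse("");
    }

    /** Streams the space-separated values of every {@code prompt} query parameter in the URL. */
    private static Stream<String> promptValuesOf(String url) throws Exception {
        return new URIBuilder(url).getQueryParams().stream()
            .filter(parameter -> "prompt".equals(parameter.getName()))
            // presumably a bare "prompt" with no "=value" parses to a null value; skip it
            // rather than fail on split() - TODO confirm against the URIBuilder in use.
            .filter(parameter -> parameter.getValue() != null)
            .map(parameter -> parameter.getValue().split(" "))
            .flatMap(Arrays::stream);
    }
}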
