package org.apereo.cas.support.oauth.util;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.nimbusds.oauth2.sdk.client.RedirectURIValidator;
import jakarta.servlet.http.HttpServletResponse;
import java.net.URI;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Stream;
import lombok.Generated;
import lombok.NonNull;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.RegisteredServiceMatchingStrategy;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.services.UnauthorizedServiceException;
import org.apereo.cas.services.query.RegisteredServiceQuery;
import org.apereo.cas.support.oauth.OAuth20ClientAuthenticationMethods;
import org.apereo.cas.support.oauth.OAuth20GrantTypes;
import org.apereo.cas.support.oauth.OAuth20ResponseModeTypes;
import org.apereo.cas.support.oauth.OAuth20ResponseTypes;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.support.oauth.web.views.OAuth20UserProfileViewRenderer;
import org.apereo.cas.ticket.OAuth20Token;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.function.FunctionUtils;
import org.apereo.cas.util.serialization.JacksonObjectMapperFactory;
import org.pac4j.core.context.CallContext;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.context.session.SessionStore;
import org.pac4j.core.profile.ProfileManager;
import org.pac4j.core.profile.UserProfile;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.view.json.MappingJackson2JsonView;

/* loaded from: input_file:org/apereo/cas/support/oauth/util/OAuth20Utils.class */
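/**
 * Static helpers shared by the CAS OAuth 2.0 endpoints: error views, registered-service
 * lookup by client id or redirect URI, redirect-URI validation and request-type checks.
 *
 * <p>This listing is decompiler output, so parameter names such as {@code str} are
 * synthetic; each method's Javadoc says what the argument carries.
 *
 * <p>Several methods here are security decisions (redirect-URI matching, client
 * authentication requirements). Their Javadoc spells out which inputs are accepted
 * without further checks so callers do not assume more than the code enforces.
 */
public final class OAuth20Utils {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(OAuth20Utils.class);
    private static final ObjectMapper MAPPER = JacksonObjectMapperFactory.builder().singleArrayElementUnwrapped(true).build().toObjectMapper();

    /**
     * Builds a JSON error view carrying only the {@code error} code.
     *
     * @param httpServletResponse response whose status is set to 400
     * @param str the OAuth error code placed under {@code error}
     * @return the JSON view with status 400
     */
    public static ModelAndView writeError(HttpServletResponse httpServletResponse, String str) {
        return writeError(httpServletResponse, str, null);
    }

    /**
     * Builds a JSON error view and marks both the view and the servlet response as 400.
     *
     * @param httpServletResponse response whose status is set to 400
     * @param str the OAuth error code placed under {@code error}
     * @param str2 optional description placed under {@code error_description}; omitted when blank
     * @return the JSON view with status 400
     */
    public static ModelAndView writeError(HttpServletResponse httpServletResponse, String str, String str2) {
        var errorView = new ModelAndView(new MappingJackson2JsonView(MAPPER), getErrorResponseBody(str, str2));
        errorView.setStatus(HttpStatus.BAD_REQUEST);
        httpServletResponse.setStatus(HttpStatus.BAD_REQUEST.value());
        return errorView;
    }

    /**
     * Assembles the error payload. Both values are returned to the client as given, so
     * callers should pass fixed error codes and descriptions rather than internal detail.
     *
     * @param str the OAuth error code
     * @param str2 optional description; only added when not blank
     * @return map with {@code error} and, when present, {@code error_description}
     */
    public static Map<String, Object> getErrorResponseBody(String str, String str2) {
        Map<String, Object> body = CollectionUtils.wrap("error", str);
        if (StringUtils.isNotBlank(str2)) {
            body.put("error_description", str2);
        }
        return body;
    }

    /**
     * Looks up the OAuth registered service whose {@code clientId} equals the given value.
     *
     * <p>Only the first match of the query is returned; if two definitions share a client
     * id, which one wins depends on the order the services manager yields them.
     *
     * @param servicesManager registry to query
     * @param str the client id; a blank value short-circuits to {@code null}
     * @return the matching service, or {@code null} when the id is blank or unknown
     */
    public static OAuthRegisteredService getRegisteredOAuthServiceByClientId(ServicesManager servicesManager, String str) {
        return FunctionUtils.doIfNotBlank(str, () -> {
            var query = RegisteredServiceQuery.of(OAuthRegisteredService.class, "clientId", str).withIncludeAssignableTypes(true);
            // The decompiled listing referenced an undefined `r1` here; the intended
            // operation is a checked cast of each result to OAuthRegisteredService.
            return servicesManager.findServicesBy(new RegisteredServiceQuery[]{query})
                .findFirst()
                .map(OAuthRegisteredService.class::cast)
                .orElse(null);
        }, () -> null);
    }

    /**
     * Looks up the first OAuth registered service that matches the given redirect URI.
     *
     * <p>The URI is validated first (see {@link #validateRedirectUri(String)}), so an illegal
     * value fails with an unchecked exception instead of returning {@code null}.
     *
     * @param servicesManager registry to query
     * @param str the redirect URI; a blank value short-circuits to {@code null}
     * @return the first matching service, or {@code null} when none matches
     */
    public static OAuthRegisteredService getRegisteredOAuthServiceByRedirectUri(ServicesManager servicesManager, String str) {
        validateRedirectUri(str);
        // NOTE(review): the first service whose matches(...) accepts the URI wins; overlapping
        // service patterns would make the result order-dependent. Confirm against the registry.
        return FunctionUtils.doIfNotBlank(str,
            () -> getRegisteredOAuthServiceByPredicate(servicesManager, service -> service.matches(str)),
            () -> null);
    }

    /**
     * Returns the first OAuth registered service accepted by the predicate.
     *
     * <p>The decompiler widened this method from {@code private} to {@code public}; the
     * visibility shown here is kept so the listing's interface does not change.
     *
     * @param servicesManager registry to scan
     * @param predicate selection criterion
     * @return the first accepted service, or {@code null} when none is accepted
     */
    public static OAuthRegisteredService getRegisteredOAuthServiceByPredicate(ServicesManager servicesManager, Predicate<OAuthRegisteredService> predicate) {
        return servicesManager.getAllServicesOfType(OAuthRegisteredService.class)
            .stream()
            .filter(predicate)
            .findFirst()
            .orElse(null);
    }

    /**
     * Produces the service error view with status 401.
     *
     * @return the error view
     */
    public static ModelAndView produceUnauthorizedErrorView() {
        return produceUnauthorizedErrorView(HttpStatus.UNAUTHORIZED);
    }

    /**
     * Produces the service error view for a denied request with the given status.
     *
     * @param httpStatus status to set on the view
     * @return the error view
     */
    public static ModelAndView produceUnauthorizedErrorView(HttpStatus httpStatus) {
        return produceErrorView(UnauthorizedServiceException.denied("Rejected: %s".formatted(httpStatus)), httpStatus);
    }

    /**
     * Produces the service error view for the given exception with status 401.
     *
     * @param exc the failure to expose to the view
     * @return the error view
     */
    public static ModelAndView produceErrorView(Exception exc) {
        return produceErrorView(exc, HttpStatus.UNAUTHORIZED);
    }

    /**
     * Produces the service error view for the given exception and status.
     *
     * <p>The exception object itself is placed in the model under {@code rootCauseException}.
     * NOTE(review): how much of it reaches the browser depends on the
     * {@code error/casServiceErrorView} template, which is not visible here; confirm it does
     * not render stack traces or internal messages.
     *
     * @param exc the failure to expose to the view
     * @param httpStatus status to set on the view
     * @return the error view
     */
    public static ModelAndView produceErrorView(Exception exc, HttpStatus httpStatus) {
        var errorView = new ModelAndView("error/casServiceErrorView", CollectionUtils.wrap("rootCauseException", exc));
        errorView.setStatus(httpStatus);
        return errorView;
    }

    /**
     * Appends the OAuth callback path to the given server prefix.
     *
     * @param str the server prefix; must not be {@code null}
     * @return the prefix followed by {@code /oauth2.0/callbackAuthorize}
     */
    public static String casOAuthCallbackUrl(String str) {
        return str.concat("/oauth2.0/callbackAuthorize");
    }

    /**
     * Serializes the value to JSON with this class's mapper; failures are rethrown by
     * {@code FunctionUtils.doUnchecked}.
     *
     * @param obj value to serialize
     * @return the JSON text
     */
    public static String toJson(Object obj) {
        return FunctionUtils.doUnchecked(() -> MAPPER.writeValueAsString(obj));
    }

    /**
     * Case-insensitive comparison of a requested grant type with an expected one.
     *
     * @param str the requested value; {@code null} yields {@code false}
     * @param oAuth20GrantTypes the expected grant type
     * @return whether they match
     */
    public static boolean isGrantType(String str, OAuth20GrantTypes oAuth20GrantTypes) {
        return oAuth20GrantTypes.getType().equalsIgnoreCase(str);
    }

    /**
     * Case-insensitive comparison of a requested response type with an expected one.
     *
     * @param str the requested value; {@code null} yields {@code false}
     * @param oAuth20ResponseTypes the expected response type
     * @return whether they match
     */
    public static boolean isResponseType(String str, OAuth20ResponseTypes oAuth20ResponseTypes) {
        return oAuth20ResponseTypes.getType().equalsIgnoreCase(str);
    }

    /**
     * Case-insensitive comparison of a requested response mode with an expected one.
     *
     * @param str the requested value; {@code null} yields {@code false}
     * @param oAuth20ResponseModeTypes the expected response mode
     * @return whether they match
     */
    public static boolean isResponseModeType(String str, OAuth20ResponseModeTypes oAuth20ResponseModeTypes) {
        return oAuth20ResponseModeTypes.getType().equalsIgnoreCase(str);
    }

    /**
     * Reads the {@code service} request header, falling back to {@code X-service}.
     *
     * <p>The value is client-supplied and returned unvalidated.
     *
     * @param webContext current request context
     * @return the header value, or an empty string when neither header is present
     */
    public static String getServiceRequestHeaderIfAny(WebContext webContext) {
        return webContext.getRequestHeader("service")
            .or(() -> webContext.getRequestHeader("X-service"))
            .orElse("");
    }

    /**
     * Decides whether a redirect URI is acceptable for a registered service.
     *
     * <p>The URI must pass {@link #validateRedirectUri(String)} (which throws on an illegal
     * value) and must then be accepted by the service's matching strategy. A service without
     * a matching strategy never matches. The decision is only as strict as the strategy and
     * the service id it evaluates: an overly broad service pattern accepts redirect URIs the
     * client never registered.
     *
     * @param registeredService the service the client claims to be
     * @param str the requested redirect URI
     * @return {@code true} only when the strategy accepts the URI
     * @throws NullPointerException when {@code registeredService} is {@code null}
     */
    public static boolean checkCallbackValid(@NonNull RegisteredService registeredService, String str) {
        Objects.requireNonNull(registeredService, "registeredService is marked non-null but is null");
        RegisteredServiceMatchingStrategy matchingStrategy = registeredService.getMatchingStrategy();
        validateRedirectUri(str);
        if (matchingStrategy != null && matchingStrategy.matches(registeredService, str)) {
            return true;
        }
        // The rejected URI is request data; it reaches the log only as a format argument.
        LOGGER.error("Unsupported [{}]: [{}] does not match what is defined for registered service: [{}]. Service is considered unauthorized. Verify the service matching strategy used in the service definition is correct and does in fact match the client [{}]", "redirect_uri", str, registeredService.getServiceId(), str);
        return false;
    }

    /**
     * Checks that the requested response type is one of the expected types.
     *
     * @param str the requested response type
     * @param oAuth20ResponseTypesArr the accepted response types
     * @return whether the requested type matches any accepted type (case-insensitively)
     */
    public static boolean checkResponseTypes(String str, OAuth20ResponseTypes... oAuth20ResponseTypesArr) {
        LOGGER.debug("Response type: [{}]", str);
        // Stream the typed array directly; the decompiled listing cast it to Object[], which
        // loses the element type that isResponseType requires.
        boolean supported = Arrays.stream(oAuth20ResponseTypesArr).anyMatch(type -> isResponseType(str, type));
        if (!supported) {
            LOGGER.error("Unsupported response type: [{}]", str);
        }
        return supported;
    }

    /**
     * Extracts the client id stored among the authenticated profile's attributes.
     *
     * @param userProfile the authenticated profile
     * @return the first client id value as text, or {@code null} when the attribute is absent
     */
    public static String getClientIdFromAuthenticatedProfile(UserProfile userProfile) {
        Map<String, Object> attributes = new HashMap<>(userProfile.getAttributes());
        if (!attributes.containsKey(OAuth20UserProfileViewRenderer.MODEL_ATTRIBUTE_CLIENT_ID)) {
            return null;
        }
        // NOTE(review): getFirst() throws if the converted collection is empty; whether
        // toCollection can return an empty list for a present key is not visible here.
        ArrayList<?> clientIds = (ArrayList<?>) CollectionUtils.toCollection(attributes.get(OAuth20UserProfileViewRenderer.MODEL_ATTRIBUTE_CLIENT_ID), ArrayList.class);
        return clientIds.getFirst().toString();
    }

    /**
     * Returns the claim names listed under the token's {@code userinfo} claims entry.
     *
     * <p>The result is the key-set view of that entry (or of a fresh empty map when the
     * entry is missing), not a copy.
     *
     * @param oAuth20Token token carrying the requested claims
     * @return the requested userinfo claim names, possibly empty
     */
    public static Set<String> parseUserInfoRequestClaims(OAuth20Token oAuth20Token) {
        // The entry is treated as a string-keyed map, exactly as the original raw cast did.
        @SuppressWarnings("unchecked")
        Map<String, ?> userInfoClaims = (Map<String, ?>) oAuth20Token.getClaims().getOrDefault("userinfo", new HashMap<>(0));
        return userInfoClaims.keySet();
    }

    /**
     * Resolves the authenticated profile for the current request.
     *
     * @param webContext current request context
     * @param sessionStore session store backing the profile manager
     * @return the authenticated profile
     * @throws IllegalArgumentException when no profile is available
     */
    public static UserProfile getAuthenticatedUserProfile(WebContext webContext, SessionStore sessionStore) {
        return new ProfileManager(webContext, sessionStore)
            .getProfile()
            .orElseThrow(() -> new IllegalArgumentException("Unable to determine the user profile from the context"));
    }

    /**
     * Reports whether the service has a client secret configured.
     *
     * <p>A service with a blank secret is reported as not needing authentication, so
     * callers that rely on this result treat it as a public client.
     *
     * @param oAuthRegisteredService the service definition
     * @return {@code true} when the client secret is not blank
     */
    public static boolean doesServiceNeedAuthentication(OAuthRegisteredService oAuthRegisteredService) {
        return StringUtils.isNotBlank(oAuthRegisteredService.getClientSecret());
    }

    /**
     * Validates a redirect URI by parsing it and handing it to {@code RedirectURIValidator}.
     *
     * <p>A blank value is skipped rather than rejected, so callers must handle a missing
     * redirect URI themselves. {@link URI#create(String)} throws
     * {@link IllegalArgumentException} for a malformed value; failures raised by the
     * validator also propagate to the caller.
     *
     * @param str the redirect URI to check
     */
    public static void validateRedirectUri(String str) {
        if (StringUtils.isBlank(str)) {
            return;
        }
        RedirectURIValidator.ensureLegal(URI.create(str));
    }

    /**
     * Reports whether the request was flagged as an access-token request through the
     * {@code oauth.request.access-token} request attribute.
     *
     * @param webContext current request context
     * @return the attribute's value, or {@code false} when it is absent
     */
    public static boolean isAccessTokenRequest(WebContext webContext) {
        return (Boolean) webContext.getRequestAttribute("oauth.request.access-token").orElse(false);
    }

    /**
     * Decides whether one of the given client authentication methods may be used for the
     * service on this request.
     *
     * <p>The check is permissive in two cases: requests that are not access-token requests
     * always pass, and a service with no token endpoint authentication method configured
     * accepts every method. Restricting a client to one method therefore requires setting
     * that method on the service definition.
     *
     * @param callContext current call context
     * @param oAuthRegisteredService the service definition
     * @param oAuth20ClientAuthenticationMethodsArr the methods the caller implements
     * @return whether the caller's methods are acceptable for this service and request
     */
    public static boolean isTokenAuthenticationMethodSupportedFor(CallContext callContext, OAuthRegisteredService oAuthRegisteredService, OAuth20ClientAuthenticationMethods... oAuth20ClientAuthenticationMethodsArr) {
        if (!isAccessTokenRequest(callContext.webContext())) {
            return true;
        }
        if (StringUtils.isBlank(oAuthRegisteredService.getTokenEndpointAuthenticationMethod())) {
            return true;
        }
        return Arrays.stream(oAuth20ClientAuthenticationMethodsArr)
            .anyMatch(method -> StringUtils.equalsIgnoreCase(oAuthRegisteredService.getTokenEndpointAuthenticationMethod(), method.getType()));
    }

    @Generated
    private OAuth20Utils() {
        throw new UnsupportedOperationException("This is a utility class and cannot be instantiated");
    }
}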
