package org.iplass.mtp.impl.auth.authenticate.oidc;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.core.type.TypeReference;
import java.io.IOException;
import java.io.StringWriter;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import javax.servlet.http.HttpServletRequest;
import org.iplass.mtp.ManagerLocator;
import org.iplass.mtp.auth.AuthContext;
import org.iplass.mtp.auth.User;
import org.iplass.mtp.auth.oidc.AutoUserProvisioningHandler;
import org.iplass.mtp.auth.oidc.definition.ClientAuthenticationType;
import org.iplass.mtp.auth.oidc.definition.OpenIdConnectDefinition;
import org.iplass.mtp.auth.oidc.definition.ResponseMode;
import org.iplass.mtp.command.RequestContext;
import org.iplass.mtp.entity.DeleteOption;
import org.iplass.mtp.entity.Entity;
import org.iplass.mtp.entity.EntityManager;
import org.iplass.mtp.entity.GenericEntity;
import org.iplass.mtp.entity.query.Query;
import org.iplass.mtp.entity.query.condition.Condition;
import org.iplass.mtp.entity.query.condition.expr.And;
import org.iplass.mtp.entity.query.condition.predicate.Equals;
import org.iplass.mtp.impl.auth.authenticate.builtin.policy.MetaAuthenticationPolicy;
import org.iplass.mtp.impl.auth.authenticate.oidc.jwks.Jwks;
import org.iplass.mtp.impl.auth.authenticate.oidc.jwks.LocalJwks;
import org.iplass.mtp.impl.auth.authenticate.oidc.jwks.RemoteJwks;
import org.iplass.mtp.impl.auth.oauth.jwt.InvalidJwtException;
import org.iplass.mtp.impl.auth.oauth.jwt.Jwt;
import org.iplass.mtp.impl.auth.oauth.jwt.JwtProcessor;
import org.iplass.mtp.impl.auth.oauth.util.IdTokenConstants;
import org.iplass.mtp.impl.auth.oauth.util.OAuthConstants;
import org.iplass.mtp.impl.auth.oauth.util.OAuthEndpointConstants;
import org.iplass.mtp.impl.auth.oauth.util.OAuthUtil;
import org.iplass.mtp.impl.core.ExecuteContext;
import org.iplass.mtp.impl.definition.DefinableMetaData;
import org.iplass.mtp.impl.i18n.I18nUtil;
import org.iplass.mtp.impl.metadata.BaseMetaDataRuntime;
import org.iplass.mtp.impl.metadata.BaseRootMetaData;
import org.iplass.mtp.impl.metadata.MetaDataConfig;
import org.iplass.mtp.impl.metadata.MetaDataRuntime;
import org.iplass.mtp.impl.script.ScriptEngine;
import org.iplass.mtp.impl.script.ScriptRuntimeException;
import org.iplass.mtp.impl.script.template.GroovyTemplate;
import org.iplass.mtp.impl.script.template.GroovyTemplateBinding;
import org.iplass.mtp.impl.script.template.GroovyTemplateCompiler;
import org.iplass.mtp.impl.util.ObjectUtil;
import org.iplass.mtp.impl.util.random.SecureRandomGenerator;
import org.iplass.mtp.impl.util.random.SecureRandomService;
import org.iplass.mtp.spi.ServiceRegistry;
import org.iplass.mtp.utilityclass.definition.UtilityClassDefinitionManager;
import org.iplass.mtp.web.template.TemplateUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/iplass/mtp/impl/auth/authenticate/oidc/MetaOpenIdConnect.class */
public class MetaOpenIdConnect extends BaseRootMetaData implements DefinableMetaData<OpenIdConnectDefinition> {
    private static final long serialVersionUID = -4429152263057997180L;
    private static Logger logger = LoggerFactory.getLogger(MetaOpenIdConnect.class);
    // OP issuer identifier; stored in OIDCState and compared with the ID token's iss claim.
    private String issuer;
    // Base of the authorize request URL built by OpenIdConnectRuntime.authorizeUrl.
    private String authorizationEndpoint;
    // Token endpoint handed to OPEndpoint for the code exchange.
    private String tokenEndpoint;
    // Optional; when non-null the runtime also calls the UserInfo endpoint after ID-token validation.
    private String userInfoEndpoint;
    // Remote JWKS location; only consulted when jwksContents is empty.
    private String jwksEndpoint;
    // Inline JWKS document; takes precedence over jwksEndpoint.
    private String jwksContents;
    private String clientId;
    // Additional scopes; "openid" is always sent and deduplicated by the runtime.
    private List<String> scopes;
    private ClientAuthenticationType clientAuthenticationType;
    // When false the ID token is parsed without signature verification (only exp is checked).
    private boolean validateSign;
    // Utility-class name of an AutoUserProvisioningHandler, instantiated by the runtime; may be null.
    private String autoUserProvisioningHandler;
    // Not read anywhere in this file's runtime.
    private boolean enableTransientUser;
    // Groovy template sources for the post-auth / post-connect redirect URLs; may be null.
    private String backUrlAfterAuth;
    private String backUrlAfterConnect;
    private boolean useNonce = true;
    private boolean enablePKCE = true;
    // When true the iss response parameter must match the stored issuer (mix-up mitigation).
    private boolean issParameterSupported = true;
    private ResponseMode responseMode = ResponseMode.FORM_POST;
    // Claim used as the displayable subject name; the subject identifier is always sub.
    private String subjectNameClaim = "preferred_username";

    /* loaded from: input_file:org/iplass/mtp/impl/auth/authenticate/oidc/MetaOpenIdConnect$OpenIdConnectRuntime.class */
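    /**
     * Per-tenant runtime for one OpenIdConnect definition: the relying-party half of the
     * Authorization Code flow (authorize URL, state/nonce/PKCE material, token-response and
     * ID-token validation) plus the link between an OP subject and a local user account.
     *
     * <p>Configuration problems found while constructing the runtime are recorded through
     * {@code setIllegalStateException} so that metadata loading succeeds and {@code checkState()}
     * fails on first use instead.
     */
    public class OpenIdConnectRuntime extends BaseMetaDataRuntime {
        private AutoUserProvisioningHandler aup;
        // Space-separated scope value for the authorize request; always starts with "openid".
        private String scopeParamValue;
        // Same scopes as a set, compared against what the OP reports as granted.
        private HashSet<String> scopeParamSet;
        private OpenIdConnectService opService;
        private EntityManager em;
        private String clientSecret;
        private Jwks jwks;
        private OPEndpoint opEndpoint;
        private ScriptEngine scriptEngine;
        private GroovyTemplate backUrlAfterAuthTmpl;
        private GroovyTemplate backUrlAfterConnectTmpl;

        private OpenIdConnectRuntime() {
            this.scriptEngine = ExecuteContext.getCurrentContext().getTenantContext().getScriptEngine();
            try {
                initAutoUserProvisioningHandler();
                initScopes();
                this.opService = ServiceRegistry.getRegistry().getService(OpenIdConnectService.class);
                this.em = ManagerLocator.manager(EntityManager.class);
                this.clientSecret = this.opService.getClientSecret(MetaOpenIdConnect.this.getId());
                if (this.clientSecret == null) {
                    throw new IllegalStateException("Client Secret unspecified.");
                }
                initJwks();
                this.opEndpoint = new OPEndpoint(MetaOpenIdConnect.this.tokenEndpoint, MetaOpenIdConnect.this.userInfoEndpoint, this.opService);
                requireMandatoryProperties();
                compileBackUrlTemplates();
            } catch (RuntimeException e) {
                // Deferred: surfaces from checkState() when the runtime is actually used.
                setIllegalStateException(e);
            }
        }

        /** Instantiates and initialises the configured AutoUserProvisioningHandler, if one is named. */
        private void initAutoUserProvisioningHandler() {
            if (MetaOpenIdConnect.this.autoUserProvisioningHandler == null) {
                return;
            }
            try {
                this.aup = (AutoUserProvisioningHandler) ManagerLocator.getInstance()
                        .getManager(UtilityClassDefinitionManager.class)
                        .createInstanceAs(AutoUserProvisioningHandler.class, MetaOpenIdConnect.this.autoUserProvisioningHandler);
                this.aup.init(MetaOpenIdConnect.this.m13currentConfig());
            } catch (ClassNotFoundException e) {
                throw new IllegalStateException(e);
            }
        }

        /** Builds the scope parameter ("openid" first, a configured duplicate of it dropped) and its set form. */
        private void initScopes() {
            this.scopeParamSet = new HashSet<>();
            this.scopeParamSet.add(OAuthConstants.SCOPE_OPENID);
            StringBuilder value = new StringBuilder(OAuthConstants.SCOPE_OPENID);
            if (MetaOpenIdConnect.this.scopes != null) {
                for (String scope : MetaOpenIdConnect.this.scopes) {
                    if (!OAuthConstants.SCOPE_OPENID.equals(scope)) {
                        value.append(' ').append(scope);
                        this.scopeParamSet.add(scope);
                    }
                }
            }
            this.scopeParamValue = value.toString();
        }

        /**
         * Chooses the key source for ID-token signature checks: inline JWKS contents win over a
         * remote endpoint. Neither is required unless validateSign is enabled.
         */
        private void initJwks() {
            String contents = MetaOpenIdConnect.this.jwksContents;
            if (contents != null && !contents.isEmpty()) {
                this.jwks = new LocalJwks(contents, this.opService);
            } else if (MetaOpenIdConnect.this.jwksEndpoint != null) {
                this.jwks = new RemoteJwks(MetaOpenIdConnect.this.jwksEndpoint, this.opService);
            } else if (MetaOpenIdConnect.this.validateSign) {
                throw new IllegalStateException("jwks endpoint or contents must specified");
            }
        }

        /** Fails fast on any mandatory definition property that is missing. */
        private void requireMandatoryProperties() {
            if (MetaOpenIdConnect.this.issuer == null) {
                throw new NullPointerException("issuer must specified");
            }
            if (MetaOpenIdConnect.this.authorizationEndpoint == null) {
                throw new NullPointerException("authorizationEndpoint must specified");
            }
            if (MetaOpenIdConnect.this.tokenEndpoint == null) {
                throw new NullPointerException("tokenEndpoint must specified");
            }
            if (MetaOpenIdConnect.this.clientId == null) {
                throw new NullPointerException("clientId must specified");
            }
            if (MetaOpenIdConnect.this.clientAuthenticationType == null) {
                throw new NullPointerException("clientAuthenticationType must specified");
            }
            if (MetaOpenIdConnect.this.subjectNameClaim == null) {
                // The exception was previously constructed but never thrown, so a missing claim name
                // went unnoticed until subject names came back null.
                throw new NullPointerException("subjectNameClaim must specified");
            }
        }

        /** Compiles the optional Groovy templates for the post-auth and post-connect redirect URLs. */
        private void compileBackUrlTemplates() {
            String name = MetaOpenIdConnect.this.getName();
            if (MetaOpenIdConnect.this.backUrlAfterAuth != null) {
                this.backUrlAfterAuthTmpl = GroovyTemplateCompiler.compile(
                        MetaOpenIdConnect.this.backUrlAfterAuth, "OpenIdConnect_backUrlAfterAuth_" + name, this.scriptEngine);
            }
            if (MetaOpenIdConnect.this.backUrlAfterConnect != null) {
                this.backUrlAfterConnectTmpl = GroovyTemplateCompiler.compile(
                        MetaOpenIdConnect.this.backUrlAfterConnect, "OpenIdConnect_backUrlAfterConnect_" + name, this.scriptEngine);
            }
        }

        void setOPEndpoint(OPEndpoint oPEndpoint) {
            this.opEndpoint = oPEndpoint;
        }

        OPEndpoint getOPEndpoint() {
            return this.opEndpoint;
        }

        /* renamed from: getMetaData, reason: merged with bridge method [inline-methods] */
        public MetaOpenIdConnect m14getMetaData() {
            return MetaOpenIdConnect.this;
        }

        /** @return the configured provisioning handler, or {@code null} when none is defined */
        public AutoUserProvisioningHandler getAutoUserProvisioningHandler() {
            return this.aup;
        }

        /**
         * Renders the post-authentication redirect URL template.
         *
         * @param requestContext bound as {@code request} in the template
         * @return the rendered URL, or {@code null} when no template is configured
         */
        public String backUrlAfterAuth(RequestContext requestContext) {
            return doTmpl(this.backUrlAfterAuthTmpl, requestContext);
        }

        /**
         * Runs a Groovy template with {@code request} bound to the given context.
         *
         * @return the template output, or {@code null} when {@code template} is {@code null}
         * @throws ScriptRuntimeException wrapping any {@link IOException} from the template
         */
        private String doTmpl(GroovyTemplate template, RequestContext requestContext) {
            if (template == null) {
                return null;
            }
            HashMap<String, Object> bindings = new HashMap<>();
            bindings.put("request", requestContext);
            StringWriter out = new StringWriter();
            try {
                template.doTemplate(new GroovyTemplateBinding(out, bindings));
            } catch (IOException e) {
                throw new ScriptRuntimeException(e);
            }
            return out.toString();
        }

        /**
         * Renders the post-connect redirect URL template.
         *
         * @param requestContext bound as {@code request} in the template
         * @return the rendered URL, or {@code null} when no template is configured
         */
        public String backUrlAfterConnect(RequestContext requestContext) {
            return doTmpl(this.backUrlAfterConnectTmpl, requestContext);
        }

        /**
         * Builds the absolute redirect_uri for this definition from the current servlet request:
         * scheme, host, non-default port, tenant context path, {@code str} and, unless the
         * definition is named {@code DEFAULT}, the definition name.
         *
         * @param requestContext must carry the {@code servletRequest} attribute
         * @param str path segment appended after the tenant context path
         * @return the redirect URI to send to the OP and to store in the OIDCState
         */
        public String createRedirectUri(RequestContext requestContext, String str) {
            HttpServletRequest req = (HttpServletRequest) requestContext.getAttribute("servletRequest");
            boolean secure = req.isSecure();
            int port = req.getServerPort();
            StringBuilder uri = new StringBuilder(secure ? "https://" : "http://");
            // NOTE(review): the host is taken from the request, so it presumably reflects the
            // Host header unless the container canonicalises it; the value must match the
            // redirect_uri registered at the OP, which is what actually constrains it.
            uri.append(req.getServerName());
            if (port != (secure ? 443 : 80)) {
                uri.append(':').append(port);
            }
            uri.append(TemplateUtil.getTenantContextPath());
            uri.append('/').append(str);
            if (!"DEFAULT".equals(MetaOpenIdConnect.this.getName())) {
                uri.append('/').append(MetaOpenIdConnect.this.getName());
            }
            return uri.toString();
        }

        /**
         * Creates the per-login state: a fresh random state token and, when enabled, a nonce and a
         * PKCE code verifier, together with the values the callback must be checked against.
         *
         * @param str  URL to return to after authentication
         * @param str2 redirect_uri used for this login (see {@link #createRedirectUri})
         * @param str3 error template name
         * @throws IllegalStateException if the runtime failed to initialise
         */
        public OIDCState newOIDCState(String str, String str2, String str3) {
            checkState();
            OIDCState state = new OIDCState();
            state.setToken(RandomHolder.randomForState.secureRandomToken());
            state.setBackUrlAfterAuth(str);
            state.setIssuer(MetaOpenIdConnect.this.issuer);
            state.setRedirectUri(str2);
            state.setErrorTemplateName(str3);
            if (MetaOpenIdConnect.this.useNonce) {
                state.setNonce(RandomHolder.randomForNonce.secureRandomToken());
            }
            if (MetaOpenIdConnect.this.enablePKCE) {
                state.setCodeVerifier(RandomHolder.randomForCodeVerifier.secureRandomToken());
            }
            return state;
        }

        /**
         * Equality without an early exit on the first differing byte, so the position of a
         * mismatch is not observable through timing. Either side may be {@code null}.
         */
        private boolean constantTimeEquals(String a, String b) {
            if (a == null || b == null) {
                return a == b;
            }
            return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
        }

        /**
         * Checks the callback against the stored state: redirect_uri, state token and (when
         * issParameterSupported) the {@code iss} response parameter must all match.
         *
         * @return {@code true} only if every check passes; mismatches are logged at debug level
         */
        private boolean validateState(OIDCState state, String stateToken, String iss, String redirectUri) {
            if (state == null || stateToken == null) {
                return false;
            }
            if (!state.getRedirectUri().equals(redirectUri)) {
                logger.debug("redirectUri unmatch:expected={}, actual={}", state.getRedirectUri(), redirectUri);
                return false;
            }
            // The token is the caller-supplied value compared with the session secret; keep it constant-time.
            if (!constantTimeEquals(stateToken, state.getToken())) {
                logger.debug("state unmatch:expected={}, actual={}", state.getToken(), stateToken);
                return false;
            }
            if (MetaOpenIdConnect.this.issParameterSupported && !state.getIssuer().equals(iss)) {
                logger.debug("issuer unmatch:expected={}, actual={}", state.getIssuer(), iss);
                return false;
            }
            return true;
        }

        /**
         * Completes the code flow: validates the callback state, exchanges the code at the token
         * endpoint, validates the ID token and optionally merges UserInfo claims.
         *
         * <p>Failures are returned, not thrown, with one of the error codes {@code invalid_state},
         * {@code invalid_token_response}, {@code unknown_token_type}, {@code scope_not_granted},
         * {@code invalid_id_token}, or the OP's own error from the token response.
         *
         * @throws IllegalStateException if the runtime failed to initialise
         */
        public OIDCValidateResult validate(OIDCCredential oIDCCredential) {
            checkState();
            OIDCState state = oIDCCredential.getState();
            if (!validateState(state, oIDCCredential.getStateToken(), oIDCCredential.getIss(), oIDCCredential.getRedirectUri())) {
                return new OIDCValidateResult("invalid_state", "Invalid client state.", null, null);
            }
            Map<String, Object> tokenResponse = this.opEndpoint.token(
                    MetaOpenIdConnect.this.clientAuthenticationType, MetaOpenIdConnect.this.clientId, this.clientSecret,
                    oIDCCredential.getCode(), oIDCCredential.getRedirectUri(), state.getCodeVerifier());
            String error = (String) tokenResponse.get(OAuthEndpointConstants.PARAM_ERROR);
            if (error != null) {
                return new OIDCValidateResult(error,
                        (String) tokenResponse.get(OAuthEndpointConstants.PARAM_ERROR_DESCRIPTION),
                        (String) tokenResponse.get(OAuthEndpointConstants.PARAM_ERROR_URI), null);
            }
            String idToken = (String) tokenResponse.get(OAuthEndpointConstants.PARAM_ID_TOKEN);
            String tokenType = (String) tokenResponse.get(OAuthEndpointConstants.PARAM_TOKEN_TYPE);
            String accessToken = (String) tokenResponse.get("access_token");
            Number expiresInSeconds = (Number) tokenResponse.get(OAuthEndpointConstants.PARAM_EXPIRES_IN);
            Long expiresIn = expiresInSeconds == null ? null : Long.valueOf(expiresInSeconds.longValue());
            String refreshToken = (String) tokenResponse.get("refresh_token");
            String grantedScope = (String) tokenResponse.get(OAuthEndpointConstants.PARAM_SCOPE);
            if (tokenType == null || accessToken == null) {
                logger.debug("invalid token response:{}", tokenResponse);
                return new OIDCValidateResult("invalid_token_response", "Invalid Token Response.token_type and access_token required.", null, null);
            }
            if (!"Bearer".equalsIgnoreCase(tokenType)) {
                logger.debug("received token type is unknown:{}", tokenType);
                return new OIDCValidateResult("unknown_token_type", "The token type is unknown.", null, null);
            }
            HashSet<String> grantedScopes;
            if (grantedScope != null) {
                grantedScopes = new HashSet<>(Arrays.asList(grantedScope.split(" ")));
                if (!this.scopeParamSet.equals(grantedScopes)) {
                    return new OIDCValidateResult("scope_not_granted", "The requested scope is not granted.", null, null);
                }
            } else {
                // An omitted scope parameter means the requested scope was granted unchanged (RFC 6749 5.1).
                grantedScopes = new HashSet<>(this.scopeParamSet);
            }
            try {
                Jwt jwt = decodeIdToken(idToken);
                if (logger.isDebugEnabled()) {
                    logger.debug("received id token:hader=" + jwt.getHeader() + ", payload=" + jwt.getClaims());
                }
                validateIdToken(jwt, accessToken, oIDCCredential);
                HashMap<String, Object> attributes = new HashMap<>();
                attributes.putAll(jwt.getClaims());
                if (MetaOpenIdConnect.this.userInfoEndpoint != null) {
                    Map<String, Object> userInfo = this.opEndpoint.userInfo(tokenType, accessToken);
                    if (userInfo != null) {
                        // OIDC Core 5.3.2: the UserInfo sub must exactly match the ID Token sub, otherwise
                        // the UserInfo values must not be used. Without this check the merged sub below
                        // would be whatever the UserInfo response said.
                        Object idTokenSub = jwt.getClaims().get(IdTokenConstants.CLAIM_SUB);
                        if (!idTokenSub.equals(userInfo.get(IdTokenConstants.CLAIM_SUB))) {
                            throw new InvalidJwtException("userinfo sub unmatch");
                        }
                        attributes.putAll(userInfo);
                    }
                }
                return new OIDCValidateResult(
                        (String) attributes.get(IdTokenConstants.CLAIM_SUB),
                        (String) attributes.get(MetaOpenIdConnect.this.subjectNameClaim),
                        attributes, tokenType, accessToken, expiresIn, refreshToken, grantedScopes);
            } catch (RuntimeException e) {
                return new OIDCValidateResult("invalid_id_token", "Invalid IdToken.", null, e);
            }
        }

        /**
         * Parses the ID token. With validateSign on, {@link JwtProcessor} verifies the signature
         * against the configured JWKS and the clock skew; otherwise the header and payload are
         * Base64URL-decoded as-is and only {@code exp} (plus the allowed skew) is checked.
         *
         * <p>NOTE(review): the unsigned path trusts the token purely because it arrived in the
         * token-endpoint response over an authenticated client call; confirm that transport is
         * TLS-protected in any deployment that disables validateSign.
         *
         * @throws InvalidJwtException on malformed, undecodable or expired tokens
         */
        private Jwt decodeIdToken(String idToken) {
            if (MetaOpenIdConnect.this.validateSign) {
                return JwtProcessor.getInstance().decode(idToken, this.opService.getAllowedClockSkewMinutes(), key -> {
                    return this.jwks.get(key);
                });
            }
            int firstDot = idToken.indexOf('.');
            int secondDot = idToken.indexOf('.', firstDot + 1);
            // Exactly three segments: no dot at all collapses both indexes to -1, a fourth dot fails lastIndexOf.
            if (firstDot == secondDot || secondDot != idToken.lastIndexOf('.')) {
                throw new InvalidJwtException("invalid JWT format");
            }
            try {
                Base64.Decoder decoder = Base64.getUrlDecoder();
                String headerJson = new String(decoder.decode(idToken.substring(0, firstDot)), StandardCharsets.UTF_8);
                String payloadJson = new String(decoder.decode(idToken.substring(firstDot + 1, secondDot)), StandardCharsets.UTF_8);
                TypeReference<Map<String, Object>> mapType = new TypeReference<Map<String, Object>>() {
                };
                Map<String, Object> header = this.opService.getObjectMapper().readValue(headerJson, mapType);
                Map<String, Object> claims = this.opService.getObjectMapper().readValue(payloadJson, mapType);
                Number exp = (Number) claims.get(IdTokenConstants.CLAIM_EXP);
                if (exp != null) {
                    long notAfterMillis = TimeUnit.SECONDS.toMillis(exp.longValue())
                            + TimeUnit.MINUTES.toMillis(this.opService.getAllowedClockSkewMinutes());
                    if (System.currentTimeMillis() >= notAfterMillis) {
                        throw new InvalidJwtException("JWT expired");
                    }
                }
                return new Jwt(header, claims);
            } catch (JsonProcessingException e) {
                throw new InvalidJwtException(e);
            }
        }

        /**
         * Applies the ID-token checks of OIDC Core 3.1.3.7 that do not depend on the signature:
         * iss equals the stored issuer, sub/aud/exp/iat present, aud contains this client (with azp
         * required for a list-valued aud and, when present, equal to the client id), iat not older
         * than the state's creation time minus the allowed skew, nonce echoed when one was sent,
         * and at_hash / c_hash consistent with the access token and code when present.
         *
         * @throws InvalidJwtException naming the first failing check
         */
        private void validateIdToken(Jwt jwt, String accessToken, OIDCCredential credential) {
            Map<?, ?> claims = jwt.getClaims();
            OIDCState state = credential.getState();
            String clientId = MetaOpenIdConnect.this.clientId;

            String iss = (String) claims.get("iss");
            if (iss == null) {
                throw new InvalidJwtException("iss required");
            }
            if (!iss.equals(state.getIssuer())) {
                throw new InvalidJwtException("iss unmatch");
            }
            String sub = (String) claims.get(IdTokenConstants.CLAIM_SUB);
            if (sub == null) {
                throw new InvalidJwtException("sub required");
            }

            Object aud = claims.get(IdTokenConstants.CLAIM_AUD);
            if (aud == null) {
                throw new InvalidJwtException("aud required");
            }
            boolean audIsList = aud instanceof List;
            if (aud instanceof String) {
                if (!aud.equals(clientId)) {
                    throw new InvalidJwtException("aud unmatch");
                }
            } else if (!audIsList || !((List<?>) aud).contains(clientId)) {
                // A non-string, non-list aud is rejected explicitly instead of via ClassCastException.
                throw new InvalidJwtException("aud unmatch");
            }

            if ((Number) claims.get(IdTokenConstants.CLAIM_EXP) == null) {
                throw new InvalidJwtException("exp required");
            }
            Number iat = (Number) claims.get(IdTokenConstants.CLAIM_IAT);
            if (iat == null) {
                throw new InvalidJwtException("iat required");
            }
            long iatUpperBoundMillis = TimeUnit.SECONDS.toMillis(iat.longValue())
                    + TimeUnit.MINUTES.toMillis(this.opService.getAllowedClockSkewMinutes());
            // A token issued (beyond the skew) before this login's state was created cannot belong to it.
            if (state.getCreateTime() > iatUpperBoundMillis) {
                throw new InvalidJwtException("invalid iat");
            }

            if (state.getNonce() != null) {
                String nonce = (String) claims.get("nonce");
                if (nonce == null) {
                    throw new InvalidJwtException("nonce required");
                }
                if (!constantTimeEquals(nonce, state.getNonce())) {
                    throw new InvalidJwtException("invalid nonce");
                }
            }

            String azp = (String) claims.get(IdTokenConstants.CLAIM_AZP);
            if (audIsList && azp == null) {
                throw new InvalidJwtException("azp required");
            }
            if (azp != null && !azp.equals(clientId)) {
                throw new InvalidJwtException("invalid azp");
            }

            String atHash = (String) claims.get(IdTokenConstants.CLAIM_AT_HASH);
            if (atHash != null) {
                String alg = (String) jwt.getHeader().get(IdTokenConstants.HEAER_ALG);
                if (!constantTimeEquals(atHash, OAuthUtil.atHash(accessToken, alg))) {
                    throw new InvalidJwtException("invalid at_hash");
                }
            }
            String cHash = (String) claims.get(IdTokenConstants.CLAIM_C_HASH);
            if (cHash != null) {
                String alg = (String) jwt.getHeader().get(IdTokenConstants.HEAER_ALG);
                if (!constantTimeEquals(cHash, OAuthUtil.cHash(credential.getCode(), alg))) {
                    throw new InvalidJwtException("invalid c_hash");
                }
            }
        }

        /**
         * Builds the authorize request URL for the given state: client_id, response_type=code,
         * scope, redirect_uri, state, then response_mode, nonce and S256 PKCE parameters as
         * configured. Query values are RFC 3986 percent-encoded.
         *
         * @throws IllegalArgumentException if responseMode is neither FORM_POST nor QUERY
         */
        public String authorizeUrl(OIDCState oIDCState) {
            String endpoint = MetaOpenIdConnect.this.authorizationEndpoint;
            StringBuilder url = new StringBuilder(endpoint);
            if (endpoint.indexOf('?') < 0) {
                url.append('?');
            } else if (endpoint.charAt(endpoint.length() - 1) != '?') {
                url.append('&');
            }
            appendParam(url, OAuthEndpointConstants.PARAM_CLIENT_ID, OAuthUtil.encodeRfc3986(MetaOpenIdConnect.this.clientId));
            url.append('&');
            appendParam(url, OAuthEndpointConstants.PARAM_RESPONSE_TYPE, "code");
            url.append('&');
            appendParam(url, OAuthEndpointConstants.PARAM_SCOPE, OAuthUtil.encodeRfc3986(this.scopeParamValue));
            url.append('&');
            appendParam(url, OAuthEndpointConstants.PARAM_REDIRECT_URI, OAuthUtil.encodeRfc3986(oIDCState.getRedirectUri()));
            url.append('&');
            appendParam(url, "state", OAuthUtil.encodeRfc3986(oIDCState.getToken()));
            if (MetaOpenIdConnect.this.responseMode != null) {
                String modeValue;
                if (MetaOpenIdConnect.this.responseMode == ResponseMode.FORM_POST) {
                    modeValue = OAuthConstants.RESPONSE_MODE_FORM_POST;
                } else if (MetaOpenIdConnect.this.responseMode == ResponseMode.QUERY) {
                    modeValue = "query";
                } else {
                    throw new IllegalArgumentException();
                }
                url.append('&');
                appendParam(url, OAuthEndpointConstants.PARAM_RESPONSE_MODE, OAuthUtil.encodeRfc3986(modeValue));
            }
            if (MetaOpenIdConnect.this.useNonce) {
                url.append('&');
                appendParam(url, "nonce", OAuthUtil.encodeRfc3986(oIDCState.getNonce()));
            }
            if (MetaOpenIdConnect.this.enablePKCE) {
                url.append('&');
                appendParam(url, OAuthEndpointConstants.PARAM_CODE_CHALLENGE_METHOD, OAuthConstants.CODE_CHALLENGE_METHOD_S256);
                url.append('&');
                appendParam(url, OAuthEndpointConstants.PARAM_CODE_CHALLENGE,
                        OAuthUtil.calcCodeChallenge(OAuthConstants.CODE_CHALLENGE_METHOD_S256, oIDCState.getCodeVerifier()));
            }
            return url.toString();
        }

        /** Appends {@code name=value}; the caller is responsible for encoding {@code value}. */
        private void appendParam(StringBuilder url, String name, String value) {
            url.append(name).append('=').append(value);
        }

        /**
         * Links the validated OP subject to a local user; see {@link #connect(String, String, String)}.
         */
        public void connect(String str, OIDCValidateResult oIDCValidateResult) {
            connect(str, oIDCValidateResult.getSubjectId(), oIDCValidateResult.getSubjectName());
        }

        /**
         * Stores an OpenIdProviderAccount entity linking an OP subject to a user, inserted with
         * elevated privileges.
         *
         * @param str  user identifier; passed as the first {@link User} constructor argument and
         *             matched against {@code USER_OID} by {@link #disconnect}
         * @param str2 OP subject identifier ({@code sub})
         * @param str3 displayable subject name
         */
        public void connect(String str, String str2, String str3) {
            GenericEntity account = new GenericEntity(OpenIdProviderAccountEntityEventListener.DEFINITION_NAME);
            account.setValue("openIdConnectDefinitionName", MetaOpenIdConnect.this.getName());
            account.setValue(OpenIdProviderAccountEntityEventListener.SUBJECT_ID, str2);
            account.setValue(OpenIdProviderAccountEntityEventListener.SUBJECT_NAME, str3);
            account.setValue(OpenIdProviderAccountEntityEventListener.USER, new User(str, (String) null, false));
            AuthContext.doPrivileged(() -> {
                return this.em.insert(account);
            });
        }

        /**
         * Removes the OpenIdProviderAccount link for the given user oid and this definition, if
         * one exists; a no-op otherwise. Runs with elevated privileges.
         */
        public void disconnect(String str) {
            AuthContext.doPrivileged(() -> {
                Query query = new Query()
                        .select(new Object[]{"oid"})
                        .from(OpenIdProviderAccountEntityEventListener.DEFINITION_NAME)
                        .where(new And(new Condition[]{
                                new Equals(OpenIdProviderAccountEntityEventListener.USER_OID, str),
                                new Equals("openIdConnectDefinitionName", MetaOpenIdConnect.this.getName())}));
                Entity link = (Entity) this.em.searchEntity(query).getFirst();
                if (link != null) {
                    this.em.delete(link, new DeleteOption());
                }
            });
        }

        /**
         * Whether the policy allows this definition: its openIdConnectDefinition list must contain
         * the definition name exactly, or a pattern whose prefix before the first {@code *} matches.
         *
         * @return {@code false} when the policy lists no OpenIdConnect definitions
         */
        public boolean isAllowedOnPolicy(MetaAuthenticationPolicy.AuthenticationPolicyRuntime authenticationPolicyRuntime) {
            if (authenticationPolicyRuntime.getMetaData().getOpenIdConnectDefinition() == null) {
                return false;
            }
            String myName = m14getMetaData().getName();
            for (String pattern : authenticationPolicyRuntime.getMetaData().getOpenIdConnectDefinition()) {
                if (myName.equals(pattern)) {
                    return true;
                }
                int wildcard = pattern.indexOf('*');
                if (wildcard >= 0 && myName.startsWith(pattern.substring(0, wildcard))) {
                    return true;
                }
            }
            return false;
        }
    }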

    /* loaded from: input_file:org/iplass/mtp/impl/auth/authenticate/oidc/MetaOpenIdConnect$RandomHolder.class */
    /**
     * Holder for the secure-random token generators used by newOIDCState (state token, nonce,
     * PKCE code verifier). Being a separate class, its static fields are only initialised when
     * it is first referenced, not when MetaOpenIdConnect itself is loaded.
     */
    private static class RandomHolder {
        static final SecureRandomGenerator randomForState;
        static final SecureRandomGenerator randomForNonce;
        static final SecureRandomGenerator randomForCodeVerifier;

        static {
            randomForState = ServiceRegistry.getRegistry().getService(SecureRandomService.class).createGenerator("stateTokenGenerator");
            randomForNonce = ServiceRegistry.getRegistry().getService(SecureRandomService.class).createGenerator("nonceGenerator");
            randomForCodeVerifier = ServiceRegistry.getRegistry().getService(SecureRandomService.class).createGenerator("codeVerifierGenerator");
        }

        private RandomHolder() {
        }
    }

    /** Returns the Groovy template source for the post-authentication redirect URL, or {@code null}. */
    public String getBackUrlAfterAuth() {
        return backUrlAfterAuth;
    }

    /** Sets the Groovy template source for the post-authentication redirect URL; {@code null} disables it. */
    public void setBackUrlAfterAuth(String str) {
        backUrlAfterAuth = str;
    }

    /** Returns the Groovy template source for the post-connect redirect URL, or {@code null}. */
    public String getBackUrlAfterConnect() {
        return backUrlAfterConnect;
    }

    /** Sets the Groovy template source for the post-connect redirect URL; {@code null} disables it. */
    public void setBackUrlAfterConnect(String str) {
        backUrlAfterConnect = str;
    }

    /** Returns the OP issuer identifier the ID token's {@code iss} claim must equal. */
    public String getIssuer() {
        return issuer;
    }

    /** Sets the OP issuer identifier; required for the runtime to initialise. */
    public void setIssuer(String str) {
        issuer = str;
    }

    /** Returns the OP authorization endpoint used as the base of the authorize URL. */
    public String getAuthorizationEndpoint() {
        return authorizationEndpoint;
    }

    /** Sets the OP authorization endpoint; required. May already carry a query string. */
    public void setAuthorizationEndpoint(String str) {
        authorizationEndpoint = str;
    }

    /** Returns the OP token endpoint used for the authorization-code exchange. */
    public String getTokenEndpoint() {
        return tokenEndpoint;
    }

    /** Sets the OP token endpoint; required. */
    public void setTokenEndpoint(String str) {
        tokenEndpoint = str;
    }

    /** Returns the OP UserInfo endpoint, or {@code null} when UserInfo is not fetched. */
    public String getUserInfoEndpoint() {
        return userInfoEndpoint;
    }

    /** Sets the OP UserInfo endpoint; when non-null its claims are merged after ID-token validation. */
    public void setUserInfoEndpoint(String str) {
        userInfoEndpoint = str;
    }

    /** Returns the remote JWKS URL, consulted only when no inline JWKS contents are set. */
    public String getJwksEndpoint() {
        return jwksEndpoint;
    }

    /** Sets the remote JWKS URL; required (unless jwksContents is set) when signature validation is on. */
    public void setJwksEndpoint(String str) {
        jwksEndpoint = str;
    }

    /** Returns the inline JWKS document, which takes precedence over the JWKS endpoint. */
    public String getJwksContents() {
        return jwksContents;
    }

    /** Sets the inline JWKS document; an empty string counts as unset. */
    public void setJwksContents(String str) {
        jwksContents = str;
    }

    /** Returns the client_id registered at the OP; also the expected {@code aud}/{@code azp}. */
    public String getClientId() {
        return clientId;
    }

    /** Sets the client_id; required. */
    public void setClientId(String str) {
        clientId = str;
    }

    /** Returns the additional scopes to request; {@code openid} is always added by the runtime. */
    public List<String> getScopes() {
        return scopes;
    }

    /** Sets the additional scopes to request; the list is stored as given, not copied. */
    public void setScopes(List<String> list) {
        scopes = list;
    }

    /** Returns how the client authenticates at the token endpoint. */
    public ClientAuthenticationType getClientAuthenticationType() {
        return clientAuthenticationType;
    }

    /** Sets how the client authenticates at the token endpoint; required. */
    public void setClientAuthenticationType(ClientAuthenticationType clientAuthenticationType) {
        this.clientAuthenticationType = clientAuthenticationType;
    }

    /** Whether a nonce is generated per login and required to be echoed in the ID token. */
    public boolean isUseNonce() {
        return useNonce;
    }

    /** Enables or disables the per-login nonce (on by default). */
    public void setUseNonce(boolean z) {
        useNonce = z;
    }

    /** Whether PKCE (S256) is used for the code exchange. */
    public boolean isEnablePKCE() {
        return enablePKCE;
    }

    /** Enables or disables PKCE (on by default). */
    public void setEnablePKCE(boolean z) {
        enablePKCE = z;
    }

    /** Whether the callback's {@code iss} parameter is required to match the stored issuer. */
    public boolean isIssParameterSupported() {
        return issParameterSupported;
    }

    /** Enables or disables the {@code iss} callback-parameter check (on by default). */
    public void setIssParameterSupported(boolean z) {
        issParameterSupported = z;
    }

    /** Whether the ID token signature is verified against the configured JWKS. */
    public boolean isValidateSign() {
        return validateSign;
    }

    /** Enables or disables ID token signature verification; when on, a JWKS source is required. */
    public void setValidateSign(boolean z) {
        validateSign = z;
    }

    /** Returns the response_mode requested from the OP; {@code null} omits the parameter. */
    public ResponseMode getResponseMode() {
        return responseMode;
    }

    /** Sets the response_mode; only FORM_POST and QUERY are accepted when building the authorize URL. */
    public void setResponseMode(ResponseMode responseMode) {
        this.responseMode = responseMode;
    }

    /** Returns the claim name used as the displayable subject name (default {@code preferred_username}). */
    public String getSubjectNameClaim() {
        return subjectNameClaim;
    }

    /** Sets the claim name used as the displayable subject name; required. */
    public void setSubjectNameClaim(String str) {
        subjectNameClaim = str;
    }

    /** Returns the utility-class name of the AutoUserProvisioningHandler, or {@code null}. */
    public String getAutoUserProvisioningHandler() {
        return autoUserProvisioningHandler;
    }

    /** Sets the utility-class name of the AutoUserProvisioningHandler; {@code null} disables provisioning. */
    public void setAutoUserProvisioningHandler(String str) {
        autoUserProvisioningHandler = str;
    }

    /** Returns the transient-user flag; it is not consulted by the runtime in this file. */
    public boolean isEnableTransientUser() {
        return enableTransientUser;
    }

    /** Sets the transient-user flag. */
    public void setEnableTransientUser(boolean z) {
        enableTransientUser = z;
    }

    /**
     * Creates the per-tenant runtime for this definition.
     *
     * @param metaDataConfig supplied by the metadata framework; not used here
     * @return a new {@link OpenIdConnectRuntime}
     */
    public MetaDataRuntime createRuntime(MetaDataConfig metaDataConfig) {
        OpenIdConnectRuntime runtime = new OpenIdConnectRuntime();
        return runtime;
    }

    /**
     * Returns a deep copy of this metadata via {@code ObjectUtil.deepCopy}.
     * (Decompiler note: this method was originally named {@code copy}; the suffix comes from a
     * merged bridge method.)
     *
     * @return a deep copy of this instance
     */
    public MetaOpenIdConnect m12copy() {
        Object copied = ObjectUtil.deepCopy(this);
        return (MetaOpenIdConnect) copied;
    }

    /**
     * Overwrites every field of this metadata from the given definition.
     * Values are copied as-is; the scope list is defensively copied so later changes to the
     * definition do not leak into this object. No client secret is carried by this mapping —
     * presumably it is stored separately; confirm.
     * NOTE(review): issuer and endpoint URLs are not validated here (e.g. for https); confirm
     * they are checked before the runtime uses them.
     *
     * @param openIdConnectDefinition the definition to copy from (must not be {@code null})
     */
    public void applyConfig(OpenIdConnectDefinition openIdConnectDefinition) {
        OpenIdConnectDefinition src = openIdConnectDefinition;

        // identity / display
        name = src.getName();
        displayName = src.getDisplayName();
        localizedDisplayNameList = I18nUtil.toMeta(src.getLocalizedDisplayNameList());
        description = src.getDescription();

        // provider endpoints and keys
        issuer = src.getIssuer();
        authorizationEndpoint = src.getAuthorizationEndpoint();
        tokenEndpoint = src.getTokenEndpoint();
        userInfoEndpoint = src.getUserInfoEndpoint();
        jwksEndpoint = src.getJwksEndpoint();
        jwksContents = src.getJwksContents();

        // client settings
        clientId = src.getClientId();
        clientAuthenticationType = src.getClientAuthenticationType();
        responseMode = src.getResponseMode();
        if (src.getScopes() == null) {
            scopes = null;
        } else {
            scopes = new ArrayList(src.getScopes());
        }

        // protocol hardening flags
        useNonce = src.isUseNonce();
        enablePKCE = src.isEnablePKCE();
        issParameterSupported = src.isIssParameterSupported();
        validateSign = src.isValidateSign();

        // user mapping and post-auth navigation
        subjectNameClaim = src.getSubjectNameClaim();
        autoUserProvisioningHandler = src.getAutoUserProvisioningHandler();
        enableTransientUser = src.isEnableTransientUser();
        backUrlAfterAuth = src.getBackUrlAfterAuth();
        backUrlAfterConnect = src.getBackUrlAfterConnect();
    }

    /**
     * Builds a definition object reflecting the current state of this metadata — the inverse of
     * {@link #applyConfig(OpenIdConnectDefinition)}. The scope list is copied (and left unset when
     * it is {@code null}); all other values are passed through as-is.
     * (Decompiler note: originally named {@code currentConfig}; suffix from a merged bridge method.)
     *
     * @return a new definition populated from this instance
     */
    public OpenIdConnectDefinition m13currentConfig() {
        OpenIdConnectDefinition out = new OpenIdConnectDefinition();

        // identity / display
        out.setName(name);
        out.setDisplayName(displayName);
        out.setLocalizedDisplayNameList(I18nUtil.toDef(localizedDisplayNameList));
        out.setDescription(description);

        // provider endpoints and keys
        out.setIssuer(issuer);
        out.setAuthorizationEndpoint(authorizationEndpoint);
        out.setTokenEndpoint(tokenEndpoint);
        out.setUserInfoEndpoint(userInfoEndpoint);
        out.setJwksEndpoint(jwksEndpoint);
        out.setJwksContents(jwksContents);

        // client settings
        out.setClientId(clientId);
        out.setClientAuthenticationType(clientAuthenticationType);
        out.setResponseMode(responseMode);
        if (scopes != null) {
            out.setScopes(new ArrayList(scopes));
        }

        // protocol hardening flags
        out.setUseNonce(useNonce);
        out.setEnablePKCE(enablePKCE);
        out.setIssParameterSupported(issParameterSupported);
        out.setValidateSign(validateSign);

        // user mapping and post-auth navigation
        out.setSubjectNameClaim(subjectNameClaim);
        out.setAutoUserProvisioningHandler(autoUserProvisioningHandler);
        out.setEnableTransientUser(enableTransientUser);
        out.setBackUrlAfterAuth(backUrlAfterAuth);
        out.setBackUrlAfterConnect(backUrlAfterConnect);

        return out;
    }
}
