package org.apache.cxf.rs.security.oauth2.utils;

import java.lang.reflect.Method;
import java.security.MessageDigest;
import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Properties;
import javax.servlet.http.HttpSession;
import javax.ws.rs.core.SecurityContext;
import org.apache.cxf.common.util.Base64UrlUtility;
import org.apache.cxf.common.util.Base64Utility;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.jaxrs.ext.MessageContext;
import org.apache.cxf.jaxrs.impl.MetadataMap;
import org.apache.cxf.jaxrs.model.URITemplate;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
import org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider;
import org.apache.cxf.rs.security.jose.jwe.JweUtils;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
import org.apache.cxf.rs.security.jose.jws.JwsUtils;
import org.apache.cxf.rs.security.oauth2.common.AuthenticationMethod;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.common.UserSubject;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rt.security.crypto.CryptoUtils;
import org.apache.cxf.rt.security.crypto.MessageDigestUtils;
import org.apache.cxf.security.LoginSecurityContext;
import org.apache.cxf.security.transport.TLSSessionInfo;

/* loaded from: input_file:org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.class */
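/**
 * Static helpers shared by the CXF OAuth2 endpoints: TLS client-certificate
 * binding (x5t#S256 / certificate comparison), session authenticity tokens,
 * {@link UserSubject} creation, scope and audience validation, token lifetime
 * checks and client-secret based JWS/JWE providers.
 *
 * <p>Points a deployer should be aware of (all visible in the code below):
 * <ul>
 *   <li>{@link #validateScopes} with partial matching enabled is a plain
 *       string-prefix match, and {@link #checkRequestURI} accepts a trailing
 *       wildcard on registered URIs; both widen what a client may request.</li>
 *   <li>{@link #isGrantSupportedForClient} treats an empty allowed-grant list
 *       as "every grant type allowed".</li>
 *   <li>The client-secret JWE providers use the raw UTF-8 bytes of the secret
 *       as the content-encryption key; no key derivation happens here.</li>
 * </ul>
 */
public final class OAuthUtils {

    private OAuthUtils() {
    }

    /**
     * Computes the SHA-256 digest of the certificate's DER encoding, the value
     * carried (base64url-encoded) in the {@code x5t#S256} confirmation claim.
     *
     * @param cert the certificate to fingerprint
     * @return the raw 32-byte digest
     * @throws Exception if the certificate cannot be encoded or digested
     */
    public static byte[] createCertificateThumbprint(X509Certificate cert) throws Exception {
        return MessageDigestUtils.createDigest(cert.getEncoded(), "SHA-256");
    }

    /**
     * Stores the base64url-encoded SHA-256 thumbprint of {@code cert} in the
     * message context under the {@code x5t#S256} key.
     *
     * @throws OAuthServiceException wrapping any encoding/digest failure
     */
    public static void setCertificateThumbprintConfirmation(MessageContext mc, X509Certificate cert) {
        try {
            mc.put("x5t#S256", Base64UrlUtility.encode(createCertificateThumbprint(cert)));
        } catch (Exception e) {
            throw new OAuthServiceException(e);
        }
    }

    /**
     * Checks whether {@code encodedThumbprint} (base64url) is the SHA-256
     * thumbprint of {@code cert}.
     *
     * @return {@code true} only when the thumbprints match; any decoding or
     *         digest failure yields {@code false} (fail closed)
     */
    public static boolean compareCertificateThumbprints(X509Certificate cert, String encodedThumbprint) {
        try {
            byte[] expected = createCertificateThumbprint(cert);
            byte[] presented = Base64UrlUtility.decode(encodedThumbprint);
            // Constant-time comparison: the thumbprint may be attacker supplied.
            return MessageDigest.isEqual(expected, presented);
        } catch (Exception e) {
            return false;
        }
    }

    /**
     * Compares the peer certificate chain of the TLS session with a list of
     * base64-encoded DER certificates, position by position.
     *
     * <p>Returns {@code false} when the session carries no peer chain or the
     * chain length differs from the registered list; a single mismatch or
     * decoding error also yields {@code false}. Note that an empty chain paired
     * with an empty list compares equal, so callers should first confirm that
     * a client certificate is present (see {@link #getRootTLSCertificate}).
     *
     * @param tlsInfo            the TLS session information
     * @param base64EncodedCerts registered certificates, base64-encoded DER
     */
    public static boolean compareTlsCertificates(TLSSessionInfo tlsInfo, List<String> base64EncodedCerts) {
        Certificate[] peerCerts = tlsInfo.getPeerCertificates();
        // No chain means the client did not authenticate with a certificate:
        // fail closed rather than dereferencing null.
        if (peerCerts == null || base64EncodedCerts == null
            || peerCerts.length != base64EncodedCerts.size()) {
            return false;
        }
        for (int i = 0; i < peerCerts.length; i++) {
            try {
                byte[] presented = ((X509Certificate) peerCerts[i]).getEncoded();
                byte[] registered = Base64Utility.decode(base64EncodedCerts.get(i));
                if (!MessageDigest.isEqual(presented, registered)) {
                    return false;
                }
            } catch (Exception e) {
                // Non-X.509 entry or undecodable registered value: treat as mismatch.
                return false;
            }
        }
        return true;
    }

    /**
     * Reports whether the request was authenticated by mutual TLS: a TLS
     * session exists, it carries a peer certificate chain, and the container
     * has not already applied another authentication scheme.
     */
    public static boolean isMutualTls(SecurityContext sc, TLSSessionInfo tlsInfo) {
        return tlsInfo != null
            && StringUtils.isEmpty(sc.getAuthenticationScheme())
            && getRootTLSCertificate(tlsInfo) != null;
    }

    /** Returns the RFC 2253 subject DN of the certificate. */
    public static String getSubjectDnFromTLSCertificates(X509Certificate cert) {
        return cert.getSubjectX500Principal().getName();
    }

    /** Returns the RFC 2253 issuer DN of the certificate. */
    public static String getIssuerDnFromTLSCertificates(X509Certificate cert) {
        return cert.getIssuerX500Principal().getName();
    }

    /**
     * Returns the first certificate of the peer chain, or {@code null} when no
     * chain is present. Despite the method name this is element 0 of the peer
     * chain, presumably the client's end-entity certificate (the usual JSSE
     * ordering) - confirm against the {@link TLSSessionInfo} producer.
     */
    public static X509Certificate getRootTLSCertificate(TLSSessionInfo tlsInfo) {
        Certificate[] peerCerts = tlsInfo.getPeerCertificates();
        if (peerCerts == null || peerCerts.length == 0) {
            return null;
        }
        return (X509Certificate) peerCerts[0];
    }

    /**
     * Calls {@code provider.setMessageContext(MessageContext)} reflectively if
     * the provider exposes such a public method; providers without it are
     * silently skipped.
     *
     * @throws RuntimeException wrapping any failure of the invocation itself
     */
    public static void injectContextIntoOAuthProvider(MessageContext mc, Object provider) {
        Method setter;
        try {
            setter = provider.getClass().getMethod("setMessageContext", MessageContext.class);
        } catch (NoSuchMethodException | SecurityException e) {
            // Not every provider accepts a context; nothing to inject.
            return;
        }
        try {
            setter.invoke(provider, mc);
        } catch (Throwable t) {
            throw new RuntimeException(t);
        }
    }

    /** Stores a freshly generated token under the default session attribute. */
    public static String setSessionToken(MessageContext mc) {
        return setSessionToken(mc, 0);
    }

    /**
     * Stores a freshly generated token under the default session attribute,
     * optionally adjusting the session's max inactive interval.
     */
    public static String setSessionToken(MessageContext mc, int maxInactiveInterval) {
        return setSessionToken(mc, generateRandomTokenKey(), maxInactiveInterval);
    }

    /** Stores {@code token} under the default session attribute. */
    public static String setSessionToken(MessageContext mc, String token) {
        return setSessionToken(mc, token, 0);
    }

    /** Stores {@code token} under the default session attribute. */
    public static String setSessionToken(MessageContext mc, String token, int maxInactiveInterval) {
        return setSessionToken(mc, token, null, maxInactiveInterval);
    }

    /**
     * Stores {@code token} in the HTTP session (created on demand).
     *
     * @param mc                  the message context holding the servlet request
     * @param token               the value to store
     * @param attributeName       session attribute name, or {@code null} for
     *                            {@link OAuthConstants#SESSION_AUTHENTICITY_TOKEN}
     * @param maxInactiveInterval if positive, applied to the session in seconds
     * @return {@code token}, for chaining
     */
    public static String setSessionToken(MessageContext mc, String token, String attributeName,
                                         int maxInactiveInterval) {
        HttpSession session = mc.getHttpServletRequest().getSession();
        if (maxInactiveInterval > 0) {
            session.setMaxInactiveInterval(maxInactiveInterval);
        }
        String name = attributeName == null ? OAuthConstants.SESSION_AUTHENTICITY_TOKEN : attributeName;
        session.setAttribute(name, token);
        return token;
    }

    /** Reads and removes the token stored under the default session attribute. */
    public static String getSessionToken(MessageContext mc) {
        return getSessionToken(mc, null);
    }

    /** Reads and removes the token stored under {@code attributeName}. */
    public static String getSessionToken(MessageContext mc, String attributeName) {
        return getSessionToken(mc, attributeName, true);
    }

    /**
     * Reads the token stored in the HTTP session.
     *
     * @param mc            the message context holding the servlet request
     * @param attributeName session attribute name, or {@code null} for
     *                      {@link OAuthConstants#SESSION_AUTHENTICITY_TOKEN}
     * @param remove        when {@code true} the attribute is removed once read,
     *                      making the token single-use (replay of the same
     *                      authenticity token is thereby rejected)
     * @return the stored token, or {@code null} if none
     */
    public static String getSessionToken(MessageContext mc, String attributeName, boolean remove) {
        HttpSession session = mc.getHttpServletRequest().getSession();
        String name = attributeName == null ? OAuthConstants.SESSION_AUTHENTICITY_TOKEN : attributeName;
        String token = (String) session.getAttribute(name);
        if (token != null && remove) {
            session.removeAttribute(name);
        }
        return token;
    }

    /**
     * Returns the {@link UserSubject} already attached to the message, if any,
     * otherwise builds one from the security context.
     */
    public static UserSubject createSubject(MessageContext mc, org.apache.cxf.security.SecurityContext sc) {
        UserSubject existing = (UserSubject) mc.getContent(UserSubject.class);
        return existing != null ? existing : createSubject(sc);
    }

    /**
     * Builds a {@link UserSubject} from the principal name and (for a
     * {@link LoginSecurityContext}) the role names of the security context,
     * copying the {@link AuthenticationMethod} from the current message when
     * one is present.
     *
     * <p>{@code sc.getUserPrincipal()} is dereferenced unconditionally, so an
     * unauthenticated context fails with a {@link NullPointerException};
     * callers are expected to have authenticated the request first.
     */
    public static UserSubject createSubject(org.apache.cxf.security.SecurityContext sc) {
        List<String> roles = Collections.emptyList();
        if (sc instanceof LoginSecurityContext) {
            roles = new ArrayList<String>();
            for (Principal role : ((LoginSecurityContext) sc).getUserRoles()) {
                roles.add(role.getName());
            }
        }
        UserSubject subject = new UserSubject(sc.getUserPrincipal().getName(), roles);
        Message current = JAXRSUtils.getCurrentMessage();
        if (current != null && current.get(AuthenticationMethod.class) != null) {
            subject.setAuthenticationMethod((AuthenticationMethod) current.get(AuthenticationMethod.class));
        }
        return subject;
    }

    /**
     * Joins the client-visible permissions into a space-separated scope string.
     * Permissions flagged invisible to the client, or without a permission
     * value, are omitted.
     */
    public static String convertPermissionsToScope(List<OAuthPermission> permissions) {
        StringBuilder scope = new StringBuilder();
        for (OAuthPermission permission : permissions) {
            if (permission.isInvisibleToClient() || permission.getPermission() == null) {
                continue;
            }
            if (scope.length() > 0) {
                scope.append(' ');
            }
            scope.append(permission.getPermission());
        }
        return scope.toString();
    }

    /**
     * Returns the permission value of every entry, in order. Unlike
     * {@link #convertPermissionsToScope} this does not filter out permissions
     * that are invisible to the client or {@code null}.
     */
    public static List<String> convertPermissionsToScopeList(List<OAuthPermission> permissions) {
        List<String> scopes = new LinkedList<String>();
        for (OAuthPermission permission : permissions) {
            scopes.add(permission.getPermission());
        }
        return scopes;
    }

    /**
     * Decides whether {@code grantType} may be used by {@code client}.
     *
     * <p>A {@code null} grant type is rejected; a public (non-confidential)
     * client is rejected unless {@code canSupportPublicClients} is set. An
     * empty allowed-grant list on the client means every grant type is
     * allowed, so restricting a client requires an explicit list.
     */
    public static boolean isGrantSupportedForClient(Client client, boolean canSupportPublicClients,
                                                    String grantType) {
        if (grantType == null) {
            return false;
        }
        if (!client.isConfidential() && !canSupportPublicClients) {
            return false;
        }
        List<String> allowed = client.getAllowedGrantTypes();
        return allowed.isEmpty() || allowed.contains(grantType);
    }

    /**
     * Splits a space-separated scope parameter into its non-empty tokens.
     *
     * @param scope the raw scope parameter, may be {@code null}
     * @return the scope tokens, empty for {@code null} or blank input
     */
    public static List<String> parseScope(String scope) {
        List<String> scopes = new LinkedList<String>();
        if (scope == null) {
            return scopes;
        }
        for (String token : scope.split(" ")) {
            if (!StringUtils.isEmpty(token)) {
                scopes.add(token);
            }
        }
        return scopes;
    }

    /** Generates a hex-encoded key from 16 secure-random bytes (128 bits). */
    public static String generateRandomTokenKey() throws OAuthServiceException {
        return generateRandomTokenKey(16);
    }

    /**
     * Generates a hex-encoded key from {@code byteSize} secure-random bytes.
     *
     * @param byteSize number of random bytes; the hex string is twice as long
     * @throws OAuthServiceException if fewer than 16 bytes (128 bits) are
     *                               requested, the minimum entropy accepted here
     */
    public static String generateRandomTokenKey(int byteSize) {
        if (byteSize < 16) {
            throw new OAuthServiceException();
        }
        return StringUtils.toHexString(CryptoUtils.generateSecureRandomBytes(byteSize));
    }

    /** Current time in seconds since the epoch. */
    public static long getIssuedAt() {
        return System.currentTimeMillis() / 1000;
    }

    /**
     * Reports whether a token issued at {@code issuedAt} (epoch seconds) with
     * the given {@code lifetime} (seconds) has expired.
     *
     * <p>As implemented: a {@code null} lifetime or one below {@code -1} is
     * always expired; {@code -1} and {@code 0} never expire; a positive
     * lifetime expires once {@code issuedAt + lifetime} is in the past. A
     * positive lifetime with no issue time cannot be verified and is treated
     * as expired.
     */
    public static boolean isExpired(Long issuedAt, Long lifetime) {
        if (lifetime == null || lifetime < -1) {
            return true;
        }
        if (lifetime <= 0) {
            return false;
        }
        if (issuedAt == null) {
            // Fail closed instead of NPE: an unverifiable token is not valid.
            return true;
        }
        return issuedAt + lifetime < System.currentTimeMillis() / 1000;
    }

    /**
     * Validates a single requested audience against the registered ones; a
     * {@code null} audience is accepted.
     */
    public static boolean validateAudience(String audience, List<String> registeredAudiences) {
        return audience == null
            || validateAudiences(Collections.singletonList(audience), registeredAudiences);
    }

    /**
     * Validates that every requested audience is registered.
     *
     * <p>Both lists empty (or {@code null}) is accepted. A {@code null}
     * requested list counts as "nothing requested" and is accepted, matching
     * {@link #validateAudience}; a {@code null} registered list with a
     * non-empty request is rejected rather than throwing.
     */
    public static boolean validateAudiences(List<String> requested, List<String> registered) {
        if (StringUtils.isEmpty(requested) && StringUtils.isEmpty(registered)) {
            return true;
        }
        List<String> wanted = requested == null ? Collections.<String>emptyList() : requested;
        return registered != null && registered.containsAll(wanted);
    }

    /**
     * Matches a request URI against a registered URI template.
     *
     * <p>A registered value ending in {@link OAuthConstants#ALL_AUTH_SCHEMES}
     * (a one-character wildcard suffix, stripped before matching) accepts any
     * trailing path; otherwise only an exact match, or one whose remaining
     * segment is just {@code "/"}, is accepted. Wildcard registrations widen
     * what a client may redirect to, so they should be used sparingly. Any
     * template error yields {@code false}.
     */
    public static boolean checkRequestURI(String requestUri, String registeredUri) {
        boolean wildcard = registeredUri.endsWith(OAuthConstants.ALL_AUTH_SCHEMES);
        try {
            String pattern = wildcard
                ? registeredUri.substring(0, registeredUri.length() - 1) : registeredUri;
            URITemplate template = new URITemplate(pattern);
            MetadataMap<String, String> groups = new MetadataMap<String, String>();
            if (!template.match(requestUri, groups)) {
                return false;
            }
            String remainder = groups.getFirst("FINAL_MATCH_GROUP");
            if (wildcard || StringUtils.isEmpty(remainder)) {
                return true;
            }
            return "/".equals(remainder);
        } catch (Exception e) {
            return false;
        }
    }

    /**
     * Resolves the scopes a request is granted.
     *
     * <p>An empty scope parameter yields all of the client's registered
     * scopes. Otherwise the requested scopes are validated with
     * {@link #validateScopes}; when {@code useAllClientScopes} is set, any
     * registered scope not already requested is appended.
     *
     * @throws OAuthServiceException ("Unexpected scope") if validation fails
     */
    public static List<String> getRequestedScopes(Client client, String scopeParameter,
                                                  boolean useAllClientScopes,
                                                  boolean partialMatchScopeValidation) {
        List<String> requested = parseScope(scopeParameter);
        List<String> registered = client.getRegisteredScopes();
        if (requested.isEmpty()) {
            requested.addAll(registered);
            return requested;
        }
        if (!validateScopes(requested, registered, partialMatchScopeValidation)) {
            throw new OAuthServiceException("Unexpected scope");
        }
        if (useAllClientScopes) {
            for (String scope : registered) {
                if (!requested.contains(scope)) {
                    requested.add(scope);
                }
            }
        }
        return requested;
    }

    /**
     * Checks requested scopes against the registered ones.
     *
     * <p>An empty registered list accepts everything. With exact matching each
     * requested scope must be registered verbatim. With partial matching a
     * requested scope is accepted if it starts with any registered scope -
     * a pure string prefix, so registering {@code read} also admits
     * {@code readwrite}; registered scopes should be chosen with that in mind.
     */
    public static boolean validateScopes(List<String> requested, List<String> registered,
                                         boolean partialMatch) {
        if (registered.isEmpty()) {
            return true;
        }
        if (!partialMatch) {
            return registered.containsAll(requested);
        }
        for (String scope : requested) {
            if (!hasRegisteredPrefix(scope, registered)) {
                return false;
            }
        }
        return true;
    }

    /** True if {@code scope} starts with at least one of the registered scopes. */
    private static boolean hasRegisteredPrefix(String scope, List<String> registered) {
        for (String prefix : registered) {
            if (scope.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Converts a server-side token into the client-facing representation.
     *
     * <p>The token value is the encoded token when present, else the raw key;
     * the refresh token is always copied. Expiry, the client-visible scope
     * string and a copy of the extra parameters are copied only when
     * {@code supportOptionalParams} is set.
     */
    public static ClientAccessToken toClientAccessToken(ServerAccessToken serverToken,
                                                        boolean supportOptionalParams) {
        String tokenValue = serverToken.getEncodedToken() != null
            ? serverToken.getEncodedToken() : serverToken.getTokenKey();
        ClientAccessToken clientToken = new ClientAccessToken(serverToken.getTokenType(), tokenValue);
        clientToken.setRefreshToken(serverToken.getRefreshToken());
        if (supportOptionalParams) {
            clientToken.setExpiresIn(serverToken.getExpiresIn());
            String scope = convertPermissionsToScope(serverToken.getScopes());
            if (!StringUtils.isEmpty(scope)) {
                clientToken.setApprovedScope(scope);
            }
            clientToken.setParameters(new HashMap<>(serverToken.getParameters()));
        }
        return clientToken;
    }

    /** HMAC JWS signer keyed with the client secret (algorithm from the outbound signature properties). */
    public static JwsSignatureProvider getClientSecretSignatureProvider(String clientSecret) {
        Properties props = JwsUtils.loadSignatureOutProperties(false);
        return JwsUtils.getHmacSignatureProvider(clientSecret, getClientSecretSignatureAlgorithm(props));
    }

    /**
     * HMAC JWS verifier keyed with the client secret. Note it reads the
     * outbound signature properties, the same source as the provider, so both
     * sides agree on the algorithm.
     */
    public static JwsSignatureVerifier getClientSecretSignatureVerifier(String clientSecret) {
        Properties props = JwsUtils.loadSignatureOutProperties(false);
        return JwsUtils.getHmacSignatureVerifier(clientSecret, getClientSecretSignatureAlgorithm(props));
    }

    /**
     * Direct-key JWE decryptor using the UTF-8 bytes of the client secret as
     * the content-encryption key. No key derivation is applied, so the secret
     * must already have the length and entropy the chosen algorithm requires.
     */
    public static JweDecryptionProvider getClientSecretDecryptionProvider(String clientSecret) {
        Properties props = JweUtils.loadEncryptionInProperties(false);
        return JweUtils.getDirectKeyJweDecryption(StringUtils.toBytesUTF8(clientSecret),
                                                  getClientSecretContentAlgorithm(props));
    }

    /**
     * Direct-key JWE encryptor using the UTF-8 bytes of the client secret as
     * the content-encryption key (see {@link #getClientSecretDecryptionProvider}).
     */
    public static JweEncryptionProvider getClientSecretEncryptionProvider(String clientSecret) {
        Properties props = JweUtils.loadEncryptionInProperties(false);
        return JweUtils.getDirectKeyJweEncryption(StringUtils.toBytesUTF8(clientSecret),
                                                  getClientSecretContentAlgorithm(props));
    }

    /**
     * Content-encryption algorithm for client-secret JWE: the OAuth-specific
     * property first, then the generic {@code rs.security.encryption.content.algorithm},
     * defaulting to A128GCM when neither resolves.
     */
    private static ContentAlgorithm getClientSecretContentAlgorithm(Properties props) {
        String name = props.getProperty(OAuthConstants.CLIENT_SECRET_CONTENT_ENCRYPTION_ALGORITHM);
        if (name == null) {
            name = props.getProperty("rs.security.encryption.content.algorithm");
        }
        ContentAlgorithm algorithm = ContentAlgorithm.getAlgorithm(name);
        return algorithm != null ? algorithm : ContentAlgorithm.A128GCM;
    }

    /**
     * Signature algorithm for client-secret JWS: the OAuth-specific property
     * first, then the generic {@code rs.security.signature.algorithm} (only if
     * it names an HMAC algorithm), defaulting to HS256.
     *
     * @throws OAuthServiceException ({@link OAuthConstants#SERVER_ERROR}) if the
     *         resolved algorithm is not HMAC - a shared secret can only key a
     *         MAC, never an asymmetric signature
     */
    public static SignatureAlgorithm getClientSecretSignatureAlgorithm(Properties props) {
        String name = props.getProperty(OAuthConstants.CLIENT_SECRET_SIGNATURE_ALGORITHM);
        if (name == null) {
            String generic = props.getProperty("rs.security.signature.algorithm");
            if (AlgorithmUtils.isHmacSign(generic)) {
                name = generic;
            }
        }
        SignatureAlgorithm resolved = SignatureAlgorithm.getAlgorithm(name);
        SignatureAlgorithm algorithm = resolved != null ? resolved : SignatureAlgorithm.HS256;
        if (!AlgorithmUtils.isHmacSign(algorithm)) {
            throw new OAuthServiceException(OAuthConstants.SERVER_ERROR);
        }
        return algorithm;
    }

    /** Joins scopes with {@code ", "} for display purposes. */
    public static String convertListOfScopesToString(List<String> scopes) {
        return String.join(", ", scopes);
    }
}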
