package com.liferay.oauth2.provider.rest.internal.endpoint.access.token.grant.handler;

import com.liferay.oauth2.provider.configuration.OAuth2ProviderConfiguration;
import com.liferay.oauth2.provider.rest.internal.configuration.OAuth2InAssertionConfiguration;
import com.liferay.oauth2.provider.rest.internal.endpoint.constants.OAuth2ProviderRESTEndpointConstants;
import com.liferay.oauth2.provider.rest.internal.endpoint.liferay.LiferayOAuthDataProvider;
import com.liferay.petra.string.StringBundler;
import com.liferay.portal.configuration.metatype.bnd.util.ConfigurableUtil;
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.util.GetterUtil;
import java.util.Collections;
import java.util.Dictionary;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.ws.rs.core.MultivaluedMap;
import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
import org.apache.cxf.rs.security.jose.jwk.PublicKeyUse;
import org.apache.cxf.rs.security.jose.jws.JwsHeaders;
import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
import org.apache.cxf.rs.security.jose.jws.JwsUtils;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.common.UserSubject;
import org.apache.cxf.rs.security.oauth2.grants.jwt.Constants;
import org.apache.cxf.rs.security.oauth2.grants.jwt.JwtBearerGrantHandler;
import org.apache.cxf.rs.security.oauth2.provider.AccessTokenGrantHandler;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
import org.osgi.service.cm.ConfigurationException;
import org.osgi.service.cm.ManagedServiceFactory;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

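/**
 * Access-token grant handler for the OAuth 2 JWT bearer assertion grant.
 *
 * <p>The component is registered both as an {@link AccessTokenGrantHandler}
 * and as a {@link ManagedServiceFactory}. Every factory configuration
 * ({@link OAuth2InAssertionConfiguration}) contributes one trusted issuer: its
 * signature JSON Web Key set and the user auth type used to map the token
 * subject. Configurations are grouped by {@code companyId}; company ID
 * {@code 0} holds defaults that every other company inherits for issuers it
 * does not configure itself.</p>
 *
 * <p>Security model visible in this class: an assertion is accepted only when
 * its issuer and key ID resolve to a verifier built from configuration. The
 * subject asserted by such an issuer is then used as the user identity without
 * further checks in this class, so every configured issuer key is effectively
 * able to request tokens for any user of the company.</p>
 *
 * <p>Thread-safety: the three maps are synchronized wrappers; iteration over
 * them is done on snapshots taken while holding the wrapper's monitor.</p>
 */
@Component(configurationPid = {"com.liferay.oauth2.provider.configuration.OAuth2ProviderConfiguration"}, property = {"service.pid=com.liferay.oauth2.provider.rest.internal.configuration.OAuth2InAssertionConfiguration"}, service = {AccessTokenGrantHandler.class, ManagedServiceFactory.class})
/* loaded from: input_file:com/liferay/oauth2/provider/rest/internal/endpoint/access/token/grant/handler/LiferayJWTBearerGrantHandler.class */
public class LiferayJWTBearerGrantHandler extends BaseAccessTokenGrantHandler implements ManagedServiceFactory {
    private static final Log _log = LogFactoryUtil.getLog(LiferayJWTBearerGrantHandler.class);

    @Reference
    private LiferayOAuthDataProvider _liferayOAuthDataProvider;
    private OAuth2ProviderConfiguration _oAuth2ProviderConfiguration;
    // Raw properties of every factory configuration, keyed by configuration PID.
    private final Map<String, Dictionary<String, ?>> _configurationPidsProperties = Collections.synchronizedMap(new LinkedHashMap<>());
    // companyId -> issuer -> key ID -> signature verifier.
    private final Map<Long, Map<String, Map<String, JwsSignatureVerifier>>> _jwsSignatureVerifiers = Collections.synchronizedMap(new LinkedHashMap<>());
    // companyId -> issuer -> user auth type.
    private final Map<Long, Map<String, String>> _userAuthTypes = Collections.synchronizedMap(new LinkedHashMap<>());

    /* loaded from: input_file:com/liferay/oauth2/provider/rest/internal/endpoint/access/token/grant/handler/LiferayJWTBearerGrantHandler$CustomJWTBearerGrantHandler.class */
    /**
     * CXF JWT bearer handler that picks its signature verifier per request
     * from the configuration held by the enclosing component.
     */
    private class CustomJWTBearerGrantHandler extends JwtBearerGrantHandler {
        private CustomJWTBearerGrantHandler() {
        }

        /**
         * Validates the assertion sent by the client and issues an access
         * token for the subject it names.
         *
         * <p>Order of checks: the verifier is selected from the (still
         * unverified) issuer claim and key ID header, then the signature is
         * validated, then the claims. The user subject is built only after
         * both validations have passed.</p>
         *
         * @param client the authenticated OAuth client; its company ID
         *        property selects the set of trusted issuers
         * @param multivaluedMap the token request parameters
         * @return the access token created for the asserted subject
         * @throws OAuthServiceException if the assertion cannot be parsed or
         *         validated; every failure is wrapped in this type
         */
        @Override // org.apache.cxf.rs.security.oauth2.grants.jwt.JwtBearerGrantHandler, org.apache.cxf.rs.security.oauth2.provider.AccessTokenGrantHandler
        public ServerAccessToken createAccessToken(Client client, MultivaluedMap<String, String> multivaluedMap) throws OAuthServiceException {
            String assertion = multivaluedMap.getFirst(Constants.CLIENT_GRANT_ASSERTION_PARAM);
            long companyId = GetterUtil.getLong(client.getProperties().get(OAuth2ProviderRESTEndpointConstants.PROPERTY_KEY_COMPANY_ID));
            try {
                JwsJwtCompactConsumer jwsReader = getJwsReader(assertion);
                JwtToken jwtToken = jwsReader.getJwtToken();
                JwtClaims claims = jwtToken.getClaims();
                JwsHeaders jwsHeaders = jwtToken.getJwsHeaders();
                _initGrantHandler(companyId, claims, jwsHeaders);
                validateSignature(new JwsHeaders(jwsHeaders), jwsReader.getUnsignedEncodedSequence(), jwsReader.getDecodedSignature());
                // NOTE(review): validateClaims is inherited and not visible
                // here; confirm it enforces audience and expiry, and whether
                // replay of a still-valid assertion needs separate handling.
                validateClaims(client, claims);
                UserSubject userSubject = _createUserSubject(companyId, claims.getIssuer(), claims.getSubject());
                // NOTE(review): the requested scope comes straight from the
                // request; presumably doCreateAccessToken restricts it to what
                // the client may obtain - verify in the base class.
                return doCreateAccessToken(client, userSubject, Constants.JWT_BEARER_GRANT, OAuthUtils.parseScope(multivaluedMap.getFirst("scope")));
            } catch (Exception e) {
                throw new OAuthServiceException(e);
            }
        }

        /**
         * Maps the verified issuer and subject to a CXF user subject.
         *
         * <p>With auth type {@code userId} the subject becomes the subject ID.
         * Otherwise the company ID and the subject are stored as properties,
         * the latter under the auth type name. How those properties are
         * resolved to a user is outside this class.</p>
         *
         * @throws OAuthServiceException with {@code invalid_grant} when no
         *         auth type is known for the issuer
         */
        private UserSubject _createUserSubject(long companyId, String issuer, String subject) {
            String userAuthType = LiferayJWTBearerGrantHandler.this.getUserAuthTypes(companyId).get(issuer);
            if (userAuthType == null) {
                // The verifier map and the auth type map are published by two
                // separate writes, so a request can observe one without the
                // other. Reject instead of failing with a NullPointerException.
                if (_log.isWarnEnabled()) {
                    _log.warn(StringBundler.concat("No user auth type configured for ", issuer));
                }
                throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
            }
            UserSubject userSubject = new UserSubject("");
            if ("userId".equals(userAuthType)) {
                userSubject.setId(subject);
                return userSubject;
            }
            Map<String, String> properties = userSubject.getProperties();
            properties.put(OAuth2ProviderRESTEndpointConstants.PROPERTY_KEY_COMPANY_ID, String.valueOf(companyId));
            properties.put(userAuthType, subject);
            return userSubject;
        }

        /**
         * Selects the signature verifier configured for the token's issuer
         * and key ID.
         *
         * <p>The handler fails closed: when the issuer or key ID is unknown,
         * or no verifier object exists for the key, the request is rejected
         * so that signature validation never runs without an explicitly
         * configured verifier.</p>
         *
         * @throws OAuthServiceException with {@code invalid_grant} when no
         *         verifier is available
         */
        private void _initGrantHandler(long companyId, JwtClaims jwtClaims, JwsHeaders jwsHeaders) {
            String issuer = jwtClaims.getIssuer();
            String keyId = jwsHeaders.getKeyId();
            Map<String, JwsSignatureVerifier> verifiersByKeyId = LiferayJWTBearerGrantHandler.this.getJwsSignatureVerifiers(companyId).get(issuer);
            // NOTE(review): a configured key without a key ID is stored under
            // a null key and therefore matches tokens that carry no key ID
            // header - confirm this is intended.
            JwsSignatureVerifier jwsSignatureVerifier = (verifiersByKeyId == null) ? null : verifiersByKeyId.get(keyId);
            if (jwsSignatureVerifier != null) {
                setJwsVerifier(jwsSignatureVerifier);
                return;
            }
            if (_log.isWarnEnabled()) {
                // Issuer and key ID are read before the signature is checked,
                // so both values are chosen by the requester.
                // NOTE(review): confirm the log layout neutralizes line breaks.
                _log.warn(StringBundler.concat("No in assertion configuration for ", issuer, " with key ID ", keyId));
            }
            throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
        }
    }

    /**
     * Drops the factory configuration with the given PID and rebuilds the
     * affected verifier maps. An unknown PID is ignored.
     *
     * @param str the PID of the deleted factory configuration
     */
    @Override
    public void deleted(String str) {
        Dictionary<String, ?> removedProperties = this._configurationPidsProperties.remove(str);
        if (removedProperties == null) {
            // Nothing was registered under this PID, so nothing changes.
            return;
        }
        long companyId = GetterUtil.getLong(removedProperties.get("companyId"));
        if (companyId == 0) {
            // Defaults changed: every company inherits them.
            _rebuild();
        } else {
            _rebuild(companyId);
        }
    }

    /**
     * @return an empty string; the factory has no descriptive name
     */
    @Override
    public String getName() {
        return "";
    }

    /**
     * Stores the new properties of a factory configuration and rebuilds the
     * verifier maps of every company it affects.
     *
     * <p>A configuration that is, or previously was, a default (company ID
     * {@code 0}) triggers a rebuild of all companies. A configuration moved
     * between two companies rebuilds both.</p>
     *
     * @param str the PID of the factory configuration
     * @param dictionary the new configuration properties
     * @throws ConfigurationException declared by the interface; not thrown by
     *         this implementation directly
     */
    @Override
    public void updated(String str, Dictionary<String, ?> dictionary) throws ConfigurationException {
        Dictionary<String, ?> previousProperties = this._configurationPidsProperties.put(str, dictionary);
        long companyId = GetterUtil.getLong(dictionary.get("companyId"), 0L);
        if (companyId == 0) {
            _rebuild();
            return;
        }
        if (previousProperties != null) {
            long previousCompanyId = GetterUtil.getLong(previousProperties.get("companyId"));
            if (previousCompanyId == 0) {
                _rebuild();
                return;
            }
            if (previousCompanyId != companyId) {
                _rebuild(previousCompanyId);
            }
        }
        _rebuild(companyId);
    }

    /**
     * Reads the provider configuration and seeds the default (company ID
     * {@code 0}) entries with empty maps so lookups always have a fallback.
     *
     * @param map the component properties
     */
    @Activate
    protected void activate(Map<String, Object> map) {
        this._oAuth2ProviderConfiguration = (OAuth2ProviderConfiguration) ConfigurableUtil.createConfigurable(OAuth2ProviderConfiguration.class, map);
        this._jwsSignatureVerifiers.put(0L, Collections.emptyMap());
        this._userAuthTypes.put(0L, Collections.emptyMap());
    }

    /**
     * Creates a fresh CXF handler bound to the OAuth data provider.
     *
     * <p>A new instance is returned on every call, and the instance keeps the
     * verifier selected for the request it serves.
     * NOTE(review): this assumes the base class asks for a handler per
     * request; a handler shared between concurrent requests would mix their
     * verifiers - confirm against BaseAccessTokenGrantHandler.</p>
     */
    @Override // com.liferay.oauth2.provider.rest.internal.endpoint.access.token.grant.handler.BaseAccessTokenGrantHandler
    protected AccessTokenGrantHandler getAccessTokenGrantHandler() {
        CustomJWTBearerGrantHandler customJWTBearerGrantHandler = new CustomJWTBearerGrantHandler();
        customJWTBearerGrantHandler.setDataProvider(this._liferayOAuthDataProvider);
        return customJWTBearerGrantHandler;
    }

    /**
     * @param j the company ID
     * @return the issuer to key ID to verifier map of the company, or the
     *         default map when the company has none of its own
     */
    protected Map<String, Map<String, JwsSignatureVerifier>> getJwsSignatureVerifiers(long j) {
        return this._jwsSignatureVerifiers.getOrDefault(j, this._jwsSignatureVerifiers.get(0L));
    }

    /**
     * @param j the company ID
     * @return the issuer to user auth type map of the company, or the default
     *         map when the company has none of its own
     */
    protected Map<String, String> getUserAuthTypes(long j) {
        return this._userAuthTypes.getOrDefault(j, this._userAuthTypes.get(0L));
    }

    /**
     * Checks only that the request carries an assertion parameter. The
     * assertion itself is authenticated later, when the token is created.
     */
    @Override // com.liferay.oauth2.provider.rest.internal.endpoint.access.token.grant.handler.BaseAccessTokenGrantHandler
    protected boolean hasPermission(Client client, MultivaluedMap<String, String> multivaluedMap) {
        return multivaluedMap.getFirst(Constants.CLIENT_GRANT_ASSERTION_PARAM) != null;
    }

    /**
     * @return whether the provider configuration allows the JWT bearer grant
     */
    @Override // com.liferay.oauth2.provider.rest.internal.endpoint.access.token.grant.handler.BaseAccessTokenGrantHandler
    protected boolean isGrantHandlerEnabled() {
        return this._oAuth2ProviderConfiguration.allowJWTBearerGrant();
    }

    /**
     * Copies into {@code target} every entry of {@code defaults} whose key is
     * not already present. A {@code null} defaults map is ignored.
     */
    private <U, V> void _addDefaults(Map<U, V> target, Map<U, V> defaults) {
        if (defaults != null) {
            defaults.forEach(target::putIfAbsent);
        }
    }

    /**
     * Rebuilds the defaults first and then every company that already has an
     * entry, so that changed defaults reach all of them.
     */
    private void _rebuild() {
        _rebuild(0L);
        Long[] companyIds;
        // Iterating a synchronized map view requires holding its monitor;
        // take a snapshot because _rebuild(long) writes to the same map.
        synchronized (this._jwsSignatureVerifiers) {
            companyIds = this._jwsSignatureVerifiers.keySet().toArray(new Long[0]);
        }
        for (Long companyId : companyIds) {
            if (companyId.longValue() != 0) {
                _rebuild(companyId.longValue());
            }
        }
    }

    /**
     * Recomputes the trusted issuers, their verifiers and their user auth
     * types for one company from the stored factory configurations.
     *
     * <p>The first configuration seen for an issuer wins; later ones with the
     * same issuer are discarded with a warning, as are keys that repeat a key
     * ID. Keys marked for encryption are skipped. For a company other than
     * {@code 0}, issuers defined only in the defaults are inherited as a
     * whole; a company-level issuer is never merged with the default keys of
     * the same issuer.</p>
     *
     * <p>NOTE(review): an exception while reading a key set propagates to
     * {@code updated}/{@code deleted}; the previously published maps then
     * stay in place - confirm this is the desired failure mode.</p>
     *
     * @param companyId the company to rebuild, {@code 0} for the defaults
     */
    private void _rebuild(long companyId) {
        Map<String, Map<String, JwsSignatureVerifier>> verifiersByIssuer = new HashMap<>();
        Map<String, String> userAuthTypesByIssuer = new HashMap<>();
        Map<String, Dictionary<String, ?>> configurations;
        // Snapshot under the map's monitor; insertion order is kept because
        // it decides which duplicate issuer wins.
        synchronized (this._configurationPidsProperties) {
            configurations = new LinkedHashMap<>(this._configurationPidsProperties);
        }
        for (Dictionary<String, ?> properties : configurations.values()) {
            if (companyId != GetterUtil.getLong(properties.get("companyId"))) {
                continue;
            }
            OAuth2InAssertionConfiguration oAuth2InAssertionConfiguration = (OAuth2InAssertionConfiguration) ConfigurableUtil.createConfigurable(OAuth2InAssertionConfiguration.class, properties);
            String issuer = oAuth2InAssertionConfiguration.issuer();
            if (verifiersByIssuer.containsKey(issuer)) {
                if (_log.isWarnEnabled()) {
                    _log.warn(StringBundler.concat("Duplicate issuer name ", issuer, " will be ", "discarded. Check your OAuth configuration."));
                }
                continue;
            }
            Map<String, JwsSignatureVerifier> verifiersByKeyId = new HashMap<>();
            verifiersByIssuer.put(issuer, verifiersByKeyId);
            userAuthTypesByIssuer.put(issuer, oAuth2InAssertionConfiguration.userAuthType());
            for (JsonWebKey jsonWebKey : JwkUtils.readJwkSet(oAuth2InAssertionConfiguration.signatureJSONWebKeySet()).getKeys()) {
                String keyId = jsonWebKey.getKeyId();
                if (jsonWebKey.getPublicKeyUse() == PublicKeyUse.ENCRYPT) {
                    // Encryption keys must not be used to verify signatures.
                    if (_log.isInfoEnabled()) {
                        _log.info("Encryption key " + keyId);
                    }
                    continue;
                }
                if (verifiersByKeyId.containsKey(keyId)) {
                    if (_log.isWarnEnabled()) {
                        _log.warn(StringBundler.concat("Duplicate assertion signature key ", keyId, " will be discarded. Check your OAuth ", "configuration."));
                    }
                    continue;
                }
                verifiersByKeyId.put(keyId, JwsUtils.getSignatureVerifier(jsonWebKey));
            }
        }
        if (companyId != 0) {
            _addDefaults(verifiersByIssuer, this._jwsSignatureVerifiers.get(0L));
            _addDefaults(userAuthTypesByIssuer, this._userAuthTypes.get(0L));
        }
        // The two maps are published separately; readers must tolerate seeing
        // an issuer in one map before it appears in the other.
        this._jwsSignatureVerifiers.put(companyId, verifiersByIssuer);
        this._userAuthTypes.put(companyId, userAuthTypesByIssuer);
    }
}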
