package org.apache.cxf.rs.security.oauth2.services;

import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.DELETE;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.PUT;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.PathParam;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.QueryParam;
import jakarta.ws.rs.core.Context;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.SecurityContext;
import jakarta.ws.rs.core.UriBuilder;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import org.apache.cxf.common.util.Base64UrlUtility;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.jaxrs.ext.MessageContext;
import org.apache.cxf.jaxrs.utils.ExceptionUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.OAuthError;
import org.apache.cxf.rs.security.oauth2.common.UserSubject;
import org.apache.cxf.rs.security.oauth2.provider.ClientRegistrationProvider;
import org.apache.cxf.rs.security.oauth2.utils.AuthorizationUtils;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
import org.apache.cxf.rt.security.crypto.CryptoUtils;
import org.apache.openjpa.meta.SequenceMetaData;

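/**
 * OAuth2 dynamic client registration endpoint ({@code /register}), in the style of RFC 7591.
 *
 * <p>{@code POST} creates a new client and returns its credentials together with a
 * registration access token; {@code GET}/{@code PUT}/{@code DELETE} on {@code /register/{clientId}}
 * (or {@code GET /register?client_id=...}) manage an existing client and require that
 * registration access token as a Bearer token.
 *
 * <p>Authentication of the initial {@code POST} is either a shared initial access token
 * (when {@code initialAccessToken} is configured) or the container {@link SecurityContext},
 * optionally restricted to {@code userRole}.
 *
 * <p>Both secret comparisons use a constant-time compare so that the registration and initial
 * access tokens cannot be guessed byte-by-byte via response timing.
 *
 * <p>Note (review): the registration access token is always generated and always required by the
 * management endpoints, but it is only returned to the caller when
 * {@code supportRegistrationAccessTokens} is {@code true}. With the flag off, the
 * {@code GET}/{@code PUT}/{@code DELETE} endpoints therefore cannot be reached by the registering
 * party through this service; confirm that this is the intended deployment mode.
 */
@Path("register")
public class DynamicRegistrationService {
    private static final String DEFAULT_APPLICATION_TYPE = "web";
    /** Application type reported for non-confidential clients. */
    private static final String NATIVE_APPLICATION_TYPE = "native";
    /** 10 random bytes = 80 bits of entropy in the generated client_id. */
    private static final int DEFAULT_CLIENT_ID_SIZE = 10;
    /** 32 random bytes = 256 bits of entropy in the generated client secret. */
    private static final int DEFAULT_CLIENT_SECRET_SIZE = 32;
    /** client_secret_expires_at value meaning "never expires". */
    private static final long CLIENT_SECRET_NEVER_EXPIRES = 0L;
    private static final String BEARER_SCHEME = "Bearer";

    private ClientRegistrationProvider clientProvider;
    /** Shared secret required on POST when set; when null the SecurityContext is used instead. */
    private String initialAccessToken;
    private MessageContext mc;
    /** Role the authenticated principal must hold to register (only checked when initialAccessToken is null). */
    private String userRole;
    private int clientIdSizeInBytes = DEFAULT_CLIENT_ID_SIZE;
    private boolean supportRegistrationAccessTokens = true;

    /**
     * Registers a new client.
     *
     * @param clientRegistration the registration request body
     * @return 201 with the client id, secret (if any), and registration access token / URI
     * @throws jakarta.ws.rs.NotAuthorizedException if the initial authentication fails
     * @throws jakarta.ws.rs.ForbiddenException if the principal lacks {@code userRole}
     * @throws jakarta.ws.rs.BadRequestException if the request body is missing or invalid
     */
    @POST
    @Produces({MediaType.APPLICATION_JSON})
    @Consumes({MediaType.APPLICATION_JSON})
    public Response register(ClientRegistration clientRegistration) {
        // Authenticate before touching the request body.
        checkInitialAuthentication();
        if (clientRegistration == null) {
            reportInvalidRequestError(new OAuthError(OAuthConstants.INVALID_REQUEST,
                    "Client registration request is missing"));
        }
        Client newClient = createNewClient(clientRegistration);
        createRegAccessToken(newClient);
        this.clientProvider.setClient(newClient);
        return Response.status(201).entity(fromClientToRegistrationResponse(newClient)).build();
    }

    /**
     * Authenticates the registration request: against the configured initial access token when
     * one is set, otherwise against the container security context (and {@code userRole}).
     */
    protected void checkInitialAuthentication() {
        if (this.initialAccessToken == null) {
            checkSecurityContext();
            return;
        }
        if (!tokensMatch(this.initialAccessToken, getRequestAccessToken())) {
            throw ExceptionUtils.toNotAuthorizedException(null, null);
        }
    }

    /**
     * Requires an authenticated principal and, if {@code userRole} is configured, that role.
     * A missing SecurityContext is treated as unauthenticated (401) rather than as a server error.
     */
    protected void checkSecurityContext() {
        SecurityContext securityContext = this.mc.getSecurityContext();
        if (securityContext == null || securityContext.getUserPrincipal() == null) {
            throw ExceptionUtils.toNotAuthorizedException(null, null);
        }
        if (this.userRole != null && !securityContext.isUserInRole(this.userRole)) {
            throw ExceptionUtils.toForbiddenException(null, null);
        }
    }

    /**
     * Generates a fresh registration access token and stores it in the client's properties.
     * The token is kept in clear text in the properties map; whatever the
     * {@link ClientRegistrationProvider} persists is therefore as sensitive as a client secret.
     *
     * @return the generated token
     */
    protected String createRegAccessToken(Client client) {
        String token = OAuthUtils.generateRandomTokenKey();
        client.getProperties().put(ClientRegistrationResponse.REG_ACCESS_TOKEN, token);
        return token;
    }

    /**
     * Verifies the presented Bearer token against the client's stored registration access token.
     *
     * @throws jakarta.ws.rs.NotAuthorizedException if no token is stored or it does not match
     */
    protected void checkRegistrationAccessToken(Client client, String presentedToken) {
        String expected = client.getProperties().get(ClientRegistrationResponse.REG_ACCESS_TOKEN);
        if (!tokensMatch(expected, presentedToken)) {
            throw ExceptionUtils.toNotAuthorizedException(null, null);
        }
    }

    /** Reads a registration addressed by the {@code client_id} query parameter. */
    @Produces({MediaType.APPLICATION_JSON})
    @GET
    public ClientRegistration readClientRegistrationWithQuery(@QueryParam("client_id") String clientId) {
        return doReadClientRegistration(clientId);
    }

    /** Reads a registration addressed by the path segment. */
    @Produces({MediaType.APPLICATION_JSON})
    @GET
    @Path("{clientId}")
    public ClientRegistration readClientRegistrationWithPath(@PathParam("clientId") String clientId) {
        return doReadClientRegistration(clientId);
    }

    /**
     * Updates an existing registration. Only the fields handled by
     * {@link #fromClientRegistrationToClient} change; grant types, auth method and secret are kept.
     *
     * @throws jakarta.ws.rs.NotAuthorizedException if the client is unknown or the token is wrong
     */
    @Produces({MediaType.APPLICATION_JSON})
    @PUT
    @Path("{clientId}")
    @Consumes({MediaType.APPLICATION_JSON})
    public ClientRegistration updateClientRegistration(@PathParam("clientId") String clientId,
                                                       ClientRegistration clientRegistration) {
        Client existing = readClient(clientId);
        if (clientRegistration == null) {
            reportInvalidRequestError(new OAuthError(OAuthConstants.INVALID_REQUEST,
                    "Client registration request is missing"));
        }
        fromClientRegistrationToClient(clientRegistration, existing);
        this.clientProvider.setClient(existing);
        return fromClientToClientRegistration(existing);
    }

    /**
     * Deletes a registration. {@link #readClient} throws 401 for an unknown client or a bad token,
     * so the removal only runs for an authenticated owner.
     */
    @DELETE
    @Path("{clientId}")
    public Response deleteClientRegistration(@PathParam("clientId") String clientId) {
        readClient(clientId);
        this.clientProvider.removeClient(clientId);
        return Response.ok().build();
    }

    /**
     * Builds the POST response. The client secret is reported with
     * {@code client_secret_expires_at = 0} (never expires). The registration access token and
     * management URI are only disclosed when {@code supportRegistrationAccessTokens} is on.
     */
    protected ClientRegistrationResponse fromClientToRegistrationResponse(Client client) {
        ClientRegistrationResponse response = new ClientRegistrationResponse();
        response.setClientId(client.getClientId());
        if (client.getClientSecret() != null) {
            response.setClientSecret(client.getClientSecret());
            response.setClientSecretExpiresAt(CLIENT_SECRET_NEVER_EXPIRES);
        }
        response.setClientIdIssuedAt(Long.valueOf(client.getRegisteredAt()));
        response.setGrantTypes(client.getAllowedGrantTypes());
        if (this.supportRegistrationAccessTokens) {
            UriBuilder pathBuilder = getMessageContext().getUriInfo().getAbsolutePathBuilder();
            response.setRegistrationClientUri(pathBuilder.path(client.getClientId()).build().toString());
            response.setRegistrationAccessToken(
                    client.getProperties().get(ClientRegistrationResponse.REG_ACCESS_TOKEN));
        }
        return response;
    }

    /** Authenticates via the registration access token and converts the stored client. */
    protected ClientRegistration doReadClientRegistration(String clientId) {
        return fromClientToClientRegistration(readClient(clientId));
    }

    /**
     * Converts a stored client into its registration view. Secrets and the registration access
     * token are deliberately not included.
     */
    protected ClientRegistration fromClientToClientRegistration(Client client) {
        ClientRegistration reg = new ClientRegistration();
        reg.setClientName(client.getApplicationName());
        reg.setGrantTypes(client.getAllowedGrantTypes());
        // Only the confidential flag survives storage, so the application type is derived from it.
        reg.setApplicationType(client.isConfidential() ? DEFAULT_APPLICATION_TYPE : NATIVE_APPLICATION_TYPE);
        if (!client.getRedirectUris().isEmpty()) {
            reg.setRedirectUris(client.getRedirectUris());
        }
        if (!client.getRegisteredScopes().isEmpty()) {
            reg.setScope(OAuthUtils.convertListOfScopesToString(client.getRegisteredScopes()));
        }
        if (client.getApplicationWebUri() != null) {
            reg.setClientUri(client.getApplicationWebUri());
        }
        if (client.getApplicationLogoUri() != null) {
            reg.setLogoUri(client.getApplicationLogoUri());
        }
        if (!client.getRegisteredAudiences().isEmpty()) {
            reg.setResourceUris(client.getRegisteredAudiences());
        }
        String authMethod = client.getTokenEndpointAuthMethod();
        if (authMethod != null) {
            reg.setTokenEndpointAuthMethod(authMethod);
            if (OAuthConstants.TOKEN_ENDPOINT_AUTH_TLS.equals(authMethod)) {
                copyProperty(client, reg, OAuthConstants.TLS_CLIENT_AUTH_SUBJECT_DN);
                copyProperty(client, reg, OAuthConstants.TLS_CLIENT_AUTH_ISSUER_DN);
            }
        }
        return reg;
    }

    /** Copies one client property into the registration view if it is present. */
    private static void copyProperty(Client client, ClientRegistration reg, String name) {
        String value = client.getProperties().get(name);
        if (value != null) {
            reg.setProperty(name, value);
        }
    }

    /**
     * Loads the client and verifies the caller's registration access token.
     *
     * <p>An unknown or empty client id yields 401, not 404, so the endpoint does not reveal
     * which client ids exist to callers without a valid token.
     */
    protected Client readClient(String clientId) {
        // Read the header first so a missing/non-Bearer Authorization fails before any lookup.
        String presentedToken = getRequestAccessToken();
        if (StringUtils.isEmpty(clientId)) {
            throw ExceptionUtils.toNotAuthorizedException(null, null);
        }
        Client client = this.clientProvider.getClient(clientId);
        if (client == null) {
            throw ExceptionUtils.toNotAuthorizedException(null, null);
        }
        checkRegistrationAccessToken(client, presentedToken);
        return client;
    }

    public String getInitialAccessToken() {
        return this.initialAccessToken;
    }

    public void setInitialAccessToken(String initialAccessToken) {
        this.initialAccessToken = initialAccessToken;
    }

    /**
     * Builds a new {@link Client} from the request: random id, secret when the auth method needs
     * one, and confidential only for "web" clients that authenticate by secret or mutual TLS.
     * The registering principal (if any) becomes the client's resource owner.
     */
    protected Client createNewClient(ClientRegistration clientRegistration) {
        String clientId = generateClientId();
        String clientName = clientRegistration.getClientName();
        if (StringUtils.isEmpty(clientName)) {
            clientName = clientId;
        }
        List<String> grantTypes = clientRegistration.getGrantTypes();
        if (grantTypes == null) {
            grantTypes = Collections.singletonList(OAuthConstants.AUTHORIZATION_CODE_GRANT);
        }
        String authMethod = clientRegistration.getTokenEndpointAuthMethod();
        boolean passwordRequired = isPasswordRequired(grantTypes, authMethod);
        String applicationType = clientRegistration.getApplicationType();
        if (applicationType == null) {
            applicationType = DEFAULT_APPLICATION_TYPE;
        }
        boolean tlsAuth = OAuthConstants.TOKEN_ENDPOINT_AUTH_TLS.equals(authMethod);
        boolean confidential = DEFAULT_APPLICATION_TYPE.equals(applicationType) && (passwordRequired || tlsAuth);
        String secret = passwordRequired ? generateClientSecret(clientRegistration) : null;

        Client client = new Client(clientId, secret, confidential, clientName);
        client.setAllowedGrantTypes(grantTypes);
        client.setTokenEndpointAuthMethod(authMethod);
        if (tlsAuth) {
            // The expected certificate DNs are supplied by the registrant and stored verbatim.
            copyRequestProperty(clientRegistration, client, OAuthConstants.TLS_CLIENT_AUTH_SUBJECT_DN);
            copyRequestProperty(clientRegistration, client, OAuthConstants.TLS_CLIENT_AUTH_ISSUER_DN);
        }
        client.setRegisteredAt(System.currentTimeMillis() / 1000);
        fromClientRegistrationToClient(clientRegistration, client);

        SecurityContext securityContext = this.mc.getSecurityContext();
        if (securityContext != null && securityContext.getUserPrincipal() != null
                && securityContext.getUserPrincipal().getName() != null) {
            client.setResourceOwnerSubject(new UserSubject(securityContext.getUserPrincipal().getName()));
        }
        client.setRegisteredDynamically(true);
        return client;
    }

    /** Copies one string property from the request into the client if it is present. */
    private static void copyRequestProperty(ClientRegistration reg, Client client, String name) {
        String value = (String) reg.getProperty(name);
        if (value != null) {
            client.getProperties().put(name, value);
        }
    }

    /**
     * Applies the mutable registration fields (redirect URIs, audiences, scope, client/logo URI)
     * to the client; used for both creation and update.
     *
     * <p>Every redirect URI passes through {@link #validateRequestUri}. Note (review): the
     * application type used for that validation comes from the request, not from the stored
     * client, so on update a caller may present a different type than it registered with.
     *
     * @throws jakarta.ws.rs.BadRequestException if a redirect URI is invalid, or none is given
     *         for a client allowed the authorization-code or implicit grant
     */
    protected void fromClientRegistrationToClient(ClientRegistration clientRegistration, Client client) {
        List<String> allowedGrantTypes = client.getAllowedGrantTypes();
        List<String> redirectUris = clientRegistration.getRedirectUris();
        if (redirectUris != null) {
            String applicationType = clientRegistration.getApplicationType();
            if (applicationType == null) {
                applicationType = DEFAULT_APPLICATION_TYPE;
            }
            for (String uri : redirectUris) {
                validateRequestUri(uri, applicationType, allowedGrantTypes);
            }
            client.setRedirectUris(redirectUris);
        }
        boolean redirectBasedGrant = allowedGrantTypes.contains(OAuthConstants.AUTHORIZATION_CODE_GRANT)
                || allowedGrantTypes.contains(OAuthConstants.IMPLICIT_GRANT);
        if (client.getRedirectUris().isEmpty() && redirectBasedGrant) {
            reportInvalidRequestError(new OAuthError(OAuthConstants.INVALID_REQUEST,
                    "A Redirection URI is required"));
        }
        List<String> resourceUris = clientRegistration.getResourceUris();
        if (resourceUris != null) {
            client.setRegisteredAudiences(resourceUris);
        }
        String scope = clientRegistration.getScope();
        if (!StringUtils.isEmpty(scope)) {
            client.setRegisteredScopes(OAuthUtils.parseScope(scope));
        }
        String clientUri = clientRegistration.getClientUri();
        if (clientUri != null) {
            client.setApplicationWebUri(clientUri);
        }
        String logoUri = clientRegistration.getLogoUri();
        if (logoUri != null) {
            client.setApplicationLogoUri(logoUri);
        }
    }

    /**
     * A client secret is issued unless the implicit grant is allowed, and (when an auth method is
     * named) only for {@code client_secret_basic}/{@code client_secret_post}. No method named
     * means a secret is issued.
     */
    protected boolean isPasswordRequired(List<String> grantTypes, String authMethod) {
        if (grantTypes.contains(OAuthConstants.IMPLICIT_GRANT)) {
            return false;
        }
        if (authMethod == null) {
            return true;
        }
        return OAuthConstants.TOKEN_ENDPOINT_AUTH_BASIC.equals(authMethod)
                || OAuthConstants.TOKEN_ENDPOINT_AUTH_POST.equals(authMethod);
    }

    /**
     * Baseline redirect URI validation, applied on registration and update. Enforces the
     * RFC 6749 §3.1.2 requirements that a redirection URI is absolute and carries no fragment;
     * an unparseable or empty value is rejected too. Subclasses should override to add
     * type-specific policy (e.g. https-only for "web" clients) and call {@code super} to keep
     * this baseline.
     *
     * @param redirectUri the URI to validate
     * @param applicationType "web" or "native" as claimed by the request (unused here)
     * @param grantTypes the client's allowed grant types (unused here)
     * @throws jakarta.ws.rs.BadRequestException if the URI is not acceptable
     */
    protected void validateRequestUri(String redirectUri, String applicationType, List<String> grantTypes) {
        if (StringUtils.isEmpty(redirectUri)) {
            reportInvalidRequestError(new OAuthError(OAuthConstants.INVALID_REQUEST,
                    "Redirection URI must not be empty"));
        }
        boolean acceptable;
        try {
            URI parsed = new URI(redirectUri);
            // A fragment (even an empty "#") is forbidden because it would be echoed
            // into the authorization response redirect.
            acceptable = parsed.isAbsolute() && parsed.getRawFragment() == null;
        } catch (URISyntaxException ex) {
            acceptable = false;
        }
        if (!acceptable) {
            reportInvalidRequestError(new OAuthError(OAuthConstants.INVALID_REQUEST,
                    "Redirection URI must be an absolute URI without a fragment"));
        }
    }

    public void setClientProvider(ClientRegistrationProvider clientRegistrationProvider) {
        this.clientProvider = clientRegistrationProvider;
    }

    /** Random client id: {@code clientIdSizeInBytes} secure-random bytes, base64url-encoded. */
    protected String generateClientId() {
        return Base64UrlUtility.encode(CryptoUtils.generateSecureRandomBytes(getClientIdSizeInBytes()));
    }

    public int getClientIdSizeInBytes() {
        return this.clientIdSizeInBytes;
    }

    public void setClientIdSizeInBytes(int sizeInBytes) {
        this.clientIdSizeInBytes = sizeInBytes;
    }

    /** Random client secret: {@link #getClientSecretSizeInBytes} secure-random bytes, base64url-encoded. */
    protected String generateClientSecret(ClientRegistration clientRegistration) {
        return Base64UrlUtility.encode(
                CryptoUtils.generateSecureRandomBytes(getClientSecretSizeInBytes(clientRegistration)));
    }

    /**
     * Extracts the Bearer token from the Authorization header.
     * Presumably {@code AuthorizationUtils} rejects a missing or non-Bearer header with 401
     * before this indexes the parts — confirm against that helper.
     */
    protected String getRequestAccessToken() {
        return AuthorizationUtils.getAuthorizationParts(getMessageContext(),
                Collections.singleton(BEARER_SCHEME))[1];
    }

    /** Secret length in bytes; the request is available so subclasses can vary it per client. */
    protected int getClientSecretSizeInBytes(ClientRegistration clientRegistration) {
        return DEFAULT_CLIENT_SECRET_SIZE;
    }

    @Context
    public void setMessageContext(MessageContext messageContext) {
        this.mc = messageContext;
    }

    public MessageContext getMessageContext() {
        return this.mc;
    }

    public void setSupportRegistrationAccessTokens(boolean support) {
        this.supportRegistrationAccessTokens = support;
    }

    public void setUserRole(String role) {
        this.userRole = role;
    }

    /**
     * Constant-time comparison of two secret tokens; {@code null} on either side never matches.
     * Length differences may still be observable, which is acceptable for random tokens.
     */
    private static boolean tokensMatch(String expected, String presented) {
        if (expected == null || presented == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }

    private void reportInvalidRequestError(OAuthError oAuthError) {
        reportInvalidRequestError(oAuthError, MediaType.APPLICATION_JSON_TYPE);
    }

    /** Throws a 400 carrying the OAuth error entity in the given media type. */
    private void reportInvalidRequestError(OAuthError oAuthError, MediaType mediaType) {
        Response.ResponseBuilder builder = JAXRSUtils.toResponseBuilder(400);
        if (mediaType != null) {
            builder.type(mediaType);
        }
        throw ExceptionUtils.toBadRequestException(null, builder.entity(oAuthError).build());
    }
}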
