package org.forgerock.openam.authentication.modules.oauth2;

import com.iplanet.am.util.SystemProperties;
import com.iplanet.dpro.session.service.InternalSession;
import com.iplanet.sso.SSOException;
import com.sun.identity.authentication.client.AuthClientUtils;
import com.sun.identity.authentication.service.AuthUtils;
import com.sun.identity.authentication.service.LoginState;
import com.sun.identity.authentication.spi.AMLoginModule;
import com.sun.identity.authentication.spi.AuthLoginException;
import com.sun.identity.authentication.spi.RedirectCallback;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.IdRepoException;
import com.sun.identity.shared.debug.Debug;
import com.sun.identity.shared.encode.Base64;
import com.sun.identity.shared.encode.CookieUtils;
import com.sun.identity.shared.encode.URLEncDec;
import java.lang.reflect.InvocationTargetException;
import java.net.URI;
import java.security.Principal;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.ResourceBundle;
import java.util.Set;
import java.util.StringTokenizer;
import java.util.UUID;
import java.util.concurrent.TimeUnit;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.RandomStringUtils;
import org.apache.commons.lang.StringUtils;
import org.forgerock.guice.core.InjectorHolder;
import org.forgerock.json.jose.jwt.JwtClaimsSet;
import org.forgerock.openam.authentication.modules.common.mapping.AccountProvider;
import org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper;
import org.forgerock.openam.authentication.modules.oauth2.profile.ProfileProviderFactory;
import org.forgerock.openam.authentication.modules.oidc.JwtHandler;
import org.forgerock.openam.authentication.modules.oidc.JwtHandlerConfig;
import org.forgerock.openam.cts.CTSPersistentStore;
import org.forgerock.openam.cts.api.tokens.Token;
import org.forgerock.openam.cts.exceptions.CoreTokenException;
import org.forgerock.openam.tokens.CoreTokenField;
import org.forgerock.openam.tokens.TokenType;
import org.forgerock.openam.utils.CollectionUtils;
import org.forgerock.openam.utils.Time;
import org.forgerock.openam.utils.TimeUtils;
import org.forgerock.openam.xui.XUIState;
import org.json.JSONException;
import org.json.JSONObject;
import org.owasp.esapi.ESAPI;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/forgerock/openam/authentication/modules/oauth2/OAuth.class */
/**
 * OpenAM authentication module implementing an OAuth 2.0 / OpenID Connect
 * authorization-code login.
 * <p>
 * The state machine in {@link #process2(Callback[], int)} moves through:
 * redirect to the provider's authorization endpoint (state 1), exchange the
 * returned code for tokens and map the remote profile to a local account
 * (state 2), and - only when a new account is being created - prompt for a
 * password (state 3) and an e-mailed activation code (state 4).
 * <p>
 * NOTE(review): this listing looks like decompiler output (synthetic
 * parameter/local names, and the unbound type variable {@code U} in
 * {@link #getConfiguredType(Class, String)} will not compile as written).
 * Comments below describe what the visible code does, not the original
 * author's intent.
 */
public class OAuth extends AMLoginModule {
    // Session property holding the raw profile-service response while the
    // account-creation states (3 and 4) run.
    public static final String PROFILE_SERVICE_RESPONSE = "ATTRIBUTES";
    // Session property under which state 2 stores the ID token before
    // prompting for a password.
    public static final String OPENID_TOKEN = "OPENID_TOKEN";
    // Key in the module's custom-properties map naming the identity
    // attribute that should receive the refresh token.
    public static final String REFRESH_TOKEN_ATTRIBUTE_CUSTOM_PROPERTY = "[refresh_token_attribute]";
    // Assigned in init() and cleared in nullifyUsedVars(); not read elsewhere
    // in this listing.
    private Map sharedState;
    private OAuthConf config;
    private JwtHandlerConfig jwtHandlerConfig;
    // Core Token Service used to persist the one-time authorization state.
    private final CTSPersistentStore ctsStore;
    private static Debug DEBUG = Debug.getInstance("amAuthOAuth2");
    // CSPRNG used for getRandomData() (activation code / generated password).
    private static final SecureRandom random = new SecureRandom();
    // Lifetime, in minutes, of the persisted authorization-state token
    // (see the expiry computation in state 1); defaults to 3.
    private static final long maxDefaultIdleTime = SystemProperties.getAsLong("com.iplanet.am.session.invalidsessionmaxtime", 3);
    public static Logger logger = LoggerFactory.getLogger(OAuth.class);
    // Local user name resolved by state 2 or 4; consumed by getPrincipal().
    private String authenticatedUser = null;
    String serverName = "";
    private ResourceBundle bundle = null;
    // Activation code generated in state 3 and checked in state 4.
    String data = "";
    // Password entered in state 3 and used to provision the account in state 4.
    String userPassword = "";
    String proxyURL = "";
    // Refresh token from the token endpoint; mapped into the identity
    // attributes by getAttributesMap() when configured.
    private String refreshToken = null;

    /**
     * Creates the module and obtains the CTS store from the Guice injector.
     */
    public OAuth() {
        OAuthUtil.debugMessage("OAuth()");
        this.ctsStore = (CTSPersistentStore) InjectorHolder.getInstance(CTSPersistentStore.class);
    }

    /**
     * Initialises module state from the login configuration.
     *
     * @param subject the JAAS subject (unused here)
     * @param map     shared state passed between modules in the chain
     * @param map2    module options; parsed into {@link OAuthConf} and
     *                {@link JwtHandlerConfig}
     */
    public void init(Subject subject, Map map, Map map2) {
        this.sharedState = map;
        this.config = new OAuthConf(map2);
        this.jwtHandlerConfig = new JwtHandlerConfig(map2);
        this.bundle = amCache.getResBundle(OAuthParam.BUNDLE_NAME, getLoginLocale());
        setAuthLevel(this.config.getAuthnLevel());
    }

    /**
     * Runs the state machine and, when the login succeeds during a session
     * upgrade, re-points the existing session at the newly authenticated user.
     *
     * @param callbackArr callbacks for the current state
     * @param i           the current module state
     * @return the next state, or -1 when the login succeeded
     * @throws LoginException on any authentication failure
     */
    public int process(Callback[] callbackArr, int i) throws LoginException {
        LoginState loginState;
        InternalSession oldSession;
        int process2 = process2(callbackArr, i);
        // Only on success, and only when an old session exists whose Principal
        // differs (case-insensitively) from the user this module authenticated:
        // clear the force-auth/upgrade flags, keep the previous principal under
        // "am.protected.old.Principal" and rewrite the session's Principal.
        if (process2 == -1 && (oldSession = (loginState = getLoginState(getClass().getName())).getOldSession()) != null && !this.authenticatedUser.equalsIgnoreCase(oldSession.getProperty("Principal"))) {
            loginState.setForceAuth(false);
            loginState.setSessionUpgrade(false);
            logger.info("upgrade user from {} to {}", new Object[]{oldSession.getProperty("Principal"), this.authenticatedUser});
            setUserSessionProperty("am.protected.old.".concat("Principal"), oldSession.getProperty("Principal"));
            oldSession.putProperty("Principal", this.authenticatedUser);
        }
        return process2;
    }

    /**
     * The OAuth 2.0 / OIDC login state machine.
     *
     * @param callbackArr callbacks for the current state
     * @param i           the current module state (see the {@code OAuthParam}
     *                    constants on the {@code case} labels)
     * @return the next state; -1 signals success, 0 is returned on the
     *         error paths below
     * @throws LoginException when the request is malformed, the state check
     *                        fails, the ID token is invalid, or the identity
     *                        repository / token service cannot be used
     */
    public int process2(Callback[] callbackArr, int i) throws LoginException {
        OAuthUtil.debugMessage("process: state = " + i);
        HttpServletRequest httpServletRequest = getHttpServletRequest();
        HttpServletResponse httpServletResponse = getHttpServletResponse();
        if (httpServletRequest == null) {
            OAuthUtil.debugError("OAuth.process(): The request was null, this is an interactive module");
            return 0;
        }
        String parameter = httpServletRequest.getParameter(OAuthParam.PARAM_CODE);
        // A "code" parameter on the request forces the callback state as long
        // as the module has not yet moved past it.
        if (parameter != null && i < 3) {
            // NOTE(review): the authorization code is written to the debug log.
            OAuthUtil.debugMessage("OAuth.process(): GOT CODE: " + parameter);
            i = 2;
        }
        this.proxyURL = this.config.getProxyURL();
        // Request attribute consumed elsewhere; its effect is not visible here.
        httpServletRequest.setAttribute("SafeURL.ignore", true);
        switch (i) {
            case OAuthParam.LOGIN_START /* 1 */:
                this.config.validateConfiguration();
                this.serverName = httpServletRequest.getServerName();
                // Build the "original URL" the browser is sent back to after
                // the provider callback; XUI deployments return to /XUI/ with
                // the realm as a query parameter, others to the request URI.
                StringBuilder sb = new StringBuilder();
                String queryString = httpServletRequest.getQueryString();
                String str = null;
                String authCookieName = AuthUtils.getAuthCookieName();
                XUIState xUIState = (XUIState) InjectorHolder.getInstance(XUIState.class);
                boolean z = false;
                if (httpServletRequest.getHeader("Referer") != null) {
                    try {
                        z = new URI(httpServletRequest.getHeader("Referer")).getPath().contains("/XUI/");
                    } catch (Exception e) {
                        // An unparsable Referer (or one without a path) is
                        // silently treated as "not XUI".
                    }
                }
                if (xUIState.isXUIEnabled() || z) {
                    sb.append(httpServletRequest.getContextPath().concat("/XUI/"));
                    if (queryString != null && !queryString.contains("realm=")) {
                        str = httpServletRequest.getParameter(OAuthParam.PARAM_REALM);
                    }
                } else {
                    sb.append(httpServletRequest.getRequestURI());
                }
                if (StringUtils.isNotEmpty(str)) {
                    sb.append("?realm=").append(URLEncDec.encode(str));
                }
                if (queryString != null) {
                    // Drop a dangling "<authCookieName>=" at the end of the
                    // query string before re-attaching it.
                    if (queryString.endsWith(authCookieName + "=")) {
                        queryString = queryString.substring(0, (queryString.length() - authCookieName.length()) - 1);
                    }
                    sb.append(sb.indexOf("?") == -1 ? '?' : '&');
                    sb.append(queryString);
                }
                Set<String> cookieDomainsForRequest = AuthClientUtils.getCookieDomainsForRequest(httpServletRequest);
                String logoutServiceUrl = this.config.getLogoutServiceUrl();
                // Random CTS token id, handed to the browser as a cookie; the
                // OAuth "state" value is stored under it so the callback can be
                // bound to this browser. NOTE(review): commons-lang
                // RandomStringUtils is backed by java.util.Random unless given
                // a generator - the SecureRandom held by this class would be
                // the stronger choice for this lookup key.
                String randomAlphanumeric = RandomStringUtils.randomAlphanumeric(32);
                String createAuthorizationState = createAuthorizationState();
                Token token = new Token(randomAlphanumeric, TokenType.GENERIC);
                token.setAttribute(CoreTokenField.STRING_ONE, createAuthorizationState);
                // The state token expires maxDefaultIdleTime minutes from now.
                token.setExpiryTimestamp(TimeUtils.fromUnixTime(Time.currentTimeMillis() + TimeUnit.MINUTES.toMillis(maxDefaultIdleTime), TimeUnit.MILLISECONDS));
                try {
                    this.ctsStore.create(token);
                    // Set the proxy/original/nonce (and optional logout) cookies
                    // on every cookie domain applicable to this request.
                    for (String str2 : cookieDomainsForRequest) {
                        CookieUtils.addCookieToResponse(httpServletResponse, CookieUtils.newCookie(OAuthParam.COOKIE_PROXY_URL, this.proxyURL, "/", str2));
                        CookieUtils.addCookieToResponse(httpServletResponse, CookieUtils.newCookie(OAuthParam.COOKIE_ORIG_URL, sb.toString(), "/", str2));
                        CookieUtils.addCookieToResponse(httpServletResponse, CookieUtils.newCookie(OAuthParam.NONCE_TOKEN_ID, randomAlphanumeric, "/", str2));
                        if (logoutServiceUrl != null && !logoutServiceUrl.isEmpty()) {
                            CookieUtils.addCookieToResponse(httpServletResponse, CookieUtils.newCookie(OAuthParam.COOKIE_LOGOUT_URL, logoutServiceUrl, "/", str2));
                        }
                    }
                    setUserSessionProperty("FullLoginURL", sb.toString());
                    setUserSessionProperty(OAuthParam.SESSION_LOGOUT_BEHAVIOUR, this.config.getLogoutBhaviour());
                    String authServiceUrl = this.config.getAuthServiceUrl(this.proxyURL, createAuthorizationState);
                    OAuthUtil.debugMessage("OAuth.process(): New RedirectURL=" + authServiceUrl);
                    // Replace the configured redirect callback with one that
                    // sends the browser to the provider's authorization URL.
                    RedirectCallback redirectCallback = getCallback(2)[0];
                    RedirectCallback redirectCallback2 = new RedirectCallback(authServiceUrl, (Map) null, "GET", redirectCallback.getStatusParameter(), redirectCallback.getRedirectBackUrlCookieName());
                    redirectCallback2.setTrackingCookie(true);
                    replaceCallback(2, 0, redirectCallback2);
                    return 2;
                } catch (CoreTokenException e2) {
                    OAuthUtil.debugError("OAuth.process(): Authorization redirect failed to be sent because the state could not be stored");
                    throw new AuthLoginException("OAuth.process(): Authorization redirect failed to be sent because the state could not be stored", e2);
                }
            case OAuthParam.GET_OAUTH_TOKEN_STATE /* 2 */:
                String parameter2 = httpServletRequest.getParameter("state");
                String parameter3 = httpServletRequest.getParameter(OAuthParam.PARAM_CODE);
                if (parameter2 == null) {
                    OAuthUtil.debugError("OAuth.process(): Authorization call-back failed because there was no state parameter");
                    throw new AuthLoginException(OAuthParam.BUNDLE_NAME, "noState", (Object[]) null);
                }
                try {
                    // CSRF / mix-up defence: the CTS token named by the nonce
                    // cookie must hold exactly the "state" value that came back.
                    // The token is deleted as soon as it is read, so a state
                    // value can be redeemed only once. A missing token surfaces
                    // as CoreTokenException and is reported as "incorrectState".
                    Token read = this.ctsStore.read(OAuthUtil.findCookie(httpServletRequest, OAuthParam.NONCE_TOKEN_ID));
                    this.ctsStore.deleteAsync(read);
                    if (!((String) read.getAttribute(CoreTokenField.STRING_ONE)).equals(parameter2)) {
                        OAuthUtil.debugError("OAuth.process(): Authorization call-back failed because the state parameter contained an unexpected value");
                        throw new AuthLoginException(OAuthParam.BUNDLE_NAME, "incorrectState", (Object[]) null);
                    }
                    // Callback without a code (e.g. user denied consent): start over.
                    if (parameter3 == null || parameter3.isEmpty()) {
                        OAuthUtil.debugMessage("OAuth.process(): LOGIN_IGNORE");
                        return 1;
                    }
                    validateInput(OAuthParam.PARAM_CODE, parameter3, "HTTPParameterValue", 2000, false);
                    // NOTE(review): the authorization code and, below, the raw
                    // token-endpoint response (access/refresh/ID tokens) are
                    // written to the debug log; redact these in logging policy.
                    OAuthUtil.debugMessage("OAuth.process(): code parameter: " + parameter3);
                    String contentUsingPOST = HttpRequestContent.getInstance().getContentUsingPOST(this.config.getTokenServiceUrl(), null, this.config.getTokenServiceGETParameters(parameter3, this.proxyURL), this.config.getTokenServicePOSTparameters(parameter3, this.proxyURL));
                    OAuthUtil.debugMessage("OAuth.process(): token=" + contentUsingPOST);
                    JwtClaimsSet jwtClaimsSet = null;
                    String str3 = null;
                    // The ID token is validated only when OIDC is enabled AND an
                    // issuer is configured; otherwise no ID token is processed
                    // and the login relies on the profile service alone.
                    if (this.config.isOpenIDConnect() && StringUtils.isNotEmpty(this.jwtHandlerConfig.getConfiguredIssuer())) {
                        str3 = extractToken(OAuthParam.ID_TOKEN, contentUsingPOST);
                        try {
                            jwtClaimsSet = new JwtHandler(this.jwtHandlerConfig).validateJwt(str3);
                            // Reject ID tokens issued for a different client.
                            if (!JwtHandler.isIntendedForAudience(this.config.getClientId(), jwtClaimsSet)) {
                                OAuthUtil.debugError("OAuth.process(): ID token is not for this client as audience.");
                                throw new AuthLoginException(OAuthParam.BUNDLE_NAME, "audience", (Object[]) null);
                            }
                        } catch (RuntimeException | AuthLoginException e3) {
                            DEBUG.warning("Cannot validate JWT", e3);
                            throw e3;
                        }
                    }
                    String extractToken = extractToken(OAuthParam.PARAM_ACCESS_TOKEN, contentUsingPOST);
                    this.refreshToken = extractToken(OAuthParam.PARAM_REFRESH_TOKEN, contentUsingPOST);
                    setUserSessionProperty(OAuthParam.SESSION_OAUTH_TOKEN, extractToken);
                    setUserSessionProperty(OAuthParam.SESSION_OAUTH_SCOPE, this.config.getScope());
                    String str4 = null;
                    if (StringUtils.isNotEmpty(this.config.getProfileServiceUrl())) {
                        str4 = ProfileProviderFactory.getProfileProvider(this.config).getProfile(this.config, extractToken);
                        OAuthUtil.debugMessage("OAuth.process(): Profile Svc response: " + str4);
                    }
                    String requestOrg = getRequestOrg();
                    if (requestOrg == null) {
                        requestOrg = "/";
                    }
                    AccountProvider instantiateAccountProvider = instantiateAccountProvider();
                    // Map the profile / claims to identity attributes, then look
                    // the local account up by them (no lookup if nothing mapped).
                    Map attributes = getAttributes(str4, this.config.getAccountMapperConfig(), instantiateAccountMapper(), jwtClaimsSet);
                    String user = attributes.isEmpty() ? null : getUser(requestOrg, instantiateAccountProvider, attributes);
                    // No local account and provisioning disabled: log in as the
                    // configured anonymous user or as the first mapped value.
                    if (user == null && !this.config.getCreateAccountFlag()) {
                        this.authenticatedUser = getDynamicUser(attributes);
                        if (this.authenticatedUser == null) {
                            throw new AuthLoginException("No user mapped!");
                        }
                        if (this.config.getSaveAttributesToSessionFlag()) {
                            saveAttributes(getAttributesMap(str4, jwtClaimsSet));
                        }
                        OAuthUtil.debugMessage("OAuth.process(): LOGIN_SUCCEED with user " + this.authenticatedUser);
                        storeUsernamePasswd(this.authenticatedUser, null);
                        return -1;
                    }
                    // Existing local account: refresh its attributes and succeed.
                    if (user != null || !this.config.getCreateAccountFlag()) {
                        // Given the branch above, user cannot be null here; this
                        // throw is defensive only.
                        if (user == null) {
                            throw new AuthLoginException(OAuthParam.BUNDLE_NAME, "unknownState", (Object[]) null);
                        }
                        this.authenticatedUser = user;
                        OAuthUtil.debugMessage("OAuth.process(): LOGIN_SUCCEED with user " + this.authenticatedUser);
                        if (this.config.getSaveAttributesToSessionFlag()) {
                            saveAttributes(getAttributesMap(str4, jwtClaimsSet));
                        }
                        // NOTE(review): the fifth argument (the user name) ends up
                        // in updateAccount's "userPassword" attribute - see the
                        // note on that method.
                        updateAccount(instantiateAccountProvider, requestOrg, attributes, str4, user, jwtClaimsSet);
                        storeUsernamePasswd(this.authenticatedUser, null);
                        return -1;
                    }
                    // Account creation: either ask the user for a password first
                    // (state 3) or provision now with a random password.
                    if (this.config.getPromptPasswordFlag()) {
                        setUserSessionProperty(PROFILE_SERVICE_RESPONSE, str4);
                        if (!this.config.isOpenIDConnect()) {
                            return 3;
                        }
                        setUserSessionProperty(OPENID_TOKEN, str3);
                        return 3;
                    }
                    this.authenticatedUser = provisionAccountNow(instantiateAccountProvider, requestOrg, str4, getRandomData(), jwtClaimsSet);
                    if (this.authenticatedUser == null) {
                        return 0;
                    }
                    OAuthUtil.debugMessage("User created: " + this.authenticatedUser);
                    storeUsernamePasswd(this.authenticatedUser, null);
                    return -1;
                } catch (IdRepoException e4) {
                    OAuthUtil.debugError("OAuth.process(): IdRepoException: " + e4.getMessage());
                    throw new AuthLoginException(OAuthParam.BUNDLE_NAME, "ire", (Object[]) null, e4);
                } catch (JSONException e5) {
                    OAuthUtil.debugError("OAuth.process(): JSONException: " + e5.getMessage());
                    throw new AuthLoginException(OAuthParam.BUNDLE_NAME, "json", (Object[]) null, e5);
                } catch (CoreTokenException e6) {
                    OAuthUtil.debugError("OAuth.process(): Authorization call-back failed because the state parameter contained an unexpected value");
                    throw new AuthLoginException(OAuthParam.BUNDLE_NAME, "incorrectState", (Object[]) null, e6);
                } catch (SSOException e7) {
                    OAuthUtil.debugError("OAuth.process(): SSOException: " + e7.getMessage());
                    throw new AuthLoginException(OAuthParam.BUNDLE_NAME, "ssoe", (Object[]) null, e7);
                }
            case OAuthParam.SET_PASSWORD_STATE /* 3 */:
                if (!this.config.getCreateAccountFlag()) {
                    return 0;
                }
                // Both password fields are length/charset-checked by ESAPI and
                // must match; the terms checkbox must carry "accept".
                // NOTE(review): validateInput puts the rejected value into the
                // exception arguments, so a rejected password may be echoed in
                // an error message or log.
                this.userPassword = httpServletRequest.getParameter(OAuthParam.PARAM_TOKEN1);
                validateInput(OAuthParam.PARAM_TOKEN1, this.userPassword, "HTTPParameterValue", 512, false);
                String parameter4 = httpServletRequest.getParameter(OAuthParam.PARAM_TOKEN2);
                validateInput(OAuthParam.PARAM_TOKEN2, parameter4, "HTTPParameterValue", 512, false);
                if (!this.userPassword.equals(parameter4)) {
                    OAuthUtil.debugWarning("OAuth.process(): Passwords did not match!");
                    return 3;
                }
                // NOTE(review): a request without a "terms" parameter throws
                // NullPointerException here instead of returning to state 3.
                if (!httpServletRequest.getParameter("terms").equalsIgnoreCase("accept")) {
                    return 3;
                }
                String userSessionProperty = getUserSessionProperty(PROFILE_SERVICE_RESPONSE);
                // Activation code: random bytes, e-mailed to the address taken
                // from the profile, to be typed back in state 4.
                this.data = getRandomData();
                String mail = getMail(userSessionProperty, this.config.getMailAttribute());
                OAuthUtil.debugMessage("Mail found = " + mail);
                try {
                    OAuthUtil.sendEmail(this.config.getEmailFrom(), mail, this.data, this.config.getSMTPConfig(), this.bundle, this.proxyURL);
                    // NOTE(review): the activation code is written to the debug log.
                    OAuthUtil.debugMessage("User to be created, we need to activate: " + this.data);
                    return 4;
                } catch (NoEmailSentException e8) {
                    OAuthUtil.debugError("No mail sent due to error", e8);
                    throw new AuthLoginException("Aborting authentication, because the mail could not be sent due to a mail sending error");
                }
            case OAuthParam.CREATE_USER_STATE /* 4 */:
                String parameter5 = httpServletRequest.getParameter(OAuthParam.PARAM_ACTIVATION);
                validateInput(OAuthParam.PARAM_ACTIVATION, parameter5, "HTTPParameterValue", 512, false);
                OAuthUtil.debugMessage("code entered by the user: " + parameter5);
                // Wrong or missing activation code: stay in state 4.
                if (parameter5 == null || parameter5.isEmpty() || !parameter5.trim().equals(this.data.trim())) {
                    return 4;
                }
                String userSessionProperty2 = getUserSessionProperty(PROFILE_SERVICE_RESPONSE);
                // NOTE(review): state 2 stored the ID token under OPENID_TOKEN
                // ("OPENID_TOKEN"), but this reads OAuthParam.ID_TOKEN - confirm
                // the two keys are the same, otherwise the claims passed to
                // provisionAccountNow below are always null.
                String userSessionProperty3 = getUserSessionProperty(OAuthParam.ID_TOKEN);
                String requestOrg2 = getRequestOrg();
                if (requestOrg2 == null) {
                    requestOrg2 = "/";
                }
                OAuthUtil.debugMessage("Got Attributes: " + userSessionProperty2);
                // Claims are re-parsed with getJwtClaims (not validateJwt);
                // presumably the token was already validated in state 2 - verify.
                this.authenticatedUser = provisionAccountNow(instantiateAccountProvider(), requestOrg2, userSessionProperty2, this.userPassword, userSessionProperty3 != null ? new JwtHandler(this.jwtHandlerConfig).getJwtClaims(userSessionProperty3) : null);
                if (this.authenticatedUser == null) {
                    return 0;
                }
                OAuthUtil.debugMessage("User created: " + this.authenticatedUser);
                storeUsernamePasswd(this.authenticatedUser, null);
                return -1;
            default:
                OAuthUtil.debugError("OAuth.process(): Illegal State");
                return 0;
        }
    }

    /**
     * Generates the unguessable OAuth "state" value for one authorization
     * request (a random UUID).
     *
     * @return the state string
     */
    private String createAuthorizationState() {
        return UUID.randomUUID().toString();
    }

    /**
     * Looks up the local account matching the mapped attributes.
     *
     * @param str             the realm (organisation) to search in
     * @param accountProvider provider performing the search
     * @param map             mapped identity attributes; null/empty means no search
     * @return the matched identity's name, or null when nothing matched
     */
    private String getUser(String str, AccountProvider accountProvider, Map<String, Set<String>> map) throws AuthLoginException, JSONException, SSOException, IdRepoException {
        AMIdentity searchUser;
        String str2 = null;
        if (map != null && !map.isEmpty() && (searchUser = accountProvider.searchUser(getAMIdentityRepository(str), map)) != null) {
            str2 = searchUser.getName();
        }
        return str2;
    }

    /**
     * Returns 20 bytes from the class-level {@link SecureRandom}, Base64
     * encoded; used as activation code and as generated account password.
     *
     * @return the encoded random string
     */
    private String getRandomData() {
        byte[] bArr = new byte[20];
        random.nextBytes(bArr);
        return Base64.encode(bArr);
    }

    /**
     * Instantiates the configured account mapper class by reflection.
     *
     * @return the mapper instance
     * @throws AuthLoginException when the class cannot be loaded, constructed,
     *                            or is not an {@link AttributeMapper}
     */
    private AttributeMapper<?> instantiateAccountMapper() throws AuthLoginException {
        try {
            return (AttributeMapper) getConfiguredType(AttributeMapper.class, this.config.getAccountMapper());
        } catch (ClassCastException e) {
            DEBUG.error("Account Mapper is not an implementation of AttributeMapper.", e);
            // Message says "account provider"; the log line above is accurate.
            throw new AuthLoginException("Problem when trying to instantiate the account provider", e);
        } catch (Exception e2) {
            throw new AuthLoginException("Problem when trying to instantiate the account mapper", e2);
        }
    }

    /**
     * Instantiates the configured account provider class by reflection.
     *
     * @return the provider instance
     * @throws AuthLoginException when the class cannot be loaded, constructed,
     *                            or is not an {@link AccountProvider}
     */
    private AccountProvider instantiateAccountProvider() throws AuthLoginException {
        try {
            return (AccountProvider) getConfiguredType(AccountProvider.class, this.config.getAccountProvider());
        } catch (ClassCastException e) {
            DEBUG.error("Account Provider is not actually an implementation of AccountProvider.", e);
            throw new AuthLoginException("Problem when trying to instantiate the account provider", e);
        } catch (Exception e2) {
            throw new AuthLoginException("Problem when trying to instantiate the account provider", e2);
        }
    }

    /**
     * Runs every configured attribute mapper over the profile response and/or
     * ID-token claims and merges the results, later mappers overwriting
     * earlier ones. Mapper load failures are logged and skipped.
     *
     * @param str          raw profile-service response (may be null)
     * @param jwtClaimsSet validated ID-token claims (may be null)
     * @return mutable map of identity attribute name to values; includes the
     *         refresh token under the configured attribute when
     *         {@link #REFRESH_TOKEN_ATTRIBUTE_CUSTOM_PROPERTY} is set
     */
    private Map<String, Set<String>> getAttributesMap(String str, JwtClaimsSet jwtClaimsSet) {
        HashMap hashMap = new HashMap();
        Map<String, String> attributeMapperConfig = this.config.getAttributeMapperConfig();
        Iterator<String> it = this.config.getAttributeMappers().iterator();
        while (it.hasNext()) {
            try {
                AttributeMapper attributeMapper = (AttributeMapper) getConfiguredType(AttributeMapper.class, it.next());
                attributeMapper.init(OAuthParam.BUNDLE_NAME);
                hashMap.putAll(getAttributes(str, attributeMapperConfig, attributeMapper, jwtClaimsSet));
            } catch (ClassCastException e) {
                DEBUG.error("Attribute Mapper is not actually an implementation of AttributeMapper.", e);
            } catch (Exception e2) {
                OAuthUtil.debugError("OAuth.getUser: Problem when trying to get the Attribute Mapper", e2);
            }
        }
        if (this.config.getCustomProperties().containsKey(REFRESH_TOKEN_ATTRIBUTE_CUSTOM_PROPERTY) && StringUtils.isNotBlank(this.refreshToken)) {
            hashMap.put(this.config.getCustomProperties().get(REFRESH_TOKEN_ATTRIBUTE_CUSTOM_PROPERTY), Collections.singleton(this.refreshToken));
        }
        // NOTE(review): when the refresh token was added above it is included
        // in this debug line.
        OAuthUtil.debugMessage("OAuth.getUser: creating new user; attributes = " + hashMap);
        return hashMap;
    }

    /**
     * Loads and instantiates a configured class. The configuration string is
     * {@code "fully.qualified.Name"} optionally followed by {@code '|'}-separated
     * String constructor arguments, e.g. {@code "a.b.C|arg1|arg2"} selects the
     * constructor {@code C(String, String)}.
     * <p>
     * The class name comes from module configuration (administrator-controlled)
     * and is instantiated without further restriction beyond the
     * {@code asSubclass} check.
     * <p>
     * NOTE(review): {@code Class<? extends U>} references an undeclared type
     * variable and is almost certainly a decompiler artifact for
     * {@code Class<? extends T>}.
     *
     * @param cls the expected supertype
     * @param str the configuration string described above
     * @return a new instance cast to {@code T}
     */
    private <T> T getConfiguredType(Class<T> cls, String str) throws ClassNotFoundException, InstantiationException, IllegalAccessException, InvocationTargetException, NoSuchMethodException {
        String[] strArr = new String[0];
        // 124 is '|'
        int indexOf = str.indexOf(124);
        if (indexOf > -1) {
            strArr = str.substring(indexOf + 1).split("\\|");
            str = str.substring(0, indexOf);
        }
        Class<? extends U> asSubclass = Class.forName(str).asSubclass(cls);
        Class<?>[] clsArr = new Class[strArr.length];
        Arrays.fill(clsArr, String.class);
        return (T) asSubclass.getConstructor(clsArr).newInstance(strArr);
    }

    /**
     * Calls the mapper with the raw profile string when the mapper's own class
     * declares {@code getAttributes(Map, String)}, otherwise with the ID-token
     * claims. Note that {@code getDeclaredMethod} does not see methods
     * inherited from a superclass.
     *
     * @param str             raw profile-service response
     * @param map             mapper configuration
     * @param attributeMapper the mapper to invoke
     * @param jwtClaimsSet    ID-token claims
     * @return the mapped attributes
     */
    private Map getAttributes(String str, Map<String, String> map, AttributeMapper attributeMapper, JwtClaimsSet jwtClaimsSet) throws AuthLoginException {
        try {
            attributeMapper.getClass().getDeclaredMethod("getAttributes", Map.class, String.class);
            return attributeMapper.getAttributes(map, str);
        } catch (NoSuchMethodException e) {
            return attributeMapper.getAttributes(map, jwtClaimsSet);
        }
    }

    /**
     * Copies the first value of every attribute into the user session.
     * An attribute with an empty value set makes {@code iterator().next()}
     * throw {@code NoSuchElementException}.
     *
     * @param map attributes to store; null or empty is a no-op
     */
    public void saveAttributes(Map<String, Set<String>> map) throws AuthLoginException {
        if (map == null || map.isEmpty()) {
            OAuthUtil.debugMessage("OAuth.saveAttributes: NO attributes to set");
            return;
        }
        for (String str : map.keySet()) {
            String str2 = map.get(str).iterator().next().toString();
            setUserSessionProperty(str, str2);
            OAuthUtil.debugMessage("OAuth.saveAttributes: " + str + "=" + str2);
        }
    }

    /**
     * Chooses a user name when no local account exists and provisioning is
     * off: the configured anonymous user when that flag is set, otherwise the
     * first value of the first mapped attribute (map iteration order decides
     * which attribute that is).
     *
     * @param map mapped attributes
     * @return the user name, or null when none can be derived
     */
    private String getDynamicUser(Map<String, Set<String>> map) throws AuthLoginException {
        String str = null;
        if (this.config.getUseAnonymousUserFlag()) {
            String anonymousUser = this.config.getAnonymousUser();
            if (anonymousUser != null && !anonymousUser.isEmpty()) {
                str = anonymousUser;
            }
        } else if (map != null && !map.isEmpty()) {
            str = map.values().iterator().next().iterator().next();
        }
        return str;
    }

    /**
     * Creates a local account from the mapped attributes, with the given
     * password and {@code inetuserstatus=Active}.
     *
     * @param accountProvider provider performing the creation
     * @param str             the realm
     * @param str2            raw profile-service response
     * @param str3            the password to set on the new account
     * @param jwtClaimsSet    ID-token claims (may be null)
     * @return the created identity's trimmed name, or null when the provider
     *         returned nothing
     */
    public String provisionAccountNow(AccountProvider accountProvider, String str, String str2, String str3, JwtClaimsSet jwtClaimsSet) throws AuthLoginException {
        Map<String, Set<String>> attributesMap = getAttributesMap(str2, jwtClaimsSet);
        if (this.config.getSaveAttributesToSessionFlag()) {
            saveAttributes(attributesMap);
        }
        attributesMap.put("userPassword", CollectionUtils.asSet(new String[]{str3}));
        attributesMap.put("inetuserstatus", CollectionUtils.asSet(new String[]{"Active"}));
        AMIdentity provisionUser = accountProvider.provisionUser(getAMIdentityRepository(str), attributesMap);
        if (provisionUser != null) {
            return provisionUser.getName().trim();
        }
        return null;
    }

    /**
     * Re-applies the mapped attributes to an existing local account.
     * <p>
     * NOTE(review): {@code str3} is written into the account's
     * {@code userPassword} attribute, and the only caller in this listing
     * passes the resolved user name as {@code str3}. If that is what runs in
     * production, every login of an existing account resets its password to
     * its user name; confirm the intent and, if unintended, drop the
     * {@code userPassword} entry from the update.
     *
     * @param accountProvider provider used to find the account
     * @param str             the realm
     * @param map             attributes used to search for the account
     * @param str2            raw profile-service response
     * @param str3            value stored as {@code userPassword}
     * @param jwtClaimsSet    ID-token claims (may be null)
     */
    protected void updateAccount(AccountProvider accountProvider, String str, Map<String, Set<String>> map, String str2, String str3, JwtClaimsSet jwtClaimsSet) throws AuthLoginException {
        Map<String, Set<String>> attributesMap = getAttributesMap(str2, jwtClaimsSet);
        attributesMap.put("userPassword", CollectionUtils.asSet(new String[]{str3}));
        attributesMap.put("inetuserstatus", CollectionUtils.asSet(new String[]{"Active"}));
        AMIdentity searchUser = accountProvider.searchUser(getAMIdentityRepository(str), map);
        if (searchUser != null) {
            try {
                searchUser.setAttributes(attributesMap);
                searchUser.store();
            } catch (Exception e) {
                // SLF4J placeholders are "{}", so "{0}" is printed literally
                // and searchUser is not substituted into the message.
                logger.warn("error update attributes for identity {0}", searchUser, e);
            }
        }
    }

    /**
     * Extracts a named field from the token-endpoint response: parsed as JSON
     * first, and on a parse failure handed to {@code OAuthUtil.getParamValue}
     * (presumably a form-encoded lookup - confirm).
     *
     * @param str  field name
     * @param str2 raw response body
     * @return the value, or "" when the field is absent or null
     */
    public String extractToken(String str, String str2) {
        String str3 = "";
        try {
            JSONObject jSONObject = new JSONObject(str2);
            if (jSONObject != null && !jSONObject.isNull(str)) {
                str3 = jSONObject.getString(str);
                // NOTE(review): logs token values at debug level.
                OAuthUtil.debugMessage(str + ": " + str3);
            }
        } catch (JSONException e) {
            OAuthUtil.debugMessage("OAuth.extractToken: Not in JSON format" + e);
            str3 = OAuthUtil.getParamValue(str2, str);
        }
        return str3;
    }

    /**
     * Reads the e-mail address from the profile JSON. A dotted attribute name
     * ({@code "outer.inner"}) descends exactly one level; only the first two
     * dot-separated segments are used.
     *
     * @param str  raw profile-service response
     * @param str2 the configured mail attribute name
     * @return the address, or "" when the response is not JSON or the
     *         attribute is missing
     */
    public String getMail(String str, String str2) {
        String str3 = "";
        OAuthUtil.debugMessage("mailAttribute: " + str2);
        try {
            JSONObject jSONObject = new JSONObject(str);
            if (str2 == null || str2.indexOf(".") == -1) {
                str3 = jSONObject.getString(str2);
            } else {
                StringTokenizer stringTokenizer = new StringTokenizer(str2, ".");
                str3 = jSONObject.getJSONObject(stringTokenizer.nextToken()).getString(stringTokenizer.nextToken());
            }
            OAuthUtil.debugMessage("mail: " + str3);
        } catch (JSONException e) {
            OAuthUtil.debugMessage("OAuth.getMail: Not in JSON format" + e);
        }
        return str3;
    }

    /**
     * Validates a request parameter with the ESAPI validator.
     *
     * @param str  parameter name (used as the ESAPI context)
     * @param str2 the value to validate
     * @param str3 the ESAPI validation-rule name
     * @param i    maximum length
     * @param z    whether null is acceptable
     * @throws AuthLoginException when validation fails; the parameter name and
     *                            the rejected value are passed as message
     *                            arguments, so callers validating secrets
     *                            (state 3 passwords) may expose them
     */
    public void validateInput(String str, String str2, String str3, int i, boolean z) throws AuthLoginException {
        if (ESAPI.validator().isValidInput(str, str2, str3, i, z)) {
            return;
        }
        OAuthUtil.debugError("OAuth.validateInput(): OAuth 2.0 Not valid input !");
        throw new AuthLoginException(OAuthParam.BUNDLE_NAME, "invalidField", new String[]{str, str2});
    }

    /**
     * @return the principal for the authenticated user, or null before
     *         authentication succeeded
     */
    public Principal getPrincipal() {
        if (this.authenticatedUser != null) {
            return new OAuthPrincipal(this.authenticatedUser);
        }
        return null;
    }

    /**
     * Clears the authenticated user. NOTE(review): refreshToken, userPassword
     * and data are left in place - confirm module instances are not reused.
     */
    public void destroyModuleState() {
        this.authenticatedUser = null;
    }

    /**
     * Releases configuration and shared state after the module completes.
     */
    public void nullifyUsedVars() {
        this.config = null;
        this.sharedState = null;
    }
}
