package org.forgerock.oauth2.core;

import com.iplanet.sso.SSOException;
import com.sun.identity.authentication.AuthContext;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.IdRepoException;
import com.sun.identity.idm.IdUtils;
import com.sun.identity.shared.debug.Debug;
import com.sun.identity.shared.encode.Hash;
import com.sun.identity.sm.DNMapper;
import com.sun.identity.sm.SMSException;
import com.sun.identity.sm.ServiceListener;
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import java.io.IOException;
import java.io.StringReader;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.PublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.forgerock.guice.core.InjectorHolder;
import org.forgerock.json.JsonValue;
import org.forgerock.json.jose.jwk.KeyUse;
import org.forgerock.json.jose.jws.JwsAlgorithm;
import org.forgerock.json.jose.jws.SupportedEllipticCurve;
import org.forgerock.oauth2.core.exceptions.InvalidClientException;
import org.forgerock.oauth2.core.exceptions.InvalidRequestException;
import org.forgerock.oauth2.core.exceptions.InvalidScopeException;
import org.forgerock.oauth2.core.exceptions.NotFoundException;
import org.forgerock.oauth2.core.exceptions.ServerException;
import org.forgerock.oauth2.core.exceptions.UnauthorizedClientException;
import org.forgerock.oauth2.core.exceptions.UnsupportedResponseTypeException;
import org.forgerock.oauth2.resources.ResourceSetStore;
import org.forgerock.openam.oauth2.OAuth2Utils;
import org.forgerock.openam.oauth2.OAuthProblemException;
import org.forgerock.openam.oauth2.OpenAMAuthenticationMethod;
import org.forgerock.openam.sm.ServiceConfigManagerFactory;
import org.forgerock.openam.utils.OpenAMSettings;
import org.forgerock.openam.utils.StringUtils;
import org.forgerock.openidconnect.Client;
import org.forgerock.openidconnect.OpenIdPrompt;
import org.forgerock.util.annotations.VisibleForTesting;
import org.forgerock.util.encode.Base64url;
import org.json.JSONException;
import org.json.JSONObject;

/* loaded from: input_file:org/forgerock/oauth2/core/RealmOAuth2ProviderSettings.class */
public class RealmOAuth2ProviderSettings implements OAuth2ProviderSettings {
    private final OpenAMSettings settings;
    private final String realm;
    private final ResourceSetStore resourceSetStore;
    private final ServiceConfigManagerFactory serviceConfigManagerFactory;
    private ScopeValidator scopeValidator;
    private volatile Template loginUrlTemplate;
    private Set<String> supportedScopesWithoutTranslations;
    private Set<String> supportedClaimsWithoutTranslations;
    private final Debug logger = Debug.getInstance("OAuth2Provider");
    private final Map<String, Set<String>> attributeCache = new HashMap();
    private final List<Map<String, Object>> jwks = new ArrayList();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/forgerock/oauth2/core/RealmOAuth2ProviderSettings$OAuth2ProviderSettingsChangeListener.class */
    public final class OAuth2ProviderSettingsChangeListener implements ServiceListener {
        private OAuth2ProviderSettingsChangeListener() {
        }

        public void schemaChanged(String str, String str2) {
            RealmOAuth2ProviderSettings.this.logger.warning("The schemaChanged ServiceListener method was invoked for service " + str + ". This is unexpected.");
        }

        public void globalConfigChanged(String str, String str2, String str3, String str4, int i) {
            RealmOAuth2ProviderSettings.this.logger.warning("The globalConfigChanged ServiceListener method was invoked for service " + str);
        }

        public void organizationConfigChanged(String str, String str2, String str3, String str4, String str5, int i) {
            if (!currentRealmTargetedByOrganizationUpdate(str, str2, str3, i)) {
                if (RealmOAuth2ProviderSettings.this.logger.messageEnabled()) {
                    RealmOAuth2ProviderSettings.this.logger.message("Got service update message, but update did not target OAuth2Provider in " + RealmOAuth2ProviderSettings.this.realm + " realm. ServiceName: " + str + " version: " + str2 + " orgName: " + str3 + " groupName: " + str4 + " serviceComponent: " + str5 + " type (modified=4, delete=2, add=1): " + i + " realm as DN: " + DNMapper.orgNameToDN(RealmOAuth2ProviderSettings.this.realm));
                    return;
                }
                return;
            }
            if (RealmOAuth2ProviderSettings.this.logger.messageEnabled()) {
                RealmOAuth2ProviderSettings.this.logger.message("Updating OAuth service configuration state for realm " + RealmOAuth2ProviderSettings.this.realm);
            }
            synchronized (RealmOAuth2ProviderSettings.this.attributeCache) {
                RealmOAuth2ProviderSettings.this.attributeCache.clear();
                RealmOAuth2ProviderSettings.this.jwks.clear();
                RealmOAuth2ProviderSettings.this.loginUrlTemplate = null;
                RealmOAuth2ProviderSettings.this.supportedClaimsWithoutTranslations = null;
                RealmOAuth2ProviderSettings.this.supportedScopesWithoutTranslations = null;
            }
        }

        private boolean currentRealmTargetedByOrganizationUpdate(String str, String str2, String str3, int i) {
            return "OAuth2Provider".equals(str) && "1.0".equals(str2) && str3 != null && str3.equalsIgnoreCase(DNMapper.orgNameToDN(RealmOAuth2ProviderSettings.this.realm));
        }
    }

    public RealmOAuth2ProviderSettings(OpenAMSettings openAMSettings, String str, ResourceSetStore resourceSetStore, ServiceConfigManagerFactory serviceConfigManagerFactory) {
        this.settings = openAMSettings;
        this.realm = str;
        this.resourceSetStore = resourceSetStore;
        this.serviceConfigManagerFactory = serviceConfigManagerFactory;
        addServiceListener();
    }

    private void addServiceListener() {
        try {
            if (this.serviceConfigManagerFactory.create("OAuth2Provider", "1.0").addListener(new OAuth2ProviderSettingsChangeListener()) == null) {
                this.logger.error("Could not add listener to ServiceConfigManager instance. OAuth2 provider service changes will not be dynamically updated for realm " + this.realm);
            }
        } catch (Exception e) {
            String str = "OAuth2Utils::Unable to construct ServiceConfigManager: " + e;
            this.logger.error(str, e);
            throw OAuthProblemException.OAuthError.SERVER_ERROR.handle(null, str);
        }
    }

    private Set<String> getSetting(String str, String str2) throws SSOException, SMSException {
        Set<String> set;
        synchronized (this.attributeCache) {
            Set<String> set2 = this.attributeCache.get(str2);
            if (set2 == null) {
                set2 = this.settings.getSetting(str, str2);
                this.attributeCache.put(str2, set2);
            }
            set = set2;
        }
        return set;
    }

    private Set<String> getSettingStrings(String str) throws ServerException {
        try {
            return getSetting(this.realm, str);
        } catch (SMSException e) {
            this.logger.error(e.getMessage());
            throw new ServerException((Throwable) e);
        } catch (SSOException e2) {
            this.logger.error(e2.getMessage());
            throw new ServerException((Throwable) e2);
        }
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public boolean isStatelessTokensEnabled() throws ServerException {
        try {
            return this.settings.getBooleanSetting(this.realm, "statelessTokensEnabled").booleanValue();
        } catch (SSOException e) {
            this.logger.error(e.getMessage());
            throw new ServerException((Throwable) e);
        } catch (SMSException e2) {
            this.logger.error(e2.getMessage());
            throw new ServerException((Throwable) e2);
        }
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public boolean isIdTokenInfoClientAuthenticationEnabled() throws ServerException {
        try {
            return this.settings.getBooleanSetting(this.realm, "idTokenInfoClientAuthenticationEnabled").booleanValue();
        } catch (SSOException e) {
            this.logger.error(e.getMessage());
            throw new ServerException((Throwable) e);
        } catch (SMSException e2) {
            this.logger.error(e2.getMessage());
            throw new ServerException((Throwable) e2);
        }
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public String getTokenSigningAlgorithm() throws ServerException {
        try {
            return this.settings.getStringSetting(this.realm, "tokenSigningAlgorithm");
        } catch (SSOException e) {
            this.logger.error(e.getMessage());
            throw new ServerException((Throwable) e);
        } catch (SMSException e2) {
            this.logger.error(e2.getMessage());
            throw new ServerException((Throwable) e2);
        }
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public boolean isTokenCompressionEnabled() throws ServerException {
        try {
            return this.settings.getBooleanSetting(this.realm, "tokenCompressionEnabled").booleanValue();
        } catch (SSOException | SMSException e) {
            this.logger.error("Error determining if token compression is enabled: {}", e);
            throw new ServerException((Throwable) e);
        }
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public String getTokenHmacSharedSecret() throws ServerException {
        try {
            return this.settings.getStringSetting(this.realm, "tokenSigningHmacSharedSecret");
        } catch (SSOException e) {
            this.logger.error(e.getMessage());
            throw new ServerException((Throwable) e);
        } catch (SMSException e2) {
            this.logger.error(e2.getMessage());
            throw new ServerException((Throwable) e2);
        }
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public Map<String, ResponseTypeHandler> getAllowedResponseTypes() throws UnsupportedResponseTypeException, ServerException {
        try {
            Set<String> setting = getSetting(this.realm, "forgerock-oauth2-provider-response-type-map-class");
            if (setting == null || setting.isEmpty()) {
                return Collections.emptyMap();
            }
            HashMap hashMap = new HashMap();
            Iterator<String> it = setting.iterator();
            while (it.hasNext()) {
                String[] split = it.next().split("\\|");
                if (split.length != 2) {
                    this.logger.error("Response type wrong format for realm: " + this.realm);
                } else {
                    hashMap.put(split[0], wrap(split[0], split[1]));
                }
            }
            return hashMap;
        } catch (SMSException e) {
            this.logger.error(e.getMessage());
            throw new ServerException((Throwable) e);
        } catch (SSOException e2) {
            this.logger.error(e2.getMessage());
            throw new ServerException((Throwable) e2);
        }
    }

    private ResponseTypeHandler wrap(String str, String str2) throws UnsupportedResponseTypeException {
        if (str2 == null || str2.isEmpty()) {
            this.logger.warning("Requested a response type that is not configured. response_type=" + str);
            throw new UnsupportedResponseTypeException("Response type is not supported");
        }
        if (str2.equalsIgnoreCase(OpenIdPrompt.PROMPT_NONE)) {
            return new NoneResponseTypeHandler();
        }
        try {
            return (ResponseTypeHandler) InjectorHolder.getInstance(Class.forName(str2).asSubclass(ResponseTypeHandler.class));
        } catch (ClassNotFoundException e) {
            this.logger.error(e.getMessage());
            throw new UnsupportedResponseTypeException("Response type is not supported");
        }
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public boolean isSaveConsentEnabled() {
        try {
            return this.settings.getStringSetting(this.realm, "forgerock-oauth2-provider-saved-consent-attribute") != null;
        } catch (SMSException | SSOException e) {
            this.logger.error("There was a problem getting the consent configuration for realm:" + this.realm, e);
            return false;
        }
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public boolean isConsentSaved(ResourceOwner resourceOwner, String str, Set<String> set) {
        try {
            if (isSaveConsentEnabled()) {
                String stringSetting = this.settings.getStringSetting(this.realm, "forgerock-oauth2-provider-saved-consent-attribute");
                AMIdentity identity = resourceOwner.getIdentity();
                if (identity != null) {
                    Set<String> attribute = identity.getAttribute(stringSetting);
                    if (attribute != null) {
                        if (this.logger.messageEnabled()) {
                            this.logger.message("Existing saved consent value for resourceOwner: " + resourceOwner.getId() + " in attribute:" + stringSetting + " in realm:" + this.realm + " is:" + attribute);
                        }
                        for (String str2 : attribute) {
                            int indexOf = str2.indexOf(OAuth2Utils.SCOPE_DELIMITER);
                            String substring = str2.substring(0, indexOf);
                            String[] split = indexOf + 1 < str2.length() ? str2.substring(indexOf + 1, str2.length()).split(OAuth2Utils.SCOPE_DELIMITER) : null;
                            HashSet hashSet = (split == null || split.length <= 0) ? new HashSet() : new HashSet(Arrays.asList(split));
                            if (str.equals(substring) && set.equals(hashSet)) {
                                return true;
                            }
                        }
                    } else if (this.logger.messageEnabled()) {
                        this.logger.message("No existing saved consent value for resourceOwner: " + resourceOwner.getId() + " in attribute:" + stringSetting + " in realm:" + this.realm);
                    }
                }
            } else {
                this.logger.error("Can't save consent as it is not configured properly for the realm:" + this.realm);
            }
            return false;
        } catch (Exception e) {
            this.logger.error("There was a problem getting the saved consent from the attribute:  for realm:" + this.realm, e);
            return false;
        }
    }

    private synchronized ScopeValidator getScopeValidator() throws ServerException {
        if (this.scopeValidator == null) {
            try {
                String stringSettingValue = getStringSettingValue("forgerock-oauth2-provider-scope-implementation-class");
                if (Utils.isEmpty(stringSettingValue)) {
                    this.logger.message("Scope Validator class not set.");
                    throw new ServerException("Scope Validator class not set.");
                }
                this.scopeValidator = (ScopeValidator) InjectorHolder.getInstance(Class.forName(stringSettingValue).asSubclass(ScopeValidator.class));
            } catch (ClassNotFoundException e) {
                this.logger.error(e.getMessage());
                throw new ServerException(e);
            }
        }
        return this.scopeValidator;
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public Set<String> validateAuthorizationScope(ClientRegistration clientRegistration, Set<String> set, OAuth2Request oAuth2Request) throws ServerException, InvalidScopeException {
        return getScopeValidator().validateAuthorizationScope(clientRegistration, set, oAuth2Request);
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public Set<String> validateAccessTokenScope(ClientRegistration clientRegistration, Set<String> set, OAuth2Request oAuth2Request) throws ServerException, InvalidScopeException {
        return getScopeValidator().validateAccessTokenScope(clientRegistration, set, oAuth2Request);
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public Set<String> validateRefreshTokenScope(ClientRegistration clientRegistration, Set<String> set, Set<String> set2, OAuth2Request oAuth2Request) throws ServerException, InvalidScopeException {
        return getScopeValidator().validateRefreshTokenScope(clientRegistration, set, set2, oAuth2Request);
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public UserInfoClaims getUserInfo(ClientRegistration clientRegistration, AccessToken accessToken, OAuth2Request oAuth2Request) throws ServerException, UnauthorizedClientException, NotFoundException {
        return getScopeValidator().getUserInfo(clientRegistration, accessToken, oAuth2Request);
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public Map<String, Object> evaluateScope(AccessToken accessToken) throws ServerException {
        return getScopeValidator().evaluateScope(accessToken);
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public Map<String, String> additionalDataToReturnFromAuthorizeEndpoint(Map<String, Token> map, OAuth2Request oAuth2Request) throws ServerException {
        return getScopeValidator().additionalDataToReturnFromAuthorizeEndpoint(map, oAuth2Request);
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public void additionalDataToReturnFromTokenEndpoint(AccessToken accessToken, OAuth2Request oAuth2Request) throws ServerException, InvalidClientException, NotFoundException {
        getScopeValidator().additionalDataToReturnFromTokenEndpoint(accessToken, oAuth2Request);
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public void saveConsent(ResourceOwner resourceOwner, String str, Set<String> set) {
        try {
            String stringSetting = this.settings.getStringSetting(this.realm, "forgerock-oauth2-provider-saved-consent-attribute");
            if (stringSetting != null) {
                AMIdentity identity = resourceOwner.getIdentity();
                Set attribute = identity.getAttribute(stringSetting);
                HashSet hashSet = attribute != null ? new HashSet(attribute) : new HashSet(1);
                StringBuilder sb = new StringBuilder();
                if (set == null || set.isEmpty()) {
                    sb.append(str.trim()).append(OAuth2Utils.SCOPE_DELIMITER);
                } else {
                    sb.append(str.trim()).append(OAuth2Utils.SCOPE_DELIMITER).append(Utils.joinScope(set));
                }
                hashSet.add(sb.toString());
                if (this.logger.messageEnabled()) {
                    this.logger.message("Saving consents:" + hashSet + " for resourceOwner: " + resourceOwner.getId() + " in attribute:" + stringSetting + " in realm:" + this.realm);
                }
                updateConsentValues(stringSetting, identity, hashSet);
            } else {
                this.logger.error("Cannot save consent as no saved consent attribute defined in realm:" + this.realm);
            }
        } catch (Exception e) {
            this.logger.error("There was a problem saving the consent into the attribute: {} for realm: {}", new Object[]{null, this.realm, e});
        }
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public void revokeConsent(String str, String str2) {
        String str3 = null;
        try {
            str3 = this.settings.getStringSetting(this.realm, "forgerock-oauth2-provider-saved-consent-attribute");
            if (str3 != null) {
                AMIdentity identity = IdUtils.getIdentity(str, this.realm);
                Set<String> attribute = identity.getAttribute(str3);
                if (attribute == null) {
                    return;
                }
                Iterator<String> it = attribute.iterator();
                while (it.hasNext()) {
                    if (it.next().startsWith(str2 + OAuth2Utils.SCOPE_DELIMITER)) {
                        it.remove();
                    }
                }
                updateConsentValues(str3, identity, attribute);
            }
        } catch (SMSException | SSOException | IdRepoException e) {
            this.logger.warning("There was a problem revoking consent from the attribute: {} for realm: {}", new Object[]{str3, this.realm, e});
        }
    }

    private void updateConsentValues(String str, AMIdentity aMIdentity, Set<String> set) throws IdRepoException, SSOException {
        HashMap hashMap = new HashMap(1);
        hashMap.put(str, set);
        aMIdentity.setAttributes(hashMap);
        aMIdentity.store();
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public boolean issueRefreshTokens() throws ServerException {
        try {
            return this.settings.getBooleanSetting(this.realm, "forgerock-oauth2-provider-issue-refresh-token").booleanValue();
        } catch (SSOException e) {
            this.logger.error(e.getMessage());
            throw new ServerException((Throwable) e);
        } catch (SMSException e2) {
            this.logger.error(e2.getMessage());
            throw new ServerException((Throwable) e2);
        }
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public boolean issueRefreshTokensOnRefreshingToken() throws ServerException {
        try {
            return this.settings.getBooleanSetting(this.realm, "forgerock-oauth2-provider-issue-refresh-token-on-refreshing-token").booleanValue();
        } catch (SSOException e) {
            this.logger.error(e.getMessage());
            throw new ServerException((Throwable) e);
        } catch (SMSException e2) {
            this.logger.error(e2.getMessage());
            throw new ServerException((Throwable) e2);
        }
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public long getAuthorizationCodeLifetime() throws ServerException {
        return getLongSettingValue("forgerock-oauth2-provider-authorization-code-lifetime");
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public long getAccessTokenLifetime() throws ServerException {
        return getLongSettingValue("forgerock-oauth2-provider-access-token-lifetime");
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public long getOpenIdTokenLifetime() throws ServerException {
        return getLongSettingValue("forgerock-oauth2-provider-jwt-token-lifetime");
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public long getRefreshTokenLifetime() throws ServerException {
        return getLongSettingValue("forgerock-oauth2-provider-refresh-token-lifetime");
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public KeyPair getSigningKeyPair(JwsAlgorithm jwsAlgorithm) throws ServerException {
        try {
            return this.settings.getSigningKeyPair(this.realm, jwsAlgorithm);
        } catch (SMSException e) {
            this.logger.error(e.getMessage());
            throw new ServerException((Throwable) e);
        } catch (SSOException e2) {
            this.logger.error(e2.getMessage());
            throw new ServerException((Throwable) e2);
        }
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public Set<String> getResourceOwnerAuthenticatedAttributes() throws ServerException {
        return getSettingStrings("forgerock-oauth2-provider-authentication-attributes");
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public Set<String> getSupportedClaims() throws ServerException {
        Set<String> withoutTranslations = getWithoutTranslations("forgerock-oauth2-provider-supported-claims", this.supportedClaimsWithoutTranslations);
        this.supportedClaimsWithoutTranslations = withoutTranslations;
        return withoutTranslations;
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public Set<String> getSupportedClaimsWithTranslations() throws ServerException {
        return getSettingStrings("forgerock-oauth2-provider-supported-claims");
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public Set<String> getSupportedScopes() throws ServerException {
        Set<String> withoutTranslations = getWithoutTranslations("forgerock-oauth2-provider-supported-scopes", this.supportedScopesWithoutTranslations);
        this.supportedScopesWithoutTranslations = withoutTranslations;
        return withoutTranslations;
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public Set<String> getSupportedScopesWithTranslations() throws ServerException {
        return getSettingStrings("forgerock-oauth2-provider-supported-scopes");
    }

    private Set<String> getWithoutTranslations(String str, Set<String> set) throws ServerException {
        if (set != null) {
            return set;
        }
        HashSet hashSet = new HashSet();
        try {
            synchronized (this.attributeCache) {
                for (String str2 : getSetting(this.realm, str)) {
                    int indexOf = str2.indexOf(124);
                    if (indexOf > -1) {
                        hashSet.add(str2.substring(0, indexOf));
                    } else {
                        hashSet.add(str2);
                    }
                }
            }
            return hashSet;
        } catch (SSOException e) {
            this.logger.error(e.getMessage());
            throw new ServerException((Throwable) e);
        } catch (SMSException e2) {
            this.logger.error(e2.getMessage());
            throw new ServerException((Throwable) e2);
        }
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public Set<String> getDefaultScopes() throws ServerException {
        return getSettingStrings("forgerock-oauth2-provider-default-scopes");
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public Set<String> getSupportedIDTokenSigningAlgorithms() throws ServerException {
        return getSettingStrings("forgerock-oauth2-provider-id-token-signing-algorithms-supported");
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public Set<String> getSupportedIDTokenEncryptionAlgorithms() throws ServerException {
        return getSettingStrings("supportedIDTokenEncryptionAlgorithms");
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public Set<String> getSupportedIDTokenEncryptionMethods() throws ServerException {
        return getSettingStrings("supportedIDTokenEncryptionMethods");
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public String getOpenIDConnectVersion() {
        return "3.0";
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public JsonValue getJWKSet() throws ServerException {
        synchronized (this.jwks) {
            if (this.jwks.isEmpty()) {
                try {
                    PublicKey publicKey = this.settings.getSigningKeyPair(this.realm, JwsAlgorithm.RS256).getPublic();
                    if (publicKey == null || !"RSA".equals(publicKey.getAlgorithm())) {
                        this.logger.error("Incorrect Public Key type for RSA signing algorithm");
                    } else {
                        this.jwks.add(createRSAJWK(getTokenSigningRSAKeyAlias(), (RSAPublicKey) publicKey, KeyUse.SIG, JwsAlgorithm.RS256.name()));
                    }
                    for (String str : getSetting(this.realm, "tokenSigningECDSAKeyAlias")) {
                        if (StringUtils.isEmpty(str)) {
                            this.logger.warning("Empty ECDSA signing key alias");
                        } else {
                            String[] split = str.split("\\|");
                            if (split.length != 2) {
                                this.logger.warning("Invalid ECDSA signing key alias mapping: " + str);
                            } else {
                                String str2 = split[1];
                                PublicKey publicKey2 = this.settings.getSigningKeyPair(this.realm, JwsAlgorithm.valueOf(split[0].toUpperCase())).getPublic();
                                if (publicKey2 != null) {
                                    if ("EC".equals(publicKey2.getAlgorithm())) {
                                        this.jwks.add(createECJWK(str2, (ECPublicKey) publicKey2, KeyUse.SIG));
                                    } else {
                                        this.logger.error("Incorrect Public Key type for ECDSA signing algorithm. Alias: " + str);
                                    }
                                }
                            }
                        }
                    }
                } catch (SMSException | SSOException e) {
                    throw new ServerException((Throwable) e);
                }
            }
        }
        return new JsonValue(Collections.singletonMap("keys", this.jwks));
    }

    private static byte[] integerToOctetString(BigInteger bigInteger, int i) {
        if (bigInteger.signum() < 0) {
            throw new IllegalArgumentException("argument i should not be negative");
        }
        if (i <= 0) {
            throw new IllegalArgumentException("octetStringSize argument (" + i + ") should be higher than 0 to store any integer");
        }
        if (bigInteger.bitLength() > i * 8) {
            throw new IllegalArgumentException("argument i (" + bigInteger + ") does not fit into " + i + " octets");
        }
        byte[] byteArray = bigInteger.toByteArray();
        int length = byteArray.length;
        if (length == i) {
            return byteArray;
        }
        byte[] bArr = new byte[i];
        if (byteArray[0] == 0) {
            System.arraycopy(byteArray, 1, bArr, (i - length) + 1, length - 1);
        } else {
            System.arraycopy(byteArray, 0, bArr, i - length, length);
        }
        return bArr;
    }

    private static byte[] integerToOctetString(BigInteger bigInteger) {
        return integerToOctetString(bigInteger, (bigInteger.bitLength() / 8) + (bigInteger.bitLength() % 8 > 0 ? 1 : 0));
    }

    @VisibleForTesting
    static Map<String, Object> createRSAJWK(String str, RSAPublicKey rSAPublicKey, KeyUse keyUse, String str2) throws ServerException {
        return JsonValue.json(JsonValue.object(new Map.Entry[]{JsonValue.field("kty", "RSA"), JsonValue.field("kid", Hash.hash(str + rSAPublicKey.getModulus().toString() + rSAPublicKey.getPublicExponent().toString())), JsonValue.field("use", keyUse.toString()), JsonValue.field("alg", str2), JsonValue.field("n", Base64url.encode(integerToOctetString(rSAPublicKey.getModulus()))), JsonValue.field("e", Base64url.encode(rSAPublicKey.getPublicExponent().toByteArray()))})).asMap();
    }

    @VisibleForTesting
    static Map<String, Object> createECJWK(String str, ECPublicKey eCPublicKey, KeyUse keyUse) throws ServerException {
        BigInteger affineX = eCPublicKey.getW().getAffineX();
        BigInteger affineY = eCPublicKey.getW().getAffineY();
        SupportedEllipticCurve forKey = SupportedEllipticCurve.forKey(eCPublicKey);
        return JsonValue.json(JsonValue.object(new Map.Entry[]{JsonValue.field("kty", "EC"), JsonValue.field("kid", Hash.hash(str + ':' + forKey.getStandardName() + ':' + affineX.toString() + ':' + affineY.toString())), JsonValue.field("use", keyUse.toString()), JsonValue.field("alg", forKey.getJwsAlgorithm().name()), JsonValue.field("x", Base64url.encode(affineX.toByteArray())), JsonValue.field("y", Base64url.encode(affineY.toByteArray())), JsonValue.field("crv", forKey.getStandardName())})).asMap();
    }

    private String getTokenSigningRSAKeyAlias() throws ServerException {
        try {
            String stringSetting = this.settings.getStringSetting(this.realm, "forgerock-oauth2-provider-keypair-name");
            if (StringUtils.isBlank(stringSetting)) {
                this.logger.error("Alias of Token Signing Key not set.");
                throw new ServerException("Alias of Token Signing Key not set.");
            }
            if ("test".equals(stringSetting)) {
                this.logger.warning("Alias of Token Signing Key should be changed from default, 'test'.");
            }
            return stringSetting;
        } catch (SSOException | SMSException e) {
            this.logger.error(e.getMessage());
            throw new ServerException((Throwable) e);
        }
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public String getCreatedTimestampAttributeName() throws ServerException {
        return getStringSettingValue("forgerock-oauth2-provider-created-attribute-name");
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public String getModifiedTimestampAttributeName() throws ServerException {
        return getStringSettingValue("forgerock-oauth2-provider-modified-attribute-name");
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public Set<String> getSupportedSubjectTypes() throws ServerException {
        return getSettingStrings("forgerock-oauth2-provider-subject-types-supported");
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public boolean isOpenDynamicClientRegistrationAllowed() throws ServerException {
        try {
            return this.settings.getBooleanSetting(this.realm, "forgerock-oauth2-provider-allow-open-dynamic-registration").booleanValue();
        } catch (SMSException e) {
            this.logger.message(e.getMessage());
            throw new ServerException((Throwable) e);
        } catch (SSOException e2) {
            this.logger.message(e2.getMessage());
            throw new ServerException((Throwable) e2);
        }
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public boolean isRegistrationAccessTokenGenerationEnabled() throws ServerException {
        try {
            return this.settings.getBooleanSetting(this.realm, "forgerock-oauth2-provider-generate-registration-access-tokens").booleanValue();
        } catch (SMSException e) {
            this.logger.message(e.getMessage());
            throw new ServerException((Throwable) e);
        } catch (SSOException e2) {
            this.logger.message(e2.getMessage());
            throw new ServerException((Throwable) e2);
        }
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public Map<String, AuthenticationMethod> getAcrMapping() throws ServerException {
        try {
            Map mapSetting = this.settings.getMapSetting(this.realm, "forgerock-oauth2-provider-loa-mapping");
            HashMap hashMap = new HashMap(mapSetting.size());
            for (Map.Entry entry : mapSetting.entrySet()) {
                hashMap.put(entry.getKey(), new OpenAMAuthenticationMethod((String) entry.getValue(), AuthContext.IndexType.SERVICE));
            }
            return hashMap;
        } catch (SMSException e) {
            this.logger.message(e.getMessage());
            throw new ServerException((Throwable) e);
        } catch (SSOException e2) {
            this.logger.message(e2.getMessage());
            throw new ServerException((Throwable) e2);
        }
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public String getDefaultAcrValues() throws ServerException {
        return getStringSettingValue("forgerock-oauth2-provider-default-acr");
    }

    private String getStringSettingValue(String str) throws ServerException {
        try {
            return this.settings.getStringSetting(this.realm, str);
        } catch (SSOException | SMSException e) {
            this.logger.message("Could not get value of " + str, e);
            throw new ServerException((Throwable) e);
        }
    }

    private long getLongSettingValue(String str) throws ServerException {
        try {
            return this.settings.getLongSetting(this.realm, str).longValue();
        } catch (SSOException | SMSException e) {
            this.logger.error("Could not get value of " + str, e);
            throw new ServerException((Throwable) e);
        }
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public Map<String, String> getAMRAuthModuleMappings() throws ServerException {
        try {
            return this.settings.getMapSetting(this.realm, "forgerock-oauth2-provider-amr-mappings");
        } catch (SSOException e) {
            this.logger.message(e.getMessage());
            throw new ServerException((Throwable) e);
        } catch (SMSException e2) {
            this.logger.message(e2.getMessage());
            throw new ServerException((Throwable) e2);
        }
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public boolean exists() {
        try {
            return this.settings.hasConfig(this.realm);
        } catch (Exception e) {
            this.logger.message("Could not access realm config", e);
            return false;
        }
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public ResourceSetStore getResourceSetStore() {
        return this.resourceSetStore;
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public boolean getClaimsParameterSupported() throws ServerException {
        try {
            return this.settings.getBooleanSetting(this.realm, "forgerock-oauth2-provider-claims-parameter-supported").booleanValue();
        } catch (SMSException e) {
            this.logger.error(e.getMessage());
            return false;
        } catch (SSOException e2) {
            this.logger.error(e2.getMessage());
            throw new ServerException((Throwable) e2);
        }
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public String validateRequestedClaims(String str) throws InvalidRequestException, ServerException {
        if (!getClaimsParameterSupported() || StringUtils.isBlank(str)) {
            return null;
        }
        HashSet hashSet = new HashSet();
        try {
            JSONObject jSONObject = new JSONObject(str);
            JSONObject optJSONObject = jSONObject.optJSONObject("userinfo");
            JSONObject optJSONObject2 = jSONObject.optJSONObject("id_token");
            if (optJSONObject != null) {
                Iterator<String> keys = optJSONObject.keys();
                while (keys.hasNext()) {
                    hashSet.add(keys.next());
                }
            }
            if (optJSONObject2 != null) {
                Iterator<String> keys2 = optJSONObject2.keys();
                while (keys2.hasNext()) {
                    hashSet.add(keys2.next());
                }
            }
            if (getSupportedClaims().containsAll(hashSet)) {
                return str;
            }
            throw new InvalidRequestException("Requested claims must be allowed by the client's configuration");
        } catch (JSONException e) {
            throw new InvalidRequestException("Requested claims must be valid json.");
        }
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public Set<String> getEndpointAuthMethodsSupported() {
        HashSet hashSet = new HashSet();
        for (Client.TokenEndpointAuthMethod tokenEndpointAuthMethod : Client.TokenEndpointAuthMethod.values()) {
            hashSet.add(tokenEndpointAuthMethod.getType());
        }
        return hashSet;
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public boolean isCodeVerifierRequired() throws ServerException {
        try {
            return this.settings.getBooleanSetting(this.realm, "forgerock-oauth2-provider-code-verifier-enforced").booleanValue();
        } catch (SSOException | SMSException e) {
            this.logger.error(e.getMessage());
            throw new ServerException((Throwable) e);
        }
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public String getHashSalt() throws ServerException {
        return getStringSettingValue("forgerock-oauth2-provider-hash-salt");
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public boolean isAlwaysAddClaimsToToken() throws ServerException {
        try {
            return this.settings.getBooleanSetting(this.realm, "alwaysAddClaimsToToken").booleanValue();
        } catch (SSOException | SMSException e) {
            this.logger.error(e.getMessage());
            throw new ServerException((Throwable) e);
        }
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public String getUserDisplayNameAttribute() throws ServerException {
        return getStringSettingValue("displayNameAttribute");
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public String getJWKSUri() throws ServerException {
        return getStringSettingValue("forgerock-oauth2-provider-jkws-uri");
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public Template getCustomLoginUrlTemplate() throws ServerException {
        try {
            String stringSetting = this.settings.getStringSetting(this.realm, "customLoginUrlTemplate");
            if (stringSetting != null) {
                this.loginUrlTemplate = new Template("customLoginUrlTemplate", new StringReader(stringSetting), new Configuration());
                this.loginUrlTemplate.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
            }
            return this.loginUrlTemplate;
        } catch (SSOException | IOException | SMSException e) {
            this.logger.message(e.getMessage());
            throw new ServerException((Throwable) e);
        }
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public String getVerificationUrl() throws ServerException {
        return getStringSettingValue("verificationUrl");
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public String getCompletionUrl() throws ServerException {
        return getStringSettingValue("completionUrl");
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public int getDeviceCodeLifetime() throws ServerException {
        return (int) getLongSettingValue("deviceCodeLifetime");
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public int getDeviceCodePollInterval() throws ServerException {
        return (int) getLongSettingValue("devicePollInterval");
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public boolean shouldStoreOpsTokens() throws ServerException {
        return Boolean.parseBoolean(getStringSettingValue("storeOpsTokens"));
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public boolean clientsCanSkipConsent() throws ServerException {
        return Boolean.parseBoolean(getStringSettingValue("clientsCanSkipConsent"));
    }

    @Override // org.forgerock.oauth2.core.OAuth2ProviderSettings
    public boolean isOpenIDConnectSSOProviderEnabled() throws ServerException {
        return Boolean.parseBoolean(getStringSettingValue("oidcSsoProviderEnabled"));
    }
}
