package org.forgerock.openam.oauth2;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.common.configuration.AgentConfiguration;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.AMIdentityRepository;
import com.sun.identity.idm.IdRepoException;
import com.sun.identity.idm.IdSearchControl;
import com.sun.identity.idm.IdSearchResults;
import com.sun.identity.idm.IdType;
import com.sun.identity.shared.debug.Debug;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Collections;
import java.util.Set;
import javax.inject.Inject;
import javax.inject.Named;
import javax.inject.Singleton;
import org.forgerock.i18n.LocalizedIllegalArgumentException;
import org.forgerock.jaspi.modules.openid.resolvers.service.OpenIdResolverService;
import org.forgerock.oauth2.core.OAuth2ProviderSettingsFactory;
import org.forgerock.oauth2.core.OAuth2Request;
import org.forgerock.oauth2.core.PEMDecoder;
import org.forgerock.oauth2.core.exceptions.ClientAuthenticationFailureFactory;
import org.forgerock.oauth2.core.exceptions.InvalidClientException;
import org.forgerock.oauth2.core.exceptions.NotFoundException;
import org.forgerock.openam.identity.idm.AMIdentityRepositoryFactory;
import org.forgerock.openam.utils.RealmNormaliser;
import org.forgerock.openidconnect.OpenIdConnectClientRegistration;
import org.forgerock.openidconnect.OpenIdConnectClientRegistrationStore;
import org.forgerock.services.context.Context;

/**
 * Looks up OAuth2 / OpenID Connect client registrations in the OpenAM identity
 * repository.
 *
 * <p>Clients are stored as {@link IdType#AGENT} identities. A lookup runs under
 * an administrative {@link SSOToken} obtained from the injected
 * {@link PrivilegedAction}, and a candidate is accepted only when the search
 * returns exactly one identity, that identity is active, and its name is
 * exactly equal to the requested client id. The client id is handed to the
 * repository search unchanged, so those post-search checks are what tie the
 * returned identity to the id the caller asked for.
 *
 * <p>All rejection paths raise the exception produced by the
 * {@link ClientAuthenticationFailureFactory} with the same
 * {@code AUTHENTICATION_FAILURE_MESSAGE}; the distinguishing detail is only
 * written to the server-side debug log.
 */
@Singleton
public class OpenAMClientRegistrationStore implements OpenIdConnectClientRegistrationStore {

    private static final String AUTHENTICATION_FAILURE_MESSAGE = "Client authentication failed";
    private static final String REALM_PARAMETER = "realm";
    private static final String J2EE_AGENT_TYPE = "J2EEAgent";
    private static final String WEB_AGENT_TYPE = "WebAgent";

    private final Debug logger = Debug.getInstance("OAuth2Provider");
    private final RealmNormaliser realmNormaliser;
    private final PEMDecoder pemDecoder;
    private final OpenIdResolverService resolverService;
    private final OAuth2ProviderSettingsFactory providerSettingsFactory;
    private final ClientAuthenticationFailureFactory failureFactory;
    private final AMIdentityRepositoryFactory identityRepositoryFactory;
    private final PrivilegedAction<SSOToken> adminTokenAction;

    /**
     * Creates the store with its collaborators; all arguments are stored as-is.
     *
     * @param realmNormaliser normalises the realm supplied with a request
     * @param pEMDecoder PEM decoder handed to non-agent registrations
     * @param openIdResolverService JWK resolver handed to non-agent registrations
     * @param oAuth2ProviderSettingsFactory source of per-realm provider settings
     * @param clientAuthenticationFailureFactory builds the exception raised on any rejection
     * @param aMIdentityRepositoryFactory creates the per-realm identity repository
     * @param privilegedAction yields the admin token used for repository access
     */
    @Inject
    public OpenAMClientRegistrationStore(RealmNormaliser realmNormaliser, PEMDecoder pEMDecoder,
            @Named("jwk-resolver") OpenIdResolverService openIdResolverService,
            OAuth2ProviderSettingsFactory oAuth2ProviderSettingsFactory,
            ClientAuthenticationFailureFactory clientAuthenticationFailureFactory,
            AMIdentityRepositoryFactory aMIdentityRepositoryFactory,
            PrivilegedAction<SSOToken> privilegedAction) {
        this.realmNormaliser = realmNormaliser;
        this.pemDecoder = pEMDecoder;
        this.resolverService = openIdResolverService;
        this.providerSettingsFactory = oAuth2ProviderSettingsFactory;
        this.failureFactory = clientAuthenticationFailureFactory;
        this.identityRepositoryFactory = aMIdentityRepositoryFactory;
        this.adminTokenAction = privilegedAction;
    }

    /**
     * Returns the registration already attached to the request when one is
     * present; otherwise resolves it for the realm named by the request's
     * {@code realm} parameter.
     *
     * @param str the client id to resolve
     * @param oAuth2Request the current request
     * @return the client registration
     * @throws NotFoundException if the realm cannot be resolved
     * @throws InvalidClientException if the client cannot be authenticated
     */
    @Override
    public OpenIdConnectClientRegistration get(String str, OAuth2Request oAuth2Request)
            throws NotFoundException, InvalidClientException {
        OpenIdConnectClientRegistration attached =
                (OpenIdConnectClientRegistration) oAuth2Request.getClientRegistration();
        if (attached != null) {
            // Whatever was attached earlier in the request wins; no re-lookup.
            return attached;
        }
        String realm = (String) oAuth2Request.getParameter(REALM_PARAMETER);
        return getClientRegistration(str, realm, oAuth2Request);
    }

    /**
     * Resolves a client registration for an explicit realm, outside the scope
     * of an {@link OAuth2Request} (the failure factory receives {@code null}).
     *
     * @param str the client id to resolve
     * @param str2 the realm to search
     * @param context the request context (unused here)
     * @return the client registration
     * @throws InvalidClientException if the client cannot be authenticated
     * @throws NotFoundException if the realm cannot be resolved
     */
    @Override
    public OpenIdConnectClientRegistration get(String str, String str2, Context context)
            throws InvalidClientException, NotFoundException {
        return getClientRegistration(str, str2, null);
    }

    /**
     * Normalises the realm, locates the client identity and wraps it in the
     * registration type matching its agent type.
     *
     * @param clientId the client id to resolve
     * @param realm the (un-normalised) realm
     * @param request the current request, or {@code null}
     * @return an {@link AgentClientRegistration} for J2EE/web agents, otherwise an
     *     {@link OpenAMClientRegistration}
     * @throws InvalidClientException on any repository or session fault
     * @throws NotFoundException if realm normalisation or settings lookup reports
     *     a missing realm
     */
    private OpenIdConnectClientRegistration getClientRegistration(String clientId, String realm,
            OAuth2Request request) throws InvalidClientException, NotFoundException {
        try {
            try {
                String normalisedRealm = realmNormaliser.normalise(realm);
                AMIdentity identity = getIdentity(clientId, normalisedRealm, request);
                if (isAgent(identity)) {
                    return new AgentClientRegistration(identity);
                }
                return new OpenAMClientRegistration(identity, pemDecoder, resolverService,
                        providerSettingsFactory.getRealmProviderSettings(normalisedRealm), failureFactory);
            } catch (SSOException | IdRepoException e) {
                // Collapsed into the generic client failure; the cause is not propagated.
                throw failureFactory.getException(request, AUTHENTICATION_FAILURE_MESSAGE);
            }
        } catch (org.forgerock.json.resource.NotFoundException e) {
            // Re-raised as the OAuth2 core NotFoundException, message only.
            throw new NotFoundException(e.getMessage());
        }
    }

    /**
     * Fetches the client identity under the admin token and verifies it is
     * active and named exactly {@code clientId}.
     *
     * @param clientId the requested client id
     * @param realm the normalised realm
     * @param request the current request, or {@code null}
     * @return the verified identity
     * @throws InvalidClientException if the identity is missing, inactive,
     *     differently named, or the lookup fails
     */
    private AMIdentity getIdentity(String clientId, String realm, OAuth2Request request)
            throws InvalidClientException {
        try {
            SSOToken adminToken = AccessController.doPrivileged(adminTokenAction);
            AMIdentity candidate = searchIdentity(clientId, realm, adminToken, request);
            // Exact (case-sensitive) name match: the repository search itself
            // is not relied upon to guarantee which identity came back.
            if (!candidate.isActive() || !clientId.equals(candidate.getName())) {
                throw failureFactory.getException(request, AUTHENTICATION_FAILURE_MESSAGE);
            }
            return candidate;
        } catch (SSOException | IdRepoException | LocalizedIllegalArgumentException e) {
            // Detail goes to the debug log only; the caller sees the uniform failure.
            logger.error("Unable to get client AMIdentity: ", e);
            throw failureFactory.getException(request, AUTHENTICATION_FAILURE_MESSAGE);
        }
    }

    /**
     * Searches the realm's agent identities for {@code clientId} and requires a
     * single hit.
     *
     * @param clientId the search term, passed to the repository unchanged
     * @param realm the normalised realm
     * @param adminToken the token the repository is created with
     * @param request the current request, or {@code null}
     * @return the sole matching identity
     * @throws InvalidClientException if zero or more than one identity matched
     */
    private AMIdentity searchIdentity(String clientId, String realm, SSOToken adminToken,
            OAuth2Request request) throws IdRepoException, SSOException, InvalidClientException {
        AMIdentityRepository repository = identityRepositoryFactory.create(realm, adminToken);
        IdSearchResults results = repository.searchIdentities(IdType.AGENT, clientId, newSearchControl());
        Set<?> matches = results == null ? Collections.emptySet() : results.getSearchResults();
        // Ambiguous matches are rejected, not disambiguated.
        if (matches == null || matches.size() != 1) {
            throw failureFactory.getException(request, AUTHENTICATION_FAILURE_MESSAGE);
        }
        return (AMIdentity) matches.iterator().next();
    }

    /**
     * Builds the search control used for every client lookup: recursive, all
     * attributes returned, max results 0 (presumably "no limit" — confirm
     * against IdSearchControl).
     */
    private static IdSearchControl newSearchControl() {
        IdSearchControl control = new IdSearchControl();
        control.setRecursive(true);
        control.setAllReturnAttributes(true);
        control.setMaxResults(0);
        return control;
    }

    /**
     * Whether the identity is a J2EE or web agent; the agent type is read once
     * per comparison, short-circuiting on the first hit.
     */
    private boolean isAgent(AMIdentity identity) throws IdRepoException, SSOException {
        return hasAgentType(identity, J2EE_AGENT_TYPE) || hasAgentType(identity, WEB_AGENT_TYPE);
    }

    /** Case-insensitive comparison of the identity's configured agent type. */
    private static boolean hasAgentType(AMIdentity identity, String expectedType)
            throws IdRepoException, SSOException {
        return expectedType.equalsIgnoreCase(AgentConfiguration.getAgentType(identity));
    }
}
