package org.forgerock.openam.upgrade.steps;

import com.iplanet.sso.SSOToken;
import com.sun.identity.sm.SMSUtils;
import com.sun.identity.sm.ServiceConfig;
import com.sun.identity.sm.ServiceConfigManager;
import com.sun.identity.sm.ServiceNotFoundException;
import com.sun.identity.sm.ServiceSchema;
import com.sun.identity.sm.ServiceSchemaManager;
import java.security.PrivilegedAction;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.inject.Inject;
import org.forgerock.json.jose.jws.JwsAlgorithm;
import org.forgerock.openam.sm.datalayer.api.ConnectionFactory;
import org.forgerock.openam.sm.datalayer.api.ConnectionType;
import org.forgerock.openam.sm.datalayer.api.DataLayer;
import org.forgerock.openam.upgrade.UpgradeException;
import org.forgerock.openam.upgrade.UpgradeProgress;
import org.forgerock.openam.upgrade.UpgradeServices;
import org.forgerock.openam.upgrade.UpgradeStepInfo;
import org.forgerock.openam.utils.CollectionUtils;

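/**
 * Upgrade step that rewrites legacy settings of the {@code OAuth2Provider} service, realm by realm.
 *
 * <p>{@link #initialize()} scans every realm returned by {@code getRealmNames()} and records those
 * whose provider configuration needs rewriting; {@link #perform()} then rewrites and persists them.
 * Four settings are touched: the supported scopes/claims pair, the ID token signing algorithm
 * names, the response type handler class names and the scope validator class name.
 *
 * <p>Security-relevant points for whoever runs or reviews an upgrade:
 * <ul>
 *   <li>Only class names listed in the mapping tables of this class are rewritten. Any other
 *       handler or validator class name found in a realm is persisted unchanged, so custom
 *       plugins survive the upgrade and should be reviewed separately.</li>
 *   <li>The step changes which scopes and claims a provider advertises (see
 *       {@code sortScopes}). Compare the realm configuration before and after the upgrade.</li>
 *   <li>{@link #ALGORITHM_NAMES} and {@link #DEFAULT_CLAIMS} are public and mutable. They are left
 *       that way for compatibility, but this class never hands the shared instances out to the
 *       configuration store.</li>
 * </ul>
 */
@UpgradeStepInfo(dependsOn = {"org.forgerock.openam.upgrade.steps.UpgradeServiceSchemaStep"})
public class UpgradeOAuth2ProviderStep extends AbstractUpgradeStep {
    /** Maps {@code JwsAlgorithm.getAlgorithm()} values (legacy spelling) to the enum constant name. */
    public static final Map<String, String> ALGORITHM_NAMES = new HashMap<>();
    /** Claims written as the supported claims when a provider has no supported scopes configured. */
    public static final Set<String> DEFAULT_CLAIMS = new HashSet<>();
    /** Legacy response type handler class name to its replacement class name. */
    private static final Map<String, String> RESPONSE_TYPE_PLUGINS_UPGRADE_MAPPINGS = new HashMap<>();
    private static final String OLD_SCOPE_PLUGIN = "org.forgerock.openam.oauth2.provider.impl.ScopeImpl";
    private static final String NEW_SCOPE_PLUGIN = "org.forgerock.openam.oauth2.OpenAMScopeValidator";
    private static final String REPORT_DATA = "%REPORT_DATA%";
    private static final String OAUTH2_PROVIDER = "OAuth2Provider";

    // Names of the OAuth2Provider service attributes this step reads and rewrites.
    private static final String SUPPORTED_SCOPES_ATTR = "forgerock-oauth2-provider-supported-scopes";
    private static final String SUPPORTED_CLAIMS_ATTR = "forgerock-oauth2-provider-supported-claims";
    private static final String SIGNING_ALGORITHMS_ATTR =
            "forgerock-oauth2-provider-id-token-signing-algorithms-supported";
    private static final String RESPONSE_TYPE_MAP_ATTR = "forgerock-oauth2-provider-response-type-map-class";
    private static final String SCOPE_IMPLEMENTATION_ATTR = "forgerock-oauth2-provider-scope-implementation-class";

    static {
        ALGORITHM_NAMES.put(JwsAlgorithm.HS256.getAlgorithm(), JwsAlgorithm.HS256.name());
        ALGORITHM_NAMES.put(JwsAlgorithm.HS384.getAlgorithm(), JwsAlgorithm.HS384.name());
        ALGORITHM_NAMES.put(JwsAlgorithm.HS512.getAlgorithm(), JwsAlgorithm.HS512.name());
        DEFAULT_CLAIMS.add("email");
        DEFAULT_CLAIMS.add("address");
        DEFAULT_CLAIMS.add("phone_number");
        DEFAULT_CLAIMS.add("given_name");
        DEFAULT_CLAIMS.add("zoneinfo");
        DEFAULT_CLAIMS.add("family_name");
        DEFAULT_CLAIMS.add("locale");
        DEFAULT_CLAIMS.add("name");
        RESPONSE_TYPE_PLUGINS_UPGRADE_MAPPINGS.put(
                "org.forgerock.restlet.ext.oauth2.flow.responseTypes.TokenResponseType",
                "org.forgerock.oauth2.core.TokenResponseTypeHandler");
        RESPONSE_TYPE_PLUGINS_UPGRADE_MAPPINGS.put(
                "org.forgerock.restlet.ext.oauth2.flow.responseTypes.CodeResponseType",
                "org.forgerock.oauth2.core.AuthorizationCodeResponseTypeHandler");
        RESPONSE_TYPE_PLUGINS_UPGRADE_MAPPINGS.put(
                "org.forgerock.restlet.ext.oauth2.flow.responseTypes.IDTokenResponseType",
                "org.forgerock.openidconnect.IdTokenResponseTypeHandler");
    }

    /**
     * Realm name to the attribute map to persist. A {@code null} value means "reload the realm's
     * explicitly set attributes at perform time and rewrite those".
     */
    private final Map<String, Map<String, Set<String>>> attributesToUpdate;
    private ServiceConfigManager scm;
    private ServiceSchemaManager ssm;

    /**
     * Creates the step.
     *
     * @param privilegedAction source of the admin token, passed to the superclass.
     * @param connectionFactory data layer connection factory, passed to the superclass.
     */
    @Inject
    public UpgradeOAuth2ProviderStep(PrivilegedAction<SSOToken> privilegedAction,
            @DataLayer(ConnectionType.DATA_LAYER) ConnectionFactory connectionFactory) {
        super(privilegedAction, connectionFactory);
        this.attributesToUpdate = new HashMap<>();
    }

    /**
     * Reports whether {@link #initialize()} found at least one realm to upgrade.
     *
     * @return {@code true} if there is work for {@link #perform()}.
     */
    @Override
    public boolean isApplicable() {
        return !this.attributesToUpdate.isEmpty();
    }

    /**
     * Opens the config and schema managers for the OAuth2Provider service and collects the realms
     * that need upgrading. A missing service is not an error: the step simply stays inapplicable.
     *
     * @throws UpgradeException if the managers cannot be created or the realm scan fails.
     */
    @Override
    public void initialize() throws UpgradeException {
        SSOToken adminToken = getAdminToken();
        try {
            this.scm = new ServiceConfigManager(OAUTH2_PROVIDER, adminToken);
            this.ssm = new ServiceSchemaManager(OAUTH2_PROVIDER, adminToken);
            findUpgradableProviders();
        } catch (ServiceNotFoundException e) {
            DEBUG.message("OAuth2Provider service not found. Nothing to upgrade", e);
        } catch (UpgradeException e) {
            // The scan has already logged and wrapped its own failure. Re-wrapping it here would
            // report it as a manager creation problem and mislead anyone reading the upgrade log.
            throw e;
        } catch (Exception e) {
            DEBUG.error("An error occurred while trying to create Service Config and Schema Managers.", e);
            throw new UpgradeException("Unable to create Service Config and Schema Managers.", e);
        }
    }

    /**
     * Scans every realm and records the ones whose provider configuration must be rewritten.
     *
     * @throws UpgradeException if reading any realm's configuration fails.
     */
    private void findUpgradableProviders() throws UpgradeException {
        try {
            ServiceSchema organizationSchema = this.ssm.getOrganizationSchema();
            for (String realm : getRealmNames()) {
                ServiceConfig realmConfig = this.scm.getOrganizationConfig(realm, (String) null);
                if (!realmConfig.exists()) {
                    continue;
                }
                Map<String, Set<String>> withDefaults = realmConfig.getAttributesForRead();
                Map<String, Set<String>> explicitOnly = realmConfig.getAttributesWithoutDefaultsForRead();
                Map<String, Set<String>> withoutValidators =
                        SMSUtils.removeValidators(withDefaults, organizationSchema);
                // Order matters: the first two checks persist the full attribute map, the
                // remaining three only rewrite what the realm sets explicitly.
                if (isProviderRelyingOnDefaults(explicitOnly, withoutValidators)
                        || shouldUpgradeClaims(withDefaults)) {
                    this.attributesToUpdate.put(realm, withoutValidators);
                } else if (shouldUpgradeAlgorithmName(explicitOnly)
                        || shouldUpgradeResponseTypePlugins(explicitOnly)
                        || shouldUpgradeScopePlugin(explicitOnly)) {
                    this.attributesToUpdate.put(realm, null);
                }
            }
        } catch (Exception e) {
            DEBUG.error("An error occurred while trying to look for upgradable OAuth2 Providers.", e);
            throw new UpgradeException("Unable to retrieve OAuth2 Providers.", e);
        }
    }

    /** Returns {@code true} when the provider has no supported scopes configured. */
    private boolean shouldUpgradeClaims(Map<String, Set<String>> map) {
        Set<String> scopes = map.get(SUPPORTED_SCOPES_ATTR);
        return scopes == null || scopes.isEmpty();
    }

    /**
     * Returns {@code true} when the realm sets some attributes explicitly but fewer than the full
     * attribute map contains, i.e. part of its configuration comes from defaults.
     *
     * @param map the attributes set explicitly in the realm.
     * @param map2 the full attribute map, defaults included.
     */
    private boolean isProviderRelyingOnDefaults(Map<String, Set<String>> map, Map<String, Set<String>> map2)
            throws UpgradeException {
        return !map.isEmpty() && map.size() < map2.size();
    }

    /** Returns {@code true} when any configured signing algorithm uses a legacy name. */
    private boolean shouldUpgradeAlgorithmName(Map<String, Set<String>> map) {
        Set<String> algorithms = map.get(SIGNING_ALGORITHMS_ATTR);
        if (algorithms == null) {
            return false;
        }
        for (String algorithm : algorithms) {
            if (ALGORITHM_NAMES.containsKey(algorithm)) {
                return true;
            }
        }
        return false;
    }

    /** Returns {@code true} when any response type entry names a legacy handler class. */
    private boolean shouldUpgradeResponseTypePlugins(Map<String, Set<String>> map) {
        Set<String> entries = map.get(RESPONSE_TYPE_MAP_ATTR);
        if (entries == null) {
            return false;
        }
        for (String entry : entries) {
            // A null class name (malformed entry) is never a key of the mapping table.
            if (RESPONSE_TYPE_PLUGINS_UPGRADE_MAPPINGS.containsKey(pluginClassOf(entry))) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns {@code true} when the realm explicitly configures the legacy scope validator.
     * A realm that does not set the attribute at all has nothing to migrate; the previous code
     * dereferenced the missing value and aborted the whole upgrade scan.
     */
    private boolean shouldUpgradeScopePlugin(Map<String, Set<String>> map) {
        Set<String> validators = map.get(SCOPE_IMPLEMENTATION_ATTR);
        return validators != null && validators.contains(OLD_SCOPE_PLUGIN);
    }

    /**
     * Rewrites and persists the configuration of every realm recorded by {@link #initialize()}.
     *
     * @throws UpgradeException if any realm cannot be upgraded.
     */
    @Override
    public void perform() throws UpgradeException {
        persistDefaultsForProviders();
    }

    /**
     * Applies the four migrations to each recorded realm and stores the result.
     * The first failure stops the loop, so realms processed earlier stay upgraded and later ones
     * stay untouched.
     *
     * @throws UpgradeException wrapping the first failure.
     */
    private void persistDefaultsForProviders() throws UpgradeException {
        try {
            for (Map.Entry<String, Map<String, Set<String>>> entry : this.attributesToUpdate.entrySet()) {
                String realm = entry.getKey();
                UpgradeProgress.reportStart("upgrade.oauth2.provider.start", realm);
                ServiceConfig realmConfig = this.scm.getOrganizationConfig(realm, (String) null);
                Map<String, Set<String>> attributes = entry.getValue();
                if (attributes == null) {
                    attributes = realmConfig.getAttributesWithoutDefaults();
                }
                migrateResponseTypePlugins(attributes);
                renameAlgorithms(attributes);
                sortScopes(attributes);
                migrateScopeValidatorPlugin(attributes);
                realmConfig.setAttributes(attributes);
                UpgradeProgress.reportEnd("upgrade.success", new Object[0]);
            }
        } catch (Exception e) {
            UpgradeProgress.reportEnd("upgrade.failed", new Object[0]);
            DEBUG.error("An error occurred while trying to upgrade an OAuth2 Provider", e);
            throw new UpgradeException("Unable to upgrade OAuth2 Providers.", e);
        }
    }

    /**
     * When no supported scopes are present in {@code map}, moves the configured claims into the
     * supported scopes and writes the default claims as the supported claims.
     *
     * <p>NOTE(review): for realms recorded with a {@code null} attribute map, {@code map} holds
     * only explicitly set attributes, so scopes inherited from defaults look "empty" here and are
     * replaced; the claims value may also be {@code null} and is then stored as is. Confirm that
     * both are intended, since this changes the scopes the provider advertises.
     */
    private void sortScopes(Map<String, Set<String>> map) {
        Set<String> scopes = map.get(SUPPORTED_SCOPES_ATTR);
        if (scopes != null && !scopes.isEmpty()) {
            return;
        }
        Set<String> claims = map.get(SUPPORTED_CLAIMS_ATTR);
        map.put(SUPPORTED_SCOPES_ATTR, claims);
        // Copy: DEFAULT_CLAIMS is a shared, public, mutable set. Storing the instance itself would
        // let a later change to one realm's attribute set alter the defaults for every other realm.
        map.put(SUPPORTED_CLAIMS_ATTR, new HashSet<>(DEFAULT_CLAIMS));
    }

    /** Replaces legacy signing algorithm names with the names from {@link #ALGORITHM_NAMES}. */
    private void renameAlgorithms(Map<String, Set<String>> map) {
        Set<String> algorithms = map.get(SIGNING_ALGORITHMS_ATTR);
        if (algorithms == null) {
            return;
        }
        Set<String> renamed = new HashSet<>();
        for (String algorithm : algorithms) {
            renamed.add(ALGORITHM_NAMES.containsKey(algorithm) ? ALGORITHM_NAMES.get(algorithm) : algorithm);
        }
        map.put(SIGNING_ALGORITHMS_ATTR, renamed);
    }

    /**
     * Replaces the legacy scope validator class with the current one. Any other configured
     * validator class is left in place; a missing attribute is left missing.
     */
    private void migrateScopeValidatorPlugin(Map<String, Set<String>> map) {
        Set<String> validators = map.get(SCOPE_IMPLEMENTATION_ATTR);
        if (validators != null && validators.contains(OLD_SCOPE_PLUGIN)) {
            map.put(SCOPE_IMPLEMENTATION_ATTR, CollectionUtils.asSet(new String[]{NEW_SCOPE_PLUGIN}));
        }
    }

    /**
     * Rewrites legacy response type handler class names. Entries naming an unknown class, and
     * entries without a {@code |} separator, are kept unchanged rather than failing the upgrade.
     */
    private void migrateResponseTypePlugins(Map<String, Set<String>> map) {
        Set<String> entries = map.get(RESPONSE_TYPE_MAP_ATTR);
        if (entries == null) {
            return;
        }
        Set<String> migrated = new HashSet<>();
        for (String entry : entries) {
            String handlerClass = pluginClassOf(entry);
            if (RESPONSE_TYPE_PLUGINS_UPGRADE_MAPPINGS.containsKey(handlerClass)) {
                migrated.add(entry.replace(handlerClass, RESPONSE_TYPE_PLUGINS_UPGRADE_MAPPINGS.get(handlerClass)));
            } else {
                migrated.add(entry);
            }
        }
        map.put(RESPONSE_TYPE_MAP_ATTR, migrated);
    }

    /**
     * Extracts the second {@code |}-separated field of a response type entry, which this class
     * treats as the handler class name.
     *
     * @return the class name, or {@code null} when the entry has no second field.
     */
    private static String pluginClassOf(String entry) {
        String[] fields = entry.split("\\|");
        return fields.length > 1 ? fields[1] : null;
    }

    /**
     * Builds the one-line summary of this step.
     *
     * @param str the delimiter appended after the summary.
     * @return the summary with the number of realms to upgrade, or an empty string if there are none.
     */
    @Override
    public String getShortReport(String str) {
        if (this.attributesToUpdate.isEmpty()) {
            return "";
        }
        return BUNDLE.getString("upgrade.oauth2.provider.persisted.short")
                + " (" + this.attributesToUpdate.size() + ')' + str;
    }

    /**
     * Builds the detailed report, listing every realm that is to be upgraded.
     *
     * @param str the line delimiter used inside the report.
     * @return the report produced from the {@code upgrade.oauth2.provider.report} template.
     */
    @Override
    public String getDetailedReport(String str) {
        Map<String, String> tags = new HashMap<>();
        tags.put(UpgradeServices.LF, str);
        StringBuilder realms = new StringBuilder();
        realms.append(BUNDLE.getString("upgrade.oauth2.provider.persisted.detail")).append(": ").append(str);
        for (String realm : this.attributesToUpdate.keySet()) {
            realms.append("\t").append(realm).append(str);
        }
        tags.put(REPORT_DATA, realms.toString());
        return UpgradeServices.tagSwapReport(tags, "upgrade.oauth2.provider.report");
    }
}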
