package org.jboss.resteasy.skeleton.key.as7;

import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectWriter;
import com.fasterxml.jackson.databind.SerializationFeature;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.client.Entity;
import javax.ws.rs.client.WebTarget;
import javax.ws.rs.core.UriBuilder;
import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.LifecycleListener;
import org.apache.catalina.authenticator.FormAuthenticator;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.realm.GenericPrincipal;
import org.bouncycastle.openssl.PEMWriter;
import org.jboss.resteasy.client.jaxrs.ResteasyClient;
import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
import org.jboss.resteasy.jose.jws.JWSBuilder;
import org.jboss.resteasy.jose.jws.JWSInput;
import org.jboss.resteasy.jose.jws.crypto.RSAProvider;
import org.jboss.resteasy.jwt.JsonSerialization;
import org.jboss.resteasy.plugins.providers.RegisterBuiltin;
import org.jboss.resteasy.plugins.server.servlet.ServletUtil;
import org.jboss.resteasy.skeleton.key.EnvUtil;
import org.jboss.resteasy.skeleton.key.PemUtils;
import org.jboss.resteasy.skeleton.key.ResourceMetadata;
import org.jboss.resteasy.skeleton.key.SkeletonKeySession;
import org.jboss.resteasy.skeleton.key.as7.i18n.LogMessages;
import org.jboss.resteasy.skeleton.key.as7.i18n.Messages;
import org.jboss.resteasy.skeleton.key.config.AuthServerConfig;
import org.jboss.resteasy.skeleton.key.config.ManagedResourceConfig;
import org.jboss.resteasy.skeleton.key.representations.AccessTokenResponse;
import org.jboss.resteasy.skeleton.key.representations.SkeletonKeyToken;
import org.jboss.resteasy.spi.ResteasyProviderFactory;
import org.jboss.resteasy.spi.ResteasyUriInfo;
import org.jboss.resteasy.util.BasicAuthHelper;

/* loaded from: input_file:org/jboss/resteasy/skeleton/key/as7/OAuthAuthenticationServerValve.class */
public class OAuthAuthenticationServerValve extends FormAuthenticator implements LifecycleListener {
    /** Process-wide sequence number (starts at 1) that generateId() joins with a random UUID. */
    private static AtomicLong counter = new AtomicLong(1);
    /** Server configuration, read in init() from the skeleton.key.config.file init-param or /WEB-INF/resteasy-oauth.json. */
    protected AuthServerConfig skeletonKeyConfig;
    /** Realm signing key (PEM from config, else the realm keystore entry); passed to buildTokenString(). */
    protected PrivateKey realmPrivateKey;
    /** Realm verification key; resolveAccessCode() verifies access-code signatures against it. */
    protected PublicKey realmPublicKey;
    /** PEM text of realmPublicKey: the config value as given, or derived from the keystore key and stripped with PemUtils.removeBeginEnd(). Published via getRealmRepresentation(). */
    protected String realmPublicKeyPem;
    /** RESTEasy provider factory with the built-in providers registered in init(); used by JWSInput and the outbound logout client. */
    protected ResteasyProviderFactory providers;
    /** Realm name, realm public key and optional truststore / client keystore; handed to SkeletonKeySession and to the client in logoutResources(). */
    protected ResourceMetadata resourceMetadata;
    /** Jackson mapper (NON_DEFAULT inclusion) created in init(). */
    protected ObjectMapper mapper;
    /** Writer for AccessTokenResponse bodies. */
    protected ObjectWriter accessTokenResponseWriter;
    /** Writer for Map<String,String> bodies (the invalid_grant error JSON). */
    protected ObjectWriter mapWriter;
    /** Outstanding access codes keyed by code id; resolveAccessCode() removes an entry when the code is redeemed (population happens in code not shown here). */
    protected ConcurrentHashMap<String, AccessCode> accessCodeMap = new ConcurrentHashMap<>();
    /** Tracks logged-in user sessions for single-user and admin-forced logout. */
    protected UserSessionManagement userSessionManagement = new UserSessionManagement();

    /* loaded from: input_file:org/jboss/resteasy/skeleton/key/as7/OAuthAuthenticationServerValve$AccessCode.class */
    /**
     * One issued OAuth authorization code awaiting redemption. Carries the token that will be
     * returned, the client the code was issued to, the redirect_uri it was bound to and whether it
     * was issued through SSO. {@code expiration} is a Unix time in seconds; 0 means "never expires".
     */
    public static class AccessCode {
        // Random UUID plus the issue time in millis; the id is the map key in accessCodeMap.
        protected String id = UUID.randomUUID().toString() + System.currentTimeMillis();
        protected long expiration;
        protected SkeletonKeyToken token;
        protected String client;
        protected boolean sso;
        protected String redirect;

        /** @return true once the current time (seconds) is past a non-zero expiration */
        public boolean isExpired() {
            if (expiration == 0) {
                return false;
            }
            long nowSeconds = System.currentTimeMillis() / 1000;
            return nowSeconds > expiration;
        }

        /** @return the code id used as the accessCodeMap key */
        public String getId() {
            return id;
        }

        /** @return expiration as Unix seconds, 0 if the code never expires */
        public long getExpiration() {
            return expiration;
        }

        /** @param expirationSeconds Unix time in seconds, or 0 for no expiry */
        public void setExpiration(long expirationSeconds) {
            expiration = expirationSeconds;
        }

        /** @return the token to hand out when the code is redeemed */
        public SkeletonKeyToken getToken() {
            return token;
        }

        public void setToken(SkeletonKeyToken issuedToken) {
            token = issuedToken;
        }

        /** @return name of the client the code was issued to; must match the redeeming client */
        public String getClient() {
            return client;
        }

        public void setClient(String clientName) {
            client = clientName;
        }

        /** @return whether the code was issued via an existing SSO session */
        public boolean isSso() {
            return sso;
        }

        public void setSso(boolean viaSso) {
            sso = viaSso;
        }

        /** @return redirect_uri the code was bound to; must match the redeeming request */
        public String getRedirect() {
            return redirect;
        }

        public void setRedirect(String redirectUri) {
            redirect = redirectUri;
        }
    }

    /**
     * Builds a token id: the next value of the process-wide counter, a dot, and a random UUID.
     *
     * @return the id, e.g. {@code 7.<uuid>}
     */
    private static String generateId() {
        long sequence = counter.getAndIncrement();
        StringBuilder id = new StringBuilder();
        id.append(sequence).append('.').append(UUID.randomUUID());
        return id.toString();
    }

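    /**
     * Loads a keystore of the JVM default type from a file.
     *
     * @param path     filesystem path of the keystore file
     * @param password keystore integrity password, required
     * @return the loaded keystore
     * @throws IllegalArgumentException if {@code password} is null (was an NPE from toCharArray())
     * @throws Exception if the file cannot be opened or the keystore cannot be loaded
     *         (wrong type, wrong password, corrupt file)
     */
    private static KeyStore loadKeyStore(String path, String password) throws Exception {
        if (password == null) {
            throw new IllegalArgumentException("keystore password is required for " + path);
        }
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        // try-with-resources: the stream used to leak whenever load() threw.
        try (FileInputStream in = new FileInputStream(new File(path))) {
            keyStore.load(in, password.toCharArray());
        }
        return keyStore;
    }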

    /**
     * Starts the authenticator and registers this valve as a lifecycle listener on its context.
     * Real setup is deferred to lifecycleEvent()/init() because it needs the servlet context
     * (init-params and /WEB-INF resources).
     *
     * @throws LifecycleException propagated from FormAuthenticator.start()
     */
    public void start() throws LifecycleException {
        super.start();
        LifecycleListener self = this;
        context.addLifecycleListener(self);
    }

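    /**
     * Runs init() once the owning context reports its after-start event.
     * The event type is compared with equals(); the previous reference comparison only worked
     * because Catalina passes an interned constant.
     *
     * @param event the lifecycle event; only "after_start" triggers initialisation
     */
    public void lifecycleEvent(LifecycleEvent event) {
        if ("after_start".equals(event.getType())) {
            init();
        }
    }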

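    /**
     * One-time initialisation, run from lifecycleEvent() after the context has started:
     * builds the Jackson writers, reads the server config, resolves the realm key pair and
     * builds the ResourceMetadata used for outbound calls. Any failure is rethrown as a
     * RuntimeException so the deployment fails instead of running half-configured.
     *
     * @throws RuntimeException if the config cannot be read or parsed, a required value is
     *         missing (login role, client role, realm key alias, realm key pair), or a key or
     *         keystore cannot be loaded
     */
    protected void init() {
        this.mapper = new ObjectMapper();
        this.mapper.setSerializationInclusion(JsonInclude.Include.NON_DEFAULT);
        this.accessTokenResponseWriter = this.mapper.writerWithType(AccessTokenResponse.class);
        this.mapWriter = this.mapper.writerWithType(
                this.mapper.getTypeFactory().constructMapType(Map.class, String.class, String.class));
        try {
            // The config stream is closed once parsed; previously it was never closed.
            try (InputStream configStream = openConfigStream()) {
                this.skeletonKeyConfig = this.mapper.readValue(configStream, AuthServerConfig.class);
            }
            if (this.skeletonKeyConfig.getLoginRole() == null) {
                throw new RuntimeException(Messages.MESSAGES.mustDefineLoginRole());
            }
            if (this.skeletonKeyConfig.getClientRole() == null) {
                throw new RuntimeException(Messages.MESSAGES.mustDefineOauthClientRole());
            }
            loadRealmKeys();
            initResourceMetadata();
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Opens the server config: the file named by the {@code skeleton.key.config.file} context
     * init-param when set, otherwise the {@code /WEB-INF/resteasy-oauth.json} web resource.
     *
     * @return an open stream; the caller closes it
     * @throws RuntimeException if the configured file does not exist or the default resource is absent
     */
    private InputStream openConfigStream() {
        String configFile = this.context.getServletContext().getInitParameter("skeleton.key.config.file");
        if (configFile == null) {
            InputStream resource = this.context.getServletContext().getResourceAsStream("/WEB-INF/resteasy-oauth.json");
            if (resource == null) {
                // Without this check the null stream surfaced as an obscure Jackson exception.
                throw new RuntimeException("no skeleton.key.config.file init-param and /WEB-INF/resteasy-oauth.json not found");
            }
            return resource;
        }
        try {
            return new FileInputStream(configFile);
        } catch (FileNotFoundException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Resolves realmPrivateKey, realmPublicKey and realmPublicKeyPem from the config.
     * PEM values in the config win; the realm keystore supplies whatever is still missing;
     * the PEM form of the public key is derived when only a keystore was configured.
     *
     * @throws RuntimeException if a key cannot be decoded or loaded, the keystore is configured
     *         without an alias, or either half of the key pair is still missing afterwards
     */
    private void loadRealmKeys() {
        AuthServerConfig config = this.skeletonKeyConfig;
        if (config.getRealmPrivateKey() != null) {
            try {
                this.realmPrivateKey = PemUtils.decodePrivateKey(config.getRealmPrivateKey());
            } catch (Exception e) {
                throw new RuntimeException(e);
            }
        }
        if (config.getRealmPublicKey() != null) {
            try {
                this.realmPublicKey = PemUtils.decodePublicKey(config.getRealmPublicKey());
                this.realmPublicKeyPem = config.getRealmPublicKey();
            } catch (Exception e) {
                throw new RuntimeException(e);
            }
        }
        if (config.getRealmKeyStore() != null) {
            String alias = config.getRealmKeyAlias();
            if (alias == null) {
                throw new RuntimeException(Messages.MESSAGES.mustDefineRealmKeyAlias());
            }
            if (this.realmPrivateKey == null && config.getRealmPrivateKeyPassword() == null) {
                // Was a bare NPE from toCharArray(); name the missing setting instead.
                throw new RuntimeException("realm private key password is required to read the private key for alias " + alias);
            }
            try {
                KeyStore realmKeyStore = loadKeyStore(EnvUtil.replace(config.getRealmKeyStore()), config.getRealmKeystorePassword());
                if (!realmKeyStore.containsAlias(alias)) {
                    throw new RuntimeException("realm keystore has no entry for alias " + alias);
                }
                if (this.realmPrivateKey == null) {
                    this.realmPrivateKey = (PrivateKey) realmKeyStore.getKey(alias, config.getRealmPrivateKeyPassword().toCharArray());
                }
                if (this.realmPublicKey == null) {
                    this.realmPublicKey = realmKeyStore.getCertificate(alias).getPublicKey();
                }
            } catch (Exception e) {
                throw new RuntimeException(e);
            }
        }
        if (this.realmPublicKey == null) {
            throw new RuntimeException(Messages.MESSAGES.mustDeclareKeystoreOrPublicKey());
        }
        if (this.realmPrivateKey == null) {
            throw new RuntimeException(Messages.MESSAGES.mustDeclareKeystoreOrPublicKey());
        }
        if (this.realmPublicKeyPem == null) {
            StringWriter pem = new StringWriter();
            try (PEMWriter pemWriter = new PEMWriter(pem)) {
                pemWriter.writeObject(this.realmPublicKey);
                pemWriter.flush();
                this.realmPublicKeyPem = PemUtils.removeBeginEnd(pem.toString());
            } catch (IOException e) {
                throw new RuntimeException(e);
            }
        }
    }

    /**
     * Creates the RESTEasy provider factory and the ResourceMetadata (realm, realm public key,
     * optional truststore and client keystore) used by SkeletonKeySession and the outbound
     * logout client. Provider registration runs with this class's loader as the thread context
     * loader so the built-in providers are found; the previous loader is restored in a finally.
     *
     * @throws RuntimeException if the truststore or client keystore cannot be loaded
     */
    private void initResourceMetadata() {
        this.providers = new ResteasyProviderFactory();
        ClassLoader previousLoader = Thread.currentThread().getContextClassLoader();
        Thread.currentThread().setContextClassLoader(OAuthAuthenticationServerValve.class.getClassLoader());
        try {
            ResteasyProviderFactory.getInstance();
            RegisterBuiltin.register(this.providers);
        } finally {
            Thread.currentThread().setContextClassLoader(previousLoader);
        }
        this.resourceMetadata = new ResourceMetadata();
        this.resourceMetadata.setRealm(this.skeletonKeyConfig.getRealm());
        this.resourceMetadata.setRealmKey(this.realmPublicKey);
        String truststore = this.skeletonKeyConfig.getTruststore();
        if (truststore != null) {
            try {
                this.resourceMetadata.setTruststore(loadKeyStore(EnvUtil.replace(truststore), this.skeletonKeyConfig.getTruststorePassword()));
            } catch (Exception e) {
                throw new RuntimeException(Messages.MESSAGES.failedToLoadTruststore(), e);
            }
        }
        String clientKeystore = this.skeletonKeyConfig.getClientKeystore();
        if (clientKeystore != null) {
            try {
                this.resourceMetadata.setClientKeystore(loadKeyStore(EnvUtil.replace(clientKeystore), this.skeletonKeyConfig.getClientKeystorePassword()));
                this.resourceMetadata.setClientKeyPassword(this.skeletonKeyConfig.getClientKeyPassword());
            } catch (Exception e) {
                throw new RuntimeException(Messages.MESSAGES.failedToLoadKeystore(), e);
            }
        }
    }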

    /**
     * Valve entry point. Serves the OAuth endpoints itself and hands everything else to
     * FormAuthenticator. Endpoints are matched by HTTP method plus endsWith() on the decoded
     * request URI (so any path ending in one of these names reaches the handler):
     * GET login page with client_id, GET j_oauth_logout, POST j_oauth_admin_forced_logout,
     * POST /j_security_check with client_id, POST j_oauth_token_grant,
     * POST j_oauth_resolve_access_code, GET j_oauth_realm_info.html.
     * Before delegating, a SkeletonKeySession stored as a session note is re-exposed as a request
     * attribute and pushed into the RESTEasy context unless propagation is cancelled in config;
     * the context data is cleared in a finally so nothing leaks to the next request on this thread.
     */
    public void invoke(Request request, Response response) throws IOException, ServletException {
        try {
            String contextPath = request.getContextPath();
            String uri = request.getDecodedRequestURI();
            LogMessages.LOGGER.debug(Messages.MESSAGES.invoke(uri));
            boolean isGet = request.getMethod().equalsIgnoreCase("GET");
            boolean isPost = request.getMethod().equalsIgnoreCase("POST");
            boolean inContext = uri.startsWith(contextPath);
            if (isGet && this.context.getLoginConfig().getLoginPage().equals(request.getRequestPathMB().toString())) {
                // Falls through to form login when there is no client_id on the request.
                if (handleLoginPage(request, response)) {
                    return;
                }
            } else if (isGet && uri.endsWith("j_oauth_logout")) {
                logoutCurrentUser(request, response);
                return;
            } else if (isPost && uri.endsWith("j_oauth_admin_forced_logout")) {
                adminLogout(request, response);
                return;
            } else if (isPost && inContext && uri.endsWith("/j_security_check") && request.getParameter("client_id") != null) {
                handleOAuth(request, response);
                return;
            } else if (isPost && uri.endsWith("j_oauth_token_grant")) {
                tokenGrant(request, response);
                return;
            } else if (isPost && inContext && uri.endsWith("j_oauth_resolve_access_code")) {
                resolveAccessCode(request, response);
                return;
            } else if (isGet && inContext && uri.endsWith("j_oauth_realm_info.html")) {
                publishRealmInfoHtml(request, response);
                return;
            }
            boolean propagate = !this.skeletonKeyConfig.isCancelPropagation()
                    && request.getAttribute(SkeletonKeySession.class.getName()) == null
                    && request.getSessionInternal() != null;
            if (propagate) {
                SkeletonKeySession session = (SkeletonKeySession) request.getSessionInternal().getNote(SkeletonKeySession.class.getName());
                if (session != null) {
                    request.setAttribute(SkeletonKeySession.class.getName(), session);
                    ResteasyProviderFactory.pushContext(SkeletonKeySession.class, session);
                }
            }
            request.setAttribute("OAUTH_FORM_ACTION", "j_security_check");
            super.invoke(request, response);
        } finally {
            ResteasyProviderFactory.clearContextData();
        }
    }

    /**
     * GET of the login page. Without a client_id this is a plain form login and the method does
     * nothing. With one it is an OAuth authorization request: redirect_uri is mandatory (400 if
     * absent); an already authenticated session with a "login" parameter is sent straight back
     * with an access code (unless SSO is disabled); otherwise the login form is rendered with its
     * action pointing at j_security_check carrying redirect_uri, client_id and state.
     * redirect_uri is not validated here; it travels with the code and is checked again at
     * resolveAccessCode().
     *
     * @return true when the request was fully handled here, false to continue as a form login
     */
    protected boolean handleLoginPage(Request request, Response response) throws IOException, ServletException {
        String clientId = request.getParameter("client_id");
        if (clientId == null) {
            return false;
        }
        String redirectUri = request.getParameter("redirect_uri");
        String state = request.getParameter("state");
        if (redirectUri == null) {
            response.sendError(400, Messages.MESSAGES.noOauthRedirectQueryParameterSet());
            return true;
        }
        boolean ssoEligible = !this.skeletonKeyConfig.isSsoDisabled()
                && request.getSessionInternal() != null
                && request.getSessionInternal().getPrincipal() != null
                && request.getParameter("login") != null;
        if (ssoEligible) {
            LogMessages.LOGGER.debug(Messages.MESSAGES.alreadyLoggedIn());
            GenericPrincipal principal = (GenericPrincipal) request.getSessionInternal().getPrincipal();
            redirectAccessCode(true, response, redirectUri, clientId, state, principal);
            return true;
        }
        UriBuilder formAction = UriBuilder.fromUri("j_security_check")
                .queryParam("redirect_uri", redirectUri)
                .queryParam("client_id", clientId);
        if (state != null) {
            formAction.queryParam("state", state);
        }
        request.setAttribute("OAUTH_FORM_ACTION", formAction.build().toString());
        getNext().invoke(request, response);
        return true;
    }

    /**
     * Returns the principal already authenticated for this request: the request principal if
     * set, else the principal stored on the internal session.
     *
     * @param response unused
     * @return the principal, or null when neither the request nor its session has one
     */
    protected GenericPrincipal checkLoggedIn(Request request, HttpServletResponse response) {
        if (request.getPrincipal() != null) {
            return request.getPrincipal();
        }
        if (request.getSessionInternal() == null) {
            return null;
        }
        return request.getSessionInternal().getPrincipal();
    }

    /**
     * POST j_oauth_admin_forced_logout. The caller must be authenticated (session, request
     * principal or bearer token) and hold the configured admin role, otherwise 403. With a "user"
     * parameter that user is logged out locally and on every configured resource; without it
     * every user except the admin is. Responds 204, or forwards to the "forward" parameter's
     * dispatcher path when given (500 if the forward fails).
     */
    protected void adminLogout(Request request, HttpServletResponse response) throws IOException {
        LogMessages.LOGGER.debug(Messages.MESSAGES.adminLogout());
        GenericPrincipal admin = checkLoggedIn(request, response);
        if (admin == null) {
            // No session or request principal: fall back to a bearer token, else reject.
            boolean bearerAccepted = bearer(request, response, false);
            if (!bearerAccepted) {
                response.sendError(403);
                return;
            }
            admin = (GenericPrincipal) request.getPrincipal();
        }
        if (!admin.hasRole(this.skeletonKeyConfig.getAdminRole())) {
            response.sendError(403);
            return;
        }
        String adminName = admin.getName();
        String user = request.getParameter("user");
        if (user == null) {
            this.userSessionManagement.logoutAllBut(adminName);
            logoutResources(null, adminName);
        } else {
            this.userSessionManagement.logout(user);
            logoutResources(user, adminName);
        }
        String forward = request.getParameter("forward");
        if (forward == null) {
            response.setStatus(204);
            return;
        }
        try {
            this.context.getServletContext().getRequestDispatcher(forward).forward(request.getRequest(), response);
        } catch (Throwable t) {
            request.setAttribute("javax.servlet.error.exception", t);
            response.sendError(500, Messages.MESSAGES.failedToForward());
        }
    }

    /**
     * GET j_oauth_logout. If the session has a principal, that user is logged out of the local
     * session registry, the request's principal and auth type are cleared, and a remote logout is
     * sent to every configured resource. Always ends by redirecting to the welcome page.
     */
    protected void logoutCurrentUser(Request request, HttpServletResponse response) throws IOException {
        boolean hasPrincipal = request.getSessionInternal() != null
                && request.getSessionInternal().getPrincipal() != null;
        if (hasPrincipal) {
            String username = request.getSessionInternal().getPrincipal().getName();
            this.userSessionManagement.logout(username);
            request.setUserPrincipal((Principal) null);
            request.setAuthType((String) null);
            logoutResources(username, username);
        }
        redirectToWelcomePage(request, response);
    }

    /**
     * Sends a remote logout (PUT j_oauth_remote_logout) to every configured resource server,
     * authenticated with a freshly signed realm token carrying the admin role and
     * {@code adminName} as principal. Hostname verification on the outbound client is disabled
     * (policy ANY), so the configured truststore alone decides which servers are trusted.
     * A non-204 reply or an exception is logged and the loop continues with the next resource.
     *
     * @param username  user to log out, or null to log out everyone
     * @param adminName principal placed in the signed token
     */
    protected void logoutResources(String username, String adminName) {
        if (this.skeletonKeyConfig.getResources().size() == 0) {
            return;
        }
        SkeletonKeyToken token = new SkeletonKeyToken();
        token.id(generateId());
        token.principal(adminName);
        token.audience(this.skeletonKeyConfig.getRealm());
        SkeletonKeyToken.Access realmAccess = new SkeletonKeyToken.Access();
        realmAccess.addRole(this.skeletonKeyConfig.getAdminRole());
        token.setRealmAccess(realmAccess);
        String authorization = "Bearer " + buildTokenString(this.realmPrivateKey, token);
        ResteasyClient client = new ResteasyClientBuilder()
                .providerFactory(this.providers)
                .hostnameVerification(ResteasyClientBuilder.HostnameVerificationPolicy.ANY)
                .trustStore(this.resourceMetadata.getTruststore())
                .keyStore(this.resourceMetadata.getClientKeystore(), this.resourceMetadata.getClientKeyPassword())
                .build();
        try {
            for (String resource : this.skeletonKeyConfig.getResources()) {
                try {
                    LogMessages.LOGGER.debug(Messages.MESSAGES.loggingOut(resource));
                    WebTarget target = client.target(resource).path("j_oauth_remote_logout");
                    if (username != null) {
                        target = target.queryParam("user", username);
                    }
                    javax.ws.rs.core.Response reply = target.request()
                            .header("Authorization", authorization)
                            .put((Entity<?>) null);
                    if (reply.getStatus() != 204) {
                        LogMessages.LOGGER.error(Messages.MESSAGES.failedToLogout());
                    }
                    reply.close();
                } catch (Exception e) {
                    LogMessages.LOGGER.error(Messages.MESSAGES.failedToLogout(), e);
                }
            }
        } finally {
            client.close();
        }
    }

    /**
     * Redirects to the context's first welcome file, or answers 204 when none is configured.
     */
    protected void redirectToWelcomePage(Request request, HttpServletResponse response) throws IOException {
        ResteasyUriInfo uriInfo = ServletUtil.extractUriInfo(request, (String) null);
        String[] welcomeFiles = this.context.findWelcomeFiles();
        if (welcomeFiles.length == 0) {
            response.setStatus(204);
            return;
        }
        String target = uriInfo.getBaseUriBuilder().path(welcomeFiles[0]).toTemplate();
        response.sendRedirect(target);
    }

    /**
     * GET j_oauth_realm_info.html: renders an HTML page with two pretty-printed JSON config
     * templates, one for a bearer-token-only resource (realm + key) and one for an OAuth managed
     * resource (the full representation with client id/credentials and truststore fields replaced
     * by the placeholder "REQUIRED"). The realm name is inserted unescaped; it comes from server
     * config (see getRealmRepresentation), not from the request.
     */
    protected void publishRealmInfoHtml(Request request, HttpServletResponse response) throws IOException {
        ManagedResourceConfig realmInfo = getRealmRepresentation(request);
        ObjectMapper prettyMapper = new ObjectMapper();
        prettyMapper.setSerializationInclusion(JsonInclude.Include.NON_DEFAULT);
        prettyMapper.enable(SerializationFeature.INDENT_OUTPUT);

        ManagedResourceConfig bearerConfig = new ManagedResourceConfig();
        bearerConfig.setRealm(realmInfo.getRealm());
        bearerConfig.setRealmKey(realmInfo.getRealmKey());
        StringWriter bearerJson = new StringWriter();
        prettyMapper.writeValue(bearerJson, bearerConfig);

        realmInfo.getClientCredentials().put("password", "REQUIRED");
        realmInfo.setClientId("REQUIRED");
        realmInfo.setTruststore("REQUIRED");
        realmInfo.setTruststorePassword("REQUIRED");
        StringWriter oauthJson = new StringWriter();
        prettyMapper.writeValue(oauthJson, realmInfo);

        StringBuilder html = new StringBuilder()
                .append("<html><body bgcolor=\"#CED8F6\">")
                .append("<h1>Realm: ").append(realmInfo.getRealm()).append("</h1>")
                .append("<h3>BearerTokenAuthValve Json Config</h3>")
                .append("<form><textarea rows=\"7\" cols=\"80\">").append(bearerJson.toString()).append("</textarea></form>")
                .append("<br>")
                .append("<h3>OAuthManagedResourceValve Json Config</h3>")
                .append("<form><textarea rows=\"20\" cols=\"80\">").append(oauthJson.toString()).append("</textarea></form>")
                .append("</body></html>");
        response.setStatus(200);
        response.setContentType("text/html");
        response.getOutputStream().println(html.toString());
        response.getOutputStream().flush();
    }

    /**
     * Builds the public description of this realm for resource servers: realm name, realm public
     * key (PEM body), the authorization URL (this context's login page), the code-resolution URL
     * (j_oauth_resolve_access_code) and the admin role name. URLs are derived from the base URI of
     * the current request.
     */
    protected ManagedResourceConfig getRealmRepresentation(Request request) {
        ManagedResourceConfig representation = new ManagedResourceConfig();
        ResteasyUriInfo uriInfo = ServletUtil.extractUriInfo(request, (String) null);
        String authUrl = uriInfo.getBaseUriBuilder()
                .path(this.context.getLoginConfig().getLoginPage())
                .toTemplate();
        String codeUrl = uriInfo.getBaseUriBuilder()
                .path("j_oauth_resolve_access_code")
                .toTemplate();
        representation.setRealm(this.skeletonKeyConfig.getRealm());
        representation.setRealmKey(this.realmPublicKeyPem);
        representation.setAuthUrl(authUrl);
        representation.setCodeUrl(codeUrl);
        representation.setAdminRole(this.skeletonKeyConfig.getAdminRole());
        return representation;
    }

    /**
     * Attempts bearer-token authentication when the request carries an Authorization header.
     * A LoginException from the authenticator is treated as "not authenticated" and not logged.
     *
     * @param ignoredFlag not used by this method (callers pass true/false)
     * @return true if the token was accepted, false if there is no header or login failed
     */
    public boolean bearer(Request request, HttpServletResponse response, boolean ignoredFlag) throws IOException {
        String authorization = request.getHeader("Authorization");
        if (authorization == null) {
            return false;
        }
        CatalinaBearerTokenAuthenticator authenticator = new CatalinaBearerTokenAuthenticator(this.resourceMetadata, true, false);
        try {
            return authenticator.login(request, response);
        } catch (LoginException e) {
            return false;
        }
    }

    /**
     * Called by FormAuthenticator after a successful login. Records the user session, then
     * (unless propagation is cancelled) mints a SkeletonKeySession holding a realm-signed token for
     * the principal and exposes it as a request attribute, in the RESTEasy context and as a
     * session note for later requests.
     */
    protected void register(Request request, HttpServletResponse response, Principal principal, String authType, String username, String password) {
        super.register(request, response, principal, authType, username, password);
        LogMessages.LOGGER.debug(Messages.MESSAGES.authenticateUserSession(principal.getName()));
        this.userSessionManagement.login(request.getSessionInternal(), principal.getName());
        if (this.skeletonKeyConfig.isCancelPropagation()) {
            return;
        }
        GenericPrincipal genericPrincipal = (GenericPrincipal) request.getPrincipal();
        if (genericPrincipal == null) {
            return;
        }
        String tokenString = buildTokenString(this.realmPrivateKey, buildToken(genericPrincipal));
        SkeletonKeySession session = new SkeletonKeySession(tokenString, this.resourceMetadata);
        request.setAttribute(SkeletonKeySession.class.getName(), session);
        ResteasyProviderFactory.pushContext(SkeletonKeySession.class, session);
        request.getSessionInternal(true).setNote(SkeletonKeySession.class.getName(), session);
    }

    /**
     * Accepts a valid bearer token first; otherwise defers to FormAuthenticator's form login.
     *
     * @return true if the request is authenticated
     */
    public boolean authenticate(Request request, HttpServletResponse response, LoginConfig config) throws IOException {
        boolean bearerAccepted = bearer(request, response, true);
        return bearerAccepted || super.authenticate(request, response, config);
    }

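    /**
     * POST j_oauth_resolve_access_code: exchanges a realm-signed access code (the {@code code}
     * parameter) for an access token. Requires TLS, a verifiable signature, HTTP Basic client
     * credentials, and an unexpired single-use code whose client and redirect_uri match this
     * request; the client must hold the client or login role (login role if the code came from
     * SSO). The token's realm roles are narrowed to what the client may receive before it is
     * signed. Failed checks answer 400 with an OAuth invalid_grant JSON body.
     */
    protected void resolveAccessCode(Request request, Response response) throws IOException {
        if (!request.isSecure()) {
            response.sendError(400);
            return;
        }
        String code = request.getParameter("code");
        if (code == null) {
            // Used to reach JWSInput as null and surface as a 500.
            sendInvalidGrant(response, Messages.MESSAGES.unableToVerifyCodeSignature());
            return;
        }
        JWSInput jws = new JWSInput(code, this.providers);
        boolean verified = false;
        try {
            verified = RSAProvider.verify(jws, this.realmPublicKey);
        } catch (Exception e) {
            LogMessages.LOGGER.error(Messages.MESSAGES.failedToVerifySignature(), e);
        }
        if (!verified) {
            // Was sendError(400), which commits the response so the JSON body never reached the client.
            sendInvalidGrant(response, Messages.MESSAGES.unableToVerifyCodeSignature());
            return;
        }
        // Single use: the code is consumed here whether or not the remaining checks pass.
        AccessCode accessCode = this.accessCodeMap.remove(jws.readContent(String.class));
        String redirectUri = request.getParameter("redirect_uri");
        GenericPrincipal client = basicAuth(request, response);
        if (client == null) {
            // basicAuth() is expected to have written its own error response (not shown here).
            LogMessages.LOGGER.error(Messages.MESSAGES.failedToAuthenticateClientId());
            return;
        }
        if (accessCode == null) {
            LogMessages.LOGGER.error(Messages.MESSAGES.noAccessCode(code));
            response.sendError(400);
            return;
        }
        if (accessCode.isExpired()) {
            LogMessages.LOGGER.debug(Messages.MESSAGES.accessCodeExpired());
            sendInvalidGrant(response, Messages.MESSAGES.codeIsExpired());
            return;
        }
        SkeletonKeyToken token = accessCode.getToken();
        if (!token.isActive()) {
            LogMessages.LOGGER.debug(Messages.MESSAGES.tokenNotActive());
            sendInvalidGrant(response, Messages.MESSAGES.tokenExpired());
            return;
        }
        if (!client.getName().equals(accessCode.getClient())) {
            LogMessages.LOGGER.debug(Messages.MESSAGES.notEqualClient());
            sendInvalidGrant(response, Messages.MESSAGES.authError());
            return;
        }
        // A code with no bound redirect fails closed (was an NPE / 500).
        if (accessCode.getRedirect() == null || !accessCode.getRedirect().equals(redirectUri)) {
            LogMessages.LOGGER.debug(Messages.MESSAGES.notEqualRedirect());
            sendInvalidGrant(response, Messages.MESSAGES.authError());
            return;
        }
        String loginRole = this.skeletonKeyConfig.getLoginRole();
        String clientRole = this.skeletonKeyConfig.getClientRole();
        if (accessCode.isSso() && !client.hasRole(loginRole)) {
            LogMessages.LOGGER.debug(Messages.MESSAGES.doesNotHaveLoginPermission());
            sendInvalidGrant(response, Messages.MESSAGES.authError());
            return;
        }
        if (!client.hasRole(clientRole) && !client.hasRole(loginRole)) {
            LogMessages.LOGGER.debug(Messages.MESSAGES.doesNotHaveLoginOrClientPermission());
            sendInvalidGrant(response, Messages.MESSAGES.authError());
            return;
        }
        restrictRealmRoles(token, client);
        AccessTokenResponse tokenResponse = accessTokenResponse(this.realmPrivateKey, token);
        response.setStatus(200);
        response.setContentType("application/json");
        this.accessTokenResponseWriter.writeValue(response.getOutputStream(), tokenResponse);
        response.getOutputStream().flush();
    }

    /**
     * Narrows the realm roles carried by {@code token} to what the redeeming client may receive.
     * If the roles include the client or login role, only those (plus the wildcard role, when
     * present) are kept. Then, unless the client itself holds the wildcard or login role, every
     * role the client does not hold is dropped. A token without realm access is left untouched
     * (previously an NPE).
     *
     * @param token  token whose realm role set is modified in place
     * @param client authenticated client principal
     */
    private void restrictRealmRoles(SkeletonKeyToken token, GenericPrincipal client) {
        String loginRole = this.skeletonKeyConfig.getLoginRole();
        String clientRole = this.skeletonKeyConfig.getClientRole();
        String wildcardRole = this.skeletonKeyConfig.getWildcardRole() == null ? "*" : this.skeletonKeyConfig.getWildcardRole();
        SkeletonKeyToken.Access realmAccess = token.getRealmAccess();
        Set<String> roles = realmAccess == null ? null : realmAccess.getRoles();
        if (roles == null) {
            return;
        }
        if (roles.contains(clientRole) || roles.contains(loginRole)) {
            Set<String> kept = new HashSet<>();
            if (roles.contains(clientRole)) {
                kept.add(clientRole);
            }
            if (roles.contains(loginRole)) {
                kept.add(loginRole);
            }
            if (roles.contains(wildcardRole)) {
                kept.add(wildcardRole);
            }
            roles.clear();
            roles.addAll(kept);
        }
        if (!client.hasRole(wildcardRole) && !client.hasRole(loginRole)) {
            Set<String> clientRoles = new HashSet<>(Arrays.asList(client.getRoles()));
            roles.retainAll(clientRoles);
        }
    }

    /**
     * Writes an OAuth error body ({@code error=invalid_grant} plus {@code error_description}) with
     * status 400 and content type application/json. setStatus is used rather than sendError so the
     * body is actually delivered.
     *
     * @param description value for error_description
     */
    private void sendInvalidGrant(Response response, String description) throws IOException {
        Map<String, String> error = new HashMap<>();
        error.put("error", "invalid_grant");
        error.put("error_description", description);
        response.setStatus(400);
        response.setContentType("application/json");
        this.mapWriter.writeValue(response.getOutputStream(), error);
        response.getOutputStream().flush();
    }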

    /**
     * Wraps a token in the JSON body returned by the token endpoints.
     *
     * @param privateKey       realm key used to RS256-sign the token
     * @param skeletonKeyToken token to serialize and sign
     * @return response carrying the compact JWS, the {@code bearer} token type and,
     *         when the token has an expiration, the number of seconds left until it
     */
    protected AccessTokenResponse accessTokenResponse(PrivateKey privateKey, SkeletonKeyToken skeletonKeyToken) {
        String signedToken = buildTokenString(privateKey, skeletonKeyToken);
        AccessTokenResponse result = new AccessTokenResponse();
        result.setToken(signedToken);
        result.setTokenType("bearer");
        long expiresAt = skeletonKeyToken.getExpiration();
        // A zero expiration means the token does not expire: leave expires_in unset.
        if (expiresAt != 0) {
            long nowSeconds = System.currentTimeMillis() / 1000;
            result.setExpiresIn(expiresAt - nowSeconds);
        }
        return result;
    }

    /**
     * Serializes the token to JSON and signs it as a compact RS256 JWS.
     *
     * @param privateKey       realm key used for the signature
     * @param skeletonKeyToken token to serialize
     * @return the compact serialization of the signed token
     * @throws RuntimeException wrapping any serialization or signing failure
     */
    protected String buildTokenString(PrivateKey privateKey, SkeletonKeyToken skeletonKeyToken) {
        try {
            byte[] payload = JsonSerialization.toByteArray(skeletonKeyToken, false);
            return new JWSBuilder().content(payload).rsa256(privateKey);
        } catch (Exception failure) {
            // Callers treat a token that cannot be produced as a server fault.
            throw new RuntimeException(failure);
        }
    }

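    /**
     * Handles the credential POST of the OAuth login form.
     *
     * On success the user is registered with the container, recorded in the SSO session
     * management and sent back to {@code redirect_uri} with a signed access code; on a
     * rejected login the browser is sent back with {@code error=unauthorized_client}.
     * The {@code state} parameter is echoed back in both cases when present.
     *
     * @param request  form post carrying redirect_uri, client_id, state, j_username, j_password
     * @param response response used for the redirect or the 400 error
     * @throws IOException if the redirect or error cannot be written
     */
    protected void handleOAuth(Request request, Response response) throws IOException {
        LogMessages.LOGGER.debug(Messages.MESSAGES.beginOauthAuthenticate());
        String redirectUri = request.getParameter("redirect_uri");
        String clientId = request.getParameter("client_id");
        String state = request.getParameter("state");
        String username = request.getParameter("j_username");
        String password = request.getParameter("j_password");
        // Both outcomes below redirect the browser to redirect_uri; without it there is
        // nowhere to deliver the result, and building the redirect from null would fail.
        if (redirectUri == null) {
            response.sendError(400);
            return;
        }
        // NOTE(review): redirect_uri is taken verbatim from the request. Whether it is matched
        // against the redirect registered for client_id is not visible in this method — confirm,
        // since an unchecked value would let the access code be delivered to any location.
        Principal principal = this.context.getRealm().authenticate(username, password);
        if (principal == null) {
            UriBuilder target = UriBuilder.fromUri(redirectUri).queryParam("error", new Object[]{"unauthorized_client"});
            if (state != null) {
                target.queryParam("state", new Object[]{state});
            }
            response.sendRedirect(target.toTemplate());
            return;
        }
        register(request, response, principal, "FORM", username, password);
        this.userSessionManagement.login(request.getSessionInternal(), username);
        redirectAccessCode(false, response, redirectUri, clientId, state, (GenericPrincipal) principal);
    }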

    /**
     * Direct-grant token endpoint: exchanges HTTP Basic credentials for a signed access token.
     *
     * Plaintext transport is refused with a 400; {@link #basicAuth} writes the 401 challenge
     * itself when the credentials are missing or rejected.
     *
     * @param request  request carrying the Authorization header
     * @param response response receiving the JSON token body or the error
     * @throws IOException if the response cannot be written
     */
    protected void tokenGrant(Request request, Response response) throws IOException {
        // Credentials travel in the Authorization header; never accept them over plaintext.
        if (!request.isSecure()) {
            response.sendError(400);
            return;
        }
        GenericPrincipal caller = basicAuth(request, response);
        if (caller != null) {
            SkeletonKeyToken token = buildToken(caller);
            AccessTokenResponse body = accessTokenResponse(this.realmPrivateKey, token);
            response.setStatus(200);
            response.setContentType("application/json");
            this.accessTokenResponseWriter.writeValue(response.getOutputStream(), body);
            response.getOutputStream().flush();
        }
        // When caller is null, basicAuth has already written the 401 challenge.
    }

    /**
     * Authenticates the HTTP Basic credentials of the Authorization header against the
     * context realm.
     *
     * @param request  request carrying the Authorization header
     * @param response response that receives the 401 challenge on failure
     * @return the authenticated principal, or {@code null} after a challenge has been written
     *         for a missing, unparsable or rejected header
     * @throws IOException if the challenge cannot be written
     */
    protected GenericPrincipal basicAuth(Request request, Response response) throws IOException {
        String authorization = request.getHeader("Authorization");
        // assumes parseHeader yields null or a two-element {user, password} array — confirm
        String[] credentials = authorization == null ? null : BasicAuthHelper.parseHeader(authorization);
        if (credentials == null) {
            basicAuthError(response);
            return null;
        }
        GenericPrincipal principal = this.context.getRealm().authenticate(credentials[0], credentials[1]);
        if (principal == null) {
            basicAuthError(response);
        }
        return principal;
    }

    /**
     * Writes the HTTP Basic challenge for the context's login realm and fails with 401.
     *
     * @param response response to challenge
     * @throws IOException if the error cannot be written
     */
    protected void basicAuthError(Response response) throws IOException {
        String realmName = this.context.getLoginConfig().getRealmName();
        StringBuilder challenge = new StringBuilder("Basic realm=\"");
        challenge.append(realmName).append('"');
        response.setHeader("WWW-Authenticate", challenge.toString());
        response.sendError(401);
    }

    /**
     * Issues a one-time access code for the authenticated user and redirects the browser
     * back to the client.
     *
     * The code record (token, client, redirect, sso flag, expiry) stays server-side in
     * {@code accessCodeMap}; only its id, RS256-signed with the realm key, is sent to the
     * client in the {@code code} query parameter.
     *
     * @param z                whether this code results from an SSO (already logged in) flow
     * @param response         response used for the redirect
     * @param str              redirect URI supplied by the client
     * @param str2             client id supplied by the client
     * @param str3             opaque {@code state} value, echoed back when present
     * @param genericPrincipal authenticated user whose roles populate the token
     * @throws IOException if the redirect cannot be written
     */
    protected void redirectAccessCode(boolean z, Response response, String str, String str2, String str3, GenericPrincipal genericPrincipal) throws IOException {
        AccessCode code = new AccessCode();
        code.setToken(buildToken(genericPrincipal));
        code.setClient(str2);
        code.setSso(z);
        code.setRedirect(str);
        long nowSeconds = System.currentTimeMillis() / 1000;
        long configuredLifetime = this.skeletonKeyConfig.getAccessCodeLifetime();
        // An unset (zero) lifetime falls back to five minutes.
        long lifetime = configuredLifetime == 0 ? 300 : configuredLifetime;
        code.setExpiration(nowSeconds + lifetime);
        // NOTE(review): nothing in this method evicts codes that expire unconsumed; confirm the
        // exchange path removes them, otherwise the map grows with every login attempt.
        this.accessCodeMap.put(code.getId(), code);

        LogMessages.LOGGER.debug(Messages.MESSAGES.signAccessCode());
        String signedCode = new JWSBuilder().content(code.getId().getBytes(StandardCharsets.UTF_8)).rsa256(this.realmPrivateKey);

        LogMessages.LOGGER.debug(Messages.MESSAGES.buildRedirect());
        UriBuilder location = UriBuilder.fromUri(str).queryParam("code", new Object[]{signedCode});
        if (str3 != null) {
            location.queryParam("state", new Object[]{str3});
        }
        response.sendRedirect(location.toTemplate());
        LogMessages.LOGGER.debug(Messages.MESSAGES.endOAuthAuthenticate());
    }

    /**
     * Builds an unsigned realm token for the authenticated principal.
     *
     * The token carries a fresh id, the principal's name, the configured realm as audience
     * and every role the container granted the principal as realm access.
     *
     * @param genericPrincipal authenticated container principal
     * @return the populated, not yet signed token
     */
    protected SkeletonKeyToken buildToken(GenericPrincipal genericPrincipal) {
        SkeletonKeyToken token = new SkeletonKeyToken();
        token.id(generateId());
        token.principal(genericPrincipal.getName());
        token.audience(this.skeletonKeyConfig.getRealm());

        // NOTE(review): the lifetime added here comes from the access-code setting (default
        // 3600) while the guard consults the token-lifetime setting, so a configured token
        // lifetime is never applied; redirectAccessCode defaults the same setting to 300.
        // Behaviour is preserved as-is — confirm which value is intended.
        long lifetime = this.skeletonKeyConfig.getAccessCodeLifetime();
        if (lifetime == 0) {
            lifetime = 3600;
        }
        if (this.skeletonKeyConfig.getTokenLifetime() > 0) {
            token.expiration(System.currentTimeMillis() / 1000 + lifetime);
        }

        SkeletonKeyToken.Access access = new SkeletonKeyToken.Access();
        for (String role : genericPrincipal.getRoles()) {
            access.addRole(role);
        }
        token.setRealmAccess(access);
        return token;
    }
}
