package org.forgerock.openam.sts.rest.operation.translate;

import java.net.MalformedURLException;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.inject.Inject;
import javax.inject.Named;
import org.forgerock.json.JsonValue;
import org.forgerock.openam.sts.HttpURLConnectionWrapperFactory;
import org.forgerock.openam.sts.STSInitializationException;
import org.forgerock.openam.sts.TokenCreationException;
import org.forgerock.openam.sts.TokenType;
import org.forgerock.openam.sts.TokenTypeId;
import org.forgerock.openam.sts.TokenValidationException;
import org.forgerock.openam.sts.config.user.CustomTokenOperation;
import org.forgerock.openam.sts.rest.config.user.TokenTransformConfig;
import org.forgerock.openam.sts.rest.operation.validate.IssuedTokenValidatorFactory;
import org.forgerock.openam.sts.rest.token.provider.RestTokenProvider;
import org.forgerock.openam.sts.rest.token.provider.RestTokenProviderParameters;
import org.forgerock.openam.sts.rest.token.provider.oidc.OpenIdConnectTokenAuthMethodReferencesMapper;
import org.forgerock.openam.sts.rest.token.provider.oidc.OpenIdConnectTokenAuthnContextMapper;
import org.forgerock.openam.sts.rest.token.provider.oidc.RestOpenIdConnectTokenProvider;
import org.forgerock.openam.sts.rest.token.provider.saml.RestSamlTokenProvider;
import org.forgerock.openam.sts.rest.token.provider.saml.Saml2JsonTokenAuthnContextMapper;
import org.forgerock.openam.sts.rest.token.provider.saml.Saml2TokenCreationState;
import org.forgerock.openam.sts.rest.token.validator.OpenIdConnectIdTokenTransformValidator;
import org.forgerock.openam.sts.rest.token.validator.RestAMTokenTransformValidator;
import org.forgerock.openam.sts.rest.token.validator.RestCertificateTokenTransformValidator;
import org.forgerock.openam.sts.rest.token.validator.RestTokenTransformValidator;
import org.forgerock.openam.sts.rest.token.validator.RestTokenTransformValidatorParameters;
import org.forgerock.openam.sts.rest.token.validator.RestTokenTransformValidatorResult;
import org.forgerock.openam.sts.rest.token.validator.RestUsernameTokenTransformValidator;
import org.forgerock.openam.sts.token.ThreadLocalAMTokenCache;
import org.forgerock.openam.sts.token.UrlConstituentCatenator;
import org.forgerock.openam.sts.token.model.OpenAMSessionToken;
import org.forgerock.openam.sts.token.model.OpenIdConnectIdToken;
import org.forgerock.openam.sts.token.model.RestUsernameToken;
import org.forgerock.openam.sts.token.provider.AMSessionInvalidatorImpl;
import org.forgerock.openam.sts.token.provider.TokenServiceConsumer;
import org.forgerock.openam.sts.token.validator.AuthenticationHandler;
import org.forgerock.openam.sts.token.validator.PrincipalFromSession;
import org.forgerock.openam.sts.token.validator.ValidationInvocationContext;
import org.slf4j.Logger;

/* loaded from: input_file:org/forgerock/openam/sts/rest/operation/translate/TokenTransformFactoryImpl.class */
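/**
 * Builds the {@link TokenTransform} for a rest-sts instance from a {@link TokenTransformConfig}:
 * an input-side {@link RestTokenTransformValidator} chosen by the input token type and an
 * output-side {@link RestTokenProvider} chosen by the output token type.
 *
 * <p>Built-in token types (USERNAME, OPENAM, OPENIDCONNECT, X509 in; SAML2, OPENIDCONNECT out) map to
 * fixed implementations. Any other token type is resolved against the injected sets of
 * {@link CustomTokenOperation}s, whose configured class name is loaded reflectively. Because that
 * class name comes from the published STS instance configuration, only classes implementing the
 * required interface are instantiated, and the class is loaded without initialization until that
 * check has passed (see {@link #instantiateCustomOperation}).
 */
public class TokenTransformFactoryImpl implements TokenTransformFactory {
    private final String amDeploymentUrl;
    private final String jsonRestRoot;
    private final String restLogoutUriElement;
    private final String amSessionCookieName;
    private final String realm;
    private final String stsInstanceId;
    private final ThreadLocalAMTokenCache threadLocalAMTokenCache;
    private final PrincipalFromSession principalFromSession;
    private final AuthenticationHandler<OpenIdConnectIdToken> openIdConnectIdTokenAuthenticationHandler;
    private final AuthenticationHandler<X509Certificate[]> x509TokenAuthenticationHandler;
    private final AuthenticationHandler<RestUsernameToken> usernameTokenAuthenticationHandler;
    private final UrlConstituentCatenator urlConstituentCatenator;
    private final TokenServiceConsumer tokenServiceConsumer;
    private final Saml2JsonTokenAuthnContextMapper saml2JsonTokenAuthnContextMapper;
    private final HttpURLConnectionWrapperFactory connectionWrapperFactory;
    private final String crestVersionSessionService;
    private final OpenIdConnectTokenAuthnContextMapper oidcAuthnContextMapper;
    private final OpenIdConnectTokenAuthMethodReferencesMapper oidcAuthModeReferencesMapper;
    private final Set<CustomTokenOperation> customTokenValidators;
    private final Set<CustomTokenOperation> customTokenProviders;
    private final IssuedTokenValidatorFactory issuedTokenValidatorFactory;
    private final Logger logger;

    /**
     * Adapts a configured custom {@link RestTokenProvider} (whose type parameter is unknown at this
     * point) to the {@code RestTokenProvider<JsonValue>} the transform expects. Pure delegation.
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static class CustomTokenProviderWrapper implements RestTokenProvider<JsonValue> {
        private final RestTokenProvider customDelegate;

        private CustomTokenProviderWrapper(RestTokenProvider restTokenProvider) {
            this.customDelegate = restTokenProvider;
        }

        @Override // org.forgerock.openam.sts.rest.token.provider.RestTokenProvider
        public JsonValue createToken(RestTokenProviderParameters<JsonValue> restTokenProviderParameters) throws TokenCreationException {
            return this.customDelegate.createToken(restTokenProviderParameters);
        }
    }

    /**
     * Adapts a configured custom {@link RestTokenTransformValidator} and enforces the contract the
     * transformation pipeline relies on: when the validator runs as part of a token transformation
     * (or a renew operation) it must have produced an AM session id, which is then cached in the
     * thread-local token cache for the downstream token provider.
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static class CustomTokenTransformValidatorWrapper implements RestTokenTransformValidator<JsonValue> {
        private final RestTokenTransformValidator customDelegate;
        private final ThreadLocalAMTokenCache threadLocalAMTokenCache;
        private final ValidationInvocationContext validationInvocationContext;
        private final boolean invalidateInterimAMSession;

        private CustomTokenTransformValidatorWrapper(RestTokenTransformValidator restTokenTransformValidator, ThreadLocalAMTokenCache threadLocalAMTokenCache, ValidationInvocationContext validationInvocationContext, boolean invalidateInterimAMSession) {
            this.customDelegate = restTokenTransformValidator;
            this.threadLocalAMTokenCache = threadLocalAMTokenCache;
            this.validationInvocationContext = validationInvocationContext;
            this.invalidateInterimAMSession = invalidateInterimAMSession;
        }

        /**
         * Delegates validation, then verifies and caches the resulting AM session id when the
         * invocation context requires one.
         *
         * @throws TokenValidationException with status 409 if the custom validator returned no result
         *         or did not set an AM session id in a context that requires one
         */
        @Override // org.forgerock.openam.sts.rest.token.validator.RestTokenTransformValidator
        public RestTokenTransformValidatorResult validateToken(RestTokenTransformValidatorParameters<JsonValue> restTokenTransformValidatorParameters) throws TokenValidationException {
            final RestTokenTransformValidatorResult result = this.customDelegate.validateToken(restTokenTransformValidatorParameters);
            // A custom (third-party) validator may misbehave; surface a null result as a 409 rather than
            // letting the NullPointerException below escape as an opaque 500.
            if (result == null) {
                throw new TokenValidationException(409, "The custom rest token validator of class " + this.customDelegate.getClass().getCanonicalName() + " returned a null validation result.");
            }
            if (requiresInterimAMSession()) {
                if (result.getAMSessionId() == null) {
                    throw new TokenValidationException(409, "The custom rest token validator of class " + this.customDelegate.getClass().getCanonicalName() + " invoked as part of token transformation, did not set the am session string resulting from successful token validation.");
                }
                // NOTE(review): the session id is cached under REST_TOKEN_TRANSFORMATION even when this
                // wrapper was built for TOKEN_RENEW_OPERATION. Within this file the wrapper is only ever
                // built for REST_TOKEN_TRANSFORMATION (see buildTokenTransform), so the behavior is kept
                // as-is; confirm against ThreadLocalAMTokenCache before keying on validationInvocationContext.
                this.threadLocalAMTokenCache.cacheSessionIdForContext(ValidationInvocationContext.REST_TOKEN_TRANSFORMATION, result.getAMSessionId(), this.invalidateInterimAMSession);
            }
            return result;
        }

        /** True for the contexts in which a successful validation must yield an interim AM session. */
        private boolean requiresInterimAMSession() {
            return ValidationInvocationContext.REST_TOKEN_TRANSFORMATION.equals(this.validationInvocationContext)
                    || ValidationInvocationContext.TOKEN_RENEW_OPERATION.equals(this.validationInvocationContext);
        }
    }

    /**
     * Injection constructor. All collaborators are held as-is; the {@code @Named} strings are the
     * rest-sts instance configuration values used to build the AM session invalidator and the
     * SAML2/OIDC token providers.
     */
    @Inject
    TokenTransformFactoryImpl(@Named("am_deployment_url") String amDeploymentUrl,
                              @Named("am_rest_authn_json_root") String jsonRestRoot,
                              @Named("am_rest_logout") String restLogoutUriElement,
                              @Named("am_session_cookie_name") String amSessionCookieName,
                              @Named("am_realm") String realm,
                              @Named("sts_instance_id") String stsInstanceId,
                              ThreadLocalAMTokenCache threadLocalAMTokenCache,
                              PrincipalFromSession principalFromSession,
                              AuthenticationHandler<OpenIdConnectIdToken> openIdConnectIdTokenAuthenticationHandler,
                              AuthenticationHandler<X509Certificate[]> x509TokenAuthenticationHandler,
                              AuthenticationHandler<RestUsernameToken> usernameTokenAuthenticationHandler,
                              UrlConstituentCatenator urlConstituentCatenator,
                              TokenServiceConsumer tokenServiceConsumer,
                              Saml2JsonTokenAuthnContextMapper saml2JsonTokenAuthnContextMapper,
                              HttpURLConnectionWrapperFactory connectionWrapperFactory,
                              @Named("crest_version_session_service") String crestVersionSessionService,
                              OpenIdConnectTokenAuthnContextMapper oidcAuthnContextMapper,
                              OpenIdConnectTokenAuthMethodReferencesMapper oidcAuthModeReferencesMapper,
                              @Named("rest_custom_token_validators") Set<CustomTokenOperation> customTokenValidators,
                              @Named("rest_custom_token_providers") Set<CustomTokenOperation> customTokenProviders,
                              IssuedTokenValidatorFactory issuedTokenValidatorFactory,
                              Logger logger) {
        this.amDeploymentUrl = amDeploymentUrl;
        this.jsonRestRoot = jsonRestRoot;
        this.restLogoutUriElement = restLogoutUriElement;
        this.amSessionCookieName = amSessionCookieName;
        this.realm = realm;
        this.stsInstanceId = stsInstanceId;
        this.threadLocalAMTokenCache = threadLocalAMTokenCache;
        this.principalFromSession = principalFromSession;
        this.openIdConnectIdTokenAuthenticationHandler = openIdConnectIdTokenAuthenticationHandler;
        this.x509TokenAuthenticationHandler = x509TokenAuthenticationHandler;
        this.usernameTokenAuthenticationHandler = usernameTokenAuthenticationHandler;
        this.urlConstituentCatenator = urlConstituentCatenator;
        this.tokenServiceConsumer = tokenServiceConsumer;
        this.saml2JsonTokenAuthnContextMapper = saml2JsonTokenAuthnContextMapper;
        this.connectionWrapperFactory = connectionWrapperFactory;
        this.crestVersionSessionService = crestVersionSessionService;
        this.oidcAuthnContextMapper = oidcAuthnContextMapper;
        this.oidcAuthModeReferencesMapper = oidcAuthModeReferencesMapper;
        this.customTokenValidators = customTokenValidators;
        this.customTokenProviders = customTokenProviders;
        this.issuedTokenValidatorFactory = issuedTokenValidatorFactory;
        this.logger = logger;
    }

    /**
     * Builds the transform described by {@code tokenTransformConfig}: the input validator is chosen
     * by the config's input token type and the output provider by its output token type.
     *
     * @throws STSInitializationException if a custom validator/provider is required but not
     *         configured or cannot be instantiated, or if a provider's AM URL is malformed
     */
    @Override // org.forgerock.openam.sts.rest.operation.translate.TokenTransformFactory
    public TokenTransform<?, ? extends TokenTypeId> buildTokenTransform(TokenTransformConfig tokenTransformConfig) throws STSInitializationException {
        final TokenTypeId inputTokenType = tokenTransformConfig.getInputTokenType();
        final TokenTypeId outputTokenType = tokenTransformConfig.getOutputTokenType();
        final boolean invalidateInterimSession = tokenTransformConfig.invalidateInterimOpenAMSession();
        return new TokenTransformImpl(
                buildInputTokenValidator(inputTokenType, invalidateInterimSession),
                buildOutputTokenProvider(outputTokenType),
                inputTokenType,
                outputTokenType);
    }

    /** Selects the input-side validator; any non-built-in type falls through to a custom validator. */
    private RestTokenTransformValidator<?> buildInputTokenValidator(TokenTypeId inputTokenType, boolean invalidateInterimSession) throws STSInitializationException {
        final String inputId = inputTokenType.getId();
        if (TokenType.USERNAME.getId().equals(inputId)) {
            return buildUsernameTokenValidator(invalidateInterimSession);
        }
        if (TokenType.OPENAM.getId().equals(inputId)) {
            return buildOpenAMTokenValidator(invalidateInterimSession);
        }
        if (TokenType.OPENIDCONNECT.getId().equals(inputId)) {
            return buildOpenIdConnectValidator(invalidateInterimSession);
        }
        if (TokenType.X509.getId().equals(inputId)) {
            return buildX509TokenValidator(invalidateInterimSession);
        }
        return buildCustomTokenValidator(inputTokenType, ValidationInvocationContext.REST_TOKEN_TRANSFORMATION, invalidateInterimSession);
    }

    /** Selects the output-side provider; any non-built-in type falls through to a custom provider. */
    private RestTokenProvider<?> buildOutputTokenProvider(TokenTypeId outputTokenType) throws STSInitializationException {
        final String outputId = outputTokenType.getId();
        if (TokenType.SAML2.getId().equals(outputId)) {
            return buildOpenSAMLTokenProvider();
        }
        if (TokenType.OPENIDCONNECT.getId().equals(outputId)) {
            return buildOpenIdConnectTokenProvider();
        }
        return buildCustomTokenProvider(outputTokenType);
    }

    private RestTokenTransformValidator<RestUsernameToken> buildUsernameTokenValidator(boolean invalidateInterimSession) {
        return new RestUsernameTokenTransformValidator(this.usernameTokenAuthenticationHandler, this.threadLocalAMTokenCache, this.principalFromSession, ValidationInvocationContext.REST_TOKEN_TRANSFORMATION, invalidateInterimSession);
    }

    private RestTokenTransformValidator<OpenIdConnectIdToken> buildOpenIdConnectValidator(boolean invalidateInterimSession) {
        return new OpenIdConnectIdTokenTransformValidator(this.openIdConnectIdTokenAuthenticationHandler, this.threadLocalAMTokenCache, this.principalFromSession, ValidationInvocationContext.REST_TOKEN_TRANSFORMATION, this.issuedTokenValidatorFactory, invalidateInterimSession);
    }

    private RestTokenTransformValidator<X509Certificate[]> buildX509TokenValidator(boolean invalidateInterimSession) {
        return new RestCertificateTokenTransformValidator(this.x509TokenAuthenticationHandler, this.threadLocalAMTokenCache, this.principalFromSession, ValidationInvocationContext.REST_TOKEN_TRANSFORMATION, invalidateInterimSession);
    }

    private RestTokenTransformValidator<OpenAMSessionToken> buildOpenAMTokenValidator(boolean invalidateInterimSession) {
        return new RestAMTokenTransformValidator(this.principalFromSession, this.threadLocalAMTokenCache, ValidationInvocationContext.REST_TOKEN_TRANSFORMATION, invalidateInterimSession);
    }

    /**
     * Resolves and instantiates the configured custom validator for {@code tokenTypeId} and wraps
     * it so the interim-AM-session contract is enforced.
     */
    private RestTokenTransformValidator<JsonValue> buildCustomTokenValidator(TokenTypeId tokenTypeId, ValidationInvocationContext validationInvocationContext, boolean invalidateInterimSession) throws STSInitializationException {
        final RestTokenTransformValidator delegate = instantiateCustomOperation(this.customTokenValidators, tokenTypeId, RestTokenTransformValidator.class, "validator");
        return new CustomTokenTransformValidatorWrapper(delegate, this.threadLocalAMTokenCache, validationInvocationContext, invalidateInterimSession);
    }

    private RestTokenProvider<Saml2TokenCreationState> buildOpenSAMLTokenProvider() throws STSInitializationException {
        try {
            return new RestSamlTokenProvider(this.tokenServiceConsumer, newAMSessionInvalidator(), this.threadLocalAMTokenCache, this.stsInstanceId, this.realm, this.saml2JsonTokenAuthnContextMapper, ValidationInvocationContext.REST_TOKEN_TRANSFORMATION, this.logger);
        } catch (MalformedURLException e) {
            throw new STSInitializationException(500, e.getMessage(), e);
        }
    }

    private RestOpenIdConnectTokenProvider buildOpenIdConnectTokenProvider() throws STSInitializationException {
        try {
            return new RestOpenIdConnectTokenProvider(this.tokenServiceConsumer, newAMSessionInvalidator(), this.threadLocalAMTokenCache, this.stsInstanceId, this.realm, this.oidcAuthnContextMapper, this.oidcAuthModeReferencesMapper, ValidationInvocationContext.REST_TOKEN_TRANSFORMATION, this.logger);
        } catch (MalformedURLException e) {
            throw new STSInitializationException(500, e.getMessage(), e);
        }
    }

    /** The AM session invalidator shared in shape by the SAML2 and OIDC providers. */
    private AMSessionInvalidatorImpl newAMSessionInvalidator() throws MalformedURLException {
        return new AMSessionInvalidatorImpl(this.amDeploymentUrl, this.jsonRestRoot, this.realm, this.restLogoutUriElement, this.amSessionCookieName, this.urlConstituentCatenator, this.crestVersionSessionService, this.connectionWrapperFactory, this.logger);
    }

    /** Resolves and instantiates the configured custom provider for {@code tokenTypeId}. */
    private RestTokenProvider<JsonValue> buildCustomTokenProvider(TokenTypeId tokenTypeId) throws STSInitializationException {
        final RestTokenProvider delegate = instantiateCustomOperation(this.customTokenProviders, tokenTypeId, RestTokenProvider.class, "provider");
        return new CustomTokenProviderWrapper(delegate);
    }

    /**
     * Finds the {@link CustomTokenOperation} whose custom token name matches {@code tokenTypeId} and
     * instantiates its configured class via its no-arg constructor.
     *
     * <p>The class name is configuration-supplied, so it is loaded <em>without</em> initialization and
     * checked against {@code requiredInterface} first: a configured class that does not implement the
     * interface is rejected before any of its static initializers can run. A failed check, a missing
     * class, a missing/inaccessible no-arg constructor, or a constructor that throws are all reported
     * as a 409 {@link STSInitializationException} (previously a non-conforming class escaped as an
     * unchecked {@link ClassCastException}).
     *
     * @param customOperations  the configured custom validators or providers to search
     * @param tokenTypeId       the custom token type to resolve
     * @param requiredInterface the interface the configured class must implement
     * @param operationKind     "validator" or "provider", used only in error messages
     * @return a new instance of the configured class
     * @throws STSInitializationException if no operation is configured for the type, or instantiation fails
     */
    private <T> T instantiateCustomOperation(Set<CustomTokenOperation> customOperations, TokenTypeId tokenTypeId, Class<T> requiredInterface, String operationKind) throws STSInitializationException {
        for (CustomTokenOperation customTokenOperation : customOperations) {
            if (!customTokenOperation.getCustomTokenName().equals(tokenTypeId.getId())) {
                continue;
            }
            final String className = customTokenOperation.getCustomOperationClassName();
            try {
                // initialize=false: the interface check below must pass before the class is initialized.
                // The loader is this class's own loader, which is what the one-arg Class.forName used.
                final Class<? extends T> implementation = Class.forName(className, false, TokenTransformFactoryImpl.class.getClassLoader()).asSubclass(requiredInterface);
                // Constructor.newInstance (unlike Class.newInstance) wraps exceptions thrown by the
                // constructor in InvocationTargetException instead of propagating checked ones unannounced.
                return implementation.getDeclaredConstructor().newInstance();
            } catch (ReflectiveOperationException | ClassCastException e) {
                throw new STSInitializationException(409, "Custom token " + operationKind + " instantiation of class " + className + " failed. Correct class name, or expose in classpath, and republish sts instance. Exception: " + e, e);
            }
        }
        throw new STSInitializationException(409, "No custom token " + operationKind + " found for token type " + tokenTypeId.getId() + ". Republish rest-sts instance with custom token " + operationKind + " specified for custom token type.");
    }
}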
