package org.forgerock.openam.sts.rest.operation;

import com.google.common.collect.Iterables;
import com.sun.identity.shared.encode.Base64;
import java.io.ByteArrayInputStream;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.inject.Inject;
import javax.inject.Named;
import org.apache.commons.lang.ArrayUtils;
import org.forgerock.json.JsonValue;
import org.forgerock.json.resource.http.HttpContext;
import org.forgerock.openam.sts.TokenMarshalException;
import org.forgerock.openam.sts.TokenType;
import org.forgerock.openam.sts.TokenTypeId;
import org.forgerock.openam.sts.config.user.CustomTokenOperation;
import org.forgerock.openam.sts.rest.operation.translate.CustomRestTokenProviderParametersImpl;
import org.forgerock.openam.sts.rest.operation.translate.OpenIdConnectRestTokenProviderParameters;
import org.forgerock.openam.sts.rest.operation.translate.Saml2RestTokenProviderParameters;
import org.forgerock.openam.sts.rest.token.canceller.RestIssuedTokenCancellerParameters;
import org.forgerock.openam.sts.rest.token.provider.RestTokenProviderParameters;
import org.forgerock.openam.sts.rest.token.provider.oidc.OpenIdConnectTokenCreationState;
import org.forgerock.openam.sts.rest.token.provider.saml.Saml2TokenCreationState;
import org.forgerock.openam.sts.rest.token.validator.RestIssuedTokenValidatorParameters;
import org.forgerock.openam.sts.rest.token.validator.RestTokenTransformValidatorParameters;
import org.forgerock.openam.sts.token.SAML2SubjectConfirmation;
import org.forgerock.openam.sts.token.model.OpenAMSessionToken;
import org.forgerock.openam.sts.token.model.OpenIdConnectIdToken;
import org.forgerock.openam.sts.token.model.RestUsernameToken;
import org.forgerock.openam.sts.user.invocation.ProofTokenState;
import org.forgerock.openam.sts.user.invocation.SAML2TokenCreationState;
import org.forgerock.openam.sts.user.invocation.SAML2TokenState;
import org.forgerock.openam.utils.ClientUtils;
import org.forgerock.openam.utils.Time;
import org.forgerock.services.context.ClientContext;
import org.forgerock.services.context.Context;
import org.slf4j.Logger;

/* loaded from: input_file:org/forgerock/openam/sts/rest/operation/TokenRequestMarshallerImpl.class */
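/**
 * Marshals the JSON invocation state of the REST STS (token translation, issued-token
 * validation and issued-token cancellation) into the typed parameter objects that the
 * token validators, providers and cancellers consume.
 *
 * <p>Every method that reads caller-supplied JSON rejects missing or mistyped fields with a
 * {@link TokenMarshalException} carrying HTTP status 400; failures that are the server's own
 * fault (e.g. no X.509 {@link CertificateFactory} available) use 500.
 *
 * <p>X.509 input tokens are special: when the deployment terminates two-way TLS itself the
 * client certificate is read from the request attributes; when TLS is offloaded, the
 * certificate is read from a configured header, and that header is only trusted when the
 * caller's address is in the configured set of offload-engine hosts (or that set contains
 * {@value #ANY_HOST}).
 *
 * <p>All fields are final and the injected sets are only read here, so instances are
 * thread-safe as long as the injected sets are not mutated by their owner (assumed; not
 * enforced by this class).
 */
public class TokenRequestMarshallerImpl implements TokenRequestMarshaller {
    private static final String X509_CERTIFICATE_ATTRIBUTE = "javax.servlet.request.X509Certificate";
    /** Sentinel entry in the offload-host set that disables the caller-address check. */
    private static final String ANY_HOST = "any";

    // JSON keys read from the invocation state.
    private static final String TOKEN_TYPE = "token_type";
    private static final String OIDC_ID_TOKEN = "oidc_id_token";
    private static final String SAML2_TOKEN = "saml2_token";
    private static final String USERNAME = "username";
    private static final String PASSWORD = "password";
    private static final String SESSION_ID = "session_id";
    private static final String SUBJECT_CONFIRMATION = "subject_confirmation";

    /** Header carrying the client certificate when TLS is offloaded; "" means TLS terminates here. */
    private final String offloadedTlsClientCertKey;
    /** Client addresses allowed to present the offloaded certificate header (may contain {@link #ANY_HOST}). */
    private final Set<String> tlsOffloadEngineHosts;
    private final Set<CustomTokenOperation> customTokenValidators;
    private final Set<CustomTokenOperation> customTokenProviders;
    private final Logger logger;

    /**
     * @param offloadedTlsClientCertKey header name referencing the client certificate when
     *        two-way TLS is offloaded; empty string when TLS is terminated by this deployment
     * @param tlsOffloadEngineHosts addresses of the TLS offload engines permitted to set that header
     * @param customTokenValidators custom input-token operations published on this instance
     * @param customTokenProviders custom output-token operations published on this instance
     * @param logger sink for rejected X.509 transformations
     */
    @Inject
    TokenRequestMarshallerImpl(@Named("deployment-offloaded-two-way-tls-header-key") String offloadedTlsClientCertKey,
                               @Named("deployment-tls-offload-engine-hosts") Set<String> tlsOffloadEngineHosts,
                               @Named("rest_custom_token_validators") Set<CustomTokenOperation> customTokenValidators,
                               @Named("rest_custom_token_providers") Set<CustomTokenOperation> customTokenProviders,
                               Logger logger) {
        this.offloadedTlsClientCertKey = offloadedTlsClientCertKey;
        this.tlsOffloadEngineHosts = tlsOffloadEngineHosts;
        this.customTokenValidators = customTokenValidators;
        this.customTokenProviders = customTokenProviders;
        this.logger = logger;
    }

    /**
     * Builds the validator parameters for the input token of a token translation.
     *
     * @param jsonValue the input-token JSON; must carry a string {@code token_type}
     * @param context the request context, consulted only for X.509 input tokens
     * @return parameters wrapping the typed input token
     * @throws TokenMarshalException (400) when the token type is absent, unsupported, or the
     *         token-specific fields are missing
     */
    @Override // org.forgerock.openam.sts.rest.operation.TokenRequestMarshaller
    public RestTokenTransformValidatorParameters<?> buildTokenTransformValidatorParameters(JsonValue jsonValue, Context context) throws TokenMarshalException {
        if (!jsonValue.get(TOKEN_TYPE).isString()) {
            throw new TokenMarshalException(400, "The to-be-translated token does not contain a token_type entry. The token: " + jsonValue);
        }
        String tokenType = jsonValue.get(TOKEN_TYPE).asString();
        // NOTE(review): this method matches on TokenType.name() while the other entry points
        // match on TokenType.getId(); preserved as-is in case the two differ for some types.
        if (TokenType.USERNAME.name().equals(tokenType)) {
            return buildUsernameTokenTransformValidatorParameters(jsonValue);
        }
        if (TokenType.OPENAM.name().equals(tokenType)) {
            return buildAMSessionTokenTransformValidatorParameters(jsonValue);
        }
        if (TokenType.OPENIDCONNECT.name().equals(tokenType)) {
            return buildOpenIdConnectIdTokenTransformValidatorParameters(jsonValue);
        }
        if (TokenType.X509.name().equals(tokenType)) {
            return buildX509CertTokenTransformValidatorParameters(context);
        }
        if (isCustomTokenName(customTokenValidators, tokenType)) {
            return buildCustomTokenTransformValidatorParameters(jsonValue);
        }
        throw new TokenMarshalException(400, "Unsupported input token type: " + tokenType);
    }

    /**
     * Builds the parameters for validating a previously issued OIDC or SAML2 token.
     *
     * @param jsonValue the {@code validated_token_state} JSON; must carry a string {@code token_type}
     * @throws TokenMarshalException (400) when the token type is absent or unsupported, or the
     *         token value field is missing
     */
    @Override // org.forgerock.openam.sts.rest.operation.TokenRequestMarshaller
    public RestIssuedTokenValidatorParameters<?> buildIssuedTokenValidatorParameters(JsonValue jsonValue) throws TokenMarshalException {
        if (!jsonValue.get(TOKEN_TYPE).isString()) {
            throw new TokenMarshalException(400, "The to-be-validated token does not contain a token_type entry. The token: " + jsonValue);
        }
        // Non-null: isString() only holds for an actual String value.
        String tokenType = jsonValue.get(TOKEN_TYPE).asString();
        if (TokenType.OPENIDCONNECT.getId().equals(tokenType)) {
            return buildOpenIdConnectIssuedTokenValidatorParameters(jsonValue);
        }
        if (TokenType.SAML2.getId().equals(tokenType)) {
            return buildSAML2IssuedTokenValidatorParameters(jsonValue);
        }
        throw new TokenMarshalException(400, "Unsupported to-be-validated token type: " + tokenType);
    }

    /**
     * Builds the parameters for cancelling a previously issued OIDC or SAML2 token.
     *
     * @param jsonValue the {@code cancelled_token_state} JSON; must carry a string {@code token_type}
     * @throws TokenMarshalException (400) when the token type is absent or unsupported, or the
     *         token value field is missing
     */
    @Override // org.forgerock.openam.sts.rest.operation.TokenRequestMarshaller
    public RestIssuedTokenCancellerParameters<?> buildIssuedTokenCancellerParameters(JsonValue jsonValue) throws TokenMarshalException {
        if (!jsonValue.get(TOKEN_TYPE).isString()) {
            throw new TokenMarshalException(400, "The to-be-cancelled token does not contain a token_type entry. The token: " + jsonValue);
        }
        // Non-null: isString() only holds for an actual String value.
        String tokenType = jsonValue.get(TOKEN_TYPE).asString();
        if (TokenType.OPENIDCONNECT.getId().equals(tokenType)) {
            return buildOpenIdConnectIssuedTokenCancellerParameters(jsonValue);
        }
        if (TokenType.SAML2.getId().equals(tokenType)) {
            return buildSAML2IssuedTokenCancellerParameters(jsonValue);
        }
        throw new TokenMarshalException(400, "Unsupported to-be-cancelled token type: " + tokenType);
    }

    /**
     * Builds the provider parameters for the output token of a token translation.
     *
     * @param inputTokenType type of the already-validated input token
     * @param inputToken the input-token JSON
     * @param outputTokenType requested output token type
     * @param outputTokenState JSON describing how the output token is to be created
     * @throws TokenMarshalException (400) when the output type is unsupported or its creation
     *         state is invalid
     */
    @Override // org.forgerock.openam.sts.rest.operation.TokenRequestMarshaller
    public RestTokenProviderParameters<?> buildTokenProviderParameters(TokenTypeId inputTokenType, JsonValue inputToken, TokenTypeId outputTokenType, JsonValue outputTokenState) throws TokenMarshalException {
        String outputTypeId = outputTokenType.getId();
        if (TokenType.SAML2.getId().equals(outputTypeId)) {
            return createSAML2TokenProviderParameters(inputTokenType, inputToken, outputTokenState);
        }
        if (TokenType.OPENIDCONNECT.getId().equals(outputTypeId)) {
            return createOpenIdConnectTokenProviderParameters(inputTokenType, inputToken, outputTokenState);
        }
        if (isCustomTokenName(customTokenProviders, outputTypeId)) {
            return buildCustomTokenProviderParameters(inputTokenType, inputToken, outputTokenState);
        }
        throw new TokenMarshalException(400, "Unsupported output token type: " + outputTokenType);
    }

    /**
     * Reads the {@code token_type} string of an invocation and wraps it as a {@link TokenTypeId}.
     *
     * @throws TokenMarshalException (400) when {@code token_type} is absent or not a string
     */
    @Override // org.forgerock.openam.sts.rest.operation.TokenRequestMarshaller
    public TokenTypeId getTokenType(JsonValue jsonValue) throws TokenMarshalException {
        JsonValue tokenTypeValue = jsonValue.get(TOKEN_TYPE);
        if (!tokenTypeValue.isString()) {
            throw new TokenMarshalException(400, "REST STS invocation does not contain token_type String entry. The json token: " + jsonValue);
        }
        final String tokenType = tokenTypeValue.asString();
        return new TokenTypeId() {
            public String getId() {
                return tokenType;
            }
        };
    }

    /** True when {@code tokenName} equals the custom token name of any operation in {@code operations}. */
    private static boolean isCustomTokenName(Set<CustomTokenOperation> operations, String tokenName) {
        for (CustomTokenOperation operation : operations) {
            if (tokenName.equals(operation.getCustomTokenName())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Resolves the SAML2 subject confirmation from the output-token creation state.
     *
     * <p>The full {@link SAML2TokenCreationState} parse is attempted first; if that fails the
     * bare {@code subject_confirmation} field is read directly (presumably so that a creation
     * state rejected for other reasons still yields a confirmation method — not verified here).
     *
     * @throws TokenMarshalException (400) when the field is absent or not a known
     *         {@link SAML2SubjectConfirmation} constant
     */
    private SAML2SubjectConfirmation getSubjectConfirmation(JsonValue jsonValue) throws TokenMarshalException {
        try {
            return SAML2TokenCreationState.fromJson(jsonValue).getSubjectConfirmation();
        } catch (TokenMarshalException ignored) {
            // Fall through to the field-level lookup below.
        }
        String subjectConfirmation = jsonValue.get(SUBJECT_CONFIRMATION).asString();
        if (subjectConfirmation == null) {
            throw new TokenMarshalException(400, "No subjectConfirmation specified in the JsonValue corresponding to SAML2TokenCreationState. The JsonValue: " + jsonValue.toString());
        }
        try {
            return SAML2SubjectConfirmation.valueOf(subjectConfirmation);
        } catch (IllegalArgumentException e) {
            throw new TokenMarshalException(400, "Invalid subjectConfirmation specified in the JsonValue corresponding to SAML2TokenCreationState. The JsonValue: " + jsonValue.toString(), e);
        }
    }

    /**
     * Reads the proof token state required for HOLDER_OF_KEY subject confirmation.
     *
     * @throws TokenMarshalException (400) when the creation state is invalid or carries no proof token
     */
    private ProofTokenState getProofTokenState(JsonValue jsonValue) throws TokenMarshalException {
        ProofTokenState proofTokenState = SAML2TokenCreationState.fromJson(jsonValue).getProofTokenState();
        if (proofTokenState == null) {
            throw new TokenMarshalException(400, "No ProofTokenState specified in the SAML2TokenCreationState. The JsonValue: " + jsonValue);
        }
        return proofTokenState;
    }

    // --- Parameter-object factories -------------------------------------------------------

    /** Wraps an input token in transform-validator parameters. */
    private static <T> RestTokenTransformValidatorParameters<T> transformValidatorParameters(final T inputToken) {
        return new RestTokenTransformValidatorParameters<T>() {
            @Override
            public T getInputToken() {
                return inputToken;
            }
        };
    }

    /** Wraps an issued token in issued-token-validator parameters. */
    private static <T> RestIssuedTokenValidatorParameters<T> issuedTokenValidatorParameters(final T inputToken) {
        return new RestIssuedTokenValidatorParameters<T>() {
            @Override
            public T getInputToken() {
                return inputToken;
            }
        };
    }

    /** Wraps an issued token in issued-token-canceller parameters. */
    private static <T> RestIssuedTokenCancellerParameters<T> issuedTokenCancellerParameters(final T inputToken) {
        return new RestIssuedTokenCancellerParameters<T>() {
            @Override
            public T getInputToken() {
                return inputToken;
            }
        };
    }

    // --- Issued-token validation / cancellation -------------------------------------------

    private RestIssuedTokenValidatorParameters<OpenIdConnectIdToken> buildOpenIdConnectIssuedTokenValidatorParameters(JsonValue jsonValue) throws TokenMarshalException {
        if (!jsonValue.get(OIDC_ID_TOKEN).isString()) {
            throw new TokenMarshalException(400, "Exception: json representation of a to-be-validated OIDC token does not contain a oidc_id_token field containing the to-be-validated token. The representation: " + jsonValue);
        }
        return issuedTokenValidatorParameters(new OpenIdConnectIdToken(jsonValue.get(OIDC_ID_TOKEN).asString()));
    }

    private RestIssuedTokenValidatorParameters<SAML2TokenState> buildSAML2IssuedTokenValidatorParameters(JsonValue jsonValue) throws TokenMarshalException {
        if (!jsonValue.get(SAML2_TOKEN).isString()) {
            throw new TokenMarshalException(400, "Exception: json representation of a to-be-validated SAML2 token does not contain a saml2_token field containing the to-be-validated token. The representation: " + jsonValue);
        }
        SAML2TokenState tokenState = SAML2TokenState.builder().tokenValue(jsonValue.get(SAML2_TOKEN).asString()).build();
        return issuedTokenValidatorParameters(tokenState);
    }

    private RestIssuedTokenCancellerParameters<OpenIdConnectIdToken> buildOpenIdConnectIssuedTokenCancellerParameters(JsonValue jsonValue) throws TokenMarshalException {
        if (!jsonValue.get(OIDC_ID_TOKEN).isString()) {
            throw new TokenMarshalException(400, "Exception: json representation of a to-be-cancelled OIDC token does not contain a oidc_id_token field containing the to-be-cancelled token. The representation: " + jsonValue);
        }
        return issuedTokenCancellerParameters(new OpenIdConnectIdToken(jsonValue.get(OIDC_ID_TOKEN).asString()));
    }

    private RestIssuedTokenCancellerParameters<SAML2TokenState> buildSAML2IssuedTokenCancellerParameters(JsonValue jsonValue) throws TokenMarshalException {
        if (!jsonValue.get(SAML2_TOKEN).isString()) {
            throw new TokenMarshalException(400, "Exception: json representation of a to-be-cancelled SAML2 token does not contain a saml2_token field containing the to-be-cancelled token. The representation: " + jsonValue);
        }
        SAML2TokenState tokenState = SAML2TokenState.builder().tokenValue(jsonValue.get(SAML2_TOKEN).asString()).build();
        return issuedTokenCancellerParameters(tokenState);
    }

    // --- Input tokens of a translation ----------------------------------------------------

    /**
     * Username/password input token. Both values are handed on as UTF-8 bytes; the password
     * is not logged or echoed in any error message here.
     */
    private RestTokenTransformValidatorParameters<RestUsernameToken> buildUsernameTokenTransformValidatorParameters(JsonValue jsonValue) throws TokenMarshalException {
        if (!jsonValue.get(USERNAME).isString()) {
            throw new TokenMarshalException(400, "Exception: json representation of UNT does not contain a username field. The representation: " + jsonValue);
        }
        if (!jsonValue.get(PASSWORD).isString()) {
            throw new TokenMarshalException(400, "Exception: json representation of UNT does not contain a password field. The representation: \n" + jsonValue);
        }
        byte[] username = jsonValue.get(USERNAME).asString().getBytes(StandardCharsets.UTF_8);
        byte[] password = jsonValue.get(PASSWORD).asString().getBytes(StandardCharsets.UTF_8);
        return transformValidatorParameters(new RestUsernameToken(username, password));
    }

    private RestTokenTransformValidatorParameters<OpenAMSessionToken> buildAMSessionTokenTransformValidatorParameters(JsonValue jsonValue) throws TokenMarshalException {
        if (!jsonValue.get(SESSION_ID).isString()) {
            throw new TokenMarshalException(400, "Exception: json representation of AM Session Token does not contain a session_id field. The representation: " + jsonValue);
        }
        return transformValidatorParameters(new OpenAMSessionToken(jsonValue.get(SESSION_ID).asString()));
    }

    private RestTokenTransformValidatorParameters<OpenIdConnectIdToken> buildOpenIdConnectIdTokenTransformValidatorParameters(JsonValue jsonValue) throws TokenMarshalException {
        if (!jsonValue.get(OIDC_ID_TOKEN).isString()) {
            throw new TokenMarshalException(400, "Exception: json representation of Open ID Connect ID Token does not contain a oidc_id_token field. The representation: " + jsonValue);
        }
        return transformValidatorParameters(new OpenIdConnectIdToken(jsonValue.get(OIDC_ID_TOKEN).asString()));
    }

    /**
     * X.509 input token. The certificate chain comes from the TLS layer when this deployment
     * terminates two-way TLS, otherwise from the configured offload header — and only when the
     * caller is an allowed TLS offload engine, since the header is otherwise attacker-writable.
     *
     * @throws TokenMarshalException (400) when the caller is not an allowed offload host or no
     *         certificate could be found
     */
    private RestTokenTransformValidatorParameters<X509Certificate[]> buildX509CertTokenTransformValidatorParameters(Context context) throws TokenMarshalException {
        final boolean tlsTerminatedHere = "".equals(offloadedTlsClientCertKey);
        final X509Certificate[] clientCerts;
        if (tlsTerminatedHere) {
            clientCerts = pullClientCertFromRequestAttribute(context.asContext(ClientContext.class));
        } else {
            // NOTE(review): whether this address reflects a forwarded-for header or the socket
            // peer depends on ClientUtils; the allow-list is only as strong as that source.
            String clientIpAddress = ClientUtils.getClientIPAddress(context);
            if (!isTlsOffloadEngineHost(clientIpAddress)) {
                logger.error("A x509-based token transformation is being rejected because the client cert was to be referenced in the  " + offloadedTlsClientCertKey + " header, but the caller was not in the list of TLS offload engines. The caller: " + clientIpAddress + "; The list of TLS offload engine hosts: " + tlsOffloadEngineHosts);
                throw new TokenMarshalException(400, "In a x509 Certificate token transformation,  the caller was not among the list of IP addresses corresponding to the TLS offload-engine hosts. Insure that your published rest-sts instance is configured with a complete list of TLS offload-engine hosts.");
            }
            clientCerts = pullClientCertFromHeader(context.asContext(HttpContext.class));
        }
        if (!ArrayUtils.isEmpty(clientCerts)) {
            return marshalX509CertIntoTokenValidatorParameters(clientCerts);
        }
        if (tlsTerminatedHere) {
            throw new TokenMarshalException(400, "A token transformation specifying an x509 token as input must be consumed via two-way-tls. No header was specified referencing the certificate, and the client's certificate was not found in the javax.servlet.request.X509Certificate attribute.");
        }
        throw new TokenMarshalException(400, "A token transformation specifying an x509 token as input must be consumed via two-way-tls. The " + offloadedTlsClientCertKey + " header was specified in the rest-sts instance configuration as referencing the certificate, yet no certificate was found referenced by this header value.");
    }

    /**
     * True when {@code clientIpAddress} is a configured offload-engine host, or the configured
     * set contains {@link #ANY_HOST}, which disables the check entirely.
     */
    private boolean isTlsOffloadEngineHost(String clientIpAddress) {
        return tlsOffloadEngineHosts.contains(clientIpAddress) || tlsOffloadEngineHosts.contains(ANY_HOST);
    }

    /** Returns the X.509 certificates the TLS layer attached to the client context (possibly empty). */
    private X509Certificate[] pullClientCertFromRequestAttribute(ClientContext clientContext) throws TokenMarshalException {
        return Iterables.toArray(Iterables.filter(clientContext.getCertificates(), X509Certificate.class), X509Certificate.class);
    }

    /**
     * Decodes every value of the configured offload header as a Base64 DER certificate.
     *
     * @return the decoded certificates in header order, or {@code null} when the header is absent
     * @throws TokenMarshalException (400) when a value is not valid Base64 or not a parseable
     *         certificate; (500) when no X.509 CertificateFactory is available
     */
    private X509Certificate[] pullClientCertFromHeader(HttpContext httpContext) throws TokenMarshalException {
        List<String> headerValues = httpContext.getHeader(offloadedTlsClientCertKey);
        if (headerValues == null || headerValues.isEmpty()) {
            return null;
        }
        final CertificateFactory certificateFactory;
        try {
            certificateFactory = CertificateFactory.getInstance("X.509");
        } catch (CertificateException e) {
            throw new TokenMarshalException(500, "Exception caught creating X.509 CertificateFactory: " + e, e);
        }
        X509Certificate[] certificates = new X509Certificate[headerValues.size()];
        int index = 0;
        for (String encodedCert : headerValues) {
            // Same Base64.decode(byte[]) overload as before; StandardCharsets removes the
            // impossible UnsupportedEncodingException path.
            byte[] der = Base64.decode(encodedCert.getBytes(StandardCharsets.UTF_8));
            if (der == null) {
                throw new TokenMarshalException(400, "Exception caught marshalling X509 cert from value set in " + offloadedTlsClientCertKey + " header: value is not valid Base64");
            }
            try {
                certificates[index++] = (X509Certificate) certificateFactory.generateCertificate(new ByteArrayInputStream(der));
            } catch (CertificateException e) {
                throw new TokenMarshalException(400, "Exception caught marshalling X509 cert from value set in " + offloadedTlsClientCertKey + " header: " + e, e);
            }
        }
        return certificates;
    }

    private RestTokenTransformValidatorParameters<X509Certificate[]> marshalX509CertIntoTokenValidatorParameters(final X509Certificate[] certificates) throws TokenMarshalException {
        return transformValidatorParameters(certificates);
    }

    /** Custom input tokens are passed through untouched; the custom validator interprets the JSON. */
    private RestTokenTransformValidatorParameters<JsonValue> buildCustomTokenTransformValidatorParameters(final JsonValue jsonValue) {
        return transformValidatorParameters(jsonValue);
    }

    // --- Output tokens of a translation ---------------------------------------------------

    /**
     * SAML2 output token. HOLDER_OF_KEY confirmation additionally requires a proof token in
     * the creation state.
     */
    private RestTokenProviderParameters<Saml2TokenCreationState> createSAML2TokenProviderParameters(TokenTypeId inputTokenType, JsonValue inputToken, JsonValue outputTokenState) throws TokenMarshalException {
        SAML2SubjectConfirmation subjectConfirmation = getSubjectConfirmation(outputTokenState);
        final Saml2TokenCreationState creationState;
        if (SAML2SubjectConfirmation.HOLDER_OF_KEY.equals(subjectConfirmation)) {
            creationState = new Saml2TokenCreationState(subjectConfirmation, getProofTokenState(outputTokenState));
        } else {
            creationState = new Saml2TokenCreationState(subjectConfirmation);
        }
        return new Saml2RestTokenProviderParameters(creationState, inputTokenType, inputToken);
    }

    /**
     * OIDC output token. The caller must explicitly consent to exposing its identity
     * ({@code allow_access:true}); the auth-time is stamped here in epoch seconds.
     */
    private RestTokenProviderParameters<OpenIdConnectTokenCreationState> createOpenIdConnectTokenProviderParameters(TokenTypeId inputTokenType, JsonValue inputToken, JsonValue outputTokenState) throws TokenMarshalException {
        // Fully qualified: the invocation-side creation state shares its simple name with the
        // provider-side one imported above.
        org.forgerock.openam.sts.user.invocation.OpenIdConnectTokenCreationState requested =
                org.forgerock.openam.sts.user.invocation.OpenIdConnectTokenCreationState.fromJson(outputTokenState);
        if (!requested.getAllowAccess()) {
            throw new TokenMarshalException(400, "The OpenIdConnectTokenCreation state must indicate access to the caller's identity with a field of allow_access:true.");
        }
        long authTimeSeconds = Time.currentTimeMillis() / 1000;
        return new OpenIdConnectRestTokenProviderParameters(new OpenIdConnectTokenCreationState(requested.getNonce(), authTimeSeconds), inputTokenType, inputToken);
    }

    private RestTokenProviderParameters<JsonValue> buildCustomTokenProviderParameters(TokenTypeId inputTokenType, JsonValue inputToken, JsonValue outputTokenState) {
        return new CustomRestTokenProviderParametersImpl(outputTokenState, inputTokenType, inputToken);
    }
}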
