package org.ovirt.engine.core.sso.utils;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.TrustManagerFactory;
import javax.servlet.ServletContext;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.message.BasicNameValuePair;
import org.apache.http.util.EntityUtils;
import org.codehaus.jackson.map.DeserializationConfig;
import org.codehaus.jackson.map.ObjectMapper;
import org.ovirt.engine.api.extensions.ExtMap;
import org.ovirt.engine.api.extensions.aaa.Authn;
import org.ovirt.engine.api.extensions.aaa.Authz;
import org.ovirt.engine.core.sso.utils.SsoSession;
import org.ovirt.engine.core.uutils.crypto.EnvelopeEncryptDecrypt;
import org.ovirt.engine.core.uutils.crypto.EnvelopePBE;
import org.ovirt.engine.core.uutils.net.HttpClientBuilder;
import org.ovirt.engine.core.uutils.net.URLBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/ovirt/engine/core/sso/utils/SsoUtils.class */
public class SsoUtils {
    // Class-wide SLF4J logger.
    private static Logger log = LoggerFactory.getLogger(SsoUtils.class);
    // Shared SecureRandom used by generateAuthorizationToken() and generateIdToken().
    private static SecureRandom secureRandom = new SecureRandom();
    // Map from a String key to a CloseableHttpClient. It is a plain HashMap, so it does no synchronization of its own.
    // NOTE(review): the code using this map is outside this part of the file - confirm access is guarded
    // if it can be reached from concurrent request threads.
    private static final Map<String, CloseableHttpClient> CLIENTS = new HashMap();

    /**
     * Tells whether the SSO session resolved for this request is in the {@code authenticated} state.
     *
     * <p>The session is resolved by {@link #getSsoSession(HttpServletRequest)}; anything that lookup
     * throws when no session can be found propagates from here as well.
     *
     * @param httpServletRequest the current request
     * @return {@code true} only when the session status is {@code SsoSession.Status.authenticated}
     */
    public static boolean isUserAuthenticated(HttpServletRequest httpServletRequest) {
        SsoSession current = getSsoSession(httpServletRequest);
        return SsoSession.Status.authenticated == current.getStatus();
    }

    /**
     * Redirects the browser back to the calling module, appending the session's authorization code
     * and, when present, the application URL and the {@code state} value to the redirect URL.
     *
     * <p>The target comes from {@link #getRedirectUrl(HttpServletRequest)}. The SSO session's
     * {@code cleanup()} is invoked both after a successful redirect and when anything is thrown.
     *
     * @throws IOException declared by the signature; failures inside the body are rethrown wrapped
     *         in a {@link RuntimeException}
     */
    public static void redirectToModule(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        log.debug("Entered redirectToModule");
        try {
            try {
                SsoSession ssoSession = getSsoSession(httpServletRequest);
                // The authorization code travels as a query parameter of the redirect URL.
                URLBuilder addParameter = new URLBuilder(getRedirectUrl(httpServletRequest)).addParameter(SsoConstants.HTTP_PARAM_AUTHORIZATION_CODE, ssoSession.getAuthorizationCode());
                String appUrl = ssoSession.getAppUrl();
                if (StringUtils.isNotEmpty(appUrl)) {
                    addParameter.addParameter(SsoConstants.HTTP_PARAM_APP_URL, appUrl);
                }
                String state = ssoSession.getState();
                if (StringUtils.isNotEmpty(state)) {
                    addParameter.addParameter(SsoConstants.HTTP_PARAM_STATE, state);
                }
                String build = addParameter.build();
                httpServletResponse.sendRedirect(build);
                // NOTE(review): the logged URL contains the authorization code, so debug logs of this class
                // hold a live credential; consider logging the URL without its query string.
                log.debug("Redirecting back to module: {}", build);
                getSsoSession(httpServletRequest).cleanup();
            } catch (Exception e) {
                // Only the message goes to the error log; the stack trace is emitted at debug level.
                log.error("Error redirecting back to module: {}", e.getMessage());
                log.debug("Exception", e);
                throw new RuntimeException(e);
            }
        } catch (Throwable th) {
            // Failure path: clean the session up before rethrowing. The session is looked up again here,
            // so a failure of that lookup would replace the original exception.
            getSsoSession(httpServletRequest).cleanup();
            throw th;
        }
    }

    /**
     * Returns the URL the browser is sent back to after the SSO flow.
     *
     * <p>The redirect URI stored on the SSO session wins; when it is empty the engine URL from the
     * SSO context with the path {@code /oauth2-callback} is used instead.
     *
     * <p>NOTE(review): nothing is validated here. The stored URI originates from the
     * {@code redirect_uri} handling in {@link #getSsoSession(HttpServletRequest, boolean)}, so this
     * relies on the callback-prefix check having been applied earlier in the flow - confirm.
     *
     * @param httpServletRequest the current request
     * @return the redirect target
     * @throws Exception if the session lookup or URL construction fails
     */
    public static String getRedirectUrl(HttpServletRequest httpServletRequest) throws Exception {
        String sessionRedirectUri = getSsoSession(httpServletRequest, true).getRedirectUri();
        if (!StringUtils.isEmpty(sessionRedirectUri)) {
            return sessionRedirectUri;
        }
        URLBuilder engineCallback = new URLBuilder(getSsoContext(httpServletRequest).getEngineUrl(), "/oauth2-callback");
        return engineCallback.build();
    }

    /**
     * Logs the given exception and redirects the browser to the module with OAuth error parameters.
     *
     * <p>An {@link OAuthException} is passed on unchanged; any other exception is wrapped in an
     * {@code OAuthException} with the server-error code, its own message and itself as cause.
     *
     * <p>NOTE(review): the exception message becomes the error description handed back to the
     * client, so internal exception text can end up in the redirect URL.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the response used for the redirect
     * @param exc the failure to report
     */
    public static void redirectToErrorPage(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Exception exc) {
        log.error(exc.getMessage());
        log.debug("Exception", exc);
        OAuthException oauthError;
        if (exc instanceof OAuthException) {
            oauthError = (OAuthException) exc;
        } else {
            oauthError = new OAuthException(SsoConstants.ERR_CODE_SERVER_ERROR, exc.getMessage(), exc);
        }
        redirectToErrorPageImpl(httpServletRequest, httpServletResponse, oauthError);
    }

    /**
     * Logs the OAuth error (code and message at error level, stack trace at debug level) and
     * redirects the browser to the module with the error parameters.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the response used for the redirect
     * @param oAuthException the OAuth error to report
     */
    public static void redirectToErrorPage(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OAuthException oAuthException) {
        Object errorCode = oAuthException.getCode();
        Object errorText = oAuthException.getMessage();
        log.error("OAuthException {}: {}", errorCode, errorText);
        log.debug("Exception", oAuthException);
        redirectToErrorPageImpl(httpServletRequest, httpServletResponse, oAuthException);
    }

    /**
     * Redirects the browser to the module's redirect URL with the OAuth error code, the error
     * description and, when the request carries one, the {@code state} parameter.
     *
     * <p>A session that is not authenticated is marked unauthenticated first. The session is cleaned
     * up on both the success and the failure path.
     *
     * @throws RuntimeException wrapping {@code oAuthException} when the redirect itself fails
     */
    private static void redirectToErrorPageImpl(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OAuthException oAuthException) {
        log.debug("Entered redirectToErrorPage");
        SsoSession ssoSession = null;
        try {
            try {
                ssoSession = getSsoSession(httpServletRequest, true);
                // An already authenticated session keeps its status; every other status becomes unauthenticated.
                if (ssoSession.getStatus() != SsoSession.Status.authenticated) {
                    ssoSession.setStatus(SsoSession.Status.unauthenticated);
                }
                URLBuilder uRLBuilder = new URLBuilder(getRedirectUrl(httpServletRequest));
                // NOTE(review): the exception message is sent to the client as the error description;
                // confirm it never carries internal details.
                uRLBuilder.addParameter(SsoConstants.ERROR, oAuthException.getCode()).addParameter(SsoConstants.ERROR_DESCRIPTION, oAuthException.getMessage());
                // The state value is read from the request (empty default), not from the session.
                String requestParameter = getRequestParameter(httpServletRequest, SsoConstants.HTTP_PARAM_STATE, "");
                if (StringUtils.isNotEmpty(requestParameter)) {
                    uRLBuilder.addParameter(SsoConstants.HTTP_PARAM_STATE, requestParameter);
                }
                // NOTE(review): sendRedirect below normally replaces the response status with a redirect
                // status, so this 400 is probably not what the client sees - confirm the intent.
                httpServletResponse.setStatus(400);
                String build = uRLBuilder.build();
                httpServletResponse.sendRedirect(build);
                log.debug("Redirecting back to module: {}", build);
                // ssoSession was already dereferenced above, so this null check always passes here.
                if (ssoSession != null) {
                    ssoSession.cleanup();
                }
            } catch (Exception e) {
                log.error("Error redirecting to error page: {}", e.getMessage());
                log.debug("Exception", e);
                // The rethrown exception wraps the original OAuth error, not the redirect failure 'e';
                // 'e' is only visible in the log lines above.
                throw new RuntimeException(oAuthException);
            }
        } catch (Throwable th) {
            // Failure path: ssoSession is still null when the session lookup itself failed.
            if (ssoSession != null) {
                ssoSession.cleanup();
            }
            throw th;
        }
    }

    /**
     * Creates a fresh random token: 64 bytes drawn from the class-level {@link SecureRandom},
     * encoded with a URL-safe, unchunked commons-codec {@link Base64} encoder.
     *
     * <p>The same generator produces both the authorization code and the access token in
     * {@code persistAuthInfoInContextWithToken}.
     *
     * @return the encoded token
     */
    public static String generateAuthorizationToken() {
        final byte[] entropy = new byte[64];
        secureRandom.nextBytes(entropy);
        // lineLength 0 and an empty separator disable chunking; the last argument selects the URL-safe alphabet.
        Base64 urlSafeEncoder = new Base64(0, new byte[0], true);
        return urlSafeEncoder.encodeToString(entropy);
    }

    /**
     * Serializes an object to a JSON string with a freshly configured Jackson {@link ObjectMapper}.
     *
     * <p>The mapper has default typing enabled for {@code OBJECT_AND_NON_CONCRETE} and registers
     * {@code JsonExtMapMixIn} as mix-in for {@link ExtMap}, so the output carries type information.
     *
     * <p>NOTE(review): output produced with default typing invites consumers to enable default typing
     * when reading it back. Any such reader must only ever be fed trusted input, because polymorphic
     * type ids in JSON are a known deserialization risk.
     *
     * @param obj the value to serialize
     * @return the JSON text
     * @throws IOException if serialization fails
     */
    public static String getJson(Object obj) throws IOException {
        ObjectMapper mapper = new ObjectMapper();
        mapper.configure(DeserializationConfig.Feature.FAIL_ON_UNKNOWN_PROPERTIES, false);
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        mapper.getSerializationConfig().addMixInAnnotations(ExtMap.class, JsonExtMapMixIn.class);
        return mapper.writeValueAsString(obj);
    }

    /**
     * Extracts the OAuth client id and client secret from the request.
     *
     * <p>The {@code client_id} and client-secret request parameters are read first; only when both
     * are empty is the {@code Authorization} header consulted. Both values must be present.
     *
     * <p>This method only extracts the pair. Verifying the secret is done elsewhere
     * (see {@code validateClientRequest}).
     *
     * @param httpServletRequest the current request
     * @return a two-element array: client id at index 0, client secret at index 1
     * @throws Exception an {@code OAuthException} with the invalid-request code when either value is missing
     */
    public static String[] getClientIdClientSecret(HttpServletRequest httpServletRequest) throws Exception {
        String[] idAndSecret = {
            httpServletRequest.getParameter("client_id"),
            httpServletRequest.getParameter(SsoConstants.HTTP_PARAM_CLIENT_SECRET)
        };
        boolean nothingInParameters = StringUtils.isEmpty(idAndSecret[0]) && StringUtils.isEmpty(idAndSecret[1]);
        if (nothingInParameters) {
            idAndSecret = getClientIdClientSecretFromHeader(httpServletRequest);
        }
        if (StringUtils.isEmpty(idAndSecret[0])) {
            String missingId = String.format(SsoConstants.ERR_CODE_INVALID_REQUEST_MSG, "client_id");
            throw new OAuthException(SsoConstants.ERR_CODE_INVALID_REQUEST, missingId);
        }
        if (StringUtils.isEmpty(idAndSecret[1])) {
            String missingSecret = String.format(SsoConstants.ERR_CODE_INVALID_REQUEST_MSG, SsoConstants.HTTP_PARAM_CLIENT_SECRET);
            throw new OAuthException(SsoConstants.ERR_CODE_INVALID_REQUEST, missingSecret);
        }
        return idAndSecret;
    }

    /**
     * Returns the client id from the {@code Authorization} header when that id is known to the
     * SSO context, otherwise {@code null}.
     *
     * <p>Only the existence of the client is checked here; the secret that accompanies the id in
     * the header is not verified by this method.
     *
     * @param httpServletRequest the current request
     * @return the registered client id, or {@code null}
     */
    public static String getClientId(HttpServletRequest httpServletRequest) {
        String[] fromHeader = getClientIdClientSecretFromHeader(httpServletRequest);
        if (fromHeader == null || !StringUtils.isNotEmpty(fromHeader[0])) {
            return null;
        }
        boolean registered = getSsoContext(httpServletRequest).getClienInfo(fromHeader[0]) != null;
        return registered ? fromHeader[0] : null;
    }

    /**
     * Decodes an HTTP Basic {@code Authorization} header into a client id / client secret pair.
     *
     * <p>The header must start with {@code Basic}; the remainder is Base64-decoded, read as UTF-8
     * and split at the first colon.
     *
     * @param httpServletRequest the current request
     * @return a two-element array; both elements are {@code null} when the header is absent, is not
     *         a Basic header, or does not contain a colon
     */
    public static String[] getClientIdClientSecretFromHeader(HttpServletRequest httpServletRequest) {
        String authorization = httpServletRequest.getHeader(SsoConstants.HEADER_AUTHORIZATION);
        if (StringUtils.isEmpty(authorization) || !authorization.startsWith("Basic")) {
            return new String[2];
        }
        byte[] decoded = Base64.decodeBase64(authorization.substring("Basic".length()));
        String[] idAndSecret = new String(decoded, StandardCharsets.UTF_8).split(":", 2);
        return idAndSecret.length == 2 ? idAndSecret : new String[2];
    }

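    /**
     * Reads a form parameter and re-decodes it: the value's ISO-8859-1 bytes are reinterpreted as
     * UTF-8 text.
     *
     * <p>The target charset is now spelled out. Previously the bytes were decoded with the JVM's
     * default charset, which made the result depend on the host's locale settings.
     *
     * <p>NOTE(review): this presumes the container decoded the parameter as ISO-8859-1 and that
     * clients submit UTF-8 - confirm against the deployment's request-encoding configuration.
     *
     * @param httpServletRequest the current request
     * @param str the parameter name
     * @return the re-decoded value, or {@code null} when the parameter is absent
     * @throws UnsupportedEncodingException kept for interface compatibility; not thrown by this body
     */
    public static String getFormParameter(HttpServletRequest httpServletRequest, String str) throws UnsupportedEncodingException {
        String raw = httpServletRequest.getParameter(str);
        if (raw == null) {
            return null;
        }
        return new String(raw.getBytes(StandardCharsets.ISO_8859_1), StandardCharsets.UTF_8);
    }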

    /**
     * Returns a mandatory request parameter, reporting a missing one with a plain {@code OAuthException}.
     *
     * @param httpServletRequest the current request
     * @param str the parameter name
     * @return the parameter value, never {@code null}
     * @throws Exception an {@code OAuthException} with the invalid-request code when the parameter is absent
     */
    public static String getRequestParameter(HttpServletRequest httpServletRequest, String str) throws Exception {
        final boolean reportAsBadRequest = false;
        return getRequestParameter(httpServletRequest, str, reportAsBadRequest);
    }

    /**
     * Returns a mandatory request parameter.
     *
     * @param httpServletRequest the current request
     * @param str the parameter name
     * @param z when {@code true} a missing parameter is reported with {@code OAuthBadRequestException},
     *          otherwise with {@code OAuthException}; both carry the invalid-request code
     * @return the parameter value, never {@code null}
     * @throws Exception the exception described above when the parameter is absent
     */
    public static String getRequestParameter(HttpServletRequest httpServletRequest, String str, boolean z) throws Exception {
        String value = httpServletRequest.getParameter(str);
        if (value != null) {
            return value;
        }
        String message = String.format(SsoConstants.ERR_CODE_INVALID_REQUEST_MSG, str);
        if (z) {
            throw new OAuthBadRequestException(SsoConstants.ERR_CODE_INVALID_REQUEST, message);
        }
        throw new OAuthException(SsoConstants.ERR_CODE_INVALID_REQUEST, message);
    }

    /**
     * Renders all request parameters as {@code "name = value, "} pairs in one string.
     *
     * <p>Only the parameter literally named {@code password} is masked with {@code ***}.
     *
     * <p>NOTE(review): every other parameter is rendered verbatim, including the client secret,
     * tokens and authorization codes if the request carries them. If this string reaches a log,
     * those names should be masked as well.
     *
     * @param httpServletRequest the current request
     * @return the rendered parameters; whatever was collected so far when reading a parameter fails
     */
    public static String getRequestParameters(HttpServletRequest httpServletRequest) {
        StringBuilder rendered = new StringBuilder();
        try {
            Enumeration names = httpServletRequest.getParameterNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                String shown;
                if ("password".equals(name)) {
                    shown = "***";
                } else {
                    shown = getRequestParameter(httpServletRequest, name);
                }
                rendered.append(String.format("%s = %s, ", name, shown));
            }
        } catch (Exception e) {
            // Best effort: a failure stops the enumeration and the partial result is returned.
            log.debug("Unable to get parameters from request");
        }
        return rendered.toString();
    }

    /**
     * Returns an optional request parameter, falling back to a default when it cannot be read.
     *
     * @param httpServletRequest the current request
     * @param str the parameter name
     * @param str2 the value returned when the parameter is absent
     * @return the parameter value or {@code str2}
     */
    public static String getRequestParameter(HttpServletRequest httpServletRequest, String str, String str2) {
        try {
            return getRequestParameter(httpServletRequest, str);
        } catch (Exception e) {
            // The mandatory lookup signals absence by throwing; here that just selects the default.
            log.debug("Parameter {} not found request, using default value", str);
            return str2;
        }
    }

    /**
     * Reads the {@code scope} request parameter and expands it with the scope dependencies known
     * to the SSO context.
     *
     * @param httpServletRequest the current request
     * @param str the scope string used when the request has no {@code scope} parameter
     * @return the space-separated, expanded scope
     */
    public static String getScopeRequestParameter(HttpServletRequest httpServletRequest, String str) {
        SsoContext ssoContext = getSsoContext(httpServletRequest);
        String requestedScope = getRequestParameter(httpServletRequest, "scope", str);
        return resolveScopeWithDependencies(ssoContext, requestedScope);
    }

    /**
     * Expands a scope string: every scope in it is kept and the dependencies the SSO context
     * reports for it are added.
     *
     * <p>The result is de-duplicated and sorted because it is collected in a {@link TreeSet}.
     *
     * @param ssoContext the context providing the scope dependencies
     * @param str the whitespace-separated scope string
     * @return the expanded scopes joined with single spaces
     */
    public static String resolveScopeWithDependencies(SsoContext ssoContext, String str) {
        Set<String> resolved = new TreeSet<>();
        scopeAsList(str).forEach(scope -> {
            resolved.add(scope);
            resolved.addAll(ssoContext.getScopeDependencies(scope));
        });
        return StringUtils.join(resolved, " ");
    }

    /**
     * Fetches the {@code SsoContext} stored as an attribute of the request's servlet context.
     *
     * @param httpServletRequest the current request
     * @return the stored context, or {@code null} when the attribute is not set
     */
    public static SsoContext getSsoContext(HttpServletRequest httpServletRequest) {
        ServletContext servletContext = httpServletRequest.getServletContext();
        Object stored = servletContext.getAttribute(SsoConstants.OVIRT_SSO_CONTEXT);
        return (SsoContext) stored;
    }

    /**
     * Fetches the {@code SsoContext} stored as an attribute of the given servlet context.
     *
     * @param servletContext the servlet context to read from
     * @return the stored context, or {@code null} when the attribute is not set
     */
    public static SsoContext getSsoContext(ServletContext servletContext) {
        Object stored = servletContext.getAttribute(SsoConstants.OVIRT_SSO_CONTEXT);
        return (SsoContext) stored;
    }

    /**
     * Looks up the SSO session registered for a token, without a client-id check and without
     * failing when no session exists.
     *
     * @param httpServletRequest the current request
     * @param str the token identifying the session
     * @return the session, or {@code null} when none is registered for the token
     */
    public static SsoSession getSsoSessionFromRequest(HttpServletRequest httpServletRequest, String str) {
        final String noClientId = null;
        final boolean mustExist = false;
        return getSsoSession(httpServletRequest, noClientId, str, mustExist);
    }

    /**
     * Looks up the SSO session registered for a token, without a client-id check.
     *
     * @param httpServletRequest the current request
     * @param str the token identifying the session
     * @param z when {@code true} a missing session is reported with an {@code OAuthException}
     * @return the session; {@code null} only when {@code z} is {@code false} and none is registered
     */
    public static SsoSession getSsoSession(HttpServletRequest httpServletRequest, String str, boolean z) {
        final String noClientId = null;
        return getSsoSession(httpServletRequest, noClientId, str, z);
    }

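    /**
     * Looks up the SSO session registered for a token and optionally checks that it belongs to the
     * given client.
     *
     * <p>Expired tokens are purged first. A session that is found is touched. Compared with the
     * previous body, a missing session with {@code z == false} and a non-empty {@code str} now
     * returns {@code null} instead of failing with a {@code NullPointerException} in the client check.
     *
     * <p>NOTE(review): the client check is skipped when the session has no client id recorded, so
     * such a session is returned to any caller - confirm that this is intended.
     *
     * @param httpServletRequest the current request
     * @param str the client id the session must belong to; empty or {@code null} disables the check
     * @param str2 the token identifying the session
     * @param z when {@code true} a missing session is reported with an invalid-grant {@code OAuthException}
     * @return the session, or {@code null} when none is registered and {@code z} is {@code false}
     */
    public static SsoSession getSsoSession(HttpServletRequest httpServletRequest, String str, String str2, boolean z) {
        TokenCleanupUtility.cleanupExpiredTokens(httpServletRequest.getServletContext());
        SsoContext ssoContext = getSsoContext(httpServletRequest);
        SsoSession ssoSession = null;
        if (StringUtils.isNotEmpty(str2)) {
            ssoSession = ssoContext.getSsoSession(str2);
            if (ssoSession != null) {
                ssoSession.touch();
            }
        }
        if (ssoSession == null) {
            if (z) {
                throw new OAuthException(SsoConstants.ERR_CODE_INVALID_GRANT, ssoContext.getLocalizationUtils().localize(SsoConstants.APP_ERROR_INVALID_GRANT, (Locale) httpServletRequest.getAttribute(SsoConstants.LOCALE)));
            }
            // Nothing to bind a client check to; the caller asked for an optional lookup.
            return null;
        }
        String sessionClientId = ssoSession.getClientId();
        if (StringUtils.isNotEmpty(str) && StringUtils.isNotEmpty(sessionClientId) && !sessionClientId.equals(str)) {
            throw new OAuthException(SsoConstants.ERR_CODE_UNAUTHORIZED_CLIENT, SsoConstants.ERR_CODE_UNAUTHORIZED_CLIENT);
        }
        return ssoSession;
    }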

    /**
     * Resolves the SSO session for a request, trying three sources in order: the {@code sso_token}
     * request parameter, the attribute stored on the existing HTTP session, and the
     * {@code sessionIdToken} form parameter.
     *
     * <p>When the session is found through one of the two parameters it is stored on the HTTP
     * session (created if necessary) and linked to it.
     *
     * <p>NOTE(review): a request parameter alone selects which SSO session is bound to the caller's
     * HTTP session, so both values act as bearer secrets; confirm they are never logged and are only
     * accepted over TLS.
     *
     * @return the resolved session, never {@code null}
     * @throws OAuthException with the invalid-grant code when no session can be resolved, or with the
     *         server-error code when the session id token cannot be decoded
     */
    public static SsoSession getSsoSession(HttpServletRequest httpServletRequest) {
        SsoSession ssoSession;
        SsoContext ssoContext = getSsoContext(httpServletRequest);
        String parameter = httpServletRequest.getParameter("sso_token");
        // No usable sso_token: fall back to the SSO session kept on the existing HTTP session, if any.
        if (!StringUtils.isNotEmpty(parameter) || getSsoContext(httpServletRequest).getSsoSession(parameter) == null) {
            ssoSession = httpServletRequest.getSession(false) == null ? null : (SsoSession) httpServletRequest.getSession().getAttribute(SsoConstants.OVIRT_SSO_SESSION);
        } else {
            // The token maps to a registered session: bind it to the HTTP session, creating one if needed.
            ssoSession = getSsoContext(httpServletRequest).getSsoSession(parameter);
            HttpSession session = httpServletRequest.getSession(true);
            session.setAttribute(SsoConstants.OVIRT_SSO_SESSION, ssoSession);
            ssoSession.setHttpSession(session);
        }
        if (ssoSession == null) {
            try {
                // Last resort: look the session up by the id token posted with the form.
                String formParameter = getFormParameter(httpServletRequest, "sessionIdToken");
                if (StringUtils.isNotEmpty(formParameter)) {
                    ssoSession = getSsoContext(httpServletRequest).getSsoSessionById(formParameter);
                }
                if (ssoSession == null) {
                    throw new OAuthException(SsoConstants.ERR_CODE_INVALID_GRANT, ssoContext.getLocalizationUtils().localize(SsoConstants.APP_ERROR_SESSION_EXPIRED, (Locale) httpServletRequest.getAttribute(SsoConstants.LOCALE)));
                }
                HttpSession session2 = httpServletRequest.getSession(true);
                session2.setAttribute(SsoConstants.OVIRT_SSO_SESSION, ssoSession);
                ssoSession.setHttpSession(session2);
            } catch (UnsupportedEncodingException e) {
                // The decoding failure itself is dropped; only a localized message reaches the caller.
                throw new OAuthException(SsoConstants.ERR_CODE_SERVER_ERROR, ssoContext.getLocalizationUtils().localize(SsoConstants.APP_ERROR_UNABLE_TO_DECODE_SESSION_ID_TOKEN, (Locale) httpServletRequest.getAttribute(SsoConstants.LOCALE)));
            }
        }
        return ssoSession;
    }

    /**
     * Creates a short random identifier: 8 bytes from the class-level {@link SecureRandom}, encoded
     * with a URL-safe, unchunked commons-codec {@link Base64} encoder.
     *
     * <p>NOTE(review): 8 bytes are 64 bits of entropy, far less than the 64-byte tokens produced by
     * {@code generateAuthorizationToken}. Confirm this value is never the only secret protecting
     * access to a session.
     *
     * @return the encoded identifier
     * @throws NoSuchAlgorithmException declared by the signature; not thrown by this body
     */
    public static String generateIdToken() throws NoSuchAlgorithmException {
        final byte[] entropy = new byte[8];
        secureRandom.nextBytes(entropy);
        Base64 urlSafeEncoder = new Base64(0, new byte[0], true);
        return urlSafeEncoder.encodeToString(entropy);
    }

    /**
     * Returns the SSO session kept on the HTTP session and, on request, initializes it from the
     * current request.
     *
     * <p>With {@code z == true}, a missing session or one without a client id is (re)initialized:
     * application URL, client id, scope and redirect URI are taken from the request. A newly created
     * session object is only returned; this method does not store it on the HTTP session.
     *
     * <p>NOTE(review): the redirect URI is copied from the request parameter as-is. It is later used
     * as a redirect target, so it must have passed the callback-prefix check before that - confirm
     * the order in the calling flow.
     *
     * @param httpServletRequest the current request
     * @param z whether to create or initialize the session when it is missing or has no client id
     * @return the session, or {@code null} when there is none and {@code z} is {@code false}
     * @throws UnsupportedEncodingException declared by the signature
     */
    public static SsoSession getSsoSession(HttpServletRequest httpServletRequest, boolean z) throws UnsupportedEncodingException {
        SsoSession ssoSession = null;
        if (httpServletRequest.getSession(false) != null) {
            ssoSession = (SsoSession) httpServletRequest.getSession().getAttribute(SsoConstants.OVIRT_SSO_SESSION);
        }
        boolean lacksClient = ssoSession == null || StringUtils.isEmpty(ssoSession.getClientId());
        if (!lacksClient || !z) {
            return ssoSession;
        }
        if (ssoSession == null) {
            ssoSession = new SsoSession();
        }
        ssoSession.setAppUrl(getRequestParameter(httpServletRequest, SsoConstants.HTTP_PARAM_APP_URL, ""));
        ssoSession.setClientId(getClientId(httpServletRequest));
        ssoSession.setScope(getScopeRequestParameter(httpServletRequest, ""));
        ssoSession.setRedirectUri(httpServletRequest.getParameter(SsoConstants.HTTP_PARAM_REDIRECT_URI));
        return ssoSession;
    }

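    /**
     * Decodes an HTTP Basic {@code Authorization} header into user credentials.
     *
     * <p>The header must start with {@code Basic}, matching {@code getClientIdClientSecretFromHeader}.
     * Previously any non-empty header was sliced and Base64-decoded: a value shorter than the scheme
     * name raised {@code StringIndexOutOfBoundsException}, and headers of other schemes were decoded
     * as if they carried a user name and password.
     *
     * @param httpServletRequest the current request
     * @return the credentials, or {@code null} when the header is absent, is not a Basic header, or
     *         its decoded form contains no colon
     */
    public static Credentials getUserCredentialsFromHeader(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader(SsoConstants.HEADER_AUTHORIZATION);
        if (StringUtils.isEmpty(header) || !header.startsWith("Basic")) {
            return null;
        }
        byte[] decoded = Base64.decodeBase64(header.substring("Basic".length()));
        // Split at the first colon only, so a password may itself contain colons.
        String[] userAndPassword = new String(decoded, StandardCharsets.UTF_8).split(":", 2);
        if (userAndPassword.length != 2) {
            return null;
        }
        return translateUser(userAndPassword[0], userAndPassword[1], getSsoContext(httpServletRequest));
    }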

    /**
     * Checks that credentials are complete, using the non-interactive error message for a missing
     * user name.
     *
     * @param httpServletRequest the current request
     * @param credentials the credentials to check
     * @return {@code true} when the credentials are complete
     * @throws AuthenticationException when user name or profile is missing or the profile is unknown
     */
    public static boolean areCredentialsValid(HttpServletRequest httpServletRequest, Credentials credentials) throws AuthenticationException {
        final boolean interactive = false;
        return areCredentialsValid(httpServletRequest, credentials, interactive);
    }

    /**
     * Checks that credentials are structurally complete: a user name is present, the profile is
     * flagged valid and a profile name is present. The checks run in that order.
     *
     * <p>This is a completeness check only. It does not verify the password.
     *
     * @param httpServletRequest the current request; its locale attribute selects the message language
     * @param credentials the credentials to check
     * @param z selects the interactive-authentication wording for the missing-user-name message
     * @return always {@code true} when no exception is thrown
     * @throws AuthenticationException with a localized message for the first failing check
     */
    public static boolean areCredentialsValid(HttpServletRequest httpServletRequest, Credentials credentials, boolean z) throws AuthenticationException {
        SsoContext ssoContext = getSsoContext(httpServletRequest);
        String errorKey = null;
        if (StringUtils.isEmpty(credentials.getUsername())) {
            errorKey = z ? SsoConstants.APP_ERROR_NO_USER_NAME_IN_CREDENTIALS_INTERACTIVE_AUTH : SsoConstants.APP_ERROR_NO_USER_NAME_IN_CREDENTIALS;
        } else if (!credentials.isProfileValid()) {
            errorKey = SsoConstants.APP_ERROR_NO_VALID_PROFILE_IN_CREDENTIALS;
        } else if (StringUtils.isEmpty(credentials.getProfile())) {
            errorKey = SsoConstants.APP_ERROR_NO_PROFILE_IN_CREDENTIALS;
        }
        if (errorKey != null) {
            throw new AuthenticationException(ssoContext.getLocalizationUtils().localize(errorKey, (Locale) httpServletRequest.getAttribute(SsoConstants.LOCALE)));
        }
        return true;
    }

    /**
     * Builds credentials from a login of the form {@code user@profile} and a password.
     *
     * <p>The login is split at its last {@code @}. A non-empty part after it becomes the profile,
     * which is flagged valid only when the SSO context lists it among its profiles. Without an
     * {@code @} the whole login is the user name and no profile is set.
     *
     * @param str the login as entered
     * @param str2 the password
     * @param ssoContext the context providing the known profiles
     * @return the populated credentials
     */
    public static Credentials translateUser(String str, String str2, SsoContext ssoContext) {
        Credentials credentials = new Credentials();
        String username = str;
        int at = str.lastIndexOf("@");
        if (at >= 0) {
            username = str.substring(0, at);
            String profile = str.substring(at + 1);
            if (!StringUtils.isEmpty(profile)) {
                credentials.setProfile(profile);
                boolean knownProfile = ssoContext.getSsoProfiles().contains(profile);
                credentials.setProfileValid(knownProfile);
            }
        }
        credentials.setUsername(username);
        credentials.setPassword(str2);
        return credentials;
    }

    /**
     * Picks the user identifier from a principal record: the {@code PRINCIPAL} entry when present,
     * otherwise the {@code NAME} entry.
     *
     * @param extMap the principal record
     * @return the identifier, or {@code null} when neither entry is set
     */
    public static String getUserId(ExtMap extMap) {
        String principal = (String) extMap.get(Authz.PrincipalRecord.PRINCIPAL);
        if (principal != null) {
            return principal;
        }
        return (String) extMap.get(Authz.PrincipalRecord.NAME);
    }

    /**
     * Stores the user's password on the SSO session in encrypted form, but only when the session's
     * scopes include the password-access scope and a password was supplied.
     *
     * <p>Encryption failures are logged and swallowed; in that case no password is stored.
     *
     * <p>NOTE(review): the password is kept in recoverable form. Confirm that the scope gating this
     * is only granted to clients that need the clear-text password.
     *
     * @param httpServletRequest the current request, used to reach the servlet context
     * @param ssoSession the session to store the password on
     * @param str the clear-text password, may be {@code null}
     */
    public static void persistUserPassword(HttpServletRequest httpServletRequest, SsoSession ssoSession, String str) {
        try {
            boolean passwordScopeGranted = ssoSession.getScopeAsList().contains(SsoConstants.PASSWORD_ACCESS_SCOPE);
            if (!passwordScopeGranted || str == null) {
                return;
            }
            String sealed = encrypt(httpServletRequest.getServletContext(), str);
            ssoSession.setPassword(sealed);
        } catch (Exception e) {
            log.error("Unable to encrypt password: {}", e.getMessage());
            log.debug("Exception", e);
        }
    }

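    /**
     * Completes a successful authentication: generates the authorization code and the access token,
     * records the authentication and principal data on the SSO session, registers the session with
     * the SSO context and marks it authenticated.
     *
     * <p>The previous body assigned the expiry to a local variable that stayed unassigned when the
     * {@code VALID_TO} value could not be parsed. The expiry is now only written when it is known:
     * {@code Long.MAX_VALUE} when the record has no {@code VALID_TO}, the parsed time otherwise.
     *
     * <p>NOTE(review): when parsing fails, the session keeps whatever expiry it already had. Confirm
     * that this default does not leave such a session valid indefinitely; rejecting the login may be
     * the safer reaction.
     *
     * @param httpServletRequest the current request; the access token is also set as its
     *        {@code access_token} attribute
     * @param str the user's password, stored only when the session's scope allows it
     * @param str2 the profile the user authenticated against
     * @param extMap the authentication record
     * @param extMap2 the principal record
     * @return the updated session
     * @throws Exception if the session lookup fails
     */
    public static SsoSession persistAuthInfoInContextWithToken(HttpServletRequest httpServletRequest, String str, String str2, ExtMap extMap, ExtMap extMap2) throws Exception {
        String validToText = (String) extMap.get(Authn.AuthRecord.VALID_TO);
        String authorizationCode = generateAuthorizationToken();
        String accessToken = generateAuthorizationToken();
        SsoSession ssoSession = getSsoSession(httpServletRequest, true);
        ssoSession.setAccessToken(accessToken);
        ssoSession.setAuthorizationCode(authorizationCode);
        httpServletRequest.setAttribute("access_token", accessToken);
        ssoSession.setActive(true);
        ssoSession.setAuthRecord(extMap);
        ssoSession.setAutheticatedCredentials(ssoSession.getTempCredentials());
        getSsoContext(httpServletRequest).registerSsoSession(ssoSession);
        ssoSession.setPrincipalRecord(extMap2);
        ssoSession.setProfile(str2);
        ssoSession.setStatus(SsoSession.Status.authenticated);
        // The temporary credentials were promoted above and are no longer needed.
        ssoSession.setTempCredentials(null);
        ssoSession.setUserId(getUserId(extMap2));

        long validTo = Long.MAX_VALUE;
        boolean validToKnown = true;
        if (validToText != null) {
            try {
                // SimpleDateFormat is not thread-safe, hence a fresh instance per call.
                validTo = new SimpleDateFormat("yyyyMMddHHmmssZ").parse(validToText).getTime();
            } catch (Exception e) {
                validToKnown = false;
                log.error("Unable to parse Auth Record valid_to value: {}", e.getMessage());
                log.debug("Exception", e);
            }
        }
        if (validToKnown) {
            ssoSession.setValidTo(validTo);
        }

        persistUserPassword(httpServletRequest, ssoSession, str);
        ssoSession.touch();
        return ssoSession;
    }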

    /**
     * Requires the request's {@code Accept} header to be exactly {@code application/json}.
     *
     * <p>The comparison is an exact string match, so a header with parameters or several media types
     * is rejected as well.
     *
     * @param httpServletRequest the current request
     * @throws OAuthException with the invalid-request code when the header is missing or different
     */
    public static void validateClientAcceptHeader(HttpServletRequest httpServletRequest) {
        String accept = httpServletRequest.getHeader("Accept");
        boolean acceptsJson = "application/json".equals(accept);
        if (!acceptsJson) {
            String message = String.format(SsoConstants.ERR_CODE_INVALID_REQUEST_MSG, "Accept Header");
            throw new OAuthException(SsoConstants.ERR_CODE_INVALID_REQUEST, message);
        }
    }

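    /**
     * Validates that a client is registered and trusted and that the requested redirect URI starts
     * with one of the client's callback prefixes or with {@code https://} followed by one of the
     * configured alternate engine FQDNs.
     *
     * <p>Changes to the previous body: both sides of the comparison are lower-cased with
     * {@link Locale#ROOT} instead of the JVM default locale, and the server-error exception keeps
     * the original exception as its cause.
     *
     * <p>NOTE(review): the prefix check is skipped when {@code SSO_CALLBACK_PREFIX_CHECK} is off or
     * the URI is empty. It is also a plain string comparison: a prefix that ends right after a host
     * name (no trailing {@code /}) does not pin the host, because a longer host name starts with the
     * same characters. Consider parsing the URI with {@code java.net.URI} and comparing scheme, host
     * and port exactly.
     *
     * @param httpServletRequest the current request
     * @param str the client id
     * @param str2 the redirect URI to validate, may be empty
     * @throws OAuthBadRequestException when the client is unknown or untrusted, or the URI matches no prefix
     * @throws OAuthException with the server-error code for any other failure
     */
    public static void validateRedirectUri(HttpServletRequest httpServletRequest, String str, String str2) {
        try {
            SsoContext ssoContext = getSsoContext(httpServletRequest);
            ClientInfo clienInfo = ssoContext.getClienInfo(str);
            if (clienInfo == null) {
                throw new OAuthBadRequestException(SsoConstants.ERR_CODE_UNAUTHORIZED_CLIENT, SsoConstants.ERR_CODE_UNAUTHORIZED_CLIENT_MSG);
            }
            if (!clienInfo.isTrusted()) {
                throw new OAuthBadRequestException(SsoConstants.ERR_CODE_ACCESS_DENIED, SsoConstants.ERR_CODE_ACCESS_DENIED_MSG);
            }
            if (StringUtils.isNotEmpty(str2) && ssoContext.getSsoLocalConfig().getBoolean("SSO_CALLBACK_PREFIX_CHECK")) {
                List<String> allowedPrefixes = new ArrayList<>(scopeAsList(clienInfo.getCallbackPrefix()));
                for (String fqdn : scopeAsList(ssoContext.getSsoLocalConfig().getProperty("SSO_ALTERNATE_ENGINE_FQDNS"))) {
                    allowedPrefixes.add(String.format("https://%s", fqdn));
                }
                // Locale.ROOT keeps the case folding independent of the server's locale.
                String candidate = str2.toLowerCase(Locale.ROOT);
                boolean registered = allowedPrefixes.stream()
                        .anyMatch(prefix -> candidate.startsWith(prefix.toLowerCase(Locale.ROOT)));
                if (!registered) {
                    throw new OAuthBadRequestException(SsoConstants.ERR_CODE_INVALID_REQUEST, ssoContext.getLocalizationUtils().localize(SsoConstants.APP_ERROR_REDIRECT_URI_NOTREG_MSG, (Locale) httpServletRequest.getAttribute(SsoConstants.LOCALE)));
                }
            }
        } catch (OAuthBadRequestException e) {
            throw e;
        } catch (Exception e2) {
            log.error("Internal Server Error: {}", e2.getMessage());
            log.debug("Exception", e2);
            throw new OAuthException(SsoConstants.ERR_CODE_SERVER_ERROR, e2.getMessage(), e2);
        }
    }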

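    /**
     * Validates a client request: the client must be registered and trusted; when supplied, the
     * client secret must verify, the scope must be within the client's scope, and the redirect URI
     * must start with an allowed callback prefix.
     *
     * <p>Changes to the previous body: both sides of the prefix comparison are lower-cased with
     * {@link Locale#ROOT} instead of the JVM default locale, and the server-error exception keeps
     * the original exception as its cause.
     *
     * <p>NOTE(review): each of the secret, scope and redirect checks is skipped when its argument is
     * empty, so a caller that passes no secret gets no client authentication from this method.
     * Endpoints that require client authentication must ensure a secret is present first (see
     * {@code getClientIdClientSecret}).
     *
     * <p>NOTE(review): the redirect check is a plain string prefix comparison, skipped when
     * {@code SSO_CALLBACK_PREFIX_CHECK} is off. A prefix that ends right after a host name does not
     * pin the host. Consider parsing the URI with {@code java.net.URI} and comparing scheme, host
     * and port exactly.
     *
     * @param httpServletRequest the current request
     * @param str the client id
     * @param str2 the client secret, may be empty
     * @param str3 the requested scope, may be empty
     * @param str4 the redirect URI, may be empty
     * @throws OAuthException describing the first failing check, or with the server-error code for
     *         any other failure
     */
    public static void validateClientRequest(HttpServletRequest httpServletRequest, String str, String str2, String str3, String str4) {
        try {
            SsoContext ssoContext = getSsoContext(httpServletRequest);
            ClientInfo clienInfo = ssoContext.getClienInfo(str);
            if (clienInfo == null) {
                throw new OAuthException(SsoConstants.ERR_CODE_UNAUTHORIZED_CLIENT, SsoConstants.ERR_CODE_UNAUTHORIZED_CLIENT_MSG);
            }
            if (!clienInfo.isTrusted()) {
                throw new OAuthException(SsoConstants.ERR_CODE_ACCESS_DENIED, SsoConstants.ERR_CODE_ACCESS_DENIED_MSG);
            }
            if (StringUtils.isNotEmpty(str2) && !EnvelopePBE.check(clienInfo.getClientSecret(), str2)) {
                throw new OAuthException(SsoConstants.ERR_CODE_INVALID_REQUEST, String.format(SsoConstants.ERR_CODE_INVALID_REQUEST_MSG, SsoConstants.HTTP_PARAM_CLIENT_SECRET));
            }
            if (StringUtils.isNotEmpty(str3)) {
                validateScope(clienInfo.getScope(), str3);
            }
            if (StringUtils.isNotEmpty(str4) && ssoContext.getSsoLocalConfig().getBoolean("SSO_CALLBACK_PREFIX_CHECK")) {
                List<String> allowedPrefixes = new ArrayList<>(scopeAsList(clienInfo.getCallbackPrefix()));
                for (String fqdn : scopeAsList(ssoContext.getSsoLocalConfig().getProperty("SSO_ALTERNATE_ENGINE_FQDNS"))) {
                    allowedPrefixes.add(String.format("https://%s", fqdn));
                }
                // Locale.ROOT keeps the case folding independent of the server's locale.
                String candidate = str4.toLowerCase(Locale.ROOT);
                boolean registered = allowedPrefixes.stream()
                        .anyMatch(prefix -> candidate.startsWith(prefix.toLowerCase(Locale.ROOT)));
                if (!registered) {
                    throw new OAuthException(SsoConstants.ERR_CODE_INVALID_REQUEST, SsoConstants.ERR_REDIRECT_URI_NOTREG_MSG);
                }
            }
        } catch (OAuthException e) {
            throw e;
        } catch (Exception e2) {
            log.error("Internal Server Error: {}", e2.getMessage());
            log.debug("Exception", e2);
            throw new OAuthException(SsoConstants.ERR_CODE_SERVER_ERROR, e2.getMessage(), e2);
        }
    }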

    /**
     * Checks a requested scope against the scope of the session registered for a token.
     *
     * <p>Nothing is checked when the requested scope is empty, when no session is registered for the
     * token, or when that session has no scope.
     *
     * @param httpServletRequest the current request
     * @param str the token identifying the session
     * @param str2 the requested scope
     * @throws OAuthException with the invalid-scope code when the request exceeds the session's scope
     */
    public static void validateRequestScope(HttpServletRequest httpServletRequest, String str, String str2) {
        if (!StringUtils.isNotEmpty(str2)) {
            return;
        }
        SsoSession session = getSsoSessionFromRequest(httpServletRequest, str);
        if (session == null || session.getScope() == null) {
            return;
        }
        validateScope(session.getScopeAsList(), str2);
    }

    /**
     * Verifies that every requested scope is contained in the allowed scopes. Both sides are
     * normalized with {@code strippedScopeAsList} before they are compared.
     *
     * @param list the allowed scopes
     * @param str the requested scopes as a whitespace-separated string
     * @throws OAuthException with the invalid-scope code when a requested scope is not allowed
     */
    public static void validateScope(List<String> list, String str) {
        List<String> allowed = strippedScopeAsList(list);
        List<String> requested = strippedScopeAsList(scopeAsList(str));
        boolean withinAllowed = allowed.containsAll(requested);
        if (withinAllowed) {
            return;
        }
        throw new OAuthException(SsoConstants.ERR_CODE_INVALID_SCOPE, String.format(SsoConstants.ERR_CODE_INVALID_SCOPE_MSG, requested));
    }

    /**
     * Sends a JSON error response for an arbitrary exception, wrapped in an {@code OAuthException}
     * with the given error code.
     *
     * <p>NOTE(review): the wrapped exception's message is returned to the client. Confirm callers
     * never pass exceptions whose text exposes internals.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the response to write to
     * @param str the OAuth error code
     * @param exc the failure to report
     * @throws IOException if writing the response fails
     */
    public static void sendJsonDataWithMessage(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, Exception exc) throws IOException {
        OAuthException wrapped = new OAuthException(str, exc.getMessage(), exc);
        sendJsonDataWithMessage(httpServletRequest, httpServletResponse, wrapped);
    }

    /**
     * Sends a JSON error response for an OAuth error and logs it at error level.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the response to write to
     * @param oAuthException the error to report
     * @throws IOException if writing the response fails
     */
    public static void sendJsonDataWithMessage(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OAuthException oAuthException) throws IOException {
        final boolean logAtDebugOnly = false;
        sendJsonDataWithMessage(httpServletRequest, httpServletResponse, oAuthException, logAtDebugOnly);
    }

    /**
     * Sends an HTTP 400 JSON error response for an OAuth error.
     *
     * <p>For REST API scoped requests the code and the message are sent under the error-code and
     * error keys; otherwise they are sent under the error and error-description keys.
     *
     * @param httpServletRequest the current request, used to determine the scope
     * @param httpServletResponse the response to write to
     * @param oAuthException the error to report
     * @param z when {@code true} the error is logged at debug level instead of error level
     * @throws IOException if writing the response fails
     */
    public static void sendJsonDataWithMessage(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OAuthException oAuthException, boolean z) throws IOException {
        if (!z) {
            log.error("OAuthException {}: {}", oAuthException.getCode(), oAuthException.getMessage());
        } else {
            log.debug("OAuthException {}: {}", oAuthException.getCode(), oAuthException.getMessage());
        }
        log.debug("Exception", oAuthException);
        httpServletResponse.setStatus(400);
        Map<String, Object> payload = new HashMap<>();
        boolean restApi = isRestApiScope(httpServletRequest);
        if (!restApi) {
            payload.put(SsoConstants.ERROR, oAuthException.getCode());
            payload.put(SsoConstants.ERROR_DESCRIPTION, oAuthException.getMessage());
        } else {
            payload.put(SsoConstants.ERROR_CODE, oAuthException.getCode());
            payload.put(SsoConstants.ERROR, oAuthException.getMessage());
        }
        sendJsonData(httpServletResponse, payload);
    }

    /**
     * Tells whether the request is REST API scoped, judged first by the SSO session and then by the
     * {@code scope} request parameter.
     *
     * @param httpServletRequest the current request
     * @return {@code true} when either the session or the requested scope is REST API scoped
     */
    private static boolean isRestApiScope(HttpServletRequest httpServletRequest) {
        boolean sessionIsRestApi;
        try {
            sessionIsRestApi = getSsoSession(httpServletRequest).isRestApiScope();
        } catch (OAuthException ignored) {
            // No session could be resolved; fall back to the request's scope parameter.
            sessionIsRestApi = false;
        }
        if (sessionIsRestApi) {
            return true;
        }
        return isRestApiScope(scopeAsList(getScopeRequestParameter(httpServletRequest, "")));
    }

    /**
     * Tells whether a scope list is REST API scoped: it contains the API scope and neither the admin
     * scope nor the portal scope.
     *
     * @param list the scopes to inspect
     * @return {@code true} when the list is REST API scoped
     */
    public static boolean isRestApiScope(List<String> list) {
        return list.contains(SsoConstants.OVIRT_APP_API_SCOPE)
                && !list.contains(SsoConstants.OVIRT_APP_ADMIN_SCOPE)
                && !list.contains(SsoConstants.OVIRT_APP_PORTAL_SCOPE);
    }

    /**
     * Serializes a map to JSON and writes it to the response.
     *
     * <p>When the map has an {@code ovirt} entry with a {@code group_ids} collection, that
     * collection is replaced in place by its JSON-ready form first, so the caller's map is modified.
     *
     * @param httpServletResponse the response to write to
     * @param map the payload
     * @throws IOException if serialization or writing fails
     */
    public static void sendJsonData(HttpServletResponse httpServletResponse, Map<String, Object> map) throws IOException {
        Map ovirtSection = (Map) map.get("ovirt");
        if (ovirtSection != null) {
            Collection groupIds = (Collection) ovirtSection.get("group_ids");
            if (groupIds != null) {
                ovirtSection.put("group_ids", prepareGroupMembershipsForJson(groupIds));
            }
        }
        String json = getJson(map);
        sendJsonData(httpServletResponse, json);
    }

    /**
     * Writes a JSON string to the response with the content type {@code application/json}.
     *
     * @param httpServletResponse the response to write to
     * @param str the JSON text
     * @throws IOException if writing fails
     */
    public static void sendJsonData(HttpServletResponse httpServletResponse, String str) throws IOException {
        final String jsonContentType = "application/json";
        sendJsonData(httpServletResponse, str, jsonContentType);
    }

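    /**
     * Writes a string to the response as UTF-8 bytes with the given content type and a matching
     * content length, then closes the output stream.
     *
     * <p>The hand-expanded close logic (including a branch that could never run) is replaced by
     * try-with-resources, which closes the stream on every path and records a close failure as a
     * suppressed exception. The charset is passed as a constant instead of by name.
     *
     * <p>NOTE(review): the complete payload is written to the trace log. Payloads sent through here
     * may contain tokens, so trace logging for this class should stay off in production.
     *
     * @param httpServletResponse the response to write to
     * @param str the payload
     * @param str2 the content type to announce
     * @throws IOException if obtaining or writing to the output stream fails
     */
    public static void sendJsonData(HttpServletResponse httpServletResponse, String str, String str2) throws IOException {
        try (ServletOutputStream outputStream = httpServletResponse.getOutputStream()) {
            httpServletResponse.setContentType(str2);
            byte[] bytes = str.getBytes(StandardCharsets.UTF_8);
            httpServletResponse.setContentLength(bytes.length);
            outputStream.write(bytes);
            log.trace("Sending json data {}", str);
        }
    }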

    /**
     * Reduces scope entries to their first two {@code '='}-separated components.
     *
     * <p>An entry without {@code '='} is kept unchanged. An entry whose second component is
     * {@code auth:identity} is dropped. Any other entry is kept as {@code first=second}; a third
     * component, if present, is discarded.
     *
     * @param list scope entries to process; must not be {@code null}
     * @return a new mutable list with the reduced entries, in input order
     */
    public static List<String> strippedScopeAsList(List<String> list) {
        List<String> stripped = new ArrayList<>();
        for (String scope : list) {
            // Limit 3: everything after the second '=' lands in parts[2] and is ignored.
            String[] parts = scope.split("=", 3);
            if (parts.length == 1) {
                stripped.add(parts[0]);
                continue;
            }
            if ("auth:identity".equals(parts[1])) {
                continue;
            }
            stripped.add(parts[0] + "=" + parts[1]);
        }
        return stripped;
    }

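    /**
     * Splits a whitespace-delimited scope string into its tokens.
     *
     * <p>Tokens are separated by one or more whitespace characters. The previous separator
     * pattern {@code "\\s *"} matched one whitespace character followed by spaces only, so a run
     * of tabs or newlines produced empty tokens; a string made only of whitespace produced a
     * single empty token. Both cases now yield no empty tokens.
     *
     * @param str scope string, may be {@code null}
     * @return the tokens in order as a fixed-size list, or an empty list when {@code str} is
     *         {@code null}, empty or whitespace only
     */
    public static List<String> scopeAsList(String str) {
        if (str == null) {
            return Collections.emptyList();
        }
        String trimmed = str.trim();
        if (trimmed.isEmpty()) {
            return Collections.emptyList();
        }
        return Arrays.asList(trimmed.split("\\s+"));
    }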

    /**
     * Encrypts a string for the engine certificate through {@code EnvelopeEncryptDecrypt}.
     *
     * <p>The text is encoded as UTF-8 and passed with the transformation
     * {@code AES/OFB/PKCS5Padding}; the numeric arguments 256 and 100 are forwarded unchanged
     * (their meaning is defined by {@code EnvelopeEncryptDecrypt}, not visible in this file).
     *
     * @param servletContext context from which the SSO context and engine certificate are read
     * @param str text to encrypt; must not be {@code null}
     * @return the envelope produced by {@code EnvelopeEncryptDecrypt.encrypt}
     * @throws Exception if encryption fails
     */
    public static String encrypt(ServletContext servletContext, String str) throws Exception {
        // NOTE(review): OFB gives confidentiality only. Unless the envelope format adds its own
        // integrity check (not visible here), modified ciphertext is not detected on decryption.
        // The transformation cannot be changed here without also changing the decrypting side.
        final String transformation = "AES/OFB/PKCS5Padding";
        return EnvelopeEncryptDecrypt.encrypt(
                transformation,
                256,
                getSsoContext(servletContext).getEngineCertificate(),
                100,
                str.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Sends a logout notification for one token to every client in the given set.
     *
     * <p>Clients are notified one after another. An exception from one notification propagates
     * to the caller, so clients later in the iteration are not notified in that case.
     *
     * @param ssoContext SSO context used to look up client registrations
     * @param set client identifiers to notify; {@code null} means nothing to do
     * @param str token the logout refers to
     * @throws Exception if any notification fails
     */
    public static void notifyClientsOfLogoutEvent(SsoContext ssoContext, Set<String> set, String str) throws Exception {
        if (set == null) {
            return;
        }
        for (String clientId : set) {
            notifyClientOfLogoutEvent(ssoContext, clientId, str);
        }
    }

    /**
     * Posts an {@code auditLog} event to the notification callback registered for a client.
     *
     * <p>Nothing is sent when the client is unknown or has no callback URL. The form body
     * carries {@code event}, {@code userName}, {@code loginErrMsg}, {@code clientSecret} and
     * {@code sourceIp}.
     *
     * @param ssoContext SSO context used to look up the client registration
     * @param str source IP address reported in the event
     * @param str2 identifier of the client to notify
     * @param str3 user name reported in the event
     * @param str4 login error message reported in the event
     * @throws Exception if building or sending the request fails
     */
    public static void notifyClientOfAuditLogEvent(SsoContext ssoContext, String str, String str2, String str3, String str4) throws Exception {
        ClientInfo client = ssoContext.getClienInfo(str2);
        if (client == null) {
            return;
        }
        String callbackUrl = client.getClientNotificationCallback();
        if (!StringUtils.isNotEmpty(callbackUrl)) {
            return;
        }
        HttpPost request = createPost(callbackUrl);
        List<BasicNameValuePair> form = new ArrayList<>();
        form.add(new BasicNameValuePair("event", "auditLog"));
        form.add(new BasicNameValuePair("userName", str3));
        form.add(new BasicNameValuePair("loginErrMsg", str4));
        // NOTE(review): the client's secret travels in the request body. Its protection in
        // transit depends on the callback URL scheme and on the per-client TLS verification
        // settings applied in createClient.
        form.add(new BasicNameValuePair("clientSecret", client.getClientSecret()));
        form.add(new BasicNameValuePair("sourceIp", str));
        request.setEntity(new UrlEncodedFormEntity(form, StandardCharsets.UTF_8));
        execute(request, ssoContext, str2);
    }

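    /**
     * Posts a {@code logout} event for one token to the notification callback of a client.
     *
     * <p>Nothing is sent when the client is unknown or has no callback URL. The unknown-client
     * check mirrors {@code notifyClientOfAuditLogEvent}; without it a missing registration
     * raised a {@code NullPointerException}, which also stopped
     * {@code notifyClientsOfLogoutEvent} from notifying the remaining clients.
     *
     * @param ssoContext SSO context used to look up the client registration
     * @param str identifier of the client to notify
     * @param str2 token the logout refers to
     * @throws Exception if building or sending the request fails
     */
    private static void notifyClientOfLogoutEvent(SsoContext ssoContext, String str, String str2) throws Exception {
        ClientInfo client = ssoContext.getClienInfo(str);
        if (client == null) {
            return;
        }
        String callbackUrl = client.getClientNotificationCallback();
        if (StringUtils.isNotEmpty(callbackUrl)) {
            HttpPost request = createPost(callbackUrl);
            List<BasicNameValuePair> form = new ArrayList<>(3);
            form.add(new BasicNameValuePair("event", "logout"));
            // The token itself is sent to the callback so the client can match its own session.
            form.add(new BasicNameValuePair(SsoConstants.HTTP_PARAM_TOKEN, str2));
            form.add(new BasicNameValuePair(SsoConstants.JSON_TOKEN_TYPE, "bearer"));
            request.setEntity(new UrlEncodedFormEntity(form, StandardCharsets.UTF_8));
            execute(request, ssoContext, str);
        }
    }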

    /**
     * Builds a POST request for the given URL that accepts a JSON reply.
     *
     * @param str target URL; parsed with {@link URI#URI(String)}
     * @return the request with its URI and {@code Accept: application/json} header set
     * @throws Exception if {@code str} is not a syntactically valid URI
     */
    private static HttpPost createPost(String str) throws Exception {
        // NOTE(review): the URL is used as given; no scheme or host restriction is applied at
        // this point. Presumably it is validated when the client is registered; confirm.
        HttpPost request = new HttpPost(new URI(str));
        request.setHeader("Accept", "application/json");
        return request;
    }

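    /**
     * Sends a request with the HTTP client cached for a client id and discards the reply body.
     *
     * <p>The HTTP client is looked up in {@code CLIENTS} under the map's monitor and created
     * with {@code createClient} on first use. The decompiled close handling (a constant
     * {@code 0 == 0} branch, an unreachable {@code addSuppressed} on a null throwable, and a
     * second {@code close()} after a failed one) is replaced by the try-with-resources statement
     * it was generated from.
     *
     * <p>The response status is not inspected, so a callback that answers with an error status
     * is not distinguished from a successful one here.
     *
     * @param httpUriRequest request to send
     * @param ssoContext SSO context used when a new HTTP client has to be built
     * @param str client identifier used as cache key
     * @throws Exception if the HTTP client cannot be created or the request fails
     */
    private static void execute(HttpUriRequest httpUriRequest, SsoContext ssoContext, String str) throws Exception {
        CloseableHttpClient client;
        synchronized (CLIENTS) {
            client = CLIENTS.get(str);
            if (client == null) {
                client = createClient(ssoContext, str);
                CLIENTS.put(str, client);
            }
        }
        // The request runs outside the lock so one slow callback does not block other clients.
        try (CloseableHttpResponse response = client.execute(httpUriRequest)) {
            EntityUtils.consumeQuietly(response.getEntity());
        }
    }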

    /**
     * Builds the HTTP client used for notification callbacks to one registered client.
     *
     * <p>Pool size, timeouts, retry count and connection validation come from the
     * {@code SSO_CALLBACK_*} keys of the local SSO configuration; the trust store comes from the
     * {@code ENGINE_HTTPS_PKI_TRUST_STORE*} keys; the TLS protocol and the chain/host
     * verification flags come from the client's own registration.
     *
     * @param ssoContext SSO context providing the local configuration and client registrations
     * @param str identifier of the client the HTTP client is built for
     * @return a newly built HTTP client
     * @throws Exception if the builder fails
     */
    private static CloseableHttpClient createClient(SsoContext ssoContext, String str) throws Exception {
        SsoLocalConfig config = ssoContext.getSsoLocalConfig();
        ClientInfo client = ssoContext.getClienInfo(str);
        // NOTE(review): verifyChain and verifyHost are per-client settings. Presumably turning
        // either off relaxes TLS peer verification for that callback (confirm against
        // HttpClientBuilder); audit-log notifications sent through this client carry the client
        // secret, so both should stay enabled for any callback that is not strictly local.
        return new HttpClientBuilder()
                .setSslProtocol(client.getNotificationCallbackProtocol())
                .setPoolSize(Integer.valueOf(config.getInteger("SSO_CALLBACK_CLIENT_POOL_SIZE")))
                .setReadTimeout(Integer.valueOf(config.getInteger("SSO_CALLBACK_READ_TIMEOUT")))
                .setConnectTimeout(Integer.valueOf(config.getInteger("SSO_CALLBACK_CONNECT_TIMEOUT")))
                .setRetryCount(Integer.valueOf(config.getInteger("SSO_CALLBACK_CONNECTION_RETRY_COUNT")))
                .setTrustManagerAlgorithm(TrustManagerFactory.getDefaultAlgorithm())
                .setTrustStore(config.getProperty("ENGINE_HTTPS_PKI_TRUST_STORE"))
                .setTrustStorePassword(config.getProperty("ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD"))
                .setTrustStoreType(config.getProperty("ENGINE_HTTPS_PKI_TRUST_STORE_TYPE"))
                .setValidateAfterInactivity(Integer.valueOf(config.getInteger("SSO_CALLBACK_CONNECTION_VALIDATE_AFTER_INACTIVITY")))
                .setVerifyChain(Boolean.valueOf(client.isNotificationCallbackVerifyChain()))
                .setVerifyHost(Boolean.valueOf(client.isNotificationCallbackVerifyHost()))
                .build();
    }

    /**
     * Flattens a nested group-membership structure into one record per group id.
     *
     * <p>Each top-level group not seen before is copied, its {@code PRINCIPAL} entry is set to
     * an empty string, and its {@code GROUPS} entry is replaced by the set of ids returned by
     * {@code processGroupMemberships}. Groups discovered during that recursion are added to the
     * same result. The input records are not modified; copies are.
     *
     * <p>NOTE(review): only top-level copies get {@code PRINCIPAL} blanked; groups first seen
     * inside {@code processGroupMemberships} keep whatever {@code PRINCIPAL} value they had.
     * Confirm that this difference is intended.
     *
     * @param collection top-level group records
     * @return a new list holding one record per distinct group id
     */
    public static Collection<ExtMap> prepareGroupMembershipsForJson(Collection<ExtMap> collection) {
        Map<String, ExtMap> groupsById = new HashMap<>();
        for (ExtMap source : collection) {
            if (groupsById.containsKey(source.get(Authz.GroupRecord.ID))) {
                continue;
            }
            ExtMap group = new ExtMap(source);
            group.put(Authz.PrincipalRecord.PRINCIPAL, "");
            // Register the group before descending so a membership cycle stops at this id.
            groupsById.put(group.get(Authz.GroupRecord.ID), group);
            group.put(
                    Authz.GroupRecord.GROUPS,
                    processGroupMemberships(
                            (Collection) group.get(Authz.GroupRecord.GROUPS, Collections.emptyList()),
                            groupsById));
        }
        return new ArrayList<>(groupsById.values());
    }

    /* JADX WARN: Multi-variable type inference failed */
    /**
     * Collects the ids of the given groups and registers every group not yet known.
     *
     * <p>Each record is copied. Its id is always added to the returned set. When the id is not
     * yet a key of {@code map}, the copy is stored there and its {@code GROUPS} entry is
     * replaced by the ids of its own nested groups, computed recursively. Recursion depth
     * follows the nesting depth of the input.
     *
     * @param collection group records at one nesting level
     * @param map groups registered so far, keyed by id; updated in place
     * @return the ids of the records in {@code collection}
     */
    private static Set<String> processGroupMemberships(Collection<ExtMap> collection, Map<String, ExtMap> map) {
        Set<String> memberIds = new HashSet<>();
        for (ExtMap source : collection) {
            ExtMap group = new ExtMap(source);
            memberIds.add(group.get(Authz.GroupRecord.ID));
            if (map.containsKey(group.get(Authz.GroupRecord.ID))) {
                continue;
            }
            // Register before descending so a membership cycle stops at this id.
            map.put(group.get(Authz.GroupRecord.ID), group);
            group.put(
                    Authz.GroupRecord.GROUPS,
                    processGroupMemberships(
                            (Collection) group.get(Authz.GroupRecord.GROUPS, Collections.emptyList()),
                            map));
        }
        return memberIds;
    }

    static {
        // Close every cached callback HTTP client when the JVM shuts down.
        // NOTE(review): execute() accesses CLIENTS under synchronized (CLIENTS); this hook does
        // not take that lock. Whether that matters depends on the map type, which is declared
        // outside this part of the file.
        Thread closeClientsOnExit = new Thread(() -> {
            for (CloseableHttpClient client : CLIENTS.values()) {
                IOUtils.closeQuietly(client);
            }
            CLIENTS.clear();
        });
        Runtime.getRuntime().addShutdownHook(closeClientsOnExit);
    }
}
