package org.mitre.uma.web;

import com.google.common.base.Strings;
import com.google.common.collect.Sets;
import com.google.gson.JsonElement;
import com.google.gson.JsonPrimitive;
import java.util.HashSet;
import org.mitre.oauth2.model.ClientDetailsEntity;
import org.mitre.oauth2.service.ClientDetailsEntityService;
import org.mitre.openid.connect.model.OIDCAuthenticationToken;
import org.mitre.openid.connect.model.UserInfo;
import org.mitre.uma.model.Claim;
import org.mitre.uma.model.PermissionTicket;
import org.mitre.uma.service.PermissionService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.oauth2.common.exceptions.RedirectMismatchException;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.util.UriComponentsBuilder;

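/**
 * Claims-gathering endpoint mapped at {@code /rqp_claims}.
 *
 * <p>For a caller holding {@code ROLE_EXTERNAL_USER}, the GET handler copies identity claims from
 * the caller's {@link OIDCAuthenticationToken} onto the {@link PermissionTicket} named in the
 * request, stores the ticket, and redirects the browser to one of the client's registered claims
 * redirect URIs.
 *
 * <p>Points a reviewer should confirm, since they are not decided in this class:
 * <ul>
 *   <li>The handler changes stored state (the ticket's supplied claims) on a GET request driven
 *       only by query parameters; no consent or confirmation step is visible here.</li>
 *   <li>Nothing here checks that the ticket is associated with the client named by
 *       {@code client_id}; verify whether that binding is enforced elsewhere.</li>
 * </ul>
 */
@RequestMapping({"/rqp_claims"})
@Controller
@PreAuthorize("hasRole('ROLE_EXTERNAL_USER')")
/* loaded from: input_file:org/mitre/uma/web/ClaimsCollectionEndpoint.class */
public class ClaimsCollectionEndpoint {
    private static final Logger logger = LoggerFactory.getLogger(ClaimsCollectionEndpoint.class);
    public static final String URL = "rqp_claims";

    @Autowired
    private ClientDetailsEntityService clientService;

    @Autowired
    private PermissionService permissionService;

    /**
     * Attaches the authenticated user's claims to a permission ticket and redirects to the client.
     *
     * <p>The redirect target is validated before the ticket is modified, so a request that is
     * rejected for a redirect mismatch leaves the ticket untouched.
     *
     * @param clientId value of the {@code client_id} request parameter
     * @param redirectUri optional {@code redirect_uri}; when absent the client must have exactly
     *     one registered claims redirect URI
     * @param ticketValue value of the {@code ticket} request parameter
     * @param state optional {@code state}, echoed back on the redirect when non-empty
     * @param model receives the HTTP status under {@code "code"} when client or ticket is unknown
     * @param auth authentication token of the current user; source of the supplied claims
     * @return {@code "httpCodeView"} when the client or ticket is not found, otherwise a
     *     {@code "redirect:"} view name pointing at the validated redirect URI
     * @throws RedirectMismatchException if no usable registered redirect URI can be determined or
     *     the requested one is not registered for the client
     */
    @RequestMapping(method = {RequestMethod.GET})
    public String collectClaims(@RequestParam("client_id") String clientId, @RequestParam(value = "redirect_uri", required = false) String redirectUri, @RequestParam("ticket") String ticketValue, @RequestParam(value = "state", required = false) String state, Model model, OIDCAuthenticationToken auth) {
        ClientDetailsEntity client = this.clientService.loadClientByClientId(clientId);
        PermissionTicket ticket = this.permissionService.getByTicket(ticketValue);
        if (client == null || ticket == null) {
            // Both values come straight from the query string: strip line breaks so a crafted
            // parameter cannot forge additional log entries.
            logger.info("Client or ticket not found: {} :: {}", forLog(clientId), forLog(ticketValue));
            model.addAttribute("code", HttpStatus.NOT_FOUND);
            return "httpCodeView";
        }

        // Fail closed: decide where the browser may be sent before any state is written.
        String target = resolveRedirectUri(client, redirectUri);

        HashSet<Claim> supplied = Sets.newHashSet(ticket.getClaimsSupplied());
        String issuer = auth.getIssuer();
        supplied.add(mkClaim(issuer, "sub", new JsonPrimitive(auth.getSub())));

        // NOTE(review): whether getUserInfo() can return null is not visible from this class; the
        // guard keeps the subject claim and skips the profile-derived ones instead of failing.
        UserInfo userInfo = auth.getUserInfo();
        if (userInfo != null) {
            if (userInfo.getEmail() != null) {
                supplied.add(mkClaim(issuer, "email", new JsonPrimitive(userInfo.getEmail())));
            }
            if (userInfo.getEmailVerified() != null) {
                supplied.add(mkClaim(issuer, "email_verified", new JsonPrimitive(userInfo.getEmailVerified())));
            }
            if (userInfo.getPhoneNumber() != null) {
                supplied.add(mkClaim(issuer, "phone_number", new JsonPrimitive(userInfo.getPhoneNumber())));
            }
            if (userInfo.getPhoneNumberVerified() != null) {
                supplied.add(mkClaim(issuer, "phone_number_verified", new JsonPrimitive(userInfo.getPhoneNumberVerified())));
            }
            if (userInfo.getPreferredUsername() != null) {
                supplied.add(mkClaim(issuer, "preferred_username", new JsonPrimitive(userInfo.getPreferredUsername())));
            }
            if (userInfo.getProfile() != null) {
                supplied.add(mkClaim(issuer, "profile", new JsonPrimitive(userInfo.getProfile())));
            }
        }
        ticket.setClaimsSupplied(supplied);
        this.permissionService.updateTicket(ticket);

        UriComponentsBuilder redirect = UriComponentsBuilder.fromUriString(target);
        redirect.queryParam("authorization_state", "claims_submitted");
        if (!Strings.isNullOrEmpty(state)) {
            redirect.queryParam("state", state);
        }
        String uriString = redirect.toUriString();
        logger.info("Redirecting to {}", uriString);
        return "redirect:" + uriString;
    }

    /**
     * Picks the redirect URI for the response, accepting only values registered for the client.
     *
     * <p>A requested URI must be an exact member of the client's registered claims redirect URIs;
     * keep this an exact match, since it is the only check between the request parameter and the
     * redirect issued to the browser.
     *
     * @param client the client whose registered claims redirect URIs are consulted
     * @param requested the {@code redirect_uri} request parameter, possibly null or empty
     * @return the requested URI if registered, or the single registered URI when none was requested
     * @throws RedirectMismatchException if none was requested and the client does not have exactly
     *     one registered URI, or if the requested URI is not registered
     */
    private String resolveRedirectUri(ClientDetailsEntity client, String requested) {
        if (Strings.isNullOrEmpty(requested)) {
            if (client.getClaimsRedirectUris().size() != 1) {
                throw new RedirectMismatchException("Unable to find redirect URI and none passed in.");
            }
            String registered = (String) client.getClaimsRedirectUris().iterator().next();
            logger.info("No redirect URI passed in, using registered value: {}", registered);
            return registered;
        }
        if (!client.getClaimsRedirectUris().contains(requested)) {
            throw new RedirectMismatchException("Claims redirect did not match the registered values.");
        }
        return requested;
    }

    /**
     * Builds a claim with a single issuer.
     *
     * @param issuer issuer recorded as the only element of the claim's issuer set
     * @param name claim name
     * @param value claim value
     * @return the populated claim
     */
    private Claim mkClaim(String issuer, String name, JsonElement value) {
        Claim claim = new Claim();
        claim.setIssuer(Sets.newHashSet(issuer));
        claim.setName(name);
        claim.setValue(value);
        return claim;
    }

    /**
     * Replaces carriage returns and line feeds in a request-supplied value before it is logged.
     *
     * @param value text to neutralise, may be null
     * @return the text with each CR or LF replaced by an underscore, or null for null input
     */
    private static String forLog(String value) {
        return value == null ? null : value.replaceAll("[\\r\\n]", "_");
    }
}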
