package edu.uiuc.ncsa.myproxy.oa4mp.oauth2.servlet;

import edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2ServiceTransaction;
import edu.uiuc.ncsa.myproxy.oa4mp.oauth2.storage.UsernameFindable;
import edu.uiuc.ncsa.myproxy.oa4mp.server.servlet.AbstractInitServlet;
import edu.uiuc.ncsa.security.core.exceptions.NFWException;
import edu.uiuc.ncsa.security.delegation.server.ServiceTransaction;
import edu.uiuc.ncsa.security.delegation.server.request.AGResponse;
import edu.uiuc.ncsa.security.delegation.server.request.IssuerResponse;
import edu.uiuc.ncsa.security.delegation.token.AuthorizationGrant;
import edu.uiuc.ncsa.security.oauth_2_0.IDTokenUtil;
import edu.uiuc.ncsa.security.oauth_2_0.NonceHerder;
import edu.uiuc.ncsa.security.oauth_2_0.OA2Constants;
import edu.uiuc.ncsa.security.oauth_2_0.OA2Errors;
import edu.uiuc.ncsa.security.oauth_2_0.OA2RedirectableError;
import edu.uiuc.ncsa.security.oauth_2_0.OA2Scopes;
import edu.uiuc.ncsa.security.oauth_2_0.server.OA2Claims;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.util.ArrayList;
import java.util.Map;
import java.util.StringTokenizer;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.sf.json.JSONObject;
import net.sf.json.util.JSONUtils;

/* loaded from: input_file:WEB-INF/lib/oa4mp-server-loader-oauth2-3.3.0.2.jar:edu/uiuc/ncsa/myproxy/oa4mp/oauth2/servlet/OA2AuthorizedServlet.class */
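public class OA2AuthorizedServlet extends AbstractInitServlet {

    /**
     * Authorization-endpoint entry point.
     * <p>
     * Before handing off to the generic flow in the superclass this rejects the
     * {@code request_uri} and {@code request} parameters (neither is supported
     * here), requires a {@code response_type}, and lets an {@code id_token_hint}
     * short-circuit the request via {@link #CheckIdTokenHint}.
     *
     * @param httpServletRequest  the incoming authorization request
     * @param httpServletResponse the response; completed here only when an id_token_hint is accepted
     * @throws OA2RedirectableError if an unsupported parameter is present or response_type is missing;
     *                              the request's {@code state} and {@code redirect_uri} are attached to it
     * @throws Throwable            whatever the superclass flow throws
     */
    @Override
    public void doIt(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Throwable {
        // NOTE(review): redirect_uri is taken straight from the request here and is only
        // checked against the client's registration later (OA2ClientCheck.check in
        // verifyAndGet). Confirm that the handler of OA2RedirectableError validates it
        // before redirecting an error to it.
        String redirectUri = httpServletRequest.getParameter(OA2Constants.REDIRECT_URI);
        String state = httpServletRequest.getParameter(OA2Constants.STATE);

        if (hasParameter(httpServletRequest, OA2Constants.REQUEST_URI)) {
            throw new OA2RedirectableError(OA2Errors.REQUEST_URI_NOT_SUPPORTED, "Request uri not supported by this server", state, redirectUri);
        }
        if (hasParameter(httpServletRequest, "request")) {
            throw new OA2RedirectableError(OA2Errors.REQUEST_NOT_SUPPORTED, "Request not supported by this server", state, redirectUri);
        }
        if (!hasParameter(httpServletRequest, OA2Constants.RESPONSE_TYPE)) {
            throw new OA2RedirectableError(OA2Errors.INVALID_REQUEST, "no response type", state, redirectUri);
        }
        if (CheckIdTokenHint(httpServletRequest, httpServletResponse, redirectUri)) {
            // Response already completed by the hint check; nothing further to do.
            return;
        }
        super.doIt(httpServletRequest, httpServletResponse);
    }

    /** Returns whether the request carries the named parameter (present even if its value is empty). */
    private static boolean hasParameter(HttpServletRequest request, String name) {
        return request.getParameterMap().containsKey(name);
    }

    /**
     * Processes an {@code id_token_hint}, if one was sent.
     * <p>
     * The hint is parsed with {@link IDTokenUtil#readIDToken(String)}, its {@code sub}
     * claim is used to look up an existing transaction in the (username-findable)
     * transaction store, and its {@code aud} claim must equal that transaction's client
     * identifier. On success the response status is set to 200 and {@code true} is
     * returned so the caller skips the normal authorization flow.
     * <p>
     * NOTE(review): whether {@code readIDToken} verifies the token's signature is not
     * visible from this class; the only binding enforced here is the aud/client match.
     * Confirm signature verification happens inside {@code readIDToken} or before this point.
     *
     * @param httpServletRequest  the incoming request
     * @param httpServletResponse the response, set to 200 when the hint is accepted
     * @param str                 the request's redirect_uri, attached to any redirectable error
     * @return {@code false} when no id_token_hint was sent, {@code true} when it was accepted
     * @throws OA2RedirectableError LOGIN_REQUIRED when the hint has no {@code sub} or no transaction is
     *                              found for it; REQUEST_NOT_SUPPORTED when {@code aud} is missing or
     *                              does not match the transaction's client
     * @throws NFWException         if the transaction store is not username-findable or the lookup fails
     */
    protected boolean CheckIdTokenHint(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) {
        if (!hasParameter(httpServletRequest, OA2Constants.ID_TOKEN_HINT)) {
            return false;
        }
        // getParameterMap() values are String[]; String.valueOf(...) on such an array yields
        // "[Ljava.lang.String;@..." rather than the token, so read the single value instead.
        String hint = httpServletRequest.getParameter(OA2Constants.ID_TOKEN_HINT);
        JSONObject idToken = IDTokenUtil.readIDToken(hint);
        String state = httpServletRequest.getParameter(OA2Constants.STATE);

        String subject = null;
        if (idToken.containsKey(OA2Claims.SUBJECT)) {
            subject = idToken.getString(OA2Claims.SUBJECT);
        }
        if (subject == null) {
            // A hint without a subject cannot identify anyone; treat it like "no session".
            throw new OA2RedirectableError(OA2Errors.LOGIN_REQUIRED, "Login required.", state, str);
        }

        OA2ServiceTransaction transaction;
        try {
            Object store = getTransactionStore();
            if (!(store instanceof UsernameFindable)) {
                throw new NFWException("Internal error: Could not cast the store to a username findable store.");
            }
            transaction = ((UsernameFindable) store).getByUsername(subject);
        } catch (IOException e) {
            // Keep the underlying cause; the original message blamed the cast, which cannot throw IOException.
            NFWException nfw = new NFWException("Internal error: looking up the transaction for the id_token_hint subject failed.");
            nfw.initCause(e);
            throw nfw;
        }

        if (transaction == null) {
            throw new OA2RedirectableError(OA2Errors.LOGIN_REQUIRED, "Login required.", state, str);
        }
        if (!idToken.containsKey(OA2Claims.AUDIENCE)) {
            throw new OA2RedirectableError(OA2Errors.REQUEST_NOT_SUPPORTED, "No aud parameter in the ID token. This request is not supported on this server", state, str);
        }
        // The hint is only honoured for the client the transaction belongs to.
        String expectedAudience = transaction.getClient().getIdentifierString();
        if (!expectedAudience.equals(idToken.getString(OA2Claims.AUDIENCE))) {
            throw new OA2RedirectableError(OA2Errors.REQUEST_NOT_SUPPORTED, "Incorrect aud parameter in the ID token. This request is not supported on this server", state, str);
        }
        httpServletResponse.setStatus(HttpServletResponse.SC_OK);
        return true;
    }

    /**
     * Validates the authorization request carried by an {@link AGResponse} and builds the
     * new service transaction for it.
     * <p>
     * Checks, in order: the redirect_uri against the client (via {@code OA2ClientCheck.check}),
     * an optional client_secret (logged only, never used as an authentication decision here),
     * the nonce (registered with {@link NonceHerder} when present), {@code display},
     * the scope list (every scope must be known and {@code openid} must be among them),
     * {@code max_age}, {@code prompt}, and the unsupported {@code request}/{@code request_uri}.
     *
     * @param issuerResponse must be an {@link AGResponse}
     * @return the new transaction, with scopes, callback and nonce set and grant/token marked invalid
     * @throws OA2RedirectableError on any validation failure, carrying the request's state and redirect_uri
     * @throws UnsupportedEncodingException declared for the overridden method
     */
    @Override
    public ServiceTransaction verifyAndGet(IssuerResponse issuerResponse) throws UnsupportedEncodingException {
        AGResponse agResponse = (AGResponse) issuerResponse;
        Map<String, String> parameters = agResponse.getParameters();
        // Map.get returns null for an absent key, so no containsKey guard is needed.
        String state = parameters.get(OA2Constants.STATE);
        String redirectUri = parameters.get(OA2Constants.REDIRECT_URI);
        OA2ClientCheck.check(agResponse.getClient(), redirectUri);

        String clientSecret = parameters.get(OA2Constants.CLIENT_SECRET);
        if (clientSecret != null) {
            // Informational only: the secret is not an input to the authorization decision here,
            // and its value must not be written to the log.
            info("Client is sending secret in initial request. Though not forbidden by the protocol this is discouraged.");
            // Receiver is the non-null request value so a client with no registered secret cannot NPE.
            if (!clientSecret.equals(agResponse.getClient().getSecret())) {
                info("And for what it is worth, the client sent along an incorrect secret too...");
            }
        }

        String nonce = parameters.get(OA2Constants.NONCE);
        if (nonce == null || nonce.isEmpty()) {
            info("No nonce in initial request for " + agResponse.getClient().getIdentifierString());
        } else {
            NonceHerder.putNonce(nonce);
        }

        if (parameters.containsKey(OA2Constants.DISPLAY)
                && !OA2Constants.DISPLAY_PAGE.equals(parameters.get(OA2Constants.DISPLAY))) {
            throw new OA2RedirectableError(OA2Errors.INVALID_REQUEST, "Only display=page is supported", state, redirectUri);
        }

        String rawScope = parameters.get("scope");
        if (rawScope == null || rawScope.isEmpty()) {
            throw new OA2RedirectableError(OA2Errors.INVALID_SCOPE, "Missing scopes parameter.", state, redirectUri);
        }
        ArrayList<String> scopes = parseScopes(rawScope, state, redirectUri);
        if (!scopes.contains(OA2Scopes.SCOPE_OPENID)) {
            throw new OA2RedirectableError(OA2Errors.INVALID_REQUEST, "Scopes must contain openid", state, redirectUri);
        }

        OA2ServiceTransaction transaction = createNewTransaction(agResponse.getGrant());
        transaction.setScopes(scopes);
        transaction.setAuthGrantValid(false);
        transaction.setAccessTokenValid(false);
        transaction.setCallback(URI.create(redirectUri));
        transaction.setNonce(nonce);

        // Remaining checks keep their original position after transaction creation, since
        // createNewTransaction is overridable and subclasses may rely on that order.
        if (parameters.containsKey(OA2Constants.MAX_AGE)) {
            throw new OA2RedirectableError(OA2Errors.INVALID_REQUEST, "The max_age parameter is not supported at this time.", state, redirectUri);
        }
        checkPrompts(parameters);
        if (parameters.containsKey("request")) {
            throw new OA2RedirectableError(OA2Errors.REQUEST_NOT_SUPPORTED, "The \"request\" parameter is not supported on this server", state, redirectUri);
        }
        if (parameters.containsKey(OA2Constants.REQUEST_URI)) {
            throw new OA2RedirectableError(OA2Errors.REQUEST_URI_NOT_SUPPORTED, "The \"request_uri\" parameter is not supported on this server", state, redirectUri);
        }
        return transaction;
    }

    /**
     * Splits a whitespace-separated scope string into its tokens, rejecting any scope the
     * server does not know.
     *
     * @param rawScope    the raw {@code scope} parameter value
     * @param state       the request's state, attached to any error
     * @param redirectUri the request's redirect_uri, attached to any error
     * @return the scope tokens in request order (an {@code ArrayList}, as {@code setScopes} expects)
     * @throws OA2RedirectableError INVALID_SCOPE on the first unrecognized scope
     */
    private static ArrayList<String> parseScopes(String rawScope, String state, String redirectUri) {
        ArrayList<String> scopes = new ArrayList<String>();
        StringTokenizer tokenizer = new StringTokenizer(rawScope);
        while (tokenizer.hasMoreTokens()) {
            String scope = tokenizer.nextToken();
            if (!OA2Scopes.ScopeUtil.hasScope(scope)) {
                throw new OA2RedirectableError(OA2Errors.INVALID_SCOPE, "Unrecognized scope \"" + scope + JSONUtils.DOUBLE_QUOTE, state, redirectUri);
            }
            scopes.add(scope);
        }
        return scopes;
    }

    /**
     * Creates the transaction object for a freshly issued grant. Subclasses may override
     * to supply a different transaction type.
     *
     * @param authorizationGrant the grant the transaction is keyed on
     * @return a new {@link OA2ServiceTransaction}
     */
    protected OA2ServiceTransaction createNewTransaction(AuthorizationGrant authorizationGrant) {
        return new OA2ServiceTransaction(authorizationGrant);
    }

    /**
     * Validates the {@code prompt} parameter when present.
     * <p>
     * The value is split on whitespace. It is rejected when empty, when {@code none} is
     * combined with any other option, and when {@code login} is not among the options
     * (this server always requires an interactive login).
     *
     * @param map the request parameters
     * @throws OA2RedirectableError LOGIN_REQUIRED or INVALID_REQUEST as described above,
     *                              carrying the request's state and redirect_uri
     */
    protected void checkPrompts(Map<String, String> map) {
        if (!map.containsKey(OA2Constants.PROMPT)) {
            return;
        }
        String state = map.get(OA2Constants.STATE);
        String redirectUri = map.get(OA2Constants.REDIRECT_URI);
        ArrayList<String> prompts = new ArrayList<String>();
        StringTokenizer tokenizer = new StringTokenizer(map.get(OA2Constants.PROMPT));
        while (tokenizer.hasMoreTokens()) {
            prompts.add(tokenizer.nextToken());
        }
        // An empty list trivially does not contain "none", so the original compound test reduces to isEmpty().
        if (prompts.isEmpty()) {
            throw new OA2RedirectableError(OA2Errors.LOGIN_REQUIRED, "A login is required on this server", state, redirectUri);
        }
        if (prompts.contains("none") && prompts.size() > 1) {
            throw new OA2RedirectableError(OA2Errors.INVALID_REQUEST, "You cannot specify \"none\" for the prompt and any other option", state, redirectUri);
        }
        if (!prompts.contains(OA2Constants.PROMPT_LOGIN)) {
            throw new OA2RedirectableError(OA2Errors.LOGIN_REQUIRED, "You must specify \"login\" as an option", state, redirectUri);
        }
    }
}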
