package pl.edu.icm.unity.oauth.as.webauthz;

import com.google.common.collect.Sets;
import com.nimbusds.langtag.LangTag;
import com.nimbusds.langtag.LangTagException;
import com.nimbusds.oauth2.sdk.AuthorizationRequest;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.ResponseType;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.util.MultivaluedMapUtils;
import com.nimbusds.oauth2.sdk.util.StringUtils;
import com.nimbusds.oauth2.sdk.util.URLUtils;
import com.nimbusds.openid.connect.sdk.AuthenticationRequest;
import com.nimbusds.openid.connect.sdk.OIDCResponseTypeValue;
import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.StringTokenizer;
import java.util.stream.Collectors;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.binary.Base64;
import org.apache.hc.core5.net.URIBuilder;
import org.apache.logging.log4j.Logger;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.AttributesManagement;
import pl.edu.icm.unity.engine.api.EntityManagement;
import pl.edu.icm.unity.engine.api.authn.AuthenticationPolicy;
import pl.edu.icm.unity.engine.api.config.UnityServerConfiguration;
import pl.edu.icm.unity.engine.api.utils.RoutingServlet;
import pl.edu.icm.unity.oauth.as.OAuthASProperties;
import pl.edu.icm.unity.oauth.as.OAuthAuthzContext;
import pl.edu.icm.unity.oauth.as.OAuthScopesService;
import pl.edu.icm.unity.oauth.as.OAuthValidationException;
import pl.edu.icm.unity.oauth.as.token.OAuthTokenEndpoint;
import pl.edu.icm.unity.webui.LoginInProgressService;
import pl.edu.icm.unity.webui.authn.LanguageCookie;
import pl.edu.icm.unity.webui.idpcommon.EopException;

/* loaded from: input_file:pl/edu/icm/unity/oauth/as/webauthz/OAuthParseServlet.class */
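/**
 * Front servlet of the OAuth2 / OIDC authorization endpoint.
 *
 * <p>The incoming query string is parsed first as an OIDC authentication request and, failing that,
 * as a plain OAuth2 authorization request. A successfully parsed request is validated, stored in the
 * HTTP session as an {@link OAuthAuthzContext} and the browser is redirected to the authorization UI
 * servlet. Every failure is rendered through the injected {@link ErrorHandler}; the
 * {@code ui_locales} hint, when present and valid, additionally selects the UI language cookie.
 */
public class OAuthParseServlet extends HttpServlet {
    private static final Logger log = Log.getLogger("unity.server.oauth", OAuthParseServlet.class);
    /** Response types this server understands. Immutable, so no caller can widen the set at runtime. */
    public static final Set<ResponseType.Value> KNOWN_RESPONSE_TYPES = Set.of(ResponseType.Value.CODE, ResponseType.Value.TOKEN, OIDCResponseTypeValue.ID_TOKEN);
    private static final String UI_LOCALES_PARAM = "ui_locales";
    /** Request parameter carrying a Base64-encoded copy of the authorization query string. */
    private static final String ENCODED_REQUEST_PARAM = "oAuthRequest";
    /** Query parameter appended to the UI redirect to identify a non-default sign-in context. */
    private static final String SIGN_IN_ID_PARAM = "signInId";
    private final OAuthASProperties oauthConfig;
    private final String oauthUiServletPath;
    private final ErrorHandler errorHandler;
    private final OAuthWebRequestValidator validator;
    private final UnityServerConfiguration serverConfig;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:pl/edu/icm/unity/oauth/as/webauthz/OAuthParseServlet$ParsedRequestParametersWithUILocales.class */
    /**
     * Request parameters split out of a query string, together with the parsed {@code ui_locales}.
     * An unparsable {@code ui_locales} value is logged and dropped instead of failing the request.
     * NOTE(review): this class uses no instance state of the servlet and could be a static nested
     * class; it is left non-static only to keep its constructor shape unchanged.
     */
    public class ParsedRequestParametersWithUILocales {
        /** Immutable snapshot of the parsed parameters ({@code ui_locales} removed when it was invalid). */
        final Map<String, List<String>> parsedRequestParameters;
        /** {@code ui_locales} tags in request order; empty when the parameter is absent, blank or invalid. */
        final Optional<List<LangTag>> uiLocales;

        /**
         * @param queryString raw (already URL-encoded) query string to split; client-controlled input
         */
        ParsedRequestParametersWithUILocales(String queryString) {
            Map<String, List<String>> params = URLUtils.parseParameters(queryString);
            Optional<List<LangTag>> locales;
            try {
                locales = getUILocales(params);
            } catch (LangTagException e) {
                // A malformed language tag must not abort the authorization flow: drop the hint instead.
                log.warn("Request to OAuth2 endpoint address with invalid ui_locales parameter={}, skipping this parameter in further processing", params.get(UI_LOCALES_PARAM));
                params.remove(UI_LOCALES_PARAM);
                locales = Optional.empty();
            }
            this.parsedRequestParameters = Map.copyOf(params);
            this.uiLocales = locales;
        }

        /**
         * Parses the space-separated {@code ui_locales} parameter.
         *
         * @return the parsed tags, or empty when the parameter is missing or blank
         * @throws LangTagException when any of the tokens is not a valid language tag
         */
        private Optional<List<LangTag>> getUILocales(Map<String, List<String>> params) throws LangTagException {
            String raw = MultivaluedMapUtils.getFirstValue(params, UI_LOCALES_PARAM);
            if (StringUtils.isBlank(raw)) {
                return Optional.empty();
            }
            List<LangTag> tags = new LinkedList<>();
            StringTokenizer tokenizer = new StringTokenizer(raw, " ");
            while (tokenizer.hasMoreTokens()) {
                tags.add(LangTag.parse(tokenizer.nextToken()));
            }
            return Optional.of(tags);
        }
    }

    /**
     * Production constructor: builds the request validator from the supplied engine services.
     *
     * @param oAuthASProperties authorization server configuration
     * @param str path of the authorization UI servlet the browser is redirected to
     * @param errorHandler renders error pages for rejected requests
     */
    public OAuthParseServlet(OAuthASProperties oAuthASProperties, String str, ErrorHandler errorHandler, EntityManagement entityManagement, AttributesManagement attributesManagement, OAuthScopesService oAuthScopesService, UnityServerConfiguration unityServerConfiguration) {
        this(oAuthASProperties, str, errorHandler,
                new OAuthWebRequestValidator(oAuthASProperties, entityManagement, attributesManagement, oAuthScopesService),
                unityServerConfiguration);
    }

    /**
     * Constructor taking a ready validator; package-private so tests can inject one.
     */
    OAuthParseServlet(OAuthASProperties oAuthASProperties, String str, ErrorHandler errorHandler, OAuthWebRequestValidator oAuthWebRequestValidator, UnityServerConfiguration unityServerConfiguration) {
        this.oauthConfig = oAuthASProperties;
        this.oauthUiServletPath = str;
        this.errorHandler = errorHandler;
        this.validator = oAuthWebRequestValidator;
        this.serverConfig = unityServerConfiguration;
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        log.trace("Received GET request to the OAuth2 authorization endpoint");
        processRequest(request, response);
    }

    /**
     * Runs the full processing and absorbs the end-of-processing signal.
     */
    protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
        try {
            processRequestInterruptible(request, response);
        } catch (EopException ignored) {
            // End-of-processing signal: presumably the response (error page or redirect) has already
            // been written by whoever threw it, so nothing is left to do — confirm against ErrorHandler.
        }
    }

    /**
     * Selects the query string to parse: the Base64-decoded {@code oAuthRequest} parameter when
     * present, otherwise the request's own query string. Both are client-supplied and untrusted;
     * everything derived from them goes through the SDK parsers and the validator below.
     */
    private String getQueryString(HttpServletRequest request) {
        String encoded = request.getParameter(ENCODED_REQUEST_PARAM);
        if (encoded == null) {
            return request.getQueryString();
        }
        return new String(Base64.decodeBase64(encoded), StandardCharsets.UTF_8);
    }

    /**
     * Parses, validates and stores the authorization request, then redirects to the UI servlet.
     * Any failure ends with an error page; {@link EopException} propagates to the caller.
     */
    protected void processRequestInterruptible(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException, EopException {
        log.trace("Starting OAuth2 authorization request processing");
        try {
            ParsedRequestParametersWithUILocales parsed = new ParsedRequestParametersWithUILocales(getQueryString(request));
            Optional<AuthorizationRequest> authzRequest = parseAuthorizationRequest(parsed.parsedRequestParameters, response);
            if (authzRequest.isEmpty()) {
                return; // error page already rendered
            }
            log.trace("Request to protected address, with OAuth2 input, will be processed: {}", request.getRequestURI());
            try {
                // Trace only: the raw query string echoes every client-supplied parameter verbatim.
                log.trace("Parsed OAuth request: {}", request.getQueryString());
                OAuthAuthzContext authzContext = new OAuthAuthzContext(authzRequest.get(), oauthConfig);
                validator.validate(authzContext);
                LoginInProgressService.SignInContextKey contextKey = OAuthSessionService.setContext(request.getSession(), authzContext);
                RoutingServlet.clean(request);
                log.trace("Request with OAuth input handled successfully");
                AuthenticationPolicy.setPolicy(request.getSession(), mapPromptToAuthenticationPolicy(authzContext.getPrompts()));
                setLanguageCookie(response, parsed.uiLocales);
                response.sendRedirect(oauthUiServletPath + getQueryToAppend(authzRequest.get(), contextKey));
            } catch (OAuthValidationException e) {
                log.warn("Processing of OAuth request failed", e);
                errorHandler.showErrorPage(e.getMessage(), null, response);
            }
        } catch (Exception e) {
            // NOTE(review): this also catches whatever showErrorPage() throws from the branches above
            // (EopException included, if it is an Exception) and renders a second error page — confirm
            // that is intended. The message shown is exception text derived from request data; the
            // ErrorHandler is assumed to escape it for HTML.
            log.trace("Request to OAuth2 endpoint address, with invalid/missing parameters, error: {}", e.toString());
            errorHandler.showErrorPage("Error parsing OAuth request parameters", e.getMessage(), response);
        }
    }

    /**
     * Parses the parameters as an OIDC authentication request first and falls back to a plain
     * OAuth2 authorization request. A plain request that still asks for the {@code openid} scope
     * is rejected, so that a client requesting OIDC never silently gets plain OAuth semantics.
     * On both failure paths the error reported to the user is the OIDC parse error.
     *
     * @return the parsed request, or empty when an error page has already been rendered
     */
    private Optional<AuthorizationRequest> parseAuthorizationRequest(Map<String, List<String>> params, HttpServletResponse response) throws IOException, ServletException, EopException {
        try {
            return Optional.of(AuthenticationRequest.parse((URI) null, params));
        } catch (ParseException oidcError) {
            log.trace("Request to OAuth2 endpoint address, which is not OIDC request, will try plain OAuth. OIDC parse error: {}", oidcError.toString());
            AuthorizationRequest plainRequest;
            try {
                plainRequest = AuthorizationRequest.parse((URI) null, params);
            } catch (ParseException plainError) {
                log.trace("Request to OAuth2 endpoint address, with invalid/missing parameters, error: {}", oidcError.toString());
                errorHandler.showErrorPage("Error parsing OAuth request", oidcError.getMessage(), response);
                return Optional.empty();
            }
            Scope scope = plainRequest.getScope();
            if (scope != null && scope.contains(OIDCScopeValue.OPENID)) {
                log.warn("Request to OAuth2 endpoint address, which is not OIDC request, but OIDC profile requested. OIDC parse error: {}", oidcError.toString());
                errorHandler.showErrorPage("Error parsing OAuth OIDC request", oidcError.getMessage(), response);
                return Optional.empty();
            }
            return Optional.of(plainRequest);
        }
    }

    /**
     * Sets the UI language cookie from the {@code ui_locales} hint: the first fully supported
     * locale wins, otherwise the first whose primary language is supported. No cookie otherwise.
     */
    private void setLanguageCookie(HttpServletResponse response, Optional<List<LangTag>> uiLocales) {
        List<Locale> requested = uiLocales.orElse(List.of()).stream()
                .map(LangTag::toString)
                .map(Locale::forLanguageTag)
                .collect(Collectors.toList());
        Optional<Locale> match = matchFullLocale(requested);
        if (match.isEmpty()) {
            match = matchPrimaryLangFromLocale(requested);
        }
        match.ifPresent(locale -> response.addCookie(new LanguageCookie(locale.toString())));
    }

    /** @return the first candidate the server supports as-is */
    private Optional<Locale> matchFullLocale(List<Locale> candidates) {
        return candidates.stream()
                .filter(serverConfig::isLocaleSupported)
                .findFirst();
    }

    /** @return the first candidate whose language-only locale the server supports */
    private Optional<Locale> matchPrimaryLangFromLocale(List<Locale> candidates) {
        return candidates.stream()
                .map(locale -> new Locale(locale.getLanguage()))
                .filter(serverConfig::isLocaleSupported)
                .findFirst();
    }

    /**
     * Maps the OIDC {@code prompt} values to the session authentication policy;
     * {@code none} takes precedence over {@code login}.
     */
    private AuthenticationPolicy mapPromptToAuthenticationPolicy(Set<OAuthAuthzContext.Prompt> prompts) {
        if (prompts.contains(OAuthAuthzContext.Prompt.NONE)) {
            return AuthenticationPolicy.REQUIRE_EXISTING_SESSION;
        }
        if (prompts.contains(OAuthAuthzContext.Prompt.LOGIN)) {
            return AuthenticationPolicy.FORCE_LOGIN;
        }
        return AuthenticationPolicy.DEFAULT;
    }

    /**
     * Re-encodes the request's custom parameters (plus the sign-in context id when not default)
     * as the query to append to the UI servlet path.
     *
     * @return {@code "?" + query}, or the fallback constant when no query could be built
     */
    private String getQueryToAppend(AuthorizationRequest authzRequest, LoginInProgressService.SignInContextKey contextKey) {
        URIBuilder builder = new URIBuilder();
        for (Map.Entry<String, List<String>> param : authzRequest.getCustomParameters().entrySet()) {
            for (String value : param.getValue()) {
                builder.addParameter(param.getKey(), value);
            }
        }
        if (!LoginInProgressService.SignInContextKey.DEFAULT.equals(contextKey)) {
            builder.addParameter(SIGN_IN_ID_PARAM, contextKey.key);
        }
        String query = null;
        try {
            query = builder.build().getRawQuery();
        } catch (URISyntaxException e) {
            log.error("Can't re-encode URL query params, shouldn't happen", e);
        }
        // NOTE(review): OAuthTokenEndpoint.PATH as the no-query fallback looks like a decompiler
        // substitution of a string literal by an equal-valued constant; verify its value before relying on it.
        return query == null ? OAuthTokenEndpoint.PATH : "?" + query;
    }
}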
