package pl.edu.icm.unity.oauth.as.webauthz;

import com.nimbusds.oauth2.sdk.AuthorizationErrorResponse;
import com.nimbusds.oauth2.sdk.AuthorizationResponse;
import com.nimbusds.oauth2.sdk.OAuth2Error;
import com.nimbusds.oauth2.sdk.SerializeException;
import java.io.IOException;
import java.util.Optional;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.logging.log4j.Logger;
import pl.edu.icm.unity.MessageSource;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.EnquiryManagement;
import pl.edu.icm.unity.engine.api.PreferencesManagement;
import pl.edu.icm.unity.engine.api.idp.IdPEngine;
import pl.edu.icm.unity.engine.api.policyAgreement.PolicyAgreementManagement;
import pl.edu.icm.unity.engine.api.translation.out.TranslationResult;
import pl.edu.icm.unity.engine.api.utils.RoutingServlet;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.oauth.as.OAuthAuthzContext;
import pl.edu.icm.unity.oauth.as.OAuthErrorResponseException;
import pl.edu.icm.unity.oauth.as.OAuthIdpStatisticReporter;
import pl.edu.icm.unity.oauth.as.OAuthProcessor;
import pl.edu.icm.unity.oauth.as.preferences.OAuthPreferences;
import pl.edu.icm.unity.types.basic.IdentityParam;
import pl.edu.icm.unity.types.basic.idpStatistic.IdpStatistic;
import pl.edu.icm.unity.webui.LoginInProgressService;
import pl.edu.icm.unity.webui.VaadinRequestMatcher;
import pl.edu.icm.unity.webui.idpcommon.EopException;

/* loaded from: input_file:pl/edu/icm/unity/oauth/as/webauthz/ASConsentDeciderServlet.class */
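/**
 * Post-authentication step of the OAuth/OIDC authorization endpoint.
 *
 * <p>For a plain (non-Vaadin) GET the servlet loads the authenticated user's stored
 * preferences for the requesting client and lets {@link ASConsentDecider} choose between:
 * <ul>
 *   <li>answering the request immediately ({@link #autoReplay}) when no interactive UI
 *       is required,</li>
 *   <li>forwarding to the consent UI at {@code oauthUiServletPath},</li>
 *   <li>returning an OAuth error redirect when consent would be needed but the client
 *       asked for {@code prompt=none}.</li>
 * </ul>
 * Requests that {@link VaadinRequestMatcher} classifies as Vaadin-internal are forwarded
 * to the authentication UI servlet instead of being processed here.
 *
 * <p>{@link EopException} is used throughout as an "end of processing" signal: it is thrown
 * after a response (redirect) has already been sent and is swallowed in {@link #doGet}.
 */
public class ASConsentDeciderServlet extends HttpServlet {
    private static final Logger log = Log.getLogger("unity.server.oauth", ASConsentDeciderServlet.class);
    private final PreferencesManagement preferencesMan;
    private final OAuthIdPEngine idpEngine;
    private final OAuthSessionService oauthSessionService;
    // Path of the consent UI servlet requests are forwarded to when interaction is needed.
    private final String oauthUiServletPath;
    // Path of the authentication UI servlet that receives Vaadin-internal requests.
    private final String authenticationUIServletPath;
    private final OAuthProcessor oauthProcessor;
    private final OAuthIdpStatisticReporter statReporter;
    private final ASConsentDecider consentDecider;

    /**
     * Creates the servlet.
     *
     * @param preferencesManagement source of the per-client {@link OAuthPreferences}
     * @param idPEngine generic IdP engine, wrapped here in an {@link OAuthIdPEngine}
     * @param oAuthProcessor builds the authorization response for the auto-reply path
     * @param oAuthSessionService sign-in session bookkeeping around sending the response
     * @param oauthUiPath servlet path of the consent UI
     * @param authnUiPath servlet path of the authentication UI (target for Vaadin requests)
     * @param enquiryManagement passed to the {@link ASConsentDecider}
     * @param policyAgreementManagement passed to the {@link ASConsentDecider}
     * @param oAuthIdpStatisticReporter receives FAILED status reports on error paths
     * @param messageSource passed to the {@link ASConsentDecider}
     */
    public ASConsentDeciderServlet(PreferencesManagement preferencesManagement, IdPEngine idPEngine,
            OAuthProcessor oAuthProcessor, OAuthSessionService oAuthSessionService, String oauthUiPath,
            String authnUiPath, EnquiryManagement enquiryManagement,
            PolicyAgreementManagement policyAgreementManagement,
            OAuthIdpStatisticReporter oAuthIdpStatisticReporter, MessageSource messageSource) {
        this.oauthProcessor = oAuthProcessor;
        this.preferencesMan = preferencesManagement;
        this.oauthSessionService = oAuthSessionService;
        this.authenticationUIServletPath = authnUiPath;
        this.idpEngine = new OAuthIdPEngine(idPEngine);
        this.oauthUiServletPath = oauthUiPath;
        this.statReporter = oAuthIdpStatisticReporter;
        this.consentDecider = new ASConsentDecider(enquiryManagement, policyAgreementManagement, messageSource);
    }

    /**
     * Routes Vaadin-internal requests to the authentication UI servlet (preserving the
     * request's path info); every other request goes through the regular
     * {@link HttpServlet#service} dispatch and ends up in {@link #doGet}.
     */
    @Override
    protected void service(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        if (!VaadinRequestMatcher.isVaadinRequest(request)) {
            super.service(request, response);
            return;
        }
        String target = authenticationUIServletPath;
        String pathInfo = request.getPathInfo();
        if (pathInfo != null) {
            target = target + pathInfo;
        }
        log.debug("Request to Vaadin internal address will be forwarded to authN {}", request.getRequestURI());
        request.getRequestDispatcher(target).forward(request, response);
    }

    /**
     * Entry point for the consent decision; see {@link #serviceInterruptible}.
     */
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        try {
            serviceInterruptible(request, response);
        } catch (EopException ignored) {
            // Deliberate: EopException marks the end of processing after a redirect has
            // already been sent (see handleTranslationProfileRedirectIfNeeded), so there is
            // nothing left to write to the response.
        }
    }

    /**
     * Performs the consent decision for the OAuth context stored in the sign-in session.
     *
     * @throws EopException when processing finished by sending a redirect from a nested step
     * @throws IOException when the response cannot be written
     */
    protected void serviceInterruptible(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException, EopException {
        OAuthAuthzContext oauthCtx = getOAuthContext(request);
        try {
            OAuthPreferences.OAuthClientSettings clientSettings = loadPreferences(oauthCtx);
            if (consentDecider.forceConsentIfConsentPrompt(oauthCtx)) {
                // prompt=consent always wins over stored preferences.
                log.trace("Consent is required for OAuth request, 'consent' prompt was given , forwarding to consent UI");
                RoutingServlet.forwardTo(oauthUiServletPath, request, response);
            } else if (!consentDecider.isInteractiveUIRequired(clientSettings, oauthCtx)) {
                log.trace("Consent is not required for OAuth request, processing immediatelly");
                autoReplay(clientSettings, oauthCtx, request, response);
            } else if (consentDecider.isNonePrompt(oauthCtx)) {
                // Interaction is needed but the client forbade it with prompt=none.
                sendNonePromptError(oauthCtx, request, response);
            } else {
                log.trace("Consent is required for OAuth request, forwarding to consent UI");
                RoutingServlet.forwardTo(oauthUiServletPath, request, response);
            }
        } catch (EngineException e) {
            log.error("Engine problem when handling client request - can not load preferences", e);
            // Session is invalidated (last argument) as the sign-in cannot be continued.
            sendReturnRedirect(new AuthorizationErrorResponse(oauthCtx.getReturnURI(), OAuth2Error.SERVER_ERROR,
                    oauthCtx.getRequest().getState(), oauthCtx.getRequest().impliedResponseMode()),
                    request, response, true);
            statReporter.reportStatus(oauthCtx, IdpStatistic.Status.FAILED);
        }
    }

    /**
     * Answers a {@code prompt=none} request that would require user interaction with an
     * error redirect to the client and invalidates the sign-in session.
     */
    private void sendNonePromptError(OAuthAuthzContext oauthCtx, HttpServletRequest request,
            HttpServletResponse response) throws IOException {
        log.error("Consent is required but 'none' prompt was given");
        // NOTE(review): OIDC Core defines interaction_required / consent_required for this
        // situation; server_error is kept here to preserve the existing wire behavior.
        sendReturnRedirect(new AuthorizationErrorResponse(oauthCtx.getReturnURI(), OAuth2Error.SERVER_ERROR,
                oauthCtx.getRequest().getState(), oauthCtx.getRequest().impliedResponseMode()),
                request, response, true);
    }

    /**
     * Loads the authenticated user's stored settings for the client named in the request.
     *
     * @throws EngineException when the preferences cannot be read
     */
    protected OAuthPreferences.OAuthClientSettings loadPreferences(OAuthAuthzContext oauthCtx)
            throws EngineException {
        String clientId = oauthCtx.getRequest().getClientID().getValue();
        return OAuthPreferences.getPreferences(preferencesMan).getSPSettings(clientId);
    }

    /**
     * Answers the authorization request without user interaction, based on stored
     * preferences: an {@code access_denied} redirect when the user chose to decline the
     * client by default, otherwise a regular authorization response built by the
     * {@link OAuthProcessor}.
     *
     * @throws EopException when a translation-profile redirect was sent instead of the
     *         OAuth response
     * @throws IOException when the response cannot be written
     */
    protected void autoReplay(OAuthPreferences.OAuthClientSettings clientSettings, OAuthAuthzContext oauthCtx,
            HttpServletRequest request, HttpServletResponse response) throws EopException, IOException {
        if (!clientSettings.isDefaultAccept()) {
            log.trace("User preferences are set to decline authZ from the client");
            AuthorizationErrorResponse denied = new AuthorizationErrorResponse(oauthCtx.getReturnURI(),
                    OAuth2Error.ACCESS_DENIED, oauthCtx.getRequest().getState(),
                    oauthCtx.getRequest().impliedResponseMode());
            statReporter.reportStatus(oauthCtx, IdpStatistic.Status.FAILED);
            sendReturnRedirect(denied, request, response, false);
            // The decline is final. Without this return the success path below would still
            // run (including prepareAuthzResponseAndRecordInternalState) and then try a
            // second redirect on an already committed response.
            return;
        }
        try {
            TranslationResult userInfo = idpEngine.getUserInfo(oauthCtx);
            handleTranslationProfileRedirectIfNeeded(userInfo, request, response);
            IdentityParam identity = idpEngine.getIdentity(userInfo, oauthCtx.getConfig().getSubjectIdentityType());
            log.info("Authentication of " + identity);
            AuthorizationResponse oauthResponse = oauthProcessor.prepareAuthzResponseAndRecordInternalState(
                    OAuthProcessor.filterAttributes(userInfo, oauthCtx.getEffectiveRequestedAttrs()),
                    identity, oauthCtx, statReporter);
            sendReturnRedirect(oauthResponse, request, response, false);
        } catch (OAuthErrorResponseException e) {
            // The processor already prepared the OAuth error to return to the client.
            statReporter.reportStatus(oauthCtx, IdpStatistic.Status.FAILED);
            sendReturnRedirect(e.getOauthResponse(), request, response, e.isInvalidateSession());
        } catch (EopException e) {
            // End-of-processing signal from handleTranslationProfileRedirectIfNeeded: a
            // redirect was already sent. It must not fall into the generic handler below,
            // which would log it as an error and attempt another redirect.
            throw e;
        } catch (Exception e) {
            log.error("Engine problem when handling client request", e);
            AuthorizationErrorResponse serverError = new AuthorizationErrorResponse(oauthCtx.getReturnURI(),
                    OAuth2Error.SERVER_ERROR, oauthCtx.getRequest().getState(),
                    oauthCtx.getRequest().impliedResponseMode());
            statReporter.reportStatus(oauthCtx, IdpStatistic.Status.FAILED);
            sendReturnRedirect(serverError, request, response, false);
        }
    }

    /**
     * If the output translation profile requested a redirect, sends it, finishes the
     * sign-in session and aborts further processing with {@link EopException}.
     *
     * @throws EopException always, when a redirect URL is present
     */
    private void handleTranslationProfileRedirectIfNeeded(TranslationResult translationResult,
            HttpServletRequest request, HttpServletResponse response) throws IOException, EopException {
        String redirectURL = translationResult.getRedirectURL();
        if (redirectURL == null) {
            return;
        }
        response.sendRedirect(redirectURL);
        oauthSessionService.cleanupComplete(
                Optional.of(new LoginInProgressService.HttpContextSession(request)), false);
        throw new EopException();
    }

    /**
     * Returns the OAuth authorization context bound to the current sign-in session.
     *
     * @throws RuntimeException (as supplied by
     *         {@link LoginInProgressService#noSignInContextException()}) when no sign-in
     *         context is present
     */
    private OAuthAuthzContext getOAuthContext(HttpServletRequest request) {
        return OAuthSessionService.getContext(request).orElseThrow(LoginInProgressService.noSignInContextException());
    }

    /**
     * Sends the (success or error) authorization response to the client via a redirect,
     * running the session service's before/after hooks around it. The after-hook runs
     * whether or not the redirect succeeded.
     *
     * @param invalidateSession forwarded to
     *        {@code OAuthSessionService#cleanupAfterResponseSent}
     * @throws IOException when the response cannot be serialized to a URI or written
     */
    private void sendReturnRedirect(AuthorizationResponse oauthResponse, HttpServletRequest request,
            HttpServletResponse response, boolean invalidateSession) throws IOException {
        LoginInProgressService.SignInContextSession session = new LoginInProgressService.HttpContextSession(request);
        oauthSessionService.cleanupBeforeResponseSent(session);
        try {
            String uri = oauthResponse.toURI().toString();
            // The URI carries the authorization response itself (code, or tokens for
            // fragment response modes) - keep this at trace level only.
            log.trace("Sending OAuth reply via return redirect: " + uri);
            response.sendRedirect(uri);
        } catch (SerializeException e) {
            throw new IOException("Error: can not serialize error response", e);
        } finally {
            oauthSessionService.cleanupAfterResponseSent(session, invalidateSession);
        }
    }
}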
