package org.apereo.cas.support.oauth.web;

import java.util.Locale;
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.apache.http.client.utils.URIBuilder;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.PrincipalException;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.authentication.principal.ServiceFactory;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.services.RegisteredServiceAccessStrategyUtils;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.services.UnauthorizedServiceException;
import org.apereo.cas.support.oauth.OAuthResponseType;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.support.oauth.util.OAuthUtils;
import org.apereo.cas.support.oauth.validator.OAuth20Validator;
import org.apereo.cas.ticket.accesstoken.AccessToken;
import org.apereo.cas.ticket.accesstoken.AccessTokenFactory;
import org.apereo.cas.ticket.code.OAuthCode;
import org.apereo.cas.ticket.code.OAuthCodeFactory;
import org.apereo.cas.ticket.registry.TicketRegistry;
import org.apereo.cas.util.EncodingUtils;
import org.pac4j.core.context.J2EContext;
import org.pac4j.core.profile.ProfileManager;
import org.pac4j.core.profile.UserProfile;
import org.pac4j.core.util.CommonHelper;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.servlet.ModelAndView;

/* loaded from: input_file:org/apereo/cas/support/oauth/web/OAuth20AuthorizeController.class */
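/**
 * Controller for the OAuth 2.0 authorization endpoint ({@code /oauth2.0/authorize}).
 *
 * <p>The request is first checked for the mandatory {@code client_id},
 * {@code redirect_uri} and {@code response_type} parameters, a registered
 * service matching the client id and a callback URL that the service allows.
 * Only then is the pac4j profile (i.e. an already authenticated user) consulted.
 * Depending on the consent resolver the user is either sent to a consent view
 * or redirected straight to the callback URL with either an authorization code
 * ({@code response_type=code}) or an access token in the URL fragment
 * ({@code response_type=token}, the implicit flow).
 *
 * <p>Every failure path renders {@code casServiceErrorView}; details are only logged.
 */
public class OAuth20AuthorizeController extends BaseOAuthWrapperController {

    /** Name of the view rendered on every validation or authorization failure. */
    private static final String ERROR_VIEW = "casServiceErrorView";

    private static final String PARAM_CLIENT_ID = "client_id";
    private static final String PARAM_REDIRECT_URI = "redirect_uri";
    private static final String PARAM_RESPONSE_TYPE = "response_type";
    private static final String PARAM_CODE = "code";
    private static final String PARAM_ACCESS_TOKEN = "access_token";
    private static final String PARAM_TOKEN_TYPE = "token_type";
    private static final String PARAM_EXPIRES_IN = "expires_in";
    private static final String TOKEN_TYPE_BEARER = "bearer";

    /** Authentication attribute names carrying the client-supplied state/nonce. */
    private static final String ATTR_STATE = "state";
    private static final String ATTR_NONCE = "nonce";

    /** Factory used to mint authorization codes for the {@code code} response type. */
    protected OAuthCodeFactory oAuthCodeFactory;

    /** Decides whether a consent view must be shown before redirecting back to the client. */
    private final ConsentApprovalViewResolver consentApprovalViewResolver;

    @Autowired
    private CasConfigurationProperties casProperties;

    /**
     * Creates the controller.
     *
     * @param servicesManager             registry of services
     * @param ticketRegistry              ticket registry codes and tokens are stored in
     * @param oAuth20Validator            validator for request parameters, services and callbacks
     * @param accessTokenFactory          factory for access tokens (implicit flow)
     * @param principalFactory            principal factory
     * @param serviceFactory              factory for web application services
     * @param oAuthCodeFactory            factory for authorization codes
     * @param consentApprovalViewResolver resolver deciding whether consent must be shown
     */
    public OAuth20AuthorizeController(final ServicesManager servicesManager,
                                      final TicketRegistry ticketRegistry,
                                      final OAuth20Validator oAuth20Validator,
                                      final AccessTokenFactory accessTokenFactory,
                                      final PrincipalFactory principalFactory,
                                      final ServiceFactory<WebApplicationService> serviceFactory,
                                      final OAuthCodeFactory oAuthCodeFactory,
                                      final ConsentApprovalViewResolver consentApprovalViewResolver) {
        super(servicesManager, ticketRegistry, oAuth20Validator, accessTokenFactory, principalFactory, serviceFactory);
        this.oAuthCodeFactory = oAuthCodeFactory;
        this.consentApprovalViewResolver = consentApprovalViewResolver;
    }

    /**
     * Handles an authorization request.
     *
     * @param request  the HTTP request
     * @param response the HTTP response
     * @return the consent view, a redirect to the client's callback URL, or the error view
     * @throws Exception propagated from the callback-URL builders when the redirect fails
     */
    @GetMapping(path = {"/oauth2.0/authorize"})
    public ModelAndView handleRequestInternal(final HttpServletRequest request,
                                              final HttpServletResponse response) throws Exception {
        final J2EContext context = new J2EContext(request, response);
        final ProfileManager profileManager = new ProfileManager(context);

        // Parameter/service/callback validation runs before the authentication check so that
        // an unregistered client or a disallowed redirect_uri is rejected regardless of session state.
        if (!verifyAuthorizeRequest(request) || !isRequestAuthenticated(profileManager, context)) {
            this.logger.error("Authorize request verification fails");
            return new ModelAndView(ERROR_VIEW);
        }

        final String clientId = context.getRequestParameter(PARAM_CLIENT_ID);
        final OAuthRegisteredService registeredService = OAuthUtils.getRegisteredOAuthService(getServicesManager(), clientId);
        try {
            // Throws (caught below) when the service is missing or its access strategy denies access.
            RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(clientId, registeredService);

            final ModelAndView consentView = this.consentApprovalViewResolver.resolve(context, registeredService);
            if (consentView.isEmpty() || !consentView.hasView()) {
                // No consent view to show: go straight to the callback.
                return redirectToCallbackRedirectUrl(profileManager, registeredService, context, clientId);
            }
            return consentView;
        } catch (final Exception e) {
            // Controller boundary: any failure maps to the generic error view.
            this.logger.error(e.getMessage(), e);
            return new ModelAndView(ERROR_VIEW);
        }
    }

    /**
     * Checks whether a pac4j profile (including one stored in the session) is available.
     *
     * @param profileManager the profile manager bound to the current request
     * @param context        the web context (currently unused; kept for symmetry with callers)
     * @return {@code true} if a profile is present
     */
    private static boolean isRequestAuthenticated(final ProfileManager profileManager, final J2EContext context) {
        return profileManager.get(true).isPresent();
    }

    /**
     * Builds the callback URL for the requested response type and redirects to it.
     *
     * @param profileManager    the profile manager holding the authenticated profile
     * @param registeredService the registered OAuth service for the client
     * @param context           the web context
     * @param clientId          the client id, used for logging only
     * @return a redirect to the callback URL, or the error view on failure
     * @throws Exception propagated from the callback-URL builders
     */
    private ModelAndView redirectToCallbackRedirectUrl(final ProfileManager profileManager,
                                                       final OAuthRegisteredService registeredService,
                                                       final J2EContext context,
                                                       final String clientId) throws Exception {
        final Optional<?> profile = profileManager.get(true);
        if (profile == null || !profile.isPresent()) {
            this.logger.error("Unexpected null profile from profile manager");
            return new ModelAndView(ERROR_VIEW);
        }

        final WebApplicationService service = createService(registeredService);
        final Authentication authentication = createAuthentication((UserProfile) profile.get(), registeredService, context);
        try {
            // Per-principal access policy of the service (attribute-based rules etc.).
            RegisteredServiceAccessStrategyUtils.ensurePrincipalAccessIsAllowedForService(service, registeredService, authentication);

            final String redirectUri = context.getRequestParameter(PARAM_REDIRECT_URI);
            this.logger.debug("Authorize request verification successful for client {} with redirect uri {}", clientId, redirectUri);

            final String responseType = context.getRequestParameter(PARAM_RESPONSE_TYPE);
            final String callbackUrl = isResponseType(responseType, OAuthResponseType.CODE)
                    ? buildCallbackUrlForAuthorizationCodeResponseType(authentication, service, redirectUri)
                    : buildCallbackUrlForImplicitResponseType(context, authentication, service, redirectUri);
            // NOTE: for the implicit flow this URL carries the bearer access token in its fragment,
            // so this DEBUG line writes a live credential to the log; keep DEBUG off in production.
            this.logger.debug("callbackUrl: {}", callbackUrl);
            return OAuthUtils.redirectTo(callbackUrl);
        } catch (final UnauthorizedServiceException | PrincipalException e) {
            this.logger.error(e.getMessage(), e);
            return new ModelAndView(ERROR_VIEW);
        }
    }

    /**
     * Builds the callback URL for the implicit flow ({@code response_type=token}):
     * the access token, token type, lifetime and the optional state/nonce are placed
     * in the URL fragment so they are not sent to the callback server.
     *
     * @param context        the web context
     * @param authentication the authentication to issue the token for
     * @param service        the target service
     * @param redirectUri    the validated client callback URL
     * @return the callback URL with the token fragment
     * @throws Exception if the redirect URI cannot be parsed
     */
    private String buildCallbackUrlForImplicitResponseType(final J2EContext context,
                                                           final Authentication authentication,
                                                           final Service service,
                                                           final String redirectUri) throws Exception {
        final String state = attributeAsString(authentication, ATTR_STATE);
        final String nonce = attributeAsString(authentication, ATTR_NONCE);

        final AccessToken accessToken = generateAccessToken(service, authentication, context);
        this.logger.debug("Generated Oauth access token: {}", accessToken);

        final StringBuilder fragment = new StringBuilder();
        fragment.append(PARAM_ACCESS_TOKEN).append('=').append(accessToken.getId())
                .append('&').append(PARAM_TOKEN_TYPE).append('=').append(TOKEN_TYPE_BEARER)
                // expires_in is taken from the TGT lifetime configured for CAS.
                .append('&').append(PARAM_EXPIRES_IN).append('=')
                .append(this.casProperties.getTicket().getTgt().getTimeToKillInSeconds());
        if (StringUtils.isNotBlank(state)) {
            fragment.append('&').append(ATTR_STATE).append('=').append(EncodingUtils.urlEncode(state));
        }
        if (StringUtils.isNotBlank(nonce)) {
            fragment.append('&').append(ATTR_NONCE).append('=').append(EncodingUtils.urlEncode(nonce));
        }

        final URIBuilder builder = new URIBuilder(redirectUri);
        builder.setFragment(fragment.toString());
        return builder.toString();
    }

    /**
     * Builds the callback URL for the authorization code flow ({@code response_type=code}):
     * a code is minted, stored in the ticket registry and appended as a query parameter
     * together with the optional state/nonce.
     *
     * @param authentication the authentication the code is bound to
     * @param service        the target service
     * @param redirectUri    the validated client callback URL
     * @return the callback URL with {@code code} (and {@code state}/{@code nonce}) query parameters
     */
    private String buildCallbackUrlForAuthorizationCodeResponseType(final Authentication authentication,
                                                                    final Service service,
                                                                    final String redirectUri) {
        final OAuthCode code = this.oAuthCodeFactory.create(service, authentication);
        this.logger.debug("Generated OAuth code: {}", code);
        getTicketRegistry().addTicket(code);

        final String state = attributeAsString(authentication, ATTR_STATE);
        final String nonce = attributeAsString(authentication, ATTR_NONCE);

        String callbackUrl = CommonHelper.addParameter(redirectUri, PARAM_CODE, code.getId());
        if (StringUtils.isNotBlank(state)) {
            callbackUrl = CommonHelper.addParameter(callbackUrl, ATTR_STATE, state);
        }
        if (StringUtils.isNotBlank(nonce)) {
            callbackUrl = CommonHelper.addParameter(callbackUrl, ATTR_NONCE, nonce);
        }
        return callbackUrl;
    }

    /**
     * Reads an authentication attribute as a string.
     *
     * <p>The state and nonce attributes are optional; the previous code called
     * {@code toString()} on the raw map value and threw a {@link NullPointerException}
     * when the attribute was absent.
     *
     * @param authentication the authentication to read from
     * @param name           the attribute name
     * @return the attribute's string form, or {@code null} when absent
     */
    private static String attributeAsString(final Authentication authentication, final String name) {
        final Object value = authentication.getAttributes().get(name);
        return value == null ? null : value.toString();
    }

    /**
     * Verifies the authorize request: required parameters, a supported response type,
     * a valid registered service for the client id and an allowed callback URL.
     *
     * @param request the HTTP request
     * @return {@code true} if every check passes
     */
    private boolean verifyAuthorizeRequest(final HttpServletRequest request) {
        final boolean hasRequiredParams = getValidator().checkParameterExist(request, PARAM_CLIENT_ID)
                && getValidator().checkParameterExist(request, PARAM_REDIRECT_URI)
                && getValidator().checkParameterExist(request, PARAM_RESPONSE_TYPE);
        if (!hasRequiredParams) {
            // Avoid a service lookup (and validator calls) on a request that is already invalid.
            return false;
        }

        final String responseType = request.getParameter(PARAM_RESPONSE_TYPE);
        final String clientId = request.getParameter(PARAM_CLIENT_ID);
        final String redirectUri = request.getParameter(PARAM_REDIRECT_URI);
        final OAuthRegisteredService registeredService = OAuthUtils.getRegisteredOAuthService(getServicesManager(), clientId);

        return checkResponseTypes(responseType, OAuthResponseType.CODE, OAuthResponseType.TOKEN)
                && getValidator().checkServiceValid(registeredService)
                // The redirect_uri must match the registered service before any code/token is ever issued to it.
                && getValidator().checkCallbackValid(registeredService, redirectUri);
    }

    /**
     * Checks that the response type is one of the supported ones.
     *
     * @param responseType  the raw {@code response_type} parameter
     * @param expectedTypes the supported response types
     * @return {@code true} if the parameter matches one of the expected types
     */
    private boolean checkResponseTypes(final String responseType, final OAuthResponseType... expectedTypes) {
        this.logger.debug("Response type: {}", responseType);
        for (final OAuthResponseType expected : expectedTypes) {
            if (isResponseType(responseType, expected)) {
                return true;
            }
        }
        this.logger.error("Unsupported response type: {}", responseType);
        return false;
    }

    /**
     * Compares the raw {@code response_type} parameter with a response type.
     * The comparison is exact and lowercase (the OAuth parameter values are case-sensitive).
     *
     * @param responseType the raw parameter value, may be {@code null}
     * @param expected     the response type to compare with, may be {@code null}
     * @return {@code true} on an exact match
     */
    private static boolean isResponseType(final String responseType, final OAuthResponseType expected) {
        // Locale.ROOT keeps the lowercasing independent of the JVM default locale.
        return expected != null && expected.name().toLowerCase(Locale.ROOT).equals(responseType);
    }
}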
