package org.apereo.cas.support.oauth.web.endpoints;

import java.util.Locale;
import java.util.Optional;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.PrincipalException;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.authentication.principal.ServiceFactory;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.services.RegisteredServiceAccessStrategyUtils;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.services.UnauthorizedServiceException;
import org.apereo.cas.support.oauth.OAuth20GrantTypes;
import org.apereo.cas.support.oauth.authenticator.OAuth20CasAuthenticationBuilder;
import org.apereo.cas.support.oauth.profile.OAuth20ProfileScopeToAttributesFilter;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.support.oauth.util.OAuth20Utils;
import org.apereo.cas.support.oauth.validator.OAuth20RequestValidator;
import org.apereo.cas.support.oauth.validator.OAuth20Validator;
import org.apereo.cas.support.oauth.web.response.accesstoken.ext.AccessTokenRequestDataHolder;
import org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationResponseBuilder;
import org.apereo.cas.support.oauth.web.views.ConsentApprovalViewResolver;
import org.apereo.cas.ticket.accesstoken.AccessTokenFactory;
import org.apereo.cas.ticket.code.OAuthCodeFactory;
import org.apereo.cas.ticket.registry.TicketRegistry;
import org.apereo.cas.web.support.CookieRetrievingCookieGenerator;
import org.apereo.cas.web.support.CookieUtils;
import org.apereo.cas.web.support.WebUtils;
import org.pac4j.core.context.J2EContext;
import org.pac4j.core.profile.ProfileManager;
import org.pac4j.core.profile.UserProfile;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.View;

/* loaded from: input_file:org/apereo/cas/support/oauth/web/endpoints/OAuth20AuthorizeEndpointController.class */
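/**
 * OAuth 2.0 authorization endpoint, served at {@code /oauth2.0/authorize}.
 *
 * <p>Processing order for every request: the configured
 * {@link OAuth20RequestValidator}s check the request shape, the pac4j
 * {@link ProfileManager} must hold an authenticated profile, the registered
 * service is looked up by {@code client_id} and its access strategy enforced,
 * a consent view may be shown, and finally the first supporting
 * {@link OAuth20AuthorizationResponseBuilder} produces the redirect back to
 * the client. Every failure on that path is logged and answered with the
 * shared unauthorized error view; nothing is allowed to escape the controller
 * as an unhandled exception.
 */
public class OAuth20AuthorizeEndpointController extends BaseOAuth20Controller {
    private static final Logger LOGGER = LoggerFactory.getLogger(OAuth20AuthorizeEndpointController.class);

    /** Request parameter carrying the OAuth client identifier. */
    private static final String CLIENT_ID_PARAMETER = "client_id";

    /** Request parameter carrying the requested grant type (optional). */
    private static final String GRANT_TYPE_PARAMETER = "grant_type";

    protected OAuthCodeFactory oAuthCodeFactory;
    protected final ConsentApprovalViewResolver consentApprovalViewResolver;
    protected final OAuth20CasAuthenticationBuilder authenticationBuilder;
    protected final Set<OAuth20AuthorizationResponseBuilder> oauthAuthorizationResponseBuilders;
    protected final Set<OAuth20RequestValidator> oauthRequestValidators;

    /**
     * Creates the controller.
     *
     * @param servicesManager                       registry of registered services
     * @param ticketRegistry                        ticket registry
     * @param oAuth20Validator                      OAuth validator passed to the base controller
     * @param accessTokenFactory                    access token factory passed to the base controller
     * @param principalFactory                      principal factory passed to the base controller
     * @param serviceFactory                        web application service factory
     * @param oAuthCodeFactory                      factory for OAuth codes
     * @param consentApprovalViewResolver           decides whether a consent view must be shown
     * @param oAuth20ProfileScopeToAttributesFilter scope-to-attribute filter passed to the base controller
     * @param casConfigurationProperties            CAS settings
     * @param cookieRetrievingCookieGenerator       ticket-granting cookie generator
     * @param oAuth20CasAuthenticationBuilder       builds the CAS authentication/service from the pac4j profile
     * @param authorizationResponseBuilders         response builders, one of which must support each request
     * @param requestValidators                     request validators, one of which must support each request
     */
    public OAuth20AuthorizeEndpointController(ServicesManager servicesManager, TicketRegistry ticketRegistry, OAuth20Validator oAuth20Validator, AccessTokenFactory accessTokenFactory, PrincipalFactory principalFactory, ServiceFactory<WebApplicationService> serviceFactory, OAuthCodeFactory oAuthCodeFactory, ConsentApprovalViewResolver consentApprovalViewResolver, OAuth20ProfileScopeToAttributesFilter oAuth20ProfileScopeToAttributesFilter, CasConfigurationProperties casConfigurationProperties, CookieRetrievingCookieGenerator cookieRetrievingCookieGenerator, OAuth20CasAuthenticationBuilder oAuth20CasAuthenticationBuilder, Set<OAuth20AuthorizationResponseBuilder> authorizationResponseBuilders, Set<OAuth20RequestValidator> requestValidators) {
        super(servicesManager, ticketRegistry, oAuth20Validator, accessTokenFactory, principalFactory, serviceFactory, oAuth20ProfileScopeToAttributesFilter, casConfigurationProperties, cookieRetrievingCookieGenerator);
        this.oAuthCodeFactory = oAuthCodeFactory;
        this.consentApprovalViewResolver = consentApprovalViewResolver;
        this.authenticationBuilder = oAuth20CasAuthenticationBuilder;
        this.oauthAuthorizationResponseBuilders = authorizationResponseBuilders;
        this.oauthRequestValidators = requestValidators;
    }

    /**
     * Handles the authorize request.
     *
     * <p>All validation, including the validator lookup (which throws
     * {@link IllegalArgumentException} when no validator supports the request),
     * happens inside the {@code try} block, so an unsupported or malformed
     * request is answered with the unauthorized error view instead of
     * surfacing as an unhandled exception.
     *
     * @param request  the HTTP request
     * @param response the HTTP response
     * @return the consent view, the redirect to the client's callback, the
     * unauthorized error view, or {@code null} when the response builder
     * produced no view (see {@link #redirectToCallbackRedirectUrl})
     * @throws Exception never in practice; kept for signature compatibility
     */
    @GetMapping(path = {"/oauth2.0/authorize"})
    public ModelAndView handleRequest(final HttpServletRequest request, final HttpServletResponse response) throws Exception {
        final J2EContext context = WebUtils.getPac4jJ2EContext(request, response);
        final ProfileManager manager = WebUtils.getPac4jProfileManager(request, response);
        try {
            if (!verifyAuthorizeRequest(context) || !isRequestAuthenticated(manager)) {
                LOGGER.error("Authorize request verification failed. Either the authorization request is misssing required parameters, or the request is not authenticated and contains no authenticated profile/principal.");
                return OAuth20Utils.produceUnauthorizedErrorView();
            }
            final String clientId = context.getRequestParameter(CLIENT_ID_PARAMETER);
            final OAuthRegisteredService registeredService = getRegisteredServiceByClientId(clientId);
            // Throws when the service is unknown or its access strategy denies it;
            // the catch below turns that into the error view.
            RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(clientId, registeredService);
            final ModelAndView consentView = this.consentApprovalViewResolver.resolve(context, registeredService);
            if (consentView.isEmpty() || !consentView.hasView()) {
                return redirectToCallbackRedirectUrl(manager, registeredService, context, clientId);
            }
            return consentView;
        } catch (final Exception e) {
            LOGGER.error(e.getMessage(), e);
            return OAuth20Utils.produceUnauthorizedErrorView();
        }
    }

    /**
     * Looks up the registered OAuth service for a client id.
     *
     * @param clientId the {@code client_id} request parameter
     * @return the registered service, or whatever {@link OAuth20Utils#getRegisteredOAuthService}
     * returns when none matches
     */
    protected OAuthRegisteredService getRegisteredServiceByClientId(final String clientId) {
        return OAuth20Utils.getRegisteredOAuthService(this.servicesManager, clientId);
    }

    /**
     * Reports whether the profile manager holds an authenticated profile.
     *
     * @param manager pac4j profile manager for the current request
     * @return {@code true} when a profile is present
     */
    private static boolean isRequestAuthenticated(final ProfileManager manager) {
        // The flag asks pac4j to also consult the session, not just the request.
        return manager.get(true).isPresent();
    }

    /**
     * Builds the CAS authentication for the current profile, enforces the
     * principal-level access strategy and redirects to the client's callback.
     *
     * @param manager           pac4j profile manager
     * @param registeredService the registered OAuth service
     * @param context           the pac4j web context
     * @param clientId          the client id
     * @return a redirect to the callback URL, the unauthorized error view when
     * no profile is present or access is denied, or {@code null} when the
     * response builder produced no view
     * @throws Exception propagated from the response builder or authentication builder
     */
    protected ModelAndView redirectToCallbackRedirectUrl(final ProfileManager manager, final OAuthRegisteredService registeredService, final J2EContext context, final String clientId) throws Exception {
        final Optional<?> profile = manager.get(true);
        if (profile == null || !profile.isPresent()) {
            LOGGER.error("Unexpected null profile from profile manager. Request is not fully authenticated.");
            return OAuth20Utils.produceUnauthorizedErrorView();
        }
        final Service service = this.authenticationBuilder.buildService(registeredService, context, false);
        LOGGER.debug("Created service [{}] based on registered service [{}]", service, registeredService);
        final Authentication authentication = this.authenticationBuilder.build((UserProfile) profile.get(), registeredService, context, service);
        // Argument order matches the placeholders: authentication first, then service.
        LOGGER.debug("Created OAuth authentication [{}] for service [{}]", authentication, service);
        try {
            RegisteredServiceAccessStrategyUtils.ensurePrincipalAccessIsAllowedForService(service, registeredService, authentication);
            final View view = buildAuthorizationForRequest(registeredService, context, clientId, service, authentication);
            if (view == null) {
                LOGGER.debug("No explicit view was defined as part of the authorization response");
                return null;
            }
            return OAuth20Utils.redirectTo(view);
        } catch (final UnauthorizedServiceException | PrincipalException e) {
            LOGGER.error(e.getMessage(), e);
            return OAuth20Utils.produceUnauthorizedErrorView();
        }
    }

    /**
     * Selects the first response builder that supports the request and asks it
     * to build the authorization response.
     *
     * @param registeredService the registered OAuth service
     * @param context           the pac4j web context
     * @param clientId          the client id
     * @param service           the CAS service built for this request
     * @param authentication    the CAS authentication built for this request
     * @return the view produced by the builder (may be {@code null})
     * @throws IllegalArgumentException if no builder supports the request, or the
     *                                  supplied {@code grant_type} is not a known {@link OAuth20GrantTypes}
     */
    protected View buildAuthorizationForRequest(final OAuthRegisteredService registeredService, final J2EContext context, final String clientId, final Service service, final Authentication authentication) {
        final OAuth20AuthorizationResponseBuilder builder = this.oauthAuthorizationResponseBuilders.stream()
            .filter(candidate -> candidate.supports(context))
            .findFirst()
            .orElseThrow(() -> new IllegalArgumentException("Could not build the callback url. Response type likely not supported"));
        final AccessTokenRequestDataHolder holder = new AccessTokenRequestDataHolder(service, authentication, registeredService,
            CookieUtils.getTicketGrantingTicketFromRequest(this.ticketGrantingTicketCookieGenerator, this.ticketRegistry, context.getRequest()),
            resolveGrantType(context));
        return builder.build(context, clientId, holder);
    }

    /**
     * Resolves the requested grant type, defaulting to authorization code.
     *
     * @param context the pac4j web context
     * @return the grant type named by {@code grant_type}, or
     * {@link OAuth20GrantTypes#AUTHORIZATION_CODE} when the parameter is absent or empty
     * @throws IllegalArgumentException if the parameter names no known grant type
     */
    private static OAuth20GrantTypes resolveGrantType(final J2EContext context) {
        final String grantType = StringUtils.defaultIfEmpty(context.getRequestParameter(GRANT_TYPE_PARAMETER), OAuth20GrantTypes.AUTHORIZATION_CODE.getType());
        // Locale.ROOT keeps the enum lookup independent of the JVM's default locale
        // (e.g. a Turkish locale upper-cases 'i' to a dotted capital).
        return OAuth20GrantTypes.valueOf(grantType.toUpperCase(Locale.ROOT));
    }

    /**
     * Runs the first request validator that supports the request.
     *
     * @param context the pac4j web context
     * @return the validator's verdict
     * @throws IllegalArgumentException if no validator supports the request
     */
    private boolean verifyAuthorizeRequest(final J2EContext context) {
        final OAuth20RequestValidator validator = this.oauthRequestValidators.stream()
            .filter(candidate -> candidate.supports(context))
            .findFirst()
            .orElseThrow(() -> new IllegalArgumentException("Could not validate the request given it's unsupported"));
        return validator.validate(context);
    }
}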
