package org.iplass.mtp.impl.auth.oauth.command;

import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.concurrent.TimeUnit;
import java.util.function.Consumer;
import org.iplass.mtp.auth.AuthContext;
import org.iplass.mtp.auth.NeedTrustedAuthenticationException;
import org.iplass.mtp.command.Command;
import org.iplass.mtp.command.RequestContext;
import org.iplass.mtp.command.annotation.CommandClass;
import org.iplass.mtp.command.annotation.action.ActionMapping;
import org.iplass.mtp.command.annotation.action.Result;
import org.iplass.mtp.command.annotation.template.Template;
import org.iplass.mtp.command.annotation.template.Templates;
import org.iplass.mtp.impl.auth.oauth.MetaOAuthAuthorization;
import org.iplass.mtp.impl.auth.oauth.MetaOAuthClient;
import org.iplass.mtp.impl.auth.oauth.OAuthApplicationException;
import org.iplass.mtp.impl.auth.oauth.OAuthClientService;
import org.iplass.mtp.impl.auth.oauth.OAuthConstants;
import org.iplass.mtp.impl.auth.oauth.OAuthRuntimeException;
import org.iplass.mtp.impl.auth.oauth.code.AuthorizationCode;
import org.iplass.mtp.impl.auth.oauth.code.AuthorizationRequest;
import org.iplass.mtp.impl.webapi.command.entity.CreateEntityCommand;
import org.iplass.mtp.spi.ServiceRegistry;
import org.iplass.mtp.util.StringUtil;
import org.iplass.mtp.web.WebRequestConstants;
import org.iplass.mtp.web.actionmapping.definition.HttpMethodType;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@ActionMapping(name = "oauth/authorize", clientCacheType = ActionMapping.ClientCacheType.NO_CACHE, allowMethod = {HttpMethodType.GET, HttpMethodType.POST}, publicAction = true, result = {@Result(status = AuthorizeCommand.STAT_SUCCESS_REDIRECT, type = Result.Type.REDIRECT, allowExternalLocation = true, value = WebRequestConstants.REDIRECT_PATH), @Result(status = AuthorizeCommand.STAT_SUCCESS_POST, type = Result.Type.TEMPLATE, value = AuthorizeCommand.TMPL_POST), @Result(status = AuthorizeCommand.STAT_NEED_CONSENT, type = Result.Type.DYNAMIC, value = AuthorizeCommand.REQUEST_TMPL_NAME), @Result(status = AuthorizeCommand.STAT_ERROR_REDIRECT, type = Result.Type.REDIRECT, allowExternalLocation = true, value = WebRequestConstants.REDIRECT_PATH), @Result(status = AuthorizeCommand.STAT_ERROR_POST, type = Result.Type.TEMPLATE, value = AuthorizeCommand.TMPL_POST)})
@Templates({@Template(name = AuthorizeCommand.TMPL_POST, displayName = "OAuth Post Response Mode", path = "/jsp/oauth/OAuthPost.jsp", contentType = "text/html; charset=utf-8"), @Template(name = AuthorizeCommand.TMPL_CONSENT, displayName = "Default OAuth Consent View", path = "/jsp/oauth/Consent.jsp", contentType = "text/html; charset=utf-8")})
@CommandClass(name = "mtp/oauth/AuthorizeCommand", displayName = "OAuth2.0 Authorization Endpoint")
/* loaded from: input_file:org/iplass/mtp/impl/auth/oauth/command/AuthorizeCommand.class */
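public class AuthorizeCommand implements Command {
    static final String PARAM_DEFINITION_NAME = "defName";
    static final String PARAM_RESPONSE_TYPE = "response_type";
    static final String PARAM_CLIENT_ID = "client_id";
    static final String PARAM_REDIRECT_URI = "redirect_uri";
    static final String PARAM_SCOPE = "scope";
    static final String PARAM_STATE = "state";
    static final String PARAM_CODE = "code";
    static final String PARAM_RESPONSE_MODE = "response_mode";
    static final String PARAM_ERROR = "error";
    static final String PARAM_ERROR_DESCRIPTION = "error_description";
    static final String PARAM_CODE_CHALLENGE = "code_challenge";
    static final String PARAM_CODE_CHALLENGE_METHOD = "code_challenge_method";
    static final String PARAM_NONCE = "nonce";
    static final String PARAM_PROMPT = "prompt";
    static final String PARAM_MAX_AGE = "max_age";
    static final String STAT_SUCCESS_REDIRECT = "SUCCESS_REDIRECT";
    static final String STAT_SUCCESS_POST = "SUCCESS_POST";
    static final String STAT_ERROR_REDIRECT = "ERROR_REDIRECT";
    static final String STAT_ERROR_POST = "ERROR_POST";
    static final String STAT_NEED_CONSENT = "NEED_CONSENT";
    static final String REQUEST_TMPL_NAME = "templateName";
    static final String REQUEST_AUTHORIZATION_CODE = "authorizationCode";
    static final String REQUEST_AUTHORIZATION_REQUEST = "authorizationRequest";
    static final String REQUEST_ERROR = "error";
    public static final String SESSION_AUTHORIZATION_REQUEST = "authorizationRequest";
    public static final String TMPL_POST = "oauth/OAuthPost";
    public static final String TMPL_CONSENT = "oauth/Consent";

    private static final Logger logger = LoggerFactory.getLogger(AuthorizeCommand.class);

    // Cast kept from the decompiled output; ServiceRegistry#getService may or may not be generic.
    private final OAuthClientService clientService = (OAuthClientService) ServiceRegistry.getRegistry().getService(OAuthClientService.class);

    /**
     * OAuth 2.0 / OIDC authorization endpoint ({@code oauth/authorize}).
     *
     * <p>Flow: resolve the client and a registered redirect_uri, build the
     * {@link AuthorizationRequest} from the query parameters, validate it, make sure the
     * end user is (freshly enough) authenticated and allowed to use the authorization
     * server, then either issue a code immediately, ask for consent, or report an error.
     *
     * <p>Errors are only ever delivered to a redirect_uri that passed
     * {@code selectValidRedirectUri}; an unknown client or redirect_uri is rejected with an
     * exception and never redirected (RFC 6749 §4.1.2.1), which is what prevents this
     * endpoint from acting as an open redirector.
     *
     * @param requestContext the current request; OAuth parameters are read from it
     * @return one of the {@code STAT_*} result names declared on the action mapping
     * @throws OAuthRuntimeException when client_id or redirect_uri is not acceptable
     * @throws NeedTrustedAuthenticationException when the user has to (re)authenticate first
     */
    public String execute(RequestContext requestContext) {
        String clientId = requestContext.getParam(PARAM_CLIENT_ID);
        MetaOAuthClient.OAuthClientRuntime client = clientService.getRuntimeByName(clientId);
        if (client == null) {
            // No client, no trusted redirect target: fail here rather than redirect anywhere.
            throw new OAuthRuntimeException("invalid client_id:" + clientId);
        }
        String requestedRedirectUri = StringUtil.stripToNull(requestContext.getParam(PARAM_REDIRECT_URI));
        String redirectUri = client.selectValidRedirectUri(requestedRedirectUri);
        if (redirectUri == null) {
            // Only a redirect_uri registered for this client may receive codes or errors.
            throw new OAuthRuntimeException("invalid redirect_uri:" + requestedRedirectUri);
        }
        MetaOAuthAuthorization.OAuthAuthorizationRuntime server = client.getAuthorizationServer();
        AuthorizationRequest authorizationRequest = buildAuthorizationRequest(requestContext, server, client, redirectUri);
        try {
            server.checkValidAuthorizationRequest(authorizationRequest);
            requireFreshAuthentication(AuthContext.getCurrentContext(), authorizationRequest);
            if (!server.hasAvailableRole()) {
                throw new OAuthApplicationException(OAuthConstants.ERROR_ACCESS_DENIED, "User can't access this resource.");
            }
            if (!authorizationRequest.hasPrompt(OAuthConstants.PROMPT_CONSENT)
                    && !server.isNeedConsent(requestContext, authorizationRequest)) {
                // offline_access (refresh token) is never granted silently; it needs an explicit consent screen.
                authorizationRequest.getScopes().remove(OAuthConstants.SCOPE_OFFLINE_ACCESS);
                return success(requestContext, server.generateCode(authorizationRequest));
            }
            if (authorizationRequest.getPrompt() == null
                    || !authorizationRequest.getPrompt().contains(OAuthConstants.PROMPT_NONE)) {
                return needConsent(requestContext, authorizationRequest, server);
            }
            // prompt=none forbids showing a consent page.
            throw new OAuthApplicationException(OAuthConstants.ERROR_CONSENT_REQUIRED, "Consent required.");
        } catch (NeedTrustedAuthenticationException e) {
            // Handled by the framework (login flow); must not be turned into an OAuth error.
            throw e;
        } catch (RuntimeException e) {
            // Unexpected failure: log the details, but send the client only a generic description.
            logger.error(e.getMessage(), e);
            return error(requestContext, OAuthConstants.ERROR_SERVER_ERROR, "See server log for details.", authorizationRequest);
        } catch (OAuthApplicationException e) {
            if (logger.isDebugEnabled()) {
                logger.debug(e.getMessage(), e);
            }
            return error(requestContext, e.getCode(), e.getDescription(), authorizationRequest);
        }
    }

    /**
     * Reads a request parameter, stripped, with blank values normalised to {@code null}.
     */
    private static String strippedParam(RequestContext requestContext, String name) {
        return StringUtil.stripToNull(requestContext.getParam(name));
    }

    /**
     * Builds the {@link AuthorizationRequest} from the OAuth/OIDC query parameters.
     *
     * @param redirectUri the already validated redirect_uri (never {@code null})
     */
    private static AuthorizationRequest buildAuthorizationRequest(RequestContext requestContext,
            MetaOAuthAuthorization.OAuthAuthorizationRuntime server, MetaOAuthClient.OAuthClientRuntime client,
            String redirectUri) {
        // NOTE(review): m26getMetaData/m32getMetaData look like decompiler-mangled accessor names — confirm against the source.
        AuthorizationRequest request = new AuthorizationRequest(
                server.m26getMetaData().getName(), client.m32getMetaData().getName(), redirectUri);
        request.setState(strippedParam(requestContext, PARAM_STATE));
        request.setCodeChallenge(strippedParam(requestContext, PARAM_CODE_CHALLENGE));
        request.setCodeChallengeMethod(strippedParam(requestContext, PARAM_CODE_CHALLENGE_METHOD));
        // Space-separated list parameters (RFC 6749 §3.3, OIDC core §3.1.2.1).
        request.addResponseTypes(StringUtil.split(requestContext.getParam(PARAM_RESPONSE_TYPE), ' '));
        request.addScopes(StringUtil.split(requestContext.getParam(PARAM_SCOPE), ' '));
        request.setResponseMode(strippedParam(requestContext, PARAM_RESPONSE_MODE));
        request.setNonce(strippedParam(requestContext, PARAM_NONCE));
        request.addPrompts(StringUtil.split(requestContext.getParam(PARAM_PROMPT), ' '));
        request.setMaxAge(requestContext.getParamAsLong(PARAM_MAX_AGE));
        return request;
    }

    /**
     * Ensures the current session is authenticated and, when {@code max_age} was given,
     * that the authentication is recent enough; forces {@code prompt=login} to re-authenticate.
     *
     * @throws OAuthApplicationException {@code login_required} when interaction is needed but
     *         the client asked for {@code prompt=none}
     * @throws NeedTrustedAuthenticationException when the user must be sent through login
     */
    private static void requireFreshAuthentication(AuthContext authContext, AuthorizationRequest request)
            throws OAuthApplicationException {
        boolean loginRequired = !authContext.isAuthenticated() || request.hasPrompt(OAuthConstants.PROMPT_LOGIN);
        if (!loginRequired && request.getMaxAge() != null) {
            // toMillis() saturates and the addition can wrap negative for absurd max_age values;
            // in both cases the comparison below demands re-authentication, which is the safe direction.
            long freshUntil = authContext.getAuthTime() + TimeUnit.SECONDS.toMillis(request.getMaxAge().longValue());
            loginRequired = freshUntil < System.currentTimeMillis();
        }
        if (!loginRequired) {
            return;
        }
        if (request.hasPrompt(OAuthConstants.PROMPT_NONE)) {
            throw new OAuthApplicationException(OAuthConstants.ERROR_LOGIN_REQUIRED, "Login required.");
        }
        throw new NeedTrustedAuthenticationException();
    }

    /**
     * Percent-encodes a value for use in a query or fragment component.
     * {@link URLEncoder} emits form encoding ("+" for space), which is why "+" is rewritten to "%20".
     */
    private static String encode(String value) {
        try {
            return URLEncoder.encode(value, "UTF-8").replace("+", "%20");
        } catch (UnsupportedEncodingException e) {
            // UTF-8 is mandatory for every JVM, so this cannot happen in practice.
            throw new IllegalStateException("UTF-8 is not supported", e);
        }
    }

    /**
     * Appends response parameters to the validated redirect_uri, as query parameters by
     * default or in the fragment for {@code response_mode=fragment}.
     *
     * <p>Any response_mode other than fragment is treated as query. This also covers an
     * unrecognised response_mode on the error path (validation may reject the mode and the
     * error is still redirected): previously no separator at all was appended in that case,
     * which glued the parameters onto the URI.
     *
     * @param paramWriter appends the already encoded {@code name=value} pairs
     */
    private static String createRedirectUri(AuthorizationRequest request, Consumer<StringBuilder> paramWriter) {
        String redirectUri = request.getRedirectUri();
        StringBuilder location = new StringBuilder(redirectUri);
        if (OAuthConstants.RESPONSE_MODE_FRAGMENT.equals(request.getResponseMode())) {
            location.append('#');
        } else {
            location.append(redirectUri.contains("?") ? '&' : '?');
        }
        paramWriter.accept(location);
        return location.toString();
    }

    /**
     * Delivers the issued authorization code, either by redirect (code and state in the
     * query/fragment) or via the form_post template.
     *
     * @return {@link #STAT_SUCCESS_REDIRECT} or {@link #STAT_SUCCESS_POST}
     */
    public String success(RequestContext requestContext, AuthorizationCode authorizationCode) {
        AuthorizationRequest request = authorizationCode.getRequest();
        if (OAuthConstants.RESPONSE_MODE_FORM_POST.equals(request.getResponseMode())) {
            requestContext.setAttribute(REQUEST_AUTHORIZATION_REQUEST, request);
            requestContext.setAttribute(REQUEST_AUTHORIZATION_CODE, authorizationCode);
            return STAT_SUCCESS_POST;
        }
        String location = createRedirectUri(request, sb -> {
            sb.append(PARAM_CODE).append('=').append(encode(authorizationCode.getCodeValue()));
            if (request.getState() != null) {
                // state is echoed back verbatim (encoded) so the client can bind the response to its request.
                sb.append('&').append(PARAM_STATE).append('=').append(encode(request.getState()));
            }
        });
        requestContext.setAttribute(WebRequestConstants.REDIRECT_PATH, location);
        return STAT_SUCCESS_REDIRECT;
    }

    /**
     * Delivers an OAuth error response (RFC 6749 §4.1.2.1) to the validated redirect_uri,
     * by redirect or via the form_post template.
     *
     * <p>The decompiled output referenced {@code CreateEntityCommand.RESULT_UPLOAD_ERROR} for
     * the parameter and attribute name; the protocol parameter is {@code error}, which this
     * class declares as {@link #PARAM_ERROR} / {@link #REQUEST_ERROR}.
     *
     * @param code the OAuth error code, e.g. {@code OAuthConstants.ERROR_SERVER_ERROR}
     * @param description human-readable description, may be {@code null}
     * @return {@link #STAT_ERROR_REDIRECT} or {@link #STAT_ERROR_POST}
     */
    public String error(RequestContext requestContext, String code, String description, AuthorizationRequest authorizationRequest) {
        if (OAuthConstants.RESPONSE_MODE_FORM_POST.equals(authorizationRequest.getResponseMode())) {
            requestContext.setAttribute(REQUEST_AUTHORIZATION_REQUEST, authorizationRequest);
            requestContext.setAttribute(REQUEST_ERROR, new OAuthApplicationException(code, description));
            return STAT_ERROR_POST;
        }
        String location = createRedirectUri(authorizationRequest, sb -> {
            sb.append(PARAM_ERROR).append('=').append(encode(code));
            if (description != null) {
                sb.append('&').append(PARAM_ERROR_DESCRIPTION).append('=').append(encode(description));
            }
            if (authorizationRequest.getState() != null) {
                sb.append('&').append(PARAM_STATE).append('=').append(encode(authorizationRequest.getState()));
            }
        });
        requestContext.setAttribute(WebRequestConstants.REDIRECT_PATH, location);
        return STAT_ERROR_REDIRECT;
    }

    /**
     * Parks the pending request in the session and renders the consent view; the consent
     * handler is expected to pick it up under {@link #SESSION_AUTHORIZATION_REQUEST}.
     *
     * @return {@link #STAT_NEED_CONSENT}
     */
    String needConsent(RequestContext requestContext, AuthorizationRequest authorizationRequest,
            MetaOAuthAuthorization.OAuthAuthorizationRuntime server) {
        requestContext.getSession().setAttribute(SESSION_AUTHORIZATION_REQUEST, authorizationRequest);
        requestContext.setAttribute(REQUEST_TMPL_NAME, server.consentTemplateName());
        return STAT_NEED_CONSENT;
    }
}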
