package leap.oauth2.webapp.login;

import leap.core.annotation.Inject;
import leap.core.security.Authentication;
import leap.core.security.UserNotFoundException;
import leap.core.security.UserPrincipal;
import leap.core.security.token.TokenVerifyException;
import leap.lang.Strings;
import leap.lang.http.HTTP;
import leap.lang.intercepting.State;
import leap.lang.logging.Log;
import leap.lang.logging.LogFactory;
import leap.oauth2.webapp.OAuth2Config;
import leap.oauth2.webapp.OAuth2ErrorHandler;
import leap.oauth2.webapp.OAuth2Params;
import leap.oauth2.webapp.OAuth2RequestParams;
import leap.oauth2.webapp.client.OAuth2Client;
import leap.oauth2.webapp.code.CodeVerifier;
import leap.oauth2.webapp.token.TokenContext;
import leap.oauth2.webapp.token.at.AccessToken;
import leap.oauth2.webapp.token.at.AccessTokenStore;
import leap.oauth2.webapp.token.id.IdToken;
import leap.oauth2.webapp.token.id.IdTokenVerifier;
import leap.oauth2.webapp.user.UserDetailsLookup;
import leap.oauth2.webapp.user.UserInfoLookup;
import leap.web.Request;
import leap.web.Response;
import leap.web.security.authc.AuthenticationContext;
import leap.web.security.authc.AuthenticationManager;
import leap.web.security.login.LoginManager;
import leap.web.view.View;

/* loaded from: input_file:leap/oauth2/webapp/login/DefaultOAuth2LoginHandler.class */
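/**
 * Default {@link OAuth2LoginHandler}.
 *
 * <p>Handles the authorization server's redirect back to this web application
 * (error or success, see {@link #handleServerRedirectRequest}) and, once an
 * authentication has been resolved for a request, makes the session's access
 * token available through {@link TokenContext} (see
 * {@link #handleAuthenticationResolved}).
 *
 * <p>All trust placed in a login produced here rests on
 * {@link IdTokenVerifier#verifyIdToken} (and, when configured,
 * {@link CodeVerifier#verifyCode}); nothing in this class binds the callback to
 * the originating request (state/nonce) — that is assumed to happen in those
 * collaborators or in {@link OAuth2RequestParams}, TODO confirm.
 */
public class DefaultOAuth2LoginHandler implements OAuth2LoginHandler {
    private static final Log log = LogFactory.get(DefaultOAuth2LoginHandler.class);

    /** Error code used when the server callback lacks data this handler requires. */
    private static final String ERROR_ILLEGAL_STATE = "illegal_state";
    /** Error code used when the id_token subject cannot be resolved to a user. */
    private static final String ERROR_USER_NOT_FOUND = "user_not_found";

    @Inject
    protected OAuth2Config config;

    @Inject
    protected OAuth2ErrorHandler errorHandler;

    @Inject
    protected AuthenticationManager am;

    @Inject
    protected LoginManager lm;

    @Inject
    protected AccessTokenStore accessTokenStore;

    @Inject
    protected IdTokenVerifier idTokenVerifier;

    @Inject
    protected CodeVerifier codeVerifier;

    @Inject
    protected UserInfoLookup userInfoLookup;

    @Inject
    protected UserDetailsLookup userDetailsLookup;

    /**
     * Dispatches the authorization server's redirect to the error or success path,
     * depending on whether the callback carries an {@code error} parameter.
     *
     * @return the state returned by the chosen handler
     * @throws Throwable anything the chosen handler throws
     */
    @Override
    public State handleServerRedirectRequest(Request request, Response response, AuthenticationContext authenticationContext) throws Throwable {
        OAuth2RequestParams params = new OAuth2RequestParams(request);
        if (params.isError()) {
            return handleOAuth2ServerError(request, response, params);
        }
        return handleOAuth2ServerSuccess(request, response, params);
    }

    /**
     * Makes the access token of the resolved authentication available on the
     * request via {@link TokenContext}, refreshing and re-saving it when expired.
     *
     * <p>A freshly created {@link OAuth2LoginAuthentication} carries its own token,
     * which is persisted through {@link AccessTokenStore}; any other authentication
     * has its token loaded back from the store. Requests without an authentication
     * are passed through untouched.
     *
     * @return always {@link State#CONTINUE}
     * @throws Throwable anything the token store throws
     */
    @Override
    public State handleAuthenticationResolved(Request request, Response response, AuthenticationContext authenticationContext) throws Throwable {
        Authentication authentication = authenticationContext.getAuthentication();
        if (null == authentication) {
            return State.CONTINUE;
        }

        AccessToken accessToken;
        if (authentication instanceof OAuth2LoginAuthentication) {
            // Fresh OAuth2 login: persist the token obtained during the callback exchange.
            accessToken = ((OAuth2LoginAuthentication) authentication).getAccessToken();
            if (null != accessToken) {
                this.accessTokenStore.saveAccessToken(request, authenticationContext, accessToken);
            }
        } else {
            // Existing session: recover the token stored on an earlier request.
            accessToken = this.accessTokenStore.loadAccessToken(request, authenticationContext);
        }

        if (null != accessToken) {
            if (accessToken.isExpired()) {
                // The token value is a bearer credential and is deliberately kept out of the log.
                log.info("Access token expired, refreshing it");
                // NOTE(review): assumes refreshAndSaveAccessToken returns a usable token or that
                // TokenContext tolerates null — TODO confirm.
                accessToken = this.accessTokenStore.refreshAndSaveAccessToken(request, authenticationContext, accessToken);
            }
            TokenContext.setAccessToken(request, accessToken);
        }
        return State.CONTINUE;
    }

    /**
     * Handles a callback in which the authorization server reported an error.
     *
     * <p>When no error view is configured the {@link OAuth2ErrorHandler} writes the
     * response; otherwise the configured view is rendered. The previous condition
     * was inverted ({@code !Strings.isEmpty(errorView)}), which sent configured
     * deployments to the generic handler and asked for a view named {@code ""}
     * otherwise. A configured view that cannot be resolved now falls back to the
     * error handler instead of sending an empty response.
     *
     * @return always {@link State#INTERCEPTED}
     * @throws Throwable anything view rendering throws
     */
    protected State handleOAuth2ServerError(Request request, Response response, OAuth2Params oAuth2Params) throws Throwable {
        String errorView = this.config.getErrorView();
        if (Strings.isEmpty(errorView)) {
            return error(request, response, oAuth2Params.getError(), oAuth2Params.getErrorDescription());
        }

        View view = request.getView(errorView);
        if (null == view) {
            return error(request, response, oAuth2Params.getError(), oAuth2Params.getErrorDescription());
        }
        view.render(request, response);
        return State.INTERCEPTED;
    }

    /**
     * Writes an error response through the {@link OAuth2ErrorHandler} and intercepts
     * the request.
     *
     * <p>Every failure is reported with HTTP 500, including ones that originate in
     * the server callback (missing/invalid code, unknown user); subclasses wanting a
     * 4xx for those cases override this method.
     *
     * @param errorCode        machine-readable error code
     * @param errorDescription human-readable description
     * @return always {@link State#INTERCEPTED}
     */
    protected State error(Request request, Response response, String errorCode, String errorDescription) {
        this.errorHandler.responseError(request, response, HTTP.Status.INTERNAL_SERVER_ERROR.value(), errorCode, errorDescription);
        return State.INTERCEPTED;
    }

    /**
     * Handles a successful callback: optionally exchanges the authorization code for
     * an access token, verifies the id_token, builds the authentication and logs
     * the user in.
     *
     * <p>Verification failures and unresolvable users are answered through
     * {@link #error}; any other exception propagates.
     *
     * @return {@link State#CONTINUE} after a successful login, otherwise
     *         {@link State#INTERCEPTED}
     * @throws Throwable anything {@link #login} throws other than the handled
     *         verification / user-not-found failures
     */
    protected State handleOAuth2ServerSuccess(Request request, Response response, OAuth2Params oAuth2Params) throws Throwable {
        AccessToken accessToken = null;
        if (this.config.isLoginWithAccessToken()) {
            String code = oAuth2Params.getCode();
            if (Strings.isEmpty(code)) {
                return error(request, response, ERROR_ILLEGAL_STATE, "code required from oauth2 server");
            }
            accessToken = this.codeVerifier.verifyCode(code);
            if (null == accessToken) {
                return error(request, response, ERROR_ILLEGAL_STATE, "invalid authorization code");
            }
        }

        String rawIdToken = oAuth2Params.getIdToken();
        if (Strings.isEmpty(rawIdToken)) {
            return error(request, response, ERROR_ILLEGAL_STATE, "id_token required from oauth2 server");
        }

        try {
            // The verifier is the only gate between the raw callback value and a login;
            // it is expected to check signature, issuer, audience and expiry — TODO confirm.
            IdToken idToken = this.idTokenVerifier.verifyIdToken(oAuth2Params, rawIdToken);
            login(request, response, authenticate(oAuth2Params, idToken, accessToken));
            return State.CONTINUE;
        } catch (TokenVerifyException e) {
            return error(request, response, e.getErrorCode().name(), e.getMessage());
        } catch (UserNotFoundException e) {
            return error(request, response, ERROR_USER_NOT_FOUND, e.getMessage());
        }
    }

    /**
     * Builds an {@link OAuth2LoginAuthentication} from a verified id_token.
     *
     * <p>User info comes from the id_token, may be replaced by a
     * {@link UserInfoLookup} when {@code forceLookupUserInfo} is set and an access
     * token is available, and may then be replaced again by an enabled
     * {@link UserDetailsLookup}. Client info missing from the id_token is
     * reconstructed from the client id and claims.
     *
     * @param accessToken the access token obtained for this login, or {@code null}
     * @return the populated authentication
     * @throws UserNotFoundException if no user info could be resolved for the
     *         id_token's subject (previously a {@code NullPointerException} when the
     *         details lookup ran against missing user info)
     */
    protected Authentication authenticate(OAuth2Params oAuth2Params, IdToken idToken, AccessToken accessToken) {
        String clientId = idToken.getClientId();
        String userId = idToken.getUserId();
        UserPrincipal userInfo = idToken.getUserInfo();
        OAuth2Client clientInfo = idToken.getClientInfo();

        if (this.config.isForceLookupUserInfo() && null != accessToken) {
            userInfo = this.userInfoLookup.lookupUserInfo(accessToken.getToken(), userId);
        }

        if (null != this.userDetailsLookup && this.userDetailsLookup.isEnabled() && !Strings.isEmpty(userId)) {
            // The details lookup needs the name/login of the user resolved so far,
            // so an unresolved user is rejected here instead of dereferenced.
            userInfo = requireUserInfo(userInfo, userId);
            userInfo = this.userDetailsLookup.lookupUserDetails(userId, userInfo.getName(), userInfo.getLoginName());
        }
        userInfo = requireUserInfo(userInfo, userId);

        if (null == clientInfo && !Strings.isEmpty(clientId)) {
            clientInfo = new OAuth2Client(clientId, idToken.getClaims());
        }

        OAuth2LoginAuthentication authentication = new OAuth2LoginAuthentication(userInfo, idToken);
        if (null != clientInfo) {
            authentication.setClientPrincipal(clientInfo);
        }
        if (null != accessToken) {
            authentication.setAccessToken(accessToken);
        }
        return authentication;
    }

    /** Returns {@code userInfo} or fails closed with {@link UserNotFoundException} when it is null. */
    private static UserPrincipal requireUserInfo(UserPrincipal userInfo, String userId) {
        if (null == userInfo) {
            throw new UserNotFoundException("User '" + userId + "' not found");
        }
        return userInfo;
    }

    /**
     * Establishes the session for {@code authentication} and runs the login-success
     * handling.
     *
     * @throws Throwable anything the authentication or login manager throws
     */
    protected void login(Request request, Response response, Authentication authentication) throws Throwable {
        this.am.loginImmediately(request, response, authentication);
        this.lm.handleLoginSuccess(request, response, authentication);
    }
}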
