package leap.oauth2.wac;

import java.io.PrintWriter;
import leap.core.annotation.Inject;
import leap.lang.Strings;
import leap.lang.http.QueryStringBuilder;
import leap.lang.intercepting.State;
import leap.lang.logging.Log;
import leap.lang.logging.LogFactory;
import leap.lang.net.Urls;
import leap.lang.servlet.Servlets;
import leap.oauth2.OAuth2Params;
import leap.oauth2.RequestOAuth2Params;
import leap.oauth2.proxy.UserAgentForwardedResolver;
import leap.oauth2.wac.auth.WacResponseHandler;
import leap.web.App;
import leap.web.AppInitializable;
import leap.web.Request;
import leap.web.Response;
import leap.web.security.SecurityConfigurator;
import leap.web.security.SecurityInterceptor;
import leap.web.security.authc.AuthenticationManager;
import leap.web.security.login.LoginContext;
import leap.web.security.logout.LogoutContext;
import leap.web.security.logout.LogoutManager;
import leap.web.view.View;
import leap.web.view.ViewSource;

/* loaded from: input_file:leap/oauth2/wac/OAuth2WebAppSecurityInterceptor.class */
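public class OAuth2WebAppSecurityInterceptor implements SecurityInterceptor, AppInitializable {
    private static final Log log = LogFactory.get(OAuth2WebAppSecurityInterceptor.class);

    @Inject
    protected OAuth2WebAppConfig config;

    @Inject
    protected SecurityConfigurator sc;

    @Inject
    protected ViewSource vs;

    @Inject
    protected AuthenticationManager am;

    @Inject
    protected LogoutManager lom;

    @Inject
    protected WacResponseHandler[] handlers;

    @Inject
    protected UserAgentForwardedResolver proxyResolver;

    /** Local request path of the authorization-server callback (redirect_uri); resolved in {@link #postAppInit}. */
    protected String redirectPath;

    /** Local request path of the logout-notification endpoint, or {@code null} when no client logout URI is configured. */
    protected String logoutPath;

    /** Error view resolved from {@code config.getErrorView()} at startup, or {@code null} when none is configured. */
    protected View defaultErrorView;

    /**
     * Registers the OAuth2 callback routes once the application is initialised.
     *
     * <p>Both the redirect (callback) path and the optional logout-notification path are
     * excluded from the security checks via {@code sc.ignore(...)}, so they are reachable
     * without an authenticated session. Nothing is done when the integration is disabled.
     *
     * @param app the initialised web application
     * @throws Throwable propagated from route registration or view resolution
     */
    public void postAppInit(App app) throws Throwable {
        if (!this.config.isEnabled()) {
            return;
        }

        this.redirectPath = resolveLocalPath(this.config.getClientRedirectUri(), app);
        this.sc.ignore(this.redirectPath);
        app.routes().get(this.redirectPath, (request, response) -> handleAuthzServerLoginResponse(request, response));

        String clientLogoutUri = this.config.getClientLogoutUri();
        if (!Strings.isEmpty(clientLogoutUri)) {
            this.logoutPath = resolveLocalPath(clientLogoutUri, app);
            this.sc.ignore(this.logoutPath);
            app.routes().get(this.logoutPath, (request, response) -> handleAuthzServerLogoutNotification(request, response));
        }

        if (!Strings.isEmpty(this.config.getErrorView())) {
            this.defaultErrorView = this.vs.getView(this.config.getErrorView());
        }
    }

    /**
     * Converts a configured client URI into the request path a local route can be mounted on.
     *
     * <p>A URI starting with {@code /} is taken as already relative to the application. An
     * absolute URI is stripped down to its path relative to the application's context path;
     * when that leaves nothing the root path is used.
     *
     * @param uri the configured redirect or logout URI (must not be {@code null})
     * @param app the application whose context path is used for absolute URIs
     * @return the local request path
     */
    private static String resolveLocalPath(String uri, App app) {
        if (uri.startsWith("/")) {
            return Servlets.getRequestPathFromUri(uri);
        }
        String path = Servlets.getRequestPathFromUri(uri, app.getContextPath());
        return Strings.isEmpty(path) ? "/" : path;
    }

    /**
     * Points the login flow at the remote authorization server when OAuth2 login is enabled.
     *
     * <p>A request that already carries the {@code oauth2_redirect} marker is the callback
     * from the authorization server; promoting login for it again would loop, so it is
     * rejected instead.
     *
     * @param request      the current request
     * @param response     the current response (unused)
     * @param loginContext the login context whose login URL is replaced
     * @return always {@link State#CONTINUE}
     * @throws IllegalStateException when the request is itself an OAuth2 redirect callback
     */
    public State prePromoteLogin(Request request, Response response, LoginContext loginContext) throws Throwable {
        if (!this.config.isOAuth2LoginEnabled()) {
            return State.CONTINUE;
        }
        if (!Strings.isEmpty(request.getParameter("oauth2_redirect"))) {
            throw new IllegalStateException("Cannot promote login for oauth2 redirect request : " + request.getUri());
        }
        loginContext.setLoginUrl(buildRemoteLoginUrl(request));
        return State.CONTINUE;
    }

    /**
     * Redirects a local logout to the authorization server's logout endpoint.
     *
     * <p>The redirect is skipped when the integration or OAuth2 logout is disabled, when
     * the request was marked with the {@code oauth2_logout} attribute (the logout was
     * initiated by the authorization server, see {@link #handleAuthzServerLoginResponse}),
     * or when the caller explicitly passed {@code remote_logout=0}.
     *
     * @param request       the current request
     * @param response      the response that receives the redirect
     * @param logoutContext the logout context (unused)
     * @return {@link State#INTERCEPTED} after redirecting, otherwise {@link State#CONTINUE}
     * @throws Throwable propagated from {@code response.sendRedirect}
     */
    public State preLogout(Request request, Response response, LogoutContext logoutContext) throws Throwable {
        if (!this.config.isEnabled() || !this.config.isOAuth2LogoutEnabled()) {
            return State.CONTINUE;
        }
        boolean initiatedByServer = null != request.getAttribute("oauth2_logout");
        boolean remoteLogoutSuppressed = "0".equals(request.getParameter("remote_logout"));
        if (initiatedByServer || remoteLogoutSuppressed) {
            return State.CONTINUE;
        }
        response.sendRedirect(buildRemoteLogoutUrl(request));
        return State.INTERCEPTED;
    }

    /**
     * Handles a logout notification sent by the authorization server to the logout path.
     *
     * <p>NOTE(review): this route is registered as an unauthenticated GET (see
     * {@link #postAppInit}) and terminates the local session without any further check; the
     * deployment should confirm that this exposure (a third party causing a forced logout)
     * is acceptable, or that the authorization server adds its own protection.
     *
     * @param request  the notification request
     * @param response the current response
     * @throws Throwable propagated from the authentication manager
     */
    protected void handleAuthzServerLogoutNotification(Request request, Response response) throws Throwable {
        log.debug("Logout by oauth2 authorization server");
        this.am.logoutImmediately(request, response);
    }

    /**
     * Handles the authorization server's redirect back to the client (the redirect path).
     *
     * <p>A callback carrying a non-empty {@code oauth2_logout} parameter is a logout round
     * trip: the request is flagged so {@link #preLogout} does not redirect again, and the
     * local logout is performed. Otherwise the OAuth2 parameters are parsed from the
     * request and dispatched to the error or success handler.
     *
     * @param request  the callback request
     * @param response the current response
     * @throws Throwable propagated from the logout manager or the response handlers
     */
    protected void handleAuthzServerLoginResponse(Request request, Response response) throws Throwable {
        if (!Strings.isEmpty(request.getParameter("oauth2_logout"))) {
            request.setAttribute("oauth2_logout", Boolean.TRUE);
            this.lom.logout(request, response);
            return;
        }

        RequestOAuth2Params params = new RequestOAuth2Params(request);
        if (params.isError()) {
            handleOAuth2ServerError(request, response, params);
        } else {
            handleOAuth2ServerSuccess(request, response, params);
        }
    }

    /**
     * Renders an error returned by the authorization server.
     *
     * <p>Without a configured error view the raw error and description are written to the
     * response via {@link #printError}. Otherwise the locale-specific variant of the
     * configured view is rendered, falling back to the view resolved at startup.
     *
     * @param request      the callback request
     * @param response     the response to render into
     * @param oAuth2Params the parsed OAuth2 parameters (error and error_description)
     * @throws Throwable propagated from view rendering or writing
     */
    protected void handleOAuth2ServerError(Request request, Response response, OAuth2Params oAuth2Params) throws Throwable {
        if (null == this.defaultErrorView) {
            printError(response, oAuth2Params.getError(), oAuth2Params.getErrorDescription());
            return;
        }

        View view = request.getViewSource().getView(this.config.getErrorView(), request.getLocale());
        if (null == view) {
            view = this.defaultErrorView;
        }
        view.render(request, response);
    }

    /**
     * Writes {@code str} and, when non-empty, {@code ":" + str2} to the response.
     *
     * <p>The arguments may originate from the incoming request (the authorization server's
     * {@code error} / {@code error_description} parameters are parsed from it in
     * {@link #handleAuthzServerLoginResponse}), so they are HTML-escaped before being
     * written: an attacker-chosen value must not be reflected as markup into a browser.
     * A {@code null} error is written as an empty string instead of failing.
     *
     * @param response the response to write to
     * @param str      the error code
     * @param str2     the optional error description
     * @throws Throwable propagated from {@code response.getWriter()}
     */
    protected void printError(Response response, String str, String str2) throws Throwable {
        PrintWriter writer = response.getWriter();
        writer.write(escapeHtml(str));
        if (Strings.isEmpty(str2)) {
            return;
        }
        writer.write(":");
        writer.write(escapeHtml(str2));
    }

    /**
     * Escapes the characters that are significant in HTML text and attribute context.
     *
     * @param s the text to escape, may be {@code null}
     * @return the escaped text, or an empty string for {@code null}
     */
    private static String escapeHtml(String s) {
        if (null == s) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':
                    sb.append("&amp;");
                    break;
                case '<':
                    sb.append("&lt;");
                    break;
                case '>':
                    sb.append("&gt;");
                    break;
                case '"':
                    sb.append("&quot;");
                    break;
                case '\'':
                    sb.append("&#39;");
                    break;
                default:
                    sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Passes a successful authorization response to the registered {@link WacResponseHandler}s.
     *
     * <p>Handlers run in array order. An intercepting handler ends processing immediately;
     * otherwise, if no handler reported the response as processed, an
     * {@code invalid_redirect} error is written.
     *
     * @param request      the callback request
     * @param response     the current response
     * @param oAuth2Params the parsed OAuth2 parameters
     * @throws Throwable propagated from the handlers or from writing the error
     */
    protected void handleOAuth2ServerSuccess(Request request, Response response, OAuth2Params oAuth2Params) throws Throwable {
        boolean processed = false;
        for (WacResponseHandler handler : this.handlers) {
            State state = handler.handleSuccessResponse(request, response, oAuth2Params);
            if (State.isProcessed(state)) {
                processed = true;
            }
            if (State.isIntercepted(state)) {
                return;
            }
        }
        if (!processed) {
            printError(response, "invalid_redirect", "cannot handle the response from oauth2 server");
        }
    }

    /**
     * Builds the {@code redirect:}-prefixed login URL pointing at the server's authorization endpoint.
     *
     * <p>The response type is {@code code id_token} when access tokens are enabled, else
     * {@code id_token} only. NOTE(review): no {@code state} or {@code nonce} parameter is
     * added here; binding of the callback to this browser session, if any, must therefore
     * come from the {@link WacResponseHandler}s or the authorization server — confirm.
     *
     * @param request the request that triggered login
     * @return the login URL understood by the login context
     */
    protected String buildRemoteLoginUrl(Request request) {
        QueryStringBuilder qs = new QueryStringBuilder();
        String responseType = this.config.isAccessTokenEnabled() ? "code id_token" : OAuth2Params.ID_TOKEN;
        qs.add(OAuth2Params.RESPONSE_TYPE, responseType);
        qs.add(OAuth2Params.CLIENT_ID, this.config.getClientId());
        qs.add(OAuth2Params.REDIRECT_URI, buildClientRedirectUri(request));
        qs.add(OAuth2Params.LOGOUT_URI, buildClientLogoutUri(request));
        return "redirect:" + Urls.appendQueryString(this.config.getServerAuthorizationEndpointUrl(), qs.build());
    }

    /**
     * Builds the absolute {@code redirect_uri} sent to the authorization server.
     *
     * <p>An absolute configured URI is used as is. A relative one is prefixed with the
     * user-agent-facing base resolved from forwarded headers for proxied requests (falling
     * back to the request's context URL), so the base is partly request-controlled; the
     * authorization server is expected to validate it against the client's registered
     * redirect URIs. The marker {@code oauth2_redirect=1} and the encoded current URI (as the
     * configured return-URL parameter) are appended.
     *
     * @param request the current request
     * @return the redirect URI including its query string
     */
    protected String buildClientRedirectUri(Request request) {
        String configured = this.config.getClientRedirectUri();
        String base;
        if (!configured.startsWith("/")) {
            base = configured;
        } else if (this.proxyResolver.isProxyRequest(request)) {
            String forwarded = this.proxyResolver.resolveUserAgentForwarded(request);
            String prefix = Strings.isEmpty(forwarded) ? request.getContextUrl() : forwarded;
            base = prefix + configured;
        } else {
            base = request.getContextUrl() + configured;
        }

        String query = "oauth2_redirect=1&" + this.sc.config().getReturnUrlParameterName() + "="
                + Urls.encode(request.getUriWithQueryString());
        return Urls.appendQueryString(base, query);
    }

    /**
     * Builds the absolute {@code logout_uri} sent to the authorization server.
     *
     * <p>Defaults to {@code <contextUrl>/logout} when nothing is configured; a relative
     * configured URI is prefixed with the request's context URL, an absolute one is used as is.
     *
     * @param request the current request
     * @return the client logout URI
     */
    protected String buildClientLogoutUri(Request request) {
        String configured = this.config.getClientLogoutUri();
        if (Strings.isEmpty(configured)) {
            return request.getContextUrl() + "/logout";
        }
        return configured.startsWith("/") ? request.getContextUrl() + configured : configured;
    }

    /**
     * Builds the URL of the authorization server's logout endpoint with client id and
     * {@code post_logout_redirect_uri}.
     *
     * @param request the current request
     * @return the remote logout URL
     */
    protected String buildRemoteLogoutUrl(Request request) {
        QueryStringBuilder qs = new QueryStringBuilder();
        qs.add(OAuth2Params.CLIENT_ID, this.config.getClientId());
        qs.add(OAuth2Params.POST_LOGOUT_REDIRECT_URI, buildLogoutRedirectUri(request));
        return Urls.appendQueryString(this.config.getServerLogoutEndpointUrl(), qs.build());
    }

    /**
     * Builds the URI the authorization server should redirect to after logout.
     *
     * <p>This is the client redirect URI (made absolute with the context URL when relative)
     * with {@code oauth2_logout=1} appended, which {@link #handleAuthzServerLoginResponse}
     * recognises as a logout round trip.
     *
     * @param request the current request
     * @return the post-logout redirect URI
     */
    protected String buildLogoutRedirectUri(Request request) {
        String configured = this.config.getClientRedirectUri();
        String base = configured.startsWith("/") ? request.getContextUrl() + configured : configured;
        return Urls.appendQueryString(base, "oauth2_logout=1");
    }
}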
