package com.bornium.security.oauth2openid.server.endpoints;

import com.bornium.http.Exchange;
import com.bornium.http.util.UriUtil;
import com.bornium.security.oauth2openid.Constants;
import com.bornium.security.oauth2openid.providers.Session;
import com.bornium.security.oauth2openid.responsegenerators.CombinedResponseGenerator;
import com.bornium.security.oauth2openid.server.ServerServices;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import org.apache.commons.lang3.StringUtils;

/* loaded from: input_file:lib/oauth2-openid-1.2.0.jar:com/bornium/security/oauth2openid/server/endpoints/AuthorizationEndpoint.class */
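/**
 * OAuth 2.0 / OpenID Connect authorization endpoint.
 *
 * <p>Handles two legs of the authorization flow:
 * <ol>
 *   <li>a request whose path ends with the authorization path: client_id, redirect_uri,
 *       response_type, scope and the OpenID-specific parameters are validated, the request
 *       parameters are stored in the session and the resource owner is sent to login (or, if
 *       already logged in and consented, answered directly);</li>
 *   <li>any other request (the return after login/consent): the parameters stored in the session
 *       are used to produce the response, or access_denied is returned.</li>
 * </ol>
 *
 * <p>Errors are only redirected to redirect_uri once client_id and redirect_uri have been checked
 * against the registered client data; before that they are shown to the resource owner, so that
 * an unverified callback never receives a redirect.
 */
public class AuthorizationEndpoint extends Endpoint {

    /** Individual response types accepted by this endpoint (a request may combine several with spaces). */
    private static final Set<String> SUPPORTED_RESPONSE_TYPES =
            Collections.unmodifiableSet(new HashSet<>(Arrays.asList("code", "token", "id_token", "none")));

    /** Order in which the response types are handed to the response generator. */
    private static final String[] RESPONSE_GENERATOR_ORDER = {"code", "id_token", "token"};

    /** Separator between the parts of a combined response_type value (a single literal space). */
    private static final Pattern RESPONSE_TYPE_SEPARATOR = Pattern.compile(Pattern.quote(StringUtils.SPACE));

    /**
     * Creates the endpoint, registered for the authorization path and the "after login" path.
     *
     * @param serverServices shared server services (session provider, client data, supported scopes)
     */
    public AuthorizationEndpoint(ServerServices serverServices) {
        super(serverServices, Constants.ENDPOINT_AUTHORIZATION, Constants.ENDPOINT_AFTER_LOGIN);
    }

    /**
     * Checks client_id and redirect_uri of an authorization request.
     *
     * <p>redirect_uri is compared with the client's registered URIs by exact string match (no
     * prefix or pattern matching), which is what RFC 6749 / the OAuth 2.0 security BCP require.
     * The client existence check runs before the registered URIs are looked up so that a lookup
     * for an unknown client is never attempted.
     *
     * @param params the request parameters
     * @return {@code true} if either parameter is missing, redirect_uri is not absolute, the client
     *         is unknown, or redirect_uri is not registered for the client
     */
    private boolean redirectUriOrClientIdProblem(Map<String, String> params) {
        String clientId = params.get("client_id");
        String redirectUri = params.get("redirect_uri");
        if (clientId == null || redirectUri == null) {
            return true;
        }
        if (!Parameters.redirectUriIsAbsolute(redirectUri)) {
            return true;
        }
        if (!clientExists(clientId)) {
            return true;
        }
        Set<String> registeredUris = new HashSet<>(
                this.serverServices.getProvidedServices().getClientDataProvider().getRedirectUris(clientId));
        return !registeredUris.contains(redirectUri);
    }

    /**
     * Processes one request to this endpoint.
     *
     * <p>Validation order on the first leg matters: until client_id and redirect_uri are verified,
     * errors must not be redirected anywhere; afterwards they are redirected to redirect_uri with
     * the client's state value.
     *
     * @param exchange the current request/response exchange
     * @throws Exception propagated from the session provider and the response generators
     */
    @Override
    public void invokeOn(Exchange exchange) throws Exception {
        Session session = this.serverServices.getProvidedServices().getSessionProvider().getSession(exchange);

        // Second leg: the resource owner comes back from the login/consent page.
        if (!requestTargetsTheAuthorizationEndpoint(exchange)) {
            finishAfterLogin(exchange, session);
            return;
        }

        Map<String, String> params = getParams(exchange);

        // client_id / redirect_uri are unverified here, so the error is shown to the resource owner.
        // NOTE(review): the logged values are client-supplied and written verbatim; make sure the
        // logging backend neutralizes control characters.
        if (redirectUriOrClientIdProblem(params)) {
            this.log.debug("Parameters client_id ('" + params.get("client_id") + "') or redirect_uri ('" + params.get("redirect_uri") + "') have problems.");
            exchange.setResponse(informResourceOwnerError(Constants.ERROR_INVALID_REQUEST));
            return;
        }

        String redirectUri = params.get("redirect_uri");
        String state = params.get("state");

        String responseType = params.get("response_type");
        if (responseType == null) {
            this.log.debug("Parameter response_type is missing.");
            exchange.setResponse(redirectToCallbackWithError(redirectUri, Constants.ERROR_INVALID_REQUEST, state, false));
            return;
        }
        if (!responseTypeIsSupported(responseType)) {
            this.log.debug("ResponseType ('" + responseType + "') is not supported.");
            exchange.setResponse(redirectToCallbackWithError(redirectUri, Constants.ERROR_UNSUPPORTED_RESPONSE_TYPE, state, false));
            return;
        }

        // From here on the response mode (query vs. fragment) can be derived from the session.
        session.putValue("response_type", responseType);
        String responseMode = params.get(Constants.PARAMETER_RESPONSE_MODE);
        if (responseMode != null) {
            session.putValue(Constants.PARAMETER_RESPONSE_MODE, responseMode);
        }

        if (hasOpenIdScope(exchange) && isImplicitFlowAndHasNoNonceValue(params)) {
            this.log.debug("Implicit Flow is used, but no nonce value present.");
            exchange.setResponse(redirectToCallbackWithError(redirectUri, Constants.ERROR_INVALID_REQUEST, state, setToResponseModeOrUseDefault(exchange, session)));
            return;
        }
        if (!this.serverServices.getSupportedScopes().scopesSupported(params.get("scope"))) {
            this.log.debug("Scope ('" + params.get("scope") + "') not supported.");
            exchange.setResponse(redirectToCallbackWithError(redirectUri, Constants.ERROR_INVALID_SCOPE, state, setToResponseModeOrUseDefault(exchange, session)));
            return;
        }

        // A max_age stored by an earlier request bounds how old the existing login may be.
        if (isLoggedIn(exchange) && hasAMaximumAuthenticationAgeFromBefore(session)) {
            clearSessionIfAuthenticationTooOld(session);
        }

        // hasOpenIdScope is evaluated again on purpose: it may fall back to the session's scope,
        // and the session may just have been cleared above.
        if (hasOpenIdScope(exchange) && rejectedByOpenIdChecks(exchange, session, params)) {
            return;
        }

        copyParametersInSession(session, params);
        if (isLoggedInAndHasGivenConsent(exchange)) {
            answerWithToken(exchange, session);
        } else {
            exchange.setResponse(redirectToLogin(prepareJsStateParameter(session)));
        }
    }

    /**
     * Handles the return from the login/consent page using the parameters stored in the session.
     *
     * <p>redirect_uri and state are read from the session, i.e. from the values validated on the
     * first leg, never from the current request.
     */
    private void finishAfterLogin(Exchange exchange, Session session) throws Exception {
        if (isLoggedInAndHasGivenConsent(exchange)) {
            answerWithToken(exchange, session);
            return;
        }
        this.log.debug("Session is not logged in or has not given consent.");
        // NOTE(review): if the session holds no redirect_uri (direct hit on the after-login path),
        // a null redirect_uri is passed on; confirm redirectToCallbackWithError copes with that.
        exchange.setResponse(redirectToCallbackWithError(session.getValue("redirect_uri"), Constants.ERROR_ACCESS_DENIED, session.getValue("state"), setToResponseModeOrUseDefault(exchange, session)));
    }

    /**
     * Clears the session when the stored authentication time plus the stored max_age lies in the past.
     *
     * <p>Assumes a logged-in session carries a numeric "auth_time" (epoch seconds) and that the
     * stored max_age was validated when it was put into the session.
     */
    private void clearSessionIfAuthenticationTooOld(Session session) throws Exception {
        Instant authenticatedAt = Instant.ofEpochSecond(Long.parseLong(session.getValue("auth_time")));
        Duration maxAge = Duration.ofSeconds(Integer.parseInt(session.getValue(Constants.PARAMETER_MAX_AGE)));
        if (Instant.now().isAfter(authenticatedAt.plus(maxAge))) {
            session.clear();
        }
    }

    /**
     * Applies the checks that only apply to requests carrying the openid scope: prompt, max_age,
     * request and request_uri.
     *
     * @return {@code true} if an error response has been set on the exchange and processing must stop
     */
    private boolean rejectedByOpenIdChecks(Exchange exchange, Session session, Map<String, String> params) throws Exception {
        String redirectUri = params.get("redirect_uri");
        String state = params.get("state");

        String prompt = params.get("prompt");
        if (prompt != null) {
            if (prompt.equals(Constants.PARAMETER_VALUE_LOGIN)) {
                // prompt=login forces a fresh authentication.
                session.clear();
            }
            if (prompt.equals("none") && !isLoggedInAndHasGivenConsent(exchange)) {
                this.log.debug("Session is not logged in or has not given consent.");
                exchange.setResponse(redirectToCallbackWithError(redirectUri, Constants.ERROR_INTERACTION_REQUIRED, state, setToResponseModeOrUseDefault(exchange, session)));
                return true;
            }
        }

        String maxAge = params.get(Constants.PARAMETER_MAX_AGE);
        if (maxAge != null && !isNonNegativeInteger(maxAge)) {
            this.log.debug("MaxAge ('" + maxAge + "') has a problem.");
            exchange.setResponse(redirectToCallbackWithError(redirectUri, Constants.ERROR_INVALID_REQUEST, state, setToResponseModeOrUseDefault(exchange, session)));
            return true;
        }

        if (params.containsKey("request")) {
            this.log.debug("Parameter 'request' not supported with OpenId Scope.");
            exchange.setResponse(redirectToCallbackWithError(redirectUri, Constants.ERROR_REQUEST_NOT_SUPPORTED, state, setToResponseModeOrUseDefault(exchange, session)));
            return true;
        }
        if (params.containsKey(Constants.PARAMETER_REQUEST_URI)) {
            this.log.debug("Parameter 'request_uri' not supported with OpenId Scope.");
            exchange.setResponse(redirectToCallbackWithError(redirectUri, Constants.ERROR_REQUEST_URI_NOT_SUPPORTED, state, setToResponseModeOrUseDefault(exchange, session)));
            return true;
        }
        return false;
    }

    /**
     * Returns whether {@code value} parses as an {@code int} that is zero or positive.
     *
     * <p>Replaces the former throw-and-catch of a RuntimeException used as control flow.
     */
    private static boolean isNonNegativeInteger(String value) {
        try {
            return Integer.parseInt(value) >= 0;
        } catch (NumberFormatException e) {
            return false;
        }
    }

    /**
     * Returns whether the request uses the bare "token" response type without a nonce.
     *
     * <p>NOTE(review): only the exact value "token" is checked; OpenID Connect Core also requires
     * a nonce for response types containing id_token. Left as is to keep existing behavior.
     */
    private boolean isImplicitFlowAndHasNoNonceValue(Map<String, String> params) {
        return "token".equals(params.get("response_type")) && params.get("nonce") == null;
    }

    /** Returns whether an earlier request stored a max_age in the session. */
    private boolean hasAMaximumAuthenticationAgeFromBefore(Session session) throws Exception {
        return session.getValue(Constants.PARAMETER_MAX_AGE) != null;
    }

    /** Returns whether the request path ends with the authorization path (first leg of the flow). */
    private boolean requestTargetsTheAuthorizationEndpoint(Exchange exchange) {
        return exchange.getRequest().getUri().getPath().endsWith(Constants.ENDPOINT_AUTHORIZATION);
    }

    /**
     * Returns whether every space-separated part of {@code responseType} is a supported response type.
     *
     * <p>An empty value yields a single empty part and is therefore rejected.
     */
    private boolean responseTypeIsSupported(String responseType) {
        for (String part : RESPONSE_TYPE_SEPARATOR.split(responseType)) {
            if (!SUPPORTED_RESPONSE_TYPES.contains(part)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Stores every request parameter in the session under its parameter name.
     *
     * <p>NOTE(review): this copies all client-supplied parameters verbatim, including names that
     * this class itself uses as session keys (e.g. "auth_time", "response_type"); an allow-list
     * of the parameters the later legs actually need would be safer. Confirm whether the login
     * flow overwrites those keys before relying on them.
     */
    private void copyParametersInSession(Session session, Map<String, String> params) throws Exception {
        for (Map.Entry<String, String> entry : params.entrySet()) {
            session.putValue(entry.getKey(), entry.getValue());
        }
    }

    /**
     * Produces the final response for a logged-in, consented session and redirects to the stored
     * redirect_uri.
     *
     * <p>Any response type that carries a token is delivered in the fragment unless the client
     * asked for a specific response mode.
     */
    private void answerWithToken(Exchange exchange, Session session) throws Exception {
        session.putValue(Constants.SESSION_ENDPOINT, Constants.ENDPOINT_AUTHORIZATION);
        String responseType = session.getValue("response_type");
        boolean useFragment = setToResponseModeOrUseDefault(exchange, session, responseType.contains("token"));
        String generated = new CombinedResponseGenerator(this.serverServices, exchange)
                .invokeResponse(responseTypeToResponseGeneratorValue(responseType));
        exchange.setResponse(redirectToCallbackWithParams(session.getValue("redirect_uri"), generated, session.getValue("state"), useFragment));
    }

    /**
     * Normalizes a (validated) response_type value into the space-separated, canonically ordered
     * form the response generator expects: code, then id_token, then token; "none" yields "".
     *
     * <p>Fixes the former substring-based version, which appended "id_token" for the "token" part
     * (so "id_token token" became "id_token id_token") and discarded the result of a replace().
     */
    private String responseTypeToResponseGeneratorValue(String responseType) {
        Set<String> requested = new HashSet<>(Arrays.asList(RESPONSE_TYPE_SEPARATOR.split(responseType)));
        StringBuilder sb = new StringBuilder();
        for (String type : RESPONSE_GENERATOR_ORDER) {
            if (requested.contains(type)) {
                sb.append(type).append(StringUtils.SPACE);
            }
        }
        return sb.toString().trim();
    }

    /**
     * Returns the requested scope: the "scope" query parameter if present, otherwise the scope
     * stored in the session (the return leg after login carries no query).
     */
    @Override
    public String getScope(Exchange exchange) throws Exception {
        Map<String, String> query = UriUtil.queryToParameters(exchange.getRequest().getUri().getQuery());
        String scope = query.get("scope");
        if (scope != null) {
            return scope;
        }
        return this.serverServices.getProvidedServices().getSessionProvider().getSession(exchange).getValue("scope");
    }
}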
