package ru.org.openam.auth.modules;

import com.iplanet.services.util.Crypt;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;
import com.sun.identity.authentication.service.LoginState;
import com.sun.identity.authentication.spi.AuthLoginException;
import com.sun.identity.authentication.spi.PagePropertiesCallback;
import com.sun.identity.authentication.spi.RedirectCallback;
import com.sun.identity.shared.datastruct.CollectionHelper;
import com.sun.identity.shared.encode.CookieUtils;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.ConfirmationCallback;
import javax.security.auth.callback.NameCallback;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import ru.org.openam.auth.modules.exception.auth.access_denied;
import ru.org.openam.auth.modules.exception.auth.server_error;
import ru.org.openam.auth.modules.exception.auth.temporarily_unavailable;
import ru.org.openam.auth.modules.exception.error;
import ru.org.openam.oauth.v2.data.Permission;
import ru.org.openam.oauth.v2.jaxrs.OAuth2;

/* loaded from: input_file:ru/org/openam/auth/modules/OAuth2Auth.class */
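/**
 * OpenAM login module that collects the resource owner's consent for an OAuth2
 * authorization request.
 *
 * <p>What the visible code does: a {@link Permission} is built for the request and
 * compared with the one stored on the user's SSO session (property
 * {@code am.protected.<Permission class name>}); a consent page ({@code OAuth2Auth.jsp})
 * is rendered unless the permission says consent can be skipped; an accepted
 * permission is recorded and the session principal becomes the module principal.
 * When no usable session exists, the stored state does not match, or the
 * {@code login_hint} does not match the session user, the browser is redirected to
 * the Login page with the current URI as {@code goto} and the serialized permission in
 * an encrypted {@code p} cookie.
 *
 * <p>Module state ({@code permission}, {@code userToken}, {@code ls}) is carried
 * between {@link #process(Callback[], int)} rounds in instance fields, so an instance
 * must not be shared across requests.
 */
/* loaded from: input_file:ru/org/openam/auth/modules/OAuth2Auth.class */
public class OAuth2Auth extends OAuth2AMLoginModule {
    public static Logger logger = LoggerFactory.getLogger(OAuth2Auth.class);

    /** Session-token property holding the serialized {@link Permission} of an earlier round trip. */
    private static final String PERMISSION_PROPERTY = "am.protected." + Permission.class.getName();
    /** login_hint prefixes that are stripped before the hint is used; first match wins. */
    private static final String[] LOGIN_HINT_PREFIXES = {"PCR:", "ENCR_MSISDN:", "MSISDN:"};
    /** Index of the accept/decline {@link ConfirmationCallback} in the submitted consent page. */
    private static final int CONFIRM_CALLBACK_INDEX = 2;
    /** Option index of "Accept" in the consent {@link ConfirmationCallback} ({"Decline", "Accept"}). */
    private static final int ACCEPT_OPTION = 1;

    private CallbackHandler callbackHandler;
    public SSOToken userToken;
    public LoginState ls;
    public Permission permission = null;
    Principal userPrincipal = null;

    /**
     * Initializes the module and reads its auth level from the module options.
     *
     * @param subject the JAAS subject (passed through to the superclass)
     * @param map     shared state (passed through to the superclass)
     * @param map2    module options; {@code ru.org.openam.auth.modules.OAuth2Auth.authlevel}
     *                is parsed as an int and defaults to 0 when missing or unparsable
     */
    @Override // ru.org.openam.auth.modules.OAuth2AMLoginModule
    public void init(Subject subject, Map map, Map map2) {
        super.init(subject, map, map2);
        this.callbackHandler = getCallbackHandler();
        try {
            setAuthLevel(Integer.parseInt(CollectionHelper.getMapAttr(map2, "ru.org.openam.auth.modules.OAuth2Auth.authlevel", "0")));
        } catch (Exception e) {
            // A missing or unparsable auth level falls back to 0; log it so the misconfiguration is visible.
            logger.warn("invalid ru.org.openam.auth.modules.OAuth2Auth.authlevel, defaulting to 0", e);
            setAuthLevel(0);
        }
    }

    /**
     * Runs one step of the consent flow.
     *
     * @param callbackArr callbacks submitted by the framework (unused; the answer is read from
     *                    {@link LoginState#getSubmittedInfo()})
     * @param i           current state (unused)
     * @return 0 when the consent page was rendered or no request is available, 1 after
     *         redirecting to Login, -1 when the permission was accepted (login succeeded)
     * @throws AuthLoginException {@code access_denied} when the user declined,
     *         {@code temporarily_unavailable} when callback handling failed, {@code server_error}
     *         on any other failure
     */
    public int process(Callback[] callbackArr, int i) throws AuthLoginException {
        HttpServletRequest request = getHttpServletRequest();
        if (request == null) {
            // Checked before getLoginHint(): the old code dereferenced the request first and NPE'd.
            return 0;
        }
        String loginHint = getLoginHint(request);
        // Serialized permission found on the session; stays null on later rounds (permission already set).
        String storedPermission = null;
        try {
            try {
                // NOTE(review): presumably tells the framework's URL safety check to skip this request — confirm.
                request.setAttribute("SafeURL.ignore", true);
                this.ls = getLoginState(OAuth2Auth.class.getName());
                if (this.permission == null) {
                    this.permission = new Permission();
                    this.permission.auth(this);
                    request.setAttribute(Permission.class.getName(), this.permission);
                    this.userToken = SSOTokenManager.getInstance().createSSOToken(request);
                    storedPermission = this.userToken.getProperty(PERMISSION_PROPERTY, true);
                    if (StringUtils.isNotBlank(storedPermission)) {
                        Permission restored = Permission.fromString(storedPermission);
                        // The state bound to the session must be the one of this request; a mismatch
                        // restarts the flow through Login instead of accepting a foreign grant.
                        if (!StringUtils.equals(this.permission.st, restored.st)) {
                            throw new SSOException("invalid state");
                        }
                        this.permission = restored;
                    }
                    if (StringUtils.isBlank(storedPermission) && loginHintMismatch(request, loginHint)) {
                        throw new SSOException("ForceAuth=true by login_hint");
                    }
                }
                Callback[] submitted = this.ls.getSubmittedInfo();
                if (submitted == null && !this.permission.ignoreAccept() && StringUtils.isBlank(storedPermission)) {
                    // First visit without a stored grant: render the consent page and wait for the answer.
                    this.ls.setForceAuth(true);
                    this.ls.setSessionUpgrade(false);
                    this.callbackHandler.handle(new Callback[]{
                            new PagePropertiesCallback("Confirm", "Please authorize access", (String) null, 1200, "OAuth2Auth.jsp", false, (String) null),
                            new NameCallback("Request", request.getParameter("scope")),
                            new ConfirmationCallback("Please authorize access", 0, new String[]{"Decline", "Accept"}, 0)});
                    return 0;
                }
                if (submitted != null && !consentGranted(submitted)) {
                    throw new access_denied(this, "The client is not authorized to request an authorization code");
                }
                this.permission.accept(this);
                this.userPrincipal = this.userToken.getPrincipal();
                return -1;
            } catch (SSOException e) {
                // No usable session, state mismatch or login_hint mismatch: go through Login and come back here.
                logger.debug("session not usable, redirecting to Login", e);
                Map<String, String> params = loginRedirectParams(request, loginHint);
                // Permission survives the Login round trip in an encrypted cookie (15 minutes).
                // NOTE(review): Secure/HttpOnly flags depend on CookieUtils.newCookie — confirm.
                getHttpServletResponse().addCookie(CookieUtils.newCookie("p", Crypt.encryptLocal(this.permission.toString()), 900));
                logger.debug("forward on Login?{}", params);
                this.callbackHandler.handle(new Callback[]{new RedirectCallback(request.getContextPath() + request.getServletPath() + "/Login", params, "GET")});
                return 1;
            }
        } catch (AuthLoginException e2) {
            // Logged here because the wrapping exception does not carry the cause.
            logger.warn("OAuth2Auth: callback handling failed", e2);
            throw new temporarily_unavailable(this, "Internal Server Error");
        } catch (Exception e3) {
            logger.error("OAuth2Auth: unexpected failure", e3);
            throw new server_error(this, "Internal Server Error");
        } catch (error e4) {
            // Order kept as decompiled; NOTE(review): only compiles if `error` is not an Exception subtype — confirm.
            throw e4;
        }
    }

    /**
     * Decides whether a login_hint forces re-authentication of the current session.
     *
     * @param request   current request (raw {@code login_hint} parameter is inspected)
     * @param loginHint hint with its prefix already stripped, may be null
     * @return true when the hint is present, the session does not opt out via
     *         {@code am.protected.login_hint.ignore=1}, and either the session user neither
     *         starts nor ends with the hint or the raw hint is an {@code MSISDN:} one
     * @throws SSOException if the session properties cannot be read
     */
    private boolean loginHintMismatch(HttpServletRequest request, String loginHint) throws SSOException {
        if (StringUtils.isBlank(loginHint)) {
            return false;
        }
        if ("1".equals(this.userToken.getProperty("am.protected.login_hint.ignore"))) {
            return false;
        }
        String sessionUser = this.userToken.getProperty("UserToken");
        // Prefix/suffix match only, as in the original check; not an exact identity comparison.
        boolean hintMatchesUser = StringUtils.startsWith(sessionUser, loginHint)
                || StringUtils.endsWith(sessionUser, loginHint);
        boolean rawMsisdnHint = StringUtils.startsWithIgnoreCase(request.getParameter("login_hint"), "MSISDN:");
        return !hintMatchesUser || rawMsisdnHint;
    }

    /**
     * Reads the answer of the consent page.
     *
     * @param submitted callbacks submitted by the consent page, non-null
     * @return true only when the third callback is a {@link ConfirmationCallback} whose
     *         selected option is "Accept"
     */
    static boolean consentGranted(Callback[] submitted) {
        if (submitted.length <= CONFIRM_CALLBACK_INDEX) {
            return false;
        }
        Callback answer = submitted[CONFIRM_CALLBACK_INDEX];
        return answer instanceof ConfirmationCallback
                && ((ConfirmationCallback) answer).getSelectedIndex() == ACCEPT_OPTION;
    }

    /**
     * Builds the query parameters for the redirect to the Login page.
     *
     * @param request   current request; {@code auth-service}, {@code auth-org}, {@code display}
     *                  and {@code acr_values} are forwarded when present
     * @param loginHint stripped login hint; when non-null it is forwarded together with
     *                  {@code ForceAuth=true}
     * @return URL-encoded parameter map including {@code goto}
     */
    private static Map<String, String> loginRedirectParams(HttpServletRequest request, String loginHint) {
        Map<String, String> params = new HashMap<String, String>();
        putIfPresent(params, "service", request.getParameter("auth-service"));
        putIfPresent(params, "org", request.getParameter("auth-org"));
        putIfPresent(params, "display", request.getParameter("display"));
        if (loginHint != null) {
            params.put("login_hint", uriencode(loginHint));
            params.put("ForceAuth", "true");
        }
        putIfPresent(params, "acr_values", request.getParameter("acr_values"));
        params.put("goto", uriencode(gotoUri(request)));
        return params;
    }

    /** Adds {@code name} with the URL-encoded {@code value} when the value is not null. */
    private static void putIfPresent(Map<String, String> params, String name, String value) {
        if (value != null) {
            params.put(name, uriencode(value));
        }
    }

    /**
     * Returns the URI to come back to after Login: the {@code <OAuth2 class>.uri} request
     * attribute when set, otherwise the request URI plus its query string.
     *
     * @param request current request
     * @return return URI, never null
     */
    private static String gotoUri(HttpServletRequest request) {
        String uri = (String) request.getAttribute(OAuth2.class.getName().concat(".uri"));
        if (uri != null) {
            return uri;
        }
        String query = request.getQueryString();
        // getQueryString() is null when the request has no query part; concat(null) used to NPE here.
        return query == null ? request.getRequestURI() : request.getRequestURI() + "?" + query;
    }

    /**
     * Returns the {@code login_hint} parameter with a leading {@code PCR:}, {@code ENCR_MSISDN:}
     * or {@code MSISDN:} prefix removed.
     *
     * @param request current request
     * @return the stripped hint, the raw hint when it has no known prefix, or null when absent
     */
    String getLoginHint(HttpServletRequest request) {
        String hint = request.getParameter("login_hint");
        for (String prefix : LOGIN_HINT_PREFIXES) {
            if (StringUtils.startsWithIgnoreCase(hint, prefix)) {
                // Strip only the leading prefix; the old replace() was case-sensitive and global,
                // so a lower-case prefix passed the check but was never removed.
                return hint.substring(prefix.length());
            }
        }
        return hint;
    }

    /**
     * URL-encodes a query parameter value as UTF-8.
     *
     * @param str value to encode, may be null
     * @return the encoded value, or "" for null
     */
    public static String uriencode(String str) {
        if (str == null) {
            return "";
        }
        try {
            return URLEncoder.encode(str, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            // UTF-8 is mandatory in every JVM, so this fallback is effectively unreachable.
            return str;
        }
    }

    /** @return the session principal captured when the permission was accepted, null before that */
    public Principal getPrincipal() {
        return this.userPrincipal;
    }
}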
