package org.apache.cxf.rs.security.oauth.services;

import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import net.oauth.OAuth;
import net.oauth.OAuthMessage;
import net.oauth.OAuthProblemException;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.jaxrs.ext.MessageContext;
import org.apache.cxf.jaxrs.utils.ExceptionUtils;
import org.apache.cxf.rs.security.oauth.data.AuthorizationInput;
import org.apache.cxf.rs.security.oauth.data.OAuthAuthorizationData;
import org.apache.cxf.rs.security.oauth.data.OAuthPermission;
import org.apache.cxf.rs.security.oauth.data.RequestToken;
import org.apache.cxf.rs.security.oauth.data.UserSubject;
import org.apache.cxf.rs.security.oauth.provider.DefaultOAuthValidator;
import org.apache.cxf.rs.security.oauth.provider.OAuthDataProvider;
import org.apache.cxf.rs.security.oauth.provider.OAuthServiceException;
import org.apache.cxf.rs.security.oauth.utils.OAuthConstants;
import org.apache.cxf.rs.security.oauth.utils.OAuthUtils;
import org.apache.cxf.security.LoginSecurityContext;
import org.apache.cxf.security.SecurityContext;
import org.eclipse.jetty.http.HttpStatus;

/* loaded from: input_file:WEB-INF/lib/cxf-rt-rs-security-oauth-3.1.5.redhat-630464.jar:org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.class */
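/**
 * Handles the OAuth 1.0 "authorize" step for a request token.
 *
 * <p>On the first visit the handler renders the authorization form data for the
 * resource owner; when the owner's decision is posted back it either finalizes the
 * token (obtaining a verifier from the {@link OAuthDataProvider}) or removes it, and
 * then redirects to the client callback or returns an out-of-band (OOB) entity.
 *
 * <p>The form and the decision POST are tied together by a one-time authenticity
 * token kept in the HTTP session. A decision that arrives without a matching token
 * is rejected with 400, which is what protects the decision endpoint against
 * cross-site request forgery.
 */
public class AuthorizationRequestHandler {
    private static final Logger LOG = LogUtils.getL7dLogger(AuthorizationRequestHandler.class);
    private static final String[] REQUIRED_PARAMETERS = {OAuth.OAUTH_TOKEN};
    /** Suffix appended to a permission name to form its per-scope decision parameter. */
    private static final String SCOPE_STATUS_SUFFIX = "_status";

    /**
     * Processes an authorization request or the resource owner's decision.
     *
     * @param messageContext the JAX-RS message context; supplies the servlet request and
     *        the {@link SecurityContext} of the authenticated resource owner
     * @param oAuthDataProvider provider used to look up, finalize and remove request tokens
     * @return 200 with the authorization form data on the first visit; after a decision,
     *         303 to the client callback or 200 with an OOB entity; otherwise an error
     *         response mapped from the exception via {@link OAuthUtils#handleException}
     */
    public Response handle(MessageContext messageContext, OAuthDataProvider oAuthDataProvider) {
        HttpServletRequest request = messageContext.getHttpServletRequest();
        try {
            OAuthMessage oAuthMessage = OAuthUtils.getOAuthMessage(messageContext, request, REQUIRED_PARAMETERS);
            new DefaultOAuthValidator().checkSingleParameter(oAuthMessage);
            RequestToken requestToken = oAuthDataProvider.getRequestToken(oAuthMessage.getToken());
            if (requestToken == null) {
                throw new OAuthProblemException(OAuth.Problems.TOKEN_REJECTED);
            }
            String decision = oAuthMessage.getParameter(OAuthConstants.AUTHORIZATION_DECISION_KEY);
            OAuthAuthorizationData authorizationData = new OAuthAuthorizationData();
            if (!compareRequestSessionTokens(request, oAuthMessage)) {
                if (decision != null) {
                    // A decision without a valid one-time session token is treated as forged.
                    LOG.warning("Session authenticity token is missing or invalid");
                    throw ExceptionUtils.toBadRequestException(null, null);
                }
                // First visit: issue a fresh authenticity token and render the form.
                addAuthenticityTokenToSession(authorizationData, request);
                return Response.ok(addAdditionalParams(authorizationData, oAuthDataProvider, requestToken)).build();
            }
            Map<String, String> responseParams = new HashMap<String, String>();
            if (OAuthConstants.AUTHORIZATION_DECISION_ALLOW.equals(decision)) {
                responseParams.put(OAuth.OAUTH_VERIFIER,
                                   approveToken(messageContext, oAuthMessage, oAuthDataProvider, requestToken));
            } else {
                // Any decision other than "allow" revokes the request token.
                oAuthDataProvider.removeToken(requestToken);
            }
            responseParams.put(OAuth.OAUTH_TOKEN, requestToken.getTokenKey());
            if (requestToken.getState() != null) {
                responseParams.put(OAuthConstants.X_OAUTH_STATE, requestToken.getState());
            }
            String callbackValue = getCallbackValue(requestToken);
            if (OAuthConstants.OAUTH_CALLBACK_OOB.equals(callbackValue)) {
                return Response.ok().entity(convertQueryParamsToOOB(responseParams)).build();
            }
            return Response.seeOther(buildCallbackURI(callbackValue, responseParams)).build();
        } catch (OAuthProblemException e) {
            // Log the exception as-is: fillInStackTrace() would overwrite the original throw site.
            LOG.log(Level.WARNING, "An OAuth related problem: {0}", new Object[]{e});
            int httpStatusCode = e.getHttpStatusCode();
            if (httpStatusCode == HttpStatus.OK_200) {
                // 200 means the exception carried no explicit status; derive one from the problem code.
                httpStatusCode = OAuth.Problems.CONSUMER_KEY_UNKNOWN.equals(e.getProblem())
                    ? HttpStatus.UNAUTHORIZED_401 : HttpStatus.BAD_REQUEST_400;
            }
            return OAuthUtils.handleException(messageContext, e, httpStatusCode);
        } catch (OAuthServiceException e) {
            return OAuthUtils.handleException(messageContext, e, HttpStatus.BAD_REQUEST_400);
        } catch (Exception e) {
            LOG.log(Level.SEVERE, "Unexpected internal server exception: {0}", new Object[]{e});
            return OAuthUtils.handleException(messageContext, e, HttpStatus.INTERNAL_SERVER_ERROR_500);
        }
    }

    /**
     * Records the resource owner's identity and the approved scopes on the token and
     * asks the provider to finalize it.
     *
     * @return the verifier issued by the provider
     * @throws IOException if a decision parameter cannot be read from the message
     * @throws IllegalStateException if no {@link SecurityContext} is available, i.e. the
     *         decision is not being made by an authenticated resource owner
     */
    private String approveToken(MessageContext messageContext, OAuthMessage oAuthMessage,
                                OAuthDataProvider oAuthDataProvider, RequestToken requestToken)
        throws IOException {
        SecurityContext securityContext = (SecurityContext) messageContext.get(SecurityContext.class.getName());
        if (securityContext == null) {
            throw new IllegalStateException("No SecurityContext available for the authorization decision");
        }
        List<String> roleNames = Collections.emptyList();
        if (securityContext instanceof LoginSecurityContext) {
            roleNames = new ArrayList<String>();
            for (Principal role : ((LoginSecurityContext) securityContext).getUserRoles()) {
                roleNames.add(role.getName());
            }
        }
        Principal owner = securityContext.getUserPrincipal();
        requestToken.setSubject(new UserSubject(owner == null ? null : owner.getName(), roleNames));

        AuthorizationInput authorizationInput = new AuthorizationInput();
        authorizationInput.setToken(requestToken);
        authorizationInput.setApprovedScopes(collectApprovedScopes(oAuthMessage, requestToken.getScopes()));
        return oAuthDataProvider.finalizeAuthorization(authorizationInput);
    }

    /**
     * Selects the scopes the owner explicitly allowed via the per-scope
     * {@code <permission>_status} parameters.
     *
     * <p>If none were posted (a form without per-scope controls), the token's full scope
     * list is approved; otherwise the selection is widened with every default scope, since
     * default scopes cannot be opted out of.
     *
     * @throws IOException if a parameter cannot be read from the message
     */
    private List<OAuthPermission> collectApprovedScopes(OAuthMessage oAuthMessage, List<OAuthPermission> scopes)
        throws IOException {
        Set<OAuthPermission> selected = new HashSet<OAuthPermission>();
        for (OAuthPermission scope : scopes) {
            String status = oAuthMessage.getParameter(scope.getPermission() + SCOPE_STATUS_SUFFIX);
            if (OAuthConstants.AUTHORIZATION_DECISION_ALLOW.equals(status)) {
                selected.add(scope);
            }
        }
        if (selected.isEmpty()) {
            return scopes;
        }
        List<OAuthPermission> approved = new ArrayList<OAuthPermission>(selected);
        if (approved.size() < scopes.size()) {
            for (OAuthPermission scope : scopes) {
                if (scope.isDefault() && !approved.contains(scope)) {
                    approved.add(scope);
                }
            }
        }
        return approved;
    }

    /**
     * Returns the URI the owner is sent back to: the callback recorded on the token,
     * falling back to the client's registered application URI.
     *
     * <p>NOTE(review): the token callback originates from the client's request-token
     * call; this handler does not re-validate it against the registered client, so that
     * check is assumed to happen where the request token is issued — confirm.
     *
     * @throws OAuthProblemException with {@code token_rejected} if neither value is set
     */
    protected String getCallbackValue(RequestToken requestToken) throws OAuthProblemException {
        String callback = requestToken.getCallback();
        if (callback == null) {
            callback = requestToken.getClient().getApplicationURI();
        }
        if (callback == null) {
            throw new OAuthProblemException(OAuth.Problems.TOKEN_REJECTED);
        }
        return callback;
    }

    /** Appends the response parameters to the callback URI as query parameters. */
    private URI buildCallbackURI(String callback, Map<String, String> params) {
        UriBuilder builder = UriBuilder.fromUri(callback);
        for (Map.Entry<String, String> entry : params.entrySet()) {
            builder.queryParam(entry.getKey(), entry.getValue());
        }
        return builder.build();
    }

    /** Converts the response parameters into the entity returned for an OOB callback. */
    private OOBAuthorizationResponse convertQueryParamsToOOB(Map<String, String> params) {
        OOBAuthorizationResponse oob = new OOBAuthorizationResponse();
        oob.setRequestToken(params.get(OAuth.OAUTH_TOKEN));
        oob.setVerifier(params.get(OAuth.OAUTH_VERIFIER));
        oob.setState(params.get(OAuthConstants.X_OAUTH_STATE));
        return oob;
    }

    /**
     * Populates the data shown to the resource owner on the authorization form.
     *
     * @throws OAuthProblemException if the token has no usable callback (see {@link #getCallbackValue})
     */
    protected OAuthAuthorizationData addAdditionalParams(OAuthAuthorizationData oAuthAuthorizationData,
                                                        OAuthDataProvider oAuthDataProvider,
                                                        RequestToken requestToken) throws OAuthProblemException {
        oAuthAuthorizationData.setOauthToken(requestToken.getTokenKey());
        oAuthAuthorizationData.setApplicationName(requestToken.getClient().getApplicationName());
        oAuthAuthorizationData.setApplicationURI(requestToken.getClient().getApplicationURI());
        oAuthAuthorizationData.setCallbackURI(getCallbackValue(requestToken));
        oAuthAuthorizationData.setApplicationDescription(requestToken.getClient().getApplicationDescription());
        oAuthAuthorizationData.setLogoUri(requestToken.getClient().getLogoUri());
        oAuthAuthorizationData.setPermissions(requestToken.getScopes());
        return oAuthAuthorizationData;
    }

    /**
     * Generates a fresh one-time authenticity token, stores it in the session and
     * exposes it to the form so the decision POST can echo it back.
     */
    private void addAuthenticityTokenToSession(OAuthAuthorizationData oAuthAuthorizationData,
                                               HttpServletRequest request) {
        HttpSession session = request.getSession();
        String token = UUID.randomUUID().toString();
        oAuthAuthorizationData.setAuthenticityToken(token);
        session.setAttribute(OAuthConstants.AUTHENTICITY_TOKEN, token);
    }

    /**
     * Checks the authenticity token posted with the decision against the one stored in
     * the session. Whenever both are present the session copy is consumed, so a token
     * can be tried exactly once regardless of the outcome.
     *
     * @return {@code true} only if both tokens are present and equal
     */
    private boolean compareRequestSessionTokens(HttpServletRequest request, OAuthMessage oAuthMessage) {
        HttpSession session = request.getSession();
        try {
            String posted = oAuthMessage.getParameter(OAuthConstants.AUTHENTICITY_TOKEN);
            String stored = (String) session.getAttribute(OAuthConstants.AUTHENTICITY_TOKEN);
            if (StringUtils.isEmpty(posted) || StringUtils.isEmpty(stored)) {
                return false;
            }
            // Constant-time comparison: the token is a secret and must not leak through timing.
            boolean matches = MessageDigest.isEqual(posted.getBytes(StandardCharsets.UTF_8),
                                                    stored.getBytes(StandardCharsets.UTF_8));
            session.removeAttribute(OAuthConstants.AUTHENTICITY_TOKEN);
            return matches;
        } catch (IOException e) {
            // Best effort: a message whose parameters cannot be read carries no usable token.
            LOG.log(Level.FINE, "Unable to read the authenticity token from the request", e);
            return false;
        }
    }
}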
