package pl.edu.icm.unity.oauth.as.webauthz;

import com.nimbusds.oauth2.sdk.AuthorizationErrorResponse;
import com.nimbusds.oauth2.sdk.AuthorizationResponse;
import com.nimbusds.oauth2.sdk.OAuth2Error;
import com.nimbusds.oauth2.sdk.SerializeException;
import com.nimbusds.openid.connect.sdk.OIDCError;
import io.imunity.vaadin.endpoint.common.EopException;
import io.imunity.vaadin.endpoint.common.QueryBuilder;
import io.imunity.vaadin.endpoint.common.consent_utils.LoginInProgressService;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.logging.log4j.Logger;
import org.eclipse.jetty.ee10.servlet.ServletApiRequest;
import org.eclipse.jetty.security.AuthenticationState;
import pl.edu.icm.unity.base.endpoint.idp.IdpStatistic;
import pl.edu.icm.unity.base.exceptions.EngineException;
import pl.edu.icm.unity.base.identity.IdentityParam;
import pl.edu.icm.unity.base.message.MessageSource;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.EnquiryManagement;
import pl.edu.icm.unity.engine.api.PreferencesManagement;
import pl.edu.icm.unity.engine.api.attributes.DynamicAttribute;
import pl.edu.icm.unity.engine.api.authn.InvocationContext;
import pl.edu.icm.unity.engine.api.idp.IdPEngine;
import pl.edu.icm.unity.engine.api.policyAgreement.PolicyAgreementManagement;
import pl.edu.icm.unity.engine.api.translation.out.TranslationResult;
import pl.edu.icm.unity.oauth.as.AttributeValueFilter;
import pl.edu.icm.unity.oauth.as.OAuthAuthzContext;
import pl.edu.icm.unity.oauth.as.OAuthErrorResponseException;
import pl.edu.icm.unity.oauth.as.OAuthIdpStatisticReporter;
import pl.edu.icm.unity.oauth.as.OAuthProcessor;
import pl.edu.icm.unity.oauth.as.preferences.OAuthPreferences;

/* loaded from: input_file:pl/edu/icm/unity/oauth/as/webauthz/ASConsentDeciderServlet.class */
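/**
 * Servlet reached once the user is authenticated in the OAuth authorization flow. It decides, from the
 * client's stored preferences and the request's prompt handling in {@link ASConsentDecider}, whether the
 * consent UI must be shown or the authorization response can be produced immediately ("auto replay").
 *
 * <p>{@link EopException} is the end-of-processing signal: it is thrown after a redirect has already been
 * written and is swallowed in {@link #doGet}. Every OAuth-level outcome (success or error) leaves through
 * {@link #sendReturnRedirect}, which also performs the session cleanup around the response.
 */
public class ASConsentDeciderServlet extends HttpServlet {
    private static final Logger log = Log.getLogger("unity.server.oauth", ASConsentDeciderServlet.class);

    /** Source of per-client OAuth preferences (default accept/decline). */
    private final PreferencesManagement preferencesMan;
    /** Resolves user info and the subject identity for an authorization context. */
    private final OAuthIdPEngine idpEngine;
    /** Owns the OAuth context kept in the HTTP session and its cleanup. */
    private final OAuthSessionService oauthSessionService;
    /** Path of the consent UI servlet; target of {@link #sendRedirect}. */
    private final String oauthUiServletPath;
    /** Builds the final authorization response and records the server-side state backing it. */
    private final OAuthProcessor oauthProcessor;
    /** Receives SUCCESSFUL/FAILED statistics for every finished request. */
    private final OAuthIdpStatisticReporter statReporter;
    /** Encapsulates the consent decision rules (prompt handling, interactive UI requirement). */
    private final ASConsentDecider consentDecider;

    /**
     * @param str path of the consent UI servlet that interactive requests are redirected to
     */
    public ASConsentDeciderServlet(PreferencesManagement preferencesManagement, IdPEngine idPEngine, OAuthProcessor oAuthProcessor, OAuthSessionService oAuthSessionService, String str, EnquiryManagement enquiryManagement, PolicyAgreementManagement policyAgreementManagement, OAuthIdpStatisticReporter oAuthIdpStatisticReporter, MessageSource messageSource) {
        this.oauthProcessor = oAuthProcessor;
        this.preferencesMan = preferencesManagement;
        this.oauthSessionService = oAuthSessionService;
        this.idpEngine = new OAuthIdPEngine(idPEngine);
        this.oauthUiServletPath = str;
        this.statReporter = oAuthIdpStatisticReporter;
        this.consentDecider = new ASConsentDecider(enquiryManagement, policyAgreementManagement, messageSource);
    }

    /**
     * Sends requests without a Jetty authentication state to the OAuth UI servlet (query string preserved);
     * authenticated requests are dispatched normally, i.e. to {@link #doGet}.
     */
    protected void service(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        // The authentication state is attached to the underlying Jetty request, hence the unwrap.
        // NOTE(review): the cast assumes the container passes a ServletApiRequest, not a wrapper - confirm.
        boolean authenticated = AuthenticationState.getAuthenticationState(
                ((ServletApiRequest) httpServletRequest).getRequest()) != null;
        if (!authenticated) {
            sendRedirect(httpServletRequest, httpServletResponse);
            return;
        }
        super.service(httpServletRequest, httpServletResponse);
    }

    /** Runs {@link #serviceInterruptible}; {@link EopException} only means a response was already sent. */
    protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        try {
            serviceInterruptible(httpServletRequest, httpServletResponse);
        } catch (EopException ignored) {
            // End-of-processing signal: a redirect has already been written, nothing more to do.
        }
    }

    /**
     * Core decision: forced consent prompt -> consent UI; no interactive UI needed -> automatic reply;
     * consent needed but prompt=none -> {@code consent_required} error; otherwise -> consent UI.
     *
     * @throws EopException when processing ended with a redirect already sent
     * @throws IOException on failure to write the redirect
     */
    protected void serviceInterruptible(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException, EopException {
        // Resolved outside the try: a missing sign-in context is not an engine problem.
        OAuthAuthzContext oAuthContext = getOAuthContext(httpServletRequest);
        try {
            OAuthPreferences.OAuthClientSettings clientSettings = loadPreferences(oAuthContext);
            if (this.consentDecider.forceConsentIfConsentPrompt(oAuthContext)) {
                log.debug("Consent is required for OAuth request, 'consent' prompt was requested, redirect to consent UI");
                sendRedirect(httpServletRequest, httpServletResponse);
            } else if (!this.consentDecider.isInteractiveUIRequired(clientSettings, oAuthContext)) {
                log.debug("Consent is not required for OAuth request, processing immediatelly");
                autoReplay(clientSettings, oAuthContext, httpServletRequest, httpServletResponse);
            } else if (this.consentDecider.isNonePrompt(oAuthContext)) {
                sendNonePromptError(oAuthContext, httpServletRequest, httpServletResponse);
            } else {
                log.debug("Consent is required for OAuth request, forwarding to consent UI");
                sendRedirect(httpServletRequest, httpServletResponse);
            }
        } catch (EngineException e) {
            log.error("Engine problem when handling client request - can not load preferences", e);
            AuthorizationErrorResponse serverError = new AuthorizationErrorResponse(
                    oAuthContext.getReturnURI(), OAuth2Error.SERVER_ERROR,
                    oAuthContext.getRequest().getState(), oAuthContext.getRequest().impliedResponseMode());
            // Session is invalidated here (true): the engine failure leaves no usable login-in-progress state.
            sendReturnRedirect(serverError, httpServletRequest, httpServletResponse, true);
            this.statReporter.reportStatus(oAuthContext, IdpStatistic.Status.FAILED);
        }
    }

    /** Redirects to the consent UI servlet, carrying over the current request's query parameters. */
    private void sendRedirect(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        httpServletResponse.sendRedirect(this.oauthUiServletPath + getQueryToAppend(httpServletRequest));
    }

    /** Re-encodes the request's parameter map (multi-valued) as a query string via {@link QueryBuilder}. */
    private String getQueryToAppend(HttpServletRequest httpServletRequest) {
        // getParameterMap() yields String[] values; QueryBuilder works on list-valued entries.
        Map<String, List<String>> parameters = httpServletRequest.getParameterMap().entrySet().stream()
                .collect(Collectors.toMap(Map.Entry::getKey, entry -> Arrays.asList(entry.getValue())));
        return QueryBuilder.buildQuery(parameters);
    }

    /** Answers a prompt=none request that would need consent with the OIDC {@code consent_required} error. */
    private void sendNonePromptError(OAuthAuthzContext oAuthAuthzContext, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        log.info("Consent is required but 'none' prompt was requested");
        AuthorizationErrorResponse consentRequired = new AuthorizationErrorResponse(
                oAuthAuthzContext.getReturnURI(), OIDCError.CONSENT_REQUIRED,
                oAuthAuthzContext.getRequest().getState(), oAuthAuthzContext.getRequest().impliedResponseMode());
        sendReturnRedirect(consentRequired, httpServletRequest, httpServletResponse, true);
    }

    /**
     * Loads the stored settings of the requesting client (keyed by its client id).
     *
     * @throws EngineException when preferences cannot be read
     */
    protected OAuthPreferences.OAuthClientSettings loadPreferences(OAuthAuthzContext oAuthAuthzContext) throws EngineException {
        String clientId = oAuthAuthzContext.getRequest().getClientID().getValue();
        return OAuthPreferences.getPreferences(this.preferencesMan).getSPSettings(clientId);
    }

    /**
     * Produces the authorization response without showing the consent UI.
     *
     * <p>If the client's stored preference is to decline, an {@code access_denied} response is sent and the
     * method returns immediately: no user info is resolved and nothing is recorded by
     * {@link OAuthProcessor#prepareAuthzResponseAndRecordInternalState}. Otherwise user info is resolved,
     * the identity and filtered attributes are computed, the essential ACR check is applied and the success
     * response is sent; any failure is turned into an error response to the client.
     *
     * @throws EopException when a translation-profile redirect ended the processing
     * @throws IOException on failure to write the redirect
     */
    protected void autoReplay(OAuthPreferences.OAuthClientSettings oAuthClientSettings, OAuthAuthzContext oAuthAuthzContext, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws EopException, IOException {
        if (!oAuthClientSettings.isDefaultAccept()) {
            log.debug("User preferences are set to decline authZ from the client");
            AuthorizationErrorResponse accessDenied = new AuthorizationErrorResponse(
                    oAuthAuthzContext.getReturnURI(), OAuth2Error.ACCESS_DENIED,
                    oAuthAuthzContext.getRequest().getState(), oAuthAuthzContext.getRequest().impliedResponseMode());
            this.statReporter.reportStatus(oAuthAuthzContext, IdpStatistic.Status.FAILED);
            sendReturnRedirect(accessDenied, httpServletRequest, httpServletResponse, false);
            // Without this return the declined request would still be processed below (user info resolved,
            // authorization state recorded, second redirect attempted on an already committed response).
            return;
        }
        try {
            TranslationResult userInfo = this.idpEngine.getUserInfo(oAuthAuthzContext);
            handleTranslationProfileRedirectIfNeeded(userInfo, httpServletRequest, httpServletResponse);
            IdentityParam identity = this.idpEngine.getIdentity(userInfo, oAuthAuthzContext.getConfig().getSubjectIdentityType());
            log.info("Authentication of " + identity);
            Set<DynamicAttribute> releasedAttributes = AttributeValueFilter.filterAttributes(
                    oAuthAuthzContext.getClaimValueFilters(),
                    OAuthProcessor.filterAttributes(userInfo, oAuthAuthzContext.getEffectiveRequestedAttrs()));
            EssentialACRConsistencyValidator.verifyEssentialRequestedACRisReturned(oAuthAuthzContext, releasedAttributes);
            AuthorizationResponse successResponse = this.oauthProcessor.prepareAuthzResponseAndRecordInternalState(
                    releasedAttributes, identity, oAuthAuthzContext, this.statReporter,
                    InvocationContext.getCurrent().getLoginSession().getAuthenticationTime(),
                    oAuthAuthzContext.getClaimValueFilters());
            sendReturnRedirect(successResponse, httpServletRequest, httpServletResponse, false);
        } catch (EopException e) {
            // End-of-processing signal from the translation-profile redirect: propagate as-is so that the
            // generic handler below does not try to send a second response.
            throw e;
        } catch (OAuthErrorResponseException e) {
            this.statReporter.reportStatus(oAuthAuthzContext, IdpStatistic.Status.FAILED);
            sendReturnRedirect(e.getOauthResponse(), httpServletRequest, httpServletResponse, e.isInvalidateSession());
        } catch (Exception e) {
            // Boundary catch: anything else becomes a server_error for the client; details stay in the log.
            log.error("Engine problem when handling client request", e);
            AuthorizationErrorResponse serverError = new AuthorizationErrorResponse(
                    oAuthAuthzContext.getReturnURI(), OAuth2Error.SERVER_ERROR,
                    oAuthAuthzContext.getRequest().getState(), oAuthAuthzContext.getRequest().impliedResponseMode());
            this.statReporter.reportStatus(oAuthAuthzContext, IdpStatistic.Status.FAILED);
            sendReturnRedirect(serverError, httpServletRequest, httpServletResponse, false);
        }
    }

    /**
     * If the output translation profile requested a redirect, sends it, finishes the session cleanup and
     * ends processing with {@link EopException}; otherwise does nothing.
     */
    private void handleTranslationProfileRedirectIfNeeded(TranslationResult translationResult, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, EopException {
        String redirectURL = translationResult.getRedirectURL();
        if (redirectURL == null) {
            return;
        }
        httpServletResponse.sendRedirect(redirectURL);
        this.oauthSessionService.cleanupComplete(Optional.of(new LoginInProgressService.HttpContextSession(httpServletRequest)), false);
        throw new EopException();
    }

    /** Fetches the OAuth context from the session; absence is reported via the shared no-sign-in-context exception. */
    private OAuthAuthzContext getOAuthContext(HttpServletRequest httpServletRequest) {
        return OAuthSessionService.getContext(httpServletRequest).orElseThrow(LoginInProgressService.noSignInContextException());
    }

    /**
     * Delivers an OAuth response to the client by redirecting to its serialized URI, with the session
     * cleanup performed before and (in every case, exactly once) after the redirect.
     *
     * @param z whether the session should be invalidated during the post-response cleanup
     * @throws IOException when the redirect cannot be written or the response cannot be serialized
     */
    private void sendReturnRedirect(AuthorizationResponse authorizationResponse, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, boolean z) throws IOException {
        LoginInProgressService.SignInContextSession contextSession = new LoginInProgressService.HttpContextSession(httpServletRequest);
        this.oauthSessionService.cleanupBeforeResponseSent(contextSession);
        try {
            String uri = authorizationResponse.toURI().toString();
            log.trace("Sending OAuth reply via return redirect: {}", uri);
            httpServletResponse.sendRedirect(uri);
        } catch (SerializeException e) {
            throw new IOException("Error: can not serialize error response", e);
        } finally {
            // Single cleanup call on both the normal and the failing path.
            this.oauthSessionService.cleanupAfterResponseSent(contextSession, z);
        }
    }
}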
