package pl.edu.icm.unity.oauth.as.webauthz;

import com.nimbusds.oauth2.sdk.AuthorizationErrorResponse;
import com.nimbusds.oauth2.sdk.OAuth2Error;
import com.nimbusds.openid.connect.sdk.OIDCError;
import com.vaadin.flow.component.Component;
import com.vaadin.flow.component.UI;
import com.vaadin.flow.router.Route;
import io.imunity.vaadin.elements.NotificationPresenter;
import io.imunity.vaadin.elements.UnityViewComponent;
import io.imunity.vaadin.endpoint.common.EopException;
import io.imunity.vaadin.endpoint.common.Vaadin2XWebAppContext;
import io.imunity.vaadin.endpoint.common.VaadinWebLogoutHandler;
import io.imunity.vaadin.endpoint.common.active_value_select.ActiveValueSelectionScreen;
import io.imunity.vaadin.endpoint.common.api.EnquiresDialogLauncher;
import io.imunity.vaadin.endpoint.common.consent_utils.PolicyAgreementScreen;
import io.imunity.vaadin.endpoint.common.forms.VaadinLogoImageLoader;
import io.imunity.vaadin.endpoint.common.forms.components.WorkflowCompletedComponent;
import io.imunity.vaadin.endpoint.common.forms.policy_agreements.PolicyAgreementRepresentationBuilder;
import io.imunity.vaadin.endpoint.common.layout.WrappedLayout;
import io.imunity.vaadin.endpoint.common.plugins.attributes.AttributeHandlerRegistry;
import jakarta.annotation.security.PermitAll;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import pl.edu.icm.unity.base.endpoint.idp.IdpStatistic;
import pl.edu.icm.unity.base.entity.EntityParam;
import pl.edu.icm.unity.base.exceptions.EngineException;
import pl.edu.icm.unity.base.identity.IdentityParam;
import pl.edu.icm.unity.base.message.MessageSource;
import pl.edu.icm.unity.base.policy_agreement.PolicyAgreementConfiguration;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.PreferencesManagement;
import pl.edu.icm.unity.engine.api.attributes.AttributeTypeSupport;
import pl.edu.icm.unity.engine.api.attributes.DynamicAttribute;
import pl.edu.icm.unity.engine.api.authn.InvocationContext;
import pl.edu.icm.unity.engine.api.finalization.WorkflowFinalizationConfiguration;
import pl.edu.icm.unity.engine.api.identity.IdentityTypeSupport;
import pl.edu.icm.unity.engine.api.idp.ActiveValueClientHelper;
import pl.edu.icm.unity.engine.api.idp.CommonIdPProperties;
import pl.edu.icm.unity.engine.api.idp.IdPEngine;
import pl.edu.icm.unity.engine.api.policyAgreement.PolicyAgreementManagement;
import pl.edu.icm.unity.engine.api.translation.StopAuthenticationException;
import pl.edu.icm.unity.engine.api.translation.out.AuthenticationFinalizationConfiguration;
import pl.edu.icm.unity.engine.api.translation.out.TranslationResult;
import pl.edu.icm.unity.engine.api.utils.FreemarkerAppHandler;
import pl.edu.icm.unity.oauth.as.AttributeFilteringSpec;
import pl.edu.icm.unity.oauth.as.AttributeValueFilter;
import pl.edu.icm.unity.oauth.as.AttributeValueFilterUtils;
import pl.edu.icm.unity.oauth.as.OAuthASProperties;
import pl.edu.icm.unity.oauth.as.OAuthAuthzContext;
import pl.edu.icm.unity.oauth.as.OAuthErrorResponseException;
import pl.edu.icm.unity.oauth.as.OAuthIdpStatisticReporter;
import pl.edu.icm.unity.oauth.as.OAuthProcessor;

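/**
 * Vaadin view driving the interactive part of the OAuth2/OIDC authorization endpoint:
 * pending policy agreements, optional active value selection, the consent screen and
 * finally the authorization response.
 * <p>
 * The request context is taken from the Vaadin session via
 * {@link OAuthSessionService#getVaadinContext()}. Every response to the client goes
 * through an {@link OAuthResponseHandler}, which is created in
 * {@link #getTranslationResult(OAuthAuthzContext)}; the stages that run afterwards
 * (consent, decline, final confirm) rely on that ordering.
 */
@Route(value = OAuthAuthzWebEndpoint.OAUTH_UI_SERVLET_PATH, layout = WrappedLayout.class)
@PermitAll
class OAuthAuthzView extends UnityViewComponent {
    private static final Logger log = Log.getLogger("unity.server.oauth", OAuthAuthzView.class);
    private final MessageSource msg;
    private final OAuthIdPEngine idpEngine;
    private final AttributeHandlerRegistry handlersRegistry;
    private final PreferencesManagement preferencesMan;
    private final VaadinWebLogoutHandler authnProcessor;
    private final IdentityTypeSupport idTypeSupport;
    private final AttributeTypeSupport aTypeSupport;
    private final OAuthSessionService oauthSessionService;
    private final OAuthProcessor oauthProcessor;
    private final PolicyAgreementManagement policyAgreementsMan;
    private final PolicyAgreementRepresentationBuilder policyAgreementRepresentationBuilder;
    private final NotificationPresenter notificationPresenter;
    private final VaadinLogoImageLoader imageAccessService;
    // Created lazily in getTranslationResult(); consent, decline and final-confirm
    // callbacks all dereference it, so that method must run first in every flow.
    private OAuthResponseHandler oauthResponseHandler;
    // Subject identity resolved from the translation result in
    // activeValueSelectionAndConsentStage(); reused by gotoConsentStage().
    private IdentityParam identity;
    private final OAuthIdpStatisticReporter.OAuthIdpStatisticReporterFactory idpStatisticReporterFactory;
    private final FreemarkerAppHandler freemarkerHandler;

    /**
     * Wires the collaborators and registers {@link #enter()} as the continuation to run
     * once the enquiry dialog (if any) has been handled.
     */
    @Autowired
    public OAuthAuthzView(MessageSource messageSource, OAuthProcessor oAuthProcessor, AttributeHandlerRegistry attributeHandlerRegistry, PreferencesManagement preferencesManagement, VaadinWebLogoutHandler vaadinWebLogoutHandler, IdPEngine idPEngine, IdentityTypeSupport identityTypeSupport, AttributeTypeSupport attributeTypeSupport, OAuthSessionService oAuthSessionService, PolicyAgreementManagement policyAgreementManagement, OAuthIdpStatisticReporter.OAuthIdpStatisticReporterFactory oAuthIdpStatisticReporterFactory, FreemarkerAppHandler freemarkerAppHandler, PolicyAgreementRepresentationBuilder policyAgreementRepresentationBuilder, EnquiresDialogLauncher enquiresDialogLauncher, VaadinLogoImageLoader vaadinLogoImageLoader, NotificationPresenter notificationPresenter) {
        this.msg = messageSource;
        this.oauthProcessor = oAuthProcessor;
        this.handlersRegistry = attributeHandlerRegistry;
        this.preferencesMan = preferencesManagement;
        this.authnProcessor = vaadinWebLogoutHandler;
        this.oauthSessionService = oAuthSessionService;
        this.idpEngine = new OAuthIdPEngine(idPEngine);
        this.idTypeSupport = identityTypeSupport;
        this.aTypeSupport = attributeTypeSupport;
        this.policyAgreementsMan = policyAgreementManagement;
        this.idpStatisticReporterFactory = oAuthIdpStatisticReporterFactory;
        this.freemarkerHandler = freemarkerAppHandler;
        this.policyAgreementRepresentationBuilder = policyAgreementRepresentationBuilder;
        this.notificationPresenter = notificationPresenter;
        this.imageAccessService = vaadinLogoImageLoader;
        // enter() is a callback here, not invoked synchronously from the constructor.
        enquiresDialogLauncher.showEnquiryDialogIfNeeded(this::enter);
    }

    /**
     * Entry point of the flow. Policy agreements still to be accepted are shown first;
     * otherwise the flow proceeds straight to active value selection / consent.
     */
    protected void enter() {
        OAuthAuthzContext ctx = OAuthSessionService.getVaadinContext();
        OAuthASProperties config = ctx.getConfig();
        List<PolicyAgreementConfiguration> pendingAgreements = filterAgreementsToPresents(config);
        if (pendingAgreements.isEmpty()) {
            activeValueSelectionAndConsentStage(ctx, config);
        } else {
            policyAgreementsStage(ctx, config, pendingAgreements);
        }
    }

    /**
     * Determines which configured policy agreements the logged-in entity still has to accept.
     *
     * @param config endpoint configuration holding the agreements setup
     * @return agreements to present; empty when none are pending or when they could not be
     *         determined (the failure is logged with its cause and the flow continues)
     */
    private List<PolicyAgreementConfiguration> filterAgreementsToPresents(OAuthASProperties config) {
        List<PolicyAgreementConfiguration> toPresent = new ArrayList<>();
        try {
            Long entityId = InvocationContext.getCurrent().getLoginSession().getEntityId();
            toPresent.addAll(this.policyAgreementsMan.filterAgreementToPresent(new EntityParam(entityId),
                    CommonIdPProperties.getPolicyAgreementsConfig(this.msg, config).agreements));
        } catch (EngineException e) {
            // Best effort, as before, but keep the cause in the log instead of dropping it.
            log.error("Unable to determine policy agreements to accept", e);
        }
        return toPresent;
    }

    /**
     * Replaces the view content with the policy agreements screen; on submit the flow
     * continues with active value selection / consent.
     */
    private void policyAgreementsStage(OAuthAuthzContext ctx, OAuthASProperties config, List<PolicyAgreementConfiguration> agreements) {
        Component agreementsScreen = PolicyAgreementScreen.builder()
                .withMsg(this.msg)
                .withPolicyAgreementDecider(this.policyAgreementsMan)
                .withNotificationPresenter(this.notificationPresenter)
                .withPolicyAgreementRepresentationBuilder(this.policyAgreementRepresentationBuilder)
                .withTitle(config.getLocalizedStringWithoutFallbackToDefault(this.msg, "policyAgreementsTitle"))
                .withInfo(config.getLocalizedStringWithoutFallbackToDefault(this.msg, "policyAgreementsInfo"))
                .withAgreements(agreements)
                .withWidth(config.getLongValue("policyAgreementsWidth").floatValue(), config.getValue("policyAgreementsWidthUnit"))
                .withSubmitHandler(() -> activeValueSelectionAndConsentStage(ctx, config))
                .build();
        getContent().removeAll();
        getContent().add(agreementsScreen);
    }

    /**
     * Runs the output translation, resolves the subject identity and the attributes to
     * release, checks the essential ACR requirement and then either shows the active value
     * selection screen or goes to the consent stage.
     * <p>
     * An {@link EopException} means processing already ended (response sent, redirect
     * issued or finalization screen shown) and is therefore swallowed here on purpose.
     */
    private void activeValueSelectionAndConsentStage(OAuthAuthzContext ctx, OAuthASProperties config) {
        try {
            TranslationResult translationResult = getTranslationResult(ctx);
            if (translationResult == null) {
                // Defensive: getTranslationResult() ends processing through EopException whenever
                // it has no result, so this should be unreachable; do not dereference null anyway.
                return;
            }
            handleRedirectIfNeeded(translationResult);
            this.identity = this.idpEngine.getIdentity(translationResult, ctx.getConfig().getSubjectIdentityType());
            // Attributes narrowed to what the request asked for, then additionally to the
            // configured claim value filters.
            Set<DynamicAttribute> requestedAttrs = OAuthProcessor.filterAttributes(translationResult, ctx.getEffectiveRequestedAttrs());
            Set<DynamicAttribute> filteredAttrs = AttributeValueFilter.filterAttributes(ctx.getClaimValueFilters(), requestedAttrs);
            Optional<ActiveValueClientHelper.ActiveValueSelectionConfig> activeValueSelection =
                    ActiveValueClientHelper.getActiveValueSelectionConfig(config.getActiveValueClients(), ctx.getClientUsername(), filteredAttrs);
            try {
                EssentialACRConsistencyValidator.verifyEssentialRequestedACRisReturned(ctx, filteredAttrs);
                activeValueSelection.ifPresentOrElse(
                        selectionConfig -> showActiveValueSelectionScreen(selectionConfig, ctx),
                        () -> gotoConsentStage(requestedAttrs, null, ctx));
            } catch (OAuthErrorResponseException e) {
                // The validator supplies a ready error response; report the failure and return it.
                this.oauthResponseHandler.returnOauthResponseNotThrowingAndReportStatistic(e.getOauthResponse(), false, ctx, IdpStatistic.Status.FAILED);
            }
        } catch (EopException ignored) {
            // End of processing: the response/redirect/finalization screen was already produced.
        }
    }

    /**
     * Decides whether consent can be skipped and otherwise shows the consent screen.
     * <p>
     * Consent is forced when the request carries {@code prompt=consent}. Without that, the
     * endpoint's skip-consent setting grants immediately, and {@code prompt=none} yields a
     * {@code consent_required} error since no UI may be shown.
     *
     * @param attributes         attributes to display / release
     * @param selectedAttributes attributes chosen on the active value selection screen, or
     *                           {@code null} when that screen was not shown
     * @param ctx                current authorization context
     */
    private void gotoConsentStage(Collection<DynamicAttribute> attributes, Collection<DynamicAttribute> selectedAttributes, OAuthAuthzContext ctx) {
        if (!forceConsentIfConsentPrompt(ctx)) {
            if (ctx.getConfig().isSkipConsent()) {
                onFinalConfirm(this.identity, AttributeValueFilter.filterAttributes(ctx.getClaimValueFilters(), attributes), selectedAttributes);
                return;
            }
            if (isNonePrompt(ctx)) {
                sendNonePromptError(ctx);
                return;
            }
        }
        Component consentScreen = new OAuthConsentScreen(this.msg, this.handlersRegistry, this.preferencesMan, this.authnProcessor,
                this.idTypeSupport, this.aTypeSupport, this.identity, attributes, this::onDecline,
                (confirmedIdentity, confirmedAttributes) -> onFinalConfirm(confirmedIdentity,
                        AttributeValueFilter.filterAttributes(ctx.getClaimValueFilters(), confirmedAttributes), selectedAttributes),
                this.oauthResponseHandler);
        getContent().removeAll();
        getContent().add(consentScreen);
    }

    /**
     * Returns the OIDC {@code consent_required} error to the client's return URI, echoing the
     * request state so the client can correlate the response.
     */
    private void sendNonePromptError(OAuthAuthzContext ctx) {
        log.error("Consent is required but 'none' prompt was given");
        this.oauthResponseHandler.returnOauthResponseNotThrowing(
                new AuthorizationErrorResponse(ctx.getReturnURI(), OIDCError.CONSENT_REQUIRED, ctx.getRequest().getState(), ctx.getRequest().impliedResponseMode()),
                true);
    }

    /** @return whether the request asked for {@code prompt=none}. */
    private boolean isNonePrompt(OAuthAuthzContext ctx) {
        return ctx.getPrompts().contains(OAuthAuthzContext.Prompt.NONE);
    }

    /** @return whether the request asked for {@code prompt=consent}, which forces the consent screen. */
    private boolean forceConsentIfConsentPrompt(OAuthAuthzContext ctx) {
        return ctx.getPrompts().contains(OAuthAuthzContext.Prompt.CONSENT);
    }

    /**
     * Replaces the view content with the active value selection screen; its result feeds
     * the consent stage with both the full and the user-filtered attribute sets.
     */
    private void showActiveValueSelectionScreen(ActiveValueClientHelper.ActiveValueSelectionConfig selectionConfig, OAuthAuthzContext ctx) {
        Component selectionScreen = new ActiveValueSelectionScreen(this.msg, this.handlersRegistry, this.authnProcessor,
                selectionConfig.singleSelectableAttributes, selectionConfig.multiSelectableAttributes, selectionConfig.remainingAttributes,
                OAuthAuthzWebEndpoint.OAUTH_CONSENT_DECIDER_SERVLET_PATH, this::onDecline,
                selectionResult -> gotoConsentStage(selectionResult.allAttributes(), selectionResult.filteredAttributes(), ctx));
        getContent().removeAll();
        getContent().add(selectionScreen);
    }

    /**
     * Initializes the response handler and runs the output translation for the request.
     * <p>
     * Any failure is turned into an OAuth error response (or a finalization screen) and
     * processing is ended through {@link EopException}; details of unexpected exceptions
     * are logged only and the client receives a generic {@code server_error}.
     *
     * @return the translation result, or {@code null} only if the error path did not end
     *         processing (not expected)
     * @throws EopException when the error path already produced the response/screen
     */
    private TranslationResult getTranslationResult(OAuthAuthzContext ctx) throws EopException {
        this.oauthResponseHandler = new OAuthResponseHandler(this.oauthSessionService,
                this.idpStatisticReporterFactory.getForEndpoint(Vaadin2XWebAppContext.getCurrentWebAppEndpoint()),
                this.freemarkerHandler);
        try {
            return this.idpEngine.getUserInfo(ctx);
        } catch (StopAuthenticationException e) {
            handleFinalizationScreen(e.finalizationScreenConfiguration);
            return null;
        } catch (OAuthErrorResponseException e) {
            this.oauthResponseHandler.returnOauthResponseAndReportStatistic(e.getOauthResponse(), e.isInvalidateSession(), ctx, IdpStatistic.Status.FAILED);
            return null;
        } catch (Exception e) {
            // Internal failure: full detail to the server log, generic server_error to the client.
            log.error("Engine problem when handling client request", e);
            this.oauthResponseHandler.returnOauthResponseAndReportStatistic(
                    new AuthorizationErrorResponse(ctx.getReturnURI(), OAuth2Error.SERVER_ERROR, ctx.getRequest().getState(), ctx.getRequest().impliedResponseMode()),
                    true, ctx, IdpStatistic.Status.FAILED);
            return null;
        }
    }

    /**
     * Redirects the browser when the translation result carries a redirect URL and ends
     * processing. NOTE(review): the target comes from the translation result, not from the
     * client request — confirm it is always a profile-configured (trusted) value.
     *
     * @throws EopException after the redirect has been issued
     */
    private void handleRedirectIfNeeded(TranslationResult translationResult) throws EopException {
        String redirectURL = translationResult.getRedirectURL();
        if (redirectURL != null) {
            // The (String) null selects the two-argument open(url, windowName) overload.
            UI.getCurrent().getPage().open(redirectURL, (String) null);
            throw new EopException();
        }
    }

    /**
     * Shows the workflow-completed screen configured by a stopped authentication and ends
     * processing.
     *
     * @throws EopException always, once the screen is displayed
     */
    private void handleFinalizationScreen(AuthenticationFinalizationConfiguration finalization) throws EopException {
        WorkflowFinalizationConfiguration screenConfig = new WorkflowFinalizationConfiguration(false, false, (String) null, (String) null,
                finalization.title.getValue(this.msg), finalization.info.getValue(this.msg),
                finalization.redirectURL, finalization.redirectCaption.getValue(this.msg), finalization.redirectAfterTime);
        Component completedScreen = new WorkflowCompletedComponent(screenConfig,
                (Component) this.imageAccessService.loadImageFromUri(screenConfig.logoURL).orElse(null));
        getContent().removeAll();
        getContent().add(completedScreen);
        throw new EopException();
    }

    /** Consent declined by the user: returns {@code access_denied} and records a failed statistic. */
    private void onDecline() {
        OAuthAuthzContext ctx = OAuthSessionService.getVaadinContext();
        this.oauthResponseHandler.returnOauthResponseNotThrowingAndReportStatistic(
                new AuthorizationErrorResponse(ctx.getReturnURI(), OAuth2Error.ACCESS_DENIED, ctx.getRequest().getState(), ctx.getRequest().impliedResponseMode()),
                false, ctx, IdpStatistic.Status.FAILED);
    }

    /**
     * Consent granted: builds the authorization response, records the internal state and
     * returns the response to the client. Attribute values picked on the active value
     * selection screen (if any) are merged into the claim value filters first. Unexpected
     * failures are logged and answered with a generic {@code server_error}.
     *
     * @param confirmedIdentity  subject identity being released
     * @param attributes         attributes to release (already value-filtered)
     * @param selectedAttributes active value selection result, or {@code null} if none
     */
    private void onFinalConfirm(IdentityParam confirmedIdentity, Collection<DynamicAttribute> attributes, Collection<DynamicAttribute> selectedAttributes) {
        OAuthAuthzContext ctx = OAuthSessionService.getVaadinContext();
        try {
            this.oauthResponseHandler.returnOauthResponseNotThrowing(
                    this.oauthProcessor.prepareAuthzResponseAndRecordInternalState(attributes, confirmedIdentity, ctx,
                            this.oauthResponseHandler.statReporter,
                            InvocationContext.getCurrent().getLoginSession().getAuthenticationTime(),
                            selectedAttributes == null ? null
                                    : AttributeValueFilterUtils.mergeFiltersWithPreservingLast(ctx.getClaimValueFilters(),
                                            mapSelectedAttributesToFilters(selectedAttributes))),
                    false);
        } catch (Exception e) {
            log.error("Error during OAuth processing", e);
            this.oauthResponseHandler.returnOauthResponseNotThrowingAndReportStatistic(
                    new AuthorizationErrorResponse(ctx.getReturnURI(), OAuth2Error.SERVER_ERROR, ctx.getRequest().getState(), ctx.getRequest().impliedResponseMode()),
                    false, ctx, IdpStatistic.Status.FAILED);
        }
    }

    /**
     * Converts the selected attributes into value filters: one spec per attribute, keeping
     * exactly the values the user chose.
     *
     * @return the filter specs, or {@code null} when {@code selected} is {@code null}
     */
    private List<AttributeFilteringSpec> mapSelectedAttributesToFilters(Collection<DynamicAttribute> selected) {
        if (selected == null) {
            return null;
        }
        return selected.stream()
                .map(attr -> new AttributeFilteringSpec(attr.getAttribute().getName(),
                        attr.getAttribute().getValues().stream().collect(Collectors.toSet())))
                .toList();
    }

    /** @return the displayed name of the current web app endpoint, used as the page title. */
    public String getPageTitle() {
        return Vaadin2XWebAppContext.getCurrentWebAppDisplayedName();
    }
}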
