package org.wso2.carbon.identity.oauth.endpoint.authz;

import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import org.apache.amber.oauth2.as.request.OAuthAuthzRequest;
import org.apache.amber.oauth2.as.response.OAuthASResponse;
import org.apache.amber.oauth2.common.exception.OAuthProblemException;
import org.apache.amber.oauth2.common.exception.OAuthSystemException;
import org.apache.amber.oauth2.common.message.OAuthResponse;
import org.apache.amber.oauth2.common.message.types.ResponseType;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.oltu.openidconnect.as.util.OIDCAuthzServerUtil;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.identity.oauth.cache.CacheEntry;
import org.wso2.carbon.identity.oauth.cache.SessionDataCache;
import org.wso2.carbon.identity.oauth.cache.SessionDataCacheEntry;
import org.wso2.carbon.identity.oauth.cache.SessionDataCacheKey;
import org.wso2.carbon.identity.oauth.endpoint.OAuthRequestWrapper;
import org.wso2.carbon.identity.oauth.endpoint.user.UserInfoEndpointException;
import org.wso2.carbon.identity.oauth.util.EndpointUtil;
import org.wso2.carbon.identity.oauth.util.OpenIDConnectConstant;
import org.wso2.carbon.identity.oauth.util.OpenIDConnectUserRPStore;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AuthorizeReqDTO;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AuthorizeRespDTO;
import org.wso2.carbon.identity.oauth2.dto.OAuth2ClientValidationResponseDTO;
import org.wso2.carbon.identity.oauth2.model.OAuth2Parameters;
import org.wso2.carbon.registry.core.utils.UUIDGenerator;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

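@Path("/authorize")
/* loaded from: input_file:WEB-INF/classes/org/wso2/carbon/identity/oauth/endpoint/authz/OAuth2AuthzEndpoint.class */
/**
 * JAX-RS resource implementing the OAuth 2.0 / OpenID Connect authorization endpoint.
 *
 * <p>The endpoint is stateful across several browser round-trips; the state lives in
 * {@link SessionDataCache} under a key that travels either as the {@code sessionDataKey}
 * request attribute (set by the authentication framework) or as the {@code sessionDataKey}
 * form parameter (sent back by the consent page). Every outcome is a 302 whose {@code Location}
 * is either the callback URL returned by client validation (carrying the OAuth response or an
 * OAuth error) or a local error page.
 */
public class OAuth2AuthzEndpoint {

    private static final Log log = LogFactory.getLog(OAuth2AuthzEndpoint.class);

    /** Carbon super-tenant id and domain; every request on this endpoint runs inside that tenant flow. */
    private static final int SUPER_TENANT_ID = -1234;
    private static final String SUPER_TENANT_DOMAIN = "carbon.super";

    /**
     * {@code expires_in} advertised on implicit-flow responses. Hard-coded because nothing in this
     * class reads a lifetime from the authorization response DTO.
     */
    private static final int IMPLICIT_TOKEN_EXPIRES_IN = 3600;

    /**
     * Handles the authorization request. The same URL is visited up to three times per authorization:
     * <ol>
     *   <li>by the client with {@code client_id} (and usually {@code redirect_uri}): the client is validated,
     *       the request is cached under a freshly generated session data key and the browser is sent to the
     *       login page;</li>
     *   <li>by the authentication framework with the {@code sessionDataKey}, {@code commonAuthAuthenticated}
     *       and {@code authenticatedUser} request attributes: the user is authorized and either redirected to
     *       the client or sent to the consent page;</li>
     *   <li>by the consent page with the {@code consent} and {@code sessionDataKey} form parameters: the
     *       decision is recorded, the cache entry is cleared and the response (or an error) is redirected to
     *       the client.</li>
     * </ol>
     *
     * @param httpServletRequest the current request (an {@link OAuthRequestWrapper} when invoked via
     *                           {@link #authorizePost})
     * @return a 302 redirect to the client callback or to a local error page
     * @throws URISyntaxException if a computed redirect location is not a valid URI
     */
    @GET
    @Path("/")
    @Consumes({"application/x-www-form-urlencoded"})
    @Produces({"text/html"})
    public Response authorize(@Context HttpServletRequest httpServletRequest) throws URISyntaxException {
        try {
            PrivilegedCarbonContext.startTenantFlow();
            PrivilegedCarbonContext carbonContext = PrivilegedCarbonContext.getThreadLocalCarbonContext();
            carbonContext.setTenantId(SUPER_TENANT_ID);
            carbonContext.setTenantDomain(SUPER_TENANT_DOMAIN);

            String sessionDataKey = EndpointUtil.getSafeText((String) httpServletRequest.getAttribute("sessionDataKey"));
            String consent = EndpointUtil.getSafeText(httpServletRequest.getParameter("consent"));

            SessionDataCacheEntry sessionDataCacheEntry;
            if (sessionDataKey != null) {
                // Returning from the authentication framework: the key arrives as a request attribute.
                CacheEntry cached = SessionDataCache.getInstance().getValueFromCache(new SessionDataCacheKey(sessionDataKey));
                if (cached == null) {
                    return showSessionError(httpServletRequest, sessionDataKey);
                }
                sessionDataCacheEntry = (SessionDataCacheEntry) cached;
            } else if (consent != null) {
                // Returning from the consent page: the key is a form parameter this time.
                sessionDataKey = EndpointUtil.getSafeText(httpServletRequest.getParameter("sessionDataKey"));
                if (sessionDataKey == null) {
                    return showSessionError(httpServletRequest, sessionDataKey);
                }
                CacheEntry cached = SessionDataCache.getInstance().getValueFromCache(new SessionDataCacheKey(sessionDataKey));
                if (cached == null) {
                    return showSessionError(httpServletRequest, sessionDataKey);
                }
                sessionDataCacheEntry = (SessionDataCacheEntry) cached;
            } else {
                // Fresh authorization request straight from the client.
                sessionDataCacheEntry = new SessionDataCacheEntry();
            }

            String clientId = EndpointUtil.getSafeText(httpServletRequest.getParameter("client_id"));
            OAuth2Parameters oAuth2Parameters = sessionDataCacheEntry.getoAuth2Parameters();
            try {
                if (clientId != null) {
                    String redirectUri = EndpointUtil.getSafeText(httpServletRequest.getParameter("redirect_uri"));
                    String location;
                    try {
                        location = handleOAuthAuthorizationRequest(httpServletRequest, clientId, redirectUri, sessionDataCacheEntry);
                    } catch (OAuthProblemException e) {
                        log.debug(e.getError(), e.getCause());
                        // handleOAuthAuthorizationRequest validates client_id/redirect_uri before it parses the
                        // request, so by the time OAuthProblemException is thrown redirectUri has passed client
                        // validation (confirm in OAuth2Service.validateClientInfo). With no redirect_uri at all there
                        // is nowhere to send an OAuth error, so show the local error page instead of building a
                        // URI from null.
                        if (redirectUri == null) {
                            location = EndpointUtil.getErrorPageURL(httpServletRequest, null, e.getError(), e.getMessage());
                        } else {
                            location = OAuthASResponse.errorResponse(302).error(e).location(redirectUri)
                                    .buildQueryMessage().getLocationUri();
                        }
                    }
                    return Response.status(302).location(new URI(location)).build();
                }

                // Every path below needs the cached parameters; a cache entry without them cannot be processed.
                if (oAuth2Parameters == null) {
                    SessionDataCache.getInstance().clearCacheEntry(new SessionDataCacheKey(sessionDataKey));
                    log.error("Invalid Authorization Request");
                    return Response.status(302).location(new URI(EndpointUtil.getErrorPageURL(httpServletRequest,
                            oAuth2Parameters, UserInfoEndpointException.ERROR_CODE_INVALID_REQUEST,
                            "Invalid Authorization Request"))).build();
                }

                if (consent != null) {
                    String location = sessionDataCacheEntry.getOidcRequest() != null
                            ? handleUserConsent(consent, httpServletRequest, oAuth2Parameters, sessionDataCacheEntry)
                            : handleUserAuthzParams(consent, httpServletRequest, sessionDataCacheEntry);
                    // The consent round-trip is the last use of this session entry.
                    SessionDataCache.getInstance().clearCacheEntry(new SessionDataCacheKey(sessionDataKey));
                    return Response.status(302).location(new URI(location)).build();
                }

                // A missing or non-true attribute means the framework did not authenticate this request;
                // fail closed instead of throwing on the unboxing cast.
                boolean authenticated = Boolean.TRUE.equals(httpServletRequest.getAttribute("commonAuthAuthenticated"));
                String authenticatedUser = (String) httpServletRequest.getAttribute("authenticatedUser");
                String locationUri;
                if (authenticated && authenticatedUser != null) {
                    // Canonical subject is "<tenant-aware username>@<tenant domain>", lower-cased with a fixed
                    // locale so the stored identity does not depend on the JVM's default locale.
                    String loggedInUser = (MultitenantUtils.getTenantAwareUsername(authenticatedUser) + "@"
                            + MultitenantUtils.getTenantDomain(authenticatedUser)).toLowerCase(Locale.ROOT);
                    sessionDataCacheEntry.setOidcLoggedInUser(loggedInUser);
                    locationUri = doUserAuthz(httpServletRequest, oAuth2Parameters, sessionDataKey, sessionDataCacheEntry);
                } else {
                    // OIDC prompt=none forbids any user interaction, so report login_required; otherwise the
                    // generic access_denied.
                    boolean promptNone = sessionDataCacheEntry.getOidcRequest() != null
                            && oAuth2Parameters.getPrompt() != null
                            && oAuth2Parameters.getPrompt().contains("none");
                    OAuthProblemException denial = promptNone
                            ? OAuthProblemException.error("login_required", "No authenticated user found")
                            : OAuthProblemException.error("access_denied", " The end-user or authorization server denied the request");
                    locationUri = OAuthASResponse.errorResponse(302).error(denial)
                            .location(oAuth2Parameters.getRedirectURI())
                            .setState(oAuth2Parameters.getState())
                            .buildQueryMessage().getLocationUri();
                }
                return Response.status(302).location(new URI(locationUri)).build();
            } catch (OAuthSystemException e) {
                SessionDataCache.getInstance().clearCacheEntry(new SessionDataCacheKey(sessionDataKey));
                log.error(e.getMessage(), e);
                return Response.status(302).location(new URI(EndpointUtil.getErrorPageURL(httpServletRequest,
                        oAuth2Parameters, UserInfoEndpointException.ERROR_CODE_INVALID_REQUEST, e.getMessage()))).build();
            }
        } finally {
            // Paired with startTenantFlow() above on every exit, including exceptions.
            PrivilegedCarbonContext.endTenantFlow();
        }
    }

    /**
     * POST variant of {@link #authorize(HttpServletRequest)}: the form body is merged into the request via
     * {@link OAuthRequestWrapper} so that both verbs share one implementation.
     *
     * @param httpServletRequest the current request
     * @param multivaluedMap     the decoded form parameters
     * @return see {@link #authorize(HttpServletRequest)}
     * @throws URISyntaxException see {@link #authorize(HttpServletRequest)}
     */
    @Path("/")
    @Consumes({"application/x-www-form-urlencoded"})
    @POST
    @Produces({"text/html"})
    public Response authorizePost(@Context HttpServletRequest httpServletRequest, MultivaluedMap multivaluedMap) throws URISyntaxException {
        return authorize(new OAuthRequestWrapper(httpServletRequest, multivaluedMap));
    }

    /**
     * Applies the consent decision of an OpenID Connect request whose response was already built and cached
     * by {@link #doUserAuthz}.
     *
     * @param consent               the consent form value (one of the {@link OpenIDConnectConstant.Consent} values)
     * @param httpServletRequest    the current request (unused, kept for signature symmetry with
     *                              {@link #handleUserAuthzParams})
     * @param oAuth2Parameters      the cached request parameters
     * @param sessionDataCacheEntry the cached session entry holding the prepared response
     * @return the cached response location on approval, an {@code access_denied} redirect on denial
     * @throws OAuthSystemException if the error redirect cannot be built
     */
    private String handleUserConsent(String consent, HttpServletRequest httpServletRequest, OAuth2Parameters oAuth2Parameters,
                                     SessionDataCacheEntry sessionDataCacheEntry) throws OAuthSystemException {
        String oidcResponse = sessionDataCacheEntry.getOidcResponse();
        String relyingParty = sessionDataCacheEntry.getOidcRP();
        String loggedInUser = sessionDataCacheEntry.getOidcLoggedInUser();
        if (OpenIDConnectConstant.Consent.DENY.equals(consent)) {
            return errorRedirect(oAuth2Parameters, "access_denied", null);
        }
        // Record the approval; "approve always" makes future prompt=none requests succeed without a consent page.
        OpenIDConnectUserRPStore.getInstance().putUserRPToStore(loggedInUser, relyingParty,
                OpenIDConnectConstant.Consent.APPROVE_ALWAYS.equals(consent));
        return oidcResponse;
    }

    /**
     * Processes the initial request from the client: validates the client and its redirect URI, captures
     * the request parameters into the session entry, caches the entry under a new session data key and
     * returns the login page URL the browser should be sent to.
     *
     * <p>Client validation happens before the request is parsed so that no later failure can redirect to an
     * unverified {@code redirect_uri}; the redirect URI kept in the parameters is the callback URL returned by
     * validation, not the raw request parameter.
     *
     * @param httpServletRequest    the current request
     * @param clientId              the {@code client_id} parameter (already sanitised)
     * @param redirectUri           the {@code redirect_uri} parameter, may be {@code null}
     * @param sessionDataCacheEntry a fresh session entry to populate
     * @return the login page URL, or an error location (local error page or OAuth error redirect)
     * @throws OAuthSystemException  if the request cannot be parsed or a redirect cannot be built
     * @throws OAuthProblemException if the request is malformed
     */
    private String handleOAuthAuthorizationRequest(HttpServletRequest httpServletRequest, String clientId, String redirectUri,
                                                   SessionDataCacheEntry sessionDataCacheEntry)
            throws OAuthSystemException, OAuthProblemException {
        if (clientId == null) {
            log.warn("Client Id is not present in the authorization request.");
            return EndpointUtil.getErrorPageURL(httpServletRequest, null, UserInfoEndpointException.ERROR_CODE_INVALID_REQUEST,
                    "Invalid Request. Client Id is not present in the request");
        }
        OAuth2ClientValidationResponseDTO clientValidation = validateClient(httpServletRequest, clientId, redirectUri);
        if (!clientValidation.isValidClient()) {
            return EndpointUtil.getErrorPageURL(httpServletRequest, null, clientValidation.getErrorCode(),
                    clientValidation.getErrorMsg());
        }

        OAuthAuthzRequest oAuthAuthzRequest = new OAuthAuthzRequest(httpServletRequest);
        OAuth2Parameters params = new OAuth2Parameters();
        params.setApplicationName(clientValidation.getApplicationName());
        // Only the validated callback is ever used as a redirect target from here on.
        params.setRedirectURI(clientValidation.getCallbackURL());
        params.setResponseType(oAuthAuthzRequest.getResponseType());
        params.setScopes(oAuthAuthzRequest.getScopes());
        params.setState(oAuthAuthzRequest.getState());
        params.setClientId(clientId);

        if (OIDCAuthzServerUtil.isOIDCAuthzRequest(oAuthAuthzRequest.getScopes())) {
            sessionDataCacheEntry.setOidcRequest("true");
        }
        sessionDataCacheEntry.setOidcRP(params.getApplicationName());
        params.setNonce(oAuthAuthzRequest.getParam("nonce"));
        params.setDisplay(oAuthAuthzRequest.getParam("display"));
        params.setRequest(oAuthAuthzRequest.getParam("request"));
        params.setRequestURI(oAuthAuthzRequest.getParam("request_uri"));
        params.setIDTokenHint(oAuthAuthzRequest.getParam("id_token_hint"));
        params.setLoginHint(oAuthAuthzRequest.getParam("login_hint"));

        String prompt = oAuthAuthzRequest.getParam("prompt");
        params.setPrompt(prompt);
        boolean promptLogin = false;
        boolean promptNoneOrConsent = false;
        if (prompt != null) {
            String trimmedPrompt = prompt.trim();
            // An empty prompt value is rejected (the previous "split().length < 1" test could never fire,
            // because split() always yields at least one element).
            if (trimmedPrompt.isEmpty()) {
                log.debug("Invalid prompt variable value. " + prompt);
                return errorRedirect(params, UserInfoEndpointException.ERROR_CODE_INVALID_REQUEST,
                        "Invalid prompt variable value. ");
            }
            String[] promptValues = trimmedPrompt.split(" ");
            // Substring matching is kept for consistency with doUserAuthz, which inspects the same value;
            // a token-wise comparison would be stricter.
            boolean promptNone = prompt.contains("none");
            if (promptValues.length > 1 && promptNone) {
                log.debug("Invalid prompt variable combination. The value none cannot be used with others. " + prompt);
                return errorRedirect(params, UserInfoEndpointException.ERROR_CODE_INVALID_REQUEST,
                        "Invalid prompt variable combination. The value none cannot be used with others. ");
            }
            if (prompt.contains("login")) {
                promptNoneOrConsent = false;
                promptLogin = true;
            } else if (promptNone || prompt.contains("consent")) {
                promptNoneOrConsent = true;
                promptLogin = false;
            }
        }

        String sessionDataKey = UUIDGenerator.generateUUID();
        sessionDataCacheEntry.setoAuth2Parameters(params);
        SessionDataCache.getInstance().addToCache(new SessionDataCacheKey(sessionDataKey), sessionDataCacheEntry);
        return EndpointUtil.getLoginPageURL(sessionDataKey, promptLogin, promptNoneOrConsent);
    }

    /**
     * Validates the client id / callback pair against the OAuth2 service.
     *
     * @param httpServletRequest the current request (unused)
     * @param clientId           the {@code client_id} value
     * @param callbackUrl        the {@code redirect_uri} value, may be {@code null}
     * @return the validation result, including the registered application name and callback URL
     */
    private OAuth2ClientValidationResponseDTO validateClient(HttpServletRequest httpServletRequest, String clientId,
                                                             String callbackUrl) {
        return EndpointUtil.getOAuth2Service().validateClientInfo(clientId, callbackUrl);
    }

    /**
     * Applies the consent decision of a plain OAuth 2.0 (non-OIDC) request: records the decision, runs the
     * authorization and builds the client redirect.
     *
     * @param consent               the consent form value (one of the {@link OpenIDConnectConstant.Consent} values)
     * @param httpServletRequest    the current request
     * @param sessionDataCacheEntry the cached session entry
     * @return the redirect location carrying the code/token or an OAuth error
     * @throws OAuthSystemException if a redirect cannot be built
     */
    public String handleUserAuthzParams(String consent, HttpServletRequest httpServletRequest,
                                        SessionDataCacheEntry sessionDataCacheEntry) throws OAuthSystemException {
        OAuth2Parameters oAuth2Parameters = sessionDataCacheEntry.getoAuth2Parameters();
        String loggedInUser = sessionDataCacheEntry.getOidcLoggedInUser();
        if (OpenIDConnectConstant.Consent.DENY.equals(consent)) {
            return errorRedirect(oAuth2Parameters, "access_denied", null);
        }
        OpenIDConnectUserRPStore.getInstance().putUserRPToStore(loggedInUser, oAuth2Parameters.getApplicationName(),
                OpenIDConnectConstant.Consent.APPROVE_ALWAYS.equals(consent));
        OAuth2AuthorizeRespDTO authzResp = authorize(oAuth2Parameters, sessionDataCacheEntry);
        return buildAuthorizationRedirect(httpServletRequest, oAuth2Parameters, authzResp).getLocationUri();
    }

    /**
     * Authorizes an authenticated user and decides whether a consent page is needed.
     *
     * <p>The client redirect (code/token or error) is built first. Unless the request carries
     * {@code prompt=none} without {@code consent}, the entry is re-cached and the browser goes to the consent
     * page (for OIDC requests the built redirect is stored on the entry for {@link #handleUserConsent}).
     * With {@code prompt=none} no interaction is allowed: the redirect is returned only if consent was
     * previously recorded for this user and relying party, or if the server is configured to skip consent;
     * otherwise the client receives {@code consent_required}.
     *
     * @param httpServletRequest    the current request
     * @param oAuth2Parameters      the cached request parameters
     * @param sessionDataKey        the key the entry is cached under (passed on to the consent page)
     * @param sessionDataCacheEntry the cached session entry
     * @return the next redirect location
     * @throws OAuthSystemException if a redirect cannot be built
     */
    private String doUserAuthz(HttpServletRequest httpServletRequest, OAuth2Parameters oAuth2Parameters, String sessionDataKey,
                               SessionDataCacheEntry sessionDataCacheEntry) throws OAuthSystemException {
        String loggedInUser = sessionDataCacheEntry.getOidcLoggedInUser();
        OAuth2AuthorizeRespDTO authzResp = authorize(oAuth2Parameters, sessionDataCacheEntry);
        String locationUri = buildAuthorizationRedirect(httpServletRequest, oAuth2Parameters, authzResp).getLocationUri();

        boolean oidcRequest = "true".equals(sessionDataCacheEntry.getOidcRequest());
        String prompt = oAuth2Parameters.getPrompt();
        boolean consentPageRequired = prompt == null || prompt.contains("consent") || !prompt.contains("none");
        if (consentPageRequired) {
            if (oidcRequest) {
                // The consent page needs the finished response to forward once the user approves.
                sessionDataCacheEntry.setOidcResponse(locationUri);
            }
            SessionDataCache.getInstance().addToCache(new SessionDataCacheKey(sessionDataKey), sessionDataCacheEntry);
            return EndpointUtil.getUserConsentURL(oAuth2Parameters, loggedInUser, sessionDataKey, oidcRequest);
        }

        // prompt=none without "consent": only a stored approval (or the server-wide skip-consent switch)
        // lets the response through. The relying-party key differs by flow, as in the original code.
        String relyingParty = oidcRequest ? oAuth2Parameters.getApplicationName() : sessionDataCacheEntry.getOidcRP();
        boolean approved = true;
        if (!EndpointUtil.getOAuthServerConfiguration().getOpenIDConnectSkipeUserConsentConfig()) {
            approved = OpenIDConnectUserRPStore.getInstance().hasUserApproved(loggedInUser, relyingParty);
        }
        return approved ? locationUri : errorRedirect(oAuth2Parameters, "consent_required", null);
    }

    /**
     * Builds the redirect that carries the outcome of {@link #authorize(OAuth2Parameters, SessionDataCacheEntry)}
     * to the client callback: an authorization code or access token on success, an OAuth error otherwise.
     *
     * @param httpServletRequest the current request
     * @param oAuth2Parameters   the cached request parameters
     * @param authzResp          the service response, may be {@code null}
     * @return the built OAuth response (call {@code getLocationUri()} for the redirect target)
     * @throws OAuthSystemException if the response cannot be built
     */
    private OAuthResponse buildAuthorizationRedirect(HttpServletRequest httpServletRequest, OAuth2Parameters oAuth2Parameters,
                                                     OAuth2AuthorizeRespDTO authzResp) throws OAuthSystemException {
        if (authzResp == null) {
            // The original code dereferenced the null DTO on this path. A missing response is a failure of
            // the service itself, which RFC 6749 reports as "server_error".
            log.error("OAuth2Service returned no authorization response for client " + oAuth2Parameters.getClientId());
            return OAuthASResponse.errorResponse(302)
                    .error(OAuthProblemException.error("server_error", "Authorization service returned no response"))
                    .location(oAuth2Parameters.getRedirectURI())
                    .setState(oAuth2Parameters.getState())
                    .buildQueryMessage();
        }
        if (!authzResp.isAuthorized()) {
            return OAuthASResponse.errorResponse(302)
                    .error(OAuthProblemException.error(authzResp.getErrorCode(), authzResp.getErrorMsg()))
                    .location(oAuth2Parameters.getRedirectURI())
                    .setState(oAuth2Parameters.getState())
                    .buildQueryMessage();
        }
        OAuthASResponse.OAuthAuthorizationResponseBuilder builder = OAuthASResponse.authorizationResponse(httpServletRequest, 302);
        String responseType = oAuth2Parameters.getResponseType();
        if (ResponseType.CODE.toString().equals(responseType)) {
            builder.setCode(authzResp.getAuthorizationCode());
        } else if (ResponseType.TOKEN.toString().equals(responseType)) {
            builder.setAccessToken(authzResp.getAccessToken());
            builder.setExpiresIn(String.valueOf(IMPLICIT_TOKEN_EXPIRES_IN));
        }
        builder.setParam("state", oAuth2Parameters.getState());
        return builder.location(authzResp.getCallbackURI()).buildQueryMessage();
    }

    /**
     * Builds an OAuth error redirect to the validated callback, echoing the request's {@code state}.
     *
     * @param oAuth2Parameters the cached request parameters (source of redirect URI and state)
     * @param error            the OAuth error code
     * @param description      the {@code error_description}, or {@code null} to omit it
     * @return the redirect location
     * @throws OAuthSystemException if the response cannot be built
     */
    private String errorRedirect(OAuth2Parameters oAuth2Parameters, String error, String description)
            throws OAuthSystemException {
        if (description == null) {
            return OAuthASResponse.errorResponse(302).setError(error)
                    .location(oAuth2Parameters.getRedirectURI())
                    .setState(oAuth2Parameters.getState())
                    .buildQueryMessage().getLocationUri();
        }
        return OAuthASResponse.errorResponse(302).setError(error).setErrorDescription(description)
                .location(oAuth2Parameters.getRedirectURI())
                .setState(oAuth2Parameters.getState())
                .buildQueryMessage().getLocationUri();
    }

    /**
     * Runs the authorization through the OAuth2 service for the logged-in user.
     *
     * @param oAuth2Parameters      the cached request parameters
     * @param sessionDataCacheEntry the cached session entry (source of the logged-in user)
     * @return the service response; callers must tolerate {@code null}
     */
    private OAuth2AuthorizeRespDTO authorize(OAuth2Parameters oAuth2Parameters, SessionDataCacheEntry sessionDataCacheEntry) {
        OAuth2AuthorizeReqDTO reqDTO = new OAuth2AuthorizeReqDTO();
        reqDTO.setCallbackUrl(oAuth2Parameters.getRedirectURI());
        reqDTO.setConsumerKey(oAuth2Parameters.getClientId());
        reqDTO.setResponseType(oAuth2Parameters.getResponseType());
        reqDTO.setScopes(oAuth2Parameters.getScopes().toArray(new String[0]));
        reqDTO.setUsername(sessionDataCacheEntry.getOidcLoggedInUser());
        return EndpointUtil.getOAuth2Service().authorize(reqDTO);
    }

    /**
     * Redirects to the local error page when no session entry exists for the given key (typically an
     * expired or replayed session data key).
     *
     * @param httpServletRequest the current request
     * @param sessionDataKey     the key that was looked up, may be {@code null}
     * @return a 302 to the error page
     * @throws URISyntaxException if the error page URL is not a valid URI
     */
    private Response showSessionError(HttpServletRequest httpServletRequest, String sessionDataKey) throws URISyntaxException {
        log.debug("Session data not found in SessionDataCache for " + sessionDataKey);
        return Response.status(302).location(new URI(EndpointUtil.getErrorPageURL(httpServletRequest, null,
                "access_denied", "Session Timed Out"))).build();
    }
}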
