package org.apache.cxf.rs.security.oauth2.services;

import com.sun.xml.ws.encoding.xml.XMLCodec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedList;
import java.util.List;
import java.util.UUID;
import javax.servlet.http.HttpSession;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.jaxrs.utils.ExceptionUtils;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.OAuthAuthorizationData;
import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.common.UserSubject;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rs.security.oauth2.provider.ResourceOwnerNameProvider;
import org.apache.cxf.rs.security.oauth2.provider.SessionAuthenticityTokenProvider;
import org.apache.cxf.rs.security.oauth2.provider.SubjectCreator;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
import org.apache.cxf.security.SecurityContext;
import org.apache.velocity.servlet.VelocityServlet;

/* loaded from: input_file:org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.class */
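/**
 * Base class for OAuth2 grants that start with a redirect to the authorization
 * endpoint and finish with a resource-owner decision posted back to
 * {@code /decision} (authorization code and implicit grants).
 *
 * <p>The two-step flow is protected against cross-site request forgery by a
 * one-shot session authenticity token: {@link #createAuthorizationData} stores
 * a token in the session (or delegates to a {@link SessionAuthenticityTokenProvider})
 * and {@link #completeAuthorization} consumes and compares it before honouring
 * the decision.
 *
 * <p>Subclasses provide the grant-specific success and error responses via
 * {@link #createGrant} and {@link #createErrorResponse}.
 */
public abstract class RedirectionBasedGrantService extends AbstractOAuthService {
    private final String supportedResponseType;
    private final String supportedGrantType;
    // When true, a requested scope may be a prefix/partial match of a registered one.
    private boolean partialMatchScopeValidation;
    // When true and the client has exactly one registered redirect URI, it is used
    // if the request carries none.
    private boolean useRegisteredRedirectUriIfPossible = true;
    // Optional override of the HttpSession-based authenticity-token storage.
    private SessionAuthenticityTokenProvider sessionAuthenticityTokenProvider;
    private SubjectCreator subjectCreator;
    private ResourceOwnerNameProvider resourceOwnerNameProvider;

    /**
     * Creates the service for one response type / grant type pair.
     * Intended to be called by subclasses only.
     *
     * @param supportedResponseType the {@code response_type} value this endpoint accepts
     * @param supportedGrantType    the grant type used for client-capability and
     *                              pre-authorized-token lookups
     */
    public RedirectionBasedGrantService(String supportedResponseType, String supportedGrantType) {
        this.supportedResponseType = supportedResponseType;
        this.supportedGrantType = supportedGrantType;
    }

    /**
     * Handles the initial authorization request (step one of the flow).
     *
     * @return either a grant response (pre-authorized token found), an error
     *         response, or the {@link OAuthAuthorizationData} to render as a consent page
     */
    @GET
    @Produces({MediaType.APPLICATION_XHTML_XML, MediaType.TEXT_HTML,
               MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON})
    public Response authorize() {
        return startAuthorization(getQueryParameters());
    }

    /**
     * Handles the resource owner's decision delivered as query parameters.
     *
     * @return a grant or error response
     */
    @GET
    @Path("/decision")
    public Response authorizeDecision() {
        return completeAuthorization(getQueryParameters());
    }

    /**
     * Handles the resource owner's decision delivered as a form post.
     *
     * @param params the submitted form parameters
     * @return a grant or error response
     */
    @POST
    @Path("/decision")
    @Consumes({MediaType.APPLICATION_FORM_URLENCODED})
    public Response authorizeDecisionForm(MultivaluedMap<String, String> params) {
        return completeAuthorization(params);
    }

    /**
     * Validates the authorization request and either issues a grant directly
     * (when the data provider reports an existing pre-authorized token) or
     * builds the consent-page data.
     *
     * @param params the request parameters
     * @return the response described in {@link #authorize()}
     * @throws javax.ws.rs.WebApplicationException if the end user is not authenticated,
     *         the transport is not secure, or the client id / redirect URI is invalid
     */
    protected Response startAuthorization(MultivaluedMap<String, String> params) {
        // Authentication and transport checks come first: nothing below should run
        // for an anonymous caller.
        SecurityContext securityContext = getAndValidateSecurityContext();
        Client client = getClient(params);
        String redirectUri = validateRedirectUri(client, params.getFirst(OAuthConstants.REDIRECT_URI));

        if (!OAuthUtils.isGrantSupportedForClient(client, canSupportPublicClient(client), supportedGrantType)) {
            return createErrorResponse(params, redirectUri, OAuthConstants.UNAUTHORIZED_CLIENT);
        }
        String responseType = params.getFirst(OAuthConstants.RESPONSE_TYPE);
        if (responseType == null || !responseType.equals(supportedResponseType)) {
            return createErrorResponse(params, redirectUri, OAuthConstants.UNSUPPORTED_RESPONSE_TYPE);
        }

        // Scope resolution, pre-authorized-token lookup and permission conversion all
        // signal a bad scope by throwing OAuthServiceException; a single handler maps
        // every one of them to invalid_scope.
        try {
            List<String> requestedScopes = OAuthUtils.getRequestedScopes(
                client, params.getFirst(OAuthConstants.SCOPE), partialMatchScopeValidation);
            UserSubject userSubject = createUserSubject(securityContext);

            ServerAccessToken preAuthorizedToken = getDataProvider().getPreauthorizedToken(
                client, requestedScopes, userSubject, supportedGrantType);
            if (preAuthorizedToken != null) {
                // An earlier consent already covers these scopes: skip the consent page.
                return createGrant(params, client, redirectUri, requestedScopes,
                                   Collections.emptyList(), userSubject, preAuthorizedToken);
            }

            List<OAuthPermission> permissions = getDataProvider().convertScopeToPermissions(client, requestedScopes);
            OAuthAuthorizationData data = createAuthorizationData(client, params, redirectUri, permissions);
            personalizeData(data, userSubject);
            return Response.ok(data).build();
        } catch (OAuthServiceException ex) {
            return createErrorResponse(params, redirectUri, OAuthConstants.INVALID_SCOPE);
        }
    }

    /**
     * Builds the model rendered by the consent page and plants the session
     * authenticity token that {@link #completeAuthorization} later verifies.
     *
     * @param client      the requesting client
     * @param params      the request parameters ({@code state} and audience are echoed back)
     * @param redirectUri the validated redirect URI, possibly {@code null}
     * @param permissions the permissions the user is asked to approve
     * @return the populated authorization data
     */
    protected OAuthAuthorizationData createAuthorizationData(Client client,
                                                             MultivaluedMap<String, String> params,
                                                             String redirectUri,
                                                             List<OAuthPermission> permissions) {
        OAuthAuthorizationData data = new OAuthAuthorizationData();
        addAuthenticityTokenToSession(data);

        data.setPermissions(permissions);
        data.setProposedScope(OAuthUtils.convertPermissionsToScope(permissions));
        data.setClientId(client.getClientId());
        if (redirectUri != null) {
            data.setRedirectUri(redirectUri);
        }
        data.setState(params.getFirst(OAuthConstants.STATE));
        data.setApplicationName(client.getApplicationName());
        data.setApplicationWebUri(client.getApplicationWebUri());
        data.setApplicationDescription(client.getApplicationDescription());
        data.setApplicationLogoUri(client.getApplicationLogoUri());
        data.setAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE));
        data.setExtraApplicationProperties(client.getProperties());

        // The consent form posts back to <this endpoint>/decision.
        String replyTo = getMessageContext().getUriInfo()
            .getAbsolutePathBuilder().path("decision").build().toString();
        data.setReplyTo(replyTo);
        return data;
    }

    /**
     * Adds the resource owner's display name to the consent data when a
     * {@link ResourceOwnerNameProvider} is configured.
     *
     * @param data        the consent-page model to enrich
     * @param userSubject the authenticated resource owner
     */
    protected void personalizeData(OAuthAuthorizationData data, UserSubject userSubject) {
        if (resourceOwnerNameProvider != null) {
            data.setEndUserName(resourceOwnerNameProvider.getName(userSubject));
        }
    }

    /**
     * Processes the resource owner's decision (step two of the flow).
     *
     * <p>The session authenticity token is checked before anything else is
     * trusted from the request, so a forged decision is rejected with 400.
     *
     * @param params the decision parameters: {@code session_authenticity_token},
     *               {@code oauthDecision}, {@code scope} and one {@code <scope>_status}
     *               entry per requested scope
     * @return a grant response when the user allowed the request and the scopes
     *         are valid for the client, otherwise an error response
     * @throws javax.ws.rs.WebApplicationException if the end user is not authenticated,
     *         the authenticity token does not match, or the client / redirect URI is invalid
     */
    protected Response completeAuthorization(MultivaluedMap<String, String> params) {
        SecurityContext securityContext = getAndValidateSecurityContext();

        if (!compareRequestAndSessionTokens(params.getFirst(OAuthConstants.SESSION_AUTHENTICITY_TOKEN))) {
            throw ExceptionUtils.toBadRequestException(null, null);
        }

        Client client = getClient(params);
        String redirectUri = validateRedirectUri(client, params.getFirst(OAuthConstants.REDIRECT_URI));

        String decision = params.getFirst(OAuthConstants.AUTHORIZATION_DECISION_KEY);
        if (!OAuthConstants.AUTHORIZATION_DECISION_ALLOW.equals(decision)) {
            return createErrorResponse(params, redirectUri, OAuthConstants.ACCESS_DENIED);
        }

        // The user may approve only a subset of the requested scopes; each approved
        // scope is flagged by a "<scope>_status=allow" parameter.
        List<String> requestedScopes = OAuthUtils.parseScope(params.getFirst(OAuthConstants.SCOPE));
        List<String> approvedScopes = new ArrayList<>(requestedScopes.size());
        for (String scope : requestedScopes) {
            String status = params.getFirst(scope + "_status");
            if (OAuthConstants.AUTHORIZATION_DECISION_ALLOW.equals(status)) {
                approvedScopes.add(scope);
            }
        }

        boolean scopesValid = requestedScopes.containsAll(approvedScopes)
            && OAuthUtils.validateScopes(requestedScopes, client.getRegisteredScopes(), partialMatchScopeValidation);
        if (!scopesValid) {
            return createErrorResponse(params, redirectUri, OAuthConstants.INVALID_SCOPE);
        }
        return createGrant(params, client, redirectUri, requestedScopes, approvedScopes,
                           createUserSubject(securityContext), null);
    }

    /**
     * Overrides the default {@link HttpSession}-based authenticity-token storage.
     *
     * @param sessionAuthenticityTokenProvider the provider, or {@code null} to use the session
     */
    public void setSessionAuthenticityTokenProvider(SessionAuthenticityTokenProvider sessionAuthenticityTokenProvider) {
        this.sessionAuthenticityTokenProvider = sessionAuthenticityTokenProvider;
    }

    /**
     * Sets an optional strategy for deriving the {@link UserSubject} from the message context.
     *
     * @param subjectCreator the creator, or {@code null}
     */
    public void setSubjectCreator(SubjectCreator subjectCreator) {
        this.subjectCreator = subjectCreator;
    }

    /**
     * Resolves the resource owner, trying in order: the configured
     * {@link SubjectCreator}, a {@link UserSubject} already present in the
     * message context, and finally the CXF {@link SecurityContext}.
     *
     * @param securityContext the validated security context of the current request
     * @return the resource owner; never {@code null} if {@link OAuthUtils#createSubject} does not return null
     */
    protected UserSubject createUserSubject(SecurityContext securityContext) {
        if (subjectCreator != null) {
            UserSubject created = subjectCreator.createUserSubject(getMessageContext());
            if (created != null) {
                return created;
            }
        }
        UserSubject fromContext = getMessageContext().getContent(UserSubject.class);
        if (fromContext != null) {
            return fromContext;
        }
        return OAuthUtils.createSubject(securityContext);
    }

    /**
     * Builds the grant-specific error response.
     *
     * @param params      the request parameters
     * @param redirectUri the validated redirect URI, possibly {@code null}
     * @param error       one of the {@link OAuthConstants} error codes
     * @return the error response
     */
    protected abstract Response createErrorResponse(MultivaluedMap<String, String> params,
                                                    String redirectUri,
                                                    String error);

    /**
     * Builds the grant-specific success response.
     *
     * @param params             the request parameters
     * @param client             the requesting client
     * @param redirectUri        the validated redirect URI, possibly {@code null}
     * @param requestedScope     the scopes that were requested
     * @param approvedScope      the scopes the user approved (empty when a pre-authorized token is used)
     * @param userSubject        the resource owner
     * @param preAuthorizedToken an existing token covering the request, or {@code null}
     * @return the grant response
     */
    protected abstract Response createGrant(MultivaluedMap<String, String> params,
                                            Client client,
                                            String redirectUri,
                                            List<String> requestedScope,
                                            List<String> approvedScope,
                                            UserSubject userSubject,
                                            ServerAccessToken preAuthorizedToken);

    /**
     * Returns the authenticated security context of the current request.
     *
     * @return the context
     * @throws javax.ws.rs.WebApplicationException 401 when there is no authenticated
     *         principal; whatever {@link #checkTransportSecurity()} throws otherwise
     */
    private SecurityContext getAndValidateSecurityContext() {
        SecurityContext securityContext = (SecurityContext) getMessageContext().get(SecurityContext.class.getName());
        if (securityContext == null || securityContext.getUserPrincipal() == null) {
            throw ExceptionUtils.toNotAuthorizedException(null, null);
        }
        checkTransportSecurity();
        return securityContext;
    }

    /**
     * Validates the requested redirect URI against the client's registered URIs.
     *
     * <p>Matching is exact (no prefix or pattern matching), which is what prevents
     * an attacker-controlled URI from receiving the grant. A supplied URI that is
     * not registered yields {@code null}; a missing URI is replaced by the single
     * registered one when {@link #setUseRegisteredRedirectUriIfPossible} allows it.
     *
     * @param client      the requesting client
     * @param redirectUri the URI from the request, possibly {@code null}
     * @return the URI to redirect to, or {@code null} when none could be established
     * @throws javax.ws.rs.WebApplicationException when no URI could be established,
     *         the client has no registered URIs and {@link #canRedirectUriBeEmpty} is false
     */
    protected String validateRedirectUri(Client client, String redirectUri) {
        List<String> registeredUris = client.getRedirectUris();
        String resolvedUri = redirectUri;
        if (resolvedUri != null) {
            if (!registeredUris.contains(resolvedUri)) {
                resolvedUri = null;
            }
        } else if (registeredUris.size() == 1 && useRegisteredRedirectUriIfPossible) {
            resolvedUri = registeredUris.get(0);
        }
        if (resolvedUri == null && registeredUris.isEmpty() && !canRedirectUriBeEmpty(client)) {
            reportInvalidRequestError("Client Redirect Uri is invalid");
        }
        return resolvedUri;
    }

    /**
     * Generates a fresh authenticity token, stores it server-side (session or
     * provider) and copies it into the consent data so the form can echo it back.
     *
     * @param data the consent-page model receiving the token
     */
    private void addAuthenticityTokenToSession(OAuthAuthorizationData data) {
        String token;
        if (sessionAuthenticityTokenProvider != null) {
            token = sessionAuthenticityTokenProvider.createSessionToken(getMessageContext());
        } else {
            HttpSession session = getMessageContext().getHttpServletRequest().getSession();
            token = UUID.randomUUID().toString();
            session.setAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN, token);
        }
        data.setAuthenticityToken(token);
    }

    /**
     * Consumes the stored authenticity token and compares it with the one sent
     * in the decision request.
     *
     * <p>The stored token is removed whether or not the comparison succeeds, so
     * each consent page can be submitted at most once. A missing request token
     * is treated as a mismatch rather than an error, and the comparison is done
     * in constant time so the token cannot be recovered byte by byte through
     * timing differences.
     *
     * @param requestToken the token from the request, possibly {@code null}
     * @return {@code true} only when both tokens are present and identical
     */
    private boolean compareRequestAndSessionTokens(String requestToken) {
        String sessionToken;
        if (sessionAuthenticityTokenProvider != null) {
            sessionToken = sessionAuthenticityTokenProvider.removeSessionToken(getMessageContext());
        } else {
            HttpSession session = getMessageContext().getHttpServletRequest().getSession();
            sessionToken = (String) session.getAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN);
            if (sessionToken != null) {
                session.removeAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN);
            }
        }
        if (StringUtils.isEmpty(sessionToken) || requestToken == null) {
            return false;
        }
        return MessageDigest.isEqual(requestToken.getBytes(StandardCharsets.UTF_8),
                                     sessionToken.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Looks up the client identified by the request, converting lookup failures
     * into an invalid-request error.
     *
     * @param params the request parameters
     * @return the client; callers may assume non-null as long as
     *         {@link #reportInvalidRequestError} throws, which it is expected to do
     */
    protected Client getClient(MultivaluedMap<String, String> params) {
        Client client = null;
        try {
            client = getValidClient(params);
        } catch (OAuthServiceException ex) {
            if (ex.getError() != null) {
                reportInvalidRequestError(ex.getError(), (MediaType) null);
            }
        }
        if (client == null) {
            reportInvalidRequestError("Client ID is invalid", (MediaType) null);
        }
        return client;
    }

    /**
     * Sets the provider used to show the resource owner's name on the consent page.
     *
     * @param resourceOwnerNameProvider the provider, or {@code null}
     */
    public void setResourceOwnerNameProvider(ResourceOwnerNameProvider resourceOwnerNameProvider) {
        this.resourceOwnerNameProvider = resourceOwnerNameProvider;
    }

    /**
     * Enables partial matching of requested scopes against registered ones.
     *
     * @param partialMatchScopeValidation {@code true} to allow partial matches
     */
    public void setPartialMatchScopeValidation(boolean partialMatchScopeValidation) {
        this.partialMatchScopeValidation = partialMatchScopeValidation;
    }

    /**
     * Controls whether a request without {@code redirect_uri} falls back to the
     * client's single registered URI.
     *
     * @param useRegisteredRedirectUriIfPossible {@code true} to enable the fallback
     */
    public void setUseRegisteredRedirectUriIfPossible(boolean useRegisteredRedirectUriIfPossible) {
        this.useRegisteredRedirectUriIfPossible = useRegisteredRedirectUriIfPossible;
    }

    /**
     * Whether this grant may be used by a public (non-confidential) client.
     *
     * @param client the requesting client
     * @return {@code true} if public clients are acceptable
     */
    protected abstract boolean canSupportPublicClient(Client client);

    /**
     * Whether a request may proceed with no redirect URI at all.
     *
     * @param client the requesting client
     * @return {@code true} if an empty redirect URI is acceptable
     */
    protected abstract boolean canRedirectUriBeEmpty(Client client);
}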
