package codes.vps.mockta.ws.okta;

import codes.vps.mockta.db.AppsDB;
import codes.vps.mockta.db.IDPDB;
import codes.vps.mockta.db.KeysDB;
import codes.vps.mockta.db.OktaApp;
import codes.vps.mockta.db.OktaSession;
import codes.vps.mockta.db.OktaUser;
import codes.vps.mockta.db.SessionDB;
import codes.vps.mockta.db.UserDB;
import codes.vps.mockta.obj.model.AuthInfo;
import codes.vps.mockta.obj.okta.ErrorObject;
import codes.vps.mockta.obj.okta.OpenIDMetaData;
import codes.vps.mockta.util.C;
import codes.vps.mockta.util.Util;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.net.URI;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import org.apache.naming.ResourceRef;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.NumericDate;
import org.springframework.hateoas.mediatype.html.HtmlInputType;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.util.DefaultUriBuilderFactory;

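@RequestMapping(path = {"/oauth2/v1/authorize", "/oauth2/{authServer}/v1/authorize"})
@Controller
/**
 * Mock of Okta's OIDC authorization endpoint.
 *
 * <p>Only the session-token flow is implemented: the caller presents a session token, the
 * registered application and redirect URI are checked, and an RS256-signed {@code id_token}
 * is handed back to the {@code postMessage} view together with the target origin. Every
 * failure is reported through the same view via {@link AuthInfo#onError}.
 *
 * <p>This listing was recovered from compiled classes; the unnamed {@code @RequestParam}
 * parameters ({@code str5}, {@code str7}, {@code str8}) are bound by Java parameter name, and
 * the names shown here are the decompiler's, not the originals.
 */
public class AuthorizationController {

    /**
     * Signals a request shape this mock does not implement (any {@code response_mode} other
     * than {@code OKTA_POST_MESSAGE}); Spring maps it to HTTP 500.
     */
    @ResponseStatus(HttpStatus.INTERNAL_SERVER_ERROR)
    static class ChokeException extends RuntimeException {
        ChokeException() {
        }
    }

    /** Accepted values of the optional {@code prompt} parameter; bound but not acted on here. */
    enum Prompt {
        NONE
    }

    /** Accepted values of the optional {@code response_mode} parameter. */
    enum ResponseMode {
        OKTA_POST_MESSAGE,
        FRAGMENT
    }

    /**
     * Handles {@code GET /oauth2[/{authServer}]/v1/authorize}.
     *
     * @param httpServletRequest  current request; used to derive the issuer URL
     * @param httpServletResponse current response; receives the session cookie and the
     *                            {@code x-mockta-auth-error} debug header
     * @param str                 the {@code authServer} path variable, absent on the default path
     * @param str2                {@code client_id}: the registered application id
     * @param prompt              optional {@code prompt}; not used by this mock
     * @param str3                {@code redirect_uri}: must begin with one of the app's registered URIs
     * @param str4                {@code response_type}; only {@code id_token} is supported
     * @param responseMode        {@code response_mode}; defaults to {@link ResponseMode#FRAGMENT},
     *                            which is then rejected — only {@code OKTA_POST_MESSAGE} works
     * @param str5                required unnamed request parameter (presumably {@code scope};
     *                            not used in this method)
     * @param str6                optional session token; without it the request fails with
     *                            {@code no-session-token}
     * @param str7                required unnamed request parameter echoed back to the client
     *                            through {@link AuthInfo} (presumably {@code state})
     * @param str8                required unnamed request parameter placed in the {@code nonce} claim
     * @param model               Spring model backing the {@code postMessage} view
     * @return the {@code postMessage} view with an {@code auth} attribute holding the result
     * @throws ChokeException if {@code response_mode} is anything but {@code OKTA_POST_MESSAGE}
     * @throws Exception      on a malformed {@code redirect_uri} or a signing failure
     */
    @GetMapping
    public ModelAndView authorize(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, @PathVariable(required = false) String str, @RequestParam(name = "client_id") String str2, @RequestParam(required = false) Prompt prompt, @RequestParam(name = "redirect_uri") String str3, @RequestParam(name = "response_type") String str4, @RequestParam(name = "response_mode", required = false) ResponseMode responseMode, @RequestParam String str5, @RequestParam(required = false) String str6, @RequestParam String str7, @RequestParam String str8, Model model) throws Exception {
        if (responseMode == null) {
            responseMode = ResponseMode.FRAGMENT;
        }
        // Only the post-message flow exists; because the default is FRAGMENT, an omitted
        // response_mode always ends up here.
        if (responseMode != ResponseMode.OKTA_POST_MESSAGE) {
            throw new ChokeException();
        }

        // scheme://host:port of the redirect target. It is reported to the view for both the
        // success and the error reply, so it is computed before any validation.
        URI redirectUri = new URI(str3);
        String targetOrigin = new DefaultUriBuilderFactory().builder()
                .scheme(redirectUri.getScheme())
                .host(redirectUri.getHost())
                .port(redirectUri.getPort())
                .build()
                .toString();

        AuthInfo authInfo = null;
        String errorCode;
        String errorSummary;
        if (str6 == null) {
            errorCode = "no-session-token";
            errorSummary = "Only session token authorization is supported";
        } else {
            // try-with-resources closes the app handle on every exit, including when SessionDB or
            // UserDB throw; the decompiled form only closed it on the normal branches.
            try (OktaApp app = AppsDB.getApp(str2)) {
                // "Once": the token is consumed here even if a later check fails.
                OktaSession session = SessionDB.getByTokenOnce(str6);
                if (!isRegisteredRedirect(app, str3)) {
                    errorCode = "uri-not-matched";
                    errorSummary = "The URI of the authenticating website is not registered";
                } else {
                    OktaUser user = UserDB.getUser(session.getUserId());
                    if (app.getUsers().get(user.getId()) == null) {
                        errorCode = "user-not-associated";
                        errorSummary = "User not associated with the application";
                    } else if (Objects.equals(str4, "id_token")) {
                        String idToken = signIdToken(httpServletRequest, str, str2, user, session, str8);
                        authInfo = AuthInfo.onAuth(targetOrigin, str7, idToken);
                        session.setCookie(httpServletResponse);
                        errorCode = null;
                        errorSummary = null;
                    } else {
                        errorCode = "bad-response-type";
                        // Echoes the caller-supplied response_type; the view is expected to encode it.
                        errorSummary = String.format("I only know how to respond to response_type 'id_token', not %s", str4);
                    }
                }
            } catch (ErrorObject.MyException e) {
                // Lookup failures (unknown app, token, user) carry their own Okta-style error object.
                errorCode = e.getObject().getErrorCode();
                errorSummary = e.getObject().getErrorSummary();
            }
        }

        if (authInfo == null) {
            authInfo = AuthInfo.onError(targetOrigin, str7, errorCode, errorSummary);
        }
        // Out-of-band copy of the error code so test clients need not parse the view.
        httpServletResponse.addHeader("x-mockta-auth-error",
                (String) Util.makeNotNull(errorCode, () -> "<none>"));
        model.addAttribute("auth", authInfo);
        return new ModelAndView("postMessage", model.asMap());
    }

    /**
     * Reports whether {@code redirectUri} is covered by one of the application's registered
     * redirect URIs.
     *
     * <p>Matching is by string prefix, as in the original mock: a registered value matches
     * every request URI that begins with it. That is looser than a real authorization server,
     * which compares the complete redirect URI exactly (RFC 6749, OAuth 2.0 Security BCP);
     * a prefix test also accepts URIs on a different host whose text merely starts with the
     * registered value. Kept as-is so existing test setups with base-URL registrations keep
     * working; do not copy this check into production code.
     *
     * @param app         the application whose registered URIs are consulted
     * @param redirectUri the caller-supplied {@code redirect_uri}
     * @return {@code true} if some registered URI is a prefix of {@code redirectUri}
     */
    private static boolean isRegisteredRedirect(OktaApp app, String redirectUri) {
        for (String registered : app.getRedirectUris()) {
            if (redirectUri.startsWith(registered)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Builds and RS256-signs the {@code id_token} for an authenticated session.
     *
     * <p>Claims: {@code sub}, {@code email}, {@code ver}, {@code iss}, {@code aud},
     * {@code iat}, {@code exp} (one hour), {@code jti}, {@code amr}, {@code idp},
     * {@code nonce}, {@code email_verified} and {@code auth_time} (session creation time).
     * The {@code kid} header names the mock's signing key so clients can resolve it from the
     * JWKS endpoint.
     *
     * @param request    current request; used by {@link OpenIDMetaData} to derive the issuer
     * @param authServer the {@code authServer} path variable, or {@code null} on the default path
     * @param clientId   the {@code client_id}, used as the token audience
     * @param user       the authenticated user
     * @param session    the session the token was issued from
     * @param nonce      the caller-supplied nonce to bind into the token
     * @return the compact JWS serialization of the token
     * @throws Exception if the mock's key is not an RSA key or signing fails
     */
    private static String signIdToken(HttpServletRequest request, String authServer, String clientId,
            OktaUser user, OktaSession session, String nonce) throws Exception {
        OpenIDMetaData metaData = new OpenIDMetaData(request, authServer);

        JwtClaims claims = new JwtClaims();
        claims.setSubject(user.getId());
        claims.setClaim("email", user.getUserName());
        claims.setClaim("ver", 1);
        claims.setIssuer(metaData.getIssuer());
        claims.setAudience(clientId);
        claims.setIssuedAtToNow();
        NumericDate expiry = NumericDate.now();
        expiry.addSeconds(C.SEC_IN_HOUR);
        claims.setExpirationTime(expiry);
        claims.setGeneratedJwtId();
        claims.setStringListClaim("amr", "pwd");
        claims.setClaim("idp", IDPDB.getIdp().getId());
        claims.setClaim("nonce", nonce);
        claims.setClaim("email_verified", true);
        claims.setClaim("auth_time", session.getCreated().getTime());

        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(claims.toJson());
        JsonWebKey key = KeysDB.getKey();
        // The mock key store is assumed to hold an RSA key; a different key type fails here.
        jws.setKey(((RsaJsonWebKey) key).getRsaPrivateKey());
        jws.setKeyIdHeaderValue(key.getKeyId());
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
        return jws.getCompactSerialization();
    }
}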
