package com.predic8.membrane.core.interceptor.oauth2client.rf;

import com.bornium.security.oauth2openid.Constants;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.predic8.membrane.core.exceptions.ProblemDetails;
import com.predic8.membrane.core.exchange.Exchange;
import com.predic8.membrane.core.exchange.snapshots.AbstractExchangeSnapshot;
import com.predic8.membrane.core.http.Request;
import com.predic8.membrane.core.http.Response;
import com.predic8.membrane.core.interceptor.oauth2.OAuth2AnswerParameters;
import com.predic8.membrane.core.interceptor.oauth2.authorizationservice.AuthorizationService;
import com.predic8.membrane.core.interceptor.oauth2client.OriginalExchangeStore;
import com.predic8.membrane.core.interceptor.oauth2client.rf.token.AccessTokenRevalidator;
import com.predic8.membrane.core.interceptor.oauth2client.rf.token.TokenResponseHandler;
import com.predic8.membrane.core.interceptor.session.Session;
import com.predic8.membrane.core.util.URIFactory;
import com.predic8.membrane.core.util.URLParamUtil;
import java.math.BigInteger;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import org.codehaus.groovy.control.ResolveVisitor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.BeanFactory;

/* loaded from: input_file:WEB-INF/lib/service-proxy-core-5.3.5.jar:com/predic8/membrane/core/interceptor/oauth2client/rf/OAuth2CallbackRequestHandler.class */
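/**
 * Handles the browser's return from the authorization server (the OAuth2 callback request).
 * <p>
 * Processing order: the {@code state} parameter is checked against the CSRF token stored in
 * the session, the original (pre-login) exchange is reconstructed and removed from the store,
 * the authorization {@code code} is exchanged for tokens at the token endpoint, the
 * {@link SessionAuthorizer} establishes the session from the token response, and finally the
 * client is redirected back to the originally requested URI.
 * <p>
 * Not thread-safe during {@link #init}; after initialisation all mutable per-request state
 * lives in the {@link Exchange} and {@link Session} arguments.
 */
public class OAuth2CallbackRequestHandler {
    private static final Logger log = LoggerFactory.getLogger(OAuth2CallbackRequestHandler.class);
    // ObjectMapper is thread-safe once configured; one shared instance instead of one per request.
    private static final ObjectMapper MAPPER = new ObjectMapper();
    // SecureRandom is safe for concurrent use; shared instead of re-seeding a new one per redirect.
    private static final SecureRandom RANDOM = new SecureRandom();
    // Entropy of the key under which a non-GET original request is parked in the session.
    private static final int REDIRECT_KEY_BITS = 130;
    private static final String SESSION_KEY_STATE = "state";
    private static final String SESSION_KEY_DEFAULT_FLOW = "defaultFlow";
    private static final String SESSION_KEY_TRIGGER_FLOW = "triggerFlow";

    LogHelper logHelper = new LogHelper();
    private URIFactory uriFactory;
    private AuthorizationService auth;
    private OriginalExchangeStore originalExchangeStore;
    private AccessTokenRevalidator accessTokenRevalidator;
    private SessionAuthorizer sessionAuthorizer;
    private PublicUrlManager publicUrlManager;
    private TokenResponseHandler tokenResponseHandler;
    private String callbackPath;
    private boolean onlyRefreshToken;

    /**
     * Wires the collaborators this handler needs. Must be called once before {@link #handleRequest}.
     *
     * @param uRIFactory             used to parse the callback request's query parameters
     * @param authorizationService   provides the token endpoint and performs the token request
     * @param originalExchangeStore  store holding the exchange that triggered the login
     * @param accessTokenRevalidator receives newly issued access tokens as "valid"
     * @param sessionAuthorizer      verifies the JWT or fetches user info and fills the session
     * @param publicUrlManager       yields the public base URL used to build {@code redirect_uri}
     * @param str                    the callback path appended to the public URL for {@code redirect_uri}
     * @param z                      "only refresh token" mode: accept token responses without an access token
     * @throws RuntimeException if {@code z} is set but the session authorizer does not skip user info
     */
    public void init(URIFactory uRIFactory, AuthorizationService authorizationService, OriginalExchangeStore originalExchangeStore, AccessTokenRevalidator accessTokenRevalidator, SessionAuthorizer sessionAuthorizer, PublicUrlManager publicUrlManager, String str, boolean z) {
        // Validate the configuration before touching any field so a failed init leaves no half-wired handler.
        if (z && !sessionAuthorizer.isSkipUserInfo()) {
            throw new RuntimeException("If onlyRefreshToken is set, skipUserInfo also has to be set.");
        }
        this.uriFactory = uRIFactory;
        this.auth = authorizationService;
        this.originalExchangeStore = originalExchangeStore;
        this.accessTokenRevalidator = accessTokenRevalidator;
        this.sessionAuthorizer = sessionAuthorizer;
        this.publicUrlManager = publicUrlManager;
        this.callbackPath = str;
        this.onlyRefreshToken = z;
        this.tokenResponseHandler = new TokenResponseHandler();
        this.tokenResponseHandler.init(authorizationService);
    }

    /**
     * Processes the callback request and always sets a response on the exchange.
     *
     * @param exchange the callback exchange
     * @param session  the session that started the login (holds the CSRF token and flow names)
     * @return always {@code true}; the response is either the redirect to the original URI or a
     *         400 describing why the code could not be exchanged
     * @throws OAuth2Exception if the authorization server answered with an {@code error} parameter;
     *                         any other failure is converted to a 400 response instead of propagating
     */
    public boolean handleRequest(Exchange exchange, Session session) throws Exception {
        try {
            Map<String, String> params = URLParamUtil.getParams(this.uriFactory, exchange, URLParamUtil.DuplicateKeyOrInvalidFormStrategy.ERROR);
            String securityToken = StateManager.getSecurityTokenFromState(params.get(SESSION_KEY_STATE));
            // The state must carry the token bound to this session; otherwise this callback was not started here.
            if (!StateManager.csrfTokenMatches(session, securityToken)) {
                throw new RuntimeException("CSRF token mismatch.");
            }
            session.put(SESSION_KEY_STATE, securityToken);
            AbstractExchangeSnapshot original = this.originalExchangeStore.reconstruct(exchange, session, securityToken);
            // Single use: drop the stored exchange as soon as it has been reconstructed.
            this.originalExchangeStore.remove(exchange, session, securityToken);
            log.debug("CSRF token match.");

            Map<String, Object> tokenResponse = exchangeCodeForToken(resolveTokenEndpoint(session), this.publicUrlManager.getPublicURL(exchange), params);
            authorizeSession(exchange, session, tokenResponse);

            doRedirect(exchange, original, session);
            this.originalExchangeStore.postProcess(exchange);
            return true;
        } catch (OAuth2Exception e) {
            // Carries the ProblemDetails response for the caller; must not be downgraded to the generic 400 below.
            throw e;
        } catch (Exception e) {
            log.error("could not exchange code for token", e);
            // NOTE(review): the raw exception message is echoed to the client; keep messages free of internals.
            String message = e.getMessage() != null ? e.getMessage() : "could not exchange code for token";
            exchange.setResponse(Response.badRequest().body(message).build());
            this.originalExchangeStore.postProcess(exchange);
            return true;
        }
    }

    /**
     * Returns the token endpoint, with the session's {@code defaultFlow} name swapped for its
     * {@code triggerFlow} name when a default flow is recorded in the session.
     */
    private String resolveTokenEndpoint(Session session) {
        String endpoint = this.auth.getTokenEndpoint();
        Object defaultFlow = session.get(SESSION_KEY_DEFAULT_FLOW);
        if (defaultFlow == null) {
            return endpoint;
        }
        // Literal substitution: flow names are path segments, not regular expressions.
        return endpoint.replace((String) defaultFlow, (String) session.get(SESSION_KEY_TRIGGER_FLOW));
    }

    /**
     * Lets the token handler and session authorizer populate the session from the token response.
     * <p>
     * With an {@code access_token} present the token is registered as valid and either the JWT is
     * verified (skipUserInfo) or user info is retrieved. Without one, only the
     * onlyRefreshToken mode continues, verifying the {@code id_token} instead.
     *
     * @throws RuntimeException if the response lacks a usable access token and onlyRefreshToken is off,
     *                          or the access token / token type is present but null
     */
    private void authorizeSession(Exchange exchange, Session session, Map<String, Object> tokenResponse) throws Exception {
        OAuth2AnswerParameters answer = new OAuth2AnswerParameters();
        if (tokenResponse.containsKey("access_token")) {
            String accessToken = (String) tokenResponse.get("access_token");
            if (accessToken == null) {
                throw new RuntimeException("OAuth2 response with access_token set to null.");
            }
            this.accessTokenRevalidator.getValidTokens().put(accessToken, true);
            this.tokenResponseHandler.handleTokenResponse(session, null, tokenResponse, answer);
            if (this.sessionAuthorizer.isSkipUserInfo()) {
                this.sessionAuthorizer.verifyJWT(exchange, accessToken, answer, session);
            } else {
                Object tokenType = tokenResponse.get(Constants.PARAMETER_TOKEN_TYPE);
                if (tokenType == null) {
                    throw new RuntimeException("OAuth2 response without " + Constants.PARAMETER_TOKEN_TYPE + ".");
                }
                this.sessionAuthorizer.retrieveUserInfo(tokenType.toString(), accessToken, answer, session);
            }
            return;
        }
        if (!this.onlyRefreshToken) {
            throw new RuntimeException("No access_token received.");
        }
        // NOTE(review): id_token may be absent here; whether verifyJWT tolerates null is not visible in this file.
        String idToken = (String) tokenResponse.get("id_token");
        this.tokenResponseHandler.handleTokenResponse(session, null, tokenResponse, answer);
        this.sessionAuthorizer.verifyJWT(exchange, idToken, answer, session);
    }

    /**
     * Exchanges the authorization code from the callback parameters for tokens.
     *
     * @param str  token endpoint URL
     * @param str2 public base URL; {@code redirect_uri} is this value plus the callback path
     * @param map  callback query parameters
     * @return the parsed JSON token response
     * @throws OAuth2Exception  if the callback carries an {@code error} parameter instead of a code
     * @throws RuntimeException if there is neither code nor error, the server does not answer 200,
     *                          or the response is not JSON
     */
    private Map<String, Object> exchangeCodeForToken(String str, String str2, Map<String, String> map) throws Exception {
        String code = map.get("code");
        if (code == null) {
            String error = map.get(Constants.PARAMETER_ERROR);
            if (error == null) {
                throw new RuntimeException("No code received.");
            }
            throw authorizationServerError(error, map.get("error_description"));
        }
        // code and the public URL originate from the inbound request: form-encode them so a crafted
        // value cannot smuggle extra parameters into the token request body.
        String body = "code=" + URLEncoder.encode(code, StandardCharsets.UTF_8.name())
                + "&redirect_uri=" + URLEncoder.encode(str2 + this.callbackPath, StandardCharsets.UTF_8.name())
                + "&grant_type=authorization_code";
        Request.Builder request = new Request.Builder()
                .post(str)
                .contentType("application/x-www-form-urlencoded")
                .header("Accept", "application/json")
                .header("User-Agent", com.predic8.membrane.core.Constants.USERAGENT);
        Exchange tokenExchange = this.auth.applyAuth(request, body).buildExchange();
        this.logHelper.handleRequest(tokenExchange);
        Response response = this.auth.doRequest(tokenExchange);
        this.logHelper.handleResponse(tokenExchange);
        if (response.getStatusCode() != 200) {
            // Consume the body before failing, as the original did (presumably to release the connection — confirm).
            response.getBody().read();
            throw new RuntimeException("Authorization server returned " + response.getStatusCode() + ".");
        }
        if (!JsonUtils.isJson(response)) {
            throw new RuntimeException("Token response is no JSON.");
        }
        return MAPPER.readValue(response.getBodyAsStreamDecoded(), new TypeReference<Map<String, Object>>() {
        });
    }

    /**
     * Builds the exception for an {@code error} reported by the authorization server and logs it.
     * Both values come from the callback query string, so CR/LF are stripped before logging to
     * prevent forged log lines.
     *
     * @param error       the {@code error} parameter (never null)
     * @param description the {@code error_description} parameter, may be null
     */
    private static OAuth2Exception authorizationServerError(String error, String description) {
        Map<String, Object> details = new HashMap<>();
        details.put(Constants.PARAMETER_ERROR, error);
        if (description != null) {
            details.put("error_description", description);
        }
        String logged = "Error from Authorization Server: error=" + error.replaceAll("[\r\n]", " ")
                + (description != null ? " error_description=" + description.replaceAll("[\r\n]", " ") : "");
        log.info(logged);
        return new OAuth2Exception(error, description, ProblemDetails.createProblemDetails(500, "/oauth2-error-from-authentication-server", "OAuth2 Error from Authentication Server", details));
    }

    /**
     * Redirects the client back to the original request.
     * <p>
     * A GET is simply redirected to its original URI. Any other method cannot be replayed by a
     * redirect, so the snapshot is serialised into the session under a random key and the key is
     * passed along as the {@code oa2redirect} query parameter.
     *
     * @throws JsonProcessingException if the snapshot cannot be serialised
     */
    private static void doRedirect(Exchange exchange, AbstractExchangeSnapshot snapshot, Session session) throws JsonProcessingException {
        if ("GET".equals(snapshot.getRequest().getMethod())) {
            exchange.setResponse(Response.redirect(snapshot.getOriginalRequestUri(), false).build());
            return;
        }
        String originalUri = snapshot.getOriginalRequestUri();
        String redirectKey = new BigInteger(REDIRECT_KEY_BITS, RANDOM).toString(32);
        session.put(OAuthUtils.oa2redictKeyNameInSession(redirectKey), MAPPER.writeValueAsString(snapshot));
        // Append to an existing query string or start one.
        String separator = originalUri.contains("?") ? "&" : "?";
        exchange.setResponse(Response.redirect(originalUri + separator + "oa2redirect=" + redirectKey, false).build());
    }
}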
