package org.apereo.cas.support.oauth.web.endpoints;

import java.util.List;
import java.util.Locale;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.audit.AuditableContext;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.AuthenticationCredentialsThreadLocalBinder;
import org.apereo.cas.authentication.PreventedException;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.services.RegisteredServiceAccessStrategyUtils;
import org.apereo.cas.support.oauth.OAuth20GrantTypes;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.support.oauth.util.OAuth20Utils;
import org.apereo.cas.support.oauth.web.endpoints.OAuth20ConfigurationContext;
import org.apereo.cas.support.oauth.web.response.OAuth20AuthorizationRequest;
import org.apereo.cas.support.oauth.web.response.accesstoken.ext.AccessTokenRequestContext;
import org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationResponseBuilder;
import org.apereo.cas.util.LoggingUtils;
import org.jooq.lambda.Unchecked;
import org.pac4j.core.context.JEEContext;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.profile.ProfileManager;
import org.pac4j.core.profile.UserProfile;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.OrderComparator;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.servlet.ModelAndView;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-oauth-core-api-6.5.3.jar:org/apereo/cas/support/oauth/web/endpoints/OAuth20AuthorizeEndpointController.class */
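/**
 * Spring MVC controller for the OAuth 2.0 authorization endpoint, mapped to
 * {@code /oauth2.0/authorize} for both GET and POST.
 *
 * <p>Request flow as implemented here: resolve the registered service from the
 * {@code client_id} parameter, check that access to it is allowed, optionally
 * render a consent view, and otherwise build the authorization response through
 * the configured, ordered {@link OAuth20AuthorizationResponseBuilder}s.
 *
 * <p>NOTE(review): this class reads {@code redirect_uri}, {@code code_challenge},
 * {@code code_challenge_method}, scopes and claims straight from the request and
 * does not itself compare them with the registered service. Presumably that
 * validation happens in an interceptor or in the response builders; confirm before
 * reusing any of these methods outside the normal request pipeline.
 *
 * @param <T> the configuration context type supplied to the base controller
 */
public class OAuth20AuthorizeEndpointController<T extends OAuth20ConfigurationContext> extends BaseOAuth20Controller<T> {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(OAuth20AuthorizeEndpointController.class);

    /**
     * Creates the controller.
     *
     * @param t the configuration context handed to the base controller
     */
    public OAuth20AuthorizeEndpointController(T t) {
        super(t);
    }

    /**
     * Asks one response builder to turn the current request into an authorization request.
     *
     * @param oAuthRegisteredService the registered service resolved for the client
     * @param jEEContext the web context of the current request
     * @param service the service built for the registered service
     * @param authentication the authentication built for the user profile
     * @param oAuth20AuthorizationResponseBuilder the builder being consulted
     * @return whatever the builder returns; callers in this class also guard against {@code null}
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static Optional<OAuth20AuthorizationRequest.OAuth20AuthorizationRequestBuilder> toAuthorizationRequest(OAuthRegisteredService oAuthRegisteredService, JEEContext jEEContext, Service service, Authentication authentication, OAuth20AuthorizationResponseBuilder oAuth20AuthorizationResponseBuilder) {
        return oAuth20AuthorizationResponseBuilder.toAuthorizationRequest(jEEContext, authentication, service, oAuthRegisteredService);
    }

    /**
     * Handles a GET on the authorization endpoint.
     *
     * @param httpServletRequest the incoming request
     * @param httpServletResponse the outgoing response
     * @return the error view, the consent view, or the result of
     *         {@link #redirectToCallbackRedirectUrl}, which may be {@code null}
     * @throws Exception propagated from the collaborators; in particular
     *         {@link #redirectToCallbackRedirectUrl} throws {@link IllegalArgumentException}
     *         when the profile manager holds no profile
     */
    @GetMapping(path = {"/oauth2.0/authorize"})
    public ModelAndView handleRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        ensureSessionReplicationIsAutoconfiguredIfNeedBe(httpServletRequest);
        JEEContext context = new JEEContext(httpServletRequest, httpServletResponse);
        ProfileManager manager = new ProfileManager(context, getConfigurationContext().getSessionStore());

        if (context.getRequestAttribute("error").isPresent()) {
            ModelAndView errorView = getConfigurationContext().getOauthInvalidAuthorizationResponseBuilder().build(context);
            if (!errorView.isEmpty() && errorView.hasView()) {
                return errorView;
            }
            // NOTE(review): when the "error" attribute is set but the builder yields no view,
            // processing continues below as if no error had been flagged. Confirm this is intended.
        }

        // A missing client_id becomes the empty string, so the lookup and the access check
        // below are what reject such a request.
        String clientId = OAuth20Utils.getRequestParameter(context, "client_id").map(String::valueOf).orElse("");
        OAuthRegisteredService registeredService = getRegisteredServiceByClientId(clientId);
        RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(clientId, registeredService);

        if (isRequestAuthenticated(manager, context, registeredService)) {
            ModelAndView consentView = getConfigurationContext().getConsentApprovalViewResolver().resolve(context, registeredService);
            if (!consentView.isEmpty() && consentView.hasView()) {
                LOGGER.debug("Redirecting to consent-approval view with model [{}]", consentView.getModel());
                return consentView;
            }
        }
        return redirectToCallbackRedirectUrl(manager, registeredService, context);
    }

    /**
     * Handles a POST on the authorization endpoint by delegating to {@link #handleRequest}.
     *
     * @param httpServletRequest the incoming request
     * @param httpServletResponse the outgoing response
     * @return the view produced by {@link #handleRequest}
     * @throws Exception propagated from {@link #handleRequest}
     */
    @PostMapping(path = {"/oauth2.0/authorize"})
    public ModelAndView handleRequestPost(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        return handleRequest(httpServletRequest, httpServletResponse);
    }

    /**
     * Tells whether the request carries an authenticated profile.
     *
     * <p>This implementation looks only at the profile manager; the other two
     * parameters are unused here and are available to overriding subclasses.
     *
     * @param profileManager the profile manager bound to the current request
     * @param webContext the web context (unused by this implementation)
     * @param oAuthRegisteredService the registered service (unused by this implementation)
     * @return {@code true} when the profile manager holds a profile
     */
    protected boolean isRequestAuthenticated(ProfileManager profileManager, WebContext webContext, OAuthRegisteredService oAuthRegisteredService) {
        return profileManager.getProfile().isPresent();
    }

    /**
     * Sets the path of the OAuth distributed-session cookie from the request's context path,
     * when session replication and cookie-path auto-configuration are both enabled and no
     * path has been configured yet.
     *
     * <p>The cookie generator is obtained from the configuration context and is mutated in
     * place, so the first request that reaches this branch fixes the path for later ones.
     *
     * @param httpServletRequest the incoming request, used only for its context path
     */
    protected void ensureSessionReplicationIsAutoconfiguredIfNeedBe(HttpServletRequest httpServletRequest) {
        CasConfigurationProperties casProperties = getConfigurationContext().getCasProperties();
        boolean replicateSessions = casProperties.getAuthn().getOauth().isReplicateSessions();
        boolean autoConfigureCookiePath = casProperties.getSessionReplication().getCookie().isAutoConfigureCookiePath();
        if (!replicateSessions || !autoConfigureCookiePath) {
            return;
        }

        String contextPath = httpServletRequest.getContextPath();
        String derivedPath = StringUtils.isNotBlank(contextPath) ? contextPath + "/" : "/";
        String configuredPath = getConfigurationContext().getOauthDistributedSessionCookieGenerator().getCookiePath();
        if (StringUtils.isBlank(configuredPath)) {
            LOGGER.debug("Setting path for cookies for OAuth distributed session cookie generator to: [{}]", derivedPath);
            getConfigurationContext().getOauthDistributedSessionCookieGenerator().setCookiePath(derivedPath);
        } else {
            LOGGER.trace("OAuth distributed cookie domain is [{}] with path [{}]", getConfigurationContext().getOauthDistributedSessionCookieGenerator().getCookieDomain(), configuredPath);
        }
    }

    /**
     * Looks up the registered OAuth service for a client id through the services manager.
     *
     * @param str the client id taken from the request
     * @return the value returned by the lookup helper for that client id
     */
    protected OAuthRegisteredService getRegisteredServiceByClientId(String str) {
        return OAuth20Utils.getRegisteredOAuthServiceByClientId(getConfigurationContext().getServicesManager(), str);
    }

    /**
     * Builds the service and authentication for the authenticated profile, enforces the
     * registered service access strategy, and produces the authorization response view.
     *
     * <p>Any exception raised after the authentication has been built is logged and mapped
     * to an unauthorized error view with status {@code FORBIDDEN}, so the caller cannot tell
     * an access-strategy denial from an internal failure.
     *
     * @param profileManager the profile manager bound to the current request
     * @param oAuthRegisteredService the registered service resolved for the client
     * @param jEEContext the web context of the current request
     * @return the authorization view, {@code null} when the built response has no view,
     *         or the forbidden error view on failure
     * @throws IllegalArgumentException when the profile manager holds no profile
     */
    /* JADX WARN: Type inference failed for: r0v19, types: [org.apereo.cas.audit.AuditableContext$AuditableContextBuilder] */
    protected ModelAndView redirectToCallbackRedirectUrl(ProfileManager profileManager, OAuthRegisteredService oAuthRegisteredService, JEEContext jEEContext) {
        UserProfile profile = profileManager.getProfile()
            .orElseThrow(() -> new IllegalArgumentException("Unable to locate authentication profile"));
        Service service = getConfigurationContext().getAuthenticationBuilder().buildService(oAuthRegisteredService, jEEContext, false);
        LOGGER.trace("Created service [{}] based on registered service [{}]", service, oAuthRegisteredService);
        Authentication authentication = getConfigurationContext().getAuthenticationBuilder().build(profile, oAuthRegisteredService, jEEContext, service);
        LOGGER.trace("Created OAuth authentication [{}] for service [{}]", authentication, service);
        try {
            // NOTE(review): the authentication is bound to the current thread and this method
            // never clears it; confirm that a filter or interceptor resets the binder before
            // the thread is reused for another request.
            AuthenticationCredentialsThreadLocalBinder.bindCurrent(authentication);
            getConfigurationContext().getRegisteredServiceAccessStrategyEnforcer().execute(AuditableContext.builder().service(service).authentication(authentication).registeredService(oAuthRegisteredService).build()).throwExceptionIfNeeded();
            return Optional.ofNullable(buildAuthorizationForRequest(oAuthRegisteredService, jEEContext, service, authentication))
                .filter(ModelAndView::hasView)
                .orElseGet(() -> {
                    LOGGER.trace("No explicit view was defined as part of the authorization response");
                    return null;
                });
        } catch (Exception e) {
            LoggingUtils.error(LOGGER, e);
            return OAuth20Utils.produceUnauthorizedErrorView(HttpStatus.FORBIDDEN);
        }
    }

    /**
     * Selects a response builder for the request and lets it build the authorization response.
     *
     * <p>The builders are consulted in {@link OrderComparator} order twice: first to obtain
     * an authorization request, then to find the first one that supports that request.
     *
     * @param oAuthRegisteredService the registered service resolved for the client
     * @param jEEContext the web context of the current request
     * @param service the service built for the registered service
     * @param authentication the authentication built for the user profile
     * @return the view from the selected builder, or an error view when a single sign-on
     *         session is required but no ticket-granting ticket is available, or when no
     *         builder supports the request
     * @throws IllegalArgumentException when no builder can produce an authorization request
     */
    protected ModelAndView buildAuthorizationForRequest(OAuthRegisteredService oAuthRegisteredService, JEEContext jEEContext, Service service, Authentication authentication) {
        List<OAuth20AuthorizationResponseBuilder> builders = getConfigurationContext().getOauthAuthorizationResponseBuilders().getObject();

        OAuth20AuthorizationRequest authorizationRequest = builders.stream()
            .sorted(OrderComparator.INSTANCE)
            .map(candidate -> toAuthorizationRequest(oAuthRegisteredService, jEEContext, service, authentication, candidate))
            .filter(Objects::nonNull)
            .filter(Optional::isPresent)
            .findFirst()
            .orElseThrow(() -> new IllegalArgumentException("Unable to build authorization request"))
            .get()
            .build();

        // Reuse the token request carried by the authorization request when there is one;
        // otherwise derive it from the request parameters.
        AccessTokenRequestContext tokenRequestContext = Optional.ofNullable(authorizationRequest.getAccessTokenRequest())
            .orElseGet(Unchecked.supplier(() ->
                prepareAccessTokenRequestContext(authorizationRequest, oAuthRegisteredService, jEEContext, service, authentication)));

        return builders.stream()
            .sorted(OrderComparator.INSTANCE)
            .filter(candidate -> candidate.supports(authorizationRequest))
            .findFirst()
            .map(Unchecked.function(selected -> {
                boolean ssoSatisfied = !authorizationRequest.isSingleSignOnSessionRequired()
                    || tokenRequestContext.getTicketGrantingTicket() != null;
                if (ssoSatisfied) {
                    return selected.build(tokenRequestContext);
                }
                // Refuse to issue a response when the request demands a single sign-on session
                // and none could be located.
                String message = String.format("Missing ticket-granting-ticket for client id [%s] and service [%s]", authorizationRequest.getClientId(), oAuthRegisteredService.getName());
                LOGGER.error(message);
                return OAuth20Utils.produceErrorView(new PreventedException(message));
            }))
            .orElseGet(() -> OAuth20Utils.produceErrorView(new PreventedException("Could not build the callback response")));
    }

    /**
     * Builds the access-token request context from the current request.
     *
     * <p>The ticket-granting ticket is fetched only when the authorization request requires
     * a single sign-on session. {@code redirect_uri}, {@code code_challenge} and
     * {@code code_challenge_method} default to the empty string when absent, and every
     * request parameter is additionally copied into the context's parameter map under its
     * own name.
     *
     * <p>NOTE(review): nothing in this method validates the request-supplied values
     * (redirect URI, PKCE challenge and method, scopes, claims); consumers of the returned
     * context must not treat them as already checked unless an earlier stage did so.
     *
     * @param oAuth20AuthorizationRequest the authorization request produced by a response builder
     * @param oAuthRegisteredService the registered service resolved for the client
     * @param jEEContext the web context of the current request
     * @param service the service built for the registered service
     * @param authentication the authentication built for the user profile
     * @return the populated access-token request context
     * @throws Exception propagated from the collaborators
     */
    /* JADX WARN: Type inference failed for: r0v32, types: [org.apereo.cas.support.oauth.web.response.accesstoken.ext.AccessTokenRequestContext$AccessTokenRequestContextBuilder] */
    protected AccessTokenRequestContext prepareAccessTokenRequestContext(OAuth20AuthorizationRequest oAuth20AuthorizationRequest, OAuthRegisteredService oAuthRegisteredService, JEEContext jEEContext, Service service, Authentication authentication) throws Exception {
        AccessTokenRequestContext.AccessTokenRequestContextBuilder<?, ?> builder = AccessTokenRequestContext.builder();
        if (oAuth20AuthorizationRequest.isSingleSignOnSessionRequired()) {
            builder = builder.ticketGrantingTicket(getConfigurationContext().fetchTicketGrantingTicketFrom(jEEContext));
        }

        String redirectUri = OAuth20Utils.getRequestParameter(jEEContext, "redirect_uri").map(String::valueOf).orElse("");

        // Used for the debug log line only; the context itself receives OAuth20Utils.getGrantType(...).
        // Locale.ROOT keeps the result stable under default locales with special casing rules
        // (for example Turkish dotted/dotless i).
        Optional<String> requestedGrantType = jEEContext.getRequestParameter("grant_type").map(String::valueOf);
        String grantTypeForLog = requestedGrantType.orElseGet(OAuth20GrantTypes.AUTHORIZATION_CODE::getType).toUpperCase(Locale.ROOT);

        Set<String> scopes = OAuth20Utils.parseRequestScopes(jEEContext);
        String codeChallenge = jEEContext.getRequestParameter("code_challenge").map(String::valueOf).orElse("");
        // The method name is compared later as an identifier, so it must not depend on the
        // JVM's default locale: "plain" upper-cases to a non-ASCII string under a Turkish locale.
        String codeChallengeMethod = jEEContext.getRequestParameter("code_challenge_method")
            .map(String::valueOf)
            .orElse("")
            .toUpperCase(Locale.ROOT);

        AccessTokenRequestContext context = builder.service(service).authentication(authentication).registeredService(oAuthRegisteredService).grantType(OAuth20Utils.getGrantType(jEEContext)).responseType(OAuth20Utils.getResponseType(jEEContext)).codeChallenge(codeChallenge).codeChallengeMethod(codeChallengeMethod).scopes(scopes).clientId(oAuth20AuthorizationRequest.getClientId()).redirectUri(redirectUri).userProfile(OAuth20Utils.getAuthenticatedUserProfile(jEEContext, getConfigurationContext().getSessionStore())).claims(OAuth20Utils.parseRequestClaims(jEEContext)).responseMode(OAuth20Utils.getResponseModeType(jEEContext)).build();

        // Copy each request parameter into the context as name -> value. The decompiled form
        // reused one identifier for both lambdas, which does not compile and would have stored
        // the name as its own value.
        jEEContext.getRequestParameters().keySet().forEach(parameterName ->
            jEEContext.getRequestParameter(parameterName)
                .ifPresent(parameterValue -> context.getParameters().put(parameterName, parameterValue)));

        LOGGER.debug("Building authorization response for grant type [{}] with scopes [{}] for client id [{}]", grantTypeForLog, scopes, oAuth20AuthorizationRequest.getClientId());
        return context;
    }
}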
