package org.xwiki.contrib.oidc.provider.internal.endpoint;

import com.nimbusds.jwt.JWT;
import com.nimbusds.oauth2.sdk.AuthorizationCode;
import com.nimbusds.oauth2.sdk.AuthorizationRequest;
import com.nimbusds.oauth2.sdk.AuthorizationSuccessResponse;
import com.nimbusds.oauth2.sdk.OAuth2Error;
import com.nimbusds.oauth2.sdk.Response;
import com.nimbusds.oauth2.sdk.ResponseMode;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.State;
import com.nimbusds.oauth2.sdk.token.AccessToken;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.openid.connect.sdk.AuthenticationErrorResponse;
import com.nimbusds.openid.connect.sdk.AuthenticationRequest;
import com.nimbusds.openid.connect.sdk.AuthenticationSuccessResponse;
import com.nimbusds.openid.connect.sdk.ClaimsRequest;
import com.nimbusds.openid.connect.sdk.OIDCError;
import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
import com.nimbusds.openid.connect.sdk.Prompt;
import com.xpn.xwiki.XWikiContext;
import com.xpn.xwiki.user.api.XWikiUser;
import java.util.HashMap;
import java.util.Map;
import javax.inject.Inject;
import javax.inject.Named;
import javax.inject.Provider;
import javax.inject.Singleton;
import javax.script.ScriptContext;
import org.slf4j.Logger;
import org.xwiki.component.annotation.Component;
import org.xwiki.contrib.oidc.provider.internal.OIDCManager;
import org.xwiki.contrib.oidc.provider.internal.OIDCResourceReference;
import org.xwiki.contrib.oidc.provider.internal.store.OIDCConsent;
import org.xwiki.contrib.oidc.provider.internal.store.OIDCStore;
import org.xwiki.csrf.CSRFToken;
import org.xwiki.script.ScriptContextManager;

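/**
 * The OAuth 2.0 / OpenID Connect authorization endpoint of the XWiki provider.
 * <p>
 * The endpoint first requires an authenticated XWiki user (showing the login form when there is none), then looks
 * up the stored consent for the requesting client and redirect URI (asking the user through the consent template
 * when there is none), and finally redirects back with either an authorization code (code flow) or the consent's
 * bearer access token plus, for OpenID Connect requests, an ID token (implicit flow).
 */
@Singleton
@Component
@Named(AuthorizationOIDCEndpoint.HINT)
public class AuthorizationOIDCEndpoint implements OIDCEndpoint {
    /** Component hint under which this endpoint is registered. */
    public static final String HINT = "authorization";

    /** Query parameter set when the user refused the consent form. */
    private static final String PARAM_CONSENT_REFUSE = "consent_refuse";

    /** Query parameter set when the user accepted the consent form. */
    private static final String PARAM_CONSENT_ACCEPT = "consent_accept";

    /** Query parameter carrying the XWiki CSRF token of the consent form. */
    private static final String PARAM_FORM_TOKEN = "form_token";

    @Inject
    private Provider<XWikiContext> xcontextProvider;

    @Inject
    private OIDCStore store;

    @Inject
    private OIDCManager manager;

    @Inject
    private CSRFToken csrf;

    @Inject
    private ScriptContextManager scripts;

    @Inject
    private Logger logger;

    /**
     * Handles one authorization request.
     *
     * @param hTTPRequest the raw HTTP request to parse as an OAuth 2.0 (or OpenID Connect) authorization request
     * @param oIDCResourceReference the resolved resource reference (not used by this endpoint)
     * @return the redirect response to send back to the client, or {@code null} when a page (login or consent form)
     *         has been rendered instead
     * @throws Exception when the request cannot be parsed or the consent cannot be stored or rendered
     */
    @Override
    public Response handle(HTTPRequest hTTPRequest, OIDCResourceReference oIDCResourceReference) throws Exception {
        AuthorizationRequest request = AuthorizationRequest.parse(hTTPRequest);
        // A request whose scope includes "openid" is an OpenID Connect authentication request: re-parse it as
        // such so prompt, nonce and claims become available. Scope is a set of values, so membership has to be
        // tested with contains(); comparing the whole set with a single value through equals() is never true,
        // which silently turned every request into a plain OAuth 2.0 one.
        if (request.getScope() != null && request.getScope().contains(OIDCScopeValue.OPENID)) {
            request = AuthenticationRequest.parse(hTTPRequest);
        }

        XWikiContext xcontext = this.xcontextProvider.get();

        // Step 1: the end user has to be authenticated in XWiki.
        XWikiUser user = xcontext.getWiki().checkAuth(xcontext);
        if (user == null) {
            if (prompt(request, Prompt.Type.NONE)) {
                // prompt=none forbids any user interaction, so report instead of showing the login form.
                // NOTE(review): redirect_uri has only been parsed at this point, not matched against a stored
                // consent; confirm that an error redirect to it is acceptable before that check.
                return new AuthenticationErrorResponse(request.getRedirectionURI(), OIDCError.INTERACTION_REQUIRED,
                    request.getState(), (ResponseMode) null);
            }
            xcontext.getWiki().getAuthService().showLogin(xcontext);
            return null;
        }
        if (prompt(request, Prompt.Type.LOGIN)) {
            // prompt=login: the client insists on a fresh authentication even though a session exists.
            xcontext.getWiki().getAuthService().showLogin(xcontext);
            return null;
        }
        xcontext.setUser(user.getUser());

        // Step 2: the user has to have consented to this client / redirect URI pair.
        ClientID clientID = request.getClientID();
        OIDCConsent consent = this.store.getConsent(clientID, request.getRedirectionURI());
        if (consent == null || prompt(request, Prompt.Type.CONSENT)) {
            if (prompt(request, Prompt.Type.NONE)) {
                return new AuthenticationErrorResponse(request.getRedirectionURI(), OIDCError.CONSENT_REQUIRED,
                    request.getState(), (ResponseMode) null);
            }
            ClaimsRequest claims = resolveClaims(request);
            Boolean decision = getConsent(hTTPRequest);
            if (decision == null) {
                return askConsent(request, hTTPRequest, claims);
            }
            if (!decision) {
                // NOTE(review): RFC 6749 describes a user refusal as "access_denied"; "unauthorized_client" is
                // kept here because existing clients may already rely on it.
                return new AuthenticationErrorResponse(request.getRedirectionURI(), OAuth2Error.UNAUTHORIZED_CLIENT,
                    request.getState(), (ResponseMode) null);
            }
            // NOTE(review): when prompt=consent is used with an existing consent, a second consent object is
            // created for the same pair; presumably getConsent() then returns the first match — confirm.
            consent = (OIDCConsent) this.store.getUserDocument().newXObject(OIDCConsent.REFERENCE, xcontext);
            consent.setClientID(clientID);
            consent.setRedirectURI(request.getRedirectionURI());
            consent.setClaims(claims);
            this.store.saveConsent(consent, "Add new OIDC consent");
        }

        // Step 3: issue the credential matching the requested flow.
        JWT idToken = null;
        AuthorizationCode code = null;
        AccessToken accessToken = null;
        if (request.getResponseType().impliesCodeFlow()) {
            code = new AuthorizationCode();
        } else if (request.getResponseType().impliesImplicitFlow()) {
            // The bearer token is created once and persisted on the consent; later implicit-flow authorizations
            // for the same consent return the same token.
            // NOTE(review): no expiry or rotation of that stored token is visible here — confirm it is handled
            // by the store or the token endpoint.
            if (consent.getAccessToken() == null) {
                consent.setAccessToken(new BearerAccessToken());
                this.store.saveConsent(consent, "Store new OIDC access token");
            }
            if (request instanceof AuthenticationRequest) {
                AuthenticationRequest oidcRequest = (AuthenticationRequest) request;
                idToken = this.manager.createdIdToken(clientID, consent.getUserReference(), oidcRequest.getNonce(),
                    oidcRequest.getClaims());
            }
        }
        if (!request.getResponseType().impliesCodeFlow()) {
            accessToken = consent.getAccessToken();
        }

        this.logger.debug("Remember authorization code [{}]", code);
        // NOTE(review): also called with a null code in the implicit flow — presumably the store treats that as
        // "no pending code" for this consent; confirm.
        this.store.setAuthorizationCode(code, consent.getDocumentReference());

        return createSuccessResponse(request, code, idToken, accessToken);
    }

    // Builds the redirect response; OpenID Connect responses carry the ID token slot, plain OAuth 2.0 ones do not.
    private Response createSuccessResponse(AuthorizationRequest request, AuthorizationCode code, JWT idToken,
        AccessToken accessToken) {
        if (request instanceof AuthenticationRequest) {
            return new AuthenticationSuccessResponse(request.getRedirectionURI(), code, idToken, accessToken,
                request.getState(), (State) null, (ResponseMode) null);
        }
        return new AuthorizationSuccessResponse(request.getRedirectionURI(), code, accessToken, request.getState(),
            (ResponseMode) null);
    }

    // Resolves the claims implied by response type and scope, merged with the explicit "claims" parameter;
    // null for a plain OAuth 2.0 request, which carries no claims.
    private ClaimsRequest resolveClaims(AuthorizationRequest request) {
        if (!(request instanceof AuthenticationRequest)) {
            return null;
        }
        AuthenticationRequest oidcRequest = (AuthenticationRequest) request;
        ClaimsRequest claims = ClaimsRequest.resolve(oidcRequest.getResponseType(), oidcRequest.getScope());
        claims.add(oidcRequest.getClaims());
        return claims;
    }

    // Whether the request is an OpenID Connect request whose "prompt" parameter contains the given value.
    private boolean prompt(AuthorizationRequest request, Prompt.Type type) {
        if (!(request instanceof AuthenticationRequest)) {
            return false;
        }
        Prompt promptParameter = ((AuthenticationRequest) request).getPrompt();
        return promptParameter != null && promptParameter.contains(type);
    }

    /**
     * Reads the user's decision from a consent form submission.
     *
     * @param httpRequest the request that may carry the consent form parameters
     * @return {@code false} when the form was refused, {@code true} when it was accepted with a valid CSRF token,
     *         {@code null} when no decision was submitted (or an accept arrived without a valid token, in which case
     *         the form is asked again instead of granting on a possibly forged request)
     */
    private Boolean getConsent(HTTPRequest httpRequest) {
        Map<String, ?> parameters = httpRequest.getQueryParameters();
        if (parameters.get(PARAM_CONSENT_REFUSE) != null) {
            return Boolean.FALSE;
        }
        if (parameters.get(PARAM_CONSENT_ACCEPT) != null) {
            // A refusal needs no token (it grants nothing); an accept only counts with a valid XWiki form token.
            return this.csrf.isTokenValid((String) parameters.get(PARAM_FORM_TOKEN)) ? Boolean.TRUE : null;
        }
        return null;
    }

    // Renders the consent template, exposing the parsed request, the raw HTTP request and the resolved claims.
    private Response askConsent(AuthorizationRequest request, HTTPRequest httpRequest, ClaimsRequest claims)
        throws Exception {
        Map<String, Object> attributes = new HashMap<>();
        attributes.put("request", request);
        attributes.put("httprequest", httpRequest);
        attributes.put("resolvedClaims", claims);
        this.scripts.getScriptContext().setAttribute("oidc", attributes, ScriptContext.ENGINE_SCOPE);
        return this.manager.executeTemplate("oidc/provider/consent.vm", request);
    }
}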
