package com.appiancorp.oauth.inbound.authserver.clients.pm;

import com.appiancorp.oauth.inbound.authserver.AuthCodeRequestClientHandler;
import com.appiancorp.oauth.inbound.authserver.AuthzServerUtils;
import com.appiancorp.oauth.inbound.authserver.DefaultGrantedAuthorization;
import com.appiancorp.oauth.inbound.authserver.GrantedAuthorization;
import com.appiancorp.oauth.inbound.authserver.clients.UserCheck;
import com.appiancorp.security.auth.SecurityContext;
import com.appiancorp.security.auth.SecurityContextProvider;
import com.google.common.base.Strings;
import com.nimbusds.oauth2.sdk.AuthorizationErrorResponse;
import com.nimbusds.oauth2.sdk.AuthorizationRequest;
import com.nimbusds.oauth2.sdk.ErrorObject;
import com.nimbusds.oauth2.sdk.OAuth2Error;
import com.nimbusds.oauth2.sdk.ResponseType;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.http.ServletUtils;
import com.nimbusds.oauth2.sdk.pkce.CodeChallengeMethod;
import java.io.IOException;
import java.net.URI;
import java.util.Iterator;
import java.util.Objects;
import java.util.Optional;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/appiancorp/oauth/inbound/authserver/clients/pm/PmFrontEndAuthCodeRequestClientHandler.class */
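/**
 * Handles OAuth 2.0 authorization-code requests for the Process Mining front-end client.
 *
 * <p>Validation order matters for security and is deliberate: the redirect URI is checked
 * against the client configuration before any error is delivered by redirect, so an
 * attacker-supplied URI can never receive an error response (let alone a code). Only
 * after the URI is known to be registered does the handler require
 * {@code response_type=code}, PKCE with the {@code S256} method and a {@code state}
 * parameter, and finally checks the currently authenticated user through {@link UserCheck}.
 */
public class PmFrontEndAuthCodeRequestClientHandler implements AuthCodeRequestClientHandler {
    private static final Logger LOG = LoggerFactory.getLogger(PmFrontEndAuthCodeRequestClientHandler.class);
    private final ProcessMiningFrontEndClientConfig clientConfig;
    private final UserCheck userCheck;
    private final SecurityContextProvider securityContextProvider;

    /**
     * @param processMiningFrontEndClientConfig configuration holding the client id and
     *        the registered redirect URIs this handler accepts
     * @param userCheck decides whether the authenticated user may obtain a grant
     * @param securityContextProvider source of the current user's name and uuid
     */
    public PmFrontEndAuthCodeRequestClientHandler(ProcessMiningFrontEndClientConfig processMiningFrontEndClientConfig, UserCheck userCheck, SecurityContextProvider securityContextProvider) {
        this.clientConfig = processMiningFrontEndClientConfig;
        this.userCheck = userCheck;
        this.securityContextProvider = securityContextProvider;
    }

    /**
     * Returns {@code true} only for the single client id this handler is configured for.
     *
     * <p>NOTE(review): the comparison is case-insensitive. RFC 6749 treats {@code client_id}
     * as an opaque string, so this is looser than a strict match; it is kept as-is for
     * backward compatibility with existing callers.
     */
    @Override
    public boolean supportsClient(String str) {
        String configuredClientId = this.clientConfig.getClientId();
        if (configuredClientId.equalsIgnoreCase(str)) {
            LOG.debug("Handler will process auth code request for client id {}", str);
            return true;
        }
        LOG.debug("Handler will ignore client id {} since it only supports client id {}.", str, configuredClientId);
        return false;
    }

    /**
     * Validates the authorization request and, if it passes every check, returns the
     * granted authorization for the current user.
     *
     * <p>On any failure an OAuth error response has already been written to
     * {@code httpServletResponse} and {@link Optional#empty()} is returned. Failures
     * detected before the redirect URI has been validated are answered directly, without
     * redirecting; all later failures are delivered to the (validated) redirect URI.
     *
     * @param authorizationRequest the parsed authorization request
     * @param httpServletResponse response the error (if any) is written to
     * @return the grant, or empty when an error response was sent
     * @throws IOException if writing the error response fails
     */
    @Override
    public Optional<GrantedAuthorization> authorize(AuthorizationRequest authorizationRequest, HttpServletResponse httpServletResponse) throws IOException {
        String clientId = this.clientConfig.getClientId();
        URI redirectionURI = authorizationRequest.getRedirectionURI();
        String uri = redirectionURI == null ? null : redirectionURI.toString();

        // Redirect URI must be present and registered for this client. These two failures
        // must NOT redirect: sending an error to an unvalidated URI would be an open redirect.
        if (uri == null || uri.isEmpty()) {
            AuthzServerUtils.sendAuthzRequestErrorWithoutRedirect(httpServletResponse, LOG, "Redirect uri for client {} is null or empty: {}.", clientId, redirectionURI);
            return Optional.empty();
        }
        if (!this.clientConfig.isRedirectUriValid(redirectionURI)) {
            AuthzServerUtils.sendAuthzRequestErrorWithoutRedirect(httpServletResponse, LOG, "Invalid redirect uri {} for client {}", uri, clientId);
            return Optional.empty();
        }

        // From here on the redirect URI is trusted, so errors go back via redirect.
        ResponseType responseType = authorizationRequest.getResponseType();
        if (responseType == null) {
            sendErrorWithRedirect(authorizationRequest, OAuth2Error.INVALID_REQUEST, httpServletResponse, "Code response type is null for client {}.", clientId);
            return Optional.empty();
        }
        if (!ResponseType.CODE.equals(responseType)) {
            sendErrorWithRedirect(authorizationRequest, OAuth2Error.UNSUPPORTED_RESPONSE_TYPE, httpServletResponse, "Only Code response type is allowed for client {}, Received: {}.", clientId, responseType);
            return Optional.empty();
        }

        // PKCE is mandatory for this client, and only S256 is accepted ("plain" would let
        // anyone who observes the authorization code redeem it).
        if (authorizationRequest.getCodeChallenge() == null) {
            sendErrorWithRedirect(authorizationRequest, OAuth2Error.INVALID_REQUEST, httpServletResponse, "Code challenge is required for client {}.", clientId);
            return Optional.empty();
        }
        CodeChallengeMethod challengeMethod = authorizationRequest.getCodeChallengeMethod();
        if (!CodeChallengeMethod.S256.equals(challengeMethod)) {
            // RFC 7636 section 4.4.1: an unsupported code_challenge_method is reported as
            // invalid_request. The earlier implementation answered unsupported_response_type,
            // which misdescribes the failure to the client.
            sendErrorWithRedirect(authorizationRequest, OAuth2Error.INVALID_REQUEST, httpServletResponse, "Only S256 code challenge is allowed for client {}, Received: {}.", clientId, challengeMethod);
            return Optional.empty();
        }

        // createGrantedAuthorization dereferences state.getValue(); without this guard a
        // request that omits "state" failed with a NullPointerException instead of a
        // well-formed OAuth error. The grant is session-backed and records state, so
        // state is effectively required for this client.
        if (authorizationRequest.getState() == null) {
            sendErrorWithRedirect(authorizationRequest, OAuth2Error.INVALID_REQUEST, httpServletResponse, "State parameter is required for client {}.", clientId);
            return Optional.empty();
        }

        SecurityContext securityContext = this.securityContextProvider.get();
        String userName = securityContext.getName();
        if (!this.userCheck.isUserAuthorized(userName)) {
            sendErrorWithRedirect(authorizationRequest, OAuth2Error.ACCESS_DENIED, httpServletResponse, "User {} was not authorized for client {}.", userName, clientId);
            return Optional.empty();
        }
        // Fail closed: a missing uuid for an authorized user is an internal inconsistency,
        // not something to issue a grant for (the original Optional.of() threw here too).
        String userUuid = Objects.requireNonNull(securityContext.getUserUuid(), "user uuid");
        return Optional.of(createGrantedAuthorization(userUuid, authorizationRequest));
    }

    /**
     * Builds the session-backed grant for a request that has already passed validation.
     *
     * @param userUuid uuid of the authenticated user the grant is issued to
     * @param authorizationRequest request whose code challenge, state, redirect URI and
     *        scopes are copied onto the grant; {@link #authorize} has verified that the
     *        code challenge and state are present
     */
    private GrantedAuthorization createGrantedAuthorization(String userUuid, AuthorizationRequest authorizationRequest) {
        String sessionId = AuthzServerUtils.getSessionIdFromHttpSession();
        DefaultGrantedAuthorization.Builder builder = DefaultGrantedAuthorization
            .newSessionBackedGrantAuthorization(userUuid, sessionId)
            .withCodeChallenge(authorizationRequest.getCodeChallenge().getValue())
            .withState(authorizationRequest.getState().getValue())
            .withRedirectUri(authorizationRequest.getRedirectionURI());
        Scope scope = authorizationRequest.getScope();
        if (scope != null) {
            // Scopes are copied verbatim; whether they are filtered against an allow-list
            // happens elsewhere, if at all (not visible here).
            for (String scopeValue : scope.toStringList()) {
                builder = builder.withScope(scopeValue);
            }
        }
        return builder.build();
    }

    /**
     * Logs the failure and writes an OAuth error response that redirects to the request's
     * redirect URI. Callers must only use this after {@code isRedirectUriValid} has passed;
     * {@code state} and {@code response_mode} are echoed from the request and may be null.
     *
     * @param authorizationRequest request providing redirect URI, state and response mode
     * @param errorObject the OAuth error to report
     * @param httpServletResponse response to write the redirect into
     * @param str SLF4J-style log message with {@code {}} placeholders
     * @param objArr arguments for the log message
     */
    private void sendErrorWithRedirect(AuthorizationRequest authorizationRequest, ErrorObject errorObject, HttpServletResponse httpServletResponse, String str, Object... objArr) throws IOException {
        LOG.error(str, objArr);
        AuthorizationErrorResponse errorResponse = new AuthorizationErrorResponse(
            authorizationRequest.getRedirectionURI(),
            errorObject,
            authorizationRequest.getState(),
            authorizationRequest.getResponseMode());
        ServletUtils.applyHTTPResponse(errorResponse.toHTTPResponse(), httpServletResponse);
    }
}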
