package org.apereo.cas.support.oauth.web.endpoints;

import java.util.Locale;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.Generated;
import org.apereo.cas.audit.AuditableContext;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.PrincipalException;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.services.RegisteredServiceAccessStrategyUtils;
import org.apereo.cas.services.UnauthorizedServiceException;
import org.apereo.cas.support.oauth.OAuth20Constants;
import org.apereo.cas.support.oauth.OAuth20GrantTypes;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.support.oauth.util.OAuth20Utils;
import org.apereo.cas.support.oauth.validator.authorization.OAuth20AuthorizationRequestValidator;
import org.apereo.cas.support.oauth.web.response.accesstoken.ext.AccessTokenRequestDataHolder;
import org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationResponseBuilder;
import org.apereo.cas.ticket.TicketGrantingTicket;
import org.apereo.cas.web.support.CookieUtils;
import org.pac4j.core.context.JEEContext;
import org.pac4j.core.profile.CommonProfile;
import org.pac4j.core.profile.ProfileManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.servlet.ModelAndView;

/* loaded from: input_file:org/apereo/cas/support/oauth/web/endpoints/OAuth20AuthorizeEndpointController.class */
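/**
 * Controller for the OAuth 2.0 authorization endpoint ({@code /oauth2.0/authorize}), served for
 * both GET and POST.
 * <p>
 * The sequence implemented here is: validate the request syntax with the first
 * {@link OAuth20AuthorizationRequestValidator} that supports it, require an authenticated pac4j
 * profile, look up the {@link OAuthRegisteredService} by {@code client_id} and enforce its access
 * strategy, optionally divert to a consent-approval view, and finally hand off to the first
 * {@link OAuth20AuthorizationResponseBuilder} that supports the request. Every failure path collapses
 * to {@link OAuth20Utils#produceUnauthorizedErrorView()} so that exception details stay in the
 * server log rather than in the response.
 */
public class OAuth20AuthorizeEndpointController extends BaseOAuth20Controller {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(OAuth20AuthorizeEndpointController.class);

    /**
     * Creates the controller.
     *
     * @param oAuth20ConfigurationContext shared OAuth configuration, handed to the base controller
     */
    public OAuth20AuthorizeEndpointController(final OAuth20ConfigurationContext oAuth20ConfigurationContext) {
        super(oAuth20ConfigurationContext);
    }

    /**
     * Reports whether the profile manager currently holds a profile for this request.
     *
     * @param profileManager profile manager bound to the current web context
     * @param jEEContext     current web context; not consulted, the profile manager already wraps it
     * @return {@code true} when {@code profileManager.get(true)} yields a profile
     */
    private static boolean isRequestAuthenticated(final ProfileManager<CommonProfile> profileManager,
                                                  final JEEContext jEEContext) {
        return profileManager.get(true).isPresent();
    }

    /**
     * Reads a single request parameter as a string, defaulting to the empty string when absent.
     *
     * @param context       current web context
     * @param parameterName name of the request parameter
     * @return the parameter value, or {@code ""} if it is not present
     */
    private static String requestParameterOrEmpty(final JEEContext context, final String parameterName) {
        return context.getRequestParameter(parameterName).map(String::valueOf).orElse("");
    }

    /**
     * Handles an authorization request.
     * <p>
     * Malformed or unauthenticated requests are rejected before the registered service is looked up.
     * Any exception raised while enforcing service access, resolving the consent view or building the
     * callback response is logged and mapped to the unauthorized error view.
     *
     * @param httpServletRequest  the inbound request
     * @param httpServletResponse the outbound response
     * @return the consent-approval view, the authorization callback view, the unauthorized error view,
     * or {@code null} when the response builder produced no explicit view
     * @throws Exception declared for subclasses; this implementation catches what it raises itself
     */
    @GetMapping(path = {"/oauth2.0/authorize"})
    public ModelAndView handleRequest(final HttpServletRequest httpServletRequest,
                                      final HttpServletResponse httpServletResponse) throws Exception {
        final var context = new JEEContext(httpServletRequest, httpServletResponse,
            getOAuthConfigurationContext().getSessionStore());
        final var profileManager = new ProfileManager<CommonProfile>(context, context.getSessionStore());

        if (!verifyAuthorizeRequest(context) || !isRequestAuthenticated(profileManager, context)) {
            LOGGER.error("Authorize request verification failed. Authorization request is missing required parameters, or the request is not authenticated and contains no authenticated profile/principal.");
            return OAuth20Utils.produceUnauthorizedErrorView();
        }

        final String clientId = requestParameterOrEmpty(context, "client_id");
        final OAuthRegisteredService registeredService = getRegisteredServiceByClientId(clientId);
        try {
            // Throws when the client id is unknown or the service is disabled; handled below.
            RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(clientId, registeredService);

            final ModelAndView consentView = getOAuthConfigurationContext()
                .getConsentApprovalViewResolver()
                .resolve(context, registeredService);
            if (consentView.isEmpty() || !consentView.hasView()) {
                // No consent step required: go straight to the callback redirect.
                return redirectToCallbackRedirectUrl(profileManager, registeredService, context, clientId);
            }
            LOGGER.debug("Redirecting to consent-approval view with model [{}]", consentView.getModel());
            return consentView;
        } catch (final Exception e) {
            // Also catches the IllegalArgumentException raised further down for unsupported
            // response types or unknown grant types, so the client only ever sees the generic view.
            LOGGER.error(e.getMessage(), e);
            return OAuth20Utils.produceUnauthorizedErrorView();
        }
    }

    /**
     * POST variant of the authorization endpoint; identical to {@link #handleRequest}.
     *
     * @param httpServletRequest  the inbound request
     * @param httpServletResponse the outbound response
     * @return see {@link #handleRequest}
     * @throws Exception see {@link #handleRequest}
     */
    @PostMapping(path = {"/oauth2.0/authorize"})
    public ModelAndView handleRequestPost(final HttpServletRequest httpServletRequest,
                                          final HttpServletResponse httpServletResponse) throws Exception {
        return handleRequest(httpServletRequest, httpServletResponse);
    }

    /**
     * Looks up the registered OAuth service for a client id via the services manager.
     *
     * @param str the {@code client_id} request parameter
     * @return the matching registered service as returned by
     * {@link OAuth20Utils#getRegisteredOAuthServiceByClientId}
     */
    protected OAuthRegisteredService getRegisteredServiceByClientId(final String str) {
        return OAuth20Utils.getRegisteredOAuthServiceByClientId(getOAuthConfigurationContext().getServicesManager(), str);
    }

    /**
     * Builds the CAS service and authentication for the authenticated profile, enforces the registered
     * service's access strategy (with principal attributes retrieved from the release policy), and then
     * delegates to {@link #buildAuthorizationForRequest}.
     *
     * @param profileManager         profile manager holding the authenticated profile
     * @param oAuthRegisteredService registered service resolved from the client id
     * @param jEEContext             current web context
     * @param str                    the {@code client_id} request parameter
     * @return the authorization view, the unauthorized error view when no profile is present or access
     * is denied, or {@code null} when the response builder produced no explicit view
     */
    protected ModelAndView redirectToCallbackRedirectUrl(final ProfileManager<CommonProfile> profileManager,
                                                         final OAuthRegisteredService oAuthRegisteredService,
                                                         final JEEContext jEEContext,
                                                         final String str) {
        final Optional<CommonProfile> profile = profileManager.get(true);
        if (profile.isEmpty()) {
            LOGGER.error("Unexpected null profile from profile manager. Request is not fully authenticated.");
            return OAuth20Utils.produceUnauthorizedErrorView();
        }

        final var authenticationBuilder = getOAuthConfigurationContext().getAuthenticationBuilder();
        final Service service = authenticationBuilder.buildService(oAuthRegisteredService, jEEContext, false);
        LOGGER.trace("Created service [{}] based on registered service [{}]", service, oAuthRegisteredService);
        final Authentication authentication = authenticationBuilder.build(profile.get(), oAuthRegisteredService, jEEContext, service);
        // Placeholder order matches the message: authentication first, then service.
        LOGGER.trace("Created OAuth authentication [{}] for service [{}]", authentication, service);

        try {
            final var auditContext = AuditableContext.builder()
                .service(service)
                .authentication(authentication)
                .registeredService(oAuthRegisteredService)
                .retrievePrincipalAttributesFromReleasePolicy(Boolean.TRUE)
                .build();
            getOAuthConfigurationContext()
                .getRegisteredServiceAccessStrategyEnforcer()
                .execute(auditContext)
                .throwExceptionIfNeeded();

            final ModelAndView authorizationView = buildAuthorizationForRequest(oAuthRegisteredService, jEEContext, str, service, authentication);
            if (authorizationView != null && authorizationView.hasView()) {
                return authorizationView;
            }
            LOGGER.debug("No explicit view was defined as part of the authorization response");
            return null;
        } catch (final UnauthorizedServiceException | PrincipalException e) {
            LOGGER.error(e.getMessage(), e);
            return OAuth20Utils.produceUnauthorizedErrorView();
        }
    }

    /**
     * Assembles the {@link AccessTokenRequestDataHolder} from the request and asks the first supporting
     * response builder to produce the callback response.
     * <p>
     * {@code grant_type} defaults to {@link OAuth20GrantTypes#AUTHORIZATION_CODE} and is upper-cased
     * with {@link Locale#ROOT} before {@link OAuth20GrantTypes#valueOf}, so the mapping does not depend
     * on the JVM default locale; {@code code_challenge_method} is upper-cased the same way.
     *
     * @param oAuthRegisteredService registered service resolved from the client id
     * @param jEEContext             current web context
     * @param str                    the {@code client_id} request parameter
     * @param service                CAS service built for this request
     * @param authentication         authentication built for the current profile
     * @return whatever the selected {@link OAuth20AuthorizationResponseBuilder} returns
     * @throws IllegalArgumentException when no response builder supports the request, or when the
     *                                  {@code grant_type} value is not a known {@link OAuth20GrantTypes}
     */
    protected ModelAndView buildAuthorizationForRequest(final OAuthRegisteredService oAuthRegisteredService,
                                                        final JEEContext jEEContext,
                                                        final String str,
                                                        final Service service,
                                                        final Authentication authentication) {
        final OAuth20AuthorizationResponseBuilder responseBuilder = getOAuthConfigurationContext()
            .getOauthAuthorizationResponseBuilders()
            .stream()
            .filter(candidate -> candidate.supports(jEEContext))
            .findFirst()
            .orElseThrow(() -> new IllegalArgumentException("Could not build the callback url. Response type likely not supported"));

        final var configurationContext = getOAuthConfigurationContext();
        final TicketGrantingTicket ticketGrantingTicket = CookieUtils.getTicketGrantingTicketFromRequest(
            configurationContext.getTicketGrantingTicketCookieGenerator(),
            configurationContext.getTicketRegistry(),
            jEEContext.getNativeRequest());

        final String grantType = jEEContext.getRequestParameter(OAuth20Constants.GRANT_TYPE)
            .map(String::valueOf)
            .orElseGet(OAuth20GrantTypes.AUTHORIZATION_CODE::getType)
            .toUpperCase(Locale.ROOT);
        final Set<String> scopes = OAuth20Utils.parseRequestScopes(jEEContext);
        final String codeChallenge = requestParameterOrEmpty(jEEContext, OAuth20Constants.CODE_CHALLENGE);
        final String codeChallengeMethod = requestParameterOrEmpty(jEEContext, OAuth20Constants.CODE_CHALLENGE_METHOD)
            .toUpperCase(Locale.ROOT);

        final AccessTokenRequestDataHolder holder = AccessTokenRequestDataHolder.builder()
            .service(service)
            .authentication(authentication)
            .registeredService(oAuthRegisteredService)
            .ticketGrantingTicket(ticketGrantingTicket)
            .grantType(OAuth20GrantTypes.valueOf(grantType))
            .codeChallenge(codeChallenge)
            .codeChallengeMethod(codeChallengeMethod)
            .scopes(scopes)
            .clientId(str)
            .claims(OAuth20Utils.parseRequestClaims(jEEContext))
            .build();
        LOGGER.debug("Building authorization response for grant type [{}] with scopes [{}] for client id [{}]", grantType, scopes, str);
        return responseBuilder.build(jEEContext, str, holder);
    }

    /**
     * Validates the authorization request with the first configured validator that supports it.
     *
     * @param jEEContext current web context
     * @return the validator's verdict, or {@code false} (after a warning) when no validator supports
     * the request
     */
    private boolean verifyAuthorizeRequest(final JEEContext jEEContext) {
        final var validator = getOAuthConfigurationContext()
            .getOauthRequestValidators()
            .stream()
            .filter(candidate -> candidate.supports(jEEContext))
            .findFirst();
        if (validator.isPresent()) {
            return validator.get().validate(jEEContext);
        }
        LOGGER.warn("Ignoring malformed request [{}] as no OAuth20 validator could declare support for its syntax", jEEContext.getFullRequestURL());
        return false;
    }
}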
