package be.atbash.ee.security.octopus.sso.callback;

import be.atbash.ee.security.octopus.SecurityUtils;
import be.atbash.ee.security.octopus.authz.UnauthorizedException;
import be.atbash.ee.security.octopus.config.OctopusCoreConfiguration;
import be.atbash.ee.security.octopus.session.SessionUtil;
import be.atbash.ee.security.octopus.sso.client.OpenIdVariableClientData;
import be.atbash.ee.security.octopus.sso.client.config.OctopusSSOServerClientConfiguration;
import be.atbash.ee.security.octopus.sso.client.requestor.CustomUserInfoValidator;
import be.atbash.ee.security.octopus.sso.client.requestor.OctopusUserRequestor;
import be.atbash.ee.security.octopus.sso.config.OctopusSSOClientConfiguration;
import be.atbash.ee.security.octopus.sso.core.client.SSOFlow;
import be.atbash.ee.security.octopus.sso.core.rest.DefaultPrincipalUserInfoJSONProvider;
import be.atbash.ee.security.octopus.sso.core.rest.PrincipalUserInfoJSONProvider;
import be.atbash.ee.security.octopus.sso.core.token.OctopusSSOToken;
import be.atbash.ee.security.octopus.sso.core.token.OctopusSSOTokenConverter;
import be.atbash.ee.security.octopus.subject.WebSubject;
import be.atbash.ee.security.octopus.util.SavedRequest;
import be.atbash.ee.security.octopus.util.WebUtils;
import be.atbash.util.CDIUtils;
import be.atbash.util.exception.AtbashUnexpectedException;
import com.nimbusds.oauth2.sdk.ErrorObject;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.openid.connect.sdk.AuthenticationSuccessResponse;
import java.io.IOException;
import java.lang.annotation.Annotation;
import javax.inject.Inject;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

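/* loaded from: input_file:be/atbash/ee/security/octopus/sso/callback/SSOCallbackServlet.class */
/**
 * Receives the front-channel callback of the Octopus SSO login flow.
 *
 * <p>The request is accepted only when the session already holds the
 * {@link OpenIdVariableClientData} stored when the login was initiated, so a
 * callback that was not started from this session is rejected before any token
 * handling. Depending on the configured {@link SSOFlow} the access token is
 * either exchanged for the authorization code or taken from the response
 * itself; the user is then retrieved, the pre-login session is invalidated and
 * the subject is logged in before redirecting to the originally saved request.
 *
 * <p>Parsing and validation of the authentication response live in
 * {@code SSOCallbackServletHandler}, whose source is not part of this file.
 */
@WebServlet({"/sso/SSOCallback"})
public class SSOCallbackServlet extends HttpServlet {

    @Inject
    private ExchangeForAccessCode exchangeForAccessCode;

    @Inject
    private CallbackErrorHandler callbackErrorHandler;

    @Inject
    private OctopusSSOTokenConverter octopusSSOTokenConverter;

    @Inject
    private OctopusSSOClientConfiguration ssoClientConfiguration;

    @Inject
    private OctopusCoreConfiguration coreConfiguration;

    @Inject
    private OctopusSSOServerClientConfiguration octopusSSOServerClientConfiguration;

    @Inject
    private SessionUtil sessionUtil;

    // Built in init(); transient because HttpServlet is Serializable and this helper is not meant to be persisted.
    private transient OctopusUserRequestor octopusUserRequestor;

    /**
     * Builds the {@link OctopusUserRequestor} used to fetch user info for an access token.
     *
     * <p>An application may supply its own {@link PrincipalUserInfoJSONProvider} and
     * {@link CustomUserInfoValidator} as CDI beans; when no provider bean exists the
     * {@link DefaultPrincipalUserInfoJSONProvider} is used, and the validator stays
     * {@code null} when absent.
     *
     * @throws ServletException declared by the servlet contract; not thrown here
     */
    @Override
    public void init() throws ServletException {
        // Declared as the interface type: the CDI bean need not be the default implementation.
        PrincipalUserInfoJSONProvider userInfoProvider =
                CDIUtils.retrieveOptionalInstance(PrincipalUserInfoJSONProvider.class, new Annotation[0]);
        if (userInfoProvider == null) {
            userInfoProvider = new DefaultPrincipalUserInfoJSONProvider();
        }
        CustomUserInfoValidator userInfoValidator =
                CDIUtils.retrieveOptionalInstance(CustomUserInfoValidator.class, new Annotation[0]);
        this.octopusUserRequestor = new OctopusUserRequestor(
                this.coreConfiguration,
                this.octopusSSOServerClientConfiguration,
                this.octopusSSOTokenConverter,
                userInfoProvider,
                userInfoValidator);
    }

    /**
     * Handles the SSO callback.
     *
     * <p>Every failure path writes its error through {@code callbackErrorHandler}
     * (or is expected to, for the handler calls whose source is not in this file)
     * and then returns without logging anyone in.
     *
     * @param httpServletRequest  the callback request
     * @param httpServletResponse the response to write the redirect or error to
     * @throws ServletException per servlet contract
     * @throws IOException      per servlet contract
     */
    @Override
    protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        // Only callbacks for a login initiated from this session are accepted.
        OpenIdVariableClientData clientData = getOpenIdVariableClientData(httpServletRequest, httpServletResponse);
        if (clientData == null) {
            return; // error response already written
        }

        SSOCallbackServletHandler handler =
                new SSOCallbackServletHandler(httpServletRequest, httpServletResponse, clientData, this.callbackErrorHandler);
        AuthenticationSuccessResponse authenticationResponse = handler.getAuthenticationResponse();
        if (authenticationResponse == null) {
            return; // presumably reported by the handler — its source is not visible here
        }

        BearerAccessToken bearerAccessToken = obtainAccessToken(handler, authenticationResponse, httpServletResponse);
        if (bearerAccessToken == null) {
            return;
        }

        OctopusSSOToken ssoToken = handler.retrieveUser(this.octopusUserRequestor, bearerAccessToken);
        if (ssoToken == null) {
            return; // presumably reported by the handler — its source is not visible here
        }

        try {
            // Drop the pre-login session before binding the authenticated subject, so the
            // session id that existed before authentication is not carried over.
            this.sessionUtil.invalidateCurrentSession(httpServletRequest);
            WebSubject subject = SecurityUtils.getSubject();
            subject.login(ssoToken);
            redirectToSavedRequest(httpServletRequest, httpServletResponse, subject);
        } catch (UnauthorizedException e) {
            handleException(httpServletRequest, httpServletResponse, e, ssoToken);
        }
    }

    /**
     * Obtains the bearer access token according to the configured SSO flow.
     *
     * @return the token, or {@code null} when it could not be obtained; for the
     *         implicit flow a missing token is reported via {@code callbackErrorHandler},
     *         for the authorization-code flow reporting is left to the handler
     */
    private BearerAccessToken obtainAccessToken(SSOCallbackServletHandler handler,
                                                AuthenticationSuccessResponse authenticationResponse,
                                                HttpServletResponse httpServletResponse) {
        SSOFlow flow = this.ssoClientConfiguration.getSSOType();
        if (flow == SSOFlow.AUTHORIZATION_CODE) {
            return handler.getAccessTokenFromAuthorizationCode(authenticationResponse, this.exchangeForAccessCode);
        }
        if (flow == SSOFlow.IMPLICIT) {
            BearerAccessToken token = (BearerAccessToken) authenticationResponse.getAccessToken();
            if (token == null) {
                this.callbackErrorHandler.showErrorMessage(httpServletResponse,
                        new ErrorObject("OCT-SSO-CLIENT-014", "Missing Access code"));
            }
            return token;
        }
        // NOTE(review): any other flow value yields no token and the callback ends
        // without an error response being written — confirm no other SSOFlow value can be configured.
        return null;
    }

    /**
     * Redirects to the request saved before the login was initiated, or to the
     * context root when none was saved. The saved request is cleared in the process.
     *
     * @throws AtbashUnexpectedException when the redirect cannot be written
     */
    private void redirectToSavedRequest(HttpServletRequest httpServletRequest,
                                        HttpServletResponse httpServletResponse,
                                        WebSubject subject) {
        SavedRequest savedRequest = WebUtils.getAndClearSavedRequest(subject);
        String target = savedRequest != null ? savedRequest.getRequestUrl() : httpServletRequest.getContextPath();
        try {
            httpServletResponse.sendRedirect(target);
        } catch (IOException e) {
            throw new AtbashUnexpectedException(e);
        }
    }

    /**
     * Returns the client data stored in the session when the login was initiated.
     *
     * <p>No session is created for this lookup: a request without an existing
     * session cannot carry that data, and it is reported as not originating from
     * this session.
     *
     * @return the client data, or {@code null} after an error response has been written
     */
    private OpenIdVariableClientData getOpenIdVariableClientData(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        HttpSession session = httpServletRequest.getSession(false);
        OpenIdVariableClientData clientData = session == null
                ? null
                : (OpenIdVariableClientData) session.getAttribute(OpenIdVariableClientData.class.getName());
        if (clientData == null) {
            this.callbackErrorHandler.showErrorMessage(httpServletResponse,
                    new ErrorObject("OCT-SSO-CLIENT-012", "Request did not originate from this session"));
        }
        return clientData;
    }

    /**
     * Handles a failed {@code subject.login}: starts a fresh session holding the
     * SSO token and the exception message, then redirects to the configured
     * unauthorized-exception page.
     *
     * @param th              the exception whose message is exposed to the error page
     * @param octopusSSOToken the token for which the login was refused
     * @throws AtbashUnexpectedException when the redirect cannot be written
     */
    private void handleException(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Throwable th, OctopusSSOToken octopusSSOToken) {
        httpServletRequest.getSession().invalidate();
        HttpSession session = httpServletRequest.getSession(true);
        session.setAttribute(OctopusSSOToken.class.getSimpleName(), octopusSSOToken);
        // The message is rendered by the unauthorized page; keep it free of sensitive detail at the throwing site.
        session.setAttribute("AuthenticationExceptionMessage", th.getMessage());
        try {
            httpServletResponse.sendRedirect(httpServletRequest.getContextPath() + this.ssoClientConfiguration.getUnauthorizedExceptionPage());
        } catch (IOException e) {
            throw new AtbashUnexpectedException(e);
        }
    }
}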
