package org.apache.cxf.rs.security.oauth2.services;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.jaxrs.utils.ExceptionUtils;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.OAuthAuthorizationData;
import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
import org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState;
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.common.UserSubject;
import org.apache.cxf.rs.security.oauth2.provider.AuthorizationRequestFilter;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rs.security.oauth2.provider.ResourceOwnerNameProvider;
import org.apache.cxf.rs.security.oauth2.provider.SessionAuthenticityTokenProvider;
import org.apache.cxf.rs.security.oauth2.provider.SubjectCreator;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
import org.apache.cxf.security.SecurityContext;

/* loaded from: input_file:org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.class */
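/**
 * Base class for OAuth2 grants that send the resource owner back to the client via a redirect.
 *
 * <p>Two request legs are visible in this class:
 * <ul>
 *   <li>{@link #authorize()} starts an authorization request: the caller must already be
 *       authenticated (a {@link SecurityContext} with a principal must be in the message
 *       context), the client and redirect URI are validated, and the subclass-specific
 *       {@code startAuthorization} overload produces the consent form or an immediate grant.</li>
 *   <li>{@link #authorizeDecision()} and {@link #authorizeDecisionForm(MultivaluedMap)} receive
 *       the owner's decision: the session authenticity token is verified, the original request
 *       state is recovered (from the session provider if configured, else from the posted
 *       parameters), client, redirect URI and scopes are re-validated, and
 *       {@link #createGrant} is invoked.</li>
 * </ul>
 *
 * <p>This listing was recovered by a decompiler; the four-argument {@code startAuthorization}
 * body was not recovered and remains a stub here. Methods marked by the decompiler as
 * originally {@code protected} keep the {@code public} modifier the listing shows so that
 * the visible interface is unchanged.
 */
public abstract class RedirectionBasedGrantService extends AbstractOAuthService {
    /** Message-context key under which the approved decision parameters are stored for subclasses. */
    private static final String AUTHORIZATION_REQUEST_PARAMETERS = "authorization.request.parameters";
    /** Decision-form parameter naming a previously issued token to revoke when the owner approves. */
    private static final String PREAUTHORIZED_TOKEN_KEY = "preauthorized.token.key";
    /** Status-parameter suffix appended to each scope name in the decision form. */
    private static final String SCOPE_STATUS_SUFFIX = "_status";

    /** Response types this service answers (e.g. "code"); set by the constructor, exposed via getter. */
    private final Set<String> supportedResponseTypes;
    /** Grant type name reported by {@link #getSupportedGrantType()}. */
    private final String supportedGrantType;
    // Configured via setter; not read anywhere in this listing (presumably by the undecompiled method).
    private boolean useAllClientScopes;
    // Passed to OAuthUtils.validateScopes when the decision is checked against registered scopes.
    private boolean partialMatchScopeValidation;
    // When the request carries no redirect_uri and the client has exactly one registered, use it.
    private boolean useRegisteredRedirectUriIfPossible = true;
    // Optional: creates/removes per-session authenticity tokens and stores redirection state.
    private SessionAuthenticityTokenProvider sessionAuthenticityTokenProvider;
    // Optional: custom UserSubject creation from the message context and request parameters.
    private SubjectCreator subjectCreator;
    // Optional: supplies the display name shown on the consent form.
    private ResourceOwnerNameProvider resourceOwnerNameProvider;
    // Only used for the default (non-provider) session token, see addAuthenticityTokenToSession.
    private int maxDefaultSessionInterval;
    // Require the redirect URI to start with the client's registered application web URI.
    private boolean matchRedirectUriWithApplicationUri;
    private boolean hidePreauthorizedScopesInForm;
    // Optional: may rewrite the incoming parameters before authorization starts.
    private AuthorizationRequestFilter authorizationFilter;
    // Scopes for which the consent form can be skipped; null means "none".
    private List<String> scopesRequiringNoConsent;
    private boolean supportSinglePageApplications = true;
    // Revoke the token named by PREAUTHORIZED_TOKEN_KEY when the owner approves the new request.
    private boolean revokePreauthorizedTokenOnApproval = true;

    /**
     * Creates a service answering a single response type.
     *
     * @param supportedResponseType the single response type value to accept
     * @param supportedGrantType the grant type name
     */
    public RedirectionBasedGrantService(String supportedResponseType, String supportedGrantType) {
        this(Collections.singleton(supportedResponseType), supportedGrantType);
    }

    /**
     * Creates a service answering any of the given response types.
     *
     * @param supportedResponseTypes the response type values to accept
     * @param supportedGrantType the grant type name
     */
    public RedirectionBasedGrantService(Set<String> supportedResponseTypes, String supportedGrantType) {
        this.supportedResponseTypes = supportedResponseTypes;
        this.supportedGrantType = supportedGrantType;
    }

    /**
     * Entry point of the authorization leg (GET on the service root).
     *
     * @return the consent form, a redirect, or an error response
     */
    @GET
    @Produces({MediaType.APPLICATION_XHTML_XML, MediaType.TEXT_HTML, MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON})
    public Response authorize() {
        return startAuthorization(getQueryParameters());
    }

    /**
     * Entry point of the decision leg when the decision is delivered as query parameters.
     *
     * @return the grant redirect or an error response
     */
    @GET
    @Path("/decision")
    public Response authorizeDecision() {
        return completeAuthorization(getQueryParameters());
    }

    /**
     * Entry point of the decision leg when the decision is posted as a form.
     *
     * @param params the posted form parameters
     * @return the grant redirect or an error response
     */
    @POST
    @Path("/decision")
    @Consumes({"application/x-www-form-urlencoded"})
    public Response authorizeDecisionForm(MultivaluedMap<String, String> params) {
        return completeAuthorization(params);
    }

    /**
     * Validates the caller, client and redirect URI and hands off to the subclass-specific leg.
     *
     * @param params the incoming authorization request parameters
     * @return the response produced by {@link #startAuthorization(MultivaluedMap, UserSubject, Client, String)}
     */
    protected Response startAuthorization(MultivaluedMap<String, String> params) {
        SecurityContext securityContext = getAndValidateSecurityContext(params);
        Client client = getClient(params.getFirst("client_id"), params);
        UserSubject subject = createUserSubject(securityContext, params);
        // The filter may replace the parameter map entirely, so everything below reads the result.
        MultivaluedMap<String, String> effectiveParams = params;
        if (authorizationFilter != null) {
            effectiveParams = authorizationFilter.process(params, subject, client);
        }
        String redirectUri = validateRedirectUri(client, effectiveParams.getFirst(OAuthConstants.REDIRECT_URI));
        return startAuthorization(effectiveParams, subject, client, redirectUri);
    }

    /**
     * Subclass-specific authorization leg.
     *
     * <p>NOTE(review): the decompiler did not recover this method's body (419 instructions were
     * skipped); the stub below is all this listing provides and is kept unchanged. The real
     * implementation is expected to validate the response type and scopes and either render
     * the consent form via {@link #createAuthorizationData} or skip it via
     * {@link #canAuthorizationBeSkipped} -- confirm against the original source.
     *
     * @param params the (possibly filtered) request parameters
     * @param subject the authenticated resource owner
     * @param client the validated client
     * @param redirectUri the validated redirect URI, possibly null
     * @return the consent form, a redirect, or an error response
     */
    protected Response startAuthorization(MultivaluedMap<String, String> params, UserSubject subject, Client client, String redirectUri) {
        throw new UnsupportedOperationException("Method not decompiled: org.apache.cxf.rs.security.oauth2.services.RedirectionBasedGrantService.startAuthorization(javax.ws.rs.core.MultivaluedMap, org.apache.cxf.rs.security.oauth2.common.UserSubject, org.apache.cxf.rs.security.oauth2.common.Client, java.lang.String):javax.ws.rs.core.Response");
    }

    /** @return the response types this service accepts, as passed to the constructor */
    public Set<String> getSupportedResponseTypes() {
        return supportedResponseTypes;
    }

    /**
     * Decides whether the consent form may be skipped for this request.
     *
     * @param params the request parameters
     * @param client the validated client
     * @param subject the resource owner
     * @param requestedScopes the scopes requested
     * @param permissions the permissions matching the requested scopes
     * @return true when no consent is required
     */
    protected boolean canAuthorizationBeSkipped(MultivaluedMap<String, String> params, Client client, UserSubject subject, List<String> requestedScopes, List<OAuthPermission> permissions) {
        return noConsentForRequestedScopes(params, client, subject, requestedScopes, permissions);
    }

    /**
     * Returns true only when every requested scope is in the configured no-consent list.
     *
     * <p>A null configured list or a null requested list never allows skipping.
     */
    protected boolean noConsentForRequestedScopes(MultivaluedMap<String, String> params, Client client, UserSubject subject, List<String> requestedScopes, List<OAuthPermission> permissions) {
        return scopesRequiringNoConsent != null
            && requestedScopes != null
            && scopesRequiringNoConsent.containsAll(requestedScopes);
    }

    /**
     * Builds the model backing the consent form (or, when {@code authorizationCanBeSkipped},
     * the minimal state needed to proceed without a form).
     *
     * <p>Only the non-skipped path creates the session authenticity token, so a skipped
     * authorization never leaves a dangling token behind.
     *
     * @param client the validated client
     * @param params the request parameters
     * @param redirectUri the validated redirect URI
     * @param subject the resource owner
     * @param permissions permissions for the requested scopes; may be null or empty
     * @param alreadyAuthorizedPermissions permissions the owner approved earlier
     * @param authorizationCanBeSkipped whether the consent form will not be shown
     * @return the populated authorization data
     */
    public OAuthAuthorizationData createAuthorizationData(Client client, MultivaluedMap<String, String> params, String redirectUri, UserSubject subject, List<OAuthPermission> permissions, List<OAuthPermission> alreadyAuthorizedPermissions, boolean authorizationCanBeSkipped) {
        OAuthAuthorizationData data = new OAuthAuthorizationData();
        data.setState(params.getFirst(OAuthConstants.STATE));
        data.setRedirectUri(redirectUri);
        data.setAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE));
        data.setNonce(params.getFirst("nonce"));
        data.setClientId(client.getClientId());
        data.setResponseType(params.getFirst(OAuthConstants.RESPONSE_TYPE));
        if (permissions != null && !permissions.isEmpty()) {
            // Space-separated scope string; the trailing separator is removed by trim().
            StringBuilder proposedScope = new StringBuilder();
            for (OAuthPermission permission : permissions) {
                proposedScope.append(permission.getPermission()).append(' ');
            }
            data.setProposedScope(proposedScope.toString().trim());
        }
        if (!authorizationCanBeSkipped) {
            data.setPermissions(permissions);
            data.setAlreadyAuthorizedPermissions(alreadyAuthorizedPermissions);
            data.setHidePreauthorizedScopesInForm(hidePreauthorizedScopesInForm);
            data.setApplicationName(client.getApplicationName());
            data.setApplicationWebUri(client.getApplicationWebUri());
            data.setApplicationDescription(client.getApplicationDescription());
            data.setApplicationLogoUri(client.getApplicationLogoUri());
            data.setApplicationCertificates(client.getApplicationCertificates());
            data.setExtraApplicationProperties(client.getProperties());
            data.setApplicationRegisteredDynamically(client.isRegisteredDynamically());
            data.setSupportSinglePageApplications(supportSinglePageApplications);
            // The form posts back to the "decision" sub-resource of this service.
            data.setReplyTo(getMessageContext().getUriInfo().getAbsolutePathBuilder().path("decision").build().toString());
            personalizeData(data, subject);
            addAuthenticityTokenToSession(data, params, subject);
        }
        return data;
    }

    /**
     * Recovers the original request state stored by the session provider, if one is configured.
     *
     * @param subject the resource owner
     * @param sessionToken the authenticity token presented with the decision
     * @return the stored state, or null when no provider is configured (or it holds none)
     */
    protected OAuthRedirectionState recreateRedirectionStateFromSession(UserSubject subject, String sessionToken) {
        if (sessionAuthenticityTokenProvider == null) {
            return null;
        }
        return sessionAuthenticityTokenProvider.getSessionState(super.getMessageContext(), sessionToken, subject);
    }

    /**
     * Rebuilds the original request state from the decision parameters themselves.
     *
     * <p>Used only when no session-stored state exists; these values are caller-supplied and
     * are trusted solely because the authenticity token check already passed.
     *
     * @param params the decision parameters
     * @return the reconstructed state
     */
    public OAuthRedirectionState recreateRedirectionStateFromParams(MultivaluedMap<String, String> params) {
        OAuthRedirectionState state = new OAuthRedirectionState();
        state.setClientId(params.getFirst("client_id"));
        state.setRedirectUri(params.getFirst(OAuthConstants.REDIRECT_URI));
        state.setAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE));
        state.setProposedScope(params.getFirst("scope"));
        state.setState(params.getFirst(OAuthConstants.STATE));
        state.setNonce(params.getFirst("nonce"));
        state.setResponseType(params.getFirst(OAuthConstants.RESPONSE_TYPE));
        return state;
    }

    /**
     * Adds the owner's display name to the form model when a name provider is configured.
     */
    protected void personalizeData(OAuthAuthorizationData data, UserSubject subject) {
        if (resourceOwnerNameProvider != null) {
            data.setEndUserName(resourceOwnerNameProvider.getName(subject));
        }
    }

    /**
     * Picks the approved scopes: the explicitly approved list when non-empty, else the requested one.
     *
     * @param requestedScopes scopes originally requested
     * @param approvedScopes scopes the owner ticked; may be null or empty
     * @return the list to issue the grant for
     */
    public List<String> getApprovedScope(List<String> requestedScopes, List<String> approvedScopes) {
        return StringUtils.isEmpty(approvedScopes) ? requestedScopes : approvedScopes;
    }

    /**
     * Processes the owner's consent decision and issues the grant.
     *
     * <p>Order of checks: authenticated caller, authenticity token (CSRF protection for the
     * decision form), original request state, client, redirect URI, the allow/deny decision,
     * and finally that the requested scopes are valid for the client.
     *
     * @param params the decision parameters (query or form)
     * @return the grant response, or an error response redirected to the client
     * @throws javax.ws.rs.BadRequestException when the authenticity token is missing or does not match
     */
    protected Response completeAuthorization(MultivaluedMap<String, String> params) {
        UserSubject subject = createUserSubject(getAndValidateSecurityContext(params), params);

        // The form may name the parameter carrying the authenticity token; otherwise use the default.
        String tokenParamName = params.getFirst(OAuthConstants.SESSION_AUTHENTICITY_TOKEN_PARAM_NAME);
        if (tokenParamName == null) {
            tokenParamName = OAuthConstants.SESSION_AUTHENTICITY_TOKEN;
        }
        String requestToken = params.getFirst(tokenParamName);
        if (requestToken == null || !compareRequestAndSessionTokens(requestToken, params, subject)) {
            throw ExceptionUtils.toBadRequestException(null, null);
        }

        OAuthRedirectionState state = recreateRedirectionStateFromSession(subject, requestToken);
        if (state == null) {
            state = recreateRedirectionStateFromParams(params);
        }
        Client client = getClient(state.getClientId(), params);
        String redirectUri = validateRedirectUri(client, state.getRedirectUri());

        String decision = params.getFirst(OAuthConstants.AUTHORIZATION_DECISION_KEY);
        if (!OAuthConstants.AUTHORIZATION_DECISION_ALLOW.equals(decision)) {
            return createErrorResponse(params, redirectUri, OAuthConstants.ACCESS_DENIED);
        }

        // Each requested scope has its own "<scope>_status" checkbox in the form; only ticked ones
        // are approved, so the approved list is by construction a subset of the requested one.
        List<String> requestedScopes = OAuthUtils.parseScope(state.getProposedScope());
        List<String> approvedScopes = new ArrayList<>(requestedScopes.size());
        for (String scope : requestedScopes) {
            String status = params.getFirst(scope + SCOPE_STATUS_SUFFIX);
            if (OAuthConstants.AUTHORIZATION_DECISION_ALLOW.equals(status)) {
                approvedScopes.add(scope);
            }
        }
        if (!OAuthUtils.validateScopes(requestedScopes, client.getRegisteredScopes(), partialMatchScopeValidation)) {
            return createErrorResponse(params, redirectUri, OAuthConstants.INVALID_SCOPE);
        }

        // Expose the approved parameters to subclasses/providers for the rest of the request.
        getMessageContext().put(AUTHORIZATION_REQUEST_PARAMETERS, params);
        String preauthorizedTokenKey = params.getFirst(PREAUTHORIZED_TOKEN_KEY);
        if (preauthorizedTokenKey != null && isRevokePreauthorizedTokenOnApproval()) {
            getDataProvider().revokeToken(client, preauthorizedTokenKey, OAuthConstants.ACCESS_TOKEN);
        }
        return createGrant(state, client, requestedScopes, approvedScopes, subject, null);
    }

    /** @return whether a token named by the decision form is revoked on approval (default true) */
    public boolean isRevokePreauthorizedTokenOnApproval() {
        return revokePreauthorizedTokenOnApproval;
    }

    public void setRevokePreauthorizedTokenOnApproval(boolean revoke) {
        this.revokePreauthorizedTokenOnApproval = revoke;
    }

    public void setSessionAuthenticityTokenProvider(SessionAuthenticityTokenProvider sessionAuthenticityTokenProvider) {
        this.sessionAuthenticityTokenProvider = sessionAuthenticityTokenProvider;
    }

    public void setSubjectCreator(SubjectCreator subjectCreator) {
        this.subjectCreator = subjectCreator;
    }

    /**
     * Creates the resource-owner subject, preferring the configured {@link SubjectCreator}
     * and falling back to {@link OAuthUtils#createSubject} when it is absent or returns null.
     */
    protected UserSubject createUserSubject(SecurityContext securityContext, MultivaluedMap<String, String> params) {
        if (subjectCreator != null) {
            UserSubject subject = subjectCreator.createUserSubject(getMessageContext(), params);
            if (subject != null) {
                return subject;
            }
        }
        return OAuthUtils.createSubject(getMessageContext(), securityContext);
    }

    /**
     * Convenience overload that forwards the request's {@code state} parameter.
     */
    protected Response createErrorResponse(MultivaluedMap<String, String> params, String redirectUri, String error) {
        return createErrorResponse(params.getFirst(OAuthConstants.STATE), redirectUri, error);
    }

    /**
     * Hook for subclasses; the base implementation allows every response type.
     *
     * @param responseType the requested response type
     * @return true in this base class
     */
    protected boolean canAccessTokenBeReturned(String responseType) {
        return true;
    }

    /**
     * Builds the error response redirected to the client.
     *
     * @param state the request's {@code state} parameter, echoed back to the client
     * @param redirectUri the validated redirect URI
     * @param error the OAuth error code
     */
    protected abstract Response createErrorResponse(String state, String redirectUri, String error);

    /**
     * Issues the grant once the owner has approved the request.
     *
     * @param state the original request state
     * @param client the validated client
     * @param requestedScopes all requested scopes
     * @param approvedScopes the subset the owner approved
     * @param subject the resource owner
     * @param preAuthorizedToken an existing token, null in the decision leg
     */
    protected abstract Response createGrant(OAuthRedirectionState state, Client client, List<String> requestedScopes, List<String> approvedScopes, UserSubject subject, ServerAccessToken preAuthorizedToken);

    /**
     * Requires an authenticated principal in the message context and a secure transport.
     *
     * @param params the request parameters (unused here; kept for subclass overrides)
     * @return the security context
     * @throws javax.ws.rs.NotAuthorizedException when no principal is present
     */
    protected SecurityContext getAndValidateSecurityContext(MultivaluedMap<String, String> params) {
        SecurityContext securityContext = (SecurityContext) getMessageContext().get(SecurityContext.class.getName());
        if (securityContext == null || securityContext.getUserPrincipal() == null) {
            throw ExceptionUtils.toNotAuthorizedException(null, null);
        }
        checkTransportSecurity();
        return securityContext;
    }

    /**
     * Validates the requested redirect URI against the client's registration.
     *
     * <p>A supplied URI must exactly match one of the registered URIs. A missing URI is
     * replaced by the single registered one when {@code useRegisteredRedirectUriIfPossible}
     * is set; if none is registered the subclass decides via {@link #canRedirectUriBeEmpty}.
     * With {@code matchRedirectUriWithApplicationUri} the URI must additionally start with the
     * client's application web URI -- note this is a plain string-prefix test.
     *
     * @param client the validated client
     * @param requestedRedirectUri the URI from the request, may be null
     * @return the URI to redirect to, or null when none is required
     */
    protected String validateRedirectUri(Client client, String requestedRedirectUri) {
        List<String> registeredUris = client.getRedirectUris();
        String redirectUri = requestedRedirectUri;
        if (redirectUri != null) {
            if (!registeredUris.contains(redirectUri)) {
                reportInvalidRequestError("Client Redirect Uri is invalid");
            }
        } else if (registeredUris.size() == 1 && useRegisteredRedirectUriIfPossible) {
            redirectUri = registeredUris.get(0);
        }
        if (redirectUri == null && registeredUris.isEmpty() && !canRedirectUriBeEmpty(client)) {
            reportInvalidRequestError("Client Redirect Uri is invalid");
        }
        if (redirectUri != null
            && matchRedirectUriWithApplicationUri
            && client.getApplicationWebUri() != null
            && !redirectUri.startsWith(client.getApplicationWebUri())) {
            reportInvalidRequestError("Client Redirect Uri is invalid");
        }
        return redirectUri;
    }

    /**
     * Creates the authenticity token that the decision form must echo back and stores it on
     * the form model; delegates to the provider when configured, else to the default session.
     */
    private void addAuthenticityTokenToSession(OAuthAuthorizationData data, MultivaluedMap<String, String> params, UserSubject subject) {
        String token = sessionAuthenticityTokenProvider != null
            ? sessionAuthenticityTokenProvider.createSessionToken(getMessageContext(), params, subject, data)
            : OAuthUtils.setSessionToken(getMessageContext(), maxDefaultSessionInterval);
        data.setAuthenticityToken(token);
    }

    /**
     * Consumes the session token and compares it with the one presented in the decision.
     *
     * <p>The comparison runs in constant time ({@link MessageDigest#isEqual}) so that the
     * response time does not leak how many leading characters of the token were correct.
     * The session token is removed before comparing, so each token is usable once.
     *
     * @return false when no session token exists or the tokens differ
     */
    private boolean compareRequestAndSessionTokens(String requestToken, MultivaluedMap<String, String> params, UserSubject subject) {
        String sessionToken = sessionAuthenticityTokenProvider != null
            ? sessionAuthenticityTokenProvider.removeSessionToken(getMessageContext(), params, subject)
            : OAuthUtils.getSessionToken(getMessageContext());
        if (StringUtils.isEmpty(sessionToken)) {
            return false;
        }
        return MessageDigest.isEqual(
            requestToken.getBytes(StandardCharsets.UTF_8),
            sessionToken.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Looks up and validates the client, reporting an invalid-request error when lookup fails.
     *
     * <p>An {@link OAuthServiceException} carrying an error is reported as-is; one without an
     * error, or a null result, is reported as "Client ID is invalid". {@code reportInvalidRequestError}
     * is assumed to throw -- it is inherited and not visible here; if it returned normally this
     * method could return null.
     */
    protected Client getClient(String clientId, MultivaluedMap<String, String> params) {
        Client client = null;
        try {
            client = getValidClient(clientId, params);
        } catch (OAuthServiceException e) {
            if (e.getError() != null) {
                reportInvalidRequestError(e.getError(), (MediaType) null);
            }
        }
        if (client == null) {
            reportInvalidRequestError("Client ID is invalid", (MediaType) null);
        }
        return client;
    }

    /** Wraps an entity in a 200 text/html response (used for the consent form). */
    public Response createHtmlResponse(Object entity) {
        return Response.ok(entity).type(MediaType.TEXT_HTML).build();
    }

    /** @return true when the request asked for the form-post response mode */
    public boolean isFormResponse(OAuthRedirectionState state) {
        Object responseMode = state.getExtraProperties().get(OAuthConstants.RESPONSE_MODE);
        return OAuthConstants.FORM_RESPONSE_MODE.equals(responseMode);
    }

    /** @return the grant type name passed to the constructor */
    public String getSupportedGrantType() {
        return supportedGrantType;
    }

    public void setResourceOwnerNameProvider(ResourceOwnerNameProvider resourceOwnerNameProvider) {
        this.resourceOwnerNameProvider = resourceOwnerNameProvider;
    }

    public void setPartialMatchScopeValidation(boolean partialMatch) {
        this.partialMatchScopeValidation = partialMatch;
    }

    public void setUseAllClientScopes(boolean useAll) {
        this.useAllClientScopes = useAll;
    }

    public void setUseRegisteredRedirectUriIfPossible(boolean useRegistered) {
        this.useRegisteredRedirectUriIfPossible = useRegistered;
    }

    /** Whether this grant may be used by a public (non-confidential) client. */
    protected abstract boolean canSupportPublicClient(Client client);

    /** Whether a client with no registered redirect URI may omit it from the request. */
    protected abstract boolean canRedirectUriBeEmpty(Client client);

    public void setMaxDefaultSessionInterval(int maxInterval) {
        this.maxDefaultSessionInterval = maxInterval;
    }

    public void setMatchRedirectUriWithApplicationUri(boolean match) {
        this.matchRedirectUriWithApplicationUri = match;
    }

    public void setHidePreauthorizedScopesInForm(boolean hide) {
        this.hidePreauthorizedScopesInForm = hide;
    }

    public void setAuthorizationFilter(AuthorizationRequestFilter authorizationRequestFilter) {
        this.authorizationFilter = authorizationRequestFilter;
    }

    public void setScopesRequiringNoConsent(List<String> scopes) {
        this.scopesRequiringNoConsent = scopes;
    }

    public void setSupportSinglePageApplications(boolean support) {
        this.supportSinglePageApplications = support;
    }
}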
