package org.mitre.openid.connect.token;

import com.google.common.base.Splitter;
import com.google.common.base.Strings;
import com.google.common.collect.Sets;
import java.util.Calendar;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import javax.servlet.http.HttpSession;
import org.mitre.oauth2.model.SystemScope;
import org.mitre.oauth2.service.SystemScopeService;
import org.mitre.openid.connect.model.ApprovedSite;
import org.mitre.openid.connect.model.WhitelistedSite;
import org.mitre.openid.connect.request.ConnectRequestParameters;
import org.mitre.openid.connect.service.ApprovedSiteService;
import org.mitre.openid.connect.service.WhitelistedSiteService;
import org.mitre.openid.connect.web.AuthenticationTimeStamper;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.common.util.OAuth2Utils;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.approval.UserApprovalHandler;
import org.springframework.stereotype.Component;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

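/**
 * User approval handler that decides whether an OAuth2/OpenID Connect authorization request
 * needs an interactive consent step.
 *
 * <p>A request is approved without prompting when the user already holds a non-expired stored
 * approval ({@link ApprovedSite}) for the client, or when the client has a
 * {@link WhitelistedSite} entry; in both cases the stored scopes must match the requested ones.
 * Otherwise approval comes from the consent form, whose submission must carry the CSRF value
 * stored in the request extensions.
 */
@Component("tofuUserApprovalHandler")
/* loaded from: input_file:WEB-INF/lib/openid-connect-server-1.2.0.jar:org/mitre/openid/connect/token/TofuUserApprovalHandler.class */
public class TofuUserApprovalHandler implements UserApprovalHandler {

    /** Key of the anti-CSRF value, both in the request extensions and in the approval form. */
    private static final String CSRF = "csrf";

    /** Delimiter between the values of the {@code prompt} request parameter. */
    private static final String PROMPT_SEPARATOR = " ";

    /** OpenID Connect {@code prompt} value that asks for consent to be requested again. */
    private static final String PROMPT_CONSENT = "consent";

    @Autowired
    private ApprovedSiteService approvedSiteService;

    @Autowired
    private WhitelistedSiteService whitelistedSiteService;

    @Autowired
    private ClientDetailsService clientDetailsService;

    @Autowired
    private SystemScopeService systemScopes;

    /**
     * Reports whether the request may proceed without (further) user interaction.
     *
     * @param authorizationRequest the request being authorized
     * @param authentication the current user's authentication
     * @return {@code true} if the request is already flagged approved, or if the consent form
     *     was submitted with approval and a matching CSRF value by an authenticated user
     */
    @Override
    public boolean isApproved(AuthorizationRequest authorizationRequest, Authentication authentication) {
        if (authorizationRequest.isApproved()) {
            return true;
        }
        return hasConfirmedApproval(authorizationRequest) && authentication.isAuthenticated();
    }

    /**
     * Marks the request approved when a stored approval or a whitelist entry covers it.
     *
     * @param authorizationRequest the request being authorized; modified in place
     * @param authentication the current user's authentication, used for the user id
     * @return the same request instance, approved if a stored grant matched
     */
    @Override
    public AuthorizationRequest checkForPreApproval(AuthorizationRequest authorizationRequest, Authentication authentication) {
        String userId = authentication.getName();
        String clientId = authorizationRequest.getClientId();

        // Fix: the previous check looked for the separator " " among values that had just been
        // split on " ", which can never match, so stored approvals and whitelist entries were
        // applied even when the client sent prompt=consent. Honour the consent prompt by
        // skipping pre-approval, which leaves the request to the interactive consent step.
        String prompt = (String) authorizationRequest.getExtensions().get(ConnectRequestParameters.PROMPT);
        boolean consentRequested = Splitter.on(PROMPT_SEPARATOR)
                .splitToList(Strings.nullToEmpty(prompt))
                .contains(PROMPT_CONSENT);
        if (consentRequested) {
            return authorizationRequest;
        }

        boolean alreadyApproved = false;
        for (ApprovedSite approvedSite : this.approvedSiteService.getByClientIdAndUserId(clientId, userId)) {
            if (approvedSite.isExpired()) {
                continue;
            }
            if (!this.systemScopes.scopesMatch(approvedSite.getAllowedScopes(), authorizationRequest.getScope())) {
                continue;
            }
            // Every matching approval gets its access date refreshed; the id of the last
            // match is the one left in the request extensions.
            approvedSite.setAccessDate(new Date());
            this.approvedSiteService.save(approvedSite);
            authorizationRequest.getExtensions().put(ConnectRequestParameters.APPROVED_SITE, approvedSite.getId().toString());
            authorizationRequest.setApproved(true);
            alreadyApproved = true;
            setAuthTime(authorizationRequest);
        }

        if (!alreadyApproved) {
            // No per-user approval matched: fall back to the client's whitelist entry.
            WhitelistedSite whitelistedSite = this.whitelistedSiteService.getByClientId(clientId);
            if (whitelistedSite != null
                    && this.systemScopes.scopesMatch(whitelistedSite.getAllowedScopes(), authorizationRequest.getScope())) {
                authorizationRequest.setApproved(true);
                setAuthTime(authorizationRequest);
            }
        }
        return authorizationRequest;
    }

    /**
     * Applies a submitted consent form: approves the request, narrows its scope to what the
     * user ticked, and optionally stores the decision for later requests.
     *
     * @param authorizationRequest the request being authorized; modified in place
     * @param authentication the current user's authentication, used for the user id
     * @return the same request instance
     */
    @Override
    public AuthorizationRequest updateAfterApproval(AuthorizationRequest authorizationRequest, Authentication authentication) {
        String userId = authentication.getName();
        String clientId = authorizationRequest.getClientId();
        // Looked up before the approval check, as before, so a lookup failure surfaces either way.
        ClientDetails client = this.clientDetailsService.loadClientByClientId(clientId);

        if (!hasConfirmedApproval(authorizationRequest)) {
            return authorizationRequest;
        }
        authorizationRequest.setApproved(true);

        Map<String, String> approvalParameters = authorizationRequest.getApprovalParameters();
        HashSet<String> approvedScopes = new HashSet<>();
        for (Map.Entry<String, String> parameter : approvalParameters.entrySet()) {
            if (!parameter.getKey().startsWith("scope_")) {
                continue;
            }
            String scope = parameter.getValue();
            // Form values are user-supplied: keep only scopes the client is registered for.
            // NOTE(review): the value is not compared with the scopes originally requested;
            // confirm that checking against the client registration alone is intended.
            if (!this.systemScopes.scopesMatch(client.getScope(), Sets.newHashSet(scope))) {
                continue;
            }
            SystemScope systemScope = this.systemScopes.getByValue(scope);
            if (systemScope == null || !systemScope.isStructured()) {
                approvedScopes.add(scope);
            } else {
                // NOTE(review): a missing "scopeparam_" entry yields the literal "<scope>:null";
                // confirm how downstream scope matching treats that value.
                approvedScopes.add(scope + ":" + approvalParameters.get("scopeparam_" + scope));
            }
        }
        authorizationRequest.setScope(approvedScopes);

        String remember = approvalParameters.get("remember");
        if (!Strings.isNullOrEmpty(remember) && !remember.equals("none")) {
            // Only "one-hour" sets a timeout; any other non-"none" value stores the approval
            // with a null timeout (presumably no expiry; confirm in ApprovedSiteService).
            Date timeout = null;
            if (remember.equals("one-hour")) {
                Calendar calendar = Calendar.getInstance();
                calendar.add(Calendar.HOUR, 1);
                timeout = calendar.getTime();
            }
            ApprovedSite newSite = this.approvedSiteService.createApprovedSite(clientId, userId, timeout, approvedScopes);
            authorizationRequest.getExtensions().put(ConnectRequestParameters.APPROVED_SITE, newSite.getId().toString());
        }
        setAuthTime(authorizationRequest);
        return authorizationRequest;
    }

    /**
     * Tells whether the consent form was submitted with approval and with the CSRF value that
     * was stored in the request extensions.
     */
    private static boolean hasConfirmedApproval(AuthorizationRequest authorizationRequest) {
        Map<String, String> approvalParameters = authorizationRequest.getApprovalParameters();
        if (!Boolean.parseBoolean(approvalParameters.get(OAuth2Utils.USER_OAUTH_APPROVAL))) {
            return false;
        }
        // A request without a stored CSRF value can never be confirmed through the form.
        Object expectedCsrf = authorizationRequest.getExtensions().get(CSRF);
        return expectedCsrf != null && expectedCsrf.equals(approvalParameters.get(CSRF));
    }

    /**
     * Copies the authentication timestamp from the HTTP session, when one is recorded there,
     * into the request extensions as epoch milliseconds.
     */
    private void setAuthTime(AuthorizationRequest authorizationRequest) {
        ServletRequestAttributes attributes = (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();
        if (attributes == null) {
            return;
        }
        HttpSession session = attributes.getRequest().getSession();
        if (session == null) {
            return;
        }
        Date authTime = (Date) session.getAttribute(AuthenticationTimeStamper.AUTH_TIMESTAMP);
        if (authTime == null) {
            return;
        }
        authorizationRequest.getExtensions().put(AuthenticationTimeStamper.AUTH_TIMESTAMP, Long.toString(authTime.getTime()));
    }

    /**
     * Builds the model for the consent page.
     *
     * @return a new mutable map holding a copy of the request parameters
     */
    @Override
    public Map<String, Object> getUserApprovalRequest(AuthorizationRequest authorizationRequest, Authentication authentication) {
        return new HashMap<String, Object>(authorizationRequest.getRequestParameters());
    }
}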
