package org.nuxeo.ecm.platform.oauth2;

import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.nuxeo.common.utils.URIUtils;
import org.nuxeo.ecm.platform.oauth2.clients.OAuth2Client;
import org.nuxeo.ecm.platform.oauth2.clients.OAuth2ClientService;
import org.nuxeo.ecm.platform.oauth2.request.AuthorizationRequest;
import org.nuxeo.ecm.platform.oauth2.request.TokenRequest;
import org.nuxeo.ecm.platform.oauth2.tokens.NuxeoOAuth2Token;
import org.nuxeo.ecm.platform.oauth2.tokens.OAuth2TokenStore;
import org.nuxeo.runtime.api.Framework;
import org.nuxeo.runtime.transaction.TransactionHelper;

/* loaded from: input_file:org/nuxeo/ecm/platform/oauth2/NuxeoOAuth2Servlet.class */
public class NuxeoOAuth2Servlet extends HttpServlet {
    private static final long serialVersionUID = 1;
    private static final Log log = LogFactory.getLog(NuxeoOAuth2Servlet.class);
    public static final String ENDPOINT_AUTH = "authorize";
    public static final String ENDPOINT_TOKEN = "token";
    public static final String ENDPOINT_AUTH_SUBMIT = "authorize_submit";
    public static final String ERROR_PARAM = "error";
    public static final String ERROR_DESCRIPTION_PARAM = "error_description";
    public static final String CLIENT_NAME = "client_name";
    public static final String GRANT_JSP_PAGE_PATH = "/oauth2Grant.jsp";
    public static final String GRANT_ACCESS_PARAM = "grant_access";
    public static final String ERROR_JSP_PAGE_PATH = "/oauth2error.jsp";
    public static final int ACCESS_TOKEN_EXPIRATION_TIME = 3600000;
    protected final OAuth2TokenStore tokenStore = new OAuth2TokenStore(Constants.TOKEN_SERVICE);

    protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        String pathInfo = httpServletRequest.getPathInfo();
        if (pathInfo.endsWith(ENDPOINT_AUTH)) {
            doGetAuthorize(httpServletRequest, httpServletResponse);
            return;
        }
        if (pathInfo.endsWith(ENDPOINT_AUTH_SUBMIT)) {
            doGetNotAllowed(ENDPOINT_AUTH_SUBMIT, httpServletRequest, httpServletResponse);
        } else if (pathInfo.endsWith(ENDPOINT_TOKEN)) {
            doGetNotAllowed(ENDPOINT_TOKEN, httpServletRequest, httpServletResponse);
        } else {
            httpServletResponse.sendError(404);
        }
    }

    protected void doPost(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        String pathInfo = httpServletRequest.getPathInfo();
        if (pathInfo.endsWith(ENDPOINT_AUTH_SUBMIT)) {
            doPostAuthorizeSubmit(httpServletRequest, httpServletResponse);
        } else if (pathInfo.endsWith(ENDPOINT_TOKEN)) {
            doPostToken(httpServletRequest, httpServletResponse);
        } else {
            httpServletResponse.sendError(404);
        }
    }

    protected void doGetAuthorize(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, ServletException {
        OAuth2ClientService oAuth2ClientService = (OAuth2ClientService) Framework.getService(OAuth2ClientService.class);
        AuthorizationRequest fromRequest = AuthorizationRequest.fromRequest(httpServletRequest);
        OAuth2Error checkError = fromRequest.checkError();
        if (checkError != null) {
            handleError(checkError, httpServletRequest, httpServletResponse);
            return;
        }
        String clientId = fromRequest.getClientId();
        OAuth2Client client = oAuth2ClientService.getClient(clientId);
        if (client.isAutoGrant() || this.tokenStore.getToken(clientId, fromRequest.getUsername()) != null) {
            String redirectURI = getRedirectURI(fromRequest);
            String storeAuthorizationRequest = storeAuthorizationRequest(fromRequest);
            String parameter = httpServletRequest.getParameter(Constants.STATE_PARAM);
            HashMap hashMap = new HashMap();
            hashMap.put("code", storeAuthorizationRequest);
            if (StringUtils.isNotBlank(parameter)) {
                hashMap.put(Constants.STATE_PARAM, parameter);
            }
            sendRedirect(httpServletRequest, httpServletResponse, redirectURI, hashMap);
            return;
        }
        httpServletRequest.setAttribute(Constants.RESPONSE_TYPE_PARAM, fromRequest.getResponseType());
        httpServletRequest.setAttribute(Constants.CLIENT_ID_PARAM, clientId);
        String redirectURI2 = fromRequest.getRedirectURI();
        if (StringUtils.isNotBlank(redirectURI2)) {
            httpServletRequest.setAttribute(Constants.REDIRECT_URI_PARAM, redirectURI2);
        }
        String scope = fromRequest.getScope();
        if (StringUtils.isNotBlank(scope)) {
            httpServletRequest.setAttribute(Constants.SCOPE_PARAM, scope);
        }
        String parameter2 = httpServletRequest.getParameter(Constants.STATE_PARAM);
        if (StringUtils.isNotBlank(parameter2)) {
            httpServletRequest.setAttribute(Constants.STATE_PARAM, parameter2);
        }
        String codeChallenge = fromRequest.getCodeChallenge();
        String codeChallengeMethod = fromRequest.getCodeChallengeMethod();
        if (codeChallenge != null && codeChallengeMethod != null) {
            httpServletRequest.setAttribute(Constants.CODE_CHALLENGE_PARAM, codeChallenge);
            httpServletRequest.setAttribute(Constants.CODE_CHALLENGE_METHOD_PARAM, codeChallengeMethod);
        }
        httpServletRequest.setAttribute(CLIENT_NAME, client.getName());
        httpServletRequest.getRequestDispatcher(GRANT_JSP_PAGE_PATH).forward(httpServletRequest, httpServletResponse);
    }

    protected void doGetNotAllowed(String str, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, ServletException {
        handleError(OAuth2Error.invalidRequest(String.format("The /oauth2/%s endpoint only accepts POST requests.", str)), 405, httpServletRequest, httpServletResponse);
    }

    protected void doPostAuthorizeSubmit(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, ServletException {
        AuthorizationRequest fromRequest = AuthorizationRequest.fromRequest(httpServletRequest);
        OAuth2Error checkError = fromRequest.checkError();
        if (checkError != null) {
            handleError(checkError, httpServletRequest, httpServletResponse);
            return;
        }
        String redirectURI = getRedirectURI(fromRequest);
        String parameter = httpServletRequest.getParameter(Constants.STATE_PARAM);
        if (httpServletRequest.getParameter(GRANT_ACCESS_PARAM) != null) {
            String storeAuthorizationRequest = storeAuthorizationRequest(fromRequest);
            HashMap hashMap = new HashMap();
            hashMap.put("code", storeAuthorizationRequest);
            if (StringUtils.isNotBlank(parameter)) {
                hashMap.put(Constants.STATE_PARAM, parameter);
            }
            sendRedirect(httpServletRequest, httpServletResponse, redirectURI, hashMap);
            return;
        }
        OAuth2Error accessDenied = OAuth2Error.accessDenied("Access denied by the user");
        HashMap hashMap2 = new HashMap();
        hashMap2.put("error", accessDenied.getId());
        String description = accessDenied.getDescription();
        if (StringUtils.isNotBlank(description)) {
            hashMap2.put(ERROR_DESCRIPTION_PARAM, description);
        }
        if (StringUtils.isNotBlank(parameter)) {
            hashMap2.put(Constants.STATE_PARAM, parameter);
        }
        sendRedirect(httpServletRequest, httpServletResponse, redirectURI, hashMap2);
    }

    protected String getRedirectURI(AuthorizationRequest authorizationRequest) {
        String redirectURI = authorizationRequest.getRedirectURI();
        return StringUtils.isBlank(redirectURI) ? ((OAuth2ClientService) Framework.getService(OAuth2ClientService.class)).getClient(authorizationRequest.getClientId()).getRedirectURIs().get(0) : redirectURI;
    }

    protected String storeAuthorizationRequest(AuthorizationRequest authorizationRequest) {
        String authorizationCode = authorizationRequest.getAuthorizationCode();
        AuthorizationRequest.store(authorizationCode, authorizationRequest);
        return authorizationCode;
    }

    protected void doPostToken(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        TokenRequest tokenRequest = new TokenRequest(httpServletRequest);
        OAuth2ClientService oAuth2ClientService = (OAuth2ClientService) Framework.getService(OAuth2ClientService.class);
        String grantType = tokenRequest.getGrantType();
        if (!Constants.AUTHORIZATION_CODE_GRANT_TYPE.equals(grantType)) {
            if (!"refresh_token".equals(grantType)) {
                handleJsonError(OAuth2Error.unsupportedGrantType(String.format("Unknown %s: got \"%s\", expecting \"%s\" or \"%s\".", Constants.GRANT_TYPE_PARAM, grantType, Constants.AUTHORIZATION_CODE_GRANT_TYPE, "refresh_token")), httpServletResponse);
                return;
            }
            OAuth2Error oAuth2Error = null;
            if (StringUtils.isBlank(tokenRequest.getClientId())) {
                oAuth2Error = OAuth2Error.invalidRequest("Empty client id");
            } else if (!oAuth2ClientService.isValidClient(tokenRequest.getClientId(), tokenRequest.getClientSecret())) {
                oAuth2Error = OAuth2Error.invalidClient("Disabled client or invalid client secret");
            }
            if (oAuth2Error != null) {
                handleJsonError(oAuth2Error, httpServletResponse);
                return;
            }
            NuxeoOAuth2Token nuxeoOAuth2Token = (NuxeoOAuth2Token) TransactionHelper.runInTransaction(() -> {
                return this.tokenStore.refresh(tokenRequest.getRefreshToken(), tokenRequest.getClientId());
            });
            if (nuxeoOAuth2Token == null) {
                handleJsonError(OAuth2Error.invalidGrant("Cannot refresh token"), httpServletResponse);
                return;
            } else {
                handleTokenResponse(nuxeoOAuth2Token, httpServletResponse);
                return;
            }
        }
        String code = tokenRequest.getCode();
        AuthorizationRequest authorizationRequest = AuthorizationRequest.get(code);
        String clientId = tokenRequest.getClientId();
        OAuth2Error oAuth2Error2 = null;
        if (authorizationRequest == null) {
            oAuth2Error2 = OAuth2Error.invalidGrant("Invalid authorization code");
        } else if (authorizationRequest.getClientId().equals(clientId)) {
            OAuth2Client client = oAuth2ClientService.getClient(clientId);
            if (client == null || !client.isValidWith(tokenRequest.getClientId(), tokenRequest.getClientSecret())) {
                oAuth2Error2 = OAuth2Error.invalidClient("Disabled client or invalid client secret");
            } else {
                String redirectURI = authorizationRequest.getRedirectURI();
                String redirectURI2 = tokenRequest.getRedirectURI();
                if (StringUtils.isNotBlank(redirectURI) && !redirectURI.equals(redirectURI2)) {
                    oAuth2Error2 = OAuth2Error.invalidGrant(String.format("Invalid redirect URI: %s", redirectURI2));
                } else if (authorizationRequest.getCodeChallenge() != null) {
                    String codeVerifier = tokenRequest.getCodeVerifier();
                    if (codeVerifier == null) {
                        oAuth2Error2 = OAuth2Error.invalidRequest(String.format("Missing %s parameter", Constants.CODE_VERIFIER_PARAM));
                    } else if (!authorizationRequest.isCodeVerifierValid(codeVerifier)) {
                        oAuth2Error2 = OAuth2Error.invalidGrant(String.format("Invalid %s parameter", Constants.CODE_VERIFIER_PARAM));
                    }
                }
            }
        } else {
            oAuth2Error2 = OAuth2Error.invalidClient(String.format("Invalid client id: %s", clientId));
        }
        if (authorizationRequest != null) {
            AuthorizationRequest.remove(code);
        }
        if (oAuth2Error2 != null) {
            handleJsonError(oAuth2Error2, httpServletResponse);
            return;
        }
        String username = authorizationRequest.getUsername();
        NuxeoOAuth2Token token = this.tokenStore.getToken(clientId, username);
        if (token == null) {
            NuxeoOAuth2Token nuxeoOAuth2Token2 = new NuxeoOAuth2Token(3600000L, clientId);
            TransactionHelper.runInTransaction(() -> {
                this.tokenStore.store(username, nuxeoOAuth2Token2);
            });
            token = nuxeoOAuth2Token2;
        } else if (token.isExpired()) {
            String refreshToken = token.getRefreshToken();
            token = (NuxeoOAuth2Token) TransactionHelper.runInTransaction(() -> {
                return this.tokenStore.refresh(refreshToken, clientId);
            });
        }
        handleTokenResponse(token, httpServletResponse);
    }

    protected void handleTokenResponse(NuxeoOAuth2Token nuxeoOAuth2Token, HttpServletResponse httpServletResponse) throws IOException {
        httpServletResponse.setHeader("Content-Type", "application/json");
        httpServletResponse.setStatus(200);
        new ObjectMapper().writeValue(httpServletResponse.getWriter(), nuxeoOAuth2Token.toJsonObject());
    }

    protected void handleError(OAuth2Error oAuth2Error, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, ServletException {
        handleError(oAuth2Error, 400, httpServletRequest, httpServletResponse);
    }

    protected void handleError(OAuth2Error oAuth2Error, int i, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, ServletException {
        log.warn(String.format("OAuth2 authorization request error: %s", oAuth2Error));
        httpServletResponse.reset();
        httpServletResponse.setStatus(i);
        httpServletRequest.setAttribute("error", oAuth2Error);
        httpServletRequest.getRequestDispatcher(ERROR_JSP_PAGE_PATH).forward(httpServletRequest, httpServletResponse);
    }

    protected void handleJsonError(OAuth2Error oAuth2Error, HttpServletResponse httpServletResponse) throws IOException {
        log.warn(String.format("OAuth2 token request error: %s", oAuth2Error));
        httpServletResponse.setHeader("Content-Type", "application/json");
        httpServletResponse.setStatus(400);
        HashMap hashMap = new HashMap();
        hashMap.put("error", oAuth2Error.getId());
        if (StringUtils.isNotBlank(oAuth2Error.getDescription())) {
            hashMap.put(ERROR_DESCRIPTION_PARAM, oAuth2Error.getDescription());
        }
        new ObjectMapper().writeValue(httpServletResponse.getWriter(), hashMap);
    }

    protected void sendRedirect(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, Map<String, String> map) throws IOException {
        if (str == null) {
            httpServletResponse.sendError(400, "No redirect URI");
        } else {
            httpServletResponse.sendRedirect(URIUtils.addParametersToURIQuery(str, map));
        }
    }
}
