package leap.oauth2.wac.auth;

import java.util.Map;
import leap.core.annotation.Inject;
import leap.core.security.Authentication;
import leap.core.security.token.jwt.MacSigner;
import leap.lang.Strings;
import leap.lang.intercepting.State;
import leap.lang.logging.Log;
import leap.lang.logging.LogFactory;
import leap.oauth2.OAuth2Params;
import leap.oauth2.rs.auth.ResClientPrincipal;
import leap.oauth2.wac.OAuth2WebAppConfig;
import leap.oauth2.wac.token.WacTokenManager;
import leap.web.Request;
import leap.web.Response;
import leap.web.security.authc.AuthenticationManager;
import leap.web.security.authc.SimpleAuthentication;
import leap.web.security.login.LoginManager;
import leap.web.security.user.UserDetails;
import leap.web.security.user.UserManager;

/* loaded from: input_file:leap/oauth2/wac/auth/DefaultWacResponseHandler.class */
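/**
 * Default {@link WacResponseHandler}: turns the id token returned to the web app client into a
 * local {@link Authentication}, optionally exchanges the authorization code for an access token,
 * and logs the user in.
 *
 * <p>The id token arrives in request parameters and is therefore untrusted until
 * {@link #verifyIdToken} has checked its MAC against the configured client secret.
 */
public class DefaultWacResponseHandler implements WacResponseHandler {
    private static final Log log = LogFactory.get(DefaultWacResponseHandler.class);

    /** Web app client configuration; supplies the client secret used as the MAC key. */
    @Inject
    protected OAuth2WebAppConfig config;

    /** Performs the immediate login for the built authentication. */
    @Inject
    protected AuthenticationManager am;

    /** Resolves the {@code sub} claim of the id token to local user details. */
    @Inject
    protected UserManager um;

    /** Notified after a successful login. */
    @Inject
    protected LoginManager sm;

    /** Exchanges the authorization code for an access token and stores it. */
    @Inject
    protected WacTokenManager atm;

    /**
     * Processes a successful authorization response.
     *
     * @param request      the current request
     * @param response     the current response
     * @param oAuth2Params the parameters of the authorization response
     * @return {@link State#CONTINUE} when the response carries no id token (nothing is
     *         authenticated), otherwise {@link State#INTERCEPTED} after login
     * @throws IllegalStateException if no authentication could be built from the id token
     * @throws Throwable             anything raised by token verification, the code exchange or login
     */
    @Override
    public State handleSuccessResponse(Request request, Response response, OAuth2Params oAuth2Params) throws Throwable {
        String idToken = oAuth2Params.getIdToken();
        if (Strings.isEmpty(idToken)) {
            return State.CONTINUE;
        }

        // Verification runs first; a token that fails it never reaches authenticate().
        WacIdToken verified = verifyIdToken(oAuth2Params, idToken);
        Authentication authentication = authenticate(request, response, oAuth2Params, idToken, verified);
        if (authentication == null) {
            throw new IllegalStateException("Invalid authentication");
        }

        // The code exchange happens before login, so a failed exchange aborts the login.
        String code = oAuth2Params.getCode();
        if (!Strings.isEmpty(code)) {
            this.atm.fetchAndSaveAccessToken(request, authentication, code);
        }

        login(request, response, authentication);
        return State.INTERCEPTED;
    }

    /**
     * Verifies the id token with a {@link MacSigner} keyed by the configured client secret and
     * extracts its {@code aud} and {@code sub} claims.
     *
     * <p>NOTE(review): this method relies solely on {@code MacSigner.verify}. It does not compare
     * {@code aud} with the configured client id and does not itself inspect {@code iss},
     * {@code exp} or {@code nonce}. Whether {@code verify} or a caller enforces any of these is
     * not visible from this class - confirm before relying on it.
     *
     * @param oAuth2Params the parameters of the authorization response (unused here)
     * @param str          the raw id token
     * @return the token's client id ({@code aud}) and user id ({@code sub}); either may be null
     * @throws Throwable whatever {@code MacSigner.verify} raises for a token it rejects
     */
    protected WacIdToken verifyIdToken(OAuth2Params oAuth2Params, String str) throws Throwable {
        Map<String, Object> claims = new MacSigner(this.config.getClientSecret()).verify(str);

        WacIdToken wacIdToken = new WacIdToken();
        // Both casts fail with ClassCastException on a non-string claim (for example an array
        // valued "aud"), so such a token is rejected rather than partially accepted.
        wacIdToken.clientId = (String) claims.remove("aud");
        wacIdToken.userId = (String) claims.remove("sub");
        return wacIdToken;
    }

    /**
     * Builds the local authentication for a verified id token.
     *
     * <p>A non-empty user id must resolve to known user details; a non-empty client id is attached
     * as a {@link ResClientPrincipal}. When the token carries no user id, the authentication is
     * created with null user details.
     *
     * @param request      the current request
     * @param response     the current response
     * @param oAuth2Params the parameters of the authorization response
     * @param str          the raw id token (not used by this implementation)
     * @param wacIdToken   the claims extracted by {@link #verifyIdToken}
     * @return the authentication, or {@code null} when the token's user id is unknown locally
     * @throws Throwable anything raised while loading the user details
     */
    protected Authentication authenticate(Request request, Response response, OAuth2Params oAuth2Params, String str, WacIdToken wacIdToken) throws Throwable {
        String clientId = wacIdToken.getClientId();
        String userId = wacIdToken.getUserId();

        UserDetails userDetails = null;
        if (!Strings.isEmpty(userId)) {
            userDetails = this.um.loadUserDetails(userId);
            if (userDetails == null) {
                // The raw id token is deliberately left out of the log: it is a signed credential
                // taken from the request, and anyone with log access could read it.
                log.debug("The user id '{}' carried by the id token is not found", new Object[]{userId});
                return null;
            }
        }

        SimpleAuthentication authentication = new SimpleAuthentication(userDetails, wacIdToken);
        if (!Strings.isEmpty(clientId)) {
            authentication.setClientPrincipal(new ResClientPrincipal(clientId));
        }
        return authentication;
    }

    /**
     * Logs the authentication in and then notifies the login manager of the success.
     *
     * @param request        the current request
     * @param response       the current response
     * @param authentication the authentication built from the id token
     * @throws Throwable anything raised by the authentication or login manager
     */
    protected void login(Request request, Response response, Authentication authentication) throws Throwable {
        this.am.loginImmediately(request, response, authentication);
        this.sm.handleLoginSuccess(request, response, authentication);
    }
}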
