package org.wso2.carbon.identity.oauth.endpoint.authz;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.oltu.oauth2.as.response.OAuthASResponse;
import org.apache.oltu.oauth2.common.exception.OAuthProblemException;
import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
import org.apache.oltu.oauth2.common.message.OAuthResponse;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.identity.application.authentication.framework.AuthenticatorFlowStatus;
import org.wso2.carbon.identity.application.authentication.framework.CommonAuthenticationHandler;
import org.wso2.carbon.identity.application.authentication.framework.cache.AuthenticationResultCacheEntry;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticationResult;
import org.wso2.carbon.identity.application.authentication.framework.model.CommonAuthRequestWrapper;
import org.wso2.carbon.identity.application.authentication.framework.model.CommonAuthResponseWrapper;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.application.common.model.Claim;
import org.wso2.carbon.identity.application.common.model.ClaimMapping;
import org.wso2.carbon.identity.oauth.IdentityOAuthAdminException;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCache;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCacheEntry;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCacheKey;
import org.wso2.carbon.identity.oauth.cache.SessionDataCache;
import org.wso2.carbon.identity.oauth.cache.SessionDataCacheEntry;
import org.wso2.carbon.identity.oauth.cache.SessionDataCacheKey;
import org.wso2.carbon.identity.oauth.dao.OAuthAppDAO;
import org.wso2.carbon.identity.oauth.endpoint.OAuthRequestWrapper;
import org.wso2.carbon.identity.oauth.endpoint.introspection.IntrospectionResponse;
import org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint;
import org.wso2.carbon.identity.oauth.endpoint.util.EndpointUtil;
import org.wso2.carbon.identity.oauth.endpoint.util.OpenIDConnectUserRPStore;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AuthorizeReqDTO;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AuthorizeRespDTO;
import org.wso2.carbon.identity.oauth2.dto.OAuth2ClientValidationResponseDTO;
import org.wso2.carbon.identity.oauth2.model.CarbonOAuthAuthzRequest;
import org.wso2.carbon.identity.oauth2.model.OAuth2Parameters;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.oidc.session.OIDCSessionState;
import org.wso2.carbon.identity.oidc.session.util.OIDCSessionManagementUtil;
import org.wso2.carbon.registry.core.utils.UUIDGenerator;

@Path("/authorize")
/* loaded from: input_file:WEB-INF/classes/org/wso2/carbon/identity/oauth/endpoint/authz/OAuth2AuthzEndpoint.class */
public class OAuth2AuthzEndpoint {
    // Class-wide logger; debug-level messages carry the session keys, so keep debug off in production.
    private static final Log log = LogFactory.getLog(OAuth2AuthzEndpoint.class);
    // Consent parameter value for a one-time approval; not referenced within the visible part of this class
    // (the visible code compares the consent parameter against "approveAlways" and "deny").
    public static final String APPROVE = "approve";
    // Chooses whether removeAuthenticationResult clears the framework cache or only the request attribute.
    // NOTE(review): never assigned in the visible code, so it stays false — confirm whether anything sets it.
    private boolean isCacheAvailable = false;

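    /**
     * GET entry point of the OAuth 2.0 / OpenID Connect authorization endpoint.
     *
     * <p>The request is dispatched on the identifiers it carries:
     * <ul>
     *   <li>{@code client_id} and no session key: the application state is checked, the request is
     *       validated by {@link #handleOAuthAuthorizationRequest} and, unless the authentication framework
     *       reports {@code SUCCESS_COMPLETED} on the {@code authenticatorFlowStatus} attribute, the user is
     *       redirected to the URL that validation produced;</li>
     *   <li>{@code sessionDataKey} (request attribute or parameter): the framework's authentication result is
     *       consumed, the logged-in user is stored in the session cache and {@code doUserAuthz} decides the
     *       next redirect;</li>
     *   <li>{@code sessionDataKeyConsent} plus a {@code consent} parameter: the decision is applied by
     *       {@link #handleUserConsent} (or recorded as a denial) and the final redirect to the client is
     *       issued.</li>
     * </ul>
     * A request presenting both session keys with live cache entries, or neither a client_id nor a session
     * key, is answered with an error page; a session key without a cache entry is treated as a timed-out
     * session.
     *
     * <p>A super-tenant Carbon tenant flow is started first and ended on every exit path. The consent cache
     * entry is cleared on exit unless the {@code retainCache} system property is set.
     *
     * @param httpServletRequest the incoming authorization request
     * @param httpServletResponse the servlet response, needed when the request is handed to the framework
     * @return a 302 redirect, a JSON error for an inactive/unknown application, or a 500 on framework failure
     * @throws URISyntaxException if a computed redirect URL is not a valid URI
     */
    @GET
    @Path("/")
    @Consumes({"application/x-www-form-urlencoded"})
    @Produces({"text/html"})
    public Response authorize(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws URISyntaxException {
        // The endpoint runs as the super tenant (-1234 / carbon.super); every return below must end this flow,
        // otherwise the pushed context stays on the (pooled) servlet thread.
        PrivilegedCarbonContext.startTenantFlow();
        PrivilegedCarbonContext threadLocalCarbonContext = PrivilegedCarbonContext.getThreadLocalCarbonContext();
        threadLocalCarbonContext.setTenantId(-1234);
        threadLocalCarbonContext.setTenantDomain("carbon.super");
        String parameter = httpServletRequest.getParameter(IntrospectionResponse.CLIENT_ID);
        String sessionDataKey = getSessionDataKey(httpServletRequest);
        String parameter2 = httpServletRequest.getParameter("sessionDataKeyConsent");
        SessionDataCacheKey sessionDataCacheKey = null;
        SessionDataCacheEntry sessionDataCacheEntry = null;
        SessionDataCacheEntry sessionDataCacheEntry2 = null;
        Object attribute = httpServletRequest.getAttribute("authenticatorFlowStatus");
        if ("true".equals(httpServletRequest.getParameter("tocommonauth")) && attribute == null) {
            // Hand-off to the authentication framework; note this happens before any client or session checks.
            try {
                return sendRequestToFramework(httpServletRequest, httpServletResponse);
            } catch (ServletException | IOException e) {
                log.error("Error occurred while sending request to authentication framework.", e);
                return Response.status(500).build();
            } finally {
                PrivilegedCarbonContext.endTenantFlow();
            }
        }
        if (StringUtils.isNotEmpty(sessionDataKey)) {
            sessionDataCacheKey = new SessionDataCacheKey(sessionDataKey);
            sessionDataCacheEntry = SessionDataCache.getInstance().getValueFromCache(sessionDataCacheKey);
        }
        if (StringUtils.isNotEmpty(parameter2)) {
            // The consent entry is single-use: read it and remove it from the cache immediately. A dedicated
            // key is used here so that sessionDataCacheKey keeps referring to the sessionDataKey entry, which
            // is re-added under that key further down.
            SessionDataCacheKey consentCacheKey = new SessionDataCacheKey(parameter2);
            sessionDataCacheEntry2 = SessionDataCache.getInstance().getValueFromCache(consentCacheKey);
            SessionDataCache.getInstance().clearCacheEntry(consentCacheKey);
        }
        if (sessionDataCacheEntry != null && sessionDataCacheEntry2 != null) {
            if (log.isDebugEnabled()) {
                log.debug("Invalid authorization request.'SessionDataKey' found in request as parameter and attribute, and both have non NULL objects in cache");
            }
            Response bothKeysPresent = Response.status(302).location(new URI(EndpointUtil.getErrorPageURL(IntrospectionResponse.Error.INVALID_REQUEST, "Invalid authorization request", null))).build();
            PrivilegedCarbonContext.endTenantFlow();
            return bothKeysPresent;
        }
        if (parameter == null && sessionDataCacheEntry == null && sessionDataCacheEntry2 == null) {
            if (log.isDebugEnabled()) {
                log.debug("Invalid authorization request.'SessionDataKey' not found in request as parameter or attribute, and client_id parameter cannot be found in request");
            }
            Response nothingToProcess = Response.status(302).location(new URI(EndpointUtil.getErrorPageURL(IntrospectionResponse.Error.INVALID_REQUEST, "Invalid authorization request", null))).build();
            PrivilegedCarbonContext.endTenantFlow();
            return nothingToProcess;
        }
        if (sessionDataKey != null && sessionDataCacheEntry == null) {
            if (log.isDebugEnabled()) {
                log.debug("Session data not found in SessionDataCache for " + sessionDataKey);
            }
            Response loginSessionExpired = Response.status(302).location(new URI(EndpointUtil.getErrorPageURL("access_denied", "Session Timed Out", null))).build();
            PrivilegedCarbonContext.endTenantFlow();
            return loginSessionExpired;
        }
        if (parameter2 != null && sessionDataCacheEntry2 == null) {
            if (sessionDataCacheEntry == null) {
                if (log.isDebugEnabled()) {
                    log.debug("Session data not found in SessionDataCache for " + parameter2);
                }
                Response consentSessionExpired = Response.status(302).location(new URI(EndpointUtil.getErrorPageURL("access_denied", "Session Timed Out", null))).build();
                PrivilegedCarbonContext.endTenantFlow();
                return consentSessionExpired;
            }
            // A stale consent key alongside a live login session is ignored.
            parameter2 = null;
        }
        // Decompiled try/catch/finally: every exit of the inner block clears the consent cache entry (unless
        // the retainCache system property is set) and ends the tenant flow before returning.
        try {
            try {
                try {
                    if (StringUtils.isNotEmpty(parameter)) {
                        try {
                            // Only applications in ACTIVE state may start an authorization.
                            if (!"ACTIVE".equalsIgnoreCase(new OAuthAppDAO().getConsumerAppState(parameter))) {
                                if (log.isDebugEnabled()) {
                                    log.debug("Oauth App is not in active state.");
                                }
                                OAuthResponse buildJSONMessage = OAuthASResponse.errorResponse(401).setError("invalid_client").setErrorDescription("Oauth application is not in active state.").buildJSONMessage();
                                Response build = Response.status(buildJSONMessage.getResponseStatus()).entity(buildJSONMessage.getBody()).build();
                                if (parameter2 != null && System.getProperty("retainCache") == null) {
                                    clearCacheEntry(parameter2);
                                }
                                PrivilegedCarbonContext.endTenantFlow();
                                return build;
                            }
                        } catch (IdentityOAuthAdminException e2) {
                            if (log.isDebugEnabled()) {
                                log.debug("Error in getting oauth app state.", e2);
                            }
                            OAuthResponse buildJSONMessage2 = OAuthASResponse.errorResponse(404).setError("server_error").setErrorDescription("Error in getting oauth app state.").buildJSONMessage();
                            Response build2 = Response.status(buildJSONMessage2.getResponseStatus()).entity(buildJSONMessage2.getBody()).build();
                            if (parameter2 != null && System.getProperty("retainCache") == null) {
                                clearCacheEntry(parameter2);
                            }
                            PrivilegedCarbonContext.endTenantFlow();
                            return build2;
                        }
                    }
                    // Initial request: client_id present, no session key of either kind.
                    if (parameter != null && sessionDataKey == null && parameter2 == null) {
                        String handleOAuthAuthorizationRequest = handleOAuthAuthorizationRequest(parameter, httpServletRequest);
                        String str = "oauth2";
                        String parameter3 = httpServletRequest.getParameter(IntrospectionResponse.SCOPE);
                        if (parameter3 != null && parameter3.contains("openid")) {
                            str = "oidc";
                        }
                        Object attribute2 = httpServletRequest.getAttribute("authenticatorFlowStatus");
                        // Unless the framework already reports a completed flow, redirect to the URL computed by
                        // handleOAuthAuthorizationRequest (an error page URL when validation failed).
                        if (attribute2 == null || attribute2 != AuthenticatorFlowStatus.SUCCESS_COMPLETED) {
                            Response build3 = Response.status(302).location(new URI(handleOAuthAuthorizationRequest)).build();
                            if (parameter2 != null && System.getProperty("retainCache") == null) {
                                clearCacheEntry(parameter2);
                            }
                            PrivilegedCarbonContext.endTenantFlow();
                            return build3;
                        }
                        try {
                            Response sendRequestToFramework = sendRequestToFramework(httpServletRequest, httpServletResponse, (String) httpServletRequest.getAttribute("sessionDataKey"), str);
                            if (parameter2 != null && System.getProperty("retainCache") == null) {
                                clearCacheEntry(parameter2);
                            }
                            PrivilegedCarbonContext.endTenantFlow();
                            return sendRequestToFramework;
                        } catch (ServletException | IOException e3) {
                            log.error("Error occurred while sending request to authentication framework.", e3);
                            Response build4 = Response.status(500).build();
                            if (parameter2 != null && System.getProperty("retainCache") == null) {
                                clearCacheEntry(parameter2);
                            }
                            PrivilegedCarbonContext.endTenantFlow();
                            return build4;
                        }
                    }
                    // Post-authentication request: consume the framework's result for sessionDataKey.
                    if (sessionDataCacheEntry != null) {
                        SessionDataCacheEntry sessionDataCacheEntry4 = sessionDataCacheEntry;
                        OAuth2Parameters oAuth2Parameters = sessionDataCacheEntry4.getoAuth2Parameters();
                        AuthenticationResult authenticationResult = getAuthenticationResult(httpServletRequest, sessionDataKey);
                        if (authenticationResult == null) {
                            String applicationName = sessionDataCacheEntry4.getoAuth2Parameters().getApplicationName();
                            if (log.isDebugEnabled()) {
                                log.debug("Invalid authorization request. 'sessionDataKey' attribute found but corresponding AuthenticationResult does not exist in the cache.");
                            }
                            Response build5 = Response.status(302).location(new URI(EndpointUtil.getErrorPageURL(IntrospectionResponse.Error.INVALID_REQUEST, "Invalid authorization request", applicationName))).build();
                            if (parameter2 != null && System.getProperty("retainCache") == null) {
                                clearCacheEntry(parameter2);
                            }
                            PrivilegedCarbonContext.endTenantFlow();
                            return build5;
                        }
                        // The authentication result is single-use: drop it before acting on it.
                        removeAuthenticationResult(httpServletRequest, sessionDataKey);
                        boolean isOIDCAuthzRequest = OAuth2Util.isOIDCAuthzRequest(oAuth2Parameters.getScopes());
                        if (!authenticationResult.isAuthenticated()) {
                            String errorRedirectURL = EndpointUtil.getErrorRedirectURL(OAuthProblemException.error("access_denied", "Authentication required"), oAuth2Parameters);
                            if (isOIDCAuthzRequest) {
                                errorRedirectURL = OIDCSessionManagementUtil.addSessionStateToURL(errorRedirectURL, oAuth2Parameters.getClientId(), oAuth2Parameters.getRedirectURI(), OIDCSessionManagementUtil.getOPBrowserStateCookie(httpServletRequest), oAuth2Parameters.getResponseType());
                            }
                            Response build6 = Response.status(302).location(new URI(errorRedirectURL)).build();
                            if (parameter2 != null && System.getProperty("retainCache") == null) {
                                clearCacheEntry(parameter2);
                            }
                            PrivilegedCarbonContext.endTenantFlow();
                            return build6;
                        }
                        AuthenticatedUser subject = authenticationResult.getSubject();
                        // Work on a mutable copy of the attributes; addUserAttributesToCache later inserts a "sub" claim.
                        if (subject.getUserAttributes() != null) {
                            subject.setUserAttributes(new ConcurrentHashMap(subject.getUserAttributes()));
                        }
                        sessionDataCacheEntry4.setLoggedInUser(subject);
                        sessionDataCacheEntry4.setAuthenticatedIdPs(authenticationResult.getAuthenticatedIdPs());
                        SessionDataCache.getInstance().addToCache(sessionDataCacheKey, sessionDataCacheEntry4);
                        OIDCSessionState oIDCSessionState = new OIDCSessionState();
                        String doUserAuthz = doUserAuthz(httpServletRequest, sessionDataKey, sessionDataCacheEntry4, oIDCSessionState);
                        if (isOIDCAuthzRequest) {
                            doUserAuthz = manageOIDCSessionState(httpServletRequest, httpServletResponse, oIDCSessionState, oAuth2Parameters, subject.getAuthenticatedSubjectIdentifier(), doUserAuthz);
                        }
                        Response build7 = Response.status(302).location(new URI(doUserAuthz)).build();
                        if (parameter2 != null && System.getProperty("retainCache") == null) {
                            clearCacheEntry(parameter2);
                        }
                        PrivilegedCarbonContext.endTenantFlow();
                        return build7;
                    }
                    // Consent request: sessionDataKeyConsent present.
                    if (sessionDataCacheEntry2 == null) {
                        if (log.isDebugEnabled()) {
                            log.debug("Invalid authorization request");
                        }
                        Response build8 = Response.status(302).location(new URI(EndpointUtil.getErrorPageURL(IntrospectionResponse.Error.INVALID_REQUEST, "Invalid authorization request", null))).build();
                        if (parameter2 != null && System.getProperty("retainCache") == null) {
                            clearCacheEntry(parameter2);
                        }
                        PrivilegedCarbonContext.endTenantFlow();
                        return build8;
                    }
                    SessionDataCacheEntry sessionDataCacheEntry5 = sessionDataCacheEntry2;
                    OAuth2Parameters oAuth2Parameters2 = sessionDataCacheEntry5.getoAuth2Parameters();
                    boolean isOIDCAuthzRequest2 = OAuth2Util.isOIDCAuthzRequest(oAuth2Parameters2.getScopes());
                    String parameter4 = httpServletRequest.getParameter("consent");
                    if (parameter4 == null) {
                        String applicationName2 = sessionDataCacheEntry5.getoAuth2Parameters().getApplicationName();
                        if (log.isDebugEnabled()) {
                            log.debug("Invalid authorization request. 'sessionDataKey' parameter found but 'consent' parameter could not be found in request");
                        }
                        Response build9 = Response.status(302).location(new URI(EndpointUtil.getErrorPageURL(IntrospectionResponse.Error.INVALID_REQUEST, "Invalid authorization request", applicationName2))).build();
                        if (parameter2 != null && System.getProperty("retainCache") == null) {
                            clearCacheEntry(parameter2);
                        }
                        PrivilegedCarbonContext.endTenantFlow();
                        return build9;
                    }
                    if ("deny".equals(parameter4)) {
                        // Record the denial for this relying party and send the client an access_denied error.
                        OpenIDConnectUserRPStore.getInstance().putUserRPToStore(sessionDataCacheEntry2.getLoggedInUser(), sessionDataCacheEntry2.getoAuth2Parameters().getApplicationName(), false, oAuth2Parameters2.getClientId());
                        String errorRedirectURL2 = EndpointUtil.getErrorRedirectURL(OAuthProblemException.error("access_denied"), oAuth2Parameters2);
                        if (isOIDCAuthzRequest2) {
                            errorRedirectURL2 = OIDCSessionManagementUtil.addSessionStateToURL(errorRedirectURL2, oAuth2Parameters2.getClientId(), oAuth2Parameters2.getRedirectURI(), OIDCSessionManagementUtil.getOPBrowserStateCookie(httpServletRequest), oAuth2Parameters2.getResponseType());
                        }
                        Response build10 = Response.status(302).location(new URI(errorRedirectURL2)).build();
                        if (parameter2 != null && System.getProperty("retainCache") == null) {
                            clearCacheEntry(parameter2);
                        }
                        PrivilegedCarbonContext.endTenantFlow();
                        return build10;
                    }
                    OIDCSessionState oIDCSessionState2 = new OIDCSessionState();
                    String handleUserConsent = handleUserConsent(httpServletRequest, parameter4, oAuth2Parameters2, sessionDataCacheEntry5, oIDCSessionState2);
                    String authenticatedIdPs = sessionDataCacheEntry5.getAuthenticatedIdPs();
                    // The authenticated IdP list is appended to the client redirect as a URL-encoded query parameter.
                    if (authenticatedIdPs != null && !authenticatedIdPs.isEmpty()) {
                        try {
                            handleUserConsent = handleUserConsent + "&AuthenticatedIdPs=" + URLEncoder.encode(authenticatedIdPs, "UTF-8");
                        } catch (UnsupportedEncodingException e4) {
                            log.error("Error while encoding the url", e4);
                        }
                    }
                    if (isOIDCAuthzRequest2) {
                        oIDCSessionState2.setAddSessionState(true);
                        handleUserConsent = manageOIDCSessionState(httpServletRequest, httpServletResponse, oIDCSessionState2, oAuth2Parameters2, sessionDataCacheEntry5.getLoggedInUser().getAuthenticatedSubjectIdentifier(), handleUserConsent);
                    }
                    Response build11 = Response.status(302).location(new URI(handleUserConsent)).build();
                    if (parameter2 != null && System.getProperty("retainCache") == null) {
                        clearCacheEntry(parameter2);
                    }
                    PrivilegedCarbonContext.endTenantFlow();
                    return build11;
                } catch (Throwable th) {
                    if (parameter2 != null && System.getProperty("retainCache") == null) {
                        clearCacheEntry(parameter2);
                    }
                    PrivilegedCarbonContext.endTenantFlow();
                    throw th;
                }
            } catch (OAuthProblemException e5) {
                if (log.isDebugEnabled()) {
                    log.debug(e5.getError(), e5);
                }
                Response build12 = Response.status(302).location(new URI(EndpointUtil.getErrorPageURL(IntrospectionResponse.Error.INVALID_REQUEST, e5.getMessage(), null))).build();
                if (parameter2 != null && System.getProperty("retainCache") == null) {
                    clearCacheEntry(parameter2);
                }
                PrivilegedCarbonContext.endTenantFlow();
                return build12;
            }
        } catch (OAuthSystemException e6) {
            // No OAuth2Parameters are available here, so the generic error redirect is built with null
            // (the decompiled source carried an unreachable "if (0 != 0)" branch at this point).
            OAuth2Parameters oAuth2Parameters3 = null;
            if (log.isDebugEnabled()) {
                log.debug("Server error occurred while performing authorization", e6);
            }
            Response build13 = Response.status(302).location(new URI(EndpointUtil.getErrorRedirectURL(OAuthProblemException.error("server_error", "Server error occurred while performing authorization"), oAuth2Parameters3))).build();
            if (parameter2 != null && System.getProperty("retainCache") == null) {
                clearCacheEntry(parameter2);
            }
            PrivilegedCarbonContext.endTenantFlow();
            return build13;
        }
    }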

    /**
     * Discards the framework's authentication result for a session so it cannot be replayed.
     *
     * <p>With {@code isCacheAvailable} set the result is removed from the framework cache by key;
     * otherwise only the {@code authResult} request attribute is dropped.
     *
     * @param httpServletRequest the current request
     * @param str the session data key under which the result is cached
     */
    private void removeAuthenticationResult(HttpServletRequest httpServletRequest, String str) {
        if (!this.isCacheAvailable) {
            httpServletRequest.removeAttribute("authResult");
            return;
        }
        FrameworkUtils.removeAuthenticationResultFromCache(str);
    }

    /**
     * Resolves the session data key, preferring the {@code sessionDataKey} request attribute (set by the
     * framework on the server side) over the {@code sessionDataKey} request parameter.
     *
     * @param httpServletRequest the current request
     * @return the key, or {@code null} if neither the attribute nor the parameter is present
     */
    private String getSessionDataKey(HttpServletRequest httpServletRequest) {
        Object attributeValue = httpServletRequest.getAttribute("sessionDataKey");
        return attributeValue != null ? (String) attributeValue : httpServletRequest.getParameter("sessionDataKey");
    }

    /**
     * POST entry point of the authorization endpoint.
     *
     * <p>The form body is folded into the request through {@code OAuthRequestWrapper} so that the same
     * parameter-based processing as {@link #authorize(HttpServletRequest, HttpServletResponse)} applies.
     *
     * @param httpServletRequest the incoming request
     * @param httpServletResponse the servlet response
     * @param multivaluedMap the URL-encoded form parameters of the POST body
     * @return the response produced by the GET handler
     * @throws URISyntaxException if a computed redirect URL is not a valid URI
     */
    @Path("/")
    @Consumes({"application/x-www-form-urlencoded"})
    @POST
    @Produces({"text/html"})
    public Response authorizePost(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse, MultivaluedMap multivaluedMap) throws URISyntaxException {
        HttpServletRequest requestWithFormParams = (HttpServletRequest) new OAuthRequestWrapper(httpServletRequest, multivaluedMap);
        return authorize(requestWithFormParams, httpServletResponse);
    }

    /**
     * Applies the user's consent decision and builds the redirect back to the client.
     *
     * <p>Unless the server is configured to skip user consent, an {@code approveAlways} decision is
     * persisted in the user/RP store. The authorization itself is delegated to
     * {@code authorize(OAuth2Parameters, SessionDataCacheEntry)}: no result at all maps to a
     * {@code server_error} redirect, a result with an error code maps to that error, and a successful
     * result to a redirect carrying code, access token (not for the {@code id_token} / {@code none}
     * response types), id_token and state as applicable.
     *
     * @param httpServletRequest the current request, used by the oltu response builder
     * @param str the value of the {@code consent} parameter
     * @param oAuth2Parameters the parameters of the original authorization request
     * @param sessionDataCacheEntry the consent-phase cache entry (logged-in user, application name, client id)
     * @param oIDCSessionState updated with whether the authorization succeeded
     * @return the redirect URL for the client
     * @throws OAuthSystemException if building the oltu response fails
     */
    private String handleUserConsent(HttpServletRequest httpServletRequest, String str, OAuth2Parameters oAuth2Parameters, SessionDataCacheEntry sessionDataCacheEntry, OIDCSessionState oIDCSessionState) throws OAuthSystemException {
        String applicationName = sessionDataCacheEntry.getoAuth2Parameters().getApplicationName();
        AuthenticatedUser loggedInUser = sessionDataCacheEntry.getLoggedInUser();
        String clientId = sessionDataCacheEntry.getoAuth2Parameters().getClientId();
        boolean skipUserConsent = EndpointUtil.getOAuthServerConfiguration().getOpenIDConnectSkipeUserConsentConfig();
        if (!skipUserConsent && "approveAlways".equals(str)) {
            // Persistent approval: remember the decision for this user / relying party pair.
            OpenIDConnectUserRPStore.getInstance().putUserRPToStore(loggedInUser, applicationName, true, clientId);
        }
        String responseType = oAuth2Parameters.getResponseType();
        OAuth2AuthorizeRespDTO authzResult = authorize(oAuth2Parameters, sessionDataCacheEntry);
        if (authzResult == null) {
            oIDCSessionState.setAuthenticated(false);
            return EndpointUtil.getErrorRedirectURL(OAuthProblemException.error("server_error", "Error occurred while processing the request"), oAuth2Parameters);
        }
        if (authzResult.getErrorCode() != null) {
            oIDCSessionState.setAuthenticated(false);
            String errorMessage = authzResult.getErrorMsg() != null ? authzResult.getErrorMsg() : "Error occurred while processing the request";
            return EndpointUtil.getErrorRedirectURL(OAuthProblemException.error(authzResult.getErrorCode(), errorMessage), oAuth2Parameters);
        }
        OAuthASResponse.OAuthAuthorizationResponseBuilder responseBuilder = OAuthASResponse.authorizationResponse(httpServletRequest, 302);
        String authorizationCode = authzResult.getAuthorizationCode();
        if (StringUtils.isNotBlank(authorizationCode)) {
            responseBuilder.setCode(authorizationCode);
            // The user's attributes (and PKCE challenge) are cached under the code for the token exchange.
            addUserAttributesToCache(sessionDataCacheEntry, authorizationCode, authzResult.getCodeId());
        }
        boolean tokenAllowedForResponseType = !"id_token".equalsIgnoreCase(responseType) && !"none".equalsIgnoreCase(responseType);
        if (tokenAllowedForResponseType && StringUtils.isNotBlank(authzResult.getAccessToken())) {
            responseBuilder.setAccessToken(authzResult.getAccessToken());
            responseBuilder.setExpiresIn(Long.valueOf(authzResult.getValidityPeriod()));
            responseBuilder.setParam(IntrospectionResponse.TOKEN_TYPE, OAuth2TokenEndpoint.BEARER);
        }
        String idToken = authzResult.getIdToken();
        if (StringUtils.isNotBlank(idToken)) {
            responseBuilder.setParam("id_token", idToken);
        }
        String state = oAuth2Parameters.getState();
        if (StringUtils.isNotBlank(state)) {
            responseBuilder.setParam("state", state);
        }
        // buildQueryMessage places every parameter set above, including any access token, in the
        // query component of the redirect URL.
        OAuthResponse redirect = responseBuilder.location(authzResult.getCallbackURI()).buildQueryMessage();
        oIDCSessionState.setAuthenticated(true);
        return redirect.getLocationUri();
    }

    /**
     * Caches the logged-in user's attributes under the issued authorization code so that the token
     * endpoint can pick them up, together with the nonce, code id and PKCE challenge of the request.
     *
     * <p>A {@code sub} claim is added to the user's attribute map when a subject can be determined: the
     * existing value looked up under {@code IntrospectionResponse.SUB}, else the authenticated subject
     * identifier. The cache entry is created from the same map instance before the insertion, so it
     * observes the added claim.
     *
     * @param sessionDataCacheEntry the consent-phase cache entry holding the logged-in user and request params
     * @param str the authorization code that becomes the cache key
     * @param str2 the code id stored alongside the attributes
     */
    private void addUserAttributesToCache(SessionDataCacheEntry sessionDataCacheEntry, String str, String str2) {
        AuthenticatedUser loggedInUser = sessionDataCacheEntry.getLoggedInUser();
        AuthorizationGrantCacheKey grantCacheKey = new AuthorizationGrantCacheKey(str);
        AuthorizationGrantCacheEntry grantCacheEntry = new AuthorizationGrantCacheEntry(loggedInUser.getUserAttributes());
        // NOTE(review): the lookup uses the plain String constant as key while the insertion below uses a
        // ClaimMapping key — confirm the attribute map really contains String-keyed entries.
        String subject = (String) loggedInUser.getUserAttributes().get(IntrospectionResponse.SUB);
        if (StringUtils.isBlank(subject)) {
            subject = loggedInUser.getAuthenticatedSubjectIdentifier();
        }
        if (StringUtils.isNotBlank(subject)) {
            Claim subClaim = new Claim();
            subClaim.setClaimUri(IntrospectionResponse.SUB);
            ClaimMapping subMapping = new ClaimMapping();
            subMapping.setRemoteClaim(subClaim);
            loggedInUser.getUserAttributes().put(subMapping, subject);
        }
        // PKCE values are kept with the code so the token request's code_verifier can be checked against them.
        String[] challengeValues = (String[]) sessionDataCacheEntry.getParamMap().get("code_challenge");
        String[] methodValues = (String[]) sessionDataCacheEntry.getParamMap().get("code_challenge_method");
        String pkceCodeChallenge = (challengeValues != null && challengeValues.length > 0) ? challengeValues[0] : null;
        String pkceCodeChallengeMethod = (methodValues != null && methodValues.length > 0) ? methodValues[0] : null;
        grantCacheEntry.setNonceValue(sessionDataCacheEntry.getoAuth2Parameters().getNonce());
        grantCacheEntry.setCodeId(str2);
        grantCacheEntry.setPkceCodeChallenge(pkceCodeChallenge);
        grantCacheEntry.setPkceCodeChallengeMethod(pkceCodeChallengeMethod);
        AuthorizationGrantCache.getInstance().addToCacheByCode(grantCacheKey, grantCacheEntry);
    }

    private String handleOAuthAuthorizationRequest(String str, HttpServletRequest httpServletRequest) throws OAuthSystemException, OAuthProblemException {
        String parameter = httpServletRequest.getParameter("redirect_uri");
        boolean isPKCESupportEnabled = EndpointUtil.getOAuth2Service().isPKCESupportEnabled();
        if (StringUtils.isBlank(str)) {
            if (log.isDebugEnabled()) {
                log.debug("Client Id is not present in the authorization request");
            }
            return EndpointUtil.getErrorPageURL(IntrospectionResponse.Error.INVALID_REQUEST, "Client Id is not present in the authorization request", null);
        }
        if (StringUtils.isBlank(parameter)) {
            if (log.isDebugEnabled()) {
                log.debug("Redirect URI is not present in the authorization request");
            }
            return EndpointUtil.getErrorPageURL(IntrospectionResponse.Error.INVALID_REQUEST, "Redirect URI is not present in the authorization request", null);
        }
        OAuth2ClientValidationResponseDTO validateClient = validateClient(str, parameter);
        if (!validateClient.isValidClient()) {
            return EndpointUtil.getErrorPageURL(validateClient.getErrorCode(), validateClient.getErrorMsg(), null);
        }
        CarbonOAuthAuthzRequest carbonOAuthAuthzRequest = new CarbonOAuthAuthzRequest(httpServletRequest);
        OAuth2Parameters oAuth2Parameters = new OAuth2Parameters();
        oAuth2Parameters.setClientId(str);
        oAuth2Parameters.setRedirectURI(validateClient.getCallbackURL());
        oAuth2Parameters.setResponseType(carbonOAuthAuthzRequest.getResponseType());
        oAuth2Parameters.setScopes(carbonOAuthAuthzRequest.getScopes());
        if (oAuth2Parameters.getScopes() == null) {
            HashSet hashSet = new HashSet();
            hashSet.add("");
            oAuth2Parameters.setScopes(hashSet);
        }
        oAuth2Parameters.setState(carbonOAuthAuthzRequest.getState());
        oAuth2Parameters.setApplicationName(validateClient.getApplicationName());
        String parameter2 = httpServletRequest.getParameter("code_challenge");
        String parameter3 = httpServletRequest.getParameter("code_challenge_method");
        if (isPKCESupportEnabled) {
            if (validateClient.isPkceMandatory() && (parameter2 == null || !OAuth2Util.validatePKCECodeChallenge(parameter2, parameter3))) {
                return EndpointUtil.getErrorPageURL(IntrospectionResponse.Error.INVALID_REQUEST, "PKCE is mandatory for this application. PKCE Challenge is not provided or is not upto RFC 7636 specification.", null);
            }
            if (parameter2 != null && parameter3 != null && !"plain".equals(parameter3) && !"S256".equals(parameter3)) {
                return EndpointUtil.getErrorPageURL(IntrospectionResponse.Error.INVALID_REQUEST, "Unsupported PKCE Challenge Method", null);
            }
            if (parameter2 != null && !validateClient.isPkceSupportPlain() && (parameter3 == null || "plain".equals(parameter3))) {
                return EndpointUtil.getErrorPageURL(IntrospectionResponse.Error.INVALID_REQUEST, "This application does not support \"plain\" transformation algorithm.", null);
            }
            if (parameter2 != null && !OAuth2Util.validatePKCECodeChallenge(parameter2, parameter3)) {
                return EndpointUtil.getErrorPageURL(IntrospectionResponse.Error.INVALID_REQUEST, "Code challenge used is not up to RFC 7636 specifications.", null);
            }
        }
        oAuth2Parameters.setPkceCodeChallenge(parameter2);
        oAuth2Parameters.setPkceCodeChallengeMethod(parameter3);
        oAuth2Parameters.setNonce(carbonOAuthAuthzRequest.getParam("nonce"));
        oAuth2Parameters.setDisplay(carbonOAuthAuthzRequest.getParam("display"));
        oAuth2Parameters.setIDTokenHint(carbonOAuthAuthzRequest.getParam("id_token_hint"));
        oAuth2Parameters.setLoginHint(carbonOAuthAuthzRequest.getParam("login_hint"));
        if (StringUtils.isNotEmpty(carbonOAuthAuthzRequest.getParam("tenantDomain"))) {
            oAuth2Parameters.setTenantDomain(carbonOAuthAuthzRequest.getParam("tenantDomain"));
        } else {
            oAuth2Parameters.setTenantDomain("carbon.super");
        }
        if (StringUtils.isNotBlank(carbonOAuthAuthzRequest.getParam("acr_values")) && !"null".equals(carbonOAuthAuthzRequest.getParam("acr_values"))) {
            String[] split = carbonOAuthAuthzRequest.getParam("acr_values").split(" ");
            LinkedHashSet linkedHashSet = new LinkedHashSet();
            for (String str2 : split) {
                linkedHashSet.add(str2);
            }
            oAuth2Parameters.setACRValues(linkedHashSet);
        }
        String param = carbonOAuthAuthzRequest.getParam("prompt");
        oAuth2Parameters.setPrompt(param);
        boolean z = false;
        boolean z2 = false;
        boolean equals = "none".equals(param);
        if (StringUtils.isNotBlank(param)) {
            String[] split2 = param.trim().split("\\s");
            equals = "none".equals(param);
            if (split2.length > 1 && equals) {
                if (log.isDebugEnabled()) {
                    log.debug("Invalid prompt variable combination. The value 'none' cannot be used with others prompts. Prompt: " + param);
                }
                return EndpointUtil.getErrorRedirectURL(OAuthProblemException.error(IntrospectionResponse.Error.INVALID_REQUEST, "Invalid prompt variable combination. The value 'none' cannot be used with others prompts."), oAuth2Parameters);
            }
        }
        if ("login".equals(param)) {
            z2 = false;
            z = true;
        } else if (equals) {
            z2 = true;
            z = false;
        } else if ("consent".equals(param)) {
            z2 = false;
            z = false;
        }
        String generateUUID = UUIDGenerator.generateUUID();
        SessionDataCacheKey sessionDataCacheKey = new SessionDataCacheKey(generateUUID);
        SessionDataCacheEntry sessionDataCacheEntry = new SessionDataCacheEntry();
        sessionDataCacheEntry.setoAuth2Parameters(oAuth2Parameters);
        sessionDataCacheEntry.setQueryString(httpServletRequest.getQueryString());
        if (httpServletRequest.getParameterMap() != null) {
            sessionDataCacheEntry.setParamMap(new ConcurrentHashMap(httpServletRequest.getParameterMap()));
        }
        SessionDataCache.getInstance().addToCache(sessionDataCacheKey, sessionDataCacheEntry);
        try {
            httpServletRequest.setAttribute("authenticatorFlowStatus", AuthenticatorFlowStatus.SUCCESS_COMPLETED);
            httpServletRequest.setAttribute("sessionDataKey", generateUUID);
            return EndpointUtil.getLoginPageURL(str, generateUUID, z, z2, carbonOAuthAuthzRequest.getScopes(), httpServletRequest.getParameterMap());
        } catch (IdentityOAuth2Exception e) {
            if (log.isDebugEnabled()) {
                log.debug("Error while retrieving the login page url.", e);
            }
            throw new OAuthSystemException("Error when encoding login page URL");
        }
    }

    /**
     * Asks the OAuth2 service whether the client identified by {@code str} is valid together with the
     * callback supplied in {@code str2}.
     *
     * @param str  client id (consumer key) of the application making the authorization request
     * @param str2 callback/redirect value to check against the client's registration
     *             (the caller that supplies it is outside this chunk — confirm it is the redirect_uri)
     * @return the service's validation result; callers must check {@code isValidClient()} before
     *         relying on any other field of it
     */
    private OAuth2ClientValidationResponseDTO validateClient(String str, String str2) {
        final String clientId = str;
        final String callback = str2;
        return EndpointUtil.getOAuth2Service().validateClientInfo(clientId, callback);
    }

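    /**
     * Decides where the authenticated user goes next, driven by the OIDC {@code prompt} parameter, the
     * server-wide skip-consent setting and whether this user has already approved the application.
     *
     * Outcomes, in the order they are checked:
     * <ul>
     *   <li>no logged-in user: an {@code access_denied} error redirect;</li>
     *   <li>{@code prompt=consent}: the consent page URL, unconditionally;</li>
     *   <li>{@code prompt=none}: never shows a page — {@code access_denied} redirect when consent would be
     *       required, otherwise the consent is treated as approved, the authorization response is built
     *       and the session state's "authenticated" flag is cleared so that
     *       {@code manageOIDCSessionState} does not create or join a browser session for this request;</li>
     *   <li>{@code prompt=login} or no prompt: the consent page URL when consent is required and not yet
     *       given, otherwise the consent is treated as approved and the authorization response is built;</li>
     *   <li>any other prompt value: an empty string, which the caller interprets.</li>
     * </ul>
     *
     * @param httpServletRequest    the current authorization request
     * @param str                   session data key under which the authorization request is cached
     * @param sessionDataCacheEntry cached authorization request, carrying the OAuth2 parameters and the
     *                              logged-in user
     * @param oIDCSessionState      OIDC session-state holder; mutated here to record whether a
     *                              {@code session_state} parameter must be added to the redirect
     * @return a page/redirect URL, or {@code ""} for an unsupported prompt value
     * @throws OAuthSystemException if building one of the URLs or the consent response fails
     */
    private String doUserAuthz(HttpServletRequest httpServletRequest, String str, SessionDataCacheEntry sessionDataCacheEntry, OIDCSessionState oIDCSessionState) throws OAuthSystemException {
        OAuth2Parameters oAuth2Parameters = sessionDataCacheEntry.getoAuth2Parameters();
        AuthenticatedUser loggedInUser = sessionDataCacheEntry.getLoggedInUser();
        String errorRedirectURL = EndpointUtil.getErrorRedirectURL(OAuthProblemException.error("access_denied"), oAuth2Parameters);
        // The null check used to sit after the user had already been dereferenced, so a missing user
        // surfaced as a NullPointerException instead of the access_denied redirect. Deny up front.
        if (loggedInUser == null) {
            return errorRedirectURL;
        }
        String authenticatedSubjectIdentifier = loggedInUser.getAuthenticatedSubjectIdentifier();
        boolean skipUserConsent = EndpointUtil.getOAuthServerConfiguration().getOpenIDConnectSkipeUserConsentConfig();
        boolean hasUserApproved = OpenIDConnectUserRPStore.getInstance().hasUserApproved(loggedInUser, oAuth2Parameters.getApplicationName(), oAuth2Parameters.getClientId());
        // Consent is needed only when the server does not skip it and the user has not approved before.
        boolean consentRequired = !skipUserConsent && !hasUserApproved;
        String userConsentURL = EndpointUtil.getUserConsentURL(oAuth2Parameters, authenticatedSubjectIdentifier, str, OAuth2Util.isOIDCAuthzRequest(oAuth2Parameters.getScopes()));
        String prompt = oAuth2Parameters.getPrompt();
        if ("consent".equals(prompt)) {
            return userConsentURL;
        }
        if ("none".equals(prompt)) {
            // prompt=none must not show any UI: either deny or answer silently.
            oIDCSessionState.setAddSessionState(true);
            if (consentRequired) {
                return errorRedirectURL;
            }
            String silentResponse = handleUserConsent(httpServletRequest, APPROVE, oAuth2Parameters, sessionDataCacheEntry, oIDCSessionState);
            // A silent re-authorization must not register as a fresh login for session management.
            oIDCSessionState.setAuthenticated(false);
            return silentResponse;
        }
        if ("login".equals(prompt) || StringUtils.isBlank(prompt)) {
            if (consentRequired) {
                return userConsentURL;
            }
            oIDCSessionState.setAddSessionState(true);
            return handleUserConsent(httpServletRequest, APPROVE, oAuth2Parameters, sessionDataCacheEntry, oIDCSessionState);
        }
        // Unsupported prompt value: signal it with an empty result and let the caller decide.
        return "";
    }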

    /**
     * Copies the cached authorization parameters and the logged-in user into an
     * {@code OAuth2AuthorizeReqDTO} and asks the OAuth2 service to issue the authorization response.
     *
     * @param oAuth2Parameters      parameters captured when the authorization request was first received
     * @param sessionDataCacheEntry cache entry holding the user who completed authentication
     * @return the service's authorization response (code, token or error, as the service decides)
     */
    private OAuth2AuthorizeRespDTO authorize(OAuth2Parameters oAuth2Parameters, SessionDataCacheEntry sessionDataCacheEntry) {
        OAuth2AuthorizeReqDTO request = new OAuth2AuthorizeReqDTO();
        request.setConsumerKey(oAuth2Parameters.getClientId());
        request.setCallbackUrl(oAuth2Parameters.getRedirectURI());
        request.setResponseType(oAuth2Parameters.getResponseType());
        request.setUser(sessionDataCacheEntry.getLoggedInUser());
        request.setTenantDomain(oAuth2Parameters.getTenantDomain());
        // OIDC extras: nonce, acr_values and the PKCE challenge travel with the request unchanged.
        request.setNonce(oAuth2Parameters.getNonce());
        request.setACRValues(oAuth2Parameters.getACRValues());
        request.setPkceCodeChallenge(oAuth2Parameters.getPkceCodeChallenge());
        request.setPkceCodeChallengeMethod(oAuth2Parameters.getPkceCodeChallengeMethod());
        // Scopes are kept as a set upstream; the service wants a plain array.
        java.util.Set scopeSet = oAuth2Parameters.getScopes();
        String[] scopeArray = (String[]) scopeSet.toArray(new String[scopeSet.size()]);
        request.setScopes(scopeArray);
        return EndpointUtil.getOAuth2Service().authorize(request);
    }

    /**
     * Removes the session-data cache entry for the given key, if there is one.
     *
     * @param str session data key; {@code null} is tolerated and does nothing
     */
    private void clearCacheEntry(String str) {
        if (str == null) {
            return;
        }
        SessionDataCacheKey key = new SessionDataCacheKey(str);
        SessionDataCache cache = SessionDataCache.getInstance();
        // Only clear what is actually present; the lookup keeps the call side-effect free otherwise.
        if (cache.getValueFromCache(key) != null) {
            cache.clearCacheEntry(key);
        }
    }

    /**
     * Returns the framework's authentication result for this request, preferring the one attached to the
     * request and falling back to the framework cache.
     *
     * @param httpServletRequest request that may carry the result as an attribute
     * @param str                key used to look the result up in the cache when the request has none
     * @return the result, or {@code null} if neither source has one
     */
    private AuthenticationResult getAuthenticationResult(HttpServletRequest httpServletRequest, String str) {
        AuthenticationResult fromRequest = getAuthenticationResultFromRequest(httpServletRequest);
        if (fromRequest != null) {
            return fromRequest;
        }
        // Nothing on the request: consult the cache and remember that the cache path was taken.
        this.isCacheAvailable = true;
        return getAuthenticationResultFromCache(str);
    }

    /**
     * Looks the authentication result up in the framework cache.
     *
     * @param str cache key (the session data key)
     * @return the cached result, or {@code null} (after logging an error) when no entry exists
     */
    private AuthenticationResult getAuthenticationResultFromCache(String str) {
        AuthenticationResultCacheEntry cacheEntry = FrameworkUtils.getAuthenticationResultFromCache(str);
        if (cacheEntry == null) {
            log.error("Cannot find AuthenticationResult from the cache");
            return null;
        }
        return cacheEntry.getResult();
    }

    /**
     * Reads the authentication result the framework attached to the request.
     *
     * @param httpServletRequest current request
     * @return the {@code authResult} attribute, or {@code null} when absent
     */
    private AuthenticationResult getAuthenticationResultFromRequest(HttpServletRequest httpServletRequest) {
        Object attribute = httpServletRequest.getAttribute("authResult");
        return (AuthenticationResult) attribute;
    }

    /**
     * Hands the request to the authentication framework and continues the authorization flow according
     * to the flow status the framework leaves on the request.
     *
     * A missing status is recorded as {@code UNKNOWN}; any status other than {@code INCOMPLETE} re-enters
     * {@code authorize}. For an incomplete flow the framework's own output is returned: a redirect is
     * written straight to the response (and {@code null} returned), anything else becomes a 200 response
     * carrying the captured content.
     *
     * @param httpServletRequest  current request
     * @param httpServletResponse current response, wrapped so the framework's output can be captured
     * @return the JAX-RS response to send, or {@code null} when a redirect was already written
     * @throws ServletException   propagated from the framework handler
     * @throws IOException        propagated from the framework handler or the redirect
     * @throws URISyntaxException propagated from {@code authorize}
     */
    private Response sendRequestToFramework(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException, URISyntaxException {
        CommonAuthResponseWrapper responseWrapper = new CommonAuthResponseWrapper(httpServletResponse);
        new CommonAuthenticationHandler().doGet(httpServletRequest, responseWrapper);
        Object flowStatus = httpServletRequest.getAttribute("authenticatorFlowStatus");
        if (flowStatus == null) {
            httpServletRequest.setAttribute("authenticatorFlowStatus", AuthenticatorFlowStatus.UNKNOWN);
        }
        // null falls through here as well, since it is not INCOMPLETE.
        if (flowStatus != AuthenticatorFlowStatus.INCOMPLETE) {
            return authorize(httpServletRequest, httpServletResponse);
        }
        if (responseWrapper.isRedirect()) {
            httpServletResponse.sendRedirect(responseWrapper.getRedirectURL());
            return null;
        }
        return Response.ok(responseWrapper.getContent()).build();
    }

    /**
     * Same as the two-argument overload, but first wraps the request so the framework sees the
     * {@code sessionDataKey} and {@code type} parameters given here.
     *
     * A missing status is recorded as {@code UNKNOWN}; any status other than {@code INCOMPLETE} re-enters
     * {@code authorize} with the wrapped request and response. For an incomplete flow the framework's own
     * output is returned: a redirect is written straight to the response (and {@code null} returned),
     * anything else becomes a 200 response carrying the captured content.
     *
     * @param httpServletRequest  current request; the status attribute is read from it after the call
     * @param httpServletResponse current response, wrapped so the framework's output can be captured
     * @param str                 value for the {@code sessionDataKey} request parameter
     * @param str2                value for the {@code type} request parameter
     * @return the JAX-RS response to send, or {@code null} when a redirect was already written
     * @throws ServletException   propagated from the framework handler
     * @throws IOException        propagated from the framework handler or the redirect
     * @throws URISyntaxException propagated from {@code authorize}
     */
    private Response sendRequestToFramework(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, String str2) throws ServletException, IOException, URISyntaxException {
        CommonAuthRequestWrapper requestWrapper = new CommonAuthRequestWrapper(httpServletRequest);
        requestWrapper.setParameter("sessionDataKey", str);
        requestWrapper.setParameter("type", str2);
        CommonAuthResponseWrapper responseWrapper = new CommonAuthResponseWrapper(httpServletResponse);
        new CommonAuthenticationHandler().doGet(requestWrapper, responseWrapper);
        Object flowStatus = httpServletRequest.getAttribute("authenticatorFlowStatus");
        if (flowStatus == null) {
            requestWrapper.setAttribute("authenticatorFlowStatus", AuthenticatorFlowStatus.UNKNOWN);
        }
        // null falls through here as well, since it is not INCOMPLETE.
        if (flowStatus != AuthenticatorFlowStatus.INCOMPLETE) {
            return authorize((HttpServletRequest) requestWrapper, (HttpServletResponse) responseWrapper);
        }
        if (responseWrapper.isRedirect()) {
            httpServletResponse.sendRedirect(responseWrapper.getRedirectURL());
            return null;
        }
        return Response.ok(responseWrapper.getContent()).build();
    }

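    /**
     * Reconciles the OIDC session state (OP browser-state cookie plus the server-side session it points
     * to) with the outcome of this authorization and, when required, appends the {@code session_state}
     * parameter to the redirect URL.
     *
     * When the request authenticated a user: without a cookie, a new cookie and server-side session are
     * created for this user and client; with a cookie, the stored session must belong to the same user —
     * a mismatch turns the redirect into an {@code access_denied} error page and suppresses
     * {@code session_state} — and the client is added as a participant if it is not one yet (which
     * rotates the cookie value).
     *
     * @param httpServletRequest  current request (source of the OP browser-state cookie)
     * @param httpServletResponse response on which a fresh OP browser-state cookie may be set
     * @param oIDCSessionState    session state produced by this authorization; {@code isAuthenticated()}
     *                            decides whether a session is created/joined, {@code isAddSessionState()}
     *                            whether the URL gets a {@code session_state} parameter
     * @param oAuth2Parameters    parameters of the authorization request (client id, redirect URI,
     *                            response type)
     * @param str                 identifier of the authenticated user
     * @param str2                redirect URL built so far
     * @return the redirect URL, possibly replaced by an error page URL or extended with
     *         {@code session_state}
     */
    private String manageOIDCSessionState(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OIDCSessionState oIDCSessionState, OAuth2Parameters oAuth2Parameters, String str, String str2) {
        Cookie opBrowserStateCookie = OIDCSessionManagementUtil.getOPBrowserStateCookie(httpServletRequest);
        String redirectUrl = str2;
        if (oIDCSessionState.isAuthenticated()) {
            if (opBrowserStateCookie == null) {
                // First login in this browser: issue the cookie and store a new session under its value.
                opBrowserStateCookie = OIDCSessionManagementUtil.addOPBrowserStateCookie(httpServletResponse);
                oIDCSessionState.setAuthenticatedUser(str);
                oIDCSessionState.addSessionParticipant(oAuth2Parameters.getClientId());
                OIDCSessionManagementUtil.getSessionManager().storeOIDCSessionState(opBrowserStateCookie.getValue(), oIDCSessionState);
            } else {
                OIDCSessionState existingState = OIDCSessionManagementUtil.getSessionManager().getOIDCSessionState(opBrowserStateCookie.getValue());
                if (existingState == null) {
                    // NOTE(review): the cookie value is still used for session_state below even though
                    // no server-side session backs it — confirm that is intended.
                    log.warn("No session state found for the received Session ID : " + opBrowserStateCookie.getValue());
                } else {
                    String sessionOwner = existingState.getAuthenticatedUser();
                    // A session with no recorded owner is treated as not belonging to this user rather
                    // than raising a NullPointerException on the comparison.
                    boolean ownedByThisUser = sessionOwner != null && sessionOwner.equals(str);
                    if (!ownedByThisUser) {
                        if (log.isDebugEnabled()) {
                            log.debug("Existing session is not authenticated for the given user " + str);
                        }
                        redirectUrl = EndpointUtil.getErrorPageURL("access_denied", "No valid session found for the authenticated user " + str, oAuth2Parameters.getApplicationName());
                        oIDCSessionState.setAddSessionState(false);
                    } else if (!existingState.getSessionParticipants().contains(oAuth2Parameters.getClientId())) {
                        // Joining an existing session rotates the cookie; the session is re-keyed under
                        // the new value with this client added as a participant.
                        String previousCookieValue = opBrowserStateCookie.getValue();
                        opBrowserStateCookie = OIDCSessionManagementUtil.addOPBrowserStateCookie(httpServletResponse);
                        String newCookieValue = opBrowserStateCookie.getValue();
                        existingState.addSessionParticipant(oAuth2Parameters.getClientId());
                        OIDCSessionManagementUtil.getSessionManager().restoreOIDCSessionState(previousCookieValue, newCookieValue, existingState);
                    }
                }
            }
        }
        if (oIDCSessionState.isAddSessionState()) {
            String cookieValue = opBrowserStateCookie == null ? null : opBrowserStateCookie.getValue();
            String sessionStateParam = OIDCSessionManagementUtil.getSessionStateParam(oAuth2Parameters.getClientId(), oAuth2Parameters.getRedirectURI(), cookieValue);
            redirectUrl = OIDCSessionManagementUtil.addSessionStateToURL(redirectUrl, sessionStateParam, oAuth2Parameters.getResponseType());
        }
        return redirectUrl;
    }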
}
