package io.jans.as.server.authorize.ws.rs;

import com.google.common.collect.Maps;
import io.jans.as.common.model.common.User;
import io.jans.as.common.model.registration.Client;
import io.jans.as.common.model.session.SessionId;
import io.jans.as.model.authorize.AuthorizationChallengeResponse;
import io.jans.as.model.authorize.AuthorizeErrorResponseType;
import io.jans.as.model.configuration.AppConfiguration;
import io.jans.as.model.crypto.binding.TokenBindingMessage;
import io.jans.as.model.crypto.binding.TokenBindingParseException;
import io.jans.as.model.error.ErrorResponseFactory;
import io.jans.as.server.audit.ApplicationAuditLogger;
import io.jans.as.server.model.authorize.ScopeChecker;
import io.jans.as.server.model.common.AuthorizationCodeGrant;
import io.jans.as.server.model.common.AuthorizationGrantList;
import io.jans.as.server.model.common.ExecutionContext;
import io.jans.as.server.security.Identity;
import io.jans.as.server.service.CookieService;
import io.jans.as.server.service.RequestParameterService;
import io.jans.as.server.service.SessionIdService;
import io.jans.as.server.service.external.ExternalAuthorizationChallengeService;
import io.jans.as.server.util.ServerUtil;
import jakarta.enterprise.context.RequestScoped;
import jakarta.inject.Inject;
import jakarta.inject.Named;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import java.io.IOException;
import java.util.Date;
import java.util.Map;
import java.util.Set;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang3.BooleanUtils;
import org.slf4j.Logger;

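@Named
@RequestScoped
/**
 * Request-scoped service behind the OAuth 2.0 authorization challenge endpoint.
 *
 * <p>{@link #requestAuthorization(AuthzRequest)} is the entry point: it validates the client
 * and request, runs the external authorization challenge script when no user is authenticated
 * yet, issues an {@link AuthorizationCodeGrant} and returns the authorization code as JSON.
 * Every request, whether it succeeds or fails, is reported to the {@link ApplicationAuditLogger}.
 */
public class AuthorizationChallengeService {

    /** Session DN stored on the grant when no session exists or none is generated. */
    private static final String NO_SESSION_DN = "no_session_for_authorization_challenge";

    @Inject
    private Logger log;

    @Inject
    private AuthzRequestService authzRequestService;

    @Inject
    private ApplicationAuditLogger applicationAuditLogger;

    @Inject
    private AuthorizeRestWebServiceValidator authorizeRestWebServiceValidator;

    @Inject
    private ScopeChecker scopeChecker;

    @Inject
    private AuthorizationGrantList authorizationGrantList;

    @Inject
    private AuthorizationChallengeValidator authorizationChallengeValidator;

    @Inject
    private ExternalAuthorizationChallengeService externalAuthorizationChallengeService;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private DeviceSessionService deviceSessionService;

    @Inject
    private Identity identity;

    @Inject
    private SessionIdService sessionIdService;

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private RequestParameterService requestParameterService;

    @Inject
    private CookieService cookieService;

    /**
     * Handles an authorization challenge request end to end.
     *
     * <p>Delegates to {@link #authorize(AuthzRequest)}; error responses raised there as
     * {@link WebApplicationException} are propagated unchanged, any other failure is logged
     * with its stack trace and mapped to a bare {@code 500} so that no internal detail reaches
     * the client. The audit record is sent on every path.
     *
     * @param authzRequest the parsed request; its audit log is created here and sent on exit
     * @return the success response, or a {@code 500} on unexpected failure
     * @throws WebApplicationException when {@code authorize} rejects the request
     */
    public Response requestAuthorization(AuthzRequest authzRequest) {
        log.debug("Attempting to request authz challenge: {}", authzRequest);
        authzRequestService.createOauth2AuditLog(authzRequest);
        try {
            return authorize(authzRequest);
        } catch (WebApplicationException e) {
            // Expected rejections carry their own response; AuthzRequestService decides which
            // of them are worth a server-side error log entry.
            if (log.isErrorEnabled() && AuthzRequestService.canLogWebApplicationException(e)) {
                log.error(e.getMessage(), e);
            }
            throw e;
        } catch (Exception e) {
            // Unexpected failure: keep the detail in the server log, not in the response body.
            log.error(e.getMessage(), e);
            return Response.status(Response.Status.INTERNAL_SERVER_ERROR).build();
        } finally {
            applicationAuditLogger.sendMessage(authzRequest.getAuditLog());
        }
    }

    /**
     * Normalises the incoming request before validation: URL-decodes {@code scope} and, when a
     * {@code device_session} identifier is present, resolves it to the stored device session
     * object.
     *
     * @param authzRequest the request to mutate in place
     */
    public void prepareAuthzRequest(AuthzRequest authzRequest) {
        authzRequest.setScope(ServerUtil.urlDecode(authzRequest.getScope()));
        if (StringUtils.isNotBlank(authzRequest.getDeviceSession())) {
            authzRequest.setDeviceSessionObject(deviceSessionService.getDeviceSession(authzRequest.getDeviceSession()));
        }
    }

    /**
     * Validates the request, authenticates the user through the external authorization challenge
     * script when no session user exists, and issues an authorization code grant.
     *
     * <p>Order matters: client, grant-type, access, scope and authorization-details checks all
     * run before the script is executed and before any grant is persisted, so a request that
     * fails validation never triggers the script.
     *
     * @param authzRequest the prepared request
     * @return the JSON success response carrying the authorization code
     * @throws IOException               if the response entity cannot be serialised
     * @throws TokenBindingParseException if the {@code Sec-Token-Binding} header is malformed
     * @throws WebApplicationException    if validation fails or the script denies access
     */
    public Response authorize(AuthzRequest authzRequest) throws IOException, TokenBindingParseException {
        final String state = authzRequest.getState();
        final String tokenBindingHeader = authzRequest.getHttpRequest().getHeader("Sec-Token-Binding");

        prepareAuthzRequest(authzRequest);

        SessionId sessionId = identity.getSessionId();
        User user = sessionIdService.getUser(sessionId);

        final Client client = authorizeRestWebServiceValidator.validateClient(authzRequest, false);
        authorizationChallengeValidator.validateGrantType(client, state);
        authorizationChallengeValidator.validateAccess(client);
        final Set<String> grantedScopes = scopeChecker.checkScopesPolicy(client, authzRequest.getScope());
        authorizeRestWebServiceValidator.validateAuthorizationDetails(authzRequest, client);

        final ExecutionContext executionContext = ExecutionContext.of(authzRequest);
        if (user == null) {
            log.trace("Executing external authentication challenge");
            if (!externalAuthorizationChallengeService.externalAuthorize(executionContext)) {
                log.debug("Not allowed by authorization challenge script, client_id {}.", client.getClientId());
                throw new WebApplicationException(errorResponseFactory
                        .newErrorResponse(Response.Status.BAD_REQUEST)
                        .entity(errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.ACCESS_DENIED, state, "No allowed by authorization challenge script."))
                        .build());
            }
            // NOTE(review): if the script reports success without setting a user, the grant below
            // is issued for an empty User object — confirm this is the intended contract.
            user = executionContext.getUser() != null ? executionContext.getUser() : new User();
            if (sessionId == null) {
                sessionId = generateAuthenticateSessionWithCookie(authzRequest, user);
            }
        }

        // The script that authenticated the user, if any, is recorded as the grant's ACR.
        final String acrValues = executionContext.getScript() != null
                ? executionContext.getScript().getName()
                : authzRequest.getAcrValues();

        final AuthorizationCodeGrant grant = authorizationGrantList.createAuthorizationCodeGrant(user, client, new Date());
        grant.setNonce(authzRequest.getNonce());
        grant.setJwtAuthorizationRequest(authzRequest.getJwtRequest());
        grant.setTokenBindingHash(TokenBindingMessage.getTokenBindingIdHashFromTokenBindingMessage(tokenBindingHeader, client.getIdTokenTokenBindingCnf()));
        grant.setScopes(grantedScopes);
        grant.setAuthzDetails(authzRequest.getAuthzDetails());
        grant.setCodeChallenge(authzRequest.getCodeChallenge());
        grant.setCodeChallengeMethod(authzRequest.getCodeChallengeMethod());
        grant.setClaims(authzRequest.getClaims());
        grant.setSessionDn(sessionId != null ? sessionId.getDn() : NO_SESSION_DN);
        grant.setAcrValues(acrValues);
        grant.save();

        return createSuccessfulResponse(grant.getAuthorizationCode().getCode());
    }

    /**
     * Creates an authenticated session for {@code user}, copies the allow-listed request
     * parameters into it and sets the session cookie on the response.
     *
     * @param authzRequest the request whose HTTP request/response carry the cookie
     * @param user         the authenticated user; {@code null} skips session generation
     * @return the new session, or {@code null} when the user is absent or
     *         {@code authorizationChallengeShouldGenerateSession} is {@code false}
     */
    private SessionId generateAuthenticateSessionWithCookie(AuthzRequest authzRequest, User user) {
        if (user == null) {
            log.trace("Skip session_id generation because user is null");
            return null;
        }
        if (BooleanUtils.isFalse(appConfiguration.getAuthorizationChallengeShouldGenerateSession())) {
            log.trace("Skip session_id generation because it's not allowed by AS configuration ('authorizationChallengeShouldGenerateSession=false')");
            return null;
        }

        // Only parameters passing requestParameterService's allow-list reach the session, and
        // attributes the freshly generated session already carries are never overwritten by them.
        final Map<String, String> allowedParameters = requestParameterService.getAllowedParameters(
                Maps.newHashMap(AuthorizeRestWebServiceImpl.getGenericRequestMap(authzRequest.getHttpRequest())));
        final SessionId sessionUser = sessionIdService.generateAuthenticatedSessionId(
                authzRequest.getHttpRequest(), user.getDn(), authzRequest.getPrompt());
        allowedParameters.forEach((key, value) -> {
            if (!sessionUser.getSessionAttributes().containsKey(key)) {
                sessionUser.getSessionAttributes().put(key, value);
            }
        });

        cookieService.createSessionIdCookie(sessionUser, authzRequest.getHttpRequest(), authzRequest.getHttpResponse(), false);
        sessionIdService.updateSessionId(sessionUser);
        log.trace("Session updated with {}", sessionUser);
        return sessionUser;
    }

    /**
     * Builds the {@code 200} JSON response carrying the issued authorization code, with the
     * cache-control settings produced by {@link ServerUtil#cacheControl(boolean)}.
     *
     * @param authorizationCode the code to return to the client
     * @return the response
     * @throws IOException if the entity cannot be serialised to JSON
     */
    public Response createSuccessfulResponse(String authorizationCode) throws IOException {
        final AuthorizationChallengeResponse body = new AuthorizationChallengeResponse();
        body.setAuthorizationCode(authorizationCode);
        return Response.status(Response.Status.OK)
                .entity(ServerUtil.asJson(body))
                .cacheControl(ServerUtil.cacheControl(true))
                .type(MediaType.APPLICATION_JSON_TYPE)
                .build();
    }
}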
