package org.apache.sling.auth.oauth_client.impl;

import com.nimbusds.oauth2.sdk.AuthorizationCode;
import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
import com.nimbusds.oauth2.sdk.AuthorizationResponse;
import com.nimbusds.oauth2.sdk.ErrorObject;
import com.nimbusds.oauth2.sdk.ErrorResponse;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.TokenRequest;
import com.nimbusds.oauth2.sdk.TokenResponse;
import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.id.ClientID;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.function.Function;
import java.util.stream.Collectors;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.apache.sling.auth.oauth_client.ClientConnection;
import org.apache.sling.servlets.annotations.SlingServletPaths;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferencePolicyOption;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

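/**
 * Servlet that receives the OAuth 2.0 authorization-code callback.
 *
 * <p>On {@code GET} it parses the authorization response from the request URL, checks the
 * {@code state} parameter against the per-request key stored in the
 * {@link OAuthStateManager#COOKIE_NAME_REQUEST_KEY} cookie, exchanges the authorization code at
 * the connection's token endpoint and persists the returned tokens through
 * {@link OAuthTokenStore}. State/parse failures answer {@code 400}; everything past the state
 * check is surfaced as {@link OAuthCallbackException}.
 */
@Component(service = {Servlet.class}, property = {"sling.auth.requirements=/system/sling/oauth/callback"})
@SlingServletPaths({OAuthCallbackServlet.PATH})
public class OAuthCallbackServlet extends SlingAllMethodsServlet {
    /** Path the servlet is registered at; also the path segment of the callback URI. */
    static final String PATH = "/system/sling/oauth/callback";
    private static final long serialVersionUID = 1;
    private final Logger logger = LoggerFactory.getLogger(getClass());
    /** Connections indexed by {@link ClientConnection#name()}. */
    private final Map<String, ClientConnection> connections;
    private final OAuthTokenStore tokenStore;
    private final OAuthStateManager stateManager;

    /**
     * Creates the servlet.
     *
     * @param list connections to make available by name; names must be unique, otherwise
     *     {@link Collectors#toMap} throws {@link IllegalStateException} at activation
     * @param oAuthTokenStore store that receives the exchanged tokens
     * @param oAuthStateManager manager used to resolve the {@code state} parameter
     */
    @Activate
    public OAuthCallbackServlet(@Reference(policyOption = ReferencePolicyOption.GREEDY) List<ClientConnection> list, @Reference OAuthTokenStore oAuthTokenStore, @Reference OAuthStateManager oAuthStateManager) {
        this.connections = list.stream().collect(Collectors.toMap(ClientConnection::name, Function.identity()));
        this.tokenStore = oAuthTokenStore;
        this.stateManager = oAuthStateManager;
    }

    /**
     * Builds the absolute callback URI for the given request: scheme, server name, the port
     * when it is not the scheme's default, and {@link #PATH}.
     *
     * <p>NOTE(review): scheme, server name and port are whatever the servlet container reports
     * for the request. Behind a reverse proxy that terminates TLS, confirm the container is
     * configured to trust the proxy's forwarding headers, otherwise the {@code redirect_uri}
     * sent in the token request may not match the one registered at the provider.
     *
     * <p>The decompiler note on the original marks this as originally package-private; it is
     * kept {@code public} here for compatibility.
     *
     * @param httpServletRequest the incoming request
     * @return the absolute callback URI as a string
     */
    public static String getCallbackUri(HttpServletRequest httpServletRequest) {
        String scheme = httpServletRequest.getScheme();
        int port = httpServletRequest.getServerPort();
        // Only emit an explicit port when it differs from the scheme's default; any other
        // scheme gets no port, matching the original behavior.
        boolean appendPort = ("http".equals(scheme) && port != 80) || ("https".equals(scheme) && port != 443);
        StringBuilder uri = new StringBuilder(scheme).append("://").append(httpServletRequest.getServerName());
        if (appendPort) {
            uri.append(':').append(port);
        }
        return uri.append(PATH).toString();
    }

    /**
     * Formats an OAuth error response as a single log/exception message.
     *
     * @param str prefix describing where the error occurred
     * @param errorResponse the provider's error response
     * @return {@code "<prefix>: <code>. Status code: <status>[. <description>]"}
     */
    private static String toErrorMessage(String str, ErrorResponse errorResponse) {
        ErrorObject errorObject = errorResponse.getErrorObject();
        StringBuilder sb = new StringBuilder()
                .append(str).append(": ").append(errorObject.getCode())
                .append(". Status code: ").append(errorObject.getHTTPStatusCode());
        String description = errorObject.getDescription();
        if (description != null) {
            sb.append(". ").append(description);
        }
        return sb.toString();
    }

    /**
     * Looks up the connection named in the stored state.
     *
     * @param connectionName name from {@link OAuthState#connectionName()}
     * @return the matching connection
     * @throws IllegalArgumentException when the name is missing or unknown
     */
    private ClientConnection requireConnection(String connectionName) {
        if (connectionName == null || connectionName.isEmpty()) {
            throw new IllegalArgumentException("No connection found in clientState");
        }
        ClientConnection clientConnection = this.connections.get(connectionName);
        if (clientConnection == null) {
            throw new IllegalArgumentException(String.format("Requested unknown connection '%s'", connectionName));
        }
        return clientConnection;
    }

    /**
     * Exchanges the authorization code at the connection's token endpoint using
     * client-secret basic authentication.
     *
     * @param clientConnection connection whose endpoint and credentials are used
     * @param authorizationCode code received in the authorization response
     * @param request the callback request, used to rebuild the {@code redirect_uri}
     * @return the parsed token response (success or error)
     * @throws URISyntaxException if the token endpoint or callback URI is malformed
     * @throws IOException if the token endpoint cannot be reached
     * @throws ParseException if the token endpoint's reply is not a valid token response
     */
    private TokenResponse exchangeAuthorizationCode(ClientConnection clientConnection, String authorizationCode, HttpServletRequest request)
            throws URISyntaxException, IOException, ParseException {
        ResolvedOAuthConnection resolved = ResolvedOAuthConnection.resolve(clientConnection);
        ClientSecretBasic clientAuth = new ClientSecretBasic(new ClientID(resolved.clientId()), new Secret(resolved.clientSecret()));
        AuthorizationCodeGrant grant = new AuthorizationCodeGrant(new AuthorizationCode(authorizationCode), new URI(getCallbackUri(request)));
        HTTPRequest tokenRequest = new TokenRequest.Builder(new URI(resolved.tokenEndpoint()), clientAuth, grant).build().toHTTPRequest();
        tokenRequest.setAccept("application/json");
        return TokenResponse.parse(tokenRequest.send());
    }

    /**
     * Handles the provider's redirect back to this servlet.
     *
     * <p>Responds {@code 400} when the authorization response cannot be parsed, when the
     * {@code state} is unknown, or when the request-key cookie is absent. A mismatching
     * request key, a provider error, an unknown connection or a failed token exchange is
     * reported as {@link OAuthCallbackException}. On success the tokens are persisted and the
     * response is either {@code 204} or a redirect to the target stored with the state.
     *
     * @throws OAuthCallbackException on any failure after the state lookup
     */
    @Override
    protected void doGet(SlingHttpServletRequest slingHttpServletRequest, SlingHttpServletResponse slingHttpServletResponse) throws ServletException, IOException {
        StringBuffer requestURL = slingHttpServletRequest.getRequestURL();
        String queryString = slingHttpServletRequest.getQueryString();
        if (queryString != null) {
            requestURL.append('?').append(queryString);
        }
        try {
            AuthorizationResponse authResponse = AuthorizationResponse.parse(new URI(requestURL.toString()));
            Optional<OAuthState> oAuthState = this.stateManager.toOAuthState(authResponse.getState());
            if (!oAuthState.isPresent()) {
                this.logger.debug("Failed state check: no state found in authorization response");
                slingHttpServletResponse.setStatus(400);
                return;
            }
            Cookie cookie = slingHttpServletRequest.getCookie(OAuthStateManager.COOKIE_NAME_REQUEST_KEY);
            if (cookie == null) {
                this.logger.debug("Failed state check: No request cookie named '{}' found", OAuthStateManager.COOKIE_NAME_REQUEST_KEY);
                slingHttpServletResponse.setStatus(400);
                return;
            }
            OAuthState state = oAuthState.get();
            try {
                // The cookie value is client-supplied; compare in constant time so the check
                // does not leak how much of the expected key matched.
                String presentedKey = cookie.getValue();
                byte[] expected = state.perRequestKey().getBytes(StandardCharsets.UTF_8);
                if (presentedKey == null || !MessageDigest.isEqual(expected, presentedKey.getBytes(StandardCharsets.UTF_8))) {
                    throw new IllegalStateException("Failed state check: request keys from client and server are not the same");
                }
                if (!authResponse.indicatesSuccess()) {
                    throw new OAuthCallbackException("Authentication failed", new RuntimeException(toErrorMessage("Error in authentication response", authResponse.toErrorResponse())));
                }
                String redirect = state.redirect();
                String authorizationCode = authResponse.toSuccessResponse().getAuthorizationCode().getValue();
                ClientConnection clientConnection = requireConnection(state.connectionName());
                TokenResponse tokenResponse = exchangeAuthorizationCode(clientConnection, authorizationCode, slingHttpServletRequest);
                if (!tokenResponse.indicatesSuccess()) {
                    throw new OAuthCallbackException("Token exchange error", new RuntimeException(toErrorMessage("Error in token response", tokenResponse.toErrorResponse())));
                }
                this.tokenStore.persistTokens(clientConnection, slingHttpServletRequest.getResourceResolver(), Converter.toSlingOAuthTokens(tokenResponse.toSuccessResponse().getTokens()));
                if (redirect == null) {
                    slingHttpServletResponse.setStatus(204);
                } else {
                    // NOTE(review): the target comes from the stored state, not from the
                    // callback query. Confirm OAuthStateManager restricts it to local paths
                    // when the state is created, since this servlet does not validate it.
                    slingHttpServletResponse.sendRedirect(URLDecoder.decode(redirect, StandardCharsets.UTF_8));
                }
            } catch (OAuthCallbackException e) {
                // Most specific first: the decompiled ordering placed these after
                // catch (Exception), which javac rejects as unreachable.
                throw e;
            } catch (ParseException e) {
                throw new OAuthCallbackException("Invalid invocation", e);
            } catch (IllegalArgumentException e) {
                throw new OAuthCallbackException("Internal error", e);
            } catch (IllegalStateException e) {
                throw new OAuthCallbackException("State check failed", e);
            } catch (Exception e) {
                throw new OAuthCallbackException("Unknown error", e);
            }
        } catch (ParseException | URISyntaxException e) {
            this.logger.debug("Failed to parse authorization response", e);
            slingHttpServletResponse.setStatus(400);
        }
    }
}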
