package org.apache.sling.auth.oauth_client.impl;

import com.nimbusds.oauth2.sdk.AuthorizationRequest;
import com.nimbusds.oauth2.sdk.ResponseType;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Identifier;
import java.io.IOException;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.net.URI;
import java.util.List;
import java.util.Map;
import java.util.function.Function;
import java.util.stream.Collectors;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.apache.sling.auth.oauth_client.ClientConnection;
import org.apache.sling.servlets.annotations.SlingServletPaths;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferencePolicyOption;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

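/**
 * Starts the OAuth 2.0 authorization-code flow for a configured {@link ClientConnection}.
 *
 * <p>A GET request names the connection in the {@code c} parameter. The servlet answers with a
 * redirect to the connection's authorization endpoint and sets a short-lived cookie whose value is
 * also embedded in the OAuth {@code state} parameter.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The servlet path is listed under {@code sling.auth.requirements}; presumably this means only
 *       authenticated sessions reach {@link #doGet} - confirm against the deployment.</li>
 *   <li>The cookie/state pair only protects against cross-site request forgery if the callback
 *       compares both values. That comparison lives in the callback servlet, which is not part of
 *       this file - verify it there.</li>
 *   <li>The post-login redirect target is taken from the request without validation in this class;
 *       see {@link #getAuthenticationRequestUri}.</li>
 * </ul>
 */
@Component(service = {Servlet.class}, property = {"sling.auth.requirements=/system/sling/oauth/entry-point"})
@SlingServletPaths({OAuthEntryPointServlet.PATH})
public class OAuthEntryPointServlet extends SlingAllMethodsServlet {
    private static final long serialVersionUID = 1L;

    /** Lifetime of the request-key cookie; bounds how long a started flow can be completed. */
    private static final int COOKIE_MAX_AGE_SECONDS = 300;

    /** Path this servlet is registered at. */
    public static final String PATH = "/system/sling/oauth/entry-point";

    private final Logger logger = LoggerFactory.getLogger(getClass());

    /** Configured connections keyed by {@link ClientConnection#name()}. */
    private final Map<String, ClientConnection> connections;

    private final OAuthStateManager stateManager;

    /**
     * Redirect location together with the cookie that must accompany it.
     *
     * <p>Restored to record syntax: the decompiled listing spelled this out as a class extending
     * {@code java.lang.Record} with {@code ObjectMethods.bootstrap} calls, which is what the
     * compiler generates for a record with the components {@code uri} and {@code cookie}. The
     * decompiler notes that it widened the access from package-private; the widened visibility is
     * kept here so existing references keep compiling.
     *
     * @param uri    authorization request URI the browser is redirected to
     * @param cookie cookie carrying the request key for this flow
     */
    public record RedirectTarget(URI uri, Cookie cookie) {}

    /**
     * Indexes the available connections by name.
     *
     * @param list              all registered client connections
     * @param oAuthStateManager converts the flow state to and from the OAuth {@code state} parameter
     * @throws IllegalStateException if two connections share a name ({@code Collectors.toMap}
     *                               rejects duplicate keys)
     */
    @Activate
    public OAuthEntryPointServlet(@Reference(policyOption = ReferencePolicyOption.GREEDY) List<ClientConnection> list, @Reference OAuthStateManager oAuthStateManager) {
        this.connections = list.stream().collect(Collectors.toMap(ClientConnection::name, Function.identity()));
        this.stateManager = oAuthStateManager;
    }

    /**
     * Redirects the browser to the authorization endpoint of the connection named by {@code c}.
     *
     * <p>Responds with 400 when {@code c} is missing or does not match a configured connection.
     * The response does not reveal which connections exist; the known names are only written to
     * the debug log.
     *
     * @throws OAuthEntryPointException wrapping any exception raised while handling the request
     */
    protected void doGet(SlingHttpServletRequest slingHttpServletRequest, SlingHttpServletResponse slingHttpServletResponse) throws ServletException, IOException {
        try {
            String connectionName = slingHttpServletRequest.getParameter("c");
            if (connectionName == null) {
                this.logger.debug("Missing mandatory request parameter 'c'");
                slingHttpServletResponse.sendError(400);
                return;
            }
            ClientConnection clientConnection = this.connections.get(connectionName);
            if (clientConnection == null) {
                if (this.logger.isDebugEnabled()) {
                    // The connection name is request-controlled text; it only reaches the log at debug level.
                    this.logger.debug("Client requested unknown connection '{}'; known: '{}'", connectionName, this.connections.keySet());
                }
                slingHttpServletResponse.sendError(400);
                return;
            }
            // NOTE(review): the callback URI is derived from the request by
            // OAuthCallbackServlet.getCallbackUri (not shown). If it is built from the Host header,
            // the authorization server's exact-match check on registered redirect URIs is what
            // keeps the code from being sent elsewhere - confirm that registration is strict.
            URI callbackUri = URI.create(OAuthCallbackServlet.getCallbackUri(slingHttpServletRequest));
            RedirectTarget target = getAuthenticationRequestUri(clientConnection, slingHttpServletRequest, callbackUri);
            slingHttpServletResponse.addCookie(target.cookie());
            slingHttpServletResponse.sendRedirect(target.uri().toString());
        } catch (Exception e) {
            throw new OAuthEntryPointException("Internal error", e);
        }
    }

    /**
     * Builds the authorization request URI and the cookie that binds the browser to this flow.
     *
     * <p>A fresh identifier is generated per request and stored twice: in the cookie and, together
     * with the connection name and the requested redirect, in the OAuth {@code state} parameter.
     *
     * <p>Configured additional authorization parameters are split at the first {@code '='} only, so
     * a value may itself contain {@code '='} (for example base64 padding). Splitting on every
     * {@code '='} dropped such entries or cut trailing {@code '='} characters off the value without
     * any trace. Entries without a separator, or with an empty name or value, are skipped and
     * logged.
     *
     * @param clientConnection        connection whose endpoint, client id and scopes are used
     * @param slingHttpServletRequest request supplying the optional post-login redirect parameter
     * @param uri                     callback URI sent as {@code redirect_uri}
     * @return the redirect location and the cookie to set alongside it
     */
    private RedirectTarget getAuthenticationRequestUri(ClientConnection clientConnection, SlingHttpServletRequest slingHttpServletRequest, URI uri) {
        ResolvedOAuthConnection resolved = ResolvedOAuthConnection.resolve(clientConnection);
        ClientID clientID = new ClientID(resolved.clientId());
        String connectionName = clientConnection.name();

        // NOTE(review): request-controlled and not validated here. It travels inside the state
        // value, so the callback must restrict it (e.g. to local paths) before redirecting;
        // otherwise this is an open redirect. The callback code is not visible in this file.
        String redirect = slingHttpServletRequest.getParameter(OAuthStateManager.PARAMETER_NAME_REDIRECT);

        // Per-request key generated by Nimbus' Identifier; presumably a random value - confirm
        // against the library version in use.
        String requestKey = new Identifier().getValue();

        Cookie cookie = new Cookie(OAuthStateManager.COOKIE_NAME_REQUEST_KEY, requestKey);
        cookie.setHttpOnly(true);
        // Secure: the browser returns the cookie over HTTPS only, so the flow needs TLS end to end
        // from the browser's point of view.
        cookie.setSecure(true);
        cookie.setMaxAge(COOKIE_MAX_AGE_SECONDS);
        // NOTE(review): no explicit path and no SameSite attribute are set, so the container and
        // browser defaults apply - confirm they fit the callback path.

        // NOTE(review): how toNimbusState protects the state (signed, encrypted or plain encoding)
        // is not visible here. No PKCE code challenge is attached in this builder chain.
        AuthorizationRequest.Builder authRequestBuilder = new AuthorizationRequest.Builder(ResponseType.CODE, clientID)
                .scope(new Scope((String[]) resolved.scopes().toArray(new String[0])))
                .endpointURI(URI.create(resolved.authorizationEndpoint()))
                .redirectionURI(uri)
                .state(this.stateManager.toNimbusState(new OAuthState(requestKey, connectionName, redirect)));

        if (resolved.additionalAuthorizationParameters() != null) {
            resolved.additionalAuthorizationParameters().stream().forEach(entry -> {
                int separator = entry.indexOf('=');
                if (separator <= 0 || separator == entry.length() - 1) {
                    // Make a misconfigured entry visible instead of silently ignoring it.
                    this.logger.warn("Ignoring malformed additional authorization parameter '{}'; expected name=value", entry);
                    return;
                }
                authRequestBuilder.customParameter(entry.substring(0, separator), entry.substring(separator + 1));
            });
        }
        return new RedirectTarget(authRequestBuilder.build().toURI(), cookie);
    }
}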
