package org.apache.cxf.rs.security.oauth2.services;

import java.util.List;
import javax.ws.rs.Path;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.FormAuthorizationResponse;
import org.apache.cxf.rs.security.oauth2.common.OAuthAuthorizationData;
import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
import org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState;
import org.apache.cxf.rs.security.oauth2.common.OOBAuthorizationResponse;
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.common.UserSubject;
import org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeDataProvider;
import org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeRegistration;
import org.apache.cxf.rs.security.oauth2.grants.code.ServerAuthorizationCodeGrant;
import org.apache.cxf.rs.security.oauth2.provider.AuthorizationCodeResponseFilter;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rs.security.oauth2.provider.OOBResponseDeliverer;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;

/**
 * JAX-RS service implementing the OAuth 2.0 authorization-code flow
 * ({@code response_type=code}) on top of {@link RedirectionBasedGrantService}.
 *
 * <p>Responsibilities visible in this class:
 * <ul>
 *   <li>capturing the PKCE code challenge sent with the authorization request
 *       ({@link OAuthConstants#AUTHORIZATION_CODE_CHALLENGE}) into the redirection state;</li>
 *   <li>asking the {@link AuthorizationCodeDataProvider} to issue a
 *       {@link ServerAuthorizationCodeGrant} and delivering its code to the client either
 *       by redirect (query parameter {@code code}), by an HTML form post, or out-of-band
 *       when the client has no redirect URI;</li>
 *   <li>deciding whether public clients and empty redirect URIs are acceptable.</li>
 * </ul>
 *
 * <p>Validation of the client and of the redirect URI against the registration is done
 * by the superclass before the hooks below are invoked (not visible here - confirm against
 * {@code RedirectionBasedGrantService}). Thread-safety: the flags and collaborators are
 * plain fields set via setters, so configure the bean before it serves requests.
 */
@Path("/authorize")
/* loaded from: input_file:lib/cxf-rt-rs-security-oauth2-3.3.8.jar:org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.class */
public class AuthorizationCodeGrantService extends RedirectionBasedGrantService {
    /** Threshold (seconds) above which a code lifetime is logged as a warning; RFC 6749 recommends at most 10 minutes. */
    private static final long RECOMMENDED_CODE_EXPIRY_TIME_SECS = 600;
    // When false, only confidential clients (those with a secret) may use this endpoint.
    private boolean canSupportPublicClients;
    // When true, a confidential client may omit its redirect URI and receive the code out-of-band.
    private boolean canSupportEmptyRedirectForPrivateClients;
    // Optional strategy for out-of-band code delivery; null falls back to an HTML page.
    private OOBResponseDeliverer oobDeliverer;
    // Optional hook that may transform the issued code before it is handed to the client.
    private AuthorizationCodeResponseFilter codeResponseFilter;

    /** Registers this service for {@code response_type=code} and the authorization-code grant type. */
    public AuthorizationCodeGrantService() {
        super("code", OAuthConstants.AUTHORIZATION_CODE_GRANT);
    }

    /**
     * Builds the authorization data shown on the consent page and additionally records the
     * PKCE code challenge from the request parameters.
     *
     * <p>Declared {@code protected} in the superclass; the decompiler widened it to {@code public}.
     *
     * @return the superclass data with {@code clientCodeChallenge} populated
     */
    @Override // org.apache.cxf.rs.security.oauth2.services.RedirectionBasedGrantService
    public OAuthAuthorizationData createAuthorizationData(Client client, MultivaluedMap<String, String> multivaluedMap, String str, UserSubject userSubject, List<OAuthPermission> list, List<OAuthPermission> list2, boolean z) {
        OAuthAuthorizationData data =
            super.createAuthorizationData(client, multivaluedMap, str, userSubject, list, list2, z);
        copyCodeChallenge(multivaluedMap, data);
        return data;
    }

    /**
     * Rebuilds the redirection state from the consent-form parameters and restores the PKCE
     * code challenge that was submitted with the original authorization request.
     *
     * <p>Declared {@code protected} in the superclass; the decompiler widened it to {@code public}.
     */
    @Override // org.apache.cxf.rs.security.oauth2.services.RedirectionBasedGrantService
    public OAuthRedirectionState recreateRedirectionStateFromParams(MultivaluedMap<String, String> multivaluedMap) {
        OAuthRedirectionState state = super.recreateRedirectionStateFromParams(multivaluedMap);
        copyCodeChallenge(multivaluedMap, state);
        return state;
    }

    /**
     * Copies the PKCE {@code code_challenge} request parameter (first value, may be null when the
     * client did not send one) into the redirection state so it travels with the issued code.
     * Note that the challenge method is not read in this class.
     */
    private static void copyCodeChallenge(MultivaluedMap<String, String> params, OAuthRedirectionState target) {
        String challenge = params.getFirst(OAuthConstants.AUTHORIZATION_CODE_CHALLENGE);
        target.setClientCodeChallenge(challenge);
    }

    /**
     * Issues the authorization code and delivers it to the client.
     *
     * <p>Delivery depends on the redirection state: no redirect URI means out-of-band delivery,
     * a form response means an HTML form post carrying the code, otherwise a 303 redirect with
     * {@code code} (and {@code state}, when present) in the query string.
     *
     * <p>Any {@link OAuthServiceException} raised while creating or delivering the grant is
     * turned into an {@code access_denied} error response; the exception detail is not
     * propagated to the client.
     *
     * @return the JAX-RS response to send back to the user agent
     */
    @Override // org.apache.cxf.rs.security.oauth2.services.RedirectionBasedGrantService
    protected Response createGrant(OAuthRedirectionState oAuthRedirectionState, Client client, List<String> list, List<String> list2, UserSubject userSubject, ServerAccessToken serverAccessToken) {
        try {
            ServerAuthorizationCodeGrant grant =
                getGrantRepresentation(oAuthRedirectionState, client, list, list2, userSubject, serverAccessToken);
            // The filter may replace the code value that the client finally receives.
            String code = processCodeGrant(client, grant.getCode(), grant.getSubject());

            if (oAuthRedirectionState.getRedirectUri() == null) {
                return deliverOOBResponse(newOobResponse(client, userSubject, grant, code));
            } else if (isFormResponse(oAuthRedirectionState)) {
                return createHtmlResponse(newFormResponse(oAuthRedirectionState, grant, code));
            } else {
                UriBuilder target = getRedirectUriBuilder(
                    oAuthRedirectionState.getState(), oAuthRedirectionState.getRedirectUri());
                target.queryParam("code", code);
                return Response.seeOther(target.build(new Object[0])).build();
            }
        } catch (OAuthServiceException e) {
            return createErrorResponse(
                oAuthRedirectionState.getState(), oAuthRedirectionState.getRedirectUri(), OAuthConstants.ACCESS_DENIED);
        }
    }

    /** Assembles the out-of-band payload (used when the client has no redirect URI). */
    private static OOBAuthorizationResponse newOobResponse(Client client, UserSubject userSubject,
                                                           ServerAuthorizationCodeGrant grant, String code) {
        OOBAuthorizationResponse oob = new OOBAuthorizationResponse();
        oob.setClientId(client.getClientId());
        oob.setClientDescription(client.getApplicationDescription());
        oob.setAuthorizationCode(code);
        oob.setUserId(userSubject.getLogin());
        oob.setExpiresIn(grant.getExpiresIn());
        return oob;
    }

    /** Assembles the form-post payload carrying the code, its lifetime, state and redirect URI. */
    private static FormAuthorizationResponse newFormResponse(OAuthRedirectionState state,
                                                             ServerAuthorizationCodeGrant grant, String code) {
        FormAuthorizationResponse form = new FormAuthorizationResponse();
        form.setAuthorizationCode(code);
        form.setExpiresIn(grant.getExpiresIn());
        form.setState(state.getState());
        form.setRedirectUri(state.getRedirectUri());
        return form;
    }

    /**
     * Asks the data provider to create and persist a new authorization-code grant.
     *
     * <p>Logs a warning when the provider's configured lifetime exceeds
     * {@link #RECOMMENDED_CODE_EXPIRY_TIME_SECS}; the grant is still returned unchanged.
     *
     * @return the newly created grant
     * @throws ClassCastException if the configured data provider is not an
     *         {@link AuthorizationCodeDataProvider}
     */
    public ServerAuthorizationCodeGrant getGrantRepresentation(OAuthRedirectionState oAuthRedirectionState, Client client, List<String> list, List<String> list2, UserSubject userSubject, ServerAccessToken serverAccessToken) {
        AuthorizationCodeDataProvider provider = (AuthorizationCodeDataProvider) getDataProvider();
        AuthorizationCodeRegistration registration =
            createCodeRegistration(oAuthRedirectionState, client, list, list2, userSubject, serverAccessToken);
        ServerAuthorizationCodeGrant grant = provider.createCodeGrant(registration);
        boolean longerThanRecommended = grant.getExpiresIn() > RECOMMENDED_CODE_EXPIRY_TIME_SECS;
        if (longerThanRecommended) {
            LOG.warning("Code expiry time exceeds 10 minutes");
        }
        return grant;
    }

    /**
     * Translates the redirection state and approval outcome into the registration handed to
     * the data provider. The redirect URI, audience, nonce, PKCE challenge and extra properties
     * are copied from the state so they can be checked again at token exchange time.
     *
     * @param list requested scopes
     * @param list2 scopes approved by the user
     * @param serverAccessToken pre-authorized token, if any; only its presence is recorded
     * @return the populated registration
     */
    protected AuthorizationCodeRegistration createCodeRegistration(OAuthRedirectionState oAuthRedirectionState, Client client, List<String> list, List<String> list2, UserSubject userSubject, ServerAccessToken serverAccessToken) {
        AuthorizationCodeRegistration reg = new AuthorizationCodeRegistration();
        reg.setPreauthorizedTokenAvailable(serverAccessToken != null);
        reg.setClient(client);
        reg.setRedirectUri(oAuthRedirectionState.getRedirectUri());
        reg.setRequestedScope(list);
        reg.setResponseType(oAuthRedirectionState.getResponseType());
        reg.setApprovedScope(getApprovedScope(list, list2));
        reg.setSubject(userSubject);
        reg.setAudience(oAuthRedirectionState.getAudience());
        reg.setNonce(oAuthRedirectionState.getNonce());
        reg.setClientCodeChallenge(oAuthRedirectionState.getClientCodeChallenge());
        reg.getExtraProperties().putAll(oAuthRedirectionState.getExtraProperties());
        return reg;
    }

    /**
     * Runs the issued code through the configured {@link AuthorizationCodeResponseFilter}.
     *
     * @param str the code produced by the data provider
     * @return the filter's result, or {@code str} unchanged when no filter is configured
     */
    protected String processCodeGrant(Client client, String str, UserSubject userSubject) {
        if (this.codeResponseFilter == null) {
            return str;
        }
        return this.codeResponseFilter.process(client, str, userSubject);
    }

    /**
     * Delivers the code out-of-band: via the configured {@link OOBResponseDeliverer} when one is
     * set, otherwise as an HTML page rendered by the superclass.
     */
    protected Response deliverOOBResponse(OOBAuthorizationResponse oOBAuthorizationResponse) {
        if (this.oobDeliverer == null) {
            return createHtmlResponse(oOBAuthorizationResponse);
        }
        return this.oobDeliverer.deliver(oOBAuthorizationResponse);
    }

    /**
     * Builds the error response for a failed authorization.
     *
     * <p>Without a redirect URI the error code is returned directly as a 401 body; with one, the
     * user agent is redirected with {@code error} (and {@code state}, when present) in the query.
     * The redirect target is expected to have been validated upstream - confirm in the superclass.
     *
     * @param str the client-supplied state, may be null
     * @param str2 the redirect URI, may be null
     * @param str3 the OAuth error code
     */
    @Override // org.apache.cxf.rs.security.oauth2.services.RedirectionBasedGrantService
    protected Response createErrorResponse(String str, String str2, String str3) {
        if (str2 != null) {
            UriBuilder target = getRedirectUriBuilder(str, str2);
            target.queryParam(OAuthConstants.ERROR_KEY, str3);
            return Response.seeOther(target.build(new Object[0])).build();
        }
        return Response.status(401).entity(str3).build();
    }

    /**
     * Starts a {@link UriBuilder} for the client's redirect URI, echoing the {@code state}
     * parameter back when the client sent one (RFC 6749 requires it to be returned verbatim).
     *
     * @param str the state value, may be null
     * @param str2 the redirect URI
     */
    protected UriBuilder getRedirectUriBuilder(String str, String str2) {
        UriBuilder builder = UriBuilder.fromUri(str2);
        if (str == null) {
            return builder;
        }
        return builder.queryParam(OAuthConstants.STATE, str);
    }

    /**
     * A public client is accepted only when the feature is enabled and the client is neither
     * marked confidential nor holds a client secret.
     */
    @Override // org.apache.cxf.rs.security.oauth2.services.RedirectionBasedGrantService
    protected boolean canSupportPublicClient(Client client) {
        if (!this.canSupportPublicClients) {
            return false;
        }
        if (client.isConfidential()) {
            return false;
        }
        return client.getClientSecret() == null;
    }

    /** Only confidential clients may omit the redirect URI, and only if the flag allows it. */
    @Override // org.apache.cxf.rs.security.oauth2.services.RedirectionBasedGrantService
    protected boolean canRedirectUriBeEmpty(Client client) {
        if (!client.isConfidential()) {
            return false;
        }
        return this.canSupportEmptyRedirectForPrivateClients;
    }

    /** Enables or disables support for public (secret-less) clients. */
    public void setCanSupportPublicClients(boolean z) {
        this.canSupportPublicClients = z;
    }

    /** Sets the optional filter applied to the issued code before delivery. */
    public void setCodeResponseFilter(AuthorizationCodeResponseFilter authorizationCodeResponseFilter) {
        this.codeResponseFilter = authorizationCodeResponseFilter;
    }

    /** Allows confidential clients to omit the redirect URI and receive the code out-of-band. */
    public void setCanSupportEmptyRedirectForPrivateClients(boolean z) {
        this.canSupportEmptyRedirectForPrivateClients = z;
    }
}
