package org.apache.cxf.rs.security.oauth2.client;

import jakarta.annotation.Priority;
import jakarta.ws.rs.container.ContainerRequestContext;
import jakarta.ws.rs.container.ContainerRequestFilter;
import jakarta.ws.rs.container.PreMatching;
import jakarta.ws.rs.core.Context;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.MultivaluedMap;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.SecurityContext;
import jakarta.ws.rs.core.UriBuilder;
import jakarta.ws.rs.core.UriInfo;
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.logging.Logger;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.Base64UrlUtility;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.jaxrs.ext.MessageContext;
import org.apache.cxf.jaxrs.impl.MetadataMap;
import org.apache.cxf.jaxrs.utils.ExceptionUtils;
import org.apache.cxf.jaxrs.utils.FormUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
import org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeGrant;
import org.apache.cxf.rs.security.oauth2.grants.code.CodeVerifierTransformer;
import org.apache.cxf.rs.security.oauth2.grants.code.JwtRequestCodeGrant;
import org.apache.cxf.rs.security.oauth2.provider.OAuthJoseJwtProducer;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
import org.apache.cxf.rt.security.crypto.CryptoUtils;

@PreMatching
@Priority(1001)
/* loaded from: input_file:lib/cxf-shade-9.0.0.RC1.jar:org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.class */
public class ClientCodeRequestFilter implements ContainerRequestFilter {
    protected static final Logger LOG = LogUtils.getL7dLogger(ClientCodeRequestFilter.class);

    @Context
    private MessageContext mc;
    private String scopes;
    private String completeUri;
    private String startUri;
    private String authorizationServiceUri;
    private Consumer consumer;
    private ClientCodeStateManager clientStateManager;
    private ClientTokenContextManager clientTokenContextManager;
    private WebClient accessTokenServiceClient;
    private boolean decodeRequestParameters;
    private long expiryThreshold;
    private String redirectUri;
    private boolean setFormPostResponseMode;
    private boolean faultAccessDeniedResponses;
    private boolean applicationCanHandleAccessDenied;
    private CodeVerifierTransformer codeVerifierTransformer;
    private OAuthJoseJwtProducer codeRequestJoseProducer;
    private boolean useAuthorizationHeader = true;

    @Override // jakarta.ws.rs.container.ContainerRequestFilter
    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        String headerString;
        checkSecurityContextStart(containerRequestContext);
        UriInfo uriInfo = containerRequestContext.getUriInfo();
        String uri = uriInfo.getAbsolutePath().toString();
        boolean z = false;
        if (this.completeUri == null && (headerString = containerRequestContext.getHeaderString("Referer")) != null && headerString.startsWith(this.authorizationServiceUri)) {
            this.completeUri = uri;
            z = true;
        }
        if (isStartUriMatched(uriInfo, uri, z)) {
            ClientTokenContext clientTokenContext = getClientTokenContext(containerRequestContext);
            if (clientTokenContext == null) {
                containerRequestContext.abortWith(createCodeResponse(containerRequestContext, uriInfo));
                return;
            }
            setClientCodeRequest(clientTokenContext);
            if (this.completeUri != null) {
                containerRequestContext.setRequestUri(URI.create(this.completeUri));
                return;
            }
            return;
        }
        MultivaluedMap<String, String> requestState = toRequestState(containerRequestContext, uriInfo);
        if (!codeResponseQueryParamsAvailable(requestState) || (this.completeUri != null && !uri.endsWith(this.completeUri))) {
            containerRequestContext.abortWith(Response.status(401).build());
        } else {
            processCodeResponse(containerRequestContext, uriInfo, requestState);
            checkSecurityContextEnd(containerRequestContext, requestState);
        }
    }

    protected boolean isStartUriMatched(UriInfo uriInfo, String str, boolean z) {
        if (this.startUri == null && this.completeUri != null && !str.endsWith(this.completeUri)) {
            return true;
        }
        if ((this.completeUri == null || (this.startUri != null && this.startUri.equals(this.completeUri))) && codeResponseQueryParamsAvailable(uriInfo.getQueryParameters())) {
            return false;
        }
        return (this.startUri == null && !z) || (this.startUri != null && str.endsWith(this.startUri));
    }

    private boolean codeResponseQueryParamsAvailable(MultivaluedMap<String, String> multivaluedMap) {
        return multivaluedMap.containsKey("code") || multivaluedMap.containsKey(OAuthConstants.ERROR_KEY);
    }

    protected void checkSecurityContextStart(ContainerRequestContext containerRequestContext) {
        SecurityContext securityContext = containerRequestContext.getSecurityContext();
        if (securityContext == null || securityContext.getUserPrincipal() == null) {
            throw ExceptionUtils.toNotAuthorizedException(null, null);
        }
    }

    private void checkSecurityContextEnd(ContainerRequestContext containerRequestContext, MultivaluedMap<String, String> multivaluedMap) {
        SecurityContext securityContext = containerRequestContext.getSecurityContext();
        if (securityContext == null || securityContext.getUserPrincipal() == null) {
            if (multivaluedMap.getFirst("code") != null || !multivaluedMap.containsKey(OAuthConstants.ERROR_KEY) || this.faultAccessDeniedResponses) {
                throw ExceptionUtils.toNotAuthorizedException(null, null);
            }
            if (this.applicationCanHandleAccessDenied) {
                return;
            }
            containerRequestContext.abortWith(Response.ok(new AccessDeniedResponse(multivaluedMap.getFirst(OAuthConstants.ERROR_KEY))).build());
        }
    }

    private Response createCodeResponse(ContainerRequestContext containerRequestContext, UriInfo uriInfo) {
        MultivaluedMap<String, String> codeRequestState = toCodeRequestState(containerRequestContext, uriInfo);
        MultivaluedMap<String, String> createRedirectState = createRedirectState(containerRequestContext, uriInfo, codeRequestState);
        String first = createRedirectState != null ? createRedirectState.getFirst(OAuthConstants.STATE) : null;
        String first2 = createRedirectState != null ? createRedirectState.getFirst("scope") : null;
        UriBuilder authorizationURIBuilder = OAuthClientUtils.getAuthorizationURIBuilder(this.authorizationServiceUri, this.consumer.getClientId(), getAbsoluteRedirectUri(uriInfo).toString(), first, first2 != null ? first2 : this.scopes);
        setFormPostResponseMode(authorizationURIBuilder, createRedirectState);
        setCodeVerifier(authorizationURIBuilder, createRedirectState);
        setAdditionalCodeRequestParams(authorizationURIBuilder, createRedirectState, codeRequestState);
        return Response.seeOther(authorizationURIBuilder.build(new Object[0])).build();
    }

    protected void setFormPostResponseMode(UriBuilder uriBuilder, MultivaluedMap<String, String> multivaluedMap) {
        if (this.setFormPostResponseMode) {
            uriBuilder.queryParam(OAuthConstants.RESPONSE_MODE, OAuthConstants.FORM_RESPONSE_MODE);
        }
    }

    protected void setCodeVerifier(UriBuilder uriBuilder, MultivaluedMap<String, String> multivaluedMap) {
        if (this.codeVerifierTransformer != null) {
            uriBuilder.queryParam(OAuthConstants.AUTHORIZATION_CODE_CHALLENGE, this.codeVerifierTransformer.transformCodeVerifier(multivaluedMap.getFirst(OAuthConstants.AUTHORIZATION_CODE_VERIFIER)));
            uriBuilder.queryParam(OAuthConstants.AUTHORIZATION_CODE_CHALLENGE_METHOD, this.codeVerifierTransformer.getChallengeMethod());
        }
    }

    protected void setAdditionalCodeRequestParams(UriBuilder uriBuilder, MultivaluedMap<String, String> multivaluedMap, MultivaluedMap<String, String> multivaluedMap2) {
    }

    private URI getAbsoluteRedirectUri(UriInfo uriInfo) {
        return this.redirectUri != null ? URI.create(this.redirectUri) : this.completeUri != null ? this.completeUri.startsWith("http") ? URI.create(this.completeUri) : uriInfo.getBaseUriBuilder().path(this.completeUri).build(new Object[0]) : uriInfo.getAbsolutePath();
    }

    protected void processCodeResponse(ContainerRequestContext containerRequestContext, UriInfo uriInfo, MultivaluedMap<String, String> multivaluedMap) {
        MultivaluedMap<String, String> multivaluedMap2 = null;
        if (this.clientStateManager != null) {
            multivaluedMap2 = this.clientStateManager.fromRedirectState(this.mc, multivaluedMap);
        }
        String first = multivaluedMap.getFirst("code");
        ClientAccessToken clientAccessToken = null;
        if (first != null) {
            AuthorizationCodeGrant prepareCodeGrant = prepareCodeGrant(first, getAbsoluteRedirectUri(uriInfo));
            if (multivaluedMap2 != null) {
                prepareCodeGrant.setCodeVerifier(multivaluedMap2.getFirst(OAuthConstants.AUTHORIZATION_CODE_VERIFIER));
            }
            clientAccessToken = OAuthClientUtils.getAccessToken(this.accessTokenServiceClient, this.consumer, prepareCodeGrant, this.useAuthorizationHeader);
        }
        ClientTokenContext initializeClientTokenContext = initializeClientTokenContext(containerRequestContext, clientAccessToken, multivaluedMap, multivaluedMap2);
        if (clientAccessToken != null && this.clientTokenContextManager != null) {
            this.clientTokenContextManager.setClientTokenContext(this.mc, initializeClientTokenContext);
        }
        setClientCodeRequest(initializeClientTokenContext);
    }

    private AuthorizationCodeGrant prepareCodeGrant(String str, URI uri) {
        if (this.codeRequestJoseProducer == null) {
            return new AuthorizationCodeGrant(str, uri);
        }
        JwtRequestCodeGrant jwtRequestCodeGrant = new JwtRequestCodeGrant(str, uri, this.consumer.getClientId());
        jwtRequestCodeGrant.setClientSecret(this.consumer.getClientSecret());
        jwtRequestCodeGrant.setJoseProducer(this.codeRequestJoseProducer);
        return jwtRequestCodeGrant;
    }

    protected ClientTokenContext initializeClientTokenContext(ContainerRequestContext containerRequestContext, ClientAccessToken clientAccessToken, MultivaluedMap<String, String> multivaluedMap, MultivaluedMap<String, String> multivaluedMap2) {
        ClientTokenContext createTokenContext = createTokenContext(containerRequestContext, clientAccessToken, multivaluedMap, multivaluedMap2);
        ((ClientTokenContextImpl) createTokenContext).setToken(clientAccessToken);
        ((ClientTokenContextImpl) createTokenContext).setState(multivaluedMap2);
        return createTokenContext;
    }

    protected ClientTokenContext createTokenContext(ContainerRequestContext containerRequestContext, ClientAccessToken clientAccessToken, MultivaluedMap<String, String> multivaluedMap, MultivaluedMap<String, String> multivaluedMap2) {
        return new ClientTokenContextImpl();
    }

    private void setClientCodeRequest(ClientTokenContext clientTokenContext) {
        JAXRSUtils.getCurrentMessage().setContent(ClientTokenContext.class, clientTokenContext);
    }

    protected MultivaluedMap<String, String> createRedirectState(ContainerRequestContext containerRequestContext, UriInfo uriInfo, MultivaluedMap<String, String> multivaluedMap) {
        if (this.clientStateManager == null) {
            return new MetadataMap();
        }
        String str = null;
        if (this.codeVerifierTransformer != null) {
            str = Base64UrlUtility.encode(CryptoUtils.generateSecureRandomBytes(32));
            multivaluedMap.putSingle(OAuthConstants.AUTHORIZATION_CODE_VERIFIER, str);
        }
        MultivaluedMap<String, String> redirectState = this.clientStateManager.toRedirectState(this.mc, multivaluedMap);
        if (str != null) {
            redirectState.putSingle(OAuthConstants.AUTHORIZATION_CODE_VERIFIER, str);
        }
        return redirectState;
    }

    protected MultivaluedMap<String, String> toCodeRequestState(ContainerRequestContext containerRequestContext, UriInfo uriInfo) {
        MultivaluedMap<String, String> requestState = toRequestState(containerRequestContext, uriInfo);
        if (requestState == null) {
            requestState = new MetadataMap();
        }
        return requestState;
    }

    protected MultivaluedMap<String, String> toRequestState(ContainerRequestContext containerRequestContext, UriInfo uriInfo) {
        MetadataMap metadataMap = new MetadataMap();
        metadataMap.putAll(uriInfo.getQueryParameters(this.decodeRequestParameters));
        if (MediaType.APPLICATION_FORM_URLENCODED_TYPE.isCompatible(containerRequestContext.getMediaType())) {
            FormUtils.populateMapFromString(metadataMap, JAXRSUtils.getCurrentMessage(), FormUtils.readBody(containerRequestContext.getEntityStream(), StandardCharsets.UTF_8.name()), StandardCharsets.UTF_8.name(), this.decodeRequestParameters);
        }
        return metadataMap;
    }

    public void setScopeList(List<String> list) {
        setScopes(String.join(" ", list));
    }

    public void setScopes(String str) {
        this.scopes = str.trim();
    }

    public void setStartUri(String str) {
        this.startUri = str;
    }

    public void setAuthorizationServiceUri(String str) {
        this.authorizationServiceUri = str;
    }

    public void setCompleteUri(String str) {
        this.completeUri = str;
    }

    public void setAccessTokenServiceClient(WebClient webClient) {
        this.accessTokenServiceClient = webClient;
    }

    public void setClientCodeStateManager(ClientCodeStateManager clientCodeStateManager) {
        this.clientStateManager = clientCodeStateManager;
    }

    public void setClientTokenContextManager(ClientTokenContextManager clientTokenContextManager) {
        this.clientTokenContextManager = clientTokenContextManager;
    }

    public void setConsumer(Consumer consumer) {
        this.consumer = consumer;
    }

    public Consumer getConsumer() {
        return this.consumer;
    }

    public void setDecodeRequestParameters(boolean z) {
        this.decodeRequestParameters = z;
    }

    protected ClientTokenContext getClientTokenContext(ContainerRequestContext containerRequestContext) {
        ClientAccessToken refreshAccessTokenIfExpired;
        ClientTokenContext clientTokenContext = null;
        if (this.clientTokenContextManager != null) {
            clientTokenContext = this.clientTokenContextManager.getClientTokenContext(this.mc);
            if (clientTokenContext != null && (refreshAccessTokenIfExpired = refreshAccessTokenIfExpired(clientTokenContext.getToken())) != null) {
                ((ClientTokenContextImpl) clientTokenContext).setToken(refreshAccessTokenIfExpired);
                this.clientTokenContextManager.setClientTokenContext(this.mc, clientTokenContext);
            }
        }
        return clientTokenContext;
    }

    private ClientAccessToken refreshAccessTokenIfExpired(ClientAccessToken clientAccessToken) {
        if (clientAccessToken.getRefreshToken() == null) {
            return null;
        }
        if ((this.expiryThreshold <= 0 || !OAuthUtils.isExpired(Long.valueOf(clientAccessToken.getIssuedAt()), Long.valueOf(clientAccessToken.getExpiresIn() - this.expiryThreshold))) && !OAuthUtils.isExpired(Long.valueOf(clientAccessToken.getIssuedAt()), Long.valueOf(clientAccessToken.getExpiresIn()))) {
            return null;
        }
        return OAuthClientUtils.refreshAccessToken(this.accessTokenServiceClient, this.consumer, clientAccessToken);
    }

    public void setExpiryThreshold(long j) {
        this.expiryThreshold = j;
    }

    public void setRedirectUri(String str) {
        this.redirectUri = str;
    }

    public void setSetFormPostResponseMode(boolean z) {
        this.setFormPostResponseMode = z;
    }

    public void setBlockAccessDeniedResponses(boolean z) {
        this.faultAccessDeniedResponses = z;
    }

    public void setApplicationCanHandleAccessDenied(boolean z) {
        this.applicationCanHandleAccessDenied = z;
    }

    public void setCodeVerifierTransformer(CodeVerifierTransformer codeVerifierTransformer) {
        this.codeVerifierTransformer = codeVerifierTransformer;
    }

    public void setCodeRequestJoseProducer(OAuthJoseJwtProducer oAuthJoseJwtProducer) {
        this.codeRequestJoseProducer = oAuthJoseJwtProducer;
    }

    public void setUseAuthorizationHeader(boolean z) {
        this.useAuthorizationHeader = z;
    }
}
