package net.shibboleth.idp.plugin.authn.duo.impl;

import java.io.IOException;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.shibboleth.idp.authn.ExternalAuthentication;
import net.shibboleth.idp.authn.ExternalAuthenticationException;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.plugin.authn.duo.DuoClientException;
import net.shibboleth.idp.plugin.authn.duo.DuoException;
import net.shibboleth.idp.plugin.authn.duo.DuoOIDCClient;
import net.shibboleth.idp.plugin.authn.duo.context.DuoOIDCAuthenticationContext;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.component.AbstractInitializableComponent;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;

@RequestMapping({"%{idp.duo.oidc.externalAuthnPath:/Authn/Duo/2FA}"})
@Controller
/* loaded from: input_file:net/shibboleth/idp/plugin/authn/duo/impl/DuoOIDCAuthnController.class */
public class DuoOIDCAuthnController extends AbstractInitializableComponent {

    @NotEmpty
    @Nonnull
    public static final String CODE_PARAMETER = "code";

    @NotEmpty
    @Nonnull
    public static final String DUO_CODE_PARAMETER = "duo_code";

    @NotEmpty
    @Nonnull
    public static final String STATE_PARAMETER = "state";

    @Nonnull
    private final Logger log = LoggerFactory.getLogger(DuoOIDCAuthnController.class);

    @Nonnull
    private Function<ProfileRequestContext, DuoOIDCAuthenticationContext> duoContextLookupStrategy = new ChildContextLookup(DuoOIDCAuthenticationContext.class).compose(new ChildContextLookup(AuthenticationContext.class));

    public void setDuoContextLookupStrategy(@Nonnull Function<ProfileRequestContext, DuoOIDCAuthenticationContext> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.duoContextLookupStrategy = (Function) Constraint.isNotNull(function, "DuoContext lookup strategy cannot be null");
    }

    @GetMapping({"/authorize"})
    public void authorizationRequest(@Nonnull HttpServletRequest httpServletRequest, @Nonnull HttpServletResponse httpServletResponse) throws ExternalAuthenticationException, IOException {
        String createAuthUrl;
        String startExternalAuthentication = ExternalAuthentication.startExternalAuthentication(httpServletRequest);
        DuoOIDCAuthenticationContext apply = this.duoContextLookupStrategy.apply(ExternalAuthentication.getProfileRequestContext(startExternalAuthentication, httpServletRequest));
        if (apply == null) {
            this.log.error("No Duo context to use in initiating a Duo 2FA request");
            httpServletRequest.setAttribute("authnError", "InvalidProfileContext");
            ExternalAuthentication.finishExternalAuthentication(startExternalAuthentication, httpServletRequest, httpServletResponse);
            return;
        }
        this.log.trace("Starting Duo 2FA for integration client '{}' and user '{}'", apply.getIntegration() != null ? apply.getIntegration().getClientId() : "none", apply.getUsername());
        try {
            DuoOIDCClient client = apply.getClient();
            if (client == null) {
                throw new DuoClientException("Duo client is null, has the context been created correctly?");
            }
            String generateNonce = DuoSupport.generateNonce(32);
            String generateState = DuoSupport.generateState(generateNonce, startExternalAuthentication);
            apply.setRequestState(generateNonce);
            if (client.getCapabilities().isSupportsNonce()) {
                String generateNonce2 = DuoSupport.generateNonce(36);
                createAuthUrl = client.createAuthUrl(apply.getUsername(), generateState, generateNonce2);
                apply.setNonce(generateNonce2);
            } else {
                createAuthUrl = client.createAuthUrl(apply.getUsername(), generateState, (String) null);
            }
            httpServletResponse.sendRedirect(createAuthUrl);
        } catch (DuoClientException e) {
            httpServletRequest.setAttribute("authnException", e);
            ExternalAuthentication.finishExternalAuthentication(startExternalAuthentication, httpServletRequest, httpServletResponse);
        }
    }

    @GetMapping({"/duo-callback"})
    public void authorizationCallback(@Nonnull HttpServletRequest httpServletRequest, @Nonnull HttpServletResponse httpServletResponse) throws ExternalAuthenticationException, IOException {
        String parameter = httpServletRequest.getParameter(CODE_PARAMETER);
        String parameter2 = httpServletRequest.getParameter(STATE_PARAMETER);
        String parameter3 = httpServletRequest.getParameter(DUO_CODE_PARAMETER);
        if (parameter2 == null || (parameter == null && parameter3 == null)) {
            throw new ExternalAuthenticationException("Duo response must contain a 'code' and 'state' parameter");
        }
        if (parameter != null && parameter3 != null) {
            throw new ExternalAuthenticationException("Duo response can not contain both a 'code' and 'duo_code' parameter");
        }
        try {
            String extractKeyFromState = DuoSupport.extractKeyFromState(parameter2);
            String extractNonceFromState = DuoSupport.extractNonceFromState(parameter2);
            DuoOIDCAuthenticationContext apply = this.duoContextLookupStrategy.apply(ExternalAuthentication.getProfileRequestContext(extractKeyFromState, httpServletRequest));
            if (apply == null) {
                this.log.error("No Duo authentication context to store the Duo 2FA response");
                httpServletRequest.setAttribute("authnError", "InvalidProfileContext");
                ExternalAuthentication.finishExternalAuthentication(extractKeyFromState, httpServletRequest, httpServletResponse);
            } else {
                apply.setAuthorizationCode(parameter != null ? parameter : parameter3);
                apply.setResponseState(extractNonceFromState);
                ExternalAuthentication.finishExternalAuthentication(extractKeyFromState, httpServletRequest, httpServletResponse);
            }
        } catch (DuoException e) {
            throw new ExternalAuthenticationException("Flow execution key component could not be found in the returned state, unable to resume the flow execution", e);
        }
    }
}
