package net.shibboleth.idp.plugin.authn.oidc.rp.impl;

import com.nimbusds.oauth2.sdk.ResponseMode;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.concurrent.ThreadSafe;
import net.shibboleth.idp.authn.ExternalAuthentication;
import net.shibboleth.idp.authn.ExternalAuthenticationException;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.plugin.authn.oidc.rp.context.OIDCAuthnContext;
import net.shibboleth.idp.plugin.authn.oidc.rp.context.OutboundMessageHandlerContext;
import net.shibboleth.idp.plugin.authn.oidc.rp.exception.OIDCProxyException;
import net.shibboleth.oidc.profile.core.OIDCAuthenticationRequest;
import net.shibboleth.shared.annotation.constraint.NotEmpty;
import net.shibboleth.shared.component.AbstractInitializableComponent;
import net.shibboleth.shared.component.ComponentInitializationException;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.primitive.LoggerFactory;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.messaging.decoder.MessageDecoder;
import org.opensaml.messaging.decoder.MessageDecodingException;
import org.opensaml.messaging.handler.MessageHandler;
import org.opensaml.messaging.handler.MessageHandlerException;
import org.opensaml.profile.context.EventContext;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;

@RequestMapping({"%{idp.authn.oidc.rp.externalAuthnPath:/Authn/OIDC/RP}"})
@ThreadSafe
@Controller
/* loaded from: input_file:net/shibboleth/idp/plugin/authn/oidc/rp/impl/AuthorizationController.class */
public class AuthorizationController extends AbstractInitializableComponent {

    @Nonnull
    @NotEmpty
    public static final String AUTHORIZE_PATH_SEGMENT = "/authz";

    @Nonnull
    @NotEmpty
    public static final String CALLBACK_PATH_SEGMENT = "/callback";

    @Nonnull
    @NotEmpty
    public static final String CODE_PARAMETER = "code";

    @Nonnull
    @NotEmpty
    public static final String STATE_PARAMETER = "state";

    @Nonnull
    private final Logger log = LoggerFactory.getLogger(AuthorizationController.class);

    @Nonnull
    private Function<ProfileRequestContext, ProfileRequestContext> profileRequestContextLookupStrategy = new ChildContextLookup(ProfileRequestContext.class).compose(new ChildContextLookup(AuthenticationContext.class));

    @Nonnull
    private Function<ProfileRequestContext, OIDCAuthnContext> oidcContextLookupStrategy = new ChildContextLookup(OIDCAuthnContext.class).compose(new ChildContextLookup(AuthenticationContext.class));

    public void setProfileRequestContextLookupStrategy(@Nonnull Function<ProfileRequestContext, ProfileRequestContext> function) {
        checkSetterPreconditions();
        this.profileRequestContextLookupStrategy = (Function) Constraint.isNotNull(function, "ProfileRequestContext lookup strategy cannot be null");
    }

    public void setOidcAuthnContextLookupStrategy(@Nonnull Function<ProfileRequestContext, OIDCAuthnContext> function) {
        checkSetterPreconditions();
        this.oidcContextLookupStrategy = (Function) Constraint.isNotNull(function, "OIDCAuthnContext lookup strategy cannot be null");
    }

    @GetMapping({AUTHORIZE_PATH_SEGMENT})
    public void authorizationRequest(@Nonnull HttpServletRequest httpServletRequest, @Nonnull HttpServletResponse httpServletResponse) throws ServletException, IOException, ExternalAuthenticationException {
        String startExternalAuthentication = ExternalAuthentication.startExternalAuthentication(httpServletRequest);
        ProfileRequestContext profileRequestContext = ExternalAuthentication.getProfileRequestContext(startExternalAuthentication, httpServletRequest);
        OIDCAuthnContext apply = this.oidcContextLookupStrategy.apply(profileRequestContext);
        if (apply == null) {
            this.log.error("OIDCAuthnContext not found");
            httpServletRequest.setAttribute("authnError", "InvalidProfileContext");
            ExternalAuthentication.finishExternalAuthentication(startExternalAuthentication, httpServletRequest, httpServletResponse);
            return;
        }
        ProfileRequestContext apply2 = this.profileRequestContextLookupStrategy.apply(profileRequestContext);
        if (apply2 == null) {
            this.log.error("Nested ProfileRequestContext not found");
            httpServletRequest.setAttribute("authnError", "InvalidProfileContext");
            ExternalAuthentication.finishExternalAuthentication(startExternalAuthentication, httpServletRequest, httpServletResponse);
            return;
        }
        MessageContext outboundMessageContext = apply2.getOutboundMessageContext();
        if (outboundMessageContext == null || !(outboundMessageContext.getMessage() instanceof OIDCAuthenticationRequest)) {
            this.log.error("Outbound Authorization message not found");
            httpServletRequest.setAttribute("authnError", "InvalidMessage");
            ExternalAuthentication.finishExternalAuthentication(startExternalAuthentication, httpServletRequest, httpServletResponse);
            return;
        }
        outboundMessageContext.addSubcontext(new OutboundMessageHandlerContext(startExternalAuthentication));
        try {
            MessageHandler outboundMessageHandler = apply.getOutboundMessageHandler();
            if (outboundMessageHandler != null) {
                outboundMessageHandler.invoke(outboundMessageContext);
            }
            this.log.debug("OIDC Relying Party Proxy executing message encoders to make upstream request to OpenID Provider");
            apply.getEncodeMessageAction().execute(apply2);
            EventContext subcontext = apply2.getSubcontext(EventContext.class);
            Object event = subcontext != null ? subcontext.getEvent() : null;
            if (subcontext == null || event == null || "proceed".equals(subcontext.getEvent())) {
                return;
            }
            this.log.error("Message encoding action signaled non-proceed event {}", event);
            httpServletRequest.setAttribute("authnError", event.toString());
            ExternalAuthentication.finishExternalAuthentication(startExternalAuthentication, httpServletRequest, httpServletResponse);
        } catch (MessageHandlerException e) {
            this.log.error("Caught message handling exception", e);
            httpServletRequest.setAttribute("authnError", "MessageProcessingError");
            ExternalAuthentication.finishExternalAuthentication(startExternalAuthentication, httpServletRequest, httpServletResponse);
        }
    }

    @RequestMapping({CALLBACK_PATH_SEGMENT})
    public void authorizationCallback(@Nonnull HttpServletRequest httpServletRequest, @Nonnull HttpServletResponse httpServletResponse) throws ExternalAuthenticationException, IOException {
        ResponseMode responseMode;
        String parameter = httpServletRequest.getParameter(STATE_PARAMETER);
        this.log.debug("OIDC Relying Party Proxy recieved callback with state '{}'", parameter);
        if (parameter == null) {
            throw new ExternalAuthenticationException("OIDC authentication response must contain a 'state' parameter");
        }
        try {
            String extractKeyFromState = OIDCProxySupport.extractKeyFromState(parameter);
            ProfileRequestContext profileRequestContext = ExternalAuthentication.getProfileRequestContext(extractKeyFromState, httpServletRequest);
            OIDCAuthnContext apply = this.oidcContextLookupStrategy.apply(profileRequestContext);
            if (apply == null) {
                this.log.error("OIDCAuthnContext not found");
                httpServletRequest.setAttribute("authnError", "InvalidProfileContext");
                ExternalAuthentication.finishExternalAuthentication(extractKeyFromState, httpServletRequest, httpServletResponse);
                return;
            }
            ProfileRequestContext apply2 = this.profileRequestContextLookupStrategy.apply(profileRequestContext);
            if (apply2 == null) {
                this.log.error("Nested ProfileRequestContext not found");
                httpServletRequest.setAttribute("authnError", "InvalidProfileContext");
                ExternalAuthentication.finishExternalAuthentication(extractKeyFromState, httpServletRequest, httpServletResponse);
                return;
            }
            OIDCAuthenticationRequest oIDCAuthenticationRequest = null;
            MessageContext outboundMessageContext = apply2.getOutboundMessageContext();
            if (outboundMessageContext != null) {
                Object message = outboundMessageContext.getMessage();
                if (message instanceof OIDCAuthenticationRequest) {
                    oIDCAuthenticationRequest = (OIDCAuthenticationRequest) message;
                }
            }
            if (oIDCAuthenticationRequest == null) {
                this.log.error("Authentication request not found in context, cannot decode incomming request");
                httpServletRequest.setAttribute("authnError", "InvalidProfileContext");
                ExternalAuthentication.finishExternalAuthentication(extractKeyFromState, httpServletRequest, httpServletResponse);
                return;
            }
            this.log.debug("OIDC response_type '{}' and response_mode '{}' requested, decoding incoming request", oIDCAuthenticationRequest.getResponseType(), oIDCAuthenticationRequest.getResponseMode());
            try {
                responseMode = oIDCAuthenticationRequest.getResponseMode();
            } catch (MessageDecodingException | ComponentInitializationException e) {
                this.log.error("Unable to decode OIDC response", e);
                httpServletRequest.setAttribute("authnError", "UnableToDecode");
            }
            if (responseMode == null) {
                throw new MessageDecodingException("Unable to obtain response_mode to decode incomming request");
            }
            MessageDecoder messageDecoder = (MessageDecoder) apply.getMessageDecoderFactory().apply(responseMode.getValue());
            if (messageDecoder == null) {
                throw new MessageDecodingException("Unable to obtain MessageDecoder for response_mode: " + responseMode.getValue());
            }
            try {
                messageDecoder.initialize();
                messageDecoder.decode();
                apply2.setInboundMessageContext(messageDecoder.getMessageContext());
                messageDecoder.destroy();
                ExternalAuthentication.finishExternalAuthentication(extractKeyFromState, httpServletRequest, httpServletResponse);
            } catch (Throwable th) {
                messageDecoder.destroy();
                throw th;
            }
        } catch (OIDCProxyException e2) {
            throw new ExternalAuthenticationException("Flow execution key component could not be found in the returned state, unable to resume the flow execution", e2);
        }
    }
}
