package ca.nrc.cadc.ac.server.oidc;

import ca.nrc.cadc.auth.AuthMethod;
import ca.nrc.cadc.auth.AuthenticationUtil;
import ca.nrc.cadc.auth.HttpPrincipal;
import ca.nrc.cadc.auth.NotAuthenticatedException;
import ca.nrc.cadc.net.NetUtil;
import ca.nrc.cadc.reg.client.RegistryClient;
import ca.nrc.cadc.rest.RestAction;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Set;
import javax.security.auth.Subject;
import org.apache.log4j.Logger;

/* loaded from: input_file:ca/nrc/cadc/ac/server/oidc/AuthorizeAction.class */
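/**
 * Authorization endpoint action of the OIDC service.
 *
 * <p>The request parameters ({@code response_type}, {@code scope}, {@code client_id},
 * {@code redirect_uri}, {@code state}, ...) are read into the protected fields by the
 * subclass's {@link #loadRequestInput()}. {@link #doAction()} then dispatches:
 * <ul>
 *   <li>{@code response_type=code} with an {@code openid} scope: the browser code flow.
 *       An anonymous user is redirected to the login application; an authenticated user
 *       who is allowed to use the client is redirected back to {@code redirect_uri} with
 *       an authorization code.</li>
 *   <li>{@code response_type=token} or {@code id_token}: a non-browser flow for an already
 *       authenticated caller; the token is returned in the {@code X-Auth-Token} header and
 *       the response body.</li>
 * </ul>
 *
 * <p>Errors are reported as in RFC 6749 section 4.1.2.1: when a {@code redirect_uri} is
 * available the user agent is redirected to it with {@code error},
 * {@code error_description} and {@code state} query parameters (all URL-encoded);
 * otherwise an {@link IllegalArgumentException} carrying the same text is thrown.
 *
 * <p>NOTE(review): nothing in this class compares {@code redirect_uri} with the redirect
 * URIs registered for the client. Unless that is enforced elsewhere (for example inside
 * {@code OIDCUtil.getRelyParty} or at the token endpoint), both the code redirect and the
 * error redirect go to a caller-chosen URI — confirm.
 */
public abstract class AuthorizeAction extends RestAction {
    private static final Logger log = Logger.getLogger(AuthorizeAction.class);

    private static final String CODE_RESPONSE_TYPE = "code";
    private static final String TOKEN_RESPONSE_TYPE = "token";
    private static final String IDTOKEN_RESPONSE_TYPE = "id_token";
    private static final String OIDC_SCOPE = "openid";
    private static final String VO_SINGLESIGNON_SCOPE = "vo-sso";

    // Request parameters, populated by loadRequestInput(); null when absent from the request.
    protected String scope;
    protected String responseType;
    protected String clientID;
    protected String redirectURI;
    protected String state;
    protected String responseMode;
    protected String nonce;
    protected String display;
    protected String prompt;
    protected String maxAge;
    protected String uiLocales;
    protected String idTokenHint;
    protected String loginHint;
    protected String acrValues;

    /* loaded from: input_file:ca/nrc/cadc/ac/server/oidc/AuthorizeAction$AuthorizeError.class */
    /**
     * An OAuth 2.0 error response: the {@code error} code plus an optional
     * human-readable {@code error_description}.
     */
    public static class AuthorizeError {
        String error;
        String errorDescription;

        private AuthorizeError() {
        }

        /**
         * Builds an error response.
         *
         * @param error            the OAuth 2.0 error code (e.g. {@code invalid_request})
         * @param errorDescription optional description, or null for none
         * @return the populated error
         */
        private static AuthorizeError of(String error, String errorDescription) {
            AuthorizeError ae = new AuthorizeError();
            ae.error = error;
            ae.errorDescription = errorDescription;
            return ae;
        }
    }

    /**
     * Reads the authorization request parameters into the protected fields of this
     * action. Called first by {@link #doAction()}; a parameter that is absent must be
     * left null, which is how the flows detect missing input.
     */
    protected abstract void loadRequestInput();

    /**
     * Dispatches the authorization request to the flow selected by {@code response_type}.
     *
     * <p>{@code token} and {@code id_token} go to the non-browser flow; {@code code}
     * additionally requires a {@code scope} containing {@code openid} and goes to the
     * browser code flow. Anything else is rejected with {@code unsupported_response_type}.
     *
     * @throws Exception propagated from the flows; an {@link IllegalArgumentException}
     *         when an error must be reported but no {@code redirect_uri} was supplied
     */
    public void doAction() throws Exception {
        loadRequestInput();
        logRequestInput();

        if (this.responseType == null) {
            sendError(missingParameter("response_type"));
            return;
        }
        if (TOKEN_RESPONSE_TYPE.equals(this.responseType) || IDTOKEN_RESPONSE_TYPE.equals(this.responseType)) {
            doCLIFlow();
            return;
        }
        if (!CODE_RESPONSE_TYPE.equals(this.responseType)) {
            sendError(AuthorizeError.of("unsupported_response_type", null));
            return;
        }

        // Code flow: the "openid" scope is what makes this an OIDC request.
        if (this.scope == null) {
            sendError(missingParameter("scope"));
            return;
        }
        if (!hasScope(this.scope, OIDC_SCOPE)) {
            sendError(AuthorizeError.of("invalid_scope", null));
            return;
        }
        doOpenIDCodeFlow();
    }

    /**
     * Browser code flow.
     *
     * <p>Requires {@code redirect_uri} and a {@code client_id} known to {@code OIDCUtil}.
     * An anonymous user is redirected to the login application (unless {@code prompt=none},
     * which yields {@code login_required}); an authenticated user is checked with
     * {@code OIDCUtil.accessAllowed} and then redirected to {@code redirect_uri} with a
     * {@code code} (and the echoed {@code state}).
     *
     * <p>{@code prompt=login} is accepted but not acted on: an already authenticated user
     * is not forced to re-authenticate.
     *
     * @throws Exception on registry lookup or token creation failure, or from
     *         {@link #sendError(AuthorizeError)}
     */
    private void doOpenIDCodeFlow() throws Exception {
        if (this.redirectURI == null) {
            sendError(missingParameter("redirect_uri"));
            return;
        }
        if (this.clientID == null) {
            sendError(missingParameter("client_id"));
            return;
        }
        RelyParty relyParty = OIDCUtil.getRelyParty(this.clientID);
        if (relyParty == null) {
            sendError(AuthorizeError.of("unauthorized_client", null));
            return;
        }

        Subject currentSubject = AuthenticationUtil.getCurrentSubject();
        AuthMethod authMethod = AuthenticationUtil.getAuthMethodFromCredentials(currentSubject);
        // A missing auth method is treated as anonymous rather than dereferenced.
        boolean anonymous = authMethod == null || AuthMethod.ANON.equals(authMethod);
        if (anonymous) {
            if ("none".equals(this.prompt)) {
                // prompt=none forbids showing a login page, so an anonymous user cannot proceed.
                sendError(AuthorizeError.of("login_required", null));
                return;
            }
            redirectToLogin(relyParty);
            return;
        }

        if (!OIDCUtil.accessAllowed(relyParty)) {
            // access_denied is the RFC 6749 code; the group name goes in the description.
            sendError(AuthorizeError.of("access_denied",
                    "login failed, not a member of " + relyParty.getAccessGroup()));
            return;
        }

        String username = getHttpPrincipalName(currentSubject);
        String code = OIDCUtil.getToken(username, URI.create(OIDCUtil.AUTHORIZE_TOKEN_SCOPE),
                OIDCUtil.AUTHORIZE_CODE_EXPIRY_MINUTES.intValue());

        StringBuilder location = new StringBuilder(this.redirectURI);
        appendQueryParam(location, "code", code);
        if (this.state != null) {
            appendQueryParam(location, "state", this.state);
        }
        redirect(location.toString());
    }

    /**
     * Redirects an anonymous user to the login application, passing the request context
     * in the URL fragment.
     *
     * <p>Every fragment value is URL-encoded with {@code NetUtil.encode}. That was already
     * the case for {@code clientid}, {@code client} and {@code claims}; it is assumed the
     * login application decodes all fragment parameters the same way — TODO confirm.
     * Encoding {@code redirect_uri}, {@code username} and {@code state} keeps a value
     * containing {@code &} or {@code #} from being read as extra parameters.
     *
     * @param relyParty the registered client being authorized
     * @throws Exception on registry lookup failure
     */
    private void redirectToLogin(RelyParty relyParty) throws Exception {
        URL loginURL = new RegistryClient().getAccessURL(RegistryClient.Query.APPLICATIONS,
                new URI("ivo://cadc.nrc.ca/login"));

        StringBuilder sb = new StringBuilder(loginURL.toExternalForm());
        sb.append("#redirect_uri=").append(NetUtil.encode(this.redirectURI));
        if (this.loginHint != null) {
            sb.append("&username=").append(NetUtil.encode(this.loginHint));
        }
        if (this.state != null) {
            sb.append("&state=").append(NetUtil.encode(this.state));
        }
        sb.append("&clientid=").append(NetUtil.encode(this.clientID));
        sb.append("&client=").append(NetUtil.encode(relyParty.getClientDescription()));
        sb.append("&claims=").append(NetUtil.encode(OIDCUtil.getClaimDescriptionString(relyParty.getClaims())));

        log.debug("redirecting to " + sb);
        redirect(sb.toString());
    }

    /**
     * Non-browser flow for {@code response_type=token} or {@code id_token}.
     *
     * <p>The caller must already be authenticated. For {@code token}, the {@code scope}
     * may be absent or {@code vo-sso}; an access token is issued. For {@code id_token},
     * {@code client_id} must name a known client; an ID token is built for it. The
     * token is written to the {@code X-Auth-Token} header and the response body.
     *
     * @throws NotAuthenticatedException when the caller is anonymous or has no
     *         {@link HttpPrincipal}
     * @throws Exception on token creation or output failure, or from
     *         {@link #sendError(AuthorizeError)}
     */
    private void doCLIFlow() throws Exception {
        Subject currentSubject = AuthenticationUtil.getCurrentSubject();
        if (AuthMethod.ANON.equals(AuthenticationUtil.getAuthMethodFromCredentials(currentSubject))) {
            throw new NotAuthenticatedException("login_required");
        }
        String username = getHttpPrincipalName(currentSubject);

        if (TOKEN_RESPONSE_TYPE.equals(this.responseType)) {
            if (this.scope != null && !VO_SINGLESIGNON_SCOPE.equals(this.scope)) {
                sendError(AuthorizeError.of("invalid_scope", null));
                return;
            }
            String token = OIDCUtil.getToken(username, URI.create(OIDCUtil.ACCESS_TOKEN_SCOPE),
                    OIDCUtil.ACCESS_CODE_EXPIRY_MINUTES.intValue());
            writeToken(token);
        } else if (IDTOKEN_RESPONSE_TYPE.equals(this.responseType)) {
            if (this.clientID == null) {
                sendError(missingParameter("client_id"));
                return;
            }
            RelyParty relyParty = OIDCUtil.getRelyParty(this.clientID);
            if (relyParty == null) {
                sendError(AuthorizeError.of("unauthorized_client", null));
                return;
            }
            writeToken(OIDCUtil.buildIDToken(relyParty));
        }
    }

    /**
     * Logs the request parameters at debug level. The {@code id_token_hint} value is a
     * previously issued token, so only its presence is logged.
     */
    private void logRequestInput() {
        log.debug("scope: " + this.scope);
        log.debug("response_type: " + this.responseType);
        log.debug("client_id: " + this.clientID);
        log.debug("redirect_uri: " + this.redirectURI);
        log.debug("state: " + this.state);
        log.debug("response_mode: " + this.responseMode);
        log.debug("nonce: " + this.nonce);
        log.debug("display: " + this.display);
        log.debug("prompt: " + this.prompt);
        log.debug("max_age: " + this.maxAge);
        log.debug("ui_locales: " + this.uiLocales);
        log.debug("id_token_hint: " + (this.idTokenHint == null ? "null" : "<present>"));
        log.debug("login_hint: " + this.loginHint);
        log.debug("acr_values: " + this.acrValues);
    }

    /**
     * Builds the {@code invalid_request} error for a missing required parameter.
     *
     * @param name the request parameter name as it appears on the wire
     * @return the error with a description naming the parameter
     */
    private AuthorizeError missingParameter(String name) {
        return AuthorizeError.of("invalid_request", "missing required parameter '" + name + "'");
    }

    /**
     * Reports an error to the client.
     *
     * <p>Without a {@code redirect_uri} the error is raised as an
     * {@link IllegalArgumentException} whose message is {@code error} or
     * {@code error: error_description}. With one, the user agent is redirected to it with
     * URL-encoded {@code error}, {@code error_description} (if any) and {@code state}
     * (if any) query parameters.
     *
     * @param authorizeError the error to report
     * @throws IllegalArgumentException      when no {@code redirect_uri} is available
     * @throws UnsupportedEncodingException never in practice (UTF-8 is always available)
     */
    private void sendError(AuthorizeError authorizeError) throws UnsupportedEncodingException {
        if (this.redirectURI == null) {
            String message = authorizeError.error;
            if (authorizeError.errorDescription != null) {
                message = message + ": " + authorizeError.errorDescription;
            }
            throw new IllegalArgumentException(message);
        }

        // NOTE(review): this redirect may happen before client_id has been validated
        // (see doAction), so redirect_uri is trusted as given here.
        StringBuilder location = new StringBuilder(this.redirectURI);
        appendQueryParam(location, "error", authorizeError.error);
        if (authorizeError.errorDescription != null) {
            appendQueryParam(location, "error_description", authorizeError.errorDescription);
        }
        if (this.state != null) {
            appendQueryParam(location, "state", this.state);
        }
        redirect(location.toString());
    }

    /**
     * Appends {@code name=value} as a query parameter, using {@code ?} when the URL has no
     * query component yet and {@code &} otherwise, so a {@code redirect_uri} that already
     * carries query parameters keeps them (RFC 6749 section 3.1.2). The value is
     * URL-encoded; the name is appended as given.
     *
     * @param url   the URL being built
     * @param name  the parameter name
     * @param value the raw parameter value
     * @throws UnsupportedEncodingException never in practice (UTF-8 is always available)
     */
    private static void appendQueryParam(StringBuilder url, String name, String value)
            throws UnsupportedEncodingException {
        url.append(url.indexOf("?") >= 0 ? '&' : '?');
        url.append(name).append('=').append(URLEncoder.encode(value, StandardCharsets.UTF_8.name()));
    }

    /**
     * Returns the name of the subject's {@link HttpPrincipal}.
     *
     * @param subject the authenticated subject
     * @return the HTTP principal name used as the token subject
     * @throws NotAuthenticatedException when the subject has no {@link HttpPrincipal}
     */
    private static String getHttpPrincipalName(Subject subject) throws NotAuthenticatedException {
        Set<HttpPrincipal> principals = subject.getPrincipals(HttpPrincipal.class);
        if (principals.isEmpty()) {
            throw new NotAuthenticatedException("no HttpPrincipal in authenticated subject");
        }
        return principals.iterator().next().getName();
    }

    /**
     * Sends the token in the {@code X-Auth-Token} header and as the UTF-8 response body.
     *
     * @param token the token text
     * @throws IOException on output failure
     */
    private void writeToken(String token) throws IOException {
        this.syncOutput.setHeader("X-Auth-Token", token);
        OutputStreamWriter writer = new OutputStreamWriter(this.syncOutput.getOutputStream(), StandardCharsets.UTF_8);
        writer.write(token);
        writer.flush();
    }

    /**
     * Issues an HTTP 302 to {@code location}.
     *
     * @param location the absolute URL to redirect to
     */
    private void redirect(String location) {
        this.syncOutput.setCode(302);
        this.syncOutput.setHeader("Location", location);
    }

    /**
     * Tests whether a space-separated {@code scope} parameter value contains a scope.
     *
     * @param scopeParam the raw {@code scope} parameter value
     * @param wanted     the scope to look for
     * @return true when {@code wanted} is one of the space-separated entries
     */
    private static boolean hasScope(String scopeParam, String wanted) {
        return Arrays.asList(scopeParam.split("\\s+")).contains(wanted);
    }
}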
