package com.predic8.membrane.core.interceptor.oauth2client.rf;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.predic8.membrane.core.exchange.Exchange;
import com.predic8.membrane.core.exchange.snapshots.AbstractExchangeSnapshot;
import com.predic8.membrane.core.http.Request;
import com.predic8.membrane.core.http.Response;
import com.predic8.membrane.core.interceptor.oauth2.OAuth2AnswerParameters;
import com.predic8.membrane.core.interceptor.oauth2.authorizationservice.AuthorizationService;
import com.predic8.membrane.core.interceptor.oauth2client.OriginalExchangeStore;
import com.predic8.membrane.core.interceptor.oauth2client.rf.token.AccessTokenRevalidator;
import com.predic8.membrane.core.interceptor.session.Session;
import com.predic8.membrane.core.util.URIFactory;
import java.math.BigInteger;
import java.security.SecureRandom;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/predic8/membrane/core/interceptor/oauth2client/rf/OAuth2CallbackRequestHandler.class */
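/**
 * Handles the OAuth2 callback request: parses the callback parameters, verifies the CSRF token
 * carried in {@code state} against the session, exchanges the authorization code for tokens,
 * authorizes the session and finally redirects the client back to the request it originally made.
 *
 * <p>The handler must be configured through {@link #init} before {@link #handleRequest} is called.
 */
public class OAuth2CallbackRequestHandler {
    private static final Logger log = LoggerFactory.getLogger(OAuth2CallbackRequestHandler.class);

    // Error texts for session/CSRF failures. They are not referenced inside this class;
    // presumably the session and state checks elsewhere in the package use them -- confirm.
    public static final String MEMBRANE_MISSING_SESSION = "Missing session.";
    public static final String MEMBRANE_CSRF_TOKEN_MISSING_IN_SESSION = "CSRF token missing in session.";
    public static final String MEMBRANE_CSRF_TOKEN_MISMATCH = "CSRF token mismatch.";

    // SecureRandom and a default-configured ObjectMapper are both safe to share between threads,
    // so one instance of each is reused instead of allocating new ones on every callback.
    private static final SecureRandom RANDOM = new SecureRandom();
    private static final ObjectMapper SNAPSHOT_MAPPER = new ObjectMapper();

    private URIFactory uriFactory;
    private AuthorizationService auth;
    private OriginalExchangeStore originalExchangeStore;
    private AccessTokenRevalidator accessTokenRevalidator;
    private SessionAuthorizer sessionAuthorizer;
    private PublicUrlManager publicUrlManager;
    // Appended to the public URL to form the redirect URI sent with the code-for-token request.
    private String callbackPath;
    // When true, a token response without an access_token is accepted and the id token is verified instead.
    private boolean onlyRefreshToken;

    /**
     * Wires the collaborators and settings used by {@link #handleRequest}.
     *
     * <p>The configuration is checked before any field is written, so a rejected configuration
     * does not leave the handler half-initialised.
     *
     * @param uRIFactory factory passed to {@code OAuth2Parameters.parse}
     * @param authorizationService performs the code-for-token request
     * @param originalExchangeStore holds the snapshot of the request that triggered the login
     * @param accessTokenRevalidator owner of the map of access tokens regarded as valid
     * @param sessionAuthorizer verifies the JWT or retrieves the user info for the session
     * @param publicUrlManager supplies the public URL the callback path is appended to
     * @param str the callback path
     * @param z the {@code onlyRefreshToken} setting
     * @throws RuntimeException if {@code onlyRefreshToken} is set while the session authorizer
     *     does not skip the user info request
     */
    public void init(URIFactory uRIFactory, AuthorizationService authorizationService, OriginalExchangeStore originalExchangeStore, AccessTokenRevalidator accessTokenRevalidator, SessionAuthorizer sessionAuthorizer, PublicUrlManager publicUrlManager, String str, boolean z) {
        // Validate first: an invalid combination must not overwrite a previously valid setup.
        if (z && !sessionAuthorizer.isSkipUserInfo()) {
            throw new RuntimeException("If onlyRefreshToken is set, skipUserInfo also has to be set.");
        }
        this.uriFactory = uRIFactory;
        this.auth = authorizationService;
        this.originalExchangeStore = originalExchangeStore;
        this.accessTokenRevalidator = accessTokenRevalidator;
        this.sessionAuthorizer = sessionAuthorizer;
        this.publicUrlManager = publicUrlManager;
        this.callbackPath = str;
        this.onlyRefreshToken = z;
    }

    /**
     * Processes one callback request and sets the response on {@code exchange}.
     *
     * <p>An {@code OAuth2Exception} is rethrown to the caller unchanged. Any other exception is
     * logged and answered with a 400 response, after which the exchange store's post-processing
     * still runs.
     *
     * @param exchange the callback exchange; receives the redirect or the error response
     * @param session the session the CSRF token, tokens and stored snapshot belong to
     * @throws Exception an {@code OAuth2Exception} raised while handling the callback
     */
    public void handleRequest(Exchange exchange, Session session) throws Exception {
        try {
            OAuth2Parameters params = OAuth2Parameters.parse(this.uriFactory, exchange);
            params.checkCodeOrError();

            // The CSRF check runs before any stored state is touched or the code is redeemed.
            StateManager stateManager = new StateManager(params.getState());
            StateManager.verifyCsrfToken(session, stateManager);

            AbstractExchangeSnapshot originalSnapshot = this.originalExchangeStore.reconstruct(exchange, session, stateManager);
            // Removed right after reconstruction and before the token request; presumably this
            // makes the stored exchange single-use per state value -- confirm in OriginalExchangeStore.
            this.originalExchangeStore.remove(exchange, session, stateManager);
            log.debug("CSRF token match.");

            String redirectUri = this.publicUrlManager.getPublicURLAndReregister(exchange) + this.callbackPath;
            OAuth2TokenResponseBody tokenResponse = this.auth.codeTokenRequest(redirectUri, params.getCode(), PKCEVerifier.getVerifier(stateManager, session));

            if (tokenResponse.getAccessToken() == null) {
                // Without an access token only the onlyRefreshToken mode may continue; it verifies the id token.
                if (!this.onlyRefreshToken) {
                    throw new RuntimeException("No access_token received.");
                }
                this.sessionAuthorizer.verifyJWT(exchange, tokenResponse.getIdToken(), OAuth2AnswerParameters.createFrom(tokenResponse), session);
            } else {
                // NOTE(review): the token is recorded as valid and stored in the session before
                // verifyJWT/retrieveUserInfo run, and nothing here rolls either back if they throw.
                // Confirm that later checks do not treat such a session as authorized.
                this.accessTokenRevalidator.getValidTokens().put(tokenResponse.getAccessToken(), true);
                session.setAccessToken(null, tokenResponse.getAccessToken());
                if (this.sessionAuthorizer.isSkipUserInfo()) {
                    this.sessionAuthorizer.verifyJWT(exchange, tokenResponse.getAccessToken(), OAuth2AnswerParameters.createFrom(tokenResponse), session);
                } else {
                    this.sessionAuthorizer.retrieveUserInfo(tokenResponse, OAuth2AnswerParameters.createFrom(tokenResponse), session);
                }
            }

            continueOriginalExchange(exchange, originalSnapshot, session);
            this.originalExchangeStore.postProcess(exchange);
        } catch (OAuth2Exception oauthFailure) {
            // Propagated as is; note that postProcess is not invoked on this path.
            throw oauthFailure;
        } catch (Exception failure) {
            log.error("Could not exchange code for token.", failure);
            // NOTE(review): the raw exception message is returned to the client. It can carry
            // internal detail or request-derived text, and may be null for some exception types.
            // Consider a fixed message here and keeping the detail in the log only.
            exchange.setResponse(Response.badRequest().body(failure.getMessage()).build());
            this.originalExchangeStore.postProcess(exchange);
        }
    }

    /**
     * Sends the client back to the request that started the login flow.
     *
     * <p>A GET is resumed with a plain 302 to the original URI. For any other method the snapshot
     * is serialised to JSON and stored in the session under a key derived from a random id, and
     * that id is appended to the original URI as the {@code oa2redirect} query parameter.
     *
     * @param exchange the callback exchange that receives the redirect response
     * @param abstractExchangeSnapshot snapshot of the original request
     * @param session session that stores the serialised snapshot for non-GET requests
     * @throws Exception if the snapshot cannot be serialised
     */
    private static void continueOriginalExchange(Exchange exchange, AbstractExchangeSnapshot abstractExchangeSnapshot, Session session) throws Exception {
        // The redirect target is taken from the stored snapshot, not from the callback parameters.
        String originalUri = abstractExchangeSnapshot.getOriginalRequestUri();
        if (abstractExchangeSnapshot.getRequest().getMethod().equals(Request.METHOD_GET)) {
            exchange.setResponse(Response.redirect(originalUri, 302).build());
            return;
        }

        // 130 random bits rendered in base 32: an unguessable handle for the stored snapshot.
        String redirectId = new BigInteger(130, RANDOM).toString(32);
        session.put(OAuthUtils.oa2redictKeyNameInSession(redirectId), SNAPSHOT_MAPPER.writeValueAsString(abstractExchangeSnapshot));

        String separator = originalUri.contains("?") ? "&" : "?";
        exchange.setResponse(Response.redirect(originalUri + separator + "oa2redirect=" + redirectId, 302).build());
    }
}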
