package org.forgerock.oauth2.restlet;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.inject.Inject;
import javax.inject.Named;
import org.forgerock.oauth2.core.AuthorizationService;
import org.forgerock.oauth2.core.ClientRegistration;
import org.forgerock.oauth2.core.ClientRegistrationStore;
import org.forgerock.oauth2.core.CsrfProtection;
import org.forgerock.oauth2.core.DeviceCode;
import org.forgerock.oauth2.core.OAuth2ProviderSettings;
import org.forgerock.oauth2.core.OAuth2ProviderSettingsFactory;
import org.forgerock.oauth2.core.OAuth2Request;
import org.forgerock.oauth2.core.OAuth2RequestFactory;
import org.forgerock.oauth2.core.ResourceOwner;
import org.forgerock.oauth2.core.ResourceOwnerSessionValidator;
import org.forgerock.oauth2.core.TokenStore;
import org.forgerock.oauth2.core.Utils;
import org.forgerock.oauth2.core.exceptions.AccessDeniedException;
import org.forgerock.oauth2.core.exceptions.BadRequestException;
import org.forgerock.oauth2.core.exceptions.InteractionRequiredException;
import org.forgerock.oauth2.core.exceptions.InvalidClientException;
import org.forgerock.oauth2.core.exceptions.InvalidGrantException;
import org.forgerock.oauth2.core.exceptions.InvalidScopeException;
import org.forgerock.oauth2.core.exceptions.LoginRequiredException;
import org.forgerock.oauth2.core.exceptions.NotFoundException;
import org.forgerock.oauth2.core.exceptions.OAuth2Exception;
import org.forgerock.oauth2.core.exceptions.RedirectUriMismatchException;
import org.forgerock.oauth2.core.exceptions.ResourceOwnerAuthenticationRequired;
import org.forgerock.oauth2.core.exceptions.ResourceOwnerConsentRequired;
import org.forgerock.oauth2.core.exceptions.ServerException;
import org.forgerock.openam.oauth2.OAuth2Utils;
import org.forgerock.openam.services.baseurl.BaseURLProviderFactory;
import org.forgerock.openam.utils.StringUtils;
import org.forgerock.openam.xui.XUIState;
import org.restlet.Context;
import org.restlet.Request;
import org.restlet.data.Preference;
import org.restlet.ext.freemarker.TemplateRepresentation;
import org.restlet.ext.servlet.ServletUtils;
import org.restlet.representation.Representation;
import org.restlet.resource.Get;
import org.restlet.resource.Post;
import org.restlet.routing.Router;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/forgerock/oauth2/restlet/DeviceCodeVerificationResource.class */
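/**
 * Restlet resource backing the OAuth 2.0 device-flow verification page.
 * <p>
 * {@code GET} renders the user-code entry form ({@value #FORM}). {@code POST} looks the
 * submitted {@code user_code} up in the {@link TokenStore}, collects the resource owner's
 * consent where the provider and client require it, and then either marks the matching
 * {@link DeviceCode} as authorised or deletes it (consent denied) before rendering
 * {@value #THANKS_PAGE}. A {@code GET} carrying a {@code user_code} parameter is handled
 * exactly like the {@code POST}.
 */
public class DeviceCodeVerificationResource extends ConsentRequiredResource {
    private final Logger logger;
    /** Template for the user-code entry form (also rendered with an {@code errorCode}). */
    private static final String FORM = "templates/CodeVerificationForm.ftl";
    /** Template shown once the decision has been applied to the device code. */
    private static final String THANKS_PAGE = "templates/CodeThanks.ftl";
    private final OAuth2Representation representation;
    private final TokenStore tokenStore;
    private final OAuth2RequestFactory requestFactory;
    private final AuthorizationService authorizationService;
    private final OAuth2ProviderSettingsFactory providerSettingsFactory;
    private final ExceptionHandler exceptionHandler;
    private final ResourceOwnerSessionValidator resourceOwnerSessionValidator;
    private final ClientRegistrationStore clientRegistrationStore;
    private final OAuth2Utils oAuth2Utils;
    private final CsrfProtection csrfProtection;

    /**
     * Creates the resource; every collaborator is injected.
     *
     * @param router the OAuth2 router passed to {@link ConsentRequiredResource}
     * @param baseURLProviderFactory used to compute the {@code baseUrl} placed in the templates
     * @param tokenStore store the device codes are read from, updated in and deleted from
     * @param csrfProtection guards the explicit allow/deny decision against cross-site submission
     */
    @Inject
    public DeviceCodeVerificationResource(XUIState xUIState, @Named("OAuth2Router") Router router, BaseURLProviderFactory baseURLProviderFactory, OAuth2Representation oAuth2Representation, TokenStore tokenStore, OAuth2RequestFactory oAuth2RequestFactory, AuthorizationService authorizationService, OAuth2ProviderSettingsFactory oAuth2ProviderSettingsFactory, ExceptionHandler exceptionHandler, ResourceOwnerSessionValidator resourceOwnerSessionValidator, ClientRegistrationStore clientRegistrationStore, OAuth2Utils oAuth2Utils, CsrfProtection csrfProtection) {
        super(router, baseURLProviderFactory, xUIState, resourceOwnerSessionValidator);
        this.logger = LoggerFactory.getLogger("OAuth2Provider");
        this.representation = oAuth2Representation;
        this.tokenStore = tokenStore;
        this.requestFactory = oAuth2RequestFactory;
        this.authorizationService = authorizationService;
        this.providerSettingsFactory = oAuth2ProviderSettingsFactory;
        this.exceptionHandler = exceptionHandler;
        this.resourceOwnerSessionValidator = resourceOwnerSessionValidator;
        this.clientRegistrationStore = clientRegistrationStore;
        this.oAuth2Utils = oAuth2Utils;
        this.csrfProtection = csrfProtection;
    }

    /**
     * Handles a user-code submission: resolves the device code, gathers consent where needed
     * and records the resource owner's decision on the device code.
     *
     * @param representation the posted entity; unused, all parameters are read from the Restlet
     *        {@link Request} through the {@link OAuth2RequestFactory} (the {@code GET} path passes
     *        {@code null})
     * @return the thanks page once the decision is applied; the code form with error code
     *         {@code not_found} when the code is unknown, already issued or rejected by the token
     *         store; or the consent page when the resource owner still has to decide
     * @throws OAuth2RestletException when the request is invalid, the client cannot be resolved,
     *         the resource owner must authenticate first, or the decision fails the CSRF check
     */
    @Post
    public Representation verify(Representation representation) throws ServerException, NotFoundException, InvalidGrantException, OAuth2RestletException {
        Request request = getRequest();
        OAuth2Request oAuth2Request = this.requestFactory.create(request);
        try {
            DeviceCode deviceCode = this.tokenStore.readDeviceCode((String) oAuth2Request.getParameter("user_code"), oAuth2Request);
            // An unknown code, or one whose tokens were already issued, must never be (re-)authorised.
            if (deviceCode == null || deviceCode.isIssued()) {
                return getTemplateRepresentation(FORM, oAuth2Request, "not_found");
            }
            // The client_id/scope/... the device registered with become request attributes so the
            // downstream consent machinery sees them as if the client had sent them.
            addRequestParamsFromDeviceCode(request, deviceCode);
            try {
                // Short-circuit is deliberate: the client registration is only looked up when the
                // provider allows consent to be skipped at all.
                boolean consentRequired = !(this.providerSettingsFactory.get(oAuth2Request).clientsCanSkipConsent()
                        && this.clientRegistrationStore.get((String) oAuth2Request.getParameter("client_id"), oAuth2Request).isConsentImplied());
                if (!consentRequired) {
                    // NOTE(review): this branch is reachable via userCodeForm's GET and applies no
                    // CSRF check before authorising the code, unlike the explicit-decision branch
                    // below; confirm that is intended for implied-consent clients.
                    authorizeDeviceCode(deviceCode, oAuth2Request);
                } else {
                    String decision = (String) oAuth2Request.getParameter("decision");
                    if (StringUtils.isNotEmpty(decision)) {
                        applyDecision(decision, deviceCode, oAuth2Request);
                    } else {
                        // No decision yet: the authorization service signals a pending consent with
                        // ResourceOwnerConsentRequired, rendered by the catch below.
                        // NOTE(review): if authorize() returns normally (e.g. consent already saved) the
                        // thanks page is shown but the device code is NOT marked authorised - verify
                        // whether that is the intended behaviour.
                        this.authorizationService.authorize(oAuth2Request);
                    }
                }
                return getTemplateRepresentation(THANKS_PAGE, oAuth2Request, null);
            } catch (IllegalArgumentException e) {
                // getMessage() may legitimately be null; guard before the substring test.
                String message = e.getMessage();
                if (message != null && message.contains("client_id")) {
                    throw new OAuth2RestletException(400, "invalid_request", message, (String) oAuth2Request.getParameter("state"));
                }
                throw new OAuth2RestletException(400, "invalid_request", message, (String) oAuth2Request.getParameter("redirect_uri"), (String) oAuth2Request.getParameter("state"));
            } catch (InvalidClientException | RedirectUriMismatchException e) {
                throw new OAuth2RestletException(e.getStatusCode(), e.getError(), e.getMessage(), (String) oAuth2Request.getParameter("state"));
            } catch (ResourceOwnerAuthenticationRequired e) {
                throw new OAuth2RestletException(e.getStatusCode(), e.getError(), e.getMessage(), e.getRedirectUri().toString(), null);
            } catch (OAuth2Exception e) {
                throw new OAuth2RestletException(e.getStatusCode(), e.getError(), e.getMessage(), (String) oAuth2Request.getParameter("redirect_uri"), (String) oAuth2Request.getParameter("state"), e.getParameterLocation());
            } catch (ResourceOwnerConsentRequired e) {
                return this.representation.getRepresentation(getContext(), oAuth2Request, "authorize.ftl", getDataModel(e, oAuth2Request));
            }
        } catch (InvalidGrantException e) {
            return getTemplateRepresentation(FORM, oAuth2Request, "not_found");
        }
    }

    /**
     * Applies an explicit allow/deny decision submitted from the consent page.
     *
     * @param decision the {@code decision} form parameter (non-empty)
     * @throws OAuth2RestletException with {@code bad_request} when the submission fails the CSRF check
     */
    private void applyDecision(String decision, DeviceCode deviceCode, OAuth2Request oAuth2Request)
            throws OAuth2Exception, ResourceOwnerAuthenticationRequired, OAuth2RestletException {
        if (this.csrfProtection.isCsrfAttack(oAuth2Request)) {
            this.logger.debug("Session id from consent request does not match users session");
            throw new OAuth2RestletException(400, "bad_request", null, (String) oAuth2Request.getParameter("state"));
        }
        if ("on".equalsIgnoreCase((String) oAuth2Request.getParameter("save_consent"))) {
            saveConsent(oAuth2Request);
        }
        if ("allow".equalsIgnoreCase(decision)) {
            authorizeDeviceCode(deviceCode, oAuth2Request);
        } else {
            // Any decision other than "allow" is a denial: drop the code so the device cannot poll it.
            this.tokenStore.deleteDeviceCode(deviceCode.getClientId(), deviceCode.getDeviceCode(), oAuth2Request);
        }
    }

    /**
     * Binds the device code to the current resource owner, marks it authorised and persists it.
     * The declared exceptions are a superset of what the session validator and token store throw
     * (all are handled by the caller's catch blocks).
     */
    private void authorizeDeviceCode(DeviceCode deviceCode, OAuth2Request oAuth2Request)
            throws OAuth2Exception, ResourceOwnerAuthenticationRequired {
        deviceCode.setResourceOwnerId(this.resourceOwnerSessionValidator.validate(oAuth2Request).getId());
        deviceCode.setAuthorized(true);
        this.tokenStore.updateDeviceCode(deviceCode, oAuth2Request);
    }

    /**
     * Persists the resource owner's consent for the requested (validated) scopes so future
     * authorisations for this client can skip the consent page.
     */
    private void saveConsent(OAuth2Request oAuth2Request) throws NotFoundException, ServerException, InvalidScopeException, AccessDeniedException, ResourceOwnerAuthenticationRequired, InteractionRequiredException, BadRequestException, LoginRequiredException, InvalidClientException {
        OAuth2ProviderSettings providerSettings = this.providerSettingsFactory.get(oAuth2Request);
        ResourceOwner resourceOwner = this.resourceOwnerSessionValidator.validate(oAuth2Request);
        ClientRegistration client = this.clientRegistrationStore.get((String) oAuth2Request.getParameter("client_id"), oAuth2Request);
        // Only scopes the client is actually allowed to request are saved, never the raw input.
        providerSettings.saveConsent(resourceOwner, client.getClientId(),
                providerSettings.validateAuthorizationScope(client, Utils.splitScope((String) oAuth2Request.getParameter("scope")), oAuth2Request));
    }

    /**
     * Renders one of the device-flow templates with the standard data model.
     *
     * @param templateName the template path ({@link #FORM} or {@link #THANKS_PAGE})
     * @param errorCode the {@code errorCode} model entry, or {@code null} when there is no error
     */
    private Representation getTemplateRepresentation(String templateName, OAuth2Request oAuth2Request, String errorCode) {
        TemplateRepresentation template = getTemplateFactory(getContext()).getTemplateRepresentation(templateName);
        String realm = (String) oAuth2Request.getParameter("realm");

        List<String> acceptedLanguages = new ArrayList<>();
        for (Preference<?> language : getRequest().getClientInfo().getAcceptedLanguages()) {
            acceptedLanguages.add(language.getMetadata().getName());
        }

        Map<String, Object> dataModel = new HashMap<>();
        dataModel.put("errorCode", errorCode);
        dataModel.put("baseUrl", this.baseURLProviderFactory.get(realm).getRootURL(ServletUtils.getRequest(getRequest())));
        dataModel.put("locale", this.oAuth2Utils.join(acceptedLanguages, OAuth2Utils.SCOPE_DELIMITER));
        dataModel.put("realm", realm);
        template.setDataModel(dataModel);
        return template;
    }

    /**
     * Copies the parameters stored on the device code into the request attributes. Each stored
     * value is a list: {@code scope} is joined with {@link OAuth2Utils#SCOPE_DELIMITER}, every
     * other field contributes its first element, and the stored {@code clientID} key is exposed
     * as {@code client_id}.
     */
    private void addRequestParamsFromDeviceCode(Request request, DeviceCode deviceCode) {
        @SuppressWarnings("unchecked") // the code's backing object is a String-keyed map (see getKey() usage)
        Map<String, Object> fields = (Map<String, Object>) deviceCode.getObject();
        for (Map.Entry<String, Object> field : fields.entrySet()) {
            String key = field.getKey();
            @SuppressWarnings("unchecked") // every stored field is a list of strings
            List<String> values = (List<String>) field.getValue();
            String value = "scope".equals(key)
                    ? this.oAuth2Utils.join(values, OAuth2Utils.SCOPE_DELIMITER)
                    : values.iterator().next();
            String attributeName = "clientID".equals(key) ? "client_id" : key;
            request.getAttributes().put(attributeName, value);
        }
    }

    /**
     * Serves the user-code form, or processes the code directly when {@code user_code} is
     * already present as a request parameter.
     *
     * @return the empty code form, or whatever {@link #verify(Representation)} returns
     */
    @Get
    public Representation userCodeForm() throws OAuth2RestletException, InvalidGrantException, NotFoundException, ServerException {
        OAuth2Request oAuth2Request = this.requestFactory.create(getRequest());
        if (oAuth2Request.getParameter("user_code") == null) {
            return getTemplateRepresentation(FORM, oAuth2Request, null);
        }
        // A user_code on the GET is processed exactly like a posted form, state changes included.
        return verify(null);
    }

    /**
     * Returns the {@link TemplateFactory} cached in the Restlet context attributes, creating and
     * caching it on first use.
     */
    private TemplateFactory getTemplateFactory(Context context) {
        String attributeName = TemplateFactory.class.getName();
        Object cached = context.getAttributes().get(attributeName);
        if (cached instanceof TemplateFactory) {
            return (TemplateFactory) cached;
        }
        TemplateFactory factory = TemplateFactory.newInstance(context);
        context.getAttributes().put(attributeName, factory);
        return factory;
    }

    /** Delegates every uncaught {@link Throwable} to the shared {@link ExceptionHandler}. */
    protected void doCatch(Throwable th) {
        this.exceptionHandler.handle(th, getContext(), getRequest(), getResponse());
    }
}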
