package org.ametys.workspaces.extrausermgt.authentication.oauth;

import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
import com.nimbusds.oauth2.sdk.AuthorizationResponse;
import com.nimbusds.oauth2.sdk.ErrorObject;
import com.nimbusds.oauth2.sdk.id.State;
import java.net.URI;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.ametys.plugins.extrausermgt.oauth.DefaultOauthProvider;
import org.ametys.plugins.extrausermgt.oauth.OauthProviderExtensionPoint;
import org.ametys.runtime.authentication.AccessDeniedException;
import org.apache.avalon.framework.parameters.Parameters;
import org.apache.avalon.framework.service.ServiceException;
import org.apache.avalon.framework.service.ServiceManager;
import org.apache.avalon.framework.service.Serviceable;
import org.apache.avalon.framework.thread.ThreadSafe;
import org.apache.cocoon.acting.AbstractAction;
import org.apache.cocoon.environment.ObjectModelHelper;
import org.apache.cocoon.environment.Redirector;
import org.apache.cocoon.environment.Request;
import org.apache.cocoon.environment.Session;
import org.apache.cocoon.environment.SourceResolver;

/* loaded from: input_file:org/ametys/workspaces/extrausermgt/authentication/oauth/OAuthCallbackAction.class */
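/**
 * Cocoon action that handles the redirect back from an OAuth authorization server.
 *
 * <p>The action parses the callback parameters into an authorization response, rejects error
 * responses, checks the returned {@code state} against the one held in the session, asks the
 * provider registered for that state to exchange the authorization code for an access token,
 * and finally redirects to the URI stored in the session.
 */
public class OAuthCallbackAction extends AbstractAction implements ThreadSafe, Serviceable {
    /** Extension point used to find the provider that matches a returned state. */
    private OauthProviderExtensionPoint _oauthEP;

    /**
     * Looks up the OAuth provider extension point.
     *
     * @param serviceManager the manager the extension point is looked up from
     * @throws ServiceException if the lookup fails
     */
    @Override
    public void service(ServiceManager serviceManager) throws ServiceException {
        this._oauthEP = (OauthProviderExtensionPoint) serviceManager.lookup(OauthProviderExtensionPoint.ROLE);
    }

    /**
     * Processes the authorization callback and redirects to the URI stored in the session.
     *
     * @param redirector used for the final redirect, unless a redirect already happened
     * @param sourceResolver not used
     * @param map the Cocoon object model the request is read from
     * @param str not used
     * @param parameters not used
     * @return {@code EMPTY_MAP}
     * @throws AccessDeniedException if the response is an error response, if the state does not
     *         match the one in the session, or if a success response carries no authorization code
     * @throws Exception if parsing the response, requesting the token or redirecting fails
     */
    @Override
    public Map act(Redirector redirector, SourceResolver sourceResolver, Map map, String str, Parameters parameters) throws Exception {
        Request request = ObjectModelHelper.getRequest(map);

        // Everything collected here is supplied by the caller of the callback URL; none of it is
        // trustworthy before the state check below has passed.
        Map<String, List<String>> callbackParameters = new HashMap<>();
        Iterator<?> names = request.getParameterNames().asIterator();
        while (names.hasNext()) {
            String name = (String) names.next();
            callbackParameters.put(name, Arrays.asList(request.getParameterValues(name)));
        }

        URI callbackUri = URI.create(request.getRequestURI());
        AuthorizationResponse response = AuthorizationResponse.parse(callbackUri, callbackParameters);
        Session session = request.getSession();

        if (!response.indicatesSuccess()) {
            // NOTE(review): this branch runs before the state check, and the error code and
            // description are parsed from the request parameters, so the message can carry text
            // chosen by whoever issued the request. Whatever logs or renders this exception
            // should encode it for its output context.
            ErrorObject errorObject = response.toErrorResponse().getErrorObject();
            throw new AccessDeniedException("Oauth authorization request failed with http status '" + errorObject.getHTTPStatusCode() + "', code '" + errorObject.getCode() + "' and description '" + errorObject.getDescription() + "'.");
        }

        // Binds the callback to the flow this session started (protection against forged callbacks).
        checkResponseIntegrity(response, session);

        // A success response is not guaranteed to carry a code. Reject it as a denied
        // authorization instead of letting the grant constructor fail on a null code.
        if (response.toSuccessResponse().getAuthorizationCode() == null) {
            throw new AccessDeniedException("Failed to retrieve the authorization code. The Oauth response does not contain one.");
        }

        // NOTE(review): the redirect URI handed to the grant is built from getRequestURI(); it has
        // to match the redirect_uri used in the authorization request - confirm against the
        // provider implementation.
        this._oauthEP.getProviderForState(response.getState()).requestAccessToken(new AuthorizationCodeGrant(response.toSuccessResponse().getAuthorizationCode(), callbackUri));

        // NOTE(review): the target is whatever was stored in the session under this attribute;
        // presumably the provider sets it when the flow starts - confirm it is validated there,
        // and that it cannot be absent at this point.
        String redirectTarget = (String) session.getAttribute(DefaultOauthProvider.OAUTH_REDIRECT_URI_SESSION_ATTRIBUTE);
        if (!redirector.hasRedirected()) {
            redirector.redirect(false, redirectTarget);
        }
        return EMPTY_MAP;
    }

    /**
     * Verifies that the state returned by the authorization server is the one stored in the session.
     *
     * <p>On a match the stored state is removed from the session, so the same value is not
     * accepted a second time. On a mismatch the stored state is left in place.
     *
     * @param authorizationResponse the parsed callback response
     * @param session the session holding the expected state
     * @throws AccessDeniedException if no state is stored or the returned state differs
     */
    protected void checkResponseIntegrity(AuthorizationResponse authorizationResponse, Session session) {
        State expectedState = (State) session.getAttribute(DefaultOauthProvider.OAUTH_STATE_SESSION_ATTRIBUTE);
        if (expectedState == null || !expectedState.equals(authorizationResponse.getState())) {
            throw new AccessDeniedException("Failed to retrieve the authorization code. Oauth state mismatch.");
        }
        session.removeAttribute(DefaultOauthProvider.OAUTH_STATE_SESSION_ATTRIBUTE);
    }
}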
