package org.ovirt.engine.core.sso.servlets;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import org.ovirt.engine.core.sso.utils.AuthResult;
import org.ovirt.engine.core.sso.utils.AuthenticationException;
import org.ovirt.engine.core.sso.utils.AuthenticationUtils;
import org.ovirt.engine.core.sso.utils.Credentials;
import org.ovirt.engine.core.sso.utils.NegotiateAuthUtils;
import org.ovirt.engine.core.sso.utils.NonInteractiveAuth;
import org.ovirt.engine.core.sso.utils.OAuthException;
import org.ovirt.engine.core.sso.utils.SsoConstants;
import org.ovirt.engine.core.sso.utils.SsoContext;
import org.ovirt.engine.core.sso.utils.SsoSession;
import org.ovirt.engine.core.sso.utils.SsoUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/ovirt/engine/core/sso/servlets/OAuthTokenServlet.class */
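/**
 * OAuth token endpoint of the SSO web application.
 *
 * <p>Dispatches on the {@code grant_type} request parameter to one of three flows:
 * {@code authorization_code}, {@code password} (optionally "login on behalf" when the requested
 * scope contains {@code ovirt-ext=token:login-on-behalf}) and
 * {@code urn:ovirt:params:oauth:grant-type:http} (non-interactive authentication from HTTP
 * headers). On success each flow answers with the JSON document built by
 * {@link #buildResponse(SsoSession)}.
 *
 * <p>This listing is decompiler output; several methods are shown as {@code public} although the
 * decompiler reports that the original modifier was {@code protected}.
 */
public class OAuthTokenServlet extends HttpServlet {
    private static final long serialVersionUID = 7168485079055058668L;
    private static final Logger log = LoggerFactory.getLogger(OAuthTokenServlet.class);
    protected SsoContext ssoContext;

    /**
     * Resolves the shared {@link SsoContext} from the servlet context.
     *
     * @param servletConfig configuration supplied by the container
     */
    @Override
    public void init(ServletConfig servletConfig) throws ServletException {
        this.ssoContext = SsoUtils.getSsoContext(servletConfig.getServletContext());
    }

    /**
     * Entry point for every HTTP method: runs {@link #handleRequest} and converts any failure
     * into a JSON error response.
     */
    @Override
    protected void service(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        try {
            // NOTE(review): the query string is masked by maskPassword(), but the second argument
            // is the full parameter set as rendered by SsoUtils.getRequestParameters(). Confirm
            // that helper redacts passwords, client secrets and authorization codes before this
            // servlet is run with debug logging enabled.
            log.debug("Entered OAuthTokenServlet Query String: {}, Parameters : {}", maskPassword(request.getQueryString()), SsoUtils.getRequestParameters(request));
            handleRequest(request, response);
        } catch (AuthenticationException e) {
            SsoUtils.sendJsonDataWithMessage(request, response, SsoConstants.ERR_CODE_ACCESS_DENIED, e);
        } catch (OAuthException e) {
            SsoUtils.sendJsonDataWithMessage(request, response, e);
        } catch (Exception e) {
            SsoUtils.sendJsonDataWithMessage(request, response, SsoConstants.ERR_CODE_SERVER_ERROR, e);
        }
    }

    /**
     * Selects the token flow for the requested grant type.
     *
     * <p>The decompiled original expressed this as a hash-code switch feeding a second switch on a
     * {@code boolean} that was assigned {@code -1} and {@code 2} and had two {@code case true}
     * labels, which is not valid Java. It is restored here as a plain string switch with the same
     * three targets. (Decompiler note: originally {@code protected}.)
     *
     * @throws OAuthException with {@code ERR_CODE_UNSUPPORTED_GRANT_TYPE} for any other grant type
     */
    public void handleRequest(HttpServletRequest request, HttpServletResponse response) throws Exception {
        String grantType = SsoUtils.getRequestParameter(request, SsoConstants.JSON_GRANT_TYPE, SsoConstants.JSON_GRANT_TYPE);
        String scope = SsoUtils.getScopeRequestParameter(request, "");
        switch (grantType) {
            case "authorization_code":
                issueTokenForAuthCode(request, response, scope);
                return;
            case "password":
                handlePasswordGrantType(request, response, scope);
                return;
            case "urn:ovirt:params:oauth:grant-type:http":
                issueTokenUsingHttpHeaders(request, response);
                return;
            default:
                throw new OAuthException(SsoConstants.ERR_CODE_UNSUPPORTED_GRANT_TYPE, SsoConstants.ERR_CODE_UNSUPPORTED_GRANT_TYPE_MSG);
        }
    }

    /**
     * Validates the client's Accept header. The session argument is not used here; it is part of
     * the signature so that subclasses can take it into account.
     */
    protected void validateClientAcceptHeader(SsoSession ssoSession, HttpServletRequest request) {
        SsoUtils.validateClientAcceptHeader(request);
    }

    /**
     * Authorization-code flow: validates the client id/secret against the requested scope,
     * exchanges the code for a session and sends the token response.
     */
    protected void issueTokenForAuthCode(HttpServletRequest request, HttpServletResponse response, String scope) throws Exception {
        String[] clientIdAndSecret = SsoUtils.getClientIdClientSecret(request);
        SsoUtils.validateClientRequest(request, clientIdAndSecret[0], clientIdAndSecret[1], scope, null);
        SsoSession ssoSession = handleIssueTokenForAuthCode(request, clientIdAndSecret[0], scope);
        log.debug("Sending json response");
        SsoUtils.sendJsonData(response, buildResponse(ssoSession));
    }

    /**
     * Resolves the authorization code in the request to its token, checks the requested scope
     * against that token and returns the matching session.
     * (Decompiler note: originally {@code protected}.)
     *
     * @param clientId id of the client redeeming the code
     * @param scope    scope requested by the client
     */
    public SsoSession handleIssueTokenForAuthCode(HttpServletRequest request, String clientId, String scope) throws Exception {
        log.debug("Entered issueTokenForAuthCode");
        String authCode = SsoUtils.getRequestParameter(request, SsoConstants.HTTP_PARAM_AUTHORIZATION_CODE, SsoConstants.HTTP_PARAM_AUTHORIZATION_CODE);
        String token = getTokenForAuthCode(authCode);
        SsoUtils.validateRequestScope(request, token, scope);
        SsoSession ssoSession = SsoUtils.getSsoSession(request, clientId, token, true);
        validateClientAcceptHeader(ssoSession, request);
        return ssoSession;
    }

    /** Looks up the access token that the SSO context associates with an authorization code. */
    protected String getTokenForAuthCode(String authCode) {
        return this.ssoContext.getTokenForAuthCode(authCode);
    }

    /**
     * Password grant: routes to "login on behalf" when the scope list contains
     * {@code ovirt-ext=token:login-on-behalf}, otherwise to the username/password flow.
     */
    private void handlePasswordGrantType(HttpServletRequest request, HttpServletResponse response, String scope) throws Exception {
        if (SsoUtils.scopeAsList(scope).contains("ovirt-ext=token:login-on-behalf")) {
            issueTokenForLoginOnBehalf(request, response, scope);
        } else {
            issueTokenForPasswd(request, response, scope);
        }
    }

    /**
     * Issues a token for the user named in the {@code username} parameter without that user's
     * password.
     *
     * @throws OAuthException with {@code ERR_CODE_INVALID_GRANT} when no session exists for the
     *         issued token
     */
    private void issueTokenForLoginOnBehalf(HttpServletRequest request, HttpServletResponse response, String scope) throws Exception {
        log.debug("Entered issueTokenForLoginOnBehalf");
        // NOTE(review): unlike issueTokenForAuthCode(), this method reads the client id/secret but
        // never passes them to SsoUtils.validateClientRequest(); only the client id is used, for
        // logging. Because this flow mints a token for an arbitrary user name, confirm that
        // AuthenticationUtils.loginOnBehalf() or validateRequestScope() authenticates the calling
        // client and checks that it is entitled to the login-on-behalf scope.
        String[] clientIdAndSecret = SsoUtils.getClientIdClientSecret(request);
        String username = SsoUtils.getRequestParameter(request, "username");
        log.debug("Attempting to issueTokenForLoginOnBehalf for client: {}, user: {}", clientIdAndSecret[0], username);
        AuthenticationUtils.loginOnBehalf(this.ssoContext, request, username);
        String token = (String) request.getAttribute("access_token");
        SsoUtils.validateRequestScope(request, token, scope);
        SsoSession ssoSession = SsoUtils.getSsoSession(request, token, true);
        if (ssoSession == null) {
            throw new OAuthException(SsoConstants.ERR_CODE_INVALID_GRANT, this.ssoContext.getLocalizationUtils().localize(SsoConstants.APP_ERROR_AUTHORIZATION_GRANT_EXPIRED_FOR_USERNAME_PASSWORD, (Locale) request.getAttribute(SsoConstants.LOCALE)));
        }
        validateClientAcceptHeader(ssoSession, request);
        log.debug("Sending json response");
        SsoUtils.sendJsonData(response, buildResponse(ssoSession));
    }

    /**
     * Username/password flow: authenticates the supplied credentials and sends the token response.
     *
     * @throws AuthenticationException carrying a localized message formatted with the user name,
     *         the profile and the underlying failure message
     */
    protected void issueTokenForPasswd(HttpServletRequest request, HttpServletResponse response, String scope) throws Exception {
        log.debug("Entered issueTokenForPasswd");
        Credentials credentials = null;
        try {
            credentials = getCredentials(request);
            SsoSession ssoSession = handleIssueTokenForPasswd(request, scope, credentials);
            log.debug("Sending json response");
            SsoUtils.sendJsonData(response, buildResponse(ssoSession));
        } catch (AuthenticationException e) {
            // The replacement exception is built from the message only, so record the original
            // here; otherwise its stack trace is lost.
            log.debug("Exception", e);
            String username = credentials == null ? "N/A" : credentials.getUsername();
            String profile = credentials == null || credentials.getProfile() == null ? "N/A" : credentials.getProfile();
            String template = this.ssoContext.getLocalizationUtils().localize(SsoConstants.APP_ERROR_CANNOT_AUTHENTICATE_USER_IN_DOMAIN, (Locale) request.getAttribute(SsoConstants.LOCALE));
            // NOTE(review): e.getMessage() ends up in the JSON error sent by service(). Confirm the
            // underlying messages do not let a caller tell "unknown user" from "wrong password".
            throw new AuthenticationException(String.format(template, username, profile, e.getMessage()));
        }
    }

    /**
     * Builds credentials from the {@code username} and {@code password} request parameters.
     * (Decompiler note: originally {@code protected}.)
     */
    public Credentials getCredentials(HttpServletRequest request) throws Exception {
        return SsoUtils.translateUser(SsoUtils.getRequestParameter(request, "username"), SsoUtils.getRequestParameter(request, "password"), this.ssoContext);
    }

    /**
     * Authenticates the credentials and returns the resulting session.
     * (Decompiler note: originally {@code protected}.)
     *
     * <p>When the credentials are absent or rejected by {@code SsoUtils.areCredentialsValid}, no
     * authentication is attempted and the session lookup runs with a {@code null} token.
     *
     * @throws OAuthException with {@code ERR_CODE_INVALID_GRANT} when no session is found
     */
    public SsoSession handleIssueTokenForPasswd(HttpServletRequest request, String scope, Credentials credentials) throws Exception {
        String token = null;
        if (credentials != null && SsoUtils.areCredentialsValid(request, credentials)) {
            AuthenticationUtils.handleCredentials(this.ssoContext, request, credentials, false);
            token = (String) request.getAttribute("access_token");
        }
        log.debug("Attempting to issueTokenForPasswd for user: {}", Optional.ofNullable(credentials).map(Credentials::getUsername).orElse("null"));
        SsoSession ssoSession = SsoUtils.getSsoSessionFromRequest(request, token);
        if (ssoSession == null) {
            throw new OAuthException(SsoConstants.ERR_CODE_INVALID_GRANT, this.ssoContext.getLocalizationUtils().localize(SsoConstants.APP_ERROR_AUTHORIZATION_GRANT_EXPIRED_FOR_USERNAME_PASSWORD, (Locale) request.getAttribute(SsoConstants.LOCALE)));
        }
        validateClientAcceptHeader(ssoSession, request);
        SsoUtils.validateRequestScope(request, token, scope);
        return ssoSession;
    }

    /**
     * HTTP-header flow: tries each configured non-interactive authenticator in order and issues a
     * token for the first one that succeeds; otherwise answers 401.
     *
     * @throws AuthenticationException for every failure raised inside the flow (see the catch)
     */
    private void issueTokenUsingHttpHeaders(HttpServletRequest request, HttpServletResponse response) throws Exception {
        log.debug("Entered issueTokenUsingHttpHeaders");
        try {
            AuthResult authResult = null;
            for (NonInteractiveAuth auth : getAuthSeq()) {
                authResult = auth.doAuth(request, response);
                // Status 0 is the success value tested below. 15 also ends the sequence;
                // presumably "negotiation still in progress" - TODO confirm against AuthResult.
                if (authResult.getStatus() == 0 || authResult.getStatus() == 15) {
                    break;
                }
            }
            if (authResult != null && authResult.getStatus() != 0) {
                log.debug("Authentication failed using http headers");
                List<?> schemes = (List<?>) request.getAttribute(NegotiateAuthUtils.REQUEST_SCHEMES_KEY);
                HashSet<Object> uniqueSchemes = new HashSet<>();
                if (schemes != null) {
                    uniqueSchemes.addAll(schemes);
                }
                // NOTE(review): setHeader() replaces any earlier value, so with more than one
                // scheme only the last one iterated (HashSet order) is advertised to the client.
                // Confirm whether addHeader() was intended.
                for (Object scheme : uniqueSchemes) {
                    response.setHeader("WWW-Authenticate", (String) scheme);
                }
                response.sendError(401);
            } else {
                // Reached with a successful result, or with no result when the sequence is empty.
                if (authResult == null || !StringUtils.isNotEmpty(authResult.getToken())) {
                    throw new AuthenticationException(this.ssoContext.getLocalizationUtils().localize(SsoConstants.APP_ERROR_AUTHENTICATION_FAILED, (Locale) request.getAttribute(SsoConstants.LOCALE)));
                }
                SsoSession ssoSession = SsoUtils.getSsoSessionFromRequest(request, authResult.getToken());
                if (ssoSession == null) {
                    throw new OAuthException(SsoConstants.ERR_CODE_INVALID_GRANT, this.ssoContext.getLocalizationUtils().localize(SsoConstants.APP_ERROR_AUTHORIZATION_GRANT_EXPIRED, (Locale) request.getAttribute(SsoConstants.LOCALE)));
                }
                validateClientAcceptHeader(ssoSession, request);
                log.debug("Sending json response");
                SsoUtils.sendJsonData(response, buildResponse(ssoSession));
            }
        } catch (Exception e) {
            // This catch also re-labels the OAuthException and AuthenticationException thrown
            // above, plus any I/O failure, as a generic authentication failure. Only the message
            // is carried over, so record the original for diagnosis.
            log.debug("Exception", e);
            throw new AuthenticationException(String.format(this.ssoContext.getLocalizationUtils().localize(SsoConstants.APP_ERROR_CANNOT_AUTHENTICATE_USER, (Locale) request.getAttribute(SsoConstants.LOCALE)), e.getMessage()));
        }
    }

    /**
     * Builds the token response: access token, scope (empty string when the session has none),
     * expiry taken from {@code getValidTo()}, and token type {@code bearer}.
     * (Decompiler note: originally {@code protected}.)
     */
    public Map<String, Object> buildResponse(SsoSession ssoSession) {
        Map<String, Object> payload = new HashMap<>();
        payload.put("access_token", ssoSession.getAccessToken());
        payload.put("scope", StringUtils.isEmpty(ssoSession.getScope()) ? "" : ssoSession.getScope());
        payload.put(SsoConstants.JSON_EXPIRES_IN, ssoSession.getValidTo().toString());
        payload.put(SsoConstants.JSON_TOKEN_TYPE, "bearer");
        return payload;
    }

    /**
     * Parses the {@code SSO_TOKEN_HTTP_LOGIN_SEQUENCE} property into authenticators, one per
     * character. {@code '~'} characters are skipped, and a character that names no
     * {@link NonInteractiveAuth} constant is logged and ignored.
     *
     * @return the authenticators in configured order; empty when the property is unset or empty
     */
    private List<NonInteractiveAuth> getAuthSeq() {
        String sequence = this.ssoContext.getSsoLocalConfig().getProperty("SSO_TOKEN_HTTP_LOGIN_SEQUENCE");
        List<NonInteractiveAuth> auths = new ArrayList<>();
        if (StringUtils.isNotEmpty(sequence)) {
            for (char c : sequence.toCharArray()) {
                if (c == '~') {
                    continue;
                }
                try {
                    auths.add(NonInteractiveAuth.valueOf(String.valueOf(c)));
                } catch (IllegalArgumentException e) {
                    log.error("Unable to retrieve auth for value {}: {}", c, e.getMessage());
                    log.debug("Exception", e);
                }
            }
        }
        return auths;
    }

    /**
     * Redacts secret values in a query string before it is logged.
     *
     * <p>Masks {@code password=} as before and now also {@code client_secret=}, the standard
     * OAuth 2.0 parameter for the client's secret. Matching is literal and case-sensitive, so
     * percent-encoded or differently cased parameter names are not redacted.
     *
     * @param queryString raw query string, may be {@code null} or empty
     * @return the query string with matched values replaced by {@code ***}
     */
    private String maskPassword(String queryString) {
        return StringUtils.isNotEmpty(queryString) ? queryString.replaceAll("(password|client_secret)=[^&]+", "$1=***") : queryString;
    }
}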
