package org.pageseeder.bridge.berlioz.oauth;

import java.io.IOException;
import java.util.Properties;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.pageseeder.berlioz.GlobalSettings;
import org.pageseeder.bridge.PSToken;
import org.pageseeder.bridge.berlioz.auth.AuthSessions;
import org.pageseeder.bridge.berlioz.auth.AuthorizationResult;
import org.pageseeder.bridge.berlioz.auth.LoggedInAuthorizer;
import org.pageseeder.bridge.berlioz.auth.ProtectedRequest;
import org.pageseeder.bridge.model.PSMember;
import org.pageseeder.bridge.net.UnsafeSSL;
import org.pageseeder.bridge.oauth.AuthorizationRequest;
import org.pageseeder.bridge.oauth.ClientCredentials;
import org.pageseeder.bridge.oauth.TokenRequest;
import org.pageseeder.bridge.oauth.TokenResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/pageseeder/bridge/berlioz/oauth/AuthorizationCodeFilter.class */
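/**
 * Servlet filter implementing the client side of the OAuth 2.0 authorization-code grant.
 *
 * <p>Behaviour per request:
 * <ul>
 *   <li>If an {@link OAuthUser} is already in the session, the request is authorized with
 *       {@link LoggedInAuthorizer} and either passed down the chain or rejected with 403.</li>
 *   <li>Otherwise a request whose URI starts with {@code <contextPath>/auth} is treated as the
 *       authorization-server callback and exchanged for a token ({@link #token}); any other URI
 *       is stored as the protected target and redirected to the authorization server
 *       ({@link #authorize}).</li>
 * </ul>
 *
 * <p>The CSRF {@code state} value is kept in the HTTP session and is single-use: the session that
 * carried it is invalidated once the token exchange succeeds, which also defeats session fixation
 * across the login boundary.
 *
 * <p>Configuration is read from the {@code oauth.authorization-code} node of
 * {@link GlobalSettings}: {@code client} (required), {@code secret} and optional {@code scope}.
 */
public final class AuthorizationCodeFilter implements Filter {
    private static final Logger LOGGER = LoggerFactory.getLogger(AuthorizationCodeFilter.class);

    /** Session attribute holding the pending OAuth {@code state} value. */
    private static final String OAUTH_STATE = "org.pageseeder.bridge.berlioz.auth.OAuthState";

    /** Name of the settings node this filter reads. */
    private static final String SETTINGS_NODE = "oauth.authorization-code";

    /** No initialization is required; configuration is read on every request. */
    @Override
    public void init(FilterConfig filterConfig) {
    }

    /**
     * Entry point: refuses to run (503) unless a client id is configured, otherwise delegates
     * to {@link #doHttpFilter}.
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        if (!GlobalSettings.getNode(SETTINGS_NODE).containsKey("client")) {
            // Fail closed: without a client id we cannot authenticate anyone.
            LOGGER.error("This filter requires a valid `oauth.authorization-code.client`.");
            response.sendError(503);
            return;
        }
        doHttpFilter(request, response, filterChain);
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }

    /**
     * Dispatches an HTTP request: authorized users go down the chain, the callback URI goes to
     * the token exchange, everything else starts a new authorization round-trip.
     */
    private void doHttpFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
        OAuthUser user = OAuthUtils.getOAuthUserInSession(request.getSession());
        String contextPath = request.getContextPath();
        String uri = request.getRequestURI();

        if (user != null) {
            AuthorizationResult result = LoggedInAuthorizer.getInstance().isUserAuthorized(user, uri);
            if (result == AuthorizationResult.AUTHORIZED) {
                chain.doFilter(request, response);
            } else {
                response.sendError(403);
            }
            return;
        }

        // NOTE(review): prefix match also accepts e.g. "/authors"; the callback path registered
        // with the authorization server should be kept distinct from other protected paths.
        if (uri.startsWith(contextPath + "/auth")) {
            token(request, response);
        } else {
            authorize(request, response);
        }
    }

    /**
     * Handles the authorization-server callback: validates {@code state} against the session,
     * exchanges {@code code} for an access token, resolves the member and establishes a fresh
     * session holding the {@link OAuthUser}.
     *
     * <p>Responses: 400 when {@code code} is absent, 401 when no pending state exists in the
     * session, 403 when the state does not match, the token exchange fails or the member cannot
     * be identified; otherwise a redirect to the originally requested URL.
     *
     * @param request  the callback request carrying {@code code} and {@code state}
     * @param response the response to write the error or redirect to
     * @throws IOException if writing the response fails
     */
    public void token(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String code = request.getParameter("code");
        String state = request.getParameter("state");

        // Do not create a session for a stray callback; a missing session means no pending state.
        HttpSession session = request.getSession(false);
        String expectedState = session == null ? null : (String) session.getAttribute(OAUTH_STATE);
        if (expectedState == null) {
            LOGGER.error("State already used or no longer in memory");
            response.sendError(401);
            return;
        }
        if (!expectedState.equals(state)) {
            // CSRF check: the callback must belong to the round-trip this session started.
            LOGGER.error("State does not match!");
            response.sendError(403);
            return;
        }
        if (code == null || code.isEmpty()) {
            // Nothing to exchange; the original code passed null through to the token request.
            LOGGER.error("Missing authorization code");
            response.sendError(400);
            return;
        }

        Properties settings = GlobalSettings.getNode(SETTINGS_NODE);
        ClientCredentials credentials = new ClientCredentials(settings.getProperty("client"), settings.getProperty("secret"));
        TokenResponse tokenResponse = TokenRequest.newAuthorizationCode(code, credentials).post();
        if (!tokenResponse.isSuccessful()) {
            // Error code and description only; never log the code, token or client secret.
            LOGGER.error("OAuth failed '{}': {}", tokenResponse.getError(), tokenResponse.getErrorDescription());
            response.sendError(403);
            return;
        }

        PSToken accessToken = tokenResponse.getAccessToken();
        PSMember member = tokenResponse.getMember();
        if (member == null) {
            // Token response did not embed the member; look it up with the access token.
            member = OAuthUtils.retrieve(accessToken);
        }
        if (member == null) {
            LOGGER.error("Unable to identify user!");
            response.sendError(403);
            return;
        }

        OAuthUser user = new OAuthUser(member, accessToken);
        ProtectedRequest target = (ProtectedRequest) session.getAttribute(AuthSessions.REQUEST_ATTRIBUTE);

        // Rotate the session on privilege change (anonymous -> authenticated); this also consumes
        // the state value so it cannot be replayed.
        session.invalidate();
        request.getSession(true).setAttribute(AuthSessions.USER_ATTRIBUTE, user);

        // The stored target was built from the request the user originally made; fall back to the
        // application root if it is missing rather than failing with a NullPointerException.
        String redirect = target != null ? target.url() : request.getContextPath() + "/";
        response.sendRedirect(redirect);
    }

    /**
     * Starts the authorization round-trip: remembers the current request as the protected target,
     * stores a fresh {@code state} in the session and redirects to the authorization server.
     *
     * @param request  the unauthenticated request to resume after login
     * @param response the response used for the redirect
     * @throws IOException if writing the redirect fails
     */
    public void authorize(HttpServletRequest request, HttpServletResponse response) throws IOException {
        ProtectedRequest target = ProtectedRequest.create(request);
        HttpSession session = request.getSession(true);
        session.setAttribute(AuthSessions.REQUEST_ATTRIBUTE, target);

        Properties settings = GlobalSettings.getNode(SETTINGS_NODE);
        String clientId = settings.getProperty("client");
        String scope = settings.getProperty("scope");

        AuthorizationRequest authorization = AuthorizationRequest.newAuthorization(clientId);
        if (scope != null) {
            authorization.scope(scope);
        }
        // The state generated by the request is what token() will compare the callback against.
        session.setAttribute(OAUTH_STATE, authorization.state());
        response.sendRedirect(authorization.toURLString());
    }

    static {
        // WARNING(review): presumably relaxes TLS certificate/hostname verification for the
        // token exchange when a system property is set. That exposes the client secret and
        // authorization code to an active network attacker; ensure the property is never set
        // outside local development.
        UnsafeSSL.enableIfSystemProperty();
    }
}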
