package org.fenixedu.bennu.oauth.servlets;

import com.google.common.base.Joiner;
import com.google.common.base.Strings;
import com.google.gson.JsonObject;
import com.mitchellbosecke.pebble.PebbleEngine;
import com.mitchellbosecke.pebble.error.LoaderException;
import com.mitchellbosecke.pebble.error.PebbleException;
import com.mitchellbosecke.pebble.extension.AbstractExtension;
import com.mitchellbosecke.pebble.extension.Extension;
import com.mitchellbosecke.pebble.extension.Function;
import com.mitchellbosecke.pebble.loader.ClasspathLoader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.io.Reader;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.Callable;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import org.fenixedu.bennu.core.domain.User;
import org.fenixedu.bennu.core.i18n.BundleUtil;
import org.fenixedu.bennu.core.security.Authenticate;
import org.fenixedu.bennu.core.util.CoreConfiguration;
import org.fenixedu.bennu.oauth.OAuthProperties;
import org.fenixedu.bennu.oauth.domain.ApplicationUserAuthorization;
import org.fenixedu.bennu.oauth.domain.ApplicationUserSession;
import org.fenixedu.bennu.oauth.domain.ExternalApplication;
import org.fenixedu.bennu.oauth.domain.ServiceApplication;
import org.fenixedu.bennu.oauth.util.OAuthUtils;
import org.fenixedu.bennu.portal.BennuPortalConfiguration;
import org.fenixedu.bennu.portal.domain.PortalConfiguration;
import org.fenixedu.commons.i18n.I18N;
import pt.ist.esw.advice.Advice;
import pt.ist.esw.advice.pt.ist.fenixframework.AtomicInstance;
import pt.ist.fenixframework.Atomic;
import pt.ist.fenixframework.FenixFramework;
import pt.ist.fenixframework.atomic.AtomicContextFactory;

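@WebServlet({"/oauth/*"})
/**
 * OAuth 2.0 authorization endpoints of Bennu, mounted under {@code /oauth/*}.
 *
 * <p>The trailing path segment selects the operation:
 * <ul>
 *   <li>{@link OAuthUtils#USER_DIALOG} / {@link OAuthUtils#STANDARD_USER_DIALOG} — shows the
 *       consent page (or redirects straight back with a code when the user already authorized
 *       the application); unauthenticated users are bounced through the portal login first, with
 *       the pending request parked in the {@value #OAUTH_SESSION_KEY} cookie;</li>
 *   <li>{@link OAuthUtils#USER_CONFIRMATION} (POST only) — the consent form submission;</li>
 *   <li>{@value #ACCESS_TOKEN} / {@link OAuthUtils#STANDARD_ACCESS_TOKEN} (POST only) — exchanges an
 *       authorization code, or client credentials for a {@link ServiceApplication}, for tokens;</li>
 *   <li>{@value #REFRESH_TOKEN} (POST only) — issues a fresh access token for a refresh token.</li>
 * </ul>
 * Client credentials are read from an HTTP Basic {@code Authorization} header when present and
 * from the {@value #CLIENT_ID}/{@value #CLIENT_SECRET} form parameters otherwise.
 *
 * <p>Error responses are JSON objects with {@code error} and {@code errorDescription} properties
 * (note: the property name differs from the {@code error_description} of RFC 6749; clients rely
 * on the current spelling, so it is kept).
 */
public class OAuthAuthorizationServlet extends HttpServlet {
    private static final String GRANT_TYPE_CLIENT_CREDENTIALS = "client_credentials";
    private static final String GRANT_TYPE_AUTHORIZATION_CODE = "authorization_code";
    private static final String CODE_EXPIRED = "code expired";
    private static final String CODE_INVALID = "code invalid";
    private static final long serialVersionUID = 1;
    /** Cookie that carries a pending authorization request across the portal login round trip. */
    private static final String OAUTH_SESSION_KEY = "OAUTH_CLIENT_ID";
    private static final String CLIENT_ID = "client_id";
    private static final String CLIENT_SECRET = "client_secret";
    private static final String REDIRECT_URI = "redirect_uri";
    private static final String CODE = "code";
    private static final String CSRF_HEADER = "X-CSRF-Token";
    private static final String ACCESS_TOKEN = "access_token";
    private static final String REFRESH_TOKEN = "refresh_token";
    private static final String GRANT_TYPE = "grant_type";
    private static final String DEVICE_ID = "device_id";
    private static final String STATE = "state";
    private static final String EXPIRES_IN = "expires_in";
    private static final String TOKEN_TYPE = "token_type";
    private static final String TOKEN_TYPE_VALUE = "Bearer";
    private static final String INVALID_GRANT = "invalid_grant";
    private static final String REFRESH_TOKEN_DOESN_T_MATCH = "refresh token doesn't match";
    private static final String CREDENTIALS_OR_REDIRECT_URI_DON_T_MATCH = "credentials or redirect_uri don't match";
    private static final String REFRESH_TOKEN_NOT_RECOGNIZED = "refresh token not recognized.";
    private static final String REFRESH_TOKEN_INVALID = "refreshTokenInvalid";
    private static final String REFRESH_TOKEN_INVALID_FORMAT = "refreshTokenInvalidFormat";
    private static final String CLIENT_ID_NOT_FOUND = "client_id not found";
    private static final String APPLICATION_BANNED = "the application has been banned.";
    private static final String APPLICATION_DELETED = "the application has been deleted.";
    private static final String NO_CSRF_HEADER = "The request don't has a CSRF header.";
    private static final String NO_CSRF_HEADER_DESCRIPTION = "To make this request the browser need to send a CSRF header.";
    private static final String BASIC_PREFIX = "Basic";
    private static final String HTML_CONTENT_TYPE = "text/html;charset=UTF-8";

    /** Template engine for the consent and error pages; built once in {@link #init(ServletConfig)}. */
    private PebbleEngine engine;

    /**
     * Pebble template function {@code i18n(bundle, key, arg0 .. arg5)} that resolves a message
     * through {@link BundleUtil#getString(String, String, String...)}.
     *
     * <p>Only the {@code argN} entries that are present and are strings are forwarded as message
     * arguments; anything else is silently skipped.
     */
    private static class I18NFunction implements Function {
        private static final List<String> VARIABLE_ARGS =
                Stream.of("arg0", "arg1", "arg2", "arg3", "arg4", "arg5").collect(Collectors.toList());

        @Override
        public List<String> getArgumentNames() {
            List<String> names = new ArrayList<>();
            names.add("bundle");
            names.add("key");
            names.addAll(VARIABLE_ARGS);
            return names;
        }

        /**
         * @param args the named template arguments
         * @return the resolved message
         * @throws NullPointerException when the template omits {@code key}
         */
        @Override
        public Object execute(Map<String, Object> args) {
            return BundleUtil.getString((String) args.get("bundle"), args.get("key").toString(), arguments(args));
        }

        /** Collects the string-valued {@code argN} entries, in argument order, as message arguments. */
        String[] arguments(Map<String, Object> args) {
            List<String> values = new ArrayList<>();
            for (String name : VARIABLE_ARGS) {
                Object value = args.get(name);
                if (value instanceof String) {
                    values.add((String) value);
                }
            }
            return values.toArray(new String[0]);
        }
    }

    /**
     * Builds the Pebble engine. Templates are looked up under the active portal theme first
     * ({@code /themes/<theme>/oauth/<name>.html}) and fall back to the bundled
     * {@code /bennu-oauth/<name>.html}. Template caching is disabled in theme development mode.
     */
    @Override
    public void init(final ServletConfig config) throws ServletException {
        super.init(config);
        ClasspathLoader themeAwareLoader = new ClasspathLoader() {
            @Override
            public Reader getReader(String templateName) throws LoaderException {
                InputStream themed = config.getServletContext().getResourceAsStream(
                        "/themes/" + PortalConfiguration.getInstance().getTheme() + "/oauth/" + templateName + ".html");
                InputStream source = themed != null ? themed
                        : config.getServletContext().getResourceAsStream("/bennu-oauth/" + templateName + ".html");
                // NOTE(review): a template missing from both locations leaves source == null and the
                // reader constructor throws NullPointerException rather than LoaderException — confirm
                // whether a LoaderException is preferred here.
                return new InputStreamReader(source, StandardCharsets.UTF_8);
            }
        };
        Extension i18nExtension = new AbstractExtension() {
            @Override
            public Map<String, Function> getFunctions() {
                Map<String, Function> functions = new HashMap<>();
                functions.put("i18n", new I18NFunction());
                return functions;
            }
        };
        boolean developmentMode = BennuPortalConfiguration.getConfiguration().themeDevelopmentMode();
        this.engine = new PebbleEngine.Builder()
                .loader(themeAwareLoader)
                .cacheActive(!developmentMode)
                .extension(i18nExtension)
                .build();
    }

    /**
     * Dispatches on the trailing path segment (leading/trailing slashes ignored). The token and
     * confirmation endpoints accept POST only and answer 405 otherwise; unknown paths get 404.
     */
    @Override
    protected void service(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        String pathInfo = request.getPathInfo();
        if (Strings.isNullOrEmpty(pathInfo)) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        String endpoint = trim(pathInfo);
        if (OAuthUtils.USER_DIALOG.equals(endpoint) || OAuthUtils.STANDARD_USER_DIALOG.equals(endpoint)) {
            handleUserDialog(request, response, endpoint);
        } else if (OAuthUtils.USER_CONFIRMATION.equals(endpoint)) {
            if (requirePost(request, response)) {
                userConfirmation(request, response);
            }
        } else if (ACCESS_TOKEN.equals(endpoint) || OAuthUtils.STANDARD_ACCESS_TOKEN.equals(endpoint)) {
            if (requirePost(request, response)) {
                handleAccessToken(request, response);
            }
        } else if (REFRESH_TOKEN.equals(endpoint)) {
            if (requirePost(request, response)) {
                handleRefreshToken(request, response);
            }
        } else {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
        }
    }

    /**
     * Rejects non-POST requests with 405.
     *
     * @return {@code true} when the request is a POST and handling may continue
     */
    private static boolean requirePost(HttpServletRequest request, HttpServletResponse response) throws IOException {
        if ("POST".equals(request.getMethod())) {
            return true;
        }
        response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
        return false;
    }

    /**
     * Client credentials of the request: the HTTP Basic pair when an {@code Authorization} header
     * is present and well formed, otherwise the {@value #CLIENT_ID}/{@value #CLIENT_SECRET}
     * parameters (either may be {@code null}).
     *
     * @return a two-element array {@code {clientId, clientSecret}}
     */
    private static String[] clientCredentials(HttpServletRequest request) {
        String[] basic = getAuthorizationHeader(request);
        if (basic != null) {
            return basic;
        }
        return new String[] {request.getParameter(CLIENT_ID), request.getParameter(CLIENT_SECRET)};
    }

    /**
     * Parses an HTTP Basic {@code Authorization} header.
     *
     * @return {@code {user, password}} or {@code null} when the header is absent, not Basic,
     *         not valid Base64, or has no {@code ':'} separator
     */
    private static String[] getAuthorizationHeader(HttpServletRequest request) {
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith(BASIC_PREFIX)) {
            return null;
        }
        try {
            byte[] decoded = Base64.getDecoder().decode(header.substring(BASIC_PREFIX.length()).trim());
            // Limit 2: the secret itself may legitimately contain ':'.
            String[] pair = new String(decoded, StandardCharsets.UTF_8).split(":", 2);
            return pair.length == 2 ? pair : null;
        } catch (IllegalArgumentException malformedBase64) {
            return null;
        }
    }

    /** Looks up the application registered for {@code clientId}; {@code null} when unknown. */
    private static ExternalApplication lookupApplication(String clientId) {
        return (ExternalApplication) OAuthUtils.getDomainObject(clientId, ExternalApplication.class).orElse(null);
    }

    /** Builds the standard token response body (bearer token with refresh token and lifetime). */
    private static JsonObject tokenResponse(String accessToken, String refreshToken) {
        JsonObject body = new JsonObject();
        body.addProperty(ACCESS_TOKEN, accessToken);
        body.addProperty(REFRESH_TOKEN, refreshToken);
        body.addProperty(TOKEN_TYPE, TOKEN_TYPE_VALUE);
        body.addProperty(EXPIRES_IN, OAuthProperties.getConfiguration().getAccessTokenExpirationSeconds());
        return body;
    }

    /**
     * Refresh-token grant: authenticates the client, validates the refresh token against the
     * {@link ApplicationUserSession} it names, and issues a new access token (the refresh token is
     * returned unchanged).
     *
     * <p>The refresh token is the Base64 encoding of {@code <session id>:<secret>}; the secret half
     * is verified by {@link ApplicationUserSession#matchesRefreshToken(String)}.
     */
    private void handleRefreshToken(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String[] credentials = clientCredentials(request);
        String clientId = credentials[0];
        String clientSecret = credentials[1];
        String refreshToken = request.getParameter(REFRESH_TOKEN);

        ExternalApplication application = Strings.isNullOrEmpty(clientId) ? null : lookupApplication(clientId);
        if (application == null) {
            sendOAuthErrorResponse(response, Response.Status.BAD_REQUEST, INVALID_GRANT, CLIENT_ID_NOT_FOUND);
            return;
        }
        if (!isValidApplication(response, application)) {
            return;
        }
        if (Strings.isNullOrEmpty(refreshToken)) {
            sendOAuthErrorResponse(response, Response.Status.UNAUTHORIZED, REFRESH_TOKEN_INVALID_FORMAT, REFRESH_TOKEN_NOT_RECOGNIZED);
            return;
        }
        // Authenticate the client before touching the token: an unauthenticated caller learns
        // nothing about which session ids or tokens exist.
        if (!application.matchesSecret(clientSecret)) {
            sendOAuthErrorResponse(response, Response.Status.UNAUTHORIZED, INVALID_GRANT, CREDENTIALS_OR_REDIRECT_URI_DON_T_MATCH);
            return;
        }

        ApplicationUserSession session;
        try {
            String[] parts = new String(Base64.getDecoder().decode(refreshToken), StandardCharsets.UTF_8).split(":");
            if (parts.length != 2) {
                sendOAuthErrorResponse(response, Response.Status.UNAUTHORIZED, REFRESH_TOKEN_INVALID_FORMAT, REFRESH_TOKEN_NOT_RECOGNIZED);
                return;
            }
            // presumably a malformed object id also surfaces as IllegalArgumentException — kept inside the try
            session = FenixFramework.getDomainObject(parts[0]);
        } catch (IllegalArgumentException malformedToken) {
            sendOAuthErrorResponse(response, Response.Status.UNAUTHORIZED, REFRESH_TOKEN_INVALID_FORMAT, REFRESH_TOKEN_NOT_RECOGNIZED);
            return;
        }

        if (!FenixFramework.isDomainObjectValid(session) || !session.matchesRefreshToken(refreshToken)) {
            sendOAuthErrorResponse(response, Response.Status.UNAUTHORIZED, REFRESH_TOKEN_INVALID, REFRESH_TOKEN_DOESN_T_MATCH);
            return;
        }
        if (session.getApplicationUserAuthorization().getUser().isLoginExpired()) {
            sendOAuthErrorResponse(response, Response.Status.BAD_REQUEST, REFRESH_TOKEN_INVALID_FORMAT, REFRESH_TOKEN_NOT_RECOGNIZED);
            return;
        }
        String accessToken = OAuthUtils.generateToken(session);
        session.setNewAccessToken(accessToken);
        sendOAuthResponse(response, Response.Status.OK, tokenResponse(accessToken, refreshToken));
    }

    /**
     * Token endpoint for the {@code authorization_code} and {@code client_credentials} grants.
     *
     * <p>{@link ServiceApplication}s are only served the client-credentials grant and receive an
     * access token alone; every other application exchanges an authorization code (bound to the
     * {@code redirect_uri} it was issued for) for an access/refresh token pair.
     */
    private void handleAccessToken(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String[] credentials = clientCredentials(request);
        String clientId = credentials[0];
        String clientSecret = credentials[1];
        String redirectUri = request.getParameter(REDIRECT_URI);
        String code = request.getParameter(CODE);
        String grantType = request.getParameter(GRANT_TYPE);

        if (Strings.isNullOrEmpty(clientId) || Strings.isNullOrEmpty(clientSecret) || Strings.isNullOrEmpty(grantType)) {
            sendOAuthErrorResponse(response, Response.Status.BAD_REQUEST, INVALID_GRANT,
                    String.join(",", CLIENT_ID, CLIENT_SECRET, GRANT_TYPE) + " are mandatory");
            return;
        }
        boolean authorizationCodeGrant = GRANT_TYPE_AUTHORIZATION_CODE.equals(grantType);
        boolean clientCredentialsGrant = GRANT_TYPE_CLIENT_CREDENTIALS.equals(grantType);
        if (!authorizationCodeGrant && !clientCredentialsGrant) {
            sendOAuthErrorResponse(response, Response.Status.BAD_REQUEST, INVALID_GRANT,
                    "grant_type must be one of the following values: "
                            + String.join(",", GRANT_TYPE_CLIENT_CREDENTIALS, GRANT_TYPE_AUTHORIZATION_CODE));
            return;
        }
        if (authorizationCodeGrant && (Strings.isNullOrEmpty(redirectUri) || Strings.isNullOrEmpty(code))) {
            sendOAuthErrorResponse(response, Response.Status.BAD_REQUEST, INVALID_GRANT,
                    String.join(",", REDIRECT_URI, CODE) + " are mandatory");
            return;
        }

        ExternalApplication application = lookupApplication(clientId);
        if (application == null) {
            sendOAuthErrorResponse(response, Response.Status.BAD_REQUEST, INVALID_GRANT, CLIENT_ID_NOT_FOUND);
            return;
        }
        boolean serviceApplication = application instanceof ServiceApplication;
        // A service application asked for any other grant is reported as unknown (not merely as a
        // wrong grant type), which keeps the existence of service clients undisclosed.
        if (serviceApplication && !clientCredentialsGrant) {
            sendOAuthErrorResponse(response, Response.Status.BAD_REQUEST, INVALID_GRANT, CLIENT_ID_NOT_FOUND);
            return;
        }
        if (!isValidApplication(response, application)) {
            return;
        }
        // NOTE(review): for client_credentials on a non-service application redirectUri (and code)
        // may be null here; whether matches()/getApplicationUserSession() accept that is decided
        // by the domain classes.
        if (!application.matches(redirectUri, clientSecret)) {
            sendOAuthErrorResponse(response, Response.Status.BAD_REQUEST, INVALID_GRANT, CREDENTIALS_OR_REDIRECT_URI_DON_T_MATCH);
            return;
        }

        if (serviceApplication) {
            String serviceToken = OAuthUtils.generateToken(application);
            ((ServiceApplication) application).createServiceAuthorization(serviceToken);
            JsonObject body = new JsonObject();
            body.addProperty(ACCESS_TOKEN, serviceToken);
            sendOAuthResponse(response, Response.Status.OK, body);
            return;
        }

        ApplicationUserSession session = application.getApplicationUserSession(code);
        if (session == null) {
            sendOAuthErrorResponse(response, Response.Status.BAD_REQUEST, INVALID_GRANT, CODE_INVALID);
            return;
        }
        if (session.getApplicationUserAuthorization().getUser().isLoginExpired()) {
            sendOAuthErrorResponse(response, Response.Status.BAD_REQUEST, INVALID_GRANT, CODE_EXPIRED);
            return;
        }
        if (!session.isCodeValid()) {
            sendOAuthErrorResponse(response, Response.Status.BAD_REQUEST, INVALID_GRANT, CODE_EXPIRED);
            return;
        }
        String accessToken = OAuthUtils.generateToken(session);
        String refreshToken = OAuthUtils.generateToken(session);
        session.setTokens(accessToken, refreshToken);
        sendOAuthResponse(response, Response.Status.OK, tokenResponse(accessToken, refreshToken));
    }

    /**
     * Authorization endpoint (the user-facing dialog).
     *
     * <p>With {@code client_id} and {@code redirect_uri} present: an authenticated user proceeds
     * to consent/redirect; an anonymous one has the request parked in the
     * {@value #OAUTH_SESSION_KEY} cookie and is sent to the portal login with a callback to this
     * same endpoint. Without parameters the request is treated as the return from login and the
     * parked request is resumed from the cookie; anything else renders the error page.
     *
     * @param endpoint the path segment this request arrived on, echoed in the login callback
     */
    private void handleUserDialog(HttpServletRequest request, HttpServletResponse response, String endpoint) throws IOException {
        String clientId = request.getParameter(CLIENT_ID);
        String redirectUri = request.getParameter(REDIRECT_URI);
        String state = request.getParameter(STATE);
        User user = Authenticate.getUser();

        if (!Strings.isNullOrEmpty(clientId) && !Strings.isNullOrEmpty(redirectUri)) {
            if (user != null) {
                redirectToRedirectUrl(request, response, user, clientId, redirectUri, state);
                return;
            }
            // Cookie payload: base64("client_id|redirect_uri[|base64(state)]"). state is encoded so
            // it cannot contain the separator; NOTE(review): a redirect_uri containing '|' would
            // still break the split on the way back.
            String pending = clientId + "|" + redirectUri;
            if (state != null) {
                pending += "|" + Base64.getEncoder().encodeToString(state.getBytes(StandardCharsets.UTF_8));
            }
            Cookie pendingRequest = new Cookie(OAUTH_SESSION_KEY,
                    Base64.getEncoder().encodeToString(pending.getBytes(StandardCharsets.UTF_8)));
            // Only this servlet reads the cookie back; HttpOnly keeps it away from page scripts
            // (NOTE(review): confirm no client-side code depends on reading it).
            pendingRequest.setHttpOnly(true);
            response.addCookie(pendingRequest);
            response.sendRedirect(request.getContextPath() + "/login?callback="
                    + CoreConfiguration.getConfiguration().applicationUrl() + "/oauth/" + endpoint);
            return;
        }

        if (user != null) {
            Cookie pendingRequest = getOAuthSessionCookie(request);
            if (pendingRequest != null && !Strings.isNullOrEmpty(pendingRequest.getValue())) {
                redirectToRedirectUrl(request, response, user, pendingRequest);
                return;
            }
        }
        errorPage(request, response);
    }

    /** The {@value #OAUTH_SESSION_KEY} cookie of the request (name compared case-insensitively), or {@code null}. */
    private static Cookie getOAuthSessionCookie(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie cookie : cookies) {
            if (OAUTH_SESSION_KEY.equalsIgnoreCase(cookie.getName())) {
                return cookie;
            }
        }
        return null;
    }

    /** Model entries shared by every rendered page. */
    private static Map<String, Object> baseModel(HttpServletRequest request) {
        Map<String, Object> model = new HashMap<>();
        model.put("config", PortalConfiguration.getInstance());
        model.put("currentLocale", I18N.getLocale());
        model.put("contextPath", request.getContextPath());
        model.put("locales", CoreConfiguration.supportedLocales());
        return model;
    }

    /**
     * Renders {@code template} as HTML into the response.
     *
     * @throws IOException on writer failure, or wrapping any {@link PebbleException}
     */
    private void render(HttpServletResponse response, String template, Map<String, Object> model) throws IOException {
        try {
            response.setContentType(HTML_CONTENT_TYPE);
            this.engine.getTemplate(template).evaluate(response.getWriter(), model, I18N.getLocale());
        } catch (PebbleException e) {
            throw new IOException(e);
        }
    }

    /** Renders the generic OAuth error page. */
    private void errorPage(HttpServletRequest request, HttpServletResponse response) throws IOException {
        render(response, "error-page", baseModel(request));
    }

    /**
     * Renders the consent page for {@code application}.
     *
     * @param redirectUrl the already-validated redirect URI, echoed back so the confirmation form can resubmit it
     * @param state       the client's opaque state (may be {@code null})
     */
    private void authorizationPage(HttpServletRequest request, HttpServletResponse response,
            ExternalApplication application, String redirectUrl, String state) throws IOException {
        Map<String, Object> model = baseModel(request);
        model.put("app", application);
        model.put("loggedUser", Authenticate.getUser());
        model.put(STATE, state);
        model.put("redirectUrl", redirectUrl);
        render(response, "auth-page", model);
    }

    /**
     * Resumes a request parked in the {@value #OAUTH_SESSION_KEY} cookie by
     * {@link #handleUserDialog}. The cookie is client-controlled, so a value that is not valid
     * Base64 or lacks the {@code client_id|redirect_uri} fields renders the error page instead of
     * failing with an exception.
     */
    private void redirectToRedirectUrl(HttpServletRequest request, HttpServletResponse response, User user, Cookie cookie) throws IOException {
        String clientId;
        String redirectUri;
        String state = null;
        try {
            String[] fields = new String(Base64.getDecoder().decode(cookie.getValue()), StandardCharsets.UTF_8).split("\\|");
            if (fields.length < 2) {
                errorPage(request, response);
                return;
            }
            clientId = fields[0];
            redirectUri = fields[1];
            if (fields.length > 2 && !Strings.isNullOrEmpty(fields[2])) {
                state = new String(Base64.getDecoder().decode(fields[2]), StandardCharsets.UTF_8);
            }
        } catch (IllegalArgumentException malformedCookie) {
            errorPage(request, response);
            return;
        }
        redirectToRedirectUrl(request, response, user, clientId, redirectUri, state);
    }

    /**
     * Completes an authorization request for an authenticated user: validates the client and its
     * redirect URI, then either redirects with a fresh code (user already authorized the
     * application) or shows the consent page.
     */
    private void redirectToRedirectUrl(HttpServletRequest request, HttpServletResponse response, User user,
            String clientId, String redirectUri, String state) throws IOException {
        ExternalApplication application = lookupApplication(clientId);
        // Service applications have no user-facing flow; they are reported as unknown.
        if (application == null || application instanceof ServiceApplication) {
            sendOAuthErrorResponse(response, Response.Status.BAD_REQUEST, INVALID_GRANT, CLIENT_ID_NOT_FOUND);
            return;
        }
        if (!isValidApplication(response, application)) {
            return;
        }
        // The redirect target must be one registered for the client — this is what stops the
        // code from being sent to an attacker-chosen URL.
        if (!application.matchesUrl(redirectUri)) {
            sendOAuthErrorResponse(response, Response.Status.BAD_REQUEST, INVALID_GRANT, CREDENTIALS_OR_REDIRECT_URI_DON_T_MATCH);
        } else if (application.hasApplicationUserAuthorization(user)) {
            redirectWithCode(request, response, user, application, redirectUri, state);
        } else {
            request.setAttribute("application", application);
            authorizationPage(request, response, application, redirectUri, state);
        }
    }

    /**
     * Creates an authorization code for {@code user}/{@code application} and redirects to
     * {@code redirectUri} with {@code code} (and {@code state}, when given) as query parameters.
     */
    private void redirectWithCode(HttpServletRequest request, HttpServletResponse response, User user,
            ExternalApplication application, String redirectUri, String state) throws IOException {
        String code = createAppUserSession(application, user, request);
        UriBuilder target = UriBuilder.fromUri(redirectUri).queryParam(CODE, code);
        if (!Strings.isNullOrEmpty(state)) {
            target.queryParam(STATE, state);
        }
        response.sendRedirect(target.toString());
    }

    /**
     * Consent form submission. Requires an authenticated user and the {@value #CSRF_HEADER}
     * header: a cross-site form post cannot attach a custom header, so its mere presence is the
     * CSRF check (presumably relying on CORS not allowing that header from other origins). Only
     * the header's presence is tested; its value is not compared to anything.
     */
    public void userConfirmation(HttpServletRequest request, HttpServletResponse response) throws IOException {
        User user = Authenticate.getUser();
        if (user == null) {
            errorPage(request, response);
            return;
        }
        String clientId = request.getParameter(CLIENT_ID);
        String redirectUri = request.getParameter(REDIRECT_URI);
        String state = request.getParameter(STATE);
        if (request.getHeader(CSRF_HEADER) == null) {
            sendOAuthErrorResponse(response, Response.Status.BAD_REQUEST, NO_CSRF_HEADER, NO_CSRF_HEADER_DESCRIPTION);
            return;
        }
        ExternalApplication application = lookupApplication(clientId);
        if (application == null || application instanceof ServiceApplication) {
            sendOAuthErrorResponse(response, Response.Status.BAD_REQUEST, INVALID_GRANT, CLIENT_ID_NOT_FOUND);
            return;
        }
        if (!isValidApplication(response, application)) {
            return;
        }
        if (application.matchesUrl(redirectUri)) {
            redirectWithCode(request, response, user, application, redirectUri, state);
        } else {
            errorPage(request, response);
        }
    }

    /**
     * Rejects deleted or banned applications with a 401 error response.
     *
     * @return {@code true} when the application may be served (no response has been written)
     */
    private boolean isValidApplication(HttpServletResponse response, ExternalApplication application) {
        if (application.isDeleted()) {
            sendOAuthErrorResponse(response, Response.Status.UNAUTHORIZED, INVALID_GRANT, APPLICATION_DELETED);
            return false;
        }
        if (application.isBanned()) {
            sendOAuthErrorResponse(response, Response.Status.UNAUTHORIZED, INVALID_GRANT, APPLICATION_BANNED);
            return false;
        }
        return true;
    }

    /**
     * Creates a new {@link ApplicationUserSession} holding a fresh authorization code, reusing the
     * user's existing {@link ApplicationUserAuthorization} for the application or creating one.
     * Runs as an atomic (speculative-read) transaction.
     *
     * @return the generated authorization code
     */
    @Atomic(mode = Atomic.TxMode.SPECULATIVE_READ, flattenNested = true)
    private static String createAppUserSession(ExternalApplication application, User user, HttpServletRequest request) {
        String code = OAuthUtils.generateCode();
        ApplicationUserAuthorization authorization = application.getApplicationUserAuthorization(user)
                .orElseGet(() -> new ApplicationUserAuthorization(user, application));
        ApplicationUserSession session = new ApplicationUserSession();
        session.setCode(code);
        session.setDeviceId(getDeviceId(request));
        session.setApplicationUserAuthorization(authorization);
        return code;
    }

    /** Writes a JSON error body {@code {"error": error, "errorDescription": description}} with the given status. */
    private void sendOAuthErrorResponse(HttpServletResponse response, Response.Status status, String error, String description) {
        JsonObject body = new JsonObject();
        body.addProperty("error", error);
        body.addProperty("errorDescription", description);
        sendOAuthResponse(response, status, body);
    }

    /**
     * Writes {@code body} as {@code application/json} with the given status and closes the writer.
     *
     * @throws WebApplicationException wrapping any {@link IOException} from the response writer
     */
    private void sendOAuthResponse(HttpServletResponse response, Response.Status status, JsonObject body) {
        response.setContentType("application/json; charset=UTF-8");
        response.setStatus(status.getStatusCode());
        try (PrintWriter writer = response.getWriter()) {
            writer.print(body.toString());
            writer.flush();
        } catch (IOException e) {
            throw new WebApplicationException(e);
        }
    }

    /** The {@value #DEVICE_ID} parameter, falling back to the {@code User-Agent} header when absent or empty. */
    private static String getDeviceId(HttpServletRequest request) {
        String deviceId = request.getParameter(DEVICE_ID);
        return Strings.isNullOrEmpty(deviceId) ? request.getHeader("User-Agent") : deviceId;
    }

    /** Strips leading and trailing {@code '/'} characters; a string of only slashes becomes empty. */
    private static String trim(String path) {
        int start = 0;
        int end = path.length();
        while (start < end && path.charAt(start) == '/') {
            start++;
        }
        while (start < end && path.charAt(end - 1) == '/') {
            end--;
        }
        return path.substring(start, end);
    }
}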
