package pl.edu.icm.unity.oauth.as.webauthz;

import com.nimbusds.oauth2.sdk.AuthorizationErrorResponse;
import com.nimbusds.oauth2.sdk.ErrorObject;
import com.nimbusds.oauth2.sdk.OAuth2Error;
import java.util.Optional;
import org.apache.logging.log4j.Logger;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.authn.InvocationContext;
import pl.edu.icm.unity.engine.api.idp.EntityInGroup;
import pl.edu.icm.unity.engine.api.idp.IdPEngine;
import pl.edu.icm.unity.engine.api.translation.ExecutionFailException;
import pl.edu.icm.unity.engine.api.translation.out.TranslationResult;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.exceptions.IllegalGroupValueException;
import pl.edu.icm.unity.oauth.as.OAuthASProperties;
import pl.edu.icm.unity.oauth.as.OAuthAuthzContext;
import pl.edu.icm.unity.oauth.as.OAuthErrorResponseException;
import pl.edu.icm.unity.oauth.as.OAuthSystemAttributesProvider;
import pl.edu.icm.unity.types.basic.EntityParam;
import pl.edu.icm.unity.types.basic.IdentityParam;

/* loaded from: input_file:pl/edu/icm/unity/oauth/as/webauthz/OAuthIdPEngine.class */
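/**
 * Bridges the OAuth authorization endpoint to the {@link IdPEngine}: resolves the authenticated
 * user's information for a client request and converts engine failures into OAuth error
 * responses that are redirected back to the client.
 */
public class OAuthIdPEngine {
    private static final Logger log = Log.getLogger("unity.server.oauth", OAuthIdPEngine.class);
    /** Engine performing the actual user information lookup and translation. */
    private final IdPEngine idpEngine;

    /**
     * Creates the wrapper around the given engine.
     *
     * @param idPEngine engine used to obtain user information
     */
    public OAuthIdPEngine(IdPEngine idPEngine) {
        this.idpEngine = idPEngine;
    }

    /**
     * Resolves the authenticated user's information for the given authorization request.
     *
     * @param oAuthAuthzContext context of the current authorization request
     * @return the translated user information
     * @throws OAuthErrorResponseException carrying an {@code access_denied} response when the
     *         translation profile rejects the user or the user is not in the required group, and a
     *         {@code server_error} response for any other failure
     */
    public TranslationResult getUserInfo(OAuthAuthzContext oAuthAuthzContext) throws OAuthErrorResponseException {
        try {
            return getUserInfoUnsafe(oAuthAuthzContext);
        } catch (ExecutionFailException e) {
            // Deliberate rejection by the translation profile. Its message is forwarded to the
            // client as error_description, so profiles should keep it free of internal detail.
            log.debug("Authentication failed due to profile's decision, returning error");
            throw accessDenied(oAuthAuthzContext, e.getMessage());
        } catch (IllegalGroupValueException e) {
            // Must precede the generic Exception handler, otherwise this clause is unreachable
            // (javac rejects a subclass catch after its superclass has been caught).
            log.debug("Entity trying to access OAuth resource is not a member of required group");
            throw accessDenied(oAuthAuthzContext,
                    "Not a member of required group " + oAuthAuthzContext.getUsersGroup());
        } catch (Exception e) {
            // Unexpected failure: full details go to the server log only, the client gets a
            // generic server_error that reveals nothing about the cause.
            log.error("Engine problem when handling client request", e);
            throw errorResponse(oAuthAuthzContext, OAuth2Error.SERVER_ERROR);
        }
    }

    /**
     * Finds the identity of the requested type among the translated identities.
     *
     * @param translationResult translated user information
     * @param identityTypeId identity type whose value should be used as the subject
     * @return the first identity of the given type
     * @throws IllegalStateException when the user has no identity of that type
     */
    public IdentityParam getIdentity(TranslationResult translationResult, String identityTypeId) {
        for (IdentityParam identity : translationResult.getIdentities()) {
            if (identityTypeId.equals(identity.getTypeId())) {
                return identity;
            }
        }
        throw new IllegalStateException("There is no " + identityTypeId
                + " identity for the authenticated user, sub claim can not be created. Probably the endpoint is misconfigured.");
    }

    /** Builds an {@code access_denied} (HTTP 403) error response for the request. */
    private static OAuthErrorResponseException accessDenied(OAuthAuthzContext ctx, String description) {
        return errorResponse(ctx, new ErrorObject("access_denied", description, 403));
    }

    /**
     * Wraps the given error in a response to the client's return URI, preserving the request's
     * state and implied response mode.
     */
    private static OAuthErrorResponseException errorResponse(OAuthAuthzContext ctx, ErrorObject error) {
        AuthorizationErrorResponse response = new AuthorizationErrorResponse(ctx.getReturnURI(), error,
                ctx.getRequest().getState(), ctx.getRequest().impliedResponseMode());
        return new OAuthErrorResponseException(response, true);
    }

    /** Collects the lookup parameters from the authorization context and the current login session. */
    private TranslationResult getUserInfoUnsafe(OAuthAuthzContext ctx) throws EngineException {
        // The subject is the entity of the current login session, i.e. the already authenticated user.
        long entityId = InvocationContext.getCurrent().getLoginSession().getEntityId();
        String clientId = ctx.getRequest().getClientID().getValue();
        // The requesting client is represented as an entity within the configured clients group.
        EntityInGroup clientEntity = new EntityInGroup(
                ctx.getConfig().getValue(OAuthASProperties.CLIENTS_GROUP),
                new EntityParam(Long.valueOf(ctx.getClientEntityId())));
        String grantFlow = ctx.getRequest().getResponseType().impliesCodeFlow()
                ? OAuthSystemAttributesProvider.GrantFlow.authorizationCode.toString()
                : OAuthSystemAttributesProvider.GrantFlow.implicit.toString();
        return getUserInfoUnsafe(entityId, clientId, Optional.of(clientEntity), ctx.getUsersGroup(),
                ctx.getTranslationProfile(), grantFlow, ctx.getConfig());
    }

    /**
     * Obtains user information for the given entity on behalf of an OAuth client.
     *
     * @param entityId id of the entity whose information is requested
     * @param clientId identifier of the requesting OAuth client
     * @param clientEntity the client as an entity in the clients group, if available
     * @param usersGroup group in which the user is looked up
     * @param translationProfile name of the output translation profile to apply
     * @param grantFlow name of the grant flow in use
     * @param config authorization server configuration
     * @return the translated user information
     * @throws EngineException propagated from the engine
     */
    public TranslationResult getUserInfoUnsafe(long entityId, String clientId, Optional<EntityInGroup> clientEntity,
            String usersGroup, String translationProfile, String grantFlow, OAuthASProperties config)
            throws EngineException {
        // "OAuth2" and the trailing true are passed unchanged; their meaning is defined by IdPEngine.
        return this.idpEngine.obtainUserInformationWithEnrichingImport(new EntityParam(Long.valueOf(entityId)),
                usersGroup, translationProfile, clientId, clientEntity, "OAuth2", grantFlow, true, config);
    }
}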
