package net.krotscheck.kangaroo.authz.common.authenticator.oauth2;

import ch.qos.logback.core.joran.action.Action;
import com.google.common.base.Strings;
import java.net.URI;
import java.util.HashMap;
import java.util.Map;
import javax.inject.Inject;
import javax.ws.rs.ProcessingException;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.Entity;
import javax.ws.rs.core.Form;
import javax.ws.rs.core.GenericType;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import net.krotscheck.kangaroo.authz.common.authenticator.IAuthenticator;
import net.krotscheck.kangaroo.authz.common.authenticator.exception.MisconfiguredAuthenticatorException;
import net.krotscheck.kangaroo.authz.common.authenticator.exception.ThirdPartyErrorException;
import net.krotscheck.kangaroo.authz.common.database.entity.Application;
import net.krotscheck.kangaroo.authz.common.database.entity.Authenticator;
import net.krotscheck.kangaroo.authz.common.database.entity.User;
import net.krotscheck.kangaroo.authz.common.database.entity.UserIdentity;
import net.krotscheck.kangaroo.authz.oauth2.exception.RFC6749;
import net.krotscheck.kangaroo.common.exception.KangarooException;
import net.krotscheck.kangaroo.util.HttpUtil;
import org.hibernate.Session;
import org.hibernate.criterion.Restrictions;

/* loaded from: input_file:net/krotscheck/kangaroo/authz/common/authenticator/oauth2/AbstractOAuth2Authenticator.class */
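/**
 * Base class for OAuth2 "authorization code" authenticators.
 *
 * <p>{@link #delegate(Authenticator, URI)} redirects the browser to the IdP's authorization
 * endpoint with {@code response_type=code}; {@link #authenticate(Authenticator, MultivaluedMap, URI)}
 * handles the callback: it exchanges the code for a token at the IdP's token endpoint, asks the
 * subclass to resolve the remote user, and then looks up or creates the matching
 * {@link UserIdentity} scoped to the authenticator's application.
 *
 * <p>Subclasses supply the endpoints and scopes and implement
 * {@link #loadUserIdentity(OAuth2IdPToken)}. The {@code client_id} / {@code client_secret} pair is
 * read from the {@link Authenticator} configuration; the secret is only ever sent to the token
 * endpoint in the HTTP Basic {@code Authorization} header and must not be logged.
 */
public abstract class AbstractOAuth2Authenticator implements IAuthenticator {

    /** Type token used to read a flat JSON object (e.g. an IdP error body) as a string map. */
    public static final GenericType<HashMap<String, String>> MAP_TYPE =
            new GenericType<HashMap<String, String>>() {
            };

    /** Configuration key holding the OAuth2 client id registered with the IdP. */
    public static final String CLIENT_ID_KEY = "client_id";

    /** Configuration key holding the OAuth2 client secret. Sensitive: never log or echo it. */
    public static final String CLIENT_SECRET_KEY = "client_secret";

    /**
     * Query-parameter name for the requested scopes. Spelled out here instead of borrowing an
     * unrelated constant from the logging framework.
     */
    private static final String SCOPE_KEY = "scope";

    @Inject
    private Client client;

    @Inject
    private Session session;

    /** @return the JAX-RS client used to call the IdP's token endpoint. */
    public final Client getClient() {
        return this.client;
    }

    /** @param client the JAX-RS client used to call the IdP's token endpoint. */
    public final void setClient(Client client) {
        this.client = client;
    }

    /** @return the Hibernate session used to look up and persist user identities. */
    public final Session getSession() {
        return this.session;
    }

    /** @param session the Hibernate session used to look up and persist user identities. */
    public final void setSession(Session session) {
        this.session = session;
    }

    /** @return the IdP's authorization endpoint URL. */
    protected abstract String getAuthEndpoint();

    /** @return the IdP's token endpoint URL. */
    protected abstract String getTokenEndpoint();

    /** @return the space-separated scopes to request from the IdP. */
    protected abstract String getScopes();

    /**
     * Derives the {@code redirect_uri} from the incoming request URI by dropping its query string
     * and fragment. Both legs of the flow (authorization request and code exchange) use this same
     * derivation, so the value presented to the IdP is stable and caller-controlled query
     * parameters are not reflected into it.
     *
     * @param uri the request URI, must not be null.
     * @return the URI with query and fragment removed.
     */
    private URI buildRedirect(URI uri) {
        return UriBuilder.fromUri(uri)
                .fragment(null)
                .replaceQuery(null)
                .build();
    }

    /**
     * @param authenticator an authenticator that has passed {@link #validate(Authenticator)}.
     * @return the configured client secret. Do not log the returned value.
     */
    protected final String getClientSecret(Authenticator authenticator) {
        return authenticator.getConfiguration().get(CLIENT_SECRET_KEY);
    }

    /**
     * @param authenticator an authenticator that has passed {@link #validate(Authenticator)}.
     * @return the configured client id.
     */
    protected final String getClientId(Authenticator authenticator) {
        return authenticator.getConfiguration().get(CLIENT_ID_KEY);
    }

    /**
     * Builds the redirect to the IdP's authorization endpoint.
     *
     * @param authenticator the authenticator configuration to use.
     * @param uri           the current request URI; must carry a non-empty {@code state} query
     *                      parameter, which is forwarded verbatim to the IdP.
     * @return a 302 response whose Location is the IdP authorization request.
     * @throws MisconfiguredAuthenticatorException if the authenticator lacks client credentials.
     * @throws RFC6749.ServerErrorException        if {@code uri} is null or has no {@code state}.
     */
    @Override // net.krotscheck.kangaroo.authz.common.authenticator.IAuthenticator
    public final Response delegate(Authenticator authenticator, URI uri) {
        validate(authenticator);
        if (uri == null) {
            throw new RFC6749.ServerErrorException();
        }
        // state is required so the callback can be bound to the initiating request. It is only
        // forwarded here; NOTE(review): its verification on the return leg is not performed in this
        // class — confirm the caller checks it before invoking authenticate().
        String state = HttpUtil.parseQueryParams(uri).getFirst("state");
        if (Strings.isNullOrEmpty(state)) {
            throw new RFC6749.ServerErrorException();
        }
        URI redirectUri = buildRedirect(uri);
        URI location = UriBuilder.fromUri(getAuthEndpoint())
                .queryParam(CLIENT_ID_KEY, getClientId(authenticator))
                .queryParam("redirect_uri", redirectUri)
                .queryParam("response_type", "code")
                .queryParam("state", state)
                .queryParam(SCOPE_KEY, getScopes())
                .build();
        return Response.status(Response.Status.FOUND).location(location).build();
    }

    /**
     * Checks that the authenticator carries a non-empty client id and client secret.
     *
     * @param authenticator the authenticator to check.
     * @throws MisconfiguredAuthenticatorException if the authenticator, its configuration, or
     *                                             either credential is missing or empty.
     */
    @Override // net.krotscheck.kangaroo.authz.common.authenticator.IAuthenticator
    public final void validate(Authenticator authenticator) throws KangarooException {
        if (authenticator == null || authenticator.getConfiguration() == null) {
            throw new MisconfiguredAuthenticatorException();
        }
        Map<String, String> configuration = authenticator.getConfiguration();
        if (Strings.isNullOrEmpty(configuration.get(CLIENT_ID_KEY))
                || Strings.isNullOrEmpty(configuration.get(CLIENT_SECRET_KEY))) {
            throw new MisconfiguredAuthenticatorException();
        }
    }

    /**
     * Handles the IdP callback: exchanges the authorization code for a token, resolves the remote
     * user and returns the matching local identity, creating one if needed.
     *
     * @param authenticator  the authenticator configuration to use.
     * @param multivaluedMap the callback's query parameters ({@code code}, or {@code error}).
     * @param uri            the callback request URI, used to rebuild {@code redirect_uri}.
     * @return the persisted identity for the remote user within the authenticator's application.
     * @throws MisconfiguredAuthenticatorException if the authenticator lacks client credentials.
     * @throws RFC6749.ServerErrorException        if {@code uri} is null.
     * @throws RFC6749.InvalidRequestException     if the parameters are null or lack a code.
     * @throws ThirdPartyErrorException            if the IdP reported an error, the token exchange
     *                                             failed, or no usable access token / remote id
     *                                             was returned.
     */
    @Override // net.krotscheck.kangaroo.authz.common.authenticator.IAuthenticator
    public final UserIdentity authenticate(Authenticator authenticator,
                                           MultivaluedMap<String, String> multivaluedMap,
                                           URI uri) {
        // Same preconditions as delegate(): a misconfigured authenticator or a missing callback URI
        // must fail explicitly rather than with a NullPointerException further down.
        validate(authenticator);
        if (uri == null) {
            throw new RFC6749.ServerErrorException();
        }
        if (multivaluedMap == null) {
            throw new RFC6749.InvalidRequestException();
        }
        // The IdP signals a denied or failed authorization through an "error" parameter.
        if (multivaluedMap.containsKey("error")) {
            throw new ThirdPartyErrorException(multivaluedMap);
        }
        String code = multivaluedMap.getFirst("code");
        if (Strings.isNullOrEmpty(code)) {
            throw new RFC6749.InvalidRequestException();
        }
        // redirect_uri must match the one sent in delegate(); both derive it via buildRedirect().
        URI redirectUri = buildRedirect(uri);
        OAuth2IdPToken idpToken = resolveIdPToken(
                getClientId(authenticator), getClientSecret(authenticator), code, redirectUri);
        if (Strings.isNullOrEmpty(idpToken.getAccessToken())) {
            throw new ThirdPartyErrorException();
        }
        OAuth2User remoteUser = loadUserIdentity(idpToken);
        // A remote id is the only key linking this login to a local identity; refuse without it.
        if (Strings.isNullOrEmpty(remoteUser.getId())) {
            throw new ThirdPartyErrorException();
        }
        Application application = authenticator.getClient().getApplication();
        UserIdentity identity = findIdentity(authenticator, application, remoteUser.getId());
        if (identity == null) {
            identity = createIdentity(authenticator, application, remoteUser);
        } else {
            mergeClaims(identity, remoteUser);
        }
        return identity;
    }

    /**
     * Finds the existing identity for a remote id. The lookup is scoped to both the authenticator
     * type and the owning application, so a remote id from one IdP or one application can never
     * resolve to a user of another.
     *
     * @return the matching identity, or null if none exists.
     */
    private UserIdentity findIdentity(Authenticator authenticator,
                                      Application application,
                                      String remoteId) {
        return (UserIdentity) this.session.createCriteria(UserIdentity.class)
                .createAlias("user", "u")
                .add(Restrictions.eq("type", authenticator.getType()))
                .add(Restrictions.eq("remoteId", remoteId))
                .add(Restrictions.eq("u.application", application))
                .setFirstResult(0)
                .setMaxResults(1)
                .uniqueResult();
    }

    /**
     * Creates and persists a new user plus identity for a first-time remote login. The new user
     * receives only the application's default role; nothing from the IdP claims grants privilege.
     */
    private UserIdentity createIdentity(Authenticator authenticator,
                                        Application application,
                                        OAuth2User remoteUser) {
        User user = new User();
        user.setApplication(application);
        user.setRole(application.getDefaultRole());

        UserIdentity identity = new UserIdentity();
        identity.setUser(user);
        identity.setType(authenticator.getType());
        identity.setRemoteId(remoteUser.getId());
        identity.setClaims(remoteUser.getClaims());

        this.session.save(user);
        this.session.save(identity);
        return identity;
    }

    /**
     * Refreshes a known identity's claims with the ones just received from the IdP. Existing keys
     * are overwritten; keys absent from the new set are kept. Null claim sets on either side are
     * tolerated instead of raising a NullPointerException.
     */
    private void mergeClaims(UserIdentity identity, OAuth2User remoteUser) {
        if (remoteUser.getClaims() != null) {
            if (identity.getClaims() == null) {
                identity.setClaims(remoteUser.getClaims());
            } else {
                identity.getClaims().putAll(remoteUser.getClaims());
            }
        }
        this.session.save(identity);
    }

    /**
     * Resolves the remote user from a freshly obtained IdP token.
     *
     * @param oAuth2IdPToken the token returned by the IdP's token endpoint.
     * @return the remote user; its id must be non-empty for authentication to succeed.
     */
    protected abstract OAuth2User loadUserIdentity(OAuth2IdPToken oAuth2IdPToken);

    /**
     * Exchanges an authorization code for a token at the IdP's token endpoint.
     *
     * <p>Client credentials travel in the HTTP Basic {@code Authorization} header; {@code client_id}
     * is additionally repeated in the form body, but the secret is never placed in the body or URL.
     *
     * @param clientId     the configured client id.
     * @param clientSecret the configured client secret.
     * @param code         the authorization code from the callback.
     * @param redirectUri  the redirect URI used in the authorization request.
     * @return the parsed token response.
     * @throws ThirdPartyErrorException if the IdP answers with a non-2xx status (its JSON error
     *                                  body is attached) or the body cannot be parsed.
     */
    private OAuth2IdPToken resolveIdPToken(String clientId,
                                           String clientSecret,
                                           String code,
                                           URI redirectUri) {
        String authHeaderBasic = HttpUtil.authHeaderBasic(clientId, clientSecret);
        Form form = new Form()
                .param(CLIENT_ID_KEY, clientId)
                .param("code", code)
                .param("grant_type", "authorization_code")
                .param("redirect_uri", redirectUri.toString());
        Response response = this.client.target(getTokenEndpoint())
                .request()
                .header("Accept", MediaType.APPLICATION_JSON)
                .header("Authorization", authHeaderBasic)
                .post(Entity.entity(form, MediaType.APPLICATION_FORM_URLENCODED_TYPE));
        try {
            if (!Response.Status.Family.SUCCESSFUL.equals(response.getStatusInfo().getFamily())) {
                throw new ThirdPartyErrorException((Map<String, String>) response.readEntity(MAP_TYPE));
            }
            return response.readEntity(OAuth2IdPToken.class);
        } catch (ProcessingException e) {
            // Unreadable or non-JSON body from the IdP. The cause is not attached to the
            // client-facing exception; NOTE(review): consider logging it server-side for diagnosis.
            throw new ThirdPartyErrorException();
        } finally {
            // Single close point for both the success and the error path.
            response.close();
        }
    }
}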
