package net.trajano.openidconnect.jaspic.internal.processors;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.text.MessageFormat;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;
import javax.json.JsonObject;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.ws.rs.BadRequestException;
import javax.ws.rs.client.Entity;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedHashMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import net.trajano.openidconnect.core.OpenIdProviderConfiguration;
import net.trajano.openidconnect.crypto.Encoding;
import net.trajano.openidconnect.crypto.JsonWebKeySet;
import net.trajano.openidconnect.crypto.JsonWebTokenProcessor;
import net.trajano.openidconnect.jaspic.OpenIdConnectAuthModule;
import net.trajano.openidconnect.jaspic.internal.CipherUtil;
import net.trajano.openidconnect.jaspic.internal.Log;
import net.trajano.openidconnect.jaspic.internal.TokenCookie;
import net.trajano.openidconnect.jaspic.internal.Utils;
import net.trajano.openidconnect.jaspic.internal.ValidateContext;
import net.trajano.openidconnect.jaspic.internal.ValidateRequestProcessor;
import net.trajano.openidconnect.token.GrantType;
import net.trajano.openidconnect.token.IdTokenResponse;

/* loaded from: input_file:net/trajano/openidconnect/jaspic/internal/processors/CallbackRequestProcessor.class */
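/**
 * Handles the OpenID Connect redirection-endpoint callback: exchanges the
 * {@code code} for tokens, verifies the ID token against the provider's JWKS,
 * checks the issuer, installs the caller principal on the client subject,
 * persists the token cookie and redirects back to the saved state.
 */
public class CallbackRequestProcessor implements ValidateRequestProcessor {
    protected static final String HTTPS_PREFIX = "https://";
    private static final Logger LOG = Log.getInstance();
    /** Matches the {@code profile} scope as a whole word within the configured scope string. */
    private static final Pattern PROFILE_SCOPE = Pattern.compile("\\bprofile\\b");

    /**
     * Accepts only a secure request on the redirection endpoint that carries both
     * the {@code code} and {@code state} query parameters.
     *
     * @param validateContext request context
     * @return {@code true} if this processor should handle the request
     */
    @Override
    public boolean canValidateRequest(final ValidateContext validateContext) {
        if (!validateContext.isSecure()) {
            return false;
        }
        if (!validateContext.isRequestUri(OpenIdConnectAuthModule.REDIRECTION_ENDPOINT_URI_KEY)) {
            return false;
        }
        final String code = validateContext.getReq().getParameter("code");
        final String state = validateContext.getReq().getParameter("state");
        return !Utils.isNullOrEmpty(code) && !Utils.isNullOrEmpty(state);
    }

    /**
     * Calls the provider's token endpoint. The client first authenticates with
     * HTTP Basic ({@code client_secret_basic}); if the provider answers 400 the
     * call is retried with the credentials in the form body
     * ({@code client_secret_post}).
     *
     * @param parameterName  name of the grant parameter, e.g. {@code code}
     * @param parameterValue value of the grant parameter
     * @param grantType      grant type sent as {@code grant_type}
     * @param validateContext request context supplying client options and the
     *                        JAX-RS target
     * @return the token endpoint response
     * @throws IOException propagated from the underlying call
     */
    private IdTokenResponse getToken(final String parameterName, final String parameterValue, final GrantType grantType, final ValidateContext validateContext) throws IOException {
        final MultivaluedHashMap<String, String> form = new MultivaluedHashMap<>();
        form.putSingle(parameterName, parameterValue);
        form.putSingle("grant_type", grantType.name());
        form.putSingle("redirect_uri", validateContext.getUri(OpenIdConnectAuthModule.REDIRECTION_ENDPOINT_URI_KEY).toASCIIString());
        final String clientId = validateContext.getOption("client_id");
        final String clientSecret = validateContext.getOption("client_secret");
        final String tokenEndpoint = validateContext.getOpenIDProviderConfig().getTokenEndpoint();
        IdTokenResponse tokenResponse;
        try {
            tokenResponse = validateContext.target(tokenEndpoint)
                .request(MediaType.APPLICATION_JSON_TYPE)
                .header("Authorization", "Basic " + Encoding.base64Encode(clientId + ":" + clientSecret))
                .post(Entity.form(form), IdTokenResponse.class);
        } catch (final BadRequestException e) {
            // Some providers reject Basic client authentication; fall back to
            // sending client_id/client_secret in the form body.
            form.putSingle("client_id", clientId);
            form.putSingle("client_secret", clientSecret);
            tokenResponse = validateContext.target(tokenEndpoint)
                .request(MediaType.APPLICATION_JSON_TYPE)
                .post(Entity.form(form), IdTokenResponse.class);
        }
        if (LOG.isLoggable(Level.FINEST)) {
            // NOTE(review): this logs the whole response object; confirm
            // IdTokenResponse.toString() does not print raw tokens before
            // enabling FINEST outside of development.
            LOG.finest("authorization token response =  " + tokenResponse);
        }
        return tokenResponse;
    }

    /**
     * Fetches the provider's JSON Web Key Set from its {@code jwks_uri}.
     *
     * @param validateContext request context supplying the provider configuration
     * @return the key set used to verify the ID token signature
     * @throws GeneralSecurityException declared for callers; not thrown here directly
     */
    private JsonWebKeySet getWebKeys(final ValidateContext validateContext) throws GeneralSecurityException {
        final String jwksUri = validateContext.getOpenIDProviderConfig().getJwksUri();
        return validateContext.target(jwksUri)
            .request(MediaType.APPLICATION_JSON_TYPE)
            .get(JsonWebKeySet.class);
    }

    /**
     * Normalizes an issuer value that lacks a scheme by prefixing
     * {@value #HTTPS_PREFIX}. Applied to both the token's {@code iss} claim and
     * the configured issuer so the two are compared in the same form.
     *
     * @param issuer issuer value, possibly without scheme
     * @return issuer starting with {@code https://}
     */
    private String googleWorkaround(final String issuer) {
        if (issuer.startsWith(HTTPS_PREFIX)) {
            return issuer;
        }
        return HTTPS_PREFIX + issuer;
    }

    /**
     * Installs the caller principal ({@code iss} with {@code sub} as user-info)
     * and a group named after the issuer on the client subject.
     *
     * @param subject         client subject to update
     * @param idTokenPayload  verified ID token claims
     * @param validateContext request context supplying the callback handler
     * @throws GeneralSecurityException wrapping any callback-handler failure
     */
    private void updateSubjectPrincipal(final Subject subject, final JsonObject idTokenPayload, final ValidateContext validateContext) throws GeneralSecurityException {
        final String issuer = googleWorkaround(idTokenPayload.getString("iss"));
        final String principalName = UriBuilder.fromUri(issuer)
            .userInfo(idTokenPayload.getString("sub"))
            .build()
            .toASCIIString();
        try {
            validateContext.getHandler().handle(new Callback[] {
                new CallerPrincipalCallback(subject, principalName),
                new GroupPrincipalCallback(subject, new String[] { issuer })
            });
        } catch (final IOException | UnsupportedCallbackException e) {
            LOG.log(Level.SEVERE, "updatePrincipalException", e.getMessage());
            LOG.throwing(getClass().getName(), "updateSubjectPrincipal", e);
            final AuthException authException = new AuthException(MessageFormat.format(Log.r("updatePrincipalException"), e.getMessage()));
            // AuthException has no cause constructor; keep the original failure attached.
            authException.initCause(e);
            throw authException;
        }
    }

    /**
     * Builds the token cookie, enriching it with the userinfo response when the
     * provider exposes a userinfo endpoint and the configured scope contains
     * {@code profile}; otherwise, or if userinfo does not return 200, the cookie
     * holds only the ID token.
     */
    private TokenCookie buildTokenCookie(final OpenIdProviderConfiguration providerConfig, final IdTokenResponse token, final JsonObject idTokenPayload, final ValidateContext validateContext) {
        final String userinfoEndpoint = providerConfig.getUserinfoEndpoint();
        final boolean wantsProfile = PROFILE_SCOPE.matcher(validateContext.getOption("scope")).find();
        if (userinfoEndpoint == null || !wantsProfile) {
            return new TokenCookie(idTokenPayload, token.getEncodedIdToken());
        }
        final Response response = validateContext.target(userinfoEndpoint)
            .request(MediaType.APPLICATION_JSON_TYPE)
            .header("Authorization", token.getTokenType() + " " + token.getAccessToken())
            .get();
        try {
            if (response.getStatus() == Response.Status.OK.getStatusCode()) {
                final JsonObject userInfo = response.readEntity(JsonObject.class);
                return new TokenCookie(token.getAccessToken(), token.getRefreshToken(), idTokenPayload, token.getEncodedIdToken(), userInfo);
            }
            LOG.log(Level.WARNING, "unableToGetProfile");
            return new TokenCookie(idTokenPayload, token.getEncodedIdToken());
        } finally {
            // readEntity closes the response, but the non-200 path would
            // otherwise leak the underlying connection.
            response.close();
        }
    }

    /**
     * Completes the authorization-code flow for the current callback request.
     *
     * @param validateContext request context
     * @return {@link AuthStatus#SEND_SUCCESS} after the redirect to the saved state
     * @throws IOException              on token endpoint failure
     * @throws GeneralSecurityException if the ID token fails validation or the
     *                                  issuer does not match the provider configuration
     */
    @Override
    public AuthStatus validateRequest(final ValidateContext validateContext) throws IOException, GeneralSecurityException {
        final OpenIdProviderConfiguration providerConfig = validateContext.getOpenIDProviderConfig();
        final IdTokenResponse token = getToken("code", validateContext.getReq().getParameter("code"), GrantType.authorization_code, validateContext);
        final JsonWebKeySet webKeys = getWebKeys(validateContext);
        LOG.log(Level.FINEST, "tokenValue", token);
        // Signature verification happens here against the provider's JWKS.
        final JsonObject idTokenPayload = new JsonWebTokenProcessor(token.getEncodedIdToken()).jwks(webKeys).getJsonPayload();

        final String nonceCookie = validateContext.getCookie(OpenIdConnectAuthModule.NET_TRAJANO_AUTH_NONCE);
        // The nonce was stored encrypted and base64url-encoded at authorization time.
        // NOTE(review): when the cookie is absent, null is passed through; confirm
        // Utils.validateIdToken rejects an ID token whose nonce cannot be checked.
        final String expectedNonce = nonceCookie == null
            ? null
            : new String(CipherUtil.decrypt(Encoding.base64urlDecode(nonceCookie), validateContext.getSecret()), StandardCharsets.US_ASCII);
        Utils.validateIdToken(validateContext.getOption("client_id"), idTokenPayload, expectedNonce, token.getAccessToken());
        validateContext.deleteCookie(OpenIdConnectAuthModule.NET_TRAJANO_AUTH_NONCE);

        final String tokenIssuer = googleWorkaround(idTokenPayload.getString("iss"));
        final String configuredIssuer = googleWorkaround(providerConfig.getIssuer());
        if (!tokenIssuer.equals(configuredIssuer)) {
            LOG.log(Level.SEVERE, "issuerMismatch", new Object[] { tokenIssuer, configuredIssuer });
            throw new GeneralSecurityException(MessageFormat.format(Log.r("issuerMismatch"), tokenIssuer, configuredIssuer));
        }

        updateSubjectPrincipal(validateContext.getClientSubject(), idTokenPayload, validateContext);
        final TokenCookie tokenCookie = buildTokenCookie(providerConfig, token, idTokenPayload, validateContext);
        validateContext.saveIdTokenCookie(tokenCookie);
        validateContext.saveAgeCookie();
        validateContext.redirectToState();
        return AuthStatus.SEND_SUCCESS;
    }
}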
