package net.trajano.openidconnect.jaspic;

import java.io.IOException;
import java.net.URI;
import java.nio.file.attribute.GroupPrincipal;
import java.nio.file.attribute.UserPrincipal;
import java.security.GeneralSecurityException;
import java.security.Principal;
import java.security.SecureRandom;
import java.text.MessageFormat;
import java.util.Iterator;
import java.util.Map;
import java.util.Random;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;
import javax.crypto.SecretKey;
import javax.json.JsonObject;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.config.ServerAuthContext;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.BadRequestException;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.client.Entity;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedHashMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import net.trajano.openidconnect.auth.AuthenticationRequest;
import net.trajano.openidconnect.auth.ResponseMode;
import net.trajano.openidconnect.auth.ResponseType;
import net.trajano.openidconnect.core.OpenIdConnectKey;
import net.trajano.openidconnect.core.OpenIdProviderConfiguration;
import net.trajano.openidconnect.crypto.Encoding;
import net.trajano.openidconnect.crypto.JsonWebAlgorithm;
import net.trajano.openidconnect.crypto.JsonWebKeySet;
import net.trajano.openidconnect.crypto.JsonWebTokenBuilder;
import net.trajano.openidconnect.crypto.JsonWebTokenProcessor;
import net.trajano.openidconnect.jaspic.internal.CipherUtil;
import net.trajano.openidconnect.jaspic.internal.Log;
import net.trajano.openidconnect.jaspic.internal.NullHostnameVerifier;
import net.trajano.openidconnect.jaspic.internal.NullX509TrustManager;
import net.trajano.openidconnect.jaspic.internal.TokenCookie;
import net.trajano.openidconnect.jaspic.internal.Utils;
import net.trajano.openidconnect.jaspic.internal.ValidateContext;
import net.trajano.openidconnect.jaspic.internal.ValidateRequestProcessors;
import net.trajano.openidconnect.rs.JsonWebKeyProvider;
import net.trajano.openidconnect.rs.JsonWebKeySetProvider;
import net.trajano.openidconnect.token.GrantType;
import net.trajano.openidconnect.token.IdTokenResponse;

/* loaded from: input_file:WEB-INF/lib/openid-connect-jaspic-module-1.0.1.jar:net/trajano/openidconnect/jaspic/OpenIdConnectAuthModule.class */
public class OpenIdConnectAuthModule implements ServerAuthModule, ServerAuthContext {
    public static final String ACCESS_TOKEN_KEY = "auth_access";
    public static final String COOKIE_CONTEXT_KEY = "cookie_context";
    public static final String DISABLE_CERTIFICATE_CHECKS_KEY = "disable_certificate_checks";
    protected static final String HTTPS_PREFIX = "https://";
    public static final String ID_TOKEN_KEY = "auth_idtoken";
    public static final String ISSUER_URI_KEY = "issuer_uri";
    protected static final Logger LOGCONFIG = Logger.getLogger("net.trajano.oidc.jaspic.config", "META-INF/Messages");
    public static final String LOGOUT_GOTO_URI_KEY = "logout_goto_uri";
    public static final String LOGOUT_URI_KEY = "logout_uri";
    public static final String NET_TRAJANO_AUTH_AGE = "net.trajano.oidc.age";
    public static final String NET_TRAJANO_AUTH_ID = "net.trajano.oidc.id";
    public static final String NET_TRAJANO_AUTH_NONCE = "net.trajano.oidc.nonce";
    public static final String REDIRECTION_ENDPOINT_URI_KEY = "redirection_endpoint";
    public static final String REFRESH_TOKEN_KEY = "auth_refresh";
    public static final String TOKEN_URI_KEY = "token_uri";
    public static final String USERINFO_KEY = "auth_userinfo";
    public static final String USERINFO_URI_KEY = "userinfo_uri";
    private String clientId;
    private String clientSecret;
    private String cookieContext;
    private CallbackHandler handler;
    private boolean mandatory;
    private Map<String, String> moduleOptions;
    private String redirectionEndpointUri;
    private Client restClient;
    private String scope;
    private SecretKey secret;
    private String tokenUri;
    private String userInfoUri;
    private final Random random = new SecureRandom();
    private ResponseMode responseMode = ResponseMode.query;

    public Client buildUnsecureRestClient() throws GeneralSecurityException {
        SSLContext sSLContext = SSLContext.getInstance("TLSv1");
        sSLContext.init(null, new TrustManager[]{NullX509TrustManager.INSTANCE}, null);
        return ClientBuilder.newBuilder().hostnameVerifier(NullHostnameVerifier.INSTANCE).sslContext(sSLContext).build();
    }

    public void cleanSubject(MessageInfo messageInfo, Subject subject) throws AuthException {
        Iterator<Principal> it = subject.getPrincipals().iterator();
        while (it.hasNext()) {
            Principal next = it.next();
            if (next instanceof UserPrincipal) {
                it.remove();
            }
            if (next instanceof GroupPrincipal) {
                it.remove();
            }
        }
    }

    private void deleteAuthCookies(HttpServletResponse httpServletResponse) {
        for (String str : new String[]{NET_TRAJANO_AUTH_ID, NET_TRAJANO_AUTH_AGE}) {
            Cookie cookie = new Cookie(str, "");
            cookie.setMaxAge(0);
            cookie.setSecure(true);
            cookie.setPath(this.cookieContext);
            httpServletResponse.addCookie(cookie);
        }
    }

    private String getIdToken(HttpServletRequest httpServletRequest) throws GeneralSecurityException, IOException {
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            return null;
        }
        String str = null;
        boolean z = false;
        for (Cookie cookie : cookies) {
            if (NET_TRAJANO_AUTH_ID.equals(cookie.getName()) && !Utils.isNullOrEmpty(cookie.getValue())) {
                str = cookie.getValue();
            } else if (NET_TRAJANO_AUTH_AGE.equals(cookie.getName())) {
                String remoteAddr = httpServletRequest.getRemoteAddr();
                String str2 = new String(CipherUtil.decrypt(Encoding.base64urlDecode(cookie.getValue()), this.secret), "US-ASCII");
                if (!remoteAddr.equals(str2)) {
                    throw new AuthException(MessageFormat.format(Log.r("ipaddressMismatch", new Object[0]), remoteAddr, str2));
                }
                z = true;
            }
            if (str != null && z) {
                return str;
            }
        }
        return null;
    }

    protected OpenIdProviderConfiguration getOpenIDProviderConfig(HttpServletRequest httpServletRequest, Client client, Map<String, String> map) throws AuthException {
        String str = map.get(ISSUER_URI_KEY);
        if (str != null) {
            return (OpenIdProviderConfiguration) client.target(URI.create(str).resolve("/.well-known/openid-configuration")).request(new MediaType[]{MediaType.APPLICATION_JSON_TYPE}).get(OpenIdProviderConfiguration.class);
        }
        Log.severe("missingOption", ISSUER_URI_KEY);
        throw new AuthException(MessageFormat.format(Log.r("missingOption", new Object[0]), ISSUER_URI_KEY));
    }

    protected URI getRedirectionEndpointUri(HttpServletRequest httpServletRequest) {
        return URI.create(httpServletRequest.getRequestURL().toString()).resolve(this.redirectionEndpointUri);
    }

    private String getRequiredOption(String str) throws AuthException {
        String str2 = this.moduleOptions.get(str);
        if (str2 != null) {
            return str2;
        }
        Log.severe("missingOption", str);
        throw new AuthException(MessageFormat.format(Log.r("missingOption", new Object[0]), str));
    }

    private String getState(HttpServletRequest httpServletRequest) {
        StringBuilder sb = new StringBuilder(httpServletRequest.getRequestURI().substring(httpServletRequest.getContextPath().length()));
        if (httpServletRequest.getQueryString() != null) {
            sb.append('?');
            sb.append(httpServletRequest.getQueryString());
        }
        return Encoding.base64urlEncode(sb.toString());
    }

    public Class[] getSupportedMessageTypes() {
        return new Class[]{HttpServletRequest.class, HttpServletResponse.class};
    }

    protected IdTokenResponse getTokenViaRefresh(HttpServletRequest httpServletRequest, String str, OpenIdProviderConfiguration openIdProviderConfiguration) throws IOException {
        MultivaluedHashMap multivaluedHashMap = new MultivaluedHashMap();
        multivaluedHashMap.putSingle(OpenIdConnectKey.REFRESH_TOKEN, str);
        multivaluedHashMap.putSingle("grant_type", GrantType.refresh_token.name());
        multivaluedHashMap.putSingle("redirect_uri", getRedirectionEndpointUri(httpServletRequest).toASCIIString());
        try {
            IdTokenResponse idTokenResponse = (IdTokenResponse) this.restClient.target(openIdProviderConfiguration.getTokenEndpoint()).request(new MediaType[]{MediaType.APPLICATION_JSON_TYPE}).header("Authorization", "Basic " + Encoding.base64Encode(this.clientId + ":" + this.clientSecret)).post(Entity.form(multivaluedHashMap), IdTokenResponse.class);
            if (Log.isFinestLoggable()) {
                Log.getInstance().finest("authorization token response =  " + idTokenResponse);
            }
            return idTokenResponse;
        } catch (BadRequestException e) {
            multivaluedHashMap.putSingle("client_id", this.clientId);
            multivaluedHashMap.putSingle(OpenIdConnectKey.CLIENT_SECRET, this.clientSecret);
            IdTokenResponse idTokenResponse2 = (IdTokenResponse) this.restClient.target(openIdProviderConfiguration.getTokenEndpoint()).request(new MediaType[]{MediaType.APPLICATION_JSON_TYPE}).post(Entity.form(multivaluedHashMap), IdTokenResponse.class);
            if (Log.isFinestLoggable()) {
                Log.getInstance().finest("authorization token response =  " + idTokenResponse2);
            }
            return idTokenResponse2;
        }
    }

    private JsonWebKeySet getWebKeys(OpenIdProviderConfiguration openIdProviderConfiguration) throws GeneralSecurityException {
        return (JsonWebKeySet) this.restClient.target(openIdProviderConfiguration.getJwksUri()).request(new MediaType[]{MediaType.APPLICATION_JSON_TYPE}).get(JsonWebKeySet.class);
    }

    private String googleWorkaround(String str) {
        return str.startsWith(HTTPS_PREFIX) ? str : HTTPS_PREFIX + str;
    }

    public void initialize(MessagePolicy messagePolicy, MessagePolicy messagePolicy2, CallbackHandler callbackHandler, Map map) throws AuthException {
        try {
            this.moduleOptions = map;
            this.clientId = getRequiredOption("client_id");
            this.cookieContext = this.moduleOptions.get(COOKIE_CONTEXT_KEY);
            this.redirectionEndpointUri = getRequiredOption(REDIRECTION_ENDPOINT_URI_KEY);
            this.tokenUri = this.moduleOptions.get(TOKEN_URI_KEY);
            this.userInfoUri = this.moduleOptions.get(USERINFO_URI_KEY);
            this.scope = this.moduleOptions.get(OpenIdConnectKey.SCOPE);
            if (Utils.isNullOrEmpty(this.scope)) {
                this.scope = "openid";
            }
            this.clientSecret = getRequiredOption(OpenIdConnectKey.CLIENT_SECRET);
            LOGCONFIG.log(Level.CONFIG, "options", this.moduleOptions);
            String str = this.moduleOptions.get(OpenIdConnectKey.RESPONSE_MODE);
            if (str != null) {
                this.responseMode = ResponseMode.valueOf(str);
            }
            this.handler = callbackHandler;
            this.mandatory = messagePolicy.isMandatory();
            this.secret = CipherUtil.buildSecretKey(this.clientId, this.clientSecret);
            if (this.restClient == null) {
                if (this.moduleOptions.get(DISABLE_CERTIFICATE_CHECKS_KEY) == null || !Boolean.valueOf(this.moduleOptions.get(DISABLE_CERTIFICATE_CHECKS_KEY)).booleanValue()) {
                    this.restClient = ClientBuilder.newClient();
                } else {
                    this.restClient = buildUnsecureRestClient();
                }
                this.restClient.register(JsonWebKeySetProvider.class).register(JsonWebKeyProvider.class);
            }
        } catch (Exception e) {
            Log.severe("initializeException", e);
            throw new AuthException(MessageFormat.format(Log.r("initializeException", new Object[0]), e.getMessage()));
        }
    }

    private String nextNonce() {
        byte[] bArr = new byte[8];
        this.random.nextBytes(bArr);
        return Encoding.base64urlEncode(bArr);
    }

    private TokenCookie processTokenCookie(Subject subject, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        try {
            String idToken = getIdToken(httpServletRequest);
            TokenCookie tokenCookie = null;
            if (idToken != null) {
                tokenCookie = new TokenCookie(idToken, this.secret);
                if (tokenCookie.isExpired() && tokenCookie.getRefreshToken() != null) {
                    OpenIdProviderConfiguration openIDProviderConfig = getOpenIDProviderConfig(httpServletRequest, this.restClient, this.moduleOptions);
                    IdTokenResponse tokenViaRefresh = getTokenViaRefresh(httpServletRequest, tokenCookie.getRefreshToken(), openIDProviderConfig);
                    JsonObject jsonPayload = new JsonWebTokenProcessor(tokenViaRefresh.getEncodedIdToken()).jwks(getWebKeys(openIDProviderConfig)).getJsonPayload();
                    String googleWorkaround = googleWorkaround(jsonPayload.getString("iss"));
                    String googleWorkaround2 = googleWorkaround(openIDProviderConfig.getIssuer());
                    if (!googleWorkaround.equals(googleWorkaround2)) {
                        Log.severe("issuerMismatch", googleWorkaround, googleWorkaround2);
                        throw new GeneralSecurityException(Log.r("issuerMismatch", googleWorkaround, googleWorkaround2));
                    }
                    updateSubjectPrincipal(subject, jsonPayload);
                    if (openIDProviderConfig.getUserinfoEndpoint() == null || !Pattern.compile("\\bprofile\\b").matcher(this.scope).find()) {
                        tokenCookie = new TokenCookie(jsonPayload, tokenViaRefresh.getEncodedIdToken());
                    } else {
                        Response response = this.restClient.target(openIDProviderConfig.getUserinfoEndpoint()).request(new MediaType[]{MediaType.APPLICATION_JSON_TYPE}).header("Authorization", tokenViaRefresh.getTokenType() + " " + tokenViaRefresh.getAccessToken()).get();
                        if (response.getStatus() == 200) {
                            tokenCookie = new TokenCookie(tokenViaRefresh.getAccessToken(), tokenViaRefresh.getRefreshToken(), jsonPayload, tokenViaRefresh.getEncodedIdToken(), (JsonObject) response.readEntity(JsonObject.class));
                        } else {
                            Log.getInstance().log(Level.WARNING, "unableToGetProfile");
                            tokenCookie = new TokenCookie(jsonPayload, tokenViaRefresh.getEncodedIdToken());
                        }
                    }
                    String contextPath = Utils.isNullOrEmpty(this.cookieContext) ? httpServletRequest.getContextPath() : this.cookieContext;
                    Cookie cookie = new Cookie(NET_TRAJANO_AUTH_ID, tokenCookie.toCookieValue(this.secret));
                    cookie.setMaxAge(-1);
                    cookie.setSecure(true);
                    cookie.setHttpOnly(true);
                    cookie.setPath(contextPath);
                    httpServletResponse.addCookie(cookie);
                }
                Utils.validateIdToken(this.clientId, tokenCookie.getIdToken(), null, tokenCookie.getAccessToken());
                updateSubjectPrincipal(subject, tokenCookie.getIdToken());
                httpServletRequest.setAttribute(ACCESS_TOKEN_KEY, tokenCookie.getAccessToken());
                httpServletRequest.setAttribute(REFRESH_TOKEN_KEY, tokenCookie.getRefreshToken());
                httpServletRequest.setAttribute(ID_TOKEN_KEY, tokenCookie.getIdToken());
                if (tokenCookie.getUserInfo() != null) {
                    httpServletRequest.setAttribute(USERINFO_KEY, tokenCookie.getUserInfo());
                }
            }
            return tokenCookie;
        } catch (IOException | GeneralSecurityException e) {
            e.printStackTrace();
            Log.getInstance().log(Level.FINE, "invalidToken", e.getMessage());
            Log.getInstance().throwing(getClass().getName(), "validateRequest", e);
            return null;
        }
    }

    private AuthStatus redirectToAuthorizationEndpoint(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) throws AuthException {
        Log.fine("redirecting", str);
        try {
            OpenIdProviderConfiguration openIDProviderConfig = getOpenIDProviderConfig(httpServletRequest, this.restClient, this.moduleOptions);
            String state = getState(httpServletRequest);
            String contextPath = Utils.isNullOrEmpty(this.cookieContext) ? httpServletRequest.getContextPath() : this.cookieContext;
            String nextNonce = nextNonce();
            Cookie cookie = new Cookie(NET_TRAJANO_AUTH_NONCE, Encoding.base64urlEncode(CipherUtil.encrypt(nextNonce.getBytes(), this.secret)));
            cookie.setMaxAge(-1);
            cookie.setPath(contextPath);
            cookie.setHttpOnly(true);
            cookie.setSecure(true);
            httpServletResponse.addCookie(cookie);
            AuthenticationRequest build = new AuthenticationRequest.Builder().clientId(this.clientId).scope(this.scope).redirectUri(URI.create(httpServletRequest.getRequestURL().toString()).resolve(this.moduleOptions.get(REDIRECTION_ENDPOINT_URI_KEY))).responseType(ResponseType.code, new ResponseType[0]).state(state).nonce(nextNonce).uiLocale(httpServletRequest.getLocales()).responseMode(this.responseMode).build();
            UriBuilder fromUri = UriBuilder.fromUri(openIDProviderConfig.getAuthorizationEndpoint());
            if (openIDProviderConfig.isRequestParameterSupported()) {
                String firstMatchingKexAlgorithm = JsonWebAlgorithm.getFirstMatchingKexAlgorithm(openIDProviderConfig.getRequestObjectEncryptionAlgValuesSupported());
                String firstMatchingEncAlgorithm = JsonWebAlgorithm.getFirstMatchingEncAlgorithm(openIDProviderConfig.getRequestObjectEncryptionEncValuesSupported());
                if (firstMatchingKexAlgorithm == null) {
                    throw new AuthException("no matching kex with provider");
                }
                if (firstMatchingEncAlgorithm == null) {
                    throw new AuthException("no matching env with provider");
                }
                fromUri.queryParam(OpenIdConnectKey.REQUEST, new Object[]{new JsonWebTokenBuilder().alg(firstMatchingKexAlgorithm).enc(firstMatchingEncAlgorithm).compress(true).jwk(getWebKeys(openIDProviderConfig)).payload(build.toJsonObject()).build().toString()});
            } else {
                build.addQueryParams(fromUri);
                if (this.responseMode != ResponseMode.query) {
                    fromUri.queryParam(OpenIdConnectKey.RESPONSE_MODE, new Object[]{this.responseMode.toString()});
                }
            }
            URI build2 = fromUri.build(new Object[0]);
            deleteAuthCookies(httpServletResponse);
            httpServletResponse.sendRedirect(build2.toASCIIString());
            return AuthStatus.SEND_CONTINUE;
        } catch (IOException | GeneralSecurityException e) {
            Log.getInstance().log(Level.SEVERE, "sendRedirectException", new Object[]{null, e.getMessage()});
            Log.getInstance().throwing(getClass().getName(), "redirectToAuthorizationEndpoint", e);
            throw new AuthException(MessageFormat.format(Log.r("sendRedirectException", new Object[0]), null, e.getMessage()));
        }
    }

    public AuthStatus secureResponse(MessageInfo messageInfo, Subject subject) throws AuthException {
        return AuthStatus.SEND_SUCCESS;
    }

    public void setRestClient(Client client) {
        this.restClient = client;
    }

    private void updateSubjectPrincipal(Subject subject, JsonObject jsonObject) throws GeneralSecurityException {
        try {
            String googleWorkaround = googleWorkaround(jsonObject.getString("iss"));
            this.handler.handle(new Callback[]{new CallerPrincipalCallback(subject, UriBuilder.fromUri(googleWorkaround).userInfo(jsonObject.getString("sub")).build(new Object[0]).toASCIIString()), new GroupPrincipalCallback(subject, new String[]{googleWorkaround})});
        } catch (IOException | UnsupportedCallbackException e) {
            Log.getInstance().log(Level.SEVERE, "updatePrincipalException", e.getMessage());
            Log.getInstance().throwing(getClass().getName(), "updateSubjectPrincipal", e);
            throw new AuthException(MessageFormat.format(Log.r("updatePrincipalException", new Object[0]), e.getMessage()));
        }
    }

    public AuthStatus validateRequest(MessageInfo messageInfo, Subject subject, Subject subject2) throws AuthException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse httpServletResponse = (HttpServletResponse) messageInfo.getResponseMessage();
        try {
            TokenCookie processTokenCookie = processTokenCookie(subject, httpServletRequest, httpServletResponse);
            AuthStatus validateRequest = ValidateRequestProcessors.getInstance().validateRequest(new ValidateContext(this.restClient, subject, this.mandatory, this.moduleOptions, httpServletRequest, httpServletResponse, processTokenCookie, this.cookieContext, this.handler));
            if (validateRequest != null) {
                return validateRequest;
            }
            if (this.mandatory && processTokenCookie != null && processTokenCookie.isExpired()) {
                return redirectToAuthorizationEndpoint(httpServletRequest, httpServletResponse, "token cookie is expired");
            }
            if (this.mandatory && processTokenCookie == null) {
                return redirectToAuthorizationEndpoint(httpServletRequest, httpServletResponse, "token cookie is missing");
            }
            if (httpServletRequest.isSecure() && Utils.isHeadRequest(httpServletRequest) && httpServletRequest.getRequestURI().equals(this.tokenUri)) {
                httpServletResponse.setContentType("application/json");
                return AuthStatus.SEND_SUCCESS;
            }
            if (httpServletRequest.getRequestURI().equals(this.userInfoUri) && Utils.isHeadRequest(httpServletRequest)) {
                httpServletResponse.setContentType("application/json");
                return AuthStatus.SEND_SUCCESS;
            }
            if (Utils.isRetrievalRequest(httpServletRequest)) {
                return redirectToAuthorizationEndpoint(httpServletRequest, httpServletResponse, "request is not valid");
            }
            httpServletResponse.sendError(403, "Unable to POST when unauthorized.");
            return AuthStatus.SEND_FAILURE;
        } catch (GeneralSecurityException e) {
            Log.getInstance().log(Level.FINE, "validationException", e.getMessage());
            Log.getInstance().throwing(getClass().getName(), "validateRequest", e);
            return redirectToAuthorizationEndpoint(httpServletRequest, httpServletResponse, e.getMessage());
        } catch (AuthException e2) {
            Log.getInstance().log(Level.FINE, "validationException", e2.getMessage());
            Log.getInstance().throwing(getClass().getName(), "validateRequest", e2);
            return AuthStatus.FAILURE;
        } catch (IOException e3) {
            Log.getInstance().log(Level.FINE, "validationException", e3.getMessage());
            Log.getInstance().throwing(getClass().getName(), "validateRequest", e3);
            return AuthStatus.FAILURE;
        }
    }
}
