package net.unit8.bouncr.api.resource;

import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import enkan.collection.Headers;
import enkan.collection.Parameters;
import enkan.component.BeansConverter;
import enkan.data.Cookie;
import enkan.data.HttpRequest;
import enkan.exception.FalteringEnvironmentException;
import enkan.util.BeanBuilder;
import enkan.util.CodecUtils;
import enkan.util.ThreadingUtils;
import enkan.util.jpa.EntityTransactionManager;
import java.io.InputStream;
import java.io.Serializable;
import java.time.LocalDateTime;
import java.util.Base64;
import java.util.HashMap;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
import javax.inject.Inject;
import javax.persistence.EntityManager;
import javax.persistence.criteria.CriteriaBuilder;
import javax.persistence.criteria.CriteriaQuery;
import javax.persistence.criteria.Predicate;
import javax.persistence.criteria.Root;
import kotowari.restful.Decision;
import kotowari.restful.DecisionPoint;
import kotowari.restful.data.ApiResponse;
import kotowari.restful.data.Problem;
import kotowari.restful.data.RestContext;
import kotowari.restful.resource.AllowedMethods;
import net.jodah.failsafe.Failsafe;
import net.jodah.failsafe.RetryPolicy;
import net.unit8.bouncr.api.service.SignInService;
import net.unit8.bouncr.component.BouncrConfiguration;
import net.unit8.bouncr.component.StoreProvider;
import net.unit8.bouncr.data.OidcSession;
import net.unit8.bouncr.entity.Invitation;
import net.unit8.bouncr.entity.OidcInvitation;
import net.unit8.bouncr.entity.OidcProvider;
import net.unit8.bouncr.entity.OidcUser;
import net.unit8.bouncr.entity.ResponseType;
import net.unit8.bouncr.sign.JsonWebToken;
import net.unit8.bouncr.sign.JwtClaim;
import net.unit8.bouncr.util.RandomUtils;
import okhttp3.FormBody;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

@AllowedMethods({"GET"})
/* loaded from: input_file:net/unit8/bouncr/api/resource/OidcSignInResource.class */
public class OidcSignInResource {
    private static final TypeReference<HashMap<String, Object>> GENERAL_JSON_REF = new TypeReference<HashMap<String, Object>>() { // from class: net.unit8.bouncr.api.resource.OidcSignInResource.1
    };
    private static final OkHttpClient OKHTTP = new OkHttpClient().newBuilder().connectTimeout(3, TimeUnit.SECONDS).readTimeout(10, TimeUnit.SECONDS).build();

    @Inject
    private StoreProvider storeProvider;

    @Inject
    private BeansConverter converter;

    @Inject
    private BouncrConfiguration config;

    @Inject
    private JsonWebToken jsonWebToken;
    private ObjectMapper jsonMapper = new ObjectMapper();

    /* loaded from: input_file:net/unit8/bouncr/api/resource/OidcSignInResource$OidcProviderDto.class */
    public static class OidcProviderDto implements Serializable {
        private Long id;
        private String name;
        private String clientId;
        private String scope;
        private String responseType;
        private String tokenEndpoint;
        private String authorizationEndpoint;
        private String redirectUriBase;
        private String state = RandomUtils.generateRandomString(8);
        private String nonce = RandomUtils.generateRandomString(32);

        public String getRedirectUri() {
            return this.redirectUriBase + "/sign_in/oidc/" + this.name;
        }

        public String getAuthorizationUrl() {
            return this.authorizationEndpoint + "?response_type=" + CodecUtils.urlEncode(this.responseType) + "&client_id=" + this.clientId + "&redirect_uri=" + CodecUtils.urlEncode(getRedirectUri()) + "&state=" + this.state + "&scope=" + this.scope + "&nonce=" + this.nonce;
        }

        public Long getId() {
            return this.id;
        }

        public void setId(Long l) {
            this.id = l;
        }

        public String getName() {
            return this.name;
        }

        public void setName(String str) {
            this.name = str;
        }

        public String getClientId() {
            return this.clientId;
        }

        public void setClientId(String str) {
            this.clientId = str;
        }

        public String getScope() {
            return this.scope;
        }

        public void setScope(String str) {
            this.scope = str;
        }

        public String getState() {
            return this.state;
        }

        public void setState(String str) {
            this.state = str;
        }

        public String getResponseType() {
            return this.responseType;
        }

        public void setResponseType(String str) {
            this.responseType = str;
        }

        public String getTokenEndpoint() {
            return this.tokenEndpoint;
        }

        public void setTokenEndpoint(String str) {
            this.tokenEndpoint = str;
        }

        public String getAuthorizationEndpoint() {
            return this.authorizationEndpoint;
        }

        public void setAuthorizationEndpoint(String str) {
            this.authorizationEndpoint = str;
        }

        public String getNonce() {
            return this.nonce;
        }

        public void setNonce(String str) {
            this.nonce = str;
        }

        public String getRedirectUriBase() {
            return this.redirectUriBase;
        }

        public void setRedirectUriBase(String str) {
            this.redirectUriBase = str;
        }
    }

    @Decision(DecisionPoint.EXISTS)
    public boolean exists(Parameters parameters, RestContext restContext, EntityManager entityManager) {
        CriteriaBuilder criteriaBuilder = entityManager.getCriteriaBuilder();
        CriteriaQuery createQuery = criteriaBuilder.createQuery(OidcProvider.class);
        createQuery.where(criteriaBuilder.equal(createQuery.from(OidcProvider.class).get("name"), parameters.get("name")));
        OidcProvider oidcProvider = (OidcProvider) entityManager.createQuery(createQuery).getResultStream().findAny().orElse(null);
        if (oidcProvider != null) {
            restContext.putValue(oidcProvider);
        }
        return oidcProvider != null;
    }

    @Decision(DecisionPoint.PROCESSABLE)
    public boolean processable(Parameters parameters, OidcSession oidcSession) {
        return true;
    }

    @Decision(DecisionPoint.HANDLE_OK)
    public ApiResponse callback(HttpRequest httpRequest, Parameters parameters, OidcProvider oidcProvider, EntityManager entityManager) {
        if (oidcProvider.getResponseType() == ResponseType.ID_TOKEN || oidcProvider.getResponseType() == ResponseType.TOKEN) {
            this.storeProvider.getStore(StoreProvider.StoreType.OIDC_SESSION).read((String) ThreadingUtils.some((Cookie) httpRequest.getCookies().get("OIDC_SESSION_ID"), (v0) -> {
                return v0.getValue();
            }).orElse(null));
        }
        OidcProviderDto oidcProviderDto = (OidcProviderDto) this.converter.createFrom(oidcProvider, OidcProviderDto.class);
        oidcProviderDto.setRedirectUriBase(httpRequest.getScheme() + "://" + httpRequest.getServerName() + ":" + httpRequest.getServerPort() + "/bouncr/api");
        String str = (String) ((HashMap) Failsafe.with(new RetryPolicy[]{this.config.getHttpClientRetryPolicy()}).get(() -> {
            Response execute = OKHTTP.newCall(new Request.Builder().url(oidcProvider.getTokenEndpoint()).header("Authorization", "Basic " + Base64.getUrlEncoder().encodeToString((oidcProvider.getClientId() + ":" + oidcProvider.getClientSecret()).getBytes())).post(new FormBody.Builder().add("grant_type", "authorization").add("code", parameters.get("code")).add("redirect_uri", oidcProviderDto.getRedirectUri()).build()).build()).execute();
            if (execute.code() == 503) {
                throw new FalteringEnvironmentException();
            }
            InputStream byteStream = execute.body().byteStream();
            try {
                HashMap hashMap = (HashMap) this.jsonMapper.readValue(byteStream, GENERAL_JSON_REF);
                if (byteStream != null) {
                    byteStream.close();
                }
                return hashMap;
            } catch (Throwable th) {
                if (byteStream != null) {
                    try {
                        byteStream.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        })).get("id_token");
        return str == null ? (ApiResponse) BeanBuilder.builder(new ApiResponse()).set((v0, v1) -> {
            v0.setStatus(v1);
        }, 401).set((v0, v1) -> {
            v0.setBody(v1);
        }, Problem.valueOf(401, "Can't authenticate by OpenID Connect")).build() : connectOpenIdToBouncrUser(str, oidcProvider, httpRequest, entityManager);
    }

    private OidcUser findOidcUser(OidcProvider oidcProvider, String str, EntityManager entityManager) {
        CriteriaBuilder criteriaBuilder = entityManager.getCriteriaBuilder();
        CriteriaQuery createQuery = criteriaBuilder.createQuery(OidcUser.class);
        Root from = createQuery.from(OidcUser.class);
        from.fetch("user");
        createQuery.where(new Predicate[]{criteriaBuilder.equal(from.get("oidcSub"), str), criteriaBuilder.equal(from.get("oidcProvider"), oidcProvider)});
        return (OidcUser) entityManager.createQuery(createQuery).getResultStream().findAny().orElse(null);
    }

    private ApiResponse connectOpenIdToBouncrUser(String str, OidcProvider oidcProvider, HttpRequest httpRequest, EntityManager entityManager) {
        String[] split = str.split("\\.", 3);
        JwtClaim jwtClaim = (JwtClaim) this.jsonWebToken.decodePayload(split[1], new TypeReference<JwtClaim>() { // from class: net.unit8.bouncr.api.resource.OidcSignInResource.2
        });
        SignInService signInService = new SignInService(entityManager, this.storeProvider, this.config);
        if (jwtClaim.getSub() == null) {
            return (ApiResponse) BeanBuilder.builder(new ApiResponse()).set((v0, v1) -> {
                v0.setStatus(v1);
            }, 401).set((v0, v1) -> {
                v0.setBody(v1);
            }, Problem.valueOf(401)).build();
        }
        OidcUser findOidcUser = findOidcUser(oidcProvider, jwtClaim.getSub(), entityManager);
        if (findOidcUser != null) {
            return (ApiResponse) BeanBuilder.builder(new ApiResponse()).set((v0, v1) -> {
                v0.setStatus(v1);
            }, 200).set((v0, v1) -> {
                v0.setBody(v1);
            }, signInService.createUserSession(httpRequest, findOidcUser.getUser(), signInService.createToken())).build();
        }
        Invitation invitation = (Invitation) BeanBuilder.builder(new Invitation()).set((v0, v1) -> {
            v0.setCode(v1);
        }, RandomUtils.generateRandomString(8, this.config.getSecureRandom())).set((v0, v1) -> {
            v0.setInvitedAt(v1);
        }, LocalDateTime.now()).build();
        OidcInvitation oidcInvitation = (OidcInvitation) BeanBuilder.builder(new OidcInvitation()).set((v0, v1) -> {
            v0.setInvitation(v1);
        }, invitation).set((v0, v1) -> {
            v0.setOidcProvider(v1);
        }, oidcProvider).set((v0, v1) -> {
            v0.setOidcPayload(v1);
        }, split[1]).build();
        new EntityTransactionManager(entityManager).required(() -> {
            entityManager.persist(invitation);
            entityManager.persist(oidcInvitation);
        });
        if (Objects.equals(httpRequest.getHeaders().get("X-Requested-With"), "XMLHttpRequest")) {
            return null;
        }
        return (ApiResponse) BeanBuilder.builder(new ApiResponse()).set((v0, v1) -> {
            v0.setHeaders(v1);
        }, Headers.of("Location", "/bouncr/api/sign_up?code=" + invitation.getCode())).set((v0, v1) -> {
            v0.setStatus(v1);
        }, 307).build();
    }
}
