package de.adorsys.oauth.client.jaas;

import com.nimbusds.oauth2.sdk.AccessTokenResponse;
import com.nimbusds.oauth2.sdk.AuthorizationCode;
import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
import com.nimbusds.oauth2.sdk.AuthorizationRequest;
import com.nimbusds.oauth2.sdk.AuthorizationSuccessResponse;
import com.nimbusds.oauth2.sdk.ResponseType;
import com.nimbusds.oauth2.sdk.TokenRequest;
import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.http.HTTPResponse;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.token.AccessToken;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.openid.connect.sdk.claims.UserInfo;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.net.URI;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.authenticator.AuthenticatorBase;
import org.apache.catalina.connector.Request;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.commons.lang3.StringUtils;
import org.apache.http.HttpEntity;
import org.apache.http.client.cache.HttpCacheContext;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.cache.CacheConfig;
import org.apache.http.impl.client.cache.CachingHttpClients;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:de/adorsys/oauth/client/jaas/OAuthAuthenticator.class */
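/**
 * Catalina {@link AuthenticatorBase} that authenticates requests with OAuth 2.0 / OpenID Connect.
 *
 * <p>Per request, {@link #authenticate(Request, HttpServletResponse, LoginConfig)} proceeds in this order:
 * <ol>
 *   <li>a principal already present on the request is accepted as-is;</li>
 *   <li>a bearer access token taken from the {@code access_token} request parameter or the
 *       {@code Authorization} header is validated by fetching the userinfo endpoint; the userinfo
 *       {@code sub} claim becomes the realm user name and the raw token value its credential;</li>
 *   <li>if no token is present and {@code supportGuest} is set, the realm user {@code guest} is used
 *       (the field has no setter in this class, so this path is currently unreachable);</li>
 *   <li>otherwise, if {@code supportAuthCode} is set, an authorization code carried in the request URL is
 *       exchanged at the token endpoint, and failing that the user agent is redirected to the
 *       authorization endpoint; without {@code supportAuthCode} the response is a 401.</li>
 * </ol>
 *
 * <p>Configuration is injected through the setters; {@link #start()} rejects a configuration that lacks
 * any of the three endpoints or the client id.
 *
 * <p>Review notes for maintainers (behaviour kept as found):
 * <ul>
 *   <li>the authorization request carries no {@code state} parameter, so the callback is not bound to
 *       the user agent that started the flow;</li>
 *   <li>tokens are accepted from the {@code access_token} query parameter and the userinfo lookup
 *       embeds the token in the request URL, so token values can end up in access logs and Referer
 *       headers of the involved servers;</li>
 *   <li>userinfo responses pass through a caching HTTP client keyed by that URL, so a revoked token may
 *       keep validating while a cached entry is considered fresh (freshness follows the userinfo
 *       endpoint's cache headers — confirm against the endpoint).</li>
 * </ul>
 */
public class OAuthAuthenticator extends AuthenticatorBase {
    private static final Logger LOG = LoggerFactory.getLogger(OAuthAuthenticator.class);

    /** Upper bound on cached userinfo responses. */
    private static final int MAX_CACHE_ENTRIES = 1000;
    /** Largest userinfo body (bytes) the cache will store. */
    private static final long MAX_CACHE_OBJECT_SIZE = 8192L;
    /** Connect and socket timeout for userinfo requests, in milliseconds. */
    private static final int TIMEOUT_MILLIS = 30000;

    /** Authorization endpoint the user agent is redirected to (required). */
    private URI authEndpoint;
    /** Token endpoint used for the authorization-code exchange (required). */
    private URI tokenEndpoint;
    /** Userinfo endpoint used to validate bearer tokens (required). */
    private URI userInfoEndpoint;
    /** When set, an HTTP session is created for every authenticated request. */
    private boolean supportHttpSession;
    /** When set (default), unauthenticated requests enter the authorization-code flow instead of getting a 401. */
    private boolean supportAuthCode = true;
    /** Never assigned in this class (no setter), so the guest path is currently unreachable. */
    private boolean supportGuest;
    /** Built in {@link #start()}; caches userinfo responses. */
    private CloseableHttpClient cachingHttpClient;
    /** Raw client secret as configured; turned into {@link #clientSecretBasic} in {@link #start()}. */
    private String clientSecretValue;
    private ClientID clientId;
    /** {@code null} for a public client (no secret configured). */
    private ClientSecretBasic clientSecretBasic;

    /**
     * Authenticates the request as described in the class comment.
     *
     * @param request             the current request
     * @param httpServletResponse the response; receives a 401, a redirect, or an {@code Authorization} header
     * @param loginConfig         unused
     * @return {@code true} if a user principal has been established on {@code request};
     *         {@code false} if the response has been completed with a 401 or a redirect
     * @throws IOException if the redirect to the authorization endpoint cannot be built or written
     */
    protected boolean authenticate(Request request, HttpServletResponse httpServletResponse, LoginConfig loginConfig) throws IOException {
        if (request.getUserPrincipal() != null) {
            return true;
        }
        URI requestUri = currentRequestUri(request);
        LOG.debug("Request {}", requestUri);

        AccessToken accessToken = resolveAccessToken(request, requestUri);
        if (accessToken == null && this.supportGuest) {
            // "NONE" is handed to the realm as the guest credential; the realm decides whether to accept it.
            request.setUserPrincipal(this.context.getRealm().authenticate("guest", "NONE"));
            return true;
        }
        if (authenticate(accessToken, request, httpServletResponse)) {
            return true;
        }
        if (!this.supportAuthCode) {
            // RFC 6750 §3: a 401 for a bearer-protected resource carries a WWW-Authenticate challenge.
            httpServletResponse.setHeader("WWW-Authenticate", "Bearer");
            httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }
        // Authorization-code leg: the code arrives on the URL we registered as redirect URI.
        AuthorizationCode code = resolveAuthorizationCode(request, requestUri);
        if (code != null) {
            AccessTokenResponse tokenResponse = handleAuthorization(code, requestUri, httpServletResponse);
            AccessToken exchanged = tokenResponse == null ? null : tokenResponse.getAccessToken();
            if (authenticate(exchanged, request, httpServletResponse)) {
                return true;
            }
        }
        redirectToAuthorizationEndpoint(requestUri, httpServletResponse);
        return false;
    }

    /**
     * Rebuilds the absolute URI of the current request from scheme, host, port, decoded path and raw
     * query string. It serves both as the URI to parse an authorization response from and as the
     * {@code redirect_uri} of the authorization request.
     *
     * @return the request URI, or {@code null} if it cannot be reconstructed (logged)
     */
    private static URI currentRequestUri(Request request) {
        String query = request.getQueryString();
        String file = request.getDecodedRequestURI() + (query == null ? "" : "?" + query);
        try {
            return new URL(request.getScheme(), request.getServerName(), request.getServerPort(), file).toURI();
        } catch (Exception e) {
            LOG.error("cannot reconstruct request URI", e);
            return null;
        }
    }

    /**
     * Redirects the user agent to the authorization endpoint with {@code response_type=code}, using
     * {@code redirectUri} as {@code redirect_uri}.
     *
     * <p>NOTE(review): no {@code state} parameter is sent, so the callback cannot be tied to this user
     * agent; adding one needs per-session storage that this authenticator does not have.
     *
     * @param redirectUri         the current request URI (may be {@code null}; then no redirect_uri is sent)
     * @param httpServletResponse response to write the redirect to
     * @throws IOException if the authorization request cannot be built or the redirect not written
     */
    private void redirectToAuthorizationEndpoint(URI redirectUri, HttpServletResponse httpServletResponse) throws IOException {
        try {
            AuthorizationRequest authorizationRequest = new AuthorizationRequest.Builder(
                    new ResponseType(ResponseType.Value.CODE), this.clientId)
                    .endpointURI(this.authEndpoint)
                    .redirectionURI(redirectUri)
                    .build();
            HTTPRequest httpRequest = authorizationRequest.toHTTPRequest();
            String location = String.format("%s?%s", httpRequest.getURL(), httpRequest.getQuery());
            LOG.info("redirect to {}", location);
            httpServletResponse.sendRedirect(location);
        } catch (Exception e) {
            LOG.error("redirect to authorization endpoint failed", e);
            throw new IOException(e);
        }
    }

    /**
     * Exchanges an authorization code for tokens at the token endpoint.
     *
     * @param authorizationCode   code received on the redirect URI
     * @param redirectUri         the redirect URI the code was issued for (must match the authorization request)
     * @param httpServletResponse unused
     * @return the parsed token response, or {@code null} if the exchange failed (logged)
     */
    private AccessTokenResponse handleAuthorization(AuthorizationCode authorizationCode, URI redirectUri, HttpServletResponse httpServletResponse) {
        AuthorizationCodeGrant grant = new AuthorizationCodeGrant(authorizationCode, redirectUri);
        // A confidential client authenticates with client_secret_basic; a public client sends only its id.
        TokenRequest tokenRequest = this.clientSecretBasic == null
                ? new TokenRequest(this.tokenEndpoint, this.clientId, grant)
                : new TokenRequest(this.tokenEndpoint, this.clientSecretBasic, grant);
        try {
            HTTPResponse response = tokenRequest.toHTTPRequest().send();
            if (!response.indicatesSuccess()) {
                LOG.warn("token endpoint answered with status {}", response.getStatusCode());
                return null;
            }
            return AccessTokenResponse.parse(response);
        } catch (Exception e) {
            LOG.error("token request failed", e);
            return null;
        }
    }

    /**
     * Extracts the authorization code if {@code uri} is an authorization success response
     * (i.e. carries a {@code code} parameter).
     *
     * @param request unused
     * @param uri     the current request URI
     * @return the code, or {@code null} if the URI is not a parseable authorization response
     */
    private AuthorizationCode resolveAuthorizationCode(Request request, URI uri) {
        try {
            return AuthorizationSuccessResponse.parse(uri).getAuthorizationCode();
        } catch (Exception e) {
            LOG.trace("invalid authorization-response {}", uri);
            return null;
        }
    }

    /**
     * Looks for a bearer token, first in the {@code access_token} request parameter, then in the
     * {@code Authorization} header.
     *
     * <p>NOTE(review): accepting the token as a query parameter puts it into URLs (access logs, Referer).
     *
     * @param request the current request
     * @param uri     unused
     * @return the token, or {@code null} if none is present or the header does not parse
     */
    private AccessToken resolveAccessToken(Request request, URI uri) {
        String fromParameter = request.getParameter("access_token");
        if (StringUtils.isNotEmpty(fromParameter)) {
            return new BearerAccessToken(fromParameter);
        }
        String header = request.getHeader("Authorization");
        if (header == null || !header.contains("Bearer")) {
            return null;
        }
        try {
            return BearerAccessToken.parse(header);
        } catch (Exception e) {
            // The header value is the credential itself and is deliberately not logged.
            LOG.debug("invalid authorization-header");
            return null;
        }
    }

    /**
     * Validates {@code accessToken} against the userinfo endpoint and, on success, establishes the
     * principal on the request and registers it with the container.
     *
     * <p>The userinfo subject is used as realm user name and the raw token value as its credential;
     * the realm's answer is then registered under auth type {@code OAUTH}.
     *
     * @return {@code true} if a principal was established; {@code false} if the token is {@code null},
     *         userinfo is unavailable, or the realm rejects the subject
     */
    private boolean authenticate(AccessToken accessToken, Request request, HttpServletResponse httpServletResponse) {
        if (accessToken == null) {
            return false;
        }
        String tokenValue = accessToken.getValue();
        LOG.debug("authenticate accessToken");
        UserInfo userInfo = fetchUserInfo(accessToken);
        if (userInfo == null) {
            LOG.info("no userInfo available for presented token");
            return false;
        }
        request.setAttribute(UserInfo.class.getName(), userInfo);
        String subject = userInfo.getSubject().getValue();
        Principal principal = this.context.getRealm().authenticate(subject, tokenValue);
        if (principal == null) {
            // Claiming success without a principal would leave the request unauthenticated but marked as done.
            LOG.info("realm rejected subject {}", subject);
            return false;
        }
        if (this.supportHttpSession) {
            // Side effect only: getSessionInternal() creates the session if none exists yet.
            request.getSessionInternal();
        }
        request.setUserPrincipal(principal);
        httpServletResponse.setHeader("Authorization", accessToken.toAuthorizationHeader());
        register(request, httpServletResponse, principal, "OAUTH", subject, tokenValue);
        return true;
    }

    /**
     * Fetches and parses the userinfo document for {@code accessToken} through the caching client.
     *
     * <p>The token value is appended as {@code id} query parameter, presumably so the cache is keyed per
     * token (the endpoint itself is authenticated via the {@code Authorization} header) — confirm.
     * NOTE(review): this puts the raw token into the URL seen by the userinfo server and any proxy;
     * a digest of the token would key the cache equally well.
     *
     * @return the parsed userinfo, or {@code null} if the request fails, returns no body, or the body does
     *         not parse (logged without the token value)
     */
    private UserInfo fetchUserInfo(AccessToken accessToken) {
        String tokenValue = accessToken.getValue();
        HttpCacheContext cacheContext = HttpCacheContext.create();
        try {
            HttpGet httpGet = new HttpGet(new URI(String.format("%s?id=%s", this.userInfoEndpoint.toString(), tokenValue)));
            httpGet.setHeader("Authorization", new BearerAccessToken(tokenValue).toAuthorizationHeader());
            CloseableHttpResponse response = this.cachingHttpClient.execute(httpGet, cacheContext);
            try {
                LOG.debug("read userinfo, cache status {}", cacheContext.getCacheResponseStatus());
                HttpEntity entity = response.getEntity();
                if (entity == null) {
                    return null;
                }
                ByteArrayOutputStream body = new ByteArrayOutputStream();
                entity.writeTo(body);
                // JSON is UTF-8 (RFC 8259); do not depend on the platform default charset.
                return UserInfo.parse(body.toString(StandardCharsets.UTF_8.name()));
            } finally {
                // The original never released the pooled connection.
                response.close();
            }
        } catch (Exception e) {
            LOG.error("userinfo request failed", e);
            return null;
        }
    }

    /**
     * Validates the configuration and builds the caching HTTP client used for userinfo lookups.
     *
     * @throws LifecycleException if any endpoint or the client id is missing, or the superclass fails to start
     */
    public void start() throws LifecycleException {
        if (this.authEndpoint == null || this.tokenEndpoint == null || this.userInfoEndpoint == null || this.clientId == null) {
            throw new LifecycleException("Endpoint/ClientId missing");
        }
        CacheConfig cacheConfig = CacheConfig.custom()
                .setMaxCacheEntries(MAX_CACHE_ENTRIES)
                .setMaxObjectSize(MAX_CACHE_OBJECT_SIZE)
                .build();
        RequestConfig requestConfig = RequestConfig.custom()
                .setConnectTimeout(TIMEOUT_MILLIS)
                .setSocketTimeout(TIMEOUT_MILLIS)
                .build();
        this.cachingHttpClient = CachingHttpClients.custom()
                .setCacheConfig(cacheConfig)
                .setDefaultRequestConfig(requestConfig)
                .build();
        if (this.clientSecretValue != null) {
            this.clientSecretBasic = new ClientSecretBasic(this.clientId, new Secret(this.clientSecretValue));
        }
        super.start();
        LOG.info("OAuthAuthenticator initialized, authEndpoint={}, tokenEndpoint={}", this.authEndpoint, this.tokenEndpoint);
    }

    /**
     * @param str absolute URI of the authorization endpoint
     * @throws IllegalArgumentException if {@code str} is not a valid URI
     */
    public void setAuthEndpoint(String str) {
        try {
            this.authEndpoint = new URI(str);
        } catch (Exception e) {
            throw new IllegalArgumentException("invalid authEndpoint " + str, e);
        }
    }

    /**
     * @param str absolute URI of the token endpoint
     * @throws IllegalArgumentException if {@code str} is not a valid URI
     */
    public void setTokenEndpoint(String str) {
        try {
            this.tokenEndpoint = new URI(str);
        } catch (Exception e) {
            throw new IllegalArgumentException("invalid tokenEndpoint " + str, e);
        }
    }

    /**
     * @param str absolute URI of the userinfo endpoint
     * @throws IllegalArgumentException if {@code str} is not a valid URI
     */
    public void setUserInfoEndpoint(String str) {
        try {
            this.userInfoEndpoint = new URI(str);
        } catch (Exception e) {
            throw new IllegalArgumentException("invalid userInfoEndpoint " + str, e);
        }
    }

    /** @param z whether to create an HTTP session for authenticated requests */
    public void setSupportHttpSession(boolean z) {
        this.supportHttpSession = z;
    }

    /** @param z whether unauthenticated requests enter the authorization-code flow (default {@code true}) */
    public void setSupportAuthCode(boolean z) {
        this.supportAuthCode = z;
    }

    /** @param str client secret; when set, the token request authenticates with client_secret_basic */
    public void setClientSecret(String str) {
        this.clientSecretValue = str;
    }

    /** @param str OAuth 2.0 client identifier */
    public void setClientId(String str) {
        this.clientId = new ClientID(str);
    }
}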
