package net.trajano.auth;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.text.MessageFormat;
import java.util.HashMap;
import java.util.Map;
import java.util.ResourceBundle;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;
import javax.crypto.SecretKey;
import javax.json.Json;
import javax.json.JsonObject;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.config.ServerAuthContext;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.BadRequestException;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.client.Entity;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedHashMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import net.trajano.auth.internal.Base64;
import net.trajano.auth.internal.CipherUtil;
import net.trajano.auth.internal.JsonWebKeySet;
import net.trajano.auth.internal.OAuthParameters;
import net.trajano.auth.internal.OAuthToken;
import net.trajano.auth.internal.OpenIDProviderConfiguration;
import net.trajano.auth.internal.TokenCookie;
import net.trajano.auth.internal.Utils;

/* loaded from: input_file:net/trajano/auth/OAuthModule.class */
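/**
 * JASPIC server authentication module for OAuth 2.0 / OpenID Connect providers using the
 * authorization-code flow.
 *
 * <p>Flow as implemented here: an unauthenticated request to a protected resource is redirected to
 * the provider's authorization endpoint with the application-relative request path carried in
 * {@code state}; the provider calls back on {@code redirection_endpoint} with a {@code code}, which
 * is exchanged for tokens at the token endpoint; the ID token payload is extracted against the
 * provider's JWKS, validated for this client, and checked against the configured issuer; the caller
 * principal is established; and two cookies are written: {@value #NET_TRAJANO_AUTH_ID} (the token
 * set, encoded with the client credentials) and {@value #NET_TRAJANO_AUTH_AGE} (the client address
 * encrypted with a key derived from the client credentials). Later requests are authenticated from
 * those cookies alone.
 *
 * <p>Endpoints served by the module itself, all requiring HTTPS and an authenticated caller:
 * {@code token_uri} returns the ID token as JSON, {@code userinfo_uri} returns the cached user info,
 * {@code logout_uri} clears the cookies and redirects to {@code logout_goto_uri} (or the context
 * root).
 *
 * <p>Subclasses supply the provider configuration via {@link #getOpenIDProviderConfig}.
 */
public abstract class OAuthModule implements ServerAuthModule, ServerAuthContext {
    public static final String ACCESS_TOKEN_KEY = "auth_access";
    public static final String CLIENT_ID_KEY = "client_id";
    public static final String CLIENT_SECRET_KEY = "client_secret";
    public static final String COOKIE_CONTEXT_KEY = "cookie_context";
    private static final String HTTPS_PREFIX = "https://";
    public static final String ID_TOKEN_KEY = "auth_idtoken";
    public static final String LOGOUT_GOTO_URI_KEY = "logout_goto_uri";
    public static final String LOGOUT_URI_KEY = "logout_uri";
    public static final String NET_TRAJANO_AUTH_AGE = "net.trajano.auth.age";
    public static final String NET_TRAJANO_AUTH_ID = "net.trajano.auth.id";
    public static final String REDIRECTION_ENDPOINT_URI_KEY = "redirection_endpoint";
    public static final String REFRESH_TOKEN_KEY = "auth_refresh";
    public static final String SCOPE_KEY = "scope";
    public static final String TOKEN_URI_KEY = "token_uri";
    public static final String USERINFO_KEY = "auth_userinfo";
    public static final String USERINFO_URI_KEY = "userinfo_uri";
    /** Matches the {@code profile} scope token; compiled once instead of on every callback. */
    private static final Pattern PROFILE_SCOPE = Pattern.compile("\\bprofile\\b");
    /** Lifetime in seconds of the age cookie when the callback carries no usable {@code expires_in}. */
    private static final int DEFAULT_AGE_COOKIE_MAX_AGE = 3600;
    private String clientId;
    private String clientSecret;
    private String cookieContext;
    private CallbackHandler handler;
    private String logoutGotoUri;
    private String logoutUri;
    private boolean mandatory;
    private Map<String, String> moduleOptions;
    private String redirectionEndpointUri;
    private Client restClient = ClientBuilder.newClient();
    private String scope;
    /** Key derived from the client credentials; encrypts the age cookie and decodes the ID cookie. */
    private SecretKey secret;
    private String tokenUri;
    private String userInfoUri;
    private static final String MESSAGES = "META-INF/Messages";
    private static final Logger LOG = Logger.getLogger("net.trajano.auth.oauthsam", MESSAGES);
    private static final Logger LOGCONFIG = Logger.getLogger("net.trajano.auth.oauthsam.config", MESSAGES);
    private static final ResourceBundle R = ResourceBundle.getBundle(MESSAGES);

    /**
     * Intentionally a no-op: the module does not remove the principals it registers through the
     * callback handler.
     */
    @Override
    public void cleanSubject(final MessageInfo messageInfo, final Subject subject) throws AuthException {
        // Nothing to clean up.
    }

    /**
     * Expires both authentication cookies.
     *
     * <p>The path must be the same one used when the cookies were set in {@link #handleCallback},
     * otherwise the browser keeps the originals and "logout" is a no-op; the request is needed to
     * recover the context-path fallback used there when {@code cookie_context} is not configured.
     */
    private void deleteAuthCookies(final HttpServletRequest req, final HttpServletResponse resp) {
        final String path = cookiePath(req);
        resp.addCookie(expiredCookie(NET_TRAJANO_AUTH_AGE, path));
        resp.addCookie(expiredCookie(NET_TRAJANO_AUTH_ID, path));
    }

    /** Builds an empty cookie with max-age 0 so the browser discards the named cookie. */
    private static Cookie expiredCookie(final String name, final String path) {
        final Cookie cookie = new Cookie(name, "");
        cookie.setMaxAge(0);
        cookie.setPath(path);
        return cookie;
    }

    /** Cookie path: the configured {@code cookie_context}, else the request's context path. */
    private String cookiePath(final HttpServletRequest req) {
        return Utils.isNullOrEmpty(cookieContext) ? req.getContextPath() : cookieContext;
    }

    /** Marks a cookie as HTTPS-only and unreadable from script. */
    private static void hardenCookie(final Cookie cookie) {
        cookie.setSecure(true);
        cookie.setHttpOnly(true);
    }

    /** @return the configured {@code client_id} */
    public String getClientId() {
        return clientId;
    }

    /** @return the configured {@code client_secret} */
    public String getClientSecret() {
        return clientSecret;
    }

    /**
     * Reads the encoded token set from the request cookies.
     *
     * <p>When the age cookie is present it is decrypted and compared with the requesting address;
     * a mismatch is an {@link AuthException}. Note that the ID cookie value is still returned when
     * no age cookie accompanies it at all (the loop falls through to the final return); whether that
     * is intended should be confirmed.
     *
     * @return the raw ID cookie value, or {@code null} when the request has no cookies or no ID
     *     cookie
     * @throws AuthException when the age cookie was bound to a different remote address
     */
    private String getIdToken(final HttpServletRequest req) throws GeneralSecurityException, IOException {
        final Cookie[] cookies = req.getCookies();
        if (cookies == null) {
            return null;
        }
        String idCookieValue = null;
        boolean addressVerified = false;
        for (final Cookie cookie : cookies) {
            final String name = cookie.getName();
            if (NET_TRAJANO_AUTH_ID.equals(name) && !Utils.isNullOrEmpty(cookie.getValue())) {
                idCookieValue = cookie.getValue();
            } else if (NET_TRAJANO_AUTH_AGE.equals(name)) {
                final String remoteAddr = req.getRemoteAddr();
                final String boundAddr = new String(CipherUtil.decrypt(Base64.decode(cookie.getValue()), secret), StandardCharsets.US_ASCII);
                if (!remoteAddr.equals(boundAddr)) {
                    throw new AuthException(MessageFormat.format(R.getString("ipaddressMismatch"), remoteAddr, boundAddr));
                }
                addressVerified = true;
            }
            if (idCookieValue != null && addressVerified) {
                return idCookieValue;
            }
        }
        return idCookieValue;
    }

    /**
     * Supplies the provider configuration (issuer, authorization/token/userinfo endpoints, JWKS URI)
     * for the current request.
     *
     * @param httpServletRequest the request being authenticated
     * @param client REST client to use for any discovery call
     * @param map the module options given to {@link #initialize}
     * @throws AuthException when the configuration cannot be obtained
     */
    protected abstract OpenIDProviderConfiguration getOpenIDProviderConfig(HttpServletRequest httpServletRequest, Client client, Map<String, String> map) throws AuthException;

    /**
     * Resolves the configured {@code redirection_endpoint} against the URL of the current request.
     */
    public URI getRedirectionEndpointUri(final HttpServletRequest httpServletRequest) {
        return URI.create(httpServletRequest.getRequestURL().toString()).resolve(redirectionEndpointUri);
    }

    /**
     * @return the value of a module option that must be present
     * @throws AuthException when the option is absent
     */
    private String getRequiredOption(final String key) throws AuthException {
        final String value = moduleOptions.get(key);
        if (value != null) {
            return value;
        }
        LOG.log(Level.SEVERE, "missingOption", key);
        throw new AuthException(MessageFormat.format(R.getString("missingOption"), key));
    }

    /** @return the JAX-RS client used for provider calls */
    public Client getRestClient() {
        return restClient;
    }

    /** This module handles servlet request/response pairs only. */
    @Override
    public Class[] getSupportedMessageTypes() {
        return new Class[]{HttpServletRequest.class, HttpServletResponse.class};
    }

    /**
     * Exchanges the authorization {@code code} on the callback request for a token set.
     *
     * <p>Client authentication is first attempted with HTTP Basic; if the token endpoint answers
     * 400 the exchange is retried with {@code client_id}/{@code client_secret} in the form body,
     * which is the alternative client-authentication method some providers require.
     *
     * @throws IOException propagated from the REST call
     */
    protected OAuthToken getToken(final HttpServletRequest httpServletRequest, final OpenIDProviderConfiguration openIDProviderConfiguration) throws IOException {
        final MultivaluedHashMap<String, String> form = new MultivaluedHashMap<>();
        form.putSingle(OAuthParameters.CODE, httpServletRequest.getParameter(OAuthParameters.CODE));
        form.putSingle(OAuthParameters.GRANT_TYPE, "authorization_code");
        form.putSingle(OAuthParameters.REDIRECT_URI, getRedirectionEndpointUri(httpServletRequest).toASCIIString());
        try {
            final String basicCredentials = Base64.encode((clientId + ":" + clientSecret).getBytes(StandardCharsets.UTF_8));
            final OAuthToken token = restClient.target(openIDProviderConfiguration.getTokenEndpoint())
                .request(MediaType.APPLICATION_JSON_TYPE)
                .header("Authorization", "Basic " + basicCredentials)
                .post(Entity.form(form), OAuthToken.class);
            return logTokenResponse(token);
        } catch (final BadRequestException e) {
            // Deliberate fallback, not an error: retry with credentials in the body.
            form.putSingle(CLIENT_ID_KEY, clientId);
            form.putSingle(CLIENT_SECRET_KEY, clientSecret);
            final OAuthToken token = restClient.target(openIDProviderConfiguration.getTokenEndpoint())
                .request(MediaType.APPLICATION_JSON_TYPE)
                .post(Entity.form(form), OAuthToken.class);
            return logTokenResponse(token);
        }
    }

    /** Logs the token response at FINEST (it contains the raw tokens) and passes it through. */
    private static OAuthToken logTokenResponse(final OAuthToken token) {
        if (LOG.isLoggable(Level.FINEST)) {
            LOG.finest("authorization token response =  " + token);
        }
        return token;
    }

    /** Fetches the provider's JSON Web Key Set from its JWKS URI. */
    protected JsonWebKeySet getWebKeys(final Map<String, String> map, final OpenIDProviderConfiguration openIDProviderConfiguration) throws GeneralSecurityException {
        final JsonObject jwks = restClient.target(openIDProviderConfiguration.getJwksUri())
            .request(MediaType.APPLICATION_JSON_TYPE)
            .get(JsonObject.class);
        return new JsonWebKeySet(jwks);
    }

    /**
     * Prefixes an issuer with {@code https://} when the scheme is missing, so token and configured
     * issuers compare equal regardless of how the provider spells it (the name suggests this was
     * needed for Google).
     */
    private String googleWorkaround(final String issuer) {
        return issuer.startsWith(HTTPS_PREFIX) ? issuer : HTTPS_PREFIX + issuer;
    }

    /**
     * Completes the authorization-code flow on the redirection endpoint.
     *
     * <p>Exchanges the code, extracts the ID token payload against the provider's key set, validates
     * it for this client and checks its issuer against the configuration, registers the principal,
     * writes the ID and age cookies, and redirects back to the application path carried in
     * {@code state}.
     *
     * @throws GeneralSecurityException on issuer mismatch, an invalid ID token, or a {@code state}
     *     that is not an application-relative path
     */
    private AuthStatus handleCallback(final HttpServletRequest req, final HttpServletResponse resp, final Subject subject) throws GeneralSecurityException, IOException {
        final OpenIDProviderConfiguration providerConfig = getOpenIDProviderConfig(req, restClient, moduleOptions);
        final OAuthToken token = getToken(req, providerConfig);
        final JsonWebKeySet webKeys = getWebKeys(moduleOptions, providerConfig);
        LOG.log(Level.FINEST, "tokenValue", token);
        // getJwsPayload is expected to check the JWS signature against the key set before returning
        // the payload — confirm in Utils; the issuer/audience checks below do not replace that.
        final JsonObject idToken = Json.createReader(new ByteArrayInputStream(Utils.getJwsPayload(token.getIdToken(), webKeys))).readObject();
        Utils.validateIdToken(clientId, idToken);
        final String tokenIssuer = googleWorkaround(idToken.getString("iss"));
        final String configuredIssuer = googleWorkaround(providerConfig.getIssuer());
        if (!tokenIssuer.equals(configuredIssuer)) {
            LOG.log(Level.SEVERE, "issuerMismatch", new Object[]{tokenIssuer, configuredIssuer});
            throw new GeneralSecurityException(MessageFormat.format(R.getString("issuerMismatch"), tokenIssuer, configuredIssuer));
        }
        updateSubjectPrincipal(subject, idToken);
        final TokenCookie tokenCookie = buildTokenCookie(providerConfig, token, idToken);
        final String path = cookiePath(req);

        final Cookie idCookie = new Cookie(NET_TRAJANO_AUTH_ID, tokenCookie.toCookieValue(clientId, clientSecret));
        idCookie.setMaxAge(-1); // session cookie
        idCookie.setPath(path);
        hardenCookie(idCookie);
        resp.addCookie(idCookie);

        // Binds the session to the requesting address; verified again on every request in getIdToken.
        final byte[] boundAddress = CipherUtil.encrypt(req.getRemoteAddr().getBytes(StandardCharsets.US_ASCII), secret);
        final Cookie ageCookie = new Cookie(NET_TRAJANO_AUTH_AGE, Base64.encodeWithoutPadding(boundAddress));
        ageCookie.setMaxAge(ageCookieMaxAge(req.getParameter(OAuthParameters.EXPIRES_IN)));
        ageCookie.setPath(path);
        hardenCookie(ageCookie); // both cookies are secure now; previously only the ID cookie was
        resp.addCookie(ageCookie);

        final String returnTo = req.getContextPath() + applicationPathFromState(req.getParameter(OAuthParameters.STATE));
        resp.sendRedirect(resp.encodeRedirectURL(returnTo));
        return AuthStatus.SEND_SUCCESS;
    }

    /**
     * Builds the cookie payload: the ID token alone, or, when the {@code profile} scope was requested
     * and the provider has a userinfo endpoint, the tokens plus the fetched user info. A failed
     * userinfo call degrades to the ID-token-only form with a warning.
     */
    private TokenCookie buildTokenCookie(final OpenIDProviderConfiguration providerConfig, final OAuthToken token, final JsonObject idToken) {
        if (providerConfig.getUserinfoEndpoint() == null || !PROFILE_SCOPE.matcher(scope).find()) {
            return new TokenCookie(idToken);
        }
        final Response response = restClient.target(providerConfig.getUserinfoEndpoint())
            .request(MediaType.APPLICATION_JSON_TYPE)
            .header("Authorization", token.getTokenType() + " " + token.getAccessToken())
            .get();
        try {
            if (response.getStatus() == 200) {
                return new TokenCookie(token.getAccessToken(), token.getRefreshToken(), idToken, response.readEntity(JsonObject.class));
            }
            LOG.log(Level.WARNING, "unableToGetProfile");
            return new TokenCookie(idToken);
        } finally {
            response.close(); // releases the connection on the non-200 path; idempotent after readEntity
        }
    }

    /**
     * Max-age for the age cookie from the callback's {@code expires_in} parameter, falling back to
     * {@link #DEFAULT_AGE_COOKIE_MAX_AGE} when it is absent or not an integer. The parameter comes
     * from the request, so a malformed value must not abort the callback.
     */
    private static int ageCookieMaxAge(final String expiresIn) {
        if (Utils.isNullOrEmpty(expiresIn)) {
            return DEFAULT_AGE_COOKIE_MAX_AGE;
        }
        try {
            return Integer.parseInt(expiresIn);
        } catch (final NumberFormatException e) {
            LOG.log(Level.FINE, "ignoring non-numeric expires_in on callback", e);
            return DEFAULT_AGE_COOKIE_MAX_AGE;
        }
    }

    /**
     * Decodes the {@code state} round-tripped through the provider back into the application-relative
     * path it was built from in {@link #redirectToAuthorizationEndpoint} (same UTF-8 encoding).
     *
     * <p>The value arrives on the callback request and is untrusted, so anything other than an empty
     * path or a path starting with a single {@code /} is rejected; otherwise the post-login redirect
     * could be pointed outside this application.
     *
     * @throws GeneralSecurityException when the decoded value is not an application-relative path
     */
    private static String applicationPathFromState(final String state) throws GeneralSecurityException {
        final String path = new String(Base64.decode(state), StandardCharsets.UTF_8);
        final boolean applicationRelative = path.isEmpty()
            || (path.startsWith("/") && !path.startsWith("//") && !path.startsWith("/\\"));
        if (!applicationRelative) {
            throw new GeneralSecurityException("state does not decode to an application-relative path");
        }
        return path;
    }

    /**
     * Reads the module options. {@code client_id}, {@code client_secret} and
     * {@code redirection_endpoint} are required; {@code scope} defaults to {@code openid}.
     *
     * @throws AuthException wrapping any failure, including a missing required option
     */
    @Override
    @SuppressWarnings("unchecked")
    public void initialize(final MessagePolicy messagePolicy, final MessagePolicy messagePolicy2, final CallbackHandler callbackHandler, final Map map) throws AuthException {
        try {
            moduleOptions = map;
            clientId = getRequiredOption(CLIENT_ID_KEY);
            cookieContext = moduleOptions.get(COOKIE_CONTEXT_KEY);
            redirectionEndpointUri = getRequiredOption(REDIRECTION_ENDPOINT_URI_KEY);
            tokenUri = moduleOptions.get(TOKEN_URI_KEY);
            userInfoUri = moduleOptions.get(USERINFO_URI_KEY);
            logoutUri = moduleOptions.get(LOGOUT_URI_KEY);
            logoutGotoUri = moduleOptions.get(LOGOUT_GOTO_URI_KEY);
            scope = moduleOptions.get(SCOPE_KEY);
            if (Utils.isNullOrEmpty(scope)) {
                scope = "openid";
            }
            clientSecret = getRequiredOption(CLIENT_SECRET_KEY);
            // Log the configuration without the client secret.
            final Map<String, String> loggedOptions = new HashMap<>(moduleOptions);
            loggedOptions.put(CLIENT_SECRET_KEY, "<redacted>");
            LOGCONFIG.log(Level.CONFIG, "options", loggedOptions);
            handler = callbackHandler;
            mandatory = messagePolicy.isMandatory();
            secret = CipherUtil.buildSecretKey(clientId, clientSecret);
        } catch (final Exception e) {
            LOG.log(Level.SEVERE, "initializeException", e);
            final AuthException wrapped = new AuthException(MessageFormat.format(R.getString("initializeException"), e.getMessage()));
            wrapped.initCause(e);
            throw wrapped;
        }
    }

    /**
     * Whether the request is the provider's callback: a retrieval request to the configured
     * redirection endpoint carrying both {@code code} and {@code state}.
     *
     * <p>Note the comparison is against the raw request URI, so {@code redirection_endpoint} must be
     * configured as the full path (context path included).
     */
    public boolean isCallback(final HttpServletRequest httpServletRequest) {
        return redirectionEndpointUri.equals(httpServletRequest.getRequestURI())
            && Utils.isRetrievalRequest(httpServletRequest)
            && !Utils.isNullOrEmpty(httpServletRequest.getParameter(OAuthParameters.CODE))
            && !Utils.isNullOrEmpty(httpServletRequest.getParameter(OAuthParameters.STATE));
    }

    /**
     * Authenticates the request from its cookies: decodes the token set, validates the ID token,
     * registers the principal and exposes the tokens as request attributes.
     *
     * @return the decoded token set, or {@code null} when there is no cookie or it is invalid
     *     (including an address mismatch) — never a hard failure; the caller decides whether to
     *     redirect to the provider
     */
    private TokenCookie processTokenCookie(final Subject subject, final HttpServletRequest req) {
        try {
            final String idCookieValue = getIdToken(req);
            if (idCookieValue == null) {
                return null;
            }
            final TokenCookie tokenCookie = new TokenCookie(idCookieValue, secret);
            Utils.validateIdToken(clientId, tokenCookie.getIdToken());
            updateSubjectPrincipal(subject, tokenCookie.getIdToken());
            req.setAttribute(ACCESS_TOKEN_KEY, tokenCookie.getAccessToken());
            req.setAttribute(REFRESH_TOKEN_KEY, tokenCookie.getRefreshToken());
            req.setAttribute(ID_TOKEN_KEY, tokenCookie.getIdToken());
            if (tokenCookie.getUserInfo() != null) {
                req.setAttribute(USERINFO_KEY, tokenCookie.getUserInfo());
            }
            return tokenCookie;
        } catch (final IOException | GeneralSecurityException e) {
            LOG.log(Level.FINE, "invalidToken", e.getMessage());
            LOG.throwing(getClass().getName(), "processTokenCookie", e);
            return null;
        }
    }

    /**
     * Clears any stale authentication cookies and redirects to the provider's authorization
     * endpoint, carrying the application-relative path (plus query string) of the current request
     * in {@code state} so the callback can return to it.
     *
     * @param reason logged only
     * @throws AuthException when the redirect cannot be sent
     */
    private AuthStatus redirectToAuthorizationEndpoint(final HttpServletRequest req, final HttpServletResponse resp, final String reason) throws AuthException {
        LOG.log(Level.FINE, "redirecting", new Object[]{reason});
        URI authorizationUri = null;
        try {
            final OpenIDProviderConfiguration providerConfig = getOpenIDProviderConfig(req, restClient, moduleOptions);
            final StringBuilder returnPath = new StringBuilder(req.getRequestURI().substring(req.getContextPath().length()));
            if (req.getQueryString() != null) {
                returnPath.append('?').append(req.getQueryString());
            }
            authorizationUri = UriBuilder.fromUri(providerConfig.getAuthorizationEndpoint())
                .queryParam(CLIENT_ID_KEY, clientId)
                .queryParam(OAuthParameters.RESPONSE_TYPE, OAuthParameters.CODE)
                .queryParam(SCOPE_KEY, scope)
                .queryParam(OAuthParameters.REDIRECT_URI, getRedirectionEndpointUri(req))
                .queryParam(OAuthParameters.STATE, Base64.encodeWithoutPadding(returnPath.toString().getBytes(StandardCharsets.UTF_8)))
                .build();
            deleteAuthCookies(req, resp);
            resp.sendRedirect(authorizationUri.toASCIIString());
            return AuthStatus.SEND_CONTINUE;
        } catch (final IOException e) {
            LOG.log(Level.SEVERE, "sendRedirectException", new Object[]{authorizationUri, e.getMessage()});
            LOG.throwing(getClass().getName(), "redirectToAuthorizationEndpoint", e);
            throw new AuthException(MessageFormat.format(R.getString("sendRedirectException"), authorizationUri, e.getMessage()));
        }
    }

    /** Responses are never modified. */
    @Override
    public AuthStatus secureResponse(final MessageInfo messageInfo, final Subject subject) throws AuthException {
        return AuthStatus.SEND_SUCCESS;
    }

    /** Replaces the JAX-RS client used for provider calls (e.g. to inject one for tests). */
    public void setRestClient(final Client client) {
        restClient = client;
    }

    /**
     * Registers the caller principal and group through the container's callback handler. The
     * principal name is the issuer URI with {@code sub} as its user-info component; the single group
     * is the issuer.
     *
     * @throws AuthException when the handler fails or does not support the callbacks
     */
    private void updateSubjectPrincipal(final Subject subject, final JsonObject idToken) throws GeneralSecurityException {
        try {
            final String issuer = googleWorkaround(idToken.getString("iss"));
            final String principalName = UriBuilder.fromUri(issuer).userInfo(idToken.getString("sub")).build().toASCIIString();
            handler.handle(new Callback[]{
                new CallerPrincipalCallback(subject, principalName),
                new GroupPrincipalCallback(subject, new String[]{issuer})});
        } catch (final IOException | UnsupportedCallbackException e) {
            LOG.log(Level.SEVERE, "updatePrincipalException", e.getMessage());
            LOG.throwing(getClass().getName(), "updateSubjectPrincipal", e);
            throw new AuthException(MessageFormat.format(R.getString("updatePrincipalException"), e.getMessage()));
        }
    }

    /** Whether the request is an HTTPS GET for exactly the given URI ({@code null} never matches). */
    private static boolean isSecureGet(final HttpServletRequest req, final String uri) {
        return req.isSecure() && Utils.isGetRequest(req) && req.getRequestURI().equals(uri);
    }

    /**
     * Dispatches the request: module-served endpoints for authenticated callers first, then the
     * HTTPS requirement, the provider callback, pass-through for authenticated or non-mandatory
     * requests, and finally a redirect to the provider (or 403 for non-retrieval requests).
     *
     * <p>Any exception — including one thrown while handling the callback — results in a fresh
     * redirect to the authorization endpoint.
     */
    @Override
    public AuthStatus validateRequest(final MessageInfo messageInfo, final Subject subject, final Subject subject2) throws AuthException {
        final HttpServletRequest req = (HttpServletRequest) messageInfo.getRequestMessage();
        final HttpServletResponse resp = (HttpServletResponse) messageInfo.getResponseMessage();
        try {
            final TokenCookie tokenCookie = processTokenCookie(subject, req);
            final boolean authenticated = tokenCookie != null;
            if (authenticated && isSecureGet(req, tokenUri)) {
                resp.setContentType("application/json");
                resp.getWriter().print(tokenCookie.getIdToken());
                return AuthStatus.SEND_SUCCESS;
            }
            if (authenticated && isSecureGet(req, userInfoUri)) {
                resp.setContentType("application/json");
                resp.getWriter().print(tokenCookie.getUserInfo());
                return AuthStatus.SEND_SUCCESS;
            }
            if (authenticated && isSecureGet(req, logoutUri)) {
                deleteAuthCookies(req, resp);
                // Context path, not the ServletContext object (whose toString is not a URL).
                resp.sendRedirect(logoutGotoUri == null ? req.getContextPath() + "/" : logoutGotoUri);
                return AuthStatus.SEND_SUCCESS;
            }
            if (!req.isSecure()) {
                if (!mandatory) {
                    return AuthStatus.SUCCESS;
                }
                resp.sendError(403, R.getString("SSLReq"));
                return AuthStatus.SEND_FAILURE;
            }
            // Everything below is over HTTPS.
            if (isCallback(req)) {
                return handleCallback(req, resp, subject);
            }
            if (!mandatory || (authenticated && !tokenCookie.isExpired())) {
                return AuthStatus.SUCCESS;
            }
            if (Utils.isHeadRequest(req) && (req.getRequestURI().equals(tokenUri) || req.getRequestURI().equals(userInfoUri))) {
                resp.setContentType("application/json");
                return AuthStatus.SEND_SUCCESS;
            }
            if (Utils.isRetrievalRequest(req)) {
                return redirectToAuthorizationEndpoint(req, resp, "request is not valid");
            }
            resp.sendError(403, "Unable to POST when unauthorized.");
            return AuthStatus.SEND_FAILURE;
        } catch (final Exception e) {
            LOG.log(Level.FINE, "validationException", e.getMessage());
            LOG.throwing(getClass().getName(), "validateRequest", e);
            return redirectToAuthorizationEndpoint(req, resp, e.getMessage());
        }
    }
}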
