package net.trajano.ms.oidc.internal;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObject;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.crypto.RSADecrypter;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jwt.JWTClaimsSet;
import io.swagger.annotations.Api;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URI;
import java.text.ParseException;
import java.time.Instant;
import javax.ws.rs.BadRequestException;
import javax.ws.rs.GET;
import javax.ws.rs.InternalServerErrorException;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.client.Entity;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Form;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import net.trajano.ms.common.beans.JwksProvider;
import net.trajano.ms.common.beans.TokenGenerator;
import net.trajano.ms.common.oauth.GrantTypes;
import net.trajano.ms.oidc.OpenIdConfiguration;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.cache.Cache;
import org.springframework.stereotype.Component;

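@Api
@Path("/oidc")
@Component
/* loaded from: input_file:BOOT-INF/classes/net/trajano/ms/oidc/internal/OpenIdConnectResource.class */
/**
 * OpenID Connect relying-party endpoints.
 *
 * <p>{@code /auth} and {@code /auth-uri} build the authentication request for a configured
 * issuer and record a fresh nonce (mapped to the issuer id) in {@code nonceCache}.
 * {@code /cb/{issuer_id}} exchanges the returned code for tokens, decrypts and
 * signature-verifies the ID token, checks its audience, issuer, expiry and nonce, evicts the
 * nonce so it cannot be replayed, and returns the subject.
 */
public class OpenIdConnectResource {

    /** Connect timeout for fetching the issuer's JWKS, in milliseconds. */
    private static final int JWKS_CONNECT_TIMEOUT_MS = 5000;

    /** Read timeout for fetching the issuer's JWKS, in milliseconds. */
    private static final int JWKS_READ_TIMEOUT_MS = 5000;

    /** Upper bound on the JWKS document size so a misbehaving issuer cannot exhaust memory. */
    private static final int JWKS_SIZE_LIMIT_BYTES = 50 * 1024;

    @Autowired
    private ClientBuilder cb;

    @Autowired
    private JwksProvider jwksProvider;

    // Maps nonce -> issuer_id; entries are written by generateNonce and consumed once by callback.
    @Autowired
    @Qualifier("nonce")
    private Cache nonceCache;

    @Autowired
    private ServiceConfiguration serviceConfiguration;

    @Autowired
    private TokenGenerator tokenGenerator;

    /**
     * Redirects the browser to the issuer's authentication endpoint.
     *
     * @param str OAuth {@code state} forwarded to the issuer
     * @param str2 issuer id selecting the {@link IssuerConfig}
     * @param uriInfo request URI context
     * @return a 307 response whose {@code Location} is the authentication request URI
     * @throws BadRequestException if the issuer id is missing or unknown
     */
    @GET
    @Path("/auth")
    public Response auth(@QueryParam("state") String str, @QueryParam("issuer_id") String str2, @Context UriInfo uriInfo) {
        return Response.ok().status(Response.Status.TEMPORARY_REDIRECT).header("Location", authUri(str, str2, uriInfo)).build();
    }

    /**
     * Builds the authentication request URI for an issuer and registers a single-use nonce.
     *
     * @param str OAuth {@code state} forwarded to the issuer
     * @param str2 issuer id selecting the {@link IssuerConfig}
     * @param uriInfo request URI context
     * @return the authentication request URI
     * @throws BadRequestException if the issuer id is missing or unknown
     */
    @GET
    @Produces({"text/plain"})
    @Path("/auth-uri")
    public URI authUri(@QueryParam("state") String str, @QueryParam("issuer_id") String str2, @Context UriInfo uriInfo) {
        if (str2 == null) {
            throw new BadRequestException("Missing issuer_id");
        }
        IssuerConfig issuerConfig = this.serviceConfiguration.getIssuerConfig(str2);
        if (issuerConfig == null) {
            throw new BadRequestException("Invalid issuer_id");
        }
        // The redirect URI carries the issuer id as its last path segment so the callback can find the config.
        URI redirectUri = UriBuilder.fromUri(this.serviceConfiguration.getRedirectUri()).path(str2).build(new Object[0]);
        return issuerConfig.buildAuthenticationRequestUri(redirectUri, str, generateNonce(str2));
    }

    /**
     * Authorization-code callback: exchanges the code, validates the ID token and returns its subject.
     *
     * @param str the {@code code} returned by the issuer
     * @param str2 issuer id from the redirect URI path
     * @return 200 with the token subject as the entity
     * @throws BadRequestException if {@code code} or the issuer id is missing, or the issuer is unknown
     * @throws NotAuthorizedException if the ID token is unsigned, signed by an unknown key, fails
     *     verification or has expired
     * @throws InternalServerErrorException if audience, issuer or nonce do not match what this
     *     service expects
     * @throws IOException if the JWKS cannot be fetched
     * @throws ParseException if the token or its claims cannot be parsed
     * @throws JOSEException if decryption or verification cannot be performed
     */
    @GET
    @Produces({"application/json"})
    @Path("/cb/{issuer_id}")
    public Response callback(@QueryParam("code") String str, @PathParam("issuer_id") String str2) throws MalformedURLException, IOException, ParseException, JOSEException {
        if (str2 == null) {
            throw new BadRequestException("Missing issuer_id");
        }
        if (str == null || str.isEmpty()) {
            throw new BadRequestException("Missing code");
        }
        IssuerConfig issuerConfig = this.serviceConfiguration.getIssuerConfig(str2);
        if (issuerConfig == null) {
            throw new BadRequestException("Invalid issuer_id");
        }
        OpenIdConfiguration openIdConfiguration = issuerConfig.getOpenIdConfiguration();
        OpenIdToken openIdToken = exchangeCode(issuerConfig, openIdConfiguration, str, str2);
        // Bounded fetch: a slow or oversized JWKS response must not hang or exhaust the service.
        JWKSet jwks = JWKSet.load(openIdConfiguration.getJwksUri().toURL(), JWKS_CONNECT_TIMEOUT_MS, JWKS_READ_TIMEOUT_MS, JWKS_SIZE_LIMIT_BYTES);
        JWTClaimsSet claims = verifiedClaims(openIdToken.getIdToken(), jwks);
        validateClaims(claims, issuerConfig, openIdConfiguration, str2);
        return Response.ok(claims.getSubject()).build();
    }

    /** Posts the authorization code to the issuer's token endpoint; the JAX-RS client is closed afterwards. */
    private OpenIdToken exchangeCode(IssuerConfig issuerConfig, OpenIdConfiguration openIdConfiguration, String code, String issuerId) {
        URI redirectUri = UriBuilder.fromUri(this.serviceConfiguration.getRedirectUri()).path(issuerId).build(new Object[0]);
        Form form = new Form();
        form.param("redirect_uri", redirectUri.toASCIIString());
        form.param("grant_type", GrantTypes.AUTHORIZATION_CODE);
        form.param("code", code);
        Client client = this.cb.build();
        try {
            return client.target(openIdConfiguration.getTokenEndpoint())
                .request("application/json")
                .header("Authorization", issuerConfig.buildAuthorization())
                .buildPost(Entity.form(form))
                .invoke(OpenIdToken.class);
        } finally {
            // Client is not AutoCloseable in every JAX-RS version, so release it explicitly.
            client.close();
        }
    }

    /**
     * Unwraps the ID token (decrypting a JWE with this service's key if needed) and returns its
     * claims only after the inner JWS has been verified against the issuer's JWKS.
     */
    private JWTClaimsSet verifiedClaims(String idToken, JWKSet jwks) throws ParseException, JOSEException {
        if (idToken == null) {
            throw new NotAuthorizedException("missing id_token", "JWT", new Object[0]);
        }
        JOSEObject jose = JOSEObject.parse(idToken);
        if (jose instanceof JWEObject) {
            JWEObject jwe = (JWEObject) jose;
            jwe.decrypt(new RSADecrypter(this.jwksProvider.getDecryptionKey(jwe.getHeader().getKeyID())));
            jose = JOSEObject.parse(jwe.getPayload().toString());
        }
        if (!(jose instanceof JWSObject)) {
            // Anything that is not a JWS (e.g. an unsecured JWT) carries no proof of origin.
            throw new NotAuthorizedException("id_token is not signed", "JWT", new Object[0]);
        }
        JWSObject jws = (JWSObject) jose;
        JWK signingKey = jwks.getKeyByKeyId(jws.getHeader().getKeyID());
        if (!(signingKey instanceof RSAKey)) {
            // Unknown kid or a non-RSA key: previously this was a NullPointer/ClassCastException (500).
            throw new NotAuthorizedException("unknown signing key", "JWT", new Object[0]);
        }
        if (!jws.verify(new RSASSAVerifier(((RSAKey) signingKey).toRSAPublicKey()))) {
            throw new NotAuthorizedException("verification failed", "JWT", new Object[0]);
        }
        return JWTClaimsSet.parse(jws.getPayload().toString());
    }

    /** Checks audience, issuer, expiry and the single-use nonce, evicting the nonce on success. */
    private void validateClaims(JWTClaimsSet claims, IssuerConfig issuerConfig, OpenIdConfiguration openIdConfiguration, String issuerId) throws ParseException {
        if (claims.getAudience() == null || !claims.getAudience().contains(issuerConfig.getClientId())) {
            throw new InternalServerErrorException("client_id mismatch from IP");
        }
        if (claims.getIssuer() == null || !claims.getIssuer().equals(openIdConfiguration.getIssuer())) {
            throw new InternalServerErrorException("issuer mismatch from IP");
        }
        // A token with no exp, or one already past it, must not mint a session.
        if (claims.getExpirationTime() == null || claims.getExpirationTime().toInstant().isBefore(Instant.now())) {
            throw new NotAuthorizedException("id_token expired", "JWT", new Object[0]);
        }
        String nonce = claims.getStringClaim("nonce");
        // The nonce must be one this service issued for the same issuer_id (see generateNonce).
        if (nonce == null || !issuerId.equals(this.nonceCache.get(nonce, String.class))) {
            throw new InternalServerErrorException("invalid nonce");
        }
        // NOTE(review): get-then-evict is not atomic; two concurrent callbacks with the same nonce
        // could both pass. Confirm whether the configured Cache offers an atomic remove.
        this.nonceCache.evict(nonce);
    }

    /** Creates a random nonce and records which issuer it was minted for. */
    private String generateNonce(String str) {
        String newToken = this.tokenGenerator.newToken();
        this.nonceCache.putIfAbsent(newToken, str);
        return newToken;
    }
}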
