package net.trajano.ms.oidc;

import com.google.gson.JsonObject;
import io.swagger.annotations.Api;
import java.net.URI;
import javax.annotation.PostConstruct;
import javax.annotation.security.PermitAll;
import javax.ws.rs.BadRequestException;
import javax.ws.rs.Consumes;
import javax.ws.rs.FormParam;
import javax.ws.rs.GET;
import javax.ws.rs.HeaderParam;
import javax.ws.rs.InternalServerErrorException;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.Entity;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Form;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import net.trajano.ms.auth.token.GrantTypes;
import net.trajano.ms.auth.token.IdTokenResponse;
import net.trajano.ms.auth.token.OAuthTokenResponse;
import net.trajano.ms.core.CryptoOps;
import net.trajano.ms.core.ErrorCodes;
import net.trajano.ms.oidc.internal.AuthenticationUriBuilder;
import net.trajano.ms.oidc.internal.HazelcastConfiguration;
import net.trajano.ms.oidc.internal.ServerState;
import net.trajano.ms.oidc.spi.IssuerConfig;
import net.trajano.ms.oidc.spi.ServiceConfiguration;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.ReservedClaimNames;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.cache.Cache;
import org.springframework.cache.CacheManager;
import org.springframework.stereotype.Component;

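/**
 * JAX-RS resource implementing the relying-party side of an OpenID Connect
 * authorization-code login and the hand-off of the resulting tokens to the
 * calling client.
 * <p>
 * Flow as visible in this class: a client obtains an IdP authentication URI
 * from {@code /auth/{issuer_id}}, {@code /auth-uri/{issuer_id}} or
 * {@code /auth-info/{issuer_id}}; the IdP later redirects the browser to
 * {@code /cb/{issuer_id}} with a {@code code} and the server-generated
 * {@code state}; the callback exchanges the code for an ID token at the IdP,
 * checks its nonce against the cached {@link ServerState}, re-signs the claims
 * as a JWT assertion for the local authorization endpoint and finally
 * redirects the browser to the issuer's configured redirect URI with the
 * tokens in the URL fragment.
 * <p>
 * The whole resource is {@code @PermitAll}; the callback relies on the
 * {@code state} cache key (and whatever the cached {@link ServerState}
 * carries) to tie the IdP response back to the originating request. No
 * user-agent (cookie) binding is visible in this class — NOTE(review):
 * confirm in {@link AuthenticationUriBuilder} that {@code state} is generated
 * from a cryptographically strong random source and is not guessable.
 */
@Api
@Path("/oidc")
@PermitAll
@Component
/* loaded from: input_file:BOOT-INF/lib/ms-oidc-1.0.0.jar:net/trajano/ms/oidc/OpenIdConnectResource.class */
public class OpenIdConnectResource {

    /** Builds the IdP authentication URI and (presumably) stores the matching {@link ServerState}. */
    @Autowired
    private AuthenticationUriBuilder authenticationUriBuilder;

    /** Local authorization endpoint that accepts the re-signed JWT assertion. */
    @Value("${authorization.endpoint}")
    private URI authorizationEndpoint;

    /** JAX-RS client used for the back-channel calls to the IdP and the authorization endpoint. */
    @Context
    private Client client;

    @Autowired
    private CacheManager cm;

    /** Verifies the IdP's ID token against its JWKS and signs the outgoing assertion. */
    @Autowired
    private CryptoOps cryptoOps;

    /** Cache of per-login {@link ServerState}, keyed by the {@code state} value; resolved in {@link #init()}. */
    private Cache serverStateCache;

    @Autowired
    private ServiceConfiguration serviceConfiguration;

    /**
     * Form-post entry point: computes the IdP authentication URI and answers
     * with a 303 redirect to it.
     *
     * @param str  client-supplied {@code state} (form field), passed through to the URI builder
     * @param str2 issuer identifier from the path
     * @param str3 raw {@code Authorization} header of the caller, passed through to the URI builder
     * @return a {@code 303 See Other} response pointing at the IdP
     */
    @POST
    @Path("/auth/{issuer_id}")
    @Consumes({"application/x-www-form-urlencoded"})
    public Response auth(@FormParam("state") String str, @PathParam("issuer_id") String str2, @HeaderParam("Authorization") String str3) {
        return Response.seeOther(authUri(str, str2, str3)).build();
    }

    /**
     * Returns the IdP authentication URI as plain text.
     *
     * @param str  client-supplied {@code state} query parameter
     * @param str2 issuer identifier from the path
     * @param str3 raw {@code Authorization} header of the caller
     * @return the URI the browser should be sent to; validation of the
     *         parameters happens inside {@link AuthenticationUriBuilder#build}
     */
    @GET
    @Produces({"text/plain"})
    @Path("/auth-uri/{issuer_id}")
    public URI authUri(@QueryParam("state") String str, @PathParam("issuer_id") String str2, @HeaderParam("Authorization") String str3) {
        return this.authenticationUriBuilder.build(str, str2, str3, new JwtClaims());
    }

    /**
     * Same as {@link #authUri} but wrapped as {@code {"uri": "..."}} for
     * JSON clients.
     */
    @GET
    @Produces({"application/json"})
    @Path("/auth-info/{issuer_id}")
    public JsonObject authUriJson(@QueryParam("state") String str, @PathParam("issuer_id") String str2, @HeaderParam("Authorization") String str3) {
        JsonObject jsonObject = new JsonObject();
        jsonObject.addProperty("uri", authUri(str, str2, str3).toASCIIString());
        return jsonObject;
    }

    /**
     * Authorization-code callback from the identity provider.
     * <p>
     * Steps: validate the request parameters, consume (look up and evict) the
     * cached {@link ServerState} so a callback URL cannot be replayed, exchange
     * the code for an ID token, check the ID token nonce against the cached
     * one, merge the additional claims recorded at login time, exchange the
     * re-signed claims for tokens at the local authorization endpoint, and
     * redirect the browser to the issuer's redirect URI with the tokens in the
     * fragment.
     *
     * @param str  {@code code} issued by the IdP; absent when the IdP reports an error instead
     * @param str2 {@code state} value, used as the cache key for the server state
     * @param str3 issuer identifier from the path
     * @return a {@code 307} redirect carrying {@code state}, {@code access_token},
     *         {@code refresh_token}, {@code token_type} and, when the token expires,
     *         {@code expires_in} in the URL fragment
     * @throws MalformedClaimException if the ID token's {@code nonce} claim is not a string
     */
    @GET
    @Path("/cb/{issuer_id}")
    public Response callback(@QueryParam("code") String str, @QueryParam("state") String str2, @PathParam("issuer_id") String str3) throws MalformedClaimException {
        if (str3 == null) {
            throw OAuthTokenResponse.badRequest(ErrorCodes.INVALID_REQUEST, "Missing issuer_id");
        }
        IssuerConfig issuerConfig = this.serviceConfiguration.getIssuerConfig(str3);
        if (issuerConfig == null) {
            throw OAuthTokenResponse.badRequest(ErrorCodes.INVALID_REQUEST, "Invalid issuer_id");
        }
        // A null cache key would blow up inside the cache lookup as a 500; reject it as a client error.
        if (str2 == null) {
            throw OAuthTokenResponse.badRequest(ErrorCodes.INVALID_REQUEST, "Missing state");
        }
        // When authorization fails the IdP redirects back with error/error_description and no code;
        // without a code the token request below cannot succeed, so fail early and clearly.
        if (str == null) {
            throw OAuthTokenResponse.badRequest(ErrorCodes.INVALID_REQUEST, "Missing code");
        }
        ServerState serverState = consumeServerState(str2);
        if (serverState == null) {
            throw OAuthTokenResponse.badRequest(ErrorCodes.INVALID_REQUEST, "Invalid state");
        }
        JwtClaims claimsSet = exchangeCodeForIdTokenClaims(issuerConfig, str3, str);
        // The nonce ties this ID token to the login that created the server state. The cached nonce
        // must be present; a null on either side must not be treated as a match.
        String expectedNonce = serverState.getNonce();
        if (expectedNonce == null || !expectedNonce.equals(claimsSet.getStringClaimValue("nonce"))) {
            throw OAuthTokenResponse.internalServerError("nonce did not match");
        }
        mergeAdditionalClaims(serverState, claimsSet);
        OAuthTokenResponse oAuthTokenResponse = exchangeAssertionForTokens(issuerConfig, serverState, claimsSet);
        if (oAuthTokenResponse.isError()) {
            throw new BadRequestException(Response.status(Response.Status.BAD_REQUEST).entity(oAuthTokenResponse).build());
        }
        return Response.temporaryRedirect(clientRedirectUri(issuerConfig, serverState, oAuthTokenResponse)).build();
    }

    /**
     * Looks up the server state for a {@code state} key and evicts it so the
     * same callback cannot be processed twice (the entry would otherwise stay
     * usable until the cache expires it).
     *
     * @param stateKey the {@code state} query parameter, non-null
     * @return the cached state, or {@code null} if none is (or no longer is) cached
     */
    private ServerState consumeServerState(String stateKey) {
        ServerState serverState = this.serverStateCache.get(stateKey, ServerState.class);
        if (serverState != null) {
            // NOTE(review): assumes nothing else reads this entry after the callback — confirm.
            this.serverStateCache.evict(stateKey);
        }
        return serverState;
    }

    /**
     * Redeems the authorization code at the issuer's token endpoint and
     * returns the claims of the returned ID token.
     * <p>
     * {@link CryptoOps#toClaimsSet} is given the issuer's JWKS, so signature
     * verification is expected there; whether {@code iss}, {@code aud} and
     * {@code exp} are also checked is not visible from this class —
     * NOTE(review): confirm.
     *
     * @param issuerConfig configuration of the issuer (token endpoint, client credentials, JWKS)
     * @param issuerId     issuer path segment, appended to the configured redirect URI
     * @param code         authorization code from the callback
     * @return verified claims of the ID token
     */
    private JwtClaims exchangeCodeForIdTokenClaims(IssuerConfig issuerConfig, String issuerId, String code) {
        // redirect_uri must match what was sent in the authentication request, i.e. this callback path.
        URI redirectUri = UriBuilder.fromUri(this.serviceConfiguration.getRedirectUri()).path(issuerId).build();
        Form tokenRequest = new Form();
        tokenRequest.param("redirect_uri", redirectUri.toASCIIString());
        tokenRequest.param("grant_type", GrantTypes.AUTHORIZATION_CODE);
        tokenRequest.param("code", code);
        OpenIdConfiguration openIdConfiguration = issuerConfig.getOpenIdConfiguration();
        IdTokenResponse idTokenResponse = this.client.target(openIdConfiguration.getTokenEndpoint())
            .request("application/json")
            .header("Authorization", issuerConfig.buildAuthorization())
            .post(Entity.form(tokenRequest), IdTokenResponse.class);
        return this.cryptoOps.toClaimsSet(idTokenResponse.getIdToken(), openIdConfiguration.getHttpsJwks());
    }

    /**
     * Copies the additional claims captured at login time into the ID token
     * claims. A claim that the IdP already set is treated as a server error
     * rather than silently overwritten.
     *
     * @param serverState cached state carrying the additional claims
     * @param claimsSet   ID token claims to extend in place
     */
    private static void mergeAdditionalClaims(ServerState serverState, JwtClaims claimsSet) {
        serverState.getAdditionalClaims().getClaimsMap().forEach((claimName, claimValue) -> {
            if (claimsSet.hasClaim(claimName)) {
                throw new InternalServerErrorException("The claim " + claimName + " already exists from the IP");
            }
            claimsSet.setClaim(claimName, claimValue);
        });
    }

    /**
     * Signs the merged claims and exchanges them for tokens at the local
     * authorization endpoint using the client credentials cached in the
     * server state.
     *
     * @param issuerConfig issuer configuration; its client id becomes the assertion audience
     * @param serverState  cached state carrying the caller's client credentials
     * @param claimsSet    claims to sign as the JWT assertion
     * @return the authorization endpoint's response; check {@link OAuthTokenResponse#isError()}
     */
    private OAuthTokenResponse exchangeAssertionForTokens(IssuerConfig issuerConfig, ServerState serverState, JwtClaims claimsSet) {
        Form assertionRequest = new Form();
        assertionRequest.param("grant_type", GrantTypes.JWT_ASSERTION);
        assertionRequest.param("assertion", this.cryptoOps.sign(claimsSet));
        assertionRequest.param(ReservedClaimNames.AUDIENCE, issuerConfig.getClientId());
        return this.client.target(this.authorizationEndpoint)
            .request("application/json")
            .header("Authorization", serverState.getClientCredentials())
            .post(Entity.form(assertionRequest), OAuthTokenResponse.class);
    }

    /**
     * Builds the final browser redirect: the issuer's configured redirect URI
     * with the client's own {@code state} and the tokens in the URL fragment
     * (fragments are not sent to the server, but do land in browser history).
     * {@code expires_in} is only included when the token response says the
     * token expires. Template values are encoded by {@link UriBuilder#build};
     * a null value (e.g. no refresh token returned) makes {@code build} throw.
     *
     * @param issuerConfig  issuer configuration providing the redirect URI
     * @param serverState   cached state providing the client's original {@code state}
     * @param tokenResponse successful token response to hand over
     * @return the redirect target
     */
    private static URI clientRedirectUri(IssuerConfig issuerConfig, ServerState serverState, OAuthTokenResponse tokenResponse) {
        UriBuilder redirect = UriBuilder.fromUri(issuerConfig.getRedirectUri());
        if (tokenResponse.isExpiring()) {
            return redirect
                .fragment("state={state}&access_token={access_token}&refresh_token={refresh_token}&token_type={token_type}&expires_in={expires_in}")
                .build(serverState.getClientState(), tokenResponse.getAccessToken(), tokenResponse.getRefreshToken(), tokenResponse.getTokenType(), Integer.valueOf(tokenResponse.getExpiresIn()));
        }
        return redirect
            .fragment("state={state}&access_token={access_token}&refresh_token={refresh_token}&token_type={token_type}")
            .build(serverState.getClientState(), tokenResponse.getAccessToken(), tokenResponse.getRefreshToken(), tokenResponse.getTokenType());
    }

    /**
     * Resolves the server-state cache once the bean is wired. Fails fast at
     * startup if the cache is not configured instead of failing with a
     * {@code NullPointerException} on the first callback.
     */
    @PostConstruct
    public void init() {
        this.serverStateCache = this.cm.getCache(HazelcastConfiguration.SERVER_STATE);
        if (this.serverStateCache == null) {
            throw new IllegalStateException("Cache " + HazelcastConfiguration.SERVER_STATE + " is not configured");
        }
    }
}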
