package no.nav.brukerdialog.security.jaspic;

import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.function.Function;
import java.util.stream.Stream;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import no.nav.brukerdialog.security.Constants;
import no.nav.brukerdialog.security.jwks.CacheMissAction;
import no.nav.brukerdialog.security.oidc.OidcTokenValidator;
import no.nav.brukerdialog.security.oidc.OidcTokenValidatorResult;
import no.nav.brukerdialog.security.oidc.provider.OidcProvider;
import no.nav.brukerdialog.tools.HostUtils;
import no.nav.brukerdialog.tools.Utils;
import no.nav.common.auth.LoginProvider;
import no.nav.common.auth.SsoToken;
import no.nav.common.auth.Subject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:no/nav/brukerdialog/security/jaspic/OidcAuthModule.class */
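/**
 * {@link LoginProvider} that authenticates requests by validating an OIDC ID token obtained from
 * one of the configured {@link OidcProvider}s, optionally refreshing it when it is invalid or close
 * to expiry, and that otherwise builds the redirect to the authorization endpoint.
 * <p>
 * Cookies written by this class are {@code HttpOnly} and, unless the {@code develop-local} system
 * property is {@code true}, {@code Secure}.
 */
public class OidcAuthModule implements LoginProvider {
    private static final Logger log = LoggerFactory.getLogger(OidcAuthModule.class);

    /** {@code Secure} flag for every cookie this class writes; only off for local development. */
    private static final boolean sslOnlyCookies = !Boolean.parseBoolean(System.getProperty("develop-local", "false"));

    /** Providers are consulted in list order; the first subject produced is the result. */
    private final List<OidcProvider> providers;
    private final OidcTokenValidator oidcTokenValidator;

    /**
     * Creates a module that validates tokens with a default {@link OidcTokenValidator}.
     *
     * @param list providers consulted, in order, for each request
     * @throws NullPointerException if {@code list} is {@code null}
     */
    public OidcAuthModule(List<OidcProvider> list) {
        this(list, new OidcTokenValidator());
    }

    /**
     * Package-private constructor that takes an explicit validator.
     *
     * @param list providers consulted, in order, for each request
     * @param oidcTokenValidator validator used for every token seen by this module
     * @throws NullPointerException if either argument is {@code null}
     */
    OidcAuthModule(List<OidcProvider> list, OidcTokenValidator oidcTokenValidator) {
        this.providers = Objects.requireNonNull(list, "providers");
        this.oidcTokenValidator = Objects.requireNonNull(oidcTokenValidator, "oidcTokenValidator");
    }

    /**
     * Authenticates the request against the configured providers.
     * <p>
     * Two passes are made: first with {@link CacheMissAction#NO_REFRESH}, then, only if that pass
     * yielded nothing, with {@link CacheMissAction#REFRESH}. A provider that throws is logged and
     * treated as "no subject", so an internal failure never authenticates a request.
     *
     * @param httpServletRequest request carrying the token (and possibly a refresh token)
     * @param httpServletResponse response that receives a new ID-token cookie when a refresh succeeds
     * @return the authenticated subject, or empty when no provider validated a token
     */
    public Optional<Subject> authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        return Stream.of(CacheMissAction.NO_REFRESH, CacheMissAction.REFRESH)
                .flatMap(cacheMissAction -> authenticate(httpServletRequest, httpServletResponse, cacheMissAction))
                .findFirst();
    }

    /** One pass over all providers with a fixed JWKS cache-miss policy. */
    private Stream<Subject> authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, CacheMissAction cacheMissAction) {
        return this.providers.stream()
                .flatMap(catchAndLogErrors(oidcProvider -> doValidateRequest(httpServletRequest, httpServletResponse, oidcProvider, cacheMissAction)));
    }

    /**
     * Wraps a per-provider validation so that an unchecked exception from one provider is logged
     * and yields an empty stream (fail closed) instead of aborting the whole authentication.
     * {@link Error}s are deliberately not caught: they signal a broken JVM or deployment, not a bad token.
     */
    private Function<OidcProvider, Stream<Subject>> catchAndLogErrors(Function<OidcProvider, Stream<Subject>> function) {
        return oidcProvider -> {
            try {
                return function.apply(oidcProvider);
            } catch (RuntimeException e) {
                // Only the provider class is logged; never the token itself.
                log.warn("Token validation failed for provider {}: {}", oidcProvider.getClass().getSimpleName(), e.getMessage(), e);
                return Stream.empty();
            }
        };
    }

    /**
     * Validates the token this provider extracts from the request. When the token is invalid or
     * about to expire and a refresh token is available, a refreshed token is fetched, validated and
     * — only if valid — written back as the ID-token cookie and used instead.
     *
     * @return a single-element stream with the subject, or empty if nothing validated
     */
    private Stream<Subject> doValidateRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OidcProvider oidcProvider, CacheMissAction cacheMissAction) {
        Optional<String> token = oidcProvider.getToken(httpServletRequest);
        if (!token.isPresent()) {
            return Stream.empty();
        }
        String idToken = token.get();
        OidcTokenValidatorResult result = this.oidcTokenValidator.validate(idToken, oidcProvider, cacheMissAction);
        Optional<String> refreshToken = oidcProvider.getRefreshToken(httpServletRequest);
        // Evaluated unconditionally (as before) so a malformed refresh-time property fails loudly.
        boolean refreshNeeded = needToRefreshToken(result);
        if (refreshToken.isPresent() && refreshNeeded) {
            Optional<Subject> refreshed = refreshAndValidate(httpServletRequest, httpServletResponse, refreshToken.get(), idToken, oidcProvider, cacheMissAction);
            if (refreshed.isPresent()) {
                return Stream.of(refreshed.get());
            }
        }
        // Refresh not possible or not valid: fall back to whatever the original token was worth.
        return result.isValid()
                ? Stream.of(toSubject(result, idToken, oidcProvider))
                : Stream.empty();
    }

    /**
     * Fetches a refreshed token and validates it. The new token is written to the client only
     * after it has passed validation; an invalid refreshed token is discarded and never stored.
     *
     * @return the subject of the refreshed token, or empty if the refresh failed or did not validate
     */
    private Optional<Subject> refreshAndValidate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,
                                                 String refreshToken, String currentToken, OidcProvider oidcProvider, CacheMissAction cacheMissAction) {
        Optional<String> fetched = fetchUpdatedToken(refreshToken, currentToken, oidcProvider);
        if (!fetched.isPresent()) {
            return Optional.empty();
        }
        String newToken = fetched.get();
        OidcTokenValidatorResult refreshedResult = this.oidcTokenValidator.validate(newToken, oidcProvider, cacheMissAction);
        if (!refreshedResult.isValid()) {
            return Optional.empty();
        }
        addHttpOnlyCookie(httpServletRequest, httpServletResponse, Constants.ID_TOKEN_COOKIE_NAME, newToken);
        return Optional.of(toSubject(refreshedResult, newToken, oidcProvider));
    }

    /** A token is refreshed when it failed validation or will expire within the configured margin. */
    private boolean needToRefreshToken(OidcTokenValidatorResult oidcTokenValidatorResult) {
        // Short-circuit keeps getExpSeconds() from being consulted on an invalid result.
        return !oidcTokenValidatorResult.isValid() || tokenIsSoonExpired(oidcTokenValidatorResult);
    }

    /** True when less than {@link #getMinimumTimeToExpireBeforeRefresh()} ms remain before expiry. */
    private boolean tokenIsSoonExpired(OidcTokenValidatorResult oidcTokenValidatorResult) {
        long expiresAtMillis = oidcTokenValidatorResult.getExpSeconds() * 1000; // exp is epoch seconds
        long remainingMillis = expiresAtMillis - Instant.now().toEpochMilli();
        return remainingMillis < (long) getMinimumTimeToExpireBeforeRefresh();
    }

    /**
     * Refresh margin in milliseconds, read from the {@code Constants.REFRESH_TIME} system property
     * (seconds, default 60). A non-numeric value throws {@link NumberFormatException}, which the
     * per-provider catch turns into "not authenticated" with a warning in the log.
     */
    private int getMinimumTimeToExpireBeforeRefresh() {
        return Integer.parseInt(System.getProperty(Constants.REFRESH_TIME, "60")) * 1000;
    }

    /**
     * Asks the provider for a fresh token. Best-effort: any failure is logged and reported as empty
     * so the caller can fall back to the original token.
     */
    private Optional<String> fetchUpdatedToken(String refreshToken, String currentToken, OidcProvider oidcProvider) {
        log.debug("Refreshing token");
        try {
            return Optional.of(oidcProvider.getFreshToken(refreshToken, currentToken).getToken());
        } catch (Exception e) {
            log.error("Could not refresh token", e);
            return Optional.empty();
        }
    }

    /**
     * Adds a site-wide ({@code path=/}) HttpOnly cookie, Secure outside local development.
     * The domain comes from {@link HostUtils#cookieDomain}; when that is {@code null} the cookie
     * is left host-only.
     */
    private void addHttpOnlyCookie(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String name, String value) {
        Cookie cookie = new Cookie(name, value);
        cookie.setSecure(sslOnlyCookies);
        cookie.setHttpOnly(true);
        cookie.setPath("/");
        String cookieDomain = HostUtils.cookieDomain(httpServletRequest);
        if (cookieDomain != null) {
            cookie.setDomain(cookieDomain);
        }
        httpServletResponse.addCookie(cookie);
    }

    /**
     * Adds an HttpOnly cookie scoped to the OIDC callback path only, so it is not sent with
     * ordinary application requests.
     */
    private void addApplicationCallbackSpecificHttpOnlyCookie(HttpServletResponse httpServletResponse, String name, String value) {
        Cookie cookie = new Cookie(name, value);
        cookie.setSecure(sslOnlyCookies);
        cookie.setHttpOnly(true);
        cookie.setPath(Utils.getRelativePath(Constants.getOidcRedirectUrl()));
        cookie.setDomain(".adeo.no");
        httpServletResponse.addCookie(cookie);
    }

    /**
     * Builds the redirect to the authorization endpoint, remembering the originally requested URL
     * in a callback-scoped cookie keyed by the request's state index.
     * <p>
     * NOTE(review): the remembered URL is built from request data (scheme/host and query string);
     * whatever consumes that cookie after the callback is not visible here and should treat the
     * value as untrusted before redirecting to it.
     *
     * @return the redirect URL, or empty when no redirect URL is configured
     */
    public Optional<String> redirectUrl(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (!Constants.hasRedirectUrl()) {
            return Optional.empty();
        }
        AuthorizationRequestBuilder authorizationRequestBuilder = new AuthorizationRequestBuilder();
        addApplicationCallbackSpecificHttpOnlyCookie(httpServletResponse, authorizationRequestBuilder.getStateIndex(), encode(getOriginalUrl(httpServletRequest)));
        return Optional.of(authorizationRequestBuilder.buildRedirectString());
    }

    /**
     * URL-encodes {@code str} as UTF-8. The checked exception is converted because UTF-8 is a
     * mandatory charset on every JVM; the original declared it and could not compile without a
     * handler in {@link #redirectUrl}.
     */
    private String encode(String str) {
        try {
            return URLEncoder.encode(str, StandardCharsets.UTF_8.name());
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 is not supported by this JVM", e);
        }
    }

    /** Request URL plus the query string, when present. */
    private String getOriginalUrl(HttpServletRequest httpServletRequest) {
        String requestUrl = httpServletRequest.getRequestURL().toString();
        String queryString = httpServletRequest.getQueryString();
        return queryString == null ? requestUrl : requestUrl + "?" + queryString;
    }

    /** Builds the {@link Subject} for a token that has already been validated. */
    private Subject toSubject(OidcTokenValidatorResult result, String token, OidcProvider oidcProvider) {
        return new Subject(result.getSubject(), oidcProvider.getIdentType(token), SsoToken.oidcToken(token, result.getAttributes()));
    }
}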
