package io.vertx.ext.auth.oauth2.impl;

import io.vertx.core.AsyncResult;
import io.vertx.core.Closeable;
import io.vertx.core.Context;
import io.vertx.core.Future;
import io.vertx.core.Handler;
import io.vertx.core.Promise;
import io.vertx.core.Vertx;
import io.vertx.core.impl.VertxInternal;
import io.vertx.core.impl.logging.Logger;
import io.vertx.core.impl.logging.LoggerFactory;
import io.vertx.core.json.DecodeException;
import io.vertx.core.json.JsonArray;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.JWTOptions;
import io.vertx.ext.auth.NoSuchKeyIdException;
import io.vertx.ext.auth.PubSecKeyOptions;
import io.vertx.ext.auth.User;
import io.vertx.ext.auth.authentication.CredentialValidationException;
import io.vertx.ext.auth.authentication.Credentials;
import io.vertx.ext.auth.authentication.TokenCredentials;
import io.vertx.ext.auth.authentication.UsernamePasswordCredentials;
import io.vertx.ext.auth.impl.jose.JWK;
import io.vertx.ext.auth.impl.jose.JWT;
import io.vertx.ext.auth.oauth2.OAuth2Auth;
import io.vertx.ext.auth.oauth2.OAuth2FlowType;
import io.vertx.ext.auth.oauth2.OAuth2Options;
import io.vertx.ext.auth.oauth2.Oauth2Credentials;
import java.util.Iterator;
import org.apache.kafka.common.config.SaslConfigs;
import org.apache.kafka.common.security.oauthbearer.internals.secured.LoginAccessTokenValidator;
import org.apache.sshd.common.auth.UserAuthMethodFactory;
import org.kogito.workitem.rest.auth.BearerTokenAuthDecorator;
import org.wildfly.security.http.HttpConstants;

/* loaded from: input_file:BOOT-INF/lib/vertx-auth-oauth2-4.3.6.jar:io/vertx/ext/auth/oauth2/impl/OAuth2AuthProviderImpl.class */
public class OAuth2AuthProviderImpl implements OAuth2Auth, Closeable {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) OAuth2AuthProviderImpl.class);
    private final Vertx vertx;
    private final Context context;
    private final OAuth2Options config;
    private final OAuth2API api;
    private volatile JWT jwt = new JWT();
    private volatile long updateTimerId = -1;
    private Handler<String> missingKeyHandler;

    public OAuth2AuthProviderImpl(Vertx vertx, OAuth2Options oAuth2Options) {
        this.vertx = vertx;
        this.context = vertx.getOrCreateContext();
        this.config = oAuth2Options;
        this.api = new OAuth2API(vertx, oAuth2Options);
        this.config.replaceVariables(true);
        this.config.validate();
        this.jwt.nonceAlgorithm(this.config.getJWTOptions().getNonceAlgorithm());
        if (oAuth2Options.getPubSecKeys() != null) {
            Iterator<PubSecKeyOptions> it = oAuth2Options.getPubSecKeys().iterator();
            while (it.hasNext()) {
                this.jwt.addJWK(new JWK(it.next()));
            }
        }
    }

    @Override // io.vertx.ext.auth.oauth2.OAuth2Auth
    public void close() {
        synchronized (this) {
            if (this.updateTimerId != -1) {
                this.vertx.cancelTimer(this.updateTimerId);
                ((VertxInternal) this.vertx).removeCloseHook(this);
                this.updateTimerId = -1L;
            }
            this.jwt = null;
        }
    }

    @Override // io.vertx.ext.auth.oauth2.OAuth2Auth
    public Future<Void> jWKSet() {
        return this.api.jwkSet().compose(jsonObject -> {
            synchronized (this) {
                if (this.updateTimerId != -1) {
                    this.vertx.cancelTimer(this.updateTimerId);
                    ((VertxInternal) this.vertx).removeCloseHook(this);
                }
                JWT nonceAlgorithm = new JWT().nonceAlgorithm(this.config.getJWTOptions().getNonceAlgorithm());
                Iterator<Object> it = jsonObject.getJsonArray("keys").iterator();
                while (it.hasNext()) {
                    try {
                        nonceAlgorithm.addJWK(new JWK((JsonObject) it.next()));
                    } catch (Exception e) {
                        LOG.warn("Unsupported JWK", e);
                    }
                }
                this.jwt = nonceAlgorithm;
                long longValue = (jsonObject.getLong("maxAge", Long.valueOf(this.config.getJwkMaxAgeInSeconds())).longValue() * 1000) - Math.max(0, this.config.getJWTOptions().getLeeway());
                if (longValue > 0) {
                    this.updateTimerId = this.vertx.setPeriodic(longValue, l -> {
                        jWKSet().onFailure(th -> {
                            LOG.warn("Failed to auto-update JWK Set", th);
                        });
                    });
                    ((VertxInternal) this.vertx).addCloseHook(this);
                } else {
                    this.updateTimerId = -1L;
                }
            }
            return Future.succeededFuture();
        });
    }

    @Override // io.vertx.ext.auth.oauth2.OAuth2Auth
    public OAuth2Auth missingKeyHandler(Handler<String> handler) {
        this.missingKeyHandler = handler;
        return this;
    }

    public OAuth2Options getConfig() {
        return this.config;
    }

    @Override // io.vertx.ext.auth.authentication.AuthenticationProvider
    public void authenticate(JsonObject jsonObject, Handler<AsyncResult<User>> handler) {
        authenticate(jsonObject).onComplete2(handler);
    }

    @Override // io.vertx.ext.auth.authentication.AuthenticationProvider
    public Future<User> authenticate(JsonObject jsonObject) {
        if (jsonObject.containsKey("access_token")) {
            TokenCredentials tokenCredentials = new TokenCredentials(jsonObject.getString("access_token"));
            if (jsonObject.containsKey("scopes")) {
                Iterator<Object> it = jsonObject.getJsonArray("scopes").iterator();
                while (it.hasNext()) {
                    tokenCredentials.addScope((String) it.next());
                }
            }
            return authenticate(tokenCredentials);
        }
        OAuth2FlowType flow = (jsonObject.getString("flow") == null || jsonObject.getString("flow").isEmpty()) ? this.config.getFlow() : OAuth2FlowType.getFlow(jsonObject.getString("flow"));
        switch (flow) {
            case AUTH_CODE:
                if (jsonObject.containsKey("code")) {
                    return authenticate(new Oauth2Credentials().setCode(jsonObject.getString("code")).setCodeVerifier(jsonObject.getString("codeVerifier")).setRedirectUri(jsonObject.getString("redirectUri")).setFlow(flow));
                }
                break;
            case CLIENT:
                Oauth2Credentials flow2 = new Oauth2Credentials().setFlow(flow);
                if (jsonObject.containsKey("scopes")) {
                    Iterator<Object> it2 = jsonObject.getJsonArray("scopes").iterator();
                    while (it2.hasNext()) {
                        flow2.addScope((String) it2.next());
                    }
                }
                return authenticate(flow2);
            case PASSWORD:
                if (jsonObject.containsKey(HttpConstants.USERNAME) && jsonObject.containsKey(UserAuthMethodFactory.PASSWORD)) {
                    Oauth2Credentials flow3 = new Oauth2Credentials().setUsername(jsonObject.getString(HttpConstants.USERNAME)).setPassword(jsonObject.getString(UserAuthMethodFactory.PASSWORD)).setFlow(flow);
                    if (jsonObject.containsKey("scopes")) {
                        Iterator<Object> it3 = jsonObject.getJsonArray("scopes").iterator();
                        while (it3.hasNext()) {
                            flow3.addScope((String) it3.next());
                        }
                    }
                    return authenticate(flow3);
                }
                break;
            case AUTH_JWT:
            case AAD_OBO:
                return jsonObject.containsKey("assertion") ? authenticate(new Oauth2Credentials().setAssertion(jsonObject.getString("assertion")).setFlow(flow)) : authenticate(new Oauth2Credentials().setJwt(jsonObject).setFlow(flow));
        }
        return Future.failedFuture("can't parse token: " + jsonObject);
    }

    @Override // io.vertx.ext.auth.authentication.AuthenticationProvider
    public Future<User> authenticate(Credentials credentials) {
        try {
            if (credentials instanceof UsernamePasswordCredentials) {
                UsernamePasswordCredentials usernamePasswordCredentials = (UsernamePasswordCredentials) credentials;
                usernamePasswordCredentials.checkValid(null);
                return authenticate(new Oauth2Credentials().setUsername(usernamePasswordCredentials.getUsername()).setPassword(usernamePasswordCredentials.getPassword()).setFlow(OAuth2FlowType.PASSWORD));
            }
            if (credentials instanceof TokenCredentials) {
                TokenCredentials tokenCredentials = (TokenCredentials) credentials;
                tokenCredentials.checkValid(null);
                User createUser = createUser(new JsonObject().put("access_token", tokenCredentials.getToken()), false);
                return (!createUser.attributes().containsKey(BearerTokenAuthDecorator.BEARER_TOKEN) || this.jwt.isUnsecure() || createUser.expired(this.config.getJWTOptions().getLeeway())) ? this.config.getIntrospectionPath() == null ? createUser.attributes().containsKey("missing-kid") ? Future.failedFuture(new NoSuchKeyIdException(createUser.attributes().getString("missing-kid"))) : Future.failedFuture("Can't authenticate access_token: Provider doesn't support token introspection") : this.api.tokenIntrospection("access_token", tokenCredentials.getToken()).compose(jsonObject -> {
                    String clientId;
                    if (jsonObject.containsKey("active") && !jsonObject.getBoolean("active", false).booleanValue()) {
                        return Future.failedFuture("Inactive Token");
                    }
                    if (jsonObject.containsKey("client_id") && (clientId = this.config.getClientId()) != null && !clientId.equals(jsonObject.getString("client_id"))) {
                        LOG.info("Introspect client_id doesn't match configured client_id");
                    }
                    User createUser2 = createUser(jsonObject, createUser.attributes().containsKey("missing-kid"));
                    return createUser2.expired(this.config.getJWTOptions().getLeeway()) ? Future.failedFuture("Used is expired.") : Future.succeededFuture(createUser2);
                }) : Future.succeededFuture(createUser);
            }
            Oauth2Credentials oauth2Credentials = (Oauth2Credentials) credentials;
            JsonObject jsonObject2 = new JsonObject();
            OAuth2FlowType flow = oauth2Credentials.getFlow() != null ? oauth2Credentials.getFlow() : this.config.getFlow();
            oauth2Credentials.checkValid(flow);
            if (this.config.getSupportedGrantTypes() != null && !this.config.getSupportedGrantTypes().isEmpty() && !this.config.getSupportedGrantTypes().contains(flow.getGrantType())) {
                return Future.failedFuture("Provided flow is not supported by provider");
            }
            switch (flow) {
                case AUTH_CODE:
                    jsonObject2.put("code", oauth2Credentials.getCode());
                    if (oauth2Credentials.getRedirectUri() != null) {
                        jsonObject2.put("redirect_uri", oauth2Credentials.getRedirectUri());
                    }
                    if (oauth2Credentials.getCodeVerifier() != null) {
                        jsonObject2.put("code_verifier", oauth2Credentials.getCodeVerifier());
                        break;
                    }
                    break;
                case CLIENT:
                    if (oauth2Credentials.getScopes() != null) {
                        jsonObject2.put("scope", String.join(this.config.getScopeSeparator(), oauth2Credentials.getScopes()));
                        break;
                    }
                    break;
                case PASSWORD:
                    jsonObject2.put(HttpConstants.USERNAME, oauth2Credentials.getUsername()).put(UserAuthMethodFactory.PASSWORD, oauth2Credentials.getPassword());
                    if (oauth2Credentials.getScopes() != null) {
                        jsonObject2.put("scope", String.join(this.config.getScopeSeparator(), oauth2Credentials.getScopes()));
                        break;
                    }
                    break;
                case AUTH_JWT:
                    jsonObject2.put("assertion", this.jwt.sign(oauth2Credentials.getJwt().copy(), this.config.getJWTOptions()));
                    if (oauth2Credentials.getScopes() != null) {
                        jsonObject2.put("scope", String.join(this.config.getScopeSeparator(), oauth2Credentials.getScopes()));
                        break;
                    }
                    break;
                case AAD_OBO:
                    jsonObject2.put("requested_token_use", "on_behalf_of").put("assertion", oauth2Credentials.getAssertion());
                    if (oauth2Credentials.getScopes() != null) {
                        jsonObject2.put("scope", String.join(this.config.getScopeSeparator(), oauth2Credentials.getScopes()));
                        break;
                    }
                    break;
                default:
                    return Future.failedFuture("Current flow does not allow acquiring a token by the replay party");
            }
            return this.api.token(flow.getGrantType(), jsonObject2).compose(jsonObject3 -> {
                User createUser2 = createUser(jsonObject3, false);
                return createUser2.expired(this.config.getJWTOptions().getLeeway()) ? Future.failedFuture("Used is expired.") : Future.succeededFuture(createUser2);
            });
        } catch (CredentialValidationException | ClassCastException e) {
            return Future.failedFuture(e);
        }
    }

    @Override // io.vertx.ext.auth.oauth2.OAuth2Auth
    public String authorizeURL(JsonObject jsonObject) {
        return this.api.authorizeURL(jsonObject);
    }

    @Override // io.vertx.ext.auth.oauth2.OAuth2Auth
    public Future<User> refresh(User user) {
        return (user.principal().getString("refresh_token") == null || user.principal().getString("refresh_token").isEmpty()) ? Future.failedFuture(new IllegalStateException("refresh_token is null or empty")) : this.api.token("refresh_token", new JsonObject().put("refresh_token", user.principal().getString("refresh_token"))).compose(jsonObject -> {
            User createUser = createUser(jsonObject, false);
            return createUser.expired(this.config.getJWTOptions().getLeeway()) ? Future.failedFuture("Used is expired.") : Future.succeededFuture(createUser);
        });
    }

    @Override // io.vertx.ext.auth.oauth2.OAuth2Auth
    public Future<Void> revoke(User user, String str) {
        return this.api.tokenRevocation(str, user.principal().getString(str));
    }

    @Override // io.vertx.ext.auth.oauth2.OAuth2Auth
    public Future<JsonObject> userInfo(User user) {
        return this.api.userInfo(user.principal().getString("access_token"), this.jwt).compose(jsonObject -> {
            String string = user.principal().getString(SaslConfigs.DEFAULT_SASL_OAUTHBEARER_SUB_CLAIM_NAME, user.attributes().getString(SaslConfigs.DEFAULT_SASL_OAUTHBEARER_SUB_CLAIM_NAME));
            String string2 = jsonObject.getString(SaslConfigs.DEFAULT_SASL_OAUTHBEARER_SUB_CLAIM_NAME);
            if ((string != null || string2 != null) && string != null && string2 != null && !string.equals(string2)) {
                return Future.failedFuture("Used 'sub' does not match UserInfo 'sub'.");
            }
            copyProperties(jsonObject, user.attributes(), true, new String[0]);
            return user.expired(this.config.getJWTOptions().getLeeway()) ? Future.failedFuture("Used is expired.") : Future.succeededFuture(jsonObject);
        });
    }

    @Override // io.vertx.ext.auth.oauth2.OAuth2Auth
    public String endSessionURL(User user, JsonObject jsonObject) {
        return this.api.endSessionURL(user.principal().getString("id_token"), jsonObject);
    }

    private User createUser(JsonObject jsonObject, boolean z) {
        Long valueOf;
        User create = User.create(jsonObject);
        long currentTimeMillis = System.currentTimeMillis() / 1000;
        String str = null;
        if (jsonObject.containsKey("expires_in")) {
            try {
                valueOf = jsonObject.getLong("expires_in");
            } catch (ClassCastException e) {
                valueOf = Long.valueOf(jsonObject.getString("expires_in"));
            }
            create.attributes().put(LoginAccessTokenValidator.ISSUED_AT_CLAIM_NAME, Long.valueOf(currentTimeMillis)).put("exp", Long.valueOf(currentTimeMillis + valueOf.longValue()));
        }
        if (!this.jwt.isUnsecure()) {
            if (jsonObject.containsKey("access_token")) {
                try {
                    create.attributes().put(BearerTokenAuthDecorator.BEARER_TOKEN, validToken(this.jwt.decode(jsonObject.getString("access_token")), false));
                    copyProperties(create.attributes().getJsonObject(BearerTokenAuthDecorator.BEARER_TOKEN), create.attributes(), true, "exp", LoginAccessTokenValidator.ISSUED_AT_CLAIM_NAME, "nbf", SaslConfigs.DEFAULT_SASL_OAUTHBEARER_SUB_CLAIM_NAME);
                    create.attributes().put("rootClaim", BearerTokenAuthDecorator.BEARER_TOKEN);
                } catch (DecodeException | IllegalStateException e2) {
                    LOG.trace("Cannot decode access token:", e2);
                } catch (NoSuchKeyIdException e3) {
                    if (!z) {
                        create.attributes().put("missing-kid", e3.id());
                        str = e3.id();
                        if (this.missingKeyHandler != null) {
                            this.context.runOnContext(r5 -> {
                                this.missingKeyHandler.handle(e3.id());
                            });
                        } else {
                            LOG.trace("Cannot decode access token:", e3);
                        }
                    }
                }
            }
            if (jsonObject.containsKey("id_token")) {
                try {
                    create.attributes().put("idToken", validToken(this.jwt.decode(jsonObject.getString("id_token")), true));
                    copyProperties(create.attributes().getJsonObject("idToken"), create.attributes(), false, SaslConfigs.DEFAULT_SASL_OAUTHBEARER_SUB_CLAIM_NAME, "name", "email", "picture");
                    copyProperties(create.attributes().getJsonObject("idToken"), create.principal(), true, "amr");
                } catch (DecodeException | IllegalStateException e4) {
                    LOG.trace("Cannot decode id token:", e4);
                } catch (NoSuchKeyIdException e5) {
                    if (!z && !e5.id().equals(str)) {
                        create.attributes().put("missing-kid", e5.id());
                        if (this.missingKeyHandler != null) {
                            this.context.runOnContext(r52 -> {
                                this.missingKeyHandler.handle(e5.id());
                            });
                        } else {
                            LOG.trace("Cannot decode access token:", e5);
                        }
                    }
                }
            }
        }
        return create;
    }

    private JsonObject validToken(JsonObject jsonObject, boolean z) throws IllegalStateException {
        JWTOptions jWTOptions = this.config.getJWTOptions();
        JsonArray jsonArray = null;
        if (jsonObject.containsKey("aud")) {
            try {
                jsonArray = jsonObject.getValue("aud") instanceof String ? new JsonArray().add(jsonObject.getValue("aud")) : jsonObject.getJsonArray("aud");
            } catch (RuntimeException e) {
                throw new IllegalStateException("User audience isn't a JsonArray or String");
            }
        }
        if (jsonArray != null && jsonArray.size() > 0) {
            if (!z && jWTOptions.getAudience() != null) {
                for (String str : jWTOptions.getAudience()) {
                    if (!jsonArray.contains(str)) {
                        throw new IllegalStateException("Invalid JWT audience. expected: " + str);
                    }
                }
            } else if (!jsonArray.contains(this.config.getClientId())) {
                throw new IllegalStateException("Invalid JWT audience. expected: " + this.config.getClientId());
            }
        }
        if (jWTOptions.getIssuer() != null && !jWTOptions.getIssuer().equals(jsonObject.getString("iss"))) {
            throw new IllegalStateException("Invalid JWT issuer");
        }
        if (z && jsonObject.containsKey("azp")) {
            if (!this.config.getClientId().equals(jsonObject.getString("azp"))) {
                throw new IllegalStateException("Invalid authorised party != config.clientID");
            }
            if (jsonArray != null && jsonArray.size() > 1 && !jsonArray.contains(jsonObject.getString("azp"))) {
                throw new IllegalStateException("ID Token with multiple audiences, doesn't contain azp Claim value");
            }
        }
        return jsonObject;
    }

    private static void copyProperties(JsonObject jsonObject, JsonObject jsonObject2, boolean z, String... strArr) {
        if (jsonObject == null || jsonObject2 == null) {
            return;
        }
        if (strArr.length == 0) {
            for (String str : jsonObject.fieldNames()) {
                if (!jsonObject2.containsKey(str) || z) {
                    jsonObject2.put(str, jsonObject.getValue(str));
                }
            }
            return;
        }
        for (String str2 : strArr) {
            if (jsonObject.containsKey(str2) && (!jsonObject2.containsKey(str2) || z)) {
                jsonObject2.put(str2, jsonObject.getValue(str2));
            }
        }
    }

    @Override // io.vertx.core.Closeable
    public void close(Promise<Void> promise) {
        close();
        promise.complete();
    }
}
