package org.wildfly.security.http.util.sso;

import java.io.DataOutputStream;
import java.io.OutputStream;
import java.io.Serializable;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.Base64;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.function.Function;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import org.wildfly.common.Assert;
import org.wildfly.security._private.ElytronMessages;
import org.wildfly.security.auth.server.SecurityIdentity;
import org.wildfly.security.cache.CachedIdentity;
import org.wildfly.security.http.HttpConstants;
import org.wildfly.security.http.HttpScope;
import org.wildfly.security.http.HttpScopeNotification;
import org.wildfly.security.http.HttpServerRequest;
import org.wildfly.security.http.Scope;
import org.wildfly.security.util.ByteIterator;

/* loaded from: input_file:org/wildfly/security/http/util/sso/DefaultSingleSignOnSessionFactory.class */
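/**
 * Default {@link SingleSignOnSessionFactory}.
 * <p>
 * One {@link DefaultSingleSignOnSessionEntry} is kept per SSO identifier in the supplied cache. Each entry
 * records the cached identity plus the set of "local sessions" that participate in the SSO session; a local
 * session is encoded as {@code <participant URL>:<session id>} (see
 * {@link AbstractSingleSignOnSession#createLocalSessionId}).
 * <p>
 * Single logout works by POSTing a logout message to every participant URL. The message is the local session
 * id followed by a {@value #DEFAULT_SIGNATURE_ALGORITHM} signature over it, signed with the RSA private key
 * stored under {@code keyAlias} and verified by the receiving participant with the certificate stored under the
 * same alias; all participants therefore have to share that key pair.
 */
public class DefaultSingleSignOnSessionFactory implements SingleSignOnSessionFactory {
    private static final String DEFAULT_SIGNATURE_ALGORITHM = "SHA512withRSA";
    /** Request parameter that carries the signed logout message posted to each participant. */
    private static final String LOGOUT_REQUEST_PARAMETER = "ely_logout_message";
    /** Connect and read timeout, in milliseconds, for a single logout notification. */
    private static final int LOGOUT_TIMEOUT_MILLIS = 10000;
    private final Map<String, Object> cache;
    private final KeyStore keyStore;
    private final Function<SecurityIdentity, String> identifierFactory;
    private final SSLContext sslContext;
    private final HostnameVerifier hostnameVerifier;
    private final String keyAlias;
    private final String keyPassword;
    /**
     * Accepts every hostname. NOTE(review): the five-argument constructor installs this verifier for outbound
     * HTTPS logout notifications, so a participant's certificate is not matched against the host being contacted;
     * supply an explicit {@link HostnameVerifier} through the seven-argument constructor where that matters.
     */
    private static final HostnameVerifier DEFAULT_HOSTNAME_VERIFIER = (hostname, sslSession) -> true;
    /** Generates a random UUID as the SSO identifier; the identity is ignored. */
    private static final Function<SecurityIdentity, String> DEFAULT_SESSION_IDENTIFIER_FACTORY =
            identity -> UUID.randomUUID().toString();
    /**
     * Session attachment set just before this factory invalidates a local session itself, so the session
     * notification callback can tell its own invalidation apart from one triggered elsewhere.
     */
    private static final String SESSION_INVALIDATING_ATTRIBUTE = DefaultSingleSignOnSessionFactory.class.getName() + ".INVALIDATING";

    /**
     * Common behaviour of the sessions handed out by {@link #findById} and {@link #create}; subclasses supply
     * {@link #getId()} and {@link #put(SecurityIdentity)}.
     */
    private abstract class AbstractSingleSignOnSession implements SingleSignOnSession {
        private final HttpServerRequest request;

        AbstractSingleSignOnSession(HttpServerRequest request) {
            this.request = request;
        }

        /**
         * @return a read-only view of the local sessions of this SSO session, or an empty set when no entry is
         *         cached under {@link #getId()}
         */
        @Override // org.wildfly.security.http.util.sso.SingleSignOnSession
        public Set<String> getLocalSessions() {
            DefaultSingleSignOnSessionEntry entry = getEntry();
            if (entry == null) {
                return Collections.emptySet();
            }
            return Collections.unmodifiableSet(entry.getLocalSessions());
        }

        /**
         * @return the local session of this SSO session that belongs to the current HTTP session (matched on
         *         the session id suffix), or {@code null} when there is no entry or no HTTP session
         */
        @Override // org.wildfly.security.http.util.sso.SingleSignOnSession
        public String getLocalSession() {
            DefaultSingleSignOnSessionEntry entry = getEntry();
            if (entry == null) {
                return null;
            }
            HttpScope session = this.request.getScope(Scope.SESSION);
            if (!session.exists()) {
                return null;
            }
            return entry.getLocalSessions().stream()
                    .filter(localSession -> localSession.endsWith(session.getID()))
                    .findFirst()
                    .orElse(null);
        }

        /** @return the cached identity of this SSO session, or {@code null} when nothing is cached under its id */
        @Override // org.wildfly.security.cache.IdentityCache
        public CachedIdentity get() {
            DefaultSingleSignOnSessionEntry entry = getEntry();
            return entry == null ? null : entry.getCachedIdentity();
        }

        /**
         * Drops this SSO session from the cache and invalidates the current HTTP session.
         *
         * @return the identity that was cached, or {@code null} when there was no entry
         */
        @Override // org.wildfly.security.cache.IdentityCache
        public CachedIdentity remove() {
            if (getEntry() == null) {
                return null;
            }
            DefaultSingleSignOnSessionEntry removed = (DefaultSingleSignOnSessionEntry) cache.remove(getId());
            invalidateLocalSession(this.request.getScope(Scope.SESSION));
            return removed == null ? null : removed.getCachedIdentity();
        }

        /**
         * Handles an incoming single-logout notification carried in the {@value #LOGOUT_REQUEST_PARAMETER}
         * request parameter.
         * <p>
         * The message signature is checked first; only a verified message leads to the named local session being
         * invalidated and a {@code 200 OK} response. A message that fails verification (or is malformed) is
         * logged and treated as "not a logout request" - nothing is invalidated and no OK is sent.
         *
         * @return {@code true} when a verified logout message was processed, {@code false} otherwise
         */
        @Override // org.wildfly.security.http.util.sso.SingleSignOnSession
        public boolean logout() {
            String logoutMessage = this.request.getFirstParameterValue(LOGOUT_REQUEST_PARAMETER);
            if (logoutMessage == null) {
                return false;
            }
            ElytronMessages.log.debugf("Invalidating local session [%s] from SSO [%s]", getLocalSession(), getId());
            HttpScope session;
            try {
                session = this.request.getScope(Scope.SESSION, verifyLogoutRequest(logoutMessage));
            } catch (Exception e) {
                // The original left this path with an unassigned scope; an unverifiable message must not act on any session.
                ElytronMessages.log.errorHttpMechSsoFailedInvalidateLocalSession(e);
                return false;
            }
            if (!session.exists()) {
                return false;
            }
            invalidateLocalSession(session);
            this.request.authenticationInProgress(response -> response.setStatusCode(HttpConstants.OK));
            return true;
        }

        /**
         * Removes {@code localSession} from this SSO session. When it was the last participant the whole SSO
         * session is removed; otherwise the updated entry is written back to the cache (only if the cache still
         * holds it, so a concurrently removed entry is not resurrected).
         */
        void removeLocalSession(String localSession) {
            DefaultSingleSignOnSessionEntry entry = getEntry();
            if (entry == null) {
                return;
            }
            ElytronMessages.log.debugf("Removing local session [%s] from SSO [%s]", localSession, getId());
            entry.getLocalSessions().remove(localSession);
            if (entry.getLocalSessions().isEmpty()) {
                ElytronMessages.log.debugf("Destroying SSO [%s]. SSO is not associated with participants", getId());
                remove();
            } else if (cache.containsKey(getId())) {
                cache.put(getId(), entry);
            }
        }

        /**
         * Registers the current HTTP session (creating it if needed) as a participant of this SSO session unless
         * it already is one, then stores {@code entry} in the cache under {@link #getId()}.
         * <p>
         * A session notification callback is installed that removes the local session again when the HTTP
         * session goes away and, when the session was invalidated by something other than this factory, starts
         * a single logout of the whole SSO session.
         */
        void addLocalSessionIfNecessary(DefaultSingleSignOnSessionEntry entry) {
            if (getLocalSession() != null) {
                return;
            }
            HttpScope session = this.request.getScope(Scope.SESSION);
            if (!session.exists()) {
                session.create();
            }
            String localSession = createLocalSessionId(session.getID(), this.request);
            entry.getLocalSessions().add(localSession);
            String ssoId = getId();
            session.registerForNotification(notification -> {
                // Set by invalidateLocalSession(): the invalidation came from this factory, so it must not fan
                // out into another single logout.
                boolean selfInvalidated = notification.getScope(Scope.SESSION)
                        .getAttachment(SESSION_INVALIDATING_ATTRIBUTE) != null;
                removeLocalSession(localSession);
                if (notification.isOfType(HttpScopeNotification.SessionNotificationType.INVALIDATED) && !selfInvalidated) {
                    // Must be qualified: the unqualified name would resolve to this class's logout().
                    DefaultSingleSignOnSessionFactory.this.logout(ssoId);
                }
            });
            cache.put(getId(), entry);
            ElytronMessages.log.debugf("Updating local sessions for SSO [%s]. New local session [%s]. Local sessions: [%s]", getId(), localSession, entry.getLocalSessions());
        }

        /**
         * Invalidates {@code session} if it exists, marking it with {@link #SESSION_INVALIDATING_ATTRIBUTE}
         * first so the notification callback knows the invalidation originated here.
         */
        void invalidateLocalSession(HttpScope session) {
            if (!session.exists()) {
                return;
            }
            session.setAttachment(SESSION_INVALIDATING_ATTRIBUTE, true);
            session.invalidate();
            ElytronMessages.log.debugf("Local session [%s] invalidated for SSO [%s]", session.getID(), getId());
        }

        /** @return the cached entry for {@link #getId()}, or {@code null} when the id is unset or not cached */
        DefaultSingleSignOnSessionEntry getEntry() {
            String ssoId = getId();
            return ssoId == null ? null : (DefaultSingleSignOnSessionEntry) cache.get(ssoId);
        }

        /**
         * Builds the local session identifier {@code <participant URL>:<sessionId>}. The last {@code ':'}
         * separates the two parts, which is what {@link #logout(String)} and {@link #createLogoutRequest}
         * rely on when splitting it again.
         */
        String createLocalSessionId(String sessionId, HttpServerRequest request) {
            return createParticipantUrl(request) + ":" + sessionId;
        }

        /**
         * Derives the participant URL from the request URI: scheme, host, port and the first path segment
         * (the context root) only, so every request of one application maps to the same participant.
         * <p>
         * NOTE(review): {@code getPort()} is {@code -1} when the URI carries no explicit port, in which case the
         * generated URL contains {@code ":-1"} - confirm that requests always arrive with an explicit port.
         */
        String createParticipantUrl(HttpServerRequest request) {
            String scheme = request.getRequestURI().getScheme();
            String host = request.getRequestURI().getHost();
            int port = request.getRequestURI().getPort();
            String path = request.getRequestURI().getPath();
            if (path == null) {
                path = "/";
            }
            // "/app/foo" splits into ["", "app", "foo"]; keep only "/app". "/" splits into nothing and stays "/".
            String[] segments = path.split("/");
            if (segments.length > 1) {
                path = "/" + segments[1];
            }
            return scheme + "://" + host + ":" + port + path;
        }
    }

    /**
     * Cache value for one SSO session: the cached identity plus the local sessions participating in it.
     * Serializable so it can live in a replicated cache.
     */
    public static class DefaultSingleSignOnSessionEntry implements Serializable {
        private static final long serialVersionUID = 6051431359445846593L;
        private CachedIdentity cachedIdentity;
        // Mutated in place by the session callbacks; not synchronized here, same as the cache map it is stored in.
        private final Set<String> localSessions = new HashSet<>();

        public DefaultSingleSignOnSessionEntry(CachedIdentity cachedIdentity) {
            this.cachedIdentity = cachedIdentity;
        }

        CachedIdentity getCachedIdentity() {
            return this.cachedIdentity;
        }

        void setCachedIdentity(CachedIdentity cachedIdentity) {
            this.cachedIdentity = cachedIdentity;
        }

        /** @return the live, mutable set of local session identifiers */
        Set<String> getLocalSessions() {
            return this.localSessions;
        }
    }

    /**
     * Creates a factory that accepts any hostname on outbound HTTPS logout notifications and uses random UUIDs
     * as SSO identifiers; see the seven-argument constructor for the parameters.
     */
    public DefaultSingleSignOnSessionFactory(Map<String, Object> cache, KeyStore keyStore, String keyAlias, String keyPassword, SSLContext sslContext) {
        this(cache, keyStore, keyAlias, keyPassword, sslContext, DEFAULT_HOSTNAME_VERIFIER, DEFAULT_SESSION_IDENTIFIER_FACTORY);
    }

    /**
     * @param cache             shared store of SSO id to {@link DefaultSingleSignOnSessionEntry}
     * @param keyStore          key store holding the RSA key pair used to sign and verify logout messages
     * @param keyAlias          alias of that key pair; must map to an RSA private key and a certificate
     * @param keyPassword       password protecting the private key
     * @param sslContext        context for HTTPS logout notifications; may be {@code null}, in which case
     *                          notifying an HTTPS participant fails and is logged as a warning
     * @param hostnameVerifier  verifier applied to HTTPS logout notifications
     * @param identifierFactory produces the SSO identifier for a newly created session
     * @throws IllegalArgumentException if any of the non-nullable parameters is {@code null}
     * @throws RuntimeException if the key cannot be obtained, is not an RSA private key, or has no certificate
     *                          (the specific cause is wrapped in {@code httpMechSsoFailedObtainKeyFromKeyStore})
     */
    public DefaultSingleSignOnSessionFactory(Map<String, Object> cache, KeyStore keyStore, String keyAlias, String keyPassword, SSLContext sslContext, HostnameVerifier hostnameVerifier, Function<SecurityIdentity, String> identifierFactory) {
        this.cache = Assert.checkNotNullParam("cache", cache);
        this.keyStore = Assert.checkNotNullParam("keyStore", keyStore);
        this.keyAlias = Assert.checkNotNullParam("keyAlias", keyAlias);
        this.keyPassword = Assert.checkNotNullParam("keyPassword", keyPassword);
        // Checked before the key store is touched so a missing factory is reported as a parameter error,
        // not as a key store failure.
        this.identifierFactory = Assert.checkNotNullParam("identifierFactory", identifierFactory);
        this.sslContext = sslContext;
        this.hostnameVerifier = hostnameVerifier;
        try {
            Key key = keyStore.getKey(keyAlias, keyPassword.toCharArray());
            if (!(key instanceof PrivateKey) || !"RSA".equals(key.getAlgorithm())) {
                throw ElytronMessages.log.httpMechSsoRSAPrivateKeyExpected(keyAlias);
            }
            if (keyStore.getCertificate(keyAlias) == null) {
                throw ElytronMessages.log.httpMechSsoCertificateExpected(keyAlias);
            }
        } catch (Exception e) {
            throw ElytronMessages.log.httpMechSsoFailedObtainKeyFromKeyStore(keyAlias, e);
        }
    }

    /**
     * Looks up an existing SSO session.
     *
     * @return a session bound to {@code ssoId}, or {@code null} when the cache holds no entry for it
     */
    @Override // org.wildfly.security.http.util.sso.SingleSignOnSessionFactory
    public SingleSignOnSession findById(final String ssoId, HttpServerRequest request) {
        Assert.checkNotNullParam("id", ssoId);
        Assert.checkNotNullParam("request", request);
        if (!this.cache.containsKey(ssoId)) {
            return null;
        }
        ElytronMessages.log.debugf("Found SSO session with ID [%s]", ssoId);
        return new AbstractSingleSignOnSession(request) { // from class: org.wildfly.security.http.util.sso.DefaultSingleSignOnSessionFactory.1
            @Override // org.wildfly.security.http.util.sso.SingleSignOnSession
            public String getId() {
                return ssoId;
            }

            /**
             * Fills in the identity of an entry that was found without one (e.g. replicated without it) and
             * joins the current HTTP session to the SSO session.
             * NOTE(review): the entry is fetched without a null check; if it was evicted between
             * {@code findById} and this call a NullPointerException surfaces here.
             */
            @Override // org.wildfly.security.cache.IdentityCache
            public void put(SecurityIdentity securityIdentity) {
                DefaultSingleSignOnSessionEntry entry = (DefaultSingleSignOnSessionEntry) cache.get(getId());
                CachedIdentity cachedIdentity = entry.getCachedIdentity();
                if (cachedIdentity.getSecurityIdentity() == null) {
                    ElytronMessages.log.debugf("Updating local copy of SSO [%s] with a new identity", ssoId);
                    entry.setCachedIdentity(new CachedIdentity(cachedIdentity.getMechanismName(), securityIdentity));
                }
                addLocalSessionIfNecessary(entry);
            }
        };
    }

    /**
     * Creates a new SSO session for {@code mechanismName}. The session has no id until
     * {@link SingleSignOnSession#put} is called, which asks the identifier factory for one and caches the entry.
     */
    @Override // org.wildfly.security.http.util.sso.SingleSignOnSessionFactory
    public SingleSignOnSession create(HttpServerRequest request, final String mechanismName) {
        Assert.checkNotNullParam("request", request);
        Assert.checkNotNullParam("mechanismName", mechanismName);
        return new AbstractSingleSignOnSession(request) { // from class: org.wildfly.security.http.util.sso.DefaultSingleSignOnSessionFactory.2
            private String id;

            @Override // org.wildfly.security.http.util.sso.SingleSignOnSession
            public String getId() {
                return this.id;
            }

            @Override // org.wildfly.security.cache.IdentityCache
            public void put(SecurityIdentity securityIdentity) {
                this.id = identifierFactory.apply(securityIdentity);
                ElytronMessages.log.debugf("Creating new SSO [%s]", this.id);
                addLocalSessionIfNecessary(new DefaultSingleSignOnSessionEntry(new CachedIdentity(mechanismName, securityIdentity)));
            }
        };
    }

    /**
     * Performs a single logout of the SSO session {@code ssoId}: every participant is sent a signed logout
     * message for its local session, then the entry is removed from the cache.
     * <p>
     * A missing entry is tolerated: the session notification callback removes the last local session (and with
     * it the entry) right before calling this method, so the lookup can legitimately come back empty.
     * Failures while notifying one participant are logged and do not stop the others from being notified.
     */
    @Override // org.wildfly.security.http.util.sso.SingleSignOnSessionFactory
    public void logout(String ssoId) {
        Assert.checkNotNullParam("id", ssoId);
        ElytronMessages.log.debugf("Performing a single logout for SSO [%s]", ssoId);
        DefaultSingleSignOnSessionEntry entry = (DefaultSingleSignOnSessionEntry) this.cache.get(ssoId);
        if (entry == null) {
            ElytronMessages.log.debugf("No entry found for SSO [%s]. Nothing to notify", ssoId);
        } else {
            for (String localSession : entry.getLocalSessions()) {
                notifyParticipant(localSession);
            }
        }
        this.cache.remove(ssoId);
    }

    /**
     * POSTs the signed logout message for {@code localSession} to its participant URL (everything before the
     * last {@code ':'}). Any failure - bad URL, connection problem, signing error, non-2xx status (reported by
     * {@link HttpURLConnection#getInputStream()} as an IOException) - is logged as a warning.
     */
    private void notifyParticipant(String localSession) {
        String participantUrl = localSession.substring(0, localSession.lastIndexOf(":"));
        try {
            URL url = new URL(participantUrl);
            HttpURLConnection connection = (HttpURLConnection) url.openConnection();
            if (url.getProtocol().equalsIgnoreCase("https")) {
                // NOTE(review): sslContext may be null (the constructors allow it); the NPE is caught below.
                HttpsURLConnection httpsConnection = (HttpsURLConnection) connection;
                httpsConnection.setSSLSocketFactory(this.sslContext.getSocketFactory());
                httpsConnection.setHostnameVerifier(this.hostnameVerifier);
            }
            connection.setRequestMethod(HttpConstants.POST);
            connection.setDoOutput(true);
            connection.setAllowUserInteraction(false);
            connection.setConnectTimeout(LOGOUT_TIMEOUT_MILLIS);
            connection.setReadTimeout(LOGOUT_TIMEOUT_MILLIS);
            connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
            String body = LOGOUT_REQUEST_PARAMETER + "=" + createLogoutRequest(localSession);
            // writeBytes() emits one byte per char, so the char count is the byte count.
            connection.setRequestProperty("Content-Length", Integer.toString(body.length()));
            try (DataOutputStream out = new DataOutputStream(connection.getOutputStream())) {
                out.writeBytes(body);
            }
            // Opening the response stream completes the exchange; the body itself is not needed.
            connection.getInputStream().close();
        } catch (Exception e) {
            ElytronMessages.log.warnHttpMechSsoFailedLogoutParticipant(participantUrl, e);
        }
    }

    /**
     * Builds the logout message for {@code localSession}: {@code <sessionId>.<base64url(signature)>}, where the
     * session id is the part after the last {@code ':'} and the signature is computed over its UTF-8 bytes.
     *
     * @throws Exception if the private key cannot be read or signing fails
     */
    private String createLogoutRequest(String localSession) throws Exception {
        String localSessionId = localSession.substring(localSession.lastIndexOf(":") + 1);
        Signature signature = Signature.getInstance(DEFAULT_SIGNATURE_ALGORITHM);
        signature.initSign((PrivateKey) this.keyStore.getKey(this.keyAlias, this.keyPassword.toCharArray()));
        // UTF-8 on both the signing and verifying side, rather than the platform default charset.
        signature.update(localSessionId.getBytes(StandardCharsets.UTF_8));
        String encodedSignature = Base64.getUrlEncoder().encodeToString(signature.sign());
        return localSessionId + "." + encodedSignature;
    }

    /**
     * Verifies a logout message produced by {@link #createLogoutRequest} and returns the session id it names.
     * The message comes from a request parameter, so it is fully untrusted: a message without a signature part
     * is rejected before any key material is used, and a bad signature is rejected with the same error.
     *
     * @return the verified session id
     * @throws Exception if the message is malformed, the signature is invalid, or the certificate cannot be read
     */
    /* JADX INFO: Access modifiers changed from: private */
    public String verifyLogoutRequest(String logoutMessage) throws Exception {
        String[] parts = logoutMessage.split("\\.");
        if (parts.length < 2) {
            throw ElytronMessages.log.httpMechSsoInvalidLogoutMessage(logoutMessage);
        }
        String localSessionId = parts[0];
        Signature signature = Signature.getInstance(DEFAULT_SIGNATURE_ALGORITHM);
        signature.initVerify(this.keyStore.getCertificate(this.keyAlias));
        signature.update(localSessionId.getBytes(StandardCharsets.UTF_8));
        if (signature.verify(Base64.getUrlDecoder().decode(parts[1]))) {
            return localSessionId;
        }
        throw ElytronMessages.log.httpMechSsoInvalidLogoutMessage(localSessionId);
    }
}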
