package org.wildfly.security.http.oidc;

import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import org.apache.http.client.utils.URIBuilder;
import org.wildfly.security.http.oidc.AuthenticationError;
import org.wildfly.security.http.oidc.Oidc;
import org.wildfly.security.http.oidc.OidcHttpFacade;
import org.wildfly.security.http.oidc.ServerRequest;
import org.wildfly.security.http.oidc.TokenValidator;

/* loaded from: input_file:org/wildfly/security/http/oidc/OidcRequestAuthenticator.class */
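/**
 * Drives the OpenID Connect authorization-code flow for a single HTTP request.
 *
 * <p>Depending on what the request carries, {@link #authenticate()} either
 * <ul>
 *   <li>exchanges a returned {@code code} for tokens and verifies them (after checking the
 *       anti-CSRF state cookie against the {@code state} query parameter),</li>
 *   <li>reports an OAuth {@code error} returned by the provider, or</li>
 *   <li>prepares a redirect to the provider's authorization endpoint.</li>
 * </ul>
 *
 * <p>Not thread-safe: the per-request outcome (tokens, challenge, stripped request URI) is kept
 * in mutable fields, so one instance must serve exactly one request.
 */
public class OidcRequestAuthenticator {
    protected OidcClientConfiguration deployment;
    protected RequestAuthenticator reqAuthenticator;
    // Port used when a plain-HTTP request has to be redirected to HTTPS; a negative value disables
    // the redirect (see getRedirectUri).
    protected int sslRedirectPort;
    protected OidcTokenStore tokenStore;
    // Raw access token as returned by the provider.
    protected String tokenString;
    // Raw ID token as returned by the provider.
    protected String idTokenString;
    protected IDToken idToken;
    protected AccessToken token;
    protected OidcHttpFacade facade;
    // Challenge to send back when authentication did not succeed; null once authenticated.
    protected AuthChallenge challenge;
    protected String refreshToken;
    // Request URI with code/state/session_state removed, i.e. the redirect_uri used for the token exchange.
    protected String strippedOauthParametersRequestUri;

    /**
     * Creates an authenticator bound to one request.
     *
     * @param requestAuthenticator the owning request authenticator
     * @param oidcHttpFacade access to the current request and response
     * @param oidcClientConfiguration the OIDC client (deployment) configuration
     * @param i fallback HTTPS redirect port, used only when the configuration has no confidential port
     * @param oidcTokenStore store used to remember the original request across the login redirect
     */
    public OidcRequestAuthenticator(RequestAuthenticator requestAuthenticator, OidcHttpFacade oidcHttpFacade, OidcClientConfiguration oidcClientConfiguration, int i, OidcTokenStore oidcTokenStore) {
        this.reqAuthenticator = requestAuthenticator;
        this.facade = oidcHttpFacade;
        this.deployment = oidcClientConfiguration;
        // A configured confidential port wins over the port handed in by the caller.
        int confidentialPort = oidcClientConfiguration.getConfidentialPort();
        this.sslRedirectPort = confidentialPort != -1 ? confidentialPort : i;
        this.tokenStore = oidcTokenStore;
    }

    /** @return the challenge produced by the last {@link #authenticate()} call, or null if none */
    public AuthChallenge getChallenge() {
        return this.challenge;
    }

    /** @return the raw access token obtained from the code exchange, or null before it happened */
    public String getTokenString() {
        return this.tokenString;
    }

    /** @return the verified access token, or null if verification has not succeeded */
    public AccessToken getToken() {
        return this.token;
    }

    /** @return the raw refresh token obtained from the code exchange, or null */
    public String getRefreshToken() {
        return this.refreshToken;
    }

    /** @return the raw ID token obtained from the code exchange, or null */
    public String getIDTokenString() {
        return this.idTokenString;
    }

    /** Overrides the raw ID token string. */
    public void setIDTokenString(String str) {
        this.idTokenString = str;
    }

    /** @return the verified ID token, or null if verification has not succeeded */
    public IDToken getIDToken() {
        return this.idToken;
    }

    /** Overrides the verified ID token. */
    public void setIDToken(IDToken iDToken) {
        this.idToken = iDToken;
    }

    /** @return the request URI with the OAuth callback parameters removed, or null before the code exchange */
    public String getStrippedOauthParametersRequestUri() {
        return this.strippedOauthParametersRequestUri;
    }

    /** Overrides the stripped request URI. */
    public void setStrippedOauthParametersRequestUri(String str) {
        this.strippedOauthParametersRequestUri = str;
    }

    /** @return the URI of the current request as reported by the facade */
    protected String getRequestUrl() {
        return this.facade.getRequest().getURI();
    }

    /** @return whether the current request arrived over a secure (TLS) connection */
    protected boolean isRequestSecure() {
        return this.facade.getRequest().isSecure();
    }

    /** @return the named request cookie, or null if absent */
    protected OidcHttpFacade.Cookie getCookie(String str) {
        return this.facade.getRequest().getCookie(str);
    }

    /** @return the value of the named request cookie, or null if the cookie is absent */
    protected String getCookieValue(String str) {
        OidcHttpFacade.Cookie cookie = getCookie(str);
        return cookie == null ? null : cookie.getValue();
    }

    /** @return the {@code error} query parameter sent back by the provider, or null */
    protected String getError() {
        return Oidc.getQueryParamValue(this.facade, Oidc.ERROR);
    }

    /** @return the {@code code} query parameter sent back by the provider, or null */
    protected String getCode() {
        return Oidc.getQueryParamValue(this.facade, Oidc.CODE);
    }

    /**
     * Builds the URL of the provider's authorization endpoint for this request.
     *
     * <p>The current request URL becomes {@code redirect_uri} (switched to HTTPS first when the
     * configuration requires TLS for this client address). Hint-style query parameters
     * ({@code login_hint}, {@code kc_idp_hint}, {@code scope}, {@code prompt}, {@code max_age},
     * {@code ui_locales}) are removed from {@code redirect_uri} and forwarded to the provider
     * instead, so the callback URL stays stable.
     *
     * @param str the state value to bind this redirect to the state cookie
     * @return the authorization URL, or null when no auth URL is configured or an HTTPS redirect
     *         is required but no redirect port is configured
     * @throws RuntimeException (via ElytronMessages) when the URL cannot be built
     */
    protected String getRedirectUri(String str) {
        String requestUrl = getRequestUrl();
        ElytronMessages.log.debugf("callback uri: %s", requestUrl);
        try {
            if (!isRequestSecure() && this.deployment.getSSLRequired().isRequired(this.facade.getRequest().getRemoteAddr())) {
                int httpsPort = getSSLRedirectPort();
                if (httpsPort < 0) {
                    return null;
                }
                requestUrl = toHttps(requestUrl, httpsPort);
            }
            // Values are read from the request facade, not from the URL string, so they can be
            // collected before the URL is stripped.
            String loginHint = Oidc.getQueryParamValue(this.facade, Oidc.LOGIN_HINT);
            String idpHint = Oidc.getQueryParamValue(this.facade, Oidc.KC_IDP_HINT);
            String scope = Oidc.getQueryParamValue(this.facade, Oidc.SCOPE);
            String prompt = Oidc.getQueryParamValue(this.facade, Oidc.PROMPT);
            String maxAge = Oidc.getQueryParamValue(this.facade, Oidc.MAX_AGE);
            String uiLocales = Oidc.getQueryParamValue(this.facade, Oidc.UI_LOCALES);

            String redirectUri = requestUrl;
            for (String forwarded : new String[] {Oidc.LOGIN_HINT, Oidc.KC_IDP_HINT, Oidc.SCOPE, Oidc.PROMPT, Oidc.MAX_AGE, Oidc.UI_LOCALES}) {
                redirectUri = Oidc.stripQueryParam(redirectUri, forwarded);
            }

            if (this.deployment.getAuthUrl() == null) {
                return null;
            }
            URIBuilder authRequest = new URIBuilder(this.deployment.getAuthUrl())
                    .addParameter(Oidc.RESPONSE_TYPE, Oidc.CODE)
                    .addParameter(Oidc.CLIENT_ID, this.deployment.getResourceName())
                    .addParameter(Oidc.REDIRECT_URI, rewrittenRedirectUri(redirectUri))
                    .addParameter(Oidc.STATE, str);
            addIfPresent(authRequest, Oidc.LOGIN_HINT, loginHint);
            addIfPresent(authRequest, Oidc.KC_IDP_HINT, idpHint);
            addIfPresent(authRequest, Oidc.PROMPT, prompt);
            addIfPresent(authRequest, Oidc.MAX_AGE, maxAge);
            addIfPresent(authRequest, Oidc.UI_LOCALES, uiLocales);
            // scope is always sent, and always contains "openid".
            authRequest.addParameter(Oidc.SCOPE, addOidcScopeIfNeeded(scope));
            return authRequest.build().toString();
        } catch (URISyntaxException e) {
            throw ElytronMessages.log.unableToCreateRedirectResponse(e);
        }
    }

    /** Rewrites {@code url} to the https scheme on {@code port} (omitting the port when it is 443). */
    private static String toHttps(String url, int port) throws URISyntaxException {
        URIBuilder secure = new URIBuilder(url).setScheme("https");
        if (port != 443) {
            secure.setPort(port);
        }
        return secure.build().toString();
    }

    /** Adds {@code name=value} to {@code builder} only when {@code value} is non-null and non-empty. */
    private static void addIfPresent(URIBuilder builder, String name, String value) {
        if (value != null && !value.isEmpty()) {
            builder.addParameter(name, value);
        }
    }

    /** @return the port to redirect to when TLS is required but the request is plain HTTP */
    protected int getSSLRedirectPort() {
        return this.sslRedirectPort;
    }

    /** @return a fresh random state value for the authorization request */
    protected String getStateCode() {
        return Oidc.generateId();
    }

    /**
     * Prepares the redirect to the provider's login page.
     *
     * <p>The returned challenge saves the current request in the token store, sets the state
     * cookie and answers with {@code 302 Location: <authorization URL>}. When no redirect URL can
     * be built, a {@code 403} challenge with reason {@code NO_REDIRECT_URI} is returned instead.
     *
     * @return the challenge to send; never null
     */
    protected AuthChallenge loginRedirect() {
        final String stateCode = getStateCode();
        final String redirectUri = getRedirectUri(stateCode);
        if (redirectUri == null) {
            return challenge(403, AuthenticationError.Reason.NO_REDIRECT_URI, null);
        }
        return new AuthChallenge() {
            @Override
            public int getResponseCode() {
                return 0;
            }

            @Override
            public boolean challenge(OidcHttpFacade oidcHttpFacade) {
                // Remember the original request so it can be replayed after the callback.
                OidcRequestAuthenticator.this.tokenStore.saveRequest();
                ElytronMessages.log.debug("Sending redirect to login page: " + redirectUri);
                oidcHttpFacade.getResponse().setStatus(302);
                boolean secureCookie = OidcRequestAuthenticator.this.deployment.getSSLRequired()
                        .isRequired(OidcRequestAuthenticator.this.facade.getRequest().getRemoteAddr());
                // Trailing arguments are presumably (maxAge, secure, httpOnly) — confirm against
                // OidcHttpFacade.Response.setCookie.
                oidcHttpFacade.getResponse().setCookie(OidcRequestAuthenticator.this.deployment.getStateCookieName(), stateCode, "/", null, -1, secureCookie, true);
                oidcHttpFacade.getResponse().setHeader("Location", redirectUri);
                return true;
            }
        };
    }

    /**
     * Verifies that the {@code state} query parameter of the callback matches the state cookie
     * set by {@link #loginRedirect()}.
     *
     * <p>The cookie is cleared on the response in every case, so a state value can be used only once.
     *
     * @return null when the state matches, otherwise a {@code 400} challenge with reason
     *         {@code INVALID_STATE_COOKIE}
     */
    protected AuthChallenge checkStateCookie() {
        String cookieName = this.deployment.getStateCookieName();
        OidcHttpFacade.Cookie cookie = getCookie(cookieName);
        if (cookie == null) {
            ElytronMessages.log.warn("No state cookie");
            return challenge(400, AuthenticationError.Reason.INVALID_STATE_COOKIE, null);
        }
        ElytronMessages.log.debug("** reseting application state cookie");
        this.facade.getResponse().resetCookie(cookieName, cookie.getPath());
        String cookieValue = cookie.getValue();
        String stateParam = Oidc.getQueryParamValue(this.facade, Oidc.STATE);
        if (stateParam == null) {
            ElytronMessages.log.warn("state parameter was null");
            return challenge(400, AuthenticationError.Reason.INVALID_STATE_COOKIE, null);
        }
        if (constantTimeEquals(stateParam, cookieValue)) {
            return null;
        }
        ElytronMessages.log.warn("state parameter invalid");
        ElytronMessages.log.warn("cookie: " + cookieValue);
        ElytronMessages.log.warn("queryParam: " + stateParam);
        return challenge(400, AuthenticationError.Reason.INVALID_STATE_COOKIE, null);
    }

    /**
     * Compares two strings without short-circuiting on the first differing byte, so the comparison
     * time does not reveal how much of the attacker-supplied value matched. Only the length may
     * still be observable, which is acceptable for a random state nonce.
     *
     * @return true when both are non-null and byte-for-byte equal in UTF-8
     */
    private static boolean constantTimeEquals(String a, String b) {
        if (a == null || b == null) {
            return false;
        }
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Runs the authorization-code flow for the current request.
     *
     * @return {@code AUTHENTICATED} when a code was exchanged and verified, {@code FAILED} when a
     *         code or error was present but could not be accepted (see {@link #getChallenge()}),
     *         {@code NOT_ATTEMPTED} when the request is being redirected to the provider
     */
    public Oidc.AuthOutcome authenticate() {
        String code = getCode();
        if (code != null) {
            ElytronMessages.log.debug("there was a code, resolving");
            this.challenge = resolveCode(code);
            return this.challenge != null ? Oidc.AuthOutcome.FAILED : Oidc.AuthOutcome.AUTHENTICATED;
        }
        ElytronMessages.log.debug("there was no code");
        String error = getError();
        if (error != null) {
            ElytronMessages.log.warn("There was an error: " + error);
            this.challenge = challenge(400, AuthenticationError.Reason.OAUTH_ERROR, error);
            return Oidc.AuthOutcome.FAILED;
        }
        ElytronMessages.log.debug("redirecting to auth server");
        this.challenge = loginRedirect();
        return Oidc.AuthOutcome.NOT_ATTEMPTED;
    }

    /**
     * Creates a challenge that records an {@link AuthenticationError} on the request and answers
     * with the given HTTP status.
     *
     * @param i HTTP status code to send
     * @param reason why authentication failed
     * @param str optional description (e.g. the provider's {@code error} value); may be null
     * @return the challenge; never null
     */
    protected AuthChallenge challenge(final int i, final AuthenticationError.Reason reason, final String str) {
        return new AuthChallenge() {
            @Override
            public int getResponseCode() {
                return i;
            }

            @Override
            public boolean challenge(OidcHttpFacade oidcHttpFacade) {
                oidcHttpFacade.getRequest().setError(new AuthenticationError(reason, str));
                oidcHttpFacade.getResponse().sendError(i);
                return true;
            }
        };
    }

    /**
     * Handles the provider callback: enforces TLS where required, checks the state cookie,
     * exchanges {@code str} for tokens, verifies them and applies the not-before policy.
     *
     * <p>On success the token fields of this instance are populated and null is returned.
     *
     * @param str the authorization code from the callback
     * @return null when authenticated, otherwise a {@code 403} (or {@code 400} for state
     *         problems) challenge describing the failure
     */
    protected AuthChallenge resolveCode(String str) {
        if (!isRequestSecure() && this.deployment.getSSLRequired().isRequired(this.facade.getRequest().getRemoteAddr())) {
            ElytronMessages.log.error("SSL required. Request: " + getRequestUrl());
            return challenge(403, AuthenticationError.Reason.SSL_REQUIRED, null);
        }
        ElytronMessages.log.debug("checking state cookie for after code");
        AuthChallenge stateProblem = checkStateCookie();
        if (stateProblem != null) {
            return stateProblem;
        }
        // redirect_uri sent to the token endpoint must equal the one used in the authorization
        // request, i.e. the callback URL without the parameters the provider appended.
        this.strippedOauthParametersRequestUri = rewrittenRedirectUri(stripOauthParametersFromRedirect(getRequestUrl()));
        try {
            AccessAndIDTokenResponse tokenResponse = ServerRequest.invokeAccessCodeToToken(this.deployment, str, this.strippedOauthParametersRequestUri);
            this.tokenString = tokenResponse.getAccessToken();
            this.refreshToken = tokenResponse.getRefreshToken();
            this.idTokenString = tokenResponse.getIDToken();
            ElytronMessages.log.debug("Verifying tokens");
            Oidc.logToken("\taccess_token", this.tokenString);
            Oidc.logToken("\tid_token", this.idTokenString);
            Oidc.logToken("\trefresh_token", this.refreshToken);
            try {
                TokenValidator.VerifiedTokens verified = TokenValidator.builder(this.deployment).build().parseAndVerifyToken(this.idTokenString, this.tokenString);
                this.idToken = verified.getIdToken();
                this.token = verified.getAccessToken();
                ElytronMessages.log.debug("Token Verification succeeded!");
                if (tokenResponse.getNotBeforePolicy() > this.deployment.getNotBefore()) {
                    this.deployment.updateNotBefore(tokenResponse.getNotBeforePolicy());
                }
                // A token without an issued-at claim cannot be shown to satisfy the not-before
                // policy, so it is rejected like a stale one instead of failing with an NPE.
                Number issuedAt = this.token.getIssuedAt();
                if (issuedAt == null || issuedAt.longValue() < this.deployment.getNotBefore()) {
                    ElytronMessages.log.error("Stale token");
                    return challenge(403, AuthenticationError.Reason.STALE_TOKEN, null);
                }
                ElytronMessages.log.debug("successfully authenticated");
                return null;
            } catch (OidcException e) {
                ElytronMessages.log.failedVerificationOfToken(e.getMessage());
                return challenge(403, AuthenticationError.Reason.INVALID_TOKEN, null);
            }
        } catch (IOException e2) {
            ElytronMessages.log.error("failed to turn code into token", e2);
            return challenge(403, AuthenticationError.Reason.CODE_TO_TOKEN_FAILURE, null);
        } catch (ServerRequest.HttpFailure e3) {
            ElytronMessages.log.error("failed to turn code into token");
            ElytronMessages.log.error("status from server: " + e3.getStatus());
            if (e3.getError() != null && !e3.getError().trim().isEmpty()) {
                ElytronMessages.log.error("   " + e3.getError());
            }
            return challenge(403, AuthenticationError.Reason.CODE_TO_TOKEN_FAILURE, null);
        }
    }

    /** Removes the {@code code}, {@code state} and {@code session_state} parameters the provider appended to the callback. */
    private static String stripOauthParametersFromRedirect(String str) {
        String result = str;
        for (String name : new String[] {Oidc.CODE, Oidc.STATE, Oidc.SESSION_STATE}) {
            result = Oidc.stripQueryParam(result, name);
        }
        return result;
    }

    /**
     * Applies the configured redirect rewrite rule to {@code str}.
     *
     * <p>Only the first rule of the map is applied; its key is used as a regular expression
     * against the URL path (see {@link String#replaceFirst}). The rewritten URL consists of
     * scheme, authority and path only — any query string of {@code str} is dropped.
     *
     * @param str an absolute URL
     * @return {@code str} unchanged when no rules are configured, otherwise the rewritten URL
     * @throws IllegalArgumentException when {@code str} is not a valid URL and a rule is configured
     */
    private String rewrittenRedirectUri(String str) {
        Map<String, String> rules = this.deployment.getRedirectRewriteRules();
        if (rules == null || rules.isEmpty()) {
            return str;
        }
        try {
            URL url = new URL(str);
            Map.Entry<String, String> rule = rules.entrySet().iterator().next();
            StringBuilder rewritten = new StringBuilder(url.getProtocol());
            rewritten.append("://").append(url.getAuthority());
            rewritten.append(url.getPath().replaceFirst(rule.getKey(), rule.getValue()));
            return rewritten.toString();
        } catch (MalformedURLException e) {
            ElytronMessages.log.error("Not a valid request url");
            throw new IllegalArgumentException(e);
        }
    }

    /**
     * Ensures the {@code openid} scope is requested.
     *
     * @param str the caller-supplied space-separated scope list; may be null or empty
     * @return {@code openid} alone when {@code str} is empty, {@code str} when it already contains
     *         {@code openid}, otherwise {@code str} with {@code openid} prepended
     */
    private static String addOidcScopeIfNeeded(String str) {
        if (str == null || str.isEmpty()) {
            return Oidc.OIDC_SCOPE;
        }
        if (hasScope(str, Oidc.OIDC_SCOPE)) {
            return str;
        }
        return "openid " + str;
    }

    /** @return true when the space-separated list {@code str} contains exactly the token {@code str2} */
    private static boolean hasScope(String str, String str2) {
        if (str == null || str2 == null) {
            return false;
        }
        for (String candidate : str.split(" ")) {
            if (str2.equals(candidate)) {
                return true;
            }
        }
        return false;
    }
}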
