package org.kontinuity.catapult.web.api;

import java.io.StringReader;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.json.Json;
import javax.json.JsonException;
import javax.json.JsonObject;
import javax.json.JsonReader;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.validation.constraints.NotNull;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.ProcessingException;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.client.Entity;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedHashMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import org.kontinuity.catapult.service.github.CatapultAppId;
import org.kontinuity.catapult.service.github.CatapultAppOAuthSecret;

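/**
 * GitHub OAuth "web application flow" endpoints.
 *
 * <p>{@code GET /github/authorize?redirect_url=...} mints a random nonce, stores it in the
 * HTTP session and sends the browser to GitHub with a {@code state} value that carries the
 * nonce and the post-login redirect target. {@code GET /github/callback?code=...&state=...}
 * checks the nonce against the session, exchanges the code for an access token, stores the
 * token in the session and redirects to the requested target. {@code GET /github/verify}
 * reports whether the session currently holds a token.
 *
 * <p>Security notes: the nonce check is the defence against login-CSRF, so the callback never
 * spends the authorization code before it passes; the redirect target is user-supplied and is
 * only honoured when it stays on this application's origin (see {@link #isSafeRedirect}),
 * otherwise the callback would be an open redirector; authorization codes, access tokens and
 * the client secret are kept out of the log.
 */
@Path(GitHubResource.PATH_GITHUB)
@ApplicationScoped
public class GitHubResource {

    public static final String MSG_NO_STATE = "No initiating state found in the session; potential in-the-middle attack";
    public static final String MSG_UNMATCHED_STATE = "Expected state does not match specified; potential in-the-middle attack";
    public static final String MSG_NO_REDIRECT = "No redirect found in the state after OAuth";
    public static final String MSG_MALFORMED_STATE = "State parameter is not a base64-encoded JSON object";
    public static final String MSG_UNSAFE_REDIRECT = "Redirect URL must be an absolute path on this host or share this host's origin";
    public static final String MSG_MISSING_PARAMETER = "Required query parameter is missing or empty";
    public static final String MSG_TOKEN_EXCHANGE_FAILED = "GitHub did not issue an access token for the supplied code";
    public static final String PATH_GITHUB = "/github";
    public static final String PATH_CALLBACK = "/callback";
    public static final String PATH_AUTHORIZE = "/authorize";
    public static final String PATH_VERIFY = "/verify";

    /** Session key under which the GitHub access token is kept once the flow completes. */
    static final String SESSION_ATTRIBUTE_GITHUB_ACCESS_TOKEN = "GitHubAccessToken";
    /** Session key for the single-use anti-CSRF nonce created by {@link #authorize}. */
    static final String SESSION_ATTRIBUTE_GITHUB_OAUTH_STATE_UUID = "GitHubOAuthState";
    static final String QUERY_PARAM_REDIRECT_URL = "redirect_url";

    private static final String GITHUB_OAUTH_AUTH_URL = "https://github.com/login/oauth/authorize";
    private static final String GITHUB_OAUTH_ACCESS_TOKEN_URL = "https://github.com/login/oauth/access_token";
    private static final String QUERY_PARAM_CLIENT_ID_NAME = "client_id";
    private static final String QUERY_PARAM_SCOPE_NAME = "scope";
    private static final String QUERY_PARAM_SCOPE_VALUE = "user:email,public_repo";
    private static final String QUERY_PARAM_STATE_NAME = "state";
    private static final String QUERY_PARAM_CODE_NAME = "code";
    private static final String JSON_PARAM_TOKEN_NAME = "access_token";
    private static final String JSON_PARAM_ERROR_NAME = "error";
    private static final String TOKEN_REQUEST_PARAM_CLIENT_ID_NAME = "client_id";
    private static final String TOKEN_REQUEST_PARAM_CLIENT_SECRET_NAME = "client_secret";
    private static final String TOKEN_REQUEST_PARAM_CODE_NAME = "code";
    private static final String TOKEN_REQUEST_PARAM_STATE_NAME = "state";
    private static final String STATE_ATTR_UUID = "uuid";
    private static final String STATE_ATTR_REDIRECT_URL = "redirect_url";
    private static final String VERIFY_ATTR_ACCESS_TOKEN = "session_has_github_access_token";

    private static final Logger log = Logger.getLogger(GitHubResource.class.getName());

    /** OAuth client id of the registered GitHub application. */
    @Inject
    @CatapultAppId
    private String catapultAppId;

    /** OAuth client secret; only ever sent to GitHub's token endpoint, never logged or echoed. */
    @Inject
    @CatapultAppOAuthSecret
    private String catapultOAuthDevAppSecret;

    /**
     * Reports whether the caller's session already holds a GitHub access token.
     *
     * @return {@code 200} with {@code {"session_has_github_access_token": true|false}}
     */
    @GET
    @Produces({MediaType.APPLICATION_JSON})
    @Path(PATH_VERIFY)
    public Response verify(@Context HttpServletRequest httpServletRequest) {
        // getSession(false): a probe from a browser without a session should not mint one
        HttpSession session = httpServletRequest.getSession(false);
        boolean hasToken = session != null
                && session.getAttribute(SESSION_ATTRIBUTE_GITHUB_ACCESS_TOKEN) != null;
        JsonObject body = Json.createObjectBuilder().add(VERIFY_ATTR_ACCESS_TOKEN, hasToken).build();
        return Response.ok(body, MediaType.APPLICATION_JSON_TYPE).build();
    }

    /**
     * Starts the OAuth flow: records a fresh nonce in the session and redirects the browser
     * to GitHub's authorize page.
     *
     * @param redirectUrl where to send the browser after the callback completes; must be an
     *                    absolute path on this host or an absolute URL on this host's origin
     * @return {@code 307} to GitHub, or {@code 400} when the redirect target is missing or
     *         points off-origin
     */
    @GET
    @Path(PATH_AUTHORIZE)
    public Response authorize(@Context HttpServletRequest httpServletRequest,
                              @NotNull @QueryParam(QUERY_PARAM_REDIRECT_URL) String redirectUrl) {
        if (isBlank(redirectUrl)) {
            return Response.status(Response.Status.BAD_REQUEST).entity(MSG_MISSING_PARAMETER).build();
        }
        // Reject off-origin targets up front so a crafted /authorize link cannot be used to
        // bounce a victim through GitHub to an attacker-controlled site.
        if (!isSafeRedirect(redirectUrl, requestOrigin(httpServletRequest))) {
            return Response.status(Response.Status.BAD_REQUEST).entity(MSG_UNSAFE_REDIRECT).build();
        }
        // UUID.randomUUID() draws from SecureRandom; this is the nonce the callback must echo
        String nonce = UUID.randomUUID().toString();
        httpServletRequest.getSession().setAttribute(SESSION_ATTRIBUTE_GITHUB_OAUTH_STATE_UUID, nonce);

        URI authorizeUri = UriBuilder.fromUri(GITHUB_OAUTH_AUTH_URL)
                .queryParam(QUERY_PARAM_CLIENT_ID_NAME, catapultAppId)
                .queryParam(QUERY_PARAM_SCOPE_NAME, QUERY_PARAM_SCOPE_VALUE)
                .queryParam(QUERY_PARAM_STATE_NAME, serializeState(nonce, redirectUrl))
                // Not a GitHub parameter (GitHub's is redirect_uri); kept for compatibility with
                // the original flow. The target the callback acts on is the one inside state.
                .queryParam(QUERY_PARAM_REDIRECT_URL, redirectUrl)
                .build();
        return Response.temporaryRedirect(authorizeUri).build();
    }

    /**
     * Completes the OAuth flow after GitHub sends the browser back.
     *
     * <p>Order matters: the state nonce is checked against the session and consumed, the
     * redirect target is re-validated, and only then is the code exchanged for a token and
     * the token stored in the session.
     *
     * @param code  GitHub's one-time authorization code (a credential; not logged)
     * @param state the opaque value produced by {@link #authorize}
     * @return {@code 307} to the requested target on success; {@code 401} when the session
     *         has no nonce, the nonce does not match, or GitHub refuses the code;
     *         {@code 400} for a malformed state, a missing or off-origin redirect target, or
     *         missing parameters; {@code 502} when the token endpoint cannot be reached
     */
    @GET
    @Path(PATH_CALLBACK)
    public Response callback(@Context HttpServletRequest httpServletRequest,
                             @NotNull @QueryParam(QUERY_PARAM_CODE_NAME) String code,
                             @NotNull @QueryParam(QUERY_PARAM_STATE_NAME) String state) {
        if (log.isLoggable(Level.FINEST)) {
            // state is opaque and non-secret; the code is a credential and deliberately omitted
            log.finest(String.format("%s: state=%s", PATH_CALLBACK, state));
        }
        if (isBlank(code) || isBlank(state)) {
            return Response.status(Response.Status.BAD_REQUEST).entity(MSG_MISSING_PARAMETER).build();
        }

        HttpSession session = httpServletRequest.getSession();
        String expectedNonce = (String) session.getAttribute(SESSION_ATTRIBUTE_GITHUB_OAUTH_STATE_UUID);
        if (expectedNonce == null) {
            return Response.status(Response.Status.UNAUTHORIZED).entity(MSG_NO_STATE).build();
        }

        JsonObject stateObject;
        try {
            stateObject = deserializeState(state);
        } catch (IllegalArgumentException e) {
            // attacker-controlled input: a parse failure is a 400, not a stack trace
            return Response.status(Response.Status.BAD_REQUEST).entity(MSG_MALFORMED_STATE).build();
        }
        String presentedNonce = stateObject.getString(STATE_ATTR_UUID, null);
        if (presentedNonce == null || !constantTimeEquals(expectedNonce, presentedNonce)) {
            return Response.status(Response.Status.UNAUTHORIZED).entity(MSG_UNMATCHED_STATE).build();
        }
        // The nonce is single-use: consume it as soon as it has matched so a replayed callback
        // URL cannot pass this check a second time, whatever happens below.
        session.removeAttribute(SESSION_ATTRIBUTE_GITHUB_OAUTH_STATE_UUID);

        String target = stateObject.getString(STATE_ATTR_REDIRECT_URL, null);
        if (isBlank(target)) {
            return Response.status(Response.Status.BAD_REQUEST).entity(MSG_NO_REDIRECT).build();
        }
        // authorize() vetted the target, but state round-trips through the browser, so it is
        // re-checked before being acted on; this is what stops the callback being an open redirect
        if (!isSafeRedirect(target, requestOrigin(httpServletRequest))) {
            return Response.status(Response.Status.BAD_REQUEST).entity(MSG_UNSAFE_REDIRECT).build();
        }

        String accessToken;
        try {
            accessToken = exchangeCodeForToken(code, state);
        } catch (ProcessingException | WebApplicationException e) {
            log.log(Level.WARNING, "GitHub token exchange failed", e);
            return Response.status(Response.Status.BAD_GATEWAY).entity(MSG_TOKEN_EXCHANGE_FAILED).build();
        }
        if (accessToken == null) {
            return Response.status(Response.Status.UNAUTHORIZED).entity(MSG_TOKEN_EXCHANGE_FAILED).build();
        }
        session.setAttribute(SESSION_ATTRIBUTE_GITHUB_ACCESS_TOKEN, accessToken);

        if (log.isLoggable(Level.FINE)) {
            log.fine(String.format("%s: redirecting to %s", PATH_CALLBACK, target));
        }
        return Response.temporaryRedirect(UriBuilder.fromUri(target).build()).build();
    }

    /**
     * Decides whether a redirect target stays on this application's origin.
     *
     * <p>Accepted: an absolute path ({@code /foo}, but not the scheme-relative {@code //host/foo}),
     * or an absolute URL whose scheme, host and effective port equal those of {@code origin}.
     * Everything else (another host, {@code javascript:}/{@code data:}, unparseable input) is
     * rejected.
     *
     * @param target the user-supplied redirect target
     * @param origin the scheme/host/port the request arrived on, or {@code null} if unknown,
     *               in which case only path-only targets are accepted
     */
    static boolean isSafeRedirect(String target, URI origin) {
        if (isBlank(target)) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(target);
        } catch (URISyntaxException e) {
            return false;
        }
        if (uri.getScheme() == null && uri.getRawAuthority() == null) {
            // path-relative: insist on a leading "/" so "//evil" cannot sneak in as a path
            String path = uri.getRawPath();
            return path != null && path.startsWith("/") && !path.startsWith("//");
        }
        if (origin == null || uri.getScheme() == null || uri.getHost() == null) {
            return false;
        }
        return uri.getScheme().equalsIgnoreCase(origin.getScheme())
                && uri.getHost().equalsIgnoreCase(origin.getHost())
                && effectivePort(uri) == effectivePort(origin);
    }

    /** Explicit port, or the scheme default (443 for https, otherwise 80). */
    private static int effectivePort(URI uri) {
        if (uri.getPort() != -1) {
            return uri.getPort();
        }
        return "https".equalsIgnoreCase(uri.getScheme()) ? 443 : 80;
    }

    /**
     * The origin the container believes this request arrived on.
     *
     * <p>NOTE(review): behind a TLS-terminating reverse proxy {@code getRequestURL()} reflects the
     * container's own view unless the connector honours X-Forwarded-*; a configured allow-list of
     * redirect origins would be more robust than deriving it from the request — confirm deployment.
     */
    private static URI requestOrigin(HttpServletRequest request) {
        try {
            return new URI(request.getRequestURL().toString());
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /** Length-independent comparison so the nonce check leaks nothing via timing. */
    private static boolean constantTimeEquals(String expected, String presented) {
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
    }

    private static boolean isBlank(String value) {
        return value == null || value.isEmpty();
    }

    /**
     * Encodes the nonce and redirect target as the opaque {@code state} value sent to GitHub.
     *
     * <p>URL-safe, unpadded base64 is used because the standard alphabet's {@code +} and
     * {@code /} are legal in a query string and typically survive {@link UriBuilder} unescaped,
     * and {@code +} is commonly decoded as a space on the way back in, which would corrupt the
     * state. {@link #deserializeState} still accepts the standard alphabet for states already
     * in flight.
     *
     * @throws IllegalArgumentException when either argument is missing
     */
    private static String serializeState(String nonce, String redirectUrl) {
        if (isBlank(nonce)) {
            throw new IllegalArgumentException("uuid is required");
        }
        if (isBlank(redirectUrl)) {
            throw new IllegalArgumentException("redirectUrl is required");
        }
        String json = Json.createObjectBuilder()
                .add(STATE_ATTR_UUID, nonce)
                .add(STATE_ATTR_REDIRECT_URL, redirectUrl)
                .build()
                .toString();
        return Base64.getUrlEncoder().withoutPadding().encodeToString(json.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Decodes a {@code state} value produced by {@link #serializeState}.
     *
     * <p>The input comes straight from the browser; every failure mode (bad base64, invalid
     * JSON, a JSON value that is not an object) surfaces as {@link IllegalArgumentException}
     * so the caller can answer with a 4xx rather than a 500.
     *
     * @throws IllegalArgumentException when the value is missing or cannot be decoded
     */
    static JsonObject deserializeState(String base64State) {
        if (isBlank(base64State)) {
            throw new IllegalArgumentException("base64state is required");
        }
        byte[] raw = decodeBase64(base64State);
        try (JsonReader reader = Json.createReader(new StringReader(new String(raw, StandardCharsets.UTF_8)))) {
            return reader.readObject();
        } catch (JsonException e) {
            throw new IllegalArgumentException("state is not a JSON object", e);
        }
    }

    /** URL-safe alphabet first (current encoder), falling back to the standard alphabet. */
    private static byte[] decodeBase64(String value) {
        byte[] bytes = value.getBytes(StandardCharsets.UTF_8);
        try {
            return Base64.getUrlDecoder().decode(bytes);
        } catch (IllegalArgumentException urlSafeFailed) {
            try {
                return Base64.getDecoder().decode(bytes);
            } catch (IllegalArgumentException e) {
                throw new IllegalArgumentException("state is not valid base64", e);
            }
        }
    }

    /**
     * Exchanges the authorization code for an access token at GitHub's token endpoint.
     *
     * @return the access token, or {@code null} when GitHub answered without one (GitHub may
     *         report a bad or expired code as a 200 carrying an {@code error} member)
     * @throws ProcessingException    when the endpoint cannot be reached or the reply cannot be read
     * @throws WebApplicationException when the endpoint answers with a non-2xx status
     */
    private String exchangeCodeForToken(String code, String state) {
        Client client = ClientBuilder.newClient();
        try {
            MultivaluedHashMap<String, String> form = new MultivaluedHashMap<>();
            form.putSingle(TOKEN_REQUEST_PARAM_CLIENT_ID_NAME, catapultAppId);
            form.putSingle(TOKEN_REQUEST_PARAM_CLIENT_SECRET_NAME, catapultOAuthDevAppSecret);
            form.putSingle(TOKEN_REQUEST_PARAM_CODE_NAME, code);
            form.putSingle(TOKEN_REQUEST_PARAM_STATE_NAME, state);
            JsonObject reply = client.target(GITHUB_OAUTH_ACCESS_TOKEN_URL)
                    .request()
                    .accept(MediaType.APPLICATION_JSON_TYPE)
                    .post(Entity.form(form), JsonObject.class);
            String token = reply.getString(JSON_PARAM_TOKEN_NAME, null);
            if (token == null) {
                // log only GitHub's error code; the reply may also carry a description we do not need
                log.warning(String.format("%s: token exchange rejected: %s", PATH_CALLBACK,
                        reply.getString(JSON_PARAM_ERROR_NAME, "unknown")));
            }
            return token;
        } finally {
            // the client holds connection resources; the original leaked one per callback
            client.close();
        }
    }
}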
