package org.gatein.security.oauth.google;

import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeRequestUrl;
import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeTokenRequest;
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.googleapis.auth.oauth2.GoogleRefreshTokenRequest;
import com.google.api.client.googleapis.auth.oauth2.GoogleTokenResponse;
import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.HttpResponseException;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.jackson.JacksonFactory;
import com.google.api.services.oauth2.Oauth2;
import com.google.api.services.oauth2.model.Tokeninfo;
import com.google.api.services.oauth2.model.Userinfo;
import com.google.api.services.plus.Plus;
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.exoplatform.container.ExoContainerContext;
import org.exoplatform.container.xml.InitParams;
import org.exoplatform.container.xml.ValueParam;
import org.exoplatform.services.organization.UserProfile;
import org.exoplatform.web.security.security.SecureRandomService;
import org.gatein.common.logging.Logger;
import org.gatein.common.logging.LoggerFactory;
import org.gatein.security.oauth.common.OAuthConstants;
import org.gatein.security.oauth.exception.OAuthException;
import org.gatein.security.oauth.exception.OAuthExceptionCode;
import org.gatein.security.oauth.spi.AccessTokenContext;
import org.gatein.security.oauth.spi.InteractionState;
import org.gatein.security.oauth.spi.OAuthCodec;
import org.gatein.security.oauth.utils.OAuthPersistenceUtils;

/* loaded from: input_file:org/gatein/security/oauth/google/GoogleProcessorImpl.class */
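/**
 * Google implementation of the portal's OAuth 2.0 provider processor.
 *
 * <p>The class drives the authorization-code flow (redirect to Google, callback handling,
 * code-for-token exchange), validates the received token against Google's tokeninfo endpoint,
 * and stores/loads/removes the tokens in a {@link UserProfile} through an {@link OAuthCodec}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The client secret, access tokens and refresh tokens are never written to the log.</li>
 *   <li>The {@code state} value kept in the HTTP session is the anti-CSRF check for the callback;
 *       it is compared with the request parameter before anything else in the callback is read.</li>
 *   <li>{@link #validateTokenAndUpdateScopes} rejects tokens that were not issued to this
 *       application's client id.</li>
 * </ul>
 */
public class GoogleProcessorImpl implements GoogleProcessor {
    private static final Logger log = LoggerFactory.getLogger(GoogleProcessorImpl.class);

    /** Value shipped in the default configuration that an administrator has to replace. */
    private static final String UNCONFIGURED_PLACEHOLDER = "<<to be replaced>>";

    private final String redirectURL;
    private final String clientID;
    private final String clientSecret;
    private final String accessType;
    private final String applicationName;
    private final int chunkLength;
    private final SecureRandomService secureRandomService;
    private final Set<String> scopes = new HashSet<>();
    private final HttpTransport TRANSPORT = new NetHttpTransport();
    private final JacksonFactory JSON_FACTORY = new JacksonFactory();

    /**
     * Reads the processor configuration from {@code initParams}.
     *
     * @param exoContainerContext supplies the portal container name used in the redirect URL
     * @param initParams configuration holding {@code clientId}, {@code clientSecret},
     *     {@code redirectURL}, the scope parameter, {@code accessType}, and optionally
     *     {@code applicationName}
     * @param secureRandomService source of the random {@code state} value
     * @throws IllegalArgumentException if {@code clientId} or {@code clientSecret} is missing,
     *     blank, or still the shipped placeholder
     */
    public GoogleProcessorImpl(ExoContainerContext exoContainerContext, InitParams initParams, SecureRandomService secureRandomService) {
        // Null-safe reads: a missing parameter must reach the explicit checks below instead of
        // failing earlier with a NullPointerException.
        this.clientID = paramValue(initParams, "clientId");
        this.clientSecret = paramValue(initParams, "clientSecret");
        String configuredRedirect = paramValue(initParams, "redirectURL");
        String configuredScopes = paramValue(initParams, OAuthConstants.SCOPE_PARAMETER);
        this.accessType = paramValue(initParams, "accessType");
        String configuredAppName = paramValue(initParams, "applicationName");
        this.applicationName = configuredAppName == null ? "GateIn portal" : configuredAppName;

        if (isUnconfigured(this.clientID)) {
            throw new IllegalArgumentException("Property 'clientId' needs to be provided. The value should be clientId of your Google application");
        }
        if (isUnconfigured(this.clientSecret)) {
            throw new IllegalArgumentException("Property 'clientSecret' needs to be provided. The value should be clientSecret of your Google application");
        }

        if (configuredRedirect == null || configuredRedirect.length() == 0) {
            // Development default over plain HTTP on localhost; deployments are expected to
            // configure an explicit redirectURL.
            this.redirectURL = "http://localhost:8080/" + exoContainerContext.getName() + OAuthConstants.GOOGLE_AUTHENTICATION_URL_PATH;
        } else {
            // Literal replacement: neither the marker nor the container name is a regex.
            this.redirectURL = configuredRedirect.replace("@@portal.container.name@@", exoContainerContext.getName());
        }

        addScopesFromString(configuredScopes, this.scopes);
        this.chunkLength = OAuthPersistenceUtils.getChunkLength(initParams);
        if (log.isDebugEnabled()) {
            // The client secret is a long-lived credential and is deliberately not logged.
            log.debug("configuration: clientId=" + this.clientID + ", clientSecret=<redacted>, redirectURL=" + this.redirectURL + ", scope=" + this.scopes + ", accessType=" + this.accessType + ", applicationName=" + this.applicationName + ", chunkLength=" + this.chunkLength);
        }
        this.secureRandomService = secureRandomService;
    }

    /** Returns the value of the named init parameter, or {@code null} when it is not configured. */
    private static String paramValue(InitParams initParams, String name) {
        ValueParam param = initParams.getValueParam(name);
        return param == null ? null : param.getValue();
    }

    /** Tells whether a mandatory setting is missing, blank, or still the shipped placeholder. */
    private static boolean isUnconfigured(String value) {
        if (value == null) {
            return true;
        }
        String trimmed = value.trim();
        return trimmed.isEmpty() || trimmed.equals(UNCONFIGURED_PLACEHOLDER);
    }

    /**
     * Runs one step of the OAuth interaction using the scopes from the configuration.
     *
     * @return the interaction state after this step
     */
    @Override // org.gatein.security.oauth.spi.OAuthProviderProcessor
    public InteractionState<GoogleAccessTokenContext> processOAuthInteraction(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, OAuthException {
        return processOAuthInteractionImpl(httpServletRequest, httpServletResponse, this.scopes);
    }

    /**
     * Runs one step of the OAuth interaction using the scopes listed in {@code str} instead of
     * the configured ones.
     *
     * @param str scopes separated by {@link AccessTokenContext#DELIMITER}
     * @return the interaction state after this step
     */
    @Override // org.gatein.security.oauth.spi.OAuthProviderProcessor
    public InteractionState<GoogleAccessTokenContext> processOAuthInteraction(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) throws IOException, OAuthException {
        Set<String> requestedScopes = new HashSet<>();
        addScopesFromString(str, requestedScopes);
        return processOAuthInteractionImpl(httpServletRequest, httpServletResponse, requestedScopes);
    }

    /**
     * Dispatches on the interaction state stored in the HTTP session.
     *
     * <p>No stored state starts the flow with a redirect to Google. A stored state of
     * {@code AUTH} treats the request as the callback: the authorization code is exchanged and
     * the token validated, then both session attributes are removed. Any other stored state is
     * returned as is.
     *
     * @param set scopes to request when the flow is started
     */
    protected InteractionState<GoogleAccessTokenContext> processOAuthInteractionImpl(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Set<String> set) throws IOException {
        HttpSession session = httpServletRequest.getSession();
        String storedState = (String) session.getAttribute(OAuthConstants.ATTRIBUTE_AUTH_STATE);
        if (storedState == null || storedState.isEmpty()) {
            return initialInteraction(httpServletRequest, httpServletResponse, set);
        }
        if (!storedState.equals(InteractionState.State.AUTH.name())) {
            return new InteractionState<>(InteractionState.State.valueOf(storedState), null);
        }
        GoogleTokenResponse tokenResponse = obtainAccessToken(httpServletRequest);
        GoogleAccessTokenContext validated = validateTokenAndUpdateScopes(new GoogleAccessTokenContext(tokenResponse, new String[0]));
        // The verification state is single-use: drop it together with the flow marker.
        session.removeAttribute(OAuthConstants.ATTRIBUTE_AUTH_STATE);
        session.removeAttribute(OAuthConstants.ATTRIBUTE_VERIFICATION_STATE);
        return new InteractionState<>(InteractionState.State.FINISH, validated);
    }

    /**
     * Starts the flow: generates a random {@code state}, stores it in the session, and redirects
     * the browser to Google's authorization URL.
     *
     * @param set scopes to request
     * @return an interaction state of {@code AUTH} with no token context
     */
    protected InteractionState<GoogleAccessTokenContext> initialInteraction(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Set<String> set) throws IOException {
        // The state value binds the later callback to this browser session (anti-CSRF).
        String verificationState = String.valueOf(this.secureRandomService.getSecureRandom().nextLong());
        String authorizationUrl = new GoogleAuthorizationCodeRequestUrl(this.clientID, this.redirectURL, set)
                .setState(verificationState)
                .setAccessType(this.accessType)
                .build();
        if (log.isTraceEnabled()) {
            log.trace("Starting OAuth2 interaction with Google+");
            log.trace("URL to send to Google+: " + authorizationUrl);
        }
        HttpSession session = httpServletRequest.getSession();
        session.setAttribute(OAuthConstants.ATTRIBUTE_VERIFICATION_STATE, verificationState);
        session.setAttribute(OAuthConstants.ATTRIBUTE_AUTH_STATE, InteractionState.State.AUTH.name());
        httpServletResponse.sendRedirect(authorizationUrl);
        return new InteractionState<>(InteractionState.State.AUTH, null);
    }

    /**
     * Handles the callback from Google and exchanges the authorization code for tokens.
     *
     * @return the token response returned by Google
     * @throws OAuthException with {@code INVALID_STATE} when the {@code state} parameter does not
     *     match the session value, {@code USER_DENIED_SCOPE} when Google reports access denied,
     *     and {@code UNKNOWN_ERROR} for any other reported error or a missing authorization code
     */
    protected GoogleTokenResponse obtainAccessToken(HttpServletRequest httpServletRequest) throws IOException {
        String expectedState = (String) httpServletRequest.getSession().getAttribute(OAuthConstants.ATTRIBUTE_VERIFICATION_STATE);
        String receivedState = httpServletRequest.getParameter(OAuthConstants.STATE_PARAMETER);
        if (expectedState == null || receivedState == null || !expectedState.equals(receivedState)) {
            // Neither value goes into the message: the expected state is the anti-CSRF secret of
            // this session and the received one is untrusted request data.
            throw new OAuthException(OAuthExceptionCode.INVALID_STATE, "Validation of state parameter failed.");
        }

        String reportedError = httpServletRequest.getParameter(OAuthConstants.ERROR_PARAMETER);
        if (reportedError != null) {
            // NOTE(review): reportedError is request-supplied text; whoever renders or logs the
            // exception message should encode it.
            if (OAuthConstants.ERROR_ACCESS_DENIED.equals(reportedError)) {
                throw new OAuthException(OAuthExceptionCode.USER_DENIED_SCOPE, reportedError);
            }
            throw new OAuthException(OAuthExceptionCode.UNKNOWN_ERROR, reportedError);
        }

        String authorizationCode = httpServletRequest.getParameter(OAuthConstants.CODE_PARAMETER);
        if (authorizationCode == null || authorizationCode.isEmpty()) {
            throw new OAuthException(OAuthExceptionCode.UNKNOWN_ERROR, "Authorization code is missing in the callback request");
        }

        GoogleTokenResponse tokenResponse = new GoogleAuthorizationCodeTokenRequest(this.TRANSPORT, this.JSON_FACTORY, this.clientID, this.clientSecret, authorizationCode, this.redirectURL).execute();
        if (log.isTraceEnabled()) {
            // The response carries the access token (and possibly a refresh token); log the event only.
            log.trace("Successfully obtained accessToken from google");
        }
        return tokenResponse;
    }

    /**
     * Validates the access token against Google's tokeninfo endpoint and returns a context that
     * carries the scopes Google reports for it.
     *
     * @throws OAuthException with {@code ACCESS_TOKEN_ERROR} when tokeninfo reports an error or
     *     the token was issued to a different client id, and {@code IO_ERROR} on transport failure
     */
    @Override // org.gatein.security.oauth.spi.OAuthProviderProcessor
    public GoogleAccessTokenContext validateTokenAndUpdateScopes(GoogleAccessTokenContext googleAccessTokenContext) {
        Tokeninfo tokenInfo = new GoogleRequest<Tokeninfo>() { // from class: org.gatein.security.oauth.google.GoogleProcessorImpl.1
            /* JADX INFO: Access modifiers changed from: protected */
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // org.gatein.security.oauth.google.GoogleRequest
            public Tokeninfo invokeRequest(GoogleAccessTokenContext googleAccessTokenContext2) throws IOException {
                GoogleTokenResponse tokenData = googleAccessTokenContext2.getTokenData();
                String accessToken = GoogleProcessorImpl.this.getGoogleCredential(tokenData).getAccessToken();
                return (Tokeninfo) GoogleProcessorImpl.this.getOAuth2InstanceImpl(tokenData).tokeninfo().setAccessToken(accessToken).execute();
            }

            @Override // org.gatein.security.oauth.google.GoogleRequest
            protected OAuthException createException(IOException iOException) {
                if (iOException instanceof HttpResponseException) {
                    return new OAuthException(OAuthExceptionCode.ACCESS_TOKEN_ERROR, "Error when obtaining tokenInfo: " + iOException.getMessage(), iOException);
                }
                return new OAuthException(OAuthExceptionCode.IO_ERROR, "IO Error when obtaining tokenInfo: " + iOException.getMessage(), iOException);
            }
        }.executeRequest(googleAccessTokenContext, this);

        if (tokenInfo.containsKey(OAuthConstants.ERROR_PARAMETER)) {
            throw new OAuthException(OAuthExceptionCode.ACCESS_TOKEN_ERROR, "Error during token validation: " + tokenInfo.get(OAuthConstants.ERROR_PARAMETER).toString());
        }
        // Audience check: a token issued to another application must not be accepted here.
        // Comparing from the client id side also rejects a response without an issuedTo value
        // instead of failing with a NullPointerException.
        if (!this.clientID.equals(tokenInfo.getIssuedTo())) {
            throw new OAuthException(OAuthExceptionCode.ACCESS_TOKEN_ERROR, "Token's client ID does not match app's. clientID from tokenINFO: " + tokenInfo.getIssuedTo());
        }
        if (log.isTraceEnabled()) {
            log.trace("Successfully validated accessToken from google: " + tokenInfo);
        }
        return new GoogleAccessTokenContext(googleAccessTokenContext.getTokenData(), tokenInfo.getScope().split(AccessTokenContext.DELIMITER));
    }

    /**
     * Returns an authorized Google API client of the requested type.
     *
     * @param cls {@link Oauth2} or {@link Plus}
     * @return the client, or {@code null} when {@code cls} is not one of the supported types
     */
    @Override // org.gatein.security.oauth.spi.OAuthProviderProcessor
    public <C> C getAuthorizedSocialApiObject(GoogleAccessTokenContext googleAccessTokenContext, Class<C> cls) {
        if (Oauth2.class.equals(cls)) {
            return cls.cast(getOAuth2Instance(googleAccessTokenContext));
        }
        if (Plus.class.equals(cls)) {
            return cls.cast(getPlusService(googleAccessTokenContext));
        }
        if (log.isDebugEnabled()) {
            log.debug("Class '" + cls + "' not supported by this processor");
        }
        return null;
    }

    /**
     * Fetches the user info of the account the token belongs to.
     *
     * @throws OAuthException with {@code ACCESS_TOKEN_ERROR} on an HTTP error response and
     *     {@code IO_ERROR} on any other I/O failure
     */
    @Override // org.gatein.security.oauth.google.GoogleProcessor
    public Userinfo obtainUserInfo(GoogleAccessTokenContext googleAccessTokenContext) {
        final Oauth2 oauth2 = getOAuth2Instance(googleAccessTokenContext);
        Userinfo userInfo = new GoogleRequest<Userinfo>() { // from class: org.gatein.security.oauth.google.GoogleProcessorImpl.2
            /* JADX INFO: Access modifiers changed from: protected */
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // org.gatein.security.oauth.google.GoogleRequest
            public Userinfo invokeRequest(GoogleAccessTokenContext googleAccessTokenContext2) throws IOException {
                return (Userinfo) oauth2.userinfo().v2().me().get().execute();
            }

            @Override // org.gatein.security.oauth.google.GoogleRequest
            protected OAuthException createException(IOException iOException) {
                if (iOException instanceof HttpResponseException) {
                    return new OAuthException(OAuthExceptionCode.ACCESS_TOKEN_ERROR, "Error when obtaining userInfo: " + iOException.getMessage(), iOException);
                }
                return new OAuthException(OAuthExceptionCode.IO_ERROR, "IO Error when obtaining userInfo: " + iOException.getMessage(), iOException);
            }
        }.executeRequest(googleAccessTokenContext, this);
        if (log.isTraceEnabled()) {
            // NOTE(review): this prints the whole Userinfo object, i.e. the user's profile data.
            log.trace("Successfully obtained userInfo from google: " + userInfo);
        }
        return userInfo;
    }

    /** Builds an {@link Oauth2} client authorized with the tokens of the given context. */
    @Override // org.gatein.security.oauth.google.GoogleProcessor
    public Oauth2 getOAuth2Instance(GoogleAccessTokenContext googleAccessTokenContext) {
        return getOAuth2InstanceImpl(googleAccessTokenContext.getTokenData());
    }

    /** Builds an {@link Oauth2} client authorized with the given token response. */
    protected Oauth2 getOAuth2InstanceImpl(GoogleTokenResponse googleTokenResponse) {
        GoogleCredential credential = getGoogleCredential(googleTokenResponse);
        return new Oauth2.Builder(this.TRANSPORT, this.JSON_FACTORY, credential)
                .setApplicationName(this.applicationName)
                .build();
    }

    /** Builds a {@link Plus} client authorized with the tokens of the given context. */
    @Override // org.gatein.security.oauth.google.GoogleProcessor
    public Plus getPlusService(GoogleAccessTokenContext googleAccessTokenContext) {
        GoogleCredential credential = getGoogleCredential(googleAccessTokenContext.getTokenData());
        return new Plus.Builder(this.TRANSPORT, this.JSON_FACTORY, credential)
                .setApplicationName(this.applicationName)
                .build();
    }

    /**
     * Creates a credential that holds this application's client id and secret together with the
     * tokens from {@code googleTokenResponse}.
     */
    /* JADX INFO: Access modifiers changed from: private */
    public GoogleCredential getGoogleCredential(GoogleTokenResponse googleTokenResponse) {
        return new GoogleCredential.Builder()
                .setJsonFactory(this.JSON_FACTORY)
                .setTransport(this.TRANSPORT)
                .setClientSecrets(this.clientID, this.clientSecret)
                .build()
                .setFromTokenResponse(googleTokenResponse);
    }

    /**
     * Stores the access token, the scopes and (when present) the refresh token in the user
     * profile. Every value is passed through {@code oAuthCodec} before it is stored.
     */
    @Override // org.gatein.security.oauth.spi.OAuthProviderProcessor
    public void saveAccessTokenAttributesToUserProfile(UserProfile userProfile, OAuthCodec oAuthCodec, GoogleAccessTokenContext googleAccessTokenContext) {
        GoogleTokenResponse tokenData = googleAccessTokenContext.getTokenData();
        String encodedAccessToken = oAuthCodec.encodeString(tokenData.getAccessToken());
        String encodedRefreshToken = oAuthCodec.encodeString(tokenData.getRefreshToken());
        String encodedScopes = oAuthCodec.encodeString(googleAccessTokenContext.getScopesAsString());
        OAuthPersistenceUtils.saveLongAttribute(encodedAccessToken, userProfile, OAuthConstants.PROFILE_GOOGLE_ACCESS_TOKEN, false, this.chunkLength);
        userProfile.setAttribute(OAuthConstants.PROFILE_GOOGLE_SCOPE, encodedScopes);
        // presumably the codec maps a null refresh token to null; verify against the codec in use
        if (encodedRefreshToken != null) {
            OAuthPersistenceUtils.saveLongAttribute(encodedRefreshToken, userProfile, OAuthConstants.PROFILE_GOOGLE_REFRESH_TOKEN, false, this.chunkLength);
        }
    }

    /**
     * Rebuilds a token context from the values stored in the user profile.
     *
     * @return the context, or {@code null} when the profile holds no access token
     */
    /* JADX WARN: Can't rename method to resolve collision */
    @Override // org.gatein.security.oauth.spi.OAuthProviderProcessor
    public GoogleAccessTokenContext getAccessTokenFromUserProfile(UserProfile userProfile, OAuthCodec oAuthCodec) {
        String accessToken = oAuthCodec.decodeString(OAuthPersistenceUtils.getLongAttribute(userProfile, OAuthConstants.PROFILE_GOOGLE_ACCESS_TOKEN, false));
        if (accessToken == null) {
            return null;
        }
        String refreshToken = oAuthCodec.decodeString(OAuthPersistenceUtils.getLongAttribute(userProfile, OAuthConstants.PROFILE_GOOGLE_REFRESH_TOKEN, false));
        String scopesAsString = oAuthCodec.decodeString(userProfile.getAttribute(OAuthConstants.PROFILE_GOOGLE_SCOPE));

        GoogleTokenResponse tokenResponse = new GoogleTokenResponse();
        tokenResponse.setAccessToken(accessToken);
        tokenResponse.setRefreshToken(refreshToken);
        tokenResponse.setTokenType("Bearer");
        // Expiry and id token are not persisted; the two values below are fixed placeholders and
        // must not be treated as the real expiry or as a verifiable ID token.
        tokenResponse.setExpiresInSeconds(1000L);
        tokenResponse.setIdToken("someTokenId");
        return new GoogleAccessTokenContext(tokenResponse, scopesAsString);
    }

    /** Removes the stored access token, refresh token and scopes from the user profile. */
    @Override // org.gatein.security.oauth.spi.OAuthProviderProcessor
    public void removeAccessTokenFromUserProfile(UserProfile userProfile) {
        OAuthPersistenceUtils.removeLongAttribute(userProfile, OAuthConstants.PROFILE_GOOGLE_ACCESS_TOKEN, false);
        OAuthPersistenceUtils.removeLongAttribute(userProfile, OAuthConstants.PROFILE_GOOGLE_REFRESH_TOKEN, false);
        userProfile.setAttribute(OAuthConstants.PROFILE_GOOGLE_SCOPE, (String) null);
    }

    /**
     * Revokes the access token at Google.
     *
     * @throws OAuthException with {@code TOKEN_REVOCATION_FAILED} when the request fails
     */
    @Override // org.gatein.security.oauth.spi.OAuthProviderProcessor
    public void revokeToken(GoogleAccessTokenContext googleAccessTokenContext) throws OAuthException {
        new GoogleRequest<Void>() { // from class: org.gatein.security.oauth.google.GoogleProcessorImpl.3
            /* JADX INFO: Access modifiers changed from: protected */
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // org.gatein.security.oauth.google.GoogleRequest
            public Void invokeRequest(GoogleAccessTokenContext googleAccessTokenContext2) throws IOException {
                GoogleProcessorImpl.this.revokeTokenImpl(googleAccessTokenContext2.getTokenData());
                return null;
            }

            @Override // org.gatein.security.oauth.google.GoogleRequest
            protected OAuthException createException(IOException iOException) {
                return new OAuthException(OAuthExceptionCode.TOKEN_REVOCATION_FAILED, "Error when revoking token", iOException);
            }
        }.executeRequest(googleAccessTokenContext, this);
    }

    /**
     * Sends the revocation request for the access token in {@code googleTokenResponse}.
     *
     * <p>The token is added as a query parameter through {@link GenericUrl} so that it is
     * escaped when the URL is built, instead of being concatenated into the URL string.
     */
    /* JADX INFO: Access modifiers changed from: private */
    public void revokeTokenImpl(GoogleTokenResponse googleTokenResponse) throws IOException {
        GenericUrl revokeUrl = new GenericUrl("https://accounts.google.com/o/oauth2/revoke");
        revokeUrl.put("token", googleTokenResponse.getAccessToken());
        this.TRANSPORT.createRequestFactory().buildGetRequest(revokeUrl).execute();
        if (log.isTraceEnabled()) {
            // The token response is not printed: it still contains the refresh token.
            log.trace("Revoked token");
        }
    }

    /**
     * Obtains a new access token with the refresh token and stores it in the context's token data.
     *
     * @throws OAuthException with {@code GOOGLE_ERROR} when no refresh token is available or the
     *     refresh request fails
     */
    @Override // org.gatein.security.oauth.google.GoogleProcessor
    public void refreshToken(GoogleAccessTokenContext googleAccessTokenContext) {
        GoogleTokenResponse tokenData = googleAccessTokenContext.getTokenData();
        if (tokenData.getRefreshToken() == null) {
            throw new OAuthException(OAuthExceptionCode.GOOGLE_ERROR, "Given GoogleTokenResponse does not contain refreshToken");
        }
        try {
            GoogleTokenResponse refreshed = new GoogleRefreshTokenRequest(this.TRANSPORT, this.JSON_FACTORY, tokenData.getRefreshToken(), this.clientID, this.clientSecret).execute();
            tokenData.setAccessToken(refreshed.getAccessToken());
            if (log.isTraceEnabled()) {
                // The new access token is a bearer credential and is not logged.
                log.trace("AccessToken refreshed successfully");
            }
        } catch (IOException e) {
            throw new OAuthException(OAuthExceptionCode.GOOGLE_ERROR, e);
        }
    }

    /**
     * Splits {@code str} on {@link AccessTokenContext#DELIMITER} and adds every non-empty entry
     * to {@code set}. A {@code null} string adds nothing.
     */
    private void addScopesFromString(String str, Set<String> set) {
        if (str == null) {
            return;
        }
        for (String scope : str.split(AccessTokenContext.DELIMITER)) {
            if (!scope.isEmpty()) {
                set.add(scope);
            }
        }
    }
}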
