package io.quarkus.oidc.runtime;

import io.netty.handler.codec.http.HttpResponseStatus;
import io.quarkus.oidc.AccessTokenCredential;
import io.quarkus.oidc.IdTokenCredential;
import io.quarkus.oidc.OidcTenantConfig;
import io.quarkus.oidc.RefreshToken;
import io.quarkus.security.AuthenticationFailedException;
import io.quarkus.security.identity.IdentityProviderManager;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.runtime.QuarkusSecurityIdentity;
import io.quarkus.vertx.http.runtime.security.AuthenticationCompletionException;
import io.quarkus.vertx.http.runtime.security.AuthenticationRedirectException;
import io.quarkus.vertx.http.runtime.security.ChallengeData;
import io.smallrye.jwt.build.Jwt;
import io.smallrye.mutiny.Uni;
import io.smallrye.mutiny.groups.UniCreate;
import io.smallrye.mutiny.subscription.UniEmitter;
import io.vertx.core.AsyncResult;
import io.vertx.core.Handler;
import io.vertx.core.http.Cookie;
import io.vertx.core.http.HttpHeaders;
import io.vertx.core.http.impl.ServerCookie;
import io.vertx.core.json.JsonArray;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.oauth2.AccessToken;
import io.vertx.ext.auth.oauth2.OAuth2Auth;
import io.vertx.ext.auth.oauth2.impl.OAuth2AuthProviderImpl;
import io.vertx.ext.auth.oauth2.impl.OAuth2TokenImpl;
import io.vertx.ext.web.RoutingContext;
import io.vertx.ext.web.impl.CookieImpl;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.Permission;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.UUID;
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.regex.Pattern;
import javax.crypto.spec.SecretKeySpec;
import org.jboss.logging.Logger;
import org.jose4j.jwt.ReservedClaimNames;

/* loaded from: input_file:io/quarkus/oidc/runtime/CodeAuthenticationMechanism.class */
public class CodeAuthenticationMechanism extends AbstractOidcAuthenticationMechanism {
    // Base name of the cookie that carries the code flow 'state' value (optionally followed by
    // COOKIE_DELIM and the original request path/query); see generateCodeFlowState.
    private static final String STATE_COOKIE_NAME = "q_auth";
    // Base name of the session cookie. processSuccessfulAuthentication stores the raw
    // "<id token>|<access token>|<refresh token>" string in it, so its value is bearer material.
    private static final String SESSION_COOKIE_NAME = "q_session";
    // Base name of the cookie holding the 'state' value sent with post_logout_redirect_uri.
    private static final String POST_LOGOUT_COOKIE_NAME = "q_post_logout";
    // Separator between the segments of the state and session cookie values.
    private static final String COOKIE_DELIM = "|";
    private static final Logger LOG = Logger.getLogger((Class<?>) CodeAuthenticationMechanism.class);
    // Pre-compiled splitter for COOKIE_DELIM (the pipe is escaped because it is a regex metacharacter).
    private static final Pattern COOKIE_PATTERN = Pattern.compile("\\|");

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: io.quarkus.oidc.runtime.CodeAuthenticationMechanism$5, reason: invalid class name */
    /* loaded from: input_file:io/quarkus/oidc/runtime/CodeAuthenticationMechanism$5.class */
    /**
     * Decompiled emitter callback created by {@code trySilentRefresh}: it sends the refresh token
     * to the provider, re-verifies the returned ID token, rewrites the session cookie and
     * completes the emitter with the resulting identity.
     */
    public class AnonymousClass5 implements Consumer<UniEmitter<? super SecurityIdentity>> {
        // Values captured from the enclosing call (compiler-generated synthetic fields).
        final /* synthetic */ TenantConfigContext val$configContext;
        final /* synthetic */ String val$refreshToken;
        final /* synthetic */ RoutingContext val$context;
        final /* synthetic */ IdentityProviderManager val$identityProviderManager;

        AnonymousClass5(TenantConfigContext tenantConfigContext, String str, RoutingContext routingContext, IdentityProviderManager identityProviderManager) {
            this.val$configContext = tenantConfigContext;
            this.val$refreshToken = str;
            this.val$context = routingContext;
            this.val$identityProviderManager = identityProviderManager;
        }

        /**
         * Runs the refresh and reports the outcome through {@code uniEmitter}.
         *
         * @param uniEmitter completed with the refreshed identity, or failed with the refresh or
         *                   verification error
         */
        @Override // java.util.function.Consumer
        public void accept(final UniEmitter<? super SecurityIdentity> uniEmitter) {
            // Start from an empty token object that carries only the refresh token.
            final OAuth2TokenImpl oAuth2TokenImpl = new OAuth2TokenImpl(this.val$configContext.auth, new JsonObject());
            oAuth2TokenImpl.principal().put("refresh_token", this.val$refreshToken);
            oAuth2TokenImpl.refresh(new Handler<AsyncResult<Void>>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.5.1
                @Override // io.vertx.core.Handler
                public void handle(AsyncResult<Void> asyncResult) {
                    if (!asyncResult.succeeded()) {
                        // A rejected or failed refresh is surfaced as an authentication failure.
                        uniEmitter.fail(new AuthenticationFailedException(asyncResult.cause()));
                    } else {
                        AnonymousClass5.this.val$context.put("access_token", oAuth2TokenImpl.opaqueAccessToken());
                        // The refreshed ID token is verified like any other before it is trusted.
                        CodeAuthenticationMechanism.this.authenticate(AnonymousClass5.this.val$identityProviderManager, new IdTokenCredential(oAuth2TokenImpl.opaqueIdToken(), AnonymousClass5.this.val$context)).subscribe().with(new Consumer<SecurityIdentity>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.5.1.1
                            @Override // java.util.function.Consumer
                            public void accept(SecurityIdentity securityIdentity) {
                                // The new session cookie keeps the previous refresh token when the response carries none.
                                CodeAuthenticationMechanism.this.processSuccessfulAuthentication(AnonymousClass5.this.val$context, AnonymousClass5.this.val$configContext, oAuth2TokenImpl, oAuth2TokenImpl.opaqueRefreshToken() != null ? oAuth2TokenImpl.opaqueRefreshToken() : AnonymousClass5.this.val$refreshToken, securityIdentity);
                                // NOTE(review): the identity gets opaqueRefreshToken() without that fallback, so its
                                // RefreshToken credential can be null while the cookie still holds the old token.
                                uniEmitter.complete(CodeAuthenticationMechanism.augmentIdentity(securityIdentity, oAuth2TokenImpl.opaqueAccessToken(), oAuth2TokenImpl.opaqueRefreshToken(), AnonymousClass5.this.val$context));
                            }
                        }, new Consumer<Throwable>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.5.1.2
                            @Override // java.util.function.Consumer
                            public void accept(Throwable th) {
                                // Verification errors are passed on unchanged.
                                uniEmitter.fail(th);
                            }
                        });
                    }
                }
            });
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
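    /**
     * Copies a verified identity and attaches the access and refresh token credentials to it.
     *
     * <p>The decompiler rendered the permission checker as {@code SecurityIdentity.this.checkPermission(...)},
     * which is not valid Java in a static method; it is restored here as a delegation to the
     * {@code securityIdentity} argument.
     *
     * @param securityIdentity identity produced by ID token verification; its principal, roles,
     *                         attributes and permission checks are carried over
     * @param str              raw access token
     * @param str2             raw refresh token (wrapped as given, so it may be {@code null})
     * @param routingContext   current request context, passed to the access token credential
     * @return a new identity carrying the ID token, access token and refresh token credentials
     */
    public static QuarkusSecurityIdentity augmentIdentity(final SecurityIdentity securityIdentity, String str, String str2, RoutingContext routingContext) {
        IdTokenCredential idTokenCredential = (IdTokenCredential) securityIdentity.getCredential(IdTokenCredential.class);
        RefreshToken refreshToken = new RefreshToken(str2);
        Function<Permission, Uni<Boolean>> permissionChecker = securityIdentity::checkPermission;
        return QuarkusSecurityIdentity.builder()
                .setPrincipal(securityIdentity.getPrincipal())
                .addCredential(idTokenCredential)
                .addCredential(new AccessTokenCredential(str, refreshToken, routingContext))
                .addCredential(refreshToken)
                .addRoles(securityIdentity.getRoles())
                .addAttributes(securityIdentity.getAttributes())
                // Permission decisions stay with the original identity.
                .addPermissionChecker(permissionChecker)
                .build();
    }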

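    /**
     * Authenticates a request from the session cookie, or starts/completes the code flow when
     * there is no session cookie.
     *
     * <p>The session cookie value is split into ID token, access token and refresh token. The
     * cookie is client-supplied, so a value with fewer than three segments is now rejected (and
     * the cookie cleared) instead of failing with an unchecked array index error.
     *
     * @param routingContext              current request
     * @param identityProviderManager     used to verify the ID token
     * @param defaultTenantConfigResolver resolves the tenant configuration for the request
     * @return the authenticated identity; fails with {@link AuthenticationCompletionException}
     *         when the cookie is malformed or the token is rejected and cannot be refreshed, or with
     *         {@link AuthenticationRedirectException} for a logout request
     */
    public Uni<SecurityIdentity> authenticate(final RoutingContext routingContext, final IdentityProviderManager identityProviderManager, DefaultTenantConfigResolver defaultTenantConfigResolver) {
        Cookie cookie = routingContext.request().getCookie(getSessionCookieName(defaultTenantConfigResolver.resolve(routingContext, false)));
        if (cookie == null) {
            routingContext.put("new_authentication", Boolean.TRUE);
            return performCodeFlow(identityProviderManager, routingContext, defaultTenantConfigResolver);
        }
        final TenantConfigContext resolve = defaultTenantConfigResolver.resolve(routingContext, true);
        String[] split = COOKIE_PATTERN.split(cookie.getValue());
        if (split.length < 3) {
            // Expected layout is "<id token>|<access token>|<refresh token>"; anything shorter was not
            // written by processSuccessfulAuthentication and must not reach the index reads below.
            LOG.debug("Session cookie is malformed");
            removeCookie(routingContext, resolve, getSessionCookieName(resolve));
            return Uni.createFrom().failure(new AuthenticationCompletionException());
        }
        final String str = split[0];
        final String str2 = split[1];
        final String str3 = split[2];
        routingContext.put("access_token", str2);
        // Only the ID token is verified here; the access and refresh tokens are taken from the cookie as-is.
        return authenticate(identityProviderManager, new IdTokenCredential(str, routingContext)).map(new Function<SecurityIdentity, SecurityIdentity>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.3
            @Override // java.util.function.Function
            public SecurityIdentity apply(SecurityIdentity securityIdentity) {
                // A request for the configured logout path ends the session instead of producing an identity.
                if (CodeAuthenticationMechanism.this.isLogout(routingContext, resolve)) {
                    throw CodeAuthenticationMechanism.this.redirectToLogoutEndpoint(routingContext, resolve, str);
                }
                return CodeAuthenticationMechanism.augmentIdentity(securityIdentity, str2, str3, routingContext);
            }
        }).on().failure().recoverWithItem((Function) new Function<Throwable, SecurityIdentity>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.2
            @Override // java.util.function.Function
            public SecurityIdentity apply(Throwable th) {
                SecurityIdentity trySilentRefresh;
                // The logout redirect raised above must pass through untouched.
                if (th instanceof AuthenticationRedirectException) {
                    throw ((AuthenticationRedirectException) AuthenticationRedirectException.class.cast(th));
                }
                if (th instanceof TokenAutoRefreshException) {
                    // Token is still valid but due for refresh: try it, and keep the current identity if that fails.
                    trySilentRefresh = CodeAuthenticationMechanism.this.trySilentRefresh(resolve, str3, routingContext, identityProviderManager);
                    if (trySilentRefresh == null) {
                        CodeAuthenticationMechanism.LOG.debug("ID token can no longer be refreshed, using the current SecurityIdentity");
                        trySilentRefresh = ((TokenAutoRefreshException) th).getSecurityIdentity();
                    }
                } else {
                    Throwable cause = th.getCause();
                    // Expiry is recognised by the cause's message text; a failure without a cause is
                    // treated the same way as an expired token by the checks below.
                    if (cause != null && !"expired token".equalsIgnoreCase(cause.getMessage())) {
                        CodeAuthenticationMechanism.LOG.debugf("Authentication failure: %s", cause);
                        throw new AuthenticationCompletionException(cause);
                    }
                    if (!resolve.oidcConfig.token.refreshExpired) {
                        CodeAuthenticationMechanism.LOG.debug("Token has expired, token refresh is not allowed");
                        throw new AuthenticationCompletionException(cause);
                    }
                    CodeAuthenticationMechanism.LOG.debug("Token has expired, trying to refresh it");
                    trySilentRefresh = CodeAuthenticationMechanism.this.trySilentRefresh(resolve, str3, routingContext, identityProviderManager);
                    if (trySilentRefresh == null) {
                        CodeAuthenticationMechanism.LOG.debug("SecurityIdentity is null after a token refresh");
                        throw new AuthenticationCompletionException();
                    }
                }
                return trySilentRefresh;
            }
        });
    }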

    /**
     * Tells whether the request declares itself as an XMLHttpRequest.
     *
     * <p>The header is set by the client, so this is a hint about how to answer, not a trust decision.
     */
    private boolean isXHR(RoutingContext routingContext) {
        final String requestedWith = routingContext.request().getHeader("X-Requested-With");
        return "XMLHttpRequest".equals(requestedWith);
    }

    /**
     * Decides whether an unauthenticated request is redirected to the provider: always for
     * ordinary requests, and for XHR requests only when {@code xhrAutoRedirect} is enabled.
     */
    private boolean shouldAutoRedirect(TenantConfigContext tenantConfigContext, RoutingContext routingContext) {
        return !isXHR(routingContext) || tenantConfigContext.oidcConfig.authentication.xhrAutoRedirect;
    }

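    /**
     * Builds the challenge for an unauthenticated request: a redirect to the provider's
     * authorization endpoint, or status 499 for XHR requests when auto-redirect is disabled.
     *
     * <p>Two decompiler artifacts are repaired: the scopes lambda referenced an undefined
     * variable ({@code r1}), and {@code ChallengeData} was cast to {@code UniCreate}, an unrelated type.
     *
     * @param routingContext              current request
     * @param defaultTenantConfigResolver resolves the tenant configuration for the request
     * @return the challenge data to send to the client
     */
    public Uni<ChallengeData> getChallenge(RoutingContext routingContext, DefaultTenantConfigResolver defaultTenantConfigResolver) {
        TenantConfigContext resolve = defaultTenantConfigResolver.resolve(routingContext, true);
        // Any existing session cookie is expired before a new flow starts.
        removeCookie(routingContext, resolve, getSessionCookieName(resolve));
        if (!shouldAutoRedirect(resolve, routingContext)) {
            return Uni.createFrom().item(new ChallengeData(499, "WWW-Authenticate", "OIDC"));
        }
        JsonObject jsonObject = new JsonObject();
        // "openid" is always requested; configured scopes are appended after it.
        List<String> scopes = new ArrayList<>();
        scopes.add("openid");
        Optional<List<String>> optional = resolve.oidcConfig.getAuthentication().scopes;
        optional.ifPresent(scopes::addAll);
        jsonObject.put("scopes", new JsonArray(scopes));
        String redirectPath = getRedirectPath(resolve, routingContext);
        String buildUri = buildUri(routingContext, isForceHttps(resolve), redirectPath);
        LOG.debugf("Authentication request redirect_uri parameter: %s", buildUri);
        jsonObject.put("redirect_uri", buildUri);
        // The state value is also stored in a cookie so the callback can be tied to this browser.
        jsonObject.put("state", generateCodeFlowState(routingContext, resolve, redirectPath));
        if (resolve.oidcConfig.authentication.getExtraParams() != null) {
            // Configured extra parameters are added last and therefore override the keys set above.
            for (Map.Entry<String, String> entry : resolve.oidcConfig.authentication.getExtraParams().entrySet()) {
                jsonObject.put(entry.getKey(), entry.getValue());
            }
        }
        return Uni.createFrom().item(new ChallengeData(HttpResponseStatus.FOUND.code(), HttpHeaders.LOCATION, resolve.auth.authorizeURL(jsonObject)));
    }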

    /* JADX WARN: String concatenation convert failed
    jadx.core.utils.exceptions.JadxRuntimeException: Can't remove SSA var: r23v0 java.lang.String, still in use, count: 1, list:
      (r23v0 java.lang.String) from STR_CONCAT 
      (r23v0 java.lang.String)
      ("&")
      (wrap:java.lang.String:0x010f: INVOKE 
      (wrap:io.vertx.core.http.HttpServerRequest:0x010a: INVOKE (r12v0 io.vertx.ext.web.RoutingContext) INTERFACE call: io.vertx.ext.web.RoutingContext.request():io.vertx.core.http.HttpServerRequest A[MD:():io.vertx.core.http.HttpServerRequest (m), WRAPPED])
     INTERFACE call: io.vertx.core.http.HttpServerRequest.query():java.lang.String A[MD:():java.lang.String (m), WRAPPED])
     A[MD:():java.lang.String (c), SYNTHETIC, WRAPPED]
    	at jadx.core.utils.InsnRemover.removeSsaVar(InsnRemover.java:151)
    	at jadx.core.utils.InsnRemover.unbindResult(InsnRemover.java:116)
    	at jadx.core.utils.InsnRemover.unbindInsn(InsnRemover.java:80)
    	at jadx.core.utils.InsnRemover.unbindArgUsage(InsnRemover.java:163)
    	at jadx.core.utils.InsnRemover.unbindAllArgs(InsnRemover.java:95)
    	at jadx.core.utils.InsnRemover.unbindInsn(InsnRemover.java:79)
    	at jadx.core.utils.InsnRemover.unbindArgUsage(InsnRemover.java:163)
    	at jadx.core.utils.InsnRemover.unbindAllArgs(InsnRemover.java:95)
    	at jadx.core.utils.InsnRemover.unbindInsn(InsnRemover.java:79)
    	at jadx.core.utils.InsnRemover.unbindArgUsage(InsnRemover.java:163)
    	at jadx.core.utils.InsnRemover.unbindAllArgs(InsnRemover.java:95)
    	at jadx.core.dex.visitors.SimplifyVisitor.removeStringBuilderInsns(SimplifyVisitor.java:495)
    	at jadx.core.dex.visitors.SimplifyVisitor.convertStringBuilderChain(SimplifyVisitor.java:422)
    	at jadx.core.dex.visitors.SimplifyVisitor.convertInvoke(SimplifyVisitor.java:314)
    	at jadx.core.dex.visitors.SimplifyVisitor.simplifyInsn(SimplifyVisitor.java:145)
    	at jadx.core.dex.visitors.SimplifyVisitor.simplifyArgs(SimplifyVisitor.java:114)
    	at jadx.core.dex.visitors.SimplifyVisitor.simplifyInsn(SimplifyVisitor.java:132)
    	at jadx.core.dex.visitors.SimplifyVisitor.simplifyBlock(SimplifyVisitor.java:86)
    	at jadx.core.dex.visitors.SimplifyVisitor.visit(SimplifyVisitor.java:71)
     */
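    /**
     * Completes the authorization code flow after the provider redirects back with a {@code code}.
     *
     * <p>Steps: check the {@code state} query parameter against the state cookie, optionally
     * redirect to the originally requested path, exchange the code for tokens, verify the ID
     * token and create the session cookie.
     *
     * <p>Changes against the decompiled original:
     * <ul>
     * <li>The state parameter must now equal the first segment of the state cookie. The original
     * used {@code startsWith}, which also accepts an empty or truncated state value.</li>
     * <li>Processing stops after the emitter is failed for a missing {@code exp}/{@code iat}
     * claim; the original carried on and dereferenced the missing claims.</li>
     * <li>The local redirect query could not be recovered by the decompiler (it read an
     * unassigned variable). It is rebuilt as {@code "?pathChecked=true"} plus the current query,
     * which is what the surviving fragments indicate; verify against the upstream source.</li>
     * </ul>
     *
     * @param identityProviderManager     used to verify the ID token
     * @param routingContext              current request
     * @param defaultTenantConfigResolver resolves the tenant configuration for the request
     * @return an empty result when there is no {@code code} parameter, otherwise the identity or
     *         a failure ({@link AuthenticationCompletionException} or {@link AuthenticationRedirectException})
     */
    private Uni<SecurityIdentity> performCodeFlow(final IdentityProviderManager identityProviderManager, final RoutingContext routingContext, DefaultTenantConfigResolver defaultTenantConfigResolver) {
        final JsonObject jsonObject = new JsonObject();
        String param = routingContext.request().getParam("code");
        if (param == null) {
            // Not a callback from the provider: nothing to authenticate here.
            return Uni.createFrom().optional(Optional.empty());
        }
        final TenantConfigContext resolve = defaultTenantConfigResolver.resolve(routingContext, true);
        io.vertx.ext.web.Cookie cookie = routingContext.getCookie(getStateCookieName(resolve));
        if (cookie == null) {
            LOG.debug("The state cookie is missing after a redirect from IDP");
            return Uni.createFrom().failure(new AuthenticationCompletionException());
        }
        List<String> queryParam = routingContext.queryParam("state");
        if (queryParam.size() != 1) {
            LOG.debug("State parameter can not be empty or multi-valued");
            return Uni.createFrom().failure(new AuthenticationCompletionException());
        }
        // Cookie layout is "<state>" or "<state>|<path and/or query to restore>".
        String[] split = COOKIE_PATTERN.split(cookie.getValue());
        if (split.length == 0 || !split[0].equals(queryParam.get(0))) {
            LOG.debug("State cookie value does not match the state query parameter value");
            return Uni.createFrom().failure(new AuthenticationCompletionException());
        }

        String restorePath = split.length == 2 ? split[1] : null;
        int queryStart = restorePath != null ? restorePath.indexOf("?") : -1;
        if (restorePath != null && queryStart != 0 && routingContext.queryParam("pathChecked").isEmpty()) {
            // First pass: send the browser to the original path. The state cookie is kept so the
            // second pass (marked by 'pathChecked') can still be validated against it.
            String localPath = queryStart > 0 ? restorePath.substring(0, queryStart) : restorePath;
            String extraQuery = "?pathChecked=true";
            if (routingContext.request().query() != null) {
                extraQuery = extraQuery + "&" + routingContext.request().query();
            }
            String localRedirectUri = buildUri(routingContext, isForceHttps(resolve), localPath + extraQuery);
            LOG.debugf("Local redirect URI: %s", localRedirectUri);
            return Uni.createFrom().failure(new AuthenticationRedirectException(localRedirectUri));
        }
        // Query string of the original request, re-attached on the final redirect.
        String userQuery = null;
        if (queryStart >= 0 && queryStart + 1 < restorePath.length()) {
            userQuery = restorePath.substring(queryStart + 1);
        }
        // The state value is single-use.
        removeCookie(routingContext, resolve, getStateCookieName(resolve));

        jsonObject.put("code", param);
        String buildUri2 = buildUri(routingContext, isForceHttps(resolve), getRedirectPath(resolve, routingContext));
        LOG.debugf("Token request redirect_uri parameter: %s", buildUri2);
        jsonObject.put("redirect_uri", buildUri2);
        // Client authentication: secret in the form body, or a JWT assertion signed with the JWT secret.
        OidcTenantConfig.Credentials credentials = resolve.oidcConfig.getCredentials();
        if (credentials.clientSecret.value.isPresent() && OidcTenantConfig.Credentials.Secret.Method.POST == credentials.clientSecret.method.orElse(null)) {
            jsonObject.put("client_secret", credentials.clientSecret.value.get());
        } else if (credentials.jwt.secret.isPresent()) {
            jsonObject.put("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer");
            jsonObject.put("client_assertion", signJwtWithClientSecret(resolve.oidcConfig));
        }
        final String str4 = userQuery;
        return Uni.createFrom().emitter(new Consumer<UniEmitter<? super SecurityIdentity>>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.4
            @Override // java.util.function.Consumer
            public void accept(UniEmitter<? super SecurityIdentity> uniEmitter) {
                resolve.auth.authenticate(jsonObject, asyncResult -> {
                    if (asyncResult.failed()) {
                        if (asyncResult.cause() != null) {
                            CodeAuthenticationMechanism.LOG.debugf("Exception during the code to token exchange: %s", asyncResult.cause().getMessage());
                        }
                        uniEmitter.fail(new AuthenticationCompletionException(asyncResult.cause()));
                        return;
                    }
                    final AccessToken accessToken = AccessToken.class.cast(asyncResult.result());
                    routingContext.put("access_token", accessToken.opaqueAccessToken());
                    // The ID token from the token response is verified before a session is created.
                    CodeAuthenticationMechanism.this.authenticate(identityProviderManager, new IdTokenCredential(accessToken.opaqueIdToken(), routingContext)).subscribe().with(new Consumer<SecurityIdentity>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.4.1
                        @Override // java.util.function.Consumer
                        public void accept(SecurityIdentity securityIdentity) {
                            if (!accessToken.idToken().containsKey(ReservedClaimNames.EXPIRATION_TIME) || !accessToken.idToken().containsKey(ReservedClaimNames.ISSUED_AT)) {
                                CodeAuthenticationMechanism.LOG.debug("ID Token is required to contain 'exp' and 'iat' claims");
                                uniEmitter.fail(new AuthenticationCompletionException());
                                // Without both claims the session lifetime cannot be computed; do not create a session.
                                return;
                            }
                            CodeAuthenticationMechanism.this.processSuccessfulAuthentication(routingContext, resolve, accessToken, accessToken.opaqueRefreshToken(), securityIdentity);
                            if (!resolve.oidcConfig.authentication.isRemoveRedirectParameters() || routingContext.request().query() == null) {
                                uniEmitter.complete(CodeAuthenticationMechanism.augmentIdentity(securityIdentity, accessToken.opaqueAccessToken(), accessToken.opaqueRefreshToken(), routingContext));
                                return;
                            }
                            // Redirect once more so that 'code' and 'state' do not stay in the address bar.
                            String finalRedirectUri = CodeAuthenticationMechanism.this.buildUriWithoutQueryParams(routingContext);
                            if (str4 != null) {
                                finalRedirectUri = finalRedirectUri + "?" + str4;
                            }
                            CodeAuthenticationMechanism.LOG.debugf("Final redirect URI: %s", finalRedirectUri);
                            uniEmitter.fail(new AuthenticationRedirectException(finalRedirectUri));
                        }
                    }, new Consumer<Throwable>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.4.2
                        @Override // java.util.function.Consumer
                        public void accept(Throwable th) {
                            uniEmitter.fail(th);
                        }
                    });
                });
            }
        });
    }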

    /**
     * Creates the client assertion JWT: issuer and subject are the client id, the audience is the
     * auth server URL, and the token is signed with an HMAC key derived from the configured JWT secret.
     *
     * <p>The key is the UTF-8 bytes of the secret, so the signature is only as strong as that secret.
     */
    private String signJwtWithClientSecret(OidcTenantConfig oidcTenantConfig) {
        final byte[] keyBytes = oidcTenantConfig.credentials.jwt.secret.get().getBytes(StandardCharsets.UTF_8);
        final SecretKeySpec hmacKey = new SecretKeySpec(keyBytes, 0, keyBytes.length, "HMACSHA256");
        // JWT time claims are expressed in seconds.
        final long issuedAt = System.currentTimeMillis() / 1000;
        final long expiresAt = issuedAt + oidcTenantConfig.credentials.jwt.lifespan;
        final String clientId = oidcTenantConfig.clientId.get();
        return Jwt.claims()
                .issuer(clientId)
                .subject(clientId)
                .audience(oidcTenantConfig.authServerUrl.get())
                .issuedAt(issuedAt)
                .expiresAt(expiresAt)
                .sign(hmacKey);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Replaces the session cookie with one holding the ID token, access token and refresh token.
     *
     * <p>The tokens are stored as plain text joined by {@code COOKIE_DELIM}; a {@code null}
     * refresh token ends up as the literal text "null". The cookie lifetime is the ID token's
     * {@code exp - iat}, plus the configured grace period, plus the session age extension when
     * refreshing expired tokens is enabled.
     *
     * @param str refresh token to store in the cookie
     */
    public void processSuccessfulAuthentication(RoutingContext routingContext, TenantConfigContext tenantConfigContext, AccessToken accessToken, String str, SecurityIdentity securityIdentity) {
        removeCookie(routingContext, tenantConfigContext, getSessionCookieName(tenantConfigContext));
        final String cookieValue = String.join(COOKIE_DELIM, accessToken.opaqueIdToken(), accessToken.opaqueAccessToken(), str);

        final long expiresAt = accessToken.idToken().getLong(ReservedClaimNames.EXPIRATION_TIME);
        final long issuedAt = accessToken.idToken().getLong(ReservedClaimNames.ISSUED_AT);
        long maxAge = expiresAt - issuedAt;
        if (tenantConfigContext.oidcConfig.token.lifespanGrace.isPresent()) {
            maxAge = maxAge + tenantConfigContext.oidcConfig.token.lifespanGrace.getAsInt();
        }
        if (tenantConfigContext.oidcConfig.token.refreshExpired) {
            // The cookie must outlive the ID token, otherwise the refresh token would be lost with it.
            maxAge = maxAge + tenantConfigContext.oidcConfig.authentication.sessionAgeExtension.getSeconds();
        }
        createCookie(routingContext, tenantConfigContext, getSessionCookieName(tenantConfigContext), cookieValue, maxAge);
    }

    /**
     * Returns the configured redirect path, or the path of the current request when none is configured.
     */
    private String getRedirectPath(TenantConfigContext tenantConfigContext, RoutingContext routingContext) {
        final OidcTenantConfig.Authentication authConfig = tenantConfigContext.oidcConfig.getAuthentication();
        return authConfig.getRedirectPath().orElseGet(() -> routingContext.request().path());
    }

    /**
     * Generates the {@code state} value for an authorization request and stores it in the state cookie.
     *
     * <p>When path restoration is enabled, the request path (if it differs from the redirect
     * path) and query string are appended to the cookie value after {@code COOKIE_DELIM}. Only the
     * random part is returned for use as the {@code state} parameter. The cookie lives for 1800 seconds.
     *
     * @param str redirect path used for the authorization request
     * @return the random state value
     */
    private String generateCodeFlowState(RoutingContext routingContext, TenantConfigContext tenantConfigContext, String str) {
        final String state = UUID.randomUUID().toString();
        String cookieValue = state;
        if (tenantConfigContext.oidcConfig.getAuthentication().isRestorePathAfterRedirect()) {
            final String requestPath = routingContext.request().path();
            final String requestQuery = routingContext.request().query();
            // The path is recorded only when the provider will redirect somewhere else.
            String restore = str.equals(requestPath) ? "" : requestPath;
            if (requestQuery != null) {
                restore = restore + "?" + requestQuery;
            }
            if (!restore.isEmpty()) {
                cookieValue = state + COOKIE_DELIM + restore;
            }
        }
        createCookie(routingContext, tenantConfigContext, getStateCookieName(tenantConfigContext), cookieValue, 1800L);
        return state;
    }

    /**
     * Replaces the post-logout cookie with a fresh random value (lifetime 1800 seconds) and returns that value.
     */
    private String generatePostLogoutState(RoutingContext routingContext, TenantConfigContext tenantConfigContext) {
        final String cookieName = getPostLogoutCookieName(tenantConfigContext);
        removeCookie(routingContext, tenantConfigContext, cookieName);
        final String state = UUID.randomUUID().toString();
        CookieImpl postLogoutCookie = createCookie(routingContext, tenantConfigContext, cookieName, state, 1800L);
        return postLogoutCookie.getValue();
    }

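    /**
     * Creates a cookie and adds it to the response.
     *
     * <p>The cookie is always HttpOnly. The Secure flag mirrors whether this request arrived over
     * TLS. The log call now passes the cookie name as a format argument; the original
     * concatenated it into the format string, which breaks if the name contains a {@code %}.
     *
     * @param str  cookie name
     * @param str2 cookie value
     * @param j    max-age in seconds
     * @return the cookie that was added to the response
     */
    private CookieImpl createCookie(RoutingContext routingContext, TenantConfigContext tenantConfigContext, String str, String str2, long j) {
        CookieImpl cookieImpl = new CookieImpl(str, str2);
        cookieImpl.setHttpOnly(true);
        // NOTE(review): if TLS is terminated before this server, isSSL() is presumably false and the
        // cookie is sent without Secure even when forceRedirectHttpsScheme is set; confirm the deployment.
        // No SameSite attribute is set here.
        cookieImpl.setSecure(routingContext.request().isSSL());
        cookieImpl.setMaxAge(j);
        LOG.debugf("%s cookie 'max-age' parameter is set to %d", str, j);
        OidcTenantConfig.Authentication authentication = tenantConfigContext.oidcConfig.getAuthentication();
        if (authentication.cookiePath.isPresent()) {
            cookieImpl.setPath(authentication.getCookiePath().get());
        }
        routingContext.response().addCookie(cookieImpl);
        return cookieImpl;
    }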

    /**
     * Builds an absolute URI from the request's authority and the given path.
     *
     * <p>The authority is taken from the request's absolute URI, so it is presumably derived
     * from client-supplied request data; confirm how the deployment validates the host.
     *
     * @param z   when {@code true} the scheme is forced to "https", otherwise the request scheme is used
     * @param str path (and optional query) appended after the authority
     */
    private String buildUri(RoutingContext routingContext, boolean z, String str) {
        final String scheme = z ? "https" : routingContext.request().scheme();
        final String authority = URI.create(routingContext.request().absoluteURI()).getAuthority();
        return scheme + "://" + authority + str;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Returns the current request URI with its query string removed.
     *
     * <p>NOTE(review): unlike buildUri, this always uses the request scheme and ignores
     * forceRedirectHttpsScheme.
     */
    public String buildUriWithoutQueryParams(RoutingContext routingContext) {
        final URI requestUri = URI.create(routingContext.request().absoluteURI());
        final String scheme = routingContext.request().scheme();
        return scheme + "://" + requestUri.getAuthority() + requestUri.getRawPath();
    }

    /**
     * Expires the named request cookie, if present, by blanking its value and setting max-age to 0.
     *
     * <p>The configured cookie path is applied when one is set.
     *
     * @param str cookie name
     */
    private void removeCookie(RoutingContext routingContext, TenantConfigContext tenantConfigContext, String str) {
        final ServerCookie existing = (ServerCookie) routingContext.cookieMap().get(str);
        if (existing == null) {
            return;
        }
        existing.setValue("");
        existing.setMaxAge(0L);
        final OidcTenantConfig.Authentication authConfig = tenantConfigContext.oidcConfig.getAuthentication();
        if (authConfig.cookiePath.isPresent()) {
            existing.setPath(authConfig.cookiePath.get());
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Tells whether the request targets the configured logout path.
     *
     * <p>The whole absolute request URI is compared with the URI built from the logout path
     * using the request scheme, so the match is exact.
     */
    public boolean isLogout(RoutingContext routingContext, TenantConfigContext tenantConfigContext) {
        final Optional<String> logoutPath = tenantConfigContext.oidcConfig.logout.path;
        if (!logoutPath.isPresent()) {
            return false;
        }
        final String requestUri = routingContext.request().absoluteURI();
        return requestUri.equals(buildUri(routingContext, false, logoutPath.get()));
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Refreshes the tokens with the given refresh token and waits for the result.
     *
     * <p>The call blocks the current thread with no timeout until the refresh completes or fails.
     *
     * @param str refresh token
     * @return the identity built from the refreshed tokens
     */
    public SecurityIdentity trySilentRefresh(TenantConfigContext tenantConfigContext, String str, RoutingContext routingContext, IdentityProviderManager identityProviderManager) {
        final AnonymousClass5 refreshTask = new AnonymousClass5(tenantConfigContext, str, routingContext, identityProviderManager);
        return (SecurityIdentity) Uni.createFrom().emitter(refreshTask).await().indefinitely();
    }

    /**
     * Builds the provider logout URL with {@code id_token_hint} and, when a post-logout path is
     * configured, {@code post_logout_redirect_uri} and {@code state}.
     *
     * <p>NOTE(review): parameter values are appended without URL encoding.
     *
     * @param str raw ID token used as {@code id_token_hint}
     */
    private String buildLogoutRedirectUri(TenantConfigContext tenantConfigContext, String str, RoutingContext routingContext) {
        // The configured end-session path wins over the provider's logout path.
        final String endSessionPath = tenantConfigContext.oidcConfig.getEndSessionPath().orElse(((OAuth2AuthProviderImpl) OAuth2AuthProviderImpl.class.cast(tenantConfigContext.auth)).getConfig().getLogoutPath());
        final StringBuilder logoutUri = new StringBuilder(endSessionPath);
        logoutUri.append("?");
        logoutUri.append("id_token_hint=");
        logoutUri.append(str);
        if (tenantConfigContext.oidcConfig.logout.postLogoutPath.isPresent()) {
            final String postLogoutUri = buildUri(routingContext, isForceHttps(tenantConfigContext), tenantConfigContext.oidcConfig.logout.postLogoutPath.get());
            logoutUri.append("&post_logout_redirect_uri=").append(postLogoutUri);
            final String postLogoutState = generatePostLogoutState(routingContext, tenantConfigContext);
            logoutUri.append("&state=").append(postLogoutState);
        }
        return logoutUri.toString();
    }

    /** Returns the tenant's {@code forceRedirectHttpsScheme} setting. */
    private boolean isForceHttps(TenantConfigContext tenantConfigContext) {
        final boolean forceHttps = tenantConfigContext.oidcConfig.authentication.forceRedirectHttpsScheme;
        return forceHttps;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Expires the session cookie and returns the redirect to the provider's logout endpoint.
     *
     * @param str raw ID token used as {@code id_token_hint}
     * @return the exception to throw; it carries the logout URL
     */
    public AuthenticationRedirectException redirectToLogoutEndpoint(RoutingContext routingContext, TenantConfigContext tenantConfigContext, String str) {
        final String sessionCookieName = getSessionCookieName(tenantConfigContext);
        removeCookie(routingContext, tenantConfigContext, sessionCookieName);
        final String logoutUri = buildLogoutRedirectUri(tenantConfigContext, str, routingContext);
        return new AuthenticationRedirectException(logoutUri);
    }

    /** Returns the session cookie name for the tenant: the base name plus the tenant suffix. */
    private static String getSessionCookieName(TenantConfigContext tenantConfigContext) {
        final String tenantSuffix = getCookieSuffix(tenantConfigContext);
        return SESSION_COOKIE_NAME + tenantSuffix;
    }

    /** Returns the state cookie name for the tenant: the base name plus the tenant suffix. */
    private static String getStateCookieName(TenantConfigContext tenantConfigContext) {
        final String tenantSuffix = getCookieSuffix(tenantConfigContext);
        return STATE_COOKIE_NAME + tenantSuffix;
    }

    /** Returns the post-logout cookie name for the tenant: the base name plus the tenant suffix. */
    private static String getPostLogoutCookieName(TenantConfigContext tenantConfigContext) {
        final String tenantSuffix = getCookieSuffix(tenantConfigContext);
        return POST_LOGOUT_COOKIE_NAME + tenantSuffix;
    }

    /**
     * Returns the cookie name suffix for the tenant: empty for the tenant id "Default",
     * otherwise an underscore followed by the tenant id.
     */
    private static String getCookieSuffix(TenantConfigContext tenantConfigContext) {
        final String tenantId = tenantConfigContext.oidcConfig.tenantId.get();
        if ("Default".equals(tenantId)) {
            return "";
        }
        return "_" + tenantId;
    }
}
