package org.wildfly.security.http.oidc;

import java.net.URISyntaxException;
import java.util.List;
import org.apache.http.client.utils.URIBuilder;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.wildfly.security.http.HttpScope;
import org.wildfly.security.http.Scope;
import org.wildfly.security.http.oidc.OidcHttpFacade;

/* loaded from: input_file:org/wildfly/security/http/oidc/OidcCookieTokenStore.class */
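/**
 * {@link OidcTokenStore} that keeps the OIDC session state in a single
 * {@code OIDC_STATE} cookie instead of in an HTTP session.
 * <p>
 * The cookie value is the access token, ID token and refresh token joined with
 * {@link #DELIM}; values written by earlier releases with {@link #LEGACY_DELIM}
 * are still accepted when reading. Tokens read back from the cookie are parsed
 * <em>without</em> signature or claim validation (see
 * {@link #getPrincipalFromCookie}); whether they are trusted is decided by the
 * callers' activity/refresh checks, not by this class.
 */
public class OidcCookieTokenStore implements OidcTokenStore {
    /** Name of the cookie that carries the serialized tokens. */
    private static final String OIDC_STATE_COOKIE = "OIDC_STATE";
    /** Separator between the three tokens in the cookie value. */
    private static final String DELIM = "###";
    /** Separator written by earlier releases; only used as a read fallback. */
    private static final String LEGACY_DELIM = "___";
    private static final int EXPECTED_NUM_TOKENS = 3;
    private static final int ACCESS_TOKEN_INDEX = 0;
    private static final int ID_TOKEN_INDEX = 1;
    private static final int REFRESH_TOKEN_INDEX = 2;

    private final OidcHttpFacade httpFacade;

    /**
     * Creates a store bound to the given request/response facade.
     *
     * @param oidcHttpFacade facade giving access to the current request, response and client configuration
     */
    public OidcCookieTokenStore(OidcHttpFacade oidcHttpFacade) {
        this.httpFacade = oidcHttpFacade;
    }

    /**
     * Re-reads the principal from the cookie and, when the context is not active or the
     * configuration asks for a refresh on every request, attempts a refresh; if the refresh
     * does not yield an active context the account is written back to the cookie as-is.
     */
    @Override
    public void checkCurrentToken() {
        OidcPrincipal<RefreshableOidcSecurityContext> principal = getPrincipalFromCookie(this.httpFacade.getOidcClientConfiguration(), this.httpFacade, this);
        if (principal == null) {
            return;
        }
        RefreshableOidcSecurityContext securityContext = principal.getOidcSecurityContext();
        boolean refreshWanted = !securityContext.isActive() || securityContext.getOidcClientConfiguration().isAlwaysRefreshToken();
        if (!refreshWanted) {
            return;
        }
        if (securityContext.refreshToken(false) && securityContext.isActive()) {
            // refreshCallback() has already rewritten the cookie in this case
            return;
        }
        saveAccountInfo(new OidcAccount(principal));
    }

    /**
     * Completes authentication from the cookie when it holds an account that matches this
     * request and is (or can be refreshed to be) active.
     *
     * @param requestAuthenticator the current authenticator (not consulted by this store)
     * @return {@code true} if a cached account was accepted and {@code authenticationComplete} was called
     */
    @Override
    public boolean isCached(RequestAuthenticator requestAuthenticator) {
        OidcClientConfiguration config = this.httpFacade.getOidcClientConfiguration();
        OidcPrincipal<RefreshableOidcSecurityContext> principal = getPrincipalFromCookie(config, this.httpFacade, this);
        if (principal == null) {
            ElytronMessages.log.debug("Account was not in cookie or was invalid, returning null");
            return false;
        }
        OidcAccount account = new OidcAccount(principal);
        if (!Oidc.checkCachedAccountMatchesRequest(account, config)) {
            return false;
        }
        // only try a refresh when the cached tokens are no longer active
        boolean active = account.checkActive() || account.tryRefresh();
        if (!active) {
            ElytronMessages.log.debug("Account was not active, removing cookie and returning false");
            removeCookie(config, this.httpFacade);
            return false;
        }
        ElytronMessages.log.debug("Cached account found");
        restoreRequest();
        this.httpFacade.authenticationComplete(account, true);
        return true;
    }

    /**
     * Writes the account's tokens to the cookie and attaches the account and its security
     * context to the exchange scope.
     *
     * @param oidcAccount the authenticated account to persist
     */
    @Override
    public void saveAccountInfo(OidcAccount oidcAccount) {
        RefreshableOidcSecurityContext securityContext = oidcAccount.getOidcSecurityContext();
        setTokenCookie(this.httpFacade.getOidcClientConfiguration(), this.httpFacade, securityContext);
        HttpScope exchange = this.httpFacade.getScope(Scope.EXCHANGE);
        // presumably fired when the exchange scope is torn down; it clears the cookie — confirm against HttpScope
        exchange.registerForNotification(notification -> logout());
        exchange.setAttachment(OidcAccount.class.getName(), oidcAccount);
        exchange.setAttachment(OidcSecurityContext.class.getName(), securityContext);
        restoreRequest();
    }

    /** Removes the state cookie without contacting the provider; see {@link #logout(boolean)}. */
    @Override
    public void logout() {
        logout(false);
    }

    /**
     * Rewrites the cookie after the security context obtained fresh tokens.
     *
     * @param refreshableOidcSecurityContext context holding the refreshed tokens
     */
    @Override
    public void refreshCallback(RefreshableOidcSecurityContext refreshableOidcSecurityContext) {
        setTokenCookie(this.httpFacade.getOidcClientConfiguration(), this.httpFacade, refreshableOidcSecurityContext);
    }

    /** No-op: this store does not save the original request. */
    @Override
    public void saveRequest() {
    }

    /**
     * No-op: this store never restores a saved request.
     *
     * @return always {@code false}
     */
    @Override
    public boolean restoreRequest() {
        return false;
    }

    /**
     * Clears the state cookie and, when requested, also logs the security context out.
     *
     * @param z when {@code true} and the client is not bearer-only, additionally calls
     *          {@code logout} on the security context read from the cookie
     */
    @Override
    public void logout(boolean z) {
        OidcClientConfiguration config = this.httpFacade.getOidcClientConfiguration();
        OidcPrincipal<RefreshableOidcSecurityContext> principal = getPrincipalFromCookie(config, this.httpFacade, this);
        if (principal == null) {
            return;
        }
        removeCookie(config, this.httpFacade);
        if (!z || config.isBearerOnly()) {
            return;
        }
        // the principal's context is declared RefreshableOidcSecurityContext, so no instanceof check is needed
        RefreshableOidcSecurityContext securityContext = principal.getOidcSecurityContext();
        if (securityContext != null) {
            securityContext.logout(config);
        }
    }

    /** No-op: there is no server-side registry of sessions to invalidate. */
    @Override
    public void logoutAll() {
    }

    /**
     * No-op: this store does not track HTTP sessions.
     *
     * @param list ignored
     */
    @Override
    public void logoutHttpSessions(List<String> list) {
    }

    /**
     * Expires the state cookie on the response.
     *
     * @param oidcClientConfiguration client configuration (for the cookie path)
     * @param oidcHttpFacade          facade for the current request/response
     */
    public static void removeCookie(OidcClientConfiguration oidcClientConfiguration, OidcHttpFacade oidcHttpFacade) {
        oidcHttpFacade.getResponse().resetCookie(OIDC_STATE_COOKIE, getCookiePath(oidcClientConfiguration, oidcHttpFacade));
    }

    /**
     * Writes the context's access, ID and refresh tokens to the state cookie.
     *
     * @param oidcClientConfiguration        client configuration (cookie path and SSL policy)
     * @param oidcHttpFacade                 facade for the current request/response
     * @param refreshableOidcSecurityContext context whose tokens are serialized
     */
    public static void setTokenCookie(OidcClientConfiguration oidcClientConfiguration, OidcHttpFacade oidcHttpFacade, RefreshableOidcSecurityContext refreshableOidcSecurityContext) {
        ElytronMessages.log.debugf("Set new %s cookie now", OIDC_STATE_COOKIE);
        String cookieValue = refreshableOidcSecurityContext.getTokenString()
                + DELIM + refreshableOidcSecurityContext.getIDTokenString()
                + DELIM + refreshableOidcSecurityContext.getRefreshToken();
        // the Secure flag follows the deployment's ssl-required policy for this client address
        boolean secure = oidcClientConfiguration.getSSLRequired().isRequired(oidcHttpFacade.getRequest().getRemoteAddr());
        // remaining arguments: domain (none), max-age (-1), secure, httpOnly (true)
        //   — meanings presumed from argument order; confirm against OidcHttpFacade.Response.setCookie
        oidcHttpFacade.getResponse().setCookie(OIDC_STATE_COOKIE, cookieValue, getCookiePath(oidcClientConfiguration, oidcHttpFacade), null, -1, secure, true);
    }

    /**
     * Resolves the cookie path: an absolute configured path is used verbatim, otherwise a
     * relative configured path (possibly empty) is appended to the request's context path.
     *
     * @param oidcClientConfiguration client configuration supplying the optional cookie path
     * @param oidcHttpFacade          facade used to derive the context path
     * @return the path to set on the state cookie
     */
    static String getCookiePath(OidcClientConfiguration oidcClientConfiguration, OidcHttpFacade oidcHttpFacade) {
        String configured = oidcClientConfiguration.getOidcStateCookiePath();
        String configuredPath = configured == null ? "" : configured.trim();
        if (configuredPath.startsWith(Oidc.SLASH)) {
            return configuredPath;
        }
        String contextPath = getContextPath(oidcHttpFacade);
        StringBuilder path = new StringBuilder(contextPath);
        if (!contextPath.endsWith(Oidc.SLASH) && !configuredPath.isEmpty()) {
            path.append(Oidc.SLASH);
        }
        return path.append(configuredPath).toString();
    }

    /**
     * Derives the context path from the request URI: the first path segment, or
     * {@code Oidc.SLASH} when the URI has no path.
     *
     * @param oidcHttpFacade facade for the current request
     * @return the first path segment including its leading slash
     * @throws RuntimeException (via {@code ElytronMessages.log.invalidUri}) if the request URI cannot be parsed
     */
    static String getContextPath(OidcHttpFacade oidcHttpFacade) {
        String uri = oidcHttpFacade.getRequest().getURI();
        try {
            String path = new URIBuilder(uri).build().getPath();
            if (path == null || path.isEmpty()) {
                return Oidc.SLASH;
            }
            // keep only the first segment: "/app/a/b" -> "/app"; search from 1 to skip the leading slash
            int secondSlash = path.indexOf(Oidc.SLASH, 1);
            return secondSlash == -1 ? path : path.substring(0, secondSlash);
        } catch (URISyntaxException e) {
            throw ElytronMessages.log.invalidUri(uri);
        }
    }

    /**
     * Rebuilds the principal and security context from the state cookie of the current request.
     * <p>
     * The access and ID tokens are parsed with signature verification and all claim
     * validators disabled; this method only checks the cookie's shape and that the tokens
     * are well-formed JWTs. It does not establish that they are genuine.
     *
     * @param oidcClientConfiguration client configuration passed on to the security context
     * @param oidcHttpFacade          facade for the current request
     * @param oidcCookieTokenStore    store handed to the security context for refresh callbacks
     * @return the reconstructed principal, or {@code null} if the cookie is absent, malformed or not parseable
     */
    public static OidcPrincipal<RefreshableOidcSecurityContext> getPrincipalFromCookie(OidcClientConfiguration oidcClientConfiguration, OidcHttpFacade oidcHttpFacade, OidcCookieTokenStore oidcCookieTokenStore) {
        OidcHttpFacade.Cookie cookie = oidcHttpFacade.getRequest().getCookie(OIDC_STATE_COOKIE);
        if (cookie == null) {
            ElytronMessages.log.debug("OIDC state cookie not found in current request");
            return null;
        }
        String value = cookie.getValue();
        String[] tokens = value.split(DELIM);
        if (tokens.length != EXPECTED_NUM_TOKENS) {
            // cookie may have been written by an earlier release using the old separator
            tokens = value.split(LEGACY_DELIM);
        }
        if (tokens.length != EXPECTED_NUM_TOKENS) {
            ElytronMessages.log.warnf("Invalid format of %s cookie. Count of tokens: %s, expected %s", OIDC_STATE_COOKIE, Integer.valueOf(tokens.length), Integer.valueOf(EXPECTED_NUM_TOKENS));
            // NOTE(review): this writes the raw cookie contents (bearer tokens) to the log at debug level
            ElytronMessages.log.debugf("Value of %s cookie is: %s", OIDC_STATE_COOKIE, value);
            return null;
        }
        String accessTokenString = tokens[ACCESS_TOKEN_INDEX];
        String idTokenString = tokens[ID_TOKEN_INDEX];
        String refreshTokenString = tokens[REFRESH_TOKEN_INDEX];
        try {
            // NOTE(review): no signature or claim validation happens here; trust is left to the
            // callers' checkActive()/refresh path — confirm that path re-verifies the tokens
            // before authenticationComplete(...) is reached.
            AccessToken accessToken = new AccessToken(new JwtConsumerBuilder().setSkipSignatureVerification().setSkipAllValidators().build().processToClaims(accessTokenString));
            IDToken idToken = null;
            if (idTokenString != null && !idTokenString.isEmpty()) {
                idToken = new IDToken(new JwtConsumerBuilder().setSkipSignatureVerification().setSkipAllValidators().build().processToClaims(idTokenString));
            }
            ElytronMessages.log.debug("Token obtained from cookie");
            RefreshableOidcSecurityContext securityContext = new RefreshableOidcSecurityContext(oidcClientConfiguration, oidcCookieTokenStore, accessTokenString, accessToken, idTokenString, idToken, refreshTokenString);
            // a cookie with an empty ID token used to dereference null here; AccessToken extends IDToken,
            // so the access token can supply the principal name in that case
            IDToken nameSource = idToken != null ? idToken : accessToken;
            return new OidcPrincipal<>(nameSource.getPrincipalName(oidcClientConfiguration), securityContext);
        } catch (InvalidJwtException e) {
            ElytronMessages.log.failedToParseTokenFromCookie(e);
            return null;
        }
    }
}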
