package org.apache.sling.auth.oauth_client.impl;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.oauth2.sdk.AuthorizationCode;
import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
import com.nimbusds.oauth2.sdk.AuthorizationResponse;
import com.nimbusds.oauth2.sdk.ErrorObject;
import com.nimbusds.oauth2.sdk.ErrorResponse;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.TokenRequest;
import com.nimbusds.oauth2.sdk.TokenResponse;
import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Identifier;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.oauth2.sdk.id.State;
import com.nimbusds.oauth2.sdk.pkce.CodeVerifier;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
import com.nimbusds.openid.connect.sdk.UserInfoRequest;
import com.nimbusds.openid.connect.sdk.UserInfoResponse;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Dictionary;
import java.util.List;
import java.util.Map;
import java.util.function.Function;
import java.util.stream.Collectors;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.jackrabbit.oak.spi.security.authentication.credentials.CredentialsSupport;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityProvider;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.apache.sling.auth.core.spi.DefaultAuthenticationFeedbackHandler;
import org.apache.sling.auth.oauth_client.ClientConnection;
import org.apache.sling.auth.oauth_client.spi.LoginCookieManager;
import org.apache.sling.auth.oauth_client.spi.OidcAuthCredentials;
import org.apache.sling.auth.oauth_client.spi.UserInfoProcessor;
import org.apache.sling.commons.crypto.CryptoService;
import org.jetbrains.annotations.NotNull;
import org.osgi.framework.BundleContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferencePolicyOption;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.Designate;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Designate(ocd = Config.class, factory = true)
@Component(service = {AuthenticationHandler.class}, immediate = true)
/* loaded from: input_file:org/apache/sling/auth/oauth_client/impl/OidcAuthenticationHandler.class */
public class OidcAuthenticationHandler extends DefaultAuthenticationFeedbackHandler implements AuthenticationHandler {
    public static final String REDIRECT_ATTRIBUTE_NAME = "sling.redirect";
    private static final Logger logger = LoggerFactory.getLogger(OidcAuthenticationHandler.class);
    private static final String AUTH_TYPE = "oidc";
    private final Map<String, ClientConnection> connections;
    private final String idp;
    private final String callbackUri;
    private final LoginCookieManager loginCookieManager;
    private final String defaultConnectionName;
    private final UserInfoProcessor userInfoProcessor;
    private final boolean userInfoEnabled;
    private final boolean pkceEnabled;
    private final String[] path;
    private final CryptoService cryptoService;

    @ObjectClassDefinition(name = "Apache Sling Oidc Authentication Handler", description = "Apache Sling Oidc Authentication Handler Service")
    /* loaded from: input_file:org/apache/sling/auth/oauth_client/impl/OidcAuthenticationHandler$Config.class */
    @interface Config {
        @AttributeDefinition(name = "Path", description = "Repository path for which this authentication handler should be used by Sling. If this is empty, the authentication handler will be disabled. By default this is set to \"/\".")
        String[] path() default {"/"};

        @AttributeDefinition(name = "Sync Handler Configuration Name", description = "Name of Sync Handler Configuration")
        String idp() default "oidc";

        @AttributeDefinition(name = "Callback URI", description = "Callback URI")
        String callbackUri() default "callbackUri";

        @AttributeDefinition(name = "Default Connection Name", description = "Default Connection Name")
        String defaultConnectionName() default "";

        @AttributeDefinition(name = "PKCE Enabled", description = "PKCE Enabled")
        boolean pkceEnabled() default false;

        @AttributeDefinition(name = "UserInfo Enabled", description = "UserInfo Enabled")
        boolean userInfoEnabled() default true;
    }

    @Activate
    public OidcAuthenticationHandler(@NotNull BundleContext bundleContext, @Reference List<ClientConnection> list, Config config, @Reference(policyOption = ReferencePolicyOption.GREEDY) LoginCookieManager loginCookieManager, @Reference(policyOption = ReferencePolicyOption.GREEDY) UserInfoProcessor userInfoProcessor, @Reference CryptoService cryptoService) {
        this.connections = (Map) list.stream().collect(Collectors.toMap((v0) -> {
            return v0.name();
        }, Function.identity()));
        this.idp = config.idp();
        this.callbackUri = config.callbackUri();
        this.loginCookieManager = loginCookieManager;
        this.defaultConnectionName = config.defaultConnectionName();
        this.userInfoProcessor = userInfoProcessor;
        this.userInfoEnabled = config.userInfoEnabled();
        this.pkceEnabled = config.pkceEnabled();
        this.path = config.path();
        this.cryptoService = cryptoService;
        logger.debug("activate: registering ExternalIdentityProvider");
        bundleContext.registerService(new String[]{ExternalIdentityProvider.class.getName(), CredentialsSupport.class.getName()}, new OidcIdentityProvider(this.idp), (Dictionary) null);
        logger.info("OidcAuthenticationHandler successfully activated");
    }

    public AuthenticationInfo extractCredentials(@NotNull HttpServletRequest httpServletRequest, @NotNull HttpServletResponse httpServletResponse) {
        logger.debug("inside extractCredentials");
        AuthenticationInfo verifyLoginCookie = this.loginCookieManager.verifyLoginCookie(httpServletRequest);
        if (verifyLoginCookie != null) {
            return verifyLoginCookie;
        }
        StringBuffer requestURL = httpServletRequest.getRequestURL();
        if (httpServletRequest.getQueryString() == null) {
            return null;
        }
        requestURL.append('?').append(httpServletRequest.getQueryString());
        try {
            AuthorizationResponse parse = AuthorizationResponse.parse(new URI(requestURL.toString()));
            State state = parse.getState();
            if (state == null) {
                logger.debug("No state found in authorization response");
                return null;
            }
            String extractAuthCode = extractAuthCode(parse);
            OAuthCookieValue oAuthCookieValue = new OAuthCookieValue(extractCookie(httpServletRequest, OAuthCookieValue.COOKIE_NAME_REQUEST_KEY).getValue(), this.cryptoService);
            httpServletRequest.setAttribute(REDIRECT_ATTRIBUTE_NAME, oAuthCookieValue.redirect());
            if (!state.getValue().equals(oAuthCookieValue.getState().getValue())) {
                throw new IllegalStateException("Failed state check: request keys from client and server are not the same");
            }
            String connectionName = oAuthCookieValue.connectionName();
            ClientConnection clientConnection = this.connections.get(connectionName);
            if (clientConnection == null) {
                throw new IllegalArgumentException(String.format("Requested unknown connection '%s'", connectionName));
            }
            ResolvedConnection resolve = ResolvedOidcConnection.resolve(clientConnection);
            TokenResponse extractTokenResponse = extractTokenResponse(extractAuthCode, resolve, this.callbackUri, oAuthCookieValue.codeVerifier());
            String value = validateIdToken(extractTokenResponse, (ResolvedOidcConnection) resolve, oAuthCookieValue.nonce()).getSubject().getValue();
            OidcAuthCredentials extractCredentials = extractCredentials((OidcConnectionImpl) clientConnection, value, extractTokenResponse);
            AuthenticationInfo authenticationInfo = new AuthenticationInfo(AUTH_TYPE, value);
            authenticationInfo.put("user.jcr.credentials", extractCredentials);
            logger.info("User {} authenticated", value);
            return authenticationInfo;
        } catch (ParseException | URISyntaxException e) {
            logger.debug("Failed to parse authorization response: {}", e.getMessage(), e);
            return null;
        }
    }

    @NotNull
    private OidcAuthCredentials extractCredentials(@NotNull OidcConnectionImpl oidcConnectionImpl, @NotNull String str, @NotNull TokenResponse tokenResponse) {
        if (!this.userInfoEnabled) {
            return this.userInfoProcessor.process(null, tokenResponse.toSuccessResponse().toSuccessResponse().toJSONObject().toJSONString(), str, this.idp);
        }
        try {
            UserInfoResponse parse = UserInfoResponse.parse(new UserInfoRequest(new URI(oidcConnectionImpl.userInfoUrl()), tokenResponse.toSuccessResponse().getTokens().getAccessToken()).toHTTPRequest().send());
            if (parse.indicatesSuccess()) {
                return this.userInfoProcessor.process(parse.toSuccessResponse().getUserInfo().toJSONObject().toJSONString(), tokenResponse.toSuccessResponse().toJSONObject().toJSONString(), str, this.idp);
            }
            logger.debug("UserInfo error. Received code: {}, message: {}", parse.toErrorResponse().getErrorObject().getCode(), parse.toErrorResponse().getErrorObject().getDescription());
            throw new RuntimeException(toErrorMessage("Error in userinfo response", parse.toErrorResponse()));
        } catch (IOException | URISyntaxException | ParseException e) {
            logger.error("Error while processing UserInfo: {}", e.getMessage(), e);
            throw new RuntimeException(e);
        }
    }

    @NotNull
    private static String extractAuthCode(@NotNull AuthorizationResponse authorizationResponse) {
        if (!authorizationResponse.indicatesSuccess()) {
            throw new IllegalStateException(authorizationResponse.toErrorResponse().getErrorObject().getDescription());
        }
        AuthorizationCode authorizationCode = authorizationResponse.toSuccessResponse().getAuthorizationCode();
        if (authorizationCode == null) {
            throw new IllegalStateException("No authorization code found in authorization response");
        }
        return authorizationCode.getValue();
    }

    @NotNull
    private TokenResponse extractTokenResponse(@NotNull String str, @NotNull ResolvedConnection resolvedConnection, @NotNull String str2, CodeVerifier codeVerifier) {
        if (this.pkceEnabled && codeVerifier == null) {
            throw new IllegalStateException("PKCE is enabled but no code verifier cookie found");
        }
        try {
            URI uri = new URI(resolvedConnection.tokenEndpoint());
            ClientID clientID = new ClientID(resolvedConnection.clientId());
            AuthorizationCode authorizationCode = new AuthorizationCode(str);
            HTTPRequest hTTPRequest = ((!this.pkceEnabled || resolvedConnection.clientSecret() == null) ? this.pkceEnabled ? new TokenRequest.Builder(uri, clientID, new AuthorizationCodeGrant(authorizationCode, new URI(str2), new CodeVerifier(codeVerifier.getValue()))).build() : new TokenRequest.Builder(uri, new ClientSecretBasic(clientID, new Secret(resolvedConnection.clientSecret())), new AuthorizationCodeGrant(authorizationCode, new URI(str2))).build() : new TokenRequest.Builder(uri, new ClientSecretBasic(clientID, new Secret(resolvedConnection.clientSecret())), new AuthorizationCodeGrant(authorizationCode, new URI(str2), codeVerifier)).build()).toHTTPRequest();
            hTTPRequest.setAccept("application/json");
            TokenResponse parse = OIDCTokenResponseParser.parse(hTTPRequest.send());
            if (parse.indicatesSuccess()) {
                return parse.toSuccessResponse();
            }
            logger.debug("Token error. Received code: {}, message: {}", parse.toErrorResponse().getErrorObject().getCode(), parse.toErrorResponse().getErrorObject().getDescription());
            throw new RuntimeException(toErrorMessage("Error in token response", parse.toErrorResponse()));
        } catch (ParseException e) {
            logger.error("Failed to parse token response: {}", e.getMessage(), e);
            throw new RuntimeException(e.getMessage());
        } catch (IOException e2) {
            logger.error("Failed to exchange authorization code for access token: {}", e2.getMessage(), e2);
            throw new RuntimeException(e2);
        } catch (URISyntaxException e3) {
            logger.error("Token Endpoint is not a valid URI: {} Error: {}", resolvedConnection.tokenEndpoint(), e3.getMessage());
            throw new RuntimeException(String.format("Token Endpoint is not a valid URI: %s", resolvedConnection.tokenEndpoint()));
        }
    }

    @NotNull
    private static Cookie extractCookie(@NotNull HttpServletRequest httpServletRequest, String str) {
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            throw new IllegalStateException("Failed state check: No cookies found");
        }
        for (Cookie cookie : cookies) {
            if (str.equals(cookie.getName())) {
                return cookie;
            }
        }
        throw new IllegalStateException(String.format("Failed state check: No request cookie named %s found", str));
    }

    @NotNull
    private static IDTokenClaimsSet validateIdToken(@NotNull TokenResponse tokenResponse, @NotNull ResolvedOidcConnection resolvedOidcConnection, Nonce nonce) {
        try {
            return new IDTokenValidator(new Issuer(resolvedOidcConnection.issuer()), new ClientID(resolvedOidcConnection.clientId()), JWSAlgorithm.RS256, resolvedOidcConnection.jwkSetURL().toURL()).validate(tokenResponse.toSuccessResponse().getTokens().toOIDCTokens().getIDToken(), nonce);
        } catch (BadJOSEException | JOSEException | MalformedURLException e) {
            logger.error("Failed to validate token: {}", e.getMessage(), e);
            throw new RuntimeException(e.getMessage());
        }
    }

    @NotNull
    private static String toErrorMessage(@NotNull String str, @NotNull ErrorResponse errorResponse) {
        ErrorObject errorObject = errorResponse.getErrorObject();
        StringBuilder sb = new StringBuilder();
        sb.append(str).append(": ").append(errorObject.getCode());
        sb.append(". Status code: ").append(errorObject.getHTTPStatusCode());
        String description = errorObject.getDescription();
        if (description != null) {
            sb.append(". ").append(description);
        }
        return sb.toString();
    }

    public boolean requestCredentials(@NotNull HttpServletRequest httpServletRequest, @NotNull HttpServletResponse httpServletResponse) {
        logger.debug("inside requestCredentials");
        if (this.loginCookieManager.verifyLoginCookie(httpServletRequest) != null) {
            return true;
        }
        String parameter = httpServletRequest.getParameter("c");
        if (parameter == null) {
            logger.debug("Missing mandatory request parameter 'c' using default connection");
            parameter = this.defaultConnectionName;
        }
        try {
            ClientConnection clientConnection = this.connections.get(parameter);
            if (clientConnection == null) {
                logger.debug("Client requested unknown connection");
                httpServletResponse.sendError(400, "Client requested unknown connection");
                return false;
            }
            RedirectTarget authenticationRequestUri = getAuthenticationRequestUri(clientConnection, httpServletRequest, URI.create(this.callbackUri));
            httpServletResponse.addCookie(authenticationRequestUri.cookie());
            httpServletResponse.sendRedirect(authenticationRequestUri.uri().toString());
            return true;
        } catch (IOException e) {
            logger.error("Error while redirecting to default redirect: {}", e.getMessage(), e);
            throw new RuntimeException(e);
        }
    }

    @NotNull
    private RedirectTarget getAuthenticationRequestUri(@NotNull ClientConnection clientConnection, @NotNull HttpServletRequest httpServletRequest, @NotNull URI uri) {
        ResolvedConnection resolve = ResolvedOidcConnection.resolve(clientConnection);
        String requestURI = httpServletRequest.getRequestURI();
        String value = new Identifier().getValue();
        Nonce nonce = new Nonce(new Identifier().getValue());
        CodeVerifier codeVerifier = null;
        if (this.pkceEnabled) {
            codeVerifier = new CodeVerifier();
        }
        return RedirectHelper.buildRedirectTarget(this.path, uri, resolve, new OAuthCookieValue(value, clientConnection.name(), requestURI, nonce, codeVerifier), this.cryptoService);
    }

    public void dropCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
    }

    public boolean authenticationSucceeded(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationInfo authenticationInfo) {
        if (this.loginCookieManager == null) {
            logger.debug("TokenUpdate service is not available");
            return super.authenticationSucceeded(httpServletRequest, httpServletResponse, authenticationInfo);
        }
        if (this.loginCookieManager.getLoginCookie(httpServletRequest) != null) {
            deleteAuthenticationCookies(httpServletRequest.getRequestURI(), httpServletResponse);
            return false;
        }
        Object obj = authenticationInfo.get("user.jcr.credentials");
        if (!(obj instanceof OidcAuthCredentials)) {
            return true;
        }
        OidcAuthCredentials oidcAuthCredentials = (OidcAuthCredentials) obj;
        Object attribute = oidcAuthCredentials.getAttribute(".token");
        if (attribute != null && !attribute.toString().isEmpty() && !attribute.toString().isEmpty()) {
            logger.debug("Calling TokenUpdate service to update token cookie");
            this.loginCookieManager.setLoginCookie(httpServletRequest, httpServletResponse, oidcAuthCredentials);
        }
        String str = (String) httpServletRequest.getAttribute(REDIRECT_ATTRIBUTE_NAME);
        deleteAuthenticationCookies(httpServletRequest.getRequestURL().toString(), httpServletResponse);
        try {
            httpServletResponse.sendRedirect(str);
            return true;
        } catch (IOException e) {
            logger.error("Error while redirecting to redirect url '{}': {}", new Object[]{str, e.getMessage(), e});
            throw new RuntimeException(e);
        }
    }

    private void deleteAuthenticationCookies(@NotNull String str, @NotNull HttpServletResponse httpServletResponse) {
        deleteCookie(str, httpServletResponse, OAuthCookieValue.COOKIE_NAME_REQUEST_KEY);
    }

    private void deleteCookie(@NotNull String str, @NotNull HttpServletResponse httpServletResponse, @NotNull String str2) {
        Cookie cookie = new Cookie(str2, (String) null);
        cookie.setMaxAge(0);
        cookie.setHttpOnly(true);
        cookie.setSecure(true);
        cookie.setPath(RedirectHelper.findLongestPathMatching(this.path, str));
        httpServletResponse.addCookie(cookie);
    }
}
