package org.glassfish.soteria.mechanisms;

import jakarta.annotation.PostConstruct;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.enterprise.inject.Instance;
import jakarta.enterprise.inject.Typed;
import jakarta.inject.Inject;
import jakarta.json.Json;
import jakarta.json.JsonNumber;
import jakarta.json.JsonObject;
import jakarta.json.JsonReader;
import jakarta.security.auth.message.callback.CallerPrincipalCallback;
import jakarta.security.enterprise.AuthenticationException;
import jakarta.security.enterprise.AuthenticationStatus;
import jakarta.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
import jakarta.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import jakarta.security.enterprise.authentication.mechanism.http.openid.OpenIdConstant;
import jakarta.security.enterprise.identitystore.CredentialValidationResult;
import jakarta.security.enterprise.identitystore.IdentityStoreHandler;
import jakarta.security.enterprise.identitystore.openid.RefreshToken;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.UriBuilder;
import java.io.IOException;
import java.io.Serializable;
import java.io.StringReader;
import java.util.Objects;
import java.util.Optional;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.eclipse.persistence.config.ResultSetType;
import org.glassfish.soteria.Utils;
import org.glassfish.soteria.mechanisms.openid.OpenIdCredential;
import org.glassfish.soteria.mechanisms.openid.OpenIdState;
import org.glassfish.soteria.mechanisms.openid.controller.AuthenticationController;
import org.glassfish.soteria.mechanisms.openid.controller.StateController;
import org.glassfish.soteria.mechanisms.openid.controller.TokenController;
import org.glassfish.soteria.mechanisms.openid.domain.LogoutConfiguration;
import org.glassfish.soteria.mechanisms.openid.domain.OpenIdConfiguration;
import org.glassfish.soteria.mechanisms.openid.domain.OpenIdContextImpl;
import org.glassfish.soteria.mechanisms.openid.domain.RefreshTokenImpl;
import org.glassfish.soteria.servlet.HttpServletRequestDelegator;
import org.glassfish.soteria.servlet.HttpStorageController;
import org.glassfish.soteria.servlet.RequestData;

@ApplicationScoped
@Typed({OpenIdAuthenticationMechanism.class})
/* loaded from: input_file:org/glassfish/soteria/mechanisms/OpenIdAuthenticationMechanism.class */
public class OpenIdAuthenticationMechanism implements HttpAuthenticationMechanism {
    public static final String ORIGINAL_REQUEST_DATA_JSON = "org.glassfish.soteria.original.request.json";

    @Inject
    private OpenIdConfiguration configuration;

    @Inject
    private OpenIdContextImpl context;
    private IdentityStoreHandler identityStoreHandler;

    @Inject
    private AuthenticationController authenticationController;

    @Inject
    private TokenController tokenController;

    @Inject
    private StateController stateController;

    @Inject
    Instance<IdentityStoreHandler> storeHandlerInstance;
    private static final Logger LOGGER = Logger.getLogger(OpenIdAuthenticationMechanism.class.getName());
    private static final String SESSION_LOCK_NAME = OpenIdAuthenticationMechanism.class.getName();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/glassfish/soteria/mechanisms/OpenIdAuthenticationMechanism$Lock.class */
    public static class Lock implements Serializable {
        private static final long serialVersionUID = 1;

        private Lock() {
        }
    }

    @PostConstruct
    void init() {
        if (!this.storeHandlerInstance.isResolvable()) {
            throw new IllegalStateException("Cannot get instance of IdentityStoreHandler\n@Inject IdentityStoreHandler is unsatisfied.");
        }
        this.identityStoreHandler = this.storeHandlerInstance.get2();
    }

    @Override // jakarta.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism
    public AuthenticationStatus validateRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HttpMessageContext httpMessageContext) throws AuthenticationException {
        if (Objects.isNull(httpServletRequest.getUserPrincipal())) {
            LOGGER.fine("UserPrincipal is not set, authenticate user using OpenId Connect protocol.");
            return authenticate(httpServletRequest, httpServletResponse, httpMessageContext);
        }
        try {
            httpMessageContext.getHandler().handle(new Callback[]{new CallerPrincipalCallback(httpMessageContext.getClientSubject(), httpServletRequest.getUserPrincipal())});
            boolean isExpired = this.context.getAccessToken().isExpired();
            boolean isExpired2 = this.context.getIdentityToken().isExpired();
            if ((isExpired || isExpired2) && this.configuration.isTokenAutoRefresh()) {
                if (isExpired) {
                    LOGGER.fine("Access Token is expired. Request new Access Token with Refresh Token.");
                }
                if (isExpired2) {
                    LOGGER.fine("Identity Token is expired. Request new Identity Token with Refresh Token.");
                }
                return reAuthenticate(httpMessageContext);
            }
            LogoutConfiguration logoutConfiguration = this.configuration.getLogoutConfiguration();
            if (logoutConfiguration.isIdentityTokenExpiry()) {
                LOGGER.log(Level.FINE, "UserPrincipal is set, check if Identity Token is valid.");
            }
            if (logoutConfiguration.isAccessTokenExpiry()) {
                LOGGER.log(Level.FINE, "UserPrincipal is set, check if Access Token is valid.");
            }
            if ((!logoutConfiguration.isAccessTokenExpiry() || !isExpired) && (!logoutConfiguration.isIdentityTokenExpiry() || !isExpired2)) {
                return AuthenticationStatus.SUCCESS;
            }
            logout(httpServletRequest, httpServletResponse);
            return AuthenticationStatus.SEND_FAILURE;
        } catch (IOException | UnsupportedCallbackException e) {
            throw new AuthenticationException("Failed to register CallerPrincipalCallback.", e);
        }
    }

    @Override // jakarta.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism
    public void cleanSubject(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HttpMessageContext httpMessageContext) {
        logout(httpServletRequest, httpServletResponse);
    }

    private AuthenticationStatus authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HttpMessageContext httpMessageContext) {
        Optional<OpenIdState> from = OpenIdState.from(httpServletRequest.getParameter("state"));
        if (from.isEmpty() && httpMessageContext.isProtected() && Objects.isNull(httpServletRequest.getUserPrincipal())) {
            return this.authenticationController.authenticateUser(httpServletRequest, httpServletResponse);
        }
        if (!from.isPresent()) {
            return httpMessageContext.doNothing();
        }
        String buildRedirectURI = this.configuration.buildRedirectURI(httpServletRequest);
        String originalUrl = getOriginalUrl(httpServletRequest, httpServletResponse);
        String stringBuffer = httpServletRequest.getRequestURL().toString();
        if (this.configuration.isRedirectToOriginalResource()) {
            if (!Utils.isOneOf(stringBuffer, originalUrl, buildRedirectURI)) {
                LOGGER.log(Level.INFO, "OpenID request URL {0} not matched with either callback {1} or original URL {2}", new Object[]{stringBuffer, buildRedirectURI, originalUrl});
                return httpMessageContext.notifyContainerAboutLogin(CredentialValidationResult.NOT_VALIDATED_RESULT);
            }
        } else if (!Utils.isOneOf(stringBuffer, buildRedirectURI)) {
            LOGGER.log(Level.INFO, "OpenID request URL {0} not matched with callback URL {1}", new Object[]{stringBuffer, buildRedirectURI, originalUrl});
            return httpMessageContext.notifyContainerAboutLogin(CredentialValidationResult.NOT_VALIDATED_RESULT);
        }
        Optional<OpenIdState> optional = this.stateController.get(httpServletRequest, httpServletResponse);
        if (!optional.isPresent()) {
            LOGGER.fine("Expected state not found");
            return httpMessageContext.notifyContainerAboutLogin(CredentialValidationResult.NOT_VALIDATED_RESULT);
        }
        if (optional.equals(from)) {
            return (!this.configuration.isRedirectToOriginalResource() || isOnOriginalURL(httpServletRequest, httpServletResponse)) ? validateAuthorizationCode(httpMessageContext) : httpMessageContext.redirect(getOriginalRedirectUrl(httpServletRequest, httpServletResponse));
        }
        LOGGER.fine("Inconsistent received state, value not matched");
        return httpMessageContext.notifyContainerAboutLogin(CredentialValidationResult.INVALID_RESULT);
    }

    private boolean isOnOriginalURL(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Optional<String> asString = HttpStorageController.getInstance(this.configuration, httpServletRequest, httpServletResponse).getAsString(OpenIdConstant.ORIGINAL_REQUEST);
        if (asString.isEmpty()) {
            return true;
        }
        String str = asString.get();
        if (str.contains("?")) {
            str = str.substring(0, str.indexOf(63));
        }
        return httpServletRequest.getRequestURL().toString().equals(str);
    }

    private String getOriginalRedirectUrl(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        return getOriginalUrl(httpServletRequest, httpServletResponse) + "?" + httpServletRequest.getQueryString();
    }

    private String getOriginalUrl(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String str = HttpStorageController.getInstance(this.configuration, httpServletRequest, httpServletResponse).getAsString(OpenIdConstant.ORIGINAL_REQUEST).get();
        if (str.contains("?")) {
            str = str.substring(0, str.indexOf(63));
        }
        return str;
    }

    private RequestData getRequestData(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        return RequestData.of(HttpStorageController.getInstance(this.configuration, httpServletRequest, httpServletResponse).getAsString(ORIGINAL_REQUEST_DATA_JSON).get());
    }

    private AuthenticationStatus validateAuthorizationCode(HttpMessageContext httpMessageContext) {
        HttpServletRequest request = httpMessageContext.getRequest();
        HttpServletResponse response = httpMessageContext.getResponse();
        String parameter = request.getParameter("error");
        String parameter2 = request.getParameter(OpenIdConstant.ERROR_DESCRIPTION_PARAM);
        if (!Utils.isEmpty(parameter)) {
            LOGGER.log(Level.WARNING, "Error occurred in receiving Authorization Code : {0} caused by {1}", new Object[]{parameter, parameter2});
            return httpMessageContext.notifyContainerAboutLogin(CredentialValidationResult.INVALID_RESULT);
        }
        this.stateController.remove(request, response);
        LOGGER.finer("Authorization Code received, now fetching Access token & Id token");
        Response tokens = this.tokenController.getTokens(request);
        JsonObject readJsonObject = readJsonObject((String) tokens.readEntity(String.class));
        if (tokens.getStatus() != Response.Status.OK.getStatusCode()) {
            LOGGER.log(Level.WARNING, "Error occurred in validating Authorization Code : {0} caused by {1}", new Object[]{readJsonObject.getString("error", "Unknown Error"), readJsonObject.getString(OpenIdConstant.ERROR_DESCRIPTION_PARAM, ResultSetType.Unknown)});
            return httpMessageContext.notifyContainerAboutLogin(CredentialValidationResult.INVALID_RESULT);
        }
        updateContext(readJsonObject);
        CredentialValidationResult validate = this.identityStoreHandler.validate(new OpenIdCredential(readJsonObject, httpMessageContext, this.configuration.getTokenMinValidity()));
        httpMessageContext.setRegisterSession(validate.getCallerPrincipal().getName(), validate.getCallerGroups());
        if (this.configuration.isRedirectToOriginalResource()) {
            httpMessageContext.withRequest(new HttpServletRequestDelegator(request, getRequestData(request, response)));
        }
        return httpMessageContext.notifyContainerAboutLogin(validate);
    }

    private AuthenticationStatus reAuthenticate(HttpMessageContext httpMessageContext) throws AuthenticationException {
        HttpServletRequest request = httpMessageContext.getRequest();
        HttpServletResponse response = httpMessageContext.getResponse();
        synchronized (getSessionLock(httpMessageContext.getRequest())) {
            boolean isExpired = this.context.getAccessToken().isExpired();
            boolean isExpired2 = this.context.getIdentityToken().isExpired();
            if (!isExpired && !isExpired2) {
                return AuthenticationStatus.SUCCESS;
            }
            if (isExpired) {
                LOGGER.fine("Access Token is expired. Request new Access Token with Refresh Token.");
            }
            if (isExpired2) {
                LOGGER.fine("Identity Token is expired. Request new Identity Token with Refresh Token.");
            }
            AuthenticationStatus authenticationStatus = (AuthenticationStatus) this.context.getRefreshToken().map(refreshToken -> {
                return refreshTokens(httpMessageContext, refreshToken);
            }).orElse(AuthenticationStatus.SEND_FAILURE);
            if (authenticationStatus != AuthenticationStatus.SUCCESS) {
                LOGGER.log(Level.FINE, "Failed to refresh token (Refresh Token might be invalid).");
                logout(request, response);
            }
            return authenticationStatus;
        }
    }

    private AuthenticationStatus refreshTokens(HttpMessageContext httpMessageContext, RefreshToken refreshToken) {
        Response refreshTokens = this.tokenController.refreshTokens(refreshToken);
        JsonObject readJsonObject = readJsonObject((String) refreshTokens.readEntity(String.class));
        if (refreshTokens.getStatus() == Response.Status.OK.getStatusCode()) {
            updateContext(readJsonObject);
            return httpMessageContext.notifyContainerAboutLogin(this.identityStoreHandler.validate(new OpenIdCredential(readJsonObject, httpMessageContext, this.configuration.getTokenMinValidity())));
        }
        LOGGER.log(Level.FINE, "Error occurred in refreshing Access Token and Refresh Token : {0} caused by {1}", new Object[]{readJsonObject.getString("error", "Unknown Error"), readJsonObject.getString(OpenIdConstant.ERROR_DESCRIPTION_PARAM, ResultSetType.Unknown)});
        return AuthenticationStatus.SEND_FAILURE;
    }

    private void logout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        LogoutConfiguration logoutConfiguration = this.configuration.getLogoutConfiguration();
        if (logoutConfiguration == null) {
            LOGGER.log(Level.WARNING, "Logout invoked on session without OpenID session");
            redirect(httpServletResponse, httpServletRequest.getContextPath());
            return;
        }
        HttpSession session = httpServletRequest.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        if (!logoutConfiguration.isNotifyProvider() || Utils.isEmpty(this.configuration.getProviderMetadata().getEndSessionEndpoint())) {
            if (Utils.isEmpty(logoutConfiguration.getRedirectURI())) {
                this.authenticationController.authenticateUser(httpServletRequest, httpServletResponse);
                return;
            } else {
                redirect(httpServletResponse, logoutConfiguration.buildRedirectURI(httpServletRequest));
                return;
            }
        }
        UriBuilder queryParam = UriBuilder.fromUri(this.configuration.getProviderMetadata().getEndSessionEndpoint()).queryParam(OpenIdConstant.ID_TOKEN_HINT, this.context.getIdentityToken().getToken());
        if (!Utils.isEmpty(logoutConfiguration.getRedirectURI())) {
            queryParam.queryParam(OpenIdConstant.POST_LOGOUT_REDIRECT_URI, logoutConfiguration.buildRedirectURI(httpServletRequest));
        }
        redirect(httpServletResponse, queryParam.toString());
    }

    private static void redirect(HttpServletResponse httpServletResponse, String str) {
        try {
            httpServletResponse.sendRedirect(str);
        } catch (IOException e) {
            throw new IllegalStateException(e);
        }
    }

    private JsonObject readJsonObject(String str) {
        JsonReader createReader = Json.createReader(new StringReader(str));
        try {
            JsonObject readObject = createReader.readObject();
            if (createReader != null) {
                createReader.close();
            }
            return readObject;
        } catch (Throwable th) {
            if (createReader != null) {
                try {
                    createReader.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private void updateContext(JsonObject jsonObject) {
        this.context.setTokenType(jsonObject.getString(OpenIdConstant.TOKEN_TYPE, (String) null));
        String string = jsonObject.getString(OpenIdConstant.REFRESH_TOKEN, (String) null);
        if (Objects.nonNull(string)) {
            this.context.setRefreshToken(new RefreshTokenImpl(string));
        }
        JsonNumber jsonNumber = jsonObject.getJsonNumber(OpenIdConstant.EXPIRES_IN);
        if (Objects.nonNull(jsonNumber)) {
            this.context.setExpiresIn(Long.valueOf(jsonNumber.longValue()));
        }
    }

    private Object getSessionLock(HttpServletRequest httpServletRequest) {
        HttpSession session = httpServletRequest.getSession();
        Object attribute = session.getAttribute(SESSION_LOCK_NAME);
        if (Objects.isNull(attribute)) {
            synchronized (OpenIdAuthenticationMechanism.class) {
                attribute = session.getAttribute(SESSION_LOCK_NAME);
                if (Objects.isNull(attribute)) {
                    attribute = new Lock();
                    session.setAttribute(SESSION_LOCK_NAME, attribute);
                }
            }
        }
        return attribute;
    }
}
