package org.clazzes.login.oauth;

import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.Principal;
import java.util.List;
import java.util.Locale;
import java.util.TimeZone;
import java.util.concurrent.TimeoutException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.clazzes.login.jbo.jwt.JWToken;
import org.clazzes.login.oauth.i18n.OAuthMessages;
import org.clazzes.util.aop.ThreadLocalManager;
import org.clazzes.util.aop.i18n.Messages;
import org.clazzes.util.http.sec.HttpLoginService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/clazzes/login/oauth/OAuthHttpLoginService.class */
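public class OAuthHttpLoginService implements HttpLoginService {
    private static final Logger log = LoggerFactory.getLogger(OAuthHttpLoginService.class);
    /** Servlet path that starts the OAuth login; also the only path {@link #checkPermission} grants. */
    private static final String LOGIN_URL = "/oauth-login/login";
    /** Servlet path the OAuth provider redirects back to after authentication. */
    private static final String REDIRECT_URL = "/oauth-login/auth";
    /** Authorization header scheme prefix recognised by {@link #parseBearerToken}. */
    private static final String BEARER_PREFIX = "Bearer ";
    /** {@link #sessionTimeout} is multiplied by this, i.e. the configured timeout is in minutes. */
    private static final int MILLIS_PER_MINUTE = 60000;
    /** Lead time handed to {@code LoginInfo.checkTokenValidity}; presumably "refresh if expiring within this" — confirm in LoginInfo. */
    private static final long TOKEN_VALIDITY_LEAD_MILLIS = 60000L;

    /** Session timeout in minutes (see {@link #sessionTimeoutMillis()}). */
    private int sessionTimeout;
    /** Name of the cookie that carries the session id. */
    private String sessionCookie;
    /** Whether the session cookie is emitted with the {@code Secure} attribute. */
    private boolean secureCookie;
    /** {@code SameSite} attribute of the session cookie; {@code null} omits the attribute. */
    private SameSitePolicy sameSitePolicy;
    /** Domain used for cookie-less logins via {@code Authorization: Bearer}; {@code null}/empty disables them. */
    private String delegateDomain;
    /** Whether a delegated bearer token is treated as a JWT id token or as an opaque access token. */
    private TokenType delegateTokenType;
    private LoginInfoCache loginInfoCache;
    private ConfigurationService configurationService;
    private OAuthHttpClient oauthHttpClient;
    private TokenValidator tokenValidator;

    /** @return the servlet path that starts the login flow */
    public String getLoginUrl() {
        return LOGIN_URL;
    }

    /** @return the servlet path the provider redirects back to */
    public String getRedirectUrl() {
        return REDIRECT_URL;
    }

    /**
     * Converts the configured session timeout (minutes) to milliseconds.
     *
     * <p>Kept as {@code int} because {@code LoginInfo.touch} and {@code LoginInfoCache.createLoginInfo}
     * receive it exactly as the original {@code sessionTimeout * 60000} expression did; values above
     * roughly 35791 minutes would overflow.
     */
    private int sessionTimeoutMillis() {
        return this.sessionTimeout * MILLIS_PER_MINUTE;
    }

    /**
     * Extracts the value of the session cookie from the request's {@code Cookie} header.
     *
     * @param httpServletRequest the current request
     * @return the cookie value, or {@code null} when the header or the named cookie is absent
     */
    private String parseCookie(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader("Cookie");
        if (header == null || this.sessionCookie == null) {
            return null;
        }
        for (String pair : header.split("\\s*;\\s*")) {
            // limit 2: a value may itself contain '='
            String[] nameValue = pair.split("\\s*=\\s*", 2);
            if (nameValue.length == 2 && nameValue[0].equals(this.sessionCookie)) {
                return nameValue[1];
            }
        }
        return null;
    }

    /**
     * Picks the locale for a request: the login's locale, then the request's, then the JVM default.
     *
     * @param loginInfo the cached login, may be {@code null}
     * @param httpServletRequest the current request
     * @return a non-null locale
     */
    private static Locale resolveLocale(LoginInfo loginInfo, HttpServletRequest httpServletRequest) {
        Locale locale = loginInfo == null ? null : loginInfo.getLocale();
        if (locale == null) {
            locale = httpServletRequest.getLocale();
        }
        return locale == null ? Locale.getDefault() : locale;
    }

    /**
     * Looks up the cached login for a request, by session cookie first and, when no cookie is
     * present and a delegate domain is configured, by bearer token.
     *
     * @param httpServletRequest the current request
     * @return the cached login, or {@code null} when the request carries no usable credentials
     */
    private LoginInfo getLoginInfoFromCookie(HttpServletRequest httpServletRequest) {
        String sessionId = parseCookie(httpServletRequest);
        if (sessionId != null) {
            return this.loginInfoCache.getLoginInfo(sessionId);
        }
        if (this.delegateDomain == null || this.delegateDomain.isEmpty()) {
            return null;
        }
        Locale locale = resolveLocale(null, httpServletRequest);
        return getLoginInfoFromBearerToken(OAuthMessages.getMesssages(locale), httpServletRequest);
    }

    /**
     * Extracts the token from an {@code Authorization: Bearer <token>} header.
     *
     * @param httpServletRequest the current request
     * @return the token, or {@code null} when the header is missing, uses another scheme, or is empty
     */
    private static String parseBearerToken(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader("Authorization");
        if (header == null) {
            return null;
        }
        String credentials = header.trim();
        // RFC 7235 auth-scheme names are case-insensitive, so "bearer ..." is accepted as well
        if (!credentials.regionMatches(true, 0, BEARER_PREFIX, 0, BEARER_PREFIX.length())) {
            return null;
        }
        String token = credentials.substring(BEARER_PREFIX.length()).trim();
        // an empty token is not a credential; treat it like a missing header instead of looking it up
        return token.isEmpty() ? null : token;
    }

    /**
     * Resolves (or creates) the cached login for a bearer token in the delegate domain.
     *
     * @param messages localized messages for error reporting
     * @param httpServletRequest the current request
     * @return the cached or newly created login, or {@code null} when there is no token or user
     *         info could not be loaded
     */
    private LoginInfo getLoginInfoFromBearerToken(Messages messages, HttpServletRequest httpServletRequest) {
        String token = parseBearerToken(httpServletRequest);
        if (token == null) {
            return null;
        }
        boolean isJwt = this.delegateTokenType == TokenType.JWT;
        LoginInfo cached = isJwt
                ? this.loginInfoCache.getByIdToken(token)
                : this.loginInfoCache.getByBearerToken(token);
        if (cached != null) {
            return cached;
        }
        try {
            String scope = this.configurationService.getDomainConfiguration(this.delegateDomain).getScope();
            // Positional constructor: a JWT goes into the slot the id token occupies (6th argument),
            // an opaque token into the access-token slot (1st) — confirm against OAuthTokenResponse.
            OAuthTokenResponse response = isJwt
                    ? new OAuthTokenResponse(null, "bearer", null, scope, null, token, null, null)
                    : new OAuthTokenResponse(token, "bearer", null, scope, null, null, null, null);
            OAuthPrincipal principal = parsePrincipal(this.delegateDomain, response, messages);
            return this.loginInfoCache.createLoginInfo(principal, response, messages.getLocale(), null, sessionTimeoutMillis(), true);
        } catch (Exception e) {
            // boundary: any failure to validate or load the user maps to "not logged in"
            log.error("Loading user info for domain [" + this.delegateDomain + "] failed", e);
            return null;
        }
    }

    /**
     * Requests fresh tokens from the domain's token endpoint using the refresh token in {@code response}.
     *
     * @param messages localized messages for error reporting
     * @param domain the login domain
     * @param response the token response holding the refresh token, state and redirect URI
     * @return the new token response, or {@code null} when the token endpoint could not be resolved
     * @throws OAuthTokenErrorResponse when the domain configures no token endpoint at all
     */
    private OAuthTokenResponse refreshToken(Messages messages, String domain, OAuthTokenResponse response) {
        DomainConfig domainConfig = this.configurationService.getDomainConfiguration(domain);
        URI tokenLocation = domainConfig.getTokenLocation();
        if (tokenLocation == null) {
            try {
                tokenLocation = domainConfig.getOpenIdLocation("token_endpoint");
            } catch (Exception e) {
                // The refresh token is a credential and must not appear in logs; the token location
                // is known to be null in this branch, so report the domain instead.
                log.error("Resolving the token_endpoint for domain [" + domain + "] failed", e);
                return null;
            }
        }
        if (tokenLocation == null) {
            throw new OAuthTokenErrorResponse("openid-configuration-invalid", messages);
        }
        String scope = domainConfig.getScope();
        log.info("Refreshing token from [{}] with redirect URI to [{}].", tokenLocation, response.getRedirectUri());
        return this.oauthHttpClient.refreshToken(tokenLocation, response.getRedirectUri(), response.getState(), scope,
                domainConfig.getClientCredentials(), response.getRefreshToken());
    }

    /**
     * Returns the principal of the request's login, refreshing expiring tokens on the way.
     *
     * @param httpServletRequest the current request
     * @return the (possibly refreshed) principal, or {@code null} when the request is not logged in
     *         or its tokens could not be refreshed
     */
    public Principal checkLogin(HttpServletRequest httpServletRequest) {
        LoginInfo loginInfo = getLoginInfoFromCookie(httpServletRequest);
        if (loginInfo == null) {
            return null;
        }
        OAuthPrincipal principal = loginInfo.getPrincipal();
        if (principal == null) {
            return null;
        }
        // captured up front: after a failed refresh the principal is null, which the warning below must survive
        String principalName = principal.getName();
        try {
            OAuthTokenResponse expiring = loginInfo.checkTokenValidity(TOKEN_VALIDITY_LEAD_MILLIS);
            if (expiring != null) {
                principal = refreshCredentials(loginInfo, principal, expiring, httpServletRequest);
            }
            if (principal != null) {
                loginInfo.touch(sessionTimeoutMillis());
            }
            return principal;
        } catch (TimeoutException e) {
            log.warn("Tokens for principal [{}] expired without a refresh URL.", principalName);
            return null;
        }
    }

    /**
     * Replaces the credentials of a cached login with refreshed ones, purging the login when the
     * refresh or the re-parsing of the principal fails.
     *
     * @param loginInfo the cached login to update
     * @param principal the current principal of that login
     * @param expiring the token response whose tokens are about to expire
     * @param httpServletRequest the current request (locale fallback)
     * @return the refreshed principal, or {@code null} when the login has been purged
     * @throws TimeoutException propagated from the cache/login calls this method makes
     */
    private OAuthPrincipal refreshCredentials(LoginInfo loginInfo, OAuthPrincipal principal,
            OAuthTokenResponse expiring, HttpServletRequest httpServletRequest) throws TimeoutException {
        Messages messages = OAuthMessages.getMesssages(resolveLocale(loginInfo, httpServletRequest));
        String domain = principal.getDomain();
        OAuthTokenResponse refreshed = refreshToken(messages, domain, expiring);
        OAuthPrincipal refreshedPrincipal = null;
        if (refreshed != null) {
            try {
                refreshedPrincipal = parsePrincipal(domain, refreshed, messages);
            } catch (IOException | OAuthTokenErrorResponse e) {
                log.error("Cannot parse refreshed principal of orignal principal [" + principal.getName() + "], purging HTTP session.", e);
            }
            if (refreshedPrincipal == null) {
                // tokens without a principal are useless; drop them so the login is cleared consistently
                refreshed = null;
            }
        }
        loginInfo.setCredentials(refreshed, refreshedPrincipal);
        if (refreshedPrincipal == null) {
            this.loginInfoCache.removeLoginInfo(loginInfo.getSessionId());
        }
        return refreshedPrincipal;
    }

    /**
     * @param httpServletRequest the current request
     * @return the groups of the request's principal, or {@code null} when the request is not logged in
     */
    public List<? extends Principal> checkLoginGroups(HttpServletRequest httpServletRequest) {
        LoginInfo loginInfo = getLoginInfoFromCookie(httpServletRequest);
        if (loginInfo == null) {
            return null;
        }
        OAuthPrincipal principal = loginInfo.getPrincipal();
        if (principal == null) {
            // a cached login without a principal is not a usable login (see checkLogin)
            return null;
        }
        return principal.getGroups();
    }

    /**
     * @param httpServletRequest the current request
     * @return the login's locale, falling back to the request locale and then the JVM default
     */
    public Locale getLocale(HttpServletRequest httpServletRequest) {
        return resolveLocale(getLoginInfoFromCookie(httpServletRequest), httpServletRequest);
    }

    /**
     * @param httpServletRequest the current request
     * @return the login's time zone, or the JVM default when absent
     */
    public TimeZone getTimeZone(HttpServletRequest httpServletRequest) {
        LoginInfo loginInfo = getLoginInfoFromCookie(httpServletRequest);
        TimeZone timeZone = loginInfo == null ? null : loginInfo.getTimeZone();
        return timeZone == null ? TimeZone.getDefault() : timeZone;
    }

    /**
     * Only the login path itself is permitted without a login.
     *
     * @param httpServletRequest the current request (unused)
     * @param path the requested path
     * @return {@code true} only for {@link #getLoginUrl()}
     */
    public boolean checkPermission(HttpServletRequest httpServletRequest, String path) {
        return LOGIN_URL.equals(path);
    }

    /**
     * Removes the request's login from the cache and, when the domain publishes an
     * {@code end_session_endpoint}, notifies the provider as well.
     *
     * @param httpServletRequest the current request
     */
    public void logout(HttpServletRequest httpServletRequest) {
        String sessionId = parseCookie(httpServletRequest);
        if (sessionId == null) {
            return;
        }
        LoginInfo removed = this.loginInfoCache.removeLoginInfo(sessionId);
        if (removed == null) {
            return;
        }
        log.info("OAuth Logout of [{}].", removed.getPrincipalsInfo());
        OAuthPrincipal principal = removed.getPrincipal();
        if (principal == null) {
            // nothing to tell the provider without a domain; the local session is already gone
            return;
        }
        String domain = principal.getDomain();
        DomainConfig domainConfig = this.configurationService.getDomainConfiguration(domain);
        if (domainConfig == null || domainConfig.getOpenIdConfiguration() == null) {
            return;
        }
        try {
            URI endSession = domainConfig.getOpenIdLocation("end_session_endpoint");
            if (endSession != null && removed.getResponse() != null && removed.getResponse().getAccessToken() != null) {
                this.oauthHttpClient.logout(endSession, removed.getResponse().getAccessToken());
            }
        } catch (Exception e) {
            // best effort: the local logout already succeeded
            log.warn("Unable to retrieve the end_session_endpoint URI for domain [" + domain + "]", e);
        }
    }

    /** @return the configured login domains */
    public List<String> getDomains() {
        return this.configurationService.getDomains();
    }

    /**
     * Builds a principal for a token response: from the validated id token when the domain has
     * no user-info location or the response has no access token, otherwise from the user-info
     * endpoint.
     *
     * @param domain the login domain
     * @param response the token response
     * @param messages localized messages; its locale is bound as login locale for the duration
     * @return the principal, never {@code null}
     * @throws OAuthTokenErrorResponse when token validation fails or the OpenID configuration is
     *         missing, unloaded or invalid
     * @throws IOException propagated from loading the user info
     */
    public OAuthPrincipal parsePrincipal(String domain, OAuthTokenResponse response, Messages messages) throws OAuthTokenErrorResponse, IOException {
        Locale locale = messages.getLocale();
        if (locale != null) {
            ThreadLocalManager.bindLoginLocale(locale);
        }
        try {
            DomainConfig domainConfig = this.configurationService.getDomainConfiguration(domain);
            URI userLocation = domainConfig.getUserLocation();
            OAuthPrincipal principal = null;
            if (userLocation == null || response.getAccessToken() == null) {
                JWToken idToken = this.tokenValidator.validateToken(domainConfig, response, messages);
                if (idToken != null) {
                    principal = new OAuthPrincipal(domain, idToken, response.getAccessToken());
                } else {
                    if (response.getAccessToken() == null) {
                        log.error("JWT Bearer Token for [" + domainConfig.getDomain() + "] was empty and no access token given.");
                        throw new OAuthTokenErrorResponse("openid-token-validation-failed", messages);
                    }
                    // no usable id token but an access token: fall back to the discovered user-info endpoint
                    try {
                        userLocation = domainConfig.getOpenIdLocation("userinfo_endpoint");
                    } catch (IllegalStateException e) {
                        log.error("OpenID configuration of domain [" + domainConfig.getDomain() + "] not loaded while requesting user location", e);
                        throw new OAuthTokenErrorResponse("openid-configuration-not-loaded", messages);
                    } catch (URISyntaxException e) {
                        log.error("OpenID configuration of domain [" + domainConfig.getDomain() + "] contains and invalid user location", e);
                        throw new OAuthTokenErrorResponse("openid-configuration-invalid", messages);
                    }
                }
            }
            if (principal == null) {
                if (userLocation == null) {
                    log.error("No ID token given and OpenID configuration of domain [" + domainConfig.getDomain() + "] contains no user location");
                    throw new OAuthTokenErrorResponse("openid-configuration-invalid", messages);
                }
                String accessToken = response.getAccessToken();
                principal = new OAuthPrincipal(domain, this.oauthHttpClient.loadStringMap(userLocation, accessToken), accessToken);
            }
            if (log.isDebugEnabled()) {
                log.debug("Parsed OAuth principal as [{}]", principal);
            }
            return principal;
        } finally {
            // unbind exactly when bound above, even if the locale supplier changes meanwhile
            if (locale != null) {
                ThreadLocalManager.unbindLoginLocale();
            }
        }
    }

    /**
     * Completes a login: parses the principal, caches the login and sets the session cookie.
     *
     * @param httpServletRequest the current request (unused)
     * @param httpServletResponse the response that receives the {@code Set-Cookie} header
     * @param domain the login domain
     * @param response the token response obtained from the provider
     * @param messages localized messages; its locale becomes the login's locale
     * @return the parsed principal
     * @throws IOException propagated from {@link #parsePrincipal}
     * @throws OAuthTokenErrorResponse propagated from {@link #parsePrincipal}
     */
    public OAuthPrincipal tryLogin(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String domain, OAuthTokenResponse response, Messages messages) throws IOException, OAuthTokenErrorResponse {
        OAuthPrincipal principal = parsePrincipal(domain, response, messages);
        LoginInfo loginInfo = this.loginInfoCache.createLoginInfo(principal, response, messages.getLocale(), null,
                sessionTimeoutMillis(), domain.equals(this.delegateDomain));
        // log whatever time zone the created login actually carries (the decompiled original always logged null)
        TimeZone timeZone = loginInfo.getTimeZone();
        log.info("Successful login of user [{}] with groups [{}] locale [{}] and timezone [{}].",
                principal.getName(), principal.getGroups(), messages.getLocale(), timeZone == null ? null : timeZone.getID());
        httpServletResponse.setHeader("Set-Cookie", buildSessionCookie(loginInfo.getSessionId()));
        return principal;
    }

    /**
     * Renders the session cookie header value with the configured {@code SameSite} and
     * {@code Secure} attributes; {@code HttpOnly} is always set so scripts cannot read the session id.
     *
     * @param sessionId the cache session id to store in the cookie
     * @return the {@code Set-Cookie} header value
     */
    private String buildSessionCookie(String sessionId) {
        StringBuilder cookie = new StringBuilder();
        cookie.append(this.sessionCookie).append('=').append(sessionId).append("; Path=/; ");
        if (this.sameSitePolicy != null) {
            cookie.append("SameSite=").append(this.sameSitePolicy).append("; ");
        }
        if (this.secureCookie) {
            cookie.append("Secure; ");
        }
        cookie.append("HttpOnly");
        return cookie.toString();
    }

    public LoginInfoCache getLoginInfoCache() {
        return this.loginInfoCache;
    }

    public void setLoginInfoCache(LoginInfoCache loginInfoCache) {
        this.loginInfoCache = loginInfoCache;
    }

    public OAuthHttpClient getOauthHttpClient() {
        return this.oauthHttpClient;
    }

    public void setOauthHttpClient(OAuthHttpClient oauthHttpClient) {
        this.oauthHttpClient = oauthHttpClient;
    }

    /** @param minutes session timeout in minutes */
    public void setSessionTimeout(int minutes) {
        this.sessionTimeout = minutes;
    }

    /** @return session timeout in minutes */
    public int getSessionTimeout() {
        return this.sessionTimeout;
    }

    /** @param cookieName name of the session cookie */
    public void setSessionCookie(String cookieName) {
        this.sessionCookie = cookieName;
    }

    /** @param secure whether to emit the cookie with the {@code Secure} attribute */
    public void setSecureCookie(boolean secure) {
        this.secureCookie = secure;
    }

    /**
     * Configures the {@code SameSite} attribute from its textual name.
     *
     * @param policy the policy name; {@code null} or blank disables the attribute, any other
     *         value is passed to {@code SameSitePolicy.valueOf} (which rejects unknown names)
     */
    public void setSameSitePolicyString(String policy) {
        String name = policy == null ? "" : policy.trim();
        this.sameSitePolicy = name.isEmpty() ? null : SameSitePolicy.valueOf(name);
    }

    public String getDelegateDomain() {
        return this.delegateDomain;
    }

    public void setDelegateDomain(String delegateDomain) {
        this.delegateDomain = delegateDomain;
    }

    public void setDelegateTokenType(TokenType tokenType) {
        this.delegateTokenType = tokenType;
    }

    public void setConfigurationService(ConfigurationService configurationService) {
        this.configurationService = configurationService;
    }

    public void setTokenValidator(TokenValidator tokenValidator) {
        this.tokenValidator = tokenValidator;
    }
}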
