package de.adorsys.oauth.client.jaspic;

import com.nimbusds.oauth2.sdk.AccessTokenResponse;
import com.nimbusds.oauth2.sdk.AuthorizationCode;
import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
import com.nimbusds.oauth2.sdk.AuthorizationRequest;
import com.nimbusds.oauth2.sdk.AuthorizationSuccessResponse;
import com.nimbusds.oauth2.sdk.ResponseType;
import com.nimbusds.oauth2.sdk.TokenRequest;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.http.HTTPResponse;
import com.nimbusds.oauth2.sdk.http.ServletUtils;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.token.AccessToken;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.openid.connect.sdk.claims.UserInfo;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.callback.PasswordValidationCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.http.client.cache.HttpCacheContext;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.cache.CacheConfig;
import org.apache.http.impl.client.cache.CachingHttpClients;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:de/adorsys/oauth/client/jaspic/OAuthServerAuthModule.class */
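/**
 * JASPIC {@link ServerAuthModule} that authenticates HTTP requests against an OAuth 2.0 / OpenID
 * Connect provider.
 *
 * <p>For each request {@link #validateRequest} tries, in order:
 * <ol>
 *   <li>a caller the container already knows ({@code request.getUserPrincipal() != null});</li>
 *   <li>an access token taken from the request URI or from an {@code Authorization: Bearer} header,
 *       resolved into a caller name and groups via the provider's userinfo endpoint;</li>
 *   <li>an authorization {@code code} carried in the request URI, which is exchanged at the token
 *       endpoint and whose response is passed through to the client;</li>
 *   <li>otherwise a redirect of the client to the authorization endpoint.</li>
 * </ol>
 *
 * <p>Configuration comes from the options map handed to {@link #initialize}: {@code oauth.auth},
 * {@code oauth.token} and {@code oauth.userinfo} (absolute URLs), {@code oauth.clientId} and the
 * boolean {@code oauth.supportHttpSession}.
 *
 * <p>Token values are deliberately kept out of log output; only request paths, endpoints and
 * status codes are logged.
 */
public class OAuthServerAuthModule implements ServerAuthModule {
    private static final Logger LOG = LoggerFactory.getLogger(OAuthServerAuthModule.class);
    private static final Class<?>[] SUPPORTED_MESSAGE_TYPES = {HttpServletRequest.class, HttpServletResponse.class};

    /** Option keys read from the {@link #initialize} options map. */
    private static final String PROP_AUTH_ENDPOINT = "oauth.auth";
    private static final String PROP_TOKEN_ENDPOINT = "oauth.token";
    private static final String PROP_USERINFO_ENDPOINT = "oauth.userinfo";
    private static final String PROP_CLIENT_ID = "oauth.clientId";
    private static final String PROP_SUPPORT_HTTP_SESSION = "oauth.supportHttpSession";

    /** Name of the userinfo claim that carries the caller's groups. */
    private static final String GROUPS_CLAIM = "groups";

    /** HTTP client limits for the userinfo lookups. */
    private static final int MAX_CACHE_ENTRIES = 1000;
    private static final long MAX_CACHE_OBJECT_SIZE = 8192L;
    private static final int TIMEOUT_MILLIS = 30000;

    private CallbackHandler callbackHandler;
    private URI authEndpoint;
    private URI tokenEndpoint;
    private URI userInfoEndpoint;
    private boolean supportHttpSession;
    // Never closed: the ServerAuthModule contract offers no destroy hook.
    private CloseableHttpClient cachingHttpClient;
    private ClientID clientId;

    /**
     * Returns the message types this module handles (servlet request/response).
     *
     * @return a copy of the supported types, so callers cannot alter the module's own array
     */
    public Class[] getSupportedMessageTypes() {
        return SUPPORTED_MESSAGE_TYPES.clone();
    }

    /**
     * Reads the endpoint URLs, client id and session flag from {@code map} and builds the caching
     * HTTP client used for userinfo lookups.
     *
     * @param messagePolicy request policy (unused)
     * @param messagePolicy2 response policy (unused)
     * @param callbackHandler container handler used to establish caller, password and groups
     * @param map module options; see the class documentation for the recognised keys
     * @throws AuthException if a required option is missing or an endpoint is not a valid URL
     */
    public void initialize(MessagePolicy messagePolicy, MessagePolicy messagePolicy2, CallbackHandler callbackHandler, Map map) throws AuthException {
        this.callbackHandler = callbackHandler;
        this.authEndpoint = from(map, PROP_AUTH_ENDPOINT);
        this.tokenEndpoint = from(map, PROP_TOKEN_ENDPOINT);
        this.userInfoEndpoint = from(map, PROP_USERINFO_ENDPOINT);
        // A missing client id is reported as AuthException instead of ClientID's IllegalArgumentException.
        this.clientId = new ClientID(requiredProperty(map, PROP_CLIENT_ID));
        // Boolean.parseBoolean(null) is false, so an absent flag disables session creation.
        this.supportHttpSession = Boolean.parseBoolean(optionalProperty(map, PROP_SUPPORT_HTTP_SESSION));

        CacheConfig cacheConfig = CacheConfig.custom()
                .setMaxCacheEntries(MAX_CACHE_ENTRIES)
                .setMaxObjectSize(MAX_CACHE_OBJECT_SIZE)
                .build();
        RequestConfig requestConfig = RequestConfig.custom()
                .setConnectTimeout(TIMEOUT_MILLIS)
                .setSocketTimeout(TIMEOUT_MILLIS)
                .build();
        // NOTE(review): userinfo responses are fetched with a per-user Authorization header through a
        // caching client; confirm the cache never serves one user's cached userinfo to another
        // (i.e. that responses to authorized requests are not cached, or are keyed per token).
        this.cachingHttpClient = CachingHttpClients.custom()
                .setCacheConfig(cacheConfig)
                .setDefaultRequestConfig(requestConfig)
                .build();
    }

    /**
     * Reads option {@code str} from {@code map} and parses it as an absolute URL.
     *
     * @throws AuthException if the option is missing or not a valid URL/URI
     */
    private URI from(Map map, String str) throws AuthException {
        String value = requiredProperty(map, str);
        try {
            return new URL(value).toURI();
        } catch (MalformedURLException | URISyntaxException e) {
            throw authException(String.format("wrong property value %s : %s - %s", str, value, e.getMessage()), e);
        }
    }

    /** Returns option {@code key} as a string, or {@code null} when it is absent. */
    private static String optionalProperty(Map map, String key) {
        Object value = map.get(key);
        return value == null ? null : value.toString();
    }

    /**
     * Returns option {@code key} as a string.
     *
     * @throws AuthException if the option is absent
     */
    private static String requiredProperty(Map map, String key) throws AuthException {
        String value = optionalProperty(map, key);
        if (value == null) {
            throw new AuthException("missing property " + key);
        }
        return value;
    }

    /** Builds an {@link AuthException} that keeps {@code cause} (the exception type has no cause constructor). */
    private static AuthException authException(String message, Throwable cause) {
        AuthException ex = new AuthException(message);
        ex.initCause(cause);
        return ex;
    }

    /** Nothing to clean up: the module stores no per-subject state. */
    public void cleanSubject(MessageInfo messageInfo, Subject subject) throws AuthException {
    }

    /** Responses are never altered on the way out. */
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject subject) throws AuthException {
        return AuthStatus.SEND_SUCCESS;
    }

    /**
     * Authenticates the request as described in the class documentation.
     *
     * @param messageInfo carries the servlet request and response
     * @param subject client subject populated through the callback handler on success
     * @param subject2 service subject (unused)
     * @return {@link AuthStatus#SUCCESS} when a caller was established (or already present);
     *         {@link AuthStatus#FAILURE} after a redirect to the authorization endpoint or after
     *         a token exchange whose response was written to the client
     * @throws AuthException if the redirect cannot be built or sent, or the callback handler fails
     */
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject subject, Subject subject2) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();

        // The container already knows the caller (e.g. from an HTTP session created earlier).
        if (request.getUserPrincipal() != null) {
            return AuthStatus.SUCCESS;
        }

        URI requestUri = requestUri(request);
        LOG.debug("Request {}", requestUri);

        AccessToken accessToken = resolveAccessToken(request, requestUri);
        if (accessToken != null && authenticate(accessToken, request, response, subject)) {
            return AuthStatus.SUCCESS;
        }

        AuthorizationCode code = resolveAuthorizationCode(request, requestUri);
        if (code != null) {
            return handleAuthorization(code, requestUri, response);
        }

        return redirectToAuthorizationEndpoint(requestUri, response);
    }

    /**
     * Reconstructs the absolute URI of {@code request} (scheme, local host and port, path and query).
     *
     * @return the URI, or {@code null} if it cannot be built; callers tolerate {@code null}
     */
    private static URI requestUri(HttpServletRequest request) {
        String query = request.getQueryString();
        String file = query == null ? request.getRequestURI() : request.getRequestURI() + "?" + query;
        try {
            // NOTE(review): getLocalName()/getLocalPort() describe the server socket, not necessarily the
            // host the client addressed (reverse proxies); this value becomes the OAuth redirect URI.
            return new URL(request.getScheme(), request.getLocalName(), request.getLocalPort(), file).toURI();
        } catch (MalformedURLException | URISyntaxException e) {
            LOG.error("cannot reconstruct request URI for {}", request.getRequestURI(), e);
            return null;
        }
    }

    /**
     * Sends the client to the authorization endpoint with {@code response_type=code} and
     * {@code redirectUri} as the return address.
     *
     * @throws AuthException if the request cannot be serialised or the redirect cannot be sent
     */
    private AuthStatus redirectToAuthorizationEndpoint(URI redirectUri, HttpServletResponse response) throws AuthException {
        try {
            AuthorizationRequest authRequest = new AuthorizationRequest.Builder(
                    new ResponseType(ResponseType.Value.CODE), this.clientId)
                    .endpointURI(this.authEndpoint)
                    .redirectionURI(redirectUri)
                    .build();
            HTTPRequest httpRequest = authRequest.toHTTPRequest();
            String location = String.format("%s?%s", httpRequest.getURL(), httpRequest.getQuery());
            LOG.info("redirect to {}", location);
            response.sendRedirect(location);
            // NOTE(review): the module historically returns FAILURE after the redirect (the JASPIC
            // spec describes SEND_CONTINUE for this case); kept as-is because the container
            // behaviour this deployment relies on is not visible here.
            return AuthStatus.FAILURE;
        } catch (Exception e) {
            LOG.error("redirect to authorization endpoint failed", e);
            throw authException("redirect to authorization endpoint failed: " + e.getMessage(), e);
        }
    }

    /**
     * Exchanges {@code authorizationCode} at the token endpoint and writes the token response
     * through to the client unchanged.
     *
     * @return always {@link AuthStatus#FAILURE}: the response is already committed to the client
     */
    private AuthStatus handleAuthorization(AuthorizationCode authorizationCode, URI redirectUri, HttpServletResponse response) {
        try {
            // NOTE(review): the token request carries no client authentication (public client);
            // redirectUri must equal the one used in the authorization request.
            TokenRequest tokenRequest = new TokenRequest(this.tokenEndpoint, this.clientId,
                    new AuthorizationCodeGrant(authorizationCode, redirectUri));
            HTTPResponse tokenResponse = tokenRequest.toHTTPRequest().send();
            if (!tokenResponse.indicatesSuccess()) {
                LOG.warn("token endpoint {} answered with status {}", this.tokenEndpoint, tokenResponse.getStatusCode());
                return AuthStatus.FAILURE;
            }
            AccessTokenResponse accessTokenResponse = AccessTokenResponse.parse(tokenResponse);
            // The token response (including the access token) is handed to the client; it is not logged.
            LOG.info("apply accessTokenResponse for client {}", this.clientId);
            ServletUtils.applyHTTPResponse(accessTokenResponse.toHTTPResponse(), response);
        } catch (Exception e) {
            LOG.error("token request to " + this.tokenEndpoint + " failed", e);
        }
        return AuthStatus.FAILURE;
    }

    /**
     * Extracts the authorization {@code code} from the request URI if it is an authorization response.
     *
     * @return the code, or {@code null} if {@code requestUri} is absent or not an authorization response
     */
    private AuthorizationCode resolveAuthorizationCode(HttpServletRequest request, URI requestUri) {
        if (requestUri == null) {
            return null;
        }
        try {
            return AuthorizationSuccessResponse.parse(requestUri).getAuthorizationCode();
        } catch (Exception e) {
            // Only the path is logged; the query may carry one-time codes or tokens.
            LOG.debug("invalid authorization-response for {}", request.getRequestURI());
            return null;
        }
    }

    /**
     * Looks for an access token, first in the request URI (authorization response), then in an
     * {@code Authorization: Bearer} header.
     *
     * @return the token, or {@code null} if none is present or the header does not parse
     */
    private AccessToken resolveAccessToken(HttpServletRequest request, URI requestUri) {
        if (requestUri != null) {
            try {
                AccessToken fromUri = AuthorizationSuccessResponse.parse(requestUri).getAccessToken();
                if (fromUri != null) {
                    return fromUri;
                }
            } catch (Exception e) {
                // Most requests are not authorization responses at all; fall through to the header.
                LOG.trace("no access token in request URI for {}", request.getRequestURI());
            }
        }
        String header = request.getHeader("Authorization");
        if (header == null || !header.contains("Bearer")) {
            return null;
        }
        try {
            return BearerAccessToken.parse(header);
        } catch (Exception e) {
            // The header value is not logged: even a malformed one may be a near-valid secret.
            LOG.debug("invalid authorization-header for {}", request.getRequestURI());
            return null;
        }
    }

    /**
     * Resolves {@code accessToken} via the userinfo endpoint and establishes caller, password
     * (the token value) and groups through the callback handler.
     *
     * @return {@code true} if the caller was established; {@code false} if no usable userinfo
     *         (or no caller name) was obtained
     * @throws AuthException if the callback handler fails
     */
    private boolean authenticate(AccessToken accessToken, HttpServletRequest request, HttpServletResponse response, Subject subject) throws AuthException {
        LOG.debug("authenticate access token against {}", this.userInfoEndpoint);
        UserInfo userInfo = fetchUserInfo(accessToken);
        if (userInfo == null) {
            LOG.info("no userInfo available for the presented access token");
            return false;
        }

        String callerName = userInfo.getName();
        if (callerName == null) {
            // "name" is an optional claim; without it no caller can be established. Fail closed
            // rather than hand the container a null caller name.
            // NOTE(review): the mandatory "sub" claim would be the stable identifier here.
            LOG.info("userinfo carries no name claim; caller not established");
            return false;
        }
        String[] groups = groupsOf(userInfo);

        if (this.supportHttpSession) {
            // Creating the session lets the container remember the caller for later requests.
            request.getSession(true);
        }
        try {
            // NOTE(review): the result of the PasswordValidationCallback is not inspected; the
            // token value is handed to the container's realm as the "password".
            this.callbackHandler.handle(new Callback[] {
                    new CallerPrincipalCallback(subject, callerName),
                    new PasswordValidationCallback(subject, callerName, accessToken.getValue().toCharArray()),
                    new GroupPrincipalCallback(subject, groups)});
            return true;
        } catch (IOException | UnsupportedCallbackException e) {
            throw authException("callback handler failed: " + e.getMessage(), e);
        }
    }

    /**
     * Fetches and parses the userinfo document for {@code accessToken}.
     *
     * @return the parsed userinfo, or {@code null} on a non-2xx status, an empty body, an I/O
     *         error or a parse error (all logged without the token value)
     */
    private UserInfo fetchUserInfo(AccessToken accessToken) {
        HttpGet httpGet = new HttpGet(this.userInfoEndpoint);
        httpGet.setHeader("Authorization", new BearerAccessToken(accessToken.getValue()).toAuthorizationHeader());
        HttpCacheContext cacheContext = HttpCacheContext.create();
        // try-with-resources: the response (and its connection) is released on every path.
        try (CloseableHttpResponse httpResponse = this.cachingHttpClient.execute(httpGet, cacheContext)) {
            int status = httpResponse.getStatusLine().getStatusCode();
            LOG.debug("read userinfo: status {} cache {}", status, cacheContext.getCacheResponseStatus());
            if (status < 200 || status >= 300 || httpResponse.getEntity() == null) {
                return null;
            }
            ByteArrayOutputStream body = new ByteArrayOutputStream();
            httpResponse.getEntity().writeTo(body);
            // Decode explicitly as UTF-8 instead of the platform charset.
            return UserInfo.parse(new String(body.toByteArray(), StandardCharsets.UTF_8));
        } catch (Exception e) {
            LOG.error("reading userinfo from " + this.userInfoEndpoint + " failed", e);
            return null;
        }
    }

    /**
     * Converts the {@code groups} claim of {@code userInfo} into group names.
     *
     * @return the group names, or an empty array if the claim is absent or not a list
     */
    private static String[] groupsOf(UserInfo userInfo) {
        Object claim = userInfo.getClaim(GROUPS_CLAIM);
        if (!(claim instanceof List)) {
            return new String[0];
        }
        List<?> values = (List<?>) claim;
        List<String> groups = new ArrayList<String>(values.size());
        for (Object value : values) {
            if (value != null) {
                groups.add(value.toString());
            }
        }
        return groups.toArray(new String[groups.size()]);
    }
}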
