package de.cuioss.portal.authentication.oauth.impl;

import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import de.cuioss.portal.authentication.AuthenticatedUserInfo;
import de.cuioss.portal.authentication.facade.AuthenticationSource;
import de.cuioss.portal.authentication.facade.BaseAuthenticationFacade;
import de.cuioss.portal.authentication.facade.PortalAuthenticationFacade;
import de.cuioss.portal.authentication.model.BaseAuthenticatedUserInfo;
import de.cuioss.portal.authentication.oauth.LoginPagePath;
import de.cuioss.portal.authentication.oauth.Oauth2AuthenticationFacade;
import de.cuioss.portal.authentication.oauth.Oauth2Configuration;
import de.cuioss.portal.authentication.oauth.Oauth2Service;
import de.cuioss.portal.authentication.oauth.OauthAuthenticationException;
import de.cuioss.portal.authentication.oauth.OauthRedirector;
import de.cuioss.portal.authentication.oauth.OidcRpInitiatedLogoutParams;
import de.cuioss.portal.authentication.oauth.Token;
import de.cuioss.tools.collect.CollectionBuilder;
import de.cuioss.tools.logging.CuiLogger;
import de.cuioss.tools.net.UrlParameter;
import de.cuioss.tools.string.MoreStrings;
import de.cuioss.tools.string.Splitter;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import jakarta.inject.Provider;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpSession;
import java.io.IOException;
import java.io.Serializable;
import java.math.BigInteger;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Stream;

@ApplicationScoped
@PortalAuthenticationFacade
/* loaded from: input_file:de/cuioss/portal/authentication/oauth/impl/Oauth2AuthenticationFacadeImpl.class */
public class Oauth2AuthenticationFacadeImpl extends BaseAuthenticationFacade implements Serializable, Oauth2AuthenticationFacade {
    private static final String ERROR_ACCESS_DENIED = "access_denied";
    private static final String ERROR_INVALID_SCOPE = "invalid_scope";
    private static final long serialVersionUID = -7635870199193359039L;
    private static final String AUTHENTICATED_USER_INFO_KEY = "AuthenticatedUserInfo";
    private static final String STATE_KEY = "State";
    private static final String NONCE_KEY = "Nonce";
    private static final String SCOPES_KEY = "Scopes";
    private static final String PKCE_CODE_KEY = "PKCE_CODE";

    @Inject
    private Oauth2Service oauth2ServiceImpl;

    @Inject
    private Provider<Oauth2Configuration> configurationProvider;

    @Inject
    @LoginPagePath
    private Provider<String> loginUrl;

    @Inject
    private Provider<OauthRedirector> oauthRedirector;

    @Inject
    private Provider<HttpServletRequest> servletRequestProvider;
    private static final CuiLogger LOGGER = new CuiLogger(Oauth2AuthenticationFacadeImpl.class);
    private static final AuthenticatedUserInfo NOT_LOGGED_IN = BaseAuthenticatedUserInfo.builder().authenticated(false).build();
    private final transient Object codeLock = new Object();
    private final SecureRandom random = new SecureRandom();

    public boolean logout(HttpServletRequest httpServletRequest) {
        HttpSession session = httpServletRequest.getSession(false);
        if (null == session) {
            return true;
        }
        session.invalidate();
        return true;
    }

    public AuthenticatedUserInfo retrieveCurrentAuthenticationContext(HttpServletRequest httpServletRequest) {
        return retrieveCurrentUserIfPresent(httpServletRequest).orElse(new OauthAuthenticatedUserInfo(NOT_LOGGED_IN));
    }

    @Override // de.cuioss.portal.authentication.oauth.Oauth2AuthenticationFacade
    public AuthenticatedUserInfo testLogin(List<UrlParameter> list, String str) {
        return triggerAuthenticate(list, str).orElse(NOT_LOGGED_IN);
    }

    @Override // de.cuioss.portal.authentication.oauth.Oauth2AuthenticationFacade
    public void invalidateToken() {
        retrieveCurrentUserIfPresent((HttpServletRequest) this.servletRequestProvider.get()).ifPresent(oauthAuthenticatedUserInfo -> {
            oauthAuthenticatedUserInfo.getToken().setAccess_token(null);
        });
    }

    @Override // de.cuioss.portal.authentication.oauth.Oauth2AuthenticationFacade
    public void sendRedirect(String str) {
        Objects.requireNonNull(MoreStrings.emptyToNull(str));
        sendRedirect(str, null);
    }

    @Override // de.cuioss.portal.authentication.oauth.Oauth2AuthenticationFacade
    public void sendRedirect() {
        sendRedirect((String) ((HttpServletRequest) this.servletRequestProvider.get()).getSession().getAttribute(SCOPES_KEY), null);
    }

    private void sendRedirect(String str, String str2) {
        try {
            String retrieveOauth2RedirectUrl = retrieveOauth2RedirectUrl(str, str2);
            LOGGER.debug("Calling redirect to %s", new Object[]{retrieveOauth2RedirectUrl});
            ((OauthRedirector) this.oauthRedirector.get()).sendRedirect(retrieveOauth2RedirectUrl);
        } catch (IllegalStateException e) {
            LOGGER.warn("Portal-146: Oauth2 sendRedirect failed", e);
        }
    }

    private Optional<AuthenticatedUserInfo> triggerAuthenticate(List<UrlParameter> list, String str) {
        Optional<UrlParameter> findAny = list.stream().filter(urlParameter -> {
            return "code".equals(urlParameter.getName());
        }).findAny();
        Optional<UrlParameter> findAny2 = list.stream().filter(urlParameter2 -> {
            return OidcRpInitiatedLogoutParams.STATE.equals(urlParameter2.getName());
        }).findAny();
        Optional<UrlParameter> findAny3 = list.stream().filter(urlParameter3 -> {
            return "error".equals(urlParameter3.getName());
        }).findAny();
        if (findAny2.isPresent()) {
            if (findAny.isPresent()) {
                return handleTriggerAuthenticate(str, findAny.get(), findAny2.get());
            }
            if (findAny3.isPresent()) {
                LOGGER.debug("state and error {} parameter are present", new Object[]{findAny3.get().getValue()});
                if (ERROR_ACCESS_DENIED.equals(findAny3.get().getValue())) {
                    throw new OauthAuthenticationException("system.exception.oauth.consent");
                }
                if (ERROR_INVALID_SCOPE.equals(findAny3.get().getValue())) {
                    LOGGER.warn("invalid_scope: {}", new Object[]{list});
                    throw new OauthAuthenticationException("system.exception.oauth.invalidScope");
                }
                LOGGER.warn("Portal-147: Oauth2 login error: {}", new Object[]{list});
                throw new OauthAuthenticationException("system.exception.oauth.login");
            }
        }
        return Optional.empty();
    }

    private Optional<AuthenticatedUserInfo> handleTriggerAuthenticate(String str, UrlParameter urlParameter, UrlParameter urlParameter2) {
        AuthenticatedUserInfo authenticatedUserInfo;
        String str2;
        HttpServletRequest httpServletRequest = (HttpServletRequest) this.servletRequestProvider.get();
        LOGGER.debug("code and state parameter are present");
        synchronized (this.codeLock) {
            if (null == httpServletRequest.getSession().getAttribute(STATE_KEY)) {
                LOGGER.warn("Portal-148: Oauth2 unexpected login call with unknown state {}, redirecting to login", new Object[]{urlParameter2.getValue()});
                return Optional.empty();
            }
            if (urlParameter2.getValue().equals(httpServletRequest.getSession().getAttribute(STATE_KEY))) {
                LOGGER.debug("state parameter matches stored value");
                authenticatedUserInfo = (AuthenticatedUserInfo) httpServletRequest.getSession().getAttribute(AUTHENTICATED_USER_INFO_KEY);
            } else {
                LOGGER.debug("state parameter {} differs from stored value {}", new Object[]{urlParameter2.getValue(), httpServletRequest.getSession().getAttribute(STATE_KEY)});
                authenticatedUserInfo = null;
            }
            httpServletRequest.getSession().removeAttribute(STATE_KEY);
            String str3 = (String) httpServletRequest.getSession().getAttribute(SCOPES_KEY);
            if (null == str3) {
                str3 = str;
            }
            synchronized (this.codeLock) {
                str2 = (String) httpServletRequest.getSession().getAttribute(PKCE_CODE_KEY);
                httpServletRequest.getSession().removeAttribute(PKCE_CODE_KEY);
            }
            LOGGER.trace("handleTriggerAuthenticate codeVerifier: {}", new Object[]{str2});
            AuthenticatedUserInfo createAuthenticatedUserInfo = this.oauth2ServiceImpl.createAuthenticatedUserInfo(httpServletRequest, urlParameter, urlParameter2, str3, str2);
            if (null == createAuthenticatedUserInfo) {
                LOGGER.debug("unable to retrieve authenticated user info");
                throw new OauthAuthenticationException("system.exception.oauth.login");
            }
            LOGGER.debug("authenticated oauth user info was retrieved: {}", new Object[]{createAuthenticatedUserInfo});
            if (null == authenticatedUserInfo || !authenticatedUserInfo.isAuthenticated()) {
                LOGGER.debug("session user missing or not authenticated. invalidating session! (change session after login)");
                httpServletRequest.getSession().invalidate();
            }
            AuthenticatedUserInfo enrich = enrich(createAuthenticatedUserInfo);
            LOGGER.debug("adding oauth user to (new) session.");
            httpServletRequest.getSession().setAttribute(AUTHENTICATED_USER_INFO_KEY, enrich);
            return Optional.of(enrich);
        }
    }

    @Override // de.cuioss.portal.authentication.oauth.Oauth2AuthenticationFacade
    public String retrieveOauth2RedirectUrl(String str, String str2) {
        HttpServletRequest httpServletRequest = (HttpServletRequest) this.servletRequestProvider.get();
        Objects.requireNonNull(MoreStrings.emptyToNull(str));
        synchronized (this.codeLock) {
            if (null == httpServletRequest.getSession().getAttribute(STATE_KEY)) {
                httpServletRequest.getSession().setAttribute(STATE_KEY, new BigInteger(130, this.random).toString(32));
            }
        }
        String str3 = (String) httpServletRequest.getSession().getAttribute(STATE_KEY);
        String bigInteger = new BigInteger(130, this.random).toString(32);
        httpServletRequest.getSession().setAttribute(NONCE_KEY, bigInteger);
        httpServletRequest.getSession().setAttribute(SCOPES_KEY, str);
        synchronized (this.codeLock) {
            if (null == httpServletRequest.getSession().getAttribute(PKCE_CODE_KEY)) {
                httpServletRequest.getSession().setAttribute(PKCE_CODE_KEY, new BigInteger(260, this.random).toString(32));
                LOGGER.trace("retrieveOauth2RedirectUrl ---- NEW CODE");
            }
        }
        String str4 = (String) httpServletRequest.getSession().getAttribute(PKCE_CODE_KEY);
        LOGGER.trace("retrieveOauth2RedirectUrl code: {}", new Object[]{str4});
        try {
            String encodeToString = Base64.getUrlEncoder().withoutPadding().encodeToString(MessageDigest.getInstance("SHA-256").digest(str4.getBytes(StandardCharsets.US_ASCII)));
            LOGGER.trace("retrieveOauth2RedirectUrl code_challenge: {}", new Object[]{encodeToString});
            String encode = URLEncoder.encode(str, StandardCharsets.UTF_8);
            Oauth2Configuration oauth2Configuration = (Oauth2Configuration) this.configurationProvider.get();
            String str5 = oauth2Configuration.getAuthorizeUri().trim() + UrlParameter.createParameterString(false, new UrlParameter[]{new UrlParameter("response_type", "code", false), new UrlParameter("scope", encode, false), new UrlParameter(OidcRpInitiatedLogoutParams.CLIENT_ID, oauth2Configuration.getClientId().trim(), false), new UrlParameter(OidcRpInitiatedLogoutParams.STATE, str3, false), new UrlParameter("nonce", bigInteger, false), new UrlParameter("code_challenge", encodeToString, false), new UrlParameter("code_challenge_method", "S256", false), new UrlParameter(OidcRpInitiatedLogoutParams.ID_TOKEN_HINT, str2, false), new UrlParameter("redirect_uri", this.oauth2ServiceImpl.calcEncodedRedirectUrl(httpServletRequest.getContextPath() + ((String) this.loginUrl.get())), false)});
            LOGGER.debug("redirect url = {}", new Object[]{str5});
            return str5;
        } catch (NoSuchAlgorithmException e) {
            LOGGER.error(e, "Cannot generate code_challenge", new Object[0]);
            throw new IllegalStateException(e);
        }
    }

    @Override // de.cuioss.portal.authentication.oauth.Oauth2AuthenticationFacade
    public String retrieveOauth2RenewUrl() {
        HttpServletRequest httpServletRequest = (HttpServletRequest) this.servletRequestProvider.get();
        Optional<OauthAuthenticatedUserInfo> retrieveCurrentUserIfPresent = retrieveCurrentUserIfPresent(httpServletRequest);
        if (!retrieveCurrentUserIfPresent.isPresent()) {
            return null;
        }
        Token token = retrieveCurrentUserIfPresent.get().getToken();
        String str = (String) httpServletRequest.getSession().getAttribute(SCOPES_KEY);
        if (MoreStrings.isEmpty(str)) {
            str = retrieveCurrentUserIfPresent.get().getScopes();
        }
        if (MoreStrings.isEmpty(str)) {
            return null;
        }
        return (token == null || !checkToken(token, Integer.valueOf(retrieveCurrentUserIfPresent.get().getTokenTimestamp()))) ? retrieveOauth2RedirectUrl(str, null) : retrieveOauth2RedirectUrl(str, token.getId_token()) + "&prompt=none&response_mode=cors";
    }

    @Override // de.cuioss.portal.authentication.oauth.Oauth2AuthenticationFacade
    public String retrieveToken(String str) {
        Objects.requireNonNull(MoreStrings.emptyToNull((String) this.loginUrl.get()));
        Objects.requireNonNull(MoreStrings.emptyToNull(str));
        LOGGER.trace("retrieveToken for scopes: {}", new Object[]{str});
        Optional<OauthAuthenticatedUserInfo> retrieveCurrentUserIfPresent = retrieveCurrentUserIfPresent((HttpServletRequest) this.servletRequestProvider.get());
        String str2 = null;
        if (retrieveCurrentUserIfPresent.isPresent()) {
            LOGGER.debug("we have a user");
            String checkAndRetrieveToken = checkAndRetrieveToken(retrieveCurrentUserIfPresent.get(), str);
            if (null != checkAndRetrieveToken) {
                LOGGER.debug("accessToken present. returning accessToken.");
                return checkAndRetrieveToken;
            }
            Token token = retrieveCurrentUserIfPresent.get().getToken();
            if (token != null) {
                LOGGER.debug("CUI Token present. extracting idToken.");
                str2 = token.getId_token();
            } else {
                LOGGER.debug("No CUI Token available. Cannot set idToken.");
            }
        }
        CuiLogger cuiLogger = LOGGER;
        Object[] objArr = new Object[1];
        objArr[0] = Boolean.valueOf(null != str2);
        cuiLogger.debug("accessToken not present, redirecting to oauth server using idToken={}.", objArr);
        LOGGER.trace("using idToken: {}", new Object[]{str2});
        sendRedirect(str, str2);
        return null;
    }

    @Override // de.cuioss.portal.authentication.oauth.Oauth2AuthenticationFacade
    public String retrieveClientToken(String str) {
        return this.oauth2ServiceImpl.retrieveClientToken(str);
    }

    @Override // de.cuioss.portal.authentication.oauth.Oauth2AuthenticationFacade
    public String retrieveToken(AuthenticatedUserInfo authenticatedUserInfo, String str) {
        Objects.requireNonNull(authenticatedUserInfo);
        Objects.requireNonNull(MoreStrings.emptyToNull(str));
        return checkAndRetrieveToken(new OauthAuthenticatedUserInfo(authenticatedUserInfo), str);
    }

    @Override // de.cuioss.portal.authentication.oauth.Oauth2AuthenticationFacade
    public Map<String, Object> retrieveIdToken(AuthenticatedUserInfo authenticatedUserInfo) {
        Token token = new OauthAuthenticatedUserInfo(authenticatedUserInfo).getToken();
        if (null == token || MoreStrings.isEmpty(token.getId_token())) {
            return Collections.emptyMap();
        }
        String[] split = token.getId_token().split("\\.");
        if (split.length != 3) {
            LOGGER.info("idToken can not be splitted: {}", new Object[]{token.getId_token()});
            return Collections.emptyMap();
        }
        try {
            return (Map) new ObjectMapper().reader().forType(new TypeReference<Map<String, Object>>() { // from class: de.cuioss.portal.authentication.oauth.impl.Oauth2AuthenticationFacadeImpl.1
            }).readValue(Base64.getDecoder().decode(split[1]));
        } catch (IOException e) {
            LOGGER.info(e, "idToken {} can not be parsed", new Object[]{split[1]});
            return Collections.emptyMap();
        }
    }

    private static Optional<OauthAuthenticatedUserInfo> retrieveCurrentUserIfPresent(HttpServletRequest httpServletRequest) {
        HttpSession session = httpServletRequest.getSession(false);
        if (null != session) {
            try {
                return Optional.ofNullable(OauthAuthenticatedUserInfo.createOf((AuthenticatedUserInfo) session.getAttribute(AUTHENTICATED_USER_INFO_KEY)));
            } catch (IllegalStateException e) {
                LOGGER.debug("getAttribute failed: ", e);
            }
        }
        return Optional.empty();
    }

    @Override // de.cuioss.portal.authentication.oauth.Oauth2AuthenticationFacade
    public String retrieveRenewInterval() {
        Optional<OauthAuthenticatedUserInfo> retrieveCurrentUserIfPresent = retrieveCurrentUserIfPresent((HttpServletRequest) this.servletRequestProvider.get());
        if (!retrieveCurrentUserIfPresent.isPresent()) {
            return null;
        }
        try {
            return String.valueOf(((retrieveCurrentUserIfPresent.get().getTokenTimestamp() - ((int) (System.currentTimeMillis() / 1000))) + Integer.parseInt(retrieveCurrentUserIfPresent.get().getToken().getExpires_in())) - 10);
        } catch (NumberFormatException e) {
            LOGGER.debug("token.expires_in not a valid number", e);
            return null;
        }
    }

    @Override // de.cuioss.portal.authentication.oauth.Oauth2AuthenticationFacade
    public AuthenticatedUserInfo refreshUserinfo() {
        Token token;
        Optional<OauthAuthenticatedUserInfo> retrieveCurrentUserIfPresent = retrieveCurrentUserIfPresent((HttpServletRequest) this.servletRequestProvider.get());
        if (!retrieveCurrentUserIfPresent.isPresent() || null == (token = retrieveCurrentUserIfPresent.get().getToken())) {
            return null;
        }
        return this.oauth2ServiceImpl.retrieveAuthenticatedUser(retrieveCurrentUserIfPresent.get().getScopes(), token, retrieveCurrentUserIfPresent.get().getTokenTimestamp());
    }

    @Override // de.cuioss.portal.authentication.oauth.Oauth2AuthenticationFacade
    public String getLoginUrl() {
        return (String) this.loginUrl.get();
    }

    @Override // de.cuioss.portal.authentication.oauth.Oauth2AuthenticationFacade
    public String retrieveClientLogoutUrl(Set<UrlParameter> set) {
        Oauth2Configuration oauth2Configuration = (Oauth2Configuration) this.configurationProvider.get();
        if (MoreStrings.isEmpty(oauth2Configuration.getLogoutUri())) {
            String formatted = "Portal-160: Missing config for logout URI. Check the end_session_endpoint property from userinfo endpoint.".formatted(new Object[0]);
            LOGGER.warn(formatted);
            throw new IllegalStateException(formatted);
        }
        CollectionBuilder copyFrom = CollectionBuilder.copyFrom(set);
        if (oauth2Configuration.isLogoutWithIdTokenHintEnabled()) {
            Stream map = copyFrom.stream().map((v0) -> {
                return v0.getName();
            });
            String str = OidcRpInitiatedLogoutParams.ID_TOKEN_HINT;
            if (map.noneMatch((v1) -> {
                return r1.equals(v1);
            })) {
                LOGGER.debug("Adding id-token-hint as recommended by spec.");
                Optional<U> map2 = getIdTokenFromCurrentUser().map(OidcRpInitiatedLogoutParams::getIdTokenHintUrlParam);
                Objects.requireNonNull(copyFrom);
                map2.ifPresent(copyFrom::add);
            }
        }
        String str2 = oauth2Configuration.getLogoutUri() + UrlParameter.createParameterString((UrlParameter[]) copyFrom.toArray(UrlParameter.class));
        LOGGER.trace("logoutUrl: {}", new Object[]{str2});
        return str2;
    }

    private Optional<String> getIdTokenFromCurrentUser() {
        Optional<OauthAuthenticatedUserInfo> retrieveCurrentUserIfPresent = retrieveCurrentUserIfPresent((HttpServletRequest) this.servletRequestProvider.get());
        if (retrieveCurrentUserIfPresent.isPresent()) {
            return retrieveCurrentUserIfPresent.get().getIdToken();
        }
        LOGGER.warn("could not get id-token. no user context available.");
        return Optional.empty();
    }

    private String checkAndRetrieveToken(OauthAuthenticatedUserInfo oauthAuthenticatedUserInfo, String str) {
        Token token = oauthAuthenticatedUserInfo.getToken();
        if (!checkToken(token, Integer.valueOf(oauthAuthenticatedUserInfo.getTokenTimestamp()))) {
            if (MoreStrings.isEmpty(token.getRefresh_token())) {
                return null;
            }
            LOGGER.debug("AccessToken expired, but RefreshToken present; trying to use it to get a new access token");
            return this.oauth2ServiceImpl.refreshToken(oauthAuthenticatedUserInfo);
        }
        LOGGER.debug("token is valid.");
        boolean z = true;
        List splitToList = Splitter.on(' ').omitEmptyStrings().splitToList(oauthAuthenticatedUserInfo.getScopes());
        Iterator it = Splitter.on(' ').omitEmptyStrings().splitToList(str).iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            String str2 = (String) it.next();
            if (!splitToList.contains(str2)) {
                z = false;
                LOGGER.debug("Missing scope: {}", new Object[]{str2});
                break;
            }
        }
        if (z) {
            return token.getAccess_token();
        }
        return null;
    }

    private static boolean checkToken(Token token, Integer num) {
        if (null == token) {
            return false;
        }
        if (MoreStrings.isEmpty(token.getExpires_in())) {
            LOGGER.trace("token has no expiration. token is valid!");
            return true;
        }
        try {
            boolean z = (num.intValue() + Integer.parseInt(token.getExpires_in())) - 10 > ((int) (System.currentTimeMillis() / 1000));
            LOGGER.trace("checked expire time. token valid?: {}", new Object[]{Boolean.valueOf(z)});
            return z;
        } catch (NumberFormatException e) {
            LOGGER.warn("Portal-149: Oauth2 token.expires_in not a valid number", e);
            return false;
        }
    }

    public AuthenticationSource getAuthenticationSource() {
        return AuthenticationSource.OPEN_ID_CONNECT;
    }
}
