package io.vertx.ext.web.handler.impl;

import com.nimbusds.oauth2.sdk.http.HTTPResponse;
import io.vertx.core.AsyncResult;
import io.vertx.core.Future;
import io.vertx.core.Handler;
import io.vertx.core.Vertx;
import io.vertx.core.http.HttpHeaders;
import io.vertx.core.http.HttpMethod;
import io.vertx.core.impl.logging.Logger;
import io.vertx.core.impl.logging.LoggerFactory;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.User;
import io.vertx.ext.auth.VertxContextPRNG;
import io.vertx.ext.auth.authentication.TokenCredentials;
import io.vertx.ext.auth.oauth2.OAuth2Auth;
import io.vertx.ext.auth.oauth2.Oauth2Credentials;
import io.vertx.ext.web.Route;
import io.vertx.ext.web.RoutingContext;
import io.vertx.ext.web.Session;
import io.vertx.ext.web.handler.AuthenticationHandler;
import io.vertx.ext.web.handler.HttpException;
import io.vertx.ext.web.handler.OAuth2AuthHandler;
import io.vertx.ext.web.handler.impl.HTTPAuthorizationHandler;
import io.vertx.ext.web.impl.Origin;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.core.endpoint.PkceParameterNames;
import org.springframework.security.oauth2.core.oidc.OidcScopes;

/* loaded from: input_file:BOOT-INF/lib/vertx-web-4.2.5.jar:io/vertx/ext/web/handler/impl/OAuth2AuthHandlerImpl.class */
public class OAuth2AuthHandlerImpl extends HTTPAuthorizationHandler<OAuth2Auth> implements OAuth2AuthHandler, ScopedAuthentication<OAuth2AuthHandler> {
    private final VertxContextPRNG prng;
    private final Origin callbackURL;
    private final MessageDigest sha256;
    private final List<String> scopes;
    private final boolean openId;
    private JsonObject extraParams;
    private String prompt;
    private int pkce;
    private boolean bearerOnly;
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) OAuth2AuthHandlerImpl.class);
    private static final Set<String> OPENID_SCOPES = new HashSet();

    public OAuth2AuthHandlerImpl(Vertx vertx, OAuth2Auth oAuth2Auth, String str) {
        this(vertx, oAuth2Auth, str, null);
    }

    public OAuth2AuthHandlerImpl(Vertx vertx, OAuth2Auth oAuth2Auth, String str, String str2) {
        super(oAuth2Auth, HTTPAuthorizationHandler.Type.BEARER, str2);
        this.pkce = -1;
        this.bearerOnly = true;
        this.prng = VertxContextPRNG.current(vertx);
        try {
            this.sha256 = MessageDigest.getInstance("SHA-256");
            if (str != null) {
                this.callbackURL = Origin.parse(str);
            } else {
                this.callbackURL = null;
            }
            this.scopes = new ArrayList();
            this.openId = false;
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("Cannot get instance of SHA-256 MessageDigest", e);
        }
    }

    private OAuth2AuthHandlerImpl(OAuth2AuthHandlerImpl oAuth2AuthHandlerImpl, List<String> list) {
        super(oAuth2AuthHandlerImpl.authProvider, HTTPAuthorizationHandler.Type.BEARER, oAuth2AuthHandlerImpl.realm);
        this.pkce = -1;
        this.bearerOnly = true;
        this.prng = oAuth2AuthHandlerImpl.prng;
        this.callbackURL = oAuth2AuthHandlerImpl.callbackURL;
        this.prompt = oAuth2AuthHandlerImpl.prompt;
        this.pkce = oAuth2AuthHandlerImpl.pkce;
        this.bearerOnly = oAuth2AuthHandlerImpl.bearerOnly;
        try {
            this.sha256 = MessageDigest.getInstance("SHA-256");
            if (oAuth2AuthHandlerImpl.extraParams != null) {
                this.extraParams = this.extraParams.copy();
            }
            this.scopes = list;
            this.openId = list != null && list.contains(OidcScopes.OPENID);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("Cannot get instance of SHA-256 MessageDigest", e);
        }
    }

    @Override // io.vertx.ext.web.handler.impl.AuthenticationHandlerInternal
    public void authenticate(RoutingContext routingContext, Handler<AsyncResult<User>> handler) {
        parseAuthorization(routingContext, !this.bearerOnly, asyncResult -> {
            if (asyncResult.failed()) {
                handler.handle(Future.failedFuture(asyncResult.cause()));
                return;
            }
            String str = (String) asyncResult.result();
            if (str != null) {
                this.authProvider.authenticate(this.scopes.size() > 0 ? new TokenCredentials(str).setScopes(this.scopes) : new TokenCredentials(str), asyncResult -> {
                    if (asyncResult.failed()) {
                        handler.handle(Future.failedFuture(new HttpException(HTTPResponse.SC_UNAUTHORIZED, asyncResult.cause())));
                    } else {
                        handler.handle(asyncResult);
                    }
                });
                return;
            }
            if (this.bearerOnly) {
                handler.handle(Future.failedFuture("callback route is not configured."));
                return;
            }
            if (routingContext.request().method() == HttpMethod.GET && routingContext.normalizedPath().equals(this.callbackURL.resource())) {
                LOG.warn("The callback route is shaded by the OAuth2AuthHandler, ensure the callback route is added BEFORE the OAuth2AuthHandler route!");
                handler.handle(Future.failedFuture(new HttpException(500, "Infinite redirect loop [oauth2 callback]")));
                return;
            }
            if (routingContext.request().method() != HttpMethod.GET) {
                LOG.error("OAuth2 redirect attempt to non GET resource");
                routingContext.fail(405, new IllegalStateException("OAuth2 redirect attempt to non GET resource"));
                return;
            }
            String uri = routingContext.request().uri();
            String str2 = null;
            String str3 = null;
            Session session = routingContext.session();
            if (session != null) {
                session.put(OAuth2ParameterNames.REDIRECT_URI, routingContext.request().uri());
                str2 = this.prng.nextString(6);
                session.put(OAuth2ParameterNames.STATE, str2);
                if (this.pkce > 0) {
                    str3 = this.prng.nextString(this.pkce);
                    session.put("pkce", str3);
                }
            } else if (this.pkce > 0) {
                routingContext.fail(500, new IllegalStateException("OAuth2 PKCE requires a session to be present"));
                return;
            }
            handler.handle(Future.failedFuture(new HttpException(HTTPResponse.SC_FOUND, authURI(uri, str2, str3))));
        });
    }

    private String authURI(String str, String str2, String str3) {
        JsonObject jsonObject = new JsonObject();
        if (this.extraParams != null) {
            jsonObject.mergeIn(this.extraParams);
        }
        jsonObject.put(OAuth2ParameterNames.STATE, str2 != null ? str2 : str);
        if (this.callbackURL != null) {
            jsonObject.put(OAuth2ParameterNames.REDIRECT_URI, this.callbackURL.href());
        }
        if (this.scopes.size() > 0) {
            jsonObject.put("scopes", this.scopes);
        }
        if (this.prompt != null) {
            jsonObject.put("prompt", this.prompt);
        }
        if (str3 != null) {
            synchronized (this.sha256) {
                this.sha256.update(str3.getBytes(StandardCharsets.US_ASCII));
                jsonObject.put(PkceParameterNames.CODE_CHALLENGE, this.sha256.digest()).put(PkceParameterNames.CODE_CHALLENGE_METHOD, "S256");
            }
        }
        return this.authProvider.authorizeURL(jsonObject);
    }

    @Override // io.vertx.ext.web.handler.OAuth2AuthHandler
    public OAuth2AuthHandler extraParams(JsonObject jsonObject) {
        this.extraParams = jsonObject;
        return this;
    }

    @Override // io.vertx.ext.web.handler.impl.ScopedAuthentication
    public OAuth2AuthHandler withScope(String str) {
        ArrayList arrayList = new ArrayList(this.scopes);
        arrayList.add(str);
        return new OAuth2AuthHandlerImpl(this, arrayList);
    }

    @Override // io.vertx.ext.web.handler.OAuth2AuthHandler, io.vertx.ext.web.handler.impl.ScopedAuthentication
    public OAuth2AuthHandler withScopes(List<String> list) {
        return new OAuth2AuthHandlerImpl(this, list);
    }

    @Override // io.vertx.ext.web.handler.OAuth2AuthHandler
    public OAuth2AuthHandler prompt(String str) {
        this.prompt = str;
        return this;
    }

    @Override // io.vertx.ext.web.handler.OAuth2AuthHandler
    public OAuth2AuthHandler pkceVerifierLength(int i) {
        if (i >= 0 && (i < 43 || i > 128)) {
            throw new IllegalArgumentException("Length must be between 34 and 128");
        }
        this.pkce = i;
        return this;
    }

    @Override // io.vertx.ext.web.handler.OAuth2AuthHandler
    public OAuth2AuthHandler setupCallback(Route route) {
        if (this.callbackURL == null) {
            throw new IllegalStateException("OAuth2AuthHandler was created without a origin/callback URL");
        }
        String path = route.getPath();
        if (path == null) {
            throw new IllegalStateException("OAuth2AuthHandler callback route created without a path");
        }
        String resource = this.callbackURL.resource();
        if (resource != null && !"".equals(resource) && !resource.endsWith(path) && LOG.isWarnEnabled()) {
            LOG.warn("callback route doesn't match OAuth2AuthHandler origin configuration");
        }
        route.method(HttpMethod.GET);
        route.handler(routingContext -> {
            String str;
            int i;
            String param = routingContext.request().getParam("error");
            if (param == null) {
                String param2 = routingContext.request().getParam(OAuth2ParameterNames.CODE);
                if (param2 == null) {
                    routingContext.fail(HTTPResponse.SC_BAD_REQUEST, new IllegalStateException("Missing code parameter"));
                    return;
                }
                Oauth2Credentials code = new Oauth2Credentials().setCode(param2);
                String param3 = routingContext.request().getParam(OAuth2ParameterNames.STATE);
                if (param3 == null) {
                    routingContext.fail(HTTPResponse.SC_BAD_REQUEST, new IllegalStateException("Missing IdP state parameter to the callback endpoint"));
                    return;
                }
                Session session = routingContext.session();
                if (session == null) {
                    str = param3;
                } else if (!param3.equals((String) session.remove(OAuth2ParameterNames.STATE))) {
                    routingContext.fail(HTTPResponse.SC_UNAUTHORIZED, new IllegalStateException("Invalid oauth2 state"));
                    return;
                } else {
                    code.setCodeVerifier((String) session.remove("pkce"));
                    str = (String) session.get(OAuth2ParameterNames.REDIRECT_URI);
                }
                code.setRedirectUri(this.callbackURL.href());
                String str2 = str;
                this.authProvider.authenticate(code, asyncResult -> {
                    if (asyncResult.failed()) {
                        routingContext.fail(asyncResult.cause());
                        return;
                    }
                    routingContext.setUser((User) asyncResult.result());
                    String str3 = str2 != null ? str2 : "/";
                    if (session != null) {
                        session.regenerateId();
                    } else if (str3.length() != 0 && str3.charAt(0) == '/') {
                        routingContext.reroute(str3);
                        return;
                    }
                    routingContext.response().putHeader(HttpHeaders.CACHE_CONTROL, "no-cache, no-store, must-revalidate").putHeader("Pragma", "no-cache").putHeader(HttpHeaders.EXPIRES, "0").putHeader(HttpHeaders.LOCATION, str3).setStatusCode(HTTPResponse.SC_FOUND).end("Redirecting to " + str3 + ".");
                });
                return;
            }
            boolean z = -1;
            switch (param.hashCode()) {
                case -835880527:
                    if (param.equals(OAuth2ErrorCodes.INVALID_TOKEN)) {
                        z = false;
                        break;
                    }
                    break;
                case 1716859672:
                    if (param.equals(OAuth2ErrorCodes.INSUFFICIENT_SCOPE)) {
                        z = true;
                        break;
                    }
                    break;
                case 2117379143:
                    if (param.equals("invalid_request")) {
                        z = 2;
                        break;
                    }
                    break;
            }
            switch (z) {
                case false:
                    i = 401;
                    break;
                case true:
                    i = 403;
                    break;
                case true:
                default:
                    i = 400;
                    break;
            }
            String param4 = routingContext.request().getParam(OAuth2ParameterNames.ERROR_DESCRIPTION);
            if (param4 != null) {
                routingContext.fail(i, new IllegalStateException(param + ": " + param4));
            } else {
                routingContext.fail(i, new IllegalStateException(param));
            }
        });
        this.bearerOnly = false;
        return this;
    }

    @Override // io.vertx.ext.web.handler.impl.AuthenticationHandlerInternal
    public void postAuthentication(RoutingContext routingContext) {
        String string;
        if (this.scopes != null && this.scopes.size() > 0) {
            User user = routingContext.user();
            if (user == null) {
                routingContext.fail(HTTPResponse.SC_FORBIDDEN, new IllegalStateException("no user in the context"));
                return;
            }
            if (user.principal().containsKey("scope") && (string = user.principal().getString("scope")) != null) {
                for (String str : this.scopes) {
                    if (!this.openId || !OPENID_SCOPES.contains(str)) {
                        int indexOf = string.indexOf(str);
                        if (indexOf == -1) {
                            routingContext.fail(HTTPResponse.SC_FORBIDDEN, new IllegalStateException("principal scope != handler scopes"));
                            return;
                        } else if ((indexOf != 0 && string.charAt(indexOf - 1) != ' ') || (indexOf + str.length() != string.length() && string.charAt(indexOf + str.length()) != ' ')) {
                            routingContext.fail(HTTPResponse.SC_FORBIDDEN, new IllegalStateException("principal scope != handler scopes"));
                            return;
                        }
                    }
                }
            }
        }
        routingContext.next();
    }

    @Override // io.vertx.ext.web.handler.impl.AuthenticationHandlerInternal
    public boolean performsRedirect() {
        return (this.bearerOnly && this.callbackURL == null) ? false : true;
    }

    @Override // io.vertx.ext.web.handler.impl.ScopedAuthentication
    public /* bridge */ /* synthetic */ AuthenticationHandler withScopes(List list) {
        return withScopes((List<String>) list);
    }

    static {
        OPENID_SCOPES.add(OidcScopes.OPENID);
        OPENID_SCOPES.add("profile");
        OPENID_SCOPES.add("email");
        OPENID_SCOPES.add(OidcScopes.PHONE);
        OPENID_SCOPES.add("offline");
    }
}
