package edu.internet2.middleware.grouper.authentication;

import com.nimbusds.oauth2.sdk.AuthorizationCode;
import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.ResponseType;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.SerializeException;
import com.nimbusds.oauth2.sdk.TokenErrorResponse;
import com.nimbusds.oauth2.sdk.TokenRequest;
import com.nimbusds.oauth2.sdk.TokenResponse;
import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.State;
import com.nimbusds.oauth2.sdk.token.AccessToken;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.openid.connect.sdk.AuthenticationRequest;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
import com.nimbusds.openid.connect.sdk.UserInfoRequest;
import com.nimbusds.openid.connect.sdk.UserInfoResponse;
import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
import edu.internet2.middleware.grouper.GrouperSession;
import edu.internet2.middleware.grouper.SubjectFinder;
import edu.internet2.middleware.grouper.cfg.GrouperConfig;
import edu.internet2.middleware.grouper.exception.GrouperSessionException;
import edu.internet2.middleware.grouper.misc.GrouperSessionHandler;
import edu.internet2.middleware.grouper.pit.PITPermissionAllView;
import edu.internet2.middleware.grouper.subj.SubjectHelper;
import edu.internet2.middleware.grouper.util.GrouperProxyBean;
import edu.internet2.middleware.grouper.util.GrouperUtil;
import edu.internet2.middleware.subject.Subject;
import java.io.File;
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.TreeMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import net.minidev.json.JSONObject;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang.exception.ExceptionUtils;
import org.apache.commons.logging.Log;

/* loaded from: input_file:WEB-INF/lib/grouper-4.0.2.jar:edu/internet2/middleware/grouper/authentication/GrouperOidc.class */
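/**
 * Resolves a Grouper {@link Subject} from an OIDC authorization code carried in a bearer token
 * header. {@link #decode()} runs the steps in order: parse the header, exchange the code for an
 * access token at the configured token endpoint, fetch the userinfo claims with that token, and
 * look the subject up by the configured claim.
 *
 * <p>Not thread-safe: one instance accumulates state (tokens, claims, subject, {@link #debugMap})
 * across those steps. Create a new instance per request.
 */
public class GrouperOidc {
    private static final Log LOG = GrouperUtil.getLog(GrouperOidc.class);

    /** {@code Bearer oidc_<externalSystemConfigId>_<authorizationCode>}. */
    private static final Pattern BEARER_TOKEN_PATTERN = Pattern.compile("^[bB]earer oidc_([^_]+)_(.+)$");

    /** {@code Bearer oidcWithRedirectUri_<externalSystemConfigId>_<base64RedirectUri>_<authorizationCode>}. */
    private static final Pattern BEARER_TOKEN_PATTERN_WITH_REDIRECT = Pattern.compile("^[bB]earer oidcWithRedirectUri_([^_]+)_([^_]+)_(.+)$");

    /** Authorization code taken from the header (or {@link #assignAuthorizationCode}). */
    private String oidcCodeString;

    /** redirect_uri sent with the code exchange; header-supplied value wins over the configured one. */
    private String redirectUri;

    private GrouperOidcConfig grouperOidcConfig;

    /** Userinfo claims as strings, keyed by claim name; filled by {@link #decodeAccessToken()}. */
    private Map<String, String> accessTokenAttributes;

    private AccessToken accessTokenObject;

    /** When true, the external system must be enabled for WS or the header is rejected. */
    private boolean ws;

    private String bearerTokenHeader = null;
    private GrouperOidcResult grouperOidcResult = null;
    private String accessToken = null;

    /** Diagnostics written to the log at the end of {@link #decode()}. */
    private Map<String, Object> debugMap = new LinkedHashMap<>();

    private Subject subject = null;

    /**
     * Developer harness, not a production entry point: overrides the OIDC config from files under a
     * hard-coded workstation directory, then decodes the code read from {@code oidcCode.txt}.
     *
     * @param strArr ignored
     */
    public static void main(String[] strArr) {
        overrideConfig("grouper.oidcExternalSystem.testOidcExt.userInfoUri", readOidcTestFile("userInfoUri.txt"));
        overrideConfig("grouper.oidcExternalSystem.testOidcExt.clientId", readOidcTestFile("clientId.txt"));
        overrideConfig("grouper.oidcExternalSystem.testOidcExt.clientSecret", readOidcTestFile("clientSecretEncrypted.txt"));
        overrideConfig("grouper.oidcExternalSystem.testOidcExt.tokenEndpointUri", readOidcTestFile("tokenEndpointUri.txt"));
        overrideConfig("grouper.oidc.testOidc.oidcExternalSystemConfigId", "testOidcExt");
        overrideConfig("grouper.oidc.testOidc.redirectUri", readOidcTestFile("redirectUri.txt"));
        overrideConfig("grouper.oidc.testOidc.scope", readOidcTestFile("scope.txt"));
        overrideConfig("grouper.oidc.testOidc.subjectSourceId", "pennperson");
        overrideConfig("grouper.oidc.testOidc.subjectIdType", "subjectId");
        overrideConfig("grouper.oidc.testOidc.subjectIdClaimName", "employee_number");
        GrouperOidc grouperOidc = new GrouperOidc();
        grouperOidc.assignBearerTokenHeader("Bearer oidc_testOidc_" + readOidcTestFile("oidcCode.txt"));
        System.out.println(SubjectHelper.getPretty(grouperOidc.decode()));
    }

    /** Puts one key/value into the Grouper config override map (harness helper for {@link #main}). */
    private static void overrideConfig(String key, String value) {
        GrouperConfig.retrieveConfig().propertiesOverrideMap().put(key, value);
    }

    /** Reads a file from the harness directory used by {@link #main}; the path exists only on the original author's machine. */
    private static String readOidcTestFile(String fileName) {
        return GrouperUtil.readFileIntoString(new File("C:\\git\\grouper_prod\\grouper\\temp\\oidc\\" + fileName));
    }

    /**
     * Sets the raw {@code Authorization} header value to decode.
     *
     * @param str header value in one of the two supported {@code Bearer oidc...} forms
     * @return this, for chaining
     */
    public GrouperOidc assignBearerTokenHeader(String str) {
        this.bearerTokenHeader = str;
        return this;
    }

    /** @return the header-level failure reason set by {@link #retrieveCodeFromHeader()}, or null if none */
    public GrouperOidcResult getGrouperOidcResult() {
        return this.grouperOidcResult;
    }

    /** @return the access token value obtained by {@link #retrieveAccessToken()} (or set explicitly) */
    public String getAccessToken() {
        return this.accessToken;
    }

    /** @param str access token value; note this does not populate the token object used by {@link #decodeAccessToken()} */
    public void setAccessToken(String str) {
        this.accessToken = str;
    }

    /**
     * Calls the userinfo endpoint with the access token and stores every returned claim as a string
     * in {@link #accessTokenAttributes}.
     *
     * @throws RuntimeException on an error response, a parse failure, or an I/O/serialization failure
     *         (the cause is preserved where there is one)
     */
    public void decodeAccessToken() {
        try {
            // Cast assumes the token endpoint issued a bearer token; anything else would fail here.
            HTTPRequest userInfoRequest = new UserInfoRequest(this.grouperOidcConfig.getUserInfoUri(), (BearerAccessToken) this.accessTokenObject).toHTTPRequest();
            // NOTE(review): the proxy decision is keyed on the token endpoint URI although this
            // request goes to the userinfo URI; retrieveAccessToken keys on the request target.
            // Confirm whether proxyConfig uses the URL for host-based bypass before changing.
            GrouperProxyBean proxyConfig = GrouperProxyBean.proxyConfig(this.grouperOidcConfig.getProxyType(), this.grouperOidcConfig.getProxyUrl(), this.grouperOidcConfig.getTokenEndpointUri().toString());
            if (proxyConfig != null) {
                userInfoRequest.setProxy(proxyConfig.retrieveProxy());
            }
            try {
                UserInfoResponse userInfoResponse = UserInfoResponse.parse(userInfoRequest.send());
                if (userInfoResponse instanceof UserInfoErrorResponse) {
                    throw new RuntimeException("Error: " + ((UserInfoErrorResponse) userInfoResponse).getErrorObject().toString());
                }
                JSONObject claims = ((UserInfoSuccessResponse) userInfoResponse).getUserInfo().toJSONObject();
                // TreeMap so the claims appear in a stable order in diagnostics.
                Map<String, String> attributes = new TreeMap<>();
                for (String claimName : claims.keySet()) {
                    attributes.put(claimName, claims.getAsString(claimName));
                }
                this.accessTokenAttributes = attributes;
            } catch (ParseException e) {
                throw new RuntimeException(e);
            }
        } catch (SerializeException | IOException e2) {
            throw new RuntimeException(e2);
        }
    }

    /**
     * Exchanges the authorization code for an access token at the configured token endpoint using
     * client_secret_basic authentication, storing the token in {@link #accessToken} and
     * {@link #accessTokenObject}.
     *
     * <p>The redirect_uri in the grant is the header-supplied value when present, else the
     * configured one; the authorization server is expected to reject a value that differs from the
     * one used in the authorization request.
     *
     * @throws RuntimeException if a required input is missing, the token endpoint returns an
     *         error, or the request fails
     */
    public void retrieveAccessToken() {
        GrouperUtil.assertion(this.grouperOidcConfig != null, "config is required");
        GrouperUtil.assertion(!StringUtils.isBlank(this.oidcCodeString), "code is required");
        GrouperUtil.assertion(!StringUtils.isBlank(this.grouperOidcConfig.getClientId()), "clientId is required");
        GrouperUtil.assertion(!StringUtils.isBlank(this.grouperOidcConfig.getClientSecret()), "clientSecret is required");
        String effectiveRedirectUri = this.redirectUri;
        if (StringUtils.isBlank(effectiveRedirectUri)) {
            effectiveRedirectUri = this.grouperOidcConfig.getRedirectUri();
        }
        GrouperUtil.assertion(!StringUtils.isBlank(effectiveRedirectUri), "redirectUri is required");
        GrouperUtil.assertion(this.grouperOidcConfig.getTokenEndpointUri() != null, "tokenEndpoint is required");
        try {
            AuthorizationCodeGrant grant = new AuthorizationCodeGrant(new AuthorizationCode(this.oidcCodeString), new URI(effectiveRedirectUri));
            ClientSecretBasic clientAuth = new ClientSecretBasic(new ClientID(this.grouperOidcConfig.getClientId()), new Secret(this.grouperOidcConfig.getClientSecret()));
            URI tokenEndpointUri = this.grouperOidcConfig.getTokenEndpointUri();
            HTTPRequest tokenHttpRequest = new TokenRequest(tokenEndpointUri, clientAuth, grant).toHTTPRequest();
            GrouperProxyBean proxyConfig = GrouperProxyBean.proxyConfig(this.grouperOidcConfig.getProxyType(), this.grouperOidcConfig.getProxyUrl(), tokenEndpointUri.toString());
            if (proxyConfig != null) {
                tokenHttpRequest.setProxy(proxyConfig.retrieveProxy());
            }
            TokenResponse tokenResponse = TokenResponse.parse(tokenHttpRequest.send());
            boolean success = tokenResponse.indicatesSuccess();
            this.debugMap.put("tokenServiceSuccess", Boolean.valueOf(success));
            if (!success) {
                TokenErrorResponse errorResponse = tokenResponse.toErrorResponse();
                String errorText = errorResponse.getErrorObject().getHTTPStatusCode() + ": " + errorResponse.getErrorObject().getDescription();
                this.debugMap.put("tokenServiceError", errorText);
                throw new RuntimeException(errorText);
            }
            AccessToken issuedToken = tokenResponse.toSuccessResponse().getTokens().getAccessToken();
            this.accessToken = issuedToken.getValue();
            this.accessTokenObject = issuedToken;
            // Only a prefix of the token goes into diagnostics.
            this.debugMap.put("accessToken", StringUtils.abbreviate(this.accessToken, 8));
        } catch (RuntimeException e) {
            throw e;
        } catch (Exception e2) {
            throw new RuntimeException("error", e2);
        }
    }

    /**
     * Runs the full flow: header parsing, code exchange, userinfo retrieval and subject lookup.
     * Timing and diagnostics are written to the log whether or not the flow succeeds (error level
     * when an exception was recorded, debug level otherwise).
     *
     * @return the resolved subject, or null if no subject matched the claims
     * @throws RuntimeException propagated from any step (checked exceptions are wrapped)
     */
    public Subject decode() {
        long startNanos = System.nanoTime();
        try {
            retrieveCodeFromHeader();
            retrieveAccessToken();
            decodeAccessToken();
            findSubject();
            return this.subject;
        } catch (RuntimeException e) {
            this.debugMap.put("exception", ExceptionUtils.getFullStackTrace(e));
            throw e;
        } catch (Exception e) {
            this.debugMap.put("exception", ExceptionUtils.getFullStackTrace(e));
            throw new RuntimeException(e);
        } finally {
            this.debugMap.put("tookMs", Long.valueOf((System.nanoTime() - startNanos) / 1000000));
            logDebugMap();
        }
    }

    /** Writes {@link #debugMap} at error level if an exception was recorded, else at debug level. */
    private void logDebugMap() {
        if (this.debugMap.get("exception") != null) {
            LOG.error(GrouperUtil.mapToString(this.debugMap));
        } else if (LOG.isDebugEnabled()) {
            LOG.debug(GrouperUtil.mapToString(this.debugMap));
        }
    }

    /**
     * Loads the OIDC config for the given external system config id.
     *
     * @param str external system config id (first capture group of the bearer header)
     * @return this, for chaining
     * @throws RuntimeException if no config exists for that id
     */
    public GrouperOidc assignExternalSystemConfigId(String str) {
        this.grouperOidcConfig = GrouperOidcConfig.retrieveFromConfigOrCache(str);
        if (this.grouperOidcConfig == null) {
            throw new RuntimeException("Cant find oidc config: '" + str + "'");
        }
        return this;
    }

    /**
     * Parses {@link #bearerTokenHeader} into config id, authorization code and (optionally) a
     * base64-encoded redirect URI, and loads the matching config.
     *
     * @throws RuntimeException if the header is missing, matches neither pattern, names an unknown
     *         config, or names a config not enabled for WS while {@link #ws} is set; the first two
     *         cases also set {@link #grouperOidcResult}
     */
    private void retrieveCodeFromHeader() {
        if (StringUtils.isBlank(this.bearerTokenHeader)) {
            this.grouperOidcResult = GrouperOidcResult.ERROR_MISSING_TOKEN;
            throw new RuntimeException("bearerTokenHeader is required");
        }
        // NOTE(review): 50 characters of the header covers the fixed prefix plus part of the
        // authorization code, so a failed decode logs a code fragment at error level.
        this.debugMap.put("bearerTokenHeader", StringUtils.abbreviate(this.bearerTokenHeader, 50));
        boolean withRedirect = false;
        Matcher matcher = BEARER_TOKEN_PATTERN.matcher(this.bearerTokenHeader);
        if (!matcher.matches()) {
            matcher = BEARER_TOKEN_PATTERN_WITH_REDIRECT.matcher(this.bearerTokenHeader);
            withRedirect = true;
            if (!matcher.matches()) {
                this.grouperOidcResult = GrouperOidcResult.ERROR_TOKEN_INVALID;
                throw new RuntimeException("bearerTokenHeader is invalid!");
            }
        }
        this.debugMap.put("uriPattern", Boolean.valueOf(withRedirect));
        String configId = matcher.group(1);
        assignExternalSystemConfigId(configId);
        if (this.ws && !this.grouperOidcConfig.isWs()) {
            throw new RuntimeException(configId + " is not enabled for ws in the external system.");
        }
        this.oidcCodeString = matcher.group(withRedirect ? 3 : 2);
        this.debugMap.put("oidcCode", StringUtils.abbreviate(this.oidcCodeString, 8));
        if (withRedirect) {
            // Client-supplied value; it is only forwarded as redirect_uri in the code exchange,
            // where the authorization server checks it against the original request.
            // Decoded as UTF-8 explicitly rather than with the platform default charset.
            this.redirectUri = new String(Base64.decodeBase64(matcher.group(2)), StandardCharsets.UTF_8);
        } else {
            this.redirectUri = this.grouperOidcConfig.getRedirectUri();
        }
        this.debugMap.put("redirectUri", this.redirectUri);
    }

    /**
     * Builds the authorization-endpoint URL for the configured client, scope and response type.
     *
     * <p>A fresh {@link State} and {@link Nonce} are generated for the request but not retained by
     * this class, so callers cannot check them on the callback through this object.
     *
     * @return the authentication request URI as a string
     * @throws RuntimeException wrapping any failure to build the request
     */
    public String generateLoginUrl() {
        try {
            AuthenticationRequest request = new AuthenticationRequest(
                    this.grouperOidcConfig.getAuthorizationEndpointUri(),
                    new ResponseType(this.grouperOidcConfig.getResponseType()),
                    Scope.parse(this.grouperOidcConfig.getScope()),
                    new ClientID(this.grouperOidcConfig.getClientId()),
                    new URI(this.grouperOidcConfig.getRedirectUri()),
                    new State(),
                    new Nonce());
            return request.toURI().toString();
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /** @return the configured OIDC response type */
    public String retrieveResponseType() {
        return this.grouperOidcConfig.getResponseType();
    }

    /**
     * Returns the value of the configured subject id claim from the userinfo attributes.
     *
     * @return the claim value (may be null), or null if no claim name is configured
     */
    public String findSubjectClaim() {
        String claimName = this.grouperOidcConfig.getSubjectIdClaimName();
        if (StringUtils.isBlank(claimName)) {
            return null;
        }
        this.debugMap.put("subjectIdClaimName", claimName);
        return this.accessTokenAttributes.get(claimName);
    }

    /**
     * Looks the subject up from the userinfo claims inside a root Grouper session and stores the
     * result in {@link #subject}.
     *
     * <p>Lookups run by id, then by identifier, then by id-or-identifier; each runs only when it
     * resolves to a claim name (see {@link #claimNameForIdType}) and the claim has a value. A later
     * lookup overwrites the result of an earlier one, including with null.
     *
     * @return the subject found, or null
     */
    public Subject findSubject() {
        GrouperSession.internal_callbackRootGrouperSession(new GrouperSessionHandler() {
            @Override
            public Object callback(GrouperSession grouperSession) throws GrouperSessionException {
                lookupSubjectFromClaims();
                return null;
            }
        });
        return this.subject;
    }

    /** Body of {@link #findSubject()}; runs inside the root session callback. */
    private void lookupSubjectFromClaims() {
        String subjectSourceId = this.grouperOidcConfig.getSubjectSourceId();
        this.debugMap.put(PITPermissionAllView.FIELD_SUBJECT_SOURCE_ID, subjectSourceId);
        boolean withSource = !StringUtils.isBlank(subjectSourceId);

        String subjectId = claimValueForIdType("subjectId");
        if (subjectId != null) {
            this.subject = withSource
                    ? SubjectFinder.findByIdAndSource(subjectId, subjectSourceId, false)
                    : SubjectFinder.findById(subjectId, false);
        }

        String subjectIdentifier = claimValueForIdType("subjectIdentifier");
        if (subjectIdentifier != null) {
            this.subject = withSource
                    ? SubjectFinder.findByIdentifierAndSource(subjectIdentifier, subjectSourceId, false)
                    : SubjectFinder.findByIdentifier(subjectIdentifier, false);
        }

        String subjectIdOrIdentifier = claimValueForIdType("subjectIdOrIdentifier");
        if (subjectIdOrIdentifier != null) {
            this.subject = withSource
                    ? SubjectFinder.findByIdOrIdentifierAndSource(subjectIdOrIdentifier, subjectSourceId, false)
                    : SubjectFinder.findByIdOrIdentifier(subjectIdOrIdentifier, false);
        }

        this.debugMap.put("subjectFound", Boolean.valueOf(this.subject != null));
    }

    /**
     * Resolves which userinfo claim carries the given id type.
     *
     * @param idType one of {@code subjectId}, {@code subjectIdentifier}, {@code subjectIdOrIdentifier}
     * @return the id type itself when no subjectIdType is configured (so it is used as the claim
     *         name); the configured claim name when subjectIdType equals {@code idType} and a claim
     *         name is configured; otherwise null
     */
    private String claimNameForIdType(String idType) {
        String configuredType = this.grouperOidcConfig.getSubjectIdType();
        if (StringUtils.isBlank(configuredType)) {
            return idType;
        }
        String configuredClaimName = this.grouperOidcConfig.getSubjectIdClaimName();
        if (StringUtils.equals(configuredType, idType) && !StringUtils.isBlank(configuredClaimName)) {
            return configuredClaimName;
        }
        return null;
    }

    /**
     * Reads the claim for the given id type, recording {@code <idType>ClaimName} and {@code <idType>}
     * in the debug map as they are found.
     *
     * @return the non-blank claim value, or null when there is no claim name or no value
     */
    private String claimValueForIdType(String idType) {
        String claimName = claimNameForIdType(idType);
        if (StringUtils.isBlank(claimName)) {
            return null;
        }
        this.debugMap.put(idType + "ClaimName", claimName);
        String value = this.accessTokenAttributes.get(claimName);
        if (StringUtils.isBlank(value)) {
            return null;
        }
        this.debugMap.put(idType, value);
        return value;
    }

    /**
     * Sets the authorization code directly, bypassing header parsing.
     *
     * @param str authorization code
     * @return this, for chaining
     */
    public GrouperOidc assignAuthorizationCode(String str) {
        this.oidcCodeString = str;
        return this;
    }

    /**
     * Marks this decode as a web-service call; the external system must then be enabled for WS.
     *
     * @param z true for WS
     * @return this, for chaining
     */
    public GrouperOidc assignWs(boolean z) {
        this.ws = z;
        return this;
    }
}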
