package io.quarkus.oidc.proxy.runtime;

import io.netty.handler.codec.http.HttpHeaderNames;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.quarkus.oidc.OidcConfigurationMetadata;
import io.quarkus.oidc.OidcTenantConfig;
import io.quarkus.oidc.common.runtime.OidcClientCommonConfig;
import io.quarkus.oidc.common.runtime.OidcCommonUtils;
import io.quarkus.oidc.runtime.OidcUtils;
import io.quarkus.oidc.runtime.TenantConfigBean;
import io.quarkus.oidc.runtime.TenantConfigContext;
import io.quarkus.runtime.configuration.ConfigurationException;
import io.smallrye.mutiny.Uni;
import io.vertx.core.MultiMap;
import io.vertx.core.http.HttpHeaders;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.web.Router;
import io.vertx.ext.web.RoutingContext;
import io.vertx.mutiny.core.buffer.Buffer;
import io.vertx.mutiny.ext.web.client.HttpRequest;
import io.vertx.mutiny.ext.web.client.HttpResponse;
import io.vertx.mutiny.ext.web.client.WebClient;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashSet;
import java.util.List;
import java.util.function.BiFunction;
import java.util.function.Consumer;
import java.util.function.Function;
import org.jboss.logging.Logger;

/* loaded from: input_file:io/quarkus/oidc/proxy/runtime/OidcProxy.class */
public class OidcProxy {
    private static final Logger LOG = Logger.getLogger(OidcProxy.class);
    final OidcConfigurationMetadata oidcMetadata;
    final OidcTenantConfig oidcTenantConfig;
    final OidcProxyConfig oidcProxyConfig;
    final WebClient client;
    final String configuredClientSecret;

    public OidcProxy(TenantConfigBean tenantConfigBean, OidcProxyConfig oidcProxyConfig) {
        TenantConfigContext defaultTenant = oidcProxyConfig.tenantId().isEmpty() ? tenantConfigBean.getDefaultTenant() : (TenantConfigContext) tenantConfigBean.getStaticTenantsConfig().get(oidcProxyConfig.tenantId().get());
        this.oidcTenantConfig = defaultTenant.getOidcTenantConfig();
        this.oidcMetadata = defaultTenant.getOidcMetadata();
        this.client = defaultTenant.getOidcProviderClient().getWebClient();
        this.oidcProxyConfig = oidcProxyConfig;
        this.configuredClientSecret = OidcCommonUtils.clientSecret(this.oidcTenantConfig.credentials);
    }

    public void setup(Router router, String str) {
        if (this.oidcTenantConfig.applicationType.orElse(OidcTenantConfig.ApplicationType.SERVICE) == OidcTenantConfig.ApplicationType.WEB_APP) {
            throw new ConfigurationException("OIDC Proxy can only be used with OIDC service applications");
        }
        if (this.oidcProxyConfig.externalClientSecret().isPresent() && this.configuredClientSecret.isEmpty()) {
            throw new ConfigurationException("OIDC service client secret must be configured to replace the external client secret during the token endpoint request");
        }
        if (this.oidcMetadata.getAuthorizationUri() == null || this.oidcMetadata.getTokenUri() == null) {
            throw new ConfigurationException("OIDC Proxy requires that at least OIDC authorization and token endpoints are configured");
        }
        if (((OidcClientCommonConfig.Credentials.Secret.Method) this.oidcTenantConfig.credentials.clientSecret.method.orElse(OidcClientCommonConfig.Credentials.Secret.Method.BASIC)) == OidcClientCommonConfig.Credentials.Secret.Method.POST_JWT) {
            throw new ConfigurationException("Unsupported OIDC service client authentication method");
        }
        if (this.oidcTenantConfig.authentication.redirectPath.isPresent()) {
            if (!this.oidcProxyConfig.externalRedirectUri().isPresent()) {
                throw new ConfigurationException("oidc-proxy.external-redirect-uri property must be configured becausethe local quarkus.oidc.authentication.redirect-path is configured");
            }
            router.get(str + ((String) this.oidcTenantConfig.authentication.redirectPath.get())).handler(this::localRedirect);
        }
        router.get(str + this.oidcProxyConfig.rootPath() + "/.well-known/openid-configuration").handler(this::wellKnownConfig);
        if (this.oidcMetadata.getJsonWebKeySetUri() != null) {
            router.get(str + this.oidcProxyConfig.rootPath() + this.oidcProxyConfig.jwksPath()).handler(this::jwks);
        }
        if (this.oidcMetadata.getUserInfoUri() != null && this.oidcProxyConfig.allowIdToken()) {
            router.get(str + this.oidcProxyConfig.rootPath() + this.oidcProxyConfig.userInfoPath()).handler(this::userinfo);
        }
        router.get(str + this.oidcProxyConfig.rootPath() + this.oidcProxyConfig.authorizationPath()).handler(this::authorize);
        router.post(str + this.oidcProxyConfig.rootPath() + this.oidcProxyConfig.tokenPath()).handler(this::token);
        if (this.oidcTenantConfig.authentication.redirectPath.isPresent()) {
            if (!this.oidcProxyConfig.externalRedirectUri().isPresent()) {
                throw new ConfigurationException("oidc-proxy.external-redirect-uri property must be configured becausethe local quarkus.oidc.authentication.redirect-path is configured");
            }
            router.get((String) this.oidcTenantConfig.authentication.redirectPath.get()).handler(this::localRedirect);
        }
    }

    public void authorize(RoutingContext routingContext) {
        LOG.debug("OidcProxy: authorize");
        MultiMap queryParams = routingContext.queryParams();
        StringBuilder sb = new StringBuilder(168);
        sb.append("response_type").append("=").append("code");
        String clientId = getClientId(queryParams.get("client_id"));
        if (clientId == null) {
            LOG.error("Client id must be provided");
            badClientRequest(routingContext);
            return;
        }
        sb.append("&").append("client_id").append("=").append(OidcCommonUtils.urlEncode(clientId));
        String encodeScope = encodeScope(queryParams.get("scope"));
        if (encodeScope != null) {
            sb.append("&").append("scope").append("=").append(encodeScope);
        }
        String str = queryParams.get("state");
        if (str == null) {
            LOG.error("State must be provided");
            badClientRequest(routingContext);
            return;
        }
        sb.append("&").append("state").append("=").append(str);
        String str2 = queryParams.get("nonce");
        if (str2 != null) {
            sb.append("&").append("nonce").append("=").append(str2);
        }
        String str3 = queryParams.get("prompt");
        if (str3 != null) {
            sb.append("&").append("prompt").append("=").append(str3);
        }
        String redirectUri = getRedirectUri(routingContext, queryParams.get("redirect_uri"));
        if (redirectUri == null) {
            LOG.error("Redirect URI must be provided");
            badClientRequest(routingContext);
            return;
        }
        sb.append("&").append("redirect_uri").append("=").append(OidcCommonUtils.urlEncode(redirectUri));
        String str4 = this.oidcMetadata.getAuthorizationUri() + "?" + sb.toString();
        routingContext.response().setStatusCode(HttpResponseStatus.FOUND.code());
        routingContext.response().putHeader(HttpHeaders.LOCATION, str4);
        routingContext.response().end();
    }

    public void localRedirect(RoutingContext routingContext) {
        LOG.debug("OidcProxy: local redirect");
        MultiMap queryParams = routingContext.queryParams();
        StringBuilder sb = new StringBuilder(168);
        String str = queryParams.get("code");
        if (str != null) {
            sb.append("code").append("=").append(str);
            sb.append("&").append("state").append("=").append(queryParams.get("state"));
        } else {
            sb.append("error").append("=").append(queryParams.get("error"));
            String str2 = queryParams.get("error_description");
            if (str2 != null) {
                sb.append("error_description").append("=").append(OidcCommonUtils.urlEncode(str2));
            }
        }
        String str3 = this.oidcProxyConfig.externalRedirectUri().get() + "?" + sb.toString();
        routingContext.response().setStatusCode(HttpResponseStatus.FOUND.code());
        routingContext.response().putHeader(HttpHeaders.LOCATION, str3);
        routingContext.response().end();
    }

    public void token(final RoutingContext routingContext) {
        OidcUtils.getFormUrlEncodedData(routingContext).onItem().transformToUni(new Function<MultiMap, Uni<? extends Void>>() { // from class: io.quarkus.oidc.proxy.runtime.OidcProxy.2
            @Override // java.util.function.Function
            public Uni<Void> apply(MultiMap multiMap) {
                String clientId;
                String str;
                OidcProxy.LOG.debug("OidcProxy: Token exchange: start");
                HttpRequest postAbs = OidcProxy.this.client.postAbs(OidcProxy.this.oidcMetadata.getTokenUri());
                postAbs.putHeader(String.valueOf(HttpHeaders.CONTENT_TYPE), String.valueOf(HttpHeaders.APPLICATION_X_WWW_FORM_URLENCODED));
                postAbs.putHeader(String.valueOf(HttpHeaders.ACCEPT), "application/json");
                Buffer buffer = Buffer.buffer();
                String str2 = multiMap.get("grant_type");
                if (!"authorization_code".equals(str2) && !"refresh_token".equals(str2)) {
                    OidcProxy.LOG.errorf("Unsupported grant: %s", str2);
                    return OidcProxy.this.badClientRequest(routingContext);
                }
                OidcProxy.encodeForm(buffer, "grant_type", str2);
                String header = routingContext.request().getHeader(HttpHeaderNames.AUTHORIZATION);
                if (header != null) {
                    OidcProxy.LOG.debug("OidcProxy: Authorization header");
                    String[] clientIdAndSecretFromAuthorization = OidcProxy.this.getClientIdAndSecretFromAuthorization(header);
                    clientId = OidcProxy.this.getClientId(clientIdAndSecretFromAuthorization[0]);
                    str = clientIdAndSecretFromAuthorization[1];
                } else {
                    OidcProxy.LOG.debug("OidcProxy: POST authentication");
                    clientId = OidcProxy.this.getClientId(multiMap.get("client_id"));
                    str = multiMap.get("client_secret");
                }
                if (clientId == null) {
                    OidcProxy.LOG.error("Client id must be provided");
                    return OidcProxy.this.badClientRequest(routingContext);
                }
                if (OidcProxy.this.oidcProxyConfig.externalClientSecret().isPresent()) {
                    if (!OidcProxy.this.oidcProxyConfig.externalClientSecret().get().equals(str)) {
                        OidcProxy.LOG.error("Provided client secret does not match the external client secret property");
                        return OidcProxy.this.badClientRequest(routingContext);
                    }
                    str = OidcProxy.this.configuredClientSecret;
                }
                if (OidcProxy.this.configuredClientSecret != null && !OidcProxy.this.configuredClientSecret.equals(str)) {
                    OidcProxy.LOG.error("Provided client secret does not match the OIDC service client secret property");
                    return OidcProxy.this.badClientRequest(routingContext);
                }
                OidcClientCommonConfig.Credentials.Secret.Method method = (OidcClientCommonConfig.Credentials.Secret.Method) OidcProxy.this.oidcTenantConfig.credentials.clientSecret.method.orElse(OidcClientCommonConfig.Credentials.Secret.Method.BASIC);
                if (method == OidcClientCommonConfig.Credentials.Secret.Method.BASIC) {
                    postAbs.putHeader(String.valueOf(HttpHeaders.AUTHORIZATION), "Basic " + new String(Base64.getEncoder().encode((clientId + ":" + str).getBytes(StandardCharsets.UTF_8)), StandardCharsets.UTF_8));
                } else if (method == OidcClientCommonConfig.Credentials.Secret.Method.POST) {
                    OidcProxy.encodeForm(buffer, "client_id", clientId);
                    OidcProxy.encodeForm(buffer, "client_secret", str);
                } else if (method == OidcClientCommonConfig.Credentials.Secret.Method.QUERY) {
                    postAbs.addQueryParam("client_id", OidcCommonUtils.urlEncode(clientId));
                    postAbs.addQueryParam("client_secret", OidcCommonUtils.urlEncode(str));
                }
                if (multiMap.contains("refresh_token")) {
                    String str3 = multiMap.get("refresh_token");
                    if (str3 == null) {
                        OidcProxy.LOG.error("Refresh token must be provided");
                        return OidcProxy.this.badClientRequest(routingContext);
                    }
                    OidcProxy.encodeForm(buffer, "refresh_token", str3);
                } else {
                    String str4 = multiMap.get("code");
                    if (str4 == null) {
                        OidcProxy.LOG.error("Authorization code must be provided");
                        return OidcProxy.this.badClientRequest(routingContext);
                    }
                    OidcProxy.encodeForm(buffer, "code", str4);
                    String redirectUri = OidcProxy.this.getRedirectUri(routingContext, multiMap.get("redirect_uri"));
                    if (redirectUri == null) {
                        OidcProxy.LOG.error("Redirect URI must be provided");
                        return OidcProxy.this.badClientRequest(routingContext);
                    }
                    OidcProxy.encodeForm(buffer, "redirect_uri", redirectUri);
                }
                return postAbs.sendBuffer(buffer).onItemOrFailure().transformToUni(new BiFunction<HttpResponse<Buffer>, Throwable, Uni<? extends Void>>() { // from class: io.quarkus.oidc.proxy.runtime.OidcProxy.2.1
                    @Override // java.util.function.BiFunction
                    public Uni<Void> apply(HttpResponse<Buffer> httpResponse, Throwable th) {
                        OidcProxy.LOG.debug("OidcProxy: Token exchange: end");
                        JsonObject bodyAsJsonObject = httpResponse.bodyAsJsonObject();
                        if (!OidcProxy.this.oidcProxyConfig.allowIdToken()) {
                            bodyAsJsonObject.remove("id_token");
                        }
                        if (!OidcProxy.this.oidcProxyConfig.allowRefreshToken()) {
                            bodyAsJsonObject.remove("refresh_token");
                        }
                        OidcProxy.endJsonResponse(routingContext, bodyAsJsonObject.toString());
                        return Uni.createFrom().voidItem();
                    }
                });
            }
        }).subscribe().with(new Consumer<Void>() { // from class: io.quarkus.oidc.proxy.runtime.OidcProxy.1
            @Override // java.util.function.Consumer
            public void accept(Void r2) {
            }
        });
    }

    public void jwks(final RoutingContext routingContext) {
        LOG.debug("OidcProxy: Get JWK");
        HttpRequest abs = this.client.getAbs(this.oidcMetadata.getJsonWebKeySetUri());
        abs.putHeader(String.valueOf(HttpHeaders.ACCEPT), "application/json");
        abs.send().subscribe().with(new Consumer<HttpResponse<Buffer>>() { // from class: io.quarkus.oidc.proxy.runtime.OidcProxy.3
            @Override // java.util.function.Consumer
            public void accept(HttpResponse<Buffer> httpResponse) {
                OidcProxy.endJsonResponse(routingContext, httpResponse.bodyAsString());
            }
        });
    }

    public void userinfo(final RoutingContext routingContext) {
        LOG.debug("OidcProxy: Get UserInfo");
        String header = routingContext.request().getHeader(HttpHeaderNames.AUTHORIZATION);
        if (header == null) {
            LOG.error("Authorization header must be provided");
            badClientRequest(routingContext);
        } else if (!header.contains("Bearer")) {
            LOG.error("Authorization Bearer scheme must be used");
            badClientRequest(routingContext);
        } else {
            HttpRequest abs = this.client.getAbs(this.oidcMetadata.getUserInfoUri());
            abs.putHeader(String.valueOf(HttpHeaderNames.AUTHORIZATION), header);
            abs.putHeader(String.valueOf(HttpHeaders.ACCEPT), "application/json");
            abs.send().subscribe().with(new Consumer<HttpResponse<Buffer>>() { // from class: io.quarkus.oidc.proxy.runtime.OidcProxy.4
                @Override // java.util.function.Consumer
                public void accept(HttpResponse<Buffer> httpResponse) {
                    OidcProxy.endJsonResponse(routingContext, httpResponse.bodyAsString());
                }
            });
        }
    }

    public void wellKnownConfig(RoutingContext routingContext) {
        LOG.debug("OidcProxy: Well Known Configuration");
        JsonObject jsonObject = new JsonObject();
        jsonObject.put("authorization_endpoint", buildUri(routingContext, this.oidcProxyConfig.rootPath() + this.oidcProxyConfig.authorizationPath()));
        jsonObject.put("token_endpoint", buildUri(routingContext, this.oidcProxyConfig.rootPath() + this.oidcProxyConfig.tokenPath()));
        if (this.oidcMetadata.getJsonWebKeySetUri() != null) {
            jsonObject.put("jwks_uri", buildUri(routingContext, this.oidcProxyConfig.rootPath() + this.oidcProxyConfig.jwksPath()));
        }
        if (this.oidcMetadata.getUserInfoUri() != null && this.oidcProxyConfig.allowIdToken()) {
            jsonObject.put("userinfo_endpoint", buildUri(routingContext, this.oidcProxyConfig.rootPath() + this.oidcProxyConfig.userInfoPath()));
        }
        if (this.oidcMetadata.getIssuer() != null) {
            jsonObject.put("issuer", this.oidcMetadata.getIssuer());
        }
        endJsonResponse(routingContext, jsonObject.toString());
    }

    private Uni<Void> badClientRequest(RoutingContext routingContext) {
        routingContext.response().setStatusCode(400);
        routingContext.response().end();
        return Uni.createFrom().voidItem();
    }

    private static void endJsonResponse(RoutingContext routingContext, String str) {
        routingContext.response().setStatusCode(HttpResponseStatus.OK.code());
        routingContext.response().putHeader(HttpHeaders.CONTENT_TYPE, "application/json");
        routingContext.end(str);
    }

    public static void encodeForm(Buffer buffer, String str, String str2) {
        if (buffer.length() != 0) {
            buffer.appendByte((byte) 38);
        }
        buffer.appendString(str);
        buffer.appendByte((byte) 61);
        buffer.appendString(OidcCommonUtils.urlEncode(str2));
    }

    private String getClientId(String str) {
        if (this.oidcProxyConfig.externalClientId().isPresent()) {
            if (this.oidcProxyConfig.externalClientId().get().equals(str)) {
                return (String) this.oidcTenantConfig.clientId.get();
            }
            LOG.errorf("Provided client id '%s' does not match the external client id '%s' property", str, this.oidcProxyConfig.externalClientId().get());
            return null;
        }
        if (!this.oidcTenantConfig.clientId.isPresent() || ((String) this.oidcTenantConfig.clientId.get()).equals(str)) {
            return str;
        }
        LOG.error("Provided client id does not match the OIDC service client id property");
        return null;
    }

    private String getRedirectUri(RoutingContext routingContext, String str) {
        return this.oidcTenantConfig.authentication.redirectPath.isPresent() ? buildUri(routingContext, (String) this.oidcTenantConfig.authentication.redirectPath.get()) : str;
    }

    private String encodeScope(String str) {
        String str2 = (String) this.oidcTenantConfig.authentication.scopeSeparator.orElse(" ");
        HashSet hashSet = new HashSet(OidcUtils.getAllScopes(this.oidcTenantConfig));
        hashSet.addAll((str == null || str.isEmpty()) ? List.of() : Arrays.asList(str.split(str2)));
        if (((Boolean) this.oidcTenantConfig.authentication.addOpenidScope.orElse(true)).booleanValue()) {
            hashSet.add("openid");
        } else {
            hashSet.remove("openid");
        }
        if (hashSet.isEmpty()) {
            return null;
        }
        return OidcCommonUtils.urlEncode(String.join(str2, hashSet));
    }

    private String buildUri(RoutingContext routingContext, String str) {
        return (this.oidcTenantConfig.authentication.forceRedirectHttpsScheme.isPresent() ? "https" : routingContext.request().scheme()) + "://" + URI.create(routingContext.request().absoluteURI()).getAuthority() + str;
    }

    private String[] getClientIdAndSecretFromAuthorization(String str) {
        if (str == null) {
            return null;
        }
        if (str.startsWith("Basic") || str.startsWith("Basic")) {
            return new String(Base64.getDecoder().decode(str.substring(6)), StandardCharsets.UTF_8).split(":");
        }
        return null;
    }
}
