package org.apache.tomee.security.cdi;

import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import jakarta.security.auth.message.callback.CallerPrincipalCallback;
import jakarta.security.enterprise.AuthenticationException;
import jakarta.security.enterprise.AuthenticationStatus;
import jakarta.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
import jakarta.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import jakarta.security.enterprise.authentication.mechanism.http.OpenIdAuthenticationMechanismDefinition;
import jakarta.security.enterprise.authentication.mechanism.http.openid.OpenIdConstant;
import jakarta.security.enterprise.identitystore.CredentialValidationResult;
import jakarta.security.enterprise.identitystore.IdentityStoreHandler;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import jakarta.ws.rs.client.Client;
import jakarta.ws.rs.client.ClientBuilder;
import jakarta.ws.rs.client.Entity;
import jakarta.ws.rs.core.Form;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.UriBuilder;
import java.io.IOException;
import java.net.URI;
import java.util.Arrays;
import java.util.stream.Collectors;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.myfaces.renderkit.html.util.HTML;
import org.apache.openejb.util.LogCategory;
import org.apache.openejb.util.Logger;
import org.apache.tomee.security.cdi.openid.TomEEOpenIdContext;
import org.apache.tomee.security.cdi.openid.storage.OpenIdStorageHandler;
import org.apache.tomee.security.http.SavedRequest;
import org.apache.tomee.security.http.openid.model.TokenResponse;
import org.apache.tomee.security.http.openid.model.TomEEOpenIdCredential;

@ApplicationScoped
/* loaded from: input_file:lib/tomee-security-10.0.0-M2.jar:org/apache/tomee/security/cdi/OpenIdAuthenticationMechanism.class */
public class OpenIdAuthenticationMechanism implements HttpAuthenticationMechanism {
    private static final Logger LOGGER = Logger.getInstance(LogCategory.TOMEE_SECURITY, OpenIdAuthenticationMechanism.class);

    @Inject
    private OpenIdAuthenticationMechanismDefinition definition;

    @Inject
    private IdentityStoreHandler identityStoreHandler;

    @Inject
    private TomEEOpenIdContext openIdContext;

    @Inject
    private OpenIdStorageHandler storageHandler;

    @Override // jakarta.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism
    public void cleanSubject(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HttpMessageContext httpMessageContext) {
        HttpSession session = httpServletRequest.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        if (this.definition.logout().notifyProvider()) {
            if (!this.definition.providerMetadata().endSessionEndpoint().isEmpty()) {
                UriBuilder queryParam = UriBuilder.fromUri(this.definition.providerMetadata().endSessionEndpoint()).queryParam(OpenIdConstant.ID_TOKEN_HINT, this.openIdContext.getIdentityToken().getToken());
                if (!this.definition.logout().redirectURI().isEmpty()) {
                    queryParam.queryParam(OpenIdConstant.POST_LOGOUT_REDIRECT_URI, this.definition.logout().redirectURI());
                }
                httpMessageContext.redirect(queryParam.build(new Object[0]).toString());
                return;
            }
        } else if (!this.definition.logout().redirectURI().isEmpty()) {
            httpMessageContext.redirect(this.definition.logout().redirectURI());
            return;
        }
        redirectToAuthorization(httpServletRequest, httpServletResponse, httpMessageContext);
    }

    @Override // jakarta.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism
    public AuthenticationStatus validateRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HttpMessageContext httpMessageContext) throws AuthenticationException {
        if (httpServletRequest.getUserPrincipal() == null) {
            AuthenticationStatus performAuthentication = performAuthentication(httpServletRequest, httpServletResponse, httpMessageContext);
            return performAuthentication != null ? performAuthentication : httpMessageContext.doNothing();
        }
        AuthenticationStatus handleExpiredTokens = handleExpiredTokens(httpServletRequest, httpServletResponse, httpMessageContext);
        if (handleExpiredTokens != null) {
            return handleExpiredTokens;
        }
        try {
            httpMessageContext.getHandler().handle(new Callback[]{new CallerPrincipalCallback(httpMessageContext.getClientSubject(), httpServletRequest.getUserPrincipal())});
        } catch (IOException | UnsupportedCallbackException e) {
            LOGGER.error("Could not handle CallerPrincipalCallback", e);
        }
        return AuthenticationStatus.SUCCESS;
    }

    protected AuthenticationStatus handleExpiredTokens(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HttpMessageContext httpMessageContext) {
        if (this.openIdContext.getAccessToken() != null && this.openIdContext.getAccessToken().isExpired()) {
            LOGGER.debug("access token did expire");
            if (this.definition.tokenAutoRefresh()) {
                LOGGER.debug("Attempting to refresh tokens after access token expiry");
                return refreshTokens(httpServletRequest, httpServletResponse, httpMessageContext);
            }
            if (this.definition.logout().accessTokenExpiry()) {
                LOGGER.debug("access token expired and accessTokenExpiry=true, performing logout");
                cleanSubject(httpServletRequest, httpServletResponse, httpMessageContext);
                return AuthenticationStatus.SEND_FAILURE;
            }
        }
        if (this.openIdContext.getIdentityToken() == null || !this.openIdContext.getIdentityToken().isExpired()) {
            return null;
        }
        LOGGER.debug("identity token did expire");
        if (this.definition.tokenAutoRefresh()) {
            LOGGER.debug("Attempting to refresh tokens after identity token expiry");
            return refreshTokens(httpServletRequest, httpServletResponse, httpMessageContext);
        }
        if (!this.definition.logout().identityTokenExpiry()) {
            return null;
        }
        LOGGER.debug("identity token expired and identityTokenExpiry=true, performing logout");
        cleanSubject(httpServletRequest, httpServletResponse, httpMessageContext);
        return AuthenticationStatus.SEND_FAILURE;
    }

    protected AuthenticationStatus refreshTokens(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HttpMessageContext httpMessageContext) {
        try {
            Client newClient = ClientBuilder.newClient();
            try {
                AuthenticationStatus handleTokenResponse = handleTokenResponse((TokenResponse) newClient.target(this.definition.providerMetadata().tokenEndpoint()).request().accept(MediaType.APPLICATION_JSON).post(Entity.form(new Form().param(OpenIdConstant.CLIENT_ID, this.definition.clientId()).param(OpenIdConstant.CLIENT_SECRET, this.definition.clientSecret()).param(OpenIdConstant.GRANT_TYPE, OpenIdConstant.REFRESH_TOKEN).param(OpenIdConstant.REFRESH_TOKEN, this.openIdContext.getRefreshToken().orElseThrow(() -> {
                    return new IllegalArgumentException("Cannot refresh tokens, no refresh_token received");
                }).getToken())), TokenResponse.class), httpMessageContext);
                if (newClient != null) {
                    newClient.close();
                }
                return handleTokenResponse;
            } finally {
            }
        } catch (Exception e) {
            cleanSubject(httpServletRequest, httpServletResponse, httpMessageContext);
            throw e;
        }
    }

    protected AuthenticationStatus redirectToAuthorization(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HttpMessageContext httpMessageContext) {
        String stringBuffer = httpServletRequest.getRequestURL().toString();
        if (httpServletRequest.getQueryString() != null) {
            stringBuffer = stringBuffer + "?" + httpServletRequest.getQueryString();
        }
        this.storageHandler.set(httpServletRequest, httpServletResponse, OpenIdConstant.ORIGINAL_REQUEST, stringBuffer);
        this.storageHandler.set(httpServletRequest, httpServletResponse, OpenIdStorageHandler.REQUEST_KEY, SavedRequest.fromRequest(httpServletRequest).toJson());
        return httpMessageContext.redirect(buildAuthorizationUri(httpServletRequest, httpServletResponse).toString());
    }

    protected AuthenticationStatus performAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HttpMessageContext httpMessageContext) {
        String parameter = httpServletRequest.getParameter(OpenIdConstant.STATE);
        if (parameter == null && httpServletRequest.getUserPrincipal() == null && httpMessageContext.isProtected()) {
            return redirectToAuthorization(httpServletRequest, httpServletResponse, httpMessageContext);
        }
        if (parameter == null) {
            return null;
        }
        String str = this.storageHandler.get(httpServletRequest, httpServletResponse, OpenIdConstant.ORIGINAL_REQUEST);
        boolean startsWith = str.startsWith(httpServletRequest.getRequestURL().toString());
        if ((httpServletRequest.getRequestURL().toString().equals(this.definition.redirectURI()) || !this.definition.redirectToOriginalResource() || startsWith) && this.storageHandler.getStoredState(httpServletRequest, httpServletResponse) != null) {
            if (parameter.equals(this.storageHandler.getStoredState(httpServletRequest, httpServletResponse)) && httpServletRequest.getParameter(OpenIdConstant.ERROR_PARAM) == null) {
                if (this.definition.redirectToOriginalResource() && !startsWith) {
                    return httpMessageContext.redirect(appendQueryString(str, httpServletRequest.getQueryString()));
                }
                this.storageHandler.delete(httpServletRequest, httpServletResponse, "STATE");
                Client newClient = ClientBuilder.newClient();
                try {
                    AuthenticationStatus handleTokenResponse = handleTokenResponse((TokenResponse) newClient.target(this.definition.providerMetadata().tokenEndpoint()).request().accept(MediaType.APPLICATION_JSON).post(Entity.form(new Form().param(OpenIdConstant.CLIENT_ID, this.definition.clientId()).param(OpenIdConstant.CLIENT_SECRET, this.definition.clientSecret()).param(OpenIdConstant.GRANT_TYPE, OpenIdConstant.AUTHORIZATION_CODE).param(OpenIdConstant.REDIRECT_URI, this.definition.redirectURI()).param(OpenIdConstant.CODE, httpServletRequest.getParameter(OpenIdConstant.CODE))), TokenResponse.class), httpMessageContext);
                    if (this.definition.redirectToOriginalResource()) {
                        httpMessageContext.withRequest(SavedRequest.fromJson(this.storageHandler.get(httpServletRequest, httpServletResponse, OpenIdStorageHandler.REQUEST_KEY)).mask(httpServletRequest));
                    }
                    this.storageHandler.delete(httpServletRequest, httpServletResponse, OpenIdStorageHandler.NONCE_KEY);
                    this.storageHandler.delete(httpServletRequest, httpServletResponse, OpenIdStorageHandler.REQUEST_KEY);
                    this.storageHandler.delete(httpServletRequest, httpServletResponse, OpenIdConstant.ORIGINAL_REQUEST);
                    if (newClient != null) {
                        newClient.close();
                    }
                    return handleTokenResponse;
                } catch (Throwable th) {
                    if (newClient != null) {
                        try {
                            newClient.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            }
            return httpMessageContext.notifyContainerAboutLogin(CredentialValidationResult.INVALID_RESULT);
        }
        return httpMessageContext.notifyContainerAboutLogin(CredentialValidationResult.NOT_VALIDATED_RESULT);
    }

    protected AuthenticationStatus handleTokenResponse(TokenResponse tokenResponse, HttpMessageContext httpMessageContext) {
        this.openIdContext.setExpiresIn(Long.valueOf(tokenResponse.getExpiresIn()));
        this.openIdContext.setTokenType(tokenResponse.getTokenType());
        CredentialValidationResult validate = this.identityStoreHandler.validate(new TomEEOpenIdCredential(tokenResponse, httpMessageContext));
        httpMessageContext.setRegisterSession(validate.getCallerPrincipal().getName(), validate.getCallerGroups());
        return httpMessageContext.notifyContainerAboutLogin(validate);
    }

    protected URI buildAuthorizationUri(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        UriBuilder queryParam = UriBuilder.fromUri(this.definition.providerMetadata().authorizationEndpoint()).queryParam(OpenIdConstant.CLIENT_ID, this.definition.clientId()).queryParam("scope", String.join(" ", this.definition.scope())).queryParam(OpenIdConstant.RESPONSE_TYPE, this.definition.responseType()).queryParam(OpenIdConstant.STATE, this.storageHandler.createNewState(httpServletRequest, httpServletResponse)).queryParam(OpenIdConstant.REDIRECT_URI, this.definition.redirectURI());
        if (this.definition.useNonce()) {
            queryParam.queryParam(OpenIdConstant.NONCE, this.storageHandler.createNewNonce(httpServletRequest, httpServletResponse));
        }
        if (!this.definition.responseMode().isEmpty()) {
            queryParam.queryParam(OpenIdConstant.RESPONSE_MODE, this.definition.responseMode());
        }
        if (this.definition.display() != null) {
            queryParam.queryParam(OpenIdConstant.DISPLAY, this.definition.display().name().toLowerCase());
        }
        if (this.definition.prompt().length > 0) {
            queryParam.queryParam(OpenIdConstant.PROMPT, (String) Arrays.stream(this.definition.prompt()).map((v0) -> {
                return v0.toString();
            }).map((v0) -> {
                return v0.toLowerCase();
            }).collect(Collectors.joining(" ")));
        }
        for (String str : this.definition.extraParameters()) {
            String[] split = str.split("=");
            if (split.length != 2) {
                throw new IllegalArgumentException("extra parameter in invalid format, expected \"key=value\": " + str);
            }
            queryParam.queryParam(split[0], split[1]);
        }
        return queryParam.build(new Object[0]);
    }

    protected String appendQueryString(String str, String str2) {
        return str.contains(HTML.HREF_PATH_FROM_PARAM_SEPARATOR) ? str + "&" + str2 : str + "?" + str2;
    }
}
