package com.predic8.membrane.core.interceptor.oauth2client;

import com.bornium.security.oauth2openid.Constants;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.predic8.membrane.annot.MCAttribute;
import com.predic8.membrane.annot.MCChildElement;
import com.predic8.membrane.annot.MCElement;
import com.predic8.membrane.annot.Required;
import com.predic8.membrane.core.Router;
import com.predic8.membrane.core.exchange.AbstractExchange;
import com.predic8.membrane.core.exchange.Exchange;
import com.predic8.membrane.core.exchange.snapshots.AbstractExchangeSnapshot;
import com.predic8.membrane.core.http.Header;
import com.predic8.membrane.core.http.Request;
import com.predic8.membrane.core.http.Response;
import com.predic8.membrane.core.interceptor.AbstractInterceptorWithSession;
import com.predic8.membrane.core.interceptor.Interceptor;
import com.predic8.membrane.core.interceptor.LogInterceptor;
import com.predic8.membrane.core.interceptor.Outcome;
import com.predic8.membrane.core.interceptor.jwt.Jwks;
import com.predic8.membrane.core.interceptor.jwt.JwtAuthInterceptor;
import com.predic8.membrane.core.interceptor.oauth2.OAuth2AnswerParameters;
import com.predic8.membrane.core.interceptor.oauth2.OAuth2Statistics;
import com.predic8.membrane.core.interceptor.oauth2.authorizationservice.AuthorizationService;
import com.predic8.membrane.core.interceptor.oauth2.tokengenerators.JwtGenerator;
import com.predic8.membrane.core.interceptor.server.WebServerInterceptor;
import com.predic8.membrane.core.interceptor.session.Session;
import com.predic8.membrane.core.rules.RuleKey;
import com.predic8.membrane.core.transport.ssl.PEMSupport;
import com.predic8.membrane.core.util.URIFactory;
import com.predic8.membrane.core.util.URLParamUtil;
import java.io.IOException;
import java.math.BigInteger;
import java.security.Key;
import java.security.KeyPair;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.time.LocalDateTime;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.UUID;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import javax.annotation.concurrent.GuardedBy;
import javax.mail.internet.ParseException;
import org.apache.commons.codec.binary.Base64;
import org.codehaus.groovy.control.ResolveVisitor;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.NumericDate;
import org.jose4j.lang.JoseException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.BeanFactory;

@MCElement(name = "oauth2Resource2")
/* loaded from: input_file:WEB-INF/lib/service-proxy-core-5.0.0-alpha-1.jar:com/predic8/membrane/core/interceptor/oauth2client/OAuth2Resource2Interceptor.class */
public class OAuth2Resource2Interceptor extends AbstractInterceptorWithSession {
    public static final String OAUTH2_ANSWER = "oauth2Answer";
    public static final String OA2REDIRECT = "oa2redirect";
    public static final String OA2REDIRECT_PREFIX = "_redirect_for_oa2redirect_";
    private static Logger log = LoggerFactory.getLogger(OAuth2Resource2Interceptor.class.getName());
    private AuthorizationService auth;
    private OAuth2Statistics statistics;
    private WebServerInterceptor wsi;
    private URIFactory uriFactory;
    private boolean firstInitWhenDynamicAuthorizationService;
    private OriginalExchangeStore originalExchangeStore;
    private Key key;
    private X509Certificate certificate;
    private boolean skipUserInfo;
    private JwtAuthInterceptor jwtAuthInterceptor;
    private final Cache<String, Object> synchronizers = CacheBuilder.newBuilder().expireAfterAccess(1, TimeUnit.MINUTES).build();

    @GuardedBy("publicURLs")
    private List<String> publicURLs = new ArrayList();
    private Cache<String, Boolean> validTokens = CacheBuilder.newBuilder().expireAfterWrite(10, TimeUnit.MINUTES).build();
    private int revalidateTokenAfter = -1;
    private boolean initPublicURLsOnTheFly = false;
    private String callbackPath = "oauth2callback";
    private final ObjectMapper om = new ObjectMapper();

    @Override // com.predic8.membrane.core.interceptor.AbstractInterceptorWithSession, com.predic8.membrane.core.interceptor.AbstractInterceptor
    public void init() throws Exception {
        super.init();
        if (this.originalExchangeStore == null) {
            this.originalExchangeStore = new CookieOriginialExchangeStore();
        }
    }

    public String getPublicURL() {
        String join;
        synchronized (this.publicURLs) {
            join = String.join(" ", this.publicURLs);
        }
        return join;
    }

    @MCAttribute
    public void setPublicURL(String str) {
        synchronized (this.publicURLs) {
            this.publicURLs.clear();
            for (String str2 : str.split("[ \t]+")) {
                this.publicURLs.add(str2);
            }
        }
    }

    public AuthorizationService getAuthService() {
        return this.auth;
    }

    @MCChildElement(order = 10)
    @Required
    public void setAuthService(AuthorizationService authorizationService) {
        this.auth = authorizationService;
    }

    public int getRevalidateTokenAfter() {
        return this.revalidateTokenAfter;
    }

    @MCAttribute
    public void setRevalidateTokenAfter(int i) {
        this.revalidateTokenAfter = i;
    }

    public String getCallbackPath() {
        return this.callbackPath;
    }

    @MCAttribute
    public void setCallbackPath(String str) {
        this.callbackPath = str;
    }

    @Override // com.predic8.membrane.core.interceptor.AbstractInterceptor, com.predic8.membrane.core.interceptor.Interceptor
    public void init(Router router) throws Exception {
        this.name = "OAuth 2 Client";
        setFlow(Interceptor.Flow.Set.REQUEST_RESPONSE);
        super.init(router);
        this.auth.init(router);
        this.statistics = new OAuth2Statistics();
        this.uriFactory = router.getUriFactory();
        synchronized (this.publicURLs) {
            if (this.publicURLs.size() == 0) {
                this.initPublicURLsOnTheFly = true;
            } else {
                for (int i = 0; i < this.publicURLs.size(); i++) {
                    this.publicURLs.set(i, normalizePublicURL(this.publicURLs.get(i)));
                }
            }
        }
        this.firstInitWhenDynamicAuthorizationService = getAuthService().supportsDynamicRegistration();
        if (!getAuthService().supportsDynamicRegistration()) {
            this.firstInitWhenDynamicAuthorizationService = false;
        }
        if (this.auth.isUseJWTForClientAuth()) {
            Object parseKey = PEMSupport.getInstance().parseKey(this.auth.getSslParser().getKey().getPrivate().get(router.getResolverMap(), router.getBaseLocation()));
            this.key = parseKey instanceof Key ? (Key) parseKey : ((KeyPair) parseKey).getPrivate();
            this.certificate = PEMSupport.getInstance().parseCertificate(this.auth.getSslParser().getKey().getCertificates().get(0).get(router.getResolverMap(), router.getBaseLocation()));
        }
        if (this.skipUserInfo) {
            this.jwtAuthInterceptor = new JwtAuthInterceptor();
            Jwks jwks = new Jwks();
            jwks.setJwks(new ArrayList());
            jwks.setJwksUris(this.auth.getJwksEndpoint());
            this.jwtAuthInterceptor.setJwks(jwks);
            this.jwtAuthInterceptor.setExpectedAud("any!!");
            this.jwtAuthInterceptor.init(router);
        }
    }

    @Override // com.predic8.membrane.core.interceptor.AbstractInterceptorWithSession
    public final Outcome handleRequestInternal(Exchange exchange) throws Exception {
        return handleRequestInternal2(exchange);
    }

    private Outcome handleRequestInternal2(Exchange exchange) throws Exception {
        String firstValue;
        if (isFaviconRequest(exchange)) {
            exchange.setResponse(Response.badRequest().build());
            return Outcome.RETURN;
        }
        Session session = getSessionManager().getSession(exchange);
        simplifyMultipleOAuth2Answers(session);
        if (isOAuth2RedirectRequest(exchange)) {
            handleOriginalRequest(exchange);
        }
        if (!this.skipUserInfo && ((session == null || !session.isVerified()) && (firstValue = exchange.getRequest().getHeader().getFirstValue("Authorization")) != null && firstValue.substring(0, 7).equalsIgnoreCase("Bearer "))) {
            session = getSessionManager().getSession(exchange);
            session.put("access_token", firstValue.substring(7));
            OAuth2AnswerParameters oAuth2AnswerParameters = new OAuth2AnswerParameters();
            oAuth2AnswerParameters.setAccessToken(firstValue.substring(7));
            oAuth2AnswerParameters.setTokenType(Constants.PARAMETER_VALUE_BEARER);
            Map<String, Object> revalidateToken = revalidateToken(oAuth2AnswerParameters);
            if (revalidateToken == null) {
                log.debug("userinfo is null, redirecting.");
                return respondWithRedirect(exchange);
            }
            oAuth2AnswerParameters.setUserinfo(revalidateToken);
            session.put("oauth2Answer", oAuth2AnswerParameters.serialize());
            processUserInfo(revalidateToken, session);
        }
        if (session == null) {
            log.debug("session is null, redirecting.");
            return respondWithRedirect(exchange);
        }
        if (session.get("oauth2Answer") != null && tokenNeedsRevalidation((String) session.get("access_token")) && revalidateToken(OAuth2AnswerParameters.deserialize((String) session.get("oauth2Answer"))) == null) {
            session.clear();
        }
        if (session.get("oauth2Answer") != null) {
            exchange.setProperty(Exchange.OAUTH2, OAuth2AnswerParameters.deserialize((String) session.get("oauth2Answer")));
        }
        if (refreshingOfAccessTokenIsNeeded(session)) {
            synchronized (getTokenSynchronizer(session)) {
                try {
                    refreshAccessToken(session);
                    exchange.setProperty(Exchange.OAUTH2, OAuth2AnswerParameters.deserialize((String) session.get("oauth2Answer")));
                } catch (Exception e) {
                    log.warn("Failed to refresh access token, clearing session and restarting OAuth2 flow.", (Throwable) e);
                    session.clearAuthentication();
                }
            }
        }
        if (session.isVerified()) {
            applyBackendAuthorization(exchange, session);
            this.statistics.successfulRequest();
            return Outcome.CONTINUE;
        }
        if (!handleRequest(exchange, getPublicURL(exchange), session)) {
            log.debug("session present, but not verified, redirecting.");
            return respondWithRedirect(exchange);
        }
        if (exchange.getResponse() == null && exchange.getRequest() != null && session.isVerified() && session.get().containsKey("oauth2Answer")) {
            exchange.setProperty(Exchange.OAUTH2, OAuth2AnswerParameters.deserialize((String) session.get("oauth2Answer")));
            return Outcome.CONTINUE;
        }
        if (exchange.getResponse().getStatusCode() >= 400) {
            session.clear();
        }
        return Outcome.RETURN;
    }

    private void simplifyMultipleOAuth2Answers(Session session) {
        String str;
        int indexOfTopLevelComma;
        if (session == null || (str = (String) session.get("oauth2Answer")) == null || (indexOfTopLevelComma = getIndexOfTopLevelComma(str)) == -1) {
            return;
        }
        session.put("oauth2Answer", str.substring(0, indexOfTopLevelComma));
    }

    /* JADX WARN: Code restructure failed: missing block: B:33:0x0095, code lost:
    
        continue;
     */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    private int getIndexOfTopLevelComma(java.lang.String r4) {
        /*
            r3 = this;
            r0 = 0
            r5 = r0
            r0 = 0
            r6 = r0
            r0 = 0
            r7 = r0
            r0 = 0
            r8 = r0
        La:
            r0 = r8
            r1 = r4
            int r1 = r1.length()
            if (r0 >= r1) goto L9b
            r0 = r7
            if (r0 == 0) goto L1e
            r0 = 0
            r7 = r0
            goto L95
        L1e:
            r0 = r4
            r1 = r8
            char r0 = r0.charAt(r1)
            r9 = r0
            r0 = r6
            if (r0 == 0) goto L53
            r0 = r9
            switch(r0) {
                case 34: goto L48;
                case 92: goto L4d;
                default: goto L50;
            }
        L48:
            r0 = 0
            r6 = r0
            goto L50
        L4d:
            r0 = 1
            r7 = r0
        L50:
            goto L95
        L53:
            r0 = r9
            switch(r0) {
                case 34: goto L93;
                case 44: goto L8c;
                case 123: goto L80;
                case 125: goto L86;
                default: goto L95;
            }
        L80:
            int r5 = r5 + 1
            goto L95
        L86:
            int r5 = r5 + (-1)
            goto L95
        L8c:
            r0 = r5
            if (r0 != 0) goto L95
            r0 = r8
            return r0
        L93:
            r0 = 1
            r6 = r0
        L95:
            int r8 = r8 + 1
            goto La
        L9b:
            r0 = -1
            return r0
        */
        throw new UnsupportedOperationException("Method not decompiled: com.predic8.membrane.core.interceptor.oauth2client.OAuth2Resource2Interceptor.getIndexOfTopLevelComma(java.lang.String):int");
    }

    private Object getTokenSynchronizer(Session session) {
        try {
            String refreshToken = OAuth2AnswerParameters.deserialize((String) session.get("oauth2Answer")).getRefreshToken();
            if (refreshToken == null) {
                return new Object();
            }
            try {
                return this.synchronizers.get(refreshToken, () -> {
                    return new Object();
                });
            } catch (ExecutionException e) {
                throw new RuntimeException(e);
            }
        } catch (IOException e2) {
            throw new RuntimeException(e2);
        }
    }

    private void handleOriginalRequest(Exchange exchange) throws Exception {
        String str = URLParamUtil.getParams(this.uriFactory, exchange).get("oa2redirect");
        Session session = getSessionManager().getSession(exchange);
        AbstractExchange abstractExchange = ((AbstractExchangeSnapshot) new ObjectMapper().readValue(session.get(oa2redictKeyNameInSession(str)).toString(), AbstractExchangeSnapshot.class)).toAbstractExchange();
        session.remove(oa2redictKeyNameInSession(str));
        doOriginalRequest(exchange, abstractExchange);
    }

    private boolean isOAuth2RedirectRequest(Exchange exchange) {
        return exchange.getOriginalRequestUri().contains("oa2redirect");
    }

    private void refreshAccessToken(Session session) throws Exception {
        if (refreshingOfAccessTokenIsNeeded(session)) {
            OAuth2AnswerParameters deserialize = OAuth2AnswerParameters.deserialize((String) session.get("oauth2Answer"));
            Response doRequest = this.auth.doRequest(applyAuth(this.auth, new Request.Builder().post(this.auth.getTokenEndpoint()).header("Content-Type", "application/x-www-form-urlencoded").header("Accept", "application/json").header("User-Agent", com.predic8.membrane.core.Constants.USERAGENT), "grant_type=refresh_token&refresh_token=" + deserialize.getRefreshToken()).buildExchange());
            if (!doRequest.isOk()) {
                doRequest.getBody().read();
                throw new RuntimeException("Statuscode from authorization server for refresh token request: " + doRequest.getStatusCode());
            }
            if (!isJson(doRequest)) {
                throw new RuntimeException("Refresh Token response is no JSON.");
            }
            Map map = (Map) this.om.readValue(doRequest.getBodyAsStreamDecoded(), Map.class);
            if (map.get("access_token") == null || map.get("refresh_token") == null) {
                doRequest.getBody().read();
                throw new RuntimeException("Statuscode was ok but no access_token and refresh_token was received: " + doRequest.getStatusCode());
            }
            deserialize.setAccessToken((String) map.get("access_token"));
            deserialize.setRefreshToken((String) map.get("refresh_token"));
            deserialize.setExpiration(numberToString(map.get(Constants.PARAMETER_EXPIRES_IN)));
            LocalDateTime now = LocalDateTime.now();
            deserialize.setReceivedAt(now.withSecond((now.getSecond() / 30) * 30).withNano(0));
            if (map.containsKey("id_token")) {
                if (idTokenIsValid((String) map.get("id_token"))) {
                    deserialize.setIdToken((String) map.get("id_token"));
                } else {
                    deserialize.setIdToken("INVALID");
                }
            }
            session.put("oauth2Answer", deserialize.serialize());
        }
    }

    private Request.Builder applyAuth(AuthorizationService authorizationService, Request.Builder builder, String str) {
        if (authorizationService.isUseJWTForClientAuth()) {
            str = str + "&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion=" + createClientToken(authorizationService);
        }
        String clientSecret = authorizationService.getClientSecret();
        if (clientSecret != null) {
            builder.header("Authorization", "Basic " + new String(Base64.encodeBase64((authorizationService.getClientId() + ":" + clientSecret).getBytes()))).body(str);
        } else {
            builder.body(str + "&client_id" + authorizationService.getClientId());
        }
        return builder;
    }

    private String createClientToken(AuthorizationService authorizationService) {
        try {
            String clientId = authorizationService.getClientId();
            String tokenEndpoint = authorizationService.getTokenEndpoint();
            JwtClaims jwtClaims = new JwtClaims();
            jwtClaims.setSubject(clientId);
            jwtClaims.setAudience(tokenEndpoint);
            jwtClaims.setIssuer(jwtClaims.getSubject());
            jwtClaims.setJwtId(UUID.randomUUID().toString());
            jwtClaims.setIssuedAtToNow();
            NumericDate now = NumericDate.now();
            now.addSeconds(300L);
            jwtClaims.setExpirationTime(now);
            jwtClaims.setNotBeforeMinutesInThePast(2.0f);
            JsonWebSignature jsonWebSignature = new JsonWebSignature();
            jsonWebSignature.setPayload(jwtClaims.toJson());
            jsonWebSignature.setKey(this.key);
            jsonWebSignature.setX509CertSha1ThumbprintHeaderValue(this.certificate);
            jsonWebSignature.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
            jsonWebSignature.setHeader("typ", "JWT");
            return jsonWebSignature.getCompactSerialization();
        } catch (MalformedClaimException e) {
            throw new RuntimeException(e);
        } catch (JoseException e2) {
            throw new RuntimeException(e2);
        }
    }

    private String numberToString(Object obj) {
        if (obj == null) {
            return null;
        }
        if (obj instanceof Integer) {
            return ((Integer) obj).toString();
        }
        if (obj instanceof Long) {
            return ((Long) obj).toString();
        }
        if (obj instanceof Double) {
            return ((Double) obj).toString();
        }
        if (obj instanceof String) {
            return (String) obj;
        }
        log.warn("Unhandled number type " + obj.getClass().getName());
        return null;
    }

    private boolean isJson(Response response) throws ParseException {
        if (response.getHeader().getFirstValue("Content-Type") == null) {
            return false;
        }
        return response.getHeader().getContentTypeObject().match("application/json");
    }

    private boolean refreshingOfAccessTokenIsNeeded(Session session) throws IOException {
        if (session.get("oauth2Answer") == null) {
            return false;
        }
        OAuth2AnswerParameters deserialize = OAuth2AnswerParameters.deserialize((String) session.get("oauth2Answer"));
        if (deserialize.getRefreshToken() == null || deserialize.getRefreshToken().isEmpty() || deserialize.getExpiration() == null || deserialize.getExpiration().isEmpty()) {
            return false;
        }
        return LocalDateTime.now().isAfter(deserialize.getReceivedAt().plusSeconds(Long.parseLong(deserialize.getExpiration())).minusSeconds(5L));
    }

    private Map<String, Object> revalidateToken(OAuth2AnswerParameters oAuth2AnswerParameters) throws Exception {
        Response doRequest = this.auth.doRequest(new Request.Builder().get(this.auth.getUserInfoEndpoint()).header("Authorization", oAuth2AnswerParameters.getTokenType() + " " + oAuth2AnswerParameters.getAccessToken()).header("User-Agent", com.predic8.membrane.core.Constants.USERAGENT).header("Accept", "application/json").buildExchange());
        if (doRequest.getStatusCode() != 200) {
            this.statistics.accessTokenInvalid();
            return null;
        }
        this.statistics.accessTokenValid();
        if (isJson(doRequest)) {
            return (Map) this.om.readValue(doRequest.getBodyAsStreamDecoded(), Map.class);
        }
        throw new RuntimeException("Response is no JSON.");
    }

    private boolean tokenNeedsRevalidation(String str) {
        return this.revalidateTokenAfter >= 0 && this.validTokens.getIfPresent(str) == null;
    }

    @Override // com.predic8.membrane.core.interceptor.AbstractInterceptorWithSession
    protected Outcome handleResponseInternal(Exchange exchange) throws Exception {
        return Outcome.CONTINUE;
    }

    private String getPublicURL(Exchange exchange) throws Exception {
        String firstValue = exchange.getRequest().getHeader().getFirstValue("X-Forwarded-Proto");
        String str = (firstValue != null ? "https".equals(firstValue) : exchange.getRule().getSslInboundContext() != null ? "https://" : "http://") + exchange.getOriginalHostHeader();
        RuleKey key = exchange.getRule().getKey();
        if (!key.isPathRegExp() && key.getPath() != null) {
            str = str + key.getPath();
        }
        String normalizePublicURL = normalizePublicURL(str);
        synchronized (this.publicURLs) {
            if (this.publicURLs.contains(normalizePublicURL)) {
                return normalizePublicURL;
            }
            if (!this.initPublicURLsOnTheFly) {
                return this.publicURLs.get(0);
            }
            String str2 = null;
            if (this.initPublicURLsOnTheFly) {
                str2 = addPublicURL(normalizePublicURL);
            }
            if (this.firstInitWhenDynamicAuthorizationService && str2 != null) {
                getAuthService().dynamicRegistration((List) getPublicURLs().stream().map(str3 -> {
                    return str3 + this.callbackPath;
                }).collect(Collectors.toList()));
            }
            return normalizePublicURL;
        }
    }

    private String addPublicURL(String str) {
        synchronized (this.publicURLs) {
            if (this.publicURLs.contains(str)) {
                return null;
            }
            this.publicURLs.add(str);
            return str;
        }
    }

    private List<String> getPublicURLs() {
        ArrayList arrayList;
        synchronized (this.publicURLs) {
            arrayList = new ArrayList(this.publicURLs);
        }
        return arrayList;
    }

    private String normalizePublicURL(String str) {
        if (!str.endsWith("/")) {
            str = str + "/";
        }
        return str;
    }

    private boolean isFaviconRequest(Exchange exchange) {
        return exchange.getRequestURI().startsWith("/favicon.ico");
    }

    private void applyBackendAuthorization(Exchange exchange, Session session) {
        Header header = exchange.getRequest().getHeader();
        for (Map.Entry<String, Object> entry : session.get().entrySet()) {
            if (entry.getKey().startsWith("header")) {
                String substring = entry.getKey().substring(6);
                header.removeFields(substring);
                header.add(substring, entry.getValue().toString());
            }
        }
    }

    private Outcome respondWithRedirect(Exchange exchange) throws Exception {
        String bigInteger = new BigInteger(130, new SecureRandom()).toString(32);
        exchange.setResponse(Response.redirect(this.auth.getLoginURL(bigInteger, getPublicURL(exchange) + this.callbackPath, exchange.getRequestURI()), false).build());
        readBodyFromStreamIntoMemory(exchange);
        Session session = getSessionManager().getSession(exchange);
        this.originalExchangeStore.store(exchange, session, bigInteger, exchange);
        if (session.get().containsKey("state")) {
            bigInteger = session.get("state") + "," + bigInteger;
        }
        session.put("state", bigInteger);
        return Outcome.RETURN;
    }

    private String oa2redictKeyNameInSession(String str) {
        return "_redirect_for_oa2redirect_" + str;
    }

    private void readBodyFromStreamIntoMemory(Exchange exchange) {
        exchange.getRequest().getBodyAsStringDecoded();
    }

    public boolean handleRequest(Exchange exchange, String str, Session session) throws Exception {
        String path = this.uriFactory.create(exchange.getDestinations().get(0)).getPath();
        if (path == null || !path.endsWith("/" + this.callbackPath)) {
            return false;
        }
        try {
            Map<String, String> params = URLParamUtil.getParams(this.uriFactory, exchange);
            String securityTokenFromState = getSecurityTokenFromState(params.get("state"));
            if (!csrfTokenMatches(session, securityTokenFromState)) {
                throw new RuntimeException("CSRF token mismatch.");
            }
            session.put("state", securityTokenFromState);
            AbstractExchangeSnapshot reconstruct = this.originalExchangeStore.reconstruct(exchange, session, securityTokenFromState);
            if (reconstruct.getRequest().getUri() == null) {
            }
            this.originalExchangeStore.remove(exchange, session, securityTokenFromState);
            if (log.isDebugEnabled()) {
                log.debug("CSRF token match.");
            }
            String str2 = params.get("code");
            if (str2 == null) {
                throw new RuntimeException("No code received.");
            }
            Exchange buildExchange = applyAuth(this.auth, new Request.Builder().post(this.auth.getTokenEndpoint()).header("Content-Type", "application/x-www-form-urlencoded").header("Accept", "application/json").header("User-Agent", com.predic8.membrane.core.Constants.USERAGENT), "code=" + str2 + "&redirect_uri=" + str + this.callbackPath + "&grant_type=authorization_code").buildExchange();
            LogInterceptor logInterceptor = null;
            if (log.isDebugEnabled()) {
                logInterceptor = new LogInterceptor();
                logInterceptor.setHeaderOnly(false);
                logInterceptor.handleRequest(buildExchange);
            }
            Response doRequest = this.auth.doRequest(buildExchange);
            if (doRequest.getStatusCode() != 200) {
                doRequest.getBody().read();
                throw new RuntimeException("Authorization server returned " + doRequest.getStatusCode() + ".");
            }
            if (log.isDebugEnabled()) {
                logInterceptor.handleResponse(buildExchange);
            }
            if (!isJson(doRequest)) {
                throw new RuntimeException("Token response is no JSON.");
            }
            Map map = (Map) this.om.readValue(doRequest.getBodyAsStreamDecoded(), Map.class);
            if (!map.containsKey("access_token")) {
                throw new RuntimeException("No access_token received.");
            }
            String str3 = (String) map.get("access_token");
            OAuth2AnswerParameters oAuth2AnswerParameters = new OAuth2AnswerParameters();
            session.put("access_token", str3);
            oAuth2AnswerParameters.setAccessToken(str3);
            oAuth2AnswerParameters.setTokenType((String) map.get(Constants.PARAMETER_TOKEN_TYPE));
            oAuth2AnswerParameters.setExpiration(numberToString(map.get(Constants.PARAMETER_EXPIRES_IN)));
            oAuth2AnswerParameters.setRefreshToken((String) map.get("refresh_token"));
            LocalDateTime now = LocalDateTime.now();
            oAuth2AnswerParameters.setReceivedAt(now.withSecond((now.getSecond() / 30) * 30).withNano(0));
            if (map.containsKey("id_token")) {
                if (idTokenIsValid((String) map.get("id_token"))) {
                    oAuth2AnswerParameters.setIdToken((String) map.get("id_token"));
                } else {
                    oAuth2AnswerParameters.setIdToken("INVALID");
                }
            }
            this.validTokens.put(str3, true);
            if (this.skipUserInfo) {
                session.put("oauth2Answer", oAuth2AnswerParameters.serialize());
                if (this.jwtAuthInterceptor.handleJwt(exchange, str3) != Outcome.CONTINUE) {
                    throw new RuntimeException("Access token is not a JWT.");
                }
                processUserInfo((Map) exchange.getProperty("jwt"), session);
            } else {
                Exchange buildExchange2 = new Request.Builder().get(this.auth.getUserInfoEndpoint()).header("Authorization", map.get(Constants.PARAMETER_TOKEN_TYPE) + " " + str3).header("User-Agent", com.predic8.membrane.core.Constants.USERAGENT).header("Accept", "application/json").buildExchange();
                if (log.isDebugEnabled()) {
                    logInterceptor.setHeaderOnly(false);
                    logInterceptor.handleRequest(buildExchange2);
                }
                Response doRequest2 = this.auth.doRequest(buildExchange2);
                if (log.isDebugEnabled()) {
                    logInterceptor.handleResponse(buildExchange2);
                }
                if (doRequest2.getStatusCode() != 200) {
                    this.statistics.accessTokenInvalid();
                    throw new RuntimeException("User data could not be retrieved.");
                }
                this.statistics.accessTokenValid();
                if (!isJson(doRequest2)) {
                    throw new RuntimeException("Userinfo response is no JSON.");
                }
                Map<String, ?> map2 = (Map) this.om.readValue(doRequest2.getBodyAsStreamDecoded(), Map.class);
                oAuth2AnswerParameters.setUserinfo(map2);
                session.put("oauth2Answer", oAuth2AnswerParameters.serialize());
                processUserInfo(map2, session);
            }
            doRedirect(exchange, reconstruct);
            this.originalExchangeStore.postProcess(exchange);
            return true;
        } catch (Exception e) {
            e.printStackTrace();
            exchange.setResponse(Response.badRequest().body(e.getMessage()).build());
            this.originalExchangeStore.postProcess(exchange);
            return true;
        }
    }

    private String getSecurityTokenFromState(String str) {
        if (str == null) {
            throw new RuntimeException("No CSRF token.");
        }
        Map<String, String> parseQueryString = URLParamUtil.parseQueryString(str);
        if (parseQueryString == null || !parseQueryString.containsKey("security_token")) {
            throw new RuntimeException("No CSRF token.");
        }
        return parseQueryString.get("security_token");
    }

    private boolean csrfTokenMatches(Session session, String str) {
        Optional ofNullable = Optional.ofNullable(session.get("state"));
        return ofNullable.isPresent() && Arrays.asList(ofNullable.get().toString().split(",")).stream().filter(str2 -> {
            return str2.equals(str);
        }).count() == 1;
    }

    private void doRedirect(Exchange exchange, AbstractExchangeSnapshot abstractExchangeSnapshot) throws JsonProcessingException {
        if (abstractExchangeSnapshot.getRequest().getMethod().equals("GET")) {
            exchange.setResponse(Response.redirect(abstractExchangeSnapshot.getOriginalRequestUri(), false).build());
            return;
        }
        String bigInteger = new BigInteger(130, new SecureRandom()).toString(32);
        getSessionManager().getSession(exchange).put(oa2redictKeyNameInSession(bigInteger), new ObjectMapper().writeValueAsString(abstractExchangeSnapshot));
        exchange.setResponse(Response.redirect(abstractExchangeSnapshot.getOriginalRequestUri() + (abstractExchangeSnapshot.getOriginalRequestUri().contains(ResolveVisitor.QUESTION_MARK) ? BeanFactory.FACTORY_BEAN_PREFIX : ResolveVisitor.QUESTION_MARK) + "oa2redirect=" + bigInteger, false).build());
    }

    private void doOriginalRequest(Exchange exchange, AbstractExchange abstractExchange) throws Exception {
        abstractExchange.getRequest().getHeader().add("Cookie", exchange.getRequest().getHeader().getFirstValue("Cookie"));
        exchange.setRequest(abstractExchange.getRequest());
        exchange.getDestinations().clear();
        String firstValue = abstractExchange.getRequest().getHeader().getFirstValue("X-Forwarded-Proto");
        String firstValue2 = abstractExchange.getRequest().getHeader().getFirstValue("X-Forwarded-Host");
        String originalRequestUri = abstractExchange.getOriginalRequestUri();
        exchange.getDestinations().add(firstValue + "://" + firstValue2 + originalRequestUri);
        exchange.setOriginalRequestUri(originalRequestUri);
        exchange.setOriginalHostHeader(firstValue2);
    }

    private void processUserInfo(Map<String, Object> map, Session session) {
        if (!map.containsKey(this.auth.getSubject())) {
            throw new RuntimeException("User object does not contain " + this.auth.getSubject() + " key.");
        }
        Map<String, Object> map2 = session.get();
        String str = this.auth.getSubject().substring(0, 1).toUpperCase() + this.auth.getSubject().substring(1);
        String str2 = (String) map.get(this.auth.getSubject());
        map2.put("headerX-Authenticated-" + str, str2);
        session.authorize(str2);
    }

    private boolean idTokenIsValid(String str) throws Exception {
        try {
            JwtGenerator.getClaimsFromSignedIdToken(str, getAuthService().getIssuer(), getAuthService().getClientId(), getAuthService().getJwksEndpoint(), this.auth);
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    @Override // com.predic8.membrane.core.interceptor.AbstractInterceptor, com.predic8.membrane.core.interceptor.Interceptor
    public String getShortDescription() {
        return "Client of the oauth2 authentication process.\n" + this.statistics.toString();
    }

    public OriginalExchangeStore getOriginalExchangeStore() {
        return this.originalExchangeStore;
    }

    @MCChildElement(order = 20, allowForeign = true)
    public void setOriginalExchangeStore(OriginalExchangeStore originalExchangeStore) {
        this.originalExchangeStore = originalExchangeStore;
    }

    public boolean isSkipUserInfo() {
        return this.skipUserInfo;
    }

    @MCAttribute
    public void setSkipUserInfo(boolean z) {
        this.skipUserInfo = z;
    }
}
