package com.predic8.membrane.core.interceptor.oauth2.authorizationservice;

import com.predic8.membrane.annot.MCAttribute;
import com.predic8.membrane.annot.MCChildElement;
import com.predic8.membrane.core.Constants;
import com.predic8.membrane.core.Router;
import com.predic8.membrane.core.config.security.SSLParser;
import com.predic8.membrane.core.exchange.Exchange;
import com.predic8.membrane.core.http.Request;
import com.predic8.membrane.core.http.Response;
import com.predic8.membrane.core.interceptor.oauth2.OAuth2AnswerParameters;
import com.predic8.membrane.core.interceptor.oauth2.tokengenerators.JwtGenerator;
import com.predic8.membrane.core.interceptor.oauth2client.rf.LogHelper;
import com.predic8.membrane.core.interceptor.oauth2client.rf.token.JWSSigner;
import com.predic8.membrane.core.interceptor.session.Session;
import com.predic8.membrane.core.resolver.ResolverMap;
import com.predic8.membrane.core.transport.http.HttpClient;
import com.predic8.membrane.core.transport.http.client.HttpClientConfiguration;
import com.predic8.membrane.core.transport.ssl.PEMSupport;
import com.predic8.membrane.core.transport.ssl.SSLContext;
import com.predic8.membrane.core.transport.ssl.StaticSSLContext;
import java.io.InputStream;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.UUID;
import javax.annotation.concurrent.GuardedBy;
import org.apache.commons.codec.binary.Base64;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.NumericDate;
import org.jose4j.lang.JoseException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/service-proxy-core-5.6.0.jar:com/predic8/membrane/core/interceptor/oauth2/authorizationservice/AuthorizationService.class */
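/**
 * Base class for an OAuth2 / OpenID Connect authorization server that the client-side
 * OAuth2 interceptors talk to.
 *
 * <p>Concrete subclasses supply the endpoint URLs (statically configured or discovered
 * via {@link #init()}); this class owns the client credentials, the outbound
 * {@link HttpClient}, and the optional client key/certificate ({@code <ssl>} element)
 * which is used for the TLS client context and, when {@code useJWTForClientAuth} is set,
 * for signing a {@code private_key_jwt} client assertion.
 *
 * <p>Thread-safety: {@code clientId} and {@code clientSecret} are guarded by {@code lock}
 * because dynamic registration may replace them after startup. All other fields are
 * expected to be set by configuration and {@link #init(Router)} before the service is
 * used concurrently; they are not synchronized.
 */
public abstract class AuthorizationService {
    /** Lifetime of a {@code client_assertion} JWT created by {@link #createClientToken()}. */
    private static final long CLIENT_ASSERTION_LIFETIME_SECONDS = 300L;

    /** Initialised here as well as in {@link #init(Router)} so it is never null. */
    protected Logger log = LoggerFactory.getLogger(getClass().getName());
    private HttpClient httpClient;
    protected Router router;
    protected HttpClientConfiguration httpClientConfiguration;

    @GuardedBy("lock")
    private String clientId;

    @GuardedBy("lock")
    private String clientSecret;
    /** Signer for {@code private_key_jwt} client assertions; only set when {@code useJWTForClientAuth} is true. */
    private JWSSigner clientAssertionSigner;
    protected String scope;
    private SSLParser sslParser;
    private SSLContext sslContext;
    private boolean useJWTForClientAuth;
    private final Object lock = new Object();
    private final LogHelper logHelper = new LogHelper();
    protected boolean supportsDynamicRegistration = false;

    /** @return whether this service can register its own client with the authorization server */
    public boolean supportsDynamicRegistration() {
        return this.supportsDynamicRegistration;
    }

    /**
     * Wires the service into the router: creates the outbound HTTP client, the TLS context
     * from the {@code <ssl>} element (if any), the client-assertion signer (if enabled),
     * runs the subclass {@link #init()} and finally verifies that credentials are present
     * unless the subclass registers them dynamically.
     *
     * @throws Exception from the subclass initialisation or key/certificate loading
     * @throws IllegalStateException when {@code useJWTForClientAuth} is set but no usable
     *         key/certificate is configured
     */
    public void init(Router router) throws Exception {
        this.log = LoggerFactory.getLogger(getClass().getName());
        this.router = router;
        if (isUseJWTForClientAuth()) {
            this.clientAssertionSigner = createClientAssertionSigner(router);
        }
        setHttpClient(router.getHttpClientFactory().createClient(getHttpClientConfiguration()));
        if (this.sslParser != null) {
            this.sslContext = new StaticSSLContext(this.sslParser, router.getResolverMap(), router.getBaseLocation());
        }
        init();
        if (!supportsDynamicRegistration()) {
            checkForClientIdAndSecret();
        }
    }

    /**
     * Builds the signer for {@code private_key_jwt} client authentication from the
     * configured {@code <ssl><key>} private key and first certificate.
     * Fails with a descriptive message instead of a NullPointerException /
     * IndexOutOfBoundsException when the configuration is incomplete.
     */
    private JWSSigner createClientAssertionSigner(Router router) throws Exception {
        SSLParser parser = getSslParser();
        if (parser == null || parser.getKey() == null || parser.getKey().getPrivate() == null) {
            throw new IllegalStateException(getClass().getSimpleName()
                    + ": useJWTForClientAuth requires an <ssl> element with a <key> containing a private key");
        }
        if (parser.getKey().getCertificates() == null || parser.getKey().getCertificates().isEmpty()) {
            throw new IllegalStateException(getClass().getSimpleName()
                    + ": useJWTForClientAuth requires at least one <certificate> in the <ssl><key> element");
        }
        ResolverMap resolverMap = router.getResolverMap();
        String baseLocation = router.getBaseLocation();
        return new JWSSigner(
                PEMSupport.getInstance().parseKey(parser.getKey().getPrivate().get(resolverMap, baseLocation)),
                parser.getKey().getCertificates().get(0).get(resolverMap, baseLocation));
    }

    /** Subclass hook run from {@link #init(Router)} after the HTTP client and TLS context exist. */
    public abstract void init() throws Exception;

    /** @return the issuer identifier used to validate {@code iss} of ID tokens */
    public abstract String getIssuer();

    public abstract String getJwksEndpoint() throws Exception;

    public abstract String getEndSessionEndpoint() throws Exception;

    public abstract String getLoginURL(String str, String str2, String str3);

    public abstract String getUserInfoEndpoint();

    public abstract String getSubject();

    public abstract String getTokenEndpoint();

    public abstract String getRevocationEndpoint();

    /** Subclass hook for dynamic client registration; no-op by default. */
    protected void doDynamicRegistration(List<String> list) throws Exception {
    }

    /** Runs dynamic registration with the given redirect URIs if the subclass supports it. */
    public void dynamicRegistration(List<String> list) throws Exception {
        if (supportsDynamicRegistration()) {
            doDynamicRegistration(list);
        }
    }

    /**
     * Verifies that a client id is configured together with either a client secret or a
     * client key/certificate ({@code <ssl>} element).
     *
     * @throws IllegalStateException (a {@link RuntimeException}) when the configuration is incomplete
     */
    protected void checkForClientIdAndSecret() {
        synchronized (this.lock) {
            if (this.clientId == null || this.clientId.isEmpty()) {
                throw new IllegalStateException(getClass().getSimpleName() + " cannot work without specified clientId");
            }
            if (this.clientSecret == null && this.sslParser == null) {
                throw new IllegalStateException(getClass().getSimpleName()
                        + " cannot work without either clientSecret or a client key+certificate");
            }
        }
    }

    public HttpClientConfiguration getHttpClientConfiguration() {
        return this.httpClientConfiguration;
    }

    @MCAttribute
    public void setHttpClientConfiguration(HttpClientConfiguration httpClientConfiguration) {
        this.httpClientConfiguration = httpClientConfiguration;
    }

    public String getClientId() {
        synchronized (this.lock) {
            return this.clientId;
        }
    }

    @MCAttribute
    public void setClientId(String clientId) {
        synchronized (this.lock) {
            this.clientId = clientId;
        }
    }

    public String getClientSecret() {
        synchronized (this.lock) {
            return this.clientSecret;
        }
    }

    @MCAttribute
    public void setClientSecret(String clientSecret) {
        synchronized (this.lock) {
            this.clientSecret = clientSecret;
        }
    }

    /** Atomically replaces both credentials, e.g. after dynamic registration. */
    public void setClientIdAndSecret(String clientId, String clientSecret) {
        synchronized (this.lock) {
            this.clientId = clientId;
            this.clientSecret = clientSecret;
        }
    }

    public String getScope() {
        return this.scope;
    }

    @MCAttribute
    public void setScope(String scope) {
        this.scope = scope;
    }

    public HttpClient getHttpClient() {
        return this.httpClient;
    }

    public void setHttpClient(HttpClient httpClient) {
        this.httpClient = httpClient;
    }

    /**
     * Sends the exchange to the authorization server, attaching the configured client TLS
     * context (key/certificate, trust store) when an {@code <ssl>} element is present.
     */
    public Response doRequest(Exchange exchange) throws Exception {
        if (this.sslContext != null) {
            exchange.setProperty(Exchange.SSL_CONTEXT, this.sslContext);
        }
        return getHttpClient().call(exchange).getResponse();
    }

    public SSLParser getSslParser() {
        return this.sslParser;
    }

    @MCChildElement(order = 20, allowForeign = true)
    public void setSslParser(SSLParser sSLParser) {
        this.sslParser = sSLParser;
    }

    public boolean isUseJWTForClientAuth() {
        return this.useJWTForClientAuth;
    }

    @MCAttribute
    public void setUseJWTForClientAuth(boolean useJWTForClientAuth) {
        this.useJWTForClientAuth = useJWTForClientAuth;
    }

    /** @return the client-assertion signer, or null when {@code useJWTForClientAuth} is off or init has not run */
    public JWSSigner getJwtKeyCertHandler() {
        return this.clientAssertionSigner;
    }

    /**
     * Adds client authentication to a token-endpoint request whose form body is {@code body}.
     *
     * <ul>
     *   <li>{@code useJWTForClientAuth}: appends a {@code client_assertion} (RFC 7523).</li>
     *   <li>client secret configured: HTTP Basic with {@code clientId:clientSecret}
     *       (RFC 6749 §2.3.1). The credentials are sent verbatim; the RFC technically
     *       requires form-url-encoding them first, which matters only for ids/secrets
     *       containing {@code :} or non-ASCII characters.</li>
     *   <li>otherwise: appends {@code client_id=...} to the body (public client or
     *       mTLS / JWT authentication).</li>
     * </ul>
     *
     * @param builder the request under construction; modified and returned
     * @param body    the already form-encoded request body
     * @throws IllegalStateException when no client id is available
     */
    public Request.Builder applyAuth(Request.Builder builder, String body) {
        String clientId = getClientId();
        if (clientId == null) {
            throw new IllegalStateException(getClass().getSimpleName() + ": no clientId available for client authentication");
        }
        if (isUseJWTForClientAuth()) {
            // the compact JWS serialization is base64url, so it needs no further form-encoding
            body = body + "&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion="
                    + createClientToken();
        }
        String clientSecret = getClientSecret();
        if (clientSecret != null) {
            byte[] credentials = (clientId + ":" + clientSecret).getBytes(StandardCharsets.UTF_8);
            builder.header("Authorization", "Basic " + new String(Base64.encodeBase64(credentials), StandardCharsets.US_ASCII))
                   .body(body);
        } else {
            // note the '=' and the encoding: the previous version emitted "&client_id<id>" unencoded
            builder.body(body + "&client_id=" + URLEncoder.encode(clientId, StandardCharsets.UTF_8));
        }
        return builder;
    }

    /**
     * Performs a {@code grant_type=refresh_token} request at the token endpoint.
     *
     * @param session             current session; when it holds {@code defaultFlow}/{@code triggerFlow}
     *                            the former is replaced by the latter (literally) in the token endpoint URL
     * @param oAuth2AnswerParameters the stored token response holding the refresh token
     * @param scope               optional scope to request; null for the original scope
     * @return the raw token-endpoint response (not validated here)
     * @throws IllegalStateException when no refresh token is stored
     */
    public Response refreshTokenRequest(Session session, OAuth2AnswerParameters oAuth2AnswerParameters, String scope) throws Exception {
        String refreshToken = oAuth2AnswerParameters.getRefreshToken();
        if (refreshToken == null) {
            throw new IllegalStateException("cannot refresh: no refresh_token was issued for this session");
        }
        String tokenEndpoint = getTokenEndpoint();
        Object defaultFlow = session.get("defaultFlow");
        if (defaultFlow != null) {
            // literal replacement: flow names are plain strings, so they must not be interpreted as regex/$-references
            tokenEndpoint = tokenEndpoint.replace((String) defaultFlow, (String) session.get("triggerFlow"));
        }
        // refresh tokens are opaque and may contain '+', '/', '=', '&' - encode like any other form value
        StringBuilder body = new StringBuilder("grant_type=refresh_token&refresh_token=")
                .append(URLEncoder.encode(refreshToken, StandardCharsets.UTF_8));
        if (scope != null) {
            body.append("&scope=").append(URLEncoder.encode(scope, StandardCharsets.UTF_8));
        }
        Request.Builder request = new Request.Builder()
                .post(tokenEndpoint)
                .contentType("application/x-www-form-urlencoded")
                .header("Accept", "application/json")
                .header("User-Agent", Constants.USERAGENT);
        Exchange exchange = applyAuth(request, body.toString()).buildExchange();
        this.logHelper.handleRequest(exchange);
        Response response = doRequest(exchange);
        this.logHelper.handleResponse(exchange);
        return response;
    }

    /** Calls the userinfo endpoint with the stored access token as bearer credential. */
    public Response requestUserEndpoint(OAuth2AnswerParameters oAuth2AnswerParameters) throws Exception {
        Request.Builder request = new Request.Builder()
                .get(getUserInfoEndpoint())
                .header("Authorization", oAuth2AnswerParameters.getTokenType() + " " + oAuth2AnswerParameters.getAccessToken())
                .header("User-Agent", Constants.USERAGENT)
                .header("Accept", "application/json");
        return doRequest(request.buildExchange());
    }

    /**
     * Validates a signed ID token (signature against the JWKS, issuer, audience = client id).
     * Any failure - including a transport error while fetching the JWKS - yields {@code false};
     * the reason is logged at debug level without the token itself.
     */
    public boolean idTokenIsValid(String idToken) {
        try {
            JwtGenerator.getClaimsFromSignedIdToken(idToken, getIssuer(), getClientId(), getJwksEndpoint(), this);
            return true;
        } catch (Exception e) {
            if (this.log != null) {
                this.log.debug("ID token rejected: {}", e.getMessage());
            }
            return false;
        }
    }

    /**
     * Creates the {@code private_key_jwt} client assertion (RFC 7523): iss = sub = client id,
     * aud = token endpoint, fresh jti, valid for {@value #CLIENT_ASSERTION_LIFETIME_SECONDS}
     * seconds with a 2 minute clock-skew allowance on nbf.
     *
     * @throws IllegalStateException when the signer was not initialised
     * @throws RuntimeException wrapping jose4j signing/claim errors
     */
    private String createClientToken() {
        if (this.clientAssertionSigner == null) {
            throw new IllegalStateException(getClass().getSimpleName()
                    + ": client assertion requested but no signer was initialised (useJWTForClientAuth / init)");
        }
        try {
            String clientId = getClientId();
            JwtClaims claims = new JwtClaims();
            claims.setSubject(clientId);
            claims.setIssuer(clientId);
            claims.setAudience(getTokenEndpoint());
            claims.setJwtId(UUID.randomUUID().toString());
            claims.setIssuedAtToNow();
            NumericDate expiry = NumericDate.now();
            expiry.addSeconds(CLIENT_ASSERTION_LIFETIME_SECONDS);
            claims.setExpirationTime(expiry);
            claims.setNotBeforeMinutesInThePast(2.0f);
            return this.clientAssertionSigner.signToCompactSerialization(claims.toJson());
        } catch (MalformedClaimException | JoseException e) {
            throw new RuntimeException("could not create client assertion JWT", e);
        }
    }

    /**
     * Resolves {@code str2} relative to {@code str}: anything starting with {@code http}
     * (http:// and https://) is fetched over the outbound HTTP client, everything else
     * goes through the resolver map (file, classpath, ...).
     */
    public InputStream resolve(ResolverMap resolverMap, String str, String str2) throws Exception {
        String location = ResolverMap.combine(str, str2);
        if (location.startsWith("http")) {
            return getHttpClient().call(Request.get(location).buildExchange()).getResponse().getBodyAsStreamDecoded();
        }
        return resolverMap.resolve(location);
    }
}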
