package com.predic8.membrane.core.interceptor.oauth2client;

import com.bornium.security.oauth2openid.Constants;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.predic8.membrane.annot.MCAttribute;
import com.predic8.membrane.annot.MCChildElement;
import com.predic8.membrane.annot.MCElement;
import com.predic8.membrane.annot.Required;
import com.predic8.membrane.core.Router;
import com.predic8.membrane.core.exchange.AbstractExchange;
import com.predic8.membrane.core.exchange.Exchange;
import com.predic8.membrane.core.exchange.snapshots.AbstractExchangeSnapshot;
import com.predic8.membrane.core.http.Header;
import com.predic8.membrane.core.http.Response;
import com.predic8.membrane.core.interceptor.AbstractInterceptorWithSession;
import com.predic8.membrane.core.interceptor.Interceptor;
import com.predic8.membrane.core.interceptor.Outcome;
import com.predic8.membrane.core.interceptor.oauth2.OAuth2AnswerParameters;
import com.predic8.membrane.core.interceptor.oauth2.OAuth2Statistics;
import com.predic8.membrane.core.interceptor.oauth2.authorizationservice.AuthorizationService;
import com.predic8.membrane.core.interceptor.oauth2client.rf.FormPostGenerator;
import com.predic8.membrane.core.interceptor.oauth2client.rf.OAuth2CallbackRequestHandler;
import com.predic8.membrane.core.interceptor.oauth2client.rf.OAuth2Exception;
import com.predic8.membrane.core.interceptor.oauth2client.rf.OAuthUtils;
import com.predic8.membrane.core.interceptor.oauth2client.rf.PublicUrlManager;
import com.predic8.membrane.core.interceptor.oauth2client.rf.SessionAuthorizer;
import com.predic8.membrane.core.interceptor.oauth2client.rf.StateManager;
import com.predic8.membrane.core.interceptor.oauth2client.rf.TokenAuthenticator;
import com.predic8.membrane.core.interceptor.oauth2client.rf.token.AccessTokenRefresher;
import com.predic8.membrane.core.interceptor.oauth2client.rf.token.AccessTokenRevalidator;
import com.predic8.membrane.core.interceptor.session.Session;
import com.predic8.membrane.core.interceptor.session.SessionManager;
import com.predic8.membrane.core.util.URI;
import com.predic8.membrane.core.util.URIFactory;
import com.predic8.membrane.core.util.URLParamUtil;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.propertyeditors.CustomBooleanEditor;

@MCElement(name = "oauth2Resource2")
/* loaded from: input_file:WEB-INF/lib/service-proxy-core-5.8.2.jar:com/predic8/membrane/core/interceptor/oauth2client/OAuth2Resource2Interceptor.class */
public class OAuth2Resource2Interceptor extends AbstractInterceptorWithSession {
    private static final Logger log = LoggerFactory.getLogger(OAuth2Resource2Interceptor.class.getName());
    public static final String ERROR_STATUS = "oauth2-error-status";
    public static final String EXPECTED_AUDIENCE = "oauth2-expected-audience";
    public static final String WANTED_SCOPE = "oauth2-wanted-scope";
    private AuthorizationService auth;
    private OAuth2Statistics statistics;
    private URIFactory uriFactory;
    private OriginalExchangeStore originalExchangeStore;
    private String customHeaderUserPropertyPrefix;
    private String logoutUrl;
    private boolean appendAccessTokenToRequest;
    private String callbackPath = "oauth2callback";
    private final AccessTokenRevalidator accessTokenRevalidator = new AccessTokenRevalidator();
    private final AccessTokenRefresher accessTokenRefresher = new AccessTokenRefresher();
    private PublicUrlManager publicUrlManager = new PublicUrlManager();
    private final SessionAuthorizer sessionAuthorizer = new SessionAuthorizer();
    private final OAuth2CallbackRequestHandler oAuth2CallbackRequestHandler = new OAuth2CallbackRequestHandler();
    private final TokenAuthenticator tokenAuthenticator = new TokenAuthenticator();
    private String afterLogoutUrl = "/";
    private String afterErrorUrl = null;
    private List<LoginParameter> loginParameters = new ArrayList();
    private boolean onlyRefreshToken = false;

    @Override // com.predic8.membrane.core.interceptor.AbstractInterceptorWithSession, com.predic8.membrane.core.interceptor.AbstractInterceptor
    public void init() throws Exception {
        super.init();
        if (this.originalExchangeStore == null) {
            this.originalExchangeStore = new CookieOriginialExchangeStore();
        }
    }

    @Override // com.predic8.membrane.core.interceptor.AbstractInterceptor, com.predic8.membrane.core.interceptor.Interceptor
    public void init(Router router) throws Exception {
        this.name = "OAuth 2 Client";
        setFlow(Interceptor.Flow.Set.REQUEST_RESPONSE);
        super.init(router);
        this.auth.init(router);
        this.statistics = new OAuth2Statistics();
        this.uriFactory = router.getUriFactory();
        this.publicUrlManager.init(this.auth, this.callbackPath);
        this.accessTokenRevalidator.init(this.auth, this.statistics);
        this.accessTokenRefresher.init(this.auth, this.onlyRefreshToken);
        this.sessionAuthorizer.init(this.auth, router, this.statistics);
        this.oAuth2CallbackRequestHandler.init(this.uriFactory, this.auth, this.originalExchangeStore, this.accessTokenRevalidator, this.sessionAuthorizer, this.publicUrlManager, this.callbackPath, this.onlyRefreshToken);
        this.tokenAuthenticator.init(this.sessionAuthorizer, this.statistics, this.accessTokenRevalidator, this.auth);
    }

    @Override // com.predic8.membrane.core.interceptor.AbstractInterceptorWithSession
    protected Outcome handleResponseInternal(Exchange exchange) {
        return Outcome.CONTINUE;
    }

    @Override // com.predic8.membrane.core.interceptor.AbstractInterceptorWithSession
    public final Outcome handleRequestInternal(Exchange exchange) throws Exception {
        Session session = getSessionManager().getSession(exchange);
        if (isLogoutBackRequest(exchange)) {
            exchange.setResponse(Response.redirect(this.afterLogoutUrl, false).status(303).build());
            logOutSession(exchange);
            return Outcome.RETURN;
        }
        if (isLogoutRequest(exchange)) {
            String endSessionEndpoint = this.auth.getEndSessionEndpoint();
            if (endSessionEndpoint == null || session.getOAuth2Answer(null) == null) {
                exchange.setResponse(Response.redirect(this.afterLogoutUrl, false).status(303).build());
            } else {
                String str = endSessionEndpoint + "?post_logout_redirect_uri=" + URLEncoder.encode(replaceUrlPath(this.publicUrlManager.getPublicURL(exchange), this.logoutUrl + "/back"), StandardCharsets.UTF_8);
                OAuth2AnswerParameters oAuth2AnswerParameters = session.getOAuth2AnswerParameters();
                if (oAuth2AnswerParameters != null && oAuth2AnswerParameters.getIdToken() != null) {
                    str = str + "&id_token_hint=" + oAuth2AnswerParameters.getIdToken();
                }
                exchange.setResponse(Response.redirect(str, false).status(303).build());
            }
            logOutSession(exchange);
            return Outcome.RETURN;
        }
        if (isFaviconRequest(exchange)) {
            exchange.setResponse(Response.badRequest().build());
            return Outcome.RETURN;
        }
        OAuthUtils.simplifyMultipleOAuth2Answers(session);
        if (OAuthUtils.isOAuth2RedirectRequest(exchange)) {
            handleOriginalRequest(exchange);
        }
        String str2 = (String) exchange.getProperty(WANTED_SCOPE);
        if (this.tokenAuthenticator.userInfoIsNullAndShouldRedirect(session, exchange, str2)) {
            return respondWithRedirect(exchange);
        }
        this.accessTokenRevalidator.revalidateIfNeeded(session, str2);
        if (session.hasOAuth2Answer(str2)) {
            exchange.setProperty(Exchange.OAUTH2, session.getOAuth2AnswerParameters(str2));
        }
        this.accessTokenRefresher.refreshIfNeeded(session, exchange);
        try {
            boolean handleRequest = handleRequest(exchange, session);
            if (!handleRequest && session.isVerified()) {
                applyBackendAuthorization(exchange, session);
                this.statistics.successfulRequest();
                appendAccessTokenToRequest(exchange);
                return Outcome.CONTINUE;
            }
            if (!handleRequest) {
                log.debug("session present, but not verified, redirecting.");
                return respondWithRedirect(exchange);
            }
            if (exchange.getResponse() == null && exchange.getRequest() != null && session.isVerified() && session.hasOAuth2Answer()) {
                exchange.setProperty(Exchange.OAUTH2, session.getOAuth2AnswerParameters(str2));
                appendAccessTokenToRequest(exchange);
                return Outcome.CONTINUE;
            }
            if (exchange.getResponse().getStatusCode() >= 400) {
                session.clear();
            }
            return Outcome.RETURN;
        } catch (OAuth2Exception e) {
            session.clear();
            if (this.afterErrorUrl != null) {
                FormPostGenerator withParameter = new FormPostGenerator(this.afterErrorUrl).withParameter(Constants.PARAMETER_ERROR, e.getError());
                if (e.getErrorDescription() != null) {
                    withParameter.withParameter("error_description", e.getErrorDescription());
                }
                exchange.setResponse(withParameter.build());
            } else {
                exchange.setResponse(e.getResponse());
            }
            return Outcome.RETURN;
        }
    }

    private String replaceUrlPath(String str, String str2) {
        URI createWithoutException = this.router.getUriFactory().createWithoutException(str);
        return createWithoutException.getScheme() + "://" + createWithoutException.getHost() + (createWithoutException.getPort() != -1 ? ":" + createWithoutException.getPort() : "") + str2;
    }

    private void handleOriginalRequest(Exchange exchange) throws Exception {
        String str = URLParamUtil.getParams(this.uriFactory, exchange, URLParamUtil.DuplicateKeyOrInvalidFormStrategy.ERROR).get("oa2redirect");
        Session session = getSessionManager().getSession(exchange);
        AbstractExchange abstractExchange = ((AbstractExchangeSnapshot) new ObjectMapper().readValue(session.get(OAuthUtils.oa2redictKeyNameInSession(str)).toString(), AbstractExchangeSnapshot.class)).toAbstractExchange();
        session.remove(OAuthUtils.oa2redictKeyNameInSession(str));
        doOriginalRequest(exchange, abstractExchange);
    }

    private boolean isLogoutRequest(Exchange exchange) {
        return this.logoutUrl != null && exchange.getRequestURI().startsWith(this.logoutUrl);
    }

    private boolean isLogoutBackRequest(Exchange exchange) {
        return this.logoutUrl != null && exchange.getRequestURI().startsWith(this.logoutUrl + "/back");
    }

    public void logOutSession(Exchange exchange) {
        getSessionManager().getSession(exchange).clear();
        getSessionManager().removeSession(exchange);
        exchange.getProperties().remove("SESSION");
        exchange.getProperties().remove(SessionManager.SESSION_COOKIE_ORIGINAL);
    }

    private boolean isFaviconRequest(Exchange exchange) {
        return exchange.getRequestURI().startsWith("/favicon.ico");
    }

    private void applyBackendAuthorization(Exchange exchange, Session session) {
        if (this.customHeaderUserPropertyPrefix == null) {
            return;
        }
        Header header = exchange.getRequest().getHeader();
        for (Map.Entry<String, Object> entry : session.get().entrySet()) {
            if (entry.getKey().startsWith(this.customHeaderUserPropertyPrefix)) {
                String substring = entry.getKey().substring(this.customHeaderUserPropertyPrefix.length());
                header.removeFields(substring);
                header.add(substring, entry.getValue().toString());
            }
        }
    }

    public Outcome respondWithRedirect(Exchange exchange) throws Exception {
        Integer num = (Integer) exchange.getProperty(ERROR_STATUS);
        if (num != null) {
            exchange.setResponse(Response.statusCode(num.intValue()).header("Content-Length", CustomBooleanEditor.VALUE_0).build());
            return Outcome.RETURN;
        }
        String generateNewState = StateManager.generateNewState();
        Map map = (Map) this.loginParameters.stream().collect(HashMap::new, (hashMap, loginParameter) -> {
            hashMap.put(loginParameter.getName(), loginParameter.getValue());
        }, (v0, v1) -> {
            v0.putAll(v1);
        });
        ((List) Optional.ofNullable((List) exchange.getProperty("loginParameters")).orElse(List.of())).forEach(loginParameter2 -> {
            map.put(loginParameter2.getName(), loginParameter2.getValue());
        });
        exchange.setResponse(Response.redirect(this.auth.getLoginURL(generateNewState, this.publicUrlManager.getPublicURL(exchange) + this.callbackPath, exchange.getRequestURI()) + LoginParameter.copyLoginParameters(exchange, map.entrySet().stream().filter(entry -> {
            String str = (String) entry.getKey();
            return ("client_id".equals(str) || "response_type".equals(str) || "scope".equals(str) || "redirect_uri".equals(str) || Constants.PARAMETER_RESPONSE_MODE.equals(str) || "state".equals(str) || "claims".equals(str)) ? false : true;
        }).map(entry2 -> {
            return new LoginParameter((String) entry2.getKey(), (String) entry2.getValue());
        }).toList()), false).build());
        readBodyFromStreamIntoMemory(exchange);
        Session session = getSessionManager().getSession(exchange);
        this.originalExchangeStore.store(exchange, session, generateNewState, exchange);
        if (session.get().containsKey("state")) {
            generateNewState = String.valueOf(session.get("state")) + "," + generateNewState;
        }
        session.put("state", generateNewState);
        session.remove("defaultFlow", "triggerFlow");
        return Outcome.RETURN;
    }

    private void readBodyFromStreamIntoMemory(Exchange exchange) {
        exchange.getRequest().getBodyAsStringDecoded();
    }

    private boolean handleRequest(Exchange exchange, Session session) throws Exception {
        String path = this.uriFactory.create(exchange.getDestinations().get(0)).getPath();
        if (path != null && path.endsWith("/" + this.callbackPath)) {
            return this.oAuth2CallbackRequestHandler.handleRequest(exchange, session);
        }
        return false;
    }

    private void doOriginalRequest(Exchange exchange, AbstractExchange abstractExchange) {
        abstractExchange.getRequest().getHeader().add("Cookie", exchange.getRequest().getHeader().getFirstValue("Cookie"));
        exchange.setRequest(abstractExchange.getRequest());
        exchange.getDestinations().clear();
        String firstValue = abstractExchange.getRequest().getHeader().getFirstValue("X-Forwarded-Proto");
        String firstValue2 = abstractExchange.getRequest().getHeader().getFirstValue("X-Forwarded-Host");
        String originalRequestUri = abstractExchange.getOriginalRequestUri();
        exchange.getDestinations().add(firstValue + "://" + firstValue2 + originalRequestUri);
        exchange.setOriginalRequestUri(originalRequestUri);
        exchange.setOriginalHostHeader(firstValue2);
    }

    private void appendAccessTokenToRequest(Exchange exchange) {
        if (this.appendAccessTokenToRequest && exchange.getProperty(Exchange.OAUTH2) != null) {
            OAuth2AnswerParameters oAuth2AnswerParameters = (OAuth2AnswerParameters) exchange.getProperty(Exchange.OAUTH2);
            if (oAuth2AnswerParameters.getAccessToken() == null) {
                return;
            }
            exchange.getRequest().getHeader().setValue("Authorization", "Bearer " + oAuth2AnswerParameters.getAccessToken());
        }
    }

    @Override // com.predic8.membrane.core.interceptor.AbstractInterceptor, com.predic8.membrane.core.interceptor.Interceptor
    public String getShortDescription() {
        return "Client of the oauth2 authentication process.\n" + this.statistics.toString();
    }

    public OriginalExchangeStore getOriginalExchangeStore() {
        return this.originalExchangeStore;
    }

    @MCChildElement(order = 20, allowForeign = true)
    public void setOriginalExchangeStore(OriginalExchangeStore originalExchangeStore) {
        this.originalExchangeStore = originalExchangeStore;
    }

    public boolean isSkipUserInfo() {
        return this.sessionAuthorizer.isSkipUserInfo();
    }

    @MCAttribute
    public void setSkipUserInfo(boolean z) {
        this.sessionAuthorizer.setSkipUserInfo(z);
    }

    @MCChildElement(order = 5)
    public void setPublicUrlManager(PublicUrlManager publicUrlManager) {
        this.publicUrlManager = publicUrlManager;
    }

    public PublicUrlManager getPublicUrlManager() {
        return this.publicUrlManager;
    }

    public AuthorizationService getAuthService() {
        return this.auth;
    }

    @MCChildElement(order = 10)
    @Required
    public void setAuthService(AuthorizationService authorizationService) {
        this.auth = authorizationService;
    }

    public int getRevalidateTokenAfter() {
        return this.accessTokenRevalidator.getRevalidateTokenAfter();
    }

    @MCAttribute
    public void setRevalidateTokenAfter(int i) {
        this.accessTokenRevalidator.setRevalidateTokenAfter(i);
    }

    public String getCallbackPath() {
        return this.callbackPath;
    }

    @MCAttribute
    public void setCallbackPath(String str) {
        this.callbackPath = str;
    }

    public String getCustomHeaderUserPropertyPrefix() {
        return this.customHeaderUserPropertyPrefix;
    }

    @MCAttribute
    public void setCustomHeaderUserPropertyPrefix(String str) {
        this.customHeaderUserPropertyPrefix = str;
    }

    public String getLogoutUrl() {
        return this.logoutUrl;
    }

    @MCAttribute
    public void setLogoutUrl(String str) {
        this.logoutUrl = str;
    }

    public String getAfterLogoutUrl() {
        return this.afterLogoutUrl;
    }

    @MCAttribute
    public void setAfterLogoutUrl(String str) {
        this.afterLogoutUrl = str;
    }

    public List<LoginParameter> getLoginParameters() {
        return this.loginParameters;
    }

    @MCChildElement(order = 25)
    public void setLoginParameters(List<LoginParameter> list) {
        this.loginParameters = list;
    }

    public boolean isAppendAccessTokenToRequest() {
        return this.appendAccessTokenToRequest;
    }

    @MCAttribute
    public void setAppendAccessTokenToRequest(boolean z) {
        this.appendAccessTokenToRequest = z;
    }

    public String getAfterErrorUrl() {
        return this.afterErrorUrl;
    }

    @MCAttribute
    public void setAfterErrorUrl(String str) {
        this.afterErrorUrl = str;
    }

    public boolean isOnlyRefreshToken() {
        return this.onlyRefreshToken;
    }

    @MCAttribute
    public void setOnlyRefreshToken(boolean z) {
        this.onlyRefreshToken = z;
    }
}
