package org.ametys.plugins.extrausermgt.oauth;

import com.nimbusds.oauth2.sdk.AccessTokenResponse;
import com.nimbusds.oauth2.sdk.AuthorizationGrant;
import com.nimbusds.oauth2.sdk.AuthorizationRequest;
import com.nimbusds.oauth2.sdk.ErrorObject;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.RefreshTokenGrant;
import com.nimbusds.oauth2.sdk.ResponseType;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.TokenRequest;
import com.nimbusds.oauth2.sdk.TokenResponse;
import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.http.HTTPResponse;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.State;
import com.nimbusds.oauth2.sdk.token.AccessToken;
import com.nimbusds.oauth2.sdk.token.RefreshToken;
import com.nimbusds.oauth2.sdk.token.Tokens;
import java.io.IOException;
import java.net.URI;
import java.time.ZonedDateTime;
import java.time.chrono.ChronoZonedDateTime;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import net.minidev.json.JSONObject;
import net.minidev.json.JSONValue;
import org.ametys.core.util.DateUtils;
import org.ametys.core.util.SessionAttributeProvider;
import org.ametys.runtime.authentication.AccessDeniedException;
import org.ametys.runtime.config.Config;
import org.ametys.runtime.plugin.component.AbstractLogEnabled;
import org.apache.avalon.framework.configuration.Configurable;
import org.apache.avalon.framework.configuration.Configuration;
import org.apache.avalon.framework.configuration.ConfigurationException;
import org.apache.avalon.framework.context.Context;
import org.apache.avalon.framework.context.ContextException;
import org.apache.avalon.framework.context.Contextualizable;
import org.apache.avalon.framework.service.ServiceException;
import org.apache.avalon.framework.service.ServiceManager;
import org.apache.avalon.framework.service.Serviceable;
import org.apache.cocoon.ProcessingException;
import org.apache.cocoon.components.ContextHelper;
import org.apache.cocoon.environment.Redirector;
import org.apache.cocoon.environment.Request;
import org.apache.cocoon.environment.Session;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.text.StringTokenizer;

/* loaded from: input_file:org/ametys/plugins/extrausermgt/oauth/DefaultOauthProvider.class */
public class DefaultOauthProvider extends AbstractLogEnabled implements OAuthProvider, Configurable, Serviceable, Contextualizable {
    public static final String OAUTH_STATE_SESSION_ATTRIBUTE = "oauth.state";
    public static final String OAUTH_REDIRECT_URI_SESSION_ATTRIBUTE = "oauth.redirect.uri";
    public static final String OAUTH_ACCESS_TOKEN_SESSION_ATTRIBUTE = "oauth.access.token";
    public static final String OAUTH_ACCESS_TOKEN_EXPIRATION_DATE_SESSION_ATTRIBUTE = "oauth.access.token.expiration.date";
    public static final String OAUTH_REFRESH_TOKEN_SESSION_ATTRIBUTE = "oauth.refresh.token";
    public static final String OAUTH_CUSTOM_PARAMETER = "oauth.custom.parameter";
    private static final String __OAUTH_AUTHORIZATION_CALLBACK = "/_extra-user-management/oauth-callback";
    protected String _id;
    protected ClientID _clientID;
    protected ClientAuthentication _auth;
    protected URI _authorizationEnpoint;
    protected URI _tokenEndpointURI;
    protected Scope _scope;
    protected Set<String> _customParameters;
    private SessionAttributeProvider _sessionAttributeProvider;
    private Set<State> _knownState = new HashSet();
    private Context _context;

    public void contextualize(Context context) throws ContextException {
        this._context = context;
    }

    public void service(ServiceManager serviceManager) throws ServiceException {
        this._sessionAttributeProvider = (SessionAttributeProvider) serviceManager.lookup(SessionAttributeProvider.ROLE);
    }

    public void configure(Configuration configuration) throws ConfigurationException {
        this._id = configuration.getAttribute("id");
        this._clientID = new ClientID(_getConfigValue(configuration.getChild("clientId")));
        this._auth = new ClientSecretBasic(this._clientID, new Secret(_getConfigValue(configuration.getChild("secret"))));
        String _getConfigValue = _getConfigValue(configuration.getChild("baseURL"));
        if (StringUtils.isNotEmpty(_getConfigValue)) {
            this._authorizationEnpoint = URI.create(_getConfigValue + _getConfigValue(configuration.getChild("authorizationEndpointPath")));
            this._tokenEndpointURI = URI.create(_getConfigValue + _getConfigValue(configuration.getChild("tokenEndpointPath")));
        } else {
            this._authorizationEnpoint = URI.create(_getConfigValue(configuration.getChild("authorizationEndpointURI")));
            this._tokenEndpointURI = URI.create(_getConfigValue(configuration.getChild("tokenEndpointURI")));
        }
        this._scope = new Scope();
        Iterator it = StringTokenizer.getCSVInstance(_getConfigValue(configuration.getChild("scopes"))).getTokenList().iterator();
        while (it.hasNext()) {
            this._scope.add((String) it.next());
        }
        this._customParameters = new HashSet(StringTokenizer.getCSVInstance(_getConfigValue(configuration.getChild("customParams"))).getTokenList());
    }

    protected String _getConfigValue(Configuration configuration) {
        return configuration.getAttributeAsBoolean("config", false) ? (String) Config.getInstance().getValue(configuration.getValue("")) : configuration.getValue((String) null);
    }

    @Override // org.ametys.plugins.extrausermgt.oauth.OAuthProvider
    public ClientID getClientID() {
        return this._clientID;
    }

    @Override // org.ametys.plugins.extrausermgt.oauth.OAuthProvider
    public URI getAuthorizationEndpointURI() {
        return this._authorizationEnpoint;
    }

    @Override // org.ametys.plugins.extrausermgt.oauth.OAuthProvider
    public URI getTokenEndpointURI() {
        return this._tokenEndpointURI;
    }

    @Override // org.ametys.plugins.extrausermgt.oauth.OAuthProvider
    public String getId() {
        return this._id;
    }

    @Override // org.ametys.plugins.extrausermgt.oauth.OAuthProvider
    public ClientAuthentication getClientAuthentication() {
        return this._auth;
    }

    @Override // org.ametys.plugins.extrausermgt.oauth.OAuthProvider
    public Scope getScope() {
        return this._scope;
    }

    @Override // org.ametys.plugins.extrausermgt.oauth.OAuthProvider
    public Set<String> getCustomParametersName() {
        return this._customParameters;
    }

    @Override // org.ametys.plugins.extrausermgt.oauth.OAuthProvider
    public boolean isKnownState(State state) {
        return this._knownState.remove(state);
    }

    @Override // org.ametys.plugins.extrausermgt.oauth.OAuthProvider
    public Optional<AccessToken> getStoredAccessToken() {
        Optional<AccessToken> map = this._sessionAttributeProvider.getSessionAttribute("oauth.access.token$" + this._id).map(obj -> {
            try {
                return AccessToken.parse((JSONObject) JSONValue.parseWithException((String) obj));
            } catch (ParseException | net.minidev.json.parser.ParseException e) {
                getLogger().warn("Failed to parse the stored access token for provider {}. The token is ignored", this._id, e);
                return null;
            }
        });
        if (map.isEmpty()) {
            return map;
        }
        Optional map2 = this._sessionAttributeProvider.getSessionAttribute("oauth.access.token.expiration.date$" + this._id).map(obj2 -> {
            return DateUtils.parseZonedDateTime((String) obj2);
        });
        if (!map2.isEmpty()) {
            return ZonedDateTime.now().isBefore((ChronoZonedDateTime) map2.get()) ? map : _refreshToken();
        }
        getLogger().warn("A token is stored in session for provider {} but the token has no expiration date or an invalid one. The token is ignored.", this._id);
        return Optional.empty();
    }

    private Optional<AccessToken> _refreshToken() {
        Optional map = this._sessionAttributeProvider.getSessionAttribute("oauth.refresh.token$" + this._id).map(obj -> {
            try {
                return RefreshToken.parse((JSONObject) JSONValue.parseWithException((String) obj));
            } catch (ParseException | net.minidev.json.parser.ParseException e) {
                getLogger().warn("Failed to parse the stored refresh token for provider {}. The token is ignored", this._id, e);
                return null;
            }
        });
        if (!map.isPresent()) {
            return Optional.empty();
        }
        try {
            return Optional.of(requestAccessToken(new RefreshTokenGrant((RefreshToken) map.get())));
        } catch (AccessDeniedException | IOException e) {
            getLogger().warn("Failed to refresh access token for provider {}", this._id, e);
            return Optional.empty();
        }
    }

    @Override // org.ametys.plugins.extrausermgt.oauth.OAuthProvider
    public <T> Optional<T> getStoredCustomParameter(String str) {
        return this._sessionAttributeProvider.getSessionAttribute("oauth.custom.parameter$" + this._id + "#" + str).map(obj -> {
            return JSONValue.parse((String) obj);
        });
    }

    @Override // org.ametys.plugins.extrausermgt.oauth.OAuthProvider
    public Optional<AccessToken> getAccessToken(Redirector redirector) throws ProcessingException, IOException {
        Optional<AccessToken> storedAccessToken = getStoredAccessToken();
        if (storedAccessToken.isPresent()) {
            return storedAccessToken;
        }
        AuthorizationRequest buildAuthorizationCodeRequest = buildAuthorizationCodeRequest();
        if (!redirector.hasRedirected()) {
            redirector.redirect(false, buildAuthorizationCodeRequest.toURI().toString());
        }
        return Optional.empty();
    }

    protected AuthorizationRequest buildAuthorizationCodeRequest() {
        AuthorizationRequest.Builder state = new AuthorizationRequest.Builder(ResponseType.CODE, this._clientID).endpointURI(this._authorizationEnpoint).redirectionURI(_getRedirectUri()).state(_generateState());
        if (!this._scope.isEmpty()) {
            state.scope(this._scope);
        }
        return state.build();
    }

    protected State _generateState() {
        State state = new State();
        while (true) {
            State state2 = state;
            if (this._knownState.add(state2)) {
                ContextHelper.getRequest(this._context).getSession().setAttribute(OAUTH_STATE_SESSION_ATTRIBUTE, state2);
                return state2;
            }
            state = new State();
        }
    }

    private URI _getRedirectUri() {
        Request request = ContextHelper.getRequest(this._context);
        _storeCurrentRequestUriInSession(request);
        return _buildAbsoluteURI(request, __OAUTH_AUTHORIZATION_CALLBACK);
    }

    private void _storeCurrentRequestUriInSession(Request request) {
        StringBuilder sb = new StringBuilder(request.getRequestURI());
        String queryString = request.getQueryString();
        if (StringUtils.isNotEmpty(queryString)) {
            sb.append("?");
            sb.append(queryString);
        }
        request.getSession(true).setAttribute(OAUTH_REDIRECT_URI_SESSION_ATTRIBUTE, sb.toString());
    }

    private URI _buildAbsoluteURI(Request request, String str) {
        StringBuilder append = new StringBuilder().append(request.getScheme()).append("://").append(request.getServerName());
        if (request.isSecure()) {
            if (request.getServerPort() != 443) {
                append.append(":");
                append.append(request.getServerPort());
            }
        } else if (request.getServerPort() != 80) {
            append.append(":");
            append.append(request.getServerPort());
        }
        append.append(request.getContextPath());
        append.append(str);
        return URI.create(append.toString());
    }

    @Override // org.ametys.plugins.extrausermgt.oauth.OAuthProvider
    public AccessToken requestAccessToken(AuthorizationGrant authorizationGrant) throws IOException {
        TokenRequest tokenRequest = new TokenRequest(getTokenEndpointURI(), getClientAuthentication(), authorizationGrant, getScope());
        return _getAccessTokenFromAuthorizationServerResponse(tokenRequest.toHTTPRequest().send(), ZonedDateTime.now());
    }

    protected AccessToken _getAccessTokenFromAuthorizationServerResponse(HTTPResponse hTTPResponse, ZonedDateTime zonedDateTime) {
        try {
            TokenResponse parse = TokenResponse.parse(hTTPResponse);
            if (parse.indicatesSuccess()) {
                return storeTokens(parse.toSuccessResponse(), zonedDateTime);
            }
            ErrorObject errorObject = parse.toErrorResponse().getErrorObject();
            throw new AccessDeniedException("Oauth authorization request failed with http status '" + errorObject.getHTTPStatusCode() + "', code '" + errorObject.getCode() + "' and description '" + errorObject.getDescription() + "'.");
        } catch (ParseException e) {
            getLogger().error("Token response is invalid. Access will be denied", e);
            throw new AccessDeniedException("Oauth authorization request failed with invalid response. The response was not parseable");
        }
    }

    protected AccessToken storeTokens(AccessTokenResponse accessTokenResponse, ZonedDateTime zonedDateTime) {
        Session session = ContextHelper.getRequest(this._context).getSession();
        Tokens tokens = accessTokenResponse.getTokens();
        AccessToken accessToken = tokens.getAccessToken();
        session.setAttribute("oauth.access.token$" + this._id, accessToken.toJSONObject().toJSONString());
        session.setAttribute("oauth.refresh.token$" + this._id, tokens.getRefreshToken().toJSONObject().toJSONString());
        if (accessToken.getLifetime() != 0) {
            session.setAttribute("oauth.access.token.expiration.date$" + this._id, DateUtils.zonedDateTimeToString(zonedDateTime.plusSeconds(accessToken.getLifetime())));
        }
        Map customParameters = accessTokenResponse.getCustomParameters();
        for (String str : getCustomParametersName()) {
            session.setAttribute("oauth.custom.parameter$" + this._id + "#" + str, JSONValue.toJSONString(customParameters.get(str)));
        }
        return accessToken;
    }
}
