package org.ametys.plugins.extrausermgt.authentication.oidc;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jwt.JWT;
import com.nimbusds.oauth2.sdk.AuthorizationCode;
import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
import com.nimbusds.oauth2.sdk.AuthorizationGrant;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.RefreshTokenGrant;
import com.nimbusds.oauth2.sdk.ResponseType;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.SerializeException;
import com.nimbusds.oauth2.sdk.TokenErrorResponse;
import com.nimbusds.oauth2.sdk.TokenRequest;
import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.oauth2.sdk.id.State;
import com.nimbusds.oauth2.sdk.token.AccessToken;
import com.nimbusds.oauth2.sdk.token.RefreshToken;
import com.nimbusds.openid.connect.sdk.AuthenticationRequest;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
import com.nimbusds.openid.connect.sdk.UserInfoRequest;
import com.nimbusds.openid.connect.sdk.UserInfoResponse;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import com.nimbusds.openid.connect.sdk.claims.UserInfo;
import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.ametys.core.authentication.AbstractCredentialProvider;
import org.ametys.core.authentication.BlockingCredentialProvider;
import org.ametys.core.user.User;
import org.ametys.core.user.UserIdentity;
import org.ametys.core.user.directory.NotUniqueUserException;
import org.ametys.core.user.directory.UserDirectory;
import org.ametys.core.user.population.UserPopulation;
import org.ametys.plugins.extrausermgt.authentication.oidc.endofauthenticationprocess.EndOfAuthenticationProcess;
import org.ametys.runtime.authentication.AccessDeniedException;
import org.apache.avalon.framework.context.Context;
import org.apache.avalon.framework.context.ContextException;
import org.apache.avalon.framework.context.Contextualizable;
import org.apache.avalon.framework.service.ServiceException;
import org.apache.avalon.framework.service.ServiceManager;
import org.apache.avalon.framework.service.Serviceable;
import org.apache.cocoon.ProcessingException;
import org.apache.cocoon.components.ContextHelper;
import org.apache.cocoon.environment.Redirector;
import org.apache.cocoon.environment.Request;
import org.apache.cocoon.environment.Session;
import org.apache.commons.lang3.StringUtils;

/* loaded from: input_file:org/ametys/plugins/extrausermgt/authentication/oidc/AbstractOIDCCredentialProvider.class */
public abstract class AbstractOIDCCredentialProvider extends AbstractCredentialProvider implements BlockingCredentialProvider, Contextualizable, Serviceable {
    public static final String REDIRECT_URI_SESSION_ATTRIBUTE = "oidc_actualRedirectUri";
    public static final String TOKEN_SESSION_ATTRIBUTE = "oidc_token";
    public static final String EXPDATE_SESSION_ATTRIBUTE = "oidc_expirationDate";
    public static final String REFRESH_TOKEN_SESSION_ATTRIBUTE = "oidc_refreshToken";
    public static final String STATE_SESSION_ATTRIBUTE = "oidc_state";
    protected Scope _scope;
    protected URI _authUri;
    protected URI _tokenEndpointUri;
    protected URI _userInfoEndpoint;
    protected URL _jwkSetURL;
    protected Issuer _iss;
    protected Context _context;
    protected ClientID _clientID;
    protected Secret _clientSecret;
    private EndOfAuthenticationProcess _endOfAuthenticationProcess;

    public void contextualize(Context context) throws ContextException {
        this._context = context;
    }

    public void service(ServiceManager serviceManager) throws ServiceException {
        this._endOfAuthenticationProcess = (EndOfAuthenticationProcess) serviceManager.lookup(EndOfAuthenticationProcess.ROLE);
    }

    public void init(String str, String str2, Map<String, Object> map, String str3) throws Exception {
        super.init(str, str2, map, str3);
        this._clientID = new ClientID(map.get("authentication.oidc.idclient").toString());
        this._clientSecret = new Secret(map.get("authentication.oidc.clientsecret").toString());
        initUrisScope();
    }

    protected ClientAuthentication getClientAuthentication() {
        return new ClientSecretBasic(this._clientID, this._clientSecret);
    }

    public boolean blockingGrantAnonymousRequest() {
        return false;
    }

    public boolean blockingIsStillConnected(UserIdentity userIdentity, Redirector redirector) throws Exception {
        Session session = ContextHelper.getRequest(this._context).getSession(true);
        if (new Date().before((Date) session.getAttribute(EXPDATE_SESSION_ATTRIBUTE))) {
            return true;
        }
        OIDCTokens requestToken = requestToken(getClientAuthentication(), (AuthorizationGrant) new RefreshTokenGrant((RefreshToken) session.getAttribute(REFRESH_TOKEN_SESSION_ATTRIBUTE)));
        JWT iDToken = requestToken.getIDToken();
        AccessToken accessToken = requestToken.getAccessToken();
        session.setAttribute(EXPDATE_SESSION_ATTRIBUTE, validateIdToken(iDToken).getExpirationTime());
        session.setAttribute(TOKEN_SESSION_ATTRIBUTE, accessToken);
        return true;
    }

    public UserIdentity blockingGetUserIdentity(Redirector redirector) throws Exception {
        Request request = ContextHelper.getRequest(this._context);
        Session session = request.getSession(true);
        URI _buildRedirectUri = _buildRedirectUri();
        getLogger().debug("OIDCCredentialProvider callback URI: {}", _buildRedirectUri);
        String parameter = request.getParameter("code");
        if (parameter == null || session.getAttribute(STATE_SESSION_ATTRIBUTE) == null) {
            signIn(redirector, _buildRedirectUri, session);
            return null;
        }
        checkState();
        OIDCTokens requestToken = requestToken(new AuthorizationCode(parameter), _buildRedirectUri);
        JWT iDToken = requestToken.getIDToken();
        AccessToken accessToken = requestToken.getAccessToken();
        session.setAttribute(REFRESH_TOKEN_SESSION_ATTRIBUTE, requestToken.getRefreshToken());
        IDTokenClaimsSet validateIdToken = validateIdToken(iDToken);
        validateIdToken.getExpirationTime();
        session.setAttribute(EXPDATE_SESSION_ATTRIBUTE, validateIdToken.getExpirationTime());
        return getUserIdentity(getUserInfo(accessToken), request, redirector);
    }

    public void blockingUserNotAllowed(Redirector redirector) throws Exception {
    }

    public void blockingUserAllowed(UserIdentity userIdentity, Redirector redirector) throws Exception {
        redirector.redirect(true, (String) ContextHelper.getRequest(this._context).getSession(true).getAttribute(REDIRECT_URI_SESSION_ATTRIBUTE));
    }

    public boolean requiresNewWindow() {
        return true;
    }

    private UserPopulation _getPopulation(Request request) {
        List list = (List) request.getAttribute("Runtime:UserPopulationsList");
        if (list.size() == 1) {
            return (UserPopulation) list.get(0);
        }
        String str = (String) request.getAttribute("Runtime:CurrentUserPopulationId");
        if (StringUtils.isNotBlank(str)) {
            return (UserPopulation) list.stream().filter(userPopulation -> {
                return StringUtils.equals(userPopulation.getId(), str);
            }).findFirst().get();
        }
        throw new IllegalStateException("The " + getClass().getName() + " does not work when population is not known");
    }

    protected abstract void initUrisScope() throws AccessDeniedException;

    private URI _buildRedirectUri() throws URISyntaxException {
        Request request = ContextHelper.getRequest(this._context);
        StringBuilder sb = new StringBuilder(request.getRequestURI());
        String queryString = request.getQueryString();
        if (queryString != null) {
            String str = (String) Stream.of((Object[]) StringUtils.split(queryString, "&")).filter(str2 -> {
                return !StringUtils.startsWithAny(str2, new CharSequence[]{"code=", "state="});
            }).collect(Collectors.joining("&"));
            if (StringUtils.isNotEmpty(str)) {
                sb.append("?");
                sb.append(str);
            }
        }
        request.getSession(true).setAttribute(REDIRECT_URI_SESSION_ATTRIBUTE, sb.toString());
        return buildAbsoluteURI(request, "/_extra-user-management/oidc-callback");
    }

    protected URI buildAbsoluteURI(Request request, String str) {
        StringBuilder append = new StringBuilder().append(request.getScheme()).append("://").append(request.getServerName());
        if (request.isSecure()) {
            if (request.getServerPort() != 443) {
                append.append(":");
                append.append(request.getServerPort());
            }
        } else if (request.getServerPort() != 80) {
            append.append(":");
            append.append(request.getServerPort());
        }
        append.append(request.getContextPath());
        append.append(str);
        return URI.create(append.toString());
    }

    protected void signIn(Redirector redirector, URI uri, Session session) throws ProcessingException, IOException {
        State state = new State();
        session.setAttribute(STATE_SESSION_ATTRIBUTE, state);
        redirector.redirect(false, new AuthenticationRequest(this._authUri, new ResponseType(new ResponseType.Value[]{ResponseType.Value.CODE}), this._scope, this._clientID, uri, state, (Nonce) null).toURI().toString() + "&access_type=offline");
    }

    protected void checkState() throws AccessDeniedException {
        Request request = ContextHelper.getRequest(this._context);
        Session session = request.getSession(true);
        if (session.getAttribute(STATE_SESSION_ATTRIBUTE).toString().equals(request.getParameter("state"))) {
            session.setAttribute(STATE_SESSION_ATTRIBUTE, (Object) null);
        } else {
            getLogger().error("OIDC state mismatch. Method checkState of AbstractOIDCCredentialProvider");
            throw new AccessDeniedException("OIDC state mismatch");
        }
    }

    protected OIDCTokens requestToken(AuthorizationCode authorizationCode, URI uri) throws AccessDeniedException {
        try {
            try {
                OIDCTokenResponse parse = OIDCTokenResponseParser.parse(new TokenRequest(this._tokenEndpointUri, getClientAuthentication(), new AuthorizationCodeGrant(authorizationCode, uri)).toHTTPRequest().send());
                if (!(parse instanceof TokenErrorResponse)) {
                    return parse.getOIDCTokens();
                }
                getLogger().error("OIDC token request invalid token response instance of TokenErrorResponse in method requestToken from AbstractOIDCCredentialProvider");
                throw new AccessDeniedException("OIDC token request result invalid");
            } catch (ParseException e) {
                getLogger().error("OIDC token request result invalid ", e);
                throw new AccessDeniedException("OIDC token request result invalid");
            }
        } catch (SerializeException | IOException e2) {
            getLogger().error("OIDC token request failed ", e2);
            throw new AccessDeniedException("OIDC token request failed");
        }
    }

    protected OIDCTokens requestToken(ClientAuthentication clientAuthentication, AuthorizationGrant authorizationGrant) throws AccessDeniedException, URISyntaxException {
        try {
            try {
                OIDCTokenResponse parse = OIDCTokenResponseParser.parse(new TokenRequest(this._tokenEndpointUri, clientAuthentication, authorizationGrant).toHTTPRequest().send());
                if (!(parse instanceof TokenErrorResponse)) {
                    return parse.getOIDCTokens();
                }
                getLogger().error("OIDC token request result invalid: tokenResponse instance of TokenErrorResponse in method requestToken from AbstractOIDCCredentialProvider");
                throw new AccessDeniedException("OIDC token request result invalid");
            } catch (ParseException e) {
                getLogger().error("OIDC token request result invalid ", e);
                throw new AccessDeniedException("OIDC token request result invalid");
            }
        } catch (SerializeException | IOException e2) {
            getLogger().error("OIDC token request failed ", e2);
            throw new AccessDeniedException("OIDC token request failed");
        }
    }

    protected IDTokenClaimsSet validateIdToken(JWT jwt) throws AccessDeniedException {
        try {
            return new IDTokenValidator(this._iss, this._clientID, JWSAlgorithm.RS256, this._jwkSetURL).validate(jwt, (Nonce) null);
        } catch (JOSEException e) {
            getLogger().error("OIDC error while validating token", e);
            throw new AccessDeniedException("OIDC error while validating token");
        } catch (BadJOSEException e2) {
            getLogger().error("OIDC invalid : issuer, clientId, jwsAlg or jwkSetURL", e2);
            throw new AccessDeniedException("OIDC invalid signature issuer, clientId, jwsAlg or jwkSetURL");
        }
    }

    protected UserInfo getUserInfo(AccessToken accessToken) throws IOException, ParseException {
        UserInfoResponse parse = UserInfoResponse.parse(new UserInfoRequest(this._userInfoEndpoint, accessToken).toHTTPRequest().send());
        if (parse.indicatesSuccess()) {
            return parse.toSuccessResponse().getUserInfo();
        }
        String jSONString = parse.toErrorResponse().getErrorObject().toJSONObject().toJSONString();
        getLogger().error("Failed to retrieve the user info. The server indicate the following error :\n" + jSONString);
        throw new AccessDeniedException("Failed to retrieve the user info. The server indicate the following error :\n" + jSONString);
    }

    protected UserIdentity getUserIdentity(UserInfo userInfo, Request request, Redirector redirector) throws NotUniqueUserException {
        String emailAddress = userInfo.getEmailAddress();
        if (emailAddress == null) {
            getLogger().error("Email not found, connection canceled ");
            throw new AccessDeniedException("Email not found, connection canceled");
        }
        UserPopulation _getPopulation = _getPopulation(request);
        UserIdentity _getUserIdentity = _getUserIdentity(emailAddress, _getPopulation);
        if (_getUserIdentity != null) {
            return _getUserIdentity;
        }
        String givenName = userInfo.getGivenName();
        String familyName = userInfo.getFamilyName();
        if (givenName == null || familyName == null) {
            getLogger().info("The fields could not be pre-filled");
        }
        this._endOfAuthenticationProcess.unexistingUser(emailAddress, givenName, familyName, _getPopulation, redirector, request);
        return null;
    }

    private UserIdentity _getUserIdentity(String str, UserPopulation userPopulation) throws NotUniqueUserException {
        for (UserDirectory userDirectory : userPopulation.getUserDirectories()) {
            User user = userDirectory.getUser(str);
            if (user == null) {
                user = userDirectory.getUserByEmail(str);
            }
            if (user != null) {
                return user.getIdentity();
            }
        }
        return null;
    }
}
