package org.ametys.plugins.extrausermgt.authentication.aad;

import com.microsoft.aad.msal4j.AuthorizationCodeParameters;
import com.microsoft.aad.msal4j.AuthorizationRequestUrlParameters;
import com.microsoft.aad.msal4j.ClientCredentialFactory;
import com.microsoft.aad.msal4j.ConfidentialClientApplication;
import com.microsoft.aad.msal4j.IAccount;
import com.microsoft.aad.msal4j.IAuthenticationResult;
import com.microsoft.aad.msal4j.Prompt;
import com.microsoft.aad.msal4j.ResponseMode;
import com.microsoft.aad.msal4j.SilentParameters;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Date;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import org.ametys.core.authentication.AbstractCredentialProvider;
import org.ametys.core.authentication.BlockingCredentialProvider;
import org.ametys.core.authentication.NonBlockingCredentialProvider;
import org.ametys.core.user.UserIdentity;
import org.ametys.plugins.extrausermgt.authentication.oidc.AbstractOIDCCredentialProvider;
import org.ametys.runtime.authentication.AccessDeniedException;
import org.apache.avalon.framework.context.Context;
import org.apache.avalon.framework.context.ContextException;
import org.apache.avalon.framework.context.Contextualizable;
import org.apache.avalon.framework.service.ServiceException;
import org.apache.avalon.framework.service.ServiceManager;
import org.apache.avalon.framework.service.Serviceable;
import org.apache.cocoon.ProcessingException;
import org.apache.cocoon.components.ContextHelper;
import org.apache.cocoon.environment.ObjectModelHelper;
import org.apache.cocoon.environment.Redirector;
import org.apache.cocoon.environment.Request;
import org.apache.cocoon.environment.Session;

/* loaded from: input_file:org/ametys/plugins/extrausermgt/authentication/aad/AADCredentialProvider.class */
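/**
 * Credential provider that authenticates users against Azure AD through the OIDC
 * authorization-code flow, using MSAL4J as a confidential client.
 *
 * <p>Per-session state is kept under the {@code aad_*} session attributes: the one-time
 * {@code aad_state} and {@code aad_nonce} values protecting the round trip to Azure AD,
 * the received {@code aad_code}, and after a successful token exchange the id-token
 * expiration date, the serialized MSAL token cache and the MSAL account used for silent
 * renewal.
 *
 * <p>Both the blocking and the non-blocking variants of the credential-provider contract are
 * implemented; the non-blocking one only acts when {@code authentication.aad.silent} is set and
 * then tries a {@code prompt=none} round trip once per session.
 */
public class AADCredentialProvider extends AbstractCredentialProvider implements BlockingCredentialProvider, NonBlockingCredentialProvider, Contextualizable, Serviceable {
    /** Avalon context, used to reach the current Cocoon request and session. */
    private Context _context;
    /** Application (client) id registered in Azure AD. */
    private String _clientID;
    /** Client secret registered in Azure AD. */
    private String _clientSecret;
    /** Tenant id or domain used to build the authority URL. */
    private String _tenant;
    /** When true, interactive logins ask Azure AD to show the account picker. */
    private boolean _prompt;
    /** When true, the non-blocking provider attempts a silent ({@code prompt=none}) login. */
    private boolean _silent;
    /** Provides the OIDC scopes requested from Azure AD. */
    private AzureADScopesExtensionPoint _azureADScopesExtensionPoint;

    @Override
    public void service(ServiceManager serviceManager) throws ServiceException {
        this._azureADScopesExtensionPoint = (AzureADScopesExtensionPoint) serviceManager.lookup(AzureADScopesExtensionPoint.ROLE);
    }

    @Override
    public void contextualize(Context context) throws ContextException {
        this._context = context;
    }

    /**
     * Reads the provider configuration.
     *
     * @param str the provider id (passed through to the super-class)
     * @param str2 the provider label (passed through to the super-class)
     * @param map the configured parameter values; the {@code authentication.aad.*} keys are read here
     * @param str3 the provider model id (passed through to the super-class)
     * @throws Exception if the super-class initialization fails or a required parameter is missing
     *         ({@code authentication.aad.prompt} and {@code authentication.aad.silent} must be present)
     */
    @Override
    public void init(String str, String str2, Map<String, Object> map, String str3) throws Exception {
        super.init(str, str2, map, str3);
        this._clientID = (String) map.get("authentication.aad.appid");
        this._clientSecret = (String) map.get("authentication.aad.clientsecret");
        this._tenant = (String) map.get("authentication.aad.tenant");
        // Both flags are mandatory: a missing value fails at startup rather than at login time.
        this._prompt = ((Boolean) map.get("authentication.aad.prompt")).booleanValue();
        this._silent = ((Boolean) map.get("authentication.aad.silent")).booleanValue();
    }

    /**
     * Builds a fresh MSAL confidential client for the configured tenant.
     * A new instance is created per call; its token cache starts empty and is restored from the
     * session where needed.
     *
     * @return the configured client
     * @throws Exception if the MSAL builder rejects the configuration
     */
    private ConfidentialClientApplication _getClient() throws Exception {
        return ConfidentialClientApplication.builder(this._clientID, ClientCredentialFactory.createFromSecret(this._clientSecret))
                .authority("https://login.microsoftonline.com/" + this._tenant)
                .build();
    }

    /**
     * Compares two one-time tokens (state, nonce) in constant time. A {@code null} on either
     * side never matches, so a session without a stored token cannot be satisfied by an
     * attacker-chosen value.
     *
     * @param expected the value stored in the session
     * @param actual the value received from the request or the id token
     * @return true only if both are non-null and byte-equal
     */
    private static boolean _tokensMatch(String expected, String actual) {
        if (expected == null || actual == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), actual.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Stores the outcome of a token acquisition in the session so that a later
     * {@link #blockingIsStillConnected} can renew it silently.
     *
     * @param session the current session
     * @param result the MSAL result (account is kept for silent renewal)
     * @param client the client whose token cache is serialized into the session
     * @param expirationDate the id-token expiration date (may be null if the claim is absent)
     */
    private static void _storeTokens(Session session, IAuthenticationResult result, ConfidentialClientApplication client, Date expirationDate) {
        session.setAttribute("aad_expirationDate", expirationDate);
        session.setAttribute("aad_tokenCache", client.tokenCache().serialize());
        session.setAttribute("aad_account", result.account());
    }

    /**
     * Checks whether the AAD login held in the session is still valid, renewing it silently
     * through MSAL when the id token has expired.
     *
     * @param userIdentity the connected user (not used: the session state is authoritative)
     * @param redirector unused
     * @return true if the id token is still valid or was renewed; false if the session holds no
     *         AAD login state
     * @throws Exception if the silent renewal fails (MSAL error, interrupted wait, token parse error)
     */
    @Override
    public boolean blockingIsStillConnected(UserIdentity userIdentity, Redirector redirector) throws Exception {
        Session session = ObjectModelHelper.getRequest(ContextHelper.getObjectModel(this._context)).getSession(true);
        Date expirationDate = (Date) session.getAttribute("aad_expirationDate");
        if (expirationDate == null) {
            // No AAD login recorded in this session: nothing to renew.
            return false;
        }
        if (new Date().before(expirationDate)) {
            return true;
        }
        IAccount account = (IAccount) session.getAttribute("aad_account");
        String tokenCache = (String) session.getAttribute("aad_tokenCache");
        if (account == null || tokenCache == null) {
            // Expired and no material to renew with: treat as disconnected rather than NPE.
            return false;
        }
        ConfidentialClientApplication client = _getClient();
        // Restore the cache saved at login so MSAL can use the refresh token it holds.
        client.tokenCache().deserialize(tokenCache);
        SilentParameters silentParameters = SilentParameters.builder(Set.of("openid"), account).build();
        IAuthenticationResult result = client.acquireTokenSilently(silentParameters).get();
        Date renewedExpiration = SignedJWT.parse(result.idToken()).getJWTClaimsSet().getExpirationTime();
        _storeTokens(session, result, client, renewedExpiration);
        // NOTE(review): the access token kept under TOKEN_SESSION_ATTRIBUTE is not refreshed
        // here, so consumers of that attribute keep the one obtained at login — confirm this is intended.
        return true;
    }

    @Override
    public boolean nonBlockingIsStillConnected(UserIdentity userIdentity, Redirector redirector) throws Exception {
        return blockingIsStillConnected(userIdentity, redirector);
    }

    @Override
    public boolean blockingGrantAnonymousRequest() {
        return false;
    }

    @Override
    public boolean nonBlockingGrantAnonymousRequest() {
        return false;
    }

    /**
     * Builds the absolute callback (redirect) URI sent to Azure AD.
     * The scheme, host and port come from the incoming request, so the resulting value must be
     * one of the redirect URIs registered for the application.
     *
     * @param request the current request
     * @return {@code scheme://host[:port]/<context>/_extra-user-management/oidc-callback}
     */
    private String _getRequestURI(Request request) {
        boolean secure = request.isSecure();
        int defaultPort = secure ? 443 : 80;
        StringBuilder sb = new StringBuilder(secure ? "https://" : "http://");
        sb.append(request.getServerName());
        if (request.getServerPort() != defaultPort) {
            sb.append(':').append(request.getServerPort());
        }
        sb.append(request.getContextPath());
        sb.append("/_extra-user-management/oidc-callback");
        return sb.toString();
    }

    /**
     * Drives the authorization-code flow across the successive requests of a login.
     *
     * <ol>
     *   <li>First request: remember where to return to, generate {@code state} and {@code nonce},
     *       redirect to Azure AD.</li>
     *   <li>Callback from Azure AD with {@code code}: verify {@code state}, stash the code in the
     *       session and redirect back to the original URL.</li>
     *   <li>Original URL again: exchange the stashed code for tokens and return the identity.</li>
     * </ol>
     *
     * @param silent true for a {@code prompt=none} attempt (tried once per session); false for an interactive login
     * @param redirector used to send the redirects
     * @return the authenticated identity, or null when a redirect was issued or nothing can be done
     * @throws AccessDeniedException if the returned {@code state} does not match the session
     * @throws Exception on MSAL or token parsing failures
     */
    private UserIdentity _login(boolean silent, Redirector redirector) throws Exception {
        Request request = ObjectModelHelper.getRequest(ContextHelper.getObjectModel(this._context));
        Session session = request.getSession(true);
        ConfidentialClientApplication client = _getClient();
        String callbackUri = _getRequestURI(request);
        getLogger().debug("AADCredentialProvider callback URI: {}", callbackUri);

        // Step 3: a code stored by a previous callback is exchanged for tokens.
        // NOTE(review): aad_code is never cleared after the exchange; an authorization code is
        // single-use, so a later call of this method for the same session would re-submit it — confirm
        // the caller never re-enters here after a successful login.
        String storedCode = (String) session.getAttribute("aad_code");
        if (storedCode != null) {
            return _getUserIdentityFromCode(storedCode, session, client, callbackUri);
        }

        boolean silentAlreadyTried = silent && "true".equals(session.getAttribute("aad_silent"));

        // Step 2: Azure AD redirected back with a code.
        String code = request.getParameter("code");
        if (code != null) {
            // state binds the callback to the session that started the flow (CSRF protection).
            String expectedState = (String) session.getAttribute("aad_state");
            if (!_tokensMatch(expectedState, request.getParameter("state"))) {
                throw new AccessDeniedException("AAD state mismatch");
            }
            session.setAttribute("aad_state", (Object) null);
            session.setAttribute("aad_code", code);
            redirector.redirect(true, (String) session.getAttribute(AbstractOIDCCredentialProvider.REDIRECT_URI_SESSION_ATTRIBUTE));
            return null;
        }

        // A silent attempt is made once per session; an error response from Azure AD lands here too
        // (no "code" parameter) and is left to the interactive provider to pick up.
        if (silentAlreadyTried) {
            return null;
        }
        if (silent) {
            session.setAttribute("aad_silent", "true");
        }

        // Step 1: start the flow. UUID.randomUUID() is backed by a cryptographically strong RNG.
        String state = UUID.randomUUID().toString();
        session.setAttribute("aad_state", state);
        String returnTo = request.getRequestURI();
        if (request.getQueryString() != null) {
            returnTo = returnTo + "?" + request.getQueryString();
        }
        session.setAttribute(AbstractOIDCCredentialProvider.REDIRECT_URI_SESSION_ATTRIBUTE, returnTo);
        String nonce = UUID.randomUUID().toString();
        session.setAttribute("aad_nonce", nonce);

        AuthorizationRequestUrlParameters.Builder builder = AuthorizationRequestUrlParameters.builder(callbackUri, this._azureADScopesExtensionPoint.getScopes())
                .responseMode(ResponseMode.QUERY)
                .state(state)
                .nonce(nonce);
        if (silent) {
            builder.prompt(Prompt.NONE);
        } else if (this._prompt) {
            builder.prompt(Prompt.SELECT_ACCOUNT);
        }
        redirector.redirect(false, client.getAuthorizationRequestUrl(builder.build()).toString());
        return null;
    }

    /**
     * Exchanges an authorization code for tokens, verifies the id-token nonce against the session
     * and records the login in the session.
     *
     * @param code the authorization code received from Azure AD
     * @param session the current session
     * @param client the MSAL client performing the exchange
     * @param callbackUri the redirect URI used in the authorization request (must match it)
     * @return the identity built from the account user name
     * @throws AccessDeniedException if the id-token nonce is missing or does not match the session
     * @throws Exception on MSAL or token parsing failures
     */
    private UserIdentity _getUserIdentityFromCode(String code, Session session, ConfidentialClientApplication client, String callbackUri) throws Exception {
        AuthorizationCodeParameters parameters = AuthorizationCodeParameters.builder(code, new URI(callbackUri))
                .scopes(this._azureADScopesExtensionPoint.getScopes())
                .build();
        IAuthenticationResult result = client.acquireToken(parameters).get();
        JWTClaimsSet claims = SignedJWT.parse(result.idToken()).getJWTClaimsSet();
        // The nonce binds the id token to the authorization request this session made (replay protection).
        Object nonceClaim = claims.getClaims().get("nonce");
        String receivedNonce = nonceClaim instanceof String ? (String) nonceClaim : null;
        if (!_tokensMatch((String) session.getAttribute("aad_nonce"), receivedNonce)) {
            throw new AccessDeniedException("AAD nonce mismatch");
        }
        session.setAttribute("aad_nonce", (Object) null);
        _storeTokens(session, result, client, claims.getExpirationTime());
        session.setAttribute(AbstractOIDCCredentialProvider.TOKEN_SESSION_ATTRIBUTE, result.accessToken());
        return new UserIdentity(result.account().username(), (String) null);
    }

    @Override
    public UserIdentity blockingGetUserIdentity(Redirector redirector) throws Exception {
        return _login(false, redirector);
    }

    /**
     * Non-blocking entry point: only attempts a silent login when configured to do so.
     *
     * @param redirector used to send the redirects
     * @return the identity, or null when silent login is disabled, was already tried, or a redirect was issued
     * @throws Exception see {@link #_login}
     */
    @Override
    public UserIdentity nonBlockingGetUserIdentity(Redirector redirector) throws Exception {
        if (this._silent) {
            return _login(true, redirector);
        }
        return null;
    }

    /** Nothing to do: no provider-side state is tied to the rejected user. */
    @Override
    public void blockingUserNotAllowed(Redirector redirector) {
    }

    /** Nothing to do: no provider-side state is tied to the rejected user. */
    @Override
    public void nonBlockingUserNotAllowed(Redirector redirector) throws Exception {
    }

    /** Nothing to do: the session was already populated during the code exchange. */
    @Override
    public void blockingUserAllowed(UserIdentity userIdentity, Redirector redirector) throws ProcessingException, IOException {
    }

    /** Nothing to do: the session was already populated during the code exchange. */
    @Override
    public void nonBlockingUserAllowed(UserIdentity userIdentity, Redirector redirector) {
    }

    /** The interactive login is a redirect to Azure AD, so it is shown in a new window. */
    @Override
    public boolean requiresNewWindow() {
        return true;
    }
}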
