package org.gluu.oxtrust.action;

import java.io.IOException;
import java.io.Serializable;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import javax.enterprise.context.SessionScoped;
import javax.faces.application.FacesMessage;
import javax.faces.context.FacesContext;
import javax.inject.Inject;
import javax.inject.Named;
import javax.servlet.http.Cookie;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.client.WebTarget;
import org.codehaus.jettison.json.JSONException;
import org.gluu.config.oxtrust.AppConfiguration;
import org.gluu.jsf2.message.FacesMessages;
import org.gluu.jsf2.service.FacesService;
import org.gluu.model.GluuStatus;
import org.gluu.model.user.UserRole;
import org.gluu.oxauth.client.OpenIdConfigurationResponse;
import org.gluu.oxauth.client.TokenClient;
import org.gluu.oxauth.client.TokenResponse;
import org.gluu.oxauth.client.UserInfoClient;
import org.gluu.oxauth.client.UserInfoResponse;
import org.gluu.oxauth.model.exception.InvalidJwtException;
import org.gluu.oxauth.model.jwt.Jwt;
import org.gluu.oxtrust.model.GluuCustomPerson;
import org.gluu.oxtrust.model.User;
import org.gluu.oxtrust.security.Identity;
import org.gluu.oxtrust.security.OauthData;
import org.gluu.oxtrust.service.ConfigurationService;
import org.gluu.oxtrust.service.EncryptionService;
import org.gluu.oxtrust.service.OpenIdService;
import org.gluu.oxtrust.service.PersonService;
import org.gluu.oxtrust.service.SecurityService;
import org.gluu.oxtrust.util.OxTrustApiConstants;
import org.gluu.util.ArrayHelper;
import org.gluu.util.StringHelper;
import org.gluu.util.security.StringEncrypter;
import org.slf4j.Logger;

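/**
 * Session-scoped JSF backing bean that drives the OpenID Connect authorization-code login of the
 * oxTrust UI against oxAuth.
 *
 * <p>The flow is: {@link #preAuthenticate()} / {@link #oAuthLogin()} build the authorization
 * request and redirect the browser; the callback lands in {@link #oAuthGetAccessToken()}, which
 * checks {@code state}, redeems the code, validates the id_token (nonce, issuer, optional acr),
 * loads the user-info claims and finally calls {@link #authenticate()} to establish the
 * {@link Identity} session.
 *
 * <p>The returned strings ({@code "success"}, {@code "register"}, {@code "no_permissions"},
 * {@code "failure"}) are JSF navigation outcomes and must not change.
 *
 * <p>Differences from the earlier revision of this class: the authorization code, access token and
 * id_token are no longer written to the log; {@code state} and {@code nonce} must be present in
 * the session and are consumed once; the issuer of the id_token is always compared with the
 * discovery document; the JAX-RS client used to build the redirect is closed.
 */
@SessionScoped
@Named("authenticator")
public class Authenticator implements Serializable {
    private static final String LOGIN_FAILED_OX_TRUST = "Login failed, oxTrust wasn't allowed to access user data";
    private static final long serialVersionUID = -3975272457541385597L;

    // JSF navigation outcomes returned by the login steps.
    private static final String OUTCOME_SUCCESS = "success";
    private static final String OUTCOME_REGISTER = "register";
    private static final String OUTCOME_NO_PERMISSIONS = "no_permissions";
    private static final String OUTCOME_FAILURE = "failure";

    // Keys of the per-session values handed from the authorization redirect to the callback.
    private static final String SESSION_NONCE = "nonce";
    private static final String SESSION_STATE = "state";
    private static final String SESSION_ACR_VALUES = "acr_values";

    @Inject
    private Logger log;

    @Inject
    private Identity identity;

    @Inject
    private FacesService facesService;

    @Inject
    private PersonService personService;

    @Inject
    private SecurityService securityService;

    @Inject
    private ConfigurationService configurationService;

    @Inject
    private OpenIdService openIdService;

    @Inject
    private FacesMessages facesMessages;

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private EncryptionService encryptionService;

    /**
     * Entry point invoked before protected pages render: starts the OAuth login unless the
     * session is already authenticated.
     *
     * @return {@code true} when the user is already logged in or the redirect to oxAuth was issued
     * @throws Exception whatever {@link #oAuthLogin()} propagates
     */
    public boolean preAuthenticate() throws IOException, Exception {
        if (this.identity.isLoggedIn()) {
            return true;
        }
        return oAuthLogin();
    }

    /**
     * Turns the validated OAuth data stored on the {@link Identity} into an application login.
     *
     * <p>Requires {@code userUid} and {@code idToken} to be set on the identity's
     * {@link OauthData}; both are populated by {@link #requestAccessToken}. Users whose
     * {@code gluuStatus} is {@code EXPIRED} or {@code REGISTER} are redirected to the registration
     * page instead of being logged in.
     *
     * @return {@code "success"}, {@code "register"} or {@code "no_permissions"}
     */
    protected String authenticate() {
        // Declared outside the try so the catch block can name the user in its log line.
        String userUid = null;
        try {
            OauthData oauthData = this.identity.getOauthData();
            userUid = oauthData.getUserUid();
            String idToken = oauthData.getIdToken();
            if (StringHelper.isEmpty(userUid) || StringHelper.isEmpty(idToken)) {
                this.log.error("User is not authenticated");
                return OUTCOME_NO_PERMISSIONS;
            }
            this.identity.getCredentials().setUsername(userUid);
            this.log.info("Authenticating user '{}'", userUid);
            User user = findUserByUserName(userUid);
            if (user == null) {
                this.log.error("Person '{}' not found in LDAP", userUid);
                return OUTCOME_NO_PERMISSIONS;
            }
            Object gluuStatus = user.getAttribute("gluuStatus");
            boolean registrationPending = GluuStatus.EXPIRED.getValue().equals(gluuStatus)
                    || GluuStatus.REGISTER.getValue().equals(gluuStatus);
            if (registrationPending) {
                // The account has not completed registration: send it there rather than logging in.
                Map<String, Object> parameters = new HashMap<String, Object>();
                parameters.put(OxTrustApiConstants.INUM, user.getInum());
                this.facesService.redirect("/register.xhtml", parameters);
                return OUTCOME_REGISTER;
            }
            postLogin(user);
            this.log.info("User '{}' authenticated successfully", userUid);
            return OUTCOME_SUCCESS;
        } catch (Exception e) {
            this.log.error("Failed to authenticate user '{}'", userUid, e);
            return OUTCOME_NO_PERMISSIONS;
        }
    }

    /**
     * Marks the identity as logged in, attaches the person entry and grants the user's roles.
     *
     * @param user the LDAP user that passed authentication
     */
    private void postLogin(User user) {
        this.identity.login();
        this.log.debug("Configuring application after user '{}' login", user.getUid());
        this.identity.setUser(findPersonByDn(user.getDn()));
        UserRole[] userRoles = this.securityService.getUserRoles(user);
        if (!ArrayHelper.isNotEmpty(userRoles)) {
            // Also covers a null array, which the for-each below would otherwise dereference.
            this.log.debug("Get 0 user roles");
            return;
        }
        this.log.debug("Get '{}' user roles", Arrays.toString(userRoles));
        for (UserRole userRole : userRoles) {
            this.identity.addRole(userRole.getRoleName());
        }
    }

    /**
     * Looks the user up by uid, treating any lookup failure as "not found".
     *
     * @param uid the user's uid
     * @return the user, or {@code null} when absent or when the lookup threw
     */
    private User findUserByUserName(String uid) {
        try {
            return this.personService.getUserByUid(uid);
        } catch (Exception e) {
            this.log.error("Failed to find user '{}' in ldap", uid, e);
            return null;
        }
    }

    /**
     * Loads the person entry by DN, treating any lookup failure as "not found".
     *
     * @param dn the person's DN
     * @return the person, or {@code null} when absent or when the lookup threw
     */
    private GluuCustomPerson findPersonByDn(String dn) {
        try {
            return this.personService.getPersonByDn(dn);
        } catch (Exception e) {
            this.log.error("Failed to find person '{}' in ldap", dn, e);
            return null;
        }
    }

    /**
     * Builds the oxAuth authorization request and redirects the browser to it.
     *
     * <p>A fresh random {@code nonce} and {@code state} are generated per login attempt and stored
     * in the session so the callback can verify them; when an {@code oxTrustAuthenticationMode} is
     * configured it is sent as {@code acr_values} and remembered for the acr check.
     *
     * @return always {@code true}; the redirect has been issued
     * @throws Exception propagated from configuration or redirect failures
     */
    public boolean oAuthLogin() throws IOException, Exception {
        String nonce = UUID.randomUUID().toString();
        String state = UUID.randomUUID().toString();
        String acrValues = this.configurationService
                .getConfiguration(new String[] { "oxTrustAuthenticationMode" })
                .getOxTrustAuthenticationMode();

        // The JAX-RS client is only used as a URL builder here; close it so its connection
        // resources are not leaked once per login.
        Client client = ClientBuilder.newClient();
        String authorizationUrl;
        try {
            WebTarget target = client
                    .target(this.openIdService.getOpenIdConfiguration().getAuthorizationEndpoint())
                    .queryParam("client_id", this.appConfiguration.getOxAuthClientId())
                    .queryParam("redirect_uri", this.appConfiguration.getLoginRedirectUrl())
                    .queryParam("response_type", "code")
                    .queryParam("scope", this.appConfiguration.getOxAuthClientScope())
                    .queryParam("nonce", nonce)
                    .queryParam("state", state);
            if (StringHelper.isNotEmpty(acrValues)) {
                target = target.queryParam("acr_values", acrValues);
            }
            // WebTarget percent-encodes '+' in query values; presumably oxAuth expects the literal
            // separator in '+'-joined values such as the scope list (kept from the original).
            authorizationUrl = target.getUri().toString().replaceAll("%2B", "+");
        } finally {
            client.close();
        }

        this.identity.getSessionMap().put(SESSION_NONCE, nonce);
        this.identity.getSessionMap().put(SESSION_STATE, state);
        if (StringHelper.isNotEmpty(acrValues)) {
            this.identity.getSessionMap().put(SESSION_ACR_VALUES, acrValues);
        }
        this.facesService.redirectToExternalURL(authorizationUrl);
        return true;
    }

    /**
     * Handles the authorization-code callback: verifies {@code state}, extracts the code and the
     * {@code session_state} cookie, and redeems the code via {@link #requestAccessToken}.
     *
     * <p>The {@code state} must exist in this session and match the callback parameter exactly;
     * it is removed from the session once matched so a replayed callback cannot pass again.
     *
     * @return the navigation outcome of the login
     * @throws JSONException kept for interface compatibility
     */
    public String oAuthGetAccessToken() throws JSONException {
        String authorizationEndpoint = this.openIdService.getOpenIdConfiguration().getAuthorizationEndpoint();
        String oxAuthHost = getOxAuthHost(authorizationEndpoint);
        if (StringHelper.isEmpty(oxAuthHost)) {
            this.log.info("Failed to determine oxAuth host using oxAuthAuthorizeUrl: '{}'", authorizationEndpoint);
            return rejectLogin();
        }

        Map<String, String> requestParameters = FacesContext.getCurrentInstance().getExternalContext().getRequestParameterMap();
        Map<String, Object> requestCookies = FacesContext.getCurrentInstance().getExternalContext().getRequestCookieMap();

        String expectedState = (String) this.identity.getSessionMap().get(SESSION_STATE);
        String receivedState = requestParameters.get("state");
        // A missing session value must fail: comparing null with null would otherwise accept a
        // callback that was never initiated from this session.
        if (StringHelper.isEmpty(expectedState) || !expectedState.equals(receivedState)) {
            this.log.error("State parameter missing or not matching session. Error: {}. Error description: {}",
                    requestParameters.get("error"), requestParameters.get("error_description"));
            return rejectLogin();
        }
        // state is single-use.
        this.identity.getSessionMap().remove(SESSION_STATE);

        Object sessionStateCookie = requestCookies.get("session_state");
        String sessionState = sessionStateCookie instanceof Cookie ? ((Cookie) sessionStateCookie).getValue() : null;

        String authorizationCode = requestParameters.get("code");
        if (authorizationCode == null) {
            this.log.error("No authorization code sent. Error: {}. Error description: {}",
                    requestParameters.get("error"), requestParameters.get("error_description"));
            return rejectLogin();
        }
        // The code is a one-time bearer credential until redeemed; it is deliberately not logged.
        this.log.info("Authorization code received from oxAuth");
        String scopes = requestParameters.get("scope");
        this.log.info(" scopes : {}", scopes);
        String clientId = this.appConfiguration.getOxAuthClientId();
        this.log.info("clientID : {}", clientId);
        String clientSecret = decryptClientPassword(this.appConfiguration.getOxAuthClientPassword());

        String outcome = requestAccessToken(oxAuthHost, authorizationCode, sessionState, scopes, clientId, clientSecret);
        if (OUTCOME_NO_PERMISSIONS.equals(outcome)) {
            this.facesMessages.add(FacesMessage.SEVERITY_ERROR, LOGIN_FAILED_OX_TRUST);
        } else if (OUTCOME_FAILURE.equals(outcome)) {
            this.facesMessages.add(FacesMessage.SEVERITY_ERROR, "Login failed");
        }
        return outcome;
    }

    /**
     * Adds the generic login-failure message and returns the {@code "no_permissions"} outcome.
     */
    private String rejectLogin() {
        this.facesMessages.add(FacesMessage.SEVERITY_ERROR, LOGIN_FAILED_OX_TRUST);
        return OUTCOME_NO_PERMISSIONS;
    }

    /**
     * Decrypts the configured client password.
     *
     * @param encryptedPassword the value from configuration, may be {@code null}
     * @return the decrypted value; {@code null} for {@code null}; on a decryption failure the
     *     configured value is returned unchanged (the original behaviour, which lets the token
     *     request still be attempted and fail at oxAuth)
     */
    private String decryptClientPassword(String encryptedPassword) {
        if (encryptedPassword == null) {
            return null;
        }
        try {
            return this.encryptionService.decrypt(encryptedPassword);
        } catch (StringEncrypter.EncryptionException e) {
            this.log.error("Failed to decrypt client password", e);
            return encryptedPassword;
        }
    }

    /**
     * Redeems the authorization code, validates the returned id_token and user info, stores the
     * result on the identity's {@link OauthData} and completes the login via {@link #authenticate()}.
     *
     * <p>Validation performed on the id_token: presence, parseability, {@code nonce} equal to the
     * session nonce (which must exist and is consumed), {@code iss} equal to the discovery
     * document's issuer, and, when an {@code acr_values} was requested, an {@code acr} claim
     * containing it. The access token and id_token are never written to the log.
     *
     * @param oxAuthHost      the oxAuth origin as built by {@link #getOxAuthHost}
     * @param authorizationCode the code from the callback
     * @param sessionState    value of the {@code session_state} cookie, may be {@code null}
     * @param scopes          the {@code scope} callback parameter, may be {@code null}
     * @param clientId        oxTrust's OAuth client id
     * @param clientSecret    oxTrust's OAuth client secret (decrypted)
     * @return the navigation outcome
     */
    private String requestAccessToken(String oxAuthHost, String authorizationCode, String sessionState,
            String scopes, String clientId, String clientSecret) {
        OpenIdConfigurationResponse openIdConfiguration = this.openIdService.getOpenIdConfiguration();
        TokenClient tokenClient = new TokenClient(openIdConfiguration.getTokenEndpoint());
        String redirectUri = this.appConfiguration.getLoginRedirectUrl();
        this.log.info("Sending request to token endpoint, redirectURI : {}", redirectUri);
        TokenResponse tokenResponse = tokenClient.execAuthorizationCode(authorizationCode, redirectUri, clientId, clientSecret);
        if (tokenResponse == null) {
            this.log.error("Get empty token response. User can't log into application");
            return OUTCOME_NO_PERMISSIONS;
        }
        this.log.debug(" tokenResponse.getErrorType() : {}", tokenResponse.getErrorType());
        String accessToken = tokenResponse.getAccessToken();
        String idToken = tokenResponse.getIdToken();
        if (idToken == null) {
            this.log.error("Failed to get id_token");
            return OUTCOME_NO_PERMISSIONS;
        }
        this.log.info("Token response received, validating id_token and fetching user info");

        UserInfoResponse userInfo = new UserInfoClient(openIdConfiguration.getUserInfoEndpoint()).execUserInfo(accessToken);
        if (userInfo == null) {
            this.log.error("Get empty user info response. User can't log into application");
            return OUTCOME_NO_PERMISSIONS;
        }

        try {
            // NOTE(review): Jwt.parse decodes the token; no signature verification happens in this
            // class. The id_token comes straight from the token endpoint over the client-authenticated
            // back channel, which is what makes that acceptable — confirm TokenClient uses TLS.
            Jwt jwt = Jwt.parse(idToken);

            String expectedNonce = (String) this.identity.getSessionMap().get(SESSION_NONCE);
            String tokenNonce = (String) jwt.getClaims().getClaim("nonce");
            if (StringHelper.isEmpty(expectedNonce) || !expectedNonce.equals(tokenNonce)) {
                this.log.error("User info response :  nonce is not matching.");
                return OUTCOME_NO_PERMISSIONS;
            }
            // nonce is single-use.
            this.identity.getSessionMap().remove(SESSION_NONCE);

            // The issuer check belongs to id_token validation regardless of whether an acr was requested.
            String expectedIssuer = openIdConfiguration.getIssuer();
            String tokenIssuer = (String) jwt.getClaims().getClaim("iss");
            if (expectedIssuer == null || !expectedIssuer.equals(tokenIssuer)) {
                this.log.error("id_token issuer '{}' does not match expected issuer '{}'", tokenIssuer, expectedIssuer);
                return OUTCOME_NO_PERMISSIONS;
            }

            List<?> userNames = (List<?>) userInfo.getClaims().get("user_name");
            if (userNames == null || userNames.isEmpty()) {
                this.log.error("User info response doesn't contain uid claim");
                return OUTCOME_NO_PERMISSIONS;
            }

            if (this.identity.getSessionMap().containsKey(SESSION_ACR_VALUES)) {
                String expectedAcr = (String) this.identity.getSessionMap().get(SESSION_ACR_VALUES);
                List<String> acrClaim = jwt.getClaims().getClaimAsStringList("acr");
                if (acrClaim == null || acrClaim.isEmpty()) {
                    this.log.error("User info response doesn't contain acr claim");
                    return OUTCOME_NO_PERMISSIONS;
                }
                // Kept as a separate branch so the mismatch message (previously unreachable) is logged.
                if (!acrClaim.contains(expectedAcr)) {
                    this.log.error("User info response contains acr='{}' claim but expected acr='{}'", acrClaim, expectedAcr);
                    return OUTCOME_NO_PERMISSIONS;
                }
            }

            OauthData oauthData = this.identity.getOauthData();
            oauthData.setHost(oxAuthHost);
            oauthData.setUserUid((String) userNames.get(0));
            oauthData.setAccessToken(accessToken);
            // NOTE(review): a token response without expires_in throws NPE here, as before;
            // confirm oxAuth always returns it before introducing a default.
            oauthData.setAccessTokenExpirationInSeconds(tokenResponse.getExpiresIn().intValue());
            oauthData.setScopes(scopes);
            oauthData.setIdToken(idToken);
            oauthData.setSessionState(sessionState);
            this.identity.setWorkingParameter("session_sso_state", Boolean.FALSE);
            this.log.info("user uid:{}", oauthData.getUserUid());
            return authenticate();
        } catch (InvalidJwtException e) {
            this.log.error("Failed to parse id_token", e);
            return OUTCOME_NO_PERMISSIONS;
        }
    }

    /**
     * Derives the oxAuth origin ({@code scheme://host:port}) from the authorization endpoint.
     *
     * @param authorizationEndpoint the authorization endpoint URL from discovery
     * @return the origin, or {@code null} when the URL is malformed
     */
    private String getOxAuthHost(String authorizationEndpoint) {
        try {
            URL url = new URL(authorizationEndpoint);
            // URL.getPort() is -1 when no explicit port is given; use the scheme default so the
            // result is a usable origin instead of "host:-1".
            int port = url.getPort() == -1 ? url.getDefaultPort() : url.getPort();
            return String.format("%s://%s:%s", url.getProtocol(), url.getHost(), port);
        } catch (MalformedURLException e) {
            this.log.error("Invalid oxAuth authorization URI: '{}'", authorizationEndpoint, e);
            return null;
        }
    }
}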
