package org.gluu.oxauth.client.supergluu;

import org.apache.log4j.Logger;
import org.gluu.oxauth.client.TokenClient;
import org.gluu.oxauth.client.TokenRequest;
import org.gluu.oxauth.client.TokenResponse;
import org.gluu.oxauth.client.supergluu.impl.ICryptoProviderFactory;
import org.gluu.oxauth.client.supergluu.impl.IHttpClientFactory;
import org.gluu.oxauth.client.supergluu.impl.SessionStatusClient;
import org.gluu.oxauth.client.supergluu.impl.SessionStatusResponse;
import org.gluu.oxauth.client.supergluu.impl.http.HttpContextFactory;
import org.gluu.oxauth.model.common.AuthenticationMethod;
import org.gluu.oxauth.model.common.GrantType;
import org.gluu.oxauth.model.crypto.AbstractCryptoProvider;
import org.gluu.oxauth.model.exception.InvalidJwtException;
import org.gluu.oxauth.model.jwt.Jwt;
import org.jboss.resteasy.client.core.executors.ApacheHttpClient4Executor;
import org.json.JSONObject;

/* loaded from: input_file:org/gluu/oxauth/client/supergluu/SuperGluuAuthClient.class */
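/**
 * Client for the step-based Super Gluu authentication exchange.
 *
 * <p>Each step ({@code initiate_auth}, {@code resend_notification}, {@code verify_auth}) is sent
 * to the token endpoint as a resource-owner-password-credentials token request that carries the
 * step name in the {@code __step} custom parameter. In the two-step scheme the session id is read
 * from the {@code __session_id} claim of the returned id_token and reused by the later steps and
 * by the session-status poll.
 *
 * <p>An instance keeps per-authentication state (the session id, and the request currently set on
 * the shared token client); it is presumably meant to serve one authentication at a time.
 * NOTE(review): confirm that callers do not share an instance across concurrent logins.
 */
public class SuperGluuAuthClient {
    private static final String ACR_VALUES_PARAM_NAME = "acr_values";
    private static final String STEP_PARAM_NAME = "__step";
    private static final String PASSWORD_PARAM_NAME = "__password";
    private static final String SESSION_ID_PARAM_NAME = "__session_id";
    private static final String REMOTE_IP_PARAM_NAME = "__remote_ip";
    private static final String SESSION_ID_CLAIM_NAME = "__session_id";
    private static final String AUTH_SCHEME_PARAM_NAME = "__auth_scheme";
    private static final String INITIATE_AUTH_STEP_NAME = "initiate_auth";
    private static final String RESEND_NOTIFICATION_STEP_NAME = "resend_notification";
    private static final String VERIFY_AUTH_STEP_NAME = "verify_auth";
    /** The only HTTP status treated as success by this client. */
    private static final int HTTP_OK = 200;
    private static final Logger log = Logger.getLogger(SuperGluuAuthClient.class);
    private final AuthenticationContext authContext;
    private final SuperGluuAuthClientConfig config;
    private AbstractCryptoProvider cryptoProvider;
    private final TokenClient tokenClient;
    private final SessionStatusClient sessionStatusClient;
    private final JSONObject serverKeyset;
    private SuperGluuAuthScheme authScheme;

    /**
     * Holds the session id learned during {@code initiate_auth}; starts as the empty string.
     * The decompiler notes that this class was originally private.
     */
    public class AuthenticationContext {
        private String sessionId = "";

        public AuthenticationContext() {
        }

        public String getSessionId() {
            return this.sessionId;
        }

        public void setSessionId(String str) {
            this.sessionId = str;
        }
    }

    /**
     * Creates a client with no crypto provider and no server keyset.
     *
     * <p>Until {@link #setCryptoProvider} is called, every id_token signature check fails, so
     * only the one-step scheme can report success. The keyset cannot be supplied later through
     * this class.
     * NOTE(review): how the crypto provider verifies with a null keyset is not visible here.
     *
     * @param superGluuAuthClientConfig endpoint URLs, client credentials, scopes and acr value
     * @param iHttpClientFactory source of the HTTP clients used for both endpoints
     */
    public SuperGluuAuthClient(SuperGluuAuthClientConfig superGluuAuthClientConfig, IHttpClientFactory iHttpClientFactory) {
        this.authContext = new AuthenticationContext();
        this.config = superGluuAuthClientConfig;
        this.cryptoProvider = null;
        this.serverKeyset = null;
        this.tokenClient = new TokenClient(superGluuAuthClientConfig.getTokenEndpointUrl());
        this.tokenClient.setExecutor(createExecutor(iHttpClientFactory));
        this.sessionStatusClient = new SessionStatusClient(superGluuAuthClientConfig.getSessionStatusUrl());
        this.sessionStatusClient.setExecutor(createExecutor(iHttpClientFactory, true));
        this.authScheme = SuperGluuAuthScheme.TWO_STEP;
    }

    /**
     * Creates a client able to verify id_token signatures against the given keyset.
     *
     * @param superGluuAuthClientConfig endpoint URLs, client credentials, scopes and acr value
     * @param iHttpClientFactory source of the HTTP clients used for both endpoints
     * @param iCryptoProviderFactory supplies the crypto provider used for signature checks
     * @param jSONObject the server keyset passed to the crypto provider on each verification
     */
    public SuperGluuAuthClient(SuperGluuAuthClientConfig superGluuAuthClientConfig, IHttpClientFactory iHttpClientFactory, ICryptoProviderFactory iCryptoProviderFactory, JSONObject jSONObject) {
        this.authContext = new AuthenticationContext();
        this.config = superGluuAuthClientConfig;
        this.cryptoProvider = iCryptoProviderFactory.newCryptoProvider();
        this.serverKeyset = jSONObject;
        this.tokenClient = new TokenClient(superGluuAuthClientConfig.getTokenEndpointUrl());
        this.tokenClient.setExecutor(createExecutor(iHttpClientFactory));
        this.sessionStatusClient = new SessionStatusClient(superGluuAuthClientConfig.getSessionStatusUrl());
        this.sessionStatusClient.setExecutor(createExecutor(iHttpClientFactory, true));
        this.authScheme = SuperGluuAuthScheme.TWO_STEP;
    }

    public void setCryptoProvider(AbstractCryptoProvider abstractCryptoProvider) {
        this.cryptoProvider = abstractCryptoProvider;
    }

    public void setAuthScheme(SuperGluuAuthScheme superGluuAuthScheme) {
        this.authScheme = superGluuAuthScheme;
    }

    /**
     * Starts authentication without reporting a remote IP.
     *
     * @param str the username
     * @param str2 the password, may be {@code null}
     * @return see {@link #initiateAuthentication(String, String, String)}
     */
    public Boolean initiateAuthentication(String str, String str2) {
        return initiateAuthentication(str, str2, null);
    }

    /**
     * Sends the {@code initiate_auth} step.
     *
     * <p>In the one-step scheme a 200 response alone counts as success and no id_token is
     * inspected. In the two-step scheme the id_token must parse, pass the signature check and
     * carry a {@code __session_id} claim, which is then stored for the later steps.
     *
     * @param str the username
     * @param str2 the password, may be {@code null} (sent as an empty string)
     * @param str3 the end user's remote IP, or {@code null} to omit it
     * @return {@code true} on success, {@code false} on any failure
     */
    public Boolean initiateAuthentication(String str, String str2, String str3) {
        this.tokenClient.setRequest(createInitiateAuthTokenRequest(str, str2, str3));
        TokenResponse response = this.tokenClient.exec();
        if (!succeeded(response, "SuperGluu initial auth")) {
            return false;
        }
        if (this.authScheme == SuperGluuAuthScheme.ONE_STEP) {
            return true;
        }
        String idToken = response.getIdToken();
        if (idToken == null || idToken.isEmpty()) {
            // The body of a 200 token response may hold issued tokens, so it is deliberately
            // kept out of the log here; only the failure reason is recorded.
            log.debug("SuperGluu initial auth failed. No id_token returned.");
            return false;
        }
        return extractSessionIdFromIdToken(idToken);
    }

    /**
     * Re-sends the push notification without reporting a remote IP.
     *
     * @param str the username
     * @param str2 the password, may be {@code null}
     * @return see {@link #resendPushNotification(String, String, String)}
     */
    public Boolean resendPushNotification(String str, String str2) {
        return resendPushNotification(str, str2, null);
    }

    /**
     * Sends the {@code resend_notification} step for the stored session.
     *
     * @param str the username
     * @param str2 the password, may be {@code null} (sent as an empty string)
     * @param str3 the end user's remote IP, or {@code null} to omit it
     * @return {@code true} only for a 200 response whose id_token passes the signature check
     */
    public Boolean resendPushNotification(String str, String str2, String str3) {
        this.tokenClient.setRequest(createResendNotificationTokenRequest(str, str2, str3));
        TokenResponse response = this.tokenClient.exec();
        if (!succeeded(response, "SuperGluu resend push notification")) {
            return false;
        }
        return verifyIdTokenSignature(response.getIdToken());
    }

    /**
     * Sends the {@code verify_auth} step for the stored session.
     *
     * @param str the username
     * @param str2 the password, may be {@code null} (sent as an empty string)
     * @return {@code true} only for a 200 response whose id_token passes the signature check
     */
    public Boolean verifyAuthentication(String str, String str2) {
        this.tokenClient.setRequest(createVerifyAuthTokenRequest(str, str2));
        TokenResponse response = this.tokenClient.exec();
        if (!succeeded(response, "SuperGluu auth verify")) {
            return false;
        }
        return verifyIdTokenSignature(response.getIdToken());
    }

    /**
     * Polls the session-status endpoint for the stored session id.
     *
     * @return {@code AUTHENTICATED} only when the endpoint answers 200 and reports the session
     *     as authenticated; every other outcome, including no response, is {@code UNAUTHENTICATED}
     */
    public SuperGluuAuthStatus checkAuthenticationStatus() {
        this.sessionStatusClient.setSessionId(this.authContext.getSessionId());
        SessionStatusResponse status = this.sessionStatusClient.execGetStatus();
        if (status == null) {
            log.debug("SuperGluu auth status check failed. No response");
            return SuperGluuAuthStatus.UNAUTHENTICATED;
        }
        if (status.getStatus() != HTTP_OK) {
            log.debug("SuperGluu auth status check failed. Response: " + status.getEntity());
            return SuperGluuAuthStatus.UNAUTHENTICATED;
        }
        return status.isAuthenticated() ? SuperGluuAuthStatus.AUTHENTICATED : SuperGluuAuthStatus.UNAUTHENTICATED;
    }

    /** Reports whether the token endpoint answered 200, logging the failure reason otherwise. */
    private boolean succeeded(TokenResponse response, String operation) {
        if (response == null) {
            log.debug(operation + " failed. No response");
            return false;
        }
        if (response.getStatus() != HTTP_OK) {
            log.debug(operation + " failed. Response: " + response.getEntity());
            return false;
        }
        return true;
    }

    private final ApacheHttpClient4Executor createExecutor(IHttpClientFactory iHttpClientFactory) {
        return createExecutor(iHttpClientFactory, false);
    }

    /** Builds an executor on a fresh HTTP client; {@code z} additionally attaches a new HTTP context. */
    private final ApacheHttpClient4Executor createExecutor(IHttpClientFactory iHttpClientFactory, boolean z) {
        if (z) {
            return new ApacheHttpClient4Executor(iHttpClientFactory.newHttpClient(), HttpContextFactory.newHttpContext());
        }
        return new ApacheHttpClient4Executor(iHttpClientFactory.newHttpClient());
    }

    /** Starts a password-grant token request carrying the configured scopes and acr value. */
    private TokenRequest newBaseTokenRequest() {
        TokenRequest tokenRequest = new TokenRequest(GrantType.RESOURCE_OWNER_PASSWORD_CREDENTIALS);
        if (this.config.hasScopes()) {
            tokenRequest.setScope(this.config.getScopesAsString());
        }
        if (this.config.hasAcrValue()) {
            tokenRequest.addCustomParameter(ACR_VALUES_PARAM_NAME, this.config.getAcrValue());
        }
        return tokenRequest;
    }

    /** Adds the stored session id to the request when one is present. */
    private void addSessionId(TokenRequest tokenRequest) {
        String sessionId = this.authContext.getSessionId();
        if (sessionId != null) {
            tokenRequest.addCustomParameter(SESSION_ID_PARAM_NAME, sessionId);
        }
    }

    private final TokenRequest createInitiateAuthTokenRequest(String username, String password, String remoteIp) {
        TokenRequest tokenRequest = newBaseTokenRequest();
        if (remoteIp != null) {
            tokenRequest.addCustomParameter(REMOTE_IP_PARAM_NAME, remoteIp);
        }
        tokenRequest.addCustomParameter(STEP_PARAM_NAME, INITIATE_AUTH_STEP_NAME);
        tokenRequest.addCustomParameter(AUTH_SCHEME_PARAM_NAME, this.authScheme.schemeName());
        configureTokenRequestAuthentication(tokenRequest, username, password);
        return tokenRequest;
    }

    private final TokenRequest createResendNotificationTokenRequest(String username, String password, String remoteIp) {
        TokenRequest tokenRequest = newBaseTokenRequest();
        addSessionId(tokenRequest);
        if (remoteIp != null) {
            tokenRequest.addCustomParameter(REMOTE_IP_PARAM_NAME, remoteIp);
        }
        tokenRequest.addCustomParameter(STEP_PARAM_NAME, RESEND_NOTIFICATION_STEP_NAME);
        configureTokenRequestAuthentication(tokenRequest, username, password);
        return tokenRequest;
    }

    private final TokenRequest createVerifyAuthTokenRequest(String username, String password) {
        TokenRequest tokenRequest = newBaseTokenRequest();
        addSessionId(tokenRequest);
        tokenRequest.addCustomParameter(STEP_PARAM_NAME, VERIFY_AUTH_STEP_NAME);
        configureTokenRequestAuthentication(tokenRequest, username, password);
        return tokenRequest;
    }

    /**
     * Sets the end-user credentials and the client authentication on a token request.
     *
     * <p>The standard password field is always sent empty; the user's password travels in the
     * {@code __password} custom parameter instead (empty string when {@code password} is null).
     */
    private final void configureTokenRequestAuthentication(TokenRequest tokenRequest, String username, String password) {
        AuthenticationMethod method = this.config.getAuthenticationMethod();
        tokenRequest.setAuthenticationMethod(method);
        tokenRequest.setUsername(username);
        tokenRequest.setPassword("");
        tokenRequest.addCustomParameter(PASSWORD_PARAM_NAME, password != null ? password : "");
        if (AuthenticationMethod.CLIENT_SECRET_BASIC == method) {
            tokenRequest.setAuthUsername(this.config.getClientId());
            tokenRequest.setAuthPassword(this.config.getClientSecret());
        }
        if (AuthenticationMethod.PRIVATE_KEY_JWT == method) {
            tokenRequest.setKeyId(this.config.getKeyId());
            tokenRequest.setCryptoProvider(this.cryptoProvider);
            tokenRequest.setAlgorithm(this.config.getAlgorithm());
            tokenRequest.setAudience(this.config.getAudience());
            tokenRequest.setAuthUsername(this.config.getClientId());
        }
    }

    /**
     * Checks the JWT signature against the server keyset; any failure yields {@code false}.
     *
     * <p>NOTE(review): the key id and the algorithm are both read from the token's own header,
     * so the accepted algorithm is whatever the token declares. Whether the crypto provider
     * rejects unsigned or unexpected algorithms is not visible here; consider pinning the
     * algorithms this client accepts.
     *
     * <p>NOTE(review): only the signature is checked. Issuer, audience and expiry are not
     * validated anywhere in this class; confirm whether that is done elsewhere.
     */
    private boolean verifyJwtSignature(Jwt jwt) {
        if (jwt == null || this.cryptoProvider == null) {
            // Fail closed explicitly instead of relying on the catch below to absorb an NPE.
            log.debug("JWT token signature verification failed");
            return false;
        }
        try {
            return this.cryptoProvider.verifySignature(jwt.getSigningInput(), jwt.getEncodedSignature(), jwt.getHeader().getKeyId(), this.serverKeyset, (String) null, jwt.getHeader().getAlgorithm());
        } catch (Exception e) {
            // Deliberately broad: any verification error must count as an invalid signature.
            log.debug("JWT token signature verification failed", e);
            return false;
        }
    }

    /** Parses the id_token and checks its signature; a missing or malformed token is rejected. */
    private boolean verifyIdTokenSignature(String idToken) {
        if (idToken == null || idToken.isEmpty()) {
            // A 200 response without an id_token must not reach the parser: only
            // InvalidJwtException is caught below, so any other failure there would propagate.
            log.debug("Id token validation failed.");
            return false;
        }
        try {
            return verifyJwtSignature(Jwt.parse(idToken));
        } catch (InvalidJwtException e) {
            log.debug("Id token validation failed.", e);
            return false;
        }
    }

    /**
     * Stores the {@code __session_id} claim of a signature-verified id_token.
     *
     * @return {@code true} when the token verified and carried the claim
     */
    private boolean extractSessionIdFromIdToken(String idToken) {
        try {
            Jwt jwt = Jwt.parse(idToken);
            // The claim is trusted only after the signature check has passed.
            if (!verifyJwtSignature(jwt)) {
                log.debug("Jwt signature verification failed during session_id extraction");
                return false;
            }
            if (!jwt.getClaims().hasClaim(SESSION_ID_CLAIM_NAME)) {
                log.debug("No session_id claim found in JWT token");
                return false;
            }
            this.authContext.setSessionId(jwt.getClaims().getClaimAsString(SESSION_ID_CLAIM_NAME));
            return true;
        } catch (InvalidJwtException e) {
            log.debug("IdToken parse failed during sesion_id extraction.", e);
            return false;
        }
    }
}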
