package org.forgerock.jaspi.modules.openid;

import java.io.IOException;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import org.forgerock.caf.authentication.api.AsyncServerAuthModule;
import org.forgerock.caf.authentication.api.AuthenticationException;
import org.forgerock.caf.authentication.api.MessageInfoContext;
import org.forgerock.caf.authentication.framework.AuthenticationFramework;
import org.forgerock.http.protocol.Request;
import org.forgerock.http.protocol.Response;
import org.forgerock.jaspi.modules.openid.exceptions.OpenIdConnectVerificationException;
import org.forgerock.jaspi.modules.openid.resolvers.OpenIdResolver;
import org.forgerock.jaspi.modules.openid.resolvers.service.OpenIdResolverService;
import org.forgerock.jaspi.modules.openid.resolvers.service.OpenIdResolverServiceConfigurator;
import org.forgerock.jaspi.modules.openid.resolvers.service.OpenIdResolverServiceConfiguratorImpl;
import org.forgerock.jaspi.modules.openid.resolvers.service.OpenIdResolverServiceImpl;
import org.forgerock.json.jose.common.JwtReconstruction;
import org.forgerock.json.jose.exceptions.InvalidJwtException;
import org.forgerock.json.jose.exceptions.JwtReconstructionException;
import org.forgerock.json.jose.jws.SignedJwt;
import org.forgerock.json.jose.jwt.JwtClaimsSet;
import org.forgerock.util.promise.Promise;
import org.forgerock.util.promise.Promises;

/* loaded from: input_file:org/forgerock/jaspi/modules/openid/OpenIdConnectModule.class */
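/**
 * JASPI/CAF authentication module that authenticates a request from an OpenID Connect
 * ID token carried in a configurable HTTP request header.
 * <p>
 * Request flow, as implemented in {@link #validateRequest}: the raw header value is
 * parsed as a signed JWT; the {@code iss} claim of the <em>not yet verified</em> token
 * selects an {@link OpenIdResolver} from the configured {@link OpenIdResolverService};
 * that resolver is asked to validate the token; and only after that succeeds is the
 * {@code sub} claim handed to the container as the caller principal. Every rejection
 * (missing header, unparsable JWT, unknown issuer, failed validation) answers
 * {@link AuthStatus#SEND_FAILURE} with a debug-level log only, so the client learns
 * nothing about why the token was refused.
 * <p>
 * Configuration keys read by {@link #initialize}: {@link #HEADER_KEY} (required),
 * {@link #RESOLVERS_KEY} (at least one resolver must configure successfully),
 * {@link #READ_TIMEOUT_KEY} and {@link #CONNECTION_TIMEOUT_KEY} (any {@link Number};
 * negative, missing or non-numeric values fall back to the defaults below). The unit
 * of the timeouts is whatever {@link OpenIdResolverServiceImpl} expects — not visible
 * from this class.
 * <p>
 * NOTE(review): whether the resolver also checks that the token was in fact issued by
 * the issuer it was looked up under (rather than only verifying the signature against
 * that issuer's keys) is the resolver's responsibility and cannot be confirmed here.
 */
public class OpenIdConnectModule implements AsyncServerAuthModule {
    private static final int DEFAULT_READ_TIMEOUT = 5000;
    private static final int DEFAULT_CONN_TIMEOUT = 5000;
    public static final String READ_TIMEOUT_KEY = "readTimeout";
    public static final String CONNECTION_TIMEOUT_KEY = "connectionTimeout";
    public static final String HEADER_KEY = "openIdConnectHeader";
    public static final String RESOLVERS_KEY = "resolvers";

    /** Parses the raw header value into a {@link SignedJwt}. */
    private final JwtReconstruction constructor;
    /** Turns the {@link #RESOLVERS_KEY} configuration into resolvers on the service. */
    private final OpenIdResolverServiceConfigurator serviceConfigurator;
    /** Name of the request header carrying the ID token; set by {@link #initialize}. */
    private String openIdConnectHeader;
    /** Issuer-to-resolver registry; built in {@link #initialize}. */
    private OpenIdResolverService resolverService;
    /** Container callback handler used to set the caller principal. */
    private CallbackHandler callbackHandler;

    /**
     * Production constructor. Everything else is supplied later via
     * {@link #initialize}.
     */
    public OpenIdConnectModule() {
        this.constructor = new JwtReconstruction();
        this.serviceConfigurator = new OpenIdResolverServiceConfiguratorImpl();
    }

    /**
     * Fully-wired constructor (package-private; intended for tests). No configuration
     * validation happens here.
     *
     * @param openIdResolverServiceConfigurator configurator for the resolver service
     * @param jwtReconstruction                  JWT parser
     * @param openIdResolverService              pre-built resolver registry
     * @param callbackHandler                    container callback handler
     * @param str                                request header name to read the token from
     */
    OpenIdConnectModule(OpenIdResolverServiceConfigurator openIdResolverServiceConfigurator, JwtReconstruction jwtReconstruction, OpenIdResolverService openIdResolverService, CallbackHandler callbackHandler, String str) {
        this.serviceConfigurator = openIdResolverServiceConfigurator;
        this.constructor = jwtReconstruction;
        this.resolverService = openIdResolverService;
        this.callbackHandler = callbackHandler;
        this.openIdConnectHeader = str;
    }

    /** @return the fixed module identifier {@code "OpenIdConnect"} */
    public String getModuleId() {
        return "OpenIdConnect";
    }

    /**
     * Reads the module configuration and builds the resolver service.
     * <p>
     * The header name is mandatory; timeouts are optional and tolerate any
     * {@link Number} (a JSON-backed config may hand over a {@code Long} rather than an
     * {@code Integer}) — anything else, or a negative value, is replaced by the default
     * and logged. The whole call fails with an exception promise when the header is
     * missing/empty or when no resolver could be configured, so a misconfigured module
     * never silently authenticates nothing.
     *
     * @param requestPolicy  request policy (unused)
     * @param responsePolicy response policy (unused)
     * @param handler        container callback handler, retained for {@link #validateRequest}
     * @param options        module configuration; {@code null} is treated as invalid
     * @return a completed promise, or an exception promise carrying an
     *         {@link AuthenticationException} when the configuration is invalid
     */
    public Promise<Void, AuthenticationException> initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy, CallbackHandler handler, Map<String, Object> options) {
        if (options == null) {
            AuthenticationFramework.LOG.debug("OpenIdConnectModule config is invalid. You must include the header key parameter");
            return invalidConfiguration();
        }
        this.openIdConnectHeader = (String) options.get(HEADER_KEY);
        this.callbackHandler = handler;
        if (this.openIdConnectHeader == null || this.openIdConnectHeader.isEmpty()) {
            AuthenticationFramework.LOG.debug("OpenIdConnectModule config is invalid. You must include the header key parameter");
            return invalidConfiguration();
        }
        // A value of 0 is accepted here; what it means (e.g. "no timeout") depends on
        // the HTTP client inside OpenIdResolverServiceImpl — not visible from here.
        int readTimeout = timeoutOrDefault(options.get(READ_TIMEOUT_KEY), DEFAULT_READ_TIMEOUT,
                "Read Timeout setting invalid, set to default: {}");
        int connectionTimeout = timeoutOrDefault(options.get(CONNECTION_TIMEOUT_KEY), DEFAULT_CONN_TIMEOUT,
                "Connection Timeout setting invalid, set to default: {}");
        @SuppressWarnings("unchecked") // configuration contract: a list of string maps, one per resolver
        List<Map<String, String>> resolvers = (List<Map<String, String>>) options.get(RESOLVERS_KEY);
        this.resolverService = new OpenIdResolverServiceImpl(readTimeout, connectionTimeout);
        if (!this.serviceConfigurator.configureService(this.resolverService, resolvers)) {
            AuthenticationFramework.LOG.debug("OpenIdConnectModule config is invalid. You must configure at least one valid resolver.");
            return invalidConfiguration();
        }
        return Promises.<Void, AuthenticationException>newResultPromise(null);
    }

    /**
     * Authenticates the request from the ID token in the configured header.
     * <p>
     * Only the first header of that name is considered. The issuer claim is read from
     * the token <em>before</em> any verification, purely to pick the resolver; nothing
     * derived from the token is trusted until {@link OpenIdResolver#validateIdentity}
     * has returned normally, after which the {@code sub} claim becomes the caller
     * principal. Parse and verification failures map to {@link AuthStatus#SEND_FAILURE};
     * a failure to install the principal is an internal error and surfaces as an
     * exception promise.
     *
     * @param context        request context; the request's headers are read
     * @param clientSubject  subject that receives the caller principal on success
     * @param serviceSubject service subject (unused)
     * @return {@link AuthStatus#SUCCESS}, {@link AuthStatus#SEND_FAILURE}, or an
     *         exception promise if the callback handler fails
     */
    public Promise<AuthStatus, AuthenticationException> validateRequest(MessageInfoContext context, Subject clientSubject, Subject serviceSubject) {
        String token = context.getRequest().getHeaders().getFirst(this.openIdConnectHeader);
        if (token == null || token.isEmpty()) {
            return sendFailure();
        }
        // The outer try deliberately spans resolver lookup and validation too: the JWT
        // library may raise these types lazily (e.g. while decoding the claims set).
        try {
            SignedJwt jwt = this.constructor.reconstructJwt(token, SignedJwt.class);
            JwtClaimsSet claims = jwt.getClaimsSet();
            String issuer = claims.getIssuer();
            OpenIdResolver resolver = this.resolverService.getResolverForIssuer(issuer);
            if (resolver == null) {
                // NOTE(review): this logs an attacker-controlled string from an
                // unverified token; fine at debug level, but make sure the log sink
                // neutralises CR/LF if these logs are ever consumed by other tooling.
                AuthenticationFramework.LOG.debug("No resolver found for the issuer: {}", issuer);
                return sendFailure();
            }
            return verifyAndInstallPrincipal(resolver, jwt, claims, clientSubject);
        } catch (InvalidJwtException e) {
            AuthenticationFramework.LOG.debug("Invalid JWS in supplied header", e);
            return sendFailure();
        } catch (JwtReconstructionException e) {
            AuthenticationFramework.LOG.debug("Unable to reconstruct JWS from supplied header", e);
            return sendFailure();
        }
    }

    /**
     * Validates {@code jwt} with the issuer's resolver and, only on success, installs
     * the token's {@code sub} claim as the caller principal.
     */
    private Promise<AuthStatus, AuthenticationException> verifyAndInstallPrincipal(OpenIdResolver resolver, SignedJwt jwt, JwtClaimsSet claims, Subject clientSubject) {
        try {
            resolver.validateIdentity(jwt);
            this.callbackHandler.handle(new Callback[]{new CallerPrincipalCallback(clientSubject, claims.getSubject())});
            return Promises.newResultPromise(AuthStatus.SUCCESS);
        } catch (IOException | UnsupportedCallbackException e) {
            AuthenticationFramework.LOG.debug("Error setting user principal", e);
            return Promises.newExceptionPromise(asAuthenticationException(e));
        } catch (OpenIdConnectVerificationException e) {
            AuthenticationFramework.LOG.debug("Unable to validate authenticated identity from JWT.", e);
            return sendFailure();
        }
    }

    /** Nothing is added to responses by this module. */
    public Promise<AuthStatus, AuthenticationException> secureResponse(MessageInfoContext context, Subject serviceSubject) {
        return Promises.newResultPromise(AuthStatus.SEND_SUCCESS);
    }

    /** No per-request state is kept on the subject, so there is nothing to clean. */
    public Promise<Void, AuthenticationException> cleanSubject(MessageInfoContext context, Subject clientSubject) {
        return Promises.<Void, AuthenticationException>newResultPromise(null);
    }

    /** @return the CHF {@link Request} and {@link Response} types */
    public Collection<Class<?>> getSupportedMessageTypes() {
        return Arrays.<Class<?>>asList(Request.class, Response.class);
    }

    /**
     * Coerces a configured timeout to a non-negative int.
     *
     * @param raw            configured value; any {@link Number} is accepted
     * @param fallback       default used when {@code raw} is absent, non-numeric,
     *                       negative or too large for an int
     * @param invalidMessage log message (with one {@code {}} placeholder) emitted on fallback
     */
    private static int timeoutOrDefault(Object raw, int fallback, String invalidMessage) {
        if (raw instanceof Number) {
            long value = ((Number) raw).longValue();
            if (value >= 0 && value <= Integer.MAX_VALUE) {
                return (int) value;
            }
        }
        AuthenticationFramework.LOG.debug(invalidMessage, fallback);
        return fallback;
    }

    /** Exception promise used for every configuration failure in {@link #initialize}. */
    private static Promise<Void, AuthenticationException> invalidConfiguration() {
        return Promises.newExceptionPromise(new AuthenticationException("OpenIdConnectModule configuration is invalid."));
    }

    /** The uniform "not authenticated" answer; intentionally carries no detail. */
    private static Promise<AuthStatus, AuthenticationException> sendFailure() {
        return Promises.newResultPromise(AuthStatus.SEND_FAILURE);
    }

    /**
     * Wraps an internal failure, keeping the original as the cause so the stack trace
     * survives into whatever handles the exception promise. Only the single-argument
     * constructor of {@link AuthenticationException} is known to exist here, hence
     * {@link Throwable#initCause}; the guard skips it if the constructor already set one.
     */
    private static AuthenticationException asAuthenticationException(Exception cause) {
        String message = cause.getMessage() != null ? cause.getMessage() : cause.getClass().getName();
        AuthenticationException wrapped = new AuthenticationException(message);
        if (wrapped.getCause() == null) {
            wrapped.initCause(cause);
        }
        return wrapped;
    }
}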
