package org.gluu.oxtrust.action;

import java.io.IOException;
import java.io.Serializable;
import java.math.BigInteger;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.SecureRandom;
import java.security.acl.Group;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;
import javax.faces.context.FacesContext;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang.StringUtils;
import org.codehaus.jettison.json.JSONException;
import org.gluu.oxtrust.ldap.service.ApplianceService;
import org.gluu.oxtrust.ldap.service.AuthenticationService;
import org.gluu.oxtrust.ldap.service.IPersonService;
import org.gluu.oxtrust.ldap.service.SecurityService;
import org.gluu.oxtrust.model.GluuCustomPerson;
import org.gluu.oxtrust.model.User;
import org.gluu.oxtrust.security.OauthData;
import org.gluu.oxtrust.service.AuthenticationSessionService;
import org.gluu.oxtrust.util.OxTrustConstants;
import org.gluu.oxtrust.util.Utils;
import org.gluu.site.ldap.persistence.exception.AuthenticationException;
import org.jboss.resteasy.client.ClientRequest;
import org.jboss.seam.Component;
import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Out;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.contexts.Contexts;
import org.jboss.seam.core.Events;
import org.jboss.seam.faces.FacesMessages;
import org.jboss.seam.faces.Redirect;
import org.jboss.seam.log.Log;
import org.jboss.seam.navigation.Pages;
import org.jboss.seam.security.Credentials;
import org.jboss.seam.security.Identity;
import org.jboss.seam.security.SimplePrincipal;
import org.xdi.config.oxtrust.ApplicationConfiguration;
import org.xdi.ldap.model.GluuStatus;
import org.xdi.model.GluuUserRole;
import org.xdi.oxauth.client.TokenClient;
import org.xdi.oxauth.client.TokenResponse;
import org.xdi.oxauth.client.UserInfoClient;
import org.xdi.oxauth.client.UserInfoResponse;
import org.xdi.oxauth.client.ValidateTokenClient;
import org.xdi.oxauth.client.ValidateTokenResponse;
import org.xdi.util.ArrayHelper;
import org.xdi.util.StringHelper;
import org.xdi.util.security.StringEncrypter;

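@Name("authenticator")
@Scope(ScopeType.SESSION)
/* loaded from: input_file:org/gluu/oxtrust/action/Authenticator.class */
/**
 * Session-scoped Seam component that logs a user into oxTrust.
 * <p>
 * Three paths are implemented: HTTP basic / bearer credentials checked against the
 * {@link AuthenticationService}, an externally authenticated Shibboleth user taken from the
 * {@code REMOTE_USER} header, and an oxAuth authorization-code flow whose result is kept in
 * {@link OauthData}. Every path finishes in {@link #postLogin(User)}, which stores the current
 * person in the session context and copies the user's LDAP roles onto the Seam {@link Identity}.
 * <p>
 * Log messages in this class pass request-derived values as {@code {0}} parameters rather than
 * concatenating them into the message: Seam's {@link Log} runs the message through its
 * interpolator, so only constant text may be part of the message itself.
 */
public class Authenticator implements Serializable {
    private static final long serialVersionUID = -3975272457541385597L;

    /** Recognises a {@code REMOTE_USER} value that looks like an e-mail address (lookup by mail instead of uid). */
    private static final Pattern EMAIL_PATTERN = Pattern.compile(".+@.+\\.[a-z]+");

    /** Session attribute holding the nonce sent in the last oxAuth authorization request (constructed key). */
    private static final String OXAUTH_NONCE_SESSION_KEY = "org.gluu.oxtrust.oxauth.nonce";

    /** Header names (lower-case) whose values carry credentials and must not be written to the log. */
    private static final List<String> SENSITIVE_HEADERS = Arrays.asList("authorization", "proxy-authorization", "cookie");

    /** Static so the generator is neither serialized with this session-scoped bean nor re-seeded per request. */
    private static final SecureRandom RANDOM = new SecureRandom();

    @Logger
    private Log log;

    @In
    private Identity identity;

    @In
    private AuthenticationService authenticationService;

    @In
    private Credentials credentials;

    @In
    Redirect redirect;

    @In
    private IPersonService personService;

    @In
    private SecurityService securityService;

    @In(create = true)
    private SsoLoginAction ssoLoginAction;

    @In
    private transient ApplianceService applianceService;

    @In
    private FacesMessages facesMessages;

    /** View id captured before the oxAuth redirect; restored (and cleared) when the code comes back. */
    String viewIdBeforeLoginRedirect;

    /** Outcome of the oxAuth flow for this session; outjected so other components see updates (and the null on logout). */
    @In(create = true)
    @Out(scope = ScopeType.SESSION, required = false)
    private OauthData oauthData;

    @In("#{oxTrustConfiguration.applicationConfiguration}")
    private ApplicationConfiguration applicationConfiguration;

    @In("#{oxTrustConfiguration.cryptoConfigurationSalt}")
    private String cryptoConfigurationSalt;

    /**
     * Runs before the login page is shown.
     * <p>
     * In basic-auth mode the Shibboleth check is attempted; in oxAuth mode an anonymous user is
     * redirected to the authorization endpoint and an already logged-in user passes through.
     *
     * @return {@code true} when the request may proceed, otherwise the result of the external check
     * @throws Exception propagated from {@link #oAuthLogin()}
     */
    public boolean preAuthenticate() throws IOException, Exception {
        if (!isOxAuthAuth()) {
            return externalAuthenticate();
        }
        if (!this.identity.isLoggedIn()) {
            return oAuthLogin();
        }
        return true;
    }

    /**
     * Seam authentication method for interactive logins.
     * <p>
     * Basic-auth mode verifies the supplied password; oxAuth mode trusts the uid obtained by
     * {@link #oAuthGetAccessToken()}. A user whose status is EXPIRED or REGISTER is sent to the
     * registration page instead of being logged in.
     *
     * @return {@code true} only when the user exists, is not pending registration and
     *         {@link #postLogin(User)} completed; any exception is logged and yields {@code false}
     */
    public boolean authenticate() {
        String userName = null;
        try {
            if (isBasicAuth()) {
                userName = this.identity.getCredentials().getUsername();
                this.log.info("Authenticating user '{0}'", userName);
                if (!checkPassword(userName)) {
                    return false;
                }
            } else if (isOxAuthAuth()) {
                userName = this.oauthData.getUserUid();
                this.identity.getCredentials().setUsername(userName);
                this.log.info("Authenticating user '{0}'", userName);
            } else {
                return false;
            }
            User user = findUserByUserName(userName);
            if (user == null) {
                this.log.error("Person '{0}' not found in LDAP", userName);
                return false;
            }
            if (requiresRegistration(user)) {
                this.redirect.setViewId("/register.xhtml");
                this.redirect.setParameter(OxTrustConstants.inum, user.getInum());
                this.redirect.execute();
                return false;
            }
            postLogin(user);
            this.log.info("User '{0}' authenticated successfully", userName);
            return true;
        } catch (Exception e) {
            this.log.error("Failed to authenticate user '{0}'", e, userName);
            return false;
        }
    }

    /**
     * Authenticates a web-service caller that supplied basic credentials.
     *
     * @return {@code true} when the password check and {@link #postAuthenticateWebService(String)} both succeed
     */
    public boolean authenticateBasicWebService() {
        String userName = this.identity.getCredentials().getUsername();
        this.log.info("Authenticating user '{0}'", userName);
        if (!checkPassword(userName)) {
            return false;
        }
        return postAuthenticateWebService(userName);
    }

    /**
     * Authenticates a web-service caller whose bearer token was already verified upstream; only the
     * user lookup and login bookkeeping are done here.
     *
     * @return result of {@link #postAuthenticateWebService(String)}
     */
    public boolean authenticateBearerWebService() {
        String userName = this.identity.getCredentials().getUsername();
        this.log.info("Authenticating user '{0}'", userName);
        return postAuthenticateWebService(userName);
    }

    /**
     * Looks the user up and establishes the Seam identity for a web-service request.
     *
     * @param userName uid to log in
     * @return {@code true} when the user exists and login bookkeeping succeeded; exceptions are logged and yield {@code false}
     */
    public boolean postAuthenticateWebService(String userName) {
        try {
            User user = findUserByUserName(userName);
            if (user == null) {
                this.log.error("Person '{0}' not found in LDAP", userName);
                return false;
            }
            this.identity.acceptExternallyAuthenticatedPrincipal(new SimplePrincipal(userName));
            this.identity.quietLogin();
            postLogin(user);
            this.log.info("User '{0}' authenticated successfully", userName);
            return true;
        } catch (Exception e) {
            this.log.error("Failed to authenticate user '{0}'", e, userName);
            return false;
        }
    }

    /**
     * Verifies the password held in the injected {@link Credentials} for {@code userName}.
     * An {@link AuthenticationException} is logged and reported as a failed check; other exceptions propagate.
     */
    private boolean checkPassword(String userName) {
        try {
            return this.authenticationService.authenticate(userName, this.credentials.getPassword());
        } catch (AuthenticationException e) {
            this.log.error("Failed to authenticate user: '{0}'", e, userName);
            return false;
        }
    }

    /** True when the user's gluuStatus is EXPIRED or REGISTER, i.e. the registration page must be shown first. */
    private boolean requiresRegistration(User user) {
        Object status = user.getAttribute(OxTrustConstants.gluuStatus);
        return GluuStatus.EXPIRED.getValue().equals(status) || GluuStatus.REGISTER.getValue().equals(status);
    }

    /**
     * Post-login bookkeeping shared by all paths: stores the person in the session context and
     * adds every LDAP role of the user to the Seam identity.
     *
     * @param user the authenticated user
     */
    private void postLogin(User user) {
        this.log.debug("Configuring application after user '{0}' login", user.getUid());
        Contexts.getSessionContext().set(OxTrustConstants.CURRENT_PERSON, findPersonByDn(user.getDn()));
        GluuUserRole[] userRoles = this.securityService.getUserRoles(user);
        // isNotEmpty also covers null, which the original loop would have dereferenced.
        if (ArrayHelper.isNotEmpty(userRoles)) {
            this.log.debug("Get '{0}' user roles", Arrays.toString(userRoles));
            for (GluuUserRole role : userRoles) {
                this.identity.addRole(role.getRoleName());
            }
        } else {
            this.log.debug("Get 0 user roles");
        }
        if (this.log.isDebugEnabled()) {
            for (Group group : this.identity.getSubject().getPrincipals(Group.class)) {
                if ("Roles".equals(group.getName())) {
                    this.log.debug("Using next user roles: '{0}'", group.members());
                    return;
                }
            }
        }
    }

    /** Looks a user up by uid; any lookup failure is logged and reported as "not found". */
    private User findUserByUserName(String uid) {
        try {
            return this.personService.getUserByUid(uid);
        } catch (Exception e) {
            this.log.error("Failed to find user '{0}' in ldap", e, uid);
            return null;
        }
    }

    /** Looks a person up by DN; any lookup failure is logged and reported as "not found". */
    private GluuCustomPerson findPersonByDn(String dn) {
        try {
            return this.personService.getPersonByDn(dn);
        } catch (Exception e) {
            this.log.error("Failed to find person '{0}' in ldap", e, dn);
            return null;
        }
    }

    private boolean isBasicAuth() {
        return Utils.isBasicAuth();
    }

    /** The two modes are exclusive: anything that is not basic auth is treated as oxAuth. */
    private boolean isOxAuthAuth() {
        return !isBasicAuth();
    }

    /**
     * Full logout: SSO logout, oxAuth end-session redirect (when an oxAuth user is present), then Seam logout.
     *
     * @throws Exception propagated from {@link SsoLoginAction#logout()} or the redirect
     */
    public void processLogout() throws Exception {
        this.ssoLoginAction.logout();
        oAuthlLogout();
        postLogout();
    }

    /**
     * Ends the Seam identity if one is logged in.
     *
     * @return always {@link OxTrustConstants#RESULT_SUCCESS}
     */
    public String postLogout() {
        if (this.identity.isLoggedIn()) {
            this.identity.logout();
        }
        return OxTrustConstants.RESULT_SUCCESS;
    }

    /**
     * Clears the oxAuth session data and redirects the browser to the oxAuth logout endpoint.
     * Does nothing when no oxAuth user uid is recorded.
     *
     * @throws Exception from building the request or issuing the redirect
     */
    public void oAuthlLogout() throws Exception {
        if (StringHelper.isEmpty(this.oauthData.getUserUid())) {
            return;
        }
        ClientRequest logoutRequest = new ClientRequest(this.applicationConfiguration.getOxAuthLogoutUrl());
        logoutRequest.queryParameter(OxTrustConstants.OXAUTH_ID_TOKEN_HINT, this.oauthData.getIdToken());
        logoutRequest.queryParameter(OxTrustConstants.OXAUTH_POST_LOGOUT_REDIRECT_URI, this.applicationConfiguration.getLogoutRedirectUrl());
        this.oauthData.setUserUid(null);
        this.oauthData.setIdToken(null);
        this.oauthData.setSessionState(null);
        // Nulling the field relies on @Out(required = false) to drop the session attribute on outjection.
        this.oauthData = null;
        FacesContext.getCurrentInstance().getExternalContext().redirect(logoutRequest.getUri());
    }

    /**
     * Logs the user in when the container reports the request as Shibboleth-authenticated.
     * <p>
     * The identity comes from the {@code REMOTE_USER} header and is only trusted when
     * {@link HttpServletRequest#getAuthType()} is {@code "shibboleth"}; an e-mail-shaped value is
     * resolved by mail, anything else by uid. Only users with gluuStatus ACTIVE are logged in.
     *
     * @return {@code true} when the session was logged in
     */
    public boolean shibboleth2Authenticate() {
        this.log.debug("Checking if user authenticated with shibboleth already");
        HttpServletRequest request = (HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest();
        String authType = request.getAuthType();
        String remoteUser = request.getHeader("REMOTE_USER");
        String remoteUserLower = request.getHeader("remote_user");
        if (this.log.isTraceEnabled()) {
            traceRequestHeaders(request);
        }
        this.log.debug("Username is {0}", remoteUser);
        this.log.debug("UsernameLower is {0}", remoteUserLower);
        this.log.debug("AuthType is {0}", authType);
        if (StringHelper.isEmpty(remoteUser) || StringHelper.isEmpty(authType) || !"shibboleth".equals(authType)) {
            return false;
        }
        User person = EMAIL_PATTERN.matcher(remoteUser).matches()
                ? this.personService.getPersonByEmail(remoteUser)
                : this.personService.getUserByUid(remoteUser);
        if (person == null) {
            return false;
        }
        this.log.debug("Person Inum is {0}", person.getInum());
        if (!GluuStatus.ACTIVE.getValue().equals(person.getAttribute(OxTrustConstants.gluuStatus))) {
            return false;
        }
        this.credentials.setUsername(person.getUid());
        SimplePrincipal principal = new SimplePrincipal(person.getUid());
        this.log.debug("Principal is {0}", principal.toString());
        this.identity.acceptExternallyAuthenticatedPrincipal(principal);
        this.log.info("User '{0}' authenticated with shibboleth already", remoteUser);
        this.identity.quietLogin();
        postLogin(person);
        Contexts.getSessionContext().set(OxTrustConstants.APPLICATION_AUTHORIZATION_TYPE, OxTrustConstants.APPLICATION_AUTHORIZATION_NAME_SHIBBOLETH2);
        if (Events.exists()) {
            this.facesMessages.clear();
            Events.instance().raiseEvent("org.jboss.seam.security.loginSuccessful");
        }
        return true;
    }

    /** Writes every request header at TRACE, with credential-bearing header values redacted. */
    private void traceRequestHeaders(HttpServletRequest request) {
        Enumeration headerNames = request.getHeaderNames();
        while (headerNames.hasMoreElements()) {
            String name = (String) headerNames.nextElement();
            this.log.trace("{0}-->{1}", name, headerValueForLog(name, request.getHeader(name)));
        }
        Map<String, String[]> headerValues = FacesContext.getCurrentInstance().getExternalContext().getRequestHeaderValuesMap();
        for (String name : headerValues.keySet()) {
            this.log.trace("{0}==>{1}", name, headerValueForLog(name, StringUtils.join((Object[]) headerValues.get(name))));
        }
    }

    /** Returns {@code value}, or a placeholder when {@code name} is one of {@link #SENSITIVE_HEADERS}. */
    private static String headerValueForLog(String name, String value) {
        if (name != null && SENSITIVE_HEADERS.contains(name.toLowerCase(Locale.ROOT))) {
            return "<redacted>";
        }
        return value;
    }

    /**
     * Shibboleth fallback used in basic-auth mode: an already logged-in session is accepted as is.
     *
     * @return {@code true} when logged in, before or after the Shibboleth check
     */
    public boolean externalAuthenticate() {
        return this.identity.isLoggedIn() || shibboleth2Authenticate();
    }

    /**
     * Redirects the browser to the oxAuth authorization endpoint with a {@code code+id_token} request.
     * <p>
     * A fresh random nonce is generated per request and kept in the session context under
     * {@link #OXAUTH_NONCE_SESSION_KEY}; comparing it with the id_token's nonce claim is not done
     * in this class. The {@code state} parameter only carries the pre-login view id and is not
     * verified on return either.
     *
     * @return always {@code true}; the response has been redirected
     * @throws Exception from building the request or issuing the redirect
     */
    public boolean oAuthLogin() throws IOException, Exception {
        ClientRequest authorizeRequest = new ClientRequest(this.applicationConfiguration.getOxAuthAuthorizeUrl());
        authorizeRequest.queryParameter(OxTrustConstants.OXAUTH_CLIENT_ID, this.applicationConfiguration.getOxAuthClientId());
        authorizeRequest.queryParameter(OxTrustConstants.OXAUTH_REDIRECT_URI, this.applicationConfiguration.getLoginRedirectUrl());
        authorizeRequest.queryParameter(OxTrustConstants.OXAUTH_RESPONSE_TYPE, "code+id_token");
        authorizeRequest.queryParameter(OxTrustConstants.OXAUTH_SCOPE, this.applicationConfiguration.getOxAuthClientScope());
        // Previously the constant parameter name itself was sent as the nonce value on every request.
        String nonce = newNonce();
        Contexts.getSessionContext().set(OXAUTH_NONCE_SESSION_KEY, nonce);
        authorizeRequest.queryParameter(OxTrustConstants.OXAUTH_NONCE, nonce);
        String authenticationMode = this.applianceService.getAppliance(new String[]{"oxTrustAuthenticationMode"}).getOxTrustAuthenticationMode();
        if (StringHelper.isNotEmpty(authenticationMode)) {
            authorizeRequest.queryParameter(OxTrustConstants.OXAUTH_AUTH_MODE, authenticationMode);
        }
        if (this.viewIdBeforeLoginRedirect != null) {
            authorizeRequest.queryParameter(OxTrustConstants.OXAUTH_STATE, this.viewIdBeforeLoginRedirect);
        }
        // ClientRequest percent-encodes the '+' in the response_type value; the original code undoes
        // that, presumably because the authorization server expects the literal '+' — TODO confirm.
        FacesContext.getCurrentInstance().getExternalContext().redirect(authorizeRequest.getUri().replaceAll("%2B", "+"));
        return true;
    }

    /** 128 random bits from {@link #RANDOM}, hex encoded. */
    private static String newNonce() {
        return new BigInteger(128, RANDOM).toString(16);
    }

    /**
     * Handles the oxAuth redirect back to oxTrust: exchanges the authorization code for an access
     * token, validates the token, fetches user info and records the result in {@link OauthData}.
     * <p>
     * Codes, tokens and the client secret are never written to the log; only statuses and
     * error types are.
     *
     * @return {@link OxTrustConstants#RESULT_SUCCESS} when a uid was obtained, otherwise
     *         {@link OxTrustConstants#RESULT_NO_PERMISSIONS}
     * @throws JSONException from the oxAuth client calls
     */
    public String oAuthGetAccessToken() throws JSONException {
        String authorizeUrl = this.applicationConfiguration.getOxAuthAuthorizeUrl();
        String oxAuthHost = getOxAuthHost(authorizeUrl);
        if (StringHelper.isEmpty(oxAuthHost)) {
            this.log.info("Failed to determine oxAuth host using oxAuthAuthorizeUrl: '{0}'", authorizeUrl);
            return OxTrustConstants.RESULT_NO_PERMISSIONS;
        }
        Map<String, String> requestParameters = FacesContext.getCurrentInstance().getExternalContext().getRequestParameterMap();
        Map<String, Object> requestCookies = FacesContext.getCurrentInstance().getExternalContext().getRequestCookieMap();
        String authorizationCode = requestParameters.get(OxTrustConstants.OXAUTH_CODE);
        String idToken = requestParameters.get(OxTrustConstants.OXAUTH_ID_TOKEN);
        String scopes = requestParameters.get(OxTrustConstants.OXAUTH_SCOPE);
        String sessionState = null;
        Object sessionStateCookie = requestCookies.get(OxTrustConstants.OXAUTH_SESSION_STATE);
        if (sessionStateCookie != null) {
            sessionState = ((Cookie) sessionStateCookie).getValue();
        }
        if (authorizationCode == null) {
            this.log.info("No authorization code sent. Error: {0}. Error description: {1}",
                    requestParameters.get(OxTrustConstants.OXAUTH_ERROR),
                    requestParameters.get(OxTrustConstants.OXAUTH_ERROR_DESCRIPTION));
            return OxTrustConstants.RESULT_NO_PERMISSIONS;
        }
        // Return the user to the view captured before the redirect; the capture is single-use.
        if (this.viewIdBeforeLoginRedirect != null && !this.viewIdBeforeLoginRedirect.equals("")) {
            Redirect.instance().setViewId(this.viewIdBeforeLoginRedirect);
            this.viewIdBeforeLoginRedirect = "";
        }
        this.log.info("Authorization code received");
        this.log.info(" scopes : {0}", scopes);
        String clientId = this.applicationConfiguration.getOxAuthClientId();
        this.log.info("clientID : {0}", clientId);
        String clientPassword = decryptClientPassword(this.applicationConfiguration.getOxAuthClientPassword());
        String tokenUrl = this.applicationConfiguration.getOxAuthTokenUrl();
        this.log.info("getting accessToken");
        this.log.info("tokenURL : {0}", tokenUrl);
        TokenClient tokenClient = new TokenClient(tokenUrl);
        this.log.info("Sending request to token endpoint");
        String loginRedirectUrl = this.applicationConfiguration.getLoginRedirectUrl();
        this.log.info("redirectURI : {0}", loginRedirectUrl);
        TokenResponse tokenResponse = tokenClient.execAuthorizationCode(authorizationCode, loginRedirectUrl, clientId, clientPassword);
        this.log.info(" tokenResponse.getStatus() : {0}", tokenResponse.getStatus());
        this.log.info(" tokenResponse.getErrorType() : {0}", tokenResponse.getErrorType());
        String accessToken = tokenResponse.getAccessToken();
        if (StringHelper.isEmpty(accessToken)) {
            // Without a token the validation call below could only fail; report that directly.
            this.log.info("Token endpoint returned no access token. User is NOT logged in");
            return OxTrustConstants.RESULT_NO_PERMISSIONS;
        }
        this.log.info(" validating AccessToken ");
        ValidateTokenResponse validateResponse = new ValidateTokenClient(this.applicationConfiguration.getOxAuthTokenValidationUrl()).execValidateToken(accessToken);
        this.log.info("validate check session status:{0}", validateResponse.getStatus());
        if (validateResponse.getErrorDescription() != null) {
            this.log.debug("validate token status message:{0}", validateResponse.getErrorDescription());
        }
        if (validateResponse.getStatus() != 200) {
            this.log.info("Token validation failed. User is NOT logged in");
            return OxTrustConstants.RESULT_NO_PERMISSIONS;
        }
        if (validateResponse.getExpiresIn() == null) {
            // A validated token without a lifetime cannot be recorded; treat it as not validated.
            this.log.info("Token validation response has no expiration. User is NOT logged in");
            return OxTrustConstants.RESULT_NO_PERMISSIONS;
        }
        this.log.info("Session validation successful. User is logged in");
        UserInfoResponse userInfoResponse = new UserInfoClient(this.applicationConfiguration.getOxAuthUserInfo()).execUserInfo(accessToken);
        this.oauthData.setHost(oxAuthHost);
        List<?> userNames = (List<?>) userInfoResponse.getClaims().get("user_name");
        if (userNames == null || userNames.isEmpty()) {
            this.log.error("User info response doesn't contains uid claim");
            return OxTrustConstants.RESULT_NO_PERMISSIONS;
        }
        this.oauthData.setUserUid((String) userNames.get(0));
        this.oauthData.setAccessToken(accessToken);
        this.oauthData.setAccessTokenExpirationInSeconds(validateResponse.getExpiresIn().intValue());
        this.oauthData.setScopes(scopes);
        this.oauthData.setIdToken(idToken);
        this.oauthData.setSessionState(sessionState);
        this.log.info("user uid:{0}", this.oauthData.getUserUid());
        // Result discarded, as in the original; presumably forces creation of the component — TODO confirm.
        Component.getInstance(AuthenticationSessionService.class);
        return OxTrustConstants.RESULT_SUCCESS;
    }

    /**
     * Decrypts the configured oxAuth client password with the configuration salt.
     * On decryption failure the error is logged and the value is returned unchanged, as the
     * original code did; {@code null} passes through as {@code null}.
     */
    private String decryptClientPassword(String configuredPassword) {
        if (configuredPassword == null) {
            return null;
        }
        try {
            return StringEncrypter.defaultInstance().decrypt(configuredPassword, this.cryptoConfigurationSalt);
        } catch (StringEncrypter.EncryptionException e) {
            this.log.error("Failed to decrypt client password", e);
            return configuredPassword;
        }
    }

    /**
     * Builds {@code scheme://host:port} from a URL string.
     * <p>
     * NOTE(review): when the URL names no port, {@link URL#getPort()} is -1 and the result reads
     * {@code https://host:-1}; kept as is because the consumer of {@link OauthData#setHost(String)}
     * is not visible here.
     *
     * @return the origin string, or {@code null} (after logging) when the URL does not parse
     */
    private String getOxAuthHost(String urlString) {
        try {
            URL url = new URL(urlString);
            return String.format("%s://%s:%s", url.getProtocol(), url.getHost(), Integer.valueOf(url.getPort()));
        } catch (MalformedURLException e) {
            this.log.error("Invalid oxAuth authorization URI: '{0}'", e, urlString);
            return null;
        }
    }

    /** Remembers the current JSF view id so the user can be sent back to it after the oxAuth round trip. */
    public void captureCurrentView() {
        FacesContext facesContext = FacesContext.getCurrentInstance();
        if (facesContext == null) {
            return;
        }
        this.viewIdBeforeLoginRedirect = Pages.getViewId(facesContext);
    }

    /** Seam lookup of the session's authenticator, creating it if needed. */
    public static Authenticator instance() {
        return (Authenticator) Component.getInstance(Authenticator.class, true);
    }
}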
