package be.atbash.ee.security.octopus.sso.callback;

import be.atbash.ee.security.octopus.config.Debug;
import be.atbash.ee.security.octopus.config.OctopusCoreConfiguration;
import be.atbash.ee.security.octopus.sso.client.JWSAlgorithmFactory;
import be.atbash.ee.security.octopus.sso.client.OpenIdVariableClientData;
import be.atbash.ee.security.octopus.sso.client.config.OctopusSSOServerClientConfiguration;
import be.atbash.ee.security.octopus.sso.core.OctopusRetrievalException;
import be.atbash.util.exception.AtbashUnexpectedException;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.oauth2.sdk.AuthorizationCode;
import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
import com.nimbusds.oauth2.sdk.ErrorObject;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.TokenErrorResponse;
import com.nimbusds.oauth2.sdk.TokenRequest;
import com.nimbusds.oauth2.sdk.TokenResponse;
import com.nimbusds.oauth2.sdk.auth.ClientSecretJWT;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
import com.nimbusds.openid.connect.sdk.validators.IDTokenClaimsVerifier;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import javax.annotation.PostConstruct;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

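/**
 * Exchanges the authorization code delivered to the SSO callback for the tokens issued by the
 * Octopus SSO server's token endpoint.
 * <p>
 * The client authenticates to the token endpoint with a {@link ClientSecretJWT} signed with the
 * configured SSO client secret (algorithm chosen once in {@link #init()}). The access token is
 * handed back only after the accompanying ID token has been authenticated with the configured ID
 * token secret (HMAC) and its claims (issuer, audience, nonce, expiry) have been validated. Every
 * failure is reported to the browser through {@link CallbackErrorHandler} and yields a
 * {@code null} result, so callers must treat {@code null} as "login failed, response already
 * written".
 */
@ApplicationScoped
public class ExchangeForAccessCode {

    private static final Logger LOGGER = LoggerFactory.getLogger(ExchangeForAccessCode.class);

    /** Path, relative to the client's root URL, that is registered at the SSO server as redirect URI. */
    private static final String CALLBACK_PATH = "/sso/SSOCallback";

    /** Error reported for every way the ID token can fail signature verification. */
    private static final String SIGNATURE_ERROR_CODE = "OCT-SSO-CLIENT-015";
    private static final String SIGNATURE_ERROR_MESSAGE = "JWT Signature Validation failed";

    @Inject
    private OctopusCoreConfiguration coreConfiguration;

    @Inject
    private OctopusSSOServerClientConfiguration serverConfiguration;

    @Inject
    private JWSAlgorithmFactory jwsAlgorithmFactory;

    @Inject
    private CallbackErrorHandler callbackErrorHandler;

    /** JWS algorithm used to sign the client assertion; selected by the factory from the client secret. */
    private JWSAlgorithm algorithm;

    /**
     * Selects the JWS algorithm for the client assertion once, from the configured client secret.
     */
    @PostConstruct
    public void init() {
        this.algorithm = this.jwsAlgorithmFactory.determineOptimalAlgorithm(this.serverConfiguration.getSSOClientSecret());
    }

    /**
     * Exchanges {@code authorizationCode} at the token endpoint for an access token.
     *
     * @param httpServletResponse      response used to render an error page when the exchange or
     *                                 the ID token validation fails
     * @param openIdVariableClientData per-login state: the client root URL (to rebuild the redirect
     *                                 URI) and the nonce the ID token must echo
     * @param authorizationCode        code received on the callback
     * @return the bearer access token, or {@code null} when the exchange failed and an error has
     *         already been written to {@code httpServletResponse}
     * @throws AtbashUnexpectedException on I/O failure talking to the token endpoint or when a
     *                                   configured URL is malformed
     */
    public BearerAccessToken doExchange(HttpServletResponse httpServletResponse, OpenIdVariableClientData openIdVariableClientData, AuthorizationCode authorizationCode) {
        showDebugInfo(authorizationCode.getValue());
        try {
            TokenResponse tokenResponse = requestTokens(openIdVariableClientData, authorizationCode);
            if (tokenResponse instanceof OIDCTokenResponse) {
                OIDCTokens tokens = ((OIDCTokenResponse) tokenResponse).getOIDCTokens();
                // Fail closed: the access token is only returned once the ID token has been
                // authenticated and its claims validated; both checks throw on failure.
                validateIdToken(tokens.getIDToken(), openIdVariableClientData);
                return tokens.getBearerAccessToken();
            }
            this.callbackErrorHandler.showErrorMessage(httpServletResponse,
                    describeTokenError((TokenErrorResponse) tokenResponse, authorizationCode));
        } catch (OctopusRetrievalException e) {
            // Signature verification failed; the exception already carries code and message.
            this.callbackErrorHandler.showErrorMessage(httpServletResponse, e.getErrorObject());
        } catch (IOException | URISyntaxException e) {
            throw new AtbashUnexpectedException(e);
        } catch (JOSEException e) {
            // Signing the client assertion (ClientSecretJWT) failed.
            this.callbackErrorHandler.showErrorMessage(httpServletResponse, new ErrorObject("OCT-SSO-CLIENT-019", "HMAC calculation failed"));
        } catch (ParseException e) {
            this.callbackErrorHandler.showErrorMessage(httpServletResponse, new ErrorObject("OCT-SSO-CLIENT-018", "Parsing of Token endpoint response failed : " + e.getMessage()));
        } catch (BadJWTException e) {
            this.callbackErrorHandler.showErrorMessage(httpServletResponse, new ErrorObject("OCT-SSO-CLIENT-016", "Validation of ID token JWT failed : " + e.getMessage()));
        } catch (java.text.ParseException e) {
            this.callbackErrorHandler.showErrorMessage(httpServletResponse, new ErrorObject("OCT-SSO-CLIENT-017", "Parsing of ID Token failed : " + e.getMessage()));
        }
        return null;
    }

    /**
     * Sends the authorization-code grant to the token endpoint, authenticating with a client
     * secret JWT, and parses the response (success or error).
     *
     * @throws URISyntaxException when the client root URL or the token endpoint is malformed
     * @throws JOSEException      when the client assertion cannot be signed
     * @throws IOException        when the HTTP call fails
     * @throws ParseException     when the token endpoint response cannot be parsed
     */
    private TokenResponse requestTokens(OpenIdVariableClientData openIdVariableClientData, AuthorizationCode authorizationCode)
            throws URISyntaxException, JOSEException, IOException, ParseException {
        URI redirectUri = new URI(openIdVariableClientData.getRootURL() + CALLBACK_PATH);
        URI tokenEndpoint = new URI(this.serverConfiguration.getTokenEndpoint());
        AuthorizationCodeGrant grant = new AuthorizationCodeGrant(authorizationCode, redirectUri);
        // The client assertion's audience is the token endpoint it is presented to.
        ClientSecretJWT clientAuthentication = new ClientSecretJWT(
                new ClientID(this.serverConfiguration.getSSOClientId()),
                tokenEndpoint,
                this.algorithm,
                new Secret(new String(this.serverConfiguration.getSSOClientSecret(), StandardCharsets.UTF_8)));
        TokenRequest tokenRequest = new TokenRequest(tokenEndpoint, clientAuthentication, grant, (Scope) null);
        return OIDCTokenResponseParser.parse(tokenRequest.toHTTPRequest().send());
    }

    /**
     * Authenticates the ID token (HMAC signature) and then validates its claims against the
     * expected issuer, this client's ID and the nonce sent with the authorization request; no
     * clock skew is tolerated (last constructor argument of the claims verifier is 0).
     *
     * @throws OctopusRetrievalException when the token is unsigned or its signature does not verify
     * @throws BadJWTException           when a claim (issuer, audience, nonce, expiry) is invalid
     * @throws java.text.ParseException  when the claims set cannot be parsed
     */
    private void validateIdToken(JWT idToken, OpenIdVariableClientData openIdVariableClientData)
            throws OctopusRetrievalException, BadJWTException, java.text.ParseException {
        verifyJWT(idToken);
        IDTokenClaimsVerifier claimsVerifier = new IDTokenClaimsVerifier(
                new Issuer(this.serverConfiguration.getOctopusSSOServer()),
                new ClientID(this.serverConfiguration.getSSOClientId()),
                openIdVariableClientData.getNonce(),
                0);
        claimsVerifier.verify(idToken.getJWTClaimsSet(), (SecurityContext) null);
    }

    /**
     * Returns the error object reported by the token endpoint, annotated with the authorization
     * code when the server left out the code or the description. A missing description is no
     * longer rendered as the literal text "null".
     */
    private static ErrorObject describeTokenError(TokenErrorResponse errorResponse, AuthorizationCode authorizationCode) {
        ErrorObject errorObject = errorResponse.getErrorObject();
        if (errorObject.getCode() == null || errorObject.getDescription() == null) {
            String description = errorObject.getDescription() == null ? "" : errorObject.getDescription();
            errorObject = errorObject.setDescription(description + " -- TokenErrorResponse for authorization code " + authorizationCode);
        }
        return errorObject;
    }

    /**
     * Verifies the signature of the ID token with the configured ID token secret.
     * <p>
     * A token that is not a {@link SignedJWT} (a plain {@code alg=none} token or an encrypted one)
     * cannot be authenticated by this verifier and is rejected instead of being silently accepted.
     *
     * @throws OctopusRetrievalException when the token is unsigned, the signature is invalid, or
     *                                   the verifier cannot be applied (e.g. unsupported algorithm)
     */
    private void verifyJWT(JWT jwt) throws OctopusRetrievalException {
        if (!(jwt instanceof SignedJWT)) {
            throw new OctopusRetrievalException(new ErrorObject(SIGNATURE_ERROR_CODE, SIGNATURE_ERROR_MESSAGE));
        }
        boolean signatureValid;
        try {
            signatureValid = ((SignedJWT) jwt).verify(new MACVerifier(this.serverConfiguration.getSSOIdTokenSecret()));
        } catch (JOSEException e) {
            // Unusable key or algorithm: the token cannot be trusted either way.
            throw new OctopusRetrievalException(new ErrorObject(SIGNATURE_ERROR_CODE, SIGNATURE_ERROR_MESSAGE));
        }
        if (!signatureValid) {
            throw new OctopusRetrievalException(new ErrorObject(SIGNATURE_ERROR_CODE, SIGNATURE_ERROR_MESSAGE));
        }
    }

    /**
     * Logs the start of the token exchange when {@link Debug#SSO_FLOW} tracing is enabled.
     * The logged value is the (single-use) authorization code, so this flag is intended for
     * troubleshooting only.
     */
    private void showDebugInfo(String authorizationCodeValue) {
        if (this.coreConfiguration.showDebugFor().contains(Debug.SSO_FLOW)) {
            // Message corrected: this class exchanges the code at the token endpoint, it does not
            // call the user-info endpoint.
            LOGGER.info(String.format("(SSO Client) Call SSO Server token endpoint to exchange authorization code (code = %s)", authorizationCodeValue));
        }
    }
}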
