package be.atbash.ee.security.sso.server.endpoint;

import be.atbash.ee.security.octopus.SecurityUtils;
import be.atbash.ee.security.octopus.authc.AuthenticationException;
import be.atbash.ee.security.octopus.config.Debug;
import be.atbash.ee.security.octopus.config.OctopusCoreConfiguration;
import be.atbash.ee.security.octopus.sso.core.token.OctopusSSOToken;
import be.atbash.ee.security.octopus.subject.UserPrincipal;
import be.atbash.ee.security.octopus.token.UsernamePasswordToken;
import be.atbash.ee.security.sso.server.client.ClientInfoRetriever;
import be.atbash.ee.security.sso.server.config.OctopusSSOServerConfiguration;
import be.atbash.ee.security.sso.server.endpoint.helper.OIDCTokenHelper;
import be.atbash.ee.security.sso.server.store.OIDCStoreData;
import be.atbash.ee.security.sso.server.store.SSOTokenStore;
import be.atbash.util.StringUtils;
import be.atbash.util.exception.AtbashIllegalActionException;
import be.atbash.util.exception.AtbashUnexpectedException;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.AbstractRequest;
import com.nimbusds.oauth2.sdk.AccessTokenResponse;
import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
import com.nimbusds.oauth2.sdk.AuthorizationGrant;
import com.nimbusds.oauth2.sdk.ErrorObject;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.ResourceOwnerPasswordCredentialsGrant;
import com.nimbusds.oauth2.sdk.TokenErrorResponse;
import com.nimbusds.oauth2.sdk.TokenRequest;
import com.nimbusds.oauth2.sdk.TokenResponse;
import com.nimbusds.oauth2.sdk.auth.verifier.InvalidClientException;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.oauth2.sdk.token.RefreshToken;
import com.nimbusds.oauth2.sdk.token.Tokens;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
import java.io.IOException;
import javax.inject.Inject;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

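@WebServlet({"/octopus/sso/token"})
/* loaded from: input_file:be/atbash/ee/security/sso/server/endpoint/TokenServlet.class */
/**
 * OAuth2 / OpenID Connect token endpoint of the SSO server.
 *
 * <p>Supports two grants: the authorization code grant (code issued earlier is exchanged against the
 * data kept in the {@link SSOTokenStore}) and the resource owner password credentials grant (the
 * resource owner is authenticated on the spot and tokens are created and stored). When the requested
 * scope contains {@code openid}, the access token is accompanied by an HS256-signed ID token.
 *
 * <p>The servlet does not parse the HTTP request itself: an upstream component is expected to have
 * stored the parsed {@link TokenRequest} as request attribute {@code AbstractRequest.class.getName()}.
 * Errors are written as OAuth2 JSON error bodies with HTTP status 400.
 */
public class TokenServlet extends HttpServlet {
    private static final Logger LOGGER = LoggerFactory.getLogger(TokenServlet.class);

    // OAuth2 error codes (RFC 6749 section 5.2) emitted by this endpoint.
    private static final String ERROR_UNAUTHORIZED_CLIENT = "unauthorized_client";
    private static final String ERROR_UNSUPPORTED_GRANT_TYPE = "unsupported_grant_type";
    private static final String ERROR_INVALID_REQUEST = "invalid_request";

    private static final String PASSWORD_GRANT_NOT_ALLOWED = "ResourceOwnerPasswordCredentialsGrant is not allowed for client_id";
    private static final String OPENID_SCOPE = "openid";
    // Key under which an SSO cookie token is attached to the principal's user info.
    private static final String SSO_COOKIE_TOKEN_INFO_KEY = "OCTOPUS_SSO_COOKIE_TOKEN";
    private static final String JSON_CONTENT_TYPE = "application/json";

    @Inject
    private OctopusSSOServerConfiguration ssoServerConfiguration;

    @Inject
    private SSOTokenStore tokenStore;

    @Inject
    private OIDCTokenHelper oidcTokenHelper;

    @Inject
    private ClientInfoRetriever clientInfoRetriever;

    @Inject
    private OctopusCoreConfiguration coreConfiguration;

    /**
     * Handles a token request that an upstream component has already parsed and stored as request
     * attribute {@code AbstractRequest.class.getName()}.
     *
     * <p>A missing attribute and an unsupported grant type are answered with a 400 error body instead of
     * an empty 200, which is what the silent fall-through of the grant dispatch would otherwise produce.
     *
     * @param httpServletRequest  the incoming request
     * @param httpServletResponse the response; receives a JSON body and, for errors, status 400
     * @throws AtbashUnexpectedException wrapping any failure while handling the request (servlet boundary)
     */
    @Override
    protected void doPost(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        TokenRequest tokenRequest = (TokenRequest) httpServletRequest.getAttribute(AbstractRequest.class.getName());
        try {
            TokenResponse tokenResponse = handleTokenRequest(httpServletRequest, httpServletResponse, tokenRequest);
            // null means the grant handler already wrote its own error body (see showErrorMessage)
            if (tokenResponse != null) {
                writeTokenResponse(httpServletResponse, tokenResponse);
            }
        } catch (Exception e) {
            // Servlet boundary: every failure is surfaced as the project's single unchecked exception type.
            throw new AtbashUnexpectedException(e);
        }
    }

    /**
     * Dispatches on the grant type carried by the request.
     *
     * @return the response to write, or {@code null} when the handler wrote the response itself
     * @throws ParseException propagated from the authorization code grant handling
     */
    private TokenResponse handleTokenRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, TokenRequest tokenRequest) throws ParseException {
        if (tokenRequest == null) {
            // The parsing step upstream did not run or did not store its result; do not NPE into a 500.
            return new TokenErrorResponse(new ErrorObject(ERROR_INVALID_REQUEST, "Token request is missing or could not be parsed"));
        }
        AuthorizationGrant authorizationGrant = tokenRequest.getAuthorizationGrant();
        if (authorizationGrant instanceof AuthorizationCodeGrant) {
            return getResponseAuthorizationGrant(httpServletResponse, tokenRequest, (AuthorizationCodeGrant) authorizationGrant);
        }
        if (authorizationGrant instanceof ResourceOwnerPasswordCredentialsGrant) {
            return getResponsePasswordGrant(httpServletRequest, tokenRequest, (ResourceOwnerPasswordCredentialsGrant) authorizationGrant);
        }
        return new TokenErrorResponse(new ErrorObject(ERROR_UNSUPPORTED_GRANT_TYPE, "Grant type is not supported by this endpoint"));
    }

    /**
     * Serialises a token (success or error) response as JSON; error responses get HTTP status 400.
     *
     * @throws ParseException if the response content cannot be read back as a JSON object
     * @throws IOException    if the response writer cannot be obtained
     */
    private void writeTokenResponse(HttpServletResponse httpServletResponse, TokenResponse tokenResponse) throws ParseException, IOException {
        httpServletResponse.setContentType(JSON_CONTENT_TYPE);
        if (!tokenResponse.indicatesSuccess()) {
            httpServletResponse.setStatus(HttpServletResponse.SC_BAD_REQUEST);
        }
        httpServletResponse.getWriter().append(tokenResponse.toHTTPResponse().getContentAsJSONObject().toJSONString());
    }

    /**
     * Handles the resource owner password credentials grant.
     *
     * <p>The per-client "direct access allowed" policy is enforced for every password grant, whatever
     * scope is requested, and before the resource owner's credentials are presented to the subject.
     * A request without client authentication has no client policy that can be looked up and is
     * refused for the same reason.
     *
     * @return the token response, or an {@code unauthorized_client} error response
     * @throws AtbashUnexpectedException when the issued tokens cannot be assembled
     */
    private TokenResponse getResponsePasswordGrant(HttpServletRequest httpServletRequest, TokenRequest tokenRequest, ResourceOwnerPasswordCredentialsGrant passwordGrant) {
        ClientID clientID = tokenRequest.getClientAuthentication() == null
                ? null
                : tokenRequest.getClientAuthentication().getClientID();
        // NOTE(review): retrieveInfo() returning null for an unknown client is not guarded here (nor was it
        // before); confirm what ClientInfoRetriever does for unknown client ids.
        if (clientID == null || !this.clientInfoRetriever.retrieveInfo(clientID.getValue()).isDirectAccessAllowed()) {
            return passwordGrantNotAllowed();
        }
        try {
            SecurityUtils.getSubject().login(new UsernamePasswordToken(passwordGrant.getUsername(), passwordGrant.getPassword().getValue()));
            return createTokensForPasswordGrant(httpServletRequest, tokenRequest, clientID);
        } catch (ParseException e) {
            throw new AtbashUnexpectedException(e);
        } catch (AuthenticationException e) {
            // NOTE(review): a rejected credential is reported with the same client-policy error as a
            // disallowed client; RFC 6749 section 5.2 would use invalid_grant. Kept unchanged so existing
            // clients do not see a new error code.
            return passwordGrantNotAllowed();
        }
    }

    /** The error response used for every refused password grant. */
    private TokenErrorResponse passwordGrantNotAllowed() {
        return new TokenErrorResponse(new ErrorObject(ERROR_UNAUTHORIZED_CLIENT, PASSWORD_GRANT_NOT_ALLOWED));
    }

    /**
     * Creates, stores and returns the tokens for an already authenticated resource owner.
     *
     * @param clientID the authenticated client; recorded with the store data only when an ID token is
     *                 issued (scope contains {@code openid}), mirroring the authorization code flow
     * @throws AtbashIllegalActionException when the principal carries an SSO cookie token; the password
     *                                      grant must not be combined with a browser SSO session
     * @throws ParseException              if the ID token claims cannot be converted to a JWT claims set
     */
    private TokenResponse createTokensForPasswordGrant(HttpServletRequest httpServletRequest, TokenRequest tokenRequest, ClientID clientID) throws ParseException {
        OIDCStoreData storeData = new OIDCStoreData(new BearerAccessToken(
                this.ssoServerConfiguration.getOIDCTokenLength(),
                this.ssoServerConfiguration.getSSOAccessTokenTimeToLive(),
                tokenRequest.getScope()));
        UserPrincipal principal = SecurityUtils.getSubject().getPrincipal();
        if (StringUtils.hasText((String) principal.getUserInfo(SSO_COOKIE_TOKEN_INFO_KEY))) {
            throw new AtbashIllegalActionException("Cannot allow password grant when SSO cookie is found");
        }
        IDTokenClaimsSet idTokenClaimsSet = null;
        if (tokenRequest.getScope() != null && tokenRequest.getScope().contains(OPENID_SCOPE)) {
            idTokenClaimsSet = this.oidcTokenHelper.defineIDToken(httpServletRequest, principal, clientID);
            storeData.setClientId(clientID);
        }
        storeData.setIdTokenClaimsSet(idTokenClaimsSet);
        storeData.setScope(tokenRequest.getScope());
        // No authorization code is involved in this flow, hence null for that argument.
        this.tokenStore.addLoginFromClient(principal, null, httpServletRequest.getHeader("User-Agent"), httpServletRequest.getRemoteAddr(), storeData);
        return defineResponse(storeData);
    }

    /**
     * Exchanges an authorization code for the tokens stored when the code was issued.
     *
     * @return the token response, or {@code null} after an error body has been written because the code
     *         is unknown for this client (or no longer valid)
     * @throws ParseException if the stored ID token claims cannot be converted to a JWT claims set
     */
    private AccessTokenResponse getResponseAuthorizationGrant(HttpServletResponse httpServletResponse, TokenRequest tokenRequest, AuthorizationCodeGrant authorizationCodeGrant) throws ParseException {
        ClientID clientID = tokenRequest.getClientAuthentication().getClientID();
        OIDCStoreData storeData = this.tokenStore.getOIDCDataByAuthorizationCode(authorizationCodeGrant.getAuthorizationCode(), clientID);
        if (storeData == null) {
            // NOTE(review): the error reported to the client is "invalid_client / expired secret" although the
            // cause is an unknown or expired authorization code (RFC 6749 would use invalid_grant). Kept so
            // existing clients see no new error code.
            showErrorMessage(httpServletResponse, InvalidClientException.EXPIRED_SECRET);
            return null;
        }
        if (this.coreConfiguration.showDebugFor().contains(Debug.SSO_FLOW)) {
            // Neither the authorization code nor the access token value is logged: both are bearer secrets.
            LOGGER.info("(SSO Server) Exchanged Authorization code for an Access token for client {}", clientID);
        }
        return defineResponse(storeData);
    }

    /**
     * Writes the given client error as an OAuth2 JSON error body with HTTP status 400.
     *
     * @throws AtbashUnexpectedException if the response writer cannot be obtained
     */
    private void showErrorMessage(HttpServletResponse httpServletResponse, InvalidClientException invalidClientException) {
        httpServletResponse.setStatus(HttpServletResponse.SC_BAD_REQUEST);
        httpServletResponse.setContentType(JSON_CONTENT_TYPE);
        try {
            httpServletResponse.getWriter().println(new TokenErrorResponse(invalidClientException.getErrorObject()).toJSONObject().toJSONString());
        } catch (IOException e) {
            throw new AtbashUnexpectedException(e);
        }
    }

    /**
     * Builds the success response from stored token data.
     *
     * <p>When ID token claims are present, the ID token is signed with HS256 using the client's ID token
     * secret and returned together with the access token; otherwise a plain access token response is
     * returned. No refresh token is issued in either case.
     *
     * @throws ParseException            if the claims cannot be converted to a JWT claims set
     * @throws AtbashUnexpectedException if signing the ID token fails
     */
    private AccessTokenResponse defineResponse(OIDCStoreData storeData) throws ParseException {
        if (storeData.getIdTokenClaimsSet() == null) {
            return new AccessTokenResponse(new Tokens(storeData.getAccessToken(), (RefreshToken) null));
        }
        SignedJWT idToken = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256), storeData.getIdTokenClaimsSet().toJWTClaimsSet());
        try {
            byte[] idTokenSecret = this.clientInfoRetriever.retrieveInfo(storeData.getClientId().getValue()).getIdTokenSecretByte();
            idToken.sign(new MACSigner(idTokenSecret));
        } catch (JOSEException e) {
            throw new AtbashUnexpectedException(e);
        }
        return new OIDCTokenResponse(new OIDCTokens(idToken, storeData.getAccessToken(), (RefreshToken) null));
    }

    /**
     * Logs, when SSO flow debugging is enabled, that the given user is authenticated.
     * Currently not called from this servlet.
     */
    private void showDebugInfo(OctopusSSOToken octopusSSOToken) {
        if (this.coreConfiguration.showDebugFor().contains(Debug.SSO_FLOW)) {
            LOGGER.info("(SSO Server) User {} is authenticated and cookie written if needed.", octopusSSOToken.getFullName());
        }
    }
}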
