package be.atbash.ee.security.sso.server.filter;

import be.atbash.ee.security.octopus.SecurityUtils;
import be.atbash.ee.security.octopus.filter.AccessControlFilter;
import be.atbash.ee.security.octopus.filter.authc.AbstractUserFilter;
import be.atbash.ee.security.octopus.util.WebUtils;
import be.atbash.ee.security.sso.server.client.ClientInfo;
import be.atbash.ee.security.sso.server.client.ClientInfoRetriever;
import be.atbash.ee.security.sso.server.cookie.SSOHelper;
import be.atbash.ee.security.sso.server.token.OIDCEndpointToken;
import be.atbash.util.CDIUtils;
import be.atbash.util.exception.AtbashUnexpectedException;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.oauth2.sdk.AbstractRequest;
import com.nimbusds.oauth2.sdk.ErrorObject;
import com.nimbusds.oauth2.sdk.GrantType;
import com.nimbusds.oauth2.sdk.OAuth2Error;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.ResourceOwnerPasswordCredentialsGrant;
import com.nimbusds.oauth2.sdk.ResponseMode;
import com.nimbusds.oauth2.sdk.TokenErrorResponse;
import com.nimbusds.oauth2.sdk.TokenRequest;
import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
import com.nimbusds.oauth2.sdk.auth.verifier.ClientAuthenticationVerifier;
import com.nimbusds.oauth2.sdk.auth.verifier.ClientX509CertificateBindingVerifier;
import com.nimbusds.oauth2.sdk.auth.verifier.Context;
import com.nimbusds.oauth2.sdk.auth.verifier.InvalidClientException;
import com.nimbusds.oauth2.sdk.http.CommonContentTypes;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.id.Audience;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.State;
import com.nimbusds.oauth2.sdk.util.MultivaluedMapUtils;
import com.nimbusds.oauth2.sdk.util.StringUtils;
import com.nimbusds.oauth2.sdk.util.URLUtils;
import com.nimbusds.openid.connect.sdk.AuthenticationErrorResponse;
import com.nimbusds.openid.connect.sdk.AuthenticationRequest;
import java.io.IOException;
import java.lang.annotation.Annotation;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.annotation.PostConstruct;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@ApplicationScoped
/* loaded from: input_file:be/atbash/ee/security/sso/server/filter/OIDCEndpointFilter.class */
public class OIDCEndpointFilter extends AccessControlFilter {
    private static final Logger LOGGER = LoggerFactory.getLogger(OIDCEndpointFilter.class);
    private static List<String> DEFAULT_FILTERS = Arrays.asList("user", "authenticated");
    private AbstractUserFilter userFilter;

    @Inject
    private SSOHelper ssoHelper;

    @Inject
    private ClientInfoRetriever clientInfoRetriever;

    @Inject
    private OctopusClientCredentialsSelector selector;

    /* loaded from: input_file:be/atbash/ee/security/sso/server/filter/OIDCEndpointFilter$EndpointType.class */
    enum EndpointType {
        AUTHENTICATE,
        TOKEN
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:be/atbash/ee/security/sso/server/filter/OIDCEndpointFilter$ErrorInfo.class */
    public static class ErrorInfo {
        private URI redirectURI;
        private State state;
        private ErrorObject errorObject;

        ErrorInfo(Map<String, List<String>> map, ErrorObject errorObject) {
            this.state = State.parse((String) MultivaluedMapUtils.getFirstValue(map, "state"));
            this.redirectURI = getRedirectURI(map);
            this.errorObject = errorObject;
        }

        ErrorInfo(AuthenticationRequest authenticationRequest, ErrorObject errorObject) {
            this.state = authenticationRequest.getState();
            this.redirectURI = authenticationRequest.getRedirectionURI();
            this.errorObject = errorObject;
        }

        ErrorInfo(ErrorObject errorObject) {
            this.errorObject = errorObject;
        }

        private URI getRedirectURI(Map<String, List<String>> map) {
            List<String> list = map.get("redirect_uri");
            if (list == null) {
                return null;
            }
            URI uri = null;
            String str = list.get(0);
            if (StringUtils.isNotBlank(str)) {
                try {
                    uri = new URI(str);
                } catch (URISyntaxException e) {
                }
            }
            return uri;
        }

        URI getRedirectURI() {
            return this.redirectURI;
        }

        State getState() {
            return this.state;
        }

        ErrorObject getErrorObject() {
            return this.errorObject;
        }
    }

    @PostConstruct
    public void init() {
        setName("oidcFilter");
        this.userFilter = determineUserFilter();
    }

    private AbstractUserFilter determineUserFilter() {
        ArrayList arrayList = new ArrayList();
        AbstractUserFilter abstractUserFilter = null;
        for (AbstractUserFilter abstractUserFilter2 : CDIUtils.retrieveInstances(AbstractUserFilter.class, new Annotation[0])) {
            if ("user".equals(abstractUserFilter2.getName())) {
                abstractUserFilter = abstractUserFilter2;
            }
            if (!DEFAULT_FILTERS.contains(abstractUserFilter2.getName())) {
                arrayList.add(abstractUserFilter2);
            }
        }
        if (arrayList.size() > 1) {
            throw new AtbashUnexpectedException("Unable to determine filter : TODO implement config parameter.");
        }
        return arrayList.isEmpty() ? abstractUserFilter : (AbstractUserFilter) arrayList.get(0);
    }

    public boolean onPreHandle(ServletRequest servletRequest, ServletResponse servletResponse) throws Exception {
        boolean onPreHandle;
        HttpServletRequest http = WebUtils.toHttp(servletRequest);
        String requestURI = http.getRequestURI();
        if (requestURI.contains(";")) {
            requestURI = requestURI.substring(0, requestURI.indexOf(59));
        }
        ErrorInfo errorInfo = null;
        EndpointType endpointType = null;
        if (requestURI.endsWith("authenticate")) {
            errorInfo = checksForAuthenticateEndpoint(http);
            endpointType = EndpointType.AUTHENTICATE;
        }
        if (requestURI.endsWith("token")) {
            errorInfo = checksForTokenEndpoint(http);
            endpointType = EndpointType.TOKEN;
        }
        if (endpointType == null) {
            throw new AtbashUnexpectedException("Endpoint URL not recognized by the OIDCEndpointFilter " + requestURI);
        }
        if (errorInfo != null) {
            showErrorMessage(WebUtils.toHttp(servletResponse), endpointType, errorInfo);
            onPreHandle = false;
        } else {
            onPreHandle = super.onPreHandle(servletRequest, servletResponse);
        }
        return onPreHandle;
    }

    private void showErrorMessage(HttpServletResponse httpServletResponse, EndpointType endpointType, ErrorInfo errorInfo) {
        switch (endpointType) {
            case AUTHENTICATE:
                if (errorInfo.getRedirectURI() == null) {
                    try {
                        httpServletResponse.getWriter().println(errorInfo.getErrorObject().getDescription());
                        return;
                    } catch (IOException e) {
                        throw new AtbashUnexpectedException(e);
                    }
                } else {
                    try {
                        httpServletResponse.sendRedirect(new AuthenticationErrorResponse(errorInfo.getRedirectURI(), errorInfo.getErrorObject(), errorInfo.getState(), ResponseMode.QUERY).toHTTPResponse().getLocation().toString());
                        return;
                    } catch (IOException e2) {
                        throw new AtbashUnexpectedException(e2);
                    }
                }
            case TOKEN:
                httpServletResponse.setStatus(400);
                httpServletResponse.setHeader("Content-Type", "application/json");
                try {
                    httpServletResponse.getWriter().println(new TokenErrorResponse(errorInfo.getErrorObject()).toJSONObject().toJSONString());
                    return;
                } catch (IOException e3) {
                    throw new AtbashUnexpectedException(e3);
                }
            default:
                throw new IllegalArgumentException(String.format("EndpointType %s not supported", endpointType));
        }
    }

    protected boolean isAccessAllowed(ServletRequest servletRequest, ServletResponse servletResponse) throws Exception {
        return isLoginRequest(servletRequest) || getSubject().getPrincipal() != null;
    }

    protected boolean onAccessDenied(ServletRequest servletRequest, ServletResponse servletResponse) throws Exception {
        saveRequestAndRedirectToLogin(servletRequest, servletResponse);
        return false;
    }

    private ErrorInfo checksForTokenEndpoint(HttpServletRequest httpServletRequest) {
        ErrorInfo errorInfo = null;
        boolean z = false;
        TokenRequest tokenRequest = null;
        try {
            HTTPRequest.Method valueOf = HTTPRequest.Method.valueOf(httpServletRequest.getMethod());
            URL url = new URL(httpServletRequest.getRequestURL().toString());
            HTTPRequest hTTPRequest = new HTTPRequest(valueOf, url);
            hTTPRequest.setAuthorization(httpServletRequest.getHeader("Authorization"));
            hTTPRequest.setContentType(CommonContentTypes.APPLICATION_URLENCODED);
            hTTPRequest.setQuery(httpServletRequest.getReader().readLine());
            tokenRequest = TokenRequest.parse(hTTPRequest);
            GrantType type = tokenRequest.getAuthorizationGrant().getType();
            if (type.requiresClientAuthentication() || tokenRequest.getClientAuthentication() != null) {
                errorInfo = checkClientCredentials(tokenRequest, url, hTTPRequest, type);
                z = true;
            }
            if (errorInfo == null && GrantType.PASSWORD.equals(type)) {
                if (hasIdScopes(tokenRequest) && tokenRequest.getClientAuthentication() == null) {
                    errorInfo = new ErrorInfo(new ErrorObject("OCT-SSO-SERVER-013", "Scope requires client Authentication"));
                } else {
                    ResourceOwnerPasswordCredentialsGrant authorizationGrant = tokenRequest.getAuthorizationGrant();
                    SecurityUtils.getSubject().login(new OIDCEndpointToken(new ClientSecretBasic(new ClientID(authorizationGrant.getUsername()), authorizationGrant.getPassword()).getClientID()));
                    z = true;
                }
            }
        } catch (MalformedURLException e) {
            errorInfo = new ErrorInfo(new ErrorObject("OCT-SSO-SERVER-100", "invalid URL"));
        } catch (ParseException e2) {
            errorInfo = new ErrorInfo(e2.getErrorObject());
        } catch (IOException e3) {
            throw new AtbashUnexpectedException(e3);
        }
        if (!z && errorInfo == null) {
            errorInfo = new ErrorInfo(new ErrorObject("OCT-SSO-SERVER-014", "Client authentication required"));
        }
        if (errorInfo == null) {
            httpServletRequest.setAttribute(AbstractRequest.class.getName(), tokenRequest);
        }
        return errorInfo;
    }

    private boolean hasIdScopes(TokenRequest tokenRequest) {
        return tokenRequest.getScope() != null && (tokenRequest.getScope().contains("openid") || tokenRequest.getScope().contains("octopus"));
    }

    private ErrorInfo checkClientCredentials(TokenRequest tokenRequest, URL url, HTTPRequest hTTPRequest, GrantType grantType) {
        ErrorInfo errorInfo = null;
        ClientAuthentication clientAuthentication = tokenRequest.getClientAuthentication();
        HashSet hashSet = new HashSet();
        hashSet.add(new Audience(url.toExternalForm()));
        try {
            new ClientAuthenticationVerifier(this.selector, (ClientX509CertificateBindingVerifier) null, hashSet).verify(clientAuthentication, (Set) null, (Context) null);
        } catch (JOSEException e) {
            errorInfo = new ErrorInfo(new ErrorObject("OCT-SSO-SERVER-011", "invalid JWT"));
        } catch (InvalidClientException e2) {
            LOGGER.info(e2.getMessage());
            errorInfo = new ErrorInfo(e2.getErrorObject());
        }
        if (errorInfo == null) {
            if (checkRedirectURI(hTTPRequest, this.clientInfoRetriever.retrieveInfo(clientAuthentication.getClientID().getValue()), grantType)) {
                SecurityUtils.getSubject().login(new OIDCEndpointToken(clientAuthentication.getClientID()));
            } else {
                errorInfo = new ErrorInfo(new ErrorObject("OCT-SSO-SERVER-012", "Invalid \"redirect_uri\" parameter: "));
            }
        }
        return errorInfo;
    }

    private boolean checkRedirectURI(HTTPRequest hTTPRequest, ClientInfo clientInfo, GrantType grantType) {
        boolean z = true;
        if (GrantType.AUTHORIZATION_CODE.equals(grantType) || GrantType.IMPLICIT.equals(grantType)) {
            z = checkCallbackUrl(clientInfo, (String) MultivaluedMapUtils.getFirstValue(hTTPRequest.getQueryParameters(), "redirect_uri"));
        }
        return z;
    }

    private boolean checkCallbackUrl(ClientInfo clientInfo, String str) {
        boolean equals = clientInfo.getActualCallbackURL().equals(str);
        if (!equals && clientInfo.hasMultipleCallbackURL()) {
            Iterator<String> it = clientInfo.getAdditionalCallbackURLs().iterator();
            while (!equals && it.hasNext()) {
                equals = it.next().equals(str);
            }
        }
        return equals;
    }

    private ErrorInfo checksForAuthenticateEndpoint(HttpServletRequest httpServletRequest) {
        String queryString = httpServletRequest.getQueryString();
        try {
            AuthenticationRequest parse = AuthenticationRequest.parse(queryString);
            String value = parse.getClientID().getValue();
            ClientInfo retrieveInfo = this.clientInfoRetriever.retrieveInfo(value);
            if (retrieveInfo == null) {
                LOGGER.info("Unknown \"client_id\" parameter value = " + value);
                return new ErrorInfo(parse, OAuth2Error.INVALID_CLIENT.appendDescription(": Unknown \"client_id\" parameter value"));
            }
            if (!checkCallbackUrl(retrieveInfo, parse.getRedirectionURI().toString())) {
                LOGGER.info("Unknown \"redirect_uri\" parameter value = " + parse.getRedirectionURI());
                return new ErrorInfo(parse, OAuth2Error.INVALID_CLIENT.appendDescription(": Unknown \"redirect_uri\" parameter value"));
            }
            this.ssoHelper.markAsSSOLogin(httpServletRequest, value);
            httpServletRequest.setAttribute(AbstractRequest.class.getName(), parse);
            return null;
        } catch (ParseException e) {
            LOGGER.info(e.getMessage());
            return new ErrorInfo((Map<String, List<String>>) URLUtils.parseParameters(queryString), e.getErrorObject());
        }
    }

    public String getLoginUrl() {
        return this.userFilter.getLoginUrl();
    }
}
