package be.atbash.ee.security.sso.server.rememberme;

import be.atbash.ee.security.octopus.authc.AuthenticationInfo;
import be.atbash.ee.security.octopus.config.Debug;
import be.atbash.ee.security.octopus.config.OctopusCoreConfiguration;
import be.atbash.ee.security.octopus.rememberme.CookieRememberMeManager;
import be.atbash.ee.security.octopus.subject.PrincipalCollection;
import be.atbash.ee.security.octopus.subject.Subject;
import be.atbash.ee.security.octopus.subject.SubjectContext;
import be.atbash.ee.security.octopus.subject.UserPrincipal;
import be.atbash.ee.security.octopus.subject.WebSubject;
import be.atbash.ee.security.octopus.subject.support.WebSubjectContext;
import be.atbash.ee.security.octopus.token.AuthenticationToken;
import be.atbash.ee.security.octopus.util.WebUtils;
import be.atbash.ee.security.sso.server.config.OctopusSSOServerConfiguration;
import be.atbash.ee.security.sso.server.cookie.SSOHelper;
import be.atbash.ee.security.sso.server.store.SSOTokenStore;
import be.atbash.ee.security.sso.server.store.TokenStoreInfo;
import be.atbash.util.StringUtils;
import be.atbash.util.exception.AtbashUnexpectedException;
import java.nio.charset.StandardCharsets;
import java.util.UUID;
import javax.annotation.PostConstruct;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.inject.Specializes;
import javax.inject.Inject;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

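/**
 * Remember-me manager for the SSO server that stores an opaque, random cookie token
 * instead of a serialized identity.
 *
 * <p>On login a fresh UUID is attached to the primary principal under
 * {@code OCTOPUS_SSO_COOKIE_TOKEN} and written (through the inherited {@code encrypt}) into
 * the SSO cookie. On later requests the cookie value is turned back into the token, looked up
 * in the {@link SSOTokenStore}, and accepted only when the stored remote host and User-Agent
 * match the current request.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The cookie token is a bearer credential: anyone holding a valid cookie value is
 *       treated as the user, subject only to the remote-address / User-Agent comparison.</li>
 *   <li>The User-Agent header is chosen by the client, and behind a reverse proxy
 *       {@code getRemoteAddr()} reports the proxy address, so both comparisons are a
 *       consistency check rather than a strong binding.</li>
 *   <li>The {@code Secure} flag of the cookie is configuration driven; see
 *       {@link #createCookie(String, HttpServletRequest)}.</li>
 * </ul>
 */
@ApplicationScoped
@Specializes
/* loaded from: input_file:be/atbash/ee/security/sso/server/rememberme/SSOCookieRememberMeManager.class */
public class SSOCookieRememberMeManager extends CookieRememberMeManager {
    private final Logger logger = LoggerFactory.getLogger(SSOCookieRememberMeManager.class);

    @Inject
    private OctopusCoreConfiguration octopusConfig;

    @Inject
    private OctopusSSOServerConfiguration ssoServerConfiguration;

    @Inject
    private SSOTokenStore tokenStore;

    @Inject
    private SSOHelper ssoHelper;

    /** Runs the parent initialisation once injection has completed. */
    @PostConstruct
    @Override
    public void init() {
        super.init();
    }

    /**
     * Remembers the SSO identity when the login belongs to an SSO client, otherwise defers to
     * the parent implementation.
     *
     * @param subject the subject that just logged in; must be a {@link WebSubject}
     * @param authenticationToken the token used for the login (only passed on to the parent)
     * @param authenticationInfo the authentication result
     * @throws AtbashUnexpectedException when {@code subject} is not a {@link WebSubject}
     */
    @Override
    public void onSuccessfulLogin(Subject subject, AuthenticationToken authenticationToken, AuthenticationInfo authenticationInfo) {
        if (!(subject instanceof WebSubject)) {
            throw new AtbashUnexpectedException("subject needs to be of type WebSubject");
        }
        String ssoClientId = this.ssoHelper.getSSOClientId((WebSubject) subject);
        if (StringUtils.hasText(ssoClientId)) {
            // NOTE(review): this branch never looks at authenticationToken, so the SSO cookie is
            // issued for every SSO-client login. Whether the parent applies an explicit
            // remember-me check is not visible in this file - confirm this is intended.
            rememberIdentity(subject, authenticationInfo);
        } else {
            super.onSuccessfulLogin(subject, authenticationToken, authenticationInfo);
        }
    }

    /**
     * Generates a new random cookie token, records it on the primary principal and stores its
     * encrypted form as the remembered identity.
     *
     * @param subject the subject the cookie is written for
     * @param principalCollection the principals of the authenticated user
     */
    protected void rememberIdentity(Subject subject, PrincipalCollection principalCollection) {
        UserPrincipal primaryPrincipal = principalCollection.getPrimaryPrincipal();
        // UUID.randomUUID() is documented to use a cryptographically strong generator.
        String cookieToken = UUID.randomUUID().toString();
        primaryPrincipal.addUserInfo("OCTOPUS_SSO_COOKIE_TOKEN", cookieToken);
        // Explicit charset so the bytes written here decode identically in
        // getRememberedPrincipals, independent of the JVM's default charset.
        rememberSerializedIdentity(subject, encrypt(cookieToken.getBytes(StandardCharsets.UTF_8)));
    }

    /**
     * Builds the SSO cookie with the configured name, lifetime and {@code Secure} setting.
     *
     * @param str the cookie value
     * @param httpServletRequest the current request, used to derive the cookie path
     * @return the configured cookie
     */
    protected Cookie createCookie(String str, HttpServletRequest httpServletRequest) {
        Cookie ssoCookie = new Cookie(getCookieName(), str);
        // Always HttpOnly, so page scripts cannot read the token.
        ssoCookie.setHttpOnly(true);
        ssoCookie.setMaxAge(this.ssoServerConfiguration.getSSOCookieTimeToLive());
        // Secure comes from configuration; when it is false the token also travels over
        // plain HTTP. No SameSite attribute is set on this cookie.
        ssoCookie.setSecure(this.ssoServerConfiguration.isSSOCookieSecure());
        ssoCookie.setPath(calculatePath(httpServletRequest));
        return ssoCookie;
    }

    /** Returns the SSO cookie name from the SSO server configuration. */
    protected String getCookieName() {
        return this.ssoServerConfiguration.getSSOCookieName();
    }

    /**
     * Resolves the remembered user from the SSO cookie of the current request.
     *
     * <p>Only requests whose URI contains {@code /octopus/} are considered. The cookie value
     * is decrypted when a cipher service is configured, and used as-is otherwise, before it is
     * looked up in the token store.
     *
     * @param subjectContext the context of the subject being built; must be a
     *     {@link WebSubjectContext}
     * @return the principals of the remembered user, or {@code null} when there is no usable
     *     cookie, the token is unknown, or the request does not match the stored information
     * @throws AtbashUnexpectedException when {@code subjectContext} is not a
     *     {@link WebSubjectContext}
     */
    public PrincipalCollection getRememberedPrincipals(SubjectContext subjectContext) {
        if (!(subjectContext instanceof WebSubjectContext)) {
            throw new AtbashUnexpectedException("subjectContext needs to be of type WebSubjectContext");
        }
        HttpServletRequest httpRequest = WebUtils.getHttpRequest((WebSubjectContext) subjectContext);
        // NOTE(review): substring match - any URI that contains "/octopus/" anywhere qualifies,
        // not only URIs that start with that segment.
        if (!WebUtils.getRequestUri(httpRequest).contains("/octopus/")) {
            return null;
        }
        PrincipalCollection principalCollection = null;
        try {
            byte[] serializedIdentity = getRememberedSerializedIdentity(subjectContext);
            if (serializedIdentity != null && serializedIdentity.length > 0) {
                String cookieToken;
                if (this.cipherService != null) {
                    cookieToken = new String(
                            this.cipherService.decrypt(serializedIdentity, this.decryptionCipherKey).getBytes(),
                            StandardCharsets.UTF_8);
                } else {
                    // Without a cipher service the cookie bytes are the token itself.
                    cookieToken = new String(serializedIdentity, StandardCharsets.UTF_8);
                }
                UserPrincipal rememberedUser = retrieveUserFromCookieToken(cookieToken, httpRequest);
                if (rememberedUser != null) {
                    showDebugInfo(rememberedUser);
                    principalCollection = new PrincipalCollection(rememberedUser);
                }
            }
        } catch (RuntimeException e) {
            // Decryption and lookup failures are handed to the inherited failure handler.
            principalCollection = onRememberedPrincipalFailure(e, subjectContext);
        }
        return principalCollection;
    }

    /**
     * Looks up the user for a cookie token and returns it only when the request matches the
     * information stored with the token.
     *
     * @param str the cookie token
     * @param httpServletRequest the current request
     * @return the stored user principal, or {@code null} when unknown or not matching
     */
    private UserPrincipal retrieveUserFromCookieToken(String str, HttpServletRequest httpServletRequest) {
        TokenStoreInfo storedInfo = this.tokenStore.getUserByCookieToken(str);
        if (!verifyCookieInformation(storedInfo, httpServletRequest)) {
            return null;
        }
        return storedInfo.getUserPrincipal();
    }

    /**
     * Checks that the token exists and that the request comes from the remote address and
     * User-Agent recorded for it.
     *
     * <p>A request without a remote address or without a {@code User-Agent} header is treated
     * as a mismatch. Previously a missing header raised a {@link NullPointerException}, which
     * sent an ordinary non-matching request through the failure handler of
     * {@link #getRememberedPrincipals(SubjectContext)}.
     *
     * @param tokenStoreInfo the stored information for the token, may be {@code null}
     * @param httpServletRequest the current request
     * @return {@code true} only when the token is known and both values match
     */
    private boolean verifyCookieInformation(TokenStoreInfo tokenStoreInfo, HttpServletRequest httpServletRequest) {
        if (tokenStoreInfo == null) {
            return false;
        }
        String remoteAddr = httpServletRequest.getRemoteAddr();
        if (remoteAddr == null || !remoteAddr.equals(tokenStoreInfo.getRemoteHost())) {
            return false;
        }
        // The header is optional in HTTP, so it can legitimately be absent.
        String userAgent = httpServletRequest.getHeader("User-Agent");
        return userAgent != null && userAgent.equals(tokenStoreInfo.getUserAgent());
    }

    /**
     * Logs the cookie-based authentication when SSO flow debugging is enabled.
     *
     * @param userPrincipal the user resolved from the cookie token
     */
    private void showDebugInfo(UserPrincipal userPrincipal) {
        if (this.octopusConfig.showDebugFor().contains(Debug.SSO_FLOW)) {
            // NOTE(review): this writes the cookie token itself to the log. The token is what
            // the token store is queried with, so treat logs produced with SSO_FLOW debugging
            // as sensitive, or log a truncated / hashed form instead.
            this.logger.info(String.format("(SSO Server) User %s is authenticated from SSO Cookie %s (=cookie token)", userPrincipal.getName(), userPrincipal.getUserInfo("OCTOPUS_SSO_COOKIE_TOKEN")));
        }
    }
}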
