package de.gematik.idp.client;

import de.gematik.idp.authentication.AuthenticationChallenge;
import de.gematik.idp.authentication.UriUtils;
import de.gematik.idp.client.data.AuthenticationRequest;
import de.gematik.idp.client.data.AuthenticationResponse;
import de.gematik.idp.client.data.AuthorizationRequest;
import de.gematik.idp.client.data.AuthorizationResponse;
import de.gematik.idp.client.data.DiscoveryDocumentResponse;
import de.gematik.idp.client.data.TokenRequest;
import de.gematik.idp.crypto.CryptoLoader;
import de.gematik.idp.crypto.EcKeyUtility;
import de.gematik.idp.crypto.Nonce;
import de.gematik.idp.data.IdpErrorResponse;
import de.gematik.idp.error.IdpErrorType;
import de.gematik.idp.field.ClaimName;
import de.gematik.idp.token.IdpJwe;
import de.gematik.idp.token.JsonWebToken;
import java.net.URI;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.util.Base64;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.function.Consumer;
import java.util.function.Supplier;
import java.util.function.UnaryOperator;
import java.util.stream.Collectors;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import kong.unirest.core.GetRequest;
import kong.unirest.core.HttpRequest;
import kong.unirest.core.HttpResponse;
import kong.unirest.core.JsonNode;
import kong.unirest.core.MultipartBody;
import kong.unirest.core.Unirest;
import kong.unirest.core.json.JSONObject;
import kong.unirest.jackson.JacksonObjectMapper;
import lombok.Generated;
import org.jose4j.jwt.JwtClaims;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:de/gematik/idp/client/AuthenticatorClient.class */
public class AuthenticatorClient {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(AuthenticatorClient.class);
    private static final String USER_AGENT = "IdP-Client";

    public AuthenticatorClient() {
        Unirest.config().reset();
        Unirest.config().followRedirects(false);
        Unirest.config().setObjectMapper(new JacksonObjectMapper());
    }

    public static Map<String, String> getAllHeaderElementsAsMap(HttpRequest httpRequest) {
        return (Map) httpRequest.getHeaders().all().stream().collect(Collectors.toMap((v0) -> {
            return v0.getName();
        }, (v0) -> {
            return v0.getValue();
        }));
    }

    public static Map<String, Object> getAllFieldElementsAsMap(MultipartBody multipartBody) {
        return (Map) multipartBody.multiParts().stream().collect(Collectors.toMap((v0) -> {
            return v0.getName();
        }, (v0) -> {
            return v0.getValue();
        }));
    }

    private static PublicKey getPublicKey(JSONObject jSONObject) throws NoSuchAlgorithmException, InvalidKeySpecException, NoSuchProviderException {
        return EcKeyUtility.genECPublicKey("brainpoolP256r1", jSONObject.getString("x"), jSONObject.getString("y"));
    }

    public AuthorizationResponse doAuthorizationRequest(AuthorizationRequest authorizationRequest, UnaryOperator<GetRequest> unaryOperator, Consumer<HttpResponse<AuthenticationChallenge>> consumer) {
        HttpResponse<AuthenticationChallenge> asObject = ((GetRequest) unaryOperator.apply((GetRequest) Unirest.get(authorizationRequest.getLink()).queryString(ClaimName.CLIENT_ID.getJoseName(), authorizationRequest.getClientId()).queryString(ClaimName.RESPONSE_TYPE.getJoseName(), "code").queryString(ClaimName.REDIRECT_URI.getJoseName(), authorizationRequest.getRedirectUri()).queryString(ClaimName.STATE.getJoseName(), authorizationRequest.getState()).queryString(ClaimName.CODE_CHALLENGE.getJoseName(), authorizationRequest.getCodeChallenge()).queryString(ClaimName.CODE_CHALLENGE_METHOD.getJoseName(), authorizationRequest.getCodeChallengeMethod()).queryString(ClaimName.SCOPE.getJoseName(), String.join(" ", authorizationRequest.getScopes())).queryString("nonce", authorizationRequest.getNonce()).header("User-Agent", USER_AGENT).header("Accept", "application/json"))).asObject(AuthenticationChallenge.class);
        consumer.accept(asObject);
        checkResponseForErrorsAndThrowIfAny(asObject);
        return AuthorizationResponse.builder().authenticationChallenge((AuthenticationChallenge) asObject.getBody()).build();
    }

    public AuthenticationResponse performAuthentication(AuthenticationRequest authenticationRequest, UnaryOperator<MultipartBody> unaryOperator, Consumer<HttpResponse<String>> consumer) {
        HttpResponse<String> asString = ((MultipartBody) unaryOperator.apply((MultipartBody) Unirest.post(authenticationRequest.getAuthenticationEndpointUrl()).field("signed_challenge", authenticationRequest.getSignedChallenge().getRawString()).contentType("application/x-www-form-urlencoded").header("User-Agent", USER_AGENT))).asString();
        consumer.accept(asString);
        checkResponseForErrorsAndThrowIfAny(asString);
        String retrieveLocationFromResponse = retrieveLocationFromResponse(asString);
        return AuthenticationResponse.builder().code(UriUtils.extractParameterValue(retrieveLocationFromResponse, "code")).location(retrieveLocationFromResponse).ssoToken((String) UriUtils.extractParameterValueOptional(retrieveLocationFromResponse, "ssotoken").orElse(null)).build();
    }

    private void checkResponseForErrorsAndThrowIfAny(HttpResponse<?> httpResponse) {
        if (httpResponse.getStatus() == 302) {
            checkForForwardingExceptionAndThrowIfPresent(httpResponse.getHeaders().getFirst("Location"));
        }
        if (httpResponse.getStatus() / 100 == 4) {
            IdpErrorResponse idpErrorResponse = new IdpErrorResponse();
            try {
                idpErrorResponse = (IdpErrorResponse) httpResponse.mapError(IdpErrorResponse.class);
            } catch (Exception e) {
            }
            throw new IdpClientRuntimeException("Unexpected Server-Response " + httpResponse.getStatus() + " " + ((String) httpResponse.mapError(String.class)), Optional.ofNullable(idpErrorResponse.getCode()), Optional.ofNullable(idpErrorResponse.getError()));
        }
    }

    private void checkForForwardingExceptionAndThrowIfPresent(String str) {
        UriUtils.extractParameterValueOptional(str, "error").ifPresent(str2 -> {
            Optional empty = Optional.empty();
            Optional empty2 = Optional.empty();
            try {
                empty = UriUtils.extractParameterValueOptional(str, "gematik_code");
                empty2 = UriUtils.extractParameterValueOptional(str, "error_description").flatMap(IdpErrorType::fromSerializationValue);
            } catch (Exception e) {
            }
            throw new IdpClientRuntimeException("Server-Error with message: " + ((String) UriUtils.extractParameterValueOptional(str, "gematik_code").map(str2 -> {
                return str2 + ": ";
            }).orElse("")) + ((String) UriUtils.extractParameterValueOptional(str, "error_description").orElse(str2)), empty, empty2);
        });
    }

    public AuthenticationResponse performAuthenticationWithSsoToken(AuthenticationRequest authenticationRequest, UnaryOperator<MultipartBody> unaryOperator, Consumer<HttpResponse<String>> consumer) {
        HttpResponse<String> asString = ((MultipartBody) unaryOperator.apply((MultipartBody) Unirest.post(authenticationRequest.getAuthenticationEndpointUrl()).field("ssotoken", authenticationRequest.getSsoToken()).field("unsigned_challenge", authenticationRequest.getChallengeToken().getRawString()).contentType("application/x-www-form-urlencoded").header("User-Agent", USER_AGENT).header("Accept", "application/json"))).asString();
        consumer.accept(asString);
        checkResponseForErrorsAndThrowIfAny(asString);
        String retrieveLocationFromResponse = retrieveLocationFromResponse(asString);
        return AuthenticationResponse.builder().code(UriUtils.extractParameterValue(retrieveLocationFromResponse, "code")).location(retrieveLocationFromResponse).build();
    }

    public AuthenticationResponse performAuthenticationWithAltAuth(AuthenticationRequest authenticationRequest, UnaryOperator<MultipartBody> unaryOperator, Consumer<HttpResponse<String>> consumer) {
        HttpResponse<String> asString = ((MultipartBody) unaryOperator.apply((MultipartBody) Unirest.post(authenticationRequest.getAuthenticationEndpointUrl()).field("encrypted_signed_authentication_data", authenticationRequest.getEncryptedSignedAuthenticationData().getRawString()).contentType("application/x-www-form-urlencoded").header("User-Agent", USER_AGENT).header("Accept", "application/json"))).asString();
        consumer.accept(asString);
        checkResponseForErrorsAndThrowIfAny(asString);
        String retrieveLocationFromResponse = retrieveLocationFromResponse(asString);
        return AuthenticationResponse.builder().code(UriUtils.extractParameterValue(retrieveLocationFromResponse, "code")).location(retrieveLocationFromResponse).build();
    }

    private String retrieveLocationFromResponse(HttpResponse<String> httpResponse) {
        if (httpResponse.getStatus() != 302) {
            throw new IdpClientRuntimeException("Unexpected status code in response: " + httpResponse.getStatus());
        }
        return httpResponse.getHeaders().getFirst("Location");
    }

    public IdpTokenResult retrieveAccessToken(TokenRequest tokenRequest, UnaryOperator<MultipartBody> unaryOperator, Consumer<HttpResponse<JsonNode>> consumer) {
        byte[] randomBytes = Nonce.randomBytes(32);
        SecretKeySpec secretKeySpec = new SecretKeySpec(randomBytes, "AES");
        HttpResponse<JsonNode> asJson = ((MultipartBody) unaryOperator.apply((MultipartBody) Unirest.post(tokenRequest.getTokenUrl()).field("grant_type", "authorization_code").field("client_id", tokenRequest.getClientId()).field("code", tokenRequest.getCode()).field("key_verifier", buildKeyVerifierToken(randomBytes, tokenRequest.getCodeVerifier(), tokenRequest.getIdpEnc()).getRawString()).field("redirect_uri", tokenRequest.getRedirectUrl()).contentType("application/x-www-form-urlencoded").header("User-Agent", USER_AGENT).header("Accept", "application/json"))).asJson();
        consumer.accept(asJson);
        checkResponseForErrorsAndThrowIfAny(asJson);
        JSONObject object = ((JsonNode) asJson.getBody()).getObject();
        return IdpTokenResult.builder().tokenType(((JsonNode) asJson.getBody()).getObject().getString("token_type")).expiresIn(((JsonNode) asJson.getBody()).getObject().getInt("expires_in")).accessToken(decryptToken(secretKeySpec, object.get("access_token"))).idToken(decryptToken(secretKeySpec, object.get("id_token"))).ssoToken(tokenRequest.getSsoToken() == null ? null : new IdpJwe(tokenRequest.getSsoToken())).build();
    }

    private JsonWebToken decryptToken(SecretKey secretKey, Object obj) {
        Optional ofNullable = Optional.ofNullable(obj);
        Class<String> cls = String.class;
        Objects.requireNonNull(String.class);
        Optional filter = ofNullable.filter(cls::isInstance);
        Class<String> cls2 = String.class;
        Objects.requireNonNull(String.class);
        return (JsonWebToken) filter.map(cls2::cast).map(IdpJwe::new).map(idpJwe -> {
            return idpJwe.decryptNestedJwt(secretKey);
        }).orElseThrow(() -> {
            return new IdpClientRuntimeException("Unable to extract Access-Token from response!");
        });
    }

    private IdpJwe buildKeyVerifierToken(byte[] bArr, String str, PublicKey publicKey) {
        JwtClaims jwtClaims = new JwtClaims();
        jwtClaims.setStringClaim(ClaimName.TOKEN_KEY.getJoseName(), new String(Base64.getUrlEncoder().withoutPadding().encode(bArr)));
        jwtClaims.setStringClaim(ClaimName.CODE_VERIFIER.getJoseName(), str);
        return IdpJwe.createWithPayloadAndEncryptWithKey(jwtClaims.toJson(), publicKey, "JSON");
    }

    public DiscoveryDocumentResponse retrieveDiscoveryDocument(String str, Optional<String> optional) {
        JsonWebToken jsonWebToken = new JsonWebToken((String) Unirest.get(patchIdpHost(str, optional)).header("User-Agent", USER_AGENT).asString().getBody());
        Supplier supplier = () -> {
            return new IdpClientRuntimeException("Incomplete Discovery Document encountered!");
        };
        return DiscoveryDocumentResponse.builder().authorizationEndpoint(patchIdpHost((String) jsonWebToken.getStringBodyClaim(ClaimName.AUTHORIZATION_ENDPOINT).orElseThrow(supplier), optional)).tokenEndpoint(patchIdpHost((String) jsonWebToken.getStringBodyClaim(ClaimName.TOKEN_ENDPOINT).orElseThrow(supplier), optional)).ssoEndpoint(patchIdpHost((String) jsonWebToken.getStringBodyClaim(ClaimName.SSO_ENDPOINT).orElseThrow(supplier), optional)).discSig((X509Certificate) jsonWebToken.getClientCertificateFromHeader().orElseThrow(supplier)).pairingEndpoint(patchIdpHost((String) jsonWebToken.getStringBodyClaim(ClaimName.URI_PAIR).orElse("<IDP DOES NOT SUPPORT ALTERNATIVE AUTHENTICATION>"), optional)).authPairEndpoint(patchIdpHost((String) jsonWebToken.getStringBodyClaim(ClaimName.AUTH_PAIR_ENDPOINT).orElse("<IDP DOES NOT SUPPORT ALTERNATIVE AUTHENTICATION>"), optional)).idpSig(retrieveServerCertFromLocation(patchIdpHost((String) jsonWebToken.getStringBodyClaim(ClaimName.URI_PUK_IDP_SIG).orElseThrow(supplier), optional))).idpEnc(retrieveServerPuKFromLocation(patchIdpHost((String) jsonWebToken.getStringBodyClaim(ClaimName.URI_PUK_IDP_ENC).orElseThrow(supplier), optional))).build();
    }

    private String patchIdpHost(String str, Optional<String> optional) {
        if (optional.isEmpty()) {
            return str;
        }
        try {
            URI uri = new URI(optional.get());
            URI uri2 = new URI(str);
            if (optional.get().contains("://")) {
                String str2 = ((String) Optional.ofNullable(uri.getScheme()).orElse(uri2.getScheme())) + "://" + ((String) Optional.ofNullable(uri.getRawAuthority()).orElse(uri2.getRawAuthority())) + ((String) Optional.ofNullable(uri.getPath()).orElse("")) + uri2.getPath();
                log.info("Patching URL. Original: {}, Patch: {}, Result: {}", new Object[]{str, optional.get(), str2});
                return str2;
            }
            String str3 = uri2.getScheme() + "://" + uri + uri2.getRawPath();
            log.info("Patching URL. Original: {}, Patch: {}, Result: {}", new Object[]{str, optional.get(), str3});
            return str3;
        } catch (Exception e) {
            throw new IdpClientRuntimeException("Error while patching with template '" + optional.get() + "'", e);
        }
    }

    private X509Certificate retrieveServerCertFromLocation(String str) {
        return CryptoLoader.getCertificateFromPem(Base64.getDecoder().decode(((JsonNode) Unirest.get(str).header("User-Agent", USER_AGENT).asJson().getBody()).getObject().getJSONArray(ClaimName.X509_CERTIFICATE_CHAIN.getJoseName()).getString(0)));
    }

    private PublicKey retrieveServerPuKFromLocation(String str) {
        try {
            return getPublicKey(((JsonNode) Unirest.get(str).header("User-Agent", USER_AGENT).asJson().getBody()).getObject());
        } catch (NoSuchAlgorithmException | NoSuchProviderException | InvalidKeySpecException e) {
            throw new IdpClientRuntimeException("Unable to construct public key from given uri '" + str + "', got " + e.getMessage());
        }
    }
}
