package org.yamcs.security;

import com.google.gson.Gson;
import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.io.UnsupportedEncodingException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import org.yamcs.InitException;
import org.yamcs.Spec;
import org.yamcs.YConfiguration;
import org.yamcs.http.auth.JwtHelper;
import org.yamcs.http.auth.LoginRequest;

/* loaded from: input_file:org/yamcs/security/OpenIDAuthModule.class */
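public class OpenIDAuthModule implements AuthModule {

    /** Prefix that marks a {@link ThirdPartyAuthorizationCode} principal as belonging to this module. */
    private static final String OIDC_PREFIX = "oidc ";

    /**
     * Connect and read timeout for the back-channel call to the token endpoint. Without it a
     * stalled IdP holds the login thread indefinitely.
     */
    private static final int HTTP_TIMEOUT_MS = 10_000;

    /** Clock skew tolerated when checking the ID Token {@code exp} claim, in seconds. */
    private static final long EXP_LEEWAY_SECONDS = 60;

    /** Longest slice of an IdP error body that is copied into an exception message. */
    private static final int MAX_ERROR_BODY_CHARS = 1024;

    /** Gson instances are thread-safe, so one shared parser is enough. */
    private static final Gson GSON = new Gson();

    private String clientId;
    private String clientSecret;
    private String authorizationEndpoint;
    private String tokenEndpoint;
    private String scope;
    private String[] nameAttributes;
    private String[] displayNameAttributes;
    private String[] emailAttributes;

    /**
     * Authentication result that also carries the raw tokens returned by the IdP.
     * <p>
     * Both tokens are bearer credentials (the access token acts on the user's behalf at the IdP,
     * the ID Token carries the user's identity claims). Treat them as secrets and never log them.
     */
    public static class OpenIDAuthenticationInfo extends AuthenticationInfo {
        public String idToken;
        public String accessToken;

        /**
         * @param authModule the module that produced this result
         * @param idToken the raw ID Token (JWT) from the token response
         * @param accessToken the raw access token from the token response
         * @param username the Yamcs username resolved from the ID Token claims
         */
        OpenIDAuthenticationInfo(AuthModule authModule, String idToken, String accessToken, String username) {
            super(authModule, username);
            this.idToken = idToken;
            this.accessToken = accessToken;
        }
    }

    /**
     * Declares the module's configuration options.
     * <p>
     * {@code clientSecret} is flagged with {@code withSecret(true)}. {@code attributes} lists, in
     * order of preference, the ID Token claims used for the Yamcs username, e-mail and display name.
     */
    @Override
    public Spec getSpec() {
        Spec attributesSpec = new Spec();
        attributesSpec.addOption("name", Spec.OptionType.LIST_OR_ELEMENT)
                .withElementType(Spec.OptionType.STRING)
                .withDefault(Arrays.asList("preferred_username", "nickname", "email"));
        attributesSpec.addOption("email", Spec.OptionType.LIST_OR_ELEMENT)
                .withElementType(Spec.OptionType.STRING)
                .withDefault("email");
        attributesSpec.addOption("displayName", Spec.OptionType.LIST_OR_ELEMENT)
                .withElementType(Spec.OptionType.STRING)
                .withDefault("name");

        Spec spec = new Spec();
        spec.addOption("authorizationEndpoint", Spec.OptionType.STRING).withRequired(true);
        spec.addOption("tokenEndpoint", Spec.OptionType.STRING).withRequired(true);
        spec.addOption("clientId", Spec.OptionType.STRING).withRequired(true);
        spec.addOption("clientSecret", Spec.OptionType.STRING).withRequired(true).withSecret(true);
        spec.addOption("scope", Spec.OptionType.STRING).withDefault("openid profile email");
        spec.addOption("attributes", Spec.OptionType.MAP).withSpec(attributesSpec).withApplySpecDefaults(true);
        return spec;
    }

    /**
     * Reads the module configuration.
     * <p>
     * Security note: this module does not verify the ID Token signature (see
     * {@link #authenticateByCode}), so the integrity of every login rests on {@code tokenEndpoint}
     * being an HTTPS URL of the trusted IdP (OpenID Connect Core 3.1.3.7, item 6 permits relying on
     * TLS server validation for tokens obtained directly from the token endpoint). With a plain
     * http:// endpoint anyone on the network path can mint identities. This is not rejected here so
     * that local test setups keep working — NOTE(review): consider refusing non-https endpoints
     * outside development.
     */
    @Override
    public void init(YConfiguration config) throws InitException {
        authorizationEndpoint = config.getString("authorizationEndpoint");
        tokenEndpoint = config.getString("tokenEndpoint");
        scope = config.getString("scope");
        clientId = config.getString("clientId");
        clientSecret = config.getString("clientSecret");

        YConfiguration attributes = config.getConfig("attributes");
        nameAttributes = toArray(attributes, "name");
        displayNameAttributes = toArray(attributes, "displayName");
        emailAttributes = toArray(attributes, "email");
    }

    /** Reads a LIST_OR_ELEMENT option as a plain string array. */
    private static String[] toArray(YConfiguration config, String key) {
        return (String[]) config.getList(key).toArray(new String[0]);
    }

    /**
     * Handles login tokens of the form {@code "oidc <jwt>"} carried in a
     * {@link ThirdPartyAuthorizationCode}.
     * <p>
     * The JWT is the front-channel wrapper (presumably built by the web client) holding the
     * authorization code and the redirect_uri it received from the IdP. It is decoded without
     * signature verification because neither value is trusted on its own: both are submitted to the
     * IdP, which is expected to reject a forged or replayed code and a redirect_uri that does not
     * match the authorization request (RFC 6749 section 4.1.3).
     *
     * @return the authenticated identity, or {@code null} if the token is not for this module
     * @throws AuthenticationException if the wrapper cannot be decoded, the IdP rejects the code,
     *         or the returned ID Token fails the claim checks
     */
    @Override
    public AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        if (!(token instanceof ThirdPartyAuthorizationCode)) {
            return null;
        }
        String principal = ((ThirdPartyAuthorizationCode) token).getPrincipal();
        if (principal == null || !principal.startsWith(OIDC_PREFIX)) {
            return null;
        }
        JsonObject codeRequest;
        try {
            codeRequest = JwtHelper.decodeUnverified(principal.substring(OIDC_PREFIX.length()));
        } catch (JwtHelper.JwtDecodeException e) {
            throw new AuthenticationException("Invalid JWT", e);
        }
        return authenticateByCode(codeRequest);
    }

    /**
     * Exchanges the authorization code for tokens and builds the identity from the ID Token.
     * <p>
     * The ID Token signature is not checked ({@code decodeUnverified}). That is acceptable only
     * because the token arrives over the direct TLS channel to the configured token endpoint,
     * authenticated with the client secret; the remaining mandatory checks from OpenID Connect Core
     * 3.1.3.7 that can be done with the available configuration — audience and expiry — are applied
     * in {@link #validateIdTokenClaims}. The issuer is not validated because no expected issuer is
     * configured, and no nonce is checked because none is visible in this flow — NOTE(review):
     * confirm the authorization request is protected against replay elsewhere.
     *
     * @param codeRequest decoded wrapper with {@code code} and {@code redirect_uri}
     * @throws AuthenticationException if a required field is missing, the IdP rejects the exchange,
     *         or the ID Token is not acceptable
     */
    private AuthenticationInfo authenticateByCode(JsonObject codeRequest) throws AuthenticationException {
        String code = requireString(codeRequest, "code", "login request");
        String redirectUri = requireString(codeRequest, LoginRequest.REDIRECT_URI, "login request");

        JsonObject tokenResponse = exchangeCode(code, redirectUri);
        String idToken = requireString(tokenResponse, "id_token", "token response");
        String accessToken = requireString(tokenResponse, "access_token", "token response");

        JsonObject claims;
        try {
            claims = JwtHelper.decodeUnverified(idToken);
        } catch (JwtHelper.JwtDecodeException e) {
            throw new AuthenticationException("Invalid ID Token", e);
        }
        validateIdTokenClaims(claims);
        return createAuthenticationInfo(idToken, accessToken, claims);
    }

    /**
     * POSTs the authorization-code grant to the token endpoint (RFC 6749 section 4.1.3) using
     * HTTP Basic client authentication and returns the parsed JSON body.
     *
     * @throws AuthenticationException on any transport failure, non-200 status or unparsable body
     */
    private JsonObject exchangeCode(String code, String redirectUri) throws AuthenticationException {
        Map<String, String> form = new HashMap<>();
        form.put("grant_type", "authorization_code");
        form.put("code", code);
        form.put(LoginRequest.REDIRECT_URI, redirectUri);
        byte[] body = encodeRequestBody(form);

        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(tokenEndpoint).openConnection();
            conn.setConnectTimeout(HTTP_TIMEOUT_MS);
            conn.setReadTimeout(HTTP_TIMEOUT_MS);
            conn.setRequestMethod("POST");
            conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
            conn.setRequestProperty("Authorization", "Basic " + basicCredentials());
            conn.setDoOutput(true);
            try (OutputStream out = conn.getOutputStream()) {
                out.write(body);
            }

            int status = conn.getResponseCode();
            if (status != 200) {
                throw new AuthenticationException(describeErrorResponse(conn, status));
            }
            try (BufferedReader reader = new BufferedReader(
                    new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8))) {
                JsonObject response = GSON.fromJson(reader, JsonObject.class);
                if (response == null) {
                    throw new AuthenticationException("Empty response from token endpoint");
                }
                return response;
            }
        } catch (IOException e) {
            throw new AuthenticationException("Token endpoint request failed: " + e.getMessage(), e);
        }
    }

    /**
     * Builds the Basic credential {@code base64(clientId ":" clientSecret)}.
     * <p>
     * RFC 6749 section 2.3.1 says both values should be form-urlencoded before Base64 encoding;
     * the raw form used here is what most IdPs accept and is kept for compatibility. A secret
     * containing {@code ':'} or non-ASCII characters may be misread by a strictly conforming server.
     */
    private String basicCredentials() {
        byte[] raw = (clientId + ":" + clientSecret).getBytes(StandardCharsets.UTF_8);
        return Base64.getEncoder().encodeToString(raw);
    }

    /**
     * Summarises a non-200 token response: the status plus at most {@link #MAX_ERROR_BODY_CHARS}
     * of the body, if the server sent one. The body is copied as text rather than parsed, so a
     * non-JSON error page cannot turn into an unexpected runtime exception.
     */
    private static String describeErrorResponse(HttpURLConnection conn, int status) throws IOException {
        StringBuilder message = new StringBuilder("Token endpoint returned HTTP ").append(status);
        InputStream errorStream = conn.getErrorStream();
        if (errorStream == null) {
            return message.toString();
        }
        try (BufferedReader reader = new BufferedReader(new InputStreamReader(errorStream, StandardCharsets.UTF_8))) {
            StringBuilder body = new StringBuilder();
            char[] chunk = new char[256];
            int read;
            while (body.length() < MAX_ERROR_BODY_CHARS && (read = reader.read(chunk)) != -1) {
                body.append(chunk, 0, read);
            }
            if (body.length() > MAX_ERROR_BODY_CHARS) {
                body.setLength(MAX_ERROR_BODY_CHARS);
            }
            if (body.length() > 0) {
                message.append(": ").append(body);
            }
        }
        return message.toString();
    }

    /**
     * Applies the ID Token checks that need no extra configuration (OpenID Connect Core 3.1.3.7):
     * {@code iss} and {@code sub} must be present (they form the external identity key, so a missing
     * value would collapse distinct users onto one identity), {@code aud} must contain this
     * client_id (a token issued to another client must not log anyone in here), and {@code exp},
     * when present, must not be in the past beyond {@link #EXP_LEEWAY_SECONDS}.
     */
    private void validateIdTokenClaims(JsonObject claims) throws AuthenticationException {
        requireString(claims, "iss", "ID Token");
        requireString(claims, "sub", "ID Token");

        JsonElement aud = claims.get("aud");
        if (aud == null || !audienceContains(aud, clientId)) {
            throw new AuthenticationException("ID Token audience does not include this client_id");
        }

        JsonElement exp = claims.get("exp");
        if (exp != null && exp.isJsonPrimitive()) {
            long expSeconds;
            try {
                expSeconds = exp.getAsLong();
            } catch (NumberFormatException e) {
                throw new AuthenticationException("Invalid exp claim in ID Token", e);
            }
            long nowSeconds = System.currentTimeMillis() / 1000;
            if (nowSeconds > expSeconds + EXP_LEEWAY_SECONDS) {
                throw new AuthenticationException("ID Token has expired");
            }
        }
    }

    /**
     * {@code aud} may be a single string or an array of strings; either form must list
     * {@code expected}. When several audiences are present the spec also asks for an {@code azp}
     * check, which is not done here.
     */
    private static boolean audienceContains(JsonElement aud, String expected) {
        if (aud.isJsonPrimitive()) {
            return expected.equals(aud.getAsString());
        }
        if (aud.isJsonArray()) {
            for (JsonElement entry : aud.getAsJsonArray()) {
                if (entry.isJsonPrimitive() && expected.equals(entry.getAsString())) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Returns the string value of {@code key}, or throws a clean {@link AuthenticationException}
     * instead of the NullPointerException / UnsupportedOperationException Gson would raise when the
     * field is absent, null or not a primitive.
     *
     * @param source a short description of where the object came from, for the error message
     */
    private static String requireString(JsonObject object, String key, String source)
            throws AuthenticationException {
        JsonElement value = object.get(key);
        if (value == null || !value.isJsonPrimitive()) {
            throw new AuthenticationException("Missing or invalid '" + key + "' in " + source);
        }
        return value.getAsString();
    }

    /**
     * Maps ID Token claims to an {@link OpenIDAuthenticationInfo}. The username is the first
     * configured name attribute present in the claims; a user with none of them is rejected rather
     * than created with a null principal. The external identity is recorded as the
     * {@code {iss, sub}} pair, the stable user identifier defined by OpenID Connect.
     */
    private OpenIDAuthenticationInfo createAuthenticationInfo(String idToken, String accessToken, JsonObject claims)
            throws AuthenticationException {
        String username = findAttribute(claims, nameAttributes);
        if (username == null) {
            throw new AuthenticationException(
                    "ID Token carries none of the configured name attributes " + Arrays.toString(nameAttributes));
        }
        OpenIDAuthenticationInfo info = new OpenIDAuthenticationInfo(this, idToken, accessToken, username);
        info.setEmail(findAttribute(claims, emailAttributes));
        info.setDisplayName(findAttribute(claims, displayNameAttributes));

        JsonObject externalId = new JsonObject();
        externalId.add("iss", claims.get("iss"));
        externalId.add("sub", claims.get("sub"));
        info.addExternalIdentity(getClass().getName(), externalId.toString());
        return info;
    }

    /**
     * Returns the value of the first candidate claim that is present as a JSON primitive, or
     * {@code null} if none is. JSON nulls, objects and arrays are skipped instead of letting
     * {@code getAsString()} throw.
     */
    private static String findAttribute(JsonObject claims, String[] candidates) {
        for (String candidate : candidates) {
            JsonElement value = claims.get(candidate);
            if (value != null && value.isJsonPrimitive()) {
                return value.getAsString();
            }
        }
        return null;
    }

    /** This module grants no roles or privileges of its own; authorization comes from elsewhere. */
    @Override
    public AuthorizationInfo getAuthorizationInfo(AuthenticationInfo authenticationInfo) throws AuthorizationException {
        return new AuthorizationInfo();
    }

    /**
     * Always {@code true}: once logged in, the identity is never re-checked against the IdP and the
     * ID Token's expiry is not re-evaluated. Session lifetime is therefore governed entirely by the
     * caller — NOTE(review): confirm that is the intended behaviour.
     */
    @Override
    public boolean verifyValidity(AuthenticationInfo authenticationInfo) {
        return true;
    }

    /** The configured OAuth 2.0 client identifier. */
    public String getClientId() {
        return clientId;
    }

    /** The IdP's authorization endpoint, where the front channel sends the user. */
    public String getAuthorizationEndpoint() {
        return authorizationEndpoint;
    }

    /** The scope string requested from the IdP. */
    public String getScope() {
        return scope;
    }

    /**
     * Serialises the map as an {@code application/x-www-form-urlencoded} body in UTF-8.
     * Pair order follows the map's iteration order, which the token endpoint does not care about.
     */
    private static byte[] encodeRequestBody(Map<String, String> form) {
        try {
            StringBuilder encoded = new StringBuilder();
            for (Map.Entry<String, String> entry : form.entrySet()) {
                if (encoded.length() != 0) {
                    encoded.append('&');
                }
                encoded.append(URLEncoder.encode(entry.getKey(), StandardCharsets.UTF_8.name()))
                        .append('=')
                        .append(URLEncoder.encode(entry.getValue(), StandardCharsets.UTF_8.name()));
            }
            return encoded.toString().getBytes(StandardCharsets.UTF_8);
        } catch (UnsupportedEncodingException e) {
            // UTF-8 is mandatory for every JVM; reaching this is a JVM defect, not a caller error.
            throw new AssertionError("UTF-8 not supported", e);
        }
    }
}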
