package net.bluemind.webmodule.authenticationfilter;

import com.auth0.jwt.JWT;
import com.auth0.jwt.interfaces.Claim;
import com.google.common.base.Strings;
import com.google.common.hash.HashFunction;
import com.google.common.hash.Hashing;
import io.netty.handler.codec.http.cookie.Cookie;
import io.netty.handler.codec.http.cookie.DefaultCookie;
import io.netty.handler.codec.http.cookie.ServerCookieDecoder;
import io.netty.handler.codec.http.cookie.ServerCookieEncoder;
import io.vertx.core.MultiMap;
import io.vertx.core.Vertx;
import io.vertx.core.buffer.Buffer;
import io.vertx.core.http.HttpHeaders;
import io.vertx.core.http.HttpMethod;
import io.vertx.core.http.HttpServerRequest;
import io.vertx.core.json.JsonObject;
import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.TimeUnit;
import net.bluemind.backend.cyrus.partitions.CyrusPartition;
import net.bluemind.core.api.BMVersion;
import net.bluemind.core.api.auth.AuthDomainProperties;
import net.bluemind.core.api.auth.AuthTypes;
import net.bluemind.keycloak.api.IKeycloakUids;
import net.bluemind.keycloak.utils.endpoint.KeycloakEndpoints;
import net.bluemind.keydb.sessiondata.CodeVerifierCache;
import net.bluemind.keydb.sessiondata.SessionData;
import net.bluemind.keydb.sessiondata.SessionDataStore;
import net.bluemind.lib.elasticsearch.config.ElasticsearchClientConfig;
import net.bluemind.lib.elasticsearch.config.IndexAliasMode;
import net.bluemind.lib.elasticsearch.config.Mode;
import net.bluemind.network.topology.Topology;
import net.bluemind.server.api.Server;
import net.bluemind.server.api.TagDescriptor;
import net.bluemind.webmodule.authenticationfilter.CasHandler;
import net.bluemind.webmodule.authenticationfilter.internal.AuthenticationCookie;
import net.bluemind.webmodule.authenticationfilter.internal.DomainsHelper;
import net.bluemind.webmodule.server.IWebFilter;
import net.bluemind.webmodule.server.NeedVertx;
import net.bluemind.webmodule.server.SecurityConfig;
import net.bluemind.webmodule.server.WebserverConfiguration;
import net.bluemind.webmodule.server.forward.ForwardedLocation;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/bluemind/webmodule/authenticationfilter/AuthenticationFilter.class */
public class AuthenticationFilter implements IWebFilter, NeedVertx {
    private static final Logger logger = LoggerFactory.getLogger(AuthenticationFilter.class);
    private static final HashFunction sha256 = Hashing.sha256();
    private static final Base64.Encoder b64UrlEncoder = Base64.getUrlEncoder().withoutPadding();
    private static final ServerCookieDecoder cookieDecoder = ServerCookieDecoder.LAX;
    private static final String REDIRECT_PROTO = "https://";
    private Vertx vertx;
    private static volatile /* synthetic */ int[] $SWITCH_TABLE$net$bluemind$core$api$auth$AuthTypes;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:net/bluemind/webmodule/authenticationfilter/AuthenticationFilter$InvalidIdToken.class */
    public static class InvalidIdToken extends Exception {
        public final String sessionId;

        public InvalidIdToken() {
            this.sessionId = null;
        }

        public InvalidIdToken(String str) {
            this.sessionId = str;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:net/bluemind/webmodule/authenticationfilter/AuthenticationFilter$JWTInvalidSid.class */
    public static class JWTInvalidSid extends RuntimeException {
        private JWTInvalidSid() {
        }
    }

    public AuthenticationFilter() {
        logger.info("AuthenticationFilter filter created.");
    }

    public void setVertx(Vertx vertx) {
        this.vertx = vertx;
        vertx.eventBus().consumer("bm.core.session", message -> {
            JsonObject jsonObject = (JsonObject) message.body();
            if ("logout".equals(jsonObject.getString("operation"))) {
                SessionDataStore.get().invalidate(jsonObject.getString("sid"));
            }
        });
    }

    public CompletableFuture<HttpServerRequest> filter(HttpServerRequest httpServerRequest, WebserverConfiguration webserverConfiguration) {
        Optional<ForwardedLocation> findFirst = webserverConfiguration.getForwardedLocations().stream().filter(forwardedLocation -> {
            return httpServerRequest.path().startsWith(forwardedLocation.getPathPrefix());
        }).findFirst();
        if (needAuthentication(httpServerRequest, findFirst)) {
            return httpServerRequest.path().endsWith("/bluemind_sso_logout") ? logout(httpServerRequest) : httpServerRequest.path().endsWith("/bluemind_sso_logout/backchannel") ? backChannelLogout(httpServerRequest) : (CompletableFuture) findFirst.flatMap(forwardedLocation2 -> {
                return forwardedLocation2.resolve();
            }).map(resolvedLoc -> {
                return forwardedLocation(httpServerRequest);
            }).orElseGet(() -> {
                return notForwardedLocation(httpServerRequest);
            });
        }
        if (logger.isDebugEnabled()) {
            logger.debug("[{}] No auth needed", httpServerRequest.path());
        }
        return sessionExists(httpServerRequest).orElse(CompletableFuture.completedFuture(httpServerRequest));
    }

    private CompletableFuture<HttpServerRequest> notForwardedLocation(HttpServerRequest httpServerRequest) {
        return sessionExists(httpServerRequest).orElseGet(() -> {
            String domainUid = DomainsHelper.getDomainUid(httpServerRequest);
            if (isCasEnabled(domainUid)) {
                redirectToCasLogin(httpServerRequest, domainUid);
            } else {
                redirectToOpenIdServer(httpServerRequest, domainUid);
            }
            return CompletableFuture.completedFuture(null);
        });
    }

    private CompletableFuture<HttpServerRequest> forwardedLocation(HttpServerRequest httpServerRequest) {
        return sessionExists(httpServerRequest).orElseGet(() -> {
            String domainUid = DomainsHelper.getDomainUid(httpServerRequest);
            if (isCasEnabled(domainUid)) {
                redirectToCasLogin(httpServerRequest, domainUid);
            } else {
                httpServerRequest.response().setStatusCode(302);
                httpServerRequest.response().headers().add(HttpHeaders.LOCATION, "/bluemind_sso_logout");
                httpServerRequest.response().end();
            }
            return CompletableFuture.completedFuture(null);
        });
    }

    private void redirectToCasLogin(HttpServerRequest httpServerRequest, String str) {
        try {
            CasHandler.CASRequest.build(httpServerRequest, str).redirectToCasLogin();
        } catch (Exception e) {
            logger.error(e.getMessage(), e);
            httpServerRequest.response().setStatusCode(500).end();
        }
    }

    private Optional<CompletableFuture<HttpServerRequest>> sessionExists(HttpServerRequest httpServerRequest) {
        SessionDataStore sessionDataStore = SessionDataStore.get();
        Optional<String> sessionId = sessionId(httpServerRequest);
        sessionDataStore.getClass();
        return sessionId.map(sessionDataStore::getIfPresent).map(sessionData -> {
            if (logger.isDebugEnabled()) {
                logger.debug("[{}] Session data for session ID {} found in store", httpServerRequest.path(), sessionData.authKey);
            }
            decorate(httpServerRequest, sessionData);
            return CompletableFuture.completedFuture(httpServerRequest);
        });
    }

    private void redirectToOpenIdServer(HttpServerRequest httpServerRequest, String str) {
        String realmId = IKeycloakUids.realmId(str);
        Map map = (Map) DomainsSettings.get().get(str);
        String uuid = UUID.randomUUID().toString();
        String path = getPath(httpServerRequest);
        JsonObject jsonObject = new JsonObject();
        jsonObject.put("codeVerifierKey", uuid);
        jsonObject.put("path", path);
        jsonObject.put("domain_uid", str);
        String encodeToString = b64UrlEncoder.encodeToString(jsonObject.encode().getBytes());
        String createCodeVerifier = createCodeVerifier();
        CodeVerifierCache.put(uuid, createCodeVerifier);
        String encodeToString2 = b64UrlEncoder.encodeToString(sha256.hashString(createCodeVerifier, StandardCharsets.UTF_8).asBytes());
        try {
            String str2 = (String) map.get(AuthDomainProperties.AUTH_TYPE.name());
            String str3 = (((((((AuthTypes.INTERNAL.name().equals(str2) || AuthTypes.KERBEROS.name().equals(str2)) ? KeycloakEndpoints.authorizationEndpoint(realmId) + "?client_id=" + IKeycloakUids.clientId(realmId) : ((String) map.get(AuthDomainProperties.OPENID_AUTHORISATION_ENDPOINT.name())) + "?client_id=" + encode((String) map.get(AuthDomainProperties.OPENID_CLIENT_ID.name()))) + "&redirect_uri=" + encode("https://" + httpServerRequest.authority().host() + "/auth/openid")) + "&code_challenge=" + encode(encodeToString2)) + "&state=" + encode(encodeToString)) + "&code_challenge_method=S256") + "&response_type=code") + "&scope=openid";
            DefaultCookie defaultCookie = new DefaultCookie(AuthenticationCookie.BMREDIRECT, path);
            defaultCookie.setPath("/");
            defaultCookie.setHttpOnly(false);
            if (SecurityConfig.secureCookies) {
                defaultCookie.setSecure(true);
            }
            httpServerRequest.response().headers().add(HttpHeaders.SET_COOKIE, ServerCookieEncoder.LAX.encode(defaultCookie));
            httpServerRequest.response().headers().add(HttpHeaders.LOCATION, str3);
            httpServerRequest.response().setStatusCode(302);
        } catch (NullPointerException e) {
            logger.error("Unable to get OPENID location", e);
            httpServerRequest.response().setStatusCode(500);
        }
        httpServerRequest.response().end();
    }

    private String getPath(HttpServerRequest httpServerRequest) {
        String str;
        String str2 = (String) Optional.ofNullable(httpServerRequest.path()).orElse("/");
        if ("/visio/".equals(str2)) {
            return httpServerRequest.headers().get(HttpHeaders.REFERER);
        }
        String str3 = httpServerRequest.params().get("askedUri");
        if (Strings.isNullOrEmpty(str3)) {
            str = str2 + (httpServerRequest.query() != null ? "?" + httpServerRequest.query() : "");
        } else {
            str = str3;
        }
        return str;
    }

    private boolean isCasEnabled(String str) {
        return AuthTypes.CAS.name().equals((String) ((Map) DomainsSettings.get().get(str)).get(AuthDomainProperties.AUTH_TYPE.name()));
    }

    private boolean needAuthentication(HttpServerRequest httpServerRequest, Optional<ForwardedLocation> optional) {
        if (!optional.isPresent()) {
            return true;
        }
        ForwardedLocation forwardedLocation = optional.get();
        return !forwardedLocation.isWhitelisted(httpServerRequest.uri()) && forwardedLocation.needAuth();
    }

    private Optional<String> sessionId(HttpServerRequest httpServerRequest) {
        Set decode = cookieDecoder.decode((String) Optional.ofNullable(httpServerRequest.headers().get("cookie")).orElse(""));
        Optional findFirst = decode.stream().filter(cookie -> {
            return AuthenticationCookie.OPENID_SESSION.equals(cookie.name());
        }).findFirst();
        if (findFirst.isPresent()) {
            JsonObject jsonObject = new JsonObject(((Cookie) findFirst.get()).value());
            if (logger.isDebugEnabled()) {
                logger.debug("[{}] Session ID {} found in {} cookie", new Object[]{httpServerRequest.path(), jsonObject.getString("sid"), AuthenticationCookie.OPENID_SESSION});
            }
            return Optional.of(jsonObject.getString("sid"));
        }
        Optional findFirst2 = decode.stream().filter(cookie2 -> {
            return AuthenticationCookie.BMSID.equals(cookie2.name());
        }).findFirst();
        if (findFirst2.isPresent()) {
            if (logger.isDebugEnabled()) {
                logger.debug("[{}] Session ID {} found in {} cookie", new Object[]{httpServerRequest.path(), ((Cookie) findFirst2.get()).value(), AuthenticationCookie.BMSID});
            }
            return Optional.of(((Cookie) findFirst2.get()).value());
        }
        if (logger.isDebugEnabled()) {
            logger.debug("[{}] No session ID found", httpServerRequest.path());
        }
        return Optional.empty();
    }

    private CompletableFuture<HttpServerRequest> logout(HttpServerRequest httpServerRequest) {
        String str;
        AuthenticationCookie.purge(httpServerRequest);
        String domainUid = DomainsHelper.getDomainUid(httpServerRequest);
        Map map = (Map) DomainsSettings.get().get(domainUid);
        switch ($SWITCH_TABLE$net$bluemind$core$api$auth$AuthTypes()[AuthTypes.get((String) map.get(AuthDomainProperties.AUTH_TYPE.name())).ordinal()]) {
            case 3:
                str = (((String) map.get(AuthDomainProperties.CAS_URL.name())) + "logout") + ((String) getRedirectUrl(httpServerRequest).map(str2 -> {
                    return "?url=" + str2;
                }).orElse(""));
                break;
            case 4:
                sessionId(httpServerRequest).ifPresent(str3 -> {
                    this.vertx.setTimer(TimeUnit.SECONDS.toMillis(10L), l -> {
                        this.vertx.executeBlocking(() -> {
                            new AuthProvider(this.vertx, domainUid).logout(str3);
                            return l;
                        }, false);
                    });
                });
                str = (String) map.get(AuthDomainProperties.OPENID_END_SESSION_ENDPOINT.name());
                break;
            default:
                try {
                    String orElseThrow = sessionId(httpServerRequest).orElseThrow(InvalidIdToken::new);
                    str = (KeycloakEndpoints.endSessionEndpoint(IKeycloakUids.realmId(domainUid)) + ((String) getRedirectUrl(httpServerRequest).map(str4 -> {
                        return "?post_logout_redirect_uri=" + str4;
                    }).orElse(""))) + ((String) Optional.ofNullable(SessionDataStore.get().getIfPresent(orElseThrow)).map(sessionData -> {
                        return sessionData.jwtToken;
                    }).map(jsonObject -> {
                        return jsonObject.getString("id_token");
                    }).map(str5 -> {
                        return "&id_token_hint=" + str5;
                    }).orElseThrow(() -> {
                        return new InvalidIdToken(orElseThrow);
                    }));
                    break;
                } catch (InvalidIdToken e) {
                    str = "/";
                    if (e.sessionId != null) {
                        new AuthProvider(this.vertx, domainUid).logout(e.sessionId);
                        break;
                    }
                }
                break;
        }
        httpServerRequest.response().headers().add(HttpHeaders.LOCATION, str == null ? "/" : str);
        httpServerRequest.response().setStatusCode(302);
        httpServerRequest.response().end();
        return CompletableFuture.completedFuture(null);
    }

    private CompletableFuture<HttpServerRequest> backChannelLogout(HttpServerRequest httpServerRequest) {
        if (!isValidRequest(httpServerRequest)) {
            logger.info("Backchannel logout: invalid session");
            return CompletableFuture.completedFuture(null);
        }
        httpServerRequest.setExpectMultipart(true).endHandler(r5 -> {
            backChannelLogoutProcesRequest(httpServerRequest);
        }).exceptionHandler(th -> {
            logger.error("JWT logout token process error from {}: {}", new Object[]{httpServerRequest.headers().getAll("X-Forwarded-For"), th.getMessage(), th});
            backChannelLogoutError(httpServerRequest, "JWT logout token process error: " + th.getMessage());
        });
        if (!httpServerRequest.isEnded()) {
            httpServerRequest.resume();
        }
        return CompletableFuture.completedFuture(null);
    }

    private void backChannelLogoutProcesRequest(HttpServerRequest httpServerRequest) {
        Claim claim = JWT.decode(httpServerRequest.getFormAttribute("logout_token")).getClaim("sid");
        if (claim.isMissing() || claim.isNull()) {
            throw new JWTInvalidSid();
        }
        SessionData fromSessionState = SessionDataStore.get().getFromSessionState(claim.asString());
        if (fromSessionState != null) {
            new AuthProvider(this.vertx, fromSessionState.domainUid).logout(fromSessionState);
        } else {
            logger.warn("Backchannel logout: session not found for JWTSid {}", claim.asString());
        }
        backChannelLogoutSuccess(httpServerRequest);
    }

    public void backChannelLogoutSuccess(HttpServerRequest httpServerRequest) {
        logger.debug("Bachchannel logout successfully");
        backChannelResponse(httpServerRequest, 200, new JsonObject().put("status", "ok").toBuffer());
    }

    public void backChannelLogoutError(HttpServerRequest httpServerRequest, String str) {
        backChannelResponse(httpServerRequest, 400, new JsonObject().put("error", "invalid_request").put("error_description", str).toBuffer());
    }

    public void backChannelResponse(HttpServerRequest httpServerRequest, int i, Buffer buffer) {
        httpServerRequest.response().putHeader(HttpHeaders.CACHE_CONTROL, "no-store").setStatusCode(i).end(buffer);
    }

    private boolean isValidRequest(HttpServerRequest httpServerRequest) {
        if (httpServerRequest.method() != HttpMethod.POST) {
            backChannelLogoutError(httpServerRequest, "Request must use POST method");
            return false;
        }
        if (!httpServerRequest.headers().get(HttpHeaders.CONTENT_TYPE).contentEquals(HttpHeaders.APPLICATION_X_WWW_FORM_URLENCODED.toString())) {
            backChannelLogoutError(httpServerRequest, "Invalid request content");
            return false;
        }
        Long l = null;
        try {
            l = Long.valueOf(Long.parseLong(httpServerRequest.headers().get(HttpHeaders.CONTENT_LENGTH)));
        } catch (NumberFormatException unused) {
        }
        if (l != null && l.longValue() <= 100000) {
            return true;
        }
        logger.error("Backchannel request too Big: {}", l);
        backChannelLogoutError(httpServerRequest, "Too big");
        return false;
    }

    private Optional<String> getRedirectUrl(HttpServerRequest httpServerRequest) {
        try {
            return Optional.ofNullable(URLEncoder.encode("https://" + URI.create(httpServerRequest.absoluteURI()).toURL().getHost() + "/", StandardCharsets.UTF_8.toString()));
        } catch (UnsupportedEncodingException | MalformedURLException e) {
            logger.warn("Unable to get logout redirect URL", e);
            return Optional.empty();
        }
    }

    private String createCodeVerifier() {
        byte[] bArr = new byte[32];
        new SecureRandom().nextBytes(bArr);
        return b64UrlEncoder.encodeToString(bArr);
    }

    private void decorate(HttpServerRequest httpServerRequest, SessionData sessionData) {
        MultiMap headers = httpServerRequest.headers();
        headers.add("BMSessionId", sessionData.authKey);
        headers.add("BMUserId", sessionData.userUid);
        headers.add("BMUserLogin", sessionData.login);
        headers.add("BMAccountType", sessionData.accountType);
        headers.add("BMUserLATD", sessionData.loginAtDomain);
        if (sessionData.defaultEmail != null) {
            headers.add("BMUserDefaultEmail", sessionData.defaultEmail);
        }
        headers.add("BMMailboxCopyGuid", sessionData.mailboxCopyGuid);
        headers.add("BMUserDomainId", sessionData.domainUid);
        addIfPresent(headers, sessionData.givenNames, "BMUserFirstName");
        addIfPresent(headers, sessionData.familyNames, "BMUserLastName");
        addIfPresent(headers, sessionData.formatedName, sessionData.login, "BMUserFormatedName");
        headers.add("BMRoles", sessionData.rolesAsString);
        headers.add("BMUserMailPerms", "true");
        headers.add("bmMailPerms", "true");
        Map map = sessionData.settings;
        String str = (String) map.get("lang");
        headers.add("BMLang", str == null ? "en" : str);
        String str2 = (String) map.get("default_app");
        if (sessionData.loginAtDomain.equals("admin0@global.virt")) {
            str2 = "/adminconsole/";
        }
        headers.add("BMDefaultApp", str2 != null ? str2 : "/webapp/mail/");
        headers.add("BMPrivateComputer", sessionData.privateComputer);
        headers.add("BMHasIM", "true");
        headers.add("BMVersion", BMVersion.getVersion());
        headers.add("BMBrandVersion", BMVersion.getVersionName());
        if (sessionData.dataLocation != null) {
            headers.add("BMDataLocation", sessionData.dataLocation);
            headers.add("BMPartition", CyrusPartition.forServerAndDomain(sessionData.dataLocation, sessionData.domainUid).name);
            Topology.getIfAvailable().ifPresent(iServiceTopology -> {
                headers.add("bmTopoCore", ((Server) iServiceTopology.any(TagDescriptor.bm_core.getTag()).value).address());
                headers.add("bmTopoEs", ((Server) iServiceTopology.any(TagDescriptor.bm_es.getTag()).value).address());
                headers.add("bmTopoEsAliasCount", String.valueOf(100 * ElasticsearchClientConfig.getMaxAliasMultiplier()));
                headers.add("bmTopoEsRingMode", IndexAliasMode.getMode() == Mode.RING ? "true" : "false");
                headers.add("bmTopoImap", ((Server) iServiceTopology.datalocation(sessionData.dataLocation).value).address());
                iServiceTopology.anyIfPresent("cti/frontend").ifPresent(itemValue -> {
                    headers.add("bmTopoCti", ((Server) itemValue.value).address());
                });
            });
        }
    }

    private void addIfPresent(MultiMap multiMap, String str, String str2, String str3) {
        if (addIfPresent(multiMap, str, str3)) {
            return;
        }
        addIfPresent(multiMap, str2, str3);
    }

    private boolean addIfPresent(MultiMap multiMap, String str, String str2) {
        if (str == null) {
            return false;
        }
        multiMap.add(str2, Base64.getEncoder().encodeToString(str.getBytes()));
        return true;
    }

    private String encode(String str) {
        return URLEncoder.encode(str, StandardCharsets.UTF_8);
    }

    static /* synthetic */ int[] $SWITCH_TABLE$net$bluemind$core$api$auth$AuthTypes() {
        int[] iArr = $SWITCH_TABLE$net$bluemind$core$api$auth$AuthTypes;
        if (iArr != null) {
            return iArr;
        }
        int[] iArr2 = new int[AuthTypes.values().length];
        try {
            iArr2[AuthTypes.CAS.ordinal()] = 3;
        } catch (NoSuchFieldError unused) {
        }
        try {
            iArr2[AuthTypes.INTERNAL.ordinal()] = 1;
        } catch (NoSuchFieldError unused2) {
        }
        try {
            iArr2[AuthTypes.KERBEROS.ordinal()] = 2;
        } catch (NoSuchFieldError unused3) {
        }
        try {
            iArr2[AuthTypes.OPENID.ordinal()] = 4;
        } catch (NoSuchFieldError unused4) {
        }
        $SWITCH_TABLE$net$bluemind$core$api$auth$AuthTypes = iArr2;
        return iArr2;
    }
}
