package net.bluemind.webmodule.authenticationfilter;

import com.auth0.jwt.JWT;
import com.auth0.jwt.exceptions.JWTDecodeException;
import com.auth0.jwt.interfaces.Claim;
import com.google.common.base.Strings;
import io.vertx.core.AsyncResult;
import io.vertx.core.Handler;
import io.vertx.core.MultiMap;
import io.vertx.core.buffer.Buffer;
import io.vertx.core.http.HttpClientRequest;
import io.vertx.core.http.HttpClientResponse;
import io.vertx.core.http.HttpHeaders;
import io.vertx.core.http.HttpMethod;
import io.vertx.core.http.HttpServerRequest;
import io.vertx.core.http.RequestOptions;
import io.vertx.core.json.DecodeException;
import io.vertx.core.json.JsonObject;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import java.util.function.Consumer;
import net.bluemind.core.api.auth.AuthDomainProperties;
import net.bluemind.core.api.auth.AuthTypes;
import net.bluemind.core.api.fault.ErrorCode;
import net.bluemind.core.api.fault.ServerFault;
import net.bluemind.keycloak.api.IKeycloakUids;
import net.bluemind.keycloak.utils.endpoint.KeycloakEndpoints;
import net.bluemind.keydb.sessiondata.CodeVerifierCache;
import net.bluemind.keydb.sessiondata.SessionData;
import net.bluemind.keydb.sessiondata.SessionDataStore;
import net.bluemind.webmodule.authenticationfilter.internal.AuthenticationCookie;
import net.bluemind.webmodule.authenticationfilter.internal.ExternalCreds;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/bluemind/webmodule/authenticationfilter/OpenIdHandler.class */
public class OpenIdHandler extends AbstractAuthHandler implements Handler<HttpServerRequest> {
    public static final String JWT_SESSION_STATE = "session_state";
    private static final Logger logger = LoggerFactory.getLogger(OpenIdHandler.class);
    private static final Base64.Decoder b64UrlDecoder = Base64.getUrlDecoder();

    /* loaded from: input_file:net/bluemind/webmodule/authenticationfilter/OpenIdHandler$SessionConsumer.class */
    private class SessionConsumer implements Consumer<SessionData> {
        private final HttpServerRequest request;
        private final String domainUid;
        private final String realmId;
        private final boolean internalAuth;
        private final JsonObject jwtToken;
        private final String openIdClientSecret;

        public SessionConsumer(HttpServerRequest httpServerRequest, String str, String str2, boolean z, JsonObject jsonObject) {
            this.request = httpServerRequest;
            this.domainUid = str;
            this.realmId = IKeycloakUids.realmId(str);
            this.openIdClientSecret = str2;
            this.internalAuth = z;
            this.jwtToken = jsonObject;
        }

        @Override // java.util.function.Consumer
        public void accept(SessionData sessionData) {
            decorateResponse(sessionData);
            SessionDataStore.get().put(sessionData.setOpenId(this.jwtToken, this.realmId, this.openIdClientSecret, this.internalAuth, sessionData.createStamp + SessionDataStore.SESSIONID_REFRESH_PERIOD));
            if (OpenIdHandler.logger.isInfoEnabled()) {
                OpenIdHandler.logger.info("[{}] Session {} for user {} created, JWT SID: {}", new Object[]{this.request.path(), sessionData.authKey, sessionData.loginAtDomain, this.jwtToken.getValue(OpenIdHandler.JWT_SESSION_STATE)});
            }
        }

        public void decorateResponse(SessionData sessionData) {
            MultiMap headers = this.request.response().headers();
            JsonObject jsonObject = new JsonObject();
            jsonObject.put("sid", sessionData.authKey);
            jsonObject.put("domain_uid", this.domainUid);
            jsonObject.put("user_uid", sessionData.userUid);
            AuthenticationCookie.add(headers, AuthenticationCookie.OPENID_SESSION, jsonObject.encode());
            AuthenticationCookie.add(headers, AuthenticationCookie.BMPRIVACY, Boolean.toString("private".equals(JWT.decode(this.jwtToken.getString("access_token")).getClaim("bm_pubpriv").asString())));
        }
    }

    public void handle(HttpServerRequest httpServerRequest) {
        ArrayList arrayList = new ArrayList(httpServerRequest.headers().getAll("X-Forwarded-For"));
        arrayList.add(httpServerRequest.remoteAddress().host());
        JsonObject requestStateParam = getRequestStateParam(httpServerRequest, arrayList);
        if (Strings.isNullOrEmpty(httpServerRequest.params().get("code")) || requestStateParam == null) {
            if (logger.isDebugEnabled()) {
                logger.error("[{}][{}] null or empty 'code' or invalid 'state' request parameter", arrayList, httpServerRequest.path());
            }
            httpServerRequest.response().headers().add(HttpHeaders.LOCATION, "/");
            httpServerRequest.response().setStatusCode(302);
            httpServerRequest.response().end();
            return;
        }
        if (sessionExists(httpServerRequest)) {
            httpServerRequest.response().headers().add(HttpHeaders.LOCATION, getRedirectTo(httpServerRequest, requestStateParam.getString("path")));
            httpServerRequest.response().setStatusCode(302);
            httpServerRequest.response().end();
            return;
        }
        String string = requestStateParam.getString("codeVerifierKey");
        String andRemove = CodeVerifierCache.getAndRemove(string);
        if (Strings.isNullOrEmpty(andRemove)) {
            error(httpServerRequest, false, new Throwable("OpenId codeVerifier key '" + string + "' not found in cache (expired ?), ignore request from [" + String.join(",", arrayList) + "]"));
            return;
        }
        String string2 = requestStateParam.getString("domain_uid");
        String realmId = IKeycloakUids.realmId(string2);
        Map<String, String> forDomain = DomainsSettings.forDomain(string2);
        try {
            boolean useBlueMindKeycloak = AuthTypes.get(forDomain.get(AuthDomainProperties.AUTH_TYPE.name())).useBlueMindKeycloak();
            this.httpClient.request(new RequestOptions().setMethod(HttpMethod.POST).setAbsoluteURI(tokenEndpoint(realmId, useBlueMindKeycloak, forDomain)), asyncResult -> {
                String str = (String) forDomain.get(AuthDomainProperties.OPENID_CLIENT_SECRET.name());
                if (!asyncResult.succeeded()) {
                    error(httpServerRequest, asyncResult.cause());
                    return;
                }
                HttpClientRequest httpClientRequest = (HttpClientRequest) asyncResult.result();
                httpClientRequest.response(asyncResult -> {
                    tokenEndpointResponseHandler(httpServerRequest, arrayList, string2, useBlueMindKeycloak, str, requestStateParam, asyncResult);
                });
                MultiMap headers = httpClientRequest.headers();
                headers.add(HttpHeaders.ACCEPT_CHARSET, StandardCharsets.UTF_8.name());
                headers.add(HttpHeaders.CONTENT_TYPE, "application/x-www-form-urlencoded");
                byte[] bytes = ((((((useBlueMindKeycloak ? "grant_type=authorization_code" + "&client_id=" + IKeycloakUids.clientId(realmId) : "grant_type=authorization_code" + "&client_id=" + encode((String) forDomain.get(AuthDomainProperties.OPENID_CLIENT_ID.name()))) + "&client_secret=" + encode(str)) + "&code=" + encode(httpServerRequest.params().get("code"))) + "&code_verifier=" + encode(andRemove)) + "&redirect_uri=" + encode("https://" + httpServerRequest.authority().host() + "/auth/openid")) + "&scope=openid").getBytes(StandardCharsets.UTF_8);
                headers.add(HttpHeaders.CONTENT_LENGTH, Integer.toString(bytes.length));
                httpClientRequest.write(Buffer.buffer(bytes));
                httpClientRequest.end();
            });
        } catch (Exception e) {
            error(httpServerRequest, e);
            httpServerRequest.response().end();
        }
    }

    private JsonObject getRequestStateParam(HttpServerRequest httpServerRequest, List<String> list) {
        String str = httpServerRequest.params().get("state");
        if (str == null || str.isBlank()) {
            if (!logger.isDebugEnabled()) {
                return null;
            }
            logger.error("[{}][{}] 'state' parameter is null or blank", list, httpServerRequest.path());
            return null;
        }
        try {
            return new JsonObject(new String(b64UrlDecoder.decode(str.getBytes())));
        } catch (DecodeException | IllegalArgumentException | IndexOutOfBoundsException e) {
            if (!logger.isDebugEnabled()) {
                return null;
            }
            logger.error("[{}][{}] invalid 'state' parameter", new Object[]{list, httpServerRequest.path(), e});
            return null;
        }
    }

    private void tokenEndpointResponseHandler(HttpServerRequest httpServerRequest, List<String> list, String str, boolean z, String str2, JsonObject jsonObject, AsyncResult<HttpClientResponse> asyncResult) {
        if (!asyncResult.succeeded()) {
            error(httpServerRequest, asyncResult.cause());
            return;
        }
        HttpClientResponse httpClientResponse = (HttpClientResponse) asyncResult.result();
        if (httpClientResponse.statusCode() != 200) {
            error(httpServerRequest, false, new ServerFault("Invalid request to domain " + str + " token endpoint, HTTP code: " + httpClientResponse.statusCode(), ErrorCode.INVALID_PARAMETER));
        } else {
            httpClientResponse.body(asyncResult2 -> {
                try {
                    JsonObject jsonObject2 = new JsonObject(new String(((Buffer) asyncResult2.result()).getBytes()));
                    SessionData fromSessionState = SessionDataStore.get().getFromSessionState((String) jsonObject2.getValue(JWT_SESSION_STATE));
                    if (fromSessionState == null) {
                        validateToken(httpServerRequest, list, str, z, getRedirectTo(httpServerRequest, jsonObject.getString("path")), jsonObject2, new SessionConsumer(httpServerRequest, str, str2, z, jsonObject2));
                        return;
                    }
                    logger.info("BlueMind session {} already exists for JWT session_state {}, don't create a new one, redirect to {}", new Object[]{fromSessionState.authKey, jsonObject2.getValue(JWT_SESSION_STATE), getRedirectTo(httpServerRequest, jsonObject.getString("path"))});
                    new SessionConsumer(httpServerRequest, str, str2, z, jsonObject2).decorateResponse(fromSessionState);
                    httpServerRequest.response().headers().add(HttpHeaders.LOCATION, getRedirectTo(httpServerRequest, jsonObject.getString("path")));
                    httpServerRequest.response().setStatusCode(302);
                    httpServerRequest.response().end();
                } catch (DecodeException | NullPointerException unused) {
                    String str3 = new String(((Buffer) asyncResult2.result()).getBytes());
                    error(httpServerRequest, false, new ServerFault("Invalid response from domain " + str + " token endpoint: " + str3.substring(0, Math.min(30, str3.length())), ErrorCode.INVALID_PARAMETER));
                }
            });
        }
    }

    private String getRedirectTo(HttpServerRequest httpServerRequest, String str) {
        if (str == null) {
            str = "/";
        }
        if (logger.isDebugEnabled()) {
            logger.debug("[{}] Redirect to {}", httpServerRequest.path(), str);
        }
        return str;
    }

    private boolean sessionExists(HttpServerRequest httpServerRequest) {
        String header = httpServerRequest.getHeader("BMSessionId");
        return (header == null || SessionDataStore.get().getIfPresent(header) == null) ? false : true;
    }

    private String tokenEndpoint(String str, boolean z, Map<String, String> map) {
        return z ? KeycloakEndpoints.tokenEndpoint(str) : map.get(AuthDomainProperties.OPENID_TOKEN_ENDPOINT.name());
    }

    private String encode(String str) {
        return URLEncoder.encode(str, StandardCharsets.UTF_8);
    }

    private void validateToken(HttpServerRequest httpServerRequest, List<String> list, String str, boolean z, String str2, JsonObject jsonObject, Consumer<SessionData> consumer) {
        try {
            Claim claim = JWT.decode(jsonObject.getString("access_token")).getClaim("email");
            if (claim.isMissing() || claim.isNull()) {
                error(httpServerRequest, new Throwable("Failed to validate id_token: no email"));
                return;
            }
            AuthProvider authProvider = new AuthProvider(this.vertx, str, z);
            ExternalCreds externalCreds = new ExternalCreds();
            externalCreds.setLoginAtDomain(claim.asString());
            createSession(httpServerRequest, authProvider, list, externalCreds, str2, consumer);
        } catch (JWTDecodeException e) {
            logger.error("Unexpected token endpoint response : {}", jsonObject);
            throw e;
        }
    }
}
