package com.hazelcast.webmonitor.security.spi.impl.oidc;

import com.hazelcast.webmonitor.security.UserHasNoRolesException;
import com.hazelcast.webmonitor.security.spi.SecurityConfigApiException;
import com.hazelcast.webmonitor.security.spi.SecurityProvider;
import com.hazelcast.webmonitor.utils.StringUtil;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jwt.JWT;
import com.nimbusds.oauth2.sdk.AccessTokenResponse;
import com.nimbusds.oauth2.sdk.AuthorizationCode;
import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
import com.nimbusds.oauth2.sdk.ErrorObject;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.ResponseType;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.SerializeException;
import com.nimbusds.oauth2.sdk.TokenErrorResponse;
import com.nimbusds.oauth2.sdk.TokenRequest;
import com.nimbusds.oauth2.sdk.TokenResponse;
import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.http.HTTPResponse;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.oauth2.sdk.id.State;
import com.nimbusds.oauth2.sdk.token.AccessToken;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.openid.connect.sdk.AuthenticationErrorResponse;
import com.nimbusds.openid.connect.sdk.AuthenticationRequest;
import com.nimbusds.openid.connect.sdk.AuthenticationResponse;
import com.nimbusds.openid.connect.sdk.AuthenticationResponseParser;
import com.nimbusds.openid.connect.sdk.AuthenticationSuccessResponse;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
import com.nimbusds.openid.connect.sdk.UserInfoRequest;
import com.nimbusds.openid.connect.sdk.UserInfoResponse;
import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import com.nimbusds.openid.connect.sdk.claims.PersonClaims;
import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import java.beans.ConstructorProperties;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import javax.annotation.Nonnull;
import javax.servlet.http.HttpSession;
import net.minidev.json.JSONArray;
import net.minidev.json.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.GrantedAuthority;

/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/classes/com/hazelcast/webmonitor/security/spi/impl/oidc/OidcHelper.class
 */
/* loaded from: input_file:com/hazelcast/webmonitor/security/spi/impl/oidc/OidcHelper.class */
public final class OidcHelper {
    private static final Logger LOGGER = LoggerFactory.getLogger((Class<?>) OidcHelper.class);
    private static final String SESSION_ATTR_OIDC_STATE = "oidc_state";
    private static final String SESSION_ATTR_OIDC_NONCE = "oidc_nonce";

    /* JADX WARN: Classes with same name are omitted:
      input_file:WEB-INF/classes/com/hazelcast/webmonitor/security/spi/impl/oidc/OidcHelper$Tokens.class
     */
    /* loaded from: input_file:com/hazelcast/webmonitor/security/spi/impl/oidc/OidcHelper$Tokens.class */
    public static final class Tokens {
        private final AccessToken accessToken;
        private final JWT idToken;

        @SuppressFBWarnings(justification = "generated code")
        @ConstructorProperties({"accessToken", "idToken"})
        public Tokens(AccessToken accessToken, JWT jwt) {
            this.accessToken = accessToken;
            this.idToken = jwt;
        }

        @SuppressFBWarnings(justification = "generated code")
        public AccessToken getAccessToken() {
            return this.accessToken;
        }

        @SuppressFBWarnings(justification = "generated code")
        public JWT getIdToken() {
            return this.idToken;
        }

        @SuppressFBWarnings(justification = "generated code")
        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (!(obj instanceof Tokens)) {
                return false;
            }
            Tokens tokens = (Tokens) obj;
            AccessToken accessToken = getAccessToken();
            AccessToken accessToken2 = tokens.getAccessToken();
            if (accessToken == null) {
                if (accessToken2 != null) {
                    return false;
                }
            } else if (!accessToken.equals(accessToken2)) {
                return false;
            }
            JWT idToken = getIdToken();
            JWT idToken2 = tokens.getIdToken();
            return idToken == null ? idToken2 == null : idToken.equals(idToken2);
        }

        @SuppressFBWarnings(justification = "generated code")
        public int hashCode() {
            AccessToken accessToken = getAccessToken();
            int hashCode = (1 * 59) + (accessToken == null ? 43 : accessToken.hashCode());
            JWT idToken = getIdToken();
            return (hashCode * 59) + (idToken == null ? 43 : idToken.hashCode());
        }

        @SuppressFBWarnings(justification = "generated code")
        public String toString() {
            return "OidcHelper.Tokens(accessToken=" + getAccessToken() + ", idToken=" + getIdToken() + ")";
        }
    }

    /* JADX WARN: Classes with same name are omitted:
      input_file:WEB-INF/classes/com/hazelcast/webmonitor/security/spi/impl/oidc/OidcHelper$User.class
     */
    /* loaded from: input_file:com/hazelcast/webmonitor/security/spi/impl/oidc/OidcHelper$User.class */
    public static final class User {
        private final String id;
        private final String name;
        private final List<String> groups;

        @SuppressFBWarnings(justification = "generated code")
        @ConstructorProperties({"id", "name", "groups"})
        public User(String str, String str2, List<String> list) {
            this.id = str;
            this.name = str2;
            this.groups = list;
        }

        @SuppressFBWarnings(justification = "generated code")
        public String getId() {
            return this.id;
        }

        @SuppressFBWarnings(justification = "generated code")
        public String getName() {
            return this.name;
        }

        @SuppressFBWarnings(justification = "generated code")
        public List<String> getGroups() {
            return this.groups;
        }

        @SuppressFBWarnings(justification = "generated code")
        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (!(obj instanceof User)) {
                return false;
            }
            User user = (User) obj;
            String id = getId();
            String id2 = user.getId();
            if (id == null) {
                if (id2 != null) {
                    return false;
                }
            } else if (!id.equals(id2)) {
                return false;
            }
            String name = getName();
            String name2 = user.getName();
            if (name == null) {
                if (name2 != null) {
                    return false;
                }
            } else if (!name.equals(name2)) {
                return false;
            }
            List<String> groups = getGroups();
            List<String> groups2 = user.getGroups();
            return groups == null ? groups2 == null : groups.equals(groups2);
        }

        @SuppressFBWarnings(justification = "generated code")
        public int hashCode() {
            String id = getId();
            int hashCode = (1 * 59) + (id == null ? 43 : id.hashCode());
            String name = getName();
            int hashCode2 = (hashCode * 59) + (name == null ? 43 : name.hashCode());
            List<String> groups = getGroups();
            return (hashCode2 * 59) + (groups == null ? 43 : groups.hashCode());
        }

        @SuppressFBWarnings(justification = "generated code")
        public String toString() {
            return "OidcHelper.User(id=" + getId() + ", name=" + getName() + ", groups=" + getGroups() + ")";
        }
    }

    private OidcHelper() {
    }

    public static Collection<? extends GrantedAuthority> mapGroupsToRoles(User user, OidcConfig oidcConfig) {
        if (user.getGroups().contains(oidcConfig.getAdminGroup())) {
            return Collections.singleton(SecurityProvider.ADMIN_AUTHORITY);
        }
        if (user.getGroups().contains(oidcConfig.getUserGroup())) {
            return Collections.singleton(SecurityProvider.USER_AUTHORITY);
        }
        if (user.getGroups().contains(oidcConfig.getReadonlyUserGroup())) {
            return Collections.singleton(SecurityProvider.READONLY_USER_AUTHORITY);
        }
        if (user.getGroups().contains(oidcConfig.getMetricsOnlyGroup())) {
            return Collections.singleton(SecurityProvider.METRICS_ONLY_AUTHORITY);
        }
        throw new UserHasNoRolesException();
    }

    public static JSONObject fetchUserInfo(AccessToken accessToken, OidcConfig oidcConfig) {
        try {
            try {
                HTTPResponse send = new UserInfoRequest(new URI(oidcConfig.getUserInfoEndpoint()), (BearerAccessToken) accessToken).toHTTPRequest().send();
                logResponse("User info response", send);
                try {
                    UserInfoResponse parse = UserInfoResponse.parse(send);
                    if (!(parse instanceof UserInfoErrorResponse)) {
                        return ((UserInfoSuccessResponse) parse).getUserInfo().toJSONObject();
                    }
                    throw new OidcAuthenticationException("Received error response instead of UserInfo response: " + describeError(((UserInfoErrorResponse) parse).getErrorObject()));
                } catch (ParseException e) {
                    throw new OidcAuthenticationException("Failed to parse UserInfo response.", e);
                }
            } catch (SerializeException | IOException e2) {
                throw new OidcAuthenticationException("Failed to fetch user info.", e2);
            }
        } catch (URISyntaxException e3) {
            throw new SecurityConfigApiException("Failed to fetch user info.", e3);
        }
    }

    private static String describeError(ErrorObject errorObject) {
        return String.format("Code=%s HttpStatusCode=%s URI=%s Description=%s", errorObject.getCode(), Integer.valueOf(errorObject.getHTTPStatusCode()), errorObject.getURI(), errorObject.getDescription());
    }

    public static IDTokenClaimsSet verifyIdToken(JWT jwt, String str, OidcConfig oidcConfig) {
        try {
            try {
                return new IDTokenValidator(new Issuer(oidcConfig.getIssuer()), new ClientID(oidcConfig.getClientId()), JWSAlgorithm.parse(oidcConfig.getJwsAlgorithm()), new URL(oidcConfig.getJwkSetEndpoint())).validate(jwt, new Nonce(str));
            } catch (JOSEException | BadJOSEException e) {
                throw new OidcAuthenticationException("Failed to verify ID token.", e);
            }
        } catch (MalformedURLException e2) {
            throw new SecurityConfigApiException("Failed to create validator for ID token.", e2);
        }
    }

    public static Tokens retrieveTokens(AuthorizationCode authorizationCode, OidcConfig oidcConfig) {
        try {
            try {
                HTTPRequest hTTPRequest = new TokenRequest(new URI(oidcConfig.getTokenEndpoint()), new ClientSecretBasic(new ClientID(oidcConfig.getClientId()), new Secret(oidcConfig.getClientSecret())), new AuthorizationCodeGrant(authorizationCode, new URI(oidcConfig.getRedirectURL()))).toHTTPRequest();
                logPostRequest("Token request", hTTPRequest);
                HTTPResponse send = hTTPRequest.send();
                logResponse("Token response", send);
                try {
                    TokenResponse parse = OIDCTokenResponseParser.parse(send);
                    if (parse instanceof TokenErrorResponse) {
                        throw new OidcAuthenticationException("Received error response instead of TokenResponse: " + describeError(((TokenErrorResponse) parse).getErrorObject()));
                    }
                    AccessTokenResponse accessTokenResponse = (AccessTokenResponse) parse;
                    return new Tokens(accessTokenResponse.getTokens().toOIDCTokens().getAccessToken(), accessTokenResponse.getTokens().toOIDCTokens().getIDToken());
                } catch (ParseException e) {
                    throw new OidcAuthenticationException("Failed to parse token response.", e);
                }
            } catch (SerializeException | IOException e2) {
                throw new OidcAuthenticationException("Failed to retrieve tokens.", e2);
            }
        } catch (URISyntaxException e3) {
            throw new SecurityConfigApiException("Failed to create token request.", e3);
        }
    }

    public static AuthorizationCode extractAuthCode(URI uri, String str) throws ParseException {
        AuthenticationResponse parse = AuthenticationResponseParser.parse(uri);
        if (parse instanceof AuthenticationErrorResponse) {
            throw new OidcAuthenticationException("Received error response instead of AuthenticationResponse: " + describeError(((AuthenticationErrorResponse) parse).getErrorObject()));
        }
        AuthenticationSuccessResponse authenticationSuccessResponse = (AuthenticationSuccessResponse) parse;
        if (str.equals(authenticationSuccessResponse.getState().getValue())) {
            return authenticationSuccessResponse.getAuthorizationCode();
        }
        throw new OidcAuthenticationException("State in the received AuthenticationResponse doesn't match the previously sent state.");
    }

    public static User completeAuthentication(HttpSession httpSession, URI uri, OidcConfig oidcConfig) throws ParseException {
        try {
            LOGGER.debug("OpenID Connect Configuration: {}", oidcConfig);
            AuthorizationCode extractAuthCode = extractAuthCode(uri, (String) httpSession.getAttribute(SESSION_ATTR_OIDC_STATE));
            LOGGER.debug("Received auth code {}.", extractAuthCode);
            Tokens retrieveTokens = retrieveTokens(extractAuthCode, oidcConfig);
            LOGGER.debug("Retrieved tokens {}.", retrieveTokens);
            LOGGER.debug("ID Token contains the following claims: " + verifyIdToken(retrieveTokens.getIdToken(), (String) httpSession.getAttribute(SESSION_ATTR_OIDC_NONCE), oidcConfig).toJSONString());
            JSONObject fetchUserInfo = fetchUserInfo(retrieveTokens.getAccessToken(), oidcConfig);
            LOGGER.debug("User info: {}", fetchUserInfo);
            String asString = fetchUserInfo.getAsString("sub");
            if (StringUtil.isNullOrEmptyAfterTrim(asString)) {
                throw new OidcAuthenticationException("No 'sub' claim returned from the OpenID provider.");
            }
            String asString2 = fetchUserInfo.getAsString(PersonClaims.PREFERRED_USERNAME_CLAIM_NAME);
            if (StringUtil.isNullOrEmptyAfterTrim(asString2)) {
                throw new OidcAuthenticationException("No 'preferred_username' claim returned from the OpenID provider.");
            }
            Object obj = fetchUserInfo.get("groups");
            List emptyList = obj instanceof JSONArray ? (List) Arrays.stream(((JSONArray) obj).toArray()).filter(obj2 -> {
                return obj2 instanceof String;
            }).map(obj3 -> {
                return (String) obj3;
            }).collect(Collectors.toList()) : Collections.emptyList();
            LOGGER.debug("Groups for user: {}", emptyList);
            User user = new User(asString, asString2, emptyList);
            httpSession.removeAttribute(SESSION_ATTR_OIDC_STATE);
            httpSession.removeAttribute(SESSION_ATTR_OIDC_NONCE);
            return user;
        } catch (Throwable th) {
            httpSession.removeAttribute(SESSION_ATTR_OIDC_STATE);
            httpSession.removeAttribute(SESSION_ATTR_OIDC_NONCE);
            throw th;
        }
    }

    public static String generateAuthenticationRequestURL(HttpSession httpSession, OidcConfig oidcConfig) {
        Scope parse = Scope.parse("openid profile groups");
        State state = new State();
        Nonce nonce = new Nonce();
        httpSession.setAttribute(SESSION_ATTR_OIDC_STATE, state.toString());
        httpSession.setAttribute(SESSION_ATTR_OIDC_NONCE, nonce.toString());
        try {
            return new AuthenticationRequest(new URI(oidcConfig.getAuthorizationEndpoint()), new ResponseType(ResponseType.Value.CODE), parse, new ClientID(oidcConfig.getClientId()), new URI(oidcConfig.getRedirectURL()), state, nonce).toURI().toString();
        } catch (URISyntaxException e) {
            throw new SecurityConfigApiException("Failed to generate authentication request URL.", e);
        }
    }

    private static void logPostRequest(String str, HTTPRequest hTTPRequest) {
        LOGGER.debug("{} Method: {} URL: {}\nHeaders:\n{}Body:\n{}", str, hTTPRequest.getMethod(), hTTPRequest.getURL(), mapToString(hTTPRequest.getHeaderMap()), hTTPRequest.getQuery());
    }

    private static void logResponse(String str, HTTPResponse hTTPResponse) {
        LOGGER.debug("{} Status Code: {} Status Message: {}\nHeaders:\n{}Content:\n{}", str, Integer.valueOf(hTTPResponse.getStatusCode()), hTTPResponse.getStatusMessage(), mapToString(hTTPResponse.getHeaderMap()), hTTPResponse.getContent());
    }

    @Nonnull
    private static String mapToString(Map<String, List<String>> map) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, List<String>> entry : map.entrySet()) {
            sb.append(String.format("%s => %s%n", entry.getKey(), entry.getValue()));
        }
        return sb.toString();
    }
}
