package org.apache.qpid.server.management.plugin.auth;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.AccessControlException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import org.apache.qpid.server.management.plugin.HttpManagementConfiguration;
import org.apache.qpid.server.management.plugin.HttpManagementUtil;
import org.apache.qpid.server.management.plugin.HttpRequestInteractiveAuthenticator;
import org.apache.qpid.server.management.plugin.controller.LegacyConfiguredObject;
import org.apache.qpid.server.management.plugin.preferences.QueryPreferenceValue;
import org.apache.qpid.server.model.NamedAddressSpace;
import org.apache.qpid.server.model.Port;
import org.apache.qpid.server.plugin.PluggableService;
import org.apache.qpid.server.security.auth.AuthenticationResult;
import org.apache.qpid.server.security.auth.manager.oauth2.OAuth2AuthenticationProvider;
import org.apache.qpid.server.security.auth.manager.oauth2.OAuth2Utils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

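@PluggableService
/**
 * Interactive (browser) authenticator implementing the OAuth 2.0 authorization code grant
 * for the HTTP management plugin.
 *
 * <p>Flow, as implemented here:
 * <ol>
 *   <li>A request without {@code code}/{@code error} parameters is redirected to the
 *       provider's authorization endpoint. A fresh random {@code state} nonce, the computed
 *       {@code redirect_uri} and the original request URL are stored in the HTTP session.</li>
 *   <li>The callback carrying {@code code} is accepted only if its {@code state} matches the
 *       nonce stored in the session; the nonce is consumed on first use.</li>
 *   <li>The code is exchanged via the {@link OAuth2AuthenticationProvider}, a {@link Subject}
 *       is created and saved, and the browser is sent back to the original request URL.</li>
 * </ol>
 * Request parameters are rejected if any of them occurs more than once (RFC 6749 §3.1).
 */
public class OAuth2InteractiveAuthenticator implements HttpRequestInteractiveAuthenticator {
    private static final Logger LOGGER = LoggerFactory.getLogger(OAuth2InteractiveAuthenticator.class);
    private static final String TYPE = "OAuth2";
    /** Entropy of the {@code state} nonce used as CSRF protection for the callback. */
    private static final int STATE_NONCE_BIT_SIZE = 256;
    static final String STATE_NAME = "stateNonce";
    static final String REDIRECT_URI_SESSION_ATTRIBUTE = "redirectURI";
    static final String ORIGINAL_REQUEST_URI_SESSION_ATTRIBUTE = "originalRequestURI";
    /** Maps RFC 6749 §4.1.2.1 authorization error codes to the HTTP status returned to the browser. */
    private static final Map<String, Integer> ERROR_RESPONSES;
    private final SecureRandom _random = new SecureRandom();

    static {
        final Map<String, Integer> errorResponses = new HashMap<>();
        errorResponses.put("invalid_request", 400);
        errorResponses.put("unauthorized_client", 400);
        errorResponses.put("unsupported_response_type", 400);
        errorResponses.put("invalid_scope", 400);
        errorResponses.put("access_denied", 403);
        errorResponses.put("server_error", 500);
        errorResponses.put("temporarily_unavailable", 503);
        ERROR_RESPONSES = Collections.unmodifiableMap(errorResponses);
    }

    /**
     * Handler that answers the request with an HTTP error instead of continuing the flow.
     * When a throwable is supplied its {@code toString()} is appended to the message sent
     * to the client, so callers should only pass exceptions whose text is safe to expose.
     */
    static class FailedAuthenticationHandler implements HttpRequestInteractiveAuthenticator.AuthenticationHandler {
        private final int _errorCode;
        private final Throwable _throwable;
        private final String _message;

        FailedAuthenticationHandler(final int errorCode, final String message) {
            this(errorCode, message, null);
        }

        FailedAuthenticationHandler(final int errorCode, final String message, final Throwable throwable) {
            _errorCode = errorCode;
            _message = message;
            _throwable = throwable;
        }

        @Override // org.apache.qpid.server.management.plugin.HttpRequestInteractiveAuthenticator.AuthenticationHandler
        public void handleAuthentication(final HttpServletResponse response) throws IOException {
            final String detail = _throwable == null ? _message : _message + ": " + _throwable;
            response.sendError(_errorCode, detail);
        }
    }

    public String getType() {
        return TYPE;
    }

    /**
     * Selects the handler for the current step of the authorization code flow.
     *
     * @return {@code null} if the port's authentication provider is not an
     *         {@link OAuth2AuthenticationProvider}; otherwise a handler that redirects to the
     *         authorization endpoint, completes the code exchange, or reports an error.
     */
    @Override // org.apache.qpid.server.management.plugin.HttpRequestInteractiveAuthenticator
    public HttpRequestInteractiveAuthenticator.AuthenticationHandler getAuthenticationHandler(
            final HttpServletRequest request,
            final HttpManagementConfiguration configuration) {
        final Port<?> port = configuration.mo6getPort(request);
        final Object authenticationProvider = configuration.getAuthenticationProvider(request);
        if (!(authenticationProvider instanceof OAuth2AuthenticationProvider)) {
            return null;
        }
        final OAuth2AuthenticationProvider oauth2Provider = (OAuth2AuthenticationProvider) authenticationProvider;

        try {
            final Map<String, String> parameters = getRequestParameters(request);

            final String error = parameters.get("error");
            if (error != null) {
                return handleAuthorizationError(error, parameters.get("error_description"));
            }

            final String code = parameters.get("code");
            if (code == null) {
                // First leg: no authorization code yet, start the flow at the authorization endpoint.
                return redirectToAuthorizationEndpoint(request, configuration, oauth2Provider);
            }

            // Second leg: callback with a code. The state nonce MUST be present and MUST match the
            // value we stored in this session, otherwise the code could have been injected by a
            // third party (login CSRF / code injection).
            final String state = parameters.get(LegacyConfiguredObject.STATE);
            if (state == null) {
                LOGGER.warn("Deny login attempt with missing state");
                return new FailedAuthenticationHandler(400,
                        "No state set on request with authorization code grant: " + request);
            }
            if (!checkState(request, state)) {
                LOGGER.warn("Deny login attempt with wrong state: {}", state);
                // NOTE(review): the client-supplied state is echoed in the error page; this relies on
                // the container's error handler escaping the message.
                return new FailedAuthenticationHandler(401, "Received request with wrong state: " + state);
            }

            return completeAuthorizationCodeGrant(request, configuration, port, oauth2Provider, code);
        } catch (IllegalArgumentException e) {
            // Raised by getRequestParameters() for repeated parameters; its message is benign.
            return new FailedAuthenticationHandler(400,
                    "Some request parameters are included more than once " + request, e);
        }
    }

    /** Translates an authorization-endpoint error response into a failure handler. */
    private HttpRequestInteractiveAuthenticator.AuthenticationHandler handleAuthorizationError(
            final String error, final String errorDescription) {
        final int responseCode = decodeErrorAsResponseCode(error);
        if (responseCode == 403) {
            LOGGER.debug("Resource owner denies the access request");
            return new FailedAuthenticationHandler(responseCode, "Resource owner denies the access request");
        }
        LOGGER.warn("Authorization endpoint failed, error : '{}', error description '{}'", error, errorDescription);
        return new FailedAuthenticationHandler(responseCode, String.format("Authorization request failed :'%s'", error));
    }

    /** Builds the handler that sends the browser to the provider's authorization endpoint. */
    private HttpRequestInteractiveAuthenticator.AuthenticationHandler redirectToAuthorizationEndpoint(
            final HttpServletRequest request,
            final HttpManagementConfiguration configuration,
            final OAuth2AuthenticationProvider provider) {
        // Side effect: stores redirect_uri, original request URL and the state nonce in the session.
        final String authorizationRedirectUrl = buildAuthorizationRedirectURL(request, provider);
        final NamedAddressSpace addressSpace =
                configuration.mo6getPort(request).getAddressSpace(request.getServerName());
        return response -> {
            // Log the endpoint only, not the full redirect URL (which carries the state nonce).
            LOGGER.debug("Sending redirect to authorization endpoint {}",
                         provider.getAuthorizationEndpointURI(addressSpace));
            response.sendRedirect(authorizationRedirectUrl);
        };
    }

    /**
     * Builds the handler that exchanges the authorization code, establishes the management
     * subject and redirects to the URL originally requested. Only called after the state
     * nonce has been verified.
     */
    private HttpRequestInteractiveAuthenticator.AuthenticationHandler completeAuthorizationCodeGrant(
            final HttpServletRequest request,
            final HttpManagementConfiguration configuration,
            final Port<?> port,
            final OAuth2AuthenticationProvider provider,
            final String code) {
        final HttpSession session = request.getSession();
        // Both values were captured by buildAuthorizationRedirectURL() from the server's own view of
        // the initial request; they are not taken from callback parameters.
        final String redirectUri = (String) session.getAttribute(
                HttpManagementUtil.getRequestSpecificAttributeName(REDIRECT_URI_SESSION_ATTRIBUTE, request));
        final String originalRequestUri = (String) session.getAttribute(
                HttpManagementUtil.getRequestSpecificAttributeName(ORIGINAL_REQUEST_URI_SESSION_ATTRIBUTE, request));
        final NamedAddressSpace addressSpace =
                configuration.mo6getPort(request).getAddressSpace(request.getServerName());

        return response -> {
            final AuthenticationResult result =
                    provider.authenticateViaAuthorizationCode(code, redirectUri, addressSpace);
            try {
                final Subject subject = port.getSubjectCreator(request.isSecure(), request.getServerName())
                                            .createResultWithGroups(result)
                                            .getSubject();
                if (subject == null) {
                    throw new SecurityException("Only authenticated users can access the management interface");
                }
                HttpManagementUtil.createServletConnectionSubjectAssertManagementAccessAndSave(
                        provider.getParent(), request, subject);
                LOGGER.debug("Successful login. Redirect to original resource {}", originalRequestUri);
                response.sendRedirect(originalRequestUri);
            } catch (AccessControlException e) {
                // Authenticated, but not permitted to use the management interface.
                LOGGER.info("User '{}' is not authorised for management", result.getMainPrincipal());
                response.sendError(403, "User is not authorised for management");
            } catch (SecurityException e) {
                LOGGER.info("Authentication failed", result.getCause());
                response.sendError(401);
            }
        };
    }

    /**
     * Returns a handler redirecting to the provider's configured post-logout URI, or
     * {@code null} when the provider is not OAuth2 or no such URI is configured.
     */
    @Override // org.apache.qpid.server.management.plugin.HttpRequestInteractiveAuthenticator
    public HttpRequestInteractiveAuthenticator.LogoutHandler getLogoutHandler(
            final HttpServletRequest request,
            final HttpManagementConfiguration configuration) {
        final Object authenticationProvider = configuration.getAuthenticationProvider(request);
        if (!(authenticationProvider instanceof OAuth2AuthenticationProvider)) {
            return null;
        }
        final OAuth2AuthenticationProvider oauth2Provider = (OAuth2AuthenticationProvider) authenticationProvider;
        final URI postLogoutUri = oauth2Provider.getPostLogoutURI();
        if (postLogoutUri == null) {
            return null;
        }
        final String target = postLogoutUri.toString();
        return response -> response.sendRedirect(target);
    }

    /**
     * Composes the authorization request URL and records in the session everything the
     * callback needs: the {@code redirect_uri} sent to the provider (it must be repeated
     * verbatim in the token request), the original request URL, and the state nonce.
     */
    private String buildAuthorizationRedirectURL(final HttpServletRequest request,
                                                 final OAuth2AuthenticationProvider provider) {
        final String redirectUri = getRedirectUri(request);
        final String originalRequestUri = getOriginalRequestUri(request);
        final URI authorizationEndpoint = provider.getAuthorizationEndpointURI(
                HttpManagementUtil.getPort(request).getAddressSpace(request.getServerName()));

        final HttpSession session = request.getSession();
        session.setAttribute(
                HttpManagementUtil.getRequestSpecificAttributeName(REDIRECT_URI_SESSION_ATTRIBUTE, request),
                redirectUri);
        session.setAttribute(
                HttpManagementUtil.getRequestSpecificAttributeName(ORIGINAL_REQUEST_URI_SESSION_ATTRIBUTE, request),
                originalRequestUri);

        final Map<String, String> queryParameters = new HashMap<>();
        queryParameters.put("client_id", provider.getClientId());
        queryParameters.put("redirect_uri", redirectUri);
        queryParameters.put("response_type", "code");
        queryParameters.put(LegacyConfiguredObject.STATE, createState(request));
        if (provider.getScope() != null) {
            queryParameters.put(QueryPreferenceValue.SCOPE_ATTRIBUTE, provider.getScope());
        }

        // Append to an existing query string if the configured endpoint already has one.
        final StringBuilder url = new StringBuilder(authorizationEndpoint.toString());
        final String existingQuery = authorizationEndpoint.getQuery();
        if (existingQuery == null) {
            url.append("?");
        } else if (!existingQuery.isEmpty()) {
            url.append("&");
        }
        url.append(OAuth2Utils.buildRequestQuery(queryParameters));
        return url.toString();
    }

    /** The full URL of the current request (including its query string), as seen by the server. */
    private String getOriginalRequestUri(final HttpServletRequest request) {
        final StringBuffer url = request.getRequestURL();
        final String query = request.getQueryString();
        if (query != null) {
            url.append("?").append(query);
        }
        return url.toString();
    }

    /**
     * Collects the request parameters into a single-valued map.
     *
     * @throws IllegalArgumentException if any parameter is absent or repeated; RFC 6749
     *         forbids repeated parameters and an ambiguous {@code code}/{@code state} pair
     *         must not be processed.
     */
    private Map<String, String> getRequestParameters(final HttpServletRequest request) {
        final Map<String, String> parameters = new HashMap<>();
        final Enumeration<String> names = request.getParameterNames();
        while (names.hasMoreElements()) {
            final String name = names.nextElement();
            final String[] values = request.getParameterValues(name);
            if (values == null) {
                throw new IllegalArgumentException(String.format("Request parameter '%s' is null", name));
            }
            if (values.length != 1) {
                throw new IllegalArgumentException(
                        String.format("Request parameter '%s' MUST NOT occur more than once", name));
            }
            parameters.put(name, values[0]);
        }
        return parameters;
    }

    /**
     * Derives the {@code redirect_uri} from the request URL by stripping the servlet path and
     * path info, i.e. the root of the management web application as addressed by the client.
     * This value must correspond to the redirect URI registered with the provider.
     *
     * @throws IllegalStateException if the request URL cannot be parsed or does not end with
     *         the servlet path and path info.
     */
    private String getRedirectUri(final HttpServletRequest request) {
        final String servletPath = request.getServletPath() != null
                ? request.getServletPath() : QueryPreferenceValue.DEFAULT_SCOPE;
        final String pathInfo = request.getPathInfo() != null
                ? request.getPathInfo() : QueryPreferenceValue.DEFAULT_SCOPE;
        final String requestUrl = request.getRequestURL().toString();
        try {
            final String normalized = new URI(requestUrl).normalize().toString();
            final String suffix = servletPath + pathInfo;
            if (!normalized.endsWith(suffix)) {
                throw new IllegalStateException(String.format("RequestURL has unexpected format '%s'", normalized));
            }
            return normalized.substring(0, normalized.length() - suffix.length());
        } catch (URISyntaxException e) {
            throw new IllegalStateException(String.format("RequestURL has unexpected format '%s'", requestUrl), e);
        }
    }

    /**
     * Generates a fresh {@link #STATE_NONCE_BIT_SIZE}-bit random nonce, stores it in the
     * session under a request-specific attribute name and returns its URL-safe Base64 form.
     */
    private String createState(final HttpServletRequest request) {
        final byte[] nonce = new byte[STATE_NONCE_BIT_SIZE / 8];
        _random.nextBytes(nonce);
        final String state = Base64.getUrlEncoder().encodeToString(nonce);
        request.getSession().setAttribute(
                HttpManagementUtil.getRequestSpecificAttributeName(STATE_NAME, request), state);
        return state;
    }

    /**
     * Verifies the callback's {@code state} against the nonce stored in the session.
     * The stored nonce is removed before comparison so each nonce is usable exactly once,
     * regardless of outcome. The comparison is constant-time.
     *
     * @return {@code true} only if both values are present and identical.
     */
    private boolean checkState(final HttpServletRequest request, final String receivedState) {
        final HttpSession session = request.getSession();
        final String attributeName = HttpManagementUtil.getRequestSpecificAttributeName(STATE_NAME, request);
        final String expectedState = (String) session.getAttribute(attributeName);
        session.removeAttribute(attributeName);
        if (receivedState == null || expectedState == null) {
            return false;
        }
        return MessageDigest.isEqual(expectedState.getBytes(StandardCharsets.UTF_8),
                                     receivedState.getBytes(StandardCharsets.UTF_8));
    }

    /** Maps a provider error code to an HTTP status; unknown codes become 500. */
    private int decodeErrorAsResponseCode(final String error) {
        return ERROR_RESPONSES.getOrDefault(error, 500);
    }
}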
