package fish.payara.security.openid;

import fish.payara.security.annotations.OpenIdAuthenticationDefinition;
import fish.payara.security.openid.api.OpenIdConstant;
import fish.payara.security.openid.api.OpenIdState;
import fish.payara.security.openid.api.RefreshToken;
import fish.payara.security.openid.controller.AuthenticationController;
import fish.payara.security.openid.controller.ConfigurationController;
import fish.payara.security.openid.controller.StateController;
import fish.payara.security.openid.controller.TokenController;
import fish.payara.security.openid.domain.LogoutConfiguration;
import fish.payara.security.openid.domain.OpenIdConfiguration;
import fish.payara.security.openid.domain.OpenIdContextImpl;
import fish.payara.security.openid.domain.RefreshTokenImpl;
import java.io.IOException;
import java.io.Serializable;
import java.io.StringReader;
import java.util.Objects;
import java.util.Optional;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.enterprise.inject.Typed;
import javax.inject.Inject;
import javax.json.Json;
import javax.json.JsonNumber;
import javax.json.JsonObject;
import javax.json.JsonReader;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.enterprise.AuthenticationException;
import javax.security.enterprise.AuthenticationStatus;
import javax.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
import javax.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStoreHandler;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.ws.rs.core.Response;
import org.eclipse.persistence.config.ResultSetType;
import org.glassfish.common.util.StringHelper;

@Typed({OpenIdAuthenticationMechanism.class})
/* loaded from: input_file:fish/payara/security/openid/OpenIdAuthenticationMechanism.class */
public class OpenIdAuthenticationMechanism implements HttpAuthenticationMechanism {
    private OpenIdConfiguration configuration;

    @Inject
    private OpenIdContextImpl context;

    @Inject
    private IdentityStoreHandler identityStoreHandler;

    @Inject
    private ConfigurationController configurationController;

    @Inject
    private AuthenticationController authenticationController;

    @Inject
    private TokenController tokenController;

    @Inject
    private StateController stateController;
    private static final Logger LOGGER = Logger.getLogger(OpenIdAuthenticationMechanism.class.getName());
    private static final String SESSION_LOCK_NAME = OpenIdAuthenticationMechanism.class.getName();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:fish/payara/security/openid/OpenIdAuthenticationMechanism$Lock.class */
    public static class Lock implements Serializable {
        private Lock() {
        }
    }

    public OpenIdAuthenticationMechanism() {
    }

    public OpenIdAuthenticationMechanism(OpenIdAuthenticationDefinition openIdAuthenticationDefinition) {
        this();
        setConfiguration(openIdAuthenticationDefinition);
    }

    public OpenIdAuthenticationMechanism setConfiguration(OpenIdAuthenticationDefinition openIdAuthenticationDefinition) {
        this.configuration = this.configurationController.buildConfig(openIdAuthenticationDefinition);
        return this;
    }

    @Override // javax.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism
    public AuthenticationStatus validateRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HttpMessageContext httpMessageContext) throws AuthenticationException {
        if (Objects.isNull(httpServletRequest.getUserPrincipal())) {
            LOGGER.fine("UserPrincipal is not set, authenticate user using OpenId Connect protocol.");
            return authenticate(httpServletRequest, httpServletResponse, httpMessageContext);
        }
        try {
            httpMessageContext.getHandler().handle(new Callback[]{new CallerPrincipalCallback(httpMessageContext.getClientSubject(), httpServletRequest.getUserPrincipal())});
            LogoutConfiguration logoutConfiguration = this.configuration.getLogoutConfiguration();
            boolean isExpired = this.context.getAccessToken().isExpired();
            boolean isExpired2 = this.context.getIdentityToken().isExpired();
            if (logoutConfiguration.isIdentityTokenExpiry()) {
                LOGGER.log(Level.FINE, "UserPrincipal is set, check if Identity Token is valid.");
            }
            if (logoutConfiguration.isAccessTokenExpiry()) {
                LOGGER.log(Level.FINE, "UserPrincipal is set, check if Access Token is valid.");
            }
            if ((isExpired || isExpired2) && this.configuration.isTokenAutoRefresh()) {
                if (isExpired) {
                    LOGGER.fine("Access Token is expired. Request new Access Token with Refresh Token.");
                }
                if (isExpired2) {
                    LOGGER.fine("Identity Token is expired. Request new Identity Token with Refresh Token.");
                }
                return reAuthenticate(httpMessageContext);
            }
            if ((!logoutConfiguration.isAccessTokenExpiry() || !isExpired) && (!logoutConfiguration.isIdentityTokenExpiry() || !isExpired2)) {
                return AuthenticationStatus.SUCCESS;
            }
            this.context.logout(httpServletRequest, httpServletResponse);
            return AuthenticationStatus.SEND_FAILURE;
        } catch (IOException | UnsupportedCallbackException e) {
            throw new AuthenticationException("Failed to register CallerPrincipalCallback.", e);
        }
    }

    private AuthenticationStatus authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HttpMessageContext httpMessageContext) throws AuthenticationException {
        if (httpMessageContext.isProtected() && Objects.isNull(httpServletRequest.getUserPrincipal())) {
            return this.authenticationController.authenticateUser(this.configuration, httpServletRequest, httpServletResponse);
        }
        Optional<OpenIdState> from = OpenIdState.from(httpServletRequest.getParameter("state"));
        String buildRedirectURI = this.configuration.buildRedirectURI(httpServletRequest);
        if (!from.isPresent()) {
            return httpMessageContext.doNothing();
        }
        if (!httpServletRequest.getRequestURL().toString().equals(buildRedirectURI)) {
            LOGGER.log(Level.INFO, "OpenID Redirect URL {0} not matched with request URL {1}", new Object[]{buildRedirectURI, httpServletRequest.getRequestURL().toString()});
            return httpMessageContext.notifyContainerAboutLogin(CredentialValidationResult.NOT_VALIDATED_RESULT);
        }
        Optional<OpenIdState> optional = this.stateController.get(this.configuration, httpServletRequest, httpServletResponse);
        if (!optional.isPresent()) {
            LOGGER.fine("Expected state not found");
            return httpMessageContext.notifyContainerAboutLogin(CredentialValidationResult.NOT_VALIDATED_RESULT);
        }
        if (optional.equals(from)) {
            return validateAuthorizationCode(httpMessageContext);
        }
        LOGGER.fine("Inconsistent received state, value not matched");
        return httpMessageContext.notifyContainerAboutLogin(CredentialValidationResult.INVALID_RESULT);
    }

    private AuthenticationStatus validateAuthorizationCode(HttpMessageContext httpMessageContext) {
        HttpServletRequest request = httpMessageContext.getRequest();
        HttpServletResponse response = httpMessageContext.getResponse();
        String parameter = request.getParameter("error");
        String parameter2 = request.getParameter(OpenIdConstant.ERROR_DESCRIPTION_PARAM);
        if (!StringHelper.isEmpty(parameter)) {
            LOGGER.log(Level.WARNING, "Error occurred in receiving Authorization Code : {0} caused by {1}", new Object[]{parameter, parameter2});
            return httpMessageContext.notifyContainerAboutLogin(CredentialValidationResult.INVALID_RESULT);
        }
        this.stateController.remove(this.configuration, request, response);
        LOGGER.finer("Authorization Code received, now fetching Access token & Id token");
        Response tokens = this.tokenController.getTokens(this.configuration, request);
        JsonObject readJsonObject = readJsonObject((String) tokens.readEntity(String.class));
        if (tokens.getStatus() == Response.Status.OK.getStatusCode()) {
            updateContext(readJsonObject);
            CredentialValidationResult validate = this.identityStoreHandler.validate(new OpenIdCredential(readJsonObject, httpMessageContext, this.configuration));
            httpMessageContext.setRegisterSession(validate.getCallerPrincipal().getName(), validate.getCallerGroups());
            return httpMessageContext.notifyContainerAboutLogin(validate);
        }
        LOGGER.log(Level.WARNING, "Error occurred in validating Authorization Code : {0} caused by {1}", new Object[]{readJsonObject.getString("error", "Unknown Error"), readJsonObject.getString(OpenIdConstant.ERROR_DESCRIPTION_PARAM, ResultSetType.Unknown)});
        return httpMessageContext.notifyContainerAboutLogin(CredentialValidationResult.INVALID_RESULT);
    }

    private AuthenticationStatus reAuthenticate(HttpMessageContext httpMessageContext) throws AuthenticationException {
        HttpServletRequest request = httpMessageContext.getRequest();
        HttpServletResponse response = httpMessageContext.getResponse();
        synchronized (getSessionLock(httpMessageContext.getRequest())) {
            boolean isExpired = this.context.getAccessToken().isExpired();
            boolean isExpired2 = this.context.getIdentityToken().isExpired();
            if (!isExpired && !isExpired2) {
                return AuthenticationStatus.SUCCESS;
            }
            if (isExpired) {
                LOGGER.fine("Access Token is expired. Request new Access Token with Refresh Token.");
            }
            if (isExpired2) {
                LOGGER.fine("Identity Token is expired. Request new Identity Token with Refresh Token.");
            }
            AuthenticationStatus authenticationStatus = (AuthenticationStatus) this.context.getRefreshToken().map(refreshToken -> {
                return refreshTokens(httpMessageContext, refreshToken);
            }).orElse(AuthenticationStatus.SEND_FAILURE);
            if (authenticationStatus != AuthenticationStatus.SUCCESS) {
                LOGGER.log(Level.FINE, "Failed to refresh token (Refresh Token might be invalid).");
                this.context.logout(request, response);
            }
            return authenticationStatus;
        }
    }

    private AuthenticationStatus refreshTokens(HttpMessageContext httpMessageContext, RefreshToken refreshToken) {
        Response refreshTokens = this.tokenController.refreshTokens(this.configuration, refreshToken);
        JsonObject readJsonObject = readJsonObject((String) refreshTokens.readEntity(String.class));
        if (refreshTokens.getStatus() == Response.Status.OK.getStatusCode()) {
            updateContext(readJsonObject);
            return httpMessageContext.notifyContainerAboutLogin(this.identityStoreHandler.validate(new OpenIdCredential(readJsonObject, httpMessageContext, this.configuration)));
        }
        LOGGER.log(Level.FINE, "Error occurred in refreshing Access Token and Refresh Token : {0} caused by {1}", new Object[]{readJsonObject.getString("error", "Unknown Error"), readJsonObject.getString(OpenIdConstant.ERROR_DESCRIPTION_PARAM, ResultSetType.Unknown)});
        return AuthenticationStatus.SEND_FAILURE;
    }

    private JsonObject readJsonObject(String str) {
        JsonReader createReader = Json.createReader(new StringReader(str));
        Throwable th = null;
        try {
            try {
                JsonObject readObject = createReader.readObject();
                if (createReader != null) {
                    if (0 != 0) {
                        try {
                            createReader.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        createReader.close();
                    }
                }
                return readObject;
            } finally {
            }
        } catch (Throwable th3) {
            if (createReader != null) {
                if (th != null) {
                    try {
                        createReader.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    createReader.close();
                }
            }
            throw th3;
        }
    }

    private void updateContext(JsonObject jsonObject) {
        this.context.setOpenIdConfiguration(this.configuration);
        this.context.setTokenType(jsonObject.getString(OpenIdConstant.TOKEN_TYPE, null));
        String string = jsonObject.getString(OpenIdConstant.REFRESH_TOKEN, null);
        if (Objects.nonNull(string)) {
            this.context.setRefreshToken(new RefreshTokenImpl(string));
        }
        JsonNumber jsonNumber = jsonObject.getJsonNumber(OpenIdConstant.EXPIRES_IN);
        if (Objects.nonNull(jsonNumber)) {
            this.context.setExpiresIn(Long.valueOf(jsonNumber.longValue()));
        }
    }

    private Object getSessionLock(HttpServletRequest httpServletRequest) {
        HttpSession session = httpServletRequest.getSession();
        Object attribute = session.getAttribute(SESSION_LOCK_NAME);
        if (Objects.isNull(attribute)) {
            synchronized (OpenIdAuthenticationMechanism.class) {
                attribute = session.getAttribute(SESSION_LOCK_NAME);
                if (Objects.isNull(attribute)) {
                    attribute = new Lock();
                    session.setAttribute(SESSION_LOCK_NAME, attribute);
                }
            }
        }
        return attribute;
    }
}
