package io.helidon.security.providers.oidc;

import io.helidon.common.configurable.LruCache;
import io.helidon.common.configurable.ThreadPoolSupplier;
import io.helidon.common.http.FormParams;
import io.helidon.common.http.Http;
import io.helidon.common.http.MediaType;
import io.helidon.common.reactive.Single;
import io.helidon.common.serviceloader.HelidonServiceLoader;
import io.helidon.config.Config;
import io.helidon.security.providers.oidc.common.OidcConfig;
import io.helidon.security.providers.oidc.common.OidcCookieHandler;
import io.helidon.security.providers.oidc.common.Tenant;
import io.helidon.security.providers.oidc.common.TenantConfig;
import io.helidon.security.providers.oidc.common.spi.TenantConfigFinder;
import io.helidon.security.providers.oidc.common.spi.TenantConfigProvider;
import io.helidon.webclient.WebClient;
import io.helidon.webclient.WebClientRequestBuilder;
import io.helidon.webserver.Handler;
import io.helidon.webserver.ResponseHeaders;
import io.helidon.webserver.Routing;
import io.helidon.webserver.ServerRequest;
import io.helidon.webserver.ServerResponse;
import io.helidon.webserver.Service;
import io.helidon.webserver.cors.CorsSupport;
import io.helidon.webserver.cors.CrossOriginConfig;
import jakarta.json.JsonObject;
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.ServiceLoader;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ExecutorService;
import java.util.function.Supplier;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

/* loaded from: input_file:io/helidon/security/providers/oidc/OidcSupport.class */
public final class OidcSupport implements Service {
    private static final Logger LOGGER = Logger.getLogger(OidcSupport.class.getName());
    private static final Supplier<ExecutorService> OIDC_SUPPORT_SERVICE = ThreadPoolSupplier.create("oidc-support");
    private static final String CODE_PARAM_NAME = "code";
    private static final String STATE_PARAM_NAME = "state";
    private static final String DEFAULT_REDIRECT = "/index.html";
    private final List<TenantConfigFinder> oidcConfigFinders;
    private final LruCache<String, Tenant> tenants = LruCache.create();
    private final OidcConfig oidcConfig;
    private final boolean enabled;
    private final CorsSupport corsSupport;

    /* loaded from: input_file:io/helidon/security/providers/oidc/OidcSupport$Builder.class */
    public static class Builder implements io.helidon.common.Builder<Builder, OidcSupport> {
        private static final int BUILDER_PRIORITY = 50000;
        private static final int DEFAULT_PRIORITY = 100000;
        private final HelidonServiceLoader.Builder<TenantConfigProvider> tenantConfigProviders = HelidonServiceLoader.builder(ServiceLoader.load(TenantConfigProvider.class)).defaultPriority(BUILDER_PRIORITY);
        private boolean enabled = true;
        private Config config = Config.empty();
        private OidcConfig oidcConfig;
        private List<TenantConfigFinder> tenantConfigFinders;

        private Builder() {
        }

        private static Optional<Config> findMyKey(Config config, String str) {
            return config.key().name().equals(str) ? Optional.of(config) : ((List) config.get("security.providers").asNodeList().orElseGet(List::of)).stream().filter(config2 -> {
                return config2.get(str).exists();
            }).findFirst().map(config3 -> {
                return config3.get(str);
            });
        }

        /* renamed from: build, reason: merged with bridge method [inline-methods] */
        public OidcSupport m4build() {
            if (this.enabled && this.oidcConfig == null) {
                throw new IllegalStateException("When OIDC and security is enabled, OIDC configuration must be provided");
            }
            this.tenantConfigFinders = (List) this.tenantConfigProviders.build().asList().stream().map(tenantConfigProvider -> {
                return tenantConfigProvider.createTenantConfigFinder(this.config);
            }).collect(Collectors.toList());
            return new OidcSupport(this);
        }

        public Builder config(Config config) {
            config.get("enabled").asBoolean().ifPresent((v1) -> {
                enabled(v1);
            });
            if (this.enabled) {
                this.oidcConfig = OidcConfig.create(config);
                this.config = config;
            }
            config.get("discover-tenant-config-providers").asBoolean().ifPresent((v1) -> {
                discoverTenantConfigProviders(v1);
            });
            return this;
        }

        public Builder config(OidcConfig oidcConfig) {
            this.oidcConfig = oidcConfig;
            return this;
        }

        public Builder config(Config config, String str) {
            config.get("security.enabled").asBoolean().ifPresent((v1) -> {
                enabled(v1);
            });
            findMyKey(config, str).ifPresentOrElse(this::config, () -> {
                enabled(false);
            });
            return this;
        }

        public Builder enabled(boolean z) {
            this.enabled = z;
            return this;
        }

        public Builder discoverTenantConfigProviders(boolean z) {
            this.tenantConfigProviders.useSystemServiceLoader(z);
            return this;
        }

        public Builder addTenantConfigFinder(TenantConfigFinder tenantConfigFinder) {
            return addTenantConfigFinder(tenantConfigFinder, BUILDER_PRIORITY);
        }

        public Builder addTenantConfigFinder(TenantConfigFinder tenantConfigFinder, int i) {
            this.tenantConfigProviders.addService(config -> {
                return tenantConfigFinder;
            }, i);
            return this;
        }
    }

    private OidcSupport(Builder builder) {
        this.oidcConfig = builder.oidcConfig;
        this.enabled = builder.enabled;
        if (!this.enabled) {
            this.corsSupport = null;
            this.oidcConfigFinders = List.of();
        } else {
            this.corsSupport = prepareCrossOriginSupport(this.oidcConfig.redirectUri(), this.oidcConfig.crossOriginConfig());
            this.oidcConfigFinders = List.copyOf(builder.tenantConfigFinders);
            this.oidcConfigFinders.forEach(tenantConfigFinder -> {
                LruCache<String, Tenant> lruCache = this.tenants;
                Objects.requireNonNull(lruCache);
                tenantConfigFinder.onChange((v1) -> {
                    r1.remove(v1);
                });
            });
        }
    }

    public static OidcSupport create(Config config, String str) {
        return builder().config(config, str).m4build();
    }

    public static OidcSupport create(Config config) {
        return builder().config(config, OidcProviderService.PROVIDER_CONFIG_KEY).m4build();
    }

    public static OidcSupport create(OidcConfig oidcConfig) {
        return builder().config(oidcConfig).m4build();
    }

    public static Builder builder() {
        return new Builder();
    }

    public void update(Routing.Rules rules) {
        if (this.enabled) {
            if (this.corsSupport != null) {
                rules.any(this.oidcConfig.redirectUri(), new Handler[]{this.corsSupport});
            }
            rules.get(this.oidcConfig.redirectUri(), new Handler[]{this::processOidcRedirect});
            if (this.oidcConfig.logoutEnabled()) {
                if (this.corsSupport != null) {
                    rules.any(this.oidcConfig.logoutUri(), new Handler[]{this.corsSupport});
                }
                rules.get(this.oidcConfig.logoutUri(), new Handler[]{this::processLogout});
            }
            rules.any(new Handler[]{this::addRequestAsHeader});
        }
    }

    private void processLogout(ServerRequest serverRequest, ServerResponse serverResponse) {
        findTenantName(serverRequest).forSingle(str -> {
            processTenantLogout(serverRequest, serverResponse, str);
        });
    }

    private void processTenantLogout(ServerRequest serverRequest, ServerResponse serverResponse, String str) {
        obtainCurrentTenant(str).forSingle(tenant -> {
            logoutWithTenant(serverRequest, serverResponse, tenant);
        });
    }

    private void logoutWithTenant(ServerRequest serverRequest, ServerResponse serverResponse, Tenant tenant) {
        OidcCookieHandler idTokenCookieHandler = this.oidcConfig.idTokenCookieHandler();
        OidcCookieHandler oidcCookieHandler = this.oidcConfig.tokenCookieHandler();
        OidcCookieHandler tenantCookieHandler = this.oidcConfig.tenantCookieHandler();
        Optional first = serverRequest.headers().cookies().first(idTokenCookieHandler.cookieName());
        if (!first.isEmpty()) {
            idTokenCookieHandler.decrypt((String) first.get()).forSingle(str -> {
                StringBuilder sb = new StringBuilder(tenant.logoutEndpointUri() + "?id_token_hint=" + str + "&post_logout_redirect_uri=" + postLogoutUri(serverRequest));
                serverRequest.queryParams().first(STATE_PARAM_NAME).ifPresent(str -> {
                    sb.append("&state=").append(str);
                });
                ResponseHeaders headers = serverResponse.headers();
                headers.addCookie(oidcCookieHandler.removeCookie().build());
                headers.addCookie(idTokenCookieHandler.removeCookie().build());
                headers.addCookie(tenantCookieHandler.removeCookie().build());
                serverResponse.status(Http.Status.TEMPORARY_REDIRECT_307).addHeader("Location", new String[]{sb.toString()}).send();
            }).exceptionallyAccept(th -> {
                sendError(serverResponse, th);
            });
        } else {
            LOGGER.finest("Logout request invoked without ID Token cookie");
            serverResponse.status(Http.Status.FORBIDDEN_403).send();
        }
    }

    private Single<String> findTenantName(ServerRequest serverRequest) {
        LinkedList linkedList = new LinkedList();
        Optional empty = Optional.empty();
        if (this.oidcConfig.useParam()) {
            empty = serverRequest.queryParams().first(this.oidcConfig.tenantParamName());
            if (empty.isEmpty()) {
                linkedList.add("query-param");
            }
        }
        if (this.oidcConfig.useCookie() && empty.isEmpty()) {
            Optional findCookie = this.oidcConfig.tenantCookieHandler().findCookie(serverRequest.headers().toMap());
            if (findCookie.isPresent()) {
                return (Single) findCookie.get();
            }
            linkedList.add("cookie");
        }
        if (empty.isPresent()) {
            return Single.just((String) empty.get());
        }
        if (LOGGER.isLoggable(Level.FINEST)) {
            LOGGER.finest("Missing tenant id, could not find in either of: " + linkedList + "Falling back to the default tenant id: @default");
        }
        return Single.just("@default");
    }

    private Single<Tenant> obtainCurrentTenant(String str) {
        Optional optional = this.tenants.get(str);
        return optional.isPresent() ? Single.just((Tenant) optional.get()) : Single.create(CompletableFuture.supplyAsync(() -> {
            Tenant tenant = (Tenant) this.oidcConfigFinders.stream().map(tenantConfigFinder -> {
                return tenantConfigFinder.config(str);
            }).flatMap((v0) -> {
                return v0.stream();
            }).map(tenantConfig -> {
                return Tenant.create(this.oidcConfig, tenantConfig);
            }).findFirst().orElseGet(() -> {
                return Tenant.create(this.oidcConfig, this.oidcConfig.tenantConfig(str));
            });
            return (Tenant) this.tenants.computeValue(str, () -> {
                return Optional.of(tenant);
            }).get();
        }, OIDC_SUPPORT_SERVICE.get()));
    }

    private void addRequestAsHeader(ServerRequest serverRequest, ServerResponse serverResponse) {
        Map map = (Map) serverRequest.context().get("security.addHeaders", Map.class).map(map2 -> {
            return map2;
        }).orElseGet(() -> {
            HashMap hashMap = new HashMap();
            serverRequest.context().register("security.addHeaders", hashMap);
            return hashMap;
        });
        String query = serverRequest.query();
        if (null == query || query.isEmpty()) {
            map.put("X_ORIG_URI_HEADER", List.of(serverRequest.uri().getPath()));
        } else {
            map.put("X_ORIG_URI_HEADER", List.of(serverRequest.uri().getPath() + "?" + query));
        }
        serverRequest.next();
    }

    private void processOidcRedirect(ServerRequest serverRequest, ServerResponse serverResponse) {
        serverRequest.queryParams().first(CODE_PARAM_NAME).ifPresentOrElse(str -> {
            processCode(str, serverRequest, serverResponse);
        }, () -> {
            processError(serverRequest, serverResponse);
        });
    }

    private void processCode(String str, ServerRequest serverRequest, ServerResponse serverResponse) {
        String str2 = (String) serverRequest.queryParams().first(this.oidcConfig.tenantParamName()).orElse("@default");
        obtainCurrentTenant(str2).forSingle(tenant -> {
            processCodeWithTenant(str, serverRequest, serverResponse, str2, tenant);
        });
    }

    private void processCodeWithTenant(String str, ServerRequest serverRequest, ServerResponse serverResponse, String str2, Tenant tenant) {
        TenantConfig tenantConfig = tenant.tenantConfig();
        WebClient appWebClient = tenant.appWebClient();
        FormParams.Builder add = FormParams.builder().add("grant_type", new String[]{"authorization_code"}).add(CODE_PARAM_NAME, new String[]{str}).add("redirect_uri", new String[]{redirectUri(serverRequest, str2)});
        WebClientRequestBuilder accept = appWebClient.post().uri(tenant.tokenEndpointUri()).accept(new MediaType[]{MediaType.APPLICATION_JSON});
        OidcUtil.updateRequest(OidcConfig.RequestType.CODE_TO_TOKEN, tenantConfig, add);
        OidcConfig.postJsonResponse(accept, add.build(), jsonObject -> {
            return processJsonResponse(serverRequest, serverResponse, jsonObject, str2);
        }, (responseStatus, str3) -> {
            return processError(serverResponse, responseStatus, str3);
        }, (th, str4) -> {
            return processError(serverResponse, th, str4);
        }).ignoreElement();
    }

    private Object postLogoutUri(ServerRequest serverRequest) {
        URI postLogoutUri = this.oidcConfig.postLogoutUri();
        if (postLogoutUri.getHost() != null) {
            return postLogoutUri.toString();
        }
        String path = postLogoutUri.getPath();
        String str = path.startsWith("/") ? path : "/" + path;
        Optional first = serverRequest.headers().first("host");
        if (first.isPresent()) {
            return ((this.oidcConfig.forceHttpsRedirects() || serverRequest.isSecure()) ? "https" : "http") + "://" + ((String) first.get()) + str;
        }
        LOGGER.warning("Request without Host header received, yet post logout URI does not define a host");
        return this.oidcConfig.toString();
    }

    private String redirectUri(ServerRequest serverRequest, String str) {
        String redirectUriWithHost;
        Optional first = serverRequest.headers().first("host");
        if (first.isPresent()) {
            redirectUriWithHost = this.oidcConfig.redirectUriWithHost((serverRequest.isSecure() ? "https" : "http") + "://" + ((String) first.get()));
        } else {
            redirectUriWithHost = this.oidcConfig.redirectUriWithHost();
        }
        if ("@default".equals(str)) {
            return redirectUriWithHost;
        }
        return redirectUriWithHost + (redirectUriWithHost.contains("?") ? "&" : "?") + encode(this.oidcConfig.tenantParamName()) + "=" + encode(str);
    }

    private String processJsonResponse(ServerRequest serverRequest, ServerResponse serverResponse, JsonObject jsonObject, String str) {
        String string = jsonObject.getString("access_token");
        String string2 = jsonObject.getString("id_token", (String) null);
        String str2 = (String) serverRequest.queryParams().first(STATE_PARAM_NAME).orElse(DEFAULT_REDIRECT);
        serverResponse.status(Http.Status.TEMPORARY_REDIRECT_307);
        if (this.oidcConfig.useParam()) {
            str2 = str2 + (str2.contains("?") ? "&" : "?") + encode(this.oidcConfig.paramName()) + "=" + string;
            if (!"@default".equals(str)) {
                str2 = str2 + "&" + encode(this.oidcConfig.tenantParamName()) + "=" + encode(str);
            }
        }
        serverResponse.headers().add("Location", new String[]{increaseRedirectCounter(str2)});
        if (!this.oidcConfig.useCookie()) {
            serverResponse.send();
            return "done";
        }
        ResponseHeaders headers = serverResponse.headers();
        this.oidcConfig.tenantCookieHandler().createCookie(str).forSingle(builder -> {
            headers.addCookie(builder.build());
        }).exceptionallyAccept(th -> {
            sendError(serverResponse, th);
        });
        this.oidcConfig.tokenCookieHandler().createCookie(string).forSingle(builder2 -> {
            headers.addCookie(builder2.build());
            if (string2 == null || !this.oidcConfig.logoutEnabled()) {
                serverResponse.send();
            } else {
                this.oidcConfig.idTokenCookieHandler().createCookie(string2).forSingle(builder2 -> {
                    headers.addCookie(builder2.build());
                    serverResponse.send();
                }).exceptionallyAccept(th2 -> {
                    sendError(serverResponse, th2);
                });
            }
        }).exceptionallyAccept(th2 -> {
            sendError(serverResponse, th2);
        });
        return "done";
    }

    private String encode(String str) {
        return URLEncoder.encode(str, StandardCharsets.UTF_8);
    }

    private void sendError(ServerResponse serverResponse, Throwable th) {
        if (LOGGER.isLoggable(Level.FINEST)) {
            LOGGER.log(Level.FINEST, "Failed to process OIDC request", th);
        }
        serverResponse.status(Http.Status.INTERNAL_SERVER_ERROR_500).send();
    }

    private Optional<String> processError(ServerResponse serverResponse, Http.ResponseStatus responseStatus, String str) {
        LOGGER.log(Level.FINE, "Invalid token or failed request when connecting to OIDC Token Endpoint. Response: " + str + ", response status: " + responseStatus);
        sendErrorResponse(serverResponse);
        return Optional.empty();
    }

    private Optional<String> processError(ServerResponse serverResponse, Throwable th, String str) {
        LOGGER.log(Level.FINE, str, th);
        sendErrorResponse(serverResponse);
        return Optional.empty();
    }

    private void sendErrorResponse(ServerResponse serverResponse) {
        serverResponse.status(Http.Status.UNAUTHORIZED_401);
        serverResponse.send("Not a valid authorization code");
    }

    String increaseRedirectCounter(String str) {
        if (!str.contains("?")) {
            return str + "?" + this.oidcConfig.redirectAttemptParam() + "=1";
        }
        Matcher matcher = Pattern.compile(".*?(" + this.oidcConfig.redirectAttemptParam() + "=\\d+).*").matcher(str);
        if (!matcher.matches()) {
            return str + "&" + this.oidcConfig.redirectAttemptParam() + "=1";
        }
        String group = matcher.group(1);
        return str.replace(group, this.oidcConfig.redirectAttemptParam() + "=" + (Integer.parseInt(group.substring(group.lastIndexOf(61) + 1)) + 1));
    }

    private void processError(ServerRequest serverRequest, ServerResponse serverResponse) {
        String str = (String) serverRequest.queryParams().first("error").orElse("invalid_request");
        String str2 = (String) serverRequest.queryParams().first("error_description").orElseGet(() -> {
            return "Failed to process authorization request. Expected redirect from OIDC server with code parameter, but got: " + serverRequest.query();
        });
        LOGGER.log(Level.WARNING, () -> {
            return "Received request on OIDC endpoint with no code. Error: " + str + " Error description: " + str2;
        });
        serverResponse.status(Http.Status.BAD_REQUEST_400);
        serverResponse.send("{\"error\": \"" + str + "\", \"error_description\": \"" + str2 + "\"}");
    }

    private CorsSupport prepareCrossOriginSupport(String str, CrossOriginConfig crossOriginConfig) {
        if (crossOriginConfig == null) {
            return null;
        }
        return CorsSupport.builder().addCrossOrigin(str, crossOriginConfig).build();
    }
}
