package fish.payara.security.oauth2;

import com.sun.enterprise.util.SystemPropertyConstants;
import com.sun.faces.context.UrlBuilder;
import fish.payara.security.annotations.OAuth2AuthenticationDefinition;
import fish.payara.security.oauth2.api.OAuth2State;
import fish.payara.security.openid.api.OpenIdConstant;
import java.io.StringReader;
import java.util.Optional;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.el.ELProcessor;
import javax.enterprise.inject.Typed;
import javax.enterprise.inject.spi.CDI;
import javax.inject.Inject;
import javax.json.Json;
import javax.json.JsonObject;
import javax.json.JsonReader;
import javax.security.enterprise.AuthenticationException;
import javax.security.enterprise.AuthenticationStatus;
import javax.security.enterprise.authentication.mechanism.http.AutoApplySession;
import javax.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
import javax.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import javax.security.enterprise.credential.RememberMeCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStoreHandler;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.client.Entity;
import javax.ws.rs.core.Form;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.eclipse.microprofile.config.Config;
import org.eclipse.microprofile.config.ConfigProvider;
import org.eclipse.persistence.config.ResultSetType;
import org.glassfish.config.support.TranslatedConfigView;

@Typed({OAuth2AuthenticationMechanism.class})
@AutoApplySession
/* loaded from: input_file:fish/payara/security/oauth2/OAuth2AuthenticationMechanism.class */
public class OAuth2AuthenticationMechanism implements HttpAuthenticationMechanism {
    private static final Logger logger = Logger.getLogger("OAuth2Mechanism");
    private final ELProcessor elProcessor;
    private String authEndpoint;
    private String tokenEndpoint;
    private String clientID;
    private char[] clientSecret;
    private String redirectURI;
    private String scopes;
    private String[] extraParameters;

    @Inject
    private OAuth2State state;

    @Inject
    private OAuth2StateHolder tokenHolder;

    @Inject
    private IdentityStoreHandler identityStoreHandler;

    public OAuth2AuthenticationMechanism() {
        this.elProcessor = new ELProcessor();
        this.elProcessor.getELManager().addELResolver(CDI.current().getBeanManager().getELResolver());
    }

    public OAuth2AuthenticationMechanism(OAuth2AuthenticationDefinition oAuth2AuthenticationDefinition) {
        this();
        setDefinition(oAuth2AuthenticationDefinition);
    }

    public OAuth2AuthenticationMechanism setDefinition(OAuth2AuthenticationDefinition oAuth2AuthenticationDefinition) {
        Config config = ConfigProvider.getConfig();
        this.authEndpoint = getConfiguredValue(oAuth2AuthenticationDefinition.authEndpoint(), config, OAuth2AuthenticationDefinition.OAUTH2_MP_AUTH_ENDPOINT);
        this.tokenEndpoint = getConfiguredValue(oAuth2AuthenticationDefinition.tokenEndpoint(), config, OAuth2AuthenticationDefinition.OAUTH2_MP_TOKEN_ENDPOINT);
        this.clientID = getConfiguredValue(oAuth2AuthenticationDefinition.clientId(), config, OAuth2AuthenticationDefinition.OAUTH2_MP_CLIENT_ID);
        this.clientSecret = getConfiguredValue(oAuth2AuthenticationDefinition.clientSecret(), config, OAuth2AuthenticationDefinition.OAUTH2_MP_CLIENT_SECRET).toCharArray();
        this.redirectURI = getConfiguredValue(oAuth2AuthenticationDefinition.redirectURI(), config, OAuth2AuthenticationDefinition.OAUTH2_MP_REDIRECT_URI);
        this.scopes = getConfiguredValue(oAuth2AuthenticationDefinition.scope(), config, OAuth2AuthenticationDefinition.OAUTH2_MP_SCOPE);
        String[] extraParameters = oAuth2AuthenticationDefinition.extraParameters();
        this.extraParameters = new String[extraParameters.length];
        for (int i = 0; i < extraParameters.length; i++) {
            this.extraParameters[i] = getConfiguredValue(extraParameters[i], config, extraParameters[i]);
        }
        return this;
    }

    @Override // javax.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism
    public AuthenticationStatus validateRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HttpMessageContext httpMessageContext) throws AuthenticationException {
        if (httpMessageContext.isProtected() && httpServletRequest.getUserPrincipal() == null) {
            return redirectForAuth(httpMessageContext);
        }
        String parameter = httpServletRequest.getParameter("state");
        if (!httpServletRequest.getRequestURL().toString().equals(this.redirectURI) || parameter == null) {
            logger.log(Level.FINEST, "Authentication mechanism doing nothing");
            return httpMessageContext.doNothing();
        }
        if (parameter.equals(this.state.getState())) {
            return validateCallback(httpServletRequest, httpMessageContext);
        }
        logger.log(Level.FINE, "Inconsistent recieved state. This may be caused by using the back button in the browser.");
        return httpMessageContext.notifyContainerAboutLogin(CredentialValidationResult.NOT_VALIDATED_RESULT);
    }

    private AuthenticationStatus validateCallback(HttpServletRequest httpServletRequest, HttpMessageContext httpMessageContext) {
        logger.log(Level.FINER, "User Authenticated, now getting authorisation token");
        Client newClient = ClientBuilder.newClient();
        Form param = new Form().param(OpenIdConstant.GRANT_TYPE, OpenIdConstant.AUTHORIZATION_CODE).param(OpenIdConstant.CLIENT_ID, this.clientID).param(OpenIdConstant.CLIENT_SECRET, new String(this.clientSecret)).param("code", httpServletRequest.getParameter("code")).param("state", this.state.getState());
        if (this.redirectURI != null && !this.redirectURI.isEmpty()) {
            param.param(OpenIdConstant.REDIRECT_URI, this.redirectURI);
        }
        if (this.scopes != null && !this.scopes.isEmpty()) {
            param.param("scope", this.scopes);
        }
        for (String str : this.extraParameters) {
            String[] split = str.split("=");
            param.param(split[0], split[1]);
        }
        Response post = newClient.target(this.tokenEndpoint).request().accept(MediaType.APPLICATION_JSON).header("referer", httpServletRequest.getRequestURL().toString()).post(Entity.form(param));
        String str2 = (String) post.readEntity(String.class);
        JsonObject readJsonObject = readJsonObject(str2);
        logger.log(Level.FINEST, "Response code from endpoint: {0}", Integer.valueOf(post.getStatus()));
        if (post.getStatus() != 200) {
            logger.log(Level.WARNING, "[OAUTH-001] Error occurred authenticating user: {0} caused by {1}", new Object[]{readJsonObject.getString("error", "Unknown Error"), readJsonObject.getString(OpenIdConstant.ERROR_DESCRIPTION_PARAM, ResultSetType.Unknown)});
            return httpMessageContext.notifyContainerAboutLogin(CredentialValidationResult.INVALID_RESULT);
        }
        this.tokenHolder.setAccessToken(readJsonObject.getString(OpenIdConstant.ACCESS_TOKEN));
        this.tokenHolder.setRefreshToken(readJsonObject.getString(OpenIdConstant.REFRESH_TOKEN, null));
        this.tokenHolder.setScope(readJsonObject.getString("scope", null));
        String string = readJsonObject.getString(OpenIdConstant.EXPIRES_IN, null);
        if (string != null) {
            this.tokenHolder.setExpiresIn(Integer.valueOf(Integer.parseInt(string)));
        }
        return httpMessageContext.notifyContainerAboutLogin(this.identityStoreHandler.validate(new RememberMeCredential(str2)));
    }

    private JsonObject readJsonObject(String str) {
        JsonReader createReader = Json.createReader(new StringReader(str));
        Throwable th = null;
        try {
            try {
                JsonObject readObject = createReader.readObject();
                if (createReader != null) {
                    if (0 != 0) {
                        try {
                            createReader.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        createReader.close();
                    }
                }
                return readObject;
            } finally {
            }
        } catch (Throwable th3) {
            if (createReader != null) {
                if (th != null) {
                    try {
                        createReader.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    createReader.close();
                }
            }
            throw th3;
        }
    }

    private AuthenticationStatus redirectForAuth(HttpMessageContext httpMessageContext) {
        logger.log(Level.FINEST, "Redirecting for authentication to {0}", this.authEndpoint);
        StringBuilder sb = new StringBuilder(this.authEndpoint);
        sb.append("?client_id=").append(this.clientID);
        sb.append("&state=").append(this.state.getState());
        sb.append("&response_type=code");
        if (this.redirectURI != null && !this.redirectURI.isEmpty()) {
            sb.append("&redirect_uri=").append(this.redirectURI);
        }
        if (this.scopes != null && !this.scopes.isEmpty()) {
            sb.append("&scope=").append(this.scopes);
        }
        for (String str : this.extraParameters) {
            sb.append(UrlBuilder.PARAMETER_PAIR_SEPARATOR).append(str);
        }
        return httpMessageContext.redirect(sb.toString());
    }

    private String getConfiguredValue(String str, Config config, String str2) {
        Optional optionalValue = config.getOptionalValue(str2, String.class);
        if (optionalValue.isPresent()) {
            return (String) optionalValue.get();
        }
        String str3 = (String) TranslatedConfigView.getTranslatedValue(str);
        if (isELExpression(str)) {
            str3 = (String) this.elProcessor.getValue(toRawExpression(str3), String.class);
        }
        return str3;
    }

    private static boolean isELExpression(String str) {
        return !str.isEmpty() && isDeferredExpression(str);
    }

    private static boolean isDeferredExpression(String str) {
        return str.startsWith("#{") && str.endsWith(SystemPropertyConstants.CLOSE);
    }

    private static String toRawExpression(String str) {
        return str.substring(2, str.length() - 1);
    }
}
