package io.quarkus.oidc.runtime;

import io.netty.handler.codec.http.HttpResponseStatus;
import io.quarkus.logging.Log;
import io.quarkus.oidc.AuthorizationCodeTokens;
import io.quarkus.oidc.IdTokenCredential;
import io.quarkus.oidc.JavaScriptRequestChecker;
import io.quarkus.oidc.OidcTenantConfig;
import io.quarkus.oidc.SecurityEvent;
import io.quarkus.oidc.UserInfo;
import io.quarkus.oidc.common.runtime.OidcCommonUtils;
import io.quarkus.security.AuthenticationCompletionException;
import io.quarkus.security.AuthenticationFailedException;
import io.quarkus.security.AuthenticationRedirectException;
import io.quarkus.security.identity.IdentityProviderManager;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.spi.runtime.BlockingSecurityExecutor;
import io.quarkus.security.spi.runtime.SecurityEventHelper;
import io.quarkus.vertx.http.runtime.security.ChallengeData;
import io.smallrye.jwt.algorithm.KeyEncryptionAlgorithm;
import io.smallrye.jwt.build.Jwt;
import io.smallrye.jwt.build.JwtClaimsBuilder;
import io.smallrye.jwt.util.KeyUtils;
import io.smallrye.mutiny.Uni;
import io.vertx.core.MultiMap;
import io.vertx.core.http.Cookie;
import io.vertx.core.http.CookieSameSite;
import io.vertx.core.http.HttpHeaders;
import io.vertx.core.http.impl.CookieImpl;
import io.vertx.core.http.impl.ServerCookie;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.web.RoutingContext;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.UUID;
import java.util.function.BiFunction;
import java.util.function.Function;
import java.util.regex.Pattern;
import org.eclipse.microprofile.jwt.Claims;
import org.jboss.logging.Logger;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.lang.JoseException;

/* loaded from: input_file:io/quarkus/oidc/runtime/CodeAuthenticationMechanism.class */
public class CodeAuthenticationMechanism extends AbstractOidcAuthenticationMechanism {
    public static final String SESSION_MAX_AGE_PARAM = "session-max-age";
    static final String AMP = "&";
    static final String EQ = "=";
    static final String COOKIE_DELIM = "|";
    static final String STATE_COOKIE_RESTORE_PATH = "restore-path";
    static final String NO_OIDC_COOKIES_AVAILABLE = "no_oidc_cookies";
    private static final String INTERNAL_IDTOKEN_HEADER = "internal";
    private final BlockingTaskRunner<String> createTokenStateRequestContext;
    private final BlockingTaskRunner<AuthorizationCodeTokens> getTokenStateRequestContext;
    private final SecureRandom secureRandom = new SecureRandom();
    static final Pattern COOKIE_PATTERN = Pattern.compile("\\|");
    static final Uni<Void> VOID_UNI = Uni.createFrom().voidItem();
    private static final Logger LOG = Logger.getLogger(CodeAuthenticationMechanism.class);

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/quarkus/oidc/runtime/CodeAuthenticationMechanism$LogoutCall.class */
    public class LogoutCall implements Function<SecurityIdentity, Uni<?>> {
        RoutingContext context;
        TenantConfigContext configContext;
        String idToken;

        LogoutCall(RoutingContext routingContext, TenantConfigContext tenantConfigContext, String str) {
            this.context = routingContext;
            this.configContext = tenantConfigContext;
            this.idToken = str;
        }

        @Override // java.util.function.Function
        public Uni<Void> apply(SecurityIdentity securityIdentity) {
            if (!CodeAuthenticationMechanism.this.isRpInitiatedLogout(this.context, this.configContext)) {
                return (CodeAuthenticationMechanism.this.isBackChannelLogoutPendingAndValid(this.configContext, securityIdentity) || CodeAuthenticationMechanism.this.isFrontChannelLogoutValid(this.context, this.configContext, securityIdentity)) ? CodeAuthenticationMechanism.this.removeSessionCookie(this.context, this.configContext.oidcConfig).map(new Function<Void, Void>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.LogoutCall.1
                    @Override // java.util.function.Function
                    public Void apply(Void r4) {
                        throw new LogoutException();
                    }
                }) : CodeAuthenticationMechanism.VOID_UNI;
            }
            CodeAuthenticationMechanism.LOG.debug("Performing an RP initiated logout");
            CodeAuthenticationMechanism.this.fireEvent(SecurityEvent.Type.OIDC_LOGOUT_RP_INITIATED, securityIdentity);
            return CodeAuthenticationMechanism.this.buildLogoutRedirectUriUni(this.context, this.configContext, this.idToken);
        }
    }

    public CodeAuthenticationMechanism(BlockingSecurityExecutor blockingSecurityExecutor) {
        this.createTokenStateRequestContext = new BlockingTaskRunner<>(blockingSecurityExecutor);
        this.getTokenStateRequestContext = new BlockingTaskRunner<>(blockingSecurityExecutor);
    }

    public Uni<SecurityIdentity> authenticate(final RoutingContext routingContext, final IdentityProviderManager identityProviderManager, final OidcTenantConfig oidcTenantConfig) {
        final Map<String, Cookie> cookieMap = routingContext.request().cookieMap();
        final String sessionCookie = OidcUtils.getSessionCookie(routingContext.data(), cookieMap, oidcTenantConfig);
        if (sessionCookie != null) {
            LOG.debug("Session cookie is present, starting the reauthentication");
            return this.resolver.resolveContext(routingContext).onItem().transformToUni(new Function<TenantConfigContext, Uni<? extends SecurityIdentity>>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.1
                @Override // java.util.function.Function
                public Uni<SecurityIdentity> apply(TenantConfigContext tenantConfigContext) {
                    return CodeAuthenticationMechanism.this.reAuthenticate(sessionCookie, routingContext, identityProviderManager, tenantConfigContext);
                }
            });
        }
        if (!isStateCookieAvailable(cookieMap)) {
            routingContext.put(NO_OIDC_COOKIES_AVAILABLE, Boolean.TRUE);
            return Uni.createFrom().optional(Optional.empty());
        }
        if (OidcTenantConfig.Authentication.ResponseMode.FORM_POST != oidcTenantConfig.authentication.responseMode.orElse(OidcTenantConfig.Authentication.ResponseMode.QUERY)) {
            return processRedirectFromOidc(routingContext, oidcTenantConfig, identityProviderManager, routingContext.queryParams(), cookieMap);
        }
        if (OidcUtils.isFormUrlEncodedRequest(routingContext)) {
            return OidcUtils.getFormUrlEncodedData(routingContext).onItem().transformToUni(new Function<MultiMap, Uni<? extends SecurityIdentity>>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.2
                @Override // java.util.function.Function
                public Uni<? extends SecurityIdentity> apply(MultiMap multiMap) {
                    return CodeAuthenticationMechanism.this.processRedirectFromOidc(routingContext, oidcTenantConfig, identityProviderManager, multiMap, cookieMap);
                }
            });
        }
        LOG.debug("HTTP POST and " + HttpHeaders.APPLICATION_X_WWW_FORM_URLENCODED.toString() + " content type must be used with the form_post response mode");
        return Uni.createFrom().failure(new AuthenticationFailedException());
    }

    private boolean isStateCookieAvailable(Map<String, Cookie> map) {
        Iterator<String> it = map.keySet().iterator();
        while (it.hasNext()) {
            if (it.next().startsWith(OidcUtils.STATE_COOKIE_NAME)) {
                return true;
            }
        }
        return false;
    }

    private Uni<SecurityIdentity> processRedirectFromOidc(final RoutingContext routingContext, final OidcTenantConfig oidcTenantConfig, final IdentityProviderManager identityProviderManager, final MultiMap multiMap, Map<String, Cookie> map) {
        List all = multiMap.getAll("state");
        if (all.size() != 1) {
            return stateParamIsMissing(oidcTenantConfig, routingContext, map, all.size() > 1);
        }
        Cookie cookie = routingContext.request().getCookie(getStateCookieName(oidcTenantConfig) + (oidcTenantConfig.authentication.allowMultipleCodeFlows ? "_" + ((String) all.get(0)) : ""));
        if (cookie == null) {
            return stateCookieIsMissing(oidcTenantConfig, routingContext, map);
        }
        final String[] split = COOKIE_PATTERN.split(cookie.getValue());
        OidcUtils.removeCookie(routingContext, oidcTenantConfig, cookie.getName());
        if (!split[0].equals(all.get(0))) {
            LOG.debug("State cookie value does not match the state query parameter value, completing the code flow with HTTP status 401");
            return Uni.createFrom().failure(new AuthenticationCompletionException());
        }
        LOG.debug("State cookie is present, processing an expected redirect from the OIDC provider");
        if (multiMap.contains("code")) {
            LOG.debug("Authorization code is present, completing the code flow");
            return this.resolver.resolveContext(routingContext).onItem().transformToUni(new Function<TenantConfigContext, Uni<? extends SecurityIdentity>>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.3
                @Override // java.util.function.Function
                public Uni<SecurityIdentity> apply(TenantConfigContext tenantConfigContext) {
                    return CodeAuthenticationMechanism.this.performCodeFlow(identityProviderManager, routingContext, tenantConfigContext, multiMap, split);
                }
            });
        }
        if (!multiMap.contains("error")) {
            LOG.error("State cookie is present but neither 'code' nor 'error' query parameter is returned");
            return Uni.createFrom().failure(new AuthenticationCompletionException());
        }
        OidcUtils.removeCookie(routingContext, oidcTenantConfig, cookie.getName());
        LOG.debugf("Authentication has failed, error: %s, description: %s", multiMap.get("error"), multiMap.get("error_description"));
        if (oidcTenantConfig.authentication.errorPath.isPresent()) {
            return this.resolver.resolveContext(routingContext).onItem().transformToUni(new Function<TenantConfigContext, Uni<? extends SecurityIdentity>>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.4
                @Override // java.util.function.Function
                public Uni<SecurityIdentity> apply(TenantConfigContext tenantConfigContext) {
                    String restorePath;
                    int indexOf;
                    URI create = URI.create(routingContext.request().absoluteURI());
                    String str = null;
                    CodeAuthenticationStateBean codeAuthenticationBean = CodeAuthenticationMechanism.this.getCodeAuthenticationBean(split, tenantConfigContext);
                    if (codeAuthenticationBean != null && codeAuthenticationBean.getRestorePath() != null && (indexOf = (restorePath = codeAuthenticationBean.getRestorePath()).indexOf("?")) >= 0 && indexOf + 1 < restorePath.length()) {
                        str = restorePath.substring(indexOf + 1);
                    }
                    StringBuilder sb = new StringBuilder(CodeAuthenticationMechanism.this.buildUri(routingContext, CodeAuthenticationMechanism.this.isForceHttps(oidcTenantConfig), create.getAuthority(), oidcTenantConfig.authentication.errorPath.get()));
                    sb.append('?').append(CodeAuthenticationMechanism.this.getRequestParametersAsQuery(create, multiMap, oidcTenantConfig));
                    if (str != null) {
                        sb.append('&').append(str);
                    }
                    String sb2 = sb.toString();
                    CodeAuthenticationMechanism.LOG.debugf("Error URI: %s", sb2);
                    return Uni.createFrom().failure(new AuthenticationRedirectException(sb2));
                }
            });
        }
        LOG.error("Authentication has failed but no error handler is found, completing the code flow with HTTP status 401");
        return Uni.createFrom().failure(new AuthenticationCompletionException());
    }

    private Uni<SecurityIdentity> stateParamIsMissing(OidcTenantConfig oidcTenantConfig, RoutingContext routingContext, Map<String, Cookie> map, boolean z) {
        if (!z) {
            LOG.debug("State parameter can not be empty if the state cookie is present");
            return stateCookieIsNotMatched(oidcTenantConfig, routingContext, map);
        }
        LOG.warn("State query parameter can not be multi-valued if the state cookie is present");
        removeStateCookies(oidcTenantConfig, routingContext, map);
        return Uni.createFrom().failure(new AuthenticationCompletionException());
    }

    private Uni<SecurityIdentity> stateCookieIsMissing(OidcTenantConfig oidcTenantConfig, RoutingContext routingContext, Map<String, Cookie> map) {
        LOG.debug("Matching state cookie is not found");
        return stateCookieIsNotMatched(oidcTenantConfig, routingContext, map);
    }

    private Uni<SecurityIdentity> stateCookieIsNotMatched(OidcTenantConfig oidcTenantConfig, RoutingContext routingContext, Map<String, Cookie> map) {
        if (!oidcTenantConfig.authentication.allowMultipleCodeFlows || routingContext.request().path().equals(getRedirectPath(oidcTenantConfig, routingContext))) {
            if (oidcTenantConfig.authentication.failOnMissingStateParam) {
                removeStateCookies(oidcTenantConfig, routingContext, map);
                return Uni.createFrom().failure(new AuthenticationCompletionException());
            }
            if (!oidcTenantConfig.authentication.allowMultipleCodeFlows) {
                removeStateCookies(oidcTenantConfig, routingContext, map);
            }
        }
        routingContext.put(NO_OIDC_COOKIES_AVAILABLE, Boolean.TRUE);
        return Uni.createFrom().optional(Optional.empty());
    }

    private void removeStateCookies(OidcTenantConfig oidcTenantConfig, RoutingContext routingContext, Map<String, Cookie> map) {
        for (String str : map.keySet()) {
            if (str.startsWith(OidcUtils.STATE_COOKIE_NAME)) {
                OidcUtils.removeCookie(routingContext, oidcTenantConfig, str);
            }
        }
    }

    private String getRequestParametersAsQuery(URI uri, MultiMap multiMap, OidcTenantConfig oidcTenantConfig) {
        return OidcTenantConfig.Authentication.ResponseMode.FORM_POST == oidcTenantConfig.authentication.responseMode.orElse(OidcTenantConfig.Authentication.ResponseMode.QUERY) ? OidcCommonUtils.encodeForm(new io.vertx.mutiny.core.MultiMap(multiMap)).toString() : uri.getRawQuery();
    }

    private Uni<SecurityIdentity> reAuthenticate(String str, final RoutingContext routingContext, final IdentityProviderManager identityProviderManager, final TenantConfigContext tenantConfigContext) {
        routingContext.put(TenantConfigContext.class.getName(), tenantConfigContext);
        return this.resolver.getTokenStateManager().getTokens(routingContext, tenantConfigContext.oidcConfig, str, this.getTokenStateRequestContext).onFailure(AuthenticationCompletionException.class).recoverWithUni(new Function<Throwable, Uni<? extends AuthorizationCodeTokens>>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.6
            @Override // java.util.function.Function
            public Uni<AuthorizationCodeTokens> apply(Throwable th) {
                return CodeAuthenticationMechanism.this.removeSessionCookie(routingContext, tenantConfigContext.oidcConfig).replaceWith(Uni.createFrom().failure(th));
            }
        }).chain(new Function<AuthorizationCodeTokens, Uni<? extends SecurityIdentity>>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.5
            @Override // java.util.function.Function
            public Uni<? extends SecurityIdentity> apply(final AuthorizationCodeTokens authorizationCodeTokens) {
                routingContext.put("access_token", authorizationCodeTokens.getAccessToken());
                routingContext.put(AuthorizationCodeTokens.class.getName(), authorizationCodeTokens);
                final String decryptIdTokenIfEncryptedByProvider = CodeAuthenticationMechanism.decryptIdTokenIfEncryptedByProvider(tenantConfigContext, authorizationCodeTokens.getIdToken());
                return CodeAuthenticationMechanism.this.authenticate(identityProviderManager, routingContext, new IdTokenCredential(decryptIdTokenIfEncryptedByProvider, CodeAuthenticationMechanism.this.isInternalIdToken(decryptIdTokenIfEncryptedByProvider, tenantConfigContext))).call(new LogoutCall(routingContext, tenantConfigContext, authorizationCodeTokens.getIdToken())).onFailure().recoverWithUni(new Function<Throwable, Uni<? extends SecurityIdentity>>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.5.1
                    @Override // java.util.function.Function
                    public Uni<? extends SecurityIdentity> apply(Throwable th) {
                        if (th instanceof AuthenticationRedirectException) {
                            CodeAuthenticationMechanism.LOG.debug("Redirecting after the reauthentication");
                            return Uni.createFrom().failure((AuthenticationRedirectException) th);
                        }
                        if (th instanceof LogoutException) {
                            CodeAuthenticationMechanism.LOG.debugf("User has been logged out, authentication challenge is required", new Object[0]);
                            return Uni.createFrom().failure(new AuthenticationFailedException(th));
                        }
                        if (th instanceof TokenAutoRefreshException) {
                            SecurityIdentity securityIdentity = ((TokenAutoRefreshException) th).getSecurityIdentity();
                            if (CodeAuthenticationMechanism.this.isLogout(routingContext, tenantConfigContext, securityIdentity)) {
                                return Uni.createFrom().item(securityIdentity).call(new LogoutCall(routingContext, tenantConfigContext, authorizationCodeTokens.getIdToken()));
                            }
                            if (authorizationCodeTokens.getRefreshToken() != null) {
                                CodeAuthenticationMechanism.LOG.debug("Token auto-refresh is starting");
                                return CodeAuthenticationMechanism.this.refreshSecurityIdentity(tenantConfigContext, decryptIdTokenIfEncryptedByProvider, authorizationCodeTokens.getRefreshToken(), routingContext, identityProviderManager, true, securityIdentity);
                            }
                            CodeAuthenticationMechanism.LOG.debug("Token auto-refresh is required but is not possible because the refresh token is null");
                            return securityIdentity != null ? Uni.createFrom().item(securityIdentity) : Uni.createFrom().failure(new AuthenticationFailedException(th.getCause()));
                        }
                        if (!((th.getCause() instanceof InvalidJwtException) && th.getCause().hasErrorCode(1))) {
                            CodeAuthenticationMechanism.logAuthenticationError(routingContext, th);
                            return CodeAuthenticationMechanism.this.removeSessionCookie(routingContext, tenantConfigContext.oidcConfig).replaceWith(Uni.createFrom().failure(th.getCause() instanceof AuthenticationCompletionException ? th.getCause() : new AuthenticationCompletionException(th.getCause())));
                        }
                        if (CodeAuthenticationMechanism.this.isRpInitiatedLogout(routingContext, tenantConfigContext)) {
                            CodeAuthenticationMechanism.LOG.debug("Session has expired, performing an RP initiated logout");
                            CodeAuthenticationMechanism.this.fireEvent(SecurityEvent.Type.OIDC_LOGOUT_RP_INITIATED_SESSION_EXPIRED, Map.of(SecurityEvent.SESSION_TOKENS_PROPERTY, authorizationCodeTokens));
                            Uni item = Uni.createFrom().item((SecurityIdentity) null);
                            RoutingContext routingContext2 = routingContext;
                            TenantConfigContext tenantConfigContext2 = tenantConfigContext;
                            String str2 = decryptIdTokenIfEncryptedByProvider;
                            return item.call(() -> {
                                return CodeAuthenticationMechanism.this.buildLogoutRedirectUriUni(routingContext2, tenantConfigContext2, str2);
                            });
                        }
                        if (!tenantConfigContext.oidcConfig.token.refreshExpired) {
                            if (tenantConfigContext.oidcConfig.authentication.getSessionExpiredPath().isPresent()) {
                                return CodeAuthenticationMechanism.this.redirectToSessionExpiredPage(routingContext, tenantConfigContext);
                            }
                            CodeAuthenticationMechanism.LOG.debug("Token has expired, token refresh is not allowed, redirecting to re-authenticate");
                            return Uni.createFrom().failure(new AuthenticationFailedException(th.getCause()));
                        }
                        if (authorizationCodeTokens.getRefreshToken() != null) {
                            CodeAuthenticationMechanism.LOG.debug("Token has expired, trying to refresh it");
                            return CodeAuthenticationMechanism.this.refreshSecurityIdentity(tenantConfigContext, decryptIdTokenIfEncryptedByProvider, authorizationCodeTokens.getRefreshToken(), routingContext, identityProviderManager, false, null);
                        }
                        if (tenantConfigContext.oidcConfig.authentication.getSessionExpiredPath().isPresent()) {
                            return CodeAuthenticationMechanism.this.redirectToSessionExpiredPage(routingContext, tenantConfigContext);
                        }
                        CodeAuthenticationMechanism.LOG.debug("Token has expired, token refresh is not possible because the refresh token is null");
                        return Uni.createFrom().failure(new AuthenticationFailedException(th.getCause()));
                    }
                });
            }
        });
    }

    private Uni<SecurityIdentity> redirectToSessionExpiredPage(RoutingContext routingContext, TenantConfigContext tenantConfigContext) {
        String sb = new StringBuilder(buildUri(routingContext, isForceHttps(tenantConfigContext.oidcConfig), URI.create(routingContext.request().absoluteURI()).getAuthority(), tenantConfigContext.oidcConfig.authentication.getSessionExpiredPath().get())).toString();
        LOG.debugf("Session Expired URI: %s", sb);
        return removeSessionCookie(routingContext, tenantConfigContext.oidcConfig).chain(() -> {
            return Uni.createFrom().failure(new AuthenticationRedirectException(sb));
        });
    }

    private static String decryptIdTokenIfEncryptedByProvider(TenantConfigContext tenantConfigContext, String str) {
        if ((tenantConfigContext.provider.tokenDecryptionKey != null || tenantConfigContext.provider.client.getClientJwtKey() != null) && OidcUtils.isEncryptedToken(str)) {
            try {
                return OidcUtils.decryptString(str, tenantConfigContext.provider.tokenDecryptionKey != null ? tenantConfigContext.provider.tokenDecryptionKey : tenantConfigContext.provider.client.getClientJwtKey(), KeyEncryptionAlgorithm.RSA_OAEP);
            } catch (JoseException e) {
                Log.debugf("Failed to decrypt a token: %s, a token introspection will be attempted instead", e.getMessage());
            }
        }
        return str;
    }

    private boolean isLogout(RoutingContext routingContext, TenantConfigContext tenantConfigContext, SecurityIdentity securityIdentity) {
        return isRpInitiatedLogout(routingContext, tenantConfigContext) || isBackChannelLogoutPending(tenantConfigContext, securityIdentity) || isFrontChannelLogoutValid(routingContext, tenantConfigContext, securityIdentity);
    }

    private boolean isBackChannelLogoutPending(TenantConfigContext tenantConfigContext, SecurityIdentity securityIdentity) {
        BackChannelLogoutTokenCache backChannelLogoutTokenCache;
        if (tenantConfigContext.oidcConfig.logout.backchannel.path.isEmpty() || (backChannelLogoutTokenCache = this.resolver.getBackChannelLogoutTokens().get(tenantConfigContext.oidcConfig.getTenantId().get())) == null) {
            return false;
        }
        return backChannelLogoutTokenCache.containsTokenVerification(OidcUtils.decodeJwtContent(securityIdentity.getPrincipal().getRawToken()).getString(tenantConfigContext.oidcConfig.logout.backchannel.getLogoutTokenKey()));
    }

    private boolean isBackChannelLogoutPendingAndValid(TenantConfigContext tenantConfigContext, SecurityIdentity securityIdentity) {
        BackChannelLogoutTokenCache backChannelLogoutTokenCache;
        if (tenantConfigContext.oidcConfig.logout.backchannel.path.isEmpty() || (backChannelLogoutTokenCache = this.resolver.getBackChannelLogoutTokens().get(tenantConfigContext.oidcConfig.getTenantId().get())) == null) {
            return false;
        }
        JsonObject decodeJwtContent = OidcUtils.decodeJwtContent(securityIdentity.getPrincipal().getRawToken());
        TokenVerificationResult removeTokenVerification = backChannelLogoutTokenCache.removeTokenVerification(decodeJwtContent.getString(tenantConfigContext.oidcConfig.logout.backchannel.getLogoutTokenKey()));
        if (removeTokenVerification == null) {
            return false;
        }
        String string = decodeJwtContent.getString(Claims.iss.name());
        String string2 = removeTokenVerification.localVerificationResult.getString(Claims.iss.name());
        if (string2 != null && !string2.equals(string)) {
            LOG.debugf("Logout token issuer does not match the ID token issuer", new Object[0]);
            return false;
        }
        String string3 = decodeJwtContent.getString(Claims.sub.name());
        String string4 = removeTokenVerification.localVerificationResult.getString(Claims.sub.name());
        if (string4 != null && string3 != null && !string4.equals(string3)) {
            LOG.debugf("Logout token subject does not match the ID token subject", new Object[0]);
            return false;
        }
        String string5 = decodeJwtContent.getString("sid");
        String string6 = removeTokenVerification.localVerificationResult.getString("sid");
        if (string6 != null && string5 != null && !string6.equals(string5)) {
            LOG.debugf("Logout token session id does not match the ID token session id", new Object[0]);
            return false;
        }
        LOG.debugf("Backchannel logout request for the tenant %s has been completed", tenantConfigContext.oidcConfig.tenantId.get());
        fireEvent(SecurityEvent.Type.OIDC_BACKCHANNEL_LOGOUT_COMPLETED, securityIdentity);
        return true;
    }

    private boolean isFrontChannelLogoutValid(RoutingContext routingContext, TenantConfigContext tenantConfigContext, SecurityIdentity securityIdentity) {
        if (!isEqualToRequestPath(tenantConfigContext.oidcConfig.logout.frontchannel.path, routingContext, tenantConfigContext)) {
            return false;
        }
        JsonObject decodeJwtContent = OidcUtils.decodeJwtContent(securityIdentity.getPrincipal().getRawToken());
        String string = decodeJwtContent.getString(Claims.iss.name());
        List queryParam = routingContext.queryParam(Claims.iss.name());
        if (queryParam != null && queryParam.size() == 1 && !((String) queryParam.get(0)).equals(string)) {
            LOG.debugf("Frontchannel issuer parameter does not match the ID token issuer", new Object[0]);
            return false;
        }
        String string2 = decodeJwtContent.getString("sid");
        List queryParam2 = routingContext.queryParam("sid");
        if (queryParam2 != null && queryParam2.size() == 1 && !((String) queryParam2.get(0)).equals(string2)) {
            LOG.debugf("Frontchannel session id parameter does not match the ID token session id", new Object[0]);
            return false;
        }
        LOG.debugf("Frontchannel logout request for the tenant %s has been completed", tenantConfigContext.oidcConfig.tenantId.get());
        fireEvent(SecurityEvent.Type.OIDC_FRONTCHANNEL_LOGOUT_COMPLETED, securityIdentity);
        return true;
    }

    private boolean isInternalIdToken(String str, TenantConfigContext tenantConfigContext) {
        JsonObject decodeJwtHeaders;
        if (tenantConfigContext.oidcConfig.authentication.idTokenRequired.orElse(true).booleanValue() || (decodeJwtHeaders = OidcUtils.decodeJwtHeaders(str)) == null) {
            return false;
        }
        return decodeJwtHeaders.getBoolean(INTERNAL_IDTOKEN_HEADER, false).booleanValue();
    }

    private boolean isIdTokenRequired(TenantConfigContext tenantConfigContext) {
        return tenantConfigContext.oidcConfig.authentication.isIdTokenRequired().orElse(true).booleanValue();
    }

    private boolean isJavaScript(RoutingContext routingContext) {
        JavaScriptRequestChecker javaScriptRequestChecker = this.resolver.getJavaScriptRequestChecker();
        if (javaScriptRequestChecker != null) {
            return javaScriptRequestChecker.isJavaScriptRequest(routingContext);
        }
        String header = routingContext.request().getHeader("X-Requested-With");
        return "JavaScript".equals(header) || "XMLHttpRequest".equals(header);
    }

    private boolean shouldAutoRedirect(TenantConfigContext tenantConfigContext, RoutingContext routingContext) {
        if (isJavaScript(routingContext)) {
            return tenantConfigContext.oidcConfig.authentication.javaScriptAutoRedirect;
        }
        return true;
    }

    public Uni<ChallengeData> getChallenge(final RoutingContext routingContext) {
        return this.resolver.resolveContext(routingContext).onItem().transformToUni(new Function<TenantConfigContext, Uni<? extends ChallengeData>>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.7
            @Override // java.util.function.Function
            public Uni<ChallengeData> apply(TenantConfigContext tenantConfigContext) {
                return CodeAuthenticationMechanism.this.getChallengeInternal(routingContext, tenantConfigContext);
            }
        });
    }

    public Uni<ChallengeData> getChallengeInternal(final RoutingContext routingContext, final TenantConfigContext tenantConfigContext) {
        OidcTenantConfig resolvedConfig;
        LOG.debugf("Starting an authentication challenge for tenant %s", tenantConfigContext.oidcConfig.tenantId.get());
        OidcTenantConfig oidcTenantConfig = tenantConfigContext.oidcConfig;
        String str = (String) routingContext.get(OidcUtils.TENANT_ID_SET_BY_SESSION_COOKIE);
        if (str != null && !str.equals(oidcTenantConfig.tenantId.orElse(OidcUtils.DEFAULT_TENANT_ID)) && (resolvedConfig = this.resolver.getResolvedConfig(str)) != null) {
            oidcTenantConfig = resolvedConfig;
            LOG.debugf("Removing the session cookie for the previous tenant id: %s", str);
            OidcUtils.getSessionCookie(routingContext, oidcTenantConfig);
        }
        return removeSessionCookie(routingContext, oidcTenantConfig).chain(new Function<Void, Uni<? extends ChallengeData>>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.8
            @Override // java.util.function.Function
            public Uni<ChallengeData> apply(Void r10) {
                if (routingContext.get(CodeAuthenticationMechanism.NO_OIDC_COOKIES_AVAILABLE) != null && CodeAuthenticationMechanism.this.isRedirectFromProvider(routingContext, tenantConfigContext)) {
                    CodeAuthenticationMechanism.LOG.warn("The state cookie is missing after the redirect from OpenId Connect Provider, authentication has failed");
                    return Uni.createFrom().item(new ChallengeData(401, "WWW-Authenticate", "OIDC"));
                }
                if (!CodeAuthenticationMechanism.this.shouldAutoRedirect(tenantConfigContext, routingContext)) {
                    return Uni.createFrom().item(new ChallengeData(499, "WWW-Authenticate", "OIDC"));
                }
                StringBuilder sb = new StringBuilder(168);
                sb.append("response_type").append(CodeAuthenticationMechanism.EQ).append("code");
                if (OidcTenantConfig.Authentication.ResponseMode.FORM_POST == tenantConfigContext.oidcConfig.authentication.responseMode.orElse(OidcTenantConfig.Authentication.ResponseMode.QUERY)) {
                    sb.append(CodeAuthenticationMechanism.AMP).append("response_mode").append(CodeAuthenticationMechanism.EQ).append(tenantConfigContext.oidcConfig.authentication.responseMode.get().toString().toLowerCase());
                }
                sb.append(CodeAuthenticationMechanism.AMP).append("client_id").append(CodeAuthenticationMechanism.EQ).append(OidcCommonUtils.urlEncode((String) tenantConfigContext.oidcConfig.clientId.get()));
                sb.append(CodeAuthenticationMechanism.AMP).append("scope").append(CodeAuthenticationMechanism.EQ).append(OidcUtils.encodeScopes(tenantConfigContext.oidcConfig));
                MultiMap multiMap = null;
                if (!tenantConfigContext.oidcConfig.getAuthentication().forwardParams.isEmpty()) {
                    multiMap = routingContext.queryParams();
                    for (String str2 : tenantConfigContext.oidcConfig.getAuthentication().forwardParams.get()) {
                        if (multiMap.contains(str2)) {
                            Iterator it = multiMap.getAll(str2).iterator();
                            while (it.hasNext()) {
                                sb.append(CodeAuthenticationMechanism.AMP).append(str2).append(CodeAuthenticationMechanism.EQ).append(OidcCommonUtils.urlEncode((String) it.next()));
                            }
                            multiMap.remove(str2);
                        }
                    }
                }
                String redirectPath = CodeAuthenticationMechanism.this.getRedirectPath(tenantConfigContext.oidcConfig, routingContext);
                String buildUri = CodeAuthenticationMechanism.this.buildUri(routingContext, CodeAuthenticationMechanism.this.isForceHttps(tenantConfigContext.oidcConfig), redirectPath);
                CodeAuthenticationMechanism.LOG.debugf("Authentication request redirect_uri parameter: %s", buildUri);
                sb.append(CodeAuthenticationMechanism.AMP).append("redirect_uri").append(CodeAuthenticationMechanism.EQ).append(OidcCommonUtils.urlEncode(buildUri));
                PkceStateBean createPkceStateBean = CodeAuthenticationMechanism.this.createPkceStateBean(tenantConfigContext);
                String uuid = tenantConfigContext.oidcConfig.authentication.nonceRequired ? UUID.randomUUID().toString() : null;
                sb.append(CodeAuthenticationMechanism.AMP).append("state").append(CodeAuthenticationMechanism.EQ).append(CodeAuthenticationMechanism.this.generateCodeFlowState(routingContext, tenantConfigContext, redirectPath, multiMap, createPkceStateBean != null ? createPkceStateBean.getCodeVerifier() : null, uuid));
                if (createPkceStateBean != null) {
                    sb.append(CodeAuthenticationMechanism.AMP).append("code_challenge").append(CodeAuthenticationMechanism.EQ).append(createPkceStateBean.getCodeChallenge());
                    sb.append(CodeAuthenticationMechanism.AMP).append("code_challenge_method").append(CodeAuthenticationMechanism.EQ).append("S256");
                }
                if (uuid != null) {
                    sb.append(CodeAuthenticationMechanism.AMP).append("nonce").append(CodeAuthenticationMechanism.EQ).append(uuid);
                }
                CodeAuthenticationMechanism.addExtraParamsToUri(sb, tenantConfigContext.oidcConfig.authentication.getExtraParams());
                String str3 = tenantConfigContext.provider.getMetadata().getAuthorizationUri() + "?" + sb.toString();
                CodeAuthenticationMechanism.LOG.debugf("Code flow redirect to: %s", str3);
                return Uni.createFrom().item(new ChallengeData(HttpResponseStatus.FOUND.code(), HttpHeaders.LOCATION, str3));
            }
        });
    }

    private boolean isRedirectFromProvider(RoutingContext routingContext, TenantConfigContext tenantConfigContext) {
        String header = routingContext.request().getHeader(HttpHeaders.REFERER);
        return header != null && header.startsWith(tenantConfigContext.provider.getMetadata().getAuthorizationUri());
    }

    private PkceStateBean createPkceStateBean(TenantConfigContext tenantConfigContext) {
        if (!tenantConfigContext.oidcConfig.authentication.pkceRequired.orElse(false).booleanValue()) {
            return null;
        }
        PkceStateBean pkceStateBean = new PkceStateBean();
        Base64.Encoder withoutPadding = Base64.getUrlEncoder().withoutPadding();
        byte[] bArr = new byte[32];
        this.secureRandom.nextBytes(bArr);
        String encodeToString = withoutPadding.encodeToString(bArr);
        pkceStateBean.setCodeVerifier(encodeToString);
        try {
            pkceStateBean.setCodeChallenge(withoutPadding.encodeToString(OidcUtils.getSha256Digest(encodeToString.getBytes(StandardCharsets.ISO_8859_1))));
            return pkceStateBean;
        } catch (Exception e) {
            LOG.errorf("Code challenge creation failure: %s", e.getMessage());
            throw new AuthenticationCompletionException(e);
        }
    }

    private Uni<SecurityIdentity> performCodeFlow(final IdentityProviderManager identityProviderManager, final RoutingContext routingContext, final TenantConfigContext tenantConfigContext, final MultiMap multiMap, String[] strArr) {
        String str = null;
        String str2 = null;
        final CodeAuthenticationStateBean codeAuthenticationBean = getCodeAuthenticationBean(strArr, tenantConfigContext);
        if (codeAuthenticationBean != null && codeAuthenticationBean.getRestorePath() != null) {
            String restorePath = codeAuthenticationBean.getRestorePath();
            int indexOf = restorePath.indexOf("?");
            if (indexOf >= 0) {
                str = isRestorePath(tenantConfigContext.oidcConfig.authentication) ? restorePath.substring(0, indexOf) : null;
                if (indexOf + 1 < restorePath.length()) {
                    str2 = restorePath.substring(indexOf + 1);
                }
            } else {
                str = restorePath;
            }
        }
        final String str3 = str;
        final String str4 = str2;
        String str5 = multiMap.get("code");
        LOG.debug("Exchanging the authorization code for the tokens");
        return getCodeFlowTokensUni(routingContext, tenantConfigContext, str5, codeAuthenticationBean != null ? codeAuthenticationBean.getCodeVerifier() : null).onItemOrFailure().transformToUni(new BiFunction<AuthorizationCodeTokens, Throwable, Uni<? extends SecurityIdentity>>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.9
            @Override // java.util.function.BiFunction
            public Uni<SecurityIdentity> apply(final AuthorizationCodeTokens authorizationCodeTokens, Throwable th) {
                boolean z;
                if (th != null) {
                    CodeAuthenticationMechanism.LOG.errorf("Exception during the code to token exchange: %s", th.getMessage());
                    return Uni.createFrom().failure(new AuthenticationCompletionException(th));
                }
                if (authorizationCodeTokens.getIdToken() == null) {
                    if (CodeAuthenticationMechanism.this.isIdTokenRequired(tenantConfigContext)) {
                        CodeAuthenticationMechanism.LOG.errorf("ID token is not available in the authorization code grant response", new Object[0]);
                        return Uni.createFrom().failure(new AuthenticationCompletionException());
                    }
                    authorizationCodeTokens.setIdToken(CodeAuthenticationMechanism.this.generateInternalIdToken(tenantConfigContext.oidcConfig, null, null, authorizationCodeTokens.getAccessTokenExpiresIn()));
                    z = true;
                } else {
                    if (!CodeAuthenticationMechanism.prepareNonceForVerification(routingContext, tenantConfigContext.oidcConfig, codeAuthenticationBean, authorizationCodeTokens.getIdToken())) {
                        return Uni.createFrom().failure(new AuthenticationCompletionException());
                    }
                    z = false;
                }
                routingContext.put("new_authentication", Boolean.TRUE);
                routingContext.put("access_token", authorizationCodeTokens.getAccessToken());
                routingContext.put(AuthorizationCodeTokens.class.getName(), authorizationCodeTokens);
                final String decryptIdTokenIfEncryptedByProvider = CodeAuthenticationMechanism.decryptIdTokenIfEncryptedByProvider(tenantConfigContext, authorizationCodeTokens.getIdToken());
                CodeAuthenticationMechanism.LOG.debug("Authorization code has been exchanged, verifying ID token");
                final boolean z2 = z;
                return CodeAuthenticationMechanism.this.authenticate(identityProviderManager, routingContext, new IdTokenCredential(decryptIdTokenIfEncryptedByProvider, z)).call(new Function<SecurityIdentity, Uni<?>>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.9.3
                    @Override // java.util.function.Function
                    public Uni<Void> apply(SecurityIdentity securityIdentity) {
                        if (z2 && OidcUtils.cacheUserInfoInIdToken(CodeAuthenticationMechanism.this.resolver, tenantConfigContext.oidcConfig)) {
                            authorizationCodeTokens.setIdToken(CodeAuthenticationMechanism.this.generateInternalIdToken(tenantConfigContext.oidcConfig, (UserInfo) securityIdentity.getAttribute(OidcUtils.USER_INFO_ATTRIBUTE), null, authorizationCodeTokens.getAccessTokenExpiresIn()));
                        }
                        return CodeAuthenticationMechanism.this.processSuccessfulAuthentication(routingContext, tenantConfigContext, authorizationCodeTokens, decryptIdTokenIfEncryptedByProvider, securityIdentity);
                    }
                }).map(new Function<SecurityIdentity, SecurityIdentity>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.9.2
                    @Override // java.util.function.Function
                    public SecurityIdentity apply(SecurityIdentity securityIdentity) {
                        boolean isRemoveRedirectParameters = tenantConfigContext.oidcConfig.authentication.isRemoveRedirectParameters();
                        if (!isRemoveRedirectParameters && str3 == null && str4 == null) {
                            return securityIdentity;
                        }
                        URI create = URI.create(routingContext.request().absoluteURI());
                        StringBuilder sb = new StringBuilder(CodeAuthenticationMechanism.this.buildUri(routingContext, CodeAuthenticationMechanism.this.isForceHttps(tenantConfigContext.oidcConfig), create.getAuthority(), str3 != null ? str3 : create.getRawPath()));
                        if (!isRemoveRedirectParameters) {
                            sb.append('?').append(CodeAuthenticationMechanism.this.getRequestParametersAsQuery(create, multiMap, tenantConfigContext.oidcConfig));
                        }
                        if (str4 != null) {
                            sb.append(!isRemoveRedirectParameters ? "" : "?");
                            sb.append(str4);
                        }
                        String sb2 = sb.toString();
                        CodeAuthenticationMechanism.LOG.debugf("Removing code flow redirect parameters, final redirect URI: %s", sb2);
                        throw new AuthenticationRedirectException(sb2);
                    }
                }).onFailure().transform(new Function<Throwable, Throwable>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.9.1
                    @Override // java.util.function.Function
                    public Throwable apply(Throwable th2) {
                        if (th2 instanceof AuthenticationRedirectException) {
                            CodeAuthenticationMechanism.LOG.debugf("Starting the final redirect", new Object[0]);
                            return th2;
                        }
                        CodeAuthenticationMechanism.logAuthenticationError(routingContext, th2);
                        return new AuthenticationCompletionException(th2);
                    }
                });
            }
        });
    }

    private static void logAuthenticationError(RoutingContext routingContext, Throwable th) {
        String errorMessage = errorMessage(th);
        if (routingContext.get("access_token") != null && routingContext.get("code_flow_access_token_result") == null) {
            LOG.errorf("Access token verification has failed: %s. ID token has not been verified yet", errorMessage);
        } else {
            LOG.errorf("ID token verification has failed: %s", errorMessage);
        }
    }

    private static boolean prepareNonceForVerification(RoutingContext routingContext, OidcTenantConfig oidcTenantConfig, CodeAuthenticationStateBean codeAuthenticationStateBean, String str) {
        if (!oidcTenantConfig.authentication.nonceRequired) {
            return true;
        }
        if (codeAuthenticationStateBean == null || codeAuthenticationStateBean.getNonce() == null) {
            LOG.errorf("ID token 'nonce' is required but the authentication request 'nonce' is not found in the state cookie", new Object[0]);
            return false;
        }
        routingContext.put("nonce", codeAuthenticationStateBean.getNonce());
        return true;
    }

    private static String errorMessage(Throwable th) {
        return th.getCause() != null ? th.getCause().getMessage() : th.getMessage();
    }

    private CodeAuthenticationStateBean getCodeAuthenticationBean(String[] strArr, TenantConfigContext tenantConfigContext) {
        if (strArr.length != 2) {
            return null;
        }
        CodeAuthenticationStateBean codeAuthenticationStateBean = new CodeAuthenticationStateBean();
        OidcTenantConfig.Authentication authentication = tenantConfigContext.oidcConfig.authentication;
        if (!authentication.pkceRequired.orElse(false).booleanValue() && !authentication.nonceRequired) {
            codeAuthenticationStateBean.setRestorePath(strArr[1]);
            return codeAuthenticationStateBean;
        }
        try {
            JsonObject decryptJson = OidcUtils.decryptJson(strArr[1], tenantConfigContext.getStateEncryptionKey());
            codeAuthenticationStateBean.setRestorePath(decryptJson.getString(STATE_COOKIE_RESTORE_PATH));
            codeAuthenticationStateBean.setCodeVerifier(decryptJson.getString("code_verifier"));
            codeAuthenticationStateBean.setNonce(decryptJson.getString("nonce"));
            return codeAuthenticationStateBean;
        } catch (Exception e) {
            LOG.errorf("State cookie value can not be decrypted for the %s tenant", tenantConfigContext.oidcConfig.tenantId.get());
            throw new AuthenticationCompletionException(e);
        }
    }

    private String generateInternalIdToken(OidcTenantConfig oidcTenantConfig, UserInfo userInfo, String str, Long l) {
        JwtClaimsBuilder claims = Jwt.claims();
        if (str != null) {
            AbstractJsonObjectResponse abstractJsonObjectResponse = new AbstractJsonObjectResponse(OidcUtils.decodeJwtContentAsString(str)) { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.10
            };
            for (String str2 : abstractJsonObjectResponse.getPropertyNames()) {
                if (!str2.equals(Claims.iat.name()) && !str2.equals(Claims.exp.name())) {
                    claims.claim(str2, abstractJsonObjectResponse.get(str2));
                }
            }
        }
        if (userInfo != null) {
            claims.claim(OidcUtils.USER_INFO_ATTRIBUTE, userInfo.getJsonObject());
        }
        if (oidcTenantConfig.authentication.internalIdTokenLifespan.isPresent()) {
            claims.expiresIn(oidcTenantConfig.authentication.internalIdTokenLifespan.get().getSeconds());
        } else if (l != null) {
            claims.expiresIn(l.longValue());
        }
        claims.audience((String) oidcTenantConfig.getClientId().get());
        return claims.jws().header(INTERNAL_IDTOKEN_HEADER, true).sign(KeyUtils.createSecretKeyFromSecret(OidcCommonUtils.clientSecret(oidcTenantConfig.credentials)));
    }

    private Uni<Void> processSuccessfulAuthentication(final RoutingContext routingContext, final TenantConfigContext tenantConfigContext, final AuthorizationCodeTokens authorizationCodeTokens, final String str, final SecurityIdentity securityIdentity) {
        LOG.debug("ID token has been verified, removing the existing session cookie if any and creating a new one");
        return removeSessionCookie(routingContext, tenantConfigContext.oidcConfig).chain(new Function<Void, Uni<? extends Void>>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.11
            @Override // java.util.function.Function
            public Uni<? extends Void> apply(Void r8) {
                JsonObject decodeJwtContent = OidcUtils.decodeJwtContent(str);
                if (!decodeJwtContent.containsKey("exp") || !decodeJwtContent.containsKey("iat")) {
                    CodeAuthenticationMechanism.LOG.error("ID Token is required to contain 'exp' and 'iat' claims");
                    throw new AuthenticationCompletionException();
                }
                long longValue = decodeJwtContent.getLong("exp").longValue() - decodeJwtContent.getLong("iat").longValue();
                CodeAuthenticationMechanism.LOG.debugf("ID token is valid for %d seconds", longValue);
                if (tenantConfigContext.oidcConfig.token.lifespanGrace.isPresent()) {
                    longValue += tenantConfigContext.oidcConfig.token.lifespanGrace.getAsInt();
                }
                if (tenantConfigContext.oidcConfig.token.refreshExpired && authorizationCodeTokens.getRefreshToken() != null) {
                    longValue += tenantConfigContext.oidcConfig.authentication.sessionAgeExtension.getSeconds();
                }
                final long j = longValue;
                routingContext.put(CodeAuthenticationMechanism.SESSION_MAX_AGE_PARAM, Long.valueOf(longValue));
                routingContext.put(TenantConfigContext.class.getName(), tenantConfigContext);
                CodeAuthenticationMechanism.this.resolver.getBackChannelLogoutTokens().remove(tenantConfigContext.oidcConfig.tenantId.get());
                return CodeAuthenticationMechanism.this.resolver.getTokenStateManager().createTokenState(routingContext, tenantConfigContext.oidcConfig, authorizationCodeTokens, CodeAuthenticationMechanism.this.createTokenStateRequestContext).map(new Function<String, Void>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.11.1
                    @Override // java.util.function.Function
                    public Void apply(String str2) {
                        String sessionCookieName = OidcUtils.getSessionCookieName(tenantConfigContext.oidcConfig);
                        CodeAuthenticationMechanism.LOG.debugf("Session cookie length for the tenant %s is %d bytes.", tenantConfigContext.oidcConfig.tenantId.get(), Integer.valueOf(str2.length()));
                        if (str2.length() > OidcUtils.MAX_COOKIE_VALUE_LENGTH.intValue()) {
                            CodeAuthenticationMechanism.LOG.debugf("Session cookie length for the tenant %s is greater than %d bytes. The cookie will be split to chunks to avoid browsers ignoring it. Alternative recommendations: 1. Set 'quarkus.oidc.token-state-manager.split-tokens=true' to have the ID, access and refresh tokens stored in separate cookies. 2. Set 'quarkus.oidc.token-state-manager.strategy=id-refresh-tokens' if you do not need to use the access token as a source of roles or to request UserInfo or propagate it to the downstream services. 3. Decrease the encrypted session cookie's length by enabling a direct encryption algorithm with 'quarkus.oidc.token-state-manager.encryption-algorithm=dir'. 4. Decrease the session cookie's length by disabling its encryption with 'quarkus.oidc.token-state-manager.encryption-required=false' but only if it is considered to be safe in your application's network. 5. Use the 'quarkus-oidc-db-token-state-manager' extension or register a custom 'quarkus.oidc.TokenStateManager' CDI bean with the alternative priority set to 1 and save the tokens on the server.", tenantConfigContext.oidcConfig.tenantId.get(), OidcUtils.MAX_COOKIE_VALUE_LENGTH);
                            int i = 1;
                            int i2 = 0;
                            while (i2 < str2.length()) {
                                int intValue = i2 + OidcUtils.MAX_COOKIE_VALUE_LENGTH.intValue();
                                String substring = str2.substring(i2, intValue < str2.length() ? intValue : str2.length());
                                String str3 = sessionCookieName + "_chunk_" + i;
                                CodeAuthenticationMechanism.LOG.debugf("Creating the %s session cookie chunk, size: %d", str3, Integer.valueOf(substring.length()));
                                CodeAuthenticationMechanism.createCookie(routingContext, tenantConfigContext.oidcConfig, str3, substring, j, true);
                                i2 = intValue;
                                i++;
                            }
                        } else {
                            CodeAuthenticationMechanism.createCookie(routingContext, tenantConfigContext.oidcConfig, sessionCookieName, str2, j, true);
                        }
                        CodeAuthenticationMechanism.this.fireEvent(SecurityEvent.Type.OIDC_LOGIN, securityIdentity);
                        return null;
                    }
                });
            }
        });
    }

    private void fireEvent(SecurityEvent.Type type, SecurityIdentity securityIdentity) {
        if (this.resolver.isSecurityEventObserved()) {
            SecurityEventHelper.fire(this.resolver.getSecurityEvent(), new SecurityEvent(type, securityIdentity));
        }
    }

    private void fireEvent(SecurityEvent.Type type, Map<String, Object> map) {
        if (this.resolver.isSecurityEventObserved()) {
            SecurityEventHelper.fire(this.resolver.getSecurityEvent(), new SecurityEvent(type, map));
        }
    }

    private String getRedirectPath(OidcTenantConfig oidcTenantConfig, RoutingContext routingContext) {
        OidcTenantConfig.Authentication authentication = oidcTenantConfig.getAuthentication();
        return authentication.getRedirectPath().isPresent() ? authentication.getRedirectPath().get() : routingContext.request().path();
    }

    private String generateCodeFlowState(RoutingContext routingContext, TenantConfigContext tenantConfigContext, String str, MultiMap multiMap, String str2, String str3) {
        String uuid = UUID.randomUUID().toString();
        String str4 = uuid;
        boolean isRestorePath = isRestorePath(tenantConfigContext.oidcConfig.getAuthentication());
        if (isRestorePath || str2 != null || str3 != null) {
            CodeAuthenticationStateBean codeAuthenticationStateBean = new CodeAuthenticationStateBean();
            if (isRestorePath) {
                String query = routingContext.request().query();
                String path = (str.equals(routingContext.request().path()) && query == null) ? "" : routingContext.request().path();
                if (query != null) {
                    String str5 = path + "?";
                    if (multiMap == null) {
                        path = str5 + query;
                    } else {
                        StringBuilder sb = new StringBuilder();
                        for (String str6 : multiMap.names()) {
                            for (String str7 : multiMap.getAll(str6)) {
                                if (sb.length() > 0) {
                                    sb.append(AMP);
                                }
                                sb.append(str6).append(EQ).append(OidcCommonUtils.urlEncode(str7));
                            }
                        }
                        path = str5 + sb.toString();
                    }
                }
                if (!path.isEmpty()) {
                    codeAuthenticationStateBean.setRestorePath(path);
                }
            }
            codeAuthenticationStateBean.setCodeVerifier(str2);
            codeAuthenticationStateBean.setNonce(str3);
            if (!codeAuthenticationStateBean.isEmpty()) {
                str4 = str4 + "|" + encodeExtraStateValue(codeAuthenticationStateBean, tenantConfigContext);
            }
        } else if (routingContext.request().query() != null) {
            CodeAuthenticationStateBean codeAuthenticationStateBean2 = new CodeAuthenticationStateBean();
            codeAuthenticationStateBean2.setRestorePath("?" + routingContext.request().query());
            str4 = str4 + "|" + encodeExtraStateValue(codeAuthenticationStateBean2, tenantConfigContext);
        }
        createCookie(routingContext, tenantConfigContext.oidcConfig, getStateCookieName(tenantConfigContext.oidcConfig) + (tenantConfigContext.oidcConfig.authentication.allowMultipleCodeFlows ? "_" + uuid : ""), str4, tenantConfigContext.oidcConfig.authentication.stateCookieAge.toSeconds());
        return uuid;
    }

    private boolean isRestorePath(OidcTenantConfig.Authentication authentication) {
        return authentication.isRestorePathAfterRedirect() || !authentication.redirectPath.isPresent();
    }

    private String encodeExtraStateValue(CodeAuthenticationStateBean codeAuthenticationStateBean, TenantConfigContext tenantConfigContext) {
        if (codeAuthenticationStateBean.getCodeVerifier() == null && codeAuthenticationStateBean.getNonce() == null) {
            return codeAuthenticationStateBean.getRestorePath();
        }
        JsonObject jsonObject = new JsonObject();
        if (codeAuthenticationStateBean.getCodeVerifier() != null) {
            jsonObject.put("code_verifier", codeAuthenticationStateBean.getCodeVerifier());
        }
        if (codeAuthenticationStateBean.getNonce() != null) {
            jsonObject.put("nonce", codeAuthenticationStateBean.getNonce());
        }
        if (codeAuthenticationStateBean.getRestorePath() != null) {
            jsonObject.put(STATE_COOKIE_RESTORE_PATH, codeAuthenticationStateBean.getRestorePath());
        }
        try {
            return OidcUtils.encryptJson(jsonObject, tenantConfigContext.getStateEncryptionKey());
        } catch (Exception e) {
            LOG.errorf("State containing the code verifier can not be encrypted: %s", e.getMessage());
            throw new AuthenticationCompletionException(e);
        }
    }

    private String generatePostLogoutState(RoutingContext routingContext, TenantConfigContext tenantConfigContext) {
        OidcUtils.removeCookie(routingContext, tenantConfigContext.oidcConfig, getPostLogoutCookieName(tenantConfigContext.oidcConfig));
        return createCookie(routingContext, tenantConfigContext.oidcConfig, getPostLogoutCookieName(tenantConfigContext.oidcConfig), UUID.randomUUID().toString(), 1800L).getValue();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static ServerCookie createCookie(RoutingContext routingContext, OidcTenantConfig oidcTenantConfig, String str, String str2, long j) {
        return createCookie(routingContext, oidcTenantConfig, str, str2, j, false);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static ServerCookie createCookie(RoutingContext routingContext, OidcTenantConfig oidcTenantConfig, String str, String str2, long j, boolean z) {
        CookieImpl cookieImpl = new CookieImpl(str, str2);
        cookieImpl.setHttpOnly(true);
        cookieImpl.setSecure(oidcTenantConfig.authentication.cookieForceSecure || routingContext.request().isSSL());
        cookieImpl.setMaxAge(j);
        LOG.debugf(str + " cookie 'max-age' parameter is set to %d", j);
        OidcTenantConfig.Authentication authentication = oidcTenantConfig.getAuthentication();
        OidcUtils.setCookiePath(routingContext, authentication, cookieImpl);
        if (authentication.cookieDomain.isPresent()) {
            cookieImpl.setDomain(authentication.getCookieDomain().get());
        }
        if (z) {
            cookieImpl.setSameSite(CookieSameSite.valueOf(authentication.cookieSameSite.name()));
        }
        routingContext.response().addCookie(cookieImpl);
        return cookieImpl;
    }

    private String buildUri(RoutingContext routingContext, boolean z, String str) {
        return buildUri(routingContext, z, URI.create(routingContext.request().absoluteURI()).getAuthority(), str);
    }

    private String buildUri(RoutingContext routingContext, boolean z, String str, String str2) {
        String header;
        String scheme = z ? "https" : routingContext.request().scheme();
        String str3 = "";
        if (this.resolver.isEnableHttpForwardedPrefix() && (header = routingContext.request().getHeader("X-Forwarded-Prefix")) != null && !header.equals("/") && !header.equals("//")) {
            str3 = header;
            if (str3.endsWith("/")) {
                str3 = str3.substring(0, str3.length() - 1);
            }
        }
        return scheme + "://" + str + str3 + str2;
    }

    private boolean isRpInitiatedLogout(RoutingContext routingContext, TenantConfigContext tenantConfigContext) {
        return isEqualToRequestPath(tenantConfigContext.oidcConfig.logout.path, routingContext, tenantConfigContext);
    }

    private boolean isEqualToRequestPath(Optional<String> optional, RoutingContext routingContext, TenantConfigContext tenantConfigContext) {
        if (optional.isPresent()) {
            return routingContext.request().path().equals(optional.get());
        }
        return false;
    }

    private Uni<SecurityIdentity> refreshSecurityIdentity(final TenantConfigContext tenantConfigContext, String str, String str2, final RoutingContext routingContext, final IdentityProviderManager identityProviderManager, final boolean z, final SecurityIdentity securityIdentity) {
        return refreshTokensUni(tenantConfigContext, str, str2, z).onItemOrFailure().transformToUni(new BiFunction<AuthorizationCodeTokens, Throwable, Uni<? extends SecurityIdentity>>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.12
            @Override // java.util.function.BiFunction
            public Uni<SecurityIdentity> apply(final AuthorizationCodeTokens authorizationCodeTokens, Throwable th) {
                if (th == null) {
                    routingContext.put("access_token", authorizationCodeTokens.getAccessToken());
                    routingContext.put(AuthorizationCodeTokens.class.getName(), authorizationCodeTokens);
                    routingContext.put("refresh_token_grant_response", Boolean.TRUE);
                    final String decryptIdTokenIfEncryptedByProvider = CodeAuthenticationMechanism.decryptIdTokenIfEncryptedByProvider(tenantConfigContext, authorizationCodeTokens.getIdToken());
                    CodeAuthenticationMechanism.LOG.debug("Verifying the refreshed ID token");
                    return CodeAuthenticationMechanism.this.authenticate(identityProviderManager, routingContext, new IdTokenCredential(decryptIdTokenIfEncryptedByProvider, CodeAuthenticationMechanism.this.isInternalIdToken(decryptIdTokenIfEncryptedByProvider, tenantConfigContext))).call(new Function<SecurityIdentity, Uni<?>>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.12.3
                        @Override // java.util.function.Function
                        public Uni<Void> apply(SecurityIdentity securityIdentity2) {
                            return CodeAuthenticationMechanism.this.processSuccessfulAuthentication(routingContext, tenantConfigContext, authorizationCodeTokens, decryptIdTokenIfEncryptedByProvider, securityIdentity2);
                        }
                    }).map(new Function<SecurityIdentity, SecurityIdentity>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.12.2
                        @Override // java.util.function.Function
                        public SecurityIdentity apply(SecurityIdentity securityIdentity2) {
                            CodeAuthenticationMechanism.this.fireEvent(z ? SecurityEvent.Type.OIDC_SESSION_REFRESHED : SecurityEvent.Type.OIDC_SESSION_EXPIRED_AND_REFRESHED, securityIdentity2);
                            return securityIdentity2;
                        }
                    }).onFailure().transform(new Function<Throwable, Throwable>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.12.1
                        @Override // java.util.function.Function
                        public Throwable apply(Throwable th2) {
                            CodeAuthenticationMechanism.LOG.debugf("Verifying the refreshed ID token failed %s", CodeAuthenticationMechanism.errorMessage(th2));
                            return new AuthenticationFailedException(th2);
                        }
                    });
                }
                CodeAuthenticationMechanism.LOG.debugf("ID token refresh has failed: %s", CodeAuthenticationMechanism.errorMessage(th));
                if (!z) {
                    return tenantConfigContext.oidcConfig.authentication.getSessionExpiredPath().isPresent() ? CodeAuthenticationMechanism.this.redirectToSessionExpiredPage(routingContext, tenantConfigContext) : Uni.createFrom().failure(new AuthenticationFailedException(th));
                }
                if (securityIdentity == null) {
                    return Uni.createFrom().failure(new AuthenticationFailedException(th));
                }
                CodeAuthenticationMechanism.LOG.debug("Using the current SecurityIdentity since the ID token is still valid");
                return Uni.createFrom().item(securityIdentity);
            }
        });
    }

    private Uni<AuthorizationCodeTokens> refreshTokensUni(final TenantConfigContext tenantConfigContext, final String str, final String str2, final boolean z) {
        return tenantConfigContext.provider.refreshTokens(str2).onItem().transform(new Function<AuthorizationCodeTokens, AuthorizationCodeTokens>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.13
            @Override // java.util.function.Function
            public AuthorizationCodeTokens apply(AuthorizationCodeTokens authorizationCodeTokens) {
                if (authorizationCodeTokens.getRefreshToken() == null) {
                    authorizationCodeTokens.setRefreshToken(str2);
                }
                if (authorizationCodeTokens.getIdToken() == null) {
                    if (!CodeAuthenticationMechanism.this.isIdTokenRequired(tenantConfigContext) && CodeAuthenticationMechanism.this.isInternalIdToken(str, tenantConfigContext)) {
                        authorizationCodeTokens.setIdToken(CodeAuthenticationMechanism.this.generateInternalIdToken(tenantConfigContext.oidcConfig, null, str, authorizationCodeTokens.getAccessTokenExpiresIn()));
                    } else {
                        if (!z) {
                            CodeAuthenticationMechanism.LOG.debugf("ID token is not returned in the refresh token grant response, re-authentication is required", new Object[0]);
                            throw new AuthenticationFailedException();
                        }
                        authorizationCodeTokens.setIdToken(str);
                    }
                }
                return authorizationCodeTokens;
            }
        });
    }

    private Uni<AuthorizationCodeTokens> getCodeFlowTokensUni(RoutingContext routingContext, TenantConfigContext tenantConfigContext, String str, String str2) {
        String redirectPath = getRedirectPath(tenantConfigContext.oidcConfig, routingContext);
        if (tenantConfigContext.oidcConfig.authentication.redirectPath.isPresent() && !tenantConfigContext.oidcConfig.authentication.redirectPath.get().equals(routingContext.request().path())) {
            LOG.warnf("Token redirect path %s does not match the current request path", routingContext.request().path());
            return Uni.createFrom().failure(new AuthenticationFailedException("Wrong redirect path"));
        }
        String buildUri = buildUri(routingContext, isForceHttps(tenantConfigContext.oidcConfig), redirectPath);
        LOG.debugf("Token request redirect_uri parameter: %s", buildUri);
        return tenantConfigContext.provider.getCodeFlowTokens(str, buildUri, str2);
    }

    private String buildLogoutRedirectUri(TenantConfigContext tenantConfigContext, String str, RoutingContext routingContext) {
        StringBuilder sb = new StringBuilder(tenantConfigContext.provider.getMetadata().getEndSessionUri());
        if (str != null || tenantConfigContext.oidcConfig.logout.postLogoutPath.isPresent()) {
            sb.append("?");
        }
        if (str != null) {
            sb.append("id_token_hint").append(EQ).append(str);
        }
        if (tenantConfigContext.oidcConfig.logout.postLogoutPath.isPresent()) {
            sb.append(AMP).append(tenantConfigContext.oidcConfig.logout.getPostLogoutUriParam()).append(EQ).append(OidcCommonUtils.urlEncode(buildUri(routingContext, isForceHttps(tenantConfigContext.oidcConfig), tenantConfigContext.oidcConfig.logout.postLogoutPath.get())));
            sb.append(AMP).append("state").append(EQ).append(generatePostLogoutState(routingContext, tenantConfigContext));
        }
        addExtraParamsToUri(sb, tenantConfigContext.oidcConfig.logout.extraParams);
        return sb.toString();
    }

    private static void addExtraParamsToUri(StringBuilder sb, Map<String, String> map) {
        if (map != null) {
            for (Map.Entry<String, String> entry : map.entrySet()) {
                if (!entry.getKey().equals("scope")) {
                    sb.append(AMP).append(entry.getKey()).append(EQ).append(OidcCommonUtils.urlEncode(entry.getValue()));
                }
            }
        }
    }

    private boolean isForceHttps(OidcTenantConfig oidcTenantConfig) {
        return oidcTenantConfig.authentication.forceRedirectHttpsScheme.orElse(false).booleanValue();
    }

    private Uni<Void> buildLogoutRedirectUriUni(final RoutingContext routingContext, final TenantConfigContext tenantConfigContext, final String str) {
        return removeSessionCookie(routingContext, tenantConfigContext.oidcConfig).map(new Function<Void, Void>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.14
            @Override // java.util.function.Function
            public Void apply(Void r6) {
                String buildLogoutRedirectUri = CodeAuthenticationMechanism.this.buildLogoutRedirectUri(tenantConfigContext, str, routingContext);
                CodeAuthenticationMechanism.LOG.debugf("Logout uri: %s", buildLogoutRedirectUri);
                throw new AuthenticationRedirectException(buildLogoutRedirectUri);
            }
        });
    }

    private static String getStateCookieName(OidcTenantConfig oidcTenantConfig) {
        return "q_auth" + OidcUtils.getCookieSuffix(oidcTenantConfig);
    }

    private static String getPostLogoutCookieName(OidcTenantConfig oidcTenantConfig) {
        return "q_post_logout" + OidcUtils.getCookieSuffix(oidcTenantConfig);
    }

    private Uni<Void> removeSessionCookie(RoutingContext routingContext, OidcTenantConfig oidcTenantConfig) {
        return OidcUtils.removeSessionCookie(routingContext, oidcTenantConfig, this.resolver.getTokenStateManager());
    }
}
