package org.pac4j.oidc.credentials.authenticator;

import com.nimbusds.oauth2.sdk.AuthorizationCode;
import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
import com.nimbusds.oauth2.sdk.AuthorizationGrant;
import com.nimbusds.oauth2.sdk.ErrorObject;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.RefreshTokenGrant;
import com.nimbusds.oauth2.sdk.TokenErrorResponse;
import com.nimbusds.oauth2.sdk.TokenRequest;
import com.nimbusds.oauth2.sdk.TokenResponse;
import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.http.HTTPResponse;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.pkce.CodeVerifier;
import com.nimbusds.oauth2.sdk.token.RefreshToken;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Stream;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.context.session.SessionStore;
import org.pac4j.core.credentials.Credentials;
import org.pac4j.core.credentials.authenticator.Authenticator;
import org.pac4j.core.exception.TechnicalException;
import org.pac4j.core.util.CommonHelper;
import org.pac4j.oidc.client.OidcClient;
import org.pac4j.oidc.config.OidcConfiguration;
import org.pac4j.oidc.credentials.OidcCredentials;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/pac4j/oidc/credentials/authenticator/OidcAuthenticator.class */
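/**
 * Exchanges OIDC credentials at the provider's token endpoint.
 *
 * <p>On construction the client authentication method for the token endpoint is resolved from the
 * configuration and the provider metadata; at runtime an authorization code (optionally with a PKCE
 * verifier) or a refresh token is exchanged for tokens that are stored back into the credentials.
 *
 * <p>Not thread-safe for mutation: {@link #setClientAuthentication(ClientAuthentication)} replaces
 * state that concurrent {@code validate}/{@code refresh} calls read.
 */
public class OidcAuthenticator implements Authenticator {
    private static final Logger logger = LoggerFactory.getLogger(OidcAuthenticator.class);

    /** Token endpoint client authentication methods this authenticator knows how to perform. */
    private static final Collection<ClientAuthenticationMethod> SUPPORTED_METHODS = Arrays.asList(
        ClientAuthenticationMethod.CLIENT_SECRET_POST,
        ClientAuthenticationMethod.CLIENT_SECRET_BASIC,
        ClientAuthenticationMethod.NONE);

    protected OidcConfiguration configuration;
    protected OidcClient client;
    // Stays null when no client secret is configured; the token request is then sent as a public
    // client (client_id only, no authentication) -- see createTokenRequest.
    private ClientAuthentication clientAuthentication;

    /**
     * Creates the authenticator and resolves the token endpoint client authentication.
     *
     * <p>When a client secret is configured, the authentication method is chosen as follows: the
     * configured preference is used if the provider metadata lists it (or if the metadata lists
     * nothing); otherwise the first metadata method this class supports is taken. Only
     * {@code client_secret_post} and {@code client_secret_basic} can be turned into a
     * {@link ClientAuthentication}; any other resolved method (including {@code none}) is rejected
     * when a secret is present.
     *
     * @param oidcConfiguration the OIDC configuration (client id, secret, preferred method, metadata)
     * @param oidcClient the owning client, used later for the callback URL and PKCE session key
     * @throws TechnicalException if a required argument is null, if the configured or resolved
     *     authentication method is not supported, or if the preferred method is not advertised by
     *     the provider metadata
     */
    public OidcAuthenticator(final OidcConfiguration oidcConfiguration, final OidcClient oidcClient) {
        CommonHelper.assertNotNull("configuration", oidcConfiguration);
        CommonHelper.assertNotNull("client", oidcClient);
        this.configuration = oidcConfiguration;
        this.client = oidcClient;

        // Built before the secret check so an invalid client id fails fast for public clients too.
        final ClientID clientId = new ClientID(oidcConfiguration.getClientId());
        if (oidcConfiguration.getSecret() == null) {
            return; // public client: nothing to authenticate with
        }
        final ClientAuthenticationMethod method = resolveAuthenticationMethod(oidcConfiguration);
        this.clientAuthentication = buildClientAuthentication(method, clientId, oidcConfiguration.getSecret());
    }

    /**
     * Picks the token endpoint authentication method from the configuration and provider metadata.
     *
     * <p>The metadata list is consulted only for choosing among methods; it is whatever
     * {@code findProviderMetadata()} returns, so its trustworthiness is that of the metadata source.
     *
     * @param oidcConfiguration the configuration providing the preference and the metadata
     * @return the method to use; never null
     * @throws TechnicalException if the preferred method is configured but not advertised, or no
     *     advertised method is supported
     */
    private static ClientAuthenticationMethod resolveAuthenticationMethod(final OidcConfiguration oidcConfiguration) {
        final List<ClientAuthenticationMethod> metadataMethods =
            oidcConfiguration.findProviderMetadata().getTokenEndpointAuthMethods();
        final ClientAuthenticationMethod preferred = getPreferredAuthenticationMethod(oidcConfiguration);

        if (!CommonHelper.isNotEmpty(metadataMethods)) {
            // No advertised methods: honour the preference, else fall back to the SDK default.
            final ClientAuthenticationMethod fallback =
                preferred != null ? preferred : ClientAuthenticationMethod.getDefault();
            logger.info("Provider metadata does not provide Token endpoint authentication methods. Using: {}", fallback);
            return fallback;
        }
        if (preferred == null) {
            return firstSupportedMethod(metadataMethods);
        }
        if (!metadataMethods.contains(preferred)) {
            throw new TechnicalException("Preferred authentication method (" + preferred
                + ") not supported by provider according to provider metadata (" + metadataMethods + ").");
        }
        return preferred;
    }

    /**
     * Wraps the client id and secret in the {@link ClientAuthentication} matching {@code method}.
     *
     * @param method the resolved token endpoint authentication method
     * @param clientId the client identifier
     * @param secret the configured client secret (non-null here)
     * @return a secret-post or secret-basic authentication
     * @throws TechnicalException for any other method, including {@code none}
     */
    private static ClientAuthentication buildClientAuthentication(final ClientAuthenticationMethod method,
                                                                  final ClientID clientId, final String secret) {
        if (ClientAuthenticationMethod.CLIENT_SECRET_POST.equals(method)) {
            return new ClientSecretPost(clientId, new Secret(secret));
        }
        if (ClientAuthenticationMethod.CLIENT_SECRET_BASIC.equals(method)) {
            return new ClientSecretBasic(clientId, new Secret(secret));
        }
        // NONE is in SUPPORTED_METHODS but cannot carry a secret, so it is rejected here.
        throw new TechnicalException("Unsupported client authentication method: " + method);
    }

    /**
     * Returns the explicitly configured authentication method, if any.
     *
     * @param oidcConfiguration the configuration to read
     * @return the configured method, or null when none is configured
     * @throws TechnicalException if a method is configured but not in {@link #SUPPORTED_METHODS}
     */
    private static ClientAuthenticationMethod getPreferredAuthenticationMethod(final OidcConfiguration oidcConfiguration) {
        final ClientAuthenticationMethod configured = oidcConfiguration.getClientAuthenticationMethod();
        if (configured == null) {
            return null;
        }
        if (!SUPPORTED_METHODS.contains(configured)) {
            throw new TechnicalException("Configured authentication method (" + configured + ") is not supported.");
        }
        return configured;
    }

    /**
     * Returns the first method in the provider's advertised list that this class supports.
     *
     * <p>Selection follows the provider's order, not a local preference order.
     *
     * @param metadataMethods the token endpoint methods advertised in the provider metadata
     * @return the first supported entry
     * @throws TechnicalException if no entry is supported
     */
    private static ClientAuthenticationMethod firstSupportedMethod(final List<ClientAuthenticationMethod> metadataMethods) {
        return metadataMethods.stream()
            .filter(SUPPORTED_METHODS::contains)
            .findFirst()
            .orElseThrow(() -> new TechnicalException(
                "None of the Token endpoint provider metadata authentication methods are supported: " + metadataMethods));
    }

    /**
     * Exchanges the authorization code carried by the credentials for tokens.
     *
     * <p>The redirect URI sent in the grant is the client's computed callback URL, and the PKCE
     * {@code code_verifier} is read from the session under the client's verifier attribute name; if
     * no verifier is stored, the grant is sent without one. Credentials without a code are left
     * untouched.
     *
     * @param credentials must be an {@link OidcCredentials} instance
     * @param webContext the current web context
     * @param sessionStore the session store holding the PKCE verifier
     * @throws TechnicalException on I/O, URI or token response parsing failures, or a token error
     *     response
     */
    @Override
    public void validate(final Credentials credentials, final WebContext webContext, final SessionStore sessionStore) {
        final OidcCredentials oidcCredentials = (OidcCredentials) credentials;
        final AuthorizationCode code = oidcCredentials.getCode();
        if (code == null) {
            return; // nothing to exchange
        }
        try {
            final URI redirectUri = new URI(this.client.computeFinalCallbackUrl(webContext));
            // Absent verifier -> null -> no code_verifier parameter in the token request.
            final CodeVerifier verifier = (CodeVerifier) this.configuration.getValueRetriever()
                .retrieve(this.client.getCodeVerifierSessionAttributeName(), this.client, webContext, sessionStore)
                .orElse(null);
            final AuthorizationGrant grant = new AuthorizationCodeGrant(code, redirectUri, verifier);
            executeTokenRequest(createTokenRequest(grant), oidcCredentials);
        } catch (final IOException | URISyntaxException | ParseException e) {
            throw new TechnicalException(e);
        }
    }

    /**
     * Uses the credentials' refresh token to obtain fresh tokens.
     *
     * <p>Credentials without a refresh token are left untouched.
     *
     * @param oidcCredentials the credentials to refresh in place
     * @throws TechnicalException on I/O or parsing failures, or a token error response
     */
    public void refresh(final OidcCredentials oidcCredentials) {
        final RefreshToken refreshToken = oidcCredentials.getRefreshToken();
        if (refreshToken == null) {
            return; // nothing to refresh with
        }
        try {
            final AuthorizationGrant grant = new RefreshTokenGrant(refreshToken);
            executeTokenRequest(createTokenRequest(grant), oidcCredentials);
        } catch (final IOException | ParseException e) {
            throw new TechnicalException(e);
        }
    }

    /**
     * Builds the token request for the given grant against the provider's token endpoint.
     *
     * @param authorizationGrant the grant (authorization code or refresh token)
     * @return an authenticated request when a client authentication is set, otherwise a
     *     public-client request identified only by client id
     */
    protected TokenRequest createTokenRequest(final AuthorizationGrant authorizationGrant) {
        final URI tokenEndpoint = this.configuration.findProviderMetadata().getTokenEndpointURI();
        if (this.clientAuthentication != null) {
            return new TokenRequest(tokenEndpoint, this.clientAuthentication, authorizationGrant);
        }
        return new TokenRequest(tokenEndpoint, new ClientID(this.configuration.getClientId()), authorizationGrant);
    }

    /**
     * Sends the token request and stores the returned tokens into the credentials.
     *
     * @param tokenRequest the request to send; {@code configuration.configureHttpRequest} is applied first
     * @param oidcCredentials receives the access token, refresh token and (when present) ID token
     * @throws IOException if the HTTP exchange fails
     * @throws ParseException if the response cannot be parsed as an OIDC token response
     * @throws TechnicalException if the provider answered with a token error response
     */
    private void executeTokenRequest(final TokenRequest tokenRequest, final OidcCredentials oidcCredentials)
        throws IOException, ParseException {
        final HTTPRequest httpRequest = tokenRequest.toHTTPRequest();
        this.configuration.configureHttpRequest(httpRequest);
        final HTTPResponse httpResponse = httpRequest.send();
        // NOTE(review): at DEBUG this writes the raw response body, i.e. the issued access/refresh/ID
        // tokens, into the log; keep DEBUG off for this logger in any environment where logs are retained.
        logger.debug("Token response: status={}, content={}", httpResponse.getStatusCode(), httpResponse.getContent());

        final TokenResponse response = OIDCTokenResponseParser.parse(httpResponse);
        if (response instanceof TokenErrorResponse) {
            final ErrorObject error = ((TokenErrorResponse) response).getErrorObject();
            throw new TechnicalException("Bad token response, error=" + error.getCode()
                + ", description=" + error.getDescription());
        }
        logger.debug("Token response successful");

        final OIDCTokens tokens = ((OIDCTokenResponse) response).getOIDCTokens();
        oidcCredentials.setAccessToken(tokens.getAccessToken());
        oidcCredentials.setRefreshToken(tokens.getRefreshToken());
        // An ID token is not guaranteed (e.g. on refresh); only overwrite when one was returned.
        if (tokens.getIDToken() != null) {
            oidcCredentials.setIdToken(tokens.getIDToken());
        }
    }

    /**
     * @return the client authentication used at the token endpoint, or null for a public client
     */
    public ClientAuthentication getClientAuthentication() {
        return this.clientAuthentication;
    }

    /**
     * Overrides the client authentication resolved by the constructor.
     *
     * @param clientAuthentication the authentication to use; null switches to public-client requests
     */
    public void setClientAuthentication(final ClientAuthentication clientAuthentication) {
        this.clientAuthentication = clientAuthentication;
    }
}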
