package org.cloudfoundry.identity.uaa.provider.oauth;

import com.fasterxml.jackson.core.type.TypeReference;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.commons.codec.binary.Base64;
import org.cloudfoundry.identity.uaa.authentication.manager.ExternalGroupAuthorizationEvent;
import org.cloudfoundry.identity.uaa.authentication.manager.ExternalLoginAuthenticationManager;
import org.cloudfoundry.identity.uaa.authentication.manager.InvitedUserAuthenticatedEvent;
import org.cloudfoundry.identity.uaa.oauth.CommonSignatureVerifier;
import org.cloudfoundry.identity.uaa.oauth.DisableIdTokenResponseTypeFilter;
import org.cloudfoundry.identity.uaa.oauth.token.CompositeAccessToken;
import org.cloudfoundry.identity.uaa.provider.AbstractXOAuthIdentityProviderDefinition;
import org.cloudfoundry.identity.uaa.provider.IdentityProvider;
import org.cloudfoundry.identity.uaa.provider.IdentityProviderProvisioning;
import org.cloudfoundry.identity.uaa.provider.RawXOAuthIdentityProviderDefinition;
import org.cloudfoundry.identity.uaa.provider.XOIDCIdentityProviderDefinition;
import org.cloudfoundry.identity.uaa.user.UaaUser;
import org.cloudfoundry.identity.uaa.user.UaaUserPrototype;
import org.cloudfoundry.identity.uaa.util.JsonUtils;
import org.cloudfoundry.identity.uaa.util.TokenValidation;
import org.cloudfoundry.identity.uaa.util.UaaHttpRequestUtils;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.springframework.core.ParameterizedTypeReference;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.StringUtils;
import org.springframework.web.client.HttpClientErrorException;
import org.springframework.web.client.HttpServerErrorException;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.context.request.RequestAttributes;
import org.springframework.web.context.request.RequestContextHolder;

/* loaded from: input_file:org/cloudfoundry/identity/uaa/provider/oauth/XOAuthAuthenticationManager.class */
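/**
 * Authenticates a user who arrives with an authorization code from an external
 * OAuth2 / OIDC identity provider.
 *
 * <p>Flow, as implemented below: the code is exchanged at the provider's token
 * endpoint (client credentials sent as HTTP Basic), the {@code id_token} from the
 * response is validated (signature, issuer, audience, expiry), and the validated
 * claims are mapped to a {@link UaaUser} whose authorities come from the
 * provider's {@code external_groups} attribute mapping.
 *
 * <p>NOTE(review): {@code setOrigin}/{@code getOrigin} live on the superclass and
 * are written per request from {@link #getUser}. If this manager is a shared
 * singleton (typical for a Spring bean), concurrent logins through different
 * providers could observe each other's origin in {@link #isAddNewShadowUser} —
 * confirm against the superclass before relying on per-request isolation.
 */
public class XOAuthAuthenticationManager extends ExternalLoginAuthenticationManager {

    /**
     * HTTP client for every provider that keeps TLS certificate validation on.
     * Exposed through {@link #getRestTemplate()} and never reconfigured by this class.
     */
    private RestTemplate restTemplate = new RestTemplate();

    /**
     * Separate, lazily created client whose request factory skips TLS validation.
     * It is used only for providers configured with {@code skipSslValidation},
     * so one permissive provider cannot switch certificate checking off for every
     * other provider that shares this manager (the previous implementation mutated
     * the shared {@link #restTemplate} in place, which is exactly that failure mode).
     */
    private RestTemplate trustingRestTemplate;

    private IdentityProviderProvisioning providerProvisioning;

    /**
     * @param identityProviderProvisioning lookup for provider definitions by origin and zone
     */
    public XOAuthAuthenticationManager(IdentityProviderProvisioning identityProviderProvisioning) {
        this.providerProvisioning = identityProviderProvisioning;
    }

    /**
     * Exchanges the authorization code carried by {@code authentication} for an
     * id token, validates it, and builds the corresponding (not yet persisted) user.
     *
     * @param authentication must be an {@link XOAuthCodeToken}
     * @return the user described by the token's claims, or {@code null} when the
     *         origin has no OAuth/OIDC provider or no id token could be obtained
     * @throws org.springframework.security.authentication.AuthenticationException
     *         (via {@code TokenValidation.throwIfInvalid}) when the id token fails validation
     */
    @Override
    protected UaaUser getUser(Authentication authentication) {
        XOAuthCodeToken codeToken = (XOAuthCodeToken) authentication;
        setOrigin(codeToken.getOrigin());

        IdentityProvider provider = this.providerProvisioning.retrieveByOrigin(getOrigin(), IdentityZoneHolder.get().getId());
        if (provider == null || !(provider.getConfig() instanceof AbstractXOAuthIdentityProviderDefinition)) {
            return null;
        }
        AbstractXOAuthIdentityProviderDefinition config = (AbstractXOAuthIdentityProviderDefinition) provider.getConfig();

        Map<String, Object> claims = getClaimsFromToken(codeToken, config);
        if (claims == null) {
            return null;
        }

        Map<String, Object> attributeMappings = config.getAttributeMappings();
        // The username claim is configurable per provider; fall back to the OIDC standard claim.
        String usernameClaim = (String) attributeMappings.get("user_name");
        String username = StringUtils.hasText(usernameClaim)
            ? (String) claims.get(usernameClaim)
            : (String) claims.get("preferred_username");

        String email = (String) claims.get("email");
        if (email == null) {
            email = generateEmailIfNull(username);
        }

        Date now = new Date();
        return new UaaUser(new UaaUserPrototype()
            .withEmail(email)
            .withGivenName((String) claims.get("given_name"))
            .withFamilyName((String) claims.get("family_name"))
            .withPhoneNumber((String) claims.get("phone_number"))
            .withModified(now)
            .withUsername(username)
            .withPassword("")
            .withAuthorities(extractXOAuthUserAuthorities(attributeMappings, claims))
            .withCreated(now)
            .withOrigin(getOrigin())
            .withExternalId(null)
            // The provider has authenticated this identity; there is no separate verification step here.
            .withVerified(true)
            .withZoneId(IdentityZoneHolder.get().getId())
            .withSalt(null)
            .withPasswordLastModified(null));
    }

    /**
     * Resolves group authorities from the token claims.
     *
     * <p>{@code attributeMappings["external_groups"]} names one claim (String) or
     * several claims (Collection) whose values hold group names; each such claim
     * value may be a comma-separated String or a Collection. Duplicates are dropped.
     *
     * @param attributeMappings the provider's attribute mappings
     * @param claims the validated id-token claims
     * @return one {@link XOAuthUserAuthority} per distinct group name (possibly empty)
     */
    private List<? extends GrantedAuthority> extractXOAuthUserAuthorities(Map<String, Object> attributeMappings, Map<String, Object> claims) {
        Object mapping = attributeMappings.get("external_groups");
        List<String> groupClaimNames = new ArrayList<>();
        if (mapping instanceof String) {
            groupClaimNames.add((String) mapping);
        } else if (mapping instanceof Collection) {
            for (Object claimName : (Collection<?>) mapping) {
                groupClaimNames.add((String) claimName);
            }
        }

        Set<String> groups = new HashSet<>();
        for (String claimName : groupClaimNames) {
            Object value = claims.get(claimName);
            if (value instanceof String) {
                // Note: entries are not trimmed, so "a, b" yields " b" — kept for compatibility.
                groups.addAll(Arrays.asList(((String) value).split(",")));
            } else if (value instanceof Collection) {
                for (Object group : (Collection<?>) value) {
                    groups.add((String) group);
                }
            }
        }

        List<XOAuthUserAuthority> authorities = new ArrayList<>(groups.size());
        for (String group : groups) {
            authorities.add(new XOAuthUserAuthority(group));
        }
        return authorities;
    }

    /**
     * Post-authentication hook: binds an accepted invitation to the authenticated
     * identity, syncs changed profile attributes, and publishes the group event.
     *
     * @param authentication the incoming authentication
     * @param userFromRequest the user built from the id token by {@link #getUser}
     * @param userFromDb the existing stored user for this identity
     * @return the stored user, re-read after any updates
     * @throws BadCredentialsException when an invitation is being accepted and the
     *         token's email does not match the invited user's email
     */
    @Override
    protected UaaUser userAuthenticated(Authentication authentication, UaaUser userFromRequest, UaaUser userFromDb) {
        boolean userModified = false;
        String email = userFromRequest.getEmail();

        if (isAcceptedInvitationAuthentication()) {
            String invitedUserId = (String) RequestContextHolder.currentRequestAttributes()
                .getAttribute("user_id", RequestAttributes.SCOPE_SESSION);
            UaaUser invitedUser = getUserDatabase().retrieveUserById(invitedUserId);
            // The identity asserted by the provider must be the one the invitation was sent to;
            // otherwise an attacker holding an invite link could bind it to their own account.
            // (A null email skips the check — getUser normally synthesises one, so this should be rare.)
            if (email != null && !email.equalsIgnoreCase(invitedUser.getEmail())) {
                throw new BadCredentialsException("OAuth User email mismatch. Authenticated email doesn't match invited email.");
            }
            publish(new InvitedUserAuthenticatedEvent(invitedUser));
            userFromDb = getUserDatabase().retrieveUserById(invitedUserId);
        }

        if (authentication.getPrincipal() != null && haveUserAttributesChanged(userFromDb, userFromRequest)) {
            userFromDb = userFromDb
                .modifyAttributes(email, userFromRequest.getGivenName(), userFromRequest.getFamilyName(), userFromRequest.getPhoneNumber())
                .modifyUsername(userFromRequest.getUsername());
            userModified = true;
        }

        publish(new ExternalGroupAuthorizationEvent(userFromDb, userModified, userFromRequest.getAuthorities(), true));
        return getUserDatabase().retrieveUserById(userFromDb.getId());
    }

    /**
     * Shadow users are created only when both the superclass allows it and the
     * current origin's provider is configured with {@code addShadowUserOnLogin}.
     * A missing provider is treated as "do not create" (fail closed).
     */
    @Override
    public boolean isAddNewShadowUser() {
        if (!super.isAddNewShadowUser()) {
            return false;
        }
        IdentityProvider provider = this.providerProvisioning.retrieveByOrigin(getOrigin(), IdentityZoneHolder.get().getId());
        return provider != null && provider.getConfig().isAddShadowUserOnLogin();
    }

    /**
     * @return {@code true} when the current session carries the
     *         {@code IS_INVITE_ACCEPTANCE} flag; {@code false} when the flag is absent
     *         or there is no request bound to this thread
     */
    protected boolean isAcceptedInvitationAuthentication() {
        try {
            RequestAttributes attributes = RequestContextHolder.currentRequestAttributes();
            if (attributes == null) {
                return false;
            }
            Boolean inviteAcceptance = (Boolean) attributes.getAttribute("IS_INVITE_ACCEPTANCE", RequestAttributes.SCOPE_SESSION);
            return inviteAcceptance != null && inviteAcceptance.booleanValue();
        } catch (IllegalStateException e) {
            // currentRequestAttributes() throws when no request is bound (e.g. non-web callers).
            this.logger.debug("Unable to retrieve request attributes during OAuth authentication.");
            return false;
        }
    }

    /**
     * @return the TLS-validating client used for providers that do not skip SSL validation
     */
    public RestTemplate getRestTemplate() {
        return this.restTemplate;
    }

    /**
     * Picks the HTTP client for a provider. Providers that skip SSL validation get a
     * dedicated client; customisations applied to {@link #getRestTemplate()} do not
     * carry over to it.
     */
    private RestTemplate restTemplateFor(AbstractXOAuthIdentityProviderDefinition config) {
        if (!config.isSkipSslValidation()) {
            return this.restTemplate;
        }
        synchronized (this) {
            if (this.trustingRestTemplate == null) {
                RestTemplate trusting = new RestTemplate();
                trusting.setRequestFactory(UaaHttpRequestUtils.getNoValidatingClientHttpRequestFactory());
                this.trustingRestTemplate = trusting;
            }
            return this.trustingRestTemplate;
        }
    }

    /**
     * @return {@code "token"} for plain OAuth providers, {@code "id_token"} for OIDC providers
     * @throws IllegalArgumentException for any other definition type
     */
    private String getResponseType(AbstractXOAuthIdentityProviderDefinition config) {
        if (config instanceof RawXOAuthIdentityProviderDefinition) {
            return "token";
        }
        if (config instanceof XOIDCIdentityProviderDefinition) {
            return DisableIdTokenResponseTypeFilter.ID_TOKEN;
        }
        throw new IllegalArgumentException("Unknown type for provider.");
    }

    /**
     * Obtains the id token for the code and validates it before returning its claims.
     *
     * <p>Checks applied: signature against the provider's configured key (or the key
     * fetched from {@code tokenKeyUrl} when none is configured), issuer (configured
     * issuer, else the token URL), audience ({@code relyingPartyId}) and expiry.
     *
     * @return the claims map, or {@code null} when no id token was obtained
     */
    private Map<String, Object> getClaimsFromToken(XOAuthCodeToken codeToken, AbstractXOAuthIdentityProviderDefinition config) {
        String idToken = getTokenFromCode(codeToken, config);
        if (idToken == null) {
            return null;
        }

        String tokenKey = config.getTokenKey();
        URL tokenKeyUrl = config.getTokenKeyUrl();
        if (!StringUtils.hasText(tokenKey) && tokenKeyUrl != null && StringUtils.hasText(tokenKeyUrl.toString())) {
            // The verification key is fetched over the same (possibly non-validating) client as
            // the token exchange, so with skipSslValidation the key itself is unauthenticated.
            tokenKey = getTokenKeyFromOAuth(config, tokenKeyUrl.toString());
        }
        // NOTE(review): if neither a key nor a key URL is configured, tokenKey is null here;
        // presumably CommonSignatureVerifier rejects a null key — confirm it fails closed.

        String expectedIssuer = StringUtils.isEmpty(config.getIssuer())
            ? config.getTokenUrl().toString()
            : config.getIssuer();

        String claimsJson = TokenValidation.validate(idToken)
            .checkSignature(new CommonSignatureVerifier(tokenKey))
            .checkIssuer(expectedIssuer)
            .checkAudience(config.getRelyingPartyId())
            .checkExpiry()
            .throwIfInvalid()
            .getJwt()
            .getClaims();
        return JsonUtils.readValue(claimsJson, new TypeReference<Map<String, Object>>() {
        });
    }

    /**
     * Fetches the token-signing key from the provider's token-key endpoint, reading
     * the {@code "value"} member of the JSON response.
     *
     * @param tokenKeyUrl the endpoint URL (passed as a URL template, as before)
     */
    private String getTokenKeyFromOAuth(AbstractXOAuthIdentityProviderDefinition config, String tokenKeyUrl) {
        HttpHeaders headers = new HttpHeaders();
        headers.add("Authorization", getClientAuthHeader(config));
        headers.add("Accept", "application/json");
        HttpEntity<Void> request = new HttpEntity<Void>(null, headers);

        Map<String, Object> body = restTemplateFor(config)
            .exchange(tokenKeyUrl, HttpMethod.GET, request, new ParameterizedTypeReference<Map<String, Object>>() {
            })
            .getBody();
        // An empty response body surfaces as an NPE here, which aborts authentication loudly.
        return (String) body.get("value");
    }

    /**
     * Exchanges the authorization code at the provider's token endpoint.
     *
     * @return the {@code id_token} member of the response, or {@code null} when the
     *         configured token URL is not a valid URI (logged at debug level)
     * @throws HttpClientErrorException / HttpServerErrorException on a 4xx / 5xx response
     */
    private String getTokenFromCode(XOAuthCodeToken codeToken, AbstractXOAuthIdentityProviderDefinition config) {
        LinkedMultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("grant_type", "authorization_code");
        // response_type is not a standard token-endpoint parameter; kept because existing providers may expect it.
        form.add("response_type", getResponseType(config));
        form.add("code", codeToken.getCode());
        form.add("redirect_uri", codeToken.getRedirectUrl());

        HttpHeaders headers = new HttpHeaders();
        headers.add("Authorization", getClientAuthHeader(config));
        headers.add("Accept", "application/json");
        HttpEntity<LinkedMultiValueMap<String, String>> request = new HttpEntity<>(form, headers);

        URI tokenUri;
        try {
            tokenUri = config.getTokenUrl().toURI();
        } catch (URISyntaxException e) {
            this.logger.debug("Token URL for origin " + getOrigin() + " is not a valid URI; cannot exchange the authorization code.", e);
            return null;
        }

        Map<String, String> body = restTemplateFor(config)
            .exchange(tokenUri, HttpMethod.POST, request, new ParameterizedTypeReference<Map<String, String>>() {
            })
            .getBody();
        return body.get(CompositeAccessToken.ID_TOKEN);
    }

    /**
     * Builds the HTTP Basic {@code Authorization} header from the relying party id and secret.
     * Bytes are taken as UTF-8 explicitly; the charset-less {@code getBytes()} uses the
     * JVM default, which would make a non-ASCII secret encode differently per host.
     */
    private String getClientAuthHeader(AbstractXOAuthIdentityProviderDefinition config) {
        String credentials = config.getRelyingPartyId() + ":" + config.getRelyingPartySecret();
        byte[] encoded = Base64.encodeBase64(credentials.getBytes(StandardCharsets.UTF_8));
        return "Basic " + new String(encoded, StandardCharsets.US_ASCII);
    }
}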
