package org.cloudfoundry.identity.uaa.authentication.manager;

import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Map;
import org.cloudfoundry.identity.uaa.authentication.ProviderConfigurationException;
import org.cloudfoundry.identity.uaa.authentication.UaaLoginHint;
import org.cloudfoundry.identity.uaa.impl.config.RestTemplateConfig;
import org.cloudfoundry.identity.uaa.oauth.DisableIdTokenResponseTypeFilter;
import org.cloudfoundry.identity.uaa.provider.IdentityProvider;
import org.cloudfoundry.identity.uaa.provider.IdentityProviderProvisioning;
import org.cloudfoundry.identity.uaa.provider.OIDCIdentityProviderDefinition;
import org.cloudfoundry.identity.uaa.provider.oauth.XOAuthAuthenticationManager;
import org.cloudfoundry.identity.uaa.provider.oauth.XOAuthCodeToken;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.springframework.core.ParameterizedTypeReference;
import org.springframework.dao.DataAccessException;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderNotFoundException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.util.Base64Utils;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.web.client.HttpClientErrorException;
import org.springframework.web.client.RestTemplate;

/* loaded from: input_file:org/cloudfoundry/identity/uaa/authentication/manager/PasswordGrantAuthenticationManager.class */
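/**
 * {@link AuthenticationManager} for the resource-owner password grant.
 *
 * <p>Requests whose login hint names no origin, or the {@code uaa} / {@code ldap} origins, are
 * delegated to the zone-aware manager. Any other origin is treated as an external OpenID Connect
 * provider: the user's credentials are forwarded to that provider's token endpoint and the returned
 * {@code id_token} is handed to the {@link XOAuthAuthenticationManager} to complete authentication.
 */
public class PasswordGrantAuthenticationManager implements AuthenticationManager {

    /** Origins that the zone-aware manager handles itself instead of an external OIDC provider. */
    private static final String UAA_ORIGIN = "uaa";
    private static final String LDAP_ORIGIN = "ldap";
    /** {@code IdentityProvider#getType()} value that marks an OpenID Connect provider. */
    private static final String OIDC_TYPE = "oidc1.0";

    private final DynamicZoneAwareAuthenticationManager zoneAwareAuthzAuthenticationManager;
    private final IdentityProviderProvisioning identityProviderProvisioning;
    private final RestTemplateConfig restTemplateConfig;
    private final XOAuthAuthenticationManager xoAuthAuthenticationManager;

    /**
     * @param dynamicZoneAwareAuthenticationManager handles login-hint extraction and the local
     *     (uaa/ldap) authentication path
     * @param identityProviderProvisioning looks up identity providers by origin and zone
     * @param restTemplateConfig supplies the HTTP client used to call the provider's token endpoint
     * @param xOAuthAuthenticationManager completes authentication from the obtained id_token
     */
    public PasswordGrantAuthenticationManager(DynamicZoneAwareAuthenticationManager dynamicZoneAwareAuthenticationManager, IdentityProviderProvisioning identityProviderProvisioning, RestTemplateConfig restTemplateConfig, XOAuthAuthenticationManager xOAuthAuthenticationManager) {
        this.zoneAwareAuthzAuthenticationManager = dynamicZoneAwareAuthenticationManager;
        this.identityProviderProvisioning = identityProviderProvisioning;
        this.restTemplateConfig = restTemplateConfig;
        this.xoAuthAuthenticationManager = xOAuthAuthenticationManager;
    }

    /**
     * Routes the request either to the zone-aware manager or to an external OIDC provider,
     * depending on the origin carried in the login hint.
     *
     * @throws AuthenticationException if either path rejects the request
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        UaaLoginHint loginHint = zoneAwareAuthzAuthenticationManager.extractLoginHint(authentication);
        if (isHandledLocally(loginHint)) {
            return zoneAwareAuthzAuthenticationManager.authenticate(authentication);
        }
        return oidcPasswordGrant(authentication, loginHint);
    }

    /** True when there is no usable origin in the hint, or the origin is {@code uaa} or {@code ldap}. */
    private static boolean isHandledLocally(UaaLoginHint loginHint) {
        if (loginHint == null || loginHint.getOrigin() == null) {
            return true;
        }
        String origin = loginHint.getOrigin();
        return UAA_ORIGIN.equals(origin) || LDAP_ORIGIN.equals(origin);
    }

    /**
     * Performs the password grant against the external OIDC provider named by {@code loginHint}.
     *
     * @throws ProviderNotFoundException if the origin cannot be loaded from the provisioning store
     * @throws ProviderConfigurationException if the provider is not an active, password-grant-enabled
     *     OIDC provider with a complete configuration
     * @throws BadCredentialsException if the request lacks a username/password, or the provider
     *     rejects them or returns no id_token
     */
    private Authentication oidcPasswordGrant(Authentication authentication, UaaLoginHint loginHint) {
        OIDCIdentityProviderDefinition config = resolveOidcProvider(loginHint.getOrigin());

        // Only String principal/credentials are accepted; anything else is treated as absent.
        String username = authentication.getPrincipal() instanceof String ? (String) authentication.getPrincipal() : null;
        String password = authentication.getCredentials() instanceof String ? (String) authentication.getCredentials() : null;
        if (username == null || password == null) {
            throw new BadCredentialsException("Request is missing username or password.");
        }

        String idToken = fetchIdToken(config, username, password);
        // Only the id_token is populated; the remaining XOAuthCodeToken fields are not used on this path.
        return xoAuthAuthenticationManager.authenticate(new XOAuthCodeToken(null, null, null, idToken, null, null));
    }

    /**
     * Loads the provider for {@code origin} in the current zone and verifies it is an active OIDC
     * provider that allows the password grant and carries relying-party credentials.
     */
    private OIDCIdentityProviderDefinition resolveOidcProvider(String origin) {
        IdentityProvider<?> idp;
        try {
            idp = identityProviderProvisioning.retrieveByOrigin(origin, IdentityZoneHolder.get().getId());
        } catch (DataAccessException e) {
            // Only the lookup is mapped to "invalid origin"; failures later in the flow keep their own type.
            ProviderNotFoundException notFound = new ProviderNotFoundException("The origin provided in the login hint is invalid.");
            notFound.initCause(e);
            throw notFound;
        }
        if (!idp.isActive() || !OIDC_TYPE.equals(idp.getType()) || !(idp.getConfig() instanceof OIDCIdentityProviderDefinition)) {
            throw new ProviderConfigurationException("The origin provided does not match an active OpenID Connect provider.");
        }
        OIDCIdentityProviderDefinition config = (OIDCIdentityProviderDefinition) idp.getConfig();
        if (!config.isPasswordGrantEnabled()) {
            throw new ProviderConfigurationException("External OpenID Connect provider is not configured for password grant.");
        }
        if (config.getRelyingPartyId() == null || config.getRelyingPartySecret() == null) {
            throw new ProviderConfigurationException("External OpenID Connect provider configuration is missing relyingPartyId or relyingPartySecret.");
        }
        return config;
    }

    /**
     * Posts a password grant to the provider's token endpoint and returns the {@code id_token}
     * from the JSON response.
     *
     * @throws ProviderConfigurationException if the provider has no token URL configured
     * @throws BadCredentialsException on a 4xx response, or when the response carries no id_token
     */
    private String fetchIdToken(OIDCIdentityProviderDefinition config, String username, String password) {
        URL tokenUrl = config.getTokenUrl();
        if (tokenUrl == null) {
            // Previously an NPE at request time; report it as a configuration problem instead.
            throw new ProviderConfigurationException("External OpenID Connect provider configuration is missing tokenUrl.");
        }

        // The config flag presumably selects a client that skips certificate validation for this provider.
        RestTemplate restTemplate = config.isSkipSslValidation()
                ? restTemplateConfig.trustingRestTemplate()
                : restTemplateConfig.nonTrustingRestTemplate();

        HttpHeaders headers = new HttpHeaders();
        headers.setAccept(Arrays.asList(MediaType.APPLICATION_JSON));
        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        headers.add(HttpHeaders.AUTHORIZATION, "Basic " + basicCredentials(config.getRelyingPartyId(), config.getRelyingPartySecret()));

        LinkedMultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("grant_type", "password");
        form.add("response_type", DisableIdTokenResponseTypeFilter.ID_TOKEN);
        form.add("username", username);
        form.add("password", password);

        try {
            ResponseEntity<Map<String, String>> response = restTemplate.exchange(
                    tokenUrl.toString(),
                    HttpMethod.POST,
                    new HttpEntity<>(form, headers),
                    new ParameterizedTypeReference<Map<String, String>>() {});
            String idToken = response.hasBody() ? response.getBody().get(DisableIdTokenResponseTypeFilter.ID_TOKEN) : null;
            if (idToken == null) {
                throw new BadCredentialsException("Could not obtain id_token from external OpenID Connect provider.");
            }
            return idToken;
        } catch (HttpClientErrorException e) {
            // NOTE(review): the provider's 4xx body becomes the exception message; callers that
            // surface messages to clients should decide whether that body is safe to echo.
            // 5xx and transport errors are not caught here and propagate as-is.
            throw new BadCredentialsException(e.getResponseBodyAsString(), e);
        }
    }

    /**
     * Encodes {@code id:secret} for an HTTP Basic {@code Authorization} header. UTF-8 is used
     * explicitly so the encoding does not depend on the JVM's platform charset.
     */
    private static String basicCredentials(String relyingPartyId, String relyingPartySecret) {
        byte[] raw = (relyingPartyId + ":" + relyingPartySecret).getBytes(StandardCharsets.UTF_8);
        return Base64Utils.encodeToString(raw);
    }
}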
