package org.pac4j.oidc.client;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.TokenErrorResponse;
import com.nimbusds.oauth2.sdk.TokenRequest;
import com.nimbusds.oauth2.sdk.TokenResponse;
import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.http.DefaultResourceRetriever;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.http.HTTPResponse;
import com.nimbusds.oauth2.sdk.http.ResourceRetriever;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.State;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.openid.connect.sdk.AuthenticationErrorResponse;
import com.nimbusds.openid.connect.sdk.AuthenticationRequest;
import com.nimbusds.openid.connect.sdk.AuthenticationResponse;
import com.nimbusds.openid.connect.sdk.AuthenticationResponseParser;
import com.nimbusds.openid.connect.sdk.AuthenticationSuccessResponse;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
import com.nimbusds.openid.connect.sdk.UserInfoRequest;
import com.nimbusds.openid.connect.sdk.UserInfoResponse;
import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import com.nimbusds.openid.connect.sdk.claims.UserInfo;
import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.commons.lang3.StringUtils;
import org.pac4j.core.client.ClientType;
import org.pac4j.core.client.IndirectClient;
import org.pac4j.core.client.RedirectAction;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.exception.RequiresHttpAction;
import org.pac4j.core.exception.TechnicalException;
import org.pac4j.core.util.CommonHelper;
import org.pac4j.oidc.credentials.OidcCredentials;
import org.pac4j.oidc.profile.OidcProfile;

/* loaded from: input_file:org/pac4j/oidc/client/OidcClient.class */
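/**
 * OpenID Connect client (authorization code flow).
 *
 * <p>On {@link #internalInit(WebContext)} the provider metadata is fetched from
 * {@code discoveryURI}, an {@link IDTokenValidator} is built from the advertised
 * ID token signing algorithms, and the token-endpoint client authentication is
 * chosen from the advertised methods. {@link #retrieveRedirectAction(WebContext)}
 * sends the browser to the authorization endpoint with a per-request
 * {@code state} (and optional {@code nonce}) stored in the session;
 * {@link #retrieveCredentials(WebContext)} checks the returned {@code state};
 * {@link #retrieveUserProfile(OidcCredentials, WebContext)} redeems the code,
 * validates the ID token and optionally enriches the profile from the user info
 * endpoint.
 *
 * <p>Note: this source was recovered by a decompiler. The bridge-method names
 * ({@code m0retrieveCredentials}, {@code m1newClient}) and the widened
 * {@code public} modifiers it introduced have been restored to the names and
 * {@code protected} visibility recorded in the decompiler's own notes.
 */
public class OidcClient extends IndirectClient<OidcCredentials, OidcProfile> {
    /** Session key under which the {@link State} of the last authentication request is kept. */
    private static final String STATE_ATTRIBUTE = "oidcStateAttribute";
    /** Session key under which the nonce value (a {@link String}) is kept when {@link #isUseNonce()}. */
    private static final String NONCE_ATTRIBUTE = "oidcNonceAttribute";
    /** Default clock skew tolerated by the ID token validator. */
    private static final int DEFAULT_MAX_CLOCK_SKEW = 30;
    /** Scope requested when none is configured. */
    private static final String DEFAULT_SCOPE = "openid profile email";

    private String clientId;
    private String secret;
    private URI redirectURI;
    private String discoveryURI;
    private IDTokenValidator idTokenValidator;
    private OIDCProviderMetadata oidcProvider;
    /** Parameters of the authorization request, computed once in {@link #internalInit(WebContext)}. */
    private Map<String, String> authParams;
    private String scope;
    /** Token-endpoint client authentication; {@code null} when the provider's method is unsupported. */
    private ClientAuthentication clientAuthentication;
    private ClientID _clientID;
    private Secret _secret;
    private boolean useNonce;
    private JWSAlgorithm preferredJwsAlgorithm;
    /** Extra parameters merged into the authorization request (may override the defaults). */
    private Map<String, String> customParams = new HashMap<>();
    private int maxClockSkew = DEFAULT_MAX_CLOCK_SKEW;
    /** HTTP timeouts (milliseconds) used for discovery, token and user info requests. */
    private int connectTimeout = 500;
    private int readTimeout = 5000;

    public OidcClient() {
    }

    /**
     * @param clientId     the OAuth 2.0 client identifier
     * @param secret       the client secret
     * @param discoveryURI URL of the provider's OpenID Connect discovery document
     */
    public OidcClient(final String clientId, final String secret, final String discoveryURI) {
        this.clientId = clientId;
        this.secret = secret;
        this.discoveryURI = discoveryURI;
    }

    public ClientType getClientType() {
        return ClientType.OPENID_CONNECT_PROTOCOL;
    }

    public void setDiscoveryURI(final String discoveryURI) {
        this.discoveryURI = discoveryURI;
    }

    public String getDiscoveryURI() {
        return this.discoveryURI;
    }

    public void setClientID(final String clientId) {
        this.clientId = clientId;
    }

    public String getClientID() {
        return this.clientId;
    }

    public void setSecret(final String secret) {
        this.secret = secret;
    }

    public String getSecret() {
        return this.secret;
    }

    public void setScope(final String scope) {
        this.scope = scope;
    }

    public String getScope() {
        return this.scope;
    }

    public IDTokenValidator getIdTokenValidator() {
        return this.idTokenValidator;
    }

    /** Adds one extra authorization request parameter; takes effect at the next initialisation. */
    public void addCustomParam(final String key, final String value) {
        this.customParams.put(key, value);
    }

    /**
     * @param customParams extra authorization request parameters (must not be {@code null})
     */
    public void setCustomParams(final Map<String, String> customParams) {
        CommonHelper.assertNotNull("customParams", customParams);
        this.customParams = customParams;
    }

    public Map<String, String> getCustomParams() {
        return this.customParams;
    }

    public int getConnectTimeout() {
        return this.connectTimeout;
    }

    public void setConnectTimeout(final int connectTimeout) {
        this.connectTimeout = connectTimeout;
    }

    public int getReadTimeout() {
        return this.readTimeout;
    }

    public void setReadTimeout(final int readTimeout) {
        this.readTimeout = readTimeout;
    }

    public Map<String, String> getAuthParams() {
        return this.authParams;
    }

    public OIDCProviderMetadata getProviderMetadata() {
        return this.oidcProvider;
    }

    public URI getRedirectURI() {
        return this.redirectURI;
    }

    public ClientAuthentication getClientAuthentication() {
        return this.clientAuthentication;
    }

    /**
     * Validates the configuration, builds the authorization request parameters,
     * fetches the provider metadata and prepares the ID token validator and the
     * token-endpoint client authentication.
     *
     * @param webContext the current web context (used to compute the callback URL)
     * @throws TechnicalException when the discovery document cannot be fetched or parsed,
     *                            or the callback URL is not a valid URI
     */
    protected void internalInit(final WebContext webContext) {
        CommonHelper.assertNotBlank(getClientID(), "clientID cannot be blank");
        CommonHelper.assertNotBlank(getSecret(), "secret cannot be blank");
        CommonHelper.assertNotBlank(getDiscoveryURI(), "discoveryURI cannot be blank");

        final String callbackUrl = computeFinalCallbackUrl(webContext);
        this.authParams = buildAuthParams(callbackUrl);
        this._clientID = new ClientID(getClientID());
        this._secret = new Secret(getSecret());
        try {
            // NOTE(review): the discovery document defines the issuer, JWKS URI and endpoints
            // trusted below; nothing here requires discoveryURI to use https — confirm deployments do.
            this.oidcProvider = OIDCProviderMetadata.parse(
                    createResourceRetriever().retrieveResource(new URL(getDiscoveryURI())).getContent());
            this.redirectURI = new URI(callbackUrl);

            final JWSAlgorithm jwsAlgorithm = selectJwsAlgorithm();
            this.idTokenValidator = createIdTokenValidator(jwsAlgorithm);
            this.idTokenValidator.setMaxClockSkew(getMaxClockSkew());

            this.clientAuthentication = selectClientAuthentication();
        } catch (IOException | ParseException | URISyntaxException e) {
            throw new TechnicalException(e);
        }
    }

    /**
     * Builds the fixed part of the authorization request.
     *
     * <p>The client secret is deliberately NOT added here: this map is copied verbatim
     * into the browser-facing authorization request by {@link #retrieveRedirectAction(WebContext)},
     * so anything in it ends up in the user agent, proxies and access logs. The secret is
     * only ever sent to the token endpoint through {@link #getClientAuthentication()}.
     */
    private Map<String, String> buildAuthParams(final String callbackUrl) {
        final Map<String, String> params = new HashMap<>();
        params.put("scope", StringUtils.isNotBlank(getScope()) ? getScope() : DEFAULT_SCOPE);
        params.put("response_type", "code");
        params.put("redirect_uri", callbackUrl);
        // custom parameters may intentionally override the defaults above, but not client_id
        params.putAll(getCustomParams());
        params.put("client_id", getClientID());
        return params;
    }

    /**
     * Picks the ID token signing algorithm: the preferred one when the provider supports it,
     * otherwise the first algorithm the provider advertises.
     *
     * @throws TechnicalException when the provider advertises no algorithm at all
     */
    private JWSAlgorithm selectJwsAlgorithm() {
        final List<JWSAlgorithm> supported = getProviderMetadata().getIDTokenJWSAlgs();
        CommonHelper.assertTrue(supported != null && !supported.isEmpty(),
                "There must at least one JWS algorithm supported on the OpenID Connect provider side");
        final JWSAlgorithm preferred = getPreferredJwsAlgorithm();
        if (preferred != null && supported.contains(preferred)) {
            return preferred;
        }
        // NOTE(review): the fallback trusts the order of the provider's advertised list;
        // confirm the validator rejects algorithms it cannot verify (e.g. an unkeyed one).
        final JWSAlgorithm fallback = supported.get(0);
        this.logger.warn("Preferred JWS algorithm: {} not available. Defaulting to: {}", preferred, fallback);
        return fallback;
    }

    /** HMAC algorithms are verified with the client secret, all others against the provider's JWK set. */
    private IDTokenValidator createIdTokenValidator(final JWSAlgorithm jwsAlgorithm) throws MalformedURLException {
        if (CommonHelper.isNotBlank(getSecret()) && isHmacAlgorithm(jwsAlgorithm)) {
            return createHMACTokenValidator(jwsAlgorithm, this._clientID, this._secret);
        }
        return createRSATokenValidator(jwsAlgorithm, this._clientID);
    }

    private static boolean isHmacAlgorithm(final JWSAlgorithm jwsAlgorithm) {
        // equals() rather than ==: the algorithms come from parsed metadata, not necessarily the constants
        return JWSAlgorithm.HS256.equals(jwsAlgorithm)
                || JWSAlgorithm.HS384.equals(jwsAlgorithm)
                || JWSAlgorithm.HS512.equals(jwsAlgorithm);
    }

    /**
     * Chooses the token-endpoint client authentication from the first method the provider
     * advertises (or the SDK default when it advertises none).
     *
     * @return the client authentication, or {@code null} when the method is neither
     *         {@code client_secret_post} nor {@code client_secret_basic}
     */
    private ClientAuthentication selectClientAuthentication() {
        final List<ClientAuthenticationMethod> methods = getProviderMetadata().getTokenEndpointAuthMethods();
        final ClientAuthenticationMethod method = (methods == null || methods.isEmpty())
                ? ClientAuthenticationMethod.getDefault()
                : methods.get(0);
        if (ClientAuthenticationMethod.CLIENT_SECRET_POST.equals(method)) {
            return new ClientSecretPost(this._clientID, this._secret);
        }
        if (ClientAuthenticationMethod.CLIENT_SECRET_BASIC.equals(method)) {
            return new ClientSecretBasic(this._clientID, this._secret);
        }
        // Previously this case was silent and the token request went out without any
        // client authentication; make the misconfiguration visible.
        this.logger.warn("Unsupported token endpoint authentication method: {}; "
                + "token requests will be sent without client authentication", method);
        return null;
    }

    /**
     * Creates a validator that checks ID token signatures against the provider's JWK set.
     *
     * @throws MalformedURLException when the advertised JWK set URI is not a valid URL
     */
    protected IDTokenValidator createRSATokenValidator(final JWSAlgorithm jwsAlgorithm, final ClientID clientID)
            throws MalformedURLException {
        return new IDTokenValidator(getProviderMetadata().getIssuer(), clientID, jwsAlgorithm,
                getProviderMetadata().getJWKSetURI().toURL());
    }

    /** Creates a validator that checks HMAC-signed ID tokens with the client secret. */
    protected IDTokenValidator createHMACTokenValidator(final JWSAlgorithm jwsAlgorithm, final ClientID clientID,
                                                        final Secret secret) {
        return new IDTokenValidator(getProviderMetadata().getIssuer(), clientID, jwsAlgorithm, secret);
    }

    /** Retriever used for the discovery document, bounded by the configured timeouts. */
    protected ResourceRetriever createResourceRetriever() {
        return new DefaultResourceRetriever(getConnectTimeout(), getReadTimeout());
    }

    /**
     * Copies the configuration (including the already computed authorization parameters)
     * into a fresh, uninitialised client.
     */
    @Override
    protected IndirectClient<OidcCredentials, OidcProfile> newClient() {
        final OidcClient copy = new OidcClient();
        copy.setClientID(getClientID());
        copy.setSecret(getSecret());
        copy.setDiscoveryURI(getDiscoveryURI());
        copy.setAuthParams(getAuthParams());
        copy.setUseNonce(isUseNonce());
        copy.setPreferredJwsAlgorithm(getPreferredJwsAlgorithm());
        copy.setMaxClockSkew(getMaxClockSkew());
        copy.setConnectTimeout(getConnectTimeout());
        copy.setReadTimeout(getReadTimeout());
        return copy;
    }

    protected boolean isDirectRedirection() {
        return false;
    }

    /**
     * Builds the redirection to the authorization endpoint. A fresh {@code state} (and, when
     * enabled, a fresh {@code nonce}) is generated per request and stored in the session so
     * the response can be tied back to it.
     *
     * @throws TechnicalException when the request cannot be assembled
     */
    protected RedirectAction retrieveRedirectAction(final WebContext webContext) {
        final Map<String, String> params = new HashMap<>(getAuthParams());
        final State state = new State();
        params.put("state", state.getValue());
        webContext.setSessionAttribute(STATE_ATTRIBUTE, state);
        if (isUseNonce()) {
            final Nonce nonce = new Nonce();
            params.put("nonce", nonce.getValue());
            // stored as a String; retrieveUserProfile rebuilds the Nonce from it
            webContext.setSessionAttribute(NONCE_ATTRIBUTE, nonce.getValue());
        }
        try {
            final String url = getProviderMetadata().getAuthorizationEndpointURI().toString()
                    + "?" + AuthenticationRequest.parse(params).toQueryString();
            this.logger.debug("Authentication request url : {}", url);
            return RedirectAction.redirect(url);
        } catch (Exception e) {
            throw new TechnicalException(e);
        }
    }

    /**
     * Parses the authorization response and extracts the authorization code after checking
     * that the returned {@code state} matches the one stored in the session.
     *
     * @return the credentials, or {@code null} when the provider returned an error response
     * @throws TechnicalException when the response cannot be parsed, carries no {@code state},
     *                            or its {@code state} does not match the session
     */
    @Override
    protected OidcCredentials retrieveCredentials(final WebContext webContext) throws RequiresHttpAction {
        try {
            final AuthenticationResponse response = AuthenticationResponseParser.parse(
                    getRedirectURI(), toSingleParameter(webContext.getRequestParameters()));
            if (response instanceof AuthenticationErrorResponse) {
                this.logger.error("Bad authentication response, error={}",
                        ((AuthenticationErrorResponse) response).getErrorObject());
                return null;
            }
            this.logger.debug("Authentication response successful, get authorization code");
            final AuthenticationSuccessResponse success = (AuthenticationSuccessResponse) response;
            final State receivedState = success.getState();
            final Object expectedState = webContext.getSessionAttribute(STATE_ATTRIBUTE);
            // A missing state used to NPE here; treat it like a mismatch. A null session value
            // never matches either, so a response can't be accepted without a prior request.
            // NOTE(review): the state is not cleared after use — confirm whether one-time use is wanted.
            if (receivedState == null || !receivedState.equals(expectedState)) {
                throw new TechnicalException("State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery");
            }
            return new OidcCredentials(success.getAuthorizationCode(), getName());
        } catch (ParseException e) {
            throw new TechnicalException(e);
        }
    }

    /**
     * Redeems the authorization code, validates the ID token (signature, issuer, audience,
     * times and — when enabled — nonce) and builds the profile, enriched from the user info
     * endpoint when the provider advertises one.
     *
     * <p>The ID token is validated before the user info endpoint is called, so an
     * unverifiable token never triggers a further request.
     *
     * @return the profile, or {@code null} when the token endpoint returned an error response
     * @throws TechnicalException on any transport, parsing or validation failure
     */
    protected OidcProfile retrieveUserProfile(final OidcCredentials credentials, final WebContext webContext) {
        try {
            final HTTPResponse tokenHttpResponse = send(buildTokenRequest(credentials).toHTTPRequest());
            // status only: the body carries the access and ID tokens and must not reach the logs
            this.logger.debug("Token response: status={}", Integer.valueOf(tokenHttpResponse.getStatusCode()));
            final TokenResponse tokenResponse = OIDCTokenResponseParser.parse(tokenHttpResponse);
            if (tokenResponse instanceof TokenErrorResponse) {
                this.logger.error("Bad token response, error={}",
                        ((TokenErrorResponse) tokenResponse).getErrorObject());
                return null;
            }
            this.logger.debug("Token response successful");
            final OIDCTokens tokens = ((OIDCTokenResponse) tokenResponse).getOIDCTokens();

            final Nonce expectedNonce = isUseNonce()
                    ? new Nonce((String) webContext.getSessionAttribute(NONCE_ATTRIBUTE))
                    : null;
            final IDTokenClaimsSet claims = getIdTokenValidator().validate(tokens.getIDToken(), expectedNonce);
            CommonHelper.assertNotNull("claimsSet", claims);

            final BearerAccessToken accessToken = (BearerAccessToken) tokens.getAccessToken();
            final OidcProfile profile = new OidcProfile(accessToken);
            profile.setIdTokenString(tokens.getIDTokenString());
            if (getProviderMetadata().getUserInfoEndpointURI() != null) {
                addUserInfo(accessToken, profile);
            }
            // set last so the validated subject is not overwritten by user info attributes
            profile.setId(claims.getSubject());
            return profile;
        } catch (Exception e) {
            throw new TechnicalException(e);
        }
    }

    /** Sends a request with the configured timeouts applied. */
    private HTTPResponse send(final HTTPRequest request) throws IOException {
        request.setConnectTimeout(getConnectTimeout());
        request.setReadTimeout(getReadTimeout());
        return request.send();
    }

    /** Calls the user info endpoint and copies its claims into the profile; errors are logged, not fatal. */
    private void addUserInfo(final BearerAccessToken accessToken, final OidcProfile profile)
            throws IOException, ParseException {
        final HTTPResponse response = send(buildUserInfoRequest(accessToken).toHTTPRequest());
        this.logger.debug("User info response: status={}", Integer.valueOf(response.getStatusCode()));
        final UserInfoResponse userInfoResponse = UserInfoResponse.parse(response);
        if (userInfoResponse instanceof UserInfoErrorResponse) {
            this.logger.error("Bad User Info response, error={}",
                    ((UserInfoErrorResponse) userInfoResponse).getErrorObject());
            return;
        }
        final UserInfo userInfo = ((UserInfoSuccessResponse) userInfoResponse).getUserInfo();
        if (userInfo != null) {
            profile.addAttributes(userInfo.toJWTClaimsSet().getClaims());
        }
    }

    /** Token request for the authorization code grant, authenticated per the provider's method. */
    protected TokenRequest buildTokenRequest(final OidcCredentials credentials) {
        return new TokenRequest(getProviderMetadata().getTokenEndpointURI(), getClientAuthentication(),
                new AuthorizationCodeGrant(credentials.getCode(), getRedirectURI()));
    }

    protected UserInfoRequest buildUserInfoRequest(final BearerAccessToken accessToken) {
        return new UserInfoRequest(getProviderMetadata().getUserInfoEndpointURI(), accessToken);
    }

    /**
     * Keeps the first value of each request parameter. Parameters with no value are skipped
     * (they used to throw an {@link ArrayIndexOutOfBoundsException}).
     */
    private Map<String, String> toSingleParameter(final Map<String, String[]> parameters) {
        final Map<String, String> single = new HashMap<>();
        for (final Map.Entry<String, String[]> entry : parameters.entrySet()) {
            final String[] values = entry.getValue();
            if (values != null && values.length > 0) {
                single.put(entry.getKey(), values[0]);
            }
        }
        return single;
    }

    private void setAuthParams(final Map<String, String> authParams) {
        this.authParams = authParams;
    }

    public JWSAlgorithm getPreferredJwsAlgorithm() {
        return this.preferredJwsAlgorithm;
    }

    public void setPreferredJwsAlgorithm(final JWSAlgorithm preferredJwsAlgorithm) {
        this.preferredJwsAlgorithm = preferredJwsAlgorithm;
    }

    public boolean isUseNonce() {
        return this.useNonce;
    }

    public void setUseNonce(final boolean useNonce) {
        this.useNonce = useNonce;
    }

    public int getMaxClockSkew() {
        return this.maxClockSkew;
    }

    public void setMaxClockSkew(final int maxClockSkew) {
        this.maxClockSkew = maxClockSkew;
    }
}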
