package io.quarkus.oidc.runtime;

import io.netty.handler.codec.http.HttpResponseStatus;
import io.quarkus.logging.Log;
import io.quarkus.oidc.AuthorizationCodeTokens;
import io.quarkus.oidc.IdTokenCredential;
import io.quarkus.oidc.OidcTenantConfig;
import io.quarkus.oidc.SecurityEvent;
import io.quarkus.oidc.UserInfo;
import io.quarkus.oidc.common.runtime.OidcCommonUtils;
import io.quarkus.security.AuthenticationCompletionException;
import io.quarkus.security.AuthenticationFailedException;
import io.quarkus.security.AuthenticationRedirectException;
import io.quarkus.security.identity.IdentityProviderManager;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.vertx.http.runtime.security.ChallengeData;
import io.smallrye.jwt.algorithm.KeyEncryptionAlgorithm;
import io.smallrye.jwt.build.Jwt;
import io.smallrye.jwt.build.JwtClaimsBuilder;
import io.smallrye.jwt.util.KeyUtils;
import io.smallrye.mutiny.Uni;
import io.vertx.core.MultiMap;
import io.vertx.core.http.Cookie;
import io.vertx.core.http.HttpHeaders;
import io.vertx.core.http.impl.CookieImpl;
import io.vertx.core.http.impl.ServerCookie;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.web.RoutingContext;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.UUID;
import java.util.function.BiFunction;
import java.util.function.Function;
import java.util.regex.Pattern;
import org.eclipse.microprofile.jwt.Claims;
import org.jboss.logging.Logger;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.lang.JoseException;

/* loaded from: input_file:io/quarkus/oidc/runtime/CodeAuthenticationMechanism.class */
public class CodeAuthenticationMechanism extends AbstractOidcAuthenticationMechanism {
    static final String AMP = "&";
    static final String EQ = "=";
    static final String UNDERSCORE = "_";
    static final String COOKIE_DELIM = "|";
    static final String SESSION_MAX_AGE_PARAM = "session-max-age";
    static final String STATE_COOKIE_RESTORE_PATH = "restore-path";
    static final String NO_OIDC_COOKIES_AVAILABLE = "no_oidc_cookies";
    private static final String INTERNAL_IDTOKEN_HEADER = "internal";
    private final BlockingTaskRunner<String> createTokenStateRequestContext = new BlockingTaskRunner<>();
    private final BlockingTaskRunner<AuthorizationCodeTokens> getTokenStateRequestContext = new BlockingTaskRunner<>();
    private final SecureRandom secureRandom = new SecureRandom();
    static final Pattern COOKIE_PATTERN = Pattern.compile("\\|");
    static final Uni<Void> VOID_UNI = Uni.createFrom().voidItem();
    static final Integer MAX_COOKIE_VALUE_LENGTH = 4096;
    private static final Logger LOG = Logger.getLogger(CodeAuthenticationMechanism.class);

    public Uni<SecurityIdentity> authenticate(final RoutingContext routingContext, final IdentityProviderManager identityProviderManager, final OidcTenantConfig oidcTenantConfig) {
        final Cookie cookie = routingContext.request().getCookie(getSessionCookieName(oidcTenantConfig));
        if (cookie != null) {
            LOG.debug("Session cookie is present, starting the reauthentication");
            routingContext.put(OidcUtils.SESSION_COOKIE_NAME, cookie.getName());
            return this.resolver.resolveContext(routingContext).onItem().transformToUni(new Function<TenantConfigContext, Uni<? extends SecurityIdentity>>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.1
                @Override // java.util.function.Function
                public Uni<SecurityIdentity> apply(TenantConfigContext tenantConfigContext) {
                    return CodeAuthenticationMechanism.this.reAuthenticate(cookie, routingContext, identityProviderManager, tenantConfigContext);
                }
            });
        }
        final Cookie cookie2 = routingContext.request().getCookie(getStateCookieName(oidcTenantConfig));
        if (cookie2 == null) {
            routingContext.put(NO_OIDC_COOKIES_AVAILABLE, Boolean.TRUE);
            return Uni.createFrom().optional(Optional.empty());
        }
        LOG.debug("State cookie is present, processing an expected redirect from the OIDC provider");
        if (OidcTenantConfig.Authentication.ResponseMode.FORM_POST != oidcTenantConfig.authentication.responseMode.orElse(OidcTenantConfig.Authentication.ResponseMode.QUERY)) {
            return processRedirectFromOidc(routingContext, oidcTenantConfig, identityProviderManager, cookie2, routingContext.queryParams());
        }
        if (OidcUtils.isFormUrlEncodedRequest(routingContext)) {
            return OidcUtils.getFormUrlEncodedData(routingContext).onItem().transformToUni(new Function<MultiMap, Uni<? extends SecurityIdentity>>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.2
                @Override // java.util.function.Function
                public Uni<? extends SecurityIdentity> apply(MultiMap multiMap) {
                    return CodeAuthenticationMechanism.this.processRedirectFromOidc(routingContext, oidcTenantConfig, identityProviderManager, cookie2, multiMap);
                }
            });
        }
        LOG.debug("HTTP POST and " + HttpHeaders.APPLICATION_X_WWW_FORM_URLENCODED.toString() + " content type must be used with the form_post response mode");
        return Uni.createFrom().failure(new AuthenticationFailedException());
    }

    private Uni<SecurityIdentity> processRedirectFromOidc(final RoutingContext routingContext, OidcTenantConfig oidcTenantConfig, final IdentityProviderManager identityProviderManager, Cookie cookie, final MultiMap multiMap) {
        final String[] split = COOKIE_PATTERN.split(cookie.getValue());
        OidcUtils.removeCookie(routingContext, oidcTenantConfig, cookie.getName());
        if (!isStateValid(multiMap, split[0])) {
            return Uni.createFrom().failure(new AuthenticationCompletionException());
        }
        if (multiMap.contains("code")) {
            LOG.debug("Authorization code is present, completing the code flow");
            return this.resolver.resolveContext(routingContext).onItem().transformToUni(new Function<TenantConfigContext, Uni<? extends SecurityIdentity>>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.3
                @Override // java.util.function.Function
                public Uni<SecurityIdentity> apply(TenantConfigContext tenantConfigContext) {
                    return CodeAuthenticationMechanism.this.performCodeFlow(identityProviderManager, routingContext, tenantConfigContext, multiMap, split);
                }
            });
        }
        if (!multiMap.contains("error")) {
            LOG.debug("State cookie is present but neither 'code' nor 'error' query parameter is returned");
            return Uni.createFrom().failure(new AuthenticationCompletionException());
        }
        OidcUtils.removeCookie(routingContext, oidcTenantConfig, cookie.getName());
        LOG.debugf("Authentication has failed, error: %s, description: %s", multiMap.get("error"), multiMap.get("error_description"));
        if (!oidcTenantConfig.authentication.errorPath.isPresent()) {
            return Uni.createFrom().failure(new AuthenticationCompletionException());
        }
        URI create = URI.create(routingContext.request().absoluteURI());
        StringBuilder sb = new StringBuilder(buildUri(routingContext, isForceHttps(oidcTenantConfig), create.getAuthority(), oidcTenantConfig.authentication.errorPath.get()));
        sb.append('?').append(getRequestParametersAsQuery(create, multiMap, oidcTenantConfig));
        String sb2 = sb.toString();
        LOG.debugf("Error URI: %s", sb2);
        return Uni.createFrom().failure(new AuthenticationRedirectException(sb2));
    }

    private String getRequestParametersAsQuery(URI uri, MultiMap multiMap, OidcTenantConfig oidcTenantConfig) {
        return OidcTenantConfig.Authentication.ResponseMode.FORM_POST == oidcTenantConfig.authentication.responseMode.orElse(OidcTenantConfig.Authentication.ResponseMode.QUERY) ? OidcCommonUtils.encodeForm(new io.vertx.mutiny.core.MultiMap(multiMap)).toString() : uri.getRawQuery();
    }

    private boolean isStateValid(MultiMap multiMap, String str) {
        List all = multiMap.getAll("state");
        if (all.size() != 1) {
            LOG.debug("State parameter can not be empty or multi-valued");
            return false;
        }
        if (str.equals(all.get(0))) {
            return true;
        }
        LOG.debug("State cookie value does not match the state query parameter value");
        return false;
    }

    private Uni<SecurityIdentity> reAuthenticate(final Cookie cookie, final RoutingContext routingContext, final IdentityProviderManager identityProviderManager, final TenantConfigContext tenantConfigContext) {
        routingContext.put(TenantConfigContext.class.getName(), tenantConfigContext);
        return this.resolver.getTokenStateManager().getTokens(routingContext, tenantConfigContext.oidcConfig, cookie.getValue(), this.getTokenStateRequestContext).chain(new Function<AuthorizationCodeTokens, Uni<? extends SecurityIdentity>>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.4
            @Override // java.util.function.Function
            public Uni<? extends SecurityIdentity> apply(final AuthorizationCodeTokens authorizationCodeTokens) {
                if (CodeAuthenticationMechanism.this.isBackChannelLogoutPendingAndValid(tenantConfigContext, authorizationCodeTokens.getIdToken())) {
                    CodeAuthenticationMechanism.LOG.debug("Performing a requested back-channel logout");
                    return OidcUtils.removeSessionCookie(routingContext, tenantConfigContext.oidcConfig, cookie.getName(), CodeAuthenticationMechanism.this.resolver.getTokenStateManager()).chain(new Function<Void, Uni<? extends SecurityIdentity>>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.4.1
                        @Override // java.util.function.Function
                        public Uni<SecurityIdentity> apply(Void r3) {
                            return Uni.createFrom().nullItem();
                        }
                    });
                }
                routingContext.put("access_token", authorizationCodeTokens.getAccessToken());
                routingContext.put(AuthorizationCodeTokens.class.getName(), authorizationCodeTokens);
                return CodeAuthenticationMechanism.this.authenticate(identityProviderManager, routingContext, new IdTokenCredential(CodeAuthenticationMechanism.decryptIdTokenIfEncryptedByProvider(tenantConfigContext, authorizationCodeTokens.getIdToken()), CodeAuthenticationMechanism.this.isInternalIdToken(authorizationCodeTokens.getIdToken(), tenantConfigContext))).call(new Function<SecurityIdentity, Uni<?>>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.4.3
                    @Override // java.util.function.Function
                    public Uni<Void> apply(SecurityIdentity securityIdentity) {
                        if (!CodeAuthenticationMechanism.this.isLogout(routingContext, tenantConfigContext)) {
                            return CodeAuthenticationMechanism.VOID_UNI;
                        }
                        CodeAuthenticationMechanism.LOG.debug("Performing an RP initiated logout");
                        CodeAuthenticationMechanism.this.fireEvent(SecurityEvent.Type.OIDC_LOGOUT_RP_INITIATED, securityIdentity);
                        return CodeAuthenticationMechanism.this.buildLogoutRedirectUriUni(routingContext, tenantConfigContext, authorizationCodeTokens.getIdToken());
                    }
                }).onFailure().recoverWithUni(new Function<Throwable, Uni<? extends SecurityIdentity>>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.4.2
                    @Override // java.util.function.Function
                    public Uni<? extends SecurityIdentity> apply(Throwable th) {
                        if (th instanceof AuthenticationRedirectException) {
                            CodeAuthenticationMechanism.LOG.debug("Redirecting after the reauthentication");
                            throw ((AuthenticationRedirectException) th);
                        }
                        if (th instanceof TokenAutoRefreshException) {
                            if (authorizationCodeTokens.getRefreshToken() != null) {
                                CodeAuthenticationMechanism.LOG.debug("Token auto-refresh is starting");
                                return CodeAuthenticationMechanism.this.refreshSecurityIdentity(tenantConfigContext, authorizationCodeTokens.getRefreshToken(), routingContext, identityProviderManager, true, ((TokenAutoRefreshException) th).getSecurityIdentity());
                            }
                            CodeAuthenticationMechanism.LOG.debug("Token auto-refresh is required it is not possible because the refresh token is null");
                            return Uni.createFrom().item(((TokenAutoRefreshException) th).getSecurityIdentity());
                        }
                        if (!((th.getCause() instanceof InvalidJwtException) && th.getCause().hasErrorCode(1))) {
                            CodeAuthenticationMechanism.LOG.debugf("Authentication failure: %s", th.getCause());
                            throw new AuthenticationCompletionException(th.getCause());
                        }
                        if (authorizationCodeTokens.getRefreshToken() == null) {
                            CodeAuthenticationMechanism.LOG.debug("Token has expired, token refresh is not possible because the refresh token is null");
                            throw new AuthenticationFailedException(th.getCause());
                        }
                        if (tenantConfigContext.oidcConfig.token.refreshExpired) {
                            CodeAuthenticationMechanism.LOG.debug("Token has expired, trying to refresh it");
                            return CodeAuthenticationMechanism.this.refreshSecurityIdentity(tenantConfigContext, authorizationCodeTokens.getRefreshToken(), routingContext, identityProviderManager, false, null);
                        }
                        CodeAuthenticationMechanism.LOG.debug("Token has expired, token refresh is not allowed");
                        throw new AuthenticationFailedException(th.getCause());
                    }
                });
            }
        });
    }

    private static String decryptIdTokenIfEncryptedByProvider(TenantConfigContext tenantConfigContext, String str) {
        if ((tenantConfigContext.provider.tokenDecryptionKey != null || tenantConfigContext.provider.client.getClientJwtKey() != null) && OidcUtils.isEncryptedToken(str)) {
            try {
                return OidcUtils.decryptString(str, tenantConfigContext.provider.tokenDecryptionKey != null ? tenantConfigContext.provider.tokenDecryptionKey : tenantConfigContext.provider.client.getClientJwtKey(), KeyEncryptionAlgorithm.RSA_OAEP);
            } catch (JoseException e) {
                Log.debugf("Failed to decrypt a token: %s, a token introspection will be attempted instead", e.getMessage());
            }
        }
        return str;
    }

    private boolean isBackChannelLogoutPendingAndValid(TenantConfigContext tenantConfigContext, String str) {
        TokenVerificationResult remove = this.resolver.getBackChannelLogoutTokens().remove(tenantConfigContext.oidcConfig.getTenantId().get());
        if (remove == null) {
            return false;
        }
        try {
            TokenVerificationResult verifyJwtToken = tenantConfigContext.provider.verifyJwtToken(str);
            String string = verifyJwtToken.localVerificationResult.getString(Claims.iss.name());
            String string2 = remove.localVerificationResult.getString(Claims.iss.name());
            if (string2 != null && !string2.equals(string)) {
                LOG.debugf("Logout token issuer does not match the ID token issuer", new Object[0]);
                return false;
            }
            String string3 = verifyJwtToken.localVerificationResult.getString(Claims.sub.name());
            String string4 = remove.localVerificationResult.getString(Claims.sub.name());
            if (string4 != null && string3 != null && !string4.equals(string3)) {
                LOG.debugf("Logout token subject does not match the ID token subject", new Object[0]);
                return false;
            }
            String string5 = verifyJwtToken.localVerificationResult.getString("sid");
            String string6 = remove.localVerificationResult.getString("sid");
            if (string6 == null || string5 == null || string6.equals(string5)) {
                return true;
            }
            LOG.debugf("Logout token session id does not match the ID token session id", new Object[0]);
            return false;
        } catch (InvalidJwtException e) {
            LOG.debugf("Unable to complete the back channel logout request for the tenant %s", tenantConfigContext.oidcConfig.tenantId.get());
            return false;
        }
    }

    private boolean isInternalIdToken(String str, TenantConfigContext tenantConfigContext) {
        JsonObject decodeJwtHeaders;
        if (tenantConfigContext.oidcConfig.authentication.idTokenRequired.orElse(true).booleanValue() || (decodeJwtHeaders = OidcUtils.decodeJwtHeaders(str)) == null) {
            return false;
        }
        return decodeJwtHeaders.getBoolean(INTERNAL_IDTOKEN_HEADER, false).booleanValue();
    }

    private boolean isJavaScript(RoutingContext routingContext) {
        String header = routingContext.request().getHeader("X-Requested-With");
        return "JavaScript".equals(header) || "XMLHttpRequest".equals(header);
    }

    private boolean shouldAutoRedirect(TenantConfigContext tenantConfigContext, RoutingContext routingContext) {
        if (isJavaScript(routingContext)) {
            return tenantConfigContext.oidcConfig.authentication.javaScriptAutoRedirect;
        }
        return true;
    }

    public Uni<ChallengeData> getChallenge(final RoutingContext routingContext) {
        return this.resolver.resolveContext(routingContext).onItem().transformToUni(new Function<TenantConfigContext, Uni<? extends ChallengeData>>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.5
            @Override // java.util.function.Function
            public Uni<ChallengeData> apply(TenantConfigContext tenantConfigContext) {
                return CodeAuthenticationMechanism.this.getChallengeInternal(routingContext, tenantConfigContext);
            }
        });
    }

    public Uni<ChallengeData> getChallengeInternal(final RoutingContext routingContext, final TenantConfigContext tenantConfigContext) {
        LOG.debug("Starting an authentication challenge");
        return removeSessionCookie(routingContext, tenantConfigContext.oidcConfig).chain(new Function<Void, Uni<? extends ChallengeData>>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.6
            @Override // java.util.function.Function
            public Uni<ChallengeData> apply(Void r8) {
                if (routingContext.get(CodeAuthenticationMechanism.NO_OIDC_COOKIES_AVAILABLE) != null && CodeAuthenticationMechanism.this.isRedirectFromProvider(routingContext, tenantConfigContext)) {
                    CodeAuthenticationMechanism.LOG.debug("The state cookie is missing after the redirect from OpenId Connect Provider, authentication has failed");
                    return Uni.createFrom().item(new ChallengeData(401, "WWW-Authenticate", "OIDC"));
                }
                if (!CodeAuthenticationMechanism.this.shouldAutoRedirect(tenantConfigContext, routingContext)) {
                    return Uni.createFrom().item(new ChallengeData(499, "WWW-Authenticate", "OIDC"));
                }
                StringBuilder sb = new StringBuilder(168);
                sb.append("response_type").append(CodeAuthenticationMechanism.EQ).append("code");
                if (OidcTenantConfig.Authentication.ResponseMode.FORM_POST == tenantConfigContext.oidcConfig.authentication.responseMode.orElse(OidcTenantConfig.Authentication.ResponseMode.QUERY)) {
                    sb.append(CodeAuthenticationMechanism.AMP).append("response_mode").append(CodeAuthenticationMechanism.EQ).append(tenantConfigContext.oidcConfig.authentication.responseMode.get().toString().toLowerCase());
                }
                sb.append(CodeAuthenticationMechanism.AMP).append("client_id").append(CodeAuthenticationMechanism.EQ).append(OidcCommonUtils.urlEncode((String) tenantConfigContext.oidcConfig.clientId.get()));
                List<String> emptyList = tenantConfigContext.oidcConfig.getAuthentication().scopes.isPresent() ? tenantConfigContext.oidcConfig.getAuthentication().scopes.get() : Collections.emptyList();
                ArrayList arrayList = new ArrayList(emptyList.size() + 1);
                if (tenantConfigContext.oidcConfig.getAuthentication().addOpenidScope.orElse(true).booleanValue()) {
                    arrayList.add("openid");
                }
                arrayList.addAll(emptyList);
                sb.append(CodeAuthenticationMechanism.AMP).append("scope").append(CodeAuthenticationMechanism.EQ).append(OidcCommonUtils.urlEncode(String.join(" ", arrayList)));
                String redirectPath = CodeAuthenticationMechanism.this.getRedirectPath(tenantConfigContext, routingContext);
                String buildUri = CodeAuthenticationMechanism.this.buildUri(routingContext, CodeAuthenticationMechanism.this.isForceHttps(tenantConfigContext.oidcConfig), redirectPath);
                CodeAuthenticationMechanism.LOG.debugf("Authentication request redirect_uri parameter: %s", buildUri);
                sb.append(CodeAuthenticationMechanism.AMP).append("redirect_uri").append(CodeAuthenticationMechanism.EQ).append(OidcCommonUtils.urlEncode(buildUri));
                PkceStateBean createPkceStateBean = CodeAuthenticationMechanism.this.createPkceStateBean(tenantConfigContext);
                sb.append(CodeAuthenticationMechanism.AMP).append("state").append(CodeAuthenticationMechanism.EQ).append(CodeAuthenticationMechanism.this.generateCodeFlowState(routingContext, tenantConfigContext, redirectPath, createPkceStateBean != null ? createPkceStateBean.getCodeVerifier() : null));
                if (createPkceStateBean != null) {
                    sb.append(CodeAuthenticationMechanism.AMP).append("code_challenge").append(CodeAuthenticationMechanism.EQ).append(createPkceStateBean.getCodeChallenge());
                    sb.append(CodeAuthenticationMechanism.AMP).append("code_challenge_method").append(CodeAuthenticationMechanism.EQ).append("S256");
                }
                CodeAuthenticationMechanism.addExtraParamsToUri(sb, tenantConfigContext.oidcConfig.authentication.getExtraParams());
                String str = tenantConfigContext.provider.getMetadata().getAuthorizationUri() + "?" + sb.toString();
                CodeAuthenticationMechanism.LOG.debugf("Code flow redirect to: %s", str);
                return Uni.createFrom().item(new ChallengeData(HttpResponseStatus.FOUND.code(), HttpHeaders.LOCATION, str));
            }
        });
    }

    private boolean isRedirectFromProvider(RoutingContext routingContext, TenantConfigContext tenantConfigContext) {
        String header = routingContext.request().getHeader(HttpHeaders.REFERER);
        return header != null && header.startsWith(tenantConfigContext.provider.getMetadata().getAuthorizationUri());
    }

    private PkceStateBean createPkceStateBean(TenantConfigContext tenantConfigContext) {
        if (!tenantConfigContext.oidcConfig.authentication.pkceRequired.orElse(false).booleanValue()) {
            return null;
        }
        PkceStateBean pkceStateBean = new PkceStateBean();
        Base64.Encoder withoutPadding = Base64.getUrlEncoder().withoutPadding();
        byte[] bArr = new byte[32];
        this.secureRandom.nextBytes(bArr);
        String encodeToString = withoutPadding.encodeToString(bArr);
        pkceStateBean.setCodeVerifier(encodeToString);
        try {
            pkceStateBean.setCodeChallenge(withoutPadding.encodeToString(OidcUtils.getSha256Digest(encodeToString.getBytes(StandardCharsets.ISO_8859_1))));
            return pkceStateBean;
        } catch (Exception e) {
            throw new AuthenticationFailedException(e);
        }
    }

    private Uni<SecurityIdentity> performCodeFlow(final IdentityProviderManager identityProviderManager, final RoutingContext routingContext, final TenantConfigContext tenantConfigContext, final MultiMap multiMap, String[] strArr) {
        String str = null;
        String str2 = null;
        CodeAuthenticationStateBean codeAuthenticationBean = getCodeAuthenticationBean(strArr, tenantConfigContext);
        if (codeAuthenticationBean != null && codeAuthenticationBean.getRestorePath() != null) {
            String restorePath = codeAuthenticationBean.getRestorePath();
            int indexOf = restorePath.indexOf("?");
            if (indexOf >= 0) {
                str = isRestorePath(tenantConfigContext.oidcConfig.authentication) ? restorePath.substring(0, indexOf) : null;
                if (indexOf + 1 < restorePath.length()) {
                    str2 = restorePath.substring(indexOf + 1);
                }
            } else {
                str = restorePath;
            }
        }
        final String str3 = str;
        final String str4 = str2;
        String str5 = multiMap.get("code");
        LOG.debug("Exchanging the authorization code for the tokens");
        return getCodeFlowTokensUni(routingContext, tenantConfigContext, str5, codeAuthenticationBean != null ? codeAuthenticationBean.getCodeVerifier() : null).onItemOrFailure().transformToUni(new BiFunction<AuthorizationCodeTokens, Throwable, Uni<? extends SecurityIdentity>>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.7
            @Override // java.util.function.BiFunction
            public Uni<SecurityIdentity> apply(final AuthorizationCodeTokens authorizationCodeTokens, Throwable th) {
                if (th != null) {
                    CodeAuthenticationMechanism.LOG.debugf("Exception during the code to token exchange: %s", th.getMessage());
                    return Uni.createFrom().failure(new AuthenticationCompletionException(th));
                }
                final boolean z = !tenantConfigContext.oidcConfig.authentication.isIdTokenRequired().orElse(true).booleanValue();
                if (authorizationCodeTokens.getIdToken() == null) {
                    if (!z) {
                        return Uni.createFrom().failure(new AuthenticationCompletionException("ID Token is not available"));
                    }
                    authorizationCodeTokens.setIdToken(CodeAuthenticationMechanism.this.generateInternalIdToken(tenantConfigContext.oidcConfig, null));
                }
                routingContext.put("new_authentication", Boolean.TRUE);
                routingContext.put("access_token", authorizationCodeTokens.getAccessToken());
                routingContext.put(AuthorizationCodeTokens.class.getName(), authorizationCodeTokens);
                final String decryptIdTokenIfEncryptedByProvider = CodeAuthenticationMechanism.decryptIdTokenIfEncryptedByProvider(tenantConfigContext, authorizationCodeTokens.getIdToken());
                CodeAuthenticationMechanism.LOG.debug("Authorization code has been exchanged, verifying ID token");
                return CodeAuthenticationMechanism.this.authenticate(identityProviderManager, routingContext, new IdTokenCredential(decryptIdTokenIfEncryptedByProvider, z)).call(new Function<SecurityIdentity, Uni<?>>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.7.3
                    @Override // java.util.function.Function
                    public Uni<Void> apply(SecurityIdentity securityIdentity) {
                        if (z && tenantConfigContext.oidcConfig.allowUserInfoCache && tenantConfigContext.oidcConfig.cacheUserInfoInIdtoken) {
                            authorizationCodeTokens.setIdToken(CodeAuthenticationMechanism.this.generateInternalIdToken(tenantConfigContext.oidcConfig, (UserInfo) securityIdentity.getAttribute(OidcUtils.USER_INFO_ATTRIBUTE)));
                        }
                        return CodeAuthenticationMechanism.this.processSuccessfulAuthentication(routingContext, tenantConfigContext, authorizationCodeTokens, decryptIdTokenIfEncryptedByProvider, securityIdentity);
                    }
                }).map(new Function<SecurityIdentity, SecurityIdentity>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.7.2
                    @Override // java.util.function.Function
                    public SecurityIdentity apply(SecurityIdentity securityIdentity) {
                        boolean isRemoveRedirectParameters = tenantConfigContext.oidcConfig.authentication.isRemoveRedirectParameters();
                        if (!isRemoveRedirectParameters && str3 == null && str4 == null) {
                            return securityIdentity;
                        }
                        URI create = URI.create(routingContext.request().absoluteURI());
                        StringBuilder sb = new StringBuilder(CodeAuthenticationMechanism.this.buildUri(routingContext, CodeAuthenticationMechanism.this.isForceHttps(tenantConfigContext.oidcConfig), create.getAuthority(), str3 != null ? str3 : create.getRawPath()));
                        if (!isRemoveRedirectParameters) {
                            sb.append('?').append(CodeAuthenticationMechanism.this.getRequestParametersAsQuery(create, multiMap, tenantConfigContext.oidcConfig));
                        }
                        if (str4 != null) {
                            sb.append(!isRemoveRedirectParameters ? "" : "?");
                            sb.append(str4);
                        }
                        String sb2 = sb.toString();
                        CodeAuthenticationMechanism.LOG.debugf("Removing code flow redirect parameters, final redirect URI: %s", sb2);
                        throw new AuthenticationRedirectException(sb2);
                    }
                }).onFailure().transform(new Function<Throwable, Throwable>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.7.1
                    @Override // java.util.function.Function
                    public Throwable apply(Throwable th2) {
                        if (th2 instanceof AuthenticationRedirectException) {
                            CodeAuthenticationMechanism.LOG.debugf("Starting the final redirect", new Object[0]);
                            return th2;
                        }
                        CodeAuthenticationMechanism.LOG.debugf("ID token verification has failed: %s", th2.getMessage());
                        return new AuthenticationCompletionException(th2);
                    }
                });
            }
        });
    }

    private CodeAuthenticationStateBean getCodeAuthenticationBean(String[] strArr, TenantConfigContext tenantConfigContext) {
        if (strArr.length != 2) {
            return null;
        }
        CodeAuthenticationStateBean codeAuthenticationStateBean = new CodeAuthenticationStateBean();
        if (!tenantConfigContext.oidcConfig.authentication.pkceRequired.orElse(false).booleanValue()) {
            codeAuthenticationStateBean.setRestorePath(strArr[1]);
            return codeAuthenticationStateBean;
        }
        try {
            JsonObject decryptJson = OidcUtils.decryptJson(strArr[1], tenantConfigContext.getPkceSecretKey());
            codeAuthenticationStateBean.setRestorePath(decryptJson.getString(STATE_COOKIE_RESTORE_PATH));
            codeAuthenticationStateBean.setCodeVerifier(decryptJson.getString("code_verifier"));
            return codeAuthenticationStateBean;
        } catch (Exception e) {
            LOG.tracef("State cookie value can not be decrypted for the %s tenant", tenantConfigContext.oidcConfig.tenantId.get());
            throw new AuthenticationFailedException(e);
        }
    }

    private String generateInternalIdToken(OidcTenantConfig oidcTenantConfig, UserInfo userInfo) {
        JwtClaimsBuilder claims = Jwt.claims();
        if (userInfo != null) {
            claims.claim(OidcUtils.USER_INFO_ATTRIBUTE, userInfo.getJsonObject());
        }
        return claims.jws().header(INTERNAL_IDTOKEN_HEADER, true).sign(KeyUtils.createSecretKeyFromSecret(OidcCommonUtils.clientSecret(oidcTenantConfig.credentials)));
    }

    private Uni<Void> processSuccessfulAuthentication(final RoutingContext routingContext, final TenantConfigContext tenantConfigContext, final AuthorizationCodeTokens authorizationCodeTokens, final String str, final SecurityIdentity securityIdentity) {
        LOG.debug("ID token has been verified, removing the existing session cookie if any and creating a new one");
        return removeSessionCookie(routingContext, tenantConfigContext.oidcConfig).chain(new Function<Void, Uni<? extends Void>>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.8
            @Override // java.util.function.Function
            public Uni<? extends Void> apply(Void r8) {
                JsonObject decodeJwtContent = OidcUtils.decodeJwtContent(str);
                if (!decodeJwtContent.containsKey("exp") || !decodeJwtContent.containsKey("iat")) {
                    CodeAuthenticationMechanism.LOG.debug("ID Token is required to contain 'exp' and 'iat' claims");
                    throw new AuthenticationCompletionException();
                }
                long longValue = decodeJwtContent.getLong("exp").longValue() - decodeJwtContent.getLong("iat").longValue();
                CodeAuthenticationMechanism.LOG.debugf("ID token is valid for %d seconds", longValue);
                if (tenantConfigContext.oidcConfig.token.lifespanGrace.isPresent()) {
                    longValue += tenantConfigContext.oidcConfig.token.lifespanGrace.getAsInt();
                }
                if (tenantConfigContext.oidcConfig.token.refreshExpired) {
                    longValue += tenantConfigContext.oidcConfig.authentication.sessionAgeExtension.getSeconds();
                }
                final long j = longValue;
                routingContext.put(CodeAuthenticationMechanism.SESSION_MAX_AGE_PARAM, Long.valueOf(longValue));
                routingContext.put(TenantConfigContext.class.getName(), tenantConfigContext);
                CodeAuthenticationMechanism.this.resolver.getBackChannelLogoutTokens().remove(tenantConfigContext.oidcConfig.tenantId.get());
                return CodeAuthenticationMechanism.this.resolver.getTokenStateManager().createTokenState(routingContext, tenantConfigContext.oidcConfig, authorizationCodeTokens, CodeAuthenticationMechanism.this.createTokenStateRequestContext).map(new Function<String, Void>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.8.1
                    @Override // java.util.function.Function
                    public Void apply(String str2) {
                        if (CodeAuthenticationMechanism.createCookie(routingContext, tenantConfigContext.oidcConfig, CodeAuthenticationMechanism.getSessionCookieName(tenantConfigContext.oidcConfig), str2, j).getValue().length() >= CodeAuthenticationMechanism.MAX_COOKIE_VALUE_LENGTH.intValue()) {
                            CodeAuthenticationMechanism.LOG.warnf("Session cookie length for the tenant %s is equal or greater than %d bytes. Browsers may ignore this cookie which will cause a new challenge for the authenticated users. Recommendations: 1. Set 'quarkus.oidc.token-state-manager.split-tokens=true' to have the ID, access and refresh tokens stored in separate cookies. 2. Set 'quarkus.oidc.token-state-manager.strategy=id-refresh-tokens' if you do not need to use the access token as a source of roles or to request UserInfo or propagate it to the downstream services. 3. Register a custom 'quarkus.oidc.TokenStateManager' CDI bean with the alternative priority set to 1.", tenantConfigContext.oidcConfig.tenantId.get(), CodeAuthenticationMechanism.MAX_COOKIE_VALUE_LENGTH);
                        }
                        CodeAuthenticationMechanism.this.fireEvent(SecurityEvent.Type.OIDC_LOGIN, securityIdentity);
                        return null;
                    }
                });
            }
        });
    }

    private void fireEvent(SecurityEvent.Type type, SecurityIdentity securityIdentity) {
        if (this.resolver.isSecurityEventObserved()) {
            this.resolver.getSecurityEvent().fire(new SecurityEvent(type, securityIdentity));
        }
    }

    private String getRedirectPath(TenantConfigContext tenantConfigContext, RoutingContext routingContext) {
        OidcTenantConfig.Authentication authentication = tenantConfigContext.oidcConfig.getAuthentication();
        return authentication.getRedirectPath().isPresent() ? authentication.getRedirectPath().get() : routingContext.request().path();
    }

    private String generateCodeFlowState(RoutingContext routingContext, TenantConfigContext tenantConfigContext, String str, String str2) {
        String uuid = UUID.randomUUID().toString();
        String str3 = uuid;
        boolean isRestorePath = isRestorePath(tenantConfigContext.oidcConfig.getAuthentication());
        if (isRestorePath || str2 != null) {
            CodeAuthenticationStateBean codeAuthenticationStateBean = new CodeAuthenticationStateBean();
            if (isRestorePath) {
                String query = routingContext.request().query();
                String path = (str.equals(routingContext.request().path()) && query == null) ? "" : routingContext.request().path();
                if (query != null) {
                    path = path + "?" + query;
                }
                if (!path.isEmpty()) {
                    codeAuthenticationStateBean.setRestorePath(path);
                }
            }
            codeAuthenticationStateBean.setCodeVerifier(str2);
            if (!codeAuthenticationStateBean.isEmpty()) {
                str3 = str3 + "|" + encodeExtraStateValue(codeAuthenticationStateBean, tenantConfigContext);
            }
        } else if (routingContext.request().query() != null) {
            CodeAuthenticationStateBean codeAuthenticationStateBean2 = new CodeAuthenticationStateBean();
            codeAuthenticationStateBean2.setRestorePath("?" + routingContext.request().query());
            str3 = str3 + "|" + encodeExtraStateValue(codeAuthenticationStateBean2, tenantConfigContext);
        }
        createCookie(routingContext, tenantConfigContext.oidcConfig, getStateCookieName(tenantConfigContext.oidcConfig), str3, 1800L);
        return uuid;
    }

    private boolean isRestorePath(OidcTenantConfig.Authentication authentication) {
        return authentication.isRestorePathAfterRedirect() || !authentication.redirectPath.isPresent();
    }

    private String encodeExtraStateValue(CodeAuthenticationStateBean codeAuthenticationStateBean, TenantConfigContext tenantConfigContext) {
        if (codeAuthenticationStateBean.getCodeVerifier() == null) {
            return codeAuthenticationStateBean.getRestorePath();
        }
        JsonObject jsonObject = new JsonObject();
        jsonObject.put("code_verifier", codeAuthenticationStateBean.getCodeVerifier());
        if (codeAuthenticationStateBean.getRestorePath() != null) {
            jsonObject.put(STATE_COOKIE_RESTORE_PATH, codeAuthenticationStateBean.getRestorePath());
        }
        try {
            return OidcUtils.encryptJson(jsonObject, tenantConfigContext.getPkceSecretKey());
        } catch (Exception e) {
            throw new AuthenticationFailedException(e);
        }
    }

    private String generatePostLogoutState(RoutingContext routingContext, TenantConfigContext tenantConfigContext) {
        OidcUtils.removeCookie(routingContext, tenantConfigContext.oidcConfig, getPostLogoutCookieName(tenantConfigContext.oidcConfig));
        return createCookie(routingContext, tenantConfigContext.oidcConfig, getPostLogoutCookieName(tenantConfigContext.oidcConfig), UUID.randomUUID().toString(), 1800L).getValue();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static ServerCookie createCookie(RoutingContext routingContext, OidcTenantConfig oidcTenantConfig, String str, String str2, long j) {
        CookieImpl cookieImpl = new CookieImpl(str, str2);
        cookieImpl.setHttpOnly(true);
        cookieImpl.setSecure(oidcTenantConfig.authentication.cookieForceSecure || routingContext.request().isSSL());
        cookieImpl.setMaxAge(j);
        LOG.debugf(str + " cookie 'max-age' parameter is set to %d", j);
        OidcTenantConfig.Authentication authentication = oidcTenantConfig.getAuthentication();
        OidcUtils.setCookiePath(routingContext, authentication, cookieImpl);
        if (authentication.cookieDomain.isPresent()) {
            cookieImpl.setDomain(authentication.getCookieDomain().get());
        }
        routingContext.response().addCookie(cookieImpl);
        return cookieImpl;
    }

    private String buildUri(RoutingContext routingContext, boolean z, String str) {
        return buildUri(routingContext, z, URI.create(routingContext.request().absoluteURI()).getAuthority(), str);
    }

    private String buildUri(RoutingContext routingContext, boolean z, String str, String str2) {
        String header;
        String scheme = z ? "https" : routingContext.request().scheme();
        String str3 = "";
        if (this.resolver.isEnableHttpForwardedPrefix() && (header = routingContext.request().getHeader("X-Forwarded-Prefix")) != null && !header.equals("/") && !header.equals("//")) {
            str3 = header;
            if (str3.endsWith("/")) {
                str3 = str3.substring(0, str3.length() - 1);
            }
        }
        return scheme + "://" + str + str3 + str2;
    }

    private boolean isLogout(RoutingContext routingContext, TenantConfigContext tenantConfigContext) {
        Optional<String> optional = tenantConfigContext.oidcConfig.logout.path;
        if (optional.isPresent()) {
            return routingContext.request().absoluteURI().equals(buildUri(routingContext, false, optional.get()));
        }
        return false;
    }

    private Uni<SecurityIdentity> refreshSecurityIdentity(final TenantConfigContext tenantConfigContext, String str, final RoutingContext routingContext, final IdentityProviderManager identityProviderManager, final boolean z, SecurityIdentity securityIdentity) {
        return refreshTokensUni(tenantConfigContext, str).onItemOrFailure().transformToUni(new BiFunction<AuthorizationCodeTokens, Throwable, Uni<? extends SecurityIdentity>>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.9
            @Override // java.util.function.BiFunction
            public Uni<SecurityIdentity> apply(final AuthorizationCodeTokens authorizationCodeTokens, Throwable th) {
                if (th != null) {
                    CodeAuthenticationMechanism.LOG.errorf("ID token refresh has failed: %s", th.getMessage());
                    if (!z) {
                        return Uni.createFrom().failure(new AuthenticationFailedException(th));
                    }
                    CodeAuthenticationMechanism.LOG.debug("Using the current SecurityIdentity since the ID token is still valid");
                    return Uni.createFrom().item(((TokenAutoRefreshException) th).getSecurityIdentity());
                }
                routingContext.put("access_token", authorizationCodeTokens.getAccessToken());
                routingContext.put(AuthorizationCodeTokens.class.getName(), authorizationCodeTokens);
                routingContext.put("refresh_token_grant_response", Boolean.TRUE);
                final String decryptIdTokenIfEncryptedByProvider = CodeAuthenticationMechanism.decryptIdTokenIfEncryptedByProvider(tenantConfigContext, authorizationCodeTokens.getIdToken());
                CodeAuthenticationMechanism.LOG.debug("Verifying the refreshed ID token");
                return CodeAuthenticationMechanism.this.authenticate(identityProviderManager, routingContext, new IdTokenCredential(decryptIdTokenIfEncryptedByProvider)).call(new Function<SecurityIdentity, Uni<?>>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.9.3
                    @Override // java.util.function.Function
                    public Uni<Void> apply(SecurityIdentity securityIdentity2) {
                        return CodeAuthenticationMechanism.this.processSuccessfulAuthentication(routingContext, tenantConfigContext, authorizationCodeTokens, decryptIdTokenIfEncryptedByProvider, securityIdentity2);
                    }
                }).map(new Function<SecurityIdentity, SecurityIdentity>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.9.2
                    @Override // java.util.function.Function
                    public SecurityIdentity apply(SecurityIdentity securityIdentity2) {
                        CodeAuthenticationMechanism.this.fireEvent(z ? SecurityEvent.Type.OIDC_SESSION_REFRESHED : SecurityEvent.Type.OIDC_SESSION_EXPIRED_AND_REFRESHED, securityIdentity2);
                        return securityIdentity2;
                    }
                }).onFailure().transform(new Function<Throwable, Throwable>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.9.1
                    @Override // java.util.function.Function
                    public Throwable apply(Throwable th2) {
                        CodeAuthenticationMechanism.LOG.debugf("Verifying the refreshed ID token failed %s", th2.getMessage());
                        return new AuthenticationFailedException(th2);
                    }
                });
            }
        });
    }

    private Uni<AuthorizationCodeTokens> refreshTokensUni(TenantConfigContext tenantConfigContext, final String str) {
        return tenantConfigContext.provider.refreshTokens(str).onItem().transform(new Function<AuthorizationCodeTokens, AuthorizationCodeTokens>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.10
            @Override // java.util.function.Function
            public AuthorizationCodeTokens apply(AuthorizationCodeTokens authorizationCodeTokens) {
                return authorizationCodeTokens.getRefreshToken() != null ? authorizationCodeTokens : new AuthorizationCodeTokens(authorizationCodeTokens.getIdToken(), authorizationCodeTokens.getAccessToken(), str);
            }
        });
    }

    private Uni<AuthorizationCodeTokens> getCodeFlowTokensUni(RoutingContext routingContext, TenantConfigContext tenantConfigContext, String str, String str2) {
        String buildUri = buildUri(routingContext, isForceHttps(tenantConfigContext.oidcConfig), getRedirectPath(tenantConfigContext, routingContext));
        LOG.debugf("Token request redirect_uri parameter: %s", buildUri);
        return tenantConfigContext.provider.getCodeFlowTokens(str, buildUri, str2);
    }

    private String buildLogoutRedirectUri(TenantConfigContext tenantConfigContext, String str, RoutingContext routingContext) {
        StringBuilder sb = new StringBuilder(tenantConfigContext.provider.getMetadata().getEndSessionUri());
        if (str != null || tenantConfigContext.oidcConfig.logout.postLogoutPath.isPresent()) {
            sb.append("?");
        }
        if (str != null) {
            sb.append("id_token_hint").append(EQ).append(str);
        }
        if (tenantConfigContext.oidcConfig.logout.postLogoutPath.isPresent()) {
            sb.append(AMP).append(tenantConfigContext.oidcConfig.logout.getPostLogoutUriParam()).append(EQ).append(buildUri(routingContext, isForceHttps(tenantConfigContext.oidcConfig), tenantConfigContext.oidcConfig.logout.postLogoutPath.get()));
            sb.append(AMP).append("state").append(EQ).append(generatePostLogoutState(routingContext, tenantConfigContext));
        }
        addExtraParamsToUri(sb, tenantConfigContext.oidcConfig.logout.extraParams);
        return sb.toString();
    }

    private static void addExtraParamsToUri(StringBuilder sb, Map<String, String> map) {
        if (map != null) {
            for (Map.Entry<String, String> entry : map.entrySet()) {
                sb.append(AMP).append(entry.getKey()).append(EQ).append(OidcCommonUtils.urlEncode(entry.getValue()));
            }
        }
    }

    private boolean isForceHttps(OidcTenantConfig oidcTenantConfig) {
        return oidcTenantConfig.authentication.forceRedirectHttpsScheme.orElse(false).booleanValue();
    }

    private Uni<Void> buildLogoutRedirectUriUni(final RoutingContext routingContext, final TenantConfigContext tenantConfigContext, final String str) {
        return removeSessionCookie(routingContext, tenantConfigContext.oidcConfig).map(new Function<Void, Void>() { // from class: io.quarkus.oidc.runtime.CodeAuthenticationMechanism.11
            @Override // java.util.function.Function
            public Void apply(Void r8) {
                throw new AuthenticationRedirectException(CodeAuthenticationMechanism.this.buildLogoutRedirectUri(tenantConfigContext, str, routingContext));
            }
        });
    }

    private static String getStateCookieName(OidcTenantConfig oidcTenantConfig) {
        return "q_auth" + getCookieSuffix(oidcTenantConfig);
    }

    private static String getPostLogoutCookieName(OidcTenantConfig oidcTenantConfig) {
        return "q_post_logout" + getCookieSuffix(oidcTenantConfig);
    }

    private static String getSessionCookieName(OidcTenantConfig oidcTenantConfig) {
        return "q_session" + getCookieSuffix(oidcTenantConfig);
    }

    private Uni<Void> removeSessionCookie(RoutingContext routingContext, OidcTenantConfig oidcTenantConfig) {
        return OidcUtils.removeSessionCookie(routingContext, oidcTenantConfig, getSessionCookieName(oidcTenantConfig), this.resolver.getTokenStateManager());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static String getCookieSuffix(OidcTenantConfig oidcTenantConfig) {
        String str = oidcTenantConfig.tenantId.get();
        boolean isPresent = oidcTenantConfig.authentication.cookieSuffix.isPresent();
        String str2 = (isPresent || !OidcUtils.DEFAULT_TENANT_ID.equals(str)) ? "_" + str : "";
        return isPresent ? str2 + "_" + oidcTenantConfig.authentication.cookieSuffix.get() : str2;
    }
}
