package org.eclipse.jetty.security.openid;

import java.io.IOException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Iterator;
import java.util.Objects;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.eclipse.jetty.http.HttpMethod;
import org.eclipse.jetty.http.MimeTypes;
import org.eclipse.jetty.security.Authenticator;
import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.security.ServerAuthException;
import org.eclipse.jetty.security.UserAuthentication;
import org.eclipse.jetty.security.authentication.DeferredAuthentication;
import org.eclipse.jetty.security.authentication.LoginAuthenticator;
import org.eclipse.jetty.security.authentication.SessionAuthentication;
import org.eclipse.jetty.server.Authentication;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Response;
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.util.MultiMap;
import org.eclipse.jetty.util.URIUtil;
import org.eclipse.jetty.util.UrlEncoded;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;

/* loaded from: input_file:org/eclipse/jetty/security/openid/OpenIdAuthenticator.class */
public class OpenIdAuthenticator extends LoginAuthenticator {
    private static final Logger LOG = Log.getLogger(OpenIdAuthenticator.class);
    // Session attribute under which login() stores the claims taken from the OpenIdCredentials.
    public static final String CLAIMS = "org.eclipse.jetty.security.openid.claims";
    // Session attribute under which login() stores the response object taken from the OpenIdCredentials.
    public static final String RESPONSE = "org.eclipse.jetty.security.openid.response";
    // Init-parameter name read in setConfiguration() to configure the error page.
    public static final String ERROR_PAGE = "org.eclipse.jetty.security.openid.error_page";
    // Session attribute holding the full URL (with query string) of the request that triggered the challenge.
    public static final String J_URI = "org.eclipse.jetty.security.openid.URI";
    // Session attribute holding the form parameters of a form-encoded POST that triggered the challenge.
    public static final String J_POST = "org.eclipse.jetty.security.openid.POST";
    // Session attribute holding the HTTP method of the request that triggered the challenge.
    public static final String J_METHOD = "org.eclipse.jetty.security.openid.METHOD";
    // Session attribute holding the value sent as the "state" parameter and checked again on the callback.
    public static final String CSRF_TOKEN = "org.eclipse.jetty.security.openid.csrf_token";
    // Path fragment identifying the callback; appended to the context path to form the redirect_uri.
    public static final String J_SECURITY_CHECK = "/j_security_check";
    // Name of the query parameter that carries the failure message; sendError() appends the same literal.
    public static final String ERROR_PARAMETER = "error_description_jetty";
    // Provider settings; supplied to the constructor or taken from the OpenIdLoginService in setConfiguration().
    private OpenIdConfiguration _configuration;
    // The three error-page fields are maintained together by setErrorPage():
    // the full configured value, its path part, and its query part.
    private String _errorPage;
    private String _errorPath;
    private String _errorQuery;
    // When true, validateRequest() overwrites an already saved J_URI on every new challenge.
    private boolean _alwaysSaveUri;

    /* loaded from: input_file:org/eclipse/jetty/security/openid/OpenIdAuthenticator$OpenIdAuthentication.class */
    /**
     * Authentication result returned by {@code validateRequest} after a successful
     * authorization-code callback. It implements {@link Authentication.ResponseSent};
     * the callback branch issues a redirect before returning it.
     */
    public static class OpenIdAuthentication extends UserAuthentication implements Authentication.ResponseSent {
        /**
         * @param str the authentication method name passed to the superclass
         * @param userIdentity the identity of the logged-in user
         */
        public OpenIdAuthentication(String str, UserIdentity userIdentity) {
            super(str, userIdentity);
        }

        /** Prefixes the superclass description with {@code "OpenId"}. */
        @Override
        public String toString() {
            return new StringBuilder("OpenId").append(super.toString()).toString();
        }
    }

    /**
     * Creates an authenticator without a configuration; {@code setConfiguration} then
     * obtains one from the configured {@code OpenIdLoginService}.
     */
    public OpenIdAuthenticator() {
    }

    /**
     * Creates an authenticator with an explicit provider configuration.
     *
     * @param openIdConfiguration the provider configuration to use
     * @param str the error page path, or {@code null} to leave the error page unset
     */
    public OpenIdAuthenticator(OpenIdConfiguration openIdConfiguration, String str) {
        _configuration = openIdConfiguration;
        if (str == null) {
            return;
        }
        setErrorPage(str);
    }

    /**
     * Applies the security handler configuration: reads the optional error page
     * init-parameter and, when no configuration was given to the constructor, takes it
     * from the login service.
     *
     * @param authConfiguration the configuration supplied by the security handler
     * @throws IllegalArgumentException if no configuration is set and the login service is
     *         not an {@code OpenIdLoginService}
     */
    @Override
    public void setConfiguration(Authenticator.AuthConfiguration authConfiguration) {
        super.setConfiguration(authConfiguration);

        String configuredErrorPage = authConfiguration.getInitParameter(ERROR_PAGE);
        if (configuredErrorPage != null) {
            setErrorPage(configuredErrorPage);
        }

        // An explicitly supplied configuration wins; the login service is only a fallback.
        if (_configuration == null) {
            LoginService service = authConfiguration.getLoginService();
            if (service instanceof OpenIdLoginService) {
                _configuration = ((OpenIdLoginService) service).getConfiguration();
            } else {
                throw new IllegalArgumentException("invalid LoginService");
            }
        }
    }

    /** @return the authentication method name, always {@code "OPENID"} */
    public String getAuthMethod() {
        return "OPENID";
    }

    /**
     * @param z {@code true} to overwrite the saved original URI on every challenge,
     *        {@code false} to keep the first one saved in the session
     */
    public void setAlwaysSaveUri(boolean z) {
        _alwaysSaveUri = z;
    }

    /** @return whether the saved original URI is overwritten on every challenge */
    public boolean isAlwaysSaveUri() {
        return _alwaysSaveUri;
    }

    /**
     * Stores the error page and splits it into path and query parts.
     * A {@code null} or blank value clears the error page and path; a value without a
     * leading slash is logged and prefixed with one.
     *
     * @param str the error page, optionally with a query string
     */
    private void setErrorPage(String str) {
        boolean blank = str == null || str.trim().isEmpty();
        if (blank) {
            _errorPath = null;
            _errorPage = null;
            return;
        }

        String page = str;
        if (!page.startsWith("/")) {
            LOG.warn("error-page must start with /");
            page = "/" + page;
        }

        _errorPage = page;
        int queryStart = page.indexOf('?');
        if (queryStart > 0) {
            // Keep path and query separately so sendError() can merge its own parameter in.
            _errorPath = page.substring(0, queryStart);
            _errorQuery = page.substring(queryStart + 1);
        } else {
            _errorPath = page;
            _errorQuery = "";
        }
    }

    /**
     * Delegates the login to the superclass and, on success, records the authentication,
     * the claims and the provider response in the HTTP session.
     *
     * @param str the user name passed through to the superclass
     * @param obj the credentials; cast to {@code OpenIdCredentials} after a successful login
     * @param servletRequest the current request; cast to {@code HttpServletRequest}
     * @return the user identity, or {@code null} if the superclass login failed
     */
    @Override
    public UserIdentity login(String str, Object obj, ServletRequest servletRequest) {
        // NOTE(review): the credentials object is written to the debug log; confirm that
        // OpenIdCredentials.toString() does not expose the authorization code or tokens.
        if (LOG.isDebugEnabled()) {
            LOG.debug("login {} {} {}", str, obj, servletRequest);
        }

        UserIdentity identity = super.login(str, obj, servletRequest);
        if (identity == null) {
            return null;
        }

        // NOTE(review): session-id renewal after login is presumably done by super.login;
        // it is not visible in this class, so confirm against the superclass.
        HttpSession httpSession = ((HttpServletRequest) servletRequest).getSession();
        httpSession.setAttribute("org.eclipse.jetty.security.UserIdentity", new SessionAuthentication(getAuthMethod(), identity, obj));

        // Claims and provider response are kept in the session for the application to read.
        OpenIdCredentials credentials = (OpenIdCredentials) obj;
        httpSession.setAttribute(CLAIMS, credentials.getClaims());
        httpSession.setAttribute(RESPONSE, credentials.getResponse());
        return identity;
    }

    /**
     * Logs out through the superclass and then removes the authentication, claims and
     * provider response from the existing session, if there is one. No session is created.
     *
     * @param servletRequest the current request; cast to {@code HttpServletRequest}
     */
    @Override
    public void logout(ServletRequest servletRequest) {
        super.logout(servletRequest);

        HttpSession existing = ((HttpServletRequest) servletRequest).getSession(false);
        if (existing != null) {
            String[] attributes = {"org.eclipse.jetty.security.UserIdentity", CLAIMS, RESPONSE};
            for (String attribute : attributes) {
                existing.removeAttribute(attribute);
            }
        }
    }

    /**
     * Restores the HTTP method saved before the challenge when an authenticated session
     * returns to exactly the URL that was saved.
     * Nothing happens unless the session exists, holds an authentication, and has both a
     * saved URI and a saved method.
     *
     * @param servletRequest the current request; cast to {@code HttpServletRequest}
     */
    public void prepareRequest(ServletRequest servletRequest) {
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;

        HttpSession session = httpRequest.getSession(false);
        if (session == null) {
            return;
        }
        if (session.getAttribute("org.eclipse.jetty.security.UserIdentity") == null) {
            return;
        }

        String savedUri = (String) session.getAttribute(J_URI);
        if (savedUri == null || savedUri.isEmpty()) {
            return;
        }
        String savedMethod = (String) session.getAttribute(J_METHOD);
        if (savedMethod == null || savedMethod.isEmpty()) {
            return;
        }

        StringBuffer currentUrl = httpRequest.getRequestURL();
        String query = httpRequest.getQueryString();
        if (query != null) {
            currentUrl.append("?").append(query);
        }

        // The method is only rewritten on an exact URL match, so the saved method cannot
        // be applied to a different resource.
        if (!savedUri.equals(currentUrl.toString())) {
            return;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Restoring original method {} for {} with method {}", savedMethod, savedUri, httpRequest.getMethod());
        }
        Request.getBaseRequest(servletRequest).setMethod(savedMethod);
    }

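    /**
     * Authenticates a request using the authorization-code flow.
     *
     * <p>The method handles three situations:
     * <ul>
     * <li>a callback on {@code /j_security_check}: the {@code state} parameter is compared
     * with the token stored in the session, the {@code code} is exchanged through
     * {@code login}, and the browser is redirected to the saved original URI;</li>
     * <li>a session that already holds an authentication: it is re-validated against the
     * login service and, on an exact match with the saved URI, saved POST parameters are
     * restored;</li>
     * <li>anything else: the original URI, method and form parameters are saved and the
     * browser is redirected to the provider's authorization endpoint.</li>
     * </ul>
     *
     * <p>The post-login redirect target is read from the session (where it was saved from
     * the original request URL) or falls back to the context path; it is never taken from
     * a request parameter.
     *
     * @param servletRequest the request; cast to {@code HttpServletRequest}
     * @param servletResponse the response; cast to {@code HttpServletResponse}
     * @param z whether authentication is mandatory for this request
     * @return the resulting authentication state
     * @throws ServerAuthException wrapping any {@code IOException} raised while sending an
     *         error or a redirect
     */
    public Authentication validateRequest(ServletRequest servletRequest, ServletResponse servletResponse, boolean z) throws ServerAuthException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        Request request = Objects.requireNonNull(Request.getBaseRequest(httpServletRequest));
        Response response = request.getResponse();

        String requestURI = httpServletRequest.getRequestURI();
        if (requestURI == null) {
            requestURI = "/";
        }

        // Optional authentication is deferred unless this is the callback itself.
        if (!z && !isJSecurityCheck(requestURI)) {
            return new DeferredAuthentication(this);
        }
        // The error page must stay reachable without authentication.
        if (isErrorPage(URIUtil.addPaths(httpServletRequest.getServletPath(), httpServletRequest.getPathInfo())) && !DeferredAuthentication.isDeferred(httpServletResponse)) {
            return new DeferredAuthentication(this);
        }

        // sendError() and sendRedirect() throw IOException, so the whole flow sits in one
        // try block and the failure is reported through the declared ServerAuthException.
        try {
            HttpSession session = httpServletRequest.getSession();

            // A session id carried in the URL is rejected; the flow requires a cookie.
            if (httpServletRequest.isRequestedSessionIdFromURL()) {
                sendError(httpServletRequest, httpServletResponse, "Session ID must be a cookie to support OpenID authentication");
                return Authentication.SEND_FAILURE;
            }

            if (isJSecurityCheck(requestURI)) {
                String authCode = httpServletRequest.getParameter("code");
                if (authCode != null) {
                    // The state must match the token bound to this session before the
                    // code is used; a missing session token fails the check as well.
                    // NOTE(review): the token is left in the session after a successful
                    // callback; confirm whether it should be single-use.
                    String state = httpServletRequest.getParameter("state");
                    String expectedState = (String) session.getAttribute(CSRF_TOKEN);
                    if (expectedState == null || !expectedState.equals(state)) {
                        sendError(httpServletRequest, httpServletResponse, "auth failed: invalid state parameter");
                        return Authentication.SEND_FAILURE;
                    }

                    UserIdentity identity = login(null, new OpenIdCredentials(authCode, getRedirectUri(httpServletRequest)), httpServletRequest);
                    if (identity != null) {
                        String target;
                        synchronized (session) {
                            target = (String) session.getAttribute(J_URI);
                            if (target == null || target.length() == 0) {
                                target = httpServletRequest.getContextPath();
                                if (target.length() == 0) {
                                    target = "/";
                                }
                            }
                        }
                        OpenIdAuthentication openIdAuthentication = new OpenIdAuthentication(getAuthMethod(), identity);
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("authenticated {}->{}", openIdAuthentication, target);
                        }
                        httpServletResponse.setContentLength(0);
                        response.sendRedirect(target, true);
                        return openIdAuthentication;
                    }
                }

                // No code, or the login was refused.
                sendError(httpServletRequest, httpServletResponse, null);
                return Authentication.SEND_FAILURE;
            }

            Authentication authentication = (Authentication) session.getAttribute("org.eclipse.jetty.security.UserIdentity");
            if (authentication != null) {
                // A user authentication is re-validated on every request so that a
                // revoked identity is dropped from the session.
                boolean revoked = authentication instanceof Authentication.User
                    && this._loginService != null
                    && !this._loginService.validate(((Authentication.User) authentication).getUserIdentity());
                if (!revoked) {
                    synchronized (session) {
                        String savedUri = (String) session.getAttribute(J_URI);
                        if (savedUri != null) {
                            if (LOG.isDebugEnabled()) {
                                LOG.debug("auth retry {}->{}", authentication, savedUri);
                            }
                            StringBuffer requestURL = httpServletRequest.getRequestURL();
                            if (httpServletRequest.getQueryString() != null) {
                                requestURL.append("?").append(httpServletRequest.getQueryString());
                            }
                            // Saved POST data is replayed only onto the exact URL it was
                            // captured from, and then discarded.
                            if (savedUri.equals(requestURL.toString())) {
                                MultiMap<String> savedForm = (MultiMap<String>) session.getAttribute(J_POST);
                                if (savedForm != null) {
                                    if (LOG.isDebugEnabled()) {
                                        LOG.debug("auth rePOST {}->{}", authentication, savedUri);
                                    }
                                    request.setContentParameters(savedForm);
                                }
                                session.removeAttribute(J_URI);
                                session.removeAttribute(J_METHOD);
                                session.removeAttribute(J_POST);
                            }
                        }
                    }
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("auth {}", authentication);
                    }
                    return authentication;
                }

                if (LOG.isDebugEnabled()) {
                    LOG.debug("auth revoked {}", authentication);
                }
                session.removeAttribute("org.eclipse.jetty.security.UserIdentity");
            }

            if (DeferredAuthentication.isDeferred(httpServletResponse)) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("auth deferred {}", session.getId());
                }
                return Authentication.UNAUTHENTICATED;
            }

            // Remember where the user was going so the callback can send them back.
            synchronized (session) {
                if (session.getAttribute(J_URI) == null || isAlwaysSaveUri()) {
                    StringBuffer originalUrl = httpServletRequest.getRequestURL();
                    if (httpServletRequest.getQueryString() != null) {
                        originalUrl.append("?").append(httpServletRequest.getQueryString());
                    }
                    session.setAttribute(J_URI, originalUrl.toString());
                    session.setAttribute(J_METHOD, httpServletRequest.getMethod());
                    if (MimeTypes.Type.FORM_ENCODED.is(servletRequest.getContentType()) && HttpMethod.POST.is(httpServletRequest.getMethod())) {
                        MultiMap<String> formParameters = new MultiMap<>();
                        request.extractFormParameters(formParameters);
                        session.setAttribute(J_POST, formParameters);
                    }
                }
            }

            String challengeUri = getChallengeUri(httpServletRequest);
            // The debug line below contains the session id and the challenge URI, which
            // carries the state token; treat debug logs of this class as sensitive.
            if (LOG.isDebugEnabled()) {
                LOG.debug("challenge {}->{}", session.getId(), challengeUri);
            }
            response.sendRedirect(challengeUri, true);
            return Authentication.SEND_CONTINUE;
        } catch (IOException e) {
            throw new ServerAuthException(e);
        }
    }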

    /**
     * Reports an authentication failure: a 403 when no error page is configured,
     * otherwise a redirect to the error page with the message, if any, added as the
     * {@code error_description_jetty} query parameter.
     *
     * <p>The message is URL-encoded here; a page that renders it is still responsible
     * for escaping it for its own output context.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the current response; may be {@code null}, in which case
     *        no 403 is sent
     * @param str the failure message, or {@code null} for none
     * @throws IOException if the error or redirect cannot be sent
     */
    private void sendError(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) throws IOException {
        Request baseRequest = Objects.requireNonNull(Request.getBaseRequest(httpServletRequest));
        Response baseResponse = baseRequest.getResponse();
        boolean debug = LOG.isDebugEnabled();

        if (debug) {
            LOG.debug("OpenId authentication FAILED: {}", str);
        }

        if (_errorPage == null) {
            if (debug) {
                LOG.debug("auth failed 403");
            }
            if (httpServletResponse != null) {
                httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
            }
            return;
        }

        if (debug) {
            LOG.debug("auth failed {}", _errorPage);
        }

        String contextPath = httpServletRequest.getContextPath();
        String location;
        if (str == null) {
            location = URIUtil.addPaths(contextPath, _errorPage);
        } else {
            // Merge the message with any query string already configured on the error page.
            String query = URIUtil.addQueries("error_description_jetty=" + UrlEncoded.encodeString(str), _errorQuery);
            location = URIUtil.addPathQuery(URIUtil.addPaths(contextPath, _errorPath), query);
        }
        baseResponse.sendRedirect(location, true);
    }

    /**
     * Tells whether a URI addresses the authentication callback.
     * The first occurrence of {@code /j_security_check} anywhere in the URI counts, as long
     * as it ends the URI or is followed by {@code ;}, {@code #}, {@code /} or {@code ?}.
     *
     * @param str the request URI; must not be {@code null}
     * @return {@code true} if the URI is treated as the callback
     */
    public boolean isJSecurityCheck(String str) {
        int start = str.indexOf(J_SECURITY_CHECK);
        if (start < 0) {
            return false;
        }

        int end = start + J_SECURITY_CHECK.length();
        if (end == str.length()) {
            return true;
        }

        // Only a delimiter may follow, so "/j_security_checkX" is not a match.
        switch (str.charAt(end)) {
            case ';':
            case '#':
            case '/':
            case '?':
                return true;
            default:
                return false;
        }
    }

    /**
     * Tells whether a path is exactly the configured error page path (query excluded).
     *
     * @param str the path within the context, or {@code null}
     * @return {@code true} only for a non-null path equal to the error page path
     */
    public boolean isErrorPage(String str) {
        if (str == null) {
            return false;
        }
        return str.equals(_errorPath);
    }

    /**
     * Builds the absolute callback URL sent as {@code redirect_uri}: scheme, host and port
     * of the current request, then the context path and {@code /j_security_check}.
     *
     * <p>NOTE(review): scheme, server name and port are whatever the container reports
     * for this request; confirm that the deployment pins them (proxy/forwarding setup)
     * and that the provider matches {@code redirect_uri} against a registered value.
     *
     * @param httpServletRequest the current request
     * @return the callback URL
     */
    private String getRedirectUri(HttpServletRequest httpServletRequest) {
        String scheme = httpServletRequest.getScheme();
        String host = httpServletRequest.getServerName();
        int port = httpServletRequest.getServerPort();

        StringBuffer callback = new StringBuffer(128);
        URIUtil.appendSchemeHostPort(callback, scheme, host, port);
        return callback.append(httpServletRequest.getContextPath()).append(J_SECURITY_CHECK).toString();
    }

    /**
     * Builds the authorization request URL the browser is redirected to.
     *
     * <p>The {@code state} value is a 130-bit {@link SecureRandom} number in base 32. It is
     * created once per session, stored under {@link #CSRF_TOKEN}, and reused for later
     * challenges in the same session. The request carries {@code client_id},
     * {@code redirect_uri}, {@code scope}, {@code state} and {@code response_type=code}.
     *
     * <p>NOTE(review): no {@code nonce} parameter is sent from here; confirm where
     * ID-token replay protection is enforced.
     *
     * @param httpServletRequest the current request; a session is created if none exists
     * @return the authorization endpoint URL with its query parameters
     */
    protected String getChallengeUri(HttpServletRequest httpServletRequest) {
        HttpSession session = httpServletRequest.getSession();

        String state;
        synchronized (session) {
            state = (String) session.getAttribute(CSRF_TOKEN);
            if (state == null) {
                state = new BigInteger(130, new SecureRandom()).toString(32);
            }
            session.setAttribute(CSRF_TOKEN, state);
        }

        // "openid" is always requested; configured scopes follow, each preceded by a space.
        StringBuilder extraScopes = new StringBuilder();
        for (String scope : _configuration.getScopes()) {
            extraScopes.append(" ").append(scope);
        }

        StringBuilder challenge = new StringBuilder();
        challenge.append(_configuration.getAuthEndpoint());
        challenge.append("?client_id=").append(UrlEncoded.encodeString(_configuration.getClientId(), StandardCharsets.UTF_8));
        challenge.append("&redirect_uri=").append(UrlEncoded.encodeString(getRedirectUri(httpServletRequest), StandardCharsets.UTF_8));
        challenge.append("&scope=openid").append(UrlEncoded.encodeString(extraScopes.toString(), StandardCharsets.UTF_8));
        challenge.append("&state=").append(state);
        challenge.append("&response_type=code");
        return challenge.toString();
    }

    /**
     * Post-processing hook for the response; this authenticator does nothing here.
     *
     * @param servletRequest the request (unused)
     * @param servletResponse the response (unused)
     * @param z the mandatory flag (unused)
     * @param user the validated user (unused)
     * @return always {@code true}
     */
    public boolean secureResponse(ServletRequest servletRequest, ServletResponse servletResponse, boolean z, Authentication.User user) {
        return true;
    }
}
