package org.wso2.carbon.apimgt.authenticator.oidc;

import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;
import com.nimbusds.jose.util.Base64;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Date;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.transport.http.HTTPConstants;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.message.BasicNameValuePair;
import org.osgi.framework.BundleContext;
import org.osgi.util.tracker.ServiceTracker;
import org.osgi.util.tracker.ServiceTrackerCustomizer;
import org.wso2.carbon.apimgt.authenticator.oidc.OIDCAuthenticatorBEConstants;
import org.wso2.carbon.apimgt.authenticator.oidc.common.AuthClient;
import org.wso2.carbon.apimgt.authenticator.oidc.common.AuthenticationToken;
import org.wso2.carbon.apimgt.authenticator.oidc.common.ServerConfiguration;
import org.wso2.carbon.apimgt.authenticator.oidc.internal.OIDCAuthBEDataHolder;
import org.wso2.carbon.apimgt.authenticator.oidc.util.Util;
import org.wso2.carbon.core.security.AuthenticatorsConfiguration;
import org.wso2.carbon.core.services.authentication.CarbonServerAuthenticator;
import org.wso2.carbon.core.services.util.CarbonAuthenticationUtil;
import org.wso2.carbon.core.util.AnonymousSessionUtil;
import org.wso2.carbon.core.util.PermissionUpdateUtil;
import org.wso2.carbon.registry.core.service.RegistryService;
import org.wso2.carbon.user.core.UserRealm;
import org.wso2.carbon.user.core.service.RealmService;
import org.wso2.carbon.utils.AuthenticationObserver;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/apimgt/authenticator/oidc/OIDCAuthenticator.class */
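/**
 * Carbon back-end authenticator that completes an OpenID Connect authorization-code login
 * for the management console.
 *
 * <p>The flow implemented here is: exchange the authorization code at the configured token
 * endpoint, read {@code preferred_username} from the user-info endpoint, optionally verify the
 * {@code id_token} signature and claims (see {@link #isResponseSignatureValidationEnabled()}),
 * and finally check that the user holds the console login permission. Any failure results in a
 * {@code null} login result and a failed-login audit entry; no exception escapes {@link #login}.
 *
 * <p>Token material (access, id and refresh tokens) is never written to the log by this class.
 */
public class OIDCAuthenticator implements CarbonServerAuthenticator {
    private static final int DEFAULT_PRIORITY_LEVEL = 3;
    private static final String AUTHENTICATOR_NAME = "OIDCAuthenticator";
    /** Label recorded by {@link CarbonAuthenticationUtil} for successful and failed logins. */
    private static final String AUTHENTICATION_TYPE = "OIDC Authentication";
    /** Permission resource and action a user must hold to log into the console. */
    private static final String LOGIN_PERMISSION = "/permission/admin/login";
    private static final String LOGIN_ACTION = "ui.execute";
    /** Session attributes written by the Carbon login pipeline and read here. */
    private static final String LOGGED_IN_USER_ATTRIBUTE = "wso2carbon.admin.logged.in";
    private static final String DELEGATED_BY_ATTRIBUTE = "DELEGATED_BY";
    public static final Log log = LogFactory.getLog(OIDCAuthenticator.class);

    /**
     * Completes the authorization-code flow and logs the resulting user into the console session.
     *
     * @param authorizationCode the {@code code} returned by the identity provider; it is exchanged
     *                          at the token endpoint
     * @param nonce             passed through unchanged to {@code Util.validateIdClaims}; presumably
     *                          the nonce expected in the id_token — confirm against the front-end caller
     * @return the tenant-aware user name on success, or {@code null} if authentication or
     *         authorization failed for any reason (the reason is logged)
     */
    public String login(String authorizationCode, String nonce) {
        try {
            HttpSession httpSession = getHttpSession();
            RealmService realmService = OIDCAuthBEDataHolder.getInstance().getRealmService();
            RegistryService registryService = OIDCAuthBEDataHolder.getInstance().getRegistryService();
            ServerConfiguration serverConfiguration = getServerConfiguration();
            AuthClient clientConfiguration = getClientConfiguration();

            String tokenResponse = getTokenFromTokenEP(serverConfiguration, clientConfiguration, authorizationCode);
            AuthenticationToken authenticationToken = getAuthenticationToken(tokenResponse);

            // The user name comes from the user-info endpoint (queried with the access token) and is
            // needed first because the tenant id derived from it drives observer notification and
            // failure auditing. Nothing is granted until the signature and permission checks below pass.
            String userName = getUserName(authenticationToken, serverConfiguration);
            if (userName == null || userName.isEmpty()) {
                log.error("Authentication Request is rejected. User Name is Null");
                return null;
            }
            String tenantDomain = MultitenantUtils.getTenantDomain(userName);
            int tenantId = realmService.getTenantManager().getTenantId(tenantDomain);
            handleAuthenticationStarted(tenantId);

            // When validation is switched off in the configuration the id_token is accepted unverified
            // and the identity rests solely on the user-info response.
            if (isResponseSignatureValidationEnabled()
                    && !validateSignature(serverConfiguration, clientConfiguration, authenticationToken, nonce)) {
                log.error("Authentication Request is rejected.  Signature validation failed.");
                CarbonAuthenticationUtil.onFailedAdminLogin(httpSession, userName, tenantId,
                        AUTHENTICATION_TYPE, "Invalid Signature");
                handleAuthenticationCompleted(tenantId, false);
                return null;
            }

            String tenantAwareUsername = MultitenantUtils.getTenantAwareUsername(userName);
            UserRealm userRealm = AnonymousSessionUtil.getRealmByTenantDomain(registryService, realmService, tenantDomain);
            PermissionUpdateUtil.updatePermissionTree(tenantId);
            boolean mayLogin = userRealm.getAuthorizationManager()
                    .isUserAuthorized(tenantAwareUsername, LOGIN_PERMISSION, LOGIN_ACTION);
            if (!mayLogin) {
                log.error("Authentication Request is rejected. Authorization Failure.");
                CarbonAuthenticationUtil.onFailedAdminLogin(httpSession, tenantAwareUsername, tenantId,
                        AUTHENTICATION_TYPE, "Invalid credential");
                handleAuthenticationCompleted(tenantId, false);
                return null;
            }

            CarbonAuthenticationUtil.onSuccessAdminLogin(httpSession, tenantAwareUsername, tenantId,
                    tenantDomain, AUTHENTICATION_TYPE);
            handleAuthenticationCompleted(tenantId, true);
            return tenantAwareUsername;
        } catch (Exception e) {
            // Boundary catch: every failure must become a rejected login rather than an exception
            // propagating into the Carbon login pipeline.
            log.error("System error while Authenticating/Authorizing User : " + e.getMessage(), e);
            return null;
        }
    }

    /**
     * Exchanges the authorization code for tokens at the configured token endpoint using HTTP Basic
     * client authentication and the grant type from the client configuration.
     *
     * @return the raw response body (expected to be the JSON token response); never logged
     * @throws IOException if the request cannot be sent or the response body cannot be read
     */
    private String getTokenFromTokenEP(ServerConfiguration serverConfiguration, AuthClient authClient,
                                       String authorizationCode) throws IOException {
        List<BasicNameValuePair> formParams = new ArrayList<BasicNameValuePair>();
        formParams.add(new BasicNameValuePair("grant_type", authClient.getAuthorizationType()));
        formParams.add(new BasicNameValuePair("code", authorizationCode));
        formParams.add(new BasicNameValuePair("redirect_uri", authClient.getRedirectURI()));

        HttpPost httpPost = new HttpPost(serverConfiguration.getTokenEndpointUri());
        httpPost.setEntity(new UrlEncodedFormEntity(formParams));
        // NOTE(review): RFC 6749 §2.3.1 form-urlencodes client_id and client_secret before the Base64
        // step; this sends them raw, which only differs for credentials containing ':' or '%'. Kept
        // as-is so currently registered clients keep working — confirm before changing.
        String credentials = String.format("%s:%s", authClient.getClientId(), authClient.getClientSecret());
        httpPost.setHeader("Authorization", String.format("Basic %s", Base64.encode(credentials)).trim());

        DefaultHttpClient httpClient = new DefaultHttpClient();
        BufferedReader reader = null;
        try {
            // Token responses are JSON; read them as UTF-8 rather than the platform default charset.
            reader = new BufferedReader(new InputStreamReader(
                    httpClient.execute(httpPost).getEntity().getContent(), "UTF-8"));
            StringBuilder body = new StringBuilder();
            String line;
            while ((line = reader.readLine()) != null) {
                body.append(line);
            }
            // The body carries the access/id/refresh tokens: log only its size, never its content.
            if (log.isDebugEnabled()) {
                log.debug("Received " + body.length() + " characters from Token Endpoint");
            }
            return body.toString();
        } finally {
            // Release the stream and the pooled connection even when reading fails.
            if (reader != null) {
                reader.close();
            }
            httpClient.getConnectionManager().shutdown();
        }
    }

    /** Returns this authenticator's entry from the authenticators configuration, or {@code null}. */
    private AuthenticatorsConfiguration.AuthenticatorConfig getAuthenticatorConfig() {
        return AuthenticatorsConfiguration.getInstance().getAuthenticatorConfig(AUTHENTICATOR_NAME);
    }

    /**
     * Returns the configured parameters of this authenticator.
     *
     * @throws IllegalStateException if no configuration entry exists for {@value #AUTHENTICATOR_NAME}
     */
    private Map getAuthenticatorParameters() {
        AuthenticatorsConfiguration.AuthenticatorConfig config = getAuthenticatorConfig();
        if (config == null) {
            throw new IllegalStateException("No configuration found for authenticator " + AUTHENTICATOR_NAME);
        }
        // Raw Map kept to match how AuthenticatorConfig#getParameters is used elsewhere in this file.
        return config.getParameters();
    }

    /** Reads one string parameter from the (raw) parameter map; {@code null} when absent. */
    private static String parameter(Map parameters, String key) {
        return (String) parameters.get(key);
    }

    /** Builds the relying-party (client) settings from the authenticator configuration. */
    private AuthClient getClientConfiguration() {
        Map parameters = getAuthenticatorParameters();
        AuthClient authClient = new AuthClient();
        authClient.setClientId(parameter(parameters, OIDCAuthenticatorBEConstants.CLIENT_ID));
        authClient.setClientSecret(parameter(parameters, OIDCAuthenticatorBEConstants.CLIENT_SECRET));
        authClient.setAuthorizationType(parameter(parameters, OIDCAuthenticatorBEConstants.CLIENT_AUTHORIZATION_TYPE));
        authClient.setRedirectURI(parameter(parameters, OIDCAuthenticatorBEConstants.CLIENT_REDIRECT_URI));
        authClient.setClientAlgorithm(parameter(parameters, OIDCAuthenticatorBEConstants.CLIENT_ALGORITHM));
        return authClient;
    }

    /** Builds the identity-provider (server) settings from the authenticator configuration. */
    private ServerConfiguration getServerConfiguration() {
        Map parameters = getAuthenticatorParameters();
        ServerConfiguration serverConfiguration = new ServerConfiguration();
        serverConfiguration.setIssuer(parameter(parameters, OIDCAuthenticatorBEConstants.IDENTITY_PROVIDER_URI));
        serverConfiguration.setJwksUri(parameter(parameters, OIDCAuthenticatorBEConstants.JWKS_URL));
        serverConfiguration.setUserInfoUri(parameter(parameters, OIDCAuthenticatorBEConstants.USER_INFO_URI));
        serverConfiguration.setTokenEndpointUri(parameter(parameters, OIDCAuthenticatorBEConstants.TOKEN_ENDPOINT_URI));
        return serverConfiguration;
    }

    /**
     * Parses the token endpoint's JSON response into an {@link AuthenticationToken}.
     *
     * @param tokenResponse raw JSON body from the token endpoint
     * @return the id, access and (optional) refresh tokens
     * @throws IOException if the body is not a JSON object, carries an {@code error} member, or lacks
     *                     {@code access_token} or {@code id_token}; the message never includes the body
     */
    private AuthenticationToken getAuthenticationToken(String tokenResponse) throws IOException {
        JsonElement parsed = new JsonParser().parse(tokenResponse);
        if (!parsed.isJsonObject()) {
            throw new IOException("Token Endpoint did not return a JSON object: " + parsed);
        }
        JsonObject json = parsed.getAsJsonObject();
        if (json.has("error")) {
            String error = json.get("error").getAsString();
            log.error("Token Endpoint returned: " + error);
            throw new IOException("Unable to obtain Access Token.  Token Endpoint returned: " + error);
        }
        if (!json.has("access_token")) {
            // The body may still hold other tokens, so it is deliberately not echoed into the message.
            throw new IOException("Token Endpoint did not return an access_token");
        }
        String accessToken = json.get("access_token").getAsString();
        if (!json.has("id_token")) {
            log.error("Token Endpoint did not return an id_token");
            throw new IOException("Token Endpoint did not return an id_token");
        }
        String idToken = json.get("id_token").getAsString();
        String refreshToken = json.has("refresh_token") ? json.get("refresh_token").getAsString() : null;
        return new AuthenticationToken(idToken, accessToken, refreshToken);
    }

    /**
     * Resolves the login name by calling the user-info endpoint with the access token and reading
     * {@code preferred_username}.
     *
     * @throws Exception if the user-info call fails (propagated from {@code Util.getUserInfo}) or the
     *                   response is not a JSON object containing {@code preferred_username}
     */
    private String getUserName(AuthenticationToken authenticationToken, ServerConfiguration serverConfiguration)
            throws Exception {
        JsonElement parsed = new JsonParser().parse(Util.getUserInfo(serverConfiguration, authenticationToken));
        if (!parsed.isJsonObject()) {
            log.error("User Info Json did not return a JSON object: " + parsed);
            throw new IOException("User Info Json did not return a JSON object: " + parsed);
        }
        JsonObject userInfo = parsed.getAsJsonObject();
        if (!userInfo.has("preferred_username")) {
            throw new IOException("User Info JSON did not return an preferred_username");
        }
        String userName = userInfo.get("preferred_username").getAsString();
        log.debug("User name taken from user info endpoint : " + userName);
        return userName;
    }

    /**
     * Verifies the id_token signature and then its claims.
     *
     * @param nonce handed unchanged to {@code Util.validateIdClaims}
     * @return {@code true} only if both the signature and the claim checks succeed
     * @throws IllegalArgumentException if the id_token is unsigned (plain) or of an unsupported type
     * @throws Exception                propagated from parsing or from the {@code Util} checks
     */
    private boolean validateSignature(ServerConfiguration serverConfiguration, AuthClient authClient,
                                      AuthenticationToken authenticationToken, String nonce) throws Exception {
        // Parse as the generic JWT type: declaring the result as SignedJWT made the PlainJWT branch
        // unreachable, because an unsigned token failed with ClassCastException before the check.
        JWT jwt = JWTParser.parse(authenticationToken.getIdTokenValue());
        if (jwt instanceof SignedJWT) {
            SignedJWT signedJwt = (SignedJWT) jwt;
            JWTClaimsSet claims = signedJwt.getJWTClaimsSet();
            // Signature before claims: claim values are only meaningful once they are authenticated.
            return Util.verifySignature(signedJwt, serverConfiguration)
                    && Util.validateIdClaims(serverConfiguration, authClient, signedJwt, nonce, claims);
        }
        if (jwt instanceof PlainJWT) {
            log.error("Plain JWT not supported");
            throw new IllegalArgumentException("Plain JWT not supported");
        }
        log.error("JWT type not supported");
        throw new IllegalArgumentException("JWT type not supported");
    }

    /** Opens a tracker over all registered {@link AuthenticationObserver} services. */
    private static ServiceTracker openObserverTracker(BundleContext bundleContext) {
        ServiceTracker tracker = new ServiceTracker(bundleContext, AuthenticationObserver.class.getName(),
                (ServiceTrackerCustomizer) null);
        tracker.open();
        return tracker;
    }

    /** Notifies every registered {@link AuthenticationObserver} that authentication has started. */
    private void handleAuthenticationStarted(int tenantId) {
        BundleContext bundleContext = OIDCAuthBEDataHolder.getInstance().getBundleContext();
        if (bundleContext == null) {
            return;
        }
        ServiceTracker tracker = openObserverTracker(bundleContext);
        try {
            Object[] observers = tracker.getServices();
            if (observers != null) {
                for (Object observer : observers) {
                    ((AuthenticationObserver) observer).startedAuthentication(tenantId);
                }
            }
        } finally {
            // Close even if an observer throws, so the tracked service references are released.
            tracker.close();
        }
    }

    /** Notifies every registered {@link AuthenticationObserver} of the authentication outcome. */
    private void handleAuthenticationCompleted(int tenantId, boolean succeeded) {
        BundleContext bundleContext = OIDCAuthBEDataHolder.getInstance().getBundleContext();
        if (bundleContext == null) {
            return;
        }
        ServiceTracker tracker = openObserverTracker(bundleContext);
        try {
            Object[] observers = tracker.getServices();
            if (observers != null) {
                for (Object observer : observers) {
                    ((AuthenticationObserver) observer).completedAuthentication(tenantId, succeeded);
                }
            }
        } finally {
            // Close even if an observer throws, so the tracked service references are released.
            tracker.close();
        }
    }

    /** Logs the logout of the current console user and invalidates the HTTP session, if there is one. */
    public void logout() {
        HttpSession httpSession = getHttpSession();
        if (httpSession == null) {
            return;
        }
        String loggedInUser = (String) httpSession.getAttribute(LOGGED_IN_USER_ATTRIBUTE);
        String delegatedBy = (String) httpSession.getAttribute(DELEGATED_BY_ATTRIBUTE);
        // SimpleDateFormat is not thread-safe, so a per-call instance is used instead of a shared one.
        String timestamp = new SimpleDateFormat("'['yyyy-MM-dd HH:mm:ss,SSSS']'").format(new Date());
        if (delegatedBy == null) {
            log.info("'" + loggedInUser + "' logged out at " + timestamp);
        } else {
            log.info("'" + loggedInUser + "' logged out at " + timestamp + " delegated by " + delegatedBy);
        }
        httpSession.invalidate();
    }

    /** This authenticator never handles a request on its own; login is driven through {@link #login}. */
    public boolean isHandle(MessageContext messageContext) {
        return false;
    }

    /**
     * Reports whether the HTTP session bound to the message context already holds a logged-in user.
     * Does not create a session for callers that have none.
     */
    public boolean isAuthenticated(MessageContext messageContext) {
        HttpServletRequest request =
                (HttpServletRequest) messageContext.getProperty(HTTPConstants.MC_HTTP_SERVLETREQUEST);
        if (request == null) {
            return false;
        }
        HttpSession session = request.getSession(false);
        return session != null && session.getAttribute(LOGGED_IN_USER_ATTRIBUTE) != null;
    }

    /** Remember-me is not supported by this authenticator. */
    public boolean authenticateWithRememberMe(MessageContext messageContext) {
        return false;
    }

    /** Configured priority, or {@value #DEFAULT_PRIORITY_LEVEL} when unset or not positive. */
    public int getPriority() {
        AuthenticatorsConfiguration.AuthenticatorConfig config = getAuthenticatorConfig();
        if (config == null || config.getPriority() <= 0) {
            return DEFAULT_PRIORITY_LEVEL;
        }
        return config.getPriority();
    }

    public String getAuthenticatorName() {
        return AUTHENTICATOR_NAME;
    }

    /** {@code true} only when the configuration entry exists and marks the authenticator disabled. */
    public boolean isDisabled() {
        AuthenticatorsConfiguration.AuthenticatorConfig config = getAuthenticatorConfig();
        return config != null && config.isDisabled();
    }

    /**
     * Whether the id_token signature and claims are checked during {@link #login}.
     * Fails closed: validation stays enabled unless the property is explicitly set to {@code "false"}.
     */
    private boolean isResponseSignatureValidationEnabled() {
        AuthenticatorsConfiguration.AuthenticatorConfig config = getAuthenticatorConfig();
        String flag = null;
        if (config != null) {
            flag = (String) config.getParameters()
                    .get(OIDCAuthenticatorBEConstants.PropertyConfig.RESPONSE_SIGNATURE_VALIDATION_ENABLED);
        }
        boolean enabled = !"false".equalsIgnoreCase(flag);
        if (log.isDebugEnabled()) {
            log.debug(enabled
                    ? "Signature validation is enabled in the configuration"
                    : "Signature validation is disabled in the configuration");
        }
        return enabled;
    }

    /**
     * Returns the HTTP session of the current Axis2 message context, or {@code null} when there is no
     * current message context or no servlet request attached to it.
     */
    private HttpSession getHttpSession() {
        MessageContext messageContext = MessageContext.getCurrentMessageContext();
        if (messageContext == null) {
            return null;
        }
        HttpServletRequest request =
                (HttpServletRequest) messageContext.getProperty(HTTPConstants.MC_HTTP_SERVLETREQUEST);
        return request == null ? null : request.getSession();
    }
}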
