package com.stormpath.sdk.servlet.filter.account;

import com.stormpath.sdk.account.Account;
import com.stormpath.sdk.application.Application;
import com.stormpath.sdk.authc.AuthenticationResult;
import com.stormpath.sdk.client.Client;
import com.stormpath.sdk.lang.Assert;
import com.stormpath.sdk.lang.Strings;
import com.stormpath.sdk.oauth.AccessTokenResult;
import com.stormpath.sdk.oauth.Authenticators;
import com.stormpath.sdk.oauth.OAuthGrantRequestAuthenticationResult;
import com.stormpath.sdk.oauth.OAuthRequests;
import com.stormpath.sdk.servlet.application.ApplicationResolver;
import com.stormpath.sdk.servlet.authc.impl.TransientAuthenticationResult;
import com.stormpath.sdk.servlet.client.ClientResolver;
import com.stormpath.sdk.servlet.config.CookieConfig;
import com.stormpath.sdk.servlet.http.CookieSaver;
import com.stormpath.sdk.servlet.http.Resolver;
import com.stormpath.sdk.servlet.http.Saver;
import com.stormpath.sdk.servlet.util.AntPathMatcher;
import com.stormpath.sdk.servlet.util.RedirectUrlBuilder;
import com.stormpath.sdk.servlet.util.SecureRequiredExceptForLocalhostResolver;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import java.io.UnsupportedEncodingException;
import java.util.Date;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.joda.time.DateTime;
import org.joda.time.Seconds;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/stormpath/sdk/servlet/filter/account/CookieAuthenticationResultSaver.class */
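/**
 * Persists an {@link AuthenticationResult} as a pair of cookies (access token and refresh token)
 * on the HTTP response, or clears those cookies when asked to save {@code null}.
 *
 * <p>Both token JWTs are parsed and signature-checked against the tenant API key secret before
 * they are written, and the cookie {@code Secure} flag is derived from the configured
 * {@link CookieConfig} together with a per-request {@link Resolver}; an insecure configuration is
 * logged once per instance.
 *
 * <p>Thread-safety: all fields except {@link #secureWarned} are immutable after construction.
 */
public class CookieAuthenticationResultSaver implements Saver<AuthenticationResult> {

    private static final Logger log = LoggerFactory.getLogger(CookieAuthenticationResultSaver.class);

    /** Not referenced by this class; kept as-is from the original source. */
    private static final int DEFAULT_COOKIE_MAX_AGE = 259200;

    /** Answers whether the current request must use {@code Secure} cookies (see {@link #isCookieSecure}). */
    private final Resolver<Boolean> secureCookieRequired;

    /**
     * Set once the insecure-cookie warning has been logged. Written without synchronization, so two
     * concurrent first requests may both log the warning; that duplicate is harmless.
     */
    private boolean secureWarned = false;

    private final CookieConfig accessTokenCookieConfig;
    private final CookieConfig refreshTokenCookieConfig;

    /**
     * @param cookieConfig  template for the access-token cookie (name, domain, path, flags)
     * @param cookieConfig2 template for the refresh-token cookie
     * @param resolver      decides per request whether cookies must carry the {@code Secure} flag
     * @throws IllegalArgumentException if any argument is {@code null}
     */
    public CookieAuthenticationResultSaver(CookieConfig cookieConfig, CookieConfig cookieConfig2, Resolver<Boolean> resolver) {
        Assert.notNull(cookieConfig, "accessTokenCookieConfig cannot be null.");
        Assert.notNull(cookieConfig2, "refreshTokenCookieConfig cannot be null.");
        Assert.notNull(resolver, "secureCookieRequired cannot be null.");
        this.accessTokenCookieConfig = cookieConfig;
        this.refreshTokenCookieConfig = cookieConfig2;
        this.secureCookieRequired = resolver;
    }

    /**
     * Writes the tokens carried by {@code authenticationResult} to the response as cookies.
     *
     * <ul>
     *   <li>{@code null} result: both cookies are expired (logout).</li>
     *   <li>{@link AccessTokenResult}: its access token and, if present, refresh token are stored.</li>
     *   <li>{@link TransientAuthenticationResult}: a short-lived ID-Site assertion JWT is signed with
     *       the API key secret and exchanged for an access/refresh token pair, which is then stored.</li>
     * </ul>
     *
     * <p>The API key secret bytes are derived once, with the same explicit encoding for signing the
     * assertion and for verifying the returned tokens, so the two can never disagree on a non-ASCII
     * secret. If that encoding is unavailable the error is logged and nothing is written.
     *
     * @param httpServletRequest   current request (used to resolve the client/application and cookie path)
     * @param httpServletResponse  response that receives the cookies
     * @param authenticationResult result to persist, or {@code null} to clear the cookies
     */
    @Override
    public void set(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationResult authenticationResult) {
        if (authenticationResult == null) {
            // Logout: expiring the cookies needs neither the client nor its secret.
            remove(httpServletRequest, httpServletResponse);
            return;
        }

        Client client = ClientResolver.INSTANCE.getClient((ServletRequest) httpServletRequest);
        byte[] secret;
        try {
            secret = apiKeySecretBytes(client);
        } catch (UnsupportedEncodingException e) {
            log.error("Error get the client API Secret", e);
            return;
        }

        if (authenticationResult instanceof AccessTokenResult) {
            AccessTokenResult accessTokenResult = (AccessTokenResult) authenticationResult;
            saveTokens(httpServletRequest, httpServletResponse,
                    accessTokenResult.getTokenResponse().getAccessToken(),
                    accessTokenResult.getTokenResponse().getRefreshToken(),
                    secret);
        }

        if (authenticationResult instanceof TransientAuthenticationResult) {
            Application application = ApplicationResolver.INSTANCE.getApplication((ServletRequest) httpServletRequest);
            OAuthGrantRequestAuthenticationResult exchanged =
                    exchangeForTokens(client, application, authenticationResult.getAccount(), secret);
            saveTokens(httpServletRequest, httpServletResponse,
                    exchanged.getAccessTokenString(),
                    exchanged.getRefreshTokenString(),
                    secret);
        }
    }

    /**
     * Returns the tenant API key secret as bytes using {@link RedirectUrlBuilder#DEFAULT_ENCODING_SCHEME},
     * never the platform default charset.
     *
     * @throws UnsupportedEncodingException if the configured encoding scheme is not available
     */
    private static byte[] apiKeySecretBytes(Client client) throws UnsupportedEncodingException {
        return client.getApiKey().getSecret().getBytes(RedirectUrlBuilder.DEFAULT_ENCODING_SCHEME);
    }

    /**
     * Stores the access token cookie and, only when a refresh token is actually present, the refresh
     * token cookie. Each cookie's max-age is the remaining lifetime of its JWT.
     *
     * @param secret key used to verify the token signatures before they are persisted
     */
    private void saveTokens(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,
                            String accessToken, String refreshToken, byte[] secret) {
        getAccessTokenCookieSaver(httpServletRequest, getMaxAge(accessToken, secret))
                .set(httpServletRequest, httpServletResponse, accessToken);
        // A refresh token is optional; skipping it avoids parsing a null/blank string as a JWT.
        if (Strings.hasText(refreshToken)) {
            getRefreshTokenCookieSaver(httpServletRequest, getMaxAge(refreshToken, secret))
                    .set(httpServletRequest, httpServletResponse, refreshToken);
        }
    }

    /**
     * Builds a one-minute, HS256-signed ID-Site assertion for {@code account} and exchanges it with
     * the ID-Site authenticator for an OAuth access/refresh token pair.
     *
     * @param secret API key secret bytes used as the HMAC signing key
     */
    private OAuthGrantRequestAuthenticationResult exchangeForTokens(Client client, Application application,
                                                                   Account account, byte[] secret) {
        String apiKeyId = client.getApiKey().getId();
        String assertion = Jwts.builder()
                .setHeaderParam("kid", apiKeyId)
                .setSubject(account.getHref())
                .setIssuedAt(new Date())
                .setIssuer(application.getHref())
                .setAudience(apiKeyId)
                // Short validity window: the assertion is consumed immediately by the exchange below.
                .setExpiration(DateTime.now().plusMinutes(1).toDate())
                .claim("status", "AUTHENTICATED")
                .signWith(SignatureAlgorithm.HS256, secret)
                .compact();
        return Authenticators.ID_SITE_AUTHENTICATOR.forApplication(application)
                .authenticate(OAuthRequests.IDSITE_AUTHENTICATION_REQUEST.builder().setToken(assertion).build());
    }

    /**
     * Expires both token cookies on the response (max-age -1, null value).
     */
    protected void remove(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        getAccessTokenCookieSaver(httpServletRequest, -1).set(httpServletRequest, httpServletResponse, (String) null);
        getRefreshTokenCookieSaver(httpServletRequest, -1).set(httpServletRequest, httpServletResponse, (String) null);
    }

    /**
     * Determines whether the cookie for {@code cookieConfig} gets the {@code Secure} flag on this request.
     *
     * <p>The flag is set only when the configuration asks for it AND the resolver says this request
     * requires it. The one-time warning is suppressed when the configuration is secure and the
     * resolver is a {@link SecureRequiredExceptForLocalhostResolver}, whose {@code false} answer on
     * localhost is a deliberate development exemption rather than a misconfiguration.
     *
     * @return {@code true} if the cookie must be marked {@code Secure}
     */
    protected boolean isCookieSecure(HttpServletRequest httpServletRequest, CookieConfig cookieConfig) {
        boolean configSecure = cookieConfig.isSecure();
        Resolver<Boolean> resolver = this.secureCookieRequired;
        boolean requiredForRequest = resolver.get(httpServletRequest, null).booleanValue();

        boolean insecureConfiguration = !(configSecure
                && (requiredForRequest || resolver instanceof SecureRequiredExceptForLocalhostResolver));
        if (insecureConfiguration && !this.secureWarned) {
            this.secureWarned = true;
            log.warn("INSECURE IDENTITY COOKIE CONFIGURATION: Your current Stormpath SDK account cookie configuration allows insecure identity cookies (transmission over non-HTTPS connections)!  This should typically never occur otherwise your users will be susceptible to man-in-the-middle attacks.  For more information in Servlet-only environments, please see the Security Notice here: https://docs.stormpath.com/java/servlet-plugin/login.html#https-required and the documentation on authentication state here: https://docs.stormpath.com/java/servlet-plugin/login.html#authentication-state and here: https://docs.stormpath.com/java/servlet-plugin/login.html#cookie-config (the callout entitled 'Secure Cookies').  If you are using Spring Boot, Spring Boot-specific documentation for these concepts are here: https://docs.stormpath.com/java/spring-boot-web/login.html#security-notice https://docs.stormpath.com/java/spring-boot-web/login.html#authentication-state and https://docs.stormpath.com/java/spring-boot-web/login.html#cookie-storage");
        }
        return configSecure && requiredForRequest;
    }

    private CookieSaver getRefreshTokenCookieSaver(HttpServletRequest httpServletRequest, int maxAge) {
        return getCookieSaver(this.refreshTokenCookieConfig, httpServletRequest, maxAge);
    }

    private CookieSaver getAccessTokenCookieSaver(HttpServletRequest httpServletRequest, int maxAge) {
        return getCookieSaver(this.accessTokenCookieConfig, httpServletRequest, maxAge);
    }

    /**
     * Creates a {@link CookieSaver} whose config mirrors {@code cookieConfig} except for three
     * request-specific values: the max-age given here, the {@code Secure} flag from
     * {@link #isCookieSecure}, and a path that falls back from the configured path to the servlet
     * context path and finally to {@code /} so the cookie is never scoped to an empty path.
     *
     * @param maxAge cookie max-age in seconds; negative yields a session cookie, 0 deletes it
     */
    private CookieSaver getCookieSaver(final CookieConfig cookieConfig, HttpServletRequest httpServletRequest, final int maxAge) {
        final boolean secure = isCookieSecure(httpServletRequest, cookieConfig);

        String resolvedPath = Strings.clean(cookieConfig.getPath());
        if (!Strings.hasText(resolvedPath)) {
            resolvedPath = Strings.clean(httpServletRequest.getContextPath());
        }
        if (!Strings.hasText(resolvedPath)) {
            resolvedPath = AntPathMatcher.DEFAULT_PATH_SEPARATOR;
        }
        final String path = resolvedPath;

        return new CookieSaver(new CookieConfig() {
            @Override
            public String getName() {
                return cookieConfig.getName();
            }

            @Override
            public String getComment() {
                return cookieConfig.getComment();
            }

            @Override
            public String getDomain() {
                return cookieConfig.getDomain();
            }

            @Override
            public int getMaxAge() {
                return maxAge;
            }

            @Override
            public String getPath() {
                return path;
            }

            @Override
            public boolean isSecure() {
                return secure;
            }

            @Override
            public boolean isHttpOnly() {
                // HttpOnly is taken from configuration unchanged; keep it enabled for token cookies.
                return cookieConfig.isHttpOnly();
            }
        });
    }

    /**
     * Returns the remaining lifetime of {@code jwt} in whole seconds, for use as the cookie max-age.
     *
     * <p>{@code parseClaimsJws} verifies the HMAC signature against {@code secret}, so a token that
     * was not signed with this tenant's API key fails here and is never written to a cookie. A token
     * whose {@code exp} claim is absent yields roughly 0 (Joda treats a null instant as "now").
     *
     * @throws io.jsonwebtoken.JwtException if the token cannot be parsed or its signature is invalid
     */
    private int getMaxAge(String jwt, byte[] secret) {
        Jws<Claims> jws = Jwts.parser().setSigningKey(secret).parseClaimsJws(jwt);
        DateTime expiration = new DateTime(jws.getBody().getExpiration());
        // exp - now; the original (exp - iat) - (now - iat) form is the same quantity.
        return Seconds.secondsBetween(DateTime.now(), expiration).getSeconds();
    }
}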
