package org.apache.qpid.server.security.auth.manager.oauth2;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URI;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Principal;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import javax.xml.bind.DatatypeConverter;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.ConfiguredObject;
import org.apache.qpid.server.model.ManagedAttributeField;
import org.apache.qpid.server.model.ManagedObjectFactoryConstructor;
import org.apache.qpid.server.model.TrustStore;
import org.apache.qpid.server.plugin.QpidServiceLoader;
import org.apache.qpid.server.security.auth.AuthenticationResult;
import org.apache.qpid.server.security.auth.manager.AbstractAuthenticationManager;
import org.apache.qpid.server.util.ConnectionBuilder;
import org.apache.qpid.server.util.ParameterizedTypes;
import org.apache.qpid.server.util.ServerScopedRuntimeException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImpl.class */
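/**
 * Authentication provider that accepts OAuth2 access tokens (over the {@link OAuth2SaslServer}
 * mechanism) or exchanges an authorization code for an access token at the configured token
 * endpoint, then resolves the token to a user principal through a pluggable
 * {@link OAuth2IdentityResolverService}.
 *
 * <p>All three provider endpoints (authorization, token, identity resolver) must use {@code https};
 * this is enforced on validation because the client secret and access tokens travel over them.
 * The client secret and access tokens are never written to the log by this class.
 */
public class OAuth2AuthenticationProviderImpl extends AbstractAuthenticationManager<OAuth2AuthenticationProviderImpl> implements OAuth2AuthenticationProvider<OAuth2AuthenticationProviderImpl> {
    private static final Logger LOGGER = LoggerFactory.getLogger(OAuth2AuthenticationProviderImpl.class);

    /** Charset name advertised to the token endpoint in the request headers. */
    private static final String UTF8 = StandardCharsets.UTF_8.name();

    /** Shared, thread-safe JSON mapper used to parse token endpoint responses. */
    private final ObjectMapper _objectMapper;

    @ManagedAttributeField
    private URI _authorizationEndpointURI;

    @ManagedAttributeField
    private URI _tokenEndpointURI;

    @ManagedAttributeField
    private URI _identityResolverEndpointURI;

    @ManagedAttributeField
    private boolean _tokenEndpointNeedsAuth;

    @ManagedAttributeField
    private URI _postLogoutURI;

    @ManagedAttributeField
    private String _clientId;

    @ManagedAttributeField
    private String _clientSecret;

    @ManagedAttributeField
    private TrustStore _trustStore;

    @ManagedAttributeField
    private String _scope;

    @ManagedAttributeField
    private String _identityResolverType;

    // Resolved once in onOpen() from _identityResolverType via the service loader.
    private OAuth2IdentityResolverService _identityResolverService;

    // TLS and timeout settings for outbound calls, read from broker context in onOpen().
    private List<String> _tlsProtocolWhiteList;
    private List<String> _tlsProtocolBlackList;
    private List<String> _tlsCipherSuiteWhiteList;
    private List<String> _tlsCipherSuiteBlackList;
    private int _connectTimeout;
    private int _readTimeout;

    /**
     * Creates the provider from its persisted attribute map.
     *
     * @param map    configured attributes for this object
     * @param broker the owning broker
     */
    @ManagedObjectFactoryConstructor
    public OAuth2AuthenticationProviderImpl(Map<String, Object> map, Broker<?> broker) {
        super(map, broker);
        this._objectMapper = new ObjectMapper();
    }

    /**
     * Looks up the identity resolver service registered under the given type name.
     *
     * @param resolverType value of the {@code identityResolverType} attribute
     * @return the matching service, or {@code null} when no such resolver is registered
     */
    private static OAuth2IdentityResolverService lookupIdentityResolver(String resolverType) {
        return new QpidServiceLoader().getInstancesByType(OAuth2IdentityResolverService.class).get(resolverType);
    }

    /**
     * Reads a list-of-strings context variable.
     *
     * @param contextKey the context variable name
     * @return the configured list (may be {@code null} if the context does not define it)
     */
    @SuppressWarnings("unchecked")
    private List<String> stringListContextValue(String contextKey) {
        return getContextValue(List.class, ParameterizedTypes.LIST_OF_STRINGS, contextKey);
    }

    /**
     * Resolves the identity resolver service and caches the TLS / timeout settings that outbound
     * HTTP calls use.
     */
    @Override
    public void onOpen() {
        super.onOpen();
        this._identityResolverService = lookupIdentityResolver(getIdentityResolverType());
        this._tlsProtocolWhiteList = stringListContextValue("qpid.security.tls.protocolWhiteList");
        this._tlsProtocolBlackList = stringListContextValue("qpid.security.tls.protocolBlackList");
        this._tlsCipherSuiteWhiteList = stringListContextValue("qpid.security.tls.cipherSuiteWhiteList");
        this._tlsCipherSuiteBlackList = stringListContextValue("qpid.security.tls.cipherSuiteBlackList");
        this._connectTimeout = getContextValue(Integer.class, OAuth2AuthenticationProvider.AUTHENTICATION_OAUTH2_CONNECT_TIMEOUT);
        this._readTimeout = getContextValue(Integer.class, OAuth2AuthenticationProvider.AUTHENTICATION_OAUTH2_READ_TIMEOUT);
    }

    /**
     * Validates a proposed change to this provider's attributes.
     *
     * @param configuredObject the proxy carrying the proposed attribute values
     * @param set              names of the attributes being changed
     * @throws IllegalConfigurationException if the proposed configuration is invalid
     */
    @Override
    public void validateChange(ConfiguredObject<?> configuredObject, Set<String> set) {
        super.validateChange(configuredObject, set);
        validateProvider((OAuth2AuthenticationProvider<?>) configuredObject);
    }

    /**
     * Validates this provider's current attributes when it is first created or opened.
     *
     * @throws IllegalConfigurationException if the configuration is invalid
     */
    @Override
    public void onValidate() {
        super.onValidate();
        validateProvider(this);
    }

    /** Runs every provider-level validation; shared by validateChange and onValidate. */
    private void validateProvider(OAuth2AuthenticationProvider<?> provider) {
        validateResolver(provider);
        validateSecureEndpoints(provider);
        validatePostLogoutURI(provider);
    }

    /**
     * Requires {@code https} on the authorization, token and identity-resolver endpoints, since
     * client credentials and access tokens are sent to them.
     *
     * @throws IllegalConfigurationException if any endpoint uses another scheme
     */
    private void validateSecureEndpoints(OAuth2AuthenticationProvider<?> provider) {
        // NOTE(review): each getter is dereferenced without a null check; this presumes the
        // defaults from getDefault*EndpointURI() have been applied before validation - confirm.
        requireHttps("Authorization endpoint", provider.getAuthorizationEndpointURI());
        requireHttps("Token endpoint", provider.getTokenEndpointURI());
        requireHttps("Identity resolver endpoint", provider.getIdentityResolverEndpointURI());
    }

    /** Throws unless the given endpoint URI has the {@code https} scheme. */
    private static void requireHttps(String endpointName, URI endpoint) {
        if (!"https".equals(endpoint.getScheme())) {
            throw new IllegalConfigurationException(String.format("%s is not secure: '%s'", endpointName, endpoint));
        }
    }

    /**
     * Accepts an absent post-logout URI, or one whose scheme is {@code http} or {@code https}.
     *
     * @throws IllegalConfigurationException if the URI is present with any other scheme
     */
    private void validatePostLogoutURI(OAuth2AuthenticationProvider<?> provider) {
        URI postLogoutURI = provider.getPostLogoutURI();
        if (postLogoutURI == null) {
            return;
        }
        String scheme = postLogoutURI.getScheme();
        boolean webScheme = "https".equals(scheme) || "http".equals(scheme);
        if (!webScheme) {
            throw new IllegalConfigurationException(String.format("Post logout URI does not have a http or https scheme: '%s'", postLogoutURI));
        }
    }

    /**
     * Checks that the configured identity resolver type is registered and lets it validate the
     * provider's attributes.
     *
     * @throws IllegalConfigurationException if the resolver type is unknown or rejects the config
     */
    private void validateResolver(OAuth2AuthenticationProvider<?> provider) {
        OAuth2IdentityResolverService resolver = lookupIdentityResolver(provider.getIdentityResolverType());
        if (resolver == null) {
            // Report the resolver type that failed lookup, not the provider's own type.
            throw new IllegalConfigurationException("Unknown identity resolver " + provider.getIdentityResolverType());
        }
        resolver.validate(provider);
    }

    /** @return the single SASL mechanism this provider offers */
    @Override
    public List<String> getMechanisms() {
        return Collections.singletonList(OAuth2SaslServer.MECHANISM);
    }

    /**
     * Creates a SASL server for the OAuth2 mechanism.
     *
     * @param str       requested mechanism name
     * @param str2      local FQDN (unused by this mechanism)
     * @param principal external principal (unused by this mechanism)
     * @throws SaslException if {@code str} is not the OAuth2 mechanism
     */
    @Override
    public SaslServer createSaslServer(String str, String str2, Principal principal) throws SaslException {
        if (!OAuth2SaslServer.MECHANISM.equals(str)) {
            throw new SaslException("Unknown mechanism: " + str);
        }
        return new OAuth2SaslServer();
    }

    /**
     * Feeds one client SASL response to the server and, once the exchange is complete, resolves
     * the negotiated access token to a principal.
     *
     * @param saslServer the server created by {@link #createSaslServer}
     * @param bArr       the client's response bytes; {@code null} is treated as empty
     * @return CONTINUE with the next challenge, SUCCESS/ERROR once the token has been checked,
     *         or ERROR if the SASL exchange itself fails
     */
    @Override
    public AuthenticationResult authenticate(SaslServer saslServer, byte[] bArr) {
        byte[] clientResponse = bArr != null ? bArr : new byte[0];
        try {
            // Evaluate the client's response before asking whether the exchange is complete;
            // a mechanism that completes on its first response must not need an extra round trip.
            byte[] challenge = saslServer.evaluateResponse(clientResponse);
            if (saslServer.isComplete()) {
                String accessToken = (String) saslServer.getNegotiatedProperty(OAuth2SaslServer.ACCESS_TOKEN_PROPERTY);
                return authenticateViaAccessToken(accessToken);
            }
            return new AuthenticationResult(challenge, AuthenticationResult.AuthenticationStatus.CONTINUE);
        } catch (SaslException e) {
            return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, e);
        }
    }

    /**
     * Builds a POST connection to the token endpoint with the provider's TLS settings, timeouts
     * and (when configured) HTTP Basic client authentication.
     *
     * @throws IOException                if the connection cannot be built
     * @throws ServerScopedRuntimeException if the trust store cannot supply trust managers
     */
    private HttpURLConnection openTokenEndpointConnection(URL tokenEndpoint) throws IOException {
        ConnectionBuilder connectionBuilder = new ConnectionBuilder(tokenEndpoint);
        connectionBuilder.setConnectTimeout(this._connectTimeout).setReadTimeout(this._readTimeout);
        if (getTrustStore() != null) {
            try {
                connectionBuilder.setTrustMangers(getTrustStore().getTrustManagers());
            } catch (GeneralSecurityException e) {
                throw new ServerScopedRuntimeException("Cannot initialise TLS", e);
            }
        }
        connectionBuilder.setTlsProtocolWhiteList(getTlsProtocolWhiteList())
                .setTlsProtocolBlackList(getTlsProtocolBlackList())
                .setTlsCipherSuiteWhiteList(getTlsCipherSuiteWhiteList())
                .setTlsCipherSuiteBlackList(getTlsCipherSuiteBlackList());
        LOGGER.debug("About to call token endpoint '{}'", tokenEndpoint);

        HttpURLConnection connection = connectionBuilder.build();
        connection.setDoOutput(true); // forces a POST
        connection.setRequestProperty("Accept-Charset", UTF8);
        connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded;charset=" + UTF8);
        connection.setRequestProperty("Accept", "application/json");
        if (getTokenEndpointNeedsAuth()) {
            // Encode the credentials as UTF-8 explicitly; the platform default charset would
            // silently corrupt a non-ASCII client secret and make authentication fail.
            byte[] credentials = (getClientId() + ":" + getClientSecret()).getBytes(StandardCharsets.UTF_8);
            connection.setRequestProperty("Authorization", "Basic " + DatatypeConverter.printBase64Binary(credentials));
        }
        return connection;
    }

    /**
     * Exchanges an authorization code for an access token at the token endpoint and authenticates
     * with that token.
     *
     * @param str  the authorization code returned by the authorization endpoint
     * @param str2 the redirect URI that was used in the authorization request
     * @return the result of {@link #authenticateViaAccessToken} on success, otherwise an ERROR
     *         result carrying the cause (non-200 response, missing token, non-JSON body, I/O failure)
     */
    @Override
    public AuthenticationResult authenticateViaAuthorizationCode(String str, String str2) {
        try {
            URL tokenEndpoint = getTokenEndpointURI().toURL();
            HttpURLConnection connection = openTokenEndpointConnection(tokenEndpoint);

            Map<String, String> form = new HashMap<>();
            form.put("code", str);
            form.put("client_id", getClientId());
            form.put("client_secret", getClientSecret());
            form.put("redirect_uri", str2);
            form.put("grant_type", "authorization_code");
            form.put("response_type", "token");
            byte[] body = OAuth2Utils.buildRequestQuery(form).getBytes(StandardCharsets.UTF_8);

            connection.connect();
            try (OutputStream requestStream = connection.getOutputStream()) {
                requestStream.write(body);
            }

            try (InputStream responseStream = OAuth2Utils.getResponseStream(connection)) {
                int responseCode = connection.getResponseCode();
                LOGGER.debug("Call to token endpoint '{}' complete, response code : {}", tokenEndpoint, responseCode);

                @SuppressWarnings("unchecked")
                Map<String, Object> response = this._objectMapper.readValue(responseStream, Map.class);

                if (responseCode != HttpURLConnection.HTTP_OK) {
                    IllegalStateException failure = new IllegalStateException(String.format("Token endpoint failed, response code %d, error '%s', description '%s'", responseCode, response.get("error"), response.get("error_description")));
                    LOGGER.error("Call to token endpoint failed", failure);
                    return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, failure);
                }

                Object accessToken = response.get("access_token");
                if (accessToken == null) {
                    IllegalStateException failure = new IllegalStateException("Token endpoint response did not include 'access_token'");
                    LOGGER.error("Unexpected token endpoint response", failure);
                    return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, failure);
                }
                return authenticateViaAccessToken(String.valueOf(accessToken));
            } catch (JsonProcessingException e) {
                IllegalStateException failure = new IllegalStateException(String.format("Token endpoint '%s' did not return json", tokenEndpoint), e);
                LOGGER.error("Unexpected token endpoint response", e);
                return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, failure);
            }
        } catch (IOException e) {
            LOGGER.error("Call to token endpoint failed", e);
            return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, e);
        }
    }

    /**
     * Resolves an access token to a user principal through the configured identity resolver.
     *
     * @param str the access token
     * @return a successful result holding an {@link OAuth2UserPrincipal}, or an ERROR result if
     *         the resolver call fails
     */
    @Override
    public AuthenticationResult authenticateViaAccessToken(String str) {
        try {
            Principal resolved = this._identityResolverService.getUserPrincipal(this, str);
            return new AuthenticationResult(new OAuth2UserPrincipal(resolved.getName(), str));
        } catch (IOException | IdentityResolverException e) {
            LOGGER.error("Call to identity resolver failed", e);
            return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, e);
        }
    }

    @Override
    public URI getAuthorizationEndpointURI() {
        return this._authorizationEndpointURI;
    }

    @Override
    public URI getTokenEndpointURI() {
        return this._tokenEndpointURI;
    }

    @Override
    public URI getIdentityResolverEndpointURI() {
        return this._identityResolverEndpointURI;
    }

    @Override
    public URI getPostLogoutURI() {
        return this._postLogoutURI;
    }

    @Override
    public boolean getTokenEndpointNeedsAuth() {
        return this._tokenEndpointNeedsAuth;
    }

    @Override
    public String getIdentityResolverType() {
        return this._identityResolverType;
    }

    @Override
    public String getClientId() {
        return this._clientId;
    }

    @Override
    public String getClientSecret() {
        return this._clientSecret;
    }

    @Override
    public TrustStore getTrustStore() {
        return this._trustStore;
    }

    @Override
    public String getScope() {
        return this._scope;
    }

    /** @return the resolver's default authorization endpoint, or {@code null} if the resolver type is unknown */
    @Override
    public URI getDefaultAuthorizationEndpointURI() {
        OAuth2IdentityResolverService resolver = lookupIdentityResolver(getIdentityResolverType());
        return resolver == null ? null : resolver.getDefaultAuthorizationEndpointURI(this);
    }

    /** @return the resolver's default token endpoint, or {@code null} if the resolver type is unknown */
    @Override
    public URI getDefaultTokenEndpointURI() {
        OAuth2IdentityResolverService resolver = lookupIdentityResolver(getIdentityResolverType());
        return resolver == null ? null : resolver.getDefaultTokenEndpointURI(this);
    }

    /** @return the resolver's default identity endpoint, or {@code null} if the resolver type is unknown */
    @Override
    public URI getDefaultIdentityResolverEndpointURI() {
        OAuth2IdentityResolverService resolver = lookupIdentityResolver(getIdentityResolverType());
        return resolver == null ? null : resolver.getDefaultIdentityResolverEndpointURI(this);
    }

    /** @return the resolver's default scope, or {@code null} if the resolver type is unknown */
    @Override
    public String getDefaultScope() {
        OAuth2IdentityResolverService resolver = lookupIdentityResolver(getIdentityResolverType());
        return resolver == null ? null : resolver.getDefaultScope(this);
    }

    @Override
    public List<String> getTlsProtocolWhiteList() {
        return this._tlsProtocolWhiteList;
    }

    @Override
    public List<String> getTlsProtocolBlackList() {
        return this._tlsProtocolBlackList;
    }

    @Override
    public List<String> getTlsCipherSuiteWhiteList() {
        return this._tlsCipherSuiteWhiteList;
    }

    @Override
    public List<String> getTlsCipherSuiteBlackList() {
        return this._tlsCipherSuiteBlackList;
    }

    @Override
    public int getConnectTimeout() {
        return this._connectTimeout;
    }

    @Override
    public int getReadTimeout() {
        return this._readTimeout;
    }

    /** @return the names of every identity resolver type available through the service loader */
    public static Collection<String> validIdentityResolvers() {
        return new QpidServiceLoader().getInstancesByType(OAuth2IdentityResolverService.class).keySet();
    }
}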
