package org.eclipse.jetty.security.openid;

import java.io.IOException;
import java.io.Serializable;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.ExecutionException;
import java.util.function.Function;
import org.eclipse.jetty.http.HttpFields;
import org.eclipse.jetty.http.HttpHeader;
import org.eclipse.jetty.http.HttpMethod;
import org.eclipse.jetty.http.HttpURI;
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.http.MimeTypes;
import org.eclipse.jetty.security.AuthenticationState;
import org.eclipse.jetty.security.Authenticator;
import org.eclipse.jetty.security.Constraint;
import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.security.ServerAuthException;
import org.eclipse.jetty.security.UserIdentity;
import org.eclipse.jetty.security.authentication.LoginAuthenticator;
import org.eclipse.jetty.security.authentication.SessionAuthentication;
import org.eclipse.jetty.server.FormFields;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Response;
import org.eclipse.jetty.server.Session;
import org.eclipse.jetty.util.Blocker;
import org.eclipse.jetty.util.Callback;
import org.eclipse.jetty.util.Fields;
import org.eclipse.jetty.util.MultiMap;
import org.eclipse.jetty.util.URIUtil;
import org.eclipse.jetty.util.UrlEncoded;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/eclipse/jetty/security/openid/OpenIdAuthenticator.class */
public class OpenIdAuthenticator extends LoginAuthenticator {
    private static final Logger LOG = LoggerFactory.getLogger(OpenIdAuthenticator.class);
    public static final String CLAIMS = "org.eclipse.jetty.security.openid.claims";
    public static final String RESPONSE = "org.eclipse.jetty.security.openid.response";
    public static final String ISSUER = "org.eclipse.jetty.security.openid.issuer";
    public static final String REDIRECT_PATH = "org.eclipse.jetty.security.openid.redirect_path";
    public static final String LOGOUT_REDIRECT_PATH = "org.eclipse.jetty.security.openid.logout_redirect_path";
    public static final String ERROR_PAGE = "org.eclipse.jetty.security.openid.error_page";
    public static final String J_URI = "org.eclipse.jetty.security.openid.URI";
    public static final String J_POST = "org.eclipse.jetty.security.openid.POST";
    public static final String J_METHOD = "org.eclipse.jetty.security.openid.METHOD";
    public static final String J_SECURITY_CHECK = "/j_security_check";
    public static final String ERROR_PARAMETER = "error_description_jetty";
    private static final String CSRF_MAP = "org.eclipse.jetty.security.openid.csrf_map";

    @Deprecated
    public static final String CSRF_TOKEN = "org.eclipse.jetty.security.openid.csrf_token";
    private final SecureRandom _secureRandom;
    private OpenIdConfiguration _openIdConfiguration;
    private String _redirectPath;
    private String _logoutRedirectPath;
    private String _errorPage;
    private String _errorPath;
    private String _errorQuery;
    private boolean _alwaysSaveUri;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/eclipse/jetty/security/openid/OpenIdAuthenticator$MRUMap.class */
    public static class MRUMap extends LinkedHashMap<String, UriRedirectInfo> {
        private static final long serialVersionUID = 5375723072014233L;
        private final int _size;

        private MRUMap(int i) {
            this._size = i;
        }

        @Override // java.util.LinkedHashMap
        protected boolean removeEldestEntry(Map.Entry<String, UriRedirectInfo> entry) {
            return size() > this._size;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/eclipse/jetty/security/openid/OpenIdAuthenticator$UriRedirectInfo.class */
    public static class UriRedirectInfo implements Serializable {
        private static final long serialVersionUID = 139567755844461433L;
        private final HttpURI _uri;
        private final String _method;
        private final MultiMap<String> _formParameters;

        public UriRedirectInfo(Request request) {
            this._uri = request.getHttpURI();
            this._method = request.getMethod();
            if (MimeTypes.Type.FORM_ENCODED.is(request.getHeaders().get(HttpHeader.CONTENT_TYPE)) && HttpMethod.POST.is(request.getMethod())) {
                this._formParameters = new MultiMap<>();
            } else {
                this._formParameters = null;
            }
        }

        public HttpURI getUri() {
            return this._uri;
        }

        public String getMethod() {
            return this._method;
        }

        public MultiMap<String> getFormParameters() {
            return this._formParameters;
        }
    }

    public OpenIdAuthenticator() {
        this(null, J_SECURITY_CHECK, null);
    }

    public OpenIdAuthenticator(OpenIdConfiguration openIdConfiguration) {
        this(openIdConfiguration, J_SECURITY_CHECK, null);
    }

    public OpenIdAuthenticator(OpenIdConfiguration openIdConfiguration, String str) {
        this(openIdConfiguration, J_SECURITY_CHECK, str);
    }

    public OpenIdAuthenticator(OpenIdConfiguration openIdConfiguration, String str, String str2) {
        this(openIdConfiguration, str, str2, null);
    }

    public OpenIdAuthenticator(OpenIdConfiguration openIdConfiguration, String str, String str2, String str3) {
        this._secureRandom = new SecureRandom();
        this._openIdConfiguration = openIdConfiguration;
        setRedirectPath(str);
        if (str2 != null) {
            setErrorPage(str2);
        }
        if (str3 != null) {
            setLogoutRedirectPath(str3);
        }
    }

    public void setConfiguration(Authenticator.Configuration configuration) {
        if (this._openIdConfiguration == null) {
            LoginService loginService = configuration.getLoginService();
            if (!(loginService instanceof OpenIdLoginService)) {
                throw new IllegalArgumentException("invalid LoginService " + String.valueOf(loginService));
            }
            this._openIdConfiguration = ((OpenIdLoginService) loginService).getConfiguration();
        }
        String parameter = configuration.getParameter(REDIRECT_PATH);
        if (parameter != null) {
            setRedirectPath(parameter);
        }
        String parameter2 = configuration.getParameter(ERROR_PAGE);
        if (parameter2 != null) {
            setErrorPage(parameter2);
        }
        String parameter3 = configuration.getParameter(LOGOUT_REDIRECT_PATH);
        if (parameter3 != null) {
            setLogoutRedirectPath(parameter3);
        }
        super.setConfiguration(new OpenIdAuthenticatorConfiguration(this._openIdConfiguration, configuration));
    }

    public String getAuthenticationType() {
        return "OPENID";
    }

    @Deprecated
    public void setAlwaysSaveUri(boolean z) {
        this._alwaysSaveUri = z;
    }

    @Deprecated
    public boolean isAlwaysSaveUri() {
        return this._alwaysSaveUri;
    }

    public void setRedirectPath(String str) {
        if (str == null) {
            LOG.warn("redirect path must not be null, defaulting to /j_security_check");
            str = J_SECURITY_CHECK;
        } else if (!str.startsWith("/")) {
            LOG.warn("redirect path must start with /");
            str = "/" + str;
        }
        this._redirectPath = str;
    }

    public void setLogoutRedirectPath(String str) {
        if (str == null) {
            LOG.warn("redirect path must not be null, defaulting to /");
            str = "/";
        } else if (!str.startsWith("/")) {
            LOG.warn("redirect path must start with /");
            str = "/" + str;
        }
        this._logoutRedirectPath = str;
    }

    public void setErrorPage(String str) {
        if (str == null || str.trim().length() == 0) {
            this._errorPath = null;
            this._errorPage = null;
            return;
        }
        if (!str.startsWith("/")) {
            LOG.warn("error-page must start with /");
            str = "/" + str;
        }
        this._errorPage = str;
        this._errorPath = str;
        this._errorQuery = "";
        int indexOf = this._errorPath.indexOf(63);
        if (indexOf > 0) {
            this._errorPath = this._errorPage.substring(0, indexOf);
            this._errorQuery = this._errorPage.substring(indexOf + 1);
        }
    }

    public UserIdentity login(String str, Object obj, Request request, Response response) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("login {} {} {}", new Object[]{str, obj, request});
        }
        UserIdentity login = super.login(str, obj, request, response);
        if (login != null) {
            Session session = request.getSession(true);
            SessionAuthentication sessionAuthentication = new SessionAuthentication(getAuthenticationType(), login, obj);
            synchronized (session) {
                session.setAttribute("org.eclipse.jetty.security.UserIdentity", sessionAuthentication);
                session.setAttribute(CLAIMS, ((OpenIdCredentials) obj).getClaims());
                session.setAttribute(RESPONSE, ((OpenIdCredentials) obj).getResponse());
                session.setAttribute(ISSUER, this._openIdConfiguration.getIssuer());
            }
        }
        return login;
    }

    public void logout(Request request, Response response) {
        attemptLogoutRedirect(request, response);
        logoutWithoutRedirect(request, response);
    }

    private void logoutWithoutRedirect(Request request, Response response) {
        super.logout(request, response);
        Session session = request.getSession(false);
        if (session == null) {
            return;
        }
        synchronized (session) {
            session.removeAttribute("org.eclipse.jetty.security.UserIdentity");
            session.removeAttribute(CLAIMS);
            session.removeAttribute(RESPONSE);
            session.removeAttribute(ISSUER);
        }
    }

    private boolean hasExpiredIdToken(Session session) {
        Map map;
        if (session == null || (map = (Map) session.getAttribute(CLAIMS)) == null) {
            return false;
        }
        return OpenIdCredentials.checkExpiry(map);
    }

    private void attemptLogoutRedirect(Request request, Response response) {
        try {
            String endSessionEndpoint = this._openIdConfiguration.getEndSessionEndpoint();
            String str = null;
            if (this._logoutRedirectPath != null) {
                str = HttpURI.build().scheme(request.getHttpURI().getScheme()).host(Request.getServerName(request)).port(Request.getServerPort(request)).path(URIUtil.compactPath(Request.getContextPath(request) + this._logoutRedirectPath)).toString();
            }
            Session session = request.getSession(false);
            if (endSessionEndpoint == null || session == null) {
                if (str != null) {
                    sendRedirect(request, response, str);
                    return;
                }
                return;
            }
            Object attribute = session.getAttribute(RESPONSE);
            if (attribute instanceof Map) {
                sendRedirect(request, response, endSessionEndpoint + "?id_token_hint=" + UrlEncoded.encodeString((String) ((Map) attribute).get("id_token"), StandardCharsets.UTF_8) + (str == null ? "" : "&post_logout_redirect_uri=" + UrlEncoded.encodeString(str, StandardCharsets.UTF_8)));
            } else if (str != null) {
                sendRedirect(request, response, str);
            }
        } catch (Throwable th) {
            LOG.warn("failed to redirect to end_session_endpoint", th);
        }
    }

    private void sendRedirect(Request request, Response response, String str) throws IOException {
        Blocker.Callback callback = Blocker.callback();
        try {
            Response.sendRedirect(request, response, callback, str);
            callback.block();
            if (callback != null) {
                callback.close();
            }
        } catch (Throwable th) {
            if (callback != null) {
                try {
                    callback.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    public Request prepareRequest(Request request, AuthenticationState authenticationState) {
        if (authenticationState instanceof AuthenticationState.Succeeded) {
            Session session = request.getSession(false);
            if (session == null) {
                return request;
            }
            if (request.getHttpURI().equals((HttpURI) session.getAttribute(J_URI))) {
                session.removeAttribute(J_URI);
                Fields fields = (Fields) session.removeAttribute(J_POST);
                if (fields != null) {
                    request.setAttribute(FormFields.class.getName(), fields);
                }
                final String str = (String) session.removeAttribute(J_METHOD);
                if (str != null && request.getMethod().equals(str)) {
                    return new Request.Wrapper(this, request) { // from class: org.eclipse.jetty.security.openid.OpenIdAuthenticator.1
                        final /* synthetic */ OpenIdAuthenticator this$0;

                        {
                            this.this$0 = this;
                        }

                        public String getMethod() {
                            return str;
                        }
                    };
                }
            }
        }
        return request;
    }

    protected Fields getParameters(Request request) {
        try {
            return Fields.combine(Request.extractQueryParameters(request), (Fields) FormFields.from(request).get());
        } catch (InterruptedException | ExecutionException e) {
            throw new RuntimeException(e);
        }
    }

    public Constraint.Authorization getConstraintAuthentication(String str, Constraint.Authorization authorization, Function<Boolean, Session> function) {
        Session apply = function.apply(false);
        if ((!this._openIdConfiguration.isLogoutWhenIdTokenIsExpired() || !hasExpiredIdToken(apply)) && !isJSecurityCheck(str)) {
            return isErrorPage(str) ? Constraint.Authorization.ALLOWED : authorization;
        }
        return Constraint.Authorization.ANY_USER;
    }

    public AuthenticationState validateRequest(Request request, Response response, Callback callback) throws ServerAuthException {
        UriRedirectInfo removeAndClearCsrfMap;
        if (LOG.isDebugEnabled()) {
            LOG.debug("validateRequest({},{})", request, response);
        }
        String httpURI = request.getHttpURI().toString();
        if (httpURI == null) {
            httpURI = "/";
        }
        Session session = request.getSession(false);
        if (this._openIdConfiguration.isLogoutWhenIdTokenIsExpired() && hasExpiredIdToken(session)) {
            logoutWithoutRedirect(request, response);
        }
        if (session == null) {
            try {
                session = request.getSession(true);
            } catch (IOException e) {
                throw new ServerAuthException(e);
            }
        }
        if (session == null) {
            sendError(request, response, callback, "session could not be created");
            return AuthenticationState.SEND_FAILURE;
        }
        if (isJSecurityCheck(httpURI)) {
            Fields parameters = getParameters(request);
            String value = parameters.getValue("code");
            if (value == null) {
                sendError(request, response, callback, "auth failed: no code parameter");
                return AuthenticationState.SEND_FAILURE;
            }
            String value2 = parameters.getValue("state");
            if (value2 == null) {
                sendError(request, response, callback, "auth failed: no state parameter");
                return AuthenticationState.SEND_FAILURE;
            }
            synchronized (session) {
                removeAndClearCsrfMap = removeAndClearCsrfMap(session, value2);
            }
            if (removeAndClearCsrfMap == null) {
                sendError(request, response, callback, "auth failed: invalid state parameter");
                return AuthenticationState.SEND_FAILURE;
            }
            UserIdentity login = login(null, new OpenIdCredentials(value, getRedirectUri(request)), request, response);
            if (login == null) {
                sendError(request, response, callback, null);
                return AuthenticationState.SEND_FAILURE;
            }
            LoginAuthenticator.UserAuthenticationSent userAuthenticationSent = new LoginAuthenticator.UserAuthenticationSent(getAuthenticationType(), login);
            if (LOG.isDebugEnabled()) {
                LOG.debug("authenticated {}->{}", userAuthenticationSent, removeAndClearCsrfMap.getUri());
            }
            synchronized (session) {
                session.setAttribute(J_URI, removeAndClearCsrfMap.getUri().asImmutable());
                session.setAttribute(J_METHOD, removeAndClearCsrfMap.getMethod());
                session.setAttribute(J_POST, removeAndClearCsrfMap.getFormParameters());
            }
            response.getHeaders().put(HttpFields.CONTENT_LENGTH_0);
            Response.sendRedirect(request, response, callback, request.getConnectionMetaData().getHttpVersion().getVersion() < HttpVersion.HTTP_1_1.getVersion() ? 302 : 303, removeAndClearCsrfMap.getUri().toString(), true);
            return userAuthenticationSent;
        }
        AuthenticationState.Succeeded succeeded = (AuthenticationState) session.getAttribute("org.eclipse.jetty.security.UserIdentity");
        if (succeeded != null) {
            if (!(succeeded instanceof AuthenticationState.Succeeded) || this._loginService == null || this._loginService.validate(succeeded.getUserIdentity())) {
                synchronized (session) {
                    HttpURI httpURI2 = (HttpURI) session.getAttribute(J_URI);
                    if (httpURI2 != null) {
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("auth retry {}->{}", succeeded, httpURI2);
                        }
                        if (httpURI2.equals(request.getHttpURI())) {
                            if (((MultiMap) session.getAttribute(J_POST)) != null && LOG.isDebugEnabled()) {
                                LOG.debug("auth rePOST {}->{}", succeeded, httpURI2);
                            }
                            session.removeAttribute(J_URI);
                            session.removeAttribute(J_METHOD);
                            session.removeAttribute(J_POST);
                        }
                    }
                }
                if (LOG.isDebugEnabled()) {
                    LOG.debug("auth {}", succeeded);
                }
                return succeeded;
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("auth revoked {}", succeeded);
            }
            logoutWithoutRedirect(request, response);
        }
        if (AuthenticationState.Deferred.isDeferred(response)) {
            if (!LOG.isDebugEnabled()) {
                return null;
            }
            LOG.debug("auth deferred {}", session.getId());
            return null;
        }
        synchronized (session) {
            if (session.getAttribute(J_URI) == null || this._alwaysSaveUri) {
                session.setAttribute(J_URI, request.getHttpURI().asImmutable());
                if (!HttpMethod.GET.is(request.getMethod())) {
                    session.setAttribute(J_METHOD, request.getMethod());
                }
                if (HttpMethod.POST.is(request.getMethod())) {
                    try {
                        session.setAttribute(J_POST, FormFields.from(request).get());
                    } catch (InterruptedException e2) {
                        throw new ServerAuthException(e2);
                    } catch (ExecutionException e3) {
                        throw new ServerAuthException(e3.getCause());
                    }
                }
            }
        }
        String challengeUri = getChallengeUri(request);
        if (LOG.isDebugEnabled()) {
            LOG.debug("challenge {}->{}", session.getId(), challengeUri);
        }
        Response.sendRedirect(request, response, callback, request.getConnectionMetaData().getHttpVersion().getVersion() < HttpVersion.HTTP_1_1.getVersion() ? 302 : 303, challengeUri, true);
        return AuthenticationState.CHALLENGE;
        throw new ServerAuthException(e);
    }

    private void sendError(Request request, Response response, Callback callback, String str) throws IOException {
        if (LOG.isDebugEnabled()) {
            LOG.debug("OpenId authentication FAILED: {}", str);
        }
        if (this._errorPage == null) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("auth failed 403");
            }
            if (response != null) {
                Response.writeError(request, response, callback, 403);
                return;
            }
            return;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("auth failed {}", this._errorPage);
        }
        String contextPath = Request.getContextPath(request);
        String addPaths = URIUtil.addPaths(contextPath, this._errorPage);
        if (str != null) {
            addPaths = URIUtil.addPathQuery(URIUtil.addPaths(contextPath, this._errorPath), URIUtil.addQueries("error_description_jetty=" + UrlEncoded.encodeString(str), this._errorQuery));
        }
        Response.sendRedirect(request, response, callback, request.getConnectionMetaData().getHttpVersion().getVersion() < HttpVersion.HTTP_1_1.getVersion() ? 302 : 303, addPaths, true);
    }

    public boolean isJSecurityCheck(String str) {
        char charAt;
        int indexOf = str.indexOf(this._redirectPath);
        if (indexOf < 0) {
            return false;
        }
        int length = indexOf + this._redirectPath.length();
        return length == str.length() || (charAt = str.charAt(length)) == ';' || charAt == '#' || charAt == '/' || charAt == '?';
    }

    public boolean isErrorPage(String str) {
        return str != null && str.equals(this._errorPath);
    }

    private String getRedirectUri(Request request) {
        StringBuilder newURIBuilder = URIUtil.newURIBuilder(request.getHttpURI().getScheme(), Request.getServerName(request), Request.getServerPort(request));
        newURIBuilder.append(URIUtil.addPaths(request.getContext().getContextPath(), this._redirectPath));
        return newURIBuilder.toString();
    }

    protected String getChallengeUri(Request request) {
        String bigInteger;
        Session session = request.getSession(true);
        synchronized (session) {
            Map<String, UriRedirectInfo> ensureCsrfMap = ensureCsrfMap(session);
            bigInteger = new BigInteger(130, this._secureRandom).toString(32);
            ensureCsrfMap.put(bigInteger, new UriRedirectInfo(request));
        }
        StringBuilder sb = new StringBuilder();
        Iterator<String> it = this._openIdConfiguration.getScopes().iterator();
        while (it.hasNext()) {
            sb.append(" ").append(it.next());
        }
        return this._openIdConfiguration.getAuthEndpoint() + "?client_id=" + UrlEncoded.encodeString(this._openIdConfiguration.getClientId(), StandardCharsets.UTF_8) + "&redirect_uri=" + UrlEncoded.encodeString(getRedirectUri(request), StandardCharsets.UTF_8) + "&scope=openid" + UrlEncoded.encodeString(sb.toString(), StandardCharsets.UTF_8) + "&state=" + bigInteger + "&response_type=code";
    }

    private UriRedirectInfo removeAndClearCsrfMap(Session session, String str) {
        Map map = (Map) session.getAttribute(CSRF_MAP);
        if (map == null) {
            return null;
        }
        UriRedirectInfo uriRedirectInfo = (UriRedirectInfo) map.get(str);
        map.clear();
        return uriRedirectInfo;
    }

    private Map<String, UriRedirectInfo> ensureCsrfMap(Session session) {
        Map<String, UriRedirectInfo> map = (Map) session.getAttribute(CSRF_MAP);
        if (map == null) {
            map = new MRUMap(64);
            session.setAttribute(CSRF_MAP, map);
        }
        return map;
    }
}
