package org.apache.submarine.server.security.oidc;

import java.util.Map;
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.apache.submarine.commons.utils.SubmarineConfVars;
import org.apache.submarine.commons.utils.SubmarineConfiguration;
import org.apache.submarine.server.security.SecurityProvider;
import org.apache.submarine.server.security.common.AuthFlowType;
import org.apache.submarine.server.security.common.CommonConfig;
import org.apache.submarine.server.security.common.RegistryUserActionAdapter;
import org.pac4j.core.client.Client;
import org.pac4j.core.config.Config;
import org.pac4j.core.http.callback.NoParameterCallbackUrlResolver;
import org.pac4j.core.http.url.DefaultUrlResolver;
import org.pac4j.core.matching.matcher.csrf.CsrfTokenGeneratorMatcher;
import org.pac4j.core.matching.matcher.csrf.DefaultCsrfTokenGenerator;
import org.pac4j.core.profile.UserProfile;
import org.pac4j.http.client.direct.HeaderClient;
import org.pac4j.oidc.client.OidcClient;
import org.pac4j.oidc.config.OidcConfiguration;
import org.pac4j.oidc.credentials.authenticator.UserInfoOidcAuthenticator;
import org.pac4j.oidc.profile.OidcProfile;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/submarine/server/security/oidc/OidcSecurityProvider.class */
/**
 * {@link SecurityProvider} that builds a pac4j {@link Config} holding two clients, an
 * {@link OidcClient} and a {@link HeaderClient}, and hands authentication, callback and logout
 * handling to the logic objects obtained from the inherited {@code create*Logic()} helpers.
 *
 * <p>Security-relevant settings in this class: the OIDC client secret, nonce use, the cookie
 * flags of the CSRF token matcher, the session handling flag passed to the callback logic, and
 * the source of the post-logout redirect URL.
 */
public class OidcSecurityProvider extends SecurityProvider<OidcFilter, OidcProfile> {
    private static final Logger LOG = LoggerFactory.getLogger(OidcSecurityProvider.class);
    // Adapter handed to the callback logic in callback(); its behavior is defined outside this file.
    private final RegistryUserActionAdapter userActionAdapter = new RegistryUserActionAdapter();

    /**
     * Reports the authentication flow used by this provider.
     *
     * @return always {@link AuthFlowType#SESSION}
     */
    @Override // org.apache.submarine.server.security.SecurityProvider
    public AuthFlowType getAuthFlowType() {
        return AuthFlowType.SESSION;
    }

    /**
     * Names the servlet filter class associated with this provider.
     *
     * @return {@code OidcFilter.class}
     */
    @Override // org.apache.submarine.server.security.SecurityProvider
    public Class<OidcFilter> getFilterClass() {
        return OidcFilter.class;
    }

    /**
     * Builds the pac4j configuration: one OIDC configuration shared by an {@link OidcClient} and
     * by the {@link UserInfoOidcAuthenticator} behind a {@link HeaderClient}, plus a CSRF token
     * matcher registered under the name {@code "csrfToken"}.
     *
     * @return the assembled {@link Config}
     */
    @Override // org.apache.submarine.server.security.SecurityProvider
    public Config createConfig() {
        OidcConfiguration oidcConfiguration = new OidcConfiguration();
        // Client credentials and discovery endpoint come from OidcConfig constants; how those are
        // populated is not visible here. The secret must not be logged or echoed in error output.
        oidcConfiguration.setClientId(OidcConfig.CLIENT_ID);
        oidcConfiguration.setSecret(OidcConfig.CLIENT_SECRET);
        oidcConfiguration.setDiscoveryURI(OidcConfig.DISCOVER_URI);
        oidcConfiguration.setExpireSessionWithToken(true);
        // Nonce is switched on; in OIDC it ties the ID token to the authentication request that
        // asked for it, so keep this enabled.
        oidcConfiguration.setUseNonce(true);
        // presumably milliseconds (5 s) for reads from the identity provider; confirm against the pac4j version in use
        oidcConfiguration.setReadTimeout(5000);
        // NOTE(review): if OidcConfig.MAX_AGE is a String, a non-numeric value makes Integer.valueOf
        // throw NumberFormatException here; its declared type is not visible in this file.
        oidcConfiguration.setMaxAge(Integer.valueOf(OidcConfig.MAX_AGE));
        Client oidcClient = new OidcClient(oidcConfiguration);
        // NOTE(review): the boolean looks like pac4j's "complete relative URL" switch, which would
        // build absolute URLs from the incoming request; if so, the Host / forwarded headers seen
        // by this server need to be trustworthy. Confirm.
        oidcClient.setUrlResolver(new DefaultUrlResolver(true));
        oidcClient.setCallbackUrlResolver(new NoParameterCallbackUrlResolver());
        // Two clients share the callback URL OidcCallbackResource.SELF_URL: the OIDC client, and a
        // header client that reads CommonConfig.AUTH_HEADER with prefix CommonConfig.BEARER_HEADER_PREFIX
        // and validates the credential through UserInfoOidcAuthenticator.
        Config config = new Config(OidcCallbackResource.SELF_URL, new Client[]{oidcClient, new HeaderClient(CommonConfig.AUTH_HEADER, CommonConfig.BEARER_HEADER_PREFIX, new UserInfoOidcAuthenticator(oidcConfiguration))});
        SubmarineConfiguration submarineConfiguration = SubmarineConfiguration.getInstance();
        CsrfTokenGeneratorMatcher csrfTokenGeneratorMatcher = new CsrfTokenGeneratorMatcher(new DefaultCsrfTokenGenerator());
        // Secure and HttpOnly on the CSRF cookie are deployment settings (SUBMARINE_COOKIE_SECURE,
        // SUBMARINE_COOKIE_HTTP_ONLY). With Secure off the cookie is also sent over plain HTTP.
        csrfTokenGeneratorMatcher.setSecure(Boolean.valueOf(submarineConfiguration.getBoolean(SubmarineConfVars.ConfVars.SUBMARINE_COOKIE_SECURE)));
        csrfTokenGeneratorMatcher.setHttpOnly(Boolean.valueOf(submarineConfiguration.getBoolean(SubmarineConfVars.ConfVars.SUBMARINE_COOKIE_HTTP_ONLY)));
        // presumably replaces pac4j's built-in "csrfToken" matcher so the flags above apply; confirm
        config.setMatchers(Map.of("csrfToken", csrfTokenGeneratorMatcher));
        return config;
    }

    /**
     * Returns the comma-separated client names passed to the security logic.
     *
     * @param httpServletRequest not used by this implementation
     * @return the fixed string {@code "OidcClient,HeaderClient"}
     */
    @Override // org.apache.submarine.server.security.SecurityProvider
    public String getClient(HttpServletRequest httpServletRequest) {
        return "OidcClient,HeaderClient";
    }

    /**
     * Runs the security logic for a request with the clients from {@link #getClient}, the
     * authorizer name {@code "isAuthenticated"} and an empty matchers string.
     *
     * <p>The access-granted callback returns the first profile of the supplied collection; when
     * the collection is empty it logs a warning and returns {@code null}.
     *
     * @param httpServletRequest incoming request
     * @param httpServletResponse response the logic may write to
     * @return the value produced by the security logic, or an empty {@link Optional} when it is
     *     {@code null}
     */
    @Override // org.apache.submarine.server.security.SecurityProvider
    public Optional<OidcProfile> perform(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        // NOTE(review): the result is cast to UserProfile while the method returns
        // Optional<OidcProfile>; this looks like a decompiler artifact (lost generic or cast).
        // Whether profiles produced through HeaderClient are OidcProfile instances is not visible
        // here; confirm against the original source before relying on the declared type.
        return Optional.ofNullable((UserProfile) createSecurityLogic().perform(createWebContext(httpServletRequest, httpServletResponse), createSessionStore(httpServletRequest, httpServletResponse), getConfig(), (webContext, sessionStore, collection, objArr) -> {
            if (!collection.isEmpty()) {
                // Only the first profile is used; any further profiles are ignored.
                return collection.iterator().next();
            }
            LOG.warn("No profiles found after OIDC auth.");
            return null;
        }, createHttpActionAdapter(), getClient(httpServletRequest), "isAuthenticated", "", new Object[0]));
    }

    /**
     * Handles the identity provider's callback by running the callback logic with
     * {@code userActionAdapter}, the URL {@code "/"}, the flag {@code false} and the client name
     * {@code "oidcClient"}.
     *
     * @param httpServletRequest callback request
     * @param httpServletResponse response the logic may write to
     */
    @Override // org.apache.submarine.server.security.SecurityProvider
    public void callback(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        // NOTE(review): if createCallbackLogic() follows pac4j's CallbackLogic signature, "/" is the
        // default post-login URL and `false` is renewSession. With renewal off, the session id in
        // use before login stays valid after authentication, which is the precondition for session
        // fixation; confirm that the session is renewed elsewhere or that this is intended.
        // NOTE(review): the name here is "oidcClient" while getClient() uses "OidcClient"; verify
        // that client lookup is case-insensitive in the pac4j version in use.
        createCallbackLogic().perform(createWebContext(httpServletRequest, httpServletResponse), createSessionStore(httpServletRequest, httpServletResponse), getConfig(), this.userActionAdapter, "/", false, "oidcClient");
    }

    /**
     * Runs the logout logic. The redirect target is {@code OidcConfig.LOGOUT_REDIRECT_URI}; when
     * that value is blank, the request parameter {@code redirect_url} is used instead.
     *
     * @param httpServletRequest logout request; may supply {@code redirect_url}
     * @param httpServletResponse response the logic may write to
     */
    @Override // org.apache.submarine.server.security.SecurityProvider
    public void logout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String str = OidcConfig.LOGOUT_REDIRECT_URI;
        if (StringUtils.isBlank(str)) {
            // NOTE(review): this fallback is caller-controlled and no validation is visible in this
            // method. If the logic redirects to it as-is, that is an open-redirect risk: set
            // LOGOUT_REDIRECT_URI in deployments, or check the value against an allow-list /
            // same-origin rule before use.
            str = httpServletRequest.getParameter("redirect_url");
        }
        // NOTE(review): if createLogoutLogic() follows pac4j's LogoutLogic signature, `str` is the
        // default URL, "/" is the logout URL pattern, and the three flags are localLogout,
        // destroySession and centralLogout. The pattern would then constrain only pac4j's own URL
        // parameter, not the value passed as default URL. Confirm.
        createLogoutLogic().perform(createWebContext(httpServletRequest, httpServletResponse), createSessionStore(httpServletRequest, httpServletResponse), getConfig(), createHttpActionAdapter(), str, "/", true, true, true);
    }
}
