package org.codelibs.fess.sso.aad;

import com.microsoft.aad.adal4j.AuthenticationCallback;
import com.microsoft.aad.adal4j.AuthenticationContext;
import com.microsoft.aad.adal4j.AuthenticationResult;
import com.microsoft.aad.adal4j.ClientCredential;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.oauth2.sdk.AuthorizationCode;
import com.nimbusds.openid.connect.sdk.AuthenticationErrorResponse;
import com.nimbusds.openid.connect.sdk.AuthenticationResponse;
import com.nimbusds.openid.connect.sdk.AuthenticationResponseParser;
import com.nimbusds.openid.connect.sdk.AuthenticationSuccessResponse;
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import javax.annotation.PostConstruct;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.commons.lang3.StringUtils;
import org.codelibs.core.lang.StringUtil;
import org.codelibs.core.net.UuidUtil;
import org.codelibs.core.stream.StreamUtil;
import org.codelibs.curl.Curl;
import org.codelibs.curl.CurlResponse;
import org.codelibs.elasticsearch.runner.net.EcrCurl;
import org.codelibs.fess.app.web.base.login.ActionResponseCredential;
import org.codelibs.fess.app.web.base.login.AzureAdCredential;
import org.codelibs.fess.app.web.base.login.FessLoginAssist;
import org.codelibs.fess.crawler.Constants;
import org.codelibs.fess.exception.SsoLoginException;
import org.codelibs.fess.sso.SsoAuthenticator;
import org.codelibs.fess.util.ComponentUtil;
import org.dbflute.optional.OptionalEntity;
import org.lastaflute.web.login.credential.LoginCredential;
import org.lastaflute.web.response.HtmlResponse;
import org.lastaflute.web.util.LaRequestUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/codelibs/fess/sso/aad/AzureAdAuthenticator.class */
public class AzureAdAuthenticator implements SsoAuthenticator {
    private static final Logger logger = LoggerFactory.getLogger(AzureAdAuthenticator.class);
    protected static final String AZUREAD_STATE_TTL = "aad.state.ttl";
    protected static final String AZUREAD_AUTHORITY = "aad.authority";
    protected static final String AZUREAD_TENANT = "aad.tenant";
    protected static final String AZUREAD_CLIENT_SECRET = "aad.client.secret";
    protected static final String AZUREAD_CLIENT_ID = "aad.client.id";
    protected static final String AZUREAD_REPLY_URL = "aad.reply.url";
    protected static final String STATES = "aadStates";
    protected static final String STATE = "state";
    protected static final String ERROR = "error";
    protected static final String ERROR_DESCRIPTION = "error_description";
    protected static final String ERROR_URI = "error_uri";
    protected static final String ID_TOKEN = "id_token";
    protected static final String CODE = "code";
    protected long acquisitionTimeout = 30000;

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:org/codelibs/fess/sso/aad/AzureAdAuthenticator$StateData.class */
    public class StateData {
        private final String nonce;
        private final long expiration;

        public StateData(String str, long j) {
            this.nonce = str;
            this.expiration = j;
        }

        public String getNonce() {
            return this.nonce;
        }

        public long getExpiration() {
            return this.expiration;
        }

        public String toString() {
            return "StateData [nonce=" + this.nonce + ", expiration=" + this.expiration + "]";
        }
    }

    @PostConstruct
    public void init() {
        ComponentUtil.getSsoManager().register(this);
    }

    @Override // org.codelibs.fess.sso.SsoAuthenticator
    public LoginCredential getLoginCredential() {
        return (LoginCredential) LaRequestUtil.getOptionalRequest().map(httpServletRequest -> {
            if (httpServletRequest.getSession(false) == null || !containsAuthenticationData(httpServletRequest)) {
                return new ActionResponseCredential(() -> {
                    return HtmlResponse.fromRedirectPathAsIs(getAuthUrl(httpServletRequest));
                });
            }
            try {
                return processAuthenticationData(httpServletRequest);
            } catch (Exception e) {
                if (!logger.isDebugEnabled()) {
                    return null;
                }
                logger.debug("Failed to process a login request on AzureAD.", e);
                return null;
            }
        }).orElse((Object) null);
    }

    protected String getAuthUrl(HttpServletRequest httpServletRequest) {
        String create = UuidUtil.create();
        String create2 = UuidUtil.create();
        storeStateInSession(httpServletRequest.getSession(), create, create2);
        String str = getAuthority() + getTenant() + "/oauth2/authorize?response_type=code&scope=directory.read.all&response_mode=form_post&redirect_uri=" + URLEncoder.encode(getReplyUrl(httpServletRequest), Constants.UTF_8_CHARSET) + "&client_id=" + getClientId() + "&resource=https%3a%2f%2fgraph.microsoft.com&state=" + create + "&nonce=" + create2;
        if (logger.isDebugEnabled()) {
            logger.debug("redirect to: {}", str);
        }
        return str;
    }

    protected void storeStateInSession(HttpSession httpSession, String str, String str2) {
        Map map = (Map) httpSession.getAttribute(STATES);
        if (map == null) {
            map = new HashMap();
            httpSession.setAttribute(STATES, map);
        }
        StateData stateData = new StateData(str2, System.currentTimeMillis());
        if (logger.isDebugEnabled()) {
            logger.debug("store {} in session", stateData);
        }
        map.put(str, stateData);
    }

    protected LoginCredential processAuthenticationData(HttpServletRequest httpServletRequest) {
        StringBuffer requestURL = httpServletRequest.getRequestURL();
        String queryString = httpServletRequest.getQueryString();
        if (queryString != null) {
            requestURL.append('?').append(queryString);
        }
        HashMap hashMap = new HashMap();
        for (Map.Entry entry : httpServletRequest.getParameterMap().entrySet()) {
            if (((String[]) entry.getValue()).length > 0) {
                hashMap.put((String) entry.getKey(), ((String[]) entry.getValue())[0]);
            }
        }
        if (logger.isDebugEnabled()) {
            logger.debug("process authentication: url: {}, params: {}", requestURL, hashMap);
        }
        StateData validateState = validateState(httpServletRequest.getSession(), hashMap.get(STATE));
        if (logger.isDebugEnabled()) {
            logger.debug("load {}", validateState);
        }
        AuthenticationErrorResponse parseAuthenticationResponse = parseAuthenticationResponse(requestURL.toString(), hashMap);
        if (!(parseAuthenticationResponse instanceof AuthenticationSuccessResponse)) {
            AuthenticationErrorResponse authenticationErrorResponse = parseAuthenticationResponse;
            throw new SsoLoginException(String.format("Request for auth code failed: %s - %s", authenticationErrorResponse.getErrorObject().getCode(), authenticationErrorResponse.getErrorObject().getDescription()));
        }
        AuthenticationSuccessResponse authenticationSuccessResponse = (AuthenticationSuccessResponse) parseAuthenticationResponse;
        validateAuthRespMatchesCodeFlow(authenticationSuccessResponse);
        AuthenticationResult accessToken = getAccessToken(authenticationSuccessResponse.getAuthorizationCode(), getReplyUrl(httpServletRequest));
        validateNonce(validateState, accessToken);
        return new AzureAdCredential(accessToken);
    }

    protected AuthenticationResponse parseAuthenticationResponse(String str, Map<String, String> map) {
        if (logger.isDebugEnabled()) {
            logger.debug("Parse: {} : {}", str, map);
        }
        try {
            return AuthenticationResponseParser.parse(new URI(str), map);
        } catch (Exception e) {
            throw new SsoLoginException("Failed to parse an authentication response.", e);
        }
    }

    protected void validateNonce(StateData stateData, AuthenticationResult authenticationResult) {
        String idToken = authenticationResult.getIdToken();
        if (logger.isDebugEnabled()) {
            logger.debug("idToken: {}", idToken);
        }
        try {
            JWTClaimsSet jWTClaimsSet = JWTParser.parse(idToken).getJWTClaimsSet();
            if (jWTClaimsSet == null) {
                throw new SsoLoginException("could not validate nonce");
            }
            String str = (String) jWTClaimsSet.getClaim("nonce");
            if (logger.isDebugEnabled()) {
                logger.debug("nonce: {}", str);
            }
            if (StringUtils.isEmpty(str) || !str.equals(stateData.getNonce())) {
                throw new SsoLoginException("could not validate nonce");
            }
        } catch (SsoLoginException e) {
            throw e;
        } catch (Exception e2) {
            throw new SsoLoginException("could not validate nonce", e2);
        }
    }

    public AuthenticationResult getAccessToken(String str) {
        String str2 = getAuthority() + getTenant() + "/";
        if (logger.isDebugEnabled()) {
            logger.debug("refreshToken: {}, authority: {}", str, str2);
        }
        ExecutorService executorService = null;
        try {
            try {
                executorService = Executors.newFixedThreadPool(1);
                AuthenticationResult authenticationResult = (AuthenticationResult) new AuthenticationContext(str2, true, executorService).acquireTokenByRefreshToken(str, new ClientCredential(getClientId(), getClientSecret()), (String) null, (AuthenticationCallback) null).get(this.acquisitionTimeout, TimeUnit.MILLISECONDS);
                if (authenticationResult == null) {
                    throw new SsoLoginException("authentication result was null");
                }
                if (executorService != null) {
                    executorService.shutdown();
                }
                return authenticationResult;
            } catch (Exception e) {
                throw new SsoLoginException("Failed to get a token.", e);
            }
        } catch (Throwable th) {
            if (executorService != null) {
                executorService.shutdown();
            }
            throw th;
        }
    }

    protected AuthenticationResult getAccessToken(AuthorizationCode authorizationCode, String str) {
        String str2 = getAuthority() + getTenant() + "/";
        String value = authorizationCode.getValue();
        if (logger.isDebugEnabled()) {
            logger.debug("authCode: {}, authority: {}, uri: {}", new Object[]{value, str2, str});
        }
        ClientCredential clientCredential = new ClientCredential(getClientId(), getClientSecret());
        ExecutorService executorService = null;
        try {
            try {
                executorService = Executors.newFixedThreadPool(1);
                AuthenticationResult authenticationResult = (AuthenticationResult) new AuthenticationContext(str2, true, executorService).acquireTokenByAuthorizationCode(value, new URI(str), clientCredential, (AuthenticationCallback) null).get(this.acquisitionTimeout, TimeUnit.MILLISECONDS);
                if (authenticationResult == null) {
                    throw new SsoLoginException("authentication result was null");
                }
                if (executorService != null) {
                    executorService.shutdown();
                }
                return authenticationResult;
            } catch (Exception e) {
                throw new SsoLoginException("Failed to get a token.", e);
            }
        } catch (Throwable th) {
            if (executorService != null) {
                executorService.shutdown();
            }
            throw th;
        }
    }

    protected void validateAuthRespMatchesCodeFlow(AuthenticationSuccessResponse authenticationSuccessResponse) {
        if (authenticationSuccessResponse.getIDToken() != null || authenticationSuccessResponse.getAccessToken() != null || authenticationSuccessResponse.getAuthorizationCode() == null) {
            throw new SsoLoginException("unexpected set of artifacts received");
        }
    }

    protected StateData validateState(HttpSession httpSession, String str) {
        StateData removeStateFromSession;
        if (!StringUtils.isNotEmpty(str) || (removeStateFromSession = removeStateFromSession(httpSession, str)) == null) {
            throw new SsoLoginException("could not validate state");
        }
        return removeStateFromSession;
    }

    protected StateData removeStateFromSession(HttpSession httpSession, String str) {
        Map map = (Map) httpSession.getAttribute(STATES);
        if (map == null) {
            return null;
        }
        long currentTimeMillis = System.currentTimeMillis();
        ((List) map.entrySet().stream().filter(entry -> {
            return (currentTimeMillis - ((StateData) entry.getValue()).getExpiration()) / 1000 > getStateTtl();
        }).map((v0) -> {
            return v0.getKey();
        }).collect(Collectors.toList())).forEach(str2 -> {
            if (logger.isDebugEnabled()) {
                logger.debug("remove old state: {}", str2);
            }
            map.remove(str2);
        });
        StateData stateData = (StateData) map.get(str);
        if (stateData == null) {
            return null;
        }
        if (logger.isDebugEnabled()) {
            logger.debug("restore {} from session", stateData);
        }
        map.remove(str);
        return stateData;
    }

    protected boolean containsAuthenticationData(HttpServletRequest httpServletRequest) {
        if (!httpServletRequest.getMethod().equalsIgnoreCase("POST")) {
            return false;
        }
        Map parameterMap = httpServletRequest.getParameterMap();
        return parameterMap.containsKey(ERROR) || parameterMap.containsKey(ID_TOKEN) || parameterMap.containsKey(CODE);
    }

    public void updateMemberOf(AzureAdCredential.AzureAdUser azureAdUser) {
        ArrayList arrayList = new ArrayList();
        ArrayList arrayList2 = new ArrayList();
        arrayList.addAll(getDefaultGroupList());
        arrayList2.addAll(getDefaultRoleList());
        try {
            CurlResponse execute = Curl.get("https://graph.microsoft.com/v1.0/me/memberOf").header("Authorization", "Bearer " + azureAdUser.getAuthenticationResult().getAccessToken()).header("Accept", "application/json").execute();
            try {
                Map map = (Map) execute.getContent(EcrCurl.jsonParser);
                if (map.containsKey(org.codelibs.fess.Constants.ITEM_VALUE)) {
                    for (Map map2 : (List) map.get(org.codelibs.fess.Constants.ITEM_VALUE)) {
                        if (logger.isDebugEnabled()) {
                            logger.debug("member: {}", map2);
                        }
                        String str = (String) map2.get("id");
                        if (StringUtil.isBlank(str)) {
                            logger.warn("id is empty: {}", map2);
                        } else {
                            String str2 = (String) map2.get("@odata.type");
                            if (str2 == null) {
                                logger.warn("@odata.type is null: {}", map2);
                            } else {
                                String lowerCase = str2.toLowerCase(Locale.ENGLISH);
                                if (lowerCase.contains("group")) {
                                    arrayList.add(str);
                                } else if (lowerCase.contains("role")) {
                                    arrayList2.add(str);
                                } else {
                                    if (logger.isDebugEnabled()) {
                                        logger.debug("unknown @odata.type: {}", map2);
                                    }
                                    arrayList.add(str);
                                }
                            }
                        }
                    }
                } else if (map.containsKey(ERROR)) {
                    logger.warn("Failed to access groups/roles: {}", map);
                }
                if (execute != null) {
                    execute.close();
                }
            } finally {
            }
        } catch (IOException e) {
            logger.warn("Failed to access groups/roles in AzureAD.", e);
        }
        azureAdUser.setGroups((String[]) arrayList.toArray(i -> {
            return new String[i];
        }));
        azureAdUser.setRoles((String[]) arrayList2.toArray(i2 -> {
            return new String[i2];
        }));
    }

    protected List<String> getDefaultGroupList() {
        String systemProperty = ComponentUtil.getFessConfig().getSystemProperty("aad.default.groups");
        return StringUtil.isBlank(systemProperty) ? Collections.emptyList() : (List) StreamUtil.split(systemProperty, ",").get(stream -> {
            return (List) stream.filter(StringUtil::isNotBlank).map(str -> {
                return str.trim();
            }).collect(Collectors.toList());
        });
    }

    protected List<String> getDefaultRoleList() {
        String systemProperty = ComponentUtil.getFessConfig().getSystemProperty("aad.default.roles");
        return StringUtil.isBlank(systemProperty) ? Collections.emptyList() : (List) StreamUtil.split(systemProperty, ",").get(stream -> {
            return (List) stream.filter(StringUtil::isNotBlank).map(str -> {
                return str.trim();
            }).collect(Collectors.toList());
        });
    }

    protected String getClientId() {
        return ComponentUtil.getFessConfig().getSystemProperty(AZUREAD_CLIENT_ID, org.codelibs.fess.Constants.DEFAULT_IGNORE_FAILURE_TYPE);
    }

    protected String getClientSecret() {
        return ComponentUtil.getFessConfig().getSystemProperty(AZUREAD_CLIENT_SECRET, org.codelibs.fess.Constants.DEFAULT_IGNORE_FAILURE_TYPE);
    }

    protected String getTenant() {
        return ComponentUtil.getFessConfig().getSystemProperty(AZUREAD_TENANT, org.codelibs.fess.Constants.DEFAULT_IGNORE_FAILURE_TYPE);
    }

    protected String getAuthority() {
        return ComponentUtil.getFessConfig().getSystemProperty(AZUREAD_AUTHORITY, "https://login.microsoftonline.com/");
    }

    protected long getStateTtl() {
        return Long.parseLong(ComponentUtil.getFessConfig().getSystemProperty(AZUREAD_STATE_TTL, "3600"));
    }

    protected String getReplyUrl(HttpServletRequest httpServletRequest) {
        String systemProperty = ComponentUtil.getFessConfig().getSystemProperty(AZUREAD_REPLY_URL, org.codelibs.fess.Constants.DEFAULT_IGNORE_FAILURE_TYPE);
        return StringUtil.isNotBlank(systemProperty) ? systemProperty : httpServletRequest.getRequestURL().toString();
    }

    @Override // org.codelibs.fess.sso.SsoAuthenticator
    public void resolveCredential(FessLoginAssist.LoginCredentialResolver loginCredentialResolver) {
        loginCredentialResolver.resolve(AzureAdCredential.class, azureAdCredential -> {
            return OptionalEntity.of(azureAdCredential.getUser());
        });
    }

    public void setAcquisitionTimeout(long j) {
        this.acquisitionTimeout = j;
    }
}
