package org.codelibs.fess.sso.oic;

import com.google.api.client.auth.oauth2.AuthorizationCodeRequestUrl;
import com.google.api.client.auth.oauth2.AuthorizationCodeTokenRequest;
import com.google.api.client.auth.oauth2.TokenResponse;
import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.JsonParser;
import com.google.api.client.json.JsonToken;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.client.util.Base64;
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.annotation.PostConstruct;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.codelibs.core.lang.StringUtil;
import org.codelibs.core.net.UuidUtil;
import org.codelibs.fess.app.web.base.login.ActionResponseCredential;
import org.codelibs.fess.app.web.base.login.FessLoginAssist;
import org.codelibs.fess.app.web.base.login.OpenIdConnectCredential;
import org.codelibs.fess.crawler.Constants;
import org.codelibs.fess.helper.SambaHelper;
import org.codelibs.fess.sso.SsoAuthenticator;
import org.codelibs.fess.util.ComponentUtil;
import org.dbflute.optional.OptionalEntity;
import org.lastaflute.web.login.credential.LoginCredential;
import org.lastaflute.web.response.HtmlResponse;
import org.lastaflute.web.util.LaRequestUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/codelibs/fess/sso/oic/OpenIdConnectAuthenticator.class */
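/**
 * SSO authenticator for the OpenID Connect authorization-code flow.
 *
 * <p>The first request without a pending state value is redirected to the
 * authorization endpoint; the callback carrying {@code code} and
 * {@code state} is then exchanged at the token endpoint and turned into an
 * {@link OpenIdConnectCredential}.
 *
 * <p>NOTE(review): this class decodes the ID token and copies its claims, but
 * nothing visible here verifies the JWS signature or checks {@code iss},
 * {@code aud} or {@code exp}. The token is fetched over the back channel, so
 * its integrity rests on the transport to the configured token endpoint.
 * Confirm that endpoint is always HTTPS and that claim validation happens
 * before {@code sub}/{@code email} are trusted for authorization.
 */
public class OpenIdConnectAuthenticator implements SsoAuthenticator {
    private static final Logger logger = LoggerFactory.getLogger(OpenIdConnectAuthenticator.class);
    protected static final String OIC_AUTH_SERVER_URL = "oic.auth.server.url";
    protected static final String OIC_CLIENT_ID = "oic.client.id";
    protected static final String OIC_SCOPE = "oic.scope";
    protected static final String OIC_REDIRECT_URL = "oic.redirect.url";
    protected static final String OIC_TOKEN_SERVER_URL = "oic.token.server.url";
    protected static final String OIC_CLIENT_SECRET = "oic.client.secret";
    /** Session attribute holding the anti-CSRF state value of the pending authorization request. */
    protected static final String OIC_STATE = "OIC_STATE";
    protected final HttpTransport httpTransport = new NetHttpTransport();
    protected final JsonFactory jsonFactory = JacksonFactory.getDefaultInstance();

    /** Registers this authenticator with the SSO manager once the component is constructed. */
    @PostConstruct
    public void init() {
        if (logger.isDebugEnabled()) {
            logger.debug("Initialize {}", getClass().getSimpleName());
        }
        ComponentUtil.getSsoManager().register(this);
    }

    /**
     * Drives the login for the current request.
     *
     * @return a credential built from the token response when the request is a
     *         valid callback; a redirect credential pointing at the
     *         authorization endpoint when no state is pending; {@code null}
     *         when there is no current request or the callback is rejected
     */
    @Override // org.codelibs.fess.sso.SsoAuthenticator
    public LoginCredential getLoginCredential() {
        return LaRequestUtil.getOptionalRequest().map(request -> {
            if (logger.isDebugEnabled()) {
                logger.debug("Logging in with OpenID Connect Authenticator");
            }
            final HttpSession session = request.getSession(false);
            if (session != null) {
                final String expectedState = (String) session.getAttribute(OIC_STATE);
                if (StringUtil.isNotBlank(expectedState)) {
                    // The state is single-use: drop it before comparing so a
                    // failed or replayed callback cannot be retried against it.
                    session.removeAttribute(OIC_STATE);
                    final String code = request.getParameter("code");
                    final String returnedState = request.getParameter("state");
                    if (logger.isDebugEnabled()) {
                        // The authorization code and state are credentials for this
                        // exchange; log only whether they are present and match.
                        logger.debug("code present: {}, state matches: {}", StringUtil.isNotBlank(code),
                                expectedState.equals(returnedState));
                    }
                    if (expectedState.equals(returnedState) && StringUtil.isNotBlank(code)) {
                        return processCallback(request, code);
                    }
                    return null;
                }
            }
            return new ActionResponseCredential(() -> HtmlResponse.fromRedirectPathAsIs(getAuthUrl(request)));
        }).orElse(null);
    }

    /**
     * Builds the authorization endpoint URL and stores a fresh state value in the session.
     *
     * <p>NOTE(review): the state must be unguessable to work as a CSRF
     * defence; confirm {@code UuidUtil.create()} draws from a secure random
     * source. No {@code nonce} parameter is sent with the request.
     *
     * @param request the current request; a session is created if none exists
     * @return the URL the browser is redirected to
     */
    protected String getAuthUrl(HttpServletRequest request) {
        final String state = UuidUtil.create();
        request.getSession().setAttribute(OIC_STATE, state);
        return new AuthorizationCodeRequestUrl(getOicAuthServerUrl(), getOicClientId())
                .setScopes(Arrays.asList(getOicScope()))
                .setResponseTypes(Arrays.asList("code"))
                .setRedirectUri(getOicRedirectUrl())
                .setState(state)
                .build();
    }

    /**
     * Exchanges the authorization code for tokens and builds the credential.
     *
     * @param request the callback request (not read by this implementation)
     * @param code the authorization code taken from the callback
     * @return the credential, or {@code null} when the token exchange fails or
     *         the response carries no well-formed ID token
     */
    protected LoginCredential processCallback(HttpServletRequest request, String code) {
        try {
            final TokenResponse tokenResponse = getTokenUrl(code);
            final Object idToken = tokenResponse.get("id_token");
            if (!(idToken instanceof String)) {
                logger.warn("Token response contained no id_token; rejecting the OpenID Connect login.");
                return null;
            }
            // A signed ID token in compact form is header.payload.signature.
            final String[] jwtParts = ((String) idToken).split("\\.");
            if (jwtParts.length != 3) {
                logger.warn("id_token had {} segment(s) instead of 3; rejecting the OpenID Connect login.", jwtParts.length);
                return null;
            }
            final String jwtHeader = new String(Base64.decodeBase64(jwtParts[0]), Constants.UTF_8_CHARSET);
            final String jwtClaim = new String(Base64.decodeBase64(jwtParts[1]), Constants.UTF_8_CHARSET);
            // The signature is binary, so this text form is lossy and cannot be used
            // to verify the token; it is kept only because "jwtsign" was always exposed.
            final String jwtSignature = new String(Base64.decodeBase64(jwtParts[2]), Constants.UTF_8_CHARSET);
            if (logger.isDebugEnabled()) {
                // Claims carry personal data (sub, email); only the header is logged.
                logger.debug("jwtHeader: {}", jwtHeader);
            }
            final Map<String, Object> attributes = new HashMap<>();
            attributes.put("accesstoken", tokenResponse.getAccessToken());
            attributes.put("refreshtoken", tokenResponse.getRefreshToken() == null ? "null" : tokenResponse.getRefreshToken());
            attributes.put("tokentype", tokenResponse.getTokenType());
            attributes.put("expire", tokenResponse.getExpiresInSeconds());
            attributes.put("jwtheader", jwtHeader);
            attributes.put("jwtclaim", jwtClaim);
            attributes.put("jwtsign", jwtSignature);
            if (logger.isDebugEnabled()) {
                // The map holds the access and refresh tokens; log the keys, never the values.
                logger.debug("attribute keys: {}", attributes.keySet());
            }
            parseJwtClaim(jwtClaim, attributes);
            return new OpenIdConnectCredential(attributes);
        } catch (IOException e) {
            // A failed token exchange is worth seeing outside debug logging.
            logger.warn("Failed to process callbacked request.", e);
            return null;
        }
    }

    /**
     * Copies the known top-level claims of the ID token payload into {@code attributes}.
     *
     * <p>Each recognised claim is stored as the text of the token that follows
     * its name. NOTE(review): {@code aud} may be a JSON array; confirm that
     * multi-audience tokens are stored as intended.
     *
     * @param jwtClaim the decoded JSON payload of the ID token
     * @param attributes the map that receives the claim values
     * @throws IOException if the payload cannot be parsed
     */
    protected void parseJwtClaim(String jwtClaim, Map<String, Object> attributes) throws IOException {
        final JsonParser parser = this.jsonFactory.createJsonParser(jwtClaim);
        try {
            JsonToken token;
            // nextToken() returns null at end of input; without that check a payload
            // that never yields END_OBJECT (empty or a bare scalar) would loop forever.
            while ((token = parser.nextToken()) != null && token != JsonToken.END_OBJECT) {
                final String name = parser.getCurrentName();
                if (name == null) {
                    continue;
                }
                parser.nextToken();
                switch (name) {
                case "iss":
                case "sub":
                case "azp":
                case "email":
                case "at_hash":
                case "email_verified":
                case "aud":
                case "iat":
                case "exp":
                    attributes.put(name, parser.getText());
                    break;
                default:
                    // Claims outside this list are ignored.
                    break;
                }
            }
        } finally {
            parser.close();
        }
    }

    /**
     * Sends the authorization-code grant to the token endpoint.
     *
     * @param code the authorization code taken from the callback
     * @return the token endpoint response
     * @throws IOException if the request fails
     */
    protected TokenResponse getTokenUrl(String code) throws IOException {
        return new AuthorizationCodeTokenRequest(this.httpTransport, this.jsonFactory, new GenericUrl(getOicTokenServerUrl()), code)
                .setGrantType("authorization_code")
                .setRedirectUri(getOicRedirectUrl())
                .set("client_id", getOicClientId())
                .set("client_secret", getOicClientSecret())
                .execute();
    }

    /** Returns the client secret from system properties; the value must never be logged. */
    protected String getOicClientSecret() {
        // presumably the fallback constant is the empty string — confirm
        return ComponentUtil.getSystemProperties().getProperty(OIC_CLIENT_SECRET, org.codelibs.fess.Constants.DEFAULT_IGNORE_FAILURE_TYPE);
    }

    /** Returns the token endpoint URL; the client secret is sent to it, so overrides should stay on HTTPS. */
    protected String getOicTokenServerUrl() {
        return ComponentUtil.getSystemProperties().getProperty(OIC_TOKEN_SERVER_URL, "https://accounts.google.com/o/oauth2/token");
    }

    /**
     * Returns the redirect URI registered for this client.
     *
     * <p>The fallback is a plain-HTTP localhost address; deployments should
     * configure an HTTPS URL so the authorization code is not sent in clear text.
     */
    protected String getOicRedirectUrl() {
        return ComponentUtil.getSystemProperties().getProperty(OIC_REDIRECT_URL, "http://localhost:8080/sso/");
    }

    /** Returns the scope requested at the authorization endpoint. */
    protected String getOicScope() {
        return ComponentUtil.getSystemProperties().getProperty(OIC_SCOPE, org.codelibs.fess.Constants.DEFAULT_IGNORE_FAILURE_TYPE);
    }

    /** Returns the OAuth client identifier. */
    protected String getOicClientId() {
        return ComponentUtil.getSystemProperties().getProperty(OIC_CLIENT_ID, org.codelibs.fess.Constants.DEFAULT_IGNORE_FAILURE_TYPE);
    }

    /** Returns the authorization endpoint URL. */
    protected String getOicAuthServerUrl() {
        return ComponentUtil.getSystemProperties().getProperty(OIC_AUTH_SERVER_URL, "https://accounts.google.com/o/oauth2/auth");
    }

    /** Maps an {@link OpenIdConnectCredential} to the user it carries. */
    @Override // org.codelibs.fess.sso.SsoAuthenticator
    public void resolveCredential(FessLoginAssist.LoginCredentialResolver loginCredentialResolver) {
        loginCredentialResolver.resolve(OpenIdConnectCredential.class,
                credential -> OptionalEntity.of(credential.getUser()));
    }
}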
