package org.wso2.carbon.identity.application.authenticator.oauth2;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.math.BigInteger;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLConnection;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.oltu.oauth2.client.OAuthClient;
import org.apache.oltu.oauth2.client.URLConnectionClient;
import org.apache.oltu.oauth2.client.request.OAuthClientRequest;
import org.apache.oltu.oauth2.client.response.OAuthAuthzResponse;
import org.apache.oltu.oauth2.client.response.OAuthClientResponse;
import org.apache.oltu.oauth2.common.exception.OAuthProblemException;
import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
import org.apache.oltu.oauth2.common.message.types.GrantType;
import org.apache.oltu.oauth2.common.utils.JSONUtils;
import org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator;
import org.wso2.carbon.identity.application.authentication.framework.FederatedApplicationAuthenticator;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.exception.ApplicationAuthenticatorException;
import org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException;
import org.wso2.carbon.identity.application.authentication.framework.exception.MisconfigurationException;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.application.common.model.ClaimConfig;
import org.wso2.carbon.identity.application.common.model.ClaimMapping;
import org.wso2.carbon.identity.application.common.model.Property;
import org.wso2.carbon.identity.core.util.IdentityUtil;

/* loaded from: input_file:org/wso2/carbon/identity/application/authenticator/oauth2/Oauth2GenericAuthenticator.class */
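/**
 * Generic OAuth 2.0 authorization-code federated authenticator.
 * <p>
 * Flow: {@link #initiateAuthenticationRequest} redirects the browser to the configured authorization endpoint
 * carrying a random {@code state}; {@link #processAuthenticationResponse} exchanges the returned code for an
 * access token at the token endpoint and then obtains user claims either by calling the user-info endpoint or,
 * when the IdP is configured to issue self-contained (JWT) tokens, by decoding the token payload locally.
 * <p>
 * The {@code state} value doubles as the framework context identifier ({@link #getContextIdentifier}). Binding a
 * callback to the request that started it therefore depends on the framework resolving that identifier (and
 * rejecting unknown ones) — nothing in this class compares the returned state itself. TODO confirm against the
 * framework's context handling.
 */
public class Oauth2GenericAuthenticator extends AbstractApplicationAuthenticator implements FederatedApplicationAuthenticator {

    private static final long serialVersionUID = 8654763286341993633L;
    private static final Log logger = LogFactory.getLog(Oauth2GenericAuthenticator.class);

    /** Property key for the optional scope value; the constants class referenced here exposes no key for it. */
    private static final String SCOPE_PROPERTY = "Scope";
    /** Separates the random context identifier from the login-type tag inside the OAuth2 {@code state}. */
    private static final String STATE_SEPARATOR = ",";
    /** Token-loggability category checked before user claims are written to the debug log. */
    private static final String USER_CLAIMS_LOG_CATEGORY = "UserClaims";
    /** Shared CSPRNG for {@code state} generation; {@link SecureRandom} is thread-safe, one instance suffices. */
    private static final SecureRandom RANDOM = new SecureRandom();

    /**
     * Builds the authorization request and redirects the browser to the configured authorization endpoint.
     * <p>
     * A fresh random {@code state} is generated, stored as the context identifier, and sent as
     * {@code "<state>,<login-type>"} so that {@link #canHandle} can recognise the callback.
     *
     * @param request  the current servlet request (used for the default callback host/port)
     * @param response the servlet response that receives the redirect
     * @param context  the framework authentication context
     * @throws AuthenticationFailedException if the request cannot be built or the redirect cannot be sent
     */
    @Override
    protected void initiateAuthenticationRequest(HttpServletRequest request, HttpServletResponse response,
                                                 AuthenticationContext context) throws AuthenticationFailedException {
        if (logger.isDebugEnabled()) {
            logger.debug("Initiating authentication request");
        }
        String state = generateState();
        try {
            Map<String, String> properties = getAuthenticatorProperties(context);
            String clientId = getClientId(properties);
            String callbackUrl = getCallbackURL(properties, request.getServerName(), request.getServerPort());
            String authorizationEndpoint = getAuthorizationServerEndpoint(properties);
            String scope = properties.get(SCOPE_PROPERTY);
            String stateParam = state + STATE_SEPARATOR + Oauth2GenericAuthenticatorConstants.OAUTH2_LOGIN_TYPE;
            // The random part of the state is what the framework will look the context up by on the callback.
            context.setContextIdentifier(state);
            OAuthClientRequest authorizationRequest = OAuthClientRequest
                    .authorizationLocation(authorizationEndpoint)
                    .setClientId(clientId)
                    .setResponseType(Oauth2GenericAuthenticatorConstants.OAUTH2_GRANT_TYPE_CODE)
                    .setRedirectURI(callbackUrl)
                    .setState(stateParam)
                    .setScope(scope)
                    .buildQueryMessage();
            if (logger.isDebugEnabled()) {
                logger.debug("Authorization Request: " + authorizationRequest.getLocationUri());
            }
            response.sendRedirect(authorizationRequest.getLocationUri());
        } catch (OAuthSystemException | MisconfigurationException e) {
            logger.error("Error while building authorization request.", e);
            throw new AuthenticationFailedException("Error while building authorization request.", e);
        } catch (IOException e) {
            logger.error("Error while redirecting to the login page.", e);
            throw new AuthenticationFailedException("Error while redirecting to the login page.", e);
        }
    }

    /**
     * Handles the authorization-code callback: exchanges the code for an access token, fetches (or decodes)
     * the user info and populates the context subject and user attributes.
     *
     * @param request  the callback request carrying {@code code} and {@code state}
     * @param response unused
     * @param context  the framework authentication context resolved from the {@code state}
     * @throws AuthenticationFailedException on any configuration or protocol failure
     */
    @Override
    protected void processAuthenticationResponse(HttpServletRequest request, HttpServletResponse response,
                                                 AuthenticationContext context) throws AuthenticationFailedException {
        if (logger.isDebugEnabled()) {
            logger.debug("Processing authentication response");
        }
        try {
            Map<String, String> properties = getAuthenticatorProperties(context);
            boolean basicAuthEnabled = Boolean.parseBoolean(
                    properties.get(Oauth2GenericAuthenticatorConstants.IS_BASIC_AUTH_ENABLED));
            boolean selfContainedToken = Boolean.parseBoolean(
                    properties.get(Oauth2GenericAuthenticatorConstants.SELF_CONTAINED_TOKEN_ENABLED));
            // redirect_uri must match the one used in the authorization request; both come from the same
            // property, or from the request host/port when the property is unset.
            String callbackUrl = getCallbackURL(properties, request.getServerName(), request.getServerPort());

            String accessToken = getToken(getTokenEndpoint(properties), getClientId(properties),
                    getClientSecret(properties), getAuthorizationCode(request), callbackUrl, basicAuthEnabled);
            String userInfo = getUserInfo(selfContainedToken, accessToken, properties);
            // User info is personal data: gate it behind the same switch buildClaims uses for claim logging.
            if (logger.isDebugEnabled() && IdentityUtil.isTokenLoggable(USER_CLAIMS_LOG_CATEGORY)) {
                logger.debug("User info: " + userInfo);
            }
            buildClaims(context, userInfo);
        } catch (ApplicationAuthenticatorException | MisconfigurationException e) {
            logger.error("Error while processing authentication response.", e);
            throw new AuthenticationFailedException("Error while processing authentication response.", e);
        }
    }

    /**
     * Turns the user-info JSON into claim mappings, selects the subject identifier and stores both on the context.
     * <p>
     * Every top-level JSON member becomes a claim whose local and remote URI are the member name. Members whose
     * value is JSON {@code null} are skipped (they previously caused a NullPointerException). If the IdP claim
     * config has no subject claim URI, {@code EMAIL} is used.
     *
     * @param context      the authentication context whose subject is set
     * @param userInfoJson the raw user-info JSON document
     * @throws ApplicationAuthenticatorException if the document is null or no subject identifier can be found
     */
    protected void buildClaims(AuthenticationContext context, String userInfoJson) throws ApplicationAuthenticatorException {
        if (userInfoJson == null) {
            throw new ApplicationAuthenticatorException("Decoded json object is null");
        }
        // NOTE(review): JSONUtils.parseJSON declares no checked exception; malformed JSON surfaces as a runtime
        // exception from here rather than as an ApplicationAuthenticatorException.
        Map<String, Object> claims = JSONUtils.parseJSON(userInfoJson);
        if (logger.isDebugEnabled()) {
            logger.debug("Building user claims");
        }
        Map<ClaimMapping, String> attributes = new HashMap<>();
        for (Map.Entry<String, Object> claim : claims.entrySet()) {
            Object value = claim.getValue();
            if (value == null) {
                continue;
            }
            attributes.put(ClaimMapping.build(claim.getKey(), claim.getKey(), (String) null, false), value.toString());
            if (logger.isDebugEnabled() && IdentityUtil.isTokenLoggable(USER_CLAIMS_LOG_CATEGORY)) {
                logger.debug("Adding claim mapping : " + claim.getKey() + " <> " + claim.getKey() + " : " + value);
            }
        }
        ClaimConfig claimConfig = context.getExternalIdP().getIdentityProvider().getClaimConfig();
        if (StringUtils.isBlank(claimConfig.getUserClaimURI())) {
            claimConfig.setUserClaimURI(Oauth2GenericAuthenticatorConstants.EMAIL);
        }
        String federatedSubject = FrameworkUtils.getFederatedSubjectFromClaims(
                context.getExternalIdP().getIdentityProvider(), attributes);
        if (StringUtils.isBlank(federatedSubject)) {
            // Fall back to reading the configured subject claim straight from the parsed document.
            setSubject(context, claims);
        } else {
            context.setSubject(AuthenticatedUser.createFederateAuthenticatedUserFromSubjectIdentifier(federatedSubject));
        }
        context.getSubject().setUserAttributes(attributes);
    }

    /**
     * Sets the context subject from the claim named by the IdP's subject claim URI.
     *
     * @param context the authentication context whose subject is set
     * @param claims  the parsed user-info document
     * @throws ApplicationAuthenticatorException if the subject claim is absent or blank
     */
    protected void setSubject(AuthenticationContext context, Map<String, Object> claims) throws ApplicationAuthenticatorException {
        String subjectClaimUri = context.getExternalIdP().getIdentityProvider().getClaimConfig().getUserClaimURI();
        Object subject = claims.get(subjectClaimUri);
        // A missing claim used to NPE on toString(); treat absent and blank the same way.
        if (subject == null || StringUtils.isBlank(subject.toString())) {
            throw new ApplicationAuthenticatorException("Authenticated user identifier is empty");
        }
        context.setSubject(AuthenticatedUser.createFederateAuthenticatedUserFromSubjectIdentifier(subject.toString()));
    }

    /**
     * Exchanges an authorization code for an access token at the token endpoint.
     *
     * @param tokenEndpoint     the IdP token endpoint URL
     * @param clientId          the registered client identifier
     * @param clientSecret      the client secret
     * @param authorizationCode the code received on the callback
     * @param callbackUrl       the redirect_uri used in the authorization request
     * @param basicAuthEnabled  when {@code true} client credentials go in an HTTP Basic header, otherwise in the body
     * @return the non-blank access token
     * @throws ApplicationAuthenticatorException if the exchange fails or no access token is returned
     */
    protected String getToken(String tokenEndpoint, String clientId, String clientSecret, String authorizationCode,
                              String callbackUrl, Boolean basicAuthEnabled) throws ApplicationAuthenticatorException {
        OAuthClientRequest tokenRequest = buildTokenRequest(tokenEndpoint, clientId, clientSecret,
                authorizationCode, callbackUrl, basicAuthEnabled);
        OAuthClientResponse tokenResponse = getOauthResponse(new OAuthClient(new URLConnectionClient()), tokenRequest);
        String accessToken = tokenResponse.getParam(Oauth2GenericAuthenticatorConstants.ACCESS_TOKEN);
        if (StringUtils.isBlank(accessToken)) {
            if (logger.isDebugEnabled()) {
                logger.debug("Access token is empty or null");
            }
            throw new ApplicationAuthenticatorException("Access token is empty or null");
        }
        return accessToken;
    }

    /**
     * Reads the {@code code} parameter from the callback request via Oltu's authorization-response parser.
     *
     * @param request the callback request
     * @return the authorization code
     * @throws ApplicationAuthenticatorException if Oltu rejects the response (missing code or an error response)
     */
    protected String getAuthorizationCode(HttpServletRequest request) throws ApplicationAuthenticatorException {
        try {
            return OAuthAuthzResponse.oauthCodeAuthzResponse(request).getCode();
        } catch (OAuthProblemException e) {
            throw new ApplicationAuthenticatorException("Exception while reading authorization code.", e);
        }
    }

    /**
     * Sends the token request and returns the parsed response.
     *
     * @param oAuthClient  the Oltu client to use
     * @param tokenRequest the request built by {@link #buildTokenRequest}
     * @return the token response
     * @throws ApplicationAuthenticatorException wrapping any Oltu failure, with the cause preserved
     */
    private OAuthClientResponse getOauthResponse(OAuthClient oAuthClient, OAuthClientRequest tokenRequest)
            throws ApplicationAuthenticatorException {
        try {
            return oAuthClient.accessToken(tokenRequest);
        } catch (OAuthSystemException | OAuthProblemException e) {
            if (logger.isDebugEnabled()) {
                logger.debug(e.getMessage());
            }
            // Keep the cause so the failing endpoint response is diagnosable from the wrapped exception.
            throw new ApplicationAuthenticatorException(e.getMessage(), e);
        }
    }

    /**
     * Builds the authorization-code token request.
     * <p>
     * With {@code basicAuthEnabled}, the client credentials are sent as {@code AUTH_TYPE + base64(id:secret)}.
     * Note that RFC 6749 §2.3.1 expects id and secret to be form-urlencoded before Base64; that is not done here,
     * so secrets containing {@code ':'} or non-ASCII characters may be rejected by strict servers.
     *
     * @param tokenEndpoint     the IdP token endpoint URL
     * @param clientId          the registered client identifier
     * @param clientSecret      the client secret
     * @param authorizationCode the code received on the callback
     * @param callbackUrl       the redirect_uri used in the authorization request
     * @param basicAuthEnabled  {@code true} for HTTP Basic client authentication; {@code null} is treated as false
     * @return the request ready to be sent
     * @throws ApplicationAuthenticatorException if Oltu cannot build the request
     */
    protected OAuthClientRequest buildTokenRequest(String tokenEndpoint, String clientId, String clientSecret,
                                                   String authorizationCode, String callbackUrl, Boolean basicAuthEnabled)
            throws ApplicationAuthenticatorException {
        try {
            if (Boolean.TRUE.equals(basicAuthEnabled)) {
                OAuthClientRequest tokenRequest = OAuthClientRequest.tokenLocation(tokenEndpoint)
                        .setGrantType(GrantType.AUTHORIZATION_CODE)
                        .setRedirectURI(callbackUrl)
                        .setCode(authorizationCode)
                        .buildBodyMessage();
                byte[] credentials = (clientId + ":" + clientSecret).getBytes(StandardCharsets.UTF_8);
                String encoded = new String(Base64.encodeBase64(credentials), StandardCharsets.UTF_8);
                tokenRequest.addHeader("Authorization", Oauth2GenericAuthenticatorConstants.AUTH_TYPE + encoded);
                return tokenRequest;
            }
            return OAuthClientRequest.tokenLocation(tokenEndpoint)
                    .setClientId(clientId)
                    .setClientSecret(clientSecret)
                    .setGrantType(GrantType.AUTHORIZATION_CODE)
                    .setCode(authorizationCode)
                    .setRedirectURI(callbackUrl)
                    .buildBodyMessage();
        } catch (OAuthSystemException e) {
            throw new ApplicationAuthenticatorException("Exception while building access token request.", e);
        }
    }

    /**
     * Declares the admin-configurable properties of this authenticator, in display order.
     *
     * @return the property list (client id/secret, callback, authz/token/user-info URLs, scope, two boolean flags)
     */
    @Override
    public List<Property> getConfigurationProperties() {
        List<Property> properties = new ArrayList<>();
        properties.add(property(Oauth2GenericAuthenticatorConstants.CLIENT_ID,
                Oauth2GenericAuthenticatorConstants.CLIENT_ID_DP,
                Oauth2GenericAuthenticatorConstants.CLIENT_ID_DESC, true, 1));
        Property clientSecret = property(Oauth2GenericAuthenticatorConstants.CLIENT_SECRET,
                Oauth2GenericAuthenticatorConstants.CLIENT_SECRET_DP,
                Oauth2GenericAuthenticatorConstants.CLIENT_SECRET_DESC, true, 2);
        // Flagged confidential; how the framework protects such values is outside this class.
        clientSecret.setConfidential(true);
        properties.add(clientSecret);
        properties.add(property(Oauth2GenericAuthenticatorConstants.CALLBACK_URL,
                Oauth2GenericAuthenticatorConstants.CALLBACK_URL_DP,
                Oauth2GenericAuthenticatorConstants.CALLBACK_URL_DESC, true, 3));
        properties.add(property(Oauth2GenericAuthenticatorConstants.OAUTH2_AUTHZ_URL,
                Oauth2GenericAuthenticatorConstants.OAUTH2_AUTHZ_URL_DP,
                Oauth2GenericAuthenticatorConstants.OAUTH2_AUTHZ_URL_DESC, true, 4));
        properties.add(property(Oauth2GenericAuthenticatorConstants.OAUTH2_TOKEN_URL,
                Oauth2GenericAuthenticatorConstants.OAUTH2_TOKEN_URL_DP,
                Oauth2GenericAuthenticatorConstants.OAUTH2_TOKEN_URL_DESC, true, 5));
        properties.add(property(Oauth2GenericAuthenticatorConstants.OAUTH2_USER_INFO_URL,
                Oauth2GenericAuthenticatorConstants.OAUTH2_USER_INFO_URL_DP,
                Oauth2GenericAuthenticatorConstants.OAUTH2_USER_INFO_URL_DESC, true, 6));
        properties.add(property(SCOPE_PROPERTY, SCOPE_PROPERTY,
                Oauth2GenericAuthenticatorConstants.SCOPE_DESC, false, 7));
        properties.add(booleanProperty(Oauth2GenericAuthenticatorConstants.IS_BASIC_AUTH_ENABLED,
                Oauth2GenericAuthenticatorConstants.IS_BASIC_AUTH_ENABLED_DP,
                Oauth2GenericAuthenticatorConstants.IS_BASIC_AUTH_ENABLED_DESC, 8));
        properties.add(booleanProperty(Oauth2GenericAuthenticatorConstants.SELF_CONTAINED_TOKEN_ENABLED,
                Oauth2GenericAuthenticatorConstants.SELF_CONTAINED_TOKEN_ENABLED_DP,
                Oauth2GenericAuthenticatorConstants.SELF_CONTAINED_TOKEN_ENABLED_DESC, 9));
        return properties;
    }

    /** Creates a plain string property with the given metadata. */
    private static Property property(String name, String displayName, String description, boolean required, int order) {
        Property property = new Property();
        property.setName(name);
        property.setDisplayName(displayName);
        property.setRequired(required);
        property.setDescription(description);
        property.setDisplayOrder(order);
        return property;
    }

    /** Creates an optional boolean property defaulting to {@code "false"}. */
    private static Property booleanProperty(String name, String displayName, String description, int order) {
        Property property = property(name, displayName, description, false, order);
        property.setType(Oauth2GenericAuthenticatorConstants.VAR_TYPE_BOOLEAN);
        property.setDefaultValue("false");
        return property;
    }

    /**
     * Fetches the user-info document with a GET carrying the access token in the {@code Authorization} header.
     *
     * @param userInfoEndpoint the user-info endpoint URL
     * @param accessToken      the access token obtained from the token endpoint
     * @return the non-blank response body
     * @throws ApplicationAuthenticatorException on a non-200 status, an empty body or an I/O failure
     * @throws MisconfigurationException         if the URL is malformed or not HTTP(S)
     */
    protected String getUserInfoFromUserInfoEP(String userInfoEndpoint, String accessToken)
            throws ApplicationAuthenticatorException, MisconfigurationException {
        HttpURLConnection connection = connect(userInfoEndpoint);
        try {
            connection.setRequestMethod("GET");
            connection.setRequestProperty("Authorization", Oauth2GenericAuthenticatorConstants.TOKEN_TYPE + accessToken);
            // NOTE(review): no connect/read timeout is set, so a stalled endpoint blocks the login thread
            // indefinitely; and HttpURLConnection follows redirects by default, which would re-send the
            // Authorization header to the redirect target. Both are worth tightening for production.
            int responseCode = connection.getResponseCode();
            if (responseCode != HttpURLConnection.HTTP_OK) {
                throw new ApplicationAuthenticatorException("Error while retrieving user info from URL: "
                        + userInfoEndpoint + " Response Code: " + responseCode);
            }
            String body = readBody(connection.getInputStream());
            if (StringUtils.isBlank(body)) {
                throw new ApplicationAuthenticatorException(
                        "Empty JSON response from user info endpoint. Unable to fetch user claims.");
            }
            return body;
        } catch (IOException e) {
            throw new ApplicationAuthenticatorException(e.getMessage(), e);
        } finally {
            connection.disconnect();
        }
    }

    /**
     * Obtains the user-info document either by decoding a self-contained token or by calling the endpoint.
     *
     * @param selfContainedToken {@code true} to decode the token payload locally; {@code null} is treated as false
     * @param accessToken        the access token from the token endpoint
     * @param properties         trimmed authenticator properties
     * @return the user-info JSON
     * @throws MisconfigurationException         if the user-info endpoint is needed but not configured
     * @throws ApplicationAuthenticatorException if the document cannot be obtained
     */
    protected String getUserInfo(Boolean selfContainedToken, String accessToken, Map<String, String> properties)
            throws MisconfigurationException, ApplicationAuthenticatorException {
        if (Boolean.TRUE.equals(selfContainedToken)) {
            return decodeAccessToken(accessToken);
        }
        return getUserInfoFromUserInfoEP(getUserInfoEndpoint(properties), accessToken);
    }

    /**
     * Returns the decoded payload segment of a self-contained (JWT-style) access token.
     * <p>
     * <b>The signature is not verified here.</b> The payload is only trustworthy because the token was obtained
     * directly from the configured token endpoint using the client credentials (see {@link #getToken}); never
     * pass a token received from the browser or any other party into this method.
     *
     * @param accessToken a dot-separated token
     * @return the UTF-8 decoded second segment
     * @throws ApplicationAuthenticatorException if the token has no payload segment or it decodes to blank
     */
    protected String decodeAccessToken(String accessToken) throws ApplicationAuthenticatorException {
        String[] segments = accessToken.split("\\.");
        if (segments.length <= 1) {
            throw new ApplicationAuthenticatorException(
                    "Error while decoding access token. Token is not a self contained access token.");
        }
        // commons-codec accepts both the standard and the URL-safe alphabet, which JWTs use.
        String payload = new String(Base64.decodeBase64(segments[1]), StandardCharsets.UTF_8);
        if (StringUtils.isBlank(payload)) {
            throw new ApplicationAuthenticatorException("Error while decoding access token. Decoded token is null.");
        }
        return payload;
    }

    /**
     * Opens an HTTP(S) connection to an admin-configured endpoint.
     *
     * @param endpoint the URL to connect to
     * @return the unconnected {@link HttpURLConnection}
     * @throws MisconfigurationException         if the URL is malformed or its scheme is not HTTP(S)
     * @throws ApplicationAuthenticatorException if opening the connection fails
     */
    protected HttpURLConnection connect(String endpoint) throws ApplicationAuthenticatorException, MisconfigurationException {
        try {
            URLConnection connection = new URL(endpoint).openConnection();
            // A non-HTTP scheme (e.g. file:) used to surface as a ClassCastException; report it as configuration.
            if (!(connection instanceof HttpURLConnection)) {
                throw new MisconfigurationException("Invalid URL. : " + endpoint);
            }
            return (HttpURLConnection) connection;
        } catch (MalformedURLException e) {
            throw new MisconfigurationException("Invalid URL. : " + endpoint, e);
        } catch (IOException e) {
            throw new ApplicationAuthenticatorException("Connection failed. : " + endpoint, e);
        }
    }

    /**
     * Reads a response body as UTF-8 text, concatenating lines without separators (the result is fed to a JSON
     * parser, for which the dropped line terminators are insignificant). The stream is closed on return.
     *
     * @param inputStream the response stream
     * @return the body text, possibly empty
     * @throws ApplicationAuthenticatorException on an I/O failure
     */
    protected String readBody(InputStream inputStream) throws ApplicationAuthenticatorException {
        StringBuilder body = new StringBuilder();
        try (BufferedReader reader = new BufferedReader(new InputStreamReader(inputStream, StandardCharsets.UTF_8))) {
            String line;
            while ((line = reader.readLine()) != null) {
                body.append(line);
            }
        } catch (IOException e) {
            throw new ApplicationAuthenticatorException("Error while reading response.", e);
        }
        return body.toString();
    }

    /** @return whether the request carries an authorization {@code code} parameter */
    protected boolean isOauth2CodeParamExists(HttpServletRequest request) {
        return request.getParameter(Oauth2GenericAuthenticatorConstants.OAUTH2_GRANT_TYPE_CODE) != null;
    }

    /**
     * Extracts the login-type tag appended to the {@code state} by {@link #initiateAuthenticationRequest}.
     *
     * @param request the callback request
     * @return the part after the first separator, or {@code null} if the state is blank or has no tag
     */
    protected String getLoginType(HttpServletRequest request) {
        String state = request.getParameter(Oauth2GenericAuthenticatorConstants.OAUTH2_PARAM_STATE);
        if (StringUtils.isBlank(state)) {
            return null;
        }
        String[] parts = state.split(STATE_SEPARATOR);
        return parts.length > 1 ? parts[1] : null;
    }

    /** @return whether the request has a {@code state} tagged with this authenticator's login type */
    protected boolean isOauthStateParamExists(HttpServletRequest request) {
        return request.getParameter(Oauth2GenericAuthenticatorConstants.OAUTH2_PARAM_STATE) != null
                && Oauth2GenericAuthenticatorConstants.OAUTH2_LOGIN_TYPE.equals(getLoginType(request));
    }

    /** @return {@code true} when the request looks like a callback for this authenticator (tagged state + code) */
    @Override
    public boolean canHandle(HttpServletRequest request) {
        return isOauthStateParamExists(request) && isOauth2CodeParamExists(request);
    }

    /**
     * Recovers the framework context identifier from the {@code state} of the callback.
     * <p>
     * The identifier is the random value generated at initiation; the framework is expected to resolve the
     * context from it and so reject callbacks that do not correspond to a live request (TODO confirm).
     *
     * @param request the callback request
     * @return the identifier, or {@code null} if Oltu rejects the response or the state is absent/blank
     */
    @Override
    public String getContextIdentifier(HttpServletRequest request) {
        try {
            String state = OAuthAuthzResponse.oauthCodeAuthzResponse(request).getState();
            if (StringUtils.isBlank(state)) {
                logger.error("No state returned");
                return null;
            }
            // A state such as "," splits to an empty array; the old code caught the resulting IOOBE.
            String[] parts = state.split(STATE_SEPARATOR);
            if (parts.length == 0 || StringUtils.isBlank(parts[0])) {
                logger.error("No state returned");
                return null;
            }
            return parts[0];
        } catch (OAuthProblemException e) {
            logger.error("No context", e);
            return null;
        }
    }

    /** @return a fresh 130-bit random value in base 32, used as context identifier and OAuth2 {@code state} */
    protected String generateState() {
        return new BigInteger(130, RANDOM).toString(32);
    }

    @Override
    public String getFriendlyName() {
        return "OAUTH2";
    }

    @Override
    public String getName() {
        return "OAUTH2";
    }

    /** @return the configured token endpoint @throws MisconfigurationException if blank */
    protected String getTokenEndpoint(Map<String, String> properties) throws MisconfigurationException {
        return requireProperty(properties, Oauth2GenericAuthenticatorConstants.OAUTH2_TOKEN_URL, "Token endpoint");
    }

    /** @return the configured authorization endpoint @throws MisconfigurationException if blank */
    protected String getAuthorizationServerEndpoint(Map<String, String> properties) throws MisconfigurationException {
        return requireProperty(properties, Oauth2GenericAuthenticatorConstants.OAUTH2_AUTHZ_URL,
                "Authorization server endpoint");
    }

    /** @return the configured user-info endpoint @throws MisconfigurationException if blank */
    protected String getUserInfoEndpoint(Map<String, String> properties) throws MisconfigurationException {
        return requireProperty(properties, Oauth2GenericAuthenticatorConstants.OAUTH2_USER_INFO_URL, "User info endpoint");
    }

    /**
     * Returns the context's authenticator properties with every value trimmed in place.
     *
     * @throws MisconfigurationException if the context has no property map
     */
    private Map<String, String> getAuthenticatorProperties(AuthenticationContext context) throws MisconfigurationException {
        Map<String, String> properties = context.getAuthenticatorProperties();
        if (properties == null) {
            throw new MisconfigurationException("Error while retrieving properties. Authenticator Properties cannot be null.");
        }
        for (Map.Entry<String, String> entry : properties.entrySet()) {
            entry.setValue(StringUtils.trim(entry.getValue()));
        }
        return properties;
    }

    private String getClientId(Map<String, String> properties) throws MisconfigurationException {
        return requireProperty(properties, Oauth2GenericAuthenticatorConstants.CLIENT_ID, "Client ID");
    }

    private String getClientSecret(Map<String, String> properties) throws MisconfigurationException {
        return requireProperty(properties, Oauth2GenericAuthenticatorConstants.CLIENT_SECRET, "Client secret");
    }

    /**
     * Looks up a mandatory property.
     *
     * @param properties the trimmed property map
     * @param key        the property name
     * @param what       human-readable name used in the error message
     * @return the non-blank value
     * @throws MisconfigurationException if the value is missing or blank
     */
    private static String requireProperty(Map<String, String> properties, String key, String what)
            throws MisconfigurationException {
        String value = properties.get(key);
        if (StringUtils.isBlank(value)) {
            throw new MisconfigurationException("Error while retrieving properties. " + what + " cannot be null.");
        }
        return value;
    }

    /**
     * Returns the configured callback URL, or a default built from the request's host and port.
     * <p>
     * Security note: the fallback takes host and port from the servlet request, which in most containers reflect
     * the incoming {@code Host} header; behind a proxy or with a permissive container that value can be
     * caller-influenced. Set the callback property explicitly in production instead of relying on the default.
     *
     * @param properties the trimmed property map
     * @param serverName the request server name
     * @param serverPort the request server port
     * @return the redirect_uri to use
     * @throws MisconfigurationException if the default URL cannot be formed
     */
    private String getCallbackURL(Map<String, String> properties, String serverName, int serverPort)
            throws MisconfigurationException {
        String configured = properties.get(Oauth2GenericAuthenticatorConstants.CALLBACK_URL);
        if (StringUtils.isNotBlank(configured)) {
            return configured;
        }
        try {
            return new URL(Oauth2GenericAuthenticatorConstants.DEFAULT_PROTOCOL_IDENTIFIER, serverName, serverPort,
                    Oauth2GenericAuthenticatorConstants.CALLBACK_URL_DEFAULT).toString();
        } catch (MalformedURLException e) {
            throw new MisconfigurationException(e.getMessage(), e);
        }
    }
}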
