package org.openmetadata.service.security;

import com.nimbusds.oauth2.sdk.id.State;
import com.nimbusds.oauth2.sdk.pkce.CodeChallenge;
import com.nimbusds.oauth2.sdk.pkce.CodeChallengeMethod;
import com.nimbusds.oauth2.sdk.pkce.CodeVerifier;
import com.nimbusds.openid.connect.sdk.AuthenticationRequest;
import com.nimbusds.openid.connect.sdk.Nonce;
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Collectors;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.pac4j.core.exception.TechnicalException;
import org.pac4j.core.util.CommonHelper;
import org.pac4j.oidc.client.OidcClient;
import org.pac4j.oidc.credentials.OidcCredentials;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

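/**
 * Entry point of the OIDC authorization-code login flow.
 *
 * <p>A GET either reuses credentials already stored in the HTTP session or redirects the browser
 * to the provider's authorization endpoint. The per-request values needed to validate the
 * callback (state, nonce, PKCE code verifier) are stored in the session under the attribute
 * names supplied by the {@link OidcClient}.
 */
@WebServlet({"/api/v1/auth/login"})
public class AuthLoginServlet extends HttpServlet {
    private static final Logger LOG = LoggerFactory.getLogger(AuthLoginServlet.class);
    public static final String OIDC_CREDENTIAL_PROFILE = "oidcCredentialProfile";
    private final OidcClient client;
    private final List<String> claimsOrder;
    private final String serverUrl;

    /**
     * @param oidcClient configured pac4j OIDC client used for provider metadata and session keys
     * @param str server URL passed through to {@code SecurityUtil.sendRedirectWithToken}
     * @param list claims order passed through to {@code SecurityUtil.sendRedirectWithToken}
     */
    public AuthLoginServlet(OidcClient oidcClient, String str, List<String> list) {
        this.client = oidcClient;
        this.serverUrl = str;
        this.claimsOrder = list;
    }

    /**
     * Redirects with a token when the session already holds OIDC credentials; otherwise builds an
     * authentication request and redirects to the provider.
     *
     * <p>{@code prompt=login} and {@code max_age=0} are always sent, asking the provider to
     * re-authenticate the user instead of reusing its own SSO session.
     */
    @Override
    protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        try {
            Optional<OidcCredentials> sessionCredentials = SecurityUtil.getUserCredentialsFromSession(httpServletRequest, this.client);
            if (sessionCredentials.isPresent()) {
                SecurityUtil.sendRedirectWithToken(httpServletResponse, sessionCredentials.get(), this.serverUrl, this.claimsOrder);
                return;
            }
            Map<String, String> params = buildParams();
            // Set after the custom parameters so configuration cannot override them.
            params.put("redirect_uri", this.client.getCallbackUrl());
            addStateAndNonceParameters(httpServletRequest, params);
            params.put("prompt", "login");
            params.put("max_age", "0");
            String authorizationUrl = buildAuthenticationRequestUrl(params);
            // The query string carries the state, nonce and PKCE challenge; keep them out of logs.
            int queryStart = authorizationUrl.indexOf('?');
            LOG.debug("Authentication request endpoint: {}", queryStart < 0 ? authorizationUrl : authorizationUrl.substring(0, queryStart));
            httpServletResponse.sendRedirect(authorizationUrl);
        } catch (Exception e) {
            // Servlet boundary: every failure is routed to the shared error writer.
            // NOTE(review): confirm SecurityUtil.getErrorMessage logs the cause and does not echo
            // exception detail back to the browser.
            SecurityUtil.getErrorMessage(httpServletResponse, new TechnicalException(e));
        }
    }

    /**
     * Builds the static part of the authentication request from the client configuration.
     *
     * <p>Custom parameters are applied after {@code scope}, {@code response_type} and
     * {@code response_mode}, so they may override those; {@code client_id} is written last and
     * cannot be overridden.
     *
     * @return a new mutable parameter map
     */
    protected Map<String, String> buildParams() {
        Map<String, String> params = new HashMap<>();
        params.put("scope", this.client.getConfiguration().getScope());
        params.put("response_type", this.client.getConfiguration().getResponseType());
        params.put("response_mode", "query");
        params.putAll(this.client.getConfiguration().getCustomParams());
        params.put("client_id", this.client.getConfiguration().getClientId());
        return params;
    }

    /**
     * Adds the state, nonce and PKCE parameters that the configuration enables, and stores the
     * matching secrets in the HTTP session for the callback to verify.
     *
     * @param httpServletRequest request whose session receives the generated values
     * @param map authentication request parameters, modified in place
     */
    protected void addStateAndNonceParameters(HttpServletRequest httpServletRequest, Map<String, String> map) {
        if (this.client.getConfiguration().isWithState()) {
            // State is the anti-CSRF token of the flow. The no-arg constructor generates a
            // 256-bit random value; the previous ten-character string was short for that role.
            State state = new State();
            map.put("state", state.getValue());
            httpServletRequest.getSession().setAttribute(this.client.getStateSessionAttributeName(), state);
        }
        if (this.client.getConfiguration().isUseNonce()) {
            // The nonce binds the ID token to this request (replay protection).
            Nonce nonce = new Nonce();
            map.put("nonce", nonce.getValue());
            httpServletRequest.getSession().setAttribute(this.client.getNonceSessionAttributeName(), nonce.getValue());
        }
        CodeChallengeMethod pkceMethod = this.client.getConfiguration().findPkceMethod();
        if (pkceMethod != null) {
            // RFC 7636 section 4.1 requires a code verifier of 43 to 128 characters. A
            // ten-character verifier is out of range, and Nimbus releases that validate the
            // length reject it with IllegalArgumentException, which would fail every PKCE login.
            // The no-arg constructor generates a compliant 256-bit random verifier.
            CodeVerifier codeVerifier = new CodeVerifier();
            httpServletRequest.getSession().setAttribute(this.client.getCodeVerifierSessionAttributeName(), codeVerifier);
            map.put("code_challenge", CodeChallenge.compute(pkceMethod, codeVerifier).getValue());
            map.put("code_challenge_method", pkceMethod.getValue());
        }
    }

    /**
     * Serialises the parameters into an authentication request URL on the provider's
     * authorization endpoint.
     *
     * @param map single-valued request parameters
     * @return the authorization endpoint followed by {@code ?} and the encoded query string
     * @throws TechnicalException if the parameters do not form a valid authentication request
     */
    protected String buildAuthenticationRequestUrl(Map<String, String> map) {
        try {
            // Nimbus parses multi-valued parameters, so each value is wrapped in a one-item list.
            Map<String, List<String>> multiValued = map.entrySet().stream()
                    .collect(Collectors.toMap(Map.Entry::getKey, entry -> Collections.singletonList(entry.getValue())));
            String endpoint = this.client.getConfiguration().getProviderMetadata().getAuthorizationEndpointURI().toString();
            return endpoint + "?" + AuthenticationRequest.parse(multiValued).toQueryString();
        } catch (Exception e) {
            throw new TechnicalException(e);
        }
    }

    /**
     * Writes {@code str} as a UTF-8 {@code application/json} body with status 200.
     *
     * @param httpServletResponse response to write to; it is committed on return
     * @param str JSON text to send
     * @throws IOException if the body cannot be written
     */
    public static void writeJsonResponse(HttpServletResponse httpServletResponse, String str) throws IOException {
        // Status and headers must be set before the flush commits the response; a status set
        // afterwards is ignored by the container.
        httpServletResponse.setStatus(HttpServletResponse.SC_OK);
        httpServletResponse.setContentType("application/json");
        httpServletResponse.setCharacterEncoding("UTF-8");
        // ServletOutputStream.print(String) cannot encode characters outside ISO-8859-1, so the
        // bytes are produced explicitly in the charset declared above.
        httpServletResponse.getOutputStream().write(String.valueOf(str).getBytes(java.nio.charset.StandardCharsets.UTF_8));
        httpServletResponse.getOutputStream().flush();
    }
}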
