package org.openmetadata.service.security;

import com.fasterxml.jackson.core.type.TypeReference;
import com.google.common.collect.ImmutableMap;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jwt.JWT;
import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
import com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import java.io.BufferedWriter;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.io.UncheckedIOException;
import java.net.HttpURLConnection;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.Provider;
import java.text.ParseException;
import java.time.Instant;
import java.util.Arrays;
import java.util.Collection;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.TreeMap;
import java.util.stream.Stream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.client.Invocation;
import javax.ws.rs.client.WebTarget;
import javax.ws.rs.core.SecurityContext;
import org.openmetadata.common.utils.CommonUtil;
import org.openmetadata.schema.security.client.OidcClientConfig;
import org.openmetadata.service.OpenMetadataApplicationConfig;
import org.openmetadata.service.util.JsonUtils;
import org.pac4j.core.exception.TechnicalException;
import org.pac4j.core.util.CommonHelper;
import org.pac4j.core.util.HttpUtils;
import org.pac4j.oidc.client.AzureAd2Client;
import org.pac4j.oidc.client.GoogleOidcClient;
import org.pac4j.oidc.client.OidcClient;
import org.pac4j.oidc.config.AzureAd2OidcConfiguration;
import org.pac4j.oidc.config.OidcConfiguration;
import org.pac4j.oidc.config.PrivateKeyJWTClientAuthnMethodConfig;
import org.pac4j.oidc.credentials.OidcCredentials;
import org.pac4j.oidc.credentials.authenticator.OidcAuthenticator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/openmetadata/service/security/SecurityUtil.class */
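/**
 * Static helpers shared by the OIDC login flow: principal/header handling, pac4j
 * {@link OidcClient} construction from {@link OidcClientConfig}, token-endpoint client
 * authentication selection, and session-held credential renewal.
 *
 * <p>All methods are stateless; the class holds only constants and a logger.
 */
public final class SecurityUtil {
    public static final String DEFAULT_PRINCIPAL_DOMAIN = "openmetadata.org";
    private static final Logger LOG = LoggerFactory.getLogger(SecurityUtil.class);
    /** Token-endpoint client authentication methods this class knows how to build (see getClientAuthentication). */
    private static final Collection<ClientAuthenticationMethod> SUPPORTED_METHODS = Arrays.asList(
            ClientAuthenticationMethod.CLIENT_SECRET_POST,
            ClientAuthenticationMethod.CLIENT_SECRET_BASIC,
            ClientAuthenticationMethod.PRIVATE_KEY_JWT,
            ClientAuthenticationMethod.NONE);
    /** An ID token expiring within this many seconds is treated as expired so it is renewed before it actually lapses. */
    private static final long EXPIRY_SKEW_SECONDS = 30L;
    /** Highest index of the numbered customParamKeyN / customParamValueN pairs read from OidcClientConfig. */
    private static final int MAX_CUSTOM_PARAMS = 5;

    private SecurityUtil() {
    }

    /**
     * Returns the bare user name of the authenticated principal: the part of the principal
     * name before the first {@code /} or {@code @}.
     *
     * @param securityContext JAX-RS security context of the current request
     * @return the user name, or {@code null} when no principal is attached to the context
     */
    public static String getUserName(SecurityContext securityContext) {
        Principal userPrincipal = securityContext.getUserPrincipal();
        if (userPrincipal == null) {
            return null;
        }
        return userPrincipal.getName().split("[/@]")[0];
    }

    /**
     * Builds the auth header map carrying the given email.
     *
     * @param email principal email; when {@code null} the returned map is empty
     * @return an immutable map with at most the {@code X_AUTH_PARAMS_EMAIL_HEADER} entry
     */
    public static Map<String, String> authHeaders(String email) {
        ImmutableMap.Builder<String, String> builder = ImmutableMap.builder();
        if (email != null) {
            builder.put(CatalogOpenIdAuthorizationRequestFilter.X_AUTH_PARAMS_EMAIL_HEADER, email);
        }
        return builder.build();
    }

    /**
     * Extracts the principal name (local part of the email) from an auth header map.
     *
     * @param authHeaders header map as produced by {@link #authHeaders(String)}; may be {@code null}
     * @return the part of the email before {@code @}, or {@code null} when the map or header is absent
     */
    public static String getPrincipalName(Map<String, String> authHeaders) {
        if (authHeaders == null) {
            return null;
        }
        String email = authHeaders.get(CatalogOpenIdAuthorizationRequestFilter.X_AUTH_PARAMS_EMAIL_HEADER);
        return email == null ? null : email.split("@")[0];
    }

    /**
     * Returns the configured principal domain, falling back to {@link #DEFAULT_PRINCIPAL_DOMAIN}
     * when the authorizer configuration leaves it null or empty.
     *
     * @param openMetadataApplicationConfig application configuration
     * @return the principal domain to append to bare user names
     */
    public static String getDomain(OpenMetadataApplicationConfig openMetadataApplicationConfig) {
        String principalDomain = openMetadataApplicationConfig.getAuthorizerConfiguration().getPrincipalDomain();
        return CommonUtil.nullOrEmpty(principalDomain) ? DEFAULT_PRINCIPAL_DOMAIN : principalDomain;
    }

    /**
     * Creates a request builder for {@code webTarget}, copying the email auth header from
     * {@code authHeaders} when a map is supplied.
     *
     * @param webTarget target to build the request against
     * @param authHeaders auth header map; {@code null} yields a request without the header
     * @return the invocation builder
     */
    public static Invocation.Builder addHeaders(WebTarget webTarget, Map<String, String> authHeaders) {
        Invocation.Builder request = webTarget.request();
        if (authHeaders == null) {
            return request;
        }
        String headerName = CatalogOpenIdAuthorizationRequestFilter.X_AUTH_PARAMS_EMAIL_HEADER;
        return request.header(headerName, authHeaders.get(headerName));
    }

    /**
     * Builds a pac4j {@link OidcClient} (generic, Azure AD v2 or Google flavoured) from the
     * application's OIDC client configuration.
     *
     * @param oidcClientConfig client settings; id and secret are mandatory
     * @return a client named {@code OMOidcClient<provider name>}
     * @throws IllegalArgumentException when the client id or secret is blank, or maxClockSkew is not an integer
     */
    public static OidcClient tryCreateOidcClient(OidcClientConfig oidcClientConfig) {
        String id = oidcClientConfig.getId();
        String secret = oidcClientConfig.getSecret();
        if (!CommonHelper.isNotBlank(id) || !CommonHelper.isNotBlank(secret)) {
            throw new IllegalArgumentException("Client ID and Client Secret is required to create OidcClient");
        }
        OidcConfiguration oidcConfiguration = buildOidcConfiguration(oidcClientConfig, id, secret);
        addCustomParams(oidcClientConfig.getCustomParams(), oidcConfiguration);
        OidcClient oidcClient = instantiateClient(oidcClientConfig, oidcConfiguration);
        oidcClient.setName(String.format("OMOidcClient%s", oidcClient.getName()));
        return oidcClient;
    }

    /** Copies the optional scalar settings of {@code clientConfig} onto a fresh pac4j configuration. */
    private static OidcConfiguration buildOidcConfiguration(OidcClientConfig clientConfig, String id, String secret) {
        OidcConfiguration configuration = new OidcConfiguration();
        configuration.setClientId(id);
        // secret was already validated as non-blank by the caller
        configuration.setSecret(secret);
        configuration.setResponseMode("query");
        String responseType = clientConfig.getResponseType();
        if (CommonHelper.isNotBlank(responseType)) {
            configuration.setResponseType(responseType);
        }
        String scope = clientConfig.getScope();
        if (CommonHelper.isNotBlank(scope)) {
            configuration.setScope(scope);
        }
        String discoveryUri = clientConfig.getDiscoveryUri();
        if (CommonHelper.isNotBlank(discoveryUri)) {
            configuration.setDiscoveryURI(discoveryUri);
        }
        String useNonce = clientConfig.getUseNonce();
        if (CommonHelper.isNotBlank(useNonce)) {
            configuration.setUseNonce(Boolean.parseBoolean(useNonce));
        }
        String preferredJwsAlgorithm = clientConfig.getPreferredJwsAlgorithm();
        if (CommonHelper.isNotBlank(preferredJwsAlgorithm)) {
            configuration.setPreferredJwsAlgorithm(JWSAlgorithm.parse(preferredJwsAlgorithm));
        }
        String maxClockSkew = clientConfig.getMaxClockSkew();
        if (CommonHelper.isNotBlank(maxClockSkew)) {
            try {
                configuration.setMaxClockSkew(Integer.parseInt(maxClockSkew));
            } catch (NumberFormatException e) {
                throw new IllegalArgumentException("maxClockSkew must be an integer, got: " + maxClockSkew, e);
            }
        }
        if (clientConfig.getClientAuthenticationMethod() != null) {
            String method = clientConfig.getClientAuthenticationMethod().value();
            if (CommonHelper.isNotBlank(method)) {
                configuration.setClientAuthenticationMethod(ClientAuthenticationMethod.parse(method));
            }
        }
        // PKCE stays enabled unless the flag is explicitly true; a missing flag no longer NPEs
        configuration.setDisablePkce(Boolean.TRUE.equals(clientConfig.getDisablePkce()));
        return configuration;
    }

    /**
     * Registers the numbered custom parameters (customParamKey1/customParamValue1 ... up to
     * {@link #MAX_CUSTOM_PARAMS}) as extra authorization-request parameters.
     *
     * @param customParams raw custom-parameter map from the config; {@code null} is a no-op
     */
    private static void addCustomParams(Map<String, ?> customParams, OidcConfiguration configuration) {
        if (customParams == null) {
            return;
        }
        for (int i = 1; i <= MAX_CUSTOM_PARAMS; i++) {
            String keyName = String.format("customParamKey%d", i);
            if (customParams.containsKey(keyName)) {
                String valueName = String.format("customParamValue%d", i);
                configuration.addCustomParam((String) customParams.get(keyName), (String) customParams.get(valueName));
            }
        }
    }

    /** Picks the pac4j client class by provider type ("azure", "google", otherwise generic). */
    private static OidcClient instantiateClient(OidcClientConfig clientConfig, OidcConfiguration configuration) {
        String type = clientConfig.getType();
        if ("azure".equalsIgnoreCase(type)) {
            AzureAd2OidcConfiguration azureConfiguration = new AzureAd2OidcConfiguration(configuration);
            String tenant = clientConfig.getTenant();
            if (CommonHelper.isNotBlank(tenant)) {
                azureConfiguration.setTenant(tenant);
            }
            return new AzureAd2Client(azureConfiguration);
        }
        if ("google".equalsIgnoreCase(type)) {
            GoogleOidcClient googleClient = new GoogleOidcClient(configuration);
            // presumably requested so Google issues a refresh token -- confirm against Google's OAuth docs
            googleClient.getConfiguration().getCustomParams().put("access_type", "offline");
            return googleClient;
        }
        return new OidcClient(configuration);
    }

    /**
     * Builds the token-endpoint client authentication for {@code oidcConfiguration}.
     *
     * @param oidcConfiguration pac4j configuration; must be able to resolve provider metadata
     * @return the client authentication, or {@code null} when no secret is configured or the
     *         resolved method is {@code NONE}
     * @throws TechnicalException when the configured method is unsupported, rejected by the
     *         provider metadata, or the private-key JWT cannot be built
     */
    public static ClientAuthentication getClientAuthentication(OidcConfiguration oidcConfiguration) {
        if (oidcConfiguration.getSecret() == null) {
            return null;
        }
        ClientID clientID = new ClientID(oidcConfiguration.getClientId());
        ClientAuthenticationMethod method = resolveAuthenticationMethod(oidcConfiguration);
        if (ClientAuthenticationMethod.CLIENT_SECRET_POST.equals(method)) {
            return new ClientSecretPost(clientID, new Secret(oidcConfiguration.getSecret()));
        }
        if (ClientAuthenticationMethod.CLIENT_SECRET_BASIC.equals(method)) {
            return new ClientSecretBasic(clientID, new Secret(oidcConfiguration.getSecret()));
        }
        if (ClientAuthenticationMethod.PRIVATE_KEY_JWT.equals(method)) {
            return privateKeyJwtAuthentication(oidcConfiguration, clientID);
        }
        // NONE: no client authentication is attached to the token request
        return null;
    }

    /**
     * Reconciles the configured (preferred) method with what the provider metadata advertises.
     * Without metadata the preferred method (or the library default) is used; without a
     * preferred method the first advertised method we support is used; otherwise the preferred
     * method must be advertised.
     */
    private static ClientAuthenticationMethod resolveAuthenticationMethod(OidcConfiguration oidcConfiguration) {
        List<ClientAuthenticationMethod> providerMethods = oidcConfiguration.findProviderMetadata().getTokenEndpointAuthMethods();
        ClientAuthenticationMethod preferred = getPreferredAuthenticationMethod(oidcConfiguration);
        if (!CommonHelper.isNotEmpty(providerMethods)) {
            ClientAuthenticationMethod chosen = preferred != null ? preferred : ClientAuthenticationMethod.getDefault();
            LOG.info("Provider metadata does not provide Token endpoint authentication methods. Using: {}", chosen);
            return chosen;
        }
        if (preferred == null) {
            return firstSupportedMethod(providerMethods);
        }
        if (!providerMethods.contains(preferred)) {
            throw new TechnicalException("Preferred authentication method (" + preferred + ") not supported by provider according to provider metadata (" + providerMethods + ").");
        }
        return preferred;
    }

    /** Builds a private_key_jwt assertion signer from the configuration's key material. */
    private static ClientAuthentication privateKeyJwtAuthentication(OidcConfiguration oidcConfiguration, ClientID clientID) {
        PrivateKeyJWTClientAuthnMethodConfig jwtConfig = oidcConfiguration.getPrivateKeyJWTClientAuthnMethodConfig();
        CommonHelper.assertNotNull("privateKetJwtConfig", jwtConfig);
        JWSAlgorithm jwsAlgorithm = jwtConfig.getJwsAlgorithm();
        CommonHelper.assertNotNull("privateKetJwtConfig.getJwsAlgorithm()", jwsAlgorithm);
        PrivateKey privateKey = jwtConfig.getPrivateKey();
        CommonHelper.assertNotNull("privateKetJwtConfig.getPrivateKey()", privateKey);
        try {
            return new PrivateKeyJWT(clientID, oidcConfiguration.findProviderMetadata().getTokenEndpointURI(), jwsAlgorithm, privateKey, jwtConfig.getKeyID(), (Provider) null);
        } catch (JOSEException e) {
            throw new TechnicalException("Cannot instantiate private key JWT client authentication method", e);
        }
    }

    /**
     * Returns the configured client authentication method, if any.
     *
     * @return the configured method, or {@code null} when none is configured
     * @throws TechnicalException when the configured method is not in {@link #SUPPORTED_METHODS}
     */
    private static ClientAuthenticationMethod getPreferredAuthenticationMethod(OidcConfiguration oidcConfiguration) {
        ClientAuthenticationMethod configured = oidcConfiguration.getClientAuthenticationMethod();
        if (configured == null) {
            return null;
        }
        if (!SUPPORTED_METHODS.contains(configured)) {
            throw new TechnicalException("Configured authentication method (" + configured + ") is not supported.");
        }
        return configured;
    }

    /**
     * Returns the first advertised method that is in {@link #SUPPORTED_METHODS}.
     *
     * @throws TechnicalException when none of the advertised methods is supported
     */
    private static ClientAuthenticationMethod firstSupportedMethod(List<ClientAuthenticationMethod> providerMethods) {
        return providerMethods.stream()
                .filter(SUPPORTED_METHODS::contains)
                .findFirst()
                .orElseThrow(() -> new TechnicalException(
                        "None of the Token endpoint provider metadata authentication methods are supported: " + providerMethods));
    }

    /**
     * Writes a minimal HTML error page for a failed login callback and logs the failure.
     * The exception message is HTML-escaped before being echoed, since it may carry text
     * that originated from the provider or the request.
     *
     * @param httpServletResponse response to write to
     * @param exc the failure; its message is shown to the user and logged with its stack trace
     * @throws UncheckedIOException when the response body cannot be written
     */
    public static void getErrorMessage(HttpServletResponse httpServletResponse, Exception exc) {
        String message = String.valueOf(exc.getMessage());
        httpServletResponse.setContentType("text/html; charset=UTF-8");
        LOG.error("[Auth Callback Servlet] Failed in Auth Login : {}", message, exc);
        try {
            httpServletResponse.getOutputStream().println(
                    String.format("<p> [Auth Callback Servlet] Failed in Auth Login : %s </p>", escapeHtml(message)));
        } catch (IOException e) {
            throw new UncheckedIOException("Failed to write auth error response", e);
        }
    }

    /** Escapes the five HTML-significant characters so {@code text} renders as literal text. */
    private static String escapeHtml(String text) {
        StringBuilder escaped = new StringBuilder(text.length());
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '<':
                    escaped.append("&lt;");
                    break;
                case '>':
                    escaped.append("&gt;");
                    break;
                case '&':
                    escaped.append("&amp;");
                    break;
                case '"':
                    escaped.append("&quot;");
                    break;
                case '\'':
                    escaped.append("&#39;");
                    break;
                default:
                    escaped.append(c);
            }
        }
        return escaped.toString();
    }

    /**
     * Redirects the browser to {@code <redirectUri>/auth/callback} carrying the raw ID token,
     * the derived email and the derived user name as query parameters.
     *
     * <p>The user name is taken from the first claim in {@code claimsOrder} present in the ID
     * token (claim names matched case-insensitively); an {@code @} suffix is stripped and the
     * email is rebuilt as {@code <name>@<principalDomain>}. {@code redirectUri} is used as given
     * and is not validated here, so callers must supply a configured value rather than a
     * request-controlled one.
     *
     * @param httpServletResponse response used to issue the redirect
     * @param oidcCredentials credentials holding the ID token
     * @param redirectUri base URI the callback path is appended to
     * @param claimsOrder claim names to try, in order of preference
     * @param principalDomain domain appended to the user name to form the email
     * @throws ParseException when the ID token's claims cannot be parsed
     * @throws IOException when the redirect cannot be sent
     * @throws AuthenticationException when none of {@code claimsOrder} is present in the token
     */
    public static void sendRedirectWithToken(HttpServletResponse httpServletResponse, OidcCredentials oidcCredentials, String redirectUri, List<String> claimsOrder, String principalDomain) throws ParseException, IOException {
        JWT idToken = oidcCredentials.getIdToken();
        Map<String, Object> claims = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        claims.putAll(idToken.getJWTClaimsSet().getClaims());
        String claimValue = claimsOrder.stream()
                .filter(claims::containsKey)
                .findFirst()
                .map(claims::get)
                .map(String.class::cast)
                .orElseThrow(() -> new AuthenticationException("Invalid JWT token, none of the following claims are present " + claimsOrder));
        String userName = claimValue.contains("@") ? claimValue.split("@")[0] : claimValue;
        String email = String.format("%s@%s", userName, principalDomain);
        // values are form-encoded so claim text containing '&', '#' or spaces cannot break the query string;
        // the JWT's base64url alphabet is left untouched by the encoder
        httpServletResponse.sendRedirect(String.format("%s/auth/callback?id_token=%s&email=%s&name=%s",
                redirectUri, urlEncode(idToken.getParsedString()), urlEncode(email), urlEncode(userName)));
    }

    /** application/x-www-form-urlencoded encoding of a single query-string value. */
    private static String urlEncode(String value) throws IOException {
        return URLEncoder.encode(value, StandardCharsets.UTF_8.name());
    }

    /**
     * Reports whether the ID token expires within {@link #EXPIRY_SKEW_SECONDS} from now.
     *
     * @return {@code true} when an expiration claim is present and is within the skew window;
     *         a token without an {@code exp} claim is never considered expired here
     * @throws ParseException when the ID token's claims cannot be parsed
     */
    public static boolean isCredentialsExpired(OidcCredentials oidcCredentials) throws ParseException {
        Date expirationTime = oidcCredentials.getIdToken().getJWTClaimsSet().getExpirationTime();
        if (expirationTime == null) {
            return false;
        }
        return expirationTime.toInstant().isBefore(Instant.now().plusSeconds(EXPIRY_SKEW_SECONDS));
    }

    /**
     * Loads the OIDC credentials stored in the HTTP session, renewing them first when expired.
     *
     * @param httpServletRequest request whose session is consulted
     * @param oidcClient client used for token refresh
     * @return the (possibly renewed) credentials, or empty when the session has none or they
     *         carry no refresh token; both cases are logged at error level with the session id
     * @throws ParseException when the stored ID token's claims cannot be parsed
     */
    public static Optional<OidcCredentials> getUserCredentialsFromSession(HttpServletRequest httpServletRequest, OidcClient oidcClient) throws ParseException {
        OidcCredentials oidcCredentials = (OidcCredentials) httpServletRequest.getSession().getAttribute(AuthLoginServlet.OIDC_CREDENTIAL_PROFILE);
        if (oidcCredentials == null) {
            LOG.error("No credentials found against session. ID: {}", httpServletRequest.getSession().getId());
            return Optional.empty();
        }
        if (oidcCredentials.getRefreshToken() == null) {
            LOG.error("No refresh token found against session. ID: {}", httpServletRequest.getSession().getId());
            return Optional.empty();
        }
        removeOrRenewOidcCredentials(httpServletRequest, oidcClient, oidcCredentials);
        return Optional.of(oidcCredentials);
    }

    /**
     * Renews {@code oidcCredentials} in place when expired and stores them back in the session.
     * Azure AD v2 configurations use the dedicated refresh path; everything else goes through
     * pac4j's {@link OidcAuthenticator#refresh}. Callers must have checked that a refresh token
     * is present.
     */
    private static void removeOrRenewOidcCredentials(HttpServletRequest httpServletRequest, OidcClient oidcClient, OidcCredentials oidcCredentials) throws ParseException {
        if (!isCredentialsExpired(oidcCredentials)) {
            return;
        }
        LOG.debug("Expired credentials found, trying to renew.");
        OidcConfiguration configuration = oidcClient.getConfiguration();
        if (configuration instanceof AzureAd2OidcConfiguration) {
            refreshAccessTokenAzureAd2Token((AzureAd2OidcConfiguration) configuration, oidcCredentials);
        } else {
            new OidcAuthenticator(configuration, oidcClient).refresh(oidcCredentials);
        }
        // persist the renewed tokens so later requests in this session see them
        httpServletRequest.getSession().setAttribute(AuthLoginServlet.OIDC_CREDENTIAL_PROFILE, oidcCredentials);
    }

    /**
     * Exchanges the refresh token at the Azure AD v2 token endpoint and replaces the access
     * token in {@code oidcCredentials}. The connection is always closed, including on failure.
     *
     * @throws TechnicalException on any I/O failure, a non-200 response, or a response without an
     *         {@code access_token} string
     */
    private static void refreshAccessTokenAzureAd2Token(AzureAd2OidcConfiguration azureAd2OidcConfiguration, OidcCredentials oidcCredentials) {
        HttpURLConnection connection = null;
        try {
            Map<String, String> headers = new HashMap<>();
            headers.put("Content-Type", "application/x-www-form-urlencoded");
            headers.put("Accept", "application/json");
            connection = HttpUtils.openPostConnection(azureAd2OidcConfiguration.findProviderMetadata().getTokenEndpointURI().toURL(), headers);
            String requestBody = azureAd2OidcConfiguration.makeOauth2TokenRequest(oidcCredentials.getRefreshToken().getValue());
            try (BufferedWriter writer = new BufferedWriter(new OutputStreamWriter(connection.getOutputStream(), StandardCharsets.UTF_8))) {
                writer.write(requestBody);
            }
            if (connection.getResponseCode() != HttpURLConnection.HTTP_OK) {
                throw new TechnicalException("request for access token failed: " + HttpUtils.buildHttpErrorMessage(connection));
            }
            Map<?, ?> body = (Map<?, ?>) JsonUtils.readValue(HttpUtils.readBody(connection), new TypeReference<Map<String, Object>>() {
            });
            Object accessToken = body.get("access_token");
            if (!(accessToken instanceof String)) {
                throw new TechnicalException("request for access token failed: response did not contain an access_token string");
            }
            oidcCredentials.setAccessToken(new BearerAccessToken((String) accessToken));
        } catch (IOException e) {
            throw new TechnicalException(e);
        } finally {
            // null-safe in the original as well (it was called with null on the error path)
            HttpUtils.closeConnection(connection);
        }
    }
}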
