package org.openmetadata.service.security;

import com.fasterxml.jackson.core.type.TypeReference;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.oauth2.sdk.AuthorizationCode;
import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
import com.nimbusds.oauth2.sdk.AuthorizationGrant;
import com.nimbusds.oauth2.sdk.ErrorObject;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.RefreshTokenGrant;
import com.nimbusds.oauth2.sdk.TokenErrorResponse;
import com.nimbusds.oauth2.sdk.TokenRequest;
import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
import com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.http.HTTPResponse;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.State;
import com.nimbusds.oauth2.sdk.pkce.CodeChallenge;
import com.nimbusds.oauth2.sdk.pkce.CodeChallengeMethod;
import com.nimbusds.oauth2.sdk.pkce.CodeVerifier;
import com.nimbusds.oauth2.sdk.token.AccessToken;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.oauth2.sdk.token.RefreshToken;
import com.nimbusds.oauth2.sdk.util.JSONObjectUtils;
import com.nimbusds.openid.connect.sdk.AuthenticationErrorResponse;
import com.nimbusds.openid.connect.sdk.AuthenticationRequest;
import com.nimbusds.openid.connect.sdk.AuthenticationResponseParser;
import com.nimbusds.openid.connect.sdk.AuthenticationSuccessResponse;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
import com.nimbusds.openid.connect.sdk.validators.BadJWTExceptions;
import java.io.BufferedWriter;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.net.HttpURLConnection;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.PrivateKey;
import java.security.Provider;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.TreeMap;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.ws.rs.BadRequestException;
import net.minidev.json.JSONObject;
import org.openmetadata.common.utils.CommonUtil;
import org.openmetadata.schema.api.security.AuthenticationConfiguration;
import org.openmetadata.schema.api.security.AuthorizerConfiguration;
import org.openmetadata.schema.auth.ServiceTokenType;
import org.openmetadata.schema.entity.teams.User;
import org.openmetadata.schema.security.client.OidcClientConfig;
import org.openmetadata.schema.type.Include;
import org.openmetadata.service.Entity;
import org.openmetadata.service.auth.JwtResponse;
import org.openmetadata.service.security.jwt.JWTTokenGenerator;
import org.openmetadata.service.util.JsonUtils;
import org.openmetadata.service.util.UserUtil;
import org.pac4j.core.exception.TechnicalException;
import org.pac4j.core.util.CommonHelper;
import org.pac4j.core.util.HttpUtils;
import org.pac4j.oidc.client.AzureAd2Client;
import org.pac4j.oidc.client.GoogleOidcClient;
import org.pac4j.oidc.client.OidcClient;
import org.pac4j.oidc.config.AzureAd2OidcConfiguration;
import org.pac4j.oidc.config.OidcConfiguration;
import org.pac4j.oidc.config.PrivateKeyJWTClientAuthnMethodConfig;
import org.pac4j.oidc.credentials.OidcCredentials;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/openmetadata/service/security/AuthenticationCodeFlowHandler.class */
public class AuthenticationCodeFlowHandler {
    private static final Logger LOG = LoggerFactory.getLogger(AuthenticationCodeFlowHandler.class);
    private static final Collection<ClientAuthenticationMethod> SUPPORTED_METHODS = Arrays.asList(ClientAuthenticationMethod.CLIENT_SECRET_POST, ClientAuthenticationMethod.CLIENT_SECRET_BASIC, ClientAuthenticationMethod.PRIVATE_KEY_JWT, ClientAuthenticationMethod.NONE);
    public static final String DEFAULT_PRINCIPAL_DOMAIN = "openmetadata.org";
    public static final String OIDC_CREDENTIAL_PROFILE = "oidcCredentialProfile";
    private final OidcClient client;
    private final List<String> claimsOrder;
    private final Map<String, String> claimsMapping;
    private final String serverUrl;
    private final ClientAuthentication clientAuthentication;
    private final String principalDomain;
    private final int tokenValidity;

    public AuthenticationCodeFlowHandler(AuthenticationConfiguration authenticationConfiguration, AuthorizerConfiguration authorizerConfiguration) {
        CommonHelper.assertNotNull("OidcConfiguration", authenticationConfiguration.getOidcConfiguration());
        CommonHelper.assertNotBlank("CallbackUrl", authenticationConfiguration.getOidcConfiguration().getCallbackUrl());
        CommonHelper.assertNotBlank("ServerUrl", authenticationConfiguration.getOidcConfiguration().getServerUrl());
        this.client = buildOidcClient(authenticationConfiguration.getOidcConfiguration());
        this.client.setCallbackUrl(authenticationConfiguration.getOidcConfiguration().getCallbackUrl());
        this.clientAuthentication = getClientAuthentication(this.client.getConfiguration());
        this.serverUrl = authenticationConfiguration.getOidcConfiguration().getServerUrl();
        this.claimsOrder = authenticationConfiguration.getJwtPrincipalClaims();
        this.claimsMapping = (Map) CommonUtil.listOrEmpty(authenticationConfiguration.getJwtPrincipalClaimsMapping()).stream().map(str -> {
            return str.split(":");
        }).collect(Collectors.toMap(strArr -> {
            return strArr[0];
        }, strArr2 -> {
            return strArr2[1];
        }));
        validatePrincipalClaimsMapping(this.claimsMapping);
        this.principalDomain = authorizerConfiguration.getPrincipalDomain();
        this.tokenValidity = authenticationConfiguration.getOidcConfiguration().getTokenValidity().intValue();
    }

    private OidcClient buildOidcClient(OidcClientConfig oidcClientConfig) {
        OidcClient oidcClient;
        String id = oidcClientConfig.getId();
        String secret = oidcClientConfig.getSecret();
        if (!CommonHelper.isNotBlank(id) || !CommonHelper.isNotBlank(secret)) {
            throw new IllegalArgumentException("Client ID and Client Secret is required to create OidcClient");
        }
        OidcConfiguration oidcConfiguration = new OidcConfiguration();
        oidcConfiguration.setClientId(id);
        oidcConfiguration.setResponseMode("query");
        if (CommonHelper.isNotBlank(secret)) {
            oidcConfiguration.setSecret(secret);
        }
        String responseType = oidcClientConfig.getResponseType();
        if (CommonHelper.isNotBlank(responseType)) {
            oidcConfiguration.setResponseType(responseType);
        }
        String scope = oidcClientConfig.getScope();
        if (CommonHelper.isNotBlank(scope)) {
            oidcConfiguration.setScope(scope);
        }
        String discoveryUri = oidcClientConfig.getDiscoveryUri();
        if (CommonHelper.isNotBlank(discoveryUri)) {
            oidcConfiguration.setDiscoveryURI(discoveryUri);
        }
        String useNonce = oidcClientConfig.getUseNonce();
        if (CommonHelper.isNotBlank(useNonce)) {
            oidcConfiguration.setUseNonce(Boolean.parseBoolean(useNonce));
        }
        String preferredJwsAlgorithm = oidcClientConfig.getPreferredJwsAlgorithm();
        if (CommonHelper.isNotBlank(preferredJwsAlgorithm)) {
            oidcConfiguration.setPreferredJwsAlgorithm(JWSAlgorithm.parse(preferredJwsAlgorithm));
        }
        String maxClockSkew = oidcClientConfig.getMaxClockSkew();
        if (CommonHelper.isNotBlank(maxClockSkew)) {
            oidcConfiguration.setMaxClockSkew(Integer.parseInt(maxClockSkew));
        }
        String value = oidcClientConfig.getClientAuthenticationMethod().value();
        if (CommonHelper.isNotBlank(value)) {
            oidcConfiguration.setClientAuthenticationMethod(ClientAuthenticationMethod.parse(value));
        }
        oidcConfiguration.setDisablePkce(oidcClientConfig.getDisablePkce().booleanValue());
        if (oidcClientConfig.getCustomParams() != null) {
            for (int i = 1; i <= 5; i++) {
                if (oidcClientConfig.getCustomParams().containsKey(String.format("customParamKey%d", Integer.valueOf(i)))) {
                    oidcConfiguration.addCustomParam((String) oidcClientConfig.getCustomParams().get(String.format("customParamKey%d", Integer.valueOf(i))), (String) oidcClientConfig.getCustomParams().get(String.format("customParamValue%d", Integer.valueOf(i))));
                }
            }
        }
        String type = oidcClientConfig.getType();
        if ("azure".equalsIgnoreCase(type)) {
            AzureAd2OidcConfiguration azureAd2OidcConfiguration = new AzureAd2OidcConfiguration(oidcConfiguration);
            String tenant = oidcClientConfig.getTenant();
            if (CommonHelper.isNotBlank(tenant)) {
                azureAd2OidcConfiguration.setTenant(tenant);
            }
            oidcClient = new AzureAd2Client(azureAd2OidcConfiguration);
        } else if ("google".equalsIgnoreCase(type)) {
            oidcClient = new GoogleOidcClient(oidcConfiguration);
            oidcClient.getConfiguration().getCustomParams().put("access_type", "offline");
        } else {
            oidcClient = new OidcClient(oidcConfiguration);
        }
        oidcClient.setName(String.format("OMOidcClient%s", oidcClient.getName()));
        return oidcClient;
    }

    public void handleLogin(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        try {
            LOG.debug("Performing Auth Login For User Session: {} ", httpServletRequest.getSession().getId());
            Optional<OidcCredentials> userCredentialsFromSession = getUserCredentialsFromSession(httpServletRequest);
            if (userCredentialsFromSession.isPresent()) {
                LOG.debug("Auth Tokens Located from Session: {} ", httpServletRequest.getSession().getId());
                sendRedirectWithToken(httpServletResponse, userCredentialsFromSession.get());
            } else {
                LOG.debug("Performing Auth Code Flow to Idp: {} ", httpServletRequest.getSession().getId());
                Map<String, String> buildLoginParams = buildLoginParams();
                buildLoginParams.put("redirect_uri", this.client.getCallbackUrl());
                addStateAndNonceParameters(this.client, httpServletRequest, buildLoginParams);
                if (this.client instanceof GoogleOidcClient) {
                    buildLoginParams.put("prompt", "consent");
                } else {
                    buildLoginParams.put("prompt", "login");
                }
                buildLoginParams.put("max_age", "0");
                String buildLoginAuthenticationRequestUrl = buildLoginAuthenticationRequestUrl(buildLoginParams);
                LOG.debug("Authentication request url: {}", buildLoginAuthenticationRequestUrl);
                httpServletResponse.sendRedirect(buildLoginAuthenticationRequestUrl);
            }
        } catch (Exception e) {
            getErrorMessage(httpServletResponse, new TechnicalException(e));
        }
    }

    public void handleCallback(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        try {
            LOG.debug("Performing Auth Callback For User Session: {} ", httpServletRequest.getSession().getId());
            String callbackUrl = this.client.getCallbackUrl();
            AuthenticationErrorResponse parse = AuthenticationResponseParser.parse(new URI(callbackUrl), retrieveCallbackParameters(httpServletRequest));
            if (parse instanceof AuthenticationErrorResponse) {
                LOG.error("Bad authentication response, error={}", parse.getErrorObject());
                throw new TechnicalException("Bad authentication response");
            }
            LOG.debug("Authentication response successful");
            AuthenticationSuccessResponse authenticationSuccessResponse = (AuthenticationSuccessResponse) parse;
            OIDCProviderMetadata providerMetadata = this.client.getConfiguration().getProviderMetadata();
            if (providerMetadata.supportsAuthorizationResponseIssuerParam() && !providerMetadata.getIssuer().equals(authenticationSuccessResponse.getIssuer())) {
                throw new TechnicalException("Issuer mismatch, possible mix-up attack.");
            }
            validateStateIfRequired(httpServletRequest, httpServletResponse, authenticationSuccessResponse);
            OidcCredentials buildCredentials = buildCredentials(authenticationSuccessResponse);
            validateAndSendTokenRequest(httpServletRequest, buildCredentials, callbackUrl);
            if (buildCredentials.getRefreshToken() == null) {
                LOG.error("Refresh token is null for user session: {}", httpServletRequest.getSession().getId());
            }
            validateNonceIfRequired(httpServletRequest, buildCredentials.getIdToken().getJWTClaimsSet());
            httpServletRequest.getSession().setAttribute(OIDC_CREDENTIAL_PROFILE, buildCredentials);
            sendRedirectWithToken(httpServletResponse, buildCredentials);
        } catch (Exception e) {
            getErrorMessage(httpServletResponse, e);
        }
    }

    public void handleLogout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        try {
            LOG.debug("Performing application logout");
            HttpSession session = httpServletRequest.getSession(false);
            if (session != null) {
                LOG.debug("Invalidating the session for logout");
                session.invalidate();
                httpServletResponse.sendRedirect(this.serverUrl);
            } else {
                LOG.error("No session store available for this web context");
            }
        } catch (Exception e) {
            LOG.error("[Auth Logout] Error while performing logout", e);
        }
    }

    public void handleRefresh(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        try {
            LOG.debug("Performing Auth Refresh For User Session: {} ", httpServletRequest.getSession().getId());
            Optional<OidcCredentials> userCredentialsFromSession = getUserCredentialsFromSession(httpServletRequest);
            if (userCredentialsFromSession.isPresent()) {
                LOG.debug("Credentials Found For User Session: {} ", httpServletRequest.getSession().getId());
                JwtResponse jwtResponse = new JwtResponse();
                jwtResponse.setAccessToken(userCredentialsFromSession.get().getIdToken().getParsedString());
                jwtResponse.setExpiryDuration(Long.valueOf(userCredentialsFromSession.get().getIdToken().getJWTClaimsSet().getExpirationTime().toInstant().getEpochSecond()));
                writeJsonResponse(httpServletResponse, JsonUtils.pojoToJson(jwtResponse));
            } else {
                LOG.debug("Credentials Not Found For User Session: {}, Redirect to Logout ", httpServletRequest.getSession().getId());
                httpServletResponse.sendRedirect(String.format("%s/logout", this.serverUrl));
            }
        } catch (Exception e) {
            getErrorMessage(httpServletResponse, new TechnicalException(e));
        }
    }

    private String buildLoginAuthenticationRequestUrl(Map<String, String> map) {
        try {
            return this.client.getConfiguration().getProviderMetadata().getAuthorizationEndpointURI().toString() + "?" + AuthenticationRequest.parse((Map) map.entrySet().stream().collect(Collectors.toMap((v0) -> {
                return v0.getKey();
            }, entry -> {
                return Collections.singletonList((String) entry.getValue());
            }))).toQueryString();
        } catch (Exception e) {
            throw new TechnicalException(e);
        }
    }

    private Map<String, String> buildLoginParams() {
        HashMap hashMap = new HashMap();
        hashMap.put("scope", this.client.getConfiguration().getScope());
        hashMap.put("response_type", this.client.getConfiguration().getResponseType());
        hashMap.put("response_mode", "query");
        hashMap.putAll(this.client.getConfiguration().getCustomParams());
        hashMap.put("client_id", this.client.getConfiguration().getClientId());
        return new HashMap(hashMap);
    }

    private Optional<OidcCredentials> getUserCredentialsFromSession(HttpServletRequest httpServletRequest) throws URISyntaxException {
        OidcCredentials oidcCredentials = (OidcCredentials) httpServletRequest.getSession().getAttribute(OIDC_CREDENTIAL_PROFILE);
        if (oidcCredentials != null && oidcCredentials.getRefreshToken() != null) {
            LOG.trace("Credentials found in session: {}", oidcCredentials);
            renewOidcCredentials(httpServletRequest, oidcCredentials);
            return Optional.of(oidcCredentials);
        }
        if (oidcCredentials == null) {
            LOG.error("No credentials found against session. ID: {}", httpServletRequest.getSession().getId());
        } else {
            LOG.error("No refresh token found against session. ID: {}", httpServletRequest.getSession().getId());
        }
        return Optional.empty();
    }

    private void validateAndSendTokenRequest(HttpServletRequest httpServletRequest, OidcCredentials oidcCredentials, String str) throws IOException, ParseException, URISyntaxException {
        if (oidcCredentials.getCode() != null) {
            LOG.debug("Initiating Token Request for User Session: {} ", httpServletRequest.getSession().getId());
            executeAuthorizationCodeTokenRequest(createTokenRequest(new AuthorizationCodeGrant(oidcCredentials.getCode(), new URI(str), (CodeVerifier) httpServletRequest.getSession().getAttribute(this.client.getCodeVerifierSessionAttributeName()))), oidcCredentials);
        }
    }

    private void validateStateIfRequired(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationSuccessResponse authenticationSuccessResponse) {
        if (this.client.getConfiguration().isWithState()) {
            State state = (State) httpServletRequest.getSession().getAttribute(this.client.getStateSessionAttributeName());
            if (state == null || CommonHelper.isBlank(state.getValue())) {
                getErrorMessage(httpServletResponse, new TechnicalException("Missing state parameter"));
                return;
            }
            State state2 = authenticationSuccessResponse.getState();
            if (state2 == null) {
                throw new TechnicalException("Missing state parameter");
            }
            LOG.debug("Request state: {}/response state: {}", state, state2);
            if (!state.equals(state2)) {
                throw new TechnicalException("State parameter is different from the one sent in authentication request.");
            }
        }
    }

    private OidcCredentials buildCredentials(AuthenticationSuccessResponse authenticationSuccessResponse) {
        OidcCredentials oidcCredentials = new OidcCredentials();
        AuthorizationCode authorizationCode = authenticationSuccessResponse.getAuthorizationCode();
        if (authorizationCode != null) {
            oidcCredentials.setCode(authorizationCode);
        }
        JWT iDToken = authenticationSuccessResponse.getIDToken();
        if (iDToken != null) {
            oidcCredentials.setIdToken(iDToken);
        }
        AccessToken accessToken = authenticationSuccessResponse.getAccessToken();
        if (accessToken != null) {
            oidcCredentials.setAccessToken(accessToken);
        }
        return oidcCredentials;
    }

    private void validateNonceIfRequired(HttpServletRequest httpServletRequest, JWTClaimsSet jWTClaimsSet) throws BadJOSEException {
        if (this.client.getConfiguration().isUseNonce()) {
            String str = (String) httpServletRequest.getSession().getAttribute(this.client.getNonceSessionAttributeName());
            if (!CommonHelper.isNotBlank(str)) {
                throw new TechnicalException("Missing nonce parameter from Session.");
            }
            try {
                String stringClaim = jWTClaimsSet.getStringClaim("nonce");
                if (stringClaim == null) {
                    throw BadJWTExceptions.MISSING_NONCE_CLAIM_EXCEPTION;
                }
                if (!str.equals(stringClaim)) {
                    throw new BadJWTException("Unexpected JWT nonce (nonce) claim: " + stringClaim);
                }
            } catch (java.text.ParseException e) {
                throw new BadJWTException("Invalid JWT nonce (nonce) claim: " + e.getMessage());
            }
        }
    }

    protected Map<String, List<String>> retrieveCallbackParameters(HttpServletRequest httpServletRequest) {
        Map parameterMap = httpServletRequest.getParameterMap();
        HashMap hashMap = new HashMap();
        for (Map.Entry entry : parameterMap.entrySet()) {
            hashMap.put((String) entry.getKey(), Arrays.asList((String[]) entry.getValue()));
        }
        return hashMap;
    }

    private void writeJsonResponse(HttpServletResponse httpServletResponse, String str) throws IOException {
        httpServletResponse.setContentType("application/json");
        httpServletResponse.setCharacterEncoding("UTF-8");
        httpServletResponse.getOutputStream().print(str);
        httpServletResponse.getOutputStream().flush();
        httpServletResponse.setStatus(200);
    }

    private ClientAuthentication getClientAuthentication(OidcConfiguration oidcConfiguration) {
        ClientAuthenticationMethod clientAuthenticationMethod;
        ClientID clientID = new ClientID(oidcConfiguration.getClientId());
        ClientSecretPost clientSecretPost = null;
        if (oidcConfiguration.getSecret() != null) {
            List<ClientAuthenticationMethod> tokenEndpointAuthMethods = oidcConfiguration.findProviderMetadata().getTokenEndpointAuthMethods();
            ClientAuthenticationMethod preferredAuthenticationMethod = getPreferredAuthenticationMethod(oidcConfiguration);
            if (!CommonHelper.isNotEmpty(tokenEndpointAuthMethods)) {
                clientAuthenticationMethod = preferredAuthenticationMethod != null ? preferredAuthenticationMethod : ClientAuthenticationMethod.getDefault();
                LOG.info("Provider metadata does not provide Token endpoint authentication methods. Using: {}", clientAuthenticationMethod);
            } else if (preferredAuthenticationMethod == null) {
                clientAuthenticationMethod = firstSupportedMethod(tokenEndpointAuthMethods);
            } else {
                if (!tokenEndpointAuthMethods.contains(preferredAuthenticationMethod)) {
                    throw new TechnicalException("Preferred authentication method (" + preferredAuthenticationMethod + ") not supported by provider according to provider metadata (" + tokenEndpointAuthMethods + ").");
                }
                clientAuthenticationMethod = preferredAuthenticationMethod;
            }
            if (ClientAuthenticationMethod.CLIENT_SECRET_POST.equals(clientAuthenticationMethod)) {
                clientSecretPost = new ClientSecretPost(clientID, new Secret(oidcConfiguration.getSecret()));
            } else if (ClientAuthenticationMethod.CLIENT_SECRET_BASIC.equals(clientAuthenticationMethod)) {
                clientSecretPost = new ClientSecretBasic(clientID, new Secret(oidcConfiguration.getSecret()));
            } else if (ClientAuthenticationMethod.PRIVATE_KEY_JWT.equals(clientAuthenticationMethod)) {
                PrivateKeyJWTClientAuthnMethodConfig privateKeyJWTClientAuthnMethodConfig = oidcConfiguration.getPrivateKeyJWTClientAuthnMethodConfig();
                CommonHelper.assertNotNull("privateKetJwtConfig", privateKeyJWTClientAuthnMethodConfig);
                JWSAlgorithm jwsAlgorithm = privateKeyJWTClientAuthnMethodConfig.getJwsAlgorithm();
                CommonHelper.assertNotNull("privateKetJwtConfig.getJwsAlgorithm()", jwsAlgorithm);
                PrivateKey privateKey = privateKeyJWTClientAuthnMethodConfig.getPrivateKey();
                CommonHelper.assertNotNull("privateKetJwtConfig.getPrivateKey()", privateKey);
                try {
                    clientSecretPost = new PrivateKeyJWT(clientID, oidcConfiguration.findProviderMetadata().getTokenEndpointURI(), jwsAlgorithm, privateKey, privateKeyJWTClientAuthnMethodConfig.getKeyID(), (Provider) null);
                } catch (JOSEException e) {
                    throw new TechnicalException("Cannot instantiate private key JWT client authentication method", e);
                }
            }
        }
        return clientSecretPost;
    }

    private static ClientAuthenticationMethod getPreferredAuthenticationMethod(OidcConfiguration oidcConfiguration) {
        ClientAuthenticationMethod clientAuthenticationMethod = oidcConfiguration.getClientAuthenticationMethod();
        if (clientAuthenticationMethod == null) {
            return null;
        }
        if (SUPPORTED_METHODS.contains(clientAuthenticationMethod)) {
            return clientAuthenticationMethod;
        }
        throw new TechnicalException("Configured authentication method (" + clientAuthenticationMethod + ") is not supported.");
    }

    private ClientAuthenticationMethod firstSupportedMethod(List<ClientAuthenticationMethod> list) {
        Stream<ClientAuthenticationMethod> stream = list.stream();
        Collection<ClientAuthenticationMethod> collection = SUPPORTED_METHODS;
        Objects.requireNonNull(collection);
        Optional<ClientAuthenticationMethod> findFirst = stream.filter((v1) -> {
            return r1.contains(v1);
        }).findFirst();
        if (findFirst.isPresent()) {
            return findFirst.get();
        }
        throw new TechnicalException("None of the Token endpoint provider metadata authentication methods are supported: " + list);
    }

    public static void getErrorMessage(HttpServletResponse httpServletResponse, Exception exc) {
        httpServletResponse.setContentType("text/html; charset=UTF-8");
        LOG.error("[Auth Callback Servlet] Failed in Auth Login : {}", exc.getMessage());
        httpServletResponse.getOutputStream().println(String.format("<p> [Auth Callback Servlet] Failed in Auth Login : %s </p>", exc.getMessage()));
    }

    private void sendRedirectWithToken(HttpServletResponse httpServletResponse, OidcCredentials oidcCredentials) throws java.text.ParseException, IOException {
        JWT idToken = oidcCredentials.getIdToken();
        TreeMap treeMap = new TreeMap(String.CASE_INSENSITIVE_ORDER);
        treeMap.putAll(idToken.getJWTClaimsSet().getClaims());
        httpServletResponse.sendRedirect(String.format("%s/auth/callback?id_token=%s&email=%s&name=%s", this.serverUrl, oidcCredentials.getIdToken().getParsedString(), SecurityUtil.findEmailFromClaims(this.claimsMapping, this.claimsOrder, treeMap, this.principalDomain), findUserNameFromClaims(this.claimsMapping, this.claimsOrder, treeMap)));
    }

    private void renewOidcCredentials(HttpServletRequest httpServletRequest, OidcCredentials oidcCredentials) {
        LOG.debug("Renewing Credentials for User Session {}", httpServletRequest.getSession().getId());
        OidcConfiguration configuration = this.client.getConfiguration();
        if (configuration instanceof AzureAd2OidcConfiguration) {
            refreshAccessTokenAzureAd2Token((AzureAd2OidcConfiguration) configuration, oidcCredentials);
        } else {
            refreshTokenRequest(httpServletRequest, oidcCredentials);
        }
        httpServletRequest.getSession().setAttribute(OIDC_CREDENTIAL_PROFILE, oidcCredentials);
    }

    public void refreshTokenRequest(HttpServletRequest httpServletRequest, OidcCredentials oidcCredentials) {
        RefreshToken refreshToken = oidcCredentials.getRefreshToken();
        if (refreshToken == null) {
            throw new BadRequestException("No refresh token available");
        }
        try {
            try {
                HTTPResponse executeTokenHttpRequest = executeTokenHttpRequest(createTokenRequest(new RefreshTokenGrant(refreshToken)));
                if (executeTokenHttpRequest.getStatusCode() != 200) {
                    throw new TechnicalException(String.format("Failed to refresh id_token, response code:%s , Error : %s", Integer.valueOf(executeTokenHttpRequest.getStatusCode()), executeTokenHttpRequest.getContent()));
                }
                JSONObject contentAsJSONObject = executeTokenHttpRequest.getContentAsJSONObject();
                if (contentAsJSONObject.containsKey("id_token")) {
                    if (contentAsJSONObject.get("id_token") == null) {
                        throw new ParseException("JSON object member with key " + "id_token" + " has null value");
                    }
                    LOG.info("Found a JWT token in the response, trying to parse it");
                    populateCredentialsFromTokenResponse(parseTokenResponseFromHttpResponse(executeTokenHttpRequest), oidcCredentials);
                    return;
                }
                LOG.info("Found an access token in the response, trying to parse it, Value : {}", JSONObjectUtils.getString(contentAsJSONObject, "access_token"));
                populateCredentialsFromTokenResponse(parseTokenResponseFromHttpResponse(executeTokenHttpRequest), oidcCredentials);
                OidcCredentials oidcCredentials2 = (OidcCredentials) httpServletRequest.getSession().getAttribute(OIDC_CREDENTIAL_PROFILE);
                TreeMap treeMap = new TreeMap(String.CASE_INSENSITIVE_ORDER);
                treeMap.putAll(oidcCredentials2.getIdToken().getJWTClaimsSet().getClaims());
                String findUserNameFromClaims = SecurityUtil.findUserNameFromClaims(this.claimsMapping, this.claimsOrder, treeMap);
                User user = (User) Entity.getEntityByName(Entity.USER, findUserNameFromClaims, "id", Include.NON_DELETED);
                oidcCredentials.setIdToken(SignedJWT.parse(JWTTokenGenerator.getInstance().generateJWTToken(findUserNameFromClaims, UserUtil.getRoleListFromUser(user), !CommonUtil.nullOrEmpty(user.getIsAdmin()) && user.getIsAdmin().booleanValue(), user.getEmail(), this.tokenValidity, false, ServiceTokenType.OM_USER).getJWTToken()));
            } catch (IOException | ParseException e) {
                throw new TechnicalException(e);
            }
        } catch (java.text.ParseException e2) {
            throw new RuntimeException(e2);
        }
    }

    public static boolean isJWT(String str) {
        return str.split("\\.").length == 3;
    }

    private void refreshAccessTokenAzureAd2Token(AzureAd2OidcConfiguration azureAd2OidcConfiguration, OidcCredentials oidcCredentials) {
        try {
            try {
                HashMap hashMap = new HashMap();
                hashMap.put("Content-Type", "application/x-www-form-urlencoded");
                hashMap.put("Accept", "application/json");
                HttpURLConnection openPostConnection = HttpUtils.openPostConnection(azureAd2OidcConfiguration.findProviderMetadata().getTokenEndpointURI().toURL(), hashMap);
                BufferedWriter bufferedWriter = new BufferedWriter(new OutputStreamWriter(openPostConnection.getOutputStream(), StandardCharsets.UTF_8));
                bufferedWriter.write(azureAd2OidcConfiguration.makeOauth2TokenRequest(oidcCredentials.getRefreshToken().getValue()));
                bufferedWriter.close();
                if (openPostConnection.getResponseCode() != 200) {
                    throw new TechnicalException("request for access token failed: " + HttpUtils.buildHttpErrorMessage(openPostConnection));
                }
                oidcCredentials.setAccessToken(new BearerAccessToken((String) ((Map) JsonUtils.readValue(HttpUtils.readBody(openPostConnection), new TypeReference<Map<String, Object>>() { // from class: org.openmetadata.service.security.AuthenticationCodeFlowHandler.1
                })).get("access_token")));
                HttpUtils.closeConnection(openPostConnection);
            } catch (IOException e) {
                throw new TechnicalException(e);
            }
        } catch (Throwable th) {
            HttpUtils.closeConnection((HttpURLConnection) null);
            throw th;
        }
    }

    public static String findUserNameFromClaims(Map<String, String> map, List<String> list, Map<String, ?> map2) {
        if (CommonUtil.nullOrEmpty(map)) {
            String firstMatchJwtClaim = SecurityUtil.getFirstMatchJwtClaim(list, map2);
            return firstMatchJwtClaim.contains("@") ? firstMatchJwtClaim.split("@")[0] : firstMatchJwtClaim;
        }
        String claimOrObject = SecurityUtil.getClaimOrObject(map2.get(map.get(JwtFilter.USERNAME_CLAIM_KEY)));
        if (CommonUtil.nullOrEmpty(claimOrObject)) {
            throw new AuthenticationException("Invalid JWT token, 'username' claim is not present");
        }
        return claimOrObject;
    }

    public static void validatePrincipalClaimsMapping(Map<String, String> map) {
        if (CommonUtil.nullOrEmpty(map)) {
            return;
        }
        String str = map.get(JwtFilter.USERNAME_CLAIM_KEY);
        String str2 = map.get(JwtFilter.EMAIL_CLAIM_KEY);
        if (CommonUtil.nullOrEmpty(str) || CommonUtil.nullOrEmpty(str2)) {
            throw new IllegalArgumentException("Invalid JWT Principal Claims Mapping. Both username and email should be present");
        }
    }

    private HTTPResponse executeTokenHttpRequest(TokenRequest tokenRequest) throws IOException {
        HTTPRequest hTTPRequest = tokenRequest.toHTTPRequest();
        this.client.getConfiguration().configureHttpRequest(hTTPRequest);
        HTTPResponse send = hTTPRequest.send();
        LOG.debug("Token response: status={}, content={}", Integer.valueOf(send.getStatusCode()), send.getContent());
        return send;
    }

    private TokenRequest createTokenRequest(AuthorizationGrant authorizationGrant) {
        return this.clientAuthentication != null ? new TokenRequest(this.client.getConfiguration().findProviderMetadata().getTokenEndpointURI(), this.clientAuthentication, authorizationGrant) : new TokenRequest(this.client.getConfiguration().findProviderMetadata().getTokenEndpointURI(), new ClientID(this.client.getConfiguration().getClientId()), authorizationGrant);
    }

    private void addStateAndNonceParameters(OidcClient oidcClient, HttpServletRequest httpServletRequest, Map<String, String> map) {
        if (oidcClient.getConfiguration().isWithState()) {
            State state = new State(CommonHelper.randomString(10));
            map.put("state", state.getValue());
            httpServletRequest.getSession().setAttribute(oidcClient.getStateSessionAttributeName(), state);
        }
        if (oidcClient.getConfiguration().isUseNonce()) {
            Nonce nonce = new Nonce();
            map.put("nonce", nonce.getValue());
            httpServletRequest.getSession().setAttribute(oidcClient.getNonceSessionAttributeName(), nonce.getValue());
        }
        CodeChallengeMethod findPkceMethod = oidcClient.getConfiguration().findPkceMethod();
        if (findPkceMethod == null && !oidcClient.getConfiguration().isDisablePkce()) {
            findPkceMethod = CodeChallengeMethod.S256;
        }
        if (findPkceMethod != null) {
            CodeVerifier codeVerifier = new CodeVerifier(CommonHelper.randomString(43));
            httpServletRequest.getSession().setAttribute(oidcClient.getCodeVerifierSessionAttributeName(), codeVerifier);
            map.put("code_challenge", CodeChallenge.compute(findPkceMethod, codeVerifier).getValue());
            map.put("code_challenge_method", findPkceMethod.getValue());
        }
    }

    private void executeAuthorizationCodeTokenRequest(TokenRequest tokenRequest, OidcCredentials oidcCredentials) throws IOException, ParseException {
        populateCredentialsFromTokenResponse(parseTokenResponseFromHttpResponse(executeTokenHttpRequest(tokenRequest)), oidcCredentials);
    }

    private void populateCredentialsFromTokenResponse(OIDCTokenResponse oIDCTokenResponse, OidcCredentials oidcCredentials) {
        OIDCTokens oIDCTokens = oIDCTokenResponse.getOIDCTokens();
        oidcCredentials.setAccessToken(oIDCTokens.getAccessToken());
        oidcCredentials.setRefreshToken(oIDCTokens.getRefreshToken());
        if (oIDCTokens.getIDToken() != null) {
            oidcCredentials.setIdToken(oIDCTokens.getIDToken());
        }
    }

    private OIDCTokenResponse parseTokenResponseFromHttpResponse(HTTPResponse hTTPResponse) throws ParseException {
        TokenErrorResponse parse = OIDCTokenResponseParser.parse(hTTPResponse);
        if (parse instanceof TokenErrorResponse) {
            ErrorObject errorObject = parse.getErrorObject();
            throw new TechnicalException("Bad token response, error=" + errorObject.getCode() + ", description=" + errorObject.getDescription());
        }
        LOG.debug("Token response successful");
        return (OIDCTokenResponse) parse;
    }
}
