package org.wso2.carbon.identity.application.authenticator.oidc;

import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.oltu.oauth2.client.OAuthClient;
import org.apache.oltu.oauth2.client.URLConnectionClient;
import org.apache.oltu.oauth2.client.request.OAuthClientRequest;
import org.apache.oltu.oauth2.client.response.OAuthAuthzResponse;
import org.apache.oltu.oauth2.client.response.OAuthClientResponse;
import org.apache.oltu.oauth2.client.response.OAuthJSONAccessTokenResponse;
import org.apache.oltu.oauth2.common.exception.OAuthProblemException;
import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
import org.apache.oltu.oauth2.common.message.types.GrantType;
import org.apache.oltu.oauth2.common.utils.JSONUtils;
import org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator;
import org.wso2.carbon.identity.application.authentication.framework.FederatedApplicationAuthenticator;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.application.authenticator.oidc.OIDCAuthenticatorConstants;
import org.wso2.carbon.identity.application.common.model.ClaimMapping;
import org.wso2.carbon.identity.core.util.IdentityUtil;

/* loaded from: input_file:org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticator.class */
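public class OpenIDConnectAuthenticator extends AbstractApplicationAuthenticator implements FederatedApplicationAuthenticator {
    private static final long serialVersionUID = -4154255583070524018L;
    private static final Log log = LogFactory.getLog(OpenIDConnectAuthenticator.class);

    /** Context property under which the parsed "commonAuthQueryParams" map is carried from the first leg to the second. */
    private static final String QUERY_PARAM_MAP_PROPERTY = "oidc:param.map";
    private static final String CLIENT_ID_PROPERTY = "ClientId";
    private static final String CLIENT_SECRET_PROPERTY = "ClientSecret";
    private static final String COMMON_AUTH_QUERY_PARAMS_PROPERTY = "commonAuthQueryParams";
    private static final String USER_ID_IN_CLAIMS_PROPERTY = "IsUserIdInClaims";
    private static final String COMMON_AUTH_PATH = "commonauth";
    private static final String DOMAIN_PARAM = "domain";
    private static final String FIDP_PARAM = "fidp";
    private static final String REDIRECT_URI_PARAM = "redirect_uri";
    private static final String SCOPE_PARAM = "scope";
    private static final String AUD_CLAIM = "aud";
    private static final String EXP_CLAIM = "exp";
    private static final String STATE_SEPARATOR = ",";

    /**
     * Decides whether this authenticator owns the incoming request.
     *
     * <p>Two callback shapes are claimed: a successful authorization response
     * ({@code code} plus a {@code state} whose login-type segment equals
     * {@link OIDCAuthenticatorConstants#LOGIN_TYPE}), and an error response
     * ({@code state} plus {@code error}). A request without {@code state} is
     * never ours. A {@code state} lacking the "," separator no longer throws
     * (see {@link #getLoginType}); it simply fails the login-type match.
     */
    public boolean canHandle(HttpServletRequest httpServletRequest) {
        if (log.isTraceEnabled()) {
            log.trace("Inside OpenIDConnectAuthenticator.canHandle()");
        }
        String state = httpServletRequest.getParameter(OIDCAuthenticatorConstants.OAUTH2_PARAM_STATE);
        if (state == null) {
            return false;
        }
        boolean hasCode = httpServletRequest.getParameter(OIDCAuthenticatorConstants.OAUTH2_GRANT_TYPE_CODE) != null;
        if (hasCode && OIDCAuthenticatorConstants.LOGIN_TYPE.equals(getLoginType(httpServletRequest))) {
            return true;
        }
        // Error responses carry state + error and no code. NOTE(review): the
        // login-type segment of state is not checked on this path — confirm intended.
        return httpServletRequest.getParameter(OIDCAuthenticatorConstants.OAUTH2_ERROR) != null;
    }

    /** Extension hook: authorization endpoint override; {@code null} falls back to the OAUTH2_AUTHZ_URL property. */
    protected String getAuthorizationServerEndpoint(Map<String, String> map) {
        return null;
    }

    /** Extension hook: callback URL override; {@code null} falls back to the server's "commonauth" URL. */
    protected String getCallbackUrl(Map<String, String> map) {
        return null;
    }

    /** Extension hook: token endpoint override; {@code null} falls back to the OAUTH2_TOKEN_URL property. */
    protected String getTokenEndpoint(Map<String, String> map) {
        return null;
    }

    /**
     * Extension hook: may transform the OAuth {@code state} value. The default
     * returns it unchanged. Overrides must keep the "&lt;contextId&gt;,&lt;loginType&gt;"
     * shape, since {@link #getContextIdentifier} and {@link #getLoginType} parse it.
     */
    protected String getState(String str, Map<String, String> map) {
        return str;
    }

    /** Extension hook: may transform the requested scope. The default returns it unchanged. */
    protected String getScope(String str, Map<String, String> map) {
        return str;
    }

    /** Extension hook: whether a missing {@code id_token} in the token response is a failure. Default: yes. */
    protected boolean requiredIDToken(Map<String, String> map) {
        return true;
    }

    /**
     * Extension hook used only when no {@code id_token} was returned: derive the
     * federated subject from the token response. The default returns {@code null},
     * which {@link #processAuthenticationResponse} treats as a failure.
     */
    protected String getAuthenticateUser(OAuthClientResponse oAuthClientResponse) {
        return null;
    }

    /** Extension hook used only when no {@code id_token} was returned: derive user attributes. Default: none. */
    protected Map<ClaimMapping, String> getSubjectAttributes(OAuthClientResponse oAuthClientResponse) {
        return new HashMap<ClaimMapping, String>();
    }

    /**
     * First leg: builds the authorization-code request and redirects the browser to the IdP.
     *
     * <p>Behaviour notes:
     * <ul>
     *   <li>{@code redirect_uri} / {@code scope} are omitted from the built request when the
     *       configured "commonAuthQueryParams" already carries them (case-insensitive match);
     *       the raw query-param string is appended to the location afterwards.</li>
     *   <li>The {@code scope} hook is always consulted when this class sets the scope.</li>
     *   <li>A {@code domain} request parameter is forwarded as {@code fidp}, URL-encoded, since
     *       it originates from the browser.</li>
     *   <li>No {@code nonce} is sent, so replay of an ID token cannot be detected here.</li>
     * </ul>
     *
     * @throws AuthenticationFailedException when properties are missing, the request cannot be
     *         built, or the redirect cannot be sent
     */
    protected void initiateAuthenticationRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationContext authenticationContext) throws AuthenticationFailedException {
        try {
            Map<String, String> authenticatorProperties = requireAuthenticatorProperties(authenticationContext);
            String clientId = authenticatorProperties.get(CLIENT_ID_PROPERTY);
            String authorizationServerEndpoint = getAuthorizationServerEndpoint(authenticatorProperties);
            if (authorizationServerEndpoint == null) {
                authorizationServerEndpoint = authenticatorProperties.get(OIDCAuthenticatorConstants.OAUTH2_AUTHZ_URL);
            }
            String callbackUrl = resolveCallbackUrl(authenticatorProperties);
            // state = "<contextId>,<loginType>"; the callback leg relies on this shape.
            String state = getState(authenticationContext.getContextIdentifier() + STATE_SEPARATOR + OIDCAuthenticatorConstants.LOGIN_TYPE, authenticatorProperties);

            // Administrator-configured extra query parameters (trusted configuration, not user input).
            String extraQueryParams = authenticatorProperties.get(COMMON_AUTH_QUERY_PARAMS_PROPERTY);
            Map<String, String> extraParamMap = parseQueryParams(extraQueryParams);
            if (extraQueryParams != null) {
                authenticationContext.setProperty(QUERY_PARAM_MAP_PROPERTY, extraParamMap);
            }
            String scope = extraParamMap.get(SCOPE_PARAM);
            if (scope == null) {
                scope = OIDCAuthenticatorConstants.OAUTH_OIDC_SCOPE;
            }

            String loweredExtra = extraQueryParams == null ? "" : extraQueryParams.toLowerCase(Locale.ROOT);
            boolean scopeSuppliedExternally = loweredExtra.contains("scope=");
            boolean redirectSuppliedExternally = loweredExtra.contains("redirect_uri=");

            OAuthClientRequest.AuthenticationRequestBuilder builder = OAuthClientRequest.authorizationLocation(authorizationServerEndpoint)
                    .setClientId(clientId)
                    .setResponseType(OIDCAuthenticatorConstants.OAUTH2_GRANT_TYPE_CODE)
                    .setState(state);
            if (!redirectSuppliedExternally) {
                builder.setRedirectURI(callbackUrl);
            }
            if (!scopeSuppliedExternally) {
                builder.setScope(getScope(scope, authenticatorProperties));
            }
            String locationUri = builder.buildQueryMessage().getLocationUri();

            // Browser-supplied value: encode it so it cannot inject further query parameters.
            String domain = httpServletRequest.getParameter(DOMAIN_PARAM);
            if (domain != null) {
                locationUri = locationUri + "&" + FIDP_PARAM + "=" + URLEncoder.encode(domain, StandardCharsets.UTF_8.name());
            }
            if (extraQueryParams != null) {
                locationUri = extraQueryParams.startsWith("&") ? locationUri + extraQueryParams : locationUri + "&" + extraQueryParams;
            }
            httpServletResponse.sendRedirect(locationUri);
        } catch (OAuthSystemException e) {
            log.error("Exception while building authorization code request", e);
            throw new AuthenticationFailedException(e.getMessage(), e);
        } catch (IOException e2) {
            log.error("Exception while sending to the login page", e2);
            throw new AuthenticationFailedException(e2.getMessage(), e2);
        }
    }

    /**
     * Second leg: exchanges the authorization code for tokens and establishes the federated subject.
     *
     * <p>Security notes on the ID token handling: the JWS signature and the {@code iss} and
     * {@code nonce} claims are NOT verified by this class — the payload is simply base64-decoded.
     * The token is obtained in a direct exchange with the token endpoint, so its integrity rests
     * on that endpoint URL being HTTPS with a verified server certificate. {@code aud} and
     * {@code exp} are checked in {@link #validateIdTokenClaims}.
     *
     * @throws AuthenticationFailedException on IdP error responses, token-exchange failures,
     *         malformed or rejected ID tokens, or when no subject identifier can be determined
     */
    protected void processAuthenticationResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationContext authenticationContext) throws AuthenticationFailedException {
        try {
            Map<String, String> authenticatorProperties = requireAuthenticatorProperties(authenticationContext);
            String clientId = authenticatorProperties.get(CLIENT_ID_PROPERTY);
            String clientSecret = authenticatorProperties.get(CLIENT_SECRET_PROPERTY);
            String tokenEndpoint = getTokenEndpoint(authenticatorProperties);
            if (tokenEndpoint == null) {
                tokenEndpoint = authenticatorProperties.get(OIDCAuthenticatorConstants.OAUTH2_TOKEN_URL);
            }
            String callbackUrl = resolveCallbackUrl(authenticatorProperties);
            // Must echo the redirect_uri that was actually sent on the first leg, including an externally supplied one.
            Map<?, ?> extraParamMap = (Map<?, ?>) authenticationContext.getProperty(QUERY_PARAM_MAP_PROPERTY);
            if (extraParamMap != null && extraParamMap.containsKey(REDIRECT_URI_PARAM)) {
                callbackUrl = (String) extraParamMap.get(REDIRECT_URI_PARAM);
            }

            // oauthCodeAuthzResponse throws OAuthProblemException for an error response from the IdP.
            String code = OAuthAuthzResponse.oauthCodeAuthzResponse(httpServletRequest).getCode();
            OAuthClientResponse tokenResponse = getOauthResponse(new OAuthClient(new URLConnectionClient()), getaccessRequest(tokenEndpoint, clientId, code, clientSecret, callbackUrl));

            String accessToken = tokenResponse.getParam(OIDCAuthenticatorConstants.ACCESS_TOKEN);
            String idToken = tokenResponse.getParam(OIDCAuthenticatorConstants.ID_TOKEN);
            if (accessToken == null || (idToken == null && requiredIDToken(authenticatorProperties))) {
                throw new AuthenticationFailedException("Authentication Failed");
            }
            authenticationContext.setProperty(OIDCAuthenticatorConstants.ACCESS_TOKEN, accessToken);

            if (idToken != null) {
                authenticationContext.setProperty(OIDCAuthenticatorConstants.ID_TOKEN, idToken);
                Map<String, Object> claims = decodeIdTokenPayload(idToken);
                validateIdTokenClaims(claims, clientId);
                Map<ClaimMapping, String> userAttributes = buildClaimMappings(claims);
                String subject = resolveSubject(authenticationContext, claims);
                AuthenticatedUser user = AuthenticatedUser.createFederateAuthenticatedUserFromSubjectIdentifier(subject);
                user.setUserAttributes(userAttributes);
                authenticationContext.setSubject(user);
            } else {
                String subject = getAuthenticateUser(tokenResponse);
                if (subject == null) {
                    throw new AuthenticationFailedException("Cannot find federated User Identifier");
                }
                AuthenticatedUser user = AuthenticatedUser.createFederateAuthenticatedUserFromSubjectIdentifier(subject);
                user.setUserAttributes(getSubjectAttributes(tokenResponse));
                authenticationContext.setSubject(user);
            }
        } catch (OAuthProblemException e) {
            log.error(e.getMessage(), e);
            throw new AuthenticationFailedException(e.getMessage(), e);
        }
    }

    /** Returns the authenticator properties or fails, so both legs report a missing configuration the same way. */
    private Map<String, String> requireAuthenticatorProperties(AuthenticationContext authenticationContext) throws AuthenticationFailedException {
        Map<String, String> authenticatorProperties = authenticationContext.getAuthenticatorProperties();
        if (authenticatorProperties == null) {
            if (log.isDebugEnabled()) {
                log.debug("Error while retrieving properties. Authenticator Properties cannot be null");
            }
            throw new AuthenticationFailedException("Error while retrieving properties. Authenticator Properties cannot be null");
        }
        return authenticatorProperties;
    }

    /** Callback URL: the hook's value, else this server's "commonauth" endpoint. */
    private String resolveCallbackUrl(Map<String, String> authenticatorProperties) {
        String callbackUrl = getCallbackUrl(authenticatorProperties);
        return callbackUrl != null ? callbackUrl : IdentityUtil.getServerURL(COMMON_AUTH_PATH);
    }

    /**
     * Parses an {@code a=b&c=d} string into a map. Entries without "=" and empty
     * entries (e.g. from a leading "&amp;") are skipped instead of throwing; a value
     * is everything after the first "=" so values containing "=" survive.
     */
    private static Map<String, String> parseQueryParams(String queryParams) {
        Map<String, String> params = new HashMap<String, String>();
        if (queryParams == null) {
            return params;
        }
        for (String pair : queryParams.split("&")) {
            if (pair.isEmpty()) {
                continue;
            }
            int separator = pair.indexOf('=');
            if (separator < 0) {
                if (log.isDebugEnabled()) {
                    log.debug("Ignoring query parameter without a value: " + pair);
                }
                continue;
            }
            params.put(pair.substring(0, separator), pair.substring(separator + 1));
        }
        return params;
    }

    /**
     * Decodes the JWT payload segment of the ID token into a claims map.
     * No signature verification happens here (see {@link #processAuthenticationResponse}).
     *
     * @throws AuthenticationFailedException if the token is not "header.payload[.signature]"
     *         or the payload does not decode to a JSON object
     */
    private Map<String, Object> decodeIdTokenPayload(String idToken) throws AuthenticationFailedException {
        String[] segments = idToken.split("\\.");
        if (segments.length < 2) {
            throw new AuthenticationFailedException("Malformed ID token: expected a JWT with a payload segment");
        }
        // commons-codec decodeBase64 accepts both standard and URL-safe alphabets, which JWT uses.
        byte[] payloadBytes = Base64.decodeBase64(segments[1].getBytes(StandardCharsets.UTF_8));
        Map<String, Object> claims = JSONUtils.parseJSON(new String(payloadBytes, StandardCharsets.UTF_8));
        if (claims == null) {
            if (log.isDebugEnabled()) {
                log.debug("Decoded json object is null");
            }
            throw new AuthenticationFailedException("Decoded json object is null");
        }
        return claims;
    }

    /**
     * Minimal ID token validation that can be done without key material: the token must be
     * addressed to this client ({@code aud}) and must not be expired ({@code exp}, seconds since
     * epoch, no clock-skew allowance). Claims whose representation cannot be interpreted are
     * logged and skipped rather than rejected, to stay tolerant of the JSON parser's types.
     */
    private void validateIdTokenClaims(Map<String, Object> claims, String clientId) throws AuthenticationFailedException {
        Object audience = claims.get(AUD_CLAIM);
        if (audience == null) {
            throw new AuthenticationFailedException("ID token has no aud claim");
        }
        if (!audienceContains(audience, clientId)) {
            throw new AuthenticationFailedException("ID token audience does not match the configured client id");
        }
        Object expiry = claims.get(EXP_CLAIM);
        if (expiry == null) {
            throw new AuthenticationFailedException("ID token has no exp claim");
        }
        Long expirySeconds = asEpochSeconds(expiry);
        if (expirySeconds == null) {
            log.warn("Cannot interpret exp claim of type " + expiry.getClass().getName() + "; expiry check skipped");
        } else if (expirySeconds < System.currentTimeMillis() / 1000L) {
            throw new AuthenticationFailedException("ID token has expired");
        }
    }

    /** True if {@code aud} (a string or an iterable of values) names {@code clientId}; unknown shapes are accepted with a warning. */
    private boolean audienceContains(Object audience, String clientId) {
        if (audience instanceof String) {
            return audience.equals(clientId);
        }
        if (audience instanceof Iterable) {
            for (Object candidate : (Iterable<?>) audience) {
                if (String.valueOf(candidate).equals(clientId)) {
                    return true;
                }
            }
            return false;
        }
        // NOTE(review): multi-valued aud may arrive as a parser-specific array type that is not Iterable — confirm.
        log.warn("Cannot evaluate aud claim of type " + audience.getClass().getName() + "; audience check skipped");
        return true;
    }

    /** Converts a numeric or numeric-string claim to epoch seconds, or {@code null} if it is neither. */
    private static Long asEpochSeconds(Object value) {
        if (value instanceof Number) {
            return ((Number) value).longValue();
        }
        try {
            return Long.parseLong(String.valueOf(value).trim());
        } catch (NumberFormatException ignored) {
            return null;
        }
    }

    /**
     * Maps every claim to a same-named {@link ClaimMapping}. Null-valued claims are skipped
     * (the original code dereferenced them). Only claim names are logged — values may be PII.
     */
    private Map<ClaimMapping, String> buildClaimMappings(Map<String, Object> claims) {
        Map<ClaimMapping, String> userAttributes = new HashMap<ClaimMapping, String>();
        for (Map.Entry<String, Object> claim : claims.entrySet()) {
            String claimName = claim.getKey();
            Object claimValue = claim.getValue();
            if (claimValue == null) {
                if (log.isDebugEnabled()) {
                    log.debug("Skipping claim with null value : " + claimName);
                }
                continue;
            }
            userAttributes.put(ClaimMapping.build(claimName, claimName, (String) null, false), claimValue.toString());
            if (log.isDebugEnabled()) {
                log.debug("Adding claim mapping : " + claimName + " <> " + claimName);
            }
        }
        return userAttributes;
    }

    /**
     * Chooses the federated subject: the configured user-id claim when "IsUserIdInClaims" is
     * true and resolvable, otherwise the {@code sub} claim.
     *
     * <p>NOTE(review): {@link #getSubjectFromUserIDClaimURI} is consulted before the subject and
     * its attributes are set on the context — confirm FrameworkUtils does not need them.
     *
     * @throws AuthenticationFailedException if neither source yields an identifier
     */
    private String resolveSubject(AuthenticationContext authenticationContext, Map<String, Object> claims) throws AuthenticationFailedException {
        String subject = null;
        if ("true".equalsIgnoreCase(authenticationContext.getAuthenticatorProperties().get(USER_ID_IN_CLAIMS_PROPERTY))) {
            subject = getSubjectFromUserIDClaimURI(authenticationContext);
            if (subject == null && log.isDebugEnabled()) {
                log.debug("Subject claim could not be found amongst subject attributes. Defaulting to sub attribute in IDToken.");
            }
        }
        if (subject == null) {
            Object sub = claims.get(OIDCAuthenticatorConstants.Claim.SUB);
            subject = sub instanceof String ? (String) sub : null;
        }
        if (subject == null) {
            throw new AuthenticationFailedException("Cannot find federated User Identifier");
        }
        return subject;
    }

    /** Builds the authorization_code token request (client credentials go in the POST body). */
    private OAuthClientRequest getaccessRequest(String str, String str2, String str3, String str4, String str5) throws AuthenticationFailedException {
        try {
            return OAuthClientRequest.tokenLocation(str)
                    .setGrantType(GrantType.AUTHORIZATION_CODE)
                    .setClientId(str2)
                    .setClientSecret(str4)
                    .setRedirectURI(str5)
                    .setCode(str3)
                    .buildBodyMessage();
        } catch (OAuthSystemException e) {
            if (log.isDebugEnabled()) {
                log.debug("Exception while building request for request access token", e);
            }
            throw new AuthenticationFailedException(e.getMessage(), e);
        }
    }

    /**
     * Performs the token exchange. Both Oltu failure types are now surfaced as
     * {@link AuthenticationFailedException}; previously an {@code OAuthProblemException}
     * was swallowed and a {@code null} response returned, which the caller then dereferenced.
     */
    private OAuthClientResponse getOauthResponse(OAuthClient oAuthClient, OAuthClientRequest oAuthClientRequest) throws AuthenticationFailedException {
        OAuthJSONAccessTokenResponse tokenResponse;
        try {
            tokenResponse = oAuthClient.accessToken(oAuthClientRequest);
        } catch (OAuthProblemException e) {
            if (log.isDebugEnabled()) {
                log.debug("Exception while requesting access token", e);
            }
            throw new AuthenticationFailedException(e.getMessage(), e);
        } catch (OAuthSystemException e2) {
            if (log.isDebugEnabled()) {
                log.debug("Exception while requesting access token", e2);
            }
            throw new AuthenticationFailedException(e2.getMessage(), e2);
        }
        if (tokenResponse == null) {
            throw new AuthenticationFailedException("Empty response from token endpoint");
        }
        return tokenResponse;
    }

    /** The framework context id is the first ","-separated segment of {@code state}; {@code null} without a state. */
    public String getContextIdentifier(HttpServletRequest httpServletRequest) {
        if (log.isTraceEnabled()) {
            log.trace("Inside OpenIDConnectAuthenticator.getContextIdentifier()");
        }
        String state = httpServletRequest.getParameter(OIDCAuthenticatorConstants.OAUTH2_PARAM_STATE);
        return state == null ? null : state.split(STATE_SEPARATOR)[0];
    }

    /** The login type is the second ","-separated segment of {@code state}; {@code null} if absent or malformed. */
    private String getLoginType(HttpServletRequest httpServletRequest) {
        String state = httpServletRequest.getParameter(OIDCAuthenticatorConstants.OAUTH2_PARAM_STATE);
        if (state == null) {
            return null;
        }
        String[] segments = state.split(STATE_SEPARATOR);
        return segments.length > 1 ? segments[1] : null;
    }

    public String getFriendlyName() {
        return "openidconnect";
    }

    public String getName() {
        return OIDCAuthenticatorConstants.AUTHENTICATOR_NAME;
    }

    public String getClaimDialectURI() {
        return "http://wso2.org/oidc/claim";
    }

    /** Subject from the configured user-id claim via the framework; any lookup failure is logged and yields {@code null}. */
    protected String getSubjectFromUserIDClaimURI(AuthenticationContext authenticationContext) {
        try {
            return FrameworkUtils.getFederatedSubjectFromClaims(authenticationContext, getClaimDialectURI());
        } catch (Exception e) {
            if (log.isDebugEnabled()) {
                log.debug("Couldn't find the subject claim from claim mappings ", e);
            }
            return null;
        }
    }
}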
