package io.helidon.security.providers.oidc;

import io.helidon.common.HelidonServiceLoader;
import io.helidon.common.Weight;
import io.helidon.common.configurable.LruCache;
import io.helidon.common.context.Context;
import io.helidon.common.context.Contexts;
import io.helidon.common.mapper.OptionalValue;
import io.helidon.common.parameters.Parameters;
import io.helidon.config.Config;
import io.helidon.cors.CrossOriginConfig;
import io.helidon.http.HeaderNames;
import io.helidon.http.HeaderValues;
import io.helidon.http.ServerRequestHeaders;
import io.helidon.http.ServerResponseHeaders;
import io.helidon.http.Status;
import io.helidon.security.SecurityException;
import io.helidon.security.jwt.SignedJwt;
import io.helidon.security.providers.oidc.common.OidcConfig;
import io.helidon.security.providers.oidc.common.OidcCookieHandler;
import io.helidon.security.providers.oidc.common.Tenant;
import io.helidon.security.providers.oidc.common.TenantConfig;
import io.helidon.security.providers.oidc.common.spi.TenantConfigFinder;
import io.helidon.security.providers.oidc.common.spi.TenantConfigProvider;
import io.helidon.webclient.api.HttpClientRequest;
import io.helidon.webclient.api.HttpClientResponse;
import io.helidon.webclient.api.WebClient;
import io.helidon.webserver.cors.CorsSupport;
import io.helidon.webserver.http.Handler;
import io.helidon.webserver.http.HttpFeature;
import io.helidon.webserver.http.HttpRouting;
import io.helidon.webserver.http.ServerRequest;
import io.helidon.webserver.http.ServerResponse;
import jakarta.json.Json;
import jakarta.json.JsonBuilderFactory;
import jakarta.json.JsonObject;
import jakarta.json.JsonReaderFactory;
import java.io.StringReader;
import java.lang.System;
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.ServiceLoader;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

@Weight(800.0d)
/* loaded from: input_file:io/helidon/security/providers/oidc/OidcFeature.class */
public final class OidcFeature implements HttpFeature {
    static final JsonReaderFactory JSON_READER_FACTORY = Json.createReaderFactory(Map.of());
    static final JsonBuilderFactory JSON_BUILDER_FACTORY = Json.createBuilderFactory(Map.of());
    private static final System.Logger LOGGER = System.getLogger(OidcFeature.class.getName());
    private static final String CODE_PARAM_NAME = "code";
    private static final String STATE_PARAM_NAME = "state";
    private static final String DEFAULT_REDIRECT = "/index.html";
    private final List<TenantConfigFinder> oidcConfigFinders;
    private final LruCache<String, Tenant> tenants = LruCache.create();
    private final OidcConfig oidcConfig;
    private final OidcCookieHandler tokenCookieHandler;
    private final OidcCookieHandler idTokenCookieHandler;
    private final OidcCookieHandler refreshTokenCookieHandler;
    private final OidcCookieHandler tenantCookieHandler;
    private final OidcCookieHandler stateCookieHandler;
    private final boolean enabled;
    private final CorsSupport corsSupport;

    /* loaded from: input_file:io/helidon/security/providers/oidc/OidcFeature$Builder.class */
    public static class Builder implements io.helidon.common.Builder<Builder, OidcFeature> {
        private static final int BUILDER_WEIGHT = 50000;
        private static final int DEFAULT_WEIGHT = 100000;
        private final HelidonServiceLoader.Builder<TenantConfigProvider> tenantConfigProviders = HelidonServiceLoader.builder(ServiceLoader.load(TenantConfigProvider.class)).defaultWeight(100000.0d);
        private boolean enabled = true;
        private Config config = Config.empty();
        private OidcConfig oidcConfig;
        private List<TenantConfigFinder> tenantConfigFinders;

        private Builder() {
        }

        private static Optional<Config> findMyKey(Config config, String str) {
            return config.key().name().equals(str) ? Optional.of(config) : ((List) config.get("security.providers").asNodeList().orElseGet(List::of)).stream().filter(config2 -> {
                return config2.get(str).exists();
            }).findFirst().map(config3 -> {
                return config3.get(str);
            });
        }

        /* renamed from: build, reason: merged with bridge method [inline-methods] */
        public OidcFeature m2build() {
            if (this.enabled && this.oidcConfig == null) {
                throw new IllegalStateException("When OIDC and security is enabled, OIDC configuration must be provided");
            }
            this.tenantConfigFinders = (List) this.tenantConfigProviders.build().asList().stream().map(tenantConfigProvider -> {
                return tenantConfigProvider.createTenantConfigFinder(this.config);
            }).collect(Collectors.toList());
            return new OidcFeature(this);
        }

        public Builder config(Config config) {
            config.get("enabled").asBoolean().ifPresent((v1) -> {
                enabled(v1);
            });
            if (this.enabled) {
                this.oidcConfig = OidcConfig.create(config);
            }
            return this;
        }

        public Builder config(OidcConfig oidcConfig) {
            this.oidcConfig = oidcConfig;
            return this;
        }

        public Builder config(Config config, String str) {
            config.get("security.enabled").asBoolean().ifPresent((v1) -> {
                enabled(v1);
            });
            findMyKey(config, str).ifPresentOrElse(this::config, () -> {
                enabled(false);
            });
            return this;
        }

        public Builder enabled(boolean z) {
            this.enabled = z;
            return this;
        }

        public Builder discoverTenantConfigProviders(boolean z) {
            this.tenantConfigProviders.useSystemServiceLoader(z);
            return this;
        }

        public Builder addTenantConfigFinder(TenantConfigFinder tenantConfigFinder) {
            return addTenantConfigFinder(tenantConfigFinder, BUILDER_WEIGHT);
        }

        public Builder addTenantConfigFinder(TenantConfigFinder tenantConfigFinder, int i) {
            this.tenantConfigProviders.addService(config -> {
                return tenantConfigFinder;
            }, i);
            return this;
        }
    }

    private OidcFeature(Builder builder) {
        this.oidcConfig = builder.oidcConfig;
        this.enabled = builder.enabled;
        if (!this.enabled) {
            this.tokenCookieHandler = null;
            this.idTokenCookieHandler = null;
            this.refreshTokenCookieHandler = null;
            this.tenantCookieHandler = null;
            this.stateCookieHandler = null;
            this.corsSupport = null;
            this.oidcConfigFinders = List.of();
            return;
        }
        this.tokenCookieHandler = this.oidcConfig.tokenCookieHandler();
        this.idTokenCookieHandler = this.oidcConfig.idTokenCookieHandler();
        this.refreshTokenCookieHandler = this.oidcConfig.refreshTokenCookieHandler();
        this.tenantCookieHandler = this.oidcConfig.tenantCookieHandler();
        this.stateCookieHandler = this.oidcConfig.stateCookieHandler();
        this.corsSupport = prepareCrossOriginSupport(this.oidcConfig.redirectUri(), this.oidcConfig.crossOriginConfig());
        this.oidcConfigFinders = List.copyOf(builder.tenantConfigFinders);
        this.oidcConfigFinders.forEach(tenantConfigFinder -> {
            LruCache<String, Tenant> lruCache = this.tenants;
            Objects.requireNonNull(lruCache);
            tenantConfigFinder.onChange((v1) -> {
                r1.remove(v1);
            });
        });
    }

    public static OidcFeature create(Config config, String str) {
        return builder().config(config, str).m2build();
    }

    public static OidcFeature create(Config config) {
        return builder().config(config, OidcProviderService.PROVIDER_CONFIG_KEY).m2build();
    }

    public static OidcFeature create(OidcConfig oidcConfig) {
        return builder().config(oidcConfig).m2build();
    }

    public static Builder builder() {
        return new Builder();
    }

    public void setup(HttpRouting.Builder builder) {
        if (this.enabled) {
            if (this.corsSupport != null) {
                builder.any(this.oidcConfig.redirectUri(), new Handler[]{this.corsSupport});
            }
            builder.get(this.oidcConfig.redirectUri(), new Handler[]{this::processOidcRedirect});
            if (this.oidcConfig.logoutEnabled()) {
                if (this.corsSupport != null) {
                    builder.any(this.oidcConfig.logoutUri(), new Handler[]{this.corsSupport});
                }
                builder.get(this.oidcConfig.logoutUri(), new Handler[]{this::processLogout});
            }
            builder.any(new Handler[]{this::addRequestAsHeader});
        }
    }

    private void processLogout(ServerRequest serverRequest, ServerResponse serverResponse) {
        processTenantLogout(serverRequest, serverResponse, findTenantName(serverRequest));
    }

    private String findTenantName(ServerRequest serverRequest) {
        LinkedList linkedList = new LinkedList();
        OptionalValue optionalValue = null;
        if (this.oidcConfig.useParam()) {
            optionalValue = serverRequest.query().first(this.oidcConfig.tenantParamName());
            if (optionalValue.isEmpty()) {
                linkedList.add("query-param");
            }
        }
        if (this.oidcConfig.useCookie() && optionalValue == null) {
            Optional findCookie = this.oidcConfig.tenantCookieHandler().findCookie(serverRequest.headers().toMap());
            if (findCookie.isPresent()) {
                return (String) findCookie.get();
            }
            linkedList.add("cookie");
        }
        if (optionalValue != null) {
            return (String) optionalValue.get();
        }
        if (!LOGGER.isLoggable(System.Logger.Level.TRACE)) {
            return "@default";
        }
        LOGGER.log(System.Logger.Level.TRACE, "Missing tenant id, could not find in either of: " + String.valueOf(linkedList) + "Falling back to the default tenant id: @default");
        return "@default";
    }

    private void processTenantLogout(ServerRequest serverRequest, ServerResponse serverResponse, String str) {
        logoutWithTenant(serverRequest, serverResponse, obtainCurrentTenant(str));
    }

    private Tenant obtainCurrentTenant(String str) {
        Optional optional = this.tenants.get(str);
        if (optional.isPresent()) {
            return (Tenant) optional.get();
        }
        Tenant tenant = (Tenant) this.oidcConfigFinders.stream().map(tenantConfigFinder -> {
            return tenantConfigFinder.config(str);
        }).flatMap((v0) -> {
            return v0.stream();
        }).map(tenantConfig -> {
            return Tenant.create(this.oidcConfig, tenantConfig);
        }).findFirst().orElseGet(() -> {
            return Tenant.create(this.oidcConfig, this.oidcConfig.tenantConfig(str));
        });
        return (Tenant) this.tenants.computeValue(str, () -> {
            return Optional.of(tenant);
        }).get();
    }

    private void logoutWithTenant(ServerRequest serverRequest, ServerResponse serverResponse, Tenant tenant) {
        OptionalValue first = serverRequest.headers().cookies().first(this.idTokenCookieHandler.cookieName());
        if (first.isEmpty()) {
            LOGGER.log(System.Logger.Level.TRACE, "Logout request invoked without ID Token cookie");
            serverResponse.status(Status.FORBIDDEN_403).send();
            return;
        }
        try {
            StringBuilder sb = new StringBuilder(String.valueOf(tenant.logoutEndpointUri()) + "?id_token_hint=" + this.idTokenCookieHandler.decrypt((String) first.get()) + "&post_logout_redirect_uri=" + String.valueOf(postLogoutUri(serverRequest)));
            serverRequest.query().first(STATE_PARAM_NAME).ifPresent(str -> {
                sb.append("&state=").append(str);
            });
            ServerResponseHeaders headers = serverResponse.headers();
            headers.addCookie(this.tokenCookieHandler.removeCookie().build());
            headers.addCookie(this.idTokenCookieHandler.removeCookie().build());
            headers.addCookie(this.tenantCookieHandler.removeCookie().build());
            headers.addCookie(this.refreshTokenCookieHandler.removeCookie().build());
            serverResponse.status(Status.TEMPORARY_REDIRECT_307).header(HeaderNames.LOCATION, new String[]{sb.toString()}).send();
        } catch (Exception e) {
            sendError(serverResponse, e);
        }
    }

    private void addRequestAsHeader(ServerRequest serverRequest, ServerResponse serverResponse) {
        Context context = (Context) Contexts.context().orElseThrow(() -> {
            return new SecurityException("Context must be available");
        });
        Map map = (Map) context.get("security.addHeaders", Map.class).map(map2 -> {
            return map2;
        }).orElseGet(() -> {
            HashMap hashMap = new HashMap();
            context.register("security.addHeaders", hashMap);
            return hashMap;
        });
        String rawValue = serverRequest.query().rawValue();
        if (rawValue.isEmpty()) {
            map.put("X_ORIG_URI_HEADER", List.of(serverRequest.path().rawPath()));
        } else {
            map.put("X_ORIG_URI_HEADER", List.of(serverRequest.path().rawPath() + "?" + rawValue));
        }
        serverResponse.next();
    }

    private void processOidcRedirect(ServerRequest serverRequest, ServerResponse serverResponse) {
        serverRequest.query().first(CODE_PARAM_NAME).ifPresentOrElse(str -> {
            processCode(str, serverRequest, serverResponse);
        }, () -> {
            processError(serverRequest, serverResponse);
        });
    }

    private void processCode(String str, ServerRequest serverRequest, ServerResponse serverResponse) {
        String str2 = (String) serverRequest.query().first(this.oidcConfig.tenantParamName()).orElse("@default");
        processCodeWithTenant(str, serverRequest, serverResponse, str2, obtainCurrentTenant(str2));
    }

    private void processCodeWithTenant(String str, ServerRequest serverRequest, ServerResponse serverResponse, String str2, Tenant tenant) {
        Optional findCookie = this.stateCookieHandler.findCookie(serverRequest.headers().toMap());
        if (findCookie.isEmpty()) {
            processError(serverResponse, Status.UNAUTHORIZED_401, "State cookie needs to be provided upon redirect");
            return;
        }
        JsonObject readObject = JSON_READER_FACTORY.createReader(new StringReader(new String(Base64.getDecoder().decode((String) findCookie.get()), StandardCharsets.UTF_8))).readObject();
        serverResponse.headers().addCookie(this.stateCookieHandler.removeCookie().build());
        if (!readObject.getString(STATE_PARAM_NAME).equals(serverRequest.query().get(STATE_PARAM_NAME))) {
            processError(serverResponse, Status.UNAUTHORIZED_401, "State of the original request and obtained from identity server does not match");
            return;
        }
        TenantConfig tenantConfig = tenant.tenantConfig();
        WebClient appWebClient = tenant.appWebClient();
        Parameters.Builder add = Parameters.builder("oidc-form-params").add("grant_type", new String[]{"authorization_code"}).add(CODE_PARAM_NAME, new String[]{str}).add("redirect_uri", new String[]{redirectUri(serverRequest, str2)});
        HttpClientRequest header = appWebClient.post().uri(tenant.tokenEndpointUri()).header(HeaderValues.ACCEPT_JSON);
        OidcUtil.updateRequest(OidcConfig.RequestType.CODE_TO_TOKEN, tenantConfig, add);
        try {
            HttpClientResponse submit = header.submit(add.build());
            try {
                if (submit.status().family() == Status.Family.SUCCESSFUL) {
                    try {
                        processJsonResponse(serverRequest, serverResponse, (JsonObject) submit.as(JsonObject.class), str2, readObject);
                    } catch (Exception e) {
                        processError(serverResponse, e, "Failed to read JSON from response");
                    }
                } else {
                    try {
                        String str3 = (String) submit.as(String.class);
                        try {
                            processError(serverResponse, submit.status(), str3);
                        } catch (Exception e2) {
                            throw new SecurityException("Failed to process request: " + str3);
                        }
                    } catch (Exception e3) {
                        processError(serverResponse, e3, "Failed to process error entity");
                        if (submit != null) {
                            submit.close();
                            return;
                        }
                        return;
                    }
                }
                if (submit != null) {
                    submit.close();
                }
            } finally {
            }
        } catch (Exception e4) {
            processError(serverResponse, e4, "Failed to invoke request");
        }
    }

    private Object postLogoutUri(ServerRequest serverRequest) {
        URI postLogoutUri = this.oidcConfig.postLogoutUri();
        if (postLogoutUri.getHost() != null) {
            return postLogoutUri.toString();
        }
        String path = postLogoutUri.getPath();
        String str = path.startsWith("/") ? path : "/" + path;
        ServerRequestHeaders headers = serverRequest.headers();
        if (headers.contains(HeaderNames.HOST)) {
            return ((this.oidcConfig.forceHttpsRedirects() || serverRequest.isSecure()) ? "https" : "http") + "://" + ((String) headers.get(HeaderNames.HOST).get()) + str;
        }
        LOGGER.log(System.Logger.Level.WARNING, "Request without Host header received, yet post logout URI does not define a host");
        return this.oidcConfig.toString();
    }

    private String redirectUri(ServerRequest serverRequest, String str) {
        String redirectUriWithHost;
        Optional first = serverRequest.headers().first(HeaderNames.HOST);
        if (first.isPresent()) {
            redirectUriWithHost = this.oidcConfig.redirectUriWithHost((serverRequest.isSecure() ? "https" : "http") + "://" + ((String) first.get()));
        } else {
            redirectUriWithHost = this.oidcConfig.redirectUriWithHost();
        }
        if ("@default".equals(str)) {
            return redirectUriWithHost;
        }
        return redirectUriWithHost + (redirectUriWithHost.contains("?") ? "&" : "?") + encode(this.oidcConfig.tenantParamName()) + "=" + encode(str);
    }

    private String processJsonResponse(ServerRequest serverRequest, ServerResponse serverResponse, JsonObject jsonObject, String str, JsonObject jsonObject2) {
        String string = jsonObject.getString("access_token");
        String string2 = jsonObject.getString("id_token", (String) null);
        String string3 = jsonObject.getString("refresh_token", (String) null);
        if (!((String) SignedJwt.parseToken(string2).getJwt().nonce().orElseThrow(() -> {
            return new IllegalStateException("Nonce is required to be present in the id token");
        })).equals(jsonObject2.getString("nonce"))) {
            throw new IllegalStateException("Original nonce and the one obtained from id token does not match");
        }
        String string4 = jsonObject2.getString("originalUri", DEFAULT_REDIRECT);
        serverResponse.status(Status.TEMPORARY_REDIRECT_307);
        if (this.oidcConfig.useParam()) {
            string4 = string4 + (string4.contains("?") ? "&" : "?") + encode(this.oidcConfig.paramName()) + "=" + string;
            if (string2 != null) {
                string4 = string4 + "&" + encode(this.oidcConfig.idTokenParamName()) + "=" + string2;
            }
            if (!"@default".equals(str)) {
                string4 = string4 + "&" + encode(this.oidcConfig.tenantParamName()) + "=" + encode(str);
            }
        }
        serverResponse.headers().add(HeaderNames.LOCATION, new String[]{increaseRedirectCounter(string4)});
        if (!this.oidcConfig.useCookie()) {
            serverResponse.send();
            return "done";
        }
        try {
            String encodeToString = Base64.getEncoder().encodeToString(JSON_BUILDER_FACTORY.createObjectBuilder().add("accessToken", string).add("remotePeer", serverRequest.remotePeer().host()).build().toString().getBytes(StandardCharsets.UTF_8));
            ServerResponseHeaders headers = serverResponse.headers();
            headers.addCookie(this.oidcConfig.tenantCookieHandler().createCookie(str).build());
            headers.addCookie(this.tokenCookieHandler.createCookie(encodeToString).build());
            if (string3 != null) {
                headers.addCookie(this.refreshTokenCookieHandler.createCookie(string3).build());
            }
            if (string2 != null) {
                headers.addCookie(this.idTokenCookieHandler.createCookie(string2).build());
            }
            serverResponse.send();
            return "done";
        } catch (Exception e) {
            sendError(serverResponse, e);
            return "done";
        }
    }

    private String encode(String str) {
        return URLEncoder.encode(str, StandardCharsets.UTF_8);
    }

    private void sendError(ServerResponse serverResponse, Throwable th) {
        if (LOGGER.isLoggable(System.Logger.Level.TRACE)) {
            LOGGER.log(System.Logger.Level.TRACE, "Failed to process OIDC request", th);
        }
        serverResponse.status(Status.INTERNAL_SERVER_ERROR_500).send();
    }

    private Optional<String> processError(ServerResponse serverResponse, Status status, String str) {
        LOGGER.log(System.Logger.Level.DEBUG, "Invalid token or failed request when connecting to OIDC Token Endpoint. Response: " + str + ", response status: " + String.valueOf(status));
        sendErrorResponse(serverResponse);
        return Optional.empty();
    }

    private Optional<String> processError(ServerResponse serverResponse, Throwable th, String str) {
        LOGGER.log(System.Logger.Level.DEBUG, str, th);
        sendErrorResponse(serverResponse);
        return Optional.empty();
    }

    private void sendErrorResponse(ServerResponse serverResponse) {
        serverResponse.status(Status.UNAUTHORIZED_401);
        serverResponse.send("Not a valid authorization code");
    }

    String increaseRedirectCounter(String str) {
        if (!str.contains("?")) {
            return str + "?" + this.oidcConfig.redirectAttemptParam() + "=1";
        }
        Matcher matcher = Pattern.compile(".*?(" + this.oidcConfig.redirectAttemptParam() + "=\\d+).*").matcher(str);
        if (!matcher.matches()) {
            return str + "&" + this.oidcConfig.redirectAttemptParam() + "=1";
        }
        String group = matcher.group(1);
        return str.replace(group, this.oidcConfig.redirectAttemptParam() + "=" + (Integer.parseInt(group.substring(group.lastIndexOf(61) + 1)) + 1));
    }

    private void processError(ServerRequest serverRequest, ServerResponse serverResponse) {
        String str = (String) serverRequest.query().first("error").orElse("invalid_request");
        String str2 = (String) serverRequest.query().first("error_description").orElseGet(() -> {
            return "Failed to process authorization request. Expected redirect from OIDC server with code parameter, but got: " + String.valueOf(serverRequest.query());
        });
        LOGGER.log(System.Logger.Level.WARNING, () -> {
            return "Received request on OIDC endpoint with no code. Error: " + str + " Error description: " + str2;
        });
        serverResponse.status(Status.BAD_REQUEST_400);
        serverResponse.send("{\"error\": \"" + str + "\", \"error_description\": \"" + str2 + "\"}");
    }

    private CorsSupport prepareCrossOriginSupport(String str, CrossOriginConfig crossOriginConfig) {
        if (crossOriginConfig == null) {
            return null;
        }
        return CorsSupport.builder().addCrossOrigin(str, crossOriginConfig).build();
    }
}
