package com.atlassian.plugins.authentication.sso.web.oidc;

import com.atlassian.plugins.authentication.api.config.IdpConfigService;
import com.atlassian.plugins.authentication.api.config.JustInTimeConfig;
import com.atlassian.plugins.authentication.api.config.SsoType;
import com.atlassian.plugins.authentication.api.config.oidc.OidcConfig;
import com.atlassian.plugins.authentication.sso.util.ApplicationStateValidator;
import com.atlassian.plugins.authentication.sso.web.AbstractConsumerServlet;
import com.atlassian.plugins.authentication.sso.web.AuthenticationHandlerNotConfiguredException;
import com.atlassian.plugins.authentication.sso.web.AuthenticationHandlerProvider;
import com.atlassian.plugins.authentication.sso.web.SessionData;
import com.atlassian.plugins.authentication.sso.web.SessionDataService;
import com.atlassian.plugins.authentication.sso.web.usercontext.AuthenticationFailedException;
import com.atlassian.plugins.authentication.sso.web.usercontext.PrincipalResolver;
import com.atlassian.plugins.authentication.sso.web.usercontext.impl.jit.ProvisioningService;
import com.atlassian.plugins.authentication.sso.web.usercontext.impl.jit.mapping.MappingExpression;
import com.atlassian.plugins.authentication.sso.web.usercontext.impl.jit.mapping.OidcUserDataFromIdpMapper;
import com.atlassian.plugins.authentication.sso.web.usercontext.rememberme.RememberMeCookieHandler;
import com.atlassian.sal.api.ApplicationProperties;
import com.atlassian.sal.api.auth.AuthenticationListener;
import com.atlassian.sal.api.message.I18nResolver;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.Maps;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.oauth2.sdk.AuthorizationCode;
import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
import com.nimbusds.oauth2.sdk.ErrorObject;
import com.nimbusds.oauth2.sdk.SerializeException;
import com.nimbusds.oauth2.sdk.TokenErrorResponse;
import com.nimbusds.oauth2.sdk.TokenRequest;
import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.http.HTTPResponse;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.oauth2.sdk.token.Tokens;
import com.nimbusds.openid.connect.sdk.AuthenticationResponse;
import com.nimbusds.openid.connect.sdk.AuthenticationResponseParser;
import com.nimbusds.openid.connect.sdk.AuthenticationSuccessResponse;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
import com.nimbusds.openid.connect.sdk.UserInfoRequest;
import com.nimbusds.openid.connect.sdk.UserInfoResponse;
import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
import com.nimbusds.openid.connect.sdk.validators.IDTokenClaimsVerifier;
import java.io.IOException;
import java.net.URI;
import java.security.Principal;
import java.text.ParseException;
import java.time.Duration;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import javax.annotation.Nonnull;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.minidev.json.JSONObject;
import org.jetbrains.annotations.NotNull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/atlassian/plugins/authentication/sso/web/oidc/OidcConsumerServlet.class */
public class OidcConsumerServlet extends AbstractConsumerServlet {
    public static final String CALLBACK_URL = "/plugins/servlet/oidc/callback";
    private final AuthenticationHandlerProvider authenticationHandlerProvider;
    private final OidcUserDataFromIdpMapper mapper;
    private final OidcTimeouts oidcTimeouts;
    private static final Logger log = LoggerFactory.getLogger(OidcConsumerServlet.class);
    private static final String MAX_CLOCK_SKEW_PROPERTY_NAME = "com.atlassian.plugins.authentication.impl.web.oidc.OidcConsumerServlet.maxClockSkewSeconds";
    private static final Duration MAX_CLOCK_SKEW = (Duration) Optional.ofNullable(System.getProperty(MAX_CLOCK_SKEW_PROPERTY_NAME)).map(Integer::parseInt).map((v0) -> {
        return Duration.ofSeconds(v0);
    }).orElse(Duration.ofSeconds(60));

    @Inject
    public OidcConsumerServlet(ApplicationProperties applicationProperties, IdpConfigService idpConfigService, AuthenticationHandlerProvider authenticationHandlerProvider, PrincipalResolver principalResolver, SessionDataService sessionDataService, AuthenticationListener authenticationListener, I18nResolver i18nResolver, RememberMeCookieHandler rememberMeCookieHandler, ApplicationStateValidator applicationStateValidator, ProvisioningService provisioningService, OidcUserDataFromIdpMapper oidcUserDataFromIdpMapper, OidcTimeouts oidcTimeouts) {
        super(applicationProperties, principalResolver, sessionDataService, authenticationListener, i18nResolver, rememberMeCookieHandler, applicationStateValidator, idpConfigService, provisioningService);
        this.authenticationHandlerProvider = authenticationHandlerProvider;
        this.mapper = oidcUserDataFromIdpMapper;
        this.oidcTimeouts = oidcTimeouts;
    }

    protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        AuthenticationSuccessResponse parseResponse = parseResponse(httpServletRequest);
        SessionData orElseThrow = this.sessionDataService.getSessionData(httpServletRequest, httpServletResponse, parseResponse.getState().getValue()).orElseThrow(() -> {
            return new AuthenticationFailedException("Unknown state in response");
        });
        OidcConfig fetchOidcConfigFromSession = fetchOidcConfigFromSession(orElseThrow);
        this.applicationStateValidator.checkCanProcessAuthenticationRequest(fetchOidcConfigFromSession);
        OIDCTokens oidcTokens = getOidcTokens(parseResponse, fetchOidcConfigFromSession);
        String username = getUsername(oidcTokens, orElseThrow, fetchOidcConfigFromSession);
        JustInTimeConfig justInTimeConfig = fetchOidcConfigFromSession.getJustInTimeConfig();
        Optional empty = Optional.empty();
        if (justInTimeConfig.isEnabled().orElse(false).booleanValue()) {
            this.provisioningService.handleJustInTimeProvisioning(this.mapper.mapUser(oidcTokens, username, fetchOidcConfigFromSession), httpServletRequest);
        }
        Principal principal = (Principal) empty.orElseGet(() -> {
            return this.principalResolver.resolvePrincipal(username, httpServletRequest).orElseThrow(() -> {
                return new AuthenticationFailedException("Received SSO request for user " + username + ", but the user does not exist");
            });
        });
        if (!this.principalResolver.isAllowedToAuthenticate(principal, httpServletRequest)) {
            throw new AuthenticationFailedException("Received SSO request for user " + username + ", but the user is not permitted to log in");
        }
        authenticationSuccess(httpServletRequest, httpServletResponse, principal, "oidc.authentication.successful");
        String extractTargetUrlOrReturnBaseUrl = this.sessionDataService.extractTargetUrlOrReturnBaseUrl(Optional.of(orElseThrow));
        log.debug("Authenticated user {} from IDP with ID '{}', redirecting to {}", new Object[]{principal.getName(), fetchOidcConfigFromSession.getId(), extractTargetUrlOrReturnBaseUrl});
        refreshRememberMeCookieIfNeeded(fetchOidcConfigFromSession, httpServletRequest, httpServletResponse, principal);
        httpServletResponse.sendRedirect(extractTargetUrlOrReturnBaseUrl);
    }

    private String getUsername(OIDCTokens oIDCTokens, SessionData sessionData, OidcConfig oidcConfig) {
        Preconditions.checkState(sessionData.getAuthenticationRequest() instanceof OidcAuthenticationRequest);
        OidcAuthenticationRequest oidcAuthenticationRequest = (OidcAuthenticationRequest) sessionData.getAuthenticationRequest();
        try {
            JWTClaimsSet jWTClaimsSet = oIDCTokens.getIDToken().getJWTClaimsSet();
            new IDTokenClaimsVerifier(new Issuer(oidcConfig.getIssuer()), new ClientID(oidcConfig.getClientId()), Nonce.parse(oidcAuthenticationRequest.getNonce()), (int) MAX_CLOCK_SKEW.getSeconds()).verify(jWTClaimsSet, null);
            return new MappingExpression(Strings.isNullOrEmpty(oidcConfig.getUsernameClaim()) ? "${sub}" : oidcConfig.getUsernameClaim()).evaluateWithValues(str -> {
                return getUsernameFromCustomClaim(oidcConfig, oIDCTokens, jWTClaimsSet, str);
            });
        } catch (BadJWTException | ParseException e) {
            throw new AuthenticationFailedException("ID token parsing failed", e);
        }
    }

    @NotNull
    private OIDCTokens getOidcTokens(AuthenticationSuccessResponse authenticationSuccessResponse, OidcConfig oidcConfig) {
        return exchangeAuthorizationCodeForTokens(prepareTokenRequest(authenticationSuccessResponse.getAuthorizationCode(), oidcConfig));
    }

    private AuthenticationSuccessResponse parseResponse(HttpServletRequest httpServletRequest) {
        try {
            AuthenticationResponse parse = AuthenticationResponseParser.parse(URI.create(httpServletRequest.getRequestURL().toString()), (Map<String, List<String>>) Maps.transformValues(httpServletRequest.getParameterMap(), (v0) -> {
                return ImmutableList.copyOf(v0);
            }));
            if (parse.indicatesSuccess()) {
                return parse.toSuccessResponse();
            }
            throw toException("Error when fetching authorization response", parse.toErrorResponse().getErrorObject());
        } catch (com.nimbusds.oauth2.sdk.ParseException e) {
            throw new AuthenticationFailedException("Parsing authentication response failed", e);
        }
    }

    private OidcConfig fetchOidcConfigFromSession(SessionData sessionData) {
        return OidcConfig.from(this.idpConfigService.getIdpConfig(Long.valueOf(sessionData.getIdpConfigId()))).orElseThrow(() -> {
            return new AuthenticationHandlerNotConfiguredException("Session IDP Config is not OIDC in OIDC callback");
        });
    }

    @VisibleForTesting
    @Nonnull
    OIDCTokens exchangeAuthorizationCodeForTokens(TokenRequest tokenRequest) {
        try {
            HTTPRequest hTTPRequest = tokenRequest.toHTTPRequest();
            hTTPRequest.setConnectTimeout(this.oidcTimeouts.getConnectTimeoutInMillis());
            hTTPRequest.setReadTimeout(this.oidcTimeouts.getReadTimeoutInMillis());
            HTTPResponse send = hTTPRequest.send();
            if (send.getStatusCode() == 200) {
                return OIDCTokenResponse.parse(send).getOIDCTokens();
            }
            ErrorObject errorObject = TokenErrorResponse.parse(send).getErrorObject();
            if (errorObject.getCode() == null && errorObject.getDescription() == null) {
                log.debug("Received invalid response when exchanging authorization tokens: {}", send.getContent());
            }
            throw toException("Exchanging authorization tokens failed", errorObject);
        } catch (com.nimbusds.oauth2.sdk.ParseException | SerializeException | IOException e) {
            throw new AuthenticationFailedException("Exchanging authorization tokens failed.", e);
        }
    }

    private String getUsernameFromCustomClaim(OidcConfig oidcConfig, OIDCTokens oIDCTokens, JWTClaimsSet jWTClaimsSet, String str) {
        try {
            log.debug("Looking for a username in ID token by checking custom claim [{}]", str);
            String stringClaim = jWTClaimsSet.getStringClaim(str);
            if (!Strings.isNullOrEmpty(stringClaim)) {
                return stringClaim;
            }
            log.debug("Custom claim with a username in ID token not found. Request to the userinfo endpoint will be sent.");
            return getUsernameFromUserInfoEndpoint(oIDCTokens, str, oidcConfig.getUserInfoEndpoint());
        } catch (ParseException e) {
            throw new AuthenticationFailedException("ID token parsing failed", e);
        }
    }

    @Nonnull
    private String getUsernameFromUserInfoEndpoint(Tokens tokens, String str, String str2) {
        JSONObject jSONObject = getUserInfoResponse(new UserInfoRequest(URI.create(str2), (BearerAccessToken) tokens.getAccessToken())).getUserInfo().toJSONObject();
        String asString = jSONObject.getAsString(str);
        if (!Strings.isNullOrEmpty(asString)) {
            return asString;
        }
        log.debug("Couldn't find claim representing username [{}] within the set of claims returned from userinfo endpoint: {}", str, jSONObject.keySet().toString());
        throw new AuthenticationFailedException("Couldn't find claim representing username");
    }

    @VisibleForTesting
    @Nonnull
    UserInfoSuccessResponse getUserInfoResponse(UserInfoRequest userInfoRequest) {
        try {
            HTTPRequest hTTPRequest = userInfoRequest.toHTTPRequest();
            hTTPRequest.setReadTimeout(this.oidcTimeouts.getReadTimeoutInMillis());
            hTTPRequest.setConnectTimeout(this.oidcTimeouts.getConnectTimeoutInMillis());
            UserInfoResponse parse = UserInfoResponse.parse(hTTPRequest.send());
            if (parse.indicatesSuccess()) {
                return parse.toSuccessResponse();
            }
            throw toException("Error when fetching data from userinfo endpoint", parse.toErrorResponse().getErrorObject());
        } catch (com.nimbusds.oauth2.sdk.ParseException | SerializeException | IOException e) {
            throw new AuthenticationFailedException("Error when fetching data from userinfo endpoint");
        }
    }

    private AuthenticationFailedException toException(String str, ErrorObject errorObject) {
        return new AuthenticationFailedException(str + ". Error: " + errorObject.toJSONObject().toString());
    }

    @Nonnull
    private TokenRequest prepareTokenRequest(AuthorizationCode authorizationCode, OidcConfig oidcConfig) {
        return new TokenRequest(URI.create(oidcConfig.getTokenEndpoint()), new ClientSecretBasic(new ClientID(oidcConfig.getClientId()), new Secret(oidcConfig.getClientSecret())), new AuthorizationCodeGrant(authorizationCode, getRedirectUri()));
    }

    @Nonnull
    private URI getRedirectUri() {
        return URI.create(this.authenticationHandlerProvider.getAuthenticationHandler(SsoType.OIDC).getConsumerServletUrl());
    }

    private void refreshRememberMeCookieIfNeeded(OidcConfig oidcConfig, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Principal principal) {
        if (oidcConfig.isEnableRememberMe()) {
            this.rememberMeCookieHandler.refreshRememberMeCookie(httpServletRequest, httpServletResponse, principal);
            log.debug("Refreshed 'remember me' cookie for {}", principal.getName());
        }
    }
}
