package com.liferay.portal.security.sso.openid.connect.internal;

import com.liferay.oauth.client.persistence.model.OAuthClientEntry;
import com.liferay.oauth.client.persistence.service.OAuthClientEntryLocalService;
import com.liferay.petra.function.UnsafeConsumer;
import com.liferay.petra.string.StringBundler;
import com.liferay.portal.kernel.exception.PortalException;
import com.liferay.portal.kernel.exception.SystemException;
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.service.ServiceContextFactory;
import com.liferay.portal.kernel.util.HashMapBuilder;
import com.liferay.portal.kernel.util.Portal;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.security.sso.openid.connect.OpenIdConnectAuthenticationHandler;
import com.liferay.portal.security.sso.openid.connect.OpenIdConnectServiceException;
import com.liferay.portal.security.sso.openid.connect.internal.session.manager.OfflineOpenIdConnectSessionManager;
import com.liferay.portal.security.sso.openid.connect.internal.util.OpenIdConnectProviderUtil;
import com.liferay.portal.security.sso.openid.connect.internal.util.OpenIdConnectRequestParametersUtil;
import com.liferay.portal.security.sso.openid.connect.internal.util.OpenIdConnectTokenRequestUtil;
import com.nimbusds.langtag.LangTag;
import com.nimbusds.langtag.LangTagException;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.State;
import com.nimbusds.oauth2.sdk.pkce.CodeChallenge;
import com.nimbusds.oauth2.sdk.pkce.CodeChallengeMethod;
import com.nimbusds.oauth2.sdk.pkce.CodeVerifier;
import com.nimbusds.oauth2.sdk.token.AccessToken;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.oauth2.sdk.util.JSONObjectUtils;
import com.nimbusds.openid.connect.sdk.AuthenticationErrorResponse;
import com.nimbusds.openid.connect.sdk.AuthenticationRequest;
import com.nimbusds.openid.connect.sdk.AuthenticationResponse;
import com.nimbusds.openid.connect.sdk.AuthenticationResponseParser;
import com.nimbusds.openid.connect.sdk.AuthenticationSuccessResponse;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
import com.nimbusds.openid.connect.sdk.UserInfoRequest;
import com.nimbusds.openid.connect.sdk.UserInfoResponse;
import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import com.nimbusds.openid.connect.sdk.claims.UserInfo;
import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientInformation;
import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import net.minidev.json.JSONObject;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

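/**
 * Drives the OpenID Connect authorization-code login for the portal.
 *
 * <p>{@link #requestAuthentication(long, HttpServletRequest, HttpServletResponse)} builds
 * the authentication request (PKCE S256 challenge, nonce, state, redirect URI and, when
 * available, the UI locale), records the pending request in the HTTP session and redirects
 * the browser to the provider's authorization endpoint.
 * {@link #processAuthenticationResponse(HttpServletRequest, HttpServletResponse, UnsafeConsumer)}
 * consumes that pending request on the callback, checks the returned state against the one
 * that was issued, exchanges the code for tokens, fetches the user info, maps it to a portal
 * user and starts the offline OpenID Connect session.</p>
 *
 * <p>Not thread-safe by design: per-request state lives in the {@link HttpSession}, the
 * injected services are shared.</p>
 */
@Component(service = {OpenIdConnectAuthenticationHandler.class})
/* loaded from: input_file:com/liferay/portal/security/sso/openid/connect/internal/OpenIdConnectAuthenticationHandlerImpl.class */
public class OpenIdConnectAuthenticationHandlerImpl implements OpenIdConnectAuthenticationHandler {

    /**
     * Completes a login started by {@link #requestAuthentication(long, HttpServletRequest, HttpServletResponse)}.
     *
     * <p>The pending authentication session attribute is removed before anything else happens,
     * so a callback can be processed against it at most once. The response state is validated
     * before the code is exchanged, and the code verifier and nonce stored with the pending
     * request are handed to the token request.</p>
     *
     * @param httpServletRequest the callback request from the provider
     * @param httpServletResponse the response (unused here, part of the handler contract)
     * @param unsafeConsumer receives the resolved portal user id before the offline session is started
     * @throws Exception if the pending request is missing a matching state, the token exchange,
     *         user info request or user mapping fails, or the consumer throws
     */
    public void processAuthenticationResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, UnsafeConsumer<Long, Exception> unsafeConsumer) throws Exception {
        HttpSession httpSession = httpServletRequest.getSession();

        // Consume the pending request on first use; a replayed callback finds nothing to match
        OpenIdConnectAuthenticationSession authenticationSession = (OpenIdConnectAuthenticationSession) httpSession.getAttribute(_OPEN_ID_CONNECT_AUTHENTICATION_SESSION);

        httpSession.removeAttribute(_OPEN_ID_CONNECT_AUTHENTICATION_SESSION);

        if (authenticationSession == null) {
            if (_log.isDebugEnabled()) {
                _log.debug("OpenId Connect authentication was not requested or removed");
            }

            return;
        }

        AuthenticationSuccessResponse authenticationSuccessResponse = _getAuthenticationSuccessResponse(httpServletRequest);

        // Bind the callback to the request this session issued before any token is exchanged
        _validateState(authenticationSession.getState(), authenticationSuccessResponse.getState());

        OAuthClientEntry oAuthClientEntry = _oAuthClientEntryLocalService.getOAuthClientEntry(authenticationSession.getOAuthClientEntryId());

        OIDCClientInformation oidcClientInformation = OIDCClientInformation.parse(JSONObjectUtils.parse(oAuthClientEntry.getInfoJSON()));

        OIDCProviderMetadata oidcProviderMetadata = _authorizationServerMetadataResolver.resolveOIDCProviderMetadata(oAuthClientEntry.getAuthServerWellKnownURI());

        // The same redirect URI that was sent in the authentication request is sent again here
        OIDCTokens oidcTokens = OpenIdConnectTokenRequestUtil.request(
            authenticationSuccessResponse, authenticationSession.getCodeVerifier(), authenticationSession.getNonce(), oidcClientInformation, oidcProviderMetadata, _getLoginRedirectURI(httpServletRequest), oAuthClientEntry.getTokenRequestParametersJSON());

        long userId = _oidcUserInfoProcessor.processUserInfo(
            _portal.getCompanyId(httpServletRequest), String.valueOf(oidcProviderMetadata.getIssuer()), ServiceContextFactory.getInstance(httpServletRequest), _requestUserInfoJSON(oidcTokens.getAccessToken(), oidcProviderMetadata), oAuthClientEntry.getOIDCUserInfoMapperJSON());

        unsafeConsumer.accept(userId);

        // Re-fetched rather than reused: the consumer may have replaced the session
        // (presumably session renewal on login) — confirm with the callers
        httpSession = httpServletRequest.getSession();

        long openIdConnectSessionId = _offlineOpenIdConnectSessionManager.startOpenIdConnectSession(
            oAuthClientEntry.getAuthServerWellKnownURI(), String.valueOf(oidcClientInformation.getID()), oidcTokens, userId);

        httpSession.setAttribute(
            _OPEN_ID_CONNECT_SESSION,
            new OpenIdConnectSessionImpl(openIdConnectSessionId, oAuthClientEntry.getAuthServerWellKnownURI(), authenticationSession.getNonce(), authenticationSession.getState(), userId));
        httpSession.setAttribute(_OPEN_ID_CONNECT_SESSION_ID, openIdConnectSessionId);
    }

    /**
     * Starts a login against the OAuth client entry with the given id.
     *
     * <p>Generates a fresh PKCE code verifier, nonce and state, stores them together with the
     * entry id in the HTTP session, and redirects the browser to the provider's authorization
     * endpoint. The pending request is stored before the redirect is sent so the callback can
     * never arrive before it is recorded.</p>
     *
     * @param oAuthClientEntryId the primary key of the OAuth client entry to authenticate against
     * @param httpServletRequest the current request; its session receives the pending request
     * @param httpServletResponse the response used for the redirect
     * @throws PortalException if the entry cannot be loaded or building/sending the request fails
     */
    public void requestAuthentication(long oAuthClientEntryId, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws PortalException {
        HttpSession httpSession = httpServletRequest.getSession();

        // An offline session id from an earlier login must not outlive a new authentication request
        if (httpSession.getAttribute(_OPEN_ID_CONNECT_SESSION_ID) != null) {
            httpSession.removeAttribute(_OPEN_ID_CONNECT_SESSION_ID);
        }

        CodeVerifier codeVerifier = new CodeVerifier();

        OAuthClientEntry oAuthClientEntry = _oAuthClientEntryLocalService.getOAuthClientEntry(oAuthClientEntryId);

        // One map feeds both the outgoing request and the pending session, so the nonce and
        // state stored for the callback are exactly the values sent to the provider. The keys
        // are shared constants with _getAuthenticationRequestURI; a mismatched key silently
        // drops the parameter.
        Map<String, Object> authenticationRequestParameters = HashMapBuilder.<String, Object>put(
            _CODE_CHALLENGE, CodeChallenge.compute(CodeChallengeMethod.S256, codeVerifier)
        ).put(
            IDTokenClaimsSet.NONCE_CLAIM_NAME, new Nonce()
        ).put(
            _REDIRECT_URI, _getLoginRedirectURI(httpServletRequest)
        ).put(
            _STATE, new State()
        ).put(
            _UI_LOCALES, _getLangTags(httpServletRequest)
        ).build();

        try {
            OIDCProviderMetadata oidcProviderMetadata = _authorizationServerMetadataResolver.resolveOIDCProviderMetadata(oAuthClientEntry.getAuthServerWellKnownURI());

            URI authenticationRequestURI = _getAuthenticationRequestURI(
                oidcProviderMetadata.getAuthorizationEndpointURI(), oAuthClientEntry.getAuthRequestParametersJSON(), oAuthClientEntry.getClientId(), authenticationRequestParameters);

            if (_log.isDebugEnabled()) {
                _log.debug("Authentication request query: " + authenticationRequestURI.getQuery());
            }

            // Record the pending request before the response is committed by the redirect
            httpSession.setAttribute(
                _OPEN_ID_CONNECT_AUTHENTICATION_SESSION,
                new OpenIdConnectAuthenticationSession(codeVerifier, (Nonce) authenticationRequestParameters.get(IDTokenClaimsSet.NONCE_CLAIM_NAME), oAuthClientEntryId, (State) authenticationRequestParameters.get(_STATE)));

            httpServletResponse.sendRedirect(authenticationRequestURI.toString());
        } catch (Exception exception) {
            throw new PortalException(exception);
        }
    }

    /**
     * Starts a login against the provider with the given name, resolved to an OAuth client
     * entry id for the request's company.
     *
     * @param providerName the provider name passed to {@link OpenIdConnectProviderUtil#getOAuthClientEntryId}
     * @param httpServletRequest the current request
     * @param httpServletResponse the response used for the redirect
     * @throws PortalException if the name cannot be resolved or the login cannot be started
     */
    public void requestAuthentication(String providerName, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws PortalException {
        long oAuthClientEntryId = OpenIdConnectProviderUtil.getOAuthClientEntryId(_portal.getCompanyId(httpServletRequest), providerName, _oAuthClientEntryLocalService);

        requestAuthentication(oAuthClientEntryId, httpServletRequest, httpServletResponse);
    }

    /**
     * Builds the authorization endpoint URI for the authentication request.
     *
     * @param authorizationEndpointURI the provider's authorization endpoint
     * @param authRequestParametersJSON the entry's auth request parameters JSON (response type,
     *        scope, resources and custom parameters are read from it)
     * @param clientId the client id registered with the provider
     * @param parameters the per-request values keyed by {@code _CODE_CHALLENGE},
     *        {@code IDTokenClaimsSet.NONCE_CLAIM_NAME}, {@code _REDIRECT_URI}, {@code _STATE}
     *        and {@code _UI_LOCALES}
     * @return the complete request URI including the query string
     * @throws Exception if the JSON cannot be parsed or the request cannot be built
     */
    private URI _getAuthenticationRequestURI(URI authorizationEndpointURI, String authRequestParametersJSON, String clientId, Map<String, Object> parameters) throws Exception {
        JSONObject authRequestParametersJSONObject = JSONObjectUtils.parse(authRequestParametersJSON);

        // Null when no locale was available; the builder accepts that as "no ui_locales"
        @SuppressWarnings("unchecked")
        List<LangTag> langTags = (List<LangTag>) parameters.get(_UI_LOCALES);

        AuthenticationRequest.Builder builder = new AuthenticationRequest.Builder(
            OpenIdConnectRequestParametersUtil.getResponseType(authRequestParametersJSONObject), OpenIdConnectRequestParametersUtil.getScope(authRequestParametersJSONObject), new ClientID(clientId), (URI) parameters.get(_REDIRECT_URI)
        ).endpointURI(
            authorizationEndpointURI
        ).codeChallenge(
            (CodeChallenge) parameters.get(_CODE_CHALLENGE), CodeChallengeMethod.S256
        ).nonce(
            (Nonce) parameters.get(IDTokenClaimsSet.NONCE_CLAIM_NAME)
        ).resources(
            OpenIdConnectRequestParametersUtil.getResourceURIs(authRequestParametersJSONObject)
        ).state(
            (State) parameters.get(_STATE)
        ).uiLocales(
            langTags
        );

        // Provider-specific extras from the entry's JSON are appended as custom parameters
        OpenIdConnectRequestParametersUtil.consumeCustomRequestParameters(builder::customParameter, authRequestParametersJSONObject);

        return builder.build().toURI();
    }

    /**
     * Parses the provider's callback (request URL plus query string) into a success response.
     *
     * @param httpServletRequest the callback request
     * @return the parsed success response
     * @throws OpenIdConnectServiceException.AuthenticationException if the provider returned an
     *         error response (its error object is the message) or the URL cannot be parsed
     */
    private AuthenticationSuccessResponse _getAuthenticationSuccessResponse(HttpServletRequest httpServletRequest) throws OpenIdConnectServiceException.AuthenticationException {
        StringBuffer requestURL = httpServletRequest.getRequestURL();

        String queryString = httpServletRequest.getQueryString();

        if (Validator.isNotNull(queryString)) {
            requestURL.append("?");
            requestURL.append(queryString);
        }

        try {
            AuthenticationResponse authenticationResponse = AuthenticationResponseParser.parse(new URI(requestURL.toString()));

            if (authenticationResponse instanceof AuthenticationErrorResponse) {
                AuthenticationErrorResponse authenticationErrorResponse = (AuthenticationErrorResponse) authenticationResponse;

                throw new OpenIdConnectServiceException.AuthenticationException(authenticationErrorResponse.getErrorObject().toJSONObject().toString());
            }

            return (AuthenticationSuccessResponse) authenticationResponse;
        } catch (ParseException | URISyntaxException exception) {
            throw new OpenIdConnectServiceException.AuthenticationException(StringBundler.concat("Unable to process response from ", requestURL, ": ", exception.getMessage()), exception);
        }
    }

    /**
     * Returns the request's portal locale as a single-element language tag list.
     *
     * <p>Returns {@code null}, not an empty list, when no locale is available or the language
     * is not a valid tag; {@code null} is what keeps {@code ui_locales} out of the request
     * (an empty list is presumably not equivalent for the builder — confirm).</p>
     *
     * @param httpServletRequest the current request
     * @return a one-element list, or {@code null}
     */
    private List<LangTag> _getLangTags(HttpServletRequest httpServletRequest) {
        Locale locale = _portal.getLocale(httpServletRequest);

        if (locale == null) {
            return null;
        }

        try {
            return Collections.singletonList(new LangTag(locale.getLanguage()));
        } catch (LangTagException langTagException) {
            // Best effort: a missing ui_locales hint is not an error for the login
            if (_log.isDebugEnabled()) {
                _log.debug("Unable to create a lang tag with locale " + locale.getLanguage(), langTagException);
            }

            return null;
        }
    }

    /**
     * Returns the portal's OpenID Connect login callback URI.
     *
     * <p>Derived from the portal URL and context path only — never from a request parameter —
     * and used unchanged in both the authentication request and the token request.</p>
     *
     * @param httpServletRequest the current request, used to determine the portal URL
     * @return the callback URI
     * @throws SystemException if the assembled string is not a valid URI
     */
    private URI _getLoginRedirectURI(HttpServletRequest httpServletRequest) {
        String loginRedirectURL = StringBundler.concat(_portal.getPortalURL(httpServletRequest), _portal.getPathContext(), "/c/portal/login/openidconnect");

        try {
            return new URI(loginRedirectURL);
        } catch (URISyntaxException uriSyntaxException) {
            throw new SystemException("Unable to generate OpenId Connect login redirect URI: " + uriSyntaxException.getMessage(), uriSyntaxException);
        }
    }

    /**
     * Calls the provider's user info endpoint with the access token and returns the claims as
     * a JSON string.
     *
     * @param accessToken the access token from the token response; must be a bearer token
     * @param oidcProviderMetadata the provider metadata supplying the user info endpoint
     * @return the user info claims serialized as JSON
     * @throws OpenIdConnectServiceException.UserInfoException if the provider returns an
     *         error, the response cannot be parsed, or the request fails with an I/O error
     */
    private String _requestUserInfoJSON(AccessToken accessToken, OIDCProviderMetadata oidcProviderMetadata) throws OpenIdConnectServiceException.UserInfoException {
        URI userInfoEndpointURI = oidcProviderMetadata.getUserInfoEndpointURI();

        UserInfoRequest userInfoRequest = new UserInfoRequest(userInfoEndpointURI, (BearerAccessToken) accessToken);

        HTTPRequest httpRequest = userInfoRequest.toHTTPRequest();

        // NOTE(review): this Accept value is HttpURLConnection's default; why it is set
        // explicitly here is not visible in this file
        httpRequest.setAccept("text/html, image/gif, image/jpeg, */*; q=0.2, */*; q=0.2");

        try {
            UserInfoResponse userInfoResponse = UserInfoResponse.parse(httpRequest.send());

            if (userInfoResponse instanceof UserInfoErrorResponse) {
                UserInfoErrorResponse userInfoErrorResponse = (UserInfoErrorResponse) userInfoResponse;

                throw new OpenIdConnectServiceException.UserInfoException(userInfoErrorResponse.getErrorObject().toJSONObject().toString());
            }

            UserInfoSuccessResponse userInfoSuccessResponse = (UserInfoSuccessResponse) userInfoResponse;

            UserInfo userInfo = userInfoSuccessResponse.getUserInfo();

            // A JWT-wrapped response carries the claims in the JWT instead of plain JSON.
            // NOTE(review): no signature check is visible in this method; confirm where the
            // JWT is verified before its claims are trusted.
            if (userInfo == null) {
                userInfo = new UserInfo(userInfoSuccessResponse.getUserInfoJWT().getJWTClaimsSet());
            }

            return userInfo.toJSONString();
        } catch (ParseException | java.text.ParseException exception) {
            throw new OpenIdConnectServiceException.UserInfoException(StringBundler.concat("Unable to parse user information response from ", userInfoEndpointURI, ": ", exception.getMessage()), exception);
        } catch (IOException ioException) {
            throw new OpenIdConnectServiceException.UserInfoException(StringBundler.concat("Unable to get user information from ", userInfoEndpointURI, ": ", ioException.getMessage()), ioException);
        }
    }

    /**
     * Rejects a callback whose state is absent or differs from the state issued for the
     * pending request; this is what ties the provider's response to the session that started
     * the login.
     *
     * @param requestedState the state stored with the pending request (never {@code null};
     *        it is created with {@code new State()})
     * @param responseState the state returned by the provider, possibly {@code null}
     * @throws OpenIdConnectServiceException.AuthenticationException if the two do not match
     */
    private void _validateState(State requestedState, State responseState) throws OpenIdConnectServiceException.AuthenticationException {
        if ((responseState != null) && responseState.equals(requestedState)) {
            return;
        }

        // A missing response state must produce the same rejection, not a NullPointerException
        String responseStateValue = (responseState != null) ? responseState.getValue() : null;

        throw new OpenIdConnectServiceException.AuthenticationException(
            StringBundler.concat("Requested value \"", requestedState.getValue(), "\" and approved state \"", String.valueOf(responseStateValue), "\" do not match"));
    }

    // Keys of the per-request parameter map shared by requestAuthentication and
    // _getAuthenticationRequestURI; the nonce key is IDTokenClaimsSet.NONCE_CLAIM_NAME
    private static final String _CODE_CHALLENGE = "code_challenge";

    private static final String _OPEN_ID_CONNECT_AUTHENTICATION_SESSION = OpenIdConnectAuthenticationHandlerImpl.class.getName() + "#OPEN_ID_CONNECT_AUTHENTICATION_SESSION";

    // Session attribute names of the established login (values match the original literals)
    private static final String _OPEN_ID_CONNECT_SESSION = "OPEN_ID_CONNECT_SESSION";

    private static final String _OPEN_ID_CONNECT_SESSION_ID = "OPEN_ID_CONNECT_SESSION_ID";

    private static final String _REDIRECT_URI = "redirect_uri";

    private static final String _STATE = "state";

    private static final String _UI_LOCALES = "ui_locales";

    private static final Log _log = LogFactoryUtil.getLog(OpenIdConnectAuthenticationHandlerImpl.class);

    @Reference
    private AuthorizationServerMetadataResolver _authorizationServerMetadataResolver;

    @Reference
    private OAuthClientEntryLocalService _oAuthClientEntryLocalService;

    @Reference
    private OfflineOpenIdConnectSessionManager _offlineOpenIdConnectSessionManager;

    @Reference
    private OIDCUserInfoProcessor _oidcUserInfoProcessor;

    @Reference
    private Portal _portal;

}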
