package com.liferay.portal.security.sso.openid.connect.internal;

import com.liferay.petra.string.StringBundler;
import com.liferay.portal.kernel.exception.PortalException;
import com.liferay.portal.kernel.exception.SystemException;
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.service.ServiceContext;
import com.liferay.portal.kernel.service.ServiceContextFactory;
import com.liferay.portal.kernel.util.Portal;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.security.sso.openid.connect.OpenIdConnectFlowState;
import com.liferay.portal.security.sso.openid.connect.OpenIdConnectProvider;
import com.liferay.portal.security.sso.openid.connect.OpenIdConnectProviderRegistry;
import com.liferay.portal.security.sso.openid.connect.OpenIdConnectServiceException;
import com.liferay.portal.security.sso.openid.connect.OpenIdConnectServiceHandler;
import com.liferay.portal.security.sso.openid.connect.OpenIdConnectSession;
import com.liferay.portal.security.sso.openid.connect.internal.provider.OpenIdConnectSessionProviderImpl;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.util.DefaultResourceRetriever;
import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
import com.nimbusds.oauth2.sdk.AuthorizationGrant;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.RefreshTokenGrant;
import com.nimbusds.oauth2.sdk.ResponseType;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.TokenErrorResponse;
import com.nimbusds.oauth2.sdk.TokenRequest;
import com.nimbusds.oauth2.sdk.TokenResponse;
import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.State;
import com.nimbusds.oauth2.sdk.token.AccessToken;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.oauth2.sdk.token.RefreshToken;
import com.nimbusds.oauth2.sdk.token.Tokens;
import com.nimbusds.openid.connect.sdk.AuthenticationErrorResponse;
import com.nimbusds.openid.connect.sdk.AuthenticationRequest;
import com.nimbusds.openid.connect.sdk.AuthenticationResponse;
import com.nimbusds.openid.connect.sdk.AuthenticationResponseParser;
import com.nimbusds.openid.connect.sdk.AuthenticationSuccessResponse;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
import com.nimbusds.openid.connect.sdk.UserInfoRequest;
import com.nimbusds.openid.connect.sdk.UserInfoResponse;
import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import com.nimbusds.openid.connect.sdk.claims.UserInfo;
import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientInformation;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata;
import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Date;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

@Component(immediate = true, service = {OpenIdConnectServiceHandler.class})
/* loaded from: input_file:com/liferay/portal/security/sso/openid/connect/internal/OpenIdConnectServiceHandlerImpl.class */
public class OpenIdConnectServiceHandlerImpl implements OpenIdConnectServiceHandler {
    private static final Log _log = LogFactoryUtil.getLog(OpenIdConnectServiceHandlerImpl.class);

    @Reference
    private OpenIdConnectProviderRegistry<OIDCClientMetadata, OIDCProviderMetadata> _openIdConnectProviderRegistry;

    @Reference
    private OpenIdConnectSessionProviderImpl _openIdConnectSessionProviderImpl;

    @Reference
    private OpenIdConnectUserInfoProcessor _openIdConnectUserInfoProcessor;

    @Reference
    private Portal _portal;

    public boolean hasValidOpenIdConnectSession(HttpSession httpSession) throws OpenIdConnectServiceException.NoOpenIdConnectSessionException {
        OpenIdConnectSessionImpl openIdConnectSessionImpl = getOpenIdConnectSessionImpl(httpSession);
        if (hasValidAccessToken(openIdConnectSessionImpl)) {
            return true;
        }
        try {
            return refreshAuthToken(openIdConnectSessionImpl);
        } catch (OpenIdConnectServiceException e) {
            _log.error("Unable to refresh auth token: " + e.getMessage(), e);
            return false;
        }
    }

    public void processAuthenticationResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws PortalException {
        AuthenticationSuccessResponse authenticationSuccessResponse = getAuthenticationSuccessResponse(httpServletRequest);
        HttpSession session = httpServletRequest.getSession();
        OpenIdConnectSessionImpl openIdConnectSessionImpl = getOpenIdConnectSessionImpl(session);
        if (!OpenIdConnectFlowState.AUTH_REQUESTED.equals(openIdConnectSessionImpl.getOpenIdConnectFlowState())) {
            throw new OpenIdConnectServiceException.AuthenticationException(StringBundler.concat(new Object[]{"OpenId Connect login flow is not in the ", OpenIdConnectFlowState.AUTH_REQUESTED, " state: ", openIdConnectSessionImpl.getOpenIdConnectFlowState()}));
        }
        validateState(openIdConnectSessionImpl.getState(), authenticationSuccessResponse.getState());
        OpenIdConnectProvider<OIDCClientMetadata, OIDCProviderMetadata> findOpenIdConnectProvider = this._openIdConnectProviderRegistry.findOpenIdConnectProvider(openIdConnectSessionImpl.getOpenIdProviderName());
        OIDCProviderMetadata oIDCProviderMetadata = (OIDCProviderMetadata) findOpenIdConnectProvider.getOIDCProviderMetadata();
        updateSessionTokens(openIdConnectSessionImpl, requestIdToken(authenticationSuccessResponse, getOIDCClientInformation(findOpenIdConnectProvider), oIDCProviderMetadata, getLoginRedirectURI(httpServletRequest), openIdConnectSessionImpl.getNonce(), findOpenIdConnectProvider.geTokenConnectionTimeout()), System.currentTimeMillis(), false);
        ServiceContext serviceContextFactory = ServiceContextFactory.getInstance(httpServletRequest);
        processUserInfo(this._portal.getCompanyId(httpServletRequest), openIdConnectSessionImpl, oIDCProviderMetadata, serviceContextFactory.getPathMain(), serviceContextFactory.getPortalURL());
        openIdConnectSessionImpl.setOpenIdConnectFlowState(OpenIdConnectFlowState.AUTH_COMPLETE);
        OpenIdConnectSessionProviderImpl openIdConnectSessionProviderImpl = this._openIdConnectSessionProviderImpl;
        OpenIdConnectSessionProviderImpl.setOpenIdConnectSession(session, openIdConnectSessionImpl);
    }

    public void requestAuthentication(String str, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws PortalException {
        OpenIdConnectProvider<OIDCClientMetadata, OIDCProviderMetadata> findOpenIdConnectProvider = this._openIdConnectProviderRegistry.findOpenIdConnectProvider(str);
        HttpSession session = httpServletRequest.getSession();
        OpenIdConnectSessionImpl openIdConnectSessionImpl = getOpenIdConnectSessionImpl(session, str);
        if (openIdConnectSessionImpl == null) {
            openIdConnectSessionImpl = new OpenIdConnectSessionImpl(str, new Nonce(), new State());
        }
        URI authenticationRequestURI = getAuthenticationRequestURI(getLoginRedirectURI(httpServletRequest), findOpenIdConnectProvider, openIdConnectSessionImpl.getNonce(), openIdConnectSessionImpl.getState(), Scope.parse(findOpenIdConnectProvider.getScopes()));
        try {
            httpServletResponse.sendRedirect(authenticationRequestURI.toString());
            openIdConnectSessionImpl.setOpenIdConnectFlowState(OpenIdConnectFlowState.AUTH_REQUESTED);
            OpenIdConnectSessionProviderImpl openIdConnectSessionProviderImpl = this._openIdConnectSessionProviderImpl;
            OpenIdConnectSessionProviderImpl.setOpenIdConnectSession(session, openIdConnectSessionImpl);
        } catch (IOException e) {
            throw new SystemException(StringBundler.concat(new String[]{"Unable to send user to OpenId Connect service ", authenticationRequestURI.toString(), ": ", e.getMessage()}), e);
        }
    }

    protected URI getAuthenticationRequestURI(URI uri, OpenIdConnectProvider<OIDCClientMetadata, OIDCProviderMetadata> openIdConnectProvider, Nonce nonce, State state, Scope scope) throws OpenIdConnectServiceException.ProviderException {
        return new AuthenticationRequest(((OIDCProviderMetadata) openIdConnectProvider.getOIDCProviderMetadata()).getAuthorizationEndpointURI(), new ResponseType(ResponseType.Value.CODE), scope, getOIDCClientInformation(openIdConnectProvider).getID(), uri, state, nonce).toURI();
    }

    protected AuthenticationSuccessResponse getAuthenticationSuccessResponse(HttpServletRequest httpServletRequest) throws OpenIdConnectServiceException.AuthenticationException {
        StringBuffer requestURL = httpServletRequest.getRequestURL();
        if (Validator.isNotNull(httpServletRequest.getQueryString())) {
            requestURL.append("?");
            requestURL.append(httpServletRequest.getQueryString());
        }
        try {
            AuthenticationResponse parse = AuthenticationResponseParser.parse(new URI(requestURL.toString()));
            if (parse instanceof AuthenticationErrorResponse) {
                throw new OpenIdConnectServiceException.AuthenticationException(((AuthenticationErrorResponse) parse).getErrorObject().toJSONObject().toString());
            }
            return (AuthenticationSuccessResponse) parse;
        } catch (ParseException | URISyntaxException e) {
            throw new OpenIdConnectServiceException.AuthenticationException(StringBundler.concat(new String[]{"Unable to process response from ", requestURL.toString(), ": ", e.getMessage()}), e);
        }
    }

    protected URI getLoginRedirectURI(HttpServletRequest httpServletRequest) {
        try {
            StringBundler stringBundler = new StringBundler(3);
            stringBundler.append(this._portal.getPortalURL(httpServletRequest));
            stringBundler.append(this._portal.getPathContext());
            stringBundler.append("/c/portal/login/openidconnect");
            return new URI(stringBundler.toString());
        } catch (URISyntaxException e) {
            throw new SystemException("Unable to generate OpenId Connect login redirect URI: " + e.getMessage(), e);
        }
    }

    protected OIDCClientInformation getOIDCClientInformation(OpenIdConnectProvider<OIDCClientMetadata, OIDCProviderMetadata> openIdConnectProvider) {
        return new OIDCClientInformation(new ClientID(openIdConnectProvider.getClientId()), new Date(), (OIDCClientMetadata) openIdConnectProvider.getOIDCClientMetadata(), new Secret(openIdConnectProvider.getClientSecret()));
    }

    protected OpenIdConnectSessionImpl getOpenIdConnectSessionImpl(HttpSession httpSession) throws OpenIdConnectServiceException.NoOpenIdConnectSessionException {
        OpenIdConnectSessionImpl openIdConnectSessionImpl = getOpenIdConnectSessionImpl(httpSession, null);
        if (openIdConnectSessionImpl == null) {
            throw new OpenIdConnectServiceException.NoOpenIdConnectSessionException("HTTP session does contain an OpenId Connect session");
        }
        return openIdConnectSessionImpl;
    }

    protected OpenIdConnectSessionImpl getOpenIdConnectSessionImpl(HttpSession httpSession, String str) {
        OpenIdConnectSession openIdConnectSession = this._openIdConnectSessionProviderImpl.getOpenIdConnectSession(httpSession);
        if (!(openIdConnectSession instanceof OpenIdConnectSessionImpl)) {
            return null;
        }
        OpenIdConnectSessionImpl openIdConnectSessionImpl = (OpenIdConnectSessionImpl) openIdConnectSession;
        if (Validator.isNull(str) || str.equals(openIdConnectSessionImpl.getOpenIdProviderName())) {
            return openIdConnectSessionImpl;
        }
        return null;
    }

    protected boolean hasValidAccessToken(OpenIdConnectSessionImpl openIdConnectSessionImpl) {
        AccessToken accessToken = openIdConnectSessionImpl.getAccessToken();
        if (accessToken == null) {
            return false;
        }
        return System.currentTimeMillis() - openIdConnectSessionImpl.getLoginTime() < accessToken.getLifetime() * 1000;
    }

    protected void processUserInfo(long j, OpenIdConnectSessionImpl openIdConnectSessionImpl, OIDCProviderMetadata oIDCProviderMetadata, String str, String str2) throws PortalException {
        UserInfo requestUserInfo = requestUserInfo(openIdConnectSessionImpl.getAccessToken(), oIDCProviderMetadata);
        openIdConnectSessionImpl.setLoginUserId(this._openIdConnectUserInfoProcessor.processUserInfo(requestUserInfo, j, str, str2));
        openIdConnectSessionImpl.setUserInfoJSONObject(requestUserInfo.toJSONObject());
    }

    protected boolean refreshAuthToken(OpenIdConnectSessionImpl openIdConnectSessionImpl) throws OpenIdConnectServiceException {
        if (hasValidAccessToken(openIdConnectSessionImpl)) {
            return true;
        }
        if (_log.isInfoEnabled()) {
            _log.info("User session auth token is invalid, attempting to use refresh token to obtain a valid auth token");
        }
        RefreshToken refreshToken = openIdConnectSessionImpl.getRefreshToken();
        if (refreshToken == null) {
            if (!_log.isInfoEnabled()) {
                return false;
            }
            _log.info("Unable to refresh auth token because no refresh token is supplied");
            return false;
        }
        OpenIdConnectProvider<OIDCClientMetadata, OIDCProviderMetadata> findOpenIdConnectProvider = this._openIdConnectProviderRegistry.findOpenIdConnectProvider(openIdConnectSessionImpl.getOpenIdProviderName());
        updateSessionTokens(openIdConnectSessionImpl, requestRefreshToken(refreshToken, getOIDCClientInformation(findOpenIdConnectProvider), (OIDCProviderMetadata) findOpenIdConnectProvider.getOIDCProviderMetadata(), findOpenIdConnectProvider.geTokenConnectionTimeout()), System.currentTimeMillis(), true);
        return true;
    }

    protected Tokens requestIdToken(AuthenticationSuccessResponse authenticationSuccessResponse, OIDCClientInformation oIDCClientInformation, OIDCProviderMetadata oIDCProviderMetadata, URI uri, Nonce nonce, int i) throws OpenIdConnectServiceException.TokenException {
        return requestTokens(oIDCClientInformation, oIDCProviderMetadata, nonce, new AuthorizationCodeGrant(authenticationSuccessResponse.getAuthorizationCode(), uri), i);
    }

    protected Tokens requestRefreshToken(RefreshToken refreshToken, OIDCClientInformation oIDCClientInformation, OIDCProviderMetadata oIDCProviderMetadata, int i) throws OpenIdConnectServiceException {
        return requestTokens(oIDCClientInformation, oIDCProviderMetadata, null, new RefreshTokenGrant(refreshToken), i);
    }

    protected Tokens requestTokens(OIDCClientInformation oIDCClientInformation, OIDCProviderMetadata oIDCProviderMetadata, Nonce nonce, AuthorizationGrant authorizationGrant, int i) throws OpenIdConnectServiceException.TokenException {
        ClientSecretBasic clientSecretBasic = new ClientSecretBasic(oIDCClientInformation.getID(), oIDCClientInformation.getSecret());
        URI tokenEndpointURI = oIDCProviderMetadata.getTokenEndpointURI();
        try {
            TokenResponse parse = OIDCTokenResponseParser.parse(new TokenRequest(tokenEndpointURI, clientSecretBasic, authorizationGrant).toHTTPRequest().send());
            if (parse instanceof TokenErrorResponse) {
                throw new OpenIdConnectServiceException.TokenException(((TokenErrorResponse) parse).getErrorObject().toJSONObject().toString());
            }
            OIDCTokenResponse oIDCTokenResponse = (OIDCTokenResponse) parse;
            validateToken(oIDCClientInformation, nonce, oIDCProviderMetadata, oIDCTokenResponse, i);
            return oIDCTokenResponse.getTokens();
        } catch (ParseException e) {
            throw new OpenIdConnectServiceException.TokenException(StringBundler.concat(new Object[]{"Unable to parse tokens response from ", tokenEndpointURI, ": ", e.getMessage()}), e);
        } catch (IOException e2) {
            throw new OpenIdConnectServiceException.TokenException(StringBundler.concat(new Object[]{"Unable to get tokens from ", tokenEndpointURI, ": ", e2.getMessage()}), e2);
        }
    }

    protected UserInfo requestUserInfo(AccessToken accessToken, OIDCProviderMetadata oIDCProviderMetadata) throws OpenIdConnectServiceException.UserInfoException {
        HTTPRequest hTTPRequest = new UserInfoRequest(oIDCProviderMetadata.getUserInfoEndpointURI(), (BearerAccessToken) accessToken).toHTTPRequest();
        hTTPRequest.setAccept("text/html, image/gif, image/jpeg, */*; q=0.2, */*; q=0.2");
        try {
            try {
                UserInfoResponse parse = UserInfoResponse.parse(hTTPRequest.send());
                if (parse instanceof UserInfoErrorResponse) {
                    throw new OpenIdConnectServiceException.UserInfoException(((UserInfoErrorResponse) parse).getErrorObject().toJSONObject().toString());
                }
                UserInfoSuccessResponse userInfoSuccessResponse = (UserInfoSuccessResponse) parse;
                UserInfo userInfo = userInfoSuccessResponse.getUserInfo();
                return userInfo != null ? userInfo : new UserInfo(userInfoSuccessResponse.getUserInfoJWT().getJWTClaimsSet());
            } catch (IOException e) {
                throw new OpenIdConnectServiceException.UserInfoException(StringBundler.concat(new Object[]{"Unable to get user information from ", oIDCProviderMetadata.getUserInfoEndpointURI(), ": ", e.getMessage()}), e);
            }
        } catch (ParseException | java.text.ParseException e2) {
            throw new OpenIdConnectServiceException.UserInfoException(StringBundler.concat(new Object[]{"Unable to parse user information response from ", oIDCProviderMetadata.getUserInfoEndpointURI(), ": ", e2.getMessage()}), e2);
        }
    }

    protected void updateSessionTokens(OpenIdConnectSessionImpl openIdConnectSessionImpl, Tokens tokens, long j, boolean z) {
        openIdConnectSessionImpl.setAccessToken(tokens.getAccessToken());
        if (!z || (z && tokens.getRefreshToken() != null)) {
            openIdConnectSessionImpl.setRefreshToken(tokens.getRefreshToken());
        }
        openIdConnectSessionImpl.setLoginTime(j);
    }

    protected void validateState(State state, State state2) throws OpenIdConnectServiceException {
        if (!state2.equals(state)) {
            throw new OpenIdConnectServiceException.AuthenticationException(StringBundler.concat(new String[]{"Requested value \"", state.getValue(), "\" and approved state \"", state2.getValue(), "\" do not match"}));
        }
    }

    protected IDTokenClaimsSet validateToken(OIDCClientInformation oIDCClientInformation, Nonce nonce, OIDCProviderMetadata oIDCProviderMetadata, OIDCTokenResponse oIDCTokenResponse, int i) throws OpenIdConnectServiceException.TokenException {
        try {
            return new IDTokenValidator(oIDCProviderMetadata.getIssuer(), oIDCClientInformation.getID(), oIDCClientInformation.getOIDCMetadata().getIDTokenJWSAlg(), oIDCProviderMetadata.getJWKSetURI().toURL(), new DefaultResourceRetriever(i, i)).validate(oIDCTokenResponse.getOIDCTokens().getIDToken(), nonce);
        } catch (JOSEException | BadJOSEException e) {
            throw new OpenIdConnectServiceException.TokenException("Unable to validate tokens: " + e.getMessage(), e);
        } catch (MalformedURLException e2) {
            throw new OpenIdConnectServiceException.TokenException("Invalid JSON web key URL: " + e2.getMessage(), e2);
        }
    }
}
