package com.liferay.portal.security.sso.openid.connect.internal;

import com.liferay.petra.function.UnsafeConsumer;
import com.liferay.petra.string.StringBundler;
import com.liferay.portal.kernel.exception.PortalException;
import com.liferay.portal.kernel.exception.SystemException;
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.service.ServiceContext;
import com.liferay.portal.kernel.service.ServiceContextFactory;
import com.liferay.portal.kernel.util.Portal;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.security.sso.openid.connect.OpenIdConnectAuthenticationHandler;
import com.liferay.portal.security.sso.openid.connect.OpenIdConnectProvider;
import com.liferay.portal.security.sso.openid.connect.OpenIdConnectProviderRegistry;
import com.liferay.portal.security.sso.openid.connect.OpenIdConnectServiceException;
import com.liferay.portal.security.sso.openid.connect.internal.session.manager.OfflineOpenIdConnectSessionManager;
import com.liferay.portal.security.sso.openid.connect.internal.util.OpenIdConnectTokenRequestUtil;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.ResponseType;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.State;
import com.nimbusds.oauth2.sdk.token.AccessToken;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.openid.connect.sdk.AuthenticationErrorResponse;
import com.nimbusds.openid.connect.sdk.AuthenticationRequest;
import com.nimbusds.openid.connect.sdk.AuthenticationResponse;
import com.nimbusds.openid.connect.sdk.AuthenticationResponseParser;
import com.nimbusds.openid.connect.sdk.AuthenticationSuccessResponse;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
import com.nimbusds.openid.connect.sdk.UserInfoRequest;
import com.nimbusds.openid.connect.sdk.UserInfoResponse;
import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
import com.nimbusds.openid.connect.sdk.claims.UserInfo;
import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata;
import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

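/**
 * Drives the OpenID Connect authorization code flow for the portal.
 *
 * <p>{@link #requestAuthentication} builds the authentication request for a
 * configured provider, remembers the freshly generated nonce and state in the
 * HTTP session and redirects the browser to the provider's authorization
 * endpoint. {@link #processAuthenticationResponse} consumes the provider's
 * callback: it checks the returned state against the stored one, exchanges
 * the code for tokens, fetches the user info, hands the resulting portal user
 * ID to the caller and starts an offline OpenID Connect session.
 *
 * <p>The pending-authentication attribute is read and removed in one step, so
 * a callback is processed at most once per authentication request.
 */
@Component(immediate = true, service = {OpenIdConnectAuthenticationHandler.class})
public class OpenIdConnectAuthenticationHandlerImpl implements OpenIdConnectAuthenticationHandler {

    // Session attribute holding the nonce/state/provider of an in-flight login
    private static final String _OPEN_ID_CONNECT_AUTHENTICATION_SESSION = OpenIdConnectAuthenticationHandlerImpl.class.getName() + "#OPEN_ID_CONNECT_AUTHENTICATION_SESSION";

    private static final Log _log = LogFactoryUtil.getLog(OpenIdConnectAuthenticationHandlerImpl.class);

    @Reference
    private OfflineOpenIdConnectSessionManager _offlineOpenIdConnectSessionManager;

    @Reference
    private OpenIdConnectProviderRegistry<OIDCClientMetadata, OIDCProviderMetadata> _openIdConnectProviderRegistry;

    @Reference
    private OpenIdConnectUserInfoProcessor _openIdConnectUserInfoProcessor;

    @Reference
    private Portal _portal;

    /**
     * Handles the provider's redirect back to the portal after the user
     * authenticated there.
     *
     * <p>Does nothing (apart from a debug log line) when no authentication is
     * pending in the session, e.g. because the callback was replayed.
     *
     * @param httpServletRequest the callback request carrying the
     *        authorization code and state
     * @param httpServletResponse the response; not written to here
     * @param unsafeConsumer receives the portal user ID derived from the
     *        provider's user info
     * @throws Exception if the callback is an error response, the state does
     *         not match the one issued by {@link #requestAuthentication}, or
     *         the token or user-info exchange fails
     */
    public void processAuthenticationResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, UnsafeConsumer<Long, Exception> unsafeConsumer) throws Exception {
        HttpSession session = httpServletRequest.getSession();

        OpenIdConnectAuthenticationSession authenticationSession = (OpenIdConnectAuthenticationSession) session.getAttribute(_OPEN_ID_CONNECT_AUTHENTICATION_SESSION);

        // Single use: the pending authentication is consumed whether or not
        // the rest of this method succeeds
        session.removeAttribute(_OPEN_ID_CONNECT_AUTHENTICATION_SESSION);

        if (authenticationSession == null) {
            if (_log.isDebugEnabled()) {
                _log.debug("OpenId Connect authentication was not requested or removed");
            }

            return;
        }

        AuthenticationSuccessResponse authenticationSuccessResponse = _getAuthenticationSuccessResponse(httpServletRequest);

        // Anti-CSRF check: the state in the callback must be the one we issued
        _validateState(authenticationSession.getState(), authenticationSuccessResponse.getState());

        long companyId = _portal.getCompanyId(httpServletRequest);
        String providerName = authenticationSession.getProviderName();

        OpenIdConnectProvider<OIDCClientMetadata, OIDCProviderMetadata> openIdConnectProvider = _openIdConnectProviderRegistry.findOpenIdConnectProvider(companyId, providerName);

        // The nonce is handed over so the token request can tie the ID token to
        // this login (presumably checked inside the util — confirm there)
        OIDCTokens oidcTokens = OpenIdConnectTokenRequestUtil.request(authenticationSuccessResponse, authenticationSession.getNonce(), openIdConnectProvider, _getLoginRedirectURI(httpServletRequest));

        UserInfo userInfo = _requestUserInfo(oidcTokens.getAccessToken(), openIdConnectProvider.getOIDCProviderMetadata());

        ServiceContext serviceContext = ServiceContextFactory.getInstance(httpServletRequest);

        long userId = _openIdConnectUserInfoProcessor.processUserInfo(userInfo, companyId, serviceContext.getPathMain(), serviceContext.getPortalURL());

        unsafeConsumer.accept(userId);

        // Deliberately re-fetched rather than reusing the session read above:
        // the consumer may have replaced the session (e.g. on login) — confirm
        // against the caller
        session = httpServletRequest.getSession();

        long openIdConnectSessionId = _offlineOpenIdConnectSessionManager.startOpenIdConnectSession(oidcTokens, providerName);

        session.setAttribute("OPEN_ID_CONNECT_SESSION", new OpenIdConnectSessionImpl(openIdConnectSessionId, providerName, authenticationSession.getNonce(), authenticationSession.getState(), userId));
        session.setAttribute("OPEN_ID_CONNECT_SESSION_ID", openIdConnectSessionId);
    }

    /**
     * Starts an authorization code flow with the named provider and redirects
     * the browser to its authorization endpoint.
     *
     * <p>Any offline OpenID Connect session still attached to the HTTP session
     * is ended first. A fresh nonce and state are generated per request and
     * stored in the session for {@link #processAuthenticationResponse}.
     *
     * @param providerName the name of the configured OpenID Connect provider
     * @param httpServletRequest the current request (used to resolve the
     *        company and the login redirect URI)
     * @param httpServletResponse the response the redirect is sent on
     * @throws PortalException if the provider cannot be resolved or its
     *         metadata is unavailable
     * @throws SystemException if the redirect cannot be sent
     */
    public void requestAuthentication(String providerName, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws PortalException {
        OpenIdConnectProvider<OIDCClientMetadata, OIDCProviderMetadata> openIdConnectProvider = _openIdConnectProviderRegistry.findOpenIdConnectProvider(_portal.getCompanyId(httpServletRequest), providerName);

        HttpSession session = httpServletRequest.getSession();

        // A previous offline session must not outlive the login it belonged to
        Long openIdConnectSessionId = (Long) session.getAttribute("OPEN_ID_CONNECT_SESSION_ID");

        if (openIdConnectSessionId != null) {
            _offlineOpenIdConnectSessionManager.endOpenIdConnectSession(openIdConnectSessionId);

            session.removeAttribute("OPEN_ID_CONNECT_SESSION_ID");
        }

        Nonce nonce = new Nonce();
        State state = new State();

        URI authenticationRequestURI = _getAuthenticationRequestURI(_getLoginRedirectURI(httpServletRequest), nonce, openIdConnectProvider, Scope.parse(openIdConnectProvider.getScopes()), state);

        try {
            httpServletResponse.sendRedirect(authenticationRequestURI.toString());

            // Stored only after the redirect was issued, so a failed redirect
            // leaves no pending authentication behind
            session.setAttribute(_OPEN_ID_CONNECT_AUTHENTICATION_SESSION, new OpenIdConnectAuthenticationSession(nonce, providerName, state));
        }
        catch (IOException ioException) {
            throw new SystemException(StringBundler.concat("Unable to send user to OpenId Connect service ", authenticationRequestURI.toString(), ": ", ioException.getMessage()), ioException);
        }
    }

    /**
     * Builds the authorization endpoint URI for an authorization code
     * ({@code response_type=code}) request.
     *
     * @param uri the redirect URI the provider should send the user back to
     * @param nonce the nonce to bind to the ID token
     * @param openIdConnectProvider the provider whose metadata and client ID
     *        are used
     * @param scope the requested scopes
     * @param state the anti-CSRF state value
     * @return the fully assembled authentication request URI
     * @throws OpenIdConnectServiceException.ProviderException if the provider
     *         metadata cannot be obtained
     */
    private URI _getAuthenticationRequestURI(URI uri, Nonce nonce, OpenIdConnectProvider<OIDCClientMetadata, OIDCProviderMetadata> openIdConnectProvider, Scope scope, State state) throws OpenIdConnectServiceException.ProviderException {
        OIDCProviderMetadata oidcProviderMetadata = openIdConnectProvider.getOIDCProviderMetadata();

        AuthenticationRequest authenticationRequest = new AuthenticationRequest(oidcProviderMetadata.getAuthorizationEndpointURI(), new ResponseType(ResponseType.Value.CODE), scope, new ClientID(openIdConnectProvider.getClientId()), uri, state, nonce);

        return authenticationRequest.toURI();
    }

    /**
     * Parses the provider's callback (request URL plus query string) into a
     * success response.
     *
     * @param httpServletRequest the callback request
     * @return the parsed success response
     * @throws OpenIdConnectServiceException.AuthenticationException if the
     *         provider returned an error response, or the URL could not be
     *         parsed
     */
    private AuthenticationSuccessResponse _getAuthenticationSuccessResponse(HttpServletRequest httpServletRequest) throws OpenIdConnectServiceException.AuthenticationException {
        StringBuffer requestURL = httpServletRequest.getRequestURL();

        String queryString = httpServletRequest.getQueryString();

        if (Validator.isNotNull(queryString)) {
            requestURL.append("?");
            requestURL.append(queryString);
        }

        try {
            AuthenticationResponse authenticationResponse = AuthenticationResponseParser.parse(new URI(requestURL.toString()));

            if (authenticationResponse instanceof AuthenticationErrorResponse) {
                AuthenticationErrorResponse authenticationErrorResponse = (AuthenticationErrorResponse) authenticationResponse;

                throw new OpenIdConnectServiceException.AuthenticationException(authenticationErrorResponse.getErrorObject().toJSONObject().toString());
            }

            return (AuthenticationSuccessResponse) authenticationResponse;
        }
        catch (ParseException | URISyntaxException exception) {
            throw new OpenIdConnectServiceException.AuthenticationException(StringBundler.concat("Unable to process response from ", requestURL.toString(), ": ", exception.getMessage()), exception);
        }
    }

    /**
     * Returns the portal's OpenID Connect login callback URI, which doubles as
     * the OAuth redirect URI.
     *
     * @param httpServletRequest the request used to determine the portal URL
     * @return the {@code /c/portal/login/openidconnect} URI for this portal
     * @throws SystemException if the assembled string is not a valid URI
     */
    private URI _getLoginRedirectURI(HttpServletRequest httpServletRequest) {
        String loginRedirectURL = StringBundler.concat(_portal.getPortalURL(httpServletRequest), _portal.getPathContext(), "/c/portal/login/openidconnect");

        try {
            return new URI(loginRedirectURL);
        }
        catch (URISyntaxException uriSyntaxException) {
            throw new SystemException("Unable to generate OpenId Connect login redirect URI: " + uriSyntaxException.getMessage(), uriSyntaxException);
        }
    }

    /**
     * Calls the provider's user-info endpoint with the access token.
     *
     * <p>If the provider returns the claims as a JWT rather than plain JSON,
     * the JWT's claims set is wrapped into a {@link UserInfo}.
     *
     * @param accessToken the access token from the token exchange; expected to
     *        be a bearer token (the cast fails otherwise — confirm the provider
     *        configuration if that ever happens)
     * @param oidcProviderMetadata the provider metadata naming the user-info
     *        endpoint
     * @return the user info claims
     * @throws OpenIdConnectServiceException.UserInfoException if the endpoint
     *         returns an error, cannot be reached, or its response cannot be
     *         parsed
     */
    private UserInfo _requestUserInfo(AccessToken accessToken, OIDCProviderMetadata oidcProviderMetadata) throws OpenIdConnectServiceException.UserInfoException {
        URI userInfoEndpointURI = oidcProviderMetadata.getUserInfoEndpointURI();

        UserInfoRequest userInfoRequest = new UserInfoRequest(userInfoEndpointURI, (BearerAccessToken) accessToken);

        HTTPRequest httpRequest = userInfoRequest.toHTTPRequest();

        // Non-JSON Accept header; presumably a compatibility workaround for
        // some providers — confirm before changing
        httpRequest.setAccept("text/html, image/gif, image/jpeg, */*; q=0.2, */*; q=0.2");

        try {
            UserInfoResponse userInfoResponse = UserInfoResponse.parse(httpRequest.send());

            if (userInfoResponse instanceof UserInfoErrorResponse) {
                UserInfoErrorResponse userInfoErrorResponse = (UserInfoErrorResponse) userInfoResponse;

                throw new OpenIdConnectServiceException.UserInfoException(userInfoErrorResponse.getErrorObject().toJSONObject().toString());
            }

            UserInfoSuccessResponse userInfoSuccessResponse = (UserInfoSuccessResponse) userInfoResponse;

            UserInfo userInfo = userInfoSuccessResponse.getUserInfo();

            if (userInfo != null) {
                return userInfo;
            }

            return new UserInfo(userInfoSuccessResponse.getUserInfoJWT().getJWTClaimsSet());
        }
        catch (IOException ioException) {
            throw new OpenIdConnectServiceException.UserInfoException(StringBundler.concat("Unable to get user information from ", userInfoEndpointURI, ": ", ioException.getMessage()), ioException);
        }
        catch (ParseException | java.text.ParseException parseException) {
            throw new OpenIdConnectServiceException.UserInfoException(StringBundler.concat("Unable to parse user information response from ", userInfoEndpointURI, ": ", parseException.getMessage()), parseException);
        }
    }

    /**
     * Checks that the state echoed back by the provider equals the one issued
     * for this login.
     *
     * <p>A callback without a state parameter is rejected with a descriptive
     * exception instead of a {@code NullPointerException}. The values are
     * compared in constant time since the received state is attacker
     * controlled input.
     *
     * @param expectedState the state stored in the session when the login was
     *        requested
     * @param receivedState the state from the callback; may be {@code null}
     * @throws OpenIdConnectServiceException.AuthenticationException if the
     *         received state is missing or differs from the expected one
     */
    private void _validateState(State expectedState, State receivedState) throws OpenIdConnectServiceException.AuthenticationException {
        if (receivedState == null) {
            throw new OpenIdConnectServiceException.AuthenticationException("Authentication response does not contain a state value");
        }

        byte[] expectedBytes = expectedState.getValue().getBytes(StandardCharsets.UTF_8);
        byte[] receivedBytes = receivedState.getValue().getBytes(StandardCharsets.UTF_8);

        // MessageDigest.isEqual is a constant-time comparison
        if (!MessageDigest.isEqual(expectedBytes, receivedBytes)) {
            throw new OpenIdConnectServiceException.AuthenticationException(StringBundler.concat("Requested value \"", expectedState.getValue(), "\" and approved state \"", receivedState.getValue(), "\" do not match"));
        }
    }

}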
