package com.liferay.portal.security.sso.openid.connect.internal.session.manager;

import com.liferay.counter.kernel.service.CounterLocalService;
import com.liferay.oauth.client.persistence.model.OAuthClientEntry;
import com.liferay.oauth.client.persistence.service.OAuthClientEntryLocalService;
import com.liferay.portal.configuration.metatype.bnd.util.ConfigurableUtil;
import com.liferay.portal.kernel.cluster.ClusterExecutor;
import com.liferay.portal.kernel.cluster.ClusterNode;
import com.liferay.portal.kernel.lock.LockManager;
import com.liferay.portal.kernel.messaging.BaseMessageListener;
import com.liferay.portal.kernel.messaging.Message;
import com.liferay.portal.kernel.scheduler.SchedulerEngineHelper;
import com.liferay.portal.kernel.scheduler.SchedulerEntryImpl;
import com.liferay.portal.kernel.scheduler.TimeUnit;
import com.liferay.portal.kernel.scheduler.TriggerFactory;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.security.sso.openid.connect.configuration.OpenIdConnectConfiguration;
import com.liferay.portal.security.sso.openid.connect.internal.AuthorizationServerMetadataResolver;
import com.liferay.portal.security.sso.openid.connect.internal.util.OpenIdConnectTokenRequestUtil;
import com.liferay.portal.security.sso.openid.connect.persistence.model.OpenIdConnectSession;
import com.liferay.portal.security.sso.openid.connect.persistence.service.OpenIdConnectSessionLocalService;
import com.nimbusds.oauth2.sdk.token.AccessToken;
import com.nimbusds.oauth2.sdk.token.RefreshToken;
import com.nimbusds.oauth2.sdk.util.JSONObjectUtils;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientInformation;
import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
import java.util.Date;
import java.util.Map;
import javax.servlet.http.HttpSession;
import org.apache.commons.lang3.time.DateUtils;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Modified;
import org.osgi.service.component.annotations.Reference;

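@Component(configurationPid = {"com.liferay.portal.security.sso.openid.connect.configuration.OpenIdConnectConfiguration"}, configurationPolicy = ConfigurationPolicy.OPTIONAL, immediate = true, service = {OfflineOpenIdConnectSessionManager.class})
/**
 * Keeps persisted OpenID Connect sessions alive by exchanging their stored
 * refresh token for a new access token, either on demand (when an HTTP
 * session is checked for expiry) or from a scheduled job.
 *
 * <p>Security-relevant behaviour visible in this class:</p>
 * <ul>
 *   <li>Refresh is fail-closed: a session with no refresh token, no matching
 *       OAuth client entry, or a failed token request is deleted.</li>
 *   <li>A per-session lock, keyed by the session id, is taken before a refresh
 *       so that only one owner (cluster node id plus thread name) redeems the
 *       refresh token at a time.</li>
 *   <li>Access, refresh and ID tokens are written to the persisted session as
 *       strings. NOTE(review): whether they are protected at rest is decided
 *       by the persistence layer, which is not visible here.</li>
 * </ul>
 */
public class OfflineOpenIdConnectSessionManager {

    @Reference
    private AuthorizationServerMetadataResolver _authorizationServerMetadataResolver;

    @Reference
    private ClusterExecutor _clusterExecutor;

    @Reference
    private CounterLocalService _counterLocalService;

    @Reference
    private LockManager _lockManager;

    @Reference
    private OAuthClientEntryLocalService _oAuthClientEntryLocalService;

    // Currently registered scheduler listener, or null when the job is off.
    private volatile OpenIdConnectMessageListener _openIdConnectMessageListener;

    @Reference
    private OpenIdConnectSessionLocalService _openIdConnectSessionLocalService;

    @Reference
    private SchedulerEngineHelper _schedulerEngineHelper;

    // How long before the recorded expiry a token counts as due for refresh.
    private volatile long _tokenRefreshOffsetMillis = DateUtils.MILLIS_PER_MINUTE;

    // Period of the scheduled refresh job, in seconds (see TimeUnit.SECOND in activate).
    private volatile int _tokenRefreshScheduledInterval = 480;

    @Reference
    private TriggerFactory _triggerFactory;

    /**
     * Scheduler callback that refreshes the sessions returned by the session
     * service for the cutoff "now + refresh offset".
     */
    private class OpenIdConnectMessageListener extends BaseMessageListener {
        private final LockManager _lockManager;

        public OpenIdConnectMessageListener(LockManager lockManager) {
            this._lockManager = lockManager;
        }

        /**
         * Refreshes each due session under its per-session lock. Sessions
         * whose lock is owned by someone else are skipped.
         *
         * @param message the scheduler message; not read by this method
         * @throws Exception if the session query, lock handling or refresh fails
         */
        protected void doReceive(Message message) throws Exception {
            // presumably selects sessions expiring before the cutoff, unpaginated (-1, -1) — verify against the service
            Date cutoff = new Date(System.currentTimeMillis() + OfflineOpenIdConnectSessionManager.this._tokenRefreshOffsetMillis);
            String lockClassName = OpenIdConnectSession.class.getSimpleName();

            for (OpenIdConnectSession openIdConnectSession : OfflineOpenIdConnectSessionManager.this._openIdConnectSessionLocalService.getAccessTokenExpirationDateOpenIdConnectSessions(cutoff, -1, -1)) {
                String lockKey = String.valueOf(openIdConnectSession.getOpenIdConnectSessionId());
                String lockOwner = OfflineOpenIdConnectSessionManager.this._generateLockOwner();

                if (!lockOwner.equals(this._lockManager.lock(lockClassName, lockKey, lockOwner).getOwner())) {
                    continue;
                }

                // Release in finally: a failure during refresh must not leave
                // the session locked, or no owner could refresh it afterwards.
                try {
                    OfflineOpenIdConnectSessionManager.this._extendOpenIdConnectSession(openIdConnectSession);
                } finally {
                    this._lockManager.unlock(lockClassName, lockKey, lockOwner);
                }
            }
        }
    }

    /**
     * Tells whether the HTTP session carries an OpenID Connect session id.
     *
     * @param httpSession the HTTP session, may be null
     * @return true when the session is non-null and has a non-null
     *         {@code OPEN_ID_CONNECT_SESSION_ID} attribute
     */
    public boolean isOpenIdConnectSession(HttpSession httpSession) {
        if (httpSession == null) {
            return false;
        }
        return ((Long) httpSession.getAttribute("OPEN_ID_CONNECT_SESSION_ID")) != null;
    }

    /**
     * Checks whether the OpenID Connect session behind the HTTP session is
     * expired, refreshing it first when it is within the refresh offset.
     *
     * @param httpSession the HTTP session; must not be null
     * @return true when no session id or no persisted session exists, or when
     *         the refresh attempt produced no access token; false when the
     *         token is not yet due, when another owner holds the refresh lock,
     *         or when the refresh succeeded
     */
    public boolean isOpenIdConnectSessionExpired(HttpSession httpSession) {
        Long sessionId = (Long) httpSession.getAttribute("OPEN_ID_CONNECT_SESSION_ID");
        if (sessionId == null) {
            return true;
        }

        OpenIdConnectSession openIdConnectSession = this._openIdConnectSessionLocalService.fetchOpenIdConnectSession(sessionId.longValue());
        if (openIdConnectSession == null) {
            return true;
        }

        long refreshDueMillis = openIdConnectSession.getAccessTokenExpirationDate().getTime() - this._tokenRefreshOffsetMillis;
        if (System.currentTimeMillis() <= refreshDueMillis) {
            return false;
        }

        String lockClassName = OpenIdConnectSession.class.getSimpleName();
        String lockKey = String.valueOf(sessionId);
        String lockOwner = _generateLockOwner();

        // Another owner holds the lock, so the session is reported as still valid.
        if (!lockOwner.equals(this._lockManager.lock(lockClassName, lockKey, lockOwner).getOwner())) {
            return false;
        }

        // NOTE(review): the session was read before the lock was taken; if
        // another owner refreshed and released in between, this copy may carry
        // an outdated refresh token — confirm whether a re-fetch is needed.
        try {
            return _extendOpenIdConnectSession(openIdConnectSession) == null;
        } finally {
            // Always release, even if the refresh path throws.
            this._lockManager.unlock(lockClassName, lockKey, lockOwner);
        }
    }

    /**
     * Creates or reuses the persisted session for the given user, provider
     * and client, and stores the supplied tokens in it.
     *
     * @param str the authorization server well-known URI
     * @param str2 the OAuth client id
     * @param oIDCTokens the tokens to store
     * @param j the user id
     * @return the id of the persisted OpenID Connect session
     */
    public long startOpenIdConnectSession(String str, String str2, OIDCTokens oIDCTokens, long j) {
        OpenIdConnectSession openIdConnectSession = this._openIdConnectSessionLocalService.fetchOpenIdConnectSession(j, str, str2);
        if (openIdConnectSession == null) {
            long newSessionId = this._counterLocalService.increment(OpenIdConnectSession.class.getName());
            openIdConnectSession = this._openIdConnectSessionLocalService.createOpenIdConnectSession(newSessionId);
        }
        _updateOpenIdConnectSession(oIDCTokens.getAccessToken(), str, str2, oIDCTokens.getIDTokenString(), oIDCTokens.getRefreshToken(), openIdConnectSession, j);
        return openIdConnectSession.getOpenIdConnectSessionId();
    }

    /**
     * Applies the configuration and (re)registers the scheduled refresh job.
     *
     * <p>A previously registered listener is always unregistered first, so a
     * configuration change cannot leave an old job registered next to the new
     * one. The job is registered only when the configuration is enabled and
     * the scheduled interval is at least 30.</p>
     *
     * @param map the component configuration properties
     * @throws IllegalArgumentException if the refresh offset is below 30 seconds
     * @throws Exception if the trigger cannot be created or registered
     */
    @Modified
    protected void activate(Map<String, Object> map) throws Exception {
        OpenIdConnectConfiguration openIdConnectConfiguration = (OpenIdConnectConfiguration) ConfigurableUtil.createConfigurable(OpenIdConnectConfiguration.class, map);
        if (openIdConnectConfiguration.tokenRefreshOffset() < 30) {
            throw new IllegalArgumentException("Token refresh offset needs to be at least 30 seconds");
        }

        // Long arithmetic: an int product could overflow for large offsets.
        this._tokenRefreshOffsetMillis = openIdConnectConfiguration.tokenRefreshOffset() * 1000L;
        this._tokenRefreshScheduledInterval = openIdConnectConfiguration.tokenRefreshScheduledInterval();

        _unregisterMessageListener();

        if (!openIdConnectConfiguration.enabled() || this._tokenRefreshScheduledInterval < 30) {
            return;
        }

        String jobName = OpenIdConnectMessageListener.class.getName();
        OpenIdConnectMessageListener messageListener = new OpenIdConnectMessageListener(this._lockManager);
        this._openIdConnectMessageListener = messageListener;
        this._schedulerEngineHelper.register(messageListener, new SchedulerEntryImpl(jobName, this._triggerFactory.createTrigger(jobName, "com.liferay.portal.security.sso.openid.connect", (Date) null, (Date) null, this._tokenRefreshScheduledInterval, TimeUnit.SECOND)), "liferay/scheduler_dispatch");
    }

    /** Unregisters the scheduled refresh job, if one is registered. */
    @Deactivate
    protected void deactivate() {
        _unregisterMessageListener();
    }

    /**
     * Redeems the session's refresh token for new tokens and stores them.
     *
     * <p>The session is deleted when it has no refresh token, when no OAuth
     * client entry matches its company, provider and client id, or when the
     * token request or the update throws.</p>
     *
     * <p>Public only because the decompiler widened the access modifier from
     * private.</p>
     *
     * @param openIdConnectSession the persisted session to refresh
     * @return the new access token, or null when the session was deleted
     */
    public AccessToken _extendOpenIdConnectSession(OpenIdConnectSession openIdConnectSession) {
        if (Validator.isNull(openIdConnectSession.getRefreshToken())) {
            this._openIdConnectSessionLocalService.deleteOpenIdConnectSession(openIdConnectSession);
            return null;
        }

        RefreshToken refreshToken = new RefreshToken(openIdConnectSession.getRefreshToken());
        OAuthClientEntry oAuthClientEntry = this._oAuthClientEntryLocalService.fetchOAuthClientEntry(openIdConnectSession.getCompanyId(), openIdConnectSession.getAuthServerWellKnownURI(), openIdConnectSession.getClientId());
        if (oAuthClientEntry == null) {
            this._openIdConnectSessionLocalService.deleteOpenIdConnectSession(openIdConnectSession);
            return null;
        }

        try {
            OIDCClientInformation oidcClientInformation = OIDCClientInformation.parse(JSONObjectUtils.parse(oAuthClientEntry.getInfoJSON()));
            OIDCTokens oidcTokens = OpenIdConnectTokenRequestUtil.request(oidcClientInformation, this._authorizationServerMetadataResolver.resolveOIDCProviderMetadata(openIdConnectSession.getAuthServerWellKnownURI()), refreshToken, oAuthClientEntry.getTokenRequestParametersJSON());
            _updateOpenIdConnectSession(oidcTokens.getAccessToken(), openIdConnectSession, oidcTokens.getRefreshToken());
            return oidcTokens.getAccessToken();
        } catch (Exception exception) {
            // Fail closed: any failure ends the session. NOTE(review): the
            // cause is dropped without a log entry, so provider outages and
            // rejected refresh tokens look the same to an operator; if logging
            // is added, record the session id and cause, never token values.
            this._openIdConnectSessionLocalService.deleteOpenIdConnectSession(openIdConnectSession);
            return null;
        }
    }

    /**
     * Builds the lock owner string for the calling thread.
     *
     * <p>Public only because the decompiler widened the access modifier from
     * private.</p>
     *
     * @return the local cluster node id followed by the thread name, or the
     *         thread name alone when there is no local cluster node
     */
    public String _generateLockOwner() {
        String threadName = Thread.currentThread().getName();
        ClusterNode localClusterNode = this._clusterExecutor.getLocalClusterNode();
        if (localClusterNode == null) {
            return threadName;
        }
        return localClusterNode.getClusterNodeId() + threadName;
    }

    /** Unregisters and clears the current scheduler listener, if any. */
    private void _unregisterMessageListener() {
        OpenIdConnectMessageListener messageListener = this._openIdConnectMessageListener;
        if (messageListener != null) {
            this._schedulerEngineHelper.unregister(messageListener);
            this._openIdConnectMessageListener = null;
        }
    }

    /**
     * Stores new tokens and the derived expiry on the session and persists it.
     *
     * @param accessToken the new access token
     * @param openIdConnectSession the session to update
     * @param refreshToken the new refresh token; when null the stored one is kept
     */
    private void _updateOpenIdConnectSession(AccessToken accessToken, OpenIdConnectSession openIdConnectSession, RefreshToken refreshToken) {
        openIdConnectSession.setAccessToken(accessToken.toJSONString());
        if (refreshToken != null) {
            openIdConnectSession.setRefreshToken(refreshToken.toString());
        }

        long nowMillis = System.currentTimeMillis();
        openIdConnectSession.setModifiedDate(new Date(nowMillis));

        // A token without a positive lifetime is given one hour.
        long lifetimeMillis = accessToken.getLifetime() > 0 ? accessToken.getLifetime() * 1000 : DateUtils.MILLIS_PER_HOUR;
        openIdConnectSession.setAccessTokenExpirationDate(new Date(nowMillis + lifetimeMillis));

        this._openIdConnectSessionLocalService.updateOpenIdConnectSession(openIdConnectSession);
    }

    /**
     * Sets the identifying fields and the ID token on the session, then
     * stores the access and refresh tokens and persists it.
     *
     * @param accessToken the access token
     * @param str the authorization server well-known URI
     * @param str2 the OAuth client id
     * @param str3 the serialized ID token
     * @param refreshToken the refresh token, may be null
     * @param openIdConnectSession the session to update
     * @param j the user id
     */
    private void _updateOpenIdConnectSession(AccessToken accessToken, String str, String str2, String str3, RefreshToken refreshToken, OpenIdConnectSession openIdConnectSession, long j) {
        openIdConnectSession.setUserId(j);
        openIdConnectSession.setAuthServerWellKnownURI(str);
        openIdConnectSession.setClientId(str2);
        openIdConnectSession.setIdToken(str3);
        _updateOpenIdConnectSession(accessToken, openIdConnectSession, refreshToken);
    }
}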
