package io.gravitee.rest.api.portal.rest.resource.auth;

import com.fasterxml.jackson.databind.JsonNode;
import io.gravitee.rest.api.idp.api.authentication.UserDetails;
import io.gravitee.rest.api.model.UserEntity;
import io.gravitee.rest.api.model.configuration.identity.IdentityProviderActivationReferenceType;
import io.gravitee.rest.api.model.configuration.identity.SocialIdentityProviderEntity;
import io.gravitee.rest.api.portal.rest.model.PayloadInput;
import io.gravitee.rest.api.portal.rest.utils.BlindTrustManager;
import io.gravitee.rest.api.security.utils.AuthoritiesProvider;
import io.gravitee.rest.api.service.SocialIdentityProviderService;
import io.gravitee.rest.api.service.builder.JerseyClientBuilder;
import io.gravitee.rest.api.service.common.GraviteeContext;
import io.gravitee.rest.api.service.configuration.identity.IdentityProviderActivationService;
import jakarta.annotation.PostConstruct;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.validation.Valid;
import jakarta.validation.constraints.NotNull;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.PathParam;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.QueryParam;
import jakarta.ws.rs.client.Client;
import jakarta.ws.rs.client.ClientBuilder;
import jakarta.ws.rs.client.Entity;
import jakarta.ws.rs.core.Context;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Map;
import java.util.Set;
import javax.inject.Singleton;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import org.glassfish.jersey.internal.util.collection.MultivaluedStringMap;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;

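@Singleton
/* loaded from: input_file:io/gravitee/rest/api/portal/rest/resource/auth/OAuth2AuthenticationResource.class */
/**
 * Portal login endpoints for an OAuth2 / OpenID Connect social identity provider.
 *
 * <p>Two flows are exposed, both resolved against the provider named by the {@code identity} path
 * parameter (the parent resource's {@code @Path} is not visible in this file):
 * <ul>
 *   <li>{@link #exchangeAuthorizationCode} – authorization-code grant: the code from the browser is
 *       exchanged at the provider's token endpoint for an access token (and optionally an id token);</li>
 *   <li>{@link #tokenExchange} – an already-issued token is validated at the provider's RFC 7662
 *       introspection endpoint.</li>
 * </ul>
 * In both cases the access token is then presented to the provider's user-info endpoint, a local
 * user is created or updated from the returned profile, the Spring security context is populated and
 * the session is established through {@code connectUser} (inherited, not visible here).
 *
 * <p>All outbound calls go through a single JAX-RS {@link Client} built in {@link #initClient()}.
 * When the {@code security.trustAll} property is set that client accepts any server certificate.
 */
public class OAuth2AuthenticationResource extends AbstractAuthenticationResource {

    private static final Logger LOGGER = LoggerFactory.getLogger(OAuth2AuthenticationResource.class);

    /** JSON members read from the token endpoint's response (RFC 6749 §5.1 / OIDC Core §3.1.3.3). */
    private static final String ACCESS_TOKEN_PROPERTY = "access_token";
    private static final String ID_TOKEN_PROPERTY = "id_token";
    /** Mandatory member of an RFC 7662 introspection response: {@code true} only while the token is valid. */
    private static final String INTROSPECTION_ACTIVE_PROPERTY = "active";

    @Autowired
    private SocialIdentityProviderService socialIdentityProviderService;

    @Autowired
    private AuthoritiesProvider authoritiesProvider;

    /** Shared HTTP client for every call to the identity provider; created once in {@link #initClient()}. */
    private Client client;

    /**
     * Builds the outbound HTTP client.
     *
     * <p>If the {@code security.trustAll} property is {@code true}, the client is given an SSL context
     * whose only trust manager is {@link BlindTrustManager}, i.e. server certificate validation is
     * switched off for introspection, token and user-info calls alike.
     *
     * @throws NoSuchAlgorithmException if no TLSv1.2 provider is available
     * @throws KeyManagementException if the SSL context cannot be initialised
     */
    @PostConstruct
    public void initClient() throws NoSuchAlgorithmException, KeyManagementException {
        // Boolean.TRUE.equals copes with either a boxed Boolean or a null coming back from the environment.
        boolean trustAll = Boolean.TRUE.equals(this.environment.getProperty("security.trustAll", Boolean.class, false));
        ClientBuilder builder = JerseyClientBuilder.newBuilder(this.environment);
        if (trustAll) {
            SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
            sslContext.init(null, new TrustManager[] { new BlindTrustManager() }, null);
            builder.sslContext(sslContext);
        }
        this.client = builder.build();
    }

    /**
     * Validates an externally obtained token at the provider's introspection endpoint and, if the token
     * is active, logs the corresponding user in.
     *
     * <p>The token travels in the {@code token} query parameter, so it can surface in access logs and
     * proxies; this is the existing contract of the endpoint and is kept as is.
     *
     * @param identity identifier of the social identity provider (path parameter)
     * @param token the token to introspect (query parameter)
     * @param servletResponse response used by {@code connectUser} to set up the session
     * @return 404 if the provider is unknown, 400 if it has no introspection endpoint, 401 with the
     *         introspection body if the token is not active, the provider's own status and body if
     *         introspection itself fails, otherwise the result of {@code connectUser}
     */
    @POST
    @Produces({ "application/json" })
    @Path("_exchange")
    public Response tokenExchange(
        @PathParam("identity") String identity,
        @QueryParam("token") String token,
        @Context HttpServletResponse servletResponse
    ) {
        SocialIdentityProviderEntity provider = findProvider(identity);
        if (provider == null) {
            return Response.status(Response.Status.NOT_FOUND).build();
        }
        if (provider.getTokenIntrospectionEndpoint() == null) {
            return Response.status(Response.Status.BAD_REQUEST).entity("Token exchange is not supported for this identity provider").build();
        }

        MultivaluedStringMap form = new MultivaluedStringMap();
        form.add("token", token);
        Response introspection = this.client
            .target(provider.getTokenIntrospectionEndpoint())
            .request(MediaType.APPLICATION_JSON_TYPE)
            .header("Authorization", basicAuthorization(provider))
            .post(Entity.form(form));
        // The form held the token; drop it as soon as the request has been sent.
        form.clear();

        if (introspection.getStatus() != Response.Status.OK.getStatusCode()) {
            LOGGER.error(
                "Token exchange failed with status {}: {}\n{}",
                introspection.getStatus(),
                introspection.getStatusInfo(),
                getResponseEntityAsString(introspection)
            );
            // The provider's status and body are relayed to the caller unchanged (existing behaviour).
            return Response.status(introspection.getStatusInfo()).entity(introspection.getEntity()).build();
        }

        JsonNode body = introspection.readEntity(JsonNode.class);
        // RFC 7662 §2.2 makes "active" REQUIRED. A response without it (or with a non-boolean value)
        // is malformed and must be treated as "not active": defaulting to true here would log a user
        // in on the strength of a token the provider never confirmed.
        if (!body.path(INTROSPECTION_ACTIVE_PROPERTY).asBoolean(false)) {
            return Response.status(Response.Status.UNAUTHORIZED).entity(body).build();
        }
        return authenticateUser(provider, servletResponse, token, null, null);
    }

    /**
     * Completes the authorization-code flow: redeems the code at the provider's token endpoint and logs
     * the user in with the returned access token.
     *
     * <p>{@code client_id}, {@code redirect_uri}, {@code code}, {@code code_verifier} and
     * {@code grant_type} are taken from the caller-supplied payload while {@code client_secret} comes
     * from the stored provider configuration. NOTE(review): sourcing {@code client_id} from the
     * provider as well would stop a caller from pairing the stored secret with a different client id —
     * confirm against the front-end before changing it.
     *
     * @param identity identifier of the social identity provider (path parameter)
     * @param payload validated request body carrying the code and PKCE/redirect details
     * @param servletResponse response used by {@code connectUser} to set up the session
     * @return 404 if the provider is unknown, 401 if the token endpoint does not answer 200, otherwise
     *         the result of {@code connectUser}
     * @throws IOException if the token endpoint's response cannot be parsed
     */
    @POST
    @Produces({ "application/json" })
    public Response exchangeAuthorizationCode(
        @PathParam("identity") String identity,
        @Valid @NotNull(message = "Input must not be null.") PayloadInput payload,
        @Context HttpServletResponse servletResponse
    ) throws IOException {
        SocialIdentityProviderEntity provider = findProvider(identity);
        if (provider == null) {
            return Response.status(Response.Status.NOT_FOUND).build();
        }

        MultivaluedStringMap form = new MultivaluedStringMap();
        form.add("client_id", payload.getClientId());
        form.add("redirect_uri", payload.getRedirectUri());
        form.add("client_secret", provider.getClientSecret());
        form.add("code", payload.getCode());
        form.add("code_verifier", payload.getCodeVerifier());
        form.add("grant_type", payload.getGrantType());
        Response tokenResponse = this.client
            .target(provider.getTokenEndpoint())
            .request(MediaType.APPLICATION_JSON_TYPE)
            .post(Entity.form(form));
        // The form held the client secret and the code; drop them as soon as the request has been sent.
        form.clear();

        if (tokenResponse.getStatus() != Response.Status.OK.getStatusCode()) {
            LOGGER.error(
                "Exchange authorization code failed with status {}: {}\n{}",
                tokenResponse.getStatus(),
                tokenResponse.getStatusInfo(),
                getResponseEntityAsString(tokenResponse)
            );
            // Unlike tokenExchange, nothing from the provider's error is echoed back to the caller.
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }

        Map<String, Object> tokens = getResponseEntity(tokenResponse);
        return authenticateUser(
            provider,
            servletResponse,
            (String) tokens.get(ACCESS_TOKEN_PROPERTY),
            (String) tokens.get(ID_TOKEN_PROPERTY),
            payload.getState()
        );
    }

    /**
     * Fetches the user profile from the provider's user-info endpoint with the access token and hands it
     * to {@link #processUser}.
     *
     * @param provider the resolved identity provider
     * @param servletResponse response used by {@code connectUser} to set up the session
     * @param accessToken token presented to the user-info endpoint (through the provider's configured
     *        {@code Authorization} header format)
     * @param idToken id token from the token endpoint, or {@code null} for the introspection flow
     * @param state OAuth2 state from the payload, or {@code null} for the introspection flow
     * @return the provider's status (without body) if user-info does not answer 200, otherwise the
     *         result of {@link #processUser}
     */
    private Response authenticateUser(
        SocialIdentityProviderEntity provider,
        HttpServletResponse servletResponse,
        String accessToken,
        String idToken,
        String state
    ) {
        Response userInfo = this.client
            .target(provider.getUserInfoEndpoint())
            .request(MediaType.APPLICATION_JSON_TYPE)
            .header("Authorization", String.format(provider.getAuthorizationHeader(), accessToken))
            .get();
        String userInfoBody = getResponseEntityAsString(userInfo);
        if (userInfo.getStatus() != Response.Status.OK.getStatusCode()) {
            LOGGER.error("User info failed with status {}: {}\n{}", userInfo.getStatus(), userInfo.getStatusInfo(), userInfoBody);
            return Response.status(userInfo.getStatusInfo()).build();
        }
        return processUser(provider, servletResponse, userInfoBody, state, accessToken, idToken);
    }

    /**
     * Creates or updates the local user from the provider's profile, installs an authenticated
     * principal in the Spring security context and finishes the login through {@code connectUser}.
     *
     * @param provider the resolved identity provider
     * @param servletResponse response used by {@code connectUser} to set up the session
     * @param userInfo raw user-info body as returned by the provider
     * @param state OAuth2 state forwarded to {@code connectUser} (may be {@code null})
     * @param accessToken access token forwarded to {@code connectUser}
     * @param idToken id token forwarded to {@code connectUser} (may be {@code null})
     * @return the result of {@code connectUser}
     */
    private Response processUser(
        SocialIdentityProviderEntity provider,
        HttpServletResponse servletResponse,
        String userInfo,
        String state,
        String accessToken,
        String idToken
    ) {
        UserEntity user = this.userService.createOrUpdateUserFromSocialIdentityProvider(GraviteeContext.getExecutionContext(), provider, userInfo);
        String userId = user.getId();
        // Raw type kept on purpose: the element type returned by AuthoritiesProvider is not visible here.
        Set authorities = this.authoritiesProvider.retrieveAuthorities(userId);
        UserDetails userDetails = new UserDetails(userId, "", authorities);
        userDetails.setEmail(user.getEmail());
        userDetails.setOrganizationId(user.getOrganizationId());
        // No local credentials: the provider, not a password, vouched for this user.
        SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(userDetails, null, authorities));
        return connectUser(userId, state, servletResponse, accessToken, idToken);
    }

    /** Looks the provider up in the current environment; {@code null} when unknown or not activated there. */
    private SocialIdentityProviderEntity findProvider(String identity) {
        return this.socialIdentityProviderService.findById(
            identity,
            new IdentityProviderActivationService.ActivationTarget(
                GraviteeContext.getCurrentEnvironment(),
                IdentityProviderActivationReferenceType.ENVIRONMENT
            )
        );
    }

    /**
     * Builds the HTTP Basic {@code Authorization} value for the provider's client credentials (RFC 7617).
     * The credentials are encoded as UTF-8 explicitly; the platform default charset is not portable.
     */
    private static String basicAuthorization(SocialIdentityProviderEntity provider) {
        String credentials = provider.getClientId() + ":" + provider.getClientSecret();
        return "Basic " + Base64.getEncoder().encodeToString(credentials.getBytes(StandardCharsets.UTF_8));
    }
}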
