package br.com.techne.cronos.paas.oidc.sdk.oauth2.filter;

import br.com.techne.cronos.paas.oidc.sdk.oauth2.AuthConfig;
import br.com.techne.cronos.paas.oidc.sdk.oauth2.OAuth2Lib;
import br.com.techne.cronos.paas.oidc.sdk.oauth2.OidcUser;
import br.com.techne.cronos.paas.oidc.sdk.oauth2.annotation.Secured;
import br.com.techne.cronos.paas.util.Logger;
import br.com.techne.cronos.paas.util.Validator;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.TokenResponse;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.oauth2.sdk.token.RefreshToken;
import com.nimbusds.openid.connect.sdk.OIDCAccessTokenResponse;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.annotation.Priority;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.core.UriInfo;
import javax.ws.rs.ext.Provider;
import net.minidev.json.JSONObject;

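/**
 * JAX-RS request filter that enforces an OpenID Connect login on resources
 * annotated with {@link Secured}.
 *
 * <p>Behaviour, as implemented in this class:
 * <ol>
 *   <li>A request whose {@link SecurityContext} is already an
 *       {@link OidcSecurityContext} holding an authenticated {@link OidcUser}
 *       passes through untouched.</li>
 *   <li>Any other request is answered with a 303 redirect to the authorization
 *       server; the originally requested URL is remembered in the HTTP session
 *       under {@link OAuth2Lib#OIDC_USER} so the callback can return there.</li>
 *   <li>A request on {@code oauth2/callback} carrying a {@code code} parameter is
 *       exchanged for tokens through {@link OAuth2Lib}; when the ID token is a
 *       signed JWT its signature is verified, user info is fetched and the caller
 *       is redirected to {@link AuthConfig#DEFAULT_REDIRECT_URI} (or the
 *       remembered URL when that is empty).</li>
 *   <li>A request carrying an {@code error} parameter is aborted with an error
 *       response echoing the {@code error}, {@code error_description} and
 *       {@code error_uri} parameters as plain text.</li>
 * </ol>
 *
 * <p>{@code @Priority(1000)} is the JAX-RS {@code Priorities.AUTHENTICATION} slot,
 * so this filter runs before authorization and ordinary filters.
 *
 * <p>NOTE(review): nothing in this class generates or checks the OAuth 2.0
 * {@code state} parameter or the OIDC {@code nonce}. Unless
 * {@link OAuth2Lib#composeAuthzRequestURL()} and
 * {@code OAuth2Lib.parseAuthenticationRequest} do so, the callback is not bound to
 * the session that started the flow; confirm before relying on it.
 */
@Provider
@Priority(1000)
@Secured
/* loaded from: input_file:br/com/techne/cronos/paas/oidc/sdk/oauth2/filter/OidcAuthenticationFilter.class */
public class OidcAuthenticationFilter implements ContainerRequestFilter {
    /** Path suffix identifying the authorization-code callback request. */
    private static final String CALLBACK_PATH_SUFFIX = "oauth2/callback";

    /** Authorization-server response parameters (RFC 6749 §4.1.2 and §4.1.2.1). */
    private static final String PARAM_CODE = "code";
    private static final String PARAM_ERROR = "error";
    private static final String PARAM_ERROR_DESCRIPTION = "error_description";
    private static final String PARAM_ERROR_URI = "error_uri";

    private final Logger logger = Logger.getLogger(OidcAuthenticationFilter.class);

    @Context
    private UriInfo uriInfo;

    @Context
    private HttpServletRequest httpServletRequest;

    @Context
    private HttpServletResponse httpServletResponse;

    /**
     * Lets authenticated requests through and starts or completes the login
     * flow for everything else.
     *
     * @param containerRequestContext the request being filtered
     * @throws IOException propagated from the token exchange / user-info calls
     */
    @Override
    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        if (isAuthenticated(containerRequestContext)) {
            return;
        }
        attemptAuthentication(containerRequestContext);
    }

    /**
     * Returns {@code true} when the request already carries an
     * {@link OidcSecurityContext} whose principal {@link OAuth2Lib#isAuthenticated}
     * accepts.
     */
    private static boolean isAuthenticated(ContainerRequestContext containerRequestContext) {
        SecurityContext securityContext = containerRequestContext.getSecurityContext();
        // instanceof is false for null, so no separate null check is needed.
        return securityContext instanceof OidcSecurityContext
                && OAuth2Lib.isAuthenticated((OidcUser) securityContext.getUserPrincipal());
    }

    /**
     * Dispatches an unauthenticated request to the error, callback or
     * authorization-request handler.
     *
     * @throws IOException propagated from the callback handler
     */
    private void attemptAuthentication(ContainerRequestContext containerRequestContext) throws IOException {
        String error = this.httpServletRequest.getParameter(PARAM_ERROR);
        if (!Validator.isNullOrEmpty(error)) {
            // NOTE(review): this branch fires on *any* secured path that carries ?error=,
            // not only on the callback path, and the value is client-supplied.
            this.logger.debug(String.format("Tratando request com erro: %s", error));
            handleError(containerRequestContext);
            return;
        }
        boolean onCallbackPath = this.uriInfo.getPath().endsWith(CALLBACK_PATH_SUFFIX);
        boolean hasCode = !Validator.isNullOrEmpty(this.httpServletRequest.getParameter(PARAM_CODE));
        if (onCallbackPath && hasCode) {
            this.logger.debug("Tratando \"Authorization Server\" response CODE para obtenção de um ACCESS_TOKEN.");
            handleAuthorizationCodeResponse(containerRequestContext);
        } else {
            this.logger.debug("Inicializando \"OpenID Connect Authorization Flow\".");
            handleAuthorizationRequest(containerRequestContext);
        }
    }

    /**
     * Remembers the requested URL in the session and redirects the caller to the
     * authorization server.
     *
     * @throws IOException kept for compatibility with the original signature
     */
    private void handleAuthorizationRequest(ContainerRequestContext containerRequestContext) throws IOException {
        OidcUser oidcUser = new OidcUser();
        // Remembered so the callback can send the browser back where it started.
        // getRequestURL() is derived from the Host header, so it is only as trustworthy
        // as the container's / reverse proxy's host validation.
        oidcUser.originalUrl = this.httpServletRequest.getRequestURL().toString();
        this.httpServletRequest.getSession().setAttribute(OAuth2Lib.OIDC_USER, oidcUser);
        redirectTo(containerRequestContext, OAuth2Lib.composeAuthzRequestURL().toString());
    }

    /**
     * Completes the login: exchanges the authorization code, verifies the ID token
     * signature when one is present, loads user info into the session-scoped
     * {@link OidcUser} and redirects the caller to the post-login target.
     *
     * <p>If the session already holds a user with a non-empty {@code userId} the
     * token exchange is skipped and only the redirect is issued.
     *
     * @throws IOException propagated from {@link OAuth2Lib}
     * @throws IllegalStateException when the user-info response lacks
     *         {@code user_id} or {@code user_name}
     */
    private void handleAuthorizationCodeResponse(ContainerRequestContext containerRequestContext) throws IOException {
        HttpSession session = this.httpServletRequest.getSession();
        OidcUser oidcUser = (OidcUser) session.getAttribute(OAuth2Lib.OIDC_USER);
        if (oidcUser == null) {
            // Callback reached without handleAuthorizationRequest having run in this session.
            oidcUser = new OidcUser();
            oidcUser.originalUrl = this.httpServletRequest.getRequestURL().toString();
        }
        if (oidcUser.userId == null || oidcUser.userId.isEmpty()) {
            OIDCAccessTokenResponse tokenResponse = OAuth2Lib.getAccessToken(
                    OAuth2Lib.parseAuthenticationRequest(this.httpServletRequest).getAuthorizationCode());
            BearerAccessToken accessToken = tokenResponse.getAccessToken();
            RefreshToken refreshToken = tokenResponse.getRefreshToken();
            JWT idToken = tokenResponse.getIDToken();
            SignedJWT signedToken = OAuth2Lib.getSignedToken((TokenResponse) tokenResponse);
            JSONObject tokenKey = OAuth2Lib.getTokenKey(accessToken);
            // A null signedToken (ID token that is not a JWS) skips verification entirely.
            // That is tolerable only because the token response came straight from the
            // token endpoint (OIDC Core 3.1.3.7 allows relying on TLS there); iss/aud/exp
            // checks are not visible in this class — confirm they happen inside OAuth2Lib.
            if (signedToken != null && !OAuth2Lib.verifySignedToken(signedToken, tokenKey)) {
                // abortWith, not httpServletResponse.sendError(): a ContainerRequestFilter that
                // returns without aborting lets the chain continue to the resource method even
                // though the servlet response is already committed.
                containerRequestContext.abortWith(Response.status(Response.Status.FORBIDDEN)
                        .type("text/plain")
                        .entity("Invalid Id Token signature")
                        .build());
                return;
            }
            JSONObject userInfo = OAuth2Lib.getUserInfo(accessToken);
            oidcUser.userInfo = userInfo;
            oidcUser.userId = requiredClaim(userInfo, "user_id");
            oidcUser.userName = requiredClaim(userInfo, "user_name");
            oidcUser.name = optionalClaim(userInfo, "name");
            oidcUser.givenName = optionalClaim(userInfo, "given_name");
            oidcUser.familyName = optionalClaim(userInfo, "family_name");
            oidcUser.accessToken = accessToken;
            oidcUser.refreshToken = refreshToken;
            oidcUser.idToken = idToken;
            // NOTE(review): the session id is not rotated on login here; rotating it
            // (HttpServletRequest#changeSessionId on Servlet 3.1+) closes session fixation.
            containerRequestContext.setSecurityContext(new OidcSecurityContext(oidcUser));
            session.setAttribute(OAuth2Lib.OIDC_USER, oidcUser);
        }
        String target = Validator.isNullOrEmpty(AuthConfig.DEFAULT_REDIRECT_URI)
                ? oidcUser.originalUrl
                : AuthConfig.DEFAULT_REDIRECT_URI;
        redirectTo(containerRequestContext, target);
    }

    /**
     * Aborts the request with an error response that echoes the authorization
     * server's {@code error}, {@code error_description} and {@code error_uri}
     * parameters.
     */
    private void handleError(ContainerRequestContext containerRequestContext) {
        String body = String.format("Authorization Endpoint Error: %s - %s - %s",
                this.httpServletRequest.getParameter(PARAM_ERROR),
                this.httpServletRequest.getParameter(PARAM_ERROR_DESCRIPTION),
                this.httpServletRequest.getParameter(PARAM_ERROR_URI));
        // All three values are client-supplied; declaring the entity as text/plain keeps a
        // browser from rendering them as HTML when no @Produces type applies.
        containerRequestContext.abortWith(Response.status(Response.Status.INTERNAL_SERVER_ERROR)
                .type("text/plain")
                .entity(body)
                .build());
    }

    /**
     * Aborts the request with a 303 See Other to {@code location}.
     *
     * @throws IllegalStateException (a {@link RuntimeException}, as before) when
     *         {@code location} is not a valid URI
     */
    private static void redirectTo(ContainerRequestContext containerRequestContext, String location) {
        try {
            containerRequestContext.abortWith(
                    Response.status(Response.Status.SEE_OTHER).location(new URI(location)).build());
        } catch (URISyntaxException e) {
            throw new IllegalStateException("Invalid redirect location: " + location, e);
        }
    }

    /**
     * Returns the string form of a claim that must be present in the user-info
     * response.
     *
     * @throws IllegalStateException naming the claim when it is absent (previously
     *         an unguarded {@code toString()} produced a bare NPE)
     */
    private static String requiredClaim(JSONObject userInfo, String claim) {
        Object value = userInfo == null ? null : userInfo.get(claim);
        if (value == null) {
            throw new IllegalStateException("UserInfo response lacks required claim '" + claim + "'");
        }
        return value.toString();
    }

    /** Returns the string form of an optional user-info claim, or {@code ""} when absent. */
    private static String optionalClaim(JSONObject userInfo, String claim) {
        Object value = userInfo == null ? null : userInfo.get(claim);
        return value == null ? "" : value.toString();
    }
}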
