package pl.edu.icm.unity.oauth.rp.verificator;

import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import eu.unicore.util.configuration.ConfigurationException;
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.ObjectFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.PKIManagement;
import pl.edu.icm.unity.engine.api.authn.AbstractCredentialVerificatorFactory;
import pl.edu.icm.unity.engine.api.authn.AuthenticationException;
import pl.edu.icm.unity.engine.api.authn.AuthenticationResult;
import pl.edu.icm.unity.engine.api.authn.CredentialVerificator;
import pl.edu.icm.unity.engine.api.authn.LocalAuthenticationResult;
import pl.edu.icm.unity.engine.api.authn.remote.AbstractRemoteVerificator;
import pl.edu.icm.unity.engine.api.authn.remote.RemoteAttribute;
import pl.edu.icm.unity.engine.api.authn.remote.RemoteAuthnResultTranslator;
import pl.edu.icm.unity.engine.api.authn.remote.RemoteIdentity;
import pl.edu.icm.unity.engine.api.authn.remote.RemotelyAuthenticatedInput;
import pl.edu.icm.unity.engine.api.utils.PrototypeComponent;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.exceptions.InternalException;
import pl.edu.icm.unity.oauth.BaseRemoteASProperties;
import pl.edu.icm.unity.oauth.as.OAuthTokenRepository;
import pl.edu.icm.unity.oauth.as.token.OAuthTokenEndpoint;
import pl.edu.icm.unity.oauth.as.token.TokenInfoResource;
import pl.edu.icm.unity.oauth.client.AttributeFetchResult;
import pl.edu.icm.unity.oauth.client.profile.OpenIdProfileFetcher;
import pl.edu.icm.unity.oauth.client.profile.PlainProfileFetcher;
import pl.edu.icm.unity.oauth.rp.AccessTokenExchange;
import pl.edu.icm.unity.oauth.rp.OAuthRPProperties;
import pl.edu.icm.unity.oauth.rp.verificator.ResultsCache;
import pl.edu.icm.unity.types.translation.TranslationProfile;

@PrototypeComponent
/* loaded from: input_file:pl/edu/icm/unity/oauth/rp/verificator/BearerTokenVerificator.class */
public class BearerTokenVerificator extends AbstractRemoteVerificator implements AccessTokenExchange {
    private static final Logger log = Log.getLogger("unity.server.oauth", BearerTokenVerificator.class);
    public static final String NAME = "oauth-rp";
    public static final String DESC = "Verifies OAuth access tokens against an OAuth Authorization Server";
    private OAuthRPProperties verificatorProperties;
    private TokenVerificatorProtocol tokenChecker;
    private PKIManagement pkiMan;
    private OAuthTokenRepository tokensDAO;
    private TranslationProfile translationProfile;
    private ResultsCache cache;

    @Component
    /* loaded from: input_file:pl/edu/icm/unity/oauth/rp/verificator/BearerTokenVerificator$Factory.class */
    public static class Factory extends AbstractCredentialVerificatorFactory {
        @Autowired
        public Factory(ObjectFactory<BearerTokenVerificator> objectFactory) throws EngineException {
            super(BearerTokenVerificator.NAME, BearerTokenVerificator.DESC, objectFactory);
        }
    }

    @Autowired
    public BearerTokenVerificator(PKIManagement pKIManagement, OAuthTokenRepository oAuthTokenRepository, RemoteAuthnResultTranslator remoteAuthnResultTranslator) {
        super(NAME, DESC, AccessTokenExchange.ID, remoteAuthnResultTranslator);
        this.pkiMan = pKIManagement;
        this.tokensDAO = oAuthTokenRepository;
    }

    public String getSerializedConfiguration() throws InternalException {
        StringWriter stringWriter = new StringWriter();
        try {
            this.verificatorProperties.getProperties().store(stringWriter, OAuthTokenEndpoint.PATH);
            return stringWriter.toString();
        } catch (IOException e) {
            throw new InternalException("Can't serialize OAuth RP verificator configuration", e);
        }
    }

    public void setSerializedConfiguration(String str) throws InternalException {
        try {
            Properties properties = new Properties();
            properties.load(new StringReader(str));
            this.verificatorProperties = new OAuthRPProperties(properties, this.pkiMan, this.tokensDAO);
            this.tokenChecker = this.verificatorProperties.getTokenChecker();
            this.translationProfile = getTranslationProfile(this.verificatorProperties, "translationProfile", "embeddedTranslationProfile");
            int i = -1;
            if (this.verificatorProperties.isSet(OAuthRPProperties.CACHE_TIME)) {
                i = this.verificatorProperties.getIntValue(OAuthRPProperties.CACHE_TIME).intValue();
            }
            this.cache = new ResultsCache(i);
        } catch (IOException e) {
            throw new InternalException("Invalid configuration of the OAuth RP verificator(?)", e);
        } catch (ConfigurationException e2) {
            throw new InternalException("Invalid configuration of the OAuth RP verificator", e2);
        }
    }

    @Override // pl.edu.icm.unity.oauth.rp.AccessTokenExchange
    public AuthenticationResult checkToken(BearerAccessToken bearerAccessToken) throws AuthenticationException {
        try {
            return checkTokenInterruptible(bearerAccessToken);
        } catch (Exception e) {
            throw new AuthenticationException("Authentication error ocurred", e);
        } catch (AuthenticationException e2) {
            throw e2;
        }
    }

    public AuthenticationResult checkTokenInterruptible(BearerAccessToken bearerAccessToken) throws Exception {
        ResultsCache.CacheEntry cached = this.cache.getCached(bearerAccessToken.getValue());
        if (cached != null) {
            TokenStatus tokenStatus = cached.getTokenStatus();
            if (cached.getTokenStatus().isValid() && checkScopes(tokenStatus)) {
                return getResultForNonInteractiveAuthn(assembleBaseResult(tokenStatus, cached.getAttributes(), getName()), this.translationProfile);
            }
            return LocalAuthenticationResult.failed();
        }
        TokenStatus checkToken = this.tokenChecker.checkToken(bearerAccessToken);
        if (!checkToken.isValid()) {
            this.cache.cache(bearerAccessToken.getValue(), checkToken, null);
            return LocalAuthenticationResult.failed();
        }
        if (!checkScopes(checkToken)) {
            this.cache.cache(bearerAccessToken.getValue(), checkToken, null);
            return LocalAuthenticationResult.failed();
        }
        AttributeFetchResult userProfileInformation = getUserProfileInformation(bearerAccessToken);
        this.cache.cache(bearerAccessToken.getValue(), checkToken, userProfileInformation);
        return getResultForNonInteractiveAuthn(assembleBaseResult(checkToken, userProfileInformation, getName()), this.translationProfile);
    }

    private boolean checkScopes(TokenStatus tokenStatus) {
        List listOfValues = this.verificatorProperties.getListOfValues(OAuthRPProperties.REQUIRED_SCOPES);
        if (!listOfValues.isEmpty() && tokenStatus.getScope() == null) {
            log.debug("The token validation didn't provide any scope, but there are required scopes");
            return false;
        }
        listOfValues.removeAll(tokenStatus.getScope().toStringList());
        if (listOfValues.isEmpty()) {
            return true;
        }
        log.debug("The following required scopes are not present: " + listOfValues);
        return false;
    }

    private AttributeFetchResult getUserProfileInformation(BearerAccessToken bearerAccessToken) throws AuthenticationException {
        boolean isSetOpenIdMode = this.verificatorProperties.isSetOpenIdMode();
        String value = this.verificatorProperties.getValue(BaseRemoteASProperties.PROFILE_ENDPOINT);
        AttributeFetchResult attributeFetchResult = new AttributeFetchResult();
        if (value == null) {
            log.debug("The profile endpoint is not defined, skipping the profile fetching");
            return attributeFetchResult;
        }
        try {
            return (isSetOpenIdMode ? new OpenIdProfileFetcher() : new PlainProfileFetcher()).fetchProfile(bearerAccessToken, value, this.verificatorProperties, new HashMap());
        } catch (Exception e) {
            throw new AuthenticationException("Can not fetch user's profile information", e);
        }
    }

    private RemotelyAuthenticatedInput assembleBaseResult(TokenStatus tokenStatus, AttributeFetchResult attributeFetchResult, String str) {
        RemotelyAuthenticatedInput remotelyAuthenticatedInput = new RemotelyAuthenticatedInput(str);
        Map<String, List<String>> attributes = attributeFetchResult.getAttributes();
        for (Map.Entry<String, List<String>> entry : attributes.entrySet()) {
            remotelyAuthenticatedInput.addAttribute(new RemoteAttribute(entry.getKey(), entry.getValue().toArray()));
        }
        if (attributes.containsKey(TokenInfoResource.SUBJECT)) {
            remotelyAuthenticatedInput.addIdentity(new RemoteIdentity(attributes.get(TokenInfoResource.SUBJECT).get(0), "identifier"));
        }
        if (tokenStatus.getSubject() != null) {
            remotelyAuthenticatedInput.addIdentity(new RemoteIdentity(tokenStatus.getSubject(), "identifier"));
        }
        if (tokenStatus.getScope() != null) {
            remotelyAuthenticatedInput.addAttribute(new RemoteAttribute(TokenInfoResource.SCOPE, tokenStatus.getScope().toStringList().toArray()));
        }
        if (attributes.containsKey(TokenInfoResource.SUBJECT) && tokenStatus.getSubject() != null && !tokenStatus.getSubject().equals(attributes.get(TokenInfoResource.SUBJECT).get(0))) {
            log.warn("Received subject from the profile endpoint differs from the subject established during access token verification. Will use subject from verification: " + tokenStatus.getSubject() + " ignored: " + attributes.get(TokenInfoResource.SUBJECT).get(0));
        }
        remotelyAuthenticatedInput.setRawAttributes(attributeFetchResult.getRawAttributes());
        return remotelyAuthenticatedInput;
    }

    public CredentialVerificator.VerificatorType getType() {
        return CredentialVerificator.VerificatorType.Remote;
    }
}
