package io.okdp.spark.authc;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.JWKSourceBuilder;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.DefaultJOSEObjectTypeVerifier;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import io.okdp.spark.authc.config.Constants;
import io.okdp.spark.authc.config.HttpSecurityConfig;
import io.okdp.spark.authc.config.OidcConfig;
import io.okdp.spark.authc.exception.AuthenticationException;
import io.okdp.spark.authc.model.AccessToken;
import io.okdp.spark.authc.model.PersistedToken;
import io.okdp.spark.authc.model.WellKnownConfiguration;
import io.okdp.spark.authc.provider.AuthProvider;
import io.okdp.spark.authc.provider.IdentityProviderFactory;
import io.okdp.spark.authc.provider.impl.store.CookieSessionStore;
import io.okdp.spark.authc.utils.HttpAuthenticationUtils;
import io.okdp.spark.authc.utils.JsonUtils;
import io.okdp.spark.authc.utils.PreconditionsUtils;
import io.okdp.spark.authc.utils.TokenUtils;
import io.okdp.spark.authc.utils.exception.Try;
import io.okdp.spark.authz.OidcGroupMappingServiceProvider;
import io.okdp_shaded.apache.hc.core5.http.HttpStatus;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.text.ParseException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Optional;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.Generated;
import one.util.streamex.StreamEx;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/okdp/spark/authc/OidcAuthFilter.class */
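/**
 * Servlet filter that authenticates requests against an OIDC provider.
 *
 * <p>A request is accepted, in this order, when: its path is authorized without login; it carries
 * a valid (or renewable) session cookie; it carries a verifiable JWT in the configured header; or it
 * is the provider's callback carrying an authorization {@code code}. Anything else is redirected to
 * the provider's authorization endpoint.
 */
public class OidcAuthFilter implements Filter, Constants {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(OidcAuthFilter.class);

    /** Defaults used when neither the init parameter nor the environment variable is set. */
    private static final String DEFAULT_USE_PKCE = "auto";
    private static final String DEFAULT_USER_ID = "Email";
    private static final String DEFAULT_JWT_HEADER = "jwt_token";
    private static final String DEFAULT_JWT_SIGNING_ALGS = "RS256, ES256";
    /** Claims a token in the JWT header must carry to be accepted. */
    private static final Set<String> REQUIRED_JWT_CLAIMS = Set.of("sub", "iat", "exp");
    /** Punctuation emitted verbatim by {@link #jsStringLiteral(String)}; anything else is escaped. */
    private static final String JS_LITERAL_SAFE_PUNCTUATION = "-._~/:@%";

    private AuthProvider authProvider;
    private final ConfigurableJWTProcessor<SecurityContext> jwtProcessor = new DefaultJWTProcessor<>();
    private String jwtHeader;

    /**
     * Reads the OIDC settings (filter init parameter first, then the environment variable of the
     * same name), fetches the provider's well-known configuration, builds the {@link AuthProvider}
     * with its cookie session store and configures the verifier used for the JWT header path.
     *
     * @param filterConfig servlet filter configuration supplying the init parameters
     * @throws ServletException if the JWKS URI is malformed or the cookie max-age is not an integer
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        String issuerUri = PreconditionsUtils.checkNotNull(
                setting(filterConfig, Constants.AUTH_ISSUER_URI, "AUTH_ISSUER_URI").orElse(null), Constants.AUTH_ISSUER_URI);
        String clientId = PreconditionsUtils.checkNotNull(
                setting(filterConfig, Constants.AUTH_CLIENT_ID, "AUTH_CLIENT_ID").orElse(null), Constants.AUTH_CLIENT_ID);
        // Optional: an absent secret means the filter runs as a public client (see the log below).
        String clientSecret = setting(filterConfig, Constants.AUTH_CLIENT_SECRET, "AUTH_CLIENT_SECRET").orElse(null);
        String redirectUri = PreconditionsUtils.checkNotNull(
                setting(filterConfig, Constants.AUTH_REDIRECT_URI, "AUTH_REDIRECT_URI").orElse(null), Constants.AUTH_REDIRECT_URI);
        Boolean cookieSecure = Boolean.valueOf(
                setting(filterConfig, Constants.AUTH_COOKE_IS_SECURE, "AUTH_COOKE_IS_SECURE").orElse(Constants.AUTH_COOKE_DEFAULT_IS_SECURE));
        String scope = PreconditionsUtils.checkNotNull(
                setting(filterConfig, Constants.AUTH_SCOPE, "AUTH_SCOPE").orElse(null), Constants.AUTH_SCOPE);
        String cookieEncryptionKey = PreconditionsUtils.checkNotNull(
                setting(filterConfig, Constants.AUTH_COOKIE_ENCRYPTION_KEY, "AUTH_COOKIE_ENCRYPTION_KEY").orElse(null), Constants.AUTH_COOKIE_ENCRYPTION_KEY);
        // NOTE(review): the environment fallback is named ..._SECONDS but its value is handled as
        // minutes (logged as minutes, multiplied by 60 for the cookie) — confirm which unit deployments use.
        int cookieMaxAgeMinutes = parseCookieMaxAgeMinutes(
                setting(filterConfig, Constants.AUTH_COOKE_MAX_AGE_MINUTES, "AUTH_COOKE_MAX_AGE_SECONDS")
                        .orElse(String.valueOf(Constants.AUTH_COOKE_DEFAULT_MAX_AGE_MINUTES)));
        String usePkce = setting(filterConfig, Constants.AUTH_USE_PKCE, "AUTH_USE_PKCE").orElse(DEFAULT_USE_PKCE);
        String userId = setting(filterConfig, Constants.AUTH_USER_ID, "AUTH_USER_ID").orElse(DEFAULT_USER_ID);
        this.jwtHeader = setting(filterConfig, Constants.JWT_HEADER, "JWT_HEADER").orElse(DEFAULT_JWT_HEADER);
        String jwtSigningAlgs = setting(filterConfig, Constants.JWT_HEADER_SIGNING_ALG, "JWT_HEADER_SIGNING_ALG").orElse(DEFAULT_JWT_SIGNING_ALGS);
        // Both default to the values discovered from the issuer's well-known configuration.
        Optional<String> jwtIssuer = setting(filterConfig, Constants.JWT_HEADER_ISSUER, "JWT_HEADER_ISSUER");
        Optional<String> jwtJwksUri = setting(filterConfig, Constants.JWT_HEADER_JWKS_URI, "JWT_HEADER_JWKS_URI");

        log.info("Initializing OIDC Auth filter ({}: <{}>,  {}: <{}>) ...", Constants.AUTH_ISSUER_URI, issuerUri, Constants.AUTH_CLIENT_ID, clientId);
        if (clientSecret != null) {
            log.info("Client Secret provided - Running with Confidential Client with PKCE support set to '{}'", usePkce);
        } else {
            log.info("Client Secret not provided - Running with Public Client with PKCE support set to '{}'", usePkce);
        }

        // The discovery document is fetched once at start-up; its issuer and JWKS URI are the
        // defaults for the JWT header verifier configured at the end of this method.
        WellKnownConfiguration wellKnown = (WellKnownConfiguration) JsonUtils.loadJsonFromUrl(
                String.format("%s%s", issuerUri, Constants.AUTH_ISSUER_WELL_KNOWN_CONFIGURATION), WellKnownConfiguration.class);
        OidcConfig oidcConfig = OidcConfig.builder()
                .issuerUri(issuerUri)
                .clientId(clientId)
                .clientSecret(clientSecret)
                .redirectUri(redirectUri)
                .responseType("code")
                .scope(scope)
                .usePKCE(usePkce)
                .identityProvider(IdentityProviderFactory.from(TokenUtils.capitalize(userId)))
                .wellKnownConfiguration(wellKnown)
                .build();
        WellKnownConfiguration discovered = oidcConfig.wellKnownConfiguration();
        log.info("Your OIDC provider well known configuration: \nAuthorization Endpoint: {}, \nToken Endpoint: {}, \nUser Info Endpoint: {}, \nSupported Scopes: {}, \nPKCE Supported Code Challenge Methods: {}, \nJWKS URI: {}, \n",
                discovered.authorizationEndpoint(), discovered.tokenEndpoint(), discovered.userInfoEndpoint(),
                discovered.scopesSupported(), discovered.supportedPKCECodeChallengeMethods(), discovered.jwksUri());
        PreconditionsUtils.warnUnsupportedScopes(discovered.scopesSupported(), scope,
                String.format("%s|env: %s", Constants.AUTH_SCOPE, "AUTH_SCOPE"));
        PreconditionsUtils.assertCookieSecure(oidcConfig.redirectUri(), cookieSecure,
                String.format("%s|env: %s", Constants.AUTH_COOKE_IS_SECURE, "AUTH_COOKE_IS_SECURE"));
        // The hint names the client-secret setting, which is the one this check is about.
        PreconditionsUtils.assertSupportePKCE(discovered.supportedPKCECodeChallengeMethods(), usePkce, clientSecret,
                String.format("%s|env: %s", Constants.AUTH_CLIENT_SECRET, "AUTH_CLIENT_SECRET"));

        log.info("Initializing OIDC Auth Provider (Cookie based storage for High Available session persistence/cookie name: {}, max-age (minutes): {}) ...",
                Constants.AUTH_COOKE_NAME, cookieMaxAgeMinutes);
        this.authProvider = HttpSecurityConfig.create(oidcConfig)
                // Presumably the patterns that isAuthorized() lets through without login (see doFilter).
                .authorizeRequests(".*/.*\\.css", ".*/.*\\.js", ".*/.*\\.png", "/api/v1/version")
                // The store takes the cookie lifetime in seconds; the setting is in minutes.
                .sessionStore(CookieSessionStore.of(Constants.AUTH_COOKE_NAME, HttpAuthenticationUtils.domain(oidcConfig.redirectUri()),
                        cookieSecure, cookieEncryptionKey, cookieMaxAgeMinutes * 60))
                .configure();

        configureJwtProcessor(jwtSigningAlgs, jwtJwksUri.orElse(discovered.jwksUri()), jwtIssuer.orElse(discovered.issuer()));
    }

    /**
     * Resolves a setting: the filter init parameter {@code initParam} if present, else the
     * environment variable {@code envVar}, else empty.
     */
    private static Optional<String> setting(FilterConfig filterConfig, String initParam, String envVar) {
        return Optional.ofNullable(filterConfig.getInitParameter(initParam))
                .or(() -> Optional.ofNullable(System.getenv(envVar)));
    }

    /**
     * Parses the cookie max-age setting.
     *
     * @throws ServletException when the value is not an integer, so start-up fails with a clear
     *     message instead of a bare NumberFormatException
     */
    private static int parseCookieMaxAgeMinutes(String value) throws ServletException {
        try {
            return Integer.parseInt(value.trim());
        } catch (NumberFormatException e) {
            throw new ServletException("Invalid cookie max-age <" + value + "> for " + Constants.AUTH_COOKE_MAX_AGE_MINUTES
                    + ": expected an integer number of minutes", e);
        }
    }

    /**
     * Configures the Nimbus processor that validates tokens presented in the JWT header: the
     * accepted {@code typ} values, the signing algorithms and JWKS endpoint used to verify the
     * signature, and the claim checks (exact issuer match plus the required claims; Nimbus'
     * DefaultJWTClaimsVerifier additionally enforces exp/nbf).
     *
     * @param signingAlgs comma-separated JWS algorithm names
     * @param jwksUri URL of the JWK set used for signature verification
     * @param expectedIssuer value the {@code iss} claim must equal
     * @throws ServletException if {@code jwksUri} is not a valid URL
     */
    private void configureJwtProcessor(String signingAlgs, String jwksUri, String expectedIssuer) throws ServletException {
        // Only "jwt" and "at+jwt" are listed (no null entry), so a token without a typ header is rejected.
        this.jwtProcessor.setJWSTypeVerifier(new DefaultJOSEObjectTypeVerifier<>(new JOSEObjectType("jwt"), new JOSEObjectType("at+jwt")));
        Set<JWSAlgorithm> algorithms = StreamEx.split(signingAlgs, ',').map(String::trim).map(JWSAlgorithm::parse).toSet();
        try {
            this.jwtProcessor.setJWSKeySelector(new JWSVerificationKeySelector<>(algorithms,
                    JWKSourceBuilder.<SecurityContext>create(new URL(jwksUri)).retrying(true).build()));
        } catch (MalformedURLException e) {
            throw new ServletException("Invalid JWKS URI <" + jwksUri + ">", e);
        }
        // NOTE(review): only the issuer is pinned — no audience ("aud") check is configured, so any
        // token from this issuer carrying the required claims is accepted. Confirm this is intended.
        this.jwtProcessor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(
                new JWTClaimsSet.Builder().issuer(expectedIssuer).build(), REQUIRED_JWT_CLAIMS));
    }

    /**
     * Authenticates the request, trying in order: paths authorized without login, the session
     * cookie (renewed through its refresh token when expired), a JWT in the configured header and
     * finally the OIDC authorization-code flow (redirect to the provider, then exchange of the
     * returned {@code code}). On success the chain is invoked with a request wrapper exposing the
     * user id as principal.
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        if (this.authProvider.isAuthorized(servletRequest)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        if (serveFromSessionCookie(request, response, filterChain) || serveFromJwtHeader(request, response, filterChain)) {
            return;
        }
        if (request.getParameter("code") == null) {
            // Not the provider's callback: start the authorization-code flow.
            // NOTE(review): when checkAuthLogin rejects the request the error is sent and the
            // redirect is still attempted — confirm sendError ends the response.
            Try.of(() -> PreconditionsUtils.checkAuthLogin(request))
                    .onException(e -> HttpAuthenticationUtils.sendError(response, e.getHttpStatusCode(), e.getMessage()));
            this.authProvider.redirectUserToAuthorizationEndpoint(response);
            return;
        }
        completeAuthorizationCodeFlow(request, response);
    }

    /**
     * Serves the request from the session cookie. An expired session is renewed through its
     * refresh token; when it cannot be renewed the cookie is cleared and the request is not served
     * under the expired identity — it falls through to the other mechanisms, ending in a new login.
     *
     * @return true when the chain has been invoked, false to try the next mechanism
     */
    private boolean serveFromSessionCookie(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        Optional<String> cookieValue = HttpAuthenticationUtils.getCookieValue(Constants.AUTH_COOKE_NAME, request);
        if (cookieValue.isEmpty()) {
            return false;
        }
        PersistedToken session = (PersistedToken) this.authProvider.httpSecurityConfig().sessionStore().readToken(cookieValue.get());
        if (session.isExpired()) {
            Optional<PersistedToken> renewed = renewSession(session);
            // save(null) is what the expiry path already used to clear the cookie — presumably the
            // store emits an expiring cookie for it; confirm in CookieSessionStore.
            response.addCookie((Cookie) this.authProvider.httpSecurityConfig().sessionStore().save(renewed.orElse(null)));
            if (renewed.isEmpty()) {
                return false;
            }
            // Continue with the renewed token so groups/roles reflect the provider's current answer.
            session = renewed.get();
        }
        OidcGroupMappingServiceProvider.addUserAndGroups(session.id(), session.userInfo().getGroupsAndRoles());
        chain.doFilter(new PrincipalHttpServletRequestWrapper(request, session.id()), response);
        return true;
    }

    /**
     * Renews an expired session through its refresh token.
     *
     * @return the renewed session, or empty when there is no refresh token or the renewal failed
     */
    private Optional<PersistedToken> renewSession(PersistedToken expired) {
        String user = expired.userInfo().email();
        if (!expired.hasRefreshToken()) {
            log.info("The user {} token was expired, removing cookie and attempt to re-authenticate ... ", user);
            return Optional.empty();
        }
        log.info("The user {} token was expired, renewing ... ", user);
        // Try.onException is taken to yield null once the handler ran (the expiry path relied on
        // that already) — TODO confirm against Try.
        AccessToken renewed = (AccessToken) Try.of(() -> this.authProvider.refreshToken(expired.refreshToken()))
                .onException(e -> log.warn("Unable to renew access token from refresh token, removing cookie and attempt to re-authenticate ....., cause: {}", e.getMessage()));
        return Optional.ofNullable(renewed).map(token -> this.authProvider.httpSecurityConfig().toPersistedToken(token));
    }

    /**
     * Serves the request from a JWT presented in the configured header, after signature, type and
     * claim verification by {@link #jwtProcessor}. Parse and validation failures are logged and the
     * request falls through to the login flow.
     *
     * @return true when the chain has been invoked, false to try the next mechanism
     */
    private boolean serveFromJwtHeader(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        Optional<String> headerValue = HttpAuthenticationUtils.getHeaderValue(this.jwtHeader, request);
        if (headerValue.isEmpty()) {
            log.debug("No JWT header ({}) found", this.jwtHeader);
            return false;
        }
        PersistedToken session;
        try {
            // The header value is a bearer credential: log its presence, never its content.
            log.debug("JWT header ({}) found, verifying ...", this.jwtHeader);
            JWTClaimsSet claims = this.jwtProcessor.process(headerValue.get(), (SecurityContext) null);
            session = this.authProvider.httpSecurityConfig().toPersistedToken(claims);
        } catch (JOSEException | ParseException e) {
            log.error("Error Parsing JWT Token : {}", e.getMessage());
            return false;
        } catch (BadJOSEException e) {
            log.error("Error on JWT Token validation : {}", e.getMessage());
            return false;
        }
        OidcGroupMappingServiceProvider.addUserAndGroups(session.id(), session.userInfo().getGroupsAndRoles());
        chain.doFilter(new PrincipalHttpServletRequestWrapper(request, session.id()), response);
        return true;
    }

    /**
     * Second leg of the authorization-code flow: exchanges the {@code code} parameter for tokens,
     * stores the session in the cookie, registers the user's groups and sends the browser back to
     * the request URI (which, per the servlet API, carries no query string).
     */
    private void completeAuthorizationCodeFlow(HttpServletRequest request, HttpServletResponse response) throws IOException {
        AccessToken accessToken = (AccessToken) Try.of(() -> this.authProvider.requestAccessToken(request, response))
                .onException(e -> HttpAuthenticationUtils.sendError(response, e.getHttpStatusCode(), e.getMessage()));
        if (accessToken == null) {
            // Exchange failed and the handler above has sent the error; nothing to persist.
            return;
        }
        PersistedToken session = this.authProvider.httpSecurityConfig().toPersistedToken(accessToken);
        log.info("Successfully authenticated user ({}): email {} sub {} (roles: {}, groups: {})",
                session.userInfo().name(), session.userInfo().email(), session.userInfo().sub(), session.userInfo().roles(), session.userInfo().groups());
        if (session.id() == null) {
            // Without a user id no session must be issued.
            AuthenticationException noUserId = new AuthenticationException(HttpStatus.SC_UNAUTHORIZED,
                    "Your oidc provider returned an empty user id and may have expired your oidc session! Please try to delete your oidc provider cookie from the browser and try again!");
            HttpAuthenticationUtils.sendError(response, noUserId.getHttpStatusCode(), noUserId.getMessage());
            return;
        }
        response.addCookie((Cookie) this.authProvider.httpSecurityConfig().sessionStore().save(session));
        OidcGroupMappingServiceProvider.addUserAndGroups(session.id(), session.userInfo().getGroupsAndRoles());
        response.getWriter().print(redirectScript(request.getRequestURI()));
    }

    /**
     * Builds the small page that sends the browser to {@code requestUri} once the code exchange
     * has completed. The URI comes from the request line, i.e. it is client-controlled, so it is
     * emitted through {@link #jsStringLiteral(String)} rather than pasted into the script verbatim.
     */
    static String redirectScript(String requestUri) {
        return String.format("<script type=\"text/javascript\">window.location.href = '%s'</script>", jsStringLiteral(requestUri));
    }

    /**
     * Escapes {@code value} for use inside a single-quoted JavaScript string literal embedded in
     * HTML. Letters, digits and the URI punctuation {@code -._~/:@%} pass through; every other
     * character (quotes, backslash, angle brackets, line terminators, ...) becomes a {@code \\uXXXX}
     * escape. The HTML parser never interprets those escapes, so the value can neither close the
     * literal nor the surrounding {@code <script>} element. A null value yields an empty string.
     */
    static String jsStringLiteral(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            boolean plain = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
                    || JS_LITERAL_SAFE_PUNCTUATION.indexOf(c) >= 0;
            if (plain) {
                out.append(c);
            } else {
                out.append(String.format("\\u%04X", (int) c));
            }
        }
        return out.toString();
    }

    /** Logs the shutdown; nothing else is released here. */
    @Override
    public void destroy() {
        log.info("OIDC Auth filter destroyed");
    }
}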
