package io.vertx.ext.auth.oauth2.impl;

import io.vertx.core.AsyncResult;
import io.vertx.core.Future;
import io.vertx.core.Handler;
import io.vertx.core.Vertx;
import io.vertx.core.impl.logging.Logger;
import io.vertx.core.impl.logging.LoggerFactory;
import io.vertx.core.json.DecodeException;
import io.vertx.core.json.JsonArray;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.JWTOptions;
import io.vertx.ext.auth.NoSuchKeyIdException;
import io.vertx.ext.auth.PubSecKeyOptions;
import io.vertx.ext.auth.User;
import io.vertx.ext.auth.authentication.CredentialValidationException;
import io.vertx.ext.auth.authentication.Credentials;
import io.vertx.ext.auth.authentication.TokenCredentials;
import io.vertx.ext.auth.authentication.UsernamePasswordCredentials;
import io.vertx.ext.auth.impl.jose.JWK;
import io.vertx.ext.auth.impl.jose.JWT;
import io.vertx.ext.auth.oauth2.AccessToken;
import io.vertx.ext.auth.oauth2.OAuth2Auth;
import io.vertx.ext.auth.oauth2.OAuth2FlowType;
import io.vertx.ext.auth.oauth2.OAuth2Options;
import io.vertx.ext.auth.oauth2.OAuth2RBAC;
import io.vertx.ext.auth.oauth2.Oauth2Credentials;
import java.util.Iterator;

/* loaded from: input_file:io/vertx/ext/auth/oauth2/impl/OAuth2AuthProviderImpl.class */
public class OAuth2AuthProviderImpl implements OAuth2Auth {
    private static final Logger LOG = LoggerFactory.getLogger(OAuth2AuthProviderImpl.class);
    private final Vertx vertx;
    private final OAuth2Options config;
    private final OAuth2API api;
    private volatile JWT jwt = new JWT();
    private long updateTimerId = -1;
    private Handler<String> missingKeyHandler;

    public OAuth2AuthProviderImpl(Vertx vertx, OAuth2Options oAuth2Options) {
        this.vertx = vertx;
        this.config = oAuth2Options;
        this.api = new OAuth2API(vertx, oAuth2Options);
        this.config.replaceVariables(true);
        this.config.validate();
        this.jwt.nonceAlgorithm(this.config.getJWTOptions().getNonceAlgorithm());
        if (oAuth2Options.getPubSecKeys() != null) {
            Iterator<PubSecKeyOptions> it = oAuth2Options.getPubSecKeys().iterator();
            while (it.hasNext()) {
                this.jwt.addJWK(new JWK(it.next()));
            }
        }
    }

    @Override // io.vertx.ext.auth.oauth2.OAuth2Auth
    public OAuth2Auth jWKSet(Handler<AsyncResult<Void>> handler) {
        this.api.jwkSet(asyncResult -> {
            if (asyncResult.failed()) {
                handler.handle(Future.failedFuture(asyncResult.cause()));
                return;
            }
            if (this.updateTimerId != -1) {
                this.vertx.cancelTimer(this.updateTimerId);
            }
            JsonObject jsonObject = (JsonObject) asyncResult.result();
            JWT nonceAlgorithm = new JWT().nonceAlgorithm(this.config.getJWTOptions().getNonceAlgorithm());
            Iterator it = jsonObject.getJsonArray("keys").iterator();
            while (it.hasNext()) {
                try {
                    nonceAlgorithm.addJWK(new JWK((JsonObject) it.next()));
                } catch (RuntimeException e) {
                    LOG.warn("Skipped unsupported JWK: " + e.getMessage());
                }
            }
            synchronized (this) {
                this.jwt = nonceAlgorithm;
            }
            if (jsonObject.containsKey("maxAge")) {
                long longValue = (jsonObject.getLong("maxAge").longValue() * 1000) - Math.max(0, this.config.getJWTOptions().getLeeway());
                if (longValue > 0) {
                    this.updateTimerId = this.vertx.setPeriodic(longValue, l -> {
                        jWKSet(asyncResult -> {
                            if (asyncResult.failed()) {
                                LOG.warn("Failed to auto-update JWK Set", asyncResult.cause());
                            }
                        });
                    });
                } else {
                    this.updateTimerId = -1L;
                }
            }
            handler.handle(Future.succeededFuture());
        });
        return this;
    }

    @Override // io.vertx.ext.auth.oauth2.OAuth2Auth
    public OAuth2Auth missingKeyHandler(Handler<String> handler) {
        this.missingKeyHandler = handler;
        return this;
    }

    public OAuth2Options getConfig() {
        return this.config;
    }

    public void authenticate(JsonObject jsonObject, Handler<AsyncResult<User>> handler) {
        if (jsonObject.containsKey("access_token")) {
            Credentials tokenCredentials = new TokenCredentials(jsonObject.getString("access_token"));
            if (jsonObject.containsKey("scopes")) {
                Iterator it = jsonObject.getJsonArray("scopes").iterator();
                while (it.hasNext()) {
                    tokenCredentials.addScope((String) it.next());
                }
            }
            authenticate(tokenCredentials, handler);
            return;
        }
        switch (this.config.getFlow()) {
            case AUTH_CODE:
                if (jsonObject.containsKey("code")) {
                    authenticate(new Oauth2Credentials().setCode(jsonObject.getString("code")).setCodeVerifier(jsonObject.getString("codeVerifier")).setRedirectUri(jsonObject.getString("redirectUri")), handler);
                    return;
                }
                break;
            case CLIENT:
                if (jsonObject.size() == 0) {
                    Oauth2Credentials oauth2Credentials = new Oauth2Credentials();
                    if (jsonObject.containsKey("scopes")) {
                        Iterator it2 = jsonObject.getJsonArray("scopes").iterator();
                        while (it2.hasNext()) {
                            oauth2Credentials.addScope((String) it2.next());
                        }
                    }
                    authenticate(oauth2Credentials, handler);
                    return;
                }
                break;
            case PASSWORD:
                if (jsonObject.containsKey("username") && jsonObject.containsKey("password")) {
                    Oauth2Credentials password = new Oauth2Credentials().setUsername(jsonObject.getString("username")).setPassword(jsonObject.getString("password"));
                    if (jsonObject.containsKey("scopes")) {
                        Iterator it3 = jsonObject.getJsonArray("scopes").iterator();
                        while (it3.hasNext()) {
                            password.addScope((String) it3.next());
                        }
                    }
                    authenticate(password, handler);
                    return;
                }
                break;
            case AUTH_JWT:
            case AAD_OBO:
                if (jsonObject.containsKey("assertion")) {
                    authenticate(new Oauth2Credentials().setAssertion(jsonObject.getString("assertion")), handler);
                    return;
                } else {
                    authenticate(new Oauth2Credentials().setJwt(jsonObject), handler);
                    return;
                }
        }
        handler.handle(Future.failedFuture("can't parse token: " + jsonObject));
    }

    public void authenticate(Credentials credentials, Handler<AsyncResult<User>> handler) {
        try {
            if (credentials instanceof UsernamePasswordCredentials) {
                UsernamePasswordCredentials usernamePasswordCredentials = (UsernamePasswordCredentials) credentials;
                usernamePasswordCredentials.checkValid((Object) null);
                authenticate(new Oauth2Credentials().setUsername(usernamePasswordCredentials.getUsername()).setPassword(usernamePasswordCredentials.getPassword()), handler);
                return;
            }
            if (credentials instanceof TokenCredentials) {
                TokenCredentials tokenCredentials = (TokenCredentials) credentials;
                tokenCredentials.checkValid((Object) null);
                switch (this.config.getFlow()) {
                    case AUTH_JWT:
                    case AAD_OBO:
                        authenticate(new Oauth2Credentials().setAssertion(tokenCredentials.getToken()).setJwt(this.config.getExtraParameters()).setScopes(tokenCredentials.getScopes()), handler);
                        return;
                    default:
                        User createUser = createUser(new JsonObject().put("access_token", tokenCredentials.getToken()), false);
                        if (createUser.attributes().containsKey("accessToken") && !this.jwt.isUnsecure() && !createUser.expired(this.config.getJWTOptions().getLeeway())) {
                            handler.handle(Future.succeededFuture(createUser));
                            return;
                        }
                        if (this.config.getIntrospectionPath() != null) {
                            this.api.tokenIntrospection("access_token", tokenCredentials.getToken(), asyncResult -> {
                                String clientId;
                                if (asyncResult.failed()) {
                                    handler.handle(Future.failedFuture(asyncResult.cause()));
                                    return;
                                }
                                JsonObject jsonObject = (JsonObject) asyncResult.result();
                                if (jsonObject.containsKey("active") && !jsonObject.getBoolean("active", false).booleanValue()) {
                                    handler.handle(Future.failedFuture("Inactive Token"));
                                    return;
                                }
                                if (jsonObject.containsKey("client_id") && (clientId = this.config.getClientId()) != null && !clientId.equals(jsonObject.getString("client_id"))) {
                                    LOG.info("Introspect client_id doesn't match configured client_id");
                                }
                                User createUser2 = createUser(jsonObject, createUser.attributes().containsKey("missing-kid"));
                                if (createUser2.expired(this.config.getJWTOptions().getLeeway())) {
                                    handler.handle(Future.failedFuture("Used is expired."));
                                } else {
                                    handler.handle(Future.succeededFuture(createUser2));
                                }
                            });
                            return;
                        } else if (createUser.attributes().containsKey("missing-kid")) {
                            handler.handle(Future.failedFuture(new NoSuchKeyIdException(createUser.attributes().getString("missing-kid"))));
                            return;
                        } else {
                            handler.handle(Future.failedFuture("Can't authenticate access_token: Provider doesn't support token introspection"));
                            return;
                        }
                }
            }
            Oauth2Credentials oauth2Credentials = (Oauth2Credentials) credentials;
            oauth2Credentials.checkValid(this.config.getFlow());
            JsonObject jsonObject = new JsonObject();
            switch (this.config.getFlow()) {
                case AUTH_CODE:
                    jsonObject.put("code", oauth2Credentials.getCode());
                    if (oauth2Credentials.getRedirectUri() != null) {
                        jsonObject.put("redirect_uri", oauth2Credentials.getRedirectUri());
                    }
                    if (oauth2Credentials.getCodeVerifier() != null) {
                        jsonObject.put("code_verifier", oauth2Credentials.getCodeVerifier());
                        break;
                    }
                    break;
                case CLIENT:
                    if (oauth2Credentials.getScopes() != null) {
                        jsonObject.put("scope", String.join(this.config.getScopeSeparator(), oauth2Credentials.getScopes()));
                        break;
                    }
                    break;
                case PASSWORD:
                    jsonObject.put("username", oauth2Credentials.getUsername()).put("password", oauth2Credentials.getPassword());
                    if (oauth2Credentials.getScopes() != null) {
                        jsonObject.put("scope", String.join(this.config.getScopeSeparator(), oauth2Credentials.getScopes()));
                        break;
                    }
                    break;
                case AUTH_JWT:
                    jsonObject.put("assertion", this.jwt.sign(oauth2Credentials.getJwt(), this.config.getJWTOptions()));
                    if (oauth2Credentials.getScopes() != null) {
                        jsonObject.put("scope", String.join(this.config.getScopeSeparator(), oauth2Credentials.getScopes()));
                        break;
                    }
                    break;
                case AAD_OBO:
                    jsonObject.put("requested_token_use", "on_behalf_of").put("assertion", oauth2Credentials.getAssertion());
                    if (oauth2Credentials.getScopes() != null) {
                        jsonObject.put("scope", String.join(this.config.getScopeSeparator(), oauth2Credentials.getScopes()));
                        break;
                    }
                    break;
                default:
                    handler.handle(Future.failedFuture("Current flow does not allow acquiring a token by the replay party"));
                    return;
            }
            this.api.token(this.config.getFlow().getGrantType(), jsonObject, asyncResult2 -> {
                if (asyncResult2.failed()) {
                    handler.handle(Future.failedFuture(asyncResult2.cause()));
                    return;
                }
                User createUser2 = createUser((JsonObject) asyncResult2.result(), false);
                if (createUser2.expired(this.config.getJWTOptions().getLeeway())) {
                    handler.handle(Future.failedFuture("Used is expired."));
                } else {
                    handler.handle(Future.succeededFuture(createUser2));
                }
            });
        } catch (ClassCastException | CredentialValidationException e) {
            handler.handle(Future.failedFuture(e));
        }
    }

    @Override // io.vertx.ext.auth.oauth2.OAuth2Auth
    public String authorizeURL(JsonObject jsonObject) {
        return this.api.authorizeURL(jsonObject);
    }

    @Override // io.vertx.ext.auth.oauth2.OAuth2Auth
    public OAuth2Auth refresh(User user, Handler<AsyncResult<User>> handler) {
        this.api.token("refresh_token", new JsonObject().put("refresh_token", user.principal().getString("refresh_token")), asyncResult -> {
            if (asyncResult.failed()) {
                handler.handle(Future.failedFuture(asyncResult.cause()));
                return;
            }
            User createUser = createUser((JsonObject) asyncResult.result(), false);
            if (createUser.expired(this.config.getJWTOptions().getLeeway())) {
                handler.handle(Future.failedFuture("Used is expired."));
            } else {
                handler.handle(Future.succeededFuture(createUser));
            }
        });
        return this;
    }

    @Override // io.vertx.ext.auth.oauth2.OAuth2Auth
    public OAuth2Auth revoke(User user, String str, Handler<AsyncResult<Void>> handler) {
        this.api.tokenRevocation(str, user.principal().getString(str), handler);
        return this;
    }

    @Override // io.vertx.ext.auth.oauth2.OAuth2Auth
    public OAuth2Auth userInfo(User user, Handler<AsyncResult<JsonObject>> handler) {
        this.api.userInfo(user.principal().getString("access_token"), this.jwt, asyncResult -> {
            if (asyncResult.succeeded()) {
                JsonObject jsonObject = (JsonObject) asyncResult.result();
                String string = user.principal().getString("sub", user.attributes().getString("sub"));
                String string2 = jsonObject.getString("sub");
                if ((string != null || string2 != null) && string != null && string2 != null && !string.equals(string2)) {
                    handler.handle(Future.failedFuture("Used 'sub' does not match UserInfo 'sub'."));
                    return;
                }
                copyProperties(jsonObject, user.attributes(), true, "sub", "name", "email", "picture");
            }
            handler.handle(asyncResult);
        });
        return this;
    }

    @Override // io.vertx.ext.auth.oauth2.OAuth2Auth
    public String endSessionURL(User user, JsonObject jsonObject) {
        return this.api.endSessionURL(user.principal().getString("id_token"), jsonObject);
    }

    private User createUser(JsonObject jsonObject, boolean z) {
        Long valueOf;
        User create = User.create(jsonObject);
        long currentTimeMillis = System.currentTimeMillis() / 1000;
        String str = null;
        if (jsonObject.containsKey("expires_in")) {
            try {
                valueOf = jsonObject.getLong("expires_in");
            } catch (ClassCastException e) {
                valueOf = Long.valueOf(jsonObject.getString("expires_in"));
            }
            create.attributes().put("iat", Long.valueOf(currentTimeMillis)).put("exp", Long.valueOf(currentTimeMillis + valueOf.longValue()));
        }
        if (!this.jwt.isUnsecure()) {
            if (jsonObject.containsKey("access_token")) {
                try {
                    create.attributes().put("accessToken", validToken(this.jwt.decode(jsonObject.getString("access_token")), false));
                    copyProperties(create.attributes().getJsonObject("accessToken"), create.attributes(), true, "exp", "iat", "nbf", "sub");
                    create.attributes().put("rootClaim", "accessToken");
                } catch (NoSuchKeyIdException e2) {
                    if (!z) {
                        create.attributes().put("missing-kid", e2.id());
                        str = e2.id();
                        if (this.missingKeyHandler != null) {
                            this.missingKeyHandler.handle(e2.id());
                        } else {
                            LOG.trace("Cannot decode access token:", e2);
                        }
                    }
                } catch (DecodeException | IllegalStateException e3) {
                    LOG.trace("Cannot decode access token:", e3);
                }
            }
            if (jsonObject.containsKey("id_token")) {
                try {
                    create.attributes().put("idToken", validToken(this.jwt.decode(jsonObject.getString("id_token")), true));
                    copyProperties(create.attributes().getJsonObject("idToken"), create.attributes(), false, "sub", "name", "email", "picture");
                } catch (NoSuchKeyIdException e4) {
                    if (!z && !e4.id().equals(str)) {
                        create.attributes().put("missing-kid", e4.id());
                        if (this.missingKeyHandler != null) {
                            this.missingKeyHandler.handle(e4.id());
                        } else {
                            LOG.trace("Cannot decode access token:", e4);
                        }
                    }
                } catch (DecodeException | IllegalStateException e5) {
                    LOG.trace("Cannot decode id token:", e5);
                }
            }
        }
        return create;
    }

    private JsonObject validToken(JsonObject jsonObject, boolean z) throws IllegalStateException {
        String clientId;
        JWTOptions jWTOptions = this.config.getJWTOptions();
        if (jWTOptions.getAudience() != null && jsonObject.containsKey("aud")) {
            try {
                JsonArray add = jsonObject.getValue("aud") instanceof String ? new JsonArray().add(jsonObject.getValue("aud")) : jsonObject.getJsonArray("aud");
                if (add != null && add.size() > 0) {
                    for (String str : jWTOptions.getAudience()) {
                        if (!add.contains(str)) {
                            throw new IllegalStateException("Invalid JWT audience. expected: " + str);
                        }
                    }
                }
            } catch (RuntimeException e) {
                throw new IllegalStateException("User audience isn't a JsonArray or String");
            }
        }
        if (jWTOptions.getIssuer() != null && !jWTOptions.getIssuer().equals(jsonObject.getString("iss"))) {
            throw new IllegalStateException("Invalid JWT issuer");
        }
        if (!z || !jsonObject.containsKey("azp") || (clientId = this.config.getClientId()) == null || clientId.equals(jsonObject.getString("azp"))) {
            return jsonObject;
        }
        throw new IllegalStateException("Invalid authorised party != config.clientID");
    }

    @Override // io.vertx.ext.auth.oauth2.OAuth2Auth
    @Deprecated
    public OAuth2Auth decodeToken(String str, Handler<AsyncResult<AccessToken>> handler) {
        try {
            handler.handle(Future.succeededFuture(createAccessToken(this.jwt.decode(str))));
        } catch (RuntimeException e) {
            handler.handle(Future.failedFuture(e));
        }
        return this;
    }

    @Override // io.vertx.ext.auth.oauth2.OAuth2Auth
    @Deprecated
    public OAuth2Auth introspectToken(String str, String str2, Handler<AsyncResult<AccessToken>> handler) {
        this.api.tokenIntrospection(str2, str, asyncResult -> {
            if (asyncResult.failed()) {
                handler.handle(Future.failedFuture(asyncResult.cause()));
            } else {
                handler.handle(Future.succeededFuture(createAccessToken((JsonObject) asyncResult.result())));
            }
        });
        return this;
    }

    @Override // io.vertx.ext.auth.oauth2.OAuth2Auth
    @Deprecated
    public OAuth2FlowType getFlowType() {
        return this.config.getFlow();
    }

    @Override // io.vertx.ext.auth.oauth2.OAuth2Auth
    @Deprecated
    public OAuth2Auth rbacHandler(OAuth2RBAC oAuth2RBAC) {
        return this;
    }

    @Deprecated
    private AccessToken createAccessToken(JsonObject jsonObject) {
        Long valueOf;
        Long l;
        AccessTokenImpl accessTokenImpl = new AccessTokenImpl(jsonObject, this);
        long currentTimeMillis = System.currentTimeMillis() / 1000;
        if (jsonObject.containsKey("expires_in")) {
            try {
                valueOf = jsonObject.getLong("expires_in");
            } catch (ClassCastException e) {
                valueOf = Long.valueOf(jsonObject.getString("expires_in"));
            }
            accessTokenImpl.attributes().put("iat", Long.valueOf(currentTimeMillis)).put("exp", Long.valueOf(currentTimeMillis + valueOf.longValue()));
        }
        if (jsonObject.getString("access_token") != null) {
            try {
                accessTokenImpl.attributes().put("accessToken", this.jwt.decode(jsonObject.getString("access_token")));
                if (!accessTokenImpl.attributes().containsKey("exp") && (l = accessTokenImpl.attributes().getJsonObject("accessToken").getLong("exp")) != null) {
                    accessTokenImpl.attributes().put("exp", l);
                }
                accessTokenImpl.attributes().put("rootClaim", "accessToken");
            } catch (DecodeException | IllegalStateException e2) {
                LOG.trace("Cannot decode access token:", e2);
            } catch (NoSuchKeyIdException e3) {
                if (this.missingKeyHandler != null) {
                    this.missingKeyHandler.handle(e3.id());
                } else {
                    LOG.trace("Cannot decode access token:", e3);
                }
            }
        }
        if (jsonObject.getString("id_token") != null) {
            try {
                accessTokenImpl.attributes().put("idToken", this.jwt.decode(jsonObject.getString("id_token")));
            } catch (DecodeException | IllegalStateException e4) {
                LOG.trace("Cannot decode id token:", e4);
            } catch (NoSuchKeyIdException e5) {
                if (this.missingKeyHandler != null) {
                    this.missingKeyHandler.handle(e5.id());
                } else {
                    LOG.trace("Cannot decode access token:", e5);
                }
            }
        }
        return accessTokenImpl;
    }

    private static void copyProperties(JsonObject jsonObject, JsonObject jsonObject2, boolean z, String... strArr) {
        if (jsonObject == null || jsonObject2 == null) {
            return;
        }
        for (String str : strArr) {
            if (jsonObject.containsKey(str) && (!jsonObject2.containsKey(str) || z)) {
                jsonObject2.put(str, jsonObject.getValue(str));
            }
        }
    }
}
