package com.predic8.membrane.core.interceptor.oauth2;

import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.http.apache.ApacheHttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.predic8.membrane.annot.MCAttribute;
import com.predic8.membrane.annot.MCElement;
import com.predic8.membrane.core.Constants;
import com.predic8.membrane.core.Router;
import com.predic8.membrane.core.exchange.Exchange;
import com.predic8.membrane.core.http.Request;
import com.predic8.membrane.core.http.Response;
import com.predic8.membrane.core.interceptor.LogInterceptor;
import com.predic8.membrane.core.interceptor.authentication.session.SessionManager;
import com.predic8.membrane.core.transport.http.HttpClient;
import com.predic8.membrane.core.transport.http.client.HttpClientConfiguration;
import com.predic8.membrane.core.util.URIFactory;
import com.predic8.membrane.core.util.URLParamUtil;
import com.predic8.membrane.core.util.Util;
import java.net.URLEncoder;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.beans.factory.annotation.Required;

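/**
 * Authorization service that signs users in through Google's OAuth2 / OpenID Connect endpoints.
 *
 * <p>The service builds the Google login URL, handles the {@code /oauth2callback} request,
 * exchanges the authorization code for an ID token, verifies that token and stores the
 * authenticated e-mail address in the session.
 *
 * <p>The configured client id is the part <em>before</em> {@code .apps.googleusercontent.com};
 * the suffix is appended wherever the full client id is needed.
 */
@MCElement(name = "google", topLevel = false)
/* loaded from: input_file:service-proxy-core-4.2.0.jar:com/predic8/membrane/core/interceptor/oauth2/GoogleAuthorizationService.class */
public class GoogleAuthorizationService extends AuthorizationService {
    private static final Log log = LogFactory.getLog(GoogleAuthorizationService.class.getName());

    /** Suffix appended to the configured client id to form the full Google client id. */
    private static final String CLIENT_ID_SUFFIX = ".apps.googleusercontent.com";

    private String clientId;
    // Confidential OAuth2 credential: sent to the token endpoint, must never be logged.
    private String clientSecret;
    private HttpClientConfiguration httpClientConfiguration;
    private HttpClient httpClient;
    private JsonFactory factory;
    private GoogleIdTokenVerifier verifier;
    private URIFactory uriFactory;

    /** @return the configured client id (without the {@code .apps.googleusercontent.com} suffix) */
    public String getClientId() {
        return this.clientId;
    }

    /** @param str the client id prefix; the Google domain suffix is appended by this class */
    @Required
    @MCAttribute
    public void setClientId(String str) {
        this.clientId = str;
    }

    /** @return the OAuth2 client secret; treat the returned value as a credential */
    public String getClientSecret() {
        return this.clientSecret;
    }

    /** @param str the OAuth2 client secret used when exchanging the authorization code */
    @Required
    @MCAttribute
    public void setClientSecret(String str) {
        this.clientSecret = str;
    }

    /** @return the optional HTTP client configuration, or {@code null} if none was set */
    public HttpClientConfiguration getHttpClientConfiguration() {
        return this.httpClientConfiguration;
    }

    /** @param httpClientConfiguration configuration for a dedicated HTTP client; may be {@code null} */
    @MCAttribute
    public void setHttpClientConfiguration(HttpClientConfiguration httpClientConfiguration) {
        this.httpClientConfiguration = httpClientConfiguration;
    }

    /**
     * Prepares the HTTP client, JSON factory, ID-token verifier and URI factory.
     *
     * <p>Without an explicit {@link HttpClientConfiguration} the router's HTTP schema resolver
     * client is reused; otherwise a dedicated client is created from the configuration.
     *
     * @param router the router this service runs in
     */
    @Override // com.predic8.membrane.core.interceptor.oauth2.AuthorizationService
    public void init(Router router) {
        this.httpClient = this.httpClientConfiguration == null ? router.getResolverMap().getHTTPSchemaResolver().getHttpClient() : new HttpClient(this.httpClientConfiguration);
        this.factory = new JacksonFactory();
        // The verifier is created without an audience, so handleRequest() checks the audience itself.
        this.verifier = new GoogleIdTokenVerifier(new ApacheHttpTransport(), this.factory);
        this.uriFactory = router.getUriFactory();
    }

    /**
     * Builds the Google authorization URL the user is sent to for login.
     *
     * @param str  the CSRF security token embedded in the {@code state} parameter
     * @param str2 the prefix of the redirect URI; {@code oauth2callback} is appended to it
     * @param str3 the URL embedded in {@code state} as the post-login redirect target
     * @return the complete authorization URL
     */
    @Override // com.predic8.membrane.core.interceptor.oauth2.AuthorizationService
    public String getLoginURL(String str, String str2, String str3) {
        // NOTE(review): str, str2 and str3 are concatenated without URL encoding, so a value
        // containing '&', '#' or '%' changes the structure of the query string or of the nested
        // state value. Whether callers pre-encode these values is not visible from this class;
        // confirm, and encode here (state values need encoding for both nesting levels) if not.
        return "https://accounts.google.com/o/oauth2/auth?client_id=" + this.clientId + CLIENT_ID_SUFFIX + "&response_type=code&scope=openid%20email&redirect_uri=" + str2 + "oauth2callback&state=security_token%3D" + str + "%26url%3D" + str3;
    }

    /**
     * Handles the OAuth2 callback: validates the CSRF token in {@code state}, exchanges the
     * authorization code for an ID token, verifies the token and authorizes the session.
     *
     * @param exchange the incoming exchange; receives a redirect on success or a 400 response on failure
     * @param str      the expected CSRF security token for this session
     * @param str2     the prefix of the redirect URI; must match the one used in {@link #getLoginURL}
     * @param session  the session to authorize
     * @return {@code true} if the user was authenticated and a redirect was set; {@code false} if
     *         the request is not for {@code /oauth2callback} or any validation step failed
     * @throws Exception if resolving the request path fails; failures inside the callback
     *         processing are converted into a 400 response instead
     */
    @Override // com.predic8.membrane.core.interceptor.oauth2.AuthorizationService
    public boolean handleRequest(Exchange exchange, String str, String str2, SessionManager.Session session) throws Exception {
        String path = this.uriFactory.create(exchange.getDestinations().get(0)).getPath();
        if (!"/oauth2callback".equals(path)) {
            return false;
        }
        try {
            Map<String, String> params = URLParamUtil.getParams(this.uriFactory, exchange);
            String state = params.get("state");
            if (state == null) {
                throw new RuntimeException("No CSRF token.");
            }
            Map<String, String> stateParams = URLParamUtil.parseQueryString(state);
            if (stateParams == null || !stateParams.containsKey("security_token")) {
                throw new RuntimeException("No CSRF token.");
            }
            // Compare in constant time so response timing does not reveal how much of the token
            // matched; a missing token on either side counts as a mismatch.
            String receivedToken = stateParams.get("security_token");
            if (receivedToken == null || str == null || !MessageDigest.isEqual(receivedToken.getBytes("UTF-8"), str.getBytes("UTF-8"))) {
                throw new RuntimeException("CSRF token mismatch.");
            }
            // NOTE(review): the redirect target is taken from the state parameter and used as-is.
            // Confirm that only same-site paths can end up here, or restrict it to relative paths.
            String redirectTarget = stateParams.get("url");
            if (redirectTarget == null) {
                redirectTarget = "/";
            }
            if (log.isDebugEnabled()) {
                log.debug("CSRF token match.");
            }
            String code = params.get("code");
            if (code == null) {
                throw new RuntimeException("No code received.");
            }
            // The code arrives URL-decoded from the request and is supplied by the client, so it
            // is re-encoded before it goes into the form body; otherwise an '&' inside it would
            // add or override form parameters of the token request.
            // The redirect URI is kept in the same form as in getLoginURL() so both requests agree.
            String tokenRequestBody = "code=" + URLEncoder.encode(code, "UTF-8")
                    + "&client_id=" + this.clientId + CLIENT_ID_SUFFIX
                    + "&client_secret=" + this.clientSecret
                    + "&redirect_uri=" + str2 + "oauth2callback&grant_type=authorization_code";
            Exchange tokenExchange = new Request.Builder().post("https://www.googleapis.com/oauth2/v3/token").header("Content-Type", "application/x-www-form-urlencoded").header("Host", "www.googleapis.com").header("Accept", "*/*").header("User-Agent", Constants.USERAGENT).body(tokenRequestBody).buildExchange();
            LogInterceptor logInterceptor = null;
            if (log.isDebugEnabled()) {
                logInterceptor = new LogInterceptor();
                // Headers only: the request body carries the client secret and the authorization
                // code, and the response body carries tokens; none of them belong in log files.
                logInterceptor.setHeaderOnly(true);
                logInterceptor.handleRequest(tokenExchange);
            }
            Response response = this.httpClient.call(tokenExchange).getResponse();
            if (response.getStatusCode() != 200) {
                // Body is read and discarded before failing (presumably to consume the response).
                response.getBody().read();
                throw new RuntimeException("Google Authentication server returned " + response.getStatusCode() + DefaultAdvisorAutoProxyCreator.SEPARATOR);
            }
            // Guard on the interceptor itself: the debug level may have been switched on between
            // the two checks, in which case no interceptor was created.
            if (logInterceptor != null) {
                logInterceptor.handleResponse(tokenExchange);
            }
            HashMap<String, String> tokenResponse = Util.parseSimpleJSONResponse(response);
            if (!tokenResponse.containsKey("id_token")) {
                throw new RuntimeException("No id_token received.");
            }
            GoogleIdToken idToken = GoogleIdToken.parse(this.factory, tokenResponse.get("id_token"));
            if (idToken == null) {
                throw new RuntimeException("Token cannot be parsed");
            }
            // Both checks are required: the verifier validates the token itself, and the audience
            // check ensures the token was issued for this client and not for another application.
            boolean tokenValid = this.verifier.verify(idToken);
            if (!tokenValid || !idToken.verifyAudience(Collections.singletonList(this.clientId + CLIENT_ID_SUFFIX))) {
                throw new RuntimeException("Invalid token");
            }
            // NOTE(review): the e-mail claim is trusted without checking the token's
            // email_verified claim; confirm whether unverified addresses must be rejected.
            Map<String, String> userAttributes = session.getUserAttributes();
            synchronized (userAttributes) {
                userAttributes.put("headerX-Authenticated-Email", idToken.getPayload().getEmail());
            }
            session.authorize();
            exchange.setResponse(Response.redirect(redirectTarget, false).build());
            return true;
        } catch (Exception e) {
            // NOTE(review): the exception message is returned verbatim to the client, so messages
            // raised by lower layers can reach the response; confirm that this is acceptable.
            exchange.setResponse(Response.badRequest().body(e.getMessage()).build());
            return false;
        }
    }
}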
