package io.okdp.spark.authc.provider.impl;

import io.okdp.spark.authc.config.Constants;
import io.okdp.spark.authc.config.HttpSecurityConfig;
import io.okdp.spark.authc.exception.AuthenticationException;
import io.okdp.spark.authc.model.AccessToken;
import io.okdp.spark.authc.model.AuthState;
import io.okdp.spark.authc.utils.HttpAuthenticationUtils;
import io.okdp.spark.authc.utils.JsonUtils;
import io.okdp.spark.authc.utils.PreconditionsUtils;
import io.okdp_shaded.apache.hc.client5.http.fluent.Form;
import io.okdp_shaded.apache.hc.client5.http.fluent.Request;
import io.okdp_shaded.apache.hc.core5.http.HttpStatus;
import io.okdp_shaded.apache.hc.core5.util.Timeout;
import java.io.IOException;
import java.util.Optional;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import lombok.Generated;
import lombok.NonNull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/okdp/spark/authc/provider/impl/PKCEAuthorizationCodeAuthProvider.class */
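/**
 * OIDC authorization-code provider that uses PKCE with the {@code S256} challenge method.
 *
 * <p>The flow implemented here has two legs:
 * <ol>
 *   <li>{@link #redirectUserToAuthorizationEndpoint(ServletResponse)} creates a random
 *       {@link AuthState}, hands it to the session store (which returns the cookie to set) and
 *       sends the browser to the authorization endpoint with the state and code challenge.</li>
 *   <li>{@link #requestAccessToken(ServletRequest, ServletResponse)} reads that state back from
 *       the cookie, compares it with the {@code state} request parameter and exchanges the
 *       {@code code} plus the saved code verifier for tokens.</li>
 * </ol>
 *
 * <p>{@code client_secret} is sent to the token endpoint only when one is configured.
 */
public class PKCEAuthorizationCodeAuthProvider extends AbstractAuthorizationCodeAuthProvider {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(PKCEAuthorizationCodeAuthProvider.class);

    @NonNull
    private final HttpSecurityConfig httpSecurityConfig;

    /** Lombok-style builder; {@link #build()} delegates to the public constructor. */
    @Generated
    /* loaded from: input_file:io/okdp/spark/authc/provider/impl/PKCEAuthorizationCodeAuthProvider$PKCEAuthorizationCodeAuthProviderBuilder.class */
    public static class PKCEAuthorizationCodeAuthProviderBuilder {

        @Generated
        private HttpSecurityConfig httpSecurityConfig;

        @Generated
        PKCEAuthorizationCodeAuthProviderBuilder() {
        }

        /**
         * Sets the security configuration used by the provider.
         *
         * @throws NullPointerException if {@code httpSecurityConfig} is null
         */
        @Generated
        public PKCEAuthorizationCodeAuthProviderBuilder httpSecurityConfig(@NonNull HttpSecurityConfig httpSecurityConfig) {
            if (httpSecurityConfig == null) {
                throw new NullPointerException("httpSecurityConfig is marked non-null but is null");
            }
            this.httpSecurityConfig = httpSecurityConfig;
            return this;
        }

        /** Builds the provider; the constructor rejects a configuration that was never set. */
        @Generated
        public PKCEAuthorizationCodeAuthProvider build() {
            return new PKCEAuthorizationCodeAuthProvider(this.httpSecurityConfig);
        }

        // NOTE(review): prints the whole HttpSecurityConfig via its toString(); whether that
        // includes the client secret depends on HttpSecurityConfig, which is not visible here.
        @Generated
        public String toString() {
            return "PKCEAuthorizationCodeAuthProvider.PKCEAuthorizationCodeAuthProviderBuilder(httpSecurityConfig=" + this.httpSecurityConfig + ")";
        }
    }

    /**
     * Creates the provider.
     *
     * @param httpSecurityConfig security configuration (OIDC settings and session store)
     * @throws NullPointerException if {@code httpSecurityConfig} is null
     */
    public PKCEAuthorizationCodeAuthProvider(@NonNull HttpSecurityConfig httpSecurityConfig) {
        super(httpSecurityConfig);
        if (httpSecurityConfig == null) {
            throw new NullPointerException("httpSecurityConfig is marked non-null but is null");
        }
        this.httpSecurityConfig = httpSecurityConfig;
        log.info("Running with PKCE Authorization Provider");
    }

    /**
     * Starts the login: stores a fresh random {@link AuthState} through the session store, sets the
     * cookie it returns, and writes a small script that navigates the browser to the authorization
     * endpoint.
     *
     * @param servletResponse response to write the cookie and redirect script to; must be an
     *     {@link HttpServletResponse}
     * @throws AuthenticationException if writing to the response fails
     */
    @Override // io.okdp.spark.authc.provider.AuthProvider
    public void redirectUserToAuthorizationEndpoint(ServletResponse servletResponse) throws AuthenticationException {
        AuthState pkceState = AuthState.randomState();
        // The configured values are inserted as-is (no percent-encoding is applied here), so the
        // configuration has to supply them in a form that is already valid inside a query string.
        String authorizationUrl = String.format(
                "%s?client_id=%s&redirect_uri=%s&response_type=%s&scope=%s&state=%s&code_challenge=%s&code_challenge_method=S256",
                this.httpSecurityConfig.oidcConfig().wellKnownConfiguration().authorizationEndpoint(),
                this.httpSecurityConfig.oidcConfig().clientId(),
                this.httpSecurityConfig.oidcConfig().redirectUri(),
                this.httpSecurityConfig.oidcConfig().responseType(),
                this.httpSecurityConfig.oidcConfig().scope(),
                pkceState.state(),
                pkceState.codeChallenge());
        try {
            ((HttpServletResponse) servletResponse).addCookie((Cookie) this.httpSecurityConfig.sessionStore().save(pkceState));
            // The URL lands inside a single-quoted JavaScript literal in a <script> element, so it
            // is escaped for that context: a quote, backslash or '<' coming from the configuration
            // or the discovery document must not be able to end the literal or the element.
            servletResponse.getWriter().print(String.format(
                    "<script type=\"text/javascript\">window.location.href = '%s'</script>",
                    escapeForJsString(authorizationUrl)));
        } catch (IOException e) {
            throw new AuthenticationException(e.getMessage(), e);
        }
    }

    /**
     * Completes the login: validates the {@code state} returned by the provider against the state
     * saved in the auth-state cookie, then exchanges the authorization {@code code} and the saved
     * PKCE code verifier for an access token.
     *
     * @param servletRequest callback request carrying the {@code code} and {@code state} parameters
     *     and the auth-state cookie
     * @param servletResponse response on which the auth-state cookie is overwritten; must be an
     *     {@link HttpServletResponse}
     * @return the token response parsed into an {@link AccessToken}
     * @throws AuthenticationException if the auth-state cookie is missing or yields no state;
     *     failures of the precondition helpers and of the token call are raised by those helpers
     */
    @Override // io.okdp.spark.authc.provider.AuthProvider
    public AccessToken requestAccessToken(ServletRequest servletRequest, ServletResponse servletResponse) throws AuthenticationException {
        String code = PreconditionsUtils.checkNotNull(servletRequest.getParameter("code"), "code");
        String returnedState = PreconditionsUtils.checkNotNull(servletRequest.getParameter("state"), "state");
        String stateCookie = HttpAuthenticationUtils.getCookieValue(Constants.AUTH_STATE_COOKE_NAME, servletRequest).orElseThrow(() -> {
            return new AuthenticationException(HttpStatus.SC_UNAUTHORIZED, String.format("The cookie '%s' is not present", Constants.AUTH_STATE_COOKE_NAME));
        });
        AuthState authState = (AuthState) this.httpSecurityConfig.sessionStore().readPKCEState(stateCookie);
        // The cookie value is client-supplied and readPKCEState is not visible here; if it can
        // yield null for a value it cannot decode, fail closed with 401 instead of a
        // NullPointerException on the next line.
        if (authState == null) {
            throw new AuthenticationException(HttpStatus.SC_UNAUTHORIZED, String.format("The cookie '%s' does not contain a valid state", Constants.AUTH_STATE_COOKE_NAME));
        }
        // The state comparison ties this callback to the login started by this browser.
        // NOTE(review): the message carries both the expected state and the request-supplied one
        // verbatim; confirm that whatever renders or logs this exception escapes the text.
        PreconditionsUtils.checkState(authState.state(), returnedState, String.format("Invalid state, the state does not match with the oidc provider state, expected: <%s>, provided: <%s>. Please retry!", authState.state(), returnedState));
        Form tokenForm = Form.form()
                .add("client_id", this.httpSecurityConfig.oidcConfig().clientId())
                .add("grant_type", "authorization_code")
                .add("code", code)
                .add("code_verifier", PreconditionsUtils.checkNotNull(authState.codeVerifier(), "code_verifier"))
                .add("redirect_uri", this.httpSecurityConfig.oidcConfig().redirectUri());
        Request tokenRequest = buildTokenRequest(tokenForm);
        // Overwrite the auth-state cookie before the exchange so the saved state and verifier are
        // not left in the browser once they have been consumed.
        ((HttpServletResponse) servletResponse).addCookie((Cookie) this.httpSecurityConfig.sessionStore().save((AuthState) null));
        return (AccessToken) JsonUtils.loadJsonFromString(doExecute(tokenRequest), AccessToken.class);
    }

    /**
     * Exchanges a refresh token for a new access token at the token endpoint.
     *
     * @param str the refresh token; must not be null
     * @return the token response parsed into an {@link AccessToken}
     * @throws AuthenticationException declared by the provider contract for authentication failures
     */
    @Override // io.okdp.spark.authc.provider.AuthProvider
    public AccessToken refreshToken(String str) throws AuthenticationException {
        PreconditionsUtils.checkNotNull(str, "refresh_token");
        Form refreshForm = Form.form()
                .add("client_id", this.httpSecurityConfig.oidcConfig().clientId())
                .add("grant_type", "refresh_token")
                .add("refresh_token", str);
        return (AccessToken) JsonUtils.loadJsonFromString(doExecute(buildTokenRequest(refreshForm)), AccessToken.class);
    }

    /**
     * Builds the POST to the token endpoint shared by the code exchange and the refresh call.
     * Adds {@code client_secret} to the form when one is configured and applies 30 second
     * response and connect timeouts.
     */
    private Request buildTokenRequest(Form form) {
        Optional.ofNullable(this.httpSecurityConfig.oidcConfig().clientSecret())
                .ifPresent(secret -> form.add("client_secret", secret));
        return Request.post(this.httpSecurityConfig.oidcConfig().wellKnownConfiguration().tokenEndpoint())
                .addHeader("cache-control", "no-cache")
                .addHeader("content-type", "application/x-www-form-urlencoded")
                .bodyForm(form.build())
                .responseTimeout(Timeout.ofSeconds(30L))
                .connectTimeout(Timeout.ofSeconds(30L));
    }

    /**
     * Escapes a value for use inside a quoted JavaScript string literal within a script element:
     * backslash, both quote characters and line breaks get backslash escapes, and the less-than
     * sign is written as a hex escape so the text cannot close the element.
     */
    private static String escapeForJsString(String value) {
        StringBuilder escaped = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\':
                    escaped.append("\\\\");
                    break;
                case '\'':
                    escaped.append("\\'");
                    break;
                case '"':
                    escaped.append("\\\"");
                    break;
                case '<':
                    escaped.append("\\x3c");
                    break;
                case '\n':
                    escaped.append("\\n");
                    break;
                case '\r':
                    escaped.append("\\r");
                    break;
                default:
                    escaped.append(c);
                    break;
            }
        }
        return escaped.toString();
    }

    /** Returns a new builder for this provider. */
    @Generated
    public static PKCEAuthorizationCodeAuthProviderBuilder builder() {
        return new PKCEAuthorizationCodeAuthProviderBuilder();
    }

    /** Returns the security configuration this provider was created with. */
    @Override // io.okdp.spark.authc.provider.AuthProvider
    @NonNull
    @Generated
    public HttpSecurityConfig httpSecurityConfig() {
        return this.httpSecurityConfig;
    }
}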
