package org.cloudfoundry.identity.client;

import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Objects;
import org.apache.http.HttpRequest;
import org.apache.http.HttpResponse;
import org.apache.http.ProtocolException;
import org.apache.http.client.RedirectStrategy;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.conn.ssl.SSLContextBuilder;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.DefaultRedirectStrategy;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.protocol.HttpContext;
import org.cloudfoundry.identity.client.token.GrantType;
import org.cloudfoundry.identity.client.token.TokenRequest;
import org.cloudfoundry.identity.uaa.oauth.token.CompositeAccessToken;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.http.client.ClientHttpRequestFactory;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
import org.springframework.security.crypto.codec.Base64;
import org.springframework.security.oauth2.client.DefaultOAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.resource.BaseOAuth2ProtectedResourceDetails;
import org.springframework.security.oauth2.client.token.AccessTokenProvider;
import org.springframework.security.oauth2.client.token.AccessTokenProviderChain;
import org.springframework.security.oauth2.client.token.OAuth2AccessTokenSupport;
import org.springframework.security.oauth2.client.token.grant.client.ClientCredentialsAccessTokenProvider;
import org.springframework.security.oauth2.client.token.grant.client.ClientCredentialsResourceDetails;
import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeAccessTokenProvider;
import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails;
import org.springframework.security.oauth2.client.token.grant.implicit.ImplicitAccessTokenProvider;
import org.springframework.security.oauth2.client.token.grant.password.ResourceOwnerPasswordAccessTokenProvider;
import org.springframework.security.oauth2.client.token.grant.password.ResourceOwnerPasswordResourceDetails;
import org.springframework.security.oauth2.common.AuthenticationScheme;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.UnsupportedGrantTypeException;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.web.client.HttpMessageConverterExtractor;
import org.springframework.web.client.ResponseExtractor;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.util.UriComponentsBuilder;

/* loaded from: input_file:org/cloudfoundry/identity/client/UaaContextFactory.class */
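/**
 * Builds {@link UaaContext} instances by running an OAuth2 grant against a UAA server.
 *
 * <p>Typical use: {@code UaaContextFactory.factory(uaaUri).authenticate(request)}, where the
 * request comes from {@link #tokenRequest()}.
 *
 * <p>Security notes for reviewers and callers:
 * <ul>
 *   <li>The base URI and the two paths are used exactly as given; nothing in this class requires
 *       an {@code https} scheme. Client secrets, user passwords, passcodes, authorization codes
 *       and bearer tokens are all sent to the resulting endpoints.</li>
 *   <li>When {@code TokenRequest.isSkipSslValidation()} is true, every grant here switches to the
 *       HTTP client from {@link #getNoValidatingClientHttpRequestFactory()}, which accepts
 *       self-signed server certificates. The credentials above then travel over a connection
 *       whose peer identity is not established.</li>
 * </ul>
 *
 * <p>Instances are mutable (see {@link #tokenPath(String)} and {@link #authorizePath(String)}) and
 * carry no synchronization.
 */
public class UaaContextFactory {
    private final URI uaaURI;
    private String tokenPath = "/oauth/token";
    private String authorizePath = "/oauth/authorize";

    private UaaContextFactory(URI uri) {
        this.uaaURI = uri;
    }

    /**
     * Creates a factory bound to the given UAA base URI.
     *
     * @param uri base URI of the UAA server; stored as is, without scheme or null checks
     * @return a new factory using the default token and authorize paths
     */
    public static UaaContextFactory factory(URI uri) {
        return new UaaContextFactory(uri);
    }

    /**
     * Overrides the token endpoint path (default {@code /oauth/token}).
     *
     * @param str path appended to the base URI by {@link #getTokenUri()}; not validated
     * @return this factory, for chaining
     */
    public UaaContextFactory tokenPath(String str) {
        this.tokenPath = str;
        return this;
    }

    /**
     * Overrides the authorization endpoint path (default {@code /oauth/authorize}).
     *
     * @param str path appended to the base URI by {@link #getAuthorizeUri()}; not validated
     * @return this factory, for chaining
     */
    public UaaContextFactory authorizePath(String str) {
        this.authorizePath = str;
        return this;
    }

    /**
     * @return the base URI with the authorize path appended
     */
    public URI getAuthorizeUri() {
        return buildUri(this.authorizePath);
    }

    /**
     * @return the base URI with the token path appended
     */
    public URI getTokenUri() {
        return buildUri(this.tokenPath);
    }

    /** Appends {@code path} to the configured base URI. */
    private URI buildUri(String path) {
        UriComponentsBuilder builder = UriComponentsBuilder.newInstance();
        builder.uri(this.uaaURI);
        builder.path(path);
        return builder.build().toUri();
    }

    /**
     * @return a new, empty token request pre-populated with this factory's token and authorize URIs
     */
    public TokenRequest tokenRequest() {
        return new TokenRequest(getTokenUri(), getAuthorizeUri());
    }

    /**
     * Runs the grant selected by {@code tokenRequest.getGrantType()} and returns the resulting context.
     *
     * @param tokenRequest the request describing grant type, credentials and endpoints
     * @return the authenticated context
     * @throws NullPointerException if {@code tokenRequest} is null
     * @throws IllegalArgumentException if {@code tokenRequest.isValid()} is false
     * @throws UnsupportedGrantTypeException if the grant type has no handler here
     */
    public UaaContext authenticate(TokenRequest tokenRequest) {
        Objects.requireNonNull(tokenRequest, TokenRequest.class.getName() + " cannot be null.");
        if (!tokenRequest.isValid()) {
            throw new IllegalArgumentException("Invalid token request.");
        }
        switch (tokenRequest.getGrantType()) {
            case CLIENT_CREDENTIALS:
                return authenticateClientCredentials(tokenRequest);
            case PASSWORD:
            case PASSWORD_WITH_PASSCODE:
                return authenticatePassword(tokenRequest);
            case AUTHORIZATION_CODE:
                return authenticateAuthCode(tokenRequest);
            case AUTHORIZATION_CODE_WITH_TOKEN:
                return authenticateAuthCodeWithToken(tokenRequest);
            case FETCH_TOKEN_FROM_CODE:
                return fetchTokenFromCode(tokenRequest);
            default:
                throw new UnsupportedGrantTypeException("Not implemented:" + tokenRequest.getGrantType());
        }
    }

    /**
     * Exchanges an authorization code for a token with a direct POST to the token endpoint,
     * authenticating the client with HTTP Basic.
     *
     * <p>The returned context is created without an {@code OAuth2RestTemplate} (null is passed).
     *
     * @param tokenRequest request carrying client id/secret, redirect URI and authorization code
     * @return a context wrapping the token returned by the server
     * @throws IllegalArgumentException if the UTF-8 charset is unavailable
     */
    protected UaaContext fetchTokenFromCode(TokenRequest tokenRequest) {
        try {
            // NOTE(review): id and secret are joined raw. RFC 6749 section 2.3.1 expects both to be
            // form-urlencoded first, so a client id containing ':' would not round-trip - confirm
            // what the server expects before changing this.
            String clientCredentials = String.format("%s:%s", tokenRequest.getClientId(), tokenRequest.getClientSecret());
            // Decode the Base64 bytes with an explicit charset instead of the platform default.
            String authorizationHeader = String.format("Basic %s", new String(Base64.encode(clientCredentials.getBytes("UTF-8")), "UTF-8"));

            RestTemplate restTemplate = new RestTemplate();
            if (tokenRequest.isSkipSslValidation()) {
                // The client secret and authorization code below are then sent to a peer whose
                // certificate may be self-signed; see getNoValidatingClientHttpRequestFactory().
                restTemplate.setRequestFactory(getNoValidatingClientHttpRequestFactory());
            }

            HttpHeaders headers = new HttpHeaders();
            headers.add("Authorization", authorizationHeader);
            headers.setAccept(Collections.singletonList(MediaType.APPLICATION_JSON));
            headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);

            LinkedMultiValueMap<String, String> form = new LinkedMultiValueMap<>();
            form.add("grant_type", "authorization_code");
            // Throws NullPointerException if no redirect URI was set; presumably isValid() in
            // authenticate() rules that out - verify against TokenRequest.
            form.add("redirect_uri", tokenRequest.getRedirectUri().toString());
            form.add("response_type", tokenRequest.wantsIdToken() ? "token id_token" : "token");
            form.add("code", tokenRequest.getAuthorizationCode());

            HttpEntity<LinkedMultiValueMap<String, String>> requestEntity = new HttpEntity<>(form, headers);
            CompositeAccessToken token = restTemplate.exchange(tokenRequest.getTokenEndpoint(), HttpMethod.POST, requestEntity, CompositeAccessToken.class).getBody();
            return new UaaContextImpl(tokenRequest, null, token);
        } catch (UnsupportedEncodingException e) {
            throw new IllegalArgumentException(e);
        }
    }

    /**
     * Sets up an authorization-code grant and requests an access token, then always throws:
     * this grant is not implemented, and no context is ever returned.
     *
     * @param tokenRequest request carrying redirect URI, endpoints, client credentials and state
     * @return never returns normally
     * @throws UnsupportedOperationException always, after the access token call completes
     */
    protected UaaContext authenticateAuthCode(TokenRequest tokenRequest) {
        AuthorizationCodeResourceDetails details = new AuthorizationCodeResourceDetails();
        details.setPreEstablishedRedirectUri(tokenRequest.getRedirectUri().toString());
        details.setUserAuthorizationUri(tokenRequest.getAuthorizationEndpoint().toString());
        configureResourceDetails(tokenRequest, details);
        setClientCredentials(tokenRequest, details);
        setRequestScopes(tokenRequest, details);

        DefaultOAuth2ClientContext clientContext = new DefaultOAuth2ClientContext();
        clientContext.getAccessTokenRequest().setStateKey(tokenRequest.getState());
        clientContext.setPreservedState(tokenRequest.getState(), details.getPreEstablishedRedirectUri());
        clientContext.getAccessTokenRequest().setCurrentUri(details.getPreEstablishedRedirectUri());

        OAuth2RestTemplate template = new OAuth2RestTemplate(details, clientContext);
        skipSslValidation(tokenRequest, template, null);
        // The token request is still issued (and any exception from it propagates) before the
        // unconditional failure below.
        template.getAccessToken();
        throw new UnsupportedOperationException(GrantType.AUTHORIZATION_CODE + " is not yet implemented");
    }

    /**
     * Runs an authorization-code grant in which the access token request carries an existing API
     * token as a bearer {@code Authorization} header.
     *
     * @param tokenRequest request carrying redirect URI, endpoints, client credentials, state and
     *        the API token from {@code getAuthCodeAPIToken()}
     * @return a context holding the template and the token it obtained
     */
    protected UaaContext authenticateAuthCodeWithToken(TokenRequest tokenRequest) {
        AuthorizationCodeAccessTokenProvider provider = new AuthorizationCodeAccessTokenProvider() {
            @Override
            protected ResponseExtractor<OAuth2AccessToken> getResponseExtractor() {
                getRestTemplate();
                return compositeTokenExtractor();
            }
        };
        List<OAuth2AccessTokenSupport> providers = Collections.<OAuth2AccessTokenSupport>singletonList(provider);
        enhanceRequestParameters(tokenRequest, providers.get(0));

        AuthorizationCodeResourceDetails details = new AuthorizationCodeResourceDetails();
        details.setPreEstablishedRedirectUri(tokenRequest.getRedirectUri().toString());
        configureResourceDetails(tokenRequest, details);
        setClientCredentials(tokenRequest, details);
        setRequestScopes(tokenRequest, details);
        details.setUserAuthorizationUri(tokenRequest.getAuthorizationEndpoint().toString());

        DefaultOAuth2ClientContext clientContext = new DefaultOAuth2ClientContext();
        clientContext.getAccessTokenRequest().setStateKey(tokenRequest.getState());
        clientContext.setPreservedState(tokenRequest.getState(), details.getPreEstablishedRedirectUri());
        clientContext.getAccessTokenRequest().setCurrentUri(details.getPreEstablishedRedirectUri());
        // The caller's API token goes out as a bearer credential on the token request, so it is
        // exposed to whatever endpoint (and TLS peer) the request is configured for.
        clientContext.getAccessTokenRequest().getHeaders().put("Authorization", Arrays.asList("bearer " + tokenRequest.getAuthCodeAPIToken()));

        OAuth2RestTemplate template = new OAuth2RestTemplate(details, clientContext);
        skipSslValidation(tokenRequest, template, providers);
        // NOTE(review): UaaContextImpl is not visible here. If its constructor takes a
        // CompositeAccessToken (as the other grants suggest), this argument needs an explicit
        // cast; the overridden response extractor above deserializes to that type.
        return new UaaContextImpl(tokenRequest, template, template.getAccessToken());
    }

    /**
     * Runs a resource-owner password grant (also used for the passcode variant).
     *
     * @param tokenRequest request carrying username/password (or passcode), client credentials and scopes
     * @return a context holding the template and the token it obtained
     */
    protected UaaContext authenticatePassword(TokenRequest tokenRequest) {
        ResourceOwnerPasswordAccessTokenProvider provider = new ResourceOwnerPasswordAccessTokenProvider() {
            @Override
            protected ResponseExtractor<OAuth2AccessToken> getResponseExtractor() {
                getRestTemplate();
                return compositeTokenExtractor();
            }
        };
        List<OAuth2AccessTokenSupport> providers = Collections.<OAuth2AccessTokenSupport>singletonList(provider);
        enhanceRequestParameters(tokenRequest, providers.get(0));

        ResourceOwnerPasswordResourceDetails details = new ResourceOwnerPasswordResourceDetails();
        configureResourceDetails(tokenRequest, details);
        setUserCredentials(tokenRequest, details);
        setClientCredentials(tokenRequest, details);
        setRequestScopes(tokenRequest, details);

        OAuth2RestTemplate template = new OAuth2RestTemplate(details, new DefaultOAuth2ClientContext());
        skipSslValidation(tokenRequest, template, providers);
        // NOTE(review): same constructor-type question as in authenticateAuthCodeWithToken -
        // confirm whether an explicit CompositeAccessToken cast is required here.
        return new UaaContextImpl(tokenRequest, template, template.getAccessToken());
    }

    /** Response extractor that deserializes the token response as a {@link CompositeAccessToken}. */
    private static ResponseExtractor<OAuth2AccessToken> compositeTokenExtractor() {
        return new HttpMessageConverterExtractor<OAuth2AccessToken>(CompositeAccessToken.class, Arrays.asList(new MappingJackson2HttpMessageConverter()));
    }

    /**
     * Installs a request enhancer that adds UAA-specific form parameters to the token request:
     * {@code response_type=id_token token} when an id token is wanted, and {@code passcode} for
     * the passcode grant.
     *
     * @param tokenRequest source of the id-token flag, grant type and passcode
     * @param oAuth2AccessTokenSupport provider that receives the enhancer
     */
    protected void enhanceRequestParameters(TokenRequest tokenRequest, OAuth2AccessTokenSupport oAuth2AccessTokenSupport) {
        oAuth2AccessTokenSupport.setTokenRequestEnhancer((request, resource, form, headers) -> {
            if (tokenRequest.wantsIdToken()) {
                form.put("response_type", Arrays.asList("id_token token"));
            }
            if (tokenRequest.getGrantType() == GrantType.PASSWORD_WITH_PASSCODE) {
                form.put("passcode", Arrays.asList(tokenRequest.getPasscode()));
            }
        });
    }

    /**
     * Runs a client-credentials grant.
     *
     * @param tokenRequest request carrying client id/secret, token endpoint and scopes
     * @return a context holding the template and the obtained token wrapped as a {@link CompositeAccessToken}
     */
    protected UaaContext authenticateClientCredentials(TokenRequest tokenRequest) {
        ClientCredentialsResourceDetails details = new ClientCredentialsResourceDetails();
        configureResourceDetails(tokenRequest, details);
        setClientCredentials(tokenRequest, details);
        setRequestScopes(tokenRequest, details);
        OAuth2RestTemplate template = new OAuth2RestTemplate(details, new DefaultOAuth2ClientContext());
        skipSslValidation(tokenRequest, template, null);
        return new UaaContextImpl(tokenRequest, template, new CompositeAccessToken(template.getAccessToken()));
    }

    /**
     * Applies the settings shared by all grants: header-based authentication scheme and the token
     * endpoint taken from the request.
     */
    protected void configureResourceDetails(TokenRequest tokenRequest, BaseOAuth2ProtectedResourceDetails baseOAuth2ProtectedResourceDetails) {
        baseOAuth2ProtectedResourceDetails.setAuthenticationScheme(AuthenticationScheme.header);
        baseOAuth2ProtectedResourceDetails.setAccessTokenUri(tokenRequest.getTokenEndpoint().toString());
    }

    /**
     * Copies the requested scopes onto the resource details; does nothing when the request has
     * no scopes set (null).
     */
    protected void setRequestScopes(TokenRequest tokenRequest, BaseOAuth2ProtectedResourceDetails baseOAuth2ProtectedResourceDetails) {
        if (Objects.isNull(tokenRequest.getScopes())) {
            return;
        }
        // Defensive copy. Left as a raw type because the element type of getScopes() is not
        // visible from this file.
        baseOAuth2ProtectedResourceDetails.setScope(new LinkedList(tokenRequest.getScopes()));
    }

    /** Copies client id and client secret from the request onto the resource details. */
    protected void setClientCredentials(TokenRequest tokenRequest, BaseOAuth2ProtectedResourceDetails baseOAuth2ProtectedResourceDetails) {
        baseOAuth2ProtectedResourceDetails.setClientId(tokenRequest.getClientId());
        baseOAuth2ProtectedResourceDetails.setClientSecret(tokenRequest.getClientSecret());
    }

    /** Copies username and password from the request onto the password-grant resource details. */
    protected void setUserCredentials(TokenRequest tokenRequest, ResourceOwnerPasswordResourceDetails resourceOwnerPasswordResourceDetails) {
        resourceOwnerPasswordResourceDetails.setUsername(tokenRequest.getUsername());
        resourceOwnerPasswordResourceDetails.setPassword(tokenRequest.getPassword());
    }

    /**
     * Installs the access token provider chain on the template and, if the request asks for it,
     * points every provider at the HTTP client that accepts self-signed certificates.
     *
     * <p>Despite the name, this method always replaces the template's provider chain; certificate
     * handling only changes when {@code tokenRequest.isSkipSslValidation()} is true.
     *
     * @param tokenRequest source of the skip-validation flag
     * @param oAuth2RestTemplate template that receives the provider chain
     * @param list providers to use, or null for the four default grant providers; each entry must
     *        also implement {@link AccessTokenProvider}
     */
    protected void skipSslValidation(TokenRequest tokenRequest, OAuth2RestTemplate oAuth2RestTemplate, List<OAuth2AccessTokenSupport> list) {
        ClientHttpRequestFactory requestFactory = null;
        if (tokenRequest.isSkipSslValidation()) {
            requestFactory = getNoValidatingClientHttpRequestFactory();
        }
        List<OAuth2AccessTokenSupport> providers = list != null
                ? list
                : Arrays.<OAuth2AccessTokenSupport>asList(
                        new AuthorizationCodeAccessTokenProvider(),
                        new ImplicitAccessTokenProvider(),
                        new ResourceOwnerPasswordAccessTokenProvider(),
                        new ClientCredentialsAccessTokenProvider());
        List<AccessTokenProvider> chain = new ArrayList<>();
        for (OAuth2AccessTokenSupport provider : providers) {
            if (requestFactory != null) {
                // setRequestFactory is declared on OAuth2AccessTokenSupport, not on the
                // AccessTokenProvider interface, so it must be called before the cast below.
                provider.setRequestFactory(requestFactory);
            }
            chain.add((AccessTokenProvider) provider);
        }
        oAuth2RestTemplate.setAccessTokenProvider(new AccessTokenProviderChain(chain));
    }

    /**
     * Same as {@link #getNoValidatingClientHttpRequestFactory(boolean)} with redirects followed.
     */
    public static ClientHttpRequestFactory getNoValidatingClientHttpRequestFactory() {
        return getNoValidatingClientHttpRequestFactory(true);
    }

    /**
     * Builds a request factory whose HTTP client accepts self-signed server certificates.
     *
     * <p>Security: the SSL context is created with {@link TrustSelfSignedStrategy} and no trust
     * store, so a server presenting a single self-signed certificate is accepted without being
     * checked against any trusted issuer. A connection made through this factory therefore does
     * not authenticate the server, and client secrets, passwords and tokens sent over it should be
     * treated as exposed to anyone positioned on the network path. Restrict its use to development
     * and test environments; for a private CA, prefer loading that CA into a trust store instead.
     *
     * <p>NOTE(review): the name overstates what is disabled. Only the trust strategy is replaced
     * here; hostname verification and the handling of longer certificate chains are left to the
     * HttpClient defaults - confirm against the HttpClient version in use.
     *
     * @param z true to follow redirects with {@link DefaultRedirectStrategy}; false to never
     *        follow redirects
     * @return a request factory backed by the relaxed HTTP client
     * @throws RuntimeException wrapping any key-management, key-store or algorithm failure while
     *         building the SSL context
     */
    public static ClientHttpRequestFactory getNoValidatingClientHttpRequestFactory(boolean z) {
        RedirectStrategy redirectStrategy = z ? new DefaultRedirectStrategy() : new RedirectStrategy() {
            @Override
            public boolean isRedirected(HttpRequest httpRequest, HttpResponse httpResponse, HttpContext httpContext) throws ProtocolException {
                return false;
            }

            @Override
            public HttpUriRequest getRedirect(HttpRequest httpRequest, HttpResponse httpResponse, HttpContext httpContext) throws ProtocolException {
                return null;
            }
        };
        try {
            return new HttpComponentsClientHttpRequestFactory(
                    HttpClients.custom()
                            .setSslcontext(new SSLContextBuilder().loadTrustMaterial((KeyStore) null, new TrustSelfSignedStrategy()).build())
                            .setRedirectStrategy(redirectStrategy)
                            .build());
        } catch (KeyManagementException | KeyStoreException | NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        }
    }
}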
