package org.cloudfoundry.identity.uaa.provider.oauth;

import com.fasterxml.jackson.core.type.TypeReference;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.xerces.impl.xs.SchemaSymbols;
import org.cloudfoundry.identity.uaa.authentication.UaaAuthentication;
import org.cloudfoundry.identity.uaa.authentication.manager.ExternalGroupAuthorizationEvent;
import org.cloudfoundry.identity.uaa.authentication.manager.ExternalLoginAuthenticationManager;
import org.cloudfoundry.identity.uaa.authentication.manager.InvitedUserAuthenticatedEvent;
import org.cloudfoundry.identity.uaa.oauth.DisableIdTokenResponseTypeFilter;
import org.cloudfoundry.identity.uaa.oauth.KeyInfo;
import org.cloudfoundry.identity.uaa.oauth.jwk.JsonWebKey;
import org.cloudfoundry.identity.uaa.oauth.jwk.JsonWebKeyHelper;
import org.cloudfoundry.identity.uaa.oauth.jwk.JsonWebKeySet;
import org.cloudfoundry.identity.uaa.oauth.jwt.ChainedSignatureVerifier;
import org.cloudfoundry.identity.uaa.oauth.jwt.Jwt;
import org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants;
import org.cloudfoundry.identity.uaa.oauth.token.CompositeAccessToken;
import org.cloudfoundry.identity.uaa.provider.AbstractXOAuthIdentityProviderDefinition;
import org.cloudfoundry.identity.uaa.provider.ExternalIdentityProviderDefinition;
import org.cloudfoundry.identity.uaa.provider.IdentityProvider;
import org.cloudfoundry.identity.uaa.provider.IdentityProviderProvisioning;
import org.cloudfoundry.identity.uaa.provider.OIDCIdentityProviderDefinition;
import org.cloudfoundry.identity.uaa.provider.RawXOAuthIdentityProviderDefinition;
import org.cloudfoundry.identity.uaa.user.UaaUser;
import org.cloudfoundry.identity.uaa.user.UaaUserPrototype;
import org.cloudfoundry.identity.uaa.util.JsonUtils;
import org.cloudfoundry.identity.uaa.util.LinkedMaskingMultiValueMap;
import org.cloudfoundry.identity.uaa.util.RestTemplateFactory;
import org.cloudfoundry.identity.uaa.util.TokenValidation;
import org.cloudfoundry.identity.uaa.util.UaaHttpRequestUtils;
import org.cloudfoundry.identity.uaa.util.UaaStringUtils;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.springframework.core.ParameterizedTypeReference;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.common.util.OAuth2Utils;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.util.StringUtils;
import org.springframework.web.client.HttpClientErrorException;
import org.springframework.web.client.HttpServerErrorException;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.context.request.RequestAttributes;
import org.springframework.web.context.request.RequestContextHolder;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-3.12.0.jar:org/cloudfoundry/identity/uaa/provider/oauth/XOAuthAuthenticationManager.class */
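/**
 * Authenticates users who arrive with an {@link XOAuthCodeToken} from an external OAuth2 or OIDC
 * identity provider.
 *
 * <p>The flow implemented here is: look up the provider by origin and zone, obtain an
 * {@code id_token} (either the one already carried by the code token, or by exchanging the
 * authorization code at the provider's token endpoint), verify its signature, issuer, audience and
 * expiry, and then map its claims onto a {@link UaaUser}, its external groups and custom
 * attributes. Shadow-user creation is delegated to the superclass and additionally gated by the
 * provider's {@code addShadowUserOnLogin} setting.
 *
 * <p>Signature verification keys come either from the provider's configured {@code tokenKey} or
 * are fetched over HTTPS from its {@code tokenKeyUrl}; SSL validation for those requests follows the
 * provider's {@code skipSslValidation} flag.
 */
public class XOAuthAuthenticationManager extends ExternalLoginAuthenticationManager<AuthenticationData> {

    /** Attribute-mapping key that names the claim carrying the user name. */
    private static final String USER_NAME_MAPPING = "user_name";
    /** Claim consulted for the user name when no {@code user_name} mapping is configured. */
    private static final String DEFAULT_USERNAME_CLAIM = "preferred_username";
    /** Claim holding the Authentication Context Class Reference. */
    private static final String ACR_CLAIM = "acr";
    /** Prefix of attribute-mapping keys that are copied into the user's custom attributes. */
    private static final String USER_ATTRIBUTE_PREFIX = "user.attribute.";
    /** OAuth2 response type requested from providers that are not OIDC. */
    private static final String RESPONSE_TYPE_TOKEN = "token";
    /** Session attribute under which the invited user's id is kept while an invitation is accepted. */
    private static final String INVITED_USER_ID_ATTRIBUTE = "user_id";

    /** Kept {@code public} and non-final for compatibility with existing callers; do not reassign. */
    public static Log logger = LogFactory.getLog(XOAuthAuthenticationManager.class);

    private final RestTemplateFactory restTemplateFactory;

    /**
     * Everything extracted from a validated {@code id_token} that the later authentication steps
     * need: the raw claims, the resolved user name, the whitelisted external group authorities and a
     * copy of the provider's attribute mappings.
     */
    public static class AuthenticationData {
        // Claims of the validated id_token, as deserialized JSON.
        private Map<String, Object> claims;
        // User name resolved from the claims via the provider's attribute mappings.
        private String username;
        // External groups that survived the provider's whitelist, as authorities.
        private List<? extends GrantedAuthority> authorities;
        // Copy of the provider's attribute mappings (may be empty, never shared with the provider).
        private Map<String, Object> attributeMappings;

        protected AuthenticationData() {
        }

        /** @return the provider's attribute mappings captured at authentication time */
        public Map<String, Object> getAttributeMappings() {
            return this.attributeMappings;
        }

        /** @param map attribute mappings to remember for later attribute population */
        public void setAttributeMappings(Map<String, Object> map) {
            this.attributeMappings = map;
        }

        /** @param map claims of the validated id_token */
        public void setClaims(Map<String, Object> map) {
            this.claims = map;
        }

        /** @return claims of the validated id_token */
        public Map<String, Object> getClaims() {
            return this.claims;
        }

        /** @param str the resolved user name */
        public void setUsername(String str) {
            this.username = str;
        }

        /** @return the resolved user name */
        public String getUsername() {
            return this.username;
        }

        /** @return whitelisted external group authorities */
        public List<? extends GrantedAuthority> getAuthorities() {
            return this.authorities;
        }

        /** @param list whitelisted external group authorities */
        public void setAuthorities(List<? extends GrantedAuthority> list) {
            this.authorities = list;
        }
    }

    /**
     * @param identityProviderProvisioning source of identity provider definitions, looked up by origin and zone
     * @param restTemplateFactory           factory for the HTTP client used to talk to the provider
     */
    public XOAuthAuthenticationManager(IdentityProviderProvisioning identityProviderProvisioning, RestTemplateFactory restTemplateFactory) {
        super(identityProviderProvisioning);
        this.restTemplateFactory = restTemplateFactory;
    }

    /**
     * Resolves the provider for the token's origin, obtains and validates the id_token and packages
     * its claims into {@link AuthenticationData}.
     *
     * <p>A provider with no attribute mappings is treated as having an empty mapping, so the
     * {@code preferred_username} fallback applies and the returned data always carries a non-null
     * (possibly empty) mapping map.
     *
     * @param authentication must be an {@link XOAuthCodeToken}
     * @return the extracted data, or {@code null} when no XOAuth provider exists for the origin or no
     *         id_token could be obtained
     */
    @Override
    public AuthenticationData getExternalAuthenticationDetails(Authentication authentication) {
        XOAuthCodeToken codeToken = (XOAuthCodeToken) authentication;
        setOrigin(codeToken.getOrigin());
        String zoneId = IdentityZoneHolder.get().getId();
        IdentityProvider provider = getProviderProvisioning().retrieveByOrigin(getOrigin(), zoneId);
        if (provider == null || !(provider.getConfig() instanceof AbstractXOAuthIdentityProviderDefinition)) {
            logger.debug("No identity provider found for origin:" + getOrigin() + " and zone:" + zoneId);
            return null;
        }
        AbstractXOAuthIdentityProviderDefinition config = (AbstractXOAuthIdentityProviderDefinition) provider.getConfig();
        Map<String, Object> claims = getClaimsFromToken(codeToken, config);
        if (claims == null) {
            return null;
        }
        Map<String, Object> attributeMappings = Optional.ofNullable(config.getAttributeMappings())
                .orElseGet(Collections::emptyMap);

        String usernameClaim = (String) attributeMappings.get(USER_NAME_MAPPING);
        if (!StringUtils.hasText(usernameClaim)) {
            usernameClaim = DEFAULT_USERNAME_CLAIM;
        }
        String username = (String) claims.get(usernameClaim);
        logger.debug(String.format("Extracted username for claim: %s and username is: %s", usernameClaim, username));

        AuthenticationData data = new AuthenticationData();
        data.setClaims(claims);
        data.setUsername(username);
        data.setAuthorities(extractXOAuthUserAuthorities(attributeMappings, claims, config.getExternalGroupsWhitelist()));
        // Copy so later mutation of the provider definition cannot leak into this authentication.
        data.setAttributeMappings(new HashMap<>(attributeMappings));
        return data;
    }

    /**
     * Copies the {@code amr} and {@code acr} claims, mapped custom attributes and external group names
     * onto the authentication, then lets the superclass populate the rest.
     *
     * @param uaaAuthentication  the authentication being built up
     * @param authentication     the original request token
     * @param authenticationData data produced by {@link #getExternalAuthenticationDetails}
     */
    @Override
    public void populateAuthenticationAttributes(UaaAuthentication uaaAuthentication, Authentication authentication, AuthenticationData authenticationData) {
        Map<String, Object> claims = authenticationData.getClaims();
        if (claims != null) {
            applyAmrClaim(uaaAuthentication, claims.get(ClaimConstants.AMR));
            applyAcrClaim(uaaAuthentication, claims.get(ACR_CLAIM));
            uaaAuthentication.setUserAttributes(mapCustomAttributes(claims, authenticationData.getAttributeMappings()));
            uaaAuthentication.setExternalGroups(toGroupNames(authenticationData.getAuthorities()));
        }
        super.populateAuthenticationAttributes(uaaAuthentication, authentication, authenticationData);
    }

    /** Merges a collection-valued {@code amr} claim into the authentication methods; other shapes are logged and skipped. */
    private static void applyAmrClaim(UaaAuthentication uaaAuthentication, Object amr) {
        if (amr == null) {
            return;
        }
        if (!(amr instanceof Collection)) {
            logger.debug(String.format("Unrecognized AMR claim[%s] for user_id: %s", amr, uaaAuthentication.getPrincipal().getId()));
            return;
        }
        @SuppressWarnings("unchecked")
        Collection<String> methods = (Collection<String>) amr;
        if (uaaAuthentication.getAuthenticationMethods() == null) {
            uaaAuthentication.setAuthenticationMethods(new HashSet<>(methods));
        } else {
            uaaAuthentication.getAuthenticationMethods().addAll(methods);
        }
    }

    /**
     * Sets the ACR references from the {@code acr} claim, which is accepted either as a plain string or
     * as an object whose {@code values} entry is a collection or string array.
     */
    @SuppressWarnings("unchecked")
    private static void applyAcrClaim(UaaAuthentication uaaAuthentication, Object acr) {
        if (acr == null) {
            return;
        }
        if (acr instanceof Map) {
            Object values = ((Map<?, ?>) acr).get("values");
            if (values instanceof Collection) {
                uaaAuthentication.setAuthContextClassRef(new HashSet<>((Collection<String>) values));
            } else if (values instanceof String[]) {
                uaaAuthentication.setAuthContextClassRef(new HashSet<>(Arrays.asList((String[]) values)));
            } else {
                logUnrecognizedAcr(uaaAuthentication, values);
            }
        } else if (acr instanceof String) {
            uaaAuthentication.setAuthContextClassRef(new HashSet<>(Collections.singletonList((String) acr)));
        } else {
            logUnrecognizedAcr(uaaAuthentication, acr);
        }
    }

    private static void logUnrecognizedAcr(UaaAuthentication uaaAuthentication, Object value) {
        logger.debug(String.format("Unrecognized ACR claim[%s] for user_id: %s", value, uaaAuthentication.getPrincipal().getId()));
    }

    /**
     * Builds the user's custom attributes from every {@code user.attribute.*} mapping whose target claim
     * is present. A {@code null} mapping map yields an empty result.
     */
    private static MultiValueMap<String, String> mapCustomAttributes(Map<String, Object> claims, Map<String, Object> attributeMappings) {
        MultiValueMap<String, String> userAttributes = new LinkedMultiValueMap<>();
        logger.debug("Mapping XOauth custom attributes");
        if (attributeMappings == null) {
            return userAttributes;
        }
        for (Map.Entry<String, Object> mapping : attributeMappings.entrySet()) {
            String key = mapping.getKey();
            Object claimName = mapping.getValue();
            if (key == null || !key.startsWith(USER_ATTRIBUTE_PREFIX) || claimName == null) {
                continue;
            }
            String attributeName = key.substring(USER_ATTRIBUTE_PREFIX.length());
            Object claimValue = claims.get(claimName);
            if (claimValue == null) {
                continue;
            }
            logger.debug(String.format("Mapped XOauth attribute %s to %s", attributeName, claimValue));
            userAttributes.put(attributeName, toStringValues(claimValue));
        }
        return userAttributes;
    }

    /** Renders a claim value as a list of strings; list elements are stringified individually. */
    private static List<String> toStringValues(Object claimValue) {
        if (claimValue instanceof List) {
            return ((List<?>) claimValue).stream()
                    .map(element -> Objects.toString(element, null))
                    .collect(Collectors.toList());
        }
        return Arrays.asList(claimValue.toString());
    }

    /** Collects the authority strings of the given authorities; {@code null} yields an empty set. */
    private static Set<String> toGroupNames(List<? extends GrantedAuthority> authorities) {
        if (authorities == null) {
            return new HashSet<>();
        }
        return authorities.stream().map(GrantedAuthority::getAuthority).collect(Collectors.toSet());
    }

    /** Delegates to the superclass; present so subclasses of this manager can override it. */
    @Override
    public List<String> getExternalUserAuthorities(UserDetails userDetails) {
        return super.getExternalUserAuthorities(userDetails);
    }

    /**
     * Builds the {@link UaaUser} described by the validated claims.
     *
     * <p>The user carries an empty password, is marked verified, belongs to the current zone and the
     * current origin, and has no external id. A missing {@code email} claim is replaced by a generated one.
     *
     * @return the user, or {@code null} when no authentication data is available
     */
    @Override
    public UaaUser getUser(Authentication authentication, AuthenticationData authenticationData) {
        if (authenticationData == null) {
            logger.debug("Authenticate data is missing, unable to return user");
            return null;
        }
        Map<String, Object> claims = authenticationData.getClaims();
        String username = authenticationData.getUsername();
        String email = (String) claims.get("email");
        if (email == null) {
            email = generateEmailIfNull(username);
        }
        logger.debug(String.format("Returning user data for username:%s, email:%s", username, email));
        // One timestamp for both created and modified so they agree for a freshly built user.
        Date now = new Date();
        UaaUserPrototype prototype = new UaaUserPrototype()
                .withEmail(email)
                .withGivenName((String) claims.get("given_name"))
                .withFamilyName((String) claims.get("family_name"))
                .withPhoneNumber((String) claims.get("phone_number"))
                .withModified(now)
                .withUsername(username)
                .withPassword("")
                .withAuthorities(authenticationData.getAuthorities())
                .withCreated(now)
                .withOrigin(getOrigin())
                .withExternalId(null)
                .withVerified(true)
                .withZoneId(IdentityZoneHolder.get().getId())
                .withSalt(null)
                .withPasswordLastModified(null);
        return new UaaUser(prototype);
    }

    /**
     * Derives the user's external group authorities from the claims.
     *
     * <p>The {@code external_groups} attribute mapping names one claim (string) or several claims
     * (collection). Each named claim contributes either a comma-separated string or a collection of
     * group names. The union is then filtered against the provider's whitelist and wrapped in
     * {@link XOAuthUserAuthority} instances.
     *
     * @param attributeMappings       the provider's attribute mappings
     * @param claims                  the validated id_token claims
     * @param externalGroupsWhitelist group names (or patterns, per {@link UaaStringUtils#retainAllMatches}) that may pass through
     * @return authorities for the whitelisted groups, never {@code null}
     */
    protected List<? extends GrantedAuthority> extractXOAuthUserAuthorities(Map<String, Object> attributeMappings, Map<String, Object> claims, Collection<String> externalGroupsWhitelist) {
        List<String> groupClaimNames = new ArrayList<>();
        Object groupMapping = attributeMappings.get(ExternalIdentityProviderDefinition.GROUP_ATTRIBUTE_NAME);
        if (groupMapping instanceof String) {
            groupClaimNames.add((String) groupMapping);
        } else if (groupMapping instanceof Collection) {
            @SuppressWarnings("unchecked")
            Collection<String> names = (Collection<String>) groupMapping;
            groupClaimNames.addAll(names);
        }
        logger.debug("Extracting XOauth group names:" + groupClaimNames);

        Set<String> groups = new HashSet<>();
        for (String claimName : groupClaimNames) {
            Object value = claims.get(claimName);
            if (value instanceof String) {
                // Comma-separated groups are split as-is; surrounding whitespace is not trimmed.
                groups.addAll(Arrays.asList(((String) value).split(",")));
            } else if (value instanceof Collection) {
                @SuppressWarnings("unchecked")
                Collection<String> members = (Collection<String>) value;
                groups.addAll(members);
            }
        }
        logger.debug("Filtering XOauth scopes:" + groups);
        Set<String> whitelisted = UaaStringUtils.retainAllMatches(groups, externalGroupsWhitelist);
        logger.debug("Filtered XOauth scopes:" + whitelisted);

        List<XOAuthUserAuthority> authorities = new ArrayList<>(whitelisted.size());
        for (String group : whitelisted) {
            authorities.add(new XOAuthUserAuthority(group));
        }
        return authorities;
    }

    /**
     * Post-processes a successful authentication: binds an accepted invitation to the invited user,
     * updates changed profile attributes, publishes the group-authorization event and returns the
     * persisted user.
     *
     * @param authentication the request token
     * @param uaaUser        the user as described by the provider (see {@link #getUser})
     * @param uaaUser2       the existing stored user
     * @return the stored user, re-read from the database
     * @throws BadCredentialsException when an invitation is being accepted and the provider's email does
     *                                 not match the invited user's email
     */
    @Override
    protected UaaUser userAuthenticated(Authentication authentication, UaaUser uaaUser, UaaUser uaaUser2) {
        boolean attributesModified = false;
        String email = uaaUser.getEmail();
        logger.debug("XOAUTH user authenticated:" + email);

        if (UaaHttpRequestUtils.isAcceptedInvitationAuthentication()) {
            String invitedUserId = (String) RequestContextHolder.currentRequestAttributes()
                    .getAttribute(INVITED_USER_ID_ATTRIBUTE, RequestAttributes.SCOPE_SESSION);
            logger.debug("XOAUTH user accepted invitation, user_id:" + invitedUserId);
            UaaUser invitedUser = getUserDatabase().retrieveUserById(invitedUserId);
            // NOTE(review): a null provider email skips the mismatch check entirely — confirm this is intended.
            if (email != null && !email.equalsIgnoreCase(invitedUser.getEmail())) {
                throw new BadCredentialsException("OAuth User email mismatch. Authenticated email doesn't match invited email.");
            }
            publish(new InvitedUserAuthenticatedEvent(invitedUser));
            uaaUser2 = getUserDatabase().retrieveUserById(invitedUserId);
        }

        if (authentication.getPrincipal() != null && haveUserAttributesChanged(uaaUser2, uaaUser)) {
            logger.debug("User attributed have changed, updating them.");
            uaaUser2 = uaaUser2
                    .modifyAttributes(email, uaaUser.getGivenName(), uaaUser.getFamilyName(), uaaUser.getPhoneNumber())
                    .modifyUsername(uaaUser.getUsername());
            attributesModified = true;
        }

        publish(new ExternalGroupAuthorizationEvent(uaaUser2, attributesModified, uaaUser.getAuthorities(), true));
        return getUserDatabase().retrieveUserById(uaaUser2.getId());
    }

    /**
     * A shadow user is created only when the superclass allows it and the current origin's provider
     * has {@code addShadowUserOnLogin} enabled.
     */
    @Override
    public boolean isAddNewShadowUser() {
        if (!super.isAddNewShadowUser()) {
            return false;
        }
        IdentityProvider provider = getProviderProvisioning().retrieveByOrigin(getOrigin(), IdentityZoneHolder.get().getId());
        return ((AbstractXOAuthIdentityProviderDefinition) provider.getConfig()).isAddShadowUserOnLogin();
    }

    /**
     * @param abstractXOAuthIdentityProviderDefinition the provider whose {@code skipSslValidation} flag selects the client
     * @return an HTTP client appropriate for calling this provider
     */
    public RestTemplate getRestTemplate(AbstractXOAuthIdentityProviderDefinition abstractXOAuthIdentityProviderDefinition) {
        return this.restTemplateFactory.getRestTemplate(abstractXOAuthIdentityProviderDefinition.isSkipSslValidation());
    }

    /**
     * @return {@code token} for raw OAuth providers, {@code id_token} for OIDC providers
     * @throws IllegalArgumentException for any other provider definition type
     */
    private String getResponseType(AbstractXOAuthIdentityProviderDefinition config) {
        if (config instanceof RawXOAuthIdentityProviderDefinition) {
            return RESPONSE_TYPE_TOKEN;
        }
        if (config instanceof OIDCIdentityProviderDefinition) {
            return DisableIdTokenResponseTypeFilter.ID_TOKEN;
        }
        throw new IllegalArgumentException("Unknown type for provider.");
    }

    /**
     * Obtains the id_token for the code token (see {@link #getTokenFromCode}) and validates it.
     *
     * @return the validated claims, or {@code null} when no id_token could be obtained
     */
    protected Map<String, Object> getClaimsFromToken(XOAuthCodeToken xOAuthCodeToken, AbstractXOAuthIdentityProviderDefinition abstractXOAuthIdentityProviderDefinition) {
        return getClaimsFromToken(getTokenFromCode(xOAuthCodeToken, abstractXOAuthIdentityProviderDefinition), abstractXOAuthIdentityProviderDefinition);
    }

    /**
     * Validates an id_token and returns its claims.
     *
     * <p>Validation covers the signature (against the provider's configured key or fetched key set),
     * the issuer (the configured issuer, falling back to the token URL when none is configured), the
     * audience (the relying party id) and the expiry; any failure is surfaced by
     * {@link TokenValidation#throwIfInvalid()}.
     *
     * @param idToken the compact JWT, may be {@code null}
     * @param config  the provider definition the token must match
     * @return the deserialized claims, or {@code null} when {@code idToken} is {@code null}
     */
    protected Map<String, Object> getClaimsFromToken(String idToken, AbstractXOAuthIdentityProviderDefinition config) {
        logger.debug("Extracting claims from id_token");
        if (idToken == null) {
            logger.debug("id_token is null, no claims returned.");
            return null;
        }
        JsonWebKeySet<JsonWebKey> verificationKeys = getTokenKeyFromOAuth(config);
        String expectedIssuer = StringUtils.isEmpty(config.getIssuer())
                ? config.getTokenUrl().toString()
                : config.getIssuer();
        logger.debug("Validating id_token");
        TokenValidation validation = TokenValidation.validate(idToken)
                .checkSignature(new ChainedSignatureVerifier(verificationKeys))
                .checkIssuer(expectedIssuer)
                .checkAudience(config.getRelyingPartyId())
                .checkExpiry()
                .throwIfInvalid();
        logger.debug("Decoding id_token");
        Jwt jwt = validation.getJwt();
        logger.debug("Deserializing id_token claims");
        return JsonUtils.readValue(jwt.getClaims(), new TypeReference<Map<String, Object>>() {
        });
    }

    /**
     * Resolves the key set used to verify id_token signatures.
     *
     * <p>A configured {@code tokenKey} wins and is wrapped as a single RSA or MAC key depending on
     * whether it is asymmetric. Otherwise the key set is fetched from {@code tokenKeyUrl} with the
     * client's Basic credentials; no URL yields an empty key set.
     *
     * @throws InvalidTokenException when the key endpoint answers with anything other than 200 OK
     */
    private JsonWebKeySet<JsonWebKey> getTokenKeyFromOAuth(AbstractXOAuthIdentityProviderDefinition config) {
        String tokenKey = config.getTokenKey();
        if (StringUtils.hasText(tokenKey)) {
            Map<String, Object> keyFields = new HashMap<>();
            keyFields.put("value", tokenKey);
            keyFields.put("kty", KeyInfo.isAssymetricKey(tokenKey)
                    ? JsonWebKey.KeyType.RSA.name()
                    : JsonWebKey.KeyType.MAC.name());
            logger.debug("Key configured, returning.");
            return new JsonWebKeySet<>(Collections.singletonList(new JsonWebKey(keyFields)));
        }
        URL tokenKeyUrl = config.getTokenKeyUrl();
        if (tokenKeyUrl == null || !StringUtils.hasText(tokenKeyUrl.toString())) {
            return new JsonWebKeySet<>(Collections.emptyList());
        }
        HttpHeaders headers = new HttpHeaders();
        headers.add("Authorization", getClientAuthHeader(config));
        headers.add("Accept", "application/json");
        HttpEntity<?> request = new HttpEntity<>(null, headers);
        logger.debug("Fetching token keys from:" + tokenKeyUrl);
        ResponseEntity<String> response = getRestTemplate(config)
                .exchange(tokenKeyUrl.toString(), HttpMethod.GET, request, String.class);
        logger.debug("Token key response:" + response.getStatusCode());
        if (response.getStatusCode() == HttpStatus.OK) {
            return JsonWebKeyHelper.deserialize(response.getBody());
        }
        throw new InvalidTokenException("Unable to fetch verification keys, status:" + response.getStatusCode());
    }

    /**
     * Returns the id_token for the code token, exchanging the authorization code at the provider's
     * token endpoint when the token does not already carry one (or the provider is not OIDC).
     *
     * <p>HTTP client/server errors from the exchange propagate to the caller. A token endpoint response
     * without a body yields {@code null} rather than failing with a {@link NullPointerException}.
     *
     * @return the id_token, or {@code null} when the token URL is not a valid URI or the response has no body
     */
    private String getTokenFromCode(XOAuthCodeToken codeToken, AbstractXOAuthIdentityProviderDefinition config) {
        String responseType = getResponseType(config);
        if (StringUtils.hasText(codeToken.getIdToken()) && DisableIdTokenResponseTypeFilter.ID_TOKEN.equals(responseType)) {
            logger.debug("XOauthCodeToken contains id_token, not exchanging code.");
            return codeToken.getIdToken();
        }
        URI tokenUri;
        try {
            tokenUri = config.getTokenUrl().toURI();
        } catch (URISyntaxException e) {
            logger.error("Invalid URI configured:" + config.getTokenUrl(), e);
            return null;
        }
        // presumably masks the "code" value when the map is rendered in the debug log below — verify in LinkedMaskingMultiValueMap
        MultiValueMap<String, String> form = new LinkedMaskingMultiValueMap<>("code");
        form.add("grant_type", "authorization_code");
        form.add(OAuth2Utils.RESPONSE_TYPE, responseType);
        form.add("code", codeToken.getCode());
        form.add(OAuth2Utils.REDIRECT_URI, codeToken.getRedirectUrl());
        HttpHeaders headers = new HttpHeaders();
        headers.add("Authorization", getClientAuthHeader(config));
        headers.add("Accept", "application/json");
        HttpEntity<MultiValueMap<String, String>> request = new HttpEntity<>(form, headers);

        logger.debug(String.format("Performing token exchange with url:%s and request:%s", tokenUri, form));
        ResponseEntity<Map<String, String>> response = getRestTemplate(config).exchange(
                tokenUri, HttpMethod.POST, request, new ParameterizedTypeReference<Map<String, String>>() {
                });
        logger.debug(String.format("Request completed with status:%s", response.getStatusCode()));
        Map<String, String> tokenResponse = response.getBody();
        if (tokenResponse == null) {
            logger.debug("Token endpoint returned no body, no id_token available.");
            return null;
        }
        return tokenResponse.get(CompositeAccessToken.ID_TOKEN);
    }

    /**
     * Builds the HTTP Basic {@code Authorization} header value for the relying party credentials.
     *
     * <p>The credentials are encoded as UTF-8 explicitly so the header does not depend on the JVM's
     * default charset. NOTE(review): the id and secret are not form-url-encoded before Base64 as
     * RFC 6749 §2.3.1 describes — confirm the configured providers accept the raw form.
     */
    private String getClientAuthHeader(AbstractXOAuthIdentityProviderDefinition config) {
        String credentials = config.getRelyingPartyId() + ":" + config.getRelyingPartySecret();
        byte[] encoded = Base64.encodeBase64(credentials.getBytes(StandardCharsets.UTF_8));
        return "Basic " + new String(encoded, StandardCharsets.US_ASCII);
    }
}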
