package io.jans.kc.spi.auth;

import io.jans.kc.spi.ProviderIDs;
import io.jans.kc.spi.auth.oidc.OIDCAuthRequest;
import io.jans.kc.spi.auth.oidc.OIDCMetaError;
import io.jans.kc.spi.auth.oidc.OIDCService;
import io.jans.kc.spi.auth.oidc.OIDCTokenError;
import io.jans.kc.spi.auth.oidc.OIDCTokenRequest;
import io.jans.kc.spi.auth.oidc.OIDCTokenRequestError;
import io.jans.kc.spi.auth.oidc.OIDCTokenResponse;
import io.jans.kc.spi.auth.oidc.OIDCUserInfoError;
import io.jans.kc.spi.auth.oidc.OIDCUserInfoRequestError;
import io.jans.kc.spi.auth.oidc.OIDCUserInfoResponse;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.UriBuilder;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URLDecoder;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Random;
import org.jboss.logging.Logger;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.RequiredActionFactory;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;

/* loaded from: input_file:io/jans/kc/spi/auth/JansAuthenticator.class */
public class JansAuthenticator implements Authenticator {
    private static final Logger log = Logger.getLogger(JansAuthenticator.class);
    private static final String JANS_AUTH_REDIRECT_FORM_FTL = "jans-auth-redirect.ftl";
    private static final String JANS_AUTH_ERROR_FTL = "jans-auth-error.ftl";
    private static final String OPENID_CODE_RESPONSE = "code";
    private static final String OPENID_SCOPE = "openid";
    private static final String USERNAME_SCOPE = "user_name";
    private static final String EMAIL_SCOPE = "email";
    private static final String JANS_LOGIN_URL_ATTRIBUTE = "jansLoginUrl";
    private static final String OPENID_AUTH_PARAMS_ATTRIBUTE = "openIdAuthParams";
    private static final String URI_PATH_TO_REST_SERVICE = "/realms/{0}/{1}/auth-complete";
    private OIDCService oidcService;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/jans/kc/spi/auth/JansAuthenticator$Configuration.class */
    public class Configuration {
        private String serverUrl;
        private String clientId;
        private String clientSecret;
        private String issuerUrl;
        private List<String> scopes;

        public Configuration(String str, String str2, String str3, String str4, List<String> list) {
            this.serverUrl = str;
            this.clientId = str2;
            this.clientSecret = str3;
            this.issuerUrl = str4;
            this.scopes = list;
        }

        public ValidationResult validate() {
            ValidationResult validationResult = new ValidationResult();
            if (this.serverUrl == null || this.serverUrl.isEmpty()) {
                validationResult.addError("Missing or empty Server Url");
            }
            if (this.clientId == null || this.clientId.isEmpty()) {
                validationResult.addError("Missing or empty Client ID");
            }
            if (this.clientSecret == null || this.clientSecret.isEmpty()) {
                validationResult.addError("Missing or empty client secret");
            }
            return validationResult;
        }

        public String normalizedIssuerUrl() {
            String str = this.issuerUrl;
            if (str == null) {
                str = this.serverUrl;
            }
            if (str == null) {
                return null;
            }
            return str.charAt(str.length() - 1) == '/' ? str.substring(0, str.length() - 1) : str;
        }
    }

    /* loaded from: input_file:io/jans/kc/spi/auth/JansAuthenticator$ValidationResult.class */
    public static class ValidationResult {
        private List<String> errors;

        public void addError(String str) {
            if (this.errors == null) {
                this.errors = new ArrayList();
            }
            this.errors.add(str);
        }

        public boolean hasErrors() {
            return this.errors != null;
        }

        public List<String> getErrors() {
            return this.errors;
        }
    }

    public JansAuthenticator(OIDCService oIDCService) {
        this.oidcService = oIDCService;
    }

    public void authenticate(AuthenticationFlowContext authenticationFlowContext) {
        Configuration extractAndValidateConfiguration = extractAndValidateConfiguration(authenticationFlowContext);
        if (extractAndValidateConfiguration == null) {
            authenticationFlowContext.failure(AuthenticationFlowError.INTERNAL_ERROR, onConfigurationError(authenticationFlowContext));
            return;
        }
        try {
            URI createRedirectUri = createRedirectUri(authenticationFlowContext);
            URI createActionUrl = createActionUrl(authenticationFlowContext);
            String generateOIDCState = generateOIDCState();
            String generateOIDCNonce = generateOIDCNonce();
            URI createAuthorizationUrl = this.oidcService.createAuthorizationUrl(extractAndValidateConfiguration.normalizedIssuerUrl(), createAuthnRequest(extractAndValidateConfiguration, generateOIDCState, generateOIDCNonce, createRedirectUri.toString()));
            Response createForm = authenticationFlowContext.form().setActionUri(createActionUrl).setAttribute(JANS_LOGIN_URL_ATTRIBUTE, UriBuilder.fromUri(createAuthorizationUrl.toString()).replaceQuery((String) null).build(new Object[0]).toString()).setAttribute(OPENID_AUTH_PARAMS_ATTRIBUTE, parseQueryParameters(createAuthorizationUrl.getQuery())).createForm(JANS_AUTH_REDIRECT_FORM_FTL);
            saveRealmStringData(authenticationFlowContext, SessionAttributes.JANS_OIDC_NONCE, generateOIDCNonce);
            saveRealmStringData(authenticationFlowContext, SessionAttributes.KC_ACTION_URI, createActionUrl.toString());
            saveRealmStringData(authenticationFlowContext, SessionAttributes.JANS_OIDC_STATE, generateOIDCState);
            authenticationFlowContext.challenge(createForm);
        } catch (OIDCMetaError e) {
            log.errorv(e, "OIDC Error obtaining the authorization url", new Object[0]);
            authenticationFlowContext.failure(AuthenticationFlowError.INTERNAL_ERROR, authenticationFlowContext.form().createForm(JANS_AUTH_ERROR_FTL));
        }
    }

    public void action(AuthenticationFlowContext authenticationFlowContext) {
        Configuration extractAndValidateConfiguration = extractAndValidateConfiguration(authenticationFlowContext);
        if (extractAndValidateConfiguration == null) {
            authenticationFlowContext.failure(AuthenticationFlowError.INTERNAL_ERROR, onMissingAuthenticationCode(authenticationFlowContext));
            return;
        }
        String openIdCode = getOpenIdCode(authenticationFlowContext);
        if (openIdCode == null) {
            log.errorv("Missing authentication code during response processing", new Object[0]);
            authenticationFlowContext.failure(AuthenticationFlowError.INTERNAL_ERROR, onMissingAuthenticationCode(authenticationFlowContext));
            return;
        }
        try {
            OIDCTokenResponse requestTokens = this.oidcService.requestTokens(extractAndValidateConfiguration.normalizedIssuerUrl(), createTokenRequest(extractAndValidateConfiguration, openIdCode, createRedirectUri(authenticationFlowContext)));
            if (!requestTokens.indicatesSuccess()) {
                OIDCTokenError error = requestTokens.error();
                log.errorv("Error processing token {0}. ({1}) {2}", error.code(), error.description());
                authenticationFlowContext.failure(AuthenticationFlowError.INTERNAL_ERROR, onTokenRetrievalError(authenticationFlowContext));
                return;
            }
            OIDCUserInfoResponse requestUserInfo = this.oidcService.requestUserInfo(extractAndValidateConfiguration.normalizedIssuerUrl(), requestTokens.accessToken());
            if (!requestUserInfo.indicatesSuccess()) {
                OIDCUserInfoError error2 = requestUserInfo.error();
                log.errorv("Error getting userinfo for authenticated user. ({0}) {1}", error2.code(), error2.description());
                authenticationFlowContext.failure(AuthenticationFlowError.INTERNAL_ERROR, onUserInfoRetrievalError(authenticationFlowContext));
                return;
            }
            UserModel findUserByNameOrEmail = findUserByNameOrEmail(authenticationFlowContext, requestUserInfo.username(), requestUserInfo.email());
            if (findUserByNameOrEmail == null) {
                log.errorv("User with username/email {0} / {1} not found", requestUserInfo.username(), requestUserInfo.email());
                authenticationFlowContext.failure(AuthenticationFlowError.UNKNOWN_USER);
            } else {
                log.debugv("User {0} authenticated", findUserByNameOrEmail.getUsername());
                authenticationFlowContext.setUser(findUserByNameOrEmail);
                authenticationFlowContext.success();
            }
        } catch (OIDCTokenRequestError e) {
            log.debugv(e, "Unable to retrieve token information", new Object[0]);
            authenticationFlowContext.failure(AuthenticationFlowError.INTERNAL_ERROR, onTokenRetrievalError(authenticationFlowContext));
        } catch (OIDCUserInfoRequestError e2) {
            log.debugv(e2, "Unable to retrieve user information", new Object[0]);
            authenticationFlowContext.failure(AuthenticationFlowError.INTERNAL_ERROR, onUserInfoRetrievalError(authenticationFlowContext));
        }
    }

    public boolean requiresUser() {
        return false;
    }

    public boolean configuredFor(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
        return false;
    }

    public void setRequiredActions(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
    }

    public List<RequiredActionFactory> getRequiredActions(KeycloakSession keycloakSession) {
        return null;
    }

    public void close() {
    }

    private Configuration extractAndValidateConfiguration(AuthenticationFlowContext authenticationFlowContext) {
        Configuration pluginConfigurationFromContext = pluginConfigurationFromContext(authenticationFlowContext);
        if (pluginConfigurationFromContext == null) {
            log.debugv("Plugin probably not configured. Check the Janssen Auth plugin in the authentication flow", new Object[0]);
            return null;
        }
        ValidationResult validate = pluginConfigurationFromContext.validate();
        if (!validate.hasErrors()) {
            return pluginConfigurationFromContext;
        }
        Iterator<String> it = validate.getErrors().iterator();
        while (it.hasNext()) {
            log.errorv("Invalid plugin configuration {0}", it.next());
        }
        return null;
    }

    private URI createRedirectUri(AuthenticationFlowContext authenticationFlowContext) {
        return authenticationFlowContext.getSession().getContext().getUri().getBaseUri().resolve(MessageFormat.format(URI_PATH_TO_REST_SERVICE, authenticationFlowContext.getRealm().getName(), ProviderIDs.JANS_AUTH_RESPONSE_REST_PROVIDER));
    }

    private UserModel findUserByNameOrEmail(AuthenticationFlowContext authenticationFlowContext, String str, String str2) {
        UserModel findUserByNameOrEmail = KeycloakModelUtils.findUserByNameOrEmail(authenticationFlowContext.getSession(), authenticationFlowContext.getRealm(), str);
        if (findUserByNameOrEmail == null) {
            findUserByNameOrEmail = KeycloakModelUtils.findUserByNameOrEmail(authenticationFlowContext.getSession(), authenticationFlowContext.getRealm(), str2);
        }
        return findUserByNameOrEmail;
    }

    private Map<String, String> parseQueryParameters(String str) {
        HashMap hashMap = new HashMap();
        if (str == null) {
            return hashMap;
        }
        for (String str2 : str.split("&")) {
            String[] split = str2.split("=");
            if (split.length == 1) {
                hashMap.put(split[0].trim(), "");
            } else {
                try {
                    hashMap.put(split[0].trim(), URLDecoder.decode(split[1].trim(), "UTF-8"));
                } catch (UnsupportedEncodingException e) {
                    log.debugv(e, "Failed to decode query parameter data {0}", str2);
                }
            }
        }
        return hashMap;
    }

    private Configuration pluginConfigurationFromContext(AuthenticationFlowContext authenticationFlowContext) {
        AuthenticatorConfigModel authenticatorConfig = authenticationFlowContext.getAuthenticatorConfig();
        if (authenticatorConfig == null || authenticatorConfig.getConfig() == null) {
            return null;
        }
        String str = (String) authenticatorConfig.getConfig().get(JansAuthenticatorConfigProp.SERVER_URL.getName());
        String str2 = (String) authenticatorConfig.getConfig().get(JansAuthenticatorConfigProp.CLIENT_ID.getName());
        String str3 = (String) authenticatorConfig.getConfig().get(JansAuthenticatorConfigProp.CLIENT_SECRET.getName());
        String str4 = (String) authenticatorConfig.getConfig().get(JansAuthenticatorConfigProp.ISSUER.getName());
        String str5 = (String) authenticatorConfig.getConfig().get(JansAuthenticatorConfigProp.EXTRA_SCOPES.getName());
        ArrayList arrayList = new ArrayList();
        if (str5 != null) {
            for (String str6 : str5.split("\\s*,\\s*")) {
                arrayList.add(str6);
            }
        }
        return new Configuration(str, str2, str3, str4, arrayList);
    }

    private final String generateOIDCState() {
        return generateRandomString(10);
    }

    private final String generateOIDCNonce() {
        return generateRandomString(10);
    }

    private final URI createActionUrl(AuthenticationFlowContext authenticationFlowContext) {
        return authenticationFlowContext.getActionUrl(authenticationFlowContext.generateAccessCode());
    }

    private final void saveRealmStringData(AuthenticationFlowContext authenticationFlowContext, String str, String str2) {
        authenticationFlowContext.getRealm().setAttribute(str, str2);
    }

    private String generateRandomString(int i) {
        return ((StringBuilder) new Random().ints(48, 122 + 1).filter(i2 -> {
            return (i2 <= 57 || i2 >= 65) && (i2 <= 90 || i2 >= 97);
        }).limit(i).collect(StringBuilder::new, (v0, v1) -> {
            v0.appendCodePoint(v1);
        }, (v0, v1) -> {
            v0.append(v1);
        })).toString();
    }

    private OIDCAuthRequest createAuthnRequest(Configuration configuration, String str, String str2, String str3) {
        OIDCAuthRequest oIDCAuthRequest = new OIDCAuthRequest();
        oIDCAuthRequest.setClientId(configuration.clientId);
        oIDCAuthRequest.addScope(OPENID_SCOPE);
        oIDCAuthRequest.addScope(USERNAME_SCOPE);
        oIDCAuthRequest.addScope(EMAIL_SCOPE);
        Iterator<String> it = configuration.scopes.iterator();
        while (it.hasNext()) {
            oIDCAuthRequest.addScope(it.next());
        }
        oIDCAuthRequest.addResponseType(OPENID_CODE_RESPONSE);
        oIDCAuthRequest.setNonce(str2);
        oIDCAuthRequest.setState(str);
        oIDCAuthRequest.setRedirectUri(str3);
        return oIDCAuthRequest;
    }

    private OIDCTokenRequest createTokenRequest(Configuration configuration, String str, URI uri) {
        return new OIDCTokenRequest(str, configuration.clientId, configuration.clientSecret, uri);
    }

    private final Response onConfigurationError(AuthenticationFlowContext authenticationFlowContext) {
        return authenticationFlowContext.form().createForm(JANS_AUTH_ERROR_FTL);
    }

    private final Response onMissingAuthenticationCode(AuthenticationFlowContext authenticationFlowContext) {
        return authenticationFlowContext.form().createForm(JANS_AUTH_ERROR_FTL);
    }

    private final Response onTokenRetrievalError(AuthenticationFlowContext authenticationFlowContext) {
        return authenticationFlowContext.form().createForm(JANS_AUTH_ERROR_FTL);
    }

    private final Response onUserInfoRetrievalError(AuthenticationFlowContext authenticationFlowContext) {
        return authenticationFlowContext.form().createForm(JANS_AUTH_ERROR_FTL);
    }

    private final String getOpenIdCode(AuthenticationFlowContext authenticationFlowContext) {
        return authenticationFlowContext.getRealm().getAttribute(SessionAttributes.JANS_OIDC_CODE);
    }
}
