package org.apache.syncope.core.logic;

import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.AuthorizationCode;
import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.time.OffsetDateTime;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apache.syncope.common.lib.Attr;
import org.apache.syncope.common.lib.SyncopeClientException;
import org.apache.syncope.common.lib.oidc.OIDCLoginResponse;
import org.apache.syncope.common.lib.oidc.OIDCRequest;
import org.apache.syncope.common.lib.to.EntityTO;
import org.apache.syncope.common.lib.to.Item;
import org.apache.syncope.common.lib.to.UserTO;
import org.apache.syncope.common.lib.types.CipherAlgorithm;
import org.apache.syncope.common.lib.types.ClientExceptionType;
import org.apache.syncope.core.logic.oidc.NoOpSessionStore;
import org.apache.syncope.core.logic.oidc.OIDCC4UIContext;
import org.apache.syncope.core.logic.oidc.OIDCClientCache;
import org.apache.syncope.core.logic.oidc.OIDCUserManager;
import org.apache.syncope.core.persistence.api.dao.NotFoundException;
import org.apache.syncope.core.persistence.api.dao.OIDCC4UIProviderDAO;
import org.apache.syncope.core.persistence.api.entity.OIDCC4UIProvider;
import org.apache.syncope.core.provisioning.api.data.AccessTokenDataBinder;
import org.apache.syncope.core.provisioning.api.serialization.POJOHelper;
import org.apache.syncope.core.spring.security.AuthContextUtils;
import org.apache.syncope.core.spring.security.AuthDataAccessor;
import org.apache.syncope.core.spring.security.Encryptor;
import org.pac4j.core.exception.http.WithLocationAction;
import org.pac4j.oidc.client.OidcClient;
import org.pac4j.oidc.credentials.OidcCredentials;
import org.pac4j.oidc.profile.OidcProfile;
import org.springframework.security.access.prepost.PreAuthorize;

/* loaded from: input_file:org/apache/syncope/core/logic/OIDCC4UILogic.class */
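/**
 * Business logic behind the OIDC Client for UI ("OIDCC4UI") flows: building the authorization request
 * sent to the OpenID Provider (OP), completing the login by exchanging the authorization code, and
 * building the OP logout request.
 *
 * The access token issued at login carries two private claims ({@link #JWT_CLAIM_OP_NAME} and
 * {@link #JWT_CLAIM_ID_TOKEN}) so that the logout request can later be routed to the same OP with the
 * original ID token.
 */
public class OIDCC4UILogic extends AbstractTransactionalLogic<EntityTO> {

    /** Access-token claim: name of the OIDC provider the login went through. */
    protected static final String JWT_CLAIM_OP_NAME = "OP_NAME";

    /** Access-token claim: serialized ID token received at login, replayed to the OP at logout. */
    protected static final String JWT_CLAIM_ID_TOKEN = "ID_TOKEN";

    protected static final Encryptor ENCRYPTOR = Encryptor.getInstance();

    protected final OIDCClientCache oidcClientCacheLogin;

    protected final OIDCClientCache oidcClientCacheLogout;

    protected final AuthDataAccessor authDataAccessor;

    protected final AccessTokenDataBinder accessTokenDataBinder;

    protected final OIDCC4UIProviderDAO opDAO;

    protected final OIDCUserManager userManager;

    /**
     * @param oidcClientCacheLogin cache of pac4j clients used for login requests
     * @param oidcClientCacheLogout cache of pac4j clients used for logout requests
     * @param authDataAccessor provides the authorities granted to a user
     * @param accessTokenDataBinder issues Syncope access tokens
     * @param opDAO lookup of configured OIDC providers by name
     * @param userManager matches, creates and updates Syncope users from ID token claims
     */
    public OIDCC4UILogic(
            final OIDCClientCache oidcClientCacheLogin,
            final OIDCClientCache oidcClientCacheLogout,
            final AuthDataAccessor authDataAccessor,
            final AccessTokenDataBinder accessTokenDataBinder,
            final OIDCC4UIProviderDAO opDAO,
            final OIDCUserManager userManager) {

        this.oidcClientCacheLogin = oidcClientCacheLogin;
        this.oidcClientCacheLogout = oidcClientCacheLogout;
        this.authDataAccessor = authDataAccessor;
        this.accessTokenDataBinder = accessTokenDataBinder;
        this.opDAO = opDAO;
        this.userManager = userManager;
    }

    /**
     * Looks up a configured OIDC provider by name.
     *
     * @param opName provider name
     * @return the provider
     * @throws NotFoundException if no provider with the given name is configured
     */
    protected OIDCC4UIProvider findProvider(final String opName) {
        return Optional.ofNullable(opDAO.findByName(opName)).
                orElseThrow(() -> new NotFoundException("OIDC Provider '" + opName + "'"));
    }

    /**
     * Returns the cached pac4j client for the given provider, creating and caching one on first use.
     *
     * @param clientCache login or logout client cache
     * @param op OIDC provider
     * @param redirectURI redirect URI the client is configured with when newly created
     * @return pac4j client
     */
    protected OidcClient getOidcClient(
            final OIDCClientCache clientCache, final OIDCC4UIProvider op, final String redirectURI) {

        return clientCache.get(op.getName()).orElseGet(() -> clientCache.add(op, redirectURI));
    }

    /**
     * Turns a pac4j redirection action into the location-only request returned to the UI.
     *
     * @param action action computed by pac4j, expected to carry a location
     * @param failureMessage message reported when no action was generated
     * @return request holding the redirect location
     * @throws SyncopeClientException ({@code Unknown}) when {@code action} is empty
     */
    protected static OIDCRequest toRequest(final Optional<?> action, final String failureMessage) {
        WithLocationAction withLocation = action.
                map(WithLocationAction.class::cast).
                orElseThrow(() -> {
                    SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.Unknown);
                    sce.getElements().add(failureMessage);
                    return sce;
                });

        OIDCRequest request = new OIDCRequest();
        request.setLocation(withLocation.getLocation());
        return request;
    }

    /**
     * Builds the authorization request (redirect to the OP) that starts the login flow.
     *
     * @param redirectURI callback URI the OP should redirect to after authentication
     * @param opName name of the configured OIDC provider
     * @return request holding the OP authorization endpoint location
     * @throws NotFoundException if the provider is not configured
     * @throws SyncopeClientException if pac4j produced no redirection action
     */
    @PreAuthorize("hasRole('ANONYMOUS')")
    public OIDCRequest createLoginRequest(final String redirectURI, final String opName) {
        OidcClient oidcClient = getOidcClient(oidcClientCacheLogin, findProvider(opName), redirectURI);

        return toRequest(
                oidcClient.getRedirectionAction(new OIDCC4UIContext(), NoOpSessionStore.INSTANCE),
                "No RedirectionAction generated for LoginRequest");
    }

    /**
     * Copies into the login response the ID token claims mapped by the provider's items.
     *
     * @param op OIDC provider, whose items map ID token claim names to Syncope schemas
     * @param claims validated ID token claims
     * @param response login response receiving one {@link Attr} per mapped claim present in the token
     * @return value used to match Syncope users: the mapped claim of the connObjectKey item when present
     * in the token, otherwise the ID token subject (may be {@code null})
     */
    protected String copyClaims(
            final OIDCC4UIProvider op, final JWTClaimsSet claims, final OIDCLoginResponse response) {

        String keyValue = claims.getSubject();

        for (Item item : op.getItems()) {
            String value = Optional.ofNullable(claims.getClaim(item.getExtAttrName())).
                    map(Object::toString).
                    orElse(null);
            if (value != null) {
                Attr attr = new Attr();
                attr.setSchema(item.getExtAttrName());
                attr.getValues().add(value);
                response.getAttrs().add(attr);

                // the connObjectKey item overrides the plain subject as matching value
                if (item.isConnObjectKey()) {
                    keyValue = value;
                }
            }
        }

        return keyValue;
    }

    /**
     * Issues the Syncope access token for the logged-in user and sets it on the response.
     *
     * @param response login response whose username is already set
     * @param opName provider name, stored as claim for later logout
     * @param idToken serialized ID token, stored as claim for later logout
     */
    protected void issueAccessToken(
            final OIDCLoginResponse response, final String opName, final String idToken) {

        Map<String, Object> claims = new HashMap<>();
        claims.put(JWT_CLAIM_OP_NAME, opName);
        claims.put(JWT_CLAIM_ID_TOKEN, idToken);

        // best effort: a token is still issued without embedded authorities when they cannot be fetched
        byte[] authorities = null;
        try {
            // explicit charset: the encoded value is text and must not depend on the platform default
            authorities = ENCRYPTOR.encode(
                    POJOHelper.serialize(authDataAccessor.getAuthorities(response.getUsername(), (String) null)),
                    CipherAlgorithm.AES).getBytes(StandardCharsets.UTF_8);
        } catch (Exception e) {
            LOG.error("Could not fetch authorities", e);
        }

        Pair<String, OffsetDateTime> accessToken =
                accessTokenDataBinder.create(response.getUsername(), claims, authorities, true);
        response.setAccessToken(accessToken.getLeft());
        response.setAccessTokenExpiryTime(accessToken.getRight());
    }

    /**
     * Completes the login flow: exchanges the authorization code with the OP, maps the ID token claims,
     * matches (or creates / updates, per provider configuration) the Syncope user and issues the access
     * token.
     *
     * @param redirectURI callback URI used in the authorization request
     * @param authorizationCode code received from the OP on the callback
     * @param opName name of the configured OIDC provider
     * @return login response; when the provider is configured for self-registration of unmatched users,
     * the response carries the pre-filled user attributes and {@code selfReg=true} but no access token
     * @throws NotFoundException if the provider is not configured
     * @throws SyncopeClientException ({@code Unknown}) for any failure after the provider lookup,
     * including code validation errors and missing / ambiguous user matches
     */
    @PreAuthorize("hasRole('ANONYMOUS')")
    public OIDCLoginResponse login(
            final String redirectURI, final String authorizationCode, final String opName) {

        OIDCC4UIProvider op = findProvider(opName);
        OidcClient oidcClient = getOidcClient(oidcClientCacheLogin, op, redirectURI);

        try {
            // pac4j performs the token request and ID token validation here;
            // NOTE(review): NoOpSessionStore keeps no server-side pac4j session, so any state / nonce
            // binding of this callback to the original request presumably happens in the caller - confirm
            OidcCredentials credentials = new OidcCredentials();
            credentials.setCode(new AuthorizationCode(authorizationCode));
            oidcClient.getAuthenticator().validate(credentials, new OIDCC4UIContext(), NoOpSessionStore.INSTANCE);

            JWTClaimsSet idTokenClaims = credentials.getIdToken().getJWTClaimsSet();
            String idToken = credentials.getIdToken().serialize();

            OIDCLoginResponse response = new OIDCLoginResponse();
            response.setLogoutSupported(StringUtils.isNotBlank(op.getEndSessionEndpoint()));

            String keyValue = copyClaims(op, idTokenClaims, response);

            List<String> matching = Optional.ofNullable(keyValue).
                    map(key -> userManager.findMatchingUser(key, op.getConnObjectKeyItem().get())).
                    orElse(List.of());
            LOG.debug("Found {} matching users for {}", matching.size(), keyValue);

            String username;
            if (matching.isEmpty()) {
                if (!op.isCreateUnmatching()) {
                    if (!op.isSelfRegUnmatching()) {
                        throw new NotFoundException(Optional.ofNullable(keyValue).
                                map(key -> "User matching the provided value " + key).
                                orElse("User matching the provided claims"));
                    }

                    // self-registration: hand the pre-filled user back to the UI, no token issued
                    UserTO userTO = new UserTO();
                    userManager.fill(op, response, userTO);

                    response.getAttrs().clear();
                    response.getAttrs().addAll(userTO.getPlainAttrs());
                    response.setUsername(StringUtils.isNotBlank(userTO.getUsername())
                            ? userTO.getUsername()
                            : keyValue);
                    response.setSelfReg(true);
                    return response;
                }

                LOG.debug("No user matching {}, about to create", keyValue);
                username = AuthContextUtils.callAsAdmin(
                        AuthContextUtils.getDomain(),
                        () -> userManager.create(op, response, keyValue));
            } else if (matching.size() > 1) {
                throw new IllegalArgumentException("Several users match the provided value " + keyValue);
            } else if (op.isUpdateMatching()) {
                LOG.debug("About to update {} for {}", matching.get(0), keyValue);
                username = AuthContextUtils.callAsAdmin(
                        AuthContextUtils.getDomain(),
                        () -> userManager.update(matching.get(0), op, response));
            } else {
                username = matching.get(0);
            }

            response.setUsername(username);
            issueAccessToken(response, opName, idToken);
            return response;
        } catch (Exception e) {
            LOG.error("While validating Token Response", e);

            // NOTE(review): the raw exception message is returned to an anonymous caller; consider a
            // generic message if internal details (OP responses, DAO errors) must not be exposed
            SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.Unknown);
            sce.getElements().add(e.getMessage());
            throw sce;
        }
    }

    /**
     * Builds the OP logout request for the provider recorded in the given access token.
     *
     * @param accessToken Syncope access token issued by {@link #login}, carrying the provider name and
     * the ID token as claims
     * @param redirectURI URI the OP should redirect to after logout
     * @return request holding the OP end-session location
     * @throws SyncopeClientException ({@code InvalidAccessToken}) if the token cannot be parsed,
     * ({@code Unknown}) if pac4j produced no redirection action
     * @throws NotFoundException if the provider named in the token is not configured
     */
    @PreAuthorize("isAuthenticated() and not(hasRole('ANONYMOUS'))")
    public OIDCRequest createLogoutRequest(final String accessToken, final String redirectURI) {
        try {
            // NOTE(review): parse() only decodes the JWT, no signature or expiry check happens here;
            // presumably the authentication behind @PreAuthorize already validated this token - confirm
            JWTClaimsSet claims = SignedJWT.parse(accessToken).getJWTClaimsSet();

            String opName = (String) claims.getClaim(JWT_CLAIM_OP_NAME);
            OidcClient oidcClient = getOidcClient(oidcClientCacheLogout, findProvider(opName), redirectURI);

            OidcProfile profile = new OidcProfile();
            profile.setIdTokenString((String) claims.getClaim(JWT_CLAIM_ID_TOKEN));

            return toRequest(
                    oidcClient.getLogoutAction(
                            new OIDCC4UIContext(), NoOpSessionStore.INSTANCE, profile, redirectURI),
                    "No RedirectionAction generated for LogoutRequest");
        } catch (ParseException e) {
            SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.InvalidAccessToken);
            sce.getElements().add(e.getMessage());
            throw sce;
        }
    }

    /**
     * This logic manages no persistent entity, so references are never resolvable.
     *
     * @throws UnresolvedReferenceException always
     */
    @Override
    protected EntityTO resolveReference(final Method method, final Object... args)
            throws UnresolvedReferenceException {

        throw new UnresolvedReferenceException();
    }
}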
