package com.erudika.para.security.filters;

import ch.qos.logback.classic.spi.CallerData;
import com.erudika.para.Para;
import com.erudika.para.core.App;
import com.erudika.para.core.User;
import com.erudika.para.core.utils.ParaObjectUtils;
import com.erudika.para.security.AuthenticatedUserDetails;
import com.erudika.para.security.SecurityUtils;
import com.erudika.para.security.UserAuthentication;
import com.erudika.para.utils.Config;
import com.erudika.para.utils.Utils;
import com.fasterxml.jackson.databind.ObjectReader;
import java.io.IOException;
import java.net.URLEncoder;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.apache.http.HttpEntity;
import org.apache.http.client.config.CookieSpecs;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.cookie.ClientCookie;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.NoConnectionReuseStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.util.EntityUtils;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;

/* loaded from: input_file:BOOT-INF/lib/para-server-1.34.0.jar:com/erudika/para/security/filters/GenericOAuth2Filter.class */
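public class GenericOAuth2Filter extends AbstractAuthenticationProcessingFilter {

    /** HTTP client used for the token and profile calls to the identity provider (IDP). */
    private final CloseableHttpClient httpclient;
    /** JSON reader that parses IDP responses into a {@code Map}. */
    private final ObjectReader jreader;
    /** Authorization-code grant body: {0}=code, {1}=redirect_uri, {2}=scope, {3}=client_id, {4}=client_secret. */
    private static final String PAYLOAD = "code={0}&redirect_uri={1}&scope={2}&client_id={3}&client_secret={4}&grant_type=authorization_code";
    /** Refresh-token grant body: {0}=refresh_token, {1}=scope, {2}=client_id, {3}=client_secret. */
    private static final String REFRESH_PAYLOAD = "refresh_token={0}&scope={1}&client_id={2}&client_secret={3}&grant_type=refresh_token";
    public static final String OAUTH2_ACTION = "oauth2_auth";
    public static final String OAUTH2_SECOND_ACTION = "oauth2second_auth";
    public static final String OAUTH2_THIRD_ACTION = "oauth2third_auth";

    /** Keys of the IDP token response that this filter reads. */
    private static final String ACCESS_TOKEN_KEY = "access_token";
    private static final String REFRESH_TOKEN_KEY = "refresh_token";
    /** Connect / connection-request / socket timeout applied to every IDP call, in milliseconds. */
    private static final int TIMEOUT_MS = 30000;

    /**
     * Creates the filter for the given processing URL.
     * @param defaultFilterProcessesUrl the URL this filter reacts to (passed to the superclass)
     */
    public GenericOAuth2Filter(String defaultFilterProcessesUrl) {
        super(defaultFilterProcessesUrl);
        this.jreader = ParaObjectUtils.getJsonReader(Map.class);
        // One connection per request, bounded timeouts, RFC 6265 cookie handling.
        RequestConfig requestConfig = RequestConfig.custom()
                .setConnectTimeout(TIMEOUT_MS)
                .setConnectionRequestTimeout(TIMEOUT_MS)
                .setCookieSpec(CookieSpecs.STANDARD)
                .setSocketTimeout(TIMEOUT_MS)
                .build();
        this.httpclient = HttpClientBuilder.create()
                .setConnectionReuseStrategy(new NoConnectionReuseStrategy())
                .setDefaultRequestConfig(requestConfig)
                .build();
    }

    /**
     * Handles the OAuth 2.0 redirect back from the IDP: exchanges the {@code code} query parameter for tokens
     * and resolves or creates the corresponding {@link User}.
     * <p>
     * NOTE(review): no OAuth 2.0 {@code state} parameter is checked in this method; confirm that CSRF protection
     * of the redirect is handled elsewhere in the login flow.
     * @param request the callback request; its URI suffix selects the OAuth "alias" (default, second or third)
     * @param response unused here
     * @return the authentication, or whatever {@link SecurityUtils#checkIfActive} returns for a failed attempt
     * @throws IOException if the token exchange or the profile fetch fails
     */
    @Override // org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String requestURI = request.getRequestURI();
        UserAuthentication userAuth = null;
        boolean isSecond = requestURI.endsWith(OAUTH2_SECOND_ACTION);
        boolean isThird = requestURI.endsWith(OAUTH2_THIRD_ACTION);
        if (requestURI.endsWith(OAUTH2_ACTION) || isSecond || isThird) {
            String alias = isThird ? "third" : isSecond ? "second" : "";
            String authCode = request.getParameter("code");
            if (!StringUtils.isBlank(authCode)) {
                String appid = SecurityUtils.getAppidFromAuthRequest(request);
                App app = (App) Para.getDAO().read(App.id(appid == null ? Config.getRootAppIdentifier() : appid));
                Map<String, Object> tokens = tokenRequest(app, authCode, SecurityUtils.getRedirectUrl(request), alias);
                if (tokens != null && tokens.containsKey(ACCESS_TOKEN_KEY)) {
                    userAuth = getOrCreateUser(app, joinTokens(tokens));
                }
            }
        }
        return SecurityUtils.checkIfActive(userAuth, SecurityUtils.getAuthenticatedUser(userAuth), true);
    }

    /**
     * Builds the combined token string expected by {@link #getOrCreateUser(App, String, String)}:
     * {@code access_token} alone when the IDP returned no refresh token, otherwise
     * {@code access_token + Config.SEPARATOR + refresh_token}. Previously a missing refresh token
     * was concatenated as the literal text "null" and ended up stored as the user's refresh token.
     * @param tokens the parsed IDP token response, known to contain {@code access_token}
     * @return the combined token string
     */
    private static String joinTokens(Map<String, Object> tokens) {
        Object accessToken = tokens.get(ACCESS_TOKEN_KEY);
        Object refreshToken = tokens.get(REFRESH_TOKEN_KEY);
        if (refreshToken == null) {
            return String.valueOf(accessToken);
        }
        return accessToken + Config.SEPARATOR + refreshToken;
    }

    /**
     * Resolves or creates a user for the default OAuth 2.0 provider.
     * @param app the app the user belongs to
     * @param accessToken the IDP access token, optionally followed by {@code Config.SEPARATOR} and a refresh token
     * @return the authentication, or whatever {@link SecurityUtils#checkIfActive} returns when no user was resolved
     * @throws IOException if the profile request to the IDP fails
     */
    public UserAuthentication getOrCreateUser(App app, String accessToken) throws IOException {
        return getOrCreateUser(app, accessToken, null);
    }

    /**
     * Fetches the user's profile from the IDP with the given access token and resolves the matching
     * {@link User}, creating it if it does not exist yet or updating it if its profile changed.
     * <p>
     * When token delegation is enabled for the app, the IDP access and refresh tokens are persisted on the
     * {@link User}; presumably the backing store treats them as secrets — verify.
     * @param app the app the user belongs to
     * @param accessToken the IDP access token, optionally followed by {@code Config.SEPARATOR} and a refresh token
     * @param alias the provider alias: {@code null}/blank, "second" or "third"
     * @return the authentication, or whatever {@link SecurityUtils#checkIfActive} returns when no user was resolved
     * @throws IOException if the profile request to the IDP fails
     * @throws AuthenticationServiceException if a new user could not be persisted
     */
    public UserAuthentication getOrCreateUser(App app, String accessToken, String alias) throws IOException {
        UserAuthentication userAuth = null;
        User user = new User();
        if (accessToken != null) {
            String[] tokens = accessToken.split(Config.SEPARATOR);
            String refreshToken = null;
            if (tokens.length > 1) {
                accessToken = tokens[0];
                refreshToken = tokens[1];
            }
            boolean delegationEnabled = isAccessTokenDelegationEnabled(app, alias);
            Map<String, Object> profile = fetchProfileFromIDP(app, accessToken, alias);
            // Names of the profile fields are configurable per app; defaults follow OpenID Connect claims.
            String idKey = SecurityUtils.getSettingForApp(app, configKey("parameters.id", alias), "sub");
            String pictureKey = SecurityUtils.getSettingForApp(app, configKey("parameters.picture", alias), "picture");
            String emailDomain = SecurityUtils.getSettingForApp(app, configKey("domain", alias), "paraio.com");
            String emailKey = SecurityUtils.getSettingForApp(app, configKey("parameters.email", alias), Config._EMAIL);
            String nameKey = SecurityUtils.getSettingForApp(app, configKey("parameters.name", alias), "name");
            String idpUserId = profile == null ? null : stringValue(profile.get(idKey));
            if (idpUserId != null) {
                String picture = stringValue(profile.get(pictureKey));
                String email = stringValue(profile.get(emailKey));
                String name = stringValue(profile.get(nameKey));
                user.setAppid(getAppid(app));
                user.setIdentifier(oauthPrefix(alias).concat(idpUserId));
                user.setEmail(email);
                user = User.readUserForIdentifier(user);
                if (user == null) {
                    user = new User();
                    user.setActive(true);
                    user.setAppid(getAppid(app));
                    // Users without an IDP email get a synthetic, unique address under the configured domain.
                    user.setEmail(StringUtils.isBlank(email) ? Utils.getNewId() + "@" + emailDomain : email);
                    user.setName(StringUtils.isBlank(name) ? "No Name" : name);
                    user.setPassword(Utils.generateSecurityToken());
                    if (delegationEnabled) {
                        user.setIdpAccessToken(accessToken);
                        user.setIdpRefreshToken(refreshToken);
                    }
                    user.setPicture(getPicture(picture));
                    user.setIdentifier(oauthPrefix(alias).concat(idpUserId));
                    if (user.create() == null) {
                        throw new AuthenticationServiceException("Authentication failed: cannot create new user.");
                    }
                } else if (updateUserInfo(user, picture, email, name, accessToken, refreshToken, delegationEnabled)) {
                    user.update();
                }
                userAuth = new UserAuthentication(new AuthenticatedUserDetails(user));
            }
        }
        return SecurityUtils.checkIfActive(userAuth, user, false);
    }

    /**
     * Converts a profile value to a string; some IDPs return numeric ids, which a plain {@code (String)}
     * cast would reject.
     * @param value the raw JSON value, may be null
     * @return its string form, or null
     */
    private static String stringValue(Object value) {
        return value == null ? null : value.toString();
    }

    /**
     * Applies changed profile data to an existing user.
     * @param user the existing user (mutated in place)
     * @param picture picture URL from the IDP, may be null
     * @param email email from the IDP, ignored when blank
     * @param name display name from the IDP, ignored when blank
     * @param accessToken IDP access token, stored only when {@code delegationEnabled}
     * @param refreshToken IDP refresh token, stored only when {@code delegationEnabled}
     * @param delegationEnabled whether IDP tokens are persisted on the user
     * @return true if any field was changed and the user should be saved
     */
    private boolean updateUserInfo(User user, String picture, String email, String name,
            String accessToken, String refreshToken, boolean delegationEnabled) {
        String normalizedPicture = getPicture(picture);
        boolean changed = false;
        if (!StringUtils.equals(user.getPicture(), normalizedPicture)) {
            user.setPicture(normalizedPicture);
            changed = true;
        }
        if (!StringUtils.isBlank(email) && !StringUtils.equals(user.getEmail(), email)) {
            user.setEmail(email);
            changed = true;
        }
        if (!StringUtils.isBlank(name) && !StringUtils.equals(user.getName(), name)) {
            user.setName(name);
            changed = true;
        }
        if (delegationEnabled) {
            // Tokens are always refreshed on login so the stored ones stay current.
            user.setIdpAccessToken(accessToken);
            user.setIdpRefreshToken(refreshToken);
            changed = true;
        }
        return changed;
    }

    /**
     * Checks whether IDP token delegation is enabled for the provider the user logged in with.
     * @param app the app
     * @param user the user; the provider alias is derived from the identifier prefix
     * @return true if enabled
     */
    public boolean isAccessTokenDelegationEnabled(App app, User user) {
        return isAccessTokenDelegationEnabled(app, oauthAlias(user.getIdentifier()));
    }

    /**
     * Checks whether IDP token delegation is enabled for the given provider alias (default: disabled).
     * @param app the app
     * @param alias the provider alias: {@code null}/blank, "second" or "third"
     * @return true if enabled
     */
    private boolean isAccessTokenDelegationEnabled(App app, String alias) {
        return Boolean.parseBoolean(SecurityUtils.getSettingForApp(app, configKey("token_delegation_enabled", alias), "false"));
    }

    /**
     * Verifies the user's stored IDP access token by fetching the profile with it, attempting one token
     * refresh if the first fetch yields nothing and a refresh token is stored.
     * @param app the app
     * @param user the user whose IDP tokens are checked (may be updated by a refresh)
     * @return true if the profile could be fetched and contains the configured id field; false on any error
     */
    public boolean isValidAccessToken(App app, User user) {
        try {
            String alias = oauthAlias(user.getIdentifier());
            Map<String, Object> profile = fetchProfileFromIDP(app, user.getIdpAccessToken(), alias);
            if (profile == null && user.getIdpRefreshToken() != null) {
                refreshTokens(app, user);
                profile = fetchProfileFromIDP(app, user.getIdpAccessToken(), alias);
            }
            if (profile == null) {
                return false;
            }
            String idKey = SecurityUtils.getSettingForApp(app, configKey("parameters.id", alias), "sub");
            return profile.containsKey(idKey);
        } catch (Exception e) {
            // Boundary method: any failure means "not valid"; tokens are deliberately not logged.
            this.logger.error("Failed to validate IDP access token.", e);
            return false;
        }
    }

    /**
     * Fetches the user's profile from the IDP's configured {@code profile_url} using a bearer token.
     * @param app the app
     * @param accessToken the IDP access token
     * @param alias the provider alias
     * @return the parsed JSON profile, or null unless the IDP answered 200 with a body
     * @throws IOException on transport errors or if the body is not parseable JSON
     */
    private Map<String, Object> fetchProfileFromIDP(App app, String accessToken, String alias) throws IOException {
        String acceptHeader = SecurityUtils.getSettingForApp(app, configKey("accept_header", alias), "");
        HttpGet profileGet = new HttpGet(SecurityUtils.getSettingForApp(app, configKey("profile_url", alias), ""));
        profileGet.setHeader("Authorization", "Bearer " + accessToken);
        if (!StringUtils.isBlank(acceptHeader)) {
            profileGet.setHeader("Accept", acceptHeader);
        }
        try (CloseableHttpResponse resp = this.httpclient.execute(profileGet)) {
            Map<String, Object> profile = null;
            HttpEntity entity = resp.getEntity();
            if (entity != null && resp.getStatusLine().getStatusCode() == 200) {
                profile = this.jreader.readValue(entity.getContent());
            }
            EntityUtils.consumeQuietly(entity);
            return profile;
        }
    }

    /**
     * Exchanges the user's stored refresh token for a new access token and persists the result.
     * Does nothing if the IDP did not return an access token.
     * @param app the app
     * @param user the user whose tokens are refreshed (updated in place and saved)
     * @throws IOException if the token request fails
     */
    private void refreshTokens(App app, User user) throws IOException {
        Map<String, Object> tokens = tokenRequest(app, user.getIdpRefreshToken(), null, oauthAlias(user.getIdentifier()));
        if (tokens == null || !tokens.containsKey(ACCESS_TOKEN_KEY)) {
            return;
        }
        user.setIdpAccessToken((String) tokens.get(ACCESS_TOKEN_KEY));
        String newRefreshToken = (String) tokens.get(REFRESH_TOKEN_KEY);
        if (!StringUtils.equals(newRefreshToken, user.getIdpRefreshToken())) {
            user.setIdpRefreshToken(newRefreshToken);
        }
        user.update();
    }

    /**
     * Posts a grant request to the IDP's configured {@code token_url}: an authorization-code grant when
     * {@code redirectUri} is given, a refresh-token grant otherwise.
     * All body parameters are form-encoded, as application/x-www-form-urlencoded requires (codes, refresh
     * tokens and client secrets may legitimately contain characters such as {@code +} or {@code /}).
     * @param app the app (supplies client id/secret and scope)
     * @param codeOrRefreshToken the authorization code, or the refresh token when {@code redirectUri} is null
     * @param redirectUri the redirect URI used in the authorization request, or null for a refresh
     * @param alias the provider alias
     * @return the parsed JSON token response, or null if the IDP returned no body
     * @throws IOException on transport errors or if the body is not parseable JSON
     */
    private Map<String, Object> tokenRequest(App app, String codeOrRefreshToken, String redirectUri, String alias) throws IOException {
        String[] clientKeys = SecurityUtils.getOAuthKeysForApp(app, oauthPrefix(alias));
        String scope = SecurityUtils.getSettingForApp(app, configKey("scope", alias), "");
        String body;
        if (redirectUri == null) {
            body = Utils.formatMessage(REFRESH_PAYLOAD, formEncode(codeOrRefreshToken), formEncode(scope),
                    formEncode(clientKeys[0]), formEncode(clientKeys[1]));
        } else {
            body = Utils.formatMessage(PAYLOAD, formEncode(codeOrRefreshToken), Utils.urlEncode(redirectUri),
                    formEncode(scope), formEncode(clientKeys[0]), formEncode(clientKeys[1]));
        }
        String acceptHeader = SecurityUtils.getSettingForApp(app, configKey("accept_header", alias), "");
        HttpPost tokenPost = new HttpPost(SecurityUtils.getSettingForApp(app, configKey("token_url", alias), ""));
        tokenPost.setHeader("Content-Type", "application/x-www-form-urlencoded");
        tokenPost.setEntity(new StringEntity(body, "UTF-8"));
        if (!StringUtils.isBlank(acceptHeader)) {
            tokenPost.setHeader("Accept", acceptHeader);
        }
        try (CloseableHttpResponse resp = this.httpclient.execute(tokenPost)) {
            if (resp == null || resp.getEntity() == null) {
                return null;
            }
            HttpEntity entity = resp.getEntity();
            // The status code is intentionally not checked: error responses are JSON too and callers
            // test for the presence of "access_token".
            Map<String, Object> tokens = this.jreader.readValue(entity.getContent());
            EntityUtils.consumeQuietly(entity);
            return tokens;
        }
    }

    /**
     * Percent-encodes one form field value; null becomes the empty string.
     * @param value the raw value
     * @return the encoded value
     * @throws IOException never in practice (UTF-8 is always supported)
     */
    private static String formEncode(String value) throws IOException {
        return value == null ? "" : URLEncoder.encode(value, "UTF-8");
    }

    /**
     * Maps a provider alias to the identifier prefix used for its users.
     * @param alias {@code null}/blank, "second" or "third" (case-insensitive)
     * @return the matching {@code Config.OAUTH2_*_PREFIX}
     */
    private String oauthPrefix(String alias) {
        if ("third".equalsIgnoreCase(alias)) {
            return Config.OAUTH2_THIRD_PREFIX;
        }
        if ("second".equalsIgnoreCase(alias)) {
            return Config.OAUTH2_SECOND_PREFIX;
        }
        return Config.OAUTH2_PREFIX;
    }

    /**
     * Inverse of {@link #oauthPrefix}: derives the provider alias from a user identifier.
     * @param identifier the user's identifier, must be non-null
     * @return "third", "second" or "" for the default provider
     */
    private String oauthAlias(String identifier) {
        if (identifier.startsWith(Config.OAUTH2_THIRD_PREFIX)) {
            return "third";
        }
        if (identifier.startsWith(Config.OAUTH2_SECOND_PREFIX)) {
            return "second";
        }
        return "";
    }

    /**
     * Builds the app-settings key for an OAuth option. Note that the alias is appended directly to
     * "security.oauth" without a dot (e.g. {@code security.oauthsecond.scope}); existing configs rely on this.
     * @param key the option name
     * @param alias the provider alias, blank for the default provider
     * @return the settings key
     */
    private String configKey(String key, String alias) {
        if (StringUtils.isBlank(alias)) {
            return "security.oauth." + key;
        }
        return "security.oauth" + alias + "." + key;
    }

    /**
     * Strips any query string from a picture URL.
     * @param pictureUrl the URL, may be null
     * @return the URL without its query string, or null
     */
    private static String getPicture(String pictureUrl) {
        return StringUtils.substringBefore(pictureUrl, "?");
    }

    /**
     * @param app the app, may be null
     * @return the app's identifier, or null
     */
    private String getAppid(App app) {
        return app == null ? null : app.getAppIdentifier();
    }
}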
