package com.erudika.para.server.security.filters;

import ch.qos.logback.classic.spi.CallerData;
import com.erudika.para.core.App;
import com.erudika.para.core.User;
import com.erudika.para.core.utils.Config;
import com.erudika.para.core.utils.Para;
import com.erudika.para.core.utils.ParaObjectUtils;
import com.erudika.para.core.utils.Utils;
import com.erudika.para.server.security.AuthenticatedUserDetails;
import com.erudika.para.server.security.SecurityUtils;
import com.erudika.para.server.security.UserAuthentication;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectReader;
import com.nimbusds.jwt.JWTClaimNames;
import com.onelogin.saml2.settings.SettingsBuilder;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.hc.client5.http.classic.methods.HttpGet;
import org.apache.hc.client5.http.config.RequestConfig;
import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
import org.apache.hc.client5.http.impl.classic.CloseableHttpResponse;
import org.apache.hc.client5.http.impl.classic.HttpClientBuilder;
import org.apache.hc.core5.http.ClassicHttpRequest;
import org.apache.hc.core5.http.HttpEntity;
import org.apache.hc.core5.http.io.entity.EntityUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;

/* loaded from: input_file:WEB-INF/lib/para-server-1.46.3.jar:com/erudika/para/server/security/filters/GenericOAuth2Filter.class */
/**
 * Spring Security processing filter for a generic OAuth 2.0 authorization-code login.
 *
 * <p>Three callback URIs are recognised by suffix ({@link #OAUTH2_ACTION},
 * {@link #OAUTH2_SECOND_ACTION}, {@link #OAUTH2_THIRD_ACTION}); the suffix selects an
 * "alias" ("" / "second" / "third") that is spliced into every config key via
 * {@link #configKey(String, String)} and into the user identifier via
 * {@link #oauthPrefix(String)}, so one app can talk to up to three providers.
 *
 * <p>This listing is decompiler output (see the "loaded from" comment above the class);
 * {@code tokenRequest} was not recovered and is a throwing stub below, and several
 * {@code if (x != null) x.close()} / empty {@code finally} shapes are try-with-resources
 * artifacts rather than hand-written code.
 */
public class GenericOAuth2Filter extends AbstractAuthenticationProcessingFilter {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) GenericOAuth2Filter.class);
    // Shared client for IDP calls. Only connect and connection-request timeouts are
    // configured (see constructor); no response timeout is set on this builder.
    private final CloseableHttpClient httpclient;
    // JSON reader targeting Map, used for the token-endpoint and profile-endpoint bodies.
    private final ObjectReader jreader;
    // MessageFormat-style bodies for the token endpoint. Both carry the client secret
    // ({3}/{4}); the formatted payload must never be logged.
    // NOTE(review): presumably consumed by tokenRequest, whose body was not decompiled.
    private static final String PAYLOAD = "code={0}&redirect_uri={1}&scope={2}&client_id={3}&client_secret={4}&grant_type=authorization_code";
    private static final String REFRESH_PAYLOAD = "refresh_token={0}&scope={1}&client_id={2}&client_secret={3}&grant_type=refresh_token";
    // URI suffixes that this filter treats as OAuth 2.0 callbacks (default / second / third provider).
    public static final String OAUTH2_ACTION = "oauth2_auth";
    public static final String OAUTH2_SECOND_ACTION = "oauth2second_auth";
    public static final String OAUTH2_THIRD_ACTION = "oauth2third_auth";

    /**
     * Creates the filter for the given processing URL pattern.
     *
     * @param str the URL pattern passed to {@link AbstractAuthenticationProcessingFilter}
     */
    public GenericOAuth2Filter(String str) {
        super(str);
        this.jreader = ParaObjectUtils.getJsonReader(Map.class);
        this.httpclient = HttpClientBuilder.create().setDefaultRequestConfig(RequestConfig.custom().setConnectTimeout(30, TimeUnit.SECONDS).setConnectionRequestTimeout(30, TimeUnit.SECONDS).build()).build();
    }

    /**
     * Handles the authorization-code callback: exchanges {@code ?code=} for tokens, then
     * resolves or creates the local user.
     *
     * <p>Only URIs ending in one of the three action suffixes are processed; everything
     * else falls through with a {@code null} authentication. The app is taken from the
     * auth request, defaulting to the root app when none is given.
     *
     * @return the result of {@link SecurityUtils#checkIfActive} over the (possibly null) authentication
     * @throws IOException propagated from the token request / user lookup
     */
    @Override // org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
    public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        String requestURI = httpServletRequest.getRequestURI();
        UserAuthentication userAuthentication = null;
        boolean endsWith = requestURI.endsWith(OAUTH2_SECOND_ACTION);
        boolean endsWith2 = requestURI.endsWith(OAUTH2_THIRD_ACTION);
        if (requestURI.endsWith(OAUTH2_ACTION) || endsWith || endsWith2) {
            // provider alias: "third" wins over "second"; the default provider is the empty alias
            String str = endsWith2 ? "third" : endsWith ? "second" : "";
            String parameter = httpServletRequest.getParameter("code");
            if (!StringUtils.isBlank(parameter)) {
                String appidFromAuthRequest = SecurityUtils.getAppidFromAuthRequest(httpServletRequest);
                App app = (App) Para.getDAO().read(App.id(appidFromAuthRequest == null ? Para.getConfig().getRootAppIdentifier() : appidFromAuthRequest));
                Map<String, Object> map = tokenRequest(app, parameter, SecurityUtils.getRedirectUrl(httpServletRequest), str);
                if (map != null) {
                    if (map.containsKey("access_token")) {
                        // Pack access|refresh|id token into one separator-joined string for getOrCreateUser.
                        // NOTE(review): a missing refresh_token/id_token concatenates as the literal
                        // string "null" (Java string concat), so the split fields downstream can be
                        // "null" rather than null — confirm the provider always returns both.
                        userAuthentication = getOrCreateUser(app, map.get("access_token") + Para.getConfig().separator() + map.get("refresh_token") + Para.getConfig().separator() + map.get("id_token"));
                    } else {
                        // Logs the whole provider response map; on this branch it holds no access_token,
                        // but may still echo anything else the provider sent.
                        LOG.info("OAuth 2.0 token request failed with response " + map);
                    }
                }
            }
        }
        return SecurityUtils.checkIfActive(userAuthentication, SecurityUtils.getAuthenticatedUser(userAuthentication), true);
    }

    /**
     * Convenience overload for the default provider (empty alias, {@link Config#OAUTH2_PREFIX}).
     *
     * @param app the app the user belongs to
     * @param str separator-joined "accessToken|refreshToken|idToken" string
     * @return see {@link #getOrCreateUser(App, String, String)}
     * @throws IOException propagated from the profile fetch
     */
    public UserAuthentication getOrCreateUser(App app, String str) throws IOException {
        return getOrCreateUser(app, str, null);
    }

    /**
     * Resolves the local {@link User} for an OAuth 2.0 login, creating it on first sight.
     *
     * <p>Steps: split the token string (index 0 access token, 1 refresh token, 2 id token);
     * fetch the IDP profile; read the configured attribute names
     * ({@code parameters.id/picture/email/name/given_name/family_name}, {@code domain});
     * look the user up by {@code <oauthPrefix><id>}; create it, or update changed fields.
     * When token delegation is enabled for the app/alias the IDP tokens are persisted on
     * the user.
     *
     * @param app  the app the user belongs to (may be null, see {@link #getAppid(App)})
     * @param str  separator-joined "accessToken|refreshToken|idToken" string, or null
     * @param str2 provider alias ("", "second", "third") or null for the default
     * @return the result of {@link SecurityUtils#checkIfActive} (null authentication when
     *         the id attribute is missing from the profile)
     * @throws IOException propagated from the profile fetch
     * @throws AuthenticationServiceException when a new user cannot be created
     */
    public UserAuthentication getOrCreateUser(App app, String str, String str2) throws IOException {
        UserAuthentication userAuthentication = null;
        User user = new User();
        if (str != null) {
            String[] split = str.split(Para.getConfig().separator());
            String str3 = null; // refresh token
            String str4 = null; // id token (JWT)
            if (split.length > 0) {
                str = split[0]; // access token
            }
            if (split.length > 1) {
                str3 = split[1];
            }
            if (split.length > 2) {
                str4 = split[2];
            }
            boolean isAccessTokenDelegationEnabled = isAccessTokenDelegationEnabled(app, str2);
            // NOTE(review): this map merges id_token claims decoded without signature
            // verification with the profile_url response (see fetchProfileFromIDP); if the
            // profile call fails, identity below rests on the id_token claims alone.
            Map<String, Object> fetchProfileFromIDP = fetchProfileFromIDP(app, str, str4, str2);
            String settingForApp = Para.getConfig().getSettingForApp(app, configKey("parameters.id", str2), JWTClaimNames.SUBJECT);
            String settingForApp2 = Para.getConfig().getSettingForApp(app, configKey("parameters.picture", str2), "picture");
            String settingForApp3 = Para.getConfig().getSettingForApp(app, configKey("domain", str2), "paraio.com");
            String settingForApp4 = Para.getConfig().getSettingForApp(app, configKey("parameters.email", str2), "email");
            String settingForApp5 = Para.getConfig().getSettingForApp(app, configKey("parameters.name", str2), "name");
            String settingForApp6 = Para.getConfig().getSettingForApp(app, configKey("parameters.given_name", str2), SettingsBuilder.SP_CONTACT_GIVEN_NAME_PROPERTY_KEY_SUFFIX);
            String settingForApp7 = Para.getConfig().getSettingForApp(app, configKey("parameters.family_name", str2), "family_name");
            if (fetchProfileFromIDP.containsKey(settingForApp)) {
                Object obj = fetchProfileFromIDP.get(settingForApp);
                // the id attribute may be numeric in some providers; stringify it either way
                String valueOf = obj instanceof String ? (String) obj : String.valueOf(obj);
                String emailFromProfile = getEmailFromProfile(fetchProfileFromIDP, settingForApp4, valueOf, settingForApp3);
                String pictureFromProfile = getPictureFromProfile(fetchProfileFromIDP, settingForApp2);
                String nameFromProfile = getNameFromProfile(fetchProfileFromIDP, settingForApp5);
                String givenNameFromProfile = getGivenNameFromProfile(fetchProfileFromIDP, settingForApp6);
                String firstNameFromProfile = getFirstNameFromProfile(fetchProfileFromIDP, settingForApp7);
                user.setAppid(getAppid(app));
                user.setIdentifier(oauthPrefix(str2).concat(valueOf));
                user.setEmail(emailFromProfile);
                // lookup by identifier; null means this is a first login
                user = User.readUserForIdentifier(user);
                if (user == null) {
                    user = new User();
                    user.setActive(true);
                    user.setAppid(getAppid(app));
                    user.setEmail(emailFromProfile);
                    user.setName(StringUtils.isBlank(nameFromProfile) ? getFullName(givenNameFromProfile, firstNameFromProfile) : nameFromProfile);
                    // random local password; the account is only ever used through the IDP
                    user.setPassword(Utils.generateSecurityToken());
                    if (isAccessTokenDelegationEnabled) {
                        user.setIdpAccessToken(str);
                        user.setIdpRefreshToken(str3);
                        user.setIdpIdToken(str4);
                        printTokenDebugInfo(user);
                    }
                    user.setPicture(getPicture(app, user, str, str2, pictureFromProfile));
                    user.setIdentifier(oauthPrefix(str2).concat(valueOf));
                    if (user.create() == null) {
                        throw new AuthenticationServiceException("Authentication failed: cannot create new user.");
                    }
                } else if (updateUserInfo(app, user, pictureFromProfile, emailFromProfile, nameFromProfile, str, str3, str4, str2, isAccessTokenDelegationEnabled)) {
                    user.update();
                }
                userAuthentication = new UserAuthentication(new AuthenticatedUserDetails(user));
            } else {
                // fetchProfileFromIDP never returns null (it returns its own HashMap), so the
                // null guard here is redundant; kept as decompiled.
                LOG.error("Authentication was successful but OAuth 2 parameter names not configured properly - 'id' property not found in user data (data." + settingForApp + " = null). The names available are: " + (fetchProfileFromIDP != null ? fetchProfileFromIDP.keySet() : null));
            }
        }
        return SecurityUtils.checkIfActive(userAuthentication, user, false);
    }

    /**
     * Copies changed profile fields onto an existing user.
     *
     * @param app  the user's app
     * @param user the existing user, mutated in place
     * @param str  picture URL from the profile (may be null)
     * @param str2 email from the profile
     * @param str3 display name from the profile
     * @param str4 IDP access token
     * @param str5 IDP refresh token
     * @param str6 IDP id token
     * @param str7 provider alias
     * @param z    whether token delegation is enabled; when true the three tokens are
     *             always rewritten and the method always returns true
     * @return true if any field was changed and the caller should persist the user
     */
    private boolean updateUserInfo(App app, User user, String str, String str2, String str3, String str4, String str5, String str6, String str7, boolean z) {
        String picture = getPicture(app, user, str4, str7, str);
        boolean z2 = false;
        if (!StringUtils.equals(user.getPicture(), picture)) {
            user.setPicture(picture);
            z2 = true;
        }
        // blank email/name from the IDP never overwrite existing values
        if (!StringUtils.isBlank(str2) && !StringUtils.equals(user.getEmail(), str2)) {
            user.setEmail(str2);
            z2 = true;
        }
        if (!StringUtils.isBlank(str3) && !StringUtils.equals(user.getName(), str3)) {
            user.setName(str3);
            z2 = true;
        }
        if (z) {
            user.setIdpAccessToken(str4);
            user.setIdpRefreshToken(str5);
            user.setIdpIdToken(str6);
            printTokenDebugInfo(user);
            z2 = true;
        }
        return z2;
    }

    /**
     * Whether IDP tokens should be stored on users of this app, derived from the
     * provider alias encoded in the user's identifier prefix.
     */
    public boolean isAccessTokenDelegationEnabled(App app, User user) {
        return isAccessTokenDelegationEnabled(app, oauthAlias(user.getIdentifier()));
    }

    /**
     * Reads {@code security.oauth<alias>.token_delegation_enabled} for the app; defaults to false.
     *
     * @param str provider alias ("", "second", "third") or null
     */
    private boolean isAccessTokenDelegationEnabled(App app, String str) {
        return Boolean.parseBoolean(Para.getConfig().getSettingForApp(app, configKey("token_delegation_enabled", str), "false"));
    }

    /**
     * Checks a stored IDP access token by fetching the profile with it.
     *
     * <p>If the user has a refresh token, the tokens are refreshed first and the profile is
     * fetched again with the new access token — the result of the first fetch is discarded
     * in that case. Valid means the configured id attribute is present in the profile.
     * Any exception is logged at DEBUG and treated as "invalid".
     *
     * @return true when the (possibly refreshed) token yields a profile with the id attribute
     */
    public boolean isValidAccessToken(App app, User user) {
        try {
            String oauthAlias = oauthAlias(user.getIdentifier());
            Map<String, Object> fetchProfileFromIDP = fetchProfileFromIDP(app, user.getIdpAccessToken(), null, oauthAlias);
            if (user.getIdpRefreshToken() != null) {
                refreshTokens(app, user);
                fetchProfileFromIDP = fetchProfileFromIDP(app, user.getIdpAccessToken(), null, oauthAlias);
            }
            if (fetchProfileFromIDP != null) {
                if (fetchProfileFromIDP.containsKey(Para.getConfig().getSettingForApp(app, configKey("parameters.id", oauthAlias), JWTClaimNames.SUBJECT))) {
                    return true;
                }
            }
            return false;
        } catch (Exception e) {
            // no argument for the "{}" placeholder; SLF4J treats the trailing Throwable as the exception
            LOG.debug("Invalid access token {}", (Throwable) e);
            return false;
        }
    }

    /**
     * Builds the user profile map from the id token claims plus the provider's profile endpoint.
     *
     * <p>The middle (payload) segment of {@code str2} is base64-decoded and merged first —
     * there is no signature verification here, so these claims are only as trustworthy as
     * the channel the id token arrived on. A GET to {@code security.oauth<alias>.profile_url}
     * with {@code Authorization: Bearer <str>} (and the optional configured Accept header)
     * then overwrites them on a 200 response. Non-200 bodies are read only for the error
     * log (abbreviated to 1000 chars). Any exception is logged and the map accumulated so
     * far is returned; the method never returns null.
     *
     * @param app  the app whose settings select the endpoint
     * @param str  access token sent as the bearer credential
     * @param str2 id token (JWT) or null
     * @param str3 provider alias
     * @return merged claims/profile attributes, possibly empty
     * @throws IOException declared; in practice exceptions are caught below
     */
    private Map<String, Object> fetchProfileFromIDP(App app, String str, String str2, String str3) throws IOException {
        HashMap hashMap = new HashMap();
        if (StringUtils.contains(str2, ".")) {
            // JWT payload = text between the first and last "."; decoded, not verified
            hashMap.putAll((Map) this.jreader.readValue(Utils.base64dec(StringUtils.substringBetween(str2, "."))));
        }
        String settingForApp = Para.getConfig().getSettingForApp(app, configKey("accept_header", str3), "");
        HttpGet httpGet = new HttpGet(Para.getConfig().getSettingForApp(app, configKey("profile_url", str3), ""));
        httpGet.setHeader("Authorization", "Bearer " + str);
        if (!StringUtils.isBlank(settingForApp)) {
            httpGet.setHeader("Accept", settingForApp);
        }
        try {
            CloseableHttpResponse execute = this.httpclient.execute((ClassicHttpRequest) httpGet);
            try {
                HttpEntity entity = execute.getEntity();
                String str4 = null; // error body, set only on non-200
                if (entity != null) {
                    if (execute.getCode() == 200) {
                        hashMap.putAll((Map) this.jreader.readValue(entity.getContent()));
                    } else {
                        str4 = IOUtils.toString(entity.getContent(), Para.getConfig().defaultEncoding());
                    }
                }
                if (hashMap.isEmpty() || str4 != null) {
                    LOG.error("OAuth 2 provider did not return any valid user information - response code {} {}, app '{}', payload {}", Integer.valueOf(execute.getCode()), execute.getReasonPhrase(), app.getId(), Utils.abbreviate(str4, 1000));
                }
                EntityUtils.consumeQuietly(entity);
                // decompiled try-with-resources: explicit close + empty finally
                if (execute != null) {
                    execute.close();
                }
            } finally {
            }
        } catch (Exception e) {
            // only the message is logged; the stack trace is dropped
            LOG.error("Failed to fetch profile form IDP for app {} - {}", app.getId(), e.getMessage());
        }
        return hashMap;
    }

    /**
     * Uses the user's stored refresh token to obtain new IDP tokens and persists the user.
     *
     * <p>Returns silently when the token endpoint yields no {@code access_token}. With
     * delegation enabled the new access/id tokens are stored; otherwise both are blanked.
     * The refresh token is replaced only if the provider rotated it.
     *
     * @throws IOException propagated from the token request
     */
    private void refreshTokens(App app, User user) throws IOException {
        Map<String, Object> map = tokenRequest(app, user.getIdpRefreshToken(), null, oauthAlias(user.getIdentifier()));
        if (map == null || !map.containsKey("access_token")) {
            return;
        }
        if (isAccessTokenDelegationEnabled(app, user)) {
            user.setIdpAccessToken((String) map.get("access_token"));
            user.setIdpIdToken((String) map.get("id_token"));
        } else {
            user.setIdpAccessToken("");
            user.setIdpIdToken("");
        }
        String str = (String) map.get("refresh_token");
        if (!StringUtils.equals(str, user.getIdpRefreshToken())) {
            user.setIdpRefreshToken(str);
        }
        printTokenDebugInfo(user);
        user.update();
    }

    /* JADX WARN: Removed duplicated region for block: B:16:0x012d  */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    /**
     * Token-endpoint call; body NOT recovered by the decompiler — this stub throws.
     *
     * <p>From the call sites: {@code r9} is the authorization code (attemptAuthentication)
     * or the refresh token (refreshTokens), {@code r10} the redirect URL or null, {@code r11}
     * the provider alias. NOTE(review): presumably formats PAYLOAD / REFRESH_PAYLOAD with the
     * app's client id and secret and parses the JSON response with {@code jreader}; confirm
     * against the original source.
     *
     * @return the parsed token response, or null (callers check for null)
     */
    private java.util.Map<java.lang.String, java.lang.Object> tokenRequest(com.erudika.para.core.App r8, java.lang.String r9, java.lang.String r10, java.lang.String r11) throws java.io.IOException {
        /*
            Method dump skipped, instructions count: 339
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: com.erudika.para.server.security.filters.GenericOAuth2Filter.tokenRequest(com.erudika.para.core.App, java.lang.String, java.lang.String, java.lang.String):java.util.Map");
    }

    /** Maps a provider alias to the identifier prefix stored on the user (null/other → default prefix). */
    private String oauthPrefix(String str) {
        return "third".equalsIgnoreCase(str) ? Config.OAUTH2_THIRD_PREFIX : "second".equalsIgnoreCase(str) ? Config.OAUTH2_SECOND_PREFIX : Config.OAUTH2_PREFIX;
    }

    /** Inverse of {@link #oauthPrefix(String)}: recovers the alias from a user identifier's prefix. */
    private String oauthAlias(String str) {
        return str.startsWith(Config.OAUTH2_THIRD_PREFIX) ? "third" : str.startsWith(Config.OAUTH2_SECOND_PREFIX) ? "second" : "";
    }

    /**
     * Builds a per-provider config key: {@code security.oauth.<key>} for the default alias,
     * {@code security.oauth<alias>.<key>} otherwise (e.g. alias "second" and key
     * "parameters.id" give {@code security.oauthsecond.parameters.id}).
     */
    private static String configKey(String str, String str2) {
        return StringUtils.isBlank(str2) ? "security.oauth." + str : "security.oauth" + str2 + "." + str;
    }

    /**
     * Resolves the picture to store for a user.
     *
     * <p>Null passes through. With {@code download_avatars} enabled the image is fetched
     * and stored locally via {@link #fetchAvatar}; otherwise any query string is stripped
     * from the URL ({@code CallerData.NA} is the string "?" — the decompiler resolved the
     * literal to a logback constant, and {@code indexOf(63)} is {@code indexOf('?')}).
     *
     * @param str  access token forwarded to fetchAvatar
     * @param str2 provider alias
     * @param str3 picture URL from the profile
     */
    private static String getPicture(App app, User user, String str, String str2, String str3) {
        if (str3 == null) {
            return null;
        }
        String str4 = str3;
        if ("true".equals(Para.getConfig().getSettingForApp(app, configKey("download_avatars", str2), "false"))) {
            str4 = fetchAvatar(app.getAppIdentifier().trim(), user.getId(), str, str3);
        } else if (str3.contains(CallerData.NA)) {
            str4 = str3.substring(0, str3.indexOf(63));
        }
        return str4;
    }

    /**
     * Downloads an avatar and stores it as {@code <appid or "para">/<userid>.<image subtype>}.
     *
     * <p>NOTE(review): the bearer access token is attached to a GET against whatever URL the
     * profile's picture attribute contained; if that URL points outside the IDP, the token
     * is disclosed to that host. Also, a new HttpClient is built per call and never closed
     * (only the response is); the shared {@code httpclient} is not used here.
     * Only bodies whose content type starts with "image" are stored; otherwise, or on any
     * exception (logged at ERROR), the original URL is returned.
     *
     * @param str  app identifier (null → {@link Config#PARA})
     * @param str2 user id, used as the file name
     * @param str3 access token; when null nothing is fetched
     * @param str4 picture URL
     * @return the stored file reference, or {@code str4} unchanged
     */
    private static String fetchAvatar(String str, String str2, String str3, String str4) {
        if (str3 != null) {
            HttpGet httpGet = new HttpGet(str4);
            httpGet.setHeader("Authorization", "Bearer " + str3);
            try {
                CloseableHttpResponse execute = HttpClientBuilder.create().build().execute((ClassicHttpRequest) httpGet);
                try {
                    HttpEntity entity = execute.getEntity();
                    if (entity != null && entity.getContentType().startsWith("image")) {
                        String store = Para.getFileStore().store(((String) Optional.ofNullable(str).orElse(Config.PARA)) + "/" + str2 + "." + StringUtils.substringAfter(entity.getContentType(), "/"), entity.getContent());
                        // decompiled try-with-resources close
                        if (execute != null) {
                            execute.close();
                        }
                        return store;
                    }
                    if (execute != null) {
                        execute.close();
                    }
                } finally {
                }
            } catch (Exception e) {
                LOG.error((String) null, (Throwable) e);
            }
        }
        return str4;
    }

    /** Null-safe accessor for the app identifier. */
    private String getAppid(App app) {
        if (app == null) {
            return null;
        }
        return app.getAppIdentifier();
    }

    /**
     * Joins given and family name with a space, falling back to whichever is present or
     * to "No Name" when both are blank.
     *
     * <p>The inner {@code isBlank(str2) ? "No Name" : str2} can only run when {@code str2}
     * is non-blank (outer condition), so that "No Name" is unreachable.
     *
     * @param str  given name
     * @param str2 family name
     */
    private String getFullName(String str, String str2) {
        return StringUtils.isBlank(str2) ? StringUtils.isBlank(str) ? "No Name" : str : StringUtils.isBlank(str) ? StringUtils.isBlank(str2) ? "No Name" : str2 : str + " " + str2;
    }

    /**
     * Extracts the email from the profile, synthesising one when the IDP provides none.
     *
     * <p>Lookup order: direct key; JSON Pointer when the key starts with "/"; the subject
     * id itself if it is a valid email; otherwise {@code <id>@<domain>}, or
     * {@code <id>@scoold.com} (with a warning) when the domain setting is blank. The
     * synthesised addresses are placeholders, not verified contact addresses.
     *
     * @param map  profile attributes
     * @param str  configured email attribute name or JSON Pointer
     * @param str2 subject id
     * @param str3 configured {@code domain} setting
     */
    private String getEmailFromProfile(Map<String, Object> map, String str, String str2, String str3) {
        String str4 = (String) map.get(str);
        if (StringUtils.isBlank(str4)) {
            if (str.startsWith("/")) {
                JsonNode at = ParaObjectUtils.getJsonMapper().valueToTree(map).at(str);
                if (!at.isMissingNode()) {
                    str4 = at.asText(str4);
                }
            }
            if (StringUtils.isBlank(str4)) {
                if (Utils.isValidEmail(str2)) {
                    str4 = str2;
                } else if (StringUtils.isBlank(str3)) {
                    LOG.warn("Blank email attribute for OAuth2 user '{}'.", str2);
                    str4 = str2 + "@scoold.com";
                } else {
                    str4 = str2.concat("@").concat(str3);
                }
            }
        }
        return str4;
    }

    /**
     * Reads the picture attribute: direct key first, then JSON Pointer when the key starts with "/".
     * Identical in logic to the name/given_name/family_name helpers below.
     */
    private String getPictureFromProfile(Map<String, Object> map, String str) {
        String str2 = (String) map.get(str);
        if (StringUtils.isBlank(str2) && str.startsWith("/")) {
            JsonNode at = ParaObjectUtils.getJsonMapper().valueToTree(map).at(str);
            if (!at.isMissingNode()) {
                str2 = at.asText(str2);
            }
        }
        return str2;
    }

    /** Reads the display-name attribute (direct key, then JSON Pointer fallback). */
    private String getNameFromProfile(Map<String, Object> map, String str) {
        String str2 = (String) map.get(str);
        if (StringUtils.isBlank(str2) && str.startsWith("/")) {
            JsonNode at = ParaObjectUtils.getJsonMapper().valueToTree(map).at(str);
            if (!at.isMissingNode()) {
                str2 = at.asText(str2);
            }
        }
        return str2;
    }

    /** Reads the given-name attribute (direct key, then JSON Pointer fallback). */
    private String getGivenNameFromProfile(Map<String, Object> map, String str) {
        String str2 = (String) map.get(str);
        if (StringUtils.isBlank(str2) && str.startsWith("/")) {
            JsonNode at = ParaObjectUtils.getJsonMapper().valueToTree(map).at(str);
            if (!at.isMissingNode()) {
                str2 = at.asText(str2);
            }
        }
        return str2;
    }

    /** Reads the family-name attribute (direct key, then JSON Pointer fallback); despite its name it is passed the family_name key. */
    private String getFirstNameFromProfile(Map<String, Object> map, String str) {
        String str2 = (String) map.get(str);
        if (StringUtils.isBlank(str2) && str.startsWith("/")) {
            JsonNode at = ParaObjectUtils.getJsonMapper().valueToTree(map).at(str);
            if (!at.isMissingNode()) {
                str2 = at.asText(str2);
            }
        }
        return str2;
    }

    /**
     * DEBUG-logs the decoded access/id token payloads and the raw refresh token.
     *
     * <p>The refresh token is a long-lived credential and the payloads may carry PII; this
     * output must only be enabled where the log sink is as protected as the user store.
     * Decoding failures are swallowed at DEBUG.
     */
    private void printTokenDebugInfo(User user) {
        try {
            LOG.debug("Updated OAuth2 tokens for user " + user.getId() + ":\nidpAccessTokenPayload: " + Utils.base64dec(user.getIdpAccessTokenPayload()) + "\nidpIdTokenPayload: " + Utils.base64dec(user.getIdpIdTokenPayload()) + "\nidpRefreshToken: " + user.getIdpRefreshToken());
        } catch (Exception e) {
            LOG.debug((String) null, (Throwable) e);
        }
    }
}
