package org.modelio.vbasic.oidc.flows;

import com.nimbusds.jwt.JWT;
import com.nimbusds.oauth2.sdk.AuthorizationCode;
import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
import com.nimbusds.oauth2.sdk.ErrorObject;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.ResponseType;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.TokenRequest;
import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.http.HTTPResponse;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.State;
import com.nimbusds.oauth2.sdk.pkce.CodeChallengeMethod;
import com.nimbusds.oauth2.sdk.pkce.CodeVerifier;
import com.nimbusds.openid.connect.sdk.AuthenticationErrorResponse;
import com.nimbusds.openid.connect.sdk.AuthenticationRequest;
import com.nimbusds.openid.connect.sdk.AuthenticationResponse;
import com.nimbusds.openid.connect.sdk.AuthenticationResponseParser;
import com.nimbusds.openid.connect.sdk.AuthenticationSuccessResponse;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
import com.nimbusds.openid.connect.sdk.op.ReadOnlyOIDCProviderMetadata;
import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
import java.io.IOException;
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.CancellationException;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionException;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.ScheduledThreadPoolExecutor;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.function.Supplier;
import org.apache.http.HttpRequest;
import org.apache.http.HttpResponse;
import org.apache.http.entity.InputStreamEntity;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.bootstrap.HttpServer;
import org.apache.http.impl.bootstrap.ServerBootstrap;
import org.apache.http.protocol.HttpContext;
import org.modelio.vbasic.files.FileUtils;
import org.modelio.vbasic.log.Log;
import org.modelio.vbasic.net.HttpErrorMapper;
import org.modelio.vbasic.net.UriAuthenticationException;
import org.modelio.vbasic.oidc.IOidcAuthenticationFlow;
import org.modelio.vbasic.oidc.IOidcWebBrowser;
import org.modelio.vbasic.oidc.OidcBrowserFlowBuilder;

/* loaded from: input_file:org/modelio/vbasic/oidc/flows/OidcBrowserFlow.class */
public class OidcBrowserFlow implements IOidcAuthenticationFlow {
    private final String loginHint;
    private final ReadOnlyOIDCProviderMetadata metadata;
    private final ClientID clientId;
    private final Secret clientSecret;
    private JWT idTokenHint;
    private final IOidcWebBrowser webBrowser;
    private static final ScheduledExecutorService timerExecutor = createTimerExecutor();
    private CompletableFuture<IOidcAuthenticationFlow.AuthResponse> runningAuthFlow;
    private final Object runningAuthFlowGuard;

    private static ScheduledExecutorService createTimerExecutor() {
        AtomicInteger atomicInteger = new AtomicInteger(0);
        ScheduledThreadPoolExecutor scheduledThreadPoolExecutor = new ScheduledThreadPoolExecutor(1, runnable -> {
            return new Thread(runnable, "OIDC login timeout timer -" + atomicInteger.incrementAndGet());
        });
        scheduledThreadPoolExecutor.setRemoveOnCancelPolicy(true);
        return scheduledThreadPoolExecutor;
    }

    public OidcBrowserFlow(ReadOnlyOIDCProviderMetadata readOnlyOIDCProviderMetadata, ClientID clientID, Secret secret, IOidcWebBrowser iOidcWebBrowser, OIDCTokens oIDCTokens) {
        this.runningAuthFlowGuard = new Object();
        this.metadata = readOnlyOIDCProviderMetadata;
        this.clientId = clientID;
        this.clientSecret = secret;
        this.webBrowser = iOidcWebBrowser;
        this.idTokenHint = oIDCTokens != null ? oIDCTokens.getIDToken() : null;
        this.loginHint = null;
    }

    public OidcBrowserFlow(ReadOnlyOIDCProviderMetadata readOnlyOIDCProviderMetadata, ClientID clientID, Secret secret, IOidcWebBrowser iOidcWebBrowser) {
        this(readOnlyOIDCProviderMetadata, clientID, secret, iOidcWebBrowser, null);
    }

    public OidcBrowserFlow(ReadOnlyOIDCProviderMetadata readOnlyOIDCProviderMetadata, OidcBrowserFlowBuilder oidcBrowserFlowBuilder) throws IOException {
        this.runningAuthFlowGuard = new Object();
        this.metadata = readOnlyOIDCProviderMetadata;
        this.clientId = new ClientID(oidcBrowserFlowBuilder.getClientId());
        this.clientSecret = oidcBrowserFlowBuilder.getSecret() == null ? null : new Secret(oidcBrowserFlowBuilder.getSecret());
        this.webBrowser = oidcBrowserFlowBuilder.getWebBrowser();
        this.loginHint = oidcBrowserFlowBuilder.getLoginHint();
        if (oidcBrowserFlowBuilder.getPreviousAuth() != null) {
            this.idTokenHint = oidcBrowserFlowBuilder.getPreviousAuth().run().tokens.getIDToken();
        } else {
            this.idTokenHint = null;
        }
    }

    private AuthorizationCode parseAuthenticationResponse(String str, State state) throws IOException {
        try {
            AuthenticationResponse parse = AuthenticationResponseParser.parse(new URI(str));
            if (parse instanceof AuthenticationErrorResponse) {
                ErrorObject errorObject = parse.toErrorResponse().getErrorObject();
                throw HttpErrorMapper.create(errorObject.getHTTPStatusCode(), this.metadata.getAuthorizationEndpointURI().toString(), errorObject.getDescription(), null);
            }
            AuthenticationSuccessResponse successResponse = parse.toSuccessResponse();
            if (successResponse.getState() == null || Objects.equals(successResponse.getState(), state)) {
                return successResponse.getAuthorizationCode();
            }
            throw new UriAuthenticationException("Request state does not match response state, May indicate man in the middle attack!");
        } catch (ParseException e) {
            throw new UriAuthenticationException(e, str.toString(), e.getLocalizedMessage());
        } catch (URISyntaxException e2) {
            throw new UriAuthenticationException(e2, str.toString(), e2.getLocalizedMessage());
        }
    }

    private URI computeAuthcodeRequest(URI uri, State state, CodeVerifier codeVerifier, Nonce nonce) throws IOException {
        return new AuthenticationRequest.Builder(ResponseType.CODE, new Scope(OIDCScopeValue.OPENID), this.clientId, uri).nonce(nonce).state(state).endpointURI(this.metadata.getAuthorizationEndpointURI()).loginHint(this.idTokenHint == null ? this.loginHint : null).idTokenHint(this.idTokenHint).responseMode(this.metadata.getResponseModes().get(0)).codeChallenge(codeVerifier, chooseCodeChallengeMethod()).build().toURI();
    }

    private CodeChallengeMethod chooseCodeChallengeMethod() throws IOException {
        CodeChallengeMethod codeChallengeMethod;
        List<CodeChallengeMethod> codeChallengeMethods = this.metadata.getCodeChallengeMethods();
        codeChallengeMethods.get(codeChallengeMethods.size() - 1);
        if (codeChallengeMethods.contains(CodeChallengeMethod.S256)) {
            codeChallengeMethod = CodeChallengeMethod.S256;
        } else {
            if (!codeChallengeMethods.contains(CodeChallengeMethod.PLAIN)) {
                throw new IOException("The identity server support no known PKCE challenge method");
            }
            codeChallengeMethod = CodeChallengeMethod.PLAIN;
        }
        return codeChallengeMethod;
    }

    private void handleLocalServerRequest(HttpRequest httpRequest, HttpResponse httpResponse, HttpContext httpContext, Predicate<IOidcWebBrowser.IHttpResponse> predicate, Supplier<IOidcWebBrowser.IHttpResponse> supplier) {
        try {
            URI create = URI.create(httpRequest.getRequestLine().getUri());
            IOidcWebBrowser.IHttpResponse iHttpResponse = (IOidcWebBrowser.IHttpResponse) Optional.ofNullable(this.webBrowser.getOidcRedirectServer()).map(oidcRedirectServer -> {
                return oidcRedirectServer.serve(create.getPath());
            }).filter(predicate != null ? predicate : iHttpResponse2 -> {
                return iHttpResponse2 != null;
            }).orElseGet(supplier);
            InputStreamEntity inputStreamEntity = new InputStreamEntity(iHttpResponse.getContent());
            inputStreamEntity.setContentType(iHttpResponse.getContentType());
            httpResponse.setEntity(inputStreamEntity);
            httpResponse.setStatusCode(iHttpResponse.getStatusCode());
        } catch (RuntimeException e) {
            Log.error(e);
            httpResponse.setEntity(new StringEntity("Unexpected failure, send Modelio log to support team.", StandardCharsets.UTF_8.name()));
            httpResponse.setStatusCode(500);
        }
    }

    private HttpServer startLocalServer(State state, CompletableFuture<AuthorizationCode> completableFuture) throws IOException {
        ServerBootstrap registerHandler = ServerBootstrap.bootstrap().setListenerPort(0).setLocalAddress(InetAddress.getLoopbackAddress()).registerHandler("/", (httpRequest, httpResponse, httpContext) -> {
            try {
                AuthorizationCode parseAuthenticationResponse = parseAuthenticationResponse(httpRequest.getRequestLine().getUri(), state);
                NimbusDumper.logTrace(this, "Auth code received by local server. ", new Object[0]);
                completableFuture.complete(parseAuthenticationResponse);
                handleLocalServerRequest(httpRequest, httpResponse, httpContext, iHttpResponse -> {
                    return iHttpResponse != null && iHttpResponse.getStatusCode() >= 200 && iHttpResponse.getStatusCode() < 400;
                }, () -> {
                    return IOidcWebBrowser.BasicHttpResponse.ofString(HTTPResponse.SC_OK, "<center><h1>Authentication successful</h1><p>Just wait for the browser to close.</p></center> ");
                });
            } catch (IOException e) {
                completableFuture.completeExceptionally(e);
                httpResponse.setEntity(new StringEntity("Unexpected failure : " + FileUtils.getLocalizedMessage(e), StandardCharsets.UTF_8.name()));
                httpResponse.setStatusCode(500);
                Log.error(e);
            }
        });
        if (this.webBrowser.getOidcRedirectServer() != null) {
            registerHandler.registerHandler("*", (httpRequest2, httpResponse2, httpContext2) -> {
                handleLocalServerRequest(httpRequest2, httpResponse2, httpContext2, iHttpResponse -> {
                    return iHttpResponse != null;
                }, () -> {
                    return IOidcWebBrowser.BasicHttpResponse.ofString(HTTPResponse.SC_NOT_FOUND, "<center><h1>Authentication successful</h1><p>Path not found</p></center>");
                });
            });
        }
        HttpServer create = registerHandler.create();
        create.start();
        return create;
    }

    @Override // org.modelio.vbasic.oidc.IOidcAuthenticationFlow
    public IOidcAuthenticationFlow.AuthResponse run() throws IOException {
        try {
            return getOrCreateBrowserProcess().get();
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new UriAuthenticationException(e, this.metadata.getAuthorizationEndpointURI().toString(), e.getLocalizedMessage());
        } catch (CancellationException e2) {
            throw new UriAuthenticationException(e2, this.metadata.getAuthorizationEndpointURI().toString(), e2.getLocalizedMessage());
        } catch (ExecutionException e3) {
            String localizedMessage = e3.getCause().getLocalizedMessage();
            if (e3.getCause() instanceof IOException) {
                localizedMessage = FileUtils.getLocalizedMessage((IOException) e3.getCause());
            } else if (e3.getCause() instanceof TimeoutException) {
                localizedMessage = "Authentication time out elapsed.";
            }
            throw new UriAuthenticationException(e3, this.metadata.getAuthorizationEndpointURI().toString(), localizedMessage);
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v1, types: [java.lang.Object] */
    /* JADX WARN: Type inference failed for: r0v2, types: [java.lang.Throwable] */
    /* JADX WARN: Type inference failed for: r0v6 */
    private CompletableFuture<IOidcAuthenticationFlow.AuthResponse> getOrCreateBrowserProcess() throws IOException {
        ?? r0 = this.runningAuthFlowGuard;
        synchronized (r0) {
            CompletableFuture<IOidcAuthenticationFlow.AuthResponse> completableFuture = this.runningAuthFlow;
            if (completableFuture == null) {
                completableFuture = createBrowserProcess();
                this.runningAuthFlow = completableFuture;
                completableFuture.whenComplete((authResponse, th) -> {
                    ?? r02 = this.runningAuthFlowGuard;
                    synchronized (r02) {
                        this.runningAuthFlow = null;
                        r02 = r02;
                    }
                });
            }
            r0 = r0;
            return completableFuture;
        }
    }

    private CompletableFuture<IOidcAuthenticationFlow.AuthResponse> createBrowserProcess() throws IOException {
        Nonce nonce = new Nonce();
        State state = new State();
        CompletableFuture<AuthorizationCode> completableFuture = new CompletableFuture<>();
        HttpServer startLocalServer = startLocalServer(state, completableFuture);
        URI computeServerUri = computeServerUri(startLocalServer);
        NimbusDumper.logTrace(this, "Server listening on: %s", computeServerUri);
        CodeVerifier codeVerifier = new CodeVerifier();
        URI computeAuthcodeRequest = computeAuthcodeRequest(computeServerUri, state, codeVerifier, nonce);
        CompletableFuture<IOidcAuthenticationFlow.AuthResponse> thenApply = completableFuture.thenApply((Function<? super AuthorizationCode, ? extends U>) authorizationCode -> {
            NimbusDumper.logTrace(this, "OIDC Authorization code received. ", new Object[0]);
            try {
                NimbusDumper.logTrace(this, "Requesting OIDC tokens ...", new Object[0]);
                IOidcAuthenticationFlow.AuthResponse tokenFromAuthcode = getTokenFromAuthcode(authorizationCode, computeServerUri, codeVerifier, nonce);
                Object[] objArr = new Object[3];
                objArr[0] = tokenFromAuthcode.tokens.getAccessToken() != null ? "one" : "NO";
                objArr[1] = tokenFromAuthcode.tokens.getRefreshToken() != null ? "one" : "NO";
                objArr[2] = tokenFromAuthcode.tokens.getIDToken() != null ? "one" : "NO";
                NimbusDumper.logTrace(this, "Received %s access token, %s refresh token, %s ID token.", objArr);
                this.idTokenHint = tokenFromAuthcode.tokens.getIDToken();
                return tokenFromAuthcode;
            } catch (IOException e) {
                throw new CompletionException(e);
            }
        });
        addTimeout(thenApply);
        thenApply.whenCompleteAsync((authResponse, th) -> {
            NimbusDumper.logTrace(this, "Requesting browser close.", new Object[0]);
            this.webBrowser.closeBrowser();
            NimbusDumper.logTrace(this, "Stopping server: %s", computeServerUri);
            startLocalServer.shutdown(5L, TimeUnit.SECONDS);
            NimbusDumper.logTrace(this, "Stopped server: %s", computeServerUri);
        });
        NimbusDumper.logTrace(this, "Open browser toward: %s...", computeAuthcodeRequest.resolve(computeAuthcodeRequest.getRawPath()));
        this.webBrowser.browse(computeAuthcodeRequest, () -> {
            if (thenApply.isDone()) {
                NimbusDumper.logTrace(this, "Browser close detected after login ended, nothing to do.", new Object[0]);
            } else {
                NimbusDumper.logTrace(this, "Browser closed during login process, abort login.", new Object[0]);
                thenApply.completeExceptionally(new CancellationException("Login cancelled by the user"));
            }
        });
        return thenApply;
    }

    private CompletableFuture<IOidcAuthenticationFlow.AuthResponse> addTimeout(CompletableFuture<IOidcAuthenticationFlow.AuthResponse> completableFuture) {
        ScheduledFuture schedule = timerExecutor.schedule(() -> {
            NimbusDumper.logTrace(this, "Time out waiting for login to end.", new Object[0]);
            return Boolean.valueOf(completableFuture.completeExceptionally(new TimeoutException()));
        }, 10L, TimeUnit.MINUTES);
        return completableFuture.whenComplete((authResponse, th) -> {
            schedule.cancel(true);
        });
    }

    private static URI computeServerUri(HttpServer httpServer) throws IOException {
        try {
            return new URI("http", null, httpServer.getInetAddress().getHostName(), httpServer.getLocalPort(), null, null, null);
        } catch (URISyntaxException e) {
            throw new IOException(httpServer.getInetAddress().getHostName() + ":" + httpServer.getLocalPort() + ": " + e.getLocalizedMessage(), e);
        }
    }

    private IOidcAuthenticationFlow.AuthResponse getTokenFromAuthcode(AuthorizationCode authorizationCode, URI uri, CodeVerifier codeVerifier, Nonce nonce) throws IOException {
        return NimbusHelper.requestOidcTokens(this.metadata, this.clientSecret != null ? new TokenRequest(this.metadata.getTokenEndpointURI(), new ClientSecretBasic(this.clientId, this.clientSecret), new AuthorizationCodeGrant(authorizationCode, uri, codeVerifier)) : new TokenRequest(this.metadata.getTokenEndpointURI(), this.clientId, new AuthorizationCodeGrant(authorizationCode, uri, codeVerifier)));
    }
}
