package eu.openanalytics.containerproxy.auth.impl;

import eu.openanalytics.containerproxy.auth.IAuthenticationBackend;
import eu.openanalytics.containerproxy.auth.impl.msgraph.MicrosoftGraphGroupFetcher;
import eu.openanalytics.containerproxy.auth.impl.oidc.AccessTokenDecoder;
import eu.openanalytics.containerproxy.auth.impl.oidc.OpenIdReAuthorizeFilter;
import eu.openanalytics.containerproxy.spec.expression.SpecExpressionContext;
import eu.openanalytics.containerproxy.spec.expression.SpecExpressionResolver;
import eu.openanalytics.containerproxy.util.ContextPathHelper;
import jakarta.servlet.Filter;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import javax.inject.Inject;
import net.minidev.json.JSONArray;
import net.minidev.json.parser.JSONParser;
import net.minidev.json.parser.ParseException;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Lazy;
import org.springframework.core.env.Environment;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestCustomizers;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.oidc.OidcIdToken;
import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
import org.springframework.security.oauth2.core.oidc.StandardClaimAccessor;
import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
import org.springframework.web.servlet.support.ServletUriComponentsBuilder;

/* loaded from: input_file:BOOT-INF/lib/containerproxy-1.2.0.jar:eu/openanalytics/containerproxy/auth/impl/OpenIDAuthenticationBackend.class */
public class OpenIDAuthenticationBackend implements IAuthenticationBackend {
    public static final String NAME = "openid";
    private static final String ENV_TOKEN_NAME = "SHINYPROXY_OIDC_ACCESS_TOKEN";
    private static OAuth2AuthorizedClientService oAuth2AuthorizedClientService;
    private static AccessTokenDecoder accessTokenDecoder;
    private static final Logger log = LogManager.getLogger((Class<?>) OpenIDAuthenticationBackend.class);

    @Inject
    private Environment environment;

    @Inject
    private ClientRegistrationRepository clientRegistrationRepo;

    @Inject
    @Lazy
    private SavedRequestAwareAuthenticationSuccessHandler successHandler;

    @Inject
    private OpenIdReAuthorizeFilter openIdReAuthorizeFilter;

    @Inject
    private SpecExpressionResolver specExpressionResolver;

    @Inject
    private ContextPathHelper contextPathHelper;

    @Autowired(required = false)
    private MicrosoftGraphGroupFetcher microsoftGraphGroupFetcher;

    /* loaded from: input_file:BOOT-INF/lib/containerproxy-1.2.0.jar:eu/openanalytics/containerproxy/auth/impl/OpenIDAuthenticationBackend$CustomNameOidcUser.class */
    public static class CustomNameOidcUser extends DefaultOidcUser {
        private static final long serialVersionUID = 7563253562760236634L;
        private static final String ID_ATTR_EMAILS = "emails";
        private final boolean isEmailsAttribute;

        public CustomNameOidcUser(Set<GrantedAuthority> set, OidcIdToken oidcIdToken, OidcUserInfo oidcUserInfo, String str) {
            super(set, oidcIdToken, oidcUserInfo, str);
            this.isEmailsAttribute = str.equals(ID_ATTR_EMAILS);
        }

        @Override // org.springframework.security.oauth2.core.user.DefaultOAuth2User, org.springframework.security.core.AuthenticatedPrincipal
        public String getName() {
            if (!this.isEmailsAttribute) {
                return super.getName();
            }
            Object obj = getAttributes().get(ID_ATTR_EMAILS);
            return obj instanceof String[] ? ((String[]) obj)[0] : obj instanceof JSONArray ? ((JSONArray) obj).getFirst().toString() : obj instanceof Collection ? ((Collection) obj).stream().findFirst().get().toString() : obj.toString();
        }

        public String getRefreshToken() {
            OAuth2AuthorizedClient refreshClient = OpenIDAuthenticationBackend.refreshClient(getName());
            if (refreshClient == null || refreshClient.getRefreshToken() == null) {
                return null;
            }
            return refreshClient.getRefreshToken().getTokenValue();
        }

        public String getAccessToken() {
            OAuth2AuthorizedClient refreshClient = OpenIDAuthenticationBackend.refreshClient(getName());
            if (refreshClient == null || refreshClient.getAccessToken() == null) {
                return null;
            }
            return refreshClient.getAccessToken().getTokenValue();
        }

        public Jwt getAccessTokenAsJwt() {
            try {
                return OpenIDAuthenticationBackend.accessTokenDecoder.decode(getAccessToken());
            } catch (JwtException e) {
                OpenIDAuthenticationBackend.log.warn("Failed to decode access token as JWT", (Throwable) e);
                throw e;
            }
        }
    }

    public static List<String> parseRolesClaim(Logger logger, String str, String str2, Object obj) {
        if (obj == null) {
            logger.debug(String.format("No roles claim with name %s found in %s", str2, str));
            return new ArrayList();
        }
        logger.debug(String.format("Matching claim found in %s: %s -> %s (%s)", str, str2, obj, obj.getClass()));
        if (obj instanceof Collection) {
            ArrayList arrayList = new ArrayList();
            for (Object obj2 : (Collection) obj) {
                if (obj2 != null) {
                    arrayList.add(obj2.toString());
                }
            }
            logger.debug(String.format("Parsed roles claim as Java Collection: %s -> %s (%s)", str2, arrayList, arrayList.getClass()));
            return arrayList;
        }
        if (!(obj instanceof String)) {
            logger.debug(String.format("No parser found for roles claim (unsupported type): %s -> %s (%s)", str2, obj, obj.getClass()));
            return new ArrayList();
        }
        ArrayList arrayList2 = new ArrayList();
        try {
            Object parse = new JSONParser(-1).parse((String) obj);
            if (parse instanceof List) {
                ((List) parse).forEach(obj3 -> {
                    arrayList2.add(obj3.toString());
                });
            }
        } catch (ParseException e) {
            logger.debug(String.format("Unable to parse claim as JSON: %s -> %s (%s)", str2, obj, obj.getClass()));
        }
        logger.debug(String.format("Parsed roles claim as JSON: %s -> %s (%s)", str2, arrayList2, arrayList2.getClass()));
        return arrayList2;
    }

    public Set<GrantedAuthority> parseClaims(StandardClaimAccessor standardClaimAccessor, String str) {
        String str2 = standardClaimAccessor instanceof OidcIdToken ? "ID token" : "user info";
        if (log.isDebugEnabled()) {
            String lineSeparator = System.lineSeparator();
            log.debug(String.format("Available claims in %s (%d):%s%s", str2, Integer.valueOf(standardClaimAccessor.getClaims().size()), lineSeparator, (String) standardClaimAccessor.getClaims().entrySet().stream().map(entry -> {
                return String.format("%s -> %s", entry.getKey(), entry.getValue());
            }).collect(Collectors.joining(lineSeparator))));
        }
        HashSet hashSet = new HashSet();
        if (str == null || str.isEmpty()) {
            return hashSet;
        }
        for (String str3 : parseRolesClaim(log, str2, str, standardClaimAccessor.getClaims().get(str))) {
            hashSet.add(new SimpleGrantedAuthority((str3.toUpperCase().startsWith("ROLE_") ? str3 : "ROLE_" + str3).toUpperCase()));
        }
        return hashSet;
    }

    private static OAuth2AuthorizedClient refreshClient(String str) {
        return oAuth2AuthorizedClientService.loadAuthorizedClient("shinyproxy", str);
    }

    @Autowired
    public void setAccessTokenDecoder(AccessTokenDecoder accessTokenDecoder2) {
        accessTokenDecoder = accessTokenDecoder2;
    }

    @Autowired
    public void setOAuth2AuthorizedClientService(OAuth2AuthorizedClientService oAuth2AuthorizedClientService2) {
        oAuth2AuthorizedClientService = oAuth2AuthorizedClientService2;
    }

    @Override // eu.openanalytics.containerproxy.auth.IAuthenticationBackend
    public String getName() {
        return "openid";
    }

    @Override // eu.openanalytics.containerproxy.auth.IAuthenticationBackend
    public boolean hasAuthorization() {
        return true;
    }

    @Override // eu.openanalytics.containerproxy.auth.IAuthenticationBackend
    public void configureHttpSecurity(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.oauth2Login(oAuth2LoginConfigurer -> {
            oAuth2LoginConfigurer.loginPage(DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL).successHandler(this.successHandler).clientRegistrationRepository(this.clientRegistrationRepo).authorizedClientService(oAuth2AuthorizedClientService).authorizationEndpoint(authorizationEndpointConfig -> {
                authorizationEndpointConfig.authorizationRequestResolver(authorizationRequestResolver());
            }).failureHandler((httpServletRequest, httpServletResponse, authenticationException) -> {
                log.error(authenticationException);
                httpServletResponse.sendRedirect(ServletUriComponentsBuilder.fromCurrentContextPath().path("/auth-error").build().toUriString());
            }).userInfoEndpoint(userInfoEndpointConfig -> {
                userInfoEndpointConfig.userAuthoritiesMapper(createAuthoritiesMapper()).oidcUserService(createOidcUserService());
            });
        }).addFilterAfter((Filter) this.openIdReAuthorizeFilter, UsernamePasswordAuthenticationFilter.class);
    }

    private OAuth2AuthorizationRequestResolver authorizationRequestResolver() {
        Boolean bool = (Boolean) this.environment.getProperty("proxy.openid.with-pkce", Boolean.class, false);
        DefaultOAuth2AuthorizationRequestResolver defaultOAuth2AuthorizationRequestResolver = new DefaultOAuth2AuthorizationRequestResolver(this.clientRegistrationRepo, OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI);
        if (bool.booleanValue()) {
            defaultOAuth2AuthorizationRequestResolver.setAuthorizationRequestCustomizer(OAuth2AuthorizationRequestCustomizers.withPkce());
        }
        return defaultOAuth2AuthorizationRequestResolver;
    }

    @Override // eu.openanalytics.containerproxy.auth.IAuthenticationBackend
    public void configureAuthenticationManagerBuilder(AuthenticationManagerBuilder authenticationManagerBuilder) {
    }

    public String getLoginRedirectURI() {
        return this.contextPathHelper.withoutEndingSlash() + "/oauth2/authorization/shinyproxy";
    }

    @Override // eu.openanalytics.containerproxy.auth.IAuthenticationBackend
    public String getLogoutSuccessURL() {
        String property = this.environment.getProperty("proxy.openid.logout-url");
        if (property == null || property.trim().isEmpty()) {
            property = super.getLogoutSuccessURL();
        }
        return property;
    }

    @Override // eu.openanalytics.containerproxy.auth.IAuthenticationBackend
    public void customizeContainerEnv(Authentication authentication, Map<String, String> map) {
        OAuth2AuthorizedClient refreshClient = refreshClient(authentication.getName());
        if (refreshClient == null || refreshClient.getAccessToken() == null) {
            return;
        }
        map.put(ENV_TOKEN_NAME, refreshClient.getAccessToken().getTokenValue());
    }

    @Override // eu.openanalytics.containerproxy.auth.IAuthenticationBackend
    public LogoutSuccessHandler getLogoutSuccessHandler() {
        return (httpServletRequest, httpServletResponse, authentication) -> {
            String evaluateToString = authentication != null ? this.specExpressionResolver.evaluateToString(getLogoutSuccessURL(), SpecExpressionContext.create(authentication.getPrincipal(), authentication.getCredentials()).build()) : getLogoutSuccessURL();
            SimpleUrlLogoutSuccessHandler simpleUrlLogoutSuccessHandler = new SimpleUrlLogoutSuccessHandler();
            simpleUrlLogoutSuccessHandler.setDefaultTargetUrl(evaluateToString);
            simpleUrlLogoutSuccessHandler.onLogoutSuccess(httpServletRequest, httpServletResponse, authentication);
        };
    }

    protected GrantedAuthoritiesMapper createAuthoritiesMapper() {
        if (this.microsoftGraphGroupFetcher != null) {
            return collection -> {
                Iterator it = collection.iterator();
                while (it.hasNext()) {
                    GrantedAuthority grantedAuthority = (GrantedAuthority) it.next();
                    if (grantedAuthority instanceof OidcUserAuthority) {
                        OidcIdToken idToken = ((OidcUserAuthority) grantedAuthority).getIdToken();
                        if (idToken.hasClaim("oid")) {
                            return this.microsoftGraphGroupFetcher.fetchGroups(idToken.getClaimAsString("oid"));
                        }
                        log.warn("Required claim 'oid' not found, make sure to include the 'profile' scope - continuing without groups");
                        return Set.of();
                    }
                }
                return Set.of();
            };
        }
        String property = this.environment.getProperty("proxy.openid.roles-claim");
        return collection2 -> {
            HashSet hashSet = new HashSet();
            Iterator it = collection2.iterator();
            while (it.hasNext()) {
                GrantedAuthority grantedAuthority = (GrantedAuthority) it.next();
                if (grantedAuthority instanceof OidcUserAuthority) {
                    OidcIdToken idToken = ((OidcUserAuthority) grantedAuthority).getIdToken();
                    if (idToken != null) {
                        hashSet.addAll(parseClaims(idToken, property));
                    }
                    OidcUserInfo userInfo = ((OidcUserAuthority) grantedAuthority).getUserInfo();
                    if (userInfo != null) {
                        hashSet.addAll(parseClaims(userInfo, property));
                    }
                }
            }
            return hashSet;
        };
    }

    protected OidcUserService createOidcUserService() {
        return new OidcUserService() { // from class: eu.openanalytics.containerproxy.auth.impl.OpenIDAuthenticationBackend.1
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService, org.springframework.security.oauth2.client.userinfo.OAuth2UserService
            public OidcUser loadUser(OidcUserRequest oidcUserRequest) throws OAuth2AuthenticationException {
                try {
                    OidcUser loadUser = super.loadUser(oidcUserRequest);
                    return new CustomNameOidcUser(new HashSet(loadUser.getAuthorities()), loadUser.getIdToken(), loadUser.getUserInfo(), OpenIDAuthenticationBackend.this.environment.getProperty("proxy.openid.username-attribute", "email"));
                } catch (IllegalArgumentException e) {
                    OpenIDAuthenticationBackend.log.warn("Error while loading user info: {}", e.getMessage());
                    throw new OAuth2AuthenticationException(new OAuth2Error("invalid_request"), "Error while loading user info", e);
                } catch (OAuth2AuthenticationException e2) {
                    OpenIDAuthenticationBackend.log.warn("Error while loading user info: {}", e2.getMessage());
                    throw e2;
                }
            }
        };
    }
}
