package com.floragunn.dlic.auth.http.jwt.keybyoidc;

import com.floragunn.codova.config.net.ProxyConfig;
import com.floragunn.codova.documents.DocReader;
import com.floragunn.dlic.auth.ldap.util.ConfigConstants;
import com.floragunn.dlic.util.SettingsBasedSSLConfigurator;
import com.floragunn.searchguard.authc.AuthenticatorUnavailableException;
import java.io.IOException;
import java.net.URI;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import org.apache.cxf.rs.security.jose.jwk.JsonWebKeys;
import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.StatusLine;
import org.apache.http.client.cache.CacheResponseStatus;
import org.apache.http.client.cache.HttpCacheContext;
import org.apache.http.client.cache.HttpCacheStorage;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.ByteArrayEntity;
import org.apache.http.entity.ContentType;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.client.cache.BasicHttpCacheStorage;
import org.apache.http.impl.client.cache.CacheConfig;
import org.apache.http.impl.client.cache.CachingHttpClientBuilder;
import org.apache.http.impl.client.cache.CachingHttpClients;
import org.apache.http.message.BasicHttpResponse;
import org.apache.http.message.BasicNameValuePair;
import org.apache.http.util.EntityUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.SpecialPermission;

/* loaded from: input_file:com/floragunn/dlic/auth/http/jwt/keybyoidc/OpenIdProviderClient.class */
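/**
 * HTTP client for a single OpenID Connect provider.
 *
 * <p>It fetches the provider's discovery document ({@link #getOidcConfiguration()}), the JSON Web
 * Key Set advertised there ({@link #getJsonWebKeys()}) and exchanges authorization codes at the
 * token endpoint ({@link #callTokenEndpoint(String, String, String, String, String)}).
 *
 * <p>Every network call runs inside {@link AccessController#doPrivileged} after a
 * {@link SpecialPermission} check, following the Elasticsearch plugin security-manager convention.
 * Transport errors surface as {@link AuthenticatorUnavailableException}; non-2xx responses from the
 * discovery and JWKS endpoints do too.
 *
 * <p>Thread-safety: the cache statistics counters are updated without synchronization, so when one
 * instance is shared between threads their values are best-effort only.
 */
public class OpenIdProviderClient {
    private static final Logger log = LogManager.getLogger(OpenIdProviderClient.class);
    /** Cache statistics are written to the log at most once per hour. */
    private static final long CACHE_STATUS_LOG_INTERVAL_MS = 3600000;
    /** Limits of the optional in-memory HTTP cache used for the discovery document. */
    private static final int CACHE_MAX_ENTRIES = 10;
    private static final long CACHE_MAX_OBJECT_SIZE_BYTES = 1048576L;

    private final URI openIdConnectEndpoint;
    private final SettingsBasedSSLConfigurator.SSLConfig sslConfig;
    private final ProxyConfig proxyConfig;
    // Both are null when caching of the discovery document is disabled.
    private final CacheConfig cacheConfig;
    private final HttpCacheStorage oidcHttpCacheStorage;
    private int requestTimeoutMs = 10000;

    // Cache statistics for discovery-document requests; see logCacheResponseStatus().
    private int oidcCacheHits = 0;
    private int oidcCacheMisses = 0;
    private int oidcCacheHitsValidated = 0;
    private int oidcCacheModuleResponses = 0;
    private long oidcRequests = 0;
    private long lastCacheStatusLog = 0;

    /**
     * Immutable view of a token endpoint response (the fields of RFC 6749 section 5.1 plus the OIDC
     * {@code id_token}). String fields are {@code null} when the provider did not send them.
     */
    public static class TokenResponse {
        private final String accessToken;
        private final String tokenType;
        private final String refreshToken;
        private final long expiresIn;
        private final String idToken;

        TokenResponse(String accessToken, String tokenType, String refreshToken, long expiresIn, String idToken) {
            this.accessToken = accessToken;
            this.tokenType = tokenType;
            this.refreshToken = refreshToken;
            this.expiresIn = expiresIn;
            this.idToken = idToken;
        }

        /**
         * Builds the response from the parsed JSON body of the token endpoint.
         *
         * <p>{@code expires_in} is optional per RFC 6749; when it is absent the value is 0. A present
         * but non-numeric value is rejected rather than silently ignored.
         *
         * @param map parsed JSON object, must not be null
         * @throws IllegalArgumentException if {@code expires_in} is present but not a number
         */
        TokenResponse(Map<String, Object> map) {
            Objects.requireNonNull(map, "map");
            this.accessToken = stringOrNull(map, "access_token");
            this.tokenType = stringOrNull(map, "token_type");
            this.refreshToken = stringOrNull(map, "refresh_token");
            this.idToken = stringOrNull(map, "id_token");
            this.expiresIn = parseExpiresIn(map.get("expires_in"));
        }

        /** Returns the string form of the value under {@code key}, or null when it is absent. */
        private static String stringOrNull(Map<String, Object> map, String key) {
            Object value = map.get(key);
            return value != null ? String.valueOf(value) : null;
        }

        /** Maps a missing {@code expires_in} to 0; the previous implementation dereferenced null here. */
        private static long parseExpiresIn(Object value) {
            if (value == null) {
                return 0L;
            }
            if (value instanceof Number) {
                return ((Number) value).longValue();
            }
            throw new IllegalArgumentException("expires_in must be a number but was " + value.getClass().getName());
        }

        public String getAccessToken() {
            return this.accessToken;
        }

        public String getTokenType() {
            return this.tokenType;
        }

        public String getRefreshToken() {
            return this.refreshToken;
        }

        public long getExpiresIn() {
            return this.expiresIn;
        }

        public String getIdToken() {
            return this.idToken;
        }

        /**
         * Returns a fresh, mutable map with the token endpoint field names as keys. Absent string
         * fields are present with a null value.
         */
        public Map<String, Object> asMap() {
            Map<String, Object> result = new HashMap<>();
            result.put("access_token", this.accessToken);
            result.put("token_type", this.tokenType);
            result.put("refresh_token", this.refreshToken);
            result.put("expires_in", Long.valueOf(this.expiresIn));
            result.put("id_token", this.idToken);
            return result;
        }
    }

    /**
     * @param openIdConnectEndpoint URI of the provider's discovery document
     * @param sslConfig TLS settings for outbound connections, or null to use the builder defaults
     * @param proxyConfig outbound proxy settings, or null for none
     * @param cacheOidcConfiguration when true, discovery-document responses are cached in memory
     *        (at most {@value #CACHE_MAX_ENTRIES} entries of up to 1 MiB each) according to their
     *        HTTP caching headers
     */
    public OpenIdProviderClient(URI openIdConnectEndpoint, SettingsBasedSSLConfigurator.SSLConfig sslConfig, ProxyConfig proxyConfig,
            boolean cacheOidcConfiguration) {
        this.openIdConnectEndpoint = openIdConnectEndpoint;
        this.sslConfig = sslConfig;
        this.proxyConfig = proxyConfig;
        if (cacheOidcConfiguration) {
            this.cacheConfig = CacheConfig.custom().setMaxCacheEntries(CACHE_MAX_ENTRIES).setMaxObjectSize(CACHE_MAX_OBJECT_SIZE_BYTES).build();
            this.oidcHttpCacheStorage = new BasicHttpCacheStorage(this.cacheConfig);
        } else {
            this.cacheConfig = null;
            this.oidcHttpCacheStorage = null;
        }
    }

    /**
     * Fetches and parses the provider's discovery document, through the HTTP cache when one was
     * configured.
     *
     * @throws AuthenticatorUnavailableException on I/O errors, non-2xx responses and empty bodies
     */
    public OidcProviderConfig getOidcConfiguration() throws AuthenticatorUnavailableException {
        return doPrivileged(() -> {
            // try-with-resources on both client and response so they are released on every exit
            // path, including the non-2xx and empty-body failures below.
            try (CloseableHttpClient httpClient = createHttpClient(this.oidcHttpCacheStorage)) {
                HttpGet request = new HttpGet(this.openIdConnectEndpoint);
                request.setConfig(requestConfig());
                // The context is only needed to read back the cache verdict for statistics.
                HttpCacheContext cacheContext = this.oidcHttpCacheStorage != null ? new HttpCacheContext() : null;
                try (CloseableHttpResponse response = httpClient.execute(request, cacheContext)) {
                    if (cacheContext != null) {
                        logCacheResponseStatus(cacheContext);
                    }
                    HttpEntity entity = requireSuccessfulEntity(response, this.openIdConnectEndpoint);
                    return new OidcProviderConfig(DocReader.json().readObject(entity.getContent()));
                }
            } catch (IOException e) {
                throw new AuthenticatorUnavailableException("Error while getting " + this.openIdConnectEndpoint + ": " + e, e);
            }
        });
    }

    /**
     * Fetches the JSON Web Key Set referenced by the discovery document. The key set itself is
     * never served from the HTTP cache; any reuse of keys is left to the caller.
     *
     * @throws AuthenticatorUnavailableException on I/O errors, non-2xx responses and empty bodies
     */
    public JsonWebKeys getJsonWebKeys() throws AuthenticatorUnavailableException {
        URI jwksUri = getJwksUri();
        return doPrivileged(() -> {
            try (CloseableHttpClient httpClient = createHttpClient(null)) {
                HttpGet request = new HttpGet(jwksUri);
                request.setConfig(requestConfig());
                try (CloseableHttpResponse response = httpClient.execute(request)) {
                    HttpEntity entity = requireSuccessfulEntity(response, jwksUri);
                    return JwkUtils.readJwkSet(entity.getContent());
                }
            } catch (IOException e) {
                throw new AuthenticatorUnavailableException("Error while getting " + jwksUri + ": " + e, e);
            }
        });
    }

    /**
     * Exchanges an authorization code for tokens (grant type {@code authorization_code}) using
     * client-secret authentication in the form body.
     *
     * @param clientId the {@code client_id} form parameter
     * @param clientSecret the {@code client_secret} form parameter
     * @param unusedArg3 not sent to the provider; presumably a legacy argument kept for callers —
     *        confirm against call sites before removing
     * @param code the {@code code} form parameter
     * @param redirectUri the {@code redirect_uri} form parameter
     * @return the parsed token response
     * @throws AuthenticatorUnavailableException on I/O errors, non-2xx responses (the message carries
     *         the provider's status line and response body) and empty bodies
     */
    public TokenResponse callTokenEndpoint(String clientId, String clientSecret, String unusedArg3, String code, String redirectUri)
            throws AuthenticatorUnavailableException {
        List<BasicNameValuePair> formParams = Arrays.asList(
                new BasicNameValuePair("client_id", clientId),
                new BasicNameValuePair("client_secret", clientSecret),
                new BasicNameValuePair("grant_type", "authorization_code"),
                new BasicNameValuePair("code", code),
                new BasicNameValuePair("redirect_uri", redirectUri));
        String tokenEndpoint = getOidcConfiguration().getTokenEndpoint();
        return doPrivileged(() -> {
            try (CloseableHttpClient httpClient = createHttpClient(null)) {
                HttpPost request = new HttpPost(tokenEndpoint);
                request.setEntity(new UrlEncodedFormEntity(formParams, "utf-8"));
                request.setConfig(requestConfig());
                try (CloseableHttpResponse response = httpClient.execute(request)) {
                    // Buffer the body before the status check so an error response can be reported;
                    // EntityUtils.toString() rejects a null entity, hence the guard.
                    HttpEntity entity = response.getEntity();
                    String body = entity != null ? EntityUtils.toString(entity) : "";
                    StatusLine statusLine = response.getStatusLine();
                    int statusCode = statusLine.getStatusCode();
                    if (statusCode >= 300 || statusCode < 200) {
                        throw new AuthenticatorUnavailableException("IdP error", "Error response from token endpoint:\n" + statusLine + "\n" + body);
                    }
                    if (entity == null) {
                        throw new AuthenticatorUnavailableException("IdP error", "Error while calling " + tokenEndpoint + ": Empty response entity");
                    }
                    return new TokenResponse(DocReader.json().readObject(body));
                }
            } catch (IOException e) {
                throw new AuthenticatorUnavailableException("Error while calling " + tokenEndpoint, e);
            }
        });
    }

    /**
     * Posts an opaque body to the token endpoint and returns the provider's reply as-is.
     *
     * <p>Unlike the form-based overload, no status check is performed: the caller interprets the
     * status line. The returned response is a detached copy holding the status line and the fully
     * buffered body; response headers are not copied.
     *
     * @param requestBody raw request body
     * @param contentType content type of {@code requestBody}
     * @throws AuthenticatorUnavailableException on I/O errors
     */
    public HttpResponse callTokenEndpoint(byte[] requestBody, ContentType contentType) throws AuthenticatorUnavailableException {
        String tokenEndpoint = getOidcConfiguration().getTokenEndpoint();
        return doPrivileged(() -> {
            try (CloseableHttpClient httpClient = createHttpClient(null)) {
                HttpPost request = new HttpPost(tokenEndpoint);
                request.setEntity(new ByteArrayEntity(requestBody, contentType));
                request.setConfig(requestConfig());
                try (CloseableHttpResponse response = httpClient.execute(request)) {
                    BasicHttpResponse detached = new BasicHttpResponse(response.getStatusLine());
                    HttpEntity entity = response.getEntity();
                    // A body-less reply (e.g. 204) yields an empty entity instead of failing in toByteArray().
                    byte[] bodyBytes = entity != null ? EntityUtils.toByteArray(entity) : new byte[0];
                    detached.setEntity(new ByteArrayEntity(bodyBytes, ContentType.getOrDefault(entity)));
                    return detached;
                }
            } catch (IOException e) {
                throw new AuthenticatorUnavailableException("Error while calling " + tokenEndpoint, e);
            }
        });
    }

    /** Reads the JWKS URI from the discovery document (fetching it if necessary). */
    URI getJwksUri() throws AuthenticatorUnavailableException {
        return getOidcConfiguration().getJwksUri();
    }

    public int getRequestTimeoutMs() {
        return this.requestTimeoutMs;
    }

    /** Sets the timeout applied to connection acquisition, connect and socket reads of each request. */
    public void setRequestTimeoutMs(int requestTimeoutMs) {
        this.requestTimeoutMs = requestTimeoutMs;
    }

    /**
     * Runs {@code action} under {@link AccessController#doPrivileged} after the plugin's
     * {@link SpecialPermission} check, unwrapping {@link PrivilegedActionException}:
     * {@link AuthenticatorUnavailableException} and unchecked exceptions are rethrown as they are,
     * any other checked exception is wrapped in a {@link RuntimeException}.
     */
    private static <T> T doPrivileged(PrivilegedExceptionAction<T> action) throws AuthenticatorUnavailableException {
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            securityManager.checkPermission(new SpecialPermission());
        }
        try {
            return AccessController.doPrivileged(action);
        } catch (PrivilegedActionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof AuthenticatorUnavailableException) {
                throw (AuthenticatorUnavailableException) cause;
            }
            if (cause instanceof RuntimeException) {
                throw (RuntimeException) cause;
            }
            throw new RuntimeException(cause);
        }
    }

    /** Builds the per-request configuration: all three timeouts set to {@link #getRequestTimeoutMs()}. */
    private RequestConfig requestConfig() {
        int timeoutMs = getRequestTimeoutMs();
        return RequestConfig.custom().setConnectionRequestTimeout(timeoutMs).setConnectTimeout(timeoutMs).setSocketTimeout(timeoutMs).build();
    }

    /**
     * Returns the entity of a 2xx response to {@code uri}.
     *
     * @throws AuthenticatorUnavailableException if the status is outside 2xx or the body is missing
     */
    private static HttpEntity requireSuccessfulEntity(HttpResponse response, URI uri) throws AuthenticatorUnavailableException {
        StatusLine statusLine = response.getStatusLine();
        int statusCode = statusLine.getStatusCode();
        if (statusCode < 200 || statusCode >= 300) {
            throw new AuthenticatorUnavailableException("IdP error", "Error while getting " + uri + ": " + statusLine);
        }
        HttpEntity entity = response.getEntity();
        if (entity == null) {
            throw new AuthenticatorUnavailableException("IdP error", "Error while getting " + uri + ": Empty response entity");
        }
        return entity;
    }

    /**
     * Accounts one cached discovery-document request and, at most once per
     * {@link #CACHE_STATUS_LOG_INTERVAL_MS} (and never on the very first request), logs the counters.
     */
    private void logCacheResponseStatus(HttpCacheContext cacheContext) {
        this.oidcRequests++;
        CacheResponseStatus status = cacheContext.getCacheResponseStatus();
        // The attribute is absent when the caching layer did not handle the exchange; switching on
        // null would throw.
        if (status != null) {
            switch (status) {
                case CACHE_HIT:
                    this.oidcCacheHits++;
                    break;
                case CACHE_MODULE_RESPONSE:
                    this.oidcCacheModuleResponses++;
                    break;
                case CACHE_MISS:
                    this.oidcCacheMisses++;
                    break;
                case VALIDATED:
                    this.oidcCacheHitsValidated++;
                    break;
                default:
                    break;
            }
        }
        long now = System.currentTimeMillis();
        if (this.oidcRequests < 2 || now - this.lastCacheStatusLog <= CACHE_STATUS_LOG_INTERVAL_MS) {
            return;
        }
        log.info("Cache status for KeySetRetriever:\noidcCacheHits: " + this.oidcCacheHits + "\noidcCacheHitsValidated: " + this.oidcCacheHitsValidated + "\noidcCacheModuleResponses: " + this.oidcCacheModuleResponses + "\noidcCacheMisses: " + this.oidcCacheMisses);
        this.lastCacheStatusLog = now;
    }

    /**
     * Creates a client; a caching client backed by {@code httpCacheStorage} when one is given, a
     * plain one otherwise. Proxy settings, JVM system properties and the configured TLS socket factory
     * are applied in that order; an explicit socket factory takes precedence over the system-property
     * TLS defaults.
     */
    private CloseableHttpClient createHttpClient(HttpCacheStorage httpCacheStorage) {
        // Both branches are HttpClientBuilders; the caching builder is a subtype.
        HttpClientBuilder builder;
        if (httpCacheStorage != null) {
            builder = CachingHttpClients.custom().setCacheConfig(this.cacheConfig).setHttpCacheStorage(httpCacheStorage);
        } else {
            builder = HttpClients.custom();
        }
        if (this.proxyConfig != null) {
            this.proxyConfig.apply(builder);
        }
        builder.useSystemProperties();
        if (this.sslConfig != null) {
            builder.setSSLSocketFactory(this.sslConfig.toSSLConnectionSocketFactory());
        }
        return builder.build();
    }

    public int getOidcCacheHits() {
        return this.oidcCacheHits;
    }

    public int getOidcCacheMisses() {
        return this.oidcCacheMisses;
    }

    public int getOidcCacheHitsValidated() {
        return this.oidcCacheHitsValidated;
    }

    public int getOidcCacheModuleResponses() {
        return this.oidcCacheModuleResponses;
    }
}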
