package com.floragunn.searchguard.enterprise.auth.oidc;

import com.floragunn.codova.config.net.TLSConfig;
import com.floragunn.codova.documents.DocNode;
import com.floragunn.codova.documents.DocWriter;
import com.floragunn.searchguard.test.helper.network.SocketUtils;
import com.google.common.collect.ImmutableMap;
import com.google.common.hash.Hashing;
import java.io.Closeable;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.BindException;
import java.net.InetAddress;
import java.net.Socket;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.Charset;
import java.nio.charset.CharsetDecoder;
import java.nio.charset.CharsetEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import org.apache.commons.lang3.RandomStringUtils;
import org.apache.cxf.rs.security.jose.jwk.JsonWebKeys;
import org.apache.http.HttpConnectionFactory;
import org.apache.http.HttpEntityEnclosingRequest;
import org.apache.http.HttpException;
import org.apache.http.HttpInetConnection;
import org.apache.http.HttpRequest;
import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.client.utils.URIBuilder;
import org.apache.http.client.utils.URLEncodedUtils;
import org.apache.http.config.ConnectionConfig;
import org.apache.http.config.MessageConstraints;
import org.apache.http.entity.ContentLengthStrategy;
import org.apache.http.entity.ContentType;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.ConnSupport;
import org.apache.http.impl.DefaultBHttpServerConnection;
import org.apache.http.impl.bootstrap.HttpServer;
import org.apache.http.impl.bootstrap.SSLServerSetupHandler;
import org.apache.http.impl.bootstrap.ServerBootstrap;
import org.apache.http.io.HttpMessageParserFactory;
import org.apache.http.io.HttpMessageWriterFactory;
import org.apache.http.protocol.HttpContext;
import org.apache.http.protocol.HttpCoreContext;
import org.apache.http.protocol.HttpRequestHandler;
import org.apache.http.util.EntityUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.junit.Assert;

/* loaded from: input_file:com/floragunn/searchguard/enterprise/auth/oidc/MockIpdServer.class */
public class MockIpdServer implements Closeable {
    private static final Logger log = LogManager.getLogger(MockIpdServer.class);
    static final String CTX_DISCOVER = "/discover";
    static final String CTX_KEYS = "/api/oauth/keys";
    static final String CTX_TOKEN = "/token";
    static final String CTX_USERINFO = "/userinfo";
    private HttpServer httpServer;
    private int port;
    private String uri;
    private boolean requireTlsClientCertAuth;
    private String requireTlsClientCertFingerprint;
    private JsonWebKeys jwks;
    private boolean requireValidCodes;
    private boolean requirePkce;
    private Map<String, AuthCodeContext> validCodes;
    private Map<String, Map<String, Object>> accessTokenToUserInfoMap;
    private InetAddress acceptConnectionsOnlyFromInetAddress;
    private TLSConfig tlsConfig;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/floragunn/searchguard/enterprise/auth/oidc/MockIpdServer$AuthCodeContext.class */
    public static class AuthCodeContext {
        private String userJwt;
        private String redirectUri;
        private String codeChallenge;
        private Map<String, Object> userInfo;

        private AuthCodeContext() {
        }
    }

    /* loaded from: input_file:com/floragunn/searchguard/enterprise/auth/oidc/MockIpdServer$Builder.class */
    public static class Builder {
        private MockIpdServer mockIdpServer = new MockIpdServer();

        public Builder(JsonWebKeys jsonWebKeys) {
            this.mockIdpServer.jwks = jsonWebKeys;
        }

        public Builder useCustomTlsConfig(TLSConfig tLSConfig) {
            this.mockIdpServer.tlsConfig = tLSConfig;
            return this;
        }

        public Builder requirePkce(boolean z) {
            this.mockIdpServer.requirePkce = z;
            return this;
        }

        public Builder requireTlsClientCertAuth() {
            this.mockIdpServer.requireTlsClientCertAuth = true;
            return this;
        }

        public Builder acceptConnectionsOnlyFromInetAddress(InetAddress inetAddress) {
            this.mockIdpServer.acceptConnectionsOnlyFromInetAddress = inetAddress;
            return this;
        }

        public Builder requireValidCodes(boolean z) {
            this.mockIdpServer.requireValidCodes = z;
            return this;
        }

        public Builder requireTlsClientCertFingerprint(String str) {
            this.mockIdpServer.requireTlsClientCertAuth = true;
            this.mockIdpServer.requireTlsClientCertFingerprint = str;
            return this;
        }

        public MockIpdServer start() throws IOException {
            this.mockIdpServer.start();
            return this.mockIdpServer;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/floragunn/searchguard/enterprise/auth/oidc/MockIpdServer$SSLTestHttpServerConnection.class */
    public static class SSLTestHttpServerConnection extends DefaultBHttpServerConnection {
        public SSLTestHttpServerConnection(int i, int i2, CharsetDecoder charsetDecoder, CharsetEncoder charsetEncoder, MessageConstraints messageConstraints, ContentLengthStrategy contentLengthStrategy, ContentLengthStrategy contentLengthStrategy2, HttpMessageParserFactory<HttpRequest> httpMessageParserFactory, HttpMessageWriterFactory<HttpResponse> httpMessageWriterFactory) {
            super(i, i2, charsetDecoder, charsetEncoder, messageConstraints, contentLengthStrategy, contentLengthStrategy2, httpMessageParserFactory, httpMessageWriterFactory);
        }

        public Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException {
            return ((SSLSocket) getSocket()).getSession().getPeerCertificates();
        }
    }

    public static Builder forKeySet(JsonWebKeys jsonWebKeys) {
        return new Builder(jsonWebKeys);
    }

    private MockIpdServer() {
        this.requireValidCodes = true;
        this.requirePkce = false;
        this.validCodes = new ConcurrentHashMap();
        this.accessTokenToUserInfoMap = new ConcurrentHashMap();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void start() throws IOException {
        int i = 0;
        while (true) {
            try {
                start(SocketUtils.findAvailableTcpPort());
                return;
            } catch (BindException e) {
                if (i >= 10) {
                    throw e;
                }
                i++;
                try {
                    Thread.sleep(10L);
                } catch (InterruptedException e2) {
                    throw new RuntimeException(e2);
                }
            }
        }
    }

    private void start(int i) throws IOException {
        this.port = i;
        this.uri = (this.tlsConfig != null ? "https" : "http") + "://localhost:" + i;
        ServerBootstrap registerHandler = ServerBootstrap.bootstrap().setListenerPort(i).registerHandler(CTX_DISCOVER, new HttpRequestHandler() { // from class: com.floragunn.searchguard.enterprise.auth.oidc.MockIpdServer.4
            @Override // org.apache.http.protocol.HttpRequestHandler
            public void handle(HttpRequest httpRequest, HttpResponse httpResponse, HttpContext httpContext) throws HttpException, IOException {
                MockIpdServer.this.handleDiscoverRequest(httpRequest, httpResponse, httpContext);
            }
        }).registerHandler(CTX_KEYS, new HttpRequestHandler() { // from class: com.floragunn.searchguard.enterprise.auth.oidc.MockIpdServer.3
            @Override // org.apache.http.protocol.HttpRequestHandler
            public void handle(HttpRequest httpRequest, HttpResponse httpResponse, HttpContext httpContext) throws HttpException, IOException {
                MockIpdServer.this.handleKeysRequest(httpRequest, httpResponse, httpContext);
            }
        }).registerHandler(CTX_TOKEN, new HttpRequestHandler() { // from class: com.floragunn.searchguard.enterprise.auth.oidc.MockIpdServer.2
            @Override // org.apache.http.protocol.HttpRequestHandler
            public void handle(HttpRequest httpRequest, HttpResponse httpResponse, HttpContext httpContext) throws HttpException, IOException {
                MockIpdServer.this.handleTokenRequest(httpRequest, httpResponse, httpContext);
            }
        }).registerHandler(CTX_USERINFO, new HttpRequestHandler() { // from class: com.floragunn.searchguard.enterprise.auth.oidc.MockIpdServer.1
            @Override // org.apache.http.protocol.HttpRequestHandler
            public void handle(HttpRequest httpRequest, HttpResponse httpResponse, HttpContext httpContext) throws HttpException, IOException {
                MockIpdServer.this.handleUserInfoRequest(httpRequest, httpResponse, httpContext);
            }
        });
        if (this.tlsConfig != null) {
            registerHandler = registerHandler.setSslContext(createSSLContext()).setSslSetupHandler(new SSLServerSetupHandler() { // from class: com.floragunn.searchguard.enterprise.auth.oidc.MockIpdServer.6
                public void initialize(SSLServerSocket sSLServerSocket) throws SSLException {
                    sSLServerSocket.setNeedClientAuth(MockIpdServer.this.requireTlsClientCertAuth);
                }
            }).setConnectionFactory(new HttpConnectionFactory<DefaultBHttpServerConnection>() { // from class: com.floragunn.searchguard.enterprise.auth.oidc.MockIpdServer.5
                private ConnectionConfig cconfig = ConnectionConfig.DEFAULT;

                /* renamed from: createConnection, reason: merged with bridge method [inline-methods] */
                public DefaultBHttpServerConnection m13createConnection(Socket socket) throws IOException {
                    SSLTestHttpServerConnection sSLTestHttpServerConnection = new SSLTestHttpServerConnection(this.cconfig.getBufferSize(), this.cconfig.getFragmentSizeHint(), ConnSupport.createDecoder(this.cconfig), ConnSupport.createEncoder(this.cconfig), this.cconfig.getMessageConstraints(), null, null, null, null);
                    sSLTestHttpServerConnection.bind(socket);
                    return sSLTestHttpServerConnection;
                }
            });
        }
        this.httpServer = registerHandler.create();
        this.httpServer.start();
    }

    public MockIpdServer acceptConnectionsOnlyFromInetAddress(InetAddress inetAddress) {
        this.acceptConnectionsOnlyFromInetAddress = inetAddress;
        return this;
    }

    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() throws IOException {
        this.httpServer.stop();
    }

    public HttpServer getHttpServer() {
        return this.httpServer;
    }

    public String getUri() {
        return this.uri;
    }

    public URI getDiscoverUri() {
        return URI.create(this.uri + CTX_DISCOVER);
    }

    public int getPort() {
        return this.port;
    }

    protected void handleDiscoverRequest(HttpRequest httpRequest, HttpResponse httpResponse, HttpContext httpContext) throws HttpException, IOException {
        if (checkAccess(httpRequest, httpResponse, httpContext)) {
            httpResponse.setStatusCode(200);
            httpResponse.setHeader("Cache-Control", "public, max-age=31536000");
            httpResponse.setEntity(new StringEntity(DocNode.of("jwks_uri", this.uri + CTX_KEYS, "issuer", this.uri, "unknownPropertyToBeIgnored", 42, "token_endpoint", this.uri + CTX_TOKEN, "authorization_endpoint", this.uri + "/auth", new Object[]{"end_session_endpoint", this.uri + "/logout", "userinfo_endpoint", this.uri + CTX_USERINFO}).toJsonString(), ContentType.APPLICATION_JSON));
        }
    }

    protected void handleKeysRequest(HttpRequest httpRequest, HttpResponse httpResponse, HttpContext httpContext) throws HttpException, IOException {
        if (checkAccess(httpRequest, httpResponse, httpContext)) {
            httpResponse.setStatusCode(200);
            httpResponse.setEntity(new StringEntity(CxfTestTools.toJson(this.jwks)));
        }
    }

    protected void handleTokenRequest(HttpRequest httpRequest, HttpResponse httpResponse, HttpContext httpContext) throws HttpException, IOException {
        String str;
        String str2;
        try {
            if (checkAccess(httpRequest, httpResponse, httpContext)) {
                if (!"POST".equalsIgnoreCase(httpRequest.getRequestLine().getMethod())) {
                    httpResponse.setStatusCode(400);
                    httpResponse.setEntity(new StringEntity("Not a POST request"));
                    return;
                }
                if (httpRequest.getFirstHeader("Content-Type") == null) {
                    httpResponse.setStatusCode(400);
                    httpResponse.setEntity(new StringEntity("Content-Type header is missing"));
                    return;
                }
                if (!httpRequest.getFirstHeader("Content-Type").getValue().toLowerCase().startsWith("application/x-www-form-urlencoded")) {
                    httpResponse.setStatusCode(400);
                    httpResponse.setEntity(new StringEntity("Content-Type is not application/x-www-form-urlencoded"));
                    return;
                }
                if (!(httpRequest instanceof HttpEntityEnclosingRequest)) {
                    httpResponse.setStatusCode(400);
                    httpResponse.setEntity(new StringEntity("Missing entity"));
                    return;
                }
                String entityUtils = EntityUtils.toString(((HttpEntityEnclosingRequest) httpRequest).getEntity());
                Map<String, String> formUrlEncodedValues = getFormUrlEncodedValues(entityUtils);
                log.info("Got entity params: " + formUrlEncodedValues + "; " + entityUtils);
                if (!formUrlEncodedValues.containsKey("grant_type")) {
                    httpResponse.setStatusCode(400);
                    httpResponse.setEntity(new StringEntity("Missing grant_type"));
                    return;
                }
                String str3 = formUrlEncodedValues.get("code");
                if (this.requireValidCodes) {
                    AuthCodeContext remove = this.validCodes.remove(str3);
                    if (remove == null) {
                        httpResponse.setStatusCode(400);
                        httpResponse.setEntity(new StringEntity("Invalid code " + str3));
                        return;
                    }
                    if (remove.codeChallenge != null) {
                        String str4 = formUrlEncodedValues.get("code_verifier");
                        String applySHA256 = applySHA256(str4);
                        if (!applySHA256.equals(remove.codeChallenge)) {
                            httpResponse.setStatusCode(400);
                            httpResponse.setEntity(new StringEntity("Invalid code_challenge " + remove.codeChallenge + "; expected: " + applySHA256 + " (" + str4 + ")"));
                            return;
                        }
                    }
                    str = remove.userJwt;
                    str2 = RandomStringUtils.randomAlphabetic(20);
                    if (remove.userInfo != null) {
                        this.accessTokenToUserInfoMap.put(str2, remove.userInfo);
                    }
                    String str5 = remove.redirectUri;
                    String str6 = formUrlEncodedValues.get("redirect_uri");
                    System.out.println("redirect uri: " + str5 + "; " + str6);
                    if (!str5.equals(str6)) {
                        httpResponse.setStatusCode(400);
                        httpResponse.setEntity(new StringEntity("Invalid redirect_uri " + str6 + "; expected: " + str5));
                        return;
                    }
                } else {
                    str = TestJwts.MC_COY_SIGNED_OCT_1;
                    str2 = "dummy_access_token";
                }
                httpResponse.setStatusCode(200);
                httpResponse.setEntity(new StringEntity(DocWriter.json().writeAsString(ImmutableMap.of("access_token", str2, "token_type", "bearer", "expires_in", 3600, "scope", "profile app:read app:write", "id_token", str)), ContentType.APPLICATION_JSON));
            }
        } catch (Exception e) {
            log.error("Error in handleTokenRequest()", e);
            httpResponse.setStatusCode(500);
            httpResponse.setEntity(new StringEntity(e.toString()));
        }
    }

    protected void handleUserInfoRequest(HttpRequest httpRequest, HttpResponse httpResponse, HttpContext httpContext) throws HttpException, IOException {
        if (checkAccess(httpRequest, httpResponse, httpContext)) {
            if (!"POST".equalsIgnoreCase(httpRequest.getRequestLine().getMethod()) && !"GET".equalsIgnoreCase(httpRequest.getRequestLine().getMethod())) {
                httpResponse.setStatusCode(400);
                httpResponse.setEntity(new StringEntity("Not a GET or POST request"));
                return;
            }
            if (httpRequest.getFirstHeader("Authorization") == null) {
                httpResponse.setStatusCode(400);
                httpResponse.setEntity(new StringEntity("Authorization header is missing"));
                return;
            }
            String value = httpRequest.getFirstHeader("Authorization").getValue();
            if (!value.toLowerCase().startsWith("bearer ")) {
                httpResponse.setStatusCode(400);
                httpResponse.setEntity(new StringEntity("Needs to use bearer authorization"));
                return;
            }
            String substring = value.substring("bearer ".length());
            Map<String, Object> map = this.accessTokenToUserInfoMap.get(substring);
            if (map != null) {
                httpResponse.setEntity(new StringEntity(DocWriter.json().writeAsString(map), ContentType.APPLICATION_JSON));
            } else {
                httpResponse.setStatusCode(400);
                httpResponse.setEntity(new StringEntity("Invalid access token " + substring));
            }
        }
    }

    private SSLContext createSSLContext() {
        return this.tlsConfig.getUnrestrictedSslContext();
    }

    private boolean checkAccess(HttpRequest httpRequest, HttpResponse httpResponse, HttpContext httpContext) throws UnsupportedEncodingException, SSLPeerUnverifiedException {
        if (this.acceptConnectionsOnlyFromInetAddress != null) {
            HttpInetConnection httpInetConnection = (HttpInetConnection) httpContext.getAttribute("http.connection");
            if (!httpInetConnection.getRemoteAddress().equals(this.acceptConnectionsOnlyFromInetAddress)) {
                httpResponse.setStatusCode(451);
                httpResponse.setEntity(new StringEntity("We are not accepting connections from " + httpInetConnection.getRemoteAddress() + "; only: " + this.acceptConnectionsOnlyFromInetAddress));
                return false;
            }
        }
        if (this.requireTlsClientCertFingerprint == null) {
            return true;
        }
        X509Certificate x509Certificate = (X509Certificate) ((SSLTestHttpServerConnection) ((HttpCoreContext) httpContext).getConnection()).getPeerCertificates()[0];
        try {
            String hashCode = Hashing.sha256().hashBytes(x509Certificate.getEncoded()).toString();
            if (this.requireTlsClientCertFingerprint.equals(hashCode)) {
                return true;
            }
            httpResponse.setStatusCode(401);
            httpResponse.setEntity(new StringEntity("Client certificate is not allowed: " + hashCode + "\n" + x509Certificate));
            return false;
        } catch (CertificateEncodingException e) {
            throw new RuntimeException(e);
        }
    }

    private String applySHA256(String str) {
        try {
            return Base64.getUrlEncoder().withoutPadding().encodeToString(MessageDigest.getInstance("SHA-256").digest(str.getBytes(StandardCharsets.US_ASCII)));
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        }
    }

    public String handleSsoGetRequestURI(String str, String str2) throws URISyntaxException, UnsupportedEncodingException {
        return handleSsoGetRequestURI(str, str2, null);
    }

    public String handleSsoGetRequestURI(String str, String str2, Map<String, Object> map) throws URISyntaxException, UnsupportedEncodingException {
        Map<String, String> uriParams = getUriParams(str);
        String str3 = uriParams.get("scope");
        Assert.assertNotNull(str, str3);
        Assert.assertTrue(str, str3.contains("openid"));
        String str4 = uriParams.get("state");
        Assert.assertNotNull(str, str4);
        String str5 = uriParams.get("redirect_uri");
        Assert.assertNotNull(str, str5);
        String str6 = uriParams.get("code_challenge");
        String str7 = uriParams.get("code_challenge_method");
        String randomAlphanumeric = RandomStringUtils.randomAlphanumeric(8);
        AuthCodeContext authCodeContext = new AuthCodeContext();
        authCodeContext.userJwt = str2;
        authCodeContext.redirectUri = str5;
        authCodeContext.codeChallenge = str6;
        authCodeContext.userInfo = map;
        if (str6 != null) {
            Assert.assertEquals(str, "S256", str7);
        } else if (this.requirePkce) {
            return null;
        }
        this.validCodes.put(randomAlphanumeric, authCodeContext);
        URIBuilder uRIBuilder = new URIBuilder(str5);
        uRIBuilder.addParameter("code", randomAlphanumeric);
        uRIBuilder.addParameter("state", str4);
        return uRIBuilder.build().toASCIIString();
    }

    private Map<String, String> getUriParams(String str) {
        return getFormUrlEncodedValues(URI.create(str).getRawQuery());
    }

    private Map<String, String> getFormUrlEncodedValues(String str) {
        List<NameValuePair> parse = URLEncodedUtils.parse(str, Charset.forName("utf-8"));
        HashMap hashMap = new HashMap(parse.size());
        for (NameValuePair nameValuePair : parse) {
            hashMap.put(nameValuePair.getName(), nameValuePair.getValue());
        }
        return hashMap;
    }

    public boolean isRequireValidCodes() {
        return this.requireValidCodes;
    }

    public void setRequireValidCodes(boolean z) {
        this.requireValidCodes = z;
    }
}
