package com.floragunn.searchguard.enterprise.auth.oidc;

import com.floragunn.codova.config.net.ProxyConfig;
import com.floragunn.codova.config.net.TLSConfig;
import com.floragunn.codova.validation.ConfigValidationException;
import com.floragunn.codova.validation.ValidatingDocNode;
import com.floragunn.codova.validation.ValidationErrors;
import com.floragunn.codova.validation.ValidationResult;
import com.floragunn.codova.validation.errors.InvalidAttributeValue;
import com.floragunn.codova.validation.errors.MissingAttribute;
import com.floragunn.searchguard.TypedComponent;
import com.floragunn.searchguard.authc.AuthenticatorUnavailableException;
import com.floragunn.searchguard.authc.CredentialsException;
import com.floragunn.searchguard.authc.base.AuthcResult;
import com.floragunn.searchguard.authc.session.ActivatedFrontendConfig;
import com.floragunn.searchguard.authc.session.ApiAuthenticationFrontend;
import com.floragunn.searchguard.authc.session.GetActivatedFrontendConfigAction;
import com.floragunn.searchguard.configuration.ConfigurationRepository;
import com.floragunn.searchguard.enterprise.auth.oidc.OpenIdProviderClient;
import com.floragunn.searchguard.user.AuthCredentials;
import com.floragunn.searchguard.user.User;
import com.floragunn.searchsupport.cstate.ComponentState;
import com.google.common.base.Strings;
import com.google.common.hash.Hashing;
import com.google.common.io.BaseEncoding;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.http.NameValuePair;
import org.apache.http.client.utils.URIBuilder;
import org.apache.http.client.utils.URLEncodedUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

/* loaded from: input_file:com/floragunn/searchguard/enterprise/auth/oidc/OidcAuthenticator.class */
public class OidcAuthenticator implements ApiAuthenticationFrontend {
    private static final String SSO_CONTEXT_PREFIX_STATE = "oidc_s:";
    private static final String SSO_CONTEXT_PREFIX_CODE_VERIFIER = "oidc_cv:";
    private ProxyConfig proxyConfig;
    private OpenIdProviderClient openIdProviderClient;
    private final String clientId;
    private final String clientSecret;
    private final String scope;
    private JwtVerifier jwtVerifier;
    private JwtVerifier userInfoJwtVerifier;
    private final String logoutUrl;
    private final boolean usePkce;
    private final boolean useUserInfoEndpoint;
    private final ComponentState componentState = new ComponentState(0, "authentication_frontend", "oidc", OidcAuthenticator.class).initialized().requiresEnterpriseLicense();
    private static final Logger log = LogManager.getLogger(OidcAuthenticator.class);
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();
    public static TypedComponent.Info<ApiAuthenticationFrontend> INFO = new TypedComponent.Info<ApiAuthenticationFrontend>() { // from class: com.floragunn.searchguard.enterprise.auth.oidc.OidcAuthenticator.1
        public Class<ApiAuthenticationFrontend> getType() {
            return ApiAuthenticationFrontend.class;
        }

        public String getName() {
            return "oidc";
        }

        public TypedComponent.Factory<ApiAuthenticationFrontend> getFactory() {
            return (v1, v2) -> {
                return new OidcAuthenticator(v1, v2);
            };
        }
    };

    public OidcAuthenticator(Map<String, Object> map, ConfigurationRepository.Context context) throws ConfigValidationException {
        ValidationErrors validationErrors = new ValidationErrors();
        ValidatingDocNode validatingDocNode = new ValidatingDocNode(map, validationErrors, context);
        this.clientId = validatingDocNode.get("client_id").required().asString();
        this.usePkce = validatingDocNode.get("pkce").withDefault(true).asBoolean();
        this.useUserInfoEndpoint = validatingDocNode.get("get_user_info").withDefault(false).asBoolean();
        this.clientSecret = validatingDocNode.get("client_secret").required(!this.usePkce).asString();
        this.scope = validatingDocNode.get("scope").withDefault("openid profile email address phone").asString();
        this.proxyConfig = (ProxyConfig) validatingDocNode.get("idp.proxy").by(ProxyConfig::parse);
        this.logoutUrl = validatingDocNode.get("logout_url").asString();
        int asInt = validatingDocNode.get("idp_request_timeout_ms").withDefault(5000).asInt();
        int asInt2 = validatingDocNode.get("idp_queued_thread_timeout_ms").withDefault(2500).asInt();
        int asInt3 = validatingDocNode.get("refresh_rate_limit_time_window_ms").withDefault(10000).asInt();
        int asInt4 = validatingDocNode.get("refresh_rate_limit_count").withDefault(10).asInt();
        URI asURI = validatingDocNode.get("idp.openid_configuration_url").required().asURI();
        TLSConfig tLSConfig = (TLSConfig) validatingDocNode.get("idp.tls").by(TLSConfig::parse);
        boolean asBoolean = validatingDocNode.get("cache_jwks_endpoint").withDefault(false).asBoolean();
        String asString = validatingDocNode.get("required_audience").asString();
        String asString2 = validatingDocNode.get("required_issuer").asString();
        validatingDocNode.checkForUnusedAttributes();
        validationErrors.throwExceptionForPresentErrors();
        this.openIdProviderClient = new OpenIdProviderClient(asURI, tLSConfig, this.proxyConfig, asBoolean);
        this.openIdProviderClient.setRequestTimeoutMs(asInt);
        SelfRefreshingKeySet selfRefreshingKeySet = new SelfRefreshingKeySet(new KeySetRetriever(this.openIdProviderClient));
        selfRefreshingKeySet.setRequestTimeoutMs(asInt);
        selfRefreshingKeySet.setQueuedThreadTimeoutMs(asInt2);
        selfRefreshingKeySet.setRefreshRateLimitTimeWindowMs(asInt3);
        selfRefreshingKeySet.setRefreshRateLimitCount(asInt4);
        this.jwtVerifier = new JwtVerifier(selfRefreshingKeySet, asString, asString2);
        this.userInfoJwtVerifier = new JwtVerifier(selfRefreshingKeySet, null, asString2);
    }

    public ActivatedFrontendConfig.AuthMethod activateFrontendConfig(ActivatedFrontendConfig.AuthMethod authMethod, GetActivatedFrontendConfigAction.Request request) throws AuthenticatorUnavailableException {
        try {
            ValidationResult<OidcProviderConfig> oidcConfiguration = this.openIdProviderClient.getOidcConfiguration();
            if (oidcConfiguration.peek() == null || ((OidcProviderConfig) oidcConfiguration.peek()).getAuthorizationEndpoint() == null) {
                throw new AuthenticatorUnavailableException("Invalid OIDC metadata", "authorization_endpoint missing from OIDC metadata").details("oidc_metadata", oidcConfiguration.toBasicObject(), new Object[0]);
            }
            if (request.getFrontendBaseUrl() == null) {
                throw new AuthenticatorUnavailableException("Invalid configuration", "frontend_base_url is required for OIDC authentication").details("request", request.toBasicObject(), new Object[0]);
            }
            String aSCIIString = getLoginPostURI(new URI(request.getFrontendBaseUrl())).toASCIIString();
            String createOpaqueToken = createOpaqueToken(24);
            String str = "oidc_s:" + createOpaqueToken;
            URIBuilder addParameter = new URIBuilder(((OidcProviderConfig) oidcConfiguration.peek()).getAuthorizationEndpoint()).addParameter("client_id", this.clientId).addParameter("response_type", "code").addParameter("redirect_uri", aSCIIString).addParameter("state", !Strings.isNullOrEmpty(request.getNextURL()) ? createOpaqueToken + "|" + request.getNextURL() : createOpaqueToken).addParameter("scope", this.scope);
            if (this.usePkce) {
                String createOpaqueToken2 = createOpaqueToken(48);
                addParameter.addParameter("code_challenge", BaseEncoding.base64Url().omitPadding().encode(Hashing.sha256().hashString(createOpaqueToken2, StandardCharsets.US_ASCII).asBytes()));
                addParameter.addParameter("code_challenge_method", "S256");
                str = str + ";oidc_cv:" + createOpaqueToken2;
            }
            return authMethod.ssoLocation(addParameter.build().toASCIIString()).ssoContext(str);
        } catch (URISyntaxException e) {
            log.error("Error while activating SAML authenticator", e);
            throw new AuthenticatorUnavailableException("Invalid configuration", "frontend_base_url is not a valid URL", e).details("request", request.toBasicObject(), new Object[0]);
        }
    }

    public AuthCredentials extractCredentials(Map<String, Object> map) throws CredentialsException, AuthenticatorUnavailableException, ConfigValidationException {
        String substring;
        String substring2;
        HashMap hashMap = new HashMap();
        String valueOf = map.containsKey("sso_context") ? String.valueOf(map.get("sso_context")) : null;
        if (valueOf == null) {
            throw new ConfigValidationException(new MissingAttribute("sso_context"));
        }
        String valueFromSsoContext = getValueFromSsoContext(SSO_CONTEXT_PREFIX_STATE, valueOf);
        if (valueFromSsoContext == null) {
            throw new ConfigValidationException(new InvalidAttributeValue("sso_context", valueOf, "Must contain oidc_s:"));
        }
        String valueFromSsoContext2 = getValueFromSsoContext(SSO_CONTEXT_PREFIX_CODE_VERIFIER, valueOf);
        if (this.usePkce && valueFromSsoContext2 == null) {
            throw new ConfigValidationException(new InvalidAttributeValue("sso_context", valueOf, "Must contain oidc_cv:"));
        }
        String valueOf2 = map.containsKey("sso_result") ? String.valueOf(map.get("sso_result")) : null;
        if (valueOf2 == null) {
            throw new ConfigValidationException(new MissingAttribute("ssoResult"));
        }
        if (!map.containsKey("frontend_base_url")) {
            throw new ConfigValidationException(new MissingAttribute("frontend_base_url"));
        }
        try {
            URI uri = new URI(String.valueOf(map.get("frontend_base_url")));
            Map<String, String> uriParams = getUriParams(valueOf2);
            String str = uriParams.get("state");
            if (str == null) {
                throw new ConfigValidationException(new MissingAttribute("ssoResult.state"));
            }
            int indexOf = str.indexOf(124);
            if (indexOf == -1) {
                substring = str;
                substring2 = null;
            } else {
                substring = str.substring(0, indexOf);
                substring2 = str.substring(indexOf + 1);
            }
            String str2 = uriParams.get("code");
            if (str2 == null) {
                throw new ConfigValidationException(new MissingAttribute("ssoResult.code"));
            }
            hashMap.put("sso_context", valueOf);
            hashMap.put("sso_result", valueOf2);
            hashMap.put("code", str2);
            hashMap.put("state", str);
            if (!Objects.equals(valueFromSsoContext, substring)) {
                throw new CredentialsException(new AuthcResult.DebugInfo(getType(), false, "Invalid state token: " + valueFromSsoContext + "/" + substring, hashMap));
            }
            String aSCIIString = getLoginPostURI(uri).toASCIIString();
            LinkedHashMap linkedHashMap = new LinkedHashMap();
            linkedHashMap.put("client_id", this.clientId);
            linkedHashMap.put("code", str2);
            linkedHashMap.put("redirect_uri", aSCIIString);
            if (this.usePkce) {
                linkedHashMap.put("code_verifier", valueFromSsoContext2);
            }
            if (this.clientSecret != null) {
                linkedHashMap.put("client_secret", this.clientSecret);
            }
            OpenIdProviderClient.TokenResponse callTokenEndpoint = this.openIdProviderClient.callTokenEndpoint(linkedHashMap);
            hashMap.put("token_response", callTokenEndpoint.asMap());
            String idToken = callTokenEndpoint.getIdToken();
            try {
                JwtToken verifiedJwtToken = this.jwtVerifier.getVerifiedJwtToken(idToken);
                JwtClaims claims = verifiedJwtToken.getClaims();
                if (log.isTraceEnabled()) {
                    log.trace("Claims from JWT: " + String.valueOf(claims.asMap()));
                }
                hashMap.put("claims", claims.asMap());
                Map<String, Object> emptyMap = Collections.emptyMap();
                if (this.useUserInfoEndpoint) {
                    emptyMap = this.openIdProviderClient.callUserInfoEndpoint(callTokenEndpoint.getAccessToken(), this.userInfoJwtVerifier);
                    String valueOf3 = String.valueOf(emptyMap.get("sub"));
                    hashMap.put("oidc_user_info", emptyMap);
                    if (!valueOf3.equals(verifiedJwtToken.getClaims().getSubject())) {
                        throw new CredentialsException(new AuthcResult.DebugInfo(getType(), false, "sub claim from user info does not match sub claim from ID token", hashMap));
                    }
                }
                return AuthCredentials.forUser(claims.getSubject()).userMappingAttribute("oidc_id_token", claims.asMap()).userMappingAttribute("jwt", claims.asMap()).userMappingAttribute("oidc_user_info", emptyMap).attribute("__auth_type", "oidc").attribute("__oidc_id", idToken).attribute("__fe_base_url", uri.toString()).claims(claims.asMap()).complete().redirectUri(substring2).build();
            } catch (BadCredentialsException e) {
                log.info("Extracting JWT token from " + idToken + " failed", e);
                throw new CredentialsException(new AuthcResult.DebugInfo(getType(), false, e.getMessage(), hashMap), e);
            } catch (AuthenticatorUnavailableException e2) {
                log.info(e2);
                throw e2;
            }
        } catch (URISyntaxException e3) {
            throw new ConfigValidationException(new InvalidAttributeValue("frontend_base_url", map.get("frontend_base_url"), "A URL"));
        }
    }

    public String getLogoutUrl(User user) throws AuthenticatorUnavailableException {
        try {
            if (this.logoutUrl != null) {
                return this.logoutUrl;
            }
            if (user == null || user.getStructuredAttributes().get("__fe_base_url") == null) {
                return null;
            }
            String valueOf = String.valueOf(user.getStructuredAttributes().get("__fe_base_url"));
            URI endSessionEndpoint = ((OidcProviderConfig) this.openIdProviderClient.getOidcConfiguration().get()).getEndSessionEndpoint();
            if (endSessionEndpoint == null) {
                return null;
            }
            return new URIBuilder(endSessionEndpoint).addParameter("post_logout_redirect_uri", valueOf).addParameter("id_token_hint", user.getStructuredAttributes().get("__oidc_id") != null ? user.getStructuredAttributes().get("__oidc_id").toString() : null).build().toASCIIString();
        } catch (ConfigValidationException e) {
            log.error("Error while constructing logout url for " + String.valueOf(this), e);
            return null;
        } catch (URISyntaxException e2) {
            log.error("Error while constructing logout url for " + String.valueOf(this), e2);
            return null;
        }
    }

    private Map<String, String> getUriParams(String str) throws ConfigValidationException {
        try {
            List<NameValuePair> parse = URLEncodedUtils.parse(new URI(str), Charset.forName("utf-8"));
            HashMap hashMap = new HashMap(parse.size());
            for (NameValuePair nameValuePair : parse) {
                hashMap.put(nameValuePair.getName(), nameValuePair.getValue());
            }
            return hashMap;
        } catch (URISyntaxException e) {
            throw new ConfigValidationException(new InvalidAttributeValue("sso_result", str, "URI"));
        }
    }

    private URI getLoginPostURI(URI uri) {
        try {
            return new URIBuilder(uri).setPath(uri.getPath().endsWith("/") ? uri.getPath() + "auth/openid/login" : uri.getPath() + "/auth/openid/login").build();
        } catch (URISyntaxException e) {
            log.error("Got URISyntaxException when constructing loginPostURI. This should not happen. frontendBaseURI: " + String.valueOf(uri), e);
            throw new RuntimeException(e);
        }
    }

    public String getType() {
        return "oidc";
    }

    private String createOpaqueToken(int i) {
        byte[] bArr = new byte[i];
        SECURE_RANDOM.nextBytes(bArr);
        return BaseEncoding.base64Url().omitPadding().encode(bArr);
    }

    private String getValueFromSsoContext(String str, String str2) {
        int indexOf;
        if (str2 == null || (indexOf = str2.indexOf(str)) == -1) {
            return null;
        }
        int length = indexOf + str.length();
        int indexOf2 = str2.indexOf(59, length);
        return str2.substring(length, indexOf2 == -1 ? str2.length() : indexOf2).trim();
    }

    public ComponentState getComponentState() {
        return this.componentState;
    }
}
