package it.geosolutions.geostore.services.rest.security.oauth2;

import it.geosolutions.geostore.core.model.User;
import it.geosolutions.geostore.core.security.password.SecurityUtils;
import it.geosolutions.geostore.services.UserService;
import it.geosolutions.geostore.services.rest.RESTSessionService;
import it.geosolutions.geostore.services.rest.SessionServiceDelegate;
import it.geosolutions.geostore.services.rest.exception.NotFoundWebEx;
import it.geosolutions.geostore.services.rest.model.SessionToken;
import it.geosolutions.geostore.services.rest.security.TokenAuthenticationCache;
import it.geosolutions.geostore.services.rest.security.oauth2.OAuth2Configuration;
import it.geosolutions.geostore.services.rest.security.oauth2.openid_connect.enancher.ClientSecretRequestEnhancer;
import it.geosolutions.geostore.services.rest.utils.GeoStoreContext;
import java.io.IOException;
import java.util.Arrays;
import java.util.Date;
import java.util.Locale;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.http.client.ClientHttpRequest;
import org.springframework.http.converter.FormHttpMessageConverter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.token.AccessTokenRequest;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.DefaultOAuth2RefreshToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.HttpMessageConverterExtractor;
import org.springframework.web.client.RequestCallback;
import org.springframework.web.client.RestTemplate;

/* loaded from: input_file:it/geosolutions/geostore/services/rest/security/oauth2/OAuth2SessionServiceDelegate.class */
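/**
 * Base {@link SessionServiceDelegate} for OAuth2 / OpenID Connect providers.
 *
 * <p>Three responsibilities shared by the concrete provider delegates:
 * <ul>
 *   <li>refreshing an access token through the provider token endpoint ({@link #refresh});</li>
 *   <li>logging out: dropping the cached authentication, calling the provider revoke / logout
 *       endpoints, clearing the OAuth2 client context, the servlet session, the Spring security
 *       context and the session cookies ({@link #doLogout});</li>
 *   <li>resolving the authenticated user from the access-token cache ({@link #getUser}).</li>
 * </ul>
 *
 * <p>Authentications are looked up in the {@code oAuth2Cache} {@link TokenAuthenticationCache} bean,
 * keyed by access-token value. Subclasses supply the provider {@link #configuration()} and the
 * {@link #restTemplate()} whose client context is used as a fallback token source.
 *
 * <p>Access-token, refresh-token and ID-token values are credentials: this class logs only their
 * presence or expiration, never the values themselves.
 */
public abstract class OAuth2SessionServiceDelegate implements SessionServiceDelegate {
    private static final Logger LOGGER = LogManager.getLogger(OAuth2SessionServiceDelegate.class);

    /** Resolves a {@link User} from the user name carried by the cached principal. */
    protected UserService userService;

    /**
     * {@link RequestCallback} that posts a form-encoded body (the {@code refresh_token} grant) with
     * the given headers. Nested statically: it uses no state of the enclosing delegate.
     */
    public static class RefreshTokenRequestCallback implements RequestCallback {
        private final MultiValueMap<String, String> form;
        private final HttpHeaders headers;

        private RefreshTokenRequestCallback(MultiValueMap<String, String> form, HttpHeaders headers) {
            this.form = form;
            this.headers = headers;
        }

        /**
         * Copies the configured headers onto the request, advertises the accepted response media
         * types and writes the form as {@code application/x-www-form-urlencoded}.
         */
        @Override
        public void doWithRequest(ClientHttpRequest request) throws IOException {
            HttpHeaders requestHeaders = request.getHeaders();
            requestHeaders.putAll(this.headers);
            requestHeaders.setAccept(
                    Arrays.asList(
                            MediaType.APPLICATION_JSON,
                            MediaType.TEXT_XML,
                            MediaType.TEXT_PLAIN,
                            MediaType.APPLICATION_FORM_URLENCODED));
            new FormHttpMessageConverter().write(this.form, MediaType.APPLICATION_FORM_URLENCODED, request);
        }
    }

    /**
     * Registers this delegate with the session service under {@code name} and keeps the user service.
     *
     * @param sessionService the REST session service that dispatches to registered delegates
     * @param name the name this delegate is registered under
     * @param userService service used to resolve users by name
     */
    public OAuth2SessionServiceDelegate(RESTSessionService sessionService, String name, UserService userService) {
        // `this` escapes before the field below is set; registerDelegate is expected to only store it.
        sessionService.registerDelegate(name, this);
        this.userService = userService;
    }

    /**
     * Refreshes the caller's session.
     *
     * <p>The access token comes from {@code accessToken} or, when null, from the request parameter or
     * bearer header; the refresh token from {@code refreshToken} or the request parameter. The
     * provider token endpoint is called only when the current access token has no known expiration
     * or expires within the next five minutes, and a refresh token is available. Otherwise, or when
     * the refresh did not produce a token, a session token for the current access token is returned.
     *
     * @param refreshToken the refresh token, or null to read it from the request
     * @param accessToken the access token, or null to read it from the request
     * @return the (possibly refreshed) session token; never null
     * @throws NotFoundWebEx when no access token can be found
     */
    public SessionToken refresh(String refreshToken, String accessToken) {
        HttpServletRequest request = OAuth2Utils.getRequest();
        if (accessToken == null) {
            accessToken = OAuth2Utils.tokenFromParamsOrBearer(OAuth2Utils.ACCESS_TOKEN_PARAM, request);
        }
        if (accessToken == null) {
            throw new NotFoundWebEx("Either the accessToken or the refresh token are missing");
        }
        OAuth2AccessToken currentToken = retrieveAccessToken(accessToken);
        Date expiration = currentToken.getExpiration();
        if (refreshToken == null) {
            refreshToken = OAuth2Utils.getParameterValue(OAuth2Utils.REFRESH_TOKEN_PARAM, request);
        }
        OAuth2Configuration configuration = configuration();
        SessionToken sessionToken = null;
        boolean expiringSoon = expiration == null || OAuth2Utils.fiveMinutesFromNow().after(expiration);
        if (expiringSoon && refreshToken != null) {
            LOGGER.debug("Going to refresh the token.");
            // Keep the refreshed token: doRefresh() re-keys the cache entry to the new access-token
            // value, so returning the old one would hand the client a token that no longer resolves.
            // (The result used to be discarded here.)
            sessionToken = doRefresh(refreshToken, accessToken, configuration);
        }
        if (sessionToken == null) {
            sessionToken = sessionToken(accessToken, refreshToken, expiration);
        }
        return sessionToken;
    }

    /**
     * Exchanges a refresh token at the provider token endpoint.
     *
     * <p>On success the cached authentication and the security context are re-keyed to the new
     * access token and a session token for it is returned. If the provider rotated the refresh token
     * (RFC 6749 §6), the new one replaces the supplied one. On failure (no token in the response) the
     * local session is logged out, the response is redirected to the provider login page and null is
     * returned.
     *
     * @param refreshToken refresh token to exchange
     * @param accessToken the current access token (cache key of the authentication to update)
     * @param configuration provider configuration (token URI, client secret, provider name)
     * @return session token for the new access token, or null when the refresh failed
     * @throws RuntimeException wrapping the {@link IOException} if the login redirect cannot be sent
     */
    protected SessionToken doRefresh(String refreshToken, String accessToken, OAuth2Configuration configuration) {
        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("grant_type", OAuth2Utils.REFRESH_TOKEN_PARAM);
        form.add(OAuth2Utils.REFRESH_TOKEN_PARAM, refreshToken);
        // The client secret travels in the form body; nothing from this body is logged.
        form.add(ClientSecretRequestEnhancer.CLIENT_SECRET, configuration.getClientSecret());
        OAuth2AccessToken newToken =
                new RestTemplate()
                        .execute(
                                configuration.buildRefreshTokenURI(),
                                HttpMethod.POST,
                                new RefreshTokenRequestCallback(form, new HttpHeaders()),
                                tokenExtractor());
        if (newToken == null || newToken.getValue() == null) {
            LOGGER.info(
                    "Unable to refresh the token. The following request was performed: {}. Redirecting to login.",
                    configuration.buildRefreshTokenURI("offline"));
            doLogout(null);
            try {
                // Locale.ROOT: the provider name becomes a URL path segment, so the lowering must not
                // depend on the JVM default locale.
                OAuth2Utils.getResponse()
                        .sendRedirect(
                                "../../openid/" + configuration.getProvider().toLowerCase(Locale.ROOT) + "/login");
            } catch (IOException e) {
                LOGGER.error("Error while sending redirect to login service. ", e);
                throw new RuntimeException(e);
            }
            return null;
        }
        // Prefer a rotated refresh token from the response; fall back to the one we sent.
        String effectiveRefreshToken =
                newToken.getRefreshToken() != null && newToken.getRefreshToken().getValue() != null
                        ? newToken.getRefreshToken().getValue()
                        : refreshToken;
        updateAuthToken(accessToken, newToken, effectiveRefreshToken, configuration);
        return sessionToken(newToken.getValue(), effectiveRefreshToken, newToken.getExpiration());
    }

    /**
     * Builds the REST session token returned to the client.
     *
     * @param accessToken access-token value
     * @param refreshToken refresh-token value, may be null
     * @param expiration expiration of the access token, or null when unknown ({@code expires} stays
     *     unset)
     */
    private SessionToken sessionToken(String accessToken, String refreshToken, Date expiration) {
        SessionToken token = new SessionToken();
        // A token rebuilt from a bare value (see retrieveAccessToken) has no expiration; this used to
        // dereference a null Date.
        token.setExpires(expiration == null ? null : Long.valueOf(expiration.getTime()));
        token.setAccessToken(accessToken);
        token.setRefreshToken(refreshToken);
        token.setTokenType("bearer");
        return token;
    }

    /**
     * Re-keys the cached authentication from the old access-token value to the new one and installs
     * the updated authentication in the security context.
     *
     * <p>Only a {@link PreAuthenticatedAuthenticationToken} (found in the cache, else in the security
     * context) is updated; any other authentication is returned untouched.
     *
     * @param oldAccessToken cache key of the current authentication
     * @param newToken access token returned by the provider
     * @param refreshToken refresh token to attach to the new details, may be null
     * @param configuration provider configuration; its bean name is stored on the details
     * @return the authentication now in the cache and security context
     */
    private Authentication updateAuthToken(
            String oldAccessToken, OAuth2AccessToken newToken, String refreshToken, OAuth2Configuration configuration) {
        Authentication authentication = cache().get(oldAccessToken);
        if (authentication == null) {
            authentication = SecurityContextHolder.getContext().getAuthentication();
        }
        if (!(authentication instanceof PreAuthenticatedAuthenticationToken)) {
            return authentication;
        }
        LOGGER.debug("Updating the cache and the SecurityContext with new Auth details");
        TokenDetails currentDetails = OAuth2Utils.getTokenDetails(authentication);
        String idToken = currentDetails != null ? currentDetails.getIdToken() : null;
        cache().removeEntry(oldAccessToken);
        PreAuthenticatedAuthenticationToken updated =
                new PreAuthenticatedAuthenticationToken(
                        authentication.getPrincipal(), authentication.getCredentials(), authentication.getAuthorities());
        DefaultOAuth2AccessToken accessToken = new DefaultOAuth2AccessToken(newToken);
        if (refreshToken != null) {
            accessToken.setRefreshToken(new DefaultOAuth2RefreshToken(refreshToken));
        }
        // Token values are credentials: log only expiration and presence, never the values.
        LOGGER.debug(
                "Creating new details. AccessToken expires: {}, IdToken present: {}",
                accessToken.getExpiration(),
                idToken != null);
        updated.setDetails(new TokenDetails(accessToken, idToken, configuration.getBeanName()));
        cache().putCacheEntry(newToken.getValue(), updated);
        SecurityContextHolder.getContext().setAuthentication(updated);
        return updated;
    }

    /**
     * Resolves the {@link OAuth2AccessToken} behind an access-token value.
     *
     * <p>Lookup order: the token details cached for this value; then the access token of the
     * {@link OAuth2RestTemplate} client context; finally a bare {@link DefaultOAuth2AccessToken}
     * wrapping the value, which carries no expiration.
     *
     * @param accessToken access-token value
     * @return never null
     */
    private OAuth2AccessToken retrieveAccessToken(String accessToken) {
        Authentication authentication = cache().get(accessToken);
        OAuth2AccessToken token = null;
        if (authentication != null) {
            token = OAuth2Utils.getTokenDetails(authentication).getAccessToken();
        }
        if (token == null) {
            // NOTE(review): the client-context token is not compared with the requested value; it is
            // presumably scoped to the current request's principal — confirm before relying on it.
            OAuth2ClientContext clientContext =
                    ((OAuth2RestTemplate) GeoStoreContext.bean(OAuth2RestTemplate.class)).getOAuth2ClientContext();
            if (clientContext != null) {
                token = clientContext.getAccessToken();
            }
        }
        if (token == null) {
            token = new DefaultOAuth2AccessToken(accessToken);
        }
        return token;
    }

    /**
     * Logs the session out locally and, when an access token can be found, at the provider.
     *
     * <p>Steps: drop the cached authentication for the token; revoke / log out at the provider
     * ({@link #doLogoutInternal}); clear the OAuth2 client context, the servlet session and the
     * Spring security context ({@link #clearSession}); finally expire the session cookies
     * ({@link #clearCookies}) when a request and response are available.
     *
     * @param accessToken the access token, or null to read it from the request parameter
     */
    public void doLogout(String accessToken) {
        HttpServletRequest request = OAuth2Utils.getRequest();
        HttpServletResponse response = OAuth2Utils.getResponse();
        OAuth2RestTemplate restTemplate = restTemplate();
        if (accessToken == null) {
            accessToken = OAuth2Utils.getParameterValue(OAuth2Utils.ACCESS_TOKEN_PARAM, request);
        }
        TokenAuthenticationCache cache = cache();
        TokenDetails details = OAuth2Utils.getTokenDetails(cache.get(accessToken));
        OAuth2AccessToken token = details != null ? details.getAccessToken() : null;
        cache.removeEntry(accessToken);
        if (token == null) {
            token = restTemplate.getOAuth2ClientContext().getAccessToken();
        }
        if (token != null) {
            doLogoutInternal(token, configuration());
            clearSession(restTemplate, request);
        } else {
            LOGGER.debug("Unable to retrieve access token. Remote logout was not executed.");
        }
        if (request != null && response != null) {
            clearCookies(request, response);
        }
    }

    /**
     * Clears the OAuth2 client context (preserved state and token parameters of the pending access
     * token request), logs the servlet request out and clears the Spring security context.
     *
     * <p>The security context is cleared even when the servlet logout fails.
     */
    private void clearSession(OAuth2RestTemplate restTemplate, HttpServletRequest request) {
        OAuth2ClientContext clientContext = restTemplate.getOAuth2ClientContext();
        AccessTokenRequest accessTokenRequest = clientContext.getAccessTokenRequest();
        if (accessTokenRequest != null && accessTokenRequest.getStateKey() != null) {
            clientContext.removePreservedState(accessTokenRequest.getStateKey());
        }
        try {
            // The request may be absent; it used to be dereferenced unconditionally here.
            if (accessTokenRequest != null) {
                accessTokenRequest.remove(OAuth2Utils.ACCESS_TOKEN_PARAM);
                accessTokenRequest.remove(OAuth2Utils.REFRESH_TOKEN_PARAM);
            }
            request.logout();
        } catch (ServletException e) {
            LOGGER.error("Error happened while doing request logout: ", e);
        } finally {
            SecurityContextHolder.clearContext();
        }
    }

    /**
     * Revokes the token at the provider and calls its logout endpoint.
     *
     * <p>Nothing is done when the configuration has no revoke endpoint. The refresh token is sent to
     * the revoke endpoint when there is one, else the access token; the logout endpoint always gets
     * the access token.
     *
     * @param token the token to log out
     * @param configuration provider configuration (revoke endpoint, logout URI)
     */
    protected void doLogoutInternal(OAuth2AccessToken token, OAuth2Configuration configuration) {
        String tokenToRevoke =
                token.getRefreshToken() != null ? token.getRefreshToken().getValue() : token.getValue();
        if (configuration.getRevokeEndpoint() == null || tokenToRevoke == null) {
            return;
        }
        LOGGER.debug("Performing remote logout");
        callRevokeEndpoint(tokenToRevoke, configuration.getRevokeEndpoint());
        callRemoteLogout(token.getValue(), configuration.getLogoutUri());
    }

    /**
     * Calls the provider revoke endpoint for {@code token}.
     *
     * @param token the token to revoke
     * @param revokeEndpoint not read: the endpoint is built from {@link #configuration()}. Kept for
     *     signature compatibility with subclasses.
     */
    protected void callRevokeEndpoint(String token, String revokeEndpoint) {
        callProviderEndpoint(configuration().buildRevokeEndpoint(token), "revoking authorization");
    }

    /**
     * Calls the provider logout endpoint for {@code accessToken}.
     *
     * @param accessToken the access token being logged out
     * @param logoutUri not read: the endpoint is built from {@link #configuration()}. Kept for
     *     signature compatibility with subclasses.
     */
    protected void callRemoteLogout(String accessToken, String logoutUri) {
        callProviderEndpoint(configuration().buildLogoutEndpoint(accessToken), "calling remote logout");
    }

    /**
     * Performs one provider call and logs a non-2xx status.
     *
     * @param endpoint the call to make; null means "not configured" and is a no-op
     * @param action short description used in the error message
     */
    private void callProviderEndpoint(OAuth2Configuration.Endpoint endpoint, String action) {
        if (endpoint == null) {
            return;
        }
        // NOTE(review): with RestTemplate's default error handler a 4xx/5xx is thrown before this
        // check, so only non-2xx statuses that pass the handler are logged here.
        ResponseEntity<String> response =
                new RestTemplate().exchange(endpoint.getUrl(), endpoint.getMethod(), (HttpEntity<?>) null, String.class);
        if (!response.getStatusCode().is2xxSuccessful()) {
            LOGGER.error("Error while {}. Error is: {}", action, response.getBody());
        }
    }

    /**
     * Expires the session-related cookies (see {@link #deleteCookie}) on the response.
     *
     * <p>A cookie is removed by sending it back with {@code Max-Age=0} and an empty value; the
     * negative max age sent previously only turned it into a session cookie and left the value in the
     * browser. A deletion must match the path the cookie was set with: {@code /} is assumed here.
     */
    protected void clearCookies(HttpServletRequest request, HttpServletResponse response) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return;
        }
        for (Cookie cookie : cookies) {
            if (!deleteCookie(cookie)) {
                continue;
            }
            cookie.setMaxAge(0);
            cookie.setValue("");
            // NOTE(review): the path the cookie was originally set with is not known here — confirm
            // that "/" matches, otherwise the browser keeps the original cookie.
            cookie.setPath("/");
            cookie.setComment("EXPIRING COOKIE at " + System.currentTimeMillis());
            response.addCookie(cookie);
        }
    }

    /**
     * Whether {@code cookie} is one of the cookies dropped on logout: {@code JSESSIONID}, the
     * access-token cookie or the refresh-token cookie (names compared case-insensitively).
     */
    protected boolean deleteCookie(Cookie cookie) {
        String name = cookie.getName();
        return name.equalsIgnoreCase("JSESSIONID")
                || name.equalsIgnoreCase(OAuth2Utils.ACCESS_TOKEN_PARAM)
                || name.equalsIgnoreCase(OAuth2Utils.REFRESH_TOKEN_PARAM);
    }

    /** The {@code oAuth2Cache} bean: authentications keyed by access-token value. */
    private TokenAuthenticationCache cache() {
        return (TokenAuthenticationCache) GeoStoreContext.bean("oAuth2Cache", TokenAuthenticationCache.class);
    }

    /** The configuration of the provider this delegate serves. */
    protected abstract OAuth2Configuration configuration();

    /**
     * Looks up a provider configuration bean by name.
     *
     * @param beanName name of the {@link OAuth2Configuration} bean
     */
    public OAuth2Configuration configuration(String beanName) {
        return (OAuth2Configuration) GeoStoreContext.bean(beanName, OAuth2Configuration.class);
    }

    /** Response extractor that reads an {@link OAuth2AccessToken} with the rest template's converters. */
    protected HttpMessageConverterExtractor<OAuth2AccessToken> tokenExtractor() {
        return new HttpMessageConverterExtractor<>(OAuth2AccessToken.class, restTemplate().getMessageConverters());
    }

    /** The OAuth2 rest template whose client context holds the current request's token. */
    protected abstract OAuth2RestTemplate restTemplate();

    /**
     * Resolves the user behind an access token.
     *
     * @param accessToken access-token value (cache key)
     * @param refresh not supported by this delegate; {@code true} only logs a warning
     * @param unused not read by this delegate
     * @return the user; a minimal {@link User} carrying only the name when the user service fails; or
     *     null when the token is not cached
     */
    public User getUser(String accessToken, boolean refresh, boolean unused) {
        String userName = getUserName(accessToken, refresh, unused);
        if (userName == null) {
            return null;
        }
        try {
            return this.userService.get(userName);
        } catch (Exception e) {
            // Best effort: the caller still gets the name when the user store is unavailable.
            LOGGER.warn("Issue while retrieving user. Will return just the username.", e);
            User user = new User();
            user.setName(userName);
            return user;
        }
    }

    /**
     * Resolves the user name of the principal cached for an access token.
     *
     * @param accessToken access-token value (cache key)
     * @param refresh not supported by this delegate; {@code true} only logs a warning
     * @param unused not read by this delegate
     * @return the user name, or null when nothing is cached for the token or the principal is null
     */
    public String getUserName(String accessToken, boolean refresh, boolean unused) {
        Authentication authentication = cache().get(accessToken);
        if (refresh) {
            LOGGER.warn("Refresh was set to true but this delegate is not supporting refreshing token when retrieving the user...");
        }
        if (authentication == null) {
            return null;
        }
        Object principal = authentication.getPrincipal();
        return principal == null ? null : SecurityUtils.getUsername(principal);
    }
}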
