package it.geosolutions.geostore.services.rest.security.oauth2;

import it.geosolutions.geostore.core.model.User;
import it.geosolutions.geostore.core.security.password.SecurityUtils;
import it.geosolutions.geostore.services.UserService;
import it.geosolutions.geostore.services.rest.RESTSessionService;
import it.geosolutions.geostore.services.rest.SessionServiceDelegate;
import it.geosolutions.geostore.services.rest.exception.NotFoundWebEx;
import it.geosolutions.geostore.services.rest.model.SessionToken;
import it.geosolutions.geostore.services.rest.security.TokenAuthenticationCache;
import it.geosolutions.geostore.services.rest.security.oauth2.OAuth2Configuration;
import it.geosolutions.geostore.services.rest.security.oauth2.openid_connect.enancher.ClientSecretRequestEnhancer;
import it.geosolutions.geostore.services.rest.utils.GeoStoreContext;
import java.io.IOException;
import java.util.Date;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.resource.UserRedirectRequiredException;
import org.springframework.security.oauth2.client.token.AccessTokenRequest;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.DefaultOAuth2RefreshToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2RefreshToken;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.web.client.HttpMessageConverterExtractor;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.context.request.RequestAttributes;
import org.springframework.web.context.request.RequestContextHolder;

/* loaded from: input_file:it/geosolutions/geostore/services/rest/security/oauth2/OAuth2SessionServiceDelegate.class */
public abstract class OAuth2SessionServiceDelegate implements SessionServiceDelegate {
    private static final Logger LOGGER = LogManager.getLogger(OAuth2SessionServiceDelegate.class);
    protected UserService userService;

    public OAuth2SessionServiceDelegate(RESTSessionService rESTSessionService, String str, UserService userService) {
        rESTSessionService.registerDelegate(str, this);
        this.userService = userService;
    }

    public OAuth2SessionServiceDelegate(RestTemplate restTemplate, OAuth2Configuration oAuth2Configuration) {
    }

    public SessionToken refresh(String str, String str2) {
        String str3 = "";
        String str4 = "";
        HttpServletRequest request = getRequest();
        if (str2 == null || str2.isEmpty()) {
            str2 = OAuth2Utils.tokenFromParamsOrBearer(OAuth2Utils.ACCESS_TOKEN_PARAM, request);
        }
        if (str2 == null || str2.isEmpty()) {
            throw new NotFoundWebEx("Either the accessToken or the refresh token are missing");
        }
        OAuth2AccessToken retrieveAccessToken = retrieveAccessToken(str2);
        String value = (retrieveAccessToken.getRefreshToken() == null || retrieveAccessToken.getRefreshToken().getValue() == null || retrieveAccessToken.getRefreshToken().getValue().isEmpty()) ? str : retrieveAccessToken.getRefreshToken().getValue();
        if (value == null || value.isEmpty()) {
            value = OAuth2Utils.getParameterValue(OAuth2Utils.REFRESH_TOKEN_PARAM, request);
        }
        SessionToken sessionToken = null;
        OAuth2Configuration configuration = configuration();
        if (configuration != null && configuration.isEnabled()) {
            if (LOGGER.isDebugEnabled()) {
                LOGGER.info("Going to refresh the token.");
            }
            try {
                sessionToken = doRefresh(value, str2, configuration);
            } catch (NullPointerException e) {
                str3 = "Current configuration wasn't correctly initialized.";
                LOGGER.error("Current configuration wasn't correctly initialized.", e);
            } catch (UserRedirectRequiredException e2) {
                str4 = "A redirect is required to get the user's approval.";
                LOGGER.warn(str4);
            } catch (Exception e3) {
                str3 = "An error occurred during token refresh: " + e3.getMessage();
                LOGGER.error(str3);
            }
        }
        if (sessionToken == null && !isTokenExpired(retrieveAccessToken)) {
            if (str4.isEmpty()) {
                str4 = "Refresh Session Token was NULL for some reason... Seeding it with previous Access Token!";
            }
            sessionToken = sessionToken(str2, value, retrieveAccessToken.getExpiration());
        }
        if (sessionToken != null) {
            if (!str4.isEmpty()) {
                sessionToken.setWarning(str4);
            }
            if (!str3.isEmpty()) {
                sessionToken.setError(str3);
            }
            request.setAttribute(OAuth2AuthenticationDetails.ACCESS_TOKEN_VALUE, sessionToken.getAccessToken());
            request.setAttribute(OAuth2AuthenticationDetails.ACCESS_TOKEN_TYPE, sessionToken.getTokenType());
        }
        return sessionToken;
    }

    private boolean isTokenExpired(OAuth2AccessToken oAuth2AccessToken) {
        return (oAuth2AccessToken == null || oAuth2AccessToken.getValue().isEmpty() || (oAuth2AccessToken.getExpiration() != null && (oAuth2AccessToken.getExpiration() == null || !oAuth2AccessToken.getExpiration().before(new Date())))) ? false : true;
    }

    protected SessionToken doRefresh(String str, String str2, OAuth2Configuration oAuth2Configuration) {
        SessionToken sessionToken = null;
        int i = 0;
        OAuth2RestTemplate restTemplate = restTemplate();
        HttpHeaders httpHeaders = getHttpHeaders(str2, oAuth2Configuration);
        LinkedMultiValueMap linkedMultiValueMap = new LinkedMultiValueMap();
        linkedMultiValueMap.add("grant_type", OAuth2Utils.REFRESH_TOKEN_PARAM);
        linkedMultiValueMap.add(OAuth2Utils.REFRESH_TOKEN_PARAM, str);
        linkedMultiValueMap.add(ClientSecretRequestEnhancer.CLIENT_SECRET, oAuth2Configuration.getClientSecret());
        linkedMultiValueMap.add("client_id", oAuth2Configuration.getClientId());
        HttpEntity httpEntity = new HttpEntity(linkedMultiValueMap, httpHeaders);
        long initialBackoffDelay = oAuth2Configuration.getInitialBackoffDelay();
        int maxRetries = oAuth2Configuration.getMaxRetries() > 0 ? oAuth2Configuration.getMaxRetries() : 1;
        while (true) {
            if (i >= maxRetries) {
                break;
            }
            i++;
            LOGGER.info("Attempting to refresh token, attempt {} of {}", Integer.valueOf(i), Integer.valueOf(maxRetries));
            try {
                ResponseEntity exchange = restTemplate.exchange(oAuth2Configuration.buildRefreshTokenURI(), HttpMethod.POST, httpEntity, OAuth2AccessToken.class, new Object[0]);
                if (exchange.getStatusCode().is2xxSuccessful()) {
                    OAuth2AccessToken oAuth2AccessToken = (OAuth2AccessToken) exchange.getBody();
                    if (oAuth2AccessToken == null || isTokenExpired(oAuth2AccessToken)) {
                        LOGGER.warn("Received invalid or expired token on attempt {}", Integer.valueOf(i));
                    } else {
                        DefaultOAuth2RefreshToken refreshToken = oAuth2AccessToken.getRefreshToken();
                        DefaultOAuth2RefreshToken defaultOAuth2RefreshToken = (refreshToken == null || refreshToken.getValue() == null) ? new DefaultOAuth2RefreshToken(str) : refreshToken;
                        updateAuthToken(str2, oAuth2AccessToken, defaultOAuth2RefreshToken, oAuth2Configuration);
                        sessionToken = sessionToken(oAuth2AccessToken.getValue(), defaultOAuth2RefreshToken.getValue(), oAuth2AccessToken.getExpiration());
                        LOGGER.info("Token refreshed successfully on attempt {}", Integer.valueOf(i));
                    }
                } else {
                    if (exchange.getStatusCode().is4xxClientError()) {
                        LOGGER.error("Client error occurred: {}. Stopping further attempts.", exchange.getStatusCode());
                        break;
                    }
                    LOGGER.warn("Server error occurred: {}. Retrying...", exchange.getStatusCode());
                }
            } catch (RestClientException e) {
                LOGGER.error("Attempt {}: Error refreshing token: {}", Integer.valueOf(i), e.getMessage());
                if (i == maxRetries) {
                    LOGGER.error("Max retries reached. Unable to refresh token.");
                    break;
                }
            } catch (UserRedirectRequiredException e2) {
                LOGGER.warn("A redirect is required to get the user's approval.");
                sessionToken = sessionToken(str2, str, null);
                sessionToken.setWarning("A redirect is required to get the user's approval.");
            }
            if (i < maxRetries) {
                try {
                    LOGGER.info("Waiting for {} ms before next retry.", Long.valueOf(initialBackoffDelay));
                    Thread.sleep(initialBackoffDelay);
                } catch (InterruptedException e3) {
                    LOGGER.warn("Backoff delay interrupted", e3);
                    Thread.currentThread().interrupt();
                }
                initialBackoffDelay = (long) (initialBackoffDelay * oAuth2Configuration.getBackoffMultiplier());
            }
        }
        if (sessionToken == null) {
            try {
                handleRefreshFailure(str2, str, oAuth2Configuration);
            } catch (Exception e4) {
                LOGGER.error("Could not successfully perform the 'doLogout' procedure due to an internal error.", e4);
            }
        }
        return sessionToken;
    }

    public void handleRefreshFailure(String str, String str2, OAuth2Configuration oAuth2Configuration) {
        LOGGER.info("Unable to refresh token after max retries. Clearing session and redirecting to login.");
        doLogout(null);
        try {
            getResponse().sendRedirect("../../openid/" + oAuth2Configuration.getProvider().toLowerCase() + "/login");
        } catch (IOException e) {
            LOGGER.error("Error while sending redirect to login service: ", e);
            throw new RuntimeException("Failed to redirect to login", e);
        }
    }

    private static HttpHeaders getHttpHeaders(String str, OAuth2Configuration oAuth2Configuration) {
        HttpHeaders httpHeaders = new HttpHeaders();
        if (oAuth2Configuration != null && oAuth2Configuration.getClientId() != null && oAuth2Configuration.getClientSecret() != null) {
            httpHeaders.setBasicAuth(oAuth2Configuration.getClientId(), oAuth2Configuration.getClientSecret());
        } else if (str != null && !str.isEmpty()) {
            httpHeaders.set("Authorization", "Bearer " + str);
        }
        httpHeaders.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        return httpHeaders;
    }

    private SessionToken sessionToken(String str, String str2, Date date) {
        SessionToken sessionToken = new SessionToken();
        if (date != null) {
            sessionToken.setExpires(Long.valueOf(date.getTime()));
        }
        sessionToken.setAccessToken(str);
        sessionToken.setRefreshToken(str2);
        sessionToken.setTokenType("bearer");
        return sessionToken;
    }

    protected void updateAuthToken(String str, OAuth2AccessToken oAuth2AccessToken, OAuth2RefreshToken oAuth2RefreshToken, OAuth2Configuration oAuth2Configuration) {
        Authentication authentication = cache().get(str);
        if (authentication == null) {
            authentication = SecurityContextHolder.getContext().getAuthentication();
        }
        if (LOGGER.isDebugEnabled()) {
            LOGGER.info("Updating the cache and the SecurityContext with new Auth details");
        }
        if (authentication == null || (authentication instanceof AnonymousAuthenticationToken)) {
            return;
        }
        String idToken = getTokenDetails(authentication).getIdToken();
        cache().removeEntry(str);
        PreAuthenticatedAuthenticationToken preAuthenticatedAuthenticationToken = new PreAuthenticatedAuthenticationToken(authentication.getPrincipal(), authentication.getCredentials(), authentication.getAuthorities());
        DefaultOAuth2AccessToken defaultOAuth2AccessToken = new DefaultOAuth2AccessToken(oAuth2AccessToken);
        if (oAuth2RefreshToken != null) {
            defaultOAuth2AccessToken.setRefreshToken(oAuth2RefreshToken);
        }
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Creating new details. AccessToken: {} IdToken: {}", defaultOAuth2AccessToken, idToken);
        }
        preAuthenticatedAuthenticationToken.setDetails(new TokenDetails(defaultOAuth2AccessToken, idToken, oAuth2Configuration.getBeanName()));
        cache().putCacheEntry(oAuth2AccessToken.getValue(), preAuthenticatedAuthenticationToken);
        SecurityContextHolder.getContext().setAuthentication(preAuthenticatedAuthenticationToken);
    }

    protected TokenDetails getTokenDetails(Authentication authentication) {
        return OAuth2Utils.getTokenDetails(authentication);
    }

    protected OAuth2AccessToken retrieveAccessToken(String str) {
        OAuth2RestTemplate restTemplate;
        OAuth2ClientContext oAuth2ClientContext;
        Authentication authentication = cache() != null ? cache().get(str) : null;
        OAuth2AccessToken oAuth2AccessToken = null;
        if (authentication != null) {
            oAuth2AccessToken = OAuth2Utils.getTokenDetails(authentication).getAccessToken();
        }
        if (oAuth2AccessToken == null && (restTemplate = restTemplate()) != null && (oAuth2ClientContext = restTemplate.getOAuth2ClientContext()) != null) {
            oAuth2AccessToken = oAuth2ClientContext.getAccessToken();
        }
        if (oAuth2AccessToken == null) {
            oAuth2AccessToken = new DefaultOAuth2AccessToken(str);
        }
        return oAuth2AccessToken;
    }

    protected HttpServletRequest getRequest() {
        return OAuth2Utils.getRequest();
    }

    protected HttpServletResponse getResponse() {
        return OAuth2Utils.getResponse();
    }

    public void doLogout(String str) {
        HttpServletRequest request = getRequest();
        HttpServletResponse response = getResponse();
        OAuth2RestTemplate restTemplate = restTemplate();
        OAuth2Configuration configuration = configuration();
        if (request == null || response == null || configuration == null) {
            LOGGER.warn("Request, response, or configuration is null, unable to proceed with logout.");
            return;
        }
        String str2 = null;
        String str3 = null;
        if (str != null) {
            TokenAuthenticationCache cache = cache();
            TokenDetails tokenDetails = getTokenDetails(cache.get(str));
            if (tokenDetails != null) {
                str2 = tokenDetails.getIdToken();
                str3 = tokenDetails.getAccessToken().getValue();
            }
            cache.removeEntry(str);
        }
        if (str2 == null) {
            if (restTemplate != null && restTemplate.getOAuth2ClientContext() != null && restTemplate.getOAuth2ClientContext().getAccessToken() != null) {
                str2 = restTemplate.getOAuth2ClientContext().getAccessToken().getRefreshToken().getValue();
            }
            if (str2 == null) {
                str2 = OAuth2Utils.getParameterValue(OAuth2Utils.REFRESH_TOKEN_PARAM, request);
            }
            if (str2 == null) {
                str2 = (String) ((RequestAttributes) Objects.requireNonNull(RequestContextHolder.getRequestAttributes())).getAttribute(OAuth2Utils.REFRESH_TOKEN_PARAM, 0);
            }
        }
        if (str3 == null) {
            if (restTemplate != null && restTemplate.getOAuth2ClientContext() != null && restTemplate.getOAuth2ClientContext().getAccessToken() != null) {
                str3 = restTemplate.getOAuth2ClientContext().getAccessToken().getValue();
            }
            if (str3 == null) {
                str3 = OAuth2Utils.getParameterValue(OAuth2Utils.ACCESS_TOKEN_PARAM, request);
            }
            if (str3 == null) {
                str3 = (String) ((RequestAttributes) Objects.requireNonNull(RequestContextHolder.getRequestAttributes())).getAttribute(OAuth2Utils.ACCESS_TOKEN_PARAM, 0);
            }
        }
        if (configuration.isEnabled()) {
            if (str2 != null && str3 != null && !str2.isEmpty() && !str3.isEmpty()) {
                if (configuration.isGlobalLogoutEnabled()) {
                    doLogoutInternal(str2, configuration, str3);
                }
                if (configuration.getRevokeEndpoint() != null) {
                    clearSession(restTemplate, request);
                }
            } else if (LOGGER.isDebugEnabled()) {
                LOGGER.info("Unable to retrieve access token. Remote logout was not executed.");
            }
            if (response != null) {
                clearCookies(request, response);
            }
        }
    }

    private void clearSession(OAuth2RestTemplate oAuth2RestTemplate, HttpServletRequest httpServletRequest) {
        AccessTokenRequest accessTokenRequest = oAuth2RestTemplate.getOAuth2ClientContext().getAccessTokenRequest();
        if (accessTokenRequest != null && accessTokenRequest.getStateKey() != null) {
            oAuth2RestTemplate.getOAuth2ClientContext().removePreservedState(accessTokenRequest.getStateKey());
        }
        if (accessTokenRequest != null) {
            try {
                accessTokenRequest.remove(OAuth2Utils.ACCESS_TOKEN_PARAM);
                accessTokenRequest.remove(OAuth2Utils.REFRESH_TOKEN_PARAM);
            } catch (ServletException e) {
                LOGGER.error("Error happened while doing request logout: ", e);
                return;
            } finally {
                SecurityContextHolder.clearContext();
            }
        }
        httpServletRequest.logout();
    }

    protected void doLogoutInternal(Object obj, OAuth2Configuration oAuth2Configuration, String str) {
        String str2 = null;
        if (obj instanceof OAuth2AccessToken) {
            str2 = ((OAuth2AccessToken) obj).getRefreshToken() != null ? ((OAuth2AccessToken) obj).getRefreshToken().getValue() : ((OAuth2AccessToken) obj).getValue();
        } else if (obj instanceof String) {
            str2 = (String) obj;
        }
        if (oAuth2Configuration.getRevokeEndpoint() == null || str2 == null) {
            return;
        }
        if (LOGGER.isDebugEnabled()) {
            LOGGER.info("Performing remote logout");
        }
        callRevokeEndpoint(str2, str);
        callRemoteLogout(str2, str);
    }

    protected void callRevokeEndpoint(String str, String str2) {
        OAuth2Configuration.Endpoint buildRevokeEndpoint;
        OAuth2Configuration configuration = configuration();
        if (configuration == null || !configuration.isEnabled() || (buildRevokeEndpoint = configuration.buildRevokeEndpoint(str, str2, configuration)) == null) {
            return;
        }
        try {
            ResponseEntity exchange = new RestTemplate().exchange(buildRevokeEndpoint.getUrl(), buildRevokeEndpoint.getMethod(), buildRevokeEndpoint.getRequestEntity(), String.class, new Object[0]);
            if (exchange.getStatusCode().value() != 200) {
                logRevokeErrors(exchange.getBody());
            }
        } catch (Exception e) {
            logRevokeErrors(e);
        }
    }

    protected void callRemoteLogout(String str, String str2) {
        OAuth2Configuration.Endpoint buildLogoutEndpoint;
        OAuth2Configuration configuration = configuration();
        if (configuration == null || !configuration.isEnabled() || (buildLogoutEndpoint = configuration.buildLogoutEndpoint(str, str2, configuration)) == null) {
            return;
        }
        ResponseEntity exchange = new RestTemplate().exchange(buildLogoutEndpoint.getUrl(), buildLogoutEndpoint.getMethod(), buildLogoutEndpoint.getRequestEntity(), String.class, new Object[0]);
        if (exchange.getStatusCode().value() != 200) {
            logRevokeErrors(exchange.getBody());
        }
    }

    protected void clearCookies(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                if (deleteCookie(cookie)) {
                    cookie.setMaxAge(-1);
                    cookie.setPath("/");
                    cookie.setComment("EXPIRING COOKIE at " + System.currentTimeMillis());
                    httpServletResponse.addCookie(cookie);
                }
            }
        }
    }

    protected boolean deleteCookie(Cookie cookie) {
        return cookie.getName().equalsIgnoreCase("JSESSIONID") || cookie.getName().equalsIgnoreCase(OAuth2Utils.ACCESS_TOKEN_PARAM) || cookie.getName().equalsIgnoreCase(OAuth2Utils.REFRESH_TOKEN_PARAM);
    }

    protected TokenAuthenticationCache cache() {
        return (TokenAuthenticationCache) GeoStoreContext.bean("oAuth2Cache", TokenAuthenticationCache.class);
    }

    protected OAuth2Configuration configuration() {
        Map beans = GeoStoreContext.beans(OAuth2Configuration.class);
        if (beans == null) {
            LOGGER.error("OAuth2Configuration is not initialized properly.");
            throw new IllegalStateException("Configuration is required but not initialized.");
        }
        Optional findFirst = beans.values().stream().filter((v0) -> {
            return v0.isEnabled();
        }).findFirst();
        if (findFirst.isPresent()) {
            return (OAuth2Configuration) findFirst.get();
        }
        return null;
    }

    protected HttpMessageConverterExtractor<OAuth2AccessToken> tokenExtractor() {
        return new HttpMessageConverterExtractor<>(OAuth2AccessToken.class, restTemplate().getMessageConverters());
    }

    protected abstract OAuth2RestTemplate restTemplate();

    public User getUser(String str, boolean z, boolean z2) {
        User user;
        String userName = getUserName(str, z, z2);
        if (userName == null) {
            return null;
        }
        try {
            user = this.userService.get(userName);
        } catch (Exception e) {
            LOGGER.warn("Issue while retrieving user. Will return just the username.", e);
            user = new User();
            user.setName(userName);
        }
        return user;
    }

    public String getUserName(String str, boolean z, boolean z2) {
        Object principal;
        Authentication authentication = cache().get(str);
        if (z) {
            LOGGER.warn("Refresh was set to true but this delegate is not supporting refreshing token when retrieving the user...");
        }
        if (authentication == null || (principal = authentication.getPrincipal()) == null) {
            return null;
        }
        return SecurityUtils.getUsername(principal);
    }

    private static void logRevokeErrors(Object obj) {
        LOGGER.error("Error while revoking authorization. Error is: {}", obj);
    }
}
