package org.dcache.gplazma.oidc;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Joiner;
import com.google.common.base.Preconditions;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.common.net.InternetDomainName;
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Properties;
import java.util.Random;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import org.codehaus.jackson.JsonNode;
import org.dcache.auth.BearerTokenCredential;
import org.dcache.auth.EmailAddressPrincipal;
import org.dcache.auth.FullNamePrincipal;
import org.dcache.auth.OidcSubjectPrincipal;
import org.dcache.gplazma.AuthenticationException;
import org.dcache.gplazma.oidc.exceptions.OidcException;
import org.dcache.gplazma.oidc.helpers.JsonHttpClient;
import org.dcache.gplazma.plugins.GPlazmaAuthenticationPlugin;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/dcache/gplazma/oidc/OidcAuthPlugin.class */
public class OidcAuthPlugin implements GPlazmaAuthenticationPlugin {
    private static final Logger LOG = LoggerFactory.getLogger(OidcAuthPlugin.class);
    private static final String OIDC_HOSTNAMES = "gplazma.oidc.hostnames";
    private final LoadingCache<String, JsonNode> cache;
    private Set<String> discoveryDocs;
    private JsonHttpClient jsonHttpClient;
    private final Random random;

    public OidcAuthPlugin(Properties properties) {
        this(properties, new JsonHttpClient());
    }

    @VisibleForTesting
    OidcAuthPlugin(Properties properties, JsonHttpClient jsonHttpClient) {
        this(properties, jsonHttpClient, createLoadingCache(jsonHttpClient));
    }

    @VisibleForTesting
    OidcAuthPlugin(Properties properties, JsonHttpClient jsonHttpClient, LoadingCache<String, JsonNode> loadingCache) {
        this.random = new Random();
        String property = properties.getProperty(OIDC_HOSTNAMES);
        Preconditions.checkArgument(property != null, "gplazma.oidc.hostnames not defined");
        Map map = (Map) Arrays.stream(property.split("\\s+")).filter(not((v0) -> {
            return v0.isEmpty();
        })).collect(Collectors.groupingBy(InternetDomainName::isValid, Collectors.toSet()));
        Preconditions.checkArgument(!map.containsKey(Boolean.FALSE), String.format("Invalid hosts in %s: %s", OIDC_HOSTNAMES, Joiner.on(", ").join(nullToEmpty((Collection) map.get(Boolean.FALSE)))));
        Preconditions.checkArgument(map.containsKey(Boolean.TRUE), String.format("No hosts specified in %s", OIDC_HOSTNAMES));
        this.discoveryDocs = (Set) map.get(Boolean.TRUE);
        this.jsonHttpClient = jsonHttpClient;
        this.cache = loadingCache;
    }

    public void authenticate(Set<Object> set, Set<Object> set2, Set<Principal> set3) throws AuthenticationException {
        HashSet hashSet = new HashSet();
        boolean z = false;
        for (Object obj : set2) {
            if (obj instanceof BearerTokenCredential) {
                BearerTokenCredential bearerTokenCredential = (BearerTokenCredential) obj;
                z = true;
                for (String str : this.discoveryDocs) {
                    try {
                        set3.addAll(validateBearerTokenWithOpenIdProvider(bearerTokenCredential, extractUserInfoEndPoint((JsonNode) this.cache.get(str)), str));
                        return;
                    } catch (ExecutionException e) {
                        hashSet.add("(\"" + str + "\", " + e.getMessage() + ")");
                    } catch (OidcException e2) {
                        hashSet.add(e2.getMessage());
                    }
                }
            }
        }
        org.dcache.gplazma.util.Preconditions.checkAuthentication(z, "No bearer token in the credentials");
        if (hashSet.size() == 1) {
            throw new AuthenticationException("OpenId Validation Failed: " + hashSet.iterator().next());
        }
        String randomId = randomId();
        LOG.warn("OpenId Validation Failure ({}): {}", randomId, buildErrorMessage(hashSet));
        throw new AuthenticationException("OpenId Validation Failed check [log entry #" + randomId + "]");
    }

    private Set<Principal> validateBearerTokenWithOpenIdProvider(BearerTokenCredential bearerTokenCredential, String str, String str2) throws OidcException {
        try {
            JsonNode userInfo = getUserInfo(str, bearerTokenCredential.getToken());
            if (userInfo == null || !userInfo.has("sub")) {
                throw new OidcException(str2, "No OpendId \"sub\"");
            }
            LOG.debug("UserInfo from OpenId Provider: {}", userInfo);
            HashSet hashSet = new HashSet();
            addSub(userInfo, hashSet);
            addNames(userInfo, hashSet);
            addEmail(userInfo, hashSet);
            return hashSet;
        } catch (IllegalArgumentException e) {
            throw new OidcException(str2, "Error parsing UserInfo: " + e.getMessage());
        } catch (AuthenticationException e2) {
            throw new OidcException(str2, e2.getMessage());
        } catch (IOException e3) {
            throw new OidcException(str2, "Failed to fetch UserInfo: " + e3.getMessage());
        }
    }

    private JsonNode getUserInfo(String str, String str2) throws AuthenticationException, IOException {
        JsonNode doGetWithToken = this.jsonHttpClient.doGetWithToken(str, str2);
        if (!doGetWithToken.has("error")) {
            return doGetWithToken;
        }
        throw new AuthenticationException("Error: [" + doGetWithToken.get("error").asText() + ", " + doGetWithToken.get("error_description").asText() + " ]");
    }

    private String extractUserInfoEndPoint(JsonNode jsonNode) {
        if (jsonNode.has("userinfo_endpoint")) {
            return jsonNode.get("userinfo_endpoint").asText();
        }
        return null;
    }

    private static LoadingCache<String, JsonNode> createLoadingCache(final JsonHttpClient jsonHttpClient) {
        return CacheBuilder.newBuilder().maximumSize(100L).expireAfterAccess(1L, TimeUnit.HOURS).build(new CacheLoader<String, JsonNode>() { // from class: org.dcache.gplazma.oidc.OidcAuthPlugin.1
            public JsonNode load(String str) throws OidcException, IOException {
                JsonNode doGet = JsonHttpClient.this.doGet("https://" + str + "/.well-known/openid-configuration");
                if (doGet == null || !doGet.has("userinfo_endpoint")) {
                    throw new OidcException(str, "Discovery Document at " + doGet + " does not contain userinfo endpoint url");
                }
                return doGet;
            }
        });
    }

    private void addEmail(JsonNode jsonNode, Set<Principal> set) {
        if (jsonNode.has("email")) {
            set.add(new EmailAddressPrincipal(jsonNode.get("email").asText()));
        }
    }

    private void addNames(JsonNode jsonNode, Set<Principal> set) {
        JsonNode jsonNode2 = jsonNode.get("given_name");
        JsonNode jsonNode3 = jsonNode.get("family_name");
        JsonNode jsonNode4 = jsonNode.get("name");
        if (jsonNode4 == null || jsonNode4.asText().isEmpty()) {
            set.add(new FullNamePrincipal(jsonNode2 == null ? null : jsonNode2.asText(), jsonNode3 == null ? null : jsonNode3.asText()));
        } else {
            set.add(new FullNamePrincipal(jsonNode4.asText()));
        }
    }

    private boolean addSub(JsonNode jsonNode, Set<Principal> set) {
        return set.add(new OidcSubjectPrincipal(jsonNode.get("sub").asText()));
    }

    private static <T> Predicate<T> not(Predicate<T> predicate) {
        return predicate.negate();
    }

    private <T> Collection<T> nullToEmpty(Collection<T> collection) {
        return collection == null ? Collections.emptySet() : collection;
    }

    private String buildErrorMessage(Set<String> set) {
        return set.isEmpty() ? "(unknown)" : (String) set.stream().collect(Collectors.joining(", ", "[", "]"));
    }

    private String randomId() {
        byte[] bArr = new byte[6];
        this.random.nextBytes(bArr);
        return Base64.getEncoder().withoutPadding().encodeToString(bArr);
    }
}
