package com.ocient.auth;

import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;
import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.PasswordBasedDecrypter;
import com.nimbusds.jose.crypto.PasswordBasedEncrypter;
import com.ocient.auth.OpenIDAuthenticators;
import com.ocient.jdbc.proto.ClientWireProtocol;
import com.okta.authn.sdk.AuthenticationException;
import com.okta.authn.sdk.AuthenticationStateHandlerAdapter;
import com.okta.authn.sdk.client.AuthenticationClient;
import com.okta.authn.sdk.client.AuthenticationClients;
import com.okta.authn.sdk.resource.AuthenticationResponse;
import com.okta.authn.sdk.resource.Factor;
import com.okta.authn.sdk.resource.FactorType;
import com.okta.sdk.impl.oauth2.OAuth2AccessToken;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import java.io.IOException;
import java.io.InputStream;
import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyManagementException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.TimeoutException;
import java.util.logging.Logger;
import java.util.stream.Collectors;
import javax.crypto.BadPaddingException;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import org.apache.commons.io.IOUtils;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.message.BasicNameValuePair;
import org.apache.http.util.EntityUtils;
import org.jetbrains.annotations.NotNull;

/* loaded from: input_file:com/ocient/auth/OktaAuthenticators.class */
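/**
 * Okta-specific authentication helpers layered on top of {@link OpenIDAuthenticators}.
 *
 * <p>Three flows are covered:
 * <ul>
 *   <li>{@link OktaAuthenticationClient}: primary (password + Okta Verify push) authentication
 *       producing an Okta session token, and exchange of that session token for an authorization code;</li>
 *   <li>{@link OktaNativeSSOClient}: Okta Native SSO ("device_sso" scope) grants and the
 *       token-exchange / revocation calls that use the resulting device secret;</li>
 *   <li>{@link OktaNativeSSOToken}: the device-secret bearing token, including its password-encrypted
 *       JWE serialization.</li>
 * </ul>
 */
public class OktaAuthenticators {
    private static final Logger LOGGER = Logger.getLogger("com.ocient.jdbc");

    /** Host suffix that identifies an Okta issuer and marks the end of the org URL inside it. */
    private static final String OKTA_DOMAIN = "okta.com";

    /**
     * Primary authentication against the Okta Authentication API (username/password followed by an
     * Okta Verify push challenge), yielding an Okta session token.
     */
    public static class OktaAuthenticationClient {

        /** Upper bound on the poll round index before the push challenge is reported as timed out. */
        private static final int MFA_MAX_POLL_ATTEMPTS = 10;

        /** Pause between successive polls of the push factor. */
        private static final long MFA_POLL_INTERVAL_MILLIS = 6000L;

        /** Outcome of one authentication run: exactly one of the two fields is expected to be set. */
        private static final class AuthResult {
            String sessionToken;
            AuthException ex;
        }

        /**
         * Derives the Okta org URL from an issuer URL.
         *
         * <p>An issuer such as {@code https://example.okta.com/oauth2/default} is cut down to
         * {@code https://example.okta.com}; an issuer that already ends with {@code okta.com} is returned unchanged.
         *
         * @param issuer the authenticator's issuer URL
         * @return the org URL to hand to the Okta authentication client
         * @throws AuthException if the issuer does not contain {@code okta.com} at all (the previous
         *         {@code indexOf}-based truncation silently produced a garbage prefix in that case)
         */
        private static String oktaOrgUrl(String issuer) throws AuthException {
            if (issuer.endsWith(OKTA_DOMAIN)) {
                return issuer;
            }
            int end = issuer.indexOf(OKTA_DOMAIN);
            if (end < 0) {
                throw new AuthException("Okta authenticator required: issuer does not contain " + OKTA_DOMAIN);
            }
            return issuer.substring(0, end + OKTA_DOMAIN.length());
        }

        /**
         * Authenticates a user with username/password and, when required, an Okta Verify push factor,
         * returning the resulting Okta session token.
         *
         * <p>Only the PUSH factor type is supported for the MFA step; the push is polled up to
         * {@link #MFA_MAX_POLL_ATTEMPTS} times with {@link #MFA_POLL_INTERVAL_MILLIS} between polls.
         * Progress messages are written to {@code System.out}.
         *
         * @param openIDAuthenticator authenticator configuration; its issuer must be an Okta issuer
         * @param str                 username
         * @param cArr                password
         * @return the Okta session token
         * @throws AuthenticationException propagated from the Okta SDK for the primary authentication call
         * @throws AuthException           if the issuer is not an Okta issuer, the user must enroll factors,
         *                                 an unsupported factor is offered, the push is not approved in time,
         *                                 the wait is interrupted, or Okta reports any other non-success state
         */
        public static String createSessionToken(ClientWireProtocol.OpenIDAuthenticator openIDAuthenticator, String str, char[] cArr) throws AuthenticationException, AuthException {
            final String orgUrl = oktaOrgUrl(openIDAuthenticator.getIssuer());
            final AuthenticationClient client = AuthenticationClients.builder().setOrgUrl(orgUrl).build();
            final AuthResult result = new AuthResult();
            client.authenticate(str, cArr, null, new AuthenticationStateHandlerAdapter() {
                private int mfaChallengeAttempts = 0;

                @Override
                public void handleUnauthenticated(AuthenticationResponse authenticationResponse) {
                    handleUnknown(authenticationResponse);
                }

                @Override
                public void handleSuccess(AuthenticationResponse authenticationResponse) {
                    LOGGER.info("Okta Verify success!");
                    result.sessionToken = authenticationResponse.getSessionToken();
                }

                @Override
                public void handleUnknown(@NotNull AuthenticationResponse authenticationResponse) {
                    result.ex = new AuthException(String.format("Got %s status", authenticationResponse.getStatusString()));
                }

                @Override
                public void handleMfaRequired(AuthenticationResponse authenticationResponse) {
                    handleMfaChallenge(authenticationResponse);
                }

                @Override
                public void handleMfaEnroll(AuthenticationResponse authenticationResponse) {
                    result.ex = new AuthException("User must enroll in additional factors");
                }

                /**
                 * Issues (on the first call) and then polls the push factor. Each {@code verifyFactor} call
                 * re-enters this handler with the next response, so polling is a bounded recursion.
                 */
                @Override
                public void handleMfaChallenge(AuthenticationResponse authenticationResponse) {
                    Optional<Factor> pushFactor = authenticationResponse.getFactors().stream()
                            .filter(factor -> factor.getType() == FactorType.PUSH)
                            .findFirst();
                    if (!pushFactor.isPresent()) {
                        result.ex = new AuthException("Only Okta Verify Push factor is supported for 'okta_session_token' exchange");
                        return;
                    }
                    if (this.mfaChallengeAttempts == 0) {
                        System.out.println("Sending Okta Verify push notification...");
                    }
                    System.out.println("Polling for push approve...");
                    int attempt = this.mfaChallengeAttempts++;
                    if (attempt > MFA_MAX_POLL_ATTEMPTS) {
                        result.ex = new AuthException("Timed out waiting for MFA factor verification");
                        return;
                    }
                    try {
                        Thread.sleep(MFA_POLL_INTERVAL_MILLIS);
                    } catch (InterruptedException e) {
                        // Restore the interrupt flag (the previous code cleared it) and stop polling.
                        Thread.currentThread().interrupt();
                        result.ex = new AuthException("Interrupted while waiting for MFA factor verification", e);
                        return;
                    }
                    try {
                        client.verifyFactor(pushFactor.get().getId(), authenticationResponse.getStateToken(), this);
                    } catch (AuthenticationException e) {
                        result.ex = new AuthException("MFA failed. Try again.", e);
                    }
                }
            });
            if (result.sessionToken != null) {
                return result.sessionToken;
            }
            if (result.ex != null) {
                throw result.ex;
            }
            throw new AuthException("MFA failed. Try again.");
        }

        /**
         * Starts an authorization-code-with-PKCE grant that carries the Okta session token as the
         * {@code sessionToken} query parameter, and immediately drives the authorization URL with a GET so
         * that Okta redirects back to the grant's callback without user interaction.
         *
         * @param authorizationCodeWithPKCEClient grant factory
         * @param openIDAuthenticator             authenticator configuration
         * @param str                             Okta session token obtained from {@link #createSessionToken}
         * @return the pending grant; the token is obtained through it as usual
         * @throws InterruptedException if the short post-redirect pause is interrupted
         */
        @SuppressFBWarnings(value = {"HTTP_PARAMETER_POLLUTION"}, justification = "sessionToken is provided by Okta")
        public static OpenIDAuthenticators.AuthorizationCodeWithPKCEClient.AuthorizationCodeGrant<OpenIDAuthenticators.OAuthToken> exchangeSessionToken(OpenIDAuthenticators.AuthorizationCodeWithPKCEClient authorizationCodeWithPKCEClient, ClientWireProtocol.OpenIDAuthenticator openIDAuthenticator, String str) throws KeyManagementException, UnsupportedEncodingException, MalformedURLException, NoSuchAlgorithmException, KeyStoreException, IOException, InterruptedException {
            Map<String, String> extraParams = new HashMap<>();
            extraParams.put("sessionToken", str);
            OpenIDAuthenticators.AuthorizationCodeWithPKCEClient.AuthorizationCodeGrant<OpenIDAuthenticators.OAuthToken> grant =
                    authorizationCodeWithPKCEClient.create(openIDAuthenticator, extraParams);
            // try-with-resources closes the response even when the sleep below is interrupted;
            // the previous code leaked the response on that path.
            try (CloseableHttpClient httpClient = OpenIDAuthenticators.createHTTPClient(grant.getURL());
                 CloseableHttpResponse response = httpClient.execute(new HttpGet(grant.getURL()))) {
                // NOTE(review): the original paused one second after the redirect before returning;
                // kept as-is, presumably to let the callback side settle — confirm whether it is still needed.
                Thread.sleep(1000L);
            }
            return grant;
        }
    }

    /**
     * Okta Native SSO: obtains a token carrying a device secret (via the {@code device_sso} scope) and
     * exchanges it for regular OAuth tokens, or revokes it.
     */
    public static class OktaNativeSSOClient {

        /** Scope that makes Okta return a {@code device_secret} alongside the usual tokens. */
        private static final String DEVICE_SSO_SCOPE = "device_sso";

        /**
         * Creates an authorization-code-with-PKCE grant whose resulting token is wrapped as an
         * {@link OktaNativeSSOToken}.
         *
         * @throws AuthException if the authenticator is not an Okta authenticator
         */
        public static OpenIDAuthenticators.AuthorizationCodeWithPKCEClient.AuthorizationCodeGrant<OktaNativeSSOToken> createAuthorizationCodeGrant(OpenIDAuthenticators.AuthorizationCodeWithPKCEClient authorizationCodeWithPKCEClient, ClientWireProtocol.OpenIDAuthenticator openIDAuthenticator) throws AuthException, KeyManagementException, UnsupportedEncodingException, MalformedURLException, NoSuchAlgorithmException, KeyStoreException, IOException {
            ClientWireProtocol.OpenIDAuthenticator withDeviceScope = addDeviceScope(openIDAuthenticator);
            OpenIDAuthenticators.AuthorizationCodeWithPKCEClient.AuthorizationCodeGrant<OpenIDAuthenticators.OAuthToken> grant =
                    authorizationCodeWithPKCEClient.create(withDeviceScope);
            return new OpenIDAuthenticators.AuthorizationCodeWithPKCEClient.AuthorizationCodeGrant<>(
                    grant.getURL(),
                    grant.getToken().thenApply(oAuthToken -> new OktaNativeSSOToken(withDeviceScope, oAuthToken.getTokenResponse())));
        }

        /**
         * Creates a device-authorization grant whose resulting token is wrapped as an {@link OktaNativeSSOToken}.
         *
         * @throws AuthException if the authenticator is not an Okta authenticator
         */
        public static OpenIDAuthenticators.DeviceAuthorizationGrant<OktaNativeSSOToken> createDeviceAuthorizationGrant(ClientWireProtocol.OpenIDAuthenticator openIDAuthenticator) throws AuthException, KeyManagementException, MalformedURLException, NoSuchAlgorithmException, KeyStoreException, IOException, TimeoutException {
            ClientWireProtocol.OpenIDAuthenticator withDeviceScope = addDeviceScope(openIDAuthenticator);
            OpenIDAuthenticators.DeviceAuthorizationGrant<OpenIDAuthenticators.OAuthToken> grant =
                    OpenIDAuthenticators.DeviceAuthorizationGrantClient.create(withDeviceScope);
            return new OpenIDAuthenticators.DeviceAuthorizationGrant<>(
                    grant.getVerificationURIComplete(),
                    grant.getVerificationURI(),
                    grant.getUserCode(),
                    timeout -> new OktaNativeSSOToken(withDeviceScope, ((OpenIDAuthenticators.OAuthToken) grant.getToken(timeout)).getTokenResponse()));
        }

        /**
         * Returns a copy of the authenticator with the {@code device_sso} scope appended.
         *
         * @throws AuthException if the issuer does not look like an Okta issuer (case-insensitive check)
         */
        private static ClientWireProtocol.OpenIDAuthenticator addDeviceScope(ClientWireProtocol.OpenIDAuthenticator openIDAuthenticator) throws AuthException {
            if (!openIDAuthenticator.getIssuer().toLowerCase().contains(OKTA_DOMAIN)) {
                throw new AuthException("Okta authenticator required ");
            }
            return ClientWireProtocol.OpenIDAuthenticator.newBuilder(openIDAuthenticator).addScope(DEVICE_SSO_SCOPE).build();
        }

        /** Builds a form POST with the JSON/form headers both Okta endpoints used here expect. */
        private static HttpPost formPost(String url, List<BasicNameValuePair> form) {
            HttpPost request = new HttpPost(url);
            request.addHeader("Accept", "application/json");
            request.addHeader("Content-Type", "application/x-www-form-urlencoded");
            request.setEntity(new UrlEncodedFormEntity(form, StandardCharsets.UTF_8));
            return request;
        }

        /**
         * Exchanges the device secret and ID token held by an {@link OktaNativeSSOToken} for a fresh
         * access/ID token pair using the OAuth token-exchange grant.
         *
         * @param oktaNativeSSOToken token obtained from one of the grant factories in this class
         * @return the new token
         * @throws IOException on transport failure, or when Okta answers without an access token
         *                     (the message is {@code <error>: <error_description>})
         */
        public static OpenIDAuthenticators.OAuthToken exchangeForOAuthToken(OktaNativeSSOToken oktaNativeSSOToken) throws KeyManagementException, MalformedURLException, NoSuchAlgorithmException, KeyStoreException, IOException {
            ClientWireProtocol.OpenIDAuthenticator authenticator = oktaNativeSSOToken.getAuthenticator();
            String tokenEndpoint = OpenIDAuthenticators.getDiscoveryDocument(authenticator.getIssuer()).get("token_endpoint").getAsString();
            // device_sso is only meaningful for the initial grant; it is stripped from the exchanged scope set.
            String scope = authenticator.getScopeList().stream()
                    .filter(s -> !s.equalsIgnoreCase(DEVICE_SSO_SCOPE))
                    .collect(Collectors.joining(" "));
            List<BasicNameValuePair> form = new ArrayList<>();
            form.add(new BasicNameValuePair("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange"));
            form.add(new BasicNameValuePair("client_id", authenticator.getClientId()));
            form.add(new BasicNameValuePair("actor_token", oktaNativeSSOToken.getTokenResponse().get("device_secret").getAsString()));
            form.add(new BasicNameValuePair("actor_token_type", "urn:x-oath:params:oauth:token-type:device-secret"));
            form.add(new BasicNameValuePair("subject_token", oktaNativeSSOToken.getTokenResponse().get("id_token").getAsString()));
            form.add(new BasicNameValuePair("subject_token_type", "urn:ietf:params:oauth:token-type:id_token"));
            form.add(new BasicNameValuePair("audience", "api://default"));
            form.add(new BasicNameValuePair("scope", scope));
            JsonObject body;
            // Both the client and the response are closed; the previous code leaked both.
            try (CloseableHttpClient httpClient = HttpClients.createDefault();
                 CloseableHttpResponse response = httpClient.execute(formPost(tokenEndpoint, form))) {
                body = JsonParser.parseString(EntityUtils.toString(response.getEntity(), StandardCharsets.UTF_8)).getAsJsonObject();
            }
            if (body.has(OAuth2AccessToken.ACCESS_TOKEN_KEY)) {
                return new OpenIDAuthenticators.OAuthToken(body);
            }
            String error = body.has(OAuth2AccessToken.ERROR_KEY)
                    ? body.get(OAuth2AccessToken.ERROR_KEY).getAsString()
                    : "general_error";
            String description = body.has(OAuth2AccessToken.ERROR_DESCRIPTION)
                    ? body.get(OAuth2AccessToken.ERROR_DESCRIPTION).getAsString()
                    : "Something went wrong.";
            throw new IOException(String.format("%s: %s", error, description));
        }

        /**
         * Revokes the device secret held by an {@link OktaNativeSSOToken} at the issuer's revocation endpoint.
         * The response body is not inspected.
         */
        public static void revoke(OktaNativeSSOToken oktaNativeSSOToken) throws KeyManagementException, MalformedURLException, NoSuchAlgorithmException, KeyStoreException, IOException {
            ClientWireProtocol.OpenIDAuthenticator authenticator = oktaNativeSSOToken.getAuthenticator();
            String revocationEndpoint = OpenIDAuthenticators.getDiscoveryDocument(authenticator.getIssuer()).get("revocation_endpoint").getAsString();
            List<BasicNameValuePair> form = new ArrayList<>();
            form.add(new BasicNameValuePair("client_id", authenticator.getClientId()));
            form.add(new BasicNameValuePair("token", oktaNativeSSOToken.getTokenResponse().get("device_secret").getAsString()));
            try (CloseableHttpClient httpClient = HttpClients.createDefault();
                 CloseableHttpResponse response = httpClient.execute(formPost(revocationEndpoint, form))) {
                // NOTE(review): the status code is not checked, so a failed revocation is silent — confirm whether
                // callers should be told.
            }
        }
    }

    /**
     * Token returned by the Okta Native SSO grants. It carries a {@code device_secret} and must be
     * exchanged (see {@link OktaNativeSSOClient#exchangeForOAuthToken}) before it can be used as a bearer
     * token; the inherited accessors therefore refuse to return it.
     *
     * <p>The token can be serialized as a password-encrypted JWE ({@link #encrypt}/{@link #decrypt}).
     */
    public static class OktaNativeSSOToken extends OpenIDAuthenticators.OAuthToken {
        /** PBKDF2 iteration count for the JWE password-based key wrap. */
        private static final int ITERATION_COUNT = 65536;
        /** Salt length in bytes for the JWE password-based key wrap. */
        private static final int SALT_LENGTH = 16;
        /** Key-wrap and content-encryption algorithms produced by {@link #encrypt} and required by {@link #decrypt}. */
        private static final JWEAlgorithm JWE_ALG = JWEAlgorithm.PBES2_HS512_A256KW;
        private static final EncryptionMethod JWE_ENC = EncryptionMethod.A256GCM;
        /** Keys of the JSON envelope carried in the JWE payload. */
        private static final String AUTHENTICATOR_KEY = "authenticator";
        private static final String TOKEN_RESPONSE_KEY = "token_response";

        private final ClientWireProtocol.OpenIDAuthenticator authenticator;

        /**
         * @param openIDAuthenticator authenticator (with {@code device_sso} scope) that produced the token
         * @param jsonObject          raw token response from Okta
         */
        public OktaNativeSSOToken(ClientWireProtocol.OpenIDAuthenticator openIDAuthenticator, JsonObject jsonObject) {
            super(jsonObject);
            this.authenticator = openIDAuthenticator;
        }

        /** @throws UnsupportedOperationException always; exchange the token first */
        @Override
        public String getTokenHint() {
            throw new UnsupportedOperationException("OktaNativeSSOToken must be exchanged for new tokens");
        }

        /** @throws UnsupportedOperationException always; exchange the token first */
        @Override
        public String getToken() {
            throw new UnsupportedOperationException("OktaNativeSSOToken must be exchanged for new tokens");
        }

        /**
         * Serializes this token (token response plus the protobuf-encoded authenticator) as a compact JWE
         * encrypted under the given password.
         *
         * @param bArr password bytes for the PBES2 key wrap
         * @return the compact JWE serialization, UTF-8 encoded
         * @throws JOSEException if encryption fails
         */
        public byte[] encrypt(byte[] bArr) throws InvalidKeyException, NoSuchAlgorithmException, NoSuchPaddingException, IllegalBlockSizeException, BadPaddingException, IOException, InvalidKeySpecException, InvalidAlgorithmParameterException, JOSEException {
            JsonObject envelope = new JsonObject();
            envelope.add(TOKEN_RESPONSE_KEY, getTokenResponse());
            envelope.addProperty(AUTHENTICATOR_KEY, Base64.getUrlEncoder().encodeToString(this.authenticator.toByteArray()));
            // The cast pins the JsonElement overload of Gson#toJson, as the original code did.
            byte[] plaintext = OpenIDAuthenticators.GSON.toJson((JsonElement) envelope).getBytes(StandardCharsets.UTF_8);
            JWEObject jwe = new JWEObject(new JWEHeader(JWE_ALG, JWE_ENC), new Payload(plaintext));
            // NOTE(review): ITERATION_COUNT was previously inlined as 65536; check it against current PBKDF2 guidance.
            jwe.encrypt(new PasswordBasedEncrypter(bArr, SALT_LENGTH, ITERATION_COUNT));
            return jwe.serialize().getBytes(StandardCharsets.UTF_8);
        }

        /**
         * Parses and decrypts a JWE produced by {@link #encrypt}.
         *
         * <p>The JWE header must name exactly the algorithms {@link #encrypt} uses; anything else is rejected
         * before decryption. The PBES2 iteration count ({@code p2c}) is read from that unauthenticated header
         * by the decrypter, so the library's upper bound on it is what limits the work an oversized value can
         * cause — keep the JOSE dependency at a version that enforces one.
         *
         * @param bArr        password bytes
         * @param inputStream the compact JWE; read to the end but not closed
         * @return the restored token
         * @throws AuthException  if the header names unexpected algorithms or the decrypted envelope is incomplete
         * @throws ParseException if the input is not a JWE
         * @throws JOSEException  if decryption fails (wrong password or tampered ciphertext)
         */
        public static OktaNativeSSOToken decrypt(byte[] bArr, InputStream inputStream) throws InvalidKeyException, NoSuchAlgorithmException, NoSuchPaddingException, IllegalBlockSizeException, BadPaddingException, IOException, AuthException, ParseException, JOSEException {
            JWEObject jwe = JWEObject.parse(new String(IOUtils.toByteArray(inputStream), StandardCharsets.UTF_8));
            JWEHeader header = jwe.getHeader();
            if (!JWE_ALG.equals(header.getAlgorithm()) || !JWE_ENC.equals(header.getEncryptionMethod())) {
                throw new AuthException("The supplied token uses an unexpected encryption algorithm");
            }
            jwe.decrypt(new PasswordBasedDecrypter(bArr));
            JsonObject envelope = JsonParser.parseString(jwe.getPayload().toString()).getAsJsonObject();
            if (!envelope.has(AUTHENTICATOR_KEY)) {
                throw new AuthException("The supplied token is corrupted! [1]");
            }
            if (!envelope.has(TOKEN_RESPONSE_KEY)) {
                throw new AuthException("The supplied token is corrupted! [1]");
            }
            // The value is base64url (ASCII), so it is decoded directly; the previous UTF-8/ISO-8859-1
            // re-encoding round trip was a no-op for valid input.
            byte[] authenticatorBytes = Base64.getUrlDecoder().decode(envelope.get(AUTHENTICATOR_KEY).getAsString());
            return new OktaNativeSSOToken(
                    ClientWireProtocol.OpenIDAuthenticator.parseFrom(authenticatorBytes),
                    envelope.get(TOKEN_RESPONSE_KEY).getAsJsonObject());
        }

        /** @return the authenticator configuration this token was issued against */
        ClientWireProtocol.OpenIDAuthenticator getAuthenticator() {
            return this.authenticator;
        }
    }
}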
