package io.hawt.web.auth.oidc;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWKSecurityContext;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import io.hawt.web.auth.oidc.token.KidKeySelector;
import io.hawt.web.auth.oidc.token.ValidAccessToken;
import java.io.IOException;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
import java.security.Principal;
import java.text.ParseException;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/hawtio-system-4.0.0-RC2.jar:io/hawt/web/auth/oidc/OidcLoginModule.class */
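/**
 * JAAS {@link LoginModule} that authenticates a caller by validating an OIDC access token.
 *
 * <p>The token is delivered through the {@link PasswordCallback}; the {@link NameCallback} is
 * requested for JAAS compatibility only and its value is not used. On success the module adds one
 * role principal per extracted role (built via the configured role class's {@code String}
 * constructor) and stores the raw access token as a private credential.
 *
 * <p>Thread-safety: none; a JAAS login module instance is used by a single {@code LoginContext}.
 */
public class OidcLoginModule implements LoginModule {
    public static final Logger LOG = LoggerFactory.getLogger(OidcLoginModule.class);

    /** Claims every accepted token must carry; only the subject is mandatory here. */
    private static final Set<String> REQUIRED_CLAIMS = Set.of("sub");

    private Subject subject;
    private CallbackHandler callbackHandler;
    private OidcConfiguration oidcConfiguration;
    // Token accepted by login(); null until login succeeds and again after abort()/logout().
    private ValidAccessToken parsedToken;

    /**
     * Stores the subject and callback handler and reads the OIDC configuration from the module
     * options under {@link OidcConfiguration#OIDC_JAAS_CONFIGURATION}.
     *
     * @param subject         subject to populate on {@link #commit()}
     * @param callbackHandler handler that supplies the token via a {@link PasswordCallback}
     * @param sharedState     JAAS shared state (unused)
     * @param options         JAAS module options; must carry the {@link OidcConfiguration}
     */
    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.callbackHandler = callbackHandler;
        this.oidcConfiguration = (OidcConfiguration) options.get(OidcConfiguration.OIDC_JAAS_CONFIGURATION);
    }

    /**
     * Obtains the access token from the callback handler and validates it.
     *
     * @return {@code true} when the token validates; {@code false} when it is missing, invalid,
     *         or the callback handler does not support the requested callbacks
     * @throws LoginException if the configuration is missing, the callback handler fails with an
     *         {@link IOException}, or the token cannot be parsed
     */
    @Override
    public boolean login() throws LoginException {
        if (oidcConfiguration == null) {
            // Fail explicitly instead of with a NullPointerException deep in validateToken().
            throw new LoginException("OIDC JAAS configuration (" + OidcConfiguration.OIDC_JAAS_CONFIGURATION + ") is not available");
        }
        NameCallback nameCallback = new NameCallback("username");
        PasswordCallback passwordCallback = new PasswordCallback("password", false);
        // Callback[] is the element type the handler contract expects; the password callback is
        // not a NameCallback, so a NameCallback[] would not even compile.
        Callback[] callbacks = {nameCallback, passwordCallback};
        try {
            callbackHandler.handle(callbacks);
            char[] password = passwordCallback.getPassword();
            if (password == null) {
                LOG.debug("No access token supplied via password callback");
                return false;
            }
            // The JWT parser needs a String; clearing the char[] afterwards is best-effort only.
            String rawToken = new String(password);
            passwordCallback.clearPassword();
            ValidAccessToken token = validateToken(rawToken);
            if (token == null) {
                return false;
            }
            parsedToken = token;
            return true;
        } catch (IOException e) {
            throw loginFailure(e.getMessage(), e);
        } catch (ParseException e) {
            LOG.error("JWT parse exception: {}", e.getMessage());
            throw loginFailure(e.getMessage(), e);
        } catch (UnsupportedCallbackException e) {
            LOG.error("JAAS configuration error {}", e.getMessage(), e);
            return false;
        }
    }

    /**
     * Builds a {@link LoginException} carrying {@code cause}; LoginException has no cause-taking
     * constructor, so the cause is attached via {@link Throwable#initCause(Throwable)}.
     */
    private static LoginException loginFailure(String message, Throwable cause) {
        LoginException loginException = new LoginException(message);
        loginException.initCause(cause);
        return loginException;
    }

    /**
     * Adds one role principal per extracted role and the raw access token as a private credential.
     *
     * @return {@code true} when the subject was populated; {@code false} if {@link #login()} did
     *         not succeed or the role class cannot be instantiated reflectively
     */
    @Override
    public boolean commit() {
        if (parsedToken == null) {
            return false;
        }
        Class<?> roleClass = oidcConfiguration.getRoleClass();
        try {
            // Resolve the String constructor once; every role principal is built through it.
            Constructor<?> roleConstructor = roleClass.getConstructor(String.class);
            Set<Principal> principals = subject.getPrincipals();
            for (String role : oidcConfiguration.extractRoles(parsedToken)) {
                principals.add((Principal) roleConstructor.newInstance(role));
            }
            subject.getPrivateCredentials().add(parsedToken.getAccessToken());
            return true;
        } catch (ReflectiveOperationException e) {
            // Covers NoSuchMethod/IllegalAccess/Instantiation/InvocationTarget; keep the cause in the log.
            LOG.warn("Problem instantiating role principal for class {}", roleClass, e);
            return false;
        }
    }

    /**
     * Discards the token accepted by {@link #login()} so a failed overall authentication leaves
     * no state behind.
     *
     * @return always {@code true}
     */
    @Override
    public boolean abort() {
        parsedToken = null;
        return true;
    }

    /**
     * Removes the private credentials and the role principals this module may have added.
     *
     * <p>Principals are removed from the subject's own set; removing them from a copy would leave
     * the roles in place.
     *
     * @return always {@code true}
     */
    @Override
    public boolean logout() throws LoginException {
        if (subject == null) {
            return true;
        }
        subject.getPrivateCredentials().clear();
        Class<?> roleClass = oidcConfiguration == null ? null : oidcConfiguration.getRoleClass();
        subject.getPrincipals().removeIf(principal -> {
            Class<?> principalClass = principal.getClass();
            boolean configuredRole = roleClass != null && roleClass.isAssignableFrom(principalClass);
            return configuredRole || principalClass == RolePrincipal.class;
        });
        parsedToken = null;
        return true;
    }

    /**
     * Parses and verifies a raw JWT against the configured JWK set.
     *
     * <p>The signature is checked with a key selected by {@code kid} from the (possibly refreshed)
     * public keys, and the claims verifier requires a {@code sub} claim (the default verifier also
     * rejects tokens outside their {@code exp}/{@code nbf} window, as far as this code shows).
     * NOTE(review): no issuer or audience constraint is applied here, so any token signed by a
     * configured key is accepted regardless of its intended audience — confirm this is intended.
     *
     * @param rawToken the compact-serialised JWT
     * @return the validated token, or {@code null} when parsing or verification fails (the reason
     *         is logged)
     * @throws ParseException declared for API compatibility; parse failures are caught and logged
     */
    private ValidAccessToken validateToken(String rawToken) throws ParseException {
        try {
            JWT jwt = JWTParser.parse(rawToken);
            oidcConfiguration.refreshPublicKeysIfNeeded();
            JWKSecurityContext jwkContext = oidcConfiguration.getJwkContext();
            DefaultJWTProcessor<JWKSecurityContext> processor = new DefaultJWTProcessor<>();
            processor.setJWSKeySelector(new KidKeySelector());
            processor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(null, null, REQUIRED_CLAIMS));
            // The security context is the JWK context itself; it is not a JWT and must not be cast to one.
            processor.process(jwt, jwkContext);
            return new ValidAccessToken(jwt, rawToken);
        } catch (JOSEException | BadJOSEException e) {
            LOG.error("JWT processing error: {}", e.getMessage());
            return null;
        } catch (ParseException e) {
            LOG.error("JWT parsing error", e);
            return null;
        }
    }
}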
