package org.forgerock.openidconnect.ssoprovider;

import com.google.common.base.Throwables;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.iplanet.am.util.SystemProperties;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOProviderPlugin;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;
import com.sun.identity.shared.encode.CookieUtils;
import java.security.Principal;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.regex.Pattern;
import javax.annotation.Nonnull;
import javax.inject.Inject;
import javax.inject.Singleton;
import javax.servlet.http.HttpServletRequest;
import org.forgerock.json.JsonValue;
import org.forgerock.json.jose.exceptions.InvalidJwtException;
import org.forgerock.json.jose.jwt.JwtClaimsSet;
import org.forgerock.oauth2.core.OAuth2Jwt;
import org.forgerock.oauth2.core.OAuth2ProviderSettings;
import org.forgerock.oauth2.core.OAuth2ProviderSettingsFactory;
import org.forgerock.oauth2.core.exceptions.InvalidClientException;
import org.forgerock.oauth2.core.exceptions.NotFoundException;
import org.forgerock.oauth2.core.exceptions.ServerException;
import org.forgerock.openam.oauth2.CookieExtractor;
import org.forgerock.openam.utils.CollectionUtils;
import org.forgerock.openam.utils.StringUtils;
import org.forgerock.openidconnect.OpenIdConnectClientRegistrationStore;
import org.forgerock.openidconnect.OpenIdConnectTokenStore;
import org.forgerock.services.context.Context;
import org.forgerock.util.annotations.VisibleForTesting;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * {@link SSOProviderPlugin} that accepts an OpenID Connect id_token, carried in the AM session
 * cookie, as an SSO credential and resolves it to the id of an existing AM session.
 *
 * <p>Trust boundary, as visible in this class: the {@code realm} and {@code aud} claims are read
 * from the id_token <em>before</em> its signature is checked and are used only to select which
 * realm's provider settings and which client registration to consult. The session-bearing claims
 * ({@code ssoToken}, {@code org.forgerock.openidconnect.ops}) are read only after
 * {@code verifyJwtIdentity} on that client registration has accepted the token. Results are
 * memoised per raw id_token string in {@link #idTokenToSessionIdCache}, so the expiry check done
 * in {@link SessionIdCacheLoader#load} is not repeated on a cache hit; the resolved session id is
 * still handed to the {@link SSOTokenManager}, which is where session validity is enforced.
 *
 * <p>Only the {@code createSSOToken} variants that start from an id_token string or a request are
 * implemented; every other {@link SSOProviderPlugin} operation throws
 * {@link UnsupportedOperationException}.
 *
 * <p>This listing is decompiler output (JADX): parameter names such as {@code str} / {@code z}
 * are synthetic, and the {@code JADX INFO} comments record the original access modifiers.
 */
@Singleton
/* loaded from: input_file:org/forgerock/openidconnect/ssoprovider/OpenIdConnectSSOProvider.class */
public class OpenIdConnectSSOProvider implements SSOProviderPlugin {
    private static final Logger LOGGER = LoggerFactory.getLogger("OpenIdConnectSSOProvider");
    /** System property bounding the number of id_token -> session-id entries kept in the cache. */
    private static final String MAX_CACHE_SIZE_PROPERTY = "org.forgerock.openidconnect.ssoprovider.maxcachesize";
    /** Cache bound read from {@link #MAX_CACHE_SIZE_PROPERTY}; 5000 entries when the property is unset. */
    private static final long MAX_CACHE_SIZE = SystemProperties.getAsLong(MAX_CACHE_SIZE_PROPERTY, 5000);
    /**
     * Maps the raw id_token string to the AM session id it was resolved to. Populated by
     * {@link SessionIdCacheLoader}; values are held weakly, so an entry can disappear as soon as
     * nothing else holds the session-id String strongly.
     */
    private final LoadingCache<String, String> idTokenToSessionIdCache;
    private final SSOTokenManager ssoTokenManager;
    private final OpenIdConnectClientRegistrationStore clientRegistrationStore;
    private final OpenIdConnectTokenStore tokenStore;
    private final OAuth2ProviderSettingsFactory providerSettingsFactory;
    private final IdTokenParser idTokenParser;
    private final CookieExtractor cookieExtractor;
    /** Name of the cookie the id_token is read from; the AM session cookie name by default. */
    private final String cookieName;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/forgerock/openidconnect/ssoprovider/OpenIdConnectSSOProvider$IdTokenParser.class */
    /**
     * Syntactic gate in front of {@link OAuth2Jwt#create(String)}: only strings shaped like a
     * compact JWT (three or five dot-separated base64url segments) are handed to the JWT parser.
     * Was package-private before decompilation (see the JADX note above).
     */
    public static class IdTokenParser {
        /** base64url alphabet; the compiler inlined it into {@link #JWT_PATTERN} below. */
        private static final String BASE_64_URL = "[A-Za-z0-9-_]+";
        /** Two or four {@code segment.} groups followed by a final segment, i.e. 3 or 5 segments. */
        private static final Pattern JWT_PATTERN = Pattern.compile("(([A-Za-z0-9-_]+\\.){2}){1,2}[A-Za-z0-9-_]+");

        IdTokenParser() {
        }

        /**
         * Parses {@code str} into an {@link OAuth2Jwt} after checking it matches {@link #JWT_PATTERN}.
         * No signature verification is visible here; that happens in {@code SessionIdCacheLoader}.
         *
         * @param str the candidate id_token
         * @return the parsed JWT
         * @throws SSOException if {@code str} does not look like a JWT, or if the JWT library
         *     rejects it (only the message is kept; the {@link InvalidJwtException} cause is dropped)
         */
        public OAuth2Jwt parse(String str) throws SSOException {
            try {
                if (JWT_PATTERN.matcher(str).matches()) {
                    return OAuth2Jwt.create(str);
                }
                throw new SSOException("invalid id_token: not a valid JWT");
            } catch (InvalidJwtException e) {
                throw new SSOException("invalid id_token: " + e.getMessage());
            }
        }
    }

    /* loaded from: input_file:org/forgerock/openidconnect/ssoprovider/OpenIdConnectSSOProvider$SessionIdCacheLoader.class */
    /**
     * Cache-miss path of {@link #idTokenToSessionIdCache}: validates an id_token and resolves it
     * to a session id. Every failure surfaces as an {@link SSOException}, which
     * {@link #toSessionId(String)} unwraps from the cache's {@link ExecutionException}.
     */
    private final class SessionIdCacheLoader extends CacheLoader<String, String> {
        private SessionIdCacheLoader() {
        }

        /**
         * Resolves {@code str} (a raw id_token) to a session id.
         *
         * <p>Order of checks: syntactic parse, expiry, provider enabled for the token's realm,
         * signature/identity check against the client registration selected by the {@code aud}
         * and {@code realm} claims, then session lookup. Note that expiry and realm are evaluated
         * on claims that have not yet been verified at that point; a forged realm or audience can
         * only steer which settings/client are consulted, and {@code verifyJwtIdentity} must still
         * pass for that client before any session claim is trusted.
         *
         * @param str the raw id_token
         * @return the session id: the {@code ssoToken} claim when present, otherwise the first
         *     {@code ops} entry of the token-store record named by the
         *     {@code org.forgerock.openidconnect.ops} claim
         * @throws SSOException if the token is malformed, expired, for a realm where this provider
         *     is disabled, fails identity verification, or carries no resolvable session
         */
        public String load(@Nonnull String str) throws SSOException {
            OAuth2Jwt parse = OpenIdConnectSSOProvider.this.idTokenParser.parse(str);
            // Expiry is checked before the signature; both must hold for the token to be used.
            if (parse.isExpired()) {
                throw new SSOException("id_token has expired");
            }
            if (!OpenIdConnectSSOProvider.this.isEnabledFor(parse)) {
                throw new SSOException("id_token SSOProvider not enabled");
            }
            JwtClaimsSet claimsSet = parse.getSignedJwt().getClaimsSet();
            try {
                // The client is selected from the (still unverified) first audience and realm claims;
                // verifyJwtIdentity on that registration is the authoritative accept/reject.
                if (!OpenIdConnectSSOProvider.this.clientRegistrationStore.get((String) CollectionUtils.getFirstItem(claimsSet.getAudience()), claimsSet.get("realm").defaultTo("/").asString(), (Context) null).verifyJwtIdentity(parse)) {
                    throw new SSOException("invalid id_token");
                }
                // From here on the claims have passed verification.
                String str2 = (String) claimsSet.getClaim("ssoToken", String.class);
                if (str2 != null) {
                    return str2;
                }
                // Fallback: indirect link through an OPS record in the token store.
                String str3 = (String) claimsSet.getClaim("org.forgerock.openidconnect.ops", String.class);
                if (str3 == null) {
                    throw new SSOException("no session linked to id_token");
                }
                try {
                    JsonValue read = OpenIdConnectSSOProvider.this.tokenStore.read(str3);
                    if (read == null) {
                        throw new SSOException("session not found");
                    }
                    String str4 = (String) CollectionUtils.getFirstItem(read.get("ops").asCollection(String.class));
                    if (str4 == null) {
                        throw new SSOException("no session linked to id_token");
                    }
                    return str4;
                } catch (NotFoundException | ServerException e) {
                    throw new SSOException(e);
                }
            } catch (InvalidClientException | NotFoundException e2) {
                // Unknown client or realm; the original exception is kept as the cause.
                throw new SSOException(e2);
            }
        }
    }

    /**
     * Injection constructor: uses the AM session cookie name from {@link CookieUtils} and a
     * default {@link IdTokenParser}.
     */
    @Inject
    OpenIdConnectSSOProvider(SSOTokenManager sSOTokenManager, OpenIdConnectClientRegistrationStore openIdConnectClientRegistrationStore, OpenIdConnectTokenStore openIdConnectTokenStore, CookieExtractor cookieExtractor, OAuth2ProviderSettingsFactory oAuth2ProviderSettingsFactory) {
        this(sSOTokenManager, openIdConnectClientRegistrationStore, openIdConnectTokenStore, cookieExtractor, oAuth2ProviderSettingsFactory, CookieUtils.getAmCookieName(), new IdTokenParser());
    }

    /**
     * Full constructor, exposed for tests so the cookie name and parser can be substituted.
     *
     * @param str the name of the cookie holding the id_token
     * @param idTokenParser the parser applied to cookie values
     */
    @VisibleForTesting
    OpenIdConnectSSOProvider(SSOTokenManager sSOTokenManager, OpenIdConnectClientRegistrationStore openIdConnectClientRegistrationStore, OpenIdConnectTokenStore openIdConnectTokenStore, CookieExtractor cookieExtractor, OAuth2ProviderSettingsFactory oAuth2ProviderSettingsFactory, String str, IdTokenParser idTokenParser) {
        // Bounded by MAX_CACHE_SIZE; values are weak references (see the field comment).
        this.idTokenToSessionIdCache = CacheBuilder.newBuilder().weakValues().maximumSize(MAX_CACHE_SIZE).build(new SessionIdCacheLoader());
        this.ssoTokenManager = sSOTokenManager;
        this.clientRegistrationStore = openIdConnectClientRegistrationStore;
        this.tokenStore = openIdConnectTokenStore;
        this.idTokenParser = idTokenParser;
        this.cookieExtractor = cookieExtractor;
        this.cookieName = str;
        this.providerSettingsFactory = oAuth2ProviderSettingsFactory;
    }

    /**
     * Returns whether this provider should handle {@code httpServletRequest}: the request is
     * non-null and its {@link #cookieName} cookie holds a JWT for a realm with this provider enabled.
     *
     * @param httpServletRequest the incoming request, may be {@code null}
     * @return {@code true} only if {@link #isApplicable(String)} holds for the extracted cookie
     */
    public boolean isApplicable(HttpServletRequest httpServletRequest) {
        return httpServletRequest != null && isApplicable(this.cookieExtractor.extract(httpServletRequest, this.cookieName));
    }

    /**
     * Cheap applicability check: the value is non-empty, parses as a JWT, and names a realm where
     * the provider is enabled. This path performs no signature verification and never throws;
     * it decides only whether {@link #createSSOToken(String)} should be attempted.
     *
     * @param str the candidate id_token, may be {@code null} or empty
     * @return {@code true} if the token looks usable, {@code false} otherwise (including on any
     *     {@link SSOException} from parsing)
     */
    public boolean isApplicable(String str) {
        try {
            if (StringUtils.isNotEmpty(str)) {
                if (isEnabledFor(this.idTokenParser.parse(str))) {
                    return true;
                }
            }
            return false;
        } catch (SSOException e) {
            return false;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Returns whether the OIDC SSO provider is enabled in the realm named by the token's
     * {@code realm} claim (default {@code "/"}). The claim is read as-is, without verification,
     * so this only gates which realm's setting is consulted. Was private before decompilation.
     *
     * @param oAuth2Jwt the parsed token, may be {@code null}
     * @return {@code true} if settings exist for the realm and report the provider enabled;
     *     {@code false} for a null token, missing settings, or a lookup failure (logged at debug)
     */
    public boolean isEnabledFor(OAuth2Jwt oAuth2Jwt) {
        if (oAuth2Jwt == null) {
            return false;
        }
        String asString = oAuth2Jwt.getSignedJwt().getClaimsSet().get("realm").defaultTo("/").asString();
        try {
            OAuth2ProviderSettings realmProviderSettings = this.providerSettingsFactory.getRealmProviderSettings(asString);
            if (realmProviderSettings != null) {
                if (realmProviderSettings.isOpenIDConnectSSOProviderEnabled()) {
                    return true;
                }
            }
            return false;
        } catch (NotFoundException | ServerException e) {
            LOGGER.debug("OpenIdConnectSSOProvider: Error looking up OAuth2 provider settings for realm {}", asString, e);
            return false;
        }
    }

    /**
     * Creates an SSO token from the id_token carried in the request's {@link #cookieName} cookie.
     * Unlike {@link #isApplicable(HttpServletRequest)} there is no null guard on the request here;
     * a null request is presumably rejected inside the extractor — TODO confirm.
     *
     * @param httpServletRequest the incoming request
     * @return the SSO token for the linked session
     * @throws SSOException if the cookie is absent or the id_token cannot be resolved to a session
     */
    public SSOToken createSSOToken(HttpServletRequest httpServletRequest) throws SSOException {
        return createSSOToken(this.cookieExtractor.extract(httpServletRequest, this.cookieName));
    }

    /** Not supported by this provider. */
    public SSOToken createSSOToken(Principal principal, String str) throws SSOException {
        throw new UnsupportedOperationException();
    }

    /**
     * Resolves {@code str} (a raw id_token) to a session id and creates the SSO token for it.
     *
     * @param str the raw id_token
     * @return the SSO token created by the session manager for the linked session
     * @throws SSOException if {@code str} is blank or does not resolve to a session
     */
    public SSOToken createSSOToken(String str) throws SSOException {
        return this.ssoTokenManager.createSSOToken(toSessionId(str));
    }

    /**
     * Variant with the plugin's boolean flags. Only {@code z2} is consulted: when it is
     * {@code false} the session is retrieved without resetting its idle time, otherwise this
     * behaves like {@link #createSSOToken(String)}. {@code z} is ignored. NOTE(review): the
     * flags presumably correspond to the interface's "invoked by auth" / "possibly reset idle
     * time" parameters — confirm against {@link SSOProviderPlugin}.
     *
     * @param str the raw id_token
     * @param z ignored
     * @param z2 whether the session's idle time may be reset
     * @return the SSO token for the linked session
     * @throws SSOException if the id_token cannot be resolved or the session cannot be retrieved
     */
    public SSOToken createSSOToken(String str, boolean z, boolean z2) throws SSOException {
        return !z2 ? this.ssoTokenManager.retrieveValidTokenWithoutResettingIdleTime(toSessionId(str)) : createSSOToken(str);
    }

    /**
     * Resolves {@code str} to a session id and creates the SSO token with the additional
     * argument {@code str2} passed through to the session manager unchanged (presumably the
     * client address — TODO confirm against {@link SSOTokenManager}).
     *
     * @param str the raw id_token
     * @param str2 forwarded verbatim to {@code SSOTokenManager.createSSOToken(String, String)}
     * @return the SSO token for the linked session
     * @throws SSOException if the id_token cannot be resolved to a session
     */
    public SSOToken createSSOToken(String str, String str2) throws SSOException {
        return this.ssoTokenManager.createSSOToken(toSessionId(str), str2);
    }

    /** Not supported by this provider. */
    public void destroyToken(SSOToken sSOToken) throws SSOException {
        throw new UnsupportedOperationException();
    }

    /** Not supported by this provider. */
    public boolean isValidToken(SSOToken sSOToken) {
        throw new UnsupportedOperationException();
    }

    /** Not supported by this provider. */
    public boolean isValidToken(SSOToken sSOToken, boolean z) {
        throw new UnsupportedOperationException();
    }

    /** Not supported by this provider. */
    public void validateToken(SSOToken sSOToken) throws SSOException {
        throw new UnsupportedOperationException();
    }

    /** Not supported by this provider. */
    public void refreshSession(SSOToken sSOToken) throws SSOException {
        throw new UnsupportedOperationException();
    }

    /** Not supported by this provider. */
    public void refreshSession(SSOToken sSOToken, boolean z) throws SSOException {
        throw new UnsupportedOperationException();
    }

    /** Not supported by this provider. */
    public void destroyToken(SSOToken sSOToken, SSOToken sSOToken2) throws SSOException {
        throw new UnsupportedOperationException();
    }

    /** Not supported by this provider. */
    public void logout(SSOToken sSOToken) throws SSOException {
        throw new UnsupportedOperationException();
    }

    /** Not supported by this provider. */
    public Set<SSOToken> getValidSessions(SSOToken sSOToken, String str) throws SSOException {
        throw new UnsupportedOperationException();
    }

    /**
     * Resolves a raw id_token to a session id through {@link #idTokenToSessionIdCache}.
     * On a cache hit the validation in {@link SessionIdCacheLoader#load} (including the
     * expiry check) is not re-run; the returned session id is still subject to the session
     * manager's own validation by the callers.
     *
     * @param str the raw id_token, may be {@code null} or blank
     * @return the session id the token resolves to
     * @throws SSOException if {@code str} is blank, or wrapping whatever the loader threw
     */
    private String toSessionId(String str) throws SSOException {
        if (StringUtils.isBlank(str)) {
            throw new SSOException("no id_token in request");
        }
        try {
            return (String) this.idTokenToSessionIdCache.get(str);
        } catch (ExecutionException e) {
            // Rethrows the loader's cause as-is if it is an SSOException (Guava also lets
            // RuntimeException and Error through); anything else is wrapped below.
            Throwables.propagateIfPossible(e.getCause(), SSOException.class);
            throw new SSOException(e.getCause());
        }
    }
}
