package org.alfresco.repo.security.authentication.identityservice;

import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.interfaces.RSAPublicKey;
import java.time.Duration;
import java.time.temporal.ChronoUnit;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.BiFunction;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.function.Supplier;
import org.alfresco.repo.forms.processor.node.FormFieldConstants;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.http.client.HttpClient;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.TrustAllStrategy;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.SSLContexts;
import org.springframework.beans.factory.FactoryBean;
import org.springframework.http.HttpStatus;
import org.springframework.http.RequestEntity;
import org.springframework.http.ResponseEntity;
import org.springframework.http.client.ClientHttpRequestFactory;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.http.converter.FormHttpMessageConverter;
import org.springframework.security.converter.RsaKeyConverters;
import org.springframework.security.oauth2.client.http.OAuth2ErrorResponseErrorHandler;
import org.springframework.security.oauth2.client.oidc.authentication.OidcIdTokenDecoderFactory;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.converter.ClaimTypeConverter;
import org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.web.client.RestOperations;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.util.UriComponentsBuilder;

/* loaded from: input_file:org/alfresco/repo/security/authentication/identityservice/IdentityServiceFacadeFactoryBean.class */
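/**
 * Spring {@link FactoryBean} that produces the {@link IdentityServiceFacade} used for
 * Identity Service (OIDC) authentication.
 * <p>
 * When {@code enabled} is {@code false} the bean yields {@code null}. Otherwise it yields a
 * {@link LazyInstantiatingIdentityServiceFacade} that postpones the network-dependent setup
 * (OIDC discovery, JWK Set retrieval) until the facade is first used, so an unreachable
 * authorization server does not stop the application context from starting.
 * <p>
 * This listing was recovered from a decompiled class; synthetic accessors and decompiler
 * artefacts ({@code r2}/{@code r3}/{@code r8} captures, {@code getClass()} null checks, the
 * renamed bridge method) have been restored to their source-level equivalents.
 */
public class IdentityServiceFacadeFactoryBean implements FactoryBean<IdentityServiceFacade> {
    private static final Log LOGGER = LogFactory.getLog(IdentityServiceFacadeFactoryBean.class);

    // Both fields are set by Spring through the setters below before getObject() is called.
    private boolean enabled;
    private SpringBasedIdentityServiceFacadeFactory factory;

    /**
     * Builds the {@link ClientRegistration} for the Identity Service from the OIDC discovery
     * document published under {@code <issuer>/.well-known/openid-configuration}.
     */
    private static class ClientRegistrationProvider {
        private static final String REGISTRATION_ID = "ids";

        private final IdentityServiceConfig config;

        private ClientRegistrationProvider(IdentityServiceConfig identityServiceConfig) {
            this.config = Objects.requireNonNull(identityServiceConfig);
        }

        /**
         * Fetches the provider metadata and turns the first usable document into a registration.
         *
         * @param restOperations client used to fetch the discovery document
         * @return the client registration
         * @throws IllegalStateException if none of the candidate metadata URIs produced a usable document
         */
        public ClientRegistration createClientRegistration(RestOperations restOperations) {
            return possibleMetadataURIs().stream()
                    .map(uri -> extractMetadata(restOperations, uri))
                    .flatMap(Optional::stream)
                    .findFirst()
                    .map(this::createBuilder)
                    .map(ClientRegistration.Builder::build)
                    .orElseThrow(() -> new IllegalStateException("Failed to create ClientRegistration."));
        }

        /**
         * Populates a registration from the discovery document plus the static configuration.
         * The registration uses the resource-owner password grant with HTTP Basic client
         * authentication, which is how the facade exchanges user credentials for tokens.
         * The issuer is taken from local configuration rather than from the fetched document, so
         * the value later enforced by {@link JwtIssuerValidator} is the one the administrator set.
         */
        private ClientRegistration.Builder createBuilder(OIDCProviderMetadata metadata) {
            // jwks_uri is optional in the discovery document. Passing null through lets
            // JwtDecoderProvider#requireValidJwkSetUri report the problem with a clear message
            // (or ignore it entirely when a realm key is configured) instead of failing here
            // with a bare NullPointerException.
            String jwkSetUri = Optional.ofNullable(metadata.getJWKSetURI())
                    .map(URI::toASCIIString)
                    .orElse(null);
            return ClientRegistration.withRegistrationId(REGISTRATION_ID)
                    .tokenUri(metadata.getTokenEndpointURI().toASCIIString())
                    .jwkSetUri(jwkSetUri)
                    .issuerUri(config.getIssuerUrl())
                    .clientId(config.getResource())
                    .clientSecret(config.getClientSecret())
                    .authorizationGrantType(AuthorizationGrantType.PASSWORD)
                    .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
        }

        /**
         * GETs the discovery document at {@code uri}.
         * Every failure mode (transport error, non-200 status, empty body, unparseable document)
         * is logged at WARN and mapped to {@link Optional#empty()} so the caller can move on to
         * the next candidate URI.
         */
        private Optional<OIDCProviderMetadata> extractMetadata(RestOperations restOperations, URI uri) {
            ResponseEntity<String> response;
            try {
                response = restOperations.exchange(RequestEntity.get(uri).build(), String.class);
            } catch (Exception e) {
                LOGGER.warn("Failed to get response from " + uri + ". " + e.getMessage(), e);
                return Optional.empty();
            }
            if (response.getStatusCode() != HttpStatus.OK || !response.hasBody()) {
                LOGGER.warn("Unexpected response from " + uri + ". Status code: " + response.getStatusCode()
                        + ", has body: " + response.hasBody() + ".");
                return Optional.empty();
            }
            try {
                return Optional.of(OIDCProviderMetadata.parse(response.getBody()));
            } catch (Exception e) {
                LOGGER.warn("Failed to parse metadata. " + e.getMessage(), e);
                return Optional.empty();
            }
        }

        /**
         * Candidate discovery-document locations, tried in order. Currently only the standard
         * well-known path beneath the configured issuer URL.
         */
        private Collection<URI> possibleMetadataURIs() {
            URI wellKnownUri = UriComponentsBuilder.fromUriString(config.getIssuerUrl())
                    .pathSegment(".well-known", "openid-configuration")
                    .build()
                    .toUri();
            return List.of(wellKnownUri);
        }
    }

    /**
     * Builds the Apache {@link HttpClient} used for every call to the authorization server,
     * applying the timeouts, pool size and TLS settings from {@link IdentityServiceConfig}.
     */
    private static class HttpClientProvider {
        private final IdentityServiceConfig config;

        private HttpClientProvider(IdentityServiceConfig identityServiceConfig) {
            this.config = Objects.requireNonNull(identityServiceConfig);
        }

        /**
         * Creates a fully configured client.
         *
         * @throws IllegalStateException if the connection or TLS configuration cannot be applied
         *         (for example an unreadable key store); the underlying cause is preserved
         */
        HttpClient createHttpClient() {
            try {
                return applySSLConfiguration(applyConnectionConfiguration(HttpClients.custom())).build();
            } catch (Exception e) {
                throw new IllegalStateException("Failed to create ClientHttpRequestFactory. " + e.getMessage(), e);
            }
        }

        /** Applies connect/socket timeouts and the maximum number of pooled connections. */
        private HttpClientBuilder applyConnectionConfiguration(HttpClientBuilder httpClientBuilder) {
            RequestConfig requestConfig = RequestConfig.custom()
                    .setConnectTimeout(config.getClientConnectionTimeout())
                    .setSocketTimeout(config.getClientSocketTimeout())
                    .build();
            return httpClientBuilder
                    .setDefaultRequestConfig(requestConfig)
                    .setMaxConnTotal(config.getConnectionPoolSize());
        }

        /**
         * Applies trust-store, client key-store and hostname-verification settings.
         * <p>
         * Security notes:
         * <ul>
         *   <li>{@code disableTrustManager=true} accepts every server certificate
         *       ({@link TrustAllStrategy}) <em>and</em> disables hostname verification, so TLS no
         *       longer authenticates the authorization server at all. Suitable only for local
         *       development; a WARN line is logged whenever it is active.</li>
         *   <li>{@code allowAnyHostname=true} keeps certificate validation but skips hostname
         *       verification, so any certificate the trust store accepts is good for any host.</li>
         *   <li>With neither flag set and no trust store configured, the JVM default trust store
         *       is used (no custom {@code SSLContext} is installed).</li>
         * </ul>
         *
         * @throws Exception if a key or trust store cannot be loaded (propagated from the SSL builders)
         */
        private HttpClientBuilder applySSLConfiguration(HttpClientBuilder httpClientBuilder) throws Exception {
            SSLContextBuilder sslContextBuilder = null;
            if (config.isDisableTrustManager()) {
                sslContextBuilder = SSLContexts.custom().loadTrustMaterial(TrustAllStrategy.INSTANCE);
            } else if (isDefined(config.getTruststore())) {
                sslContextBuilder = SSLContexts.custom().loadTrustMaterial(
                        new File(config.getTruststore()),
                        asCharArray(config.getTruststorePassword(), null));
            }

            if (isDefined(config.getClientKeystore())) {
                if (sslContextBuilder == null) {
                    sslContextBuilder = SSLContexts.custom();
                }
                // The private-key password falls back to the key-store password when not set separately.
                char[] keystorePassword = asCharArray(config.getClientKeystorePassword(), null);
                char[] keyPassword = asCharArray(config.getClientKeyPassword(), keystorePassword);
                sslContextBuilder.loadKeyMaterial(new File(config.getClientKeystore()), keystorePassword, keyPassword);
            }

            if (sslContextBuilder != null) {
                httpClientBuilder.setSSLContext(sslContextBuilder.build());
            }

            if (config.isDisableTrustManager() || config.isAllowAnyHostname()) {
                // Make the weakened TLS posture visible in the logs so it is not left enabled unnoticed.
                LOGGER.warn("TLS hostname verification for the Identity Service is disabled"
                        + (config.isDisableTrustManager() ? " and all server certificates are trusted" : "")
                        + "; this should not be used outside development environments.");
                httpClientBuilder.setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE);
            }
            return httpClientBuilder;
        }

        /**
         * Converts a password string to the char array form the SSL builders expect.
         *
         * @param value    the configured password, possibly {@code null} or blank
         * @param fallback returned when {@code value} is {@code null} or blank
         */
        private static char[] asCharArray(String value, char[] fallback) {
            return Optional.ofNullable(value)
                    .filter(Predicate.not(String::isBlank))
                    .map(String::toCharArray)
                    .orElse(fallback);
        }
    }

    /**
     * Builds the {@link JwtDecoder} that validates access tokens presented to the repository.
     * Signatures are verified against either the statically configured realm public key
     * ({@code realmKey}) or, when that is absent, the keys published at the provider's JWK Set URI.
     */
    static class JwtDecoderProvider {
        private static final SignatureAlgorithm SIGNATURE_ALGORITHM = SignatureAlgorithm.RS256;
        // Tokens must carry typ=Bearer; this rejects ID tokens and refresh tokens offered as access tokens.
        private static final String EXPECTED_TOKEN_TYPE = "Bearer";
        // No tolerance for clock drift between this node and the authorization server.
        private static final Duration CLOCK_SKEW = Duration.ZERO;
        private static final String PEM_HEADER = "-----BEGIN PUBLIC KEY-----";
        private static final String PEM_FOOTER = "-----END PUBLIC KEY-----";

        private final IdentityServiceConfig config;

        JwtDecoderProvider(IdentityServiceConfig identityServiceConfig) {
            this.config = Objects.requireNonNull(identityServiceConfig);
        }

        /**
         * Creates the decoder together with its validators and the standard OIDC claim-type converters.
         *
         * @param restOperations  client used to fetch the JWK Set when no realm key is configured
         * @param providerDetails issuer and JWK Set URI of the registered provider
         * @throws IdentityServiceFacade.IdentityServiceFacadeException if the decoder cannot be built
         *         (invalid realm key, missing JWK Set URI, ...); the cause is logged and preserved
         */
        public JwtDecoder createJwtDecoder(RestOperations restOperations, ClientRegistration.ProviderDetails providerDetails) {
            try {
                NimbusJwtDecoder decoder = buildJwtDecoder(restOperations, providerDetails);
                decoder.setJwtValidator(createJwtTokenValidator(providerDetails));
                decoder.setClaimSetConverter(new ClaimTypeConverter(OidcIdTokenDecoderFactory.createDefaultClaimTypeConverters()));
                return decoder;
            } catch (RuntimeException e) {
                LOGGER.warn("Failed to create JwtDecoder.", e);
                throw authorizationServerCantBeUsedException(e);
            }
        }

        /** Chooses the signature-verification source: pinned realm key first, JWK Set endpoint otherwise. */
        private NimbusJwtDecoder buildJwtDecoder(RestOperations restOperations, ClientRegistration.ProviderDetails providerDetails) {
            if (isDefined(config.getRealmKey())) {
                // With a pinned key only the configured RS256 key can produce acceptable signatures;
                // keys advertised by the provider's JWK Set are never consulted.
                return NimbusJwtDecoder.withPublicKey(parsePublicKey(config.getRealmKey()))
                        .signatureAlgorithm(SIGNATURE_ALGORITHM)
                        .build();
            }
            return NimbusJwtDecoder.withJwkSetUri(requireValidJwkSetUri(providerDetails))
                    .jwsAlgorithm(SIGNATURE_ALGORITHM)
                    .restOperations(restOperations)
                    .build();
        }

        /**
         * Validators applied to every decoded token in addition to signature verification:
         * {@code exp}/{@code nbf} with zero skew, {@code iss} equal to the registered issuer,
         * {@code typ} exactly {@code "Bearer"} (a missing {@code typ} fails the check) and a
         * non-null {@code sub}.
         */
        private OAuth2TokenValidator<Jwt> createJwtTokenValidator(ClientRegistration.ProviderDetails providerDetails) {
            List<OAuth2TokenValidator<Jwt>> validators = List.of(
                    new JwtTimestampValidator(CLOCK_SKEW),
                    new JwtIssuerValidator(providerDetails.getIssuerUri()),
                    new JwtClaimValidator<Object>("typ", EXPECTED_TOKEN_TYPE::equals),
                    new JwtClaimValidator<Object>("sub", Objects::nonNull));
            return new DelegatingOAuth2TokenValidator<>(validators);
        }

        /**
         * Parses the configured realm key, accepting either a complete PEM block or the bare
         * base64 body. The bare form is wrapped in PEM armour and re-parsed when the first
         * attempt fails complaining about the missing header.
         *
         * @throws RuntimeException the converter's failure when the key is invalid in both forms
         */
        private RSAPublicKey parsePublicKey(String key) {
            try {
                return tryToParsePublicKey(key);
            } catch (RuntimeException e) {
                if (isPemFormatException(e)) {
                    return tryToParsePublicKey(PEM_HEADER + "\n" + key + "\n" + PEM_FOOTER);
                }
                throw e;
            }
        }

        private RSAPublicKey tryToParsePublicKey(String pem) {
            return RsaKeyConverters.x509().convert(new ByteArrayInputStream(pem.getBytes(StandardCharsets.UTF_8)));
        }

        /**
         * Heuristic: the X.509 converter names the expected PEM header in its message when the
         * input is not PEM-armoured. This depends on the converter's message text rather than an
         * exception type, so it should be re-checked when Spring Security is upgraded.
         */
        private boolean isPemFormatException(Exception exc) {
            return exc.getMessage() != null && exc.getMessage().contains(PEM_HEADER);
        }

        /**
         * Returns the provider's JWK Set URI.
         *
         * @throws OAuth2AuthenticationException with error code {@code missing_signature_verifier}
         *         when the URI is absent, so tokens can never be accepted without a verifier
         */
        private String requireValidJwkSetUri(ClientRegistration.ProviderDetails providerDetails) {
            String jwkSetUri = providerDetails.getJwkSetUri();
            if (isDefined(jwkSetUri)) {
                return jwkSetUri;
            }
            OAuth2Error error = new OAuth2Error(
                    "missing_signature_verifier",
                    "Failed to find a Signature Verifier for: '" + providerDetails.getIssuerUri()
                            + "'. Check to ensure you have configured the JwkSet URI.",
                    null);
            throw new OAuth2AuthenticationException(error, error.toString());
        }
    }

    /**
     * {@link IdentityServiceFacade} that creates its delegate on first use and then caches it.
     * Creation failures are mapped to {@link IdentityServiceFacade.IdentityServiceFacadeException}
     * and re-attempted on the next call, so a temporarily unreachable authorization server does
     * not permanently disable authentication.
     */
    public static class LazyInstantiatingIdentityServiceFacade implements IdentityServiceFacade {
        private final AtomicReference<IdentityServiceFacade> targetFacade = new AtomicReference<>();
        private final Supplier<IdentityServiceFacade> targetFacadeCreator;

        LazyInstantiatingIdentityServiceFacade(Supplier<IdentityServiceFacade> supplier) {
            this.targetFacadeCreator = Objects.requireNonNull(supplier);
        }

        @Override // org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade
        public IdentityServiceFacade.AccessTokenAuthorization authorize(IdentityServiceFacade.AuthorizationGrant authorizationGrant)
                throws IdentityServiceFacade.AuthorizationException {
            return getTargetFacade().authorize(authorizationGrant);
        }

        @Override // org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade
        public IdentityServiceFacade.DecodedAccessToken decodeToken(String token)
                throws IdentityServiceFacade.TokenDecodingException {
            return getTargetFacade().decodeToken(token);
        }

        /** Returns the cached delegate, creating it if no thread has done so yet. */
        private IdentityServiceFacade getTargetFacade() {
            IdentityServiceFacade existing = targetFacade.get();
            if (existing != null) {
                return existing;
            }
            // updateAndGet re-reads the reference before every CAS attempt, so a delegate created
            // concurrently by another thread wins and is reused; under contention the creator may
            // run more than once, but only one result is ever published.
            return targetFacade.updateAndGet(current -> current != null ? current : createTargetFacade());
        }

        /**
         * Invokes the creator, passing facade exceptions through unchanged and wrapping any other
         * runtime failure (logged at WARN) as "authorization server can't be used".
         */
        private IdentityServiceFacade createTargetFacade() {
            try {
                return targetFacadeCreator.get();
            } catch (IdentityServiceFacade.IdentityServiceFacadeException e) {
                throw e;
            } catch (RuntimeException e) {
                LOGGER.warn("Failed to instantiate IdentityServiceFacade.", e);
                throw authorizationServerCantBeUsedException(e);
            }
        }
    }

    /**
     * Assembles a {@link SpringBasedIdentityServiceFacade} from its three collaborators:
     * the HTTP client, the client-registration provider and the JWT decoder provider.
     */
    public static class SpringBasedIdentityServiceFacadeFactory {
        private final Supplier<HttpClient> httpClientProvider;
        private final Function<RestOperations, ClientRegistration> clientRegistrationProvider;
        private final BiFunction<RestOperations, ClientRegistration.ProviderDetails, JwtDecoder> jwtDecoderProvider;

        SpringBasedIdentityServiceFacadeFactory(
                Supplier<HttpClient> supplier,
                Function<RestOperations, ClientRegistration> function,
                BiFunction<RestOperations, ClientRegistration.ProviderDetails, JwtDecoder> biFunction) {
            this.httpClientProvider = Objects.requireNonNull(supplier);
            this.clientRegistrationProvider = Objects.requireNonNull(function);
            this.jwtDecoderProvider = Objects.requireNonNull(biFunction);
        }

        /**
         * Builds the facade. This performs network I/O (OIDC discovery and, without a realm key,
         * JWK Set retrieval) and propagates any runtime failure to the caller.
         */
        public IdentityServiceFacade createIdentityServiceFacade() {
            ClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory(httpClientProvider.get());
            RestOperations restOperations = new RestTemplate(requestFactory);
            ClientRegistration registration = clientRegistrationProvider.apply(restOperations);
            JwtDecoder jwtDecoder = jwtDecoderProvider.apply(restOperations, registration.getProviderDetails());
            return new SpringBasedIdentityServiceFacade(createOAuth2RestTemplate(requestFactory), registration, jwtDecoder);
        }

        /**
         * A {@link RestTemplate} dedicated to the token endpoint: form-encoded requests,
         * OAuth2 token responses, and OAuth2 error bodies surfaced as exceptions.
         * It shares the TLS/timeout configuration of the discovery client via {@code requestFactory}.
         */
        private RestTemplate createOAuth2RestTemplate(ClientHttpRequestFactory requestFactory) {
            RestTemplate restTemplate = new RestTemplate(List.of(
                    new FormHttpMessageConverter(),
                    new OAuth2AccessTokenResponseHttpMessageConverter()));
            restTemplate.setRequestFactory(requestFactory);
            restTemplate.setErrorHandler(new OAuth2ErrorResponseErrorHandler());
            return restTemplate;
        }
    }

    /** Enables or disables production of the facade; when disabled {@link #getObject()} returns {@code null}. */
    public void setEnabled(boolean enabled) {
        this.enabled = enabled;
    }

    /**
     * Wires the collaborators from the given configuration.
     *
     * @throws NullPointerException if {@code identityServiceConfig} is {@code null}
     */
    public void setIdentityServiceConfig(IdentityServiceConfig identityServiceConfig) {
        HttpClientProvider httpClientProvider = new HttpClientProvider(identityServiceConfig);
        ClientRegistrationProvider clientRegistrationProvider = new ClientRegistrationProvider(identityServiceConfig);
        JwtDecoderProvider jwtDecoderProvider = new JwtDecoderProvider(identityServiceConfig);
        this.factory = new SpringBasedIdentityServiceFacadeFactory(
                httpClientProvider::createHttpClient,
                clientRegistrationProvider::createClientRegistration,
                jwtDecoderProvider::createJwtDecoder);
    }

    /**
     * Returns a lazily initialised facade, or {@code null} when the Identity Service is disabled.
     * No network access happens here; it is deferred until the facade is first used.
     *
     * @throws NullPointerException if {@link #setIdentityServiceConfig} was not called first
     */
    @Override
    public IdentityServiceFacade getObject() throws Exception {
        if (!enabled) {
            return null;
        }
        SpringBasedIdentityServiceFacadeFactory facadeFactory =
                Objects.requireNonNull(factory, "identityServiceConfig must be set before getObject()");
        return new LazyInstantiatingIdentityServiceFacade(facadeFactory::createIdentityServiceFacade);
    }

    @Override
    public Class<?> getObjectType() {
        return IdentityServiceFacade.class;
    }

    @Override
    public boolean isSingleton() {
        return true;
    }

    /** Wraps a setup failure in the facade's own exception type, preserving the cause. */
    public static IdentityServiceFacade.IdentityServiceFacadeException authorizationServerCantBeUsedException(RuntimeException cause) {
        return new IdentityServiceFacade.IdentityServiceFacadeException("Unable to use the Authorization Server.", cause);
    }

    /** {@code true} when {@code value} is neither {@code null} nor blank. */
    public static boolean isDefined(String value) {
        return value != null && !value.isBlank();
    }
}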
