package org.vaulttec.sonarqube.auth.oidc;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jwt.JWT;
import com.nimbusds.oauth2.sdk.AuthorizationCode;
import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
import com.nimbusds.oauth2.sdk.ErrorObject;
import com.nimbusds.oauth2.sdk.GeneralException;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.ResponseType;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.TokenErrorResponse;
import com.nimbusds.oauth2.sdk.TokenRequest;
import com.nimbusds.oauth2.sdk.TokenResponse;
import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.http.HTTPResponse;
import com.nimbusds.oauth2.sdk.http.ServletUtils;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.oauth2.sdk.id.State;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.openid.connect.sdk.AuthenticationErrorResponse;
import com.nimbusds.openid.connect.sdk.AuthenticationRequest;
import com.nimbusds.openid.connect.sdk.AuthenticationResponse;
import com.nimbusds.openid.connect.sdk.AuthenticationResponseParser;
import com.nimbusds.openid.connect.sdk.AuthenticationSuccessResponse;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
import com.nimbusds.openid.connect.sdk.UserInfoRequest;
import com.nimbusds.openid.connect.sdk.UserInfoResponse;
import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
import com.nimbusds.openid.connect.sdk.claims.UserInfo;
import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import javax.servlet.http.HttpServletRequest;
import org.sonar.api.server.ServerSide;
import org.sonar.api.utils.log.Logger;
import org.sonar.api.utils.log.Loggers;

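/**
 * Relying-party side of the OpenID Connect authorization code flow for SonarQube, built on the
 * Nimbus OAuth 2.0 / OIDC SDK: builds the authentication request, extracts the authorization code
 * from the callback, exchanges it for tokens, validates the ID token and resolves the user info.
 *
 * <p>Provider endpoints are resolved through OpenID Connect discovery on the configured issuer
 * ({@link OidcConfiguration#issuerUri()}) on every call; nothing is cached here.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Authorization codes and token response bodies are deliberately kept out of the logs; a
 *       token response body carries access, ID and refresh tokens.</li>
 *   <li>No {@code nonce} is sent with the authentication request and none is expected in the ID
 *       token (optional for the code flow, OIDC Core 3.1.2.1). The CSRF {@code state} value is
 *       generated by and must be verified by the caller; this class only forwards it.</li>
 *   <li>When no ID token signature algorithm is configured the ID token is <b>not</b> validated
 *       (no signature, issuer, audience or expiry check); its claims are trusted only because
 *       they arrive over TLS directly from the provider's token endpoint (OIDC Core 3.1.3.7).
 *       Configure the algorithm whenever the provider supports it.</li>
 * </ul>
 */
@ServerSide
public class OidcClient {
    private static final Logger LOGGER = Loggers.get(OidcClient.class);
    /** Always the authorization code flow ({@code response_type=code}). */
    private static final ResponseType RESPONSE_TYPE = new ResponseType(ResponseType.Value.CODE);
    /** Hint appended to connectivity failures; outbound HTTP follows the JVM proxy settings. */
    private static final String PROXY_HINT = "check network proxy setting 'http.nonProxyHosts' in 'sonar.properties'";
    private final OidcConfiguration config;

    public OidcClient(OidcConfiguration oidcConfiguration) {
        this.config = oidcConfiguration;
    }

    /**
     * Builds the authentication request the browser is redirected to.
     *
     * @param str  redirect (callback) URI registered with the provider
     * @param str2 opaque CSRF {@code state} value generated by the caller; the provider echoes it
     *             back on the callback, where the caller is expected to verify it
     * @return authentication request aimed at the provider's discovered authorization endpoint
     * @throws IllegalStateException if {@code str} is not a valid URI or discovery fails
     */
    public AuthenticationRequest createAuthenticationRequest(String str, String str2) {
        LOGGER.trace("Creating authentication request");
        try {
            // No nonce is requested here; validateIdToken() therefore expects none either.
            AuthenticationRequest request = new AuthenticationRequest.Builder(RESPONSE_TYPE, getScope(), getClientId(), new URI(str))
                .endpointURI(getProviderMetadata().getAuthorizationEndpointURI())
                .state(State.parse(str2))
                .build();
            // The URI holds client_id, redirect_uri, scope and state - no credentials.
            LOGGER.debug("Authentication request URI: {}", request.toURI());
            return request;
        } catch (URISyntaxException e) {
            throw new IllegalStateException("Creating new authentication request failed", e);
        }
    }

    /**
     * Extracts the authorization code from the provider's callback request.
     *
     * <p>The {@code state} parameter is not verified here; that is left to the caller.
     *
     * @param httpServletRequest callback request (GET with the code in the query string)
     * @return the authorization code, never {@code null}
     * @throws IllegalStateException if the callback is an error response, cannot be parsed or
     *                               carries no authorization code
     */
    public AuthorizationCode getAuthorizationCode(HttpServletRequest httpServletRequest) {
        // The raw query string contains the code (and state) - keep it out of the logs.
        LOGGER.trace("Retrieving authorization code from callback request");
        try {
            HTTPRequest callback = ServletUtils.createHTTPRequest(httpServletRequest);
            AuthenticationResponse response = AuthenticationResponseParser.parse(callback.getURL().toURI(), callback.getQueryParameters());
            if (response instanceof AuthenticationErrorResponse) {
                // The error object is whatever arrived on the callback; it is only reported.
                throw new IllegalStateException("Authentication request failed: " + ((AuthenticationErrorResponse) response).getErrorObject().toJSONObject());
            }
            AuthorizationCode code = ((AuthenticationSuccessResponse) response).getAuthorizationCode();
            if (code == null) {
                // A success response without a code (e.g. a token-only fragment) is unusable here.
                throw new IllegalStateException("Authentication response does not contain an authorization code");
            }
            LOGGER.debug("Authorization code received from callback request");
            return code;
        } catch (ParseException | IOException | URISyntaxException e) {
            throw new IllegalStateException("Error while parsing callback request", e);
        }
    }

    /**
     * Exchanges the authorization code for tokens and resolves the user's claims.
     *
     * <p>Claims are taken from the ID token. The UserInfo endpoint is only queried when the ID
     * token lacks both {@code name} and {@code preferred_username}, or when group synchronisation
     * is enabled and the configured group claim is absent. Per OIDC Core 5.3.2 the UserInfo
     * response is only used if its {@code sub} matches the ID token's {@code sub}.
     *
     * @param authorizationCode code obtained via {@link #getAuthorizationCode(HttpServletRequest)}
     * @param str               redirect URI used in the authentication request (must match)
     * @return the resolved user info
     * @throws IllegalStateException on token or UserInfo errors, a missing or invalid ID token, or
     *                               a UserInfo subject mismatch
     */
    public UserInfo getUserInfo(AuthorizationCode authorizationCode, String str) {
        LOGGER.trace("Getting user info for authorization code");
        OIDCProviderMetadata providerMetadata = getProviderMetadata();
        OIDCTokens tokens = exchangeCode(providerMetadata, authorizationCode, str);
        JWT idToken = tokens.getIDToken();
        if (idToken == null) {
            // Guard against an NPE below; a code-flow token response must carry an ID token.
            throw new IllegalStateException("Token response does not contain an ID token");
        }
        if (isIdTokenSigned()) {
            validateIdToken(providerMetadata.getIssuer(), providerMetadata.getJWKSetURI(), idToken);
        }
        // Otherwise the ID token is used unverified - see the class-level security note.
        try {
            UserInfo userInfo = new UserInfo(idToken.getJWTClaimsSet());
            if (needsUserInfoEndpoint(userInfo)) {
                UserInfo fromEndpoint = fetchUserInfo(providerMetadata, tokens.getBearerAccessToken());
                // OIDC Core 5.3.2: a UserInfo response whose 'sub' differs from the ID token's
                // 'sub' MUST NOT be used.
                if (!userInfo.getSubject().equals(fromEndpoint.getSubject())) {
                    throw new IllegalStateException("UserInfo response subject does not match ID token subject");
                }
                userInfo = fromEndpoint;
            }
            // Personal data (name, email, groups) - DEBUG only, no credentials.
            LOGGER.debug("User info: {}", userInfo.toJSONObject());
            return userInfo;
        } catch (java.text.ParseException e) {
            throw new IllegalStateException("Parsing ID token failed", e);
        }
    }

    /** Sends the token request and unwraps the tokens, turning error responses into exceptions. */
    private OIDCTokens exchangeCode(OIDCProviderMetadata providerMetadata, AuthorizationCode authorizationCode, String redirectUri) {
        TokenResponse tokenResponse = getTokenResponse(providerMetadata.getTokenEndpointURI(), authorizationCode, redirectUri);
        if (tokenResponse instanceof TokenErrorResponse) {
            ErrorObject error = ((TokenErrorResponse) tokenResponse).getErrorObject();
            if (error == null || error.getCode() == null) {
                throw new IllegalStateException("Token request failed: No error code returned (identity provider not reachable - " + PROXY_HINT + ")");
            }
            throw new IllegalStateException("Token request failed: " + error.toJSONObject());
        }
        return ((OIDCTokenResponse) tokenResponse).getOIDCTokens();
    }

    /** True when the ID token claims lack what SonarQube needs, so the UserInfo endpoint must be asked. */
    private boolean needsUserInfoEndpoint(UserInfo idTokenClaims) {
        return (idTokenClaims.getName() == null && idTokenClaims.getPreferredUsername() == null)
            || (this.config.syncGroups() && idTokenClaims.getClaim(this.config.syncGroupsClaimName()) == null);
    }

    /** Queries the UserInfo endpoint and unwraps the result, turning error responses into exceptions. */
    private UserInfo fetchUserInfo(OIDCProviderMetadata providerMetadata, BearerAccessToken accessToken) {
        UserInfoResponse response = getUserInfoResponse(providerMetadata.getUserInfoEndpointURI(), accessToken);
        if (response instanceof UserInfoErrorResponse) {
            ErrorObject error = ((UserInfoErrorResponse) response).getErrorObject();
            if (error == null || error.getCode() == null) {
                throw new IllegalStateException("UserInfo request failed: No error code returned (identity provider not reachable - " + PROXY_HINT + ")");
            }
            throw new IllegalStateException("UserInfo request failed: " + error.toJSONObject());
        }
        return ((UserInfoSuccessResponse) response).getUserInfo();
    }

    /**
     * Performs the authorization-code-grant token request using {@code client_secret_basic}
     * (client id and secret in the HTTP Basic {@code Authorization} header).
     *
     * @param uri               token endpoint
     * @param authorizationCode code to redeem
     * @param str               redirect URI used in the authentication request
     * @return parsed token response (success or error)
     * @throws IllegalStateException if the response cannot be parsed, {@code str} is not a valid
     *                               URI, or the provider is unreachable
     */
    protected TokenResponse getTokenResponse(URI uri, AuthorizationCode authorizationCode, String str) {
        LOGGER.trace("Retrieving OIDC tokens with user info claims set from {}", uri);
        try {
            TokenRequest request = new TokenRequest(uri, new ClientSecretBasic(getClientId(), getClientSecret()), new AuthorizationCodeGrant(authorizationCode, new URI(str)));
            HTTPResponse response = request.toHTTPRequest().send();
            logResponse("Token", response);
            return OIDCTokenResponseParser.parse(response);
        } catch (ParseException | URISyntaxException e) {
            throw new IllegalStateException("Retrieving access token failed", e);
        } catch (IOException e2) {
            // Keep the cause: the original exception is the only clue to what failed on the wire.
            throw new IllegalStateException("Retrieving access token failed: Identity provider not reachable - " + PROXY_HINT, e2);
        }
    }

    /**
     * Logs the outcome of a provider HTTP call. A successful token response body carries
     * access/ID/refresh tokens, so the body is only logged for non-200 responses, where it
     * holds an error object rather than credentials.
     */
    private static void logResponse(String what, HTTPResponse response) {
        if (response.getStatusCode() == HTTPResponse.SC_OK) {
            LOGGER.debug("{} response status: {}", what, response.getStatusCode());
        } else {
            LOGGER.debug("{} response status: {}, content: {}", what, response.getStatusCode(), response.getContent());
        }
    }

    /**
     * Validates the ID token signature against the provider's JWK set with the configured
     * algorithm. Nimbus' {@code IDTokenValidator} is documented to also check issuer, audience
     * (our client id) and expiry. No nonce is expected because none was requested.
     *
     * @param issuer expected issuer from discovery
     * @param uri    JWK set URI from discovery
     * @param jwt    the ID token
     * @throws IllegalStateException if the token is invalid, the keys cannot be fetched, or the
     *                               JWK set URI is missing or malformed
     */
    protected void validateIdToken(Issuer issuer, URI uri, JWT jwt) {
        LOGGER.trace("Validating ID token with {} and key set from {}", getIdTokenSignAlgorithm(), uri);
        if (uri == null) {
            // Without a jwks_uri the signature cannot be checked; fail closed with a clear message.
            throw new IllegalStateException("Invalid JWK set URL: provider metadata does not declare 'jwks_uri'");
        }
        try {
            createValidator(issuer, uri.toURL()).validate(jwt, (Nonce) null);
        } catch (JOSEException e) {
            throw new IllegalStateException("Validating ID token failed", e);
        } catch (BadJOSEException e2) {
            throw new IllegalStateException("Invalid ID token", e2);
        } catch (MalformedURLException e3) {
            throw new IllegalStateException("Invalid JWK set URL", e3);
        }
    }

    /**
     * Creates the validator for one ID token; override point for tests. A fresh validator per
     * login presumably re-fetches the JWK set each time - consider caching if that matters.
     */
    protected IDTokenValidator createValidator(Issuer issuer, URL url) {
        return new IDTokenValidator(issuer, getClientId(), getIdTokenSignAlgorithm(), url);
    }

    /**
     * Calls the UserInfo endpoint with the bearer access token.
     *
     * @param uri               UserInfo endpoint
     * @param bearerAccessToken access token from the token response
     * @return parsed UserInfo response (success or error)
     * @throws IllegalStateException if the response cannot be parsed or the provider is unreachable
     */
    protected UserInfoResponse getUserInfoResponse(URI uri, BearerAccessToken bearerAccessToken) {
        LOGGER.trace("Retrieving user info from {}", uri);
        try {
            HTTPResponse response = new UserInfoRequest(uri, bearerAccessToken).toHTTPRequest().send();
            // Successful bodies hold personal data; they are logged by the caller at DEBUG instead.
            logResponse("UserInfo", response);
            return UserInfoResponse.parse(response);
        } catch (ParseException e) {
            throw new IllegalStateException("Retrieving user information failed", e);
        } catch (IOException e2) {
            throw new IllegalStateException("Retrieving user information failed: Identity provider not reachable - " + PROXY_HINT, e2);
        }
    }

    /**
     * Resolves the provider metadata via discovery on the configured issuer. Called on every
     * request; there is no caching in this class.
     *
     * @throws IllegalStateException if the discovery document cannot be fetched or parsed
     */
    protected OIDCProviderMetadata getProviderMetadata() {
        LOGGER.trace("Retrieving provider metadata from {}", this.config.issuerUri());
        try {
            return OIDCProviderMetadata.resolve(new Issuer(this.config.issuerUri()));
        } catch (GeneralException | IOException e) {
            throw new IllegalStateException("Retrieving OpenID Connect provider metadata failed", e);
        }
    }

    /** Configured scopes, space-separated as in the config. */
    private Scope getScope() {
        return Scope.parse(this.config.scopes());
    }

    private ClientID getClientId() {
        return new ClientID(this.config.clientId());
    }

    /**
     * Configured client secret. An unset secret becomes the empty secret, so the token request
     * still authenticates with {@code client_secret_basic} (empty password) rather than as a
     * public client.
     */
    private Secret getClientSecret() {
        String clientSecret = this.config.clientSecret();
        return clientSecret == null ? new Secret("") : new Secret(clientSecret);
    }

    /** Whether ID token validation is enabled - driven by configuration, not by the token itself. */
    private boolean isIdTokenSigned() {
        return this.config.idTokenSignAlgorithm() != null;
    }

    /**
     * Configured ID token signature algorithm, or {@code null} when validation is disabled.
     * The value {@code none} is rejected: an unsigned ID token must be expressed by leaving the
     * setting empty, never by accepting "alg: none" as a valid signature algorithm.
     */
    private JWSAlgorithm getIdTokenSignAlgorithm() {
        String idTokenSignAlgorithm = this.config.idTokenSignAlgorithm();
        if (idTokenSignAlgorithm == null) {
            return null;
        }
        if ("none".equalsIgnoreCase(idTokenSignAlgorithm.trim())) {
            throw new IllegalStateException("ID token signature algorithm 'none' is not allowed - leave the setting empty to skip signature validation");
        }
        return new JWSAlgorithm(idTokenSignAlgorithm);
    }
}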
