package info.magnolia.wechat.cms.security.auth.login;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.github.scribejava.core.model.OAuth1AccessToken;
import com.github.scribejava.core.model.OAuth2AccessToken;
import com.github.scribejava.core.model.OAuthRequest;
import com.github.scribejava.core.model.Response;
import com.github.scribejava.core.model.Verb;
import com.github.scribejava.core.oauth.OAuth10aService;
import com.github.scribejava.core.oauth.OAuth20Service;
import info.magnolia.cms.security.PermissionUtil;
import info.magnolia.cms.security.SecuritySupport;
import info.magnolia.cms.security.auth.callback.CredentialsCallbackHandler;
import info.magnolia.cms.security.auth.login.LoginHandler;
import info.magnolia.cms.security.auth.login.LoginResult;
import info.magnolia.connector.sso.SSOConnector;
import info.magnolia.connector.sso.jaas.callback.ExternalUserCallbackHandler;
import info.magnolia.connector.sso.oic.service.OICServiceRequest;
import info.magnolia.connector.sso.oic.service.OICServices;
import info.magnolia.connector.sso.oic.settings.OICSettings;
import info.magnolia.connector.sso.util.JSONUtils;
import info.magnolia.connector.sso.util.SSOUtils;
import info.magnolia.connector.sso.util.UserAccountUtils;
import java.io.IOException;
import java.util.Map;
import javax.inject.Inject;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:info/magnolia/wechat/cms/security/auth/login/WechatLoginHandler.class */
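/**
 * Magnolia {@link LoginHandler} that completes a WeChat OAuth login.
 *
 * <p>The handler only acts on the callback leg of the flow: when the request carries the
 * authorization code (under the callback parameter of the configured {@code wechatService}),
 * it exchanges the code for an access token, fetches the user information from the provider,
 * turns it into user properties and authenticates the user against the configured JAAS chain.
 * Requests without a code, logout requests and requests for which no service request can be
 * created are reported as {@link LoginResult#NOT_HANDLED}.
 *
 * <p>Access tokens, ID tokens and authorization codes are bearer credentials; this class never
 * writes their values to the log, only metadata about them.
 */
public class WechatLoginHandler implements LoginHandler {
    private static final Logger log = LoggerFactory.getLogger(WechatLoginHandler.class);
    private static final String SSO_AUTHENTICATION_REALM = "sso-authentication";
    private static final String SSO_SERVICE = "wechatService";
    /** Status value of a failed {@link LoginResult}; this handler both produces and compares it. */
    private static final int STATUS_FAILED = 2;
    /** Name of the field in the token response that identifies the WeChat user. */
    private static final String OPENID_FIELD = "openid";
    /** Shared mapper: an {@link ObjectMapper} is thread-safe once configured, so one instance suffices. */
    private static final ObjectMapper MAPPER = new ObjectMapper();

    private String jaasChain = "magnolia";
    private final SecuritySupport securitySupport;
    private final SSOConnector ssoConfig;
    private final UserAccountUtils userAccountUtils;

    /**
     * @param securitySupport  Magnolia security support used to run the JAAS login
     * @param sSOConnector     SSO connector configuration holding the authentication services
     * @param userAccountUtils helper that maps the provider's user info to Magnolia user properties
     */
    @Inject
    public WechatLoginHandler(SecuritySupport securitySupport, SSOConnector sSOConnector, UserAccountUtils userAccountUtils) {
        this.securitySupport = securitySupport;
        this.ssoConfig = sSOConnector;
        this.userAccountUtils = userAccountUtils;
    }

    /**
     * Handles the provider callback of the WeChat login.
     *
     * @param httpServletRequest  the callback request
     * @param httpServletResponse the response; receives a 403 when the user authenticated but has no suitable permissions
     * @return {@link LoginResult#NOT_HANDLED} when this request is not a WeChat callback, otherwise the outcome of the JAAS login
     */
    @Override
    public LoginResult handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        OICSettings wechatSettings = (OICSettings) this.ssoConfig.getAuthenticationServices().get(SSO_SERVICE);
        String originalRedirectURL = SSOUtils.getOriginalRedirectURL(httpServletRequest.getRequestURI(), httpServletRequest.getParameterMap());
        log.debug("Requested URL: {}", originalRedirectURL);

        OICServiceRequest serviceRequest = new OICServices(SSO_SERVICE, originalRedirectURL, wechatSettings, this.ssoConfig.getDefaultCallbackURL()).createOICServiceRequest();
        if (serviceRequest == null) {
            return LoginResult.NOT_HANDLED;
        }

        String authorizationCode = StringUtils.defaultString(httpServletRequest.getParameter(serviceRequest.getCallbackParam()));
        boolean isLogoutRequest = StringUtils.isNotBlank(httpServletRequest.getParameter("mgnlLogout"));
        if (StringUtils.isBlank(authorizationCode) || isLogoutRequest) {
            return LoginResult.NOT_HANDLED;
        }
        // NOTE(review): the OAuth "state" callback parameter is not compared against the value issued when the
        // login started anywhere in this handler; CSRF protection of the callback therefore depends on the
        // OICServices/SSOUtils layer — confirm that it verifies "state".
        String providerError = httpServletRequest.getParameter("error");
        if (providerError != null) {
            return new LoginResult(STATUS_FAILED, new LoginException(providerError));
        }
        // The code itself is a one-time credential, so only its arrival is logged.
        log.debug("Authorization code received from the identity provider.");

        String serviceName = serviceRequest.getAuthenticationServiceName();
        OICSettings serviceSettings = (OICSettings) this.ssoConfig.getAuthenticationServices().get(serviceName);
        if (serviceSettings == null) {
            return failedLogin("No SSO settings configured for authentication service '" + serviceName + "'.");
        }
        Response oicResponse = getOICResponse(serviceRequest, authorizationCode, serviceSettings);
        if (oicResponse == null || !oicResponse.isSuccessful()) {
            return failedLogin("OpenID Connect response was not successful, login not possible: " + oicResponse);
        }

        Map userProperties = this.userAccountUtils.createUserProperties(oicResponse, serviceSettings, serviceName, serviceRequest);
        // Checked before the flags are added; the properties map is written to below.
        if (userProperties == null) {
            return failedLogin("Could not get user properties from JSON response.");
        }
        applyUserManagementFlags(userProperties, serviceRequest);

        LoginResult result = authenticate(new ExternalUserCallbackHandler(userProperties, serviceName, getJaasChain()), getJaasChain());
        if (result.getStatus() == STATUS_FAILED) {
            log.error("User details are available but permissions do not seem to be suitable or not available.");
            log.error("Please make sure that the user object has groups/roles assigned to enabled access.");
            try {
                httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
            } catch (IOException e) {
                log.error("Problem while sending forbidden status.", e);
            }
        }
        return result;
    }

    /**
     * Adds the marker properties the SSO connector expects when local user management is enabled
     * and/or local SSO users must carry the SSO flag.
     *
     * @param userProperties the properties derived from the provider's user info; mutated in place
     * @param serviceRequest the service request whose user management settings decide which flags to set
     */
    @SuppressWarnings({"rawtypes", "unchecked"}) // createUserProperties returns an untyped map; the values written here are strings
    private void applyUserManagementFlags(Map userProperties, OICServiceRequest serviceRequest) {
        if (serviceRequest.getServiceSettings().getUserManagement().isCreateLocalUsers()) {
            log.debug("Local user management is enabled in SSO configuration.");
            userProperties.put(this.userAccountUtils.getUseLocalUserFlagName(), "true");
        }
        if (serviceRequest.getServiceSettings().getUserManagement().isSsoUserFlagRequired()) {
            log.debug("Local SSO users require the SSO flag in JCR for extended security.");
            userProperties.put(this.userAccountUtils.getRequireSsoUserFlag(), "true");
        }
    }

    /**
     * Exchanges the authorization code (OAuth 2.x) or verifier (OAuth 1.0a) for an access token and
     * fetches the user information with it.
     *
     * @param serviceRequest    the service request; receives the token, expiry, refresh token and OpenID token
     * @param authorizationCode the code or verifier from the callback
     * @param settings          settings of the authentication service (OpenID options)
     * @return the user-info response, or {@code null} when the token could not be obtained, strict OpenID
     *         validation failed, or the user-info request failed (all of which are logged)
     */
    private Response getOICResponse(OICServiceRequest serviceRequest, String authorizationCode, OICSettings settings) {
        if (serviceRequest.getOAuth20Service() != null) {
            return fetchUserInfoViaOAuth2(serviceRequest, authorizationCode, settings);
        }
        return fetchUserInfoViaOAuth1(serviceRequest, authorizationCode);
    }

    /** OAuth 2.x branch of {@link #getOICResponse}: token exchange, optional OpenID handling, user-info request. */
    private Response fetchUserInfoViaOAuth2(OICServiceRequest serviceRequest, String authorizationCode, OICSettings settings) {
        OAuth20Service service = serviceRequest.getOAuth20Service();
        try {
            OAuth2AccessToken accessToken = service.getAccessToken(authorizationCode);
            serviceRequest.setAccessTokenV2(accessToken);
            // The token and the raw token response are credentials; only metadata about them is logged.
            log.debug("Received an access token, expires in {} s, refresh token present: {}.",
                    accessToken.getExpiresIn(), StringUtils.isNotBlank(accessToken.getRefreshToken()));
            serviceRequest.setTokenExpirationDate(accessToken.getExpiresIn());
            if (StringUtils.isNotBlank(accessToken.getRefreshToken())) {
                serviceRequest.setRefreshToken(accessToken.getRefreshToken());
            }
            if (settings.isOpenIdEnabled()) {
                log.debug("Using OpenID Connect for SSO authentication.");
                if (JSONUtils.validOpenIdToken(settings, accessToken, serviceRequest)) {
                    log.debug("Validation of the OpenID token was successful.");
                } else {
                    log.error("The OpenID token could not be validated. Please examine the log for reasons and adjust your configuration.");
                    if (settings.isOpenIdStrictValidation()) {
                        log.error("Because SSO service is configured to use strict OpenID validation, the login process will be cancelled.");
                        return null;
                    }
                    log.info("The login process will continue because you configured your service to not use strict OpenID validation.");
                    log.info("Please make sure to have correct configuration because this option might be removed in future versions!");
                }
                String attributeName = settings.getOpenIdAccessTokenAttributeName();
                String openIdToken = JSONUtils.getOpenIdTokenValue(accessToken, attributeName);
                log.debug("Assigned the OpenID token from attribute '{}' (present: {}).", attributeName, openIdToken != null);
                serviceRequest.setTokenGetMethodName(attributeName);
                serviceRequest.setOpenIdToken(openIdToken);
            }
            return requestUserInfo(service, serviceRequest, accessToken);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            log.error("Interrupted while getting access token from OAuth 2.x service.", e);
        } catch (Exception e) {
            log.error("Could not get access token from OAuth 2.x service.", e);
        }
        return null;
    }

    /**
     * Performs the signed user-info GET request of the OAuth 2.x flow.
     *
     * @return the provider response, or {@code null} when the request failed (logged)
     */
    private Response requestUserInfo(OAuth20Service service, OICServiceRequest serviceRequest, OAuth2AccessToken accessToken) {
        String userInfoUrl = serviceRequest.getUserInfoUrl();
        log.debug("Trying to retrieve user information by using the URL: {}", userInfoUrl);
        try {
            OAuthRequest request = new OAuthRequest(Verb.GET, userInfoUrl);
            request.addParameter("access_token", accessToken.getAccessToken());
            String openId = getOpenIdFromAccessToken(accessToken);
            // Only send the openid when the token response actually carried one, instead of a null value.
            if (openId != null) {
                request.addParameter(OPENID_FIELD, openId);
            } else {
                log.warn("Token response did not contain an '{}' value; the user info request may be rejected.", OPENID_FIELD);
            }
            service.signRequest(accessToken, request);
            return service.execute(request);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            log.error("Interrupted while retrieving user information over {}.", userInfoUrl, e);
        } catch (Exception e) {
            log.error("Problem while retrieving user information over {}.", userInfoUrl, e);
        }
        return null;
    }

    /** OAuth 1.0a branch of {@link #getOICResponse}: exchanges the request token and verifier, then fetches user info. */
    private Response fetchUserInfoViaOAuth1(OICServiceRequest serviceRequest, String verifier) {
        OAuth10aService service = serviceRequest.getOAuth10aService();
        if (service == null) {
            log.error("Neither an OAuth 2.x nor an OAuth 1.x service is available for the service request.");
            return null;
        }
        try {
            OAuth1AccessToken accessToken = service.getAccessToken(serviceRequest.getRequestToken(), verifier);
            serviceRequest.setAccessTokenV1(accessToken);
            OAuthRequest request = new OAuthRequest(Verb.GET, serviceRequest.getUserInfoUrl());
            service.signRequest(accessToken, request);
            return service.execute(request);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            log.error("Interrupted while getting access token from OAuth 1.x service.", e);
        } catch (Exception e) {
            log.error("Could not get access token from OAuth 1.x service.", e);
        }
        return null;
    }

    /**
     * Reads the {@code openid} field from the raw token response.
     *
     * @param accessToken the token whose raw (JSON) response is inspected
     * @return the openid value, or {@code null} when the raw response is blank, not JSON, or has no non-null {@code openid} field
     */
    private String getOpenIdFromAccessToken(OAuth2AccessToken accessToken) {
        String rawResponse = accessToken.getRawResponse();
        if (StringUtils.isBlank(rawResponse)) {
            return null;
        }
        try {
            JsonNode openId = MAPPER.readTree(rawResponse).get(OPENID_FIELD);
            // A JSON null is treated like a missing field rather than the text "null".
            return (openId == null || openId.isNull()) ? null : openId.asText();
        } catch (JsonProcessingException e) {
            log.debug("Token response is not parseable JSON; no '{}' value available.", OPENID_FIELD, e);
            return null;
        }
    }

    /** Logs {@code message} as an error and wraps it into a failed {@link LoginResult}. */
    private LoginResult failedLogin(String message) {
        log.error(message);
        return new LoginResult(STATUS_FAILED, new LoginException(message));
    }

    /**
     * Runs the JAAS login and rejects subjects that end up without any URI permissions.
     *
     * @param credentialsCallbackHandler callback handler carrying the external user's properties
     * @param str                        name of the JAAS chain to authenticate against
     * @return the login result, or a failed result when the subject has no permission list
     */
    protected LoginResult authenticate(CredentialsCallbackHandler credentialsCallbackHandler, String str) {
        LoginResult result = this.securitySupport.authenticate(credentialsCallbackHandler, str);
        Subject subject = result.getSubject();
        if (subject != null && PermissionUtil.getAccessManager("uri", subject).getPermissionList() == null) {
            return failedLogin("The user does not have suitable permissions to access Magnolia.");
        }
        return result;
    }

    /** The configured JAAS chain, falling back to the SSO realm when none (or a blank one) is set. */
    private String getJaasChain() {
        return StringUtils.isNotBlank(this.jaasChain) ? this.jaasChain : SSO_AUTHENTICATION_REALM;
    }

    /** @param str name of the JAAS chain to use; blank values fall back to {@value #SSO_AUTHENTICATION_REALM} */
    public void setJaasChain(String str) {
        this.jaasChain = str;
    }
}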
