package fish.payara.security.openid.domain;

import fish.payara.security.openid.OpenIdUtil;
import fish.payara.security.openid.api.AccessToken;
import fish.payara.security.openid.api.IdentityToken;
import fish.payara.security.openid.api.JwtClaims;
import fish.payara.security.openid.api.OpenIdClaims;
import fish.payara.security.openid.api.OpenIdContext;
import fish.payara.security.openid.api.RefreshToken;
import fish.payara.security.openid.controller.AuthenticationController;
import fish.payara.security.openid.controller.UserInfoController;
import jakarta.enterprise.context.SessionScoped;
import jakarta.inject.Inject;
import jakarta.json.Json;
import jakarta.json.JsonObject;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import jakarta.ws.rs.core.UriBuilder;
import java.io.IOException;
import java.util.Optional;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;

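/**
 * Session-scoped holder of the OpenID Connect state established for the
 * current HTTP session: the caller identity, the tokens received from the
 * provider, the resolved user claims, and the RP-initiated logout flow.
 *
 * <p>The bean exists for the whole session, so every getter may be called
 * before authentication has completed; token-derived getters must therefore
 * tolerate absent tokens instead of failing with a NullPointerException.
 *
 * <p>Not thread-safe: the fields are plain, mutable session state.
 */
@SessionScoped
/* loaded from: input_file:MICRO-INF/runtime/security-connector-oidc-client.jar:fish/payara/security/openid/domain/OpenIdContextImpl.class */
public class OpenIdContextImpl implements OpenIdContext {

    /** Fetches the UserInfo document from the provider when claims are not taken from the ID token. */
    @Inject
    UserInfoController userInfoController;
    private String callerName;
    private Set<String> callerGroups;
    private String tokenType;
    private AccessToken accessToken;
    private IdentityToken identityToken;
    private RefreshToken refreshToken;
    private Long expiresIn;
    // Lazily resolved by getClaimsJson() and cached for the rest of the session.
    private JsonObject claims;

    @Inject
    private OpenIdConfiguration configuration;

    @Inject
    private AuthenticationController authenticationController;
    private static final Logger LOGGER = Logger.getLogger(OpenIdContextImpl.class.getName());

    /** @return the caller name set by the authentication mechanism, or {@code null} before login. */
    @Override
    public String getCallerName() {
        return this.callerName;
    }

    public void setCallerName(String str) {
        this.callerName = str;
    }

    /** @return the caller's groups as stored; the returned set is the internal instance, not a copy. */
    @Override
    public Set<String> getCallerGroups() {
        return this.callerGroups;
    }

    public void setCallerGroups(Set<String> set) {
        this.callerGroups = set;
    }

    /**
     * Returns the {@code sub} claim of the ID token.
     *
     * @return the subject identifier, or {@code null} when no identity token
     *         has been stored on this session yet
     */
    @Override
    public String getSubject() {
        // The session-scoped bean can be consulted before authentication has
        // completed; an absent ID token is reported as "no subject", not as an NPE.
        IdentityToken token = getIdentityToken();
        return token == null ? null : (String) token.getClaim("sub");
    }

    @Override
    public String getTokenType() {
        return this.tokenType;
    }

    public void setTokenType(String str) {
        this.tokenType = str;
    }

    @Override
    public AccessToken getAccessToken() {
        return this.accessToken;
    }

    public void setAccessToken(AccessToken accessToken) {
        this.accessToken = accessToken;
    }

    @Override
    public IdentityToken getIdentityToken() {
        return this.identityToken;
    }

    public void setIdentityToken(IdentityToken identityToken) {
        this.identityToken = identityToken;
    }

    /** @return the refresh token, if the provider issued one. */
    @Override
    public Optional<RefreshToken> getRefreshToken() {
        return Optional.ofNullable(this.refreshToken);
    }

    public void setRefreshToken(RefreshToken refreshToken) {
        this.refreshToken = refreshToken;
    }

    /** @return the access token lifetime as reported by the provider, if present. */
    @Override
    public Optional<Long> getExpiresIn() {
        return Optional.ofNullable(this.expiresIn);
    }

    public void setExpiresIn(Long l) {
        this.expiresIn = l;
    }

    /**
     * Returns the user claims as a JSON object, resolving them on first use.
     *
     * <p>Resolution order: an empty object when no configuration or access
     * token is available; the ID/access token claims when the configuration
     * asks for claims from the ID token; otherwise the provider's UserInfo
     * response. The result is cached in {@link #claims}.
     *
     * @return the resolved claims, never {@code null}
     * @throws IllegalStateException if claims derived from the ID token fail
     *         the subject consistency check
     */
    @Override
    public JsonObject getClaimsJson() {
        if (this.claims == null) {
            if (this.configuration == null || this.accessToken == null) {
                // NOTE(review): this empty object is cached like any other result, so a
                // call made before the tokens are set pins empty claims for the session
                // unless a caller resets the state — confirm whether that is intended.
                this.claims = Json.createObjectBuilder().build();
            } else if (this.configuration.isUserClaimsFromIDToken()) {
                LOGGER.log(Level.FINEST, "Processing user info from ID Token");
                this.claims = processUserClaimsFromIDToken();
            } else {
                this.claims = this.userInfoController.getUserInfo(this.configuration, this.accessToken);
            }
        }
        return this.claims;
    }

    /**
     * Builds a UserInfo-shaped claims object from the ID token ({@code sub},
     * {@code name}, {@code email}) and the access token ({@code family_name},
     * {@code given_name}), defaulting missing string claims to {@code ""}.
     *
     * @return the assembled claims
     * @throws IllegalStateException if no ID token is available, or if the
     *         assembled {@code sub} does not equal {@link #getSubject()}
     */
    protected JsonObject processUserClaimsFromIDToken() {
        // getClaimsJson() only guarantees the access token is present; the ID
        // token is required too, so report its absence explicitly.
        if (this.identityToken == null) {
            throw new IllegalStateException("No ID Token available to derive user claims from");
        }
        JwtClaims idTokenClaims = this.identityToken.getJwtClaims();
        JwtClaims accessTokenClaims = this.accessToken.getJwtClaims();
        JsonObject userInfo = Json.createObjectBuilder()
                .add("sub", idTokenClaims.getStringClaim("sub").orElse(""))
                .add("name", idTokenClaims.getStringClaim("name").orElse(""))
                .add("family_name", accessTokenClaims.getStringClaim("family_name").orElse(""))
                .add("given_name", accessTokenClaims.getStringClaim("given_name").orElse(""))
                .add("email", idTokenClaims.getStringClaim("email").orElse(""))
                .build();
        // The assembled "sub" is never null (defaulted to ""), so compare from that
        // side: an ID token without a sub claim then fails the check instead of
        // throwing a NullPointerException from getSubject().equals(...).
        if (!userInfo.getString("sub").equals(getSubject())) {
            throw new IllegalStateException("UserInfo Response is invalid as sub claim must match with the sub Claim in the ID Token");
        }
        return userInfo;
    }

    /** @return a typed view over {@link #getClaimsJson()}. */
    @Override
    public OpenIdClaims getClaims() {
        return new JsonClaims(getClaimsJson());
    }

    /** @return the provider's discovery document as held by the configuration. */
    @Override
    public JsonObject getProviderMetadata() {
        return this.configuration.getProviderMetadata().getDocument();
    }

    /**
     * Logs the caller out locally and, when configured, notifies the provider
     * (OIDC RP-Initiated Logout) before redirecting.
     *
     * <p>The local session is always invalidated first. Afterwards:
     * <ul>
     *   <li>no logout configuration: redirect to the context path;</li>
     *   <li>provider notification disabled, no end-session endpoint, or no ID
     *       token: redirect to the configured redirect URI, or restart
     *       authentication when none is configured;</li>
     *   <li>otherwise: redirect to the provider's end-session endpoint with
     *       {@code id_token_hint} and, if configured, {@code post_logout_redirect_uri}.</li>
     * </ul>
     *
     * @param httpServletRequest  the current request
     * @param httpServletResponse the response used for the redirect
     * @throws IllegalStateException if sending the redirect fails
     */
    @Override
    public void logout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        LogoutConfiguration logoutConfiguration = this.configuration.getLogoutConfiguration();
        try {
            httpServletRequest.logout();
        } catch (ServletException e) {
            // Best effort: the session is invalidated below regardless.
            LOGGER.log(Level.WARNING, "Failed to logout the user.", (Throwable) e);
        }
        HttpSession session = httpServletRequest.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        if (logoutConfiguration == null) {
            LOGGER.log(Level.WARNING, "Logout invoked on session without OpenID session");
            redirect(httpServletResponse, httpServletRequest.getContextPath());
            return;
        }
        String endSessionEndpoint = this.configuration.getProviderMetadata().getEndSessionEndpoint();
        if (!logoutConfiguration.isNotifyProvider() || OpenIdUtil.isEmpty(endSessionEndpoint) || getIdentityToken() == null) {
            // The redirect target comes from the logout configuration, not from request
            // parameters. buildRedirectURI() receives the request, presumably to resolve
            // the absolute URI / proxy headers — confirm it does not read the target from it.
            if (OpenIdUtil.isEmpty(logoutConfiguration.getRedirectURI())) {
                this.authenticationController.authenticateUser(httpServletRequest, httpServletResponse);
                return;
            } else {
                redirect(httpServletResponse, logoutConfiguration.buildRedirectURI(this.configuration.getProxyConfiguration(), httpServletRequest));
                return;
            }
        }
        // The raw ID token is sent to the provider as a query parameter, as the
        // RP-Initiated Logout flow requires; it therefore appears in the redirect
        // URL and in any access logs of the end-session endpoint.
        UriBuilder endSessionUri = UriBuilder.fromUri(endSessionEndpoint).queryParam("id_token_hint", getIdentityToken().getToken());
        if (!OpenIdUtil.isEmpty(logoutConfiguration.getRedirectURI())) {
            endSessionUri.queryParam("post_logout_redirect_uri", logoutConfiguration.buildRedirectURI(this.configuration.getProxyConfiguration(), httpServletRequest));
        }
        redirect(httpServletResponse, endSessionUri.toString());
    }

    /**
     * Sends a redirect to {@code location}, converting the checked I/O failure
     * into an {@link IllegalStateException} since callers cannot recover.
     */
    private static void redirect(HttpServletResponse httpServletResponse, String location) {
        try {
            httpServletResponse.sendRedirect(location);
        } catch (IOException e) {
            throw new IllegalStateException(e);
        }
    }
}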
