package org.apache.cxf.rs.security.oidc.rp;

import jakarta.annotation.Priority;
import jakarta.ws.rs.container.ContainerRequestContext;
import jakarta.ws.rs.container.ContainerRequestFilter;
import jakarta.ws.rs.container.PreMatching;
import jakarta.ws.rs.core.Context;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.MultivaluedMap;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.UriBuilder;
import java.io.ByteArrayInputStream;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.jaxrs.ext.MessageContext;
import org.apache.cxf.jaxrs.ext.MessageContextImpl;
import org.apache.cxf.jaxrs.impl.MetadataMap;
import org.apache.cxf.jaxrs.utils.FormUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.rs.security.jose.jwt.JwtException;
import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
import org.apache.cxf.rs.security.oauth2.client.ClientTokenContext;
import org.apache.cxf.rs.security.oauth2.client.ClientTokenContextManager;
import org.apache.cxf.rs.security.oidc.common.IdToken;

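/**
 * Pre-matching JAX-RS filter that protects a relying-party application with
 * OpenID Connect.
 *
 * <p>A request that already has a stored client token context with an unexpired
 * ID token is let through with an {@link OidcSecurityContext} attached to it.
 * Any other request is aborted: it is redirected (303) to the configured
 * {@link #setRedirectUri(String) redirect URI}, or rejected with 401 when no
 * redirect URI has been configured.
 */
@PreMatching
@Priority(1002)
public class OidcRpAuthenticationFilter implements ContainerRequestFilter {

    /** Query parameter carrying the original request URI on the redirect. */
    private static final String STATE_PARAM = "state";

    /** Per-request context; used to look up the stored token context and the HTTP base path. */
    @Context
    private MessageContext mc;
    /** Holds the client token context established by an earlier OIDC login. */
    private ClientTokenContextManager stateManager;
    /** Target for unauthenticated requests: absolute, base-path relative ("/...") or request-relative. */
    private String redirectUri;
    /** Name of the claim carrying the user's roles; handed to {@link OidcSecurityContext}. */
    private String roleClaim;
    /** When true, the original request URI is attached to the redirect as the "state" query parameter. */
    private boolean addRequestUriAsRedirectQuery;

    /**
     * Authenticates the request or aborts it.
     *
     * @param containerRequestContext the request being filtered; aborted with a
     *     401 or a 303 redirect when no valid token context is present
     */
    @Override
    public void filter(ContainerRequestContext containerRequestContext) {
        if (checkSecurityContext(containerRequestContext)) {
            return;
        }
        if (this.redirectUri == null) {
            // No login endpoint to send the user to: fail closed.
            containerRequestContext.abortWith(Response.status(401).build());
            return;
        }
        UriBuilder target = toRedirectUriBuilder(containerRequestContext);
        if (this.addRequestUriAsRedirectQuery) {
            // The full request URI, query string included, is handed to the login
            // endpoint so the user can be returned to it afterwards.
            // NOTE(review): anything sensitive in the protected request's query
            // string therefore reaches the redirect target as well.
            target.queryParam(STATE_PARAM, containerRequestContext.getUriInfo().getRequestUri().toString());
        }
        // Redirect responses must not be cached by the browser or intermediaries.
        containerRequestContext.abortWith(Response.seeOther(target.build())
            .header("Cache-Control", "no-cache, no-store")
            .header("Pragma", "no-cache")
            .build());
    }

    /** Resolves the configured redirect URI against the current request. */
    private UriBuilder toRedirectUriBuilder(ContainerRequestContext containerRequestContext) {
        if (this.redirectUri.startsWith("/")) {
            // Relative to the HTTP base path of the application, not to the JAX-RS base URI.
            return UriBuilder.fromUri((String) this.mc.get("http.base.path")).path(this.redirectUri);
        }
        if (this.redirectUri.startsWith("http")) {
            // Absolute URI; a prefix test, so "http://" and "https://" both qualify.
            return UriBuilder.fromUri(URI.create(this.redirectUri));
        }
        return containerRequestContext.getUriInfo().getBaseUriBuilder().path(this.redirectUri);
    }

    /**
     * Establishes the security context from a previously stored client token context.
     *
     * @param containerRequestContext the current request; receives an
     *     {@link OidcSecurityContext} when authentication succeeds
     * @return {@code true} when a stored token context exists and its ID token has
     *     not expired; {@code false} when there is none or it has expired, in which
     *     case the expired context is removed from the state manager
     */
    protected boolean checkSecurityContext(ContainerRequestContext containerRequestContext) {
        OidcClientTokenContext stored =
            (OidcClientTokenContext) this.stateManager.getClientTokenContext(this.mc);
        if (stored == null) {
            return false;
        }
        IdToken idToken = stored.getIdToken();
        try {
            // Only the "exp" claim is re-checked here (the 0 is the clock-offset
            // allowance). When the ID token carries no "exp", the claim is treated
            // as optional, so such a context is never evicted by this check.
            // NOTE(review): signature, issuer and audience are not re-validated here;
            // this relies on the context having been fully validated when it was stored.
            JwtUtils.validateJwtExpiry(idToken, 0, idToken.getExpiryTime() != null);
        } catch (JwtException e) {
            this.stateManager.removeClientTokenContext(new MessageContextImpl(JAXRSUtils.getCurrentMessage()));
            return false;
        }

        // Build a fresh per-request context carrying the current request's parameters
        // as its state, and expose it to downstream code through the message.
        OidcClientTokenContextImpl current = new OidcClientTokenContextImpl();
        current.setToken(stored.getToken());
        current.setIdToken(idToken);
        current.setUserInfo(stored.getUserInfo());
        current.setState(toRequestState(containerRequestContext));
        JAXRSUtils.getCurrentMessage().setContent(ClientTokenContext.class, current);

        OidcSecurityContext securityContext = new OidcSecurityContext(current);
        securityContext.setRoleClaim(this.roleClaim);
        containerRequestContext.setSecurityContext(securityContext);
        return true;
    }

    /**
     * Captures the request's parameters as the state of the new token context: the
     * decoded query parameters plus, for a form-urlencoded body, the form fields.
     * The consumed body is written back as the entity stream so the resource method
     * can still read it.
     *
     * @param containerRequestContext the current request
     * @return the collected parameters, never {@code null}
     */
    private MultivaluedMap<String, String> toRequestState(ContainerRequestContext containerRequestContext) {
        MultivaluedMap<String, String> state = new MetadataMap<>();
        state.putAll(containerRequestContext.getUriInfo().getQueryParameters(true));
        if (MediaType.APPLICATION_FORM_URLENCODED_TYPE.isCompatible(containerRequestContext.getMediaType())) {
            String charset = StandardCharsets.UTF_8.name();
            // NOTE(review): the whole form body is buffered in memory here; no size
            // limit is applied at this point.
            String body = FormUtils.readBody(containerRequestContext.getEntityStream(), charset);
            FormUtils.populateMapFromString(state, JAXRSUtils.getCurrentMessage(), body, charset, true);
            containerRequestContext.setEntityStream(new ByteArrayInputStream(StringUtils.toBytesUTF8(body)));
        }
        return state;
    }

    /**
     * Sets where unauthenticated requests are redirected.
     *
     * @param str an absolute URI, a path starting with "/" (resolved against the
     *     HTTP base path) or a relative path (resolved against the JAX-RS base URI);
     *     {@code null} makes the filter answer 401 instead of redirecting
     */
    public void setRedirectUri(String str) {
        this.redirectUri = str;
    }

    /**
     * Sets the manager holding the client token context established at login.
     *
     * @param clientTokenContextManager the state manager; required
     */
    public void setClientTokenContextManager(ClientTokenContextManager clientTokenContextManager) {
        this.stateManager = clientTokenContextManager;
    }

    /**
     * Sets the name of the claim that carries the user's roles.
     *
     * @param str the claim name, or {@code null}
     */
    public void setRoleClaim(String str) {
        this.roleClaim = str;
    }

    /**
     * Controls whether the original request URI is added to the redirect as the
     * "state" query parameter.
     *
     * @param z {@code true} to add it
     */
    public void setAddRequestUriAsRedirectQuery(boolean z) {
        this.addRequestUriAsRedirectQuery = z;
    }
}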
