package org.gridgain.grid.security.oidc;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.UncheckedIOException;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Collectors;
import org.apache.ignite.Ignite;
import org.apache.ignite.IgniteCheckedException;
import org.apache.ignite.IgniteException;
import org.apache.ignite.IgniteLogger;
import org.apache.ignite.internal.util.tostring.GridToStringExclude;
import org.apache.ignite.internal.util.typedef.F;
import org.apache.ignite.internal.util.typedef.T3;
import org.apache.ignite.internal.util.typedef.internal.S;
import org.apache.ignite.lifecycle.LifecycleAware;
import org.apache.ignite.plugin.security.AuthenticationContext;
import org.apache.ignite.plugin.security.SecurityCredentials;
import org.apache.ignite.plugin.security.SecurityPermissionSet;
import org.apache.ignite.plugin.security.SecuritySubject;
import org.apache.ignite.plugin.security.SecuritySubjectType;
import org.apache.ignite.resources.IgniteInstanceResource;
import org.apache.ignite.resources.LoggerResource;
import org.gridgain.control.shade.jackson.core.type.TypeReference;
import org.gridgain.control.shade.jackson.databind.ObjectMapper;
import org.gridgain.grid.internal.GridPluginUtils;
import org.gridgain.grid.internal.util.security.GridSecurityPermissionSetJsonParser;
import org.gridgain.grid.security.AuthenticationValidator;
import org.gridgain.grid.security.Authenticator;
import org.gridgain.grid.security.SecuritySubjectAdapter;

/* loaded from: input_file:org/gridgain/grid/security/oidc/OpenIdAuthenticator.class */
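/**
 * Authenticator that validates an OpenID Connect access token by calling the provider's userinfo endpoint.
 * <p>
 * The access token is taken from the {@code "accessToken"} entry of the credentials' user object and sent as a
 * {@code Bearer} token to {@link #getUserInfoUrl()}. The returned claims must carry a {@code sub} claim and a role
 * claim, looked up first under {@code <claimName>-<clusterId>} (cluster-specific role) and then under
 * {@code <claimName>}. The role is mapped to a {@link SecurityPermissionSet} via {@link #setPermissions(Map)}.
 * Any missing piece (no token, non-200 userinfo response, no {@code sub}, no role, unmapped role) results in a
 * {@code null} subject, i.e. authentication failure; transport errors are raised as {@link IgniteCheckedException}.
 * <p>
 * Configuration is mutable through the fluent setters and is validated in {@link #start()}.
 */
public class OpenIdAuthenticator implements Authenticator, AuthenticationValidator, LifecycleAware {
    /** Default name of the claim that carries the GridGain role. */
    private static final String DFLT_CLAIM_NAME = "gg-role";

    /**
     * Default connect/read timeout for the userinfo request, in milliseconds. Without a timeout a stalled identity
     * provider would block the authenticating thread indefinitely. The value is a chosen default, not an external
     * requirement; tune it with {@link #setRequestTimeoutMs(int)}.
     */
    private static final int DFLT_REQUEST_TIMEOUT_MS = 10_000;

    /** Shared JSON mapper; {@link ObjectMapper} is thread-safe once configured, so one instance is enough. */
    private static final ObjectMapper MAPPER = new ObjectMapper();

    /** Userinfo endpoint URL. Required. */
    private String userInfoUrl;

    /** Name of the role claim (also used as the prefix of the cluster-specific claim). */
    private String claimName = DFLT_CLAIM_NAME;

    /** Role name to permission set; immutable snapshot built by {@link #setPermissions(Map)}. */
    private Map<String, SecurityPermissionSet> mapping;

    /** Connect and read timeout applied to the userinfo request, in milliseconds ({@code 0} = no timeout). */
    private int requestTimeoutMs = DFLT_REQUEST_TIMEOUT_MS;

    @IgniteInstanceResource
    @GridToStringExclude
    private Ignite ignite;

    @LoggerResource
    private IgniteLogger log;

    /**
     * Returns the configuration fingerprint used to verify that all nodes run the same authenticator settings.
     *
     * @return Tuple of userinfo URL, claim name and role mapping.
     */
    @Override public Object validationToken() {
        return new T3<>(userInfoUrl, claimName, mapping);
    }

    /**
     * All subject types are authenticated through the userinfo endpoint.
     *
     * @param subjType Subject type, must not be {@code null}.
     * @return Always {@code true}.
     */
    @Override public boolean supported(SecuritySubjectType subjType) {
        assert subjType != null;

        return true;
    }

    /**
     * Authenticates the subject described by the context using the access token found in its credentials.
     *
     * @param ctx Authentication context, must not be {@code null}.
     * @return Authenticated subject, or {@code null} if the token is missing or the claims do not yield a mapped role.
     * @throws IgniteCheckedException If the userinfo request cannot be executed.
     */
    @Override public SecuritySubject authenticate(AuthenticationContext ctx) throws IgniteCheckedException {
        assert ctx != null;

        SecurityCredentials creds = ctx.credentials();

        if (creds == null)
            return null;

        String accessToken = extractAccessToken(creds);

        if (accessToken == null)
            return null;

        Map<String, String> claims = executeUserInfoRequest(accessToken);

        String sub = claims.get("sub");

        if (F.isEmpty(sub))
            return null;

        // A cluster-specific role claim takes precedence over the generic one.
        String clusterClaimName = claimName + "-" + ignite.cluster().id();
        String clusterRole = claims.get(clusterClaimName);
        String role = F.isEmpty(clusterRole) ? claims.get(claimName) : clusterRole;

        if (F.isEmpty(role)) {
            if (log.isDebugEnabled()) {
                log.debug("Failed to obtain role from user info claims [sub=" + sub + ", expectedClaims=[" + claimName
                    + ", " + clusterClaimName + "]]");
            }

            return null;
        }

        SecurityPermissionSet perms = mapping.get(role);

        if (perms == null) {
            if (log.isDebugEnabled())
                log.debug("Failed to found matched permissions [sub=" + sub + ", role=" + role + "]");

            return null;
        }

        return new SecuritySubjectAdapter(ctx.subjectId(), ctx.subjectType(), sub, ctx.address(), perms,
            (Certificate[])null);
    }

    /**
     * Extracts the access token from the credentials' user object.
     *
     * @param creds Credentials.
     * @return Token, or {@code null} if the user object is not a map, has no string {@code "accessToken"} entry,
     *      or the value is empty or not a valid single header token.
     */
    private String extractAccessToken(SecurityCredentials creds) {
        Object userObj = creds.getUserObject();

        if (!(userObj instanceof Map))
            return null;

        Object tok = ((Map<?, ?>)userObj).get("accessToken");

        if (!(tok instanceof String) || F.isEmpty((String)tok))
            return null;

        String accessToken = (String)tok;

        // A bearer token is a single header token (RFC 6750) and never contains whitespace or control characters;
        // reject such values before they reach the Authorization header rather than relying on the HTTP client.
        for (int i = 0; i < accessToken.length(); i++) {
            char c = accessToken.charAt(i);

            if (Character.isWhitespace(c) || Character.isISOControl(c)) {
                if (log.isDebugEnabled())
                    log.debug("Rejected access token containing whitespace or control characters");

                return null;
            }
        }

        return accessToken;
    }

    /** {@inheritDoc} */
    @Override public boolean isGlobalNodeAuthentication() {
        return true;
    }

    /**
     * Validates the configuration and fails fast on an unusable userinfo URL.
     *
     * @throws IgniteException If a required parameter is missing or the URL is malformed.
     */
    @Override public void start() throws IgniteException {
        GridPluginUtils.assertParameter(!F.isEmpty(userInfoUrl), "userInfoUrl cannot be null or empty");
        GridPluginUtils.assertParameter(!F.isEmpty(claimName), "claimName cannot be null or empty");
        GridPluginUtils.assertParameter(!F.isEmpty(mapping), "permissions cannot be null or empty");
        GridPluginUtils.assertParameter(requestTimeoutMs >= 0, "requestTimeoutMs cannot be negative");

        URL url;

        try {
            url = new URL(userInfoUrl);
        }
        catch (MalformedURLException e) {
            throw new IgniteException("userInfoUrl is not a valid URL [url=" + userInfoUrl + "]", e);
        }

        // Every authentication sends the client's access token to this URL; over plain HTTP it is exposed in transit.
        if (log != null && !"https".equalsIgnoreCase(url.getProtocol()))
            log.warning("userInfoUrl does not use HTTPS, access tokens will be sent in clear text [url=" + userInfoUrl + "]");
    }

    /** {@inheritDoc} */
    @Override public void stop() throws IgniteException {
        // Nothing to release: connections are opened and closed per request.
    }

    /** @return Userinfo endpoint URL. */
    public String getUserInfoUrl() {
        return userInfoUrl;
    }

    /**
     * @param userInfoUrl Userinfo endpoint URL.
     * @return {@code this} for chaining.
     */
    public OpenIdAuthenticator setUserInfoUrl(String userInfoUrl) {
        this.userInfoUrl = userInfoUrl;

        return this;
    }

    /** @return Name of the role claim. */
    public String getClaimName() {
        return claimName;
    }

    /**
     * @param claimName Name of the role claim.
     * @return {@code this} for chaining.
     */
    public OpenIdAuthenticator setClaimName(String claimName) {
        this.claimName = claimName;

        return this;
    }

    /** @return Connect/read timeout of the userinfo request, in milliseconds. */
    public int getRequestTimeoutMs() {
        return requestTimeoutMs;
    }

    /**
     * @param requestTimeoutMs Connect/read timeout of the userinfo request, in milliseconds ({@code 0} = none).
     * @return {@code this} for chaining.
     */
    public OpenIdAuthenticator setRequestTimeoutMs(int requestTimeoutMs) {
        this.requestTimeoutMs = requestTimeoutMs;

        return this;
    }

    /**
     * Sets the role to permission set mapping. The map is copied, so later changes to the argument have no effect.
     *
     * @param map Role name to permission set, must not be {@code null}.
     * @return {@code this} for chaining.
     */
    public OpenIdAuthenticator setPermissions(Map<String, SecurityPermissionSet> map) {
        Objects.requireNonNull(map, "map");

        mapping = Collections.unmodifiableMap(new HashMap<>(map));

        return this;
    }

    /**
     * Sets the role mapping from JSON permission set definitions.
     *
     * @param map Role name to JSON permission set description.
     * @return {@code this} for chaining.
     * @throws IgniteCheckedException If a permission set description cannot be parsed.
     */
    public OpenIdAuthenticator setPermissionsJson(Map<String, String> map) throws IgniteCheckedException {
        Map<String, SecurityPermissionSet> parsed = new LinkedHashMap<>();

        for (Map.Entry<String, String> e : map.entrySet())
            parsed.put(e.getKey(), new GridSecurityPermissionSetJsonParser(e.getValue()).parse());

        return setPermissions(parsed);
    }

    /**
     * Calls the userinfo endpoint with the given bearer token and returns the scalar claims as strings.
     *
     * @param accessToken Access token; it is sent in the request and never logged.
     * @return Claims, or an empty map if the endpoint answered with a non-200 status or an empty body.
     * @throws IgniteCheckedException If the request fails or the response is not a JSON object.
     */
    private Map<String, String> executeUserInfoRequest(String accessToken) throws IgniteCheckedException {
        HttpURLConnection conn = null;

        try {
            conn = (HttpURLConnection)new URL(userInfoUrl).openConnection();

            conn.setConnectTimeout(requestTimeoutMs);
            conn.setReadTimeout(requestTimeoutMs);
            conn.setRequestMethod("GET");
            conn.setRequestProperty("Authorization", "Bearer " + accessToken);
            conn.connect();

            int code = conn.getResponseCode();

            if (code != HttpURLConnection.HTTP_OK) {
                logFailedResponse(conn, code);

                return Collections.emptyMap();
            }

            // JSON is UTF-8 by specification; never fall back to the platform charset.
            try (InputStreamReader rdr = new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8)) {
                Map<String, Object> raw = MAPPER.readValue(rdr, new TypeReference<Map<String, Object>>() {});

                return toStringClaims(raw);
            }
        }
        catch (IOException e) {
            throw new IgniteCheckedException("Failed to execute user info request", e);
        }
        finally {
            if (conn != null)
                conn.disconnect();
        }
    }

    /**
     * Logs a non-200 userinfo response at debug level, including the error body when one is available.
     *
     * @param conn Connection that produced the response.
     * @param code Response status code.
     */
    private void logFailedResponse(HttpURLConnection conn, int code) {
        if (!log.isDebugEnabled())
            return;

        String body = "";

        if (conn.getErrorStream() != null) {
            try (BufferedReader rdr = new BufferedReader(
                new InputStreamReader(conn.getErrorStream(), StandardCharsets.UTF_8))) {
                body = rdr.lines().collect(Collectors.joining());
            }
            catch (IOException | UncheckedIOException e) {
                // The body is diagnostics only; a failure to read it must not change the authentication outcome.
                body = "<unreadable: " + e + ">";
            }
        }

        log.debug("Failed to request user info [url=" + userInfoUrl + ", responseCode=" + code + ", responseBody="
            + body + "]");
    }

    /**
     * Converts parsed claims to the string form used for lookups. Scalar values are stringified; JSON {@code null},
     * objects and arrays (e.g. the standard {@code address} claim) are dropped instead of failing the whole request,
     * since only scalar claims ({@code sub}, the role claims) are consumed here.
     *
     * @param raw Parsed claims, may be {@code null} for an empty body.
     * @return Claim name to string value, never {@code null}.
     */
    private static Map<String, String> toStringClaims(Map<String, Object> raw) {
        if (raw == null)
            return Collections.emptyMap();

        Map<String, String> res = new LinkedHashMap<>();

        for (Map.Entry<String, Object> e : raw.entrySet()) {
            Object val = e.getValue();

            // Jackson maps JSON objects to Map and JSON arrays to List.
            if (val == null || val instanceof Map || val instanceof Iterable)
                continue;

            res.put(e.getKey(), String.valueOf(val));
        }

        return res;
    }

    /** {@inheritDoc} */
    @Override public String toString() {
        return S.toString(OpenIdAuthenticator.class, this);
    }
}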
