package nl.gezondheidsmeter.SSO;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.time.Instant;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import nl.curavista.jwt.JWT;
import nl.knowledgeplaza.securityfilter.SavedRequest;
import nl.knowledgeplaza.securityfilter.SecurityFilter;
import nl.knowledgeplaza.securityfilter.SecurityFilterPrincipal;
import nl.knowledgeplaza.util.Log4jUtil;
import org.apache.log4j.Logger;

/* loaded from: input_file:nl/gezondheidsmeter/SSO/OpenID.class */
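/**
 * OpenID Connect relying-party handler for the GZM security filter.
 *
 * <p>Flow as implemented here (third-party-initiated login, authorization code grant):
 * <ol>
 *   <li>{@link #canHandleAuthentication} claims the request when an {@code iss} parameter
 *       is present or an {@link OpenIDContext} already lives in the session.</li>
 *   <li>{@link #announce} validates {@code iss} against the configured issuer, stores an
 *       {@link OpenIDContext} in the session and redirects to the authorization endpoint
 *       with a session-bound {@code state}.</li>
 *   <li>{@link #verify} checks {@code state}, exchanges the code at the token endpoint,
 *       validates the ID token (signature, {@code iss}, {@code aud}, {@code exp}, {@code sub}),
 *       then fetches the signed user-info and SSO-context documents and stores the resulting
 *       {@link Caregiver} and {@link Patient} in the session.</li>
 * </ol>
 *
 * <p>Security notes: the client secret, access tokens, raw tokens and patient identifiers
 * (BSN) are never written to the log, even at DEBUG. All state comparisons fail closed.
 * No {@code nonce} is sent on the authorization request, so replay of a captured ID token
 * within its validity window is only prevented by the single-use authorization code at the OP.
 */
public class OpenID extends GZMSSOHandler {
    public static final String SOURCECODE_VERSION = "$Revision: 1.5 $";
    private static final String ISSUER_PARAMETER = "iss";
    private static final String LOGINHINT_PARAMETER = "login_hint";
    private static final String CODE_PARAMETER = "code";
    private static final String STATE_PARAMETER = "state";
    private static final String SSOCONFIG_PARAMETER = "ssoconfig";
    private static final String CONTEXT_SESSION_NAME = "OpenIDContext";
    private static final String GZM_SSO_ROLE = "GZM_SSO_ROLE";
    private static final String GZM_SSO_EXT_ID = "GZM_SSO_EXT_ID";
    private static final String GZM_CAREGIVER_OBJECT = "GZM_CAREGIVER_OBJECT";
    private static final String GZM_PATIENT_OBJECT = "GZM_PATIENT_OBJECT";
    private static final String OPENID_HANDELED = "OPENID_HANDELED";
    private static final String SSO_SAVEDREQUEST = "SSO_SAVEDREQUEST";
    private static final String GZM_SIGNUP = "GZM_SIGNUP";
    private static final String GZM_SIGNUP_TRIES = "GZM_SIGNUP_TRIES";
    private static final String FORCE_SESSION_STORE = "ForceSessionStore";
    /** Clock difference tolerated between this host and the OP when checking {@code exp}. */
    private static final long CLOCK_SKEW_SECONDS = 60L;
    /** Session attributes written by this handler that must not survive a logout. */
    private static final String[] SESSION_ATTRIBUTES_CLEARED_ON_LOGOUT = {
        CONTEXT_SESSION_NAME, GZM_SSO_EXT_ID, GZM_SSO_ROLE, GZM_CAREGIVER_OBJECT, GZM_PATIENT_OBJECT
    };
    private static final Logger log4j = Log4jUtil.createLogger();
    /** ObjectMapper is thread-safe once configured; one instance is enough. */
    private static final ObjectMapper JSON = new ObjectMapper();
    private String iIssuerIdentifier;
    private String iClientId;
    private String iClientSecret;
    private String iOAuth2Scope;
    private String iAuthorizationEndPoint;
    private String iTokenEndPoint;
    private String iUserInfoEndPoint;
    private String iSSOContextEndPoint;
    private String iPublicKeyPath;
    private String iRedirToGzmUrl;

    /**
     * Claims the request when an OpenID context is already in the session or the request
     * carries an {@code iss} parameter (third-party-initiated login).
     *
     * @return {@code true} when this handler should process the request
     */
    public boolean canHandleAuthentication(SecurityFilter securityFilter, HttpServletRequest request, HttpServletResponse response) {
        log4j.debug("canHandleAuthentication called");
        if (request.getSession().getAttribute(CONTEXT_SESSION_NAME) != null) {
            log4j.debug("OpenID Context in session.");
            return true;
        }
        String issuer = request.getParameter(ISSUER_PARAMETER);
        boolean handle = issuer != null;
        if (log4j.isDebugEnabled()) {
            log4j.debug("Issuer: " + (issuer == null ? "-none-" : issuer));
            // The logged value is the actual return value (the original logged its negation).
            log4j.debug("canHandleAuthentication returns " + handle);
        }
        return handle;
    }

    /**
     * A new authentication round is needed when no context exists yet, or when the caller
     * explicitly asks for one with an {@code ssoconfig} parameter.
     */
    public boolean shouldAuthenticate(HttpServletRequest request) {
        boolean contextMissing = request.getSession().getAttribute(CONTEXT_SESSION_NAME) == null;
        boolean ssoConfigRequested = request.getParameter(SSOCONFIG_PARAMETER) != null;
        if (contextMissing || ssoConfigRequested) {
            return true;
        }
        log4j.debug("OpenID Context in session.");
        return false;
    }

    /**
     * Lower-case hex SHA-256 of {@code str} (UTF-8 encoded).
     *
     * @param str text to hash; must not be {@code null}
     * @return 64 hex characters
     * @throws IOException if SHA-256 is unavailable in this JVM (wrapped {@link NoSuchAlgorithmException})
     */
    public String sha256Hash(String str) throws IOException {
        Objects.requireNonNull(str, "str");
        try {
            MessageDigest digest = MessageDigest.getInstance("SHA-256");
            // Explicit charset: the default-charset getBytes() would make the hash host dependent.
            byte[] hash = digest.digest(str.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder(hash.length * 2);
            for (byte b : hash) {
                hex.append(String.format("%02x", b & 0xff));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IOException(e);
        }
    }

    /**
     * Starts the login: validates the initiating {@code iss}/{@code login_hint} parameters,
     * stores a fresh {@link OpenIDContext} in the session and redirects the browser to the
     * configured authorization endpoint.
     *
     * @throws ServletException when a required parameter is missing, the issuer is not the
     *                          configured one, or the redirect cannot be sent
     */
    public void announce(SecurityFilter securityFilter, HttpServletRequest request, HttpServletResponse response, Principal principal) throws ServletException {
        log4j.debug("Announce called");
        request.setAttribute(OPENID_HANDELED, "true");
        String issuer = request.getParameter(ISSUER_PARAMETER);
        if (issuer == null) {
            throw new ServletException("iss parameter not set");
        }
        String loginHint = request.getParameter(LOGINHINT_PARAMETER);
        if (loginHint == null) {
            throw new ServletException("login_hint parameter not set");
        }
        // Third-party-initiated login: only the configured OP may start a login here.
        if (!issuer.equals(this.iIssuerIdentifier)) {
            throw new ServletException("Request issuer does not match with config issuer");
        }
        if (getAuthorizationEndPoint() == null) {
            throw new ServletException("AuthorizationEndPoint not configured");
        }
        OpenIDContext context = new OpenIDContext();
        context.setIssuer(issuer);
        context.setLoginHint(loginHint);
        HttpSession session = request.getSession();
        session.setAttribute(CONTEXT_SESSION_NAME, context);
        try {
            String url = buildAuthorizationUrl(loginHint, expectedState(session));
            if (log4j.isDebugEnabled()) {
                log4j.debug("Announce(redir) to url: " + url);
            }
            // The context must be persisted before the browser leaves, or verify() cannot find it.
            session.setAttribute(FORCE_SESSION_STORE, "true");
            response.sendRedirect(url);
            log4j.debug("Announce returns");
        } catch (IOException e) {
            log4j.error("Could not redirect user to SSO login", e);
            throw new ServletException("Could not redirect user to SSO login", e);
        }
    }

    /**
     * Builds the authorization request URL. Every value that is not produced by this class
     * is URL-encoded; {@code login_hint} in particular comes from the request and would
     * otherwise allow injecting extra query parameters into the redirect.
     */
    private String buildAuthorizationUrl(String loginHint, String state) throws IOException {
        String endpoint = getAuthorizationEndPoint();
        StringBuilder url = new StringBuilder(endpoint);
        if (!endpoint.endsWith("?")) {
            url.append('?');
        }
        url.append("client_id=").append(urlEncode(getClientId()));
        url.append("&response_type=code");
        url.append("&redirect_uri=").append(urlEncode(getRedirToGzmUrl()));
        url.append("&scope=").append(urlEncode(getOAuth2Scope()));
        url.append("&login_hint=").append(urlEncode(loginHint));
        url.append("&state=").append(state);
        return url.toString();
    }

    /** RFC 3986 query-component encoding ({@code %20} rather than {@code +} for spaces). */
    private static String urlEncode(String value) throws IOException {
        return URLEncoder.encode(value == null ? "" : value, StandardCharsets.UTF_8.name()).replace("+", "%20");
    }

    /**
     * The {@code state} value this session expects back from the OP: SHA-256 of the session id.
     * It is bound to the session and unguessable as long as the session id is, which is the
     * same assumption the session itself rests on; a random per-login nonce would be the more
     * conventional choice but would need a field on {@link OpenIDContext}.
     */
    private String expectedState(HttpSession session) throws IOException {
        return sha256Hash(session.getId());
    }

    /**
     * Verifies the returned {@code state} against the session-bound expectation.
     * Fails closed: if the expected value cannot be computed, the login is rejected rather
     * than continued without a CSRF check.
     */
    private void checkState(HttpSession session, String returnedState) throws ServletException {
        String expected;
        try {
            expected = expectedState(session);
        } catch (IOException e) {
            throw new ServletException("Could not compute expected state", e);
        }
        if (returnedState == null
                || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), returnedState.getBytes(StandardCharsets.UTF_8))) {
            throw new ServletException("State returned by request is invalid");
        }
    }

    /**
     * Completes the login on the redirect back from the OP.
     *
     * <p>Order of checks: context present, authorization code present, {@code state} valid,
     * token exchange and ID-token validation (only on the first pass; afterwards the access
     * token and subject are reused from the session), GZM user lookup, signed user-info and
     * SSO-context retrieval, then the caregiver/patient objects are stored in the session.
     *
     * @return the resolved principal, or {@code null} when the subject is unknown to GZM
     * @throws ServletException on any validation failure or OP communication problem
     */
    public Principal verify(SecurityFilter securityFilter, HttpServletRequest request, HttpServletResponse response, Principal principal) throws ServletException {
        log4j.debug("verify called, expired principal: " + principal);
        HttpSession session = request.getSession();
        session.setAttribute(FORCE_SESSION_STORE, "true");
        request.setAttribute(OPENID_HANDELED, "true");
        OpenIDContext context = (OpenIDContext) session.getAttribute(CONTEXT_SESSION_NAME);
        if (context == null) {
            // Reaching the redirect URI without a context means announce() never ran in this session.
            throw new ServletException("No OpenID context in session");
        }
        String code = request.getParameter(CODE_PARAMETER);
        if (code != null) {
            context.setAuthorizationCode(code);
        }
        if (context.getAuthorizationCode() == null) {
            throw new ServletException("No auth code returned");
        }
        String state = request.getParameter(STATE_PARAMETER);
        if (state != null) {
            context.setState(state);
        }
        checkState(session, context.getState());
        SecurityFilterPrincipal resolved = null;
        try {
            String subject = resolveSubject(session, context);
            if (log4j.isDebugEnabled()) {
                log4j.debug("Subject (external id): " + subject);
            }
            String gzmUser = getExtUserID(session, subject, Role.CAREGIVER);
            if (log4j.isDebugEnabled()) {
                log4j.debug("GZM User: " + gzmUser);
            }
            session.setAttribute(GZM_SSO_ROLE, Role.CAREGIVER.toString());
            if (gzmUser != null) {
                resolved = new SecurityFilterPrincipal(gzmUser, (String) null);
            }
            JsonNode userInfo = fetchSignedClaims(getUserInfoEndPoint(), context.getAccessToken(), "user info");
            JsonNode ssoContext = fetchSignedClaims(getSSOContextEndPoint(), context.getAccessToken(), "SSO context");
            // OIDC Core 5.3.2: a user-info sub that differs from the ID token's must be rejected.
            String userInfoSubject = textClaim(userInfo, "sub");
            if (userInfoSubject != null && !userInfoSubject.equals(subject)) {
                throw new ServletException("User info subject does not match ID token subject");
            }
            session.setAttribute(GZM_CAREGIVER_OBJECT, buildCaregiver(userInfo, ssoContext));
            session.setAttribute(GZM_PATIENT_OBJECT, buildPatient(ssoContext));
            stripSsoConfigFromSavedRequest(session);
            session.setAttribute(CONTEXT_SESSION_NAME, context);
            log4j.debug("verify returns principal: " + resolved);
            return resolved;
        } catch (IOException | GeneralSecurityException e) {
            log4j.error("Could not process ID Token", e);
            throw new ServletException("Could not process ID Token", e);
        } catch (OpenIDException e) {
            log4j.error("Could not process ID Token", e);
            throw new ServletException("Could not get ID Token", e);
        }
    }

    /**
     * Returns the OP subject for this login. On the first pass the authorization code is
     * exchanged and the ID token validated; the access token is stored in the context only
     * after the ID token passed, so a failed validation cannot be skipped on a retry.
     * On later passes the subject is taken from the session.
     */
    private String resolveSubject(HttpSession session, OpenIDContext context)
            throws IOException, GeneralSecurityException, OpenIDException, ServletException {
        if (context.getAccessToken() != null) {
            log4j.debug("Access token is in session, use access token and external id from session");
            return (String) session.getAttribute(GZM_SSO_EXT_ID);
        }
        log4j.debug("TokenEndPoint is being called, access token unknown");
        JsonNode tokenResponse = JSON.readTree(OpenIDClient.callTokenEndPoint(
                getTokenEndPoint(), getClientId(), getClientSecret(), context.getAuthorizationCode(), getRedirToGzmUrl()));
        String accessToken = textClaim(tokenResponse, "access_token");
        String rawIdToken = textClaim(tokenResponse, "id_token");
        if (accessToken == null || rawIdToken == null) {
            // An OAuth error response ({"error": ...}) has neither; report the error code, never the body.
            throw new ServletException("Token endpoint response lacks access_token or id_token (error="
                    + textClaim(tokenResponse, "error") + ")");
        }
        JWT idToken = new JWT(rawIdToken);
        log4j.debug("Checking signature of ID token");
        if (!idToken.checkSignatureWithPubKey(this.iPublicKeyPath)) {
            throw new ServletException("Invalid JWT signature for ID token");
        }
        log4j.debug("Signature check passed");
        JsonNode claims = idToken.getDecodedPayloadObject();
        validateIdTokenClaims(claims);
        String subject = textClaim(claims, "sub");
        context.setAccessToken(accessToken);
        session.setAttribute(GZM_SSO_EXT_ID, subject);
        return subject;
    }

    /**
     * Claim checks required by OIDC Core 3.1.3.7 beyond the signature: {@code iss} equals the
     * configured issuer, {@code aud} contains our client id, {@code exp} is in the future
     * (with {@link #CLOCK_SKEW_SECONDS} tolerance) and {@code sub} is present.
     */
    private void validateIdTokenClaims(JsonNode claims) throws ServletException {
        if (claims == null) {
            throw new ServletException("ID token has no payload");
        }
        String issuer = textClaim(claims, "iss");
        if (issuer == null || !issuer.equals(this.iIssuerIdentifier)) {
            throw new ServletException("ID token issuer does not match config issuer");
        }
        if (!audienceContains(claims.get("aud"), this.iClientId)) {
            throw new ServletException("ID token audience does not contain this client id");
        }
        JsonNode exp = claims.get("exp");
        long expirySeconds = exp == null ? -1L : exp.asLong(-1L);
        if (expirySeconds < 0) {
            throw new ServletException("ID token has no valid exp claim");
        }
        if (expirySeconds + CLOCK_SKEW_SECONDS < Instant.now().getEpochSecond()) {
            throw new ServletException("ID token has expired");
        }
        if (textClaim(claims, "sub") == null) {
            throw new ServletException("ID token has no sub claim");
        }
        if (log4j.isDebugEnabled()) {
            // Claim names only: the payload carries personal data.
            log4j.debug("ID token claims: " + fieldNames(claims));
        }
    }

    /** {@code aud} may be a single string or an array of strings. */
    private static boolean audienceContains(JsonNode aud, String clientId) {
        if (aud == null || clientId == null) {
            return false;
        }
        if (aud.isArray()) {
            for (JsonNode entry : aud) {
                if (clientId.equals(entry.asText())) {
                    return true;
                }
            }
            return false;
        }
        return clientId.equals(aud.asText());
    }

    /**
     * Calls a bearer-protected endpoint that returns a JWT, verifies its signature with the
     * configured public key and returns the decoded payload.
     *
     * @param what used in log and error messages, e.g. "user info"
     */
    private JsonNode fetchSignedClaims(String endpoint, String accessToken, String what)
            throws IOException, GeneralSecurityException, OpenIDException, ServletException {
        log4j.debug(what + " endpoint is being called");
        JWT token = new JWT(OpenIDClient.callInfoEndPoint(endpoint, accessToken));
        log4j.debug("Checking signature of " + what + " token");
        if (!token.checkSignatureWithPubKey(this.iPublicKeyPath)) {
            throw new ServletException("Invalid JWT signature for " + what);
        }
        log4j.debug("Signature check passed");
        return token.getDecodedPayloadObject();
    }

    /** Caregiver attributes from the user-info payload plus the AGB codes of the SSO context. */
    @SuppressWarnings({"rawtypes", "unchecked"})
    private Caregiver buildCaregiver(JsonNode userInfo, JsonNode ssoContext) {
        // Raw map on purpose: Caregiver's constructor parameter type is declared outside this file.
        HashMap fields = new HashMap();
        fields.put("initials", textClaim(userInfo, "initials"));
        fields.put("givenName", textClaim(userInfo, "given_name"));
        fields.put("familyNamePrefix", textClaim(userInfo, "family_name_prefix"));
        fields.put("familyName", textClaim(userInfo, "family_name"));
        fields.put("gender", dutchGender(textClaim(userInfo, "gender")));
        fields.put("birthdate", textClaim(userInfo, "birthdate"));
        fields.put("persAgb", textClaim(userInfo, "agb_code"));
        fields.put("orgAgb", nestedTextClaim(ssoContext, "organization", "agb_code"));
        fields.put("careAgb", nestedTextClaim(ssoContext, "care_group", "agb_code"));
        if (log4j.isDebugEnabled()) {
            log4j.debug("Caregiver agb code: " + fields.get("persAgb"));
        }
        return new Caregiver(fields);
    }

    /** Patient attributes from the {@code patient} object of the SSO context (all optional). */
    @SuppressWarnings({"rawtypes", "unchecked"})
    private Patient buildPatient(JsonNode ssoContext) {
        JsonNode patient = ssoContext == null ? null : ssoContext.findValue("patient");
        // Raw map on purpose: Patient's constructor parameter type is declared outside this file.
        HashMap fields = new HashMap();
        fields.put("bsn", textClaim(patient, "bsn"));
        fields.put("initials", textClaim(patient, "initials"));
        fields.put("givenName", textClaim(patient, "given_name"));
        fields.put("familyNamePrefix", textClaim(patient, "family_name_prefix"));
        fields.put("familyName", textClaim(patient, "family_name"));
        fields.put("gender", dutchGender(textClaim(patient, "gender")));
        fields.put("birthdate", textClaim(patient, "birthdate"));
        if (log4j.isDebugEnabled()) {
            // The BSN and name/birthdate are special-category data; only log that a patient was supplied.
            log4j.debug("Patient context " + (patient == null ? "absent" : "present"));
        }
        return new Patient(fields);
    }

    /** Maps the OP's "F" to the Dutch "V" used by GZM; other values pass through unchanged. */
    private static String dutchGender(String gender) {
        return "F".equals(gender) ? "V" : gender;
    }

    /**
     * Text of a direct child field, or {@code null} if the node or field is absent or JSON null.
     * Uses {@code get} rather than {@code findValue} so a nested field of the same name cannot
     * shadow the top-level one.
     */
    private static String textClaim(JsonNode node, String name) {
        if (node == null) {
            return null;
        }
        JsonNode value = node.get(name);
        return value == null || value.isNull() ? null : value.asText();
    }

    /** {@link #textClaim} on the first object named {@code child} found anywhere below {@code node}. */
    private static String nestedTextClaim(JsonNode node, String child, String name) {
        return node == null ? null : textClaim(node.findValue(child), name);
    }

    /** Comma-separated field names of an object node, for PII-free debug logging. */
    private static String fieldNames(JsonNode node) {
        StringBuilder names = new StringBuilder();
        for (Iterator<String> it = node.fieldNames(); it.hasNext(); ) {
            if (names.length() > 0) {
                names.append(',');
            }
            names.append(it.next());
        }
        return names.toString();
    }

    /**
     * Removes the {@code ssoconfig} trigger from the saved request so replaying it after login
     * does not start yet another SSO round.
     */
    private void stripSsoConfigFromSavedRequest(HttpSession session) {
        SavedRequest saved = (SavedRequest) session.getAttribute(SSO_SAVEDREQUEST);
        if (saved == null) {
            return;
        }
        if (log4j.isDebugEnabled()) {
            log4j.debug("removing ssoconfig parameter from request");
            log4j.debug("- URL before: " + saved.getURL());
        }
        saved.removeParameter(SSOCONFIG_PARAMETER);
        if (log4j.isDebugEnabled()) {
            log4j.debug("- URL after: " + saved.getURL());
        }
        session.setAttribute(SSO_SAVEDREQUEST, saved);
    }

    /**
     * The OP subject is not a GZM user: mark the session for sign-up and forward to the
     * configured unknown-user page.
     *
     * @return {@link SecurityFilter#AUTHENTICATION_IN_PROGRESS}
     */
    public Principal handleUnknownPrincipal(SecurityFilter securityFilter, HttpServletRequest request, HttpServletResponse response, Principal principal) throws ServletException {
        log4j.debug("Handling unknown principal...");
        HttpSession session = request.getSession();
        session.setAttribute(SecurityFilter.SESSIONATTRIBUTE_REASON, "User not found");
        log4j.debug("Forwarding to OnUnkownUser:" + this.iOnUnkownUser);
        session.setAttribute(GZM_SIGNUP, "true");
        session.setAttribute(GZM_SIGNUP_TRIES, 0);
        try {
            request.getRequestDispatcher(this.iOnUnkownUser).forward(request, response);
        } catch (IOException e) {
            throw new ServletException(e);
        }
        log4j.debug("Unknown principle handled.");
        return SecurityFilter.AUTHENTICATION_IN_PROGRESS;
    }

    /**
     * Clears this handler's session state (context with access token, subject, role,
     * caregiver and patient). No OP-side (RP-initiated) logout is performed: no
     * end-session endpoint is configured for this handler.
     */
    public void logout(SecurityFilter securityFilter, HttpServletRequest request, HttpServletResponse response) throws ServletException {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return;
        }
        for (String attribute : SESSION_ATTRIBUTES_CLEARED_ON_LOGOUT) {
            session.removeAttribute(attribute);
        }
        log4j.debug("OpenID session state cleared on logout");
    }

    /**
     * A request carrying {@code ssoconfig} that this handler has not processed yet starts a
     * new SSO round: the whole session is invalidated so nothing from a previous login bleeds
     * into the new one, and the request is replayed.
     */
    public void updateTimeout(SecurityFilter securityFilter, HttpServletRequest request, HttpServletResponse response) throws ServletException {
        boolean freshSsoConfigRequest = request.getParameter(SSOCONFIG_PARAMETER) != null
                && !response.isCommitted()
                && request.getAttribute(OPENID_HANDELED) == null;
        if (!freshSsoConfigRequest) {
            return;
        }
        log4j.debug("New ssoconfig request detected. ");
        SavedRequest saved = new SavedRequest(request);
        request.getSession().invalidate();
        if (log4j.isDebugEnabled()) {
            log4j.debug("Redirecting to URL: " + saved.getURL());
        }
        saved.redirect(request, response);
    }

    /**
     * Reads the OP configuration. The client secret is only reported as present/absent in
     * the log; all other values are logged at DEBUG.
     */
    @Override // nl.gezondheidsmeter.SSO.GZMSSOHandler
    public void setConfig(Map<String, String> map) {
        log4j.debug("setConfig called");
        super.setConfig(map);
        this.iIssuerIdentifier = map.get("IssuerIdentifier");
        this.iClientId = map.get("ClientId");
        this.iClientSecret = map.get("ClientSecret");
        this.iPublicKeyPath = map.get("PublicKeyPath");
        this.iOAuth2Scope = map.get("OAuth2scope");
        this.iAuthorizationEndPoint = map.get("AuthorizationEndPoint");
        this.iTokenEndPoint = map.get("TokenEndPoint");
        this.iUserInfoEndPoint = map.get("UserInfoEndPoint");
        this.iSSOContextEndPoint = map.get("SSOContextEndPoint");
        this.iRedirToGzmUrl = map.get("RedirToGzmUrl");
        if (log4j.isDebugEnabled()) {
            log4j.debug("IssuerIdentifier=" + this.iIssuerIdentifier);
            log4j.debug("ClientId=" + this.iClientId);
            log4j.debug("ClientSecret=" + (this.iClientSecret == null ? "<not set>" : "<set>"));
            log4j.debug("PublicKeyPath=" + this.iPublicKeyPath);
            log4j.debug("OAuth2scope=" + this.iOAuth2Scope);
            log4j.debug("AuthorizationEndPoint=" + this.iAuthorizationEndPoint);
            log4j.debug("TokenEndPoint=" + this.iTokenEndPoint);
            log4j.debug("UserInfoEndPoint=" + this.iUserInfoEndPoint);
            log4j.debug("SSOContextEndPoint=" + this.iSSOContextEndPoint);
            log4j.debug("RedirToGzmUrl=" + this.iRedirToGzmUrl);
        }
        log4j.debug("setConfig returns");
    }

    protected String getIssuerIdentifier() {
        return this.iIssuerIdentifier;
    }

    protected void setIssuerIdentifier(String str) {
        this.iIssuerIdentifier = str;
    }

    protected String getClientId() {
        return this.iClientId;
    }

    protected void setClientId(String str) {
        this.iClientId = str;
    }

    protected String getClientSecret() {
        return this.iClientSecret;
    }

    protected void setClientSecret(String str) {
        this.iClientSecret = str;
    }

    protected String getOAuth2Scope() {
        return this.iOAuth2Scope;
    }

    protected void setOAuth2Scope(String str) {
        this.iOAuth2Scope = str;
    }

    protected String getAuthorizationEndPoint() {
        return this.iAuthorizationEndPoint;
    }

    protected void setAuthorizationEndPoint(String str) {
        this.iAuthorizationEndPoint = str;
    }

    protected String getTokenEndPoint() {
        return this.iTokenEndPoint;
    }

    protected void setTokenEndPoint(String str) {
        this.iTokenEndPoint = str;
    }

    protected String getUserInfoEndPoint() {
        return this.iUserInfoEndPoint;
    }

    protected void setUserInfoEndPoint(String str) {
        this.iUserInfoEndPoint = str;
    }

    protected String getSSOContextEndPoint() {
        return this.iSSOContextEndPoint;
    }

    protected void setSSOContextEndPoint(String str) {
        this.iSSOContextEndPoint = str;
    }

    protected String getPublicKeyPath() {
        return this.iPublicKeyPath;
    }

    protected void setPublicKeyPath(String str) {
        this.iPublicKeyPath = str;
    }

    protected String getRedirToGzmUrl() {
        return this.iRedirToGzmUrl;
    }

    protected void setRedirToGzmUrl(String str) {
        this.iRedirToGzmUrl = str;
    }
}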
