package org.pac4j.oidc.credentials.extractor;

import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.oauth2.sdk.AuthorizationCode;
import com.nimbusds.oauth2.sdk.id.State;
import com.nimbusds.oauth2.sdk.token.AccessToken;
import com.nimbusds.openid.connect.sdk.AuthenticationErrorResponse;
import com.nimbusds.openid.connect.sdk.AuthenticationResponse;
import com.nimbusds.openid.connect.sdk.AuthenticationResponseParser;
import com.nimbusds.openid.connect.sdk.AuthenticationSuccessResponse;
import java.net.URI;
import java.net.URISyntaxException;
import java.text.ParseException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.credentials.extractor.CredentialsExtractor;
import org.pac4j.core.exception.TechnicalException;
import org.pac4j.core.exception.http.BadRequestAction;
import org.pac4j.core.exception.http.OkAction;
import org.pac4j.core.util.CommonHelper;
import org.pac4j.core.util.Pac4jConstants;
import org.pac4j.oidc.client.OidcClient;
import org.pac4j.oidc.config.OidcConfiguration;
import org.pac4j.oidc.credentials.OidcCredentials;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/pac4j-oidc-4.5.8.jar:org/pac4j/oidc/credentials/extractor/OidcExtractor.class */
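/**
 * Extracts {@link OidcCredentials} from the callback request of an OpenID Connect login,
 * and handles OIDC logout notifications that arrive on the same endpoint.
 *
 * <p>Everything read from the {@link WebContext} here is attacker-controllable request data.
 * The login branch compares the returned {@code state} with the stored one when the
 * configuration asks for it. The logout branch performs no comparable check in this class
 * (see the notes in {@link #extract(WebContext)}).
 */
public class OidcExtractor implements CredentialsExtractor<OidcCredentials> {
    private static final Logger logger = LoggerFactory.getLogger(OidcExtractor.class);
    protected OidcConfiguration configuration;
    protected OidcClient client;

    /**
     * Creates the extractor.
     *
     * @param oidcConfiguration the OIDC configuration, asserted non-null
     * @param oidcClient the client this extractor belongs to, asserted non-null
     */
    public OidcExtractor(OidcConfiguration oidcConfiguration, OidcClient oidcClient) {
        CommonHelper.assertNotNull("configuration", oidcConfiguration);
        CommonHelper.assertNotNull("client", oidcClient);
        this.configuration = oidcConfiguration;
        this.client = oidcClient;
    }

    /**
     * Handles a logout notification, or extracts the credentials of an authentication response.
     *
     * <p>When the logout endpoint parameter is present the request is treated as a logout:
     * back-channel if a {@code logout_token} parameter is sent, front-channel otherwise. The
     * session is destroyed through the configured logout handler, cache-suppressing headers are
     * set, and an {@link OkAction} with an empty body is thrown.
     *
     * <p>Otherwise the request parameters are parsed as an authentication response against the
     * computed callback URL. An error response yields an empty {@link Optional}. A success
     * response has its {@code state} checked (if enabled) and its code, ID token and access
     * token copied into the credentials.
     *
     * @param webContext the current web context
     * @return the extracted credentials, or empty when the provider returned an error response
     * @throws BadRequestAction when the logout token cannot be parsed or exposes no claims
     * @throws OkAction always, once a logout request has been handled
     * @throws TechnicalException when the state is missing or does not match, when the response
     *     carries no credentials at all, or when the response or callback URL cannot be parsed
     */
    @Override
    public Optional<OidcCredentials> extract(WebContext webContext) {
        if (webContext.getRequestParameter(Pac4jConstants.LOGOUT_ENDPOINT_PARAMETER).isPresent()) {
            Optional<String> logoutToken = webContext.getRequestParameter("logout_token");
            if (logoutToken.isPresent()) {
                try {
                    // NOTE(security): the token is only parsed here. This method checks neither
                    // the signature nor the iss/aud/events claims before acting on "sid", and an
                    // unsecured (alg=none) token parses just as well. Unless the logout handler
                    // or a filter in front of this endpoint verifies the token, any caller who
                    // knows a session id can have that session destroyed.
                    JWT logoutJwt = JWTParser.parse(logoutToken.get());
                    // The claims set is read twice to avoid naming a type the file does not import.
                    // A token whose payload is unavailable (presumably a still-encrypted JWE)
                    // yields null here; reject it rather than fail with a NullPointerException.
                    if (logoutJwt.getJWTClaimsSet() == null) {
                        logger.error("Logout token exposes no claims set");
                        throw BadRequestAction.INSTANCE;
                    }
                    // getStringClaim raises ParseException for a non-string "sid", so a malformed
                    // claim becomes a 400 instead of a ClassCastException.
                    String sessionId = logoutJwt.getJWTClaimsSet().getStringClaim("sid");
                    logger.debug("Handling back-channel logout for sessionId: {}", sessionId);
                    // sessionId may be null when the token has no "sid" claim; the handler decides.
                    this.configuration.findLogoutHandler().destroySessionBack(webContext, sessionId);
                } catch (ParseException e) {
                    logger.error("Cannot validate JWT logout token", e);
                    throw BadRequestAction.INSTANCE;
                }
            } else {
                // NOTE(security): front-channel logout takes "sid" straight from the request with
                // no further check in this method; it may be null if the parameter is absent.
                String sessionId = webContext.getRequestParameter("sid").orElse(null);
                logger.debug("Handling front-channel logout for sessionId: {}", sessionId);
                this.configuration.findLogoutHandler().destroySessionFront(webContext, sessionId);
            }
            // Logout responses must not be cached by the browser or by intermediaries.
            webContext.setResponseHeader("Cache-Control", "no-cache, no-store");
            webContext.setResponseHeader("Pragma", "no-cache");
            throw new OkAction("");
        }

        String callbackUrl = this.client.computeFinalCallbackUrl(webContext);
        try {
            AuthenticationResponse response =
                    AuthenticationResponseParser.parse(new URI(callbackUrl), retrieveParameters(webContext));
            if (response instanceof AuthenticationErrorResponse) {
                logger.error("Bad authentication response, error={}",
                        ((AuthenticationErrorResponse) response).getErrorObject());
                return Optional.empty();
            }
            logger.debug("Authentication response successful");
            AuthenticationSuccessResponse successResponse = (AuthenticationSuccessResponse) response;

            if (this.configuration.isWithState()) {
                // The state stored when the authentication request was sent binds this response
                // to the session that started the login (CSRF protection).
                State expectedState = (State) this.configuration.getValueRetriever()
                        .retrieve(this.client.getStateSessionAttributeName(), this.client, webContext)
                        .orElseThrow(() -> new TechnicalException("State cannot be determined"));
                State receivedState = successResponse.getState();
                if (receivedState == null) {
                    throw new TechnicalException("Missing state parameter");
                }
                logger.debug("Request state: {}/response state: {}", expectedState, receivedState);
                if (!expectedState.equals(receivedState)) {
                    throw new TechnicalException("State parameter is different from the one sent in authentication request.");
                }
            }

            // Copy whichever artefacts the response carries; none of them is validated here.
            OidcCredentials credentials = new OidcCredentials();
            AuthorizationCode code = successResponse.getAuthorizationCode();
            if (code != null) {
                credentials.setCode(code);
            }
            JWT idToken = successResponse.getIDToken();
            if (idToken != null) {
                credentials.setIdToken(idToken);
            }
            AccessToken accessToken = successResponse.getAccessToken();
            if (accessToken != null) {
                credentials.setAccessToken(accessToken);
            }
            if (code == null && idToken == null && accessToken == null) {
                throw new TechnicalException("Cannot accept empty OIDC credentials");
            }
            return Optional.of(credentials);
        } catch (com.nimbusds.oauth2.sdk.ParseException | URISyntaxException e) {
            throw new TechnicalException(e);
        }
    }

    /**
     * Converts the request parameters into the multi-valued map form expected by the
     * authentication response parser.
     *
     * @param webContext the current web context
     * @return a new map from each parameter name to a fixed-size list view of its values
     */
    protected Map<String, List<String>> retrieveParameters(WebContext webContext) {
        Map<String, String[]> requestParameters = webContext.getRequestParameters();
        Map<String, List<String>> parameters = new HashMap<>();
        for (Map.Entry<String, String[]> entry : requestParameters.entrySet()) {
            parameters.put(entry.getKey(), Arrays.asList(entry.getValue()));
        }
        return parameters;
    }
}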
