package com.mapr.admin.controller;

import com.mapr.admin.lib.SecurityUtils;
import com.mapr.admin.model.oidc.KeyCloakToken;
import com.mapr.admin.model.oidc.OauthAccessToken;
import com.mapr.admin.model.oidc.SsoConf;
import com.mapr.admin.service.AdminService;
import com.mapr.admin.service.impl.MapRAdminService;
import com.mapr.admin.util.AuditLog;
import com.mapr.admin.util.FileUtil;
import com.mapr.admin.util.Oauth2Util;
import com.mapr.baseutils.sso.JwtValidator;
import com.mapr.baseutils.sso.roles.SSORoleTranslator;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.security.InvalidParameterException;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.apache.commons.compress.utils.IOUtils;
import org.apache.commons.lang3.ObjectUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.web.client.HttpClientErrorException;
import org.springframework.web.client.RestTemplate;

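/**
 * JAX-RS resource backing the SSO (OIDC) side of the admin UI login.
 *
 * <p>Token material comes from Spring Security's {@link OAuth2AuthorizedClientService}
 * for the {@link OAuth2AuthenticationToken} in the current security context. The
 * access and refresh token values are cached in the HTTP session (attributes
 * {@code "atoken"} / {@code "rtoken"}) so that {@code refreshToken} and
 * {@code jwtTokens} can call the identity provider's token endpoint directly.
 *
 * <p>Security note: {@code getToken}, {@code refreshToken} and {@code jwtTokens}
 * return raw bearer/refresh tokens to the caller. They are only meaningful behind
 * an already authenticated session; nothing in this class authorizes the caller
 * itself -- that is left to the surrounding security filter chain.
 */
@Produces({"application/json"})
@Path("/oauth")
@Consumes({"application/json"})
/* loaded from: input_file:com/mapr/admin/controller/OauthController.class */
public class OauthController extends ResourceController {
    private static final Logger log = LogManager.getLogger((Class<?>) OauthController.class);

    /** Session attribute holding the refresh token of the current SSO session. */
    private static final String REFRESH_TOKEN_ATTR = "rtoken";
    /** Session attribute holding the access token of the current SSO session. */
    private static final String ACCESS_TOKEN_ATTR = "atoken";
    /** Token endpoint path below the issuer for the providers this controller knows. */
    private static final String KEYCLOAK_TOKEN_PATH = "/protocol/openid-connect/token";
    private static final String OKTA_TOKEN_PATH = "/v1/token";

    AdminService adminService = new MapRAdminService();
    SsoConf ssoConf = Oauth2Util.getInstance().getSsoConf();
    /** Shared client for the provider's token endpoint; RestTemplate is thread-safe once built. */
    private final RestTemplate restTemplate = new RestTemplate();

    @Autowired
    private OAuth2AuthorizedClientService authorizedClientService;

    /**
     * Landing target of the SSO login redirect. The method itself does nothing
     * but answer 200; presumably the security filter chain has already
     * established the session by the time a request reaches it.
     */
    @GET
    @Path("login")
    public Response login() {
        return Response.ok().build();
    }

    /**
     * Returns the access token of the current OAuth2 session and caches the
     * access/refresh token values in the HTTP session for the refresh endpoints.
     *
     * @return 200 with an {@link OauthAccessToken} body, or an empty 200 when the
     *         current authentication is not an OAuth2 login.
     */
    @GET
    @Path("getToken")
    public Response getToken(@Context HttpServletRequest httpServletRequest) {
        OAuth2AuthorizedClient client = getOauth2AuthorizedClient();
        if (client == null) {
            // Not an OAuth2-authenticated session: nothing to hand out.
            return Response.ok().build();
        }
        OAuth2AccessToken accessToken = client.getAccessToken();
        Instant expiresAt = accessToken.getExpiresAt();
        Long expiresAtEpochSeconds = expiresAt == null ? null : Long.valueOf(expiresAt.getEpochSecond());
        OauthAccessToken payload = new OauthAccessToken(accessToken.getTokenValue(), expiresAtEpochSeconds,
                accessToken.getScopes(), accessToken.getTokenType().getValue());

        // refreshToken/jwtTokens read the tokens back from the session rather than
        // from the authorized client, so keep the session copy current.
        httpServletRequest.getSession().setAttribute(ACCESS_TOKEN_ATTR, accessToken.getTokenValue());
        if (client.getRefreshToken() != null) {
            httpServletRequest.getSession().setAttribute(REFRESH_TOKEN_ATTR, client.getRefreshToken().getTokenValue());
        } else {
            // The provider issued no refresh token (previously an NPE here). Drop any
            // stale value so a later refresh fails fast instead of replaying an old one.
            httpServletRequest.getSession().removeAttribute(REFRESH_TOKEN_ATTR);
        }
        return Response.ok(payload).build();
    }

    /**
     * Exchanges the refresh token cached in the session for a new token pair at
     * the provider's token endpoint.
     *
     * @return 200 with an {@link OauthAccessToken} when the provider returned an
     *         access token, 200 with the raw {@link KeyCloakToken} (possibly empty)
     *         otherwise; 401 when the session holds no refresh token or the
     *         provider rejected the refresh with 400 (e.g. an expired/revoked token).
     */
    @GET
    @Path("refreshToken")
    public Response refreshToken(@Context HttpServletRequest httpServletRequest) {
        try {
            KeyCloakToken tokens = getJwtTokens(httpServletRequest);
            if (ObjectUtils.isNotEmpty(tokens) && ObjectUtils.isNotEmpty(tokens.getAccessToken())) {
                return Response.ok(toOauthAccessToken(tokens)).build();
            }
            return Response.ok(tokens).build();
        } catch (HttpClientErrorException.BadRequest | InvalidParameterException e) {
            // Either no refresh token in the session or the provider refused the
            // grant: the caller has to log in again.
            return Response.status(401, e.getMessage()).build();
        }
    }

    /**
     * Converts a token-endpoint response into the shape the UI consumes: the
     * relative {@code expires_in} becomes an absolute epoch-second timestamp and
     * the space-separated {@code scope} string becomes a set. A missing or
     * non-numeric {@code expires_in} yields a {@code null} expiry and a missing
     * {@code scope} an empty set instead of an NPE.
     */
    private static OauthAccessToken toOauthAccessToken(KeyCloakToken tokens) {
        Long expiresAt = null;
        String expiresIn = tokens.getExpiresIn();
        if (!StringUtils.isBlank(expiresIn)) {
            try {
                expiresAt = Long.valueOf((System.currentTimeMillis() / 1000) + Long.parseLong(expiresIn.trim()));
            } catch (NumberFormatException e) {
                log.warn("Ignoring non-numeric expires_in in token response: {}", expiresIn);
            }
        }
        Set<String> scopes = StringUtils.isBlank(tokens.getScope())
                ? Collections.<String>emptySet()
                : Arrays.stream(tokens.getScope().split(" ")).collect(Collectors.toSet());
        return new OauthAccessToken(tokens.getAccessToken(), expiresAt, scopes, tokens.getTokenType());
    }

    /**
     * Refreshes the session's tokens and streams them back as a
     * {@code jwt_tokens.tar.gz} download containing {@code jwt_access} and
     * {@code jwt_refresh}.
     *
     * <p>The archive is assembled in a fresh temp directory that is removed in a
     * {@code finally} block whether or not streaming succeeds, so token material
     * does not linger on disk. {@link Files#createTempDirectory} makes the
     * directory owner-only on POSIX file systems; NOTE(review): the files
     * {@link FileUtil} writes inside it use whatever mode FileUtil chooses --
     * confirm they are not created world-readable.
     *
     * @return 200 after the archive has been written to the servlet response,
     *         401 when no refreshed token is available, 500 on I/O failure.
     */
    @GET
    @Path("jwtTokens")
    public Response jwtTokens(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) {
        KeyCloakToken tokens;
        try {
            tokens = getJwtTokens(httpServletRequest);
        } catch (HttpClientErrorException.BadRequest | InvalidParameterException e) {
            // Same mapping as refreshToken; previously this surfaced as a 500.
            return Response.status(401, e.getMessage()).build();
        }
        if (!ObjectUtils.isNotEmpty(tokens)) {
            return Response.status(Response.Status.UNAUTHORIZED.getStatusCode(), "Keyclock token not found").build();
        }
        java.nio.file.Path tempDir = null;
        try {
            tempDir = Files.createTempDirectory("jwt_token", new FileAttribute[0]);
            String archivePath = FileUtil.createTarGz(tempDir.toString(), "jwt_tokens", ".tar.gz",
                    FileUtil.writeContentToFile(tempDir.toString(), "jwt_access", "", tokens.getAccessToken()),
                    FileUtil.writeContentToFile(tempDir.toString(), "jwt_refresh", "", tokens.getRefreshToken()));
            httpServletResponse.setContentType("application/gzip");
            httpServletResponse.setHeader("Content-Disposition", "attachment; filename=jwt_tokens.tar.gz");
            // try-with-resources: the original never closed this stream.
            try (InputStream archive = Files.newInputStream(Paths.get(archivePath, new String[0]), new OpenOption[0])) {
                IOUtils.copy(archive, httpServletResponse.getOutputStream());
            }
            httpServletResponse.getOutputStream().flush();
            return Response.ok().build();
        } catch (IOException e) {
            log.error("Failed to build or stream jwt_tokens archive", e);
            return Response.serverError().build();
        } finally {
            if (tempDir != null) {
                try {
                    FileUtil.deleteTempDirectory(tempDir.toString());
                } catch (Exception e) {
                    // Cleanup must not mask the response outcome, but a leftover
                    // directory with tokens in it is worth a loud log line.
                    log.warn("Could not remove temp directory {} holding token files", tempDir, e);
                }
            }
        }
    }

    /**
     * Roles carried in the {@code userRoles} claim of the session's SSO access
     * token, or {@code null} when there is no OAuth2 session, no JWT validator,
     * or the token lacks the {@code uid}/{@code gids} claims.
     */
    @GET
    @Path("getSsoUserRoles")
    public List<String> getSsoUserRoles() {
        return getRoles();
    }

    /**
     * Decides whether the current user may log in to the admin UI and writes an
     * authentication audit record either way.
     *
     * <p>SSO roles that translate to any cluster capability grant access
     * directly; otherwise the decision is delegated to
     * {@link AdminService#hasLoginPermission}. Failures while reading SSO roles
     * are deliberately tolerated (best effort) and fall through to that check.
     */
    @GET
    @Path("hasLoginPerm")
    public Boolean hasLoginPerms(@Context HttpServletRequest httpServletRequest) {
        List<String> roles = null;
        try {
            roles = getRoles();
        } catch (Exception e) {
            // Best effort: an unreadable/invalid SSO token just means no
            // SSO-derived capabilities, not a hard failure.
            log.info("Could not derive SSO roles from token: {}", e.getMessage());
        }
        // NOTE(review): relies on getClusterCapabilities accepting a null list, as the original did.
        long clusterCapabilities = SSORoleTranslator.getInstance().getClusterCapabilities(roles);
        String currentUserName = SecurityUtils.getCurrentUserName();
        if (clusterCapabilities != 0) {
            AuditLog.auditAuthentication(httpServletRequest, currentUserName, true);
            return Boolean.TRUE;
        }
        boolean allowed = this.adminService.hasLoginPermission(getProxyOrLoggedInUser());
        AuditLog.auditAuthentication(httpServletRequest, currentUserName, allowed);
        return Boolean.valueOf(allowed);
    }

    /**
     * Looks up the authorized client for the current {@link OAuth2AuthenticationToken}.
     *
     * @return the client, or {@code null} if the current authentication is not an
     *         OAuth2 login (the service may also return {@code null} when it has no
     *         entry for the user).
     */
    private OAuth2AuthorizedClient getOauth2AuthorizedClient() {
        SecurityContext context = SecurityContextHolder.getContext();
        if (!(context.getAuthentication() instanceof OAuth2AuthenticationToken)) {
            return null;
        }
        OAuth2AuthenticationToken authentication = (OAuth2AuthenticationToken) context.getAuthentication();
        return this.authorizedClientService.loadAuthorizedClient(
                authentication.getAuthorizedClientRegistrationId(), authentication.getName());
    }

    /**
     * Extracts the {@code userRoles} claim from the session's SSO access token
     * after running it through the configured {@link JwtValidator}.
     *
     * @return the roles, or {@code null} when there is no OAuth2 session, no
     *         validator is configured, or the {@code uid}/{@code gids} claims are absent.
     */
    private List<String> getRoles() {
        OAuth2AuthorizedClient client = getOauth2AuthorizedClient();
        if (client == null) {
            return null;
        }
        String tokenValue = client.getAccessToken().getTokenValue();
        JwtValidator jwtValidator = Oauth2Util.getInstance().getJwtValidator();
        if (jwtValidator == null) {
            log.info("jwt validator is empty");
            return null;
        }
        // NOTE(review): the result of validate() is discarded, as in the original.
        // That is only safe if validate() throws on a bad signature/expiry rather
        // than returning false -- confirm against JwtValidator before trusting the
        // claims read below for authorization.
        jwtValidator.validate(tokenValue);
        List<?> gids = jwtValidator.getClaimAsList(tokenValue, "gids");
        String uid = jwtValidator.getClaim(tokenValue, "uid");
        if (gids == null || StringUtils.isBlank(uid)) {
            log.info("JWT is invalid, missing uid or gid in sso token");
            return null;
        }
        return jwtValidator.getClaimAsList(tokenValue, "userRoles");
    }

    /**
     * Performs a {@code refresh_token} grant against the provider's token endpoint
     * using the refresh token cached in the session, and stores the returned
     * access/refresh tokens back into the session on success.
     *
     * @return the provider's response body, or {@code null} when SSO is not configured
     * @throws InvalidParameterException if the session holds no refresh token
     *         (previously this guard was unreachable and {@code refresh_token=null}
     *         was posted to the provider)
     * @throws IllegalStateException if the configured provider is neither keycloak nor okta
     * @throws HttpClientErrorException on a 4xx from the token endpoint
     */
    private KeyCloakToken getJwtTokens(HttpServletRequest httpServletRequest) {
        if (this.ssoConf == null) {
            log.info("ssoConf is null");
            return null;
        }
        Object cachedRefreshToken = httpServletRequest.getSession().getAttribute(REFRESH_TOKEN_ATTR);
        if (cachedRefreshToken == null) {
            throw new InvalidParameterException("no refresh token found in session");
        }
        String tokenEndpoint = tokenEndpointFor(this.ssoConf);

        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        LinkedMultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("client_id", this.ssoConf.getClientId());
        form.add(OAuth2ParameterNames.REFRESH_TOKEN, cachedRefreshToken.toString());
        form.add(OAuth2ParameterNames.GRANT_TYPE, OAuth2ParameterNames.REFRESH_TOKEN);
        String clientSecret = this.ssoConf.getClientSecret();
        if (!StringUtils.isBlank(clientSecret)) {
            // Confidential client: secret goes in the form body (client_secret_post).
            // Never log the form map from here on.
            form.add(OAuth2ParameterNames.CLIENT_SECRET, clientSecret);
        }

        ResponseEntity<KeyCloakToken> exchange = this.restTemplate.exchange(
                tokenEndpoint, HttpMethod.POST, new HttpEntity<>(form, headers), KeyCloakToken.class, new Object[0]);
        KeyCloakToken tokens = exchange.getBody();
        if (exchange.getStatusCode().value() == 200 && ObjectUtils.isNotEmpty(tokens)) {
            // Store whatever the provider returned: the refresh token may differ
            // from the one sent if the provider rotates refresh tokens.
            httpServletRequest.getSession().setAttribute(REFRESH_TOKEN_ATTR, tokens.getRefreshToken());
            httpServletRequest.getSession().setAttribute(ACCESS_TOKEN_ATTR, tokens.getAccessToken());
        }
        return tokens;
    }

    /**
     * Resolves the provider-specific token endpoint below the configured issuer.
     *
     * @throws IllegalStateException for an unknown provider name (the original fell
     *         through with a {@code null} URL and failed inside RestTemplate)
     */
    private static String tokenEndpointFor(SsoConf conf) {
        String provider = conf.getProviderName();
        String issuer = conf.getIssuerEndPoint();
        if ("keycloak".equalsIgnoreCase(provider)) {
            return issuer + KEYCLOAK_TOKEN_PATH;
        }
        if ("okta".equalsIgnoreCase(provider)) {
            return issuer + OKTA_TOKEN_PATH;
        }
        throw new IllegalStateException("Unsupported SSO provider for token refresh: " + provider);
    }
}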
