package org.deepamehta.plugins.signon;

import com.sun.jersey.api.view.Viewable;
import de.deepamehta.core.RelatedTopic;
import de.deepamehta.core.Topic;
import de.deepamehta.core.model.CompositeValueModel;
import de.deepamehta.core.model.SimpleValue;
import de.deepamehta.core.model.TopicModel;
import de.deepamehta.core.service.ClientState;
import de.deepamehta.core.service.PluginService;
import de.deepamehta.core.service.annotation.ConsumesService;
import de.deepamehta.core.util.JavaUtils;
import de.deepamehta.plugins.accesscontrol.service.AccessControlService;
import de.deepamehta.plugins.webactivator.WebActivatorPlugin;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.ws.rs.GET;
import javax.ws.rs.HeaderParam;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.NewCookie;
import javax.ws.rs.core.Response;
import org.expressme.openid.Association;
import org.expressme.openid.Authentication;
import org.expressme.openid.Base64;
import org.expressme.openid.Endpoint;
import org.expressme.openid.OpenIdException;
import org.expressme.openid.OpenIdManager;

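@Path("/sign-on")
/**
 * OpenID sign-on for DeepaMehta.
 *
 * Flow: {@code /openid/google} or {@code /openid/yahoo} obtains an OpenID association, stores its
 * MAC key (URL-encoded Base64) in a client-side cookie and redirects the browser to the provider.
 * {@code /openid/response} reads the key back from that cookie, lets {@link OpenIdManager} verify
 * the signed response, checks the response nonce against replay, and then either creates a user
 * account keyed by the claimed id or logs the existing account in by putting its username into the
 * HTTP session.
 */
public class SignonPlugin extends WebActivatorPlugin {

    private static final Logger log = Logger.getLogger(SignonPlugin.class.getName());

    // Type URIs of the DeepaMehta topics this plugin reads and writes.
    private static final String ENCRYPTED_PASSWORD_PREFIX = "-SHA256-";
    private static final String USERNAME_TYPE_URI = "dm4.accesscontrol.username";
    private static final String USER_ACCOUNT_TYPE_URI = "dm4.accesscontrol.user_account";
    private static final String USER_PASSWORD_TYPE_URI = "dm4.accesscontrol.password";
    private static final String PERSON_TYPE_URI = "dm4.contacts.person";
    private static final String PERSON_NAME_TYPE_URI = "dm4.contacts.person_name";
    private static final String MAILBOX_TYPE_URI = "dm4.contacts.email_address";
    private static final String FIRSTNAME_TYPE_URI = "dm4.contacts.first_name";
    private static final String LASTNAME_TYPE_URI = "dm4.contacts.last_name";
    private static final String OPENID_CLAIMED_TYPE_URI = "org.deepamehta.openid.claimed_id";

    // HTTP session attributes written while a response is being verified.
    private static final String ATTR_MAC = "openid_mac";
    private static final String ATTR_ALIAS = "openid_alias";
    // Cookie carrying "alias,<endpoint alias>:key,<url-encoded base64 MAC key>" between the two requests.
    private static final String OPEN_ID_COOKIE = "dm4.signon.openid_cookie";

    private static final long ONE_HOUR = 3600000;
    private static final long TWO_HOURS = 7200000;

    // OpenID realm and return_to base; also the target of the post-login redirect.
    // NOTE(review): plain http and localhost — must be configured per deployment, otherwise the
    // provider's return_to check and the redirect below point at the wrong host.
    private static final String MY_DOMAIN = "http://localhost:8080";
    private static final String WEBCLIENT_URL = MY_DOMAIN + "/de.deepamehta.webclient";

    @Context
    private HttpServletRequest request;
    private OpenIdManager manager;
    private AccessControlService acService;
    // Replay protection: response nonce -> time (epoch millis) after which the entry may be dropped.
    // Accessed only while holding the map's own monitor, see checkNonce().
    private final Map<String, Long> nonces = new HashMap<String, Long>();

    /** Sets up the template engine and the OpenID manager (realm and return_to derived from MY_DOMAIN). */
    public void init() {
        initTemplateEngine();
        this.manager = new OpenIdManager();
        this.manager.setRealm(MY_DOMAIN);
        this.manager.setReturnTo(MY_DOMAIN + "/sign-on/openid/response");
    }

    /** Starts a Google sign-on; always responds with a redirect (see startAuthentication). */
    @GET
    @Path("/openid/google")
    public String performGoogleAuthentication() {
        return startAuthentication("Google");
    }

    /** Starts a Yahoo sign-on; always responds with a redirect (see startAuthentication). */
    @GET
    @Path("/openid/yahoo")
    public String performYahooAuthentication() {
        return startAuthentication("Yahoo");
    }

    /**
     * Looks up the provider's endpoint and association and redirects the browser to the provider's
     * authentication URL, setting the state cookie that the response handler needs.
     *
     * @param providerName name understood by {@link OpenIdManager#lookupEndpoint} ("Google" or "Yahoo").
     * @return the empty string only if the authentication URL cannot be parsed; the success path
     *         leaves via a {@link WebApplicationException} carrying the 303 response.
     */
    private String startAuthentication(String providerName) {
        Endpoint endpoint = this.manager.lookupEndpoint(providerName);
        Association association = this.manager.lookupAssociation(endpoint);
        association.setMaxAge(TWO_HOURS);
        log.fine(providerName + " EP Ali  => " + endpoint.getAlias());
        log.fine(providerName + " EP URL  => " + endpoint.getUrl());
        log.fine(providerName + " AP Type => " + association.getAssociationType());
        log.fine(providerName + " AP Hand => " + association.getAssociationHandle());
        try {
            URI authenticationUrl = new URI(this.manager.getAuthenticationUrl(endpoint, association));
            // The association's MAC key travels to the browser in this cookie; the response handler
            // reads it back to verify the provider's signature.
            NewCookie stateCookie = createClientSideCookie(endpoint, association);
            throw new WebApplicationException(
                    Response.seeOther(authenticationUrl).cookie(new NewCookie[]{stateCookie}).build());
        } catch (URISyntaxException e) {
            log.log(Level.SEVERE, "OpenID authentication URL for " + providerName + " is malformed", e);
            return "";
        }
    }

    /**
     * Completes the sign-on after the provider redirected the browser back.
     *
     * All three query parameters and the cookie arrive from the client; only
     * {@link OpenIdManager#getAuthentication} (signature check with the MAC key from the cookie)
     * and {@link #checkNonce} establish trust. The provider label derived from
     * {@code openid.op_endpoint} is informational only.
     *
     * @param responseNonce {@code openid.response_nonce} of the provider's response.
     * @param opEndpoint    {@code openid.op_endpoint} of the provider's response.
     * @param claimedId     {@code openid.claimed_id} of the provider's response.
     * @param clientState   parsed Cookie header; must contain {@link #OPEN_ID_COOKIE}.
     * @return the "received" view; an already-known account is redirected to the webclient instead
     *         (via a {@link WebApplicationException} carrying the 303 response).
     * @throws WebApplicationException 401 when the cookie is missing, the signature check fails or
     *         no usable e-mail address was returned; 400 when the cookie is malformed.
     * @throws OpenIdException when the nonce is malformed, stale or has been seen before.
     */
    @GET
    @Produces({"text/html"})
    @Path("/openid/response")
    public Viewable processOpenAuthenticationResponse(@QueryParam("openid.response_nonce") String responseNonce,
                                                     @QueryParam("openid.op_endpoint") String opEndpoint,
                                                     @QueryParam("openid.claimed_id") String claimedId,
                                                     @HeaderParam("Cookie") ClientState clientState) {
        String cookieValue = clientState.get(OPEN_ID_COOKIE);
        if (cookieValue == null) {
            throw new WebApplicationException(new Throwable("OpenID state cookie missing."),
                    Response.Status.UNAUTHORIZED);
        }
        String[] fields = cookieValue.split(":");
        if (fields.length < 2) {
            throw malformedStateCookie();
        }
        String alias = cookieFieldValue(fields[0]);
        String encodedKey = cookieFieldValue(fields[1]);
        // The key half of the cookie is a secret (association MAC key) and is deliberately not logged.
        log.fine("OpenID-Debug: alias=" + alias);
        byte[] macKey;
        try {
            String decodedKey = URLDecoder.decode(encodedKey, "UTF-8");
            macKey = Base64.decode(decodedKey.getBytes("UTF-8"), 0, decodedKey.length(), 16);
        } catch (UnsupportedEncodingException e) {
            // UTF-8 is always available; mirror createClientSideCookie() instead of returning null.
            throw new WebApplicationException(e);
        }
        Authentication authentication = authenticateIncomingRequest(this.request, claimedId, macKey, alias);
        if (authentication == null) {
            throw new WebApplicationException(new Throwable("Authentication unsuccessfull."),
                    Response.Status.UNAUTHORIZED);
        }
        // Replay check runs after the signature check so only verified responses consume nonces,
        // but before any account or session work.
        checkNonce(responseNonce);
        String provider = providerLabel(opEndpoint);
        String email = authentication.getEmail();
        String username = localPart(email);
        RelatedTopic userAccount = getUserAccountByOpenId(claimedId, provider);
        if (userAccount == null) {
            // Create the account first: it rejects (412) an already taken username, and a session
            // bound to that username must not exist when it does.
            createUserAccountByOpenId(claimedId, username, email, authentication.getFirstname(),
                    authentication.getLastname(), clientState);
            createUserSession(username, this.request);
            viewData("title", "DeepaMehta Account Created");
            viewData("message", "On behalf of your successfull request DeepaMehta created a new user account.");
            viewData("username", email);
            viewData("openid", claimedId);
        } else {
            log.info("Sign-on Module => User Account already known, logging in => " + email);
            viewData("title", "Logged in via " + provider);
            viewData("message", "");
            // NOTE(review): the session is bound to the local part of the e-mail reported now, not to
            // the username of the account found via the claimed id — confirm these cannot diverge.
            createUserSession(username, this.request);
            log.info("##### Logging in via OpenID-Request => SUCCESSFUL!\n      ##### Could create a new session for "
                    + userAccount.getSimpleValue().toString());
            try {
                throw new WebApplicationException(Response.seeOther(new URI(WEBCLIENT_URL)).build());
            } catch (URISyntaxException e) {
                log.info("Redirecting failed cause of malformed URI");
            }
        }
        return getSignedOnView();
    }

    /** 400 response for a state cookie that does not have the "alias,…:key,…" layout. */
    private static WebApplicationException malformedStateCookie() {
        return new WebApplicationException(new Throwable("Malformed OpenID state cookie."),
                Response.Status.BAD_REQUEST);
    }

    /**
     * Returns the part after the comma of a "name,value" cookie field.
     *
     * @throws WebApplicationException 400 when the field has no value.
     */
    private static String cookieFieldValue(String field) {
        String[] nameAndValue = field.split(",");
        if (nameAndValue.length < 2) {
            throw malformedStateCookie();
        }
        return nameAndValue[1];
    }

    /**
     * Maps the (client-supplied) {@code openid.op_endpoint} to a display label.
     * Only used for the view title and for Yahoo's fragment handling in getUserAccountByOpenId();
     * it carries no trust.
     *
     * @return "Google", "Yahoo" or "" when neither substring occurs (or the parameter is absent).
     */
    private static String providerLabel(String opEndpoint) {
        if (opEndpoint == null) {
            return "";
        }
        if (opEndpoint.indexOf("google") != -1) {
            return "Google";
        }
        if (opEndpoint.indexOf("yahoo") != -1) {
            return "Yahoo";
        }
        return "";
    }

    /**
     * The local part of an e-mail address; it becomes the DeepaMehta username.
     *
     * @throws WebApplicationException 401 when the address is absent or has no non-empty local part,
     *         which previously surfaced as a NullPointer-/StringIndexOutOfBoundsException.
     */
    private static String localPart(String email) {
        int at = email == null ? -1 : email.indexOf('@');
        if (at <= 0) {
            throw new WebApplicationException(new Throwable("No usable e-mail address in OpenID response."),
                    Response.Status.UNAUTHORIZED);
        }
        return email.substring(0, at);
    }

    /**
     * Verifies the provider's response with the given MAC key and endpoint alias.
     *
     * @param httpServletRequest the current request (the manager reads the openid.* parameters from it).
     * @param claimedId          currently unused; kept for callers.
     * @param macKey             association MAC key decoded from the state cookie.
     * @param alias              endpoint alias from the state cookie.
     * @return the verified authentication, or {@code null} when verification failed (the session is
     *         invalidated in that case).
     * @throws RuntimeException when no MAC key is available.
     */
    private Authentication authenticateIncomingRequest(HttpServletRequest httpServletRequest, String claimedId,
                                                       byte[] macKey, String alias) {
        if (macKey == null) {
            throw new RuntimeException("MA-Code .. is empty");
        }
        HttpSession session = httpServletRequest.getSession(true);
        session.setAttribute(ATTR_MAC, macKey);
        session.setAttribute(ATTR_ALIAS, alias);
        Authentication authentication = this.manager.getAuthentication(httpServletRequest, macKey, alias);
        if (authentication != null) {
            return authentication;
        }
        // The MAC key is a secret and is not logged (the old message only printed the array reference anyway).
        log.info("Request authentication failed with alias \"" + alias + "\"");
        log.info("##### Logging in via OpenID-Request => FAILED!");
        session.invalidate();
        return null;
    }

    /**
     * Marks the current browser as logged in by storing the username in the HTTP session.
     * The pre-authentication session (which holds the OpenID MAC key and alias, see
     * authenticateIncomingRequest) is invalidated first so the authenticated session never reuses an
     * id that existed before login.
     */
    private HttpSession createUserSession(String username, HttpServletRequest httpServletRequest) {
        HttpSession existing = httpServletRequest.getSession(false);
        if (existing != null) {
            existing.invalidate();
        }
        HttpSession session = httpServletRequest.getSession(true);
        session.setAttribute("username", username);
        return session;
    }

    /**
     * Builds the state cookie "alias,&lt;alias&gt;:key,&lt;url-encoded base64 MAC key&gt;".
     *
     * The cookie lives as long as the association (TWO_HOURS); the key it carries is useless to
     * the browser after that. Secure is off because MY_DOMAIN is plain http — set it once the
     * deployment is https. The JAX-RS 1.x NewCookie used here has no HttpOnly flag.
     */
    private NewCookie createClientSideCookie(Endpoint endpoint, Association association) {
        try {
            String encodedKey = URLEncoder.encode(Base64.encodeBytes(association.getRawMacKey(), 16), "UTF-8");
            String value = "alias," + endpoint.getAlias().toString() + ":key," + encodedKey;
            int maxAgeSeconds = (int) (TWO_HOURS / 1000);
            return new NewCookie(new Cookie(OPEN_ID_COOKIE, value), "", maxAgeSeconds, false);
        } catch (UnsupportedEncodingException e) {
            throw new WebApplicationException(e);
        }
    }

    /**
     * Rejects malformed, stale (more than ONE_HOUR off the local clock) or previously seen nonces,
     * and remembers accepted ones.
     *
     * @throws OpenIdException when the nonce fails any of these checks.
     */
    private void checkNonce(String nonce) {
        if (nonce == null || nonce.length() < 20) {
            throw new OpenIdException("Verifying openid.response_nonce failed.");
        }
        long nonceTime = getNonceTime(nonce);
        long now = System.currentTimeMillis();
        if (Math.abs(now - nonceTime) > ONE_HOUR) {
            throw new OpenIdException("Bad nonce time.");
        }
        // Check-and-store must be atomic; otherwise two concurrent copies of the same response could
        // both pass the exists-check before either is stored.
        synchronized (this.nonces) {
            pruneExpiredNonces(now);
            if (isNonceExist(nonce)) {
                throw new OpenIdException("Verifiying openid.response_nonce failed.");
            }
            // Kept for TWO_HOURS: a nonce older than that can never pass the window check above again.
            storeNonce(nonce, nonceTime + TWO_HOURS);
        }
    }

    /** Drops nonces whose retention time has passed; caller holds the nonces monitor. */
    private void pruneExpiredNonces(long now) {
        Iterator<Map.Entry<String, Long>> it = this.nonces.entrySet().iterator();
        while (it.hasNext()) {
            if (it.next().getValue().longValue() < now) {
                it.remove();
            }
        }
    }

    /** Whether the nonce was accepted before; caller holds the nonces monitor. */
    private boolean isNonceExist(String nonce) {
        return this.nonces.containsKey(nonce);
    }

    /** Remembers a nonce until {@code expiresAt} (epoch millis); caller holds the nonces monitor. */
    private void storeNonce(String nonce, long expiresAt) {
        this.nonces.put(nonce, Long.valueOf(expiresAt));
    }

    /**
     * Parses the leading "yyyy-MM-dd'T'HH:mm:ss" of the nonce as UTC.
     *
     * @throws OpenIdException when the prefix is not a timestamp.
     */
    private long getNonceTime(String nonce) {
        try {
            return new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ssZ").parse(nonce.substring(0, 19) + "+0000").getTime();
        } catch (ParseException e) {
            throw new OpenIdException("Bad nonce time.");
        }
    }

    /**
     * Finds the user account whose claimed-id child topic equals {@code claimedId}.
     * Yahoo appends a fragment to the claimed id, which is stripped before the lookup.
     *
     * @return the account, or {@code null} when the claimed id is unknown.
     */
    private RelatedTopic getUserAccountByOpenId(String claimedId, String provider) {
        String lookupId = claimedId;
        if ("Yahoo".equals(provider) && lookupId.indexOf("#") != -1) {
            lookupId = lookupId.substring(0, lookupId.indexOf("#"));
        }
        Topic claimedIdTopic = this.dms.getTopic(OPENID_CLAIMED_TYPE_URI, new SimpleValue(lookupId), true);
        if (claimedIdTopic == null) {
            return null;
        }
        return claimedIdTopic.getRelatedTopic("dm4.core.composition", "dm4.core.child", "dm4.core.parent",
                USER_ACCOUNT_TYPE_URI, true, false);
    }

    /**
     * Creates a user account for {@code claimedId} with the given username.
     * The e-mail and name arguments are accepted but not stored.
     *
     * @throws WebApplicationException 412 when the username is already taken.
     */
    private Topic createUserAccountByOpenId(String claimedId, String username, String email, String firstname,
                                            String lastname, ClientState clientState) {
        if (!isUsernameAvailable(username)) {
            throw new WebApplicationException(412);
        }
        // NOTE(review): the account gets the hash of the empty password. If the regular
        // username/password login accepts this account, it can be entered with an empty password;
        // OpenID-only accounts should carry an unguessable value or no password at all — confirm.
        CompositeValueModel account = new CompositeValueModel()
                .put(USERNAME_TYPE_URI, username)
                .put(USER_PASSWORD_TYPE_URI, encryptPassword(""))
                .put(OPENID_CLAIMED_TYPE_URI, claimedId);
        return this.dms.createTopic(new TopicModel(USER_ACCOUNT_TYPE_URI, account), clientState);
    }

    /** Whether no username topic with this value exists yet. */
    private boolean isUsernameAvailable(String username) {
        return this.dms.getTopic(USERNAME_TYPE_URI, new SimpleValue(username), true) == null;
    }

    /** DeepaMehta's stored password form: a marker prefix plus the SHA-256 of the plaintext. */
    private String encryptPassword(String password) {
        return ENCRYPTED_PASSWORD_PREFIX + JavaUtils.encodeSHA256(password);
    }

    /** The sign-on start page. */
    @GET
    @Produces({"text/html"})
    @Path("/")
    public Viewable getSignOnView() {
        return view("index");
    }

    /** The page shown after a response was processed. */
    @GET
    @Produces({"text/html"})
    @Path("/received")
    public Viewable getSignedOnView() {
        return view("received");
    }

    /** Remembers the access control service when it becomes available. */
    @ConsumesService({"de.deepamehta.plugins.accesscontrol.service.AccessControlService"})
    public void serviceArrived(PluginService pluginService) {
        if (pluginService instanceof AccessControlService) {
            this.acService = (AccessControlService) pluginService;
        }
    }

    /** Forgets the access control service when it goes away. */
    @ConsumesService({"de.deepamehta.plugins.accesscontrol.service.AccessControlService"})
    public void serviceGone(PluginService pluginService) {
        if (pluginService == this.acService) {
            this.acService = null;
        }
    }
}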
