package com.lnikkila.oidc;

import android.content.Context;
import android.content.SharedPreferences;
import android.net.Uri;
import android.support.annotation.NonNull;
import android.text.TextUtils;
import android.util.Base64;
import android.util.Log;
import com.facebook.AccessToken;
import com.facebook.internal.ServerProtocol;
import com.fasterxml.jackson.core.util.MinimalPrettyPrinter;
import com.github.kevinsawicki.http.HttpRequest;
import com.google.api.client.auth.oauth2.AuthorizationCodeRequestUrl;
import com.google.api.client.auth.oauth2.AuthorizationCodeTokenRequest;
import com.google.api.client.auth.oauth2.AuthorizationRequestUrl;
import com.google.api.client.auth.oauth2.PasswordTokenRequest;
import com.google.api.client.auth.oauth2.RefreshTokenRequest;
import com.google.api.client.auth.oauth2.TokenResponse;
import com.google.api.client.auth.openidconnect.IdToken;
import com.google.api.client.auth.openidconnect.IdTokenResponse;
import com.google.api.client.auth.openidconnect.IdTokenVerifier;
import com.google.api.client.extensions.android.http.AndroidHttp;
import com.google.api.client.http.BasicAuthentication;
import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.HttpExecuteInterceptor;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.gson.GsonFactory;
import com.google.api.client.util.Preconditions;
import com.google.gson.Gson;
import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/* loaded from: classes2.dex */
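/**
 * Builds OAuth2 / OpenID Connect requests (authorization URL, token requests, UserInfo
 * request) from the client configuration and checks the tokens that come back.
 *
 * <p>The configuration is read either from the {@code oidc_clientconf} shared preferences or
 * from the application resources; see the constructor.
 *
 * <p>NOTE(review): a {@code client_secret} shipped in application resources or kept in
 * shared preferences can be read out of the package or the device, so it should not be
 * relied on to authenticate the client.
 */
public class OIDCRequestManager {
    private final String TAG = getClass().getSimpleName();
    protected final String authorizationEndpoint;
    protected String clientId;
    protected String clientSecret;
    protected final Context context;
    protected Map<String, String> extras;
    protected Flows flowType;
    protected String flowTypeName;
    protected String issuerId;
    protected String redirectUrl;
    protected String[] scopes;
    protected final String tokenEndpoint;
    protected boolean useOAuth2;
    protected final String userInfoEndpoint;

    /** Flow types this client can be configured with. */
    public enum Flows {
        Code,
        Implicit,
        Hybrid,
        Password
    }

    /**
     * Loads the endpoints from resources and the client settings from shared preferences
     * (when {@code oidc_loadfromprefs} is set) or from resources otherwise.
     *
     * @param context Android context used to read resources and preferences
     * @throws RuntimeException if {@link #checkConfiguration()} rejects the loaded settings
     */
    public OIDCRequestManager(Context context) {
        this.context = context;
        this.authorizationEndpoint = this.context.getString(R.string.op_authorizationEnpoint);
        this.tokenEndpoint = this.context.getString(R.string.op_tokenEndpoint);
        this.userInfoEndpoint = this.context.getString(R.string.op_userInfoEndpoint);
        SharedPreferences prefs = context.getSharedPreferences("oidc_clientconf", Context.MODE_PRIVATE);
        if (prefs.getBoolean("oidc_loadfromprefs", false)) {
            this.useOAuth2 = prefs.getBoolean("oidc_oauth2only", false);
            this.clientId = prefs.getString("oidc_clientId", null);
            this.clientSecret = prefs.getString("oidc_clientSecret", null);
            this.redirectUrl = prefs.getString("oidc_redirectUrl", null);
            String storedScopes = prefs.getString("oidc_scopes", null);
            // Scopes are stored as one string and split on Jackson's default root value
            // separator; the field stays null when the preference is absent.
            this.scopes = storedScopes != null
                    ? storedScopes.split(MinimalPrettyPrinter.DEFAULT_ROOT_VALUE_SEPARATOR)
                    : null;
            this.flowTypeName = prefs.getString("oidc_flowType", null);
            this.issuerId = prefs.getString("oidc_issuerId", null);
        } else {
            this.useOAuth2 = this.context.getResources().getBoolean(R.bool.oidc_oauth2only);
            this.clientId = this.context.getString(R.string.oidc_clientId);
            this.clientSecret = this.context.getString(R.string.oidc_clientSecret);
            this.redirectUrl = this.context.getString(R.string.oidc_redirectUrl);
            this.scopes = this.context.getResources().getStringArray(R.array.oidc_scopes);
            this.flowTypeName = this.context.getString(R.string.oidc_flowType);
            this.issuerId = this.context.getString(R.string.oidc_issuerId);
            this.extras = parseStringArray(this.context.getResources().getStringArray(R.array.oidc_authextras));
        }
        if (!checkConfiguration()) {
            throw new RuntimeException("The OpenId Connect client configuration is not correctly set.");
        }
        this.flowType = Flows.valueOf(this.flowTypeName);
    }

    /** Returns the configured scopes as a list; an unset (null) array yields an empty list. */
    private List<String> scopeList() {
        return this.scopes != null ? Arrays.asList(this.scopes) : Collections.<String>emptyList();
    }

    /**
     * Builds the authorization request URL for the authorization code flow.
     *
     * <p>NOTE(review): {@code nonce} is sent as an empty string and is never compared with
     * the ID token, so a replayed ID token is not detected. A per-request random nonce,
     * kept by the caller and checked against the token's {@code nonce} claim, is needed.
     */
    private AuthorizationRequestUrl codeFlowAuthenticationUrl(String state) {
        return new AuthorizationCodeRequestUrl(this.authorizationEndpoint, this.clientId)
                .setRedirectUri(this.redirectUrl)
                .setScopes(scopeList())
                .setState(state)
                .set("nonce", (Object) "");
    }

    /**
     * Generates the {@code state} value that ties an authorization response to the request
     * that caused it.
     *
     * <p>The seed is reduced to word characters and followed by 128 random bits in URL-safe
     * Base64. The previous implementation passed the regular expression {@code \W} to a
     * literal replace, so the seed was never cleaned, and appended only a 32-bit integer.
     *
     * @param seed caller-chosen prefix; must not be null
     * @return an unpredictable state token
     */
    public static String generateStateToken(@NonNull String seed) {
        String prefix = seed.replaceAll("\\W", "");
        byte[] entropy = new byte[16];
        new SecureRandom().nextBytes(entropy);
        return prefix + Base64.encodeToString(entropy, Base64.URL_SAFE | Base64.NO_WRAP | Base64.NO_PADDING);
    }

    /**
     * Builds the authorization request URL for the hybrid flow ({@code code id_token}).
     *
     * <p>NOTE(review): the empty {@code nonce} gives no replay protection for the ID token
     * returned from the authorization endpoint.
     */
    private AuthorizationRequestUrl hybridFlowAuthenticationUrl(String state) {
        return new AuthorizationRequestUrl(this.authorizationEndpoint, this.clientId, Arrays.asList("code", "id_token"))
                .setRedirectUri(this.redirectUrl)
                .setScopes(scopeList())
                .setState(state)
                .set("nonce", (Object) "");
    }

    /**
     * Builds the authorization request URL for the implicit flow ({@code id_token token}).
     *
     * <p>NOTE(review): the empty {@code nonce} gives no replay protection for the ID token
     * returned from the authorization endpoint.
     */
    private AuthorizationRequestUrl implicitFlowAuthenticationUrl(String state) {
        return new AuthorizationRequestUrl(this.authorizationEndpoint, this.clientId, Arrays.asList("id_token", "token"))
                .setRedirectUri(this.redirectUrl)
                .setScopes(scopeList())
                .setState(state)
                .set("nonce", (Object) "");
    }

    /**
     * Tells whether a flow name matches one of the {@link Flows} constants exactly.
     *
     * @param flowName name to test; null is not supported
     * @return true when the name is a {@link Flows} constant
     */
    public static boolean isSupportedFlow(String flowName) {
        for (Flows flow : Flows.values()) {
            if (flow.name().equals(flowName)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks an access token against the {@code at_hash} claim of the ID token issued with
     * it: the Base64url encoding of the left half of the SHA-256 digest of the token.
     *
     * <p>The previous implementation computed the hash, discarded the comparison and
     * returned true on every path. This one fails closed whenever the claim is present or
     * required and cannot be confirmed.
     *
     * @param accessToken the access token to check
     * @param idTokenString the serialized ID token received with it
     * @param atHashRequired whether a missing {@code at_hash} claim is a failure (it is
     *     required when the ID token and access token both come from the authorization
     *     endpoint, optional when they come from the token endpoint)
     * @return true only when the token matches the claim, or the claim is absent and optional
     */
    private boolean isValidAccessToken(String accessToken, String idTokenString, boolean atHashRequired)
            throws IOException, NoSuchAlgorithmException, InvalidKeyException {
        if (TextUtils.isEmpty(accessToken) || TextUtils.isEmpty(idTokenString)) {
            Log.w(this.TAG, "Can't verify access token, AT or idToken empty");
            return false;
        }
        IdToken idToken = IdToken.parse((JsonFactory) new GsonFactory(), idTokenString);
        String receivedAtHash = idToken.getPayload().getAccessTokenHash();
        if (TextUtils.isEmpty(receivedAtHash)) {
            Log.w(this.TAG, "The idToken carries no at_hash claim");
            return !atHashRequired;
        }
        String algorithm = idToken.getHeader().getAlgorithm();
        // The digest follows the signing algorithm; only the SHA-256 based ones are handled.
        if (!"HS256".equals(algorithm) && !"RS256".equals(algorithm)) {
            Log.w(this.TAG, "Unsupported alg claim : " + algorithm + ". Supported alg are HS256, RS256");
            return false;
        }
        byte[] tokenBytes = accessToken.getBytes("UTF-8");
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        sha256.update(tokenBytes, 0, tokenBytes.length);
        byte[] digest = sha256.digest();
        String computedAtHash = Base64.encodeToString(
                Arrays.copyOfRange(digest, 0, digest.length / 2),
                Base64.URL_SAFE | Base64.NO_WRAP | Base64.NO_PADDING);
        Log.d(this.TAG, "Alg : " + algorithm);
        Log.d(this.TAG, "Receive at_hash : " + receivedAtHash);
        Log.d(this.TAG, "Forged at_hash  : " + computedAtHash);
        return receivedAtHash.equals(computedAtHash);
    }

    /**
     * Verifies an ID token against the configured client id (audience) and issuer, within a
     * 1000-second clock skew.
     *
     * <p>The previous implementation built the verifier, never called it and returned true
     * for any token that could be parsed.
     *
     * <p>NOTE(review): whether {@code IdTokenVerifier.verify} also checks the token
     * signature depends on the library version in use; confirm, and add signature
     * verification against the provider's keys if it does not. The 1000-second skew is
     * wide and is kept only because callers may depend on it.
     *
     * @param idTokenString the serialized ID token
     * @return true when the verifier accepts the token; false for an empty or rejected token
     * @throws IOException if the token cannot be parsed
     */
    private boolean isValidIdToken(@NonNull String idTokenString) throws IOException {
        if (TextUtils.isEmpty(idTokenString)) {
            Log.w(this.TAG, "Can't verify an empty idToken");
            return false;
        }
        IdTokenVerifier verifier = new IdTokenVerifier.Builder()
                .setAudience(Collections.singletonList(this.clientId))
                .setAcceptableTimeSkewSeconds(1000L)
                .setIssuer(this.issuerId)
                .build();
        IdToken idToken = IdToken.parse((JsonFactory) new GsonFactory(), idTokenString);
        return verifier.verify(idToken);
    }

    /**
     * Converts {@code key|value} entries into a map, splitting on the first {@code |} only.
     *
     * @param entries the configured entries
     * @return a map of the parsed pairs
     * @throws IllegalArgumentException if an entry has no {@code |} separator
     */
    private HashMap<String, String> parseStringArray(String[] entries) {
        HashMap<String, String> parsed = new HashMap<>(entries.length);
        for (String entry : entries) {
            String[] pair = entry.split("\\|", 2);
            if (pair.length < 2) {
                // Reported by name instead of failing with an index error on pair[1].
                throw new IllegalArgumentException("Malformed extra parameter '" + entry + "', expected 'key|value'");
            }
            parsed.put(pair[0], pair[1]);
        }
        return parsed;
    }

    /**
     * Checks that the loaded settings are sufficient for the configured flow.
     *
     * @return false when the flow type is missing or unsupported, or when a redirect based
     *     flow has no client id or redirect URL; true otherwise
     */
    public boolean checkConfiguration() {
        if (TextUtils.isEmpty(this.flowTypeName) || !isSupportedFlow(this.flowTypeName)) {
            Log.e(this.TAG, "Undefined or unsupported flow type, check your OIDC client configuration file 'res/values/oidc_clientconfig.xml'");
            return false;
        }
        Flows configuredFlow = Flows.valueOf(this.flowTypeName);
        if (TextUtils.isEmpty(this.clientSecret)) {
            Log.d(this.TAG, "Undefined client_secret, OIDC client is public");
        } else {
            Log.d(this.TAG, "OIDC client is confidential and will be using HTTP Basic authentication");
        }
        // scopes is null when the configuration came from preferences without oidc_scopes.
        if (this.scopes == null || this.scopes.length == 0) {
            Log.w(this.TAG, "Undefined scopes, OIDC client will use authorization server pre-defined default values");
        }
        switch (configuredFlow) {
            case Implicit:
            case Hybrid:
            case Code:
                return !TextUtils.isEmpty(this.clientId) && !TextUtils.isEmpty(this.redirectUrl);
            case Password:
                Log.w(this.TAG, "Please be sure you know what you are doing when using the 'password' flow");
                return true;
            default:
                Log.wtf(this.TAG, "An new/unknown flow type was added but it's configuration checks where not implemented");
                return false;
        }
    }

    /**
     * Builds the authorization endpoint URL for the configured flow, with the configured
     * extra parameters appended.
     *
     * @param state the state token to send, see {@link #generateStateToken(String)}
     * @return the URL to open in the user agent
     */
    public String getAuthenticationUrl(String state) {
        AuthorizationRequestUrl request;
        switch (this.flowType) {
            case Implicit:
                request = implicitFlowAuthenticationUrl(state);
                break;
            case Hybrid:
                request = hybridFlowAuthenticationUrl(state);
                break;
            default:
                request = codeFlowAuthenticationUrl(state);
                break;
        }
        Log.d(this.TAG, String.format("Using %1$s flow", this.flowType.name()));
        if (this.extras != null) {
            for (Map.Entry<String, String> extra : this.extras.entrySet()) {
                request.set(extra.getKey(), (Object) extra.getValue());
            }
        }
        return request.build();
    }

    /** Returns the flow type currently in use. */
    public Flows getFlowType() {
        return this.flowType;
    }

    /**
     * Calls the UserInfo endpoint with the access token as a bearer credential and maps the
     * JSON answer onto the given class.
     *
     * @param accessToken the access token to present
     * @param cls the class to deserialize the response into
     * @return the deserialized response
     * @throws IOException if the endpoint does not answer with a success status
     */
    public <T> T getUserInfo(String accessToken, Class<T> cls) throws IOException {
        String url = this.userInfoEndpoint;
        if (this.extras != null) {
            url = HttpRequest.append(this.userInfoEndpoint, this.extras);
        }
        HttpRequest request = new HttpRequest(url, "GET");
        request.authorization("Bearer " + accessToken).acceptJson();
        if (!request.ok()) {
            throw new IOException(request.message());
        }
        return new Gson().fromJson(request.body(), cls);
    }

    /**
     * Tells whether a URL starts with the configured redirect URL.
     *
     * <p>NOTE(review): this is a plain prefix match, so a URL that merely begins with the
     * same characters as the redirect URL (for instance a longer host name) is accepted
     * too. Comparing scheme, host and path would be stricter; left unchanged because
     * callers may rely on the prefix behaviour.
     *
     * @param url the URL to test; must not be null
     * @return true when the URL begins with the redirect URL
     */
    public boolean isRedirectUrl(String url) {
        Preconditions.checkNotNull(url);
        Preconditions.checkNotNull(this.redirectUrl);
        return url.startsWith(this.redirectUrl);
    }

    /**
     * Reads the tokens from the fragment of an implicit flow redirect and validates them.
     *
     * <p>In OAuth2-only mode an access token is returned without further checks. Otherwise
     * the ID token must pass {@code isValidIdToken} and the access token must match the ID
     * token's {@code at_hash} claim, which this flow requires.
     *
     * @param fragment the URL fragment, in query-string form
     * @param state the state token sent with the request
     * @return the parsed tokens
     * @throws IOException if the state differs, a mandatory value is missing or malformed,
     *     or a token fails validation
     */
    public TokenResponse parseTokensFromImplicitResponseFragmentPart(String fragment, String state) throws IOException {
        Uri parsed = new Uri.Builder().encodedQuery(fragment).build();
        String accessToken = parsed.getQueryParameter("access_token");
        String idToken = parsed.getQueryParameter("id_token");
        String tokenType = parsed.getQueryParameter("token_type");
        // NOTE(review): the two Facebook SDK constants below look like decompiler
        // substitutions for the "expires_in" and "state" parameter names; confirm.
        String expiresInText = parsed.getQueryParameter(AccessToken.EXPIRES_IN_KEY);
        Long expiresIn;
        try {
            expiresIn = !TextUtils.isEmpty(expiresInText) ? Long.decode(expiresInText) : null;
        } catch (NumberFormatException e) {
            // The fragment is supplied by the remote side; a bad number is a bad response.
            throw new IOException("Could not read mandatory values (tokenType, expiresIn) from the response fragment", e);
        }
        String scope = parsed.getQueryParameter("scope");
        // NOTE(review): the state comparison ignores case; an exact match would be stricter.
        if (state == null || !state.equalsIgnoreCase(parsed.getQueryParameter(ServerProtocol.DIALOG_PARAM_STATE))) {
            throw new IOException("Local and returned states don't match");
        }
        if (TextUtils.isEmpty(tokenType) || expiresIn == null) {
            throw new IOException("Could not read mandatory values (tokenType, expiresIn) from the response fragment");
        }
        if (this.useOAuth2 && !TextUtils.isEmpty(accessToken)) {
            TokenResponse tokenResponse = new TokenResponse();
            tokenResponse.setAccessToken(accessToken);
            tokenResponse.setTokenType(tokenType);
            tokenResponse.setExpiresInSeconds(expiresIn);
            tokenResponse.setScope(scope);
            tokenResponse.setFactory(new GsonFactory());
            return tokenResponse;
        }
        if (TextUtils.isEmpty(idToken)) {
            throw new IOException("Could not read access token or idToken from the response fragment");
        }
        IdTokenResponse idTokenResponse = new IdTokenResponse();
        idTokenResponse.setAccessToken(accessToken);
        idTokenResponse.setIdToken(idToken);
        idTokenResponse.setTokenType(tokenType);
        idTokenResponse.setExpiresInSeconds(expiresIn);
        idTokenResponse.setScope(scope);
        idTokenResponse.setFactory(new GsonFactory());
        try {
            if (!isValidIdToken(idToken)) {
                throw new IOException("Invalid idToken returned");
            }
            // The at_hash comparison this message refers to had been reduced to an
            // emptiness test; it is performed again here.
            if (!isValidAccessToken(accessToken, idToken, true)) {
                throw new IOException("Invalid access token. The at_hash does not match with the return access token.");
            }
            return idTokenResponse;
        } catch (Exception e) {
            throw new IOException("Could not validate access token or idToken", e);
        }
    }

    /**
     * Exchanges a refresh token for new tokens at the token endpoint.
     *
     * @param refreshToken the refresh token to present
     * @return the token endpoint response
     * @throws IOException if the request fails
     */
    public TokenResponse refreshTokens(String refreshToken) throws IOException {
        List<String> requestedScopes = scopeList();
        RefreshTokenRequest request = new RefreshTokenRequest(
                AndroidHttp.newCompatibleTransport(), new GsonFactory(), new GenericUrl(this.tokenEndpoint), refreshToken);
        if (!requestedScopes.isEmpty()) {
            request.setScopes(requestedScopes);
        }
        if (this.extras != null) {
            for (Map.Entry<String, String> extra : this.extras.entrySet()) {
                request.set(extra.getKey(), (Object) extra.getValue());
            }
        }
        // Public clients identify themselves with client_id; confidential ones use HTTP Basic.
        if (TextUtils.isEmpty(this.clientSecret)) {
            request.set("client_id", (Object) this.clientId);
        } else {
            request.setClientAuthentication((HttpExecuteInterceptor) new BasicAuthentication(this.clientId, this.clientSecret));
        }
        if (!this.useOAuth2) {
            return IdTokenResponse.execute(request);
        }
        if (requestedScopes.contains("openid")) {
            Log.w(this.TAG, "Using OAuth2 only request but scopes contain values for OpenId Connect");
        }
        return (TokenResponse) request.executeUnparsed().parseAs(TokenResponse.class);
    }

    /**
     * Exchanges an authorization code for tokens at the token endpoint.
     *
     * <p>In OpenID Connect mode the ID token must pass {@code isValidIdToken}, and the
     * access token must match the {@code at_hash} claim when the ID token carries one.
     *
     * @param authorizationCode the code received on the redirect
     * @return the token endpoint response
     * @throws IOException if the request fails or a token fails validation
     */
    public TokenResponse requestTokensWithCodeGrant(String authorizationCode) throws IOException {
        AuthorizationCodeTokenRequest request = new AuthorizationCodeTokenRequest(
                AndroidHttp.newCompatibleTransport(), new GsonFactory(), new GenericUrl(this.tokenEndpoint), authorizationCode);
        request.setRedirectUri(this.redirectUrl);
        if (this.extras != null) {
            for (Map.Entry<String, String> extra : this.extras.entrySet()) {
                request.set(extra.getKey(), (Object) extra.getValue());
            }
        }
        if (TextUtils.isEmpty(this.clientSecret)) {
            request.set("client_id", (Object) this.clientId);
        } else {
            request.setClientAuthentication((HttpExecuteInterceptor) new BasicAuthentication(this.clientId, this.clientSecret));
        }
        if (this.useOAuth2) {
            Log.d(this.TAG, "tokens request OAuth2 sent");
            TokenResponse tokenResponse = (TokenResponse) request.executeUnparsed().parseAs(TokenResponse.class);
            if (TextUtils.isEmpty(tokenResponse.getAccessToken())) {
                throw new IOException("Invalid Access Token returned.");
            }
            // The token value itself is kept out of the log: it is a bearer credential.
            Log.d(this.TAG, "Managed to parse and extract the access token");
            return tokenResponse;
        }
        Log.d(this.TAG, "tokens request OIDC sent");
        IdTokenResponse idTokenResponse = IdTokenResponse.execute(request);
        if (!isValidIdToken(idTokenResponse.getIdToken())) {
            throw new IOException("Invalid ID token returned.");
        }
        try {
            // at_hash is optional for tokens issued by the token endpoint, so only a
            // present claim that does not match is a failure.
            if (!isValidAccessToken(idTokenResponse.getAccessToken(), idTokenResponse.getIdToken(), false)) {
                throw new IOException("Invalid access token. The at_hash does not match with the return access token.");
            }
            return idTokenResponse;
        } catch (Exception e) {
            throw new IOException("Can not validate AccessToken.", e);
        }
    }

    /**
     * Requests tokens with the resource owner password grant.
     *
     * <p>When the scopes contain {@code openid} the returned ID token must pass
     * {@code isValidIdToken}; otherwise only the presence of an access token is checked.
     *
     * @param username the resource owner's user name
     * @param password the resource owner's password
     * @return the token endpoint response
     * @throws IOException if the request fails or a token fails validation
     */
    public TokenResponse requestTokensWithPasswordGrant(String username, String password) throws IOException {
        List<String> requestedScopes = scopeList();
        PasswordTokenRequest request = new PasswordTokenRequest(
                AndroidHttp.newCompatibleTransport(), new GsonFactory(), new GenericUrl(this.tokenEndpoint), username, password);
        if (!requestedScopes.isEmpty()) {
            request.setScopes(requestedScopes);
        }
        if (this.extras != null) {
            for (Map.Entry<String, String> extra : this.extras.entrySet()) {
                request.set(extra.getKey(), (Object) extra.getValue());
            }
        }
        if (TextUtils.isEmpty(this.clientSecret)) {
            request.set("client_id", (Object) this.clientId);
        } else {
            request.setClientAuthentication((HttpExecuteInterceptor) new BasicAuthentication(this.clientId, this.clientSecret));
        }
        if (requestedScopes.contains("openid")) {
            Log.d(this.TAG, "PasswordGrant request OIDC sent");
            IdTokenResponse idTokenResponse = IdTokenResponse.execute(request);
            if (!isValidIdToken(idTokenResponse.getIdToken())) {
                throw new IOException("Invalid ID token returned.");
            }
            return idTokenResponse;
        }
        Log.d(this.TAG, "PasswordGrant request OAuth2 sent");
        TokenResponse tokenResponse = (TokenResponse) request.executeUnparsed().parseAs(TokenResponse.class);
        if (TextUtils.isEmpty(tokenResponse.getAccessToken())) {
            throw new IOException("Invalid Access Token returned.");
        }
        // The token value itself is kept out of the log: it is a bearer credential.
        Log.d(this.TAG, "Managed to parse and extract the access token");
        return tokenResponse;
    }

    /** Sets the client id and returns this manager for chaining. */
    public OIDCRequestManager setClientId(String clientId) {
        this.clientId = clientId;
        return this;
    }

    /** Sets the client secret and returns this manager for chaining. */
    public OIDCRequestManager setClientSecret(String clientSecret) {
        this.clientSecret = clientSecret;
        return this;
    }

    /** Sets the extra request parameters and returns this manager for chaining. */
    public OIDCRequestManager setExtras(Map<String, String> extras) {
        this.extras = extras;
        return this;
    }

    /** Sets the flow type and returns this manager; the flow type name is left untouched. */
    public OIDCRequestManager setFlowType(Flows flowType) {
        this.flowType = flowType;
        return this;
    }

    /**
     * Sets the flow type by name, updating both the name and the enum value.
     *
     * @param flowTypeName the name of a {@link Flows} constant
     * @return this manager, for chaining
     * @throws IllegalArgumentException if the name is not a supported flow
     */
    public OIDCRequestManager setFlowType(String flowTypeName) {
        if (!isSupportedFlow(flowTypeName)) {
            throw new IllegalArgumentException(flowTypeName + " is not a supported flow type");
        }
        this.flowTypeName = flowTypeName;
        this.flowType = Flows.valueOf(flowTypeName);
        return this;
    }

    /** Sets the expected ID token issuer and returns this manager for chaining. */
    public OIDCRequestManager setIssuerId(String issuerId) {
        this.issuerId = issuerId;
        return this;
    }

    /** Sets the redirect URL and returns this manager for chaining. */
    public OIDCRequestManager setRedirectUrl(String redirectUrl) {
        this.redirectUrl = redirectUrl;
        return this;
    }

    /** Sets the requested scopes and returns this manager for chaining. */
    public OIDCRequestManager setScopes(String[] scopes) {
        this.scopes = scopes;
        return this;
    }
}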
