package com.appiancorp.security.auth.oidc;

import com.appiancorp.security.auth.oidc.persistence.entities.OidcSettings;
import com.appiancorp.security.auth.oidc.persistence.service.OidcSettingsService;
import com.appiancorp.security.auth.oidc.test.OidcTestStateManager;
import java.util.Locale;
import java.util.Optional;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.ClientRegistrations;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;

/* loaded from: input_file:com/appiancorp/security/auth/oidc/AppianOidcClientRegistrationRepository.class */
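/**
 * Resolves Spring Security {@link ClientRegistration}s from the persisted {@link OidcSettings}.
 *
 * <p>The key passed to {@link #findByRegistrationId(String)} is used as the settings' friendly
 * name; the registration that is built always carries the registration id {@code "oidc"}. While the
 * test state manager reports that test data should be used, the persisted settings are bypassed and
 * its test registration is returned instead.
 *
 * <p>Settings flagged as dynamic are resolved through OIDC discovery on the issuer URI, and every
 * provider endpoint obtained that way must be HTTPS. Settings that are not dynamic are built
 * verbatim from the stored endpoints.
 */
public class AppianOidcClientRegistrationRepository implements ClientRegistrationRepository {
    private static final Logger LOG = LoggerFactory.getLogger(AppianOidcClientRegistrationRepository.class);
    /** Registration id stamped on every registration this repository builds. */
    private static final String REGISTRATION_ID = "oidc";
    /** Redirect URI template; {@code {baseUrl}} is expanded by Spring Security at request time. */
    private static final String REDIRECT_URI_TEMPLATE = "{baseUrl}/oidc/callback";
    private static final String HTTPS_PREFIX = "https://";
    private final OidcSettingsService oidcSettingsService;
    private final OidcTestStateManager oidcTestStateManager;
    private final OidcEncryptionService oidcEncryptionService;

    public AppianOidcClientRegistrationRepository(OidcEncryptionService oidcEncryptionService, OidcSettingsService oidcSettingsService, OidcTestStateManager oidcTestStateManager) {
        this.oidcEncryptionService = oidcEncryptionService;
        this.oidcSettingsService = oidcSettingsService;
        this.oidcTestStateManager = oidcTestStateManager;
    }

    /**
     * Builds the {@link ClientRegistration} for the settings whose friendly name is {@code str}.
     *
     * @param str friendly name of the persisted OIDC settings to resolve; ignored while test data
     *     is in use
     * @return the resolved registration
     * @throws OAuth2AuthenticationException if no settings match, or if the registration cannot be
     *     built (including a dynamic registration that resolved a non-HTTPS endpoint). The
     *     {@link OAuth2Error} description deliberately carries neither the lookup key nor the
     *     underlying cause; both are written to the log only.
     */
    @Override
    public ClientRegistration findByRegistrationId(String str) {
        LOG.debug("Attempting to find registrationId: {}", str);
        if (this.oidcTestStateManager.shouldUseTestData()) {
            return this.oidcTestStateManager.getTestClientRegistration();
        }
        Optional<OidcSettings> oidcSettingsByFriendlyName = this.oidcSettingsService.getOidcSettingsByFriendlyName(str);
        if (!oidcSettingsByFriendlyName.isPresent()) {
            LOG.error("No OIDC settings found: {} ", str);
            throw new OAuth2AuthenticationException(new OAuth2Error("No OIDC settings found."));
        }
        OidcSettings oidcSettings = oidcSettingsByFriendlyName.get();
        try {
            if (!oidcSettings.isDynamic()) {
                // NOTE(review): the non-dynamic path accepts the stored endpoints as-is and is
                // not passed through verifyIfNotHttps; only discovery-derived endpoints are
                // checked. Confirm that is intended for administrator-entered endpoints.
                return createCoreClientRegistration(oidcSettings);
            }
            ClientRegistration dynamicRegistration = createDynamicClientRegistration(oidcSettings);
            verifyIfNotHttps(dynamicRegistration);
            return dynamicRegistration;
        } catch (Exception e) {
            // Boundary catch: discovery failures, secret decryption failures and the HTTPS check
            // all surface here. The cause is attached for callers and logged, but not exposed in
            // the OAuth2Error text.
            LOG.error("Issue building ClientRegistration.", e);
            throw new OAuth2AuthenticationException(new OAuth2Error("Issue building ClientRegistration"), e);
        }
    }

    /**
     * Builds a registration entirely from the stored endpoints, without contacting the provider.
     * The client secret is decrypted only here, at build time, and is never logged.
     */
    private ClientRegistration createCoreClientRegistration(OidcSettings oidcSettings) {
        return ClientRegistration.withRegistrationId(REGISTRATION_ID)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .clientId(oidcSettings.getClientId())
                .clientSecret(this.oidcEncryptionService.decryptFromString(oidcSettings.getClientSecret()))
                .scope(OidcCommon.parseScopes(oidcSettings.getScopes()))
                .redirectUri(REDIRECT_URI_TEMPLATE)
                .issuerUri(oidcSettings.getIssuerUri())
                .authorizationUri(oidcSettings.getAuthorizationEndpoint())
                .tokenUri(oidcSettings.getTokenEndpoint())
                .jwkSetUri(oidcSettings.getJwksUri())
                .userInfoUri(oidcSettings.getUserInfoEndpoint())
                .userNameAttributeName("sub")
                .build();
    }

    /**
     * Builds a registration by running OIDC discovery against the stored issuer URI; the provider
     * endpoints come from the discovery document, so the caller must still run
     * {@link #verifyIfNotHttps(ClientRegistration)} on the result.
     */
    private ClientRegistration createDynamicClientRegistration(OidcSettings oidcSettings) {
        return ClientRegistrations.fromOidcIssuerLocation(oidcSettings.getIssuerUri())
                .clientId(oidcSettings.getClientId())
                .clientSecret(this.oidcEncryptionService.decryptFromString(oidcSettings.getClientSecret()))
                .registrationId(REGISTRATION_ID)
                .redirectUri(REDIRECT_URI_TEMPLATE)
                .scope(OidcCommon.parseScopes(oidcSettings.getScopes()))
                .build();
    }

    /**
     * Rejects a registration whose provider endpoints are missing or not served over HTTPS.
     *
     * @throws OidcAuthenticationException naming the first offending endpoint
     */
    private void verifyIfNotHttps(ClientRegistration clientRegistration) throws OidcAuthenticationException {
        ClientRegistration.ProviderDetails providerDetails = clientRegistration.getProviderDetails();
        checkIfHttp(providerDetails.getIssuerUri(), "IssuerURI");
        checkIfHttp(providerDetails.getAuthorizationUri(), "AuthorizationURI");
        checkIfHttp(providerDetails.getTokenUri(), "TokenURI");
        checkIfHttp(providerDetails.getJwkSetUri(), "JWKSetURI");
        ClientRegistration.ProviderDetails.UserInfoEndpoint userInfoEndpoint = providerDetails.getUserInfoEndpoint();
        // The user-info endpoint is allowed to be absent; only a present, non-HTTPS one is rejected.
        if (userInfoEndpoint != null && userInfoEndpoint.getUri() != null) {
            checkIfHttp(userInfoEndpoint.getUri(), "UserInfoEndpointURI");
        }
    }

    /**
     * Fails unless {@code uri} is non-null and starts with {@code https://} (case-insensitive).
     *
     * @param uri endpoint value to check
     * @param endpointName label used in the log line and exception message
     * @throws OidcAuthenticationException if the value is null or not HTTPS
     */
    private void checkIfHttp(String uri, String endpointName) throws OidcAuthenticationException {
        // Locale.ROOT keeps the scheme comparison independent of the JVM default locale.
        if (uri == null || !uri.toLowerCase(Locale.ROOT).startsWith(HTTPS_PREFIX)) {
            LOG.error("{} is either null or not HTTPS given: {}", endpointName, uri);
            throw new OidcAuthenticationException(String.format("%s is not HTTPS or null: %s", endpointName, uri));
        }
    }
}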
