package pl.edu.icm.unity.oauth.client.config;

import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import eu.emi.security.authn.x509.X509CertChainValidator;
import eu.unicore.util.configuration.ConfigurationException;
import eu.unicore.util.configuration.DocumentationReferenceMeta;
import eu.unicore.util.configuration.DocumentationReferencePrefix;
import eu.unicore.util.configuration.PropertyMD;
import eu.unicore.util.httpclient.ServerHostnameCheckingMode;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import org.apache.hc.core5.http.NameValuePair;
import org.apache.hc.core5.http.message.BasicNameValuePair;
import org.apache.logging.log4j.Logger;
import pl.edu.icm.unity.base.exceptions.EngineException;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.PKIManagement;
import pl.edu.icm.unity.engine.api.config.UnityPropertiesHelper;
import pl.edu.icm.unity.oauth.BaseRemoteASProperties;
import pl.edu.icm.unity.oauth.client.UserProfileFetcher;
import pl.edu.icm.unity.oauth.client.config.OAuthClientProperties;
import pl.edu.icm.unity.oauth.client.profile.OpenIdProfileFetcher;
import pl.edu.icm.unity.oauth.client.profile.PlainProfileFetcher;
import pl.edu.icm.unity.oauth.oidc.metadata.OIDCMetadataRequest;

/* loaded from: input_file:pl/edu/icm/unity/oauth/client/config/CustomProviderProperties.class */
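/**
 * Configuration of a single remote OAuth2 / OpenID Connect provider, read from the
 * {@code unity.oauth2.client.CLIENT_ID.} property subtree.
 * <p>
 * All mandatory-key validation happens in the constructor, so a successfully constructed
 * instance is known to carry either a discovery endpoint (OpenID Connect mode) or explicit
 * authorization and access token endpoints (plain OAuth2 mode), a display name and a
 * translation profile. The TLS trust settings for outgoing HTTP calls
 * ({@code httpClientTruststore}, {@code httpClientHostnameChecking}) are resolved here as well;
 * a truststore name is checked against {@link PKIManagement} before it is used.
 */
public class CustomProviderProperties extends UnityPropertiesHelper implements BaseRemoteASProperties {

    @DocumentationReferencePrefix
    public static final String P = "unity.oauth2.client.CLIENT_ID.";
    public static final String PROVIDER_TYPE = "type";
    public static final String PROVIDER_LOCATION = "authEndpoint";
    public static final String ACCESS_TOKEN_ENDPOINT = "accessTokenEndpoint";
    public static final String PROVIDER_NAME = "name";
    public static final String SCOPES = "scopes";
    public static final String ACCESS_TOKEN_FORMAT = "accessTokenFormat";
    public static final String OPENID_CONNECT = "openIdConnect";
    public static final String OPENID_DISCOVERY = "openIdConnectDiscoveryEndpoint";
    public static final String ICON_URL = "iconUrl";
    public static final String ADDITIONAL_AUTHZ_PARAMS = "extraAuthzParams.";
    public static final String REQUEST_ACRS_MODE = "requestACRs";
    public static final String REQUESTED_ACRS = "requestedACRs.";
    public static final String REQUESTED_ACRS_ARE_ESSENTIAL = "requestedACRsAreEssential";

    /* Keys that the original code referenced by bare literal in several places. */
    private static final String TRANSLATION_PROFILE = "translationProfile";
    private static final String EMBEDDED_TRANSLATION_PROFILE = "embeddedTranslationProfile";
    private static final String HTTP_CLIENT_TRUSTSTORE = "httpClientTruststore";
    private static final String HTTP_CLIENT_HOSTNAME_CHECKING = "httpClientHostnameChecking";
    /** Scopes applied in OpenID Connect mode when the administrator set none. */
    private static final String DEFAULT_OIDC_SCOPES = "openid email";

    private static final Logger log = Log.getLogger("unity.server.config", CustomProviderProperties.class);

    /**
     * Property metadata consulted by {@link UnityPropertiesHelper}; populated once in the static
     * initializer below. Kept as a mutable {@link HashMap} because that initializer fills it.
     */
    @DocumentationReferenceMeta
    public static final Map<String, PropertyMD> META = new HashMap<>();

    /**
     * Certificate chain validator for the provider's TLS endpoints, or {@code null} when no
     * {@code httpClientTruststore} was configured (see the META description of that key).
     */
    private final X509CertChainValidator validator;

    /** Format of the access token response; {@link #httpParams} is the legacy (Facebook-style) variant. */
    public enum AccessTokenFormat {
        standard,
        httpParams
    }

    /**
     * How client id and secret are presented to the provider. The names suggest the RFC 6749
     * {@code client_secret_post} / {@code client_secret_basic} methods, but the actual transport
     * is implemented elsewhere — confirm against the client code before relying on it.
     */
    public enum ClientAuthnMode {
        secretPost,
        secretBasic
    }

    /** HTTP method used when querying the profile endpoint. */
    public enum ClientHttpMethod {
        post,
        get
    }

    /**
     * Parses and validates the provider configuration under {@code prefix}.
     *
     * @param properties raw properties holding the provider subtree
     * @param prefix key prefix of this provider's subtree
     * @param pkiManagement used to look up the optional {@code httpClientTruststore} by name
     * @throws ConfigurationException when a mandatory key is missing for the selected mode, or
     *         the named truststore does not exist or cannot be loaded
     */
    public CustomProviderProperties(Properties properties, String prefix, PKIManagement pkiManagement)
            throws ConfigurationException {
        super(prefix, properties, META, log);
        if (getBooleanValue(OPENID_CONNECT)) {
            if (!isSet(SCOPES)) {
                setProperty(SCOPES, DEFAULT_OIDC_SCOPES);
            }
            requireSet(OPENID_DISCOVERY, " is mandatory in OpenID Connect mode");
        } else {
            requireSet(PROVIDER_LOCATION, " is mandatory in non OpenID Connect mode");
            requireSet(ACCESS_TOKEN_ENDPOINT, " is mandatory in non OpenID Connect mode");
        }
        requireSet(PROVIDER_NAME, " is mandatory");
        if (!isSet(EMBEDDED_TRANSLATION_PROFILE) && !isSet(TRANSLATION_PROFILE)) {
            throw new ConfigurationException(getKeyDescription(TRANSLATION_PROFILE) + " is mandatory");
        }
        this.validator = resolveValidator(pkiManagement);
    }

    /** Throws a {@link ConfigurationException} built from the key description when {@code key} is unset. */
    private void requireSet(String key, String reasonSuffix) throws ConfigurationException {
        if (!isSet(key)) {
            throw new ConfigurationException(getKeyDescription(key) + reasonSuffix);
        }
    }

    /**
     * Resolves the configured truststore into a validator.
     *
     * @return the validator for the named truststore, or {@code null} when none is configured
     * @throws ConfigurationException when the name is unknown to PKI management or loading fails
     */
    private X509CertChainValidator resolveValidator(PKIManagement pkiManagement) throws ConfigurationException {
        String truststore = getValue(HTTP_CLIENT_TRUSTSTORE);
        if (truststore == null) {
            return null;
        }
        try {
            // Only validators known to PKI management may be referenced; an unknown name is a
            // configuration error rather than a silent fallback to the default trust.
            if (!pkiManagement.getValidatorNames().contains(truststore)) {
                throw new ConfigurationException("The http client truststore " + truststore + " for the OAuth verification client does not exist");
            }
            return pkiManagement.getValidator(truststore);
        } catch (EngineException e) {
            throw new ConfigurationException("Can not establish the http client truststore " + truststore + " for the OAuth verification client", e);
        }
    }

    /**
     * @return the profile fetcher matching the configured mode: OpenID Connect or plain OAuth2
     */
    public UserProfileFetcher getUserAttributesResolver() {
        if (getBooleanValue(OPENID_CONNECT)) {
            return new OpenIdProfileFetcher();
        }
        return new PlainProfileFetcher();
    }

    /**
     * @return the client authentication mode for the profile endpoint, falling back to the
     *         general client authentication mode when the profile-specific key is unset
     */
    @Override
    public ClientAuthnMode getClientAuthModeForProfileAccess() {
        ClientAuthnMode profileMode = getEnumValue(BaseRemoteASProperties.CLIENT_AUTHN_MODE_FOR_PROFILE_ACCESS, ClientAuthnMode.class);
        if (profileMode != null) {
            return profileMode;
        }
        return getEnumValue(BaseRemoteASProperties.CLIENT_AUTHN_MODE, ClientAuthnMode.class);
    }

    /**
     * @return {@code GET} when the profile access method is configured as {@code get},
     *         otherwise {@code POST}
     */
    @Override
    public HTTPRequest.Method getClientHttpMethodForProfileAccess() {
        ClientHttpMethod method = getEnumValue(BaseRemoteASProperties.CLIENT_HTTP_METHOD_FOR_PROFILE_ACCESS, ClientHttpMethod.class);
        return method == ClientHttpMethod.get ? HTTPRequest.Method.GET : HTTPRequest.Method.POST;
    }

    /**
     * @return all configured profile endpoints: the main {@code profileEndpoint} value first
     *         (when set), followed by the numbered {@code profileEndpoint.N} sub-keys; empty
     *         when none are configured
     */
    public List<String> getUserInfoEndpoints() {
        List<String> endpoints = new ArrayList<>();
        String primary = getValue(BaseRemoteASProperties.PROFILE_ENDPOINT);
        if (primary != null) {
            endpoints.add(primary);
        }
        endpoints.addAll(getListOfValues("profileEndpoint."));
        return endpoints;
    }

    /** @return the underlying raw properties (shared, not a copy) */
    public Properties getProperties() {
        return this.properties;
    }

    /**
     * @return the validator backing {@code httpClientTruststore}, or {@code null} when that key
     *         is unset — callers must handle the absent case
     */
    @Override
    public X509CertChainValidator getValidator() {
        return this.validator;
    }

    /**
     * Parses the fixed {@code extraAuthzParams.N} entries, each expected as {@code PARAM=VALUE}.
     * The first {@code '='} separates name and value, so values may themselves contain
     * {@code '='}. Entries without a separator, with an empty name or with an empty value are
     * logged and skipped rather than producing malformed query parameters.
     *
     * @return the well-formed parameters in configuration order; empty when none are configured
     */
    public List<NameValuePair> getAdditionalAuthzParams() {
        List<String> specs = getListOfValues(ADDITIONAL_AUTHZ_PARAMS);
        List<NameValuePair> params = new ArrayList<>(specs.size());
        for (String spec : specs) {
            int separator = spec.indexOf('=');
            if (separator == -1) {
                log.warn("Specification of extra authz query parameter is invalid, no '=': " + spec + " ignoring it");
            } else if (separator == 0) {
                log.warn("Specification of extra authz query parameter is invalid, no name: " + spec + " ignoring it");
            } else if (separator == spec.length() - 1) {
                log.warn("Specification of extra authz query parameter is invalid, no value: " + spec + " ignoring it");
            } else {
                params.add(new BasicNameValuePair(spec.substring(0, separator), spec.substring(separator + 1)));
            }
        }
        return params;
    }

    /**
     * Sets {@code key} to {@code value} unless the key is already present.
     *
     * @param properties properties to update in place
     * @param key full property key
     * @param value value to set when the key is absent
     */
    public static void setIfUnset(Properties properties, String key, String value) {
        if (!properties.containsKey(key)) {
            properties.setProperty(key, value);
        }
    }

    /**
     * Sets {@code prefix + "translationProfile"} to {@code profile} unless either the plain or the
     * embedded translation profile is already configured under {@code prefix}.
     *
     * @param properties properties to update in place
     * @param prefix provider key prefix, including the trailing dot
     * @param profile default translation profile name
     */
    public static void setDefaultProfileIfUnset(Properties properties, String prefix, String profile) {
        boolean alreadySet = properties.containsKey(prefix + EMBEDDED_TRANSLATION_PROFILE)
                || properties.containsKey(prefix + TRANSLATION_PROFILE);
        if (!alreadySet) {
            properties.setProperty(prefix + TRANSLATION_PROFILE, profile);
        }
    }

    /**
     * Builds the request for the OpenID Connect discovery document, carrying this provider's
     * TLS trust settings (validator, truststore name and hostname checking mode).
     *
     * @return the metadata request for the configured discovery endpoint
     */
    public OIDCMetadataRequest generateMetadataRequest() {
        return OIDCMetadataRequest.builder()
                .withHostnameChecking(getHostNameCheckingMode())
                .withValidator(this.validator)
                .withValidatorName(getValue(HTTP_CLIENT_TRUSTSTORE))
                .withUrl(getValue(OPENID_DISCOVERY))
                .build();
    }

    /**
     * @return how a mismatch between the server's DNS name and its certificate is handled;
     *         defaults to {@code FAIL}, and anything weaker disables TLS server identity
     *         verification for this provider
     */
    public ServerHostnameCheckingMode getHostNameCheckingMode() {
        return getEnumValue(HTTP_CLIENT_HOSTNAME_CHECKING, ServerHostnameCheckingMode.class);
    }

    /** @return the configured ACR request mode (defaults to {@code NONE}) */
    public RequestACRsMode getRequestACRMode() {
        return getEnumValue(REQUEST_ACRS_MODE, RequestACRsMode.class);
    }

    static {
        META.put(PROVIDER_TYPE, new PropertyMD(OAuthClientProperties.Providers.custom).setDescription("Type of provider. Either a well known provider type can be specified or 'custom'. In the first case only few additional settings are required: client id, secret and translation profile. Other settings as scope can be additionally set to fine tune the remote authentication. In the latter 'custom' case all mandatory options must be set."));
        META.put(PROVIDER_LOCATION, new PropertyMD().setDescription("Location (URL) of OAuth2 provider's authorization endpoint. It is mandatory for non OpenID Connect providers, in whose case the endopint can be discovered."));
        META.put(ACCESS_TOKEN_ENDPOINT, new PropertyMD().setDescription("Location (URL) of OAuth2 provider's access token endpoint. In case of OpenID Connect mode can be discovered, otherwise mandatory."));
        META.put(BaseRemoteASProperties.PROFILE_ENDPOINT, new PropertyMD().setCanHaveSubkeys().setDescription("Location (URL) of OAuth2 provider's user's profile endpoint. It is used to obtain additional user's attributes. It can be autodiscovered for OpenID Connect mode. Otherwise it should be set as otherwise there is bearly no information about the user identity. If not set then the only information about the user is the one extracted from the access token (if any). Additionally a subkeys can be added (.1, .2, ...) if user attributes should be fetched from more then a single endpoint."));
        META.put(PROVIDER_NAME, new PropertyMD().setMandatory().setCanHaveSubkeys().setDescription("Name of the OAuth provider to be displayed. Can be localized with locale subkeys."));
        META.put(ICON_URL, new PropertyMD().setCanHaveSubkeys().setDescription("URL to provider's logo. Can be http(s), file or data scheme. Can be localized."));
        META.put("clientId", new PropertyMD().setMandatory().setDescription("Client identifier, obtained during Unity's registration at the provider"));
        // Flagged as secret so the properties helper can treat the value accordingly; keep it that way.
        META.put("clientSecret", new PropertyMD().setSecret().setMandatory().setDescription("Client secret, obtained during Unity's registration at the provider"));
        META.put(BaseRemoteASProperties.CLIENT_AUTHN_MODE, new PropertyMD(ClientAuthnMode.secretBasic).setDescription("Defines how the client secret and id should be passed to the provider."));
        META.put(BaseRemoteASProperties.CLIENT_AUTHN_MODE_FOR_PROFILE_ACCESS, new PropertyMD().setEnum(ClientAuthnMode.secretBasic).setDescription("Defines how the client secret and id should be passed to the provider's user's profile endpoint. If not set the clientAuthenticationMode is used"));
        META.put(BaseRemoteASProperties.CLIENT_HTTP_METHOD_FOR_PROFILE_ACCESS, new PropertyMD(ClientHttpMethod.get).setDescription("Http method used in query to profile endpoint"));
        META.put(SCOPES, new PropertyMD().setDescription("Space separated list of authorization scopes to be requested. Most often required if in non OpenID Connect mode, otherwise has a default value of 'openid email'"));
        META.put(ACCESS_TOKEN_FORMAT, new PropertyMD(AccessTokenFormat.standard).setDescription("Some providers (Facebook) use legacy format of a response to the access token query. Non standard format can be set here."));
        META.put(OPENID_CONNECT, new PropertyMD("false").setDescription("If set to true, then the provider is treated as OpenID Connect 1.0 provider. For such providers specifying profileEndpoint is not needed as the basic user information is retrieved together with access token. However the discovery endpoint must be set."));
        META.put(OPENID_DISCOVERY, new PropertyMD().setDescription("OpenID Connect Discovery endpoint address, relevant (and required) only when OpenID Connect mode is turned on."));
        META.put("registrationFormForUnknown", new PropertyMD().setDescription("Registration form to be shown for the locally unknown users which were successfuly authenticated remotely."));
        META.put(TRANSLATION_PROFILE, new PropertyMD().setDescription("Name of translation profile which will be used to map received user information to a local representation."));
        META.put(EMBEDDED_TRANSLATION_PROFILE, new PropertyMD().setHidden().setDescription("Translation profile in json which will be used to map received user information to a local representation."));
        META.put("enableAccountAssociation", new PropertyMD().setBoolean().setDescription("If true then unknown remote user gets an option to associate the remote identity with an another local (already existing) account. Overrides the global setting."));
        // Default FAIL: a DNS-name/certificate mismatch aborts the connection unless explicitly relaxed.
        META.put(HTTP_CLIENT_HOSTNAME_CHECKING, new PropertyMD(ServerHostnameCheckingMode.FAIL).setDescription("Controls how to react on the DNS name mismatch with the server's certificate. Unless in testing environment should be left on the default setting."));
        META.put(HTTP_CLIENT_TRUSTSTORE, new PropertyMD().setDescription("Name of the truststore which should be used to validate TLS peer's certificates. If undefined then the system Java tuststore is used."));
        META.put(ADDITIONAL_AUTHZ_PARAMS, new PropertyMD().setList(false).setDescription("Allows to specify non-standard, fixed parameters which shall be added to the query string of the authorization redirect request. format must be: PARAM=VALUE"));
        META.put(REQUEST_ACRS_MODE, new PropertyMD(RequestACRsMode.NONE).setDescription("Authenticator can request ACR from its upstream IdP. Requested ACRs can be either defined here in configuration or forwarded, basing on ACRs requested by downstream client, what is relevant in the case of proxy authentication."));
        META.put(REQUESTED_ACRS, new PropertyMD().setList(true).setDescription("List of requested ACRs (only required when mode is FIXED)."));
        META.put(REQUESTED_ACRS_ARE_ESSENTIAL, new PropertyMD("false").setDescription("Whether requested ACRs are essential or not (only required when mode is FIXED)."));
    }
}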
