package com.lunatech.openconnect;

import com.google.api.client.auth.oauth2.TokenResponseException;
import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeTokenRequest;
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.googleapis.auth.oauth2.GoogleTokenResponse;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.gson.GsonFactory;
import com.google.api.services.oauth2.Oauth2;
import com.google.api.services.oauth2.model.Tokeninfo;
import com.google.inject.Inject;
import java.io.IOException;
import java.math.BigInteger;
import java.security.SecureRandom;
import play.api.ConfigLoader$;
import play.api.Configuration;
import play.api.Logger;
import play.api.Logging;
import play.api.MarkerContext$;
import play.api.libs.ws.WSClient;
import play.libs.Json;
import scala.Predef$;
import scala.Predef$ArrowAssoc$;
import scala.Tuple2;
import scala.collection.immutable.Seq;
import scala.concurrent.ExecutionContext;
import scala.concurrent.Future;
import scala.concurrent.Future$;
import scala.io.Codec$;
import scala.io.Source$;
import scala.package$;
import scala.runtime.ScalaRunTime$;
import scala.runtime.Statics;
import scala.util.Either;
import scala.util.Left;
import scala.util.Right;

/* compiled from: Authenticate.scala */
/* loaded from: input_file:com/lunatech/openconnect/Authenticate.class */
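/**
 * Google OAuth2 sign-in helper (decompiled from {@code Authenticate.scala}).
 *
 * <p>Validates Google authorization codes and access tokens against the token-info endpoint and
 * enforces the configured client id and e-mail domain allow-list. A rejected token is revoked.
 *
 * <p>Result convention: {@code Left} carries the successful {@code AuthenticationResult} and
 * {@code Right} carries the {@code AuthenticationError}. This is the reverse of the usual Scala
 * convention, so callers must not assume "Right is success".
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Both entry points require the token to have been issued to {@code google.clientId}.
 *       Without that check, a token a user granted to an unrelated application would be accepted
 *       here (confused deputy).</li>
 *   <li>Domain matching is anchored on the {@code @} or a label boundary. A bare suffix match
 *       would let {@code user@evil-example.com} pass an allow-list entry {@code example.com}.</li>
 *   <li>The {@code verified_email} flag of the token info is not consulted. NOTE(review): confirm
 *       whether unverified addresses can reach this code path.</li>
 * </ul>
 */
public class Authenticate implements Logging {
    private Logger logger;
    private final WSClient wsClient;
    private final ExecutionContext ec;
    // Google's OpenID Connect discovery document; the revocation endpoint is read from it.
    private final String GOOGLE_CONF;
    // Key of the revocation URL inside the discovery document.
    private final String REVOKE_ENDPOINT;
    // User-facing message that deliberately hides the underlying failure.
    private final String ERROR_GENERIC;
    private final String clientId;
    // OAuth client secret: never log it and never include it in an error returned to a caller.
    private final String secret;
    // Allowed e-mail domains; an empty sequence disables the domain restriction entirely.
    private final Seq<String> domains;
    private final String ERROR_GOOGLE;
    private final String ERROR_MISMATCH_CLIENT;
    private final String ERROR_MISMATCH_DOMAIN;
    private final NetHttpTransport transport;
    private final GsonFactory jsonFactory;

    /**
     * Reads the Google client credentials, the domain allow-list and the error messages from the
     * application configuration.
     *
     * @param configuration source of the {@code google.*} and {@code errors.authorization.*} keys
     * @param wSClient HTTP client used for the revocation call
     * @param executionContext context on which the returned futures are completed
     */
    @Inject
    public Authenticate(Configuration configuration, WSClient wSClient, ExecutionContext executionContext) {
        this.wsClient = wSClient;
        this.ec = executionContext;
        Logging.$init$(this);
        this.GOOGLE_CONF = "https://accounts.google.com/.well-known/openid-configuration";
        this.REVOKE_ENDPOINT = "revocation_endpoint";
        this.ERROR_GENERIC = "Something went wrong, please try again later";
        this.clientId = (String) configuration.get("google.clientId", ConfigLoader$.MODULE$.stringLoader());
        this.secret = (String) configuration.get("google.secret", ConfigLoader$.MODULE$.stringLoader());
        this.domains = (Seq) configuration.get("google.domains", ConfigLoader$.MODULE$.seqStringLoader());
        this.ERROR_GOOGLE = (String) configuration.get("errors.authorization.googleDecline", ConfigLoader$.MODULE$.stringLoader());
        this.ERROR_MISMATCH_CLIENT = (String) configuration.get("errors.authorization.clientIdMismatch", ConfigLoader$.MODULE$.stringLoader());
        this.ERROR_MISMATCH_DOMAIN = (String) configuration.get("errors.authorization.domainMismatch", ConfigLoader$.MODULE$.stringLoader());
        this.transport = new NetHttpTransport();
        this.jsonFactory = GsonFactory.getDefaultInstance();
        // Emitted by the Scala compiler at the end of the constructor.
        Statics.releaseFence();
    }

    public Logger logger() {
        return this.logger;
    }

    // Synthetic setter called from Logging.$init$ to install the logger.
    public void play$api$Logging$_setter_$logger_$eq(Logger logger) {
        this.logger = logger;
    }

    /**
     * Generates an unpredictable anti-forgery {@code state} value: 130 random bits from a
     * {@link SecureRandom}, rendered in base 32.
     *
     * <p>This class only produces the value. Binding it to the user's session and comparing it on
     * the OAuth callback is left to the caller; nothing here verifies it.
     *
     * @return a fresh random state string
     */
    public String generateState() {
        return new BigInteger(130, new SecureRandom()).toString(32);
    }

    /**
     * Resolves the user behind a Google access token supplied by the caller.
     *
     * <p>The token is untrusted input. It is accepted only when Google's token info reports no
     * error, the token was issued to this application's client id, and, when an allow-list is
     * configured, the e-mail belongs to an allowed domain. A token that fails a check is revoked.
     *
     * @param str the access token to validate
     * @return {@code Left(AuthenticationResult)} on success, {@code Right(AuthenticationError)} otherwise
     */
    public Future<Either<AuthenticationResult, AuthenticationError>> getUserFromToken(String str) {
        Future<Either<AuthenticationResult, AuthenticationError>> apply;
        try {
            GoogleCredential accessToken = new GoogleCredential.Builder().setJsonFactory(this.jsonFactory).setTransport(this.transport).setClientSecrets(this.clientId, this.secret).build().setAccessToken(str);
            Tokeninfo tokeninfo = (Tokeninfo) new Oauth2.Builder(this.transport, this.jsonFactory, accessToken).setApplicationName("Lunatech Google Openconnect").build().tokeninfo().setAccessToken(accessToken.getAccessToken()).execute();
            if (tokeninfo.containsKey("error")) {
                logger().error(Authenticate::getUserFromToken$$anonfun$1, MarkerContext$.MODULE$.NoMarker());
                apply = revokeUser(accessToken.getAccessToken(), AuthenticationServiceError$.MODULE$.apply(this.ERROR_GOOGLE));
            } else if (!this.clientId.equals(tokeninfo.getIssuedTo())) {
                // Same audience check as authenticateToken: a valid Google token minted for a
                // different application must not authenticate a user here.
                logger().error(() -> {
                    return "client_id doesn't match expected client_id";
                }, MarkerContext$.MODULE$.NoMarker());
                apply = revokeUser(accessToken.getAccessToken(), TokenClientMismatchError$.MODULE$.apply(this.ERROR_MISMATCH_CLIENT));
            } else if (isOutsideAllowedDomains(tokeninfo.getEmail())) {
                logger().error(Authenticate::getUserFromToken$$anonfun$3, MarkerContext$.MODULE$.NoMarker());
                apply = revokeUser(accessToken.getAccessToken(), TokenDomainMismatchError$.MODULE$.apply(this.ERROR_MISMATCH_DOMAIN));
            } else {
                apply = Future$.MODULE$.apply(() -> {
                    return getUserFromToken$$anonfun$4(tokeninfo, str);
                }, this.ec);
            }
            return apply;
        } catch (TokenResponseException e) {
            logger().error(Authenticate::getUserFromToken$$anonfun$5, () -> {
                return getUserFromToken$$anonfun$6(e);
            }, MarkerContext$.MODULE$.NoMarker());
            return Future$.MODULE$.apply(this::getUserFromToken$$anonfun$7, this.ec);
        } catch (IOException e2) {
            logger().error(Authenticate::getUserFromToken$$anonfun$8, () -> {
                return getUserFromToken$$anonfun$9(e2);
            }, MarkerContext$.MODULE$.NoMarker());
            return Future$.MODULE$.apply(this::getUserFromToken$$anonfun$10, this.ec);
        }
    }

    /**
     * Exchanges a Google authorization code for tokens and validates the resulting access token.
     *
     * <p>The code is exchanged with the configured client id and secret, using
     * {@code "postmessage"} as the redirect URI. The access token is then checked like in
     * {@link #getUserFromToken(String)}: no token-info error, issued to this client id, e-mail
     * inside the allow-list. A token that fails a check is revoked.
     *
     * @param str the one-time authorization code received from the client
     * @return {@code Left(AuthenticationResult)} on success, {@code Right(AuthenticationError)} otherwise
     */
    public Future<Either<AuthenticationResult, AuthenticationError>> authenticateToken(String str) {
        Future<Either<AuthenticationResult, AuthenticationError>> apply;
        try {
            GoogleTokenResponse execute = new GoogleAuthorizationCodeTokenRequest(this.transport, this.jsonFactory, this.clientId, this.secret, str, "postmessage").execute();
            GoogleCredential fromTokenResponse = new GoogleCredential.Builder().setJsonFactory(this.jsonFactory).setTransport(this.transport).setClientSecrets(this.clientId, this.secret).build().setFromTokenResponse(execute);
            Tokeninfo tokeninfo = (Tokeninfo) new Oauth2.Builder(this.transport, this.jsonFactory, fromTokenResponse).setApplicationName("Lunatech Google Openconnect").build().tokeninfo().setAccessToken(fromTokenResponse.getAccessToken()).execute();
            if (tokeninfo.containsKey("error")) {
                logger().error(Authenticate::authenticateToken$$anonfun$1, MarkerContext$.MODULE$.NoMarker());
                apply = revokeUser(fromTokenResponse.getAccessToken(), AuthenticationServiceError$.MODULE$.apply(this.ERROR_GOOGLE));
            } else if (!this.clientId.equals(tokeninfo.getIssuedTo())) {
                // Null-safe form: a token info without issued_to is a mismatch, not an NPE.
                logger().error(Authenticate::authenticateToken$$anonfun$2, MarkerContext$.MODULE$.NoMarker());
                apply = revokeUser(fromTokenResponse.getAccessToken(), TokenClientMismatchError$.MODULE$.apply(this.ERROR_MISMATCH_CLIENT));
            } else if (isOutsideAllowedDomains(tokeninfo.getEmail())) {
                logger().error(Authenticate::authenticateToken$$anonfun$4, MarkerContext$.MODULE$.NoMarker());
                apply = revokeUser(fromTokenResponse.getAccessToken(), TokenDomainMismatchError$.MODULE$.apply(this.ERROR_MISMATCH_DOMAIN));
            } else {
                apply = Future$.MODULE$.apply(() -> {
                    return authenticateToken$$anonfun$5(tokeninfo, execute);
                }, this.ec);
            }
            return apply;
        } catch (TokenResponseException e) {
            logger().error(() -> {
                return authenticateToken$$anonfun$6(e);
            }, MarkerContext$.MODULE$.NoMarker());
            return Future$.MODULE$.apply(this::authenticateToken$$anonfun$7, this.ec);
        } catch (IOException e2) {
            logger().error(() -> {
                return authenticateToken$$anonfun$8(e2);
            }, MarkerContext$.MODULE$.NoMarker());
            return Future$.MODULE$.apply(this::authenticateToken$$anonfun$9, this.ec);
        }
    }

    /**
     * Tells whether an allow-list is configured and the e-mail matches none of its entries.
     *
     * @param email the address reported by the token info; may be {@code null}
     * @return {@code true} when the user must be rejected for a domain mismatch
     */
    private boolean isOutsideAllowedDomains(String email) {
        return this.domains.nonEmpty() && this.domains.forall(domain -> {
            return !emailBelongsToDomain(email, domain);
        });
    }

    /**
     * Matches an e-mail address against one allow-list entry on a domain boundary.
     *
     * <p>An entry {@code "@example.com"} matches exactly that domain, {@code ".example.com"}
     * matches its subdomains, and a bare {@code "example.com"} matches the domain and its
     * subdomains. An empty entry or a missing or malformed address never matches, so a
     * misconfigured allow-list fails closed instead of admitting everyone.
     */
    private static boolean emailBelongsToDomain(String email, String domain) {
        if (email == null || domain == null || domain.isEmpty()) {
            return false;
        }
        int at = email.lastIndexOf('@');
        if (at <= 0 || at == email.length() - 1) {
            return false;
        }
        String host = email.substring(at + 1);
        if (domain.startsWith("@")) {
            return host.equals(domain.substring(1));
        }
        if (domain.startsWith(".")) {
            return host.endsWith(domain);
        }
        return host.equals(domain) || host.endsWith("." + domain);
    }

    /**
     * Revokes a rejected access token at Google and reports the outcome as an error.
     *
     * <p>On HTTP 200 the original {@code authenticationError} is returned; on any other status
     * it is replaced by a generic {@code UserRevokeError}, so the caller no longer sees why the
     * token was rejected. Both outcomes are logged at info level only.
     *
     * <p>NOTE(review): the token travels as a query-string parameter of a GET request, so it can
     * end up in proxy and access logs. Consider sending it in a POST body instead.
     *
     * @param str the access token to revoke
     * @param authenticationError the error to report once revocation succeeded
     * @return a future that always completes with a {@code Right}
     */
    private Future<Either<AuthenticationResult, AuthenticationError>> revokeUser(String str, AuthenticationError authenticationError) {
        return this.wsClient.url(getRevokeEndpoint()).addQueryStringParameters(ScalaRunTime$.MODULE$.wrapRefArray(new Tuple2[]{Predef$ArrowAssoc$.MODULE$.$minus$greater$extension((String) Predef$.MODULE$.ArrowAssoc("token"), str)})).get().map(wSResponse -> {
            if (200 == wSResponse.status()) {
                logger().info(Authenticate::revokeUser$$anonfun$1$$anonfun$1, MarkerContext$.MODULE$.NoMarker());
                return package$.MODULE$.Right().apply(authenticationError);
            }
            logger().info(Authenticate::revokeUser$$anonfun$1$$anonfun$2, MarkerContext$.MODULE$.NoMarker());
            return package$.MODULE$.Right().apply(UserRevokeError$.MODULE$.apply(this.ERROR_GENERIC));
        }, this.ec);
    }

    /**
     * Reads the revocation URL from Google's discovery document.
     *
     * <p>NOTE(review): the document is downloaded synchronously on every call, the source is
     * never closed, and the returned URL is used as-is as the destination of the token. Consider
     * caching the value and checking that it is an HTTPS URL on the expected Google host.
     */
    private String getRevokeEndpoint() {
        return Json.parse(Source$.MODULE$.fromURL(this.GOOGLE_CONF, Codec$.MODULE$.fallbackSystemCodec()).mkString()).get(this.REVOKE_ENDPOINT).asText();
    }

    // The methods below are the bodies of the Scala closures used above: log messages, logged
    // throwables and result values.

    private static final String getUserFromToken$$anonfun$1() {
        return "Authorization has been denied by Google";
    }

    private static final String getUserFromToken$$anonfun$3() {
        return "Domain doesn't match one of the expected domains";
    }

    // Success value: the e-mail from the token info together with the caller's access token.
    private static final Left getUserFromToken$$anonfun$4(Tokeninfo tokeninfo, String str) {
        return package$.MODULE$.Left().apply(AuthenticationResult$.MODULE$.apply(tokeninfo.getEmail(), str));
    }

    private static final String getUserFromToken$$anonfun$5() {
        return "Unable to request authorization to Google ";
    }

    private static final Throwable getUserFromToken$$anonfun$6(TokenResponseException tokenResponseException) {
        return tokenResponseException;
    }

    private final Right getUserFromToken$$anonfun$7() {
        return package$.MODULE$.Right().apply(TokenResponseError$.MODULE$.apply(this.ERROR_GENERIC));
    }

    private static final String getUserFromToken$$anonfun$8() {
        return "Unable to request authorization to Google ";
    }

    private static final Throwable getUserFromToken$$anonfun$9(IOException iOException) {
        return iOException;
    }

    private final Right getUserFromToken$$anonfun$10() {
        return package$.MODULE$.Right().apply(TokenIOError$.MODULE$.apply(this.ERROR_GENERIC));
    }

    private static final String authenticateToken$$anonfun$1() {
        return "Authorizationtoken has been denied by Google";
    }

    private static final String authenticateToken$$anonfun$2() {
        return "client_id doesn't match expected client_id";
    }

    private static final String authenticateToken$$anonfun$4() {
        return "domain doesn't match one of the expected domains";
    }

    // Success value: the second field is the string form of the whole token response, not just
    // the access token. NOTE(review): it presumably contains every token Google returned, so
    // callers should treat it as a secret and keep it out of logs.
    private static final Left authenticateToken$$anonfun$5(Tokeninfo tokeninfo, GoogleTokenResponse googleTokenResponse) {
        return package$.MODULE$.Left().apply(AuthenticationResult$.MODULE$.apply(tokeninfo.getEmail(), googleTokenResponse.toString()));
    }

    private static final String authenticateToken$$anonfun$6(TokenResponseException tokenResponseException) {
        return new StringBuilder(42).append("Unable to request authorization to Google ").append(tokenResponseException).toString();
    }

    private final Right authenticateToken$$anonfun$7() {
        return package$.MODULE$.Right().apply(TokenResponseError$.MODULE$.apply(this.ERROR_GENERIC));
    }

    private static final String authenticateToken$$anonfun$8(IOException iOException) {
        return new StringBuilder(42).append("Unable to request authorization to Google ").append(iOException).toString();
    }

    private final Right authenticateToken$$anonfun$9() {
        return package$.MODULE$.Right().apply(TokenIOError$.MODULE$.apply(this.ERROR_GENERIC));
    }

    private static final String revokeUser$$anonfun$1$$anonfun$1() {
        return "User successfully revoked";
    }

    private static final String revokeUser$$anonfun$1$$anonfun$2() {
        return "ERROR revoking user access";
    }
}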
