package org.alfresco.repo.security.authentication.identityservice;

import jakarta.servlet.http.HttpServletRequest;
import java.util.Optional;
import org.alfresco.repo.management.subsystems.ActivateableBean;
import org.alfresco.repo.security.authentication.AuthenticationException;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.authentication.external.RemoteUserMapper;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;

/* loaded from: input_file:org/alfresco/repo/security/authentication/identityservice/IdentityServiceRemoteUserMapper.class */
public class IdentityServiceRemoteUserMapper implements RemoteUserMapper, ActivateableBean {
    private static final Log LOGGER = LogFactory.getLog(IdentityServiceRemoteUserMapper.class);
    private boolean isEnabled;
    private boolean isValidationFailureSilent;
    private BearerTokenResolver bearerTokenResolver;
    private IdentityServiceJITProvisioningHandler jitProvisioningHandler;

    public void setActive(boolean z) {
        this.isEnabled = z;
    }

    public void setValidationFailureSilent(boolean z) {
        this.isValidationFailureSilent = z;
    }

    public void setBearerTokenResolver(BearerTokenResolver bearerTokenResolver) {
        this.bearerTokenResolver = bearerTokenResolver;
    }

    public void setJitProvisioningHandler(IdentityServiceJITProvisioningHandler identityServiceJITProvisioningHandler) {
        this.jitProvisioningHandler = identityServiceJITProvisioningHandler;
    }

    @Override // org.alfresco.repo.security.authentication.external.RemoteUserMapper
    public String getRemoteUser(HttpServletRequest httpServletRequest) {
        LOGGER.trace("Retrieving username from http request...");
        if (!this.isEnabled) {
            LOGGER.debug("IdentityServiceRemoteUserMapper is disabled, returning null.");
            return null;
        }
        try {
            String extractUserFromHeader = extractUserFromHeader(httpServletRequest);
            if (extractUserFromHeader != null) {
                LOGGER.trace("Returning userId: " + AuthenticationUtil.maskUsername(extractUserFromHeader));
                return extractUserFromHeader;
            }
        } catch (IdentityServiceFacade.IdentityServiceFacadeException e) {
            if (!this.isValidationFailureSilent) {
                throw new AuthenticationException("Failed to extract username from token: " + e.getMessage(), e);
            }
            LOGGER.error("Failed to authenticate user using IdentityServiceRemoteUserMapper: " + e.getMessage(), e);
        } catch (RuntimeException e2) {
            LOGGER.error("Failed to authenticate user using IdentityServiceRemoteUserMapper: " + e2.getMessage(), e2);
        }
        LOGGER.trace("Could not identify a userId. Returning null.");
        return null;
    }

    @Override // org.alfresco.repo.management.subsystems.ActivateableBean
    public boolean isActive() {
        return this.isEnabled;
    }

    private String extractUserFromHeader(HttpServletRequest httpServletRequest) {
        LOGGER.debug("Trying bearer token...");
        try {
            Optional<U> map = this.jitProvisioningHandler.extractUserInfoAndCreateUserIfNeeded(this.bearerTokenResolver.resolve(httpServletRequest)).map((v0) -> {
                return v0.username();
            });
            if (map.isEmpty()) {
                LOGGER.debug("User could not be authenticated by IdentityServiceRemoteUserMapper.");
                return null;
            }
            String str = (String) map.get();
            LOGGER.trace("Extracted username: " + AuthenticationUtil.maskUsername(str));
            return str;
        } catch (OAuth2AuthenticationException e) {
            LOGGER.debug("Failed to resolve Bearer token.", e);
            return null;
        }
    }
}
