package org.alfresco.repo.security.authentication.identityservice.admin;

import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.id.State;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.time.Instant;
import java.util.HashMap;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import org.alfresco.repo.management.subsystems.ActivateableBean;
import org.alfresco.repo.notification.EMailNotificationProvider;
import org.alfresco.repo.security.authentication.AuthenticationException;
import org.alfresco.repo.security.authentication.external.AdminConsoleAuthenticator;
import org.alfresco.repo.security.authentication.external.RemoteUserMapper;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceConfig;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceMetadataKey;
import org.alfresco.repo.transfer.reportd.TransferDestinationReportModel;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.web.util.UriComponentsBuilder;

/* loaded from: input_file:org/alfresco/repo/security/authentication/identityservice/admin/IdentityServiceAdminConsoleAuthenticator.class */
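/**
 * Authenticates Admin Console users against the Identity Service using the OpenID Connect
 * authorization-code flow.
 * <p>
 * The resolved tokens are carried between requests in three cookies (access token, refresh
 * token and the access-token expiration instant) managed by {@link AdminConsoleAuthenticationCookiesService};
 * the cookie attributes (HttpOnly/Secure/path) are that service's responsibility and are not
 * visible here. The user name itself is always derived by the configured {@link RemoteUserMapper}
 * from a {@code Authorization: Bearer} header synthesised from the access token.
 * <p>
 * This bean is not thread-safe with respect to its setters; they are expected to be called once
 * by the container before the bean is used.
 */
public class IdentityServiceAdminConsoleAuthenticator implements AdminConsoleAuthenticator, ActivateableBean {
    // Cookie names used to carry the OIDC tokens across Admin Console requests.
    private static final String ALFRESCO_ACCESS_TOKEN = "ALFRESCO_ACCESS_TOKEN";
    private static final String ALFRESCO_REFRESH_TOKEN = "ALFRESCO_REFRESH_TOKEN";
    private static final String ALFRESCO_TOKEN_EXPIRATION = "ALFRESCO_TOKEN_EXPIRATION";
    // Request parameter carrying the authorization code on the redirect back from the IdP.
    private static final String CODE_PARAM = "code";
    private static final Logger LOGGER = LoggerFactory.getLogger(IdentityServiceAdminConsoleAuthenticator.class);
    // Standard OIDC scopes requested from the IdP; "offline_access" is what yields a refresh token.
    // The decompiled form referenced EMailNotificationProvider.NAME here, which is the same "email" literal.
    private static final Set<String> SCOPES = Set.of("openid", "profile", "email", "offline_access");

    private IdentityServiceConfig identityServiceConfig;
    private IdentityServiceFacade identityServiceFacade;
    private AdminConsoleAuthenticationCookiesService cookiesService;
    private RemoteUserMapper remoteUserMapper;
    private boolean isEnabled;

    /**
     * Resolves the Admin Console user for the current request.
     * <p>
     * Resolution order: (1) a user already identified by the {@link RemoteUserMapper} from the
     * raw request; (2) the access-token cookie, refreshed first if its expiration cookie says it
     * has expired; (3) the {@code code} callback parameter, exchanged at the token endpoint. In
     * cases (2) and (3) the token is presented to the remote user mapper as a Bearer header.
     * <p>
     * NOTE(review): the {@code state} value generated in {@link #getAuthenticationRequest} is
     * neither persisted nor compared here, so any {@code code} parameter arriving at this
     * endpoint is exchanged; confirm whether state verification happens elsewhere in the chain.
     *
     * @param httpServletRequest  the current request
     * @param httpServletResponse the response, used to set or reset token cookies
     * @return the user name, or {@code null} when no usable token could be obtained (the caller
     *         is then expected to invoke {@link #requestAuthentication})
     */
    @Override
    public String getAdminConsoleUser(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String remoteUser = this.remoteUserMapper.getRemoteUser(httpServletRequest);
        if (remoteUser != null) {
            return remoteUser;
        }

        String accessToken = this.cookiesService.getCookie(ALFRESCO_ACCESS_TOKEN, httpServletRequest);
        if (accessToken != null) {
            accessToken = refreshTokenIfNeeded(httpServletRequest, httpServletResponse, accessToken);
        } else {
            String authCode = httpServletRequest.getParameter(CODE_PARAM);
            if (authCode != null) {
                accessToken = retrieveTokenUsingAuthCode(httpServletRequest, httpServletResponse, authCode);
            }
        }

        if (accessToken == null) {
            return null;
        }
        return this.remoteUserMapper.getRemoteUser(decorateBearerHeader(accessToken, httpServletRequest));
    }

    /**
     * Redirects the client to the Identity Service authorization endpoint.
     *
     * @param httpServletRequest  the current request (its URL is used to derive the redirect URI)
     * @param httpServletResponse the response on which the redirect is sent
     * @throws AuthenticationException if the redirect cannot be written
     */
    @Override
    public void requestAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        respondWithAuthChallenge(httpServletRequest, httpServletResponse);
    }

    /**
     * Sends the authorization-request redirect; an {@link IOException} is logged and re-thrown as
     * {@link AuthenticationException} with the original cause preserved.
     */
    private void respondWithAuthChallenge(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        try {
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("Responding with the authentication challenge");
            }
            httpServletResponse.sendRedirect(getAuthenticationRequest(httpServletRequest));
        } catch (IOException e) {
            LOGGER.error("Error while trying to respond with the authentication challenge: {}", e.getMessage(), e);
            throw new AuthenticationException(e.getMessage(), e);
        }
    }

    /**
     * Exchanges an authorization code at the token endpoint and stores the resulting tokens as cookies.
     * <p>
     * The current request URL is sent as {@code redirect_uri}; the IdP will only accept it if it
     * matches the one sent in the authorization request (see {@link #getRedirectUri}).
     *
     * @param authCode the value of the {@code code} callback parameter
     * @return the access-token value, or {@code null} if the exchange failed (logged at WARN, no stack trace)
     */
    private String retrieveTokenUsingAuthCode(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String authCode) {
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Retrieving a response using the Authorization Code at the Token Endpoint");
        }
        String accessToken = null;
        try {
            IdentityServiceFacade.AccessTokenAuthorization authorization = this.identityServiceFacade.authorize(
                    IdentityServiceFacade.AuthorizationGrant.authorizationCode(authCode, httpServletRequest.getRequestURL().toString()));
            addCookies(httpServletResponse, authorization);
            accessToken = authorization.getAccessToken().getTokenValue();
        } catch (IdentityServiceFacade.AuthorizationException e) {
            if (LOGGER.isWarnEnabled()) {
                LOGGER.warn("Error while trying to retrieve a response using the Authorization Code at the Token Endpoint: {}", e.getMessage());
            }
        }
        return accessToken;
    }

    /**
     * Returns a usable access token, refreshing it via the refresh-token cookie when the
     * expiration cookie indicates the current one has expired.
     * <p>
     * Any failure on this path (a missing or malformed expiration cookie, a rejected refresh
     * token, an empty token response) is treated the same way: all three token cookies are
     * reset and {@code null} is returned so the caller re-issues the challenge. The catch is
     * deliberately broad for that reason.
     *
     * @param accessToken the access token read from the cookie
     * @return the (possibly refreshed) access token, or {@code null} if it could not be refreshed
     */
    private String refreshTokenIfNeeded(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String accessToken) {
        String refreshToken = this.cookiesService.getCookie(ALFRESCO_REFRESH_TOKEN, httpServletRequest);
        try {
            if (isAuthTokenExpired(this.cookiesService.getCookie(ALFRESCO_TOKEN_EXPIRATION, httpServletRequest))) {
                accessToken = refreshAuthToken(refreshToken, httpServletResponse);
            }
        } catch (Exception e) {
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("Error while trying to refresh Auth Token: {}", e.getMessage());
            }
            accessToken = null;
            resetCookies(httpServletResponse);
        }
        return accessToken;
    }

    /** Stores the access token, its expiration (epoch millis) and the refresh token as cookies. */
    private void addCookies(HttpServletResponse httpServletResponse, IdentityServiceFacade.AccessTokenAuthorization accessTokenAuthorization) {
        this.cookiesService.addCookie(ALFRESCO_ACCESS_TOKEN, accessTokenAuthorization.getAccessToken().getTokenValue(), httpServletResponse);
        this.cookiesService.addCookie(ALFRESCO_TOKEN_EXPIRATION,
                String.valueOf(accessTokenAuthorization.getAccessToken().getExpiresAt().toEpochMilli()), httpServletResponse);
        this.cookiesService.addCookie(ALFRESCO_REFRESH_TOKEN, accessTokenAuthorization.getRefreshTokenValue(), httpServletResponse);
    }

    /**
     * Builds the authorization-request URL for the IdP's authorization endpoint.
     * <p>
     * Scopes are joined with a literal {@code +}; {@code build().toUriString()} does not encode
     * the query, so the IdP receives them separated by {@code +}, which it reads as a space.
     * A fresh random {@code state} is attached to every request; note that it is not retained
     * by this class. The {@code audience} parameter is only added when configured.
     */
    private String getAuthenticationRequest(HttpServletRequest httpServletRequest) {
        ClientRegistration clientRegistration = this.identityServiceFacade.getClientRegistration();
        UriComponentsBuilder builder = UriComponentsBuilder.fromUriString(clientRegistration.getProviderDetails().getAuthorizationUri())
                .queryParam("client_id", clientRegistration.getClientId())
                .queryParam("redirect_uri", getRedirectUri(httpServletRequest.getRequestURL().toString()))
                .queryParam("response_type", CODE_PARAM)
                .queryParam("scope", String.join("+", getScopes(clientRegistration)))
                // The decompiled form referenced TransferDestinationReportModel.LOCALNAME_TRANSFER_STATE,
                // which is the same "state" literal; this is the OAuth2 state parameter.
                .queryParam("state", new State().toString());
        String audience = this.identityServiceConfig.getAudience();
        if (StringUtils.isNotBlank(audience)) {
            builder.queryParam("audience", audience);
        }
        return builder.build().toUriString();
    }

    /**
     * Determines which scopes to request: the intersection of {@link #SCOPES} with the
     * {@code scopes_supported} metadata when the provider advertises it as a {@link Scope},
     * otherwise the scopes configured on the client registration.
     */
    private Set<String> getScopes(ClientRegistration clientRegistration) {
        return Optional.ofNullable(clientRegistration.getProviderDetails())
                .map(providerDetails -> providerDetails.getConfigurationMetadata())
                .map(metadata -> metadata.get(IdentityServiceMetadataKey.SCOPES_SUPPORTED.getValue()))
                .filter(Scope.class::isInstance)
                .map(Scope.class::cast)
                .map(this::getSupportedScopes)
                .orElse(clientRegistration.getScopes());
    }

    /** Keeps only the advertised scope values that are in {@link #SCOPES}. */
    private Set<String> getSupportedScopes(Scope scope) {
        return scope.stream()
                .map(value -> value.getValue())
                .filter(SCOPES::contains)
                .collect(Collectors.toSet());
    }

    /**
     * Derives the {@code redirect_uri}: the scheme and authority of the current request combined
     * with the configured Admin Console redirect path (query and fragment of the request are kept).
     *
     * @throws AuthenticationException if the request URL cannot be parsed
     */
    private String getRedirectUri(String requestUrl) {
        try {
            URI current = new URI(requestUrl);
            return new URI(current.getScheme(), current.getAuthority(), this.identityServiceConfig.getAdminConsoleRedirectPath(),
                    current.getQuery(), current.getFragment()).toASCIIString();
        } catch (URISyntaxException e) {
            LOGGER.error("Error while trying to get the redirect URI and respond with the authentication challenge: {}", e.getMessage(), e);
            throw new AuthenticationException(e.getMessage(), e);
        }
    }

    /** Clears all three token cookies on the response. */
    private void resetCookies(HttpServletResponse httpServletResponse) {
        this.cookiesService.resetCookie(ALFRESCO_TOKEN_EXPIRATION, httpServletResponse);
        this.cookiesService.resetCookie(ALFRESCO_ACCESS_TOKEN, httpServletResponse);
        this.cookiesService.resetCookie(ALFRESCO_REFRESH_TOKEN, httpServletResponse);
    }

    /**
     * Refreshes the tokens using the given refresh token, re-writes the cookies and returns the
     * new access-token value.
     */
    private String refreshAuthToken(String refreshToken, HttpServletResponse httpServletResponse) {
        IdentityServiceFacade.AccessTokenAuthorization refreshed = doRefreshAuthToken(refreshToken);
        addCookies(httpServletResponse, refreshed);
        return refreshed.getAccessToken().getTokenValue();
    }

    /**
     * Performs the refresh-token grant.
     *
     * @throws AuthenticationException if the facade returns no authorization or one without an access token
     */
    private IdentityServiceFacade.AccessTokenAuthorization doRefreshAuthToken(String refreshToken) {
        IdentityServiceFacade.AccessTokenAuthorization authorization = this.identityServiceFacade.authorize(
                IdentityServiceFacade.AuthorizationGrant.refreshToken(refreshToken));
        if (authorization == null || authorization.getAccessToken() == null) {
            throw new AuthenticationException("AccessTokenResponse is null or empty");
        }
        return authorization;
    }

    /**
     * Returns {@code true} when the expiration instant (epoch millis, as written by {@link #addCookies})
     * is now or in the past.
     *
     * @throws NumberFormatException if the cookie value is missing or not a number; callers treat this as "not refreshable"
     */
    private static boolean isAuthTokenExpired(String expirationEpochMillis) {
        Instant expiresAt = Instant.ofEpochMilli(Long.parseLong(expirationEpochMillis));
        return !Instant.now().isBefore(expiresAt);
    }

    /** Wraps the request so that it carries the access token as a Bearer {@code Authorization} header. */
    private HttpServletRequest decorateBearerHeader(String accessToken, HttpServletRequest httpServletRequest) {
        HashMap<String, String> headers = new HashMap<>();
        headers.put("Authorization", "Bearer " + accessToken);
        return new AdminConsoleHttpServletRequestWrapper(headers, httpServletRequest);
    }

    /** Injects the facade used for the token-endpoint calls and client registration lookup. */
    public void setIdentityServiceFacade(IdentityServiceFacade identityServiceFacade) {
        this.identityServiceFacade = identityServiceFacade;
    }

    /** Injects the mapper that turns a request (or Bearer header) into a user name. */
    public void setRemoteUserMapper(RemoteUserMapper remoteUserMapper) {
        this.remoteUserMapper = remoteUserMapper;
    }

    /** Injects the service that reads, writes and resets the token cookies. */
    public void setCookiesService(AdminConsoleAuthenticationCookiesService adminConsoleAuthenticationCookiesService) {
        this.cookiesService = adminConsoleAuthenticationCookiesService;
    }

    /** Injects the configuration providing the audience and the Admin Console redirect path. */
    public void setIdentityServiceConfig(IdentityServiceConfig identityServiceConfig) {
        this.identityServiceConfig = identityServiceConfig;
    }

    /** @return whether this authenticator is enabled for the subsystem */
    @Override
    public boolean isActive() {
        return this.isEnabled;
    }

    /** Enables or disables this authenticator. */
    public void setActive(boolean z) {
        this.isEnabled = z;
    }
}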
