package com.gentics.mesh.auth.oauth2;

import com.gentics.mesh.auth.AuthHandlerContainer;
import com.gentics.mesh.auth.AuthServicePluginRegistry;
import com.gentics.mesh.auth.MeshOAuthService;
import com.gentics.mesh.context.impl.InternalRoutingActionContextImpl;
import com.gentics.mesh.core.data.HibBaseElement;
import com.gentics.mesh.core.data.dao.GroupDao;
import com.gentics.mesh.core.data.dao.PermissionRoots;
import com.gentics.mesh.core.data.dao.RoleDao;
import com.gentics.mesh.core.data.dao.UserDao;
import com.gentics.mesh.core.data.group.HibGroup;
import com.gentics.mesh.core.data.role.HibRole;
import com.gentics.mesh.core.data.user.HibUser;
import com.gentics.mesh.core.data.user.MeshAuthUser;
import com.gentics.mesh.core.db.Database;
import com.gentics.mesh.core.db.Tx;
import com.gentics.mesh.core.endpoint.admin.LocalConfigApi;
import com.gentics.mesh.core.rest.error.Errors;
import com.gentics.mesh.core.rest.group.GroupReference;
import com.gentics.mesh.core.rest.group.GroupResponse;
import com.gentics.mesh.core.rest.role.RoleReference;
import com.gentics.mesh.core.rest.role.RoleResponse;
import com.gentics.mesh.core.rest.user.UserUpdateRequest;
import com.gentics.mesh.distributed.RequestDelegator;
import com.gentics.mesh.etc.config.AuthenticationOptions;
import com.gentics.mesh.etc.config.MeshOptions;
import com.gentics.mesh.event.Assignment;
import com.gentics.mesh.event.EventQueueBatch;
import com.gentics.mesh.plugin.auth.AuthServicePlugin;
import com.gentics.mesh.plugin.auth.GroupFilter;
import com.gentics.mesh.plugin.auth.MappingResult;
import com.gentics.mesh.plugin.auth.RoleFilter;
import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import com.google.common.base.Throwables;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.reactivex.Completable;
import io.reactivex.Single;
import io.vertx.core.http.HttpHeaders;
import io.vertx.core.json.JsonObject;
import io.vertx.core.logging.Logger;
import io.vertx.core.logging.LoggerFactory;
import io.vertx.ext.auth.User;
import io.vertx.ext.web.Route;
import io.vertx.ext.web.RoutingContext;
import io.vertx.ext.web.handler.JWTAuthHandler;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import javax.inject.Inject;
import javax.inject.Provider;
import javax.inject.Singleton;

@Singleton
/* loaded from: input_file:com/gentics/mesh/auth/oauth2/MeshOAuth2ServiceImpl.class */
public class MeshOAuth2ServiceImpl implements MeshOAuthService {
    private static final Logger log = LoggerFactory.getLogger(MeshOAuth2ServiceImpl.class);
    private static final String DEFAULT_JWT_USERNAME_PROP = "preferred_username";
    public final Cache<String, String> TOKEN_ID_LOG = Caffeine.newBuilder().maximumSize(20000).expireAfterWrite(24, TimeUnit.HOURS).build();
    protected AuthServicePluginRegistry authPluginRegistry;
    protected Database db;
    protected PermissionRoots permissionRoots;
    private final AuthenticationOptions authOptions;
    private final Provider<EventQueueBatch> batchProvider;
    private final AuthHandlerContainer authHandlerContainer;
    private final LocalConfigApi localConfigApi;
    private final RequestDelegator delegator;

    @Inject
    public MeshOAuth2ServiceImpl(Database database, MeshOptions meshOptions, Provider<EventQueueBatch> provider, AuthServicePluginRegistry authServicePluginRegistry, AuthHandlerContainer authHandlerContainer, LocalConfigApi localConfigApi, RequestDelegator requestDelegator, PermissionRoots permissionRoots) {
        this.db = database;
        this.batchProvider = provider;
        this.authPluginRegistry = authServicePluginRegistry;
        this.authOptions = meshOptions.getAuthenticationOptions();
        this.authHandlerContainer = authHandlerContainer;
        this.localConfigApi = localConfigApi;
        this.delegator = requestDelegator;
        this.permissionRoots = permissionRoots;
    }

    private JWTAuthHandler createJWTHandler() {
        HashSet<JsonObject> hashSet = new HashSet();
        hashSet.addAll((Collection) this.authOptions.getPublicKeys().stream().collect(Collectors.toSet()));
        hashSet.addAll(this.authPluginRegistry.getActivePublicKeys());
        if (hashSet.isEmpty()) {
            return null;
        }
        if (log.isDebugEnabled()) {
            for (JsonObject jsonObject : hashSet) {
                if (jsonObject != null) {
                    log.debug(jsonObject.encodePrettily());
                } else {
                    log.debug("Key is null");
                }
            }
        }
        return this.authHandlerContainer.create(hashSet);
    }

    public void secure(Route route) {
        route.handler(routingContext -> {
            if (routingContext.user() != null) {
                routingContext.next();
                return;
            }
            if (routingContext.request().headers().get(HttpHeaders.AUTHORIZATION) == null) {
                routingContext.next();
                return;
            }
            JWTAuthHandler createJWTHandler = createJWTHandler();
            if (createJWTHandler != null) {
                createJWTHandler.handle(routingContext);
            } else {
                log.warn("No key handler was created. This may happen when neither the plugin or the mesh configuration provides custom public keys.");
                routingContext.next();
            }
        });
        route.handler(routingContext2 -> {
            User user = routingContext2.user();
            if (user == null) {
                routingContext2.next();
                return;
            }
            if (user instanceof MeshAuthUser) {
                routingContext2.next();
                return;
            }
            List<AuthServicePlugin> plugins = this.authPluginRegistry.getPlugins();
            JsonObject jsonObject = user.attributes().getJsonObject("accessToken");
            if (jsonObject == null || jsonObject.isEmpty()) {
                routingContext2.fail(401);
                return;
            }
            for (AuthServicePlugin authServicePlugin : plugins) {
                if (!authServicePlugin.acceptToken(routingContext2.request(), jsonObject)) {
                    if (log.isDebugEnabled()) {
                        log.debug("The plugin {} rejected the token.", new Object[]{authServicePlugin.getManifest().getName()});
                    }
                    routingContext2.fail(401);
                    return;
                }
            }
            syncUser(routingContext2, jsonObject).subscribe(meshAuthUser -> {
                routingContext2.setUser(meshAuthUser);
                routingContext2.next();
            }, th -> {
                if (Throwables.getRootCause(th) instanceof CannotWriteException) {
                    this.delegator.redirectToMaster(routingContext2);
                } else {
                    routingContext2.fail(th);
                }
            });
        });
    }

    protected Single<MeshAuthUser> syncUser(RoutingContext routingContext, JsonObject jsonObject) {
        Optional<String> extractUsername = extractUsername(jsonObject);
        if (!extractUsername.isPresent()) {
            throw new RuntimeException("The username could not be determined. Maybe no plugin was able to return a match or the token did not contain the preferred_username property.");
        }
        String str = extractUsername.get();
        String string = jsonObject.getString("jti");
        if (string == null) {
            Integer integer = jsonObject.getInteger("iat");
            if (integer == null) {
                throw new RuntimeException("The token does not contain an iat or jti property. One of those values is required.");
            }
            string = str + "-" + String.valueOf(integer);
        }
        String str2 = string;
        EventQueueBatch eventQueueBatch = (EventQueueBatch) this.batchProvider.get();
        return this.db.maybeTx(tx -> {
            return tx.userDao().findMeshAuthUserByUsername(str);
        }).flatMapSingleElement(meshAuthUser -> {
            Database database = this.db;
            HibUser delegate = meshAuthUser.getDelegate();
            Objects.requireNonNull(delegate);
            return database.singleTx(delegate::getUuid).flatMap(str3 -> {
                String str3 = (String) this.TOKEN_ID_LOG.getIfPresent(str3);
                if (str3 == null || !str3.equals(str2)) {
                    return assertReadOnlyDeactivated().andThen(this.db.singleTx(tx2 -> {
                        runPlugins(tx2, routingContext, eventQueueBatch, tx2.userDao().findByUsername("admin"), meshAuthUser, str3, jsonObject);
                        this.TOKEN_ID_LOG.put(str3, str2);
                        return meshAuthUser;
                    }));
                }
                log.debug("The request does not need mapping since we have already processed the token before.");
                return Single.just(meshAuthUser);
            });
        }).switchIfEmpty(assertReadOnlyDeactivated().andThen(requiresWriteCompletable()).andThen(this.db.singleTxWriteLock(tx2 -> {
            UserDao userDao = tx2.userDao();
            HibBaseElement user = this.permissionRoots.user();
            HibUser findByUsername = userDao.findByUsername("admin");
            userDao.inheritRolePermissions(findByUsername, user, userDao.create(str, findByUsername));
            MeshAuthUser findMeshAuthUserByUsername = userDao.findMeshAuthUserByUsername(str);
            String uuid = findMeshAuthUserByUsername.getDelegate().getUuid();
            eventQueueBatch.add(findMeshAuthUserByUsername.getDelegate().onCreated());
            runPlugins(tx2, routingContext, eventQueueBatch, findByUsername, findMeshAuthUserByUsername, null, jsonObject);
            this.TOKEN_ID_LOG.put(uuid, str2);
            return findMeshAuthUserByUsername;
        }))).doOnSuccess(meshAuthUser2 -> {
            eventQueueBatch.dispatch();
        });
    }

    private Completable assertReadOnlyDeactivated() {
        return this.db.isReadOnly(true) ? Completable.error(Errors.error(HttpResponseStatus.METHOD_NOT_ALLOWED, "error_readonly_mode_oauth", new String[0])) : this.localConfigApi.getActiveConfig().flatMapCompletable(localConfigModel -> {
            return localConfigModel.isReadOnly().booleanValue() ? Completable.error(Errors.error(HttpResponseStatus.METHOD_NOT_ALLOWED, "error_readonly_mode_oauth", new String[0])) : Completable.complete();
        });
    }

    private Optional<String> extractUsername(JsonObject jsonObject) {
        Iterator<AuthServicePlugin> it = this.authPluginRegistry.getPlugins().iterator();
        while (it.hasNext()) {
            Optional<String> extractUsername = it.next().extractUsername(jsonObject);
            if (extractUsername.isPresent()) {
                return extractUsername;
            }
        }
        return Optional.ofNullable(jsonObject.getString(DEFAULT_JWT_USERNAME_PROP));
    }

    private void defaultUserMapper(EventQueueBatch eventQueueBatch, MeshAuthUser meshAuthUser, JsonObject jsonObject) throws CannotWriteException {
        boolean z = false;
        String string = jsonObject.getString("given_name");
        if (string == null) {
            log.warn("Did not find given_name property in OAuth2 principle.");
        } else if (!Objects.equals(meshAuthUser.getDelegate().getFirstname(), string)) {
            requiresWrite();
            meshAuthUser.getDelegate().setFirstname(string);
            z = true;
        }
        String string2 = jsonObject.getString("family_name");
        if (string2 == null) {
            log.warn("Did not find family_name property in OAuth2 principle.");
        } else if (!Objects.equals(meshAuthUser.getDelegate().getLastname(), string2)) {
            requiresWrite();
            meshAuthUser.getDelegate().setLastname(string2);
            z = true;
        }
        String string3 = jsonObject.getString("email");
        if (string3 == null) {
            log.warn("Did not find email property in OAuth2 principle");
        } else if (!Objects.equals(meshAuthUser.getDelegate().getEmailAddress(), string3)) {
            requiresWrite();
            meshAuthUser.getDelegate().setEmailAddress(string3);
            z = true;
        }
        if (z) {
            eventQueueBatch.add(meshAuthUser.getDelegate().onUpdated());
        }
    }

    private void runPlugins(Tx tx, RoutingContext routingContext, EventQueueBatch eventQueueBatch, HibUser hibUser, MeshAuthUser meshAuthUser, String str, JsonObject jsonObject) throws CannotWriteException {
        List<AuthServicePlugin> plugins = this.authPluginRegistry.getPlugins();
        if (plugins.isEmpty()) {
            log.debug("No auth plugins could be found. Falling back to default mapping");
            defaultUserMapper(eventQueueBatch, meshAuthUser, jsonObject);
            return;
        }
        RoleDao roleDao = tx.roleDao();
        GroupDao groupDao = tx.groupDao();
        UserDao userDao = tx.userDao();
        HibBaseElement group = this.permissionRoots.group();
        HibBaseElement role = this.permissionRoots.role();
        HibUser findByUuid = userDao.findByUuid(meshAuthUser.getDelegate().getUuid());
        for (AuthServicePlugin authServicePlugin : plugins) {
            if (log.isDebugEnabled()) {
                log.debug("Handling mapping via auth plugin {}", new Object[]{authServicePlugin.getManifest().getName()});
            }
            try {
                MappingResult mapToken = authServicePlugin.mapToken(routingContext.request(), str, jsonObject);
                if (mapToken == null) {
                    log.debug("Plugin did not provide a mapping result. Using only default mapping for user");
                    defaultUserMapper(eventQueueBatch, meshAuthUser, jsonObject);
                } else {
                    UserUpdateRequest user = mapToken.getUser();
                    if (user != null) {
                        InternalRoutingActionContextImpl internalRoutingActionContextImpl = new InternalRoutingActionContextImpl(routingContext);
                        internalRoutingActionContextImpl.setBody(user);
                        internalRoutingActionContextImpl.setUser(hibUser.toAuthUser());
                        if (!this.delegator.canWrite() && userDao.updateDry(findByUuid, internalRoutingActionContextImpl)) {
                            throw new CannotWriteException();
                        }
                        userDao.update(findByUuid, internalRoutingActionContextImpl, eventQueueBatch);
                        List<RoleResponse> roles = mapToken.getRoles();
                        if (roles != null) {
                            for (RoleResponse roleResponse : roles) {
                                String uuid = roleResponse.getUuid();
                                String name = roleResponse.getName();
                                HibRole hibRole = null;
                                if (uuid != null) {
                                    hibRole = (HibRole) roleDao.findByUuid(uuid);
                                } else if (name != null) {
                                    hibRole = roleDao.findByName(name);
                                }
                                if (hibRole == null) {
                                    if (name != null) {
                                        requiresWrite();
                                        log.debug("Creating new role {} via mapping request.", new Object[]{name});
                                        HibRole create = roleDao.create(name, hibUser);
                                        userDao.inheritRolePermissions(hibUser, role, create);
                                        eventQueueBatch.add(create.onCreated());
                                    } else {
                                        log.error("Unable to create role. No role name was specified.");
                                    }
                                }
                            }
                        }
                        List groups = mapToken.getGroups();
                        if (groups != null) {
                            Iterator it = groups.iterator();
                            while (true) {
                                if (!it.hasNext()) {
                                    break;
                                }
                                GroupResponse groupResponse = (GroupResponse) it.next();
                                String name2 = groupResponse.getName();
                                String uuid2 = groupResponse.getUuid();
                                HibBaseElement hibBaseElement = null;
                                if (uuid2 != null) {
                                    hibBaseElement = (HibGroup) groupDao.findByUuid(uuid2);
                                } else if (name2 != null) {
                                    hibBaseElement = (HibGroup) groupDao.findByName(name2);
                                }
                                boolean z = false;
                                if (hibBaseElement == null) {
                                    if (name2 == null) {
                                        log.error("Unable to create group. No group name was specified.");
                                        break;
                                    }
                                    requiresWrite();
                                    log.debug("Creating group {} via mapping request.", new Object[]{name2});
                                    hibBaseElement = groupDao.create(name2, hibUser);
                                    userDao.inheritRolePermissions(hibUser, group, hibBaseElement);
                                    eventQueueBatch.add(hibBaseElement.onCreated());
                                    z = true;
                                }
                                if (!groupDao.hasUser(hibBaseElement, findByUuid)) {
                                    requiresWrite();
                                    log.debug("Adding user {} to group {} via mapping request.", new Object[]{findByUuid.getUsername(), hibBaseElement.getName()});
                                    groupDao.addUser(hibBaseElement, findByUuid);
                                    eventQueueBatch.add(groupDao.createUserAssignmentEvent(hibBaseElement, findByUuid, Assignment.ASSIGNED));
                                    if (!z) {
                                        eventQueueBatch.add(hibBaseElement.onUpdated());
                                    }
                                }
                                for (RoleReference roleReference : groupResponse.getRoles()) {
                                    String name3 = roleReference.getName();
                                    String uuid3 = roleReference.getUuid();
                                    HibRole hibRole2 = null;
                                    if (name3 != null) {
                                        hibRole2 = (HibRole) roleDao.findByName(name3);
                                    } else if (uuid3 != null) {
                                        hibRole2 = roleDao.findByUuid(uuid3);
                                    }
                                    if (hibRole2 == null || groupDao.hasRole(hibBaseElement, hibRole2)) {
                                        log.warn("Unable to map role to group. The role with name {} / uuid {} could not be found", new Object[]{name3, uuid3});
                                    } else {
                                        requiresWrite();
                                        log.debug("Adding role {} to group {} via mapping request.", new Object[]{hibRole2.getName(), hibBaseElement.getName()});
                                        groupDao.addRole(hibBaseElement, hibRole2);
                                        hibBaseElement.setLastEditedTimestamp();
                                        hibBaseElement.setEditor(hibUser);
                                        eventQueueBatch.add(groupDao.createRoleAssignmentEvent(hibBaseElement, hibRole2, Assignment.ASSIGNED));
                                    }
                                }
                                RoleFilter roleFilter = mapToken.getRoleFilter();
                                if (roleFilter != null) {
                                    for (HibRole hibRole3 : groupDao.getRoles(hibBaseElement)) {
                                        if (roleFilter.filter(hibBaseElement.getName(), hibRole3.getName())) {
                                            requiresWrite();
                                            log.info("Unassigning role {" + hibRole3.getName() + "} from group {" + hibBaseElement.getName() + "}");
                                            groupDao.removeRole(hibBaseElement, hibRole3);
                                            eventQueueBatch.add(groupDao.createRoleAssignmentEvent(hibBaseElement, hibRole3, Assignment.UNASSIGNED));
                                        }
                                    }
                                }
                            }
                        }
                        if (roles != null) {
                            for (RoleResponse roleResponse2 : roles) {
                                HibRole findByName = roleDao.findByName(roleResponse2.getName());
                                if (findByName == null) {
                                    log.warn("Could not find referenced role {" + findByName + "}");
                                } else {
                                    for (GroupReference groupReference : roleResponse2.getGroups()) {
                                        String name4 = groupReference.getName();
                                        String uuid4 = groupReference.getUuid();
                                        HibGroup hibGroup = null;
                                        if (name4 != null) {
                                            hibGroup = (HibGroup) groupDao.findByName(name4);
                                        } else if (uuid4 != null) {
                                            hibGroup = groupDao.findByUuid(uuid4);
                                        }
                                        if (hibGroup == null || groupDao.hasRole(hibGroup, findByName)) {
                                            log.error("Could not find group in role->group mapping of role {}", new Object[]{findByName.getName()});
                                        } else {
                                            requiresWrite();
                                            groupDao.addRole(hibGroup, findByName);
                                            eventQueueBatch.add(groupDao.createRoleAssignmentEvent(hibGroup, findByName, Assignment.ASSIGNED));
                                        }
                                    }
                                }
                            }
                        }
                        GroupFilter groupFilter = mapToken.getGroupFilter();
                        if (groupFilter != null) {
                            for (HibGroup hibGroup2 : userDao.getGroups(findByUuid)) {
                                if (groupFilter.filter(hibGroup2.getName())) {
                                    requiresWrite();
                                    log.info("Unassigning group {" + hibGroup2.getName() + "} from user {" + findByUuid.getUsername() + "}");
                                    groupDao.removeUser(hibGroup2, findByUuid);
                                    eventQueueBatch.add(groupDao.createUserAssignmentEvent(hibGroup2, findByUuid, Assignment.UNASSIGNED));
                                }
                            }
                        }
                    } else {
                        defaultUserMapper(eventQueueBatch, meshAuthUser, jsonObject);
                    }
                }
            } catch (CannotWriteException e) {
                throw e;
            } catch (Exception e2) {
                log.error("Error while executing mapping plugin {" + authServicePlugin.id() + "}. Ignoring result.", e2);
                throw e2;
            }
        }
    }

    private void requiresWrite() throws CannotWriteException {
        if (!this.delegator.canWrite()) {
            throw new CannotWriteException();
        }
    }

    private Completable requiresWriteCompletable() {
        return this.delegator.canWrite() ? Completable.complete() : Completable.error(new CannotWriteException());
    }
}
