package com.gentics.mesh.auth;

import com.gentics.mesh.cli.BootstrapInitializer;
import com.gentics.mesh.context.impl.InternalRoutingActionContextImpl;
import com.gentics.mesh.core.data.Group;
import com.gentics.mesh.core.data.MeshAuthUser;
import com.gentics.mesh.core.data.MeshVertex;
import com.gentics.mesh.core.data.Role;
import com.gentics.mesh.core.data.User;
import com.gentics.mesh.core.data.root.GroupRoot;
import com.gentics.mesh.core.data.root.RoleRoot;
import com.gentics.mesh.core.data.root.UserRoot;
import com.gentics.mesh.core.endpoint.admin.LocalConfigApi;
import com.gentics.mesh.core.rest.error.Errors;
import com.gentics.mesh.core.rest.group.GroupReference;
import com.gentics.mesh.core.rest.group.GroupResponse;
import com.gentics.mesh.core.rest.role.RoleReference;
import com.gentics.mesh.core.rest.role.RoleResponse;
import com.gentics.mesh.core.rest.user.UserUpdateRequest;
import com.gentics.mesh.etc.config.AuthenticationOptions;
import com.gentics.mesh.etc.config.MeshOptions;
import com.gentics.mesh.event.Assignment;
import com.gentics.mesh.event.EventQueueBatch;
import com.gentics.mesh.graphdb.spi.Database;
import com.gentics.mesh.plugin.auth.AuthServicePlugin;
import com.gentics.mesh.plugin.auth.GroupFilter;
import com.gentics.mesh.plugin.auth.MappingResult;
import com.gentics.mesh.plugin.auth.RoleFilter;
import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.reactivex.Completable;
import io.reactivex.Single;
import io.reactivex.functions.Consumer;
import io.vertx.core.http.HttpHeaders;
import io.vertx.core.json.JsonObject;
import io.vertx.core.logging.Logger;
import io.vertx.core.logging.LoggerFactory;
import io.vertx.ext.auth.jwt.impl.JWTUser;
import io.vertx.ext.web.Route;
import io.vertx.ext.web.RoutingContext;
import io.vertx.ext.web.handler.JWTAuthHandler;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import javax.inject.Inject;
import javax.inject.Provider;
import javax.inject.Singleton;

@Singleton
/* loaded from: input_file:com/gentics/mesh/auth/MeshOAuth2ServiceImpl.class */
public class MeshOAuth2ServiceImpl implements MeshOAuthService {
    private static final Logger log = LoggerFactory.getLogger(MeshOAuth2ServiceImpl.class);
    private static final String DEFAULT_JWT_USERNAME_PROP = "preferred_username";
    public final Cache<String, String> TOKEN_ID_LOG = Caffeine.newBuilder().maximumSize(20000).expireAfterWrite(24, TimeUnit.HOURS).build();
    protected AuthServicePluginRegistry authPluginRegistry;
    protected Database db;
    protected BootstrapInitializer boot;
    private final AuthenticationOptions authOptions;
    private final Provider<EventQueueBatch> batchProvider;
    private final AuthHandlerContainer authHandlerContainer;
    private final LocalConfigApi localConfigApi;

    @Inject
    public MeshOAuth2ServiceImpl(Database database, BootstrapInitializer bootstrapInitializer, MeshOptions meshOptions, Provider<EventQueueBatch> provider, AuthServicePluginRegistry authServicePluginRegistry, AuthHandlerContainer authHandlerContainer, LocalConfigApi localConfigApi) {
        this.db = database;
        this.boot = bootstrapInitializer;
        this.batchProvider = provider;
        this.authPluginRegistry = authServicePluginRegistry;
        this.authOptions = meshOptions.getAuthenticationOptions();
        this.authHandlerContainer = authHandlerContainer;
        this.localConfigApi = localConfigApi;
    }

    private JWTAuthHandler createJWTHandler() {
        HashSet<JsonObject> hashSet = new HashSet();
        hashSet.addAll((Collection) this.authOptions.getPublicKeys().stream().collect(Collectors.toSet()));
        hashSet.addAll(this.authPluginRegistry.getActivePublicKeys());
        if (hashSet.isEmpty()) {
            return null;
        }
        if (log.isDebugEnabled()) {
            for (JsonObject jsonObject : hashSet) {
                if (jsonObject != null) {
                    log.debug(jsonObject.encodePrettily());
                } else {
                    log.debug("Key is null");
                }
            }
        }
        return this.authHandlerContainer.create(hashSet);
    }

    public void secure(Route route) {
        route.handler(routingContext -> {
            if (routingContext.user() != null) {
                routingContext.next();
                return;
            }
            if (routingContext.request().headers().get(HttpHeaders.AUTHORIZATION) == null) {
                routingContext.next();
                return;
            }
            JWTAuthHandler createJWTHandler = createJWTHandler();
            if (createJWTHandler != null) {
                createJWTHandler.handle(routingContext);
            } else {
                routingContext.next();
            }
        });
        route.handler(routingContext2 -> {
            JWTUser user = routingContext2.user();
            if (user == null) {
                routingContext2.next();
                return;
            }
            if (user instanceof MeshAuthUser) {
                routingContext2.next();
                return;
            }
            if (!(user instanceof JWTUser)) {
                routingContext2.fail(401);
                return;
            }
            JWTUser jWTUser = user;
            List<AuthServicePlugin> plugins = this.authPluginRegistry.getPlugins();
            JsonObject principal = jWTUser.principal();
            Iterator<AuthServicePlugin> it = plugins.iterator();
            while (it.hasNext()) {
                if (!it.next().acceptToken(routingContext2.request(), principal)) {
                    routingContext2.fail(401);
                    return;
                }
            }
            Single<MeshAuthUser> syncUser = syncUser(routingContext2, jWTUser.principal());
            Consumer consumer = meshAuthUser -> {
                routingContext2.setUser(meshAuthUser);
                routingContext2.next();
            };
            routingContext2.getClass();
            syncUser.subscribe(consumer, routingContext2::fail);
        });
    }

    protected Single<MeshAuthUser> syncUser(RoutingContext routingContext, JsonObject jsonObject) {
        Optional<String> extractUsername = extractUsername(jsonObject);
        if (!extractUsername.isPresent()) {
            throw new RuntimeException("The username could not be determined. Maybe no plugin was able to return a match or the token did not contain the preferred_username property.");
        }
        String str = extractUsername.get();
        String string = jsonObject.getString("jti");
        if (string == null) {
            Integer integer = jsonObject.getInteger("iat");
            if (integer == null) {
                throw new RuntimeException("The token does not contain an iat or jti property. One of those values is required.");
            }
            string = str + "-" + String.valueOf(integer);
        }
        String str2 = string;
        EventQueueBatch eventQueueBatch = (EventQueueBatch) this.batchProvider.get();
        return this.db.maybeTx(tx -> {
            return this.boot.userRoot().findMeshAuthUserByUsername(str);
        }).flatMapSingleElement(meshAuthUser -> {
            Database database = this.db;
            meshAuthUser.getClass();
            return database.singleTx(meshAuthUser::getUuid).flatMap(str3 -> {
                String str3 = (String) this.TOKEN_ID_LOG.getIfPresent(meshAuthUser.getUuid());
                return (str3 == null || !str3.equals(str2)) ? assertReadOnlyDeactivated().andThen(this.db.asyncTx(() -> {
                    runPlugins(routingContext, eventQueueBatch, this.boot.userRoot().findByUsername("admin"), meshAuthUser, str3, jsonObject);
                    this.TOKEN_ID_LOG.put(str3, str2);
                })).andThen(Single.just(meshAuthUser)) : Single.just(meshAuthUser);
            });
        }).switchIfEmpty(assertReadOnlyDeactivated().andThen(this.db.singleTxWriteLock(tx2 -> {
            UserRoot userRoot = this.boot.userRoot();
            User findByUsername = userRoot.findByUsername("admin");
            findByUsername.inheritRolePermissions(userRoot, userRoot.create(str, findByUsername));
            MeshAuthUser findMeshAuthUserByUsername = userRoot.findMeshAuthUserByUsername(str);
            String uuid = findMeshAuthUserByUsername.getUuid();
            runPlugins(routingContext, eventQueueBatch, findByUsername, findMeshAuthUserByUsername, null, jsonObject);
            this.TOKEN_ID_LOG.put(uuid, str2);
            return findMeshAuthUserByUsername;
        }))).doOnSuccess(meshAuthUser2 -> {
            eventQueueBatch.dispatch();
        });
    }

    private Completable assertReadOnlyDeactivated() {
        return this.localConfigApi.getActiveConfig().flatMapCompletable(localConfigModel -> {
            return localConfigModel.isReadOnly().booleanValue() ? Completable.error(Errors.error(HttpResponseStatus.METHOD_NOT_ALLOWED, "error_readonly_mode_oauth", new String[0])) : Completable.complete();
        });
    }

    private Optional<String> extractUsername(JsonObject jsonObject) {
        Iterator<AuthServicePlugin> it = this.authPluginRegistry.getPlugins().iterator();
        while (it.hasNext()) {
            Optional<String> extractUsername = it.next().extractUsername(jsonObject);
            if (extractUsername.isPresent()) {
                return extractUsername;
            }
        }
        return Optional.ofNullable(jsonObject.getString(DEFAULT_JWT_USERNAME_PROP));
    }

    private void defaultUserMapper(EventQueueBatch eventQueueBatch, MeshAuthUser meshAuthUser, JsonObject jsonObject) {
        boolean z = false;
        String string = jsonObject.getString("given_name");
        if (string == null) {
            log.warn("Did not find given_name property in OAuth2 principle.");
        } else if (!Objects.equals(meshAuthUser.getFirstname(), string)) {
            meshAuthUser.setFirstname(string);
            z = true;
        }
        String string2 = jsonObject.getString("family_name");
        if (string2 == null) {
            log.warn("Did not find family_name property in OAuth2 principle.");
        } else if (!Objects.equals(meshAuthUser.getLastname(), string2)) {
            meshAuthUser.setLastname(string2);
            z = true;
        }
        String string3 = jsonObject.getString("email");
        if (string3 == null) {
            log.warn("Did not find email property in OAuth2 principle");
        } else if (!Objects.equals(meshAuthUser.getEmailAddress(), string3)) {
            meshAuthUser.setEmailAddress(string3);
            z = true;
        }
        if (z) {
            eventQueueBatch.add(meshAuthUser.onUpdated());
        }
    }

    private void runPlugins(RoutingContext routingContext, EventQueueBatch eventQueueBatch, User user, MeshAuthUser meshAuthUser, String str, JsonObject jsonObject) {
        List<AuthServicePlugin> plugins = this.authPluginRegistry.getPlugins();
        if (plugins.isEmpty()) {
            defaultUserMapper(eventQueueBatch, meshAuthUser, jsonObject);
            return;
        }
        RoleRoot roleRoot = this.boot.roleRoot();
        GroupRoot groupRoot = this.boot.groupRoot();
        for (AuthServicePlugin authServicePlugin : plugins) {
            try {
                MappingResult mapToken = authServicePlugin.mapToken(routingContext.request(), str, jsonObject);
                if (mapToken == null) {
                    log.debug("Plugin did not provide a mapping result. Using only default mapping for user");
                    defaultUserMapper(eventQueueBatch, meshAuthUser, jsonObject);
                } else {
                    UserUpdateRequest user2 = mapToken.getUser();
                    if (user2 != null) {
                        InternalRoutingActionContextImpl internalRoutingActionContextImpl = new InternalRoutingActionContextImpl(routingContext);
                        internalRoutingActionContextImpl.setBody(user2);
                        internalRoutingActionContextImpl.setUser(user.toAuthUser());
                        meshAuthUser.update(internalRoutingActionContextImpl, eventQueueBatch);
                    } else {
                        defaultUserMapper(eventQueueBatch, meshAuthUser, jsonObject);
                    }
                    List<RoleResponse> roles = mapToken.getRoles();
                    if (roles != null) {
                        Iterator it = roles.iterator();
                        while (it.hasNext()) {
                            String name = ((RoleResponse) it.next()).getName();
                            if (roleRoot.findByName(name) == null) {
                                Role create = roleRoot.create(name, user);
                                user.inheritRolePermissions(roleRoot, create);
                                eventQueueBatch.add(create.onCreated());
                            }
                        }
                    }
                    List<GroupResponse> groups = mapToken.getGroups();
                    if (groups != null) {
                        for (GroupResponse groupResponse : groups) {
                            String name2 = groupResponse.getName();
                            MeshVertex meshVertex = (Group) groupRoot.findByName(name2);
                            boolean z = false;
                            if (meshVertex == null) {
                                meshVertex = groupRoot.create(name2, user);
                                user.inheritRolePermissions(groupRoot, meshVertex);
                                eventQueueBatch.add(meshVertex.onCreated());
                                z = true;
                            }
                            if (!meshVertex.hasUser(meshAuthUser)) {
                                meshVertex.addUser(meshAuthUser);
                                eventQueueBatch.add(meshVertex.createUserAssignmentEvent(meshAuthUser, Assignment.ASSIGNED));
                                if (!z) {
                                    eventQueueBatch.add(meshVertex.onUpdated());
                                }
                            }
                            for (RoleReference roleReference : groupResponse.getRoles()) {
                                String name3 = roleReference.getName();
                                String uuid = roleReference.getUuid();
                                Role role = name3 != null ? (Role) roleRoot.findByName(name3) : null;
                                if (role == null) {
                                    role = (Role) roleRoot.findByUuid(uuid);
                                }
                                if (role != null && !meshVertex.hasRole(role)) {
                                    meshVertex.addRole(role);
                                    meshVertex.setLastEditedTimestamp();
                                    meshVertex.setEditor(user);
                                    eventQueueBatch.add(meshVertex.createRoleAssignmentEvent(role, Assignment.ASSIGNED));
                                }
                            }
                            RoleFilter roleFilter = mapToken.getRoleFilter();
                            if (roleFilter != null) {
                                Iterator it2 = meshVertex.getRoles().iterator();
                                while (it2.hasNext()) {
                                    Role role2 = (Role) it2.next();
                                    if (roleFilter.filter(meshVertex.getName(), role2.getName())) {
                                        log.info("Unassigning role {" + role2.getName() + "} from group {" + meshVertex.getName() + "}");
                                        meshVertex.removeRole(role2);
                                        eventQueueBatch.add(meshVertex.createRoleAssignmentEvent(role2, Assignment.UNASSIGNED));
                                    }
                                }
                            }
                        }
                    }
                    if (roles != null) {
                        for (RoleResponse roleResponse : roles) {
                            Role findByName = roleRoot.findByName(roleResponse.getName());
                            if (findByName == null) {
                                log.warn("Could not find referenced role {" + findByName + "}");
                            } else {
                                for (GroupReference groupReference : roleResponse.getGroups()) {
                                    String name4 = groupReference.getName();
                                    String uuid2 = groupReference.getUuid();
                                    Group group = name4 != null ? (Group) groupRoot.findByName(name4) : null;
                                    if (group == null) {
                                        group = (Group) groupRoot.findByUuid(uuid2);
                                    }
                                    if (group != null && !group.hasRole(findByName)) {
                                        group.addRole(findByName);
                                        eventQueueBatch.add(group.createRoleAssignmentEvent(findByName, Assignment.ASSIGNED));
                                    }
                                }
                            }
                        }
                    }
                    GroupFilter groupFilter = mapToken.getGroupFilter();
                    if (groupFilter != null) {
                        Iterator it3 = meshAuthUser.getGroups().iterator();
                        while (it3.hasNext()) {
                            Group group2 = (Group) it3.next();
                            if (groupFilter.filter(group2.getName())) {
                                log.info("Unassigning group {" + group2.getName() + "} from user {" + meshAuthUser.getUsername() + "}");
                                group2.removeUser(meshAuthUser);
                                eventQueueBatch.add(group2.createUserAssignmentEvent(meshAuthUser, Assignment.UNASSIGNED));
                            }
                        }
                    }
                }
            } catch (Exception e) {
                log.error("Error while executing mapping plugin {" + authServicePlugin.id() + "}. Ignoring result.", e);
                throw e;
            }
        }
    }
}
