package com.gentics.mesh.auth.oauth2;

import com.gentics.mesh.auth.AuthHandlerContainer;
import com.gentics.mesh.auth.AuthServicePluginRegistry;
import com.gentics.mesh.auth.MeshOAuthService;
import com.gentics.mesh.auth.util.MappingHelper;
import com.gentics.mesh.context.impl.InternalRoutingActionContextImpl;
import com.gentics.mesh.core.data.HibBaseElement;
import com.gentics.mesh.core.data.dao.GroupDao;
import com.gentics.mesh.core.data.dao.PermissionRoots;
import com.gentics.mesh.core.data.dao.RoleDao;
import com.gentics.mesh.core.data.dao.UserDao;
import com.gentics.mesh.core.data.group.HibGroup;
import com.gentics.mesh.core.data.role.HibRole;
import com.gentics.mesh.core.data.user.HibUser;
import com.gentics.mesh.core.data.user.MeshAuthUser;
import com.gentics.mesh.core.db.Database;
import com.gentics.mesh.core.db.Tx;
import com.gentics.mesh.core.endpoint.admin.LocalConfigApi;
import com.gentics.mesh.core.rest.error.Errors;
import com.gentics.mesh.core.rest.group.GroupReference;
import com.gentics.mesh.core.rest.group.GroupResponse;
import com.gentics.mesh.core.rest.role.RoleReference;
import com.gentics.mesh.core.rest.role.RoleResponse;
import com.gentics.mesh.core.rest.user.UserUpdateRequest;
import com.gentics.mesh.distributed.RequestDelegator;
import com.gentics.mesh.etc.config.AuthenticationOptions;
import com.gentics.mesh.etc.config.MeshOptions;
import com.gentics.mesh.event.Assignment;
import com.gentics.mesh.event.EventQueueBatch;
import com.gentics.mesh.plugin.auth.AuthServicePlugin;
import com.gentics.mesh.plugin.auth.GroupFilter;
import com.gentics.mesh.plugin.auth.MappingResult;
import com.gentics.mesh.plugin.auth.RoleFilter;
import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import com.google.common.base.Throwables;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.reactivex.Completable;
import io.reactivex.Single;
import io.reactivex.functions.Consumer;
import io.vertx.core.http.HttpHeaders;
import io.vertx.core.json.JsonObject;
import io.vertx.core.logging.Logger;
import io.vertx.core.logging.LoggerFactory;
import io.vertx.ext.auth.User;
import io.vertx.ext.web.Route;
import io.vertx.ext.web.RoutingContext;
import io.vertx.ext.web.handler.JWTAuthHandler;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import javax.inject.Inject;
import javax.inject.Provider;
import javax.inject.Singleton;

@Singleton
/* loaded from: input_file:com/gentics/mesh/auth/oauth2/MeshOAuth2ServiceImpl.class */
public class MeshOAuth2ServiceImpl implements MeshOAuthService {
    private static final Logger log = LoggerFactory.getLogger(MeshOAuth2ServiceImpl.class);
    private static final String DEFAULT_JWT_USERNAME_PROP = "preferred_username";
    public final Cache<String, String> TOKEN_ID_LOG = Caffeine.newBuilder().maximumSize(20000).expireAfterWrite(24, TimeUnit.HOURS).build();
    protected AuthServicePluginRegistry authPluginRegistry;
    protected Database db;
    protected PermissionRoots permissionRoots;
    private final AuthenticationOptions authOptions;
    private final Provider<EventQueueBatch> batchProvider;
    private final AuthHandlerContainer authHandlerContainer;
    private final LocalConfigApi localConfigApi;
    private final RequestDelegator delegator;

    @Inject
    public MeshOAuth2ServiceImpl(Database database, MeshOptions meshOptions, Provider<EventQueueBatch> provider, AuthServicePluginRegistry authServicePluginRegistry, AuthHandlerContainer authHandlerContainer, LocalConfigApi localConfigApi, RequestDelegator requestDelegator, PermissionRoots permissionRoots) {
        this.db = database;
        this.batchProvider = provider;
        this.authPluginRegistry = authServicePluginRegistry;
        this.authOptions = meshOptions.getAuthenticationOptions();
        this.authHandlerContainer = authHandlerContainer;
        this.localConfigApi = localConfigApi;
        this.delegator = requestDelegator;
        this.permissionRoots = permissionRoots;
    }

    private JWTAuthHandler createJWTHandler() {
        HashSet<JsonObject> hashSet = new HashSet();
        hashSet.addAll((Collection) this.authOptions.getPublicKeys().stream().collect(Collectors.toSet()));
        hashSet.addAll(this.authPluginRegistry.getActivePublicKeys());
        if (hashSet.isEmpty()) {
            return null;
        }
        if (log.isDebugEnabled()) {
            for (JsonObject jsonObject : hashSet) {
                if (jsonObject != null) {
                    log.debug(jsonObject.encodePrettily());
                } else {
                    log.debug("Key is null");
                }
            }
        }
        return this.authHandlerContainer.create(hashSet);
    }

    public void secure(Route route) {
        route.handler(routingContext -> {
            if (routingContext.user() != null) {
                routingContext.next();
                return;
            }
            if (routingContext.request().headers().get(HttpHeaders.AUTHORIZATION) == null) {
                routingContext.next();
                return;
            }
            JWTAuthHandler createJWTHandler = createJWTHandler();
            if (createJWTHandler != null) {
                createJWTHandler.handle(routingContext);
            } else {
                log.warn("No key handler was created. This may happen when neither the plugin or the mesh configuration provides custom public keys.");
                routingContext.next();
            }
        });
        route.handler(routingContext2 -> {
            User user = routingContext2.user();
            if (user == null) {
                routingContext2.next();
                return;
            }
            if (user instanceof MeshAuthUser) {
                routingContext2.next();
                return;
            }
            List<AuthServicePlugin> plugins = this.authPluginRegistry.getPlugins();
            JsonObject jsonObject = user.attributes().getJsonObject("accessToken");
            if (jsonObject == null || jsonObject.isEmpty()) {
                routingContext2.fail(401);
                return;
            }
            for (AuthServicePlugin authServicePlugin : plugins) {
                if (!authServicePlugin.acceptToken(routingContext2.request(), jsonObject)) {
                    if (log.isDebugEnabled()) {
                        log.debug("The plugin {} rejected the token.", new Object[]{authServicePlugin.getManifest().getName()});
                    }
                    routingContext2.fail(401);
                    return;
                }
            }
            syncUser(routingContext2, jsonObject).subscribe(meshAuthUser -> {
                routingContext2.setUser(meshAuthUser);
                routingContext2.next();
            }, th -> {
                if (Throwables.getRootCause(th) instanceof CannotWriteException) {
                    this.delegator.redirectToMaster(routingContext2);
                    return;
                }
                Single<MeshAuthUser> syncUser = syncUser(routingContext2, jsonObject);
                Consumer consumer = meshAuthUser2 -> {
                    routingContext2.setUser(meshAuthUser2);
                    routingContext2.next();
                };
                Objects.requireNonNull(routingContext2);
                syncUser.subscribe(consumer, routingContext2::fail);
            });
        });
    }

    protected Single<MeshAuthUser> syncUser(RoutingContext routingContext, JsonObject jsonObject) {
        Optional<String> extractUsername = extractUsername(jsonObject);
        if (!extractUsername.isPresent()) {
            throw new RuntimeException("The username could not be determined. Maybe no plugin was able to return a match or the token did not contain the preferred_username property.");
        }
        String str = extractUsername.get();
        String string = jsonObject.getString("jti");
        if (string == null) {
            Integer integer = jsonObject.getInteger("iat");
            if (integer == null) {
                throw new RuntimeException("The token does not contain an iat or jti property. One of those values is required.");
            }
            string = str + "-" + String.valueOf(integer);
        }
        String str2 = string;
        EventQueueBatch eventQueueBatch = (EventQueueBatch) this.batchProvider.get();
        return this.db.maybeTx(tx -> {
            return tx.userDao().findMeshAuthUserByUsername(str);
        }).flatMapSingleElement(meshAuthUser -> {
            Database database = this.db;
            HibUser delegate = meshAuthUser.getDelegate();
            Objects.requireNonNull(delegate);
            return database.singleTx(delegate::getUuid).flatMap(str3 -> {
                String str3 = (String) this.TOKEN_ID_LOG.getIfPresent(str3);
                if (str3 == null || !str3.equals(str2)) {
                    return assertReadOnlyDeactivated().andThen(this.db.singleTx(tx2 -> {
                        runPlugins(tx2, routingContext, eventQueueBatch, tx2.userDao().findByUsername("admin"), meshAuthUser, str3, jsonObject);
                        this.TOKEN_ID_LOG.put(str3, str2);
                        return meshAuthUser;
                    }));
                }
                log.debug("The request does not need mapping since we have already processed the token before.");
                return Single.just(meshAuthUser);
            });
        }).switchIfEmpty(assertReadOnlyDeactivated().andThen(requiresWriteCompletable()).andThen(this.db.singleTxWriteLock(tx2 -> {
            UserDao userDao = tx2.userDao();
            HibBaseElement user = this.permissionRoots.user();
            HibUser findByUsername = userDao.findByUsername("admin");
            userDao.inheritRolePermissions(findByUsername, user, userDao.create(str, findByUsername));
            MeshAuthUser findMeshAuthUserByUsername = userDao.findMeshAuthUserByUsername(str);
            String uuid = findMeshAuthUserByUsername.getDelegate().getUuid();
            runPlugins(tx2, routingContext, eventQueueBatch, findByUsername, findMeshAuthUserByUsername, null, jsonObject);
            this.TOKEN_ID_LOG.put(uuid, str2);
            return findMeshAuthUserByUsername;
        }))).doOnSuccess(meshAuthUser2 -> {
            eventQueueBatch.dispatch();
        });
    }

    private Completable assertReadOnlyDeactivated() {
        return this.db.isReadOnly(true) ? Completable.error(Errors.error(HttpResponseStatus.METHOD_NOT_ALLOWED, "error_readonly_mode_oauth", new String[0])) : this.localConfigApi.getActiveConfig().flatMapCompletable(localConfigModel -> {
            return localConfigModel.isReadOnly().booleanValue() ? Completable.error(Errors.error(HttpResponseStatus.METHOD_NOT_ALLOWED, "error_readonly_mode_oauth", new String[0])) : Completable.complete();
        });
    }

    private Optional<String> extractUsername(JsonObject jsonObject) {
        Iterator<AuthServicePlugin> it = this.authPluginRegistry.getPlugins().iterator();
        while (it.hasNext()) {
            Optional<String> extractUsername = it.next().extractUsername(jsonObject);
            if (extractUsername.isPresent()) {
                return extractUsername;
            }
        }
        return Optional.ofNullable(jsonObject.getString(DEFAULT_JWT_USERNAME_PROP));
    }

    private void defaultUserMapper(EventQueueBatch eventQueueBatch, MeshAuthUser meshAuthUser, JsonObject jsonObject) throws CannotWriteException {
        boolean z = false;
        String string = jsonObject.getString("given_name");
        if (string == null) {
            log.warn("Did not find given_name property in OAuth2 principle.");
        } else if (!Objects.equals(meshAuthUser.getDelegate().getFirstname(), string)) {
            requiresWrite();
            meshAuthUser.getDelegate().setFirstname(string);
            z = true;
        }
        String string2 = jsonObject.getString("family_name");
        if (string2 == null) {
            log.warn("Did not find family_name property in OAuth2 principle.");
        } else if (!Objects.equals(meshAuthUser.getDelegate().getLastname(), string2)) {
            requiresWrite();
            meshAuthUser.getDelegate().setLastname(string2);
            z = true;
        }
        String string3 = jsonObject.getString("email");
        if (string3 == null) {
            log.warn("Did not find email property in OAuth2 principle");
        } else if (!Objects.equals(meshAuthUser.getDelegate().getEmailAddress(), string3)) {
            requiresWrite();
            meshAuthUser.getDelegate().setEmailAddress(string3);
            z = true;
        }
        if (z) {
            eventQueueBatch.add(meshAuthUser.getDelegate().onUpdated());
        }
    }

    private void runPlugins(Tx tx, RoutingContext routingContext, EventQueueBatch eventQueueBatch, HibUser hibUser, MeshAuthUser meshAuthUser, String str, JsonObject jsonObject) throws CannotWriteException {
        List<AuthServicePlugin> plugins = this.authPluginRegistry.getPlugins();
        if (plugins.isEmpty()) {
            log.debug("No auth plugins could be found. Falling back to default mapping");
            defaultUserMapper(eventQueueBatch, meshAuthUser, jsonObject);
            return;
        }
        tx.roleDao();
        tx.groupDao();
        UserDao userDao = tx.userDao();
        this.permissionRoots.group();
        this.permissionRoots.role();
        HibUser hibUser2 = (HibUser) userDao.findByUuid(meshAuthUser.getDelegate().getUuid());
        for (AuthServicePlugin authServicePlugin : plugins) {
            if (log.isDebugEnabled()) {
                log.debug("Handling mapping via auth plugin {}", new Object[]{authServicePlugin.getManifest().getName()});
            }
            try {
                MappingResult mapToken = authServicePlugin.mapToken(routingContext.request(), str, jsonObject);
                if (mapToken == null) {
                    log.debug("Plugin did not provide a mapping result. Using only default mapping for user");
                    defaultUserMapper(eventQueueBatch, meshAuthUser, jsonObject);
                } else {
                    UserUpdateRequest user = mapToken.getUser();
                    if (user != null) {
                        InternalRoutingActionContextImpl internalRoutingActionContextImpl = new InternalRoutingActionContextImpl(routingContext);
                        internalRoutingActionContextImpl.setBody(user);
                        internalRoutingActionContextImpl.setUser(hibUser.toAuthUser());
                        if (!this.delegator.canWrite() && userDao.updateDry(hibUser2, internalRoutingActionContextImpl)) {
                            throw new CannotWriteException();
                        }
                        userDao.update(hibUser2, internalRoutingActionContextImpl, eventQueueBatch);
                        handleMappingResult(tx, eventQueueBatch, mapToken, hibUser2, hibUser);
                    } else {
                        defaultUserMapper(eventQueueBatch, meshAuthUser, jsonObject);
                    }
                }
            } catch (CannotWriteException e) {
                throw e;
            } catch (Exception e2) {
                log.error("Error while executing mapping plugin {" + authServicePlugin.id() + "}. Ignoring result.", e2);
                throw e2;
            }
        }
    }

    public void handleMappingResult(Tx tx, EventQueueBatch eventQueueBatch, MappingResult mappingResult, HibUser hibUser, HibUser hibUser2) throws CannotWriteException {
        RoleDao roleDao = tx.roleDao();
        GroupDao groupDao = tx.groupDao();
        UserDao userDao = tx.userDao();
        HibBaseElement group = this.permissionRoots.group();
        HibBaseElement role = this.permissionRoots.role();
        List<RoleResponse> roles = mappingResult.getRoles();
        List<GroupResponse> groups = mappingResult.getGroups();
        MappingHelper mappingHelper = new MappingHelper(roleDao);
        mappingHelper.initMapped(roles, (v0) -> {
            return v0.getUuid();
        }, (v0) -> {
            return v0.getName();
        }, MappingHelper.Order.UUID_FIRST);
        mappingHelper.initAssigned(groups, (v0) -> {
            return v0.getRoles();
        }, (v0) -> {
            return v0.getUuid();
        }, (v0) -> {
            return v0.getName();
        }, MappingHelper.Order.NAME_FIRST);
        mappingHelper.load();
        if (mappingHelper.areMappedEntitiesMissing()) {
            requiresWrite();
        }
        mappingHelper.createMissingMapped(str -> {
            log.debug("Creating new role {} via mapping request.", new Object[]{str});
            return roleDao.create(str, hibUser2);
        }, collection -> {
            userDao.inheritRolePermissions(hibUser2, role, collection);
        });
        MappingHelper mappingHelper2 = new MappingHelper(groupDao);
        mappingHelper2.initMapped(groups, (v0) -> {
            return v0.getUuid();
        }, (v0) -> {
            return v0.getName();
        }, MappingHelper.Order.UUID_FIRST);
        mappingHelper2.initAssigned(roles, (v0) -> {
            return v0.getGroups();
        }, (v0) -> {
            return v0.getUuid();
        }, (v0) -> {
            return v0.getName();
        }, MappingHelper.Order.NAME_FIRST);
        mappingHelper2.load();
        if (mappingHelper2.areMappedEntitiesMissing()) {
            requiresWrite();
        }
        mappingHelper2.createMissingMapped(str2 -> {
            log.debug("Creating group {} via mapping request.", new Object[]{str2});
            return groupDao.create(str2, hibUser2);
        }, collection2 -> {
            userDao.inheritRolePermissions(hibUser2, group, collection2);
        });
        ArrayList<HibGroup> arrayList = new ArrayList(userDao.getGroups(hibUser).list());
        ArrayList<HibGroup> arrayList2 = new ArrayList(mappingHelper2.getMappedEntities());
        arrayList2.removeAll(arrayList);
        for (HibGroup hibGroup : arrayList2) {
            requiresWrite();
            log.debug("Adding user {} to group {} via mapping request.", new Object[]{hibUser.getUsername(), hibGroup.getName()});
            userDao.addGroup(hibUser, hibGroup);
            eventQueueBatch.add(groupDao.createUserAssignmentEvent(hibGroup, hibUser, Assignment.ASSIGNED));
            if (!mappingHelper2.wasCreated(hibGroup)) {
                eventQueueBatch.add(hibGroup.onUpdated());
            }
        }
        HashMap hashMap = new HashMap();
        if (groups != null) {
            for (GroupResponse groupResponse : groups) {
                mappingHelper2.getEntity(groupResponse.getUuid(), groupResponse.getName()).ifPresent(hibGroup2 -> {
                    List<RoleReference> roles2 = groupResponse.getRoles();
                    if (roles2 != null) {
                        for (RoleReference roleReference : roles2) {
                            mappingHelper.getEntity(roleReference.getUuid(), roleReference.getName()).ifPresent(hibRole -> {
                                ((Set) hashMap.computeIfAbsent(hibGroup2.getUuid(), str3 -> {
                                    return new HashSet();
                                })).add(hibRole.getUuid());
                            });
                        }
                    }
                });
            }
        }
        if (roles != null) {
            for (RoleResponse roleResponse : roles) {
                mappingHelper.getEntity(roleResponse.getUuid(), roleResponse.getName()).ifPresent(hibRole -> {
                    List<GroupReference> groups2 = roleResponse.getGroups();
                    if (groups2 != null) {
                        for (GroupReference groupReference : groups2) {
                            mappingHelper2.getEntity(groupReference.getUuid(), groupReference.getName()).ifPresent(hibGroup3 -> {
                                ((Set) hashMap.computeIfAbsent(hibGroup3.getUuid(), str3 -> {
                                    return new HashSet();
                                })).add(hibRole.getUuid());
                            });
                        }
                    }
                });
            }
        }
        RoleFilter roleFilter = mappingResult.getRoleFilter();
        HashSet hashSet = new HashSet();
        hashSet.addAll(hashMap.keySet());
        if (roleFilter != null) {
            hashSet.addAll((Collection) mappingHelper2.getMappedEntities().stream().map((v0) -> {
                return v0.getUuid();
            }).collect(Collectors.toSet()));
        }
        Map roles2 = groupDao.getRoles(mappingHelper2.getEntities(hashSet));
        for (Map.Entry entry : hashMap.entrySet()) {
            Optional entity = mappingHelper2.getEntity((String) entry.getKey(), null);
            if (entity.isPresent()) {
                HibGroup hibGroup3 = (HibGroup) entity.get();
                ArrayList<HibRole> arrayList3 = new ArrayList(mappingHelper.getEntities((Collection) entry.getValue()));
                arrayList3.removeAll((Collection) roles2.getOrDefault(hibGroup3, Collections.emptyList()));
                if (!arrayList3.isEmpty()) {
                    requiresWrite();
                }
                for (HibRole hibRole2 : arrayList3) {
                    groupDao.addRole(hibGroup3, hibRole2);
                    eventQueueBatch.add(groupDao.createRoleAssignmentEvent(hibGroup3, hibRole2, Assignment.ASSIGNED));
                }
            }
        }
        if (roleFilter != null) {
            for (HibGroup hibGroup4 : mappingHelper2.getMappedEntities()) {
                for (HibRole hibRole3 : (Collection) roles2.getOrDefault(hibGroup4, Collections.emptyList())) {
                    if (roleFilter.filter(hibGroup4.getName(), hibRole3.getName())) {
                        requiresWrite();
                        log.info("Unassigning role {" + hibRole3.getName() + "} from group {" + hibGroup4.getName() + "}");
                        groupDao.removeRole(hibGroup4, hibRole3);
                        eventQueueBatch.add(groupDao.createRoleAssignmentEvent(hibGroup4, hibRole3, Assignment.UNASSIGNED));
                    }
                }
            }
        }
        GroupFilter groupFilter = mappingResult.getGroupFilter();
        if (groupFilter != null) {
            for (HibGroup hibGroup5 : arrayList) {
                if (groupFilter.filter(hibGroup5.getName())) {
                    requiresWrite();
                    log.info("Unassigning group {" + hibGroup5.getName() + "} from user {" + hibUser.getUsername() + "}");
                    groupDao.removeUser(hibGroup5, hibUser);
                    eventQueueBatch.add(groupDao.createUserAssignmentEvent(hibGroup5, hibUser, Assignment.UNASSIGNED));
                }
            }
        }
    }

    private void requiresWrite() throws CannotWriteException {
        if (!this.delegator.canWrite()) {
            throw new CannotWriteException();
        }
    }

    private Completable requiresWriteCompletable() {
        return this.delegator.canWrite() ? Completable.complete() : Completable.error(new CannotWriteException());
    }
}
