package com.gentics.mesh.auth;

import com.gentics.mesh.cli.BootstrapInitializer;
import com.gentics.mesh.core.data.Group;
import com.gentics.mesh.core.data.MeshAuthUser;
import com.gentics.mesh.core.data.MeshVertex;
import com.gentics.mesh.core.data.Role;
import com.gentics.mesh.core.data.User;
import com.gentics.mesh.core.data.relationship.GraphPermission;
import com.gentics.mesh.core.data.root.GroupRoot;
import com.gentics.mesh.core.data.root.RoleRoot;
import com.gentics.mesh.core.data.root.UserRoot;
import com.gentics.mesh.core.data.search.SearchQueue;
import com.gentics.mesh.core.data.search.SearchQueueBatch;
import com.gentics.mesh.core.rest.error.Errors;
import com.gentics.mesh.etc.config.MeshOptions;
import com.gentics.mesh.etc.config.OAuth2Options;
import com.gentics.mesh.graphdb.spi.Database;
import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.vertx.core.Vertx;
import io.vertx.core.json.JsonArray;
import io.vertx.core.json.JsonObject;
import io.vertx.core.logging.Logger;
import io.vertx.core.logging.LoggerFactory;
import io.vertx.ext.auth.oauth2.AccessToken;
import io.vertx.ext.auth.oauth2.OAuth2Auth;
import io.vertx.ext.auth.oauth2.OAuth2FlowType;
import io.vertx.ext.auth.oauth2.providers.KeycloakAuth;
import io.vertx.ext.web.Route;
import java.io.File;
import java.io.IOException;
import java.net.URL;
import java.nio.charset.Charset;
import java.util.Iterator;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
import javax.inject.Inject;
import javax.inject.Singleton;
import javax.script.ScriptEngine;
import javax.script.ScriptException;
import jdk.nashorn.api.scripting.ClassFilter;
import jdk.nashorn.api.scripting.NashornScriptEngineFactory;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import org.apache.commons.io.FileUtils;
import org.apache.commons.lang.StringUtils;

@Singleton
/* loaded from: input_file:com/gentics/mesh/auth/MeshOAuth2ServiceImpl.class */
public class MeshOAuth2ServiceImpl implements MeshOAuthService {
    private static final Logger log = LoggerFactory.getLogger(MeshOAuth2ServiceImpl.class);
    public static final Cache<String, String> TOKEN_ID_LOG = Caffeine.newBuilder().maximumSize(20000).expireAfterWrite(24, TimeUnit.HOURS).build();
    protected MeshOAuth2AuthHandlerImpl oauth2Handler;
    protected NashornScriptEngineFactory factory = new NashornScriptEngineFactory();
    protected OAuth2Options options;
    protected String mapperScript;
    protected OAuth2Auth oauth2Provider;
    protected Database db;
    protected BootstrapInitializer boot;
    protected SearchQueue searchQueue;

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:com/gentics/mesh/auth/MeshOAuth2ServiceImpl$Sandbox.class */
    public static class Sandbox implements ClassFilter {
        protected Sandbox() {
        }

        public boolean exposeToScripts(String str) {
            return false;
        }
    }

    @Inject
    public MeshOAuth2ServiceImpl(Database database, BootstrapInitializer bootstrapInitializer, MeshOptions meshOptions, Vertx vertx, SearchQueue searchQueue) {
        this.mapperScript = null;
        this.db = database;
        this.boot = bootstrapInitializer;
        this.options = meshOptions.getAuthenticationOptions().getOauth2();
        this.searchQueue = searchQueue;
        if (this.options == null || !this.options.isEnabled()) {
            return;
        }
        JsonObject loadRealmInfo = loadRealmInfo(vertx, meshOptions);
        this.mapperScript = loadScript();
        this.oauth2Provider = KeycloakAuth.create(vertx, OAuth2FlowType.AUTH_CODE, loadRealmInfo);
        this.oauth2Handler = new MeshOAuth2AuthHandlerImpl(this.oauth2Provider);
    }

    protected String loadScript() {
        String mapperScriptPath = this.options.getMapperScriptPath();
        if (mapperScriptPath == null) {
            return null;
        }
        File file = new File(mapperScriptPath);
        if (!file.exists()) {
            log.warn("The OAuth2 mapper script {" + mapperScriptPath + "} could not be found.");
            return null;
        }
        try {
            return FileUtils.readFileToString(file, Charset.defaultCharset());
        } catch (IOException e) {
            throw Errors.error(HttpResponseStatus.INTERNAL_SERVER_ERROR, "oauth_mapper_file_not_readable", e);
        }
    }

    protected JsonObject executeMapperScript(JsonObject jsonObject) throws ScriptException {
        JsonObject jsonObject2 = new JsonObject();
        jsonObject2.put("roles", new JsonArray());
        jsonObject2.put("groups", new JsonArray());
        boolean isMapperScriptDevMode = this.options.isMapperScriptDevMode();
        if (isMapperScriptDevMode) {
            log.info("Reloading mapper script due to enabled development mode.");
            this.mapperScript = loadScript();
        }
        if (StringUtils.isEmpty(this.mapperScript)) {
            return jsonObject2;
        }
        ScriptEngine scriptEngine = this.factory.getScriptEngine(new Sandbox());
        scriptEngine.put("principle", jsonObject);
        StringBuilder sb = new StringBuilder();
        sb.append(this.mapperScript);
        sb.append("\ngroups = JSON.stringify(extractGroups(JSON.parse(principle)));");
        sb.append("\nroles = JSON.stringify(extractRoles(JSON.parse(principle)));");
        if (isMapperScriptDevMode || log.isDebugEnabled()) {
            log.info("Executing mapper script:\n" + sb.toString());
            log.info("Using principle:\n" + jsonObject.encodePrettily());
        }
        scriptEngine.eval(sb.toString());
        Object obj = scriptEngine.get("roles");
        if (obj != null) {
            if (!(obj instanceof String)) {
                throw new RuntimeException("The mapper script must return roles as a string. Got {" + obj.getClass().getName() + "}");
            }
            jsonObject2.put("roles", new JsonArray((String) obj));
        }
        Object obj2 = scriptEngine.get("groups");
        if (obj2 != null) {
            if (!(obj2 instanceof String)) {
                throw new RuntimeException("The mapper script must return groups as a string. Got {" + obj2.getClass().getName() + "}");
            }
            jsonObject2.put("groups", new JsonArray((String) obj2));
        }
        if (isMapperScriptDevMode || log.isDebugEnabled()) {
            log.info("Mapping script output:\n" + jsonObject2.encodePrettily());
        }
        return jsonObject2;
    }

    public void secure(Route route) {
        route.handler(this.oauth2Handler);
        route.handler(routingContext -> {
            AccessToken user = routingContext.user();
            if (user instanceof AccessToken) {
                AccessToken accessToken = user;
                if (accessToken.accessToken() == null) {
                    routingContext.fail(401);
                    return;
                }
                routingContext.setUser(syncUser(accessToken.accessToken()));
            }
            routingContext.next();
        });
    }

    protected MeshAuthUser syncUser(JsonObject jsonObject) {
        String string = jsonObject.getString("preferred_username");
        Objects.requireNonNull(string, "The preferred_username property could not be found in the principle user info.");
        String string2 = jsonObject.getString("jti");
        SearchQueueBatch create = this.searchQueue.create();
        MeshAuthUser meshAuthUser = (MeshAuthUser) this.db.tx(() -> {
            UserRoot userRoot = this.boot.userRoot();
            MeshAuthUser findMeshAuthUserByUsername = userRoot.findMeshAuthUserByUsername(string);
            if (findMeshAuthUserByUsername == null) {
                User findByUsername = userRoot.findByUsername("admin");
                findByUsername.addCRUDPermissionOnRole(userRoot, GraphPermission.CREATE_PERM, userRoot.create(string, findByUsername));
                findMeshAuthUserByUsername = userRoot.findMeshAuthUserByUsername(string);
                String uuid = findMeshAuthUserByUsername.getUuid();
                syncUser(create, findMeshAuthUserByUsername, findByUsername, jsonObject);
                TOKEN_ID_LOG.put(uuid, string2);
            } else {
                String uuid2 = findMeshAuthUserByUsername.getUuid();
                String str = (String) TOKEN_ID_LOG.getIfPresent(findMeshAuthUserByUsername.getUuid());
                if (str == null || !str.equals(string2)) {
                    syncUser(create, findMeshAuthUserByUsername, userRoot.findByUsername("admin"), jsonObject);
                    TOKEN_ID_LOG.put(uuid2, string2);
                }
            }
            return findMeshAuthUserByUsername;
        });
        create.processSync();
        return meshAuthUser;
    }

    protected void syncUser(SearchQueueBatch searchQueueBatch, MeshAuthUser meshAuthUser, User user, JsonObject jsonObject) {
        String string = jsonObject.getString("given_name");
        if (string == null) {
            log.warn("Did not find given_name property in OAuth2 principle.");
        } else {
            meshAuthUser.setFirstname(string);
        }
        String string2 = jsonObject.getString("family_name");
        if (string2 == null) {
            log.warn("Did not find family_name property in OAuth2 principle.");
        } else {
            meshAuthUser.setLastname(string2);
        }
        String string3 = jsonObject.getString("email");
        if (string3 == null) {
            log.warn("Did not find email property in OAuth2 principle");
        } else {
            meshAuthUser.setEmailAddress(string3);
        }
        searchQueueBatch.store(meshAuthUser, false);
        try {
            JsonObject executeMapperScript = executeMapperScript(jsonObject);
            JsonArray jsonArray = executeMapperScript.getJsonArray("roles");
            RoleRoot roleRoot = this.boot.roleRoot();
            for (int i = 0; i < jsonArray.size(); i++) {
                String string4 = jsonArray.getString(i);
                if (roleRoot.findByName(string4) == null) {
                    Role create = roleRoot.create(string4, user);
                    user.addCRUDPermissionOnRole(roleRoot, GraphPermission.CREATE_PERM, create);
                    searchQueueBatch.store(create, false);
                }
            }
            JsonArray jsonArray2 = executeMapperScript.getJsonArray("groups");
            GroupRoot groupRoot = this.boot.groupRoot();
            Iterator it = groupRoot.findAll().iterator();
            while (it.hasNext()) {
                Group group = (Group) it.next();
                group.removeUser(meshAuthUser);
                searchQueueBatch.store(group, false);
            }
            for (int i2 = 0; i2 < jsonArray2.size(); i2++) {
                String string5 = jsonArray2.getString(i2);
                MeshVertex meshVertex = (Group) groupRoot.findByName(string5);
                if (meshVertex == null) {
                    meshVertex = groupRoot.create(string5, user);
                    user.addCRUDPermissionOnRole(groupRoot, GraphPermission.CREATE_PERM, meshVertex);
                }
                meshVertex.addUser(meshAuthUser);
                searchQueueBatch.store(meshVertex, false);
            }
        } catch (Exception e) {
            log.error("Error while executing mapping script. Ignoring mapping script.", e);
        }
    }

    public OAuth2Auth getOauth2Provider() {
        return this.oauth2Provider;
    }

    public JsonObject loadRealmInfo(Vertx vertx, MeshOptions meshOptions) {
        if (meshOptions == null) {
            log.debug("Mesh options not specified. Can't setup OAuth2.");
            return null;
        }
        if (meshOptions.getAuthenticationOptions() == null) {
            log.debug("Mesh auth options not specified. Can't setup OAuth2.");
            return null;
        }
        JsonObject json = meshOptions.getAuthenticationOptions().getOauth2().getConfig().toJson();
        if (json == null) {
            log.debug("OAuth config  not specified. Can't setup OAuth2.");
            return null;
        }
        String string = json.getString("realm");
        Objects.requireNonNull(string, "The realm property was not found in the oauth2 config");
        String string2 = json.getString("auth-server-url");
        Objects.requireNonNull(string, "The auth-server-url property was not found in the oauth2 config");
        try {
            URL url = new URL(string2);
            String host = url.getHost();
            json.put("auth-server-host", host);
            int port = url.getPort();
            json.put("auth-server-port", Integer.valueOf(port));
            String protocol = url.getProtocol();
            json.put("auth-server-protocol", protocol);
            JsonObject fetchPublicRealmInfo = fetchPublicRealmInfo(protocol, host, port, string);
            json.put("auth-server-url", protocol + "://" + host + ":" + port + "/auth");
            json.put("realm-public-key", fetchPublicRealmInfo.getString("public_key"));
            return json;
        } catch (Exception e) {
            throw Errors.error(HttpResponseStatus.INTERNAL_SERVER_ERROR, "oauth_config_error", e);
        }
    }

    protected JsonObject fetchPublicRealmInfo(String str, String str2, int i, String str3) throws IOException {
        Response execute = new OkHttpClient.Builder().build().newCall(new Request.Builder().header("Accept", "application/json").url(str + "://" + str2 + ":" + i + "/auth/realms/" + str3).build()).execute();
        if (execute.isSuccessful()) {
            return new JsonObject(execute.body().string());
        }
        log.error(execute.body().toString());
        throw new RuntimeException("Error while loading realm info. Got code {" + execute.code() + "}");
    }
}
