package alpine.auth;

import alpine.Config;
import alpine.auth.AlpineAuthenticationException;
import alpine.logging.Logger;
import alpine.model.OidcUser;
import alpine.persistence.AlpineQueryManager;
import alpine.util.OidcUtil;
import java.security.Principal;
import java.util.List;
import javax.annotation.Nullable;
import javax.ws.rs.ProcessingException;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;

/* loaded from: input_file:alpine/auth/OidcAuthenticationService.class */
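/**
 * Authenticates a request that carries an OpenID Connect bearer access token.
 *
 * <p>The token is exchanged for claims at the provider's UserInfo endpoint; the configured
 * username claim is then mapped to a local {@link OidcUser}, optionally provisioning the
 * account and synchronizing team membership from a configured teams claim.
 *
 * <p>Not thread-safe beyond its immutable fields; a new instance is expected per request.
 */
public class OidcAuthenticationService implements AuthenticationService {
    private static final Logger LOGGER = Logger.getLogger(OidcAuthenticationService.class);
    private final Config config;
    private final OidcConfiguration oidcConfiguration;
    private final String accessToken;

    /**
     * Creates a service backed by the global {@link Config} and the resolved OIDC configuration.
     *
     * @param accessToken the bearer access token presented by the caller; may be {@code null}
     */
    public OidcAuthenticationService(String accessToken) {
        this(Config.getInstance(), OidcConfigurationResolver.getInstance().resolve(), accessToken);
    }

    /**
     * Creates a service with explicit dependencies (package-private for tests).
     *
     * @param config            application configuration
     * @param oidcConfiguration resolved OIDC provider configuration
     * @param accessToken       the bearer access token presented by the caller; may be {@code null}
     */
    OidcAuthenticationService(Config config, OidcConfiguration oidcConfiguration, String accessToken) {
        this.config = config;
        this.oidcConfiguration = oidcConfiguration;
        this.accessToken = accessToken;
    }

    /**
     * Reports whether this service can handle the request: OIDC must be available for the
     * given configuration and an access token must have been supplied.
     *
     * @return {@code true} when OIDC is available and an access token is present
     */
    @Override
    public boolean isSpecified() {
        return OidcUtil.isOidcAvailable(this.config, this.oidcConfiguration) && this.accessToken != null;
    }

    /**
     * Validates the access token against the provider's UserInfo endpoint and resolves the
     * corresponding local user.
     *
     * <p>A locally known user whose stored subject identifier differs from the subject returned
     * by the provider is refused, so a different provider identity cannot authenticate as an
     * existing username. A {@code 401} from the UserInfo endpoint is reported as
     * {@code INVALID_CREDENTIALS}; any other HTTP or processing failure as {@code OTHER}.
     *
     * @return the authenticated {@link OidcUser}
     * @throws AlpineAuthenticationException when the token is rejected, the username claim is
     *         missing, the account is unmapped and provisioning is disabled, the subject
     *         identifier has changed, or the UserInfo request fails
     */
    @Override
    @Nullable
    public Principal authenticate() throws AlpineAuthenticationException {
        try {
            final OidcUserInfo userInfo = fetchUserInfo();
            final String usernameClaim = this.config.getProperty(Config.AlpineKey.OIDC_USERNAME_CLAIM);
            final String username = (String) userInfo.getClaim(usernameClaim, String.class);
            if (username == null) {
                LOGGER.error("The configured OIDC username claim (" + usernameClaim + ") could not be found in UserInfo response");
                throw new AlpineAuthenticationException(AlpineAuthenticationException.CauseType.OTHER);
            }
            // try-with-resources: the query manager is closed exactly once on every exit path
            try (AlpineQueryManager qm = new AlpineQueryManager()) {
                final OidcUser user = qm.getOidcUser(username);
                if (user == null) {
                    if (!this.config.getPropertyAsBoolean(Config.AlpineKey.OIDC_USER_PROVISIONING)) {
                        LOGGER.debug("The user (" + username + ") is unmapped and user provisioning is not enabled");
                        throw new AlpineAuthenticationException(AlpineAuthenticationException.CauseType.UNMAPPED_ACCOUNT);
                    }
                    LOGGER.debug("The user (" + username + ") authenticated successfully but the account has not been provisioned");
                    return autoProvision(qm, username, userInfo);
                }
                LOGGER.debug("Attempting to authenticate user: " + username);
                user.setEmail(userInfo.getEmail());
                if (user.getSubjectIdentifier() == null) {
                    // First OIDC login of a pre-existing account: bind the provider subject to it.
                    // Note that team synchronization is not performed on this path.
                    LOGGER.debug("Assigning subject identifier " + userInfo.getSubject() + " to user " + username);
                    user.setSubjectIdentifier(userInfo.getSubject());
                    return qm.updateOidcUser(user);
                }
                if (!user.getSubjectIdentifier().equals(userInfo.getSubject())) {
                    LOGGER.error("Refusing to authenticate user " + username + ": subject identifier has changed (" + user.getSubjectIdentifier() + " to " + userInfo.getSubject() + ")");
                    throw new AlpineAuthenticationException(AlpineAuthenticationException.CauseType.INVALID_CREDENTIALS);
                }
                if (!this.config.getPropertyAsBoolean(Config.AlpineKey.OIDC_TEAM_SYNCHRONIZATION)) {
                    return user;
                }
                return synchronizeTeams(qm, user, userInfo);
            }
        } catch (WebApplicationException e) {
            if (e.getResponse().getStatus() == 401) {
                throw new AlpineAuthenticationException(AlpineAuthenticationException.CauseType.INVALID_CREDENTIALS);
            }
            LOGGER.error("An error occurred requesting the OIDC UserInfo", e);
            throw new AlpineAuthenticationException(AlpineAuthenticationException.CauseType.OTHER);
        } catch (ProcessingException e) {
            LOGGER.error("An error occurred while processing the OIDC UserInfo response", e);
            throw new AlpineAuthenticationException(AlpineAuthenticationException.CauseType.OTHER);
        }
    }

    /**
     * Requests the UserInfo document for the access token.
     *
     * <p>The JAX-RS {@link Client} is closed after the call; clients are heavyweight and leaving
     * one open per authentication attempt would accumulate resources.
     *
     * @return the parsed UserInfo response
     * @throws WebApplicationException on a non-success HTTP status
     * @throws ProcessingException     when the request or response cannot be processed
     */
    private OidcUserInfo fetchUserInfo() {
        final Client client = ClientBuilder.newClient();
        try {
            return client.target(this.oidcConfiguration.getUserInfoEndpointUri())
                    .request("application/json")
                    .header("Authorization", "Bearer " + this.accessToken)
                    .get(OidcUserInfo.class);
        } finally {
            client.close();
        }
    }

    /**
     * Creates and persists a new {@link OidcUser} from the UserInfo claims, then synchronizes
     * team membership when {@code OIDC_TEAM_SYNCHRONIZATION} is enabled.
     *
     * @param qm       open query manager used for persistence
     * @param username the value of the configured username claim
     * @param userInfo claims returned by the provider
     * @return the persisted (and possibly team-synchronized) user
     */
    private OidcUser autoProvision(AlpineQueryManager qm, String username, OidcUserInfo userInfo) {
        final OidcUser user = new OidcUser();
        user.setUsername(username);
        user.setSubjectIdentifier(userInfo.getSubject());
        user.setEmail(userInfo.getEmail());
        final OidcUser persisted = (OidcUser) qm.persist(user);
        if (!this.config.getPropertyAsBoolean(Config.AlpineKey.OIDC_TEAM_SYNCHRONIZATION)) {
            return persisted;
        }
        LOGGER.debug("Synchronizing teams for user " + username);
        return synchronizeTeams(qm, persisted, userInfo);
    }

    /**
     * Synchronizes the user's team membership from the configured teams claim.
     *
     * <p>Failures are logged and the user is returned unchanged: a missing claim configuration,
     * an absent claim in the UserInfo response, or a claim that is not a list.
     *
     * @param qm       open query manager used for persistence
     * @param user     the user whose teams are synchronized
     * @param userInfo claims returned by the provider
     * @return the user after synchronization, or {@code user} unchanged on failure
     */
    OidcUser synchronizeTeams(AlpineQueryManager qm, OidcUser user, OidcUserInfo userInfo) {
        final String teamsClaim = this.config.getProperty(Config.AlpineKey.OIDC_TEAMS_CLAIM);
        if (teamsClaim == null) {
            LOGGER.error("Synchronizing teams for user " + user.getUsername() + " failed: Synchronization is enabled, but no teams claim is configured");
            return user;
        }
        try {
            // The claim's element type is not verified here; a non-list value surfaces as ClassCastException.
            @SuppressWarnings("unchecked")
            final List<String> teams = (List<String>) userInfo.getClaim(teamsClaim, List.class);
            if (teams == null) {
                LOGGER.error("Synchronizing teams for user " + user.getUsername() + " failed: Teams claim " + teamsClaim + " does not exist");
                return user;
            }
            return qm.synchronizeTeamMembership(user, teams);
        } catch (ClassCastException e) {
            LOGGER.error("Synchronizing teams for user " + user.getUsername() + " failed: Teams claim is not a list", e);
            return user;
        }
    }
}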
