package org.iplass.mtp.impl.auth.authenticate.oidc;

import org.iplass.mtp.auth.AuthContext;
import org.iplass.mtp.auth.User;
import org.iplass.mtp.auth.login.Credential;
import org.iplass.mtp.auth.login.LoginFailedException;
import org.iplass.mtp.impl.auth.AuthService;
import org.iplass.mtp.impl.auth.authenticate.AccountHandle;
import org.iplass.mtp.impl.auth.authenticate.AccountManagementModule;
import org.iplass.mtp.impl.auth.authenticate.AuthenticationProviderBase;
import org.iplass.mtp.impl.auth.authenticate.DefaultUserEntityResolver;
import org.iplass.mtp.impl.auth.authenticate.builtin.policy.AuthenticationPolicyService;
import org.iplass.mtp.impl.auth.authenticate.oidc.MetaOpenIdConnect;
import org.iplass.mtp.impl.web.WebResourceBundleUtil;
import org.iplass.mtp.spi.Config;
import org.iplass.mtp.spi.ServiceRegistry;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/iplass/mtp/impl/auth/authenticate/oidc/OIDCAuthenticationProvider.class */
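/**
 * Authentication provider that accepts an {@link OIDCCredential}, validates it against the
 * configured OpenID Connect definition and maps the resulting subject to a local {@link User}.
 *
 * <p>Login flow: validate the credential, resolve (or auto-provision) the local user, check the
 * account policy, then return an {@link OIDCAccountHandle} bound to that user's account id.
 * Credentials of any other type are ignored (login returns {@code null}).
 */
public class OIDCAuthenticationProvider extends AuthenticationProviderBase {
    private static final Logger authLog = LoggerFactory.getLogger("mtp.auth.oidc");

    /** Resource-bundle key shared by every LoginFailedException this provider throws. */
    private static final String ERROR_KEY = "impl.auth.authenticate.oidc.OIDCAuthenticationProvider.error";

    private OpenIdConnectService oidcService;
    private AuthenticationPolicyService policyService;

    /**
     * Installs a default {@link OIDCUserEntityResolver} when none was configured, then looks up the
     * services this provider depends on.
     *
     * @param authService owning authentication service, forwarded to the base class
     * @param config      provider configuration, forwarded to the base class
     */
    @Override
    public void inited(AuthService authService, Config config) {
        if (getUserEntityResolver() == null) {
            OIDCUserEntityResolver resolver = new OIDCUserEntityResolver();
            resolver.setEagerLoadReferenceProperty(DefaultUserEntityResolver.DEFAULT_EAGER_LOAD_REFERENCE_PROPERTY);
            setUserEntityResolver(resolver);
        }
        super.inited(authService, config);
        ServiceRegistry registry = ServiceRegistry.getRegistry();
        oidcService = registry.getService(OpenIdConnectService.class);
        policyService = registry.getService(AuthenticationPolicyService.class);
    }

    /** Accounts authenticated through an external OP cannot be updated here. */
    @Override
    public AccountManagementModule getAccountManagementModule() {
        return NO_UPDATABLE_AMM;
    }

    /** @return the only credential type this provider handles */
    @Override
    public Class<? extends Credential> getCredentialType() {
        return OIDCCredential.class;
    }

    /** @return the account-handle type trusted when an existing session is re-established */
    @Override
    protected Class<? extends AccountHandle> getAccountHandleClassForTrust() {
        return OIDCAccountHandle.class;
    }

    /**
     * Authenticates an OIDC credential.
     *
     * @param credential credential to check; anything other than an {@link OIDCCredential} yields {@code null}
     * @return an account handle bound to the resolved user's account id, or {@code null} when the
     *         credential type is not handled by this provider
     * @throws LoginFailedException when the OP response is invalid, no local account could be resolved
     *         or provisioned, or the account's policy does not allow this OIDC definition
     */
    @Override
    public AccountHandle login(Credential credential) {
        if (!(credential instanceof OIDCCredential)) {
            // Not ours; another provider in the chain may handle it.
            return null;
        }
        OIDCCredential oidcCredential = (OIDCCredential) credential;
        MetaOpenIdConnect.OpenIdConnectRuntime runtime =
                oidcService.getOrDefault(oidcCredential.getOpenIdConnectDefinitionName());

        OIDCValidateResult result = runtime.validate(oidcCredential);
        if (!result.isValid()) {
            throw invalidResponse(result);
        }

        OIDCAccountHandle handle = new OIDCAccountHandle(
                result.getSubjectId(), result.getSubjectName(), runtime.m14getMetaData().getName(),
                result.getClaims(), result.getAccessToken(), result.getExpiresIn(),
                result.getRefreshToken(), result.getScopes());

        User user = resolveUser(runtime, result, handle);
        if (user == null) {
            // Covers both "no handler and no user" and "provisioning/update did not yield a user".
            throw new LoginFailedException(
                    WebResourceBundleUtil.resourceString(ERROR_KEY, "", "account_not_available"));
        }

        // NOTE(review): the policy check runs after auto-provisioning, so a user may be created or
        // updated and still be refused here; kept as-is because the policy is read from the user.
        if (!runtime.isAllowedOnPolicy(policyService.getOrDefault(user.getAccountPolicy()))) {
            throw new LoginFailedException(
                    WebResourceBundleUtil.resourceString(ERROR_KEY, "", "account_policy_error"),
                    new OIDCRuntimeException("policy not allow OpenIdConnectDefinition:" + runtime.m14getMetaData().getName()));
        }

        handle.setId(user.getAccountId());
        return handle;
    }

    /**
     * Finds the local user for the authenticated subject, letting the definition's auto-provisioning
     * handler (when configured) create a missing user or refresh an existing one first.
     *
     * @return the resolved user, or {@code null} when none could be found or provisioned
     */
    private User resolveUser(MetaOpenIdConnect.OpenIdConnectRuntime runtime, OIDCValidateResult result,
            OIDCAccountHandle handle) {
        User user = getUserEntityResolver().searchUser(handle);
        if (runtime.getAutoUserProvisioningHandler() == null) {
            return user;
        }
        if (user == null) {
            // Provisioning touches user entities, so it runs with elevated privileges.
            return (User) AuthContext.doPrivileged(() -> {
                // presumably the id of the newly created account; null means "do not provision" — confirm
                String createdId = runtime.getAutoUserProvisioningHandler()
                        .createUser(result.getSubjectId(), result.getSubjectName(), handle.getAttributeMap());
                if (createdId == null) {
                    return null;
                }
                runtime.connect(createdId, result);
                return getUserEntityResolver().searchUser(handle);
            });
        }
        // Lambdas may only capture effectively-final locals, hence the extra alias.
        final User existing = user;
        return (User) AuthContext.doPrivileged(() -> {
            runtime.getAutoUserProvisioningHandler()
                    .updateUser(existing, result.getSubjectId(), result.getSubjectName(), handle.getAttributeMap());
            return getUserEntityResolver().searchUser(handle);
        });
    }

    /**
     * Builds the exception for a failed validation. The OP's error details are written to the debug
     * log and wrapped in the cause only; the message shown to the caller is the generic bundle text.
     */
    private LoginFailedException invalidResponse(OIDCValidateResult result) {
        Throwable cause = result.getRootCause();
        String detail = result.getError() + ":" + result.getErrorDescription();
        if (authLog.isDebugEnabled()) {
            if (cause == null) {
                authLog.debug("OIDC failed:error=" + result.getError()
                        + ", errorDescription=" + result.getErrorDescription());
            } else {
                authLog.debug("OIDC failed:error=" + result.getError()
                        + ", errorDescription=" + result.getErrorDescription()
                        + ", exception=" + cause, cause);
            }
        }
        OIDCRuntimeException wrapped = cause == null
                ? new OIDCRuntimeException(detail)
                : new OIDCRuntimeException(detail, cause);
        return new LoginFailedException(
                WebResourceBundleUtil.resourceString(ERROR_KEY, "Invalid response from OpenID Provider.", "invalid_response"),
                wrapped);
    }

    /**
     * No local state is kept per login, so there is nothing to release here. Tokens issued by the OP
     * are not revoked by this method.
     */
    @Override
    public void logout(AccountHandle accountHandle) {
    }
}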
