package de.adorsys.ledgers.um.impl.service;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import de.adorsys.ledgers.um.api.domain.AccessTokenBO;
import de.adorsys.ledgers.um.api.domain.AccountAccessBO;
import de.adorsys.ledgers.um.api.domain.AisAccountAccessInfoBO;
import de.adorsys.ledgers.um.api.domain.AisConsentBO;
import de.adorsys.ledgers.um.api.domain.BearerTokenBO;
import de.adorsys.ledgers.um.api.domain.ScaInfoBO;
import de.adorsys.ledgers.um.api.domain.TokenUsageBO;
import de.adorsys.ledgers.um.api.domain.UserBO;
import de.adorsys.ledgers.um.api.domain.UserRoleBO;
import de.adorsys.ledgers.um.api.service.AuthorizationService;
import de.adorsys.ledgers.um.api.service.UserService;
import de.adorsys.ledgers.um.db.domain.UserRole;
import de.adorsys.ledgers.util.Ids;
import de.adorsys.ledgers.util.PasswordEnc;
import de.adorsys.ledgers.util.exception.UserManagementErrorCode;
import de.adorsys.ledgers.util.exception.UserManagementModuleException;
import java.text.ParseException;
import java.time.LocalDate;
import java.time.ZoneId;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.time.DateUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Service;

@Service
/* loaded from: input_file:de/adorsys/ledgers/um/impl/service/AuthorizationServiceImpl.class */
public class AuthorizationServiceImpl implements AuthorizationService {
    private static final Logger log = LoggerFactory.getLogger(AuthorizationServiceImpl.class);
    private static final String NO_TRANSACTION_ACCESS_USER_DOES_NOT_HAVE_ACCESS = "No transaction access. User with id %s does not have access to accounts %s";
    private static final String NO_BALANCE_ACCESS_DOES_NOT_HAVE_ACCESS = "No balance access. User with id %s does not have access to accounts %s";
    private static final String NO_ACCOUNT_ACCESS_DOES_NOT_HAVE_ACCESS = "No account access. User with id %s does not have access to accounts %s";
    private static final String PERMISSION_MODEL_CHANGED_NO_SUFFICIENT_PERMISSION = "Permission model changed for user with subject %s no sufficient permission on account %s.";
    private static final String COULD_NOT_VERIFY_SIGNATURE_OF_TOKEN_WITH_SUBJECT = "Could not verify signature of token with subject : {}";
    private static final String TOKEN_WITH_SUBJECT_EXPIRED = "Token with subject {} is expired at {} and reference time is {}";
    private static final String WRONG_JWS_ALGO_FOR_TOKEN_WITH_SUBJECT = "Wrong jws algo for token with subject : {}";
    private static final String USER_DOES_NOT_HAVE_THE_ROLE_S = "User with id %s and login %s does not have the role %s";

    @Value("${default.token.lifetime.seconds:600}")
    private int defaultLoginTokenExpireInSeconds;
    private final HashMacSecretSource secretSource;
    private final BearerTokenService bearerTokenService;
    private final UserService userService;
    private final PasswordEnc passwordEnc;

    public BearerTokenBO authorise(String str, String str2, UserRoleBO userRoleBO, String str3, String str4) {
        UserBO findByLogin = this.userService.findByLogin(str);
        if (this.passwordEnc.verify(findByLogin.getId(), str2, findByLogin.getPin())) {
            return getLoginToken(str3, str4, findByLogin, userRoleBO);
        }
        return null;
    }

    public BearerTokenBO authorizeNewAuthorizationId(ScaInfoBO scaInfoBO, String str) {
        return getLoginToken(scaInfoBO.getScaId(), str, this.userService.findByLogin(scaInfoBO.getUserLogin()), scaInfoBO.getUserRole());
    }

    private BearerTokenBO getLoginToken(String str, String str2, UserBO userBO, UserRoleBO userRoleBO) {
        UserRoleBO userRoleBO2 = (UserRoleBO) userBO.getUserRoles().stream().filter(userRoleBO3 -> {
            return userRoleBO3.name().equals(userRoleBO.name());
        }).findFirst().orElseThrow(() -> {
            return UserManagementModuleException.builder().errorCode(UserManagementErrorCode.INSUFFICIENT_PERMISSION).devMsg(String.format(USER_DOES_NOT_HAVE_THE_ROLE_S, userBO.getId(), userBO.getLogin(), userRoleBO)).build();
        });
        checkUserForBlocking(EnumSet.of(UserRoleBO.STAFF, UserRoleBO.SYSTEM), userBO);
        String id = str != null ? str : Ids.id();
        String str3 = str2 != null ? str2 : id;
        Date date = new Date();
        return this.bearerTokenService.bearerToken(userBO.getId(), userBO.getLogin(), null, null, UserRole.valueOf(userRoleBO2.name()), id, str3, date, DateUtils.addSeconds(date, this.defaultLoginTokenExpireInSeconds), TokenUsageBO.LOGIN, null);
    }

    public BearerTokenBO validate(String str, Date date) {
        try {
            SignedJWT parse = SignedJWT.parse(str);
            JWTClaimsSet jWTClaimsSet = parse.getJWTClaimsSet();
            if (!JWSAlgorithm.HS256.equals(parse.getHeader().getAlgorithm())) {
                log.warn(WRONG_JWS_ALGO_FOR_TOKEN_WITH_SUBJECT, jWTClaimsSet.getSubject());
                return null;
            }
            int expiresIn = this.bearerTokenService.expiresIn(date, jWTClaimsSet);
            if (expiresIn <= 0) {
                log.warn(TOKEN_WITH_SUBJECT_EXPIRED, new Object[]{jWTClaimsSet.getSubject(), jWTClaimsSet.getExpirationTime(), date});
                return null;
            }
            if (!parse.verify(new MACVerifier(this.secretSource.getHmacSecret()))) {
                log.warn(COULD_NOT_VERIFY_SIGNATURE_OF_TOKEN_WITH_SUBJECT, jWTClaimsSet.getSubject());
                return null;
            }
            UserBO findById = this.userService.findById(jWTClaimsSet.getSubject());
            checkUserForBlocking(Collections.singleton(UserRoleBO.SYSTEM), findById);
            AccessTokenBO accessTokenObject = this.bearerTokenService.toAccessTokenObject(jWTClaimsSet);
            validateAccountAccesses(findById, accessTokenObject);
            validateAisConsent(accessTokenObject.getConsent(), findById);
            return this.bearerTokenService.bearerToken(str, expiresIn, accessTokenObject);
        } catch (ParseException | JOSEException e) {
            log.warn(e.getMessage());
            return null;
        }
    }

    public BearerTokenBO consentToken(ScaInfoBO scaInfoBO, AisConsentBO aisConsentBO) {
        UserBO findById = this.userService.findById(scaInfoBO.getUserId());
        aisConsentBO.setUserId(findById.getId());
        validateAisConsent(aisConsentBO, findById);
        Date date = new Date();
        Date expirationDate = getExpirationDate(aisConsentBO, date);
        HashMap hashMap = new HashMap();
        hashMap.put("tppId", aisConsentBO.getTppId());
        return this.bearerTokenService.bearerToken(findById.getId(), findById.getLogin(), null, aisConsentBO, UserRole.valueOf(scaInfoBO.getUserRole().name()), scaInfoBO.getScaId(), scaInfoBO.getAuthorisationId(), date, expirationDate, TokenUsageBO.DELEGATED_ACCESS, hashMap);
    }

    public BearerTokenBO scaToken(ScaInfoBO scaInfoBO) {
        return getToken(scaInfoBO, TokenUsageBO.DIRECT_ACCESS);
    }

    public BearerTokenBO loginToken(ScaInfoBO scaInfoBO) {
        return getToken(scaInfoBO, TokenUsageBO.LOGIN);
    }

    public boolean validateCredentials(String str, String str2, UserRoleBO userRoleBO) {
        UserBO findByLogin = this.userService.findByLogin(str);
        return this.passwordEnc.verify(findByLogin.getId(), str2, findByLogin.getPin()) && findByLogin.getUserRoles().stream().anyMatch(userRoleBO2 -> {
            return userRoleBO2.equals(userRoleBO);
        });
    }

    private void validateAccountAccesses(UserBO userBO, AccessTokenBO accessTokenBO) {
        Iterator it = accessTokenBO.getAccountAccesses().iterator();
        while (it.hasNext()) {
            log.info("Account {} was successfully validated", confirmAndReturnAccess(userBO.getId(), (AccountAccessBO) it.next(), userBO.getAccountAccesses()).getIban());
        }
    }

    private AccountAccessBO confirmAndReturnAccess(String str, AccountAccessBO accountAccessBO, List<AccountAccessBO> list) {
        return list.stream().filter(accountAccessBO2 -> {
            return matchAccess(accountAccessBO, accountAccessBO2);
        }).findFirst().orElseThrow(() -> {
            String format = String.format(PERMISSION_MODEL_CHANGED_NO_SUFFICIENT_PERMISSION, str, accountAccessBO.getIban());
            log.warn(format);
            return UserManagementModuleException.builder().errorCode(UserManagementErrorCode.INSUFFICIENT_PERMISSION).devMsg(format).build();
        });
    }

    private boolean matchAccess(AccountAccessBO accountAccessBO, AccountAccessBO accountAccessBO2) {
        return StringUtils.equals(accountAccessBO.getIban(), accountAccessBO2.getIban()) && accountAccessBO.getCurrency().equals(accountAccessBO2.getCurrency()) && accountAccessBO.getAccessType().compareTo(accountAccessBO2.getAccessType()) <= 0;
    }

    private BearerTokenBO getToken(ScaInfoBO scaInfoBO, TokenUsageBO tokenUsageBO) {
        UserBO findById = this.userService.findById(scaInfoBO.getUserId());
        Date date = new Date();
        return this.bearerTokenService.bearerToken(findById.getId(), findById.getLogin(), null, null, UserRole.valueOf(scaInfoBO.getUserRole().name()), scaInfoBO.getScaId(), scaInfoBO.getAuthorisationId(), date, DateUtils.addSeconds(date, this.defaultLoginTokenExpireInSeconds), tokenUsageBO, null);
    }

    /* JADX WARN: Type inference failed for: r0v5, types: [java.time.ZonedDateTime] */
    private Date getExpirationDate(AisConsentBO aisConsentBO, Date date) {
        LocalDate validUntil = aisConsentBO.getValidUntil();
        return validUntil == null ? DateUtils.addDays(date, 90) : Date.from(validUntil.atTime(23, 59, 59, 99).atZone(ZoneId.systemDefault()).toInstant());
    }

    private void validateAisConsent(AisConsentBO aisConsentBO, UserBO userBO) {
        if (aisConsentBO == null) {
            return;
        }
        List<String> list = (List) userBO.getAccountAccesses().stream().map((v0) -> {
            return v0.getIban();
        }).collect(Collectors.toList());
        AisAccountAccessInfoBO access = aisConsentBO.getAccess();
        if (access != null) {
            checkAccountAccess(list, access.getAccounts(), NO_ACCOUNT_ACCESS_DOES_NOT_HAVE_ACCESS, userBO.getId());
            checkAccountAccess(list, access.getBalances(), NO_BALANCE_ACCESS_DOES_NOT_HAVE_ACCESS, userBO.getId());
            checkAccountAccess(list, access.getTransactions(), NO_TRANSACTION_ACCESS_USER_DOES_NOT_HAVE_ACCESS, userBO.getId());
        }
    }

    private void checkAccountAccess(List<String> list, List<String> list2, String str, String str2) {
        ArrayList arrayList = new ArrayList();
        if (list2 != null) {
            arrayList.addAll(list2);
        }
        arrayList.removeAll(list);
        if (!arrayList.isEmpty()) {
            throw UserManagementModuleException.builder().errorCode(UserManagementErrorCode.INSUFFICIENT_PERMISSION).devMsg(String.format(str, str2, arrayList.toString())).build();
        }
    }

    private void checkUserForBlocking(Set<UserRoleBO> set, UserBO userBO) {
        if (userBO.isBlocked()) {
            Stream stream = userBO.getUserRoles().stream();
            set.getClass();
            if (stream.noneMatch((v1) -> {
                return r1.contains(v1);
            })) {
                log.info("User with id {} is blocked by configuration", userBO.getId());
                throw ((UserManagementModuleException) UserManagementModuleException.getUserBlockedSupplier(true).get());
            }
        }
    }

    public AuthorizationServiceImpl(HashMacSecretSource hashMacSecretSource, BearerTokenService bearerTokenService, UserService userService, PasswordEnc passwordEnc) {
        this.secretSource = hashMacSecretSource;
        this.bearerTokenService = bearerTokenService;
        this.userService = userService;
        this.passwordEnc = passwordEnc;
    }
}
