package alpine.server.auth;

import alpine.Config;
import alpine.common.logging.Logger;
import alpine.model.OidcUser;
import alpine.persistence.AlpineQueryManager;
import alpine.server.auth.AlpineAuthenticationException;
import alpine.server.util.OidcUtil;
import java.security.Principal;
import java.util.List;
import java.util.Objects;
import javax.annotation.Nonnull;

/* loaded from: input_file:alpine/server/auth/OidcAuthenticationService.class */
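/**
 * {@link AuthenticationService} for OpenID Connect.
 *
 * <p>A request may present an ID token, an access token, or both. The ID token is
 * handed to {@link OidcIdTokenAuthenticator}, the access token to
 * {@link OidcUserInfoAuthenticator} (which resolves it against the UserInfo endpoint).
 * Whichever source yields a "complete" profile (subject, username and – when team
 * synchronization is enabled – groups) is used; if neither is complete on its own the
 * two profiles are merged, with ID token claims taking precedence.
 *
 * <p>Security notes:
 * <ul>
 *   <li>Per OIDC Core 5.3.2 the {@code sub} returned by the UserInfo endpoint must match
 *       the {@code sub} of the ID token; when both are available and differ the request is
 *       rejected rather than merged, so claims of one identity cannot be attached to another.</li>
 *   <li>Existing users are looked up by the configured username claim; the IdP subject
 *       identifier is bound to the account on first successful login and must match on every
 *       later login. The username claim therefore has to be stable and unique at the IdP.</li>
 * </ul>
 */
public class OidcAuthenticationService implements AuthenticationService {
    private static final Logger LOGGER = Logger.getLogger(OidcAuthenticationService.class);
    private final Config config;
    private final OidcConfiguration oidcConfiguration;
    private final OidcIdTokenAuthenticator idTokenAuthenticator;
    private final OidcUserInfoAuthenticator userInfoAuthenticator;
    private final String idToken;
    private final String accessToken;

    /**
     * Access-token-only authentication (no ID token).
     *
     * @param accessToken the OAuth 2.0 access token presented by the client
     * @deprecated use {@link #OidcAuthenticationService(String, String)} and pass the ID token as well
     */
    @Deprecated
    public OidcAuthenticationService(final String accessToken) {
        this(Config.getInstance(), OidcConfigurationResolver.getInstance().resolve(), null, accessToken);
    }

    /**
     * @param idToken     the OIDC ID token presented by the client, or {@code null}
     * @param accessToken the OAuth 2.0 access token presented by the client, or {@code null}
     */
    public OidcAuthenticationService(final String idToken, final String accessToken) {
        this(Config.getInstance(), OidcConfigurationResolver.getInstance().resolve(), idToken, accessToken);
    }

    OidcAuthenticationService(final Config config, final OidcConfiguration oidcConfiguration,
                              final String idToken, final String accessToken) {
        this(config, oidcConfiguration,
                new OidcIdTokenAuthenticator(oidcConfiguration, config.getProperty(Config.AlpineKey.OIDC_CLIENT_ID)),
                new OidcUserInfoAuthenticator(oidcConfiguration),
                idToken, accessToken);
    }

    /** Full constructor; package-private so tests can inject the token authenticators. */
    OidcAuthenticationService(final Config config, final OidcConfiguration oidcConfiguration,
                              final OidcIdTokenAuthenticator idTokenAuthenticator,
                              final OidcUserInfoAuthenticator userInfoAuthenticator,
                              final String idToken, final String accessToken) {
        this.config = config;
        this.oidcConfiguration = oidcConfiguration;
        this.idTokenAuthenticator = idTokenAuthenticator;
        this.userInfoAuthenticator = userInfoAuthenticator;
        this.idToken = idToken;
        this.accessToken = accessToken;
    }

    /**
     * @return {@code true} when OIDC is available and at least one token was supplied
     */
    @Override // alpine.server.auth.AuthenticationService
    public boolean isSpecified() {
        final boolean anyTokenPresent = idToken != null || accessToken != null;
        return OidcUtil.isOidcAvailable(config, oidcConfiguration) && anyTokenPresent;
    }

    /**
     * Resolves the presented token(s) to an {@link OidcUser}.
     *
     * @return the authenticated (possibly just provisioned) user
     * @throws AlpineAuthenticationException {@code OTHER} when required claims are not configured
     *         or no complete profile can be assembled; {@code INVALID_CREDENTIALS} when the
     *         subject of the UserInfo response does not match the ID token, or when the stored
     *         subject of an existing user differs from the presented one;
     *         {@code UNMAPPED_ACCOUNT} when the user is unknown and provisioning is disabled
     */
    @Override // alpine.server.auth.AuthenticationService
    @Nonnull
    public Principal authenticate() throws AlpineAuthenticationException {
        final String usernameClaim = config.getProperty(Config.AlpineKey.OIDC_USERNAME_CLAIM);
        if (usernameClaim == null) {
            LOGGER.error("No username claim has been configured");
            throw new AlpineAuthenticationException(AlpineAuthenticationException.CauseType.OTHER);
        }
        final boolean teamSyncEnabled = config.getPropertyAsBoolean(Config.AlpineKey.OIDC_TEAM_SYNCHRONIZATION);
        final String teamsClaim = config.getProperty(Config.AlpineKey.OIDC_TEAMS_CLAIM);
        if (teamSyncEnabled && teamsClaim == null) {
            LOGGER.error("Team synchronization is enabled, but no teams claim has been configured");
            throw new AlpineAuthenticationException(AlpineAuthenticationException.CauseType.OTHER);
        }

        // Maps a verified claims set onto the internal profile; the claim names for username
        // and groups are deployment configuration, "sub" and "email" are standard OIDC claims.
        final OidcProfileCreator profileCreator = claimsSet -> {
            final OidcProfile profile = new OidcProfile();
            profile.setSubject(claimsSet.getStringClaim("sub"));
            profile.setUsername(claimsSet.getStringClaim(usernameClaim));
            profile.setGroups(claimsSet.getStringListClaim(teamsClaim));
            profile.setEmail(claimsSet.getStringClaim("email"));
            return profile;
        };

        // 1. ID token alone (assumed to be signature/issuer/audience-validated by the authenticator).
        OidcProfile idTokenProfile = null;
        if (idToken != null) {
            idTokenProfile = idTokenAuthenticator.authenticate(idToken, profileCreator);
            LOGGER.debug("ID token profile: " + idTokenProfile);
            if (isProfileComplete(idTokenProfile, teamSyncEnabled)) {
                LOGGER.debug("ID token profile is complete, proceeding to authenticate");
                return authenticateInternal(idTokenProfile);
            }
        }

        // 2. UserInfo alone. When an ID token was also presented, its subject must agree with
        //    the UserInfo subject before the UserInfo claims may be used at all (OIDC Core 5.3.2).
        OidcProfile userInfoProfile = null;
        if (accessToken != null) {
            userInfoProfile = userInfoAuthenticator.authenticate(accessToken, profileCreator);
            LOGGER.debug("UserInfo profile: " + userInfoProfile);
            if (idTokenProfile != null) {
                requireSameSubject(idTokenProfile, userInfoProfile);
            }
            if (isProfileComplete(userInfoProfile, teamSyncEnabled)) {
                LOGGER.debug("UserInfo profile is complete, proceeding to authenticate");
                return authenticateInternal(userInfoProfile);
            }
        }

        // 3. Neither source was complete on its own: combine them, ID token claims first.
        OidcProfile mergedProfile = null;
        if (idTokenProfile != null && userInfoProfile != null) {
            mergedProfile = mergeProfiles(idTokenProfile, userInfoProfile);
            LOGGER.debug("Merged profile: " + mergedProfile);
            if (isProfileComplete(mergedProfile, teamSyncEnabled)) {
                LOGGER.debug("Merged profile is complete, proceeding to authenticate");
                return authenticateInternal(mergedProfile);
            }
        }

        LOGGER.error("Unable to assemble complete profile (ID token: " + idTokenProfile
                + ", UserInfo: " + userInfoProfile + ", Merged: " + mergedProfile + ")");
        throw new AlpineAuthenticationException(AlpineAuthenticationException.CauseType.OTHER);
    }

    /**
     * Rejects the request when the ID token and the UserInfo response carry different,
     * non-null subjects. A missing subject on either side is not treated as a mismatch here;
     * it is caught later by {@link #isProfileComplete} unless the merge can fill it in.
     *
     * @throws AlpineAuthenticationException {@code INVALID_CREDENTIALS} on a subject mismatch
     */
    private void requireSameSubject(final OidcProfile idTokenProfile, final OidcProfile userInfoProfile)
            throws AlpineAuthenticationException {
        final String idTokenSubject = idTokenProfile.getSubject();
        final String userInfoSubject = userInfoProfile.getSubject();
        if (idTokenSubject != null && userInfoSubject != null && !idTokenSubject.equals(userInfoSubject)) {
            LOGGER.error("Refusing to authenticate: subject of UserInfo response (" + userInfoSubject
                    + ") does not match subject of ID token (" + idTokenSubject + ")");
            throw new AlpineAuthenticationException(AlpineAuthenticationException.CauseType.INVALID_CREDENTIALS);
        }
    }

    /**
     * Looks the profile up in the database and provisions, binds or updates the account.
     *
     * <p>The lookup key is the username claim. A stored user without a subject identifier is
     * bound to the presented subject on this login (trust-on-first-use for pre-created accounts);
     * afterwards the stored and presented subjects must be equal.
     *
     * @param profile a complete profile (non-null subject and username)
     * @return the persisted user, after any email/team updates
     * @throws AlpineAuthenticationException see {@link #authenticate()}
     */
    private OidcUser authenticateInternal(final OidcProfile profile) throws AlpineAuthenticationException {
        try (AlpineQueryManager qm = new AlpineQueryManager()) {
            final OidcUser storedUser = qm.getOidcUser(profile.getUsername());

            if (storedUser == null) {
                if (!config.getPropertyAsBoolean(Config.AlpineKey.OIDC_USER_PROVISIONING)) {
                    LOGGER.debug("The user (" + profile.getUsername() + ") is unmapped and user provisioning is not enabled");
                    throw new AlpineAuthenticationException(AlpineAuthenticationException.CauseType.UNMAPPED_ACCOUNT);
                }
                LOGGER.debug("The user (" + profile.getUsername() + ") authenticated successfully but the account has not been provisioned");
                return autoProvision(qm, profile);
            }

            LOGGER.debug("Attempting to authenticate user: " + storedUser.getUsername());

            // First OIDC login of a pre-existing account: bind the IdP subject to it.
            // Note: team synchronization is intentionally not performed on this path.
            if (storedUser.getSubjectIdentifier() == null) {
                LOGGER.debug("Assigning subject identifier " + profile.getSubject() + " to user " + storedUser.getUsername());
                storedUser.setSubjectIdentifier(profile.getSubject());
                storedUser.setEmail(profile.getEmail());
                return qm.updateOidcUser(storedUser);
            }

            // Same username but a different IdP subject: never merge identities.
            if (!storedUser.getSubjectIdentifier().equals(profile.getSubject())) {
                LOGGER.error("Refusing to authenticate user " + storedUser.getUsername()
                        + ": subject identifier has changed (" + storedUser.getSubjectIdentifier()
                        + " to " + profile.getSubject() + ")");
                throw new AlpineAuthenticationException(AlpineAuthenticationException.CauseType.INVALID_CREDENTIALS);
            }

            OidcUser user = storedUser;
            if (!Objects.equals(user.getEmail(), profile.getEmail())) {
                LOGGER.debug("Updating email of user " + user.getUsername() + ": " + user.getEmail() + " -> " + profile.getEmail());
                user.setEmail(profile.getEmail());
                user = qm.updateOidcUser(user);
            }

            if (config.getPropertyAsBoolean(Config.AlpineKey.OIDC_TEAM_SYNCHRONIZATION)) {
                return qm.synchronizeTeamMembership(user, profile.getGroups());
            }
            return user;
        }
    }

    /**
     * @param profile         profile to check
     * @param teamSyncEnabled whether a groups claim is required as well
     * @return {@code true} when subject and username are present, and groups too if required
     */
    private boolean isProfileComplete(final OidcProfile profile, final boolean teamSyncEnabled) {
        if (profile.getSubject() == null || profile.getUsername() == null) {
            return false;
        }
        return !teamSyncEnabled || profile.getGroups() != null;
    }

    /**
     * Combines two profiles claim by claim; for every claim the ID token value is used when
     * present, otherwise the UserInfo value.
     */
    private OidcProfile mergeProfiles(final OidcProfile idTokenProfile, final OidcProfile userInfoProfile) {
        final OidcProfile merged = new OidcProfile();
        merged.setSubject(selectProfileClaim(idTokenProfile.getSubject(), userInfoProfile.getSubject()));
        merged.setUsername(selectProfileClaim(idTokenProfile.getUsername(), userInfoProfile.getUsername()));
        merged.setGroups(selectProfileClaim(idTokenProfile.getGroups(), userInfoProfile.getGroups()));
        merged.setEmail(selectProfileClaim(idTokenProfile.getEmail(), userInfoProfile.getEmail()));
        return merged;
    }

    /** @return {@code preferred} unless it is {@code null}, in which case {@code fallback} */
    private <T> T selectProfileClaim(final T preferred, final T fallback) {
        return preferred != null ? preferred : fallback;
    }

    /**
     * Creates a new {@link OidcUser} from the profile. Team membership is taken from the
     * profile's groups when team synchronization is enabled, otherwise from the configured
     * default teams ({@code OIDC_TEAMS_DEFAULT}).
     */
    private OidcUser autoProvision(final AlpineQueryManager qm, final OidcProfile profile) {
        final OidcUser newUser = new OidcUser();
        newUser.setUsername(profile.getUsername());
        newUser.setSubjectIdentifier(profile.getSubject());
        newUser.setEmail(profile.getEmail());
        final OidcUser persisted = (OidcUser) qm.persist(newUser);

        if (config.getPropertyAsBoolean(Config.AlpineKey.OIDC_TEAM_SYNCHRONIZATION)) {
            LOGGER.debug("Synchronizing teams for user " + persisted.getUsername());
            return qm.synchronizeTeamMembership(persisted, profile.getGroups());
        }
        final List<String> defaultTeams = config.getPropertyAsList(Config.AlpineKey.OIDC_TEAMS_DEFAULT);
        return qm.addUserToTeams(persisted, defaultTeams);
    }
}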
