package sirius.biz.tenants;

import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.UUID;
import sirius.biz.web.BizController;
import sirius.db.mixing.Column;
import sirius.db.mixing.Constraint;
import sirius.db.mixing.constraints.FieldOperator;
import sirius.kernel.commons.Lambdas;
import sirius.kernel.commons.Strings;
import sirius.kernel.di.std.ConfigValue;
import sirius.kernel.di.std.Part;
import sirius.kernel.di.std.Register;
import sirius.kernel.health.Exceptions;
import sirius.web.controller.Controller;
import sirius.web.controller.Routed;
import sirius.web.http.WebContext;
import sirius.web.security.SAMLHelper;
import sirius.web.security.SAMLResponse;
import sirius.web.security.UserContext;
import sirius.web.security.UserInfo;

@Register(classes = {Controller.class})
/* loaded from: input_file:sirius/biz/tenants/SAMLController.class */
public class SAMLController extends BizController {

    @Part
    private SAMLHelper saml;

    @ConfigValue("product.wondergemRoot")
    private String wondergemRoot;

    @ConfigValue("security.roles")
    private List<String> roles;

    @Routed("/saml")
    public void saml(WebContext webContext) {
        webContext.respondWith().template("/templates/tenants/saml.html.pasta", new Object[]{obtainTenantsForSaml(webContext)});
    }

    private List<Tenant> obtainTenantsForSaml(WebContext webContext) {
        if (!webContext.hasParameter("issuerName")) {
            return this.oma.select(Tenant.class).where(new Constraint[]{FieldOperator.on(Tenant.SAML_ISSUER_URL).notEqual((Object) null)}).orderAsc(Tenant.NAME).queryList();
        }
        Tenant tenant = new Tenant();
        tenant.setSamlRequestIssuerName(webContext.require(new String[]{"issuerName"}).asString());
        tenant.setSamlIssuerUrl(webContext.require(new String[]{"issuerUrl"}).asString());
        tenant.setSamlIssuerIndex(webContext.get("issuerIndex").asString("0"));
        return Collections.singletonList(tenant);
    }

    @Routed("/saml/login")
    public void samlLogin(WebContext webContext) {
        if (!webContext.isPOST()) {
            webContext.respondWith().redirectToGet("/saml");
            return;
        }
        SAMLResponse parseSAMLResponse = this.saml.parseSAMLResponse(webContext);
        if (Strings.isEmpty(parseSAMLResponse.getNameId())) {
            throw Exceptions.createHandled().withSystemErrorMessage("SAML Error: No or empty name ID was given.", new Object[0]).handle();
        }
        TenantUserManager userManager = UserContext.getCurrentScope().getUserManager();
        UserInfo findUserByName = userManager.findUserByName(webContext, parseSAMLResponse.getNameId());
        if (findUserByName == null) {
            findUserByName = tryCreateUser(webContext, parseSAMLResponse);
        } else {
            verifyUser(parseSAMLResponse, findUserByName);
        }
        UserContext userContext = UserContext.get();
        userContext.setCurrentUser(findUserByName);
        userContext.attachUserToSession();
        userManager.recordLogin(findUserByName, true);
        webContext.respondWith().redirectToGet(webContext.get("goto").asString(this.wondergemRoot));
    }

    private UserInfo tryCreateUser(WebContext webContext, SAMLResponse sAMLResponse) {
        if (Strings.isEmpty(sAMLResponse.getIssuer())) {
            throw Exceptions.createHandled().withSystemErrorMessage("SAML Error: No issuer in request!", new Object[0]).handle();
        }
        Tenant findTenant = findTenant(sAMLResponse);
        checkFingerprint(findTenant, sAMLResponse);
        UserAccount userAccount = new UserAccount();
        userAccount.getTenant().setValue(findTenant);
        userAccount.getLogin().setUsername(sAMLResponse.getNameId());
        userAccount.getLogin().setCleartextPassword(UUID.randomUUID().toString());
        userAccount.setExternalLoginRequired(true);
        updateAccount(sAMLResponse, userAccount);
        this.oma.update(userAccount);
        UserInfo findUserByName = UserContext.getCurrentScope().getUserManager().findUserByName(webContext, sAMLResponse.getNameId());
        if (findUserByName == null) {
            throw Exceptions.createHandled().withSystemErrorMessage("SAML Error: Failed to create a user", new Object[0]).handle();
        }
        return findUserByName;
    }

    private Tenant findTenant(SAMLResponse sAMLResponse) {
        for (Tenant tenant : this.oma.select(Tenant.class).fields(new Column[]{Tenant.ID, Tenant.SAML_ISSUER_NAME, Tenant.SAML_FINGERPRINT}).where(new Constraint[]{FieldOperator.on(Tenant.SAML_ISSUER_NAME).notEqual((Object) null)}).where(new Constraint[]{FieldOperator.on(Tenant.SAML_FINGERPRINT).notEqual((Object) null)}).queryList()) {
            if (checkIssuer(tenant, sAMLResponse)) {
                return tenant;
            }
        }
        throw Exceptions.createHandled().withSystemErrorMessage("SAML Error: No matching tenant found for issuer: %s", new Object[]{sAMLResponse.getIssuer()}).handle();
    }

    private void verifyUser(SAMLResponse sAMLResponse, UserInfo userInfo) {
        UserAccount userAccount = (UserAccount) userInfo.getUserObject(UserAccount.class);
        Tenant tenant = (Tenant) userAccount.getTenant().getValue();
        if (!checkIssuer(tenant, sAMLResponse)) {
            throw Exceptions.createHandled().withSystemErrorMessage("SAML Error: Issuer mismatch!", new Object[0]).handle();
        }
        if (!checkFingerprint(tenant, sAMLResponse)) {
            throw Exceptions.createHandled().withSystemErrorMessage("SAML Error: Fingerprint mismatch!", new Object[0]).handle();
        }
        UserAccount userAccount2 = (UserAccount) this.oma.refreshOrFail(userAccount);
        updateAccount(sAMLResponse, userAccount2);
        this.oma.update(userAccount2);
    }

    private boolean checkFingerprint(Tenant tenant, SAMLResponse sAMLResponse) {
        return isInList(tenant.getSamlFingerprint(), sAMLResponse.getFingerprint());
    }

    private boolean checkIssuer(Tenant tenant, SAMLResponse sAMLResponse) {
        return isInList(tenant.getSamlIssuerName(), sAMLResponse.getIssuer());
    }

    private boolean isInList(String str, String str2) {
        if (Strings.isEmpty(str)) {
            return false;
        }
        for (String str3 : str.split(",")) {
            if (Strings.isFilled(str3) && Strings.areEqual(str3, str2)) {
                return true;
            }
        }
        return false;
    }

    private void updateAccount(SAMLResponse sAMLResponse, UserAccount userAccount) {
        userAccount.getPermissions().getPermissions().clear();
        sAMLResponse.getAttribute("http://schemas.xmlsoap.org/claims/Group").stream().filter((v0) -> {
            return Strings.isFilled(v0);
        }).flatMap(str -> {
            return Arrays.stream(str.split(","));
        }).map((v0) -> {
            return v0.trim();
        }).filter((v0) -> {
            return Strings.isFilled(v0);
        }).filter(str2 -> {
            return this.roles.contains(str2);
        }).collect(Lambdas.into(userAccount.getPermissions().getPermissions()));
        if (Strings.isFilled(sAMLResponse.getAttributeValue("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"))) {
            userAccount.getPerson().setFirstname(sAMLResponse.getAttributeValue("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"));
        }
        if (Strings.isFilled(sAMLResponse.getAttributeValue("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"))) {
            userAccount.getPerson().setLastname(sAMLResponse.getAttributeValue("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"));
        }
        if (Strings.isFilled(sAMLResponse.getAttributeValue("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"))) {
            userAccount.setEmail(sAMLResponse.getAttributeValue("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"));
        }
    }
}
