package io.mapsmessaging.security.jaas;

import io.mapsmessaging.security.identity.principals.AuthHandlerPrincipal;
import io.mapsmessaging.security.identity.principals.GroupPrincipal;
import io.mapsmessaging.security.jaas.aws.AwsAuthHelper;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.cognitoidentityprovider.CognitoIdentityProviderClient;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminInitiateAuthRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AuthenticationResultType;
import software.amazon.awssdk.services.cognitoidentityprovider.model.GetUserRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.NotAuthorizedException;

/* loaded from: input_file:io/mapsmessaging/security/jaas/AwsCognitoLoginModule.class */
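public class AwsCognitoLoginModule extends BaseLoginModule {

    /** Name attached as an {@link AuthHandlerPrincipal} once a login commits. */
    private static final String AUTH_HANDLER_NAME = "Aws:Cognito";

    /** Cognito auth flow used for username/password logins. */
    private static final String PASSWORD_AUTH_FLOW = "ADMIN_NO_SRP_AUTH";

    // All of the following are read from the JAAS options map in initialize().
    private String userPoolId;
    private String appClientId;
    private String accessKeyId;
    private String accessSecretKey;
    private String appClientSecret;
    private Region region;

    // Groups resolved during a successful password login; null until validate()
    // has completed that path. NOTE(review): a token (JWT) login does not touch
    // this field, so no GroupPrincipals are added for token logins — confirm
    // that is intended.
    private List<String> groupList;

    /**
     * Reads the Cognito configuration from the JAAS options.
     *
     * <p>Per the {@code LoginModule} contract, {@code map} is the shared state and
     * {@code map2} the module options. Expected option keys: {@code region},
     * {@code userPoolId}, {@code accessKeyId}, {@code secretAccessKey},
     * {@code appClientId}, {@code appClientSecret}. Values are cast to
     * {@link String} without validation; a missing key is stored as {@code null}
     * and surfaces later (or, for {@code region}, inside {@link Region#of}).
     *
     * @param subject the subject being authenticated
     * @param callbackHandler handler used to collect credentials
     * @param map shared state between login modules
     * @param map2 module options from the JAAS configuration
     */
    @Override // io.mapsmessaging.security.jaas.BaseLoginModule
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> map, Map<String, ?> map2) {
        super.initialize(subject, callbackHandler, map, map2);
        this.region = Region.of(option(map2, "region"));
        this.userPoolId = option(map2, "userPoolId");
        this.accessKeyId = option(map2, "accessKeyId");
        this.accessSecretKey = option(map2, "secretAccessKey");
        this.appClientId = option(map2, "appClientId");
        this.appClientSecret = option(map2, "appClientSecret");
    }

    /** Returns the named JAAS option as a String ({@code null} when absent). */
    private static String option(Map<String, ?> options, String key) {
        return (String) options.get(key);
    }

    /**
     * Validates a username against Cognito using either a password or an access token.
     *
     * <p>If the supplied credential looks like a JWT (per {@link AwsAuthHelper#isJwt})
     * it is treated as a Cognito access token and checked with
     * {@link #validateForJWT}; otherwise an {@code ADMIN_NO_SRP_AUTH} flow is run
     * with the password and the client secret hash, and on success the user's
     * groups are resolved into {@link #groupList}.
     *
     * <p>The credential has to be converted to a {@link String} because the SDK
     * request takes {@code Map<String, String>}; only one such copy is made here,
     * but it cannot be zeroed afterwards.
     *
     * @param str the username
     * @param cArr the password or access token
     * @return {@code true} when Cognito accepted the credential and (for the
     *     password path) returned an authentication result; {@code false} when the
     *     password flow returned no result or the token's user does not match
     * @throws LoginException when Cognito reports {@link NotAuthorizedException}
     *     or the secret-hash computation fails ({@link InvalidKeyException},
     *     {@link NoSuchAlgorithmException}); the message deliberately does not say
     *     which. Other SDK runtime exceptions propagate unchanged.
     */
    @Override // io.mapsmessaging.security.jaas.BaseLoginModule
    public boolean validate(String str, char[] cArr) throws LoginException {
        try (CognitoIdentityProviderClient client = CognitoIdentityProviderClient.builder()
                .credentialsProvider(StaticCredentialsProvider.create(
                        AwsBasicCredentials.create(this.accessKeyId, this.accessSecretKey)))
                .region(this.region)
                .build()) {
            // Computed before the branch so a broken client-secret configuration
            // fails both login paths the same way.
            String secretHash = AwsAuthHelper.generateSecretHash(this.appClientId, this.appClientSecret, str);
            String credential = new String(cArr);
            if (AwsAuthHelper.isJwt(credential)) {
                return validateForJWT(client, str, credential);
            }
            AdminInitiateAuthRequest request = AdminInitiateAuthRequest.builder()
                    .authFlow(PASSWORD_AUTH_FLOW)
                    .clientId(this.appClientId)
                    .userPoolId(this.userPoolId)
                    .authParameters(Map.of("USERNAME", str, "PASSWORD", credential, "SECRET_HASH", secretHash))
                    .build();
            AuthenticationResultType result = client.adminInitiateAuth(request).authenticationResult();
            if (result == null) {
                // e.g. Cognito asked for a challenge instead of issuing tokens
                return false;
            }
            this.groupList = AwsAuthHelper.getGroups(result.accessToken(), this.region.id(), this.userPoolId);
            return true;
        } catch (NotAuthorizedException | InvalidKeyException | NoSuchAlgorithmException e) {
            // Generic message: do not reveal to the caller which factor failed.
            LoginException loginException = new LoginException("Not authorised exception raised");
            loginException.initCause(e);
            throw loginException;
        }
    }

    /**
     * Commits the login and, if the base commit succeeded and groups were resolved,
     * adds one {@link GroupPrincipal} per group plus an {@link AuthHandlerPrincipal}
     * to the subject.
     *
     * @return the result of {@code super.commit()}
     */
    @Override // io.mapsmessaging.security.jaas.BaseLoginModule
    public boolean commit() {
        boolean committed = super.commit();
        if (committed && this.groupList != null) {
            for (String group : this.groupList) {
                this.subject.getPrincipals().add(new GroupPrincipal(group));
            }
            this.subject.getPrincipals().add(new AuthHandlerPrincipal(AUTH_HANDLER_NAME));
        }
        return committed;
    }

    /**
     * Checks an access token by asking Cognito for the user it belongs to and
     * comparing that username with the one supplied.
     *
     * <p>Token validity (signature, expiry) is decided by Cognito in
     * {@code getUser}; this method only verifies the token is bound to {@code str}.
     * An invalid token surfaces as an SDK exception from {@code getUser}.
     *
     * @param client open Cognito client
     * @param str the username the caller claims
     * @param accessToken the JWT presented as the credential
     * @return {@code true} when the token's user equals {@code str}
     */
    private boolean validateForJWT(CognitoIdentityProviderClient client, String str, String accessToken) {
        GetUserRequest request = GetUserRequest.builder().accessToken(accessToken).build();
        return str.equals(client.getUser(request).username());
    }
}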
