package pl.edu.icm.unity.oauth.rp.local;

import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import eu.unicore.util.configuration.ConfigurationException;
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Optional;
import java.util.Properties;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.ObjectFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import pl.edu.icm.unity.base.authn.AuthenticationMethod;
import pl.edu.icm.unity.base.authn.CredentialDefinition;
import pl.edu.icm.unity.base.exceptions.EngineException;
import pl.edu.icm.unity.base.exceptions.InternalException;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.authn.AbstractCredentialVerificatorFactory;
import pl.edu.icm.unity.engine.api.authn.AbstractVerificator;
import pl.edu.icm.unity.engine.api.authn.AuthenticationException;
import pl.edu.icm.unity.engine.api.authn.AuthenticationResult;
import pl.edu.icm.unity.engine.api.authn.CredentialVerificator;
import pl.edu.icm.unity.engine.api.authn.InvocationContext;
import pl.edu.icm.unity.engine.api.authn.LocalAuthenticationResult;
import pl.edu.icm.unity.engine.api.authn.local.CredentialHelper;
import pl.edu.icm.unity.engine.api.authn.local.LocalCredentialVerificator;
import pl.edu.icm.unity.engine.api.authn.remote.AuthenticationTriggeringContext;
import pl.edu.icm.unity.engine.api.utils.PrototypeComponent;
import pl.edu.icm.unity.oauth.as.token.OAuthTokenEndpoint;
import pl.edu.icm.unity.oauth.as.token.access.OAuthAccessTokenRepository;
import pl.edu.icm.unity.oauth.rp.verificator.TokenStatus;
import pl.edu.icm.unity.stdext.credential.pass.PasswordVerificator;

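/**
 * "Mixed" local OAuth RP verificator: a locally issued OAuth bearer access token must be
 * valid AND the HTTP BASIC credential presented alongside it must authenticate the very
 * entity the token was issued to (the token's client id). Only when both hold is the
 * token's result returned and the invocation context switched to OAuth delegation with
 * the token's scopes. Any mismatch, missing client binding or processing error fails
 * closed with a failed {@link LocalAuthenticationResult}.
 * <p>
 * Configuration is a {@link Properties} text parsed into {@link LocalOAuthRPProperties};
 * the password check is delegated to a {@link LocalCredentialVerificator} built from the
 * configured local credential definition.
 */
@PrototypeComponent
/* loaded from: input_file:pl/edu/icm/unity/oauth/rp/local/AccessTokenAndPasswordVerificator.class */
public class AccessTokenAndPasswordVerificator extends AbstractVerificator implements AccessTokenAndPasswordExchange {
    private static final Logger log = Log.getLogger("unity.server.rest", AccessTokenAndPasswordVerificator.class);
    public static final String NAME = "local-oauth-rp";
    public static final String DESC = "Verifies local tokens";
    private final OAuthAccessTokenRepository tokensDAO;
    private final CredentialHelper credentialHelper;
    private final PasswordVerificator.Factory passwordVerificatorFactory;
    // The three fields below are populated by setSerializedConfiguration(); they are null
    // until a configuration has been applied.
    private LocalCredentialVerificator passwordVerificator;
    private LocalBearerTokenVerificator bearerTokenVerificator;
    private LocalOAuthRPProperties verificatorProperties;

    /**
     * Spring factory registering this verificator under {@link #NAME} / {@link #DESC}.
     */
    @Component
    /* loaded from: input_file:pl/edu/icm/unity/oauth/rp/local/AccessTokenAndPasswordVerificator$Factory.class */
    public static class Factory extends AbstractCredentialVerificatorFactory {
        @Autowired
        public Factory(ObjectFactory<AccessTokenAndPasswordVerificator> objectFactory) {
            super(AccessTokenAndPasswordVerificator.NAME, AccessTokenAndPasswordVerificator.DESC, objectFactory);
        }
    }

    /**
     * @param oAuthAccessTokenRepository repository used to look up locally issued access tokens
     * @param factory factory producing the password verificator that performs the BASIC check
     * @param credentialHelper used to resolve the configured local credential definition
     */
    @Autowired
    public AccessTokenAndPasswordVerificator(OAuthAccessTokenRepository oAuthAccessTokenRepository, PasswordVerificator.Factory factory, CredentialHelper credentialHelper) {
        super(NAME, DESC, AccessTokenAndPasswordExchange.ID);
        this.tokensDAO = oAuthAccessTokenRepository;
        this.passwordVerificatorFactory = factory;
        this.credentialHelper = credentialHelper;
    }

    /** @return {@code Mixed}: this verificator combines a remote-style token check with a local password check. */
    public CredentialVerificator.VerificatorType getType() {
        return CredentialVerificator.VerificatorType.Mixed;
    }

    /**
     * Serializes the current configuration back to {@link Properties} text.
     *
     * @return the configuration in {@link Properties#store} format
     * @throws InternalException if no configuration has been set yet, or if writing fails
     */
    public String getSerializedConfiguration() throws InternalException {
        if (this.verificatorProperties == null) {
            throw new InternalException("Can't serialize OAuth RP verificator configuration: configuration was not set");
        }
        StringWriter out = new StringWriter();
        try {
            // NOTE(review): OAuthTokenEndpoint.PATH is used as the Properties header comment here;
            // looks like a leftover rather than intentional - harmless, kept as is.
            this.verificatorProperties.getProperties().store(out, OAuthTokenEndpoint.PATH);
            return out.toString();
        } catch (IOException e) {
            throw new InternalException("Can't serialize OAuth RP verificator configuration", e);
        }
    }

    /**
     * Parses the configuration and (re)builds both delegate verificators.
     * Must be called before {@link #checkTokenAndPassword}.
     *
     * @param serializedConfiguration configuration in {@link Properties} text format
     * @throws InternalException if the text cannot be read or is not a valid configuration
     */
    public void setSerializedConfiguration(String serializedConfiguration) {
        try {
            Properties properties = new Properties();
            properties.load(new StringReader(serializedConfiguration));
            this.verificatorProperties = new LocalOAuthRPProperties(properties);
            this.bearerTokenVerificator = new LocalBearerTokenVerificator(this.tokensDAO, this.verificatorProperties);
            this.passwordVerificator = getLocalVerificator(this.verificatorProperties.getValue(LocalOAuthRPProperties.CREDENTIAL));
        } catch (ConfigurationException e) {
            throw new InternalException("Invalid configuration of the Local OAuth RP verificator", e);
        } catch (IOException e) {
            throw new InternalException("Invalid configuration of the Local OAuth RP verificator(?)", e2AsCause(e));
        }
    }

    /** Identity helper so both catch clauses above keep an explicit cause; returns its argument. */
    private static IOException e2AsCause(IOException e) {
        return e;
    }

    /**
     * Builds the delegate password verificator for the given local credential.
     * The delegate inherits this verificator's identity resolver and instance name.
     *
     * @param credentialName name of the local credential definition configured for the BASIC check
     * @throws InternalException if no credential definition with that name exists
     */
    private LocalCredentialVerificator getLocalVerificator(String credentialName) {
        LocalCredentialVerificator delegate = this.passwordVerificatorFactory.newInstance();
        // NOTE(review): identityResolver is inherited state; presumably set by the engine before
        // configuration is applied - confirm, otherwise the delegate gets a null resolver.
        delegate.setIdentityResolver(this.identityResolver);
        delegate.setInstanceName(NAME);
        CredentialDefinition definition = getCredentialDefinition(this.credentialHelper, credentialName)
                .orElseThrow(() -> new InternalException(
                        "Invalid configuration of the verificator, local credential " + credentialName + " is undefined"));
        delegate.setSerializedConfiguration(definition.getConfiguration());
        delegate.setCredentialName(credentialName);
        return delegate;
    }

    /**
     * Looks up a credential definition by name.
     *
     * @return the definition, or empty if none is registered under that name
     * @throws InternalException if the definitions cannot be read from the engine
     */
    public Optional<CredentialDefinition> getCredentialDefinition(CredentialHelper credentialHelper, String credentialName) {
        try {
            return Optional.ofNullable((CredentialDefinition) credentialHelper.getCredentialDefinitions().get(credentialName));
        } catch (EngineException e) {
            throw new InternalException("Can not get credential definitions", e);
        }
    }

    /**
     * Verifies the bearer token first, then the BASIC credential, and succeeds only if the
     * password-authenticated entity is the client the token was issued to.
     * <p>
     * On success the invocation context is marked as OAuth delegation carrying the token's
     * scopes, and the token's own result is returned. All failures (including exceptions from
     * either delegate) are converted to a failed result; the declared
     * {@link AuthenticationException} is therefore not propagated in practice.
     *
     * @param bearerAccessToken the presented OAuth access token
     * @param username BASIC username
     * @param password BASIC password
     */
    @Override // pl.edu.icm.unity.oauth.rp.local.AccessTokenAndPasswordExchange
    public AuthenticationResult checkTokenAndPassword(BearerAccessToken bearerAccessToken, String username, String password) throws AuthenticationException {
        try {
            AuthenticationResultWithTokenStatus tokenCheck = this.bearerTokenVerificator.checkToken(bearerAccessToken);
            if (!tokenCheck.result.getStatus().equals(AuthenticationResult.Status.success)) {
                log.debug("HTTP Bearer access token verification result: {}", tokenCheck.result.getStatus());
                return tokenCheck.result;
            }
            // A successful token result without a token or without a client id cannot be bound to
            // the BASIC-authenticated entity; refuse explicitly rather than letting Optional.get()
            // throw and be misreported below as an invalid BASIC credential.
            if (!tokenCheck.token.isPresent() || !tokenCheck.token.get().getClientId().isPresent()) {
                log.debug("HTTP Bearer access token is valid but carries no client id, refusing mixed authentication");
                return LocalAuthenticationResult.failed();
            }
            TokenStatus tokenStatus = tokenCheck.token.get();
            try {
                AuthenticationResult passwordCheck = checkPassword(username, password);
                if (!passwordCheck.getStatus().equals(AuthenticationResult.Status.success)) {
                    log.debug("HTTP BASIC credential verification result: {}", passwordCheck.getStatus());
                    return passwordCheck;
                }
                // Binding check: the token must have been issued to the entity that just proved
                // its password, otherwise a valid token could be paired with someone else's account.
                if (tokenStatus.getClientId().get().equals(passwordCheck.getSuccessResult().authenticatedEntity.getEntityId())) {
                    updateInvocationContext(tokenStatus);
                    return tokenCheck.result;
                }
                log.debug("Authenticated client {} is not matching the token's client entity {}", passwordCheck.getSuccessResult().authenticatedEntity.getEntityId(), tokenStatus.getClientId().get());
                return LocalAuthenticationResult.failed();
            } catch (Exception passwordError) {
                // Broad catch is deliberate: any failure of the BASIC check fails closed.
                log.debug("HTTP BASIC credential is invalid", passwordError);
                return LocalAuthenticationResult.failed(passwordError);
            }
        } catch (Exception tokenError) {
            log.debug("HTTP Bearer access token is invalid or its processing failed", tokenError);
            return LocalAuthenticationResult.failed(tokenError);
        }
    }

    /**
     * Marks the current invocation as OAuth delegation and records the token's scopes
     * so downstream authorization sees the delegated, scope-limited context.
     */
    private void updateInvocationContext(TokenStatus tokenStatus) {
        InvocationContext current = InvocationContext.getCurrent();
        current.setInvocationMaterial(InvocationContext.InvocationMaterial.OAUTH_DELEGATION);
        current.setScopes(tokenStatus.getScope().toStringList());
    }

    /** Delegates the BASIC check to the configured local password verificator (no MFA / triggering context). */
    private AuthenticationResult checkPassword(String username, String password) throws AuthenticationException {
        return this.passwordVerificator.checkPassword(username, password, (String) null, false, (AuthenticationTriggeringContext) null);
    }

    /** @return {@code UNKNOWN}; this mixed flow is not classified as a single authentication method. */
    public AuthenticationMethod getAuthenticationMethod() {
        return AuthenticationMethod.UNKNOWN;
    }
}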
