package io.camunda.operate.webapp.security.identity;

import com.fasterxml.jackson.annotation.JsonIgnore;
import io.camunda.identity.sdk.Identity;
import io.camunda.identity.sdk.authentication.AccessToken;
import io.camunda.identity.sdk.authentication.Tokens;
import io.camunda.identity.sdk.authentication.UserDetails;
import io.camunda.identity.sdk.authentication.exception.TokenDecodeException;
import io.camunda.identity.sdk.authorizations.dto.Authorization;
import io.camunda.identity.sdk.impl.rest.exception.RestException;
import io.camunda.operate.property.OperateProperties;
import io.camunda.operate.util.SpringContextHolder;
import io.camunda.operate.webapp.security.Permission;
import io.camunda.operate.webapp.security.SessionRepository;
import io.camunda.operate.webapp.security.tenant.OperateTenant;
import io.camunda.operate.webapp.security.tenant.TenantAwareAuthentication;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.List;
import java.util.Objects;
import java.util.stream.Stream;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

/* loaded from: input_file:io/camunda/operate/webapp/security/identity/IdentityAuthentication.class */
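/**
 * Spring Security authentication token backed by a Camunda Identity token pair.
 *
 * <p>The instance keeps the {@link Tokens}, the user's id and display name, the permission
 * strings taken from the verified access token, and lazily loaded resource authorizations and
 * tenants. Collaborating beans ({@link Identity}, {@link OperateProperties}, ...) are looked up
 * through {@link SpringContextHolder} on every use instead of being stored in fields.
 *
 * <p>Security notes:
 * <ul>
 *   <li>The object is {@link Serializable} and carries the access and refresh token. Only
 *       {@code authorizations} is marked {@link JsonIgnore}. NOTE(review): confirm that every
 *       place a serialized instance is stored is trusted to hold bearer credentials.</li>
 *   <li>Token values must never be written to logs; only expiry times and error messages are
 *       logged here.</li>
 *   <li>{@code authorizations} and {@code tenants} are initialised with double-checked locking
 *       but are not {@code volatile}, and {@link #authenticate(Tokens)} writes them without
 *       holding the lock. NOTE(review): confirm the intended thread-safety guarantees.</li>
 * </ul>
 */
public class IdentityAuthentication extends AbstractAuthenticationToken implements Serializable, TenantAwareAuthentication {
    private static final long serialVersionUID = 1;
    private static final Logger LOGGER = LoggerFactory.getLogger(IdentityAuthentication.class);
    private Tokens tokens;
    private String id;
    private String name;
    private List<String> permissions;

    @JsonIgnore
    private List<IdentityAuthorization> authorizations;
    private String subject;
    private Date expires;
    private Date refreshTokenExpiresAt;
    private List<OperateTenant> tenants;

    /** Creates an unauthenticated token with no authorities and no Identity tokens attached. */
    public IdentityAuthentication() {
        super((Collection) null);
    }

    /**
     * Returns the raw access token as the credential of this authentication.
     *
     * @return the access token string; callers must treat it as a secret
     */
    /* renamed from: getCredentials, reason: merged with bridge method [inline-methods] */
    public String m74getCredentials() {
        return this.tokens.getAccessToken();
    }

    /**
     * Returns the subject of the verified access token.
     *
     * @return the token subject, or {@code null} before {@link #authenticate(Tokens)} has run
     */
    @Override
    public Object getPrincipal() {
        return this.subject;
    }

    /**
     * Returns the token pair held by this authentication.
     *
     * @return the access/refresh token pair; the values are bearer credentials
     */
    public Tokens getTokens() {
        return this.tokens;
    }

    /** Treats a missing expiry as expired, so an uninitialised instance is never considered valid. */
    private boolean hasExpired() {
        return this.expires == null || this.expires.before(new Date());
    }

    /**
     * Reports whether the refresh token can no longer be used.
     *
     * <p>A missing expiry counts as expired. The expiry is left unset when the authenticating
     * request carried the polling header or when the refresh token could not be decoded.
     */
    private boolean hasRefreshTokenExpired() {
        LOGGER.info("Refresh token will expire at {}", this.refreshTokenExpiresAt);
        return this.refreshTokenExpiresAt == null || this.refreshTokenExpiresAt.before(new Date());
    }

    /**
     * Returns the display name resolved during authentication.
     *
     * @return the user's name, falling back to the username, then to the empty string
     */
    @Override
    public String getName() {
        return this.name;
    }

    /**
     * Checks whether this authentication is still valid, renewing the access token if needed.
     *
     * <p>When the access token has expired and the refresh token has expired too, the
     * authentication is invalidated and the refresh token is revoked at Identity. When only the
     * access token has expired, a renewal through the refresh token is attempted; a failed
     * renewal invalidates the authentication.
     *
     * @return {@code true} only if the (possibly renewed) authentication is valid
     */
    @Override
    public boolean isAuthenticated() {
        if (hasExpired()) {
            LOGGER.info("Access token is expired");
            if (hasRefreshTokenExpired()) {
                LOGGER.info("No refresh token available. Authentication is invalid.");
                setAuthenticated(false);
                // An instance that was never authenticated has no tokens; there is nothing to
                // revoke and the check must answer "not authenticated" instead of throwing.
                if (this.tokens != null) {
                    getIdentity().authentication().revokeToken(this.tokens.getRefreshToken());
                }
                return false;
            }
            LOGGER.info("Get a new access token by using refresh token");
            try {
                renewAccessToken();
            } catch (Exception e) {
                // Fail closed: any renewal problem leaves the session unauthenticated.
                LOGGER.error("Renewing access token failed with exception", e);
                setAuthenticated(false);
            }
        }
        return super.isAuthenticated();
    }

    @Override
    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass() || !super.equals(obj)) {
            return false;
        }
        IdentityAuthentication other = (IdentityAuthentication) obj;
        return Objects.equals(this.tokens, other.tokens)
                && Objects.equals(this.id, other.id)
                && Objects.equals(this.name, other.name)
                && Objects.equals(this.permissions, other.permissions)
                && Objects.equals(this.authorizations, other.authorizations)
                && Objects.equals(this.subject, other.subject)
                && Objects.equals(this.expires, other.expires)
                && Objects.equals(this.refreshTokenExpiresAt, other.refreshTokenExpiresAt)
                && Objects.equals(this.tenants, other.tenants);
    }

    @Override
    public int hashCode() {
        return Objects.hash(
                super.hashCode(),
                this.tokens,
                this.id,
                this.name,
                this.permissions,
                this.authorizations,
                this.subject,
                this.expires,
                this.refreshTokenExpiresAt,
                this.tenants);
    }

    /**
     * Returns the user id taken from the verified access token.
     *
     * @return the user id, or {@code null} before authentication
     */
    public String getId() {
        return this.id;
    }

    /**
     * Converts the stored permission strings into {@link Permission} values.
     *
     * @return the converted permissions; an empty list when no permission strings are stored, so
     *     that permission checks deny access instead of failing with a null dereference
     */
    public List<Permission> getPermissions() {
        PermissionConverter converter = getPermissionConverter();
        if (this.permissions == null) {
            return List.of();
        }
        return this.permissions.stream().map(converter::convert).toList();
    }

    /**
     * Replaces the stored permission strings.
     *
     * @param list the permission strings to store
     * @return this instance, for chaining
     */
    public IdentityAuthentication setPermissions(List<String> list) {
        this.permissions = list;
        return this;
    }

    /**
     * Returns the resource authorizations, loading them from Identity on first access.
     *
     * @return the authorizations; stays {@code null} while resource permissions are disabled in
     *     the Operate properties, because the loader assigns nothing in that case
     */
    public List<IdentityAuthorization> getAuthorizations() {
        if (this.authorizations == null) {
            synchronized (this) {
                if (this.authorizations == null) {
                    retrieveResourcePermissions();
                }
            }
        }
        return this.authorizations;
    }

    /**
     * Returns the tenants of the user, loading them from Identity on first access.
     *
     * @return the tenants; stays {@code null} while multi-tenancy is disabled in the Operate
     *     properties, because the loader assigns nothing in that case
     */
    @Override // io.camunda.operate.webapp.security.tenant.TenantAwareAuthentication
    public List<OperateTenant> getTenants() {
        if (this.tenants == null) {
            synchronized (this) {
                if (this.tenants == null) {
                    retrieveTenants();
                }
            }
        }
        return this.tenants;
    }

    /**
     * Loads the resource authorizations for the current access token when the feature is enabled.
     * A REST failure is logged and results in an empty list, i.e. no resource authorizations.
     */
    private void retrieveResourcePermissions() {
        if (getOperateProperties().getIdentity().isResourcePermissionsEnabled()) {
            try {
                this.authorizations = IdentityAuthorization.createFrom((List<Authorization>) getIdentity().authorizations().forToken(this.tokens.getAccessToken()));
            } catch (RestException e) {
                LOGGER.warn("Unable to retrieve resource base permissions from Identity. Error: {}", e.getMessage(), e);
                this.authorizations = new ArrayList<>();
            }
        }
    }

    /**
     * Loads the tenants for the current access token when multi-tenancy is enabled. A missing
     * answer or a REST failure results in an empty list, i.e. access to no tenant.
     */
    private void retrieveTenants() {
        if (getOperateProperties().getMultiTenancy().isEnabled()) {
            try {
                // 'var' keeps the element type of the SDK result so the lambda below is typed.
                var identityTenants = getIdentity().tenants().forToken(this.tokens.getAccessToken());
                if (identityTenants != null) {
                    this.tenants = identityTenants.stream()
                            .map(tenant -> new OperateTenant(tenant.getTenantId(), tenant.getName()))
                            .toList();
                } else {
                    this.tenants = new ArrayList<>();
                }
            } catch (RestException e) {
                LOGGER.warn("Unable to retrieve tenants from Identity. Error: {}", e.getMessage(), e);
                this.tenants = new ArrayList<>();
            }
        }
    }

    /**
     * Verifies the access token at Identity and populates this authentication from it.
     *
     * <p>The user must hold {@link Permission#READ}; otherwise authentication is rejected. The
     * refresh token expiry is decoded unless the current request is a polling request. If the
     * refresh token cannot be decoded, a previously stored expiry is left unchanged.
     *
     * @param tokens the new token pair; when {@code null} the tokens already stored are verified
     * @throws InsufficientAuthenticationException if the user has no read permission
     */
    public void authenticate(Tokens tokens) {
        if (tokens != null) {
            this.tokens = tokens;
        }
        AccessToken verifiedToken = getIdentity().authentication().verifyToken(this.tokens.getAccessToken());
        UserDetails userDetails = verifiedToken.getUserDetails();
        this.id = userDetails.getId();
        retrieveName(userDetails);
        this.permissions = verifiedToken.getPermissions();
        retrieveResourcePermissions();
        if (!getPermissions().contains(Permission.READ)) {
            throw new InsufficientAuthenticationException("No read permissions");
        }
        retrieveTenants();
        this.subject = verifiedToken.getToken().getSubject();
        this.expires = verifiedToken.getToken().getExpiresAt();
        LOGGER.info("Access token will expire at {}", this.expires);
        if (!isPolling()) {
            try {
                this.refreshTokenExpiresAt = getIdentity().authentication().decodeJWT(this.tokens.getRefreshToken()).getExpiresAt();
            } catch (TokenDecodeException e) {
                // The refresh token is a long-lived bearer credential: log the failure reason
                // only, never the token value itself.
                LOGGER.error("Unable to decode refresh token with exception: {}", e.getMessage());
            }
        }
        setAuthenticated(!hasExpired());
    }

    /**
     * Reports whether the current servlet request carries a truthy polling header.
     *
     * @return {@code false} when no servlet request is bound to the current thread
     */
    private boolean isPolling() {
        if (RequestContextHolder.getRequestAttributes() instanceof ServletRequestAttributes servletAttributes) {
            return Boolean.parseBoolean(servletAttributes.getRequest().getHeader(SessionRepository.POLLING_HEADER));
        }
        return false;
    }

    /** Picks the display name: the user's name, else the username, else the empty string. */
    private void retrieveName(UserDetails userDetails) {
        this.name = userDetails.getName().orElse(userDetails.getUsername().orElse(""));
    }

    /** Obtains a fresh token pair with the stored refresh token and re-runs authentication. */
    private void renewAccessToken() throws Exception {
        authenticate(renewTokens(this.tokens.getRefreshToken()));
    }

    /**
     * Requests a new token pair from Identity through the retry service.
     *
     * @param str the refresh token to exchange
     * @return the renewed token pair
     * @throws Exception if the retry service gives up or the request fails
     */
    private Tokens renewTokens(String str) throws Exception {
        return (Tokens) getIdentityRetryService().requestWithRetry(
                () -> getIdentity().authentication().renewToken(str),
                "IdentityAuthentication#renewTokens");
    }

    /**
     * Overrides the access token expiry.
     *
     * @param date the new expiry; {@code null} makes the access token count as expired
     * @return this instance, for chaining
     */
    public IdentityAuthentication setExpires(Date date) {
        this.expires = date;
        return this;
    }

    private Identity getIdentity() {
        return (Identity) SpringContextHolder.getBean(Identity.class);
    }

    private OperateProperties getOperateProperties() {
        return (OperateProperties) SpringContextHolder.getBean(OperateProperties.class);
    }

    private IdentityRetryService getIdentityRetryService() {
        return (IdentityRetryService) SpringContextHolder.getBean(IdentityRetryService.class);
    }

    private PermissionConverter getPermissionConverter() {
        return (PermissionConverter) SpringContextHolder.getBean(PermissionConverter.class);
    }
}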
