package io.camunda.operate.webapp.security.sso;

import com.auth0.IdentityVerificationException;
import io.camunda.operate.webapp.security.OperateURIs;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Profile;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

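/**
 * Spring MVC controller for the Auth0-based SSO flow: starts the login redirect, receives the
 * Auth0 callback, and handles logout and the "no permission" page.
 *
 * <p>Active only under the {@code sso-auth} profile. Token exchange and URL construction are
 * delegated to {@link Auth0Service}; this class only manages the Spring security context and the
 * HTTP session around those calls.
 */
@Profile({"sso-auth"})
@Controller
public class SSOController {

    @Autowired
    private Auth0Service auth0Service;
    protected final Logger logger = LoggerFactory.getLogger(getClass());
    private final SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder.getContextHolderStrategy();
    // Persists the authenticated context into the HTTP session so later requests are recognised.
    private final SecurityContextRepository securityContextRepository = new HttpSessionSecurityContextRepository();

    /**
     * Starts the login flow by redirecting the browser to the Auth0 authorize URL.
     *
     * @param httpServletRequest current request
     * @param httpServletResponse current response
     * @return a Spring MVC redirect view name pointing at the Auth0 authorize URL
     */
    @RequestMapping(value = {OperateURIs.LOGIN_RESOURCE}, method = {RequestMethod.GET, RequestMethod.POST})
    public String login(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String authorizeUrl = this.auth0Service.getAuthorizeUrl(httpServletRequest, httpServletResponse);
        this.logger.debug("Redirect Login to {}", authorizeUrl);
        return "redirect:" + authorizeUrl;
    }

    /**
     * Callback endpoint that Auth0 redirects to after login.
     *
     * <p>On success the resulting {@link Authentication} is placed in a fresh security context,
     * saved to the session, and the user is sent to the page requested before login. Failures are
     * mapped to a logout or to the "no permission" page.
     *
     * @param httpServletRequest current request (carries the Auth0 callback parameters)
     * @param httpServletResponse current response
     * @throws IOException if a redirect cannot be written
     */
    @GetMapping({OperateURIs.SSO_CALLBACK_URI})
    public void loggedInCallback(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        // Only the request path is logged. The callback query string typically carries the
        // single-use authorization code and the anti-CSRF state, and the session id is a
        // credential; none of these belong in log output, even at debug level.
        this.logger.debug("Called back by auth0 at {}", httpServletRequest.getRequestURI());
        try {
            Authentication authentication = this.auth0Service.authenticate(httpServletRequest, httpServletResponse);
            SecurityContext context = this.securityContextHolderStrategy.createEmptyContext();
            context.setAuthentication(authentication);
            this.securityContextHolderStrategy.setContext(context);
            // Explicit save so the context outlives this request (the repository stores it in the HTTP session).
            this.securityContextRepository.saveContext(context, httpServletRequest, httpServletResponse);
            sessionExpiresWhenAuthenticationExpires(httpServletRequest);
            redirectToPage(httpServletRequest, httpServletResponse);
        } catch (InsufficientAuthenticationException e) {
            clearContextAndRedirectToNoPermission(httpServletRequest, httpServletResponse, e);
        } catch (Auth0ServiceException e) {
            handleAuth0Exception(e, httpServletRequest, httpServletResponse);
        }
    }

    /**
     * Maps a failed Auth0 exchange to the appropriate user-facing outcome based on its cause.
     *
     * <p>Branch order matters: {@link InsufficientAuthenticationException} is itself an
     * {@link AuthenticationException}, so it must be tested before the generic branch. A missing
     * cause ({@code null}) matches no {@code instanceof} test and falls through to a plain logout.
     *
     * @param auth0ServiceException the failure reported by {@link Auth0Service}
     * @param httpServletRequest current request
     * @param httpServletResponse current response
     * @throws IOException if a redirect cannot be written
     */
    private void handleAuth0Exception(Auth0ServiceException auth0ServiceException, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        this.logger.error("Error in authentication callback: ", auth0ServiceException);
        Throwable cause = auth0ServiceException.getCause();
        if (cause instanceof InsufficientAuthenticationException) {
            // Authenticated at Auth0 but without permissions for Operate: end the Auth0 session as well.
            logoutAndRedirectToNoPermissionPage(httpServletRequest, httpServletResponse);
        } else if (cause instanceof IdentityVerificationException || cause instanceof AuthenticationException) {
            // Identity could not be established: drop local state only and show the no-permission page.
            clearContextAndRedirectToNoPermission(httpServletRequest, httpServletResponse, cause);
        } else {
            // Unknown failure (including a missing cause): full logout.
            logout(httpServletRequest, httpServletResponse);
        }
    }

    /**
     * Sends the user to the page requested before login, or to the application root otherwise.
     *
     * <p>NOTE(review): {@code REQUESTED_URL} is read from the session and appended to the context
     * path without validation; where it is stored is outside this file. Confirm that the producer
     * only stores a site-relative path, because with an empty context path a protocol-relative
     * value (leading {@code //}) would redirect off-site.
     *
     * @param httpServletRequest current request
     * @param httpServletResponse current response
     * @throws IOException if the redirect cannot be written
     */
    private void redirectToPage(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        Object requestedUrl = httpServletRequest.getSession().getAttribute(OperateURIs.REQUESTED_URL);
        String target = requestedUrl != null ? String.valueOf(requestedUrl) : "/operate";
        httpServletResponse.sendRedirect(httpServletRequest.getContextPath() + target);
    }

    /**
     * Plain-text page shown when the user is authenticated but has no permission for Operate.
     *
     * @return the static explanation text
     */
    @RequestMapping({OperateURIs.NO_PERMISSION})
    @ResponseBody
    public String noPermissions() {
        return "No permission for Operate - Please check your operate configuration or cloud configuration.";
    }

    /**
     * Ends the local session and security context, then redirects to Auth0's logout endpoint,
     * which in turn returns the browser to the application root.
     *
     * @param httpServletRequest current request
     * @param httpServletResponse current response
     * @throws IOException if the redirect cannot be written
     */
    @RequestMapping({OperateURIs.LOGOUT_RESOURCE})
    public void logout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        this.logger.debug("logout user");
        cleanup(httpServletRequest);
        logoutFromAuth0(httpServletResponse, this.auth0Service.getRedirectURI(httpServletRequest, OperateURIs.ROOT));
    }

    /**
     * Drops local session state and sends the user to the "no permission" page without touching
     * the Auth0 session.
     *
     * @param httpServletRequest current request
     * @param httpServletResponse current response
     * @param th the failure that triggered this outcome; logged at error level
     * @throws IOException if the redirect cannot be written
     */
    protected void clearContextAndRedirectToNoPermission(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Throwable th) throws IOException {
        this.logger.error("Error in authentication callback: ", th);
        cleanup(httpServletRequest);
        httpServletResponse.sendRedirect(this.auth0Service.getRedirectURI(httpServletRequest, OperateURIs.NO_PERMISSION));
    }

    /**
     * Drops local session state and logs the user out of Auth0, landing on the "no permission"
     * page afterwards.
     *
     * @param httpServletRequest current request
     * @param httpServletResponse current response
     * @throws IOException if the redirect cannot be written
     */
    protected void logoutAndRedirectToNoPermissionPage(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        this.logger.warn("User is authenticated but there are no permissions.");
        cleanup(httpServletRequest);
        logoutFromAuth0(httpServletResponse, this.auth0Service.getRedirectURI(httpServletRequest, OperateURIs.NO_PERMISSION));
    }

    /**
     * Invalidates the HTTP session (if one exists) and clears the thread-bound security context.
     *
     * @param httpServletRequest current request
     */
    protected void cleanup(HttpServletRequest httpServletRequest) {
        // getSession(false): do not create a session merely to invalidate it.
        var session = httpServletRequest.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        SecurityContext context = this.securityContextHolderStrategy.getContext();
        if (context != null) {
            context.setAuthentication((Authentication) null);
            this.securityContextHolderStrategy.clearContext();
        }
    }

    /**
     * Redirects to Auth0's logout URL, asking Auth0 to return the browser to {@code str} afterwards.
     *
     * @param httpServletResponse current response
     * @param str the absolute return URL to hand to Auth0
     * @throws IOException if the redirect cannot be written
     */
    protected void logoutFromAuth0(HttpServletResponse httpServletResponse, String str) throws IOException {
        httpServletResponse.sendRedirect(this.auth0Service.getLogoutUrlFor(str));
    }

    /**
     * Disables the servlet container's inactivity timeout for the current session.
     *
     * <p>{@code setMaxInactiveInterval(-1)} means the session never expires through inactivity.
     * The method name suggests that expiry is instead driven by the Auth0 token lifetime, which is
     * not handled in this class. NOTE(review): confirm that such an expiry check exists elsewhere;
     * otherwise a session only ends on explicit logout.
     *
     * @param httpServletRequest current request
     */
    private void sessionExpiresWhenAuthenticationExpires(HttpServletRequest httpServletRequest) {
        httpServletRequest.getSession().setMaxInactiveInterval(-1);
    }
}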
