package io.camunda.operate.webapp.security.sso;

import com.auth0.AuthenticationController;
import com.auth0.IdentityVerificationException;
import com.auth0.Tokens;
import io.camunda.identity.sdk.Identity;
import io.camunda.operate.property.OperateProperties;
import io.camunda.operate.util.RetryOperation;
import io.camunda.operate.webapp.security.OperateURIs;
import io.camunda.operate.webapp.security.Permission;
import io.camunda.operate.webapp.security.sso.model.ClusterInfo;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.util.List;
import java.util.concurrent.TimeUnit;
import org.springframework.beans.factory.BeanFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Profile;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;
import org.springframework.web.client.RestTemplate;

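/* loaded from: input_file:io/camunda/operate/webapp/security/sso/Auth0Service.class */
/**
 * Auth0-backed single sign-on for the {@code sso-auth} profile.
 *
 * <p>Responsibilities visible in this class:
 * <ul>
 *   <li>build the Auth0 authorize URL ({@link #getAuthorizeUrl}) and the logout URL
 *       ({@link #getLogoutUrlFor});</li>
 *   <li>exchange the callback request for tokens ({@link #retrieveTokens}), with retries on
 *       {@link IdentityVerificationException};</li>
 *   <li>turn the tokens into an authenticated {@link TokenAuthentication} and check the
 *       organisation-level Operate permissions against the cloud permission endpoint
 *       ({@link #authenticate}).</li>
 * </ul>
 *
 * <p>All failures during {@link #authenticate} are surfaced as {@link Auth0ServiceException};
 * a user without read permission is rejected (fail closed), and write permission is only granted
 * when delete, create and update are all present.
 */
@Profile({"sso-auth"})
@Component
public class Auth0Service {
    /** Auth0 logout endpoint; arguments are domain, client id and the returnTo URL. */
    private static final String LOGOUT_URL_TEMPLATE = "https://%s/v2/logout?client_id=%s&returnTo=%s";
    /** Permission lookup: {@code <permissionUrl>/<organizationId>}. */
    private static final String PERMISSION_URL_TEMPLATE = "%s/%s";
    /** OIDC scopes requested on the authorize URL, joined with a single space. */
    private static final List<String> SCOPES = List.of("openid", "profile", "email", "offline_access");

    @Autowired
    private BeanFactory beanFactory;

    @Autowired
    private AuthenticationController authenticationController;

    @Value("${camunda.operate.auth0.domain}")
    private String domain;

    @Value("${camunda.operate.auth0.clientId}")
    private String clientId;

    @Autowired
    private OperateProperties operateProperties;

    // Optional: only present when the SaaS identity integration is configured.
    @Autowired(required = false)
    @Qualifier("saasIdentity")
    private Identity identity;

    @Autowired
    @Qualifier("auth0_restTemplate")
    private RestTemplate restTemplate;

    /**
     * Completes the Auth0 callback: retrieves the tokens for the request, authenticates a
     * {@link TokenAuthentication} with them and loads the user's Operate permissions.
     *
     * @param httpServletRequest  the callback request from Auth0
     * @param httpServletResponse the response associated with the callback
     * @return an authenticated {@link TokenAuthentication} carrying at least {@link Permission#READ}
     * @throws Auth0ServiceException if token retrieval, token validation or the permission check
     *                               fails for any reason (the cause is preserved)
     */
    public Authentication authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Auth0ServiceException {
        try {
            Tokens tokens = retrieveTokens(httpServletRequest, httpServletResponse);
            TokenAuthentication tokenAuthentication = new TokenAuthentication(
                    this.operateProperties.getAuth0(),
                    this.operateProperties.getCloud().getOrganizationId());
            tokenAuthentication.authenticate(tokens.getIdToken(), tokens.getRefreshToken(), tokens.getAccessToken());
            checkPermission(tokenAuthentication, tokens.getAccessToken());
            // Return value intentionally unused: the call is kept for its side effect of
            // populating the authorizations before the authentication object is handed out.
            tokenAuthentication.getAuthorizations();
            return tokenAuthentication;
        } catch (Exception e) {
            // Every failure mode (network, token validation, insufficient permission) is reported
            // through one exception type so the caller can treat login failures uniformly.
            throw new Auth0ServiceException(e);
        }
    }

    /**
     * Queries the cloud permission endpoint for the configured organisation and applies the
     * result to {@code tokenAuthentication}.
     *
     * <p>Any missing piece of the response (no body, no permissions, a {@code null} flag) is treated
     * as "not granted", so an incomplete response can never widen access.
     *
     * @param tokenAuthentication the authentication to enrich with sales plan and permissions
     * @param accessToken         bearer token sent to the permission endpoint
     * @throws InsufficientAuthenticationException if the response carries no Operate permissions or
     *                                             the user lacks read access
     */
    private void checkPermission(TokenAuthentication tokenAuthentication, String accessToken) {
        HttpHeaders headers = new HttpHeaders();
        headers.setBearerAuth(accessToken);
        String permissionUrl = String.format(PERMISSION_URL_TEMPLATE,
                this.operateProperties.getCloud().getPermissionUrl(),
                this.operateProperties.getCloud().getOrganizationId());
        ClusterInfo clusterInfo = this.restTemplate
                .exchange(permissionUrl, HttpMethod.GET, new HttpEntity<Void>(headers), ClusterInfo.class)
                .getBody();
        if (clusterInfo == null
                || clusterInfo.getPermissions() == null
                || clusterInfo.getPermissions().getCluster() == null
                || clusterInfo.getPermissions().getCluster().getOperate() == null) {
            throw new InsufficientAuthenticationException("No Operate permissions returned for user");
        }
        if (clusterInfo.getSalesPlan() != null) {
            tokenAuthentication.setSalesPlanType(clusterInfo.getSalesPlan().getType());
        }
        ClusterInfo.Permission operate = clusterInfo.getPermissions().getCluster().getOperate();
        // Boolean.TRUE.equals(...) treats a null flag as denied instead of throwing on unboxing.
        if (!Boolean.TRUE.equals(operate.getRead())) {
            throw new InsufficientAuthenticationException("User doesn't have read access");
        }
        tokenAuthentication.addPermission(Permission.READ);
        boolean fullWriteAccess = Boolean.TRUE.equals(operate.getDelete())
                && Boolean.TRUE.equals(operate.getCreate())
                && Boolean.TRUE.equals(operate.getUpdate());
        if (fullWriteAccess) {
            tokenAuthentication.addPermission(Permission.WRITE);
        }
    }

    /**
     * Builds the Auth0 authorize URL for the given request, using the SSO callback URI (with the
     * context path passed as {@code uuid}, see {@link #getRedirectURI(HttpServletRequest, String, boolean)}),
     * the configured permission audience and the {@link #SCOPES}.
     *
     * @param httpServletRequest  the incoming login request
     * @param httpServletResponse the response (used by the controller to store transaction state)
     * @return the absolute URL the browser should be redirected to
     */
    public String getAuthorizeUrl(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String callbackUri = getRedirectURI(httpServletRequest, OperateURIs.SSO_CALLBACK_URI, true);
        return this.authenticationController
                .buildAuthorizeUrl(httpServletRequest, httpServletResponse, callbackUri)
                .withAudience(this.operateProperties.getCloud().getPermissionAudience())
                .withScope(String.join(" ", SCOPES))
                .build();
    }

    /**
     * Builds the Auth0 logout URL that sends the browser back to {@code returnTo} afterwards.
     *
     * <p>{@code returnTo} is inserted into the query string as given, without URL encoding; callers
     * are expected to pass an already encoded URL that is registered as an allowed logout URL.
     *
     * @param returnTo the URL Auth0 should redirect to after logout
     * @return the logout URL
     */
    public String getLogoutUrlFor(String returnTo) {
        return String.format(LOGOUT_URL_TEMPLATE, this.domain, this.clientId, returnTo);
    }

    /**
     * Exchanges the callback request for Auth0 {@link Tokens}.
     *
     * <p>The token exchange is retried up to 10 times with a 500 ms delay when the controller throws
     * {@link IdentityVerificationException}; any other exception propagates immediately.
     *
     * @param httpServletRequest  the callback request
     * @param httpServletResponse the associated response
     * @return the retrieved tokens
     * @throws Exception if the exchange keeps failing or fails with a non-retried exception
     */
    public Tokens retrieveTokens(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        return (Tokens) RetryOperation.newBuilder()
                .noOfRetry(10)
                .delayInterval(500, TimeUnit.MILLISECONDS)
                .retryOn(new Class[]{IdentityVerificationException.class})
                .retryConsumer(() -> this.authenticationController.handle(httpServletRequest, httpServletResponse))
                .message("Auth0Service#retrieveTokens")
                .build()
                .retry();
    }

    /**
     * Builds {@code <origin><contextPath><path>} for the given request.
     *
     * @param httpServletRequest the request whose scheme, server name, port and context path are used
     * @param path               the path to append
     * @return the absolute redirect URI
     * @see #getRedirectURI(HttpServletRequest, String, boolean)
     */
    public String getRedirectURI(HttpServletRequest httpServletRequest, String path) {
        return getRedirectURI(httpServletRequest, path, false);
    }

    /**
     * Builds an absolute redirect URI from the request origin.
     *
     * <p>The origin is {@code scheme://serverName}, plus {@code :port} unless the port is the
     * default for {@code http} (80) or {@code https} (443). With {@code contextPathAsUuid} set, the
     * result is {@code <origin><path>?uuid=<contextPath without slashes>}; otherwise it is
     * {@code <origin><contextPath><path>}.
     *
     * <p>NOTE(review): scheme, server name and port come from the servlet container's view of the
     * request, which in many deployments is derived from the Host / forwarded headers. The value is
     * used as an OAuth redirect URI, so it relies on the identity provider's allowed-callback list to
     * reject anything that does not match a registered origin — confirm that list is configured.
     *
     * @param httpServletRequest the request whose origin and context path are used
     * @param path               the path to append to the origin
     * @param contextPathAsUuid  whether to pass the context path as a {@code uuid} query parameter
     *                           instead of prefixing it to {@code path}
     * @return the absolute redirect URI
     */
    public String getRedirectURI(HttpServletRequest httpServletRequest, String path, boolean contextPathAsUuid) {
        String scheme = httpServletRequest.getScheme();
        int port = httpServletRequest.getServerPort();
        StringBuilder origin = new StringBuilder()
                .append(scheme)
                .append("://")
                .append(httpServletRequest.getServerName());
        boolean nonDefaultPort = ("http".equals(scheme) && port != 80)
                || ("https".equals(scheme) && port != 443);
        if (nonDefaultPort) {
            origin.append(':').append(port);
        }
        String contextPath = httpServletRequest.getContextPath();
        if (contextPathAsUuid) {
            return origin + path + "?uuid=" + contextPath.replace("/", "");
        }
        return origin + contextPath + path;
    }
}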
