package io.camunda.operate.webapp.security.sso;

import com.auth0.client.auth.AuthAPI;
import com.auth0.exception.Auth0Exception;
import com.auth0.json.auth.TokenHolder;
import com.auth0.jwt.JWT;
import com.auth0.jwt.exceptions.JWTDecodeException;
import com.auth0.jwt.interfaces.Claim;
import com.fasterxml.jackson.annotation.JsonIgnore;
import io.camunda.identity.sdk.Identity;
import io.camunda.identity.sdk.authorizations.dto.Authorization;
import io.camunda.identity.sdk.impl.rest.exception.RestException;
import io.camunda.operate.property.Auth0Properties;
import io.camunda.operate.property.OperateProperties;
import io.camunda.operate.util.SpringContextHolder;
import io.camunda.operate.webapp.security.Permission;
import io.camunda.operate.webapp.security.identity.IdentityAuthorization;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.NoSuchBeanDefinitionException;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.InsufficientAuthenticationException;

/* loaded from: input_file:io/camunda/operate/webapp/security/sso/TokenAuthentication.class */
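/**
 * Spring Security {@link AbstractAuthenticationToken} that carries the Auth0 SSO tokens (ID,
 * access and refresh token) Operate obtained for a user.
 *
 * <p>The instance is marked authenticated when the organization claim of the ID token lists the
 * organization this deployment belongs to. Expiry is read from the ID token's {@code exp} claim;
 * an expired ID token is renewed transparently via the refresh token when one is present.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Every token inspection uses {@link JWT#decode(String)}, which only parses the token and
 *       does <b>not</b> verify its signature. The class therefore relies on its tokens having
 *       come straight from Auth0: the renewal in {@link #getNewTokenByRefreshToken()} does, and
 *       other callers of {@link #authenticate(String, String, String)} must as well — confirm at
 *       the call sites.</li>
 *   <li>The Auth0 client secret is held as a field so the tokens can be renewed later. Being an
 *       {@code Authentication}, this object is typically kept in the HTTP session, so the session
 *       store must be treated as holding a secret. Neither the secret nor the tokens are logged.</li>
 *   <li>The cached Identity authorizations are refreshed under a class-wide lock, but the cache
 *       fields are not {@code volatile}; a concurrent reader may observe a stale list, which is at
 *       worst re-fetched on its next call.</li>
 * </ul>
 */
public class TokenAuthentication extends AbstractAuthenticationToken {
    /** Key of the organization id inside one entry of the organization claim. */
    public static final String ORGANIZATION_ID = "id";
    /** Key of the role list inside one entry of the organization claim. */
    public static final String ROLES_KEY = "roles";
    private static final Logger LOGGER = LoggerFactory.getLogger(TokenAuthentication.class);

    /** Guards {@link #updateResourcePermissions()}; shared by all instances. */
    @JsonIgnore
    private static final Object RESOURCE_PERMISSIONS_LOCK = new Object();
    // Name of the ID-token claim that holds the user's organization memberships.
    private String claimName;
    // Organization id of this deployment; the user must be a member of it.
    private String organization;
    private String domain;
    private String clientId;
    // Secret of the Auth0 application; required for token renewal, never logged.
    private String clientSecret;
    private String idToken;
    private String refreshToken;
    private String accessToken;
    private String salesPlanType;
    private final List<Permission> permissions;

    // Resource-based permissions fetched from Identity; lazily (re)loaded, see getAuthorizations().
    @JsonIgnore
    private List<IdentityAuthorization> authorizations;
    // Time of the last successful fetch of the Identity authorizations.
    private Instant lastResourceBasedPermissionsUpdated;

    /**
     * Creates an unauthenticated token with no Auth0 configuration; all string fields stay null
     * until {@link #authenticate(String, String, String)} or the property-based constructor runs.
     */
    public TokenAuthentication() {
        super((Collection) null);
        this.permissions = new ArrayList();
        this.lastResourceBasedPermissionsUpdated = Instant.now();
    }

    /**
     * Creates an unauthenticated token bound to the given Auth0 application and organization.
     *
     * @param auth0Properties claim name, domain, client id and client secret of the Auth0 app
     * @param str organization id the user has to belong to
     */
    public TokenAuthentication(Auth0Properties auth0Properties, String str) {
        this();
        this.claimName = auth0Properties.getClaimName();
        this.organization = str;
        this.domain = auth0Properties.getDomain();
        this.clientId = auth0Properties.getClientId();
        this.clientSecret = auth0Properties.getClientSecret();
    }

    /**
     * Returns whether one entry of the organization claim refers to the configured organization.
     * Null-safe: an entry without an id, or a null id, never matches.
     */
    private boolean isIdEqualsOrganization(Map<String, String> map) {
        return this.organization != null && this.organization.equals(map.get(ORGANIZATION_ID));
    }

    /**
     * Reports the authentication state, renewing the tokens first when the ID token has expired
     * and a refresh token is available. Without a refresh token an expired ID token invalidates
     * the authentication.
     *
     * @throws InsufficientAuthenticationException if the renewed ID token no longer lists the
     *     organization (propagated from {@link #authenticate(String, String, String)})
     */
    @Override
    public boolean isAuthenticated() {
        if (hasExpired()) {
            LOGGER.info("Tokens are expired");
            if (this.refreshToken == null) {
                setAuthenticated(false);
                LOGGER.info("No refresh token available. Authentication is invalid.");
            } else {
                LOGGER.info("Get a new tokens by using refresh token");
                getNewTokenByRefreshToken();
            }
        }
        return super.isAuthenticated();
    }

    @Override
    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass() || !super.equals(obj)) {
            return false;
        }
        TokenAuthentication other = (TokenAuthentication) obj;
        // Objects.equals throughout: every field may still be null on an instance created by the
        // no-arg constructor, which previously made equals() throw a NullPointerException.
        return Objects.equals(this.claimName, other.claimName)
                && Objects.equals(this.organization, other.organization)
                && Objects.equals(this.domain, other.domain)
                && Objects.equals(this.clientId, other.clientId)
                && Objects.equals(this.clientSecret, other.clientSecret)
                && Objects.equals(this.idToken, other.idToken)
                && Objects.equals(this.refreshToken, other.refreshToken)
                && Objects.equals(this.salesPlanType, other.salesPlanType);
    }

    @Override
    public int hashCode() {
        return Objects.hash(Integer.valueOf(super.hashCode()), this.claimName, this.organization,
                this.domain, this.clientId, this.clientSecret, this.idToken, this.refreshToken,
                this.salesPlanType);
    }

    /** Returns the live, mutable permission list; additions through {@link #addPermission} show up here. */
    public List<Permission> getPermissions() {
        return this.permissions;
    }

    public void addPermission(Permission permission) {
        this.permissions.add(permission);
    }

    /**
     * Returns the resource-based authorizations from Identity, fetching them on first use and
     * again once {@link #needToUpdate()} reports the update period as elapsed. Returns null when
     * no Identity bean is registered and nothing was set via {@link #setAuthorizations(List)}.
     *
     * <p>The staleness check runs outside the lock, so two threads may both refresh; the second
     * fetch only repeats the first, it does not corrupt state.
     */
    public List<IdentityAuthorization> getAuthorizations() {
        if (getIdentity() != null && (this.authorizations == null || needToUpdate())) {
            synchronized (RESOURCE_PERMISSIONS_LOCK) {
                updateResourcePermissions();
            }
        }
        return this.authorizations;
    }

    public TokenAuthentication setAuthorizations(List<IdentityAuthorization> list) {
        this.authorizations = list;
        return this;
    }

    /**
     * Returns true once at least {@code resourcePermissionsUpdatePeriod} seconds have passed since
     * the authorizations were last fetched.
     */
    public boolean needToUpdate() {
        // elapsed - period is non-negative  <=>  elapsed >= period
        return !Duration.between(this.lastResourceBasedPermissionsUpdated, Instant.now())
                .minusSeconds(getOperateProperties().getIdentity().getResourcePermissionsUpdatePeriod())
                .isNegative();
    }

    /**
     * Replaces the cached authorizations with the ones Identity reports for the current access
     * token. Disabled resource permissions, a missing Identity bean or a failed Identity call all
     * leave an empty list behind; only a successful fetch advances the update timestamp, so a
     * failure is retried on the next {@link #getAuthorizations()} call.
     */
    private void updateResourcePermissions() {
        if (!getOperateProperties().getIdentity().isResourcePermissionsEnabled() || getIdentity() == null) {
            this.authorizations = new ArrayList();
            return;
        }
        try {
            List<IdentityAuthorization> createFrom = IdentityAuthorization.createFrom((List<Authorization>) getIdentity()
                    .authorizations()
                    .forToken(this.accessToken, getOperateProperties().getCloud().getOrganizationId()));
            LOGGER.debug("Authorizations updated: {}", createFrom);
            this.authorizations = createFrom;
            this.lastResourceBasedPermissionsUpdated = Instant.now();
        } catch (RestException e) {
            LOGGER.warn("Unable to retrieve resource base permissions from Identity. Error: {}", e.getMessage(), e);
            this.authorizations = new ArrayList();
        }
    }

    /**
     * Renews the tokens at Auth0 using the stored refresh token and re-runs the organization
     * check on the new ID token.
     *
     * @return the new access token, or null when Auth0 rejected the renewal (the authentication
     *     is then marked invalid)
     * @throws InsufficientAuthenticationException if the renewed ID token does not list the
     *     organization
     */
    public String getNewTokenByRefreshToken() {
        try {
            TokenHolder tokenHolder = (TokenHolder) getAuthAPI().renewAuth(this.refreshToken).execute();
            authenticate(tokenHolder.getIdToken(), tokenHolder.getRefreshToken(), tokenHolder.getAccessToken());
            LOGGER.info("New tokens received and validated.");
            return this.accessToken;
        } catch (Auth0Exception e) {
            // Log the exception itself, not only its cause: the cause may be null, which
            // previously dropped the stack trace of the failed renewal entirely.
            LOGGER.error(e.getMessage(), e);
            setAuthenticated(false);
            return null;
        }
    }

    /** Builds a fresh Auth0 client; the credentials are those of the configured application. */
    private AuthAPI getAuthAPI() {
        return new AuthAPI(this.domain, this.clientId, this.clientSecret);
    }

    /**
     * Returns whether the ID token is missing, carries no {@code exp} claim, or has expired.
     * Signature is not checked here (see class Javadoc).
     */
    public boolean hasExpired() {
        // No ID token at all: there is nothing that could still be valid.
        if (this.idToken == null) {
            return true;
        }
        Date expiresAt = JWT.decode(this.idToken).getExpiresAt();
        // A token without exp counts as expired rather than as never expiring.
        return expiresAt == null || expiresAt.before(new Date());
    }

    /** Returns the {@code exp} claim of the ID token, or null when the token has none. */
    public Date getExpiresAt() {
        return JWT.decode(this.idToken).getExpiresAt();
    }

    /**
     * The {@code getCredentials()} override (name as emitted by the decompiler, kept unchanged):
     * returns the raw ID token string. Callers must not log or expose the returned value.
     */
    /* renamed from: getCredentials, reason: merged with bridge method [inline-methods] */
    public String m85getCredentials() {
        return JWT.decode(this.idToken).getToken();
    }

    /** Returns the ID token's {@code sub} claim. */
    @Override
    public Object getPrincipal() {
        return JWT.decode(this.idToken).getSubject();
    }

    /**
     * Stores the given tokens and marks the authentication as valid if the ID token's
     * organization claim lists the configured organization.
     *
     * @param str the ID token (JWT)
     * @param str2 the refresh token; null keeps the previously stored one
     * @param str3 the access token
     * @throws InsufficientAuthenticationException if the organization claim does not list the
     *     configured organization
     */
    public void authenticate(String str, String str2, String str3) {
        this.idToken = str;
        this.accessToken = str3;
        if (str2 != null) {
            this.refreshToken = str2;
        }
        tryAuthenticateAsListOfMaps(JWT.decode(str).getClaim(this.claimName));
        // isAuthenticated() re-checks expiry and may itself trigger a renewal; if Auth0 ever
        // returned an already-expired ID token this would recurse (TODO confirm Auth0 never does).
        if (!isAuthenticated()) {
            throw new InsufficientAuthenticationException("No permission for Operate - check your organization id");
        }
    }

    /**
     * Interprets the organization claim as a list of maps and marks the authentication valid if
     * one entry's id equals the configured organization. A claim that cannot be read as such a
     * list (null or not decodable) leaves the authenticated flag untouched.
     */
    @SuppressWarnings({"rawtypes", "unchecked"})
    private void tryAuthenticateAsListOfMaps(Claim claim) {
        try {
            List asList = claim.asList(Map.class);
            if (asList != null) {
                setAuthenticated(asList.stream().anyMatch(this::isIdEqualsOrganization));
            }
        } catch (JWTDecodeException e) {
            LOGGER.debug("Read organization claim as list of maps failed.", e);
        }
    }

    /** Returns all claims of the ID token (parsed, not signature-verified). */
    public Map<String, Claim> getClaims() {
        return JWT.decode(this.idToken).getClaims();
    }

    /**
     * Returns the roles listed for the configured organization under the given claim, or an
     * empty list when the claim cannot be read or the organization is not present.
     *
     * @param str name of the claim holding the organization entries
     */
    public List<String> getRoles(String str) {
        try {
            return findRolesForOrganization(getClaims(), str, this.organization);
        } catch (Exception e) {
            LOGGER.error("Could not get roles. Return empty roles list.", e);
            return List.of();
        }
    }

    /**
     * Looks up the entry whose id equals {@code str2} in the list-of-maps claim {@code str} and
     * returns its role list. Any failure (missing claim, wrong shape) is logged and yields an
     * empty list; a matching entry without roles also yields an empty list instead of null.
     */
    @SuppressWarnings({"rawtypes", "unchecked"})
    private List<String> findRolesForOrganization(Map<String, Claim> map, String str, String str2) {
        try {
            List asList = map.get(str).asList(Map.class);
            if (asList != null) {
                Optional<Map> organizationEntry = ((List<Map>) asList).stream()
                        // null-safe on both sides; a missing id simply does not match
                        .filter(entry -> str2 != null && str2.equals(entry.get(ORGANIZATION_ID)))
                        .findFirst();
                if (organizationEntry.isPresent()) {
                    List roles = (List) organizationEntry.get().get(ROLES_KEY);
                    return roles == null ? List.of() : roles;
                }
            }
        } catch (Exception e) {
            LOGGER.error(String.format("Couldn't extract roles for organization '%s' in JWT claims. Return empty roles list.", str2), e);
        }
        return List.of();
    }

    public String getSalesPlanType() {
        return this.salesPlanType;
    }

    public void setSalesPlanType(String str) {
        this.salesPlanType = str;
    }

    public String getAccessToken() {
        return this.accessToken;
    }

    /** Returns the Identity bean, or null when none is registered in the Spring context. */
    private Identity getIdentity() {
        try {
            return (Identity) SpringContextHolder.getBean(Identity.class);
        } catch (NoSuchBeanDefinitionException e) {
            return null;
        }
    }

    private OperateProperties getOperateProperties() {
        return (OperateProperties) SpringContextHolder.getBean(OperateProperties.class);
    }
}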
