package io.camunda.operate.webapp.security.identity;

import io.camunda.identity.sdk.authentication.dto.AuthCodeDto;
import io.camunda.operate.webapp.security.OperateURIs;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import java.io.IOException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Profile;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;

@Profile({"identity-auth"})
@Controller
/* loaded from: input_file:io/camunda/operate/webapp/security/identity/IdentityController.class */
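/*
 * Spring MVC endpoints for the Identity-based login flow: starting the
 * authorization redirect, receiving the provider callback, serving the
 * "no permission" page and logging out.
 *
 * The authenticated SecurityContext is persisted through an
 * HttpSessionSecurityContextRepository, i.e. it lives in the HTTP session.
 * Only active under the profile declared on the class annotations above.
 */
public class IdentityController {
    private final IdentityService identityService;
    protected final Logger logger = LoggerFactory.getLogger(getClass());
    // Stores the SecurityContext in the HTTP session between requests.
    private final SecurityContextRepository securityContextRepository = new HttpSessionSecurityContextRepository();
    private final SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder.getContextHolderStrategy();

    /**
     * @param identityService builds the provider redirect URL and exchanges the
     *     callback parameters for an {@link IdentityAuthentication}
     */
    @Autowired
    public IdentityController(IdentityService identityService) {
        this.identityService = identityService;
    }

    /**
     * Starts the login flow by redirecting the browser to the URL produced by
     * {@link IdentityService#getRedirectUrl(HttpServletRequest)}.
     *
     * @param httpServletRequest the incoming login request
     * @return a Spring MVC {@code redirect:} view name pointing at the identity provider
     */
    @RequestMapping(value = {OperateURIs.LOGIN_RESOURCE}, method = {RequestMethod.GET, RequestMethod.POST})
    public String login(HttpServletRequest httpServletRequest) {
        String redirectUrl = this.identityService.getRedirectUrl(httpServletRequest);
        this.logger.debug("Redirect Login to {}", redirectUrl);
        return "redirect:" + redirectUrl;
    }

    /**
     * Callback endpoint hit by the identity provider once the user has authenticated.
     *
     * <p>The {@code code}/{@code state}/{@code error} parameters are wrapped in an
     * {@link AuthCodeDto} and exchanged for an {@link IdentityAuthentication}, which is
     * placed in a fresh {@link SecurityContext}, published through the holder strategy
     * and saved to the session repository before the user is redirected to the
     * requested page. Any exception during that exchange clears the session and
     * redirects to the "no permission" page.
     *
     * <p>Only the request URI, whether a code was supplied and the provider's
     * {@code error} value are logged. The authorization code, the raw query string
     * (which contains it) and the session id are credentials and are deliberately
     * kept out of the log.
     *
     * @param httpServletRequest the callback request
     * @param httpServletResponse the response used for the final redirect
     * @param str the {@code code} query parameter (authorization code); may be null
     * @param str2 the {@code state} query parameter; may be null
     * @param str3 the {@code error} query parameter reported by the provider; may be null
     * @throws IOException if sending the redirect fails
     */
    @GetMapping({OperateURIs.IDENTITY_CALLBACK_URI})
    public void loggedInCallback(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, @RequestParam(required = false, name = "code") String str, @RequestParam(required = false, name = "state") String str2, @RequestParam(required = false, name = "error") String str3) throws IOException {
        AuthCodeDto authCodeDto = new AuthCodeDto(str, str2, str3);
        this.logger.debug("Called back by identity at {}, code present: {}, error: {}",
                httpServletRequest.getRequestURI(), str != null, str3);
        try {
            IdentityAuthentication authentication = this.identityService.getAuthenticationFor(httpServletRequest, authCodeDto);
            SecurityContext context = this.securityContextHolderStrategy.createEmptyContext();
            context.setAuthentication(authentication);
            this.securityContextHolderStrategy.setContext(context);
            this.securityContextRepository.saveContext(context, httpServletRequest, httpServletResponse);
            redirectToPage(httpServletRequest, httpServletResponse);
        } catch (Exception e) {
            // Boundary catch: a failed exchange must not leave a partially built
            // context or session behind, so everything is cleared before redirecting.
            clearContextAndRedirectToNoPermission(httpServletRequest, httpServletResponse, e);
        }
    }

    /**
     * Redirects to the page the user originally asked for (session attribute
     * {@code requestedUrl}) or to {@code /operate}, both prefixed with the servlet
     * context path.
     *
     * <p>NOTE(review): {@code requestedUrl} is written outside this class and is assumed
     * here to be a context-relative path. That assumption is what keeps this redirect
     * on the same origin; confirm at the place the attribute is set that the value is
     * validated as such.
     *
     * @throws IOException if sending the redirect fails
     */
    private void redirectToPage(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        Object requestedUrl = httpServletRequest.getSession().getAttribute("requestedUrl");
        String target = requestedUrl != null ? String.valueOf(requestedUrl) : "/operate";
        httpServletResponse.sendRedirect(httpServletRequest.getContextPath() + target);
    }

    /**
     * Plain-text page shown when the callback could not establish an authentication.
     *
     * @return a static explanatory message
     */
    @RequestMapping({OperateURIs.NO_PERMISSION})
    @ResponseBody
    public String noPermissions() {
        return "No permission for Operate - Please check your operate configuration or cloud configuration.";
    }

    /**
     * Logs the user out: notifies the identity service (best effort, failures are only
     * logged) and then invalidates the session and clears the security context.
     *
     * <p>This method does not send a redirect or write a body itself; the response is
     * left as is for the caller or the servlet container.
     *
     * @throws IOException declared for the servlet contract; nothing here throws it
     */
    @RequestMapping({OperateURIs.LOGOUT_RESOURCE})
    public void logout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        this.logger.debug("logout user");
        try {
            this.identityService.logout();
        } catch (Exception e) {
            // Deliberately best effort: local cleanup must happen even if the
            // provider-side logout fails.
            this.logger.error("An error occurred in logout process", e);
        }
        cleanup(httpServletRequest);
    }

    /**
     * Logs the failure, discards the session and security context, and redirects to
     * the "no permission" page.
     *
     * @param th the cause of the failed authentication, logged with its stack trace
     * @throws IOException if sending the redirect fails
     */
    protected void clearContextAndRedirectToNoPermission(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Throwable th) throws IOException {
        this.logger.error("Error in authentication callback: ", th);
        cleanup(httpServletRequest);
        httpServletResponse.sendRedirect(OperateURIs.NO_PERMISSION);
    }

    /**
     * Invalidates the current HTTP session, if one exists, and clears the
     * thread-bound security context.
     *
     * <p>{@code getSession(false)} is used so that a request without a session does
     * not get one created merely to invalidate it again.
     */
    protected void cleanup(HttpServletRequest httpServletRequest) {
        HttpSession session = httpServletRequest.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        SecurityContext context = this.securityContextHolderStrategy.getContext();
        if (context != null) {
            context.setAuthentication((Authentication) null);
            this.securityContextHolderStrategy.clearContext();
        }
    }
}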
