package io.camunda.tasklist.webapp.security.sso;

import io.camunda.tasklist.webapp.security.TasklistProfileService;
import io.camunda.tasklist.webapp.security.TasklistURIs;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Profile;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

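@Profile({TasklistProfileService.SSO_AUTH_PROFILE})
@Controller
/* loaded from: input_file:io/camunda/tasklist/webapp/security/sso/SSOController.class */
/**
 * Web endpoints for the SSO (Auth0) login flow: redirecting to the identity
 * provider, handling its callback, logging out and rendering the
 * "no permission" message.
 *
 * <p>The authentication result of the callback is stored in the HTTP session
 * through a {@link HttpSessionSecurityContextRepository}; logout and the
 * error path both invalidate that session and clear the thread-bound
 * {@link SecurityContext}.
 */
public class SSOController {
    private static final Logger LOGGER = LoggerFactory.getLogger(SSOController.class);

    @Autowired
    private Auth0Service auth0Service;
    // Persists the authenticated SecurityContext in the HTTP session between requests.
    private final SecurityContextRepository securityContextRepository = new HttpSessionSecurityContextRepository();
    private final SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder.getContextHolderStrategy();

    /**
     * Starts the login by redirecting the browser to the Auth0 authorize URL.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the current response
     * @return a Spring MVC {@code redirect:} view name pointing at the authorize URL
     */
    @RequestMapping(value = {TasklistURIs.LOGIN_RESOURCE}, method = {RequestMethod.GET, RequestMethod.POST})
    public String login(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String authorizeUrl = this.auth0Service.getAuthorizeUrl(httpServletRequest, httpServletResponse);
        LOGGER.debug("Redirect Login to {}", authorizeUrl);
        return "redirect:" + authorizeUrl;
    }

    /**
     * Callback endpoint Auth0 redirects to after the user authenticated.
     *
     * <p>On success the resulting {@link Authentication} is bound to a fresh
     * {@link SecurityContext}, stored in the session and the user is sent to
     * the originally requested page. Any failure clears the session and
     * redirects to the "no permission" page.
     *
     * @param httpServletRequest the callback request
     * @param httpServletResponse the response used for the final redirect
     * @throws IOException if the redirect cannot be written
     */
    @GetMapping({TasklistURIs.SSO_CALLBACK})
    public void loggedInCallback(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        // The query string is intentionally not logged: on an OAuth/OIDC callback it
        // carries the authorization code and state, which must not end up in log files.
        LOGGER.debug("Called back by auth0 with {} and SessionId: {}",
                httpServletRequest.getRequestURI(), httpServletRequest.getSession().getId());
        try {
            Authentication authentication = this.auth0Service.authenticate(httpServletRequest, httpServletResponse);
            // Use a new, empty context rather than mutating whatever is currently bound.
            SecurityContext context = this.securityContextHolderStrategy.createEmptyContext();
            context.setAuthentication(authentication);
            this.securityContextHolderStrategy.setContext(context);
            this.securityContextRepository.saveContext(context, httpServletRequest, httpServletResponse);
            sessionExpiresWhenAuthenticationExpires(httpServletRequest);
            redirectToPage(httpServletRequest, httpServletResponse);
        } catch (Exception e) {
            // Boundary catch: any authentication failure must not leak a half-built
            // security context, so the session is torn down before redirecting.
            clearContextAndRedirectToNoPermission(httpServletRequest, httpServletResponse, e);
        }
    }

    /**
     * Redirects to the URL stored under {@link TasklistURIs#REQUESTED_URL} in the
     * session, or to {@code /} if none was stored.
     *
     * @throws IOException if the redirect cannot be written
     */
    private void redirectToPage(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        Object requestedUrl = httpServletRequest.getSession().getAttribute(TasklistURIs.REQUESTED_URL);
        // NOTE(review): the redirect target is taken from the session as-is. This is only
        // safe if the code that stores REQUESTED_URL restricts it to this application's
        // own URLs; that is not visible here — confirm to rule out an open redirect.
        if (requestedUrl != null) {
            httpServletResponse.sendRedirect(requestedUrl.toString());
        } else {
            httpServletResponse.sendRedirect("/");
        }
    }

    /**
     * Plain-text message shown when the authenticated user has no Tasklist permissions.
     *
     * @return the "no permission" message
     */
    @RequestMapping({TasklistURIs.NO_PERMISSION})
    @ResponseBody
    public String noPermissions() {
        return "No permission for Tasklist - Please check your Tasklist configuration or cloud configuration.";
    }

    /**
     * Logs the user out locally and then at Auth0, returning to {@code /} afterwards.
     *
     * @throws IOException if the redirect cannot be written
     */
    @RequestMapping({TasklistURIs.LOGOUT_RESOURCE})
    public void logout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        LOGGER.debug("logout user");
        cleanup(httpServletRequest);
        logoutFromAuth0(httpServletResponse, this.auth0Service.getRedirectURI(httpServletRequest, "/"));
    }

    /**
     * Error path of the callback: logs the failure, clears the session and the
     * security context, and redirects to the "no permission" page.
     *
     * @param th the failure that aborted the authentication
     * @throws IOException if the redirect cannot be written
     */
    protected void clearContextAndRedirectToNoPermission(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Throwable th) throws IOException {
        LOGGER.error("Error in authentication callback: ", th);
        cleanup(httpServletRequest);
        httpServletResponse.sendRedirect(TasklistURIs.NO_PERMISSION);
    }

    /**
     * Used when the user authenticated successfully but holds no permissions:
     * clears the local session and logs out at Auth0, landing on the
     * "no permission" page.
     *
     * @throws IOException if the redirect cannot be written
     */
    protected void logoutAndRedirectToNoPermissionPage(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        LOGGER.error("User is authenticated but there are no permissions. Show noPermission message");
        cleanup(httpServletRequest);
        logoutFromAuth0(httpServletResponse, this.auth0Service.getRedirectURI(httpServletRequest, TasklistURIs.NO_PERMISSION));
    }

    /**
     * Invalidates the HTTP session (if one exists) and clears the thread-bound
     * security context.
     */
    protected void cleanup(HttpServletRequest httpServletRequest) {
        // getSession(false): do not create a brand-new session only to invalidate it.
        var session = httpServletRequest.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        SecurityContext context = this.securityContextHolderStrategy.getContext();
        if (context != null) {
            context.setAuthentication((Authentication) null);
            this.securityContextHolderStrategy.clearContext();
        }
    }

    /**
     * Redirects the browser to the Auth0 logout URL that returns to {@code str}.
     *
     * @param str the URL Auth0 should redirect back to after logging out
     * @throws IOException if the redirect cannot be written
     */
    protected void logoutFromAuth0(HttpServletResponse httpServletResponse, String str) throws IOException {
        httpServletResponse.sendRedirect(this.auth0Service.getLogoutUrlFor(str));
    }

    /**
     * Disables the container's inactivity timeout for the session.
     *
     * <p>A negative max-inactive interval means the session is never expired
     * for inactivity. The method name implies the session lifetime is instead
     * bound to the validity of the authentication; nothing in this class
     * enforces that, so it must happen elsewhere (e.g. a filter that checks
     * token expiry) — confirm that such a check exists, otherwise sessions
     * live until explicit logout.
     */
    private void sessionExpiresWhenAuthenticationExpires(HttpServletRequest httpServletRequest) {
        httpServletRequest.getSession().setMaxInactiveInterval(-1);
    }
}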
