package io.camunda.tasklist.webapp.security.sso;

import com.auth0.AuthenticationController;
import com.auth0.IdentityVerificationException;
import com.auth0.Tokens;
import io.camunda.tasklist.property.TasklistProperties;
import io.camunda.tasklist.webapp.security.Permission;
import io.camunda.tasklist.webapp.security.TasklistProfileService;
import io.camunda.tasklist.webapp.security.TasklistURIs;
import io.camunda.tasklist.webapp.security.sso.model.ClusterInfo;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.time.Duration;
import java.util.List;
import net.jodah.failsafe.Failsafe;
import net.jodah.failsafe.RetryPolicy;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.BeanFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Profile;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;
import org.springframework.web.client.RestTemplate;

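/**
 * Auth0-backed login flow for the SSO profile: builds the authorize and logout URLs,
 * exchanges the Auth0 callback for tokens, and maps the cluster permissions returned by
 * the permission service onto the local {@link Permission} set.
 *
 * <p>Permission mapping fails closed: a missing or incomplete permission response is
 * rejected with {@link InsufficientAuthenticationException} instead of surfacing as a
 * {@link NullPointerException} (a generic 500) or, worse, being treated as access.
 */
@Profile({TasklistProfileService.SSO_AUTH_PROFILE})
@Component
public class Auth0Service {

    private static final Logger LOGGER = LoggerFactory.getLogger(Auth0Service.class);

    /** Auth0 logout endpoint; arguments are the Auth0 domain, the client id and the return URL. */
    private static final String LOGOUT_URL_TEMPLATE = "https://%s/v2/logout?client_id=%s&returnTo=%s";
    /** Permission lookup: the configured permission URL followed by the Auth0 organization. */
    private static final String PERMISSION_URL_TEMPLATE = "%s/%s";
    /** OIDC scopes requested on the authorize call (joined with a single space). */
    private static final List<String> SCOPES = List.of("openid", "profile", "email", "offline_access");

    /** Label used in the retry log messages of {@link #retrieveTokens}. */
    private static final String RETRIEVE_TOKENS = "retrieve tokens";
    private static final Duration RETRY_DELAY = Duration.ofMillis(500L);
    private static final int RETRY_MAX_ATTEMPTS = 10;

    @Autowired
    private BeanFactory beanFactory;

    @Autowired
    private AuthenticationController authenticationController;

    @Autowired
    private TasklistProperties tasklistProperties;

    @Autowired
    @Qualifier("auth0_restTemplate")
    private RestTemplate restTemplate;

    /**
     * Completes the Auth0 callback: exchanges the callback request for tokens, creates a
     * {@link TokenAuthentication} from them and attaches the cluster permissions.
     *
     * @param httpServletRequest the callback request coming back from Auth0
     * @param httpServletResponse the response the Auth0 SDK may write to while handling the callback
     * @return the authenticated principal with {@link Permission#READ} (and possibly
     *     {@link Permission#WRITE}) attached
     * @throws InsufficientAuthenticationException if the user has no read access on the tasklist
     *     cluster or the permission response is unusable
     */
    public Authentication authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        final Tokens tokens = retrieveTokens(httpServletRequest, httpServletResponse);
        // NOTE(review): looked up per login, so presumably a prototype-scoped bean — confirm its scope.
        final TokenAuthentication tokenAuthentication = beanFactory.getBean(TokenAuthentication.class);
        tokenAuthentication.authenticate(tokens.getIdToken(), tokens.getRefreshToken(), tokens.getAccessToken());
        checkPermission(tokenAuthentication);
        return tokenAuthentication;
    }

    /**
     * Queries the permission service with the user's access token and grants the local
     * permissions accordingly: READ requires the tasklist read flag, WRITE additionally
     * requires delete, create and update. Any missing part of the response denies access.
     *
     * @param tokenAuthentication the freshly authenticated principal to enrich
     * @throws InsufficientAuthenticationException if read access is absent or the response is
     *     missing the cluster info or the tasklist permissions
     */
    private void checkPermission(TokenAuthentication tokenAuthentication) {
        final HttpHeaders httpHeaders = new HttpHeaders();
        httpHeaders.setBearerAuth(tokenAuthentication.getAccessToken());
        final String permissionUrl = String.format(
            PERMISSION_URL_TEMPLATE,
            tasklistProperties.getCloud().getPermissionUrl(),
            tasklistProperties.getAuth0().getOrganization());
        final ClusterInfo clusterInfo = restTemplate
            .exchange(permissionUrl, HttpMethod.GET, new HttpEntity<>(httpHeaders), ClusterInfo.class)
            .getBody();
        if (clusterInfo == null) {
            // An empty body is a denial, not an error page.
            throw new InsufficientAuthenticationException("Permission service returned no cluster info");
        }
        if (clusterInfo.getSalesPlan() != null) {
            tokenAuthentication.setSalesPlanType(clusterInfo.getSalesPlan().getType());
        }
        final ClusterInfo.Permission tasklist = tasklistPermissionsOf(clusterInfo);
        // Boolean.TRUE.equals treats an absent (null) flag as "not granted".
        if (tasklist == null || !Boolean.TRUE.equals(tasklist.getRead())) {
            throw new InsufficientAuthenticationException("User doesn't have read access");
        }
        tokenAuthentication.addPermission(Permission.READ);
        final boolean fullWriteAccess =
            Boolean.TRUE.equals(tasklist.getDelete())
                && Boolean.TRUE.equals(tasklist.getCreate())
                && Boolean.TRUE.equals(tasklist.getUpdate());
        if (fullWriteAccess) {
            tokenAuthentication.addPermission(Permission.WRITE);
        }
    }

    /**
     * Extracts the tasklist permission block from the cluster info.
     *
     * @param clusterInfo the non-null permission service response
     * @return the tasklist permissions, or {@code null} when the response does not carry them
     */
    private static ClusterInfo.Permission tasklistPermissionsOf(ClusterInfo clusterInfo) {
        if (clusterInfo.getPermissions() == null || clusterInfo.getPermissions().getCluster() == null) {
            return null;
        }
        return clusterInfo.getPermissions().getCluster().getTasklist();
    }

    /**
     * Builds the Auth0 authorize URL the browser is sent to, with the configured audience
     * and the {@link #SCOPES}; the redirect target is the SSO callback in its
     * {@code ?uuid=} form (see {@link #getRedirectURI(HttpServletRequest, String, boolean)}).
     *
     * @param httpServletRequest the current request (used for the callback URI and SDK state)
     * @param httpServletResponse the response the Auth0 SDK may write state to
     * @return the absolute authorize URL
     */
    public String getAuthorizeUrl(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        final String callbackUri = getRedirectURI(httpServletRequest, TasklistURIs.SSO_CALLBACK, true);
        return authenticationController
            .buildAuthorizeUrl(httpServletRequest, httpServletResponse, callbackUri)
            .withAudience(tasklistProperties.getCloud().getPermissionAudience())
            .withScope(String.join(" ", SCOPES))
            .build();
    }

    /**
     * Builds the Auth0 logout URL that returns the browser to {@code returnTo} afterwards.
     *
     * <p>NOTE(review): {@code returnTo} is inserted into the query string as given, without
     * URL encoding — callers are expected to pass a plain absolute URL; confirm this matches
     * what the Auth0 logout endpoint accepts for the values used here.
     *
     * @param returnTo the URL Auth0 should redirect to after logging out
     * @return the absolute logout URL
     */
    public String getLogoutUrlFor(String returnTo) {
        return String.format(
            LOGOUT_URL_TEMPLATE,
            tasklistProperties.getAuth0().getDomain(),
            tasklistProperties.getAuth0().getClientId(),
            returnTo);
    }

    /**
     * Exchanges the Auth0 callback for tokens, retrying {@link IdentityVerificationException}
     * up to {@link #RETRY_MAX_ATTEMPTS} times with a {@link #RETRY_DELAY} pause between attempts.
     *
     * @param httpServletRequest the callback request from Auth0
     * @param httpServletResponse the response the Auth0 SDK may write to
     * @return the tokens issued for this login
     */
    public Tokens retrieveTokens(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        final RetryPolicy<Tokens> retryPolicy = new RetryPolicy<Tokens>()
            .handle(IdentityVerificationException.class)
            .withDelay(RETRY_DELAY)
            .withMaxAttempts(RETRY_MAX_ATTEMPTS)
            .onRetry(event -> LOGGER.debug("Retrying #{} {}", event.getAttemptCount(), RETRIEVE_TOKENS))
            .onAbort(event -> LOGGER.error("Abort {} by {}", RETRIEVE_TOKENS, event.getFailure()))
            .onRetriesExceeded(event ->
                LOGGER.error("Retries {} exceeded for {}", event.getAttemptCount(), RETRIEVE_TOKENS));
        return Failsafe.with(retryPolicy)
            .get(() -> authenticationController.handle(httpServletRequest, httpServletResponse));
    }

    /**
     * Builds an absolute URI for {@code path} below this application's context path.
     *
     * @param httpServletRequest the request whose scheme, host, port and context path are used
     * @param path the path to append, starting with {@code /}
     * @return {@code scheme://host[:port]/contextPath/path}
     */
    public String getRedirectURI(HttpServletRequest httpServletRequest, String path) {
        return getRedirectURI(httpServletRequest, path, false);
    }

    /**
     * Builds an absolute URI for {@code path}. The port is only added when it differs from the
     * scheme's default (80 for http, 443 for https).
     *
     * <p>NOTE(review): scheme, host and port are taken from the request (i.e. the Host header,
     * or forwarded headers if the container is configured for them) — behind a reverse proxy
     * these must resolve to the externally visible address for the redirect to be usable.
     *
     * @param httpServletRequest the request whose scheme, host, port and context path are used
     * @param path the path to append, starting with {@code /}
     * @param contextPathAsUuidParam when {@code true} the context path is not used as a path
     *     segment but passed as {@code ?uuid=} query parameter (slashes stripped), which is the
     *     form the SSO callback uses; when {@code false} the context path precedes {@code path}
     * @return the absolute URI
     */
    public String getRedirectURI(HttpServletRequest httpServletRequest, String path, boolean contextPathAsUuidParam) {
        final String scheme = httpServletRequest.getScheme();
        final int port = httpServletRequest.getServerPort();
        final StringBuilder uri = new StringBuilder(scheme)
            .append("://")
            .append(httpServletRequest.getServerName());
        final boolean nonDefaultPort =
            ("http".equals(scheme) && port != 80) || ("https".equals(scheme) && port != 443);
        if (nonDefaultPort) {
            uri.append(':').append(port);
        }
        final String contextPath = httpServletRequest.getContextPath();
        if (contextPathAsUuidParam) {
            return uri.append(path).append("?uuid=").append(contextPath.replace("/", "")).toString();
        }
        return uri.append(contextPath).append(path).toString();
    }
}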
