package eu.openanalytics.containerproxy.auth.impl;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.core.io.JsonStringEncoder;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import eu.openanalytics.containerproxy.auth.IAuthenticationBackend;
import eu.openanalytics.containerproxy.spec.expression.SpecExpressionContext;
import eu.openanalytics.containerproxy.spec.expression.SpecExpressionResolver;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.inject.Inject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.env.Environment;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.web.client.HttpClientErrorException;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestTemplate;

/* loaded from: input_file:BOOT-INF/lib/containerproxy-1.2.0.jar:eu/openanalytics/containerproxy/auth/impl/WebServiceAuthenticationBackend.class */
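/**
 * Authentication backend that delegates the username/password check to an external HTTP web
 * service.
 *
 * <p>The login name and password are substituted into the configured request-body template and
 * POSTed as JSON to the configured URL. A {@code 200 OK} answer means the login is accepted; the
 * response body is kept on the resulting {@link WebServiceUser} and, when a groups expression is
 * configured, is used to derive the user's {@code ROLE_*} authorities.
 */
public class WebServiceAuthenticationBackend implements IAuthenticationBackend {
    public static final String NAME = "webservice";
    private static final String PROP_PREFIX = "proxy.webservice.";
    private static final String PROP_AUTHENTICATION_REQUEST_BODY = PROP_PREFIX + "authentication-request-body";
    private static final String PROP_AUTHENTICATION_URL = PROP_PREFIX + "authentication-url";
    private static final String PROP_GROUPS_EXPRESSION = PROP_PREFIX + "groups-expression";
    private final ObjectMapper objectMapper = new ObjectMapper();
    private final Logger logger = LoggerFactory.getLogger(getClass());
    // String.format template for the JSON request body; argument 1 is the username, 2 the password.
    private final String requestBodyTemplate;
    private final String authenticationUrl;
    // Optional expression evaluated against the JSON response to obtain group names; may be null.
    private final String groupsExpression;

    @Inject
    private SpecExpressionResolver specExpressionResolver;

    /**
     * Spring Security provider that performs the actual call to the web service.
     */
    public class WebServiceAuthenticationProvider implements AuthenticationProvider {
        public WebServiceAuthenticationProvider() {
        }

        /**
         * Validates the submitted credentials against the configured web service.
         *
         * @param authentication the login attempt; name and credentials are sent to the web service
         * @return an authenticated token whose principal is a {@link WebServiceUser}; the password
         *     is not retained on the token
         * @throws BadCredentialsException if no credentials were supplied or the service answers
         *     with a 4xx status
         * @throws AuthenticationServiceException if the service cannot be reached, fails, or
         *     answers with a success status other than 200
         */
        @Override
        public Authentication authenticate(Authentication authentication) throws AuthenticationException {
            String username = authentication.getName();
            Object credentials = authentication.getCredentials();
            if (credentials == null) {
                // A token without credentials previously caused a NullPointerException here.
                throw new BadCredentialsException("Invalid username or password");
            }
            String password = credentials.toString();

            // NOTE(review): a default RestTemplate is built per login and no timeouts are set in
            // this class; confirm a slow web service cannot tie up login requests.
            RestTemplate restTemplate = new RestTemplate();
            HttpHeaders headers = new HttpHeaders();
            headers.setAccept(List.of(MediaType.APPLICATION_JSON));
            headers.setContentType(MediaType.APPLICATION_JSON);

            // Both values come straight from the login form. They are escaped before being placed
            // in the JSON template so that quotes or backslashes in a username or password cannot
            // terminate the string literal and change the structure of the request.
            String body = String.format(requestBodyTemplate, escapeJson(username), escapeJson(password));
            try {
                ResponseEntity<String> response = restTemplate.exchange(
                        authenticationUrl, HttpMethod.POST, new HttpEntity<>(body, headers), String.class);
                if (!HttpStatus.OK.equals(response.getStatusCode())) {
                    // Only the status is reported: the full ResponseEntity would put the response
                    // headers and body into the exception message.
                    throw new AuthenticationServiceException("Unknown response received " + response.getStatusCode());
                }
                User user = createUser(username, response.getBody());
                return new UsernamePasswordAuthenticationToken(user, "", user.getAuthorities());
            } catch (HttpClientErrorException e) {
                // Every 4xx is reported as bad credentials, so a misconfigured URL (for example a
                // 404) also surfaces as a failed login; the cause is kept for troubleshooting.
                throw new BadCredentialsException("Invalid username or password", e);
            } catch (RestClientException e) {
                // NOTE(review): the client exception message can name the backend URL; confirm
                // this text is not rendered to the person logging in.
                throw new AuthenticationServiceException("Internal error " + e.getMessage(), e);
            }
        }

        /**
         * Reports that only plain {@link UsernamePasswordAuthenticationToken} logins are handled.
         */
        @Override
        public boolean supports(Class<?> cls) {
            return cls.equals(UsernamePasswordAuthenticationToken.class);
        }

        /**
         * Escapes a value for use inside a JSON string literal (no surrounding quotes are added).
         *
         * @param value the raw value, may be {@code null}
         * @return the escaped value, or {@code null} when {@code value} is {@code null}
         */
        private String escapeJson(String value) {
            if (value == null) {
                return null;
            }
            return new String(JsonStringEncoder.getInstance().quoteAsString(value));
        }

        /**
         * Builds the principal for an accepted login from the web service response.
         *
         * <p>If the body is not valid JSON the user is still created, with no parsed JSON and no
         * authorities, because the service already accepted the credentials.
         *
         * @param username the login name
         * @param responseBody the raw response body, may be {@code null}
         * @return the user, carrying the raw response, the parsed JSON and the derived authorities
         */
        private User createUser(String username, String responseBody) {
            if (responseBody == null) {
                return new WebServiceUser(username, null, null, List.of());
            }
            JsonNode json = null;
            List<GrantedAuthority> authorities = new ArrayList<>();
            try {
                json = objectMapper.readTree(responseBody);
                if (groupsExpression != null) {
                    List<String> expressions = List.of(groupsExpression);
                    for (String group : specExpressionResolver.evaluateToList(expressions, SpecExpressionContext.create(json).build())) {
                        // Locale.ROOT keeps role names identical on every JVM; with the default
                        // locale the same group can map to a different authority string (for
                        // example 'i' upper-cased under a Turkish locale).
                        String upper = group.toUpperCase(Locale.ROOT);
                        authorities.add(new SimpleGrantedAuthority(upper.startsWith("ROLE_") ? upper : "ROLE_" + upper));
                    }
                }
            } catch (JsonProcessingException e) {
                // The body is deliberately kept out of the log: it is the authentication service's
                // answer for this user and may hold tokens or profile data. The parser location is
                // cleared because it can carry an excerpt of the parsed text.
                e.clearLocation();
                logger.warn("Invalid json response returned by web service ({} characters, body not logged)",
                        responseBody.length(), e);
            }
            return new WebServiceUser(username, responseBody, json, authorities);
        }
    }

    /**
     * Principal for users authenticated by the web service; keeps the service's response alongside
     * the standard Spring Security user data. The stored password is always empty.
     */
    public static class WebServiceUser extends User {
        private final String response;
        private final JsonNode jsonResponse;

        /**
         * @param username the login name
         * @param response the raw response body of the web service, may be {@code null}
         * @param jsonResponse the parsed response, {@code null} when absent or not valid JSON
         * @param authorities the authorities granted to the user
         */
        public WebServiceUser(String username, String response, JsonNode jsonResponse, Collection<? extends GrantedAuthority> authorities) {
            super(username, "", authorities);
            this.response = response;
            this.jsonResponse = jsonResponse;
        }

        /** Returns the raw response body of the web service, or {@code null}. */
        public String getResponse() {
            return this.response;
        }

        /** Returns the parsed response of the web service, or {@code null}. */
        public JsonNode getJsonResponse() {
            return this.jsonResponse;
        }
    }

    /**
     * Reads the backend configuration from the environment.
     *
     * @param environment source of the {@code proxy.webservice.*} properties
     * @throws IllegalStateException if the request-body template or the URL is not configured
     */
    public WebServiceAuthenticationBackend(Environment environment) {
        this.requestBodyTemplate = environment.getProperty(PROP_AUTHENTICATION_REQUEST_BODY);
        if (this.requestBodyTemplate == null) {
            throw new IllegalStateException("Webservice authentication enabled, but no 'proxy.webservice.authentication-request-body' defined!");
        }
        this.authenticationUrl = environment.getProperty(PROP_AUTHENTICATION_URL);
        if (this.authenticationUrl == null) {
            throw new IllegalStateException("Webservice authentication enabled, but no 'proxy.webservice.authentication-url' defined!");
        }
        // Optional: without it, authenticated users receive no authorities.
        this.groupsExpression = environment.getProperty(PROP_GROUPS_EXPRESSION);
    }

    @Override
    public String getName() {
        return NAME;
    }

    @Override
    public boolean hasAuthorization() {
        return true;
    }

    /** No HTTP security customisation is applied by this backend. */
    @Override
    public void configureHttpSecurity(HttpSecurity httpSecurity) {
    }

    /** Registers a {@link WebServiceAuthenticationProvider} with the authentication manager. */
    @Override
    public void configureAuthenticationManagerBuilder(AuthenticationManagerBuilder authenticationManagerBuilder) {
        authenticationManagerBuilder.authenticationProvider(new WebServiceAuthenticationProvider());
    }
}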
