package org.eclipse.pass.main.security;

import com.yahoo.elide.RefreshableElide;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import org.eclipse.pass.object.PassClient;
import org.eclipse.pass.object.PassClientResult;
import org.eclipse.pass.object.PassClientSelector;
import org.eclipse.pass.object.RSQL;
import org.eclipse.pass.object.model.PassEntity;
import org.eclipse.pass.object.model.User;
import org.eclipse.pass.object.model.UserRole;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

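/**
 * Servlet filter that turns a SAML-authenticated principal into a PASS {@link User}.
 *
 * <p>When the current {@link SecurityContext} holds an authenticated
 * {@link Saml2AuthenticatedPrincipal}, the SAML attributes named by
 * {@link PassAuthenticationFilterConfiguration#getAttributeMap()} are mapped to a
 * {@link User}, that user is created or updated through the Elide-backed
 * {@link PassClient}, and the context is replaced by a {@link PassAuthentication}
 * for it. An {@link AuthenticationException} raised on the way ends the request with
 * HTTP 400 and does not continue the filter chain.
 *
 * <p>Thread-safety: the only shared mutable step, lookup-then-create in
 * {@link #createOrUpdatePassUser(User)}, is serialized on this instance.
 */
@Component
public class PassAuthenticationFilter extends OncePerRequestFilter {
    /** Locator id type for the employee id attribute. */
    static final String EMPLOYEE_ID_TYPE = "employeeid";
    /** Locator id type for the unique id attribute. */
    static final String UNIQUE_ID_TYPE = "unique-id";
    /** Locator id type for the institutional id (local part of the EPPN). Name kept for compatibility. */
    static final String INSTITUIONAL_ID_TYPE = "eppn";
    private static final Logger LOG = LoggerFactory.getLogger(PassAuthenticationFilter.class);
    private final SecurityContextHolderStrategy securityContextHolderStrategy =
            SecurityContextHolder.getContextHolderStrategy();
    // Request-scoped repository: the replaced context lives only for the current request.
    private final SecurityContextRepository securityContextRepository =
            new RequestAttributeSecurityContextRepository();
    private final RefreshableElide elide;
    private final PassAuthenticationFilterConfiguration config;

    /**
     * Logical SAML attributes the filter consumes. The configuration's attribute map
     * gives, for each one, the key under which it appears in the principal's attributes.
     */
    public enum Attribute {
        DISPLAY_NAME,
        EMAIL,
        EPPN,
        GIVEN_NAME,
        SURNAME,
        EMPLOYEE_ID,
        UNIQUE_ID,
        SCOPED_AFFILIATION
    }

    /**
     * Creates the filter.
     *
     * @param refreshableElide Elide instance used to open {@link PassClient}s
     * @param passAuthenticationFilterConfiguration attribute-name configuration
     * @throws NullPointerException if either argument is {@code null}
     */
    public PassAuthenticationFilter(RefreshableElide refreshableElide,
            PassAuthenticationFilterConfiguration passAuthenticationFilterConfiguration) {
        this.elide = Objects.requireNonNull(refreshableElide, "refreshableElide");
        this.config = Objects.requireNonNull(passAuthenticationFilterConfiguration,
                "passAuthenticationFilterConfiguration");
    }

    /**
     * Builds a {@link PassAuthentication} for a SAML principal, creating or updating the
     * corresponding PASS user first.
     *
     * @param principal the authenticated SAML principal
     * @return authentication wrapping the parsed user
     * @throws AuthenticationException if a required attribute is missing or malformed, or
     *     several existing users match the principal's locator ids
     * @throws IOException if the PASS backend cannot be reached
     */
    private Authentication authenticate(Saml2AuthenticatedPrincipal principal)
            throws AuthenticationException, IOException {
        if (LOG.isDebugEnabled()) {
            // Attribute values are personal data; they are only dumped at debug level.
            LOG.debug("Principal: {}", principal.getName());
            principal.getAttributes().forEach((name, values) -> LOG.debug("{}: {}", name, values));
        }
        User user = parseUser(principal.getAttributes());
        createOrUpdatePassUser(user);
        return new PassAuthentication(user);
    }

    /**
     * Creates {@code user} in PASS when no existing user shares one of its locator ids,
     * otherwise updates the existing user from it.
     *
     * <p>Synchronized so the lookup and the create cannot interleave across concurrent
     * requests (the filter is presumably a singleton, so this is JVM-wide).
     *
     * @param user user parsed from the SAML attributes
     * @throws IOException if the PASS backend fails
     */
    private synchronized void createOrUpdatePassUser(User user) throws IOException {
        try (PassClient client = PassClient.newInstance(this.elide)) {
            User existing = findPassUser(client, user);
            if (existing == null) {
                client.createObject(user);
                LOG.info("Created user: {}", user.getUsername());
            } else {
                updatePassUser(client, user, existing);
            }
        }
    }

    /**
     * Copies every profile field of {@code incoming} onto {@code existing} and persists
     * {@code existing} only if at least one field differed.
     *
     * @param client client used for the update
     * @param incoming user freshly parsed from the SAML attributes
     * @param existing user already stored in PASS
     * @throws IOException if the update fails
     */
    private void updatePassUser(PassClient client, User incoming, User existing) throws IOException {
        boolean changed = false;
        if (!Objects.equals(existing.getUsername(), incoming.getUsername())) {
            existing.setUsername(incoming.getUsername());
            changed = true;
        }
        if (!Objects.equals(existing.getEmail(), incoming.getEmail())) {
            existing.setEmail(incoming.getEmail());
            changed = true;
        }
        if (!Objects.equals(existing.getDisplayName(), incoming.getDisplayName())) {
            existing.setDisplayName(incoming.getDisplayName());
            changed = true;
        }
        if (!Objects.equals(existing.getFirstName(), incoming.getFirstName())) {
            existing.setFirstName(incoming.getFirstName());
            changed = true;
        }
        if (!Objects.equals(existing.getLastName(), incoming.getLastName())) {
            existing.setLastName(incoming.getLastName());
            changed = true;
        }
        // Locator ids and roles are replaced wholesale, not merged, with the incoming ones.
        if (!PassEntity.listEquals(existing.getLocatorIds(), incoming.getLocatorIds())) {
            existing.setLocatorIds(incoming.getLocatorIds());
            changed = true;
        }
        if (!Objects.equals(existing.getAffiliation(), incoming.getAffiliation())) {
            existing.setAffiliation(incoming.getAffiliation());
            changed = true;
        }
        if (!PassEntity.listEquals(existing.getRoles(), incoming.getRoles())) {
            existing.setRoles(incoming.getRoles());
            changed = true;
        }
        if (changed) {
            client.updateObject(existing);
            LOG.info("Updated user: {}", incoming.getUsername());
        }
    }

    /**
     * Looks up the stored user sharing a locator id with {@code user}, trying each locator
     * id in order and returning the first unique match.
     *
     * @param client client used for the query
     * @param user user whose locator ids are searched for
     * @return the matching stored user, or {@code null} if none matches
     * @throws BadCredentialsException if a locator id matches more than one stored user,
     *     since the identity would be ambiguous
     * @throws IOException if the query fails
     */
    private User findPassUser(PassClient client, User user) throws IOException {
        PassClientSelector<User> selector = new PassClientSelector<>(User.class);
        for (String locatorId : user.getLocatorIds()) {
            selector.setFilter(RSQL.hasMember("locatorIds", locatorId));
            PassClientResult<User> result = client.selectObjects(selector);
            if (result.getTotal() == 1) {
                return result.getObjects().get(0);
            }
            if (result.getTotal() > 1) {
                throw new BadCredentialsException("Found multiple users matching locator: " + locatorId);
            }
        }
        return null;
    }

    /**
     * Maps SAML attributes to a new {@link User}.
     *
     * <p>Locator ids take the form {@code <eppn domain>:<type>:<value>}: one for the unique id
     * (local part only), one for the lower-cased EPPN local part, and one for the employee id
     * when present. The EPPN domain is always the first affiliation, followed by any scoped
     * affiliations. Every user gets {@link UserRole#SUBMITTER}.
     *
     * @param attributes the principal's attributes, keyed by attribute name
     * @return the populated user (not yet persisted)
     * @throws BadCredentialsException if a required attribute is missing or the EPPN or
     *     unique id is not of the form {@code local@scope}
     */
    User parseUser(Map<String, List<Object>> attributes) {
        String displayName = get(attributes, Attribute.DISPLAY_NAME, true);
        String givenName = get(attributes, Attribute.GIVEN_NAME, true);
        String surname = get(attributes, Attribute.SURNAME, true);
        String email = get(attributes, Attribute.EMAIL, true);
        String eppn = get(attributes, Attribute.EPPN, true);
        String employeeId = get(attributes, Attribute.EMPLOYEE_ID, false);
        String uniqueId = get(attributes, Attribute.UNIQUE_ID, true);
        List<String> scopedAffiliations = getList(attributes, Attribute.SCOPED_AFFILIATION, false);

        String[] eppnParts = eppn.split("@");
        if (eppnParts.length != 2) {
            throw new BadCredentialsException("EPPN attribute malformed: " + eppn);
        }
        String domain = eppnParts[1];
        // Locale.ROOT keeps the locator id independent of the JVM's default locale.
        String institutionalId = eppnParts[0].toLowerCase(Locale.ROOT);
        if (domain.isEmpty() || institutionalId.isEmpty()) {
            throw new BadCredentialsException("EPPN attribute malformed: " + eppn);
        }
        // The unique id is presumably scoped like the EPPN; only its local part is kept.
        // Values such as "@" split to an empty array, so guard before indexing instead of
        // letting an ArrayIndexOutOfBoundsException turn a bad assertion into a 500.
        String[] uniqueIdParts = uniqueId.split("@");
        if (uniqueIdParts.length == 0 || uniqueIdParts[0].isEmpty()) {
            throw new BadCredentialsException("Unique ID attribute malformed: " + uniqueId);
        }
        String uniqueIdLocal = uniqueIdParts[0];

        User user = new User();
        List<String> locatorIds = user.getLocatorIds();
        locatorIds.add(String.join(":", domain, UNIQUE_ID_TYPE, uniqueIdLocal));
        locatorIds.add(String.join(":", domain, INSTITUIONAL_ID_TYPE, institutionalId));
        if (employeeId != null && !employeeId.isEmpty()) {
            locatorIds.add(String.join(":", domain, EMPLOYEE_ID_TYPE, employeeId));
        }
        user.getAffiliation().add(domain);
        user.getAffiliation().addAll(scopedAffiliations);
        user.setDisplayName(displayName);
        user.setEmail(email);
        user.setFirstName(givenName);
        user.setLastName(surname);
        user.setUsername(eppn);
        user.getRoles().add(UserRole.SUBMITTER);
        return user;
    }

    /**
     * Returns the first value of a single-valued attribute, trimmed.
     *
     * @param attributes the principal's attributes
     * @param attribute logical attribute to read
     * @param required whether a missing or blank value is an error
     * @return the trimmed value, or {@code null} if absent or blank and not required
     * @throws BadCredentialsException if required and absent or blank
     */
    private String get(Map<String, List<Object>> attributes, Attribute attribute, boolean required)
            throws AuthenticationException {
        String name = this.config.getAttributeMap().get(attribute);
        List<Object> values = attributes.get(name);
        String value = null;
        if (values != null && !values.isEmpty() && values.get(0) != null) {
            value = values.get(0).toString().trim();
        }
        if (value == null || value.isEmpty()) {
            if (required) {
                throw new BadCredentialsException("Missing attribute: " + attribute + "[" + name + "]");
            }
            return null;
        }
        return value;
    }

    /**
     * Returns all non-blank values of a multi-valued attribute, trimmed.
     *
     * @param attributes the principal's attributes
     * @param attribute logical attribute to read
     * @param required whether an absent attribute is an error
     * @return the trimmed non-blank values, possibly empty
     * @throws BadCredentialsException if required and no non-blank value is present
     */
    private List<String> getList(Map<String, List<Object>> attributes, Attribute attribute, boolean required)
            throws AuthenticationException {
        String name = this.config.getAttributeMap().get(attribute);
        List<Object> values = attributes.get(name);
        if (values == null) {
            values = List.of();
        }
        List<String> result = new ArrayList<>(values.size());
        for (Object value : values) {
            if (value == null) {
                continue;
            }
            String trimmed = value.toString().trim();
            if (!trimmed.isEmpty()) {
                result.add(trimmed);
            }
        }
        // Consistent with get(): a list holding only blank values counts as missing.
        if (required && result.isEmpty()) {
            throw new BadCredentialsException("Missing attribute: " + attribute + "[" + name + "]");
        }
        return result;
    }

    /**
     * Converts an authenticated SAML principal in the current context into a PASS user and
     * continues the chain; on {@link AuthenticationException} answers 400 and stops.
     *
     * <p>Note this runs whenever the context already holds an authenticated SAML principal,
     * not only on the login request, so the backend lookup/update is repeated per such request.
     */
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain filterChain) throws ServletException, IOException {
        Authentication authentication = this.securityContextHolderStrategy.getContext().getAuthentication();
        if (authentication != null && authentication.isAuthenticated()
                && authentication.getPrincipal() instanceof Saml2AuthenticatedPrincipal principal) {
            try {
                SecurityContext context = this.securityContextHolderStrategy.createEmptyContext();
                context.setAuthentication(authenticate(principal));
                this.securityContextHolderStrategy.setContext(context);
                this.securityContextRepository.saveContext(context, request, response);
                LOG.debug("User logged in {}", authentication.getName());
            } catch (AuthenticationException e) {
                // Malformed or ambiguous identity data: reject without reaching the application.
                LOG.error("Login failed", e);
                response.setStatus(HttpStatus.BAD_REQUEST.value());
                return;
            }
        }
        filterChain.doFilter(request, response);
    }
}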
