package it.geosolutions.geostore.services.rest.security.keycloak;

import it.geosolutions.geostore.core.model.User;
import it.geosolutions.geostore.core.model.enums.Role;
import it.geosolutions.geostore.core.security.password.SecurityUtils;
import it.geosolutions.geostore.services.UserService;
import it.geosolutions.geostore.services.exception.BadRequestServiceEx;
import it.geosolutions.geostore.services.exception.NotFoundServiceEx;
import it.geosolutions.geostore.services.rest.security.oauth2.OAuth2Utils;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import javax.servlet.http.HttpServletRequest;
import org.apache.log4j.Logger;
import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
import org.keycloak.adapters.springsecurity.account.KeycloakRole;
import org.keycloak.adapters.springsecurity.account.SimpleKeycloakAccount;
import org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken;
import org.keycloak.representations.AccessToken;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/* loaded from: input_file:it/geosolutions/geostore/services/rest/security/keycloak/GeoStoreKeycloakAuthProvider.class */
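/**
 * Spring Security {@link AuthenticationProvider} that turns an already-validated
 * {@link KeycloakAuthenticationToken} into a GeoStore {@link PreAuthenticatedAuthenticationToken}.
 *
 * <p>The identity is taken from the Keycloak access token (email, then preferred username); the
 * matching GeoStore {@link User} is loaded from the {@link UserService} or, when the configuration
 * allows it, auto-created with an empty password. Role and groups may be overridden by the optional
 * {@link GeoStoreKeycloakAuthoritiesMapper}. Access and refresh tokens are also exposed to
 * downstream code as request attributes.
 */
public class GeoStoreKeycloakAuthProvider implements AuthenticationProvider {
    private GeoStoreKeycloakAuthoritiesMapper grantedAuthoritiesMapper;
    private static final Logger LOGGER = Logger.getLogger(GeoStoreKeycloakAuthProvider.class);

    @Autowired
    private UserService userService;
    private KeyCloakConfiguration configuration;

    /**
     * Creates a provider bound to the given Keycloak configuration.
     *
     * @param keyCloakConfiguration configuration consulted for the auto-create-user flag
     */
    public GeoStoreKeycloakAuthProvider(KeyCloakConfiguration keyCloakConfiguration) {
        this.configuration = keyCloakConfiguration;
    }

    /**
     * Sets the optional mapper that converts Keycloak roles into GeoStore authorities, role and
     * groups. When unset, Keycloak roles are used as authorities unchanged.
     *
     * @param geoStoreKeycloakAuthoritiesMapper the mapper, may be {@code null}
     */
    public void setGrantedAuthoritiesMapper(GeoStoreKeycloakAuthoritiesMapper geoStoreKeycloakAuthoritiesMapper) {
        this.grantedAuthoritiesMapper = geoStoreKeycloakAuthoritiesMapper;
    }

    /**
     * Builds the GeoStore authentication for a Keycloak-authenticated principal.
     *
     * @param authentication a {@link KeycloakAuthenticationToken} (see {@link #supports(Class)})
     * @return a {@link PreAuthenticatedAuthenticationToken} whose principal is the GeoStore user and
     *     whose details are a {@link KeycloakTokenDetails} carrying the raw tokens and expiry
     * @throws AuthenticationException as declared by the interface
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        KeycloakAuthenticationToken keycloakToken = (KeycloakAuthenticationToken) authentication;
        RefreshableKeycloakSecurityContext securityContext =
                keycloakToken.getAccount().getKeycloakSecurityContext();

        // Keycloak roles become plain authorities before the optional mapper runs.
        Collection<GrantedAuthority> keycloakRoles = new ArrayList<>();
        for (String roleName : keycloakToken.getAccount().getRoles()) {
            keycloakRoles.add(new KeycloakRole(roleName));
        }
        Collection<? extends GrantedAuthority> authorities = mapAuthorities(keycloakRoles);

        AccessToken token = securityContext.getToken();
        String tokenString = securityContext.getTokenString();
        Long expiration = null;
        HttpServletRequest request = OAuth2Utils.getRequest();
        if (token != null) {
            expiration = token.getExp();
            // Downstream code reads the tokens back from the current request, when there is one.
            if (request != null) {
                request.setAttribute(OAuth2Utils.ACCESS_TOKEN_PARAM, token);
            }
        }
        // The context is already a RefreshableKeycloakSecurityContext (and non-null, see above),
        // so the refresh token is always available here.
        String refreshToken = securityContext.getRefreshToken();
        if (request != null) {
            request.setAttribute(OAuth2Utils.REFRESH_TOKEN_PARAM, refreshToken);
        }
        KeycloakTokenDetails details = new KeycloakTokenDetails(tokenString, refreshToken, expiration);

        // Empty password: the identity is asserted by Keycloak, not by a local credential.
        User user = retrieveUser(getUsername(authentication), "");
        if (this.grantedAuthoritiesMapper != null) {
            // Guard against a persisted user whose group set was never initialised.
            if (user.getGroups() == null) {
                user.setGroups(new HashSet<>());
            }
            user.getGroups().addAll(this.grantedAuthoritiesMapper.getGroups());
            // The mapped role replaces whatever the DB holds; a null mapping falls back to USER below.
            user.setRole(this.grantedAuthoritiesMapper.getRole());
        }
        if (user.getRole() == null) {
            user.setRole(Role.USER);
        }

        PreAuthenticatedAuthenticationToken result =
                new PreAuthenticatedAuthenticationToken(user, "", authorities);
        result.setDetails(details);
        return result;
    }

    /** Applies the configured mapper, or returns the authorities unchanged when none is set. */
    private Collection<? extends GrantedAuthority> mapAuthorities(Collection<? extends GrantedAuthority> collection) {
        return this.grantedAuthoritiesMapper != null ? this.grantedAuthoritiesMapper.mapAuthorities(collection) : collection;
    }

    @Override
    public boolean supports(Class<?> cls) {
        return KeycloakAuthenticationToken.class.isAssignableFrom(cls);
    }

    /**
     * Loads the GeoStore user with the given name, or builds a transient one (enabled, role USER,
     * no groups) when it does not exist. If a {@link UserService} is available and
     * {@code configuration.isAutoCreateUser()} is true, the new user is persisted as well; a
     * failed insert is logged and the transient user is returned without an id.
     *
     * @param username the name used as lookup key and, for a new user, as the stored name
     * @param password the password stored on a newly created user (the caller passes an empty string)
     * @return the persisted or transient user, never {@code null}
     */
    protected User retrieveUser(String username, String password) {
        User user = null;
        if (this.userService != null) {
            try {
                user = this.userService.get(username);
            } catch (NotFoundServiceEx e) {
                // Expected on first login when auto-creation is enabled, so keep it at debug level.
                if (LOGGER.isDebugEnabled()) {
                    LOGGER.debug("Keycloak user not found in DB.", e);
                }
            }
        }
        if (user == null) {
            user = new User();
            user.setName(username);
            user.setNewPassword(password);
            user.setEnabled(true);
            user.setRole(Role.USER);
            user.setGroups(new HashSet<>());
            if (this.userService != null && this.configuration.isAutoCreateUser()) {
                try {
                    long id = this.userService.insert(user);
                    // Copy so the returned instance carries the generated id.
                    user = new User(user);
                    user.setId(Long.valueOf(id));
                } catch (NotFoundServiceEx | BadRequestServiceEx e) {
                    LOGGER.error("Exception while inserting the user.", e);
                }
            }
        }
        return user;
    }

    /**
     * Resolves the local account name: the access token's email, then its preferred username,
     * then whatever {@link SecurityUtils#getUsername(Authentication)} yields.
     *
     * @param authentication the incoming authentication, may be {@code null}
     * @return the username, or {@code null} if none could be determined
     */
    private String getUsername(Authentication authentication) {
        String username = null;
        if (authentication != null && (authentication.getDetails() instanceof SimpleKeycloakAccount)) {
            AccessToken token = ((SimpleKeycloakAccount) authentication.getDetails())
                    .getKeycloakSecurityContext().getToken();
            // Both claims are read only when the token is present; the original dereferenced
            // the token for the preferred username even when it was null.
            if (token != null) {
                // NOTE(review): the email claim is the key of the local account; this relies on
                // the realm issuing verified emails — confirm realm configuration.
                username = token.getEmail();
                if (username == null) {
                    username = token.getPreferredUsername();
                }
            }
        }
        if (username == null) {
            username = SecurityUtils.getUsername(authentication);
        }
        return username;
    }
}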
