package io.corbel.iam.service;

import io.corbel.iam.auth.AuthorizationRequestContext;
import io.corbel.iam.auth.AuthorizationRequestContextFactory;
import io.corbel.iam.auth.AuthorizationRule;
import io.corbel.iam.auth.BasicParams;
import io.corbel.iam.auth.OauthParams;
import io.corbel.iam.auth.provider.AuthorizationProviderFactory;
import io.corbel.iam.exception.MissingBasicParamsException;
import io.corbel.iam.exception.MissingOAuthParamsException;
import io.corbel.iam.exception.NoSuchPrincipalException;
import io.corbel.iam.exception.OauthServerConnectionException;
import io.corbel.iam.exception.UnauthorizedException;
import io.corbel.iam.exception.UnauthorizedTimeException;
import io.corbel.iam.model.Domain;
import io.corbel.iam.model.TokenGrant;
import io.corbel.iam.model.User;
import io.corbel.iam.model.UserToken;
import io.corbel.iam.repository.UserTokenRepository;
import io.corbel.iam.utils.Message;
import io.corbel.lib.token.TokenInfo;
import io.corbel.lib.token.exception.TokenVerificationException;
import io.corbel.lib.token.factory.TokenFactory;
import io.corbel.lib.token.model.TokenType;
import java.security.SignatureException;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import net.oauth.jsontoken.JsonToken;
import net.oauth.jsontoken.JsonTokenParser;
import org.joda.time.Instant;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/corbel/iam/service/DefaultAuthorizationService.class */
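/**
 * Default {@link AuthorizationService}: turns a signed JWT assertion into a {@link TokenGrant}.
 *
 * <p>The assertion is verified and deserialized by the injected {@link JsonTokenParser} and wrapped
 * in an {@link AuthorizationRequestContext}; the grant then follows one of three paths depending on
 * what that context carries: OAuth params, basic (username/password) params, or a refresh token /
 * the principal named by the assertion itself. Every path runs the configured
 * {@link AuthorizationRule}s before a token is minted.
 *
 * <p>All fields are final and the class keeps no mutable state of its own; whether an instance may
 * be shared across threads depends on the injected collaborators.
 */
public class DefaultAuthorizationService implements AuthorizationService {
    private static final Logger LOG = LoggerFactory.getLogger(DefaultAuthorizationService.class);
    private final JsonTokenParser jsonTokenParser;
    // Defensive, unmodifiable view of the rules handed in by the constructor.
    private final List<AuthorizationRule> rules;
    private final TokenFactory tokenFactory;
    private final AuthorizationRequestContextFactory contextFactory;
    private final ScopeService scopeService;
    private final AuthorizationProviderFactory authorizationProviderFactory;
    private final RefreshTokenService refreshTokenService;
    private final UserTokenRepository userTokenRepository;
    private final UserService userService;
    private final EventsService eventsService;
    private final DeviceService deviceService;

    /**
     * Creates the service from its collaborators.
     *
     * @param jsonTokenParser verifies and deserializes incoming JWT assertions
     * @param list authorization rules applied, in order, to every grant; wrapped unmodifiable
     * @param tokenFactory mints the access token
     * @param authorizationRequestContextFactory builds a request context from a parsed JWT
     * @param scopeService expands and publishes scopes for the issued token
     * @param authorizationProviderFactory resolves the OAuth provider for a domain/service pair
     * @param refreshTokenService issues refresh tokens and resolves users from them
     * @param userTokenRepository persists issued user tokens
     * @param userService looks users up by id, username or e-mail
     * @param eventsService receives user/client authentication events
     * @param deviceService records device connections
     */
    public DefaultAuthorizationService(JsonTokenParser jsonTokenParser, List<AuthorizationRule> list, TokenFactory tokenFactory, AuthorizationRequestContextFactory authorizationRequestContextFactory, ScopeService scopeService, AuthorizationProviderFactory authorizationProviderFactory, RefreshTokenService refreshTokenService, UserTokenRepository userTokenRepository, UserService userService, EventsService eventsService, DeviceService deviceService) {
        this.jsonTokenParser = jsonTokenParser;
        this.eventsService = eventsService;
        this.rules = Collections.unmodifiableList(list);
        this.tokenFactory = tokenFactory;
        this.contextFactory = authorizationRequestContextFactory;
        this.scopeService = scopeService;
        this.authorizationProviderFactory = authorizationProviderFactory;
        this.refreshTokenService = refreshTokenService;
        this.userTokenRepository = userTokenRepository;
        this.userService = userService;
        this.deviceService = deviceService;
    }

    /**
     * Authorizes a JWT assertion, choosing the OAuth, basic, refresh-token or plain-principal flow
     * from the context the assertion describes.
     *
     * @param str the signed JWT assertion presented by the client
     * @return the issued grant
     * @throws UnauthorizedException if the assertion cannot be verified or parsed, or the grant is refused
     * @throws MissingOAuthParamsException if the context is OAuth but the OAuth params are absent
     * @throws MissingBasicParamsException if the context is basic but the basic params are absent
     * @throws OauthServerConnectionException if the OAuth provider cannot be reached
     */
    @Override
    public TokenGrant authorize(String str) throws UnauthorizedException, MissingOAuthParamsException, OauthServerConnectionException, MissingBasicParamsException {
        try {
            AuthorizationRequestContext context = getContext(str);
            if (context.isOAuth()) {
                OauthParams oauthParams = context.getOauthParams();
                checkOauthParams(context, oauthParams);
                return grantAccess(context, oauthParams);
            }
            if (context.isBasic()) {
                BasicParams basicParams = context.getBasicParams();
                checkBasicParams(context, basicParams);
                return grantAccess(context, basicParams);
            }
            if (context.hasRefreshToken()) {
                return refreshToken(context);
            }
            return grantAccess(context, Optional.ofNullable(context.getPrincipal()));
        } catch (IllegalArgumentException | IllegalStateException | NullPointerException e) {
            // Malformed or inconsistent assertions surface as runtime exceptions from the parser,
            // the context factory and the grant itself; all collapse into one generic message so
            // the caller is not told which check failed. The detail goes to the log only.
            logInvalidAssertion(str, e);
            throw new UnauthorizedException("Invalid assertion");
        } catch (SignatureException | TokenVerificationException e2) {
            throw new UnauthorizedException(e2.getMessage());
        }
    }

    /**
     * Authorizes a JWT assertion using OAuth params supplied out of band (not embedded in the JWT).
     *
     * @param str the signed JWT assertion presented by the client
     * @param oauthParams the OAuth params to validate against the provider
     * @return the issued grant
     * @throws UnauthorizedException if the assertion cannot be verified or parsed, or the grant is refused
     * @throws MissingOAuthParamsException if the context is not OAuth or the params are incomplete
     * @throws OauthServerConnectionException if the OAuth provider cannot be reached
     */
    @Override
    public TokenGrant authorize(String str, OauthParams oauthParams) throws UnauthorizedException, MissingOAuthParamsException, OauthServerConnectionException {
        try {
            AuthorizationRequestContext context = getContext(str);
            checkOauthParams(context, oauthParams);
            return grantAccess(context, oauthParams);
        } catch (IllegalArgumentException | IllegalStateException | NullPointerException e) {
            logInvalidAssertion(str, e);
            throw new UnauthorizedException("Invalid assertion");
        } catch (SignatureException e2) {
            throw new UnauthorizedException(e2.getMessage());
        }
    }

    /**
     * Rejects the request unless the context is an OAuth request carrying complete OAuth params.
     *
     * @throws MissingOAuthParamsException if the context is not OAuth, or the params are null or incomplete
     */
    private void checkOauthParams(AuthorizationRequestContext authorizationRequestContext, OauthParams oauthParams) throws MissingOAuthParamsException {
        if (!authorizationRequestContext.isOAuth() || oauthParams == null || oauthParams.isMissing()) {
            throw new MissingOAuthParamsException("Missing oauth params");
        }
    }

    /**
     * Rejects the request unless the context is a basic-auth request carrying complete basic params.
     *
     * @throws MissingBasicParamsException if the context is not basic, or the params are null or incomplete
     */
    private void checkBasicParams(AuthorizationRequestContext authorizationRequestContext, BasicParams basicParams) throws MissingBasicParamsException {
        if (!authorizationRequestContext.isBasic() || basicParams == null || basicParams.isMissing()) {
            throw new MissingBasicParamsException("Missing basic params");
        }
    }

    /**
     * Logs an assertion that was rejected as invalid, together with the exception that rejected it.
     *
     * <p>NOTE(review): the full assertion is written to the log. Because {@link #authorize(String)}
     * routes every runtime exception from the whole grant through here, a correctly signed, still
     * unexpired assertion can end up logged when a later step fails; consider logging a digest or a
     * truncated prefix instead if log access is broader than token access.
     */
    private void logInvalidAssertion(String str, RuntimeException runtimeException) {
        LOG.warn("Invalid JWT: {}. Reason {}:{}", str, runtimeException.getClass().getCanonicalName(), runtimeException.getMessage());
    }

    /**
     * OAuth flow: resolves the identity with the domain's provider, maps it to a local user and
     * grants access as that user.
     *
     * @throws UnauthorizedException if the provider returns no identity, the identity maps to no
     *     local user, or any unexpected failure occurs while talking to the provider
     */
    private TokenGrant grantAccess(AuthorizationRequestContext authorizationRequestContext, OauthParams oauthParams) throws SignatureException, UnauthorizedException, MissingOAuthParamsException, OauthServerConnectionException {
        Domain requestedDomain = authorizationRequestContext.getRequestedDomain();
        String oAuthService = authorizationRequestContext.getOAuthService();
        try {
            // A null identity, or an identity whose user id is unknown locally, both yield an empty Optional.
            Optional<User> user = Optional.ofNullable(this.authorizationProviderFactory.getProvider(requestedDomain, oAuthService)
                    .getIdentity(oauthParams, oAuthService, requestedDomain.getId()))
                    .map(identity -> this.userService.findById(identity.getUserId()));
            if (!user.isPresent()) {
                throw new NoSuchPrincipalException(Message.OAUTH_PRINCIPAL_EXISTS_UNAUTHORIZED.getMessage(oAuthService, authorizationRequestContext.getIssuerClient().getDomain()));
            }
            authorizationRequestContext.setPrincipalId(user.get().getUsername());
            return grantAccess(authorizationRequestContext, user);
        } catch (MissingOAuthParamsException | OauthServerConnectionException | UnauthorizedException e) {
            throw e;
        } catch (Exception e2) {
            // The cause cannot be attached to UnauthorizedException here, so keep it in the log;
            // only its message is forwarded to the caller.
            // NOTE(review): that forwarded message comes straight from the provider/user lookup —
            // confirm it is not echoed to the client unredacted.
            LOG.warn("OAuth grant failed for service {}", oAuthService, e2);
            throw new UnauthorizedException(e2.getMessage());
        }
    }

    /**
     * Basic flow: looks the user up by username, then by e-mail, and checks the password.
     *
     * @throws UnauthorizedException (as {@link NoSuchPrincipalException}) if no user matches or the
     *     password check fails; both cases produce the same message
     */
    private TokenGrant grantAccess(AuthorizationRequestContext authorizationRequestContext, BasicParams basicParams) throws UnauthorizedException {
        String domainId = authorizationRequestContext.getRequestedDomain().getId();
        User user = this.userService.findByDomainAndUsername(domainId, basicParams.getUsername());
        if (user == null) {
            // The "username" field is also accepted as the user's e-mail address.
            user = this.userService.findByDomainAndEmail(domainId, basicParams.getUsername());
        }
        // Unknown user and wrong password are deliberately indistinguishable in the response.
        if (user == null || !user.checkPassword(basicParams.getPassword())) {
            throw new NoSuchPrincipalException(Message.UNKNOWN_BASIC_USER_CREDENTIALS.getMessage(new Object[0]));
        }
        authorizationRequestContext.setPrincipalId(user.getUsername());
        return grantAccess(authorizationRequestContext, Optional.of(user));
    }

    /**
     * Common tail of every flow: runs the authorization rules, mints the access and refresh tokens,
     * persists/announces the grant and publishes the scopes.
     *
     * @param optional the authenticated user, or empty for a client-only (no principal) grant
     * @throws UnauthorizedException if any rule rejects the request (rules are assumed to throw
     *     on rejection; the return value of {@code process} is not used)
     */
    private TokenGrant grantAccess(AuthorizationRequestContext authorizationRequestContext, Optional<User> optional) throws UnauthorizedException {
        // Every rule sees the request before any token exists.
        for (AuthorizationRule rule : this.rules) {
            rule.process(authorizationRequestContext);
        }
        String accessToken = getAccessToken(authorizationRequestContext);
        TokenGrant tokenGrant = new TokenGrant(accessToken,
                authorizationRequestContext.getAuthorizationExpiration().longValue(),
                this.refreshTokenService.createRefreshToken(authorizationRequestContext, accessToken),
                authorizationRequestContext.getTokenScopes());
        if (optional.isPresent()) {
            User user = optional.get();
            Set<String> scopeIds = authorizationRequestContext.getExpandedRequestedScopes().stream()
                    .map(scope -> scope.getId())
                    .collect(Collectors.toSet());
            storeUserToken(tokenGrant, user, authorizationRequestContext.getDeviceId(), scopeIds);
            updateDeviceLastConnection(user.getDomain(), user.getId(), authorizationRequestContext.getDeviceId());
            this.eventsService.sendUserAuthenticationEvent(user.getUserProfile());
        } else {
            this.eventsService.sendClientAuthenticationEvent(authorizationRequestContext.getIssuerClientDomain().getId(), authorizationRequestContext.getIssuerClientId());
        }
        publishScope(tokenGrant, authorizationRequestContext);
        return tokenGrant;
    }

    /**
     * Publishes the filled-in scopes of the grant under its access token until the token expires.
     * The principal id is passed as {@code null} for client-only grants.
     */
    private void publishScope(TokenGrant tokenGrant, AuthorizationRequestContext authorizationRequestContext) {
        String principalId = authorizationRequestContext.hasPrincipal() ? authorizationRequestContext.getPrincipal().getId() : null;
        Set filledScopes = this.scopeService.fillScopes(
                authorizationRequestContext.getExpandedRequestedScopes(),
                principalId,
                authorizationRequestContext.getIssuerClientId(),
                authorizationRequestContext.getRequestedDomain().getId());
        this.scopeService.publishAuthorizationRules(tokenGrant.getAccessToken(), tokenGrant.getExpiresAt(), filledScopes);
    }

    /**
     * Verifies the assertion's signature and builds the request context from it.
     *
     * @throws UnauthorizedTimeException if the parser's {@link IllegalStateException} is due to the
     *     assertion's time window (issued-at or expiration) rather than its content
     * @throws SignatureException if the signature does not verify
     * @throws IllegalStateException any other parser state error, propagated unchanged
     */
    private AuthorizationRequestContext getContext(String str) throws SignatureException, UnauthorizedTimeException {
        try {
            return this.contextFactory.fromJsonToken(this.jsonTokenParser.verifyAndDeserialize(str));
        } catch (IllegalStateException e) {
            if (isAnExpiredException(str)) {
                throw new UnauthorizedTimeException(e.getMessage());
            }
            throw e;
        }
    }

    /**
     * Returns {@code true} when the assertion's issued-at or expiration claim is outside the window
     * the parser accepts for "now". Deserializes without verifying, since this runs only after the
     * verified parse has already failed.
     */
    private boolean isAnExpiredException(String str) {
        JsonToken token = this.jsonTokenParser.deserialize(str);
        Instant now = Instant.now();
        boolean timeWindowValid = this.jsonTokenParser.issuedAtIsValid(token, now)
                && this.jsonTokenParser.expirationIsValid(token, now);
        return !timeWindowValid;
    }

    /**
     * Mints the access token for the request: client id, domain, optional device id, and — when a
     * principal is present — the user id and groups. The authorization expiration is stored in the
     * token's state field as well as used as the token lifetime.
     */
    private String getAccessToken(AuthorizationRequestContext authorizationRequestContext) {
        long expiration = authorizationRequestContext.getAuthorizationExpiration().longValue();
        TokenInfo.Builder builder = TokenInfo.newBuilder()
                .setType(TokenType.TOKEN)
                .setClientId(authorizationRequestContext.getIssuerClient().getId())
                .setState(Long.toString(expiration))
                .setDomainId(authorizationRequestContext.getRequestedDomain().getId());
        Optional<String> deviceId = Optional.ofNullable(authorizationRequestContext.getDeviceId());
        deviceId.ifPresent(builder::setDeviceId);
        TokenInfo tokenInfo = authorizationRequestContext.hasPrincipal()
                ? builder.setUserId(authorizationRequestContext.getPrincipal().getId())
                        .setGroups(authorizationRequestContext.getPrincipal().getGroups())
                        .build()
                : builder.build();
        return this.tokenFactory.createToken(tokenInfo, expiration, new String[0]).getAccessToken();
    }

    /**
     * Refresh-token flow: resolves the user owning the refresh token and grants access as that user.
     *
     * @throws UnauthorizedException if the refresh token maps to no user
     */
    private TokenGrant refreshToken(AuthorizationRequestContext authorizationRequestContext) throws TokenVerificationException, UnauthorizedException {
        User user = this.refreshTokenService.getUserFromRefreshToken(authorizationRequestContext.getRefreshToken());
        if (user == null) {
            throw new UnauthorizedException(Message.PRINCIPAL_EXISTS_UNAUTHORIZED.getMessage(authorizationRequestContext.getPrincipalId()));
        }
        authorizationRequestContext.setPrincipalId(user.getUsername());
        return grantAccess(authorizationRequestContext, Optional.of(user));
    }

    /** Persists the issued token for the user, keyed by access token, with its expiry and scope ids. */
    private void storeUserToken(TokenGrant tokenGrant, User user, String str, Set<String> set) {
        this.userTokenRepository.save(new UserToken(tokenGrant.getAccessToken(), user.getId(), str, new Date(tokenGrant.getExpiresAt()), set));
    }

    /** Records a device connection for the user; a request without a device id records nothing. */
    private void updateDeviceLastConnection(String str, String str2, String str3) {
        if (str3 != null) {
            this.deviceService.deviceConnect(str, str2, str3);
        }
    }
}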
