package io.camunda.tasklist.webapp.security.identity;

import io.camunda.identity.sdk.Identity;
import io.camunda.identity.sdk.authentication.AccessToken;
import io.camunda.identity.sdk.authentication.Tokens;
import io.camunda.identity.sdk.authentication.UserDetails;
import io.camunda.identity.sdk.authentication.exception.TokenDecodeException;
import io.camunda.identity.sdk.exception.InvalidConfigurationException;
import io.camunda.identity.sdk.impl.rest.exception.RestException;
import io.camunda.tasklist.property.TasklistProperties;
import io.camunda.tasklist.util.SpringContextHolder;
import io.camunda.tasklist.webapp.security.OldUsernameAware;
import io.camunda.tasklist.webapp.security.Permission;
import io.camunda.tasklist.webapp.security.tenant.TasklistTenant;
import io.camunda.tasklist.webapp.security.tenant.TenantAwareAuthentication;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Objects;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.commons.collections4.CollectionUtils;
import org.jetbrains.annotations.NotNull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

/* loaded from: input_file:io/camunda/tasklist/webapp/security/identity/IdentityAuthentication.class */
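/**
 * Spring Security {@code Authentication} backed by a Camunda Identity token pair.
 *
 * <p>{@link #authenticate(Tokens)} verifies the access token through the Identity SDK and copies the
 * user id, name, display name, permissions, subject, expiry, groups and (optionally) the resource
 * authorizations out of it. {@link #isAuthenticated()} re-checks the access-token expiry on every
 * call and, while the refresh token is still valid, renews the pair through Identity. Tenants are
 * fetched lazily on the first {@link #getTenants()} call.
 *
 * <p>Thread-safety: only {@code tenants} is guarded (volatile field plus double-checked locking);
 * every other field is written by {@link #authenticate(Tokens)} and the fluent setters without
 * synchronization.
 *
 * <p>The Identity client and the Tasklist properties are looked up through
 * {@link SpringContextHolder} rather than injected, so an instance is usable wherever the Spring
 * context is reachable (e.g. after deserialisation from the session).
 */
public class IdentityAuthentication extends AbstractAuthenticationToken
        implements OldUsernameAware, TenantAwareAuthentication {
    private static final Logger LOGGER = LoggerFactory.getLogger(IdentityAuthentication.class);

    /** Request header that marks a background poll; the refresh-token expiry is not re-read for those. */
    private static final String POLLING_HEADER = "x-is-polling";

    /** Access/refresh token pair this authentication is derived from; null until authenticate() ran. */
    private Tokens tokens;
    /** Identity user id (also exposed as the "old" user name, see getOldName()). */
    private String id;
    /** User name, falling back to the id when Identity reports none. */
    private String name;
    /** Display name from Identity, falling back to {@link #name}. */
    private String userDisplayName;
    /** Raw permission strings from the verified access token; converted on each getPermissions() call. */
    private List<String> permissions;
    /** JWT subject of the access token; returned as the principal. */
    private String subject;
    /** Access-token expiry; null means "expired" (see hasExpired()). */
    private Date expires;
    /** Refresh-token expiry; null means "unknown", which isAuthenticated() treats as expired. */
    private Date refreshTokenExpiresAt;
    /** Lazily loaded tenant list; an empty list is treated as "not loaded yet" by getTenants(). */
    private volatile List<TasklistTenant> tenants;
    /** Resource authorizations, only populated when resource permissions are enabled. */
    private IdentityAuthorization authorization;
    /** Group memberships from the verified access token. */
    private List<String> groups;

    /** Creates an unauthenticated token with no granted authorities and no tenants. */
    public IdentityAuthentication() {
        // No GrantedAuthority list: access is decided by Identity permissions, not Spring roles.
        super(null);
        this.tenants = List.of();
    }

    /**
     * Returns the raw access token as the credential, or null before authenticate() ran.
     *
     * <p>The decompiled listing had emitted this method as {@code m36getCredentials}; the bytecode name
     * is {@code getCredentials}, which is the {@code Authentication} contract method.
     */
    @Override
    public String getCredentials() {
        return this.tokens == null ? null : this.tokens.getAccessToken();
    }

    /** Returns the JWT subject of the access token (null before authenticate() ran). */
    @Override
    public Object getPrincipal() {
        return this.subject;
    }

    /**
     * Returns the tenants the access token grants access to, loading them on first use.
     *
     * <p>Double-checked locking on the volatile {@code tenants} field. Because an empty list is the
     * "not loaded" marker, an empty or failed lookup is retried on the next call instead of cached.
     */
    @Override // io.camunda.tasklist.webapp.security.tenant.TenantAwareAuthentication
    public List<TasklistTenant> getTenants() {
        if (CollectionUtils.isEmpty(this.tenants)) {
            synchronized (this) {
                if (CollectionUtils.isEmpty(this.tenants)) {
                    retrieveTenants();
                }
            }
        }
        return this.tenants;
    }

    /**
     * Loads the tenants for the current access token, sorted with {@code TENANT_NAMES_COMPARATOR}
     * (resolved from a supertype; it is not declared in this class). Multi-tenancy being disabled, an
     * empty answer and a {@link RestException} all result in an empty list.
     */
    private void retrieveTenants() {
        if (!getTasklistProperties().getMultiTenancy().isEnabled()) {
            this.tenants = List.of();
            return;
        }
        try {
            var tenantsForToken = getIdentity().tenants().forToken(this.tokens.getAccessToken());
            if (CollectionUtils.isNotEmpty(tenantsForToken)) {
                this.tenants = tenantsForToken.stream()
                        .map(tenant -> new TasklistTenant(tenant.getTenantId(), tenant.getName()))
                        .sorted(TENANT_NAMES_COMPARATOR)
                        .toList();
            } else {
                this.tenants = List.of();
            }
        } catch (RestException e) {
            // Degrade to "no tenants" rather than failing the request; the lookup is retried later.
            LOGGER.warn("Unable to retrieve tenants from Identity. Error: " + e.getMessage(), e);
            this.tenants = List.of();
        }
    }

    /** Returns the underlying token pair (credentials; callers must not log or expose it). */
    public Tokens getTokens() {
        return this.tokens;
    }

    /** True when the access-token expiry is unknown or lies in the past. */
    private boolean hasExpired() {
        return this.expires == null || this.expires.before(new Date());
    }

    /**
     * True when the refresh-token expiry is unknown or lies in the past.
     *
     * <p>The expiry is only decoded by authenticate() for non-polling requests, so "unknown" also
     * covers an authentication that never decoded it.
     */
    private boolean hasRefreshTokenExpired() {
        LOGGER.info("Refresh token will expire at {}", this.refreshTokenExpiresAt);
        return this.refreshTokenExpiresAt == null || this.refreshTokenExpiresAt.before(new Date());
    }

    /** Returns the user name (falls back to the user id when Identity reports none). */
    @Override
    public String getName() {
        return this.name;
    }

    /**
     * Re-validates the access token on every call.
     *
     * <p>An expired access token is renewed with the refresh token when that is still valid;
     * otherwise the authentication is marked invalid and the refresh token is revoked at Identity.
     * A failed renewal marks the authentication invalid but does not throw. A failed revocation is
     * not caught here and propagates to the caller.
     *
     * @return the flag kept by the superclass after the expiry check and optional renewal
     */
    @Override
    public boolean isAuthenticated() {
        if (hasExpired()) {
            LOGGER.info("Access token is expired");
            if (this.tokens == null) {
                // Never authenticated: there is nothing to renew or revoke.
                setAuthenticated(false);
                return false;
            }
            if (hasRefreshTokenExpired()) {
                LOGGER.info("No refresh token available. Authentication is invalid.");
                setAuthenticated(false);
                getIdentity().authentication().revokeToken(this.tokens.getRefreshToken());
                return false;
            }
            try {
                LOGGER.info("Get a new access token by using refresh token");
                renewAccessToken();
            } catch (Exception e) {
                LOGGER.error("Renewing access token failed with exception", e);
                setAuthenticated(false);
            }
        }
        return super.isAuthenticated();
    }

    /** Returns the Identity user id. */
    public String getId() {
        return this.id;
    }

    /**
     * Converts the raw permission strings of the access token into {@link Permission}s.
     *
     * @return a new, mutable list; empty when no permissions were set yet
     */
    public List<Permission> getPermissions() {
        PermissionConverter converter = PermissionConverter.getInstance();
        Stream<String> rawPermissions =
                this.permissions == null ? Stream.<String>empty() : this.permissions.stream();
        return rawPermissions.map(converter::convert).collect(Collectors.toList());
    }

    /**
     * Verifies the access token and populates this authentication from it.
     *
     * @param tokens the token pair to authenticate with; null keeps the previously stored pair
     * @throws NullPointerException when no token pair is available at all
     * @throws InsufficientAuthenticationException when the token does not carry the READ permission
     */
    public void authenticate(Tokens tokens) {
        if (tokens != null) {
            this.tokens = tokens;
        }
        Objects.requireNonNull(this.tokens, "tokens");
        AccessToken accessToken =
                getIdentity().authentication().verifyToken(this.tokens.getAccessToken());
        UserDetails userDetails = accessToken.getUserDetails();
        this.id = userDetails.getId();
        this.name = retrieveName(userDetails);
        this.userDisplayName = retrieveUserDisplayName(userDetails);
        this.permissions = accessToken.getPermissions();
        // Fail closed: a token without READ never becomes an authenticated principal.
        if (!getPermissions().contains(Permission.READ)) {
            throw new InsufficientAuthenticationException("No read permissions");
        }
        loadAuthorizations();
        this.subject = accessToken.getToken().getSubject();
        this.expires = accessToken.getToken().getExpiresAt();
        this.groups = userDetails.getGroups();
        // Background polls do not re-read the refresh-token expiry (the header is client-supplied,
        // so it only decides this bookkeeping step, never whether the token is accepted).
        if (!isPolling()) {
            loadRefreshTokenExpiry();
        }
        setAuthenticated(!hasExpired());
    }

    /**
     * Fetches the resource authorizations for the access token when resource permissions are enabled.
     * Misconfiguration is logged at debug level and leaves {@code authorization} unchanged.
     */
    private void loadAuthorizations() {
        try {
            if (getTasklistProperties().getIdentity().isResourcePermissionsEnabled()) {
                this.authorization = new IdentityAuthorization(
                        getIdentity().authorizations().forToken(this.tokens.getAccessToken()));
            }
        } catch (InvalidConfigurationException e) {
            LOGGER.debug("Base URL is not provided so it's not possible to get authorizations from Identity");
        } catch (Exception e) {
            LOGGER.debug("Identity and Tasklist misconfiguration.", e);
        }
    }

    /**
     * Decodes the refresh token to record its expiry. An undecodable token leaves the expiry
     * unchanged; only the failure reason is logged, never the token itself (it is a credential).
     */
    private void loadRefreshTokenExpiry() {
        try {
            this.refreshTokenExpiresAt =
                    getIdentity().authentication().decodeJWT(this.tokens.getRefreshToken()).getExpiresAt();
        } catch (TokenDecodeException e) {
            LOGGER.error("Unable to decode refresh token with exception: {}", e.getMessage());
        }
    }

    /** Looks up the Tasklist properties bean from the Spring context. */
    @NotNull
    private static TasklistProperties getTasklistProperties() {
        return SpringContextHolder.getBean(TasklistProperties.class);
    }

    /** User name from Identity, or the user id when no user name is present. */
    private String retrieveName(UserDetails userDetails) {
        return userDetails.getUsername().orElse(userDetails.getId());
    }

    /** Exchanges the refresh token for a new pair and re-authenticates with it. */
    private void renewAccessToken() {
        authenticate(renewTokens(this.tokens.getRefreshToken()));
    }

    /**
     * Asks Identity for a new token pair, retrying through {@link IdentityService#requestWithRetry}.
     *
     * @param refreshToken the refresh token to exchange
     */
    private Tokens renewTokens(String refreshToken) {
        return IdentityService.requestWithRetry(
                () -> getIdentity().authentication().renewToken(refreshToken));
    }

    /** Looks up the Identity client bean from the Spring context. */
    private Identity getIdentity() {
        return SpringContextHolder.getBean(Identity.class);
    }

    /** Overrides the access-token expiry (fluent). */
    public IdentityAuthentication setExpires(Date date) {
        this.expires = date;
        return this;
    }

    /** Overrides the raw permission strings (fluent). */
    public IdentityAuthentication setPermissions(List<String> list) {
        this.permissions = list;
        return this;
    }

    /** Returns the display name (falls back to {@link #getName()}). */
    public String getUserDisplayName() {
        return this.userDisplayName;
    }

    /**
     * Display name from the already verified user details, or the user name stored in
     * {@link #name} when Identity reports none; must be called after {@link #name} is set.
     */
    private String retrieveUserDisplayName(UserDetails userDetails) {
        return userDetails.getName().orElse(this.name);
    }

    /** Overrides the display name (fluent). */
    public IdentityAuthentication setUserDisplayName(String str) {
        this.userDisplayName = str;
        return this;
    }

    /** The pre-Identity user name, which is the user id. */
    @Override // io.camunda.tasklist.webapp.security.OldUsernameAware
    public String getOldName() {
        return getId();
    }

    /** Returns the resource authorizations, or null when they were not loaded. */
    public IdentityAuthorization getAuthorizations() {
        return this.authorization;
    }

    /** Overrides the resource authorizations (fluent). */
    public IdentityAuthentication setAuthorizations(IdentityAuthorization identityAuthorization) {
        this.authorization = identityAuthorization;
        return this;
    }

    /** Returns the group memberships as stored (no defensive copy). */
    public List<String> getGroups() {
        return this.groups;
    }

    /** Overrides the group memberships (fluent). */
    public IdentityAuthentication setGroups(List<String> list) {
        this.groups = list;
        return this;
    }

    /**
     * True when the current servlet request carries the {@code x-is-polling} header with a true
     * value; false outside a servlet request.
     */
    private boolean isPolling() {
        if (RequestContextHolder.getRequestAttributes() instanceof ServletRequestAttributes servletAttributes) {
            return Boolean.parseBoolean(servletAttributes.getRequest().getHeader(POLLING_HEADER));
        }
        return false;
    }
}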
