package cronapp.framework.authentication.token;

import com.google.gson.JsonArray;
import com.google.gson.JsonObject;
import cronapi.AppConfig;
import cronapi.RestClient;
import cronapi.Var;
import cronapi.database.DatabaseQueryManager;
import cronapi.database.HistoryListener;
import cronapi.database.TransactionManager;
import cronapi.util.Operations;
import cronapp.framework.LockedUserException;
import cronapp.framework.api.ApiManager;
import cronapp.framework.api.EventsManager;
import cronapp.framework.api.User;
import cronapp.framework.api.response.DefaultResponse;
import cronapp.framework.authentication.external.ExternalAuthenticationConfig;
import cronapp.framework.authentication.security.CronappUserDetails;
import cronapp.framework.authentication.security.Permission;
import cronapp.framework.authentication.social.SocialConfig;
import cronapp.framework.authentication.token.google.CaptchaVerify;
import cronapp.framework.authentication.token.google.ICaptchaVerify;
import cronapp.framework.core.CronappConfiguration;
import cronapp.framework.core.CronappSettingsService;
import cronapp.framework.i18n.Messages;
import cronapp.framework.persistence.PasswordConstraintException;
import cronapp.framework.tenant.TenantComponent;
import io.jsonwebtoken.Claims;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.StringJoiner;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.lang.Nullable;
import org.springframework.mobile.device.Device;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.encrypt.Encryptors;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

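/**
 * Login, token refresh, self-service password reset and sign-up endpoints mounted under {@code /auth}.
 *
 * <p>Every credential check outcome is written to the audit log via {@link #doLogAuthOperation}.
 * An issued JWT is returned twice: in the {@link AuthenticationResponse} body and as a cookie
 * built by {@code TokenUtils.createCookieFromToken}. The decompiled parameter names
 * ({@code str}, {@code str2}, ...) are kept on the public methods so Spring's request binding
 * and any external callers are unaffected.
 */
@RequestMapping({"auth"})
@ConditionalOnProperty(name = {"cronapp.security.authentication"}, havingValue = "true", matchIfMissing = true)
@RestController
/* loaded from: input_file:cronapp/framework/authentication/token/AuthenticationController.class */
public class AuthenticationController {
    /** Token scope that authorises nothing but a password change for the token's subject. */
    private static final String SCOPE_UPDATE_CURRENT_USER_PASSWORD = "update:current_user:password";
    /** Provider name for username/password logins against the application's own user store. */
    private static final String LOCAL_PROVIDER = "local";
    /** Username placeholder meaning "take the identity from the supplied token" (OAuth flows). */
    private static final String OAUTH_USERNAME_MARKER = "#OAUTH#";
    /** Roles every local caller holds; listed first and never duplicated in the role string. */
    private static final String PUBLIC_ROLE = "Public";
    private static final String AUTHENTICATED_ROLE = "Authenticated";
    private static final String ROLE_SEPARATOR = ",";
    /** Credential placeholder stored on the Spring principal; the real hash never leaves the user store. */
    private static final String PRINCIPAL_PASSWORD_PLACEHOLDER = "password";

    private final TenantComponent tenantComponent;
    private final Logger logger = LoggerFactory.getLogger(getClass());
    private ICaptchaVerify captchaVerify = new CaptchaVerify();

    /**
     * @param tenantComponent multi-tenant hook notified after a successful login; may be {@code null}
     *                        when the application is single-tenant
     */
    public AuthenticationController(@Nullable TenantComponent tenantComponent) {
        this.tenantComponent = tenantComponent;
    }

    /**
     * Local (username/password) login endpoint: {@code POST /auth}.
     *
     * @param str                 username
     * @param str2                password
     * @param device              resolved client device, forwarded into the token
     * @param str3                optional existing token from the {@code X-AUTH-TOKEN} header; when absent
     *                            the token cookie is consulted instead
     * @param httpServletRequest  current request (cookies, TLS flag, captcha payload)
     * @param httpServletResponse response the token cookie is added to
     * @return the authenticated user, the new token and its roles
     * @throws AuthenticationException when the credentials are rejected or the account is locked
     */
    @RequestMapping(method = {RequestMethod.POST})
    public ResponseEntity<AuthenticationResponse> authenticationRequest(@RequestParam String str, String str2, Device device, @RequestHeader(name = "X-AUTH-TOKEN", required = false) String str3, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException {
        String existingToken = tokenOrCookie(str3, httpServletRequest);
        return auth(str, str2, device, LOCAL_PROVIDER, existingToken, null, httpServletRequest, httpServletResponse);
    }

    /**
     * Core login routine shared by the local endpoint and the social/external flows.
     *
     * <p>Order of checks: account lock, captcha, user lookup (with optional auto sign-up), then the
     * password (local provider only). On success the Spring security context is populated, the
     * tenant hook and the server-side {@code onLogin} event run, a token is issued and the account's
     * failed-attempt counter is cleared. Any failure inside the guarded section is logged, counted as a
     * failed attempt and surfaced as {@link AuthenticationServiceException}.
     *
     * @param str                 username, or {@link #OAUTH_USERNAME_MARKER} to take the subject from {@code str4}
     * @param str2                password (ignored for non-local providers)
     * @param device              client device, forwarded into the token
     * @param str3                provider name ({@code "local"}, a social provider, {@code "SSO"}, ...); may be {@code null}
     * @param str4                existing token, if any; its subject/provider/authorities are reused when present
     * @param jsonObject          provider payload; an {@code authorities[].role} array in it is merged into the granted roles
     * @param httpServletRequest  current request
     * @param httpServletResponse response the token cookie is added to
     * @return the authenticated user, the new token, its expiry and roles
     * @throws AuthenticationException when authentication fails for any reason
     */
    public ResponseEntity<AuthenticationResponse> auth(String str, String str2, Device device, String str3, String str4, JsonObject jsonObject, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException {
        String username = str;
        String provider = str3;
        if (StringUtils.hasLength(str4)) {
            String tokenProvider = TokenUtils.getProviderFromToken(str4);
            // A non-local token plus the "#OAUTH#" marker means "log in as that token's subject".
            if (provider != null && !LOCAL_PROVIDER.equals(tokenProvider) && OAUTH_USERNAME_MARKER.equals(username)) {
                username = TokenUtils.getUsernameFromToken(str4);
                provider = tokenProvider;
                if (TokenUtils.isTokenExpired(str4)) {
                    throw new AuthenticationServiceException(Messages.getString("AuthError"));
                }
            }
        }
        boolean externalProvider = !LOCAL_PROVIDER.equals(provider);
        boolean autoSignUp = false;
        boolean externallyAuthenticated = false;
        CronappUserDetails externalDetails = null;
        if (ExternalAuthenticationConfig.isExternalAuth()) {
            // LDAP/AD-style setups: the external directory validates the password, not this class.
            Authentication result = ExternalAuthenticationConfig.authenticateExternally(new UsernamePasswordAuthenticationToken(username, str2));
            provider = ExternalAuthenticationConfig.getExternalAuthType();
            externallyAuthenticated = true;
            autoSignUp = AppConfig.autoSignUp();
            if (result.getPrincipal() instanceof CronappUserDetails) {
                externalDetails = (CronappUserDetails) result.getPrincipal();
            }
        } else if (ExternalAuthenticationConfig.isSocial(provider)) {
            autoSignUp = SocialConfig.isAutoSignUp();
        } else if ("SSO".equalsIgnoreCase(provider)) {
            autoSignUp = AppConfig.autoSignUp();
        }
        ApiManager credentials = ApiManager.byUserAndPassword(username, str2, provider, autoSignUp, jsonObject);
        try {
            if (ApiManager.isUserLocked(ApiManager.byUser(username).getUser())) {
                doLogAuthOperation("Fail", "auth", username, Arrays.asList("Reason", "UserLocked"));
                throw new LockedUserException(Messages.getString("UserLocked"));
            }
            verifyRecaptcha(username, httpServletRequest);
            User user = credentials.getUser(externalDetails);
            if (user == null) {
                doLogAuthOperation("Fail", "auth", username, Arrays.asList("Reason", "UserNotFound"));
                throw new UsernameNotFoundException(Messages.getString("UserNotFound"));
            }
            if (ExternalAuthenticationConfig.isExternalAuth() && !externalProvider && !externallyAuthenticated) {
                doLogAuthOperation("Fail", "auth", username, Arrays.asList("Reason", "UserOrPassordInvalids"));
                throw new BadCredentialsException(Messages.getString("UserOrPassordInvalids"));
            }
            // NOTE(review): only the local provider is password-checked here; for social/SSO providers the
            // proof of identity has to come from the token or from ApiManager.byUserAndPassword. Confirm that
            // str3 can never be chosen freely by an unauthenticated caller on the other entry points.
            if (!ExternalAuthenticationConfig.isExternalAuth() && !externalProvider && !credentials.passwordMatches(str2, user.getPassword())) {
                doLogAuthOperation("Fail", "auth", username, Arrays.asList("Reason", "UserOrPassordInvalids"));
                throw new BadCredentialsException(Messages.getString("UserOrPassordInvalids"));
            }
            Collection<? extends GrantedAuthority> authorities;
            if (StringUtils.hasLength(str4)) {
                authorities = TokenUtils.getAuthoritiesFromToken(str4).stream().map(SimpleGrantedAuthority::new).collect(Collectors.toSet());
            } else if (externalDetails != null) {
                authorities = externalDetails.getAuthorities();
            } else {
                authorities = credentials.getAuthorities();
            }
            authorities = mergeRequestedAuthorities(authorities, jsonObject);
            org.springframework.security.core.userdetails.User principal = new org.springframework.security.core.userdetails.User(username, PRINCIPAL_PASSWORD_PLACEHOLDER, true, true, true, true, authorities);
            SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(principal, PRINCIPAL_PASSWORD_PLACEHOLDER, authorities));
            StringJoiner roles = defaultRoles();
            boolean root = false;
            for (GrantedAuthority authority : authorities) {
                String role = authority.getAuthority();
                if (isDefaultRole(role)) {
                    continue;
                }
                roles.add(role);
                if (role.equalsIgnoreCase(Permission.ROOT_ROLE)) {
                    root = true;
                }
            }
            if (this.tenantComponent != null) {
                this.tenantComponent.authenticationTenant(user.getUsername());
            }
            // presumably returns a copy without the stored password hash for the response body — confirm in User
            User responseUser = user.resetPassword();
            if (EventsManager.hasEvent("onLogin") && "server".equalsIgnoreCase(EventsManager.getEvent("onLogin").get(ApiManager.SECURABLE_ATTRIBUTE_TYPE).getAsString())) {
                EventsManager.executeEventOnTransaction("onLogin", Var.valueOf("username", username));
            }
            String token = TokenUtils.generateToken(principal, user.getName(), device, provider);
            Date expiration = TokenUtils.getExpirationDateFromToken(token);
            ApiManager.unlockUser(user);
            doLogAuthOperation("Success", "auth", username, Arrays.asList("Roles", roles.toString()));
            httpServletResponse.addCookie(TokenUtils.createCookieFromToken(token, httpServletRequest.isSecure()));
            return ResponseEntity.ok(new AuthenticationResponse(responseUser, token, expiration.getTime(), roles.toString(), root));
        } catch (Exception e) {
            this.logger.error(Messages.getString("AuthError", e.getMessage()), e);
            // NOTE(review): the decompiled source passes null as the user to the attempt/lock bookkeeping below;
            // verify against the original source which account the counter is meant to track.
            ApiManager.attemptFailed(null);
            if (ApiManager.isUserLocked(null) || ApiManager.getFailedAttempts(null) <= AppConfig.getFailedAttempts().intValue()) {
                doLogAuthOperation("Fail", "auth", username, Arrays.asList("Reason", e.getMessage()));
                // NOTE(review): e.getMessage() reaches the client here; internal exception text (driver or
                // directory errors) may be more than a login response should disclose.
                throw new AuthenticationServiceException(Messages.getString("AuthError", e.getMessage()));
            }
            ApiManager.lockUser(null);
            doLogAuthOperation("Fail", "auth", username, Arrays.asList("Reason", "UserLocked10Min"));
            throw new AuthenticationServiceException(Messages.getString("UserLocked10Min"));
        }
    }

    /**
     * Token refresh endpoint: {@code GET /auth/refresh}.
     *
     * <p>The current token is read from the auth header, falling back to the cookie. A token is
     * refreshed only when {@code TokenUtils.canTokenBeRefreshed} allows it and the token carries no
     * scope, so a narrowly scoped token (e.g. a password-reset token) can never be turned into a full
     * session. Roles come from the old token for external/SSO identities and from the user store for
     * local ones.
     *
     * @return {@code 200} with the refreshed token, or {@code 400} with an empty body when the token is
     *         missing, not refreshable or scoped
     */
    @RequestMapping(value = {"refresh"}, method = {RequestMethod.GET})
    public ResponseEntity<?> authenticationRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String token = tokenOrCookie(httpServletRequest.getHeader(TokenUtils.AUTH_HEADER_NAME), httpServletRequest);
        // No credential at all: answer 400 instead of letting the token parser throw on null.
        if (token == null || token.isBlank()) {
            return ResponseEntity.badRequest().body((Object) null);
        }
        if (!TokenUtils.canTokenBeRefreshed(token, TokenUtils.getExpirationDateFromToken(token)) || !TokenUtils.getScopeFromToken(token).isEmpty()) {
            return ResponseEntity.badRequest().body((Object) null);
        }
        String refreshed = TokenUtils.refreshToken(token);
        // Report the expiry of the token we hand out, not of the one being replaced.
        Date expiration = TokenUtils.getExpirationDateFromToken(refreshed);
        String username = TokenUtils.getUsernameFromToken(token);
        String displayName = TokenUtils.getNameFromToken(token);
        if (displayName == null || displayName.isEmpty()) {
            displayName = username;
        }
        ApiManager account = ApiManager.byUser(username);
        StringJoiner roles;
        boolean root;
        if (ExternalAuthenticationConfig.isExternalAuth() || "SSO".equalsIgnoreCase(ExternalAuthenticationConfig.getExternalAuthType())) {
            // Externally managed identity: the refreshed token carries exactly the roles the old one did.
            List<String> tokenRoles = TokenUtils.getAuthoritiesFromToken(token);
            roles = new StringJoiner(ROLE_SEPARATOR);
            tokenRoles.forEach(roles::add);
            root = tokenRoles.stream().anyMatch(role -> role.equalsIgnoreCase(Permission.ROOT_ROLE));
        } else {
            // Local identity: roles are re-read from the user store rather than copied from the old token.
            roles = defaultRoles();
            root = false;
            for (GrantedAuthority authority : account.getAuthorities()) {
                String role = authority.getAuthority();
                roles.add(role);
                if (role.equalsIgnoreCase(Permission.ROOT_ROLE)) {
                    root = true;
                }
            }
        }
        AuthenticationResponse body = new AuthenticationResponse(new User(displayName, username), refreshed, expiration.getTime(), roles.toString(), root);
        httpServletResponse.addCookie(TokenUtils.createCookieFromToken(refreshed, httpServletRequest.isSecure()));
        return ResponseEntity.ok(body);
    }

    /**
     * Runs the captcha check for the login attempt.
     *
     * @throws AuthenticationServiceException when the captcha is rejected or the verifier fails
     */
    private void verifyRecaptcha(String username, HttpServletRequest request) {
        try {
            Assert.isTrue(this.captchaVerify.processRequest(username, request), "");
        } catch (Exception e) {
            this.logger.error(Messages.getString("AuthError", e.getMessage()), e);
            throw new AuthenticationServiceException(Messages.getString("AuthError", e.getMessage()));
        }
    }

    /**
     * Writes one authorization audit record ({@code app.authorization.<outcome>}) when an audit-log
     * entity is configured; otherwise does nothing. Logging failures are reported but never fail the
     * login, so an audit outage does not become a denial of service.
     *
     * @param outcome    {@code "Success"} or {@code "Fail"}
     * @param command    operation name, e.g. {@code "auth"}
     * @param username   account the operation concerns
     * @param parameters flat key/value list serialised into the record's {@code objectData}
     */
    private void doLogAuthOperation(String outcome, String command, String username, List<String> parameters) {
        try {
            DatabaseQueryManager auditLogManager = HistoryListener.getAuditLogManager();
            if (auditLogManager == null) {
                return;
            }
            Class<?> entity = Class.forName(auditLogManager.getEntity());
            TransactionManager.begin(entity);
            JsonArray values = new JsonArray();
            parameters.forEach(values::add);
            JsonObject objectData = new JsonObject();
            objectData.add("parameters", values);
            Var record = new Var(new LinkedHashMap<String, Object>());
            record.set(ApiManager.SECURABLE_ATTRIBUTE_TYPE, "app.authorization." + outcome);
            record.set("command", command);
            record.set("category", "Authorization");
            record.set("date", new Date());
            record.set("objectData", objectData.toString());
            RestClient client = RestClient.getRestClient();
            if (client != null) {
                record.set("user", username);
                record.set("host", client.getHost());
                record.set("agent", client.getAgent());
            }
            record.set("server", HistoryListener.CURRENT_IP);
            record.set("affectedFields", (Object) null);
            record.set("application", AppConfig.guid());
            auditLogManager.insert(record, new Object[0]);
            TransactionManager.commit(entity);
        } catch (Exception e) {
            this.logger.error("Error on logging: {}", e.getMessage(), e);
        }
    }

    /**
     * Starts a password reset: {@code POST /auth/reset-password}.
     *
     * <p>Issues a token scoped to {@link #SCOPE_UPDATE_CURRENT_USER_PASSWORD} and hands it to the
     * {@code UserManager:sendResetPasswordEmail} block. The endpoint always answers {@code 200 {}}:
     * failures are logged server-side only, so the response does not reveal whether the address is
     * registered.
     *
     * @param str e-mail / username of the account to reset
     */
    @PostMapping({"reset-password"})
    public ResponseEntity<String> resetPassword(@RequestParam("email") String str) {
        try {
            User user = ApiManager.byUser(str).getUser();
            if (user != null) {
                Map<String, Object> claims = new HashMap<>();
                claims.put("sub", user.getUsername());
                claims.put("scope", SCOPE_UPDATE_CURRENT_USER_PASSWORD);
                String resetToken = TokenUtils.generateToken(claims, TokenUtils.generateExpirationDate(), (String) null);
                Operations.callBlockly(Var.valueOf("UserManager:sendResetPasswordEmail"), new Var[]{Var.valueOf(user.getEmail()), Var.valueOf(user.getName()), Var.valueOf(resetToken)});
            }
        } catch (Exception e) {
            this.logger.error(Messages.getString("AuthError", e.getMessage()), e);
        }
        return new ResponseEntity<>("{}", HttpStatus.OK);
    }

    /**
     * Completes a password reset: {@code POST /auth/confirm-reset-password}.
     *
     * <p>The reset token (header, else cookie) must be unexpired and carry the
     * {@link #SCOPE_UPDATE_CURRENT_USER_PASSWORD} scope. When the token carries an {@code otp} claim,
     * the {@code otp} parameter must be present and match its decrypted value. If an
     * {@code onResetPassword} event exists it performs the update; otherwise the user store is updated
     * directly and password-policy violations are rethrown as {@link PasswordConstraintException}.
     *
     * @param str  new password
     * @param str2 one-time password, required only when the token carries an {@code otp} claim
     * @param str3 reset token from the {@code X-AUTH-TOKEN} header (cookie fallback when absent)
     * @throws ForbiddenException             on expired token, wrong scope or OTP mismatch
     * @throws AuthenticationServiceException when the user store rejects the update for another reason
     */
    @PostMapping({"confirm-reset-password"})
    public void confirmResetPassword(@RequestParam("password") String str, @RequestParam(value = "otp", required = false) String str2, @RequestHeader(value = "X-AUTH-TOKEN", required = false) String str3, HttpServletRequest httpServletRequest) {
        // required=false on the header makes the cookie fallback reachable, matching the login endpoint.
        String token = tokenOrCookie(str3, httpServletRequest);
        if (token == null || token.isBlank() || TokenUtils.isTokenExpired(token)) {
            throw new ForbiddenException(Messages.getString("ResetPasswordTokenExpired"));
        }
        String username = TokenUtils.getUsernameFromToken(token);
        List<String> scopes = TokenUtils.getScopeFromToken(token);
        Claims claims = TokenUtils.getClaimsFromToken(token);
        if (username == null || !scopes.contains(SCOPE_UPDATE_CURRENT_USER_PASSWORD)) {
            throw new ForbiddenException(Messages.getString("UserOrPassordInvalids"));
        }
        Object otpClaim = claims.get("otp");
        // Check the claim itself: String.valueOf(null) is the string "null", so the old null test never fired.
        if (otpClaim != null) {
            // A token issued with an OTP may not be consumed without one.
            if (str2 == null) {
                throw new ForbiddenException(Messages.getString("InvalidOTP"));
            }
            CronappSettingsService settings = (CronappSettingsService) CronappConfiguration.getBean(CronappSettingsService.class);
            String expectedOtp;
            try {
                expectedOtp = Encryptors.text(settings.getEncryptionKey(), settings.getEncryptionSalt()).decrypt(String.valueOf(otpClaim));
            } catch (IllegalStateException | IllegalArgumentException e) {
                // Undecryptable claim: treat as a bad OTP rather than surfacing a 500.
                throw new ForbiddenException(Messages.getString("InvalidOTP"));
            }
            if (!MessageDigest.isEqual(expectedOtp.getBytes(StandardCharsets.UTF_8), str2.getBytes(StandardCharsets.UTF_8))) {
                throw new ForbiddenException(Messages.getString("InvalidOTP"));
            }
        }
        if (EventsManager.hasEvent("onResetPassword")) {
            EventsManager.executeEventOnTransaction("onResetPassword", Var.valueOf(username), Var.valueOf(str));
            return;
        }
        try {
            ApiManager.byUser(username).updatePassword(str);
        } catch (Exception e) {
            PasswordConstraintException constraint = PasswordConstraintException.unwrap(e);
            if (constraint != null) {
                throw constraint;
            }
            throw new AuthenticationServiceException(Messages.getString("AuthError", e.getMessage()));
        }
    }

    /**
     * Self-service registration: {@code POST /auth/signup}.
     *
     * <p>Refused with {@code 403} when registration is disabled, {@code 400} when the username is taken.
     * Password-policy violations propagate as {@link PasswordConstraintException}; any other failure
     * (including a payload without {@code username}) is answered with {@code 403} and the generic error.
     *
     * @param var request body with at least {@code username} and {@code email}
     */
    @PostMapping({"signup"})
    public ResponseEntity<DefaultResponse> signUp(@RequestBody Var var) {
        DefaultResponse response = new DefaultResponse();
        if (!AppConfig.getIfRegistrationAvailable().booleanValue()) {
            return respond(response, HttpStatus.FORBIDDEN, Messages.getString("UserRegisterNotAvaliable"));
        }
        Map<String, Object> userData = var.getObjectAsMap();
        Object username = userData.get("username");
        if (userData.get(ApiManager.SECURABLE_ATTRIBUTE_NAME) == null) {
            userData.put(ApiManager.SECURABLE_ATTRIBUTE_NAME, username);
        }
        userData.put("normalizedUserName", username);
        userData.put("normalizedEmail", userData.get("email"));
        try {
            // A missing username lands in the catch below with a readable cause instead of a bare NPE.
            String usernameText = Objects.requireNonNull(username, "username").toString();
            if (ApiManager.byUser(usernameText).getUser() != null) {
                return respond(response, HttpStatus.BAD_REQUEST, Messages.getString("UserAlreadyExists"));
            }
            ApiManager.createUser(var);
            return respond(response, HttpStatus.CREATED, Messages.getString("UserRegisteredSuccessfully"));
        } catch (Exception e) {
            PasswordConstraintException constraint = PasswordConstraintException.unwrap(e);
            if (constraint != null) {
                throw constraint;
            }
            return respond(response, HttpStatus.FORBIDDEN, Messages.getString("AuthError", e.getMessage()));
        }
    }

    /** Returns the header token when it is non-blank, otherwise the token from the request cookies. */
    private static String tokenOrCookie(String headerToken, HttpServletRequest request) {
        if (headerToken == null || headerToken.isBlank()) {
            return TokenUtils.getTokenFromCookie(request.getCookies());
        }
        return headerToken;
    }

    /** Fresh role joiner pre-seeded with the two roles every local session carries. */
    private static StringJoiner defaultRoles() {
        StringJoiner roles = new StringJoiner(ROLE_SEPARATOR);
        roles.add(PUBLIC_ROLE);
        roles.add(AUTHENTICATED_ROLE);
        return roles;
    }

    /** True for the roles {@link #defaultRoles()} already contains. */
    private static boolean isDefaultRole(String role) {
        return PUBLIC_ROLE.equals(role) || AUTHENTICATED_ROLE.equals(role);
    }

    /**
     * Adds every {@code authorities[].role} from the provider payload that is not already granted.
     * Returns {@code granted} unchanged when the payload has no {@code authorities} element.
     *
     * <p>NOTE(review): whatever supplies {@code payload} effectively grants roles. Confirm it is the
     * identity provider's response and not client-controlled input.
     */
    private static Collection<? extends GrantedAuthority> mergeRequestedAuthorities(Collection<? extends GrantedAuthority> granted, JsonObject payload) {
        if (AppConfig.isNull(payload) || AppConfig.isNull(payload.get("authorities"))) {
            return granted;
        }
        List<String> roles = new ArrayList<>();
        granted.forEach(authority -> roles.add(authority.getAuthority()));
        payload.get("authorities").getAsJsonArray().forEach(element -> {
            String role = element.getAsJsonObject().get("role").getAsString();
            if (!roles.contains(role)) {
                roles.add(role);
            }
        });
        return AuthorityUtils.commaSeparatedStringToAuthorityList(StringUtils.collectionToCommaDelimitedString(roles));
    }

    /** Builds the {@link DefaultResponse} envelope with the same status in body and HTTP line. */
    private static ResponseEntity<DefaultResponse> respond(DefaultResponse response, HttpStatus status, String message) {
        return new ResponseEntity<>(response.parseResponse(Integer.valueOf(status.value()), message), status);
    }
}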
