package pl.decerto.hyperon.common.security;

import com.google.common.collect.ImmutableSet;
import java.util.Optional;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.ConditionContext;
import org.springframework.context.annotation.Conditional;
import org.springframework.context.annotation.ConfigurationCondition;
import org.springframework.core.type.AnnotatedTypeMetadata;
import org.springframework.security.authentication.AccountStatusException;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Component;
import org.springframework.web.context.request.RequestContextHolder;
import pl.decerto.hyperon.common.SecurityConstants;
import pl.decerto.hyperon.common.security.activedirectory.exception.EmptyFirstOrLastNameException;
import pl.decerto.hyperon.common.security.activedirectory.exception.InternalUserException;
import pl.decerto.hyperon.common.security.activedirectory.exception.NoRoleAssignedException;
import pl.decerto.hyperon.common.security.activedirectory.exception.NotUniqueEmailException;
import pl.decerto.hyperon.common.security.activedirectory.exception.NotUniqueLoginException;
import pl.decerto.hyperon.common.security.domain.LoginEvent;
import pl.decerto.hyperon.common.security.domain.SystemRights;
import pl.decerto.hyperon.common.security.dto.SystemUser;
import pl.decerto.hyperon.common.utils.Messages;

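@Conditional({SecurityCondition.class})
@Component
/**
 * Programmatic login entry point for the MPP application.
 *
 * <p>Two flows are offered: {@link #authenticate(String, String)} verifies login and
 * password through the configured {@link AuthenticationManager}, while
 * {@link #authenticateOmittingPassword(String)} only loads the user and checks the
 * access right — it performs no credential check at all (see its javadoc). In both
 * flows access is granted only when the resolved user holds
 * {@link SystemRights#MPP_ACCESS}; every outcome is recorded as a {@link LoginEvent}.
 *
 * <p>Failed password logins are counted per login name by {@link LoginAttemptHolder};
 * once the configured limit is reached further attempts are refused with a cool-down
 * message without touching the authentication manager.
 *
 * <p>The bean exists only when the property
 * {@link SecurityConstants#HIGSON_RUNTIME_REST_SECURITY_TYPE} is set
 * (see {@link SecurityCondition}).
 */
public class AccessGateway {
    private static final Logger log = LoggerFactory.getLogger(AccessGateway.class);
    private static final String UNAUTHORIZED_MESSAGE = Messages.message("authorization.unauthorized");

    /**
     * Failure types that are "known" credential problems: they are recorded as
     * {@link LoginEvent.Type#BAD_CREDENTIALS} and (except for bad credentials
     * themselves) their message may be returned to the caller. Matched by
     * {@code instanceof}, so subclasses count as well.
     */
    private static final ImmutableSet<Class<? extends AuthenticationException>> AUTHENTICATION_EXCEPTIONS = ImmutableSet.of(
            BadCredentialsException.class,
            NoRoleAssignedException.class,
            NotUniqueEmailException.class,
            NotUniqueLoginException.class,
            InternalUserException.class,
            EmptyFirstOrLastNameException.class);

    private final AuthenticationManager authenticationManager;
    private final UserDetailsService userService;
    private final LoginEventService loginService;
    private final LoginAttemptHolder loginAttemptHolder;
    private final Optional<SessionRegistry> sessionRegistry;

    /** Creates the gateway bean only when a REST security type is configured. */
    static class SecurityCondition implements ConfigurationCondition {
        SecurityCondition() {
        }

        @Override
        public ConfigurationCondition.ConfigurationPhase getConfigurationPhase() {
            return ConfigurationCondition.ConfigurationPhase.PARSE_CONFIGURATION;
        }

        @Override
        public boolean matches(ConditionContext context, AnnotatedTypeMetadata metadata) {
            return context.getEnvironment().getProperty(SecurityConstants.HIGSON_RUNTIME_REST_SECURITY_TYPE) != null;
        }
    }

    /**
     * @param authenticationManager verifies login/password tokens
     * @param userDetailsService    loads users by login (expected to return {@link MppUserDetails})
     * @param loginEventService     audit sink for login outcomes
     * @param loginConfiguration    supplies the attempt limit and cool-down for {@link LoginAttemptHolder}
     * @param sessionRegistry       optional registry; when present, successful logins are registered in it
     */
    @Autowired
    public AccessGateway(AuthenticationManager authenticationManager, UserDetailsService userDetailsService, LoginEventService loginEventService, LoginConfiguration loginConfiguration, Optional<SessionRegistry> sessionRegistry) {
        this.authenticationManager = authenticationManager;
        this.userService = userDetailsService;
        this.loginService = loginEventService;
        this.loginAttemptHolder = new LoginAttemptHolder(loginConfiguration.getMaxLoginAttempts(), loginConfiguration.getCoolDown());
        this.sessionRegistry = sessionRegistry;
    }

    /**
     * Verifies {@code login}/{@code password} and, on success, requires the
     * {@link SystemRights#MPP_ACCESS} right.
     *
     * <p>Order of checks: blank input is rejected up front; a login that has exhausted
     * its attempts is refused with the cool-down message (the provider is not called
     * and the counter is not touched); otherwise the attempt is counted and delegated
     * to the authentication manager. Every failure is recorded through
     * {@link LoginEventService}. Unexpected failure types are reported to the caller
     * with the generic "incorrect password" text so that internal details never leak.
     *
     * @param login    user name; must not be blank
     * @param password clear-text password; must not be blank
     * @return a successful result only when the credentials are valid and the user
     *         holds the access right; otherwise a failed result with a user-facing message
     */
    public AuthResult authenticate(String login, String password) {
        log.debug("Authenticate and role check for {}", login);
        if (StringUtils.isBlank(login) || StringUtils.isBlank(password)) {
            return new AuthResult(false, Messages.message("authorization.loginAndPasswordShouldBeFilled"));
        }
        if (loginAttemptHolder.reachedAttemptsLimit(login)) {
            return createCoolDownAuthResult();
        }
        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(login, password);
        // Log the principal only; never the token (and thus the password), even at TRACE.
        log.trace("Attempt to authenticate {}", login);
        try {
            return authenticate(login, token);
        } catch (AuthenticationException failure) {
            return new AuthResult(false, getAuthExceptionMessage(login, failure));
        }
    }

    /**
     * Records the failure and picks the message shown to the caller.
     *
     * <p>Unknown failure types are logged with their stack trace and masked with the
     * generic "incorrect password" text. Bad credentials (any
     * {@link BadCredentialsException}, subclasses included) are masked the same way.
     * The remaining known types surface their own message.
     *
     * <p>NOTE(review): the original compared the exact class of the exception, so a
     * subclass of {@link BadCredentialsException} would have echoed its raw message;
     * this now uses {@code instanceof}. If any of the activedirectory exceptions
     * extends {@link BadCredentialsException}, its message is now masked too — confirm
     * that is intended. The messages of {@link DisabledException} and the domain
     * exceptions do tell an unauthenticated caller something about the account's
     * state; acceptable for an internal tool, reconsider if exposed to untrusted networks.
     */
    private String getAuthExceptionMessage(String login, AuthenticationException failure) {
        saveFailureLoginEvent(login, failure);
        if (!isKnownException(failure)) {
            log.warn("Authentication failed", (Throwable) failure);
            return Messages.message("authorization.incorrectPassword");
        }
        log.info("Authentication failed, reason:{}", failure.getMessage());
        if (failure instanceof BadCredentialsException) {
            return Messages.message("authorization.incorrectPassword");
        }
        return failure.getMessage();
    }

    /** Result returned while a login is locked out after too many failed attempts. */
    private AuthResult createCoolDownAuthResult() {
        Integer maxAttempts = Integer.valueOf(loginAttemptHolder.getMaxAttempts());
        Integer coolDown = Integer.valueOf(loginAttemptHolder.getFailureCoolDown());
        return new AuthResult(false, Messages.message("authorization.login.attempt.cooldown", maxAttempts, coolDown));
    }

    /**
     * Counts the attempt, authenticates through the manager (which throws an
     * {@link AuthenticationException} on failure), installs the result in the
     * {@link SecurityContextHolder} and then applies the access-right check.
     *
     * <p>The request's session id is read and discarded before the check, as in the
     * original code — presumably to make sure a session exists before it is
     * registered (TODO confirm). The session id is not rotated here; if this is the
     * only login path, session-fixation protection has to come from the surrounding
     * filter chain (NOTE(review): verify).
     *
     * <p>When the user authenticates but lacks {@link SystemRights#MPP_ACCESS}, the
     * security context is cleared again so that no authenticated principal is left
     * behind for the rest of the request (depending on the filter chain such a
     * context could otherwise be persisted to the session despite the refused login).
     * The attempt counter is reset only on a fully successful login.
     */
    private AuthResult authenticate(String login, UsernamePasswordAuthenticationToken token) {
        loginAttemptHolder.incrementAttempt(login);
        Authentication authentication = authenticationManager.authenticate(token);
        SecurityContextHolder.clearContext();
        SecurityContextHolder.getContext().setAuthentication(authentication);
        RequestContextHolder.currentRequestAttributes().getSessionId();
        Optional<MppUserDetails> currentUser = getCurrentUser();
        if (!hasAccess()) {
            currentUser.ifPresent(user -> saveFailureLoginEvent(user.getUser()));
            SecurityContextHolder.clearContext();
            return new AuthResult(false, UNAUTHORIZED_MESSAGE);
        }
        loginAttemptHolder.reset(login);
        currentUser.ifPresent(user -> {
            saveSuccessLoginEvent(user.getUser());
            registerNewSession(user);
        });
        return new AuthResult(true, Messages.message("authorization.passwordAndLoginMatch"));
    }

    /** The {@link MppUserDetails} behind the current security context, if any. */
    private Optional<MppUserDetails> getCurrentUser() {
        return UserRoleChecker.currentUser();
    }

    /** Registers the current request's session for {@code user} when a registry is configured. */
    private void registerNewSession(MppUserDetails user) {
        String sessionId = RequestContextHolder.currentRequestAttributes().getSessionId();
        sessionRegistry.ifPresent(registry -> registry.registerNewSession(sessionId, user.getUser()));
    }

    /** Known failure types: {@link #AUTHENTICATION_EXCEPTIONS} plus {@link DisabledException}, matched by instanceof. */
    private boolean isKnownException(AuthenticationException failure) {
        return failure instanceof DisabledException || isInstanceOfAuthenticationExceptions(failure.getClass());
    }

    /**
     * Grants access based on identity alone: loads {@code login} from the
     * {@link UserDetailsService}, installs it as the current authentication and checks
     * the {@link SystemRights#MPP_ACCESS} right. <b>No credential is verified here</b>;
     * callers must pass only a login that has already been authenticated by a trusted
     * mechanism (e.g. an SSO / pre-authentication filter), never a value taken directly
     * from the request.
     *
     * <p>Any exception (unknown user, wrong UserDetails type, ...) yields the generic
     * unauthorized result. When the loaded principal cannot be resolved to an
     * {@link MppUserDetails} the freshly installed context is cleared again.
     *
     * @param login user name whose access is to be checked
     */
    public AuthResult authenticateOmittingPassword(String login) {
        log.debug("Only role checking for {}", login);
        try {
            UserDetails userDetails = userService.loadUserByUsername(login);
            SecurityContextHolder.clearContext();
            SecurityContextHolder.getContext().setAuthentication(new SimpleAuthentication(userDetails));
            Optional<MppUserDetails> currentUser = getCurrentUser();
            if (!currentUser.isPresent()) {
                // Nothing to authorize; do not keep the unusable principal in the context.
                SecurityContextHolder.clearContext();
                return new AuthResult(false, UNAUTHORIZED_MESSAGE);
            }
            return authorizeUser(currentUser.get(), login);
        } catch (Exception e) {
            saveFailureLoginEvent(login, e);
            log.warn("Authentication fail: {}", e.getMessage());
            return new AuthResult(false, UNAUTHORIZED_MESSAGE);
        }
    }

    /**
     * Applies the {@link SystemRights#MPP_ACCESS} check to the authentication currently
     * installed in the {@link SecurityContextHolder} and records the outcome for
     * {@code user}. On refusal — no right, or any exception while checking or recording —
     * the security context is cleared so the unauthorized principal does not linger.
     *
     * @param user  the resolved user the event is recorded for
     * @param login login used for the failure event when the check itself throws
     */
    public AuthResult authorizeUser(MppUserDetails user, String login) {
        try {
            if (hasAccess()) {
                saveSuccessLoginEvent(user.getUser());
                return new AuthResult(true, Messages.message("authorization.passwordAndLoginMatch"));
            }
            saveFailureLoginEvent(user.getUser());
        } catch (Exception e) {
            saveFailureLoginEvent(login, e);
            log.warn("Authorization failed: {}", e.getMessage());
        }
        SecurityContextHolder.clearContext();
        return new AuthResult(false, UNAUTHORIZED_MESSAGE);
    }

    /** Whether the current security context holds the MPP access right. */
    private boolean hasAccess() {
        return UserRoleChecker.hasRight(SystemRights.MPP_ACCESS.name());
    }

    private void saveSuccessLoginEvent(SystemUser systemUser) {
        loginService.saveLoginEvent(systemUser, LoginEvent.Type.SUCCESS);
    }

    private void saveFailureLoginEvent(SystemUser systemUser) {
        loginService.saveLoginEvent(systemUser, LoginEvent.Type.UNAUTHORIZED_ACCESS);
    }

    /**
     * Records a failed login for {@code login}: {@code ACCOUNT_INACTIVE} for
     * account-status failures, {@code BAD_CREDENTIALS} for the known credential
     * failures, nothing for any other exception type.
     *
     * <p>An unknown login or a principal that is not an {@link MppUserDetails} is only
     * logged (the original cast unconditionally and could throw a ClassCastException
     * out of the authentication failure path); this method therefore does not throw
     * for those cases.
     */
    private void saveFailureLoginEvent(String login, Exception cause) {
        UserDetails details;
        try {
            details = userService.loadUserByUsername(login);
        } catch (UsernameNotFoundException e) {
            log.warn("username:{} not found", login);
            return;
        }
        if (!(details instanceof MppUserDetails)) {
            log.warn("username:{} is not an MPP user, failure not recorded", login);
            return;
        }
        SystemUser user = ((MppUserDetails) details).getUser();
        if (cause instanceof AccountStatusException) {
            loginService.saveLoginEvent(user, LoginEvent.Type.ACCOUNT_INACTIVE);
        } else if (isInstanceOfAuthenticationExceptions(cause.getClass())) {
            loginService.saveLoginEvent(user, LoginEvent.Type.BAD_CREDENTIALS);
        }
    }

    /** True when {@code cls} is one of {@link #AUTHENTICATION_EXCEPTIONS} or a subclass of one. */
    private boolean isInstanceOfAuthenticationExceptions(Class<?> cls) {
        return AUTHENTICATION_EXCEPTIONS.stream().anyMatch(known -> known.isAssignableFrom(cls));
    }
}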
