package net.nemerosa.ontrack.service.security;

import java.util.Optional;
import net.nemerosa.ontrack.model.security.AccountService;
import net.nemerosa.ontrack.model.security.AccountUserDetails;
import net.nemerosa.ontrack.model.security.AuthenticatedAccount;
import net.nemerosa.ontrack.repository.AccountRepository;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Component;

@Component
@Qualifier("password")
/* loaded from: input_file:net/nemerosa/ontrack/service/security/PasswordAuthenticationProvider.class */
public class PasswordAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider {
    private final AccountService accountService;
    private final AccountRepository accountRepository;
    private final PasswordEncoder passwordEncoder;
    private final PasswordAuthenticationSourceProvider passwordAuthenticationSourceProvider;

    @Autowired
    public PasswordAuthenticationProvider(AccountService accountService, AccountRepository accountRepository, PasswordEncoder passwordEncoder, PasswordAuthenticationSourceProvider passwordAuthenticationSourceProvider) {
        this.accountService = accountService;
        this.accountRepository = accountRepository;
        this.passwordEncoder = passwordEncoder;
        this.passwordAuthenticationSourceProvider = passwordAuthenticationSourceProvider;
    }

    protected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken) throws AuthenticationException {
        String str = (String) usernamePasswordAuthenticationToken.getCredentials();
        if (!this.accountRepository.checkPassword(((AccountUserDetails) userDetails).getAccount().id(), str2 -> {
            return this.passwordEncoder.matches(str, str2);
        })) {
            throw new BadCredentialsException("Incorrect password");
        }
    }

    protected UserDetails retrieveUser(String str, UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken) throws AuthenticationException {
        Optional map = this.accountRepository.findUserByNameAndSource(str, this.passwordAuthenticationSourceProvider).map(AuthenticatedAccount::of);
        AccountService accountService = this.accountService;
        accountService.getClass();
        return (UserDetails) map.map(accountService::withACL).map(AccountUserDetails::new).orElseThrow(() -> {
            return new UsernameNotFoundException(String.format("User %s cannot be found", str));
        });
    }
}
