package nl._42.boot.saml.user;

import java.util.Arrays;
import java.util.Collection;
import java.util.Locale;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import nl._42.boot.saml.SAMLProperties;
import nl._42.boot.saml.UserNotAllowedException;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;

/* loaded from: input_file:nl/_42/boot/saml/user/DefaultSAMLUserDetailsService.class */
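/**
 * Default {@link SAMLUserDetailsService}: turns a {@link SAMLCredential} into a Spring Security
 * {@link User}, but only after checking that the asserted user carries at least one of the
 * configured authorized roles and belongs to at least one of the configured authorized
 * organisations. An empty configuration for either check means "no restriction".
 */
public class DefaultSAMLUserDetailsService implements SAMLUserDetailsService {
    private static final Logger log = LoggerFactory.getLogger(DefaultSAMLUserDetailsService.class);

    /** SAML configuration; supplies the authorized organisations/roles and is handed to {@link SAMLUser}. */
    private final SAMLProperties properties;
    /** Maps the verified {@link SAMLUser} to the application's {@link User}. */
    private final SAMLUserMapper mapper;
    /** Organisations the user must be assigned to; empty means unrestricted. */
    private final Values organisations;
    /** Roles the user must carry; empty means unrestricted. */
    private final Values roles;

    /**
     * Case-insensitive allow-list parsed from a comma-separated property value.
     *
     * <p>Values are trimmed and lower-cased with {@link Locale#ROOT} so that the authorization
     * comparison does not depend on the JVM's default locale (e.g. Turkish dotted/dotless I).
     * The decompiler widened this class from {@code private} to {@code public}; it is only used
     * by the enclosing service.
     */
    public static final class Values {
        private final Set<String> values;

        /**
         * @param strArr raw values; blank entries are dropped, the rest trimmed and lower-cased
         */
        Values(String... strArr) {
            this.values = Arrays.stream(strArr)
                .filter(StringUtils::isNotBlank)
                .map(String::trim)
                .map(value -> value.toLowerCase(Locale.ROOT))
                .collect(Collectors.toSet());
        }

        /**
         * Parses a comma-separated property value.
         *
         * @param str the property value, may be {@code null} or blank
         * @return the parsed values; empty (unrestricted) when {@code str} is blank
         */
        static Values parse(String str) {
            if (StringUtils.isBlank(str)) {
                return new Values();
            }
            // surrounding spaces around the comma are consumed by the separator pattern
            return new Values(str.split("[ ]*,[ ]*"));
        }

        /**
         * Returns whether the user's values satisfy this restriction.
         *
         * @param collection the values asserted for the user; {@code null} is treated as empty
         * @return {@code true} when nothing is configured, otherwise {@code true} only when at
         *         least one element matches case-insensitively (fail closed for {@code null}/empty)
         */
        boolean containsAny(Collection<String> collection) {
            if (this.values.isEmpty()) {
                return true;
            }
            if (collection == null) {
                return false;
            }
            return collection.stream().anyMatch(this::contains);
        }

        /**
         * Case-insensitive membership test; the incoming value is deliberately not trimmed,
         * matching the original behaviour (only configured values are trimmed).
         */
        private boolean contains(String str) {
            return str != null && this.values.contains(str.toLowerCase(Locale.ROOT));
        }

        @Override
        public String toString() {
            return this.values.toString();
        }
    }

    /**
     * @param sAMLProperties SAML configuration, required
     * @param sAMLUserMapper mapper for the verified user; when {@code null} a
     *                       {@link DefaultSAMLUserMapper} is used and a warning is logged
     * @throws NullPointerException when {@code sAMLProperties} is {@code null}
     */
    public DefaultSAMLUserDetailsService(SAMLProperties sAMLProperties, SAMLUserMapper sAMLUserMapper) {
        this.properties = Objects.requireNonNull(sAMLProperties, "Properties are required");
        if (sAMLUserMapper == null) {
            log.warn("No user mapper defined, please register a SAMLUserMapper bean.");
            this.mapper = new DefaultSAMLUserMapper();
        } else {
            this.mapper = sAMLUserMapper;
        }
        this.organisations = Values.parse(sAMLProperties.getAuthorizedOrganisations());
        this.roles = Values.parse(sAMLProperties.getAuthorizedRoles());
    }

    /**
     * Entry point called by Spring Security SAML; the decompiler renamed the original
     * {@code loadUserBySAML} (its bridge method was merged into this one).
     *
     * @param sAMLCredential the validated SAML assertion
     * @return the mapped application user
     * @throws UsernameNotFoundException when the mapper cannot resolve the user
     * @throws UserNotAllowedException when the role or organisation check fails
     */
    public User m4loadUserBySAML(SAMLCredential sAMLCredential) throws UsernameNotFoundException {
        return load(new SAMLResponse(sAMLCredential));
    }

    /**
     * Runs the authorization checks and delegates the mapping.
     * Attribute values are only written to the log at TRACE level, since they may hold personal data.
     */
    private User load(SAMLResponse sAMLResponse) {
        log.debug("Loading user by SAML credentials...");
        if (log.isTraceEnabled()) {
            // guard avoids joining every attribute's values when tracing is off
            sAMLResponse.getAttributes().forEach(sAMLAttribute ->
                log.trace("Attribute: {} = '{}'", sAMLAttribute.getName(), sAMLAttribute.stream().collect(Collectors.joining(", "))));
        }
        SAMLUser sAMLUser = new SAMLUser(sAMLResponse, this.properties);
        verifyHasRole(sAMLUser);
        verifyHasOrganisation(sAMLUser);
        return this.mapper.load(sAMLUser);
    }

    /**
     * @throws UserNotAllowedException when roles are configured and the user has none of them
     */
    private void verifyHasRole(SAMLUser sAMLUser) {
        if (this.roles.containsAny(sAMLUser.getRoles())) {
            return;
        }
        log.error("Could not log in '{}', request roles: {} but user has only these roles: {}", sAMLUser, this.roles, sAMLUser.getRoles());
        throw new UserNotAllowedException("User does not have the requested roles.");
    }

    /**
     * @throws UserNotAllowedException when organisations are configured and the user is in none of them
     */
    private void verifyHasOrganisation(SAMLUser sAMLUser) {
        if (this.organisations.containsAny(sAMLUser.getOrganisations())) {
            return;
        }
        log.error("Could not log in '{}', request organisations: {} but user has is only assigned to: {}", sAMLUser, this.organisations, sAMLUser.getOrganisations());
        throw new UserNotAllowedException("User is not assigned to one of the required organisations.");
    }
}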
