package nl._42.boot.saml.user;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import nl._42.boot.saml.SAMLProperties;
import nl._42.boot.saml.UserNotAllowedException;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;

/* loaded from: input_file:nl/_42/boot/saml/user/SAMLUserService.class */
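/**
 * Builds a Spring Security {@link UserDetails} from the attributes carried in a {@link SAMLResponse}.
 *
 * <p>The user name and roles are read from response attributes whose names are resolved through
 * the configured attribute mapping, the configured assertions are verified against the response,
 * and the resulting user is passed through every registered {@link SAMLUserDecorator}.
 *
 * <p>NOTE(review): nothing in this class checks the signature, issuer, audience or validity window
 * of the SAML response. It presumably relies on the response having been validated before it is
 * wrapped in a {@code SAMLResponse}; confirm that against the caller, because every value read
 * here is used directly for the identity and authorization decision.
 */
public class SAMLUserService {
    private static final Logger log = LoggerFactory.getLogger(SAMLUserService.class);

    // Logical attribute keys; the actual SAML attribute names come from the configured mapping.
    private static final String USER_NAME = "user";
    private static final String ROLE_NAME = "role";

    private final Map<String, String> attributes;
    private final Assertions assertions;
    private final RoleMapper roleMapper;
    private final boolean roleRequired;
    private List<SAMLUserDecorator> decorators = new ArrayList<>();

    /**
     * Creates the service from the SAML configuration.
     *
     * @param sAMLProperties configuration supplying the attribute mapping, the required
     *     assertions, the role mapper and the role-required flag
     * @throws NullPointerException if {@code sAMLProperties} is {@code null}
     */
    public SAMLUserService(SAMLProperties sAMLProperties) {
        Objects.requireNonNull(sAMLProperties, "Properties are required");
        this.attributes = sAMLProperties.getAttributes();
        this.assertions = new Assertions(sAMLProperties.getAssertions());
        this.roleMapper = sAMLProperties.getRoleMapper();
        this.roleRequired = sAMLProperties.isRoleRequired();
    }

    /**
     * Builds the user for a SAML response and applies all registered decorators to it.
     *
     * @param sAMLResponse the SAML response to read the user name, roles and assertions from
     * @return the decorated user details
     * @throws AuthenticationException if the response carries no user name, or if a role is
     *     required and none of the supplied roles maps to an authority
     */
    public UserDetails load(SAMLResponse sAMLResponse) throws AuthenticationException {
        return decorate(build(sAMLResponse), sAMLResponse);
    }

    /**
     * Resolves user name and authorities, verifies the configured assertions and creates the user.
     */
    private UserDetails build(SAMLResponse sAMLResponse) {
        log.debug("Loading user by SAML credentials...");
        String userName = getUserName(sAMLResponse);
        Collection<GrantedAuthority> authorities = getAuthorities(sAMLResponse);
        // Assertion names go through the same attribute mapping as user and role; an unmapped
        // name is looked up in the response as-is. Presumably verify() throws when a required
        // assertion is not met, so no User is created in that case (confirm in Assertions).
        this.assertions.verify(name -> sAMLResponse.getValues(this.attributes.getOrDefault(name, name)));
        // The password is an empty placeholder: no local credential is read from the response.
        return new User(userName, "", authorities);
    }

    /**
     * Returns the user name from the mapped user attribute, falling back to the response name.
     *
     * @throws UserNotAllowedException if neither source yields a non-blank name
     */
    private String getUserName(SAMLResponse sAMLResponse) {
        // Without a configured mapping the lookup key is the empty string, so in practice the
        // fallback to the response name (the Name ID, per the error message below) is used.
        String attributeName = this.attributes.getOrDefault(USER_NAME, "");
        Optional<String> value = sAMLResponse.getValue(attributeName);
        String userName = value.orElseGet(sAMLResponse::getName);
        if (StringUtils.isBlank(userName)) {
            throw new UserNotAllowedException("Missing user name in SAML response, please provide a Name ID or user attribute");
        }
        return userName;
    }

    /**
     * Maps the role values from the response to granted authorities.
     *
     * @throws UserNotAllowedException if a role is required and no authority could be mapped
     */
    private Collection<GrantedAuthority> getAuthorities(SAMLResponse sAMLResponse) {
        Set<String> values = sAMLResponse.getValues(this.attributes.getOrDefault(ROLE_NAME, ROLE_NAME));
        Collection<GrantedAuthority> authorities = this.roleMapper.getAuthorities(values);
        if (isNotAllowed(authorities)) {
            // The message echoes the raw role values taken from the response. Treat it as
            // untrusted text wherever it is logged or shown (encode it, do not render it as markup).
            throw new UserNotAllowedException("User has no authorized roles, found: " + String.join(",", values));
        }
        return authorities;
    }

    /**
     * Tells whether a user must be rejected for lack of authorities.
     *
     * <p>When {@code roleRequired} is {@code false} a user without any authority is accepted, so
     * access control further down must not treat "authenticated" as "authorized".
     */
    private boolean isNotAllowed(Collection<GrantedAuthority> collection) {
        return this.roleRequired && collection.isEmpty();
    }

    /**
     * Passes the user through every decorator in registration order; each one receives the
     * result of the previous one.
     */
    private UserDetails decorate(UserDetails userDetails, SAMLResponse sAMLResponse) {
        UserDetails decorated = userDetails;
        for (SAMLUserDecorator decorator : this.decorators) {
            decorated = decorator.decorate(decorated, sAMLResponse);
        }
        return decorated;
    }

    /**
     * Registers the decorators applied to every loaded user.
     *
     * <p>A {@code null} list clears the decorators instead of causing a
     * {@code NullPointerException} on the next {@link #load(SAMLResponse)}. The list is copied,
     * so later changes to the caller's list do not alter what is applied to users.
     *
     * @param list the decorators to apply, in order; may be {@code null}
     */
    @Autowired(required = false)
    public void setDecorators(List<SAMLUserDecorator> list) {
        if (list == null) {
            this.decorators = new ArrayList<>();
        } else {
            this.decorators = new ArrayList<>(list);
        }
    }
}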
