package com.premiumminds.flowable.filter;

import com.google.common.cache.Cache;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.premiumminds.flowable.conf.KeycloakProperties;
import com.premiumminds.flowable.service.KeycloakAccessTokenExtractor;
import com.premiumminds.flowable.service.OIDCClient;
import com.premiumminds.flowable.service.OIDCMetadataHolder;
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.UUID;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.tuple.Pair;
import org.flowable.ui.common.model.RemoteToken;
import org.flowable.ui.common.model.RemoteUser;
import org.flowable.ui.common.security.FlowableAppUser;
import org.flowable.ui.common.service.idm.RemoteIdmService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.RememberMeAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;

/* loaded from: input_file:com/premiumminds/flowable/filter/AuthenticationHandler.class */
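/**
 * Bridges a Keycloak/OIDC login to Flowable's cookie-based session handling.
 *
 * <p>After a successful OIDC callback the handler mints a random token id, stores the
 * {@link RemoteToken} and {@link FlowableAppUser} in the two caches, and hands the token id to
 * the browser in the {@code FLOWABLE_REMEMBER_ME} cookie. On later requests the cookie value is
 * the only thing used to look the session up, so it must be treated as a bearer credential:
 * it is never logged, and the cookie is issued with {@code HttpOnly} (and {@code Secure} when
 * the login request arrived over TLS).
 *
 * <p>Session lifetime is whatever the injected caches enforce; this class never evicts entries
 * itself. NOTE(review): confirm both caches are built with an expiry that is not longer than
 * the access token's validity.
 */
public class AuthenticationHandler {
    private static final Logger LOGGER = LoggerFactory.getLogger(AuthenticationHandler.class);

    /** Name of the cookie that carries the Base64-encoded token id. */
    private static final String REMEMBER_ME_COOKIE = "FLOWABLE_REMEMBER_ME";

    private final Cache<String, FlowableAppUser> userCache;
    private final Cache<String, RemoteToken> tokenCache;
    private final RemoteIdmService remoteIdmService;
    private final OIDCClient oidcClient;
    private final KeycloakAccessTokenExtractor accessTokenExtractor;
    private final KeycloakCookieFilter filter;

    /**
     * @param cache user cache, keyed by user id
     * @param cache2 token cache, keyed by token id
     * @param keycloakProperties configuration used to build the OIDC metadata holder, the OIDC
     *     client and the access-token extractor
     * @param remoteIdmService service used to resolve the user named in the access token
     * @param keycloakCookieFilter owning filter; supplies privilege checks, redirects and the
     *     optional valid-token callback
     */
    public AuthenticationHandler(Cache<String, FlowableAppUser> cache, Cache<String, RemoteToken> cache2, KeycloakProperties keycloakProperties, RemoteIdmService remoteIdmService, KeycloakCookieFilter keycloakCookieFilter) {
        this.userCache = cache;
        this.tokenCache = cache2;
        this.filter = keycloakCookieFilter;
        this.remoteIdmService = remoteIdmService;
        OIDCMetadataHolder metadataHolder = new OIDCMetadataHolder(keycloakProperties);
        this.oidcClient = new OIDCClient(keycloakProperties, metadataHolder);
        this.accessTokenExtractor = new KeycloakAccessTokenExtractor(keycloakProperties, metadataHolder);
    }

    /**
     * Returns the URI produced by the OIDC client for starting a login.
     *
     * @return the login URI as built by {@link OIDCClient#login()}
     */
    public URI login() {
        return this.oidcClient.login();
    }

    /**
     * Authenticates a request from its remember-me cookie and installs the Spring Security
     * context.
     *
     * @param httpServletRequest incoming request
     * @param httpServletResponse response, used by the filter for redirects / denial
     * @return {@code true} when the request carries a known token and the user passes the
     *     filter's privilege check; {@code false} after the filter has already answered the
     *     request with a redirect or a "not permitted" response
     */
    public boolean handleAuthenticatedRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Pair<RemoteToken, FlowableAppUser> session = getValidFlowableUser(httpServletRequest, httpServletResponse);
        if (session == null) {
            LOGGER.debug("No valid token found.");
            this.filter.redirectOrSendNotPermitted(httpServletRequest, httpServletResponse, null);
            return false;
        }
        RemoteToken remoteToken = session.getKey();
        FlowableAppUser appUser = session.getValue();
        if (!this.filter.validateRequiredPrivileges(httpServletRequest, httpServletResponse, appUser)) {
            this.filter.redirectOrSendNotPermitted(httpServletRequest, httpServletResponse, appUser.getUserObject().getId());
            return false;
        }
        // Authorities come from the cached FlowableAppUser, i.e. from the roles read at login
        // time; role changes in the identity provider are not seen until the cache entry goes.
        SecurityContextHolder.getContext().setAuthentication(new RememberMeAuthenticationToken(remoteToken.getId(), appUser, appUser.getAuthorities()));
        if (this.filter.filterCallback != null) {
            this.filter.filterCallback.onValidTokenFound(httpServletRequest, httpServletResponse, remoteToken);
        }
        return true;
    }

    /**
     * Completes the OIDC login: exchanges the callback request for tokens, resolves the user,
     * caches the session and sets the remember-me cookie before redirecting to the context
     * path.
     *
     * <p>NOTE(review): this method relies entirely on {@code OIDCClient.getOIDCTokens} and
     * {@code KeycloakAccessTokenExtractor.extractClaims} for state/nonce handling and for
     * signature, issuer, audience and expiry validation of the access token — confirm both do
     * so, since nothing is re-checked here.
     *
     * @param httpServletRequest the callback request from the identity provider
     * @param httpServletResponse response that receives the cookie and the redirect
     * @throws IOException if the redirect cannot be sent
     */
    public void authenticationCallbackHandler(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        BearerAccessToken accessToken = this.oidcClient.getOIDCTokens(httpServletRequest).getBearerAccessToken();
        String rawToken = accessToken.getValue();
        String userId = this.accessTokenExtractor.getUserId(this.accessTokenExtractor.extractClaims(rawToken));
        // NOTE(review): if getUser can return null for an unknown user, the calls below fail
        // with a NullPointerException — confirm against RemoteIdmService.
        RemoteUser user = this.remoteIdmService.getUser(userId);
        FlowableAppUser appUser = this.filter.appUserFromRemoteUser(user, this.accessTokenExtractor.getRoles(rawToken));
        RemoteToken remoteToken = tokenFromUser(user, accessToken);
        updateCaches(appUser, remoteToken);
        addRememberCookie(remoteToken.getId(), httpServletRequest, httpServletResponse);
        httpServletResponse.sendRedirect(httpServletRequest.getContextPath());
    }

    /**
     * Looks up the cached token and user for the request's remember-me cookie.
     *
     * @return the token/user pair, or {@code null} when there is no cookie, the cookie value
     *     is not valid Base64, or no matching token and user are cached
     */
    private Pair<RemoteToken, FlowableAppUser> getValidFlowableUser(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie cookie : cookies) {
            if (!REMEMBER_ME_COOKIE.equals(cookie.getName())) {
                continue;
            }
            // The cookie value is client-controlled; a malformed value must end up as
            // "no session", not as an unhandled exception from the Base64 decoder.
            String tokenId = decodeCookie(cookie.getValue());
            if (tokenId == null) {
                LOGGER.debug("Ignoring remember-me cookie that is not valid Base64.");
                continue;
            }
            try {
                RemoteToken remoteToken = this.tokenCache.getIfPresent(tokenId);
                FlowableAppUser appUser = remoteToken != null ? this.userCache.getIfPresent(remoteToken.getUserId()) : null;
                if (appUser == null) {
                    return null;
                }
                return Pair.of(remoteToken, appUser);
            } catch (Exception e) {
                // The token id is the session credential and is attacker-influenced text, so
                // it is deliberately kept out of the log; the exception carries the cause.
                LOGGER.debug("Could not look up remember-me token", e);
            }
        }
        return null;
    }

    /**
     * Decodes the Base64 cookie value back into a token id.
     *
     * @param str raw cookie value as sent by the client
     * @return the decoded token id, or {@code null} if the value is absent or not valid Base64
     */
    private String decodeCookie(String str) {
        if (str == null) {
            return null;
        }
        try {
            return new String(Base64.getDecoder().decode(str), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null;
        }
    }

    /**
     * Builds the cached session record for a freshly authenticated user.
     *
     * <p>The id is a new random UUID per login, so a token id known before authentication is
     * never reused afterwards. The record's value is the raw bearer access token.
     */
    private RemoteToken tokenFromUser(RemoteUser remoteUser, BearerAccessToken bearerAccessToken) {
        RemoteToken remoteToken = new RemoteToken();
        remoteToken.setId(UUID.randomUUID().toString());
        remoteToken.setUserId(remoteUser.getId());
        remoteToken.setValue(bearerAccessToken.getValue());
        return remoteToken;
    }

    /** Stores the user under its user id and the token under its token id. */
    private void updateCaches(FlowableAppUser flowableAppUser, RemoteToken remoteToken) {
        this.userCache.put(flowableAppUser.getUserObject().getId(), flowableAppUser);
        this.tokenCache.put(remoteToken.getId(), remoteToken);
    }

    /**
     * Issues the remember-me cookie carrying the Base64-encoded token id.
     *
     * @param str token id to encode into the cookie
     * @param httpServletRequest login request, consulted to decide the {@code Secure} flag
     * @param httpServletResponse response that receives the cookie
     */
    private void addRememberCookie(String str, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Cookie cookie = new Cookie(REMEMBER_ME_COOKIE, Base64.getEncoder().encodeToString(str.getBytes(StandardCharsets.UTF_8)));
        cookie.setPath("/");
        // The cookie is the session credential: keep it away from page scripts.
        cookie.setHttpOnly(true);
        // Mark Secure whenever the container saw TLS. Behind a TLS-terminating proxy the
        // container must be configured to honour the forwarded scheme for this to take effect.
        cookie.setSecure(httpServletRequest.isSecure());
        httpServletResponse.addCookie(cookie);
    }
}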
