package org.killbill.billing.util.security.shiro.realm;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.base.Splitter;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.Maps;
import com.google.inject.Inject;
import com.ning.http.client.AsyncCompletionHandler;
import com.ning.http.client.AsyncHttpClient;
import com.ning.http.client.AsyncHttpClientConfig;
import com.ning.http.client.Response;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import org.apache.commons.lang3.StringUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.config.Ini;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.eclipse.jetty.io.SelectorManager;
import org.killbill.billing.server.notifications.PushNotificationListener;
import org.killbill.billing.util.config.definition.SecurityConfig;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/killbill-util-0.18.20.jar:org/killbill/billing/util/security/shiro/realm/KillBillOktaRealm.class */
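/**
 * Shiro realm backed by Okta.
 * <p>
 * Authentication posts the submitted username/password to Okta's primary authentication
 * endpoint ({@code POST /api/v1/authn}) and succeeds only for an HTTP 2xx reply whose
 * transaction {@code status} is {@code SUCCESS}.
 * <p>
 * Authorization resolves the subject's Okta user id ({@code GET /api/v1/users/{login}}), then
 * its groups ({@code GET /api/v1/users/{id}/groups}); the group names become the subject's
 * roles, and permissions come from the configured group-to-permissions mapping (Shiro INI text,
 * one {@code group = perm1, perm2, ...} entry per line, with literal {@code \n} separators).
 * <p>
 * Every Okta call carries the configured SSWS API token, and the authentication call carries
 * the user's clear-text password in its body, so the configured Okta URL must be an https URL;
 * a plain-http URL would expose both on the wire.
 */
public class KillBillOktaRealm extends AuthorizingRealm {

    private static final Logger log = LoggerFactory.getLogger(KillBillOktaRealm.class);

    /** Upper bound, in seconds, for both the HTTP request timeout and the wait on the response. */
    private static final int DEFAULT_TIMEOUT_SECS = 15;
    private static final String CONTENT_TYPE_JSON = "application/json";
    private static final String USERNAME_PARAM = "username";
    private static final ObjectMapper mapper = new ObjectMapper();
    private static final Splitter SPLITTER = Splitter.on(',').omitEmptyStrings().trimResults();

    /** Okta group name -> Kill Bill permission strings; populated once in the constructor, read-only afterwards. */
    private final Map<String, Collection<String>> permissionsByGroup = Maps.newLinkedHashMap();
    private final SecurityConfig securityConfig;
    /** Never closed: the realm lives as long as the application. */
    private final AsyncHttpClient httpClient;

    /**
     * @param securityConfig provides the Okta base URL, the SSWS API token and the optional
     *                       group-to-permissions INI text
     */
    @Inject
    public KillBillOktaRealm(final SecurityConfig securityConfig) {
        this.securityConfig = securityConfig;
        // Same bound as the Future.get() in execute(): a slow or unreachable Okta must not pin a login thread
        this.httpClient = new AsyncHttpClient(new AsyncHttpClientConfig.Builder()
                                                      .setRequestTimeout(DEFAULT_TIMEOUT_SECS * 1000)
                                                      .build());

        final String permissionsIni = securityConfig.getShiroOktaPermissionsByGroup();
        if (permissionsIni != null) {
            // The property is a single line; literal "\n" sequences stand for the INI line breaks
            final Ini ini = new Ini();
            ini.load(permissionsIni.replace("\\n", "\n"));
            for (final Ini.Section section : ini.getSections()) {
                for (final String group : section.keySet()) {
                    permissionsByGroup.put(group, ImmutableList.copyOf(SPLITTER.split(section.get(group))));
                }
            }
        }
    }

    /**
     * Builds roles (Okta group names) and permissions (configured per group) for the subject.
     *
     * @param principals the authenticated subject's principals; the available one is the Okta login
     * @return roles and permissions derived from the subject's Okta groups
     * @throws AuthorizationException if Okta cannot be reached, answers with an error, or returns no user id
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(final PrincipalCollection principals) {
        final String login = (String) getAvailablePrincipal(principals);
        final Set<String> groups = findOktaGroupsForUser(findOktaUserId(login));
        final SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(groups);
        info.setStringPermissions(groupsPermissions(groups));
        return info;
    }

    /**
     * Verifies the submitted credentials against Okta.
     *
     * @param token a {@link UsernamePasswordToken} (the only token type this realm supports)
     * @return authentication info carrying the token's principal and credentials; the credentials
     *         are the ones just verified by Okta, so Shiro's subsequent credentials match is against
     *         the very same values
     * @throws AuthenticationException if Okta rejects the credentials or cannot be reached
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(final AuthenticationToken token) throws AuthenticationException {
        if (doAuthenticate((UsernamePasswordToken) token)) {
            return new SimpleAuthenticationInfo(token.getPrincipal(), token.getCredentials(), getName());
        }
        throw new AuthenticationException("Okta authentication failed");
    }

    /**
     * Posts {@code {"username": ..., "password": ...}} to {@code /api/v1/authn}.
     *
     * @return true only if Okta reports a successful primary authentication
     * @throws AuthenticationException on payload, transport, timeout or response-parsing errors
     */
    private boolean doAuthenticate(final UsernamePasswordToken token) {
        final AsyncHttpClient.BoundRequestBuilder request = httpClient.preparePost(securityConfig.getShiroOktaUrl() + "/api/v1/authn");
        try {
            request.setBody(mapper.writeValueAsString(ImmutableMap.of(USERNAME_PARAM, token.getUsername(),
                                                                     "password", String.valueOf(token.getPassword()))));
        } catch (final JsonProcessingException e) {
            log.warn("Error while generating Okta payload");
            throw new AuthenticationException("Error while generating Okta payload", e);
        }
        addOktaHeaders(request);

        try {
            return isAuthenticated(execute(request));
        } catch (final TimeoutException e) {
            log.warn("Timeout while connecting to Okta");
            throw new AuthenticationException("Timeout while connecting to Okta", e);
        } catch (final InterruptedException e) {
            Thread.currentThread().interrupt();
            log.warn("Interrupted while connecting to Okta");
            throw new AuthenticationException("Interrupted while connecting to Okta", e);
        } catch (final AuthenticationException e) {
            // Already a fully described failure (from isAuthenticated); don't wrap it a second time
            throw e;
        } catch (final Exception e) {
            // Boundary with the HTTP client: any other transport/client failure is an authentication failure
            log.warn("Error while connecting to Okta");
            throw new AuthenticationException("Error while connecting to Okta", e);
        }
    }

    /**
     * Interprets the {@code /api/v1/authn} reply.
     * <p>
     * Only an HTTP 2xx whose {@code status} is {@code SUCCESS} authenticates the user. Every
     * other transaction status (e.g. MFA or password-change states) and every error reply is a
     * failure: this realm cannot continue an Okta multi-step transaction.
     *
     * @throws AuthenticationException if the body cannot be read or parsed
     */
    private boolean isAuthenticated(final Response response) {
        final Map<?, ?> body;
        try {
            body = readJsonObject(response);
        } catch (final IOException e) {
            log.warn("Unable to read response from Okta");
            throw new AuthenticationException("Unable to read response from Okta", e);
        }

        final int httpStatus = response.getStatusCode();
        if (isSuccessful(httpStatus) && "SUCCESS".equals(body.get("status"))) {
            return true;
        }
        // Log only the status and error fields rather than the whole body: a non-SUCCESS reply
        // can carry a transaction state token and profile data (per Okta's /authn contract —
        // TODO confirm for the deployed API version) that must not end up in the logs
        log.warn("Okta authentication failed: http={}, status={}, errorCode={}, errorSummary={}",
                 httpStatus, body.get("status"), body.get("errorCode"), body.get("errorSummary"));
        return false;
    }

    /**
     * Resolves an Okta login to the user's Okta id via {@code GET /api/v1/users/{login}}.
     *
     * @throws AuthorizationException if the call fails or the reply has no string {@code id}
     */
    private String findOktaUserId(final String login) {
        final Response response = doGetRequest("/api/v1/users/" + pathSegment(login));
        final Object id;
        try {
            id = readJsonObject(response).get("id");
        } catch (final IOException e) {
            log.warn("Unable to read response from Okta");
            throw new AuthorizationException("Unable to read response from Okta", e);
        }
        // Fail here rather than continuing with a "/users/null/groups" lookup
        if (!(id instanceof String) || ((String) id).isEmpty()) {
            throw new AuthorizationException("Okta user lookup returned no user id");
        }
        return (String) id;
    }

    /** Lists the names of the groups the Okta user belongs to via {@code GET /api/v1/users/{id}/groups}. */
    private Set<String> findOktaGroupsForUser(final String userId) {
        return getGroups(doGetRequest("/api/v1/users/" + pathSegment(userId) + "/groups"));
    }

    /**
     * Issues an authenticated GET against the Okta API.
     *
     * @param path path relative to the configured Okta base URL, already URL-encoded
     * @return the response, guaranteed to have a 2xx status
     * @throws AuthorizationException on transport errors, timeout, or a non-2xx reply (invalid API
     *                                token, unknown user, rate limiting, ...)
     */
    private Response doGetRequest(final String path) {
        final AsyncHttpClient.BoundRequestBuilder request = httpClient.prepareGet(securityConfig.getShiroOktaUrl() + path);
        addOktaHeaders(request);

        final Response response;
        try {
            response = execute(request);
        } catch (final TimeoutException e) {
            log.warn("Timeout while connecting to Okta");
            throw new AuthorizationException("Timeout while connecting to Okta", e);
        } catch (final InterruptedException e) {
            Thread.currentThread().interrupt();
            log.warn("Interrupted while connecting to Okta");
            throw new AuthorizationException("Interrupted while connecting to Okta", e);
        } catch (final Exception e) {
            // Boundary with the HTTP client: any other transport/client failure denies authorization
            log.warn("Error while connecting to Okta");
            throw new AuthorizationException("Error while connecting to Okta", e);
        }

        // An Okta error reply is a JSON error object, not the expected payload; reject it explicitly
        // instead of letting the callers parse it (which produced misleading follow-up failures)
        if (!isSuccessful(response.getStatusCode())) {
            log.warn("Okta request {} failed: http={}", path, response.getStatusCode());
            throw new AuthorizationException("Okta request failed with HTTP " + response.getStatusCode());
        }
        return response;
    }

    /**
     * Extracts {@code profile.name} from each entry of an Okta groups array.
     * Entries without a {@code profile} object or without a string {@code name} are skipped.
     *
     * @throws AuthorizationException if the body cannot be read or parsed
     */
    private Set<String> getGroups(final Response response) {
        final List<Map<String, Object>> groups;
        try {
            groups = mapper.readValue(response.getResponseBodyAsStream(), new TypeReference<List<Map<String, Object>>>() {});
        } catch (final IOException e) {
            log.warn("Unable to read response from Okta");
            throw new AuthorizationException("Unable to read response from Okta", e);
        }

        final Set<String> names = new HashSet<String>();
        if (groups == null) {
            return names;
        }
        for (final Map<String, Object> group : groups) {
            final Object profile = group.get("profile");
            if (profile instanceof Map) {
                final Object name = ((Map<?, ?>) profile).get("name");
                if (name instanceof String) {
                    names.add((String) name);
                }
            }
        }
        return names;
    }

    /** Union of the configured permissions of the given groups; unknown groups contribute nothing. */
    private Set<String> groupsPermissions(final Iterable<String> groups) {
        final Set<String> permissions = new HashSet<String>();
        for (final String group : groups) {
            final Collection<String> groupPermissions = permissionsByGroup.get(group);
            if (groupPermissions != null) {
                permissions.addAll(groupPermissions);
            }
        }
        return permissions;
    }

    /** Adds the SSWS API-token authorization and the JSON content type every Okta call uses. */
    private void addOktaHeaders(final AsyncHttpClient.BoundRequestBuilder request) {
        request.addHeader("Authorization", "SSWS " + securityConfig.getShiroOktaAPIToken());
        request.addHeader("Content-Type", CONTENT_TYPE_JSON);
    }

    /** Sends the request and waits at most {@link #DEFAULT_TIMEOUT_SECS} seconds for the complete response. */
    private static Response execute(final AsyncHttpClient.BoundRequestBuilder request)
            throws IOException, InterruptedException, ExecutionException, TimeoutException {
        return request.execute(new AsyncCompletionHandler<Response>() {
            @Override
            public Response onCompleted(final Response response) throws Exception {
                return response;
            }
        }).get(DEFAULT_TIMEOUT_SECS, TimeUnit.SECONDS);
    }

    /** Parses the response body as a JSON object; a JSON {@code null} body yields an empty map. */
    private static Map<?, ?> readJsonObject(final Response response) throws IOException {
        final Map<?, ?> body = mapper.readValue(response.getResponseBodyAsStream(), Map.class);
        return body == null ? ImmutableMap.of() : body;
    }

    /**
     * Encodes a value for use as a single path segment so that a login cannot alter the request path.
     * Note: URLEncoder applies form encoding (space becomes '+'); fine for e-mail style logins and
     * Okta ids — TODO confirm if logins containing spaces are expected.
     */
    private static String pathSegment(final String value) {
        try {
            return URLEncoder.encode(value, "UTF-8");
        } catch (final UnsupportedEncodingException e) {
            // UTF-8 is mandatory in every JVM, so this cannot happen
            throw new IllegalStateException(e);
        }
    }

    private static boolean isSuccessful(final int httpStatus) {
        return httpStatus >= 200 && httpStatus < 300;
    }
}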
