package org.squashtest.tm.plugin.openid.connect.bean;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Stream;
import org.apache.commons.lang3.EnumUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientProperties;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.config.oauth2.client.CommonOAuth2Provider;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.user.OAuth2UserAuthority;
import org.squashtest.tm.plugin.openid.connect.exception.SquashOidcAuthenticationException;
import org.squashtest.tm.plugin.openid.connect.properties.OidcAccessProperties;

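/* loaded from: input_file:org/squashtest/tm/plugin/openid/connect/bean/SquashOidcGrantedAuthoritiesMapper.class */
/**
 * Maps the authorities of an OIDC/OAuth2 login onto the authorities of the matching Squash account.
 *
 * <p>For each {@link OAuth2UserAuthority} received, the client registration is located from the
 * token's {@code aud} claim, the account's email domain is checked against the optional allowlist
 * in {@link OidcAccessProperties}, and the Squash account named by the provider's user-name
 * attribute is loaded through the {@link UserDetailsService}. A rejected domain, a missing claim,
 * an unmatched audience or a disabled account aborts the login with a
 * {@link SquashOidcAuthenticationException}. An account that does not exist yet contributes no
 * authorities (the log message states that a new user will be created elsewhere).
 *
 * <p>Thread-safety: the injected beans are read-only here except in
 * {@link #retrieveAdditionalProviderInformationForCommonOAuth2Providers}, which may fill in a
 * missing issuer URI on the shared provider properties.
 */
public class SquashOidcGrantedAuthoritiesMapper implements GrantedAuthoritiesMapper {
    private static final String ACCESS_DENIED = "Access denied !";
    private static final Logger LOGGER = LoggerFactory.getLogger(SquashOidcGrantedAuthoritiesMapper.class);

    @Autowired
    private OAuth2ClientProperties oAuth2ClientProperties;

    // Optional bean: when absent, no email-domain allowlist is enforced.
    @Autowired(required = false)
    private OidcAccessProperties oidcAccessProperties;

    @Autowired
    private UserDetailsService userDetailsService;

    /**
     * Replaces the provider-issued authorities with those of the corresponding Squash account.
     *
     * <p>Authorities that are not {@link OAuth2UserAuthority} are ignored, as is everything when no
     * OAuth2 provider is configured (an empty set is returned rather than an error).
     *
     * @param collection authorities produced by the OAuth2/OIDC user service; {@code null} is
     *        treated as empty
     * @return the authorities of the Squash accounts matched, never {@code null}
     * @throws SquashOidcAuthenticationException if the email domain is not allowlisted, the email
     *         or user-name claim is missing, the token audience matches no registration, or the
     *         Squash account is disabled
     */
    @Override
    public Collection<? extends GrantedAuthority> mapAuthorities(Collection<? extends GrantedAuthority> collection) {
        Set<GrantedAuthority> mapped = new HashSet<>();
        if (collection == null || oAuth2ClientProperties == null || oAuth2ClientProperties.getProvider().isEmpty()) {
            return mapped;
        }
        for (GrantedAuthority authority : collection) {
            if (!(authority instanceof OAuth2UserAuthority)) {
                continue;
            }
            Map<String, Object> attributes = ((OAuth2UserAuthority) authority).getAttributes();
            // Resolve the registration first so that a token for an unknown client fails before
            // any account lookup happens.
            OAuth2ClientProperties.Provider provider = getAuthProviderFromTokenAndProperties(attributes);
            if (!isUserWhitelisted(stringClaim(attributes, "email"))) {
                throw new SquashOidcAuthenticationException(ACCESS_DENIED, new AccessDeniedException("You are not authorized to access this application with this account. If this is an error, please contact your administrator."));
            }
            UserDetails userDetails = findUserDetailsByLoginIfExists(provider, attributes);
            if (userDetails == null) {
                continue;
            }
            if (!userDetails.isEnabled()) {
                throw new SquashOidcAuthenticationException(ACCESS_DENIED, new AccessDeniedException("The authentication attempt has failed because the user account associated with this login request has been disabled. Please contact the system administrator for assistance or to reactivate your account."));
            }
            mapped.addAll(userDetails.getAuthorities());
        }
        return mapped;
    }

    /**
     * Checks the account's email against the configured domain allowlist.
     *
     * <p>The comparison is an exact, case-insensitive match between the part of the address after
     * its last {@code '@'} and each allowlist entry (a leading {@code '@'} in an entry is
     * tolerated). A plain substring test on the whole address would let the local part of an
     * address satisfy the allowlist, which is why the domain is isolated first.
     *
     * @param email the {@code email} claim, possibly {@code null}
     * @return {@code true} if no allowlist is configured or the domain is allowlisted
     * @throws SquashOidcAuthenticationException if an allowlist is configured but no email claim
     *         was received
     */
    private boolean isUserWhitelisted(String email) {
        if (oidcAccessProperties == null) {
            return true;
        }
        String[] allowlist = oidcAccessProperties.getEmailDomainWhitelist();
        if (allowlist == null || allowlist.length == 0) {
            return true;
        }
        if (email == null || email.isBlank()) {
            throw new SquashOidcAuthenticationException(ACCESS_DENIED, new AccessDeniedException("Your permissions could not be verified since no email claim was received from the Identity Provider. If this is an error, please contact your administrator."));
        }
        String domain = emailDomain(email);
        if (domain == null) {
            return false;
        }
        return Arrays.stream(allowlist)
                .filter(Objects::nonNull)
                .map(SquashOidcGrantedAuthoritiesMapper::normalizeDomain)
                .anyMatch(domain::equals);
    }

    /**
     * Returns the lower-cased domain part of an email address, or {@code null} when the address
     * has no {@code '@'} or nothing after it.
     */
    private static String emailDomain(String email) {
        int at = email.lastIndexOf('@');
        if (at < 0 || at == email.length() - 1) {
            return null;
        }
        return email.substring(at + 1).strip().toLowerCase(Locale.ROOT);
    }

    /** Normalises an allowlist entry: trims it, drops a leading {@code '@'} and lower-cases it. */
    private static String normalizeDomain(String entry) {
        String domain = entry.strip();
        if (domain.startsWith("@")) {
            domain = domain.substring(1);
        }
        return domain.toLowerCase(Locale.ROOT);
    }

    /** Returns a claim as a string, or {@code null} when it is absent or not a string. */
    private static String stringClaim(Map<String, Object> attributes, String name) {
        Object value = attributes.get(name);
        return value instanceof String ? (String) value : null;
    }

    /**
     * Locates the provider properties for the registration whose client id is the token's first
     * audience.
     *
     * <p>The provider is looked up under the registration's own key; for a registration whose id
     * is one of the {@link CommonOAuth2Provider}s, the missing issuer URI is filled in from the
     * provider defaults.
     *
     * @param attributes the user attributes carrying the {@code aud} claim
     * @return the provider properties for the matched registration
     * @throws SquashOidcAuthenticationException if the audience is absent or matches no registration
     * @throws IllegalStateException if no provider is configured under the matched registration's key
     */
    private OAuth2ClientProperties.Provider getAuthProviderFromTokenAndProperties(Map<String, Object> attributes) {
        String audience = firstAudience(attributes.get("aud"));
        if (audience == null) {
            throw new SquashOidcAuthenticationException(ACCESS_DENIED, new AccessDeniedException("Your permissions could not be verified since no audience claim was received from the Identity Provider. If this is an error, please contact your administrator."));
        }
        Map<String, OAuth2ClientProperties.Registration> registrations = oAuth2ClientProperties.getRegistration();
        Map.Entry<String, OAuth2ClientProperties.Registration> registration = registrations.entrySet().stream()
                .filter(entry -> entry.getValue() != null && audience.equals(entry.getValue().getClientId()))
                .findFirst()
                .orElseThrow(() -> new SquashOidcAuthenticationException(ACCESS_DENIED, new AccessDeniedException("The identity token audience does not match any configured client registration. If this is an error, please contact your administrator.")));
        String registrationId = registration.getKey();
        OAuth2ClientProperties.Provider provider = oAuth2ClientProperties.getProvider().get(registrationId);
        if (provider == null) {
            throw new IllegalStateException("No OAuth2 provider is configured for registration '" + registrationId + "'");
        }
        if (EnumUtils.isValidEnum(CommonOAuth2Provider.class, commonProviderName(registrationId))) {
            retrieveAdditionalProviderInformationForCommonOAuth2Providers(provider, registration);
        }
        return provider;
    }

    /**
     * Returns the first audience of an {@code aud} claim, which may be a single value or a
     * collection of values, or {@code null} when the claim is absent or empty.
     */
    private static String firstAudience(Object aud) {
        if (aud instanceof Collection) {
            Iterator<?> values = ((Collection<?>) aud).iterator();
            return values.hasNext() ? Objects.toString(values.next(), null) : null;
        }
        return Objects.toString(aud, null);
    }

    /** Maps a registration id onto the name of the corresponding {@link CommonOAuth2Provider} constant. */
    private static String commonProviderName(String registrationId) {
        return registrationId.toUpperCase(Locale.ROOT);
    }

    /**
     * Loads the Squash account named by the provider's user-name attribute.
     *
     * @param provider the provider properties naming the user-name claim
     * @param attributes the user attributes received from the provider
     * @return the account, or {@code null} when no account exists for that user name
     * @throws SquashOidcAuthenticationException if the user-name claim is missing or blank
     */
    private UserDetails findUserDetailsByLoginIfExists(OAuth2ClientProperties.Provider provider, Map<String, Object> attributes) {
        String username = stringClaim(attributes, provider.getUserNameAttribute());
        if (username == null || username.isBlank()) {
            throw new SquashOidcAuthenticationException(ACCESS_DENIED, new AccessDeniedException("Your permissions could not be verified since no username claim was received from the Identity Provider. If this is an error, please contact your administrator."));
        }
        try {
            return userDetailsService.loadUserByUsername(username);
        } catch (UsernameNotFoundException e) {
            // A missing account is an expected outcome here, not an error: the user gets created later.
            LOGGER.info("No user with the username {} was found. A new user will be created.", username, e);
            return null;
        }
    }

    /**
     * Completes the provider properties of a {@link CommonOAuth2Provider} registration with the
     * issuer URI known to Spring Security, when none was configured explicitly.
     *
     * <p>A {@link ClientRegistration} is built only to read the defaults; explicitly configured
     * authorization and token URIs take precedence over those defaults.
     *
     * @param provider the provider properties to complete (mutated when the issuer URI is missing)
     * @param registration the registration entry whose id names the common provider
     */
    private void retrieveAdditionalProviderInformationForCommonOAuth2Providers(OAuth2ClientProperties.Provider provider, Map.Entry<String, OAuth2ClientProperties.Registration> registration) {
        String registrationId = registration.getKey();
        OAuth2ClientProperties.Registration properties = registration.getValue();
        ClientRegistration.Builder builder = CommonOAuth2Provider.valueOf(commonProviderName(registrationId)).getBuilder(registrationId);
        builder.clientId(properties.getClientId());
        builder.clientSecret(properties.getClientSecret());
        if (provider.getAuthorizationUri() != null) {
            builder.authorizationUri(provider.getAuthorizationUri());
        }
        if (provider.getTokenUri() != null) {
            builder.tokenUri(provider.getTokenUri());
        }
        ClientRegistration defaults = builder.build();
        if (provider.getIssuerUri() == null) {
            provider.setIssuerUri(defaults.getProviderDetails().getIssuerUri());
        }
    }
}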
