package io.gravitee.am.gateway.handler.common.vertx.web.handler;

import io.gravitee.am.common.exception.authentication.AccountDisabledException;
import io.gravitee.am.common.exception.authentication.AccountIllegalStateException;
import io.gravitee.am.common.exception.authentication.AccountLockedException;
import io.gravitee.am.common.exception.authentication.AccountStatusException;
import io.gravitee.am.common.exception.oauth2.InvalidRequestException;
import io.gravitee.am.gateway.handler.common.client.ClientSyncService;
import io.gravitee.am.gateway.handler.common.vertx.web.handler.impl.CookieSession;
import io.gravitee.am.model.Domain;
import io.gravitee.am.model.User;
import io.gravitee.am.model.account.AccountSettings;
import io.gravitee.am.model.oidc.Client;
import io.gravitee.am.repository.management.api.search.LoginAttemptCriteria;
import io.gravitee.am.service.AuthenticationFlowContextService;
import io.gravitee.am.service.LoginAttemptService;
import io.reactivex.rxjava3.core.Completable;
import io.reactivex.rxjava3.core.Maybe;
import io.reactivex.rxjava3.core.Single;
import io.vertx.core.AsyncResult;
import io.vertx.core.Future;
import io.vertx.core.Handler;
import io.vertx.ext.web.handler.HttpException;
import io.vertx.rxjava3.ext.web.RoutingContext;
import java.util.HashMap;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/gravitee/am/gateway/handler/common/vertx/web/handler/SSOSessionHandler.class */
public class SSOSessionHandler implements Handler<RoutingContext> {
    private static final Logger LOGGER = LoggerFactory.getLogger(SSOSessionHandler.class);
    private ClientSyncService clientSyncService;
    private AuthenticationFlowContextService authenticationFlowContextService;
    private LoginAttemptService loginAttemptService;
    private Domain domain;

    public SSOSessionHandler(ClientSyncService clientSyncService, AuthenticationFlowContextService authenticationFlowContextService, LoginAttemptService loginAttemptService, Domain domain) {
        this.clientSyncService = clientSyncService;
        this.authenticationFlowContextService = authenticationFlowContextService;
        this.loginAttemptService = loginAttemptService;
        this.domain = domain;
    }

    public void handle(RoutingContext routingContext) {
        if (routingContext.user() == null) {
            routingContext.next();
        } else {
            authorizeUser(routingContext, asyncResult -> {
                if (asyncResult.failed()) {
                    Throwable cause = asyncResult.cause();
                    LOGGER.debug("An error occurs while checking SSO Session upon the current user : {}", routingContext.user().principal(), cause);
                    if (cause instanceof AccountStatusException) {
                        this.authenticationFlowContextService.clearContext((String) routingContext.session().get("tid")).doOnError(th -> {
                            LOGGER.info("Deletion of some authentication flow data fails '{}'", th.getMessage());
                        }).subscribe();
                        routingContext.clearUser();
                        routingContext.session().destroy();
                    } else if (cause instanceof InvalidRequestException) {
                        routingContext.fail(new HttpException(403, "Invalid request for the current SSO context"));
                        return;
                    }
                }
                routingContext.next();
            });
        }
    }

    private void authorizeUser(RoutingContext routingContext, Handler<AsyncResult<Void>> handler) {
        User user = ((io.gravitee.am.gateway.handler.common.vertx.web.auth.user.User) routingContext.user().getDelegate()).getUser();
        checkAccountStatus(routingContext, user, asyncResult -> {
            if (asyncResult.failed()) {
                handler.handle(Future.failedFuture(asyncResult.cause()));
            } else {
                checkClient(routingContext, user, asyncResult -> {
                    if (asyncResult.failed()) {
                        handler.handle(Future.failedFuture(asyncResult.cause()));
                    } else {
                        handler.handle(Future.succeededFuture());
                    }
                });
            }
        });
    }

    private void checkAccountStatus(RoutingContext routingContext, User user, Handler<AsyncResult<Void>> handler) {
        if (!user.isEnabled().booleanValue()) {
            handler.handle(Future.failedFuture(new AccountDisabledException(user.getId())));
            return;
        }
        CookieSession delegate = routingContext.session().getDelegate();
        List of = List.of(Optional.ofNullable(user.getLastPasswordReset()), Optional.ofNullable(user.getLastUsernameReset()), Optional.ofNullable(user.getLastLogoutAt()));
        long time = delegate.lastLogin().getTime();
        if (of.stream().filter((v0) -> {
            return v0.isPresent();
        }).map((v0) -> {
            return v0.get();
        }).map((v0) -> {
            return v0.getTime();
        }).anyMatch(l -> {
            return l.longValue() - time > 1000;
        })) {
            handler.handle(Future.failedFuture(new AccountIllegalStateException(user.getId())));
        } else {
            handler.handle(Future.succeededFuture());
        }
    }

    private void checkClient(RoutingContext routingContext, User user, Handler<AsyncResult<Void>> handler) {
        String param = routingContext.request().getParam("client_id");
        if (param == null) {
            handler.handle(Future.succeededFuture());
        } else if (user.getClient() == null) {
            handler.handle(Future.succeededFuture());
        } else {
            Single.zip(getClient(param), getClient(user.getClient()), (optional, optional2) -> {
                Client client = (Client) optional.get();
                Client client2 = (Client) optional2.get();
                if (client != null && client2 != null && !client2.getId().equals(client.getId())) {
                    Set set = (Set) ((List) Optional.ofNullable(user.getIdentities()).orElseGet(List::of)).stream().map((v0) -> {
                        return v0.getProviderId();
                    }).collect(Collectors.toSet());
                    set.add(user.getSource());
                    if (!Objects.nonNull(client.getIdentityProviders()) || !client.getIdentityProviders().stream().anyMatch(applicationIdentityProvider -> {
                        return set.contains(applicationIdentityProvider.getIdentity());
                    })) {
                        throw new InvalidRequestException("User is not on a shared identity provider");
                    }
                    AccountSettings accountSettings = AccountSettings.getInstance(this.domain, client);
                    if (accountSettings == null || !accountSettings.isLoginAttemptsDetectionEnabled()) {
                        return Completable.complete();
                    }
                    return this.loginAttemptService.checkAccount(new LoginAttemptCriteria.Builder().domain(this.domain.getId()).client(client.getId()).identityProvider(user.getSource()).username(user.getUsername()).build(), accountSettings).map(loginAttempt -> {
                        if (!loginAttempt.isAccountLocked(accountSettings.getMaxLoginAttempts().intValue())) {
                            return loginAttempt;
                        }
                        HashMap hashMap = new HashMap();
                        hashMap.put("attempt_id", loginAttempt.getId());
                        throw new AccountLockedException("User " + user.getUsername() + " is locked", hashMap);
                    }).ignoreElement();
                }
                return Completable.complete();
            }).subscribe(completable -> {
                completable.subscribe(() -> {
                    handler.handle(Future.succeededFuture());
                }, th -> {
                    handler.handle(Future.failedFuture(th));
                });
            }, th -> {
                handler.handle(Future.failedFuture(th));
            });
        }
    }

    private Single<Optional<Client>> getClient(String str) {
        return this.clientSyncService.findById(str).switchIfEmpty(Maybe.defer(() -> {
            return this.clientSyncService.findByClientId(str);
        })).map((v0) -> {
            return Optional.ofNullable(v0);
        }).defaultIfEmpty(Optional.empty());
    }
}
