package io.gravitee.am.gateway.handler.common.auth.user.impl;

import com.google.common.base.Strings;
import io.gravitee.am.common.exception.authentication.AccountLockedException;
import io.gravitee.am.common.exception.authentication.AccountPasswordExpiredException;
import io.gravitee.am.common.exception.authentication.AccountStatusException;
import io.gravitee.am.common.exception.authentication.BadCredentialsException;
import io.gravitee.am.common.exception.authentication.InternalAuthenticationServiceException;
import io.gravitee.am.common.exception.authentication.NegotiateContinueException;
import io.gravitee.am.common.exception.authentication.UsernameNotFoundException;
import io.gravitee.am.gateway.handler.common.auth.AuthenticationDetails;
import io.gravitee.am.gateway.handler.common.auth.event.AuthenticationEvent;
import io.gravitee.am.gateway.handler.common.auth.idp.IdentityProviderManager;
import io.gravitee.am.gateway.handler.common.auth.user.EndUserAuthentication;
import io.gravitee.am.gateway.handler.common.auth.user.UserAuthenticationManager;
import io.gravitee.am.gateway.handler.common.auth.user.UserAuthenticationService;
import io.gravitee.am.gateway.handler.common.user.UserService;
import io.gravitee.am.identityprovider.api.Authentication;
import io.gravitee.am.identityprovider.api.DefaultUser;
import io.gravitee.am.identityprovider.api.User;
import io.gravitee.am.model.Domain;
import io.gravitee.am.model.IdentityProvider;
import io.gravitee.am.model.LoginAttempt;
import io.gravitee.am.model.account.AccountSettings;
import io.gravitee.am.model.idp.ApplicationIdentityProvider;
import io.gravitee.am.model.oidc.Client;
import io.gravitee.am.monitoring.provider.GatewayMetricProvider;
import io.gravitee.am.repository.management.api.search.LoginAttemptCriteria;
import io.gravitee.am.service.LoginAttemptService;
import io.gravitee.am.service.PasswordService;
import io.gravitee.am.service.authentication.crypto.password.bcrypt.BCryptPasswordEncoder;
import io.gravitee.common.event.EventManager;
import io.gravitee.el.TemplateEngine;
import io.gravitee.gateway.api.Request;
import io.reactivex.rxjava3.core.Completable;
import io.reactivex.rxjava3.core.Maybe;
import io.reactivex.rxjava3.core.Observable;
import io.reactivex.rxjava3.core.Single;
import java.util.HashMap;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Collectors;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;

/* loaded from: input_file:io/gravitee/am/gateway/handler/common/auth/user/impl/UserAuthenticationManagerImpl.class */
public class UserAuthenticationManagerImpl implements UserAuthenticationManager {

    @Autowired
    private Domain domain;

    @Autowired
    private IdentityProviderManager identityProviderManager;

    @Autowired
    private EventManager eventManager;

    @Autowired
    private LoginAttemptService loginAttemptService;

    @Autowired
    private UserAuthenticationService userAuthenticationService;

    @Autowired
    private UserService userService;

    @Autowired
    private PasswordService passwordService;

    @Autowired
    private GatewayMetricProvider gatewayMetricProvider;
    private final Logger logger = LoggerFactory.getLogger(UserAuthenticationManagerImpl.class);
    private BCryptPasswordEncoder bCryptPasswordEncoder = new BCryptPasswordEncoder();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/gravitee/am/gateway/handler/common/auth/user/impl/UserAuthenticationManagerImpl$UserAuthentication.class */
    public class UserAuthentication {
        private User user;
        private Throwable lastException;

        public UserAuthentication() {
        }

        public UserAuthentication(User user, Throwable th) {
            this.user = user;
            this.lastException = th;
        }

        public User getUser() {
            return this.user;
        }

        public Throwable getLastException() {
            return this.lastException;
        }
    }

    @Override // io.gravitee.am.gateway.handler.common.auth.user.UserAuthenticationManager
    public Single<io.gravitee.am.model.User> authenticate(Client client, Authentication authentication, boolean z) {
        this.logger.debug("Trying to authenticate [{}]", authentication);
        List<ApplicationIdentityProvider> applicationIdentityProviders = getApplicationIdentityProviders(client);
        if (!Objects.isNull(applicationIdentityProviders) && !applicationIdentityProviders.isEmpty()) {
            return Observable.fromIterable(applicationIdentityProviders).filter(applicationIdentityProvider -> {
                return selectionRuleMatches(applicationIdentityProvider.getSelectionRule(), authentication.copy());
            }).switchIfEmpty(Observable.error(() -> {
                return getInternalAuthenticationServiceException(client);
            })).concatMapMaybe(applicationIdentityProvider2 -> {
                return authenticate0(client, authentication.copy(), applicationIdentityProvider2.getIdentity(), z);
            }).takeUntil(userAuthentication -> {
                return userAuthentication.getUser() != null || (userAuthentication.getLastException() instanceof AccountLockedException);
            }).lastOrError().flatMap(userAuthentication2 -> {
                User user = userAuthentication2.getUser();
                if (user != null) {
                    return connect(user, client, authentication.getContext().request()).flatMap(user2 -> {
                        return checkAccountPasswordExpiry(client, user2);
                    });
                }
                Throwable lastException = userAuthentication2.getLastException();
                if (lastException == null) {
                    return Single.error(new BadCredentialsException("The credentials you entered are invalid"));
                }
                if (lastException instanceof BadCredentialsException) {
                    return Single.error(new BadCredentialsException("The credentials you entered are invalid", lastException));
                }
                if (lastException instanceof UsernameNotFoundException) {
                    this.bCryptPasswordEncoder.matches(authentication.getCredentials().toString(), "$2a$10$hdjt9YGrSudbIljTqAtcW.KOxNJscq00Nxv088wPy6GDKXCJe0aCm");
                    return Single.error(new BadCredentialsException("The credentials you entered are invalid", lastException));
                }
                if (!(lastException instanceof AccountStatusException) && !(lastException instanceof NegotiateContinueException)) {
                    this.logger.error("An error occurs during user authentication", lastException);
                    return Single.error(new InternalAuthenticationServiceException("Unable to validate credentials. The user account you are trying to access may be experiencing a problem.", lastException));
                }
                return Single.error(lastException);
            }).doOnSuccess(user -> {
                this.gatewayMetricProvider.incrementSuccessfulAuth(false);
                this.eventManager.publishEvent(AuthenticationEvent.SUCCESS, new AuthenticationDetails(authentication, this.domain, client, user));
            }).doOnError(th -> {
                this.gatewayMetricProvider.incrementFailedAuth(false);
                this.eventManager.publishEvent(AuthenticationEvent.FAILURE, new AuthenticationDetails(authentication, this.domain, client, th));
            });
        }
        InternalAuthenticationServiceException internalAuthenticationServiceException = getInternalAuthenticationServiceException(client);
        this.eventManager.publishEvent(AuthenticationEvent.FAILURE, new AuthenticationDetails(authentication, this.domain, client, (Throwable) internalAuthenticationServiceException));
        return Single.error(internalAuthenticationServiceException);
    }

    @Override // io.gravitee.am.gateway.handler.common.auth.user.UserAuthenticationManager
    public Maybe<io.gravitee.am.model.User> loadPreAuthenticatedUser(String str, Request request) {
        return this.userAuthenticationService.loadPreAuthenticatedUser(str, request);
    }

    @Override // io.gravitee.am.gateway.handler.common.auth.user.UserAuthenticationManager
    public Single<io.gravitee.am.model.User> connect(User user, Client client, Request request, boolean z) {
        return this.userAuthenticationService.connect(user, client, request, z);
    }

    @Override // io.gravitee.am.gateway.handler.common.auth.user.UserAuthenticationManager
    public Single<io.gravitee.am.model.User> connectWithPasswordless(Client client, String str, Authentication authentication) {
        return this.userAuthenticationService.connectWithPasswordless(str, client).doOnSuccess(user -> {
            this.eventManager.publishEvent(AuthenticationEvent.SUCCESS, new AuthenticationDetails(authentication, this.domain, client, user));
        }).doOnError(th -> {
            this.eventManager.publishEvent(AuthenticationEvent.FAILURE, new AuthenticationDetails(authentication, this.domain, client, th));
        });
    }

    private Maybe<UserAuthentication> authenticate0(Client client, Authentication authentication, String str, boolean z) {
        return loadUserByUsername0(client, authentication, str, z).flatMap(userAuthentication -> {
            return postAuthentication(client, authentication, str, userAuthentication).andThen(Maybe.just(userAuthentication));
        });
    }

    private Maybe<UserAuthentication> loadUserByUsername0(Client client, Authentication authentication, String str, boolean z) {
        return this.identityProviderManager.get(str).switchIfEmpty(Maybe.error(() -> {
            return new BadCredentialsException("Unable to load authentication provider " + str + ", an error occurred during the initialization stage");
        })).flatMap(authenticationProvider -> {
            this.logger.debug("Authentication attempt using identity provider {} ({})", authenticationProvider, authenticationProvider.getClass().getName());
            return Maybe.just(Boolean.valueOf(z)).flatMap(bool -> {
                if (!bool.booleanValue()) {
                    return authenticationProvider.loadUserByUsername(authentication);
                }
                String obj = authentication.getPrincipal().toString();
                return this.userService.findByDomainAndUsernameAndSource(this.domain.getId(), obj, str).switchIfEmpty(Maybe.error(() -> {
                    return new UsernameNotFoundException(obj);
                })).flatMap(user -> {
                    return authenticationProvider.loadPreAuthenticatedUser(new EndUserAuthentication(user, null, authentication.getContext()));
                });
            }).switchIfEmpty(Maybe.error(() -> {
                return new UsernameNotFoundException(authentication.getPrincipal().toString());
            }));
        }).map(user -> {
            this.logger.debug("Successfully Authenticated: " + authentication.getPrincipal() + " with provider authentication provider " + str);
            HashMap hashMap = user.getAdditionalInformation() == null ? new HashMap() : new HashMap(user.getAdditionalInformation());
            hashMap.put("source", str);
            hashMap.put("client_id", client.getId());
            ((DefaultUser) user).setAdditionalInformation(hashMap);
            return new UserAuthentication(user, null);
        }).onErrorResumeNext(th -> {
            this.logger.debug("Unable to authenticate [{}] with authentication provider [{}]", new Object[]{authentication.getPrincipal(), str, th});
            return Maybe.just(new UserAuthentication(null, th));
        });
    }

    private Completable postAuthentication(Client client, Authentication authentication, String str, UserAuthentication userAuthentication) {
        return postAuthentication(client, (String) Optional.ofNullable(authentication.getContext()).map(authenticationContext -> {
            return (String) authenticationContext.get("actual_username");
        }).orElse(authentication.getPrincipal().toString()), str, userAuthentication);
    }

    private Completable postAuthentication(Client client, String str, String str2, UserAuthentication userAuthentication) {
        AccountSettings accountSettings = AccountSettings.getInstance(this.domain, client);
        if (accountSettings == null || !accountSettings.isLoginAttemptsDetectionEnabled()) {
            return Completable.complete();
        }
        LoginAttemptCriteria build = new LoginAttemptCriteria.Builder().domain(this.domain.getId()).client(client.getId()).identityProvider(str2).username(str).build();
        return this.loginAttemptService.checkAccount(build, accountSettings).map((v0) -> {
            return Optional.of(v0);
        }).defaultIfEmpty(Optional.empty()).flatMapCompletable(optional -> {
            if (!optional.isPresent() || !((LoginAttempt) optional.get()).isAccountLocked(accountSettings.getMaxLoginAttempts().intValue())) {
                return userAuthentication.getLastException() == null ? this.loginAttemptService.loginSucceeded(build) : userAuthentication.getLastException() instanceof BadCredentialsException ? this.userService.findByDomainAndUsernameAndSource(build.domain(), build.username(), build.identityProvider(), true).flatMapCompletable(user -> {
                    return this.loginAttemptService.loginFailed(build, accountSettings).flatMapCompletable(loginAttempt -> {
                        return loginAttempt.isAccountLocked(accountSettings.getMaxLoginAttempts().intValue()) ? this.userAuthenticationService.lockAccount(build, accountSettings, client, user) : Completable.complete();
                    });
                }) : Completable.complete();
            }
            HashMap hashMap = new HashMap();
            hashMap.put("attempt_id", ((LoginAttempt) optional.get()).getId());
            return Completable.error(new AccountLockedException("User " + str + " is locked", hashMap));
        });
    }

    private Single<io.gravitee.am.model.User> checkAccountPasswordExpiry(Client client, io.gravitee.am.model.User user) {
        return this.passwordService.checkAccountPasswordExpiry(user, client, this.domain) ? Single.error(new AccountPasswordExpiredException("Account's password is expired ")) : Single.just(user);
    }

    private List<ApplicationIdentityProvider> getApplicationIdentityProviders(Client client) {
        return Objects.isNull(client.getIdentityProviders()) ? List.of() : (List) client.getIdentityProviders().stream().filter(applicationIdentityProvider -> {
            IdentityProvider identityProvider = this.identityProviderManager.getIdentityProvider(applicationIdentityProvider.getIdentity());
            return Objects.nonNull(identityProvider) && !identityProvider.isExternal();
        }).collect(Collectors.toList());
    }

    private boolean selectionRuleMatches(String str, Authentication authentication) {
        try {
            if (Strings.isNullOrEmpty(str) || str.isBlank()) {
                return true;
            }
            TemplateEngine templateEngine = authentication.getContext().getTemplateEngine();
            if (templateEngine != null) {
                if (((Boolean) templateEngine.getValue(str.trim(), Boolean.class)).booleanValue()) {
                    return true;
                }
            }
            return false;
        } catch (Exception e) {
            this.logger.warn("Cannot evaluate the expression [{}] as boolean", str);
            return false;
        }
    }

    private InternalAuthenticationServiceException getInternalAuthenticationServiceException(Client client) {
        return new InternalAuthenticationServiceException("No identity provider found for client : " + client.getClientId());
    }
}
