package one.microproject.iamservice.core.services.impl;

import io.jsonwebtoken.impl.DefaultClaims;
import java.net.URI;
import java.util.Date;
import java.util.Optional;
import java.util.UUID;
import one.microproject.iamservice.core.IAMUtils;
import one.microproject.iamservice.core.TokenValidator;
import one.microproject.iamservice.core.dto.Code;
import one.microproject.iamservice.core.dto.StandardTokenClaims;
import one.microproject.iamservice.core.dto.TokenResponse;
import one.microproject.iamservice.core.model.Client;
import one.microproject.iamservice.core.model.ClientCredentials;
import one.microproject.iamservice.core.model.ClientId;
import one.microproject.iamservice.core.model.Credentials;
import one.microproject.iamservice.core.model.JWToken;
import one.microproject.iamservice.core.model.OrganizationId;
import one.microproject.iamservice.core.model.PKCEMethod;
import one.microproject.iamservice.core.model.Project;
import one.microproject.iamservice.core.model.ProjectId;
import one.microproject.iamservice.core.model.TokenType;
import one.microproject.iamservice.core.model.User;
import one.microproject.iamservice.core.model.UserId;
import one.microproject.iamservice.core.model.extensions.authentication.up.UPAuthenticationRequest;
import one.microproject.iamservice.core.model.extensions.authentication.up.UPCredentials;
import one.microproject.iamservice.core.services.AuthenticationService;
import one.microproject.iamservice.core.services.TokenGenerator;
import one.microproject.iamservice.core.services.caches.AuthorizationCodeCache;
import one.microproject.iamservice.core.services.caches.ModelCache;
import one.microproject.iamservice.core.services.caches.TokenCache;
import one.microproject.iamservice.core.services.dto.AuthorizationCode;
import one.microproject.iamservice.core.services.dto.AuthorizationCodeContext;
import one.microproject.iamservice.core.services.dto.IdTokenRequest;
import one.microproject.iamservice.core.services.dto.RevokeTokenRequest;
import one.microproject.iamservice.core.services.dto.Scope;
import one.microproject.iamservice.core.services.dto.UserInfoResponse;
import one.microproject.iamservice.core.utils.TokenUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:one/microproject/iamservice/core/services/impl/AuthenticationServiceImpl.class */
public class AuthenticationServiceImpl implements AuthenticationService {
    private static final Logger LOG = LoggerFactory.getLogger(AuthenticationServiceImpl.class);
    private final ModelCache modelCache;
    private final TokenCache tokenCache;
    private final AuthorizationCodeCache codeCache;
    private final TokenGenerator tokenGenerator;
    private final TokenValidator tokenValidator;

    public AuthenticationServiceImpl(ModelCache modelCache, TokenCache tokenCache, AuthorizationCodeCache authorizationCodeCache, TokenGenerator tokenGenerator, TokenValidator tokenValidator) {
        this.modelCache = modelCache;
        this.tokenCache = tokenCache;
        this.codeCache = authorizationCodeCache;
        this.tokenGenerator = tokenGenerator;
        this.tokenValidator = tokenValidator;
    }

    @Override // one.microproject.iamservice.core.services.AuthenticationService
    public Optional<TokenResponse> authenticate(URI uri, OrganizationId organizationId, ProjectId projectId, ClientCredentials clientCredentials, Scope scope, UPAuthenticationRequest uPAuthenticationRequest, IdTokenRequest idTokenRequest) {
        Optional<Project> project = this.modelCache.getProject(organizationId, projectId);
        if (!project.isPresent()) {
            LOG.info("Organization/Project {}/{} not found", organizationId, projectId);
            return Optional.empty();
        }
        Optional<Client> client = this.modelCache.getClient(organizationId, projectId, clientCredentials.getId());
        if (client.isPresent() && Boolean.FALSE.equals(client.get().getProperties().getPasswordCredentialsEnabled())) {
            LOG.info("Invalid flow for client {} !", client.get().getId());
            return Optional.empty();
        }
        ClientCredentials clientCredentials2 = uPAuthenticationRequest.getClientCredentials();
        if (!this.modelCache.verifyClientCredentials(organizationId, projectId, clientCredentials2)) {
            LOG.info("Invalid client {} credentials !", clientCredentials2.getId());
            return Optional.empty();
        }
        Optional<User> user = this.modelCache.getUser(organizationId, projectId, uPAuthenticationRequest.getUserId());
        if (user.isPresent()) {
            User user2 = user.get();
            Optional<Credentials> credentials = user2.getCredentials(uPAuthenticationRequest.getCredentialsType());
            if (credentials.isPresent() && credentials.get().verify(uPAuthenticationRequest)) {
                return Optional.of(this.tokenGenerator.generate(uri, organizationId, project.get(), user2, this.modelCache.getPermissions(organizationId, projectId, user2.getId()), uPAuthenticationRequest.getScope(), uPAuthenticationRequest.getClientCredentials().getId(), idTokenRequest));
            }
        } else {
            LOG.info("JWT subject {} not found", uPAuthenticationRequest.getUserId());
        }
        return Optional.empty();
    }

    @Override // one.microproject.iamservice.core.services.AuthenticationService
    public Optional<TokenResponse> authenticate(URI uri, OrganizationId organizationId, ProjectId projectId, ClientCredentials clientCredentials, Scope scope, IdTokenRequest idTokenRequest) {
        Optional<Project> project = this.modelCache.getProject(organizationId, projectId);
        if (project.isPresent()) {
            Optional<Client> client = this.modelCache.getClient(organizationId, projectId, clientCredentials.getId());
            if (!client.isPresent()) {
                LOG.info("ClientId {} not found within Organization/Project {}/{}", new Object[]{clientCredentials.getId(), organizationId, projectId});
            } else {
                if (Boolean.FALSE.equals(client.get().getProperties().getClientCredentialsEnabled())) {
                    LOG.info("Invalid flow for client {} !", client.get().getId());
                    return Optional.empty();
                }
                if (this.modelCache.verifyClientCredentials(organizationId, projectId, clientCredentials)) {
                    Client client2 = client.get();
                    return Optional.of(this.tokenGenerator.generate(uri, organizationId, project.get(), this.modelCache.getPermissions(organizationId, projectId, client2.getId()), client2, scope, idTokenRequest));
                }
                LOG.info("Client {} credentials invalid !", clientCredentials.getId());
            }
        } else {
            LOG.info("Organization/Project {}/{} not found", organizationId, projectId);
        }
        return Optional.empty();
    }

    @Override // one.microproject.iamservice.core.services.AuthenticationService
    public Optional<TokenResponse> refreshTokens(OrganizationId organizationId, ProjectId projectId, JWToken jWToken, ClientCredentials clientCredentials, Scope scope, IdTokenRequest idTokenRequest) {
        if (this.tokenCache.isRevoked(jWToken)) {
            LOG.info("JWT is revoked {}", jWToken);
        } else {
            Optional<Project> project = this.modelCache.getProject(organizationId, projectId);
            if (!project.isPresent()) {
                LOG.info("Organization/Project {}/{} not found", organizationId, projectId);
                return Optional.empty();
            }
            if (!this.modelCache.verifyClientCredentials(organizationId, projectId, clientCredentials)) {
                LOG.info("Invalid client {} credentials !", clientCredentials.getId());
                return Optional.empty();
            }
            String subject = TokenUtils.extractClaims(jWToken).getSubject();
            Optional<User> user = this.modelCache.getUser(organizationId, projectId, UserId.from(subject));
            if (user.isPresent()) {
                User user2 = user.get();
                Optional validateToken = this.tokenValidator.validateToken(user2.getCertificate().getPublicKey(), jWToken);
                LOG.info("JWT verified={}", Boolean.valueOf(validateToken.isPresent()));
                if (validateToken.isPresent()) {
                    try {
                        StandardTokenClaims standardTokenClaims = (StandardTokenClaims) validateToken.get();
                        if (TokenType.REFRESH.equals(standardTokenClaims.getType())) {
                            return Optional.of(this.tokenGenerator.generate(standardTokenClaims.getIssuerUri(), organizationId, project.get(), user2, this.modelCache.getPermissions(organizationId, projectId, user2.getId()), scope, clientCredentials.getId(), idTokenRequest));
                        }
                        LOG.info("Invalid JWT type {}, expected type {}", standardTokenClaims.getType(), TokenType.BEARER.getType());
                    } catch (Exception e) {
                        LOG.warn("Exception: {}", e.getMessage());
                    }
                } else {
                    LOG.warn("JWT is invalid !");
                }
            } else {
                Optional<Client> client = this.modelCache.getClient(organizationId, projectId, clientCredentials.getId());
                if (!client.isPresent()) {
                    LOG.info("ClientId {} not found within Organization/Project {}/{}", new Object[]{clientCredentials.getId(), organizationId, projectId});
                } else if (this.modelCache.verifyClientCredentials(organizationId, projectId, clientCredentials)) {
                    try {
                        Client client2 = client.get();
                        Project project2 = project.get();
                        Optional validateToken2 = this.tokenValidator.validateToken(project.get().getCertificate().getPublicKey(), jWToken);
                        LOG.info("JWT verified={}", Boolean.valueOf(validateToken2.isPresent()));
                        if (validateToken2.isPresent()) {
                            return Optional.of(this.tokenGenerator.generate(((StandardTokenClaims) validateToken2.get()).getIssuerUri(), organizationId, project2, this.modelCache.getPermissions(organizationId, projectId, client2.getId()), client2, scope, idTokenRequest));
                        }
                        LOG.warn("JWT is invalid !");
                    } catch (Exception e2) {
                        LOG.warn("Exception: {}", e2.getMessage());
                    }
                } else {
                    LOG.info("Client {} credentials invalid !", clientCredentials.getId());
                }
                LOG.info("JWT subject {} not found", subject);
            }
        }
        return Optional.empty();
    }

    @Override // one.microproject.iamservice.core.services.AuthenticationService
    public Optional<TokenResponse> authenticate(Code code, IdTokenRequest idTokenRequest) {
        Optional<AuthorizationCodeContext> optional = this.codeCache.get(code);
        if (optional.isPresent()) {
            AuthorizationCodeContext authorizationCodeContext = optional.get();
            Optional<Client> client = this.modelCache.getClient(authorizationCodeContext.getOrganizationId(), authorizationCodeContext.getProjectId(), authorizationCodeContext.getClientId());
            if (client.isPresent() && Boolean.FALSE.equals(client.get().getProperties().getAuthorizationCodeGrantEnabled())) {
                LOG.info("Invalid flow for clientId {} !", client.get().getId());
                return Optional.empty();
            }
            Optional<User> user = this.modelCache.getUser(authorizationCodeContext.getOrganizationId(), authorizationCodeContext.getProjectId(), authorizationCodeContext.getUserId());
            if (user.isPresent()) {
                User user2 = user.get();
                if (!TokenUtils.isPKCEEnabled(authorizationCodeContext.getCodeChallenge(), idTokenRequest.getCodeVerifier())) {
                    LOG.info("PKCE disabled");
                    return Optional.of(this.tokenGenerator.generate(authorizationCodeContext, user2, idTokenRequest));
                }
                if (IAMUtils.verifyPKCE(authorizationCodeContext.getCodeChallenge(), authorizationCodeContext.getCodeChallengeMethod(), idTokenRequest.getCodeVerifier())) {
                    LOG.info("PKCE OK code_challenge={} method={} code_verifier={}", new Object[]{authorizationCodeContext.getCodeChallenge(), authorizationCodeContext.getCodeChallengeMethod(), idTokenRequest.getCodeVerifier()});
                    return Optional.of(this.tokenGenerator.generate(authorizationCodeContext, user2, idTokenRequest));
                }
                LOG.info("PKCE verification failed for code_challenge={} method={} code_verifier={}", new Object[]{authorizationCodeContext.getCodeChallenge(), authorizationCodeContext.getCodeChallengeMethod(), idTokenRequest.getCodeVerifier()});
            } else {
                LOG.info("User {} not found", authorizationCodeContext.getUserId());
            }
        }
        return Optional.empty();
    }

    @Override // one.microproject.iamservice.core.services.AuthenticationService
    public Optional<AuthorizationCodeContext> setScope(Code code, Scope scope) {
        return this.codeCache.setScope(code, scope);
    }

    @Override // one.microproject.iamservice.core.services.AuthenticationService
    public Optional<AuthorizationCode> login(URI uri, OrganizationId organizationId, ProjectId projectId, UserId userId, ClientId clientId, String str, Scope scope, String str2, String str3, String str4, PKCEMethod pKCEMethod) {
        Optional<Project> project = this.modelCache.getProject(organizationId, projectId);
        if (!project.isPresent()) {
            LOG.info("Organization/Project {}/{} not found", organizationId, projectId);
            return Optional.empty();
        }
        Optional<Client> client = this.modelCache.getClient(organizationId, projectId, clientId);
        if (!client.isPresent()) {
            LOG.info("Invalid clientId {} !", clientId);
            return Optional.empty();
        }
        if (Boolean.FALSE.equals(client.get().getProperties().getAuthorizationCodeGrantEnabled())) {
            LOG.info("Invalid flow for clientId {} !", clientId);
            return Optional.empty();
        }
        Optional<User> user = this.modelCache.getUser(organizationId, projectId, userId);
        if (user.isPresent()) {
            User user2 = user.get();
            Optional<Credentials> credentials = user2.getCredentials(UPCredentials.class);
            if (credentials.isPresent()) {
                if (credentials.get().verify(new UPAuthenticationRequest(userId, str, scope, null))) {
                    Scope filterScopes = TokenUtils.filterScopes(this.modelCache.getPermissions(organizationId, projectId, user2.getId()), scope);
                    Code from = Code.from(UUID.randomUUID().toString());
                    return Optional.of(this.codeCache.save(from, new AuthorizationCodeContext(from, uri, organizationId, projectId, clientId, userId, str2, new Date(), filterScopes, project.get().getAudience(), str3, str4, pKCEMethod)));
                }
            }
        } else {
            LOG.info("JWT subject {} not found", userId);
        }
        return Optional.empty();
    }

    @Override // one.microproject.iamservice.core.services.AuthenticationService
    public boolean revoke(OrganizationId organizationId, ProjectId projectId, RevokeTokenRequest revokeTokenRequest) {
        JWToken token = revokeTokenRequest.getToken();
        DefaultClaims extractClaims = TokenUtils.extractClaims(token);
        String subject = extractClaims.getSubject();
        Optional<User> user = this.modelCache.getUser(organizationId, projectId, UserId.from(subject));
        if (user.isPresent()) {
            Optional validateToken = this.tokenValidator.validateToken(user.get().getCertificate().getPublicKey(), token);
            LOG.info("JWT verified={}", Boolean.valueOf(validateToken.isPresent()));
            if (!validateToken.isPresent()) {
                return false;
            }
            this.tokenCache.addRevokedToken(token);
            return true;
        }
        Optional<Client> client = this.modelCache.getClient(organizationId, projectId, ClientId.from(extractClaims.getSubject()));
        Optional<Project> project = this.modelCache.getProject(organizationId, projectId);
        if (project.isPresent() && client.isPresent()) {
            Optional validateToken2 = this.tokenValidator.validateToken(project.get().getCertificate().getPublicKey(), token);
            LOG.info("JWT verified={}", Boolean.valueOf(validateToken2.isPresent()));
            if (validateToken2.isPresent()) {
                this.tokenCache.addRevokedToken(token);
                return true;
            }
        }
        LOG.info("JWT subject {} not found", subject);
        return false;
    }

    @Override // one.microproject.iamservice.core.services.AuthenticationService
    public Optional<UserInfoResponse> getUserInfo(OrganizationId organizationId, ProjectId projectId, JWToken jWToken) {
        if (!this.tokenCache.isRevoked(jWToken)) {
            Optional<User> user = this.modelCache.getUser(organizationId, projectId, UserId.from(TokenUtils.extractClaims(jWToken).getSubject()));
            if (user.isPresent()) {
                Optional validateToken = this.tokenValidator.validateToken(user.get().getKeyPairData().getPublicKey(), jWToken);
                if (validateToken.isPresent()) {
                    StandardTokenClaims standardTokenClaims = (StandardTokenClaims) validateToken.get();
                    if (standardTokenClaims.getSubject().equals(user.get().getId().getId()) && TokenType.BEARER.equals(standardTokenClaims.getType())) {
                        return Optional.of(new UserInfoResponse(user.get().getId().getId()));
                    }
                }
            }
        }
        return Optional.empty();
    }
}
