package org.cloudfoundry.identity.uaa.invitations;

import java.net.MalformedURLException;
import java.net.URL;
import java.sql.Timestamp;
import java.util.HashMap;
import java.util.List;
import org.cloudfoundry.identity.uaa.codestore.ExpiringCodeStore;
import org.cloudfoundry.identity.uaa.codestore.ExpiringCodeType;
import org.cloudfoundry.identity.uaa.error.UaaException;
import org.cloudfoundry.identity.uaa.provider.IdentityProvider;
import org.cloudfoundry.identity.uaa.provider.IdentityProviderProvisioning;
import org.cloudfoundry.identity.uaa.scim.ScimUser;
import org.cloudfoundry.identity.uaa.scim.ScimUserProvisioning;
import org.cloudfoundry.identity.uaa.scim.exception.ScimResourceConflictException;
import org.cloudfoundry.identity.uaa.util.DomainFilter;
import org.cloudfoundry.identity.uaa.util.JsonUtils;
import org.cloudfoundry.identity.uaa.util.UaaUrlUtils;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.common.util.OAuth2Utils;
import org.springframework.security.oauth2.common.util.RandomValueStringGenerator;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

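@Controller
/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-3.4.5.jar:org/cloudfoundry/identity/uaa/invitations/InvitationsEndpoint.class */
/**
 * REST endpoint that creates invitations for a batch of e-mail addresses.
 *
 * <p>For each address the endpoint resolves exactly one identity provider, finds or creates
 * the matching user, and stores the invitation data behind an expiring code. The link that
 * carries the code is returned in the response body.
 */
public class InvitationsEndpoint {
    /** Number of days an invitation code stays valid after it is generated. */
    public static final int INVITATION_EXPIRY_DAYS = 7;

    /** Invitation lifetime in milliseconds, derived from {@link #INVITATION_EXPIRY_DAYS}. */
    private static final long INVITATION_EXPIRY_MILLIS = INVITATION_EXPIRY_DAYS * 24L * 60L * 60L * 1000L;

    /** Length of the random placeholder password given to users created by an invitation. */
    private static final int PLACEHOLDER_PASSWORD_LENGTH = 12;

    private final ScimUserProvisioning users;
    private final IdentityProviderProvisioning providers;
    private final ClientDetailsService clients;
    private final ExpiringCodeStore expiringCodeStore;

    /**
     * Creates the endpoint with the collaborators it delegates to.
     *
     * @param scimUserProvisioning user lookup and creation
     * @param identityProviderProvisioning source of the zone's active identity providers
     * @param clientDetailsService lookup of the client the invitation is issued for
     * @param expiringCodeStore store that issues the invitation codes
     */
    public InvitationsEndpoint(ScimUserProvisioning scimUserProvisioning, IdentityProviderProvisioning identityProviderProvisioning, ClientDetailsService clientDetailsService, ExpiringCodeStore expiringCodeStore) {
        this.users = scimUserProvisioning;
        this.providers = identityProviderProvisioning;
        this.clients = clientDetailsService;
        this.expiringCodeStore = expiringCodeStore;
    }

    /**
     * Issues one invitation per e-mail address in the request.
     *
     * <p>An address is invited only when exactly one active identity provider matches it;
     * zero or several matches are reported as failed invites. Failures for one address do
     * not abort the batch, and the response status is always 200.
     *
     * @param invitationsRequest request body holding the e-mail addresses to invite
     * @param clientId optional {@code client_id} parameter; when absent and the caller is
     *     authenticated with an OAuth2 token, the token's client id is used
     * @param redirectUri {@code redirect_uri} parameter stored with the invitation
     * @return the successful and failed invites
     */
    @RequestMapping(value = {"/invite_users"}, method = {RequestMethod.POST}, consumes = {"application/json"})
    public ResponseEntity<InvitationsResponse> inviteUsers(@RequestBody InvitationsRequest invitationsRequest, @RequestParam(value = "client_id", required = false) String clientId, @RequestParam("redirect_uri") String redirectUri) {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        // NOTE(review): a caller-supplied client_id is used as given and is not compared with
        // the client of the access token. Confirm that inviting on behalf of another client
        // is intended, or that authorization is enforced before this method is reached.
        if (clientId == null && authentication instanceof OAuth2Authentication) {
            clientId = ((OAuth2Authentication) authentication).getOAuth2Request().getClientId();
        }

        InvitationsResponse invitationsResponse = new InvitationsResponse();
        List<IdentityProvider> activeProviders = this.providers.retrieveActive(IdentityZoneHolder.get().getId());
        ClientDetails client = this.clients.loadClientByClientId(clientId);

        for (String email : invitationsRequest.getEmails()) {
            try {
                List<IdentityProvider> matchingProviders = DomainFilter.filter(activeProviders, client, email);
                if (matchingProviders.isEmpty()) {
                    invitationsResponse.getFailedInvites().add(InvitationsResponse.failure(email, "provider.non-existent", "No authentication provider found."));
                    continue;
                }
                if (matchingProviders.size() > 1) {
                    invitationsResponse.getFailedInvites().add(InvitationsResponse.failure(email, "provider.ambiguous", "Multiple authentication providers found."));
                    continue;
                }

                ScimUser user = findOrCreateUser(email, matchingProviders.get(0).getOriginKey());
                String acceptUrl = UaaUrlUtils.getUaaUrl("/invitations/accept", !IdentityZoneHolder.isUaa());

                // NOTE(review): redirect_uri is stored exactly as received. Nothing in this
                // class checks it against the redirect URIs registered for the client, so
                // confirm that the accept flow validates it before redirecting.
                HashMap<String, String> invitationData = new HashMap<>();
                invitationData.put("user_id", user.getId());
                invitationData.put("email", user.getPrimaryEmail());
                invitationData.put("client_id", clientId);
                invitationData.put(OAuth2Utils.REDIRECT_URI, redirectUri);
                invitationData.put("origin", user.getOrigin());

                Timestamp expiresAt = new Timestamp(System.currentTimeMillis() + INVITATION_EXPIRY_MILLIS);
                String code = this.expiringCodeStore.generateCode(JsonUtils.writeValueAsString(invitationData), expiresAt, ExpiringCodeType.INVITATION.name()).getCode();
                // The link carries the invitation code, so it must not end up in logs or
                // error messages.
                String invitationLink = acceptUrl + "?code=" + code;
                try {
                    invitationsResponse.getNewInvites().add(InvitationsResponse.success(user.getPrimaryEmail(), user.getId(), user.getOrigin(), new URL(invitationLink)));
                } catch (MalformedURLException e) {
                    // The original passed the link to String.format with a pattern that has
                    // no placeholder, so the message was always this constant; keeping the
                    // constant also keeps the code out of the failure entry.
                    invitationsResponse.getFailedInvites().add(InvitationsResponse.failure(email, "invitation.exception.url", "Malformed url"));
                }
            } catch (UaaException e) {
                invitationsResponse.getFailedInvites().add(InvitationsResponse.failure(email, "invitation.exception", e.getMessage()));
            } catch (ScimResourceConflictException e) {
                invitationsResponse.getFailedInvites().add(InvitationsResponse.failure(email, "user.ambiguous", "Multiple users with the same origin matched to the email address."));
            }
        }
        return new ResponseEntity<>(invitationsResponse, HttpStatus.OK);
    }

    /**
     * Returns the user with the given e-mail address and origin, creating it when none exists.
     *
     * <p>A newly created user is unverified, active, and gets a random placeholder password.
     *
     * @param email e-mail address; trimmed and lower-cased before use
     * @param origin origin key of the identity provider that owns the user
     * @return the existing or newly created user
     * @throws ScimResourceConflictException if more than one user matches
     * @throws UaaException if the e-mail address or origin contains a character that would
     *     change the meaning of the SCIM filter
     */
    protected ScimUser findOrCreateUser(String email, String origin) {
        // Locale.ROOT keeps the normalisation independent of the server's default locale
        // (the Turkish dotless i, for example, would otherwise change the stored address).
        String normalizedEmail = email.trim().toLowerCase(java.util.Locale.ROOT);

        // The address comes straight from the request body and is spliced into a quoted
        // SCIM filter literal below, so anything that could close the literal is refused.
        requireFilterSafe(normalizedEmail, "email");
        requireFilterSafe(origin, "origin");

        List<ScimUser> matches = this.users.query(String.format("email eq \"%s\" and origin eq \"%s\"", normalizedEmail, origin));
        if (matches != null && !matches.isEmpty()) {
            if (matches.size() > 1) {
                throw new ScimResourceConflictException(String.format("Ambiguous users found for email:%s with origin:%s", normalizedEmail, origin));
            }
            return matches.get(0);
        }

        ScimUser newUser = new ScimUser(null, normalizedEmail, "", "");
        newUser.setPrimaryEmail(normalizedEmail);
        newUser.setOrigin(origin);
        newUser.setVerified(false);
        newUser.setActive(true);
        return this.users.createUser(newUser, new RandomValueStringGenerator(PLACEHOLDER_PASSWORD_LENGTH).generate());
    }

    /** Rejects a value that cannot be embedded safely inside a double-quoted SCIM filter literal. */
    private static void requireFilterSafe(String value, String fieldName) {
        if (value != null && (value.indexOf('"') >= 0 || value.indexOf('\\') >= 0)) {
            throw new UaaException("Invalid character in " + fieldName);
        }
    }
}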
