package org.alliancegenome.curation_api.auth;

import com.okta.jwt.Jwt;
import com.okta.jwt.JwtVerificationException;
import com.okta.sdk.authc.credentials.TokenClientCredentials;
import com.okta.sdk.client.Clients;
import com.okta.sdk.resource.group.Group;
import com.okta.sdk.resource.group.GroupList;
import com.okta.sdk.resource.user.User;
import io.quarkus.logging.Log;
import java.io.IOException;
import java.util.Iterator;
import java.util.UUID;
import javax.annotation.Priority;
import javax.enterprise.event.Event;
import javax.enterprise.inject.Instance;
import javax.inject.Inject;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
import org.alliancegenome.curation_api.dao.AllianceMemberDAO;
import org.alliancegenome.curation_api.dao.LoggedInPersonDAO;
import org.alliancegenome.curation_api.model.entities.AllianceMember;
import org.alliancegenome.curation_api.model.entities.LoggedInPerson;
import org.alliancegenome.curation_api.response.SearchResponse;
import org.alliancegenome.curation_api.services.LoggedInPersonService;
import org.alliancegenome.curation_api.services.helpers.persons.LoggedInPersonUniqueIdHelper;
import org.eclipse.microprofile.config.inject.ConfigProperty;
import org.jboss.logging.Logger;

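/**
 * JAX-RS request filter that resolves the {@link LoggedInPerson} for each request and publishes
 * it through the {@link AuthenticatedUser} CDI event.
 *
 * <p>Resolution order, as implemented below:
 * <ol>
 *   <li>If Okta authentication is switched off, or any Okta setting still holds the {@code ""}
 *       placeholder, the request is attributed to a shared local dev user.</li>
 *   <li>Otherwise the {@code Authorization: Bearer <token>} header is required. The token is
 *       first verified as an Okta JWT; if JWT verification fails it is looked up as a
 *       locally issued API token.</li>
 *   <li>Anything else is rejected with {@code 401 Unauthorized}.</li>
 * </ol>
 *
 * <p>NOTE(review): step 1 fails open. A deployment that starts with {@code okta.authentication}
 * false or with a placeholder Okta value authenticates every caller as the dev user without
 * any credential. Confirm that production configuration can never reach that state.
 */
@Provider
@Priority(1000)
/* loaded from: input_file:org/alliancegenome/curation_api/auth/AuthenticationFilter.class */
public class AuthenticationFilter implements ContainerRequestFilter {
    private static final Logger log = Logger.getLogger(AuthenticationFilter.class);

    @Inject
    @AuthenticatedUser
    Event<LoggedInPerson> userAuthenticatedEvent;

    @Inject
    AuthenticationService authenticationService;

    @Inject
    LoggedInPersonDAO loggedInPersonDAO;

    @Inject
    AllianceMemberDAO allianceMemberDAO;

    @Inject
    LoggedInPersonService loggedInPersonService;

    @Inject
    LoggedInPersonUniqueIdHelper loggedInPersonUniqueId;

    @ConfigProperty(name = "okta.authentication")
    Instance<Boolean> okta_auth;

    @ConfigProperty(name = "okta.url")
    Instance<String> okta_url;

    @ConfigProperty(name = "okta.client.id")
    Instance<String> client_id;

    @ConfigProperty(name = "okta.client.secret")
    Instance<String> client_secret;

    @ConfigProperty(name = "okta.api.token")
    Instance<String> api_token;
    private static final String AUTHENTICATION_SCHEME = "Bearer";

    /**
     * Value treated as "not configured": the two-character string of literal double quotes.
     * Presumably this is how an empty setting arrives from the deployment configuration; verify
     * against the application properties.
     */
    private static final String UNSET_CONFIG_VALUE = "\"\"";

    /** Okta e-mail of the shared account used when Okta authentication is not active. */
    private static final String DEV_USER_EMAIL = "test@alliancegenome.org";

    /**
     * Authenticates the request or aborts it with {@code 401}.
     *
     * @param containerRequestContext the request being filtered
     * @throws IOException declared by {@link ContainerRequestFilter}; not thrown directly here
     */
    @Override
    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        // Short-circuit keeps the original evaluation order: the Okta settings are only read
        // when Okta authentication is enabled.
        if (!this.okta_auth.get() || isOktaUnconfigured()) {
            loginDevUser();
            return;
        }
        String headerString = containerRequestContext.getHeaderString("Authorization");
        String schemePrefix = AUTHENTICATION_SCHEME + " ";
        // The scheme name is matched case-insensitively; regionMatches avoids the
        // default-locale dependence of toLowerCase().
        if (headerString == null
                || !headerString.regionMatches(true, 0, schemePrefix, 0, schemePrefix.length())) {
            failAuthentication(containerRequestContext);
            return;
        }
        String token = headerString.substring(AUTHENTICATION_SCHEME.length()).trim();
        // An empty credential must never reach the JWT verifier or the local-token lookup,
        // where it could match a record whose stored token is blank.
        if (token.isEmpty()) {
            failAuthentication(containerRequestContext);
            return;
        }
        LoggedInPerson person = validateToken(token);
        if (person != null) {
            this.userAuthenticatedEvent.fire(person);
        } else {
            failAuthentication(containerRequestContext);
        }
    }

    /**
     * Reports whether any Okta setting still carries the "unset" placeholder.
     *
     * @return {@code true} if at least one of URL, client id, client secret or API token equals
     *     {@link #UNSET_CONFIG_VALUE}
     */
    private boolean isOktaUnconfigured() {
        return UNSET_CONFIG_VALUE.equals(this.okta_url.get())
                || UNSET_CONFIG_VALUE.equals(this.client_id.get())
                || UNSET_CONFIG_VALUE.equals(this.client_secret.get())
                || UNSET_CONFIG_VALUE.equals(this.api_token.get());
    }

    /**
     * Looks up a person by a locally issued API token.
     *
     * @param str the bearer token presented by the caller
     * @return the single matching person, or {@code null} when zero or several records match
     */
    private LoggedInPerson validateLocalToken(String str) {
        SearchResponse<LoggedInPerson> matches = this.loggedInPersonDAO.findByField("apiToken", str);
        if (matches == null || matches.getResults().size() != 1) {
            return null;
        }
        // The token is a long-lived credential: it is deliberately kept out of the log line so
        // that log readers and log aggregation cannot replay it.
        Log.info("User found in local DB via API token");
        return matches.getResults().get(0);
    }

    /**
     * Aborts the request with {@code 401 Unauthorized} and a {@code WWW-Authenticate} challenge.
     *
     * @param containerRequestContext the request to abort
     */
    private void failAuthentication(ContainerRequestContext containerRequestContext) {
        containerRequestContext.abortWith(
                Response.status(Response.Status.UNAUTHORIZED)
                        .header("WWW-Authenticate", AUTHENTICATION_SCHEME)
                        .build());
    }

    /**
     * Attributes the request to the shared dev user, creating that user on first use.
     *
     * <p>NOTE(review): no credential is checked on this path and the event is only logged at
     * debug level, so an unintended fallback is easy to miss in production logs.
     */
    private void loginDevUser() {
        log.debug("OKTA Authentication Disabled using Test Dev User");
        LoggedInPerson existing = this.loggedInPersonService.findLoggedInPersonByOktaEmail(DEV_USER_EMAIL);
        if (existing != null) {
            this.userAuthenticatedEvent.fire(existing);
            return;
        }
        LoggedInPerson devUser = new LoggedInPerson();
        devUser.setApiToken(UUID.randomUUID().toString());
        devUser.setOktaEmail(DEV_USER_EMAIL);
        devUser.setFirstName("Local");
        devUser.setLastName("Dev User");
        devUser.setUniqueId("Local|Dev User|test@alliancegenome.org");
        this.loggedInPersonDAO.persist(devUser);
        this.userAuthenticatedEvent.fire(devUser);
    }

    /**
     * Resolves a bearer token to a person.
     *
     * <p>The token is verified as an Okta JWT first. A known person (matched on the {@code sub}
     * claim) is returned directly, after back-filling a missing alliance membership from the
     * Okta groups. An unknown person is created from the Okta profile identified by the
     * {@code uid} claim. Only when JWT verification itself fails is the token tried as a local
     * API token.
     *
     * @param str the bearer token with the scheme prefix already removed
     * @return the authenticated person, or {@code null} if the token cannot be resolved
     */
    private LoggedInPerson validateToken(String str) {
        try {
            Jwt jwt = this.authenticationService.verifyToken(str);
            String subject = (String) jwt.getClaims().get("sub");
            String oktaId = (String) jwt.getClaims().get("uid");
            LoggedInPerson known = this.loggedInPersonService.findLoggedInPersonByOktaEmail(subject);
            if (known != null) {
                if (known.getAllianceMember() == null) {
                    // The new-user branch below treats a null Okta user as possible, so guard
                    // here too instead of dereferencing it; the JWT is already verified, so a
                    // failed back-fill must not turn into a server error.
                    User groupSource = getOktaUser(oktaId);
                    if (groupSource != null) {
                        known.setAllianceMember(getAllianceMember(groupSource.listGroups()));
                        this.loggedInPersonDAO.persist(known);
                    }
                }
                return known;
            }
            Log.info("Making OKTA call to get user info: ");
            User oktaUser = getOktaUser(oktaId);
            if (oktaUser == null) {
                return null;
            }
            LoggedInPerson created = new LoggedInPerson();
            created.setApiToken(UUID.randomUUID().toString());
            created.setOktaId(oktaId);
            created.setAllianceMember(getAllianceMember(oktaUser.listGroups()));
            created.setOktaEmail(oktaUser.getProfile().getEmail());
            created.setFirstName(oktaUser.getProfile().getFirstName());
            created.setLastName(oktaUser.getProfile().getLastName());
            created.setUniqueId(this.loggedInPersonUniqueId.createLoggedInPersonUniqueId(created));
            this.loggedInPersonDAO.persist(created);
            return created;
        } catch (JwtVerificationException e) {
            // Not a valid Okta JWT: fall back to the locally issued API tokens.
            return validateLocalToken(str);
        }
    }

    /**
     * Fetches a user from Okta with the configured org URL, client id and API token.
     *
     * @param str the Okta user id (the {@code uid} claim)
     * @return the Okta user as returned by the SDK
     */
    private User getOktaUser(String str) {
        // NOTE(review): a new SDK client is built on every call; confirm whether a shared
        // client is acceptable before caching it.
        return Clients.builder()
                .setOrgUrl(this.okta_url.get())
                .setClientId(this.client_id.get())
                .setClientCredentials(new TokenClientCredentials(this.api_token.get()))
                .build()
                .getUser(str);
    }

    /**
     * Maps the user's Okta groups to an alliance member.
     *
     * @param groupList the Okta groups of the user
     * @return the member named by the first group whose {@code affiliated_alliance_member}
     *     profile value resolves to exactly one record, or {@code null} if none does
     */
    private AllianceMember getAllianceMember(GroupList groupList) {
        for (Group group : groupList) {
            String memberId = (String) group.getProfile().get("affiliated_alliance_member");
            if (memberId == null) {
                continue;
            }
            SearchResponse<AllianceMember> matches = this.allianceMemberDAO.findByField("uniqueId", memberId);
            // findByField is null-checked elsewhere in this class, so do the same here.
            if (matches != null && matches.getTotalResults().longValue() == 1) {
                return matches.getResults().get(0);
            }
            // Reached for zero matches as well as for several, so the message says so.
            log.info("Alliance Look up error: expected exactly one member for the group affiliation");
        }
        return null;
    }
}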
