package org.alliancegenome.curation_api.auth;

import com.okta.jwt.Jwt;
import com.okta.jwt.JwtVerificationException;
import com.okta.sdk.authc.credentials.TokenClientCredentials;
import com.okta.sdk.client.Clients;
import com.okta.sdk.resource.application.Application;
import com.okta.sdk.resource.group.Group;
import com.okta.sdk.resource.group.GroupList;
import com.okta.sdk.resource.user.User;
import io.quarkus.logging.Log;
import io.quarkus.scheduler.Scheduled;
import jakarta.annotation.Priority;
import jakarta.enterprise.event.Event;
import jakarta.enterprise.inject.Instance;
import jakarta.inject.Inject;
import jakarta.ws.rs.container.ContainerRequestContext;
import jakarta.ws.rs.container.ContainerRequestFilter;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.ext.Provider;
import java.io.IOException;
import java.util.Iterator;
import java.util.UUID;
import org.alliancegenome.curation_api.constants.EntityFieldConstants;
import org.alliancegenome.curation_api.dao.AllianceMemberDAO;
import org.alliancegenome.curation_api.dao.PersonDAO;
import org.alliancegenome.curation_api.model.entities.AllianceMember;
import org.alliancegenome.curation_api.model.entities.Person;
import org.alliancegenome.curation_api.response.SearchResponse;
import org.alliancegenome.curation_api.services.PersonService;
import org.alliancegenome.curation_api.services.helpers.persons.PersonUniqueIdHelper;
import org.eclipse.microprofile.config.inject.ConfigProperty;
import org.jboss.logging.Logger;

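/**
 * JAX-RS request filter that authenticates every incoming request against Okta.
 *
 * <p>Three kinds of bearer credential are accepted, tried in this order:
 * <ol>
 *   <li>an Okta user access token (a verified JWT carrying a {@code uid} claim),</li>
 *   <li>an Okta client-credentials token (a verified JWT carrying a {@code cid} claim),
 *       mapped to a synthetic "admin" {@link Person} representing the calling application,</li>
 *   <li>a personal API token stored on a {@link Person}, used only when the bearer value does
 *       not verify as a JWT at all.</li>
 * </ol>
 * On success the matching {@link Person} is published through the {@code @AuthenticatedUser}
 * event; otherwise the request is aborted with {@code 401 Unauthorized}.
 *
 * <p>When {@code okta.authentication} is {@code false}, or any Okta setting still holds the
 * literal placeholder {@code ""}, authentication is skipped and a local test user is logged in.
 * That fallback exists for development: a deployment that leaves an Okta setting at the
 * placeholder therefore fails open, so those settings should be validated at startup rather
 * than relied on here.
 */
@Provider
@Priority(1000)
public class AuthenticationFilter implements ContainerRequestFilter {
    private static final Logger log = Logger.getLogger(AuthenticationFilter.class);

    /** HTTP authentication scheme expected in the {@code Authorization} header. */
    private static final String AUTHENTICATION_SCHEME = "Bearer";

    /** Value an unconfigured Okta property is compared against: the two-character string {@code ""}. */
    private static final String UNSET_PLACEHOLDER = "\"\"";

    /** Okta e-mail of the synthetic user logged in while Okta authentication is disabled. */
    private static final String DEV_USER_EMAIL = "test@alliancegenome.org";

    /** Okta e-mail recorded on the synthetic person created for an application (admin) token. */
    private static final String ADMIN_EMAIL = "admin@alliancegenome.org";

    @Inject
    @AuthenticatedUser
    Event<Person> userAuthenticatedEvent;

    @Inject
    AuthenticationService authenticationService;

    @Inject
    PersonDAO personDAO;

    @Inject
    AllianceMemberDAO allianceMemberDAO;

    @Inject
    PersonService personService;

    @Inject
    PersonUniqueIdHelper loggedInPersonUniqueId;

    @ConfigProperty(name = "okta.authentication")
    Instance<Boolean> oktaAuth;

    @ConfigProperty(name = "okta.url")
    Instance<String> oktaUrl;

    @ConfigProperty(name = "okta.client.id")
    Instance<String> clientId;

    @ConfigProperty(name = "okta.client.secret")
    Instance<String> clientSecret;

    @ConfigProperty(name = "okta.api.token")
    Instance<String> apiToken;

    /**
     * Authenticates the request, firing the authenticated-user event on success and aborting
     * the request with {@code 401} otherwise.
     *
     * @param containerRequestContext the request being filtered
     * @throws IOException declared by {@link ContainerRequestFilter}; not thrown here
     */
    @Override
    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        if (!this.oktaAuth.get()) {
            loginDevUser();
            return;
        }
        if (!oktaConfigured()) {
            // Okta is switched on but a setting is still at its placeholder: falls back to the
            // dev user rather than rejecting the request (see class comment).
            loginDevUser();
            return;
        }
        String bearerToken = extractBearerToken(containerRequestContext.getHeaderString("Authorization"));
        if (bearerToken == null) {
            failAuthentication(containerRequestContext);
            return;
        }
        Person person = authenticate(bearerToken);
        if (person == null) {
            failAuthentication(containerRequestContext);
            return;
        }
        this.userAuthenticatedEvent.fire(person);
    }

    /** Returns {@code false} if any Okta setting still equals the {@code ""} placeholder. */
    private boolean oktaConfigured() {
        return !UNSET_PLACEHOLDER.equals(this.oktaUrl.get())
                && !UNSET_PLACEHOLDER.equals(this.clientId.get())
                && !UNSET_PLACEHOLDER.equals(this.clientSecret.get())
                && !UNSET_PLACEHOLDER.equals(this.apiToken.get());
    }

    /**
     * Extracts the credential from an {@code Authorization: Bearer <token>} header.
     *
     * @param headerString raw header value, may be {@code null}
     * @return the trimmed token, or {@code null} when the header is absent, uses another
     *         scheme, or carries an empty token
     */
    private static String extractBearerToken(String headerString) {
        String prefix = AUTHENTICATION_SCHEME + " ";
        // Scheme names are case-insensitive; regionMatches avoids locale-dependent lowercasing.
        if (headerString == null || !headerString.regionMatches(true, 0, prefix, 0, prefix.length())) {
            return null;
        }
        String token = headerString.substring(AUTHENTICATION_SCHEME.length()).trim();
        return token.isEmpty() ? null : token;
    }

    /**
     * Resolves a bearer value to a {@link Person}: first as a verified Okta user token, then as
     * an Okta application token, and — only if the value is not a verifiable JWT — as a stored
     * personal API token.
     *
     * @param bearerToken non-empty bearer credential
     * @return the authenticated person, or {@code null} if no path matched
     */
    private Person authenticate(String bearerToken) {
        Jwt jwt;
        try {
            jwt = this.authenticationService.verifyToken(bearerToken);
        } catch (JwtVerificationException e) {
            // Not a verifiable Okta JWT: treat the bearer value as a personal API token.
            // The token itself is deliberately kept out of the log.
            log.debug("Bearer value is not a verifiable Okta JWT, trying API token lookup", e);
            return this.personService.findPersonByApiToken(bearerToken);
        }
        Person person = validateUserToken(jwt);
        if (person == null) {
            person = validateAdminToken(jwt);
        }
        return person;
    }

    /** Aborts the request with {@code 401} and a {@code WWW-Authenticate: Bearer} challenge. */
    private void failAuthentication(ContainerRequestContext containerRequestContext) {
        containerRequestContext.abortWith(
                Response.status(Response.Status.UNAUTHORIZED).header("WWW-Authenticate", AUTHENTICATION_SCHEME).build());
    }

    /**
     * Logs in the local development user, creating and persisting it (with a fresh random API
     * token) on first use. Only reached when Okta authentication is disabled or unconfigured.
     */
    private void loginDevUser() {
        log.debug("OKTA Authentication Disabled using Test Dev User");
        Person existing = this.personService.findPersonByOktaEmail(DEV_USER_EMAIL);
        if (existing != null) {
            this.userAuthenticatedEvent.fire(existing);
            return;
        }
        Person devUser = new Person();
        devUser.setApiToken(UUID.randomUUID().toString());
        devUser.setOktaEmail(DEV_USER_EMAIL);
        devUser.setFirstName("Local");
        devUser.setLastName("Dev User");
        devUser.setUniqueId("Local|Dev User|" + DEV_USER_EMAIL);
        this.personDAO.persist(devUser);
        this.userAuthenticatedEvent.fire(devUser);
    }

    /**
     * Maps a verified Okta user token to a {@link Person}, creating the person from the Okta
     * user profile on first sight.
     *
     * @param jwt verified token; must carry a non-empty {@code uid} claim to be treated as a user token
     * @return the person, or {@code null} if the token has no {@code uid} or Okta knows no such user
     */
    private Person validateUserToken(Jwt jwt) {
        String oktaId = (String) jwt.getClaims().get("uid");
        if (oktaId == null || oktaId.isEmpty()) {
            return null;
        }
        // NOTE(review): an existing person is matched on the e-mail in "sub" only; its stored
        // oktaId is not compared with "uid" — confirm that is intended.
        Person existing = this.personService.findPersonByOktaEmail((String) jwt.getClaims().get("sub"));
        if (existing != null) {
            if (existing.getAllianceMember() == null) {
                // Back-fill the alliance membership for persons created before it was tracked.
                User oktaUser = getOktaUser(oktaId);
                if (oktaUser != null) {
                    existing.setAllianceMember(getAllianceMember(oktaUser.listGroups()));
                    this.personDAO.persist(existing);
                }
            }
            return existing;
        }
        log.info("Making OKTA call to get user info: ");
        User oktaUser = getOktaUser(oktaId);
        if (oktaUser == null) {
            return null;
        }
        Person person = new Person();
        person.setApiToken(UUID.randomUUID().toString());
        person.setOktaId(oktaId);
        person.setAllianceMember(getAllianceMember(oktaUser.listGroups()));
        person.setOktaEmail(oktaUser.getProfile().getEmail());
        person.setFirstName(oktaUser.getProfile().getFirstName());
        person.setLastName(oktaUser.getProfile().getLastName());
        person.setUniqueId(this.loggedInPersonUniqueId.createLoggedInPersonUniqueId(person));
        this.personDAO.persist(person);
        return person;
    }

    /**
     * Maps a verified Okta client-credentials token to the synthetic "admin" {@link Person} for
     * the calling application, creating it on first sight.
     *
     * @param jwt verified token; must carry a non-empty {@code cid} claim to be treated as an application token
     * @return the person, or {@code null} if the token has no {@code cid} or Okta knows no such application
     */
    private Person validateAdminToken(Jwt jwt) {
        String applicationId = (String) jwt.getClaims().get("cid");
        if (applicationId == null || applicationId.isEmpty()) {
            return null;
        }
        Person existing = this.personService.findPersonByOktaId(applicationId);
        if (existing != null) {
            return existing;
        }
        log.info("Making OKTA call to get app info: ");
        // NOTE(review): the "cid" is looked up as-is and never compared with the configured
        // okta.client.id, so any application in the org that Okta resolves gets an admin person —
        // confirm whether that scope is intended.
        Application oktaClient = getOktaClient(applicationId);
        if (oktaClient == null) {
            return null;
        }
        log.debug("OKTA Authentication for Admin user via token");
        Person person = new Person();
        person.setApiToken(UUID.randomUUID().toString());
        person.setOktaId(oktaClient.getId());
        person.setOktaEmail(ADMIN_EMAIL);
        person.setFirstName(oktaClient.getLabel());
        person.setLastName(oktaClient.getName());
        person.setUniqueId(oktaClient.getLabel() + "|" + oktaClient.getName() + "|" + ADMIN_EMAIL);
        this.personDAO.persist(person);
        return person;
    }

    /**
     * Fetches an Okta user by id with the configured API token.
     *
     * @param oktaId Okta user id (the {@code uid} claim)
     * @return the user as returned by the Okta SDK
     */
    private User getOktaUser(String oktaId) {
        return Clients.builder()
                .setOrgUrl(this.oktaUrl.get())
                .setClientId(this.clientId.get())
                .setClientCredentials(new TokenClientCredentials(this.apiToken.get()))
                .build()
                .getUser(oktaId);
    }

    /**
     * Weekly scheduled job (Sundays, 02:00). Despite its name it currently only looks up the
     * configured Okta application and logs it; no key is rotated here.
     */
    @Scheduled(cron = "0 0 2 ? * SUN")
    public void rotateAPIKey() {
        Application oktaClient = getOktaClient(this.clientId.get());
        if (oktaClient == null) {
            log.warn("Okta App API Key rotation skipped: no application found for the configured client id");
            return;
        }
        log.info("Rotating Okta App API Key: " + oktaClient.getName() + " " + oktaClient.getLabel());
    }

    /**
     * Fetches an Okta application by id with the configured API token.
     *
     * @param applicationId Okta application id (the {@code cid} claim or the configured client id)
     * @return the application as returned by the Okta SDK
     */
    private Application getOktaClient(String applicationId) {
        return Clients.builder()
                .setOrgUrl(this.oktaUrl.get())
                .setClientId(this.clientId.get())
                .setClientCredentials(new TokenClientCredentials(this.apiToken.get()))
                .build()
                .getApplication(applicationId);
    }

    /**
     * Resolves the first Okta group carrying an {@code affiliated_alliance_member} profile
     * attribute that maps to exactly one {@link AllianceMember}.
     *
     * @param groupList the user's Okta groups
     * @return the matching member, or {@code null} if no group yields exactly one match
     */
    private AllianceMember getAllianceMember(GroupList groupList) {
        for (Group group : groupList) {
            String memberName = (String) group.getProfile().get("affiliated_alliance_member");
            if (memberName == null) {
                continue;
            }
            SearchResponse<AllianceMember> response =
                    this.allianceMemberDAO.findByField(EntityFieldConstants.SOURCE_ORGANIZATION, memberName);
            if (response.getResults().size() == 1) {
                return response.getResults().get(0);
            }
            // Zero or several matches are both lookup errors; say which so the log is actionable.
            log.info("Alliance Look up error: expected exactly one member for '" + memberName
                    + "' but found " + response.getResults().size());
        }
        return null;
    }
}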
