package com.sap.cloud.security.adapter.xs;

import com.sap.cloud.security.config.ClientCredentials;
import com.sap.cloud.security.config.ClientIdentity;
import com.sap.cloud.security.config.Environments;
import com.sap.cloud.security.config.OAuth2ServiceConfiguration;
import com.sap.cloud.security.json.JsonObject;
import com.sap.cloud.security.json.JsonParsingException;
import com.sap.cloud.security.token.AccessToken;
import com.sap.cloud.security.token.GrantType;
import com.sap.cloud.security.xsuaa.Assertions;
import com.sap.cloud.security.xsuaa.client.DefaultOAuth2TokenService;
import com.sap.cloud.security.xsuaa.client.OAuth2TokenService;
import com.sap.cloud.security.xsuaa.client.XsuaaDefaultEndpoints;
import com.sap.cloud.security.xsuaa.client.XsuaaOAuth2TokenService;
import com.sap.cloud.security.xsuaa.tokenflows.TokenFlowException;
import com.sap.cloud.security.xsuaa.tokenflows.XsuaaTokenFlows;
import com.sap.xsa.security.container.XSTokenRequest;
import com.sap.xsa.security.container.XSUserInfo;
import com.sap.xsa.security.container.XSUserInfoException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.function.Supplier;
import javax.annotation.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/sap/cloud/security/adapter/xs/XSUserInfoAdapter.class */
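/**
 * Exposes the claims of an {@link AccessToken} through the {@link XSUserInfo} interface.
 *
 * <p>Most getters read a claim from the wrapped token and throw {@link XSUserInfoException}
 * when it is absent. User-centric getters additionally reject tokens issued with the
 * client-credentials grant. The token-request methods run a token flow against an
 * XSUAA endpoint using the client id and secret passed in by the caller.
 *
 * <p>Security-relevant behaviour to keep in mind when changing this class:
 * <ul>
 *   <li>{@link #isInForeignMode()} decides whether the token was issued for another client or
 *       identity zone; {@link #getToken(String, String)} uses it together with
 *       {@link #hasAttributes()} to refuse handing out tokens that carry foreign attributes.
 *       Both checks are written to fail closed.</li>
 *   <li>Token values and client secrets pass through this class as plain strings; nothing here
 *       logs them, and new log statements must not either.</li>
 * </ul>
 */
public class XSUserInfoAdapter implements XSUserInfo {
    static final String EXTERNAL_CONTEXT = "ext_ctx";
    static final String CLAIM_ADDITIONAL_AZ_ATTR = "az_attr";
    static final String XS_SYSTEM_ATTRIBUTES = "xs.system.attributes";
    static final String HDB_NAMEDUSER_SAML = "hdb.nameduser.saml";
    static final String SERVICEINSTANCEID = "serviceinstanceid";
    static final String SYSTEM = "SYSTEM";
    static final String HDB = "HDB";
    private static final Logger LOGGER = LoggerFactory.getLogger(XSUserInfoAdapter.class);
    private static final String INVALID_USER_ATTRIBUTE = "Invalid user attribute ";
    // Claim (or ext_ctx member) that holds the user attributes.
    private static final String XS_USER_ATTRIBUTES = "xs.user.attributes";
    private final AccessToken accessToken;
    private final OAuth2ServiceConfiguration configuration;
    // Created lazily by getOrCreateOAuth2TokenService(); may be injected via setOAuth2TokenService().
    private OAuth2TokenService oAuth2TokenService;

    /**
     * Wraps the given token using the XSUAA configuration of the current environment.
     *
     * @param obj the token; must be an {@link AccessToken}
     * @throws XSUserInfoException if {@code obj} is {@code null} or not an {@link AccessToken}
     */
    public XSUserInfoAdapter(Object obj) {
        this(obj, Environments.getCurrent().getXsuaaConfiguration());
    }

    /**
     * Wraps the given token using the XSUAA configuration of the current environment.
     *
     * @param accessToken the token to adapt
     * @throws XSUserInfoException if {@code accessToken} is {@code null}
     */
    public XSUserInfoAdapter(AccessToken accessToken) {
        this(accessToken, Environments.getCurrent().getXsuaaConfiguration());
    }

    /**
     * Wraps the given token with an explicit service configuration.
     *
     * @param obj the token; must be an {@link AccessToken}
     * @param oAuth2ServiceConfiguration the binding configuration; when {@code null},
     *        {@link #isInForeignMode()} always reports foreign mode
     * @throws XSUserInfoException if {@code obj} is {@code null} or not an {@link AccessToken}
     */
    XSUserInfoAdapter(Object obj, OAuth2ServiceConfiguration oAuth2ServiceConfiguration) {
        if (!(obj instanceof AccessToken)) {
            throw new XSUserInfoException("token is of instance " + (Objects.isNull(obj) ? null : obj.getClass().getName()) + " but needs to be an instance of AccessToken.");
        }
        this.accessToken = (AccessToken) obj;
        this.configuration = oAuth2ServiceConfiguration;
    }

    /**
     * Returns the {@code user_name} claim.
     *
     * @throws XSUserInfoException if the claim is missing or the token is a client-credentials token
     */
    public String getLogonName() {
        checkNotGrantTypeClientCredentials("getLogonName");
        return getClaimValue("user_name");
    }

    /**
     * Returns {@code given_name}, preferring the {@code ext_attr} entry over the top-level claim.
     *
     * @throws XSUserInfoException if neither is present or the token is a client-credentials token
     */
    public String getGivenName() {
        checkNotGrantTypeClientCredentials("getGivenName");
        String externalAttribute = getExternalAttribute("given_name");
        return externalAttribute == null ? getClaimValue("given_name") : externalAttribute;
    }

    /**
     * Returns {@code family_name}, preferring the {@code ext_attr} entry over the top-level claim.
     *
     * @throws XSUserInfoException if neither is present or the token is a client-credentials token
     */
    public String getFamilyName() {
        checkNotGrantTypeClientCredentials("getFamilyName");
        String externalAttribute = getExternalAttribute("family_name");
        return externalAttribute == null ? getClaimValue("family_name") : externalAttribute;
    }

    /**
     * Returns the {@code origin} claim.
     *
     * @throws XSUserInfoException if the claim is missing or the token is a client-credentials token
     */
    public String getOrigin() {
        checkNotGrantTypeClientCredentials("getOrigin");
        return getClaimValue("origin");
    }

    /**
     * Returns the {@code zid} claim.
     *
     * @throws XSUserInfoException if the claim is missing
     */
    public String getIdentityZone() {
        return getClaimValue("zid");
    }

    /**
     * Returns the {@code subaccountid} entry of {@code ext_attr}, falling back to the {@code zid} claim.
     *
     * @throws XSUserInfoException if neither value is present
     */
    public String getSubaccountId() {
        String subaccountId = getExternalAttribute("subaccountid");
        // The fallback is evaluated only when needed, so a token that carries subaccountid
        // but no zid no longer fails here.
        return subaccountId != null ? subaccountId : getClaimValue("zid");
    }

    /**
     * Returns the {@code zone_uuid} claim when present, otherwise the {@code zid} claim.
     *
     * @throws XSUserInfoException if {@code zone_uuid} is absent and {@code zid} is missing
     */
    public String getZoneId() {
        return this.accessToken.hasClaim("zone_uuid") ? this.accessToken.getClaimAsString("zone_uuid") : getClaimValue("zid");
    }

    /**
     * Returns the {@code zdn} entry of {@code ext_attr}, or {@code null} when it is absent.
     */
    public String getSubdomain() {
        return getExternalAttribute("zdn");
    }

    /** Returns the client id reported by the wrapped token. */
    public String getClientId() {
        return this.accessToken.getClientId();
    }

    /**
     * Returns an arbitrary claim as a string.
     *
     * @param str the claim name
     * @throws XSUserInfoException if the claim is missing
     */
    public String getJsonValue(String str) {
        return getClaimValue(str);
    }

    /**
     * Returns the {@code email} claim.
     *
     * @throws XSUserInfoException if the claim is missing or the token is a client-credentials token
     */
    public String getEmail() {
        checkNotGrantTypeClientCredentials("getEmail");
        return getClaimValue("email");
    }

    /** Same as {@link #getHdbToken()}. */
    public String getDBToken() {
        return getHdbToken();
    }

    /** Same as {@code getToken(SYSTEM, HDB)}. */
    public String getHdbToken() {
        return getToken(SYSTEM, HDB);
    }

    /** Returns the raw value of the wrapped token. Treat the result as a credential. */
    public String getAppToken() {
        return this.accessToken.getTokenValue();
    }

    /**
     * Returns a token for the given namespace and name.
     *
     * <p>Only namespace {@code SYSTEM} with name {@code HDB} or {@code JobScheduler} is accepted.
     * For {@code HDB} the {@code hdb.nameduser.saml} value is returned when present (looked up in
     * {@code ext_ctx} if that claim exists, else as a top-level claim); in every other accepted
     * case the raw token value is returned.
     *
     * @param str the namespace
     * @param str2 the token name within the namespace
     * @throws XSUserInfoException if the namespace or name is not accepted, or if a user token
     *         that carries attributes was issued for a foreign client id or identity zone
     */
    public String getToken(String str, String str2) {
        // Attribute isolation: a user token with attributes that belongs to another client or
        // zone must not be handed out. Client-credentials tokens skip this check (hasAttributes()
        // would reject them anyway, so the grant type is tested first).
        boolean isClientCredentials = getGrantType().equals(GrantType.CLIENT_CREDENTIALS.toString());
        if (!isClientCredentials && hasAttributes() && isInForeignMode()) {
            throw new XSUserInfoException("The SecurityContext has been initialized with an access token of a foreign OAuth Client Id and/or Identity Zone. Furthermore, the access token contains attributes. Due to the fact that we want to restrict attribute access to the application that provides the attributes, the getToken() function does not return a token.");
        }
        // Constant-first comparison so a null argument is reported as invalid instead of
        // surfacing as a NullPointerException.
        if (!SYSTEM.equals(str)) {
            throw new XSUserInfoException("Invalid namespace " + str);
        }
        if ("JobScheduler".equals(str2)) {
            return this.accessToken.getTokenValue();
        }
        if (!HDB.equals(str2)) {
            throw new XSUserInfoException("Invalid name " + str2 + " for namespace " + str);
        }
        String samlToken = this.accessToken.hasClaim(EXTERNAL_CONTEXT)
                ? this.accessToken.getAttributeFromClaimAsString(EXTERNAL_CONTEXT, HDB_NAMEDUSER_SAML)
                : this.accessToken.getClaimAsString(HDB_NAMEDUSER_SAML);
        return samlToken != null ? samlToken : this.accessToken.getTokenValue();
    }

    /**
     * Returns the values of a user attribute from {@code xs.user.attributes}.
     *
     * @param str the attribute name
     * @throws XSUserInfoException if the attribute is unknown or the token is a client-credentials token
     */
    public String[] getAttribute(String str) {
        checkNotGrantTypeClientCredentials("getAttribute");
        return getMultiValueAttributeFromExtObject(XS_USER_ATTRIBUTES, str);
    }

    /**
     * Reports whether the token carries a non-empty {@code xs.user.attributes} object, looked up
     * inside {@code ext_ctx} when that claim exists and as a top-level claim otherwise.
     *
     * <p>{@link #getToken(String, String)} relies on this result for its foreign-mode check.
     *
     * @throws XSUserInfoException if the token is a client-credentials token or a claim cannot be parsed
     */
    public boolean hasAttributes() {
        checkNotGrantTypeClientCredentials("hasAttributes");
        if (this.accessToken.hasClaim(EXTERNAL_CONTEXT)) {
            JsonObject extContext = getClaimAsJsonObject(EXTERNAL_CONTEXT);
            if (extContext == null || !extContext.contains(XS_USER_ATTRIBUTES)) {
                return false;
            }
            // Inspect the member whose presence was just checked. The previous code looked up
            // "ext_ctx" inside ext_ctx, which is not the object this method is about.
            JsonObject userAttributes = extContext.getJsonObject(XS_USER_ATTRIBUTES);
            return userAttributes != null && !userAttributes.isEmpty();
        }
        JsonObject userAttributes = getClaimAsJsonObject(XS_USER_ATTRIBUTES);
        return userAttributes != null && !userAttributes.isEmpty();
    }

    /**
     * Returns the values of a system attribute from {@code xs.system.attributes}.
     *
     * @param str the attribute name
     * @throws XSUserInfoException if the attribute is unknown
     */
    public String[] getSystemAttribute(String str) {
        return getMultiValueAttributeFromExtObject(XS_SYSTEM_ATTRIBUTES, str);
    }

    /** Delegates to {@link AccessToken#hasScope(String)}. */
    public boolean checkScope(String str) {
        return this.accessToken.hasScope(str);
    }

    /**
     * Delegates to {@link AccessToken#hasLocalScope(String)}.
     *
     * @throws XSUserInfoException if the token rejects the argument with an {@link IllegalArgumentException}
     */
    public boolean checkLocalScope(String str) {
        try {
            return this.accessToken.hasLocalScope(str);
        } catch (IllegalArgumentException e) {
            // Keep the cause so the original stack trace is available when diagnosing failures.
            throw new XSUserInfoException(e.getMessage(), e);
        }
    }

    /**
     * Returns an entry of the {@code az_attr} claim.
     *
     * @param str the attribute name
     * @throws XSUserInfoException if the attribute is absent
     */
    public String getAdditionalAuthAttribute(String str) {
        return Optional.ofNullable(this.accessToken.getAttributeFromClaimAsString(CLAIM_ADDITIONAL_AZ_ATTR, str))
                .orElseThrow(createXSUserInfoException(str));
    }

    /**
     * Returns the {@code serviceinstanceid} entry of {@code ext_attr}.
     *
     * @throws XSUserInfoException if the entry is absent
     */
    public String getCloneServiceInstanceId() {
        return Optional.ofNullable(getExternalAttribute(SERVICEINSTANCEID))
                .orElseThrow(createXSUserInfoException(SERVICEINSTANCEID));
    }

    /**
     * Returns the token's grant type as a string.
     *
     * @throws XSUserInfoException if the token reports no grant type
     */
    public String getGrantType() {
        return Optional.ofNullable(this.accessToken.getGrantType())
                .map(GrantType::toString)
                .orElseThrow(createXSUserInfoException("grant_type"));
    }

    /**
     * Decides whether the token was issued for a client or identity zone other than the bound one.
     *
     * <p>The token is considered local when its client id equals the configured client id and
     * either the identity zones match or the client id contains {@code "!t"} or {@code "!b"}, or
     * when its client id ends with the configured {@code trustedclientidsuffix}. Everything else,
     * including a missing configuration or a missing {@code zid} claim, counts as foreign.
     *
     * @return {@code true} if the token must be treated as foreign
     */
    public boolean isInForeignMode() {
        if (this.configuration == null) {
            LOGGER.info("No configuration provided -> falling back to foreignMode = true!");
            return true;
        }
        try {
            String clientId = getClientId();
            String identityZone = getIdentityZone();
            boolean clientIdsMatch = clientId.equals(this.configuration.getClientId());
            boolean identityZonesMatch = identityZone.equals(this.configuration.getProperty("identityzone"));
            // NOTE(review): these are substring matches anywhere in the client id, not a parse of
            // its structure; they only take effect together with an exact client id match.
            boolean isApplicationPlan = clientId.contains("!t");
            boolean isBrokerPlan = clientId.contains("!b");
            if (clientIdsMatch && (identityZonesMatch || isApplicationPlan || isBrokerPlan)) {
                LOGGER.info("Token not in foreign mode because because client ids match and identityZonesMatch={}, isApplicationPlan={} ", identityZonesMatch, isApplicationPlan);
                return false;
            }
            String trustedSuffix = this.configuration.getProperty("trustedclientidsuffix");
            // An empty suffix is treated like a missing one: String.endsWith("") is true for
            // every client id, which would mark all tokens as trusted.
            if (trustedSuffix == null || trustedSuffix.isEmpty() || !clientId.endsWith(trustedSuffix)) {
                LOGGER.info("Token in foreign mode: clientIdsMatch={}, identityZonesMatch={}, isApplicationPlan={}, bindingTrustedClientIdSuffix={}", clientIdsMatch, identityZonesMatch, isApplicationPlan, trustedSuffix);
                return true;
            }
            LOGGER.info("Token not in foreign mode because token client id matches binding trusted client suffix");
            return false;
        } catch (XSUserInfoException e) {
            // A token without the claims needed for the comparison is treated as foreign.
            LOGGER.warn("Tried to access missing attribute when checking for foreign mode", e);
            return true;
        }
    }

    /**
     * Requests a client-credentials token.
     *
     * @param str the client id
     * @param str2 the client secret
     * @param str3 the base URL of the token service
     * @return the access token returned by the flow
     * @throws XSUserInfoException if the flow fails
     */
    public String requestTokenForClient(String str, String str2, String str3) {
        // 1 selects the client-credentials flow in performRequest().
        return performTokenFlow(str3, 1, str, str2, new HashMap<>());
    }

    /**
     * Requests a user token based on the wrapped token.
     *
     * @param str the client id
     * @param str2 the client secret
     * @param str3 the base URL of the token service
     * @return the access token returned by the flow
     * @throws XSUserInfoException if the flow fails
     */
    public String requestTokenForUser(String str, String str2, String str3) {
        // 0 selects the user token flow in performRequest().
        return performTokenFlow(str3, 0, str, str2, new HashMap<>());
    }

    /**
     * Runs the token flow described by the request.
     *
     * <p>The client credentials (and, for the user token flow, the wrapped token) are sent to the
     * endpoint named in the request, so callers must only pass endpoints they trust.
     *
     * @param xSTokenRequest the request; must not be {@code null} and must be valid
     * @return the access token returned by the flow
     * @throws XSUserInfoException if the request is invalid or the flow fails
     */
    public String requestToken(XSTokenRequest xSTokenRequest) {
        Assertions.assertNotNull(xSTokenRequest, "TokenRequest argument is required");
        if (!xSTokenRequest.isValid()) {
            throw new XSUserInfoException("Invalid grant type or missing parameters for requested grant type.");
        }
        // NOTE(review): the base URL is derived by deleting every occurrence of the path from the
        // endpoint string; a path such as "/" or one that recurs elsewhere in the URL would give
        // an unexpected base URL. Confirm the endpoints used in practice.
        String endpoint = xSTokenRequest.getTokenEndpoint().toString();
        String baseUrl = endpoint.replace(xSTokenRequest.getTokenEndpoint().getPath(), "");
        return performTokenFlow(baseUrl, xSTokenRequest.getType(), xSTokenRequest.getClientId(), xSTokenRequest.getClientSecret(), xSTokenRequest.getAdditionalAuthorizationAttributes());
    }

    /**
     * Returns the token service, creating it on first use: first a
     * {@link DefaultOAuth2TokenService}, then an {@link XsuaaOAuth2TokenService} as fallback.
     *
     * @throws UnsupportedOperationException if neither implementation can be instantiated
     */
    private OAuth2TokenService getOrCreateOAuth2TokenService() {
        if (this.oAuth2TokenService == null) {
            this.oAuth2TokenService = tryToCreateDefaultOAuth2TokenService();
        }
        if (this.oAuth2TokenService == null) {
            this.oAuth2TokenService = tryToCreateXsuaaOAuth2TokenService();
        }
        if (this.oAuth2TokenService == null) {
            throw new UnsupportedOperationException("Failed to create OAuth2TokenService. Make sure your project has a dependency to either spring-web or apache HTTP client.");
        }
        return this.oAuth2TokenService;
    }

    /** Returns a new {@link DefaultOAuth2TokenService}, or {@code null} if it cannot be created. */
    private OAuth2TokenService tryToCreateDefaultOAuth2TokenService() {
        LOGGER.debug("Trying to create DefaultOAuth2TokenService.");
        try {
            return new DefaultOAuth2TokenService();
        } catch (Exception | LinkageError e) {
            // Deliberate best effort: LinkageError is caught as well so that a class which
            // fails to link leads to the fallback instead of a crash.
            LOGGER.debug("Failed to create DefaultOAuth2TokenService.", e);
            return null;
        }
    }

    /** Returns a new {@link XsuaaOAuth2TokenService}, or {@code null} if it cannot be created. */
    private OAuth2TokenService tryToCreateXsuaaOAuth2TokenService() {
        LOGGER.debug("Trying to create XsuaaOAuth2TokenService.");
        try {
            return new XsuaaOAuth2TokenService();
        } catch (Exception | LinkageError e) {
            // Deliberate best effort, see tryToCreateDefaultOAuth2TokenService().
            LOGGER.debug("Failed to create XsuaaOAuth2TokenService.", e);
            return null;
        }
    }

    /** Replaces the token service used by the token-request methods. */
    void setOAuth2TokenService(OAuth2TokenService oAuth2TokenService) {
        this.oAuth2TokenService = oAuth2TokenService;
    }

    /**
     * Reads a multi-valued attribute from the given claim.
     *
     * @param str the claim name
     * @param str2 the attribute name inside the claim
     * @throws XSUserInfoException if the lookup yields an empty list that is not an {@link ArrayList}
     */
    private String[] getMultiValueAttributeFromExtObject(String str, String str2) {
        List<?> values = this.accessToken.getAttributeFromClaimAsStringList(str, str2);
        // presumably an empty non-ArrayList result marks an absent attribute, while an empty
        // ArrayList is an attribute without values — verify against AccessToken
        if (values.isEmpty() && !(values instanceof ArrayList)) {
            throw new XSUserInfoException(INVALID_USER_ATTRIBUTE + str2);
        }
        return values.toArray(new String[0]);
    }

    /**
     * Rejects calls that make no sense for client-credentials tokens.
     *
     * @param str name of the calling method, used in the error message
     * @throws XSUserInfoException if the token was issued with the client-credentials grant
     */
    private void checkNotGrantTypeClientCredentials(String str) {
        if (GrantType.CLIENT_CREDENTIALS == this.accessToken.getGrantType()) {
            // The grant type is already part of the formatted message; it used to be appended a
            // second time after the closing quote.
            throw new XSUserInfoException(String.format("Method '%s' is not supported for grant type '%s'", str, GrantType.CLIENT_CREDENTIALS));
        }
    }

    /** Returns a supplier of the "Invalid user attribute" exception for the given name. */
    private Supplier<XSUserInfoException> createXSUserInfoException(String str) {
        return () -> new XSUserInfoException(INVALID_USER_ATTRIBUTE + str);
    }

    /**
     * Returns a claim as a string.
     *
     * @throws XSUserInfoException if the claim is missing
     */
    private String getClaimValue(String str) {
        String claimAsString = this.accessToken.getClaimAsString(str);
        if (claimAsString == null) {
            throw new XSUserInfoException(INVALID_USER_ATTRIBUTE + str);
        }
        return claimAsString;
    }

    /**
     * Returns a claim as a JSON object.
     *
     * @throws XSUserInfoException if the claim cannot be parsed
     */
    @Nullable
    private JsonObject getClaimAsJsonObject(String str) {
        try {
            return this.accessToken.getClaimAsJsonObject(str);
        } catch (JsonParsingException e) {
            // Same message as before, now with the parsing error attached as cause.
            throw new XSUserInfoException(INVALID_USER_ATTRIBUTE + str, e);
        }
    }

    /** Returns an entry of the {@code ext_attr} claim; callers treat {@code null} as absent. */
    String getExternalAttribute(String str) {
        return this.accessToken.getAttributeFromClaimAsString("ext_attr", str);
    }

    /**
     * Creates the token flows for the given base URL and client identity.
     *
     * @param str the base URL of the token service
     * @param clientIdentity the client credentials to authenticate with
     */
    XsuaaTokenFlows getXsuaaTokenFlows(String str, ClientIdentity clientIdentity) {
        return new XsuaaTokenFlows(getOrCreateOAuth2TokenService(), new XsuaaDefaultEndpoints(str, (String) null), clientIdentity);
    }

    /**
     * Builds the token flows and runs the flow selected by {@code i}.
     *
     * @param str the base URL of the token service
     * @param i the flow type, see {@link #performRequest}
     * @param str2 the client id
     * @param str3 the client secret
     * @param map additional authorization attributes
     * @throws XSUserInfoException if anything in the flow fails
     */
    private String performTokenFlow(String str, int i, String str2, String str3, Map<String, String> map) {
        try {
            return performRequest(getXsuaaTokenFlows(str, new ClientCredentials(str2, str3)), i, map);
        } catch (XSUserInfoException e) {
            // Already the right type; rethrowing keeps its cause instead of re-wrapping it.
            throw e;
        } catch (RuntimeException e) {
            throw new XSUserInfoException(e.getMessage(), e);
        }
    }

    /**
     * Dispatches to the flow for the given type: 0 runs the user token flow, 1 the
     * client-credentials flow.
     *
     * @throws XSUserInfoException if the type is neither 0 nor 1, or the flow fails
     */
    private String performRequest(XsuaaTokenFlows xsuaaTokenFlows, int i, Map<String, String> map) {
        switch (i) {
            case 0: // presumably XSTokenRequest.TYPE_USER_TOKEN — confirm
                return performUserTokenFlow(xsuaaTokenFlows, map);
            case 1: // presumably XSTokenRequest.TYPE_CLIENT_CREDENTIALS_TOKEN — confirm
                return performClientCredentialsFlow(xsuaaTokenFlows, map);
            default:
                throw new XSUserInfoException("Found unsupported XSTokenRequest type. The only supported types are XSTokenRequest.TYPE_USER_TOKEN and XSTokenRequest.TYPE_CLIENT_CREDENTIALS_TOKEN.");
        }
    }

    /**
     * Runs the user token flow with the wrapped token and the token's subdomain.
     *
     * @throws XSUserInfoException if the flow fails
     */
    private String performUserTokenFlow(XsuaaTokenFlows xsuaaTokenFlows, Map<String, String> map) {
        try {
            return xsuaaTokenFlows.userTokenFlow()
                    .subdomain(getSubdomain())
                    .token(getAppToken())
                    .attributes(map)
                    .execute()
                    .getAccessToken();
        } catch (TokenFlowException e) {
            throw new XSUserInfoException("Error performing User Token Flow.", e);
        }
    }

    /**
     * Runs the client-credentials flow with the token's subdomain.
     *
     * @throws XSUserInfoException if the flow fails
     */
    private String performClientCredentialsFlow(XsuaaTokenFlows xsuaaTokenFlows, Map<String, String> map) {
        try {
            return xsuaaTokenFlows.clientCredentialsTokenFlow()
                    .subdomain(getSubdomain())
                    .attributes(map)
                    .execute()
                    .getAccessToken();
        } catch (TokenFlowException e) {
            throw new XSUserInfoException("Error performing Client Credentials Flow.", e);
        }
    }
}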
