package org.dspace.authenticate;

import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.sql.SQLException;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.BooleanUtils;
import org.apache.commons.lang3.StringUtils;
import org.dspace.authenticate.oidc.OidcClient;
import org.dspace.authenticate.oidc.model.OidcTokenResponseDTO;
import org.dspace.core.Constants;
import org.dspace.core.Context;
import org.dspace.eperson.EPerson;
import org.dspace.eperson.Group;
import org.dspace.eperson.service.EPersonService;
import org.dspace.services.ConfigurationService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;

/* loaded from: input_file:org/dspace/authenticate/OidcAuthenticationBean.class */
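/**
 * OpenID Connect (OIDC) authentication method.
 *
 * <p>Flow as implemented here: {@link #loginPageURL} builds the provider's
 * authorize URL; the provider redirects back with a {@code code} request
 * parameter; {@link #authenticate} exchanges that code for an access token
 * through {@link OidcClient}, fetches the user-info claims and uses the e-mail
 * claim to look up an existing {@link EPerson}. When no EPerson matches and
 * self registration is enabled, a new one is created.
 *
 * <p>Result codes follow the {@code AuthenticationMethod} contract; they are
 * kept as literals here ({@code 1} success, {@code 4} no such user,
 * {@code 5} bad arguments).
 *
 * <p>NOTE(review): the e-mail claim is trusted as returned by the user-info
 * endpoint; nothing in this class checks an {@code email_verified} claim, so
 * e-mail ownership has to be guaranteed by the provider configuration — confirm.
 */
public class OidcAuthenticationBean implements AuthenticationMethod {

    /** Request attribute whose presence marks a request as an OIDC callback. */
    public static final String OIDC_AUTH_ATTRIBUTE = "oidc";

    /** authorize endpoint, client id, space-joined scopes, URL-encoded redirect URI. */
    private static final String LOGIN_PAGE_URL_FORMAT =
        "%s?client_id=%s&response_type=code&scope=%s&redirect_uri=%s";

    private static final Logger LOGGER = LoggerFactory.getLogger(OidcAuthenticationBean.class);

    /** Request attribute set once the code was exchanged and an existing EPerson was found. */
    private static final String OIDC_AUTHENTICATED = "oidc.authenticated";

    @Autowired
    private ConfigurationService configurationService;

    @Autowired
    private OidcClient oidcClient;

    @Autowired
    private EPersonService ePersonService;

    /** Passwords are managed by the identity provider, never by DSpace. */
    @Override // org.dspace.authenticate.AuthenticationMethod
    public boolean allowSetPassword(Context context, HttpServletRequest httpServletRequest, String str)
        throws SQLException {
        return false;
    }

    /** OIDC always requires an explicit login round-trip. */
    @Override // org.dspace.authenticate.AuthenticationMethod
    public boolean isImplicit() {
        return false;
    }

    /** Delegates to the {@code authentication-oidc.can-self-register} setting. */
    @Override // org.dspace.authenticate.AuthenticationMethod
    public boolean canSelfRegister(Context context, HttpServletRequest httpServletRequest, String str)
        throws SQLException {
        return canSelfRegister();
    }

    /** Nothing to initialise: names are filled in by {@link #registerNewEPerson}. */
    @Override // org.dspace.authenticate.AuthenticationMethod
    public void initEPerson(Context context, HttpServletRequest httpServletRequest, EPerson ePerson)
        throws SQLException {
    }

    /** This method grants no special groups. */
    @Override // org.dspace.authenticate.AuthenticationMethod
    public List<Group> getSpecialGroups(Context context, HttpServletRequest httpServletRequest)
        throws SQLException {
        return List.of();
    }

    @Override // org.dspace.authenticate.AuthenticationMethod
    public String getName() {
        return OIDC_AUTH_ATTRIBUTE;
    }

    /**
     * Handles the provider callback.
     *
     * <p>The credential parameters of the {@code AuthenticationMethod} contract
     * ({@code str}, {@code str2}, {@code str3}) are ignored: the only credential
     * is the {@code code} query parameter of the callback request.
     *
     * @return {@code 5} when there is no request, {@code 4} when the request is
     *         not an OIDC callback or carries no code, otherwise the outcome of
     *         {@link #authenticateWithOidc}
     */
    @Override // org.dspace.authenticate.AuthenticationMethod
    public int authenticate(Context context, String str, String str2, String str3,
                            HttpServletRequest httpServletRequest) throws SQLException {
        if (httpServletRequest == null) {
            LOGGER.warn("Unable to authenticate using OIDC because the request object is null.");
            return 5;
        }
        // Only requests explicitly flagged as OIDC callbacks are handled here; any other
        // login attempt is left to the next method in the authentication stack.
        if (httpServletRequest.getAttribute(OIDC_AUTH_ATTRIBUTE) == null) {
            return 4;
        }
        String code = httpServletRequest.getParameter("code");
        if (StringUtils.isEmpty(code)) {
            LOGGER.warn("The incoming request has not code parameter");
            return 4;
        }
        return authenticateWithOidc(context, code, httpServletRequest);
    }

    /**
     * Exchanges the authorization code for a token, reads the user info and
     * logs in (or registers) the EPerson identified by the e-mail claim.
     *
     * @param context the DSpace context to log the user into
     * @param code    the authorization code received from the provider
     * @param request the callback request; receives {@link #OIDC_AUTHENTICATED}
     *                when an existing EPerson matches the e-mail
     * @return {@code 1} on login or registration, {@code 5} when the EPerson
     *         exists but may not log in, {@code 4} otherwise
     */
    private int authenticateWithOidc(Context context, String code, HttpServletRequest request)
        throws SQLException {
        OidcTokenResponseDTO token = getOidcAccessToken(code);
        if (token == null) {
            LOGGER.warn("No access token retrieved by code");
            return 4;
        }
        Map<String, Object> userInfo = getOidcUserInfo(token.getAccessToken());
        String email = getAttributeAsString(userInfo, getEmailAttribute());
        if (StringUtils.isBlank(email)) {
            LOGGER.warn("No email found in the user info attributes");
            return 4;
        }
        EPerson ePerson = this.ePersonService.findByEmail(context, email);
        if (ePerson != null) {
            request.setAttribute(OIDC_AUTHENTICATED, true);
            return ePerson.canLogIn() ? logInEPerson(context, ePerson) : 5;
        }
        // Read the self-registration switch once instead of twice.
        if (canSelfRegister()) {
            return registerNewEPerson(context, userInfo, email);
        }
        LOGGER.warn("Self registration is currently disabled for OIDC, and no ePerson could be found for email: {}",
                    email);
        return 4;
    }

    /**
     * Builds the provider authorize URL, or {@code ""} when any mandatory
     * {@code authentication-oidc.*} property is missing. Only the redirect URI
     * is URL-encoded; the other values are inserted verbatim.
     *
     * <p>The client secret is read only to verify it is configured; it is never
     * part of the URL and is not logged.
     */
    @Override // org.dspace.authenticate.AuthenticationMethod
    public String loginPageURL(Context context, HttpServletRequest httpServletRequest,
                               HttpServletResponse httpServletResponse) {
        String authorizeUrl = this.configurationService.getProperty("authentication-oidc.authorize-endpoint");
        String clientId = this.configurationService.getProperty("authentication-oidc.client-id");
        String clientSecret = this.configurationService.getProperty("authentication-oidc.client-secret");
        String redirectUri = this.configurationService.getProperty("authentication-oidc.redirect-url");
        String tokenUrl = this.configurationService.getProperty("authentication-oidc.token-endpoint");
        String userInfoUrl = this.configurationService.getProperty("authentication-oidc.user-info-endpoint");
        String scopes = String.join(" ", this.configurationService.getArrayProperty(
            "authentication-oidc.scopes", new String[] {"openid", "email", "profile"}));

        if (StringUtils.isAnyBlank(authorizeUrl, clientId, redirectUri, clientSecret, tokenUrl, userInfoUrl)) {
            LOGGER.error("Missing mandatory configuration properties for OidcAuthenticationBean");
            // Checked one by one: an absent property is null, and Map.of() (used before)
            // rejects null values, so the diagnostic itself used to fail with an NPE.
            // Only property names are logged — the values include the client secret.
            logIfMissing("authorizeUrl", authorizeUrl);
            logIfMissing("clientId", clientId);
            logIfMissing("redirectUri", redirectUri);
            logIfMissing("clientSecret", clientSecret);
            logIfMissing("tokenUrl", tokenUrl);
            logIfMissing("userInfoUrl", userInfoUrl);
            return "";
        }
        try {
            return String.format(LOGIN_PAGE_URL_FORMAT, authorizeUrl, clientId, scopes,
                                 URLEncoder.encode(redirectUri, Constants.DEFAULT_ENCODING));
        } catch (UnsupportedEncodingException e) {
            LOGGER.error(e.getMessage(), e);
            return "";
        }
    }

    /** Logs the name (never the value) of a blank mandatory property. */
    private static void logIfMissing(String name, String value) {
        if (StringUtils.isBlank(value)) {
            LOGGER.error(" * {} is missing", name);
        }
    }

    /** Sets the EPerson as the current user and reports success ({@code 1}). */
    private int logInEPerson(Context context, EPerson ePerson) {
        context.setCurrentUser(ePerson);
        return 1;
    }

    /**
     * Creates a self-registered EPerson from the user-info claims and logs it in.
     *
     * <p>The authorisation system is switched off so that an anonymous session may
     * create the EPerson; the {@code finally} block restores it on every exit
     * path, including errors that are not {@link Exception}s.
     *
     * @param userInfo user-info claims; first/last name are optional
     * @param email    e-mail claim, also used as the net id
     * @return {@code 1} on success, {@code 4} when creation failed (the failure is logged)
     */
    private int registerNewEPerson(Context context, Map<String, Object> userInfo, String email)
        throws SQLException {
        try {
            context.turnOffAuthorisationSystem();
            EPerson ePerson = this.ePersonService.create(context);
            ePerson.setNetid(email);
            ePerson.setEmail(email);
            String firstName = getAttributeAsString(userInfo, getFirstNameAttribute());
            if (firstName != null) {
                ePerson.setFirstName(context, firstName);
            }
            String lastName = getAttributeAsString(userInfo, getLastNameAttribute());
            if (lastName != null) {
                ePerson.setLastName(context, lastName);
            }
            ePerson.setCanLogIn(true);
            ePerson.setSelfRegistered(true);
            this.ePersonService.update(context, ePerson);
            context.setCurrentUser(ePerson);
            context.dispatchEvents();
            return 1;
        } catch (Exception e) {
            LOGGER.error("An error occurs registering a new EPerson from OIDC", e);
            return 4;
        } finally {
            context.restoreAuthSystemState();
        }
    }

    /** Exchanges the code for a token; {@code null} when the exchange fails (logged). */
    private OidcTokenResponseDTO getOidcAccessToken(String code) {
        try {
            return this.oidcClient.getAccessToken(code);
        } catch (Exception e) {
            LOGGER.error("An error occurs retriving the OIDC access_token", e);
            return null;
        }
    }

    /** Fetches the user-info claims; an empty map when the call fails (logged). */
    private Map<String, Object> getOidcUserInfo(String accessToken) {
        try {
            return this.oidcClient.getUserInfo(accessToken);
        } catch (Exception e) {
            LOGGER.error("An error occurs retriving the OIDC user info", e);
            return Map.of();
        }
    }

    /**
     * Returns the claim as a string, or {@code null} when the attribute name is
     * blank or the claim is absent. A claim present with a {@code null} value is
     * treated as absent instead of turning into the literal string "null".
     */
    private String getAttributeAsString(Map<String, Object> userInfo, String attribute) {
        if (StringUtils.isBlank(attribute)) {
            return null;
        }
        Object value = userInfo.get(attribute);
        return value == null ? null : String.valueOf(value);
    }

    private String getEmailAttribute() {
        return this.configurationService.getProperty("authentication-oidc.user-info.email", "email");
    }

    private String getFirstNameAttribute() {
        return this.configurationService.getProperty("authentication-oidc.user-info.first-name", "given_name");
    }

    private String getLastNameAttribute() {
        return this.configurationService.getProperty("authentication-oidc.user-info.last-name", "family_name");
    }

    /** {@code authentication-oidc.can-self-register}; defaults to {@code true} when unset or blank. */
    private boolean canSelfRegister() {
        String configured = this.configurationService.getProperty("authentication-oidc.can-self-register", "true");
        return StringUtils.isBlank(configured) || BooleanUtils.toBoolean(configured);
    }

    public OidcClient getOidcClient() {
        return this.oidcClient;
    }

    public void setOidcClient(OidcClient oidcClient) {
        this.oidcClient = oidcClient;
    }

    /**
     * True only for a request that went through {@link #authenticate} with a
     * matching EPerson and that has a current user on the context.
     */
    @Override // org.dspace.authenticate.AuthenticationMethod
    public boolean isUsed(Context context, HttpServletRequest httpServletRequest) {
        return httpServletRequest != null
            && context.getCurrentUser() != null
            && httpServletRequest.getAttribute(OIDC_AUTHENTICATED) != null;
    }
}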
