package org.eclipse.hawkbit.security;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/* loaded from: input_file:BOOT-INF/lib/hawkbit-security-integration-0.3.0M9.jar:org/eclipse/hawkbit/security/PreAuthTokenSourceTrustAuthenticationProvider.class */
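/**
 * {@link AuthenticationProvider} for {@link PreAuthenticatedAuthenticationToken}s.
 *
 * <p>A token is accepted when its principal matches its credentials (equality, or membership when the credentials
 * are a {@link Collection}) and, if an allow-list of source addresses was configured, the remote address carried in
 * the token details is on that list.
 *
 * <p>Security-relevant behaviour to keep in mind when wiring this provider:
 * <ul>
 * <li>With no allow-list (no-arg constructor, or {@code null} passed to the list constructor) the source-address
 * check is skipped entirely; only the principal/credentials comparison decides.</li>
 * <li>An empty allow-list rejects every request, because no address can be contained in it.</li>
 * <li>Allow-list entries are compared with {@link List#contains(Object)}, i.e. by exact string equality. Ranges,
 * CIDR notation and alternative textual forms of the same address are not recognised.</li>
 * </ul>
 */
public class PreAuthTokenSourceTrustAuthenticationProvider implements AuthenticationProvider {
    // NOTE(review): the logger category is the Spring token class, not this provider, so log routing or alerting
    // keyed on this package will not pick up the error logged below. Kept as-is to avoid changing log output.
    private static final Logger LOGGER = LoggerFactory.getLogger(PreAuthenticatedAuthenticationToken.class);

    // Trusted source addresses; null means "do not check the source address at all".
    private final List<String> authorizedSourceIps;

    /**
     * Creates a provider that performs no source-address check.
     */
    public PreAuthTokenSourceTrustAuthenticationProvider() {
        this.authorizedSourceIps = null;
    }

    /**
     * Creates a provider that only trusts requests from the given source addresses.
     *
     * @param list the trusted source addresses; {@code null} disables the source-address check
     */
    public PreAuthTokenSourceTrustAuthenticationProvider(List<String> list) {
        // Defensive copy: the allow-list is a trust boundary and must not change because the caller later mutates
        // the list it handed in. Copying into an ArrayList also keeps contains(null) from throwing, which
        // null-hostile lists such as List.of(...) would do when no remote address is available.
        this.authorizedSourceIps = list == null ? null : new ArrayList<>(list);
    }

    /**
     * Creates a provider that only trusts requests from the given source addresses.
     *
     * @param strArr the trusted source addresses; an empty array yields an empty allow-list that rejects everything
     */
    public PreAuthTokenSourceTrustAuthenticationProvider(String... strArr) {
        final List<String> trusted = new ArrayList<>(strArr.length);
        for (String address : strArr) {
            trusted.add(address);
        }
        this.authorizedSourceIps = trusted;
    }

    /**
     * Authenticates a pre-authenticated token.
     *
     * @param authentication the authentication request
     * @return a new {@link PreAuthenticatedAuthenticationToken} built with the original principal, credentials,
     *         authorities and details, or {@code null} if the token type is not supported by this provider
     * @throws BadCredentialsException if the principal is {@code null} or does not match the credentials
     * @throws InsufficientAuthenticationException if an allow-list is configured and the remote address is not on
     *         it, or cannot be determined from the token details
     */
    @Override
    public Authentication authenticate(Authentication authentication) {
        if (!supports(authentication.getClass())) {
            return null;
        }
        final PreAuthenticatedAuthenticationToken token = (PreAuthenticatedAuthenticationToken) authentication;
        final Object credentials = token.getCredentials();
        final Object principal = token.getPrincipal();
        final Object details = token.getDetails();
        final Collection<GrantedAuthority> authorities = token.getAuthorities();

        // A missing principal and a mismatch are reported identically so the caller cannot tell them apart.
        if (principal == null || !calculateAuthenticationSuccess(principal, credentials, details)) {
            throw new BadCredentialsException("The provided principal and credentials are not match");
        }

        // The three-argument constructor marks the token as authenticated; details are carried over unchanged.
        final PreAuthenticatedAuthenticationToken successToken = new PreAuthenticatedAuthenticationToken(principal, credentials, authorities);
        successToken.setDetails(details);
        return successToken;
    }

    /**
     * Decides whether the principal matches the credentials and, if so, applies the source-address check.
     *
     * @param principal the non-null principal of the token
     * @param credentials the credentials of the token; a {@link Collection} is searched for the principal, any
     *        other value is compared with {@code equals}
     * @param tokenDetails the token details, used only for the source-address check
     * @return {@code false} if principal and credentials do not match, {@code true} if they match and the
     *         source-address check passes
     * @throws InsufficientAuthenticationException if they match but the source-address check fails
     */
    private boolean calculateAuthenticationSuccess(Object principal, Object credentials, Object tokenDetails) {
        final boolean matches = credentials instanceof Collection
                ? ((Collection<?>) credentials).contains(principal)
                : principal.equals(credentials);
        // The source address is only examined after the principal has matched.
        return matches && checkSourceIPAddressIfNeccessary(tokenDetails);
    }

    /**
     * Checks the remote address from the token details against the allow-list, when one is configured.
     *
     * @param tokenDetails the token details; must be a {@link TenantAwareWebAuthenticationDetails} for the remote
     *        address to be readable
     * @return {@code true} if no allow-list is configured or the remote address is on it
     * @throws InsufficientAuthenticationException if an allow-list is configured and the remote address is not on
     *         it, or the details are of an unexpected type
     */
    private boolean checkSourceIPAddressIfNeccessary(Object tokenDetails) {
        if (this.authorizedSourceIps == null) {
            // No allow-list configured: the source address is not part of the trust decision.
            return true;
        }

        String remoteAddress = null;
        if (tokenDetails instanceof TenantAwareWebAuthenticationDetails) {
            // NOTE(review): this check is only as trustworthy as the way the remote address was obtained; confirm
            // it comes from the connection and not from a header the client controls.
            remoteAddress = ((TenantAwareWebAuthenticationDetails) tokenDetails).getRemoteAddress();
            if (this.authorizedSourceIps.contains(remoteAddress)) {
                return true;
            }
        } else {
            LOGGER.error("Cannot determine the controller remote-ip-address based on the given authentication token - {} , token details are not TenantAwareWebAuthenticationDetails! ", tokenDetails);
        }

        // NOTE(review): the message carries the complete allow-list. Confirm the failure handling in front of this
        // provider does not return exception messages to the unauthenticated caller.
        throw new InsufficientAuthenticationException("The remote source IP address " + remoteAddress + " is not in the list of trusted IP addresses " + this.authorizedSourceIps);
    }

    /**
     * Reports whether this provider can process the given authentication type.
     *
     * @param cls the authentication class to test
     * @return {@code true} if {@code cls} is {@link PreAuthenticatedAuthenticationToken} or a subclass of it
     */
    @Override
    public boolean supports(Class<?> cls) {
        return PreAuthenticatedAuthenticationToken.class.isAssignableFrom(cls);
    }
}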
