package org.openmetadata.service.security;

import com.auth0.jwt.interfaces.Claim;
import com.google.common.collect.ImmutableMap;
import java.security.Principal;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Stream;
import javax.ws.rs.client.Invocation;
import javax.ws.rs.client.WebTarget;
import javax.ws.rs.core.SecurityContext;
import org.openmetadata.common.utils.CommonUtil;
import org.openmetadata.service.OpenMetadataApplicationConfig;
import org.openmetadata.service.security.auth.BotTokenCache;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/openmetadata/service/security/SecurityUtil.class */
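/**
 * Helpers for deriving the caller's identity (user name, e-mail, domain) from
 * a JAX-RS security context or from the claims of an already-verified JWT.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Nothing here verifies a token signature. Every {@code Map<String, Claim>}
 *       passed in is assumed to come from a filter that has already validated the
 *       JWT (presumably {@code JwtFilter}); treat the claim values as attacker
 *       controlled only to the extent the issuing IdP is.</li>
 *   <li>Identity strings are normalized with {@link Locale#ROOT} so the same token
 *       maps to the same user regardless of the JVM's default locale (under a
 *       Turkish default locale {@code "ADMIN".toLowerCase()} would not be
 *       {@code "admin"}).</li>
 *   <li>The domain used for principal-domain enforcement is the part after the
 *       <em>last</em> {@code '@'}, so {@code "x@allowed.com@evil.com"} is checked
 *       against {@code evil.com}, not {@code allowed.com}.</li>
 * </ul>
 */
public final class SecurityUtil {
    private static final Logger LOG = LoggerFactory.getLogger(SecurityUtil.class);
    public static final String DEFAULT_PRINCIPAL_DOMAIN = "openmetadata.org";

    private SecurityUtil() {
    }

    /**
     * Returns the bare user name of the authenticated principal, or {@code null}
     * when the request carries no principal.
     *
     * <p>Only the text before the first {@code '/'} or {@code '@'} is kept, so both
     * {@code "user@domain"} and {@code "user/host"} yield {@code "user"}.
     *
     * @param securityContext the JAX-RS security context of the current request
     * @return the user name, or {@code null} if unauthenticated
     */
    public static String getUserName(SecurityContext securityContext) {
        Principal userPrincipal = securityContext.getUserPrincipal();
        if (userPrincipal == null) {
            return null;
        }
        return userPrincipal.getName().split("[/@]")[0];
    }

    /**
     * Builds the header map that asserts an identity via the
     * {@code X_AUTH_PARAMS_EMAIL_HEADER} header.
     *
     * <p>NOTE(review): a header-asserted identity is only safe when the receiving
     * filter is configured to trust it (e.g. internal/test deployments); whether
     * that is the case cannot be determined from this class.
     *
     * @param str the e-mail to assert, or {@code null} for an empty map
     * @return an immutable map with zero or one entry
     */
    public static Map<String, String> authHeaders(String str) {
        ImmutableMap.Builder<String, String> builder = ImmutableMap.builder();
        if (str != null) {
            builder.put(CatalogOpenIdAuthorizationRequestFilter.X_AUTH_PARAMS_EMAIL_HEADER, str);
        }
        return builder.build();
    }

    /**
     * Reads the principal name (local part of the e-mail) back out of a header map
     * produced by {@link #authHeaders(String)}.
     *
     * @param map the headers, may be {@code null}
     * @return the text before the first {@code '@'}, or {@code null} when the
     *         header is absent
     */
    public static String getPrincipalName(Map<String, String> map) {
        if (map == null) {
            return null;
        }
        String email = map.get(CatalogOpenIdAuthorizationRequestFilter.X_AUTH_PARAMS_EMAIL_HEADER);
        return email == null ? null : localPart(email);
    }

    /**
     * Returns the configured principal domain, falling back to
     * {@link #DEFAULT_PRINCIPAL_DOMAIN} when none is configured.
     *
     * @param openMetadataApplicationConfig the application configuration
     * @return a non-empty domain string
     */
    public static String getDomain(OpenMetadataApplicationConfig openMetadataApplicationConfig) {
        String principalDomain = openMetadataApplicationConfig.getAuthorizerConfiguration().getPrincipalDomain();
        return CommonUtil.nullOrEmpty(principalDomain) ? DEFAULT_PRINCIPAL_DOMAIN : principalDomain;
    }

    /**
     * Starts a request on {@code webTarget}, copying the identity header from
     * {@code map} when one is supplied.
     *
     * @param webTarget the target to request
     * @param map the headers from {@link #authHeaders(String)}, may be {@code null}
     * @return the request builder
     */
    public static Invocation.Builder addHeaders(WebTarget webTarget, Map<String, String> map) {
        Invocation.Builder request = webTarget.request();
        if (map == null) {
            return request;
        }
        // A null header value is passed through unchanged; JAX-RS treats that as
        // "no such header", which matches the original behaviour.
        return request.header(
                CatalogOpenIdAuthorizationRequestFilter.X_AUTH_PARAMS_EMAIL_HEADER,
                map.get(CatalogOpenIdAuthorizationRequestFilter.X_AUTH_PARAMS_EMAIL_HEADER));
    }

    /**
     * Derives the user name from JWT claims.
     *
     * <p>With an explicit claim mapping the value of the configured username claim
     * is used verbatim. Without one, the first present claim from {@code list} is
     * used and, if it looks like an e-mail, truncated to its local part.
     *
     * @param map  principal-claims mapping (username/email claim names), may be empty
     * @param list ordered fallback claim names to look up when {@code map} is empty
     * @param map2 the claims of an already-verified token
     * @return the user name, lower-cased with {@link Locale#ROOT}
     * @throws AuthenticationException if no usable claim is present or the derived
     *         user name is empty
     */
    public static String findUserNameFromClaims(Map<String, String> map, List<String> list, Map<String, ?> map2) {
        String userName;
        if (CommonUtil.nullOrEmpty(map)) {
            userName = localPart(getFirstMatchJwtClaim(list, map2));
            // "@example.com" would otherwise yield an empty identity.
            if (CommonUtil.nullOrEmpty(userName)) {
                throw new AuthenticationException("Invalid JWT token, derived username is empty");
            }
        } else {
            userName = getClaimOrObject(map2.get(map.get(JwtFilter.USERNAME_CLAIM_KEY)));
            if (CommonUtil.nullOrEmpty(userName)) {
                throw new AuthenticationException("Invalid JWT token, 'username' claim is not present");
            }
        }
        // Locale.ROOT: identity normalization must not depend on the JVM's default locale.
        return userName.toLowerCase(Locale.ROOT);
    }

    /**
     * Derives the user's e-mail from JWT claims.
     *
     * <p>With an explicit claim mapping the configured email claim must be present
     * and contain an {@code '@'}. Without one, the first present claim from
     * {@code list} is used as-is when it contains an {@code '@'}, otherwise
     * {@code "<claim>@<str>"} is synthesized.
     *
     * @param map  principal-claims mapping, may be empty
     * @param list ordered fallback claim names to look up when {@code map} is empty
     * @param map2 the claims of an already-verified token
     * @param str  the principal domain appended when the claim has no domain
     * @return the e-mail, lower-cased with {@link Locale#ROOT}
     * @throws AuthenticationException if no usable claim is present or the mapped
     *         email claim has no {@code '@'}
     */
    public static String findEmailFromClaims(Map<String, String> map, List<String> list, Map<String, ?> map2, String str) {
        String email;
        if (CommonUtil.nullOrEmpty(map)) {
            String claim = getFirstMatchJwtClaim(list, map2);
            email = claim.contains("@") ? claim : String.format("%s@%s", claim, str);
        } else {
            email = getClaimOrObject(map2.get(map.get(JwtFilter.EMAIL_CLAIM_KEY)));
            if (CommonUtil.nullOrEmpty(email) || !email.contains("@")) {
                throw new AuthenticationException(String.format("Invalid JWT token, 'email' claim is not present or invalid : %s", email));
            }
        }
        return email.toLowerCase(Locale.ROOT);
    }

    /**
     * Converts a claim value to a string.
     *
     * @param obj a {@link Claim}, a {@link String}, or anything else
     * @return the string value; {@code BotTokenCache.EMPTY_STRING} (presumably
     *         {@code ""}) for {@code null}, non-string claims and unsupported types.
     *         Never {@code null}, so callers can use {@code contains}/{@code split}
     *         directly.
     */
    public static String getClaimOrObject(Object obj) {
        if (obj instanceof Claim) {
            // Claim.asString() may return null when the claim is not a string
            // (number, array, ...) — normalize so the result is never null.
            String value = ((Claim) obj).asString();
            return value == null ? BotTokenCache.EMPTY_STRING : value;
        }
        if (obj instanceof String) {
            return (String) obj;
        }
        return BotTokenCache.EMPTY_STRING;
    }

    /**
     * Returns the string value of the first claim name in {@code list} that is
     * present in {@code map}.
     *
     * <p>Presence is decided by key, in list order; the chosen claim must then
     * resolve to a non-empty string, otherwise authentication fails rather than
     * silently producing an empty identity.
     *
     * @param list ordered claim names to try
     * @param map  the claims of an already-verified token
     * @return the non-empty claim value
     * @throws AuthenticationException if none of the claims is present, or the
     *         first present one is empty / not a string
     */
    public static String getFirstMatchJwtClaim(List<String> list, Map<String, ?> map) {
        Objects.requireNonNull(map);
        String claimName = list.stream()
                .filter(map::containsKey)
                .findFirst()
                .orElseThrow(() -> new AuthenticationException(
                        "Invalid JWT token, none of the following claims are present " + list));
        String value = getClaimOrObject(map.get(claimName));
        if (CommonUtil.nullOrEmpty(value)) {
            throw new AuthenticationException(
                    String.format("Invalid JWT token, claim '%s' is present but empty or not a string", claimName));
        }
        return value;
    }

    /**
     * Validates a principal-claims mapping at configuration time: if a mapping is
     * given at all, both the username and the email claim names must be set.
     *
     * @param map the mapping, may be {@code null} or empty (no validation)
     * @throws IllegalArgumentException if only one of the two keys is configured
     */
    public static void validatePrincipalClaimsMapping(Map<String, String> map) {
        if (CommonUtil.nullOrEmpty(map)) {
            return;
        }
        String usernameClaim = map.get(JwtFilter.USERNAME_CLAIM_KEY);
        String emailClaim = map.get(JwtFilter.EMAIL_CLAIM_KEY);
        if (CommonUtil.nullOrEmpty(usernameClaim) || CommonUtil.nullOrEmpty(emailClaim)) {
            throw new IllegalArgumentException("Invalid JWT Principal Claims Mapping. Both username and email should be present");
        }
    }

    /**
     * Enforces that the token's e-mail domain equals the configured principal
     * domain.
     *
     * <p>The claim is resolved first (and rejected if absent) regardless of whether
     * enforcement is on. Enforcement is skipped for bot tokens ({@link #isBot}) and
     * when {@code z} is {@code false}. The domain is everything after the
     * <em>last</em> {@code '@'}; a value without {@code '@'}, or ending in
     * {@code '@'}, has an empty domain and is rejected when enforcement is on.
     * Domains are compared case-insensitively, as DNS names are.
     *
     * @param map  principal-claims mapping, may be empty
     * @param list ordered fallback claim names to look up when {@code map} is empty
     * @param map2 the claims of an already-verified token
     * @param str  the principal domain to enforce
     * @param z    whether enforcement is enabled
     * @throws AuthenticationException if the email claim is missing or, when
     *         enforced, its domain does not match {@code str}
     */
    public static void validateDomainEnforcement(Map<String, String> map, List<String> list, Map<String, Claim> map2, String str, boolean z) {
        String emailOrName;
        if (CommonUtil.nullOrEmpty(map)) {
            emailOrName = getFirstMatchJwtClaim(list, map2);
        } else {
            emailOrName = getClaimOrObject(map2.get(map.get(JwtFilter.EMAIL_CLAIM_KEY)));
            if (CommonUtil.nullOrEmpty(emailOrName)) {
                throw new AuthenticationException("Invalid JWT token, 'email' claim is not present");
            }
        }
        // Bot tokens are exempt from the domain check; the bot flag itself is just a
        // claim, so this exemption is only as trustworthy as the token verification
        // performed upstream.
        if (isBot(map2) || !z) {
            return;
        }
        String domain = domainPart(emailOrName);
        if (!domain.equalsIgnoreCase(str)) {
            throw new AuthenticationException(String.format("Not Authorized! Email does not match the principal domain %s", str));
        }
    }

    /**
     * Whether the token carries {@code JwtFilter.BOT_CLAIM} set to {@code true}.
     *
     * @param map the claims of an already-verified token
     * @return {@code true} only if the claim is present and its boolean value is true
     */
    public static boolean isBot(Map<String, Claim> map) {
        Claim bot = map.get(JwtFilter.BOT_CLAIM);
        return bot != null && Boolean.TRUE.equals(bot.asBoolean());
    }

    /** Text before the first {@code '@'}; the whole value when there is none. */
    private static String localPart(String value) {
        int at = value.indexOf('@');
        return at < 0 ? value : value.substring(0, at);
    }

    /**
     * Text after the <em>last</em> {@code '@'}; empty when there is none. Using the
     * last separator prevents {@code "x@allowed.com@evil.com"} from being treated as
     * belonging to {@code allowed.com}.
     */
    private static String domainPart(String value) {
        int at = value.lastIndexOf('@');
        return at < 0 ? BotTokenCache.EMPTY_STRING : value.substring(at + 1);
    }
}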
