package org.cloudfoundry.identity.uaa.invitations;

import com.fasterxml.jackson.core.type.TypeReference;
import java.io.IOException;
import java.net.URLEncoder;
import java.sql.Timestamp;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.cloudfoundry.identity.uaa.account.PasswordConfirmationValidation;
import org.cloudfoundry.identity.uaa.authentication.UaaPrincipal;
import org.cloudfoundry.identity.uaa.authentication.manager.DynamicZoneAwareAuthenticationManager;
import org.cloudfoundry.identity.uaa.codestore.ExpiringCode;
import org.cloudfoundry.identity.uaa.codestore.ExpiringCodeStore;
import org.cloudfoundry.identity.uaa.codestore.ExpiringCodeType;
import org.cloudfoundry.identity.uaa.constants.OriginKeys;
import org.cloudfoundry.identity.uaa.invitations.InvitationsService;
import org.cloudfoundry.identity.uaa.provider.AbstractXOAuthIdentityProviderDefinition;
import org.cloudfoundry.identity.uaa.provider.IdentityProvider;
import org.cloudfoundry.identity.uaa.provider.IdentityProviderProvisioning;
import org.cloudfoundry.identity.uaa.provider.SamlIdentityProviderDefinition;
import org.cloudfoundry.identity.uaa.provider.ldap.ExtendedLdapUserDetails;
import org.cloudfoundry.identity.uaa.provider.saml.SamlRedirectUtils;
import org.cloudfoundry.identity.uaa.scim.ScimUser;
import org.cloudfoundry.identity.uaa.scim.ScimUserProvisioning;
import org.cloudfoundry.identity.uaa.scim.exception.InvalidPasswordException;
import org.cloudfoundry.identity.uaa.scim.validate.PasswordValidator;
import org.cloudfoundry.identity.uaa.user.UaaAuthority;
import org.cloudfoundry.identity.uaa.user.UaaUser;
import org.cloudfoundry.identity.uaa.user.UaaUserDatabase;
import org.cloudfoundry.identity.uaa.util.JsonUtils;
import org.cloudfoundry.identity.uaa.util.ObjectUtils;
import org.cloudfoundry.identity.uaa.util.UaaHttpRequestUtils;
import org.cloudfoundry.identity.uaa.web.UaaSavedRequestAwareAuthenticationSuccessHandler;
import org.cloudfoundry.identity.uaa.zone.BrandingInformation;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.springframework.dao.EmptyResultDataAccessException;
import org.springframework.http.HttpStatus;
import org.springframework.ldap.AuthenticationException;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.PortResolver;
import org.springframework.security.web.PortResolverImpl;
import org.springframework.security.web.savedrequest.DefaultSavedRequest;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.util.StringUtils;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.client.HttpClientErrorException;
import org.springframework.web.context.request.RequestContextHolder;

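/**
 * MVC controller for the {@code /invitations} flows.
 *
 * <p>{@code GET /accept} validates an invitation code, re-issues it with a fresh lifetime and then either
 * redirects (already-verified UAA users, SAML/OIDC/OAuth providers, or an external user that has already
 * authenticated) or renders {@code invitations/accept_invite} under a short-lived anonymous
 * {@code scim.invite} authentication. {@code POST /accept.do} finishes the flow for UAA users by setting a
 * password; {@code POST /accept_enterprise.do} finishes it for LDAP users by authenticating against LDAP.
 *
 * <p>Every failure path answers 422 through {@link #handleUnprocessableEntity} with a message code the view
 * renders. Parameter names of the handler methods are the decompiler's ({@code str}, {@code str2}, ...);
 * their meaning is documented per method.
 */
@RequestMapping({"/invitations"})
@Controller
/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-4.24.0.jar:org/cloudfoundry/identity/uaa/invitations/InvitationsController.class */
public class InvitationsController {
    private static final Log logger = LogFactory.getLog(InvitationsController.class);

    /** Lifetime given to every code this controller re-issues: 10 minutes. */
    private static final long CODE_VALIDITY_MILLIS = 600000L;
    /** Charset name used for query-string encoding; always supported by the JDK. */
    private static final String URL_ENCODING = "UTF-8";

    /** Keys of the JSON payload stored inside an invitation code. */
    private static final String DATA_USER_ID = "user_id";
    private static final String DATA_EMAIL = "email";
    private static final String DATA_ORIGIN = "origin";

    /** Model attribute / message-code names understood by the accept views. */
    private static final String ERROR_MESSAGE_CODE = "error_message_code";
    private static final String ERROR_MESSAGE = "error_message";
    private static final String CODE_EXPIRED = "code_expired";
    private static final String NO_SUITABLE_IDP = "no_suitable_idp";
    private static final String ACCEPT_INVITE_VIEW = "invitations/accept_invite";

    /** Request parameters copied onto the model by {@link #transferErrorParameters}, in this order. */
    private static final String[] ERROR_PARAMETERS = {ERROR_MESSAGE_CODE, "error_code", ERROR_MESSAGE};

    private final InvitationsService invitationsService;
    private PasswordValidator passwordValidator;
    private ExpiringCodeStore expiringCodeStore;
    private IdentityProviderProvisioning providerProvisioning;
    private UaaUserDatabase userDatabase;
    private DynamicZoneAwareAuthenticationManager zoneAwareAuthenticationManager;
    private ScimUserProvisioning userProvisioning;
    private String spEntityID;

    public void setExpiringCodeStore(ExpiringCodeStore expiringCodeStore) {
        this.expiringCodeStore = expiringCodeStore;
    }

    public void setPasswordValidator(PasswordValidator passwordValidator) {
        this.passwordValidator = passwordValidator;
    }

    public void setProviderProvisioning(IdentityProviderProvisioning identityProviderProvisioning) {
        this.providerProvisioning = identityProviderProvisioning;
    }

    public void setZoneAwareAuthenticationManager(DynamicZoneAwareAuthenticationManager dynamicZoneAwareAuthenticationManager) {
        this.zoneAwareAuthenticationManager = dynamicZoneAwareAuthenticationManager;
    }

    public void setUserDatabase(UaaUserDatabase uaaUserDatabase) {
        this.userDatabase = uaaUserDatabase;
    }

    /**
     * @param invitationsService service that finalises an accepted invitation; the remaining collaborators
     *                           are injected through the setters
     */
    public InvitationsController(InvitationsService invitationsService) {
        this.invitationsService = invitationsService;
    }

    /** @return the SAML SP entity id used when redirecting to a SAML IdP */
    public String getSpEntityID() {
        return this.spEntityID;
    }

    public void setSpEntityID(String str) {
        this.spEntityID = str;
    }

    /** Legacy paths that are no longer served; answered with an empty 404. */
    @RequestMapping({"/sent", "/new", "/new.do"})
    public void return404(HttpServletResponse httpServletResponse) {
        httpServletResponse.setStatus(HttpStatus.NOT_FOUND.value());
    }

    /**
     * Entry point of an invitation link.
     *
     * <p>Rejects unknown codes and codes tagged with an intent other than {@code INVITATION}; otherwise
     * re-issues the code, looks up the invited user's identity provider and dispatches on its type.
     *
     * @param str                 the invitation code (query parameter {@code code}; the mapping requires it)
     * @param model               view model; receives {@code provider}, {@code code}, {@code email} and the
     *                            consent attributes when the accept page is rendered
     * @param httpServletRequest  current request; error parameters are copied from it and, for external
     *                            IdPs, a saved-request copy of it is stored in the session
     * @param httpServletResponse set to 422 on every failure path
     * @return a {@code redirect:} view or {@code invitations/accept_invite}
     * @throws IOException from URL encoding (UTF-8, so not expected in practice)
     */
    @RequestMapping(value = {"/accept"}, method = {RequestMethod.GET}, params = {"code"})
    public String acceptInvitePage(@RequestParam("code") String str, Model model, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        String zoneId = IdentityZoneHolder.get().getId();
        ExpiringCode retrieveCode = this.expiringCodeStore.retrieveCode(str, zoneId);
        if (retrieveCode == null || !hasInvitationIntent(retrieveCode)) {
            return handleUnprocessableEntity(model, httpServletResponse, ERROR_MESSAGE_CODE, CODE_EXPIRED, ACCEPT_INVITE_VIEW);
        }
        transferErrorParameters(model, httpServletRequest);
        Map<String, String> data = readCodeData(retrieveCode);
        String origin = data.get(DATA_ORIGIN);
        String email = data.get(DATA_EMAIL);
        String userId = data.get(DATA_USER_ID);
        try {
            IdentityProvider provider = this.providerProvisioning.retrieveByOrigin(origin, zoneId);
            String code = renewCode(retrieveCode);
            UaaUser invitedUser = this.userDatabase.retrieveUserById(userId);
            String providerType = provider.getType();

            // A UAA user whose address is already verified, or an external user who has already come back
            // authenticated, needs no further interaction.
            boolean verifiedUaaUser = OriginKeys.UAA.equals(providerType) && invitedUser.isVerified();
            boolean externalAlreadyAuthenticated = !OriginKeys.UAA.equals(providerType) && UaaHttpRequestUtils.isAcceptedInvitationAuthentication();
            if (verifiedUaaUser || externalAlreadyAuthenticated) {
                String redirect = "redirect:" + this.invitationsService.acceptInvitation(code, "").getRedirectUri();
                logger.debug(String.format("Redirecting accepted invitation for email:%s, id:%s to URL:%s", email, userId, redirect));
                return redirect;
            }

            if (OriginKeys.SAML.equals(providerType)) {
                setRequestAttributes(httpServletRequest, code, invitedUser);
                SamlIdentityProviderDefinition samlDefinition = (SamlIdentityProviderDefinition) ObjectUtils.castInstance(provider.getConfig(), SamlIdentityProviderDefinition.class);
                String redirect = "redirect:/" + SamlRedirectUtils.getIdpRedirectUrl(samlDefinition, getSpEntityID());
                logger.debug(String.format("Redirecting invitation for email:%s, id:%s single SAML IDP URL:%s", email, userId, redirect));
                return redirect;
            }

            if (OriginKeys.OIDC10.equals(providerType) || OriginKeys.OAUTH20.equals(providerType)) {
                setRequestAttributes(httpServletRequest, code, invitedUser);
                AbstractXOAuthIdentityProviderDefinition oauthDefinition = (AbstractXOAuthIdentityProviderDefinition) ObjectUtils.castInstance(provider.getConfig(), AbstractXOAuthIdentityProviderDefinition.class);
                // The callback URI is derived from the request's Host header, so the deployment must ensure
                // that header is trustworthy (e.g. fixed by the front proxy): it decides where the IdP sends
                // the authorization code.
                String callbackUri = httpServletRequest.getScheme() + "://" + httpServletRequest.getHeader("Host") + httpServletRequest.getContextPath() + "/login/callback/" + provider.getOriginKey();
                // Query values are form-encoded as RFC 6749 requires; the IdP decodes them before matching.
                String redirect = "redirect:" + oauthDefinition.getAuthUrl()
                        + "?client_id=" + URLEncoder.encode(oauthDefinition.getRelyingPartyId(), URL_ENCODING)
                        + "&response_type=code&redirect_uri=" + URLEncoder.encode(callbackUri, URL_ENCODING);
                logger.debug(String.format("Redirecting invitation for email:%s, id:%s OIDC IDP URL:%s", email, userId, redirect));
                return redirect;
            }

            // Plain UAA (or LDAP) user: render the accept page under a restricted anonymous authentication
            // that POST /accept.do later compares against the code's user id.
            UaaPrincipal invitedPrincipal = new UaaPrincipal(userId, email, email, origin, null, zoneId);
            SecurityContextHolder.getContext().setAuthentication(new AnonymousAuthenticationToken("scim.invite", invitedPrincipal, Arrays.asList(UaaAuthority.UAA_INVITED)));
            model.addAttribute("provider", providerType);
            model.addAttribute("code", code);
            model.addAttribute("email", email);
            logger.debug(String.format("Sending user to accept invitation page email:%s, id:%s", email, userId));
            updateModelWithConsentAttributes(model);
            return ACCEPT_INVITE_VIEW;
        } catch (EmptyResultDataAccessException e) {
            // No identity provider with the code's origin exists in this zone.
            logger.debug(String.format("No available invitation providers for email:%s, id:%s", email, userId));
            return handleUnprocessableEntity(model, httpServletResponse, ERROR_MESSAGE_CODE, NO_SUITABLE_IDP, ACCEPT_INVITE_VIEW);
        }
    }

    /**
     * Returns whether {@code code} may be consumed as an invitation: untagged codes and codes tagged
     * {@code INVITATION} qualify, anything else (a code issued for a different purpose) does not.
     */
    private static boolean hasInvitationIntent(ExpiringCode code) {
        String intent = code.getIntent();
        return intent == null || ExpiringCodeType.INVITATION.name().equals(intent);
    }

    /** Parses the JSON payload stored in an invitation code into its string map. */
    private static Map<String, String> readCodeData(ExpiringCode code) {
        return JsonUtils.readValue(code.getData(), new TypeReference<Map<String, String>>() {
        });
    }

    /**
     * Issues a replacement for {@code original} in the current zone with the same payload and intent and
     * a fresh {@link #CODE_VALIDITY_MILLIS} lifetime.
     *
     * @return the value of the new code
     */
    private String renewCode(ExpiringCode original) {
        Timestamp expiresAt = new Timestamp(System.currentTimeMillis() + CODE_VALIDITY_MILLIS);
        return this.expiringCodeStore.generateCode(original.getData(), expiresAt, original.getIntent(), IdentityZoneHolder.get().getId()).getCode();
    }

    /**
     * The {@link UaaPrincipal} placed in the security context by {@link #acceptInvitePage}, or {@code null}
     * when there is no authentication or its principal is of another type (e.g. a plain anonymous user).
     */
    private static UaaPrincipal currentInvitedPrincipal() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication != null && authentication.getPrincipal() instanceof UaaPrincipal) {
            return (UaaPrincipal) authentication.getPrincipal();
        }
        return null;
    }

    /** Adds the zone's consent text and link to the model when the zone branding defines a consent. */
    private void updateModelWithConsentAttributes(Model model) {
        BrandingInformation branding = IdentityZoneHolder.get().getConfig().getBranding();
        if (branding == null || branding.getConsent() == null) {
            return;
        }
        model.addAttribute("consent_text", branding.getConsent().getText());
        model.addAttribute("consent_link", branding.getConsent().getLink());
    }

    /**
     * Copies the non-blank {@code error_message_code}, {@code error_code} and {@code error_message}
     * request parameters onto the model, so an error produced by a POST handler survives the redirect back
     * to the GET page.
     */
    public void transferErrorParameters(Model model, HttpServletRequest httpServletRequest) {
        for (String parameterName : ERROR_PARAMETERS) {
            String value = httpServletRequest.getParameter(parameterName);
            if (StringUtils.hasText(value)) {
                model.addAttribute(parameterName, value);
            }
        }
    }

    /**
     * Marks the session as an invitation acceptance in progress before handing off to an external IdP:
     * sets the flag and the invited user's id, and stores a copy of this request that carries the
     * re-issued code {@code str} as the saved request consumed after authentication.
     */
    private void setRequestAttributes(HttpServletRequest httpServletRequest, String str, UaaUser uaaUser) {
        // Scope 1 is RequestAttributes.SCOPE_SESSION.
        RequestContextHolder.getRequestAttributes().setAttribute("IS_INVITE_ACCEPTANCE", true, 1);
        RequestContextHolder.getRequestAttributes().setAttribute("user_id", uaaUser.getId(), 1);
        RequestContextHolder.getRequestAttributes().setAttribute(
                UaaSavedRequestAwareAuthenticationSuccessHandler.SAVED_REQUEST_SESSION_ATTRIBUTE,
                new DefaultSavedRequest(getNewCodeWrapper(httpServletRequest, str), new PortResolverImpl()),
                1);
    }

    /**
     * Wraps {@code httpServletRequest} so that the {@code code} parameter and the query string report
     * {@code str} (the re-issued code) instead of the value the browser sent; all other parameters are
     * delegated unchanged. Used to build the saved request in {@link #setRequestAttributes}.
     */
    protected HttpServletRequestWrapper getNewCodeWrapper(HttpServletRequest httpServletRequest, final String str) {
        return new HttpServletRequestWrapper(httpServletRequest) { // from class: org.cloudfoundry.identity.uaa.invitations.InvitationsController.2
            @Override
            public String getParameter(String str2) {
                return "code".equals(str2) ? str : super.getParameter(str2);
            }

            @Override
            public Map<String, String[]> getParameterMap() {
                Map<String, String[]> parameters = new HashMap<String, String[]>(super.getParameterMap());
                parameters.put("code", new String[]{str});
                return parameters;
            }

            @Override
            public String[] getParameterValues(String str2) {
                return "code".equals(str2) ? new String[]{str} : super.getParameterValues(str2);
            }

            @Override
            public String getQueryString() {
                return "code=" + str;
            }
        };
    }

    /**
     * Completes an invitation for a UAA user by setting the chosen password.
     *
     * <p>The code must exist, carry data, have an invitation intent and name the same user id as the
     * {@link UaaPrincipal} that {@link #acceptInvitePage} put in the security context; otherwise the
     * context is cleared and {@code code_expired} is reported. Consent (when the zone requires it) and
     * password confirmation/policy failures send the user back to the GET page with a new code.
     *
     * @param str                 the new password ({@code password})
     * @param str2                its confirmation ({@code password_confirmation})
     * @param str3                the invitation code ({@code code})
     * @param z                   whether the consent box was ticked ({@code does_user_consent}); missing
     *                            parameter binds as {@code false}
     * @param model               view model
     * @param httpServletRequest  current request (unused here)
     * @param httpServletResponse set to 422 on failure
     * @return a redirect to {@code /login} on success, otherwise an error redirect or view
     * @throws IOException from URL encoding (UTF-8, so not expected in practice)
     */
    @RequestMapping(value = {"/accept.do"}, method = {RequestMethod.POST})
    public String acceptInvitation(@RequestParam("password") String str, @RequestParam("password_confirmation") String str2, @RequestParam("code") String str3, @RequestParam(value = "does_user_consent", required = false) boolean z, Model model, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        PasswordConfirmationValidation confirmation = new PasswordConfirmationValidation(str, str2);
        // Resolved defensively: an absent or non-UAA principal is treated as a mismatch below instead of
        // failing with a NullPointerException / ClassCastException.
        UaaPrincipal uaaPrincipal = currentInvitedPrincipal();
        ExpiringCode retrieveCode = this.expiringCodeStore.retrieveCode(str3, IdentityZoneHolder.get().getId());
        if (retrieveCode == null || retrieveCode.getData() == null || !hasInvitationIntent(retrieveCode)) {
            logger.debug("Failing invitation. Code not found.");
            SecurityContextHolder.clearContext();
            return handleUnprocessableEntity(model, httpServletResponse, ERROR_MESSAGE_CODE, CODE_EXPIRED, ACCEPT_INVITE_VIEW);
        }
        Map<String, String> data = readCodeData(retrieveCode);
        String userId = data.get(DATA_USER_ID);
        // The code is bound to the principal established on the GET page; reject any other session.
        if (uaaPrincipal == null || userId == null || !userId.equals(uaaPrincipal.getId())) {
            logger.debug("Failing invitation. Code and user ID mismatch.");
            SecurityContextHolder.clearContext();
            return handleUnprocessableEntity(model, httpServletResponse, ERROR_MESSAGE_CODE, CODE_EXPIRED, ACCEPT_INVITE_VIEW);
        }
        String code = renewCode(retrieveCode);
        BrandingInformation branding = IdentityZoneHolder.get().getConfig().getBranding();
        if (branding != null && branding.getConsent() != null && !z) {
            return processErrorReload(code, model, uaaPrincipal.getEmail(), httpServletResponse, ERROR_MESSAGE_CODE, "missing_consent");
        }
        if (!confirmation.valid()) {
            return processErrorReload(code, model, uaaPrincipal.getEmail(), httpServletResponse, ERROR_MESSAGE_CODE, confirmation.getMessageCode());
        }
        try {
            this.passwordValidator.validate(str);
            try {
                InvitationsService.AcceptedInvitation accepted = this.invitationsService.acceptInvitation(code, str);
                String redirect = "redirect:/login?success=invite_accepted";
                if ("/home".equals(accepted.getRedirectUri())) {
                    return redirect;
                }
                // Encoded so a redirect URI containing '?' or '&' survives as a single query parameter.
                return redirect + "&form_redirect_uri=" + URLEncoder.encode(accepted.getRedirectUri(), URL_ENCODING);
            } catch (HttpClientErrorException e) {
                return handleUnprocessableEntity(model, httpServletResponse, ERROR_MESSAGE_CODE, CODE_EXPIRED, ACCEPT_INVITE_VIEW);
            }
        } catch (InvalidPasswordException e2) {
            // Kept around both calls: the service may also reject the password.
            return processErrorReload(code, model, uaaPrincipal.getEmail(), httpServletResponse, ERROR_MESSAGE, e2.getMessagesAsOneString());
        }
    }

    /**
     * Sends the browser back to the GET accept page with an error and a freshly issued code. The model
     * attributes are appended to the {@code redirect:accept} URL as query parameters (Spring's default
     * redirect behaviour), where {@link #acceptInvitePage} reads them via {@link #transferErrorParameters}.
     *
     * @param str                 the currently valid invitation code
     * @param model               view model
     * @param str2                the user's email; currently unused, the email is read from the code payload
     * @param httpServletResponse set to 422 when no provider is available
     * @param str3                model attribute name for the error ({@code error_message_code} or
     *                            {@code error_message})
     * @param str4                the error value
     */
    private String processErrorReload(String str, Model model, String str2, HttpServletResponse httpServletResponse, String str3, String str4) {
        ExpiringCode retrieveCode = this.expiringCodeStore.retrieveCode(str, IdentityZoneHolder.get().getId());
        if (retrieveCode == null) {
            // The code was issued a moment ago; a miss means it has already gone from the store.
            return handleUnprocessableEntity(model, httpServletResponse, ERROR_MESSAGE_CODE, CODE_EXPIRED, ACCEPT_INVITE_VIEW);
        }
        Map<String, String> data = readCodeData(retrieveCode);
        try {
            String code = renewCode(retrieveCode);
            model.addAttribute(str3, str4);
            model.addAttribute("code", code);
            return "redirect:accept";
        } catch (EmptyResultDataAccessException e) {
            logger.debug(String.format("No available invitation providers for email:%s, id:%s", data.get(DATA_EMAIL), data.get(DATA_USER_ID)));
            return handleUnprocessableEntity(model, httpServletResponse, ERROR_MESSAGE_CODE, NO_SUITABLE_IDP, ACCEPT_INVITE_VIEW);
        }
    }

    /**
     * Completes an invitation for an LDAP user: authenticates the supplied LDAP credentials against the
     * zone's {@code ldap} provider, requires the LDAP account's email to match the invited SCIM user's
     * primary email, stores the LDAP username on the SCIM user and accepts the invitation.
     *
     * @param str                 LDAP username ({@code enterprise_username})
     * @param str2                LDAP password ({@code enterprise_password})
     * @param str3                email typed by the user ({@code enterprise_email}); only echoed back on the
     *                            bad-credentials error page
     * @param str4                the invitation code ({@code code})
     * @param model               view model
     * @param httpServletResponse set to 422 on failure
     * @return a redirect to {@code /login} on success, otherwise the accept view with an error
     * @throws IOException declared for URL encoding; UTF-8 encoding does not fail in practice
     */
    @RequestMapping(value = {"/accept_enterprise.do"}, method = {RequestMethod.POST})
    public String acceptLdapInvitation(@RequestParam("enterprise_username") String str, @RequestParam("enterprise_password") String str2, @RequestParam("enterprise_email") String str3, @RequestParam("code") String str4, Model model, HttpServletResponse httpServletResponse) throws IOException {
        ExpiringCode retrieveCode = this.expiringCodeStore.retrieveCode(str4, IdentityZoneHolder.get().getId());
        if (retrieveCode == null || !hasInvitationIntent(retrieveCode)) {
            return handleUnprocessableEntity(model, httpServletResponse, ERROR_MESSAGE_CODE, CODE_EXPIRED, "invitations/accept_enterprise.do");
        }
        String code = renewCode(retrieveCode);
        UsernamePasswordAuthenticationToken credentials = new UsernamePasswordAuthenticationToken(str, str2);
        try {
            IdentityProvider ldapProvider = this.providerProvisioning.retrieveByOrigin("ldap", IdentityZoneHolder.get().getId());
            // Result discarded, as in the original; presumably forces the zone's LDAP manager to be built
            // before it is used below — confirm against DynamicZoneAwareAuthenticationManager.
            this.zoneAwareAuthenticationManager.getLdapAuthenticationManager(IdentityZoneHolder.get(), ldapProvider).getLdapAuthenticationManager();
            try {
                Authentication authentication = this.zoneAwareAuthenticationManager.getLdapAuthenticationManager(IdentityZoneHolder.get(), ldapProvider).getLdapManagerActual().authenticate(credentials);
                Map<String, String> data = readCodeData(retrieveCode);
                ScimUser invitedUser = this.userProvisioning.retrieve(data.get(DATA_USER_ID), IdentityZoneHolder.get().getId());
                ExtendedLdapUserDetails ldapUser = (ExtendedLdapUserDetails) authentication.getPrincipal();
                // The LDAP account must belong to the invited address; otherwise re-render the page with yet
                // another fresh code so the user can retry.
                if (!invitedUser.getPrimaryEmail().equalsIgnoreCase(ldapUser.getEmailAddress())) {
                    model.addAttribute("email", data.get(DATA_EMAIL));
                    model.addAttribute("provider", "ldap");
                    model.addAttribute("code", renewCode(retrieveCode));
                    return handleUnprocessableEntity(model, httpServletResponse, ERROR_MESSAGE, "invite.email_mismatch", ACCEPT_INVITE_VIEW);
                }
                if (!authentication.isAuthenticated()) {
                    return handleUnprocessableEntity(model, httpServletResponse, ERROR_MESSAGE, "not authenticated", ACCEPT_INVITE_VIEW);
                }
                invitedUser.setUserName(ldapUser.getUsername());
                this.userProvisioning.update(invitedUser.getId(), invitedUser, IdentityZoneHolder.get().getId());
                // Second authentication goes through the zone-aware manager (the first used the raw LDAP
                // manager only to obtain the LDAP principal).
                this.zoneAwareAuthenticationManager.getLdapAuthenticationManager(IdentityZoneHolder.get(), ldapProvider).authenticate(credentials);
                return "redirect:/login?success=invite_accepted&form_redirect_uri=" + URLEncoder.encode(this.invitationsService.acceptInvitation(code, "").getRedirectUri(), URL_ENCODING);
            } catch (AuthenticationException e) {
                // NOTE(review): this surfaces the raw LDAP exception text to the browser; a fixed message
                // code would avoid disclosing directory details.
                return handleUnprocessableEntity(model, httpServletResponse, ERROR_MESSAGE, e.getMessage(), ACCEPT_INVITE_VIEW);
            } catch (Exception e2) {
                // Boundary handler: any other failure during LDAP authentication is reported as bad credentials.
                logger.error("Unable to authenticate against LDAP", e2);
                model.addAttribute("ldap", true);
                model.addAttribute("email", str3);
                return handleUnprocessableEntity(model, httpServletResponse, ERROR_MESSAGE, "bad_credentials", ACCEPT_INVITE_VIEW);
            }
        } catch (EmptyResultDataAccessException e3) {
            // No "ldap" provider configured in this zone.
            return handleUnprocessableEntity(model, httpServletResponse, ERROR_MESSAGE_CODE, NO_SUITABLE_IDP, ACCEPT_INVITE_VIEW);
        } catch (Exception e4) {
            logger.error("Unable to retrieve LDAP config.", e4);
            return handleUnprocessableEntity(model, httpServletResponse, ERROR_MESSAGE_CODE, NO_SUITABLE_IDP, ACCEPT_INVITE_VIEW);
        }
    }

    /**
     * Puts {@code str2} on the model under {@code str}, sets the response status to 422 and returns
     * {@code str3} as the view to render.
     */
    private String handleUnprocessableEntity(Model model, HttpServletResponse httpServletResponse, String str, String str2, String str3) {
        model.addAttribute(str, str2);
        httpServletResponse.setStatus(HttpStatus.UNPROCESSABLE_ENTITY.value());
        return str3;
    }

    public void setUserProvisioning(ScimUserProvisioning scimUserProvisioning) {
        this.userProvisioning = scimUserProvisioning;
    }
}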
