package org.cloudfoundry.identity.uaa.authentication.manager;

import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.cloudfoundry.identity.uaa.authentication.ProviderConfigurationException;
import org.cloudfoundry.identity.uaa.authentication.UaaAuthenticationDetails;
import org.cloudfoundry.identity.uaa.authentication.UaaLoginHint;
import org.cloudfoundry.identity.uaa.constants.OriginKeys;
import org.cloudfoundry.identity.uaa.impl.config.RestTemplateConfig;
import org.cloudfoundry.identity.uaa.login.LoginInfoEndpoint;
import org.cloudfoundry.identity.uaa.login.Prompt;
import org.cloudfoundry.identity.uaa.oauth.DisableIdTokenResponseTypeFilter;
import org.cloudfoundry.identity.uaa.oauth.client.ClientConstants;
import org.cloudfoundry.identity.uaa.provider.IdentityProvider;
import org.cloudfoundry.identity.uaa.provider.IdentityProviderProvisioning;
import org.cloudfoundry.identity.uaa.provider.OIDCIdentityProviderDefinition;
import org.cloudfoundry.identity.uaa.provider.oauth.XOAuthAuthenticationManager;
import org.cloudfoundry.identity.uaa.provider.oauth.XOAuthCodeToken;
import org.cloudfoundry.identity.uaa.provider.oauth.XOAuthProviderConfigurator;
import org.cloudfoundry.identity.uaa.zone.ClientServicesExtension;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.springframework.core.ParameterizedTypeReference;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.common.util.OAuth2Utils;
import org.springframework.util.Base64Utils;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.StringUtils;
import org.springframework.web.client.HttpClientErrorException;
import org.springframework.web.client.RestTemplate;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-4.24.0.jar:org/cloudfoundry/identity/uaa/authentication/manager/PasswordGrantAuthenticationManager.class */
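/**
 * Authentication manager for the OAuth2 resource-owner-password-credentials ("password") grant.
 *
 * <p>Flow, as implemented here:
 * <ol>
 *   <li>Determine which active identity providers of the current zone support the password grant
 *       ({@link #providerSupportsPasswordGrant}) and intersect them with the providers the calling
 *       client is allowed to use ({@link #getAllowedProviders}).</li>
 *   <li>Pick the provider: an explicit {@code login_hint} wins, otherwise the zone's default provider
 *       if it is a candidate, otherwise a best-effort choice ({@link #getUaaLoginHintForChainedAuth}).</li>
 *   <li>For the internal UAA / LDAP stores, delegate to the zone-aware manager. For an external OIDC
 *       provider, forward the user's credentials to that provider's token endpoint and authenticate
 *       the returned {@code id_token} through the XOAuth manager ({@link #oidcPasswordGrant}).</li>
 * </ol>
 *
 * <p>Note that step 3 for OIDC providers sends the end user's password to a third party; whether a
 * provider is eligible for that is controlled by its {@code passwordGrantEnabled} configuration and
 * by the client's allowed-provider list.
 *
 * <p>The decompiled original contained a decompiler artifact ({@code r1.contains(v1)}), raw types and a
 * platform-charset {@code getBytes()} call when building the Basic credentials; those are fixed here.
 * Error messages and exception types are unchanged.
 */
public class PasswordGrantAuthenticationManager implements AuthenticationManager {
    /** Origin key of the built-in LDAP provider (the original used the bare literal). */
    private static final String LDAP_ORIGIN = "ldap";

    private final DynamicZoneAwareAuthenticationManager zoneAwareAuthzAuthenticationManager;
    private final IdentityProviderProvisioning identityProviderProvisioning;
    private final RestTemplateConfig restTemplateConfig;
    private final XOAuthAuthenticationManager xoAuthAuthenticationManager;
    private final ClientServicesExtension clientDetailsService;
    private final XOAuthProviderConfigurator xoauthProviderProvisioning;

    /**
     * Creates the manager with all collaborators it needs.
     *
     * @param dynamicZoneAwareAuthenticationManager manager for the internal UAA/LDAP stores; also extracts and stores login hints
     * @param identityProviderProvisioning          lookup of active identity providers per zone
     * @param restTemplateConfig                    supplies trusting / non-trusting {@link RestTemplate}s for outbound calls
     * @param xOAuthAuthenticationManager           authenticates an externally issued {@code id_token}
     * @param clientServicesExtension               client registry, used to read the client's allowed providers
     * @param xOAuthProviderConfigurator            lookup of an OIDC provider definition by origin
     */
    public PasswordGrantAuthenticationManager(DynamicZoneAwareAuthenticationManager dynamicZoneAwareAuthenticationManager, IdentityProviderProvisioning identityProviderProvisioning, RestTemplateConfig restTemplateConfig, XOAuthAuthenticationManager xOAuthAuthenticationManager, ClientServicesExtension clientServicesExtension, XOAuthProviderConfigurator xOAuthProviderConfigurator) {
        this.zoneAwareAuthzAuthenticationManager = dynamicZoneAwareAuthenticationManager;
        this.identityProviderProvisioning = identityProviderProvisioning;
        this.restTemplateConfig = restTemplateConfig;
        this.xoAuthAuthenticationManager = xOAuthAuthenticationManager;
        this.clientDetailsService = clientServicesExtension;
        this.xoauthProviderProvisioning = xOAuthProviderConfigurator;
    }

    /**
     * Authenticates a password-grant request against the provider selected for it.
     *
     * @param authentication the user-supplied credentials; principal and credentials are expected to be strings
     * @return the resulting authentication from either the zone-aware manager or the XOAuth manager
     * @throws ProviderConfigurationException if the requested {@code login_hint} is not an eligible provider
     * @throws BadCredentialsException        if no provider can be chosen, no client is authenticated, or the
     *                                        external provider rejects the credentials
     * @throws AuthenticationException        anything the delegated managers throw
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String zoneId = IdentityZoneHolder.get().getId();
        UaaLoginHint requestedHint = this.zoneAwareAuthzAuthenticationManager.extractLoginHint(authentication);
        List<String> allowedProviders = getAllowedProviders();
        String defaultIdentityProvider = IdentityZoneHolder.get().getConfig().getDefaultIdentityProvider();
        List<String> candidateOrigins = resolveCandidateOrigins(allowedProviders, zoneId);

        UaaLoginHint effectiveHint;
        if (requestedHint == null) {
            boolean defaultIsCandidate = defaultIdentityProvider != null && candidateOrigins.contains(defaultIdentityProvider);
            effectiveHint = defaultIsCandidate
                    ? new UaaLoginHint(defaultIdentityProvider)
                    : getUaaLoginHintForChainedAuth(candidateOrigins);
        } else {
            String requestedOrigin = requestedHint.getOrigin();
            if (!candidateOrigins.contains(requestedOrigin)) {
                // Distinguish "this provider does not exist / does not do password grant" from
                // "this client is not permitted to use it"; the former is reported only when the
                // client is otherwise allowed to name it, so an unauthorized client learns nothing extra.
                if (allowedProviders == null || allowedProviders.contains(requestedOrigin)) {
                    throw new ProviderConfigurationException("The origin provided in the login_hint does not match an active Identity Provider, that supports password grant.");
                }
                throw new ProviderConfigurationException("Client is not authorized for specified user's identity provider.");
            }
            effectiveHint = requestedHint;
        }

        if (effectiveHint != null) {
            this.zoneAwareAuthzAuthenticationManager.setLoginHint(authentication, effectiveHint);
        }
        // No hint, or one of the internal stores: the zone-aware manager handles it.
        if (effectiveHint == null || effectiveHint.getOrigin() == null || isInternalOrigin(effectiveHint.getOrigin())) {
            return this.zoneAwareAuthzAuthenticationManager.authenticate(authentication);
        }
        // Anything else that passed the candidate filter is an OIDC provider with password grant enabled,
        // so the cast to OIDCIdentityProviderDefinition is safe by construction of the candidate list.
        return oidcPasswordGrant(authentication,
                (OIDCIdentityProviderDefinition) this.xoauthProviderProvisioning
                        .retrieveByOrigin(effectiveHint.getOrigin(), zoneId)
                        .getConfig());
    }

    /** True for the built-in UAA and LDAP origins. */
    private static boolean isInternalOrigin(String origin) {
        return OriginKeys.UAA.equals(origin) || LDAP_ORIGIN.equals(origin);
    }

    /**
     * Computes the origins a password grant may be routed to: active providers that support the grant,
     * restricted to the client's allowed providers when the client declares any.
     *
     * @param allowedProviders the client's allowed-provider list, or {@code null} for "no restriction"
     * @param zoneId           the current zone
     * @return origin keys in provider order when unrestricted, otherwise in allowed-provider order
     */
    private List<String> resolveCandidateOrigins(List<String> allowedProviders, String zoneId) {
        List<String> passwordGrantOrigins = this.identityProviderProvisioning.retrieveActive(zoneId).stream()
                .filter(this::providerSupportsPasswordGrant)
                .map(IdentityProvider::getOriginKey)
                .collect(Collectors.toList());
        if (allowedProviders == null) {
            return passwordGrantOrigins;
        }
        return allowedProviders.stream()
                .filter(passwordGrantOrigins::contains)
                .collect(Collectors.toList());
    }

    /**
     * Chooses a provider when the request carries no {@code login_hint} and the zone default does not apply.
     *
     * <p>Rules, in order: a single candidate is used; if UAA is a candidate it is used unless LDAP is also
     * present (then {@code null} is returned and no hint is set, leaving the decision to the zone-aware
     * manager); otherwise LDAP is used if present; otherwise the request fails.
     *
     * @param candidateOrigins eligible origin keys (see {@link #resolveCandidateOrigins})
     * @return the hint to use, or {@code null} when both internal stores are candidates
     * @throws BadCredentialsException when there are no candidates, or several external ones and no way to pick
     */
    private UaaLoginHint getUaaLoginHintForChainedAuth(List<String> candidateOrigins) {
        if (candidateOrigins.size() == 1) {
            return new UaaLoginHint(candidateOrigins.get(0));
        }
        boolean hasLdap = candidateOrigins.contains(LDAP_ORIGIN);
        if (candidateOrigins.contains(OriginKeys.UAA)) {
            return hasLdap ? null : new UaaLoginHint(OriginKeys.UAA);
        }
        if (hasLdap) {
            return new UaaLoginHint(LDAP_ORIGIN);
        }
        if (candidateOrigins.isEmpty()) {
            throw new BadCredentialsException("The client is not authorized for any identity provider that supports password grant.");
        }
        throw new BadCredentialsException("The client is authorized for multiple identity providers that support password grant and could not determine which identity provider to use.");
    }

    /**
     * Performs the password grant against an external OIDC provider and authenticates the returned id_token.
     *
     * <p>The user's username and password are POSTed to the provider's token endpoint, authenticated with the
     * provider's relying-party credentials via HTTP Basic. Extra prompt parameters configured on the provider
     * are forwarded from the incoming request when present (single, non-blank value).
     *
     * @param authentication     the incoming credentials; principal and credentials must be strings
     * @param providerDefinition the OIDC provider configuration
     * @return the authentication produced by the XOAuth manager for the provider's id_token
     * @throws ProviderConfigurationException if relyingPartyId or relyingPartySecret is not configured
     * @throws BadCredentialsException        if username/password are missing, the provider returns a 4xx,
     *                                        or the response carries no id_token
     */
    private Authentication oidcPasswordGrant(Authentication authentication, OIDCIdentityProviderDefinition providerDefinition) {
        URL tokenUrl = providerDefinition.getTokenUrl();
        String relyingPartyId = providerDefinition.getRelyingPartyId();
        String relyingPartySecret = providerDefinition.getRelyingPartySecret();
        if (relyingPartyId == null || relyingPartySecret == null) {
            throw new ProviderConfigurationException("External OpenID Connect provider configuration is missing relyingPartyId or relyingPartySecret.");
        }
        String username = authentication.getPrincipal() instanceof String ? (String) authentication.getPrincipal() : null;
        String password = authentication.getCredentials() instanceof String ? (String) authentication.getCredentials() : null;
        if (username == null || password == null) {
            throw new BadCredentialsException("Request is missing username or password.");
        }

        // skipSslValidation is a per-provider configuration switch; when set, the outbound call to the
        // token endpoint is made without certificate validation.
        RestTemplate restTemplate = providerDefinition.isSkipSslValidation()
                ? this.restTemplateConfig.trustingRestTemplate()
                : this.restTemplateConfig.nonTrustingRestTemplate();

        HttpHeaders headers = new HttpHeaders();
        headers.setAccept(Arrays.asList(MediaType.APPLICATION_JSON));
        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        headers.add("Authorization", basicAuthorization(relyingPartyId, relyingPartySecret));

        LinkedMultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("grant_type", "password");
        form.add(OAuth2Utils.RESPONSE_TYPE, DisableIdTokenResponseTypeFilter.ID_TOKEN);
        form.add("username", username);
        form.add("password", password);
        addForwardedPromptParameters(form, providerDefinition.getPrompts(), authentication.getDetails());

        try {
            ResponseEntity<Map<String, String>> response = restTemplate.exchange(
                    tokenUrl.toString(),
                    HttpMethod.POST,
                    new HttpEntity<>(form, headers),
                    new ParameterizedTypeReference<Map<String, String>>() {
                    });
            String idToken = response.hasBody() ? response.getBody().get(DisableIdTokenResponseTypeFilter.ID_TOKEN) : null;
            if (idToken == null) {
                throw new BadCredentialsException("Could not obtain id_token from external OpenID Connect provider.");
            }
            return this.xoAuthAuthenticationManager.authenticate(new XOAuthCodeToken(null, null, null, idToken, null, null));
        } catch (HttpClientErrorException e) {
            // NOTE(review): the provider's raw 4xx response body becomes the exception message. Any layer that
            // surfaces exception messages to the caller will relay provider error details verbatim; kept as-is
            // for compatibility with the original message contract.
            throw new BadCredentialsException(e.getResponseBodyAsString(), e);
        }
    }

    /**
     * Builds the HTTP Basic {@code Authorization} header value for the relying-party credentials.
     *
     * <p>Encodes as UTF-8 explicitly; the original used the platform default charset, which makes the
     * transmitted secret depend on the JVM's locale for non-ASCII secrets.
     * NOTE(review): RFC 6749 §2.3.1 expects the id and secret to be form-url-encoded before Base64; the raw
     * {@code id:secret} form is kept here for compatibility with existing provider configurations.
     */
    private static String basicAuthorization(String relyingPartyId, String relyingPartySecret) {
        String credentials = relyingPartyId + ":" + relyingPartySecret;
        return "Basic " + Base64Utils.encodeToString(credentials.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Forwards provider-configured prompt parameters from the incoming request to the token request.
     *
     * <p>The {@code username}, {@code password} and passcode prompts are never forwarded from the request map
     * (username/password are already set from the authentication). A parameter is forwarded only when the
     * request supplied exactly one non-blank value for it, and only when the request details are
     * {@link UaaAuthenticationDetails}.
     *
     * @param form    the token request body to add to
     * @param prompts the provider's prompts, may be {@code null}
     * @param details the authentication details object, may be of any type
     */
    private static void addForwardedPromptParameters(LinkedMultiValueMap<String, String> form, List<Prompt> prompts, Object details) {
        if (prompts == null || !(details instanceof UaaAuthenticationDetails)) {
            return;
        }
        UaaAuthenticationDetails uaaDetails = (UaaAuthenticationDetails) details;
        for (Prompt prompt : prompts) {
            String name = prompt.getName();
            if ("username".equals(name) || "password".equals(name) || LoginInfoEndpoint.PASSCODE.equals(name)) {
                continue;
            }
            String[] values = uaaDetails.getParameterMap().get(name);
            if (values != null && values.length == 1 && StringUtils.hasText(values[0])) {
                form.add(name, values[0]);
            }
        }
    }

    /**
     * Whether a provider may serve a password grant: the internal UAA and LDAP stores always can; an OIDC
     * provider only when its definition has password grant enabled; any other type cannot.
     */
    private boolean providerSupportsPasswordGrant(IdentityProvider identityProvider) {
        String type = identityProvider.getType();
        if (OriginKeys.UAA.equals(type) || LDAP_ORIGIN.equals(type)) {
            return true;
        }
        Object config = identityProvider.getConfig();
        if (OriginKeys.OIDC10.equals(type) && config instanceof OIDCIdentityProviderDefinition) {
            return ((OIDCIdentityProviderDefinition) config).isPasswordGrantEnabled();
        }
        return false;
    }

    /**
     * Reads the calling client's allowed-provider list from its registration.
     *
     * <p>The client is the authentication currently in the security context; the grant must therefore run
     * after client authentication.
     *
     * @return the allowed origin keys, or {@code null} when the client declares none (no restriction)
     * @throws BadCredentialsException if no client authentication is present
     */
    private List<String> getAllowedProviders() {
        Authentication clientAuthentication = SecurityContextHolder.getContext().getAuthentication();
        if (clientAuthentication == null) {
            throw new BadCredentialsException("No client authentication found.");
        }
        Object allowed = this.clientDetailsService
                .loadClientByClientId(clientAuthentication.getName(), IdentityZoneHolder.get().getId())
                .getAdditionalInformation()
                .get(ClientConstants.ALLOWED_PROVIDERS);
        // The value is stored untyped in the client's additional information; the original applied the same cast.
        @SuppressWarnings("unchecked")
        List<String> allowedProviders = (List<String>) allowed;
        return allowedProviders;
    }
}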
