package org.zowe.apiml.zaas.security.service.schema.source;

import jakarta.servlet.http.HttpServletRequest;
import java.util.Optional;
import java.util.function.Function;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.cache.annotation.Cacheable;
import org.springframework.stereotype.Service;
import org.zowe.apiml.message.core.MessageType;
import org.zowe.apiml.message.log.ApimlLogger;
import org.zowe.apiml.product.logging.annotations.InjectApimlLogger;
import org.zowe.apiml.security.common.token.NoMainframeIdentityException;
import org.zowe.apiml.security.common.token.OIDCProvider;
import org.zowe.apiml.security.common.token.QueryResponse;
import org.zowe.apiml.security.common.token.TokenNotValidException;
import org.zowe.apiml.zaas.security.mapping.AuthenticationMapper;
import org.zowe.apiml.zaas.security.service.AuthenticationService;
import org.zowe.apiml.zaas.security.service.TokenCreationService;
import org.zowe.apiml.zaas.security.service.schema.source.AuthSource;

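/**
 * Authentication source service for OIDC access tokens.
 *
 * <p>Registered only when {@code apiml.security.oidc.enabled=true}. The service extracts an OIDC
 * token from the request, validates it against the configured {@code OIDCProvider}, maps the
 * distributed identity to a mainframe user id through the {@code oidcMapper} and finally issues
 * a Zowe JWT (or LTPA token) for that mainframe user.
 *
 * <p>NOTE(review): the {@code @Cacheable} SpEL keys below ({@code #oidcToken},
 * {@code #parsedOIDCToken}) do not match the parameter name seen here ({@code authSource}). If
 * the compiled parameter name really is {@code authSource}, the key evaluates to {@code null},
 * the {@code != null} condition is false and nothing is ever cached. If the key does resolve, a
 * cached validation result keeps a token accepted until the cache entry is evicted, even if the
 * provider has revoked it in the meantime - confirm the cache TTL against the token lifetime.
 */
@ConditionalOnProperty(value = {"apiml.security.oidc.enabled"}, havingValue = "true")
@Service
/* loaded from: input_file:org/zowe/apiml/zaas/security/service/schema/source/OIDCAuthSourceService.class */
public class OIDCAuthSourceService extends TokenAuthSourceService {

    @InjectApimlLogger
    protected final ApimlLogger logger = ApimlLogger.empty();

    /** Maps the distributed (OIDC) identity to a mainframe user id. */
    @Qualifier("oidcMapper")
    private final AuthenticationMapper mapper;
    private final AuthenticationService authenticationService;
    private final OIDCProvider oidcProvider;
    private final TokenCreationService tokenService;

    /** {@inheritDoc} */
    @Override // org.zowe.apiml.zaas.security.service.schema.source.TokenAuthSourceService
    protected ApimlLogger getLogger() {
        return this.logger;
    }

    /**
     * Wraps a raw token string into an {@link OIDCAuthSource}.
     *
     * @return factory turning the raw OIDC token into an {@code AuthSource}
     */
    @Override // org.zowe.apiml.zaas.security.service.schema.source.TokenAuthSourceService
    public Function<String, AuthSource> getMapper() {
        return OIDCAuthSource::new;
    }

    /**
     * Extracts the OIDC token from the request.
     *
     * <p>A JWT found in the request is only returned when {@code AuthenticationService}
     * classifies its origin as {@code OIDC}; tokens of any other origin are ignored here.
     *
     * @param httpServletRequest incoming request
     * @return the OIDC token, or empty when the request carries none
     */
    @Override // org.zowe.apiml.zaas.security.service.schema.source.TokenAuthSourceService
    public Optional<String> getToken(HttpServletRequest httpServletRequest) {
        return this.authenticationService.getJwtTokenFromRequest(httpServletRequest)
            .filter(token -> AuthSource.Origin.OIDC == this.authenticationService.getTokenOrigin(token));
    }

    /**
     * Validates the OIDC token carried by the auth source.
     *
     * <p>On success the distributed id (the user id parsed from the token) is stored on the
     * auth source as a side effect. NOTE(review): if the {@code @Cacheable} key ever resolves,
     * a cache hit returns the cached boolean without running this body, so the distributed id
     * would not be set on a fresh auth source instance - verify before relying on the cache.
     *
     * @param authSource auth source to validate; anything other than an {@link OIDCAuthSource}
     *                   or a blank token is reported as invalid
     * @return {@code true} only when the provider accepts the token
     */
    @Override // org.zowe.apiml.zaas.security.service.schema.source.AuthSourceService
    @Cacheable(value = {"validationOIDCToken"}, key = "#oidcToken", condition = "#oidcToken != null")
    public boolean isValid(AuthSource authSource) {
        // The type message belongs to the non-OIDC path; previously it was logged for OIDC
        // sources whose token failed validation, which misled anyone reading the debug log.
        if (!(authSource instanceof OIDCAuthSource oidcSource)) {
            this.logger.log(MessageType.DEBUG, "Invalid auth source type provided.");
            this.logger.log(MessageType.DEBUG, "Authentication source is invalid.");
            return false;
        }
        String rawToken = oidcSource.getRawSource();
        if (StringUtils.isNotBlank(rawToken)) {
            this.logger.log(MessageType.DEBUG, "Validating OIDC token.");
            if (this.oidcProvider.isValid(rawToken)) {
                this.logger.log(MessageType.DEBUG, "OIDC token is valid, set the distributed id to the auth source.");
                oidcSource.setDistributedId(this.authenticationService.parseJwtToken(rawToken).getUserId());
                return true;
            }
            this.logger.log(MessageType.DEBUG, "OIDC token is not valid or the validation failed.");
        }
        this.logger.log(MessageType.DEBUG, "Authentication source is invalid.");
        return false;
    }

    /**
     * Validates the token and resolves it to a mainframe identity.
     *
     * @param authSource auth source to parse
     * @return the parsed source with the mapped mainframe user id, or {@code null} when
     *         {@code authSource} is not an {@link OIDCAuthSource}
     * @throws TokenNotValidException    when the OIDC token fails validation
     * @throws NoMainframeIdentityException when no mainframe user id is mapped for the identity
     */
    @Override // org.zowe.apiml.zaas.security.service.schema.source.AuthSourceService
    @Cacheable(value = {"parseOIDCToken"}, key = "#parsedOIDCToken", condition = "#parsedOIDCToken != null")
    public AuthSource.Parsed parse(AuthSource authSource) {
        if (!(authSource instanceof OIDCAuthSource oidcSource)) {
            return null;
        }
        // Self-invocation bypasses the Spring caching proxy, so validation always runs here.
        if (!isValid(authSource)) {
            throw new TokenNotValidException("OIDC token is not valid.");
        }
        return parseOIDCToken(oidcSource, this.mapper);
    }

    /**
     * Maps the OIDC identity to a mainframe user id and builds the parsed auth source.
     *
     * @param oidcAuthSource       validated OIDC auth source
     * @param authenticationMapper mapper used to look up the mainframe user id
     * @return parsed source carrying the mainframe user id and the token's validity window
     * @throws NoMainframeIdentityException when the mapper yields no mainframe user id
     */
    private AuthSource.Parsed parseOIDCToken(OIDCAuthSource oidcAuthSource, AuthenticationMapper authenticationMapper) {
        String rawToken = oidcAuthSource.getRawSource();
        this.logger.log(MessageType.DEBUG, "Calling identity mapper to retrieve mainframe user id.");
        String mainframeUserId = authenticationMapper.mapToMainframeUserId(oidcAuthSource);
        if (StringUtils.isEmpty(mainframeUserId)) {
            this.logger.log(MessageType.DEBUG, "No mainframe user id retrieved. Cancel parsing of OIDC token.");
            throw new NoMainframeIdentityException("No mainframe identity found.", rawToken, true);
        }
        this.logger.log(MessageType.DEBUG, "Parsing OIDC token.");
        QueryResponse tokenDetails = this.authenticationService.parseJwtToken(rawToken);
        return new ParsedTokenAuthSource(
            mainframeUserId,
            tokenDetails.getCreation(),
            tokenDetails.getExpiration(),
            AuthSource.Origin.valueByTokenSource(tokenDetails.getSource()));
    }

    /**
     * Issues an LTPA token for the mainframe user resolved from the auth source.
     *
     * <p>The Zowe JWT produced by {@link #getJWT(AuthSource)} is exchanged for an LTPA token only
     * when its origin is {@code ZOWE}; otherwise the JWT itself is returned.
     *
     * @param authSource auth source to resolve
     * @return LTPA token, or the JWT when no exchange applies
     */
    @Override // org.zowe.apiml.zaas.security.service.schema.source.AuthSourceService
    public String getLtpaToken(AuthSource authSource) {
        String jwt = getJWT(authSource);
        if (AuthSource.Origin.ZOWE.equals(this.authenticationService.getTokenOrigin(jwt))) {
            return this.authenticationService.getLtpaToken(jwt);
        }
        return jwt;
    }

    /**
     * Issues a Zowe JWT for the mainframe user resolved from the auth source.
     *
     * @param authSource auth source to resolve
     * @return Zowe JWT for the mapped mainframe user id
     * @throws TokenNotValidException when the source is not an OIDC token or fails validation
     */
    @Override // org.zowe.apiml.zaas.security.service.schema.source.AuthSourceService
    public String getJWT(AuthSource authSource) {
        AuthSource.Parsed parsed = parse(authSource);
        // parse() returns null for non-OIDC sources; fail with a token error instead of an NPE.
        if (parsed == null) {
            throw new TokenNotValidException("Auth source is not an OIDC token.");
        }
        return this.tokenService.createJwtTokenWithoutCredentials(parsed.getUserId());
    }

    @Generated
    public OIDCAuthSourceService(@Qualifier("oidcMapper") AuthenticationMapper authenticationMapper, AuthenticationService authenticationService, OIDCProvider oIDCProvider, TokenCreationService tokenCreationService) {
        this.mapper = authenticationMapper;
        this.authenticationService = authenticationService;
        this.oidcProvider = oIDCProvider;
        this.tokenService = tokenCreationService;
    }
}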
