package ru.greatbit.whoru.auth.providers;

import com.auth0.jwt.JWT;
import com.auth0.jwt.interfaces.Claim;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.io.IOException;
import java.util.Collections;
import java.util.Objects;
import java.util.Set;
import javax.annotation.PostConstruct;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import okhttp3.Interceptor;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Service;
import org.springframework.util.StringUtils;
import ru.greatbit.whoru.auth.Person;
import ru.greatbit.whoru.auth.RedirectResponse;
import ru.greatbit.whoru.auth.Session;
import ru.greatbit.whoru.auth.error.UnauthorizedException;
import ru.greatbit.whoru.auth.utils.HttpUtils;
import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.cognitoidentityprovider.CognitoIdentityProviderClient;
import software.amazon.awssdk.services.cognitoidentityprovider.model.GetUserRequest;

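@Service
/**
 * Auth provider that signs users in through an AWS Cognito hosted login (OAuth 2.0
 * authorization-code flow) and keeps the result in a whoru session cookie.
 *
 * <p>Token-based and one-time-token authentication are not supported by this provider, and the
 * user/group suggestion hooks return empty sets.
 */
public class CognitoAuthProvider extends BaseAuthProvider {

    /** Name of the cookie that carries the whoru session id. */
    private static final String SESSION_COOKIE = "whoruSessionId";

    /** Header consulted for the client address in log lines only; it is client-supplied. */
    private static final String REAL_IP_HEADER = "X-Real-IP";

    /** Timeout, in milliseconds, for calls to the Cognito OAuth token endpoint. */
    private static final long OAUTH_API_TIMEOUT = 30000L;

    /** OAuth 2.0 grant used to exchange the callback {@code code} for tokens. */
    private static final String GRANT_TYPE = "authorization_code";

    @Value("${cognito.login.url}")
    private String cognitoLoginUrl;

    @Value("${aws.cognito.access.key}")
    private String awsCognitoAccessKey;

    @Value("${aws.cognito.secret.key}")
    private String awsCognitoSecretKey;

    @Value("${aws.cognito.region}")
    private String awsCognitoRegion;

    @Value("${aws.cognito.oauth.endpoint}")
    private String cognitoOauthEndpoint;

    @Value("${aws.cognito.client.id}")
    private String cognitoClientId;

    @Value("${aws.cognito.redirect.url}")
    private String cognitoRedirectUrl;

    /** Service client used to validate access tokens with {@code GetUser}; built in {@link #postConstruct()}. */
    private CognitoIdentityProviderClient cognitoIdentityProviderClient;

    /**
     * Builds the Cognito service client from the configured region and static access/secret key
     * pair. Runs once after property injection.
     */
    @PostConstruct
    private void postConstruct() {
        AwsBasicCredentials credentials =
                AwsBasicCredentials.create(this.awsCognitoAccessKey, this.awsCognitoSecretKey);
        this.cognitoIdentityProviderClient = CognitoIdentityProviderClient.builder()
                .region(Region.of(this.awsCognitoRegion))
                .credentialsProvider(StaticCredentialsProvider.create(credentials))
                .build();
    }

    /**
     * Authenticates the request, either by reusing the session referenced by the whoru session
     * cookie or by completing the Cognito authorization-code flow.
     *
     * @param httpServletRequest the incoming request
     * @param httpServletResponse the response; receives the session cookie and any redirect
     * @return the reused or newly created session, or {@code null} when the caller was redirected
     *     to the Cognito login page instead
     * @throws UnauthorizedException when no session can be established; any other failure is
     *     logged and wrapped in an {@link UnauthorizedException}
     */
    public Session authImpl(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (HttpUtils.isTokenAccessRequest(httpServletRequest)) {
            return authByToken(httpServletRequest, httpServletResponse);
        }
        try {
            String clientAddress = HttpUtils.getRemoteAddr(httpServletRequest, REAL_IP_HEADER);
            Cookie sessionCookie = HttpUtils.findCookie(httpServletRequest, SESSION_COOKIE);
            Session existing = sessionCookie == null ? null : lookupSession(sessionCookie.getValue());
            // A cookie session is reused only when the request's "login" parameter equals the
            // session's login; a missing parameter therefore forces a fresh code exchange.
            // NOTE(review): confirm callers send "login", otherwise every request re-authenticates.
            String requestedLogin = httpServletRequest.getParameter("login");
            if (existing == null || !existing.getPerson().getLogin().equals(requestedLogin)) {
                this.logger.info("No session found. Auth by login/password ip={}", clientAddress);
                return authWithJwtToken(httpServletRequest, httpServletResponse);
            }
            this.logger.info("Updating session for user with ip={}", clientAddress);
            // Re-issue the cookie to refresh its TTL; the value is the existing session id.
            httpServletResponse.addCookie(HttpUtils.createCookie(
                    SESSION_COOKIE, sessionCookie.getValue(), this.authDomain, this.sessionTtl));
            sendRedirect(httpServletRequest, httpServletResponse);
            return existing;
        } catch (UnauthorizedException e) {
            throw e;
        } catch (Exception e2) {
            this.logger.error("Can't authenticate user", e2);
            throw new UnauthorizedException(e2);
        }
    }

    /** Returns the stored session for {@code sessionId}, or {@code null} when none exists. */
    private Session lookupSession(String sessionId) {
        if (!this.sessionProvider.sessionExists(sessionId)) {
            return null;
        }
        return this.sessionProvider.getSessionById(sessionId);
    }

    /**
     * Token access is not supported by this provider.
     *
     * @throws UnauthorizedException always
     */
    private Session authByToken(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        throw new UnauthorizedException("Authorisation by token is not supported by cognito auth provider");
    }

    /**
     * Completes the authorization-code flow: exchanges the callback {@code code} parameter for
     * tokens at the configured token endpoint, checks the access token against Cognito with
     * {@code GetUser}, and creates a whoru session from the ID token's claims.
     *
     * <p>The ID token's signature is not verified here. The token is obtained directly from the
     * configured token endpoint rather than from the client, and the paired access token is
     * checked with {@code GetUser}. NOTE(review): consider verifying the ID token against the user
     * pool's JWKS before trusting its claims.
     *
     * @param httpServletRequest the callback request carrying the {@code code} parameter
     * @param httpServletResponse the response; receives the session cookie or a login redirect
     * @return the new session, or {@code null} when the caller was redirected to the login page
     * @throws IOException if the token endpoint cannot be reached
     * @throws UnauthorizedException if no token response is returned or required claims are missing
     */
    public Session authWithJwtToken(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        CognitoTokensResponse tokens = (CognitoTokensResponse) getOauthClient()
                .getOauthTokens(GRANT_TYPE, this.cognitoClientId, httpServletRequest.getParameter("code"), this.cognitoRedirectUrl)
                .execute()
                .body();
        if (tokens == null) {
            throw new UnauthorizedException("Unable to retrieve tokens by authorization code");
        }
        String idToken = tokens.getId_token();
        String accessToken = tokens.getAccess_token();
        if (!StringUtils.hasLength(idToken) || !StringUtils.hasLength(accessToken)) {
            // Stop here: without this return an empty token would reach GetUser and JWT.decode.
            return redirectToLogin(httpServletRequest, httpServletResponse);
        }
        // GetUser validates the access token with Cognito. The v2 SDK reports a rejected token by
        // throwing (which authImpl wraps in UnauthorizedException); the null check is a last guard.
        GetUserRequest getUserRequest = GetUserRequest.builder().accessToken(accessToken).build();
        if (this.cognitoIdentityProviderClient.getUser(getUserRequest) == null) {
            return redirectToLogin(httpServletRequest, httpServletResponse);
        }
        Session session = sessionFromIdToken(JWT.decode(idToken));
        this.sessionProvider.addSession(session);
        httpServletResponse.addCookie(HttpUtils.createCookie(
                SESSION_COOKIE, session.getId(), this.authDomain, this.sessionTtl));
        return session;
    }

    /**
     * Sends the caller to the Cognito login page.
     *
     * @return always {@code null}; a failed redirect is logged rather than propagated
     */
    private Session redirectToLogin(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        try {
            httpServletResponse.sendRedirect(getLoginUrl(httpServletRequest));
        } catch (IOException e) {
            this.logger.warn("Unable to send redirect to Cognito login page", e);
        }
        return null;
    }

    /**
     * Builds a session from the ID token's claims. {@code jti}, {@code email} and {@code exp} are
     * required; {@code given_name} and {@code family_name} are optional.
     *
     * <p>{@link DecodedJWT#getClaim} is null-safe, unlike {@code getClaims().get(...)}, so a
     * missing claim yields {@code null} here instead of a NullPointerException.
     *
     * @throws UnauthorizedException if any required claim is absent
     */
    private Session sessionFromIdToken(DecodedJWT idToken) {
        String sessionId = idToken.getClaim("jti").asString();
        String email = idToken.getClaim("email").asString();
        Long expiresAt = idToken.getClaim("exp").asLong();
        if (sessionId == null || email == null || expiresAt == null) {
            throw new UnauthorizedException("ID token is missing jti, email or exp claim");
        }
        Person person = new Person()
                .withLogin(email)
                .withFirstName(idToken.getClaim("given_name").asString())
                .withLastName(idToken.getClaim("family_name").asString());
        return new Session()
                .withId(sessionId)
                .withName(getName(idToken))
                .withLogin(email)
                .withTimeout(expiresAt.longValue())
                .withPerson(person);
    }

    /** Joins the optional given/family name claims, treating a missing claim as empty. */
    private String getName(DecodedJWT decodedJWT) {
        String givenName = Objects.toString(decodedJWT.getClaim("given_name").asString(), "");
        String familyName = Objects.toString(decodedJWT.getClaim("family_name").asString(), "");
        return (givenName + " " + familyName).trim();
    }

    /**
     * Describes where an unauthenticated caller is sent: the Cognito login page, with the
     * original location preserved under the {@code retpath} parameter.
     */
    public RedirectResponse redirectNotAuthTo(HttpServletRequest httpServletRequest) {
        return new RedirectResponse(getLoginUrl(httpServletRequest), "retpath", true);
    }

    /**
     * Reports whether the request carries an authenticated Cognito user.
     *
     * <p>NOTE(review): {@link #getCognitoUser} currently returns a boxed {@code false}, which is
     * never {@code null}, so this method always returns {@code true}. Left unchanged because the
     * intended lookup is not implemented; confirm how {@code BaseAuthProvider} relies on it.
     */
    public boolean isAuthenticated(HttpServletRequest httpServletRequest) throws UnauthorizedException {
        return getCognitoUser(httpServletRequest) != null;
    }

    /**
     * One-time-token authentication is not supported by this provider.
     *
     * @throws UnsupportedOperationException always
     */
    public void doAuthByOnetimeToken(String str, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        throw new UnsupportedOperationException("Cognito doesn't allow one-time tokens authentication");
    }

    /** Group suggestions are not available; always returns an empty set. */
    public Set<String> suggestGroups(HttpServletRequest httpServletRequest, String str) {
        return Collections.emptySet();
    }

    /** User listing is not available; always returns an empty set. */
    public Set<String> getAllUsers(HttpServletRequest httpServletRequest) {
        return Collections.emptySet();
    }

    /** User suggestions are not available; always returns an empty set. */
    public Set<String> suggestUser(HttpServletRequest httpServletRequest, String str) {
        return Collections.emptySet();
    }

    /**
     * Placeholder for a per-request Cognito user lookup; not implemented.
     *
     * @return a boxed {@code false} (non-null), so {@link #isAuthenticated} currently reports
     *     every request as authenticated -- see the note there
     */
    private Object getCognitoUser(HttpServletRequest httpServletRequest) {
        return false;
    }

    /** Returns the configured Cognito hosted login URL; the request is currently unused. */
    private String getLoginUrl(HttpServletRequest httpServletRequest) {
        return this.cognitoLoginUrl;
    }

    /** Creates a client for the configured Cognito OAuth token endpoint with {@link #OAUTH_API_TIMEOUT}. */
    private CognitoOauthClient getOauthClient() {
        return (CognitoOauthClient) HttpClientBuilder
                .builder(this.cognitoOauthEndpoint, OAUTH_API_TIMEOUT, new Interceptor[0])
                .build()
                .create(CognitoOauthClient.class);
    }
}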
