package com.adobe.granite.auth.ims.impl;

import com.adobe.granite.auth.ims.IMSInstance;
import com.adobe.granite.auth.ims.ImsConfigProvider;
import com.adobe.granite.auth.oauth.CredentialsValidator;
import java.util.Collections;
import java.util.HashMap;
import java.util.Set;
import javax.security.auth.login.LoginException;
import org.apache.jackrabbit.oak.spi.security.authentication.credentials.AbstractCredentials;
import org.jetbrains.annotations.Nullable;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.Designate;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

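/**
 * Credentials validator that decides whether an IMS user may access this instance.
 *
 * <p>The decision compares the {@link IMSInstance} entries carried by the credentials (attribute
 * {@link IMSConstants#PROJECTED_PRODUCT_CONTEXT}) with the instance reported by
 * {@link ImsConfigProvider#currentIMSInstance()}.
 *
 * <p>Security notes for operators and reviewers:
 * <ul>
 *   <li>When no current IMS instance is configured the validator is fail-open: every credential
 *       that carries instance information is accepted (see {@link #validate}).</li>
 *   <li>The component uses {@code ConfigurationPolicy.REQUIRE}, so it is only active once a
 *       configuration for it exists.</li>
 * </ul>
 */
@Designate(ocd = IMSInstanceCredentialsValidator.Config.class)
@Component(
        service = {CredentialsValidator.class},
        property = {"service.description=Validates that users have access to the instance"},
        configurationPolicy = ConfigurationPolicy.REQUIRE)
public class IMSInstanceCredentialsValidator implements CredentialsValidator, IMSConstants {
    /** Map key holding the first constructor argument of {@link IMSInstance}. */
    public static final String AUDIENCE = "audience";
    /** Map key holding the second constructor argument of {@link IMSInstance}. */
    public static final String OU = "ou";
    /** Map key holding the third constructor argument of {@link IMSInstance}. */
    public static final String SERVICE_CODE = "serviceCode";
    static final String SERVICE_DESCRIPTION = "Validates that users have access to the instance";
    private static final Logger LOG = LoggerFactory.getLogger(IMSInstanceCredentialsValidator.class);

    // Both fields are assigned once in the constructor and never rebound.
    private final ImsConfigProvider imsConfigProvider;
    private final String id;

    /** OSGi metatype configuration of this validator. */
    @ObjectClassDefinition(name = "Adobe Granite OAuth IMS Instance Credentials Validator", description = IMSInstanceCredentialsValidator.SERVICE_DESCRIPTION)
    public @interface Config {
        /** Provider ID reported by {@link IMSInstanceCredentialsValidator#getId()}; defaults to {@code "ims"}. */
        @AttributeDefinition(name = "Provider ID", description = "Assign a unique Provider ID")
        String oauth_provider_id() default "ims";
    }

    /**
     * Creates the validator through constructor injection.
     *
     * @param imsConfigProvider source of the current IMS instance used for the access decision
     * @param config component configuration supplying the provider ID
     */
    @Activate
    public IMSInstanceCredentialsValidator(@Reference ImsConfigProvider imsConfigProvider, Config config) {
        this.imsConfigProvider = imsConfigProvider;
        this.id = config.oauth_provider_id();
    }

    /**
     * Checks whether the given credentials grant access to the current IMS instance.
     *
     * @param abstractCredentials credentials whose {@link IMSConstants#PROJECTED_PRODUCT_CONTEXT}
     *     attribute is either a {@code Set} of {@link IMSInstance} or a {@code HashMap} with the
     *     {@link #AUDIENCE}, {@link #OU} and {@link #SERVICE_CODE} entries
     * @return {@code true} if no current instance is configured or the credentials contain the
     *     current instance; {@code false} otherwise, after storing the reason under
     *     {@link CredentialsValidator#FAILED_VALIDATION_REASON}
     * @throws LoginException if no instance information can be derived from the credentials
     */
    public boolean validate(AbstractCredentials abstractCredentials) throws LoginException {
        Object attribute = abstractCredentials.getAttribute(IMSConstants.PROJECTED_PRODUCT_CONTEXT);

        Set<IMSInstance> instances = null;
        if (attribute instanceof Set) {
            Set<?> candidates = (Set<?>) attribute;
            // NOTE(review): an empty Set passes this check vacuously, so it is not treated as
            // "no instances specified" below; with a configured instance it is then denied by
            // contains(), without one it is accepted by the fail-open branch.
            if (candidates.stream().allMatch(IMSInstance.class::isInstance)) {
                @SuppressWarnings("unchecked") // every element was just verified to be an IMSInstance
                Set<IMSInstance> verified = (Set<IMSInstance>) candidates;
                instances = verified;
            }
        }
        if (instances == null) {
            instances = buildIMSInstanceFromHashMap(attribute);
        }
        if (instances == null) {
            LOG.info("Given credentials does not have any instances specified.");
            throw new LoginException("Given credentials [" + abstractCredentials.getUserId() + "] does not have any instances specified.");
        }

        IMSInstance currentIMSInstance = this.imsConfigProvider.currentIMSInstance();
        if (currentIMSInstance == null) {
            // Fail-open: without a configured instance there is nothing to compare against and
            // access is granted. Deployments that rely on this validator for instance isolation
            // must make sure the provider returns a non-null instance.
            LOG.info("No IMS instance configured, all IMS users are allowed to access the instance regardless of their (instance_id, owningEntity).");
            return true;
        }
        // Membership presumably relies on IMSInstance.equals/hashCode - confirm against that class.
        if (instances.contains(currentIMSInstance)) {
            return true;
        }

        String reason = String.format("User %s does not have access to current instance %s", abstractCredentials.getUserId(), currentIMSInstance);
        abstractCredentials.setAttribute(CredentialsValidator.FAILED_VALIDATION_REASON, reason);
        // NOTE(review): denials are logged at DEBUG only; confirm they are visible elsewhere if
        // access-denied events need to be monitored at the default log level.
        LOG.debug(reason);
        return false;
    }

    /**
     * Builds a single-element instance set from a {@code HashMap} representation.
     *
     * <p>Values are type-checked with {@code instanceof} instead of catching
     * {@code ClassCastException}, and the message for a non-String service code now names
     * {@code serviceCode} (it previously reported the {@code ou} value).
     *
     * @param obj the raw credentials attribute, may be {@code null}
     * @return a singleton set, or {@code null} if {@code obj} is not a {@code HashMap} or any of
     *     the three required entries is missing or not a {@code String}
     */
    @Nullable
    private Set<IMSInstance> buildIMSInstanceFromHashMap(@Nullable Object obj) {
        if (!(obj instanceof HashMap)) {
            LOG.debug("buildIMSInstanceFromHashMap: the credentials are not a HashMap.");
            return null;
        }
        HashMap<?, ?> fields = (HashMap<?, ?>) obj;

        String audience = readString(fields, AUDIENCE, "AEM instance");
        if (audience == null) {
            return null;
        }
        String orgOwner = readString(fields, OU, "IMS Org owner");
        if (orgOwner == null) {
            return null;
        }
        String serviceCode = readString(fields, SERVICE_CODE, "service code");
        if (serviceCode == null) {
            return null;
        }

        LOG.debug("buildIMSInstanceFromHashMap: building and returning IMSInstance.");
        return Collections.singleton(new IMSInstance(audience, orgOwner, serviceCode));
    }

    /**
     * Reads one required String entry, logging at ERROR why it is unusable.
     *
     * @param fields map to read from
     * @param key entry name, also used in the wrong-type message
     * @param description human-readable name used in the missing-entry message
     * @return the value, or {@code null} if it is absent or not a {@code String}
     */
    @Nullable
    private static String readString(HashMap<?, ?> fields, String key, String description) {
        Object value = fields.get(key);
        if (value == null) {
            LOG.error("buildIMSInstanceFromHashMap: no {} to build IMSInstance object.", description);
            return null;
        }
        if (!(value instanceof String)) {
            LOG.error("buildIMSInstanceFromHashMap: Unexpected error casting the {} value to String.", key);
            return null;
        }
        return (String) value;
    }

    /**
     * Returns the provider ID taken from the component configuration.
     *
     * @return the configured provider ID
     */
    public String getId() {
        return this.id;
    }
}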
