package dev.dsf.common.auth.conf;

import dev.dsf.common.auth.DsfOpenIdCredentials;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.commons.codec.binary.Hex;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x500.style.IETFUtils;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.hl7.fhir.r4.model.Coding;
import org.hl7.fhir.r4.model.HumanName;
import org.hl7.fhir.r4.model.Identifier;
import org.hl7.fhir.r4.model.Organization;
import org.hl7.fhir.r4.model.Practitioner;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.InitializingBean;

/* loaded from: input_file:dev/dsf/common/auth/conf/AbstractIdentityProvider.class */
public abstract class AbstractIdentityProvider implements IdentityProvider, InitializingBean {
    private static final Logger logger = LoggerFactory.getLogger(AbstractIdentityProvider.class);
    private static final String PRACTITIONER_IDENTIFIER_SYSTEM = "http://dsf.dev/sid/practitioner-identifier";
    private final RoleConfig roleConfig;
    private final Set<String> thumbprints;

    public AbstractIdentityProvider(RoleConfig roleConfig) {
        this.roleConfig = roleConfig;
        this.thumbprints = (Set) roleConfig.getEntries().stream().map((v0) -> {
            return v0.getThumbprints();
        }).flatMap((v0) -> {
            return v0.stream();
        }).distinct().collect(Collectors.toUnmodifiableSet());
    }

    public void afterPropertiesSet() throws Exception {
        Objects.requireNonNull(this.roleConfig, "roleConfig");
    }

    @Override // dev.dsf.common.auth.conf.IdentityProvider
    public final Identity getIdentity(DsfOpenIdCredentials dsfOpenIdCredentials) {
        if (dsfOpenIdCredentials == null) {
            return null;
        }
        Optional<Practitioner> practitioner = toPractitioner(dsfOpenIdCredentials);
        Optional<Organization> localOrganization = getLocalOrganization();
        if (!practitioner.isPresent() || !localOrganization.isPresent()) {
            logger.warn("User from OpenID Connect token '{}' not configured as local user or local organization unknown", dsfOpenIdCredentials.getUserId());
            return null;
        }
        Map<String, Object> idToken = dsfOpenIdCredentials.getIdToken();
        Map<String, Object> accessToken = dsfOpenIdCredentials.getAccessToken();
        List<String> rolesFromTokens = getRolesFromTokens(idToken, accessToken);
        List<String> groupsFromTokens = getGroupsFromTokens(idToken, accessToken);
        Set<DsfRole> dsfRolesFor = getDsfRolesFor(practitioner.get(), null, rolesFromTokens, groupsFromTokens);
        Set<Coding> practitionerRolesFor = getPractitionerRolesFor(practitioner.get(), null, rolesFromTokens, groupsFromTokens);
        if (!dsfRolesFor.isEmpty()) {
            return new PractitionerIdentityImpl(localOrganization.get(), dsfRolesFor, null, practitioner.get(), practitionerRolesFor, dsfOpenIdCredentials);
        }
        logger.warn("User from OpenID Connect token '{}' not configured as local user", dsfOpenIdCredentials.getUserId());
        return null;
    }

    protected abstract Optional<Organization> getLocalOrganization();

    protected final String getThumbprint(X509Certificate x509Certificate) {
        try {
            return Hex.encodeHexString(MessageDigest.getInstance("SHA-512").digest(x509Certificate.getEncoded()));
        } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
            throw new RuntimeException(e);
        }
    }

    protected final String getDn(X509Certificate x509Certificate) {
        return x509Certificate.getSubjectX500Principal().getName("RFC1779");
    }

    protected final List<String> getGroupsFromTokens(Map<String, Object> map, Map<String, Object> map2) {
        if (logger.isDebugEnabled()) {
            logger.debug("id_token: groups: {}", getPropertyArray(map, "groups"));
            logger.debug("access_token: groups: {}", getPropertyArray(map2, "groups"));
        }
        return Stream.concat(getPropertyArray(map, "groups").stream(), getPropertyArray(map2, "groups").stream()).toList();
    }

    protected final List<String> getRolesFromTokens(Map<String, Object> map, Map<String, Object> map2) {
        return Stream.concat(getRolesFromToken("id_token", map), getRolesFromToken("access_token", map2)).toList();
    }

    private Stream<String> getRolesFromToken(String str, Map<String, Object> map) {
        if (logger.isDebugEnabled()) {
            logger.debug("{}: realm_access.roles: {}", str, getPropertyArray(getPropertyMap(map, "realm_access"), "roles"));
            logger.debug("{}: resource_access.*.roles: {}", str, getPropertyMap(map, "resource_access").entrySet().stream().flatMap(entry -> {
                return getPropertyArray((Map) entry.getValue(), "roles").stream().map(str2 -> {
                    return ((String) entry.getKey()) + "." + str2;
                });
            }).toList());
        }
        return Stream.concat(getPropertyArray(getPropertyMap(map, "realm_access"), "roles").stream(), getPropertyMap(map, "resource_access").entrySet().stream().flatMap(entry2 -> {
            return getPropertyArray((Map) entry2.getValue(), "roles").stream().map(str2 -> {
                return ((String) entry2.getKey()) + "." + str2;
            });
        }));
    }

    private Map<String, Object> getPropertyMap(Map<String, Object> map, String str) {
        Object obj = map.get(str);
        return (obj == null || !(obj instanceof Map)) ? Collections.emptyMap() : (Map) obj;
    }

    private List<String> getPropertyArray(Map<String, Object> map, String str) {
        Object obj = map.get(str);
        return (obj == null || !(obj instanceof Object[])) ? Collections.emptyList() : Arrays.stream((Object[]) obj).filter(obj2 -> {
            return obj2 instanceof String;
        }).map(obj3 -> {
            return (String) obj3;
        }).toList();
    }

    protected final Set<DsfRole> getDsfRolesFor(Practitioner practitioner, String str, List<String> list, List<String> list2) {
        Stream flatMap;
        Stream flatMap2;
        Stream stream = practitioner.getIdentifier().stream().filter(identifier -> {
            return "http://dsf.dev/sid/practitioner-identifier".equals(identifier.getSystem()) && identifier.hasValue();
        }).map((v0) -> {
            return v0.getValue();
        }).toList().stream();
        RoleConfig roleConfig = this.roleConfig;
        Objects.requireNonNull(roleConfig);
        Stream flatMap3 = stream.map(roleConfig::getDsfRolesForEmail).flatMap((v0) -> {
            return v0.stream();
        });
        Stream<DsfRole> empty = str == null ? Stream.empty() : this.roleConfig.getDsfRolesForThumbprint(str).stream();
        if (list == null) {
            flatMap = Stream.empty();
        } else {
            Stream<String> stream2 = list.stream();
            RoleConfig roleConfig2 = this.roleConfig;
            Objects.requireNonNull(roleConfig2);
            flatMap = stream2.map(roleConfig2::getDsfRolesForTokenRole).flatMap((v0) -> {
                return v0.stream();
            });
        }
        Stream stream3 = flatMap;
        if (list2 == null) {
            flatMap2 = Stream.empty();
        } else {
            Stream<String> stream4 = list2.stream();
            RoleConfig roleConfig3 = this.roleConfig;
            Objects.requireNonNull(roleConfig3);
            flatMap2 = stream4.map(roleConfig3::getDsfRolesForTokenGroup).flatMap((v0) -> {
                return v0.stream();
            });
        }
        return (Set) Stream.of((Object[]) new Stream[]{flatMap3, empty, stream3, flatMap2}).flatMap(Function.identity()).distinct().collect(Collectors.toSet());
    }

    protected final Set<Coding> getPractitionerRolesFor(Practitioner practitioner, String str, List<String> list, List<String> list2) {
        Stream flatMap;
        Stream flatMap2;
        Stream stream = practitioner.getIdentifier().stream().filter(identifier -> {
            return "http://dsf.dev/sid/practitioner-identifier".equals(identifier.getSystem()) && identifier.hasValue();
        }).map((v0) -> {
            return v0.getValue();
        }).toList().stream();
        RoleConfig roleConfig = this.roleConfig;
        Objects.requireNonNull(roleConfig);
        Stream flatMap3 = stream.map(roleConfig::getPractitionerRolesForEmail).flatMap((v0) -> {
            return v0.stream();
        });
        Stream<Coding> empty = str == null ? Stream.empty() : this.roleConfig.getPractitionerRolesForThumbprint(str).stream();
        if (list == null) {
            flatMap = Stream.empty();
        } else {
            Stream<String> stream2 = list.stream();
            RoleConfig roleConfig2 = this.roleConfig;
            Objects.requireNonNull(roleConfig2);
            flatMap = stream2.map(roleConfig2::getPractitionerRolesForTokenRole).flatMap((v0) -> {
                return v0.stream();
            });
        }
        Stream stream3 = flatMap;
        if (list2 == null) {
            flatMap2 = Stream.empty();
        } else {
            Stream<String> stream4 = list2.stream();
            RoleConfig roleConfig3 = this.roleConfig;
            Objects.requireNonNull(roleConfig3);
            flatMap2 = stream4.map(roleConfig3::getPractitionerRolesForTokenGroup).flatMap((v0) -> {
                return v0.stream();
            });
        }
        return (Set) Stream.of((Object[]) new Stream[]{flatMap3, empty, stream3, flatMap2}).flatMap(Function.identity()).distinct().collect(Collectors.toSet());
    }

    protected final Optional<Practitioner> toPractitioner(DsfOpenIdCredentials dsfOpenIdCredentials) {
        return dsfOpenIdCredentials == null ? Optional.empty() : toPractitioner(Stream.of(dsfOpenIdCredentials.getStringClaimOrDefault("family_name", "")), Stream.of(dsfOpenIdCredentials.getStringClaimOrDefault("given_name", "")), ((Set) Stream.of((Object[]) new String[]{dsfOpenIdCredentials.getStringClaimOrDefault("email", ""), toEmail(dsfOpenIdCredentials.getStringClaimOrDefault("iss", ""), dsfOpenIdCredentials.getStringClaimOrDefault("sub", ""))}).filter(str -> {
            return str != null;
        }).distinct().collect(Collectors.toSet())).stream());
    }

    private Optional<Practitioner> toPractitioner(Stream<String> stream, Stream<String> stream2, Stream<String> stream3) {
        Practitioner practitioner = new Practitioner();
        Stream<R> map = stream3.filter(str -> {
            return str != null;
        }).filter(str2 -> {
            return str2.contains("@");
        }).map(str3 -> {
            return new Identifier().setSystem("http://dsf.dev/sid/practitioner-identifier").setValue(str3);
        });
        Objects.requireNonNull(practitioner);
        map.forEach(practitioner::addIdentifier);
        HumanName humanName = new HumanName();
        humanName.setFamily((String) stream.collect(Collectors.joining(" ")));
        Objects.requireNonNull(humanName);
        stream2.forEach(humanName::addGiven);
        practitioner.addName(humanName);
        return Optional.of(practitioner);
    }

    private String toEmail(String str, String str2) {
        if (str == null || str2 == null || str.isBlank() || str2.isBlank()) {
            return null;
        }
        try {
            return str2 + "@" + new URL(str).getHost();
        } catch (MalformedURLException e) {
            return null;
        }
    }

    protected final Optional<Practitioner> toPractitioner(X509Certificate x509Certificate) {
        if (x509Certificate == null) {
            return Optional.empty();
        }
        return !this.thumbprints.contains(getThumbprint(x509Certificate)) ? Optional.empty() : toJcaX509CertificateHolder(x509Certificate).flatMap(this::toPractitioner);
    }

    private Optional<JcaX509CertificateHolder> toJcaX509CertificateHolder(X509Certificate x509Certificate) {
        try {
            return Optional.of(new JcaX509CertificateHolder(x509Certificate));
        } catch (CertificateEncodingException e) {
            logger.debug("Unable to decode certificate", e);
            logger.warn("Unable to decode certificate: {} - {}", e.getClass().getName(), e.getMessage());
            return Optional.empty();
        }
    }

    private Optional<Practitioner> toPractitioner(JcaX509CertificateHolder jcaX509CertificateHolder) {
        X500Name subject = jcaX509CertificateHolder.getSubject();
        List<String> values = getValues(subject, BCStyle.GIVENNAME);
        List<String> values2 = getValues(subject, BCStyle.SURNAME);
        List<String> values3 = getValues(subject, BCStyle.CN);
        List<String> values4 = getValues(subject, BCStyle.E);
        List<String> values5 = getValues(subject, BCStyle.EmailAddress);
        Extension extension = jcaX509CertificateHolder.getExtension(Extension.subjectAlternativeName);
        return toPractitioner(!values2.isEmpty() ? values2.stream() : values3.stream(), values.stream(), Stream.concat(Stream.concat(values4.stream(), values5.stream()), (extension == null ? Collections.emptyList() : Stream.of((Object[]) GeneralNames.getInstance(extension.getParsedValue()).getNames()).filter(generalName -> {
            return generalName.getTagNo() == 1;
        }).map((v0) -> {
            return v0.getName();
        }).map(IETFUtils::valueToString).toList()).stream()));
    }

    private List<String> getValues(X500Name x500Name, ASN1ObjectIdentifier aSN1ObjectIdentifier) {
        return Stream.of((Object[]) x500Name.getRDNs(aSN1ObjectIdentifier)).flatMap(rdn -> {
            return Stream.of((Object[]) rdn.getTypesAndValues());
        }).map((v0) -> {
            return v0.getValue();
        }).map(IETFUtils::valueToString).toList();
    }
}
