package dev.dsf.fhir.authentication;

import dev.dsf.common.auth.DsfOpenIdCredentials;
import dev.dsf.common.auth.conf.DsfRole;
import dev.dsf.common.auth.conf.Identity;
import dev.dsf.common.auth.conf.IdentityProvider;
import dev.dsf.common.auth.conf.RoleConfig;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.hl7.fhir.r4.model.Coding;
import org.hl7.fhir.r4.model.Organization;
import org.hl7.fhir.r4.model.Practitioner;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.InitializingBean;

/* loaded from: input_file:dev/dsf/fhir/authentication/IdentityProviderImpl.class */
public class IdentityProviderImpl extends AbstractProvider implements IdentityProvider, InitializingBean {
    private static final Logger logger = LoggerFactory.getLogger(IdentityProviderImpl.class);
    private final OrganizationProvider organizationProvider;
    private final PractitionerProvider practitionerProvider;
    private final String localOrganizationIdentifierValue;
    private final RoleConfig roleConfig;

    public IdentityProviderImpl(OrganizationProvider organizationProvider, PractitionerProvider practitionerProvider, String str, RoleConfig roleConfig) {
        this.organizationProvider = organizationProvider;
        this.practitionerProvider = practitionerProvider;
        this.localOrganizationIdentifierValue = str;
        this.roleConfig = roleConfig;
    }

    public void afterPropertiesSet() throws Exception {
        Objects.requireNonNull(this.organizationProvider, "organizationProvider");
        Objects.requireNonNull(this.practitionerProvider, "practitionerProvider");
        Objects.requireNonNull(this.localOrganizationIdentifierValue, "localOrganizationIdentifierValue");
        Objects.requireNonNull(this.roleConfig, "roleConfig");
    }

    public Identity getIdentity(DsfOpenIdCredentials dsfOpenIdCredentials) {
        if (dsfOpenIdCredentials == null) {
            return null;
        }
        Optional<Practitioner> practitioner = this.practitionerProvider.getPractitioner(dsfOpenIdCredentials);
        Optional<Organization> localOrganization = this.organizationProvider.getLocalOrganization();
        if (!practitioner.isPresent() || !localOrganization.isPresent()) {
            logger.warn("User from OpenID Connect token '{}' not configured as local user or local organization unknown", dsfOpenIdCredentials.getUserId());
            return null;
        }
        Map<String, Object> idToken = dsfOpenIdCredentials.getIdToken();
        Map<String, Object> accessToken = dsfOpenIdCredentials.getAccessToken();
        List<String> rolesFromTokens = getRolesFromTokens(idToken, accessToken);
        List<String> groupsFromTokens = getGroupsFromTokens(idToken, accessToken);
        return new PractitionerIdentityImpl(localOrganization.get(), getDsfRolesFor(practitioner.get(), null, rolesFromTokens, groupsFromTokens), null, practitioner.get(), getPractitionerRolesFor(practitioner.get(), null, rolesFromTokens, groupsFromTokens), dsfOpenIdCredentials);
    }

    private List<String> getGroupsFromTokens(Map<String, Object> map, Map<String, Object> map2) {
        if (logger.isDebugEnabled()) {
            logger.debug("id_token: groups: {}", getPropertyArray(map, "groups"));
            logger.debug("access_token: groups: {}", getPropertyArray(map2, "groups"));
        }
        return Stream.concat(getPropertyArray(map, "groups").stream(), getPropertyArray(map2, "groups").stream()).toList();
    }

    private List<String> getRolesFromTokens(Map<String, Object> map, Map<String, Object> map2) {
        return Stream.concat(getRolesFromToken("id_token", map), getRolesFromToken("access_token", map2)).toList();
    }

    private Stream<String> getRolesFromToken(String str, Map<String, Object> map) {
        if (logger.isDebugEnabled()) {
            logger.debug("{}: realm_access.roles: {}", str, getPropertyArray(getPropertyMap(map, "realm_access"), "roles"));
            logger.debug("{}: resource_access.*.roles: {}", str, getPropertyMap(map, "resource_access").entrySet().stream().flatMap(entry -> {
                return getPropertyArray((Map) entry.getValue(), "roles").stream().map(str2 -> {
                    return ((String) entry.getKey()) + "." + str2;
                });
            }).toList());
        }
        return Stream.concat(getPropertyArray(getPropertyMap(map, "realm_access"), "roles").stream(), getPropertyMap(map, "resource_access").entrySet().stream().flatMap(entry2 -> {
            return getPropertyArray((Map) entry2.getValue(), "roles").stream().map(str2 -> {
                return ((String) entry2.getKey()) + "." + str2;
            });
        }));
    }

    private Map<String, Object> getPropertyMap(Map<String, Object> map, String str) {
        Object obj = map.get(str);
        return (obj == null || !(obj instanceof Map)) ? Collections.emptyMap() : (Map) obj;
    }

    private List<String> getPropertyArray(Map<String, Object> map, String str) {
        Object obj = map.get(str);
        return (obj == null || !(obj instanceof Object[])) ? Collections.emptyList() : Arrays.stream((Object[]) obj).filter(obj2 -> {
            return obj2 instanceof String;
        }).map(obj3 -> {
            return (String) obj3;
        }).toList();
    }

    public Identity getIdentity(X509Certificate[] x509CertificateArr) {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            return null;
        }
        String thumbprint = getThumbprint(x509CertificateArr[0]);
        Optional<Organization> organization = this.organizationProvider.getOrganization(x509CertificateArr[0]);
        if (organization.isPresent()) {
            return isLocalOrganization(organization.get()) ? new OrganizationIdentityImpl(true, organization.get(), FhirServerRole.LOCAL_ORGANIZATION, x509CertificateArr[0]) : new OrganizationIdentityImpl(false, organization.get(), FhirServerRole.REMOTE_ORGANIZATION, x509CertificateArr[0]);
        }
        Optional<Practitioner> practitioner = this.practitionerProvider.getPractitioner(x509CertificateArr[0]);
        Optional<Organization> localOrganization = this.organizationProvider.getLocalOrganization();
        if (practitioner.isPresent() && localOrganization.isPresent()) {
            Practitioner practitioner2 = practitioner.get();
            return new PractitionerIdentityImpl(localOrganization.get(), getDsfRolesFor(practitioner2, thumbprint, null, null), x509CertificateArr[0], practitioner2, getPractitionerRolesFor(practitioner2, thumbprint, null, null), null);
        }
        logger.warn("Certificate with thumbprint '{}' for '{}' unknown, not part of allowlist and not configured as local user or local organization", thumbprint, getDn(x509CertificateArr[0]));
        return null;
    }

    private boolean isLocalOrganization(Organization organization) {
        return organization != null && organization.getIdentifier().stream().filter(identifier -> {
            return identifier != null;
        }).filter(identifier2 -> {
            return OrganizationProvider.ORGANIZATION_IDENTIFIER_SYSTEM.equals(identifier2.getSystem());
        }).anyMatch(identifier3 -> {
            return this.localOrganizationIdentifierValue.equals(identifier3.getValue());
        });
    }

    private Set<DsfRole> getDsfRolesFor(Practitioner practitioner, String str, List<String> list, List<String> list2) {
        Stream flatMap;
        Stream flatMap2;
        Stream map = practitioner.getIdentifier().stream().filter(identifier -> {
            return PractitionerProvider.PRACTITIONER_IDENTIFIER_SYSTEM.equals(identifier.getSystem()) && identifier.hasValue();
        }).map((v0) -> {
            return v0.getValue();
        });
        RoleConfig roleConfig = this.roleConfig;
        Objects.requireNonNull(roleConfig);
        Stream flatMap3 = map.map(roleConfig::getDsfRolesForEmail).flatMap((v0) -> {
            return v0.stream();
        });
        Stream empty = str == null ? Stream.empty() : this.roleConfig.getDsfRolesForThumbprint(str).stream();
        if (list == null) {
            flatMap = Stream.empty();
        } else {
            Stream<String> stream = list.stream();
            RoleConfig roleConfig2 = this.roleConfig;
            Objects.requireNonNull(roleConfig2);
            flatMap = stream.map(roleConfig2::getDsfRolesForTokenRole).flatMap((v0) -> {
                return v0.stream();
            });
        }
        Stream stream2 = flatMap;
        if (list2 == null) {
            flatMap2 = Stream.empty();
        } else {
            Stream<String> stream3 = list2.stream();
            RoleConfig roleConfig3 = this.roleConfig;
            Objects.requireNonNull(roleConfig3);
            flatMap2 = stream3.map(roleConfig3::getDsfRolesForTokenGroup).flatMap((v0) -> {
                return v0.stream();
            });
        }
        return (Set) Stream.of((Object[]) new Stream[]{flatMap3, empty, stream2, flatMap2}).flatMap(Function.identity()).distinct().collect(Collectors.toSet());
    }

    private Set<Coding> getPractitionerRolesFor(Practitioner practitioner, String str, List<String> list, List<String> list2) {
        Stream flatMap;
        Stream flatMap2;
        Stream map = practitioner.getIdentifier().stream().filter(identifier -> {
            return PractitionerProvider.PRACTITIONER_IDENTIFIER_SYSTEM.equals(identifier.getSystem()) && identifier.hasValue();
        }).map((v0) -> {
            return v0.getValue();
        });
        RoleConfig roleConfig = this.roleConfig;
        Objects.requireNonNull(roleConfig);
        Stream flatMap3 = map.map(roleConfig::getPractitionerRolesForEmail).flatMap((v0) -> {
            return v0.stream();
        });
        Stream empty = str == null ? Stream.empty() : this.roleConfig.getPractitionerRolesForThumbprint(str).stream();
        if (list == null) {
            flatMap = Stream.empty();
        } else {
            Stream<String> stream = list.stream();
            RoleConfig roleConfig2 = this.roleConfig;
            Objects.requireNonNull(roleConfig2);
            flatMap = stream.map(roleConfig2::getPractitionerRolesForTokenRole).flatMap((v0) -> {
                return v0.stream();
            });
        }
        Stream stream2 = flatMap;
        if (list2 == null) {
            flatMap2 = Stream.empty();
        } else {
            Stream<String> stream3 = list2.stream();
            RoleConfig roleConfig3 = this.roleConfig;
            Objects.requireNonNull(roleConfig3);
            flatMap2 = stream3.map(roleConfig3::getPractitionerRolesForTokenGroup).flatMap((v0) -> {
                return v0.stream();
            });
        }
        return (Set) Stream.of((Object[]) new Stream[]{flatMap3, empty, stream2, flatMap2}).flatMap(Function.identity()).distinct().collect(Collectors.toSet());
    }
}
