package org.opencastproject.kernel.security;

import java.util.Collection;
import java.util.Collections;
import java.util.Dictionary;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.BooleanUtils;
import org.apache.commons.lang3.StringUtils;
import org.opencastproject.security.util.SecurityUtil;
import org.osgi.service.cm.ConfigurationException;
import org.osgi.service.cm.ManagedService;
import org.osgi.service.component.ComponentContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.oauth.provider.ConsumerAuthentication;
import org.springframework.security.oauth.provider.OAuthAuthenticationHandler;
import org.springframework.security.oauth.provider.token.OAuthAccessProviderToken;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/* loaded from: input_file:org/opencastproject/kernel/security/LtiLaunchAuthenticationHandler.class */
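/**
 * Turns an OAuth-signed LTI launch into a Spring Security {@link Authentication}.
 * <p>
 * By default every launch is mapped onto a synthetic identity of the form
 * {@code lti:<tool_consumer_instance_guid>:<user_id>}, which cannot collide with a local account.
 * Consumers whose OAuth key is listed under {@code lti.oauth.highly_trusted_consumer_key.N} may
 * instead log their users straight into local accounts, except for the names collected in the
 * username blacklist ({@code lti.blacklist.user.N}, plus the admin and digest users unless
 * explicitly allowed).
 * <p>
 * Configuration arrives through {@link ManagedService#updated(Dictionary)}, which may run on a
 * different thread than {@link #createAuthentication}; the configured sets are therefore built
 * completely and then published atomically by reference.
 */
public class LtiLaunchAuthenticationHandler implements OAuthAuthenticationHandler, ManagedService {
    private static final Logger logger = LoggerFactory.getLogger(LtiLaunchAuthenticationHandler.class);

    /** LTI launch parameter carrying the consumer-side user id. */
    private static final String LTI_USER_ID_PARAM = "user_id";
    /** LTI launch parameter identifying the tool consumer instance. */
    private static final String LTI_CONSUMER_GUID = "tool_consumer_instance_guid";
    /** LTI launch parameter holding the comma separated list of roles. */
    private static final String ROLES = "roles";
    /** LTI launch parameter naming the course/context the launch belongs to. */
    private static final String CONTEXT_ID = "context_id";
    /** OAuth parameter carrying the consumer key of the launching platform. */
    private static final String OAUTH_CONSUMER_KEY_PARAM = "oauth_consumer_key";
    /** LTI extension parameter with the consumer's local username (trusted consumers only). */
    private static final String EXT_USER_USERNAME_PARAM = "ext_user_username";
    /** LIS parameter with the consumer's person identifier (trusted consumers only). */
    private static final String LIS_PERSON_SOURCEDID_PARAM = "lis_person_sourcedid";
    /** Consumer guid used when the launch does not name one. */
    private static final String UNKNOWN_CONSUMER = "UnknownConsumer";
    private static final String LTI_USER_ID_PREFIX = "lti";
    private static final String LTI_ID_DELIMITER = ":";
    private static final String ROLE_OAUTH_USER = "ROLE_OAUTH_USER";
    private static final String ROLE_USER = "ROLE_USER";
    private static final String ROLE_ANONYMOUS = "ROLE_ANONYMOUS";
    /** Prefix of Spring authorities; consumer-supplied roles must never spell one. */
    private static final String ROLE_PREFIX = "ROLE_";
    private static final String DEFAULT_CONTEXT = "LTI";
    private static final String DEFAULT_LEARNER = "USER";
    private static final String HIGHLY_TRUSTED_CONSUMER_KEY_PREFIX = "lti.oauth.highly_trusted_consumer_key.";
    private static final String BLACKLIST_USER_PREFIX = "lti.blacklist.user.";
    private static final String ALLOW_SYSTEM_ADMINISTRATOR_KEY = "lti.allow_system_administrator";
    private static final String ALLOW_DIGEST_USER_KEY = "lti.allow_digest_user";
    /** Bundle context property naming the system administrator account. */
    private static final String ADMIN_USER_PROPERTY = "org.opencastproject.security.admin.user";

    private UserDetailsService userDetailsService;
    private ComponentContext componentContext;
    // Replaced wholesale by updated() and never mutated in place, so request threads always
    // observe either the previous or the new configuration, never a half-built one.
    private volatile Set<String> highlyTrustedConsumerKeys = Collections.emptySet();
    private volatile Set<String> usernameBlacklist = Collections.emptySet();

    /**
     * Sets the directory used to look up local accounts.
     *
     * @param userDetailsService the user directory
     */
    public void setUserDetailsService(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    /**
     * OSGi activation hook; keeps the component context for later property lookups.
     *
     * @param componentContext the component context
     */
    public void activate(ComponentContext componentContext) {
        logger.info("Activating LtiLaunchAuthenticationHandler");
        this.componentContext = componentContext;
    }

    /**
     * Applies a new configuration.
     * <p>
     * Both the trusted consumer keys and the username blacklist are computed completely before
     * either is published, so a failure half-way (for instance a missing component context)
     * cannot leave trusted keys active while the blacklist is empty.
     *
     * @param properties the new configuration, or {@code null} to drop all trusted keys and
     *        blacklist entries
     * @throws ConfigurationException if the component context needed to resolve the admin or
     *         digest user is not available
     */
    @Override // org.osgi.service.cm.ManagedService
    public void updated(Dictionary<String, ?> properties) throws ConfigurationException {
        logger.debug("Updating LtiLaunchAuthenticationHandler");
        if (properties == null) {
            logger.warn("LtiLaunchAuthenticationHandler is not configured");
            highlyTrustedConsumerKeys = Collections.emptySet();
            usernameBlacklist = Collections.emptySet();
            return;
        }

        Set<String> trustedKeys = readNumberedValues(properties, HIGHLY_TRUSTED_CONSUMER_KEY_PREFIX);

        Set<String> blacklist = new HashSet<String>();
        if (!BooleanUtils.toBoolean(trimmedValue(properties, ALLOW_SYSTEM_ADMINISTRATOR_KEY))) {
            String adminUser = StringUtils.trimToNull(
                    requireComponentContext(ALLOW_SYSTEM_ADMINISTRATOR_KEY).getBundleContext().getProperty(ADMIN_USER_PROPERTY));
            if (adminUser != null) {
                blacklist.add(adminUser);
            }
        }
        if (!BooleanUtils.toBoolean(trimmedValue(properties, ALLOW_DIGEST_USER_KEY))) {
            blacklist.add(SecurityUtil.getSystemUserName(requireComponentContext(ALLOW_DIGEST_USER_KEY)));
        }
        blacklist.addAll(readNumberedValues(properties, BLACKLIST_USER_PREFIX));

        highlyTrustedConsumerKeys = Collections.unmodifiableSet(trustedKeys);
        usernameBlacklist = Collections.unmodifiableSet(blacklist);
    }

    /**
     * Collects the values of {@code prefix1}, {@code prefix2}, ... up to the first key that is
     * absent or blank.
     *
     * @param properties the configuration
     * @param prefix the key prefix the running number is appended to
     * @return the trimmed, non-blank values found; never {@code null}
     */
    private static Set<String> readNumberedValues(Dictionary<String, ?> properties, String prefix) {
        Set<String> values = new HashSet<String>();
        for (int i = 1; ; i++) {
            String key = prefix + i;
            logger.debug("Looking for configuration of {}", key);
            String value = StringUtils.trimToNull((String) properties.get(key));
            if (value == null) {
                return values;
            }
            values.add(value);
        }
    }

    /** Returns the trimmed value of {@code key}, or {@code null} if absent or blank. */
    private static String trimmedValue(Dictionary<String, ?> properties, String key) {
        return StringUtils.trimToNull((String) properties.get(key));
    }

    /**
     * Returns the component context, failing the configuration update if the component has not
     * been activated yet (fail closed rather than with an opaque NPE).
     *
     * @param property the configuration key whose evaluation needs the context
     * @throws ConfigurationException if the context is not available
     */
    private ComponentContext requireComponentContext(String property) throws ConfigurationException {
        if (componentContext == null) {
            throw new ConfigurationException(property, "component context not available (not activated yet)");
        }
        return componentContext;
    }

    /**
     * Builds the authentication for an LTI launch whose OAuth signature has already been accepted.
     *
     * @param request the launch request
     * @param authentication the authenticated consumer
     * @param authToken the access token (unused)
     * @return the authentication, also stored in the {@link SecurityContextHolder}; {@code null} if
     *         the launch carries no {@code user_id}
     */
    @Override // org.springframework.security.oauth.provider.OAuthAuthenticationHandler
    public Authentication createAuthentication(HttpServletRequest request, ConsumerAuthentication authentication,
            OAuthAccessProviderToken authToken) {
        String ltiUserId = request.getParameter(LTI_USER_ID_PARAM);
        if (StringUtils.isBlank(ltiUserId)) {
            logger.warn("Received authentication request without user id ({})", LTI_USER_ID_PARAM);
            return null;
        }
        String username = resolveUsername(request, ltiUserId);
        logger.debug("LTI user id is : {}", username);

        Set<GrantedAuthority> authorities;
        UserDetails userDetails;
        try {
            userDetails = userDetailsService.loadUserByUsername(username);
            authorities = new HashSet<GrantedAuthority>(userDetails.getAuthorities());
            enrichRoleGrants(request.getParameter(ROLES), request.getParameter(CONTEXT_ID), authorities);
        } catch (UsernameNotFoundException e) {
            // Not a local account: synthesize a user that carries only the LTI roles.
            // The roles are added before the User is built so they end up in its authorities too.
            authorities = new HashSet<GrantedAuthority>();
            enrichRoleGrants(request.getParameter(ROLES), request.getParameter(CONTEXT_ID), authorities);
            logger.info("Returning user with {} authorities", authorities.size());
            // "oauth" is a placeholder credential; the launch was authenticated by the OAuth signature.
            userDetails = new User(username, "oauth", true, true, true, true, authorities);
        }
        authorities.add(new SimpleGrantedAuthority(ROLE_OAUTH_USER));
        authorities.add(new SimpleGrantedAuthority(ROLE_USER));
        authorities.add(new SimpleGrantedAuthority(ROLE_ANONYMOUS));

        PreAuthenticatedAuthenticationToken token =
                new PreAuthenticatedAuthenticationToken(userDetails, authentication.getCredentials(), authorities);
        SecurityContextHolder.getContext().setAuthentication(token);
        return token;
    }

    /**
     * Derives the local username for a launch.
     * <p>
     * Launches from a highly trusted consumer map onto the local account named by
     * {@code ext_user_username}, else {@code lis_person_sourcedid}, else the LTI user id — unless
     * that name is blacklisted. Every other launch, and every blacklisted name, gets the synthetic
     * {@code lti:<consumer guid>:<user id>} identity.
     *
     * @param request the launch request
     * @param ltiUserId the non-blank {@code user_id} parameter
     * @return the username to authenticate as
     */
    private String resolveUsername(HttpServletRequest request, String ltiUserId) {
        String consumerGuid = request.getParameter(LTI_CONSUMER_GUID);
        if (StringUtils.isBlank(consumerGuid)) {
            consumerGuid = UNKNOWN_CONSUMER;
        }
        String ltiUsername = LTI_USER_ID_PREFIX + LTI_ID_DELIMITER + consumerGuid + LTI_ID_DELIMITER + ltiUserId;

        // NOTE(review): the consumer key is read from the request parameter rather than from the
        // already-verified ConsumerAuthentication; this relies on the OAuth provider filter having
        // checked the signature over that parameter before this handler runs — confirm.
        String consumerKey = request.getParameter(OAUTH_CONSUMER_KEY_PARAM);
        if (!highlyTrustedConsumerKeys.contains(consumerKey)) {
            return ltiUsername;
        }
        logger.debug("{} is a trusted key", consumerKey);

        String trustedUsername = request.getParameter(EXT_USER_USERNAME_PARAM);
        if (StringUtils.isBlank(trustedUsername)) {
            trustedUsername = request.getParameter(LIS_PERSON_SOURCEDID_PARAM);
        }
        if (StringUtils.isBlank(trustedUsername)) {
            trustedUsername = ltiUserId;
        }
        if (usernameBlacklist.contains(trustedUsername)) {
            // The launch still succeeds, but as the synthetic identity rather than the protected account.
            logger.debug("{} is blacklisted", trustedUsername);
            return ltiUsername;
        }
        return trustedUsername;
    }

    /**
     * Adds one {@code <context>_<role>} authority per comma separated LTI role.
     *
     * @param roles the {@code roles} launch parameter; nothing is added when {@code null}
     * @param contextId the {@code context_id} launch parameter; {@code LTI} when blank
     * @param authorities the collection to add to
     */
    private void enrichRoleGrants(String roles, String contextId, Collection<GrantedAuthority> authorities) {
        if (roles == null) {
            return;
        }
        String context = StringUtils.isBlank(contextId) ? DEFAULT_CONTEXT : contextId;
        for (String role : roles.split(",")) {
            String ltiRole = context + "_" + (StringUtils.isBlank(role) ? DEFAULT_LEARNER : role);
            // context_id and roles are consumer-supplied: refuse any combination that would spell a
            // Spring ROLE_* authority and so escalate beyond the LTI namespace. Locale.ROOT keeps the
            // comparison independent of the JVM's default locale.
            if (ltiRole.trim().toUpperCase(Locale.ROOT).startsWith(ROLE_PREFIX)) {
                logger.warn("Discarding attempt to acquire role “{}”", ltiRole);
            } else {
                logger.debug("Adding role: {}", ltiRole);
                authorities.add(new SimpleGrantedAuthority(ltiRole));
            }
        }
    }
}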
