package net.smartcosmos.platform.authentication;

import com.google.common.base.Optional;
import io.dropwizard.auth.AuthenticationException;
import io.dropwizard.auth.Authenticator;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import net.smartcosmos.model.context.IAccount;
import net.smartcosmos.model.context.IUser;
import net.smartcosmos.model.event.EventType;
import net.smartcosmos.model.extension.IExternalExtension;
import net.smartcosmos.platform.api.IContext;
import net.smartcosmos.platform.api.authentication.IAuthenticatedUser;
import net.smartcosmos.platform.api.dao.IOAuthTokenTransactionDAO;
import net.smartcosmos.platform.api.oauth.IOAuthTokenTransaction;
import net.smartcosmos.platform.api.oauth.OAuthStatusType;
import net.smartcosmos.platform.api.service.IEventService;
import net.smartcosmos.platform.pojo.authentication.AuthenticatedUser;
import net.smartcosmos.platform.util.OAuthTokenUtil;
import net.smartcosmos.pojo.context.User;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/smartcosmos/platform/authentication/OAuthAuthenticator.class */
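/**
 * Dropwizard {@link Authenticator} that resolves a bearer access token string to an
 * {@link IAuthenticatedUser} by looking up the matching OAuth token transaction.
 *
 * <p>Every outcome (success, unknown token, stale token, disabled authorizing user) is
 * reported through {@link IEventService#recordEvent}. Stale and disabled outcomes also
 * update the stored token status and commit the current session's transaction.
 *
 * <p>Security: a bearer token is a credential. This class never writes the raw token to the
 * application log; log lines carry a short SHA-256 fingerprint instead (see
 * {@link #tokenFingerprint(String)}), which is enough to correlate log lines for one token
 * without letting a log reader replay it.
 */
public class OAuthAuthenticator implements Authenticator<String, IAuthenticatedUser> {
    private static final Logger LOG = LoggerFactory.getLogger(OAuthAuthenticator.class);

    /** Number of digest bytes kept in a log fingerprint (rendered as twice as many hex chars). */
    private static final int FINGERPRINT_BYTES = 6;

    private final IContext context;

    /**
     * Fluent parameter object carrying everything {@code logExpiredTokenAccessAttempt} needs to
     * mark a token stale and record the failure for both the extension and the impersonated user.
     *
     * <p>Holds the raw bearer token; callers must not log {@link #getBearerAccessToken()} directly.
     */
    public final class ExpiredTokenAccessAttempt {
        private IExternalExtension extension;
        // Raw credential as presented by the client; keep out of logs and events.
        private String bearerAccessToken;
        private IEventService eventSinkImpersonated;
        private IEventService eventSinkExtension;
        private IUser extensionUser;
        private IUser impersonatedUser;
        private IOAuthTokenTransaction oauthTx;
        private IOAuthTokenTransactionDAO oAuthTokenTxDAO;

        public ExpiredTokenAccessAttempt() {
        }

        /** @return the extension that owns the token transaction */
        public IExternalExtension getExtension() {
            return this.extension;
        }

        /** @return this instance, for chaining */
        public ExpiredTokenAccessAttempt setExtension(IExternalExtension iExternalExtension) {
            this.extension = iExternalExtension;
            return this;
        }

        /** @return the raw bearer token that was presented (credential material) */
        public String getBearerAccessToken() {
            return this.bearerAccessToken;
        }

        /** @return this instance, for chaining */
        public ExpiredTokenAccessAttempt setBearerAccessToken(String str) {
            this.bearerAccessToken = str;
            return this;
        }

        /** @return event service obtained for the authorizing (impersonated) user's account */
        public IEventService getEventSinkImpersonated() {
            return this.eventSinkImpersonated;
        }

        /** @return this instance, for chaining */
        public ExpiredTokenAccessAttempt setEventSinkImpersonated(IEventService iEventService) {
            this.eventSinkImpersonated = iEventService;
            return this;
        }

        /** @return event service obtained for the extension's account */
        public IEventService getEventSinkExtension() {
            return this.eventSinkExtension;
        }

        /** @return this instance, for chaining */
        public ExpiredTokenAccessAttempt setEventSinkExtension(IEventService iEventService) {
            this.eventSinkExtension = iEventService;
            return this;
        }

        /** @return the synthetic user built from the extension's name, account and support email */
        public IUser getExtensionUser() {
            return this.extensionUser;
        }

        /** @return this instance, for chaining */
        public ExpiredTokenAccessAttempt setExtensionUser(IUser iUser) {
            this.extensionUser = iUser;
            return this;
        }

        /** @return the user who authorized the token and would be impersonated */
        public IUser getImpersonatedUser() {
            return this.impersonatedUser;
        }

        /** @return this instance, for chaining */
        public ExpiredTokenAccessAttempt setImpersonatedUser(IUser iUser) {
            this.impersonatedUser = iUser;
            return this;
        }

        /** @return the OAuth token transaction found for the presented token */
        public IOAuthTokenTransaction getOauthTx() {
            return this.oauthTx;
        }

        /** @return this instance, for chaining */
        public ExpiredTokenAccessAttempt setOAuthTx(IOAuthTokenTransaction iOAuthTokenTransaction) {
            this.oauthTx = iOAuthTokenTransaction;
            return this;
        }

        /** @return the DAO used to persist the status change */
        public IOAuthTokenTransactionDAO getOAuthTokenTxDAO() {
            return this.oAuthTokenTxDAO;
        }

        /** @return this instance, for chaining */
        public ExpiredTokenAccessAttempt setOAuthTokenTxDAO(IOAuthTokenTransactionDAO iOAuthTokenTransactionDAO) {
            this.oAuthTokenTxDAO = iOAuthTokenTransactionDAO;
            return this;
        }
    }

    /**
     * @param iContext platform context supplying the DAO, service and session factories
     */
    public OAuthAuthenticator(IContext iContext) {
        this.context = iContext;
    }

    /**
     * Validates a bearer access token and, when it is usable, returns the impersonated user.
     *
     * <p>Checks, in order: the token is known to the DAO; its stored status is not stale
     * (expired or refreshed); its stored status is {@code ActiveToken};
     * {@link OAuthTokenUtil#isBearerTokenExpired} does not report it expired; and the directory
     * service reports the authorizing user as enabled. Any failed check yields
     * {@code Optional.absent()} after recording a failure event.
     *
     * @param bearerToken the bearer access token presented by the client
     * @return the authenticated principal, or {@code Optional.absent()} when the token is rejected
     * @throws AuthenticationException declared by the {@link Authenticator} contract; this
     *     implementation does not throw it explicitly
     */
    @Override
    public Optional<IAuthenticatedUser> authenticate(String bearerToken) throws AuthenticationException {
        // Never log the token itself: anyone with log access could replay it while it is active.
        final String tokenId = tokenFingerprint(bearerToken);
        LOG.info("Attempting validate bearer access token {}", tokenId);

        IOAuthTokenTransactionDAO tokenTxDao = this.context.getDAOFactory().getOAuthTokenTransactionDAO();
        IOAuthTokenTransaction tokenTx = tokenTxDao.findByBearerToken(bearerToken);
        if (tokenTx == null) {
            LOG.warn("Bearer access token {} is not recognized", tokenId);
            User unknownCaller = new User();
            // NOTE(review): the presented token is copied verbatim into the event's user e-mail
            // field. If events are persisted or exported, credential-like material ends up
            // outside the token table. Kept as-is because event consumers may rely on it;
            // consider recording the fingerprint instead.
            unknownCaller.setEmailAddress(bearerToken);
            this.context.getServiceFactory().getEventService((IAccount) null)
                    .recordEvent(EventType.OAuthLoginFailure, null, null, unknownCaller);
            return Optional.absent();
        }
        LOG.debug("Successfully found oauth tx associated with bearer access token {}", tokenId);

        // Synthetic user that represents the extension in events and in the resulting principal.
        IExternalExtension extension = tokenTx.getExtension();
        IUser extensionUser = new User();
        extensionUser.setGivenName(extension.getName());
        extensionUser.setSurname(extension.getAccount().getName());
        extensionUser.setEmailAddress(extension.getSupportEmail());
        extensionUser.setAccount(extension.getAccount());

        IUser authorizingUser = tokenTx.getAuthorizingUser();
        IEventService extensionEvents = this.context.getServiceFactory().getEventService(extension.getAccount());
        IEventService impersonatedEvents = this.context.getServiceFactory().getEventService(authorizingUser.getAccount());

        // Built once; both stale-token paths below hand the same data to the failure handler.
        ExpiredTokenAccessAttempt staleAttempt = new ExpiredTokenAccessAttempt()
                .setExtension(extension)
                .setBearerAccessToken(bearerToken)
                .setEventSinkExtension(extensionEvents)
                .setEventSinkImpersonated(impersonatedEvents)
                .setExtensionUser(extensionUser)
                .setImpersonatedUser(authorizingUser)
                .setOAuthTx(tokenTx)
                .setOAuthTokenTxDAO(tokenTxDao);

        OAuthStatusType status = tokenTx.getBearerTokenStatus();
        if (status == OAuthStatusType.StaleToken_Expired || status == OAuthStatusType.StaleToken_Refreshed) {
            return logExpiredTokenAccessAttempt(this.context, staleAttempt);
        }
        if (status != OAuthStatusType.ActiveToken) {
            // The transaction WAS found; it is simply in a non-active, non-stale state. The
            // previous message ("never existed in the database") sent responders down the
            // wrong path when triaging failures.
            LOG.warn("bearer access token {} is not active (status {})", tokenId, status);
            extensionEvents.recordEvent(EventType.OAuthLoginFailure, extension.getAccount(), extensionUser, authorizingUser);
            impersonatedEvents.recordEvent(EventType.OAuthLoginFailure, tokenTx.getAuthorizingUser().getAccount(), tokenTx.getAuthorizingUser(), tokenTx.getExtension());
            return Optional.absent();
        }
        LOG.debug("bearer access token {} is still ACTIVE", tokenId);

        // Stored status can lag behind real expiry, so expiry is re-evaluated on every use.
        if (OAuthTokenUtil.isBearerTokenExpired(this.context, tokenTx)) {
            return logExpiredTokenAccessAttempt(this.context, staleAttempt);
        }
        LOG.debug("bearer access token {} is has NOT EXPIRED", tokenId);

        if (this.context.getServiceFactory().getDirectoryService().isUserEnabled(authorizingUser)) {
            LOG.debug("bearer access token {} impersonated user {} is ENABLED", tokenId, authorizingUser.getEmailAddress());
            AuthenticatedUser authenticatedUser = new AuthenticatedUser(authorizingUser, extensionUser);
            LOG.debug("Token exchanged successfully; impersonating username {}", authorizingUser.getEmailAddress());
            extensionEvents.recordEvent(EventType.OAuthLoginSuccess, extension.getAccount(), extensionUser, authorizingUser);
            impersonatedEvents.recordEvent(EventType.OAuthLoginSuccess, tokenTx.getAuthorizingUser().getAccount(), tokenTx.getAuthorizingUser(), tokenTx.getExtension());
            return Optional.of(authenticatedUser);
        }

        // Authorizing user is disabled: retire the token so later presentations fail at the
        // status check, then record the failure on both accounts.
        LOG.info("bearer access token {} denied because {} account was marked disabled", tokenId, authorizingUser.getEmailAddress());
        tokenTx.setBearerTokenStatus(OAuthStatusType.StaleToken_AuthorizingUserDisabled);
        tokenTxDao.update(tokenTx);
        this.context.getSessionFactory().getCurrentSession().getTransaction().commit();
        extensionEvents.recordEvent(EventType.OAuthLoginFailureDisabledUser, extension.getAccount(), extensionUser, authorizingUser);
        impersonatedEvents.recordEvent(EventType.OAuthLoginFailureDisabledUser, tokenTx.getAuthorizingUser().getAccount(), tokenTx.getAuthorizingUser(), tokenTx.getExtension());
        return Optional.absent();
    }

    /**
     * Marks the token transaction {@code StaleToken_Expired}, commits, and records a
     * stale-token failure event on both the extension's and the authorizing user's event sinks.
     *
     * <p>NOTE(review): a transaction already in {@code StaleToken_Refreshed} is overwritten
     * with {@code StaleToken_Expired} here, so the stored record no longer shows that the
     * token was retired by a refresh. Every presentation of a stale token also triggers an
     * update and a commit. Confirm both are intended.
     *
     * @param iContext platform context used to reach the current session's transaction
     * @param expiredTokenAccessAttempt data describing the rejected attempt
     * @return always {@code Optional.absent()}
     */
    private Optional<IAuthenticatedUser> logExpiredTokenAccessAttempt(IContext iContext, ExpiredTokenAccessAttempt expiredTokenAccessAttempt) {
        IOAuthTokenTransaction staleTx = expiredTokenAccessAttempt.getOauthTx();
        LOG.warn("bearer access token {} EXPIRED or REFRESHED and cannot be used",
                tokenFingerprint(expiredTokenAccessAttempt.getBearerAccessToken()));
        staleTx.setBearerTokenStatus(OAuthStatusType.StaleToken_Expired);
        expiredTokenAccessAttempt.getOAuthTokenTxDAO().update(staleTx);
        iContext.getSessionFactory().getCurrentSession().getTransaction().commit();
        expiredTokenAccessAttempt.getEventSinkExtension().recordEvent(EventType.OAuthLoginFailureStaleBearerAccessToken, expiredTokenAccessAttempt.getExtension().getAccount(), expiredTokenAccessAttempt.getExtensionUser(), expiredTokenAccessAttempt.getImpersonatedUser());
        expiredTokenAccessAttempt.getEventSinkImpersonated().recordEvent(EventType.OAuthLoginFailureStaleBearerAccessToken, staleTx.getAuthorizingUser().getAccount(), staleTx.getAuthorizingUser(), staleTx.getExtension());
        return Optional.absent();
    }

    /**
     * Produces a log-safe identifier for a bearer token: the first {@value #FINGERPRINT_BYTES}
     * bytes of its SHA-256 digest, hex-encoded and prefixed with {@code sha256:}.
     *
     * <p>The same token always maps to the same fingerprint, so log lines can still be
     * correlated, but the token cannot be recovered from it. This assumes tokens are
     * high-entropy random values; the digest is unsalted and would not protect guessable input.
     *
     * @param token raw bearer token, may be {@code null}
     * @return the fingerprint, {@code "<null>"} for a null token, or {@code "<redacted>"} if
     *     SHA-256 is unavailable
     */
    private static String tokenFingerprint(String token) {
        if (token == null) {
            return "<null>";
        }
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder("sha256:");
            for (int i = 0; i < FINGERPRINT_BYTES; i++) {
                hex.append(String.format("%02x", digest[i] & 0xff));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            // Fail closed: losing correlation is preferable to writing the credential to the log.
            return "<redacted>";
        }
    }
}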
