package com.azure.spring.aad.webapp;

import com.azure.spring.autoconfigure.aad.AADAuthenticationProperties;
import com.azure.spring.autoconfigure.aad.AADTokenClaim;
import com.azure.spring.autoconfigure.aad.Constants;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.oidc.OidcIdToken;
import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.util.StringUtils;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

/* loaded from: input_file:com/azure/spring/aad/webapp/AADOAuth2UserService.class */
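/**
 * {@link OAuth2UserService} for Azure AD web applications.
 *
 * <p>User loading is delegated to {@link OidcUserService}; this class then derives the granted
 * authorities from two sources: the {@code roles} claim of the ID token (app roles, prefixed with
 * {@link Constants#APPROLE_PREFIX}) and the user's group membership fetched from Microsoft Graph
 * with the access token (prefixed with {@link Constants#ROLE_PREFIX}, filtered by the configured
 * group-name and group-id allow-lists). When neither source yields an authority,
 * {@link Constants#DEFAULT_AUTHORITY_SET} is used.
 *
 * <p>The resulting {@link DefaultOidcUser} is stored in the HTTP session under
 * {@value #DEFAULT_OIDC_USER}. While an {@link Authentication} is present in the
 * {@link SecurityContextHolder}, the stored user is returned as-is, so authorities are not
 * refreshed from a later token within the same session.
 */
public class AADOAuth2UserService implements OAuth2UserService<OidcUserRequest, OidcUser> {
    // Delegate that performs the actual OIDC user-info loading.
    private final OidcUserService oidcUserService;
    // Group display names that map to authorities; empty disables name-based mapping.
    private final List<String> allowedGroupNames;
    // Group ids that map to authorities; empty disables id-based mapping. A single entry "all"
    // acts as a wildcard (see isAllowedGroupId).
    private final Set<String> allowedGroupIds;
    // When true every group id returned by Graph is accepted, regardless of allowedGroupIds.
    private final boolean enableFullList;
    // Client used to look up group membership with the user's access token.
    private final GraphClient graphClient;
    // Session attribute key under which the computed user is cached.
    private static final String DEFAULT_OIDC_USER = "defaultOidcUser";
    // ID-token claim carrying the app roles.
    private static final String ROLES = "roles";

    /**
     * Creates a service backed by a new {@link GraphClient} built from the same properties.
     *
     * @param aADAuthenticationProperties the AAD configuration; may be {@code null}, in which
     *                                    case no group allow-lists are applied
     */
    public AADOAuth2UserService(AADAuthenticationProperties aADAuthenticationProperties) {
        this(aADAuthenticationProperties, new GraphClient(aADAuthenticationProperties));
    }

    /**
     * Creates a service with an explicit Graph client.
     *
     * @param aADAuthenticationProperties the AAD configuration; may be {@code null} (all
     *                                    user-group settings then fall back to empty / false)
     * @param graphClient                 client used for group lookups
     */
    public AADOAuth2UserService(AADAuthenticationProperties aADAuthenticationProperties, GraphClient graphClient) {
        // Properties and the nested user-group section may both be absent; every setting is
        // resolved null-safely so the service still works without group-based authorities.
        Optional<AADAuthenticationProperties> properties = Optional.ofNullable(aADAuthenticationProperties);
        this.allowedGroupNames = properties
            .map(AADAuthenticationProperties::getUserGroup)
            .map(userGroup -> userGroup.getAllowedGroupNames())
            .orElseGet(Collections::emptyList);
        this.allowedGroupIds = properties
            .map(AADAuthenticationProperties::getUserGroup)
            .map(userGroup -> userGroup.getAllowedGroupIds())
            .orElseGet(Collections::emptySet);
        this.enableFullList = properties
            .map(AADAuthenticationProperties::getUserGroup)
            .map(userGroup -> userGroup.getEnableFullList())
            .orElse(false);
        this.oidcUserService = new OidcUserService();
        this.graphClient = graphClient;
    }

    /**
     * Loads the OIDC user and attaches the AAD-derived authorities.
     *
     * @param oidcUserRequest the user request carrying the ID token and the access token
     * @return the user with app-role and group authorities, or with
     *         {@link Constants#DEFAULT_AUTHORITY_SET} when neither source yields any
     * @throws OAuth2AuthenticationException if the delegate {@link OidcUserService} fails
     */
    @Override
    public OidcUser loadUser(OidcUserRequest oidcUserRequest) throws OAuth2AuthenticationException {
        OidcIdToken idToken = this.oidcUserService.loadUser(oidcUserRequest).getIdToken();
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        HttpSession session = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes())
            .getRequest()
            .getSession(true);
        if (authentication != null) {
            // An authentication already exists in this session, so the authorities computed at
            // first login are reused instead of being recomputed from this token.
            // NOTE(review): presumably this serves re-authorization of the same user for a
            // further client registration — confirm against the callers.
            // Only fall through when nothing was cached, so this method never returns null.
            DefaultOidcUser cachedUser = (DefaultOidcUser) session.getAttribute(DEFAULT_OIDC_USER);
            if (cachedUser != null) {
                return cachedUser;
            }
        }
        DefaultOidcUser defaultOidcUser = new DefaultOidcUser(
            buildAuthorities(idToken, oidcUserRequest.getAccessToken()),
            idToken,
            resolveNameAttributeKey(oidcUserRequest));
        session.setAttribute(DEFAULT_OIDC_USER, defaultOidcUser);
        return defaultOidcUser;
    }

    /**
     * Combines app roles from the ID token and group roles from Graph into granted authorities,
     * falling back to {@link Constants#DEFAULT_AUTHORITY_SET} when the combined set is empty.
     */
    private Set<SimpleGrantedAuthority> buildAuthorities(OidcIdToken idToken, OAuth2AccessToken accessToken) {
        Set<String> authorityStrings = new HashSet<>();
        authorityStrings.addAll(extractRolesFromIdToken(idToken));
        authorityStrings.addAll(extractGroupRolesFromAccessToken(accessToken));
        Set<SimpleGrantedAuthority> authorities = authorityStrings.stream()
            .map(SimpleGrantedAuthority::new)
            .collect(Collectors.toSet());
        return authorities.isEmpty() ? Constants.DEFAULT_AUTHORITY_SET : authorities;
    }

    /**
     * Returns the configured user-name attribute of the client registration's user-info endpoint,
     * or {@link AADTokenClaim#NAME} when it is missing or blank.
     */
    private static String resolveNameAttributeKey(OidcUserRequest oidcUserRequest) {
        return Optional.of(oidcUserRequest)
            .map(request -> request.getClientRegistration())
            .map(registration -> registration.getProviderDetails())
            .map(providerDetails -> providerDetails.getUserInfoEndpoint())
            .map(userInfoEndpoint -> userInfoEndpoint.getUserNameAttributeName())
            .filter(StringUtils::hasText)
            .orElse(AADTokenClaim.NAME);
    }

    /**
     * Maps the {@code roles} claim of the ID token to authority strings prefixed with
     * {@link Constants#APPROLE_PREFIX}.
     *
     * <p>Only a claim that is a {@link List} is honoured. A {@code null} token, a missing claim or
     * a claim of any other type (for instance a bare string) yields an empty set instead of a
     * {@link ClassCastException}; {@code null} and blank entries are skipped.
     *
     * @param oidcIdToken the ID token, may be {@code null}
     * @return the app-role authority strings, never {@code null}
     */
    Set<String> extractRolesFromIdToken(OidcIdToken oidcIdToken) {
        if (oidcIdToken == null) {
            return Collections.emptySet();
        }
        Object rolesClaim = oidcIdToken.getClaim(ROLES);
        if (!(rolesClaim instanceof List)) {
            // Check the runtime type before touching the value; the claim is externally supplied.
            return Collections.emptySet();
        }
        return ((List<?>) rolesClaim).stream()
            .filter(Objects::nonNull)
            .map(Object::toString)
            .filter(StringUtils::hasText)
            .map(role -> Constants.APPROLE_PREFIX + role)
            .collect(Collectors.toSet());
    }

    /**
     * Looks up the user's group membership via Graph and maps the groups passing the allow-lists
     * to authority strings prefixed with {@link Constants#ROLE_PREFIX}.
     *
     * <p>No Graph call is made when both allow-lists are empty. Group names are matched exactly
     * against {@code allowedGroupNames}; group ids go through {@link #isAllowedGroupId(String)}.
     *
     * @param oAuth2AccessToken the access token presented to Graph
     * @return the group authority strings, never {@code null}
     */
    Set<String> extractGroupRolesFromAccessToken(OAuth2AccessToken oAuth2AccessToken) {
        if (this.allowedGroupNames.isEmpty() && this.allowedGroupIds.isEmpty()) {
            return Collections.emptySet();
        }
        GroupInformation groupInformation = getGroupInformation(oAuth2AccessToken);
        Set<String> matchedGroups = new HashSet<>();
        if (!this.allowedGroupNames.isEmpty()) {
            streamOf(groupInformation.getGroupsNames())
                .filter(this.allowedGroupNames::contains)
                .forEach(matchedGroups::add);
        }
        if (!this.allowedGroupIds.isEmpty()) {
            streamOf(groupInformation.getGroupsIds())
                .filter(this::isAllowedGroupId)
                .forEach(matchedGroups::add);
        }
        return matchedGroups.stream()
            .map(group -> Constants.ROLE_PREFIX + group)
            .collect(Collectors.toSet());
    }

    /** Streams a group collection, treating a {@code null} collection as empty. */
    private static Stream<String> streamOf(Collection<String> values) {
        return values == null ? Stream.empty() : values.stream();
    }

    /**
     * Whether a group id passes the id allow-list.
     *
     * <p>Every id is accepted when {@code enableFullList} is set or when the allow-list consists of
     * the single wildcard entry {@code "all"}; otherwise the id must be listed explicitly. Note
     * that the wildcard forms grant an authority for every group the user belongs to.
     */
    private boolean isAllowedGroupId(String groupId) {
        if (this.enableFullList) {
            return true;
        }
        boolean wildcard = this.allowedGroupIds.size() == 1 && this.allowedGroupIds.contains("all");
        return wildcard || this.allowedGroupIds.contains(groupId);
    }

    /**
     * Fetches group membership from Graph using the access token's value. A token without a value
     * yields an empty {@link GroupInformation} and no Graph call is made.
     *
     * @param oAuth2AccessToken the access token, must not be {@code null}
     */
    private GroupInformation getGroupInformation(OAuth2AccessToken oAuth2AccessToken) {
        return Optional.of(oAuth2AccessToken)
            .map(OAuth2AccessToken::getTokenValue)
            .map(this.graphClient::getGroupInformation)
            .orElseGet(GroupInformation::new);
    }
}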
