package com.vertexinc.oseries.security;

import com.vertexinc.common.fw.rba.domain.AppUser;
import com.vertexinc.common.fw.rba.domain.ClientClaimMappingDao;
import com.vertexinc.common.fw.rba.domain.SubjectClaimMappingDao;
import com.vertexinc.common.fw.rba.ipersist.AppRolePersister;
import com.vertexinc.common.fw.rba.ipersist.AppUserPersister;
import com.vertexinc.common.fw.rba.ipersist.AppUserPersisterException;
import com.vertexinc.common.fw.rba.ipersist.ClientClaimMappingPersister;
import com.vertexinc.common.fw.rba.ipersist.SubjectClaimMappingPersister;
import com.vertexinc.common.fw.sprt.ipersist.SourcePersisterException;
import com.vertexinc.oseries.security.service.AppRoleAuthorityConverter;
import com.vertexinc.oseries.security.service.SecurityHelper;
import com.vertexinc.util.error.VertexException;
import java.util.Collection;
import java.util.Map;
import java.util.stream.Collectors;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.access.AuthorizationServiceException;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.oauth2.core.DefaultOAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication;
import org.springframework.stereotype.Service;

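/**
 * Converts a signature-verified {@link Jwt} into a {@link BearerTokenAuthentication} whose
 * principal is an application {@link AppUser} and whose authorities are the user's roles.
 *
 * <p>The application user id is resolved in {@link #getUserId(Map)} in this order:
 * <ol>
 *   <li>a {@code userId} claim, when present, is used directly;</li>
 *   <li>a token with no {@code sub} is resolved through the issuer / {@code client_id}
 *       client-claim mapping;</li>
 *   <li>a token carrying {@code gty=client-credentials} and a non-empty {@code azp} is resolved
 *       through the issuer / {@code azp} client-claim mapping;</li>
 *   <li>any other token is resolved through the issuer / subject mapping.</li>
 * </ol>
 *
 * <p>NOTE(review): this class performs no validation of signature, expiry or {@code iss} beyond
 * using the issuer as a mapping key; it relies on the {@code JwtDecoder} in front of it. A
 * {@code userId} claim in particular is honoured from any token the decoder accepts without
 * consulting the mapping tables, and a {@code gty}/{@code azp} pair overrides the subject
 * mapping — confirm that no trusted issuer lets end users mint those claims.
 *
 * <p>Every resolution failure surfaces as a {@link UsernameNotFoundException}; a disabled
 * user surfaces as an {@link AuthorizationServiceException}.
 */
@Service
/* loaded from: input_file:patchedFiles.zip:web/vertex-ws.war:WEB-INF/lib/vertex-oseries-security-lib.jar:com/vertexinc/oseries/security/CustomJwtAuthenticationConverter.class */
public class CustomJwtAuthenticationConverter implements Converter<Jwt, AbstractAuthenticationToken> {
    private static final Logger logger = LoggerFactory.getLogger((Class<?>) CustomJwtAuthenticationConverter.class);
    private final AppUserPersister appUserPersister;
    private final AppRolePersister appRolePersister;
    private final SecurityHelper securityHelper;
    private final SubjectClaimMappingPersister subjectClaimMappingPersister;
    private final ClientClaimMappingPersister clientClaimMappingPersister;
    /** Claim holding an application user id directly (integral JSON number). */
    protected static final String CLAIM_USERID = "userId";
    /** Grant-type claim; {@link #CLAIM_GTY_VALUE} marks a client-credentials token. */
    protected static final String CLAIM_GTY = "gty";
    protected static final String CLAIM_GTY_VALUE = "client-credentials";
    /** Authorized-party claim; used as the client id for client-credentials tokens. */
    protected static final String CLAIM_AZP = "azp";
    private static final String CLAIM_ISS = "iss";
    private static final String CLAIM_SUB = "sub";
    private static final String CLAIM_CLIENT_ID = "client_id";

    /**
     * Creates the converter with the persisters and helper it needs.
     *
     * @param appUserPersister             loads the {@link AppUser} by primary key
     * @param appRolePersister             loads the roles referenced by the user
     * @param securityHelper               sets up the per-user system context
     * @param subjectClaimMappingPersister issuer / subject to user id mapping
     * @param clientClaimMappingPersister  issuer / client id to user id mapping
     */
    public CustomJwtAuthenticationConverter(AppUserPersister appUserPersister, AppRolePersister appRolePersister, SecurityHelper securityHelper, SubjectClaimMappingPersister subjectClaimMappingPersister, ClientClaimMappingPersister clientClaimMappingPersister) {
        this.appUserPersister = appUserPersister;
        this.appRolePersister = appRolePersister;
        this.securityHelper = securityHelper;
        this.subjectClaimMappingPersister = subjectClaimMappingPersister;
        this.clientClaimMappingPersister = clientClaimMappingPersister;
    }

    /**
     * Returns the claim {@code name} as a string, or {@code null} when it is absent or not a
     * string. A non-string value for a claim the RFC defines as StringOrURI is a malformed
     * token; treating it as missing lets it fail as an authentication error rather than as an
     * unhandled {@link ClassCastException}.
     */
    private static String claimAsString(Map<String, Object> claims, String name) {
        Object value = claims.get(name);
        return value instanceof String ? (String) value : null;
    }

    /**
     * Resolves the application user id for a set of token claims (see class Javadoc for the
     * precedence of the four resolution paths).
     *
     * @param map the verified token's claims
     * @return the application user id, never {@code null}
     * @throws UsernameNotFoundException when required claims are missing or malformed, when no
     *                                   mapping exists, or when the mapping lookup fails
     */
    protected Long getUserId(Map<String, Object> map) {
        Object explicitUserId = map.get(CLAIM_USERID);
        if (explicitUserId != null) {
            // Only integral numbers are accepted. JSON parsers differ on whether small
            // integers arrive as Integer or Long; anything else (string, floating point) is
            // rejected as an authentication failure instead of escaping as a ClassCastException.
            if (explicitUserId instanceof Long || explicitUserId instanceof Integer) {
                return ((Number) explicitUserId).longValue();
            }
            throw new UsernameNotFoundException("Invalid userId claim in token.");
        }
        String issuer = claimAsString(map, CLAIM_ISS);
        String subject = claimAsString(map, CLAIM_SUB);
        String clientId = claimAsString(map, CLAIM_CLIENT_ID);
        // Every remaining path keys its mapping lookup on the issuer, so it is mandatory.
        if (issuer == null) {
            throw new UsernameNotFoundException("Missing required claim in token.");
        }
        if (subject == null) {
            // No subject: this can only be a client token, identified by client_id.
            if (clientId == null) {
                throw new UsernameNotFoundException("Missing required claim in token.");
            }
            return lookupUserId(issuer, clientId);
        }
        // Client-credentials tokens (Auth0-style gty/azp claims) are mapped by authorized party
        // even though they carry a subject.
        String grantType = claimAsString(map, CLAIM_GTY);
        String authorizedParty = claimAsString(map, CLAIM_AZP);
        boolean isClientCredentials = grantType != null && grantType.equalsIgnoreCase(CLAIM_GTY_VALUE);
        if (isClientCredentials && authorizedParty != null && !authorizedParty.isEmpty()) {
            return lookupUserId(issuer, authorizedParty);
        }
        try {
            SubjectClaimMappingDao mapping = this.subjectClaimMappingPersister.findByIssuerAndSubject(issuer, subject);
            if (mapping != null) {
                return mapping.getUserId();
            }
            // NOTE(review): issuer and subject are token-controlled values; if these logs feed
            // automated tooling, consider stripping line breaks before logging.
            logger.error("Unable to verify Identity.- issuer: {}, subject: {}", issuer, subject);
            throw new UsernameNotFoundException("Unable to verify Identity.");
        } catch (VertexException e) {
            throw new UsernameNotFoundException("Error on identity verification.", e);
        }
    }

    /**
     * Resolves a user id through the issuer / client id mapping table.
     *
     * @param str  the token issuer
     * @param str2 the client id ({@code client_id} or {@code azp} claim)
     * @return the mapped application user id
     * @throws UsernameNotFoundException when no mapping exists or the lookup fails
     */
    protected Long lookupUserId(String str, String str2) {
        try {
            ClientClaimMappingDao mapping = this.clientClaimMappingPersister.findByIssuerAndClientId(str, str2);
            if (mapping != null) {
                return mapping.getUserId();
            }
            // NOTE(review): both values are token-controlled; see the note in getUserId.
            logger.error("Unable to verify Identity.- issuer: {}, clientId: {}", str, str2);
            throw new UsernameNotFoundException("Unable to verify Identity.");
        } catch (VertexException e) {
            throw new UsernameNotFoundException("Error on identity verification.", e);
        }
    }

    /**
     * Builds the authentication for a verified token: resolves the user id, loads and checks
     * the user, converts its roles to granted authorities and sets up the system context.
     *
     * @param jwt the decoded, signature-verified token
     * @return a {@link BearerTokenAuthentication} carrying the user's authorities
     * @throws UsernameNotFoundException     when the user cannot be resolved or loaded
     * @throws AuthorizationServiceException when the resolved user is disabled
     */
    @Override // org.springframework.core.convert.converter.Converter
    public AbstractAuthenticationToken convert(Jwt jwt) {
        OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, jwt.getTokenValue(), jwt.getIssuedAt(), jwt.getExpiresAt());
        Map<String, Object> claims = jwt.getClaims();
        long userId = getUserId(claims).longValue();
        try {
            AppUser user = this.appUserPersister.findByPK(userId);
            if (user == null) {
                throw new UsernameNotFoundException("User not found: " + userId);
            }
            // A disabled account is a valid identity that must not be granted access.
            if (user.isDisabled()) {
                throw new AuthorizationServiceException("Unable to access the system");
            }
            Collection authorities = (Collection) this.appRolePersister.find(user.getRoleIds()).values().stream().map(appRole -> {
                return AppRoleAuthorityConverter.toGrantedAuthority(appRole.getName());
            }).collect(Collectors.toList());
            DefaultOAuth2AuthenticatedPrincipal principal = new DefaultOAuth2AuthenticatedPrincipal(user.getUserName(), claims, authorities);
            try {
                // NOTE(review): this mutates system context as a side effect of converting the
                // token, before any later authentication step can still reject the request.
                this.securityHelper.setupSystemContext(user);
                return new BearerTokenAuthentication(principal, accessToken, authorities);
            } catch (SourcePersisterException e) {
                // Report the resolved id rather than the raw claim, which is null whenever the
                // id came from a mapping table instead of a userId claim.
                throw new UsernameNotFoundException("Error reading user, unable to read partition information: " + userId, e);
            }
        } catch (AppUserPersisterException e2) {
            throw new UsernameNotFoundException("User not found: " + userId, e2);
        }
    }
}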
