package org.molgenis.security.google;

import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.googleapis.auth.oauth2.GooglePublicKeysManager;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Collection;
import java.util.Collections;
import java.util.Objects;
import java.util.UUID;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.molgenis.auth.MolgenisGroup;
import org.molgenis.auth.MolgenisGroupMember;
import org.molgenis.auth.MolgenisUser;
import org.molgenis.data.DataService;
import org.molgenis.data.settings.AppSettings;
import org.molgenis.data.support.QueryImpl;
import org.molgenis.security.account.AccountService;
import org.molgenis.security.core.runas.RunAsSystemProxy;
import org.molgenis.security.core.token.UnknownTokenException;
import org.molgenis.security.login.MolgenisLoginController;
import org.molgenis.security.user.MolgenisUserDetailsService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

/* loaded from: input_file:org/molgenis/security/google/GoogleAuthenticationProcessingFilter.class */
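/**
 * Authenticates requests that POST a Google ID token to {@value #GOOGLE_AUTHENTICATION_URL}.
 *
 * <p>The token is verified against Google's public keys for the audience configured in
 * {@link AppSettings}; the verified payload is then mapped to a MOLGENIS user, which is looked up
 * by Google account id, then by e-mail (linking the account), and finally created on first login
 * when sign-up is enabled and not moderated. Every failure is raised as an
 * {@link AuthenticationException} so the configured failure handler redirects to {@code /login?error}.
 */
public class GoogleAuthenticationProcessingFilter extends AbstractAuthenticationProcessingFilter {
    private static final Logger LOG = LoggerFactory.getLogger(GoogleAuthenticationProcessingFilter.class);
    public static final String GOOGLE_AUTHENTICATION_URL = "/login/google";
    static final String PARAM_ID_TOKEN = "id_token";
    private static final String PROFILE_KEY_GIVEN_NAME = "given_name";
    private static final String PROFILE_KEY_FAMILY_NAME = "family_name";
    /** Entity names used for the DataService lookups and writes below. */
    private static final String USER_ENTITY = "molgenisUser";
    private static final String GROUP_ENTITY = "molgenisGroup";
    private static final String GROUP_MEMBER_ENTITY = "MolgenisGroupMember";
    private final GooglePublicKeysManager googlePublicKeysManager;
    private final DataService dataService;
    private final MolgenisUserDetailsService molgenisUserDetailsService;
    private final AppSettings appSettings;

    /**
     * Creates the filter for {@code POST /login/google} with a failure handler that redirects to
     * {@code /login?error}.
     *
     * @throws NullPointerException if any collaborator is {@code null}
     */
    @Autowired
    public GoogleAuthenticationProcessingFilter(GooglePublicKeysManager googlePublicKeysManager, DataService dataService, MolgenisUserDetailsService molgenisUserDetailsService, AppSettings appSettings) {
        super(new AntPathRequestMatcher(GOOGLE_AUTHENTICATION_URL, HttpMethod.POST.toString()));
        setAuthenticationFailureHandler(new SimpleUrlAuthenticationFailureHandler("/login?error"));
        this.googlePublicKeysManager = Objects.requireNonNull(googlePublicKeysManager, "googlePublicKeysManager");
        this.dataService = Objects.requireNonNull(dataService, "dataService");
        this.molgenisUserDetailsService = Objects.requireNonNull(molgenisUserDetailsService, "molgenisUserDetailsService");
        this.appSettings = Objects.requireNonNull(appSettings, "appSettings");
    }

    /**
     * Verifies the {@code id_token} request parameter and turns its payload into an authenticated
     * token.
     *
     * @throws AuthenticationServiceException if Google sign-in is disabled or the public keys cannot
     *     be retrieved
     * @throws UnknownTokenException if the parameter is missing or the signature cannot be checked
     * @throws BadCredentialsException if the token does not verify
     */
    @Override
    public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException, IOException, ServletException {
        if (!this.appSettings.getGoogleSignIn()) {
            throw new AuthenticationServiceException("Google authentication not available");
        }
        String idToken = httpServletRequest.getParameter(PARAM_ID_TOKEN);
        if (idToken == null || idToken.isEmpty()) {
            // name the missing parameter instead of passing the null value as the message
            throw new UnknownTokenException("Missing required request parameter [" + PARAM_ID_TOKEN + "]");
        }
        try {
            GoogleIdToken verifiedToken = verify(idToken);
            if (verifiedToken == null) {
                // Do not echo the raw token: the failure handler stores the exception in the
                // session and the filter may log it, so the message must not carry the credential.
                throw new BadCredentialsException("Google ID token verification failed");
            }
            return createAuthentication(verifiedToken.getPayload());
        } catch (GeneralSecurityException e) {
            throw new UnknownTokenException(e.getMessage(), e);
        } catch (IOException e) {
            // Fetching Google's public keys failed: a system problem, not a credential problem,
            // so route it through the failure handler rather than letting the container see it.
            throw new AuthenticationServiceException("Google ID token could not be verified", e);
        }
    }

    /**
     * Verifies the token with a {@link GoogleIdTokenVerifier} bound to the configured public keys
     * and the Google client id from {@link AppSettings} as the sole accepted audience.
     *
     * @return the verified token, or {@code null} when verification fails
     * @throws GeneralSecurityException if the signature cannot be checked
     * @throws IOException if the public keys cannot be retrieved
     */
    private GoogleIdToken verify(String idToken) throws GeneralSecurityException, IOException {
        GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(this.googlePublicKeysManager)
                .setAudience(Collections.singletonList(this.appSettings.getGoogleAppClientId()))
                .build();
        return verifier.verify(idToken);
    }

    /**
     * Maps a verified payload to the MOLGENIS user it identifies and builds the authentication.
     *
     * @throws AuthenticationServiceException if the {@code email} claim is absent or not verified
     * @throws DisabledException if the resolved user is not active
     */
    private Authentication createAuthentication(GoogleIdToken.Payload payload) {
        String email = payload.getEmail();
        if (email == null) {
            throw new AuthenticationServiceException("Google ID token is missing required [email] claim, did you forget to specify scope [email]?");
        }
        // Fail closed: the e-mail is used below to link the Google account to an existing
        // MOLGENIS user, so an absent email_verified claim must not count as verified.
        if (!Boolean.TRUE.equals(payload.getEmailVerified())) {
            throw new AuthenticationServiceException("Google account email is not verified");
        }
        String googleAccountId = payload.getSubject();
        String accessTokenHash = payload.getAccessTokenHash();
        String givenName = profileClaim(payload, PROFILE_KEY_GIVEN_NAME);
        String familyName = profileClaim(payload, PROFILE_KEY_FAMILY_NAME);
        // user lookup, linking and creation need system privileges
        return (Authentication) RunAsSystemProxy.runAsSystem(() -> {
            MolgenisUser user = findOrLinkUser(googleAccountId, email, givenName, familyName);
            if (!Boolean.TRUE.equals(user.isActive())) {
                throw new DisabledException(MolgenisLoginController.ERROR_MESSAGE_DISABLED);
            }
            return new UsernamePasswordAuthenticationToken(user.getUsername(), accessTokenHash, this.molgenisUserDetailsService.getAuthorities(user));
        });
    }

    /**
     * Resolves the MOLGENIS user for a verified Google identity: first a user already linked to
     * the Google account id; otherwise a user with the same e-mail, which gets linked to the
     * account; otherwise a newly created user. Must run with system privileges.
     */
    private MolgenisUser findOrLinkUser(String googleAccountId, String email, String givenName, String familyName) {
        MolgenisUser user = (MolgenisUser) this.dataService.findOne(USER_ENTITY, QueryImpl.EQ(MolgenisUser.GOOGLEACCOUNTID, googleAccountId), MolgenisUser.class);
        if (user != null) {
            return user;
        }
        user = (MolgenisUser) this.dataService.findOne(USER_ENTITY, QueryImpl.EQ(MolgenisUser.EMAIL, email), MolgenisUser.class);
        if (user != null) {
            // first Google login of an existing account: persist the link for subsequent logins
            user.setGoogleAccountId(googleAccountId);
            this.dataService.update(USER_ENTITY, user);
            return user;
        }
        return createMolgenisUser(email, email, givenName, familyName, googleAccountId);
    }

    /** Returns the string form of an optional profile claim, or {@code null} when it is absent. */
    private static String profileClaim(GoogleIdToken.Payload payload, String key) {
        Object value = payload.get(key);
        return value != null ? value.toString() : null;
    }

    /**
     * Creates an active, non-superuser MOLGENIS user for a first Google login and adds it to the
     * all-users group.
     *
     * @param username login name (the e-mail address in the current caller)
     * @param email e-mail address
     * @param firstName optional given name, skipped when {@code null}
     * @param lastName optional family name, skipped when {@code null}
     * @param googleAccountId Google subject to link the user to
     * @throws AuthenticationServiceException if sign-up is disabled, sign-up moderation is
     *     enabled, or the all-users group does not exist
     */
    private MolgenisUser createMolgenisUser(String username, String email, String firstName, String lastName, String googleAccountId) {
        if (!this.appSettings.getSignUp()) {
            throw new AuthenticationServiceException("Google authentication not possible: sign up disabled");
        }
        if (this.appSettings.getSignUpModeration()) {
            throw new AuthenticationServiceException("Google authentication not possible: sign up moderation enabled");
        }
        MolgenisGroup allUsersGroup = (MolgenisGroup) this.dataService.findOne(GROUP_ENTITY, QueryImpl.EQ("name", AccountService.ALL_USER_GROUP), MolgenisGroup.class);
        if (allUsersGroup == null) {
            // resolve the group before writing the user so a misconfigured instance does not
            // leave a user without a group membership
            throw new AuthenticationServiceException("Google authentication not possible: group [" + AccountService.ALL_USER_GROUP + "] not found");
        }
        LOG.info("first login for [{}], creating MOLGENIS user", username);
        MolgenisUser user = new MolgenisUser();
        user.setUsername(username);
        // the account is only ever meant to authenticate via Google; a random, never-disclosed
        // password keeps the password field populated without enabling password login in practice
        user.setPassword(UUID.randomUUID().toString());
        user.setEmail(email);
        user.setActive(true);
        user.setSuperuser(false);
        user.setChangePassword(false);
        if (firstName != null) {
            user.setFirstName(firstName);
        }
        if (lastName != null) {
            user.setLastName(lastName);
        }
        user.setGoogleAccountId(googleAccountId);
        this.dataService.add(USER_ENTITY, user);
        MolgenisGroupMember membership = new MolgenisGroupMember();
        membership.setMolgenisGroup(allUsersGroup);
        membership.setMolgenisUser(user);
        this.dataService.add(GROUP_MEMBER_ENTITY, membership);
        return user;
    }
}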
