package net.bluemind.keycloak.utils;

import com.google.common.base.Strings;
import io.vertx.core.json.DecodeException;
import io.vertx.core.json.JsonObject;
import java.net.MalformedURLException;
import java.net.URI;
import java.util.Collections;
import java.util.Map;
import java.util.Optional;
import net.bluemind.core.api.auth.AuthDomainProperties;
import net.bluemind.core.api.auth.AuthTypes;
import net.bluemind.core.api.fault.ErrorCode;
import net.bluemind.core.api.fault.ServerFault;
import net.bluemind.core.container.model.ItemValue;
import net.bluemind.core.context.SecurityContext;
import net.bluemind.core.rest.BmContext;
import net.bluemind.core.rest.ServerSideServiceProvider;
import net.bluemind.domain.api.Domain;
import net.bluemind.domain.api.DomainSettingsKeys;
import net.bluemind.domain.api.IDomainSettings;
import net.bluemind.domain.api.IDomains;
import net.bluemind.utils.SyncHttpClient;

/* loaded from: input_file:net/bluemind/keycloak/utils/AuthConfigHelper.class */
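/**
 * Validates the authentication settings of a domain (Kerberos, CAS, OpenID) before they are
 * accepted. Every rejected configuration is reported as a {@link ServerFault} carrying
 * {@link ErrorCode#INVALID_AUTH_PARAMETER}.
 *
 * <p>Review notes: several checks look at <em>other</em> domains and read their settings with
 * {@link SecurityContext#SYSTEM}; the resulting fault messages name the conflicting domain's
 * default alias. The OpenID check makes an outbound HTTP request to an administrator-supplied
 * URL from the server itself.
 */
public class AuthConfigHelper {
    private static final String GLOBAL_VIRT = "global.virt";
    private static final String CAS_URL_ERROR = "CAS server URL must be a valid http URL ending with a '/'";

    private AuthConfigHelper() {
    }

    /**
     * Validates the authentication configuration carried by {@code domain}.
     *
     * @param bmContext caller context; its security context is used to reach the domain services
     * @param domain    domain whose {@code properties} hold the authentication parameters
     * @param z         when {@code true}, only the CAS check runs, against an empty settings map;
     *                  when {@code false}, the stored domain settings are loaded and all three
     *                  checks run. NOTE(review): presumably a "domain is being created" flag;
     *                  confirm against callers.
     * @throws ServerFault if any check rejects the configuration
     */
    public static void checkDomain(BmContext bmContext, Domain domain, boolean z) {
        if (z) {
            checkCas(bmContext, domain, Collections.emptyMap());
            return;
        }
        // NOTE(review): getDomainUid returns null when the name matches no domain, and that null
        // is passed on as the settings container uid. Confirm callers only pass existing domains.
        Map<String, String> settings = ServerSideServiceProvider.getProvider(bmContext.getSecurityContext())
                .instance(IDomainSettings.class, getDomainUid(bmContext, domain)).get();
        checkKerberos(bmContext, domain, settings);
        checkCas(bmContext, domain, settings);
        checkExternal(domain, settings);
    }

    /**
     * Validates a candidate settings map against the stored domain identified by {@code str}.
     *
     * @param bmContext caller context
     * @param str       uid of the domain to load
     * @param map       domain settings to validate (may be {@code null})
     * @throws ServerFault if any check rejects the configuration
     */
    public static void checkSettings(BmContext bmContext, String str, Map<String, String> map) {
        // NOTE(review): an unknown uid makes get(str) return null and this line fail with a
        // NullPointerException instead of a ServerFault.
        Domain domain = domains(bmContext).get(str).value;
        checkKerberos(bmContext, domain, map);
        checkCas(bmContext, domain, map);
        checkExternal(domain, map);
    }

    /**
     * Kerberos rules: at most one Kerberos domain may lack an external URL, and the AD domain,
     * AD IP and keytab properties must all be present. Does nothing for non-Kerberos domains.
     */
    private static void checkKerberos(BmContext bmContext, Domain domain, Map<String, String> map) {
        if (domain.properties == null
                || AuthTypes.KERBEROS != AuthTypes.get(domain.properties.get(AuthDomainProperties.AUTH_TYPE.name()))) {
            return;
        }
        // A null map skips the uniqueness rule, as it always has.
        if (map != null && map.get(DomainSettingsKeys.external_url.name()) == null) {
            Optional<ItemValue<Domain>> conflicting = domains(bmContext).all().stream()
                    .filter(other -> !other.value.name.equals(domain.name))
                    // authTypeName tolerates domains without properties (previously an NPE here).
                    .filter(other -> AuthTypes.KERBEROS.name().equals(authTypeName(other.value)))
                    .filter(other -> !domainHasExternalUrl(other.uid))
                    .findFirst();
            if (conflicting.isPresent()) {
                throw new ServerFault("External Url is mandatory to enable Kerberos. Only one domain can have kerberos enabled without an external url, which is the case for " + conflicting.get().value.defaultAlias, ErrorCode.INVALID_AUTH_PARAMETER);
            }
        }
        if (domain.properties.get(AuthDomainProperties.KRB_AD_DOMAIN.name()) == null) {
            throw new ServerFault("AD Domain is mandatory for kerberos configuration", ErrorCode.INVALID_AUTH_PARAMETER);
        }
        if (domain.properties.get(AuthDomainProperties.KRB_AD_IP.name()) == null) {
            throw new ServerFault("AD IP adress is mandatory for kerberos configuration", ErrorCode.INVALID_AUTH_PARAMETER);
        }
        if (domain.properties.get(AuthDomainProperties.KRB_KEYTAB.name()) == null) {
            throw new ServerFault("Keytab file is mandatory for kerberos configuration", ErrorCode.INVALID_AUTH_PARAMETER);
        }
    }

    /**
     * CAS rules. Without an {@code external_url} in {@code map}, the operation is refused if
     * another CAS domain also lacks one; if this domain is itself CAS, it is refused if any other
     * domain lacks one. A CAS domain must also carry a well-formed CAS server URL.
     */
    private static void checkCas(BmContext bmContext, Domain domain, Map<String, String> map) {
        boolean isCas = AuthTypes.CAS.name().equals(authTypeName(domain));
        boolean hasExternalUrl = map != null && map.containsKey(DomainSettingsKeys.external_url.name());
        IDomains domainsApi = domains(bmContext);
        if (!hasExternalUrl) {
            Optional<ItemValue<Domain>> casWithoutUrl = domainsApi.all().stream()
                    .filter(other -> isOtherRealDomain(other.value, domain))
                    // authTypeName tolerates domains without properties (previously an NPE here).
                    .filter(other -> AuthTypes.CAS.name().equals(authTypeName(other.value)))
                    .filter(other -> !domainHasExternalUrl(other.uid))
                    .findFirst();
            if (casWithoutUrl.isPresent()) {
                throw new ServerFault("Operation is forbidden, because of the presence of a CAS domain without an external_url (" + casWithoutUrl.get().value.defaultAlias + ")", ErrorCode.INVALID_AUTH_PARAMETER);
            }
        }
        if (isCas && !hasExternalUrl) {
            Optional<ItemValue<Domain>> anyWithoutUrl = domainsApi.all().stream()
                    .filter(other -> isOtherRealDomain(other.value, domain))
                    .filter(other -> !domainHasExternalUrl(other.uid))
                    .findFirst();
            if (anyWithoutUrl.isPresent()) {
                throw new ServerFault("Operation is forbidden, because of the presence of a domain without an external_url (" + anyWithoutUrl.get().value.defaultAlias + ")", ErrorCode.INVALID_AUTH_PARAMETER);
            }
        }
        if (isCas) {
            // isCas implies domain.properties is non-null.
            requireValidCasUrl(domain.properties.get(AuthDomainProperties.CAS_URL.name()));
        }
    }

    /**
     * Rejects a missing, unparsable or non-http(s) CAS server URL, or one not ending in '/'.
     *
     * <p>The scheme is compared exactly rather than with a {@code startsWith("http")} prefix test,
     * so values such as {@code httpx://host/} no longer pass. {@link URI#create} and
     * {@link URI#toURL} signal bad input with {@link IllegalArgumentException}; it is mapped to
     * the same {@link ServerFault} as {@link MalformedURLException} instead of escaping.
     */
    private static void requireValidCasUrl(String casUrl) {
        if (casUrl == null || casUrl.trim().isEmpty()) {
            throw new ServerFault("CAS server URL is mandatory for CAS configuration", ErrorCode.INVALID_AUTH_PARAMETER);
        }
        boolean valid;
        try {
            URI uri = URI.create(casUrl);
            uri.toURL();
            String scheme = uri.getScheme();
            valid = ("http".equals(scheme) || "https".equals(scheme)) && casUrl.endsWith("/");
        } catch (IllegalArgumentException | MalformedURLException ignored) {
            // Not a usable URL: reported with the same fault as a wrong scheme or missing '/'.
            valid = false;
        }
        if (!valid) {
            throw new ServerFault(CAS_URL_ERROR, ErrorCode.INVALID_AUTH_PARAMETER);
        }
    }

    /**
     * OpenID rules: an external URL, the configuration URL, the client id and the client secret
     * are mandatory, and the configuration URL must return a JSON document. Does nothing for
     * non-OpenID domains.
     */
    private static void checkExternal(Domain domain, Map<String, String> map) {
        if (domain.properties == null
                || AuthTypes.OPENID != AuthTypes.get(domain.properties.get(AuthDomainProperties.AUTH_TYPE.name()))) {
            return;
        }
        String externalUrl = map == null ? null : map.get(DomainSettingsKeys.external_url.name());
        if (externalUrl == null || externalUrl.trim().isEmpty()) {
            throw new ServerFault("External_url is mandatory for a domain with external authentication", ErrorCode.INVALID_AUTH_PARAMETER);
        }
        String openIdHost = domain.properties.get(AuthDomainProperties.OPENID_HOST.name());
        if (openIdHost == null) {
            throw new ServerFault("OpenId configuration URL is mandatory for external authentication configuration", ErrorCode.INVALID_AUTH_PARAMETER);
        }
        // Presence checks run before the network call and outside its try block: previously these
        // faults were caught below and re-reported as "Invalid OpenId configuration URL".
        if (domain.properties.get(AuthDomainProperties.OPENID_CLIENT_ID.name()) == null) {
            throw new ServerFault("Client ID is mandatory for external authentication configuration", ErrorCode.INVALID_AUTH_PARAMETER);
        }
        if (domain.properties.get(AuthDomainProperties.OPENID_CLIENT_SECRET.name()) == null) {
            throw new ServerFault("Client secret is mandatory for external authentication configuration", ErrorCode.INVALID_AUTH_PARAMETER);
        }
        requireHttpScheme(openIdHost);
        try {
            // The server fetches an administrator-supplied URL and only checks that the body
            // parses as JSON. NOTE(review): the destination host is not restricted, and the fault
            // below relays the fetch error text to the caller; confirm that only trusted
            // administrators can reach this path.
            new JsonObject(SyncHttpClient.getInstance().get(openIdHost));
        } catch (ServerFault | DecodeException e) {
            throw new ServerFault("Invalid OpenId configuration URL: " + openIdHost + ", cause: " + e.getMessage(), ErrorCode.INVALID_AUTH_PARAMETER);
        }
    }

    /** Refuses to fetch an OpenID configuration URL that is unparsable or not http/https. */
    private static void requireHttpScheme(String openIdHost) {
        String scheme;
        try {
            scheme = URI.create(openIdHost).getScheme();
        } catch (IllegalArgumentException e) {
            throw new ServerFault("Invalid OpenId configuration URL: " + openIdHost + ", cause: " + e.getMessage(), ErrorCode.INVALID_AUTH_PARAMETER);
        }
        if (!"http".equalsIgnoreCase(scheme) && !"https".equalsIgnoreCase(scheme)) {
            throw new ServerFault("Invalid OpenId configuration URL: " + openIdHost + ", cause: only http and https URLs are supported", ErrorCode.INVALID_AUTH_PARAMETER);
        }
    }

    /** Returns the uid of the domain matching {@code domain.name}, or {@code null} if none does. */
    private static String getDomainUid(BmContext bmContext, Domain domain) {
        ItemValue<Domain> found = domains(bmContext).findByNameOrAliases(domain.name);
        return found == null ? null : found.uid;
    }

    /**
     * Tells whether the domain {@code str} has a non-empty {@code external_url} setting.
     *
     * <p>Reads the settings with {@link SecurityContext#SYSTEM}, not the caller's context, so the
     * answer is available even for domains the caller could not read directly.
     */
    private static boolean domainHasExternalUrl(String str) {
        Map<String, String> settings = ServerSideServiceProvider.getProvider(SecurityContext.SYSTEM)
                .instance(IDomainSettings.class, str).get();
        return !Strings.isNullOrEmpty(settings.get(DomainSettingsKeys.external_url.name()));
    }

    /** Domains service bound to the caller's security context. */
    private static IDomains domains(BmContext bmContext) {
        return ServerSideServiceProvider.getProvider(bmContext.getSecurityContext()).instance(IDomains.class);
    }

    /** Raw AUTH_TYPE property of a domain, or {@code null} when it has no properties at all. */
    private static String authTypeName(Domain domain) {
        return domain.properties == null ? null : domain.properties.get(AuthDomainProperties.AUTH_TYPE.name());
    }

    /** True for any domain other than {@code global.virt} and the one under validation. */
    private static boolean isOtherRealDomain(Domain candidate, Domain current) {
        return !GLOBAL_VIRT.equals(candidate.name) && !candidate.name.equals(current.name);
    }
}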
