package net.bluemind.webmodule.authenticationfilter;

import com.google.common.base.Strings;
import io.vertx.core.Handler;
import io.vertx.core.buffer.Buffer;
import io.vertx.core.http.HttpHeaders;
import io.vertx.core.http.HttpMethod;
import io.vertx.core.http.HttpServerRequest;
import io.vertx.core.http.RequestOptions;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Optional;
import javax.xml.parsers.FactoryConfigurationError;
import javax.xml.parsers.ParserConfigurationException;
import net.bluemind.core.api.auth.AuthDomainProperties;
import net.bluemind.core.api.fault.ServerFault;
import net.bluemind.utils.DOMUtils;
import net.bluemind.webmodule.authenticationfilter.internal.DomainsHelper;
import net.bluemind.webmodule.authenticationfilter.internal.ExternalCreds;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.SAXException;

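/**
 * Vert.x handler for the CAS callback endpoint.
 *
 * <p>Flow implemented here: a request without a {@code ticket} parameter is redirected to the
 * domain's CAS login page; a request with a ticket triggers a back-channel GET to the CAS
 * {@code serviceValidate} endpoint, whose XML answer is parsed to either create a session or
 * answer with a redirect / error status.
 *
 * <p>Trust boundaries visible in this class: the {@code ticket} parameter, the request authority
 * (host) and the {@code X-Forwarded-For} header all come from the client; the validation response
 * comes from the URL stored in the domain settings under {@code AuthDomainProperties.CAS_URL}.
 */
public class CasHandler extends AbstractAuthHandler implements Handler<HttpServerRequest> {
    private static final Logger logger = LoggerFactory.getLogger(CasHandler.class);

    /** Immutable bundle of the incoming request, its domain, the CAS ticket and the CAS base URL. */
    public static class CASRequest {
        public final HttpServerRequest request;
        public final String domainUid;
        // Taken verbatim from the "ticket" query parameter: client-controlled, may be null.
        public final String ticket;
        // Read from the domain settings; the URI builders below append paths directly to it, so it
        // is expected to end with '/'.
        // NOTE(review): confirm the configured value is an https URL, otherwise the validation
        // answer travels unauthenticated.
        public final String casUrl;

        /** Raised when the callback or ticket value cannot be URL-encoded. */
        public static class InvalidUrl extends RuntimeException {
            public InvalidUrl(Throwable th) {
                super(th);
            }
        }

        /**
         * Builds a request context, resolving the domain from the request itself.
         *
         * @param httpServerRequest incoming callback request
         * @return the populated context
         * @throws ServerFault when the request resolves to {@code global.virt}
         * @throws RuntimeException when the domain has no CAS URL configured
         */
        public static CASRequest build(HttpServerRequest httpServerRequest) {
            String domainUid = DomainsHelper.getDomainUid(httpServerRequest);
            if ("global.virt".equals(domainUid)) {
                throw new ServerFault("No valid domain found for URL: " + httpServerRequest.authority().host());
            }
            return build(httpServerRequest, domainUid);
        }

        /**
         * Builds a request context for an already known domain.
         *
         * @param httpServerRequest incoming callback request
         * @param domainUid domain whose settings provide the CAS URL
         * @return the populated context
         * @throws RuntimeException when the domain has no settings or no CAS URL
         */
        public static CASRequest build(HttpServerRequest httpServerRequest, String domainUid) {
            String casUrl = Optional.ofNullable(DomainsSettings.forDomain(domainUid))
                    .map(settings -> (String) settings.get(AuthDomainProperties.CAS_URL.name()))
                    .orElseThrow(() -> new RuntimeException("CAS URL not found for domain: " + domainUid));
            return new CASRequest(httpServerRequest, domainUid, httpServerRequest.params().get("ticket"), casUrl);
        }

        private CASRequest(HttpServerRequest request, String domainUid, String ticket, String casUrl) {
            this.request = request;
            this.domainUid = domainUid;
            this.ticket = ticket;
            this.casUrl = casUrl;
        }

        /**
         * Returns every {@code X-Forwarded-For} value followed by the socket peer address.
         *
         * <p>Only the last element is observed by this server; the header values are whatever the
         * client (or an upstream proxy) sent and must not be used as an authenticated source
         * address.
         */
        public List<String> getForwardFor() {
            List<String> addresses = new ArrayList<>(this.request.headers().getAll("X-Forwarded-For"));
            addresses.add(this.request.remoteAddress().host());
            return addresses;
        }

        /** Answers 302 towards the CAS login page, with this server's callback as the service. */
        public void redirectToCasLogin() {
            this.request.response().headers().add(HttpHeaders.LOCATION, this.casUrl + "login?service=" + callbackTo());
            this.request.response().setStatusCode(302).end();
        }

        /**
         * Returns the back-channel {@code serviceValidate} URI for this ticket.
         *
         * <p>The ticket is percent-encoded: it is copied from the client's query string, and a raw
         * {@code &} or {@code #} in it would otherwise add or truncate parameters of the request
         * sent to the CAS server. Tickets made only of letters, digits and {@code -} are unchanged
         * by the encoding.
         */
        public String getValidationUri() {
            return this.casUrl + "serviceValidate?service=" + callbackTo() + "&ticket=" + encode(this.ticket);
        }

        // The service URL is derived from the request authority, i.e. from client-supplied data.
        // NOTE(review): presumably the domain lookup in build() already restricts which hosts
        // reach this point, and the CAS server restricts accepted services - confirm both.
        private String callbackTo() {
            return encode("https://" + this.request.authority().host() + "/auth/cas");
        }

        private static String encode(String value) {
            try {
                return URLEncoder.encode(value, "UTF-8");
            } catch (UnsupportedEncodingException e) {
                throw new InvalidUrl(e);
            }
        }
    }

    /** Raised when the CAS answer holds neither a success nor a failure element. */
    public static class UnsupportedCasFailureResponse extends RuntimeException {
    }

    /**
     * Entry point: redirects to CAS when no ticket is present, otherwise validates the ticket
     * against the CAS server and hands the answer to {@link #validateToken}.
     *
     * @param httpServerRequest incoming callback request
     */
    @Override
    public void handle(HttpServerRequest httpServerRequest) {
        try {
            CASRequest casRequest = CASRequest.build(httpServerRequest);
            if (Strings.isNullOrEmpty(casRequest.ticket)) {
                logger.error("Handle CAS authentication, but no ticket found!");
                casRequest.redirectToCasLogin();
                return;
            }
            if (logger.isDebugEnabled()) {
                logger.debug("[{}] Validating CAS ticket on {}", casRequest.ticket, casRequest.getValidationUri());
            }
            RequestOptions options = new RequestOptions().setMethod(HttpMethod.GET)
                    .setAbsoluteURI(casRequest.getValidationUri());
            this.httpClient.request(options)
                    .onFailure(th -> error(httpServerRequest, th))
                    .onSuccess(clientRequest -> clientRequest.send()
                            .onFailure(th -> error(httpServerRequest, th))
                            .onSuccess(clientResponse -> clientResponse
                                    .bodyHandler(body -> validateToken(casRequest, body))));
        } catch (Exception e) {
            error(httpServerRequest, e);
        }
    }

    /**
     * Parses the CAS answer and either creates the session or terminates the request.
     *
     * <p>Every path must leave the client with a response, so the fallbacks test the
     * <em>response</em> state: {@code HttpServerRequest.isEnded()} only tells whether the incoming
     * request was fully read, which is normally already true when this callback runs and would
     * leave the client without any answer.
     */
    private void validateToken(CASRequest cASRequest, Buffer buffer) {
        try {
            // NOTE(review): the document comes from the network and DOMUtils.parse is defined
            // outside this file - confirm it disables DTDs and external entities.
            Document document = DOMUtils.parse(new ByteArrayInputStream(buffer.getBytes()));
            validateCasTicket(cASRequest, document).ifPresentOrElse(
                    externalCreds -> createSession(cASRequest.request,
                            new AuthProvider(this.vertx, cASRequest.domainUid), cASRequest.getForwardFor(),
                            externalCreds, "/"),
                    // Empty means either a failure answer that was already responded to, or a
                    // success answer without user name that still needs a response.
                    () -> endIfOpen(cASRequest, 500));
        } catch (IOException | FactoryConfigurationError | ParserConfigurationException | SAXException e) {
            logger.error("[{}] Invalid CAS ticket validation response: {}", cASRequest.ticket,
                    new String(buffer.getBytes(), StandardCharsets.UTF_8), e);
            endIfOpen(cASRequest, 500);
        } catch (Exception e) {
            logger.error("[{}] Unsupported CAS ticket validation response: {}", cASRequest.ticket,
                    new String(buffer.getBytes(), StandardCharsets.UTF_8), e);
            endIfOpen(cASRequest, 500);
        }
    }

    /** Ends the response with {@code statusCode} unless a response was already sent. */
    private static void endIfOpen(CASRequest cASRequest, int statusCode) {
        if (!cASRequest.request.response().ended()) {
            cASRequest.request.response().setStatusCode(statusCode).end();
        }
    }

    /**
     * Dispatches on the presence of {@code cas:authenticationSuccess}.
     *
     * @return credentials on success; empty when the failure path answered the client or when the
     *         success answer carried no user name
     */
    private Optional<ExternalCreds> validateCasTicket(CASRequest cASRequest, Document document) {
        Element success = DOMUtils.getUniqueElement(document.getDocumentElement(), "cas:authenticationSuccess");
        if (success != null) {
            return handleCasAuthSuccess(cASRequest, document);
        }
        handleCasAuthNotSuccess(cASRequest, document);
        return Optional.empty();
    }

    /**
     * Handles an answer without success element.
     *
     * @throws UnsupportedCasFailureResponse when no {@code cas:authenticationFailure} is present
     */
    private void handleCasAuthNotSuccess(CASRequest cASRequest, Document document) {
        Element failure = DOMUtils.getUniqueElement(document.getDocumentElement(), "cas:authenticationFailure");
        if (failure == null) {
            throw new UnsupportedCasFailureResponse();
        }
        manageFailure(cASRequest, failure);
    }

    /**
     * Logs the CAS failure and answers the client: 403 for {@code UNAUTHORIZED_SERVICE}, a new
     * login redirect for {@code INVALID_TICKET}, 500 for any other code.
     */
    private void manageFailure(CASRequest cASRequest, Element element) {
        String code = element.getAttribute("code");
        String reason = "unknown";
        if (element.getChildNodes().getLength() > 0) {
            // getNodeValue() is null for non-text first children; keep "unknown" instead of
            // failing while building the log line.
            String firstChildValue = element.getChildNodes().item(0).getNodeValue();
            if (firstChildValue != null) {
                reason = firstChildValue.strip();
            }
        }
        logger.error("[{}] CAS ticket validation fail: {} - {}", cASRequest.ticket, code, reason);
        switch (code) {
            case "UNAUTHORIZED_SERVICE":
                cASRequest.request.response().setStatusCode(403).end();
                return;
            case "INVALID_TICKET":
                cASRequest.redirectToCasLogin();
                return;
            default:
                cASRequest.request.response().setStatusCode(500).end();
                return;
        }
    }

    /**
     * Turns a success answer into credentials.
     *
     * @return credentials holding the ticket and the lower-cased login, or empty when the answer
     *         has no (or an empty) {@code cas:user}
     */
    private Optional<ExternalCreds> handleCasAuthSuccess(CASRequest cASRequest, Document document) {
        Element userElement = DOMUtils.getUniqueElement(document.getDocumentElement(), "cas:user");
        String user = userElement == null ? null : userElement.getTextContent();
        if (Strings.isNullOrEmpty(user)) {
            logger.error("[{}] No username found in CAS ticket validation response", cASRequest.ticket);
            return Optional.empty();
        }
        logger.info("[{}] Ticket validation successful for user : {}", cASRequest.ticket, user);
        ExternalCreds externalCreds = new ExternalCreds();
        externalCreds.setTicket(cASRequest.ticket);
        // Locale.ROOT keeps the login mapping independent of the JVM default locale (a Turkish
        // locale would otherwise map 'I' to a dotless 'ı' and yield a different login).
        String login = user.toLowerCase(Locale.ROOT);
        if (login.contains("@")) {
            // NOTE(review): a name already containing '@' is passed on as-is, whatever domain it
            // names; confirm that session creation restricts it to cASRequest.domainUid, since
            // the value is asserted by this domain's CAS server only.
            externalCreds.setLoginAtDomain(login);
        } else {
            externalCreds.setLoginAtDomain(String.format("%s@%s", login, cASRequest.domainUid));
        }
        return Optional.of(externalCreds);
    }
}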
