package org.georchestra.gateway.security.preauth;

import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.georchestra.commons.security.SecurityHeaders;
import org.georchestra.security.model.GeorchestraUser;
import org.springframework.http.HttpHeaders;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.server.authentication.ServerAuthenticationConverter;
import org.springframework.util.StringUtils;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

/* loaded from: input_file:BOOT-INF/classes/org/georchestra/gateway/security/preauth/PreauthAuthenticationManager.class */
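/**
 * Authentication converter and manager for header-based pre-authentication.
 *
 * <p>A request is treated as pre-authenticated when it carries
 * {@code sec-georchestra-preauthenticated: true}; the identity is then read from the
 * {@code preauth-*} request headers.
 *
 * <p><b>Trust model.</b> Nothing in this class verifies who set those headers:
 * {@link #authenticate(Authentication)} returns the token unchanged, and
 * {@link #convert(ServerWebExchange)} builds the token with the three-argument
 * {@link PreAuthenticatedAuthenticationToken} constructor, which marks it as authenticated.
 * The username, the roles ({@code preauth-roles}) and every other attribute are taken from the
 * request as-is. This is only safe when every request reaches this class through a trusted
 * front-end that strips any client-supplied {@code sec-georchestra-preauthenticated} and
 * {@code preauth-*} headers and then sets them itself. That enforcement is not visible in this
 * class and has to be confirmed at the deployment level (network exposure, proxy header
 * rules). Logging the source address of requests that carry the flag header helps detect
 * traffic that did not come from the expected proxy.
 */
public class PreauthAuthenticationManager implements ReactiveAuthenticationManager, ServerAuthenticationConverter {
    public static final String PREAUTH_HEADER_NAME = "sec-georchestra-preauthenticated";
    public static final String PREAUTH_USERNAME = "preauth-username";
    public static final String PREAUTH_EMAIL = "preauth-email";
    public static final String PREAUTH_FIRSTNAME = "preauth-firstname";
    public static final String PREAUTH_LASTNAME = "preauth-lastname";
    public static final String PREAUTH_ORG = "preauth-org";
    public static final String PREAUTH_ROLES = "preauth-roles";
    public static final String PREAUTH_PROVIDER = "preauth-provider";
    public static final String PREAUTH_PROVIDER_ID = "preauth-provider-id";

    /** Prefix shared by all identity headers collected by {@link #extract(HttpHeaders)}. */
    private static final String PREAUTH_PREFIX = "preauth-";

    /** Role every pre-authenticated user receives, whatever {@code preauth-roles} says. */
    private static final String DEFAULT_ROLE = "ROLE_USER";

    /** Headers dropped by {@link #removePreauthHeaders(HttpHeaders)}, in removal order. */
    private static final List<String> KNOWN_PREAUTH_HEADERS = List.of(PREAUTH_HEADER_NAME, PREAUTH_USERNAME,
            PREAUTH_EMAIL, PREAUTH_FIRSTNAME, PREAUTH_LASTNAME, PREAUTH_ORG, PREAUTH_ROLES, PREAUTH_PROVIDER,
            PREAUTH_PROVIDER_ID);

    /**
     * Builds an authentication token from the pre-authentication request headers.
     *
     * <p>The principal is the raw {@code preauth-username} header value; the credentials are the
     * map of all {@code preauth-*} headers. The authorities collection is empty here; roles
     * are derived from {@code preauth-roles} in {@link #map(Map)}.
     *
     * @param serverWebExchange the current exchange, whose request headers are inspected
     * @return an empty {@code Mono} when the request is not flagged as pre-authenticated,
     *         otherwise a {@code Mono} holding an already-authenticated token
     * @throws IllegalStateException if the request is flagged as pre-authenticated but
     *         {@code preauth-username} is missing or blank
     */
    @Override
    public Mono<Authentication> convert(ServerWebExchange serverWebExchange) {
        if (!isPreAuthenticated(serverWebExchange)) {
            return Mono.empty();
        }
        HttpHeaders headers = serverWebExchange.getRequest().getHeaders();
        String username = headers.getFirst(PREAUTH_USERNAME);
        if (!StringUtils.hasText(username)) {
            throw new IllegalStateException("Pre-authenticated user headers not provided");
        }
        // SECURITY: the three-argument constructor creates an authenticated token, so the header
        // values are accepted as the caller's identity without any further check in this class.
        return Mono.just(new PreAuthenticatedAuthenticationToken(username, extract(headers), List.of()));
    }

    /**
     * Collects every request header whose name starts with {@code preauth-}, keyed by the
     * lower-cased header name and holding the first value of each header.
     *
     * <p>Names are lower-cased with {@link Locale#ROOT}: the default-locale form would turn
     * {@code PREAUTH-FIRSTNAME} into a key with a dotless i under a Turkish default locale,
     * and the constant-based lookups in {@link #map(Map)} would then miss it.
     *
     * <p>If two header names collapse to the same key after lower-casing,
     * {@link Collectors#toMap} throws {@link IllegalStateException}, so ambiguous identity
     * headers are rejected rather than one of them being picked silently.
     */
    private Map<String, String> extract(HttpHeaders httpHeaders) {
        return httpHeaders.toSingleValueMap().entrySet().stream()
                .filter(header -> header.getKey().toLowerCase(Locale.ROOT).startsWith(PREAUTH_PREFIX))
                .collect(Collectors.toMap(header -> header.getKey().toLowerCase(Locale.ROOT), Map.Entry::getValue));
    }

    /**
     * Returns the supplied authentication unchanged.
     *
     * <p>SECURITY: no credential or origin check happens here; whether the token can be trusted
     * depends entirely on how the headers read in {@link #convert(ServerWebExchange)} reached
     * the gateway.
     */
    @Override
    public Mono<Authentication> authenticate(Authentication authentication) {
        return Mono.just(authentication);
    }

    /**
     * Tells whether the request carries {@code sec-georchestra-preauthenticated} with the value
     * {@code true} (compared case-insensitively). Only the first value of the header is read.
     */
    public static boolean isPreAuthenticated(ServerWebExchange serverWebExchange) {
        HttpHeaders headers = serverWebExchange.getRequest().getHeaders();
        return "true".equalsIgnoreCase(headers.getFirst(PREAUTH_HEADER_NAME));
    }

    /**
     * Maps the {@code preauth-*} header values to a {@link GeorchestraUser}.
     *
     * <p>Each value is passed through {@link SecurityHeaders#decode} before use. Roles are
     * {@code ROLE_USER} followed by the non-blank, {@code ;}-separated entries of
     * {@code preauth-roles}, with duplicates removed; entries are not trimmed.
     *
     * <p>SECURITY: the role list comes straight from the header, so whoever is able to set
     * {@code preauth-roles} decides which roles the user gets.
     *
     * @param map header values keyed by lower-case header name, as produced by the converter
     * @return a user populated from the headers; fields whose header is absent receive
     *         whatever {@code SecurityHeaders.decode} returns for {@code null}
     */
    public static GeorchestraUser map(Map<String, String> map) {
        String username = SecurityHeaders.decode(map.get(PREAUTH_USERNAME));
        String email = SecurityHeaders.decode(map.get(PREAUTH_EMAIL));
        String firstName = SecurityHeaders.decode(map.get(PREAUTH_FIRSTNAME));
        String lastName = SecurityHeaders.decode(map.get(PREAUTH_LASTNAME));
        String organization = SecurityHeaders.decode(map.get(PREAUTH_ORG));
        String rolesHeader = SecurityHeaders.decode(map.get(PREAUTH_ROLES));
        String provider = SecurityHeaders.decode(map.get(PREAUTH_PROVIDER));
        String providerId = SecurityHeaders.decode(map.get(PREAUTH_PROVIDER_ID));

        Stream<String> declaredRoles = Optional.ofNullable(rolesHeader)
                .map(value -> Stream.of(value.split(";")).filter(StringUtils::hasText))
                .orElseGet(Stream::empty);
        List<String> roles = Stream.concat(Stream.of(DEFAULT_ROLE), declaredRoles)
                .distinct()
                .collect(Collectors.toList());

        GeorchestraUser user = new GeorchestraUser();
        user.setUsername(username);
        user.setEmail(email);
        user.setFirstName(firstName);
        user.setLastName(lastName);
        user.setOrganization(organization);
        user.setRoles(roles);
        user.setOAuth2Provider(provider);
        user.setOAuth2Uid(providerId);
        return user;
    }

    /**
     * Removes the pre-authentication flag header and the eight known {@code preauth-*} headers
     * from the given header set.
     *
     * <p>NOTE(review): {@link #extract(HttpHeaders)} accepts any header with the
     * {@code preauth-} prefix, whereas only the fixed names are removed here. Confirm that
     * nothing downstream interprets other {@code preauth-*} headers.
     */
    public void removePreauthHeaders(HttpHeaders httpHeaders) {
        for (String headerName : KNOWN_PREAUTH_HEADERS) {
            httpHeaders.remove(headerName);
        }
    }
}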
