package com.e2eq.framework.model.security.auth.provider.cognito;

import com.e2eq.framework.exceptions.ReferentialIntegrityViolationException;
import com.e2eq.framework.model.persistent.security.DomainContext;
import com.e2eq.framework.model.security.auth.AuthProvider;
import com.e2eq.framework.model.security.auth.UserManagement;
import com.e2eq.framework.util.TokenUtils;
import io.quarkus.logging.Log;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.runtime.QuarkusSecurityIdentity;
import io.quarkus.security.runtime.SecurityIdentityAssociation;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import jakarta.json.JsonArray;
import jakarta.json.JsonString;
import jakarta.json.JsonValue;
import java.security.Principal;
import java.util.Collection;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import org.eclipse.microprofile.config.inject.ConfigProperty;
import org.eclipse.microprofile.jwt.JsonWebToken;
import software.amazon.awssdk.services.cognitoidentityprovider.CognitoIdentityProviderClient;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminAddUserToGroupRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminCreateUserRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminDeleteUserRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminGetUserRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminInitiateAuthRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminInitiateAuthResponse;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminListGroupsForUserRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminRemoveUserFromGroupRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminSetUserPasswordRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AttributeType;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AuthFlowType;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AuthenticationResultType;
import software.amazon.awssdk.services.cognitoidentityprovider.model.CreateGroupRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.GetUserRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.GroupExistsException;
import software.amazon.awssdk.services.cognitoidentityprovider.model.MessageActionType;
import software.amazon.awssdk.services.cognitoidentityprovider.model.NotAuthorizedException;
import software.amazon.awssdk.services.cognitoidentityprovider.model.UserNotFoundException;
import software.amazon.awssdk.services.cognitoidentityprovider.model.UsernameExistsException;

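@ApplicationScoped
/**
 * {@link AuthProvider} / {@link UserManagement} backed by an AWS Cognito user pool.
 *
 * Authentication uses the server-side ADMIN_USER_PASSWORD_AUTH flow; roles are Cognito groups.
 * Every failure surfaced to callers is a {@link SecurityException} with a deliberately generic
 * message -- SDK error text is written to the log only, never echoed to the caller.
 */
public class CognitoAuthProvider implements AuthProvider, UserManagement {

    /**
     * Verifies Cognito-issued JWTs (signature, issuer and expiry are the validator's concern).
     * NOTE(review): this field carries no {@code @Inject} here. Unless it is assigned elsewhere,
     * {@link #validateAccessToken(String)} fails with a NullPointerException, which the catch
     * there reports as "Invalid token" -- confirm the wiring.
     */
    CognitoTokenValidator tokenValidator;

    @Inject
    SecurityIdentityAssociation securityIdentityAssociation;

    /**
     * Cognito user pool and app client ids.
     * NOTE(review): the defaults are placeholders, not real ids. A deployment that forgets to set
     * them will not fail at startup but on the first Cognito call; consider making them required.
     */
    @ConfigProperty(name = "aws.cognito.user-pool-id", defaultValue = "us-west-2_1234567890")
    String userPoolId;

    @ConfigProperty(name = "aws.cognito.client-id", defaultValue = "1234567890abcdefg")
    String clientId;

    /** Fallback token lifetime in seconds, used only when Cognito does not report {@code expiresIn}. */
    @ConfigProperty(name = "com.b2bi.jwt.duration")
    Long durationInSeconds;

    /** Built with the SDK's default credential and region resolution. */
    private final CognitoIdentityProviderClient cognitoClient = CognitoIdentityProviderClient.builder().build();

    /**
     * Authenticates {@code username}/{@code password} against Cognito and returns the issued
     * access and refresh tokens together with a {@link SecurityIdentity} carrying the user's groups.
     *
     * @throws SecurityException if the credentials are rejected, the user is unknown, Cognito
     *         answers with a challenge (MFA, NEW_PASSWORD_REQUIRED, ...) instead of tokens, or the
     *         call fails for any other reason. The message never includes SDK details.
     */
    @Override
    public AuthProvider.LoginResponse login(String username, String password) {
        if (isBlank(username) || isBlank(password)) {
            throw new SecurityException("Invalid credentials");
        }
        try {
            AdminInitiateAuthResponse response = cognitoClient.adminInitiateAuth(AdminInitiateAuthRequest.builder()
                    .userPoolId(userPoolId)
                    .clientId(clientId)
                    .authFlow(AuthFlowType.ADMIN_USER_PASSWORD_AUTH)
                    .authParameters(Map.of("USERNAME", username, "PASSWORD", password))
                    .build());
            AuthenticationResultType result = requireTokens(response, "Authentication");
            Set<String> groups = getUserGroups(username);
            return new AuthProvider.LoginResponse(true, new AuthProvider.LoginPositiveResponse(
                    username,
                    buildIdentity(username, groups),
                    groups,
                    result.accessToken(),
                    result.refreshToken(),
                    expiryFor(result)));
        } catch (NotAuthorizedException | UserNotFoundException e) {
            // Same outward message for a bad password and an unknown user: no username enumeration.
            Log.warn("Authentication failed for user: " + username, e);
            throw new SecurityException("Invalid credentials");
        } catch (SecurityException e) {
            throw e;
        } catch (Exception e) {
            Log.error("Unexpected error during authentication", e);
            throw new SecurityException("Authentication failed");
        }
    }

    /**
     * Exchanges a Cognito refresh token for a new access token.
     *
     * The access token (not the ID token) is returned and validated, matching what {@link #login}
     * hands out. Cognito only issues a new refresh token when rotation is enabled on the app
     * client; otherwise the caller's token is returned back.
     *
     * @throws SecurityException if the refresh token is blank or rejected, a challenge is
     *         required, or the call fails.
     */
    @Override
    public AuthProvider.LoginResponse refreshTokens(String refreshToken) {
        if (isBlank(refreshToken)) {
            throw new SecurityException("Invalid refresh token");
        }
        try {
            AdminInitiateAuthResponse response = cognitoClient.adminInitiateAuth(AdminInitiateAuthRequest.builder()
                    .userPoolId(userPoolId)
                    .clientId(clientId)
                    .authFlow(AuthFlowType.REFRESH_TOKEN_AUTH)
                    .authParameters(Map.of("REFRESH_TOKEN", refreshToken))
                    .build());
            AuthenticationResultType result = requireTokens(response, "Token refresh");
            String accessToken = result.accessToken();
            // Server-side lookup with the fresh access token: Cognito itself confirms it honors the token.
            String username = cognitoClient.getUser(GetUserRequest.builder().accessToken(accessToken).build()).username();
            String nextRefreshToken = result.refreshToken() != null ? result.refreshToken() : refreshToken;
            return new AuthProvider.LoginResponse(true, new AuthProvider.LoginPositiveResponse(
                    username,
                    validateAccessToken(accessToken),
                    getUserGroups(username),
                    accessToken,
                    nextRefreshToken,
                    expiryFor(result)));
        } catch (NotAuthorizedException e) {
            Log.warn("Refresh token rejected", e);
            throw new SecurityException("Invalid refresh token");
        } catch (SecurityException e) {
            throw e;
        } catch (Exception e) {
            Log.error("Unexpected error during token refresh", e);
            throw new SecurityException("Token refresh failed");
        }
    }

    /**
     * Unwraps the tokens from an auth response. Per the Cognito API, a response that asks for a
     * challenge carries a {@code challengeName} and no {@code authenticationResult}; this provider
     * implements no challenge flow, so that is treated as a failed attempt instead of an NPE.
     */
    private static AuthenticationResultType requireTokens(AdminInitiateAuthResponse response, String operation) {
        AuthenticationResultType result = response.authenticationResult();
        if (result == null) {
            Log.warn(operation + " not completed: Cognito requires challenge " + response.challengeNameAsString());
            throw new SecurityException(operation + " requires an additional challenge");
        }
        return result;
    }

    /**
     * Absolute expiry of the returned access token. Prefers the lifetime Cognito reports for this
     * very token over the configured duration, so a caller never treats an expired token as live.
     * NOTE(review): the value is seconds since the epoch, exactly as the original computed it (its
     * {@code new Date(x).getTime()} wrapper was an identity) -- confirm LoginPositiveResponse does
     * not expect milliseconds.
     */
    private long expiryFor(AuthenticationResultType result) {
        long lifetimeSeconds = result.expiresIn() != null
                ? result.expiresIn().longValue()
                : durationInSeconds.longValue();
        return TokenUtils.currentTimeInSecs() + lifetimeSeconds;
    }

    private static boolean isBlank(String value) {
        return value == null || value.trim().isEmpty();
    }

    /**
     * @return whether {@code username} exists in the pool
     * @throws SecurityException on any error other than "user not found"
     */
    @Override
    public boolean userExists(String username) {
        try {
            cognitoClient.adminGetUser(AdminGetUserRequest.builder().userPoolId(userPoolId).username(username).build());
            return true;
        } catch (UserNotFoundException e) {
            return false;
        } catch (Exception e) {
            Log.error("Error checking user existence", e);
            throw new SecurityException("Failed to check user existence");
        }
    }

    /** Builds a Quarkus identity whose principal is {@code username} and whose roles are {@code roles}. */
    private SecurityIdentity buildIdentity(String username, Set<String> roles) {
        QuarkusSecurityIdentity.Builder builder = QuarkusSecurityIdentity.builder();
        Principal principal = () -> username;
        builder.setPrincipal(principal);
        roles.forEach(builder::addRole);
        builder.addAttribute("token_type", "custom");
        builder.addAttribute("auth_time", Long.valueOf(System.currentTimeMillis()));
        return builder.build();
    }

    /**
     * Validates a Cognito JWT, builds the matching identity, installs it on the current request
     * via {@link SecurityIdentityAssociation} and returns it.
     *
     * Roles come from the {@code cognito:groups} claim when the token has one; otherwise they are
     * looked up from Cognito for the token's user.
     *
     * @throws SecurityException if the token fails validation or carries no username claim; the
     *         cause is logged, the message is always "Invalid token".
     */
    @Override
    public SecurityIdentity validateAccessToken(String token) {
        try {
            JsonWebToken jwt = tokenValidator.validateToken(token);
            String username = principalName(jwt);
            Set<String> groups = jwt.containsClaim("cognito:groups")
                    ? groupsFromClaim(jwt.claim("cognito:groups"))
                    : getUserGroups(username);
            SecurityIdentity identity = buildIdentity(username, groups);
            securityIdentityAssociation.setIdentity(identity);
            return identity;
        } catch (Exception e) {
            Log.error("Token validation failed", e);
            throw new SecurityException("Invalid token");
        }
    }

    /**
     * Username from the token. Cognito access tokens use {@code username}; ID tokens use
     * {@code cognito:username}. The original called {@code toString()} on the {@code Optional}
     * itself, yielding "Optional[...]" as the principal name -- that is fixed here.
     */
    private static String principalName(JsonWebToken jwt) {
        String name = stringClaim(jwt, "username");
        if (name == null) {
            name = stringClaim(jwt, "cognito:username");
        }
        if (isBlank(name)) {
            throw new SecurityException("Token carries no username claim");
        }
        return name;
    }

    /** Unwraps a string claim whether the JWT implementation returns it as String or JsonString. */
    private static String stringClaim(JsonWebToken jwt, String name) {
        Optional<Object> value = jwt.claim(name);
        if (!value.isPresent()) {
            return null;
        }
        Object raw = value.get();
        return raw instanceof JsonString ? ((JsonString) raw).getString() : raw.toString();
    }

    /**
     * Group names from the {@code cognito:groups} claim. A JsonArray is a Collection, so both
     * JSON-P and plain collection representations are handled; any other shape yields no groups
     * rather than guessed ones.
     */
    private static Set<String> groupsFromClaim(Optional<Object> claim) {
        Set<String> groups = new HashSet<>();
        if (!claim.isPresent() || !(claim.get() instanceof Collection)) {
            return groups;
        }
        for (Object entry : (Collection<?>) claim.get()) {
            if (entry instanceof JsonString) {
                groups.add(((JsonString) entry).getString());
            } else {
                groups.add(entry.toString().replace("\"", ""));
            }
        }
        return groups;
    }

    /**
     * Group names the user belongs to, following pagination so users in many groups are not
     * silently truncated. Any failure (SDK error, unknown user) is logged and yields an empty set:
     * the caller ends up with no roles rather than stale or guessed ones.
     */
    private Set<String> getUserGroups(String username) {
        try {
            AdminListGroupsForUserRequest request = AdminListGroupsForUserRequest.builder()
                    .userPoolId(userPoolId)
                    .username(username)
                    .build();
            return cognitoClient.adminListGroupsForUserPaginator(request).groups().stream()
                    .map(group -> group.groupName())
                    .collect(Collectors.toSet());
        } catch (Exception e) {
            Log.error("Failed to get user groups", e);
            return new HashSet<>();
        }
    }

    /**
     * Creates a Cognito user whose username doubles as e-mail address, sets the supplied password
     * as permanent, and assigns {@code roles}.
     *
     * Security caveats, unchanged from the original behaviour:
     * <ul>
     *   <li>{@code email_verified} is forced to "true" without any verification step -- only
     *       acceptable if the caller has already established ownership of the mailbox;</li>
     *   <li>the caller-supplied password becomes permanent immediately (no forced change);</li>
     *   <li>if role assignment fails the user already exists, without its groups.</li>
     * </ul>
     * {@code domainContext} is accepted for the interface but not used here.
     *
     * @throws SecurityException if the user exists or any step fails
     */
    @Override
    public void createUser(String username, String password, Set<String> roles, DomainContext domainContext) throws SecurityException {
        try {
            cognitoClient.adminCreateUser(AdminCreateUserRequest.builder()
                    .userPoolId(userPoolId)
                    .username(username)
                    .temporaryPassword(password)
                    .messageAction(MessageActionType.SUPPRESS)
                    .userAttributes(
                            AttributeType.builder().name("email").value(username).build(),
                            AttributeType.builder().name("email_verified").value("true").build())
                    .build());
            cognitoClient.adminSetUserPassword(AdminSetUserPasswordRequest.builder()
                    .userPoolId(userPoolId)
                    .username(username)
                    .password(password)
                    .permanent(true)
                    .build());
            if (roles != null && !roles.isEmpty()) {
                assignRoles(username, roles);
            }
        } catch (UsernameExistsException e) {
            throw new SecurityException("User already exists: " + username);
        } catch (SecurityException e) {
            // assignRoles has already logged and wrapped the cause.
            throw e;
        } catch (Exception e) {
            Log.error("Failed to create user", e);
            throw new SecurityException("Failed to create user");
        }
    }

    /**
     * Deletes the user from the pool.
     *
     * @return true if deleted, false if no such user; other SDK exceptions propagate unchanged
     */
    @Override
    public boolean removeUser(String username) throws ReferentialIntegrityViolationException {
        try {
            cognitoClient.adminDeleteUser(AdminDeleteUserRequest.builder().userPoolId(userPoolId).username(username).build());
            return true;
        } catch (UserNotFoundException e) {
            return false;
        }
    }

    /**
     * Adds the user to one Cognito group per role, creating missing groups on the fly.
     *
     * NOTE(review): because groups are created on demand, any string that reaches this method
     * becomes a real group. Role names must come from a fixed, server-side set; never pass
     * user-controlled input here.
     *
     * @throws SecurityException if any group creation or membership call fails
     */
    @Override
    public void assignRoles(String username, Set<String> roles) throws SecurityException {
        if (roles == null || roles.isEmpty()) {
            return;
        }
        try {
            for (String role : roles) {
                ensureGroupExists(role);
                cognitoClient.adminAddUserToGroup(AdminAddUserToGroupRequest.builder()
                        .userPoolId(userPoolId)
                        .username(username)
                        .groupName(role)
                        .build());
            }
        } catch (Exception e) {
            Log.error("Failed to assign roles", e);
            throw new SecurityException("Failed to assign roles");
        }
    }

    /** Creates the group backing {@code role}; an already-existing group is the normal case. */
    private void ensureGroupExists(String role) {
        try {
            cognitoClient.createGroup(CreateGroupRequest.builder().groupName(role).userPoolId(userPoolId).build());
        } catch (GroupExistsException ignored) {
            // Expected on every call after the first for a given role.
        }
    }

    /**
     * Removes the user from the groups named in {@code roles}.
     *
     * @throws SecurityException if any removal fails
     */
    @Override
    public void removeRoles(String username, Set<String> roles) throws SecurityException {
        if (roles == null || roles.isEmpty()) {
            return;
        }
        try {
            for (String role : roles) {
                cognitoClient.adminRemoveUserFromGroup(AdminRemoveUserFromGroupRequest.builder()
                        .userPoolId(userPoolId)
                        .username(username)
                        .groupName(role)
                        .build());
            }
        } catch (Exception e) {
            Log.error("Failed to remove roles", e);
            throw new SecurityException("Failed to remove roles");
        }
    }

    /** Roles are Cognito group names; see {@link #getUserGroups(String)} for the failure behaviour. */
    @Override
    public Set<String> getUserRoles(String username) throws SecurityException {
        return getUserGroups(username);
    }
}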
