package com.enonic.xp.lib.auth;

import com.enonic.xp.context.Context;
import com.enonic.xp.context.ContextBuilder;
import com.enonic.xp.script.bean.BeanContext;
import com.enonic.xp.script.bean.ScriptBean;
import com.enonic.xp.security.PrincipalKey;
import com.enonic.xp.security.RoleKeys;
import com.enonic.xp.security.SecurityConstants;
import com.enonic.xp.security.SecurityService;
import com.enonic.xp.security.User;
import com.enonic.xp.security.UserStore;
import com.enonic.xp.security.UserStoreKey;
import com.enonic.xp.security.UserStores;
import com.enonic.xp.security.auth.AuthenticationInfo;
import com.enonic.xp.security.auth.EmailPasswordAuthToken;
import com.enonic.xp.security.auth.UsernamePasswordAuthToken;
import com.enonic.xp.security.auth.VerifiedEmailAuthToken;
import com.enonic.xp.security.auth.VerifiedUsernameAuthToken;
import com.enonic.xp.session.Session;
import java.util.Comparator;
import java.util.Iterator;
import java.util.concurrent.Callable;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import org.apache.commons.lang.StringUtils;

/* loaded from: input_file:com/enonic/xp/lib/auth/LoginHandler.class */
/**
 * Script bean that authenticates a login name (username or e-mail address) against one or
 * more user stores and, on success, attaches the resulting {@link AuthenticationInfo} to the
 * current session.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>When {@code skipAuth} is set, the {@code Verified*AuthToken} types are used and the
 *       password is never placed on the token. Presumably the security service accepts these
 *       without a credential check (confirm against {@code SecurityService}); callers should
 *       only set the flag after the identity has been established by other means.</li>
 *   <li>When no user store is given, every existing store is tried in key order and the first
 *       successful authentication wins.</li>
 *   <li>A failed login always reports the same {@code "Access Denied"} message, regardless of
 *       whether the account or the password was wrong.</li>
 * </ul>
 *
 * <p>NOTE(review): no throttling or lockout of repeated attempts is visible here; confirm it is
 * enforced by the security service or by the calling layer.
 */
public final class LoginHandler implements ScriptBean {
    // Login name supplied by the script; treated as an e-mail address when it contains one '@'.
    private String user;
    // Plain-text password supplied by the script; unused when skipAuth is true.
    private String password;
    // When true, authentication is attempted with "verified" tokens that carry no password.
    private boolean skipAuth;
    // Keys of the user stores to try, in caller-supplied order; null/empty means "all stores".
    private String[] userStore;
    private Supplier<SecurityService> securityService;
    private Supplier<Context> context;

    public void setUser(String str) {
        this.user = str;
    }

    public void setPassword(String str) {
        this.password = str;
    }

    public void setSkipAuth(boolean z) {
        this.skipAuth = z;
    }

    public void setUserStore(String[] strArr) {
        this.userStore = strArr;
    }

    /**
     * Runs the login attempt and, when it succeeds, stores the authentication info in the
     * session of the current context (if a session exists).
     *
     * @return a mapper wrapping the authentication info; for a failed attempt it also carries
     *         the fixed message {@code "Access Denied"}
     */
    public LoginResultMapper login() {
        final AuthenticationInfo authInfo;
        if (noUserStoreSpecified()) {
            authInfo = attemptLoginWithAllExistingUserStores();
        } else {
            authInfo = attemptLogin();
        }

        if (authInfo.isAuthenticated()) {
            // NOTE(review): the identity is attached to the session that already exists; no
            // session renewal is visible in this method. Confirm that the session identifier
            // is rotated elsewhere on privilege change (session-fixation hardening).
            final Session currentSession = this.context.get().getLocalScope().getSession();
            if (currentSession != null) {
                currentSession.setAttribute(authInfo);
            }
            return new LoginResultMapper(authInfo);
        }

        // Same message for every failure cause, so the response does not reveal which part
        // of the credentials was wrong.
        return new LoginResultMapper(authInfo, "Access Denied");
    }

    /** Returns true when the caller did not restrict the login to specific user stores. */
    private boolean noUserStoreSpecified() {
        return !(this.userStore != null && this.userStore.length > 0);
    }

    /**
     * Tries every existing user store, ordered by the string form of its key, and returns the
     * first successful authentication.
     *
     * <p>If the same login name exists in several stores, the store that sorts first wins.
     * Together with {@code skipAuth} this means the login name alone selects the account, so
     * callers that skip authentication should prefer naming the store explicitly.
     */
    private AuthenticationInfo attemptLoginWithAllExistingUserStores() {
        // Listing the stores is done in the elevated context built by runAsAuthenticated.
        final UserStores allStores = runAsAuthenticated(this::getSortedUserStores);
        for (UserStore store : allStores) {
            final AuthenticationInfo candidate = authenticate(store.getKey());
            if (candidate != null && candidate.isAuthenticated()) {
                return candidate;
            }
        }
        return AuthenticationInfo.unAuthenticated();
    }

    /** Fetches all user stores and returns them sorted by {@code getKey().toString()}. */
    private UserStores getSortedUserStores() {
        final UserStores unsorted = this.securityService.get().getUserStores();
        return UserStores.from(unsorted.stream()
            .sorted(Comparator.comparing(store -> store.getKey().toString()))
            .collect(Collectors.toList()));
    }

    /**
     * Tries the caller-supplied user stores in the given order and returns the first
     * successful authentication, or an unauthenticated result when none succeeds.
     */
    private AuthenticationInfo attemptLogin() {
        for (String storeName : this.userStore) {
            final AuthenticationInfo candidate = authenticate(UserStoreKey.from(storeName));
            if (candidate != null && candidate.isAuthenticated()) {
                return candidate;
            }
        }
        return AuthenticationInfo.unAuthenticated();
    }

    /**
     * Authenticates the configured login name against one user store.
     *
     * <p>A name that looks like an e-mail address is first tried as an e-mail; if that does
     * not authenticate (or the name is not e-mail shaped) it is tried as a username. A single
     * call can therefore result in up to two authentication requests against the store.
     *
     * @param userStoreKey the store to authenticate against
     * @return the result of the last attempt made; may be {@code null} if the security service
     *         returns {@code null}
     */
    private AuthenticationInfo authenticate(UserStoreKey userStoreKey) {
        AuthenticationInfo byEmail = null;
        if (isValidEmail(this.user)) {
            byEmail = this.skipAuth
                ? authenticateVerifiedEmail(userStoreKey)
                : authenticateEmailPassword(userStoreKey);
        }
        if (byEmail != null && byEmail.isAuthenticated()) {
            return byEmail;
        }
        return this.skipAuth
            ? authenticateVerifiedUsername(userStoreKey)
            : authenticateUsernamePassword(userStoreKey);
    }

    /** E-mail login without a password; only reached when {@code skipAuth} is set. */
    private AuthenticationInfo authenticateVerifiedEmail(UserStoreKey userStoreKey) {
        final VerifiedEmailAuthToken token = new VerifiedEmailAuthToken();
        token.setEmail(this.user);
        token.setUserStore(userStoreKey);
        return runAsAuthenticated(() -> this.securityService.get().authenticate(token));
    }

    /** E-mail login checked against the supplied password. */
    private AuthenticationInfo authenticateEmailPassword(UserStoreKey userStoreKey) {
        final EmailPasswordAuthToken token = new EmailPasswordAuthToken();
        token.setEmail(this.user);
        token.setPassword(this.password);
        token.setUserStore(userStoreKey);
        return runAsAuthenticated(() -> this.securityService.get().authenticate(token));
    }

    /** Username login without a password; only reached when {@code skipAuth} is set. */
    private AuthenticationInfo authenticateVerifiedUsername(UserStoreKey userStoreKey) {
        final VerifiedUsernameAuthToken token = new VerifiedUsernameAuthToken();
        token.setUsername(this.user);
        token.setUserStore(userStoreKey);
        return runAsAuthenticated(() -> this.securityService.get().authenticate(token));
    }

    /** Username login checked against the supplied password. */
    private AuthenticationInfo authenticateUsernamePassword(UserStoreKey userStoreKey) {
        final UsernamePasswordAuthToken token = new UsernamePasswordAuthToken();
        token.setUsername(this.user);
        token.setPassword(this.password);
        token.setUserStore(userStoreKey);
        return runAsAuthenticated(() -> this.securityService.get().authenticate(token));
    }

    /**
     * Runs {@code callable} in a context derived from the current one, with the anonymous user
     * granted the {@code AUTHENTICATED} role and with the security repository and branch
     * selected.
     *
     * <p>This raises the privileges of a not-yet-authenticated caller for the duration of the
     * call, so the callables passed in should stay limited to the store lookup and the
     * authentication request themselves.
     */
    private <T> T runAsAuthenticated(Callable<T> callable) {
        final ContextBuilder builder = ContextBuilder.from(this.context.get());
        final AuthenticationInfo elevatedAuthInfo = AuthenticationInfo.create()
            .principals(RoleKeys.AUTHENTICATED)
            .user(User.ANONYMOUS)
            .build();
        final Context elevatedContext = builder
            .authInfo(elevatedAuthInfo)
            .repositoryId(SecurityConstants.SECURITY_REPO.getId())
            .branch(SecurityConstants.BRANCH_SECURITY)
            .build();
        return elevatedContext.callWith(callable);
    }

    /**
     * Decides whether the login name is routed through the e-mail token first.
     *
     * <p>Despite the name this is not an address validation: it only checks that the string
     * contains exactly one {@code '@'}.
     */
    private boolean isValidEmail(String str) {
        final int atSigns = StringUtils.countMatches(str, "@");
        return atSigns == 1;
    }

    /** Resolves the security service and the context binding from the script bean context. */
    public void initialize(BeanContext beanContext) {
        this.securityService = beanContext.getService(SecurityService.class);
        this.context = beanContext.getBinding(Context.class);
    }
}
