package inc.yukawa.chain.security.service;

import inc.yukawa.chain.security.domain.AccessToken;
import inc.yukawa.chain.security.domain.Account;
import inc.yukawa.chain.security.domain.Credentials;
import inc.yukawa.chain.security.domain.RoleContext;
import inc.yukawa.chain.security.jwt.token.JwsAccessToken;
import inc.yukawa.chain.security.jwt.token.json.JsonWebAuthenticationToken;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import javax.security.auth.login.AccountNotFoundException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.ReactiveSecurityContextHolder;
import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;
import reactor.core.publisher.Mono;

/* loaded from: input_file:inc/yukawa/chain/security/service/OrgTokenAuthService.class */
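/**
 * Token authentication service that ties every issued token to one organisation.
 *
 * <p>The organisation is resolved at login by {@link #hasAccess(Credentials, Account)} and stored
 * on the {@link Credentials}. {@link #buildDetails} then copies it into the token details under
 * {@code "orgId"}, and {@link #findRoles} uses it to pick the matching {@link RoleContext}.
 *
 * <p>Resolution order at login:
 * <ol>
 *   <li>{@code chain.security.fixedOrgId}, when configured, always wins;</li>
 *   <li>when {@code chain.security.checkOrg} is {@code false} the requested org is not checked;</li>
 *   <li>otherwise the requested org (or the account's {@code defaultOrgId}, or its only allowed
 *       org) must be listed in the account details under {@code organisationIds}.</li>
 * </ol>
 *
 * <p>Every path that cannot establish an allowed organisation denies access.
 */
public class OrgTokenAuthService extends TokenAuthService {
    private static final Logger log = LoggerFactory.getLogger(OrgTokenAuthService.class);

    /** Account-details key holding the organisation ids the account may use. */
    private static final String ORGANISATION_IDS_KEY = "organisationIds";

    /** Account-details key holding the organisation used when the client names none. */
    private static final String DEFAULT_ORG_ID_KEY = "defaultOrgId";

    // Optional: when set, every login is pinned to this organisation (defaults to null).
    @Value("${chain.security.fixedOrgId:#{null}}")
    private String fixedOrgId;

    // Required property (no default in the placeholder): enables the organisationIds check at login.
    @Value("${chain.security.checkOrg}")
    private boolean checkOrg;

    @Autowired
    public OrgTokenAuthService(ReactiveUserDetailsService reactiveUserDetailsService, TokenFactory<Authentication, JwsAccessToken, Jws<Claims>> tokenFactory, PasswordEncoder passwordEncoder) {
        super(reactiveUserDetailsService, tokenFactory, passwordEncoder);
    }

    /**
     * Decides whether the login may proceed and fixes the organisation on {@code credentials}.
     *
     * <p>Side effect: may call {@code credentials.setOrgId(...)} with the fixed org, the account's
     * default org, or the account's single allowed org.
     *
     * @param credentials the login request; its org id is client-supplied and may be {@code null}
     * @param account     the account being logged in
     * @return {@code true} when access is granted, {@code false} when it is denied
     * @throws RuntimeException wrapping an {@link AccountNotFoundException} when an org id is
     *                          present but not in the account's allowed list
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // inc.yukawa.chain.security.service.TokenAuthService
    public boolean hasAccess(Credentials credentials, Account account) {
        if (!super.hasAccess(credentials, account)) {
            return false;
        }
        if (this.fixedOrgId != null) {
            // Deployment is pinned to one org: overwrite whatever the client sent.
            credentials.setOrgId(this.fixedOrgId);
            return true;
        }
        if (!this.checkOrg) {
            // NOTE(review): the client-supplied org id is accepted unchecked here and may be null;
            // findRoles() then yields no roles for a null org.
            return true;
        }
        Map<?, ?> details = account.getDetails();
        List<?> allowedOrgIds = allowedOrgIds(details);
        if (allowedOrgIds.isEmpty()) {
            log.debug("hasAccess: {} denied - No allowed orgs", credentials.getUsername());
            return false;
        }
        if (credentials.getOrgId() == null) {
            // A non-empty allowed list implies details is non-null at this point.
            Object defaultOrgId = details.get(DEFAULT_ORG_ID_KEY);
            if (defaultOrgId instanceof String) {
                credentials.setOrgId((String) defaultOrgId);
            }
        }
        String orgId = credentials.getOrgId();
        if (orgId != null) {
            if (allowedOrgIds.contains(orgId)) {
                return true;
            }
            log.debug("hasAccess: {} denied - access to org {} not allowed. {}", credentials.getUsername(), orgId, allowedOrgIds);
            // NOTE(review): the message carries the account's full allowed-org list. If this
            // exception text can reach the client it discloses the account's organisations;
            // confirm how callers render it, and consider keeping the list in the log only.
            throw new RuntimeException(new AccountNotFoundException("INVALID ORG : " + orgId + " : " + allowedOrgIds));
        }
        if (allowedOrgIds.size() == 1) {
            // No org requested and no default: an account with exactly one org uses that one.
            Object onlyOrgId = allowedOrgIds.get(0);
            if (onlyOrgId instanceof String) {
                credentials.setOrgId((String) onlyOrgId);
                return true;
            }
        }
        // NOTE(review): this logs the whole Credentials object; confirm its toString() does not
        // include the password before enabling debug logging in production.
        log.debug("hasAccess: {} denied - no orgId found {}", credentials.getUsername(), credentials);
        return false;
    }

    /**
     * Builds the token details: a copy of the account details plus the resolved {@code "orgId"}.
     *
     * @param credentials credentials carrying the resolved org id
     * @param account     the authenticated account
     * @return a new mutable map; never {@code null}
     */
    @Override // inc.yukawa.chain.security.service.TokenAuthService
    protected Map<String, Object> buildDetails(Credentials credentials, Account account) {
        Map<String, Object> tokenDetails = new HashMap<>();
        Map<String, ?> accountDetails = account.getDetails();
        if (accountDetails != null) {
            tokenDetails.putAll(accountDetails);
        }
        // Written after the copy so the resolved org replaces any "orgId" stored in the account details.
        tokenDetails.put("orgId", credentials.getOrgId());
        return tokenDetails;
    }

    /**
     * Returns the roles of the role context whose org id equals the org on {@code credentials}.
     *
     * <p>Returns no roles when the credentials carry no org id, when no context matches, or when
     * the matching context has no role set.
     *
     * @param credentials credentials carrying the resolved org id (may be {@code null})
     * @param account     the authenticated account
     * @return the matching roles, or an empty set; never {@code null}
     */
    @Override // inc.yukawa.chain.security.service.TokenAuthService
    protected Set<String> findRoles(Credentials credentials, Account account) {
        String orgId = credentials.getOrgId();
        Set<RoleContext> roleContexts = account.getRoleContexts();
        // orgId is null when checkOrg is disabled and the client sent none; grant nothing rather
        // than dereference it.
        if (orgId != null && roleContexts != null) {
            for (RoleContext roleContext : roleContexts) {
                if (roleContext != null && orgId.equals(roleContext.getOrgId())) {
                    Set<String> roles = roleContext.getRoles();
                    return roles != null ? roles : Collections.emptySet();
                }
            }
        }
        log.debug("findRoles: {} - no roleContext for org {} ", credentials.getUsername(), orgId);
        return Collections.emptySet();
    }

    /**
     * Issues a fresh access/refresh token pair for the current user, bound to organisation {@code str}.
     *
     * <p>The user name comes from the reactive security context, not from the caller. The account
     * is reloaded and the target org is checked with {@link #hasAccess(Account, String)} before any
     * token is created. On denial an {@code auth:denied} event is fired and the Mono fails with
     * {@link BadCredentialsException}.
     *
     * @param str the organisation id to switch to
     * @return a Mono emitting the token map produced by {@code buildTokenMap}
     */
    @Override // inc.yukawa.chain.security.service.TokenAuthService
    /* renamed from: switchOrg */
    public Mono<Map<String, Object>> mo1switchOrg(String str) {
        return ReactiveSecurityContextHolder.getContext()
                .map(securityContext -> securityContext.getAuthentication().getName())
                .flatMap(this::loadAccount)
                .map(account -> {
                    String username = account.getUsername();
                    // NOTE(review): logs the whole Account; confirm its toString() omits the
                    // password hash and other secrets.
                    log.debug("switchOrg: {} {} {}", username, str, account);
                    if (!hasAccess(account, str)) {
                        log.debug("switchOrg: {} {} failed - invalid status or org", username, str);
                        fireEvent("auth:denied", username, null);
                        throw new BadCredentialsException(username);
                    }
                    // No password: the caller is already authenticated; only the org changes.
                    Credentials credentials = new Credentials(username, (String) null, str);
                    Map<String, Object> buildDetails = buildDetails(credentials, account);
                    log.debug("switchOrg: {} {} details {}", username, str, buildDetails);
                    // Roles are recomputed for the target org, so the new token never carries
                    // the previous org's roles.
                    List authorities = (List) findRoles(credentials, account).stream().map(SimpleGrantedAuthority::new).collect(Collectors.toList());
                    JsonWebAuthenticationToken jsonWebAuthenticationToken = new JsonWebAuthenticationToken(account.getUsername(), (Object) null, buildDetails, authorities);
                    AccessToken<?> accessToken = (AccessToken) this.tokenFactory.createAccessToken(jsonWebAuthenticationToken);
                    AccessToken<?> refreshToken = (AccessToken) this.tokenFactory.createRefreshToken(jsonWebAuthenticationToken);
                    fireEvent("auth:authenticated", username, accessToken);
                    return buildTokenMap(accessToken, refreshToken, account);
                });
    }

    /**
     * Checks whether {@code account} may act in organisation {@code str} (used by org switching).
     *
     * <p>NOTE(review): unlike the login check, this path consults neither {@code fixedOrgId} nor
     * {@code checkOrg}. With {@code fixedOrgId} configured, a user whose {@code organisationIds}
     * lists other orgs can still obtain a token for them here; confirm that is intended.
     *
     * @param account the account of the current user
     * @param str     the requested organisation id
     * @return {@code true} only when the account passes the base check and lists {@code str}
     */
    protected boolean hasAccess(Account account, String str) {
        if (!hasAccess(account)) {
            return false;
        }
        List<?> allowedOrgIds = allowedOrgIds(account.getDetails());
        if (allowedOrgIds.isEmpty()) {
            log.debug("hasAccess: {} denied - No allowed orgs", account.getUsername());
            return false;
        }
        if (allowedOrgIds.contains(str)) {
            return true;
        }
        log.debug("hasAccess: {} denied - org {} not allowed", account.getUsername(), str);
        return false;
    }

    /** Reads the allowed organisation ids from the details; empty when missing or not a list. */
    private static List<?> allowedOrgIds(Map<?, ?> details) {
        if (details == null) {
            return Collections.emptyList();
        }
        Object value = details.get(ORGANISATION_IDS_KEY);
        return value instanceof List ? (List<?>) value : Collections.emptyList();
    }
}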
