package org.jahia.community.aws.cognito.client;

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.locks.ReentrantLock;
import java.util.function.BiFunction;
import java.util.function.Function;
import java.util.function.IntPredicate;
import java.util.stream.Collectors;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
import org.jahia.community.aws.cognito.api.AwsCognitoConfiguration;
import org.json.JSONException;
import org.json.JSONObject;
import org.osgi.service.component.annotations.Component;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.cognitoidentityprovider.CognitoIdentityProviderClient;
import software.amazon.awssdk.services.cognitoidentityprovider.CognitoIdentityProviderClientBuilder;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminListGroupsForUserRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminListGroupsForUserResponse;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AuthFlowType;
import software.amazon.awssdk.services.cognitoidentityprovider.model.GetGroupRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.GetGroupResponse;
import software.amazon.awssdk.services.cognitoidentityprovider.model.GroupType;
import software.amazon.awssdk.services.cognitoidentityprovider.model.InitiateAuthRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.InitiateAuthResponse;
import software.amazon.awssdk.services.cognitoidentityprovider.model.ListGroupsRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.ListGroupsResponse;
import software.amazon.awssdk.services.cognitoidentityprovider.model.ListUsersInGroupRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.ListUsersInGroupResponse;
import software.amazon.awssdk.services.cognitoidentityprovider.model.ListUsersRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.ListUsersResponse;
import software.amazon.awssdk.services.cognitoidentityprovider.model.UserType;

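/**
 * Thin wrapper around the AWS Cognito Identity Provider API used by the Jahia AWS Cognito integration.
 *
 * <p>Every public operation takes the {@link AwsCognitoConfiguration} to use, builds a fresh SDK client from the
 * region and the static access key / secret key held by that configuration, runs the call while holding
 * {@link #lock}, closes the client again and maps the result to an {@code Optional}. Failures are never propagated
 * to the caller: they are logged at WARN (stack trace at DEBUG) and reported as an empty result, and a paginated
 * listing that fails part way through returns the pages received so far.
 *
 * <p>Operational note: with DEBUG enabled, every listing/lookup response is logged verbatim, i.e. including the
 * returned user and group attributes. The {@code InitiateAuth} response is deliberately not logged that way,
 * because it carries the session's bearer tokens.
 */
@Component(service = {AwsCognitoClientService.class})
public class AwsCognitoClientService {
    private static final Logger logger = LoggerFactory.getLogger(AwsCognitoClientService.class);
    private static final String HMAC_SHA256 = "HmacSHA256";
    /** Serialises every Cognito call made through this service; each call opens and closes its own SDK client. */
    private final ReentrantLock lock = new ReentrantLock();

    /** Items of one page of a paginated listing plus the token of the next page ({@code null} on the last page). */
    private static final class Page<T> {
        private final List<T> items;
        private final String nextToken;

        Page(List<T> items, String nextToken) {
            // A missing or empty page is normalised to an empty list so the loop below can stop on it.
            this.items = CollectionUtils.isEmpty(items) ? Collections.<T>emptyList() : items;
            this.nextToken = nextToken;
        }
    }

    /**
     * Builds a new SDK client for the region and the static credentials held by {@code configuration}.
     * The caller owns the returned client and must close it.
     */
    private static CognitoIdentityProviderClient getCognitoIdentityProviderClient(AwsCognitoConfiguration configuration) {
        AwsBasicCredentials credentials =
                AwsBasicCredentials.create(configuration.getAccessKeyId(), configuration.getSecretAccessKey());
        CognitoIdentityProviderClientBuilder builder = CognitoIdentityProviderClient.builder()
                .region(Region.of(configuration.getRegion()))
                .credentialsProvider(StaticCredentialsProvider.create(credentials));
        return builder.build();
    }

    /**
     * Runs {@code call} against a freshly built client while holding {@link #lock}, then closes the client.
     *
     * <p>The lock is taken immediately before the {@code try}/{@code finally}, so a failure while building the
     * client (or anything thrown by {@code call}) cannot leave it held and block every later call.
     *
     * @return whatever {@code call} returns
     * @throws RuntimeException whatever {@code call} or the SDK throws; callers turn that into an empty result
     */
    private <T> T withClient(AwsCognitoConfiguration configuration, Function<CognitoIdentityProviderClient, T> call) {
        lock.lock();
        try (CognitoIdentityProviderClient client = getCognitoIdentityProviderClient(configuration)) {
            return call.apply(client);
        } finally {
            lock.unlock();
        }
    }

    /** Logs the full SDK response at DEBUG; it includes every attribute Cognito returned. */
    private static void logResponse(Object response) {
        if (logger.isDebugEnabled()) {
            logger.debug(response.toString());
        }
    }

    /** Reports a failed call at WARN and its stack trace at DEBUG; the caller then returns an empty result. */
    private static void logFailure(Exception e, String message, Object... args) {
        logger.warn(message, args);
        if (logger.isDebugEnabled()) {
            logger.debug("", e);
        }
    }

    /**
     * Collects the items of a paginated Cognito listing, one page after the other, on a single client and under a
     * single lock acquisition.
     *
     * <p>Fetching stops at the first empty page, when Cognito returns no next-page token, or when
     * {@code wantMore} rejects the number of items collected so far. If a page fails, the failure is logged and
     * the items received before it are returned (a possibly truncated list), which is how callers always treated
     * pagination errors.
     *
     * @param fetchPage      performs one call: {@code (client, nextToken or null for the first page) -> page}
     * @param wantMore       given the item count collected so far, whether another page should be requested
     * @param failureMessage SLF4J message logged at WARN when a page fails, with {@code failureArgs} as its arguments
     * @return the collected items, never {@code null}
     */
    private <T> List<T> fetchPages(AwsCognitoConfiguration configuration,
                                   BiFunction<CognitoIdentityProviderClient, String, Page<T>> fetchPage,
                                   IntPredicate wantMore,
                                   String failureMessage, Object... failureArgs) {
        List<T> collected = new ArrayList<>();
        try {
            withClient(configuration, client -> {
                String nextToken = null;
                do {
                    Page<T> page = fetchPage.apply(client, nextToken);
                    if (page.items.isEmpty()) {
                        break;
                    }
                    collected.addAll(page.items);
                    nextToken = page.nextToken;
                } while (nextToken != null && wantMore.test(collected.size()));
                return null;
            });
        } catch (Exception e) {
            logFailure(e, failureMessage, failureArgs);
        }
        return collected;
    }

    /** Maps the SDK objects to the module's own types; empty when nothing was received. */
    private static <S, T> Optional<List<T>> toOptionalList(List<S> source, Function<S, T> mapper) {
        if (source.isEmpty()) {
            return Optional.empty();
        }
        return Optional.of(source.stream().map(mapper).collect(Collectors.toList()));
    }

    /**
     * Cuts the window {@code [offset, offset + limit)} out of {@code items}; {@code limit == -1} means everything.
     * A window that lies partly or fully outside the list is clamped to it instead of throwing.
     */
    private static <T> List<T> window(List<T> items, int offset, int limit) {
        if (limit == -1) {
            return items;
        }
        int size = items.size();
        int from = Math.min(Math.max(offset, 0), size);
        // long arithmetic: offset + limit may exceed Integer.MAX_VALUE
        int to = (int) Math.max(from, Math.min(size, (long) offset + limit));
        return items.subList(from, to);
    }

    /** One page of {@code ListUsers} for the whole pool. */
    private static Page<UserType> usersPage(AwsCognitoConfiguration configuration,
                                            CognitoIdentityProviderClient client, String paginationToken) {
        ListUsersRequest.Builder request = ListUsersRequest.builder().userPoolId(configuration.getUserPoolId());
        if (paginationToken != null) {
            request.paginationToken(paginationToken);
        }
        ListUsersResponse response = client.listUsers(request.build());
        logResponse(response);
        return new Page<>(response.hasUsers() ? response.users() : null, response.paginationToken());
    }

    /** One page of {@code ListUsersInGroup} for {@code groupName}. */
    private static Page<UserType> groupMembersPage(AwsCognitoConfiguration configuration, String groupName,
                                                   CognitoIdentityProviderClient client, String nextToken) {
        ListUsersInGroupRequest.Builder request = ListUsersInGroupRequest.builder()
                .userPoolId(configuration.getUserPoolId())
                .groupName(groupName);
        if (nextToken != null) {
            request.nextToken(nextToken);
        }
        ListUsersInGroupResponse response = client.listUsersInGroup(request.build());
        logResponse(response);
        return new Page<>(response.hasUsers() ? response.users() : null, response.nextToken());
    }

    /** One page of {@code ListGroups} for the whole pool. */
    private static Page<GroupType> groupsPage(AwsCognitoConfiguration configuration,
                                              CognitoIdentityProviderClient client, String nextToken) {
        ListGroupsRequest.Builder request = ListGroupsRequest.builder().userPoolId(configuration.getUserPoolId());
        if (nextToken != null) {
            request.nextToken(nextToken);
        }
        ListGroupsResponse response = client.listGroups(request.build());
        logResponse(response);
        return new Page<>(response.hasGroups() ? response.groups() : null, response.nextToken());
    }

    /** One page of {@code AdminListGroupsForUser} for {@code username}. */
    private static Page<GroupType> membershipPage(AwsCognitoConfiguration configuration, String username,
                                                  CognitoIdentityProviderClient client, String nextToken) {
        AdminListGroupsForUserRequest.Builder request = AdminListGroupsForUserRequest.builder()
                .userPoolId(configuration.getUserPoolId())
                .username(username);
        if (nextToken != null) {
            request.nextToken(nextToken);
        }
        AdminListGroupsForUserResponse response = client.adminListGroupsForUser(request.build());
        logResponse(response);
        return new Page<>(response.hasGroups() ? response.groups() : null, response.nextToken());
    }

    /**
     * Looks up the first user whose {@code attribute} starts with {@code value}.
     *
     * <p>The Cognito {@code ListUsers} filter sent is {@code <attribute>^="<value>"}. {@code ^=} is Cognito's
     * starts-with operator, so several users may match and only the first one Cognito returns is used.
     * NOTE(review): if callers rely on this for exact identity resolution, {@code =} would be the safer operator;
     * confirm with the callers before changing it. Because the value is spliced into the quoted filter string
     * as-is, a value containing a double quote or a backslash (the characters that change the meaning of the
     * quoted string) is refused here and yields an empty result.
     *
     * @param configuration pool, region and credentials to use
     * @param attribute     name of the attribute to filter on
     * @param value         prefix the attribute must have
     * @return the first matching user, or empty when none matches, the value is unusable, or the call fails
     */
    public Optional<AwsCognitoUser> getUser(AwsCognitoConfiguration configuration, String attribute, String value) {
        if (value == null || value.indexOf('"') >= 0 || value.indexOf('\\') >= 0) {
            logger.warn("Refusing to search {}: value is missing or contains a quoting character", attribute);
            return Optional.empty();
        }
        try {
            ListUsersRequest request = ListUsersRequest.builder()
                    .userPoolId(configuration.getUserPoolId())
                    .filter(attribute + "^=\"" + value + "\"")
                    .build();
            ListUsersResponse response = withClient(configuration, client -> client.listUsers(request));
            logResponse(response);
            if (!response.hasUsers() || CollectionUtils.isEmpty(response.users())) {
                return Optional.empty();
            }
            return Optional.of(new AwsCognitoUser(response.users().get(0)));
        } catch (Exception e) {
            logFailure(e, "Unable to get user searching {}:{}", attribute, value);
            return Optional.empty();
        }
    }

    /**
     * Lists the users of the pool, in Cognito's order, restricted to the window {@code [offset, offset + limit)}.
     *
     * <p>Pages are fetched until Cognito reports no further page or until more than {@code offset + limit}
     * users have been collected; the window is then cut out of the collected list. A window lying beyond the
     * end of the list yields an empty list rather than an exception.
     *
     * @param offset index of the first user to return
     * @param limit  maximum number of users to return, or {@code -1} for all of them
     * @return the users in the window, or empty when not a single user was received
     */
    public Optional<List<AwsCognitoUser>> getUsers(AwsCognitoConfiguration configuration, int offset, int limit) {
        List<UserType> users = fetchPages(configuration,
                (client, token) -> usersPage(configuration, client, token),
                size -> limit == -1 || size <= (long) offset + limit,
                "Unable to get users");
        return toOptionalList(users, AwsCognitoUser::new).map(all -> window(all, offset, limit));
    }

    /**
     * Lists every member of {@code groupName}, following pagination to the end.
     *
     * @return the members, or empty when not a single member was received (unknown group, empty group or failure)
     */
    public Optional<List<AwsCognitoUser>> getGroupMembers(AwsCognitoConfiguration configuration, String groupName) {
        List<UserType> members = fetchPages(configuration,
                (client, token) -> groupMembersPage(configuration, groupName, client, token),
                size -> true,
                "Unable to get group {} members", groupName);
        return toOptionalList(members, AwsCognitoUser::new);
    }

    /**
     * Fetches a single group by name.
     *
     * @return the group, or empty when Cognito returns no group for that name or the call fails
     */
    public Optional<AwsCognitoGroup> getGroup(AwsCognitoConfiguration configuration, String groupName) {
        try {
            GetGroupRequest request = GetGroupRequest.builder()
                    .userPoolId(configuration.getUserPoolId())
                    .groupName(groupName)
                    .build();
            GetGroupResponse response = withClient(configuration, client -> client.getGroup(request));
            logResponse(response);
            return Optional.ofNullable(response.group()).map(AwsCognitoGroup::new);
        } catch (Exception e) {
            logFailure(e, "Unable to get group: {}", groupName);
            return Optional.empty();
        }
    }

    /**
     * Lists the groups of the pool whose name contains {@code nameFilter} (case-insensitive; {@code null} keeps
     * them all), restricted to the window {@code [offset, offset + limit)}.
     *
     * <p>The name filter is applied locally, so every page of {@code ListGroups} is always fetched before the
     * filter and the window are applied.
     *
     * @param nameFilter substring the group name must contain, or {@code null} for no filtering
     * @param offset     index of the first matching group to return
     * @param limit      maximum number of groups to return, or {@code -1} for all of them
     * @return the matching groups in the window, or empty when not a single group was received
     */
    public Optional<List<AwsCognitoGroup>> getGroups(AwsCognitoConfiguration configuration, String nameFilter,
                                                     int offset, int limit) {
        List<GroupType> groups = fetchPages(configuration,
                (client, token) -> groupsPage(configuration, client, token),
                size -> true,
                "Unable to get groups");
        if (groups.isEmpty()) {
            return Optional.empty();
        }
        List<AwsCognitoGroup> matching = groups.stream()
                .filter(group -> nameFilter == null || StringUtils.containsIgnoreCase(group.groupName(), nameFilter))
                .map(AwsCognitoGroup::new)
                .collect(Collectors.toList());
        return Optional.of(window(matching, offset, limit));
    }

    /**
     * Lists every group {@code username} belongs to, following pagination to the end.
     *
     * @return the groups, or empty when not a single group was received (unknown user, no membership or failure)
     */
    public Optional<List<AwsCognitoGroup>> getMembership(AwsCognitoConfiguration configuration, String username) {
        List<GroupType> groups = fetchPages(configuration,
                (client, token) -> membershipPage(configuration, username, client, token),
                size -> true,
                "Unable to get membership for user: {}", username);
        return toOptionalList(groups, AwsCognitoGroup::new);
    }

    /**
     * Authenticates {@code username}/{@code password} with the {@code USER_PASSWORD_AUTH} flow and returns the
     * Cognito subject ({@code sub} claim) of the authenticated user.
     *
     * <p>The subject is read from the id token that Cognito itself has just returned over the SDK's TLS
     * connection, so its signature is not verified here; {@link #extractSubject(String)} must not be reused for
     * tokens that arrive from a client. Neither the password nor the returned tokens are logged.
     *
     * @return the subject, or empty when authentication fails, Cognito returns no authentication result
     *         (e.g. a pending challenge), or the id token cannot be read
     */
    public Optional<String> login(AwsCognitoConfiguration configuration, String username, String password) {
        try {
            Map<String, String> authParameters = new HashMap<>();
            authParameters.put("USERNAME", username);
            authParameters.put("PASSWORD", password);
            authParameters.put("SECRET_HASH",
                    calculateSecretHash(configuration.getClientId(), configuration.getClientSecret(), username));
            InitiateAuthRequest request = InitiateAuthRequest.builder()
                    .clientId(configuration.getClientId())
                    .authFlow(AuthFlowType.USER_PASSWORD_AUTH)
                    .authParameters(authParameters)
                    .build();
            InitiateAuthResponse response = withClient(configuration, client -> client.initiateAuth(request));
            // Not logged verbatim: the response carries the session's bearer tokens (the id token read below among them).
            if (logger.isDebugEnabled()) {
                logger.debug("InitiateAuth for user {}: authentication result {}", username,
                        response.authenticationResult() == null ? "absent" : "present");
            }
            return Optional.ofNullable(response.authenticationResult())
                    .map(result -> result.idToken())
                    .map(AwsCognitoClientService::extractSubject);
        } catch (Exception e) {
            logFailure(e, "Unable to log in user: {}", username);
            return Optional.empty();
        }
    }

    /**
     * Reads the {@code sub} claim from the payload segment of a JWT, without verifying it (see {@link #login}).
     *
     * <p>JWT segments are base64url-encoded (RFC 7515) and unpadded, hence the URL decoder: the basic decoder
     * rejects the {@code -} and {@code _} characters of that alphabet and would make the login fail for any
     * token whose payload happens to contain them.
     *
     * @return the subject, or {@code null} when the token does not have a readable payload with a {@code sub}
     */
    private static String extractSubject(String idToken) {
        String[] segments = idToken.split("\\.");
        if (segments.length < 2) {
            logger.error("Unexpected id token format: no payload segment");
            return null;
        }
        try {
            byte[] payload = Base64.getUrlDecoder().decode(segments[1]);
            return new JSONObject(new String(payload, StandardCharsets.UTF_8)).getString("sub");
        } catch (IllegalArgumentException | JSONException e) {
            logger.error("Unable to read the 'sub' claim from the id token", e);
            return null;
        }
    }

    /**
     * Computes Cognito's {@code SECRET_HASH}: Base64 of HMAC-SHA256 over {@code username + clientId}, keyed with
     * the app client secret.
     *
     * @throws RuntimeException when the JCE provider cannot supply HmacSHA256 or rejects the key
     */
    private static String calculateSecretHash(String clientId, String clientSecret, String username) {
        try {
            Mac mac = Mac.getInstance(HMAC_SHA256);
            mac.init(new SecretKeySpec(clientSecret.getBytes(StandardCharsets.UTF_8), HMAC_SHA256));
            mac.update(username.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(mac.doFinal(clientId.getBytes(StandardCharsets.UTF_8)));
        } catch (GeneralSecurityException e) {
            throw new RuntimeException("Error while calculating secret hash", e);
        }
    }
}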
