package at.itsv.security.servicesecurity.identityprovider.ldap;

import at.itsv.commons.config.keyvalue.KeyValueConfiguration;
import at.itsv.security.servicesecurity.fileobserver.FileChangeNotifiable;
import at.itsv.security.servicesecurity.fileobserver.FileObserver;
import at.itsv.security.servicesecurity.identityprovider.ConsumerIdentity;
import at.itsv.security.servicesecurity.identityprovider.ConsumerIdentityProvider;
import at.itsv.security.servicesecurity.identityprovider.ConsumerIdentityProviderFactory;
import at.itsv.security.servicesecurity.identityprovider.ldap.credentials.ConsumerCredentials;
import at.itsv.security.servicesecurity.identityprovider.ldap.credentials.ConsumerCredentialsProvider;
import at.itsv.security.servicesecurity.identityprovider.ldap.credentials.provider.ConnectionFactory;
import at.itsv.security.servicesecurity.identityprovider.ldap.credentials.provider.LdapCredentialsProvider;
import at.itsv.security.servicesecurity.identityprovider.ldap.credentials.provider.filebackup.FileBackupCredentialsProvider;
import at.itsv.security.servicesecurity.identityprovider.ldap.crypto.AccessCredentials;
import at.itsv.security.servicesecurity.identityprovider.ldap.crypto.binarycipher.BinaryCipher;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.time.Clock;
import java.time.ZoneId;
import java.time.ZoneOffset;
import java.util.List;
import java.util.Map;
import java.util.NoSuchElementException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:at/itsv/security/servicesecurity/identityprovider/ldap/LdapConsumerIdentityProviderFactory.class */
public final class LdapConsumerIdentityProviderFactory implements ConsumerIdentityProviderFactory {
    public static final String CONFIG_KEY_BACKUP_PATH = "LDAP_BackupPath";
    public static final String CONFIG_KEY_KEYSTORE_PATH = "LDAP_KeystorePath";
    public static final String CONFIG_KEY_KEYSTORE_PASS_PHRASE = "LDAP_KeystorePassword";
    public static final String CONFIG_KEY_TRUSTSTORE_PATH = "LDAP_TruststorePath";
    public static final String CONFIG_KEY_TRUSTSTORE_PASS_PHRASE = "LDAP_TruststorePassword";
    public static final String CONFIG_KEY_CREDENTIALS_RECEIVER = "LDAP_CredentialsReceiver";
    public static final String CONFIG_KEY_SERVER_URL = "LDAP_ServerUrl";
    public static final String CONFIG_KEY_CONNECT_TIMEOUT = "LDAP_ConnectTimeout";
    public static final String CONFIG_KEY_READ_TIMEOUT = "LDAP_ReadTimeout";
    public static final String CONFIG_KEY_OBSERVED_FILE_PATH = "LDAP_ObserverPath";
    private static final Logger LOG = LoggerFactory.getLogger(LdapConsumerIdentityProviderFactory.class);
    private static final LdapConsumerIdentityProviderFactory SINGLETON = new LdapConsumerIdentityProviderFactory();
    private static final ZoneId CREDENTIAL_VALIDITY_ZONE = ZoneOffset.UTC;
    static final Clock CREDENTIAL_VALIDITY_CLOCK = Clock.system(CREDENTIAL_VALIDITY_ZONE);

    public static ConsumerIdentityProviderFactory instance() {
        return SINGLETON;
    }

    public ConsumerIdentityProvider identityProviderFor(String str, String str2, KeyValueConfiguration keyValueConfiguration) {
        LOG.info("Creating identity provider for realm {}", str);
        return cachingIdentityProvider(credentialsProvider(str, str2, keyValueConfiguration), str, keyValueConfiguration);
    }

    private static ConsumerCredentialsProvider credentialsProvider(String str, String str2, KeyValueConfiguration keyValueConfiguration) {
        AccessCredentials accessCredentials = accessCredentials(keyValueConfiguration);
        return validCredentialsProviderOf(fileBackupProviderOf(ldapCredentialsProviderOf(str, str2, accessCredentials, keyValueConfiguration), accessCredentials, keyValueConfiguration));
    }

    static CachingCredentialsConsumerIdentityProvider cachingIdentityProvider(ConsumerCredentialsProvider consumerCredentialsProvider, String str, KeyValueConfiguration keyValueConfiguration) {
        CachingCredentialsConsumerIdentityProvider cachingCredentialsConsumerIdentityProvider = new CachingCredentialsConsumerIdentityProvider(consumerCredentialsProvider, LdapConsumerIdentityProviderFactory::credentialsAsConsumerIdentities, str);
        cachingCredentialsConsumerIdentityProvider.getClass();
        FileObserver fileObserverOf = fileObserverOf(keyValueConfiguration, cachingCredentialsConsumerIdentityProvider::reloadCache);
        try {
            ExecutorService fileObserverThreadPool = fileObserverThreadPool(str);
            fileObserverOf.start(fileObserverThreadPool);
            Runtime.getRuntime().addShutdownHook(new Thread(cacheReloadFileObserverShutdownHook(str, fileObserverOf, fileObserverThreadPool)));
            return cachingCredentialsConsumerIdentityProvider;
        } catch (IOException e) {
            throw new IllegalArgumentException("Could not start file observer of " + str, e);
        }
    }

    private static Runnable cacheReloadFileObserverShutdownHook(String str, FileObserver fileObserver, ExecutorService executorService) {
        return () -> {
            try {
                fileObserver.stop();
            } catch (IOException e) {
                LOG.warn("Could not stop file observer cleanly", e);
            }
            LOG.info("Shutting down file observer Thread pool of {}", str);
            executorService.shutdown();
        };
    }

    private static Map<String, ConsumerIdentity> credentialsAsConsumerIdentities(Stream<ConsumerCredentials> stream) {
        try {
            return (Map) ((Map) stream.collect(Collectors.groupingBy((v0) -> {
                return v0.username();
            }))).entrySet().stream().map(entry -> {
                return ConsumerIdentityMapper.SINGLETON.apply((String) entry.getKey(), (List<ConsumerCredentials>) entry.getValue());
            }).collect(Collectors.toMap((v0) -> {
                return v0.name();
            }, Function.identity()));
        } finally {
            stream.close();
        }
    }

    static ConsumerCredentialsProvider validCredentialsProviderOf(ConsumerCredentialsProvider consumerCredentialsProvider) {
        return () -> {
            return consumerCredentialsProvider.consumerCredentials().filter(consumerCredentials -> {
                return consumerCredentials.willBecomeValidAfter(CREDENTIAL_VALIDITY_CLOCK.instant());
            });
        };
    }

    private static FileObserver fileObserverOf(KeyValueConfiguration keyValueConfiguration, FileChangeNotifiable fileChangeNotifiable) {
        Path path = (Path) keyValueConfiguration.valueOf(CONFIG_KEY_OBSERVED_FILE_PATH).map(str -> {
            return Paths.get(str, new String[0]);
        }).orElseThrow(() -> {
            return new NoSuchElementException("Observer file path is not configured LDAP_ObserverPath");
        });
        if (Files.notExists(path, new LinkOption[0])) {
            try {
                Files.createFile(path, new FileAttribute[0]);
            } catch (IOException e) {
                throw new IllegalArgumentException("Could not create observer file " + path.toAbsolutePath(), e);
            }
        }
        return FileObserver.of(path, fileChangeNotifiable);
    }

    private static ExecutorService fileObserverThreadPool(String str) {
        return Executors.newSingleThreadExecutor(runnable -> {
            Thread thread = new Thread(runnable, "ITSV-Service-Security-FileObserver-".concat(str));
            thread.setDaemon(true);
            return thread;
        });
    }

    private static ConsumerCredentialsProvider ldapCredentialsProviderOf(String str, String str2, AccessCredentials accessCredentials, KeyValueConfiguration keyValueConfiguration) {
        return new LdapCredentialsProvider(str, str2, ConnectionFactory.of(keyValueConfiguration.requiredValueOf(CONFIG_KEY_SERVER_URL), ((Integer) keyValueConfiguration.intValueOf(CONFIG_KEY_CONNECT_TIMEOUT).orElse(1000)).intValue(), ((Integer) keyValueConfiguration.intValueOf(CONFIG_KEY_READ_TIMEOUT).orElse(1000)).intValue(), accessCredentials), accessCredentials, CREDENTIAL_VALIDITY_ZONE);
    }

    static ConsumerCredentialsProvider fileBackupProviderOf(ConsumerCredentialsProvider consumerCredentialsProvider, AccessCredentials accessCredentials, KeyValueConfiguration keyValueConfiguration) {
        return FileBackupCredentialsProvider.of(consumerCredentialsProvider, Paths.get(keyValueConfiguration.requiredValueOf(CONFIG_KEY_BACKUP_PATH), new String[0]), BinaryCipher.rsa(accessCredentials.getPrivateKey(), accessCredentials.getPublicKey()));
    }

    static AccessCredentials accessCredentials(KeyValueConfiguration keyValueConfiguration) {
        return new AccessCredentials((AccessCredentials.AccessType) keyValueConfiguration.valueOf(CONFIG_KEY_CREDENTIALS_RECEIVER).map(AccessCredentials.AccessType::valueOf).orElse(AccessCredentials.AccessType.SERVICE_PROVIDER), Paths.get(keyValueConfiguration.requiredValueOf(CONFIG_KEY_KEYSTORE_PATH), new String[0]), keyValueConfiguration.requiredValueOf(CONFIG_KEY_KEYSTORE_PASS_PHRASE), Paths.get(keyValueConfiguration.requiredValueOf(CONFIG_KEY_TRUSTSTORE_PATH), new String[0]), keyValueConfiguration.requiredValueOf(CONFIG_KEY_TRUSTSTORE_PASS_PHRASE));
    }
}
