package com.cloudera.server.web.cmf;

import com.cloudera.cmf.service.auth.AuthServiceUtil;
import com.cloudera.cmf.service.scm.ScmParamTrackerStore;
import com.cloudera.cmf.user.UserRole;
import com.cloudera.parcel.ParcelIdentity;
import com.cloudera.server.cmf.OperationsManager;
import com.cloudera.server.web.cmf.CMFUserDetailsService;
import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import javax.persistence.EntityManagerFactory;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken;
import org.keycloak.representations.AccessToken;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

/* loaded from: input_file:com/cloudera/server/web/cmf/CmfKeycloakAuthenticationProvider.class */
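/**
 * Keycloak authentication provider that translates the roles carried by a Keycloak token into
 * Cloudera Manager {@link UserRole}s and wraps the result in a {@code CmfKeycloakAuthenticationToken}.
 *
 * <p>Role mapping is purely name based: every realm-level role and every client-level role for
 * {@code AuthServiceUtil.CM_SERVER_CLIENT_NAME} is upper-cased and looked up with
 * {@link UserRole#getByName}. Both sources are merged into one set that is granted at
 * {@code AuthScope.global()}, so a realm-level role whose name matches a CM role grants that CM
 * role exactly as a client-level role would. Role names that match no CM role are ignored.
 *
 * <p>A principal with no matching role is still authenticated; it receives an external user
 * object with an empty authority list (see {@link #mapUser}). Authorization decisions must
 * therefore be made on the authorities, not on the mere presence of an authenticated token.
 */
public class CmfKeycloakAuthenticationProvider extends KeycloakAuthenticationProvider {
    private static final Logger LOG = LoggerFactory.getLogger(CmfKeycloakAuthenticationProvider.class);
    private final EntityManagerFactory emf;
    private final OperationsManager om;
    // Injected by the constructor but not read anywhere in this class.
    private final ScmParamTrackerStore spts;

    /**
     * Creates the provider with the collaborators needed to map users.
     *
     * @param entityManagerFactory passed on to {@code UserMapper} when a user has CM roles
     * @param operationsManager passed on to {@code UserMapper} when a user has CM roles
     * @param scmParamTrackerStore stored but unused by this class
     */
    @Autowired
    public CmfKeycloakAuthenticationProvider(EntityManagerFactory entityManagerFactory, OperationsManager operationsManager, ScmParamTrackerStore scmParamTrackerStore) {
        this.emf = entityManagerFactory;
        this.om = operationsManager;
        this.spts = scmParamTrackerStore;
    }

    /**
     * Maps the roles of a Keycloak token to CM roles and returns the resulting CM authentication.
     *
     * @param authentication the incoming token; must be a {@link KeycloakAuthenticationToken}
     * @return a {@code CmfKeycloakAuthenticationToken} carrying the Keycloak account and the mapped user
     * @throws IllegalStateException if {@code authentication} is not a {@link KeycloakAuthenticationToken}
     * @throws AuthenticationException declared by the overridden contract
     */
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        Preconditions.checkState(authentication instanceof KeycloakAuthenticationToken);
        KeycloakAuthenticationToken token = (KeycloakAuthenticationToken) authentication;
        String username = token.getPrincipal().toString();
        // NOTE(review): the user name and role names are logged exactly as they appear in the
        // token; if the log layout does not escape line breaks, consider encoding them there.
        LOG.debug("Authenticating user: {}", username);

        Set<UserRole> cmRoles = new HashSet<>();
        addMatchingRoles(username, "realm-level", token.getAccount().getRoles(), cmRoles);
        addMatchingRoles(username, "client-level", getClientRoles(token.getPrincipal()), cmRoles);

        CMFUserDetailsService.CMFUser user = mapUser(username, ImmutableMap.of(AuthScope.global(), cmRoles));
        LOG.info("Authenticated {} has authorities {}", username, user.getAuthorities());
        return new CmfKeycloakAuthenticationToken(token.getAccount(), user);
    }

    /**
     * Adds to {@code target} every CM role whose name matches one of {@code roleNames}.
     *
     * @param username user name, used for logging only
     * @param level label of the role source ("realm-level" or "client-level"), used for logging only
     * @param roleNames role names from the token; {@code null} and {@code null} elements are skipped
     * @param target set that receives the matching CM roles
     */
    private static void addMatchingRoles(String username, String level, Iterable<String> roleNames, Set<UserRole> target) {
        if (roleNames == null) {
            return;
        }
        for (String roleName : roleNames) {
            if (roleName == null) {
                continue;
            }
            LOG.debug("User {} has {} role {}", username, level, roleName);
            // Locale.ROOT keeps the lookup independent of the JVM default locale; with a
            // locale-sensitive upper-casing a role such as "admin" may stop matching (e.g. under
            // a Turkish default locale) and the user would silently lose that role.
            UserRole role = UserRole.getByName(roleName.toUpperCase(Locale.ROOT));
            if (role != null) {
                LOG.debug("User {} has CM role {}", username, role.name());
                target.add(role);
            }
        }
    }

    /**
     * Returns the roles the token grants for the CM server client.
     *
     * @param obj the authentication principal
     * @return the client-level role names, or an empty set when the principal is not a
     *     {@link KeycloakPrincipal}, the token has no access entry for
     *     {@code AuthServiceUtil.CM_SERVER_CLIENT_NAME}, or that entry carries no role set
     */
    private Set<String> getClientRoles(Object obj) {
        if (!(obj instanceof KeycloakPrincipal)) {
            return ImmutableSet.of();
        }
        AccessToken.Access resourceAccess = ((KeycloakPrincipal) obj).getKeycloakSecurityContext().getToken().getResourceAccess(AuthServiceUtil.CM_SERVER_CLIENT_NAME);
        if (resourceAccess == null) {
            return ImmutableSet.of();
        }
        // An access entry without a "roles" member can yield a null set; treat it as "no roles".
        Set<String> roles = resourceAccess.getRoles();
        return roles == null ? ImmutableSet.of() : roles;
    }

    /**
     * Builds the CM user for an authenticated principal.
     *
     * <p>When no role is present for {@code AuthScope.global()}, an external user with an empty
     * authority list is built directly; otherwise the mapping is delegated to {@code UserMapper}.
     *
     * @param str the user name; must not be {@code null}
     * @param map CM roles per scope; must not be {@code null}
     * @return the mapped user
     * @throws NullPointerException if either argument is {@code null}
     */
    private CMFUserDetailsService.CMFUser mapUser(String str, Map<AuthScope, Set<UserRole>> map) {
        Preconditions.checkNotNull(str);
        Preconditions.checkNotNull(map);
        // NOTE(review): ParcelIdentity.SEP is used as the password hash of the role-less external
        // user; it looks like a placeholder value (possibly a decompiler constant substitution) —
        // confirm that no local password check can ever accept it.
        return (map.isEmpty() || !map.containsKey(AuthScope.global()) || map.get(AuthScope.global()).isEmpty()) ? CMFUserDetailsService.CMFUser.newBuilder().setUsername(str).setPasswordHash(ParcelIdentity.SEP).setAuthorities(ImmutableMap.of(AuthScope.global(), ImmutableList.of())).setSalt(0L).setIsExternal(true).build() : new UserMapper(this.emf, this.om).mapUser(str, map);
    }
}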
