package com.sap.cds.feature.identity;

import com.sap.cds.services.ErrorStatuses;
import com.sap.cds.services.ServiceException;
import com.sap.cds.services.authentication.AuthenticationInfo;
import com.sap.cds.services.authentication.JwtTokenAuthenticationInfo;
import com.sap.cds.services.request.UserInfo;
import com.sap.cds.services.runtime.CdsRuntime;
import com.sap.cds.services.runtime.UserInfoProvider;
import com.sap.cds.services.utils.ClassMethods;
import com.sap.cds.services.utils.ErrorStatusException;
import com.sap.cloud.environment.servicebinding.api.ServiceBinding;
import com.sap.cloud.security.config.Service;
import com.sap.cloud.security.json.JsonParsingException;
import com.sap.cloud.security.token.GrantType;
import com.sap.cloud.security.token.SecurityContext;
import com.sap.cloud.security.token.Token;
import com.sap.cloud.security.token.XsuaaToken;
import java.text.MessageFormat;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.TreeMap;
import java.util.stream.Collectors;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/sap/cds/feature/identity/IdentityUserInfoProvider.class */
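/**
 * {@link UserInfoProvider} that builds the request's {@link UserInfo} from the JWT carried by the
 * runtime's provided {@link AuthenticationInfo}.
 *
 * <p>The token is parsed with {@link Token#create(String)} and dispatched on the issuing
 * {@link Service}: IAS tokens yield an {@code IasUserInfoImpl}, XSUAA tokens an
 * {@code XsuaaUserInfoImpl}. Any other service, and any failure while reading the token, results
 * in {@link ErrorStatuses#UNAUTHORIZED}.
 *
 * <p>NOTE(review): no signature, expiry or audience validation is visible in this class. It
 * presumably relies on the authentication layer that supplied the {@link AuthenticationInfo};
 * confirm that the token has been validated before this provider runs, because roles, tenant and
 * the system/internal-user flags are all taken from its claims.
 */
public class IdentityUserInfoProvider implements UserInfoProvider {
    private static final Logger logger = LoggerFactory.getLogger(IdentityUserInfoProvider.class);
    private static final String SYSTEM_USER_NAME = "system";
    private static final String SYSTEM_INTERNAL_USER_NAME = "system-internal";

    private final CdsRuntime runtime;
    // Either binding may be null (see the constructor). The user-info classes dereference them
    // without a check; a missing binding then surfaces as a NullPointerException that get()
    // translates into UNAUTHORIZED.
    private final ServiceBinding iasBinding;
    private final ServiceBinding xsuaaBinding;

    /** User information derived from an IAS token. */
    private class IasUserInfoImpl implements UserInfo {
        private static final String BINDING_CLIENT_ID = "clientid";
        private static final String SPECIAL_ATTRIBUTE_TENANT = "tenant";
        private static final String CLAIM_IAS_APIS = "ias_apis";
        // Claims that are not exposed as user attributes.
        private static final Set<String> KNOWN_CLAIMS = new HashSet<>(Arrays.asList("ias_iss", "iss", "exp", "aud", "nbf", "sub", "user_uuid", "zone_uuid", "app_tid", "azp", "cnf", "x5t#S256", "iat", "jti"));

        private final Token token;
        private final Map<String, List<String>> attributes;
        private final boolean isSystemUser;
        private final boolean isInternalUser;
        private final Set<String> roles;

        /**
         * Reads attributes, roles and the system/internal-user flags from {@code token}.
         *
         * @param token the parsed IAS token
         * @throws ErrorStatusException with {@link ErrorStatuses#UNAUTHORIZED} if the token names
         *     no client (no {@code azp} claim and not exactly one {@code aud} entry)
         */
        IasUserInfoImpl(Token token) {
            this.token = token;

            // Every claim outside KNOWN_CLAIMS becomes an attribute. An explicit HashMap is
            // requested because the map is modified below and Collectors.toMap without a
            // supplier does not guarantee a mutable result.
            this.attributes = token.getClaims().keySet().stream()
                    .filter(claim -> !KNOWN_CLAIMS.contains(claim))
                    .collect(Collectors.toMap(claim -> claim, claim -> claimAsList(token, claim), (first, second) -> second, HashMap::new));
            // Written after the claims are copied, so a claim literally named "tenant" cannot
            // replace the tenant taken from the token's zone id.
            this.attributes.put(SPECIAL_ATTRIBUTE_TENANT, Collections.singletonList(getTenant()));

            // The client is the authorized party, or the sole audience when "azp" is absent.
            List<String> audiences = token.getClaimAsStringList("aud");
            String clientId = token.getClaimAsString("azp");
            if (clientId == null && audiences != null && audiences.size() == 1) {
                clientId = audiences.get(0);
            }
            if (clientId == null) {
                // Reject explicitly rather than relying on a NullPointerException from the
                // comparison below being translated into a 401 by get().
                throw new ErrorStatusException(ErrorStatuses.UNAUTHORIZED, new Object[0]);
            }

            // A token whose subject is the client itself counts as a system user; it is
            // additionally "internal" when that client is the one from this application's own
            // IAS binding.
            this.isSystemUser = clientId.equals(token.getClaimAsString("sub"));
            this.isInternalUser = this.isSystemUser && clientId.equals(IdentityUserInfoProvider.this.iasBinding.getCredentials().get(BINDING_CLIENT_ID));

            // Roles stay empty unless the runtime is configured to expose plans as roles.
            Set<String> resolvedRoles = Collections.emptySet();
            if (IdentityUserInfoProvider.this.runtime.getEnvironment().getCdsProperties().getSecurity().getIdentity().isExposePlansAsRoles()) {
                resolvedRoles = new HashSet<>();
                if (token.hasClaim(CLAIM_IAS_APIS)) {
                    for (String api : token.getClaimAsStringList(CLAIM_IAS_APIS)) {
                        resolvedRoles.add(api.trim());
                    }
                }
                List<String> servicePlans = SecurityContext.getServicePlans();
                if (servicePlans != null) {
                    for (String plan : servicePlans) {
                        resolvedRoles.add(plan.trim());
                    }
                }
            }
            this.roles = resolvedRoles;
        }

        public boolean isSystemUser() {
            return this.isSystemUser;
        }

        public boolean isInternalUser() {
            return this.isInternalUser;
        }

        public String getId() {
            return this.token.getClaimAsString("user_uuid");
        }

        public String getTenant() {
            return this.token.getZoneId();
        }

        // NOTE(review): getRoles() and getAttributes() hand out the internal collections; roles
        // is immutable only when plans are not exposed as roles. Confirm no caller mutates them,
        // or wrap them in unmodifiable views.
        public Set<String> getRoles() {
            return this.roles;
        }

        public String getName() {
            if (this.isInternalUser) {
                return IdentityUserInfoProvider.SYSTEM_INTERNAL_USER_NAME;
            }
            if (this.isSystemUser) {
                return IdentityUserInfoProvider.SYSTEM_USER_NAME;
            }
            return this.token.getClaimAsString("sub");
        }

        public boolean isAuthenticated() {
            return true;
        }

        public boolean isPrivileged() {
            return false;
        }

        public Map<String, List<String>> getAttributes() {
            return this.attributes;
        }

        // Returns the token's complete claim map, including the claims that KNOWN_CLAIMS keeps
        // out of getAttributes().
        public Map<String, Object> getAdditionalAttributes() {
            return this.token.getClaims();
        }

        @Override
        public String toString() {
            return MessageFormat.format("IasUserInfo [id=''{0}'', name=''{1}'', roles=''{2}'', attributes=''{3}''", getId(), getName(), getRoles(), getAttributes());
        }
    }

    /** User information derived from an XSUAA token. */
    private class XsuaaUserInfoImpl implements UserInfo {
        private static final String SPECIAL_ATTRIBUTE_LOGON_NAME = "logonName";
        private static final String SPECIAL_ATTRIBUTE_TENANT = "tenant";
        private static final String EXTENSION_ATTRIBUTES = "ext_attr";
        private static final String BINDING_CLIENT_ID = "clientid";
        private static final String SERVICEINSTANCEID_ATTRIBUTE = "serviceinstanceid";
        private static final String SPECIAL_ATTRIBUTE_SERVICEINSTANCEID = "ext_attr.serviceinstanceid";

        // Claims that are not copied into the additional attributes.
        private final Set<String> KNOWN_CLAIMS = new HashSet<>(Arrays.asList("user_name", "zid", "user_id", "scope", "xs.user.attributes", "xs.system.attributes", "grant_type", "client_id"));
        // Grant types that identify a technical (system) user.
        private final Set<GrantType> SYSTEM_USER_GRANTS = new HashSet<>(Arrays.asList(GrantType.CLIENT_CREDENTIALS, GrantType.CLIENT_X509));

        private final XsuaaToken token;
        private final String name;
        private final boolean isSystemUser;
        private final boolean isInternalUser;
        private final Set<String> roles;
        private final Map<String, List<String>> attributes;
        private final Map<String, Object> additionalAttributes;

        /**
         * Reads name, roles, attributes and the system/internal-user flags from the token.
         *
         * @param xsuaaToken the parsed XSUAA token
         */
        private XsuaaUserInfoImpl(XsuaaToken xsuaaToken) {
            this.token = xsuaaToken;

            // System user: issued through a client-credentials style grant. Internal user: the
            // client is additionally the one from this application's own XSUAA binding.
            this.isSystemUser = this.SYSTEM_USER_GRANTS.contains(xsuaaToken.getGrantType());
            this.isInternalUser = this.isSystemUser && xsuaaToken.getClientId() != null && xsuaaToken.getClientId().equals(IdentityUserInfoProvider.this.xsuaaBinding.getCredentials().get(BINDING_CLIENT_ID));
            if (this.isInternalUser) {
                this.name = IdentityUserInfoProvider.SYSTEM_INTERNAL_USER_NAME;
            } else if (this.isSystemUser) {
                this.name = IdentityUserInfoProvider.SYSTEM_USER_NAME;
            } else {
                this.name = xsuaaToken.getClaimAsString("user_name");
            }

            // Scopes become roles by cutting everything up to and including "<xsappname>.".
            // NOTE(review): indexOf matches the prefix anywhere in the scope, not only at its
            // start, presumably to cope with scope names that carry a leading qualifier. Confirm
            // that a scope belonging to another application cannot contain "<xsappname>." and be
            // mapped onto a local role name. Scopes without the prefix pass through unchanged.
            String scopePrefix = ((String) IdentityUserInfoProvider.this.xsuaaBinding.getCredentials().get("xsappname")) + ".";
            this.roles = xsuaaToken.getScopes().stream().map(scope -> {
                int prefixStart = scope.indexOf(scopePrefix);
                return prefixStart >= 0 ? scope.substring(prefixStart + scopePrefix.length()) : scope;
            }).collect(Collectors.toSet());

            this.attributes = new TreeMap<>();
            // The claim value's shape is not verified here; it is trusted to be a map of string lists.
            @SuppressWarnings("unchecked")
            Map<String, List<String>> userAttributes = (Map<String, List<String>>) xsuaaToken.getClaims().get("xs.user.attributes");
            if (userAttributes != null) {
                this.attributes.putAll(userAttributes);
            }
            // Written after the user attributes, so a user attribute named "tenant" cannot
            // replace the tenant taken from the token's zone id.
            this.attributes.put(SPECIAL_ATTRIBUTE_TENANT, Collections.singletonList(xsuaaToken.getZoneId()));
            String serviceInstanceId = xsuaaToken.getAttributeFromClaimAsString(EXTENSION_ATTRIBUTES, SERVICEINSTANCEID_ATTRIBUTE);
            if (serviceInstanceId != null) {
                this.attributes.put(SPECIAL_ATTRIBUTE_SERVICEINSTANCEID, Collections.singletonList(serviceInstanceId));
            }

            this.additionalAttributes = new HashMap<>();
            this.additionalAttributes.put("givenName", xsuaaToken.getClaimAsString("given_name"));
            this.additionalAttributes.put("familyName", xsuaaToken.getClaimAsString("family_name"));
            this.additionalAttributes.put("subDomain", xsuaaToken.getAttributeFromClaimAsString(EXTENSION_ATTRIBUTES, "zdn"));
            // Remaining claims are copied last and therefore win over the three entries above
            // if a claim happens to carry the same key.
            for (Map.Entry<String, Object> claim : xsuaaToken.getClaims().entrySet()) {
                if (!this.KNOWN_CLAIMS.contains(claim.getKey())) {
                    this.additionalAttributes.put(claim.getKey(), claim.getValue());
                }
            }
            // Only named users get a logon name.
            if (!this.isSystemUser) {
                this.additionalAttributes.put(SPECIAL_ATTRIBUTE_LOGON_NAME, xsuaaToken.getPrincipal().getName());
            }
        }

        public String getId() {
            return this.token.getClaimAsString("user_id");
        }

        public String getName() {
            return this.name;
        }

        public String getTenant() {
            return this.token.getZoneId();
        }

        // NOTE(review): getRoles(), getAttributes() and getAdditionalAttributes() hand out the
        // internal mutable collections. Confirm no caller mutates them, or wrap them in
        // unmodifiable views.
        public Set<String> getRoles() {
            return this.roles;
        }

        public boolean isSystemUser() {
            return this.isSystemUser;
        }

        public boolean isInternalUser() {
            return this.isInternalUser;
        }

        public boolean isAuthenticated() {
            return true;
        }

        public boolean isPrivileged() {
            return false;
        }

        public Map<String, List<String>> getAttributes() {
            return this.attributes;
        }

        public Map<String, Object> getAdditionalAttributes() {
            return this.additionalAttributes;
        }

        public <T extends UserInfo> T as(Class<T> cls) {
            return (T) ClassMethods.as(cls, UserInfo.class, this, this::getAdditionalAttributes);
        }

        @Override
        public String toString() {
            return MessageFormat.format("XsuaaUserInfo [id=''{0}'', name=''{1}'', roles=''{2}'', attributes=''{3}''", getId(), getName(), getRoles(), getAttributes());
        }
    }

    /**
     * Creates the provider.
     *
     * @param cdsRuntime the runtime that supplies the authentication info and configuration
     * @param optional the IAS service binding, if any; stored as {@code null} when absent
     * @param optional2 the XSUAA service binding, if any; stored as {@code null} when absent
     */
    public IdentityUserInfoProvider(CdsRuntime cdsRuntime, Optional<ServiceBinding> optional, Optional<ServiceBinding> optional2) {
        this.runtime = cdsRuntime;
        this.xsuaaBinding = optional2.orElse(null);
        this.iasBinding = optional.orElse(null);
    }

    /**
     * Resolves the current user from the provided JWT.
     *
     * @return the user information, or {@code null} when no JWT authentication info is available
     * @throws ErrorStatusException with {@link ErrorStatuses#UNAUTHORIZED} when the token comes
     *     from a service other than IAS or XSUAA, or when reading it fails for any reason
     */
    @Override
    public UserInfo get() {
        AuthenticationInfo authInfo = this.runtime.getProvidedAuthenticationInfo();
        if (authInfo == null || !authInfo.is(JwtTokenAuthenticationInfo.class)) {
            return null;
        }
        try {
            Token token = Token.create(authInfo.as(JwtTokenAuthenticationInfo.class).getToken());
            // NOTE(review): the token object and the resolved user (id, roles, attributes) are
            // written to the debug log. Confirm Token.toString() does not emit the raw signed
            // JWT and that debug logging is off where these values are sensitive.
            logger.debug("Creating UserInfo based on token {}", token);
            UserInfo userInfo;
            switch (token.getService()) {
                case IAS:
                    userInfo = new IasUserInfoImpl(token);
                    break;
                case XSUAA:
                    // A token that is not an XsuaaToken fails the cast and is rejected below.
                    userInfo = new XsuaaUserInfoImpl((XsuaaToken) token);
                    break;
                default:
                    throw new ErrorStatusException(ErrorStatuses.UNAUTHORIZED, new Object[0]);
            }
            logger.debug("Resolved {}", userInfo);
            return userInfo;
        } catch (ServiceException e) {
            // Must precede the generic handler: listed after catch (Exception) this clause is
            // unreachable and the compiler rejects it.
            throw e;
        } catch (Exception e) {
            // Fail closed: any other problem while reading the token is reported as 401.
            throw new ErrorStatusException(ErrorStatuses.UNAUTHORIZED, new Object[]{e});
        }
    }

    /** Returns the claim as a string list, or as a single-element list when it is not a JSON array. */
    private static List<String> claimAsList(Token token, String claim) {
        try {
            return token.getClaimAsStringList(claim);
        } catch (JsonParsingException e) {
            return Collections.singletonList(token.getClaimAsString(claim));
        }
    }
}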
