package org.apache.james.smtpserver;

import jakarta.inject.Inject;
import java.net.URL;
import java.util.Optional;
import org.apache.james.core.Username;
import org.apache.james.jwt.OidcJwtTokenVerifier;
import org.apache.james.jwt.introspection.IntrospectionEndpoint;
import org.apache.james.mailbox.Authorizator;
import org.apache.james.mailbox.exception.MailboxException;
import org.apache.james.protocols.api.OIDCSASLParser;
import org.apache.james.protocols.api.OidcSASLConfiguration;
import org.apache.james.protocols.smtp.SMTPSession;
import org.apache.james.protocols.smtp.hook.AuthHook;
import org.apache.james.protocols.smtp.hook.HookResult;
import org.apache.james.protocols.smtp.hook.HookReturnCode;
import org.apache.james.user.api.UsersRepository;
import org.apache.james.user.api.UsersRepositoryException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import reactor.core.publisher.Mono;

/* loaded from: input_file:org/apache/james/smtpserver/UsersRepositoryAuthHook.class */
public class UsersRepositoryAuthHook implements AuthHook {
    private static final Logger LOGGER = LoggerFactory.getLogger(UsersRepositoryAuthHook.class);
    private final UsersRepository users;
    private final Authorizator authorizator;

    @Inject
    public UsersRepositoryAuthHook(UsersRepository usersRepository, Authorizator authorizator) {
        this.users = usersRepository;
        this.authorizator = authorizator;
    }

    public HookResult doAuth(SMTPSession sMTPSession, Username username, String str) {
        try {
            Optional test = this.users.test(username, str);
            if (test.isPresent()) {
                sMTPSession.setUsername((Username) test.get());
                sMTPSession.setRelayingAllowed(true);
                return HookResult.builder().hookReturnCode(HookReturnCode.ok()).smtpDescription("Authentication Successful").build();
            }
        } catch (UsersRepositoryException e) {
            LOGGER.info("Unable to access UsersRepository", e);
        }
        return HookResult.DECLINED;
    }

    public HookResult doSasl(SMTPSession sMTPSession, OidcSASLConfiguration oidcSASLConfiguration, String str) {
        return (HookResult) OIDCSASLParser.parse(str).flatMap(oIDCInitialResponse -> {
            return validateToken(oidcSASLConfiguration, oIDCInitialResponse.getToken()).map(username -> {
                Username of = Username.of(oIDCInitialResponse.getAssociatedUser());
                return !of.equals(username) ? doAuthWithDelegation(sMTPSession, username, of) : saslSuccess(sMTPSession, username);
            });
        }).orElse(HookResult.DECLINED);
    }

    private HookResult doAuthWithDelegation(SMTPSession sMTPSession, Username username, Username username2) {
        try {
            if (Authorizator.AuthorizationState.ALLOWED.equals(this.authorizator.user(username).canLoginAs(username2))) {
                return saslSuccess(sMTPSession, username2);
            }
        } catch (MailboxException e) {
            LOGGER.info("Unable to authorization", e);
        }
        return HookResult.DECLINED;
    }

    private HookResult saslSuccess(SMTPSession sMTPSession, Username username) {
        try {
            this.users.assertValid(username);
            sMTPSession.setUsername(username);
            sMTPSession.setRelayingAllowed(true);
            return HookResult.builder().hookReturnCode(HookReturnCode.ok()).smtpDescription("Authentication successful.").build();
        } catch (UsersRepositoryException e) {
            LOGGER.warn("Invalid username", e);
            return HookResult.DECLINED;
        }
    }

    private Optional<Username> validateToken(OidcSASLConfiguration oidcSASLConfiguration, String str) {
        return oidcSASLConfiguration.isCheckTokenByIntrospectionEndpoint() ? validTokenWithIntrospection(oidcSASLConfiguration, str) : oidcSASLConfiguration.isCheckTokenByUserinfoEndpoint() ? validTokenWithUserInfo(oidcSASLConfiguration, str) : OidcJwtTokenVerifier.verifySignatureAndExtractClaim(str, oidcSASLConfiguration.getJwksURL(), oidcSASLConfiguration.getClaim()).map(Username::of);
    }

    private Optional<Username> validTokenWithUserInfo(OidcSASLConfiguration oidcSASLConfiguration, String str) {
        return Mono.from(OidcJwtTokenVerifier.verifyWithUserinfo(str, oidcSASLConfiguration.getJwksURL(), oidcSASLConfiguration.getClaim(), (URL) oidcSASLConfiguration.getUserInfoEndpoint().orElseThrow())).blockOptional().map(Username::of);
    }

    private static Optional<Username> validTokenWithIntrospection(OidcSASLConfiguration oidcSASLConfiguration, String str) {
        return Mono.from(OidcJwtTokenVerifier.verifyWithIntrospection(str, oidcSASLConfiguration.getJwksURL(), oidcSASLConfiguration.getClaim(), (IntrospectionEndpoint) oidcSASLConfiguration.getIntrospectionEndpoint().map(url -> {
            return new IntrospectionEndpoint(url, oidcSASLConfiguration.getIntrospectionEndpointAuthorization());
        }).orElseThrow())).blockOptional().map(Username::of);
    }
}
