package com.atlassian.plugins.authentication.sso.config;

import com.atlassian.plugins.authentication.api.config.IdpConfig;
import com.atlassian.plugins.authentication.api.config.IdpConfigService;
import com.atlassian.plugins.authentication.api.config.IdpSearchParameters;
import com.atlassian.plugins.authentication.api.config.ImmutableSsoConfig;
import com.atlassian.plugins.authentication.api.config.SsoConfig;
import com.atlassian.plugins.authentication.api.config.SsoType;
import com.atlassian.plugins.authentication.api.config.ValidationError;
import com.atlassian.plugins.authentication.api.config.oidc.OidcConfig;
import com.atlassian.plugins.authentication.api.config.saml.SamlConfig;
import com.atlassian.plugins.authentication.api.exception.CannotDisableIdpException;
import com.atlassian.plugins.authentication.api.exception.InvalidConfigException;
import com.atlassian.plugins.authentication.sso.rest.model.IdpConfigEntity;
import com.atlassian.plugins.authentication.sso.util.ApplicationStateValidator;
import com.atlassian.plugins.authentication.sso.util.ProductLicenseDataProvider;
import com.atlassian.plugins.authentication.sso.web.oidc.OidcDiscoveryException;
import com.atlassian.plugins.authentication.sso.web.oidc.OidcDiscoverySupport;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.ImmutableMultimap;
import com.google.common.collect.ImmutableSetMultimap;
import com.google.common.collect.Multimap;
import java.util.List;
import java.util.Objects;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.jetbrains.annotations.NotNull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/atlassian/plugins/authentication/sso/config/IdpConfigServiceImpl.class */
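/**
 * Default {@link IdpConfigService}: validates and persists identity-provider (IdP)
 * configurations through {@link SsoConfigDao}, and guards against an administrator
 * disabling or removing the last usable login option, which would lock every user out.
 *
 * <p>Lockout protection is evaluated in two scopes:
 * <ul>
 *   <li>global login: native login counts when {@code SsoConfig#getShowLoginForm()} is true;</li>
 *   <li>Jira Service Management customer login: native login counts when
 *       {@code SsoConfig#getShowLoginFormForJsm()} is true; only consulted on updates when
 *       {@code ProductLicenseDataProvider#isServiceManagementProduct()} is true.</li>
 * </ul>
 * In both scopes an IdP only counts if {@link ApplicationStateValidator#canProcessAuthenticationRequest}
 * accepts it.
 *
 * <p>NOTE(review): every mutation here is read-then-decide-then-save against the DAO with no
 * locking visible in this class; two concurrent administrative changes could each pass the
 * "at least one login option remains" check. Confirm whether the DAO or the REST layer
 * serialises these operations.
 */
public class IdpConfigServiceImpl implements IdpConfigService {
    private static final Logger logger = LoggerFactory.getLogger(IdpConfigServiceImpl.class);
    private final SsoConfigDao ssoConfigDao;
    private final IdpConfigValidatorProvider idpConfigValidatorProvider;
    private final OidcDiscoverySupport oidcDiscoverySupport;
    private final ProductLicenseDataProvider productLicenseDataProvider;
    private final ApplicationStateValidator applicationStateValidator;

    public IdpConfigServiceImpl(SsoConfigDao ssoConfigDao, IdpConfigValidatorProvider idpConfigValidatorProvider, OidcDiscoverySupport oidcDiscoverySupport, ProductLicenseDataProvider productLicenseDataProvider, ApplicationStateValidator applicationStateValidator) {
        this.ssoConfigDao = ssoConfigDao;
        this.idpConfigValidatorProvider = idpConfigValidatorProvider;
        this.oidcDiscoverySupport = oidcDiscoverySupport;
        this.productLicenseDataProvider = productLicenseDataProvider;
        this.applicationStateValidator = applicationStateValidator;
    }

    /** Returns every stored IdP configuration, straight from the DAO. */
    @Override
    public List<IdpConfig> getIdpConfigs() {
        return this.ssoConfigDao.getIdpConfigs();
    }

    /** Returns the stored IdP configurations matching {@code idpSearchParameters}, straight from the DAO. */
    @Override
    public List<IdpConfig> getIdpConfigs(IdpSearchParameters idpSearchParameters) {
        return this.ssoConfigDao.getIdpConfigs(idpSearchParameters);
    }

    /** Looks up a single IdP configuration by id; the DAO decides what an unknown id yields. */
    @Override
    public IdpConfig getIdpConfig(Long l) {
        return this.ssoConfigDao.findById(l);
    }

    /**
     * Updates an existing IdP configuration.
     *
     * <p>Before anything is persisted this checks that the change does not remove the last
     * usable login option: turning the IdP off (global scope), and, on a Service Management
     * product, withdrawing it from customer logins (JSM scope). OIDC discovery is then
     * refreshed if enabled, and the result is validated and saved.
     *
     * @param idpConfig the new state; must carry the id of the config to replace
     * @return the saved configuration, or the current one when nothing changed
     * @throws NullPointerException if {@code idpConfig}, its id, or the stored config for that id is null
     * @throws CannotDisableIdpException if the change would leave no login option in the affected scope
     * @throws InvalidConfigException if validation, uniqueness checks or OIDC discovery fail
     */
    @Override
    public IdpConfig updateIdpConfig(@Nonnull IdpConfig idpConfig) {
        Objects.requireNonNull(idpConfig, "IdP configuration cannot be null");
        Long id = Objects.requireNonNull(idpConfig.getId(), "The id of the config to update must be specified");
        IdpConfig current = this.ssoConfigDao.findById(id);
        // Fail with a descriptive message instead of a bare dereference further down when the id is
        // unknown (whether findById returns null or throws for an unknown id is not visible here).
        Objects.requireNonNull(current, "No IdP configuration found with id " + id);
        List<IdpConfig> allConfigs = getIdpConfigs();
        if (current.isEnabled() && !idpConfig.isEnabled()) {
            validateDisablingConfig(current, allConfigs);
        }
        if (this.productLicenseDataProvider.isServiceManagementProduct()
                && current.isIncludeCustomerLogins()
                && !idpConfig.isIncludeCustomerLogins()) {
            validateDisablingConfigForJsm(current, allConfigs);
        }
        return updateIdpConfigInternal(current, refreshDiscoveryIfNeeded(idpConfig), allConfigs);
    }

    /**
     * Adds a new IdP configuration: refreshes OIDC discovery if enabled, validates it
     * (including uniqueness of name, button text and issuer) and saves it.
     *
     * @throws NullPointerException if {@code idpConfig} is null
     * @throws InvalidConfigException if validation, uniqueness checks or OIDC discovery fail
     */
    @Override
    public IdpConfig addIdpConfig(@Nonnull IdpConfig idpConfig) {
        Objects.requireNonNull(idpConfig, "IdP configuration cannot be null");
        return updateIdpConfigInternal(null, refreshDiscoveryIfNeeded(idpConfig), getIdpConfigs());
    }

    /**
     * Removes an IdP configuration.
     *
     * <p>Unlike {@link #updateIdpConfig}, removal is never refused. Instead, if the removed IdP
     * was the last usable login option, native login is silently switched back on in the
     * affected scope(s) ({@code showLoginForm} and/or {@code showLoginFormForJsm}) so that
     * administrators are not locked out. The SSO config is only written when it actually changed.
     * Operators should be aware that deleting the last IdP therefore re-exposes the
     * username/password form.
     *
     * @param l id of the configuration to remove
     * @return whatever the DAO returns for the removed configuration
     */
    @Override
    public IdpConfig removeIdpConfig(Long l) {
        SsoConfig ssoConfig = this.ssoConfigDao.getSsoConfig();
        ImmutableSsoConfig.Builder builder = ImmutableSsoConfig.toBuilder(ssoConfig);
        if (isInsufficientNumberOfGlobalEnabledLoginOptions(l)) {
            enableNativeLogin(builder);
        }
        if (isInsufficientNumberOfJsmEnabledLoginOptions(l)) {
            enableNativeLoginForJsm(builder);
        }
        ImmutableSsoConfig build = builder.build();
        if (!ssoConfig.equals(build)) {
            this.ssoConfigDao.saveSsoConfig(build);
        }
        return this.ssoConfigDao.removeIdpConfig(l);
    }

    /**
     * Re-runs OIDC discovery for {@code idpConfig} (when enabled) and saves the result if it
     * differs. No lockout checks apply because enabled/customer-login flags are not changed.
     */
    @Override
    public IdpConfig refreshIdpConfig(IdpConfig idpConfig) {
        return updateIdpConfigInternal(idpConfig, refreshDiscoveryIfNeeded(idpConfig), getIdpConfigs());
    }

    /**
     * Rejects withdrawing {@code idpConfig} from JSM customer logins if no other customer-login
     * option would remain.
     *
     * <p>NOTE(review): the candidate list is filtered by {@code isIncludeCustomerLogins()} only,
     * whereas the global check filters by {@code isEnabled()}. Whether a disabled IdP is excluded
     * here depends on {@code canProcessAuthenticationRequest}, which is not visible in this file.
     */
    private void validateDisablingConfigForJsm(IdpConfig idpConfig, List<IdpConfig> list) {
        List<IdpConfig> customerLoginIdps = list.stream()
                .filter(IdpConfig::isIncludeCustomerLogins)
                .collect(Collectors.toList());
        if (isInsufficientNumberOfJsmEnabledLoginOptions(idpConfig.getId(), customerLoginIdps)) {
            throw new CannotDisableIdpException("Can't disable IDP for Jira Service Management.");
        }
    }

    /** Rejects disabling {@code idpConfig} if no other global login option would remain. */
    private void validateDisablingConfig(IdpConfig idpConfig, List<IdpConfig> list) {
        List<IdpConfig> enabledIdps = list.stream()
                .filter(IdpConfig::isEnabled)
                .collect(Collectors.toList());
        if (isInsufficientNumberOfGlobalEnabledLoginOptions(idpConfig.getId(), enabledIdps)) {
            throw new CannotDisableIdpException("Can't disable IDP.");
        }
    }

    /** Global-scope check against the DAO's currently enabled IdPs, excluding id {@code l}. */
    private boolean isInsufficientNumberOfGlobalEnabledLoginOptions(Long l) {
        return isInsufficientNumberOfGlobalEnabledLoginOptions(l, getIdpConfigs(IdpSearchParameters.allEnabled()));
    }

    /** Global-scope check: native login counts when {@code showLoginForm} is on. */
    private boolean isInsufficientNumberOfGlobalEnabledLoginOptions(Long l, List<IdpConfig> list) {
        return isInsufficientNumberOfEnabledLoginOptions(SsoConfig::getShowLoginForm, l, list);
    }

    /**
     * Core lockout test: counts the IdPs in {@code list} other than id {@code l} that the
     * {@link ApplicationStateValidator} can process, plus one if {@code nativeLoginEnabled}
     * holds for the current SSO config, and reports whether that total is zero.
     *
     * @param nativeLoginEnabled which native-login flag of {@link SsoConfig} applies to this scope
     * @param l id of the IdP being disabled/removed (excluded from the count; may be null)
     * @param list candidate IdPs for the scope
     * @return true when no login option would remain
     */
    private boolean isInsufficientNumberOfEnabledLoginOptions(Predicate<SsoConfig> nativeLoginEnabled, Long l, List<IdpConfig> list) {
        long remaining = list.stream()
                .filter(candidate -> !Objects.equals(candidate.getId(), l))
                .filter(this.applicationStateValidator::canProcessAuthenticationRequest)
                .count();
        if (nativeLoginEnabled.test(this.ssoConfigDao.getSsoConfig())) {
            remaining++;
        }
        return remaining < 1;
    }

    /** JSM-scope check against the DAO's customer-login IdPs, excluding id {@code l}. */
    private boolean isInsufficientNumberOfJsmEnabledLoginOptions(Long l) {
        return isInsufficientNumberOfJsmEnabledLoginOptions(l, getIdpConfigs(IdpSearchParameters.builder().setIncludeCustomerLoginsRestriction(true).build()));
    }

    /** JSM-scope check: native login counts when {@code showLoginFormForJsm} is on. */
    private boolean isInsufficientNumberOfJsmEnabledLoginOptions(Long l, List<IdpConfig> list) {
        return isInsufficientNumberOfEnabledLoginOptions(SsoConfig::getShowLoginFormForJsm, l, list);
    }

    private void enableNativeLogin(ImmutableSsoConfig.Builder builder) {
        builder.setShowLoginForm(true);
    }

    private void enableNativeLoginForJsm(ImmutableSsoConfig.Builder builder) {
        builder.setShowLoginFormForJsm(true);
    }

    /**
     * Validates and saves {@code updated}, or returns {@code current} unchanged when the two are equal.
     *
     * @param current the stored config being replaced, or null when adding
     * @param updated the config to validate and persist
     * @param list all stored configs, used for uniqueness checks
     * @throws InvalidConfigException if the type-specific validator or the uniqueness check reports errors
     */
    private IdpConfig updateIdpConfigInternal(@Nullable IdpConfig current, @Nonnull IdpConfig updated, List<IdpConfig> list) {
        if (Objects.equals(updated, current)) {
            logger.debug("Skipping IdP config update as new config is identical to current config");
            return current;
        }
        Multimap<String, ValidationError> errors = this.idpConfigValidatorProvider
                .getValidatorUnchecked(updated.getSsoType())
                .validate(updated);
        if (!errors.isEmpty()) {
            throw new InvalidConfigException(errors);
        }
        validateUniqueFields(updated, list);
        return this.ssoConfigDao.saveIdpConfig(updated);
    }

    /**
     * Ensures button text, name and issuer are not shared with any other stored IdP
     * (the IdP with the same id as {@code idpConfig} is ignored). Issuer uniqueness is
     * checked across SSO types; the field name reported depends on the type.
     *
     * @throws InvalidConfigException listing each non-unique field
     */
    private void validateUniqueFields(IdpConfig idpConfig, List<IdpConfig> list) {
        ImmutableSetMultimap.Builder<String, ValidationError> errors = ImmutableSetMultimap.builder();
        List<IdpConfig> others = list.stream()
                .filter(other -> !Objects.equals(other.getId(), idpConfig.getId()))
                .collect(Collectors.toList());
        if (others.stream().anyMatch(other -> Objects.equals(idpConfig.getButtonText(), other.getButtonText()))) {
            errors.put("button-text", ValidationError.nonUnique());
        }
        if (others.stream().anyMatch(other -> Objects.equals(idpConfig.getName(), other.getName()))) {
            errors.put("name", ValidationError.nonUnique());
        }
        if (others.stream().anyMatch(other -> Objects.equals(idpConfig.getIssuer(), other.getIssuer()))) {
            errors.put(issuerField(idpConfig), ValidationError.nonUnique());
        }
        ImmutableSetMultimap<String, ValidationError> built = errors.build();
        if (!built.isEmpty()) {
            throw new InvalidConfigException(built);
        }
    }

    /**
     * Maps an IdP to the REST field name under which an issuer uniqueness error is reported:
     * Crowd-type SAML reports the Crowd URL field, other SAML the issuer field, OIDC the issuer URL.
     *
     * @throws IllegalStateException for an SSO type other than SAML or OIDC
     */
    @VisibleForTesting
    @NotNull
    String issuerField(IdpConfig idpConfig) {
        switch (idpConfig.getSsoType()) {
            case SAML:
                // get() is expected to succeed because the type is SAML; a missing SamlConfig is a programming error.
                SamlConfig samlConfig = SamlConfig.from(idpConfig).get();
                return samlConfig.getIdpType() == SamlConfig.IdpType.CROWD ? IdpConfigEntity.Config.Saml.CROWD_URL : "sso-issuer";
            case OIDC:
                return "issuer-url";
            default:
                throw new IllegalStateException("Unknown SSO type: " + idpConfig.getSsoType());
        }
    }

    /**
     * For an OIDC config with discovery enabled, validates the config in the
     * {@code OIDC_DISCOVERY} context and then asks {@link OidcDiscoverySupport} to refresh it
     * from the issuer's metadata. Non-OIDC configs and OIDC configs without discovery are
     * returned untouched.
     *
     * <p>The issuer is administrator-supplied and the refresh fetches metadata from it; the
     * validator runs first, but whether it constrains the issuer URL (scheme/host) is not
     * visible here — NOTE(review): confirm against the OIDC validator before relying on it.
     *
     * @throws InvalidConfigException if pre-discovery validation fails, or if discovery itself
     *         fails (reported against the discovery-enabled field; the cause is logged, not propagated)
     */
    private IdpConfig refreshDiscoveryIfNeeded(IdpConfig idpConfig) {
        return (IdpConfig) OidcConfig.from(idpConfig).map(oidcConfig -> {
            if (!oidcConfig.isDiscoveryEnabled()) {
                return idpConfig;
            }
            logger.info("Performing IdP discovery with issuer {}", oidcConfig.getIssuer());
            try {
                Multimap<String, ValidationError> errors = this.idpConfigValidatorProvider
                        .getValidatorUnchecked(SsoType.OIDC)
                        .validate(oidcConfig, ValidationContext.OIDC_DISCOVERY);
                if (!errors.isEmpty()) {
                    throw new InvalidConfigException(errors);
                }
                return this.oidcDiscoverySupport.refresh(oidcConfig);
            } catch (OidcDiscoveryException e) {
                logger.info("Failed fetching metadata from OIDC discovery, issuer: {}.", oidcConfig.getIssuer(), e);
                throw new InvalidConfigException(ImmutableMultimap.of(IdpConfigEntity.Config.Oidc.DISCOVERY_ENABLED, ValidationError.incorrect()));
            }
        }).orElse(idpConfig);
    }
}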
