package org.ametys.plugins.extrausermgt.users.aad;

import com.azure.identity.ClientSecretCredentialBuilder;
import com.microsoft.graph.serviceclient.GraphServiceClient;
import com.microsoft.graph.users.item.UserItemRequestBuilder;
import com.microsoft.kiota.authentication.AccessTokenProvider;
import com.microsoft.kiota.authentication.AllowedHostsValidator;
import com.microsoft.kiota.authentication.BaseBearerTokenAuthenticationProvider;
import java.net.URI;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import javax.annotation.Nonnull;
import org.ametys.core.user.CurrentUserProvider;
import org.ametys.core.user.UserIdentity;
import org.ametys.core.user.UserManager;
import org.ametys.core.util.SessionAttributeProvider;
import org.ametys.plugins.extrausermgt.authentication.msal.AbstractMSALCredentialProvider;
import org.ametys.runtime.config.Config;
import org.ametys.runtime.plugin.component.AbstractLogEnabled;
import org.apache.avalon.framework.activity.Initializable;
import org.apache.avalon.framework.component.Component;
import org.apache.avalon.framework.service.ServiceException;
import org.apache.avalon.framework.service.ServiceManager;
import org.apache.avalon.framework.service.Serviceable;
import org.apache.commons.lang3.StringUtils;

/* loaded from: input_file:org/ametys/plugins/extrausermgt/users/aad/GraphClientProvider.class */
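/**
 * Component handing out Microsoft Graph clients.
 *
 * <p>Two modes are supported, selected by the
 * {@code org.ametys.plugins.extra-user-management.graph.useadmin} configuration value:
 * <ul>
 *   <li><b>application mode</b>: one shared client is built in {@link #initialize()} from the
 *       configured application id, client secret and tenant. In this mode
 *       {@link #getUserRequestBuilder(UserIdentity)} performs no check that the requested user
 *       is the current user, so callers are responsible for authorizing access to another
 *       user's data before calling it;</li>
 *   <li><b>delegated mode</b>: a client is built on demand around the access token found in the
 *       current session, and only the current user can be addressed.</li>
 * </ul>
 */
public class GraphClientProvider extends AbstractLogEnabled implements Initializable, Serviceable, Component {
    /** Avalon role under which this component is registered. */
    public static final String ROLE = GraphClientProvider.class.getName();
    /** Scope requested for the application (client secret) credential. */
    private static final String __SCOPE = "https://graph.microsoft.com/.default";
    /** Shared application-mode client; stays {@code null} in delegated mode. */
    private GraphServiceClient _graphClient;
    private CurrentUserProvider _currentUserProvider;
    private SessionAttributeProvider _sessionAttributeProvider;
    private UserManager _userManager;

    /**
     * {@link AccessTokenProvider} that serves a fixed, already acquired access token.
     *
     * <p>The token is only released for HTTPS requests to the Microsoft Graph host, so that a
     * request built against another host (for instance from an absolute URL found in a
     * response) does not carry the user's bearer token.
     */
    private static class AccessTokenAuthenticationProvider implements AccessTokenProvider {
        /** Host matching the {@code graph.microsoft.com} scope this provider's tokens are used for. */
        private static final String __GRAPH_HOST = "graph.microsoft.com";

        private final String _accessToken;
        private final AllowedHostsValidator _allowedHosts = new AllowedHostsValidator(__GRAPH_HOST);

        /**
         * Creates the provider.
         * @param str the access token to serve; must not be null
         */
        public AccessTokenAuthenticationProvider(@Nonnull String str) {
            this._accessToken = Objects.requireNonNull(str, "access token");
        }

        /**
         * Returns the token for requests to the Graph host over HTTPS, and an empty string otherwise.
         * @param uri the target of the request being authenticated
         * @param map additional authentication context (unused)
         * @return the access token, or an empty string when the target is not an allowed one
         */
        @Override
        public String getAuthorizationToken(URI uri, Map<String, Object> map) {
            // NOTE(review): an empty token is expected to make the bearer provider skip the
            // Authorization header - confirm against the kiota version in use.
            if (uri == null || !"https".equalsIgnoreCase(uri.getScheme()) || !this._allowedHosts.isUrlHostValid(uri)) {
                return "";
            }
            return this._accessToken;
        }

        /**
         * Returns the validator restricting where the token may be sent.
         * @return the validator, never null
         */
        @Override
        public AllowedHostsValidator getAllowedHostsValidator() {
            return this._allowedHosts;
        }
    }

    /** Raised when no Graph client or request builder can be provided for the requested user. */
    public static class GraphClientException extends Exception {
        /**
         * Creates the exception.
         * @param str the explanation of the failure
         */
        public GraphClientException(String str) {
            super(str);
        }
    }

    /**
     * Looks up the components this provider depends on.
     * @param serviceManager the Avalon service manager
     * @throws ServiceException if a lookup fails
     */
    @Override
    public void service(ServiceManager serviceManager) throws ServiceException {
        this._currentUserProvider = (CurrentUserProvider) serviceManager.lookup(CurrentUserProvider.ROLE);
        this._sessionAttributeProvider = (SessionAttributeProvider) serviceManager.lookup(SessionAttributeProvider.ROLE);
        this._userManager = (UserManager) serviceManager.lookup(UserManager.ROLE);
    }

    /**
     * Builds the shared application-mode client when the {@code graph.useadmin} option is enabled.
     * An unset option is treated as disabled.
     */
    @Override
    public void initialize() {
        Config config = Config.getInstance();
        if (!Boolean.TRUE.equals(config.getValue("org.ametys.plugins.extra-user-management.graph.useadmin"))) {
            return;
        }
        String appId = (String) config.getValue("org.ametys.plugins.extra-user-management.graph.appid");
        String clientSecret = (String) config.getValue("org.ametys.plugins.extra-user-management.graph.clientsecret");
        String tenant = (String) config.getValue("org.ametys.plugins.extra-user-management.graph.tenant");
        this._graphClient = new GraphServiceClient(
                new ClientSecretCredentialBuilder().clientId(appId).clientSecret(clientSecret).tenantId(tenant).build(),
                new String[]{__SCOPE});
    }

    /**
     * Returns a request builder targeting the given user.
     *
     * <p>In application mode any user can be targeted and no check against the current user is
     * made here. In delegated mode only the current user is accepted and the builder is the
     * {@code /me} one of a client carrying the session's access token.
     *
     * @param userIdentity the user to target
     * @return the request builder for that user
     * @throws GraphClientException if the user is not the current one (delegated mode), has no
     *         usable principal name, or the session holds no access token
     */
    public UserItemRequestBuilder getUserRequestBuilder(UserIdentity userIdentity) throws GraphClientException {
        if (this._graphClient != null) {
            return this._graphClient.users().byUserId(_getUserPrincipalName(userIdentity));
        }
        if (!userIdentity.equals(this._currentUserProvider.getUser())) {
            throw new GraphClientException(userIdentity + " is not the current user. A graph client can only be retrieved for the current user");
        }
        return _getSessionAccessToken()
                .map(this::_getClientFromToken)
                .map(GraphServiceClient::me)
                .orElseThrow(this::_notLoggedWithEntraId);
    }

    /**
     * Returns the shared application-mode client, or a client acting as the current user.
     * @return the Graph client
     * @throws GraphClientException if there is no application client and the session holds no access token
     */
    public GraphServiceClient getGraphClient() throws GraphClientException {
        if (this._graphClient != null) {
            return this._graphClient;
        }
        return _getSessionAccessToken()
                .map(this::_getClientFromToken)
                .orElseThrow(this::_notLoggedWithEntraId);
    }

    /** Reads the access token from the session, ignoring an attribute that is not a String. */
    private Optional<String> _getSessionAccessToken() {
        return this._sessionAttributeProvider.getSessionAttribute(AbstractMSALCredentialProvider.ACCESS_TOKEN_SESSION_ATTRIBUTE)
                .filter(String.class::isInstance)
                .map(String.class::cast);
    }

    /** Builds the failure reported when the session holds no access token. */
    private GraphClientException _notLoggedWithEntraId() {
        // Plain concatenation so that an absent current user yields this exception, not a NullPointerException.
        return new GraphClientException("The current user " + this._currentUserProvider.getUser() + " is not logged with Entra ID.");
    }

    /** Wraps an access token in a new Graph client. */
    private GraphServiceClient _getClientFromToken(String str) {
        return new GraphServiceClient(new BaseBearerTokenAuthenticationProvider(new AccessTokenAuthenticationProvider(str)));
    }

    /**
     * Resolves the identifier used to address the user in Graph: the email address when the
     * {@code graph.authmethod} option is {@code email}, the login otherwise.
     * @param userIdentity the user to resolve
     * @return the login or the email address
     * @throws GraphClientException if the email is required but missing
     */
    private String _getUserPrincipalName(UserIdentity userIdentity) throws GraphClientException {
        if (!"email".equals(Config.getInstance().getValue("org.ametys.plugins.extra-user-management.graph.authmethod"))) {
            return userIdentity.getLogin();
        }
        // Guard in case the lookup returns null: an unresolved user is reported like a missing email.
        String email = Optional.ofNullable(this._userManager.getUser(userIdentity))
                .map(user -> user.getEmail())
                .orElse(null);
        if (StringUtils.isBlank(email)) {
            throw new GraphClientException("The user '" + userIdentity + "' has no email address set, thus exchange cannot be contacted using 'email' authentication method");
        }
        return email;
    }
}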
