package net.bluemind.authentication.handler;

import com.google.common.base.Splitter;
import java.security.InvalidParameterException;
import java.util.Base64;
import java.util.List;
import java.util.Locale;
import java.util.Optional;
import java.util.concurrent.ExecutorService;
import net.bluemind.authentication.api.IAuthentication;
import net.bluemind.authentication.api.ValidationKind;
import net.bluemind.core.container.model.ItemValue;
import net.bluemind.core.context.SecurityContext;
import net.bluemind.core.rest.ServerSideServiceProvider;
import net.bluemind.core.rest.http.vertx.NeedVertxExecutor;
import net.bluemind.domain.api.IDomains;
import net.bluemind.lib.vertx.BlockingCode;
import net.bluemind.network.topology.IServiceTopology;
import net.bluemind.network.topology.Topology;
import net.bluemind.pool.impl.BmConfIni;
import net.bluemind.server.api.Server;
import net.bluemind.user.api.IUser;
import net.bluemind.user.api.User;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.vertx.java.core.Handler;
import org.vertx.java.core.MultiMap;
import org.vertx.java.core.Vertx;
import org.vertx.java.core.eventbus.Message;
import org.vertx.java.core.http.HttpServerRequest;
import org.vertx.java.core.http.HttpServerResponse;

/* loaded from: input_file:net/bluemind/authentication/handler/Nginx.class */
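/**
 * HTTP handler that answers mail-proxy authentication requests.
 *
 * <p>The credentials arrive Base64-encoded in the {@code Auth-User} / {@code Auth-Pass} request
 * headers. They are validated through {@link IAuthentication} and, on success, the backend that
 * should serve the session is returned in the {@code Auth-Server} / {@code Auth-Port} response
 * headers. Every other outcome is answered with a non-OK {@code Auth-Status}; the handler is
 * written to fail closed.
 */
public final class Nginx implements Handler<HttpServerRequest>, NeedVertxExecutor {
    private Vertx vertx;
    private BlockingCode blocking;
    // Reloaded by the "bm.defaultdomain.changed" event-bus handler and read while parsing
    // requests; volatile so that a reload is visible to whichever thread parses the next request.
    private static volatile String defaultDomain;
    private static final Logger logger = LoggerFactory.getLogger(Nginx.class);
    private static final Splitter atSplitter = Splitter.on('@').omitEmptyStrings().trimResults();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:net/bluemind/authentication/handler/Nginx$AuthResponse.class */
    /** Outcome of one credential check, plus the resolved backend when the check succeeded. */
    public static class AuthResponse {
        ValidationKind validation;
        // Both backend fields are null when no backend was resolved (see computeResponse).
        String backendSrv;
        String backendLatd;

        private AuthResponse() {
        }

        /**
         * Builds a response.
         *
         * @param validationKind result returned by the authentication service
         * @param backendLatd login to present to the backend, or null
         * @param backendSrv backend address, or null
         */
        public static AuthResponse of(ValidationKind validationKind, String backendLatd, String backendSrv) {
            AuthResponse authResponse = new AuthResponse();
            authResponse.validation = validationKind;
            authResponse.backendLatd = backendLatd;
            authResponse.backendSrv = backendSrv;
            return authResponse;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:net/bluemind/authentication/handler/Nginx$QueryParameters.class */
    /**
     * Immutable view of the request headers this handler reads.
     *
     * <p>{@code password} holds the decoded clear-text password: it must never be logged or
     * copied into a response.
     */
    public static class QueryParameters {
        public final String clientIp;
        public final String backendPort;
        public final String protocol;
        public final String password;
        public final String latd;
        public final long time;
        public final int attempt;

        private QueryParameters(String clientIp, String protocol, String latd, String password, String backendPort,
                long time, int attempt) {
            this.clientIp = clientIp;
            this.protocol = protocol;
            this.latd = latd;
            this.password = password;
            this.backendPort = backendPort;
            this.time = time;
            this.attempt = attempt;
        }

        /**
         * Extracts and normalises the authentication headers of a request.
         *
         * @param httpServerRequest request whose headers are read
         * @param startedAt timestamp (ms) recorded when the request was received
         * @return the parsed parameters; the login is lower-cased and, when it has no domain part
         *     and a default domain is configured, qualified with that domain
         * @throws InvalidParameterException if the login is missing or empty, or the password
         *     header is missing
         * @throws IllegalArgumentException if a credential header is not valid Base64, or the
         *     attempt counter is not a number ({@link NumberFormatException})
         */
        public static QueryParameters fromRequest(HttpServerRequest httpServerRequest, long startedAt) {
            MultiMap headers = httpServerRequest.headers();
            String clientIp = headers.get("Client-IP");
            String backendPort = headers.get("X-Auth-Port");
            String protocol = headers.get("Auth-Protocol");
            int attempt = Optional.ofNullable(headers.get("Auth-Login-Attempt")).map(Integer::parseInt).orElse(0);
            String encodedLogin = headers.get("Auth-User");
            if (encodedLogin == null || "".equals(encodedLogin)) {
                throw new InvalidParameterException("null or empty login");
            }
            // Locale.ROOT keeps the normalisation independent of the JVM's default locale, so the
            // "admin0" comparison and the later directory lookup see the same login everywhere.
            String login = Nginx.decode(encodedLogin).toLowerCase(Locale.ROOT);
            // Read the shared field once: it can be reloaded concurrently, and two reads could
            // otherwise pass the null check and then append "null".
            String domain = Nginx.defaultDomain;
            boolean alreadyQualified = "admin0".equals(login) || domain == null || login.contains("@");
            String latd = alreadyQualified ? login : login + "@" + domain;
            String encodedPassword = headers.get("Auth-Pass");
            if (encodedPassword == null) {
                // Explicit rejection instead of the NullPointerException the decoder would raise.
                throw new InvalidParameterException("null password");
            }
            return new QueryParameters(clientIp, protocol, latd, Nginx.decode(encodedPassword), backendPort,
                    startedAt, attempt);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:net/bluemind/authentication/handler/Nginx$ResolvedUser.class */
    /** Backend address and backend login resolved for an authenticated user. */
    public static class ResolvedUser {
        public final String latd;
        public final String address;

        /**
         * @param user directory entry of the authenticated user
         * @param server server chosen to handle the session
         * @param domainUid uid of the user's domain, appended to the login
         */
        public ResolvedUser(ItemValue<User> user, ItemValue<Server> server, String domainUid) {
            this.address = ((Server) server.value).address();
            this.latd = ((User) user.value).login + "@" + domainUid;
        }
    }

    public Nginx() {
        loadDefaultDomain();
    }

    /* JADX INFO: Access modifiers changed from: private */
    /** Reloads the "default-domain" setting used to qualify logins that carry no domain part. */
    public void loadDefaultDomain() {
        defaultDomain = new BmConfIni().get("default-domain");
    }

    /**
     * Handles one authentication request once its body has been fully received.
     *
     * <p>The credential check runs on the blocking executor. The response is ended on every path,
     * and carries {@code Auth-Status: OK} only when the credentials were accepted and a backend
     * was resolved.
     *
     * @param httpServerRequest the incoming request
     */
    public void handle(HttpServerRequest httpServerRequest) {
        long startedAt = System.currentTimeMillis();
        httpServerRequest.endHandler(ignored -> {
            HttpServerResponse response = httpServerRequest.response();
            if (this.vertx == null) {
                response.setStatusCode(500).setStatusMessage("missing vertx").end();
                return;
            }
            final QueryParameters params;
            try {
                params = QueryParameters.fromRequest(httpServerRequest, startedAt);
            } catch (RuntimeException e) {
                // Header parsing works on caller-supplied values. Without this catch a malformed
                // request would escape the end handler and no Auth-Status would be written.
                // Only the exception type is logged so that no header content reaches the log.
                logger.warn("Rejecting malformed auth request ({})", e.getClass().getSimpleName());
                fail(null, response);
                response.end();
                return;
            }
            this.blocking.run(() -> {
                return computeResponse(params);
            }).whenComplete((authResponse, th) -> {
                try {
                    if (th != null) {
                        logger.error(th.getMessage(), th);
                        fail(params, response);
                    } else if (isAccepted(authResponse)) {
                        succeed(response, params, authResponse.backendSrv, authResponse.backendLatd);
                    } else {
                        fail(params, response);
                    }
                } finally {
                    // Always answer, even if writing the headers above threw.
                    response.end();
                }
            });
        });
    }

    /**
     * Tells whether a check result may be answered with {@code Auth-Status: OK}.
     *
     * <p>Deny by default: an expired password is returned by computeResponse without a backend,
     * so it must be refused like a wrong password rather than reach succeed() with null values.
     */
    private static boolean isAccepted(AuthResponse authResponse) {
        return authResponse != null
                && authResponse.validation != null
                && authResponse.validation != ValidationKind.NONE
                && authResponse.validation != ValidationKind.PASSWORDEXPIRED
                && authResponse.backendSrv != null;
    }

    /**
     * Validates the credentials and, when they are accepted, resolves the backend server.
     *
     * @param queryParameters parsed request parameters
     * @return the validation result; the backend fields are null for NONE and PASSWORDEXPIRED
     * @throws InvalidParameterException if no backend can be resolved for the login
     */
    private AuthResponse computeResponse(QueryParameters queryParameters) {
        // The password check itself runs under the anonymous security context.
        ValidationKind validate = ((IAuthentication) ServerSideServiceProvider.getProvider(SecurityContext.ANONYMOUS).instance(IAuthentication.class, new String[0])).validate(queryParameters.latd, queryParameters.password, "nginx-imap-password-check");
        if (validate == ValidationKind.NONE || validate == ValidationKind.PASSWORDEXPIRED) {
            return AuthResponse.of(validate, null, null);
        }
        ResolvedUser backend = getBackendSrv(queryParameters.protocol, queryParameters.latd);
        logger.info("[{}][{}][{}] will use cyrus backend {} using login [{}], done in {}ms.",
                queryParameters.clientIp, queryParameters.protocol, queryParameters.latd, backend.address,
                backend.latd, System.currentTimeMillis() - queryParameters.time);
        return AuthResponse.of(validate, backend.latd, backend.address);
    }

    /**
     * Writes the headers of a refused authentication.
     *
     * <p>{@code Auth-Wait} is only added for the first attempts (counter below 10) and is omitted
     * when the request could not be parsed at all.
     *
     * @param queryParameters parsed request, or null when parsing failed
     * @param httpServerResponse response to fill in; not ended here
     */
    private void fail(QueryParameters queryParameters, HttpServerResponse httpServerResponse) {
        // latd is decoded from the client-supplied Auth-User header.
        // NOTE(review): confirm the log layout neutralises CR/LF in logged arguments.
        logger.error("[{}] Denied auth from {}", queryParameters == null ? null : queryParameters.latd, queryParameters == null ? null : queryParameters.clientIp);
        httpServerResponse.headers().add("Auth-Status", "Invalid login or password");
        if (queryParameters != null && queryParameters.attempt < 10) {
            httpServerResponse.headers().add("Auth-Wait", "4");
        }
    }

    /**
     * Writes the headers of an accepted authentication.
     *
     * @param httpServerResponse response to fill in; not ended here
     * @param queryParameters parsed request; its backend port is echoed in {@code Auth-Port}
     * @param backendSrv address of the backend server
     * @param backendLatd login to use on the backend; sent as {@code Auth-User} only when it
     *     differs from the login the client presented
     */
    private void succeed(HttpServerResponse httpServerResponse, QueryParameters queryParameters, String backendSrv, String backendLatd) {
        MultiMap headers = httpServerResponse.headers();
        headers.add("Auth-Status", "OK");
        headers.add("Auth-Server", backendSrv);
        headers.add("Auth-Port", queryParameters.backendPort);
        if (!queryParameters.latd.equals(backendLatd)) {
            headers.add("Auth-User", backendLatd);
        }
    }

    /**
     * Resolves the user and the server that should handle the session.
     *
     * <p>The lookups use the SYSTEM security context; in this class the method is only reached
     * from computeResponse after the credentials were accepted.
     *
     * @param protocol value of the {@code Auth-Protocol} header
     * @param latd normalised login, expected as {@code login@domain}
     * @return the resolved backend user
     * @throws InvalidParameterException if the login has no domain part, or the domain, the user
     *     or a server cannot be found
     */
    private ResolvedUser getBackendSrv(String protocol, String latd) {
        // The splitter drops empty parts, so "user@" or "@domain" yield a single element and
        // fall through to the exception below instead of an index error.
        List<String> parts = atSplitter.splitToList(latd);
        if (parts.size() >= 2) {
            String domainName = parts.get(1);
            ServerSideServiceProvider provider = ServerSideServiceProvider.getProvider(SecurityContext.SYSTEM);
            ItemValue domain = ((IDomains) provider.instance(IDomains.class, new String[0])).findByNameOrAliases(domainName);
            if (domain != null) {
                ItemValue user = ((IUser) provider.instance(IUser.class, new String[]{domain.uid})).byEmail(latd);
                // A login that does not resolve to a directory entry is reported through the
                // exception below rather than a NullPointerException.
                if (user != null && user.value != null) {
                    IServiceTopology topology = Topology.get();
                    ItemValue server;
                    if (topology.singleNode()) {
                        server = topology.core();
                    } else if (topology.imapOnDatalocation() || "pop3".equals(protocol)) {
                        server = topology.datalocation(((User) user.value).dataLocation);
                    } else {
                        server = topology.any("mail/imap_frontend");
                    }
                    if (server != null) {
                        return new ResolvedUser(user, server, domain.uid);
                    }
                }
            }
        }
        throw new InvalidParameterException("No backend server found for '" + latd + "'");
    }

    /**
     * Decodes a Base64 header value into a string.
     *
     * @param str Base64 text; must not be null
     * @return the decoded text
     * @throws IllegalArgumentException if {@code str} is not valid Base64
     * @throws NullPointerException if {@code str} is null
     */
    public static String decode(String str) {
        // NOTE(review): the bytes are decoded with the JVM's default charset, so a non-ASCII
        // login or password can decode differently from one host to another. Confirm the encoding
        // used by the sender and pin it explicitly.
        return new String(Base64.getDecoder().decode(str));
    }

    /**
     * Receives the Vert.x instance and executor, and subscribes to default-domain changes.
     *
     * @param vertx Vert.x instance; requests are answered with status 500 until it is set
     * @param executorService executor used for the blocking credential check
     */
    public void setVertxExecutor(Vertx vertx, ExecutorService executorService) {
        this.vertx = vertx;
        this.blocking = BlockingCode.forVertx(this.vertx).withExecutor(executorService);
        logger.info("Init with {}", vertx);
        vertx.eventBus().registerHandler("bm.defaultdomain.changed", new Handler<Message<?>>() { // from class: net.bluemind.authentication.handler.Nginx.1
            public void handle(Message<?> message) {
                Nginx.this.loadDefaultDomain();
            }
        });
    }
}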
