package net.bluemind.authentication.handler;

import com.google.common.base.Splitter;
import io.vertx.core.Handler;
import io.vertx.core.MultiMap;
import io.vertx.core.Vertx;
import io.vertx.core.http.HttpServerRequest;
import io.vertx.core.http.HttpServerResponse;
import java.nio.charset.StandardCharsets;
import java.security.InvalidParameterException;
import java.util.Base64;
import java.util.Iterator;
import java.util.Locale;
import java.util.Optional;
import java.util.concurrent.ExecutorService;
import net.bluemind.authentication.api.IAuthentication;
import net.bluemind.authentication.api.ValidationKind;
import net.bluemind.core.container.model.ItemValue;
import net.bluemind.core.context.SecurityContext;
import net.bluemind.core.rest.ServerSideServiceProvider;
import net.bluemind.core.rest.http.vertx.NeedVertxExecutor;
import net.bluemind.domain.api.Domain;
import net.bluemind.domain.api.IDomains;
import net.bluemind.hornetq.client.MQ;
import net.bluemind.lib.vertx.utils.PasswordDecoder;
import net.bluemind.network.topology.IServiceTopology;
import net.bluemind.network.topology.Topology;
import net.bluemind.server.api.Server;
import net.bluemind.server.api.TagDescriptor;
import net.bluemind.system.api.SysConfKeys;
import net.bluemind.user.api.IUser;
import net.bluemind.user.api.User;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/bluemind/authentication/handler/Nginx.class */
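/**
 * HTTP handler that answers credential checks sent by an nginx mail proxy.
 *
 * <p>The request/response headers used here ({@code Auth-User}, {@code Auth-Pass},
 * {@code Auth-Status}, {@code Auth-Wait}, {@code Auth-Server}, {@code Auth-Port}) appear to follow
 * the nginx mail {@code auth_http} protocol. The handler decodes the Base64 credentials, validates
 * them through {@link IAuthentication} and, on success, tells the proxy which backend to use.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The decoded password must never be written to logs, at any level.</li>
 *   <li>Every header read here is supplied by the HTTP peer; nothing in this class authenticates
 *       that peer, so access to this endpoint has to be restricted elsewhere.</li>
 *   <li>Directory lookups run with {@link SecurityContext#SYSTEM} and must stay after the
 *       credential validation in {@link #computeResponse}.</li>
 * </ul>
 */
public final class Nginx implements Handler<HttpServerRequest>, NeedVertxExecutor {
    private static final Logger logger = LoggerFactory.getLogger(Nginx.class);
    private Vertx vertx;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:net/bluemind/authentication/handler/Nginx$AuthResponse.class */
    /** Outcome of one credential check: the validation result plus the backend to route to. */
    public static class AuthResponse {
        ValidationKind validation;
        // Backend address returned to the proxy in the Auth-Server header.
        String backendSrv;
        // Canonical login@domain returned to the proxy in the Auth-User header.
        String backendLatd;

        private AuthResponse() {
        }

        /**
         * Builds a response.
         *
         * @param validationKind result of the credential validation
         * @param backendLatd canonical {@code login@domain}, or {@code null} when denied
         * @param backendSrv backend address, or {@code null} when denied
         * @return the populated response
         */
        public static AuthResponse of(ValidationKind validationKind, String backendLatd, String backendSrv) {
            AuthResponse authResponse = new AuthResponse();
            authResponse.validation = validationKind;
            authResponse.backendLatd = backendLatd;
            authResponse.backendSrv = backendSrv;
            return authResponse;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:net/bluemind/authentication/handler/Nginx$QueryParameters.class */
    /**
     * Immutable view of the headers of one authentication request.
     *
     * <p>{@link #password} holds the decoded clear-text secret; do not log or serialize instances.
     */
    public static class QueryParameters {
        public final String clientIp;
        public final String backendPort;
        public final String protocol;
        public final String password;
        public final String user;
        public final String latd;
        public final long time;
        public final int attempt;
        private static final MQ.SharedMap<String, String> sharedMap = MQ.sharedMap("system.configuration");

        /** Returns the configured default domain, or {@code null} when none is set. */
        private static final String getDefaultDomain() {
            return (String) sharedMap.get(SysConfKeys.default_domain.name());
        }

        private QueryParameters(String clientIp, String protocol, String user, String latd, String password,
                String backendPort, long time, int attempt) {
            this.clientIp = clientIp;
            this.protocol = protocol;
            this.user = user;
            this.latd = latd;
            this.password = password;
            this.backendPort = backendPort;
            this.time = time;
            this.attempt = attempt;
        }

        /**
         * Parses the authentication headers of a request.
         *
         * @param httpServerRequest request carrying the {@code Auth-*} headers
         * @param receivedAt timestamp (ms) at which the request was received, used for timing logs
         * @return the parsed parameters
         * @throws InvalidParameterException if the login or the password header is missing
         * @throws IllegalArgumentException if a header is not valid Base64 or
         *         {@code Auth-Login-Attempt} is not an integer
         */
        public static QueryParameters fromRequest(HttpServerRequest httpServerRequest, long receivedAt) {
            MultiMap requestHeaders = httpServerRequest.headers();
            String clientIp = requestHeaders.get("Client-IP");
            String backendPort = requestHeaders.get("X-Auth-Port");
            String protocol = requestHeaders.get("Auth-Protocol");
            String attemptHeader = requestHeaders.get("Auth-Login-Attempt");
            int attempt = attemptHeader == null ? 0 : Integer.parseInt(attemptHeader);

            String encodedUser = requestHeaders.get("Auth-User");
            if (encodedUser == null || encodedUser.isEmpty()) {
                throw new InvalidParameterException("null or empty login");
            }
            // Explicit charset and locale: the canonical login must not depend on the host's
            // default encoding or on locale-specific case mapping (e.g. dotless i).
            String user = new String(Nginx.decode(encodedUser), StandardCharsets.UTF_8).toLowerCase(Locale.ROOT);
            String defaultDomain = getDefaultDomain();
            // "admin0" and logins that already carry a domain are used as-is; any other login is
            // qualified with the default domain when one is configured.
            String latd = ("admin0".equals(user) || defaultDomain == null || user.contains("@"))
                    ? user
                    : user + "@" + defaultDomain;

            String encodedPassword = requestHeaders.get("Auth-Pass");
            if (encodedPassword == null) {
                // Fail with a clear message instead of a NullPointerException from the decoder.
                throw new InvalidParameterException("missing password");
            }
            String password = PasswordDecoder.getPassword(user, Nginx.decode(encodedPassword));
            if (Nginx.logger.isDebugEnabled()) {
                // Neither the Base64 header nor the decoded password is logged: Base64 is an
                // encoding, not protection, and debug logs are routinely shipped and archived.
                Nginx.logger.debug("Decoded credentials for {} (password not logged)", latd);
            }
            return new QueryParameters(clientIp, protocol, user, latd, password, backendPort, receivedAt, attempt);
        }
    }

    /**
     * Handles one authentication request once its body has been fully received.
     *
     * <p>Malformed requests are answered with a denial rather than left without a response, and
     * the credential check itself runs on a blocking worker.
     *
     * @param httpServerRequest the incoming request
     */
    @Override
    public void handle(HttpServerRequest httpServerRequest) {
        long receivedAt = System.currentTimeMillis();
        httpServerRequest.endHandler(ignored -> {
            HttpServerResponse response = httpServerRequest.response();
            if (this.vertx == null) {
                response.setStatusCode(500).setStatusMessage("missing vertx").end();
                return;
            }
            QueryParameters params;
            try {
                params = QueryParameters.fromRequest(httpServerRequest, receivedAt);
            } catch (RuntimeException e) {
                // A missing login, bad Base64 or a non-numeric attempt counter previously escaped
                // this handler and the response was never ended. Only the exception type is
                // logged, because the message may echo header content.
                logger.warn("Rejecting malformed auth request ({})", e.getClass().getSimpleName());
                fail(null, response);
                response.end();
                return;
            }
            this.vertx.executeBlocking(() -> computeResponse(params), false).onSuccess(authResponse -> {
                if (authResponse.validation == ValidationKind.NONE
                        || authResponse.validation == ValidationKind.PASSWORDEXPIRED) {
                    fail(params, response);
                } else {
                    succeed(response, params, authResponse.backendSrv, authResponse.backendLatd);
                }
                response.end();
            }).onFailure(th -> {
                // Any lookup error is treated as a denial (fail closed).
                logger.error("Auth check failed for {}", params.latd, th);
                fail(params, response);
                response.end();
            });
        });
    }

    /**
     * Validates the credentials and resolves the backend for the authenticated user.
     *
     * @param queryParameters parsed request parameters
     * @return a denial ({@code NONE}/{@code PASSWORDEXPIRED}, no backend) or the validation kind
     *         with the canonical login and the backend address
     * @throws InvalidParameterException if the login has no usable domain part or the domain is
     *         unknown
     */
    private AuthResponse computeResponse(QueryParameters queryParameters) {
        // Credentials are validated with the ANONYMOUS context first; the SYSTEM-context lookups
        // below are reached only after this check succeeded. Keep that order.
        ValidationKind validate = ((IAuthentication) ServerSideServiceProvider.getProvider(SecurityContext.ANONYMOUS)
                .instance(IAuthentication.class, new String[0]))
                .validate(queryParameters.latd, queryParameters.password, "nginx-imap-password-check");
        if (validate == ValidationKind.NONE || validate == ValidationKind.PASSWORDEXPIRED) {
            return AuthResponse.of(validate, null, null);
        }
        if (!queryParameters.latd.contains("@")) {
            throw new InvalidParameterException("Invalid login@domain " + queryParameters.latd);
        }
        // The domain is the second non-empty '@'-separated token of the login.
        Iterator<String> parts = Splitter.on('@').omitEmptyStrings().trimResults().split(queryParameters.latd)
                .iterator();
        if (parts.hasNext()) {
            parts.next();
        }
        if (!parts.hasNext()) {
            // e.g. "user@": report it as an invalid login instead of a NoSuchElementException.
            throw new InvalidParameterException("Invalid login@domain " + queryParameters.latd);
        }
        String domainName = parts.next();
        ServerSideServiceProvider provider = ServerSideServiceProvider.getProvider(SecurityContext.SYSTEM);
        ItemValue domain = ((IDomains) provider.instance(IDomains.class, new String[0]))
                .findByNameOrAliases(domainName);
        if (domain == null) {
            throw new InvalidParameterException("Fail to find domain " + domainName);
        }
        ItemValue userItem = ((IUser) provider.instance(IUser.class, new String[]{domain.uid}))
                .byEmail(queryParameters.latd);
        if (userItem == null) {
            // Validation passed but no user matches this address: deny.
            return AuthResponse.of(ValidationKind.NONE, null, null);
        }
        // Canonical identity handed to the backend: the user's login at the domain's primary name.
        String backendLatd = ((User) userItem.value).login + "@" + ((Domain) domain.value).name;
        IServiceTopology topology = Topology.get();
        String address = topology.singleNode()
                ? ((Server) topology.core().value).address()
                : ((Server) topology.any(TagDescriptor.bm_core.getTag()).value).address();
        logger.info("[name={};protocol={},oip={};backend={}] resolved in {}ms.", new Object[]{queryParameters.latd,
                queryParameters.protocol, queryParameters.clientIp, address,
                Long.valueOf(System.currentTimeMillis() - queryParameters.time)});
        return AuthResponse.of(validate, backendLatd, address);
    }

    /**
     * Writes a denial to the response headers.
     *
     * <p>The status text is the same for every failure cause, so the reply does not reveal whether
     * the login or the password was wrong. {@code Auth-Wait} is added only for known requests
     * below ten attempts.
     *
     * @param queryParameters parsed parameters, or {@code null} when the request could not be parsed
     * @param httpServerResponse response to populate (not ended here)
     */
    private void fail(QueryParameters queryParameters, HttpServerResponse httpServerResponse) {
        // NOTE(review): latd and clientIp come from request headers (latd is Base64-decoded), so
        // they can contain control characters; confirm the log layout escapes them.
        logger.error("[{}] Denied auth from {}", queryParameters == null ? null : queryParameters.latd,
                queryParameters == null ? null : queryParameters.clientIp);
        httpServerResponse.headers().add("Auth-Status", "Invalid login or password");
        if (queryParameters == null || queryParameters.attempt >= 10) {
            return;
        }
        httpServerResponse.headers().add("Auth-Wait", "2");
    }

    /**
     * Writes a successful answer to the response headers.
     *
     * @param httpServerResponse response to populate (not ended here)
     * @param queryParameters parsed request parameters
     * @param backendSrv backend address for {@code Auth-Server}
     * @param backendLatd canonical login; sent as {@code Auth-User} only when it differs from what
     *        the client supplied
     */
    private void succeed(HttpServerResponse httpServerResponse, QueryParameters queryParameters, String backendSrv,
            String backendLatd) {
        MultiMap headers = httpServerResponse.headers();
        headers.add("Auth-Status", "OK");
        headers.add("Auth-Server", backendSrv);
        // The port is echoed from the X-Auth-Port request header without validation.
        headers.add("Auth-Port", queryParameters.backendPort);
        if (queryParameters.user.equals(backendLatd) && queryParameters.latd.equals(backendLatd)) {
            return;
        }
        headers.add("Auth-User", backendLatd);
    }

    /**
     * Decodes a Base64 string.
     *
     * @param str Base64 text; must not be {@code null}
     * @return the decoded bytes
     * @throws IllegalArgumentException if {@code str} is not valid Base64
     */
    public static byte[] decode(String str) {
        return Base64.getDecoder().decode(str);
    }

    /**
     * Receives the Vert.x instance used to run blocking credential checks.
     *
     * @param vertx Vert.x instance stored for later use
     * @param executorService not used by this handler
     */
    @Override
    public void setVertxExecutor(Vertx vertx, ExecutorService executorService) {
        this.vertx = vertx;
    }
}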
