package net.bluemind.vertx.common.http;

import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.CharMatcher;
import com.google.common.base.MoreObjects;
import com.google.common.collect.Iterables;
import io.vertx.core.Handler;
import io.vertx.core.Vertx;
import io.vertx.core.http.HttpHeaders;
import io.vertx.core.http.HttpServerRequest;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Base64;
import java.util.List;
import java.util.Optional;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.TimeUnit;
import java.util.function.BiConsumer;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import net.bluemind.authentication.api.IAuthenticationPromise;
import net.bluemind.authentication.api.LoginResponse;
import net.bluemind.config.Token;
import net.bluemind.core.caches.registry.CacheRegistry;
import net.bluemind.core.caches.registry.ICacheRegistration;
import net.bluemind.core.container.model.ItemValue;
import net.bluemind.core.rest.http.HttpClientProvider;
import net.bluemind.core.rest.http.ILocator;
import net.bluemind.core.rest.http.VertxPromiseServiceProvider;
import net.bluemind.domain.api.Domain;
import net.bluemind.domain.api.IDomainsPromise;
import net.bluemind.lib.vertx.VertxPlatform;
import net.bluemind.lib.vertx.utils.PasswordDecoder;
import net.bluemind.mailbox.api.IMailboxesPromise;
import net.bluemind.mailbox.api.Mailbox;
import net.bluemind.network.topology.IServiceTopology;
import net.bluemind.network.topology.Topology;
import net.bluemind.network.topology.TopologyException;
import net.bluemind.server.api.Server;
import net.bluemind.system.api.SystemState;
import net.bluemind.vertx.common.CoreStateListener;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.MDC;

/* loaded from: input_file:net/bluemind/vertx/common/http/BasicAuthHandler.class */
public class BasicAuthHandler implements Handler<HttpServerRequest> {
    public final Handler<AuthenticatedRequest> lh;
    private final String origin;
    private final String role;
    private IAuthenticationPromise authApi;
    private VertxPromiseServiceProvider adminProv;
    private IDomainsPromise domainsApi;
    private static final Logger logger = LoggerFactory.getLogger(BasicAuthHandler.class);
    private static final CharMatcher azureAdMatcher = CharMatcher.inRange('a', 'z').or(CharMatcher.inRange('A', 'Z')).or(CharMatcher.inRange('0', '9')).or(CharMatcher.anyOf(" @#$%^&*-_!+=[]{}|\\:',.?/`~\"();<>"));
    private static Cache<String, ValidatedAuth> validated = Caffeine.newBuilder().recordStats().expireAfterWrite(10, TimeUnit.MINUTES).build();
    private static final CharSequence WWW_AUTHENTICATE = HttpHeaders.createOptimized("WWW-Authenticate");
    private static final CharSequence WWW_AUTHENTICATE_VALUE = HttpHeaders.createOptimized("Basic realm=\"bm.basic.auth.v2\", charset=\"UTF-8\"");

    /* loaded from: input_file:net/bluemind/vertx/common/http/BasicAuthHandler$AuthenticatedRequest.class */
    public static final class AuthenticatedRequest {
        public final HttpServerRequest req;
        public final String login;
        public final String sid;
        public final Mailbox.Routing routing;

        public AuthenticatedRequest(HttpServerRequest httpServerRequest, String str, String str2, Mailbox.Routing routing) {
            this.req = httpServerRequest;
            this.login = str;
            this.sid = str2;
            this.routing = routing;
        }
    }

    /* loaded from: input_file:net/bluemind/vertx/common/http/BasicAuthHandler$CacheRegistration.class */
    public static class CacheRegistration implements ICacheRegistration {
        public void registerCaches(CacheRegistry cacheRegistry) {
            cacheRegistry.register(BasicAuthHandler.class, BasicAuthHandler.validated);
        }
    }

    @VisibleForTesting
    /* loaded from: input_file:net/bluemind/vertx/common/http/BasicAuthHandler$Creds.class */
    public static final class Creds {
        private final String login;
        private final String password;

        public Creds(String str, String str2) {
            this.login = str;
            this.password = str2;
        }

        public String getLogin() {
            return this.login;
        }

        public String getPassword() {
            return this.password;
        }

        public String toString() {
            return MoreObjects.toStringHelper(Creds.class).add("l", this.login).add("p", this.password).toString();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:net/bluemind/vertx/common/http/BasicAuthHandler$DomainInfo.class */
    public static final class DomainInfo extends Record {
        private final String defaultAlias;
        private final String externalUrl;

        DomainInfo(String str, String str2) {
            this.defaultAlias = str;
            this.externalUrl = str2;
        }

        public String defaultAlias() {
            return this.defaultAlias;
        }

        public String externalUrl() {
            return this.externalUrl;
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, DomainInfo.class), DomainInfo.class, "defaultAlias;externalUrl", "FIELD:Lnet/bluemind/vertx/common/http/BasicAuthHandler$DomainInfo;->defaultAlias:Ljava/lang/String;", "FIELD:Lnet/bluemind/vertx/common/http/BasicAuthHandler$DomainInfo;->externalUrl:Ljava/lang/String;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, DomainInfo.class), DomainInfo.class, "defaultAlias;externalUrl", "FIELD:Lnet/bluemind/vertx/common/http/BasicAuthHandler$DomainInfo;->defaultAlias:Ljava/lang/String;", "FIELD:Lnet/bluemind/vertx/common/http/BasicAuthHandler$DomainInfo;->externalUrl:Ljava/lang/String;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, DomainInfo.class, Object.class), DomainInfo.class, "defaultAlias;externalUrl", "FIELD:Lnet/bluemind/vertx/common/http/BasicAuthHandler$DomainInfo;->defaultAlias:Ljava/lang/String;", "FIELD:Lnet/bluemind/vertx/common/http/BasicAuthHandler$DomainInfo;->externalUrl:Ljava/lang/String;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:net/bluemind/vertx/common/http/BasicAuthHandler$ValidatedAuth.class */
    public static class ValidatedAuth {
        String login;
        String sid;
        Mailbox.Routing routing;

        public ValidatedAuth(String str, String str2, Mailbox.Routing routing) {
            this.login = str;
            this.sid = str2;
            this.routing = routing;
        }

        public String toString() {
            return "ValidatedAuth[login = " + this.login + ", sid = " + this.sid + "]";
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:net/bluemind/vertx/common/http/BasicAuthHandler$WithRouting.class */
    public static class WithRouting {
        LoginResponse lr;
        Mailbox.Routing mboxRouting;

        public WithRouting(LoginResponse loginResponse, ItemValue<Mailbox> itemValue) {
            this.lr = loginResponse;
            this.mboxRouting = itemValue != null ? ((Mailbox) itemValue.value).routing : Mailbox.Routing.none;
        }
    }

    public BasicAuthHandler(Vertx vertx, String str, Handler<AuthenticatedRequest> handler) {
        this(vertx, str, null, handler);
    }

    public BasicAuthHandler(Vertx vertx, String str, String str2, Handler<AuthenticatedRequest> handler) {
        this.lh = handler;
        this.origin = str;
        this.role = str2;
        ILocator iLocator = (str3, asyncHandler) -> {
            Optional ifAvailable = Topology.getIfAvailable();
            if (ifAvailable.isPresent()) {
                asyncHandler.success(new String[]{((Server) ((IServiceTopology) ifAvailable.get()).core().value).address()});
            } else {
                asyncHandler.failure(new TopologyException("topology not available"));
            }
        };
        this.authApi = (IAuthenticationPromise) new VertxPromiseServiceProvider(new HttpClientProvider(vertx), iLocator, (String) null).instance(IAuthenticationPromise.class, new String[0]);
        this.adminProv = new VertxPromiseServiceProvider(new HttpClientProvider(vertx), iLocator, Token.admin0());
        this.domainsApi = (IDomainsPromise) this.adminProv.instance(IDomainsPromise.class, new String[0]);
    }

    private boolean roleCheck(String str, LoginResponse loginResponse) {
        return str == null || loginResponse.authUser.roles.contains("systemManagement") || checkUserRole(str, loginResponse);
    }

    private boolean checkUserRole(String str, LoginResponse loginResponse) {
        if (loginResponse.authUser.roles.contains(str)) {
            return true;
        }
        if (!logger.isWarnEnabled()) {
            return false;
        }
        logger.warn("User {} does not have role {}", loginResponse.authUser.value.defaultEmailAddress(), str);
        return false;
    }

    public void handle(HttpServerRequest httpServerRequest) {
        MDC.clear();
        if (CoreStateListener.state != SystemState.CORE_STATE_RUNNING) {
            VertxPlatform.getVertx().setTimer(500L, l -> {
                logger.warn("Core state is {}", CoreStateListener.state);
                httpServerRequest.response().setStatusCode(503).setStatusMessage("Service Unavailable").end();
            });
            return;
        }
        String str = httpServerRequest.headers().get(HttpHeaders.AUTHORIZATION);
        if (str == null) {
            logger.debug("Missing Auth header => 401");
            httpServerRequest.response().putHeader(WWW_AUTHENTICATE, WWW_AUTHENTICATE_VALUE).setStatusCode(401).end();
            return;
        }
        ValidatedAuth validatedAuth = (ValidatedAuth) validated.getIfPresent(str);
        if (validatedAuth != null) {
            this.lh.handle(new AuthenticatedRequest(httpServerRequest, validatedAuth.login, validatedAuth.sid, validatedAuth.routing));
        } else {
            httpServerRequest.pause();
            getCredentials(httpServerRequest.absoluteURI(), str).thenCompose(creds -> {
                return this.authApi.login(creds.getLogin(), creds.getPassword(), this.origin).thenApply(loginResponse -> {
                    if (loginResponse.status == LoginResponse.Status.Ok && roleCheck(this.role, loginResponse)) {
                        return loginResponse;
                    }
                    return null;
                }).thenCompose(loginResponse2 -> {
                    return loginResponse2 == null ? CompletableFuture.completedFuture(null) : ((IMailboxesPromise) this.adminProv.instance(IMailboxesPromise.class, new String[]{loginResponse2.authUser.domainUid})).byName(loginResponse2.authUser.value.login).thenApply(itemValue -> {
                        return new WithRouting(loginResponse2, itemValue);
                    });
                });
            }).whenComplete((BiConsumer<? super U, ? super Throwable>) (withRouting, th) -> {
                httpServerRequest.resume();
                if (th != null) {
                    logger.warn("auth problem, check core.log ({})", th.getMessage());
                    httpServerRequest.response().putHeader(WWW_AUTHENTICATE, WWW_AUTHENTICATE_VALUE).setStatusCode(401).end();
                } else {
                    if (withRouting == null) {
                        httpServerRequest.response().putHeader(WWW_AUTHENTICATE, WWW_AUTHENTICATE_VALUE).setStatusCode(401).end();
                        return;
                    }
                    validated.put(str, new ValidatedAuth(withRouting.lr.latd, withRouting.lr.authKey, withRouting.mboxRouting));
                    this.lh.handle(new AuthenticatedRequest(httpServerRequest, withRouting.lr.latd, withRouting.lr.authKey, withRouting.mboxRouting));
                }
            });
        }
    }

    @VisibleForTesting
    public CompletableFuture<Creds> getCredentials(String str, String str2) {
        if (!str2.startsWith("Basic ")) {
            return CompletableFuture.failedFuture(new NullPointerException("No Basic auth header found"));
        }
        byte[] decode = Base64.getDecoder().decode(str2.substring(6));
        int i = 0;
        while (i < decode.length && decode[i] != 58) {
            i++;
        }
        int length = decode.length - (i + 1);
        if (length <= 0) {
            logger.warn("Can't extract password bytes from {}", str2);
            return CompletableFuture.failedFuture(new NullPointerException("Can't extract password bytes from " + str2));
        }
        byte[] bArr = new byte[length];
        System.arraycopy(decode, i + 1, bArr, 0, length);
        String str3 = new String(decode, 0, i);
        String password = PasswordDecoder.getPassword(str3, bArr);
        if (!azureAdMatcher.matchesAllOf(password) && logger.isWarnEnabled()) {
            logger.warn("[{}] Password contains error-prone characters ({})", str3, azureAdMatcher.removeFrom(password));
        }
        int indexOf = str3.indexOf(92);
        if (indexOf > 0) {
            String substring = str3.substring(indexOf + 1);
            if (!substring.contains("@")) {
                substring = str3.substring(indexOf + 1) + "@" + str3.substring(0, indexOf);
            }
            str3 = substring;
        }
        String lowerCase = str3.toLowerCase();
        logger.info("creds: {}", lowerCase);
        return !str3.contains("@") ? resolveDomainPart(str, password, lowerCase) : CompletableFuture.completedFuture(new Creds(lowerCase, password));
    }

    private CompletableFuture<Creds> resolveDomainPart(String str, String str2, String str3) {
        try {
            String host = new URI(str).getHost();
            logger.info("login {} does not contain domain part, trying to detect using host: {}", str3, host);
            return this.domainsApi.all().thenCompose(list -> {
                List list = (List) list.stream().map(itemValue -> {
                    return getDomainInfo(itemValue, this.domainsApi.getExternalUrl(itemValue.uid));
                }).collect(Collectors.toList());
                return CompletableFuture.allOf((CompletableFuture[]) Iterables.toArray(list, CompletableFuture.class)).thenApply(r10 -> {
                    Optional findAny = list.stream().map((v0) -> {
                        return v0.join();
                    }).filter(domainInfo -> {
                        return domainInfo.externalUrl.equals(host);
                    }).findAny();
                    if (findAny.isPresent()) {
                        return new Creds(str3 + "@" + ((DomainInfo) findAny.get()).defaultAlias, str2);
                    }
                    logger.warn("Missing domainpart in login '{}'", str3);
                    throw new NullPointerException("Missing domainpart in login " + str3);
                });
            });
        } catch (URISyntaxException e) {
            return CompletableFuture.failedFuture(e);
        }
    }

    private CompletableFuture<DomainInfo> getDomainInfo(ItemValue<Domain> itemValue, CompletableFuture<String> completableFuture) {
        return completableFuture.thenApply(str -> {
            return new DomainInfo(((Domain) itemValue.value).defaultAlias, str);
        });
    }

    public static void purgeSessions() {
        validated.invalidateAll();
    }

    public static List<String> purgeSession(String str) {
        List list = validated.asMap().entrySet().stream().filter(entry -> {
            return ((ValidatedAuth) entry.getValue()).sid.equalsIgnoreCase(str);
        }).toList();
        Stream map = list.stream().map(entry2 -> {
            return (String) entry2.getKey();
        });
        Cache<String, ValidatedAuth> cache = validated;
        cache.getClass();
        map.forEach((v1) -> {
            r1.invalidate(v1);
        });
        return list.stream().map(entry3 -> {
            return ((ValidatedAuth) entry3.getValue()).login;
        }).toList();
    }
}
