package org.janusgraph.graphdb.tinkerpop.gremlin.server.auth;

import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableMap;
import java.net.InetAddress;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import java.util.Date;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.lang3.StringUtils;
import org.apache.tinkerpop.gremlin.server.auth.AuthenticatedUser;
import org.apache.tinkerpop.gremlin.server.auth.AuthenticationException;
import org.apache.tinkerpop.gremlin.server.auth.Authenticator;
import org.apache.tinkerpop.gremlin.structure.Vertex;
import org.janusgraph.graphdb.tinkerpop.gremlin.server.handler.HttpHMACAuthenticationHandler;
import org.mindrot.jbcrypt.BCrypt;

/* loaded from: input_file:org/janusgraph/graphdb/tinkerpop/gremlin/server/auth/HMACAuthenticator.class */
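/**
 * Authenticator that accepts either a username/password pair or a time-limited HMAC token.
 *
 * <p>A token is {@code base64url(username ":" issuedAtMillis ":" base64url(mac))}, where
 * {@code mac} is computed with the configured algorithm over the username bytes followed by the
 * timestamp bytes. The MAC key is {@code secret ":" bcryptSalt}, the salt being taken from the
 * user's stored password hash, so the recomputed token no longer matches once that stored salt
 * changes.
 *
 * <p>The token value read from the credential map is expected in its decoded
 * {@code username:time:mac} form; {@link #validateToken(Map)} re-encodes it before comparing.
 *
 * <p>There is deliberately no fallback secret: {@link #setup(Map)} refuses a configuration that
 * does not supply {@value #CONFIG_HMAC_SECRET}.
 */
public class HMACAuthenticator extends JanusGraphAbstractAuthenticator {
    public static final String CONFIG_HMAC_ALGO = "hmacAlgo";
    public static final String CONFIG_TOKEN_TIMEOUT = "tokenTimeout";
    public static final String CONFIG_HMAC_SECRET = "hmacSecret";
    private static final String AUTH_ERROR = "Username and/or password are incorrect";
    private static final String DEFAULT_HMAC_ALGO = "HmacSHA256";
    /** Default token lifetime in milliseconds (one hour). */
    private static final Long DEFAULT_HMAC_TOKEN_TIMEOUT = 3600000L;
    /** Number of characters read after the third {@code $} of the stored hash as the salt. */
    private static final int BCRYPT_SALT_LENGTH = 22;
    private char[] secret;
    private String hmacAlgo;
    private Long timeout;

    /**
     * Reports that this authenticator always requires credentials.
     *
     * @return {@code true}
     */
    @Override
    public boolean requireAuthentication() {
        return true;
    }

    /**
     * Not supported: this authenticator does not take part in SASL negotiation.
     *
     * @throws RuntimeException always
     */
    @Override
    public Authenticator.SaslNegotiator newSaslNegotiator(InetAddress inetAddress) {
        throw new RuntimeException("HMACAuthenticator does not use SASL!");
    }

    /**
     * Not supported: this authenticator does not take part in SASL negotiation.
     *
     * @throws RuntimeException always
     */
    public Authenticator.SaslNegotiator newSaslNegotiator() {
        throw new RuntimeException("HMACAuthenticator does not use SASL!");
    }

    /**
     * Reads the HMAC settings from the credential configuration and delegates the rest to the
     * superclass.
     *
     * @param map configuration; must contain a non-null {@value #CONFIG_HMAC_SECRET} and may
     *     contain {@value #CONFIG_HMAC_ALGO} (default {@code HmacSHA256}) and
     *     {@value #CONFIG_TOKEN_TIMEOUT} in milliseconds (default one hour)
     * @throws IllegalArgumentException if {@code map} is null
     * @throws IllegalStateException if the secret key is missing or its value is null
     */
    @Override
    public void setup(Map<String, Object> map) {
        Preconditions.checkArgument(map != null, "Credential configuration cannot be null");
        Preconditions.checkState(map.containsKey(CONFIG_HMAC_SECRET), String.format("Credential configuration missing the %s key", CONFIG_HMAC_SECRET));
        // Fail with a configuration error instead of a NullPointerException further down.
        final Object configuredSecret = map.get(CONFIG_HMAC_SECRET);
        Preconditions.checkState(configuredSecret != null, String.format("Credential configuration has a null %s value", CONFIG_HMAC_SECRET));

        this.hmacAlgo = map.containsKey(CONFIG_HMAC_ALGO)
                ? map.get(CONFIG_HMAC_ALGO).toString()
                : DEFAULT_HMAC_ALGO;
        this.timeout = map.containsKey(CONFIG_TOKEN_TIMEOUT)
                ? Long.valueOf(((Number) map.get(CONFIG_TOKEN_TIMEOUT)).longValue())
                : DEFAULT_HMAC_TOKEN_TIMEOUT;
        super.setup(map);
        this.secret = configuredSecret.toString().toCharArray();
    }

    /**
     * Authenticates a request from its credential map.
     *
     * <p>Three cases are handled: a token is requested (password check, then the new token is
     * written back into {@code map}), no token is present (password check only), or a token is
     * present (token validation only).
     *
     * @param map credentials; mutated when a token is generated
     * @return the authenticated user
     * @throws AuthenticationException if the password check fails or the token is malformed,
     *     expired, for an unknown user, or does not match
     */
    public AuthenticatedUser authenticate(Map<String, String> map) throws AuthenticationException {
        if (map.get(HttpHMACAuthenticationHandler.PROPERTY_GENERATE_TOKEN) != null) {
            // authenticateUser never returns null; it throws on any failure.
            final AuthenticatedUser user = authenticateUser(map);
            map.put(HttpHMACAuthenticationHandler.PROPERTY_TOKEN, getToken(map));
            return user;
        }
        final String token = map.get(HttpHMACAuthenticationHandler.PROPERTY_TOKEN);
        if (token == null) {
            return authenticateUser(map);
        }
        if (validateToken(map)) {
            return new AuthenticatedUser(parseToken(token).get("username"));
        }
        throw new AuthenticationException("Invalid token");
    }

    /**
     * Checks the supplied password against the stored bcrypt hash.
     *
     * @throws AuthenticationException with the same generic message whether the credentials are
     *     missing, the user is unknown, or the password is wrong
     */
    private AuthenticatedUser authenticateUser(Map<String, String> map) throws AuthenticationException {
        final String username = map.get("username");
        final String password = map.get("password");
        // Missing fields are an authentication failure, not a server error.
        if (username == null || password == null) {
            throw new AuthenticationException(AUTH_ERROR);
        }
        final Vertex user = findUser(username);
        if (user == null || !BCrypt.checkpw(password, (String) user.value("password"))) {
            throw new AuthenticationException(AUTH_ERROR);
        }
        return new AuthenticatedUser(username);
    }

    /**
     * Recomputes the token for the claimed user and timestamp and compares it with the presented
     * one.
     *
     * <p>Every field of the token is attacker-controlled, so a malformed token, a non-numeric
     * timestamp, and an unknown user all yield {@code false} rather than an unchecked exception.
     * NOTE(review): an unknown user returns before any MAC is computed, so response time may
     * still distinguish existing from non-existing usernames.
     *
     * @return {@code true} only if the token is unexpired and matches the recomputed value
     */
    private boolean validateToken(Map<String, String> map) {
        final String presented = map.get(HttpHMACAuthenticationHandler.PROPERTY_TOKEN);
        if (presented == null) {
            return false;
        }
        final String username;
        final String issuedAtText;
        final long issuedAt;
        try {
            final Map<String, String> fields = parseToken(presented);
            username = fields.get("username");
            issuedAtText = fields.get("time");
            issuedAt = Long.parseLong(issuedAtText);
        } catch (IllegalArgumentException malformed) {
            // Covers both a token with too few fields and a NumberFormatException on the time.
            return false;
        }
        if (issuedAt + this.timeout.longValue() < System.currentTimeMillis()) {
            return false;
        }
        final Vertex user = findUser(username);
        if (user == null) {
            return false;
        }
        final String expected = generateToken(username, getBcryptSaltFromStoredPassword((String) user.value("password")), issuedAtText);
        final byte[] expectedBytes = expected.getBytes(StandardCharsets.UTF_8);
        final byte[] presentedBytes = Base64.getUrlEncoder().encode(presented.getBytes(StandardCharsets.UTF_8));
        // Compare without an early exit on the first differing byte.
        return MessageDigest.isEqual(expectedBytes, presentedBytes);
    }

    /**
     * Splits a decoded token on {@code :} into its username, time and hmac fields.
     *
     * <p>Fields beyond the third are ignored here; such a token cannot equal a recomputed one.
     *
     * @throws IllegalArgumentException if the token has fewer than three fields
     */
    private Map<String, String> parseToken(String str) {
        final String[] parts = str.split(":");
        if (parts.length < 3) {
            throw new IllegalArgumentException("Malformed token");
        }
        return ImmutableMap.of("username", parts[0], "time", parts[1], "hmac", parts[2]);
    }

    /**
     * Builds the encoded token for a user and timestamp.
     *
     * @param str username
     * @param str2 bcrypt salt of the user's stored password, appended to the secret as key material
     * @param str3 issue time in milliseconds, as text
     * @return {@code base64url(username ":" time ":" base64url(mac))}
     * @throws RuntimeException if the configured MAC algorithm is unavailable or rejects the key
     */
    private String generateToken(String str, String str2, String str3) {
        final CharBuffer keyMaterial = CharBuffer.allocate(this.secret.length + str2.length() + 1);
        keyMaterial.put(this.secret);
        keyMaterial.put(":");
        keyMaterial.put(str2);
        try {
            // toBytes zeroes the temporary char buffer; this.secret itself is left intact.
            final SecretKeySpec key = new SecretKeySpec(toBytes(keyMaterial.array()), this.hmacAlgo);
            final Mac mac = Mac.getInstance(this.hmacAlgo);
            mac.init(key);
            // NOTE(review): username and time are fed to the MAC with no separator between them.
            // The per-user salt in the key limits the ambiguity; changing the input would
            // invalidate outstanding tokens, so it is kept as is.
            mac.update(str.getBytes(StandardCharsets.UTF_8));
            mac.update(str3.getBytes(StandardCharsets.UTF_8));
            final Base64.Encoder encoder = Base64.getUrlEncoder();
            final byte[] encodedMac = encoder.encode(mac.doFinal());
            final byte[] prefix = (str + ":" + str3 + ":").getBytes(StandardCharsets.UTF_8);
            final byte[] token = new byte[prefix.length + encodedMac.length];
            System.arraycopy(prefix, 0, token, 0, prefix.length);
            System.arraycopy(encodedMac, 0, token, prefix.length, encodedMac.length);
            return new String(encoder.encode(token), StandardCharsets.UTF_8);
        } catch (GeneralSecurityException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Issues a fresh token for the username in {@code map}, stamped with the current time.
     *
     * <p>Called only after the password check has succeeded, so the user is expected to exist.
     */
    private String getToken(Map<String, String> map) {
        final String username = map.get("username");
        final String storedHash = (String) findUser(username).value("password");
        return generateToken(username, getBcryptSaltFromStoredPassword(storedHash), Long.toString(System.currentTimeMillis()));
    }

    /**
     * Extracts the 22 characters that follow the third {@code $} of a stored password hash.
     *
     * @throws IllegalStateException if the value has no third {@code $} or is too short; the
     *     stored value is not included in the message
     */
    private String getBcryptSaltFromStoredPassword(String str) {
        final int thirdDollar = StringUtils.ordinalIndexOf(str, "$", 3);
        final int start = thirdDollar + 1;
        final int end = start + BCRYPT_SALT_LENGTH;
        // Without this check a hash lacking the third '$' would silently yield its first 22 chars.
        if (thirdDollar < 0 || str.length() < end) {
            throw new IllegalStateException("Stored password is not in the expected bcrypt format");
        }
        return str.substring(start, end);
    }

    /**
     * Encodes the characters as UTF-8 and zeroes both the input array and the intermediate
     * encoding buffer.
     *
     * @param cArr characters to encode; overwritten with zeros on return
     * @return a fresh array holding the UTF-8 bytes
     */
    private byte[] toBytes(char[] cArr) {
        final CharBuffer chars = CharBuffer.wrap(cArr);
        final ByteBuffer encoded = StandardCharsets.UTF_8.encode(chars);
        final byte[] result = Arrays.copyOfRange(encoded.array(), encoded.position(), encoded.limit());
        Arrays.fill(chars.array(), (char) 0);
        Arrays.fill(encoded.array(), (byte) 0);
        return result;
    }
}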
