package org.restheart.security.handlers;

import com.codahale.metrics.Counter;
import com.codahale.metrics.Histogram;
import com.codahale.metrics.MetricRegistry;
import com.codahale.metrics.SharedMetricRegistries;
import com.codahale.metrics.Slf4jReporter;
import com.codahale.metrics.SlidingTimeWindowArrayReservoir;
import io.undertow.attribute.ExchangeAttributes;
import io.undertow.security.api.SecurityContext;
import io.undertow.server.HttpServerExchange;
import io.undertow.util.HeaderValues;
import io.undertow.util.HttpString;
import java.io.IOException;
import java.util.concurrent.TimeUnit;
import org.restheart.exchange.Request;
import org.restheart.exchange.Response;
import org.restheart.handlers.CORSHandler;
import org.restheart.handlers.PipelinedHandler;
import org.restheart.metrics.Metrics;
import org.restheart.plugins.security.Authenticator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xnio.channels.StreamSourceChannel;

/* loaded from: input_file:org/restheart/security/handlers/AuthenticationCallHandler.class */
public class AuthenticationCallHandler extends PipelinedHandler {
    private static final Logger LOGGER = LoggerFactory.getLogger(AuthenticationCallHandler.class);
    private static final MetricRegistry AUTH_METRIC_REGISTRY = SharedMetricRegistries.getOrCreate("AUTH");
    private static final String BLOCK_AUTH_ERR_MSG = "Request authentication was blocked";
    private static final String FAILED_AUTH_METRIC_PREFIX = "failed-auth-";
    private static final HttpString TRANSFER_ENCODING;

    public AuthenticationCallHandler(PipelinedHandler pipelinedHandler) {
        super(pipelinedHandler);
    }

    public void handleRequest(HttpServerExchange httpServerExchange) throws Exception {
        SecurityContext securityContext = httpServerExchange.getSecurityContext();
        if (Request.of(httpServerExchange).isBlockForTooManyRequests()) {
            LOGGER.warn(BLOCK_AUTH_ERR_MSG, ExchangeAttributes.remoteIp().readAttribute(httpServerExchange));
            CORSHandler.injectAccessControlAllowHeaders(httpServerExchange);
            httpServerExchange.setStatusCode(429);
            fastEndExchange(httpServerExchange);
            return;
        }
        if (securityContext.authenticate() && (!securityContext.isAuthenticationRequired() || securityContext.isAuthenticated())) {
            if (httpServerExchange.isComplete()) {
                return;
            }
            next(httpServerExchange);
        } else {
            CORSHandler.injectAccessControlAllowHeaders(httpServerExchange);
            updateFailedAuthMetrics(httpServerExchange);
            Response.of(httpServerExchange).setStatusCode(401);
            fastEndExchange(httpServerExchange);
        }
    }

    private void fastEndExchange(HttpServerExchange httpServerExchange) throws IOException {
        StreamSourceChannel requestChannel = httpServerExchange.getRequestChannel();
        HeaderValues headerValues = httpServerExchange.getRequestHeaders().get(TRANSFER_ENCODING);
        if ((headerValues == null || !headerValues.getFirst().startsWith("chunked")) && requestChannel != null) {
            try {
                requestChannel.shutdownReads();
            } catch (IOException e) {
                LOGGER.debug("ingoring error shutting down reads", e);
            }
        }
        httpServerExchange.endExchange();
    }

    private void updateFailedAuthMetrics(HttpServerExchange httpServerExchange) {
        _update(AUTH_METRIC_REGISTRY.histogram(Metrics.failedAuthHistogramName(httpServerExchange), () -> {
            return new Histogram(new SlidingTimeWindowArrayReservoir(10L, TimeUnit.SECONDS));
        }));
        tryPruneMetrics();
    }

    private void _update(Histogram histogram) {
        histogram.update(histogram.getSnapshot().getMax() + 1);
    }

    private void tryPruneMetrics() {
        Counter counter = AUTH_METRIC_REGISTRY.counter(MetricRegistry.name(Authenticator.class, new String[]{"_total"}));
        counter.inc();
        if (counter.getCount() % 100 == 0) {
            counter.dec(counter.getCount());
            LOGGER.trace("Pruning auth metrics");
            AUTH_METRIC_REGISTRY.removeMatching((str, metric) -> {
                return str.startsWith(MetricRegistry.name(Authenticator.class, new String[]{FAILED_AUTH_METRIC_PREFIX}));
            });
        }
    }

    static {
        if (LOGGER.isTraceEnabled()) {
            Slf4jReporter.forRegistry(AUTH_METRIC_REGISTRY).outputTo(LOGGER).filter((str, metric) -> {
                return str.startsWith(MetricRegistry.name(Authenticator.class, new String[]{FAILED_AUTH_METRIC_PREFIX})) && (metric instanceof Histogram) && ((Histogram) metric).getSnapshot().getMax() > 0;
            }).withLoggingLevel(Slf4jReporter.LoggingLevel.TRACE).build().start(5L, TimeUnit.SECONDS);
        }
        TRANSFER_ENCODING = HttpString.tryFromString("Transfer-Encoding");
    }
}
