package org.restheart.security.plugins.tokens;

import com.google.common.collect.Sets;
import io.undertow.security.idm.Account;
import io.undertow.security.idm.Credential;
import io.undertow.security.idm.PasswordCredential;
import io.undertow.server.HttpServerExchange;
import java.math.BigInteger;
import java.security.SecureRandom;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Arrays;
import java.util.Map;
import java.util.Optional;
import org.restheart.ConfigurationException;
import org.restheart.cache.Cache;
import org.restheart.cache.CacheFactory;
import org.restheart.exchange.JsonProxyRequest;
import org.restheart.idm.PwdCredentialAccount;
import org.restheart.plugins.ConfigurablePlugin;
import org.restheart.plugins.InjectConfiguration;
import org.restheart.plugins.InjectPluginsRegistry;
import org.restheart.plugins.PluginRecord;
import org.restheart.plugins.PluginsRegistry;
import org.restheart.plugins.RegisterPlugin;
import org.restheart.plugins.security.TokenManager;
import org.restheart.utils.URLUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

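@RegisterPlugin(name = "rndTokenManager", description = "generates random auth tokens", enabledByDefault = false)
/* loaded from: input_file:org/restheart/security/plugins/tokens/RndTokenManager.class */
/**
 * Token manager that issues one random bearer token per principal and keeps it in a local cache.
 *
 * <p>The token is stored as the password of a cached {@link PwdCredentialAccount} keyed by the
 * principal name. A request authenticates when the presented {@link PasswordCredential} matches
 * the cached token for that name.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The cache is a {@code static} field that is (re)assigned by {@link #init}, so every
 *       instance of this class shares the same token store.</li>
 *   <li>Tokens are bearer secrets. They are written to a response header by
 *       {@link #injectTokenHeaders}; anything that records response headers (access logs,
 *       proxies, debug traces) will therefore record valid credentials.</li>
 *   <li>{@link #getCACHE()} hands out the live cache, so callers can read and replace tokens.</li>
 * </ul>
 */
public class RndTokenManager implements TokenManager {
    private static final Logger LOGGER = LoggerFactory.getLogger(RndTokenManager.class);
    // CSPRNG: tokens are credentials, so a non-cryptographic generator must never be used here.
    private static final SecureRandom RND_GENERATOR = new SecureRandom();
    // Shared by all instances; null until init() has run.
    private static Cache<String, PwdCredentialAccount> CACHE = null;
    // Token lifetime in minutes (multiplied into milliseconds in init()).
    private int ttl = -1;
    private String srvURI = null;

    /**
     * Reads the {@code ttl} and {@code srv-uri} arguments, creates the token cache and registers
     * the auth-token header names with the {@code tokenCORSResponseInterceptor} plugin when it is
     * present.
     *
     * @param map plugin configuration arguments
     * @param pluginsRegistry registry used to look up the CORS interceptor
     * @throws ConfigurationException declared for the configuration lookups
     */
    @InjectConfiguration
    @InjectPluginsRegistry
    public void init(Map<String, Object> map, PluginsRegistry pluginsRegistry) throws ConfigurationException {
        this.ttl = ((Integer) ConfigurablePlugin.argValue(map, "ttl")).intValue();
        this.srvURI = (String) ConfigurablePlugin.argValue(map, "srv-uri");
        // Widen to long before multiplying: in int arithmetic ttl * 60 * 1000 wraps around for
        // ttl > 35791 minutes (about 24.8 days) and would hand the cache a bogus lifetime.
        // NOTE(review): ttl is not range-checked here; a zero or negative value reaches the cache
        // unchanged - confirm how the cache treats it.
        long ttlMillis = this.ttl * 60L * 1000L;
        CACHE = CacheFactory.createLocalCache(Long.MAX_VALUE, Cache.EXPIRE_POLICY.AFTER_READ, ttlMillis);
        String[] strArr = {AUTH_TOKEN_HEADER.toString(), AUTH_TOKEN_VALID_HEADER.toString(), AUTH_TOKEN_LOCATION_HEADER.toString()};
        Optional findFirst = pluginsRegistry.getInterceptors().stream().filter(pluginRecord -> {
            return "tokenCORSResponseInterceptor".equals(pluginRecord.getName());
        }).findFirst();
        if (findFirst.isPresent()) {
            ((PluginRecord) findFirst.get()).getInstance().setHeaders(strArr);
        } else {
            LOGGER.warn("Cound not find tokenCORSResponseInterceptor. Auth token headers are not added to CORS");
        }
    }

    /**
     * Returns the given account unchanged; no re-verification is performed.
     *
     * @param account the account to verify
     * @return the same {@code account}
     */
    public Account verify(Account account) {
        return account;
    }

    /**
     * Authenticates a principal by comparing the presented credential with its cached token.
     *
     * @param str principal name used as the cache key
     * @param credential presented credential; only {@link PasswordCredential} can match
     * @return the cached account when the token matches, otherwise {@code null}
     */
    public Account verify(String str, Credential credential) {
        Optional<PwdCredentialAccount> cached = CACHE.get(str);
        if (cached == null || !cached.isPresent()) {
            return null;
        }
        PwdCredentialAccount stored = cached.get();
        return verifyToken(stored, credential) ? stored : null;
    }

    /**
     * Credential-only verification is not supported by this manager.
     *
     * @param credential ignored
     * @return always {@code null}
     */
    public Account verify(Credential credential) {
        return null;
    }

    /**
     * Checks the presented credential against the token held by the cached account.
     *
     * @param pwdCredentialAccount cached account holding the expected token
     * @param credential presented credential
     * @return {@code true} only for a {@link PasswordCredential} whose password equals the token
     */
    private boolean verifyToken(PwdCredentialAccount pwdCredentialAccount, Credential credential) {
        if (!(credential instanceof PasswordCredential)) {
            return false;
        }
        char[] presented = ((PasswordCredential) credential).getPassword();
        char[] expected = pwdCredentialAccount.getCredentials().getPassword();
        return constantTimeEquals(presented, expected);
    }

    /**
     * Compares two secrets without stopping at the first differing character, so the time taken
     * does not reveal how long a matching prefix the caller supplied. Only the length is allowed
     * to influence timing.
     *
     * <p>Fails closed: a {@code null} on either side never matches, including two {@code null}s.
     *
     * @param presented value supplied by the client
     * @param expected value stored in the cache
     * @return {@code true} when both arrays are non-null and have identical content
     */
    private static boolean constantTimeEquals(char[] presented, char[] expected) {
        if (presented == null || expected == null) {
            return false;
        }
        int diff = presented.length ^ expected.length;
        int common = Math.min(presented.length, expected.length);
        for (int i = 0; i < common; i++) {
            diff |= presented[i] ^ expected[i];
        }
        return diff == 0;
    }

    /**
     * Exposes the shared token cache.
     *
     * @return the live cache instance, or {@code null} before {@link #init} has run
     */
    public Cache<String, PwdCredentialAccount> getCACHE() {
        return CACHE;
    }

    /**
     * Returns the token for the account's principal, issuing and caching a new one when none is
     * cached.
     *
     * @param account authenticated account
     * @return the credential holding the principal's token
     */
    public PasswordCredential get(Account account) {
        String principalName = account.getPrincipal().getName();
        Optional<PwdCredentialAccount> cached = CACHE.get(principalName);
        if (cached != null && cached.isPresent()) {
            return cached.get().getCredentials();
        }
        // NOTE(review): lookup and put are two separate steps; concurrent first requests for the
        // same principal can each mint a token, and the last put wins.
        PwdCredentialAccount issued = new PwdCredentialAccount(principalName, nextToken(), Sets.newTreeSet(account.getRoles()));
        CACHE.put(principalName, issued);
        return issued.getCredentials();
    }

    /**
     * Removes the cached token of the account's principal.
     *
     * @param account account whose token is dropped
     */
    public void invalidate(Account account) {
        CACHE.invalidate(account.getPrincipal().getName());
    }

    /**
     * Replaces the cached entry of the account's principal with one carrying the account's
     * current roles and the existing token. Does nothing when no token is cached.
     *
     * @param account account carrying the roles to store
     */
    public void update(Account account) {
        String name = account.getPrincipal().getName();
        Optional<PwdCredentialAccount> cached = CACHE.get(name);
        if (cached == null || !cached.isPresent()) {
            return;
        }
        char[] currentToken = cached.get().getCredentials().getPassword();
        CACHE.put(name, new PwdCredentialAccount(name, currentToken, account.getRoles()));
    }

    /**
     * Adds the auth-token response headers: the token, its computed validity instant and, when
     * the exchange carries an authenticated principal name, the token location under
     * {@code srv-uri}.
     *
     * @param httpServerExchange exchange whose response headers are extended
     * @param passwordCredential credential holding the token to send
     */
    public void injectTokenHeaders(HttpServerExchange httpServerExchange, PasswordCredential passwordCredential) {
        // The token leaves the process here in clear text; keep it out of header logging.
        httpServerExchange.getResponseHeaders().add(AUTH_TOKEN_HEADER, new String(passwordCredential.getPassword()));
        // Reported as now + ttl minutes at the time this response is built.
        httpServerExchange.getResponseHeaders().add(AUTH_TOKEN_VALID_HEADER, Instant.now().plus(this.ttl, (TemporalUnit) ChronoUnit.MINUTES).toString());
        JsonProxyRequest of = JsonProxyRequest.of(httpServerExchange);
        if (of.getAuthenticatedAccount() == null || of.getAuthenticatedAccount().getPrincipal() == null || of.getAuthenticatedAccount().getPrincipal().getName() == null) {
            return;
        }
        httpServerExchange.getResponseHeaders().add(AUTH_TOKEN_LOCATION_HEADER, URLUtils.removeTrailingSlashes(this.srvURI).concat("/").concat(of.getAuthenticatedAccount().getPrincipal().getName()));
    }

    /**
     * Generates a new token from 256 random bits drawn from the {@link SecureRandom} instance,
     * rendered in base 36.
     *
     * @return the token characters; the length varies because leading zero digits are not printed
     */
    private static char[] nextToken() {
        return new BigInteger(256, RND_GENERATOR).toString(36).toCharArray();
    }
}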
