package org.restheart.security.plugins.authenticators;

import org.bson.BsonDocument;
import org.bson.BsonValue;
import org.restheart.ConfigurationException;
import org.restheart.exchange.MongoRequest;
import org.restheart.exchange.MongoResponse;
import org.restheart.plugins.InjectPluginsRegistry;
import org.restheart.plugins.InterceptPoint;
import org.restheart.plugins.MongoInterceptor;
import org.restheart.plugins.PluginRecord;
import org.restheart.plugins.PluginsRegistry;
import org.restheart.plugins.RegisterPlugin;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

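/**
 * Interceptor that answers 403 to GET requests on the users collection of
 * {@code mongoRealmAuthenticator} when the request filter names the password property.
 *
 * <p>The users database, users collection and password property name are read from the
 * authenticator in {@link #init(PluginsRegistry)}. The interceptor stays disabled unless
 * all three are available.
 *
 * <p>NOTE(review): the plugin is registered at {@code InterceptPoint.RESPONSE}. Confirm that
 * {@code setInError} discards any content already produced for the request; if it does not,
 * the check should run before the query is executed.
 */
@RegisterPlugin(name = "denyFilterOnUserPwd", description = "forbids request with filter on the password property", interceptPoint = InterceptPoint.RESPONSE, requiresContent = true)
/* loaded from: input_file:org/restheart/security/plugins/authenticators/DenyFilterOnUserPwd.class */
public class DenyFilterOnUserPwd implements MongoInterceptor {
    static final Logger LOGGER = LoggerFactory.getLogger(DenyFilterOnUserPwd.class);
    private boolean enabled = false;
    private String usersDb;
    private String usersCollection;
    private String propNamePassword;

    /**
     * Reads the users database, users collection and password property name from
     * {@code mongoRealmAuthenticator} and enables the interceptor when all three are set.
     *
     * @param pluginsRegistry registry used to look up the authenticator
     */
    @InjectPluginsRegistry
    public void init(PluginsRegistry pluginsRegistry) {
        // Stay disabled on every path except the fully configured one at the end.
        this.enabled = false;
        try {
            PluginRecord authenticator = pluginsRegistry.getAuthenticator("mongoRealmAuthenticator");
            if (authenticator == null || !authenticator.isEnabled()) {
                return;
            }
            // Check the type explicitly instead of relying on an unchecked assignment.
            Object instance = authenticator.getInstance();
            if (!(instance instanceof MongoRealmAuthenticator)) {
                LOGGER.error("mongoRealmAuthenticator is not a MongoRealmAuthenticator instance! Requests with filters on the password property are not blocked!");
                return;
            }
            MongoRealmAuthenticator realm = (MongoRealmAuthenticator) instance;
            this.usersDb = realm.getUsersDb();
            this.usersCollection = realm.getUsersCollection();
            this.propNamePassword = realm.getPropPassword();
            if (this.usersDb != null && this.usersCollection != null && this.propNamePassword != null) {
                this.enabled = true;
            } else {
                // A disabled interceptor means the protection is off, so say so loudly.
                LOGGER.error("Wrong configuration of mongoRealmAuthenticator! Requests with filters on the password property are not blocked!");
            }
        } catch (ConfigurationException e) {
            // Previously swallowed silently; keep the best-effort behaviour but leave a trace.
            LOGGER.debug("mongoRealmAuthenticator could not be resolved, denyFilterOnUserPwd stays disabled", e);
        }
    }

    /**
     * Decides whether this interceptor handles the request.
     *
     * @return {@code true} for a GET on the configured users collection whose filter names
     *         the password property; database and collection names are compared ignoring case
     */
    public boolean resolve(MongoRequest mongoRequest, MongoResponse mongoResponse) {
        return this.enabled && mongoRequest.isGet() && this.usersDb.equalsIgnoreCase(mongoRequest.getDBName()) && this.usersCollection.equalsIgnoreCase(mongoRequest.getCollectionName()) && hasFilterOnPassword(mongoRequest.getFiltersDocument());
    }

    /**
     * Marks the response as a 403 error.
     */
    public void handle(MongoRequest mongoRequest, MongoResponse mongoResponse) throws Exception {
        mongoResponse.setInError(403, "Using filters on the password property is forbidden");
    }

    /**
     * Tells whether the filter document uses the password property as a key at any depth.
     *
     * <p>Nested documents and arrays are both traversed, so sub-filters that sit inside an
     * array-valued operator are checked as well as those in nested documents.
     *
     * <p>Only property names are inspected, and the match is exact. NOTE(review): operators
     * that name a field inside a string value are not detected here; consider rejecting such
     * operators on the users collection separately.
     *
     * @param bsonDocument the filter document, may be {@code null}
     * @return {@code true} when the password property appears as a key
     */
    private boolean hasFilterOnPassword(BsonDocument bsonDocument) {
        if (bsonDocument == null || bsonDocument.isEmpty()) {
            return false;
        }
        if (bsonDocument.containsKey(this.propNamePassword)) {
            return true;
        }
        return bsonDocument.values().stream().anyMatch(this::namesPassword);
    }

    /**
     * Recursive step of {@link #hasFilterOnPassword(BsonDocument)} for a single value:
     * descends into documents and into every element of arrays; other values never match.
     */
    private boolean namesPassword(BsonValue value) {
        if (value == null) {
            return false;
        }
        if (value.isDocument()) {
            return hasFilterOnPassword(value.asDocument());
        }
        if (value.isArray()) {
            return value.asArray().stream().anyMatch(this::namesPassword);
        }
        return false;
    }
}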
