package org.restheart.security.interceptors;

import com.codahale.metrics.Histogram;
import com.codahale.metrics.MetricRegistry;
import com.codahale.metrics.SharedMetricRegistries;
import com.codahale.metrics.SlidingTimeWindowArrayReservoir;
import io.undertow.attribute.ExchangeAttributes;
import io.undertow.server.HttpServerExchange;
import io.undertow.util.HttpString;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import org.restheart.ConfigurationException;
import org.restheart.exchange.ServiceRequest;
import org.restheart.exchange.ServiceResponse;
import org.restheart.plugins.InjectConfiguration;
import org.restheart.plugins.InterceptPoint;
import org.restheart.plugins.RegisterPlugin;
import org.restheart.plugins.WildcardInterceptor;
import org.restheart.utils.LogUtils;
import org.restheart.utils.MetricsUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@RegisterPlugin(name = "bruteForceAttackGuard", description = "defends from brute force attacks by returning 429 Too Many Requests when failed auth attempts in last 10 seconds from same ip are more than 50%", interceptPoint = InterceptPoint.REQUEST_BEFORE_AUTH, enabledByDefault = false)
/* loaded from: input_file:org/restheart/security/interceptors/BruteForceAttackGuard.class */
public class BruteForceAttackGuard implements WildcardInterceptor {
    private static final Logger LOGGER = LoggerFactory.getLogger(BruteForceAttackGuard.class);
    private static final MetricRegistry AUTH_METRIC_REGISTRY = SharedMetricRegistries.getOrCreate("AUTH");
    private static int xForwardedForValueFromLast = 0;
    private int maxFailedAttempts = 5;

    @InjectConfiguration
    public void config(Map<String, Object> map) {
        try {
            if (((Boolean) arg(map, "trust-x-forwarded-for")).booleanValue()) {
                xForwardedForValueFromLast = ((Integer) arg(map, "x-forwarded-for-value-from-last")).intValue();
                if (xForwardedForValueFromLast < 0) {
                    LOGGER.warn("x-forwarded-for-value-from-last is negative, set to 0");
                    xForwardedForValueFromLast = 0;
                }
                LOGGER.info("Failed auth requests will be counted on X-Forwarded-For header, tracking the {}th value from the last", Integer.valueOf(xForwardedForValueFromLast));
                MetricsUtils.collectFailedAuthBy(MetricsUtils.FAILED_AUTH_KEY.X_FORWARDED_FOR);
                MetricsUtils.xffValueRIndex(xForwardedForValueFromLast);
            } else {
                LOGGER.info("Failed auth requests will be counted on remote ip");
                MetricsUtils.collectFailedAuthBy(MetricsUtils.FAILED_AUTH_KEY.REMOTE_IP);
            }
        } catch (ConfigurationException e) {
            LOGGER.info("Failed auth requests will be counted on remote ip");
            MetricsUtils.collectFailedAuthBy(MetricsUtils.FAILED_AUTH_KEY.REMOTE_IP);
        }
        try {
            this.maxFailedAttempts = ((Integer) arg(map, "max-failed-attempts")).intValue();
        } catch (ConfigurationException e2) {
            this.maxFailedAttempts = 5;
        }
        LOGGER.info("Requests will be blocked when got more than {} failed attempts in last 10 seconds", Integer.valueOf(this.maxFailedAttempts));
    }

    public void handle(ServiceRequest<?> serviceRequest, ServiceResponse<?> serviceResponse) throws Exception {
        long max = authHisto(serviceRequest).getSnapshot().getMax();
        if (max > this.maxFailedAttempts) {
            logWarning(serviceRequest.getExchange(), max);
            serviceRequest.blockForTooManyRequests();
        }
    }

    public boolean resolve(ServiceRequest<?> serviceRequest, ServiceResponse<?> serviceResponse) {
        return !serviceRequest.isOptions();
    }

    private void logWarning(HttpServerExchange httpServerExchange, double d) {
        String readAttribute = ExchangeAttributes.requestHeader(HttpString.tryFromString("X-Forwarded-For")).readAttribute(httpServerExchange);
        LogUtils.boxedWarn(LOGGER, new String[]{"A brute force attack might be in progress...", "", "Got too many of failed auth attempts in last 10 seconds from:", "", "remote ip: " + ExchangeAttributes.remoteIp().readAttribute(httpServerExchange), "X-Forwarded-For header: " + readAttribute, "X-Forwarded-For tracked value: " + MetricsUtils.xffValue(readAttribute, xForwardedForValueFromLast), "", "transport protocol: " + ExchangeAttributes.transportProtocol().readAttribute(httpServerExchange), "request method: " + ExchangeAttributes.requestMethod().readAttribute(httpServerExchange), "request url: " + ExchangeAttributes.requestURL().readAttribute(httpServerExchange)});
    }

    private Histogram authHisto(ServiceRequest<?> serviceRequest) {
        return AUTH_METRIC_REGISTRY.histogram(MetricsUtils.failedAuthHistogramName(serviceRequest.getExchange()), () -> {
            return new Histogram(new SlidingTimeWindowArrayReservoir(10L, TimeUnit.SECONDS));
        });
    }
}
