package org.restheart.security.authenticators;

import com.google.gson.JsonArray;
import com.google.gson.JsonElement;
import com.google.gson.JsonParseException;
import com.jayway.jsonpath.DocumentContext;
import com.jayway.jsonpath.JsonPath;
import com.jayway.jsonpath.PathNotFoundException;
import com.jayway.jsonpath.Predicate;
import com.mongodb.client.MongoClient;
import com.mongodb.client.model.Filters;
import io.undertow.security.idm.Account;
import io.undertow.security.idm.Credential;
import io.undertow.security.idm.DigestCredential;
import io.undertow.security.idm.PasswordCredential;
import io.undertow.util.HexConverter;
import io.undertow.util.HttpString;
import io.undertow.util.RedirectBuilder;
import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Optional;
import org.bson.BsonDocument;
import org.mindrot.jbcrypt.BCrypt;
import org.restheart.cache.Cache;
import org.restheart.cache.CacheFactory;
import org.restheart.cache.LoadingCache;
import org.restheart.configuration.ConfigurationException;
import org.restheart.mongodb.ConnectionChecker;
import org.restheart.plugins.Inject;
import org.restheart.plugins.OnInit;
import org.restheart.plugins.PluginRecord;
import org.restheart.plugins.PluginsRegistry;
import org.restheart.plugins.RegisterPlugin;
import org.restheart.plugins.security.Authenticator;
import org.restheart.plugins.security.TokenManager;
import org.restheart.security.MongoRealmAccount;
import org.restheart.security.PwdCredentialAccount;
import org.restheart.security.utils.MongoUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@RegisterPlugin(name = "mongoRealmAuthenticator", description = "authenticate requests against client credentials stored in mongodb")
/* loaded from: input_file:org/restheart/security/authenticators/MongoRealmAuthenticator.class */
public class MongoRealmAuthenticator implements Authenticator {
    public static final String X_FORWARDED_ACCOUNT_ID = "rhAuthenticator";
    public static final String X_FORWARDED_ROLE = "RESTHeart";
    String usersDb;
    String usersCollection;

    @Inject("registry")
    private PluginsRegistry registry;

    @Inject("config")
    Map<String, Object> config;

    @Inject("mclient")
    private MongoClient mclient;
    private static final Logger LOGGER = LoggerFactory.getLogger(MongoRealmAuthenticator.class);
    private static final transient Cache<String, String> USERS_PWDS_CACHE = CacheFactory.createLocalCache(1000, Cache.EXPIRE_POLICY.AFTER_READ, 1200000);
    private String propId = "_id";
    String propPassword = "password";
    private String jsonPathRoles = "$.roles";
    private Boolean bcryptHashedPassword = false;
    Integer bcryptComplexity = 12;
    private Boolean enforceMinimumPasswordStrenght = false;
    private Integer minimumPasswordStrength = 3;
    private Boolean createUser = false;
    private BsonDocument createUserDocument = null;
    private Boolean cacheEnabled = false;
    private Integer cacheSize = 1000;
    private Integer cacheTTL = 60000;
    private Cache.EXPIRE_POLICY cacheExpirePolicy = Cache.EXPIRE_POLICY.AFTER_WRITE;
    private LoadingCache<String, MongoRealmAccount> USERS_CACHE = null;

    @OnInit
    public void init() {
        setUsersDb((String) arg(this.config, "users-db"));
        this.usersCollection = (String) arg(this.config, "users-collection");
        this.cacheEnabled = (Boolean) arg(this.config, "cache-enabled");
        this.cacheSize = (Integer) arg(this.config, "cache-size");
        this.cacheTTL = (Integer) arg(this.config, "cache-ttl");
        String str = (String) arg(this.config, "cache-expire-policy");
        if (str != null) {
            try {
                this.cacheExpirePolicy = Cache.EXPIRE_POLICY.valueOf(str);
            } catch (IllegalArgumentException e) {
                throw new ConfigurationException("wrong configuration file format. cache-expire-policy valid values are ".concat(Arrays.toString(Cache.EXPIRE_POLICY.values())));
            }
        }
        this.enforceMinimumPasswordStrenght = (Boolean) argOrDefault(this.config, "enforce-minimum-password-strength", false);
        this.minimumPasswordStrength = (Integer) argOrDefault(this.config, "minimum-password-strength", 3);
        this.bcryptHashedPassword = (Boolean) arg(this.config, "bcrypt-hashed-password");
        this.bcryptComplexity = (Integer) arg(this.config, "bcrypt-complexity");
        this.createUser = (Boolean) arg(this.config, "create-user");
        try {
            this.createUserDocument = BsonDocument.parse((String) arg(this.config, "create-user-document"));
            this.propId = (String) arg(this.config, "prop-id");
            if (this.propId.startsWith("$")) {
                throw new ConfigurationException("prop-id must be a root property name not a json path expression. It can use the dot notation.");
            }
            this.propPassword = (String) arg(this.config, "prop-password");
            if (this.propPassword.contains(".")) {
                throw new ConfigurationException("prop-password must be a root level property and cannot contain the char '.'");
            }
            this.jsonPathRoles = (String) arg(this.config, "json-path-roles");
            if (this.cacheEnabled.booleanValue()) {
                this.USERS_CACHE = CacheFactory.createLocalLoadingCache(this.cacheSize.intValue(), this.cacheExpirePolicy, this.cacheTTL.intValue(), str2 -> {
                    return findAccount(accountIdTrasformer(str2));
                });
            }
            try {
                if (!checkUserCollection()) {
                    LOGGER.error("Users collection does not exist and could not be created");
                } else if (this.createUser.booleanValue()) {
                    LOGGER.trace("Create user option enabled");
                    if (countAccounts() < 1) {
                        createDefaultAccount();
                        LOGGER.info("No user found. Created default user with _id {}", this.createUserDocument.get(this.propId));
                    } else {
                        LOGGER.trace("Not creating default user since users exist");
                    }
                }
            } catch (IllegalStateException e2) {
                LOGGER.error(e2.getMessage());
            }
        } catch (JsonParseException e3) {
            throw new ConfigurationException("wrong configuration file format. create-user-document must be a json document", e3);
        }
    }

    public Account verify(Account account) {
        return account;
    }

    public Account verify(String str, Credential credential) {
        boolean z;
        if (credential == null) {
            LOGGER.debug("cannot verify null credential");
            return null;
        }
        MongoRealmAccount account = getAccount(str);
        if (credential instanceof PasswordCredential) {
            z = verifyPasswordCredential(account, (PasswordCredential) credential);
        } else if (credential instanceof DigestCredential) {
            z = verifyDigestCredential(account, (DigestCredential) credential);
        } else {
            LOGGER.warn("mongoRealmAuthenticator does not support credential of type {}", credential.getClass().getSimpleName());
            z = false;
        }
        if (!z) {
            return null;
        }
        updateAuthTokenCache(account);
        return account;
    }

    public Integer getBcryptComplexity() {
        return this.bcryptComplexity;
    }

    public boolean isBcryptHashedPassword() {
        return this.bcryptHashedPassword.booleanValue();
    }

    public Integer getMinimumPasswordStrength() {
        return this.minimumPasswordStrength;
    }

    public boolean isEnforceMinimumPasswordStrenght() {
        return this.enforceMinimumPasswordStrenght.booleanValue();
    }

    private boolean verifyPasswordCredential(PwdCredentialAccount pwdCredentialAccount, PasswordCredential passwordCredential) {
        if (pwdCredentialAccount == null || pwdCredentialAccount.getPrincipal() == null || pwdCredentialAccount.getPrincipal().getName() == null || pwdCredentialAccount.getCredentials() == null || pwdCredentialAccount.getCredentials().getPassword() == null || passwordCredential == null || passwordCredential.getPassword() == null) {
            return false;
        }
        return checkPassword(pwdCredentialAccount.getPrincipal().getName(), this.bcryptHashedPassword.booleanValue(), passwordCredential.getPassword(), pwdCredentialAccount.getCredentials().getPassword());
    }

    private boolean verifyDigestCredential(PwdCredentialAccount pwdCredentialAccount, DigestCredential digestCredential) {
        if (this.bcryptHashedPassword.booleanValue()) {
            LOGGER.error("Digest authentication cannot support bcryped stored password, consider using basic authetication over TLS");
            return false;
        }
        if (pwdCredentialAccount == null || pwdCredentialAccount.getCredentials() == null || pwdCredentialAccount.getCredentials().getPassword() == null || pwdCredentialAccount.getPrincipal() == null || pwdCredentialAccount.getPrincipal().getName() == null || digestCredential == null) {
            return false;
        }
        try {
            MessageDigest messageDigest = digestCredential.getAlgorithm().getMessageDigest();
            messageDigest.update(pwdCredentialAccount.getPrincipal().getName().getBytes(RedirectBuilder.UTF_8));
            messageDigest.update((byte) 58);
            messageDigest.update(digestCredential.getRealm().getBytes(RedirectBuilder.UTF_8));
            messageDigest.update((byte) 58);
            messageDigest.update(new String(pwdCredentialAccount.getCredentials().getPassword()).getBytes(RedirectBuilder.UTF_8));
            return digestCredential.verifyHA1(HexConverter.convertToHexBytes(messageDigest.digest()));
        } catch (UnsupportedEncodingException e) {
            LOGGER.error(e.getMessage(), e);
            return false;
        } catch (NoSuchAlgorithmException e2) {
            LOGGER.error(e2.getMessage(), e2);
            return false;
        }
    }

    public Account verify(Credential credential) {
        return null;
    }

    static boolean checkPassword(String str, boolean z, char[] cArr, char[] cArr2) {
        if (!z) {
            return Arrays.equals(cArr, cArr2);
        }
        if (str == null || cArr == null || cArr2 == null) {
            return false;
        }
        String str2 = new String(cArr);
        String str3 = new String(cArr2);
        Optional optional = USERS_PWDS_CACHE.get(str.concat(str3));
        if (optional != null && optional.isPresent() && ((String) optional.get()).equals(str2)) {
            return true;
        }
        try {
            if (!BCrypt.checkpw(str2, str3)) {
                return false;
            }
            USERS_PWDS_CACHE.put(str.concat(str3), str2);
            return true;
        } catch (Throwable th) {
            USERS_PWDS_CACHE.invalidate(str.concat(str3));
            LOGGER.warn("Error checking bcryped pwd hash", th);
            return false;
        }
    }

    private MongoRealmAccount getAccount(String str) {
        if (this.mclient == null) {
            LOGGER.error("Cannot find account: mongo service is not enabled.");
            return null;
        }
        if (this.USERS_CACHE == null) {
            return findAccount(accountIdTrasformer(str));
        }
        Optional loading = this.USERS_CACHE.getLoading(str);
        if (loading == null || !loading.isPresent()) {
            return null;
        }
        return (MongoRealmAccount) loading.get();
    }

    protected String accountIdTrasformer(String str) {
        return str;
    }

    private void updateAuthTokenCache(PwdCredentialAccount pwdCredentialAccount) {
        try {
            PluginRecord tokenManager = this.registry.getTokenManager();
            if (tokenManager != null) {
                TokenManager pluginRecord = tokenManager.getInstance();
                if (pluginRecord.get(pwdCredentialAccount) != null) {
                    pluginRecord.update(pwdCredentialAccount);
                }
            }
        } catch (ConfigurationException e) {
            LOGGER.warn("error getting the token manager", e);
        }
    }

    public String getPropPassword() {
        return this.propPassword;
    }

    public static HttpString getXForwardedHeaderName(String str) {
        return HttpString.tryFromString("X-Forwarded-".concat(str));
    }

    public static HttpString getXForwardedAccountIdHeaderName() {
        return getXForwardedHeaderName("Account-Id");
    }

    public static HttpString getXForwardedRolesHeaderName() {
        return getXForwardedHeaderName("Account-Roles");
    }

    public boolean checkUserCollection() throws IllegalStateException {
        if (this.mclient == null) {
            throw new IllegalStateException("Cannot check user collection: mongo service is not enabled.");
        }
        if (!ConnectionChecker.connected(this.mclient)) {
            throw new IllegalStateException("Cannot check user collection: MongoDB not connected.");
        }
        try {
            MongoUtils mongoUtils = new MongoUtils(this.mclient);
            if (!mongoUtils.doesDbExist(this.usersDb)) {
                mongoUtils.createDb(this.usersDb);
            }
            if (!mongoUtils.doesCollectionExist(this.usersDb, this.usersCollection)) {
                mongoUtils.createCollection(this.usersDb, this.usersCollection);
            }
            return true;
        } catch (Throwable th) {
            LOGGER.error("Error creating users collection", th);
            return false;
        }
    }

    public long countAccounts() {
        try {
            return this.mclient.getDatabase(getUsersDb()).getCollection(getUsersCollection()).estimatedDocumentCount();
        } catch (Throwable th) {
            LOGGER.error("Error counting accounts", th);
            return 1L;
        }
    }

    public void createDefaultAccount() {
        if (this.mclient == null) {
            LOGGER.error("Cannot find account: mongo service is not enabled.");
        } else if (this.createUserDocument != null) {
            try {
                this.mclient.getDatabase(getUsersDb()).getCollection(getUsersCollection()).withDocumentClass(BsonDocument.class).insertOne(this.createUserDocument);
            } catch (Throwable th) {
                LOGGER.error("Error creating default account", th);
            }
        }
    }

    public MongoRealmAccount findAccount(String str) {
        JsonElement jsonArray;
        try {
            BsonDocument bsonDocument = (BsonDocument) this.mclient.getDatabase(getUsersDb()).getCollection(getUsersCollection()).withDocumentClass(BsonDocument.class).find(Filters.eq(this.propId, str)).first();
            if (bsonDocument == null) {
                return null;
            }
            try {
                JsonElement jsonElement = (JsonElement) JsonPath.read(bsonDocument.toJson(), "$", new Predicate[0]);
                if (!jsonElement.isJsonObject()) {
                    LOGGER.warn("Retrived document for account {} is not an object", str);
                    return null;
                }
                try {
                    DocumentContext parse = JsonPath.parse(jsonElement);
                    JsonElement jsonElement2 = (JsonElement) parse.read("$.".concat(this.propPassword), new Predicate[0]);
                    JsonElement jsonElement3 = (JsonElement) parse.delete("$.".concat(this.propPassword), new Predicate[0]).json();
                    if (!jsonElement2.isJsonPrimitive() || !jsonElement2.getAsJsonPrimitive().isString()) {
                        LOGGER.warn("Pwd property of account {} is not a string", str);
                        return null;
                    }
                    try {
                        jsonArray = (JsonElement) JsonPath.read(jsonElement3, this.jsonPathRoles, new Predicate[0]);
                    } catch (PathNotFoundException e) {
                        LOGGER.warn("Account with id: {} does not have roles");
                        jsonArray = new JsonArray();
                    }
                    if (!jsonArray.isJsonArray()) {
                        LOGGER.warn("Roles property of account {} is not an array", str);
                        return null;
                    }
                    LinkedHashSet linkedHashSet = new LinkedHashSet();
                    jsonArray.getAsJsonArray().forEach(jsonElement4 -> {
                        if (jsonElement4 != null && jsonElement4.isJsonPrimitive() && jsonElement4.getAsJsonPrimitive().isString()) {
                            linkedHashSet.add(jsonElement4.getAsJsonPrimitive().getAsString());
                        } else {
                            LOGGER.warn("A role of account {} is not a string", str);
                        }
                    });
                    return new MongoRealmAccount(str, jsonElement2.getAsJsonPrimitive().getAsString().toCharArray(), linkedHashSet, BsonDocument.parse(jsonElement3.toString()));
                } catch (PathNotFoundException e2) {
                    LOGGER.warn("Cannot find pwd property '{}' for account {}", this.propPassword, str);
                    return null;
                }
            } catch (IllegalArgumentException | PathNotFoundException e3) {
                LOGGER.warn("Cannot find account {}", str);
                return null;
            }
        } catch (Throwable th) {
            LOGGER.error("Error finding account {}", this.propId, th);
            return null;
        }
    }

    public String getUsersDb() {
        return this.usersDb;
    }

    public void setUsersDb(String str) {
        this.usersDb = str;
    }

    public String getUsersCollection() {
        return this.usersCollection;
    }
}
