package org.yamcs.security;

import io.netty.buffer.Unpooled;
import io.netty.channel.ChannelFuture;
import io.netty.channel.ChannelFutureListener;
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.codec.http.DefaultFullHttpResponse;
import io.netty.handler.codec.http.HttpHeaderNames;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.handler.codec.http.HttpVersion;
import io.netty.util.CharsetUtil;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.Callable;
import java.util.concurrent.CancellationException;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.Future;
import java.util.concurrent.FutureTask;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.yamcs.ConfigurationException;
import org.yamcs.YConfiguration;
import org.yamcs.api.MediaType;
import org.yamcs.protobuf.Web;
import org.yamcs.security.Privilege;
import org.yamcs.web.BadRequestException;
import org.yamcs.web.rest.RestRequest;

/* loaded from: input_file:org/yamcs/security/BasicAuthModule.class */
public class BasicAuthModule implements AuthModule {
    private static final Logger log = LoggerFactory.getLogger(BasicAuthModule.class);
    private final Realm realm;
    private String realmName;
    static final int PRIV_CACHE_TIME = 30000;
    private final ConcurrentHashMap<AuthenticationToken, Future<User>> cache = new ConcurrentHashMap<>();

    public BasicAuthModule(Map<String, Object> map) {
        this.realm = loadRealm(YConfiguration.getString(map, "realm"));
    }

    private Realm loadRealm(String str) throws ConfigurationException {
        try {
            Realm realm = (Realm) Realm.class.getClassLoader().loadClass(str).newInstance();
            this.realmName = realm.getClass().getSimpleName();
            return realm;
        } catch (Exception e) {
            throw new ConfigurationException("Unable to load the realm class: " + str, e);
        }
    }

    @Override // org.yamcs.security.AuthModule
    public String[] getRoles(AuthenticationToken authenticationToken) {
        User user = getUser(authenticationToken);
        if (user == null) {
            return null;
        }
        return user.getRoles();
    }

    @Override // org.yamcs.security.AuthModule
    public CompletableFuture<AuthenticationToken> authenticateHttp(ChannelHandlerContext channelHandlerContext, HttpRequest httpRequest) {
        if (!httpRequest.headers().contains(HttpHeaderNames.AUTHORIZATION)) {
            sendUnauthorized(channelHandlerContext, httpRequest, "No " + HttpHeaderNames.AUTHORIZATION + " header present");
            return completedExceptionally(new AuthenticationPendingException());
        }
        String str = httpRequest.headers().get(HttpHeaderNames.AUTHORIZATION);
        if (!str.startsWith("Basic ")) {
            return completedExceptionally(new BadRequestException("Unsupported Authorization header '" + str + "'"));
        }
        try {
            String[] split = new String(Base64.getDecoder().decode(str.substring(6))).split(":", 2);
            if (split.length < 2) {
                return completedExceptionally(new BadRequestException("Malformed username/password (Not separated by colon?)"));
            }
            AuthenticationToken usernamePasswordToken = new UsernamePasswordToken(split[0], split[1]);
            if (this.realm.authenticates(usernamePasswordToken)) {
                return CompletableFuture.completedFuture(usernamePasswordToken);
            }
            sendUnauthorized(channelHandlerContext, httpRequest, "the realm could not authenticate the provided token");
            return completedExceptionally(new AuthenticationPendingException());
        } catch (IllegalArgumentException e) {
            return completedExceptionally(new BadRequestException("Could not decode Base64-encoded credentials"));
        }
    }

    private static CompletableFuture<AuthenticationToken> completedExceptionally(Exception exc) {
        CompletableFuture<AuthenticationToken> completableFuture = new CompletableFuture<>();
        completableFuture.completeExceptionally(exc);
        return completableFuture;
    }

    @Override // org.yamcs.security.AuthModule
    public User getUser(final AuthenticationToken authenticationToken) {
        User user;
        while (authenticationToken != null) {
            Future<User> future = this.cache.get(authenticationToken);
            if (future == null) {
                FutureTask futureTask = new FutureTask(new Callable<User>() { // from class: org.yamcs.security.BasicAuthModule.1
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.util.concurrent.Callable
                    public User call() {
                        try {
                            if (BasicAuthModule.this.realm.supports(authenticationToken)) {
                                return BasicAuthModule.this.realm.loadUser(authenticationToken);
                            }
                            BasicAuthModule.log.error("Realm {} does not support authentication token of type {}", BasicAuthModule.this.realmName, authenticationToken.getClass());
                            return null;
                        } catch (Exception e) {
                            BasicAuthModule.log.error("Unable to load user from realm {}", BasicAuthModule.this.realmName, e);
                            return new User(authenticationToken);
                        }
                    }
                });
                future = this.cache.putIfAbsent(authenticationToken, futureTask);
                if (future == null) {
                    future = futureTask;
                    futureTask.run();
                }
            }
            try {
                user = future.get();
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
                return null;
            } catch (CancellationException e2) {
                this.cache.remove(authenticationToken, future);
            } catch (ExecutionException e3) {
                this.cache.remove(authenticationToken, future);
                if (e3.getCause() instanceof RuntimeException) {
                    throw ((RuntimeException) e3.getCause());
                }
            } catch (Exception e4) {
                log.error("Unable to load user", e4);
                return null;
            }
            if (System.currentTimeMillis() - user.lastUpdated < 30000) {
                return user;
            }
            this.cache.remove(authenticationToken, future);
        }
        return null;
    }

    @Override // org.yamcs.security.AuthModule
    public boolean hasPrivilege(AuthenticationToken authenticationToken, Privilege.Type type, String str) {
        User user = getUser(authenticationToken);
        if (user == null) {
            return false;
        }
        return user.hasPrivilege(type, str);
    }

    @Override // org.yamcs.security.AuthModule
    public boolean hasRole(AuthenticationToken authenticationToken, String str) {
        User user = getUser(authenticationToken);
        if (user == null) {
            return false;
        }
        return user.hasRole(str);
    }

    private ChannelFuture sendUnauthorized(ChannelHandlerContext channelHandlerContext, HttpRequest httpRequest, String str) {
        DefaultFullHttpResponse defaultFullHttpResponse = new DefaultFullHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.UNAUTHORIZED, RestRequest.deriveTargetContentType(httpRequest) == MediaType.PROTOBUF ? Unpooled.copiedBuffer(Web.RestExceptionMessage.newBuilder().setMsg(HttpResponseStatus.UNAUTHORIZED.toString()).build().toByteArray()) : Unpooled.copiedBuffer(HttpResponseStatus.UNAUTHORIZED.toString() + "\r\n", CharsetUtil.UTF_8));
        defaultFullHttpResponse.headers().set(HttpHeaderNames.WWW_AUTHENTICATE, "Basic realm=\"" + Privilege.getAuthModuleName() + "\"");
        log.warn("{} {} {} [realm=\"{}\"]: {}", new Object[]{httpRequest.method(), httpRequest.uri(), Integer.valueOf(defaultFullHttpResponse.status().code()), Privilege.getAuthModuleName(), str});
        return channelHandlerContext.writeAndFlush(defaultFullHttpResponse).addListener(ChannelFutureListener.CLOSE);
    }
}
