package org.yamcs.web;

import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.SimpleChannelInboundHandler;
import io.netty.handler.codec.http.FullHttpRequest;
import io.netty.handler.codec.http.HttpMethod;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.handler.codec.http.QueryStringDecoder;
import io.netty.handler.codec.http.multipart.Attribute;
import io.netty.handler.codec.http.multipart.HttpPostRequestDecoder;
import io.netty.handler.codec.http.multipart.InterfaceHttpData;
import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.Iterator;
import java.util.concurrent.ExecutionException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.yamcs.YamcsServer;
import org.yamcs.commanding.PreparedCommand;
import org.yamcs.protobuf.Web;
import org.yamcs.security.AuthModule;
import org.yamcs.security.AuthenticationException;
import org.yamcs.security.AuthorizationException;
import org.yamcs.security.SecurityStore;
import org.yamcs.security.SpnegoAuthModule;
import org.yamcs.security.ThirdPartyAuthorizationCode;
import org.yamcs.security.User;
import org.yamcs.security.UsernamePasswordToken;
import org.yamcs.web.TokenStore;
import org.yamcs.web.rest.UserRestHandler;

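/**
 * Netty handler for the HTTP authentication endpoints below {@code /auth}.
 *
 * <ul>
 *   <li>{@code GET /auth} reports whether authentication is required and which flows are offered.</li>
 *   <li>{@code POST /auth/token} exchanges a form-encoded grant ({@code password},
 *       {@code authorization_code} or {@code refresh_token}) for a bearer access token.</li>
 *   <li>{@code /auth/<path>} is delegated to any configured {@link AuthModule} that also
 *       implements {@code AuthModuleHttpHandler} and declares that path.</li>
 * </ul>
 *
 * <p>The handler is {@code Sharable}: it keeps no per-connection state, only the static
 * {@link TokenStore}. Everything read from the request is untrusted, so absent or malformed
 * form fields are answered with {@code 400 Bad Request} and never dereferenced.
 */
@ChannelHandler.Sharable
public class AuthHandler extends SimpleChannelInboundHandler<FullHttpRequest> {
    private static final Logger log = LoggerFactory.getLogger(AuthHandler.class);

    /** Media type a token request body must declare. */
    private static final String FORM_CONTENT_TYPE = "application/x-www-form-urlencoded";

    /**
     * Lifetime handed to the JWT helper and echoed to the client as {@code expires_in}.
     * NOTE(review): presumably seconds, as {@code expires_in} is in OAuth 2 — confirm against JwtHelper.
     */
    private static final int ACCESS_TOKEN_LIFETIME = 500;

    private static final TokenStore tokenStore = new TokenStore();

    /**
     * Routes a request by its path (query string ignored) to the matching auth endpoint,
     * answering {@code 404 Not Found} when nothing matches.
     *
     * @param channelHandlerContext channel context used to write the response
     * @param fullHttpRequest the aggregated HTTP request
     * @throws Exception if a delegated handler fails
     */
    @Override
    public void channelRead0(ChannelHandlerContext channelHandlerContext, FullHttpRequest fullHttpRequest) throws Exception {
        String path = new QueryStringDecoder(fullHttpRequest.uri()).path();
        if (path.equals("/auth")) {
            handleAuthInfoRequest(channelHandlerContext, fullHttpRequest);
            return;
        }
        if (path.equals("/auth/token")) {
            handleTokenRequest(channelHandlerContext, fullHttpRequest);
            return;
        }
        // Auth modules may expose their own endpoint below /auth/.
        for (AuthModule authModule : SecurityStore.getInstance().getAuthModules()) {
            if (authModule instanceof AuthModuleHttpHandler) {
                AuthModuleHttpHandler moduleHandler = (AuthModuleHttpHandler) authModule;
                if (path.equals("/auth/" + moduleHandler.path())) {
                    moduleHandler.handle(channelHandlerContext, fullHttpRequest);
                    return;
                }
            }
        }
        HttpRequestHandler.sendPlainTextError(channelHandlerContext, fullHttpRequest, HttpResponseStatus.NOT_FOUND);
    }

    /**
     * Serves the auth info document. Only {@code GET} is accepted; any other method is
     * answered with {@code 405 Method Not Allowed}.
     */
    private void handleAuthInfoRequest(ChannelHandlerContext ctx, FullHttpRequest req) throws Exception {
        if (!HttpMethod.GET.equals(req.method())) {
            HttpRequestHandler.sendPlainTextError(ctx, req, HttpResponseStatus.METHOD_NOT_ALLOWED);
            return;
        }
        HttpRequestHandler.sendMessageResponse(ctx, req, HttpResponseStatus.OK, createAuthInfo(), true);
    }

    /**
     * Builds the auth info message: whether the security store is enabled, one SPNEGO flow per
     * configured {@link SpnegoAuthModule}, and always the PASSWORD flow.
     *
     * @return the populated {@code AuthInfo} message
     */
    public static Web.AuthInfo createAuthInfo() {
        Web.AuthInfo.Builder info = Web.AuthInfo.newBuilder();
        info.setRequireAuthentication(SecurityStore.getInstance().isEnabled());
        for (AuthModule authModule : SecurityStore.getInstance().getAuthModules()) {
            if (authModule instanceof SpnegoAuthModule) {
                info.addFlow(Web.AuthFlow.newBuilder().setType(Web.AuthFlow.Type.SPNEGO));
            }
        }
        info.addFlow(Web.AuthFlow.newBuilder().setType(Web.AuthFlow.Type.PASSWORD));
        return info.build();
    }

    /**
     * Handles {@code /auth/token}: checks the content type, decodes the form body and dispatches
     * on {@code grant_type}. The decoder is destroyed on every exit path.
     */
    private void handleTokenRequest(ChannelHandlerContext ctx, FullHttpRequest req) {
        if (!isFormUrlEncoded(req.headers().get("Content-Type"))) {
            HttpRequestHandler.sendPlainTextError(ctx, req, HttpResponseStatus.BAD_REQUEST);
            return;
        }

        HttpPostRequestDecoder formDecoder;
        try {
            formDecoder = new HttpPostRequestDecoder(req);
        } catch (HttpPostRequestDecoder.ErrorDataDecoderException e) {
            // A body that cannot be parsed is a client error, not a server fault.
            log.info("Rejecting token request with an undecodable form body");
            HttpRequestHandler.sendPlainTextError(ctx, req, HttpResponseStatus.BAD_REQUEST);
            return;
        }

        try {
            String grantType = getStringFromForm(formDecoder, "grant_type");
            if (grantType == null) {
                HttpRequestHandler.sendPlainTextError(ctx, req, HttpResponseStatus.BAD_REQUEST, "Missing grant_type");
                return;
            }
            log.info("Access token request using grant_type '{}'", sanitizeForLog(grantType));
            switch (grantType) {
                case "password":
                    handleTokenRequestWithPasswordGrant(ctx, req, formDecoder);
                    break;
                case "authorization_code":
                    handleTokenRequestWithAuthorizationCode(ctx, req, formDecoder);
                    break;
                case "refresh_token":
                    handleTokenRequestWithRefreshToken(ctx, req, formDecoder);
                    break;
                case "spnego": // recognised, but this endpoint has no handler for it
                default:
                    HttpRequestHandler.sendPlainTextError(ctx, req, HttpResponseStatus.BAD_REQUEST, "Unsupported grant_type '" + grantType + "'");
                    break;
            }
        } catch (IOException e) {
            log.error("Unexpected error while attempting user login", e);
            HttpRequestHandler.sendPlainTextError(ctx, req, HttpResponseStatus.INTERNAL_SERVER_ERROR);
        } finally {
            formDecoder.destroy();
        }
    }

    /**
     * Password grant: authenticates the submitted username and password and, on success,
     * issues an access token together with a newly generated refresh token.
     *
     * @throws IOException if a form value cannot be read
     */
    private void handleTokenRequestWithPasswordGrant(ChannelHandlerContext ctx, FullHttpRequest req, HttpPostRequestDecoder formDecoder) throws IOException {
        String username = getStringFromForm(formDecoder, PreparedCommand.CNAME_USERNAME);
        String password = getStringFromForm(formDecoder, "password");
        if (username == null || password == null) {
            HttpRequestHandler.sendPlainTextError(ctx, req, HttpResponseStatus.BAD_REQUEST);
            return;
        }
        try {
            User user = SecurityStore.getInstance().login(new UsernamePasswordToken(username, password.toCharArray())).get();
            sendNewAccessToken(ctx, req, user, tokenStore.generateRefreshToken(user));
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            // Answer anyway, otherwise the client waits on a request that will never complete.
            HttpRequestHandler.sendPlainTextError(ctx, req, HttpResponseStatus.INTERNAL_SERVER_ERROR);
        } catch (ExecutionException e) {
            sendLoginFailure(ctx, req, e.getCause(), username);
        }
    }

    /**
     * Authorization-code grant: authenticates the submitted third-party {@code code} and, on
     * success, issues an access token together with a newly generated refresh token.
     *
     * @throws IOException if a form value cannot be read
     */
    private void handleTokenRequestWithAuthorizationCode(ChannelHandlerContext ctx, FullHttpRequest req, HttpPostRequestDecoder formDecoder) throws IOException {
        String code = getStringFromForm(formDecoder, "code");
        if (code == null) {
            HttpRequestHandler.sendPlainTextError(ctx, req, HttpResponseStatus.BAD_REQUEST);
            return;
        }
        try {
            User user = SecurityStore.getInstance().login(new ThirdPartyAuthorizationCode(code)).get();
            sendNewAccessToken(ctx, req, user, tokenStore.generateRefreshToken(user));
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            // Answer anyway, otherwise the client waits on a request that will never complete.
            HttpRequestHandler.sendPlainTextError(ctx, req, HttpResponseStatus.INTERNAL_SERVER_ERROR);
        } catch (ExecutionException e) {
            sendLoginFailure(ctx, req, e.getCause(), null);
        }
    }

    /**
     * Refresh-token grant: looks the token up in the {@link TokenStore} and, when it is known,
     * issues a new access token with the refresh token returned by the store.
     *
     * @throws IOException if a form value cannot be read
     */
    private void handleTokenRequestWithRefreshToken(ChannelHandlerContext ctx, FullHttpRequest req, HttpPostRequestDecoder formDecoder) throws IOException {
        String refreshToken = getStringFromForm(formDecoder, "refresh_token");
        if (refreshToken == null) {
            HttpRequestHandler.sendPlainTextError(ctx, req, HttpResponseStatus.BAD_REQUEST);
            return;
        }
        TokenStore.IdentifyResult identified = tokenStore.identify(refreshToken);
        if (identified == null) {
            // The token value itself is deliberately kept out of the log.
            log.info("Invalid refresh token");
            HttpRequestHandler.sendPlainTextError(ctx, req, HttpResponseStatus.UNAUTHORIZED);
            return;
        }
        sendNewAccessToken(ctx, req, identified.user, identified.refreshToken);
    }

    /**
     * Maps a failed login onto a response: {@code 401} for authentication and authorization
     * failures, {@code 500} for anything else.
     *
     * @param cause the cause of the failed login future
     * @param username the attempted username for the log line, or {@code null} when the grant has none
     */
    private void sendLoginFailure(ChannelHandlerContext ctx, FullHttpRequest req, Throwable cause, String username) {
        if ((cause instanceof AuthenticationException) || (cause instanceof AuthorizationException)) {
            // The username is attacker-controlled; neutralise line breaks before logging it.
            if (username != null) {
                log.info("Denying access to '{}': {}", sanitizeForLog(username), sanitizeForLog(cause.getMessage()));
            } else {
                log.info("Denying access: {}", sanitizeForLog(cause.getMessage()));
            }
            HttpRequestHandler.sendPlainTextError(ctx, req, HttpResponseStatus.UNAUTHORIZED);
        } else {
            log.error("Unexpected error while attempting user login", cause);
            HttpRequestHandler.sendPlainTextError(ctx, req, HttpResponseStatus.INTERNAL_SERVER_ERROR);
        }
    }

    /**
     * Generates an access token for {@code user}, registers the token-to-user mapping with the
     * authorization checker and writes the token response.
     *
     * @param refreshToken refresh token to include in the response, may be {@code null}
     */
    private void sendNewAccessToken(ChannelHandlerContext ctx, FullHttpRequest req, User user, String refreshToken) {
        try {
            Web.TokenResponse response = generateTokenResponse(user, refreshToken);
            HttpRequestHandler.getAuthorizationChecker().storeTokenToUserMapping(response.getAccessToken(), user);
            HttpRequestHandler.sendMessageResponse(ctx, req, HttpResponseStatus.OK, response, true);
        } catch (InvalidKeyException | NoSuchAlgorithmException e) {
            // A signing failure is a server-side configuration problem; record it for operators.
            log.error("Unable to generate access token", e);
            HttpRequestHandler.sendPlainTextError(ctx, req, HttpResponseStatus.INTERNAL_SERVER_ERROR);
        }
    }

    /**
     * Builds the token response: an HS256 JWT signed with the server secret key, token type
     * {@code bearer}, the token lifetime, the user info and, when given, the refresh token.
     *
     * @throws InvalidKeyException if the server secret key is rejected by the signer
     * @throws NoSuchAlgorithmException if the signing algorithm is unavailable
     */
    private Web.TokenResponse generateTokenResponse(User user, String refreshToken) throws InvalidKeyException, NoSuchAlgorithmException {
        String accessToken = JwtHelper.generateHS256Token(user, YamcsServer.getSecretKey(), ACCESS_TOKEN_LIFETIME);
        Web.TokenResponse.Builder response = Web.TokenResponse.newBuilder();
        response.setTokenType("bearer");
        response.setAccessToken(accessToken);
        response.setExpiresIn(ACCESS_TOKEN_LIFETIME);
        response.setUser(UserRestHandler.toUserInfo(user, false));
        if (refreshToken != null) {
            response.setRefreshToken(refreshToken);
        }
        return response.build();
    }

    /**
     * Reads one form field from the decoded body.
     *
     * @param name the field name
     * @return the field value, or {@code null} when the field is absent or is not a plain attribute
     * @throws IOException if the value cannot be read
     */
    private String getStringFromForm(HttpPostRequestDecoder formDecoder, String name) throws IOException {
        InterfaceHttpData data = formDecoder.getBodyHttpData(name);
        // getBodyHttpData yields null for a field the client did not send.
        if (data != null && data.getHttpDataType() == InterfaceHttpData.HttpDataType.Attribute) {
            return ((Attribute) data).getValue();
        }
        return null;
    }

    /**
     * Tells whether a {@code Content-Type} header value names the form media type, ignoring
     * case and any parameters such as {@code ; charset=UTF-8}.
     */
    private static boolean isFormUrlEncoded(String contentType) {
        if (contentType == null) {
            return false;
        }
        int paramStart = contentType.indexOf(';');
        String mediaType = paramStart >= 0 ? contentType.substring(0, paramStart) : contentType;
        return FORM_CONTENT_TYPE.equalsIgnoreCase(mediaType.trim());
    }

    /**
     * Replaces CR and LF so a client-supplied value cannot forge additional log lines.
     *
     * @return the sanitised value, or {@code null} when {@code value} is {@code null}
     */
    private static String sanitizeForLog(String value) {
        return value == null ? null : value.replace('\r', '_').replace('\n', '_');
    }
}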
