package org.yamcs.http.auth;

import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.google.protobuf.Message;
import io.netty.handler.codec.http.HttpHeaderNames;
import io.netty.handler.codec.http.HttpMethod;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.handler.codec.http.QueryStringEncoder;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import org.yamcs.YamcsServer;
import org.yamcs.http.BadRequestException;
import org.yamcs.http.BodyHandler;
import org.yamcs.http.HandlerContext;
import org.yamcs.http.HttpServer;
import org.yamcs.http.InternalServerErrorException;
import org.yamcs.http.NotFoundException;
import org.yamcs.http.UnauthorizedException;
import org.yamcs.http.api.IamApi;
import org.yamcs.http.audit.AuditLogDb;
import org.yamcs.http.auth.TokenStore;
import org.yamcs.protobuf.AuthInfo;
import org.yamcs.protobuf.OpenIDConnectInfo;
import org.yamcs.protobuf.TokenResponse;
import org.yamcs.security.ApplicationCredentials;
import org.yamcs.security.AuthModule;
import org.yamcs.security.AuthenticationException;
import org.yamcs.security.AuthenticationInfo;
import org.yamcs.security.AuthorizationException;
import org.yamcs.security.Directory;
import org.yamcs.security.OpenIDAuthModule;
import org.yamcs.security.SecurityStore;
import org.yamcs.security.SpnegoAuthModule;
import org.yamcs.security.ThirdPartyAuthorizationCode;
import org.yamcs.security.User;
import org.yamcs.security.UserSession;
import org.yamcs.security.UsernamePasswordToken;

/* loaded from: input_file:org/yamcs/http/auth/AuthHandler.class */
public class AuthHandler extends BodyHandler {
    private static final SecureRandom RNG = new SecureRandom();
    private static Cache<String, AuthenticationInfo> CODE_CACHE = CacheBuilder.newBuilder().expireAfterWrite(60, TimeUnit.SECONDS).build();
    private TokenStore tokenStore;

    public AuthHandler(HttpServer httpServer) {
        this.tokenStore = httpServer.getTokenStore();
    }

    @Override // org.yamcs.http.HttpHandler
    public boolean requireAuth() {
        return false;
    }

    @Override // org.yamcs.http.HttpHandler
    public void handle(HandlerContext handlerContext) {
        String pathWithoutContext = handlerContext.getPathWithoutContext();
        if (pathWithoutContext.equals("/auth")) {
            handleAuthInfoRequest(handlerContext);
            return;
        }
        if (pathWithoutContext.equals("/auth/assets/auth.css")) {
            handlerContext.sendResource("/auth/static/auth.css");
            return;
        }
        if (pathWithoutContext.equals("/auth/assets/yamcs300.png")) {
            handlerContext.sendResource("/auth/static/yamcs300.png");
            return;
        }
        if (pathWithoutContext.equals("/auth/authorize")) {
            handleAuthorize(handlerContext);
            return;
        }
        if (pathWithoutContext.equals("/auth/token")) {
            handleToken(handlerContext);
            return;
        }
        if (pathWithoutContext.equals("/auth/spnego")) {
            SpnegoAuthModule spnegoAuthModule = (SpnegoAuthModule) getSecurityStore().getAuthModule(SpnegoAuthModule.class);
            if (spnegoAuthModule != null) {
                spnegoAuthModule.handle(handlerContext);
                return;
            }
        } else if (pathWithoutContext.equals("/auth/actions/login")) {
            handleLoginAction(handlerContext);
            return;
        }
        throw new NotFoundException();
    }

    private void handleAuthInfoRequest(HandlerContext handlerContext) {
        handlerContext.requireGET();
        handlerContext.sendOK((Message) createAuthInfo());
    }

    private void handleAuthorize(HandlerContext handlerContext) {
        handlerContext.requireMethod(HttpMethod.GET, HttpMethod.POST);
        showLoginForm(handlerContext, new OpenIDAuthenticationRequest(handlerContext));
    }

    private void handleLoginAction(HandlerContext handlerContext) {
        handlerContext.requirePOST();
        handlerContext.requireFormEncoding();
        LoginRequest loginRequest = new LoginRequest(handlerContext);
        getSecurityStore().login(loginRequest.getUsernamePasswordToken()).whenComplete((authenticationInfo, th) -> {
            if (th == null) {
                redirectWithCode(handlerContext, authenticationInfo, loginRequest);
                return;
            }
            if ((th instanceof AuthenticationException) || (th instanceof AuthorizationException)) {
                this.log.info("Denying access to '" + loginRequest.getUsername() + "': " + th.getMessage());
                showLoginError(handlerContext, loginRequest, "Invalid username or password");
            } else {
                this.log.error("Unexpected error while attempting user login", th);
                showLoginError(handlerContext, loginRequest, "Server Error");
            }
        });
    }

    public static AuthInfo createAuthInfo() {
        AuthInfo.Builder newBuilder = AuthInfo.newBuilder();
        newBuilder.setRequireAuthentication(!getSecurityStore().getGuestUser().isActive());
        for (AuthModule authModule : getSecurityStore().getAuthModules()) {
            if (authModule instanceof SpnegoAuthModule) {
                newBuilder.setSpnego(true);
            }
            if (authModule instanceof OpenIDAuthModule) {
                OpenIDConnectInfo.Builder newBuilder2 = OpenIDConnectInfo.newBuilder();
                newBuilder2.setClientId(((OpenIDAuthModule) authModule).getClientId());
                newBuilder2.setAuthorizationEndpoint(((OpenIDAuthModule) authModule).getAuthorizationEndpoint());
                newBuilder2.setScope(((OpenIDAuthModule) authModule).getScope());
                newBuilder.setOpenid(newBuilder2.build());
            }
        }
        return newBuilder.build();
    }

    private void showLoginForm(HandlerContext handlerContext, OpenIDAuthenticationRequest openIDAuthenticationRequest) {
        HashMap hashMap = new HashMap();
        hashMap.put("contextPath", handlerContext.getContextPath());
        hashMap.put(AuditLogDb.CNAME_REQUEST, openIDAuthenticationRequest.getMap());
        handlerContext.render(HttpResponseStatus.OK, "/auth/templates/authorize.html", hashMap);
    }

    private void showLoginError(HandlerContext handlerContext, LoginRequest loginRequest, String str) {
        HashMap hashMap = new HashMap();
        hashMap.put("contextPath", handlerContext.getContextPath());
        hashMap.put(AuditLogDb.CNAME_REQUEST, loginRequest.getMap());
        if (str != null) {
            hashMap.put("errorMessage", str);
        }
        handlerContext.render(HttpResponseStatus.OK, "/auth/templates/authorize.html", hashMap);
    }

    private void redirectWithCode(HandlerContext handlerContext, AuthenticationInfo authenticationInfo, LoginRequest loginRequest) {
        String generateUrlSafeCode = generateUrlSafeCode();
        CODE_CACHE.put(generateUrlSafeCode, authenticationInfo);
        QueryStringEncoder queryStringEncoder = new QueryStringEncoder(loginRequest.getRedirectURI());
        queryStringEncoder.addParam("code", generateUrlSafeCode);
        String state = loginRequest.getState();
        if (state != null) {
            queryStringEncoder.addParam(LoginRequest.STATE, state);
        }
        this.log.info("Redirecting to " + queryStringEncoder.toString());
        handlerContext.sendRedirect(queryStringEncoder.toString());
    }

    private void handleToken(HandlerContext handlerContext) {
        handlerContext.requireFormEncoding();
        String requireFormParameter = handlerContext.requireFormParameter("grant_type");
        this.log.info("Access token request using grant_type '{}'", requireFormParameter);
        boolean z = -1;
        switch (requireFormParameter.hashCode()) {
            case -1432035435:
                if (requireFormParameter.equals("refresh_token")) {
                    z = 2;
                    break;
                }
                break;
            case 290069640:
                if (requireFormParameter.equals("client_credentials")) {
                    z = 3;
                    break;
                }
                break;
            case 1216985755:
                if (requireFormParameter.equals(LoginRequest.PASSWORD)) {
                    z = false;
                    break;
                }
                break;
            case 1571154419:
                if (requireFormParameter.equals("authorization_code")) {
                    z = true;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                handleTokenRequestWithPasswordGrant(handlerContext);
                return;
            case true:
                handleTokenRequestWithAuthorizationCode(handlerContext);
                return;
            case true:
                handleTokenRequestWithRefreshToken(handlerContext);
                return;
            case true:
                handleTokenRequestWithClientCredentials(handlerContext);
                return;
            default:
                throw new BadRequestException("Unsupported grant_type '" + requireFormParameter + "'");
        }
    }

    private void handleTokenRequestWithPasswordGrant(HandlerContext handlerContext) {
        String requireFormParameter = handlerContext.requireFormParameter("username");
        try {
            AuthenticationInfo authenticationInfo = getSecurityStore().login(new UsernamePasswordToken(requireFormParameter, handlerContext.requireFormParameter(LoginRequest.PASSWORD).toCharArray())).get();
            sendNewAccessToken(handlerContext, authenticationInfo, this.tokenStore.generateRefreshToken(createSession(handlerContext, authenticationInfo)));
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        } catch (ExecutionException e2) {
            Throwable cause = e2.getCause();
            if ((cause instanceof AuthenticationException) || (cause instanceof AuthorizationException)) {
                this.log.info("Denying access to '" + requireFormParameter + "': " + cause.getMessage());
                throw new UnauthorizedException();
            }
            this.log.error("Unexpected error while attempting user login", cause);
            throw new InternalServerErrorException(cause);
        }
    }

    private void handleTokenRequestWithAuthorizationCode(HandlerContext handlerContext) {
        String requireFormParameter = handlerContext.requireFormParameter("code");
        AuthenticationInfo authenticationInfo = (AuthenticationInfo) CODE_CACHE.getIfPresent(requireFormParameter);
        if (authenticationInfo == null) {
            try {
                authenticationInfo = getSecurityStore().login(new ThirdPartyAuthorizationCode(requireFormParameter)).get();
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
                return;
            } catch (ExecutionException e2) {
                Throwable cause = e2.getCause();
                if ((cause instanceof AuthenticationException) || (cause instanceof AuthorizationException)) {
                    this.log.info("Denying access: " + cause.getMessage());
                    throw new UnauthorizedException();
                }
                this.log.error("Unexpected error while attempting user login", cause);
                throw new InternalServerErrorException(cause);
            }
        }
        UserSession createSession = createSession(handlerContext, authenticationInfo);
        String str = null;
        if (authenticationInfo.getAuthenticator() instanceof SpnegoAuthModule) {
            createSession.setLifespan(getSecurityStore().getAccessTokenLifespan());
        } else {
            str = this.tokenStore.generateRefreshToken(createSession);
        }
        sendNewAccessToken(handlerContext, authenticationInfo, str);
    }

    private UserSession createSession(HandlerContext handlerContext, AuthenticationInfo authenticationInfo) {
        UserSession createSession = YamcsServer.getServer().getSecurityStore().getSessionManager().createSession(authenticationInfo, handlerContext.getOriginalHostAddress(), handlerContext.getOriginalHostName());
        String header = handlerContext.getHeader(HttpHeaderNames.USER_AGENT);
        if (header != null) {
            createSession.getClients().add(header);
        }
        return createSession;
    }

    private void handleTokenRequestWithRefreshToken(HandlerContext handlerContext) {
        TokenStore.RefreshResult verifyRefreshToken = this.tokenStore.verifyRefreshToken(handlerContext.getFormParameter("refresh_token"));
        if (verifyRefreshToken == null) {
            throw new UnauthorizedException("Invalid refresh token");
        }
        sendNewAccessToken(handlerContext, verifyRefreshToken.session.getAuthenticationInfo(), verifyRefreshToken.refreshToken);
    }

    private void handleTokenRequestWithClientCredentials(HandlerContext handlerContext) {
        String formParameter;
        String formParameter2;
        String[] basicCredentials = handlerContext.getBasicCredentials();
        if (basicCredentials != null) {
            formParameter = basicCredentials[0];
            formParameter2 = basicCredentials[1];
        } else {
            formParameter = handlerContext.getFormParameter(LoginRequest.CLIENT_ID);
            formParameter2 = handlerContext.getFormParameter("client_secret");
        }
        if (formParameter == null || formParameter2 == null) {
            throw new BadRequestException("Missing client id or secret");
        }
        ApplicationCredentials applicationCredentials = new ApplicationCredentials(formParameter, formParameter2);
        applicationCredentials.setBecome(handlerContext.getFormParameter("become"));
        try {
            sendNewAccessToken(handlerContext, getSecurityStore().login(applicationCredentials).get(), null);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        } catch (ExecutionException e2) {
            Throwable cause = e2.getCause();
            if ((cause instanceof AuthenticationException) || (cause instanceof AuthorizationException)) {
                this.log.info("Denying access to '" + formParameter + "': " + cause.getMessage());
                throw new UnauthorizedException();
            }
            this.log.error("Unexpected error while attempting user login", cause);
            throw new InternalServerErrorException(cause);
        }
    }

    private void sendNewAccessToken(HandlerContext handlerContext, AuthenticationInfo authenticationInfo, String str) {
        try {
            TokenResponse generateTokenResponse = generateTokenResponse(getSecurityStore().getUserFromCache(authenticationInfo.getUsername()), str);
            this.tokenStore.registerAccessToken(generateTokenResponse.getAccessToken(), authenticationInfo);
            handlerContext.sendOK((Message) generateTokenResponse);
        } catch (InvalidKeyException | NoSuchAlgorithmException e) {
            throw new InternalServerErrorException(e);
        }
    }

    private TokenResponse generateTokenResponse(User user, String str) throws InvalidKeyException, NoSuchAlgorithmException {
        int accessTokenLifespan = getSecurityStore().getAccessTokenLifespan() / 1000;
        String generateHS256Token = JwtHelper.generateHS256Token("Yamcs", user.getName(), YamcsServer.getServer().getSecretKey(), accessTokenLifespan);
        TokenResponse.Builder newBuilder = TokenResponse.newBuilder();
        newBuilder.setTokenType("bearer");
        newBuilder.setAccessToken(generateHS256Token);
        newBuilder.setExpiresIn(accessTokenLifespan);
        newBuilder.setUser(IamApi.toUserInfo(user, true, getDirectory()));
        if (str != null) {
            newBuilder.setRefreshToken(str);
        }
        return newBuilder.build();
    }

    private static String generateUrlSafeCode() {
        byte[] bArr = new byte[10];
        RNG.nextBytes(bArr);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bArr);
    }

    public static SecurityStore getSecurityStore() {
        return YamcsServer.getServer().getSecurityStore();
    }

    private static Directory getDirectory() {
        return getSecurityStore().getDirectory();
    }
}
