package com.dynfi.security;

import com.dynfi.services.JwtService;
import com.dynfi.services.LogService;
import com.dynfi.services.UserService;
import com.dynfi.storage.entities.LogEntry;
import com.dynfi.storage.entities.MessageCode;
import com.dynfi.storage.entities.User;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.collect.ImmutableMap;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.MalformedJwtException;
import io.jsonwebtoken.UnsupportedJwtException;
import io.jsonwebtoken.security.SignatureException;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import java.util.Set;
import javax.annotation.Priority;
import javax.inject.Inject;
import javax.validation.ConstraintViolationException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.Response;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.UnauthenticatedException;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;
import org.apache.sshd.client.auth.keyboard.UserInteraction;
import org.apache.sshd.common.util.io.IoUtils;
import org.glassfish.jersey.server.ContainerRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

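@Priority(1000)
@PreMatching
/* loaded from: input_file:com/dynfi/security/AuthenticationFilter.class */
/**
 * Pre-matching JAX-RS filter that turns an {@code Authorization} header into a Shiro login.
 *
 * <p>Two schemes are understood: {@code Basic} (username/password, base64) and {@code Bearer}
 * (a JWT parsed by {@link JwtService}). A JWT of type {@code OTP} is the intermediate credential
 * of the two-factor flow and is only honoured on {@link #CREATE_TOKEN_ENDPOINT}, where the
 * one-time password is taken from the JSON body. A successful Basic login for a user with
 * two-factor authentication enabled is immediately logged out again and answered with
 * {@code 200 OK} carrying a fresh OTP token in the {@code Authorization} response header.
 *
 * <p>Requests without a recognised header are left unauthenticated (the thread-bound subject is
 * cleared); authorization is enforced elsewhere. Credentials and tokens are never written to
 * the log, only usernames and the reason a credential was rejected.
 */
public class AuthenticationFilter implements ContainerRequestFilter {
    private static final Logger logger = LoggerFactory.getLogger((Class<?>) AuthenticationFilter.class);
    public static final String BASIC = "Basic ";
    public static final String BEARER = "Bearer ";
    public static final String CREATE_TOKEN_ENDPOINT = "users/createToken";
    private static final String LDAP_REALM = "LdapRealm";
    /** JSON field of the 2FA-completion request body holding the base64-encoded one-time password. */
    private static final String OTP_FIELD = "oneTimePassword";
    /** A configured ObjectMapper is thread-safe; one instance avoids per-request construction. */
    private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
    private final JwtService jwtService;
    private final UserService userService;
    private final LogService logService;

    /**
     * @param jwtService  parses bearer tokens and issues OTP tokens
     * @param userService resolves the logged-in user and creates/updates LDAP-backed users
     * @param logService  audit log for LDAP provisioning failures
     */
    @Inject
    public AuthenticationFilter(JwtService jwtService, UserService userService, LogService logService) {
        this.jwtService = jwtService;
        this.userService = userService;
        this.logService = logService;
    }

    /**
     * Authenticates the request from its {@code Authorization} header (see class comment).
     *
     * @throws UnauthenticatedException when a Basic/Bearer credential is present but malformed,
     *         or an OTP-completion body cannot be parsed
     * @throws IOException when the request body of an OTP-completion request cannot be read
     */
    @Override // javax.ws.rs.container.ContainerRequestFilter
    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        String requestPath = ((ContainerRequest) containerRequestContext).getPath(false);
        String headerString = containerRequestContext.getHeaderString("Authorization");
        AuthenticationToken authenticationToken = null;
        if (StringUtils.startsWith(headerString, BASIC)) {
            logger.trace("Basic authentication attempt, path [{}]", requestPath);
            authenticationToken = getAuthenticationTokenFromBasic(StringUtils.substringAfter(headerString, BASIC));
            logger.trace("Basic username [{}]", authenticationToken.getPrincipal());
        } else if (StringUtils.startsWith(headerString, BEARER)) {
            // The header value is a bearer credential; log the attempt, never the token.
            logger.trace("Bearer authentication attempt, path [{}]", requestPath);
            authenticationToken = getAuthenticationTokenFromJwt(StringUtils.substringAfter(headerString, BEARER));
        }
        if (authenticationToken == null) {
            logger.trace("Not authenticated request.");
            ThreadContext.unbindSubject();
            return;
        }
        if (authenticationToken instanceof JwtOneTimePasswordToken) {
            // An OTP token is only half a credential: it is accepted solely on the endpoint that
            // completes the second factor, and is treated as no credential anywhere else.
            if (!CREATE_TOKEN_ENDPOINT.equals(containerRequestContext.getUriInfo().getPath())) {
                logger.trace("Not authenticated request.");
                ThreadContext.unbindSubject();
                return;
            }
            logger.trace("Two-factor authentication attempt, finish 2nd step - get otp from request and verify, path [{}] ", requestPath);
            ((JwtOneTimePasswordToken) authenticationToken).setOneTimePassword(readOneTimePassword(containerRequestContext));
        }
        // NOTE(review): the subject stays bound to the thread after an authenticated request;
        // confirm the surrounding Shiro setup clears ThreadContext per request on pooled threads.
        Subject subject = SecurityUtils.getSubject();
        subject.login(authenticationToken);
        if (authenticationToken instanceof UsernamePasswordToken) {
            boolean viaLdapRealm = isLdapRealm(subject.getPrincipals().getRealmNames());
            User currentUser = this.userService.getCurrentUser();
            if (currentUser == null || (!User.AccountType.LDAP.equals(currentUser.getAccountType()) && viaLdapRealm)) {
                currentUser = createLdapUser(subject, (UsernamePasswordToken) authenticationToken);
            } else if (User.AccountType.LDAP.equals(currentUser.getAccountType()) && viaLdapRealm) {
                currentUser = updateLdapUser(subject, currentUser);
            }
            // currentUser is null here when LDAP provisioning failed; the helper has already
            // logged the subject out, so the request proceeds unauthenticated.
            // NOTE(review): a user with 2FA ENABLED but no secret is let through on the
            // password alone — confirm that state cannot be reached for a live account.
            if (currentUser != null && User.TwoFactorAuthStatus.ENABLED.equals(currentUser.getTwoFactorAuthStatus()) && currentUser.getTwoFactorAuthSecret() != null) {
                logger.trace("Two-factor authentication attempt, start 2nd step - ask for otp, path [{}] ", requestPath);
                // The password alone must not yield a session: drop it and hand out the OTP
                // token that only CREATE_TOKEN_ENDPOINT will accept.
                subject.logout();
                containerRequestContext.abortWith(Response.ok().header("Authorization", "Bearer " + this.jwtService.issueOneTimePasswordToken(currentUser, containerRequestContext.getUriInfo().getAbsolutePath().toString())).build());
                return;
            }
        }
        logger.trace("Authenticated user {}.", subject.getPrincipal());
    }

    /**
     * Whether the realm that authenticated the subject is the LDAP realm.
     * Only the first realm name is consulted, as the original check did; an empty set
     * (not expected after a successful login) counts as "not LDAP".
     */
    private static boolean isLdapRealm(Set<String> realmNames) {
        return realmNames.stream().findFirst().map(name -> name.contains(LDAP_REALM)).orElse(false);
    }

    /**
     * Reads the base64-encoded {@value #OTP_FIELD} field from the JSON request body.
     * The body is consumed here, so a copy is re-installed on the request for the resource method.
     *
     * @throws UnauthenticatedException when the body is not a JSON object, the field is absent or
     *         not a string, or its value is not valid base64
     * @throws IOException when the entity stream cannot be read
     */
    private static String readOneTimePassword(ContainerRequestContext containerRequestContext) throws IOException {
        byte[] body = IoUtils.toByteArray(containerRequestContext.getEntityStream());
        containerRequestContext.setEntityStream(new ByteArrayInputStream(body));
        try {
            Map<?, ?> fields = OBJECT_MAPPER.readValue(body, Map.class);
            Object encoded = fields == null ? null : fields.get(OTP_FIELD);
            if (!(encoded instanceof String)) {
                throw new UnauthenticatedException("Missing one-time password");
            }
            return new String(Base64.getDecoder().decode((String) encoded), StandardCharsets.UTF_8);
        } catch (IOException | IllegalArgumentException e) {
            // The body carries the OTP; log only why it was rejected.
            logger.info("Malformed one-time password request: {}", e.getMessage());
            throw new UnauthenticatedException("Invalid one-time password request");
        }
    }

    /**
     * Refreshes an existing LDAP-backed user; on a validation failure the subject is logged out,
     * an audit entry is written and {@code null} is returned.
     */
    private User updateLdapUser(Subject subject, User user) {
        try {
            return this.userService.updateLdapUser(user);
        } catch (ConstraintViolationException e) {
            logger.error("Cannot update LDAP user due to: {}", e.getMessage());
            this.logService.addLogEntry(MessageCode.UPDATE_LDAP_USER_ERROR, LogEntry.Severity.ERROR, ImmutableMap.of("login", user.getLogin(), "validationErrors", e.getMessage()));
            subject.logout();
            return null;
        }
    }

    /**
     * Provisions a user for a login that succeeded against LDAP; on a validation failure the
     * subject is logged out, an audit entry is written and {@code null} is returned.
     */
    private User createLdapUser(Subject subject, UsernamePasswordToken usernamePasswordToken) {
        try {
            return this.userService.createLdapUser(usernamePasswordToken);
        } catch (ConstraintViolationException e) {
            String login = subject.getPrincipal().toString();
            logger.error("Cannot create LDAP user {} due to: {}", login, e.getMessage());
            this.logService.addLogEntry(MessageCode.CREATE_LDAP_USER_ERROR, LogEntry.Severity.ERROR, ImmutableMap.of("login", login, "validationErrors", e.getMessage()));
            subject.logout();
            return null;
        }
    }

    /**
     * Decodes the base64 part of a {@code Basic} header into a Shiro username/password token.
     *
     * @param str the header value after {@code "Basic "}
     * @throws UnauthenticatedException when the value is not base64, is not of the form
     *         {@code user-id:password}, or carries an empty password
     */
    public static UsernamePasswordToken getAuthenticationTokenFromBasic(String str) {
        try {
            String credentials = new String(Base64.getDecoder().decode(str), StandardCharsets.UTF_8);
            // Limit 2: only the first delimiter separates user-id from password, so passwords that
            // themselves contain the delimiter are preserved intact.
            String[] parts = credentials.split(UserInteraction.DEFAULT_CHECK_INTERACTIVE_PASSWORD_DELIM, 2);
            if (parts.length != 2) {
                throw new IllegalArgumentException("credentials are not in user-id:password form");
            }
            // An empty password must never reach a realm: LDAP servers may treat a bind with an
            // empty password as an anonymous bind and report success.
            if (parts[1].isEmpty()) {
                throw new IllegalArgumentException("empty password");
            }
            return new UsernamePasswordToken(parts[0], parts[1]);
        } catch (Exception e) {
            // `str` is the plaintext credential pair, merely base64-encoded; do not log it.
            logger.info("Incorrect basic auth attempt: {}", e.getMessage());
            throw new UnauthenticatedException("Invalid, malformed or expired Basic header");
        }
    }

    /**
     * Parses a bearer JWT into the matching Shiro token: {@link JwtOneTimePasswordToken} for an
     * {@code OTP}-typed token, {@link JwtToken} otherwise.
     *
     * @throws UnauthenticatedException when the JWT is expired, malformed, unsupported, has a bad
     *         signature or is otherwise rejected by {@link JwtService}
     */
    private AuthenticationToken getAuthenticationTokenFromJwt(String str) {
        try {
            Pair<String, JwtTokenType> subjectAndType = this.jwtService.parseTokenToSubjectAndType(str);
            String tokenSubject = subjectAndType.getLeft();
            if (subjectAndType.getRight().equals(JwtTokenType.OTP)) {
                return new JwtOneTimePasswordToken(tokenSubject, str);
            }
            return new JwtToken(tokenSubject, str);
        } catch (ExpiredJwtException | MalformedJwtException | UnsupportedJwtException | SignatureException | IllegalArgumentException e) {
            // The token is a bearer credential: record why it was rejected, never the token itself.
            logger.info("Incorrect bearer auth attempt: {}: {}", e.getClass().getSimpleName(), e.getMessage());
            throw new UnauthenticatedException("Invalid, malformed or expired JWT");
        }
    }
}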
