package sirius.web.security;

import com.google.common.base.Charsets;
import com.google.common.collect.Sets;
import com.google.common.hash.HashFunction;
import com.google.common.hash.Hashing;
import java.time.Duration;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import java.util.concurrent.TimeUnit;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import sirius.kernel.commons.Strings;
import sirius.kernel.commons.Tuple;
import sirius.kernel.commons.Value;
import sirius.kernel.health.Exceptions;
import sirius.kernel.health.HandledException;
import sirius.kernel.nls.NLS;
import sirius.kernel.settings.Extension;
import sirius.web.controller.Message;
import sirius.web.http.WebContext;
import sirius.web.security.UserInfo;

/* loaded from: input_file:sirius/web/security/GenericUserManager.class */
public abstract class GenericUserManager implements UserManager {
    private static final long DEFAULT_SSO_GRACE_INTERVAL = TimeUnit.HOURS.toSeconds(24);
    private static final String SUFFIX_USER_ID = "-user-id";
    private static final String SUFFIX_TENANT_ID = "-tenant-id";
    private static final String SUFFIX_TTL = "-ttl";
    protected final ScopeInfo scope;
    protected final Extension config;
    protected final String hashFunction;
    protected final long ssoGraceInterval;
    protected boolean ssoEnabled;
    protected boolean keepLoginEnabled;
    protected String ssoSecret;
    protected List<String> publicRoles;
    protected List<String> defaultRoles;
    protected Duration loginTTL;
    protected UserInfo defaultUser;

    /* JADX INFO: Access modifiers changed from: protected */
    public GenericUserManager(ScopeInfo scopeInfo, Extension extension) {
        this.scope = scopeInfo;
        this.config = extension;
        this.ssoSecret = extension.get("ssoSecret").asString();
        this.hashFunction = extension.get("hashFunction").asString("md5");
        this.ssoEnabled = Strings.isFilled(this.ssoSecret) && extension.get("ssoEnabled").asBoolean(false);
        this.ssoGraceInterval = extension.get("ssoGraceInterval").asLong(DEFAULT_SSO_GRACE_INTERVAL);
        this.keepLoginEnabled = extension.get("keepLoginEnabled").asBoolean(true);
        this.publicRoles = (List) extension.get("publicRoles").get(List.class, Collections.emptyList());
        this.defaultRoles = (List) extension.get("defaultRoles").get(List.class, Collections.emptyList());
        this.loginTTL = (Duration) extension.get("loginTTL").get(Duration.class, Duration.ofDays(90L));
        this.defaultUser = buildDefaultUser();
    }

    protected UserInfo buildDefaultUser() {
        return UserInfo.Builder.createUser("(nobody)").withUsername("(nobody)").withPermissions(determineRolesOfDefaultUser()).build();
    }

    protected Set<String> determineRolesOfDefaultUser() {
        return Permissions.applyProfilesAndPublicRoles(this.publicRoles);
    }

    protected abstract Object getUserObject(UserInfo userInfo);

    @Nonnull
    protected UserSettings getUserSettings(@Nonnull UserSettings userSettings, UserInfo userInfo) {
        return userSettings;
    }

    @Override // sirius.web.security.UserManager
    @Nonnull
    public UserInfo bindToRequest(@Nonnull WebContext webContext) {
        UserInfo findUserInSession = findUserInSession(webContext);
        if (findUserInSession != null) {
            return findUserInSession;
        }
        try {
            UserInfo loginViaUsernameAndPassword = loginViaUsernameAndPassword(webContext);
            if (loginViaUsernameAndPassword != null) {
                onLogin(webContext, loginViaUsernameAndPassword);
                return loginViaUsernameAndPassword;
            }
        } catch (Exception e) {
            UserContext.message(Message.error((Throwable) Exceptions.handle(UserContext.LOG, e)));
        } catch (HandledException e2) {
            UserContext.message(Message.error(e2.getMessage()));
        }
        UserInfo loginViaSSOToken = loginViaSSOToken(webContext);
        if (loginViaSSOToken == null) {
            return this.defaultUser;
        }
        onLogin(webContext, loginViaSSOToken);
        return loginViaSSOToken;
    }

    @Override // sirius.web.security.UserManager
    @Nonnull
    public UserInfo findUserForRequest(@Nonnull WebContext webContext) {
        UserInfo findUserInSession = findUserInSession(webContext);
        return findUserInSession != null ? findUserInSession : this.defaultUser;
    }

    private void onLogin(WebContext webContext, UserInfo userInfo) {
        updateLoginCookie(webContext, userInfo);
        recordUserLogin(webContext, userInfo);
    }

    protected void recordUserLogin(WebContext webContext, UserInfo userInfo) {
    }

    public void updateLoginCookie(WebContext webContext, UserInfo userInfo, boolean z) {
        webContext.setCustomSessionCookieTTL((this.keepLoginEnabled && z) ? null : Duration.ZERO);
        webContext.setSessionValue(this.scope.getScopeId() + SUFFIX_USER_ID, userInfo.getUserId());
        webContext.setSessionValue(this.scope.getScopeId() + SUFFIX_TENANT_ID, userInfo.getTenantId());
        webContext.setSessionValue(this.scope.getScopeId() + SUFFIX_TTL, Long.valueOf(TimeUnit.SECONDS.convert(System.currentTimeMillis(), TimeUnit.MILLISECONDS) + this.loginTTL.getSeconds()));
    }

    protected void updateLoginCookie(WebContext webContext, UserInfo userInfo) {
        updateLoginCookie(webContext, userInfo, webContext.get("keepLogin").asBoolean(false));
    }

    private UserInfo loginViaSSOToken(WebContext webContext) {
        Tuple<String, String> extractChallengeAndResponse;
        if (!this.ssoEnabled) {
            return null;
        }
        String trim = webContext.get("user").trim();
        if (Strings.isEmpty(trim) || (extractChallengeAndResponse = extractChallengeAndResponse(webContext)) == null) {
            return null;
        }
        webContext.hidePost();
        UserInfo findUserByName = findUserByName(webContext, trim);
        if (findUserByName == null) {
            UserContext.message(Message.error(NLS.get("GenericUserManager.invalidSSO")));
            return null;
        }
        if (!checkTokenTTL(Value.of(extractChallengeAndResponse.getFirst()).asLong(0L), this.ssoGraceInterval)) {
            log("SSO-Login of %s failed due to outdated timestamp in token: %s", trim, extractChallengeAndResponse);
            return null;
        }
        if (checkTokenValidity(trim, extractChallengeAndResponse)) {
            log("SSO-Login of %s succeeded with token: %s", trim, extractChallengeAndResponse);
            return findUserByName;
        }
        log("SSO-Login of %s failed due to invalid hash in token: %s", trim, extractChallengeAndResponse);
        return null;
    }

    protected Tuple<String, String> extractChallengeAndResponse(WebContext webContext) {
        String trim = webContext.get("token").trim();
        if (Strings.isFilled(trim)) {
            return Strings.split(trim, ":");
        }
        String trim2 = webContext.get("hash").trim();
        String trim3 = webContext.get("timestamp").trim();
        if (Strings.isFilled(trim2) && Strings.isFilled(trim3)) {
            return Tuple.create(trim3, trim2);
        }
        return null;
    }

    private boolean checkTokenTTL(long j, long j2) {
        return Math.abs(j - (System.currentTimeMillis() / 1000)) < j2;
    }

    private boolean checkTokenValidity(String str, Tuple<String, String> tuple) {
        return getSSOHashFunction().hashBytes(computeSSOHashInput(str, (String) tuple.getFirst()).getBytes(Charsets.UTF_8)).toString().equalsIgnoreCase((String) tuple.getSecond());
    }

    public String computeSSOToken(String str) {
        String valueOf = String.valueOf(System.currentTimeMillis() / 1000);
        return valueOf + ":" + getSSOHashFunction().hashBytes(computeSSOHashInput(str, valueOf).getBytes(Charsets.UTF_8)).toString();
    }

    protected HashFunction getSSOHashFunction() {
        if ("md5".equalsIgnoreCase(this.hashFunction)) {
            return Hashing.md5();
        }
        if ("sha1".equalsIgnoreCase(this.hashFunction)) {
            return Hashing.sha1();
        }
        throw Exceptions.handle().to(UserContext.LOG).withSystemErrorMessage("No valid hash function was given ('%s'). Cannot compute SSO token. Pick either md5 or sha1", new Object[]{this.hashFunction}).handle();
    }

    protected String computeSSOHashInput(String str, String str2) {
        return str + str2 + this.ssoSecret;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public Set<String> transformRoles(Collection<String> collection) {
        TreeSet newTreeSet = Sets.newTreeSet(collection);
        newTreeSet.addAll(this.defaultRoles);
        return Permissions.applyProfilesAndPublicRoles(newTreeSet);
    }

    protected void log(String str, Object... objArr) {
        UserContext.LOG.FINE("UserManager '%s' for scope '%s' (%s) - %s", new Object[]{getClass().getSimpleName(), this.scope.getScopeId(), this.scope.getScopeType(), Strings.apply(str, objArr)});
    }

    private UserInfo loginViaUsernameAndPassword(WebContext webContext) {
        if (!webContext.get("user").isFilled() || !webContext.get("password").isFilled()) {
            return null;
        }
        webContext.hidePost();
        String trim = webContext.get("user").trim();
        UserInfo findUserByCredentials = findUserByCredentials(webContext, trim, webContext.get("password").trim());
        if (findUserByCredentials != null) {
            log("Login of %s succeeded using password", trim);
            return findUserByCredentials;
        }
        log("Login of %s failed using password", trim);
        UserContext.message(Message.error(NLS.get("GenericUserManager.invalidLogin")));
        return null;
    }

    protected UserInfo findUserInSession(WebContext webContext) {
        Set<String> computeRoles;
        Value sessionValue = webContext.getSessionValue(this.scope.getScopeId() + SUFFIX_USER_ID);
        String asString = webContext.getSessionValue(this.scope.getScopeId() + SUFFIX_TENANT_ID).asString();
        Long l = webContext.getSessionValue(this.scope.getScopeId() + SUFFIX_TTL).getLong();
        if ((l == null || l.longValue() >= TimeUnit.SECONDS.convert(System.currentTimeMillis(), TimeUnit.MILLISECONDS)) && sessionValue.isFilled() && isUserStillValid(sessionValue.asString()) && (computeRoles = computeRoles(webContext, sessionValue.asString())) != null) {
            return UserInfo.Builder.createUser(sessionValue.asString()).withUsername(computeUsername(webContext, sessionValue.asString())).withTenantId(asString).withTenantName(computeTenantname(webContext, asString)).withLang(computeLang(webContext, sessionValue.asString())).withPermissions(computeRoles).withSettingsSupplier(userInfo -> {
                return getUserSettings(getScopeSettings(), userInfo);
            }).withUserSupplier(this::getUserObject).build();
        }
        return null;
    }

    protected boolean isUserStillValid(String str) {
        return true;
    }

    protected UserSettings getScopeSettings() {
        return UserContext.getCurrentScope().getSettings();
    }

    @Nullable
    protected abstract Set<String> computeRoles(@Nullable WebContext webContext, String str);

    @Nonnull
    protected abstract String computeUsername(@Nullable WebContext webContext, String str);

    @Nonnull
    protected abstract String computeTenantname(@Nullable WebContext webContext, String str);

    @Nonnull
    protected abstract String computeLang(WebContext webContext, String str);

    @Override // sirius.web.security.UserManager
    public void logout(@Nonnull WebContext webContext) {
        webContext.setSessionValue(this.scope.getScopeId() + SUFFIX_TENANT_ID, null);
        webContext.setSessionValue(this.scope.getScopeId() + SUFFIX_USER_ID, null);
        webContext.setSessionValue(this.scope.getScopeId() + SUFFIX_TTL, null);
    }

    @Override // sirius.web.security.UserManager
    public boolean isLoginSupported() {
        return true;
    }

    @Override // sirius.web.security.UserManager
    public boolean isKeepLoginSupported() {
        return this.keepLoginEnabled;
    }
}
