package com.gentics.mesh.auth.provider;

import com.gentics.madl.tx.Tx;
import com.gentics.mesh.Mesh;
import com.gentics.mesh.auth.AuthenticationResult;
import com.gentics.mesh.cli.BootstrapInitializer;
import com.gentics.mesh.context.InternalActionContext;
import com.gentics.mesh.core.data.MeshAuthUser;
import com.gentics.mesh.core.data.MeshVertex;
import com.gentics.mesh.core.rest.auth.TokenResponse;
import com.gentics.mesh.core.rest.error.Errors;
import com.gentics.mesh.etc.config.AuthenticationOptions;
import com.gentics.mesh.graphdb.spi.Database;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.vertx.core.AsyncResult;
import io.vertx.core.Future;
import io.vertx.core.Handler;
import io.vertx.core.Vertx;
import io.vertx.core.json.JsonObject;
import io.vertx.core.logging.Logger;
import io.vertx.core.logging.LoggerFactory;
import io.vertx.ext.auth.AuthProvider;
import io.vertx.ext.auth.KeyStoreOptions;
import io.vertx.ext.auth.User;
import io.vertx.ext.auth.jwt.JWTAuth;
import io.vertx.ext.auth.jwt.JWTAuthOptions;
import io.vertx.ext.jwt.JWTOptions;
import io.vertx.ext.web.Cookie;
import javax.inject.Inject;
import javax.inject.Singleton;
import org.apache.commons.lang.NotImplementedException;
import org.apache.commons.lang3.StringUtils;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Singleton
/* loaded from: input_file:com/gentics/mesh/auth/provider/MeshJWTAuthProvider.class */
public class MeshJWTAuthProvider implements AuthProvider, JWTAuth {
    private static final Logger log = LoggerFactory.getLogger(MeshJWTAuthProvider.class);
    private JWTAuth jwtProvider;
    public static final String TOKEN_COOKIE_KEY = "mesh.token";
    private static final String USERID_FIELD_NAME = "userUuid";
    private static final String API_KEY_TOKEN_CODE_FIELD_NAME = "jti";
    protected Database db;
    private BCryptPasswordEncoder passwordEncoder;
    private BootstrapInitializer boot;

    @Inject
    public MeshJWTAuthProvider(Vertx vertx, BCryptPasswordEncoder bCryptPasswordEncoder, Database database, BootstrapInitializer bootstrapInitializer) {
        this.passwordEncoder = bCryptPasswordEncoder;
        this.db = database;
        this.boot = bootstrapInitializer;
        AuthenticationOptions authenticationOptions = Mesh.mesh().getOptions().getAuthenticationOptions();
        String keystorePassword = authenticationOptions.getKeystorePassword();
        if (keystorePassword == null) {
            throw new RuntimeException("The keystore password could not be found within the authentication options.");
        }
        String keystorePath = authenticationOptions.getKeystorePath();
        JWTAuthOptions jWTAuthOptions = new JWTAuthOptions();
        jWTAuthOptions.setKeyStore(new KeyStoreOptions().setPath(keystorePath).setPassword(keystorePassword).setType("jceks"));
        this.jwtProvider = JWTAuth.create(vertx, new JWTAuthOptions(jWTAuthOptions));
    }

    public void authenticateJWT(JsonObject jsonObject, Handler<AsyncResult<AuthenticationResult>> handler) {
        if (jsonObject.getString("jwt") != null) {
            this.jwtProvider.authenticate(jsonObject, asyncResult -> {
                if (asyncResult.failed()) {
                    if (log.isDebugEnabled()) {
                        log.debug("Could not authenticate token.", asyncResult.cause());
                    } else {
                        log.warn("Could not authenticate token.");
                    }
                    handler.handle(Future.failedFuture("Invalid Token"));
                    return;
                }
                JsonObject principal = ((User) asyncResult.result()).principal();
                try {
                    AuthenticationResult authenticationResult = new AuthenticationResult(loadUserByJWT(principal));
                    if (principal.containsKey(API_KEY_TOKEN_CODE_FIELD_NAME)) {
                        authenticationResult.setUsingAPIKey(true);
                    }
                    handler.handle(Future.succeededFuture(authenticationResult));
                } catch (Exception e) {
                    handler.handle(Future.failedFuture(e));
                }
            });
        } else {
            authenticate(jsonObject.getString("username"), jsonObject.getString("password"), jsonObject.getString("newPassword"), handler);
        }
    }

    public void authenticate(JsonObject jsonObject, Handler<AsyncResult<User>> handler) {
        throw new NotImplementedException();
    }

    public String generateToken(JsonObject jsonObject, JWTOptions jWTOptions) {
        throw new NotImplementedException();
    }

    public void generateToken(String str, String str2, String str3, Handler<AsyncResult<String>> handler) {
        authenticate(str, str2, str3, asyncResult -> {
            String string;
            if (asyncResult.failed()) {
                handler.handle(Future.failedFuture(asyncResult.cause()));
                return;
            }
            User user = ((AuthenticationResult) asyncResult.result()).getUser();
            if (user instanceof MeshAuthUser) {
                Database database = this.db;
                MeshAuthUser meshAuthUser = (MeshAuthUser) user;
                meshAuthUser.getClass();
                string = (String) database.tx(meshAuthUser::getUuid);
            } else {
                string = user.principal().getString(MeshVertex.UUID_KEY);
            }
            handler.handle(Future.succeededFuture(this.jwtProvider.generateToken(new JsonObject().put(USERID_FIELD_NAME, string), new JWTOptions().setExpiresInSeconds(Mesh.mesh().getOptions().getAuthenticationOptions().getTokenExpirationTime()))));
        });
    }

    private void authenticate(String str, String str2, String str3, Handler<AsyncResult<AuthenticationResult>> handler) {
        MeshAuthUser meshAuthUser = (MeshAuthUser) this.db.tx(() -> {
            return this.boot.userRoot().findMeshAuthUserByUsername(str);
        });
        if (meshAuthUser == null) {
            if (log.isDebugEnabled()) {
                log.debug("Could not load user with username {" + str + "}.");
            }
            handler.handle(Future.failedFuture(Errors.error(HttpResponseStatus.UNAUTHORIZED, "auth_login_failed", new String[0])));
            return;
        }
        Database database = this.db;
        meshAuthUser.getClass();
        String str4 = (String) database.tx(meshAuthUser::getPasswordHash);
        if (StringUtils.isEmpty(str4) && str2 != null) {
            if (log.isDebugEnabled()) {
                log.debug("The account password hash or token password string are invalid.");
            }
            handler.handle(Future.failedFuture(Errors.error(HttpResponseStatus.UNAUTHORIZED, "auth_login_failed", new String[0])));
            return;
        }
        if (log.isDebugEnabled()) {
            log.debug("Validating password using the bcrypt password encoder");
        }
        if (!this.passwordEncoder.matches(str2, str4)) {
            handler.handle(Future.failedFuture(Errors.error(HttpResponseStatus.UNAUTHORIZED, "auth_login_failed", new String[0])));
            return;
        }
        Database database2 = this.db;
        meshAuthUser.getClass();
        boolean booleanValue = ((Boolean) database2.tx(meshAuthUser::isForcedPasswordChange)).booleanValue();
        if (booleanValue && str3 == null) {
            handler.handle(Future.failedFuture(Errors.error(HttpResponseStatus.BAD_REQUEST, "auth_login_password_change_required", new String[0])));
            return;
        }
        if (!booleanValue && str3 != null) {
            handler.handle(Future.failedFuture(Errors.error(HttpResponseStatus.BAD_REQUEST, "auth_login_newpassword_failed", new String[0])));
            return;
        }
        if (booleanValue) {
            this.db.tx(() -> {
                return meshAuthUser.setPassword(str3);
            });
        }
        handler.handle(Future.succeededFuture(new AuthenticationResult(meshAuthUser)));
    }

    public String generateToken(User user) {
        if (!(user instanceof MeshAuthUser)) {
            log.error("Can't generate token for user of type {" + user.getClass().getName() + "}");
            throw Errors.error(HttpResponseStatus.INTERNAL_SERVER_ERROR, "error_internal", new String[0]);
        }
        AuthenticationOptions authenticationOptions = Mesh.mesh().getOptions().getAuthenticationOptions();
        JsonObject jsonObject = new JsonObject();
        Database database = this.db;
        MeshAuthUser meshAuthUser = (MeshAuthUser) user;
        meshAuthUser.getClass();
        return this.jwtProvider.generateToken(jsonObject.put(USERID_FIELD_NAME, (String) database.tx(meshAuthUser::getUuid)), new JWTOptions().setAlgorithm(authenticationOptions.getAlgorithm()).setExpiresInSeconds(authenticationOptions.getTokenExpirationTime()));
    }

    public String generateAPIToken(com.gentics.mesh.core.data.User user, String str, Integer num) {
        AuthenticationOptions authenticationOptions = Mesh.mesh().getOptions().getAuthenticationOptions();
        JsonObject put = new JsonObject().put(USERID_FIELD_NAME, user.getUuid()).put(API_KEY_TOKEN_CODE_FIELD_NAME, str);
        JWTOptions algorithm = new JWTOptions().setAlgorithm(authenticationOptions.getAlgorithm());
        if (num != null) {
            algorithm.setExpiresInMinutes(num.intValue());
        }
        return this.jwtProvider.generateToken(put, algorithm);
    }

    private User loadUserByJWT(JsonObject jsonObject) throws Exception {
        String string;
        Tx tx = this.db.tx();
        Throwable th = null;
        try {
            String string2 = jsonObject.getString(USERID_FIELD_NAME);
            MeshAuthUser findMeshAuthUserByUuid = this.boot.userRoot().findMeshAuthUserByUuid(string2);
            if (findMeshAuthUserByUuid == null) {
                if (log.isDebugEnabled()) {
                    log.debug("Could not load user with UUID {" + string2 + "}.");
                }
                throw new Exception("Invalid credentials!");
            }
            findMeshAuthUserByUuid.setCachedUuid(string2);
            if (!jsonObject.containsKey("exp") && (string = jsonObject.getString(API_KEY_TOKEN_CODE_FIELD_NAME)) != null) {
                String aPIKeyTokenCode = findMeshAuthUserByUuid.getAPIKeyTokenCode();
                if (string != null && !string.equals(aPIKeyTokenCode)) {
                    throw new Exception("API key token is invalid.");
                }
            }
            return findMeshAuthUserByUuid;
        } finally {
            if (tx != null) {
                if (0 != 0) {
                    try {
                        tx.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                } else {
                    tx.close();
                }
            }
        }
    }

    public void login(InternalActionContext internalActionContext, String str, String str2, String str3) {
        generateToken(str, str2, str3, asyncResult -> {
            if (asyncResult.failed()) {
                throw ((RuntimeException) asyncResult.cause());
            }
            internalActionContext.addCookie(Cookie.cookie(TOKEN_COOKIE_KEY, (String) asyncResult.result()).setMaxAge(Mesh.mesh().getOptions().getAuthenticationOptions().getTokenExpirationTime()).setPath("/"));
            internalActionContext.send(new TokenResponse((String) asyncResult.result()).toJson());
        });
    }
}
