package org.eclipse.kura.internal.rest.provider;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Base64;
import java.util.Dictionary;
import java.util.Objects;
import java.util.Optional;
import java.util.StringTokenizer;
import javax.annotation.Priority;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.ext.Provider;
import org.eclipse.kura.audit.AuditConstants;
import org.eclipse.kura.audit.AuditContext;
import org.eclipse.kura.crypto.CryptoService;
import org.eclipse.kura.rest.auth.AuthenticationProvider;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceRegistration;
import org.osgi.service.useradmin.Role;
import org.osgi.service.useradmin.User;
import org.osgi.service.useradmin.UserAdmin;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

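/**
 * REST authentication provider that validates HTTP Basic credentials against
 * the password credential stored on a UserAdmin user.
 *
 * <p>The role looked up is {@code "kura.user." + username}. Authentication is
 * refused when the role is not a {@link User}, when the user's
 * {@code kura.need.password.change} property is {@code "true"}, when no
 * {@code kura.password} credential is stored, or when the hash of the presented
 * password differs from the stored value. Every outcome is reported as
 * {@link Optional#empty()} so the caller cannot tell which check failed.
 *
 * <p>While enabled, a response filter is registered that adds a
 * {@code WWW-Authenticate: Basic} challenge to 401 and 403 responses.
 */
@Priority(200)
public class PasswordAuthenticationProvider implements AuthenticationProvider {
    private static final String PASSWORD_AUTH_FAILED_MSG = "{} Rest - Failure - Authentication failed as username or password not matching";
    private static final String KURA_USER_PREFIX = "kura.user.";
    private static final String KURA_NEED_PASSWORD_CHANGE = "kura.need.password.change";
    private static final String KURA_PASSWORD_CREDENTIAL = "kura.password";
    private final UserAdmin userAdmin;
    private final CryptoService cryptoService;
    private final BundleContext bundleContext;
    private Optional<ServiceRegistration<ContainerResponseFilter>> registration = Optional.empty();
    private static final Logger logger = LoggerFactory.getLogger(PasswordAuthenticationProvider.class);
    private static final Logger auditLogger = LoggerFactory.getLogger("AuditLogger");
    private static final Base64.Decoder BASE64_DECODER = Base64.getDecoder();

    /**
     * Adds the Basic challenge header to 401 and 403 responses so that HTTP
     * clients know which scheme and realm to use.
     */
    @Provider
    private static class AuthenticateResponseFilter implements ContainerResponseFilter {
        private AuthenticateResponseFilter() {
        }

        @Override
        public void filter(ContainerRequestContext containerRequestContext, ContainerResponseContext containerResponseContext) throws IOException {
            final int status = containerResponseContext.getStatus();
            if (status == 401 || status == 403) {
                containerResponseContext.getHeaders().add("WWW-Authenticate", "Basic realm=\"kura-rest-api\"");
            }
        }
    }

    /**
     * Username/password pair decoded from a Basic {@code Authorization} header.
     * The password is held as a plain {@code String}; instances should stay
     * short-lived and must never be logged.
     */
    public static class RequestCredentials {
        final String username;
        final String password;

        RequestCredentials(String str, String str2) {
            this.username = str;
            this.password = str2;
        }

        /**
         * Decodes the Base64 payload of a Basic header and splits it at the
         * first colon; everything after that colon is the password, so the
         * password itself may contain colons.
         *
         * @param str the Base64 token that follows the {@code Basic} scheme
         * @return the decoded credentials
         * @throws IllegalArgumentException if the token is not valid Base64 or
         *         the decoded text contains no colon separator
         */
        static RequestCredentials fromBasicAuthorizationHeader(String str) {
            final String decoded = new String(PasswordAuthenticationProvider.BASE64_DECODER.decode(str), StandardCharsets.UTF_8);
            final int separator = decoded.indexOf(':');
            if (separator < 0) {
                // Fail with a clear cause instead of the StringIndexOutOfBoundsException
                // that substring(0, -1) would raise. The message deliberately omits
                // the decoded value, which may contain a secret.
                throw new IllegalArgumentException("Basic credentials are missing the ':' separator");
            }
            return new RequestCredentials(decoded.substring(0, separator), decoded.substring(separator + 1));
        }
    }

    /**
     * @param bundleContext used to register and unregister the challenge filter
     * @param userAdmin source of user roles and their stored credentials
     * @param cryptoService used to hash the presented password
     */
    public PasswordAuthenticationProvider(BundleContext bundleContext, UserAdmin userAdmin, CryptoService cryptoService) {
        this.userAdmin = userAdmin;
        this.cryptoService = cryptoService;
        this.bundleContext = bundleContext;
    }

    /**
     * Attempts HTTP Basic authentication for the request.
     *
     * @param httpServletRequest not used by this provider
     * @param containerRequestContext request whose {@code Authorization} header is read
     * @return a principal named after the authenticated user, or
     *         {@link Optional#empty()} when the header is absent, uses another
     *         scheme, is malformed, or the credentials are rejected
     */
    @Override // org.eclipse.kura.rest.auth.AuthenticationProvider
    public Optional<Principal> authenticate(HttpServletRequest httpServletRequest, ContainerRequestContext containerRequestContext) {
        final AuditContext auditContext = AuditContext.currentOrInternal();
        final String authorization = containerRequestContext.getHeaderString("Authorization");
        if (authorization == null) {
            return Optional.empty();
        }
        final StringTokenizer tokens = new StringTokenizer(authorization);
        // An empty or whitespace-only header has no tokens; without this guard
        // nextToken() throws NoSuchElementException outside the try block and the
        // exception escapes to the container instead of yielding a clean rejection.
        if (!tokens.hasMoreTokens() || !"Basic".equals(tokens.nextToken())) {
            return Optional.empty();
        }
        try {
            final RequestCredentials credentials = RequestCredentials.fromBasicAuthorizationHeader(tokens.nextToken());
            // NOTE(review): the identity recorded here is client-supplied and not yet
            // verified; confirm the audit log formatter neutralises control characters.
            auditContext.getProperties().put(AuditConstants.KEY_IDENTITY.getValue(), credentials.username);
            final Role role = this.userAdmin.getRole(KURA_USER_PREFIX + credentials.username);
            if (!(role instanceof User)) {
                auditLogger.warn(PASSWORD_AUTH_FAILED_MSG, auditContext);
                return Optional.empty();
            }
            final User user = (User) role;
            // NOTE(review): this rejection happens before the password is checked and
            // writes no audit entry, unlike every other failure path - confirm intended.
            if ("true".equals(user.getProperties().get(KURA_NEED_PASSWORD_CHANGE))) {
                return Optional.empty();
            }
            final String storedHash = (String) user.getCredentials().get(KURA_PASSWORD_CREDENTIAL);
            if (storedHash == null) {
                auditLogger.warn(PASSWORD_AUTH_FAILED_MSG, auditContext);
                return Optional.empty();
            }
            try {
                // NOTE(review): the stored credential is matched against
                // cryptoService.sha256Hash(password). If that is a single unsalted
                // SHA-256 pass, stored values are cheap to brute-force once leaked;
                // the scheme is owned by CryptoService and cannot be changed here.
                final String presentedHash = this.cryptoService.sha256Hash(credentials.password);
                // MessageDigest.isEqual does not stop at the first differing byte,
                // unlike String.equals, so response time does not reveal how much
                // of the hash matched.
                final boolean matches = MessageDigest.isEqual(
                        presentedHash.getBytes(StandardCharsets.UTF_8),
                        storedHash.getBytes(StandardCharsets.UTF_8));
                if (matches) {
                    auditLogger.info("{} Rest - Success - Authentication succeeded via password provider", auditContext);
                    // Capture only the name so the returned principal does not keep
                    // the plaintext password reachable for its whole lifetime.
                    final String principalName = credentials.username;
                    return Optional.of(() -> principalName);
                }
                auditLogger.warn(PASSWORD_AUTH_FAILED_MSG, auditContext);
                return Optional.empty();
            } catch (Exception e) {
                auditLogger.warn(PASSWORD_AUTH_FAILED_MSG, auditContext);
                logger.warn("Failed to compute password hash", e);
                return Optional.empty();
            }
        } catch (Exception e2) {
            // Reached for a missing token, invalid Base64, a missing ':' separator,
            // or a credential of an unexpected type; all are treated as a failed login.
            logger.debug("failed to parse basic credentials", e2);
            auditLogger.warn(PASSWORD_AUTH_FAILED_MSG, auditContext);
            return Optional.empty();
        }
    }

    /**
     * Registers the challenge response filter as an OSGi service. Calling this
     * while already registered is a no-op.
     */
    @Override // org.eclipse.kura.rest.auth.AuthenticationProvider
    public void onEnabled() {
        if (this.registration.isPresent()) {
            return;
        }
        this.registration = Optional.of(this.bundleContext.registerService(ContainerResponseFilter.class, new AuthenticateResponseFilter(), (Dictionary<String, ?>) null));
    }

    /**
     * Unregisters the challenge response filter if it is registered and clears
     * the stored registration.
     */
    @Override // org.eclipse.kura.rest.auth.AuthenticationProvider
    public void onDisabled() {
        this.registration.ifPresent(ServiceRegistration::unregister);
        this.registration = Optional.empty();
    }
}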
