package org.eclipse.kura.internal.rest.auth;

import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.eclipse.kura.audit.AuditConstants;
import org.eclipse.kura.audit.AuditContext;
import org.eclipse.kura.internal.rest.auth.dto.AuthenticationInfoDTO;
import org.eclipse.kura.internal.rest.auth.dto.AuthenticationResponseDTO;
import org.eclipse.kura.internal.rest.auth.dto.IdentityInfoDTO;
import org.eclipse.kura.internal.rest.auth.dto.UpdatePasswordDTO;
import org.eclipse.kura.internal.rest.auth.dto.UsernamePasswordDTO;
import org.eclipse.kura.internal.rest.auth.dto.XsrfTokenDTO;
import org.eclipse.kura.internal.rest.provider.RestServiceOptions;
import org.eclipse.kura.request.handler.jaxrs.DefaultExceptionHandler;
import org.eclipse.kura.util.useradmin.UserAdminHelper;
import org.eclipse.kura.util.validation.PasswordStrengthValidators;
import org.eclipse.kura.util.validation.Validator;
import org.eclipse.kura.util.validation.ValidatorOptions;
import org.osgi.service.cm.ConfigurationAdmin;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

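/**
 * JAX-RS resource implementing the session based authentication API: password
 * and certificate login, XSRF token retrieval, password change, logout and
 * identity / authentication-method information.
 *
 * <p>Endpoints that depend on session management first check
 * {@code RestServiceOptions#isSessionManagementEnabled()} and answer
 * {@code 404 Not Found} when it is disabled, so a disabled feature looks like a
 * missing resource. Every authentication failure coming from
 * {@link UserAdminHelper} is written to the {@code AuditLogger} and mapped to an
 * HTTP status in {@link #toWebApplicationException(UserAdminHelper.AuthenticationException)}.
 *
 * <p>{@link #setOptions(RestServiceOptions)} must be called before any endpoint
 * is served: the endpoints dereference {@code options} without a null check.
 *
 * <p>Note: this listing was recovered from a decompiled class; the
 * decompiler-generated switch table and the broken local types it produced have
 * been replaced by a plain {@code switch} on the enum and explicit generics.
 */
@Path(SessionRestServiceConstants.BASE_PATH)
public class SessionRestService {

    private static final String AUDIT_FORMAT_STRING = "{} Rest - Failure - {}";
    private static final String INVALID_SESSION_MESSAGE = "Current session is not valid";
    private static final String BAD_USERNAME_OR_PASSWORD_MESSAGE = "Authentication failed as username or password not matching";
    private static final String PASSWORD_CHANGE_SAME_PASSWORD_MESSAGE = "Password change failed as previous password equals new one";
    private static final String IDENTITY_NOT_IN_ROLE_MESSAGE = "Identity does not have the required permissions";

    // Dedicated audit logger: successful and failed authentication-related operations are recorded here.
    private static final Logger auditLogger = LoggerFactory.getLogger("AuditLogger");

    private final UserAdminHelper userAdminHelper;
    private final RestSessionHelper restSessionHelper;
    private final ConfigurationAdmin configAdmin;

    // Injected after construction through setOptions(); read by every endpoint.
    private RestServiceOptions options;

    /**
     * Creates the resource with its collaborators.
     *
     * @param userAdminHelper    verifies credentials and manages identity passwords
     * @param restSessionHelper  creates, locks, unlocks and destroys HTTP sessions
     * @param configurationAdmin source of the console and HTTP service configuration
     */
    public SessionRestService(UserAdminHelper userAdminHelper, RestSessionHelper restSessionHelper,
            ConfigurationAdmin configurationAdmin) {
        this.userAdminHelper = userAdminHelper;
        this.restSessionHelper = restSessionHelper;
        this.configAdmin = configurationAdmin;
    }

    /**
     * Sets the options that enable or disable session management and the
     * individual authentication methods.
     *
     * @param restServiceOptions the current REST service options
     */
    public void setOptions(RestServiceOptions restServiceOptions) {
        this.options = restServiceOptions;
    }

    /**
     * Creates an authenticated session from a username and password.
     *
     * <p>The claimed username is attached to the audit context before the
     * credentials are checked, so failed attempts are attributed as well. When
     * the identity still has to change its password the new session is created
     * locked; {@link #updateUserPassword} unlocks it.
     *
     * @param usernamePasswordDTO credentials, validated via {@code validate()}
     * @param httpServletRequest  request on which the session is created
     * @return whether a password change is required before normal use
     * @throws WebApplicationException 404 if session management or password
     *         authentication is disabled; 401 on bad credentials; 403 if the
     *         identity lacks the required role
     */
    @POST
    @Path(SessionRestServiceConstants.LOGIN_PASSWORD_PATH)
    @Consumes({"application/json"})
    @Produces({"application/json"})
    public AuthenticationResponseDTO authenticateWithUsernameAndPassword(UsernamePasswordDTO usernamePasswordDTO,
            @Context HttpServletRequest httpServletRequest) {
        requireEnabled(this.options.isSessionManagementEnabled() && this.options.isPasswordAuthEnabled());

        final AuditContext auditContext = AuditContext.currentOrInternal();

        usernamePasswordDTO.validate();

        final String username = usernamePasswordDTO.getUsername();
        auditContext.getProperties().put(AuditConstants.KEY_IDENTITY.getValue(), username);

        try {
            this.userAdminHelper.verifyUsernamePassword(username, usernamePasswordDTO.getPassword());

            final HttpSession session = this.restSessionHelper.createNewAuthenticatedSession(httpServletRequest,
                    username);
            final AuthenticationResponseDTO response = buildAuthenticationResponse(username);

            // A pending password change yields a locked session; what a locked session may
            // do is decided by RestSessionHelper.
            if (response.isPasswordChangeNeeded()) {
                this.restSessionHelper.lockSession(session);
            }

            auditLogger.info("{} Rest - Success - Create session via password authentication succeeded",
                    auditContext);
            return response;
        } catch (UserAdminHelper.AuthenticationException e) {
            throw toWebApplicationException(e);
        }
    }

    /**
     * Creates an authenticated session from the client certificate presented on
     * the request.
     *
     * <p>NOTE(review): unlike the password login, a session created here is not
     * locked when a password change is pending; the response still reports the
     * flag. Confirm this asymmetry is intended.
     *
     * @param httpServletRequest      request on which the session is created
     * @param containerRequestContext JAX-RS context carrying the TLS client certificate
     * @return whether a password change is required
     * @throws WebApplicationException 404 if session management or certificate
     *         authentication is disabled; 401 if the certificate is not accepted
     */
    @POST
    @Path(SessionRestServiceConstants.LOGIN_CERTIFICATE_PATH)
    @Produces({"application/json"})
    public AuthenticationResponseDTO authenticateWithCertificate(@Context HttpServletRequest httpServletRequest,
            @Context ContainerRequestContext containerRequestContext) {
        requireEnabled(this.options.isSessionManagementEnabled() && this.options.isCertificateAuthEnabled());

        final Principal principal = new CertificateAuthenticationProvider(this.userAdminHelper)
                .authenticate(containerRequestContext, "Create session via certificate authentication")
                .orElseThrow(() -> DefaultExceptionHandler.buildWebApplicationException(Response.Status.UNAUTHORIZED,
                        "Certificate authentication failed"));

        final String username = principal.getName();
        this.restSessionHelper.createNewAuthenticatedSession(httpServletRequest, username);

        return buildAuthenticationResponse(username);
    }

    /**
     * Returns the XSRF token bound to the caller's session, creating it if needed.
     *
     * <p>Both an existing HTTP session and an authenticated principal are
     * required; either one missing is answered with the same 401 message.
     *
     * @param httpServletRequest      request carrying the session cookie
     * @param containerRequestContext JAX-RS context used to resolve the principal
     * @return the session's XSRF token
     * @throws WebApplicationException 404 if session management is disabled; 401
     *         without a valid authenticated session
     */
    @GET
    @Path(SessionRestServiceConstants.XSRF_TOKEN_PATH)
    public XsrfTokenDTO getXSRFToken(@Context HttpServletRequest httpServletRequest,
            @Context ContainerRequestContext containerRequestContext) {
        requireEnabled(this.options.isSessionManagementEnabled());

        final HttpSession session = this.restSessionHelper.getExistingSession(httpServletRequest)
                .orElseThrow(SessionRestService::invalidSession);
        requireCurrentPrincipal(containerRequestContext);

        return new XsrfTokenDTO(this.restSessionHelper.getOrCreateXsrfToken(session));
    }

    /**
     * Changes the password of the identity bound to the current session.
     *
     * <p>The current password is re-verified and the new one checked against
     * the configured strength validators before it is stored. A session that
     * was locked at login because a password change was pending is unlocked
     * afterwards.
     *
     * <p>NOTE(review): this endpoint does not check
     * {@code isSessionManagementEnabled()} like the others do; confirm whether
     * that is intentional.
     *
     * @param containerRequestContext JAX-RS context used to resolve the principal
     * @param httpServletRequest      request carrying the session to unlock
     * @param updatePasswordDTO       current and new password, validated via {@code validate()}
     * @throws WebApplicationException 401 without an authenticated principal or
     *         if the current password is wrong; 400 if the new password is too
     *         weak or equals the old one; 403 if the identity lacks the role
     */
    @POST
    @Path(SessionRestServiceConstants.CHANGE_PASSWORD_PATH)
    public void updateUserPassword(@Context ContainerRequestContext containerRequestContext,
            @Context HttpServletRequest httpServletRequest, UpdatePasswordDTO updatePasswordDTO) {
        updatePasswordDTO.validate();

        try {
            // A principal without a name is treated like no principal at all.
            final String username = this.restSessionHelper.getCurrentPrincipal(containerRequestContext)
                    .map(Principal::getName)
                    .orElseThrow(SessionRestService::invalidSession);

            // Re-authenticate before accepting any change.
            this.userAdminHelper.verifyUsernamePassword(username, updatePasswordDTO.getCurrentPassword());
            validatePasswordStrength(updatePasswordDTO.getNewPassword());
            this.userAdminHelper.changeUserPassword(username, updatePasswordDTO.getNewPassword());

            this.restSessionHelper.getExistingSession(httpServletRequest)
                    .ifPresent(this.restSessionHelper::unlockSession);
        } catch (UserAdminHelper.AuthenticationException e) {
            throw toWebApplicationException(e);
        }
    }

    /**
     * Destroys the caller's session.
     *
     * @param httpServletRequest      request carrying the session
     * @param httpServletResponse     response on which the session cookie is cleared
     * @param containerRequestContext JAX-RS context used to resolve the principal
     * @throws WebApplicationException 404 if session management is disabled; 401
     *         without an authenticated principal
     */
    @POST
    @Path(SessionRestServiceConstants.LOGOUT_PATH)
    public void logout(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse,
            @Context ContainerRequestContext containerRequestContext) {
        requireEnabled(this.options.isSessionManagementEnabled());
        requireCurrentPrincipal(containerRequestContext);

        this.restSessionHelper.logout(httpServletRequest, httpServletResponse);
        auditLogger.info("{} Rest - Success - Logout succeeded", AuditContext.currentOrInternal());
    }

    /**
     * Describes the identity bound to the current session: its name, whether a
     * password change is pending and its permissions.
     *
     * @param containerRequestContext JAX-RS context used to resolve the principal
     * @param httpServletRequest      unused, kept for the JAX-RS signature
     * @return the identity description
     * @throws WebApplicationException 404 if session management is disabled; 401
     *         without an authenticated principal
     */
    @GET
    @Path(SessionRestServiceConstants.CURRENT_IDENTITY)
    @Produces({"application/json"})
    public IdentityInfoDTO getCurrentIdentityInfo(@Context ContainerRequestContext containerRequestContext,
            @Context HttpServletRequest httpServletRequest) {
        requireEnabled(this.options.isSessionManagementEnabled());

        final String name = requireCurrentPrincipal(containerRequestContext).getName();

        return new IdentityInfoDTO(name, this.userAdminHelper.isPasswordChangeRequired(name),
                this.userAdminHelper.getIdentityPermissions(name));
    }

    /**
     * Reports which authentication methods are enabled, the HTTPS ports that
     * require mutual authentication and the configured login message.
     *
     * <p>This endpoint is not gated on session management and requires no
     * authentication; presumably the login page needs it before a session
     * exists. Certificate authentication is only reported as available when at
     * least one mutual-auth port is configured.
     *
     * @return the authentication method description
     */
    @GET
    @Path(SessionRestServiceConstants.AUTHENTICATION_INFO)
    @Produces({"application/json"})
    public AuthenticationInfoDTO getAuthenticationMethodInfo() {
        final boolean passwordAuthEnabled = this.options.isPasswordAuthEnabled();
        final boolean certificateAuthEnabled = this.options.isCertificateAuthEnabled();
        final String loginMessage = ConfigurationAdminHelper
                .getLoginMessage(ConfigurationAdminHelper.loadConsoleConfigurationProperties(this.configAdmin))
                .orElse(null);

        if (certificateAuthEnabled) {
            final Set<Integer> mutualAuthPorts = ConfigurationAdminHelper.getHttpsMutualAuthPorts(
                    ConfigurationAdminHelper.loadHttpServiceConfigurationProperties(this.configAdmin));
            if (!mutualAuthPorts.isEmpty()) {
                return new AuthenticationInfoDTO(passwordAuthEnabled, true, mutualAuthPorts, loginMessage);
            }
        }

        return new AuthenticationInfoDTO(passwordAuthEnabled, false, null, loginMessage);
    }

    /**
     * Checks a candidate password against the validators configured for the
     * console and rejects it on the first reported problem.
     *
     * @param password the new password to check
     * @throws WebApplicationException 400 carrying the first validator message
     */
    private void validatePasswordStrength(String password) {
        // Validator is kept as the raw type shown in the listing.
        // TODO(review): confirm whether Validator is parameterised and tighten to Validator<String>.
        final List<Validator> validators = PasswordStrengthValidators.fromConfig(
                new ValidatorOptions(ConfigurationAdminHelper.loadConsoleConfigurationProperties(this.configAdmin)));
        final List<String> errors = new ArrayList<>();

        for (final Validator validator : validators) {
            validator.validate(password, message -> errors.add((String) message));

            // Stop at the first validator that complains; only its first message is reported.
            if (!errors.isEmpty()) {
                throw DefaultExceptionHandler.buildWebApplicationException(Response.Status.BAD_REQUEST,
                        "The new password does not satisfy password strenght requirements: " + errors.get(0));
            }
        }
    }

    /**
     * Builds the login response for an identity.
     *
     * @param username the authenticated identity
     * @return response telling whether a password change is required
     */
    private AuthenticationResponseDTO buildAuthenticationResponse(String username) {
        return new AuthenticationResponseDTO(this.userAdminHelper.isPasswordChangeRequired(username));
    }

    /**
     * Answers 404 unless the given feature flag is set, so a disabled feature is
     * indistinguishable from an unknown resource.
     *
     * @param enabled the evaluated feature flag(s)
     * @throws WebApplicationException 404 when {@code enabled} is false
     */
    private static void requireEnabled(boolean enabled) {
        if (!enabled) {
            throw new WebApplicationException(Response.Status.NOT_FOUND);
        }
    }

    /**
     * Resolves the authenticated principal of the request or fails with 401.
     *
     * @param containerRequestContext JAX-RS context used to resolve the principal
     * @return the current principal
     * @throws WebApplicationException 401 when no principal is bound
     */
    private Principal requireCurrentPrincipal(ContainerRequestContext containerRequestContext) {
        return this.restSessionHelper.getCurrentPrincipal(containerRequestContext)
                .orElseThrow(SessionRestService::invalidSession);
    }

    /**
     * Builds the 401 response used whenever the caller has no valid session.
     *
     * @return the exception to throw
     */
    private static WebApplicationException invalidSession() {
        return DefaultExceptionHandler.buildWebApplicationException(Response.Status.UNAUTHORIZED,
                INVALID_SESSION_MESSAGE);
    }

    /**
     * Audits an authentication failure and maps it to the HTTP error to return.
     *
     * <p>Unknown user and wrong password share one message and status so the
     * response does not reveal which identities exist. Reasons without a
     * dedicated mapping (e.g. {@code ENCRYPTION_ERROR}) are reported as a
     * generic 500 without details.
     *
     * @param e the failure raised by {@link UserAdminHelper}
     * @return the exception the caller should throw
     */
    private static WebApplicationException toWebApplicationException(UserAdminHelper.AuthenticationException e) {
        final AuditContext auditContext = AuditContext.currentOrInternal();

        switch (e.getReason()) {
            case USER_NOT_FOUND:
            case INCORRECT_PASSWORD:
                auditLogger.warn(AUDIT_FORMAT_STRING, auditContext, BAD_USERNAME_OR_PASSWORD_MESSAGE);
                return DefaultExceptionHandler.buildWebApplicationException(Response.Status.UNAUTHORIZED,
                        BAD_USERNAME_OR_PASSWORD_MESSAGE);
            case USER_NOT_IN_ROLE:
                auditLogger.warn(AUDIT_FORMAT_STRING, auditContext, IDENTITY_NOT_IN_ROLE_MESSAGE);
                return DefaultExceptionHandler.buildWebApplicationException(Response.Status.FORBIDDEN,
                        IDENTITY_NOT_IN_ROLE_MESSAGE);
            case PASSWORD_CHANGE_WITH_SAME_PASSWORD:
                auditLogger.warn(AUDIT_FORMAT_STRING, auditContext, PASSWORD_CHANGE_SAME_PASSWORD_MESSAGE);
                return DefaultExceptionHandler.buildWebApplicationException(Response.Status.BAD_REQUEST,
                        PASSWORD_CHANGE_SAME_PASSWORD_MESSAGE);
            default:
                return DefaultExceptionHandler.buildWebApplicationException(Response.Status.INTERNAL_SERVER_ERROR,
                        "An internal error occurred");
        }
    }
}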
