package de.sep.sesam.restapi.authentication;

import de.sep.sesam.gui.common.DefaultUserNames;
import de.sep.sesam.gui.common.logging.ContextLogger;
import de.sep.sesam.gui.common.logging.LogGroup;
import de.sep.sesam.gui.common.logging.SepLogLevel;
import de.sep.sesam.gui.common.logging.SesamComponent;
import de.sep.sesam.gui.common.logging.messages.SecurityMessages;
import de.sep.sesam.gui.common.logging.messages.SimpleMessage;
import de.sep.sesam.gui.server.GUIServerParam;
import de.sep.sesam.model.Credentials;
import de.sep.sesam.model.Groups;
import de.sep.sesam.model.UserAllowedHosts;
import de.sep.sesam.model.Users;
import de.sep.sesam.model.dto.SEPAuthentication;
import de.sep.sesam.model.type.LoginType;
import de.sep.sesam.model.type.UserOrigin;
import de.sep.sesam.restapi.dao.DaoAccessor;
import de.sep.sesam.restapi.exception.AuthenticationException;
import de.sep.sesam.restapi.exception.ServiceException;
import de.sep.sesam.restapi.service.impl.LoginServiceImpl;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.commons.lang.StringUtils;
import org.springframework.beans.PropertyAccessor;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.jdbc.UncategorizedSQLException;
import org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider;
import org.xbill.DNS.Address;

/* loaded from: input_file:de/sep/sesam/restapi/authentication/DatabaseCredentialsLogin.class */
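/**
 * Login method that authenticates against the SEP sesam user database.
 *
 * <p>Two modes exist, selected by {@link LoginServiceImpl#isPolicyBasedPermissions()}:
 * <ul>
 *   <li>policy-based: the account is looked up by name and the client's address or one of the
 *       host names resolved for it must appear in the account's allowed hosts. No password is
 *       checked on this path, so the address in {@link SEPAuthentication#ip} is the credential;
 *       it has to originate from the transport layer rather than from client-supplied data
 *       (where it is filled in is not visible in this class — confirm at the caller);</li>
 *   <li>otherwise: name and password are verified by the users DAO.</li>
 * </ul>
 * Reverse-lookup results are cached per client address for {@link #REVERSE_LOOKUP_TTL} ms. The
 * cache is static and shared by all logins, hence a {@link ConcurrentHashMap}; a {@link HostList}
 * is fully populated before it is published into the cache and never modified afterwards.
 */
public class DatabaseCredentialsLogin extends AbstractLoginMethod {
    /** Lifetime of a cached reverse-lookup result, in milliseconds (one hour). */
    private static final long REVERSE_LOOKUP_TTL = 3600000;
    /** Resolved host names per literal client address; entries older than the TTL are dropped on access. */
    private static final Map<String, HostList> reverseLookupCache = new ConcurrentHashMap<>();

    private final ContextLogger logger = new ContextLogger(DatabaseCredentialsLogin.class, SesamComponent.DATA_ACCESS);

    @Autowired
    private DaoAccessor daos;

    /** Host names obtained for one client address, stamped with the time of resolution. */
    private static final class HostList {
        final List<String> hosts = new ArrayList<>();
        final long ts = System.currentTimeMillis();
    }

    /**
     * Authenticates the caller and builds a database-backed session.
     *
     * @param sEPAuthentication user name, optional password and the client address
     * @return the session, or {@code null} when the credentials are rejected or the account is
     *         owned by a directory (LDAP/AD) and therefore not handled here
     * @throws AuthenticationException when the account is disabled or expired, or when host
     *         authentication is not permitted for it
     */
    @Override
    public SessionContext createAndAuthenticateUser(SEPAuthentication sEPAuthentication) throws AuthenticationException {
        this.logger.start("createAndAuthenticateUser", SepLogLevel.INFO, LogGroup.SECURITY, sEPAuthentication.name, sEPAuthentication.ip);
        // Candidate identities of the client: the literal address first, extended in place by
        // checkAllowedHosts() with the names it resolves (so resolution happens once per login).
        List<String> candidateHosts = new ArrayList<>();
        if (sEPAuthentication.ip != null) {
            candidateHosts.add(sEPAuthentication.ip);
        }
        Users users = null;
        if (LoginServiceImpl.isPolicyBasedPermissions() && !candidateHosts.isEmpty()) {
            users = this.daos.getUsersDao().get(sEPAuthentication.name);
            if (users != null && users.getOrigin() != null) {
                UserOrigin origin = users.getOrigin();
                // Directory-owned accounts are never authenticated here; hand back to the caller.
                if (origin == UserOrigin.LDAP || origin == UserOrigin.AD) {
                    return null;
                }
                if (!UserOrigin.POLICY.equals(origin) && !users.isFromJavaPolicy()) {
                    return null;
                }
            }
            if (users != null) {
                users = authenticateByHost(users, sEPAuthentication, candidateHosts);
            }
            if (users == null && LoginServiceImpl.getParams() != null) {
                users = findWildcardUser(LoginServiceImpl.getParams(), candidateHosts);
            }
        } else if (StringUtils.isNotEmpty(sEPAuthentication.password) && !LoginServiceImpl.isPolicyBasedPermissions()) {
            users = this.daos.getUsersDao().login(sEPAuthentication.name, sEPAuthentication.password);
        }
        if (users == null) {
            this.logger.error("createAndAuthenticateUser", LogGroup.SECURITY, AuthenticationException.AuthMessage.INVALID_CREDENTIALS, sEPAuthentication.name);
            return null;
        }
        this.logger.info("createAndAuthenticateUser", LogGroup.SECURITY, SecurityMessages.LOGIN_SUCCESS, users.getName(), sEPAuthentication.ip);
        this.logger.success("createAndAuthenticateUser", SepLogLevel.INFO, LogGroup.SECURITY, sEPAuthentication.name);
        List<Groups> groups = null;
        try {
            groups = this.daos.getGroupsDao().getGroupsByUser(users);
        } catch (ServiceException e) {
            // Best effort, as before: the session is still created, only without group membership.
            this.logger.info("createAndAuthenticateUser", LogGroup.SECURITY, new SimpleMessage("Could not load groups for user {0}: {1}"), users.getName(), e.getMessage());
        }
        return new SessionContext(this.daos, LoginType.DB, users, groups, this.daos.getUsersDao().getPermissions(users), null, sEPAuthentication.ip);
    }

    /**
     * Policy-based path for an account found by name: the account must be enabled and not expired,
     * host authentication must be allowed for it (or local full access be active), and the client
     * must match its allowed hosts. No password is checked here.
     *
     * @param users          the account found for the requested name
     * @param auth           the login request (name used for logging and exceptions)
     * @param candidateHosts client address plus resolved names, extended by {@link #checkAllowedHosts}
     * @return {@code users} when the client is allowed, {@code null} when no allowed host matched
     * @throws AuthenticationException when the account is disabled/expired or host authentication
     *         is not permitted for it
     */
    private Users authenticateByHost(Users users, SEPAuthentication auth, List<String> candidateHosts) throws AuthenticationException {
        // Null flags are treated as "not set" (fail closed) instead of unboxing to a NullPointerException.
        boolean expired = Boolean.TRUE.equals(users.getAccountExpired());
        if (!Boolean.TRUE.equals(users.getEnabled()) || expired) {
            this.logger.info("createAndAuthenticateUser", LogGroup.SECURITY, new SimpleMessage("Account for user {0} is " + (expired ? "expired." : "disabled.")), auth.name);
            throw new AuthenticationException(AuthenticationException.AuthMessage.ACCOUNT_INVALID, auth.name);
        }
        if (!Boolean.TRUE.equals(users.isAllowHostAuth()) && !LoginServiceImpl.isLocalFullAccess()) {
            // Both branches deny; they only differ in the reason reported.
            if (StringUtils.isEmpty(users.getPassword())) {
                throw new AuthenticationException(AuthenticationException.AuthMessage.PASSWORD_INVALID, auth.name);
            }
            throw new AuthenticationException(AuthenticationException.AuthMessage.INVALID_CREDENTIALS, auth.name);
        }
        return checkAllowedHosts(users, candidateHosts) ? users : null;
    }

    /**
     * Fallback for policy-based logins without a usable account of the requested name: tries the
     * configured default users (admin, operator, restore, backup) against the client's candidate hosts.
     *
     * <p>NOTE(review): the loop has no {@code break}, so a later default user that exists but does not
     * match the client overrides an earlier successful match — the last candidate decides. Kept as found,
     * because adding a break would widen who gets in; confirm the intended precedence before changing it.
     *
     * @param params         server parameters holding the default user names
     * @param candidateHosts client address plus resolved names
     * @return the matching default user, or {@code null}
     */
    private Users findWildcardUser(GUIServerParam params, List<String> candidateHosts) {
        String[] defaultUsers = {params.defaultAdminUser, params.defaultOperatorUser, params.defaultRestoreUser, params.defaultBackupUser};
        this.logger.info("createAndAuthenticateUser", LogGroup.SECURITY, new SimpleMessage("Checking for user wild card permission rules..."), new Object[0]);
        Users match = null;
        for (String name : defaultUsers) {
            match = this.daos.getUsersDao().get(name);
            if (match != null && !checkAllowedHosts(match, candidateHosts)) {
                match = null;
            }
        }
        return match;
    }

    /**
     * Decides whether the client identified by {@code candidateHosts} may log in as {@code users}.
     *
     * <p>Pass 1 compares the literal address (index 0) case-sensitively against the allowed hosts,
     * where {@code "*"} admits every client. If that fails and the list still holds only the address,
     * the names resolved for it are appended (see {@link #resolveHostNames}); pass 2 compares those
     * case-insensitively. The appended names stay in the caller's list, so repeated calls for the same
     * login do not resolve again — unless resolution produced nothing, in which case it is retried.
     *
     * <p>Pass 2 also sees the canonical name's first label, so an allowed-host entry given as a bare
     * short name matches that label under any DNS domain; fully qualified names in the allowed-host
     * list keep the match specific. Name matching as a whole trusts DNS: the JDK only returns a
     * reverse-lookup name that resolves back to the address, which limits but does not remove that dependency.
     *
     * @param users          the account whose allowed hosts are checked (non-null)
     * @param candidateHosts non-empty list whose first element is the client's literal address; grown in place
     * @return {@code true} when an allowed host matched
     */
    private boolean checkAllowedHosts(Users users, List<String> candidateHosts) {
        assert users != null;
        assert candidateHosts != null;
        assert candidateHosts.size() > 0;
        String address = candidateHosts.get(0);
        for (UserAllowedHosts allowed : users.getAllowedHosts()) {
            if (allowed.getName().equals("*") || address.equals(allowed.getName())) {
                return true;
            }
        }
        if (candidateHosts.size() == 1) {
            candidateHosts.addAll(resolveHostNames(address).hosts);
        }
        for (int i = 1; i < candidateHosts.size(); i++) {
            String candidate = candidateHosts.get(i);
            for (UserAllowedHosts allowed : users.getAllowedHosts()) {
                if (candidate.equalsIgnoreCase(allowed.getName())) {
                    return true;
                }
            }
        }
        this.logger.info("checkAllowedHosts", LogGroup.SECURITY, new SimpleMessage("None of the resolved host names ({0}) matched the list of allowed hosts for user {1}. ({2})"), candidateHosts.toString(), users.getName(), formatAllowedHosts(users));
        return false;
    }

    /**
     * Returns the host names the JDK resolves for a literal client address, served from
     * {@link #reverseLookupCache} while the entry is younger than {@link #REVERSE_LOOKUP_TTL}.
     *
     * <p>Collected, without duplicates: the reverse-lookup name, the canonical name, the canonical
     * name's first label (short name) unless the canonical "name" is just a dotted-decimal address,
     * and — for loopback/any-local addresses — this server's own names. A failed lookup yields an
     * empty list and is not cached, so the next call retries.
     *
     * @param address literal IP address of the client (dnsjava's {@code Address.getByAddress} parses it;
     *                a value it cannot parse surfaces as {@link UnknownHostException})
     * @return cached or freshly resolved names, never {@code null}
     */
    private HostList resolveHostNames(String address) {
        HostList cached = reverseLookupCache.get(address);
        if (cached != null && System.currentTimeMillis() > cached.ts + REVERSE_LOOKUP_TTL) {
            reverseLookupCache.remove(address);
            cached = null;
        }
        if (cached != null) {
            return cached;
        }
        HostList fresh = new HostList();
        try {
            InetAddress inet = Address.getByAddress(address);
            addIfAbsent(fresh.hosts, inet.getHostName());
            String canonical = inet.getCanonicalHostName();
            addIfAbsent(fresh.hosts, canonical);
            int dot = canonical.indexOf('.');
            if (!canonical.matches("[0-9.]+") && dot != -1) {
                addIfAbsent(fresh.hosts, canonical.substring(0, dot));
            }
            if (inet.isAnyLocalAddress() || inet.isLoopbackAddress()) {
                for (String localName : LoginServiceImpl.getLocalNames()) {
                    addIfAbsent(fresh.hosts, localName);
                }
            }
            // Publish only a completely built entry; it is never modified after this point.
            reverseLookupCache.put(address, fresh);
        } catch (UnknownHostException e) {
            this.logger.info("checkAllowedHosts", LogGroup.SECURITY, new SimpleMessage("Reverse lookup for {0} failed: {1}"), address, e.getMessage());
        }
        return fresh;
    }

    /** Appends {@code name} to {@code names} unless it is already present. */
    private static void addIfAbsent(List<String> names, String name) {
        if (!names.contains(name)) {
            names.add(name);
        }
    }

    /**
     * Renders the account's allowed-host names for the denial log line as {@code "[ a, b ]"}
     * ({@code "[]"} when there are none).
     */
    private static String formatAllowedHosts(Users users) {
        StringBuilder sb = new StringBuilder("[");
        for (UserAllowedHosts allowed : users.getAllowedHosts()) {
            if (sb.length() > 1) {
                sb.append(",");
            }
            sb.append(" ").append(allowed.getName());
        }
        if (sb.length() > 1) {
            sb.append(" ");
        }
        return sb.append("]").toString();
    }

    /**
     * Creates a session for the named account without checking a password: the account only has to
     * exist and be enabled. When the admin user name is requested but no such account exists, the
     * {@code root} account is used instead. Which callers are entitled to this bypass is decided
     * outside this class — confirm at the call sites.
     *
     * @param sEPAuthentication user name and client address
     * @return the session for the account
     * @throws AuthenticationException when the account is missing, disabled, or could not be read
     */
    public SessionContext forceCreateAndAuthenticateAdmin(SEPAuthentication sEPAuthentication) throws AuthenticationException {
        this.logger.start("forceCreateAndAuthenticateAdmin", SepLogLevel.INFO, LogGroup.SECURITY, sEPAuthentication.name, sEPAuthentication.ip);
        Users users = null;
        try {
            users = this.daos.getUsersDao().get(sEPAuthentication.name);
            if (users == null && DefaultUserNames.ADMIN_USER.equals(sEPAuthentication.name)) {
                users = this.daos.getUsersDao().get("root");
            }
        } catch (UncategorizedSQLException e) {
            // A failed lookup is treated like an unknown account below; record why instead of dumping a stack trace.
            this.logger.info("forceCreateAndAuthenticateAdmin", LogGroup.SECURITY, new SimpleMessage("User lookup for {0} failed: {1}"), sEPAuthentication.name, e.getMessage());
        }
        if (users == null || !Boolean.TRUE.equals(users.getEnabled())) {
            throw new AuthenticationException(AuthenticationException.AuthMessage.INVALID_CREDENTIALS, sEPAuthentication.name);
        }
        this.logger.success("forceCreateAndAuthenticateAdmin", SepLogLevel.INFO, LogGroup.SECURITY, sEPAuthentication.name, sEPAuthentication.name);
        return new SessionContext(this.daos, LoginType.DB, users, null, this.daos.getUsersDao().getPermissions(users), null, sEPAuthentication.ip);
    }

    /** Database logins use no LDAP provider. */
    @Override
    protected AbstractLdapAuthenticationProvider createAuthenticationProvider(Credentials credentials) {
        return null;
    }

    /** Database logins are not tied to a stored credentials type. */
    @Override
    protected String getCredentialsType() {
        return null;
    }

    @Override
    public DaoAccessor getDaos() {
        return this.daos;
    }
}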
