package de.sep.sesam.restapi.authentication;

import de.sep.sesam.common.logging.ContextLogger;
import de.sep.sesam.common.logging.LogGroup;
import de.sep.sesam.common.logging.SepLogLevel;
import de.sep.sesam.common.logging.messages.SecurityMessages;
import de.sep.sesam.common.logging.messages.SimpleMessage;
import de.sep.sesam.model.Credentials;
import de.sep.sesam.model.Groups;
import de.sep.sesam.model.UserAllowedHosts;
import de.sep.sesam.model.UserGroupRelations;
import de.sep.sesam.model.Users;
import de.sep.sesam.model.auth.dto.LoginDto;
import de.sep.sesam.model.core.defaults.DefaultUserNames;
import de.sep.sesam.model.type.AuthenticationType;
import de.sep.sesam.model.type.UserOrigin;
import de.sep.sesam.rest.exceptions.AuthenticationException;
import de.sep.sesam.rest.exceptions.ServiceException;
import de.sep.sesam.restapi.dao.DefaultsDaoServer;
import de.sep.sesam.restapi.dao.GroupsDaoServer;
import de.sep.sesam.restapi.dao.UserAllowedHostsDaoServer;
import de.sep.sesam.restapi.dao.UserGroupRelationsDaoServer;
import de.sep.sesam.restapi.dao.UsersDaoServer;
import de.sep.sesam.restapi.service.impl.LoginServiceImpl;
import de.sep.sesam.server.impl.GUIServerParam;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.PropertyAccessor;
import org.springframework.beans.propertyeditors.CustomBooleanEditor;
import org.springframework.jdbc.UncategorizedSQLException;
import org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider;
import org.xbill.DNS.Address;

/* loaded from: input_file:de/sep/sesam/restapi/authentication/DatabaseCredentialsLogin.class */
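/**
 * Credentials login backed by the Sesam user database ({@link AuthenticationType#DB}).
 *
 * <p>{@link #createAndAuthenticateUser(LoginDto)} implements three ways of establishing a
 * session:
 * <ul>
 *   <li><b>policy based permissions</b> – the caller is identified by its client address only.
 *       The address (and the host names obtained for it by reverse lookup) is matched against the
 *       user's allowed-hosts list, see {@link #checkAllowedHosts(Users, List)}. The secret carried
 *       in the {@code LoginDto} is <em>not</em> verified in this branch, so the strength of this
 *       login is the strength of the allowed-hosts configuration;</li>
 *   <li><b>secret and/or certificate login</b> – delegated to {@link UsersDaoServer#login};</li>
 *   <li><b>pre-authenticated login</b> – no secret, no certificate, {@code preAuthenticated} flag
 *       set, enabled by the system default {@code gui.enable.credentials.preauthenticated}.</li>
 * </ul>
 *
 * <p>Reverse-lookup results are cached per client address for {@link #REVERSE_LOOKUP_TTL}
 * milliseconds in a static, process-wide cache.
 */
public class DatabaseCredentialsLogin extends AbstractCredentialsLogin {
    /** Lifetime of a cached reverse-lookup result in milliseconds (one hour). */
    private static final long REVERSE_LOOKUP_TTL = 3600000;
    private final ContextLogger logger = new ContextLogger(DatabaseCredentialsLogin.class);
    /**
     * Client address -> host names resolved for it. The map is shared by all instances and logins
     * may run in parallel, hence a concurrent map. Entries are only ever inserted or removed as a
     * whole; a {@link HostList} is fully populated before it is put into the map.
     */
    private static final Map<String, HostList> reverseLookupCache = new ConcurrentHashMap<>();

    /** Host names resolved for one client address together with the time of resolution. */
    private static final class HostList {
        final List<String> hosts = new ArrayList<>();
        final long ts = System.currentTimeMillis();

        private HostList() {
        }
    }

    /**
     * Adds {@code value} to {@code target} unless it is already contained (the list keeps
     * insertion order and must not hold duplicates).
     */
    private static void addUnique(List<String> target, String value) {
        if (!target.contains(value)) {
            target.add(value);
        }
    }

    /**
     * @return the name of {@link AuthenticationType#DB}
     */
    @Override // de.sep.sesam.restapi.authentication.AbstractCredentialsLogin
    public String getCredentialsType() {
        return AuthenticationType.DB.name();
    }

    /**
     * @return always {@link AuthenticationType#DB}
     */
    @Override // de.sep.sesam.restapi.authentication.AbstractCredentialsLogin
    public AuthenticationType getAuthenticationType() {
        return AuthenticationType.DB;
    }

    /**
     * Authenticates the user described by {@code loginDto} against the database.
     *
     * @param loginDto user name, client IP, optional secret / certificate and the
     *     pre-authenticated flag as supplied by the caller
     * @return a session context for the authenticated user, or {@code null} when this login does
     *     not apply (LDAP/AD users; non-policy users in policy mode; policy users outside policy
     *     mode on the pre-authenticated path) or when the credentials are invalid
     * @throws AuthenticationException in policy mode when the account is disabled or expired, or
     *     when the user is not host-authenticated and local full access is off
     */
    @Override // de.sep.sesam.restapi.authentication.AbstractCredentialsLogin
    public SessionContext createAndAuthenticateUser(LoginDto loginDto) throws AuthenticationException {
        this.logger.start("createAndAuthenticateUser", SepLogLevel.INFO, LogGroup.SECURITY, loginDto.getUsername(), loginDto.getIp());
        // Host identities of the caller: the client IP first; checkAllowedHosts appends the
        // reverse-lookup names, so the list grows while it is passed around.
        List<String> candidateHosts = new ArrayList<>();
        if (loginDto.getIp() != null) {
            candidateHosts.add(loginDto.getIp());
        }
        Users users = null;
        if (LoginServiceImpl.isPolicyBasedPermissions() && !candidateHosts.isEmpty()) {
            users = getUser(loginDto.getUsername(), null, getAuthenticationType());
            if (users != null && users.getOrigin() != null) {
                switch (users.getOrigin()) {
                    case LDAP:
                    case AD:
                        // Directory users are handled by the LDAP/AD logins, not here.
                        return null;
                    default:
                        if (!UserOrigin.POLICY.equals(users.getOrigin()) && !users.isFromJavaPolicy()) {
                            return null;
                        }
                        break;
                }
            }
            if (users != null) {
                // Fail closed: a missing flag counts as "disabled" / "expired" rather than
                // unboxing a null Boolean.
                if (!Boolean.TRUE.equals(users.getEnabled())) {
                    this.logger.info("createAndAuthenticateUser", LogGroup.SECURITY, new SimpleMessage("Account for user {0} is disabled."), loginDto.getUsername());
                    throw new AuthenticationException(AuthenticationException.AuthMessage.USER_DISABLED, loginDto.getUsername());
                }
                if (!Boolean.FALSE.equals(users.getAccountExpired())) {
                    this.logger.info("createAndAuthenticateUser", LogGroup.SECURITY, new SimpleMessage("Account for user {0} is expired."), loginDto.getUsername());
                    throw new AuthenticationException(AuthenticationException.AuthMessage.ACCOUNT_INVALID, loginDto.getUsername());
                }
                // In policy mode the secret is never verified by this method, so a user that is
                // neither host-authenticated nor covered by local full access must be refused.
                if (!Boolean.TRUE.equals(users.getAllowHostAuth()) && !LoginServiceImpl.isLocalFullAccess()) {
                    if (StringUtils.isEmpty(users.getPassword())) {
                        throw new AuthenticationException(AuthenticationException.AuthMessage.PASSWORD_INVALID, loginDto.getUsername());
                    }
                    throw new AuthenticationException(AuthenticationException.AuthMessage.CREDENTIALS_INVALID, loginDto.getUsername());
                }
                // No allowed-hosts match: forget the user so that the wildcard rules below apply.
                if (!checkAllowedHosts(users, candidateHosts)) {
                    users = null;
                }
                if (users != null && users.getId() != null) {
                    List<UserGroupRelations> relations = null;
                    try {
                        relations = ((UserGroupRelationsDaoServer) getDaos().getService(UserGroupRelationsDaoServer.class)).getByUserId(users.getId());
                    } catch (ServiceException e) {
                        this.logger.warn("createAndAuthenticateUser", LogGroup.SECURITY, new SimpleMessage("Failed to load group relations for user ''{0}'': {1}"), loginDto.getUsername(), e.getMessage());
                    }
                    if (CollectionUtils.isEmpty(relations)) {
                        this.logger.warn("createAndAuthenticateUser", LogGroup.SECURITY, new SimpleMessage("User ''{0}'' exist in database but no groups are associated with the user!"), loginDto.getUsername());
                    }
                }
            }
            if (users == null && LoginServiceImpl.getParams() != null) {
                GUIServerParam params = LoginServiceImpl.getParams();
                String[] defaultUsers = {params.defaultAdminUser, params.defaultOperatorUser, params.defaultRestoreUser, params.defaultBackupUser};
                this.logger.info("createAndAuthenticateUser", LogGroup.SECURITY, new SimpleMessage("Checking for user wild card permission rules..."), new Object[0]);
                // NOTE(review): the loop does not stop at the first match. Every iteration
                // overwrites `users`, so a later default user that does not exist or whose
                // allowed hosts do not match discards an earlier match ("last wins"). Confirm
                // whether that is the intended precedence; behaviour kept unchanged here.
                for (String defaultUser : defaultUsers) {
                    users = getUser(defaultUser, null, getAuthenticationType());
                    if (users != null && !checkAllowedHosts(users, candidateHosts)) {
                        users = null;
                    }
                }
            }
        } else if (loginDto.getCertificate() != null && !LoginServiceImpl.isPolicyBasedPermissions()) {
            // Enabled/expired checks for the DAO login paths are presumably done by the DAO — confirm.
            users = ((UsersDaoServer) getDaos().getService(UsersDaoServer.class)).login(loginDto.getUsername(), loginDto.getSecret(), loginDto.getCertificate());
        } else if (StringUtils.isNotBlank(loginDto.getSecret()) && !LoginServiceImpl.isPolicyBasedPermissions()) {
            users = ((UsersDaoServer) getDaos().getService(UsersDaoServer.class)).login(loginDto.getUsername(), loginDto.getSecret(), null);
        } else if (StringUtils.isBlank(loginDto.getSecret()) && loginDto.getCertificate() == null && !LoginServiceImpl.isPolicyBasedPermissions() && Boolean.TRUE.equals(loginDto.getPreAuthenticated())) {
            // Pre-authenticated login: no credential is checked at all, the caller's flag is
            // trusted. Only honoured when the system default is switched on ("1").
            String preAuthEnabled = null;
            try {
                preAuthEnabled = StringUtils.trim(((DefaultsDaoServer) getDaos().getService(DefaultsDaoServer.class)).getSystemDefault("gui.enable.credentials.preauthenticated"));
            } catch (ServiceException e) {
                this.logger.warn("createAndAuthenticateUser", LogGroup.SECURITY, new SimpleMessage("Failed to read system default gui.enable.credentials.preauthenticated: {0}"), e.getMessage());
            }
            if (StringUtils.equalsIgnoreCase(preAuthEnabled, CustomBooleanEditor.VALUE_1)) {
                users = getUser(loginDto.getUsername(), null, getAuthenticationType());
                // Policy users are not eligible for pre-authenticated login.
                if (users != null && (UserOrigin.POLICY.equals(users.getOrigin()) || users.isFromJavaPolicy())) {
                    users = null;
                }
            }
        }
        if (users == null) {
            this.logger.error("createAndAuthenticateUser", LogGroup.SECURITY, AuthenticationException.AuthMessage.CREDENTIALS_INVALID, loginDto.getUsername());
            return null;
        }
        this.logger.info("createAndAuthenticateUser", LogGroup.SECURITY, SecurityMessages.LOGIN_SUCCESS, users.getName(), loginDto.getIp());
        List<Groups> groups = null;
        try {
            groups = ((GroupsDaoServer) getDaos().getService(GroupsDaoServer.class)).getGroupsByUser(users);
        } catch (ServiceException e) {
            this.logger.warn("createAndAuthenticateUser", LogGroup.SECURITY, new SimpleMessage("Failed to load groups for user ''{0}'': {1}"), loginDto.getUsername(), e.getMessage());
        }
        this.logger.success("createAndAuthenticateUser", SepLogLevel.INFO, LogGroup.SECURITY, loginDto.getUsername(), groups);
        AuthenticationType authenticationType = getAuthenticationType();
        assert authenticationType != null;
        return new SessionContext(getDaos(), loginDto.getType(), authenticationType, users, loginDto.getIp(), loginDto.getLoginName());
    }

    /**
     * Checks whether one of the caller's host identities is in the user's allowed-hosts list.
     *
     * <p>{@code hosts} must start with the client IP. If it holds nothing else, the IP is reverse
     * resolved – host name, canonical name, the short form of the canonical name and, for
     * loopback/any-local addresses, the server's own local names – and the resolved names are
     * appended to {@code hosts}; the caller therefore sees the list grow. Lookups are cached for
     * {@link #REVERSE_LOOKUP_TTL} ms per address; an unresolvable address is not cached.
     *
     * <p>An allowed-hosts entry {@code "*"} matches any caller; all other comparisons are
     * case-insensitive. Names obtained by reverse lookup are only as trustworthy as the reverse
     * DNS zone of the client address, whereas entries given as IP addresses do not depend on DNS.
     *
     * @param users the database user whose allowed hosts are checked; must not be null
     * @param hosts the client IP followed by any already known host names; must not be empty
     * @return true if an entry matches; false if none matches, if the user has no allowed hosts,
     *     or if the allowed hosts could not be loaded
     */
    private boolean checkAllowedHosts(Users users, List<String> hosts) {
        assert users != null;
        assert hosts != null;
        assert !hosts.isEmpty();
        List<UserAllowedHosts> allowed = null;
        try {
            allowed = ((UserAllowedHostsDaoServer) getDaos().getService(UserAllowedHostsDaoServer.class)).getByUser(users.getId());
        } catch (ServiceException e) {
            this.logger.warn("checkAllowedHosts", LogGroup.SECURITY, new SimpleMessage("Failed to load allowed hosts for user ''{0}'': {1}"), users.getName(), e.getMessage());
        }
        if (allowed == null || allowed.isEmpty()) {
            return false;
        }
        String clientIp = hosts.get(0);
        // First pass: wildcard or a direct match on the client address.
        for (UserAllowedHosts entry : allowed) {
            if ("*".equals(entry.getHost()) || clientIp.equalsIgnoreCase(entry.getHost())) {
                return true;
            }
        }
        if (hosts.size() == 1) {
            HostList resolved = reverseLookupCache.get(clientIp);
            if (resolved != null && System.currentTimeMillis() > resolved.ts + REVERSE_LOOKUP_TTL) {
                reverseLookupCache.remove(clientIp);
                resolved = null;
            }
            if (resolved == null) {
                resolved = new HostList();
                try {
                    InetAddress address = Address.getByAddress(clientIp);
                    addUnique(resolved.hosts, address.getHostName());
                    String canonical = address.getCanonicalHostName();
                    addUnique(resolved.hosts, canonical);
                    // Also accept the unqualified name, unless the "name" is just the numeric address.
                    int dot;
                    if (!canonical.matches("[0-9.]+") && (dot = canonical.indexOf('.')) != -1) {
                        addUnique(resolved.hosts, canonical.substring(0, dot));
                    }
                    if (address.isAnyLocalAddress() || address.isLoopbackAddress()) {
                        for (String localName : LoginServiceImpl.getLocalNames()) {
                            addUnique(resolved.hosts, localName);
                        }
                    }
                    reverseLookupCache.put(clientIp, resolved);
                } catch (UnknownHostException ignored) {
                    // Not a resolvable address: no names to add, and the empty result is not
                    // cached so the next attempt retries. The final log line below reports it.
                }
            }
            hosts.addAll(resolved.hosts);
        }
        // Second pass: any resolved name against the allowed hosts.
        for (int i = 1; i < hosts.size(); i++) {
            String name = hosts.get(i);
            for (UserAllowedHosts entry : allowed) {
                if (name.equalsIgnoreCase(entry.getHost())) {
                    return true;
                }
            }
        }
        StringBuilder sb = new StringBuilder(PropertyAccessor.PROPERTY_KEY_PREFIX);
        for (UserAllowedHosts entry : allowed) {
            if (sb.length() > 1) {
                sb.append(",");
            }
            sb.append(StringUtils.SPACE);
            sb.append(entry.getHost());
        }
        if (sb.length() > 1) {
            sb.append(StringUtils.SPACE);
        }
        sb.append("]");
        this.logger.info("checkAllowedHosts", LogGroup.SECURITY, new SimpleMessage("None of the resolved host names ({0}) matched the list of allowed hosts for user {1}. ({2})"), hosts.toString(), users.getName(), sb);
        return false;
    }

    /**
     * Creates a session for the named user <em>without verifying any credential</em>; the only
     * condition is that the user exists and is enabled. When the requested name is the default
     * admin user and no such user exists, the {@code "root"} user is used instead.
     *
     * <p>NOTE(review): because nothing is authenticated here, every caller must already have
     * established trust by other means – confirm the call sites are restricted accordingly.
     *
     * @param loginDto carries the user name, client IP, login name and session type
     * @return a session context for the (admin) user
     * @throws AuthenticationException if the user does not exist or is not enabled
     */
    public SessionContext forceCreateAndAuthenticateAdmin(LoginDto loginDto) throws AuthenticationException {
        this.logger.start("forceCreateAndAuthenticateAdmin", SepLogLevel.INFO, LogGroup.SECURITY, loginDto.getUsername(), loginDto.getIp());
        Users users = null;
        try {
            users = getUser(loginDto.getUsername(), null, getAuthenticationType());
            if (users == null && DefaultUserNames.ADMIN_USER.equals(loginDto.getUsername())) {
                users = getUser("root", null, getAuthenticationType());
            }
        } catch (UncategorizedSQLException e) {
            // A database error is treated like "user not found" below; record it instead of
            // printing to stderr.
            this.logger.warn("forceCreateAndAuthenticateAdmin", LogGroup.SECURITY, new SimpleMessage("Database error while looking up user ''{0}'': {1}"), loginDto.getUsername(), e.getMessage());
        }
        if (users == null || !Boolean.TRUE.equals(users.getEnabled())) {
            throw new AuthenticationException(AuthenticationException.AuthMessage.CREDENTIALS_INVALID, loginDto.getUsername());
        }
        List<Groups> groups = null;
        try {
            groups = ((GroupsDaoServer) getDaos().getService(GroupsDaoServer.class)).getGroupsByUser(users);
        } catch (ServiceException e) {
            this.logger.warn("forceCreateAndAuthenticateAdmin", LogGroup.SECURITY, new SimpleMessage("Failed to load groups for user ''{0}'': {1}"), loginDto.getUsername(), e.getMessage());
        }
        this.logger.success("forceCreateAndAuthenticateAdmin", SepLogLevel.INFO, LogGroup.SECURITY, loginDto.getUsername(), groups);
        AuthenticationType authenticationType = getAuthenticationType();
        assert authenticationType != null;
        return new SessionContext(getDaos(), loginDto.getType(), authenticationType, users, loginDto.getIp(), loginDto.getLoginName());
    }

    /**
     * Database logins have no LDAP provider.
     *
     * @param credentials ignored
     * @return always {@code null}
     */
    @Override // de.sep.sesam.restapi.authentication.AbstractCredentialsLogin
    public AbstractLdapAuthenticationProvider createAuthenticationProvider(Credentials credentials) {
        return null;
    }
}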
