package com.arcadedb.server.security;

import com.arcadedb.ContextConfiguration;
import com.arcadedb.GlobalConfiguration;
import com.arcadedb.database.DatabaseFactory;
import com.arcadedb.database.DatabaseInternal;
import com.arcadedb.log.LogManager;
import com.arcadedb.security.SecurityManager;
import com.arcadedb.serializer.json.JSONException;
import com.arcadedb.serializer.json.JSONObject;
import com.arcadedb.server.ArcadeDBServer;
import com.arcadedb.server.DefaultConsoleReader;
import com.arcadedb.server.ServerException;
import com.arcadedb.server.ServerPlugin;
import com.arcadedb.server.security.credential.CredentialsValidator;
import com.arcadedb.server.security.credential.DefaultCredentialsValidator;
import com.arcadedb.utility.AnsiCode;
import com.arcadedb.utility.LRUCache;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.Timer;
import java.util.TimerTask;
import java.util.logging.Level;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/* loaded from: input_file:com/arcadedb/server/security/ServerSecurity.class */
public class ServerSecurity implements ServerPlugin, SecurityManager {
    public static final int LATEST_VERSION = 1;
    private final ArcadeDBServer server;
    private final SecurityUserFileRepository usersRepository;
    private final SecurityGroupFileRepository groupRepository;
    private final String algorithm;
    private final SecretKeyFactory secretKeyFactory;
    private final Map<String, String> saltCache;
    private final int saltIteration;
    private final int checkConfigReloadEveryMs;
    private static final SecureRandom RANDOM = new SecureRandom();
    public static final int SALT_SIZE = 32;
    private Timer reloadConfigurationTimer;
    private final Map<String, ServerSecurityUser> users = new HashMap();
    private CredentialsValidator credentialsValidator = new DefaultCredentialsValidator();

    public ServerSecurity(ArcadeDBServer arcadeDBServer, ContextConfiguration contextConfiguration, String str) {
        this.server = arcadeDBServer;
        this.algorithm = contextConfiguration.getValueAsString(GlobalConfiguration.SERVER_SECURITY_ALGORITHM);
        this.checkConfigReloadEveryMs = contextConfiguration.getValueAsInteger(GlobalConfiguration.SERVER_SECURITY_RELOAD_EVERY);
        int valueAsInteger = contextConfiguration.getValueAsInteger(GlobalConfiguration.SERVER_SECURITY_SALT_CACHE_SIZE);
        if (valueAsInteger > 0) {
            this.saltCache = Collections.synchronizedMap(new LRUCache(valueAsInteger));
        } else {
            this.saltCache = Collections.emptyMap();
        }
        this.saltIteration = contextConfiguration.getValueAsInteger(GlobalConfiguration.SERVER_SECURITY_SALT_ITERATIONS);
        this.usersRepository = new SecurityUserFileRepository(str);
        this.groupRepository = new SecurityGroupFileRepository(str, this.checkConfigReloadEveryMs).onReload(jSONObject -> {
            Iterator<String> it = arcadeDBServer.getDatabaseNames().iterator();
            while (it.hasNext()) {
                updateSchema(arcadeDBServer.getDatabase(it.next()));
            }
            return null;
        });
        try {
            this.secretKeyFactory = SecretKeyFactory.getInstance(this.algorithm);
        } catch (NoSuchAlgorithmException e) {
            LogManager.instance().log(this, Level.SEVERE, "Security algorithm '%s' not available (error=%s)", e, this.algorithm);
            throw new ServerSecurityException("Security algorithm '" + this.algorithm + "' not available", e);
        }
    }

    @Override // com.arcadedb.server.ServerPlugin
    public void configure(ArcadeDBServer arcadeDBServer, ContextConfiguration contextConfiguration) {
    }

    @Override // com.arcadedb.server.ServerPlugin
    public void startService() {
    }

    public void loadUsers() {
        try {
            this.users.clear();
            try {
                Iterator<JSONObject> it = this.usersRepository.getUsers().iterator();
                while (it.hasNext()) {
                    ServerSecurityUser serverSecurityUser = new ServerSecurityUser(this.server, it.next());
                    this.users.put(serverSecurityUser.getName(), serverSecurityUser);
                }
            } catch (JSONException e) {
                this.groupRepository.saveInError(e);
                Iterator<JSONObject> it2 = SecurityUserFileRepository.createDefault().iterator();
                while (it2.hasNext()) {
                    ServerSecurityUser serverSecurityUser2 = new ServerSecurityUser(this.server, it2.next());
                    this.users.put(serverSecurityUser2.getName(), serverSecurityUser2);
                }
            }
            if (this.users.isEmpty() || (this.users.containsKey("root") && this.users.get("root").getPassword() == null)) {
                askForRootPassword();
            }
            if (this.usersRepository.getFileLastModified() > -1 && this.reloadConfigurationTimer == null) {
                this.reloadConfigurationTimer = new Timer();
                this.reloadConfigurationTimer.schedule(new TimerTask() { // from class: com.arcadedb.server.security.ServerSecurity.1
                    @Override // java.util.TimerTask, java.lang.Runnable
                    public void run() {
                        if (ServerSecurity.this.usersRepository.isUserFileChanged()) {
                            LogManager.instance().log(this, Level.INFO, "Reloading user files...");
                            ServerSecurity.this.loadUsers();
                        }
                    }
                }, this.checkConfigReloadEveryMs, this.checkConfigReloadEveryMs);
            }
        } catch (IOException e2) {
            throw new ServerException("Error on starting Security service", e2);
        }
    }

    @Override // com.arcadedb.server.ServerPlugin
    public void stopService() {
        if (this.reloadConfigurationTimer != null) {
            this.reloadConfigurationTimer.cancel();
        }
        this.users.clear();
        if (this.groupRepository != null) {
            this.groupRepository.stop();
        }
    }

    public ServerSecurityUser authenticate(String str, String str2, String str3) {
        ServerSecurityUser serverSecurityUser = this.users.get(str);
        if (serverSecurityUser == null) {
            throw new ServerSecurityException("User/Password not valid");
        }
        if (!passwordMatch(str2, serverSecurityUser.getPassword())) {
            throw new ServerSecurityException("User/Password not valid");
        }
        if (str3 == null || serverSecurityUser.getAuthorizedDatabases().contains("*") || serverSecurityUser.getAuthorizedDatabases().contains(str3)) {
            return serverSecurityUser;
        }
        throw new ServerSecurityException("User has not access to database '" + str3 + "'");
    }

    public void setCredentialsValidator(CredentialsValidator credentialsValidator) {
        this.credentialsValidator = credentialsValidator;
    }

    public boolean existsUser(String str) {
        return this.users.containsKey(str);
    }

    public Set<String> getUsers() {
        return this.users.keySet();
    }

    public ServerSecurityUser getUser(String str) {
        return this.users.get(str);
    }

    public ServerSecurityUser createUser(JSONObject jSONObject) {
        String string = jSONObject.getString("name");
        if (this.users.containsKey(string)) {
            throw new SecurityException("User '" + string + "' already exists");
        }
        ServerSecurityUser serverSecurityUser = new ServerSecurityUser(this.server, jSONObject);
        this.users.put(string, serverSecurityUser);
        saveUsers();
        return serverSecurityUser;
    }

    public boolean dropUser(String str) {
        if (this.users.remove(str) == null) {
            return false;
        }
        saveUsers();
        return true;
    }

    public void updateSchema(DatabaseInternal databaseInternal) {
        JSONObject databaseGroupsConfiguration;
        if (databaseInternal == null) {
            return;
        }
        Iterator<ServerSecurityUser> it = this.users.values().iterator();
        while (it.hasNext()) {
            ServerSecurityDatabaseUser databaseUser = it.next().getDatabaseUser(databaseInternal);
            if (databaseUser != null && (databaseGroupsConfiguration = getDatabaseGroupsConfiguration(databaseInternal.getName())) != null) {
                databaseUser.updateFileAccess(databaseInternal, databaseGroupsConfiguration);
            }
        }
    }

    public String getEncodedHash(String str, String str2, int i) {
        try {
            return new String(Base64.getEncoder().encode(this.secretKeyFactory.generateSecret(new PBEKeySpec(str.toCharArray(), str2.getBytes(StandardCharsets.UTF_8), i, 256)).getEncoded()), DatabaseFactory.getDefaultCharset());
        } catch (InvalidKeySpecException e) {
            throw new ServerSecurityException("Error on generating security key", e);
        }
    }

    protected String encodePassword(String str, String str2) {
        return encodePassword(str, str2, this.saltIteration);
    }

    public String encodePassword(String str) {
        return encodePassword(str, generateRandomSalt());
    }

    public boolean passwordMatch(String str, String str2) {
        String[] split = str2.split("\\$");
        if (split.length != 4) {
            return false;
        }
        return encodePassword(str, split[2], Integer.parseInt(split[1])).equals(str2);
    }

    protected static String generateRandomSalt() {
        byte[] bArr = new byte[32];
        RANDOM.nextBytes(bArr);
        return new String(Base64.getEncoder().encode(bArr), DatabaseFactory.getDefaultCharset());
    }

    protected String encodePassword(String str, String str2, int i) {
        String str3;
        if (!this.saltCache.isEmpty() && (str3 = this.saltCache.get(str + "$" + str2 + "$" + i)) != null) {
            return str3;
        }
        String formatted = "%s$%d$%s$%s".formatted(this.algorithm, Integer.valueOf(i), str2, getEncodedHash(str, str2, i));
        this.saltCache.put(str + "$" + str2 + "$" + i, formatted);
        return formatted;
    }

    public List<JSONObject> usersToJSON() {
        ArrayList arrayList = new ArrayList(this.users.size());
        Iterator<ServerSecurityUser> it = this.users.values().iterator();
        while (it.hasNext()) {
            arrayList.add(it.next().toJSON());
        }
        return arrayList;
    }

    public JSONObject groupsToJSON() {
        JSONObject jSONObject = new JSONObject();
        jSONObject.put("databases", this.groupRepository.getGroups().getJSONObject("databases"));
        jSONObject.put("version", 1);
        return jSONObject;
    }

    public void saveUsers() {
        try {
            this.usersRepository.save(usersToJSON());
        } catch (IOException e) {
            LogManager.instance().log(this, Level.SEVERE, "Error on saving security configuration to file '%s'", e, SecurityUserFileRepository.FILE_NAME);
        }
    }

    public void saveGroups() {
        try {
            this.groupRepository.save(groupsToJSON());
        } catch (IOException e) {
            LogManager.instance().log(this, Level.SEVERE, "Error on saving security configuration to file '%s'", e, SecurityGroupFileRepository.FILE_NAME);
        }
    }

    protected void askForRootPassword() throws IOException {
        String valueAsString = this.server != null ? this.server.getConfiguration().getValueAsString(GlobalConfiguration.SERVER_ROOT_PASSWORD) : GlobalConfiguration.SERVER_ROOT_PASSWORD.getValueAsString();
        if (valueAsString == null) {
            String valueAsString2 = this.server != null ? this.server.getConfiguration().getValueAsString(GlobalConfiguration.SERVER_ROOT_PASSWORD_PATH) : GlobalConfiguration.SERVER_ROOT_PASSWORD_PATH.getValueAsString();
            if (valueAsString2 != null) {
                if (!Files.isReadable(Path.of(valueAsString2, new String[0]))) {
                    throw new ServerSecurityException("Error reading password file at path '" + valueAsString2 + "'");
                }
                valueAsString = Files.readString(Path.of(valueAsString2, new String[0]));
            }
        }
        if (valueAsString != null) {
            LogManager.instance().log(this, Level.INFO, "Creating root user with the provided password");
        } else {
            if (this.server == null ? GlobalConfiguration.HA_K8S.getValueAsBoolean() : this.server.getConfiguration().getValueAsBoolean(GlobalConfiguration.HA_K8S)) {
                LogManager.instance().log(this, Level.SEVERE, "Unable to start a server under Kubernetes if the environment variable `arcadedb.server.rootPassword` is not set");
                throw new ServerSecurityException("Unable to start a server under Kubernetes if the environment variable `arcadedb.server.rootPassword` is not set");
            }
            LogManager.instance().flush();
            System.err.flush();
            System.out.flush();
            System.out.println();
            System.out.println();
            System.out.println(AnsiCode.format("$ANSI{yellow +--------------------------------------------------------------------+}"));
            System.out.println(AnsiCode.format("$ANSI{yellow |                WARNING: FIRST RUN CONFIGURATION                    |}"));
            System.out.println(AnsiCode.format("$ANSI{yellow +--------------------------------------------------------------------+}"));
            System.out.println(AnsiCode.format("$ANSI{yellow | This is the first time the server is running. Please type a        |}"));
            System.out.println(AnsiCode.format("$ANSI{yellow | password of your choice for the 'root' user or leave it blank      |}"));
            System.out.println(AnsiCode.format("$ANSI{yellow | to auto-generate it.                                               |}"));
            System.out.println(AnsiCode.format("$ANSI{yellow |                                                                    |}"));
            System.out.println(AnsiCode.format("$ANSI{yellow | To avoid this message set the environment variable or JVM          |}"));
            System.out.println(AnsiCode.format("$ANSI{yellow | setting `arcadedb.server.rootPassword` to the root password to use.|}"));
            System.out.println(AnsiCode.format("$ANSI{yellow +--------------------------------------------------------------------+}"));
            DefaultConsoleReader defaultConsoleReader = new DefaultConsoleReader();
            do {
                System.out.print(AnsiCode.format("\n$ANSI{yellow Root password [BLANK=auto generate it]: }"));
                valueAsString = defaultConsoleReader.readPassword();
                if (valueAsString != null) {
                    valueAsString = valueAsString.trim();
                    if (valueAsString.isEmpty()) {
                        valueAsString = null;
                    }
                }
                if (valueAsString == null) {
                    valueAsString = this.credentialsValidator.generateRandomPassword();
                    System.out.print(AnsiCode.format("Automatic generated password: $ANSI{green " + valueAsString + "}. Please save it in a safe place.\n"));
                }
                if (valueAsString != null) {
                    System.out.print(AnsiCode.format("$ANSI{yellow Please type the root password for confirmation (copy and paste will not work): }"));
                    String readPassword = defaultConsoleReader.readPassword();
                    if (readPassword != null) {
                        readPassword = readPassword.trim();
                        if (readPassword.isEmpty()) {
                            readPassword = null;
                        }
                    }
                    if (valueAsString.equals(readPassword)) {
                        try {
                            this.credentialsValidator.validateCredentials("root", valueAsString);
                            break;
                        } catch (ServerSecurityException e) {
                            System.out.println(AnsiCode.format("$ANSI{red ERROR: Root password does not match the password policies" + (e.getMessage() != null ? ": " + e.getMessage() : "") + "}"));
                            try {
                                Thread.sleep(500L);
                                valueAsString = null;
                            } catch (InterruptedException e2) {
                                return;
                            }
                        }
                    } else {
                        System.out.println(AnsiCode.format("$ANSI{red ERROR: Passwords do not match, please reinsert both of them, or press ENTER to auto generate it}"));
                        try {
                            Thread.sleep(500L);
                            valueAsString = null;
                        } catch (InterruptedException e3) {
                            return;
                        }
                    }
                }
            } while (valueAsString == null);
        }
        this.credentialsValidator.validateCredentials("root", valueAsString);
        String encodePassword = encodePassword(valueAsString, generateRandomSalt());
        if (!existsUser("root")) {
            createUser(new JSONObject().put("name", "root").put("password", encodePassword));
        } else {
            getUser("root").setPassword(encodePassword);
            saveUsers();
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public JSONObject getDatabaseGroupsConfiguration(String str) {
        JSONObject jSONObject = this.groupRepository.getGroups().getJSONObject("databases");
        JSONObject jSONObject2 = jSONObject.has(str) ? jSONObject.getJSONObject(str) : null;
        if (jSONObject2 == null) {
            jSONObject2 = jSONObject.has("*") ? jSONObject.getJSONObject("*") : null;
        }
        if (jSONObject2 == null || !jSONObject2.has("groups")) {
            return null;
        }
        return jSONObject2.getJSONObject("groups");
    }
}
