package com.networknt.aws.lambda.handler.middleware.security;

import com.amazonaws.services.lambda.runtime.events.APIGatewayProxyResponseEvent;
import com.networknt.aws.lambda.LightLambdaExchange;
import com.networknt.aws.lambda.handler.MiddlewareHandler;
import com.networknt.basicauth.BasicAuthConfig;
import com.networknt.basicauth.UserAuth;
import com.networknt.config.Config;
import com.networknt.ldap.LdapUtil;
import com.networknt.status.Status;
import com.networknt.utility.MapUtil;
import com.networknt.utility.ModuleRegistry;
import com.networknt.utility.StringUtils;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import org.apache.commons.codec.binary.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/networknt/aws/lambda/handler/middleware/security/BasicAuthMiddleware.class */
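/**
 * Middleware that authenticates a request from its {@code Authorization} header against the
 * users in {@link BasicAuthConfig} and then authorizes the request path by prefix match
 * against the user's configured paths.
 *
 * <p>{@link #execute(LightLambdaExchange)} distinguishes three cases:
 * <ul>
 *   <li>no header, or a blank one: allowed only when anonymous access is enabled and an
 *       {@code anonymous} user exists whose paths cover the request path; otherwise a
 *       challenge response with a {@code WWW-Authenticate} header is set on the exchange;</li>
 *   <li>a {@code Basic} header: credentials are decoded and checked against the configured
 *       password, or through LDAP when the user has no configured password and AD is enabled;</li>
 *   <li>a {@code Bearer} header: allowed only when bearer tokens are enabled and a
 *       {@code bearer} user exists whose paths cover the request path. The token itself is
 *       not validated by this middleware.</li>
 * </ul>
 *
 * <p>Path authorization is a plain {@link String#startsWith(String)} check, so a configured
 * prefix of {@code "/"} (or an empty string) grants every path.
 *
 * <p>The configuration lives in the static {@link #config} field: all instances share it and
 * constructing a new instance replaces it.
 */
public class BasicAuthMiddleware implements MiddlewareHandler {
    private static final Logger LOG = LoggerFactory.getLogger(BasicAuthMiddleware.class);
    static final String BEARER_PREFIX = "BEARER";
    static final String BASIC_PREFIX = "BASIC";
    /** Shared configuration, assigned by the constructors (see class comment). */
    static BasicAuthConfig config;
    static final String MISSING_AUTH_TOKEN = "ERR10002";
    static final String INVALID_BASIC_HEADER = "ERR10046";
    static final String INVALID_USERNAME_OR_PASSWORD = "ERR10047";
    static final String NOT_AUTHORIZED_REQUEST_PATH = "ERR10071";
    static final String INVALID_AUTHORIZATION_HEADER = "ERR12003";
    static final String BEARER_USER_NOT_FOUND = "ERR10072";

    /** At most this many leading characters of a rejected header are echoed into the error status. */
    private static final int HEADER_PREVIEW_LENGTH = 10;
    private static final String CHALLENGE_HEADER = "WWW-Authenticate";
    /** Challenge sent when the header is missing and anonymous access is not available. */
    private static final String CHALLENGE_MISSING_HEADER = "Basic realm=\"Basic Auth\"";
    /** Challenge sent when the anonymous user exists but does not cover the request path. */
    private static final String CHALLENGE_PATH_NOT_AUTHORIZED = "Basic realm=\"Default Realm\"";
    private static final String EXECUTE_FAILED = "BasicAuthMiddleware.execute ends with an error.";

    /** Loads the configuration through {@link BasicAuthConfig#load()}. */
    public BasicAuthMiddleware() {
        if (LOG.isTraceEnabled()) {
            LOG.trace("BasicAuthMiddleware is loaded.");
        }
        config = BasicAuthConfig.load();
    }

    /**
     * Uses the supplied configuration instead of loading it.
     *
     * @param basicAuthConfig configuration to install into the shared static field
     * @deprecated use the no-arg constructor, which loads the configuration itself
     */
    @Deprecated
    public BasicAuthMiddleware(BasicAuthConfig basicAuthConfig) {
        config = basicAuthConfig;
        if (LOG.isInfoEnabled()) {
            LOG.info("BasicAuthMiddleware is loaded.");
        }
    }

    /**
     * Dispatches on the {@code Authorization} header (looked up case-insensitively).
     *
     * <p>Scheme detection is case-insensitive and safe for headers shorter than the scheme
     * word; a header consisting only of the word {@code Basic} is rejected as invalid.
     *
     * @param lightLambdaExchange the current exchange; on some failure paths an initial
     *        response is set on it (see {@link #handleAnonymousAuth})
     * @return the success status, or an error status whose code is one of the constants of
     *         this class
     */
    @Override
    public Status execute(LightLambdaExchange lightLambdaExchange) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("BasicAuthMiddleware.execute starts.");
        }
        Optional<?> authorization = MapUtil.getValueIgnoreCase(
                lightLambdaExchange.getRequest().getHeaders(), "Authorization");
        String path = lightLambdaExchange.getRequest().getPath();
        if (authorization.isEmpty()) {
            return handleAnonymousAuth(lightLambdaExchange, path);
        }
        String header = (String) authorization.get();
        if (header.trim().isEmpty()) {
            return handleAnonymousAuth(lightLambdaExchange, path);
        }
        if (hasPrefix(header, BASIC_PREFIX)) {
            // A bare "Basic" with no credentials is not usable; the header is short, so it
            // can be logged and echoed in full.
            if (header.trim().length() == BASIC_PREFIX.length()) {
                LOG.error("Invalid/Unsupported authorization header {}", header);
                return errorStatus(INVALID_AUTHORIZATION_HEADER, header);
            }
            return handleBasicAuth(lightLambdaExchange, path, header);
        }
        if (hasPrefix(header, BEARER_PREFIX)) {
            return handleBearerToken(lightLambdaExchange, path, header);
        }
        String preview = preview(header);
        LOG.error("Invalid/Unsupported authorization header {}", preview);
        return errorStatus(INVALID_AUTHORIZATION_HEADER, preview);
    }

    /**
     * Handles a request that carries no usable {@code Authorization} header.
     *
     * <p>Unlike the other handlers, both failure paths here also set a 401-style initial
     * response with a {@code WWW-Authenticate} challenge on the exchange, so a client can
     * be prompted for credentials.
     *
     * @param lightLambdaExchange the current exchange
     * @param path request path to authorize against the anonymous user's paths
     * @return the success status, {@link #MISSING_AUTH_TOKEN} when anonymous access is not
     *         available, or {@link #NOT_AUTHORIZED_REQUEST_PATH} when the path is not covered
     */
    private Status handleAnonymousAuth(LightLambdaExchange lightLambdaExchange, String path) {
        UserAuth anonymous = config.isAllowAnonymous()
                ? config.getUsers().get(BasicAuthConfig.ANONYMOUS)
                : null;
        if (anonymous == null) {
            LOG.error("Anonymous is not allowed and authorization header is missing.");
            Status status = errorStatus(MISSING_AUTH_TOKEN);
            sendChallenge(lightLambdaExchange, status, CHALLENGE_MISSING_HEADER);
            return status;
        }
        if (isPathAuthorized(path, anonymous.getPaths())) {
            return successMiddlewareStatus();
        }
        LOG.error("Request path '{}' is not authorized for user '{}'", path, BasicAuthConfig.ANONYMOUS);
        Status status = errorStatus(NOT_AUTHORIZED_REQUEST_PATH, path, BasicAuthConfig.ANONYMOUS);
        sendChallenge(lightLambdaExchange, status, CHALLENGE_PATH_NOT_AUTHORIZED);
        return status;
    }

    /**
     * Authenticates a {@code Basic} authorization header and authorizes the request path.
     *
     * <p>The credential part is everything after the scheme word. If it contains no
     * {@code ':'} it is treated as Base64 and decoded as UTF-8; a value that already contains
     * {@code ':'} is accepted as plain {@code username:password} (lenient, unchanged from the
     * earlier behaviour). The user must exist in the configuration and the entry's own
     * username must equal the presented one. When the configured password is empty and AD is
     * enabled, the password is checked through LDAP; otherwise it is compared locally in
     * constant time. A local user with an empty configured password cannot authenticate.
     *
     * @param lightLambdaExchange the current exchange (not modified by this method)
     * @param path request path to authorize against the user's configured paths
     * @param header the full Authorization header value, beginning with {@code Basic}
     * @return the success status, or an error status with code {@link #INVALID_BASIC_HEADER},
     *         {@link #INVALID_USERNAME_OR_PASSWORD} or {@link #NOT_AUTHORIZED_REQUEST_PATH}
     */
    public Status handleBasicAuth(LightLambdaExchange lightLambdaExchange, String path, String header) {
        // Public entry point: do not assume the caller already checked the header length.
        String credentials = header.length() > BASIC_PREFIX.length()
                ? header.substring(BASIC_PREFIX.length()).stripLeading()
                : "";
        if (credentials.indexOf(':') == -1) {
            credentials = new String(Base64.decodeBase64(credentials), StandardCharsets.UTF_8);
        }
        int separator = credentials.indexOf(':');
        if (separator == -1) {
            LOG.error("Invalid basic authentication header. It must be username:password base64 encode.");
            return errorStatus(INVALID_BASIC_HEADER, preview(header));
        }
        String username = credentials.substring(0, separator);
        String password = credentials.substring(separator + 1);
        if (LOG.isTraceEnabled()) {
            // Even half-masked this reveals part of a secret; TRACE must stay off in production.
            LOG.trace("input username = {}, password = {}", username, StringUtils.maskHalfString(password));
        }
        UserAuth userAuth = config.getUsers().get(username);
        if (userAuth == null) {
            LOG.error("User '{}' is not found in the configuration file.", username);
            return errorStatus(INVALID_USERNAME_OR_PASSWORD);
        }
        // The map key and the entry's own username must agree (a null entry username is a
        // mismatch too); otherwise the entry is misconfigured and must not authenticate.
        if (!username.equals(userAuth.getUsername())) {
            LOG.error("Invalid username or password with authorization header = {}",
                    StringUtils.maskHalfString(header));
            return errorStatus(INVALID_USERNAME_OR_PASSWORD);
        }
        if (StringUtils.isEmpty(userAuth.getPassword()) && config.isEnableAD()) {
            if (LOG.isTraceEnabled()) {
                LOG.trace("Call LdapUtil with LDAP authentication and authorization for user = {}", username);
            }
            if (!handleLdapAuth(userAuth, password)) {
                return errorStatus(INVALID_USERNAME_OR_PASSWORD);
            }
        } else {
            if (LOG.isTraceEnabled()) {
                LOG.trace("Validate basic auth based on config username {} and password {}",
                        userAuth.getUsername(), StringUtils.maskHalfString(userAuth.getPassword()));
            }
            // Without AD, an empty configured password would match an empty presented
            // password; refuse it instead of treating "no password" as a valid credential.
            if (StringUtils.isEmpty(userAuth.getPassword())) {
                LOG.error("User '{}' has no password configured and AD authentication is disabled.", username);
                return errorStatus(INVALID_USERNAME_OR_PASSWORD);
            }
            if (!passwordMatches(password, userAuth.getPassword())) {
                LOG.error("Invalid username or password with authorization header = {}",
                        StringUtils.maskHalfString(header));
                return errorStatus(INVALID_USERNAME_OR_PASSWORD);
            }
        }
        if (LOG.isTraceEnabled()) {
            LOG.trace("Username and password validation is done for user = {}", username);
        }
        if (isPathAuthorized(path, userAuth.getPaths())) {
            return successMiddlewareStatus();
        }
        LOG.error("Request path '{}' is not authorized for user '{}'", path, userAuth.getUsername());
        return errorStatus(NOT_AUTHORIZED_REQUEST_PATH, path, userAuth.getUsername());
    }

    /**
     * Authenticates the user against LDAP with the presented password.
     *
     * @param userAuth configured user whose username is sent to LDAP
     * @param password presented password
     * @return {@code true} when {@link LdapUtil#authenticate} accepts the credentials
     */
    private static boolean handleLdapAuth(UserAuth userAuth, String password) {
        if (LdapUtil.authenticate(userAuth.getUsername(), password)) {
            return true;
        }
        LOG.error("user '{}' Ldap authentication failed", userAuth.getUsername());
        return false;
    }

    /**
     * Authorizes a {@code Bearer} header by request path only; the token is not inspected.
     *
     * @param lightLambdaExchange the current exchange (not modified by this method)
     * @param path request path to authorize against the {@code bearer} user's paths
     * @param header the full Authorization header value, beginning with {@code Bearer}
     * @return the success status, or an error status with code {@link #INVALID_BASIC_HEADER}
     *         when bearer tokens are disabled, {@link #BEARER_USER_NOT_FOUND} when no
     *         {@code bearer} user is configured, or {@link #NOT_AUTHORIZED_REQUEST_PATH}
     */
    private Status handleBearerToken(LightLambdaExchange lightLambdaExchange, String path, String header) {
        if (!config.isAllowBearerToken()) {
            LOG.error("Not a basic authentication header, and bearer token is not allowed.");
            return errorStatus(INVALID_BASIC_HEADER, preview(header));
        }
        UserAuth bearer = config.getUsers().get(BasicAuthConfig.BEARER);
        if (bearer == null) {
            LOG.error("Bearer token is allowed but missing the bearer user path definitions for authorization");
            return errorStatus(BEARER_USER_NOT_FOUND);
        }
        if (isPathAuthorized(path, bearer.getPaths())) {
            return successMiddlewareStatus();
        }
        LOG.error("Request path '{}' is not authorized for user '{}' ", path, BasicAuthConfig.BEARER);
        return errorStatus(NOT_AUTHORIZED_REQUEST_PATH, path, BasicAuthConfig.BEARER);
    }

    /**
     * Case-insensitive scheme check that is safe for headers shorter than the scheme word.
     */
    private static boolean hasPrefix(String header, String scheme) {
        return header != null && header.regionMatches(true, 0, scheme, 0, scheme.length());
    }

    /**
     * Returns at most the first {@value #HEADER_PREVIEW_LENGTH} characters of a header for
     * error reporting, without throwing on shorter values.
     */
    private static String preview(String header) {
        if (header == null) {
            return "";
        }
        return header.length() <= HEADER_PREVIEW_LENGTH ? header : header.substring(0, HEADER_PREVIEW_LENGTH);
    }

    /**
     * Compares a presented password with the configured one without an early exit on the
     * first differing byte ({@link MessageDigest#isEqual} only short-circuits on length).
     */
    private static boolean passwordMatches(String presented, String expected) {
        if (presented == null || expected == null) {
            return false;
        }
        return MessageDigest.isEqual(
                presented.getBytes(StandardCharsets.UTF_8), expected.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Prefix-matches the request path against the configured paths; a missing path list
     * (or path) authorizes nothing.
     */
    private static boolean isPathAuthorized(String path, Iterable<String> allowedPaths) {
        if (path == null || allowedPaths == null) {
            return false;
        }
        for (String prefix : allowedPaths) {
            if (prefix != null && path.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Logs the common "ends with an error" debug line and builds the error status.
     *
     * @param code one of the error-code constants of this class
     * @param args message arguments forwarded to {@link Status}
     */
    private static Status errorStatus(String code, Object... args) {
        if (LOG.isDebugEnabled()) {
            LOG.debug(EXECUTE_FAILED);
        }
        return new Status(code, args);
    }

    /**
     * Installs a response carrying the status and a {@code WWW-Authenticate} challenge as
     * the exchange's initial response.
     *
     * @param exchange the current exchange
     * @param status error status whose HTTP code and text form the response
     * @param challenge full {@code WWW-Authenticate} header value
     */
    private static void sendChallenge(LightLambdaExchange exchange, Status status, String challenge) {
        APIGatewayProxyResponseEvent response = new APIGatewayProxyResponseEvent();
        Map<String, String> headers = new HashMap<>();
        headers.put(CHALLENGE_HEADER, challenge);
        response.setHeaders(headers);
        response.setStatusCode(status.getStatusCode());
        response.setBody(status.toString());
        exchange.setInitialResponse(response);
    }

    @Override
    public boolean isEnabled() {
        return config.isEnabled();
    }

    /**
     * Registers this module with the non-decrypted configuration; the list passed last
     * names the {@code password} key, presumably so the registry view masks it.
     */
    @Override
    public void register() {
        List<String> maskedKeys = new ArrayList<>();
        maskedKeys.add("password");
        ModuleRegistry.registerModule(
                BasicAuthConfig.CONFIG_NAME,
                BasicAuthMiddleware.class.getName(),
                Config.getNoneDecryptedInstance().getJsonMapConfigNoCache(BasicAuthConfig.CONFIG_NAME),
                maskedKeys);
    }

    /** No-op: the configuration is only (re)loaded by constructing an instance. */
    @Override
    public void reload() {
    }

    @Override
    public boolean isAsynchronous() {
        return false;
    }

    /** A failed authentication stops the middleware chain. */
    @Override
    public boolean isContinueOnFailure() {
        return false;
    }

    @Override
    public boolean isAudited() {
        return false;
    }

    /** No cached configuration is kept beyond the static {@link #config} field. */
    @Override
    public void getCachedConfigurations() {
    }
}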
