package com.networknt.basicauth;

import com.networknt.config.Config;
import com.networknt.handler.Handler;
import com.networknt.handler.MiddlewareHandler;
import com.networknt.ldap.LdapUtil;
import com.networknt.utility.ModuleRegistry;
import com.networknt.utility.StringUtils;
import io.undertow.Handlers;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.util.Headers;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import org.apache.commons.codec.binary.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/networknt/basicauth/BasicAuthHandler.class */
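/**
 * Middleware that authenticates a request from its {@code Authorization} header.
 *
 * <p>Three cases are handled, in this order:
 * <ul>
 *   <li>no header: allowed only when anonymous access is enabled and the request path is
 *       listed for the {@link BasicAuthConfig#ANONYMOUS} user;</li>
 *   <li>{@code Basic ...}: the credentials are resolved against the configured users
 *       (or LDAP when the user has no password and {@code enableAD} is set) and the path is
 *       checked against that user's path list;</li>
 *   <li>{@code Bearer ...}: the token itself is not validated here; the request is only
 *       checked against the path list of the {@link BasicAuthConfig#BEARER} pseudo-user.</li>
 * </ul>
 * Any other scheme is rejected with {@code ERR12003}. Every rejection ends the exchange, so
 * the next handler is invoked only for authorized requests.
 *
 * <p>Prefix checks and error snippets are length-safe: a header shorter than the scheme
 * name (or shorter than the snippet that is echoed back) is rejected instead of raising
 * {@code StringIndexOutOfBoundsException}.
 */
public class BasicAuthHandler implements MiddlewareHandler {
    static final Logger logger = LoggerFactory.getLogger(BasicAuthHandler.class);
    static final String BEARER_PREFIX = "BEARER";
    static final String BASIC_PREFIX = "BASIC";
    // Shared across instances; (re)assigned by the constructors and reload().
    static BasicAuthConfig config;
    static final String MISSING_AUTH_TOKEN = "ERR10002";
    static final String INVALID_BASIC_HEADER = "ERR10046";
    static final String INVALID_USERNAME_OR_PASSWORD = "ERR10047";
    static final String NOT_AUTHORIZED_REQUEST_PATH = "ERR10071";
    static final String INVALID_AUTHORIZATION_HEADER = "ERR12003";
    static final String BEARER_USER_NOT_FOUND = "ERR10072";
    /** Number of leading header characters echoed back in error responses and logs. */
    private static final int HEADER_SNIPPET_LENGTH = 10;
    /** Config keys whose values must be masked when the module is registered. */
    private static final String MASKED_CONFIG_KEY = "password";
    private volatile HttpHandler next;

    /** Creates the handler with the configuration loaded by {@link BasicAuthConfig#load()}. */
    public BasicAuthHandler() {
        config = BasicAuthConfig.load();
        if (logger.isInfoEnabled()) {
            logger.info("BasicAuthHandler is loaded.");
        }
    }

    /**
     * Creates the handler with an explicit configuration.
     *
     * @param basicAuthConfig the configuration to use for every instance of this handler
     * @deprecated use the no-arg constructor, which loads the configuration itself
     */
    @Deprecated
    public BasicAuthHandler(BasicAuthConfig basicAuthConfig) {
        config = basicAuthConfig;
        if (logger.isInfoEnabled()) {
            logger.info("BasicAuthHandler is loaded.");
        }
    }

    /**
     * Dispatches on the {@code Authorization} header and passes authorized requests on.
     *
     * @param exchange the current exchange
     * @throws Exception propagated from the next handler
     */
    @Override
    public void handleRequest(HttpServerExchange exchange) throws Exception {
        if (logger.isDebugEnabled()) {
            logger.debug("BasicAuthHandler.handleRequest starts.");
        }
        String authHeader = exchange.getRequestHeaders().getFirst(Headers.AUTHORIZATION);
        String requestPath = exchange.getRequestPath();
        if (authHeader == null || authHeader.trim().isEmpty()) {
            if (!handleAnonymousAuth(exchange, requestPath)) {
                return;
            }
        } else if (hasScheme(authHeader, BASIC_PREFIX)) {
            // Bare "Basic" with nothing after it carries no credentials at all.
            if (authHeader.trim().length() == BASIC_PREFIX.length()) {
                logger.error("Invalid/Unsupported authorization header {}", authHeader);
                setExchangeStatus(exchange, INVALID_AUTHORIZATION_HEADER, authHeader);
                exchange.endExchange();
                return;
            }
            if (!handleBasicAuth(exchange, requestPath, authHeader)) {
                return;
            }
        } else if (hasScheme(authHeader, BEARER_PREFIX)) {
            if (!handleBearerToken(exchange, requestPath, authHeader)) {
                return;
            }
        } else {
            // Only a bounded snippet of an unknown header is echoed back.
            String snippet = snippet(authHeader);
            logger.error("Invalid/Unsupported authorization header {}", snippet);
            setExchangeStatus(exchange, INVALID_AUTHORIZATION_HEADER, snippet);
            exchange.endExchange();
            return;
        }
        if (logger.isDebugEnabled()) {
            logger.debug("BasicAuthHandler.handleRequest ends.");
        }
        Handler.next(exchange, this.next);
    }

    /**
     * Authorizes a request that carries no {@code Authorization} header.
     *
     * @param exchange the current exchange
     * @param requestPath the request path to check against the anonymous user's path list
     * @return {@code true} if the request may proceed; {@code false} if the exchange was ended
     */
    private boolean handleAnonymousAuth(HttpServerExchange exchange, String requestPath) {
        if (!config.isAllowAnonymous() || !config.getUsers().containsKey(BasicAuthConfig.ANONYMOUS)) {
            logger.error("Anonymous is not allowed and authorization header is missing.");
            exchange.getResponseHeaders().put(Headers.WWW_AUTHENTICATE, "Basic realm=\"Basic Auth\"");
            return endWithError(exchange, MISSING_AUTH_TOKEN);
        }
        UserAuth anonymous = config.getUsers().get(BasicAuthConfig.ANONYMOUS);
        if (isPathAuthorized(requestPath, anonymous.getPaths())) {
            return true;
        }
        logger.error("Request path '{}' is not authorized for user '{}'", requestPath, BasicAuthConfig.ANONYMOUS);
        // NOTE(review): realm differs from the one sent above ("Basic Auth"); kept as-is.
        exchange.getResponseHeaders().put(Headers.WWW_AUTHENTICATE, "Basic realm=\"Default Realm\"");
        return endWithError(exchange, NOT_AUTHORIZED_REQUEST_PATH, requestPath, BasicAuthConfig.ANONYMOUS);
    }

    /**
     * Validates a {@code Basic} header against the configured users (or LDAP) and the
     * matched user's path list.
     *
     * <p>The credential part may be either base64 of {@code username:password} or the plain
     * {@code username:password} form; the presence of a colon decides which.
     *
     * @param exchange the current exchange
     * @param requestPath the request path to authorize
     * @param authHeader the full {@code Authorization} header value, starting with the scheme
     * @return {@code true} if the request may proceed; {@code false} if the exchange was ended
     */
    public boolean handleBasicAuth(HttpServerExchange exchange, String requestPath, String authHeader) {
        // Skip "Basic " (scheme plus one separator); a shorter header yields empty credentials.
        int credentialsStart = BASIC_PREFIX.length() + 1;
        String credentials = authHeader.length() > credentialsStart ? authHeader.substring(credentialsStart) : "";
        if (credentials.indexOf(':') == -1) {
            credentials = new String(Base64.decodeBase64(credentials), StandardCharsets.UTF_8);
        }
        int separator = credentials.indexOf(':');
        if (separator == -1) {
            logger.error("Invalid basic authentication header. It must be username:password base64 encode.");
            return endWithError(exchange, INVALID_BASIC_HEADER, snippet(authHeader));
        }
        String username = credentials.substring(0, separator);
        String password = credentials.substring(separator + 1);
        if (logger.isTraceEnabled()) {
            logger.trace("input username = {}, password = {}", username, StringUtils.maskHalfString(password));
        }
        UserAuth userAuth = config.getUsers().get(username);
        if (userAuth == null) {
            logger.error("User '{}' is not found in the configuration file.", username);
            return endWithError(exchange, INVALID_USERNAME_OR_PASSWORD);
        }
        if (username.equals(userAuth.getUsername()) && StringUtils.isEmpty(userAuth.getPassword()) && config.enableAD) {
            if (logger.isTraceEnabled()) {
                logger.trace("Call LdapUtil with LDAP authentication and authorization for user = {}", username);
            }
            if (!handleLdapAuth(userAuth, password)) {
                return endWithError(exchange, INVALID_USERNAME_OR_PASSWORD);
            }
        } else {
            if (logger.isTraceEnabled()) {
                logger.trace("Validate basic auth based on config username {} and password {}", userAuth.getUsername(), StringUtils.maskHalfString(userAuth.getPassword()));
            }
            // NOTE(review): with enableAD=false an empty configured password matches an empty
            // supplied password, as in the original; confirm this is intended.
            if (!userAuth.getUsername().equals(username) || !passwordMatches(password, userAuth.getPassword())) {
                logger.error("Invalid username or password with authorization header = {}", StringUtils.maskHalfString(authHeader));
                return endWithError(exchange, INVALID_USERNAME_OR_PASSWORD);
            }
        }
        if (logger.isTraceEnabled()) {
            logger.trace("Username and password validation is done for user = {}", username);
        }
        if (isPathAuthorized(requestPath, userAuth.getPaths())) {
            return true;
        }
        logger.error("Request path '{}' is not authorized for user '{}'", requestPath, userAuth.getUsername());
        return endWithError(exchange, NOT_AUTHORIZED_REQUEST_PATH, requestPath, userAuth.getUsername());
    }

    /**
     * Authenticates the user against LDAP via {@link LdapUtil#authenticate}.
     *
     * @param userAuth the configured user whose name is bound
     * @param password the password supplied in the request
     * @return {@code true} on successful bind
     */
    private static boolean handleLdapAuth(UserAuth userAuth, String password) {
        if (LdapUtil.authenticate(userAuth.getUsername(), password)) {
            return true;
        }
        logger.error("user '{}' Ldap authentication failed", userAuth.getUsername());
        return false;
    }

    /**
     * Authorizes a {@code Bearer} request against the path list of the bearer pseudo-user.
     * The token value itself is not inspected here.
     *
     * @param exchange the current exchange
     * @param requestPath the request path to authorize
     * @param authHeader the full {@code Authorization} header value
     * @return {@code true} if the request may proceed; {@code false} if the exchange was ended
     */
    private boolean handleBearerToken(HttpServerExchange exchange, String requestPath, String authHeader) {
        if (!config.allowBearerToken) {
            logger.error("Not a basic authentication header, and bearer token is not allowed.");
            return endWithError(exchange, INVALID_BASIC_HEADER, snippet(authHeader));
        }
        UserAuth userAuth = config.getUsers().get(BasicAuthConfig.BEARER);
        if (userAuth == null) {
            logger.error("Bearer token is allowed but missing the bearer user path definitions for authorization");
            return endWithError(exchange, BEARER_USER_NOT_FOUND);
        }
        if (isPathAuthorized(requestPath, userAuth.getPaths())) {
            return true;
        }
        logger.error("Request path '{}' is not authorized for user '{}' ", requestPath, BasicAuthConfig.BEARER);
        return endWithError(exchange, NOT_AUTHORIZED_REQUEST_PATH, requestPath, BasicAuthConfig.BEARER);
    }

    /**
     * Returns whether {@code requestPath} starts with any configured prefix.
     *
     * @param requestPath the request path
     * @param allowedPaths configured path prefixes; a {@code null} list authorizes nothing
     * @return {@code true} when at least one prefix matches
     */
    private static boolean isPathAuthorized(String requestPath, Iterable<String> allowedPaths) {
        if (allowedPaths == null) {
            return false;
        }
        for (String prefix : allowedPaths) {
            if (requestPath.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Compares a supplied password with the configured one without short-circuiting on the
     * first differing byte, so the comparison time does not reveal how much of it matched.
     *
     * @return {@code false} when either side is {@code null}
     */
    private static boolean passwordMatches(String supplied, String expected) {
        if (supplied == null || expected == null) {
            return false;
        }
        return MessageDigest.isEqual(
                supplied.getBytes(StandardCharsets.UTF_8), expected.getBytes(StandardCharsets.UTF_8));
    }

    /** Case-insensitive scheme check that is safe for headers shorter than the scheme name. */
    private static boolean hasScheme(String header, String scheme) {
        return header.regionMatches(true, 0, scheme, 0, scheme.length());
    }

    /** At most the first {@link #HEADER_SNIPPET_LENGTH} characters of a header value. */
    private static String snippet(String header) {
        return header.substring(0, Math.min(HEADER_SNIPPET_LENGTH, header.length()));
    }

    /**
     * Sets the error status, logs the end of the request and ends the exchange.
     *
     * @return always {@code false}, so callers can {@code return endWithError(...)}
     */
    private boolean endWithError(HttpServerExchange exchange, String code, Object... args) {
        setExchangeStatus(exchange, code, args);
        if (logger.isDebugEnabled()) {
            logger.debug("BasicAuthHandler.handleRequest ends with an error.");
        }
        exchange.endExchange();
        return false;
    }

    @Override
    public HttpHandler getNext() {
        return this.next;
    }

    @Override
    public MiddlewareHandler setNext(HttpHandler httpHandler) {
        Handlers.handlerNotNull(httpHandler);
        this.next = httpHandler;
        return this;
    }

    @Override
    public boolean isEnabled() {
        return config.isEnabled();
    }

    /** Registers this module with the non-decrypted config and the password key masked. */
    @Override
    public void register() {
        registerModule();
    }

    /** Reloads the configuration and re-registers the module. */
    @Override
    public void reload() {
        config.reload();
        registerModule();
        if (logger.isInfoEnabled()) {
            logger.info("BasicAuthHandler is reloaded.");
        }
    }

    /** Shared by {@link #register()} and {@link #reload()}. */
    private static void registerModule() {
        List<String> maskedKeys = new ArrayList<>();
        maskedKeys.add(MASKED_CONFIG_KEY);
        ModuleRegistry.registerModule(
                BasicAuthConfig.CONFIG_NAME,
                BasicAuthHandler.class.getName(),
                Config.getNoneDecryptedInstance().getJsonMapConfigNoCache(BasicAuthConfig.CONFIG_NAME),
                maskedKeys);
    }
}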
