package com.aerospike.firefly.security;

import com.aerospike.firefly.security.UserContext;
import com.aerospike.firefly.util.ConfigurationHelper;
import com.aerospike.firefly.util.exceptions.AerospikeGraphAuthException;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTCreator;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.Claim;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.auth0.jwt.interfaces.JWTVerifier;
import gnu.crypto.util.Base64;
import io.vertx.ext.auth.authorization.impl.RoleBasedAuthorizationConverter;
import java.net.InetAddress;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import org.apache.commons.configuration2.MapConfiguration;
import org.apache.tinkerpop.gremlin.server.auth.AuthenticatedUser;
import org.apache.tinkerpop.gremlin.server.auth.AuthenticationException;
import org.apache.tinkerpop.gremlin.server.auth.Authenticator;
import org.apache.tinkerpop.gremlin.server.auth.SimpleAuthenticator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/aerospike/firefly/security/JWTAuthenticator.class */
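/**
 * Gremlin Server {@link Authenticator} that accepts HMAC-signed JSON Web Tokens as credentials.
 *
 * <p>Tokens are verified with the algorithm, secret and issuer supplied to {@link #setup(Map)}.
 * The verifier is bound to that one fixed {@link Algorithm}, so the {@code alg} header of a
 * presented token cannot select a different signature scheme. Over SASL PLAIN the token travels
 * as the password, and the SASL authentication id must equal the token's {@code sub} claim.
 *
 * <p>{@link #setup(Map)} is expected to run once, before any request is served; the class is not
 * written for concurrent re-initialisation.
 */
public class JWTAuthenticator implements Authenticator {
    /** Field separator of the SASL PLAIN message ({@code [authzid] NUL authcid NUL passwd}). */
    private static final byte NUL = 0;
    /**
     * Smallest HMAC key length (bytes) that does not trigger a warning; RFC 7518 §3.2 requires a
     * key at least as long as the hash output, i.e. 32 bytes for HS256.
     */
    private static final int MIN_SECRET_BYTES = 32;
    private static final Logger LOG = LoggerFactory.getLogger(JWTAuthenticator.class);
    /** Algorithm names accepted by the {@code jwt.algorithm} setting (case-insensitive). */
    public static final Set<String> SUPPORTED_ALGORITHMS = Set.of("HMAC256", "HMAC384", "HMAC512");
    private static JWTAuthenticator INSTANCE = null;

    private JWTVerifier verifier;
    private String issuer = null;
    private Algorithm algo = null;

    /** Authenticated principal backed by a verified token; the {@code sub} claim is the user name. */
    public static class JWTAuthenticatedUser extends AuthenticatedUser implements UserContext {
        private final DecodedJWT decodedJWT;

        /**
         * @param decodedJWT a token that has already passed signature and issuer verification
         */
        public JWTAuthenticatedUser(DecodedJWT decodedJWT) {
            super(decodedJWT.getSubject());
            this.decodedJWT = decodedJWT;
        }

        /** Always throws: roles are scoped to a graph, use {@link #getRole(String)}. */
        @Override
        public UserContext.ROLE getRole() {
            throw new IllegalStateException("Role should always be used with Graph");
        }

        /**
         * Returns the raw role claim.
         *
         * @return a {@code Map} of graph name to role when the claim is a JSON object, otherwise
         *     the single {@link UserContext.ROLE}; {@code null} when the claim is absent or its
         *     value is not a known role
         */
        public Object getRoles() {
            Claim claim = roleClaim();
            if (claim == null) {
                return null;
            }
            Map<String, Object> perGraph = claim.asMap();
            return perGraph != null ? perGraph : parseRole(claim);
        }

        /**
         * Resolves the role granted for one graph.
         *
         * @param graph graph name; used as the key when the role claim is a map
         * @return the role for {@code graph}, the claim's single role when it is a plain value, or
         *     {@code null} when nothing is granted or the value is not a known role
         */
        public UserContext.ROLE getRole(String graph) {
            Claim claim = roleClaim();
            if (claim == null) {
                return null;
            }
            Map<String, Object> perGraph = claim.asMap();
            if (perGraph == null) {
                return parseRole(claim);
            }
            Object value = perGraph.get(graph);
            return value == null ? null : parseRole(value);
        }

        /** {@code true} while the token carries no {@code exp} claim or it lies in the future. */
        @Override
        public boolean valid() {
            Instant expiresAt = this.decodedJWT.getExpiresAtAsInstant();
            return expiresAt == null || expiresAt.isAfter(Instant.now());
        }

        /** The role claim, keyed by the Vert.x role converter type; {@code null} when absent. */
        private Claim roleClaim() {
            return this.decodedJWT.getClaims().get(RoleBasedAuthorizationConverter.TYPE);
        }

        /**
         * Converts a claim (or a value inside a map claim) to a role. The JSON rendering of a
         * string claim keeps its quotes, which is why they are stripped before the enum lookup.
         *
         * @return the role, or {@code null} when the text is not a {@link UserContext.ROLE} name
         */
        private static UserContext.ROLE parseRole(Object value) {
            try {
                return UserContext.ROLE.valueOf(value.toString().replaceAll("\"", ""));
            } catch (IllegalArgumentException ignored) {
                return null; // unknown role names grant nothing rather than failing the request
            }
        }
    }

    /** SASL PLAIN negotiator: one client message carries the user name and the JWT as password. */
    private class PlainTextSaslAuthenticator implements Authenticator.SaslNegotiator {
        private boolean complete = false;
        private String username;
        private String password;

        private PlainTextSaslAuthenticator() {
        }

        /**
         * Parses the client's PLAIN message.
         *
         * @return always {@code null}: PLAIN completes in a single client message, there is no
         *     challenge to return
         * @throws AuthenticationException if the message is not a well-formed PLAIN message
         */
        @Override
        public byte[] evaluateResponse(byte[] message) throws AuthenticationException {
            decodeCredentials(message);
            this.complete = true;
            return null;
        }

        @Override
        public boolean isComplete() {
            return this.complete;
        }

        /**
         * Authenticates the parsed credentials through {@link JWTAuthenticator#authenticate(Map)}.
         *
         * @throws AuthenticationException if {@link #evaluateResponse(byte[])} has not succeeded yet
         *     or the token does not validate
         */
        @Override
        public AuthenticatedUser getAuthenticatedUser() throws AuthenticationException {
            if (!this.complete) {
                throw new AuthenticationException("SASL negotiation not complete");
            }
            Map<String, String> credentials = new HashMap<>();
            credentials.put("username", this.username);
            credentials.put("password", this.password);
            return JWTAuthenticator.this.authenticate(credentials);
        }

        /**
         * Splits {@code [authzid] NUL authcid NUL passwd} into user name and password, scanning
         * from the end so that an optional leading authorization id is ignored.
         *
         * @throws AuthenticationException if the message is {@code null} or lacks either field
         */
        private void decodeCredentials(byte[] message) throws AuthenticationException {
            if (message == null) {
                throw new AuthenticationException("SASL PLAIN message must not be null");
            }
            byte[] authcid = null;
            byte[] passwd = null;
            int end = message.length;
            for (int i = message.length - 1; i >= 0; i--) {
                if (message[i] == NUL) {
                    if (passwd == null) {
                        passwd = Arrays.copyOfRange(message, i + 1, end);
                    } else if (authcid == null) {
                        authcid = Arrays.copyOfRange(message, i + 1, end);
                    }
                    end = i;
                }
            }
            if (authcid == null) {
                throw new AuthenticationException("Authentication ID must not be null");
            }
            if (passwd == null) {
                throw new AuthenticationException("Password must not be null");
            }
            this.username = new String(authcid, StandardCharsets.UTF_8);
            this.password = new String(passwd, StandardCharsets.UTF_8);
        }
    }

    @Override
    public boolean requireAuthentication() {
        return true;
    }

    /**
     * Issues a signed token for {@code subject}.
     *
     * @param subject the user name, stored in the {@code sub} claim
     * @param role either a single role name ({@code String}) or a {@code Map} of graph name to role
     * @param ttlSeconds token lifetime from now; {@code null} issues a token without {@code exp}
     * @return the compact serialized JWT
     * @throws IllegalStateException if {@link #setup(Map)} has not completed, or {@code role} is
     *     neither a {@code String} nor a {@code Map}
     */
    public String createToken(String subject, Object role, Number ttlSeconds) {
        if (this.algo == null || this.issuer == null) {
            throw new IllegalStateException("Cannot issue JWT token; JWTAuthenticator is not initialized.");
        }
        if (!(role instanceof String) && !(role instanceof Map)) {
            throw new IllegalStateException("Cannot issue JWT token; User role must be Map or String.");
        }
        JWTCreator.Builder builder = JWT.create().withSubject(subject).withIssuer(this.issuer);
        if (ttlSeconds != null) {
            builder.withExpiresAt(Instant.now().plusSeconds(ttlSeconds.longValue()));
        }
        if (role instanceof Map) {
            @SuppressWarnings("unchecked") // the map is serialized as a JSON object; key type is not enforced by the library
            Map<String, ?> perGraph = (Map<String, ?>) role;
            builder.withClaim(RoleBasedAuthorizationConverter.TYPE, perGraph);
        } else {
            builder.withClaim(RoleBasedAuthorizationConverter.TYPE, (String) role);
        }
        return builder.sign(this.algo);
    }

    /**
     * @return the authenticator registered by the last successful {@link #setup(Map)}
     * @throws AerospikeGraphAuthException if no authenticator has been set up yet
     */
    public static JWTAuthenticator getInstance() {
        if (INSTANCE == null) {
            throw AerospikeGraphAuthException.authNotInitialized();
        }
        return INSTANCE;
    }

    /**
     * Configures algorithm, secret and issuer and builds the token verifier.
     *
     * @param map the {@code authentication.config} settings; must contain the JWT secret and issuer
     *     keys, and the algorithm key selecting one of {@link #SUPPORTED_ALGORITHMS}
     * @throws IllegalArgumentException if the settings are empty, the algorithm or secret is
     *     missing or the algorithm is unsupported
     * @throws IllegalStateException if the secret or issuer key is absent
     */
    @Override
    public void setup(Map<String, Object> map) {
        LOG.info("Initializing authentication with the {}", JWTAuthenticator.class.getName());
        if (map == null || map.isEmpty()) {
            throw new IllegalArgumentException(String.format("Could not configure a %s - provide a 'config' in the 'authentication' settings", JWTAuthenticator.class.getName()));
        }
        MapConfiguration configuration = new MapConfiguration(map);
        List<String> missing = new ArrayList<>();
        if (!map.containsKey(ConfigurationHelper.Keys.JWT_SECRET)) {
            missing.add(ConfigurationHelper.Keys.JWT_SECRET);
        }
        if (!map.containsKey(ConfigurationHelper.Keys.JWT_ISSUER)) {
            missing.add(ConfigurationHelper.Keys.JWT_ISSUER);
        }
        if (!missing.isEmpty()) {
            throw new IllegalStateException(String.format("Configuration missing the following key(s) %s", missing));
        }
        if (map.containsKey(ConfigurationHelper.Keys.JWT_ALGORITHM)) {
            this.algo = buildAlgorithm(
                    ConfigurationHelper.getOrDefaultString(ConfigurationHelper.Keys.JWT_ALGORITHM, configuration),
                    ConfigurationHelper.getOrDefaultString(ConfigurationHelper.Keys.JWT_SECRET, configuration));
        }
        // Without an algorithm there is nothing to verify signatures with; fail here with an
        // actionable message instead of letting the verifier builder reject the null algorithm.
        if (this.algo == null) {
            throw new IllegalArgumentException("aerospike.graph-service.auth.jwt.algorithm must be configured, must be one of " + SUPPORTED_ALGORITHMS + ".");
        }
        this.issuer = ConfigurationHelper.getOrDefaultString(ConfigurationHelper.Keys.JWT_ISSUER, configuration);
        this.verifier = JWT.require(this.algo).withIssuer(this.issuer).build();
        INSTANCE = this;
    }

    /**
     * Maps a configured algorithm name to a keyed HMAC {@link Algorithm}.
     *
     * @param name one of {@link #SUPPORTED_ALGORITHMS}, matched case-insensitively
     * @param secret the shared HMAC key (never logged)
     * @throws IllegalArgumentException if either value is {@code null} or the name is unsupported
     */
    private static Algorithm buildAlgorithm(String name, String secret) {
        if (name == null) {
            throw new IllegalArgumentException("aerospike.graph-service.auth.jwt.algorithm cannot be null, must be one of " + SUPPORTED_ALGORITHMS + ".");
        }
        if (secret == null) {
            throw new IllegalArgumentException("aerospike.graph-service.auth.jwt.secret cannot be null.");
        }
        if (secret.getBytes(StandardCharsets.UTF_8).length < MIN_SECRET_BYTES) {
            LOG.warn("aerospike.graph-service.auth.jwt.secret is shorter than {} bytes; RFC 7518 requires an HMAC key at least as long as the hash output", MIN_SECRET_BYTES);
        }
        switch (name.toUpperCase(Locale.ROOT)) {
            case "HMAC256":
                return Algorithm.HMAC256(secret);
            case "HMAC384":
                return Algorithm.HMAC384(secret);
            case "HMAC512":
                return Algorithm.HMAC512(secret);
            default:
                throw new IllegalArgumentException(String.format("aerospike.graph-service.auth.jwt.algorithm '%s' is not supported, supported algorithms are %s.", name, SUPPORTED_ALGORITHMS));
        }
    }

    @Override
    public Authenticator.SaslNegotiator newSaslNegotiator(InetAddress inetAddress) {
        return new PlainTextSaslAuthenticator();
    }

    /**
     * Authenticates a Base64-encoded compact JWT presented directly, without a SASL exchange.
     *
     * @param encodedToken Base64 encoding of the compact serialized token
     * @return the authenticated user backed by the verified token
     * @throws AuthenticationException if the value cannot be decoded, fails signature or issuer
     *     verification, or is expired
     */
    public AuthenticatedUser authenticate(String encodedToken) throws AuthenticationException {
        if (encodedToken == null) {
            throw new AuthenticationException("Credentials must not be null");
        }
        try {
            String token = new String(Base64.decode(encodedToken), StandardCharsets.UTF_8);
            return new JWTAuthenticatedUser(verifyUnexpired(token));
        } catch (AuthenticationException e) {
            throw e; // already carries a precise reason; do not wrap it a second time
        } catch (Exception e) {
            throw credentialFailure(e);
        }
    }

    /**
     * Authenticates SASL-style credentials: the JWT is the password and the user name must equal
     * the token's subject.
     *
     * @param map credentials with {@code username} and {@code password} keys
     * @return the authenticated user backed by the verified token
     * @throws AuthenticationException if a key is missing, the token fails verification or is
     *     expired, or the subject does not match the user name
     */
    @Override
    public AuthenticatedUser authenticate(Map<String, String> map) throws AuthenticationException {
        if (map == null || !map.containsKey("username")) {
            throw new AuthenticationException(String.format("Credentials must contain a %s", "username"));
        }
        if (!map.containsKey("password")) {
            throw new AuthenticationException(String.format("Credentials must contain a %s", "password"));
        }
        String username = map.get("username");
        try {
            DecodedJWT decoded = verifyUnexpired(map.get("password"));
            // Bind the presented identity to the token: a valid token for one user must not
            // authenticate a different SASL user name.
            if (decoded.getSubject() == null || !decoded.getSubject().equals(username)) {
                throw new AuthenticationException("User does not match token subject");
            }
            return new JWTAuthenticatedUser(decoded);
        } catch (AuthenticationException e) {
            throw e;
        } catch (Exception e) {
            throw credentialFailure(e);
        }
    }

    /**
     * Verifies signature and issuer with the configured verifier and, as a second line of defence
     * independent of the library's own expiry handling, rejects a token whose {@code exp} has passed.
     */
    private DecodedJWT verifyUnexpired(String token) throws AuthenticationException {
        DecodedJWT decoded = this.verifier.verify(token);
        Instant expiresAt = decoded.getExpiresAtAsInstant();
        if (expiresAt != null && expiresAt.isBefore(Instant.now())) {
            throw new AuthenticationException(String.format("JWT is already expired, expiry date: %s", expiresAt));
        }
        return decoded;
    }

    /**
     * Wraps a decoding or verification error. The message keeps the library's reason for the
     * client; the cause is attached so server-side logs retain the full stack trace (the token
     * itself is never logged).
     */
    private static AuthenticationException credentialFailure(Exception cause) {
        LOG.debug("JWT credential validation failed", cause);
        AuthenticationException failure = new AuthenticationException(String.format("Failure to validate credentials: %s", cause.getMessage()));
        failure.initCause(cause); // single-arg constructor leaves the cause unset, so this is permitted once
        return failure;
    }
}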
