package org.jfrog.access.server.service.auth;

import java.nio.CharBuffer;
import java.security.Principal;
import java.util.Optional;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.jfrog.access.server.config.AccessConfig;
import org.jfrog.access.server.db.service.TokenStorageService;
import org.jfrog.access.server.exception.ForbiddenException;
import org.jfrog.access.server.exception.UnauthorizedException;
import org.jfrog.access.server.model.User;
import org.jfrog.access.server.service.CertificateService;
import org.jfrog.access.server.service.auth.model.AccessPrincipal;
import org.jfrog.access.server.service.auth.model.AnonymousPrincipal;
import org.jfrog.access.server.service.auth.model.TokenPrincipal;
import org.jfrog.access.server.service.auth.model.UserPrincipal;
import org.jfrog.access.server.service.storage.UserStorageService;
import org.jfrog.access.token.JwtAccessToken;
import org.jfrog.access.token.JwtAccessTokenImpl;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

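/**
 * Authenticates callers either by username/password (checked against the user store) or by a
 * signed JWT access token, and tracks the principal bound to the current thread.
 *
 * <p>Thread-safety: the only mutable state is the per-thread {@link #principalHolder}; the
 * injected collaborators are assumed to be thread-safe Spring singletons.
 */
@Service
/* loaded from: input_file:WEB-INF/lib/access-server-core-2.0.1.jar:org/jfrog/access/server/service/auth/AuthenticationServiceImpl.class */
public class AuthenticationServiceImpl implements AuthenticationService {
    private static final Logger log = LoggerFactory.getLogger(AuthenticationServiceImpl.class);

    /**
     * Single failure message for every credential-based rejection, so the response text does not
     * reveal whether the username exists (an unknown user falls through to the token path, whose
     * own messages would otherwise leak that fact).
     */
    private static final String INVALID_CREDENTIALS = "invalid credentials";

    /** Allowed-IP entry that matches any remote address. */
    private static final String ANY_ADDRESS = "*";
    /** Loopback literals that are treated as equivalent when comparing remote addresses. */
    private static final String IPV4_LOOPBACK = "127.0.0.1";
    private static final String IPV6_LOOPBACK = "0:0:0:0:0:0:0:1";

    /**
     * Principal bound to the current thread; anonymous until {@link #login} is called.
     * Inheritable so threads spawned by the handling thread start with the same principal.
     * A value set by {@code login} stays on the thread until {@link #logout} — on pooled threads
     * callers are expected to pair the two (confirm against the request filter that drives this).
     */
    private final InheritableThreadLocal<Principal> principalHolder = new InheritableThreadLocal<Principal>() {
        @Override
        protected Principal initialValue() {
            return AnonymousPrincipal.ANONYMOUS_PRINCIPAL;
        }
    };

    @Autowired
    private UserStorageService userStorageService;

    @Autowired
    private TokenStorageService tokenStorageService;

    @Autowired
    private CertificateService certificateService;

    @Autowired
    private AccessConfig accessConfig;

    @Autowired
    private PasswordEncoder passwordEncoder;

    /**
     * Returns the principal bound to the current thread, never {@code null}
     * (the anonymous principal when nobody is logged in).
     */
    @Override
    @Nonnull
    public Principal getLoggedInPrincipal() {
        return this.principalHolder.get();
    }

    /** Binds {@code accessPrincipal} to the current thread. */
    @Override
    public void login(@Nonnull AccessPrincipal accessPrincipal) {
        this.principalHolder.set(accessPrincipal);
    }

    /** Resets the current thread's principal to anonymous. */
    @Override
    public void logout() {
        this.principalHolder.set(AnonymousPrincipal.ANONYMOUS_PRINCIPAL);
    }

    /**
     * Authenticates with a username and password. When no such user exists the call falls back
     * to token authentication: the password is parsed as an access token whose subject must equal
     * the username.
     *
     * @param username      username, or the expected token subject on the fallback path
     * @param password      password, or the raw token value on the fallback path
     * @param remoteAddress caller's remote address, matched against the user's allowed IPs
     * @return the authenticated principal
     * @throws UnauthorizedException if the password does not match or the fallback token is invalid
     * @throws ForbiddenException    if the password matches but the user may not log in from
     *                               {@code remoteAddress}
     */
    @Override
    @Nonnull
    public AccessPrincipal authenticate(@Nonnull String username, @Nonnull String password, @Nonnull String remoteAddress)
            throws UnauthorizedException, ForbiddenException {
        Optional<User> found = this.userStorageService.findUserByUsername(username);
        if (!found.isPresent()) {
            return authenticateAsTokenFallback(password, username);
        }
        User user = found.get();
        log.trace("Found user by username '{}': {}", username, user.getId());
        if (!this.passwordEncoder.matches(password, user.getPassword())) {
            throw new UnauthorizedException(INVALID_CREDENTIALS);
        }
        log.debug("Remote address: {}", remoteAddress);
        if (!remoteAddressAllowedForUser(remoteAddress, user)) {
            throw new ForbiddenException("User '" + username + "' is not allowed to login from remote address: " + remoteAddress);
        }
        log.debug("User '{}' authenticated successfully", username);
        return new UserPrincipal(this.accessConfig.getAccessServerId(), user);
    }

    /**
     * Token fallback for {@link #authenticate(String, String, String)}. Any token failure is
     * re-thrown with the same message as a password failure; the detailed reason is kept as the
     * cause and logged at debug level. The error text therefore no longer distinguishes an unknown
     * username from a wrong password (the two paths still differ in timing).
     *
     * @param credential  value supplied as the password, parsed as a token
     * @param subjectName username the token's subject must equal
     */
    private AccessPrincipal authenticateAsTokenFallback(String credential, String subjectName) throws UnauthorizedException {
        try {
            return authenticate(credential, subjectName);
        } catch (UnauthorizedException e) {
            log.debug("Token fallback authentication failed for subject '{}': {}", subjectName, e.getMessage());
            throw new UnauthorizedException(INVALID_CREDENTIALS, e);
        }
    }

    /** True if the user's allowed-IP list holds the wildcard or an entry equal to {@code remoteAddress}. */
    private static boolean remoteAddressAllowedForUser(String remoteAddress, User user) {
        return user.getAllowedIps().stream()
                .anyMatch(allowed -> ANY_ADDRESS.equals(allowed) || equalIpAddress(remoteAddress, allowed));
    }

    /**
     * Textual address comparison: no normalisation is applied (e.g. "::1" does not equal the
     * expanded IPv6 form), except that the IPv4 and IPv6 loopback literals match each other.
     */
    private static boolean equalIpAddress(String left, String right) {
        return (isLocalhost(left) && isLocalhost(right)) || left.equals(right);
    }

    private static boolean isLocalhost(String address) {
        return IPV4_LOOPBACK.equals(address) || IPV6_LOOPBACK.equals(address);
    }

    /**
     * Authenticates with a signed access token.
     *
     * <p>Checks, in order: signature against the root certificate's public key; subject match when
     * {@code subjectName} is given; expiry; presence in token storage — for tokens without an
     * expiry only, so an unexpired token that was removed from storage is still accepted here
     * (confirm this is the intended revocation model); and that this server is in the audience.
     *
     * @param tokenValue  raw token value
     * @param subjectName expected subject, or {@code null} to skip the subject check
     * @return a principal wrapping the verified token
     * @throws UnauthorizedException if any check fails or the token cannot be parsed
     */
    @Override
    @Nonnull
    public AccessPrincipal authenticate(@Nonnull String tokenValue, @Nullable String subjectName) throws UnauthorizedException {
        log.trace("Trying to authenticate using token. subjectName={}", subjectName);
        try {
            JwtAccessToken token = JwtAccessTokenImpl.parseTokenValue(tokenValue);
            if (!token.verify(this.certificateService.getRootCertificate().getPublicKey())) {
                throw new UnauthorizedException("Invalid token, signature verification failed.");
            }
            if (subjectName != null && !subjectName.equals(token.getSubject())) {
                throw new UnauthorizedException("Invalid token, given subject name and token subject do not match.");
            }
            // Expiry is compared against the wall clock as epoch milliseconds — assumes
            // parseTokenValue populates it in that unit; confirm against JwtAccessTokenImpl.
            if (token.getExpiry() != null && System.currentTimeMillis() > token.getExpiry().longValue()) {
                throw new UnauthorizedException("Invalid token, token has expired.");
            }
            if (token.getExpiry() == null && !this.tokenStorageService.findTokenById(token.getTokenId()).isPresent()) {
                throw new UnauthorizedException("Invalid token, token does not exist (might have been revoked).");
            }
            if (!isInAudience(token)) {
                throw new UnauthorizedException("Invalid token, this access server is not part of the token's audience.");
            }
            log.debug("Token authenticated successfully. id={}, subject={}", token.getTokenId(), token.getSubject());
            return new TokenPrincipal(token);
        } catch (IllegalArgumentException e) {
            // parseTokenValue rejects malformed input this way; surface it as an auth failure.
            throw new UnauthorizedException("Invalid token.", e);
        }
    }

    /** True if this server's id (as a string) appears in the token's audience. */
    private boolean isInAudience(JwtAccessToken token) {
        String serverId = this.accessConfig.getAccessServerId().toString();
        return token.getAudience().stream().anyMatch(serverId::equals);
    }
}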
