package org.glowroot.agent.shaded.glowroot.ui;

import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import javax.annotation.Nullable;
import org.glowroot.agent.shaded.glowroot.common.config.LdapConfig;
import org.glowroot.agent.shaded.glowroot.common.config.RoleConfig;
import org.glowroot.agent.shaded.glowroot.common.config.UserConfig;
import org.glowroot.agent.shaded.glowroot.common.repo.ConfigRepository;
import org.glowroot.agent.shaded.glowroot.common.util.Clock;
import org.glowroot.agent.shaded.glowroot.ui.LdapAuthentication;
import org.glowroot.agent.shaded.google.common.base.Preconditions;
import org.glowroot.agent.shaded.google.common.collect.Maps;
import org.glowroot.agent.shaded.google.common.collect.Sets;
import org.glowroot.agent.shaded.netty.handler.codec.http.FullHttpResponse;
import org.glowroot.agent.shaded.netty.handler.codec.http.HttpHeaderNames;
import org.glowroot.agent.shaded.netty.handler.codec.http.HttpRequest;
import org.glowroot.agent.shaded.netty.handler.codec.http.HttpResponse;
import org.glowroot.agent.shaded.netty.handler.codec.http.HttpResponseStatus;
import org.glowroot.agent.shaded.netty.handler.codec.http.cookie.Cookie;
import org.glowroot.agent.shaded.netty.handler.codec.http.cookie.DefaultCookie;
import org.glowroot.agent.shaded.netty.handler.codec.http.cookie.ServerCookieDecoder;
import org.glowroot.agent.shaded.netty.handler.codec.http.cookie.ServerCookieEncoder;
import org.glowroot.agent.shaded.slf4j.Logger;
import org.glowroot.agent.shaded.slf4j.LoggerFactory;
import org.immutables.value.Value;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/glowroot/agent/shaded/glowroot/ui/HttpSessionManager.class */
public class HttpSessionManager {
    private static final Logger logger = LoggerFactory.getLogger((Class<?>) HttpSessionManager.class);
    private static final Logger auditLogger = LoggerFactory.getLogger("audit");
    private final boolean fat;
    private final boolean offlineViewer;
    private final ConfigRepository configRepository;
    private final Clock clock;
    private final LayoutService layoutService;
    private final SecureRandom secureRandom = new SecureRandom();
    private final Map<String, Session> sessions = Maps.newConcurrentMap();

    /* JADX INFO: Access modifiers changed from: package-private */
    @Value.Immutable
    /* loaded from: input_file:org/glowroot/agent/shaded/glowroot/ui/HttpSessionManager$Authentication.class */
    public static abstract class Authentication {
        /* JADX INFO: Access modifiers changed from: package-private */
        public abstract boolean fat();

        /* JADX INFO: Access modifiers changed from: package-private */
        public abstract boolean offlineViewer();

        /* JADX INFO: Access modifiers changed from: package-private */
        public abstract boolean anonymous();

        /* JADX INFO: Access modifiers changed from: package-private */
        public abstract boolean ldap();

        /* JADX INFO: Access modifiers changed from: package-private */
        public abstract String caseAmbiguousUsername();

        /* JADX INFO: Access modifiers changed from: package-private */
        public abstract Set<String> roles();

        /* JADX INFO: Access modifiers changed from: package-private */
        public abstract ConfigRepository configRepository();

        /* JADX INFO: Access modifiers changed from: package-private */
        public boolean isPermitted(String str, String str2) {
            return str2.startsWith("agent:") ? isAgentPermitted(str, str2) : isAdminPermitted(str2);
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        public boolean isAgentPermitted(String str, String str2) {
            Preconditions.checkState(str2.startsWith("agent:"));
            return offlineViewer() ? !str2.startsWith("agent:config:edit:") : str2.equals("agent:trace") ? isAgentPermitted(str, "agent:transaction:traces") || isAgentPermitted(str, "agent:error:traces") : isPermitted(RoleConfig.SimplePermission.create(str, str2));
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        public boolean isAdminPermitted(String str) {
            Preconditions.checkState(str.startsWith("admin:"));
            return offlineViewer() ? str.equals("admin:view") || str.startsWith("admin:view:") : isPermitted(RoleConfig.SimplePermission.create(str));
        }

        private boolean isPermitted(RoleConfig.SimplePermission simplePermission) {
            for (RoleConfig roleConfig : configRepository().getRoleConfigs()) {
                if (roles().contains(roleConfig.name()) && roleConfig.isPermitted(simplePermission)) {
                    return true;
                }
            }
            return false;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/glowroot/agent/shaded/glowroot/ui/HttpSessionManager$Session.class */
    public class Session {
        private final Authentication authentication;
        private volatile long lastRequest;

        private Session(Authentication authentication) {
            this.authentication = authentication;
            this.lastRequest = HttpSessionManager.this.clock.currentTimeMillis();
        }

        /* JADX INFO: Access modifiers changed from: private */
        public boolean isTimedOut(long j) {
            return this.lastRequest < j - HttpSessionManager.this.getTimeoutMillis();
        }

        /* JADX INFO: Access modifiers changed from: private */
        public void touch(long j) {
            this.lastRequest = j;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public HttpSessionManager(boolean z, boolean z2, ConfigRepository configRepository, Clock clock, LayoutService layoutService) {
        this.fat = z;
        this.offlineViewer = z2;
        this.configRepository = configRepository;
        this.clock = clock;
        this.layoutService = layoutService;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public FullHttpResponse login(String str, String str2) throws Exception {
        if (str.equalsIgnoreCase("anonymous")) {
            auditFailedLogin(str);
            return buildIncorrectLoginResponse();
        }
        Authentication authentication = null;
        UserConfig userConfigCaseInsensitive = getUserConfigCaseInsensitive(str);
        if (userConfigCaseInsensitive == null || userConfigCaseInsensitive.ldap()) {
            try {
                Set<String> authenticateAgainstLdapAndGetGlowrootRoles = authenticateAgainstLdapAndGetGlowrootRoles(str, str2);
                if (userConfigCaseInsensitive != null) {
                    authenticateAgainstLdapAndGetGlowrootRoles = Sets.newHashSet(authenticateAgainstLdapAndGetGlowrootRoles);
                    authenticateAgainstLdapAndGetGlowrootRoles.addAll(userConfigCaseInsensitive.roles());
                }
                if (!authenticateAgainstLdapAndGetGlowrootRoles.isEmpty()) {
                    authentication = getAuthentication(str, authenticateAgainstLdapAndGetGlowrootRoles, true);
                }
            } catch (LdapAuthentication.AuthenticationException e) {
                logger.debug(e.getMessage(), (Throwable) e);
                auditFailedLogin(str);
                return buildIncorrectLoginResponse();
            }
        } else if (userConfigCaseInsensitive != null && validatePassword(str2, userConfigCaseInsensitive.passwordHash())) {
            authentication = getAuthentication(userConfigCaseInsensitive.username(), userConfigCaseInsensitive.roles(), false);
        }
        if (authentication == null) {
            auditFailedLogin(str);
            return buildIncorrectLoginResponse();
        }
        FullHttpResponse createJsonResponse = HttpServices.createJsonResponse(this.layoutService.getLayout(authentication), HttpResponseStatus.OK);
        createSession(createJsonResponse, authentication);
        auditSuccessfulLogin(str);
        return createJsonResponse;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void signOut(HttpRequest httpRequest) {
        Session remove;
        String sessionId = getSessionId(httpRequest);
        if (sessionId == null || (remove = this.sessions.remove(sessionId)) == null) {
            return;
        }
        auditLogout(remove.authentication.caseAmbiguousUsername());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void deleteSessionCookie(HttpResponse httpResponse) {
        DefaultCookie defaultCookie = new DefaultCookie(this.configRepository.getWebConfig().sessionCookieName(), "");
        defaultCookie.setHttpOnly(true);
        defaultCookie.setMaxAge(0L);
        defaultCookie.setPath("/");
        httpResponse.headers().add(HttpHeaderNames.SET_COOKIE, ServerCookieEncoder.STRICT.encode(defaultCookie));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public Authentication getAuthentication(HttpRequest httpRequest) {
        Session session;
        if (this.offlineViewer) {
            return getOfflineViewerAuthentication();
        }
        String sessionId = getSessionId(httpRequest);
        if (sessionId != null && (session = this.sessions.get(sessionId)) != null) {
            long currentTimeMillis = this.clock.currentTimeMillis();
            if (session.isTimedOut(currentTimeMillis)) {
                return getAnonymousAuthentication();
            }
            session.touch(currentTimeMillis);
            return session.authentication;
        }
        return getAnonymousAuthentication();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @Nullable
    public String getSessionId(HttpRequest httpRequest) {
        String asString = httpRequest.headers().getAsString(HttpHeaderNames.COOKIE);
        if (asString == null) {
            return null;
        }
        for (Cookie cookie : ServerCookieDecoder.STRICT.decode(asString)) {
            if (cookie.name().equals(this.configRepository.getWebConfig().sessionCookieName())) {
                return cookie.value();
            }
        }
        return null;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public Authentication getAnonymousAuthentication() {
        UserConfig userConfigCaseInsensitive = getUserConfigCaseInsensitive("anonymous");
        return userConfigCaseInsensitive == null ? ImmutableAuthentication.builder().fat(this.fat).offlineViewer(false).anonymous(true).ldap(false).caseAmbiguousUsername("anonymous").configRepository(this.configRepository).build() : getAuthentication(userConfigCaseInsensitive.username(), userConfigCaseInsensitive.roles(), false);
    }

    private FullHttpResponse buildIncorrectLoginResponse() {
        return HttpServices.createJsonResponse("{\"incorrectLogin\":true}", HttpResponseStatus.OK);
    }

    private void createSession(HttpResponse httpResponse, Authentication authentication) throws Exception {
        String bigInteger = new BigInteger(130, this.secureRandom).toString(32);
        this.sessions.put(bigInteger, new Session(authentication));
        DefaultCookie defaultCookie = new DefaultCookie(this.configRepository.getWebConfig().sessionCookieName(), bigInteger);
        defaultCookie.setHttpOnly(true);
        defaultCookie.setPath("/");
        httpResponse.headers().add(HttpHeaderNames.SET_COOKIE, ServerCookieEncoder.STRICT.encode(defaultCookie));
        purgeExpiredSessions();
    }

    private Authentication getAuthentication(String str, Set<String> set, boolean z) {
        return ImmutableAuthentication.builder().fat(this.fat).offlineViewer(false).anonymous(str.equalsIgnoreCase("anonymous")).ldap(z).caseAmbiguousUsername(str).roles(set).configRepository(this.configRepository).build();
    }

    private Authentication getOfflineViewerAuthentication() {
        return ImmutableAuthentication.builder().fat(true).offlineViewer(true).anonymous(true).ldap(false).caseAmbiguousUsername("anonymous").configRepository(this.configRepository).build();
    }

    @Nullable
    private UserConfig getUserConfigCaseInsensitive(String str) {
        for (UserConfig userConfig : this.configRepository.getUserConfigs()) {
            if (userConfig.username().equalsIgnoreCase(str)) {
                return userConfig;
            }
        }
        return null;
    }

    private void purgeExpiredSessions() {
        long currentTimeMillis = this.clock.currentTimeMillis();
        Iterator<Map.Entry<String, Session>> it = this.sessions.entrySet().iterator();
        while (it.hasNext()) {
            Session value = it.next().getValue();
            if (value.isTimedOut(currentTimeMillis)) {
                it.remove();
                auditSessionTimeout(value.authentication.caseAmbiguousUsername());
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public long getTimeoutMillis() {
        return TimeUnit.MINUTES.toMillis(this.configRepository.getWebConfig().sessionTimeoutMinutes());
    }

    private Set<String> authenticateAgainstLdapAndGetGlowrootRoles(String str, String str2) throws Exception {
        LdapConfig ldapConfig = this.configRepository.getLdapConfig();
        if (ldapConfig.host().isEmpty()) {
            throw new LdapAuthentication.AuthenticationException("LDAP is not configured");
        }
        return LdapAuthentication.getGlowrootRoles(LdapAuthentication.authenticateAndGetLdapGroupDns(str, str2, ldapConfig, this.configRepository.getSecretKey()), ldapConfig);
    }

    private void auditFailedLogin(String str) {
        auditLogger.info("{} - failed login", str);
    }

    private void auditSuccessfulLogin(String str) {
        auditLogger.info("{} - successful login", str);
    }

    private void auditLogout(String str) {
        auditLogger.info("{} - logout", str);
    }

    private void auditSessionTimeout(String str) {
        auditLogger.info("{} - session timeout", str);
    }

    private static boolean validatePassword(String str, String str2) throws GeneralSecurityException {
        return str2.isEmpty() ? str.isEmpty() : PasswordHash.validatePassword(str, str2);
    }
}
