package org.graylog.security.authservice.backend;

import com.unboundid.util.Base64;
import jakarta.inject.Inject;
import java.util.Collections;
import java.util.Optional;
import javax.annotation.Nullable;
import org.graylog.security.authservice.AuthServiceBackend;
import org.graylog.security.authservice.AuthServiceBackendDTO;
import org.graylog.security.authservice.AuthServiceCredentials;
import org.graylog.security.authservice.AuthenticationDetails;
import org.graylog.security.authservice.ProvisionerService;
import org.graylog.security.authservice.test.AuthServiceBackendTestResult;
import org.graylog2.plugin.database.users.User;
import org.graylog2.plugin.security.PasswordAlgorithm;
import org.graylog2.security.PasswordAlgorithmFactory;
import org.graylog2.security.encryption.EncryptedValue;
import org.graylog2.security.encryption.EncryptedValueService;
import org.graylog2.shared.users.UserService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/graylog/security/authservice/backend/MongoDBAuthServiceBackend.class */
/**
 * {@link AuthServiceBackend} that authenticates users stored in Graylog's own user collection
 * (the {@value #NAME} backend).
 *
 * <p>This backend has no configuration of its own, so {@link #prepareConfigUpdate} passes the new
 * DTO through unchanged and both connection/login test hooks report "Not implemented".
 */
public class MongoDBAuthServiceBackend implements AuthServiceBackend {
    public static final String NAME = "internal-mongodb";
    private static final Logger LOG = LoggerFactory.getLogger(MongoDBAuthServiceBackend.class);

    private final UserService userService;
    private final EncryptedValueService encryptedValueService;
    private final PasswordAlgorithmFactory passwordAlgorithmFactory;

    @Inject
    public MongoDBAuthServiceBackend(UserService userService,
                                     EncryptedValueService encryptedValueService,
                                     PasswordAlgorithmFactory passwordAlgorithmFactory) {
        this.userService = userService;
        this.encryptedValueService = encryptedValueService;
        this.passwordAlgorithmFactory = passwordAlgorithmFactory;
    }

    /**
     * Looks the user up by name, applies the account checks and, unless the credentials are
     * already marked as authenticated, verifies the submitted password against the stored hash.
     *
     * @param authServiceCredentials username, (encrypted) password and the pre-authenticated flag
     * @param provisionerService     used to build and provision the user details on success
     * @return the provisioned {@link AuthenticationDetails}, or empty when the user is unknown,
     *         disabled, external to this backend, or the password does not match
     * @throws IllegalStateException if the loaded user is the local admin, which must never be
     *                               routed through this backend
     */
    @Override
    public Optional<AuthenticationDetails> authenticateAndProvision(AuthServiceCredentials authServiceCredentials,
                                                                    ProvisionerService provisionerService) {
        final String username = authServiceCredentials.username();
        LOG.debug("Trying to load user <{}> from database", username);

        final User existingUser = this.userService.load(username);
        if (existingUser == null) {
            // NOTE(review): this path returns before any hash work is done, so its response time
            // differs from the wrong-password path; confirm whether callers mitigate that.
            LOG.debug("User <{}> not found in database", username);
            return Optional.empty();
        }

        if (existingUser.isLocalAdmin()) {
            throw new IllegalStateException("Local admin user should have been handled earlier and not reach the authentication service authenticator");
        }

        if (!isEnabled(existingUser)) {
            LOG.warn("Account for user <{}> is disabled.", existingUser.getName());
            return Optional.empty();
        }

        // Users owned by another backend (e.g. LDAP) carry no usable local hash; leave them to
        // their own backend rather than failing the password check here.
        if (existingUser.isExternalUser()) {
            LOG.trace("Skipping mongodb-based password check for external user {}", username);
            return Optional.empty();
        }

        // An already-authenticated credential bypasses the hash comparison entirely, so only
        // trusted callers may set that flag; the password is not even decrypted in that case.
        final boolean passwordCheckRequired = !authServiceCredentials.isAuthenticated();
        if (passwordCheckRequired && !isValidPassword(existingUser, authServiceCredentials.password())) {
            LOG.warn("Failed to validate password for user <{}>", username);
            return Optional.empty();
        }

        LOG.debug("Successfully validated password for user <{}>", username);
        return Optional.of(provision(existingUser, provisionerService));
    }

    /**
     * Builds the user details for a successfully authenticated database user and runs them
     * through the provisioner. The backend assigns no default roles of its own.
     */
    private AuthenticationDetails provision(User user, ProvisionerService provisionerService) {
        return AuthenticationDetails.builder()
                .userDetails(provisionerService.provision(provisionerService.newDetails(this)
                        .databaseId(user.getId())
                        .username(user.getName())
                        .accountIsEnabled(isEnabled(user))
                        .email(user.getEmail())
                        .firstName(user.getFirstName().orElse(null))
                        .lastName(user.getLastName().orElse(null))
                        .fullName(user.getFullName())
                        .defaultRoles(Collections.emptySet())
                        // The stable per-backend user id is the database id, Base64-encoded.
                        .base64AuthServiceUid(Base64.encode(user.getId()))
                        .build()))
                .build();
    }

    /** True when the account status is exactly {@link User.AccountStatus#ENABLED}. */
    private static boolean isEnabled(User user) {
        return user.getAccountStatus().equals(User.AccountStatus.ENABLED);
    }

    /**
     * Verifies the submitted password against the user's stored hash.
     *
     * <p>The algorithm is chosen from the stored hash's format; when no registered algorithm
     * recognises it the check fails closed (returns {@code false}) and the submitted password is
     * never decrypted.
     *
     * @param user           the database user whose hash is compared
     * @param encryptedValue the submitted password, still encrypted at rest
     * @return whether the password matches
     */
    private boolean isValidPassword(User user, EncryptedValue encryptedValue) {
        final String storedHash = user.getHashedPassword();
        final PasswordAlgorithm algorithm = this.passwordAlgorithmFactory.forPassword(storedHash);
        if (algorithm == null) {
            return false;
        }
        final String plaintext = this.encryptedValueService.decrypt(encryptedValue);
        return algorithm.matches(storedHash, plaintext);
    }

    @Override
    public String backendType() {
        return NAME;
    }

    /** Fixed id of the built-in backend; it is not stored as a regular backend configuration. */
    @Override
    public String backendId() {
        return "000000000000000000000001";
    }

    @Override
    public String backendTitle() {
        return "Internal MongoDB";
    }

    /** Nothing to merge or validate: the new configuration is returned as-is. */
    @Override
    public AuthServiceBackendDTO prepareConfigUpdate(AuthServiceBackendDTO authServiceBackendDTO,
                                                     AuthServiceBackendDTO authServiceBackendDTO2) {
        return authServiceBackendDTO2;
    }

    /** Connection tests are not supported for the internal backend; always reports failure. */
    @Override
    public AuthServiceBackendTestResult testConnection(@Nullable AuthServiceBackendDTO authServiceBackendDTO) {
        return AuthServiceBackendTestResult.createFailure("Not implemented");
    }

    /** Login tests are not supported for the internal backend; always reports failure. */
    @Override
    public AuthServiceBackendTestResult testLogin(AuthServiceCredentials authServiceCredentials,
                                                  @Nullable AuthServiceBackendDTO authServiceBackendDTO) {
        return AuthServiceBackendTestResult.createFailure("Not implemented");
    }
}
