package org.openmetadata.service.security.auth;

import at.favre.lib.crypto.bcrypt.BCrypt;
import freemarker.template.TemplateException;
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Set;
import java.util.UUID;
import javax.ws.rs.BadRequestException;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import org.openmetadata.common.utils.CommonUtil;
import org.openmetadata.csv.CsvUtil;
import org.openmetadata.schema.TokenInterface;
import org.openmetadata.schema.api.security.AuthorizerConfiguration;
import org.openmetadata.schema.api.teams.CreateUser;
import org.openmetadata.schema.auth.BasicAuthMechanism;
import org.openmetadata.schema.auth.ChangePasswordRequest;
import org.openmetadata.schema.auth.EmailVerificationToken;
import org.openmetadata.schema.auth.JWTAuthMechanism;
import org.openmetadata.schema.auth.LoginRequest;
import org.openmetadata.schema.auth.PasswordResetRequest;
import org.openmetadata.schema.auth.PasswordResetToken;
import org.openmetadata.schema.auth.RefreshToken;
import org.openmetadata.schema.auth.RegistrationRequest;
import org.openmetadata.schema.auth.ServiceTokenType;
import org.openmetadata.schema.auth.TokenRefreshRequest;
import org.openmetadata.schema.auth.TokenType;
import org.openmetadata.schema.email.SmtpSettings;
import org.openmetadata.schema.entity.teams.AuthenticationMechanism;
import org.openmetadata.schema.entity.teams.User;
import org.openmetadata.service.Entity;
import org.openmetadata.service.OpenMetadataApplicationConfig;
import org.openmetadata.service.auth.JwtResponse;
import org.openmetadata.service.exception.CatalogExceptionMessage;
import org.openmetadata.service.exception.CustomExceptionMessage;
import org.openmetadata.service.jdbi3.TokenRepository;
import org.openmetadata.service.jdbi3.UserRepository;
import org.openmetadata.service.search.SearchClient;
import org.openmetadata.service.security.AuthenticationException;
import org.openmetadata.service.security.JwtFilter;
import org.openmetadata.service.security.SecurityUtil;
import org.openmetadata.service.security.jwt.JWTTokenGenerator;
import org.openmetadata.service.util.EmailUtil;
import org.openmetadata.service.util.EntityUtil;
import org.openmetadata.service.util.JsonUtils;
import org.openmetadata.service.util.PasswordUtil;
import org.openmetadata.service.util.RestUtil;
import org.openmetadata.service.util.TokenUtil;
import org.openmetadata.service.util.UserUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/openmetadata/service/security/auth/BasicAuthenticator.class */
public class BasicAuthenticator implements AuthenticatorHandler {
    private static final Logger LOG = LoggerFactory.getLogger(BasicAuthenticator.class);
    private static final int HASHING_COST = 12;
    private UserRepository userRepository;
    private TokenRepository tokenRepository;
    private LoginAttemptCache loginAttemptCache;
    private AuthorizerConfiguration authorizerConfiguration;
    private boolean isEmailServiceEnabled;
    private boolean isSelfSignUpAvailable;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.openmetadata.service.security.auth.BasicAuthenticator$1, reason: invalid class name */
    /* loaded from: input_file:org/openmetadata/service/security/auth/BasicAuthenticator$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$openmetadata$schema$api$teams$CreateUser$CreatePasswordType = new int[CreateUser.CreatePasswordType.values().length];

        static {
            try {
                $SwitchMap$org$openmetadata$schema$api$teams$CreateUser$CreatePasswordType[CreateUser.CreatePasswordType.ADMIN_CREATE.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$openmetadata$schema$api$teams$CreateUser$CreatePasswordType[CreateUser.CreatePasswordType.USER_CREATE.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
        }
    }

    @Override // org.openmetadata.service.security.auth.AuthenticatorHandler
    public void init(OpenMetadataApplicationConfig openMetadataApplicationConfig) {
        this.userRepository = (UserRepository) Entity.getEntityRepository(Entity.USER);
        this.tokenRepository = Entity.getTokenRepository();
        this.authorizerConfiguration = openMetadataApplicationConfig.getAuthorizerConfiguration();
        this.loginAttemptCache = new LoginAttemptCache();
        SmtpSettings smtpSettings = openMetadataApplicationConfig.getSmtpSettings();
        this.isEmailServiceEnabled = smtpSettings != null && smtpSettings.getEnableSmtpServer().booleanValue();
        this.isSelfSignUpAvailable = openMetadataApplicationConfig.getAuthenticationConfiguration().getEnableSelfSignup().booleanValue();
    }

    @Override // org.openmetadata.service.security.auth.AuthenticatorHandler
    public User registerUser(RegistrationRequest registrationRequest) {
        if (!this.isSelfSignUpAvailable) {
            throw new CustomExceptionMessage(Response.Status.NOT_IMPLEMENTED, CatalogExceptionMessage.SELF_SIGNUP_NOT_ENABLED, CatalogExceptionMessage.SELF_SIGNUP_DISABLED_MESSAGE);
        }
        String email = registrationRequest.getEmail();
        String str = registrationRequest.getEmail().split("@")[1];
        Set allowedEmailRegistrationDomains = this.authorizerConfiguration.getAllowedEmailRegistrationDomains();
        if (!allowedEmailRegistrationDomains.contains(SearchClient.GLOBAL_SEARCH_ALIAS) && !allowedEmailRegistrationDomains.contains(str)) {
            LOG.error("Email with this Domain not allowed: " + email);
            throw new BadRequestException("Email with the given domain is not allowed. Contact Administrator");
        }
        validateEmailAlreadyExists(email);
        PasswordUtil.validatePassword(registrationRequest.getPassword());
        LOG.info("Trying to register new user [" + email + "]");
        User create = this.userRepository.create(null, getUserFromRegistrationRequest(registrationRequest));
        create.setAuthenticationMechanism((AuthenticationMechanism) null);
        return create;
    }

    @Override // org.openmetadata.service.security.auth.AuthenticatorHandler
    public void confirmEmailRegistration(UriInfo uriInfo, String str) {
        EmailVerificationToken findByToken = this.tokenRepository.findByToken(str);
        User user = this.userRepository.get(null, findByToken.getUserId(), this.userRepository.getFieldsWithUserAuth("*"));
        if (Boolean.TRUE.equals(user.getIsEmailVerified())) {
            LOG.info("User [{}] already registered.", str);
        } else {
            if (findByToken.getExpiryDate().compareTo(Long.valueOf(Instant.now().toEpochMilli())) < 0) {
                throw new CustomExceptionMessage(Response.Status.INTERNAL_SERVER_ERROR, CatalogExceptionMessage.TOKEN_EXPIRED, String.format(CatalogExceptionMessage.TOKEN_EXPIRY_ERROR, findByToken.getToken()));
            }
            user.setIsEmailVerified(true);
            this.userRepository.createOrUpdate(uriInfo, user);
            this.tokenRepository.deleteTokenByUserAndType(user.getId(), TokenType.EMAIL_VERIFICATION.toString());
        }
    }

    @Override // org.openmetadata.service.security.auth.AuthenticatorHandler
    public void resendRegistrationToken(UriInfo uriInfo, User user) throws IOException {
        this.tokenRepository.deleteTokenByUserAndType(user.getId(), TokenType.EMAIL_VERIFICATION.toString());
        sendEmailVerification(uriInfo, user);
    }

    @Override // org.openmetadata.service.security.auth.AuthenticatorHandler
    public void sendEmailVerification(UriInfo uriInfo, User user) throws IOException {
        if (this.isEmailServiceEnabled) {
            UUID randomUUID = UUID.randomUUID();
            TokenInterface emailVerificationToken = TokenUtil.getEmailVerificationToken(user.getId(), randomUUID);
            LOG.info("Generated Email verification token [" + randomUUID + "]");
            try {
                EmailUtil.sendEmailVerification(String.format("%s/users/registrationConfirmation?user=%s&token=%s", EmailUtil.getSmtpSettings().getOpenMetadataUrl(), user.getFullyQualifiedName(), randomUUID), user);
                this.tokenRepository.insertToken(emailVerificationToken);
            } catch (TemplateException e) {
                LOG.error("Error in sending mail to the User : {}", e.getMessage(), e);
                throw new CustomExceptionMessage(424, CatalogExceptionMessage.FAILED_SEND_EMAIL, CatalogExceptionMessage.EMAIL_SENDING_ISSUE);
            }
        }
    }

    @Override // org.openmetadata.service.security.auth.AuthenticatorHandler
    public void sendPasswordResetLink(UriInfo uriInfo, User user, String str, String str2) throws IOException {
        UUID randomUUID = UUID.randomUUID();
        TokenInterface passwordResetToken = TokenUtil.getPasswordResetToken(user.getId(), randomUUID);
        LOG.info("Generated Password Reset verification token [" + randomUUID + "]");
        try {
            EmailUtil.sendPasswordResetLink(String.format("%s/users/password/reset?user=%s&token=%s", EmailUtil.getSmtpSettings().getOpenMetadataUrl(), URLEncoder.encode(user.getName(), StandardCharsets.UTF_8), randomUUID), user, str, str2);
            this.tokenRepository.deleteTokenByUserAndType(user.getId(), TokenType.PASSWORD_RESET.toString());
            this.tokenRepository.insertToken(passwordResetToken);
        } catch (TemplateException e) {
            LOG.error("Error in sending mail to the User : {}", e.getMessage(), e);
            throw new CustomExceptionMessage(424, CatalogExceptionMessage.FAILED_SEND_EMAIL, CatalogExceptionMessage.EMAIL_SENDING_ISSUE);
        }
    }

    @Override // org.openmetadata.service.security.auth.AuthenticatorHandler
    public void resetUserPasswordWithToken(UriInfo uriInfo, PasswordResetRequest passwordResetRequest) throws IOException {
        PasswordResetToken passwordResetToken = (PasswordResetToken) this.tokenRepository.findByToken(passwordResetRequest.getToken());
        Set<String> allowedFieldsCopy = this.userRepository.getAllowedFieldsCopy();
        allowedFieldsCopy.add("authenticationMechanism");
        User byName = this.userRepository.getByName(uriInfo, passwordResetRequest.getUsername(), new EntityUtil.Fields(allowedFieldsCopy, String.join(CsvUtil.SEPARATOR, allowedFieldsCopy)));
        if (!passwordResetToken.getUserId().equals(byName.getId())) {
            throw new CustomExceptionMessage(Response.Status.BAD_REQUEST, CatalogExceptionMessage.INVALID_TOKEN, "Invalid Token.");
        }
        verifyPasswordResetTokenExpiry(passwordResetToken);
        if (!passwordResetRequest.getPassword().equals(passwordResetRequest.getConfirmPassword())) {
            throw new IllegalArgumentException("Password and Confirm Password should match");
        }
        PasswordUtil.validatePassword(passwordResetRequest.getPassword());
        byName.setAuthenticationMechanism(new AuthenticationMechanism().withAuthType(AuthenticationMechanism.AuthType.BASIC).withConfig(new BasicAuthMechanism().withPassword(BCrypt.withDefaults().hashToString(HASHING_COST, passwordResetRequest.getPassword().toCharArray()))));
        this.userRepository.createOrUpdate(uriInfo, byName);
        this.tokenRepository.deleteTokenByUserAndType(byName.getId(), TokenType.PASSWORD_RESET.toString());
        try {
            EmailUtil.sendAccountStatus(byName, "Update Password", "Change Successful");
            this.loginAttemptCache.recordSuccessfulLogin(passwordResetRequest.getUsername());
        } catch (TemplateException e) {
            LOG.error("Error in sending Password Change Mail to User. Reason : " + e.getMessage(), e);
            throw new CustomExceptionMessage(424, CatalogExceptionMessage.FAILED_SEND_EMAIL, CatalogExceptionMessage.EMAIL_SENDING_ISSUE);
        }
    }

    @Override // org.openmetadata.service.security.auth.AuthenticatorHandler
    public void changeUserPwdWithOldPwd(UriInfo uriInfo, String str, ChangePasswordRequest changePasswordRequest) throws IOException {
        if (!changePasswordRequest.getNewPassword().equals(changePasswordRequest.getConfirmPassword())) {
            throw new IllegalArgumentException("Password and Confirm Password should match");
        }
        PasswordUtil.validatePassword(changePasswordRequest.getNewPassword());
        User byName = this.userRepository.getByName(uriInfo, str, this.userRepository.getFieldsWithUserAuth("*"));
        if (byName.getAuthenticationMechanism() == null) {
            byName.setAuthenticationMechanism(new AuthenticationMechanism().withAuthType(AuthenticationMechanism.AuthType.BASIC).withConfig(new BasicAuthMechanism().withPassword(BotTokenCache.EMPTY_STRING)));
        }
        BasicAuthMechanism basicAuthMechanism = (BasicAuthMechanism) JsonUtils.convertValue(byName.getAuthenticationMechanism().getConfig(), BasicAuthMechanism.class);
        String password = basicAuthMechanism.getPassword();
        String hashToString = BCrypt.withDefaults().hashToString(HASHING_COST, changePasswordRequest.getNewPassword().toCharArray());
        if (changePasswordRequest.getRequestType() == ChangePasswordRequest.RequestType.SELF && !BCrypt.verifyer().verify(changePasswordRequest.getOldPassword().toCharArray(), password).verified) {
            throw new CustomExceptionMessage(Response.Status.BAD_REQUEST, CatalogExceptionMessage.INCORRECT_OLD_PASSWORD, "Old Password is not correct");
        }
        basicAuthMechanism.setPassword(hashToString);
        byName.getAuthenticationMechanism().setConfig(basicAuthMechanism);
        RestUtil.PutResponse<User> createOrUpdate = this.userRepository.createOrUpdate(uriInfo, byName);
        this.loginAttemptCache.recordSuccessfulLogin(str);
        if (changePasswordRequest.getRequestType() == ChangePasswordRequest.RequestType.USER && this.isEmailServiceEnabled) {
            sendInviteMailToUser(uriInfo, createOrUpdate.getEntity(), String.format("%s: Password Update", EmailUtil.getEmailingEntity()), CreateUser.CreatePasswordType.ADMIN_CREATE, changePasswordRequest.getNewPassword());
        }
    }

    @Override // org.openmetadata.service.security.auth.AuthenticatorHandler
    public void sendInviteMailToUser(UriInfo uriInfo, User user, String str, CreateUser.CreatePasswordType createPasswordType, String str2) throws IOException {
        switch (AnonymousClass1.$SwitchMap$org$openmetadata$schema$api$teams$CreateUser$CreatePasswordType[createPasswordType.ordinal()]) {
            case 1:
                HashMap hashMap = new HashMap();
                hashMap.put(EmailUtil.ENTITY, EmailUtil.getEmailingEntity());
                hashMap.put(EmailUtil.SUPPORT_URL, EmailUtil.getSupportUrl());
                hashMap.put("userName", user.getName());
                hashMap.put(EmailUtil.PASSWORD, str2);
                hashMap.put(EmailUtil.APPLICATION_LOGIN_LINK, EmailUtil.getOMUrl());
                try {
                    EmailUtil.sendMail(str, hashMap, user.getEmail(), EmailUtil.EMAIL_TEMPLATE_BASEPATH, EmailUtil.INVITE_RANDOM_PWD, true);
                    return;
                } catch (TemplateException e) {
                    LOG.error("Failed in sending Mail to user [{}]. Reason : {}", new Object[]{user.getEmail(), e.getMessage(), e});
                    return;
                }
            case 2:
                sendPasswordResetLink(uriInfo, user, str, EmailUtil.INVITE_CREATE_PWD);
                return;
            default:
                LOG.error("Invalid Password Create Type");
                return;
        }
    }

    @Override // org.openmetadata.service.security.auth.AuthenticatorHandler
    public RefreshToken createRefreshTokenForLogin(UUID uuid) {
        TokenInterface refreshToken = TokenUtil.getRefreshToken(uuid, UUID.randomUUID());
        this.tokenRepository.insertToken(refreshToken);
        return refreshToken;
    }

    @Override // org.openmetadata.service.security.auth.AuthenticatorHandler
    public JwtResponse getNewAccessToken(TokenRefreshRequest tokenRefreshRequest) {
        if (CommonUtil.nullOrEmpty(tokenRefreshRequest.getRefreshToken())) {
            throw new BadRequestException("Token Cannot be Null or Empty String");
        }
        User user = this.userRepository.get(null, this.tokenRepository.findByToken(tokenRefreshRequest.getRefreshToken()).getUserId(), this.userRepository.getFieldsWithUserAuth("*"));
        if (user.getIsBot() != null && user.getIsBot().booleanValue()) {
            throw new IllegalArgumentException("User are only allowed to login");
        }
        RefreshToken validateAndReturnNewRefresh = validateAndReturnNewRefresh(user.getId(), tokenRefreshRequest);
        JWTAuthMechanism generateJWTToken = JWTTokenGenerator.getInstance().generateJWTToken(user.getName(), UserUtil.getRoleListFromUser(user), !CommonUtil.nullOrEmpty(user.getIsAdmin()) && user.getIsAdmin().booleanValue(), user.getEmail(), SecurityUtil.getLoginConfiguration().getJwtTokenExpiryTime().intValue(), false, ServiceTokenType.OM_USER);
        JwtResponse jwtResponse = new JwtResponse();
        jwtResponse.setTokenType(JwtFilter.TOKEN_PREFIX);
        jwtResponse.setAccessToken(generateJWTToken.getJWTToken());
        jwtResponse.setRefreshToken(validateAndReturnNewRefresh.getToken().toString());
        jwtResponse.setExpiryDuration(generateJWTToken.getJWTTokenExpiresAt());
        return jwtResponse;
    }

    public void verifyPasswordResetTokenExpiry(PasswordResetToken passwordResetToken) {
        if (passwordResetToken.getExpiryDate().compareTo(Long.valueOf(Instant.now().toEpochMilli())) < 0) {
            throw new CustomExceptionMessage(Response.Status.INTERNAL_SERVER_ERROR, CatalogExceptionMessage.PASSWORD_RESET_TOKEN_EXPIRED, String.format("Password Reset Token %s Expired token. Please issue a new request", passwordResetToken.getToken()));
        }
        if (Boolean.FALSE.equals(passwordResetToken.getIsActive())) {
            throw new CustomExceptionMessage(Response.Status.INTERNAL_SERVER_ERROR, CatalogExceptionMessage.PASSWORD_RESET_TOKEN_EXPIRED, String.format("Password Reset Token %s Token was marked inactive", passwordResetToken.getToken()));
        }
    }

    public RefreshToken validateAndReturnNewRefresh(UUID uuid, TokenRefreshRequest tokenRefreshRequest) {
        String refreshToken = tokenRefreshRequest.getRefreshToken();
        RefreshToken findByToken = this.tokenRepository.findByToken(refreshToken);
        if (findByToken.getExpiryDate().compareTo(Long.valueOf(Instant.now().toEpochMilli())) < 0) {
            throw new CustomExceptionMessage(Response.Status.BAD_REQUEST, CatalogExceptionMessage.PASSWORD_RESET_TOKEN_EXPIRED, "Expired token. Please login again : " + findByToken.getToken().toString());
        }
        this.tokenRepository.deleteToken(refreshToken);
        TokenInterface refreshToken2 = TokenUtil.getRefreshToken(uuid, UUID.randomUUID());
        this.tokenRepository.insertToken(refreshToken2);
        return refreshToken2;
    }

    private User getUserFromRegistrationRequest(RegistrationRequest registrationRequest) {
        String str = registrationRequest.getEmail().split("@")[0];
        return UserUtil.getUser(str, new CreateUser().withName(str).withEmail(registrationRequest.getEmail()).withDisplayName(String.format("%s%s", registrationRequest.getFirstName(), registrationRequest.getLastName())).withIsBot(false).withIsAdmin(false)).withAuthenticationMechanism(new AuthenticationMechanism().withAuthType(AuthenticationMechanism.AuthType.BASIC).withConfig(new BasicAuthMechanism().withPassword(BCrypt.withDefaults().hashToString(HASHING_COST, registrationRequest.getPassword().toCharArray()))));
    }

    public void validateEmailAlreadyExists(String str) {
        if (this.userRepository.checkEmailAlreadyExists(str)) {
            throw new CustomExceptionMessage(Response.Status.BAD_REQUEST, CatalogExceptionMessage.EMAIL_EXISTS, "User with Email Already Exists");
        }
    }

    @Override // org.openmetadata.service.security.auth.AuthenticatorHandler
    public JwtResponse loginUser(LoginRequest loginRequest) throws IOException, TemplateException {
        String email = loginRequest.getEmail();
        checkIfLoginBlocked(email);
        User lookUserInProvider = lookUserInProvider(email);
        validatePassword(email, lookUserInProvider, loginRequest.getPassword());
        return getJwtResponse(lookUserInProvider, SecurityUtil.getLoginConfiguration().getJwtTokenExpiryTime().intValue());
    }

    @Override // org.openmetadata.service.security.auth.AuthenticatorHandler
    public void checkIfLoginBlocked(String str) {
        if (this.loginAttemptCache.isLoginBlocked(str)) {
            throw new AuthenticationException(CatalogExceptionMessage.MAX_FAILED_LOGIN_ATTEMPT);
        }
    }

    @Override // org.openmetadata.service.security.auth.AuthenticatorHandler
    public void recordFailedLoginAttempt(String str, User user) throws TemplateException, IOException {
        this.loginAttemptCache.recordFailedLogin(str);
        if (this.loginAttemptCache.getUserFailedLoginCount(str) == SecurityUtil.getLoginConfiguration().getMaxLoginFailAttempts().intValue()) {
            EmailUtil.sendAccountStatus(user, "Multiple Failed Login Attempts.", String.format("Someone is trying to access your account. Login is Blocked for %s minutes. Please change your password.", SecurityUtil.getLoginConfiguration().getAccessBlockTime()));
        }
    }

    @Override // org.openmetadata.service.security.auth.AuthenticatorHandler
    public void validatePassword(String str, User user, String str2) throws TemplateException, IOException {
        if (user.getAuthenticationMechanism() == null) {
            throw new AuthenticationException(CatalogExceptionMessage.INVALID_USERNAME_PASSWORD);
        }
        if (BCrypt.verifyer().verify(str2.toCharArray(), (String) ((LinkedHashMap) user.getAuthenticationMechanism().getConfig()).get(EmailUtil.PASSWORD)).verified) {
            return;
        }
        recordFailedLoginAttempt(str, user);
        throw new AuthenticationException(CatalogExceptionMessage.INVALID_USERNAME_PASSWORD);
    }

    @Override // org.openmetadata.service.security.auth.AuthenticatorHandler
    public User lookUserInProvider(String str) {
        User user = null;
        try {
            if (str.contains("@")) {
                user = this.userRepository.getByEmail(null, str, new EntityUtil.Fields((Set<String>) Set.of("authenticationMechanism", JWTTokenGenerator.ROLES_CLAIM), "authenticationMechanism,roles"));
            }
        } catch (Exception e) {
        }
        if (user == null || Boolean.TRUE.equals(user.getIsBot())) {
            throw new CustomExceptionMessage(Response.Status.BAD_REQUEST, CatalogExceptionMessage.INVALID_USER_OR_PASSWORD, CatalogExceptionMessage.INVALID_USERNAME_PASSWORD);
        }
        return user;
    }
}
