package com.appiancorp.security.auth.phpmyadmin;

import com.appiancorp.common.monitoring.WebApiAggregatedData;
import com.appiancorp.integration.http.HttpParameterConstants;
import com.appiancorp.security.auth.SpringSecurityContextHelper;
import com.appiancorp.security.auth.phpmyadmin.usermap.DbProxyUsermapService;
import com.appiancorp.security.auth.token.UserTokenService;
import com.appiancorp.suite.cfg.ConfigurationFactory;
import com.fasterxml.jackson.core.JsonParseException;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ObjectNode;
import io.prometheus.client.Counter;
import java.io.IOException;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.Objects;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
import org.springframework.web.HttpRequestHandler;

/* loaded from: input_file:com/appiancorp/security/auth/phpmyadmin/PhpMyAdminAuthenticatorRequestHandler.class */
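/**
 * Handles the phpMyAdmin authenticator callback (the {@code /dbauth} endpoint named in the
 * metric help strings).
 *
 * <p>Only {@code POST} requests are processed. The request body is read as a JSON object of
 * string values and must carry the {@link PhpMyAdminSessionUtils#MY_SSO_COOKIE} key. That token is
 * handed to the {@link UserTokenService}, which yields the Appian username. The request is then
 * accepted only if (a) the {@code Authorization} header carries the shared token from
 * {@link PhpMyAdminAuthConfiguration#getToken()} and (b) the user is allowed database access
 * (see {@link #isUserAuthorized(String)}). On success a JSON object with {@code username} and
 * {@code password} is written to the response; otherwise 403, 302 ("token validation error")
 * or a 5xx error is sent.
 *
 * <p>The three Prometheus counters are static, so they are shared by every instance of this
 * handler in the JVM.
 */
public class PhpMyAdminAuthenticatorRequestHandler implements HttpRequestHandler {
    /** Scheme prefix expected at the start of the {@code Authorization} header. */
    public static final String BASIC_AUTH_PREFIX = "Basic ";
    private static final String USERNAME_KEY = "username";
    private static final String PASSWORD_KEY = "password";
    private static final String AUTHORIZATION_HEADER = "Authorization";
    private static final String SCHEMA_PARAMETER = "schema";
    private static final String HTTP_POST = "POST";
    /** Status used by {@link #sendTokenValidationError}; kept as the existing client contract. */
    private static final int TOKEN_VALIDATION_ERROR_STATUS = 302;

    private final UserTokenService phpMyAdminUserTokenService;
    private final PhpMyAdminAuthConfiguration phpMyAdminAuthConfig;
    private final PhpMyAdminSessionUtils phpMyAdminSessionUtils;
    private final PhpMyAdminUserHelper phpMyAdminUserHelper;
    private final PhpMyAdminUserGroupResolver phpMyAdminUserGroupResolver;
    private final ObjectMapper mapper;
    /** Shared secret read once from configuration; {@code null} means nobody can authenticate. */
    private final String authToken;
    private final DbProxyUsermapService dbProxyUsermapService;

    private static final Logger LOG = Logger.getLogger(PhpMyAdminAuthenticatorRequestHandler.class);
    private static final Counter authenticatorForbiddenCount = Counter.build()
            .namespace("appian")
            .subsystem(PhpMyAdminLoginServlet.PHPMYADMIN_SUBSYSTEM)
            .name("authenticator_forbidden_request_count")
            .help("Unauthorized requests sent to /dbauth")
            .register();
    private static final Counter authenticatorRequestCount = Counter.build()
            .namespace("appian")
            .subsystem(PhpMyAdminLoginServlet.PHPMYADMIN_SUBSYSTEM)
            .name("authenticator_request_count")
            .help("Total number of requests sent to /dbauth")
            .register();
    private static final Counter authenticatorTokenErrorCount = Counter.build()
            .namespace("appian")
            .subsystem(PhpMyAdminLoginServlet.PHPMYADMIN_SUBSYSTEM)
            .name("authenticator_token_error_count")
            .help("Count of general token parsing errors")
            .register();

    /**
     * Creates a handler backed by the singleton {@link PhpMyAdminSessionUtils#getInstance()}.
     *
     * @param userTokenService decrypts the mySSO token and extracts the username
     * @param phpMyAdminUserHelper retained for collaborators; not used by this class's own methods
     * @param phpMyAdminUserGroupResolver resolves database usernames and group-based access
     * @param dbProxyUsermapService records the proxy-user to database-user mapping
     */
    public PhpMyAdminAuthenticatorRequestHandler(UserTokenService userTokenService, PhpMyAdminUserHelper phpMyAdminUserHelper, PhpMyAdminUserGroupResolver phpMyAdminUserGroupResolver, DbProxyUsermapService dbProxyUsermapService) {
        this(userTokenService, phpMyAdminUserHelper, phpMyAdminUserGroupResolver, dbProxyUsermapService, PhpMyAdminSessionUtils.getInstance());
    }

    /**
     * Creates a handler with an explicit {@link PhpMyAdminSessionUtils}.
     *
     * <p>The {@link PhpMyAdminAuthConfiguration} is looked up through {@link ConfigurationFactory}
     * and its token is cached for the lifetime of this instance, so a token change in
     * configuration is not observed until the handler is recreated.
     *
     * @param userTokenService decrypts the mySSO token and extracts the username
     * @param phpMyAdminUserHelper retained for collaborators; not used by this class's own methods
     * @param phpMyAdminUserGroupResolver resolves database usernames and group-based access
     * @param dbProxyUsermapService records the proxy-user to database-user mapping
     * @param phpMyAdminSessionUtils issues temporary MySQL passwords for authenticated sessions
     */
    public PhpMyAdminAuthenticatorRequestHandler(UserTokenService userTokenService, PhpMyAdminUserHelper phpMyAdminUserHelper, PhpMyAdminUserGroupResolver phpMyAdminUserGroupResolver, DbProxyUsermapService dbProxyUsermapService, PhpMyAdminSessionUtils phpMyAdminSessionUtils) {
        this.phpMyAdminUserTokenService = userTokenService;
        this.phpMyAdminSessionUtils = phpMyAdminSessionUtils;
        this.phpMyAdminUserHelper = phpMyAdminUserHelper;
        this.phpMyAdminUserGroupResolver = phpMyAdminUserGroupResolver;
        this.dbProxyUsermapService = dbProxyUsermapService;
        this.phpMyAdminAuthConfig = (PhpMyAdminAuthConfiguration) ConfigurationFactory.getConfiguration(PhpMyAdminAuthConfiguration.class);
        this.mapper = new ObjectMapper();
        this.authToken = this.phpMyAdminAuthConfig.getToken();
    }

    /**
     * Processes one authenticator request.
     *
     * <p>Outcomes, in evaluation order:
     * <ul>
     *   <li>non-POST: counted, otherwise ignored (no status is set);</li>
     *   <li>body missing {@code MY_SSO_COOKIE}, unparseable body, or any other failure outside
     *       token handling: 5xx error;</li>
     *   <li>header token mismatch or user not authorized: 403;</li>
     *   <li>token decryption / authorization lookup failure: 302 with a JSON error body;</li>
     *   <li>success: JSON credentials written by {@link #addCredentialsToResponse}.</li>
     * </ul>
     *
     * @param httpServletRequest the incoming request; body is JSON {@code {"<key>": "<value>"}}
     * @param httpServletResponse the response to populate
     * @throws IOException if writing the error or credential response itself fails
     */
    @Override
    public void handleRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        authenticatorRequestCount.inc();
        if (!HTTP_POST.equalsIgnoreCase(httpServletRequest.getMethod())) {
            // Non-POST requests are not handled; the original left the response untouched and
            // that is preserved here.
            return;
        }
        try {
            Map<String, String> body = this.mapper.readValue(httpServletRequest.getReader(), new TypeReference<Map<String, String>>() {
            });
            if (!body.containsKey(PhpMyAdminSessionUtils.MY_SSO_COOKIE)) {
                // Log only the key names: the body is client-supplied and may carry secrets.
                LOG.error("mySSO token absent from PhpMyAdmin request. Keys received: " + body.keySet());
                authenticatorTokenErrorCount.inc();
                httpServletResponse.sendError(WebApiAggregatedData.STATUS_CODE_RANGE_5XX_KEY);
                return;
            }
            String ssoToken = body.get(PhpMyAdminSessionUtils.MY_SSO_COOKIE);
            setupResponse(httpServletResponse);
            try {
                String username = this.phpMyAdminUserTokenService.validateEncryptedTokenAndGetUsername(ssoToken);
                LOG.info("PhpMyAdmin user token successfully decrypted and username " + username + " extracted.");
                if (!isRequestAuthenticated(httpServletRequest.getHeader(AUTHORIZATION_HEADER)) || !isUserAuthorized(username)) {
                    authenticatorForbiddenCount.inc();
                    httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
                    return;
                }
                String schema = stripWhitespace(httpServletRequest.getParameter(SCHEMA_PARAMETER));
                addCredentialsToResponse(username, schema, httpServletResponse);
            } catch (Exception e) {
                // Covers token decryption, the runAsAdmin lookups and the credential write;
                // previously swallowed silently, which made failures undiagnosable.
                LOG.warn("PhpMyAdmin token validation failed", e);
                authenticatorTokenErrorCount.inc();
                sendTokenValidationError(httpServletResponse);
            }
        } catch (JsonParseException e) {
            // Most specific first: JsonParseException extends JsonProcessingException, so the
            // original ordering (parse exception last) was unreachable.
            LOG.error("Invalid request contents", e);
            httpServletResponse.sendError(WebApiAggregatedData.STATUS_CODE_RANGE_5XX_KEY);
        } catch (JsonProcessingException e) {
            LOG.error("Unable to process request", e);
            httpServletResponse.sendError(WebApiAggregatedData.STATUS_CODE_RANGE_5XX_KEY);
        } catch (Exception e) {
            LOG.error("Unable to handle request", e);
            httpServletResponse.sendError(WebApiAggregatedData.STATUS_CODE_RANGE_5XX_KEY);
        }
    }

    /**
     * Removes every whitespace run from the {@code schema} request parameter.
     *
     * @param schema raw parameter value, may be {@code null}
     * @return the value with all whitespace removed, or {@code null} if the input was {@code null}
     */
    private static String stripWhitespace(String schema) {
        return schema == null ? null : schema.replaceAll("\\s+", "");
    }

    /** @return current value of the forbidden-request counter (presumably for tests). */
    double getAuthenticatorForbiddenCounterValue() {
        return authenticatorForbiddenCount.get();
    }

    /** @return current value of the total-request counter (presumably for tests). */
    double getAuthenticatorRequestCounterValue() {
        return authenticatorRequestCount.get();
    }

    /** @return current value of the token-error counter (presumably for tests). */
    double getAuthenticatorTokenErrorCounterValue() {
        return authenticatorTokenErrorCount.get();
    }

    /** Resets all three counters; they are static, so this affects every handler instance. */
    void resetMetrics() {
        authenticatorForbiddenCount.clear();
        authenticatorRequestCount.clear();
        authenticatorTokenErrorCount.clear();
    }

    /**
     * Marks the response as UTF-8 JSON. Called before token validation, so error responses sent
     * afterwards carry the same content type.
     */
    private void setupResponse(HttpServletResponse httpServletResponse) {
        httpServletResponse.setContentType(HttpParameterConstants.APPLICATION_JSON_TYPE);
        httpServletResponse.setCharacterEncoding("UTF-8");
    }

    /**
     * Writes {@code {"error":"token validation error"}} with status 302.
     *
     * <p>302 for an error is unusual, but it is the status the caller already relies on, so it is
     * kept unchanged.
     *
     * @throws IOException if the response writer cannot be obtained or written
     */
    private void sendTokenValidationError(HttpServletResponse httpServletResponse) throws IOException {
        ObjectNode errorNode = this.mapper.createObjectNode();
        errorNode.put("error", "token validation error");
        httpServletResponse.setStatus(TOKEN_VALIDATION_ERROR_STATUS);
        PrintWriter writer = httpServletResponse.getWriter();
        writer.print(this.mapper.writeValueAsString(errorNode));
        writer.flush();
    }

    /**
     * Writes the database credentials phpMyAdmin should use for this session.
     *
     * <p>With {@link PhpMyAdminAuthConfiguration#useAuthenticatedSessions()} enabled, the
     * database username is resolved for the user (as admin), the proxy user is mapped to it via
     * {@link DbProxyUsermapService#mapUser}, and a temporary MySQL password is issued. Otherwise the
     * configured anonymous-access MySQL credentials are returned.
     *
     * @param username Appian username extracted from the validated token
     * @param schema whitespace-stripped {@code schema} parameter, may be {@code null}
     * @param httpServletResponse response to write the JSON credentials to
     * @throws IOException if the response writer cannot be obtained or written
     */
    private void addCredentialsToResponse(String username, String schema, HttpServletResponse httpServletResponse) throws IOException {
        ObjectNode credentials = this.mapper.createObjectNode();
        if (this.phpMyAdminAuthConfig.useAuthenticatedSessions()) {
            LOG.debug("Starting authenticated php session");
            String databaseUsername = (String) SpringSecurityContextHelper.runAsAdmin(() -> {
                return this.phpMyAdminUserGroupResolver.getDatabaseUsername(username, schema);
            });
            String proxyUsername = getProxyUsername(username);
            // The mapping must exist before the client connects with the proxy username.
            this.dbProxyUsermapService.mapUser(proxyUsername, databaseUsername);
            credentials.put(USERNAME_KEY, proxyUsername);
            credentials.put(PASSWORD_KEY, this.phpMyAdminSessionUtils.getTemporaryMySQLPasswordForUser(username, databaseUsername));
        } else {
            LOG.debug("Starting anonymous php session");
            credentials.put(USERNAME_KEY, this.phpMyAdminAuthConfig.getAnonymousAccessMysqlUsername());
            credentials.put(PASSWORD_KEY, this.phpMyAdminAuthConfig.getAnonymousAccessMysqlPassword());
        }
        PrintWriter writer = httpServletResponse.getWriter();
        writer.print(this.mapper.writeValueAsString(credentials));
        writer.flush();
    }

    /**
     * Builds the proxy database username for an Appian user.
     *
     * @param username Appian username
     * @return {@code "phpMyAdminUser\" + username} (a single backslash separator)
     */
    static String getProxyUsername(String username) {
        return "phpMyAdminUser\\" + username;
    }

    /**
     * Checks group-based database access for the user.
     *
     * @param username Appian username from the validated token
     * @return {@code true} when no database admin group UUID is configured (access is then
     *     unrestricted), otherwise the resolver's answer evaluated as admin
     */
    private boolean isUserAuthorized(String username) {
        if (this.phpMyAdminAuthConfig.getDatabaseAdminGroupUuid() == null) {
            return true;
        }
        Boolean hasAccess = (Boolean) SpringSecurityContextHelper.runAsAdmin(() -> {
            return Boolean.valueOf(this.phpMyAdminUserGroupResolver.doesUserHaveDatabaseAccess(username));
        });
        return hasAccess.booleanValue();
    }

    /**
     * Compares the {@code Authorization} header against the configured shared token.
     *
     * <p>The value after the {@code "Basic "} prefix is compared verbatim with the configured
     * token (no base64 decoding), as the existing contract requires. The scheme prefix is matched
     * case-insensitively, and a header that is missing, too short, or carries a different scheme
     * is rejected instead of throwing {@link StringIndexOutOfBoundsException}. The comparison is
     * constant-time so the token cannot be recovered through response-timing differences.
     *
     * @param authorizationHeader raw header value, may be {@code null}
     * @return {@code true} only if a token is configured and the header presents exactly that token
     */
    private boolean isRequestAuthenticated(String authorizationHeader) {
        // Fail closed: without a configured token nobody can authenticate.
        if (this.authToken == null || authorizationHeader == null) {
            return false;
        }
        int prefixLength = BASIC_AUTH_PREFIX.length();
        if (authorizationHeader.length() < prefixLength
                || !authorizationHeader.regionMatches(true, 0, BASIC_AUTH_PREFIX, 0, prefixLength)) {
            return false;
        }
        byte[] expected = this.authToken.getBytes(StandardCharsets.UTF_8);
        byte[] presented = authorizationHeader.substring(prefixLength).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, presented);
    }
}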
