package io.opencmw.server.rest.login;

import io.javalin.apibuilder.ApiBuilder;
import io.javalin.core.security.AccessManager;
import io.javalin.core.security.Role;
import io.javalin.http.Context;
import io.javalin.http.Handler;
import io.javalin.plugin.openapi.annotations.OpenApi;
import io.javalin.plugin.openapi.annotations.OpenApiContent;
import io.javalin.plugin.openapi.annotations.OpenApiResponse;
import io.opencmw.rbac.BasicRbacRole;
import io.opencmw.rbac.RbacRole;
import io.opencmw.server.rest.RestRole;
import io.opencmw.server.rest.RestServer;
import io.opencmw.server.rest.user.RestUserHandler;
import io.opencmw.server.rest.util.MessageBundle;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/opencmw/server/rest/login/LoginController.class */
public class LoginController {
    public static final String LOGIN_CONTROLLER = "LoginController";
    private static final String HTTP_200_OK = "200";
    private static final String MIME_HTML = "text/html";
    private static final String MIME_JSON = "text/json";
    private static final String DEFAULT_USER = "anonymous";
    private static final String ENDPOINT_LOGIN = "/login";
    private static final String ENDPOINT_LOGOUT = "/logout";
    private static final String ENDPOINT_CHANGE_PASSWORD = "/changepassword";
    private static final String ATTR_LOCALE = "locale";
    private static final String ATTR_CURRENT_USER = "currentUser";
    private static final String ATTR_CURRENT_ROLES = "currentRoles";
    private static final String ATTR_LOGIN_REDIRECT = "loginRedirect";
    private static final String ATTR_LOGGED_OUT = "loggedOut";
    private static final String QUERY_PASSWORD = "password";
    private static final String QUERY_PASSWORD_NEW1 = "passwordNew1";
    private static final String QUERY_PASSWORD_NEW2 = "passwordNew2";
    private static final String QUERY_USERNAME = "username";
    private static final String AUTHENTICATION_SUCCEEDED = "authenticationSucceeded";
    private static final String AUTHENTICATION_FAILED = "authenticationFailed";
    private static final String AUTHENTICATION_PASSWORD_MISMATCH = "authenticationFailedPasswordsMismatch";
    private static final String TEMPLATE_LOGIN = "/velocity/login/login.vm";
    private static final String TEMPLATE_PASSWORD_CHANGE = "/velocity/login/changePassword.vm";
    private static final Logger LOGGER = LoggerFactory.getLogger(LoginController.class);
    private static final Handler handleLocaleChange = context -> {
        if (context.queryParam(ATTR_LOCALE) != null) {
            context.sessionAttribute(ATTR_LOCALE, context.queryParam(ATTR_LOCALE));
            context.redirect(context.path());
        }
    };

    @OpenApi(description = "endpoint to receive password login request", operationId = "handleLoginPost", summary = "POST login command", tags = {LOGIN_CONTROLLER}, responses = {@OpenApiResponse(status = HTTP_200_OK, content = {@OpenApiContent(type = MIME_HTML)}), @OpenApiResponse(status = HTTP_200_OK, content = {@OpenApiContent(type = MIME_JSON)})})
    private static final Handler handleLoginPost = context -> {
        Map<String, Object> baseModel = MessageBundle.baseModel(context);
        RestUserHandler userHandler = RestServer.getUserHandler();
        String formParam = context.formParam(QUERY_USERNAME);
        if (userHandler.authenticate(formParam, context.formParam(QUERY_PASSWORD))) {
            context.sessionAttribute(ATTR_CURRENT_USER, formParam);
            context.sessionAttribute(ATTR_CURRENT_ROLES, userHandler.getUserRolesByUsername(formParam));
            baseModel.put(AUTHENTICATION_SUCCEEDED, true);
            baseModel.put(ATTR_CURRENT_USER, formParam);
            baseModel.put(ATTR_CURRENT_ROLES, userHandler.getUserRolesByUsername(formParam));
            String str = (String) context.sessionAttribute(ATTR_LOGIN_REDIRECT);
            if (str != null) {
                context.redirect(str);
            }
        } else {
            baseModel.put(AUTHENTICATION_FAILED, true);
        }
        context.render(TEMPLATE_LOGIN, baseModel);
    };

    @OpenApi(description = "endpoint to receive password changes", operationId = "handleChangePasswordPost", summary = "POST password change page", tags = {LOGIN_CONTROLLER}, responses = {@OpenApiResponse(status = HTTP_200_OK, content = {@OpenApiContent(type = MIME_HTML)})})
    private static final Handler handleChangePasswordPost = context -> {
        String formParam;
        Map<String, Object> baseModel = MessageBundle.baseModel(context);
        String formParam2 = context.formParam(QUERY_USERNAME);
        String formParam3 = context.formParam(QUERY_PASSWORD_NEW1);
        String formParam4 = context.formParam(QUERY_PASSWORD_NEW2);
        if (formParam2 == null || formParam3 == null || formParam4 == null) {
            baseModel.put(AUTHENTICATION_FAILED, true);
            context.render(TEMPLATE_PASSWORD_CHANGE, baseModel);
            return;
        }
        if (!checkPasswordCriteria(formParam3) || !checkPasswordCriteria(formParam4) || !formParam3.equals(formParam4)) {
            LOGGER.atWarn().addArgument(formParam2).log("password do not match for user '{}'");
            baseModel.put(AUTHENTICATION_PASSWORD_MISMATCH, true);
            context.render(TEMPLATE_PASSWORD_CHANGE, baseModel);
            return;
        }
        baseModel.put(AUTHENTICATION_PASSWORD_MISMATCH, false);
        try {
            formParam = context.formParam(QUERY_PASSWORD);
        } catch (SecurityException e) {
            LOGGER.atWarn().setCause(e).addArgument(formParam2).log("may not change password for user '{}'");
        }
        if (formParam == null) {
            baseModel.put(AUTHENTICATION_FAILED, true);
            context.render(TEMPLATE_PASSWORD_CHANGE, baseModel);
            return;
        }
        RestUserHandler userHandler = RestServer.getUserHandler();
        if (!userHandler.setPassword(formParam2, formParam, formParam3)) {
            baseModel.put(AUTHENTICATION_FAILED, true);
            context.render(TEMPLATE_PASSWORD_CHANGE, baseModel);
            baseModel.put(AUTHENTICATION_FAILED, true);
            context.render(TEMPLATE_PASSWORD_CHANGE, baseModel);
            return;
        }
        context.sessionAttribute(ATTR_CURRENT_USER, formParam2);
        context.sessionAttribute(ATTR_CURRENT_ROLES, userHandler.getUserRolesByUsername(formParam2));
        baseModel.put(AUTHENTICATION_SUCCEEDED, true);
        baseModel.put(ATTR_CURRENT_USER, formParam2);
        baseModel.put(ATTR_CURRENT_ROLES, userHandler.getUserRolesByUsername(formParam2));
        context.render(TEMPLATE_PASSWORD_CHANGE, baseModel);
    };

    @OpenApi(description = "endpoint to receive password logout request", operationId = "handleLogoutPost", summary = "POST logout command", tags = {LOGIN_CONTROLLER}, responses = {@OpenApiResponse(status = HTTP_200_OK, content = {@OpenApiContent(type = MIME_HTML)}), @OpenApiResponse(status = HTTP_200_OK, content = {@OpenApiContent(type = MIME_JSON)})})
    private static final Handler handleLogoutPost = context -> {
        context.sessionAttribute(ATTR_CURRENT_USER, (Object) null);
        context.sessionAttribute(ATTR_CURRENT_ROLES, (Object) null);
        context.sessionAttribute(ATTR_LOGGED_OUT, "true");
        context.redirect(ENDPOINT_LOGIN);
    };

    @OpenApi(description = "endpoint to serve login page", operationId = "serveLoginPage", summary = "GET serve login page (HTML-only)", tags = {LOGIN_CONTROLLER}, responses = {@OpenApiResponse(status = HTTP_200_OK, content = {@OpenApiContent(type = MIME_HTML)})})
    private static final Handler serveLoginPage = context -> {
        Map<String, Object> baseModel = MessageBundle.baseModel(context);
        baseModel.put(ATTR_LOGGED_OUT, Boolean.valueOf(removeSessionAttrLoggedOut(context)));
        context.render(TEMPLATE_LOGIN, baseModel);
    };

    @OpenApi(description = "endpoint to serve password change page", operationId = "servePasswordChangePage", summary = "GET serve password change page (HTML-only)", tags = {LOGIN_CONTROLLER}, responses = {@OpenApiResponse(status = HTTP_200_OK, content = {@OpenApiContent(type = MIME_HTML)})})
    private static final Handler servePasswordChangePage = context -> {
        Map<String, Object> baseModel = MessageBundle.baseModel(context);
        baseModel.put(ATTR_LOGGED_OUT, Boolean.valueOf(removeSessionAttrLoggedOut(context)));
        context.render(TEMPLATE_PASSWORD_CHANGE, baseModel);
    };
    public static final AccessManager accessManager = (handler, context, set) -> {
        Set<RbacRole> sessionCurrentRoles = getSessionCurrentRoles(context);
        Set<RbacRole> convertRoles = convertRoles(set);
        HashSet hashSet = new HashSet(convertRoles);
        hashSet.retainAll(sessionCurrentRoles);
        if (convertRoles.isEmpty() || convertRoles.contains(BasicRbacRole.ANYONE) || !hashSet.isEmpty()) {
            handler.handle(context);
            return;
        }
        LOGGER.atWarn().addArgument(context.path()).addArgument(convertRoles).addArgument(hashSet).log("could not log into '{}' permitted roles {} vs. have {}");
        if (context.sessionAttribute(ATTR_CURRENT_USER) != null) {
            context.status(401).result("Unauthorized");
        } else {
            context.sessionAttribute(ATTR_LOGIN_REDIRECT, context.path());
            context.redirect(ENDPOINT_LOGIN);
        }
    };

    private static Set<RbacRole> convertRoles(Set<Role> set) {
        HashSet hashSet = new HashSet();
        for (Role role : set) {
            if (role instanceof RestRole) {
                hashSet.add(((RestRole) role).rbacRole);
            }
        }
        return hashSet;
    }

    private LoginController() {
    }

    public static Set<RbacRole> getSessionCurrentRoles(Context context) {
        Object sessionAttribute = context.sessionAttribute(ATTR_CURRENT_ROLES);
        if (sessionAttribute == null) {
            sessionAttribute = RestServer.getUserHandler().getUserRolesByUsername(DEFAULT_USER);
        }
        if (!(sessionAttribute instanceof Set)) {
            return Collections.singleton(BasicRbacRole.NULL);
        }
        try {
            return (Set) sessionAttribute;
        } catch (ClassCastException e) {
            LOGGER.atError().setCause(e).addArgument(ATTR_CURRENT_ROLES).log("could not cast '{}' attribute to Set<RbacRole> -- something fishy is going on");
            return Collections.singleton(BasicRbacRole.NULL);
        }
    }

    public static String getSessionCurrentUser(Context context) {
        return (String) context.sessionAttribute(ATTR_CURRENT_USER);
    }

    public static String getSessionLocale(Context context) {
        return (String) context.sessionAttribute(ATTR_LOCALE);
    }

    public static void register() {
        RestServer.getInstance().config.accessManager(accessManager);
        RestServer.getInstance().routes(() -> {
            ApiBuilder.before(handleLocaleChange);
            ApiBuilder.post(ENDPOINT_LOGIN, handleLoginPost);
            ApiBuilder.post(ENDPOINT_LOGOUT, handleLogoutPost);
            ApiBuilder.post(ENDPOINT_CHANGE_PASSWORD, handleChangePasswordPost);
            ApiBuilder.get(ENDPOINT_LOGIN, serveLoginPage);
            ApiBuilder.get(ENDPOINT_CHANGE_PASSWORD, servePasswordChangePage);
        });
    }

    private static boolean checkPasswordCriteria(String str) {
        return str != null && str.length() >= 8;
    }

    private static boolean removeSessionAttrLoggedOut(Context context) {
        String str = (String) context.sessionAttribute(ATTR_LOGGED_OUT);
        context.sessionAttribute(ATTR_LOGGED_OUT, (Object) null);
        return str != null;
    }
}
