package com.coreoz.plume.admin.webservices;

import com.coreoz.plume.admin.security.login.LoginFailAttemptsManager;
import com.coreoz.plume.admin.services.configuration.AdminConfigurationService;
import com.coreoz.plume.admin.services.configuration.AdminSecurityConfigurationService;
import com.coreoz.plume.admin.services.user.AdminUserService;
import com.coreoz.plume.admin.services.user.AuthenticatedUser;
import com.coreoz.plume.admin.webservices.data.session.AdminCredentials;
import com.coreoz.plume.admin.webservices.data.session.AdminSession;
import com.coreoz.plume.admin.webservices.validation.AdminWsError;
import com.coreoz.plume.admin.websession.JwtSessionSigner;
import com.coreoz.plume.admin.websession.WebSessionAdmin;
import com.coreoz.plume.admin.websession.WebSessionPermission;
import com.coreoz.plume.admin.websession.jersey.JerseySessionParser;
import com.coreoz.plume.jersey.errors.Validators;
import com.coreoz.plume.jersey.errors.WsException;
import com.coreoz.plume.jersey.security.permission.PublicApi;
import com.coreoz.plume.services.time.TimeProvider;
import com.google.common.collect.ImmutableList;
import com.google.common.io.BaseEncoding;
import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
import java.security.SecureRandom;
import javax.inject.Inject;
import javax.inject.Singleton;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Response;

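/**
 * Public web-service that opens and renews administration sessions.
 *
 * <p>The class is annotated {@code @PublicApi}, so both endpoints are reachable without an
 * existing session. The only throttling visible in this class is the per-user-name
 * {@link LoginFailAttemptsManager} used by {@link #authenticateUser(AdminCredentials)}.
 *
 * <p>When the fingerprint cookie is enabled, a random value is sent to the browser in an
 * {@code HttpOnly} cookie and only its hash is stored inside the signed session token.
 * A token read by a script is then presumably unusable without the matching cookie.
 * NOTE(review): the check itself is not in this class; confirm it in JerseySessionParser.
 */
@Api("Manage the administration session")
@PublicApi
@Path("/admin/session")
@Consumes({"application/json"})
@Produces({"application/json"})
@Singleton
public class SessionWs {
    /** Placeholder used when the fingerprint cookie is disabled: no cookie value, no hash in the token. */
    public static final FingerprintWithHash NULL_FINGERPRINT = new FingerprintWithHash(null, null);

    // Number of random bytes in a fingerprint; hex encoding doubles this to 100 characters.
    private static final int FINGERPRINT_SIZE_IN_BYTES = 50;

    private final AdminUserService adminUserService;
    private final JwtSessionSigner jwtSessionSigner;
    private final TimeProvider timeProvider;
    private final LoginFailAttemptsManager failAttemptsManager;
    private final long blockedDurationInSeconds;
    private final long maxTimeSessionDurationInMilliseconds;
    private final long sessionRefreshDurationInMillis;
    private final long sessionInactiveDurationInMillis;
    // SecureRandom (not java.util.Random): the fingerprint is a bearer secret and must be unpredictable.
    private final SecureRandom fingerprintGenerator = new SecureRandom();
    private final boolean sessionUseFingerprintCookie;
    private final boolean sessionFingerprintCookieHttpsOnly;

    /**
     * A raw fingerprint (sent to the browser as a cookie) paired with its hash (stored in the
     * session token). Both values are {@code null} in {@link SessionWs#NULL_FINGERPRINT}.
     */
    public static class FingerprintWithHash {
        private final String fingerprint;
        private final String hash;

        /**
         * @param str the raw fingerprint value, or {@code null} when fingerprints are disabled
         * @param str2 the hash of the fingerprint, or {@code null} when fingerprints are disabled
         */
        public FingerprintWithHash(String str, String str2) {
            this.fingerprint = str;
            this.hash = str2;
        }

        /** @return the raw fingerprint; it must only ever travel in the cookie, never in the token */
        public String getFingerprint() {
            return this.fingerprint;
        }

        /** @return the fingerprint hash that is embedded in the session token */
        public String getHash() {
            return this.hash;
        }
    }

    /**
     * Reads the login-throttling and session-duration settings once, at construction time.
     *
     * @param adminUserService checks credentials and loads the user with its permissions
     * @param jwtSessionSigner serializes and parses the signed session token
     * @param adminConfigurationService source of the login-attempt and session-duration settings
     * @param adminSecurityConfigurationService source of the fingerprint-cookie settings
     * @param timeProvider clock used to compute the token expiration time
     */
    @Inject
    public SessionWs(AdminUserService adminUserService, JwtSessionSigner jwtSessionSigner, AdminConfigurationService adminConfigurationService, AdminSecurityConfigurationService adminSecurityConfigurationService, TimeProvider timeProvider) {
        this.adminUserService = adminUserService;
        this.jwtSessionSigner = jwtSessionSigner;
        this.timeProvider = timeProvider;
        this.failAttemptsManager = new LoginFailAttemptsManager(adminConfigurationService.loginMaxAttempts(), adminConfigurationService.loginBlockedDuration());
        this.blockedDurationInSeconds = adminConfigurationService.loginBlockedDuration().getSeconds();
        this.maxTimeSessionDurationInMilliseconds = adminConfigurationService.sessionExpireDurationInMillis();
        this.sessionRefreshDurationInMillis = adminConfigurationService.sessionRefreshDurationInMillis();
        this.sessionInactiveDurationInMillis = adminConfigurationService.sessionInactiveDurationInMillis();
        this.sessionUseFingerprintCookie = adminSecurityConfigurationService.sessionUseFingerprintCookie();
        this.sessionFingerprintCookieHttpsOnly = adminSecurityConfigurationService.sessionFingerprintCookieHttpsOnly();
    }

    /**
     * Checks the credentials and, on success, returns a new session token.
     *
     * <p>When the fingerprint cookie is enabled, the response also carries a {@code Set-Cookie}
     * header with a fresh fingerprint whose hash is embedded in the token.
     *
     * @param adminCredentials the user name and password sent by the client
     * @return a 200 response whose entity is the {@link AdminSession}
     * @throws WsException if the credentials are rejected or the user name is blocked
     */
    @POST
    @ApiOperation("Authenticate a user and create a session token")
    public Response authenticate(AdminCredentials adminCredentials) {
        AuthenticatedUser authenticatedUser = authenticateUser(adminCredentials);
        // The fingerprint is generated only after the credentials have been accepted.
        FingerprintWithHash fingerprint = this.sessionUseFingerprintCookie ? generateFingerprint() : NULL_FINGERPRINT;
        AdminSession session = toAdminSession(toWebSession(authenticatedUser, fingerprint.getHash()));
        return withFingerprintCookie(Response.ok(session), fingerprint.getFingerprint()).build();
    }

    /**
     * Issues a new token, with a fresh expiration time, from a token that still parses.
     *
     * <p>NOTE(review): this method does not look at the fingerprint cookie and does not reload
     * the user, so the renewed token keeps the permissions and fingerprint hash of the old one.
     * Because the new expiration is always "now + session duration", no absolute session
     * lifetime is enforced here. Confirm whether {@code parseSession} or a request filter
     * covers these checks; otherwise revoked accounts stay valid until renewal stops.
     *
     * @param str the current session token, sent as the plain-text request body
     * @return a session holding the re-signed token
     * @throws WsException if the token is missing, or if {@code parseSession} returns {@code null}
     */
    @PUT
    @Consumes({"text/plain"})
    @ApiOperation("Renew a valid session token")
    public AdminSession renew(String str) {
        Validators.checkRequired("sessionToken", str);
        WebSessionAdmin currentSession = (WebSessionAdmin) this.jwtSessionSigner.parseSession(str, WebSessionAdmin.class);
        if (currentSession == null) {
            throw new WsException(AdminWsError.ALREADY_EXPIRED_SESSION_TOKEN);
        }
        return toAdminSession(currentSession);
    }

    /**
     * Validates the credentials, applying the failed-attempt lockout for the submitted user name.
     *
     * <p>A blocked user name is rejected before the password is checked. A failed attempt is
     * recorded only when {@code adminUserService.authenticate} returns an empty result.
     * NOTE(review): the lockout is keyed on the user name alone as far as this class shows;
     * it does not throttle one client trying many different user names. Per-client rate
     * limiting, if wanted, has to live elsewhere.
     *
     * @param adminCredentials the user name and password sent by the client
     * @return the authenticated user with its permissions
     * @throws WsException if a field is missing, the user name is blocked, or the credentials are wrong
     */
    public AuthenticatedUser authenticateUser(AdminCredentials adminCredentials) {
        Validators.checkRequired("Json creadentials", adminCredentials);
        Validators.checkRequired("users.USERNAME", adminCredentials.getUserName());
        Validators.checkRequired("users.PASSWORD", adminCredentials.getPassword());

        String userName = adminCredentials.getUserName();
        // The null test is kept from the original; checkRequired presumably rejects null already.
        if (userName != null && this.failAttemptsManager.isBlocked(userName)) {
            throw new WsException(AdminWsError.TOO_MANY_WRONG_ATTEMPS, ImmutableList.of(String.valueOf(this.blockedDurationInSeconds)));
        }
        return this.adminUserService.authenticate(userName, adminCredentials.getPassword()).orElseThrow(() -> {
            // Record the failure first so that repeated guesses eventually block the user name.
            this.failAttemptsManager.addAttempt(userName);
            return new WsException(AdminWsError.WRONG_LOGIN_OR_PASSWORD);
        });
    }

    /**
     * Builds the session payload that will be signed into the token.
     *
     * @param authenticatedUser the user and permissions to copy into the session
     * @param str the fingerprint hash to embed, or {@code null} when fingerprints are disabled
     * @return the session payload; only the hash of the fingerprint is stored, never the raw value
     */
    public WebSessionPermission toWebSession(AuthenticatedUser authenticatedUser, String str) {
        return new WebSessionAdmin().setPermissions(authenticatedUser.getPermissions()).setIdUser(authenticatedUser.getUser().getId().longValue()).setUserName(authenticatedUser.getUser().getUserName()).setFullName(authenticatedUser.getUser().getFirstName() + " " + authenticatedUser.getUser().getLastName()).setHashedFingerprint(str);
    }

    /**
     * Signs the session payload with an expiration of "now + configured session duration".
     *
     * @param webSessionPermission the session payload to serialize
     * @return the signed token together with the refresh and inactivity durations for the client
     */
    public AdminSession toAdminSession(WebSessionPermission webSessionPermission) {
        long expirationTime = this.timeProvider.currentTime() + this.maxTimeSessionDurationInMilliseconds;
        return new AdminSession(this.jwtSessionSigner.serializeSession(webSessionPermission, Long.valueOf(expirationTime)), this.sessionRefreshDurationInMillis, this.sessionInactiveDurationInMillis);
    }

    /**
     * Adds the {@code session-fgp} cookie to the response when a fingerprint is provided.
     *
     * <p>The cookie is always {@code HttpOnly} and {@code SameSite=Strict}. {@code Secure} is
     * added only when the HTTPS-only setting is enabled; without it the fingerprint can travel
     * over plain HTTP, so the setting should be on wherever the application is served over TLS.
     *
     * <p>The value is concatenated into the header as is. Fingerprints made by
     * {@link #generateFingerprint()} are hexadecimal; any other caller must make sure the value
     * contains no {@code ;}, CR or LF.
     *
     * @param responseBuilder the response under construction
     * @param str the raw fingerprint, or {@code null} when fingerprints are disabled
     * @return the same builder, with the cookie header added when {@code str} is not {@code null}
     */
    public Response.ResponseBuilder withFingerprintCookie(Response.ResponseBuilder responseBuilder, String str) {
        if (str == null) {
            // Fingerprints disabled: without this guard the browser would receive the
            // literal cookie "session-fgp=null".
            return responseBuilder;
        }
        String secureAttribute = this.sessionFingerprintCookieHttpsOnly ? "; Secure" : "";
        return responseBuilder.header("Set-Cookie", "session-fgp=" + str + "; path=/; SameSite=Strict; HttpOnly" + secureAttribute);
    }

    /**
     * Creates a new random fingerprint and its hash.
     *
     * @return 50 bytes from {@link SecureRandom}, hex encoded, paired with the value returned by
     *     {@code JerseySessionParser.hashFingerprint} for that encoded string
     */
    public FingerprintWithHash generateFingerprint() {
        byte[] randomBytes = new byte[FINGERPRINT_SIZE_IN_BYTES];
        this.fingerprintGenerator.nextBytes(randomBytes);
        String fingerprint = BaseEncoding.base16().encode(randomBytes);
        return new FingerprintWithHash(fingerprint, JerseySessionParser.hashFingerprint(fingerprint));
    }
}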
