package io.stargate.auth.table;

import com.datastax.oss.driver.shaded.guava.common.base.Strings;
import io.stargate.auth.AuthenticationService;
import io.stargate.auth.StoredCredentials;
import io.stargate.auth.UnauthorizedException;
import io.stargate.db.Persistence;
import io.stargate.db.QueryOptions;
import io.stargate.db.QueryState;
import io.stargate.db.datastore.DataStore;
import io.stargate.db.datastore.ResultSet;
import io.stargate.db.datastore.Row;
import io.stargate.db.datastore.query.WhereCondition;
import java.time.Instant;
import java.util.Collections;
import java.util.Optional;
import java.util.UUID;
import java.util.concurrent.ExecutionException;
import org.apache.cassandra.stargate.db.ConsistencyLevel;
import org.mindrot.jbcrypt.BCrypt;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/stargate/auth/table/AuthTableBasedService.class */
public class AuthTableBasedService implements AuthenticationService {
    private Persistence persistence;
    private DataStore dataStore;
    private static final Logger logger = LoggerFactory.getLogger((Class<?>) AuthTableBasedService.class);
    private static final String AUTH_KEYSPACE = System.getProperty("stargate.auth_keyspace", "data_endpoint_auth");
    private static final String AUTH_TABLE = System.getProperty("stargate.auth_table", "token");
    private static final int tokenTTL = Integer.parseInt(System.getProperty("stargate.auth_tokenttl", "1800"));
    private static final boolean shouldInitializeAuthKeyspace = Boolean.parseBoolean(System.getProperty("stargate.auth_tablebased_init", "true"));

    public Persistence getPersistence() {
        return this.persistence;
    }

    public void setPersistence(Persistence persistence) {
        this.persistence = persistence;
        this.dataStore = persistence.newDataStore((QueryState) null, (QueryOptions) null);
        if (shouldInitializeAuthKeyspace) {
            initAuthTable(this.dataStore);
        }
    }

    private void initAuthTable(DataStore dataStore) {
        try {
            logger.info("Initializing keyspace {} and table {} for table based auth", AUTH_KEYSPACE, AUTH_TABLE);
            dataStore.query(String.format("CREATE KEYSPACE IF NOT EXISTS %s WITH REPLICATION = {'class': 'SimpleStrategy', 'replication_factor':1}", AUTH_KEYSPACE), Optional.of(ConsistencyLevel.LOCAL_QUORUM), new Object[]{Collections.emptyList()}).get();
            dataStore.query(String.format("CREATE TABLE IF NOT EXISTS %s.\"%s\" (auth_token UUID, username text, created_timestamp int, PRIMARY KEY (auth_token))", AUTH_KEYSPACE, AUTH_TABLE), Optional.of(ConsistencyLevel.LOCAL_QUORUM), new Object[]{Collections.emptyList()}).get();
        } catch (Exception e) {
            logger.error("Failed to initialize auth table", (Throwable) e);
            throw new RuntimeException(e);
        }
    }

    public String createToken(String str, String str2) throws UnauthorizedException {
        UUID randomUUID = UUID.randomUUID();
        try {
            String queryHashedPassword = queryHashedPassword(str);
            if (queryHashedPassword == null || queryHashedPassword.isEmpty() || !checkpw(str2, queryHashedPassword)) {
                throw new UnauthorizedException(String.format("Provided username %s and/or password are incorrect", str));
            }
            saveToken(str, randomUUID);
            return randomUUID.toString();
        } catch (Exception e) {
            throw new UnauthorizedException(e.getMessage());
        }
    }

    public String createToken(String str) throws UnauthorizedException {
        UUID randomUUID = UUID.randomUUID();
        try {
            String queryUsername = queryUsername(str);
            if (queryUsername == null || queryUsername.isEmpty()) {
                throw new UnauthorizedException(String.format("Provided username %s is incorrect", str));
            }
            saveToken(str, randomUUID);
            return randomUUID.toString();
        } catch (Exception e) {
            throw new UnauthorizedException(e.getMessage());
        }
    }

    private void saveToken(String str, UUID uuid) {
        try {
            this.dataStore.query().insertInto(AUTH_KEYSPACE, AUTH_TABLE).value("username", str).value("auth_token", uuid).value("created_timestamp", Integer.valueOf(Math.toIntExact(Instant.now().getEpochSecond()))).ttl(tokenTTL).consistencyLevel(ConsistencyLevel.LOCAL_QUORUM).execute(new Object[0]);
        } catch (Exception e) {
            logger.error("Failed to add new token", (Throwable) e);
            throw new RuntimeException(e);
        }
    }

    private String queryUsername(String str) throws ExecutionException, InterruptedException {
        ResultSet execute = this.dataStore.query().select().column("role").from("system_auth", "roles").where("role", WhereCondition.Predicate.Eq, str).execute(new Object[0]);
        if (execute.isEmpty()) {
            throw new RuntimeException(String.format("Provided username %s is incorrect", str));
        }
        Row one = execute.one();
        if (one.has("role")) {
            return one.getString("role");
        }
        throw new RuntimeException(String.format("Provided username %s is incorrect", str));
    }

    private String queryHashedPassword(String str) throws ExecutionException, InterruptedException {
        ResultSet execute = this.dataStore.query().select().column("salted_hash").from("system_auth", "roles").where("role", WhereCondition.Predicate.Eq, str).execute(new Object[0]);
        if (execute.isEmpty()) {
            throw new RuntimeException(String.format("Provided username %s and/or password are incorrect", str));
        }
        Row one = execute.one();
        if (one.has("salted_hash")) {
            return one.getString("salted_hash");
        }
        throw new RuntimeException(String.format("Provided username %s and/or password are incorrect", str));
    }

    protected static boolean checkpw(String str, String str2) {
        try {
            return BCrypt.checkpw(str, str2);
        } catch (Exception e) {
            logger.warn("Error: invalid password hash encountered, rejecting user", (Throwable) e);
            return false;
        }
    }

    public StoredCredentials validateToken(String str) throws UnauthorizedException {
        if (Strings.isNullOrEmpty(str)) {
            throw new UnauthorizedException("authorization failed - missing token");
        }
        try {
            UUID fromString = UUID.fromString(str);
            StoredCredentials storedCredentials = new StoredCredentials();
            try {
                ResultSet execute = this.dataStore.query().select().star().from(AUTH_KEYSPACE, AUTH_TABLE).where("auth_token", WhereCondition.Predicate.Eq, fromString).execute(new Object[0]);
                if (execute.isEmpty()) {
                    throw new UnauthorizedException("authorization failed");
                }
                Row one = execute.one();
                if (!one.has("username")) {
                    throw new RuntimeException("unable to get username from token table");
                }
                int i = one.getInt("created_timestamp");
                String string = one.getString("username");
                storedCredentials.setRoleName(string);
                this.dataStore.query().update(AUTH_KEYSPACE, AUTH_TABLE).ttl(tokenTTL).value("username", string).value("created_timestamp", Integer.valueOf(i)).where("auth_token", WhereCondition.Predicate.Eq, UUID.fromString(str)).consistencyLevel(ConsistencyLevel.LOCAL_QUORUM).execute(new Object[0]);
                return storedCredentials;
            } catch (InterruptedException | ExecutionException e) {
                logger.error("Failed to validate token", e);
                throw new RuntimeException(e);
            } catch (UnauthorizedException e2) {
                throw e2;
            }
        } catch (IllegalArgumentException e3) {
            throw new UnauthorizedException("authorization failed - bad token");
        }
    }
}
