package org.apache.tinkerpop.gremlin.server.auth;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import org.apache.tinkerpop.gremlin.groovy.plugin.dsl.credential.CredentialGraph;
import org.apache.tinkerpop.gremlin.server.auth.Authenticator;
import org.apache.tinkerpop.gremlin.structure.Vertex;
import org.apache.tinkerpop.gremlin.structure.io.IoCore;
import org.apache.tinkerpop.gremlin.structure.util.GraphFactory;
import org.apache.tinkerpop.gremlin.tinkergraph.structure.TinkerGraph;
import org.mindrot.jbcrypt.BCrypt;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/tinkerpop/gremlin/server/auth/SimpleAuthenticator.class */
public class SimpleAuthenticator implements Authenticator {
    private static final Logger logger = LoggerFactory.getLogger(SimpleAuthenticator.class);
    private static final byte NUL = 0;
    private CredentialGraph credentialStore;

    @Deprecated
    public static final String CONFIG_CREDENTIALS_LOCATION = "credentialsDbLocation";
    public static final String CONFIG_CREDENTIALS_DB = "credentialsDb";

    /* loaded from: input_file:org/apache/tinkerpop/gremlin/server/auth/SimpleAuthenticator$PlainTextSaslAuthenticator.class */
    private class PlainTextSaslAuthenticator implements Authenticator.SaslNegotiator {
        private boolean complete;
        private String username;
        private String password;

        private PlainTextSaslAuthenticator() {
            this.complete = false;
        }

        @Override // org.apache.tinkerpop.gremlin.server.auth.Authenticator.SaslNegotiator
        public byte[] evaluateResponse(byte[] bArr) throws AuthenticationException {
            decodeCredentials(bArr);
            this.complete = true;
            return null;
        }

        @Override // org.apache.tinkerpop.gremlin.server.auth.Authenticator.SaslNegotiator
        public boolean isComplete() {
            return this.complete;
        }

        @Override // org.apache.tinkerpop.gremlin.server.auth.Authenticator.SaslNegotiator
        public AuthenticatedUser getAuthenticatedUser() throws AuthenticationException {
            if (!this.complete) {
                throw new AuthenticationException("SASL negotiation not complete");
            }
            HashMap hashMap = new HashMap();
            hashMap.put("username", this.username);
            hashMap.put("password", this.password);
            return SimpleAuthenticator.this.authenticate(hashMap);
        }

        private void decodeCredentials(byte[] bArr) throws AuthenticationException {
            byte[] bArr2 = SimpleAuthenticator.NUL;
            byte[] bArr3 = SimpleAuthenticator.NUL;
            int length = bArr.length;
            for (int length2 = bArr.length - 1; length2 >= 0; length2--) {
                if (bArr[length2] == 0) {
                    if (bArr3 == null) {
                        bArr3 = Arrays.copyOfRange(bArr, length2 + 1, length);
                    } else if (bArr2 == null) {
                        bArr2 = Arrays.copyOfRange(bArr, length2 + 1, length);
                    }
                    length = length2;
                }
            }
            if (SimpleAuthenticator.NUL == bArr2) {
                throw new AuthenticationException("Authentication ID must not be null");
            }
            if (SimpleAuthenticator.NUL == bArr3) {
                throw new AuthenticationException("Password must not be null");
            }
            this.username = new String(bArr2, StandardCharsets.UTF_8);
            this.password = new String(bArr3, StandardCharsets.UTF_8);
        }
    }

    @Override // org.apache.tinkerpop.gremlin.server.auth.Authenticator
    public boolean requireAuthentication() {
        return true;
    }

    @Override // org.apache.tinkerpop.gremlin.server.auth.Authenticator
    public void setup(Map<String, Object> map) {
        logger.info("Initializing authentication with the {}", SimpleAuthenticator.class.getName());
        if (NUL == map) {
            throw new IllegalArgumentException(String.format("Could not configure a %s - provide a 'config' in the 'authentication' settings", SimpleAuthenticator.class.getName()));
        }
        if (!map.containsKey(CONFIG_CREDENTIALS_DB)) {
            throw new IllegalStateException(String.format("Credentials configuration missing the %s key that points to a graph config file", CONFIG_CREDENTIALS_DB));
        }
        TinkerGraph open = GraphFactory.open((String) map.get(CONFIG_CREDENTIALS_DB));
        if (open instanceof TinkerGraph) {
            TinkerGraph tinkerGraph = open;
            tinkerGraph.createIndex("username", Vertex.class);
            if (map.containsKey(CONFIG_CREDENTIALS_LOCATION)) {
                logger.warn("Using {} configuration option which is deprecated - prefer including the location of the credentials graph data in the TinkerGraph config file.");
                String str = (String) map.get(CONFIG_CREDENTIALS_LOCATION);
                try {
                    tinkerGraph.io(IoCore.gryo()).readGraph(str);
                } catch (IOException e) {
                    logger.warn("Could not read credentials graph from {} - authentication is enabled, but with an empty user database", str);
                }
            }
        }
        this.credentialStore = CredentialGraph.credentials(open);
        logger.info("CredentialGraph initialized at {}", this.credentialStore);
    }

    @Override // org.apache.tinkerpop.gremlin.server.auth.Authenticator
    public Authenticator.SaslNegotiator newSaslNegotiator() {
        return new PlainTextSaslAuthenticator();
    }

    @Override // org.apache.tinkerpop.gremlin.server.auth.Authenticator
    public AuthenticatedUser authenticate(Map<String, String> map) throws AuthenticationException {
        if (!map.containsKey("username")) {
            throw new IllegalArgumentException(String.format("Credentials must contain a %s", "username"));
        }
        if (!map.containsKey("password")) {
            throw new IllegalArgumentException(String.format("Credentials must contain a %s", "password"));
        }
        String str = map.get("username");
        String str2 = map.get("password");
        try {
            Vertex findUser = this.credentialStore.findUser(str);
            if (NUL == findUser) {
                throw new AuthenticationException("Username and/or password are incorrect");
            }
            if (BCrypt.checkpw(str2, (String) findUser.value("password"))) {
                return new AuthenticatedUser(str);
            }
            throw new AuthenticationException("Username and/or password are incorrect");
        } catch (IllegalStateException e) {
            logger.warn(e.getMessage());
            throw new AuthenticationException("Username and/or password are incorrect", e);
        } catch (Exception e2) {
            throw new AuthenticationException("Username and/or password are incorrect", e2);
        }
    }
}
