package org.geoserver.security;

import com.google.common.net.HttpHeaders;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import org.apache.batik.css.parser.CSSLexicalUnit;
import org.geoserver.config.impl.GeoServerLifecycleHandler;
import org.geoserver.security.config.BruteForcePreventionConfig;
import org.geotools.util.logging.Logging;
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.event.AbstractAuthenticationEvent;
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
import org.springframework.security.authentication.event.AuthenticationFailureProviderNotFoundEvent;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;

/* loaded from: input_file:WEB-INF/lib/gs-main-2.18.7-georchestra.jar:org/geoserver/security/BruteForceListener.class */
public class BruteForceListener implements ApplicationListener<AbstractAuthenticationEvent>, GeoServerLifecycleHandler {
    static final Logger LOGGER = Logging.getLogger((Class<?>) BruteForceListener.class);
    Map<String, AtomicInteger> delayedUsers = new ConcurrentHashMap();
    private GeoServerSecurityManager securityManager;

    public BruteForceListener(GeoServerSecurityManager geoServerSecurityManager) {
        this.securityManager = geoServerSecurityManager;
    }

    private BruteForcePreventionConfig getConfig() {
        BruteForcePreventionConfig bruteForcePrevention = this.securityManager.getSecurityConfig().getBruteForcePrevention();
        return bruteForcePrevention == null ? BruteForcePreventionConfig.DEFAULT : bruteForcePrevention;
    }

    @Override // org.springframework.context.ApplicationListener
    public void onApplicationEvent(AbstractAuthenticationEvent abstractAuthenticationEvent) {
        BruteForcePreventionConfig config = getConfig();
        if (config.isEnabled()) {
            HttpServletRequest httpServletRequest = GeoServerSecurityFilterChainProxy.REQUEST.get();
            if (requestAddressInWhiteList(httpServletRequest, config)) {
                return;
            }
            Authentication authentication = abstractAuthenticationEvent.getAuthentication();
            String userName = getUserName(authentication);
            if (userName == null) {
                LOGGER.warning("Brute force attack prevention enabled, but Spring Authentication does not provide a user name, skipping: " + authentication);
            }
            AtomicInteger atomicInteger = this.delayedUsers.get(userName);
            if (atomicInteger != null) {
                int incrementAndGet = atomicInteger.incrementAndGet();
                logFailedRequest(httpServletRequest, userName, incrementAndGet);
                throw new ConcurrentAuthenticationException(userName, incrementAndGet);
            }
            if ((abstractAuthenticationEvent instanceof AuthenticationFailureBadCredentialsEvent) || (abstractAuthenticationEvent instanceof AuthenticationFailureProviderNotFoundEvent)) {
                int maxBlockedThreads = config.getMaxBlockedThreads();
                if (maxBlockedThreads > 0 && this.delayedUsers.size() > maxBlockedThreads) {
                    throw new MaxBlockedThreadsException(1);
                }
                this.delayedUsers.put(userName, new AtomicInteger(1));
                try {
                    logFailedRequest(httpServletRequest, userName, 0);
                    long computeDelay = computeDelay(config);
                    if (computeDelay > 0) {
                        if (LOGGER.isLoggable(Level.INFO)) {
                            LOGGER.info("Brute force attack prevention, delaying login for " + computeDelay + CSSLexicalUnit.UNIT_TEXT_MILLISECOND);
                        }
                        Thread.sleep(computeDelay);
                    }
                    this.delayedUsers.remove(userName);
                } catch (InterruptedException e) {
                    this.delayedUsers.remove(userName);
                } catch (Throwable th) {
                    this.delayedUsers.remove(userName);
                    throw th;
                }
            }
        }
    }

    private boolean requestAddressInWhiteList(HttpServletRequest httpServletRequest, BruteForcePreventionConfig bruteForcePreventionConfig) {
        if (bruteForcePreventionConfig.getWhitelistAddressMatchers() == null) {
            return false;
        }
        return bruteForcePreventionConfig.getWhitelistAddressMatchers().stream().anyMatch(ipAddressMatcher -> {
            return ipAddressMatcher.matches(httpServletRequest);
        });
    }

    private long computeDelay(BruteForcePreventionConfig bruteForcePreventionConfig) {
        return (bruteForcePreventionConfig.getMinDelaySeconds() * 1000) + ((long) (((bruteForcePreventionConfig.getMaxDelaySeconds() * 1000) - r0) * Math.random()));
    }

    private String getUserName(Authentication authentication) {
        if (authentication == null) {
            return null;
        }
        Object principal = authentication.getPrincipal();
        if (principal != null) {
            if (principal instanceof UserDetails) {
                return ((UserDetails) principal).getUsername();
            }
            if (principal instanceof String) {
                return (String) principal;
            }
        }
        return authentication.getName();
    }

    private void logFailedRequest(HttpServletRequest httpServletRequest, String str, int i) {
        StringBuilder append = new StringBuilder("Failed login, user ").append(str).append(" from ");
        append.append(httpServletRequest.getRemoteAddr());
        String header = httpServletRequest.getHeader(HttpHeaders.X_FORWARDED_FOR);
        if (header != null) {
            append.append(", forwarded for ").append(header);
        }
        if (i > 0) {
            append.append(", stopped ").append(i).append(" concurrent logins during authentication delay");
        }
        LOGGER.warning(append.toString());
    }

    @Override // org.geoserver.config.impl.GeoServerLifecycleHandler
    public void onReset() {
        this.delayedUsers.clear();
    }

    @Override // org.geoserver.config.impl.GeoServerLifecycleHandler
    public void onDispose() {
    }

    @Override // org.geoserver.config.impl.GeoServerLifecycleHandler
    public void beforeReload() {
    }

    @Override // org.geoserver.config.impl.GeoServerLifecycleHandler
    public void onReload() {
        this.delayedUsers.clear();
    }
}
