package com.datadog.appsec.user;

import datadog.appsec.api.blocking.BlockingException;
import datadog.slf4j.Logger;
import datadog.slf4j.LoggerFactory;
import datadog.trace.api.UserIdCollectionMode;
import datadog.trace.api.appsec.AppSecEventTracker;
import datadog.trace.api.function.TriFunction;
import datadog.trace.api.gateway.BlockResponseFunction;
import datadog.trace.api.gateway.CallbackProvider;
import datadog.trace.api.gateway.EventType;
import datadog.trace.api.gateway.Events;
import datadog.trace.api.gateway.Flow;
import datadog.trace.api.gateway.RequestContext;
import datadog.trace.api.gateway.RequestContextSlot;
import datadog.trace.api.internal.TraceSegment;
import datadog.trace.api.telemetry.LogCollector;
import datadog.trace.api.telemetry.WafMetricCollector;
import datadog.trace.bootstrap.ActiveSubsystems;
import datadog.trace.bootstrap.instrumentation.api.AgentSpan;
import datadog.trace.bootstrap.instrumentation.api.AgentTracer;
import datadog.trace.bootstrap.instrumentation.api.Tags;
import datadog.trace.util.Strings;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.annotation.Nonnull;

/* loaded from: input_file:appsec/com/datadog/appsec/user/AppSecEventTrackerImpl.classdata */
public class AppSecEventTrackerImpl extends AppSecEventTracker {
    private static final int HASH_SIZE_BYTES = 16;
    private static final String ANON_PREFIX = "anon_";
    private static final String LOGIN_FAILURE_NO_USER_TAG = "appsec.events.users.login.failure.usr.exists";
    private static final String LOGIN_FAILURE_USER_ID_EXTRA_TAG = "appsec.events.users.login.failure.usr.id";
    private static final String USER_COLLECTION_MODE_TAG = "_dd.appsec.user.collection_mode";
    private static final Logger LOGGER = LoggerFactory.getLogger((Class<?>) AppSecEventTrackerImpl.class);
    private static final AtomicBoolean SHA_MISSING_REPORTED = new AtomicBoolean(false);

    protected boolean isEnabled(UserIdCollectionMode userIdCollectionMode) {
        return ActiveSubsystems.APPSEC_ACTIVE && userIdCollectionMode != UserIdCollectionMode.DISABLED;
    }

    @Override // datadog.trace.api.appsec.AppSecEventTracker
    public void onUserNotFound(UserIdCollectionMode userIdCollectionMode) {
        TraceSegment beforeEvent = beforeEvent(userIdCollectionMode);
        if (beforeEvent == null) {
            return;
        }
        beforeEvent.setTagTop(LOGIN_FAILURE_NO_USER_TAG, false);
    }

    @Override // datadog.trace.api.appsec.AppSecEventTracker
    public void onSignupEvent(UserIdCollectionMode userIdCollectionMode, String str, Map<String, String> map) {
        TraceSegment beforeEvent = beforeEvent(userIdCollectionMode, str);
        if (beforeEvent == null) {
            return;
        }
        onUserId(userIdCollectionMode, beforeEvent, str, Events.EVENTS.userId(), new String[0]);
        onEvent(userIdCollectionMode, beforeEvent, "users.signup", false, map);
    }

    @Override // datadog.trace.api.appsec.AppSecEventTracker
    public void onLoginSuccessEvent(UserIdCollectionMode userIdCollectionMode, String str, Map<String, String> map) {
        TraceSegment beforeEvent = beforeEvent(userIdCollectionMode, str);
        if (beforeEvent == null) {
            return;
        }
        onUserId(userIdCollectionMode, beforeEvent, str, Events.EVENTS.loginSuccess(), new String[0]);
        onEvent(userIdCollectionMode, beforeEvent, "users.login.success", false, map);
    }

    @Override // datadog.trace.api.appsec.AppSecEventTracker
    public void onLoginFailureEvent(UserIdCollectionMode userIdCollectionMode, String str, Boolean bool, Map<String, String> map) {
        TraceSegment beforeEvent = beforeEvent(userIdCollectionMode, str);
        if (beforeEvent == null) {
            return;
        }
        onUserId(userIdCollectionMode, beforeEvent, str, Events.EVENTS.loginFailure(), LOGIN_FAILURE_USER_ID_EXTRA_TAG);
        onEvent(userIdCollectionMode, beforeEvent, "users.login.failure", false, map);
        if (bool != null) {
            beforeEvent.setTagTop(LOGIN_FAILURE_NO_USER_TAG, bool, false);
        }
    }

    @Override // datadog.trace.api.appsec.AppSecEventTracker
    public void onUserEvent(UserIdCollectionMode userIdCollectionMode, String str) {
        TraceSegment beforeEvent = beforeEvent(userIdCollectionMode, str);
        if (beforeEvent == null) {
            return;
        }
        onUserId(userIdCollectionMode, beforeEvent, str, Events.EVENTS.userId(), new String[0]);
    }

    @Override // datadog.trace.api.appsec.AppSecEventTracker
    public void onCustomEvent(UserIdCollectionMode userIdCollectionMode, String str, Map<String, String> map) {
        if (str == null || str.isEmpty()) {
            throw new IllegalArgumentException("EventName is null or empty");
        }
        TraceSegment beforeEvent = beforeEvent(userIdCollectionMode);
        if (beforeEvent == null) {
            return;
        }
        onEvent(userIdCollectionMode, beforeEvent, str, true, map);
    }

    protected void onUserId(@Nonnull UserIdCollectionMode userIdCollectionMode, TraceSegment traceSegment, String str, EventType<TriFunction<RequestContext, UserIdCollectionMode, String, Flow<Void>>> eventType, String... strArr) {
        RequestContext requestContext;
        if (userIdCollectionMode == UserIdCollectionMode.SDK || !isSdkCollectedUser(traceSegment)) {
            String anonymize = userIdCollectionMode == UserIdCollectionMode.ANONYMIZATION ? anonymize(str) : str;
            for (String str2 : strArr) {
                traceSegment.setTagTop(str2, anonymize, false);
            }
            AgentSpan activeSpan = tracer().activeSpan();
            if (activeSpan == null || (requestContext = activeSpan.getRequestContext()) == null) {
                return;
            }
            Flow.Action action = callIGCallbackUserId(tracer().activeSpan(), userIdCollectionMode, anonymize, eventType).getAction();
            if (action instanceof Flow.Action.RequestBlockingAction) {
                BlockResponseFunction blockResponseFunction = requestContext.getBlockResponseFunction();
                if (blockResponseFunction != null) {
                    Flow.Action.RequestBlockingAction requestBlockingAction = (Flow.Action.RequestBlockingAction) action;
                    blockResponseFunction.tryCommitBlockingResponse(requestContext.getTraceSegment(), requestBlockingAction.getStatusCode(), requestBlockingAction.getBlockingContentType(), requestBlockingAction.getExtraHeaders());
                }
                throw new BlockingException("Blocked request (for user id)");
            }
        }
    }

    private void onEvent(@Nonnull UserIdCollectionMode userIdCollectionMode, @Nonnull TraceSegment traceSegment, String str, boolean z, Map<String, String> map) {
        traceSegment.setTagTop("appsec.events." + str + ".track", true, z);
        traceSegment.setTagTop(Tags.ASM_KEEP, true);
        traceSegment.setTagTop(Tags.PROPAGATED_APPSEC, true);
        if (userIdCollectionMode == UserIdCollectionMode.SDK) {
            traceSegment.setTagTop("_dd.appsec.events." + str + ".sdk", true, z);
        } else {
            traceSegment.setTagTop("_dd.appsec.events." + str + ".auto.mode", userIdCollectionMode.fullName(), z);
        }
        if (map == null || map.isEmpty()) {
            return;
        }
        traceSegment.setTagTop("appsec.events." + str, map, z);
    }

    protected TraceSegment beforeEvent(UserIdCollectionMode userIdCollectionMode, String str) {
        if (str != null && !str.isEmpty()) {
            return beforeEvent(userIdCollectionMode);
        }
        if (userIdCollectionMode == UserIdCollectionMode.SDK) {
            throw new IllegalArgumentException("UserId is null or empty");
        }
        WafMetricCollector.get().missingUserId();
        return null;
    }

    protected TraceSegment beforeEvent(UserIdCollectionMode userIdCollectionMode) {
        if (isEnabled(userIdCollectionMode)) {
            return tracer().getTraceSegment();
        }
        return null;
    }

    protected boolean isSdkCollectedUser(TraceSegment traceSegment) {
        if (traceSegment == null) {
            return false;
        }
        return UserIdCollectionMode.SDK.shortName().equals(traceSegment.getTagTop(USER_COLLECTION_MODE_TAG));
    }

    protected static String anonymize(String str) {
        if (str == null) {
            return null;
        }
        try {
            MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
            messageDigest.update(str.getBytes());
            byte[] digest = messageDigest.digest();
            if (digest.length > 16) {
                byte[] bArr = new byte[16];
                System.arraycopy(digest, 0, bArr, 0, bArr.length);
                digest = bArr;
            }
            return ANON_PREFIX + Strings.toHexString(digest);
        } catch (NoSuchAlgorithmException e) {
            if (SHA_MISSING_REPORTED.getAndSet(true)) {
                return null;
            }
            LOGGER.error(LogCollector.SEND_TELEMETRY, "Missing SHA-256 digest, user collection in 'anon' mode cannot continue", (Throwable) e);
            return null;
        }
    }

    private Flow<Void> callIGCallbackUserId(AgentSpan agentSpan, UserIdCollectionMode userIdCollectionMode, String str, EventType<TriFunction<RequestContext, UserIdCollectionMode, String, Flow<Void>>> eventType) {
        CallbackProvider callbackProvider = tracer().getCallbackProvider(RequestContextSlot.APPSEC);
        RequestContext requestContext = agentSpan.getRequestContext();
        if (callbackProvider == null || requestContext == null) {
            return Flow.ResultFlow.empty();
        }
        TriFunction triFunction = (TriFunction) callbackProvider.getCallback(eventType);
        return triFunction == null ? Flow.ResultFlow.empty() : (Flow) triFunction.apply(requestContext, userIdCollectionMode, str);
    }

    protected AgentTracer.TracerAPI tracer() {
        return AgentTracer.get();
    }
}
