package oracle.kv.impl.security;

import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import oracle.kv.AuthenticationRequiredException;
import oracle.kv.UnauthorizedException;
import oracle.kv.impl.security.login.LoginToken;
import oracle.kv.impl.security.login.TokenVerifier;
import oracle.kv.impl.security.metadata.KVStoreUser;
import oracle.kv.impl.security.util.BloomFilter;
import oracle.kv.impl.security.util.Cache;
import oracle.kv.impl.security.util.CacheBuilder;
import oracle.kv.impl.security.util.SecurityUtils;
import oracle.kv.impl.topo.ResourceId;
import oracle.kv.impl.util.RateLimitingLogger;

/* loaded from: input_file:oracle/kv/impl/security/AccessCheckerImpl.class */
public class AccessCheckerImpl implements AccessChecker {
    private static final int LIMIT_FAULTS = 20;
    private static final int ONE_MINUTE_MS = 60000;
    private final TokenVerifier verifier;
    private final RoleResolver roleResolver;
    private volatile Logger logger;
    private volatile RateLimitingLogger<String> rateLimitingLogger;
    private final Cache<String, PrivilegeEntry> userPrivCache;

    /* loaded from: input_file:oracle/kv/impl/security/AccessCheckerImpl$PrivilegeEntry.class */
    public static class PrivilegeEntry extends CacheBuilder.CacheEntry {
        private final Set<KVStorePrivilege> privsSet;
        private final String princId;
        private final byte[] leafRoleBf;

        public PrivilegeEntry(String str, Set<KVStorePrivilege> set, Set<String> set2) {
            this.privsSet = set;
            this.princId = str;
            if (set2 == null || set2.isEmpty()) {
                this.leafRoleBf = null;
                return;
            }
            this.leafRoleBf = new byte[BloomFilter.getByteSize(set2.size())];
            BloomFilter.HashContext hashContext = new BloomFilter.HashContext();
            Iterator<String> it = set2.iterator();
            while (it.hasNext()) {
                BloomFilter.add(this.leafRoleBf, RoleInstance.getNormalizedName(it.next()).getBytes(), hashContext);
            }
        }

        String getPrincId() {
            return this.princId;
        }

        public Set<KVStorePrivilege> getPrivileges() {
            return Collections.unmodifiableSet(this.privsSet);
        }

        public boolean hasRole(String str) {
            if (this.leafRoleBf == null) {
                return false;
            }
            return BloomFilter.contains(this.leafRoleBf, RoleInstance.getNormalizedName(str).getBytes());
        }
    }

    public AccessCheckerImpl(TokenVerifier tokenVerifier, RoleResolver roleResolver, CacheBuilder.CacheConfig cacheConfig, Logger logger) {
        this(tokenVerifier, roleResolver, cacheConfig, logger, ONE_MINUTE_MS, 20);
    }

    protected AccessCheckerImpl(TokenVerifier tokenVerifier, RoleResolver roleResolver, CacheBuilder.CacheConfig cacheConfig, Logger logger, int i, int i2) {
        this.verifier = tokenVerifier;
        this.roleResolver = roleResolver;
        this.logger = logger;
        this.rateLimitingLogger = new RateLimitingLogger<>(i, i2, logger);
        if (cacheConfig != null) {
            this.userPrivCache = CacheBuilder.build(cacheConfig);
        } else {
            this.userPrivCache = null;
        }
    }

    public void logError(String str, ExecutionContext executionContext, OperationContext operationContext) {
        AccessCheckUtils.logSecurityError(str, operationContext.describe(), executionContext, this.rateLimitingLogger);
    }

    public void setLogger(Logger logger) {
        this.logger = logger;
        this.rateLimitingLogger = new RateLimitingLogger<>(ONE_MINUTE_MS, 20, logger);
    }

    @Override // oracle.kv.impl.security.AccessChecker
    public Subject identifyRequestor(AuthContext authContext) throws SessionAccessException {
        LoginToken loginToken;
        if (authContext == null || (loginToken = authContext.getLoginToken()) == null) {
            return null;
        }
        try {
            return this.verifier.verifyToken(loginToken);
        } catch (SessionAccessException e) {
            throw new SessionAccessException((Throwable) e, false);
        }
    }

    @Override // oracle.kv.impl.security.AccessChecker
    public void checkAccess(ExecutionContext executionContext, OperationContext operationContext) throws AuthenticationRequiredException, UnauthorizedException {
        List<? extends KVStorePrivilege> requiredPrivileges = operationContext.getRequiredPrivileges();
        if (requiredPrivileges.size() == 0) {
            return;
        }
        if (executionContext.requestorSubject() != null) {
            if (executionContext.hasAllPrivileges(requiredPrivileges)) {
                return;
            }
            logError("Insufficient access rights", executionContext, operationContext);
            throw new UnauthorizedException("Insufficient access rights granted");
        }
        AuthContext requestorContext = executionContext.requestorContext();
        if (requestorContext == null || requestorContext.getLoginToken() == null) {
            logError("Attempt to call method without authentication", executionContext, operationContext);
            throw new AuthenticationRequiredException("Authentication required for access", false);
        }
        ResourceId allocator = requestorContext.getLoginToken().getSessionId().getAllocator();
        if (allocator == null || !allocator.getType().isStorageNode()) {
            logError("Attempt to call method with invalid authentication: the login token is invalid or expired, and should either be renewed automatically or reauthentication should be performed.", executionContext, operationContext);
        } else {
            logInvalidInternalTokenError(executionContext, operationContext);
        }
        throw new AuthenticationRequiredException("Authentication required for access", false);
    }

    private void logInvalidInternalTokenError(ExecutionContext executionContext, OperationContext operationContext) {
        if (this.rateLimitingLogger.getInternalLogger() == null) {
            return;
        }
        KVStoreUserPrincipal subjectUserPrincipal = ExecutionContext.getSubjectUserPrincipal(executionContext.requestorSubject());
        if (subjectUserPrincipal != null) {
            logError("Unexpected access by internal node as user " + subjectUserPrincipal, executionContext, operationContext);
        } else {
            this.rateLimitingLogger.log(operationContext.describe(), Level.INFO, String.format("Internal operation %s access from %s, accessing with an expired or non-existent login token, will attempt to acquire a new token.", operationContext.describe(), executionContext.requestorHost()));
        }
    }

    @Override // oracle.kv.impl.security.AccessChecker
    public Set<KVStorePrivilege> identifyPrivileges(Subject subject) {
        PrivilegeEntry privilegeEntry;
        if (subject == null) {
            return null;
        }
        KVStoreUserPrincipal subjectUserPrincipal = ExecutionContext.getSubjectUserPrincipal(subject);
        if (this.userPrivCache != null && subjectUserPrincipal != null && (privilegeEntry = this.userPrivCache.get(subjectUserPrincipal.getUserId())) != null) {
            return privilegeEntry.getPrivileges();
        }
        HashSet hashSet = new HashSet();
        HashSet hashSet2 = new HashSet();
        Iterator it = subject.getPrincipals(KVStoreRolePrincipal.class).iterator();
        while (it.hasNext()) {
            recursiveGetRolesAndPrivis(((KVStoreRolePrincipal) it.next()).getName(), hashSet2, hashSet);
        }
        if (this.userPrivCache != null && subjectUserPrincipal != null) {
            String userId = subjectUserPrincipal.getUserId();
            if (userId != null && userId.startsWith(SecurityUtils.IDCS_OAUTH_USER_ID_PREFIX)) {
                return hashSet;
            }
            this.userPrivCache.put(subjectUserPrincipal.getUserId(), new PrivilegeEntry(subjectUserPrincipal.getUserId(), hashSet, hashSet2));
        }
        return hashSet;
    }

    RateLimitingLogger<String> getRateLimitingLogger() {
        return this.rateLimitingLogger;
    }

    private void recursiveGetRolesAndPrivis(String str, Set<String> set, Set<KVStorePrivilege> set2) {
        RoleInstance resolve = this.roleResolver.resolve(str);
        if (resolve == null) {
            this.logger.info("Could not resolve role with name of " + str);
            return;
        }
        this.logger.fine("Role " + str + " resolved successfully.");
        set2.addAll(resolve.getPrivileges());
        set.add(str);
        Iterator<String> it = resolve.getGrantedRoles().iterator();
        while (it.hasNext()) {
            recursiveGetRolesAndPrivis(it.next(), set, set2);
        }
    }

    public boolean updateRoleDefinition(RoleInstance roleInstance) {
        boolean z = false;
        for (PrivilegeEntry privilegeEntry : this.userPrivCache.getAllValues()) {
            if (privilegeEntry.hasRole(roleInstance.name())) {
                PrivilegeEntry invalidate = this.userPrivCache.invalidate(privilegeEntry.getPrincId());
                if (!z) {
                    z = invalidate != null;
                }
            }
        }
        return z;
    }

    public boolean updateUserDefinition(KVStoreUser kVStoreUser) {
        return this.userPrivCache.invalidate(kVStoreUser.getElementId()) != null;
    }
}
