package oracle.kv.impl.admin.plan;

import com.sleepycat.persist.model.Persistent;
import java.security.SecureRandom;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import oracle.kv.KVVersion;
import oracle.kv.impl.admin.Admin;
import oracle.kv.impl.admin.IllegalCommandException;
import oracle.kv.impl.admin.PlanLocksHeldException;
import oracle.kv.impl.admin.plan.task.AddExternalUser;
import oracle.kv.impl.admin.plan.task.AddRole;
import oracle.kv.impl.admin.plan.task.AddUser;
import oracle.kv.impl.admin.plan.task.ChangeUser;
import oracle.kv.impl.admin.plan.task.GrantNamespacePrivileges;
import oracle.kv.impl.admin.plan.task.GrantPrivileges;
import oracle.kv.impl.admin.plan.task.GrantRoles;
import oracle.kv.impl.admin.plan.task.GrantRolesToRole;
import oracle.kv.impl.admin.plan.task.NewSecurityMDChange;
import oracle.kv.impl.admin.plan.task.RemoveRole;
import oracle.kv.impl.admin.plan.task.RemoveUser;
import oracle.kv.impl.admin.plan.task.RevokeNamespacePrivileges;
import oracle.kv.impl.admin.plan.task.RevokePrivileges;
import oracle.kv.impl.admin.plan.task.RevokeRoles;
import oracle.kv.impl.admin.plan.task.RevokeRolesFromRole;
import oracle.kv.impl.admin.plan.task.UpdateMetadata;
import oracle.kv.impl.admin.plan.task.Utils;
import oracle.kv.impl.metadata.Metadata;
import oracle.kv.impl.security.KVStorePrivilege;
import oracle.kv.impl.security.KVStorePrivilegeLabel;
import oracle.kv.impl.security.KVStoreUserPrincipal;
import oracle.kv.impl.security.PasswordHash;
import oracle.kv.impl.security.RoleInstance;
import oracle.kv.impl.security.RoleResolver;
import oracle.kv.impl.security.SystemPrivilege;
import oracle.kv.impl.security.metadata.KVStoreUser;
import oracle.kv.impl.security.metadata.PasswordHashDigest;
import oracle.kv.impl.security.metadata.SecurityMetadata;
import oracle.kv.impl.topo.AdminId;
import oracle.kv.impl.util.SerialVersion;

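/**
 * Factory for the admin plans that change the store's {@link SecurityMetadata}:
 * create / alter / drop users and roles, grant / revoke roles and privileges,
 * and re-broadcast the metadata to the store.
 *
 * <p>Two gates sit in front of every plan built here:
 * <ul>
 *   <li>Version gating: each constructor and factory calls {@code checkVersion}
 *       (inherited, not visible in this file) and refuses with
 *       {@link IllegalCommandException} while any node in the store is older
 *       than the feature it is asked to apply. Without this, an older node
 *       could silently ignore a revocation, a password policy or an
 *       expiration, leaving the store in an inconsistent security state.</li>
 *   <li>Plan-level authorization: {@link #getRequiredPrivileges()} is SYSOPER
 *       by default. {@link ChangeUserPlan} and the table/namespace variant of
 *       {@link PrivilegePlan} lower it to USRVIEW. The finer checks that make
 *       that safe (e.g. a non-SYSOPER user may only alter itself, a table owner
 *       may only grant on its own table) are not in this file and are presumably
 *       enforced by the task classes -- NOTE(review): confirm in
 *       {@code ChangeUser} / {@code GrantPrivileges} before relying on it.</li>
 * </ul>
 *
 * <p>Plans that grant or revoke also append one {@link NewSecurityMDChange}
 * task per admin (see {@link #addNewMDChangeTasks}) after the metadata task.
 */
@Persistent
public class SecurityMetadataPlan extends MetadataPlan<SecurityMetadata> {
    private static final long serialVersionUID = 1;

    /** Salt source for {@link #makeDefaultHashDigest}; must stay a CSPRNG. */
    private static final SecureRandom random = new SecureRandom();

    /* Minimum store versions for each security feature. */
    private static final KVVersion BASIC_AUTHENTICATION_VERSION = KVVersion.R3_0;
    public static final KVVersion BASIC_AUTHORIZATION_VERSION = KVVersion.R3_1;
    public static final KVVersion REALTIME_SESSION_UPDATE_VERSION = KVVersion.R3_2;
    public static final KVVersion USER_DEFINED_ROLE_VERSION = KVVersion.R3_3;
    public static final KVVersion CREATE_EXTERNAL_USER_VERSION = KVVersion.R3_5;
    public static final KVVersion PASSWORD_COMPLEXITY_POLICY_VERSION = KVVersion.R4_1;
    public static final KVVersion CASCADE_DROP_USER_VERSION = KVVersion.R4_3;
    /** Serial version 17 is the first that understands namespace privileges. */
    private static final KVVersion NAMESPACE_PRIVILEGE_VERSION = SerialVersion.getKVVersion((short) 17);

    private static final String userDefinedRoleNotSupported = "Could not perform operation until all nodes in the store support user-defined role feature";
    private static final String passwordExpireNotSupported = "Could not perform operation until all nodes in the store support password expiration feature";
    private static final String createExternalUserNotSupported = "Could not perform operation until all nodes in the store support creation of external user";
    private static final String passwordComplexityCheckNotSupported = "Could not perform create user or alter user's password operation until all nodes in the store support password complexity check";

    /**
     * Plan for ALTER USER. Requires only USRVIEW at the plan level so that a
     * caller without SYSOPER can reach the {@code ChangeUser} task (presumably
     * to change its own password); restricting such a caller to its own account
     * is therefore the task's job, not this plan's.
     */
    @Persistent
    public static class ChangeUserPlan extends SecurityMetadataPlan {
        private static final long serialVersionUID = 1;

        private ChangeUserPlan(String planName, Planner planner) {
            super(planName, planner);
        }

        /** No-arg constructor required by the persistence layer. */
        private ChangeUserPlan() {
            super();
        }

        @Override
        public List<? extends KVStorePrivilege> getRequiredPrivileges() {
            return SystemPrivilege.usrviewPrivList;
        }
    }

    /**
     * Plan for GRANT / REVOKE of privileges. Validates the privilege names up
     * front and decides, from whether a table name was supplied, whether this is
     * a SYSTEM privilege operation (needs SYSOPER) or a TABLE / NAMESPACE one
     * (needs only USRVIEW at plan level; ownership checks belong to the task).
     */
    public static class PrivilegePlan extends SecurityMetadataPlan {
        private static final long serialVersionUID = 1;
        /** Wildcard accepted in place of a privilege label. */
        private static final String ALLPRIVS = "ALL";
        private static final String versionNotMetMsg = "Cannot grant or revoke privileges when not all nodes in the store supports user-defined role.";
        private final boolean isSystemPrivsOp;

        /**
         * @param planName   display name of the plan
         * @param planner    owning planner; its Admin is used for version checks
         * @param privNames  privilege labels (case-insensitive) or "ALL"
         * @param systemPrivs true for system privileges, false for table/namespace
         * @throws IllegalCommandException if the store is too old or a name is
         *         unknown or of the wrong type for this operation
         */
        private PrivilegePlan(String planName, Planner planner, Set<String> privNames, boolean systemPrivs) {
            super(planName, planner);
            checkVersion(planner.getAdmin(), USER_DEFINED_ROLE_VERSION, versionNotMetMsg);
            this.isSystemPrivsOp = systemPrivs;
            validatePrivileges(privNames);
        }

        /**
         * Rejects unknown labels and labels whose type does not match the
         * operation. "ALL" is passed through untouched; the task expands it.
         */
        private void validatePrivileges(Set<String> privNames) {
            for (String name : privNames) {
                if (ALLPRIVS.equalsIgnoreCase(name)) {
                    continue;
                }
                final KVStorePrivilegeLabel label;
                /*
                 * Only valueOf can throw IllegalArgumentException; keep the try
                 * narrow so a type-consistency failure below can never be
                 * re-labelled as "not valid privilege name".
                 */
                try {
                    label = KVStorePrivilegeLabel.valueOf(name.toUpperCase(Locale.ENGLISH));
                } catch (IllegalArgumentException e) {
                    throw new IllegalCommandException(name + " is not valid privilege name");
                }
                if (!checkPrivConsistency(label)) {
                    throw new IllegalCommandException("Could not use " + name + " with type of " + label.getType() + " in this operation which needs privilege type of " + (this.isSystemPrivsOp ? "SYSTEM" : "TABLE or NAMESPACE"));
                }
            }
        }

        /** True when the label's type (SYSTEM vs. not) matches this operation. */
        private boolean checkPrivConsistency(KVStorePrivilegeLabel label) {
            final boolean isSystemLabel = label.getType().equals(KVStorePrivilege.PrivilegeType.SYSTEM);
            return isSystemLabel == this.isSystemPrivsOp;
        }

        @Override
        public List<? extends KVStorePrivilege> getRequiredPrivileges() {
            return this.isSystemPrivsOp ? SystemPrivilege.sysoperPrivList : SystemPrivilege.usrviewPrivList;
        }
    }

    /**
     * Plan for GRANT / REVOKE of roles, to users or to other roles. Every role
     * named must resolve through the Admin's {@link RoleResolver} and be
     * assignable; built-in roles that the resolver marks non-assignable are
     * refused here rather than in the task.
     */
    @Persistent
    public static class RolePlan extends SecurityMetadataPlan {
        private static final long serialVersionUID = 1;
        private static final String roleUnsupportedMsg = "Cannot grant or revoke roles when not all nodes in the store support role management.";

        /**
         * @throws IllegalCommandException if the store is too old, security is
         *         not enabled (no role resolver), a role does not exist, or a
         *         role is not assignable
         */
        public RolePlan(String planName, Planner planner, Set<String> roleNames) {
            super(planName, planner);
            checkVersion(planner.getAdmin(), REALTIME_SESSION_UPDATE_VERSION, roleUnsupportedMsg);
            validateRoleNames(roleNames);
        }

        /** No-arg constructor required by the persistence layer. */
        private RolePlan() {
            super();
        }

        private void validateRoleNames(Set<String> roleNames) {
            final RoleResolver resolver = this.planner.getAdmin().getRoleResolver();
            if (resolver == null) {
                /* Message text ("revole") is kept as shipped; callers may match on it. */
                throw new IllegalCommandException("Cannot grant or revole roles. Please make sure the security feature is enabled");
            }
            for (String roleName : roleNames) {
                final RoleInstance role = resolver.resolve(roleName);
                if (role == null) {
                    throw new IllegalCommandException("Role with name : " + roleName + " does not exist");
                }
                if (!role.assignable()) {
                    throw new IllegalCommandException("Role " + roleName + " cannot be granted or revoked");
                }
            }
        }
    }

    /**
     * @param planName display name of the plan
     * @param planner  owning planner
     * @throws IllegalCommandException if any node predates basic authentication
     */
    public SecurityMetadataPlan(String planName, Planner planner) {
        super(planName, planner, false);
        checkVersion(planner.getAdmin(), BASIC_AUTHENTICATION_VERSION, "Cannot perform plan " + planName + " when not all nodes in the store support security feature.");
    }

    /** No-arg constructor required by the persistence layer. */
    private SecurityMetadataPlan() {
    }

    /**
     * Refuses to build a drop-user plan for the caller's own account. Relies on
     * {@link KVStoreUserPrincipal#getCurrentUser()} identifying the
     * authenticated caller; with no identity available the drop is refused
     * outright rather than allowed.
     *
     * @throws IllegalCommandException if the current user is unknown or is
     *         the user being dropped
     */
    private static void ensureNotSelfDrop(String userName) {
        final KVStoreUserPrincipal currentUser = KVStoreUserPrincipal.getCurrentUser();
        if (currentUser == null) {
            throw new IllegalCommandException("Could not identify current user");
        }
        if (userName.equals(currentUser.getName())) {
            throw new IllegalCommandException("A current online user cannot drop itself");
        }
    }

    @Override
    protected Metadata.MetadataType getMetadataType() {
        return Metadata.MetadataType.SECURITY;
    }

    @Override
    protected Class<SecurityMetadata> getMetadataClass() {
        return SecurityMetadata.class;
    }

    /** Security metadata plans are not exclusive (see AbstractPlan for what that gates). */
    @Override
    public boolean isExclusive() {
        return false;
    }

    /** Intentionally a no-op: nothing is persisted before execution. */
    @Override
    public void preExecutionSave() {
    }

    @Override
    public String getDefaultName() {
        return "Change SecurityMetadata";
    }

    /** Takes the elasticity lock for this plan, then whatever each task needs. */
    @Override
    public void getCatalogLocks() throws PlanLocksHeldException {
        this.planner.lockElasticity(getId(), getName());
        getPerTaskLocks();
    }

    /**
     * Hashes a new password with the store's suggested algorithm, 5000
     * iterations, a 16-byte output and a fresh 16-byte salt from
     * {@link SecureRandom}.
     *
     * <p>NOTE(review): 5000 iterations is well below current guidance for
     * PBKDF2-style KDFs (OWASP: hundreds of thousands for HMAC-SHA-256).
     * Raising it is only safe if {@code PasswordHashDigest} verification
     * reads the iteration count from the stored digest and every node that
     * verifies passwords accepts the higher value -- confirm before changing.
     *
     * @param password cleartext password; the caller owns (and should clear) the array
     */
    public PasswordHashDigest makeDefaultHashDigest(char[] password) {
        return PasswordHashDigest.getHashDigest(PasswordHash.SUGG_ALGO, 5000, 16, PasswordHash.generateSalt(random, 16), password);
    }

    /**
     * Appends one {@link NewSecurityMDChange} task per admin in the current
     * parameters, presumably so every admin picks up the metadata change.
     */
    static void addNewMDChangeTasks(Admin admin, AbstractPlan plan) {
        for (AdminId adminId : admin.getCurrentParameters().getAdminIds()) {
            plan.addTask(new NewSecurityMDChange(plan, adminId));
        }
    }

    /**
     * CREATE USER. Password lifetime requires the user-defined-role version
     * and a supplied password requires the complexity-policy version, so that
     * no node can store a password that bypasses the configured policy.
     *
     * @param planName  plan name, or null for "Create User"
     * @param userName  new user
     * @param isEnabled whether the account starts enabled
     * @param isAdmin   whether the account is an admin
     * @param password  cleartext password, may be null
     * @param pwdLifetime password lifetime, may be null
     */
    public static SecurityMetadataPlan createCreateUserPlan(String planName, Planner planner, String userName, boolean isEnabled, boolean isAdmin, char[] password, Long pwdLifetime) {
        if (pwdLifetime != null) {
            checkVersion(planner.getAdmin(), USER_DEFINED_ROLE_VERSION, passwordExpireNotSupported);
        }
        if (password != null) {
            checkVersion(planner.getAdmin(), PASSWORD_COMPLEXITY_POLICY_VERSION, passwordComplexityCheckNotSupported);
        }
        final SecurityMetadataPlan plan = new SecurityMetadataPlan(planName != null ? planName : "Create User", planner);
        plan.addTask(new AddUser(plan, userName, isEnabled, isAdmin, password, pwdLifetime));
        return plan;
    }

    /** CREATE USER ... IDENTIFIED EXTERNALLY; gated on the external-user version. */
    public static SecurityMetadataPlan createCreateExternalUserPlan(String planName, Planner planner, String userName, boolean isEnabled, boolean isAdmin) {
        checkVersion(planner.getAdmin(), CREATE_EXTERNAL_USER_VERSION, createExternalUserNotSupported);
        final SecurityMetadataPlan plan = new SecurityMetadataPlan(planName != null ? planName : "Create External User", planner);
        plan.addTask(new AddExternalUser(plan, userName, isEnabled, isAdmin));
        return plan;
    }

    /**
     * ALTER USER. On a store at or above the basic-authorization version the
     * plan is a {@link ChangeUserPlan} (USRVIEW at plan level); on older stores
     * it stays a plain SYSOPER plan.
     *
     * @param isEnabled  new enabled state, or null to leave unchanged
     * @param password   new cleartext password, may be null
     * @param retainPassword whether to retain the previous password
     * @param clearRetainedPassword whether to clear a retained password
     * @param pwdLifetime new password lifetime, may be null
     */
    public static SecurityMetadataPlan createChangeUserPlan(String planName, Planner planner, String userName, Boolean isEnabled, char[] password, boolean retainPassword, boolean clearRetainedPassword, Long pwdLifetime) {
        if (pwdLifetime != null) {
            checkVersion(planner.getAdmin(), USER_DEFINED_ROLE_VERSION, passwordExpireNotSupported);
        }
        if (password != null) {
            checkVersion(planner.getAdmin(), PASSWORD_COMPLEXITY_POLICY_VERSION, passwordComplexityCheckNotSupported);
        }
        final String name = planName != null ? planName : "Change User";
        final SecurityMetadataPlan plan = Utils.storeHasVersion(planner.getAdmin(), BASIC_AUTHORIZATION_VERSION)
            ? new ChangeUserPlan(name, planner)
            : new SecurityMetadataPlan(name, planner);
        plan.addTask(new ChangeUser(plan, userName, isEnabled, password, retainPassword, clearRetainedPassword, pwdLifetime));
        return plan;
    }

    /**
     * DROP USER [CASCADE]. Self-drop is refused first. The plan type depends on
     * the store version: V2 (cascade-capable) at or above
     * {@link #CASCADE_DROP_USER_VERSION}, {@link RemoveUserPlan} at or above
     * {@link #USER_DEFINED_ROLE_VERSION}, else a plain plan with CASCADE refused.
     *
     * @param planName plan name, or null for "Drop User"
     * @param cascade  whether to also drop the user's owned data
     */
    public static AbstractPlan createDropUserPlan(String planName, Planner planner, String userName, boolean cascade) {
        ensureNotSelfDrop(userName);
        final String name = planName != null ? planName : "Drop User";
        if (Utils.storeHasVersion(planner.getAdmin(), CASCADE_DROP_USER_VERSION)) {
            /* Pass the defaulted name: the original forwarded the raw argument and produced "null CASCADE". */
            return createDropUserPlanV2(name, planner, userName, cascade);
        }
        final SecurityMetadataPlan plan;
        if (Utils.storeHasVersion(planner.getAdmin(), USER_DEFINED_ROLE_VERSION)) {
            plan = new RemoveUserPlan(name, planner, userName, cascade);
            addNewMDChangeTasks(planner.getAdmin(), plan);
        } else {
            if (cascade) {
                throw new IllegalCommandException("The CASCADE option is not enabled until all nodes in the store have been upgraded to " + USER_DEFINED_ROLE_VERSION + " or higher");
            }
            plan = new SecurityMetadataPlan(name, planner);
            plan.addTask(RemoveUser.newInstance(plan, userName));
        }
        return plan;
    }

    /**
     * Builds the cascade-capable drop plan. The " CASCADE" suffix is added only
     * when cascade was requested so plan history does not claim a cascade that
     * did not happen.
     */
    private static RemoveUserPlanV2 createDropUserPlanV2(String planName, Planner planner, String userName, boolean cascade) {
        final String name = cascade ? planName + " CASCADE" : planName;
        final RemoveUserPlanV2 plan = new RemoveUserPlanV2(name, planner, userName, cascade);
        addNewMDChangeTasks(planner.getAdmin(), plan);
        return plan;
    }

    /** GRANT roles TO user. */
    public static SecurityMetadataPlan createGrantPlan(String planName, Planner planner, String userName, Set<String> roleNames) {
        final RolePlan plan = new RolePlan(planName != null ? planName : "Grant Roles", planner, roleNames);
        plan.addTask(new GrantRoles(plan, userName, roleNames));
        addNewMDChangeTasks(planner.getAdmin(), plan);
        return plan;
    }

    /** GRANT roles TO role; requires user-defined roles store-wide. */
    public static SecurityMetadataPlan createGrantRolesToRolePlan(String planName, Planner planner, String roleName, Set<String> roleNames) {
        checkVersion(planner.getAdmin(), USER_DEFINED_ROLE_VERSION, userDefinedRoleNotSupported);
        final RolePlan plan = new RolePlan(planName != null ? planName : "Grant Roles (To Role)", planner, roleNames);
        plan.addTask(new GrantRolesToRole(plan, roleName, roleNames));
        addNewMDChangeTasks(planner.getAdmin(), plan);
        return plan;
    }

    /**
     * GRANT privileges TO role. A null {@code tableName} means the privileges
     * are SYSTEM privileges (SYSOPER required); otherwise TABLE privileges.
     */
    public static SecurityMetadataPlan createGrantPrivsPlan(String planName, Planner planner, String roleName, String namespace, String tableName, Set<String> privNames) {
        final PrivilegePlan plan = new PrivilegePlan(planName != null ? planName : "Grant Privileges", planner, privNames, tableName == null);
        plan.addTask(new GrantPrivileges(plan, roleName, namespace, tableName, privNames));
        addNewMDChangeTasks(planner.getAdmin(), plan);
        return plan;
    }

    /** REVOKE roles FROM user. */
    public static SecurityMetadataPlan createRevokePlan(String planName, Planner planner, String userName, Set<String> roleNames) {
        final RolePlan plan = new RolePlan(planName != null ? planName : "Revoke Roles", planner, roleNames);
        plan.addTask(new RevokeRoles(plan, userName, roleNames));
        addNewMDChangeTasks(planner.getAdmin(), plan);
        return plan;
    }

    /** REVOKE roles FROM role; requires user-defined roles store-wide. */
    public static SecurityMetadataPlan createRevokeRolesFromRolePlan(String planName, Planner planner, String roleName, Set<String> roleNames) {
        checkVersion(planner.getAdmin(), USER_DEFINED_ROLE_VERSION, userDefinedRoleNotSupported);
        final RolePlan plan = new RolePlan(planName != null ? planName : "Revoke Roles (From Role)", planner, roleNames);
        plan.addTask(new RevokeRolesFromRole(plan, roleName, roleNames));
        addNewMDChangeTasks(planner.getAdmin(), plan);
        return plan;
    }

    /** REVOKE privileges FROM role; SYSTEM vs TABLE decided as in the grant. */
    public static SecurityMetadataPlan createRevokePrivsPlan(String planName, Planner planner, String roleName, String namespace, String tableName, Set<String> privNames) {
        final PrivilegePlan plan = new PrivilegePlan(planName != null ? planName : "Revoke Privileges", planner, privNames, tableName == null);
        plan.addTask(new RevokePrivileges(plan, roleName, namespace, tableName, privNames));
        addNewMDChangeTasks(planner.getAdmin(), plan);
        return plan;
    }

    /** GRANT namespace privileges TO role; gated on serial version 17. */
    public static SecurityMetadataPlan createGrantNamespacePrivsPlan(String planName, Planner planner, String roleName, String namespace, Set<String> privNames) {
        checkVersion(planner.getAdmin(), NAMESPACE_PRIVILEGE_VERSION, "Cannot grant namespace privileges until all nodes in the store have been upgraded to " + NAMESPACE_PRIVILEGE_VERSION);
        final PrivilegePlan plan = new PrivilegePlan(planName != null ? planName : "Grant Namespace Privileges", planner, privNames, false);
        plan.addTask(new GrantNamespacePrivileges(plan, roleName, namespace, privNames));
        addNewMDChangeTasks(planner.getAdmin(), plan);
        return plan;
    }

    /**
     * REVOKE namespace privileges FROM role. Unlike the grant, the names are
     * resolved to privilege objects here (via the grant task's parser) and the
     * resolved set is what the revoke task receives.
     */
    public static SecurityMetadataPlan createRevokeNamespacePrivsPlan(String planName, Planner planner, String roleName, String namespace, Set<String> privNames) {
        checkVersion(planner.getAdmin(), NAMESPACE_PRIVILEGE_VERSION, "Cannot revoke namespace privileges until all nodes in the store have been upgraded to " + NAMESPACE_PRIVILEGE_VERSION);
        final PrivilegePlan plan = new PrivilegePlan(planName != null ? planName : "Revoke Namespace Privileges", planner, privNames, false);
        final HashSet resolvedPrivs = new HashSet();
        GrantNamespacePrivileges.parseToPrivileges(privNames, resolvedPrivs, namespace);
        plan.addTask(new RevokeNamespacePrivileges(plan, roleName, namespace, resolvedPrivs));
        addNewMDChangeTasks(planner.getAdmin(), plan);
        return plan;
    }

    /** CREATE ROLE; requires user-defined roles store-wide. */
    public static SecurityMetadataPlan createCreateRolePlan(String planName, Planner planner, String roleName) {
        checkVersion(planner.getAdmin(), USER_DEFINED_ROLE_VERSION, userDefinedRoleNotSupported);
        final SecurityMetadataPlan plan = new SecurityMetadataPlan(planName != null ? planName : "Create Role", planner);
        plan.addTask(new AddRole(plan, roleName));
        return plan;
    }

    /**
     * DROP ROLE. After the {@link RemoveRole} task, a revoke task is added for
     * every user and every role that currently holds the dropped role, so no
     * dangling grant survives the drop.
     *
     * <p>NOTE(review): user grants are matched by a lower-cased name while role
     * grants are matched by {@code RoleInstance.getNormalizedName}; if those two
     * normalizations ever differ, a grant could be missed here. Lower-casing uses
     * an explicit locale (as {@link PrivilegePlan} does for upper-casing) so the
     * match cannot vary with the JVM default locale.
     */
    public static SecurityMetadataPlan createDropRolePlan(String planName, Planner planner, String roleName) {
        checkVersion(planner.getAdmin(), USER_DEFINED_ROLE_VERSION, userDefinedRoleNotSupported);
        final SecurityMetadataPlan plan = new SecurityMetadataPlan(planName != null ? planName : "Drop Role", planner);
        plan.addTask(new RemoveRole(plan, roleName));
        addNewMDChangeTasks(planner.getAdmin(), plan);

        final SecurityMetadata metadata = plan.getMetadata();
        final String lowerName = roleName.toLowerCase(Locale.ENGLISH);
        for (KVStoreUser user : metadata.getAllUsers()) {
            if (user.getGrantedRoles().contains(lowerName)) {
                plan.addTask(new RevokeRoles(plan, user.getName(), Collections.singleton(roleName)));
                addNewMDChangeTasks(planner.getAdmin(), plan);
            }
        }
        final String normalizedName = RoleInstance.getNormalizedName(roleName);
        for (RoleInstance role : metadata.getAllRoles()) {
            if (role.getGrantedRoles().contains(normalizedName)) {
                plan.addTask(new RevokeRolesFromRole(plan, role.name(), Collections.singleton(roleName)));
                addNewMDChangeTasks(planner.getAdmin(), plan);
            }
        }
        return plan;
    }

    /** Pushes the current security metadata to the store without changing it. */
    public static SecurityMetadataPlan createBroadcastSecurityMDPlan(Planner planner) {
        final SecurityMetadataPlan plan = new SecurityMetadataPlan("Broadcast Security MD", planner);
        plan.addTask(new UpdateMetadata(plan));
        return plan;
    }

    /** Default plan-level gate: SYSOPER. Sub-plans may relax this (see class doc). */
    @Override
    public List<? extends KVStorePrivilege> getRequiredPrivileges() {
        return SystemPrivilege.sysoperPrivList;
    }
}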
