package oracle.kv.impl.admin.plan;

import com.sleepycat.persist.model.Persistent;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import oracle.kv.KVVersion;
import oracle.kv.impl.admin.Admin;
import oracle.kv.impl.admin.IllegalCommandException;
import oracle.kv.impl.admin.NonfatalAssertionException;
import oracle.kv.impl.admin.param.GlobalParams;
import oracle.kv.impl.admin.param.Parameters;
import oracle.kv.impl.admin.param.StorageNodeParams;
import oracle.kv.impl.admin.plan.task.BroadcastMetadata;
import oracle.kv.impl.admin.plan.task.NewAdminGlobalParameters;
import oracle.kv.impl.admin.plan.task.NewRNGlobalParameters;
import oracle.kv.impl.admin.plan.task.Utils;
import oracle.kv.impl.admin.plan.task.WriteNewGlobalParams;
import oracle.kv.impl.metadata.Metadata;
import oracle.kv.impl.param.ParameterMap;
import oracle.kv.impl.param.ParameterState;
import oracle.kv.impl.param.ParameterUtils;
import oracle.kv.impl.security.KVStorePrivilege;
import oracle.kv.impl.security.SystemPrivilege;
import oracle.kv.impl.security.metadata.SecurityMetadata;
import oracle.kv.impl.security.oauth.IDCSOAuthUtils;
import oracle.kv.impl.security.util.SecurityUtils;
import oracle.kv.impl.topo.AdminId;
import oracle.kv.impl.topo.RepNodeId;
import oracle.kv.impl.topo.StorageNodeId;
import oracle.kv.impl.topo.Topology;
import oracle.kv.impl.util.VersionUtil;

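/**
 * Plan that changes the store-wide (global) security parameters.
 *
 * <p>Construction validates the requested change against the admin's current
 * {@link Parameters} and the store version, then queues one
 * {@link WriteNewGlobalParams} task per storage node followed by a
 * "new global parameters" notification for every RepNode and Admin hosted on
 * that node. Rejected requests surface as {@link IllegalCommandException}
 * (a policy violation such as enabling two external auth mechanisms, or
 * enabling session extension together with IDCS OAuth) or
 * {@link NonfatalAssertionException} (a change that would require an admin
 * restart, which this plan does not support).
 *
 * <p>Execution requires the SYSOPER privilege list
 * ({@link #getRequiredPrivileges()}). The plan is not exclusive
 * ({@link #isExclusive()}) and may therefore run concurrently with other plans,
 * so it keeps all of its state per instance: the set of admins to notify is
 * read from the {@code Parameters} snapshot captured at construction, never
 * from a JVM-wide collection shared between plans.
 */
@Persistent
public class ChangeGlobalSecurityParamsPlan extends AbstractPlan {
    private static final long serialVersionUID = 1;

    /** The requested parameter changes; set to null by {@link #stripForDisplay()}. */
    private ParameterMap newParams;

    /** Admin parameters as they were when the plan was built; null after {@link #stripForDisplay()}. */
    private Parameters currentParams;

    /** Minimum store version for any security-metadata operation. */
    private static final KVVersion SECURITY_VERSION = KVVersion.R3_0;

    /** Minimum store version before Kerberos may be enabled as an external auth method. */
    private static final KVVersion KERBEROS_AUTH_VERSION = KVVersion.R3_5;

    /** Minimum store version before IDCS OAuth may be enabled as an external auth method. */
    private static final KVVersion IDCS_OAUTH_AUTH_VERSION = KVVersion.R4_2;

    /**
     * Builds and validates the plan.
     *
     * @param str          plan name
     * @param planner      planner owning this plan; supplies the Admin and logger
     * @param topology     current topology; one write task is queued per storage node
     * @param parameterMap requested parameter values, of which only the GLOBAL
     *                     and SECURITY entries are applied
     * @throws IllegalCommandException    if the store is too old for the requested
     *                                    feature or the request violates a security policy
     * @throws NonfatalAssertionException if the change would require an admin restart
     */
    public ChangeGlobalSecurityParamsPlan(String str, Planner planner, Topology topology, ParameterMap parameterMap) {
        super(str, planner);
        // Refuse any security work before all nodes speak the security protocol.
        checkSecurityVersion();
        this.newParams = parameterMap;
        this.currentParams = planner.getAdmin().getCurrentParameters();

        final GlobalParams current = this.currentParams.getGlobalParams();
        // Only global security parameters are written out; everything else in the request is ignored.
        final ParameterMap changes = this.newParams.readOnlyFilter()
            .filter(EnumSet.of(ParameterState.Info.GLOBAL, ParameterState.Info.SECURITY));
        if (changes.hasRestartRequiredDiff(current.getMap())) {
            throw new NonfatalAssertionException("Parameter change would require an admin restart, which is not supported.");
        }

        final String requestedAuth = checkExternalAuthChange(changes, current, planner);
        checkSessionExtension(changes, current, requestedAuth);
        checkOAuthSignatureAlgorithm(changes);

        for (StorageNodeId snId : topology.getStorageNodeIds()) {
            addTask(new WriteNewGlobalParams(this, changes, snId, false));
            addNewGlobalParametersTasks(snId, topology);
        }
    }

    /** No-arg constructor required by the {@code @Persistent} entity store. */
    private ChangeGlobalSecurityParamsPlan() {
        this.newParams = null;
    }

    /**
     * Validates a requested change to {@code GP_USER_EXTERNAL_AUTH} and, for a
     * mechanism that is not enabled yet, runs the enablement checks and queues
     * any metadata work it needs.
     *
     * @return the requested value, or null when the parameter is not being changed
     * @throws IllegalCommandException if more than one mechanism is requested, or
     *                                 the store cannot support the requested one
     */
    private String checkExternalAuthChange(ParameterMap changes, GlobalParams current, Planner planner) {
        final String requested = changes.get(ParameterState.GP_USER_EXTERNAL_AUTH).asString();
        if (requested == null) {
            return null;
        }
        final String[] enabledNow = current.getUserExternalAuthMethods();
        // The value is a HELPER_HOST_SEPARATOR-delimited list; only a single mechanism is allowed.
        if (requested.split(ParameterUtils.HELPER_HOST_SEPARATOR).length > 1) {
            throw new IllegalCommandException("Cannot enable multiple external authentication mechanisms");
        }
        if (SecurityUtils.hasKerberos(requested) && !SecurityUtils.hasKerberos(enabledNow)) {
            planner.getLogger().info("Enable Kerberos as one of user external authentication methods");
            enableKerberosAsAuthMethod();
        }
        if (SecurityUtils.hasIDCSOAuth(requested) && !SecurityUtils.hasIDCSOAuth(enabledNow)) {
            planner.getLogger().info("Enable OAuth as one of user external authentication methods");
            enableIDCSOAuthAsAuthMethod();
        }
        return requested;
    }

    /**
     * Rejects turning on session extension while IDCS OAuth is, or is about to
     * be, the external authentication mechanism.
     *
     * @param requestedAuth the new GP_USER_EXTERNAL_AUTH value, or null if unchanged
     * @throws IllegalCommandException if session extension would be enabled alongside IDCS OAuth
     */
    private void checkSessionExtension(ParameterMap changes, GlobalParams current, String requestedAuth) {
        final String extendAllow = changes.get(ParameterState.GP_SESSION_EXTEND_ALLOW).asString();
        if (extendAllow == null || !extendAllow.equalsIgnoreCase("true")) {
            return;
        }
        final boolean oauthRequested = requestedAuth != null && SecurityUtils.hasIDCSOAuth(requestedAuth);
        // The currently enabled mechanism only matters when this request leaves it untouched.
        final boolean oauthRetained =
            SecurityUtils.hasIDCSOAuth(current.getUserExternalAuthMethods()) && requestedAuth == null;
        if (oauthRequested || oauthRetained) {
            throw new IllegalCommandException("Cannot enable session extension when IDCS OAuth is enabled");
        }
    }

    /**
     * Rejects an IDCS OAuth signature-verification algorithm that
     * {@link IDCSOAuthUtils} does not support.
     *
     * @throws IllegalCommandException if the requested algorithm is unsupported
     */
    private void checkOAuthSignatureAlgorithm(ParameterMap changes) {
        final String alg = changes.get(ParameterState.GP_IDCS_OAUTH_SIG_VERIFY_ALG_NAME).asString();
        if (alg != null && !IDCSOAuthUtils.idcsSupportedAlgorithm(alg)) {
            throw new IllegalCommandException(alg + " is not supported, the supported signature verification are " + IDCSOAuthUtils.getIdcsSupportedAlgorithm());
        }
    }

    /**
     * Queues a "new global parameters" notification for every RepNode and
     * Admin hosted on the given storage node.
     *
     * <p>Admin ids come from the {@link Parameters} snapshot taken in the
     * constructor. A JVM-wide set would accumulate ids across plans, including
     * admins removed since an earlier plan ran, whose lookup here would
     * presumably fail; it would also be unsynchronized while non-exclusive
     * plans run concurrently.
     */
    private void addNewGlobalParametersTasks(StorageNodeId snId, Topology topology) {
        for (RepNodeId rnId : topology.getHostedRepNodeIds(snId)) {
            addTask(new NewRNGlobalParameters(this, rnId));
        }
        for (AdminId adminId : this.currentParams.getAdminIds()) {
            final StorageNodeId hostSn = this.currentParams.get(adminId).getStorageNodeId();
            if (!hostSn.equals(snId)) {
                continue;
            }
            final StorageNodeParams snParams = this.currentParams.get(hostSn);
            addTask(new NewAdminGlobalParameters(this, snParams.getHostname(), snParams.getRegistryPort(), adminId));
        }
    }

    /**
     * Ensures every node in the store is at least {@link #SECURITY_VERSION}.
     *
     * @throws IllegalCommandException if the store version is too low
     */
    private void checkSecurityVersion() {
        final KVVersion storeVersion = this.planner.getAdmin().getStoreVersion();
        if (VersionUtil.compareMinorVersion(storeVersion, SECURITY_VERSION) < 0) {
            throw new IllegalCommandException("Cannot perform security metadata related operations when not all nodes in the store support security feature. The highest version supported by all nodes is " + storeVersion.getNumericVersionString() + ", but security metadata operations require version " + SECURITY_VERSION.getNumericVersionString() + " or later.");
        }
    }

    /**
     * Version-checks Kerberos enablement and, on a secure store, records the
     * Kerberos principal information in security metadata and queues a
     * {@link BroadcastMetadata} task when something was stored.
     *
     * @throws IllegalCommandException if some node is older than {@link #KERBEROS_AUTH_VERSION}
     * @throws IllegalStateException   if storing the principal info fails (cause preserved)
     */
    private void enableKerberosAsAuthMethod() {
        final Admin admin = this.planner.getAdmin();
        if (!Utils.storeHasVersion(admin, KERBEROS_AUTH_VERSION)) {
            throw new IllegalCommandException(String.format("The highest version supported by all nodes is lower than the required version of %s or later.Could not enable Kerberos as user external authentication method until all nodes in the store support Kerberos", KERBEROS_AUTH_VERSION.getNumericVersionString()));
        }
        final SecurityMetadata securityMd =
            (SecurityMetadata) admin.getMetadata(SecurityMetadata.class, Metadata.MetadataType.SECURITY);
        // Principal info is only recorded on a secure store; an insecure store has nothing to broadcast.
        if (!admin.getParams().getSecurityParams().isSecure()) {
            return;
        }
        try {
            if (Utils.storeKerberosInfo(this, securityMd)) {
                addTask(new BroadcastMetadata(this, securityMd));
            }
        } catch (Exception e) {
            throw new IllegalStateException("Unexpected error occur while storing Kerberos principal in metadata: " + e.getMessage(), e);
        }
    }

    /**
     * Version-checks IDCS OAuth enablement and requires session extension to be
     * off once this plan has run: either it is already off and not being
     * turned on, or this same request sets it to "false".
     *
     * @throws IllegalCommandException if some node is older than
     *         {@link #IDCS_OAUTH_AUTH_VERSION}, or session extension would remain enabled
     */
    private void enableIDCSOAuthAsAuthMethod() {
        if (!Utils.storeHasVersion(this.planner.getAdmin(), IDCS_OAUTH_AUTH_VERSION)) {
            throw new IllegalCommandException(String.format("The highest version supported by all nodes is lower than the required version of %s or later.Could not enable IDCS OAuth as user external authentication method until all nodes in the store support IDCS OAuth", IDCS_OAUTH_AUTH_VERSION.getNumericVersionString()));
        }
        final boolean extendAllowedNow = this.currentParams.getGlobalParams().getSessionExtendAllow();
        // Read from the unfiltered request, as the original did.
        final String requestedExtend = this.newParams.get(ParameterState.GP_SESSION_EXTEND_ALLOW).asString();
        final boolean disabledByThisRequest = requestedExtend != null && requestedExtend.equalsIgnoreCase("false");
        final boolean staysDisabled = !extendAllowedNow && requestedExtend == null;
        if (disabledByThisRequest || staysDisabled) {
            return;
        }
        throw new IllegalCommandException("To enable IDCS OAuth, session extension must be disabled");
    }

    @Override // oracle.kv.impl.admin.plan.Plan
    public String getDefaultName() {
        return "Change Global Security Params";
    }

    /** This plan may run concurrently with other plans. */
    @Override // oracle.kv.impl.admin.plan.AbstractPlan, oracle.kv.impl.admin.plan.Plan
    public boolean isExclusive() {
        return false;
    }

    /** Nothing to persist before execution; the tasks carry their own state. */
    @Override // oracle.kv.impl.admin.plan.AbstractPlan
    public void preExecutionSave() {
    }

    /** Drops the parameter snapshots so a displayed plan does not carry them. */
    @Override // oracle.kv.impl.admin.plan.AbstractPlan, oracle.kv.impl.admin.plan.Plan
    public void stripForDisplay() {
        this.newParams = null;
        this.currentParams = null;
    }

    /**
     * Reports whether this plan updates the given metadata: only SECURITY
     * metadata, and only when the admin has none stored yet or the candidate's
     * sequence number is strictly greater than the stored one.
     */
    @Override // oracle.kv.impl.admin.plan.AbstractPlan, oracle.kv.impl.admin.plan.Plan
    public boolean updatingMetadata(Metadata<?> metadata) {
        if (!metadata.getType().equals(Metadata.MetadataType.SECURITY)) {
            return false;
        }
        final SecurityMetadata stored =
            (SecurityMetadata) getAdmin().getMetadata(SecurityMetadata.class, Metadata.MetadataType.SECURITY);
        return stored == null || metadata.getSequenceNumber() > stored.getSequenceNumber();
    }

    /** Changing global security parameters requires the SYSOPER privilege list. */
    @Override // oracle.kv.impl.admin.plan.Plan
    public List<? extends KVStorePrivilege> getRequiredPrivileges() {
        return SystemPrivilege.sysoperPrivList;
    }
}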
