package oracle.kv.impl.rep;

import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import oracle.kv.IDCSOAuthCredentials;
import oracle.kv.LoginCredentials;
import oracle.kv.PasswordCredentials;
import oracle.kv.impl.admin.param.GlobalParams;
import oracle.kv.impl.admin.param.RepNodeParams;
import oracle.kv.impl.admin.param.SecurityParams;
import oracle.kv.impl.admin.param.StorageNodeParams;
import oracle.kv.impl.api.RequestDispatcher;
import oracle.kv.impl.api.TopologyManager;
import oracle.kv.impl.param.ParameterMap;
import oracle.kv.impl.pubsub.security.StreamServerAuthHandler;
import oracle.kv.impl.rep.RepNodeService;
import oracle.kv.impl.rep.login.FailoverSessionManager;
import oracle.kv.impl.rep.login.KVSessionManager;
import oracle.kv.impl.security.AccessChecker;
import oracle.kv.impl.security.AccessCheckerImpl;
import oracle.kv.impl.security.Authenticator;
import oracle.kv.impl.security.AuthenticatorManager;
import oracle.kv.impl.security.ExecutionContext;
import oracle.kv.impl.security.KVBuiltInRoleResolver;
import oracle.kv.impl.security.KVStoreUserPrincipal;
import oracle.kv.impl.security.PasswordAuthenticator;
import oracle.kv.impl.security.ProxyCredentials;
import oracle.kv.impl.security.RoleInstance;
import oracle.kv.impl.security.RoleResolver;
import oracle.kv.impl.security.SignatureHelper;
import oracle.kv.impl.security.TopoSignatureHelper;
import oracle.kv.impl.security.UserVerifier;
import oracle.kv.impl.security.login.InternalLoginManager;
import oracle.kv.impl.security.login.KerberosInternalCredentials;
import oracle.kv.impl.security.login.LoginManager;
import oracle.kv.impl.security.login.LoginUpdater;
import oracle.kv.impl.security.login.TokenResolverImpl;
import oracle.kv.impl.security.login.TokenVerifier;
import oracle.kv.impl.security.login.TopoTopoResolver;
import oracle.kv.impl.security.login.TopologyResolver;
import oracle.kv.impl.security.login.UserLoginCallbackHandler;
import oracle.kv.impl.security.metadata.KVStoreUser;
import oracle.kv.impl.security.metadata.SecurityMDChange;
import oracle.kv.impl.security.metadata.SecurityMDUpdater;
import oracle.kv.impl.security.metadata.SecurityMetadata;
import oracle.kv.impl.security.oauth.IDCSOAuthAuthenticator;
import oracle.kv.impl.security.util.CacheBuilder;
import oracle.kv.impl.security.util.SecurityUtils;
import oracle.kv.impl.topo.Topology;

/* loaded from: input_file:oracle/kv/impl/rep/RepNodeSecurity.class */
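/**
 * Security components of a RepNode service.
 *
 * <p>For a secure store the constructor wires up the token resolver and
 * verifier, the internal login manager, the access checker, the set of
 * system authenticators and (when SSL transports are enabled) the topology
 * signature helper and stream auth handler. For a non-secure store every
 * one of those fields is {@code null} and all update callbacks are no-ops.
 *
 * <p>The class also reacts to service/global parameter changes and to user
 * and role definition changes in the security metadata, refreshing the login
 * and privilege caches accordingly.
 *
 * <p>Note: this listing is decompiler output; the {@code JADX} remarks in the
 * original indicate that several methods were package-private in the source.
 * Their visibility is kept as shown so callers are unaffected.
 */
public class RepNodeSecurity implements LoginUpdater.GlobalParamsUpdater, LoginUpdater.ServiceParamsUpdater, SecurityMDUpdater.UserChangeUpdater, SecurityMDUpdater.RoleChangeUpdater {

    /* Capacity of the access checker's subject cache. */
    private static final int CHECKER_SUBJECT_CACHE_SIZE = 100;

    private final RepNodeService repNodeService;
    private final Logger logger;
    private final String storeName;

    /* Everything below is null when the store is not secure. */
    private final AccessCheckerImpl accessChecker;
    private final TokenResolverImpl tokenResolver;
    private final TopoTopoResolver.TopoMgrTopoHandle topoMgrHandle;
    private final TopoTopoResolver topoResolver;
    private final InternalLoginManager loginMgr;
    private final TokenVerifier tokenVerifier;
    private final UserVerifier userVerifier;
    /* Keyed by AuthenticatorManager.SystemAuthMethod#name(); populated only in the constructor. */
    private final Map<String, Authenticator> authenticators;
    /* Null when all transport SSL is disabled. */
    private final SignatureHelper<Topology> topoSignatureHelper;
    /* Null when all transport SSL is disabled or stream support is absent. */
    private final StreamServerAuthHandler streamAuthHandler;

    /* Created lazily in setDispatcher(); null until then and in non-secure stores. */
    private KVSessionManager kvSessionManager;

    /**
     * Password authenticator backed by the RepNode's security metadata.
     */
    private class RepNodePasswordAuthenticator extends PasswordAuthenticator {
        private RepNodePasswordAuthenticator() {
        }

        /** Looks the user up in the current security metadata; null if absent or no metadata. */
        @Override
        public KVStoreUser loadUserFromStore(String str) {
            return RepNodeSecurity.this.loadUserFromMd(str);
        }

        /** Routes authenticator log output to this service's logger. */
        @Override
        public void logMessage(Level level, String str) {
            RepNodeSecurity.this.logger.log(level, str);
        }
    }

    /**
     * Resolves a role name, consulting the built-in roles first and the
     * security metadata second.
     */
    private class RepNodeRoleResolver implements RoleResolver {
        private RepNodeRoleResolver() {
        }

        /**
         * @param str role name
         * @return the role, or null if it is neither built-in nor defined in the
         *         security metadata (or no metadata is available yet)
         */
        @Override
        public RoleInstance resolve(String str) {
            RoleInstance builtIn = KVBuiltInRoleResolver.resolveRole(str);
            if (builtIn != null) {
                return builtIn;
            }
            SecurityMetadata securityMetadata = RepNodeSecurity.this.repNodeService.getSecurityMetadata();
            if (securityMetadata == null) {
                return null;
            }
            return securityMetadata.getRole(str);
        }
    }

    /**
     * Verifies login credentials and existing subjects against the security
     * metadata and the configured authenticators.
     */
    private class RepNodeUserVerifier implements UserVerifier {
        private final RepNodePasswordAuthenticator defaultAuthenticator;

        RepNodeUserVerifier() {
            this.defaultAuthenticator = new RepNodePasswordAuthenticator();
        }

        /**
         * Authenticates the credentials: built-in password authentication first,
         * then each external auth method currently enabled in the global params
         * (in configured order), then proxy credentials.
         *
         * @return the user's subject on success, null on failure or for an
         *         unsupported credential type
         */
        @Override
        public Subject verifyUser(LoginCredentials loginCredentials, UserLoginCallbackHandler userLoginCallbackHandler) {
            if (this.defaultAuthenticator.authenticate(loginCredentials, userLoginCallbackHandler)) {
                return RepNodeSecurity.this.makeUserSubject(loginCredentials.getUsername());
            }
            if (RepNodeSecurity.this.repNodeService == null) {
                return null;
            }
            /*
             * Only methods listed in the current global params are consulted,
             * so an authenticator that was disabled by newGlobalParameters()
             * is never reached here even though it stays in the map.
             */
            for (String method : RepNodeSecurity.this.repNodeService.getParams().getGlobalParams().getUserExternalAuthMethods()) {
                Authenticator authenticator = RepNodeSecurity.this.authenticators.get(method);
                if (authenticator == null || !authenticator.authenticate(loginCredentials, userLoginCallbackHandler)) {
                    continue;
                }
                /* An authenticator may supply a ready-made subject via session info. */
                if (userLoginCallbackHandler.getUserSessionInfo() != null) {
                    return userLoginCallbackHandler.getUserSessionInfo().getSubject();
                }
                return RepNodeSecurity.this.makeUserSubject(loginCredentials.getUsername());
            }
            if (loginCredentials instanceof ProxyCredentials) {
                return RepNodeSecurity.this.makeUserSubject(loginCredentials.getUsername());
            }
            /* Known credential types that simply failed: no log, to avoid noise. */
            if (loginCredentials instanceof PasswordCredentials
                || loginCredentials instanceof KerberosInternalCredentials
                || loginCredentials instanceof IDCSOAuthCredentials) {
                return null;
            }
            RepNodeSecurity.this.logger.info("Encountered unsupported login credentials of type " + loginCredentials.getClass());
            return null;
        }

        /**
         * Re-validates an already authenticated subject.
         *
         * @return the same subject if its user principal is an IDCS OAuth user
         *         or an enabled user in the security metadata; null otherwise
         */
        @Override
        public Subject verifyUser(Subject subject) {
            KVStoreUserPrincipal principal = ExecutionContext.getSubjectUserPrincipal(subject);
            if (principal == null) {
                return null;
            }
            /* OAuth users are not stored in the security metadata; accept by id prefix. */
            String userId = principal.getUserId();
            if (userId != null && userId.startsWith(SecurityUtils.IDCS_OAUTH_USER_ID_PREFIX)) {
                return subject;
            }
            SecurityMetadata securityMetadata = RepNodeSecurity.this.repNodeService.getSecurityMetadata();
            if (securityMetadata == null) {
                RepNodeSecurity.this.logger.info("Unable to verify user with no security metadata available");
                return null;
            }
            KVStoreUser user = securityMetadata.getUser(principal.getName());
            if (user != null && user.isEnabled()) {
                return subject;
            }
            RepNodeSecurity.this.logger.info("User " + principal.getName() + " is not valid");
            return null;
        }
    }

    /**
     * Builds the security components for the given service.
     *
     * @param repNodeService the owning service; its params decide whether the
     *        store is secure and how caches are sized
     * @param logger logger for all security messages
     */
    public RepNodeSecurity(RepNodeService repNodeService, Logger logger) {
        this.repNodeService = repNodeService;
        this.logger = logger;
        RepNodeService.Params params = repNodeService.getParams();
        SecurityParams securityParams = params.getSecurityParams();
        this.storeName = params.getGlobalParams().getKVStoreName();
        this.kvSessionManager = null;

        if (!securityParams.isSecure()) {
            /* Non-secure store: no security machinery at all. */
            this.userVerifier = null;
            this.accessChecker = null;
            this.tokenResolver = null;
            this.topoMgrHandle = null;
            this.topoResolver = null;
            this.loginMgr = null;
            this.tokenVerifier = null;
            this.topoSignatureHelper = null;
            this.authenticators = null;
            this.streamAuthHandler = null;
            return;
        }

        this.userVerifier = new RepNodeUserVerifier();

        StorageNodeParams storageNodeParams = params.getStorageNodeParams();
        String hostname = storageNodeParams.getHostname();
        int registryPort = storageNodeParams.getRegistryPort();

        /* The topology manager is attached later via setTopologyManager(). */
        this.topoMgrHandle = new TopoTopoResolver.TopoMgrTopoHandle(null);
        this.topoResolver = new TopoTopoResolver(this.topoMgrHandle,
            new TopologyResolver.SNInfo(hostname, registryPort, repNodeService.getStorageNodeId()), logger);
        this.loginMgr = new InternalLoginManager(this.topoResolver);
        this.tokenResolver = new TokenResolverImpl(hostname, registryPort, this.storeName,
            this.topoResolver, this.loginMgr, logger);

        int loginCacheSize = repNodeService.getRepNodeParams().getLoginCacheSize();
        GlobalParams globalParams = repNodeService.getParams().getGlobalParams();
        long loginCacheTimeoutMs = globalParams.getLoginCacheTimeoutUnit().toMillis(globalParams.getLoginCacheTimeout());
        this.tokenVerifier = new TokenVerifier(
            new CacheBuilder.CacheConfig().capacity(loginCacheSize).entryLifetime(loginCacheTimeoutMs),
            this.tokenResolver);
        this.accessChecker = new AccessCheckerImpl(this.tokenVerifier, new RepNodeRoleResolver(),
            new CacheBuilder.CacheConfig().capacity(CHECKER_SUBJECT_CACHE_SIZE).entryLifetime(globalParams.getSessionTimeout()),
            logger);

        /* Instantiate every system auth method whose implementation is present. */
        this.authenticators = new HashMap<>();
        for (AuthenticatorManager.SystemAuthMethod method : AuthenticatorManager.SystemAuthMethod.values()) {
            Authenticator authenticator = createAuthenticator(method, securityParams, globalParams);
            if (authenticator != null) {
                logger.info("RNSecurity: " + method + " authenticator is initialized");
                this.authenticators.put(method.name(), authenticator);
            }
        }

        if (securityParams.allTransportSSLDisabled()) {
            this.topoSignatureHelper = null;
            this.streamAuthHandler = null;
        } else {
            this.topoSignatureHelper = TopoSignatureHelper.buildFromSecurityParams(securityParams);
            this.streamAuthHandler = isStreamSupported()
                ? StreamServerAuthHandler.getAuthHandler(this.accessChecker, logger)
                : null;
        }
    }

    /**
     * Creates the persistent session manager once a request dispatcher is
     * available and registers it with the token resolver. No-op in a
     * non-secure store. (Package-private in the original source.)
     */
    public void setDispatcher(RequestDispatcher requestDispatcher) {
        if (this.tokenResolver == null) {
            return;
        }
        this.kvSessionManager = new KVSessionManager(requestDispatcher,
            this.repNodeService.getRepNodeParams(), FailoverSessionManager.PERSISTENT_PREFIX, 16,
            this.userVerifier, this.logger, this.repNodeService.getKVStoreCreator());
        this.tokenResolver.setPersistentResolver(this.kvSessionManager);
    }

    /** Starts the session manager if one was created. (Package-private in the original source.) */
    public void startup() {
        if (this.kvSessionManager != null) {
            this.kvSessionManager.start();
        }
    }

    /** Stops the session manager if one was created. */
    public void stop() {
        if (this.kvSessionManager != null) {
            this.kvSessionManager.stop();
        }
    }

    /** @return the access checker, or null in a non-secure store */
    public AccessChecker getAccessChecker() {
        return this.accessChecker;
    }

    /** @return the internal login manager, or null in a non-secure store */
    public LoginManager getLoginManager() {
        return this.loginMgr;
    }

    /** @return the session manager, or null before setDispatcher() or in a non-secure store */
    public KVSessionManager getKVSessionManager() {
        return this.kvSessionManager;
    }

    /** @return the user verifier, or null in a non-secure store */
    public UserVerifier getUserVerifier() {
        return this.userVerifier;
    }

    /**
     * @return the IDCS OAuth authenticator, or null if the store is not secure
     *         or that authenticator was not initialized
     */
    public IDCSOAuthAuthenticator getIDCSOAuthAuthenticator() {
        if (this.authenticators == null) {
            return null;
        }
        /*
         * The map holds plain Authenticators, so the cast is required; the
         * decompiled listing dropped the checkcast and did not compile.
         */
        return (IDCSOAuthAuthenticator) this.authenticators.get(AuthenticatorManager.SystemAuthMethod.IDCSOAUTH.name());
    }

    /** @return the topology signature helper, or null without SSL transports */
    public SignatureHelper<Topology> getTopoSignatureHelper() {
        return this.topoSignatureHelper;
    }

    /**
     * Attaches the topology manager to the resolver handle. No-op in a
     * non-secure store. (Package-private in the original source.)
     */
    public void setTopologyManager(TopologyManager topologyManager) {
        if (this.topoMgrHandle != null) {
            this.topoMgrHandle.setTopoMgr(topologyManager);
        }
    }

    /**
     * Looks a user up in the security metadata.
     *
     * @return the user, or null if no metadata is available or the user is
     *         unknown (private in the original source)
     */
    public KVStoreUser loadUserFromMd(String str) {
        SecurityMetadata securityMetadata = this.repNodeService.getSecurityMetadata();
        if (securityMetadata == null) {
            this.logger.info("Unable to verify user credentials with no security metadata available");
            return null;
        }
        return securityMetadata.getUser(str);
    }

    /**
     * Builds a subject for the named user.
     *
     * @return the subject, or null if no metadata is available or the user is
     *         unknown or disabled (private in the original source)
     */
    public Subject makeUserSubject(String str) {
        SecurityMetadata securityMetadata = this.repNodeService.getSecurityMetadata();
        if (securityMetadata == null) {
            this.logger.info("Unable to make user subject with no security metadata available");
            return null;
        }
        KVStoreUser user = securityMetadata.getUser(str);
        if (user == null || !user.isEnabled()) {
            this.logger.log(Level.INFO, "User " + str + " is not valid");
            return null;
        }
        return user.makeKVSubject();
    }

    /** Applies a new login cache size from the RepNode service parameters. */
    @Override
    public void newServiceParameters(ParameterMap parameterMap) {
        if (this.tokenVerifier == null) {
            return;
        }
        int loginCacheSize = new RepNodeParams(parameterMap).getLoginCacheSize();
        if (this.tokenVerifier.updateLoginCacheSize(loginCacheSize)) {
            this.logger.info(String.format("RNSecurity: loginCacheSize has been updated to %d", Integer.valueOf(loginCacheSize)));
        }
    }

    /**
     * Applies new global parameters: the login cache timeout, and resets
     * every authenticator whose method is no longer in the enabled external
     * auth method list.
     */
    @Override
    public void newGlobalParameters(ParameterMap parameterMap) {
        if (this.tokenVerifier == null) {
            return;
        }
        GlobalParams globalParams = new GlobalParams(parameterMap);
        long millis = globalParams.getLoginCacheTimeoutUnit().toMillis(globalParams.getLoginCacheTimeout());
        if (this.tokenVerifier.updateLoginCacheTimeout(millis)) {
            this.logger.info(String.format("RNSecurity: loginCacheTimeout has been updated to %d ms", Long.valueOf(millis)));
        }
        if (this.authenticators == null) {
            return;
        }
        Set<String> enabledMethods = new HashSet<>(Arrays.asList(globalParams.getUserExternalAuthMethods()));
        for (Map.Entry<String, Authenticator> entry : this.authenticators.entrySet()) {
            String method = entry.getKey();
            if (!enabledMethods.contains(method)) {
                this.logger.info("RNSecurity: disable authenticator " + method);
                entry.getValue().resetAuthenticator();
            }
        }
    }

    /**
     * Propagates a changed user definition to the login cache and the access
     * checker's privilege cache.
     *
     * @throws AssertionError if the change does not carry a KVStoreUser
     */
    @Override
    public void newUserDefinition(SecurityMDChange securityMDChange) {
        if (!(securityMDChange.getElement() instanceof KVStoreUser)) {
            throw new AssertionError();
        }
        KVStoreUser kvStoreUser = (KVStoreUser) securityMDChange.getElement();
        if (this.tokenVerifier == null) {
            return;
        }
        if (this.tokenVerifier.updateLoginCacheSessions(kvStoreUser)) {
            this.logger.info(String.format("RNSecurity: update sessions in login cache with metadata %d", Integer.valueOf(securityMDChange.getSeqNum())));
        }
        /* accessChecker is non-null whenever tokenVerifier is (both set in the secure branch). */
        if (this.accessChecker.updateUserDefinition(kvStoreUser)) {
            this.logger.fine(String.format("RNSecurity: updated user %s definition in access checker privilege cache", kvStoreUser.getName()));
        }
    }

    /**
     * Propagates a changed role definition to the access checker's privilege
     * cache.
     *
     * @throws AssertionError if the change does not carry a RoleInstance
     */
    @Override
    public void newRoleDefinition(SecurityMDChange securityMDChange) {
        if (!(securityMDChange.getElement() instanceof RoleInstance)) {
            throw new AssertionError();
        }
        RoleInstance roleInstance = (RoleInstance) securityMDChange.getElement();
        if (this.accessChecker != null && this.accessChecker.updateRoleDefinition(roleInstance)) {
            this.logger.fine(String.format("RNSecurity: update role %s definition in access checker privilege cache", roleInstance.name()));
        }
    }

    /**
     * Instantiates one system authenticator.
     *
     * @return the authenticator, or null if no implementation class exists or
     *         construction failed (the failure is logged, not propagated)
     */
    private Authenticator createAuthenticator(AuthenticatorManager.SystemAuthMethod systemAuthMethod, SecurityParams securityParams, GlobalParams globalParams) {
        try {
            return AuthenticatorManager.getAuthenticator(systemAuthMethod.name(), securityParams, globalParams);
        } catch (ClassNotFoundException ignored) {
            /* Optional implementation not on the classpath: expected, not an error. */
            this.logger.info("RNSecurity: authenticator " + systemAuthMethod + " is not initialized, no implementation found");
            return null;
        } catch (Exception e) {
            this.logger.info("RNSecurity: authenticator " + systemAuthMethod + " is not initialized, " + e.getMessage());
            /* Keep the full cause available for diagnosis without adding noise at INFO. */
            this.logger.log(Level.FINE, "RNSecurity: authenticator " + systemAuthMethod + " initialization failure", e);
            return null;
        }
    }

    /** @return the stream auth handler, or null if absent. (Package-private in the original source.) */
    public StreamServerAuthHandler getStreamAuthHandler() {
        return this.streamAuthHandler;
    }

    /** @return true if the optional pubsub stream auth handler class is present on the classpath */
    private static boolean isStreamSupported() {
        try {
            Class.forName("oracle.kv.impl.pubsub.security.StreamServerAuthHandler");
            return true;
        } catch (ClassNotFoundException ignored) {
            return false;
        }
    }
}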
