package org.neo4j.internal.kernel.api.security;

import java.util.Arrays;
import java.util.Objects;
import java.util.function.Function;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import java.util.stream.IntStream;
import org.neo4j.graphdb.security.AuthorizationViolationException;
import org.neo4j.internal.kernel.api.TokenSet;
import org.neo4j.kernel.api.exceptions.Status;
import org.neo4j.messages.MessageUtil;
import org.neo4j.storageengine.api.TransactionIdStore;

/* loaded from: input_file:org/neo4j/internal/kernel/api/security/SecurityAuthorizationHandler.class */
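/**
 * Enforces data-write, schema and token-creation privileges for a {@link SecurityContext}.
 *
 * <p>Every {@code assert*} method asks {@code securityContext.mode()} whether the operation is
 * permitted. On refusal it builds a message naming the operation, the database and
 * {@code securityContext.description()}, writes that message to the security log at error level
 * and throws an {@link AuthorizationViolationException} carrying the same text.
 */
public class SecurityAuthorizationHandler {
    // Package-private and non-final. Every denial path dereferences it, so a null log would turn
    // an authorization failure into a NullPointerException instead of the intended exception.
    AbstractSecurityLog securityLog;

    /**
     * @param abstractSecurityLog sink that records every denial raised by this handler
     */
    public SecurityAuthorizationHandler(AbstractSecurityLog abstractSecurityLog) {
        this.securityLog = abstractSecurityLog;
    }

    /**
     * Verifies that a node carrying the given labels may be created.
     *
     * @param securityContext context whose access mode is consulted
     * @param function maps a label id to the label name shown in the denial message
     * @param iArr label ids handed to {@code allowsCreateNode}; may be {@code null}, in which case
     *     the denial message lists no labels
     * @throws AuthorizationViolationException if the access mode refuses the creation
     * @throws NullPointerException if the creation is refused, {@code iArr} is non-null and
     *     {@code function} is {@code null}
     */
    public void assertAllowsCreateNode(SecurityContext securityContext, Function<Integer, String> function, int[] iArr) {
        if (securityContext.mode().allowsCreateNode(iArr)) {
            return;
        }
        // The bound method reference null-checks `function` eagerly, even for an empty array.
        String labelNames = iArr == null
                ? ""
                : Arrays.stream(iArr).mapToObj(function::apply).collect(Collectors.joining(","));
        throw logAndGetAuthorizationException(
                securityContext,
                MessageUtil.createNodeWithLabelsDenied(
                        labelNames, securityContext.database(), securityContext.description()));
    }

    /**
     * Verifies that a node with the supplied labels may be deleted.
     *
     * <p>The supplier is passed to the access mode as-is; this method calls {@code supplier.get()}
     * itself only when building the denial message.
     *
     * @param securityContext context whose access mode is consulted
     * @param function maps a label id to the label name shown in the denial message
     * @param supplier yields the token set whose ids ({@code all()}) are the node's labels
     * @throws AuthorizationViolationException if the access mode refuses the deletion
     */
    public void assertAllowsDeleteNode(SecurityContext securityContext, Function<Integer, String> function, Supplier<TokenSet> supplier) {
        if (securityContext.mode().allowsDeleteNode(supplier)) {
            return;
        }
        // NOTE(review): the message names every label on the node and is returned to the caller in
        // the exception; confirm a caller denied DELETE is entitled to see those label names.
        String labelNames = Arrays.stream(supplier.get().all())
                .mapToObj(id -> function.apply((int) id)) // ids are narrowed to int for the name lookup
                .collect(Collectors.joining(","));
        throw logAndGetAuthorizationException(
                securityContext,
                String.format(
                        "Delete node with labels '%s' on database '%s' is not allowed for %s.",
                        labelNames, securityContext.database(), securityContext.description()));
    }

    /**
     * Verifies that a relationship of the given type may be created.
     *
     * @param securityContext context whose access mode is consulted
     * @param function maps the type id to the name shown in the denial message
     * @param i relationship type id handed to {@code allowsCreateRelationship}
     * @throws AuthorizationViolationException if the access mode refuses the creation
     */
    public void assertAllowsCreateRelationship(SecurityContext securityContext, Function<Integer, String> function, int i) {
        if (securityContext.mode().allowsCreateRelationship(i)) {
            return;
        }
        throw logAndGetAuthorizationException(
                securityContext,
                String.format(
                        "Create relationship with type '%s' on database '%s' is not allowed for %s.",
                        function.apply(i), securityContext.database(), securityContext.description()));
    }

    /**
     * Verifies that a relationship of the given type may be deleted.
     *
     * @param securityContext context whose access mode is consulted
     * @param function maps the type id to the name shown in the denial message
     * @param i relationship type id handed to {@code allowsDeleteRelationship}
     * @throws AuthorizationViolationException if the access mode refuses the deletion
     */
    public void assertAllowsDeleteRelationship(SecurityContext securityContext, Function<Integer, String> function, int i) {
        if (securityContext.mode().allowsDeleteRelationship(i)) {
            return;
        }
        throw logAndGetAuthorizationException(
                securityContext,
                String.format(
                        "Delete relationship with type '%s' on database '%s' is not allowed for %s.",
                        function.apply(i), securityContext.database(), securityContext.description()));
    }

    /**
     * Verifies that the given label may be set.
     *
     * @param securityContext context whose access mode is consulted
     * @param function maps the label id to the name shown in the denial message
     * @param j label id; checked as a {@code long}, narrowed to {@code int} only for the name lookup
     * @throws AuthorizationViolationException if the access mode refuses the change
     */
    public void assertAllowsSetLabel(SecurityContext securityContext, Function<Integer, String> function, long j) {
        if (securityContext.mode().allowsSetLabel(j)) {
            return;
        }
        throw logAndGetAuthorizationException(
                securityContext,
                String.format(
                        "Set label for label '%s' on database '%s' is not allowed for %s.",
                        function.apply((int) j), securityContext.database(), securityContext.description()));
    }

    /**
     * Verifies that the given label may be removed.
     *
     * @param securityContext context whose access mode is consulted
     * @param function maps the label id to the name shown in the denial message
     * @param j label id; checked as a {@code long}, narrowed to {@code int} only for the name lookup
     * @throws AuthorizationViolationException if the access mode refuses the change
     */
    public void assertAllowsRemoveLabel(SecurityContext securityContext, Function<Integer, String> function, long j) {
        if (securityContext.mode().allowsRemoveLabel(j)) {
            return;
        }
        throw logAndGetAuthorizationException(
                securityContext,
                String.format(
                        "Remove label for label '%s' on database '%s' is not allowed for %s.",
                        function.apply((int) j), securityContext.database(), securityContext.description()));
    }

    /**
     * Verifies that a property may be set on an entity described by a token set.
     *
     * @param securityContext context whose access mode is consulted
     * @param function maps the property id to the name shown in the denial message
     * @param tokenSet tokens of the entity, handed to the access mode through a supplier
     * @param j property id; the privilege check sees it narrowed to {@code int}, the name lookup
     *     sees the full {@code long}
     * @throws AuthorizationViolationException if the access mode refuses the change
     */
    public void assertAllowsSetProperty(SecurityContext securityContext, Function<Long, String> function, TokenSet tokenSet, long j) {
        // NOTE(review): narrowing cast; assumes property ids fit in an int. Confirm at call sites.
        if (securityContext.mode().allowsSetProperty(() -> tokenSet, (int) j)) {
            return;
        }
        throw logAndGetAuthorizationException(
                securityContext,
                String.format(
                        "Set property for property '%s' on database '%s' is not allowed for %s.",
                        function.apply(j), securityContext.database(), securityContext.description()));
    }

    /**
     * Verifies that a property may be set on an entity identified by a single token id.
     *
     * @param securityContext context whose access mode is consulted
     * @param function maps the property id to the name shown in the denial message
     * @param j token id of the entity, supplied to the access mode narrowed to {@code int};
     *     presumably a relationship type (confirm against the access mode's contract)
     * @param j2 property id; the privilege check sees it narrowed to {@code int}, the name lookup
     *     sees the full {@code long}
     * @throws AuthorizationViolationException if the access mode refuses the change
     */
    public void assertAllowsSetProperty(SecurityContext securityContext, Function<Long, String> function, long j, long j2) {
        // NOTE(review): both ids are narrowed before the check; assumes they fit in an int.
        if (securityContext.mode().allowsSetProperty(() -> (int) j, (int) j2)) {
            return;
        }
        throw logAndGetAuthorizationException(
                securityContext,
                String.format(
                        "Set property for property '%s' on database '%s' is not allowed for %s.",
                        function.apply(j2), securityContext.database(), securityContext.description()));
    }

    /**
     * Verifies that the given schema operation may be performed.
     *
     * @param securityContext context whose access mode is consulted
     * @param privilegeAction schema action being attempted; named in the denial message
     * @throws AuthorizationViolationException if the permission state is {@code NOT_GRANTED}
     *     ("not allowed") or {@code EXPLICIT_DENY} ("denied")
     */
    public void assertSchemaWrites(SecurityContext securityContext, PrivilegeAction privilegeAction) {
        PermissionState state = securityContext.mode().allowsSchemaWrites(privilegeAction);
        // Switch on the enum itself so the authorization decision does not hinge on a numeric
        // switch-map index or on an unrelated constant that merely shares its value.
        switch (state) {
            case NOT_GRANTED:
                throw logAndGetAuthorizationException(
                        securityContext,
                        String.format(
                                "Schema operation '%s' on database '%s' is not allowed for %s.",
                                privilegeAction, securityContext.database(), securityContext.description()));
            case EXPLICIT_DENY:
                throw logAndGetAuthorizationException(
                        securityContext,
                        String.format(
                                "Schema operation '%s' on database '%s' is denied for %s.",
                                privilegeAction, securityContext.database(), securityContext.description()));
            default:
                // NOTE(review): every other state passes. Confirm that remains the intent should
                // PermissionState gain values; assertAllowsTokenCreates asks allowsAccess() instead.
                return;
        }
    }

    /**
     * Verifies that indexes may be listed.
     *
     * @param securityContext context whose access mode is consulted
     * @throws AuthorizationViolationException if the access mode refuses
     */
    public void assertShowIndexAllowed(SecurityContext securityContext) {
        if (securityContext.mode().allowsShowIndex()) {
            return;
        }
        throw logAndGetAuthorizationException(
                securityContext,
                String.format(
                        "Show indexes on database '%s' is not allowed for %s.",
                        securityContext.database(), securityContext.description()));
    }

    /**
     * Verifies that constraints may be listed.
     *
     * @param securityContext context whose access mode is consulted
     * @throws AuthorizationViolationException if the access mode refuses
     */
    public void assertShowConstraintAllowed(SecurityContext securityContext) {
        if (securityContext.mode().allowsShowConstraint()) {
            return;
        }
        throw logAndGetAuthorizationException(
                securityContext,
                String.format(
                        "Show constraints on database '%s' is not allowed for %s.",
                        securityContext.database(), securityContext.description()));
    }

    /**
     * Verifies that a new token (label, property name or relationship type) may be created.
     *
     * <p>The message says "not allowed" when the state is {@code NOT_GRANTED} and "denied" for any
     * other state that does not allow access. For the three token-creation actions it also points
     * at the GRANT statement that would permit the operation.
     *
     * @param securityContext context whose access mode is consulted
     * @param privilegeAction token-creation action being attempted
     * @throws AuthorizationViolationException if the permission state does not allow access
     */
    public final void assertAllowsTokenCreates(SecurityContext securityContext, PrivilegeAction privilegeAction) {
        PermissionState state = securityContext.mode().allowsTokenCreates(privilegeAction);
        if (state.allowsAccess()) {
            return;
        }
        String verdict = state == PermissionState.NOT_GRANTED ? "not allowed" : "denied";
        switch (privilegeAction) {
            case CREATE_LABEL:
                throw logAndGetAuthorizationException(
                        securityContext,
                        String.format(
                                "Creating new node label on database '%s' is %s for %s. See GRANT CREATE NEW NODE LABEL ON DATABASE `%s`...",
                                securityContext.database(), verdict, securityContext.description(), securityContext.database()));
            case CREATE_PROPERTYKEY:
                throw logAndGetAuthorizationException(
                        securityContext,
                        String.format(
                                "Creating new property name on database '%s' is %s for %s. See GRANT CREATE NEW PROPERTY NAME ON DATABASE `%s`...",
                                securityContext.database(), verdict, securityContext.description(), securityContext.database()));
            case CREATE_RELTYPE:
                throw logAndGetAuthorizationException(
                        securityContext,
                        String.format(
                                "Creating new relationship type on database '%s' is %s for %s. See GRANT CREATE NEW RELATIONSHIP TYPE ON DATABASE `%s`...",
                                securityContext.database(), verdict, securityContext.description(), securityContext.database()));
            default:
                throw logAndGetAuthorizationException(
                        securityContext,
                        String.format(
                                "'%s' operations on database '%s' are %s for %s.",
                                privilegeAction, securityContext.database(), verdict, securityContext.description()));
        }
    }

    /**
     * Records a denial in the security log and builds the exception for the caller to throw.
     *
     * @param securityContext context the denial is logged against
     * @param str denial message, used for both the log entry and the exception
     * @return a new exception carrying {@code str}; it is returned, not thrown
     */
    public AuthorizationViolationException logAndGetAuthorizationException(SecurityContext securityContext, String str) {
        // NOTE(review): callers in this class build `str` from token names, the database name and
        // the context description. Token names may be user-chosen; confirm the log sink neutralises
        // line breaks and control characters so one entry cannot masquerade as several.
        this.securityLog.error(securityContext, str);
        return new AuthorizationViolationException(str);
    }

    /**
     * Records a denial in the security log and builds an exception with an explicit status.
     *
     * @param securityContext context the denial is logged against
     * @param str denial message, used for both the log entry and the exception
     * @param status status code attached to the exception
     * @return a new exception carrying {@code str} and {@code status}; it is returned, not thrown
     */
    public AuthorizationViolationException logAndGetAuthorizationException(SecurityContext securityContext, String str, Status status) {
        this.securityLog.error(securityContext, str);
        return new AuthorizationViolationException(str, status);
    }

    /**
     * Builds the text shown when valid credentials must be changed before use.
     *
     * @param str leading line of the message; passed as a format argument, never as the format
     *     string, so {@code %} sequences in it are not interpreted
     * @return {@code str}, a blank line, then the fixed password-change guidance, with {@code %n}
     *     expanded to the platform line separator
     */
    public static String generateCredentialsExpiredMessage(String str) {
        return String.format("%s%n%nThe credentials you provided were valid, but must be changed before you can use this instance. If this is the first time you are using Neo4j, this is to ensure you are not using the default credentials in production. If you are not using default credentials, you are getting this message because an administrator requires a password change.%nChanging your password is easy to do via the Neo4j Browser.%nIf you are connecting via a shell or programmatically via a driver, just issue a `ALTER CURRENT USER SET PASSWORD FROM 'current password' TO 'new password'` statement against the system database in the current session, and then restart your driver with the new password configured.", str);
    }
}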
