package org.neo4j.server.security.enterprise.auth;

import java.io.IOException;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.CredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.authz.SimpleRole;
import org.apache.shiro.authz.permission.RolePermissionResolver;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.neo4j.kernel.api.security.exception.IllegalCredentialsException;
import org.neo4j.server.security.auth.Credential;
import org.neo4j.server.security.auth.User;
import org.neo4j.server.security.auth.UserRepository;
import org.neo4j.server.security.auth.exception.ConcurrentModificationException;
import org.neo4j.server.security.enterprise.auth.RoleRecord;

/* loaded from: input_file:org/neo4j/server/security/enterprise/auth/FileUserRealm.class */
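/**
 * Shiro realm that authenticates and authorizes users against a {@link UserRepository} and a
 * {@link RoleRepository}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Authentication compares the token's username with the stored principal and delegates the
 *       password check to {@link Credential#matchesPassword}.</li>
 *   <li>A suspended user is only told about the suspension after presenting valid credentials, so
 *       the suspended state is not disclosed to callers who do not know the password.</li>
 *   <li>A user who is suspended or must change their password is authorized with no roles.</li>
 *   <li>User and role names are validated by the repositories before they are stored or used in
 *       role membership changes.</li>
 * </ul>
 *
 * <p>This source is decompiler output; methods marked "Access modifiers changed from:
 * package-private" were package-private in the original class.
 */
public class FileUserRealm extends AuthorizingRealm {
    private final UserRepository userRepository;
    private final RoleRepository roleRepository;

    /** Name of the user flag that marks an account as suspended. */
    public static final String IS_SUSPENDED = "is_suspended";

    /**
     * Matches a username/password token against the stored principal and credential.
     *
     * <p>A token without a password is rejected instead of being dereferenced, so a malformed
     * login attempt ends as a normal credential mismatch (fail closed) rather than as a
     * {@link NullPointerException} escaping from the authentication path.
     */
    private final CredentialsMatcher credentialsMatcher = (authenticationToken, authenticationInfo) -> {
        UsernamePasswordToken usernamePasswordToken = (UsernamePasswordToken) authenticationToken;
        char[] password = usernamePasswordToken.getPassword();
        if (password == null) {
            // Fail closed: no password supplied can never match a stored credential.
            return false;
        }
        String principal = (String) authenticationInfo.getPrincipals().getPrimaryPrincipal();
        // The String copy of the password is required by Credential.matchesPassword(String); unlike
        // the token's char[], it cannot be wiped after use.
        // NOTE(review): confirm that Credential.matchesPassword compares in constant time.
        return principal.equals(usernamePasswordToken.getUsername())
                && ((Credential) authenticationInfo.getCredentials()).matchesPassword(new String(password));
    };

    /** Resolves the permissions of a predefined role; an unknown role name yields no permissions. */
    private final RolePermissionResolver rolePermissionResolver = new RolePermissionResolver() { // from class: org.neo4j.server.security.enterprise.auth.FileUserRealm.1
        public Collection<Permission> resolvePermissionsInRole(String str) {
            // Qualified access: 'roles' is assigned in the constructor, after this initializer runs.
            SimpleRole simpleRole = FileUserRealm.this.roles.get(str);
            return simpleRole != null ? simpleRole.getPermissions() : Collections.emptyList();
        }
    };

    /** Predefined roles keyed by role name, built once in the constructor. */
    private final Map<String, SimpleRole> roles;

    /**
     * Creates the realm and installs its credentials matcher and role permission resolver.
     *
     * @param userRepository store of users and their credentials
     * @param roleRepository store of roles and their member usernames
     */
    public FileUserRealm(UserRepository userRepository, RoleRepository roleRepository) {
        this.userRepository = userRepository;
        this.roleRepository = roleRepository;
        setCredentialsMatcher(this.credentialsMatcher);
        setRolePermissionResolver(this.rolePermissionResolver);
        this.roles = new PredefinedRolesBuilder().buildRoles();
    }

    /**
     * Returns the roles of the primary principal.
     *
     * <p>A user who must change their password or who is suspended receives an empty
     * authorization info, i.e. no roles at all.
     *
     * @param principalCollection principals whose primary principal is the username
     * @return the user's role names, or an empty authorization info for restricted users
     * @throws AuthenticationException if no user with that name exists
     */
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) throws AuthenticationException {
        User userByName = this.userRepository.getUserByName((String) principalCollection.getPrimaryPrincipal());
        if (userByName == null) {
            throw new AuthenticationException("User " + principalCollection.getPrimaryPrincipal() + " does not exist");
        }
        boolean restricted = userByName.passwordChangeRequired() || userByName.hasFlag(IS_SUSPENDED);
        if (restricted) {
            return new SimpleAuthorizationInfo();
        }
        return new SimpleAuthorizationInfo(this.roleRepository.getRoleNamesByUsername(userByName.name()));
    }

    /**
     * Looks up the stored credentials for the username in the token.
     *
     * <p>For a suspended user the credentials are verified here first, and only a caller with the
     * correct password gets the "is suspended" failure; a wrong password fails inside
     * {@code assertCredentialsMatch} like any other bad login.
     *
     * @param authenticationToken the login attempt; cast to {@link UsernamePasswordToken}
     * @return the stored principal and credential for an active user
     * @throws AuthenticationException if the user does not exist, or is suspended
     */
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        UsernamePasswordToken usernamePasswordToken = (UsernamePasswordToken) authenticationToken;
        User userByName = this.userRepository.getUserByName(usernamePasswordToken.getUsername());
        if (userByName == null) {
            // NOTE(review): this message distinguishes unknown users from wrong passwords and embeds
            // the unauthenticated caller's input. Callers should return a generic failure to clients
            // and neutralise the username before logging it - confirm at the call sites.
            throw new AuthenticationException("User " + usernamePasswordToken.getUsername() + " does not exist");
        }
        SimpleAuthenticationInfo simpleAuthenticationInfo = new SimpleAuthenticationInfo(userByName.name(), userByName.credentials(), getName());
        if (!userByName.hasFlag(IS_SUSPENDED)) {
            return simpleAuthenticationInfo;
        }
        // Suspended account: check the password before revealing the suspension.
        assertCredentialsMatch(authenticationToken, simpleAuthenticationInfo);
        throw new AuthenticationException("User " + userByName.name() + " is suspended");
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Returns the number of users held by the user repository. */
    public int numberOfUsers() {
        return this.userRepository.numberOfUsers();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Returns the number of roles held by the role repository. */
    public int numberOfRoles() {
        return this.roleRepository.numberOfRoles();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates and stores a new user.
     *
     * <p>Only the username is validated here; the password is handed to
     * {@link Credential#forPassword} unchanged.
     * NOTE(review): no password policy check is visible in this method - confirm where it is enforced.
     *
     * @param str the username
     * @param str2 the initial password
     * @param z whether the user must change the password
     * @return the user that was stored
     * @throws IllegalArgumentException if the username is rejected by the user repository
     */
    public User newUser(String str, String str2, boolean z) throws IOException, IllegalCredentialsException {
        assertValidUsername(str);
        User build = new User.Builder().withName(str).withCredentials(Credential.forPassword(str2)).withRequiredPasswordChange(z).build();
        this.userRepository.create(build);
        return build;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates and stores a new role with the given members.
     *
     * <p>Member names are checked for valid syntax only; this method does not check that the
     * users exist.
     *
     * @param str the role name
     * @param strArr usernames to add to the role
     * @return the role record that was stored
     * @throws IllegalArgumentException if the role name or any username is rejected
     */
    public RoleRecord newRole(String str, String... strArr) throws IOException {
        assertValidRoleName(str);
        for (String str2 : strArr) {
            assertValidUsername(str2);
        }
        RoleRecord build = new RoleRecord.Builder().withName(str).withUsers(new TreeSet<>(Arrays.asList(strArr))).build();
        this.roleRepository.create(build);
        return build;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Adds an existing user to an existing role and drops the user's cached authorization info so
     * that the new role takes effect on the next authorization lookup.
     *
     * @param str the username
     * @param str2 the role name
     * @throws IllegalArgumentException if a name is invalid, or the user or role does not exist
     */
    public void addUserToRole(String str, String str2) throws IOException {
        checkValidityOfUsernameAndRoleName(str, str2);
        synchronized (this) {
            if (this.userRepository.getUserByName(str) == null) {
                throw new IllegalArgumentException("User " + str + " does not exist.");
            }
            RoleRecord roleByName = this.roleRepository.getRoleByName(str2);
            if (roleByName == null) {
                throw new IllegalArgumentException("Role " + str2 + " does not exist.");
            }
            try {
                this.roleRepository.update(roleByName, roleByName.augment().withUser(str).build());
            } catch (ConcurrentModificationException e) {
                // The record changed underneath us: start over so the current record is re-read.
                // NOTE(review): the retry is unbounded.
                addUserToRole(str, str2);
            }
        }
        clearCachedAuthorizationInfoForUser(str);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Removes an existing user from an existing role and drops the user's cached authorization
     * info so that the revoked role stops being honoured from the cache.
     *
     * @param str the username
     * @param str2 the role name
     * @throws IllegalArgumentException if a name is invalid, or the user or role does not exist
     */
    public void removeUserFromRole(String str, String str2) throws IOException {
        checkValidityOfUsernameAndRoleName(str, str2);
        synchronized (this) {
            if (this.userRepository.getUserByName(str) == null) {
                throw new IllegalArgumentException("User " + str + " does not exist.");
            }
            RoleRecord roleByName = this.roleRepository.getRoleByName(str2);
            if (roleByName == null) {
                throw new IllegalArgumentException("Role " + str2 + " does not exist.");
            }
            try {
                this.roleRepository.update(roleByName, roleByName.augment().withoutUser(str).build());
            } catch (ConcurrentModificationException e) {
                // The record changed underneath us: start over so the current record is re-read.
                // NOTE(review): the retry is unbounded.
                removeUserFromRole(str, str2);
            }
        }
        clearCachedAuthorizationInfoForUser(str);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Deletes a user, removes the user from every role and clears the realm's caches for that user.
     *
     * @param str the username
     * @return always {@code true}; failure is reported by exception
     * @throws IllegalArgumentException if the user does not exist or could not be deleted
     */
    public boolean deleteUser(String str) throws IOException {
        synchronized (this) {
            User userByName = this.userRepository.getUserByName(str);
            if (userByName == null || !this.userRepository.delete(userByName)) {
                throw new IllegalArgumentException("The user '" + str + "' does not exist");
            }
            // Role memberships are removed under the same lock as the delete, so role changes made
            // through this realm cannot interleave between the two steps.
            removeUserFromAllRoles(str);
        }
        clearCacheForUser(str);
        return true;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Sets the {@link #IS_SUSPENDED} flag on a user (no-op if already set) and clears the realm's
     * caches for that user.
     *
     * <p>Only this realm's caches are cleared here; whether sessions that are already
     * authenticated get terminated is not visible in this class.
     * NOTE(review): unlike the role and delete operations, this is not done under
     * {@code synchronized (this)} - confirm that is intended.
     *
     * @param str the username
     * @throws IllegalArgumentException if the user does not exist
     */
    public void suspendUser(String str) throws IOException {
        User userByName = this.userRepository.getUserByName(str);
        if (userByName == null) {
            throw new IllegalArgumentException("User " + str + " does not exist.");
        }
        if (!userByName.hasFlag(IS_SUSPENDED)) {
            try {
                this.userRepository.update(userByName, userByName.augment().withFlag(IS_SUSPENDED).build());
            } catch (ConcurrentModificationException e) {
                // Re-read the user and try again. NOTE(review): the retry is unbounded.
                suspendUser(str);
            }
        }
        clearCacheForUser(str);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Clears the {@link #IS_SUSPENDED} flag on a user (no-op if not set) and clears the realm's
     * caches for that user.
     *
     * <p>NOTE(review): unlike the role and delete operations, this is not done under
     * {@code synchronized (this)} - confirm that is intended.
     *
     * @param str the username
     * @throws IllegalArgumentException if the user does not exist
     */
    public void activateUser(String str) throws IOException {
        User userByName = this.userRepository.getUserByName(str);
        if (userByName == null) {
            throw new IllegalArgumentException("User " + str + " does not exist.");
        }
        if (userByName.hasFlag(IS_SUSPENDED)) {
            try {
                this.userRepository.update(userByName, userByName.augment().withoutFlag(IS_SUSPENDED).build());
            } catch (ConcurrentModificationException e) {
                // Re-read the user and try again. NOTE(review): the retry is unbounded.
                activateUser(str);
            }
        }
        clearCacheForUser(str);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the user with the given name as stored in the user repository.
     *
     * @param str the username
     * @return the user; other methods of this class treat a {@code null} result as "no such user"
     */
    public User findUser(String str) {
        return this.userRepository.getUserByName(str);
    }

    /** Removes the user from every role, retrying when the role repository reports a concurrent change. */
    private void removeUserFromAllRoles(String str) throws IOException {
        try {
            this.roleRepository.removeUserFromAllRoles(str);
        } catch (ConcurrentModificationException e) {
            // NOTE(review): the retry is unbounded.
            removeUserFromAllRoles(str);
        }
    }

    /** Returns all usernames known to the user repository. */
    public Set<String> getAllUsernames() {
        return this.userRepository.getAllUsernames();
    }

    /** Validates both names, username first; throws {@link IllegalArgumentException} on the first invalid one. */
    private void checkValidityOfUsernameAndRoleName(String str, String str2) throws IllegalArgumentException {
        assertValidUsername(str);
        assertValidRoleName(str2);
    }

    /** Rejects usernames that the user repository does not accept. */
    private void assertValidUsername(String str) {
        if (!this.userRepository.isValidUsername(str)) {
            throw new IllegalArgumentException("User name contains illegal characters. Please use simple ascii characters and numbers.");
        }
    }

    /** Rejects role names that the role repository does not accept. */
    private void assertValidRoleName(String str) {
        if (!this.roleRepository.isValidRoleName(str)) {
            throw new IllegalArgumentException("Role name contains illegal characters. Please use simple ascii characters and numbers.");
        }
    }

    /** Drops the cached authorization info (roles) for the user in this realm. */
    private void clearCachedAuthorizationInfoForUser(String str) {
        clearCachedAuthorizationInfo(new SimplePrincipalCollection(str, getName()));
    }

    /** Calls the realm's {@code clearCache} for the user's principal in this realm. */
    private void clearCacheForUser(String str) {
        clearCache(new SimplePrincipalCollection(str, getName()));
    }
}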
