package org.neo4j.server.security.enterprise.auth;

import java.io.IOException;
import java.time.Clock;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.cache.ehcache.EhCacheManager;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.neo4j.graphdb.security.AuthorizationViolationException;
import org.neo4j.kernel.api.security.AuthSubject;
import org.neo4j.kernel.api.security.AuthToken;
import org.neo4j.kernel.api.security.AuthenticationResult;
import org.neo4j.kernel.api.security.exception.IllegalCredentialsException;
import org.neo4j.kernel.api.security.exception.InvalidAuthTokenException;
import org.neo4j.server.security.auth.AuthenticationStrategy;
import org.neo4j.server.security.auth.BasicAuthManager;
import org.neo4j.server.security.auth.PasswordPolicy;
import org.neo4j.server.security.auth.RateLimitedAuthenticationStrategy;
import org.neo4j.server.security.auth.User;
import org.neo4j.server.security.auth.UserRepository;

/* loaded from: input_file:org/neo4j/server/security/enterprise/auth/ShiroAuthManager.class */
/**
 * Authentication and role manager that delegates credential checks to Apache Shiro.
 *
 * <p>A single {@link FileUserRealm}, built from the user and role repositories, backs a
 * {@link DefaultSecurityManager}. The Ehcache-based cache manager is attached to the realm in
 * {@link #init()} and detached again in {@link #shutdown()}.
 *
 * <p>Review notes:
 * <ul>
 *   <li>The user and role management methods here only call {@code assertAuthEnabled()}. None of
 *       them takes the calling subject, so any "is this caller an admin" decision has to be made
 *       by the code that invokes them.</li>
 *   <li>{@link #start()} seeds a well-known default account when the user store is empty; see the
 *       note on that method.</li>
 * </ul>
 */
public class ShiroAuthManager extends BasicAuthManager implements RoleManager {
    private final SecurityManager securityManager;
    private final EhCacheManager cacheManager;
    private final FileUserRealm realm;
    private final RoleRepository roleRepository;

    /**
     * Wires the realm, cache manager and Shiro security manager around the given repositories.
     *
     * @param userRepository backing store for users, shared with the base class and the realm
     * @param roleRepository backing store for roles
     * @param passwordPolicy policy handed to the base class; applied in {@link #newUser}
     * @param authenticationStrategy strategy handed to the base class; consulted in {@link #login}
     * @param z forwarded unchanged to {@code BasicAuthManager}; presumably the auth-enabled flag
     *     that {@link #start()} reads as {@code authEnabled} (confirm against the base class)
     */
    public ShiroAuthManager(UserRepository userRepository, RoleRepository roleRepository, PasswordPolicy passwordPolicy, AuthenticationStrategy authenticationStrategy, boolean z) {
        super(userRepository, passwordPolicy, authenticationStrategy, z);
        this.roleRepository = roleRepository;
        FileUserRealm fileRealm = new FileUserRealm(userRepository, roleRepository);
        this.realm = fileRealm;
        this.cacheManager = new EhCacheManager();
        this.securityManager = new DefaultSecurityManager(fileRealm);
    }

    /** Same as the five-argument constructor with the boolean flag fixed to {@code true}. */
    public ShiroAuthManager(UserRepository userRepository, RoleRepository roleRepository, PasswordPolicy passwordPolicy, AuthenticationStrategy authenticationStrategy) {
        this(userRepository, roleRepository, passwordPolicy, authenticationStrategy, true);
    }

    /**
     * Builds the manager with a {@link RateLimitedAuthenticationStrategy} driven by {@code clock}.
     *
     * <p>The literal {@code 3} is the strategy's second constructor argument; it looks like the
     * number of failed attempts tolerated before throttling (confirm in
     * {@code RateLimitedAuthenticationStrategy}).
     */
    public ShiroAuthManager(UserRepository userRepository, RoleRepository roleRepository, PasswordPolicy passwordPolicy, Clock clock, boolean z) {
        this(userRepository, roleRepository, passwordPolicy, (AuthenticationStrategy) new RateLimitedAuthenticationStrategy(clock, 3), z);
    }

    /**
     * Initialises the base class, the role repository, the cache manager and finally the realm.
     * The cache manager is handed to the realm before the realm itself is initialised.
     */
    public void init() throws Throwable {
        super.init();
        this.roleRepository.init();
        this.cacheManager.init();
        this.realm.setCacheManager(this.cacheManager);
        this.realm.init();
    }

    /**
     * Starts both repositories and, when auth is enabled, seeds an empty store.
     *
     * <p>Seeding rules, as written here:
     * <ul>
     *   <li>no roles present: every role name from {@code PredefinedRolesBuilder.buildRoles()} is
     *       created with no members;</li>
     *   <li>no users present: user {@code neo4j} is created with password {@code neo4j} and added
     *       to {@code PredefinedRolesBuilder.ADMIN}.</li>
     * </ul>
     *
     * <p>NOTE(review): the default admin account uses a publicly known password. The third
     * argument {@code true} is presumably the "password change required" flag that
     * {@link #login} reports as {@code PASSWORD_CHANGE_REQUIRED}; what a subject in that state is
     * allowed to do is decided in {@code ShiroAuthSubject}, not here. Deployments should confirm
     * the password is changed right after first start. Note also that the base class
     * {@code start()} is not invoked; only {@code users.start()} is.
     */
    public void start() throws Throwable {
        this.users.start();
        this.roleRepository.start();
        if (!this.authEnabled) {
            return;
        }

        boolean roleStoreEmpty = this.realm.numberOfRoles() == 0;
        if (roleStoreEmpty) {
            for (String roleName : new PredefinedRolesBuilder().buildRoles().keySet()) {
                this.realm.newRole(roleName, new String[0]);
            }
        }

        // Evaluated after role seeding, in the same order as before.
        boolean userStoreEmpty = this.realm.numberOfUsers() == 0;
        if (userStoreEmpty) {
            this.realm.newUser("neo4j", "neo4j", true);
            this.realm.addUserToRole("neo4j", PredefinedRolesBuilder.ADMIN);
        }
    }

    /** Stops the base class first, then the role repository. */
    public void stop() throws Throwable {
        super.stop();
        this.roleRepository.stop();
    }

    /**
     * Shuts down the base class and role repository, then detaches the cache manager from the
     * realm before destroying it.
     */
    public void shutdown() throws Throwable {
        super.shutdown();
        this.roleRepository.shutdown();
        this.realm.setCacheManager(null);
        this.cacheManager.destroy();
    }

    /**
     * Creates a user after checking the password against the configured policy.
     *
     * @param str user name
     * @param str2 initial password; validated by {@code passwordPolicy} before the realm is called
     * @param z forwarded to the realm; presumably "password change required" (confirm)
     * @return the user record created by the realm
     */
    public User newUser(String str, String str2, boolean z) throws IOException, IllegalCredentialsException {
        assertAuthEnabled();
        this.passwordPolicy.validatePassword(str2);
        User created = this.realm.newUser(str, str2, z);
        return created;
    }

    /**
     * Creates a role with the given initial members. The role name and member names are passed to
     * the realm as-is; any validation happens there.
     *
     * @param str role name
     * @param strArr user names to place in the role
     */
    public RoleRecord newRole(String str, String... strArr) throws IOException, IllegalCredentialsException {
        assertAuthEnabled();
        RoleRecord created = this.realm.newRole(str, strArr);
        return created;
    }

    /**
     * Authenticates a {@code principal}/{@code credentials} token map through Shiro.
     *
     * <p>Outcomes:
     * <ul>
     *   <li>{@code TOO_MANY_ATTEMPTS}: the strategy refused the attempt; Shiro is not called and
     *       the strategy is not updated;</li>
     *   <li>{@code FAILURE}: Shiro threw {@link AuthenticationException};</li>
     *   <li>{@code PASSWORD_CHANGE_REQUIRED}: login succeeded and the stored user is flagged;</li>
     *   <li>{@code SUCCESS}: otherwise.</li>
     * </ul>
     *
     * <p>Throttling is keyed on the supplied principal string only. If the user disappears between
     * the Shiro login and the {@code findUser} lookup, the resulting {@code NullPointerException}
     * is not caught here and the strategy is not updated for that attempt.
     *
     * @param map auth token; {@code AuthToken.safeCast} extracts the two string entries and is
     *     presumably what raises {@link InvalidAuthTokenException} for a malformed token
     * @return a subject carrying the authentication result, including for failed attempts
     */
    public AuthSubject login(Map<String, Object> map) throws InvalidAuthTokenException {
        assertAuthEnabled();
        String username = AuthToken.safeCast("principal", map);
        String password = AuthToken.safeCast("credentials", map);
        Subject subject = buildSubject(null);
        UsernamePasswordToken credentials = new UsernamePasswordToken(username, password);

        if (!this.authStrategy.isAuthenticationPermitted(username)) {
            return new ShiroAuthSubject(this, subject, AuthenticationResult.TOO_MANY_ATTEMPTS);
        }

        AuthenticationResult outcome;
        try {
            subject.login(credentials);
            outcome = this.realm.findUser(username).passwordChangeRequired()
                    ? AuthenticationResult.PASSWORD_CHANGE_REQUIRED
                    : AuthenticationResult.SUCCESS;
        } catch (AuthenticationException rejected) {
            outcome = AuthenticationResult.FAILURE;
        }
        // Every permitted attempt, successful or not, is reported back to the strategy.
        this.authStrategy.updateWithAuthenticationResult(outcome, username);
        return new ShiroAuthSubject(this, subject, outcome);
    }

    /**
     * Lets a subject change its own password, then logs that subject out.
     *
     * <p>The only check made here is that {@code str} matches the subject's own user name; the
     * current password is not asked for again, and {@code assertAuthEnabled()} is not called in
     * this method. Password-policy validation, if any, happens inside the inherited
     * {@code setUserPassword}, which is not visible in this file.
     *
     * @param authSubject the caller; must be a {@code ShiroAuthSubject}
     * @param str user name whose password is being changed
     * @param str2 new password
     * @throws AuthorizationViolationException if the subject tries to change another user's password
     */
    public void setPassword(AuthSubject authSubject, String str, String str2) throws IOException, IllegalCredentialsException {
        if (ShiroAuthSubject.castOrFail(authSubject).doesUsernameMatch(str)) {
            setUserPassword(str, str2);
            authSubject.logout();
            return;
        }
        throw new AuthorizationViolationException("Invalid attempt to change the password for user " + str);
    }

    /**
     * Adds user {@code str} to role {@code str2}. Declared by {@code RoleManager}.
     */
    @Override
    public void addUserToRole(String str, String str2) throws IOException {
        assertAuthEnabled();
        this.realm.addUserToRole(str, str2);
    }

    /**
     * Removes user {@code str} from role {@code str2}. Declared by {@code RoleManager}.
     */
    @Override
    public void removeUserFromRole(String str, String str2) throws IOException {
        assertAuthEnabled();
        this.realm.removeUserFromRole(str, str2);
    }

    /**
     * Deletes the named user through the realm.
     *
     * @return whatever the realm reports for the deletion
     */
    public boolean deleteUser(String str) throws IOException {
        assertAuthEnabled();
        boolean removed = this.realm.deleteUser(str);
        return removed;
    }

    /**
     * Suspends the named user through the realm. The decompiler reports that this method was
     * package-private in the original class.
     */
    public void suspendUser(String str) throws IOException {
        assertAuthEnabled();
        this.realm.suspendUser(str);
    }

    /**
     * Re-activates the named user through the realm. The decompiler reports that this method was
     * package-private in the original class.
     */
    public void activateUser(String str) throws IOException {
        assertAuthEnabled();
        this.realm.activateUser(str);
    }

    /** Returns every role name known to the role repository. Declared by {@code RoleManager}. */
    @Override
    public Set<String> getAllRoleNames() {
        assertAuthEnabled();
        Set<String> roleNames = this.roleRepository.getAllRoleNames();
        return roleNames;
    }

    /**
     * Returns the roles of user {@code str}. Declared by {@code RoleManager}.
     *
     * @throws IllegalArgumentException if no such user exists; the message echoes the supplied
     *     name, so whether it confirms account existence to a caller depends on who can reach
     *     this method
     */
    @Override
    public Set<String> getRoleNamesForUser(String str) {
        assertAuthEnabled();
        boolean userKnown = this.users.getUserByName(str) != null;
        if (!userKnown) {
            throw new IllegalArgumentException("User " + str + " does not exist.");
        }
        return this.roleRepository.getRoleNamesByUsername(str);
    }

    /**
     * Returns the members of role {@code str}. Declared by {@code RoleManager}.
     *
     * @throws IllegalArgumentException if no such role exists
     */
    @Override
    public Set<String> getUsernamesForRole(String str) {
        assertAuthEnabled();
        RoleRecord role = this.roleRepository.getRoleByName(str);
        if (role != null) {
            return role.users();
        }
        throw new IllegalArgumentException("Role " + str + " does not exist.");
    }

    /** Returns every user name known to the realm. */
    public Set<String> getAllUsernames() {
        assertAuthEnabled();
        Set<String> usernames = this.realm.getAllUsernames();
        return usernames;
    }

    /**
     * Builds a Shiro subject bound to this manager's security manager.
     *
     * @param str principal to pre-populate, tagged with the realm's name; {@code null} yields a
     *     subject with no principals, which is what {@link #login} starts from
     */
    private Subject buildSubject(String str) {
        Subject.Builder anonymous = new Subject.Builder(this.securityManager);
        if (str == null) {
            return anonymous.buildSubject();
        }
        SimplePrincipalCollection principals = new SimplePrincipalCollection(str, this.realm.getName());
        return anonymous.principals(principals).buildSubject();
    }
}
