package org.neo4j.server.security.enterprise.auth;

import java.io.IOException;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.DisabledAccountException;
import org.apache.shiro.authc.ExcessiveAttemptsException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authc.pam.UnsupportedTokenException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.authz.SimpleRole;
import org.apache.shiro.authz.permission.RolePermissionResolver;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.neo4j.graphdb.security.AuthorizationViolationException;
import org.neo4j.kernel.api.security.AuthSubject;
import org.neo4j.kernel.api.security.AuthToken;
import org.neo4j.kernel.api.security.AuthenticationResult;
import org.neo4j.kernel.api.security.exception.InvalidArgumentsException;
import org.neo4j.kernel.api.security.exception.InvalidAuthTokenException;
import org.neo4j.server.security.auth.AuthenticationStrategy;
import org.neo4j.server.security.auth.Credential;
import org.neo4j.server.security.auth.PasswordPolicy;
import org.neo4j.server.security.auth.User;
import org.neo4j.server.security.auth.UserRepository;
import org.neo4j.server.security.auth.exception.ConcurrentModificationException;
import org.neo4j.server.security.enterprise.auth.RoleRecord;

/* loaded from: input_file:org/neo4j/server/security/enterprise/auth/InternalFlatFileRealm.class */
public class InternalFlatFileRealm extends AuthorizingRealm implements RealmLifecycle, EnterpriseUserManager {
    public static final String IS_SUSPENDED = "is_suspended";
    private final RolePermissionResolver rolePermissionResolver;
    private final UserRepository userRepository;
    private final RoleRepository roleRepository;
    private final PasswordPolicy passwordPolicy;
    private final AuthenticationStrategy authenticationStrategy;
    private final boolean authenticationEnabled;
    private final boolean authorizationEnabled;
    private final Map<String, SimpleRole> roles;

    /* renamed from: org.neo4j.server.security.enterprise.auth.InternalFlatFileRealm$2, reason: invalid class name */
    /* loaded from: input_file:org/neo4j/server/security/enterprise/auth/InternalFlatFileRealm$2.class */
    static /* synthetic */ class AnonymousClass2 {
        static final /* synthetic */ int[] $SwitchMap$org$neo4j$kernel$api$security$AuthenticationResult = new int[AuthenticationResult.values().length];

        static {
            try {
                $SwitchMap$org$neo4j$kernel$api$security$AuthenticationResult[AuthenticationResult.FAILURE.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$neo4j$kernel$api$security$AuthenticationResult[AuthenticationResult.TOO_MANY_ATTEMPTS.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
        }
    }

    public InternalFlatFileRealm(UserRepository userRepository, RoleRepository roleRepository, PasswordPolicy passwordPolicy, AuthenticationStrategy authenticationStrategy, boolean z, boolean z2) {
        this.rolePermissionResolver = new RolePermissionResolver() { // from class: org.neo4j.server.security.enterprise.auth.InternalFlatFileRealm.1
            public Collection<Permission> resolvePermissionsInRole(String str) {
                SimpleRole simpleRole = (SimpleRole) InternalFlatFileRealm.this.roles.get(str);
                return simpleRole != null ? simpleRole.getPermissions() : Collections.emptyList();
            }
        };
        this.userRepository = userRepository;
        this.roleRepository = roleRepository;
        this.passwordPolicy = passwordPolicy;
        this.authenticationStrategy = authenticationStrategy;
        this.authenticationEnabled = z;
        this.authorizationEnabled = z2;
        setCredentialsMatcher(new AllowAllCredentialsMatcher());
        setRolePermissionResolver(this.rolePermissionResolver);
        this.roles = new PredefinedRolesBuilder().buildRoles();
    }

    public InternalFlatFileRealm(UserRepository userRepository, RoleRepository roleRepository, PasswordPolicy passwordPolicy, AuthenticationStrategy authenticationStrategy) {
        this(userRepository, roleRepository, passwordPolicy, authenticationStrategy, true, true);
    }

    @Override // org.neo4j.server.security.enterprise.auth.RealmLifecycle
    public void initialize() throws Throwable {
        this.userRepository.init();
        this.roleRepository.init();
    }

    @Override // org.neo4j.server.security.enterprise.auth.RealmLifecycle
    public void start() throws Throwable {
        this.userRepository.start();
        this.roleRepository.start();
        ensureDefaultUsersAndRoles();
    }

    private void ensureDefaultUsersAndRoles() throws IOException, InvalidArgumentsException {
        if (this.authenticationEnabled || this.authorizationEnabled) {
            if (numberOfRoles() == 0) {
                Iterator<String> it = this.roles.keySet().iterator();
                while (it.hasNext()) {
                    newRole(it.next(), new String[0]);
                }
            }
            if (numberOfUsers() == 0) {
                newUser("neo4j", "neo4j", true);
                addUserToRole("neo4j", PredefinedRolesBuilder.ADMIN);
            }
        }
    }

    @Override // org.neo4j.server.security.enterprise.auth.RealmLifecycle
    public void stop() throws Throwable {
        this.userRepository.stop();
        this.roleRepository.stop();
    }

    @Override // org.neo4j.server.security.enterprise.auth.RealmLifecycle
    public void shutdown() throws Throwable {
        this.userRepository.shutdown();
        this.roleRepository.shutdown();
        setCacheManager(null);
    }

    public boolean supports(AuthenticationToken authenticationToken) {
        try {
            if (authenticationToken instanceof ShiroAuthToken) {
                return ((ShiroAuthToken) authenticationToken).getScheme().equals("basic");
            }
            return false;
        } catch (InvalidAuthTokenException e) {
            return false;
        }
    }

    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) throws AuthenticationException {
        String str;
        User userByName;
        if (!this.authorizationEnabled || (str = (String) getAvailablePrincipal(principalCollection)) == null || (userByName = this.userRepository.getUserByName(str)) == null) {
            return null;
        }
        return (userByName.passwordChangeRequired() || userByName.hasFlag(IS_SUSPENDED)) ? new SimpleAuthorizationInfo() : new SimpleAuthorizationInfo(this.roleRepository.getRoleNamesByUsername(userByName.name()));
    }

    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        if (!this.authenticationEnabled) {
            return null;
        }
        ShiroAuthToken shiroAuthToken = (ShiroAuthToken) authenticationToken;
        try {
            String safeCast = AuthToken.safeCast("principal", shiroAuthToken.getAuthTokenMap());
            String safeCast2 = AuthToken.safeCast("credentials", shiroAuthToken.getAuthTokenMap());
            User userByName = this.userRepository.getUserByName(safeCast);
            if (userByName == null) {
                throw new UnknownAccountException();
            }
            AuthenticationResult authenticate = this.authenticationStrategy.authenticate(userByName, safeCast2);
            switch (AnonymousClass2.$SwitchMap$org$neo4j$kernel$api$security$AuthenticationResult[authenticate.ordinal()]) {
                case 1:
                    throw new IncorrectCredentialsException();
                case 2:
                    throw new ExcessiveAttemptsException();
                default:
                    if (userByName.hasFlag(IS_SUSPENDED)) {
                        throw new DisabledAccountException("User '" + userByName.name() + "' is suspended");
                    }
                    if (userByName.passwordChangeRequired()) {
                        authenticate = AuthenticationResult.PASSWORD_CHANGE_REQUIRED;
                    }
                    return new ShiroAuthenticationInfo(userByName.name(), userByName.credentials(), getName(), authenticate);
            }
        } catch (InvalidAuthTokenException e) {
            throw new UnsupportedTokenException(e);
        }
    }

    int numberOfUsers() {
        return this.userRepository.numberOfUsers();
    }

    int numberOfRoles() {
        return this.roleRepository.numberOfRoles();
    }

    @Override // org.neo4j.server.security.enterprise.auth.EnterpriseUserManager
    public void setPassword(AuthSubject authSubject, String str, String str2) throws IOException, InvalidArgumentsException {
        if (!EnterpriseAuthSubject.castOrFail(authSubject).doesUsernameMatch(str)) {
            throw new AuthorizationViolationException("Invalid attempt to change the password for user " + str);
        }
        setUserPassword(str, str2);
        clearCacheForUser(str);
    }

    public User newUser(String str, String str2, boolean z) throws IOException, InvalidArgumentsException {
        assertValidUsername(str);
        this.passwordPolicy.validatePassword(str2);
        User build = new User.Builder().withName(str).withCredentials(Credential.forPassword(str2)).withRequiredPasswordChange(z).build();
        this.userRepository.create(build);
        return build;
    }

    @Override // org.neo4j.server.security.enterprise.auth.EnterpriseUserManager
    public RoleRecord newRole(String str, String... strArr) throws IOException, InvalidArgumentsException {
        assertValidRoleName(str);
        for (String str2 : strArr) {
            assertValidUsername(str2);
        }
        RoleRecord build = new RoleRecord.Builder().withName(str).withUsers(new TreeSet(Arrays.asList(strArr))).build();
        this.roleRepository.create(build);
        return build;
    }

    @Override // org.neo4j.server.security.enterprise.auth.EnterpriseUserManager
    public RoleRecord getRole(String str) throws InvalidArgumentsException {
        RoleRecord roleByName = this.roleRepository.getRoleByName(str);
        if (roleByName == null) {
            throw new InvalidArgumentsException("Role '" + str + "' does not exist.");
        }
        return roleByName;
    }

    @Override // org.neo4j.server.security.enterprise.auth.EnterpriseUserManager
    public void addUserToRole(String str, String str2) throws IOException, InvalidArgumentsException {
        checkValidityOfUsernameAndRoleName(str, str2);
        synchronized (this) {
            getUser(str);
            RoleRecord role = getRole(str2);
            try {
                this.roleRepository.update(role, role.augment().withUser(str).build());
            } catch (ConcurrentModificationException e) {
                addUserToRole(str, str2);
            }
        }
        clearCachedAuthorizationInfoForUser(str);
    }

    @Override // org.neo4j.server.security.enterprise.auth.EnterpriseUserManager
    public void removeUserFromRole(String str, String str2) throws IOException, InvalidArgumentsException {
        checkValidityOfUsernameAndRoleName(str, str2);
        synchronized (this) {
            getUser(str);
            RoleRecord role = getRole(str2);
            try {
                this.roleRepository.update(role, role.augment().withoutUser(str).build());
            } catch (ConcurrentModificationException e) {
                removeUserFromRole(str, str2);
            }
        }
        clearCachedAuthorizationInfoForUser(str);
    }

    public boolean deleteUser(String str) throws IOException, InvalidArgumentsException {
        boolean z = false;
        synchronized (this) {
            if (this.userRepository.delete(getUser(str))) {
                removeUserFromAllRoles(str);
                z = true;
            } else {
                getUser(str);
            }
        }
        clearCacheForUser(str);
        return z;
    }

    public User getUser(String str) throws InvalidArgumentsException {
        User userByName = this.userRepository.getUserByName(str);
        if (userByName == null) {
            throw new InvalidArgumentsException("User '" + str + "' does not exist.");
        }
        return userByName;
    }

    public void setUserPassword(String str, String str2) throws IOException, InvalidArgumentsException {
        User user = getUser(str);
        this.passwordPolicy.validatePassword(str2);
        if (user.credentials().matchesPassword(str2)) {
            throw new InvalidArgumentsException("Old password and new password cannot be the same.");
        }
        try {
            this.userRepository.update(user, user.augment().withCredentials(Credential.forPassword(str2)).withRequiredPasswordChange(false).build());
        } catch (ConcurrentModificationException e) {
            setUserPassword(str, str2);
        }
    }

    @Override // org.neo4j.server.security.enterprise.auth.EnterpriseUserManager
    public void suspendUser(String str) throws IOException, InvalidArgumentsException {
        User user = getUser(str);
        if (!user.hasFlag(IS_SUSPENDED)) {
            try {
                this.userRepository.update(user, user.augment().withFlag(IS_SUSPENDED).build());
            } catch (ConcurrentModificationException e) {
                suspendUser(str);
            }
        }
        clearCacheForUser(str);
    }

    @Override // org.neo4j.server.security.enterprise.auth.EnterpriseUserManager
    public void activateUser(String str) throws IOException, InvalidArgumentsException {
        User user = getUser(str);
        if (user.hasFlag(IS_SUSPENDED)) {
            try {
                this.userRepository.update(user, user.augment().withoutFlag(IS_SUSPENDED).build());
            } catch (ConcurrentModificationException e) {
                activateUser(str);
            }
        }
        clearCacheForUser(str);
    }

    @Override // org.neo4j.server.security.enterprise.auth.EnterpriseUserManager
    public Set<String> getAllRoleNames() {
        return this.roleRepository.getAllRoleNames();
    }

    @Override // org.neo4j.server.security.enterprise.auth.EnterpriseUserManager
    public Set<String> getRoleNamesForUser(String str) throws InvalidArgumentsException {
        if (this.userRepository.getUserByName(str) == null) {
            throw new InvalidArgumentsException("User '" + str + "' does not exist.");
        }
        return this.roleRepository.getRoleNamesByUsername(str);
    }

    @Override // org.neo4j.server.security.enterprise.auth.EnterpriseUserManager
    public Set<String> getUsernamesForRole(String str) throws InvalidArgumentsException {
        return getRole(str).users();
    }

    @Override // org.neo4j.server.security.enterprise.auth.EnterpriseUserManager
    public Set<String> getAllUsernames() {
        return this.userRepository.getAllUsernames();
    }

    private void removeUserFromAllRoles(String str) throws IOException {
        try {
            this.roleRepository.removeUserFromAllRoles(str);
        } catch (ConcurrentModificationException e) {
            removeUserFromAllRoles(str);
        }
    }

    private void checkValidityOfUsernameAndRoleName(String str, String str2) throws InvalidArgumentsException {
        assertValidUsername(str);
        assertValidRoleName(str2);
    }

    private void assertValidUsername(String str) throws InvalidArgumentsException {
        if (!this.userRepository.isValidUsername(str)) {
            throw new InvalidArgumentsException("User name contains illegal characters. Please use simple ascii characters and numbers.");
        }
    }

    private void assertValidRoleName(String str) throws InvalidArgumentsException {
        if (!this.roleRepository.isValidRoleName(str)) {
            throw new InvalidArgumentsException("Role name contains illegal characters. Please use simple ascii characters and numbers.");
        }
    }

    private void clearCachedAuthorizationInfoForUser(String str) {
        clearCachedAuthorizationInfo(new SimplePrincipalCollection(str, getName()));
    }

    private void clearCacheForUser(String str) {
        clearCache(new SimplePrincipalCollection(str, getName()));
    }
}
