package org.neo4j.server.security.enterprise.auth;

import com.github.benmanes.caffeine.cache.Ticker;
import java.io.File;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import org.apache.shiro.cache.CacheManager;
import org.apache.shiro.realm.Realm;
import org.neo4j.dbms.DatabaseManagementSystemSettings;
import org.neo4j.helpers.Service;
import org.neo4j.io.fs.FileSystemAbstraction;
import org.neo4j.kernel.api.exceptions.KernelException;
import org.neo4j.kernel.api.proc.Context;
import org.neo4j.kernel.api.security.AuthSubject;
import org.neo4j.kernel.api.security.SecurityModule;
import org.neo4j.kernel.configuration.Config;
import org.neo4j.kernel.enterprise.api.security.EnterpriseAuthManager;
import org.neo4j.kernel.enterprise.api.security.EnterpriseAuthSubject;
import org.neo4j.kernel.impl.factory.GraphDatabaseFacade;
import org.neo4j.kernel.impl.proc.Procedures;
import org.neo4j.kernel.impl.util.JobScheduler;
import org.neo4j.kernel.lifecycle.LifeSupport;
import org.neo4j.kernel.lifecycle.Lifecycle;
import org.neo4j.logging.LogProvider;
import org.neo4j.server.security.auth.BasicPasswordPolicy;
import org.neo4j.server.security.auth.CommunitySecurityModule;
import org.neo4j.server.security.auth.RateLimitedAuthenticationStrategy;
import org.neo4j.server.security.enterprise.auth.ShiroCaffeineCache;
import org.neo4j.server.security.enterprise.auth.plugin.PluginRealm;
import org.neo4j.server.security.enterprise.auth.plugin.spi.AuthPlugin;
import org.neo4j.server.security.enterprise.auth.plugin.spi.AuthenticationPlugin;
import org.neo4j.server.security.enterprise.auth.plugin.spi.AuthorizationPlugin;
import org.neo4j.server.security.enterprise.configuration.SecuritySettings;
import org.neo4j.server.security.enterprise.log.SecurityLog;
import org.neo4j.time.Clocks;

/* loaded from: input_file:org/neo4j/server/security/enterprise/auth/EnterpriseSecurityModule.class */
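/**
 * Security module that wires up the enterprise authentication and authorization stack.
 *
 * <p>{@link #setup} creates the {@link SecurityLog} and the auth manager, adds both to the
 * life cycle, and registers them (plus the security procedures) with {@link Procedures}.
 * Which realms take part in authentication is decided in {@link #newAuthManager}: candidate
 * realms are built from configuration and then filtered and ordered by
 * {@code SecuritySettings.active_realms}.
 */
public class EnterpriseSecurityModule extends SecurityModule {
    private static final String ROLE_STORE_FILENAME = "roles";

    public EnterpriseSecurityModule() {
        super("enterprise-security-module", new String[0]);
    }

    /**
     * Builds the security log and auth manager and registers the security components and procedures.
     *
     * @param dependencies services supplied by the kernel (config, procedures, logging, scheduler,
     *                     file system, life support)
     * @throws KernelException declared by the overridden contract; the registration calls may raise it
     */
    public void setup(SecurityModule.Dependencies dependencies) throws KernelException {
        Config config = dependencies.config();
        Procedures procedures = dependencies.procedures();
        LogProvider userLogProvider = dependencies.logService().getUserLogProvider();
        JobScheduler scheduler = dependencies.scheduler();
        FileSystemAbstraction fileSystem = dependencies.fileSystem();
        LifeSupport lifeSupport = dependencies.lifeSupport();

        // The security log is added to the life cycle before the auth manager that writes to it.
        SecurityLog securityLog = SecurityLog.create(config, dependencies.logService().getInternalLog(GraphDatabaseFacade.class), fileSystem, scheduler);
        lifeSupport.add(securityLog);

        EnterpriseAuthAndUserManager authManager = newAuthManager(config, userLogProvider, securityLog, fileSystem, scheduler);
        lifeSupport.add((Lifecycle) dependencies.dependencySatisfier().satisfyDependency(authManager));

        procedures.registerComponent(SecurityLog.class, context -> securityLog);
        procedures.registerComponent(EnterpriseAuthManager.class, context -> authManager);

        if (isNativeRealmEnabled(config)) {
            // The user manager handed to a procedure is derived from the calling subject, and the
            // subject must be an EnterpriseAuthSubject (asEnterprise rejects anything else).
            // NOTE(review): `mo1getUserManager` looks like a decompiler-generated alias for
            // `getUserManager` -- confirm against the original source.
            procedures.registerComponent(EnterpriseUserManager.class, context -> {
                return authManager.mo1getUserManager((AuthSubject) asEnterprise((AuthSubject) context.get(Context.AUTH_SUBJECT)));
            });
            procedures.registerProcedure(UserManagementProcedures.class, true);
        } else {
            // Without the native realm the user-management procedures are not registered and
            // components asking for a user manager receive the NOOP instance.
            procedures.registerComponent(EnterpriseUserManager.class, context -> EnterpriseUserManager.NOOP);
        }
        procedures.registerProcedure(SecurityProcedures.class, true);
    }

    /**
     * Narrows an {@link AuthSubject} to {@link EnterpriseAuthSubject}.
     *
     * @throws RuntimeException if the subject is {@code null} or of any other type
     */
    private EnterpriseAuthSubject asEnterprise(AuthSubject authSubject) {
        if (authSubject instanceof EnterpriseAuthSubject) {
            return (EnterpriseAuthSubject) authSubject;
        }
        // A null subject is reported with the same exception type instead of a NullPointerException
        // from getClass(), so the failure reads as "wrong subject" to whoever inspects it.
        String actualType = authSubject == null ? "null" : authSubject.getClass().getName();
        throw new RuntimeException("Expected EnterpriseAuthSubject, got " + actualType);
    }

    /**
     * Creates the auth manager from the realms enabled in configuration.
     *
     * <p>Candidates are the internal flat-file realm (when native authentication or authorization
     * is enabled), the LDAP realm (when LDAP is enabled and {@code "ldap"} is listed in
     * {@code active_realms}) and all plugin realms. Only candidates whose name appears in
     * {@code active_realms} are kept, in the configured order.
     *
     * @throws IllegalArgumentException if no candidate realm matches {@code active_realms}; the
     *                                  module refuses to start rather than run with no realm
     */
    public EnterpriseAuthAndUserManager newAuthManager(Config config, LogProvider logProvider, SecurityLog securityLog, FileSystemAbstraction fileSystemAbstraction, JobScheduler jobScheduler) {
        // Unchecked only because the setting value is cast here; the realm names are used as strings below.
        @SuppressWarnings("unchecked")
        List<String> configuredRealms = (List<String>) config.get(SecuritySettings.active_realms);
        List<Realm> availableRealms = new ArrayList<>(configuredRealms.size() + 1);
        SecureHasher secureHasher = new SecureHasher();

        InternalFlatFileRealm internalRealm = null;
        if (isNativeRealmEnabled(config)) {
            internalRealm = createInternalRealm(config, logProvider, fileSystemAbstraction, jobScheduler);
            availableRealms.add(internalRealm);
        }

        boolean ldapEnabled = (Boolean) config.get(SecuritySettings.ldap_authentication_enabled)
                || (Boolean) config.get(SecuritySettings.ldap_authorization_enabled);
        if (ldapEnabled && configuredRealms.contains("ldap")) {
            availableRealms.add(new LdapRealm(config, securityLog, secureHasher));
        }

        availableRealms.addAll(createPluginRealms(config, logProvider, secureHasher));

        List<Realm> orderedActiveRealms = selectOrderedActiveRealms(configuredRealms, availableRealms);
        if (orderedActiveRealms.isEmpty()) {
            throw new IllegalArgumentException("Illegal configuration: No valid security realm is active.");
        }

        // The internal realm is passed to the manager whenever it was created, even if its name is
        // missing from active_realms and it is therefore absent from orderedActiveRealms.
        boolean logSuccessfulAuthentication = (Boolean) config.get(SecuritySettings.security_log_successful_authentication);
        return new MultiRealmAuthManager(internalRealm, orderedActiveRealms, createCacheManager(config), securityLog, logSuccessfulAuthentication);
    }

    /** Returns whether native authentication or native authorization is enabled in {@code config}. */
    private static boolean isNativeRealmEnabled(Config config) {
        return (Boolean) config.get(SecuritySettings.native_authentication_enabled)
                || (Boolean) config.get(SecuritySettings.native_authorization_enabled);
    }

    /**
     * Picks, for every configured realm name and in configured order, the first available realm
     * with that name. Configured names with no matching realm are skipped.
     */
    private static List<Realm> selectOrderedActiveRealms(List<String> list, List<Realm> list2) {
        List<Realm> orderedActiveRealms = new ArrayList<>(list.size());
        for (String configuredName : list) {
            // A plain for-each ends when the candidates are exhausted; the previous
            // `while (true)` form never terminated for a name that matched no realm.
            for (Realm realm : list2) {
                if (configuredName.equals(realm.getName())) {
                    orderedActiveRealms.add(realm);
                    break;
                }
            }
        }
        return orderedActiveRealms;
    }

    /**
     * Creates the internal flat-file realm backed by the user and role repositories.
     */
    public static InternalFlatFileRealm createInternalRealm(Config config, LogProvider logProvider, FileSystemAbstraction fileSystemAbstraction, JobScheduler jobScheduler) {
        boolean authenticationEnabled = (Boolean) config.get(SecuritySettings.native_authentication_enabled);
        boolean authorizationEnabled = (Boolean) config.get(SecuritySettings.native_authorization_enabled);
        return new InternalFlatFileRealm(
                CommunitySecurityModule.getUserRepository(config, logProvider, fileSystemAbstraction),
                getRoleRepository(config, logProvider, fileSystemAbstraction),
                new BasicPasswordPolicy(),
                // NOTE(review): the literal 3 is presumably the failed-attempt limit of the rate
                // limiter and is not configurable here -- confirm against RateLimitedAuthenticationStrategy.
                new RateLimitedAuthenticationStrategy(Clocks.systemClock(), 3),
                authenticationEnabled,
                authorizationEnabled,
                jobScheduler,
                CommunitySecurityModule.getInitialUserRepository(config, logProvider, fileSystemAbstraction));
    }

    /** Creates the cache manager for auth data using the configured TTL and maximum capacity. */
    private static CacheManager createCacheManager(Config config) {
        long ttl = (Long) config.get(SecuritySettings.auth_cache_ttl);
        int maxCapacity = (Integer) config.get(SecuritySettings.auth_cache_max_capacity);
        return new ShiroCaffeineCache.Manager(Ticker.systemTicker(), ttl, maxCapacity);
    }

    /**
     * Wraps every discovered auth plugin in a {@link PluginRealm}.
     *
     * <p>Every plugin returned by {@code Service.load} is wrapped here, before the
     * {@code active_realms} filter in {@link #newAuthManager} is applied, so whatever location
     * {@code Service.load} discovers plugins from has to be treated as trusted code.
     * A plugin implementing both {@link AuthenticationPlugin} and {@link AuthorizationPlugin}
     * gets a single combined realm when both plugin settings are enabled.
     */
    private static List<Realm> createPluginRealms(Config config, LogProvider logProvider, SecureHasher secureHasher) {
        List<Realm> pluginRealms = new ArrayList<>();
        // Classes already wrapped as combined authentication+authorization realms.
        HashSet<Class<?>> combinedPluginClasses = new HashSet<>();
        boolean authenticationEnabled = (Boolean) config.get(SecuritySettings.plugin_authentication_enabled);
        boolean authorizationEnabled = (Boolean) config.get(SecuritySettings.plugin_authorization_enabled);

        if (authenticationEnabled && authorizationEnabled) {
            for (AuthPlugin authPlugin : Service.load(AuthPlugin.class)) {
                pluginRealms.add(new PluginRealm(authPlugin, config, logProvider, Clocks.systemClock(), secureHasher));
            }
        }

        if (authenticationEnabled) {
            for (AuthenticationPlugin authenticationPlugin : Service.load(AuthenticationPlugin.class)) {
                AuthorizationPlugin authorizationSide = null;
                if (authorizationEnabled && (authenticationPlugin instanceof AuthorizationPlugin)) {
                    authorizationSide = (AuthorizationPlugin) authenticationPlugin;
                    combinedPluginClasses.add(authenticationPlugin.getClass());
                }
                pluginRealms.add(new PluginRealm(authenticationPlugin, authorizationSide, config, logProvider, Clocks.systemClock(), secureHasher));
            }
        }

        if (authorizationEnabled) {
            for (AuthorizationPlugin authorizationPlugin : Service.load(AuthorizationPlugin.class)) {
                // Skip plugins that already received a combined realm above.
                if (!combinedPluginClasses.contains(authorizationPlugin.getClass())) {
                    pluginRealms.add(new PluginRealm(null, authorizationPlugin, config, logProvider, Clocks.systemClock(), secureHasher));
                }
            }
        }
        return pluginRealms;
    }

    /** Creates the file-backed role repository stored as {@code roles} in the auth store directory. */
    public static RoleRepository getRoleRepository(Config config, LogProvider logProvider, FileSystemAbstraction fileSystemAbstraction) {
        File authStoreDirectory = (File) config.get(DatabaseManagementSystemSettings.auth_store_directory);
        return new FileRoleRepository(fileSystemAbstraction, new File(authStoreDirectory, ROLE_STORE_FILENAME), logProvider);
    }
}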
