package org.neo4j.server.security.enterprise.auth;

import java.io.IOException;
import java.util.Collection;
import java.util.Set;
import java.util.TreeSet;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.neo4j.graphdb.security.AuthorizationViolationException;
import org.neo4j.kernel.api.exceptions.InvalidArgumentsException;
import org.neo4j.kernel.api.security.AccessMode;
import org.neo4j.kernel.api.security.AuthSubject;
import org.neo4j.kernel.api.security.AuthenticationResult;
import org.neo4j.kernel.api.security.SecurityContext;
import org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/neo4j/server/security/enterprise/auth/StandardEnterpriseSecurityContext.class */
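/**
 * Security context that answers authentication and authorization questions by delegating to a
 * {@link ShiroSubject} and the {@link MultiRealmAuthManager} that produced it.
 *
 * <p>This listing is decompiler output: some method names carry synthetic prefixes
 * ({@code m11mode}, {@code m10freeze}, {@code m9withMode}) and several access modifiers were
 * widened by the decompiler. The names are kept as found so existing references still resolve.
 */
public class StandardEnterpriseSecurityContext implements EnterpriseSecurityContext {
    // Permission strings handed to shiroSubject.isPermitted(...) when the access mode is computed.
    private static final String SCHEMA_READ_WRITE = "schema:read,write";
    private static final String TOKEN_CREATE = "token:create";
    private static final String READ_WRITE = "data:read,write";
    private static final String READ = "data:read";
    private final MultiRealmAuthManager authManager;
    private final ShiroSubject shiroSubject;
    private final NeoShiroSubject neoShiroSubject = new NeoShiroSubject();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/neo4j/server/security/enterprise/auth/StandardEnterpriseSecurityContext$NeoShiroSubject.class */
    /**
     * {@link AuthSubject} view over the enclosing context's {@code shiroSubject}. Every call is
     * forwarded to that subject, so results reflect its current state.
     */
    public class NeoShiroSubject implements AuthSubject {
        private NeoShiroSubject() {
        }

        /**
         * @return the principal's {@code toString()} value, or the empty string when the subject
         *     has no principal
         */
        public String username() {
            Object principal = StandardEnterpriseSecurityContext.this.shiroSubject.getPrincipal();
            return principal != null ? principal.toString() : "";
        }

        /** Logs the underlying subject out. */
        public void logout() {
            StandardEnterpriseSecurityContext.this.shiroSubject.logout();
        }

        /** @return the authentication result currently held by the underlying subject */
        public AuthenticationResult getAuthenticationResult() {
            return StandardEnterpriseSecurityContext.this.shiroSubject.getAuthenticationResult();
        }

        /**
         * Changes the password of the current principal through the user manager, then clears a
         * pending {@code PASSWORD_CHANGE_REQUIRED} state.
         *
         * @param str the new password, forwarded unchanged to {@code setUserPassword}
         * @param z flag forwarded unchanged to {@code setUserPassword}; presumably "require
         *     password change" - confirm against the user manager
         * @throws IOException propagated from the user manager
         * @throws InvalidArgumentsException propagated from the user manager
         */
        public void setPassword(String str, boolean z) throws IOException, InvalidArgumentsException {
            // NOTE(review): the principal is cast to String here while username() uses toString();
            // a non-String principal would raise ClassCastException - confirm principals are
            // always Strings for subjects that can reach this call.
            StandardEnterpriseSecurityContext.this.getUserManager().setUserPassword((String) StandardEnterpriseSecurityContext.this.shiroSubject.getPrincipal(), str, z);
            // Only reached when setUserPassword did not throw, so a failed change leaves the
            // PASSWORD_CHANGE_REQUIRED state in place.
            setPasswordChangeNoLongerRequired();
        }

        /**
         * Promotes the subject from {@code PASSWORD_CHANGE_REQUIRED} to {@code SUCCESS}; any other
         * authentication result is left untouched.
         */
        public void setPasswordChangeNoLongerRequired() {
            if (getAuthenticationResult() == AuthenticationResult.PASSWORD_CHANGE_REQUIRED) {
                StandardEnterpriseSecurityContext.this.shiroSubject.setAuthenticationResult(AuthenticationResult.SUCCESS);
            }
        }

        /**
         * @param str the username to compare against the current principal
         * @return {@code true} only when both the principal and {@code str} are non-null and
         *     {@code str.equals(principal)}
         */
        public boolean hasUsername(String str) {
            Object principal = StandardEnterpriseSecurityContext.this.shiroSubject.getPrincipal();
            return principal != null && str != null && str.equals(principal);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/neo4j/server/security/enterprise/auth/StandardEnterpriseSecurityContext$StandardAccessMode.class */
    /**
     * Access mode built from a fixed set of permission flags and role names supplied at
     * construction time.
     */
    public static class StandardAccessMode implements AccessMode {
        private final boolean allowsReads;
        private final boolean allowsWrites;
        private final boolean allowsSchemaWrites;
        private final boolean allowsTokenCreates;
        private final boolean passwordChangeRequired;
        // Stored by reference, not copied; the callers in this file pass a freshly collected set.
        private final Set<String> roles;

        /**
         * Argument order is reads, writes, token creates, schema writes, password change required,
         * roles. Note that token creates precedes schema writes, unlike the field declarations.
         */
        StandardAccessMode(boolean z, boolean z2, boolean z3, boolean z4, boolean z5, Set<String> set) {
            this.allowsReads = z;
            this.allowsWrites = z2;
            this.allowsTokenCreates = z3;
            this.allowsSchemaWrites = z4;
            this.passwordChangeRequired = z5;
            this.roles = set;
        }

        public boolean allowsReads() {
            return this.allowsReads;
        }

        public boolean allowsWrites() {
            return this.allowsWrites;
        }

        public boolean allowsTokenCreates() {
            return this.allowsTokenCreates;
        }

        public boolean allowsSchemaWrites() {
            return this.allowsSchemaWrites;
        }

        /**
         * @param strArr role names, any one of which is sufficient
         * @return {@code true} when at least one entry of {@code strArr} is among this mode's
         *     roles; {@code false} for an empty array
         */
        public boolean allowsProcedureWith(String[] strArr) throws InvalidArgumentsException {
            // This decision is taken from the role set alone; the boolean permission flags and
            // passwordChangeRequired are not consulted.
            for (String str : strArr) {
                if (this.roles.contains(str)) {
                    return true;
                }
            }
            return false;
        }

        /**
         * @param str the violation message
         * @return the {@code CREDENTIALS_EXPIRED} violation when a password change is pending,
         *     otherwise a plain {@link AuthorizationViolationException} carrying {@code str}
         */
        public AuthorizationViolationException onViolation(String str) {
            return this.passwordChangeRequired ? AccessMode.Static.CREDENTIALS_EXPIRED.onViolation(str) : new AuthorizationViolationException(str);
        }

        /** @return {@code "no roles"}, or the role names sorted and comma-joined inside {@code roles [...]} */
        public String name() {
            if (this.roles.isEmpty()) {
                return "no roles";
            }
            // A sorted copy gives a stable rendering regardless of the set's iteration order.
            Set<String> sortedRoles = new TreeSet<>(this.roles);
            return "roles [" + String.join(",", sortedRoles) + "]";
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public StandardEnterpriseSecurityContext(MultiRealmAuthManager multiRealmAuthManager, ShiroSubject shiroSubject) {
        this.authManager = multiRealmAuthManager;
        this.shiroSubject = shiroSubject;
    }

    /** @return the user manager the auth manager provides for this security context */
    public EnterpriseUserManager getUserManager() {
        return this.authManager.mo1getUserManager((SecurityContext) this);
    }

    /**
     * @return {@code true} only when the subject is authenticated and is permitted {@code "*"}
     *     (presumably the match-all wildcard permission - confirm against the realm setup)
     */
    public boolean isAdmin() {
        return this.shiroSubject.isAuthenticated() && this.shiroSubject.isPermitted("*");
    }

    public AuthSubject subject() {
        return this.neoShiroSubject;
    }

    /* renamed from: mode, reason: merged with bridge method [inline-methods] */
    /**
     * Computes the access mode from the subject's state at call time.
     *
     * @return a new {@link StandardAccessMode}; each permission flag is {@code false} unless the
     *     subject is authenticated
     */
    public StandardAccessMode m11mode() {
        boolean isAuthenticated = this.shiroSubject.isAuthenticated();
        boolean mayRead = isAuthenticated && this.shiroSubject.isPermitted(READ);
        boolean mayWrite = isAuthenticated && this.shiroSubject.isPermitted(READ_WRITE);
        boolean mayCreateTokens = isAuthenticated && this.shiroSubject.isPermitted(TOKEN_CREATE);
        boolean mayWriteSchema = isAuthenticated && this.shiroSubject.isPermitted(SCHEMA_READ_WRITE);
        boolean passwordChangeRequired = this.shiroSubject.getAuthenticationResult() == AuthenticationResult.PASSWORD_CHANGE_REQUIRED;
        // NOTE(review): the four permission flags are forced to false for an unauthenticated
        // subject, but the role set is queried unconditionally and allowsProcedureWith() consults
        // only that set. Confirm the auth manager yields no roles for subjects that are not
        // authenticated (including the password-change-required state).
        return new StandardAccessMode(mayRead, mayWrite, mayCreateTokens, mayWriteSchema, passwordChangeRequired, queryForRoleNames());
    }

    @Override
    public String toString() {
        return defaultString("enterprise-security-context");
    }

    /* renamed from: freeze, reason: merged with bridge method [inline-methods] */
    /**
     * @return a {@code Frozen} context built from the access mode, roles and admin flag as
     *     computed at call time; the subject passed along is still the live
     *     {@code neoShiroSubject}
     */
    public EnterpriseSecurityContext m10freeze() {
        StandardAccessMode m11mode = m11mode();
        return new EnterpriseSecurityContext.Frozen(this.neoShiroSubject, m11mode, m11mode.roles, isAdmin());
    }

    /* renamed from: withMode, reason: merged with bridge method [inline-methods] */
    /**
     * @param accessMode the access mode to use in place of the computed one
     * @return a {@code Frozen} context carrying {@code accessMode} together with the roles and
     *     admin flag computed at call time
     */
    public EnterpriseSecurityContext m9withMode(AccessMode accessMode) {
        // accessMode is passed through without validation; nothing here checks that it is no
        // broader than what m11mode() would grant, so that is left to the caller.
        return new EnterpriseSecurityContext.Frozen(this.neoShiroSubject, accessMode, queryForRoleNames(), isAdmin());
    }

    /** @return the role names currently resolved for the subject's principals */
    public Set<String> roles() {
        return queryForRoleNames();
    }

    /**
     * Collects the role names from every authorization info the auth manager returns for the
     * subject's principals. Entries whose role collection is {@code null} contribute nothing.
     * No authentication check is made here.
     */
    private Set<String> queryForRoleNames() {
        return this.authManager.getAuthorizationInfo(this.shiroSubject.getPrincipals()).stream()
                .flatMap(authorizationInfo -> {
                    Collection<String> roles = authorizationInfo.getRoles();
                    return roles == null ? Stream.<String>empty() : roles.stream();
                })
                .collect(Collectors.toSet());
    }
}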
