package org.neo4j.server.security.enterprise.auth;

import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import java.util.concurrent.TimeUnit;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.DisabledAccountException;
import org.apache.shiro.authc.ExcessiveAttemptsException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authc.pam.UnsupportedTokenException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.neo4j.kernel.api.exceptions.InvalidArgumentsException;
import org.neo4j.kernel.api.security.AuthToken;
import org.neo4j.kernel.api.security.AuthenticationResult;
import org.neo4j.kernel.api.security.PasswordPolicy;
import org.neo4j.kernel.api.security.exception.InvalidAuthTokenException;
import org.neo4j.kernel.impl.security.Credential;
import org.neo4j.kernel.impl.security.User;
import org.neo4j.kernel.impl.util.JobScheduler;
import org.neo4j.server.security.auth.AuthenticationStrategy;
import org.neo4j.server.security.auth.ListSnapshot;
import org.neo4j.server.security.auth.UserRepository;
import org.neo4j.server.security.auth.exception.ConcurrentModificationException;
import org.neo4j.server.security.enterprise.auth.RoleRecord;
import org.neo4j.server.security.enterprise.configuration.SecuritySettings;

/* loaded from: input_file:org/neo4j/server/security/enterprise/auth/InternalFlatFileRealm.class */
public class InternalFlatFileRealm extends AuthorizingRealm implements RealmLifecycle, EnterpriseUserManager, ShiroAuthorizationInfoProvider {
    static final String IS_SUSPENDED = "is_suspended";
    private static int MAX_READ_ATTEMPTS = 10;
    private final UserRepository userRepository;
    private final RoleRepository roleRepository;
    private final UserRepository initialUserRepository;
    private final UserRepository defaultAdminRepository;
    private final PasswordPolicy passwordPolicy;
    private final AuthenticationStrategy authenticationStrategy;
    private final boolean authenticationEnabled;
    private final boolean authorizationEnabled;
    private final JobScheduler jobScheduler;
    private volatile JobScheduler.JobHandle reloadJobHandle;

    /* renamed from: org.neo4j.server.security.enterprise.auth.InternalFlatFileRealm$1, reason: invalid class name */
    /* loaded from: input_file:org/neo4j/server/security/enterprise/auth/InternalFlatFileRealm$1.class */
    static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$neo4j$kernel$api$security$AuthenticationResult = new int[AuthenticationResult.values().length];

        static {
            try {
                $SwitchMap$org$neo4j$kernel$api$security$AuthenticationResult[AuthenticationResult.FAILURE.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$neo4j$kernel$api$security$AuthenticationResult[AuthenticationResult.TOO_MANY_ATTEMPTS.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
        }
    }

    public InternalFlatFileRealm(UserRepository userRepository, RoleRepository roleRepository, PasswordPolicy passwordPolicy, AuthenticationStrategy authenticationStrategy, JobScheduler jobScheduler, UserRepository userRepository2, UserRepository userRepository3) {
        this(userRepository, roleRepository, passwordPolicy, authenticationStrategy, true, true, jobScheduler, userRepository2, userRepository3);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public InternalFlatFileRealm(UserRepository userRepository, RoleRepository roleRepository, PasswordPolicy passwordPolicy, AuthenticationStrategy authenticationStrategy, boolean z, boolean z2, JobScheduler jobScheduler, UserRepository userRepository2, UserRepository userRepository3) {
        setName(SecuritySettings.NATIVE_REALM_NAME);
        this.userRepository = userRepository;
        this.roleRepository = roleRepository;
        this.initialUserRepository = userRepository2;
        this.defaultAdminRepository = userRepository3;
        this.passwordPolicy = passwordPolicy;
        this.authenticationStrategy = authenticationStrategy;
        this.authenticationEnabled = z;
        this.authorizationEnabled = z2;
        this.jobScheduler = jobScheduler;
        setAuthenticationCachingEnabled(false);
        setAuthorizationCachingEnabled(false);
        setCredentialsMatcher(new AllowAllCredentialsMatcher());
        setRolePermissionResolver(PredefinedRolesBuilder.rolePermissionResolver);
    }

    @Override // org.neo4j.server.security.enterprise.auth.RealmLifecycle
    public void initialize() throws Throwable {
        this.initialUserRepository.init();
        this.defaultAdminRepository.init();
        this.userRepository.init();
        this.roleRepository.init();
    }

    @Override // org.neo4j.server.security.enterprise.auth.RealmLifecycle
    public void start() throws Throwable {
        this.initialUserRepository.start();
        this.defaultAdminRepository.start();
        this.userRepository.start();
        this.roleRepository.start();
        ensureDefaultRoles(ensureDefaultUsers());
        scheduleNextFileReload();
    }

    protected void scheduleNextFileReload() {
        this.reloadJobHandle = this.jobScheduler.schedule(JobScheduler.Groups.nativeSecurity, this::readFilesFromDisk, 10L, TimeUnit.SECONDS);
    }

    private void readFilesFromDisk() {
        try {
            readFilesFromDisk(MAX_READ_ATTEMPTS, new LinkedList());
        } finally {
            scheduleNextFileReload();
        }
    }

    private void readFilesFromDisk(int i, List<String> list) {
        boolean z;
        boolean z2;
        if (i < 0) {
            throw new RuntimeException("Unable to load valid flat file repositories! Attempts failed with:\n\t" + String.join("\n\t", list));
        }
        try {
            synchronized (this) {
                ListSnapshot persistedSnapshot = this.userRepository.getPersistedSnapshot();
                ListSnapshot<RoleRecord> persistedSnapshot2 = this.roleRepository.getPersistedSnapshot();
                z = persistedSnapshot.fromPersisted() || persistedSnapshot2.fromPersisted();
                z2 = z && RoleRepository.validate(persistedSnapshot.values(), persistedSnapshot2.values());
                if (z2) {
                    if (persistedSnapshot.fromPersisted()) {
                        this.userRepository.setUsers(persistedSnapshot);
                    }
                    if (persistedSnapshot2.fromPersisted()) {
                        this.roleRepository.setRoles(persistedSnapshot2);
                    }
                }
            }
            if (z && !z2) {
                list.add("Role-auth file combination not valid.");
                Thread.sleep(10L);
                readFilesFromDisk(i - 1, list);
            }
        } catch (IOException | IllegalStateException | InterruptedException | InvalidArgumentsException e) {
            list.add(e.getMessage());
            readFilesFromDisk(i - 1, list);
        }
    }

    private Set<String> ensureDefaultUsers() throws Throwable {
        User userByName;
        if ((!this.authenticationEnabled && !this.authorizationEnabled) || this.userRepository.numberOfUsers() != 0) {
            return Collections.emptySet();
        }
        User newUser = newUser("neo4j", "neo4j", true);
        if (this.initialUserRepository.numberOfUsers() > 0 && (userByName = this.initialUserRepository.getUserByName("neo4j")) != null) {
            this.userRepository.update(newUser, userByName);
        }
        return Collections.singleton("neo4j");
    }

    private void ensureDefaultRoles(Set<String> set) throws IOException, InvalidArgumentsException {
        if (this.authenticationEnabled || this.authorizationEnabled) {
            LinkedList linkedList = new LinkedList(set);
            if (numberOfRoles() == 0) {
                if (linkedList.isEmpty()) {
                    Set allUsernames = this.userRepository.getAllUsernames();
                    if (this.defaultAdminRepository.numberOfUsers() > 1) {
                        throw new InvalidArgumentsException("No roles defined, and multiple users defined as default admin user. Please use `neo4j-admin set-default-admin` to select a valid admin.");
                    }
                    if (this.defaultAdminRepository.numberOfUsers() == 1) {
                        String str = (String) this.defaultAdminRepository.getAllUsernames().iterator().next();
                        if (this.userRepository.getUserByName(str) == null) {
                            throw new InvalidArgumentsException("No roles defined, and default admin user '" + str + "' does not exist. Please use `neo4j-admin set-default-admin` to select a valid admin.");
                        }
                        linkedList.add(str);
                    } else if (allUsernames.size() == 1) {
                        linkedList.add(allUsernames.iterator().next());
                    } else {
                        if (!allUsernames.contains("neo4j")) {
                            throw new InvalidArgumentsException("No roles defined, and cannot determine which user should be admin. Please use `neo4j-admin set-default-admin` to select an admin.");
                        }
                        linkedList.add("neo4j");
                    }
                }
                Iterator<String> it = PredefinedRolesBuilder.roles.keySet().iterator();
                while (it.hasNext()) {
                    newRole(it.next(), new String[0]);
                }
            }
            Iterator it2 = linkedList.iterator();
            while (it2.hasNext()) {
                addRoleToUser("admin", (String) it2.next());
            }
        }
    }

    @Override // org.neo4j.server.security.enterprise.auth.RealmLifecycle
    public void stop() throws Throwable {
        this.initialUserRepository.stop();
        this.defaultAdminRepository.stop();
        this.userRepository.stop();
        this.roleRepository.stop();
        if (this.reloadJobHandle != null) {
            this.reloadJobHandle.cancel(true);
            this.reloadJobHandle = null;
        }
    }

    @Override // org.neo4j.server.security.enterprise.auth.RealmLifecycle
    public void shutdown() throws Throwable {
        this.initialUserRepository.shutdown();
        this.defaultAdminRepository.shutdown();
        this.userRepository.shutdown();
        this.roleRepository.shutdown();
        setCacheManager(null);
    }

    public boolean supports(AuthenticationToken authenticationToken) {
        try {
            if (!(authenticationToken instanceof ShiroAuthToken)) {
                return false;
            }
            ShiroAuthToken shiroAuthToken = (ShiroAuthToken) authenticationToken;
            if (shiroAuthToken.getScheme().equals("basic")) {
                if (shiroAuthToken.supportsRealm(SecuritySettings.NATIVE_REALM_NAME)) {
                    return true;
                }
            }
            return false;
        } catch (InvalidAuthTokenException e) {
            return false;
        }
    }

    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) throws AuthenticationException {
        String str;
        User userByName;
        if (!this.authorizationEnabled || (str = (String) getAvailablePrincipal(principalCollection)) == null || (userByName = this.userRepository.getUserByName(str)) == null) {
            return null;
        }
        return (userByName.passwordChangeRequired() || userByName.hasFlag(IS_SUSPENDED)) ? new SimpleAuthorizationInfo() : new SimpleAuthorizationInfo(this.roleRepository.getRoleNamesByUsername(userByName.name()));
    }

    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        if (!this.authenticationEnabled) {
            return null;
        }
        ShiroAuthToken shiroAuthToken = (ShiroAuthToken) authenticationToken;
        try {
            String safeCast = AuthToken.safeCast("principal", shiroAuthToken.getAuthTokenMap());
            String safeCast2 = AuthToken.safeCast("credentials", shiroAuthToken.getAuthTokenMap());
            User userByName = this.userRepository.getUserByName(safeCast);
            if (userByName == null) {
                throw new UnknownAccountException();
            }
            AuthenticationResult authenticate = this.authenticationStrategy.authenticate(userByName, safeCast2);
            switch (AnonymousClass1.$SwitchMap$org$neo4j$kernel$api$security$AuthenticationResult[authenticate.ordinal()]) {
                case 1:
                    throw new IncorrectCredentialsException();
                case 2:
                    throw new ExcessiveAttemptsException();
                default:
                    if (userByName.hasFlag(IS_SUSPENDED)) {
                        throw new DisabledAccountException("User '" + userByName.name() + "' is suspended.");
                    }
                    if (userByName.passwordChangeRequired()) {
                        authenticate = AuthenticationResult.PASSWORD_CHANGE_REQUIRED;
                    }
                    return new ShiroAuthenticationInfo(userByName.name(), getName(), authenticate);
            }
        } catch (InvalidAuthTokenException e) {
            throw new UnsupportedTokenException(e);
        }
    }

    @Override // org.neo4j.server.security.enterprise.auth.ShiroAuthorizationInfoProvider
    public AuthorizationInfo getAuthorizationInfoSnapshot(PrincipalCollection principalCollection) {
        return getAuthorizationInfo(principalCollection);
    }

    private int numberOfUsers() {
        return this.userRepository.numberOfUsers();
    }

    private int numberOfRoles() {
        return this.roleRepository.numberOfRoles();
    }

    public User newUser(String str, String str2, boolean z) throws IOException, InvalidArgumentsException {
        this.userRepository.assertValidUsername(str);
        this.passwordPolicy.validatePassword(str2);
        User build = new User.Builder().withName(str).withCredentials(Credential.forPassword(str2)).withRequiredPasswordChange(z).build();
        synchronized (this) {
            this.userRepository.create(build);
        }
        return build;
    }

    @Override // org.neo4j.server.security.enterprise.auth.EnterpriseUserManager
    public RoleRecord newRole(String str, String... strArr) throws IOException, InvalidArgumentsException {
        this.roleRepository.assertValidRoleName(str);
        for (String str2 : strArr) {
            this.userRepository.assertValidUsername(str2);
        }
        RoleRecord build = new RoleRecord.Builder().withName(str).withUsers(new TreeSet(Arrays.asList(strArr))).build();
        synchronized (this) {
            for (String str3 : strArr) {
                getUser(str3);
            }
            this.roleRepository.create(build);
        }
        return build;
    }

    @Override // org.neo4j.server.security.enterprise.auth.EnterpriseUserManager
    public boolean deleteRole(String str) throws IOException, InvalidArgumentsException {
        assertNotPredefinedRoleName(str);
        boolean z = false;
        synchronized (this) {
            if (this.roleRepository.delete(getRole(str))) {
                z = true;
            } else {
                getRole(str);
            }
        }
        return z;
    }

    @Override // org.neo4j.server.security.enterprise.auth.EnterpriseUserManager
    public RoleRecord getRole(String str) throws InvalidArgumentsException {
        RoleRecord roleByName = this.roleRepository.getRoleByName(str);
        if (roleByName == null) {
            throw new InvalidArgumentsException("Role '" + str + "' does not exist.");
        }
        return roleByName;
    }

    @Override // org.neo4j.server.security.enterprise.auth.EnterpriseUserManager
    public RoleRecord silentlyGetRole(String str) {
        return this.roleRepository.getRoleByName(str);
    }

    @Override // org.neo4j.server.security.enterprise.auth.EnterpriseUserManager
    public void addRoleToUser(String str, String str2) throws IOException, InvalidArgumentsException {
        this.roleRepository.assertValidRoleName(str);
        this.userRepository.assertValidUsername(str2);
        synchronized (this) {
            getUser(str2);
            RoleRecord role = getRole(str);
            try {
                this.roleRepository.update(role, role.augment().withUser(str2).build());
            } catch (ConcurrentModificationException e) {
                addRoleToUser(str, str2);
            }
        }
        clearCachedAuthorizationInfoForUser(str2);
    }

    @Override // org.neo4j.server.security.enterprise.auth.EnterpriseUserManager
    public void removeRoleFromUser(String str, String str2) throws IOException, InvalidArgumentsException {
        this.roleRepository.assertValidRoleName(str);
        this.userRepository.assertValidUsername(str2);
        synchronized (this) {
            getUser(str2);
            RoleRecord role = getRole(str);
            try {
                this.roleRepository.update(role, role.augment().withoutUser(str2).build());
            } catch (ConcurrentModificationException e) {
                removeRoleFromUser(str, str2);
            }
        }
        clearCachedAuthorizationInfoForUser(str2);
    }

    public boolean deleteUser(String str) throws IOException, InvalidArgumentsException {
        synchronized (this) {
            User user = getUser(str);
            removeUserFromAllRoles(str);
            this.userRepository.delete(user);
        }
        clearCacheForUser(str);
        return true;
    }

    public User getUser(String str) throws InvalidArgumentsException {
        User userByName = this.userRepository.getUserByName(str);
        if (userByName == null) {
            throw new InvalidArgumentsException("User '" + str + "' does not exist.");
        }
        return userByName;
    }

    public User silentlyGetUser(String str) {
        return this.userRepository.getUserByName(str);
    }

    public void setUserPassword(String str, String str2, boolean z) throws IOException, InvalidArgumentsException {
        User user = getUser(str);
        this.passwordPolicy.validatePassword(str2);
        if (user.credentials().matchesPassword(str2)) {
            throw new InvalidArgumentsException("Old password and new password cannot be the same.");
        }
        try {
            User build = user.augment().withCredentials(Credential.forPassword(str2)).withRequiredPasswordChange(z).build();
            synchronized (this) {
                this.userRepository.update(user, build);
            }
        } catch (ConcurrentModificationException e) {
            setUserPassword(str, str2, z);
        }
        clearCacheForUser(str);
    }

    @Override // org.neo4j.server.security.enterprise.auth.EnterpriseUserManager
    public void suspendUser(String str) throws IOException, InvalidArgumentsException {
        User user = getUser(str);
        if (!user.hasFlag(IS_SUSPENDED)) {
            User build = user.augment().withFlag(IS_SUSPENDED).build();
            try {
                synchronized (this) {
                    this.userRepository.update(user, build);
                }
            } catch (ConcurrentModificationException e) {
                suspendUser(str);
            }
        }
        clearCacheForUser(str);
    }

    @Override // org.neo4j.server.security.enterprise.auth.EnterpriseUserManager
    public void activateUser(String str, boolean z) throws IOException, InvalidArgumentsException {
        User user = getUser(str);
        if (user.hasFlag(IS_SUSPENDED)) {
            User build = user.augment().withoutFlag(IS_SUSPENDED).withRequiredPasswordChange(z).build();
            try {
                synchronized (this) {
                    this.userRepository.update(user, build);
                }
            } catch (ConcurrentModificationException e) {
                activateUser(str, z);
            }
        }
        clearCacheForUser(str);
    }

    @Override // org.neo4j.server.security.enterprise.auth.EnterpriseUserManager
    public Set<String> getAllRoleNames() {
        return this.roleRepository.getAllRoleNames();
    }

    @Override // org.neo4j.server.security.enterprise.auth.EnterpriseUserManager
    public Set<String> getRoleNamesForUser(String str) throws InvalidArgumentsException {
        getUser(str);
        return this.roleRepository.getRoleNamesByUsername(str);
    }

    @Override // org.neo4j.server.security.enterprise.auth.EnterpriseUserManager
    public Set<String> silentlyGetRoleNamesForUser(String str) {
        return this.roleRepository.getRoleNamesByUsername(str);
    }

    @Override // org.neo4j.server.security.enterprise.auth.EnterpriseUserManager
    public Set<String> getUsernamesForRole(String str) throws InvalidArgumentsException {
        return getRole(str).users();
    }

    @Override // org.neo4j.server.security.enterprise.auth.EnterpriseUserManager
    public Set<String> silentlyGetUsernamesForRole(String str) {
        RoleRecord silentlyGetRole = silentlyGetRole(str);
        return silentlyGetRole == null ? Collections.emptySet() : silentlyGetRole.users();
    }

    public Set<String> getAllUsernames() {
        return this.userRepository.getAllUsernames();
    }

    private void removeUserFromAllRoles(String str) throws IOException {
        try {
            this.roleRepository.removeUserFromAllRoles(str);
        } catch (ConcurrentModificationException e) {
            removeUserFromAllRoles(str);
        }
    }

    private void assertNotPredefinedRoleName(String str) throws InvalidArgumentsException {
        if (str != null && PredefinedRolesBuilder.roles.keySet().contains(str)) {
            throw new InvalidArgumentsException(String.format("'%s' is a predefined role and can not be deleted.", str));
        }
    }

    private void clearCachedAuthorizationInfoForUser(String str) {
        clearCachedAuthorizationInfo(new SimplePrincipalCollection(str, getName()));
    }

    private void clearCacheForUser(String str) {
        clearCache(new SimplePrincipalCollection(str, getName()));
    }
}
