package org.neo4j.server.security.enterprise.auth;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;
import java.util.function.IntPredicate;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.ExcessiveAttemptsException;
import org.apache.shiro.authc.pam.UnsupportedTokenException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.cache.Cache;
import org.apache.shiro.cache.CacheManager;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.mgt.DefaultSessionStorageEvaluator;
import org.apache.shiro.mgt.DefaultSubjectDAO;
import org.apache.shiro.mgt.SubjectDAO;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.realm.CachingRealm;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Initializable;
import org.neo4j.collection.primitive.Primitive;
import org.neo4j.collection.primitive.PrimitiveIntSet;
import org.neo4j.graphdb.security.AuthProviderFailedException;
import org.neo4j.graphdb.security.AuthProviderTimeoutException;
import org.neo4j.helpers.Strings;
import org.neo4j.internal.kernel.api.security.AuthSubject;
import org.neo4j.internal.kernel.api.security.AuthenticationResult;
import org.neo4j.internal.kernel.api.security.LoginContext;
import org.neo4j.kernel.api.security.AuthToken;
import org.neo4j.kernel.api.security.exception.InvalidAuthTokenException;
import org.neo4j.kernel.enterprise.api.security.EnterpriseLoginContext;
import org.neo4j.server.security.enterprise.auth.StandardEnterpriseLoginContext;
import org.neo4j.server.security.enterprise.log.SecurityLog;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/neo4j/server/security/enterprise/auth/MultiRealmAuthManager.class */
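/**
 * Authentication and authorization manager that fronts a collection of Shiro {@link Realm}s behind a
 * single {@link DefaultSecurityManager}.
 *
 * <p>What this class does, as visible here: it logs a client in through the realm chain and maps the
 * Shiro exceptions that come back to {@link AuthenticationResult}s (or to Neo4j provider exceptions),
 * propagates init/start/stop/shutdown to the realms, clears realm authentication/authorization caches,
 * collects authorization-info snapshots from the realms, and builds the per-role property blacklist
 * predicate used for property-level authorization.
 *
 * <p>Every login outcome is written to the {@link SecurityLog}. Principals are passed through
 * {@link Strings#escape} before they reach a log line, so a crafted user name cannot inject text into
 * the security log. Sessions are never stored (see {@link #createSubjectDAO()}).
 *
 * <p>Note: this listing is decompiler output; the {@code mo0getUserManager}/{@code mo1getUserManager}
 * names are the decompiler's renaming of the overloaded {@code getUserManager} methods.
 */
public class MultiRealmAuthManager implements EnterpriseAuthAndUserManager {
    private final EnterpriseUserManager userManager;
    private final Collection<Realm> realms;
    private final DefaultSecurityManager securityManager;
    private final CacheManager cacheManager;
    private final SecurityLog securityLog;
    // When false, successful logins are not written to the security log (failures always are).
    private final boolean logSuccessfulLogin;
    // When false, getPropertyPermissions() permits every property key.
    private final boolean propertyAuthorization;
    // role name -> property names that role may not see; consulted only when propertyAuthorization is set.
    private final Map<String, List<String>> roleToPropertyBlacklist;

    /**
     * Creates the manager and wires the Shiro security manager.
     *
     * @param userManager user store exposed through {@link #mo0getUserManager()}
     * @param realms realms consulted, in order, for authentication and authorization
     * @param cacheManager cache manager handed to every {@link CachingRealm} on {@link #init()}
     * @param securityLog destination for login/authorization audit lines
     * @param logSuccessfulLogin whether successful logins are logged
     * @param propertyAuthorization whether property-level blacklists are enforced
     * @param roleToPropertyBlacklist role name to blacklisted property names
     */
    public MultiRealmAuthManager(EnterpriseUserManager userManager, Collection<Realm> realms,
            CacheManager cacheManager, SecurityLog securityLog, boolean logSuccessfulLogin,
            boolean propertyAuthorization, Map<String, List<String>> roleToPropertyBlacklist) {
        this.userManager = userManager;
        this.realms = realms;
        this.cacheManager = cacheManager;
        this.securityManager = new DefaultSecurityManager(realms);
        this.securityLog = securityLog;
        this.logSuccessfulLogin = logSuccessfulLogin;
        this.propertyAuthorization = propertyAuthorization;
        this.roleToPropertyBlacklist = roleToPropertyBlacklist;
        this.securityManager.setSubjectFactory(new ShiroSubjectFactory());
        // Custom strategy decides how results from several realms are combined into one outcome.
        this.securityManager.getAuthenticator().setAuthenticationStrategy(new ShiroAuthenticationStrategy());
        this.securityManager.setSubjectDAO(createSubjectDAO());
    }

    /**
     * Builds a subject DAO with session storage disabled: subjects are not persisted between
     * requests, so no server-side session state is created for a login.
     *
     * @return the configured DAO
     */
    private SubjectDAO createSubjectDAO() {
        DefaultSessionStorageEvaluator noSessionStorage = new DefaultSessionStorageEvaluator();
        noSessionStorage.setSessionStorageEnabled(false);
        DefaultSubjectDAO subjectDao = new DefaultSubjectDAO();
        subjectDao.setSessionStorageEvaluator(noSessionStorage);
        return subjectDao;
    }

    /**
     * Authenticates the principal described by {@code authToken} against the realm chain.
     *
     * <p>Outcomes:
     * <ul>
     *   <li>{@code SUCCESS} / {@code PASSWORD_CHANGE_REQUIRED}: a context wrapping the authenticated
     *       subject is returned; a plain success is logged only when {@code logSuccessfulLogin} is set.</li>
     *   <li>wrong principal or credentials: the failure is logged and a context carrying
     *       {@link AuthenticationResult#FAILURE} is <em>returned</em>, not thrown.</li>
     *   <li>rate limited by a realm: a context carrying {@link AuthenticationResult#TOO_MANY_ATTEMPTS}.</li>
     *   <li>the auth provider timed out or refused the connection: logged, then rethrown as
     *       {@link AuthProviderTimeoutException} / {@link AuthProviderFailedException}.</li>
     * </ul>
     * In every returned case the authentication info (credentials) is cleared from the subject before
     * the context is handed out.
     *
     * @param authToken raw auth token map supplied by the client
     * @return a login context; never {@code null}
     * @throws InvalidAuthTokenException if the token has no usable scheme or no realm accepts its form
     * @throws AuthProviderTimeoutException if a realm reported a backend timeout
     * @throws AuthProviderFailedException if a realm reported a backend connection failure
     */
    public EnterpriseLoginContext login(Map<String, Object> authToken) throws InvalidAuthTokenException {
        ShiroAuthToken token = new ShiroAuthToken(authToken);
        assertValidScheme(token);
        try {
            StandardEnterpriseLoginContext context =
                    new StandardEnterpriseLoginContext(this, this.securityManager.login((Subject) null, token));
            logLoginResult(context, token);
            // The result has been recorded; the subject no longer needs to hold the credentials.
            ((StandardEnterpriseLoginContext.NeoShiroSubject) context.subject()).clearAuthenticationInfo();
            return context;
        } catch (UnsupportedTokenException e) {
            this.securityLog.error("Unknown user failed to log in: %s", e.getMessage());
            Throwable cause = e.getCause();
            // A realm that recognised the token but found it malformed wraps an InvalidAuthTokenException;
            // surface its message. Anything else means no realm understood the token at all.
            if (!(cause instanceof InvalidAuthTokenException)) {
                throw AuthToken.invalidToken(": " + token);
            }
            throw new InvalidAuthTokenException(cause.getMessage() + ": " + token);
        } catch (ExcessiveAttemptsException e) {
            this.securityLog.error("[%s]: failed to log in: too many failed attempts",
                    Strings.escape(token.getPrincipal().toString()));
            return new StandardEnterpriseLoginContext(this,
                    new ShiroSubject(this.securityManager, AuthenticationResult.TOO_MANY_ATTEMPTS));
        } catch (AuthenticationException e) {
            Throwable cause = e.getCause();
            if (cause instanceof AuthProviderTimeoutException) {
                this.securityLog.error("[%s]: failed to log in: auth server timeout%s",
                        Strings.escape(token.getPrincipal().toString()), causeSuffix(cause.getCause()));
                throw new AuthProviderTimeoutException(cause.getMessage(), cause);
            }
            if (cause instanceof AuthProviderFailedException) {
                this.securityLog.error("[%s]: failed to log in: auth server connection refused%s",
                        Strings.escape(token.getPrincipal().toString()), causeSuffix(cause.getCause()));
                throw new AuthProviderFailedException(cause.getMessage(), cause);
            }
            // Plain credential failure: reported to the caller as a FAILURE result, not as an exception.
            Throwable nested = cause != null ? cause.getCause() : null;
            this.securityLog.error("[%s]: failed to log in: invalid principal or credentials%s%s",
                    Strings.escape(token.getPrincipal().toString()), causeSuffix(cause), causeSuffix(nested));
            return new StandardEnterpriseLoginContext(this,
                    new ShiroSubject(this.securityManager, AuthenticationResult.FAILURE));
        }
    }

    /**
     * Writes the audit line for a login that produced a result (as opposed to throwing).
     *
     * @param context the freshly built login context
     * @param token the token that was presented; its principal is escaped before logging
     */
    private void logLoginResult(StandardEnterpriseLoginContext context, ShiroAuthToken token) {
        AuthenticationResult result = context.subject().getAuthenticationResult();
        if (result == AuthenticationResult.SUCCESS) {
            if (this.logSuccessfulLogin) {
                this.securityLog.info(context.subject(), "logged in");
            }
        } else if (result == AuthenticationResult.PASSWORD_CHANGE_REQUIRED) {
            this.securityLog.info(context.subject(), "logged in (password change required)");
        } else {
            this.securityLog.error("[%s]: failed to log in: %s",
                    Strings.escape(token.getPrincipal().toString()),
                    ((StandardEnterpriseLoginContext.NeoShiroSubject) context.subject()).getAuthenticationFailureMessage());
        }
    }

    /**
     * Formats an exception message as a parenthesised log suffix.
     *
     * @param t the throwable to describe; may be {@code null}
     * @return {@code " (message)"}, or {@code ""} when {@code t} or its message is {@code null}
     */
    private static String causeSuffix(Throwable t) {
        return (t == null || t.getMessage() == null) ? "" : " (" + t.getMessage() + ")";
    }

    /**
     * Rejects tokens without a scheme, and the {@code none} scheme, which is only meaningful while
     * authentication is switched off and must not be accepted by an auth-enabled server.
     *
     * @param token the token to check
     * @throws InvalidAuthTokenException if the scheme is missing or is {@code none}
     */
    private void assertValidScheme(ShiroAuthToken token) throws InvalidAuthTokenException {
        String scheme = token.getSchemeSilently();
        if (scheme == null) {
            throw AuthToken.invalidToken("missing key `scheme`: " + token);
        }
        if (scheme.equals("none")) {
            throw AuthToken.invalidToken("scheme='none' only allowed when auth is disabled: " + token);
        }
    }

    /**
     * Initialises every realm: Shiro {@link Initializable#init()}, then the cache manager for
     * {@link CachingRealm}s, then {@link RealmLifecycle#initialize()} — in that order per realm.
     *
     * @throws Throwable whatever a realm's initialisation throws
     */
    public void init() throws Throwable {
        for (Realm realm : this.realms) {
            if (realm instanceof Initializable) {
                ((Initializable) realm).init();
            }
            if (realm instanceof CachingRealm) {
                ((CachingRealm) realm).setCacheManager(this.cacheManager);
            }
            if (realm instanceof RealmLifecycle) {
                ((RealmLifecycle) realm).initialize();
            }
        }
    }

    /**
     * Starts every realm that implements {@link RealmLifecycle}.
     *
     * @throws Throwable whatever a realm's start throws
     */
    public void start() throws Throwable {
        for (Realm realm : this.realms) {
            if (realm instanceof RealmLifecycle) {
                ((RealmLifecycle) realm).start();
            }
        }
    }

    /**
     * Stops every realm that implements {@link RealmLifecycle}.
     *
     * @throws Throwable whatever a realm's stop throws
     */
    public void stop() throws Throwable {
        for (Realm realm : this.realms) {
            if (realm instanceof RealmLifecycle) {
                ((RealmLifecycle) realm).stop();
            }
        }
    }

    /**
     * Detaches the cache manager from every {@link CachingRealm} and shuts down every
     * {@link RealmLifecycle} realm.
     *
     * @throws Throwable whatever a realm's shutdown throws
     */
    public void shutdown() throws Throwable {
        for (Realm realm : this.realms) {
            if (realm instanceof CachingRealm) {
                ((CachingRealm) realm).setCacheManager((CacheManager) null);
            }
            if (realm instanceof RealmLifecycle) {
                ((RealmLifecycle) realm).shutdown();
            }
        }
    }

    /**
     * Returns a user manager whose operations are performed and audited on behalf of {@code authSubject}.
     * (Decompiler-renamed form of {@code getUserManager(AuthSubject, boolean)}.)
     *
     * @param authSubject the acting subject
     * @param isUserManager flag forwarded to {@link PersonalUserManager}; its meaning is not visible here
     * @return a per-subject view over the shared user manager
     */
    @Override // org.neo4j.server.security.enterprise.auth.EnterpriseAuthAndUserManager
    /* renamed from: getUserManager */
    public EnterpriseUserManager mo1getUserManager(AuthSubject authSubject, boolean isUserManager) {
        return new PersonalUserManager(this.userManager, authSubject, this.securityLog, isUserManager);
    }

    /**
     * Returns the underlying (unaudited) user manager.
     * (Decompiler-renamed form of {@code getUserManager()}.)
     *
     * @return the user manager this instance was constructed with
     */
    @Override // org.neo4j.server.security.enterprise.auth.EnterpriseAuthAndUserManager
    /* renamed from: getUserManager */
    public EnterpriseUserManager mo0getUserManager() {
        return this.userManager;
    }

    /**
     * Clears the authentication and authorization caches of every realm that has them, so that
     * revoked credentials or role changes take effect on the next request instead of after expiry.
     */
    public void clearAuthCache() {
        for (Realm realm : this.realms) {
            if (realm instanceof AuthenticatingRealm) {
                Cache<?, ?> authenticationCache = ((AuthenticatingRealm) realm).getAuthenticationCache();
                if (authenticationCache != null) {
                    authenticationCache.clear();
                }
            }
            if (realm instanceof AuthorizingRealm) {
                Cache<?, ?> authorizationCache = ((AuthorizingRealm) realm).getAuthorizationCache();
                if (authorizationCache != null) {
                    authorizationCache.clear();
                }
            }
        }
    }

    /**
     * Collects an authorization-info snapshot for {@code principals} from every realm that can provide
     * one; realms that return {@code null} contribute nothing.
     *
     * @param principals the principals to look up
     * @return the non-null snapshots, in realm order; empty when no realm has one
     */
    public Collection<AuthorizationInfo> getAuthorizationInfo(PrincipalCollection principals) {
        List<AuthorizationInfo> snapshots = new ArrayList<>(1);
        for (Realm realm : this.realms) {
            if (realm instanceof ShiroAuthorizationInfoProvider) {
                AuthorizationInfo snapshot =
                        ((ShiroAuthorizationInfoProvider) realm).getAuthorizationInfoSnapshot(principals);
                if (snapshot != null) {
                    snapshots.add(snapshot);
                }
            }
        }
        return snapshots;
    }

    /**
     * Builds a predicate over property-key ids that answers {@code true} for ids that are not
     * blacklisted for the given set of roles.
     *
     * <p>When property authorization is disabled every id is permitted. Otherwise the blacklists of all
     * the given roles are unioned, so a property blacklisted for any one of them is denied.
     *
     * <p>Security note: a blacklisted property name that {@code propertyKeyIdLookup} cannot resolve is
     * logged and then skipped, which leaves that property visible (fail-open). The security log should
     * be checked for that message after the blacklist configuration changes.
     *
     * @param roles role names held by the user
     * @param propertyKeyIdLookup resolves a property name to its key id; failures are logged, not propagated
     * @return predicate that is {@code true} for permitted property-key ids
     */
    public IntPredicate getPropertyPermissions(Set<String> roles, Function<String, Integer> propertyKeyIdLookup) {
        if (!this.propertyAuthorization) {
            return id -> true;
        }
        PrimitiveIntSet blacklistedIds = Primitive.intSet();
        for (String role : roles) {
            if (!this.roleToPropertyBlacklist.containsKey(role)) {
                continue;
            }
            assert this.roleToPropertyBlacklist.get(role) != null : "Blacklist has to contain properties";
            for (String propertyName : this.roleToPropertyBlacklist.get(role)) {
                try {
                    blacklistedIds.add(propertyKeyIdLookup.apply(propertyName).intValue());
                } catch (Exception e) {
                    // Unresolvable name: reported, but the property is NOT added to the blacklist.
                    this.securityLog.error("Error in setting up property permissions, '" + propertyName + "' is not a valid property name.");
                }
            }
        }
        return id -> !blacklistedIds.contains(id);
    }
}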
