package org.neo4j.server.security.enterprise.auth.plugin;

import java.io.File;
import java.nio.file.Path;
import java.time.Clock;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.Optional;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.neo4j.graphdb.factory.GraphDatabaseSettings;
import org.neo4j.graphdb.security.AuthorizationExpiredException;
import org.neo4j.kernel.api.security.exception.InvalidAuthTokenException;
import org.neo4j.kernel.configuration.Config;
import org.neo4j.kernel.internal.Version;
import org.neo4j.logging.Log;
import org.neo4j.server.security.enterprise.auth.PredefinedRolesBuilder;
import org.neo4j.server.security.enterprise.auth.RealmLifecycle;
import org.neo4j.server.security.enterprise.auth.SecureHasher;
import org.neo4j.server.security.enterprise.auth.ShiroAuthToken;
import org.neo4j.server.security.enterprise.auth.ShiroAuthorizationInfoProvider;
import org.neo4j.server.security.enterprise.auth.plugin.api.AuthProviderOperations;
import org.neo4j.server.security.enterprise.auth.plugin.api.AuthToken;
import org.neo4j.server.security.enterprise.auth.plugin.spi.AuthInfo;
import org.neo4j.server.security.enterprise.auth.plugin.spi.AuthPlugin;
import org.neo4j.server.security.enterprise.auth.plugin.spi.AuthenticationPlugin;
import org.neo4j.server.security.enterprise.auth.plugin.spi.AuthorizationPlugin;
import org.neo4j.server.security.enterprise.auth.plugin.spi.CustomCacheableAuthenticationInfo;
import org.neo4j.server.security.enterprise.configuration.SecuritySettings;
import org.neo4j.server.security.enterprise.log.SecurityLog;

/* loaded from: input_file:org/neo4j/server/security/enterprise/auth/plugin/PluginRealm.class */
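/**
 * Shiro realm that delegates authentication and/or authorization to a Neo4j auth
 * provider plugin: either a combined {@link AuthPlugin}, or a separate
 * {@link AuthenticationPlugin} and/or {@link AuthorizationPlugin}.
 *
 * <p>Security-relevant defaults fixed in the constructor: authentication caching is
 * OFF (every login is forwarded to the plugin unless the plugin itself opts in via
 * {@link AuthProviderOperations#setAuthenticationCachingEnabled}), authorization
 * caching is ON, and credential comparison goes through {@link CredentialsMatcher}.
 *
 * <p>This is a decompiled listing. The decompiler notes that {@code PluginRealmOperations}
 * and {@code getCustomCredentialsMatcherIfPresent} were {@code private} in the original
 * source; they are left {@code public} here so the recovered interface is unchanged.
 */
public class PluginRealm extends AuthorizingRealm implements RealmLifecycle, ShiroAuthorizationInfoProvider {
    private AuthenticationPlugin authenticationPlugin;
    private AuthorizationPlugin authorizationPlugin;
    private final Config config;
    private AuthPlugin authPlugin;
    private final Log log;
    private final Clock clock;
    private final SecureHasher secureHasher;
    private AuthProviderOperations authProviderOperations;

    /**
     * Credential comparison for plugin-provided authentication info.
     *
     * <p>Three outcomes, checked in order:
     * <ol>
     *   <li>the plugin supplied its own matcher ({@link CustomCredentialsMatcherSupplier}) - defer to it;</li>
     *   <li>the info carries hashed credentials - compare with the realm's {@link SecureHasher};</li>
     *   <li>no credentials at all - accept only while authentication caching is disabled, because then
     *       the plugin was just asked to authenticate this very token in {@code doGetAuthenticationInfo};
     *       with caching enabled a credential-less entry could be replayed from the cache, so it is
     *       rejected and logged as a misconfiguration.</li>
     * </ol>
     */
    private class CredentialsMatcher implements org.apache.shiro.authc.credential.CredentialsMatcher {
        private CredentialsMatcher() {
        }

        /**
         * @param authenticationToken the incoming token; expected to be a {@link ShiroAuthToken}
         *                            (guaranteed by {@link PluginRealm#supports(AuthenticationToken)})
         * @param authenticationInfo  the info returned by the plugin for this principal
         * @return {@code true} when the token is accepted for the given info
         * @throws AuthenticationException when the token cannot be converted for a custom matcher
         */
        public boolean doCredentialsMatch(AuthenticationToken authenticationToken, AuthenticationInfo authenticationInfo) {
            // 1. Plugin-defined matcher wins over everything else.
            CustomCacheableAuthenticationInfo.CredentialsMatcher customMatcher =
                    PluginRealm.getCustomCredentialsMatcherIfPresent(authenticationInfo);
            if (customMatcher != null) {
                try {
                    AuthToken apiToken = PluginApiAuthToken.createFromMap(((ShiroAuthToken) authenticationToken).getAuthTokenMap());
                    return customMatcher.doCredentialsMatch(apiToken);
                } catch (InvalidAuthTokenException e) {
                    // Keep the original exception as cause so the security log retains the full chain;
                    // only the message is propagated to the client by the caller.
                    throw new AuthenticationException(e.getMessage(), e);
                }
            }
            // 2. Cacheable credentials: compare against the stored hash.
            if (authenticationInfo.getCredentials() != null) {
                return PluginRealm.this.secureHasher.getHashedCredentialsMatcher()
                        .doCredentialsMatch(PluginShiroAuthToken.of(authenticationToken), authenticationInfo);
            }
            // 3. Nothing to compare. Safe only when the plugin was consulted for this exact request.
            if (!PluginRealm.this.isAuthenticationCachingEnabled()) {
                return true;
            }
            PluginRealm.this.log.error("Authentication caching is enabled in plugin %s but it does not return cacheable credentials. This configuration is not secure.", new Object[]{PluginRealm.this.getName()});
            return false;
        }
    }

    /**
     * The {@link AuthProviderOperations} handed to plugins during {@link #initialize()}.
     * Gives plugins a prefixed view of the security log, the server home/version, the realm
     * clock and the two caching switches. (Was {@code private} in the original source.)
     */
    public class PluginRealmOperations implements AuthProviderOperations {
        private AuthProviderOperations.Log innerLog;

        private PluginRealmOperations() {
            // Every plugin log line is prefixed with "{<realm name>} " so entries in the shared
            // security log can be attributed to the plugin that wrote them.
            this.innerLog = new AuthProviderOperations.Log() { // from class: org.neo4j.server.security.enterprise.auth.plugin.PluginRealm.PluginRealmOperations.1
                private String withPluginName(String str) {
                    return "{" + PluginRealm.this.getName() + "} " + str;
                }

                public void debug(String str) {
                    PluginRealm.this.log.debug(withPluginName(str));
                }

                public void info(String str) {
                    PluginRealm.this.log.info(withPluginName(str));
                }

                public void warn(String str) {
                    PluginRealm.this.log.warn(withPluginName(str));
                }

                public void error(String str) {
                    PluginRealm.this.log.error(withPluginName(str));
                }

                public boolean isDebugEnabled() {
                    return PluginRealm.this.log.isDebugEnabled();
                }
            };
        }

        /** Absolute path of {@code dbms.directories.neo4j_home} from the server config. */
        public Path neo4jHome() {
            return ((File) PluginRealm.this.config.get(GraphDatabaseSettings.neo4j_home)).getAbsoluteFile().toPath();
        }

        /** Always empty in this build: the config file location is not exposed to plugins. */
        public Optional<Path> neo4jConfigFile() {
            return Optional.empty();
        }

        public String neo4jVersion() {
            return Version.getNeo4jVersion();
        }

        /** The clock injected into the realm; plugins should use it rather than the system clock. */
        public Clock clock() {
            return PluginRealm.this.clock;
        }

        public AuthProviderOperations.Log log() {
            return this.innerLog;
        }

        /**
         * Lets the plugin opt in to authentication caching (off by default). Only safe when the
         * plugin returns cacheable credentials; see {@link CredentialsMatcher}.
         */
        public void setAuthenticationCachingEnabled(boolean z) {
            PluginRealm.this.setAuthenticationCachingEnabled(z);
        }

        public void setAuthorizationCachingEnabled(boolean z) {
            PluginRealm.this.setAuthorizationCachingEnabled(z);
        }
    }

    /**
     * Base constructor shared by the plugin-specific constructors; wires the matcher,
     * caching defaults and role-permission resolver. Plugins are attached by the callers.
     *
     * @param config       server configuration (used for {@code neo4j_home})
     * @param securityLog  destination for realm and plugin log output
     * @param clock        clock exposed to plugins
     * @param secureHasher hasher used to compare cacheable credentials
     */
    public PluginRealm(Config config, SecurityLog securityLog, Clock clock, SecureHasher secureHasher) {
        this.authProviderOperations = new PluginRealmOperations();
        this.config = config;
        this.clock = clock;
        this.secureHasher = secureHasher;
        this.log = securityLog;
        setCredentialsMatcher(new CredentialsMatcher());
        // Secure defaults: never cache authentication unless the plugin asks for it.
        setAuthenticationCachingEnabled(false);
        setAuthorizationCachingEnabled(true);
        setRolePermissionResolver(PredefinedRolesBuilder.rolePermissionResolver);
    }

    /**
     * Realm backed by separate authentication and/or authorization plugins (either may be null).
     */
    public PluginRealm(AuthenticationPlugin authenticationPlugin, AuthorizationPlugin authorizationPlugin, Config config, SecurityLog securityLog, Clock clock, SecureHasher secureHasher) {
        this(config, securityLog, clock, secureHasher);
        this.authenticationPlugin = authenticationPlugin;
        this.authorizationPlugin = authorizationPlugin;
        resolvePluginName();
    }

    /** Realm backed by a combined authentication+authorization plugin. */
    public PluginRealm(AuthPlugin authPlugin, Config config, SecurityLog securityLog, Clock clock, SecureHasher secureHasher) {
        this(config, securityLog, clock, secureHasher);
        this.authPlugin = authPlugin;
        resolvePluginName();
    }

    /**
     * Names this realm {@code SecuritySettings.PLUGIN_REALM_NAME_PREFIX + <plugin name>},
     * preferring the combined plugin, then the authentication plugin, then the authorization
     * plugin. A null or empty plugin name leaves the realm name untouched.
     */
    private void resolvePluginName() {
        String pluginName = null;
        if (this.authPlugin != null) {
            pluginName = this.authPlugin.name();
        } else if (this.authenticationPlugin != null) {
            pluginName = this.authenticationPlugin.name();
        } else if (this.authorizationPlugin != null) {
            pluginName = this.authorizationPlugin.name();
        }
        if (pluginName == null || pluginName.isEmpty()) {
            return;
        }
        setName(SecuritySettings.PLUGIN_REALM_NAME_PREFIX + pluginName);
    }

    /**
     * Flattens a Shiro principal collection into (principal, realm name) pairs for the
     * authorization plugin, one pair per principal per realm.
     */
    private Collection<AuthorizationPlugin.PrincipalAndProvider> getPrincipalAndProviderCollection(PrincipalCollection principalCollection) {
        ArrayList<AuthorizationPlugin.PrincipalAndProvider> pairs = new ArrayList<>();
        for (String realmName : principalCollection.getRealmNames()) {
            for (Object principal : principalCollection.fromRealm(realmName)) {
                pairs.add(new AuthorizationPlugin.PrincipalAndProvider(principal, realmName));
            }
        }
        return pairs;
    }

    /**
     * Shiro hook for (cache-missed) authorization lookups.
     *
     * <p>With a separate authorization plugin the plugin is asked directly. With only a combined
     * {@link AuthPlugin} the authorization info is produced at login time and placed in the
     * cache by {@link #doGetAuthenticationInfo}; reaching this method for one of our own
     * principals therefore means that cached entry has gone, and the caller must re-authenticate
     * ({@link AuthorizationExpiredException}). Principals that do not belong to this realm yield null.
     *
     * @throws AuthorizationExpiredException when the plugin reports expiry, or when a combined
     *                                       plugin's cached info is no longer present
     */
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        if (this.authorizationPlugin == null) {
            if (this.authPlugin == null || principalCollection.fromRealm(getName()).isEmpty()) {
                return null;
            }
            throw new AuthorizationExpiredException("Plugin '" + getName() + "' authorization info expired.");
        }
        try {
            org.neo4j.server.security.enterprise.auth.plugin.spi.AuthorizationInfo pluginInfo =
                    this.authorizationPlugin.authorize(getPrincipalAndProviderCollection(principalCollection));
            if (pluginInfo != null) {
                return PluginAuthorizationInfo.create(pluginInfo);
            }
            return null;
        } catch (org.neo4j.server.security.enterprise.auth.plugin.api.AuthorizationExpiredException e) {
            throw new AuthorizationExpiredException("Plugin '" + getName() + "' authorization info expired: " + e.getMessage(), e);
        }
    }

    /**
     * Shiro hook for authentication. Tokens that are not {@link ShiroAuthToken}s, and plugins
     * that return null, yield null (Shiro treats that as "unknown account").
     *
     * <p>For a combined {@link AuthPlugin} the returned {@link PluginAuthInfo} is also stored in
     * the authorization cache so the subsequent authorization lookup does not hit the plugin again.
     *
     * @throws AuthenticationException when the plugin rejects the credentials or the token map is invalid;
     *                                 the plugin's exception is kept as the cause for the security log
     */
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        if (!(authenticationToken instanceof ShiroAuthToken)) {
            return null;
        }
        try {
            AuthToken apiToken = PluginApiAuthToken.createFromMap(((ShiroAuthToken) authenticationToken).getAuthTokenMap());
            if (this.authPlugin == null) {
                if (this.authenticationPlugin == null) {
                    return null;
                }
                org.neo4j.server.security.enterprise.auth.plugin.spi.AuthenticationInfo pluginInfo =
                        this.authenticationPlugin.authenticate(apiToken);
                if (pluginInfo == null) {
                    return null;
                }
                return PluginAuthenticationInfo.createCacheable(pluginInfo, getName(), this.secureHasher);
            }
            AuthInfo combinedInfo = this.authPlugin.authenticateAndAuthorize(apiToken);
            if (combinedInfo == null) {
                return null;
            }
            PluginAuthInfo cacheableInfo = PluginAuthInfo.createCacheable(combinedInfo, getName(), this.secureHasher);
            cacheAuthorizationInfo(cacheableInfo);
            return cacheableInfo;
        } catch (org.neo4j.server.security.enterprise.auth.plugin.api.AuthenticationException | InvalidAuthTokenException e) {
            // Preserve the plugin exception itself (not just its cause, which may be null) so
            // failed logins can be traced in the security log; only the message reaches the client.
            throw new AuthenticationException(e.getMessage(), e);
        }
    }

    /**
     * Stores combined-plugin authorization info in Shiro's authorization cache under the
     * same key {@link #doGetAuthorizationInfo} would use.
     */
    private void cacheAuthorizationInfo(PluginAuthInfo pluginAuthInfo) {
        getAuthorizationCache().put(getAuthorizationCacheKey(pluginAuthInfo.getPrincipals()), pluginAuthInfo);
    }

    /** True when any plugin capable of authentication is attached. */
    public boolean canAuthenticate() {
        return this.authPlugin != null || this.authenticationPlugin != null;
    }

    /** True when any plugin capable of authorization is attached. */
    public boolean canAuthorize() {
        return this.authPlugin != null || this.authorizationPlugin != null;
    }

    /**
     * Authorization info via Shiro's {@code getAuthorizationInfo}, i.e. served from the
     * authorization cache when caching is enabled.
     */
    @Override // org.neo4j.server.security.enterprise.auth.ShiroAuthorizationInfoProvider
    public AuthorizationInfo getAuthorizationInfoSnapshot(PrincipalCollection principalCollection) {
        return getAuthorizationInfo(principalCollection);
    }

    /** Authorization cache key: the first available principal of the collection. */
    protected Object getAuthorizationCacheKey(PrincipalCollection principalCollection) {
        return getAvailablePrincipal(principalCollection);
    }

    /** Authentication cache key: the token's principal (null for a null token). */
    protected Object getAuthenticationCacheKey(AuthenticationToken authenticationToken) {
        if (authenticationToken == null) {
            return null;
        }
        return authenticationToken.getPrincipal();
    }

    /** Only {@link ShiroAuthToken}s that name this realm are handled here. */
    public boolean supports(AuthenticationToken authenticationToken) {
        return supportsSchemeAndRealm(authenticationToken);
    }

    private boolean supportsSchemeAndRealm(AuthenticationToken authenticationToken) {
        if (!(authenticationToken instanceof ShiroAuthToken)) {
            return false;
        }
        return ((ShiroAuthToken) authenticationToken).supportsRealm(getName());
    }

    // Lifecycle: each attached plugin is driven once. When a single object serves as both the
    // authentication and the authorization plugin, the identity check below avoids calling it twice.

    @Override // org.neo4j.server.security.enterprise.auth.RealmLifecycle
    public void initialize() throws Throwable {
        if (this.authenticationPlugin != null) {
            this.authenticationPlugin.initialize(this.authProviderOperations);
        }
        if (this.authorizationPlugin != null && this.authorizationPlugin != this.authenticationPlugin) {
            this.authorizationPlugin.initialize(this.authProviderOperations);
        }
        if (this.authPlugin != null) {
            this.authPlugin.initialize(this.authProviderOperations);
        }
    }

    @Override // org.neo4j.server.security.enterprise.auth.RealmLifecycle
    public void start() {
        if (this.authenticationPlugin != null) {
            this.authenticationPlugin.start();
        }
        if (this.authorizationPlugin != null && this.authorizationPlugin != this.authenticationPlugin) {
            this.authorizationPlugin.start();
        }
        if (this.authPlugin != null) {
            this.authPlugin.start();
        }
    }

    @Override // org.neo4j.server.security.enterprise.auth.RealmLifecycle
    public void stop() {
        if (this.authenticationPlugin != null) {
            this.authenticationPlugin.stop();
        }
        if (this.authorizationPlugin != null && this.authorizationPlugin != this.authenticationPlugin) {
            this.authorizationPlugin.stop();
        }
        if (this.authPlugin != null) {
            this.authPlugin.stop();
        }
    }

    @Override // org.neo4j.server.security.enterprise.auth.RealmLifecycle
    public void shutdown() {
        if (this.authenticationPlugin != null) {
            this.authenticationPlugin.shutdown();
        }
        if (this.authorizationPlugin != null && this.authorizationPlugin != this.authenticationPlugin) {
            this.authorizationPlugin.shutdown();
        }
        if (this.authPlugin != null) {
            this.authPlugin.shutdown();
        }
    }

    /**
     * Returns the plugin-supplied credentials matcher when the authentication info implements
     * {@link CustomCredentialsMatcherSupplier}, otherwise null. (Was {@code private} in the original source.)
     */
    public static CustomCacheableAuthenticationInfo.CredentialsMatcher getCustomCredentialsMatcherIfPresent(AuthenticationInfo authenticationInfo) {
        if (authenticationInfo instanceof CustomCredentialsMatcherSupplier) {
            return ((CustomCredentialsMatcherSupplier) authenticationInfo).getCredentialsMatcher();
        }
        return null;
    }
}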
