package org.neo4j.server.security.enterprise.auth;

import com.github.benmanes.caffeine.cache.Ticker;
import java.io.File;
import java.time.Duration;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import org.apache.shiro.cache.CacheManager;
import org.apache.shiro.realm.Realm;
import org.neo4j.dbms.DatabaseManagementSystemSettings;
import org.neo4j.graphdb.factory.GraphDatabaseSettings;
import org.neo4j.helpers.Service;
import org.neo4j.internal.kernel.api.exceptions.KernelException;
import org.neo4j.internal.kernel.api.security.SecurityContext;
import org.neo4j.io.fs.FileSystemAbstraction;
import org.neo4j.kernel.api.proc.Context;
import org.neo4j.kernel.api.security.SecurityModule;
import org.neo4j.kernel.configuration.Config;
import org.neo4j.kernel.enterprise.api.security.EnterpriseAuthManager;
import org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext;
import org.neo4j.kernel.impl.factory.GraphDatabaseFacade;
import org.neo4j.kernel.impl.proc.Procedures;
import org.neo4j.kernel.lifecycle.LifeSupport;
import org.neo4j.kernel.lifecycle.Lifecycle;
import org.neo4j.logging.LogProvider;
import org.neo4j.scheduler.JobScheduler;
import org.neo4j.server.security.auth.AuthenticationStrategy;
import org.neo4j.server.security.auth.BasicPasswordPolicy;
import org.neo4j.server.security.auth.CommunitySecurityModule;
import org.neo4j.server.security.auth.FileUserRepository;
import org.neo4j.server.security.auth.RateLimitedAuthenticationStrategy;
import org.neo4j.server.security.auth.UserRepository;
import org.neo4j.server.security.enterprise.auth.ShiroCaffeineCache;
import org.neo4j.server.security.enterprise.auth.plugin.PluginRealm;
import org.neo4j.server.security.enterprise.auth.plugin.spi.AuthPlugin;
import org.neo4j.server.security.enterprise.auth.plugin.spi.AuthenticationPlugin;
import org.neo4j.server.security.enterprise.auth.plugin.spi.AuthorizationPlugin;
import org.neo4j.server.security.enterprise.configuration.SecuritySettings;
import org.neo4j.server.security.enterprise.log.SecurityLog;
import org.neo4j.time.Clocks;

/* loaded from: input_file:org/neo4j/server/security/enterprise/auth/EnterpriseSecurityModule.class */
public class EnterpriseSecurityModule extends SecurityModule {
    private static final String ROLE_STORE_FILENAME = "roles";
    private static final String DEFAULT_ADMIN_STORE_FILENAME = "admin.ini";

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/neo4j/server/security/enterprise/auth/EnterpriseSecurityModule$SecurityConfig.class */
    public static class SecurityConfig {
        final List<String> authProviders;
        final boolean hasNativeProvider;
        final boolean hasLdapProvider;
        final List<String> pluginAuthProviders;
        final boolean nativeAuthentication;
        final boolean nativeAuthorization;
        final boolean ldapAuthentication;
        final boolean ldapAuthorization;
        final boolean pluginAuthentication;
        final boolean pluginAuthorization;
        final boolean propertyAuthorization;
        private final String propertyAuthMapping;
        final Map<String, List<String>> propertyBlacklist = new HashMap();

        SecurityConfig(Config config) {
            this.authProviders = (List) config.get(SecuritySettings.auth_providers);
            this.hasNativeProvider = this.authProviders.contains(SecuritySettings.NATIVE_REALM_NAME);
            this.hasLdapProvider = this.authProviders.contains("ldap");
            this.pluginAuthProviders = (List) this.authProviders.stream().filter(str -> {
                return str.startsWith(SecuritySettings.PLUGIN_REALM_NAME_PREFIX);
            }).collect(Collectors.toList());
            this.nativeAuthentication = ((Boolean) config.get(SecuritySettings.native_authentication_enabled)).booleanValue();
            this.nativeAuthorization = ((Boolean) config.get(SecuritySettings.native_authorization_enabled)).booleanValue();
            this.ldapAuthentication = ((Boolean) config.get(SecuritySettings.ldap_authentication_enabled)).booleanValue();
            this.ldapAuthorization = ((Boolean) config.get(SecuritySettings.ldap_authorization_enabled)).booleanValue();
            this.pluginAuthentication = ((Boolean) config.get(SecuritySettings.plugin_authentication_enabled)).booleanValue();
            this.pluginAuthorization = ((Boolean) config.get(SecuritySettings.plugin_authorization_enabled)).booleanValue();
            this.propertyAuthorization = ((Boolean) config.get(SecuritySettings.property_level_authorization_enabled)).booleanValue();
            this.propertyAuthMapping = (String) config.get(SecuritySettings.property_level_authorization_permissions);
        }

        void validate() {
            if (!this.nativeAuthentication && !this.ldapAuthentication && !this.pluginAuthentication) {
                throw EnterpriseSecurityModule.illegalConfiguration("All authentication providers are disabled.");
            }
            if (!this.nativeAuthorization && !this.ldapAuthorization && !this.pluginAuthorization) {
                throw EnterpriseSecurityModule.illegalConfiguration("All authorization providers are disabled.");
            }
            if (this.hasNativeProvider && !this.nativeAuthentication && !this.nativeAuthorization) {
                throw EnterpriseSecurityModule.illegalConfiguration("Native auth provider configured, but both authentication and authorization are disabled.");
            }
            if (this.hasLdapProvider && !this.ldapAuthentication && !this.ldapAuthorization) {
                throw EnterpriseSecurityModule.illegalConfiguration("LDAP auth provider configured, but both authentication and authorization are disabled.");
            }
            if (!this.pluginAuthProviders.isEmpty() && !this.pluginAuthentication && !this.pluginAuthorization) {
                throw EnterpriseSecurityModule.illegalConfiguration("Plugin auth provider configured, but both authentication and authorization are disabled.");
            }
            if (this.propertyAuthorization && !parsePropertyPermissions()) {
                throw EnterpriseSecurityModule.illegalConfiguration("Property level authorization is enabled but there is a error in the permissions mapping.");
            }
        }

        private boolean parsePropertyPermissions() {
            if (this.propertyAuthMapping == null || this.propertyAuthMapping.isEmpty()) {
                return true;
            }
            String str = "\\s*[a-zA-Z0-9_]+\\s*=\\s*[a-zA-Z0-9_]+\\s*(,\\s*[a-zA-Z0-9_]+\\s*)*";
            if (!this.propertyAuthMapping.matches(str + "(;" + str + ")*")) {
                return false;
            }
            for (String str2 : this.propertyAuthMapping.split(";")) {
                if (!str2.isEmpty()) {
                    String[] split = str2.split("=");
                    String trim = split[0].trim();
                    String str3 = split[1];
                    ArrayList arrayList = new ArrayList();
                    for (String str4 : str3.split(",")) {
                        if (!str4.isEmpty()) {
                            arrayList.add(str4.trim());
                        }
                    }
                    this.propertyBlacklist.put(trim, arrayList);
                }
            }
            return true;
        }

        public boolean onlyPluginAuthentication() {
            return (this.nativeAuthentication || this.ldapAuthentication || !this.pluginAuthentication) ? false : true;
        }

        public boolean onlyPluginAuthorization() {
            return (this.nativeAuthorization || this.ldapAuthorization || !this.pluginAuthorization) ? false : true;
        }
    }

    public EnterpriseSecurityModule() {
        super("enterprise-security-module", new String[0]);
    }

    public void setup(SecurityModule.Dependencies dependencies) throws KernelException {
        Config config = dependencies.config();
        Procedures procedures = dependencies.procedures();
        LogProvider userLogProvider = dependencies.logService().getUserLogProvider();
        JobScheduler scheduler = dependencies.scheduler();
        FileSystemAbstraction fileSystem = dependencies.fileSystem();
        LifeSupport lifeSupport = dependencies.lifeSupport();
        SecurityLog create = SecurityLog.create(config, dependencies.logService().getInternalLog(GraphDatabaseFacade.class), fileSystem, scheduler);
        lifeSupport.add(create);
        EnterpriseAuthAndUserManager newAuthManager = newAuthManager(config, userLogProvider, create, fileSystem, scheduler);
        lifeSupport.add((Lifecycle) dependencies.dependencySatisfier().satisfyDependency(newAuthManager));
        procedures.registerComponent(SecurityLog.class, context -> {
            return create;
        }, false);
        procedures.registerComponent(EnterpriseAuthManager.class, context2 -> {
            return newAuthManager;
        }, false);
        procedures.registerComponent(EnterpriseSecurityContext.class, context3 -> {
            return asEnterprise((SecurityContext) context3.get(Context.SECURITY_CONTEXT));
        }, true);
        if (((Boolean) config.get(SecuritySettings.native_authentication_enabled)).booleanValue() || ((Boolean) config.get(SecuritySettings.native_authorization_enabled)).booleanValue()) {
            procedures.registerComponent(EnterpriseUserManager.class, context4 -> {
                return newAuthManager.mo1getUserManager(((SecurityContext) context4.get(Context.SECURITY_CONTEXT)).subject(), ((SecurityContext) context4.get(Context.SECURITY_CONTEXT)).isAdmin());
            }, true);
            if (((List) config.get(SecuritySettings.auth_providers)).size() > 1) {
                procedures.registerProcedure(UserManagementProcedures.class, true, "%s only applies to native users.");
            } else {
                procedures.registerProcedure(UserManagementProcedures.class, true);
            }
        } else {
            procedures.registerComponent(EnterpriseUserManager.class, context5 -> {
                return EnterpriseUserManager.NOOP;
            }, true);
        }
        procedures.registerProcedure(SecurityProcedures.class, true);
    }

    private EnterpriseSecurityContext asEnterprise(SecurityContext securityContext) {
        if (securityContext instanceof EnterpriseSecurityContext) {
            return (EnterpriseSecurityContext) securityContext;
        }
        throw new RuntimeException("Expected EnterpriseSecurityContext, got " + securityContext.getClass().getName());
    }

    public EnterpriseAuthAndUserManager newAuthManager(Config config, LogProvider logProvider, SecurityLog securityLog, FileSystemAbstraction fileSystemAbstraction, JobScheduler jobScheduler) {
        SecurityConfig securityConfig = new SecurityConfig(config);
        securityConfig.validate();
        ArrayList arrayList = new ArrayList(securityConfig.authProviders.size() + 1);
        SecureHasher secureHasher = new SecureHasher();
        InternalFlatFileRealm internalFlatFileRealm = null;
        if (securityConfig.hasNativeProvider) {
            internalFlatFileRealm = createInternalRealm(config, logProvider, fileSystemAbstraction, jobScheduler);
            arrayList.add(internalFlatFileRealm);
        }
        if (securityConfig.hasLdapProvider) {
            arrayList.add(new LdapRealm(config, securityLog, secureHasher));
        }
        if (!securityConfig.pluginAuthProviders.isEmpty()) {
            arrayList.addAll(createPluginRealms(config, securityLog, secureHasher, securityConfig));
        }
        List<Realm> selectOrderedActiveRealms = selectOrderedActiveRealms(securityConfig.authProviders, arrayList);
        if (selectOrderedActiveRealms.isEmpty()) {
            throw illegalConfiguration("No valid auth provider is active.");
        }
        return new MultiRealmAuthManager(internalFlatFileRealm, selectOrderedActiveRealms, createCacheManager(config), securityLog, ((Boolean) config.get(SecuritySettings.security_log_successful_authentication)).booleanValue(), securityConfig.propertyAuthorization, securityConfig.propertyBlacklist);
    }

    private static List<Realm> selectOrderedActiveRealms(List<String> list, List<Realm> list2) {
        ArrayList arrayList = new ArrayList(list.size());
        for (String str : list) {
            Iterator<Realm> it = list2.iterator();
            while (true) {
                if (it.hasNext()) {
                    Realm next = it.next();
                    if (str.equals(next.getName())) {
                        arrayList.add(next);
                        break;
                    }
                }
            }
        }
        return arrayList;
    }

    public static InternalFlatFileRealm createInternalRealm(Config config, LogProvider logProvider, FileSystemAbstraction fileSystemAbstraction, JobScheduler jobScheduler) {
        return new InternalFlatFileRealm(CommunitySecurityModule.getUserRepository(config, logProvider, fileSystemAbstraction), getRoleRepository(config, logProvider, fileSystemAbstraction), new BasicPasswordPolicy(), createAuthenticationStrategy(config), ((Boolean) config.get(SecuritySettings.native_authentication_enabled)).booleanValue(), ((Boolean) config.get(SecuritySettings.native_authorization_enabled)).booleanValue(), jobScheduler, CommunitySecurityModule.getInitialUserRepository(config, logProvider, fileSystemAbstraction), getDefaultAdminRepository(config, logProvider, fileSystemAbstraction));
    }

    private static AuthenticationStrategy createAuthenticationStrategy(Config config) {
        return new RateLimitedAuthenticationStrategy(Clocks.systemClock(), ((Integer) config.get(GraphDatabaseSettings.auth_max_failed_attempts)).intValue());
    }

    private static CacheManager createCacheManager(Config config) {
        long millis = ((Duration) config.get(SecuritySettings.auth_cache_ttl)).toMillis();
        boolean booleanValue = ((Boolean) config.get(SecuritySettings.auth_cache_use_ttl)).booleanValue();
        return new ShiroCaffeineCache.Manager(Ticker.systemTicker(), millis, ((Integer) config.get(SecuritySettings.auth_cache_max_capacity)).intValue(), booleanValue);
    }

    private static List<PluginRealm> createPluginRealms(Config config, SecurityLog securityLog, SecureHasher secureHasher, SecurityConfig securityConfig) {
        PluginRealm pluginRealm;
        ArrayList arrayList = new ArrayList();
        HashSet hashSet = new HashSet();
        if (securityConfig.pluginAuthentication && securityConfig.pluginAuthorization) {
            Iterator it = Service.load(AuthPlugin.class).iterator();
            while (it.hasNext()) {
                arrayList.add(new PluginRealm((AuthPlugin) it.next(), config, securityLog, Clocks.systemClock(), secureHasher));
            }
        }
        if (securityConfig.pluginAuthentication) {
            for (AuthorizationPlugin authorizationPlugin : Service.load(AuthenticationPlugin.class)) {
                if (securityConfig.pluginAuthorization && (authorizationPlugin instanceof AuthorizationPlugin)) {
                    pluginRealm = new PluginRealm(authorizationPlugin, authorizationPlugin, config, securityLog, Clocks.systemClock(), secureHasher);
                    hashSet.add(authorizationPlugin.getClass());
                } else {
                    pluginRealm = new PluginRealm(authorizationPlugin, null, config, securityLog, Clocks.systemClock(), secureHasher);
                }
                arrayList.add(pluginRealm);
            }
        }
        if (securityConfig.pluginAuthorization) {
            for (AuthorizationPlugin authorizationPlugin2 : Service.load(AuthorizationPlugin.class)) {
                if (!hashSet.contains(authorizationPlugin2.getClass())) {
                    arrayList.add(new PluginRealm(null, authorizationPlugin2, config, securityLog, Clocks.systemClock(), secureHasher));
                }
            }
        }
        for (String str : securityConfig.pluginAuthProviders) {
            if (arrayList.stream().noneMatch(pluginRealm2 -> {
                return pluginRealm2.getName().equals(str);
            })) {
                throw illegalConfiguration(String.format("Failed to load auth plugin '%s'.", str));
            }
        }
        List<PluginRealm> list = (List) arrayList.stream().filter(pluginRealm3 -> {
            return securityConfig.pluginAuthProviders.contains(pluginRealm3.getName());
        }).collect(Collectors.toList());
        boolean z = securityConfig.onlyPluginAuthentication() && list.stream().noneMatch((v0) -> {
            return v0.canAuthenticate();
        });
        boolean z2 = securityConfig.onlyPluginAuthorization() && list.stream().noneMatch((v0) -> {
            return v0.canAuthorize();
        });
        if (z || z2) {
            throw illegalConfiguration(String.format("No plugin %s provider loaded even though required by configuration.", (z && z2) ? "authentication or authorization" : z ? "authentication" : "authorization"));
        }
        return list;
    }

    public static RoleRepository getRoleRepository(Config config, LogProvider logProvider, FileSystemAbstraction fileSystemAbstraction) {
        return new FileRoleRepository(fileSystemAbstraction, getRoleRepositoryFile(config), logProvider);
    }

    public static UserRepository getDefaultAdminRepository(Config config, LogProvider logProvider, FileSystemAbstraction fileSystemAbstraction) {
        return new FileUserRepository(fileSystemAbstraction, getDefaultAdminRepositoryFile(config), logProvider);
    }

    private static File getRoleRepositoryFile(Config config) {
        return new File((File) config.get(DatabaseManagementSystemSettings.auth_store_directory), ROLE_STORE_FILENAME);
    }

    private static File getDefaultAdminRepositoryFile(Config config) {
        return new File((File) config.get(DatabaseManagementSystemSettings.auth_store_directory), DEFAULT_ADMIN_STORE_FILENAME);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static IllegalArgumentException illegalConfiguration(String str) {
        return new IllegalArgumentException("Illegal configuration: " + str);
    }
}
