package org.usergrid.security.shiro;

import com.google.common.collect.BiMap;
import com.google.common.collect.HashBiMap;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import org.apache.commons.lang.StringUtils;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.CredentialsException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authc.credential.CredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.authz.permission.PermissionResolver;
import org.apache.shiro.cache.CacheManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.PrincipalCollection;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.usergrid.management.ApplicationInfo;
import org.usergrid.management.ManagementService;
import org.usergrid.management.OrganizationInfo;
import org.usergrid.management.UserInfo;
import org.usergrid.persistence.Entity;
import org.usergrid.persistence.EntityManager;
import org.usergrid.persistence.EntityManagerFactory;
import org.usergrid.persistence.Results;
import org.usergrid.persistence.SimpleEntityRef;
import org.usergrid.persistence.cassandra.CassandraService;
import org.usergrid.persistence.entities.Role;
import org.usergrid.persistence.entities.User;
import org.usergrid.security.shiro.credentials.AccessTokenCredentials;
import org.usergrid.security.shiro.credentials.AdminUserAccessToken;
import org.usergrid.security.shiro.credentials.AdminUserPassword;
import org.usergrid.security.shiro.credentials.ApplicationAccessToken;
import org.usergrid.security.shiro.credentials.ApplicationUserAccessToken;
import org.usergrid.security.shiro.credentials.ClientCredentials;
import org.usergrid.security.shiro.credentials.OrganizationAccessToken;
import org.usergrid.security.shiro.credentials.PrincipalCredentials;
import org.usergrid.security.shiro.principals.AdminUserPrincipal;
import org.usergrid.security.shiro.principals.ApplicationGuestPrincipal;
import org.usergrid.security.shiro.principals.ApplicationPrincipal;
import org.usergrid.security.shiro.principals.ApplicationUserPrincipal;
import org.usergrid.security.shiro.principals.OrganizationPrincipal;
import org.usergrid.security.shiro.principals.PrincipalIdentifier;
import org.usergrid.security.shiro.utils.SubjectUtils;
import org.usergrid.security.tokens.TokenInfo;
import org.usergrid.security.tokens.TokenService;

/* loaded from: input_file:usergrid-services-0.0.27.1.jar:org/usergrid/security/shiro/Realm.class */
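/**
 * Shiro realm backing Usergrid authentication and authorization.
 *
 * <p><b>Authentication.</b> {@link #doGetAuthenticationInfo} accepts a {@link PrincipalCredentialsToken}
 * and checks only that the principal and credential <em>types</em> form a supported pairing and that
 * the principal, when present, is activated and not disabled. No password or token value is compared
 * in this class, and the credentials matcher is forced to {@link AllowAllCredentialsMatcher} no matter
 * what the configuration supplies (see {@link #setCredentialsMatcher}). Whatever code builds the
 * {@code PrincipalCredentialsToken} is therefore the place where credentials are actually verified.
 *
 * <p><b>Authorization.</b> {@link #doGetAuthorizationInfo} derives roles and permission strings from
 * the principal type plus management-service and entity-manager lookups. Lookup failures are logged
 * and the corresponding grants are simply omitted. As a side effect the resolved organizations and
 * applications are stored on the current Shiro {@link Session}.
 */
public class Realm extends AuthorizingRealm {
    private static final Logger logger = LoggerFactory.getLogger(Realm.class);
    public static final String ROLE_SERVICE_ADMIN = "service-admin";
    public static final String ROLE_ADMIN_USER = "admin-user";
    public static final String ROLE_ORGANIZATION_ADMIN = "organization-admin";
    public static final String ROLE_APPLICATION_ADMIN = "application-admin";
    public static final String ROLE_APPLICATION_USER = "application-user";

    // Permission prefixes granting the full action set; the target id (or "*") is appended.
    private static final String ORGANIZATIONS_ALL = "organizations:admin,access,get,put,post,delete:";
    private static final String APPLICATIONS_ALL = "applications:admin,access,get,put,post,delete:";

    // Page size used when walking a user's groups and each group's roles.
    private static final int GROUP_QUERY_LIMIT = 1000;

    private EntityManagerFactory emf;
    private ManagementService management;
    private TokenService tokens;

    // Bound to usergrid.sysadmin.login.allowed; gates the service-admin grants entirely.
    @Value("${usergrid.sysadmin.login.allowed}")
    private boolean superUserEnabled;

    // Bound to usergrid.sysadmin.login.name (default "admin"); compared exactly (case-sensitive)
    // against the admin user's username.
    @Value("${usergrid.sysadmin.login.name:admin}")
    private String superUser;

    /** Creates a realm with the fixed {@link AllowAllCredentialsMatcher} and {@link CustomPermissionResolver}. */
    public Realm() {
        setCredentialsMatcher(new AllowAllCredentialsMatcher());
        setPermissionResolver(new CustomPermissionResolver());
    }

    /**
     * Creates a realm using the given cache manager.
     *
     * @param cacheManager cache manager passed through to {@link AuthorizingRealm}
     */
    public Realm(CacheManager cacheManager) {
        super(cacheManager);
        setCredentialsMatcher(new AllowAllCredentialsMatcher());
        setPermissionResolver(new CustomPermissionResolver());
    }

    /**
     * Creates a realm. The supplied matcher is deliberately ignored: this realm always uses
     * {@link AllowAllCredentialsMatcher} (see {@link #setCredentialsMatcher}).
     *
     * @param credentialsMatcher ignored
     */
    public Realm(CredentialsMatcher credentialsMatcher) {
        super(new AllowAllCredentialsMatcher());
        setPermissionResolver(new CustomPermissionResolver());
    }

    /**
     * Creates a realm using the given cache manager. The supplied matcher is deliberately ignored:
     * this realm always uses {@link AllowAllCredentialsMatcher} (see {@link #setCredentialsMatcher}).
     *
     * @param cacheManager cache manager passed through to {@link AuthorizingRealm}
     * @param credentialsMatcher ignored
     */
    public Realm(CacheManager cacheManager, CredentialsMatcher credentialsMatcher) {
        super(cacheManager, new AllowAllCredentialsMatcher());
        setPermissionResolver(new CustomPermissionResolver());
    }

    /**
     * Installs the credentials matcher, silently substituting {@link AllowAllCredentialsMatcher} for
     * anything else. Credential verification is not performed by this realm.
     *
     * @param credentialsMatcher requested matcher; replaced unless it already is an {@code AllowAllCredentialsMatcher}
     */
    @Override
    public void setCredentialsMatcher(CredentialsMatcher credentialsMatcher) {
        if (!(credentialsMatcher instanceof AllowAllCredentialsMatcher)) {
            logger.debug("Replacing {} with AllowAllCredentialsMatcher", credentialsMatcher);
            credentialsMatcher = new AllowAllCredentialsMatcher();
        }
        super.setCredentialsMatcher(credentialsMatcher);
    }

    /**
     * Installs the permission resolver, silently substituting {@link CustomPermissionResolver} for
     * anything else.
     *
     * @param permissionResolver requested resolver; replaced unless it already is a {@code CustomPermissionResolver}
     */
    @Override
    public void setPermissionResolver(PermissionResolver permissionResolver) {
        if (!(permissionResolver instanceof CustomPermissionResolver)) {
            // Log message previously named the credentials matcher by mistake.
            logger.debug("Replacing {} with CustomPermissionResolver", permissionResolver);
            permissionResolver = new CustomPermissionResolver();
        }
        super.setPermissionResolver(permissionResolver);
    }

    /** @param entityManagerFactory factory used to open per-application entity managers */
    @Autowired
    public void setEntityManagerFactory(EntityManagerFactory entityManagerFactory) {
        this.emf = entityManagerFactory;
    }

    /** @param managementService service used to resolve organization and application membership */
    @Autowired
    public void setManagementService(ManagementService managementService) {
        this.management = managementService;
    }

    /** @param tokenService service used to look up access-token metadata (inactivity) */
    @Autowired
    public void setTokenService(TokenService tokenService) {
        this.tokens = tokenService;
    }

    /**
     * Accepts the token when its principal/credential types form a supported pairing.
     *
     * <p>No credential value is compared here. The activated/disabled checks run before the pairing
     * check, so an unactivated or disabled principal is reported as such even when the credential type
     * does not match. {@link ClientCredentials} are accepted regardless of the principal, which may be
     * {@code null} in that case.
     *
     * @param authenticationToken must be a {@link PrincipalCredentialsToken} (guaranteed by {@link #supports})
     * @return authentication info carrying the token's principal and credentials
     * @throws CredentialsException if the token carries no credentials
     * @throws AuthenticationException if the principal is unactivated or disabled, or the pairing is unsupported
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        PrincipalCredentialsToken token = (PrincipalCredentialsToken) authenticationToken;
        if (token.getCredentials() == null) {
            throw new CredentialsException("Missing credentials");
        }
        PrincipalIdentifier principal = token.getPrincipal();
        PrincipalCredentials credentials = token.getCredentials();
        boolean pairingSupported = isSupportedPairing(principal, credentials);
        if (principal != null) {
            if (!principal.isActivated()) {
                throw new AuthenticationException("Unactivated identity");
            }
            if (principal.isDisabled()) {
                throw new AuthenticationException("Disabled identity");
            }
        }
        if (!pairingSupported) {
            throw new AuthenticationException("Unable to authenticate");
        }
        logger.debug("Authenticated: {}", principal);
        return new SimpleAuthenticationInfo(token.getPrincipal(), token.getCredentials(), getName());
    }

    /**
     * Type-only check of which credential kinds may accompany which principal kinds.
     *
     * @param principal principal from the token, possibly {@code null}
     * @param credentials credentials from the token, never {@code null} here
     * @return {@code true} for a supported pairing
     */
    private static boolean isSupportedPairing(PrincipalIdentifier principal, PrincipalCredentials credentials) {
        return credentials instanceof ClientCredentials
                || (principal instanceof AdminUserPrincipal && credentials instanceof AdminUserPassword)
                || (principal instanceof AdminUserPrincipal && credentials instanceof AdminUserAccessToken)
                || (principal instanceof ApplicationUserPrincipal && credentials instanceof ApplicationUserAccessToken)
                || (principal instanceof ApplicationPrincipal && credentials instanceof ApplicationAccessToken)
                || (principal instanceof OrganizationPrincipal && credentials instanceof OrganizationAccessToken);
    }

    /**
     * Builds roles and permissions for every {@link PrincipalIdentifier} in the collection.
     *
     * <p>Side effect: the organizations and applications resolved along the way are stored on the
     * current subject's session under {@code "organizations"}, {@code "applications"},
     * {@code "organization"} and {@code "application"}.
     *
     * @param principalCollection principals of the subject being authorized
     * @return the accumulated roles and string permissions
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        // Resolved during the walk and published on the session afterwards.
        BiMap<UUID, String> organizations = HashBiMap.create();
        BiMap<UUID, String> applications = HashBiMap.create();
        OrganizationInfo organization = null;
        ApplicationInfo application = null;
        // Branch order matters: the first matching instanceof wins.
        for (PrincipalIdentifier principal : principalCollection.byType(PrincipalIdentifier.class)) {
            if (principal instanceof OrganizationPrincipal) {
                organization = grantOrganizationPrincipal(info, (OrganizationPrincipal) principal, organizations, applications);
            } else if (principal instanceof ApplicationPrincipal) {
                application = grantApplicationPrincipal(info, (ApplicationPrincipal) principal, applications);
            } else if (principal instanceof AdminUserPrincipal) {
                grantAdminUserPrincipal(info, (AdminUserPrincipal) principal, organizations, applications);
            } else if (principal instanceof ApplicationUserPrincipal) {
                ApplicationInfo resolved = grantApplicationUserPrincipal(info, (ApplicationUserPrincipal) principal, applications);
                if (resolved != null) {
                    application = resolved;
                }
            } else if (principal instanceof ApplicationGuestPrincipal) {
                ApplicationInfo resolved = grantApplicationGuestPrincipal(info, (ApplicationGuestPrincipal) principal, applications);
                if (resolved != null) {
                    application = resolved;
                }
            }
        }
        Session session = SecurityUtils.getSubject().getSession();
        session.setAttribute("applications", applications);
        session.setAttribute("organizations", organizations);
        if (organization != null) {
            session.setAttribute("organization", organization);
        }
        if (application != null) {
            session.setAttribute("application", application);
        }
        return info;
    }

    /**
     * Grants an organization principal admin over the organization and all of its applications.
     *
     * @return the organization the principal represents
     */
    private OrganizationInfo grantOrganizationPrincipal(SimpleAuthorizationInfo info, OrganizationPrincipal principal,
            BiMap<UUID, String> organizations, BiMap<UUID, String> applications) {
        OrganizationInfo organization = principal.getOrganization();
        role(info, principal, ROLE_ORGANIZATION_ADMIN);
        role(info, principal, ROLE_APPLICATION_ADMIN);
        grant(info, principal, "organizations:access:" + organization.getUuid());
        organizations.put(organization.getUuid(), organization.getName());
        BiMap<UUID, String> orgApps = null;
        try {
            orgApps = this.management.getApplicationsForOrganization(organization.getUuid());
        } catch (Exception e) {
            // Previously printStackTrace(); failure means no application grants for this principal.
            logger.error("Unable to retrieve applications for organization", (Throwable) e);
        }
        if (orgApps != null && !orgApps.isEmpty()) {
            grant(info, principal, APPLICATIONS_ALL + StringUtils.join(orgApps.keySet(), ','));
            applications.putAll(orgApps);
        }
        return organization;
    }

    /**
     * Grants an application principal admin over its application.
     *
     * @return the application the principal represents
     */
    private static ApplicationInfo grantApplicationPrincipal(SimpleAuthorizationInfo info, ApplicationPrincipal principal,
            BiMap<UUID, String> applications) {
        role(info, principal, ROLE_APPLICATION_ADMIN);
        ApplicationInfo application = principal.getApplication();
        grant(info, principal, APPLICATIONS_ALL + application.getId());
        applications.put(application.getId(), application.getName());
        return application;
    }

    /**
     * Grants an admin user either the full service-admin set (configured super user) or admin over
     * the organizations and applications the management service reports for the user.
     */
    private void grantAdminUserPrincipal(SimpleAuthorizationInfo info, AdminUserPrincipal principal,
            BiMap<UUID, String> organizations, BiMap<UUID, String> applications) {
        UserInfo user = principal.getUser();
        if (isSuperUser(user)) {
            role(info, principal, ROLE_SERVICE_ADMIN);
            role(info, principal, ROLE_ORGANIZATION_ADMIN);
            role(info, principal, ROLE_APPLICATION_ADMIN);
            role(info, principal, ROLE_ADMIN_USER);
            grant(info, principal, "system:access");
            grant(info, principal, ORGANIZATIONS_ALL + "*");
            grant(info, principal, APPLICATIONS_ALL + "*");
            grant(info, principal, ORGANIZATIONS_ALL + "*:/**");
            grant(info, principal, APPLICATIONS_ALL + "*:/**");
            grant(info, principal, "users:access:*");
            grantManagementAccess(info, principal);
            return;
        }
        grantManagementAccess(info, principal);
        role(info, principal, ROLE_ADMIN_USER);
        try {
            BiMap<UUID, String> userOrgs = this.management.getOrganizationsForAdminUser(user.getUuid());
            if (userOrgs != null) {
                for (UUID orgId : userOrgs.keySet()) {
                    grant(info, principal, ORGANIZATIONS_ALL + orgId);
                }
                organizations.putAll(userOrgs);
                BiMap<UUID, String> orgApps = this.management.getApplicationsForOrganizations(userOrgs.keySet());
                if (orgApps != null && !orgApps.isEmpty()) {
                    grant(info, principal, APPLICATIONS_ALL + StringUtils.join(orgApps.keySet(), ','));
                    applications.putAll(orgApps);
                }
                role(info, principal, ROLE_ORGANIZATION_ADMIN);
                role(info, principal, ROLE_APPLICATION_ADMIN);
            }
        } catch (Exception e) {
            logger.error("Unable to construct admin user permissions", (Throwable) e);
        }
    }

    /** @return {@code true} when sysadmin login is enabled and the username equals the configured super user exactly */
    private boolean isSuperUser(UserInfo user) {
        return this.superUserEnabled && this.superUser != null && this.superUser.equals(user.getUsername());
    }

    /** Grants access plus all HTTP operations on the management application; shared by both admin-user paths. */
    private static void grantManagementAccess(SimpleAuthorizationInfo info, PrincipalIdentifier principal) {
        grant(info, principal, SubjectUtils.getPermissionFromPath(CassandraService.MANAGEMENT_APPLICATION_ID, "access", new String[0]));
        grant(info, principal, SubjectUtils.getPermissionFromPath(CassandraService.MANAGEMENT_APPLICATION_ID, "get,put,post,delete", "/**"));
    }

    /**
     * Grants an application user: application access, the {@code "default"} role's permissions, the
     * user's own permissions, the user's roles and the roles of the groups the user belongs to.
     * Each lookup is independent; a failure is logged and only that set of grants is skipped.
     *
     * @return the application, or {@code null} if its name could not be resolved
     */
    private ApplicationInfo grantApplicationUserPrincipal(SimpleAuthorizationInfo info, ApplicationUserPrincipal principal,
            BiMap<UUID, String> applications) {
        role(info, principal, ROLE_APPLICATION_USER);
        UUID applicationId = principal.getApplicationId();
        TokenInfo tokenInfo = lookupTokenInfo(principal.getAccessTokenCredentials());
        grant(info, principal, SubjectUtils.getPermissionFromPath(applicationId, "access", new String[0]));
        EntityManager em = this.emf.getEntityManager(applicationId);
        ApplicationInfo application = resolveApplication(em, applicationId, applications);
        try {
            grant(info, principal, applicationId, em.getRolePermissions("default"));
        } catch (Exception e) {
            logger.error("Unable to get user default role permissions", (Throwable) e);
        }
        UserInfo user = principal.getUser();
        try {
            grant(info, principal, applicationId, em.getUserPermissions(user.getUuid()));
        } catch (Exception e) {
            logger.error("Unable to get user permissions", (Throwable) e);
        }
        try {
            grantAppRoles(info, em, applicationId, tokenInfo, principal, em.getUserRoles(user.getUuid()));
        } catch (Exception e) {
            logger.error("Unable to get user role permissions", (Throwable) e);
        }
        try {
            Set<String> groupRoles = groupRoleNames(em, user.getUuid());
            if (groupRoles != null) {
                grantAppRoles(info, em, applicationId, tokenInfo, principal, groupRoles);
            }
        } catch (Exception e) {
            logger.error("Unable to get user group role permissions", (Throwable) e);
        }
        return application;
    }

    /**
     * Grants a guest: application access plus the {@code "guest"} role's permissions.
     *
     * @return the application, or {@code null} if its name could not be resolved
     */
    private ApplicationInfo grantApplicationGuestPrincipal(SimpleAuthorizationInfo info, ApplicationGuestPrincipal principal,
            BiMap<UUID, String> applications) {
        role(info, principal, ROLE_APPLICATION_USER);
        UUID applicationId = principal.getApplicationId();
        EntityManager em = this.emf.getEntityManager(applicationId);
        ApplicationInfo application = resolveApplication(em, applicationId, applications);
        grant(info, principal, SubjectUtils.getPermissionFromPath(applicationId, "access", new String[0]));
        try {
            grant(info, principal, applicationId, em.getRolePermissions("guest"));
        } catch (Exception e) {
            logger.error("Unable to get user default role permissions", (Throwable) e);
        }
        return application;
    }

    /**
     * Looks up the token metadata used for the role inactivity check.
     *
     * <p>NOTE(review): a failed lookup yields {@code null}, and {@link #grantAppRoles} treats a
     * {@code null} token as "no inactivity limit" — so a token-service error disables that gate
     * rather than failing closed. Confirm this is the intended trade-off.
     *
     * @return the token info, or {@code null} when there are no token credentials or the lookup failed
     */
    private TokenInfo lookupTokenInfo(AccessTokenCredentials accessTokenCredentials) {
        if (accessTokenCredentials == null) {
            return null;
        }
        TokenInfo tokenInfo = null;
        try {
            tokenInfo = this.tokens.getTokenInfo(accessTokenCredentials.getToken());
        } catch (Exception e) {
            logger.error("Unable to retrieve token info", (Throwable) e);
        }
        logger.debug("Token: {}", tokenInfo);
        return tokenInfo;
    }

    /**
     * Reads the application's name and records it in {@code applications}. Best effort: the name only
     * feeds the session attributes, never a grant, so failures are logged at debug level.
     *
     * @return the application info, or {@code null} if the name could not be read or recorded
     */
    private static ApplicationInfo resolveApplication(EntityManager em, UUID applicationId, BiMap<UUID, String> applications) {
        try {
            String name = (String) em.getProperty(em.getApplicationRef(), "name");
            applications.put(applicationId, name);
            return new ApplicationInfo(applicationId, name);
        } catch (Exception e) {
            // Previously swallowed silently; includes a BiMap value collision on put.
            logger.debug("Unable to resolve application name", (Throwable) e);
            return null;
        }
    }

    /**
     * Collects the names of every role attached to every group the user is a member of.
     *
     * @return the role names, or {@code null} when the groups query returned no result object
     */
    private static Set<String> groupRoleNames(EntityManager em, UUID userId) throws Exception {
        Results groups = em.getCollection(new SimpleEntityRef(User.ENTITY_TYPE, userId), "groups", null,
                GROUP_QUERY_LIMIT, Results.Level.IDS, false);
        if (groups == null) {
            return null;
        }
        Set<String> names = new HashSet<String>();
        for (UUID groupId : groups.getIds()) {
            Results roles = em.getCollection(new SimpleEntityRef("group", groupId), "roles", null,
                    GROUP_QUERY_LIMIT, Results.Level.CORE_PROPERTIES, false);
            for (Entity role : roles.getEntities()) {
                names.add(role.getName());
            }
        }
        return names;
    }

    /**
     * Grants each named role's permissions and an {@code application-role:<app>:<role>} role, except
     * where the role defines an inactivity limit that the token's idle time exceeds.
     *
     * @param tokenInfo token metadata; {@code null} disables the inactivity check
     * @param roleNames role names to grant
     * @throws Exception from the entity manager lookups
     */
    private void grantAppRoles(SimpleAuthorizationInfo info, EntityManager em, UUID applicationId, TokenInfo tokenInfo,
            PrincipalIdentifier principal, Set<String> roleNames) throws Exception {
        Map<String, Role> roles = em.getRolesWithTitles(roleNames);
        for (String roleName : roleNames) {
            if (exceedsRoleInactivity(roles, roleName, tokenInfo)) {
                continue;
            }
            grant(info, principal, applicationId, em.getRolePermissions(roleName));
            role(info, principal, "application-role:" + applicationId + ":" + roleName);
        }
    }

    /**
     * @return {@code true} only when the role is known, carries a positive inactivity limit and the
     *         token has been idle longer than that limit; any missing piece means "grant"
     */
    private static boolean exceedsRoleInactivity(Map<String, Role> roles, String roleName, TokenInfo tokenInfo) {
        if (roles == null || tokenInfo == null) {
            return false;
        }
        Role role = roles.get(roleName);
        if (role == null) {
            return false;
        }
        long limit = role.getInactivity().longValue();
        return limit > 0 && tokenInfo.getInactive() > limit;
    }

    /**
     * Adds a string permission to the authorization info.
     *
     * @param simpleAuthorizationInfo target
     * @param principalIdentifier principal, used for logging only
     * @param str the Shiro wildcard permission string
     */
    public static void grant(SimpleAuthorizationInfo simpleAuthorizationInfo, PrincipalIdentifier principalIdentifier, String str) {
        logger.debug("Principal {} granted permission: {}", principalIdentifier, str);
        simpleAuthorizationInfo.addStringPermission(str);
    }

    /**
     * Adds a role to the authorization info.
     *
     * @param simpleAuthorizationInfo target
     * @param principalIdentifier principal, used for logging only
     * @param str the role name
     */
    public static void role(SimpleAuthorizationInfo simpleAuthorizationInfo, PrincipalIdentifier principalIdentifier, String str) {
        logger.debug("Principal {} added to role: {}", principalIdentifier, str);
        simpleAuthorizationInfo.addRole(str);
    }

    /**
     * Translates application-scoped permission entries ({@code "ops:path"} or just {@code "path"}) into
     * {@code applications:<ops>:<appId>:<path>} grants. A missing or blank ops part becomes {@code "*"}.
     *
     * @param permissions entries to translate; {@code null} and blank entries are skipped
     */
    private static void grant(SimpleAuthorizationInfo simpleAuthorizationInfo, PrincipalIdentifier principalIdentifier,
            UUID uuid, Set<String> permissions) {
        if (permissions == null) {
            return;
        }
        for (String permission : permissions) {
            if (StringUtils.isBlank(permission)) {
                continue;
            }
            String operations = permission.indexOf(':') != -1
                    ? org.usergrid.utils.StringUtils.stringOrSubstringBeforeFirst(permission, ':')
                    : "*";
            if (StringUtils.isBlank(operations)) {
                operations = "*";
            }
            grant(simpleAuthorizationInfo, principalIdentifier, "applications:" + operations + ":" + uuid + ":"
                    + org.usergrid.utils.StringUtils.stringOrSubstringAfterFirst(permission, ':'));
        }
    }

    /**
     * @return {@code true} only for {@link PrincipalCredentialsToken}, which makes the cast in
     *         {@link #doGetAuthenticationInfo} safe
     */
    @Override
    public boolean supports(AuthenticationToken authenticationToken) {
        return authenticationToken instanceof PrincipalCredentialsToken;
    }
}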
