package org.yamcs.security;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CopyOnWriteArraySet;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import org.yamcs.InitException;
import org.yamcs.Spec;
import org.yamcs.ValidationException;
import org.yamcs.YConfiguration;
import org.yamcs.activities.ActivityDb;
import org.yamcs.logging.Log;
import org.yamcs.utils.YObjectLoader;

/* loaded from: input_file:org/yamcs/security/SecurityStore.class */
public class SecurityStore {
    private static final Log log = new Log(SecurityStore.class);
    private boolean enabled;
    private User systemUser;
    private User guestUser;
    private Directory directory;
    private SessionManager sessionManager;
    private boolean blockUnknownUsers;
    private int accessTokenLifespan;
    private UserCache userCache = new UserCache();
    private List<AuthModule> authModules = new ArrayList();
    private Set<SystemPrivilege> systemPrivileges = new CopyOnWriteArraySet();
    private Set<ObjectPrivilegeType> objectPrivilegeTypes = new CopyOnWriteArraySet();
    private Map<String, String> apiKey2username = new ConcurrentHashMap();
    private ExecutorService loginExecutor = Executors.newSingleThreadExecutor();

    public SecurityStore() throws InitException {
        try {
            YConfiguration readConfig = readConfig();
            this.enabled = readConfig.getBoolean("enabled");
            generatePredefinedUsers(readConfig);
            generatePredefinedPrivileges();
            this.directory = new Directory();
            this.sessionManager = new SessionManager();
            this.blockUnknownUsers = readConfig.getBoolean("blockUnknownUsers");
            this.accessTokenLifespan = readConfig.getInt("accessTokenLifespan");
            if (this.directory.getUsers().isEmpty()) {
                try {
                    generateDefaultAdminUser();
                } catch (IOException e) {
                    throw new InitException("Could not create default admin user", e);
                }
            }
            if (readConfig.containsKey("authModules")) {
                Iterator<YConfiguration> it = readConfig.getConfigList("authModules").iterator();
                while (it.hasNext()) {
                    AuthModule loadAuthModule = loadAuthModule(it.next());
                    this.authModules.add(loadAuthModule);
                    if (loadAuthModule instanceof SessionListener) {
                        this.sessionManager.addSessionListener((SessionListener) loadAuthModule);
                    }
                }
            }
            this.authModules.add(new DirectoryAuthModule());
            this.authModules.add(new ApiKeyAuthModule());
        } catch (ValidationException e2) {
            throw new InitException(e2);
        }
    }

    private void generatePredefinedUsers(YConfiguration yConfiguration) {
        this.systemUser = new User("System", null);
        this.systemUser.setId(1);
        this.systemUser.setDisplayName("System");
        this.systemUser.setSuperuser(true);
        YConfiguration config = yConfiguration.getConfig("guest");
        String string = config.getString("username");
        this.guestUser = new User(string, this.systemUser);
        this.guestUser.setId(2);
        this.guestUser.setDisplayName(config.getString("displayName", string));
        this.guestUser.setSuperuser(config.getBoolean("superuser"));
        this.guestUser.setActive(!this.enabled);
        if (config.containsKey("privileges")) {
            YConfiguration config2 = config.getConfig("privileges");
            for (String str : config2.getKeys()) {
                List list = config2.getList(str);
                if (str.equals("System")) {
                    Iterator it = list.iterator();
                    while (it.hasNext()) {
                        this.guestUser.addSystemPrivilege(new SystemPrivilege((String) it.next()), false);
                    }
                } else {
                    ObjectPrivilegeType objectPrivilegeType = new ObjectPrivilegeType(str);
                    Iterator it2 = list.iterator();
                    while (it2.hasNext()) {
                        this.guestUser.addObjectPrivilege(new ObjectPrivilege(objectPrivilegeType, (String) it2.next()), false);
                    }
                }
            }
        }
    }

    private void generateDefaultAdminUser() throws IOException {
        User user = new User("admin", this.systemUser);
        user.setDisplayName("Administrator");
        user.setSuperuser(true);
        user.setEmail("admin@example.com");
        user.setActive(true);
        user.confirm();
        this.directory.addUser(user);
        this.directory.changePassword(user, "admin".toCharArray());
    }

    private void generatePredefinedPrivileges() {
        this.systemPrivileges.add(SystemPrivilege.ChangeMissionDatabase);
        this.systemPrivileges.add(SystemPrivilege.CommandOptions);
        this.systemPrivileges.add(SystemPrivilege.ControlAccess);
        this.systemPrivileges.add(SystemPrivilege.ControlActivities);
        this.systemPrivileges.add(SystemPrivilege.ControlAlarms);
        this.systemPrivileges.add(SystemPrivilege.ControlArchiving);
        this.systemPrivileges.add(SystemPrivilege.ControlCommandClearances);
        this.systemPrivileges.add(SystemPrivilege.ControlCommandQueue);
        this.systemPrivileges.add(SystemPrivilege.ControlLinks);
        this.systemPrivileges.add(SystemPrivilege.ControlFileTransfers);
        this.systemPrivileges.add(SystemPrivilege.ControlProcessor);
        this.systemPrivileges.add(SystemPrivilege.ControlServices);
        this.systemPrivileges.add(SystemPrivilege.ControlTimeline);
        this.systemPrivileges.add(SystemPrivilege.ControlTimeCorrelation);
        this.systemPrivileges.add(SystemPrivilege.CreateInstances);
        this.systemPrivileges.add(SystemPrivilege.GetMissionDatabase);
        this.systemPrivileges.add(SystemPrivilege.ManageAnyBucket);
        this.systemPrivileges.add(SystemPrivilege.ManageParameterLists);
        this.systemPrivileges.add(SystemPrivilege.ModifyCommandHistory);
        this.systemPrivileges.add(SystemPrivilege.ReadActivities);
        this.systemPrivileges.add(SystemPrivilege.ReadAlarms);
        this.systemPrivileges.add(SystemPrivilege.ReadCommandHistory);
        this.systemPrivileges.add(SystemPrivilege.ReadFileTransfers);
        this.systemPrivileges.add(SystemPrivilege.ReadEvents);
        this.systemPrivileges.add(SystemPrivilege.ReadLinks);
        this.systemPrivileges.add(SystemPrivilege.ReadSystemInfo);
        this.systemPrivileges.add(SystemPrivilege.ReadTables);
        this.systemPrivileges.add(SystemPrivilege.ReadTimeline);
        this.systemPrivileges.add(SystemPrivilege.WriteEvents);
        this.systemPrivileges.add(SystemPrivilege.WriteTables);
        this.objectPrivilegeTypes.add(ObjectPrivilegeType.Command);
        this.objectPrivilegeTypes.add(ObjectPrivilegeType.CommandHistory);
        this.objectPrivilegeTypes.add(ObjectPrivilegeType.ManageBucket);
        this.objectPrivilegeTypes.add(ObjectPrivilegeType.ReadAlgorithm);
        this.objectPrivilegeTypes.add(ObjectPrivilegeType.ReadBucket);
        this.objectPrivilegeTypes.add(ObjectPrivilegeType.ReadPacket);
        this.objectPrivilegeTypes.add(ObjectPrivilegeType.ReadParameter);
        this.objectPrivilegeTypes.add(ObjectPrivilegeType.Stream);
        this.objectPrivilegeTypes.add(ObjectPrivilegeType.WriteParameter);
    }

    public boolean isEnabled() {
        return this.enabled;
    }

    public void addSystemPrivilege(SystemPrivilege systemPrivilege) {
        this.systemPrivileges.add(systemPrivilege);
    }

    public void addObjectPrivilegeType(ObjectPrivilegeType objectPrivilegeType) {
        this.objectPrivilegeTypes.add(objectPrivilegeType);
    }

    private AuthModule loadAuthModule(YConfiguration yConfiguration) throws InitException {
        String string = yConfiguration.getString("class");
        YConfiguration emptyConfig = YConfiguration.emptyConfig();
        if (yConfiguration.containsKey(ActivityDb.CNAME_ARGS)) {
            emptyConfig = yConfiguration.getConfig(ActivityDb.CNAME_ARGS);
        }
        log.debug("Loading AuthModule " + string);
        try {
            AuthModule authModule = (AuthModule) YObjectLoader.loadObject(string, new Object[0]);
            Spec spec = authModule.getSpec();
            if (log.isDebugEnabled()) {
                log.debug("Raw args for {}: {}", string, spec.maskSecrets(emptyConfig.getRoot()));
            }
            YConfiguration validate = spec.validate(emptyConfig);
            if (log.isDebugEnabled()) {
                log.debug("Initializing {} with resolved args: {}", string, spec.maskSecrets(validate.getRoot()));
            }
            authModule.init(validate);
            return authModule;
        } catch (ValidationException e) {
            throw new InitException(e);
        }
    }

    private YConfiguration readConfig() throws ValidationException {
        Spec spec = new Spec();
        spec.addOption("class", Spec.OptionType.STRING).withRequired(true);
        spec.addOption(ActivityDb.CNAME_ARGS, Spec.OptionType.ANY);
        Spec spec2 = new Spec();
        spec2.addOption("username", Spec.OptionType.STRING).withDefault("guest");
        spec2.addOption("displayName", Spec.OptionType.STRING);
        spec2.addOption("superuser", Spec.OptionType.BOOLEAN).withDefault(true);
        spec2.addOption("privileges", Spec.OptionType.ANY);
        Spec spec3 = new Spec();
        spec3.addOption("blockUnknownUsers", Spec.OptionType.BOOLEAN).withDefault(false);
        spec3.addOption("authModules", Spec.OptionType.LIST).withElementType(Spec.OptionType.MAP).withSpec(spec);
        boolean isDefined = YConfiguration.isDefined("security");
        spec3.addOption("enabled", Spec.OptionType.BOOLEAN).withDefault(Boolean.valueOf(isDefined));
        spec3.addOption("guest", Spec.OptionType.MAP).withSpec(spec2).withApplySpecDefaults(true);
        spec3.addOption("accessTokenLifespan", Spec.OptionType.INTEGER).withDefault(500000);
        YConfiguration emptyConfig = YConfiguration.emptyConfig();
        if (isDefined) {
            emptyConfig = YConfiguration.getConfiguration("security");
        }
        return spec3.validate(emptyConfig);
    }

    public Directory getDirectory() {
        return this.directory;
    }

    public SessionManager getSessionManager() {
        return this.sessionManager;
    }

    public List<AuthModule> getAuthModules() {
        return this.authModules;
    }

    public <T extends AuthModule> T getAuthModule(Class<T> cls) {
        Iterator<AuthModule> it = this.authModules.iterator();
        while (it.hasNext()) {
            T t = (T) it.next();
            if (t.getClass() == cls) {
                return t;
            }
        }
        return null;
    }

    public Set<SystemPrivilege> getSystemPrivileges() {
        return this.systemPrivileges;
    }

    public Set<ObjectPrivilegeType> getObjectPrivilegeTypes() {
        return this.objectPrivilegeTypes;
    }

    public int getAccessTokenLifespan() {
        return this.accessTokenLifespan;
    }

    public User getSystemUser() {
        return this.systemUser;
    }

    public User getGuestUser() {
        return this.guestUser;
    }

    public CompletableFuture<AuthenticationInfo> login(AuthenticationToken authenticationToken) {
        CompletableFuture<AuthenticationInfo> completableFuture = new CompletableFuture<>();
        CompletableFuture.runAsync(() -> {
            AuthenticationInfo authenticationInfo = null;
            Iterator<AuthModule> it = this.authModules.iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                AuthModule next = it.next();
                try {
                    authenticationInfo = next.getAuthenticationInfo(authenticationToken);
                    if (authenticationInfo != null) {
                        break;
                    } else {
                        log.trace("User does not exist according to {}", next.getClass().getName());
                    }
                } catch (AuthenticationException e) {
                    log.info("{} aborted the login process", next.getClass().getName());
                    completableFuture.completeExceptionally(e);
                    return;
                } catch (Exception e2) {
                    log.info("{} threw an unexpected exception", next.getClass().getName());
                    completableFuture.completeExceptionally(e2);
                    return;
                }
            }
            if (authenticationInfo == null) {
                log.info("Cannot identify account for token");
                completableFuture.completeExceptionally(new AuthenticationException("Cannot identify account for token"));
                return;
            }
            for (AuthModule authModule : this.authModules) {
                try {
                    authModule.authenticationSucceeded(authenticationInfo);
                } catch (Exception e3) {
                    log.info("{} threw an unexpected exception", authModule.getClass().getName());
                    completableFuture.completeExceptionally(e3);
                    return;
                }
            }
            if (authenticationInfo instanceof SystemUserAuthenticationInfo) {
                this.userCache.putUserInCache(this.systemUser);
                completableFuture.complete(authenticationInfo);
                return;
            }
            if (isReservedUsername(authenticationInfo.getUsername())) {
                log.warn("Denying access to {}. Username is reserved.", authenticationInfo.getUsername());
                completableFuture.completeExceptionally(new AuthenticationException("Access denied"));
                return;
            }
            User user = this.directory.getUser(authenticationInfo.getUsername());
            if (user == null) {
                user = new User(authenticationInfo.getUsername(), this.systemUser);
                if (!this.blockUnknownUsers) {
                    user.confirm();
                }
                try {
                    this.directory.addUser(user);
                } catch (IOException e4) {
                    completableFuture.completeExceptionally(e4);
                    return;
                }
            }
            if (!user.isActive()) {
                log.warn("Denying access to {}. Account is not active.", user);
                completableFuture.completeExceptionally(new AuthenticationException("Access denied"));
                return;
            }
            for (AuthModule authModule2 : this.authModules) {
                try {
                    AuthorizationInfo authorizationInfo = authModule2.getAuthorizationInfo(authenticationInfo);
                    if (authorizationInfo != null) {
                        if (authorizationInfo.isSuperuser()) {
                            user.setSuperuser(true);
                        }
                        Iterator<String> it2 = authorizationInfo.getRoles().iterator();
                        while (it2.hasNext()) {
                            user.addRole(it2.next(), true);
                        }
                        Iterator<SystemPrivilege> it3 = authorizationInfo.getSystemPrivileges().iterator();
                        while (it3.hasNext()) {
                            user.addSystemPrivilege(it3.next(), true);
                        }
                        Iterator<ObjectPrivilege> it4 = authorizationInfo.getObjectPrivileges().iterator();
                        while (it4.hasNext()) {
                            user.addObjectPrivilege(it4.next(), true);
                        }
                    }
                } catch (AuthorizationException e5) {
                    log.info("{} aborted the login process", authModule2.getClass().getName());
                    completableFuture.completeExceptionally(e5);
                    return;
                } catch (Exception e6) {
                    log.info("{} threw an unexpected exception", authModule2.getClass().getName());
                    completableFuture.completeExceptionally(e6);
                    return;
                }
            }
            log.info("Successfully logged in {}", user);
            user.updateLoginData();
            if (!authenticationInfo.getExternalIdentities().isEmpty()) {
                Map<String, String> externalIdentities = authenticationInfo.getExternalIdentities();
                User user2 = user;
                Objects.requireNonNull(user2);
                externalIdentities.forEach(user2::addIdentity);
                if (authenticationInfo.getDisplayName() != null) {
                    user.setDisplayName(authenticationInfo.getDisplayName());
                }
                if (authenticationInfo.getEmail() != null) {
                    user.setEmail(authenticationInfo.getEmail());
                }
            }
            try {
                this.directory.updateUserProperties(user);
                this.userCache.putUserInCache(user);
                completableFuture.complete(authenticationInfo);
            } catch (Throwable th) {
                completableFuture.completeExceptionally(th);
            }
        }, this.loginExecutor);
        return completableFuture;
    }

    public User getUserFromCache(String str) {
        return this.userCache.getUserFromCache(str);
    }

    private boolean isReservedUsername(String str) {
        return this.systemUser.getName().equals(str) || this.guestUser.getName().equals(str);
    }

    public boolean verifyValidity(AuthenticationInfo authenticationInfo) {
        for (AuthModule authModule : this.authModules) {
            if (authenticationInfo != null && authModule.equals(authenticationInfo.getAuthenticator())) {
                return authModule.verifyValidity(authenticationInfo);
            }
        }
        return true;
    }

    public String getUsernameForApiKey(String str) {
        return this.apiKey2username.get(str);
    }

    public String generateApiKey(String str) {
        String uuid = UUID.randomUUID().toString();
        this.apiKey2username.put(uuid, str);
        return uuid;
    }

    public void removeApiKey(String str) {
        this.apiKey2username.remove(str);
    }
}
