package org.gridgain.grid.security.rolebased;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.EnumSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.ignite.Ignite;
import org.apache.ignite.IgniteCheckedException;
import org.apache.ignite.IgniteException;
import org.apache.ignite.IgniteLogger;
import org.apache.ignite.cluster.ClusterState;
import org.apache.ignite.internal.util.tostring.GridToStringExclude;
import org.apache.ignite.internal.util.typedef.F;
import org.apache.ignite.internal.util.typedef.T2;
import org.apache.ignite.internal.util.typedef.T3;
import org.apache.ignite.lifecycle.LifecycleAware;
import org.apache.ignite.plugin.security.AuthenticationContext;
import org.apache.ignite.plugin.security.SecurityCredentials;
import org.apache.ignite.plugin.security.SecuritySubject;
import org.apache.ignite.plugin.security.SecuritySubjectType;
import org.apache.ignite.resources.IgniteInstanceResource;
import org.apache.ignite.resources.LoggerResource;
import org.gridgain.control.agent.utils.AgentUtils;
import org.gridgain.grid.internal.util.security.GridSecurityPermissionSetJsonParser;
import org.gridgain.grid.security.AuthenticationValidator;
import org.gridgain.grid.security.Authenticator;
import org.gridgain.grid.security.SecuritySubjectAdapter;

/* loaded from: input_file:org/gridgain/grid/security/rolebased/RoleBasedAuthenticator.class */
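/**
 * Authenticator that resolves a login to a permission set through a role.
 *
 * <p>Two credential sources are consulted, in this order:
 * <ol>
 *   <li>the statically configured users ({@link #setStaticUsers(Map)}), whose stored password is
 *       compared directly with the supplied one;</li>
 *   <li>the {@value #SECURITY_USERS_CACHE} cache, whose stored password is checked with
 *       {@code AgentUtils.checkBcrypt}. This source is only used while the cluster is
 *       {@code ACTIVE} or {@code ACTIVE_READ_ONLY}.</li>
 * </ol>
 * The role of the matched user is then mapped to a permission JSON document, taken from the static
 * roles or from the {@value #SECURITY_ROLES_CACHE} cache respectively.
 *
 * <p>Every authentication failure is reported by returning {@code null} from
 * {@link #authenticate(AuthenticationContext)}; no exception is used to signal a bad login.
 *
 * <p>NOTE(review): static user passwords are compared as given, which implies they are held in
 * clear text in the configuration, unlike the bcrypt-checked cache users. Confirm this is intended
 * and that the configuration file is protected accordingly.
 */
public class RoleBasedAuthenticator implements Authenticator, AuthenticationValidator, LifecycleAware {
    public static final String SECURITY_ROLES_CACHE = "ignite-roles-cache";
    public static final String SECURITY_USERS_CACHE = "ignite-users-cache";
    public static final String USER_ROLE = "user";

    // Login -> credential (role + password) for users defined in configuration. Never null.
    private Map<String, UserCredential> staticUsers = Collections.emptyMap();

    // Role name -> permission JSON for roles defined in configuration. Never null.
    private Map<String, String> staticRoles = Collections.emptyMap();

    @IgniteInstanceResource
    @GridToStringExclude
    private Ignite ignite;

    @LoggerResource
    private IgniteLogger log;

    /**
     * Builds a value describing the static configuration of this authenticator.
     *
     * <p>The token is a pair of (a) the static users sorted by login, each as a
     * (login, role, password) triple, and (b) the static role map.
     *
     * <p>NOTE(review): the token embeds every static user's password exactly as configured.
     * Where this object is sent, stored or logged is not visible from this class; confirm that it
     * never leaves a trusted channel, or that a digest would be acceptable to all peers instead.
     *
     * @return the configuration token; its layout must stay stable for peers that compare it.
     */
    public Object validationToken() {
        List<Object> users = this.staticUsers.entrySet().stream()
            .sorted(Map.Entry.comparingByKey())
            .<Object>map(entry -> new T3<>(
                entry.getKey(), entry.getValue().getRole(), entry.getValue().getPassword()))
            .collect(Collectors.toList());
        return new T2<>(users, this.staticRoles);
    }

    /**
     * Reports whether the given subject type can be authenticated here.
     *
     * @param securitySubjectType subject type being asked about; must not be {@code null}.
     * @return always {@code true}.
     */
    public boolean supported(SecuritySubjectType securitySubjectType) {
        assert securitySubjectType != null;
        return true;
    }

    /**
     * Authenticates the credentials carried by the context and builds the resulting subject.
     *
     * @param authenticationContext context holding the credentials, subject id/type, address and
     *     certificates; must not be {@code null}.
     * @return the authenticated subject with the permissions parsed from the role's JSON, or
     *     {@code null} when the credentials are missing, the login is not a non-empty string, the
     *     password does not match, the cluster is not active (cache users only), a required cache
     *     is absent, or the cache role has no permissions.
     * @throws IgniteCheckedException declared by the implemented contract.
     */
    public SecuritySubject authenticate(AuthenticationContext authenticationContext) throws IgniteCheckedException {
        assert authenticationContext != null;

        SecurityCredentials credentials = authenticationContext.credentials();
        if (credentials == null) {
            return null;
        }
        // The login is client-supplied; anything that is not a non-empty String is rejected
        // instead of failing with a ClassCastException further down.
        Object rawLogin = credentials.getLogin();
        if (!(rawLogin instanceof String) || ((String) rawLogin).isEmpty()) {
            return null;
        }
        String login = (String) rawLogin;

        String permissionsJson;
        UserCredential staticUser = this.staticUsers.get(login);
        if (staticUser != null) {
            if (!passwordsMatch(staticUser.getPassword(), credentials.getPassword())) {
                if (this.log.isInfoEnabled()) {
                    this.log.info("Failed to authenticate (password is wrong): " + forLog(login));
                }
                return null;
            }
            // start() verifies that every static user's role has an entry in staticRoles.
            // NOTE(review): unlike the cache branch, an empty or null permission document is not
            // rejected here before it reaches the parser; confirm what the parser grants for it.
            permissionsJson = this.staticRoles.get(staticUser.getRole());
        } else {
            ClusterState state = this.ignite.cluster().state();
            if (!EnumSet.of(ClusterState.ACTIVE, ClusterState.ACTIVE_READ_ONLY).contains(state)) {
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Can not authenticate because the cluster is inactive.");
                }
                return null;
            }
            if (!this.ignite.cacheNames().contains(SECURITY_ROLES_CACHE)) {
                this.log.warning("ignite-roles-cache cache does not exist. Caches - " + this.ignite.cacheNames());
                return null;
            }
            if (!this.ignite.cacheNames().contains(SECURITY_USERS_CACHE)) {
                this.log.warning("ignite-users-cache cache does not exist. Caches - " + this.ignite.cacheNames());
                return null;
            }

            UserCredential cachedUser = (UserCredential) this.ignite.cache(SECURITY_USERS_CACHE).get(login);
            Object suppliedPassword = credentials.getPassword();
            // A missing password is an authentication failure, not a NullPointerException.
            // NOTE(review): the hash check only runs for logins that exist, so response time may
            // differ between unknown and known logins; consider a dummy check for unknown ones.
            if (cachedUser == null
                || suppliedPassword == null
                || !AgentUtils.checkBcrypt(suppliedPassword.toString(), cachedUser.getPassword())) {
                if (this.log.isInfoEnabled()) {
                    this.log.info(forLog(login) + " user does not exist in " + SECURITY_USERS_CACHE + " cache or your password is wrong");
                }
                return null;
            }

            permissionsJson = (String) this.ignite.cache(SECURITY_ROLES_CACHE).get(cachedUser.getRole());
            if (F.isEmpty(permissionsJson)) {
                this.log.warning("There is no permission related with role - " + cachedUser.getRole() + " in " + SECURITY_ROLES_CACHE + " cache");
                return null;
            }
        }

        return new SecuritySubjectAdapter(
            authenticationContext.subjectId(),
            authenticationContext.subjectType(),
            authenticationContext.credentials().getLogin(),
            authenticationContext.address(),
            new GridSecurityPermissionSetJsonParser(permissionsJson).parse(),
            authenticationContext.certificates());
    }

    /**
     * @return always {@code false}.
     */
    public boolean isGlobalNodeAuthentication() {
        return false;
    }

    /**
     * Validates the static configuration.
     *
     * @throws IllegalStateException if no static user is configured, or if a static user refers to
     *     a role that has no entry in the static roles.
     */
    public void start() throws IgniteException {
        if (this.staticUsers.isEmpty()) {
            throw new IllegalStateException("Missing static users. Please set up the RoleBasedAuthenticator.staticUsers property");
        }
        // Collect the undefined roles by filtering rather than by mutating the collector's result,
        // whose mutability Collectors.toSet() does not guarantee.
        Set<Object> missingRoles = this.staticUsers.values().stream()
            .<Object>map(user -> user.getRole())
            .filter(role -> !this.staticRoles.containsKey(role))
            .collect(Collectors.toSet());
        if (!missingRoles.isEmpty()) {
            throw new IllegalStateException("Missing static roles: " + missingRoles + ". Please set up the RoleBasedAuthenticator.staticRoles property");
        }
    }

    /** No resources are held, so there is nothing to release. */
    public void stop() throws IgniteException {
    }

    /**
     * Sets the statically configured users.
     *
     * @param map login to credential mapping; {@code null} is treated as "no static users", which
     *     {@link #start()} then reports as a configuration error. The map is stored by reference.
     * @return {@code this}, for chaining.
     */
    public RoleBasedAuthenticator setStaticUsers(Map<String, UserCredential> map) {
        this.staticUsers = map == null ? Collections.<String, UserCredential>emptyMap() : map;
        return this;
    }

    /**
     * Sets the statically configured roles.
     *
     * @param map role name to permission JSON mapping; {@code null} is treated as "no static
     *     roles". The map is stored by reference.
     * @return {@code this}, for chaining.
     */
    public RoleBasedAuthenticator setStaticRoles(Map<String, String> map) {
        this.staticRoles = map == null ? Collections.<String, String>emptyMap() : map;
        return this;
    }

    /**
     * Compares a configured password with a supplied one.
     *
     * <p>String values are compared over their UTF-8 bytes with {@link MessageDigest#isEqual},
     * so a mismatch is not decided by an early-exit character comparison. The final
     * {@code equals} call only runs once the bytes already match and keeps the accepted set
     * identical to plain string equality (two different strings holding unpaired surrogates can
     * encode to the same bytes).
     *
     * @param expected configured password; {@code null} never matches.
     * @param supplied password taken from the request; {@code null} never matches.
     * @return {@code true} only when both values are equal.
     */
    private static boolean passwordsMatch(Object expected, Object supplied) {
        if (expected == null || supplied == null) {
            return false;
        }
        if (expected instanceof String && supplied instanceof String) {
            byte[] expectedBytes = ((String) expected).getBytes(StandardCharsets.UTF_8);
            byte[] suppliedBytes = ((String) supplied).getBytes(StandardCharsets.UTF_8);
            return MessageDigest.isEqual(expectedBytes, suppliedBytes) && expected.equals(supplied);
        }
        return expected.equals(supplied);
    }

    /**
     * Renders a client-supplied value for a log line, replacing control characters (including
     * CR and LF) with {@code '_'} so the value cannot start a forged log entry.
     *
     * @param value value to render; {@code null} is rendered as {@code "null"}.
     * @return the value as a single-line string.
     */
    private static String forLog(Object value) {
        String text = String.valueOf(value);
        StringBuilder safe = new StringBuilder(text.length());
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            safe.append(Character.isISOControl(c) ? '_' : c);
        }
        return safe.toString();
    }
}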
