package org.gridgain.grid.kernal.managers.security.ent;

import java.net.InetSocketAddress;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.UUID;
import java.util.concurrent.Callable;
import org.gridgain.grid.GridException;
import org.gridgain.grid.GridFuture;
import org.gridgain.grid.GridNode;
import org.gridgain.grid.GridRuntimeException;
import org.gridgain.grid.cache.GridCacheEntry;
import org.gridgain.grid.events.GridAuthenticationEvent;
import org.gridgain.grid.events.GridAuthorizationEvent;
import org.gridgain.grid.events.GridEvent;
import org.gridgain.grid.events.GridEventType;
import org.gridgain.grid.kernal.GridKernalContext;
import org.gridgain.grid.kernal.GridNodeAttributes;
import org.gridgain.grid.kernal.managers.GridManagerAdapter;
import org.gridgain.grid.kernal.managers.eventstorage.GridLocalEventListener;
import org.gridgain.grid.kernal.managers.security.GridAllowAllPermissionSet;
import org.gridgain.grid.kernal.managers.security.GridSecurityContext;
import org.gridgain.grid.kernal.managers.security.GridSecurityManager;
import org.gridgain.grid.kernal.managers.security.GridSecuritySubjectAdapter;
import org.gridgain.grid.kernal.processors.cache.GridCacheProjectionEx;
import org.gridgain.grid.lang.GridClosure;
import org.gridgain.grid.lang.GridPredicate;
import org.gridgain.grid.product.GridProductVersion;
import org.gridgain.grid.security.GridSecurityCredentials;
import org.gridgain.grid.security.GridSecurityException;
import org.gridgain.grid.security.GridSecurityPermission;
import org.gridgain.grid.security.GridSecurityPermissionSet;
import org.gridgain.grid.security.GridSecuritySubject;
import org.gridgain.grid.security.GridSecuritySubjectType;
import org.gridgain.grid.spi.authentication.GridAuthenticationContext;
import org.gridgain.grid.spi.authentication.GridAuthenticationContextAdapter;
import org.gridgain.grid.spi.authentication.GridAuthenticationSpi;
import org.gridgain.grid.util.lang.GridPlainCallable;
import org.gridgain.grid.util.portable.GridPortableMarshaller;
import org.gridgain.grid.util.typedef.CI1;
import org.gridgain.grid.util.typedef.F;
import org.gridgain.grid.util.typedef.internal.U;
import org.jetbrains.annotations.Nullable;

/* loaded from: input_file:org/gridgain/grid/kernal/managers/security/ent/GridEntSecurityManager.class */
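/**
 * Security manager that authenticates subjects through the configured {@link GridAuthenticationSpi}s,
 * checks permissions against a {@link GridSecurityContext}, and keeps authenticated remote clients in a
 * utility cache keyed by subject ID.
 *
 * <p>This listing was recovered from bytecode by a decompiler. Several members that the decompiler
 * reports as originally {@code private} or {@code protected} are left at the visibility it emitted.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>{@link #authenticate} returns {@code null} on failure instead of throwing, so callers must
 *       check the result.</li>
 *   <li>{@link #authorize} is a no-op when security is disabled.</li>
 *   <li>A node without a security-subject attribute is given {@code ALLOW_ALL}
 *       (see {@code nodeSecurityContext}).</li>
 * </ul>
 */
public class GridEntSecurityManager extends GridManagerAdapter<GridAuthenticationSpi> implements GridSecurityManager {
    /** How many topology versions before the current one are searched for a node that has left. */
    private static final int TOP_HISTORY_SEARCH_SIZE = 5;

    /** Remote nodes reporting a version below this one are refused when security is enabled. */
    private static final GridProductVersion SUPPORTS_DECLARATIVE_SECURITY = GridProductVersion.fromString("6.1.5");

    /** Permission set assigned to a node that carries no security-subject attribute. */
    private static final GridSecurityPermissionSet ALLOW_ALL = new GridAllowAllPermissionSet();

    /** Delegate that runs the authentication SPIs; created in {@link #start()}. */
    private GridAuthenticationHandler authHnd;

    /** Security context of the local node; set at the end of {@link #onKernalStart0()}. */
    private GridSecurityContext locNodeSecurityCtx;

    // Subject-descriptor cache. It is assigned only when security is enabled AND the node is not a
    // daemon, yet the methods that use it guard on securityEnabled() alone.
    // NOTE(review): on a daemon node with security enabled this stays null; confirm those paths are
    // unreachable there or add a null guard.
    private GridCacheProjectionEx<GridSecuritySubjectKey, GridSecuritySubjectDescriptor> descCache;

    /**
     * Cache transform that registers a node as holding an active session for a subject.
     * (The decompiler reports this class as originally {@code private}.)
     */
    public static class AddSubjectNode implements GridClosure<GridSecuritySubjectDescriptor, GridSecuritySubjectDescriptor> {
        private static final long serialVersionUID = 0;
        private GridSecuritySubject subj;
        private UUID nodeId;

        private AddSubjectNode(GridSecuritySubject gridSecuritySubject, UUID uuid) {
            this.subj = gridSecuritySubject;
            this.nodeId = uuid;
        }

        /**
         * @param gridSecuritySubjectDescriptor Current cache value, or {@code null} if the subject is not cached.
         * @return A new descriptor whose active-node set includes this closure's node ID.
         */
        @Override
        public GridSecuritySubjectDescriptor apply(GridSecuritySubjectDescriptor gridSecuritySubjectDescriptor) {
            if (gridSecuritySubjectDescriptor == null) {
                return new GridSecuritySubjectDescriptor(this.subj, Collections.singletonList(this.nodeId));
            }
            // NOTE(review): an existing entry keeps its stored subject; the subject from the new
            // authentication is not written. If a subject's permissions can change between logins,
            // confirm that retaining the cached one is intended.
            HashSet<UUID> activeIds = new HashSet<UUID>(gridSecuritySubjectDescriptor.activeNodes());
            activeIds.add(this.nodeId);
            return new GridSecuritySubjectDescriptor(gridSecuritySubjectDescriptor.subject(), activeIds);
        }
    }

    /** Cache transform that drops a node from a subject's active-node set. */
    private static class RemoveSubjectNode implements GridClosure<GridSecuritySubjectDescriptor, GridSecuritySubjectDescriptor> {
        private static final long serialVersionUID = 0;
        private UUID nodeId;

        private RemoveSubjectNode(UUID uuid) {
            this.nodeId = uuid;
        }

        /**
         * @param gridSecuritySubjectDescriptor Current cache value, possibly {@code null}.
         * @return The descriptor without this closure's node ID, or {@code null} when the input is
         *      {@code null} or no active node remains.
         */
        @Override
        public GridSecuritySubjectDescriptor apply(GridSecuritySubjectDescriptor gridSecuritySubjectDescriptor) {
            if (gridSecuritySubjectDescriptor == null) {
                return null;
            }
            HashSet<UUID> activeIds = new HashSet<UUID>(gridSecuritySubjectDescriptor.activeNodes());
            activeIds.remove(this.nodeId);
            if (activeIds.isEmpty()) {
                return null;
            }
            return new GridSecuritySubjectDescriptor(gridSecuritySubjectDescriptor.subject(), activeIds);
        }
    }

    /**
     * Cache transform that keeps only the active nodes still present in a topology snapshot.
     * (The decompiler reports this class as originally {@code private}.)
     */
    public static class VerifySubjectNodes implements GridClosure<GridSecuritySubjectDescriptor, GridSecuritySubjectDescriptor> {
        private static final long serialVersionUID = 0;
        private Collection<UUID> topSnapshot;

        private VerifySubjectNodes(Collection<UUID> collection) {
            this.topSnapshot = collection;
        }

        /**
         * @param gridSecuritySubjectDescriptor Current cache value, possibly {@code null}.
         * @return The descriptor restricted to node IDs found in the snapshot, or {@code null} when
         *      the input is {@code null} or none of its nodes is in the snapshot.
         */
        @Override
        public GridSecuritySubjectDescriptor apply(GridSecuritySubjectDescriptor gridSecuritySubjectDescriptor) {
            if (gridSecuritySubjectDescriptor == null) {
                return null;
            }
            HashSet<UUID> aliveIds = new HashSet<UUID>();
            for (UUID id : gridSecuritySubjectDescriptor.activeNodes()) {
                if (this.topSnapshot.contains(id)) {
                    aliveIds.add(id);
                }
            }
            if (aliveIds.isEmpty()) {
                return null;
            }
            return new GridSecuritySubjectDescriptor(gridSecuritySubjectDescriptor.subject(), aliveIds);
        }
    }

    /**
     * @param gridKernalContext Kernal context; its configuration supplies the authentication SPIs.
     */
    public GridEntSecurityManager(GridKernalContext gridKernalContext) {
        super(gridKernalContext, gridKernalContext.config().getAuthenticationSpi());
    }

    /** Creates the authentication handler over the configured SPIs and starts them. */
    @Override
    public void start() throws GridException {
        this.authHnd = new GridAuthenticationHandler(getSpis());
        startSpi();
        if (this.log.isDebugEnabled()) {
            this.log.debug(startInfo());
        }
    }

    /** Stops the authentication SPIs. */
    @Override
    public void stop(boolean z) throws GridException {
        stopSpi();
        if (this.log.isDebugEnabled()) {
            this.log.debug(stopInfo());
        }
    }

    /**
     * Completes initialisation once the kernal is up. With security enabled on a non-daemon node this
     * registers a listener for event types 12 and 11, obtains the subject-descriptor cache and checks
     * remote node versions. In every case it then builds the local node's security context.
     * (The decompiler reports this method as originally {@code protected}.)
     *
     * @throws GridException If a remote node is too old or the local context cannot be built.
     */
    @Override
    public void onKernalStart0() throws GridException {
        super.onKernalStart0();
        if (securityEnabled() && !this.ctx.isDaemon()) {
            // 12 and 11 are event type codes inlined by the compiler.
            // NOTE(review): presumably the node-failed / node-left discovery events; confirm against GridEventType.
            this.ctx.event().addLocalEventListener(new GridLocalEventListener() {
                @Override
                public void onEvent(GridEvent gridEvent) {
                    GridEntSecurityManager.this.checkDescriptorsCache();
                }
            }, 12, 11);
            this.descCache = this.ctx.cache().utilityCache(GridSecuritySubjectKey.class, GridSecuritySubjectDescriptor.class);
            assert this.descCache != null : "Security system cache is missing";
            checkRemoteNodesVersion();
        }
        this.locNodeSecurityCtx = nodeSecurityContext(this.ctx.discovery().localNode());
    }

    /** @return Whether security is enabled for this grid configuration. */
    @Override
    public boolean securityEnabled() {
        return U.securityEnabled(this.ctx.config());
    }

    /**
     * Authenticates a remote node with the given credentials.
     *
     * @param gridNode Node being authenticated; its first reported address is used as the subject address.
     * @param gridSecurityCredentials Credentials presented by the node.
     * @return Security context, or {@code null} if authentication failed.
     * @throws GridException If the authentication handler fails.
     */
    @Override
    public GridSecurityContext authenticateNode(GridNode gridNode, GridSecurityCredentials gridSecurityCredentials) throws GridException {
        GridAuthenticationContextAdapter authCtx = new GridAuthenticationContextAdapter();
        authCtx.subjectType(GridSecuritySubjectType.REMOTE_NODE);
        authCtx.subjectId(gridNode.id());
        authCtx.credentials(gridSecurityCredentials);
        // NOTE(review): assumes the node reports at least one address — confirm F.first cannot return null here.
        authCtx.address(new InetSocketAddress((String) F.first(gridNode.addresses()), 0));
        return authenticate(authCtx);
    }

    /**
     * Runs the authentication handler and records the outcome as an event.
     *
     * <p>A {@code null} return means the subject was rejected; no exception is raised for that case,
     * so every caller has to test the result before granting access.
     *
     * @param gridAuthenticationContext Authentication request.
     * @return Security context for the authenticated subject, or {@code null} on failure.
     * @throws GridException If the authentication handler fails.
     */
    @Override
    public GridSecurityContext authenticate(GridAuthenticationContext gridAuthenticationContext) throws GridException {
        assert this.authHnd != null;
        GridSecuritySubject subj = null;
        try {
            subj = this.authHnd.authenticate(gridAuthenticationContext);
            return subj == null ? null : new GridSecurityContext(subj);
        } finally {
            // One finally block replaces the two inlined copies in the decompiled text, so the
            // bookkeeping runs exactly once per attempt, including when the handler throws
            // (subj is still null then, which is recorded as a failure).
            Object login = gridAuthenticationContext.credentials() == null ? null : gridAuthenticationContext.credentials().getLogin();
            if (subj != null) {
                if (gridAuthenticationContext.subjectType() == GridSecuritySubjectType.REMOTE_CLIENT) {
                    addToCache(subj);
                }
                if (this.ctx.event().isRecordable(GridEventType.EVT_AUTHENTICATION_SUCCEEDED)) {
                    recordAuthenticationEvent(GridEventType.EVT_AUTHENTICATION_SUCCEEDED, gridAuthenticationContext.subjectType(), gridAuthenticationContext.subjectId(), login);
                }
            } else if (this.ctx.event().isRecordable(GridEventType.EVT_AUTHENTICATION_FAILED)) {
                recordAuthenticationEvent(GridEventType.EVT_AUTHENTICATION_FAILED, gridAuthenticationContext.subjectType(), gridAuthenticationContext.subjectId(), login);
            }
        }
    }

    /**
     * Lists the subjects of all nodes in the current topology plus every subject held in the
     * descriptor cache.
     *
     * @return Subjects, or an empty list when security is disabled.
     * @throws GridException If a node's security context cannot be built.
     */
    @Override
    public Collection<GridSecuritySubject> authenticatedSubjects() throws GridException {
        if (!securityEnabled()) {
            return Collections.emptyList();
        }
        Collection<GridNode> nodes = this.ctx.discovery().nodes(this.ctx.discovery().topologyVersion());
        ArrayList<GridSecuritySubject> subjects = new ArrayList<GridSecuritySubject>(nodes.size());
        for (GridNode node : nodes) {
            subjects.add(nodeSecurityContext(node).subject());
        }
        Iterator<GridCacheEntry<GridSecuritySubjectKey, GridSecuritySubjectDescriptor>> entries = this.descCache.entrySetx(new GridPredicate[0]).iterator();
        while (entries.hasNext()) {
            subjects.add(entries.next().getValue().subject());
        }
        return subjects;
    }

    /**
     * Looks up the subject for an ID: first among live nodes, then in the descriptor cache, then in
     * recent topology history.
     *
     * @param uuid Subject (node or client) ID.
     * @return The subject, or {@code null} when security is disabled or the ID is unknown.
     * @throws GridException If a node's security context cannot be built.
     */
    @Override
    public GridSecuritySubject authenticatedSubject(UUID uuid) throws GridException {
        if (!securityEnabled()) {
            return null;
        }
        GridNode node = this.ctx.discovery().node(uuid);
        if (node != null) {
            return nodeSecurityContext(node).subject();
        }
        GridSecuritySubjectDescriptor desc = this.descCache.get(new GridSecuritySubjectKey(uuid));
        if (desc != null) {
            return desc.subject();
        }
        // Search at most TOP_HISTORY_SEARCH_SIZE earlier topology versions. The decompiled bound was
        // inverted (it stopped while the distance was still <= 5), so the first iteration always
        // returned null and the history was never consulted.
        long topVer = this.ctx.discovery().topologyVersion();
        for (long ver = topVer - 1; ver > 1 && topVer - ver <= TOP_HISTORY_SEARCH_SIZE; ver--) {
            Collection<GridNode> top = this.ctx.discovery().topology(ver);
            if (top == null) {
                // No snapshot for this version; keep looking further back.
                continue;
            }
            for (GridNode histNode : top) {
                if (histNode.id().equals(uuid)) {
                    return nodeSecurityContext(histNode).subject();
                }
            }
        }
        return null;
    }

    /**
     * Checks that a security context permits an operation, records the decision as an event and
     * throws when it is denied. Does nothing when security is disabled.
     *
     * @param str Name of the cache or task the permission applies to (not used for event permissions).
     * @param gridSecurityPermission Permission being checked.
     * @param gridSecurityContext Context to check; when {@code null} the local node's context is used.
     * @throws GridSecurityException If the operation is not allowed.
     * @throws IllegalStateException If the permission is not one this method knows how to check.
     */
    @Override
    public void authorize(String str, GridSecurityPermission gridSecurityPermission, @Nullable GridSecurityContext gridSecurityContext) throws GridSecurityException {
        if (!securityEnabled()) {
            return;
        }
        GridSecurityContext secCtx = gridSecurityContext != null ? gridSecurityContext : this.locNodeSecurityCtx;
        if (secCtx == null) {
            // The decompiler placed this try/catch around a plain field read; the call that can
            // actually throw GridException is the context lookup, so the wrap belongs here.
            try {
                secCtx = nodeSecurityContext(this.ctx.discovery().localNode());
            } catch (GridException e) {
                throw new GridRuntimeException("Failed to get local node security context.", e);
            }
        }
        assert secCtx != null;
        boolean allowed;
        switch (gridSecurityPermission) {
            case CACHE_READ:
            case CACHE_PUT:
            case CACHE_REMOVE:
                allowed = secCtx.cacheOperationAllowed(str, gridSecurityPermission);
                break;
            case TASK_EXECUTE:
            case TASK_CANCEL:
                allowed = secCtx.taskOperationAllowed(str, gridSecurityPermission);
                break;
            case EVENTS_DISABLE:
            case EVENTS_ENABLE:
                allowed = secCtx.systemOperationAllowed(gridSecurityPermission);
                break;
            default:
                // Unknown permissions are rejected rather than silently allowed.
                throw new IllegalStateException("Invalid security permission: " + gridSecurityPermission);
        }
        GridSecuritySubject subject = secCtx.subject();
        if (allowed) {
            // 128 is the code recordAutorizationEvent treats as "succeeded".
            recordAutorizationEvent(128, gridSecurityPermission, subject);
        } else {
            recordAutorizationEvent(GridEventType.EVT_AUTHORIZATION_FAILED, gridSecurityPermission, subject);
            throw new GridSecurityException("Authorization failed [perm=" + gridSecurityPermission + ", name=" + str + ", subject=" + subject + ']');
        }
    }

    /**
     * Removes the local node from the cached descriptor of an expired session's subject. The cache
     * update is asynchronous; a failure is only logged.
     *
     * @param uuid Subject ID whose session expired.
     */
    @Override
    public void onSessionExpired(final UUID uuid) {
        if (securityEnabled()) {
            this.descCache.transformAsync(new GridSecuritySubjectKey(uuid), new RemoveSubjectNode(this.ctx.localNodeId())).listenAsync(new CI1<GridFuture<?>>() {
                @Override
                public void apply(GridFuture<?> gridFuture) {
                    try {
                        gridFuture.get();
                    } catch (GridException e) {
                        U.error(GridEntSecurityManager.this.log, "Failed to update security subject cache: " + uuid, e);
                    }
                }
            });
        }
    }

    /**
     * Schedules a descriptor-cache clean-up when the local node has the lowest order in the current
     * topology, so only one node performs it.
     * (The decompiler reports this method as originally {@code private}.)
     */
    public void checkDescriptorsCache() {
        long minOrder = Long.MAX_VALUE;
        final Collection<GridNode> nodes = this.ctx.discovery().nodes(this.ctx.discovery().topologyVersion());
        for (GridNode node : nodes) {
            minOrder = Math.min(node.order(), minOrder);
        }
        if (this.ctx.discovery().localNode().order() == minOrder) {
            this.ctx.closure().callLocalSafe((Callable) new GridPlainCallable<Object>() {
                @Override
                public Object call() throws Exception {
                    GridEntSecurityManager.this.verifyDescriptorsCache(nodes);
                    return null;
                }
            }, false);
        }
    }

    /**
     * Prunes every cached descriptor down to the nodes present in the given topology. Updates are
     * asynchronous; a failure is only logged, so a stale entry can survive until the next run.
     * (The decompiler reports this method as originally {@code private}.)
     *
     * @param collection Nodes of the topology to verify against.
     */
    public void verifyDescriptorsCache(Collection<GridNode> collection) {
        // Copy the IDs so the closure carries a stable snapshot rather than a live view.
        Collection<UUID> nodeIds = new ArrayList<UUID>(F.viewReadOnly(collection, F.node2id(), new GridPredicate[0]));
        Iterator it = this.descCache.iterator();
        while (it.hasNext()) {
            GridCacheEntry entry = (GridCacheEntry) it.next();
            // The decompiler lost the entry's type arguments; the cast restores the key type
            // that transformAsync needs.
            GridSecuritySubjectKey key = (GridSecuritySubjectKey) entry.getKey();
            final UUID subjectId = key.subjectId();
            this.descCache.transformAsync(key, new VerifySubjectNodes(nodeIds)).listenAsync(new CI1<GridFuture<?>>() {
                @Override
                public void apply(GridFuture<?> gridFuture) {
                    try {
                        gridFuture.get();
                    } catch (GridException e) {
                        U.error(GridEntSecurityManager.this.log, "Failed to update descriptors cache for key: " + subjectId, e);
                    }
                }
            });
        }
    }

    /**
     * Registers the local node as active for an authenticated subject. The cache update is
     * asynchronous; a failure is only logged and does not fail the authentication.
     *
     * @param gridSecuritySubject Subject that has just been authenticated.
     */
    private void addToCache(final GridSecuritySubject gridSecuritySubject) {
        if (securityEnabled()) {
            this.descCache.transformAsync(new GridSecuritySubjectKey(gridSecuritySubject.id()), new AddSubjectNode(gridSecuritySubject, this.ctx.localNodeId())).listenAsync(new CI1<GridFuture<?>>() {
                @Override
                public void apply(GridFuture<?> gridFuture) {
                    try {
                        gridFuture.get();
                    } catch (GridException e) {
                        U.error(GridEntSecurityManager.this.log, "Failed to update security subject cache: " + gridSecuritySubject, e);
                    }
                }
            });
        }
    }

    /**
     * Refuses to start alongside remote nodes older than {@code SUPPORTS_DECLARATIVE_SECURITY}.
     *
     * @throws GridException If any remote node reports an older version.
     */
    private void checkRemoteNodesVersion() throws GridException {
        for (GridNode rmtNode : this.ctx.discovery().remoteNodes()) {
            if (rmtNode.version().compareTo(SUPPORTS_DECLARATIVE_SECURITY) < 0) {
                // NOTE(review): the message says "6.1.2 and below" while the threshold constant is
                // 6.1.5; confirm which one is intended.
                throw new GridException("Rolling updates with security enabled are not supported for GridGain versions 6.1.2 and below [rmtNodeId=" + rmtNode.id() + ", rmtNodeVer=" + rmtNode.version() + ']');
            }
        }
    }

    /**
     * Records an authentication event if that event type is recordable.
     *
     * @param i Event type; 111 selects the "succeeded" message, anything else is asserted to be 112.
     * @param gridSecuritySubjectType Subject type from the authentication request.
     * @param uuid Subject ID from the authentication request.
     * @param obj Login taken from the credentials, possibly {@code null}.
     */
    private void recordAuthenticationEvent(int i, GridSecuritySubjectType gridSecuritySubjectType, UUID uuid, Object obj) {
        if (!this.ctx.event().isRecordable(i)) {
            return;
        }
        String msg;
        // NOTE(review): 111 / 112 look like compiler-inlined values of the authentication event
        // constants that callers pass — confirm against GridEventType.
        if (i == 111) {
            msg = "Authentication procedure succeeded.";
        } else {
            assert i == 112;
            msg = "Authentication procedure failed.";
        }
        this.ctx.event().record(new GridAuthenticationEvent(this.ctx.discovery().localNode(), msg, i, gridSecuritySubjectType, uuid, obj));
    }

    /**
     * Records an authorization event if that event type is recordable.
     *
     * @param i Event type; 128 selects the "succeeded" message, anything else is asserted to be 129.
     * @param gridSecurityPermission Permission that was checked.
     * @param gridSecuritySubject Subject the check was made for.
     */
    private void recordAutorizationEvent(int i, GridSecurityPermission gridSecurityPermission, GridSecuritySubject gridSecuritySubject) {
        if (!this.ctx.event().isRecordable(i)) {
            return;
        }
        String msg;
        if (i == 128) {
            msg = "Authorization procedure succeeded.";
        } else {
            assert i == 129;
            msg = "Authorization procedure failed.";
        }
        this.ctx.event().record(new GridAuthorizationEvent(this.ctx.discovery().localNode(), msg, i, gridSecurityPermission, gridSecuritySubject));
    }

    /**
     * Builds the security context of a node from its security-subject attribute.
     *
     * @param gridNode Node to build the context for.
     * @return Context unmarshalled from the attribute, or an allow-all context when the attribute is absent.
     * @throws GridException If unmarshalling fails.
     */
    private GridSecurityContext nodeSecurityContext(GridNode gridNode) throws GridException {
        byte[] subjBytes = (byte[]) gridNode.attribute(GridNodeAttributes.ATTR_SECURITY_SUBJECT);
        if (subjBytes != null) {
            // NOTE(review): this deserialises bytes read from a node attribute with the configured
            // marshaller. Where the attribute is populated is not visible here — confirm it is
            // written by the authenticating side and cannot be supplied by the joining node itself.
            return (GridSecurityContext) this.ctx.config().getMarshaller().unmarshal(subjBytes, (ClassLoader) null);
        }
        // NOTE(review): fail-open default — a node with no security-subject attribute receives
        // ALLOW_ALL. Confirm that the discovery layer always sets the attribute for authenticated
        // nodes whenever security is enabled, so this branch only serves the security-off case.
        GridSecuritySubjectAdapter subj = new GridSecuritySubjectAdapter(GridSecuritySubjectType.REMOTE_NODE, gridNode.id());
        subj.address(new InetSocketAddress((String) F.first(gridNode.addresses()), 0));
        subj.permissions(ALLOW_ALL);
        return new GridSecurityContext(subj);
    }
}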
