package org.apache.ignite.internal.security.authentication;

import java.util.Comparator;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.CompletableFuture;
import java.util.stream.Collectors;
import org.apache.ignite.configuration.NamedListView;
import org.apache.ignite.configuration.notifications.ConfigurationListener;
import org.apache.ignite.internal.event.AbstractEventProducer;
import org.apache.ignite.internal.eventlog.api.EventLog;
import org.apache.ignite.internal.eventlog.api.IgniteEvents;
import org.apache.ignite.internal.eventlog.event.EventUser;
import org.apache.ignite.internal.logger.IgniteLogger;
import org.apache.ignite.internal.logger.Loggers;
import org.apache.ignite.internal.manager.ComponentContext;
import org.apache.ignite.internal.security.authentication.configuration.AuthenticationView;
import org.apache.ignite.internal.security.authentication.event.AuthenticationEvent;
import org.apache.ignite.internal.security.authentication.event.AuthenticationEventParameters;
import org.apache.ignite.internal.security.authentication.event.AuthenticationProviderEventFactory;
import org.apache.ignite.internal.security.authentication.event.SecurityEnabledDisabledEventFactory;
import org.apache.ignite.internal.security.authentication.event.UserEventFactory;
import org.apache.ignite.internal.security.configuration.SecurityConfiguration;
import org.apache.ignite.internal.security.configuration.SecurityView;
import org.apache.ignite.internal.util.CompletableFutures;
import org.apache.ignite.security.exception.InvalidCredentialsException;
import org.apache.ignite.security.exception.UnsupportedAuthenticationTypeException;
import org.gridgain.internal.rbac.users.exception.UserNotFoundException;
import org.jetbrains.annotations.Nullable;
import org.jetbrains.annotations.TestOnly;

/* loaded from: input_file:org/apache/ignite/internal/security/authentication/AuthenticationManagerImpl.class */
public class AuthenticationManagerImpl extends AbstractEventProducer<AuthenticationEvent, AuthenticationEventParameters> implements AuthenticationManager {
    private static final IgniteLogger LOG = Loggers.forClass(AuthenticationManagerImpl.class);
    private final SecurityConfiguration securityConfiguration;
    private final ConfigurationListener<SecurityView> securityConfigurationListener;
    private final SecurityEnabledDisabledEventFactory securityEnabledDisabledEventFactory;
    private final UserEventFactory userEventFactory;
    private final AuthenticationProviderEventFactory providerEventFactory;

    @Nullable
    private volatile List<Authenticator> authenticators;
    private final EventLog eventLog;

    public AuthenticationManagerImpl(SecurityConfiguration securityConfiguration) {
        this(securityConfiguration, supplier -> {
        });
    }

    public AuthenticationManagerImpl(SecurityConfiguration securityConfiguration, EventLog eventLog) {
        this.securityConfiguration = securityConfiguration;
        this.eventLog = eventLog;
        this.securityConfigurationListener = configurationNotificationEvent -> {
            refreshProviders((SecurityView) configurationNotificationEvent.newValue());
            return CompletableFutures.nullCompletedFuture();
        };
        this.securityEnabledDisabledEventFactory = new SecurityEnabledDisabledEventFactory(this::fireEvent);
        this.userEventFactory = new UserEventFactory(this::fireEvent);
        this.providerEventFactory = new AuthenticationProviderEventFactory(securityConfiguration, this.userEventFactory, this::fireEvent);
    }

    public CompletableFuture<Void> startAsync(ComponentContext componentContext) {
        this.securityConfiguration.listen(this.securityConfigurationListener);
        this.securityConfiguration.enabled().listen(this.securityEnabledDisabledEventFactory);
        this.securityConfiguration.authentication().providers().listenElements(this.providerEventFactory);
        this.securityConfiguration.authentication().providers().get(AuthenticationUtils.findBasicProviderName((NamedListView) this.securityConfiguration.authentication().providers().value())).users().listenElements(this.userEventFactory);
        return CompletableFutures.nullCompletedFuture();
    }

    public CompletableFuture<Void> stopAsync(ComponentContext componentContext) {
        this.securityConfiguration.stopListen(this.securityConfigurationListener);
        this.securityConfiguration.enabled().stopListen(this.securityEnabledDisabledEventFactory);
        this.securityConfiguration.authentication().providers().stopListenElements(this.providerEventFactory);
        this.securityConfiguration.authentication().providers().get(AuthenticationUtils.findBasicProviderName((NamedListView) this.securityConfiguration.authentication().providers().value())).users().stopListenElements(this.userEventFactory);
        return CompletableFutures.nullCompletedFuture();
    }

    public CompletableFuture<UserDetails> authenticateAsync(AuthenticationRequest<?, ?> authenticationRequest) {
        List<Authenticator> list = this.authenticators;
        return list != null ? authenticate(list.iterator(), authenticationRequest) : CompletableFuture.completedFuture(UserDetails.UNKNOWN);
    }

    private CompletableFuture<UserDetails> authenticate(Iterator<Authenticator> it, AuthenticationRequest<?, ?> authenticationRequest) {
        return !it.hasNext() ? CompletableFuture.failedFuture(new InvalidCredentialsException("Authentication failed")) : authenticate(it.next(), authenticationRequest).thenCompose(userDetails -> {
            return userDetails != null ? CompletableFuture.completedFuture(userDetails) : authenticate((Iterator<Authenticator>) it, (AuthenticationRequest<?, ?>) authenticationRequest);
        });
    }

    private CompletableFuture<UserDetails> authenticate(Authenticator authenticator, AuthenticationRequest<?, ?> authenticationRequest) {
        try {
            CompletableFuture authenticateAsync = authenticator.authenticateAsync(authenticationRequest);
            authenticateAsync.thenAccept(userDetails -> {
                if (userDetails != null) {
                    logUserAuthenticated(userDetails);
                }
            });
            return authenticateAsync.handle((userDetails2, th) -> {
                if (th == null) {
                    return userDetails2;
                }
                if (!(th instanceof InvalidCredentialsException) && !(th instanceof UnsupportedAuthenticationTypeException)) {
                    LOG.error("Unexpected exception during authentication", th);
                }
                logAuthenticationFailure(authenticationRequest);
                return null;
            });
        } catch (InvalidCredentialsException | UnsupportedAuthenticationTypeException | UserNotFoundException e) {
            logAuthenticationFailure(authenticationRequest);
            return CompletableFuture.completedFuture(null);
        } catch (Exception e2) {
            logAuthenticationFailure(authenticationRequest);
            LOG.error("Unexpected exception during authentication", e2);
            return CompletableFuture.completedFuture(null);
        }
    }

    private void logAuthenticationFailure(AuthenticationRequest<?, ?> authenticationRequest) {
        this.eventLog.log(() -> {
            return IgniteEvents.USER_AUTHENTICATION_FAILURE.builder().user(EventUser.system()).fields(Map.of("identity", tryGetUsernameOrUnknown(authenticationRequest))).build();
        });
    }

    private static String tryGetUsernameOrUnknown(AuthenticationRequest<?, ?> authenticationRequest) {
        return authenticationRequest instanceof UsernamePasswordRequest ? ((UsernamePasswordRequest) authenticationRequest).getIdentity() : "UNKNOWN_AUTHENTICATION_TYPE";
    }

    private void logUserAuthenticated(UserDetails userDetails) {
        this.eventLog.log(() -> {
            return IgniteEvents.USER_AUTHENTICATION_SUCCESS.create(EventUser.of(userDetails.username(), userDetails.providerName()));
        });
    }

    private void refreshProviders(@Nullable SecurityView securityView) {
        if (securityView != null) {
            try {
                if (securityView.enabled()) {
                    this.authenticators = providersFromAuthView(securityView.authentication());
                }
            } catch (Exception e) {
                LOG.error("Couldn't refresh authentication providers. Leaving the old settings", e);
                return;
            }
        }
        this.authenticators = null;
    }

    private static List<Authenticator> providersFromAuthView(AuthenticationView authenticationView) {
        return (List) authenticationView.providers().stream().sorted(Comparator.comparing(authenticationProviderView -> {
            return authenticationProviderView.name();
        })).map(AuthenticatorFactory::create).collect(Collectors.toList());
    }

    private CompletableFuture<Void> fireEvent(AuthenticationEventParameters authenticationEventParameters) {
        return fireEvent(authenticationEventParameters.type(), authenticationEventParameters);
    }

    public boolean authenticationEnabled() {
        return this.authenticators != null;
    }

    @TestOnly
    public void authenticators(List<Authenticator> list) {
        this.authenticators = list;
    }
}
