package org.apache.ignite3.internal.security.authentication;

import com.google.auto.service.AutoService;
import java.util.Collection;
import java.util.List;
import java.util.Set;
import org.apache.ignite3.configuration.ConfigurationModule;
import org.apache.ignite3.configuration.SuperRootChange;
import org.apache.ignite3.configuration.annotation.ConfigurationType;
import org.apache.ignite3.configuration.validation.Validator;
import org.apache.ignite3.internal.configuration.ClusterConfiguration;
import org.apache.ignite3.internal.security.authentication.basic.BasicAuthenticationProviderChange;
import org.apache.ignite3.internal.security.authentication.basic.BasicAuthenticationProviderConfigurationSchema;
import org.apache.ignite3.internal.security.authentication.basic.UserPasswordEncodingValidatorImpl;
import org.apache.ignite3.internal.security.authentication.basic.UserWithSystemRoleValidatorImpl;
import org.apache.ignite3.internal.security.authentication.configuration.validator.AuthenticationRolesValidatorImpl;
import org.apache.ignite3.internal.security.authentication.validator.AuthenticationProvidersValidatorImpl;
import org.apache.ignite3.internal.security.configuration.SecurityChange;
import org.apache.ignite3.internal.security.configuration.SecurityExtensionChange;
import org.apache.ignite3.internal.security.configuration.SecurityExtensionConfigurationSchema;
import org.gridgain.internal.rbac.configuration.AuthorizationConfigurationSchema;
import org.gridgain.internal.rbac.configuration.PrivilegeNameGenerator;
import org.gridgain.internal.rbac.configuration.PrivilegesValidatorImpl;
import org.gridgain.internal.rbac.privileges.Action;
import org.gridgain.internal.security.ldap.configuration.LdapAuthenticationProviderConfigurationSchema;
import org.gridgain.internal.security.ldap.configuration.validator.LdapUrlValidatorImpl;

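/**
 * Configuration module that registers the security schema extensions and validators and
 * seeds the security configuration with its dynamic defaults.
 *
 * <p>Security note: {@link #patchConfigurationWithDynamicDefaults(SuperRootChange)} creates a
 * basic-authentication user with a fixed, well-known username and password
 * ({@link #DEFAULT_USERNAME} / {@link #DEFAULT_PASSWORD}) and assigns it the system role, which
 * this module populates with one privilege per {@link Action} value. Deployments should replace
 * or rotate that credential before the cluster is reachable by untrusted clients. Whether
 * authentication is enabled by default is not decided in this class.
 */
@AutoService({ConfigurationModule.class})
/* loaded from: input_file:org/apache/ignite3/internal/security/authentication/SecurityConfigurationModule.class */
public class SecurityConfigurationModule implements ConfigurationModule {
    /** Name of the authentication provider created when no provider is configured. */
    static final String DEFAULT_PROVIDER_NAME = "default";

    /** Username (and display name) of the user seeded into the default provider. */
    static final String DEFAULT_USERNAME = "ignite";

    /** Password of the seeded user. Well-known value: must be changed by the operator. */
    static final String DEFAULT_PASSWORD = "ignite";

    /**
     * Returns the configuration type this module contributes to.
     *
     * @return {@link ConfigurationType#DISTRIBUTED}
     */
    @Override
    public ConfigurationType type() {
        return ConfigurationType.DISTRIBUTED;
    }

    /**
     * Returns the validators applied to the security configuration.
     *
     * @return immutable set of the validator singletons registered by this module
     */
    @Override
    public Set<Validator<?, ?>> validators() {
        return Set.of(
                AuthenticationProvidersValidatorImpl.INSTANCE,
                LdapUrlValidatorImpl.INSTANCE,
                PrivilegesValidatorImpl.INSTANCE,
                AuthenticationRolesValidatorImpl.INSTANCE,
                UserWithSystemRoleValidatorImpl.INSTANCE,
                UserPasswordEncodingValidatorImpl.INSTANCE);
    }

    /**
     * Returns the schema classes that extend existing configuration schemas.
     *
     * @return immutable list containing the security extension schema
     */
    @Override
    public Collection<Class<?>> schemaExtensions() {
        return List.of(SecurityExtensionConfigurationSchema.class);
    }

    /**
     * Returns the polymorphic schema extensions, i.e. the supported authentication provider kinds.
     *
     * @return immutable list with the basic and LDAP authentication provider schemas
     */
    @Override
    public Collection<Class<?>> polymorphicSchemaExtensions() {
        return List.of(
                BasicAuthenticationProviderConfigurationSchema.class,
                LdapAuthenticationProviderConfigurationSchema.class);
    }

    /**
     * Applies the security defaults to the cluster configuration root.
     *
     * <p>Two things happen on every call:
     * <ul>
     *   <li>the system role is created or updated so that it holds one privilege per
     *       {@link Action} value;</li>
     *   <li>if the list of authentication providers is empty, a basic provider named
     *       {@link #DEFAULT_PROVIDER_NAME} is created with a single user
     *       ({@link #DEFAULT_USERNAME} / {@link #DEFAULT_PASSWORD}) bound to the system role.</li>
     * </ul>
     *
     * <p>The seeded account therefore carries every privilege and uses a publicly known
     * password; it is only skipped when at least one provider already exists.
     *
     * @param superRootChange mutable view of the configuration super root
     */
    @Override
    public void patchConfigurationWithDynamicDefaults(SuperRootChange superRootChange) {
        SecurityChange changeSecurity =
                ((SecurityExtensionChange) superRootChange.changeRoot(ClusterConfiguration.KEY)).changeSecurity();

        // Lambda parameters carry distinct names: the decompiled form reused one name in nested
        // lambdas, which Java rejects as a redeclaration of a variable in the enclosing scope.
        changeSecurity.changeAuthorization().changeRoles(rolesChange -> {
            rolesChange.createOrUpdate(AuthorizationConfigurationSchema.SYSTEM_ROLE_NAME, roleChange -> {
                roleChange.changeDisplayName(AuthorizationConfigurationSchema.SYSTEM_ROLE_NAME)
                        .changePrivileges(privilegesChange -> {
                            for (Action action : Action.values()) {
                                // NOTE(review): the null second argument presumably means "no specific
                                // object/selector" - confirm against PrivilegeNameGenerator.
                                privilegesChange.createOrUpdate(
                                        PrivilegeNameGenerator.privilegeName(action.name(), null),
                                        privilegeChange -> {
                                            privilegeChange.changeAction(action.name());
                                        });
                            }
                        });
            });
        });

        changeSecurity.changeAuthentication().changeProviders(providersChange -> {
            // Seed the default account only when no provider has been configured at all.
            if (providersChange.isEmpty()) {
                providersChange.create(DEFAULT_PROVIDER_NAME, authenticationProviderChange -> {
                    ((BasicAuthenticationProviderChange) authenticationProviderChange
                            .convert(BasicAuthenticationProviderChange.class))
                            .changeUsers()
                            .create(DEFAULT_USERNAME, basicUserChange -> {
                                // Well-known credential with the all-privilege system role:
                                // operators are expected to change it after bootstrap.
                                basicUserChange.changeDisplayName(DEFAULT_USERNAME)
                                        .changePassword(DEFAULT_PASSWORD)
                                        .changeRoles(AuthorizationConfigurationSchema.SYSTEM_ROLE_NAME);
                            });
                });
            }
        });
    }
}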
