package net.thevpc.nuts.runtime.security;

import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.Stack;
import java.util.concurrent.Callable;
import java.util.logging.Level;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import net.thevpc.nuts.NutsAddUserCommand;
import net.thevpc.nuts.NutsAuthenticationAgent;
import net.thevpc.nuts.NutsIllegalArgumentException;
import net.thevpc.nuts.NutsLogger;
import net.thevpc.nuts.NutsLoginException;
import net.thevpc.nuts.NutsRemoveUserCommand;
import net.thevpc.nuts.NutsSecurityException;
import net.thevpc.nuts.NutsSession;
import net.thevpc.nuts.NutsUpdateOptions;
import net.thevpc.nuts.NutsUpdateUserCommand;
import net.thevpc.nuts.NutsUser;
import net.thevpc.nuts.NutsUserConfig;
import net.thevpc.nuts.NutsWorkspaceEvent;
import net.thevpc.nuts.NutsWorkspaceListener;
import net.thevpc.nuts.NutsWorkspaceSecurityManager;
import net.thevpc.nuts.runtime.core.config.NutsWorkspaceConfigManagerExt;
import net.thevpc.nuts.runtime.log.NutsLogVerb;
import net.thevpc.nuts.runtime.main.DefaultNutsWorkspace;
import net.thevpc.nuts.runtime.main.config.ConfigEventType;
import net.thevpc.nuts.runtime.main.config.NutsWorkspaceConfigSecurity;
import net.thevpc.nuts.runtime.main.wscommands.DefaultNutsAddUserCommand;
import net.thevpc.nuts.runtime.main.wscommands.DefaultNutsRemoveUserCommand;
import net.thevpc.nuts.runtime.main.wscommands.DefaultNutsUpdateUserCommand;
import net.thevpc.nuts.runtime.util.CoreNutsUtils;
import net.thevpc.nuts.runtime.util.common.CorePlatformUtils;
import net.thevpc.nuts.runtime.util.common.CoreStringUtils;
import net.thevpc.nuts.runtime.util.io.CoreIOUtils;

/* loaded from: input_file:net/thevpc/nuts/runtime/security/DefaultNutsWorkspaceSecurityManager.class */
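/**
 * Default {@link NutsWorkspaceSecurityManager} implementation.
 *
 * <p>It keeps a per-thread stack of JAAS {@link LoginContext}s, derives the current user name from
 * the top of that stack, evaluates permissions by walking the user/group graph stored in the
 * workspace configuration, and delegates credential handling to the configured authentication agent.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>When the workspace is not in secure mode, {@link #isAllowed(String)} grants every permission.</li>
 *   <li>While the workspace is initializing, the current user is reported as {@code "admin"}.</li>
 *   <li>The user named {@code "admin"} is granted every permission without consulting the
 *       configured permissions.</li>
 *   <li>With no login on the current thread, the current user is {@code "anonymous"}.</li>
 * </ul>
 *
 * <p>NOTE(review): the login stack is thread-local but the permission cache is a plain
 * {@link HashMap} that is also cleared from a workspace listener; if instances are shared between
 * threads the cache needs external synchronization or a concurrent map - confirm against callers.
 */
public class DefaultNutsWorkspaceSecurityManager implements NutsWorkspaceSecurityManager {
    /** Name of the built-in administrator account; bypasses permission checks in {@link #isAllowed(String)}. */
    private static final String ADMIN_USER = "admin";
    /** Name reported when no authenticated subject is available on the current thread. */
    private static final String ANONYMOUS_USER = "anonymous";

    public final NutsLogger LOG;
    private final DefaultNutsWorkspace ws;
    private final WrapperNutsAuthenticationAgent agent;
    // One login stack per thread: nested login()/logout() calls push and pop on the caller's thread only.
    private final ThreadLocal<Stack<LoginContext>> loginContextStack = new ThreadLocal<>();
    // Cache of per-user authorizations, dropped whenever the workspace configuration changes.
    private final Map<String, NutsAuthorizations> authorizations = new HashMap<>();

    /**
     * Creates the security manager for a workspace and registers a listener that invalidates the
     * permission cache on every configuration change.
     *
     * @param defaultNutsWorkspace workspace whose configuration holds users, groups and the secure flag
     */
    public DefaultNutsWorkspaceSecurityManager(DefaultNutsWorkspace defaultNutsWorkspace) {
        this.ws = defaultNutsWorkspace;
        this.LOG = defaultNutsWorkspace.log().of(DefaultNutsWorkspaceSecurityManager.class);
        this.agent = new WrapperNutsAuthenticationAgent(defaultNutsWorkspace, () -> {
            return defaultNutsWorkspace.env().toMap();
        }, str -> {
            return getAuthenticationAgent(str, defaultNutsWorkspace.createSession());
        });
        defaultNutsWorkspace.events().addWorkspaceListener(new NutsWorkspaceListener() {
            public void onConfigurationChanged(NutsWorkspaceEvent nutsWorkspaceEvent) {
                // Users, groups or permissions may have changed: cached decisions are no longer trustworthy.
                DefaultNutsWorkspaceSecurityManager.this.authorizations.clear();
            }
        });
    }

    /**
     * Logs in with a user name and password by answering the JAAS name and password callbacks.
     *
     * <p>{@link PasswordCallback#setPassword(char[])} stores a copy of the array, so the caller
     * still owns {@code cArr} and should clear it once the login attempt has finished.
     *
     * @param str  user name
     * @param cArr password characters
     * @return this manager
     * @throws NutsLoginException if the underlying JAAS login fails
     */
    public NutsWorkspaceSecurityManager login(final String str, final char[] cArr) {
        login(new CallbackHandler() {
            @Override
            public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
                for (Callback callback : callbackArr) {
                    if (callback instanceof NameCallback) {
                        ((NameCallback) callback).setName(str);
                    } else if (callback instanceof PasswordCallback) {
                        ((PasswordCallback) callback).setPassword(cArr);
                    } else {
                        throw new UnsupportedCallbackException(callback, "The submitted Callback is unsupported");
                    }
                }
            }
        });
        return this;
    }

    /**
     * Switches the workspace into or out of secure mode.
     *
     * @param z                 {@code true} to enable secure mode, {@code false} to disable it
     * @param cArr              administrator password (see the review note on
     *                          {@link #switchUnsecureMode(char[], NutsUpdateOptions)})
     * @param nutsUpdateOptions update options, validated against the workspace
     * @return {@code true} if the mode actually changed
     */
    public boolean setSecureMode(boolean z, char[] cArr, NutsUpdateOptions nutsUpdateOptions) {
        return z ? switchSecureMode(cArr, nutsUpdateOptions) : switchUnsecureMode(cArr, nutsUpdateOptions);
    }

    /**
     * Disables secure mode, after which {@link #isAllowed(String)} grants every permission.
     *
     * <p>NOTE(review): this is the most sensitive operation in the class, yet the password check
     * it performs (see {@link #legacyAdminPasswordCheck(char[])}) never consults the stored admin
     * credential. Until that is corrected, callers must authorize this call themselves, for
     * example by requiring an authenticated admin session before invoking it.
     *
     * @param cArr              administrator password; {@code null} is treated as empty
     * @param nutsUpdateOptions update options, validated against the workspace
     * @return {@code true} if secure mode was on and has been turned off
     * @throws NutsSecurityException if the legacy password check rejects {@code cArr}
     */
    public boolean switchUnsecureMode(char[] cArr, NutsUpdateOptions nutsUpdateOptions) {
        NutsUpdateOptions options = CoreNutsUtils.validate(nutsUpdateOptions, this.ws);
        char[] adminPassword = cArr == null ? new char[0] : cArr;
        NutsUser admin = findUser(ADMIN_USER);
        if (admin == null || !admin.hasCredentials()) {
            if (this.LOG.isLoggable(Level.CONFIG)) {
                this.LOG.with().level(Level.CONFIG).verb(NutsLogVerb.WARNING).log("admin user has no credentials. reset to default", new Object[0]);
            }
            // NOTE(review): the admin credential is reset to one derived from the literal "admin",
            // and this happens before the caller's password is looked at. A well-known default
            // credential should be replaced by a caller-supplied or randomly generated secret.
            // NOTE(review): when findUser returned null the lookup below also returns null and the
            // setCredentials call fails with a NullPointerException - confirm the intended handling.
            NutsUserConfig adminConfig = NutsWorkspaceConfigManagerExt.of(this.ws.config()).getUser(ADMIN_USER);
            adminConfig.setCredentials(CoreStringUtils.chrToStr(createCredentials(ADMIN_USER.toCharArray(), false, null, options.getSession())));
            NutsWorkspaceConfigManagerExt.of(this.ws.config()).setUser(adminConfig, options);
        }
        legacyAdminPasswordCheck(adminPassword);
        if (!isSecure()) {
            return false;
        }
        NutsWorkspaceConfigManagerExt.of(this.ws.config()).setSecure(false, options);
        return true;
    }

    /**
     * Enables secure mode so that permissions are enforced by {@link #isAllowed(String)}.
     *
     * @param cArr              administrator password; {@code null} is treated as empty
     * @param nutsUpdateOptions update options, validated against the workspace
     * @return {@code true} if secure mode was off and has been turned on
     * @throws NutsSecurityException if the legacy password check rejects {@code cArr}
     */
    public boolean switchSecureMode(char[] cArr, NutsUpdateOptions nutsUpdateOptions) {
        NutsUpdateOptions options = CoreNutsUtils.validate(nutsUpdateOptions, this.ws);
        char[] adminPassword = cArr == null ? new char[0] : cArr;
        legacyAdminPasswordCheck(adminPassword);
        if (isSecure()) {
            return false;
        }
        NutsWorkspaceConfigManagerExt.of(this.ws.config()).setSecure(true, options);
        return true;
    }

    /**
     * Runs the password check shared by both mode switches, unchanged from the original code.
     *
     * <p>NOTE(review): the check compares the SHA-1 of the supplied password with the supplied
     * password itself and rejects only when the two are equal. It never reads the stored admin
     * credential, so it does not authenticate the caller: any ordinary input, including the empty
     * password substituted for {@code null}, passes. The likely intent is to verify the input
     * against the stored admin credential (for instance through
     * {@link #checkCredentials(char[], char[], NutsSession)}), preferably with a password hashing
     * scheme rather than bare SHA-1 - confirm with the maintainers before changing behaviour.
     *
     * @param adminPassword non-null password characters supplied by the caller
     * @throws NutsSecurityException if the digest equals the input
     */
    private void legacyAdminPasswordCheck(char[] adminPassword) {
        char[] digest = CoreIOUtils.evalSHA1(adminPassword);
        try {
            if (Arrays.equals(digest, adminPassword)) {
                throw new NutsSecurityException(this.ws, "Invalid credentials");
            }
        } finally {
            // Wipe the temporary digest on every path, as the original code did.
            Arrays.fill(digest, (char) 0);
        }
    }

    /**
     * Tells whether the current user is the built-in administrator.
     *
     * @return {@code true} when {@link #getCurrentUsername()} is {@code "admin"}, which is also the
     *         case for every caller while the workspace is initializing
     */
    public boolean isAdmin() {
        return ADMIN_USER.equals(getCurrentUsername());
    }

    /**
     * Logs out the most recent login of the current thread.
     *
     * <p>The context is removed from the stack before {@code logout()} is invoked, so it stays
     * removed even when the JAAS logout fails.
     *
     * @return this manager
     * @throws NutsLoginException if the thread has no active login or the JAAS logout fails
     */
    public NutsWorkspaceSecurityManager logout() {
        Stack<LoginContext> contexts = this.loginContextStack.get();
        if (contexts == null || contexts.isEmpty()) {
            throw new NutsLoginException(this.ws, "Not logged in");
        }
        try {
            contexts.pop().logout();
            return this;
        } catch (LoginException e) {
            throw new NutsLoginException(this.ws, e);
        }
    }

    /**
     * Looks up a user and collects the permissions inherited from its groups, transitively.
     *
     * <p>Only group permissions are collected here; the user's own configuration is passed to
     * {@code DefaultNutsUser} as-is. Cyclic group references terminate because a group that has
     * already been expanded is not queued again. A group reachable through several paths may
     * contribute its permissions more than once.
     *
     * @param str user name
     * @return the user, or {@code null} if no user with that name is configured
     */
    public NutsUser findUser(String str) {
        NutsUserConfig user = NutsWorkspaceConfigManagerExt.of(this.ws.config()).getUser(str);
        if (user == null) {
            return null;
        }
        ArrayList<String> inherited = new ArrayList<>();
        HashSet<String> expanded = new HashSet<>();
        expanded.add(str);
        Stack<String> pending = new Stack<>();
        // A missing group array is treated as "no groups", matching the null handling in getAuthorizations.
        pending.addAll(Arrays.asList(orEmpty(user.getGroups())));
        while (!pending.empty()) {
            String groupName = pending.pop();
            expanded.add(groupName);
            NutsUserConfig group = NutsWorkspaceConfigManagerExt.of(this.ws.config()).getUser(groupName);
            if (group == null) {
                continue;
            }
            inherited.addAll(Arrays.asList(orEmpty(group.getPermissions())));
            for (String parent : orEmpty(group.getGroups())) {
                if (!expanded.contains(parent)) {
                    pending.push(parent);
                }
            }
        }
        return new DefaultNutsUser(user, inherited.toArray(new String[0]));
    }

    /**
     * Returns every configured user, resolved through {@link #findUser(String)}.
     *
     * @param nutsSession not used by this implementation
     * @return all configured users
     */
    public NutsUser[] findUsers(NutsSession nutsSession) {
        ArrayList<NutsUser> users = new ArrayList<>();
        for (NutsUserConfig config : NutsWorkspaceConfigManagerExt.of(this.ws.config()).getUsers()) {
            users.add(findUser(config.getUser()));
        }
        return users.toArray(new NutsUser[0]);
    }

    /**
     * Starts an "add user" command for the given user name.
     *
     * @param str user name
     * @return a new command bound to this workspace
     */
    public NutsAddUserCommand addUser(String str) {
        // NOTE(review): "m226setUsername" looks like a decompiler-generated alias; confirm the
        // real method name before recompiling.
        return new DefaultNutsAddUserCommand(this.ws).m226setUsername(str);
    }

    /**
     * Starts an "update user" command for the given user name.
     *
     * @param str user name
     * @return a new command bound to this workspace
     */
    public NutsUpdateUserCommand updateUser(String str) {
        return new DefaultNutsUpdateUserCommand(this.ws).username(str);
    }

    /**
     * Starts a "remove user" command for the given user name.
     *
     * @param str user name
     * @return a new command bound to this workspace
     */
    public NutsRemoveUserCommand removeUser(String str) {
        return new DefaultNutsRemoveUserCommand(this.ws).username(str);
    }

    /**
     * Enforces a permission for the current user.
     *
     * @param str  permission to check
     * @param str2 optional operation name used as a prefix of the error message
     * @return this manager when the permission is granted
     * @throws NutsSecurityException when {@link #isAllowed(String)} denies the permission
     */
    public NutsWorkspaceSecurityManager checkAllowed(String str, String str2) {
        if (isAllowed(str)) {
            return this;
        }
        if (CoreStringUtils.isBlank(str2)) {
            throw new NutsSecurityException(this.ws, str + " not allowed!");
        }
        throw new NutsSecurityException(this.ws, str2 + ": " + str + " not allowed!");
    }

    /**
     * Returns the authorizations declared directly on a user or group, caching them per name.
     * Unknown names yield empty authorizations, which are not cached.
     *
     * @param str user or group name
     * @return the authorizations for that name, never {@code null}
     */
    private NutsAuthorizations getAuthorizations(String str) {
        NutsAuthorizations cached = this.authorizations.get(str);
        if (cached != null) {
            return cached;
        }
        NutsUserConfig user = NutsWorkspaceConfigManagerExt.of(this.ws.config()).getUser(str);
        if (user == null) {
            return new NutsAuthorizations(Collections.emptyList());
        }
        NutsAuthorizations loaded = new NutsAuthorizations(Arrays.asList(orEmpty(user.getPermissions())));
        this.authorizations.put(str, loaded);
        return loaded;
    }

    /**
     * Decides whether the current user holds a permission.
     *
     * <p>Order of evaluation: an unsecured workspace allows everything; a blank user name is
     * denied; {@code "admin"} is allowed; otherwise the user and then its groups are visited
     * depth-first (the last declared group first) and the first explicit accept or deny wins.
     * With no explicit decision the permission is denied.
     *
     * @param str permission to check
     * @return {@code true} if the permission is granted
     */
    public boolean isAllowed(String str) {
        if (!isSecure()) {
            // Secure mode off: no permission is enforced at all.
            return true;
        }
        String currentUser = getCurrentUsername();
        if (CoreStringUtils.isBlank(currentUser)) {
            return false;
        }
        if (ADMIN_USER.equals(currentUser)) {
            return true;
        }
        Stack<String> pending = new Stack<>();
        HashSet<String> seen = new HashSet<>();
        seen.add(currentUser);
        pending.push(currentUser);
        while (!pending.isEmpty()) {
            String name = pending.pop();
            Boolean decision = getAuthorizations(name).explicitAccept(str);
            if (decision != null) {
                return decision;
            }
            NutsUserConfig config = NutsWorkspaceConfigManagerExt.of(this.ws.config()).getUser(name);
            if (config != null) {
                // A missing group array is treated as "no groups" instead of failing the check with an NPE.
                for (String group : orEmpty(config.getGroups())) {
                    if (seen.add(group)) {
                        pending.push(group);
                    }
                }
            }
        }
        // Default deny: nothing in the user/group graph granted the permission.
        return false;
    }

    /**
     * Lists the user names of the current thread's nested logins, oldest first, taking the first
     * principal of each subject.
     *
     * @return the login stack; when it is empty, a single entry {@code "admin"} while the
     *         workspace is initializing, otherwise {@code "anonymous"}
     */
    public String[] getCurrentLoginStack() {
        ArrayList<String> names = new ArrayList<>();
        Stack<LoginContext> contexts = this.loginContextStack.get();
        if (contexts != null) {
            for (LoginContext context : contexts) {
                Subject subject = context.getSubject();
                if (subject == null) {
                    continue;
                }
                for (Principal principal : subject.getPrincipals()) {
                    names.add(principal.getName());
                    break; // only the first principal of each subject is reported
                }
            }
        }
        if (names.isEmpty()) {
            names.add(this.ws.isInitializing() ? ADMIN_USER : ANONYMOUS_USER);
        }
        return names.toArray(new String[0]);
    }

    /**
     * Resolves the name of the user on whose behalf the current thread is acting.
     *
     * @return {@code "admin"} while the workspace is initializing; otherwise the first non-blank
     *         principal name of the most recent login, or {@code "anonymous"} if there is none
     */
    public String getCurrentUsername() {
        if (this.ws.isInitializing()) {
            // Initialization runs with administrator rights regardless of any login.
            return ADMIN_USER;
        }
        Subject subject = getLoginSubject();
        if (subject == null) {
            return ANONYMOUS_USER;
        }
        for (Principal principal : subject.getPrincipals()) {
            String name = principal.getName();
            if (!CoreStringUtils.isBlank(name)) {
                return name;
            }
        }
        return ANONYMOUS_USER;
    }

    /**
     * Returns the subject of the most recent login of the current thread.
     *
     * @return the subject, or {@code null} if the thread has no active login
     */
    private Subject getLoginSubject() {
        LoginContext context = getLoginContext();
        return context == null ? null : context.getSubject();
    }

    /**
     * Performs a JAAS login under the {@code "nuts"} configuration entry and pushes the resulting
     * context on the current thread's login stack.
     *
     * @param callbackHandler supplies the user name and password to the login module
     * @return this manager
     * @throws NutsLoginException if the JAAS login fails
     */
    public NutsWorkspaceSecurityManager login(final CallbackHandler callbackHandler) {
        NutsWorkspaceLoginModule.configure(this.ws);
        try {
            // The context is created with the login module's class loader in effect; presumably so
            // that JAAS can resolve the module class - confirm against CorePlatformUtils.
            LoginContext context = (LoginContext) CorePlatformUtils.runWithinLoader(new Callable<LoginContext>() {
                @Override
                public LoginContext call() throws Exception {
                    return new LoginContext("nuts", callbackHandler);
                }
            }, NutsWorkspaceLoginModule.class.getClassLoader());
            context.login();
            Stack<LoginContext> contexts = this.loginContextStack.get();
            if (contexts == null) {
                contexts = new Stack<>();
                this.loginContextStack.set(contexts);
            }
            // Pushed only after a successful login, so a failed attempt leaves the stack untouched.
            contexts.push(context);
            return this;
        } catch (LoginException e) {
            throw new NutsLoginException(this.ws, e);
        }
    }

    /**
     * Returns the most recent login context of the current thread.
     *
     * @return the context on top of the stack, or {@code null} if there is none
     */
    private LoginContext getLoginContext() {
        Stack<LoginContext> contexts = this.loginContextStack.get();
        if (contexts == null || contexts.isEmpty()) {
            return null;
        }
        return contexts.peek();
    }

    /**
     * Creates the authentication agent with the given id, falling back to the agent stored in the
     * workspace security configuration when the id is blank.
     *
     * @param str         agent id, may be blank
     * @param nutsSession session passed to the agent factory
     * @return the agent as returned by the configuration manager
     */
    public NutsAuthenticationAgent getAuthenticationAgent(String str, NutsSession nutsSession) {
        String agentId = CoreStringUtils.trim(str);
        if (CoreStringUtils.isBlank(agentId)) {
            agentId = NutsWorkspaceConfigManagerExt.of(this.ws.config()).getStoredConfigSecurity().getAuthenticationAgent();
        }
        return NutsWorkspaceConfigManagerExt.of(this.ws.config()).createAuthenticationAgent(agentId, nutsSession);
    }

    /**
     * Selects the authentication agent stored in the workspace security configuration and fires a
     * security configuration event when the value changes.
     *
     * @param str               agent id; must be creatable by the configuration manager
     * @param nutsUpdateOptions update options, validated against the workspace
     * @return this manager
     * @throws NutsIllegalArgumentException if no agent can be created for {@code str}
     */
    public NutsWorkspaceSecurityManager setAuthenticationAgent(String str, NutsUpdateOptions nutsUpdateOptions) {
        NutsUpdateOptions options = CoreNutsUtils.validate(nutsUpdateOptions, this.ws);
        NutsWorkspaceConfigManagerExt config = NutsWorkspaceConfigManagerExt.of(this.ws.config());
        if (config.createAuthenticationAgent(str, options.getSession()) == null) {
            throw new NutsIllegalArgumentException(this.ws, "Unsupported Authentication Agent " + str);
        }
        NutsWorkspaceConfigSecurity security = config.getStoredConfigSecurity();
        if (!Objects.equals(security.getAuthenticationAgent(), str)) {
            security.setAuthenticationAgent(str);
            config.fireConfigurationChanged("authentication-agent", options.getSession(), ConfigEventType.SECURITY);
        }
        return this;
    }

    /**
     * Tells whether the workspace enforces permissions.
     *
     * @return the secure flag of the stored security configuration
     */
    public boolean isSecure() {
        return NutsWorkspaceConfigManagerExt.of(this.ws.config()).getStoredConfigSecurity().isSecure();
    }

    /** Alias of {@link #getCurrentUsername()}. */
    public String currentUsername() {
        return getCurrentUsername();
    }

    /** Alias of {@link #getCurrentLoginStack()}. */
    public String[] currentLoginStack() {
        return getCurrentLoginStack();
    }

    /**
     * Delegates credential verification to the authentication agent.
     *
     * @param cArr        first credential argument, passed through unchanged
     * @param cArr2       second credential argument, passed through unchanged
     * @param nutsSession session passed to the agent
     * @throws NutsSecurityException as raised by the agent
     */
    public void checkCredentials(char[] cArr, char[] cArr2, NutsSession nutsSession) throws NutsSecurityException {
        this.agent.checkCredentials(cArr, cArr2, nutsSession);
    }

    /**
     * Delegates credential retrieval to the authentication agent.
     *
     * @param cArr        credential identifier, passed through unchanged
     * @param nutsSession session passed to the agent
     * @return the agent's result; callers should clear the array after use
     */
    public char[] getCredentials(char[] cArr, NutsSession nutsSession) {
        return this.agent.getCredentials(cArr, nutsSession);
    }

    /**
     * Delegates credential removal to the authentication agent.
     *
     * @param cArr        credential identifier, passed through unchanged
     * @param nutsSession session passed to the agent
     * @return the agent's result
     */
    public boolean removeCredentials(char[] cArr, NutsSession nutsSession) {
        return this.agent.removeCredentials(cArr, nutsSession);
    }

    /**
     * Delegates credential creation to the authentication agent.
     *
     * @param cArr        credential material, passed through unchanged
     * @param z           flag passed through unchanged to the agent
     * @param cArr2       optional existing credential identifier, passed through unchanged
     * @param nutsSession session passed to the agent
     * @return the agent's result
     */
    public char[] createCredentials(char[] cArr, boolean z, char[] cArr2, NutsSession nutsSession) {
        return this.agent.createCredentials(cArr, z, cArr2, nutsSession);
    }

    /** Returns the array itself, or an empty array when it is {@code null}. */
    private static String[] orEmpty(String[] values) {
        return values == null ? new String[0] : values;
    }
}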
