package net.thevpc.nuts.runtime.standalone.security;

import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.Stack;
import java.util.concurrent.Callable;
import java.util.logging.Level;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import net.thevpc.nuts.NutsAddUserCommand;
import net.thevpc.nuts.NutsAuthenticationAgent;
import net.thevpc.nuts.NutsIllegalArgumentException;
import net.thevpc.nuts.NutsLogVerb;
import net.thevpc.nuts.NutsLogger;
import net.thevpc.nuts.NutsLoggerOp;
import net.thevpc.nuts.NutsLoginException;
import net.thevpc.nuts.NutsMessage;
import net.thevpc.nuts.NutsRemoveUserCommand;
import net.thevpc.nuts.NutsSecurityException;
import net.thevpc.nuts.NutsSession;
import net.thevpc.nuts.NutsUpdateUserCommand;
import net.thevpc.nuts.NutsUser;
import net.thevpc.nuts.NutsUserConfig;
import net.thevpc.nuts.NutsUtilStrings;
import net.thevpc.nuts.NutsWorkspace;
import net.thevpc.nuts.NutsWorkspaceEvent;
import net.thevpc.nuts.NutsWorkspaceListener;
import net.thevpc.nuts.runtime.bundles.common.CorePlatformUtils;
import net.thevpc.nuts.runtime.core.config.NutsWorkspaceConfigManagerExt;
import net.thevpc.nuts.runtime.core.util.CoreIOUtils;
import net.thevpc.nuts.runtime.core.util.CoreStringUtils;
import net.thevpc.nuts.runtime.standalone.DefaultNutsWorkspace;
import net.thevpc.nuts.runtime.standalone.config.ConfigEventType;
import net.thevpc.nuts.runtime.standalone.config.DefaultNutsWorkspaceConfigModel;
import net.thevpc.nuts.runtime.standalone.config.NutsWorkspaceConfigSecurity;
import net.thevpc.nuts.runtime.standalone.wscommands.DefaultNutsAddUserCommand;
import net.thevpc.nuts.runtime.standalone.wscommands.DefaultNutsRemoveUserCommand;
import net.thevpc.nuts.runtime.standalone.wscommands.DefaultNutsUpdateUserCommand;

/* loaded from: input_file:net/thevpc/nuts/runtime/standalone/security/DefaultNutsWorkspaceSecurityModel.class */
public class DefaultNutsWorkspaceSecurityModel {
    private final DefaultNutsWorkspace ws;
    private final WrapperNutsAuthenticationAgent agent;
    private NutsLogger LOG;
    private final ThreadLocal<Stack<LoginContext>> loginContextStack = new ThreadLocal<>();
    private final Map<String, NutsAuthorizations> authorizations = new HashMap();

    /* loaded from: input_file:net/thevpc/nuts/runtime/standalone/security/DefaultNutsWorkspaceSecurityModel$ClearAuthOnWorkspaceChange.class */
    private class ClearAuthOnWorkspaceChange implements NutsWorkspaceListener {
        public ClearAuthOnWorkspaceChange() {
        }

        public void onConfigurationChanged(NutsWorkspaceEvent nutsWorkspaceEvent) {
            DefaultNutsWorkspaceSecurityModel.this.authorizations.clear();
        }
    }

    public DefaultNutsWorkspaceSecurityModel(DefaultNutsWorkspace defaultNutsWorkspace) {
        this.ws = defaultNutsWorkspace;
        this.agent = new WrapperNutsAuthenticationAgent(defaultNutsWorkspace, nutsSession -> {
            return defaultNutsWorkspace.env().setSession(nutsSession).getEnvMap();
        }, (str, nutsSession2) -> {
            return getAuthenticationAgent(str, nutsSession2);
        });
        defaultNutsWorkspace.events().addWorkspaceListener(new ClearAuthOnWorkspaceChange());
    }

    protected NutsLoggerOp _LOGOP(NutsSession nutsSession) {
        return _LOG(nutsSession).with().session(nutsSession);
    }

    protected NutsLogger _LOG(NutsSession nutsSession) {
        if (this.LOG == null) {
            this.LOG = this.ws.log().setSession(nutsSession).of(DefaultNutsWorkspaceSecurityModel.class);
        }
        return this.LOG;
    }

    public void login(final String str, final char[] cArr, NutsSession nutsSession) {
        login(new CallbackHandler() { // from class: net.thevpc.nuts.runtime.standalone.security.DefaultNutsWorkspaceSecurityModel.1
            @Override // javax.security.auth.callback.CallbackHandler
            public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
                for (Callback callback : callbackArr) {
                    if (callback instanceof NameCallback) {
                        ((NameCallback) callback).setName(str);
                    } else {
                        if (!(callback instanceof PasswordCallback)) {
                            throw new UnsupportedCallbackException(callback, "the submitted Callback is unsupported");
                        }
                        ((PasswordCallback) callback).setPassword(cArr);
                    }
                }
            }
        }, nutsSession);
    }

    public boolean setSecureMode(boolean z, char[] cArr, NutsSession nutsSession) {
        return z ? switchSecureMode(cArr, nutsSession) : switchUnsecureMode(cArr, nutsSession);
    }

    public boolean switchUnsecureMode(char[] cArr, NutsSession nutsSession) {
        if (cArr == null) {
            cArr = new char[0];
        }
        NutsUser findUser = findUser("admin", nutsSession);
        if (findUser == null || !findUser.hasCredentials()) {
            if (_LOG(nutsSession).isLoggable(Level.CONFIG)) {
                _LOGOP(nutsSession).level(Level.CONFIG).verb(NutsLogVerb.WARNING).log("admin user has no credentials. reset to default", new Object[0]);
            }
            NutsUserConfig user = NutsWorkspaceConfigManagerExt.of(this.ws.config()).getModel().getUser("admin", nutsSession);
            user.setCredentials(CoreStringUtils.chrToStr(createCredentials("admin".toCharArray(), false, null, nutsSession)));
            NutsWorkspaceConfigManagerExt.of(this.ws.config()).getModel().setUser(user, nutsSession);
        }
        char[] evalSHA1 = CoreIOUtils.evalSHA1(cArr);
        if (Arrays.equals(evalSHA1, cArr)) {
            Arrays.fill(evalSHA1, (char) 0);
            throw new NutsSecurityException(nutsSession, NutsMessage.plain("invalid credentials"));
        }
        Arrays.fill(evalSHA1, (char) 0);
        boolean z = false;
        if (isSecure(nutsSession)) {
            NutsWorkspaceConfigManagerExt.of(this.ws.config()).getModel().setSecure(false, nutsSession);
            z = true;
        }
        return z;
    }

    public boolean switchSecureMode(char[] cArr, NutsSession nutsSession) {
        if (cArr == null) {
            cArr = new char[0];
        }
        boolean z = false;
        char[] evalSHA1 = CoreIOUtils.evalSHA1(cArr);
        if (Arrays.equals(evalSHA1, cArr)) {
            Arrays.fill(evalSHA1, (char) 0);
            throw new NutsSecurityException(nutsSession, NutsMessage.plain("invalid credentials"));
        }
        Arrays.fill(evalSHA1, (char) 0);
        if (!isSecure(nutsSession)) {
            NutsWorkspaceConfigManagerExt.of(this.ws.config()).getModel().setSecure(true, nutsSession);
            z = true;
        }
        return z;
    }

    public boolean isAdmin(NutsSession nutsSession) {
        return "admin".equals(getCurrentUsername(nutsSession));
    }

    public void logout(NutsSession nutsSession) {
        Stack<LoginContext> stack = this.loginContextStack.get();
        if (stack == null || stack.isEmpty()) {
            throw new NutsLoginException(nutsSession, NutsMessage.cstyle("not logged in", new Object[0]));
        }
        try {
            stack.pop().logout();
        } catch (LoginException e) {
            throw new NutsLoginException(nutsSession, NutsMessage.plain("login failed"), e);
        }
    }

    public NutsUser findUser(String str, NutsSession nutsSession) {
        NutsUserConfig user = NutsWorkspaceConfigManagerExt.of(this.ws.config()).getModel().getUser(str, nutsSession);
        Stack stack = new Stack();
        if (user != null) {
            Stack stack2 = new Stack();
            stack2.push(str);
            Stack stack3 = new Stack();
            stack3.addAll(Arrays.asList(user.getGroups()));
            while (!stack3.empty()) {
                String str2 = (String) stack3.pop();
                stack2.add(str2);
                NutsUserConfig user2 = NutsWorkspaceConfigManagerExt.of(this.ws.config()).getModel().getUser(str2, nutsSession);
                if (user2 != null) {
                    stack.addAll(Arrays.asList(user2.getPermissions()));
                    for (String str3 : user2.getGroups()) {
                        if (!stack2.contains(str3)) {
                            stack3.push(str3);
                        }
                    }
                }
            }
        }
        if (user == null) {
            return null;
        }
        return new DefaultNutsUser(user, (String[]) stack.toArray(new String[0]));
    }

    public NutsUser[] findUsers(NutsSession nutsSession) {
        ArrayList arrayList = new ArrayList();
        for (NutsUserConfig nutsUserConfig : NutsWorkspaceConfigManagerExt.of(this.ws.config()).getModel().getUsers(nutsSession)) {
            arrayList.add(findUser(nutsUserConfig.getUser(), nutsSession));
        }
        return (NutsUser[]) arrayList.toArray(new NutsUser[0]);
    }

    public NutsAddUserCommand addUser(String str, NutsSession nutsSession) {
        return new DefaultNutsAddUserCommand(this.ws).m320setUsername(str).setSession(nutsSession);
    }

    public NutsUpdateUserCommand updateUser(String str, NutsSession nutsSession) {
        return new DefaultNutsUpdateUserCommand(this.ws).setUsername(str).setSession(nutsSession);
    }

    public NutsRemoveUserCommand removeUser(String str, NutsSession nutsSession) {
        return new DefaultNutsRemoveUserCommand(this.ws).setUsername(str).setSession(nutsSession);
    }

    public void checkAllowed(String str, String str2, NutsSession nutsSession) {
        if (isAllowed(str, nutsSession)) {
            return;
        }
        if (!NutsUtilStrings.isBlank(str2)) {
            throw new NutsSecurityException(nutsSession, NutsMessage.cstyle("%s : %s not allowed!", new Object[]{str2, str}));
        }
        throw new NutsSecurityException(nutsSession, NutsMessage.cstyle("%s not allowed!", new Object[]{str}));
    }

    private NutsAuthorizations getAuthorizations(String str, NutsSession nutsSession) {
        NutsAuthorizations nutsAuthorizations;
        NutsAuthorizations nutsAuthorizations2 = this.authorizations.get(str);
        if (nutsAuthorizations2 != null) {
            return nutsAuthorizations2;
        }
        NutsUserConfig user = NutsWorkspaceConfigManagerExt.of(this.ws.config()).getModel().getUser(str, nutsSession);
        if (user != null) {
            String[] permissions = user.getPermissions();
            nutsAuthorizations = new NutsAuthorizations(Arrays.asList(permissions == null ? new String[0] : permissions));
            this.authorizations.put(str, nutsAuthorizations);
        } else {
            nutsAuthorizations = new NutsAuthorizations(Collections.emptyList());
        }
        return nutsAuthorizations;
    }

    public boolean isAllowed(String str, NutsSession nutsSession) {
        if (!isSecure(nutsSession)) {
            return true;
        }
        String currentUsername = getCurrentUsername(nutsSession);
        if (NutsUtilStrings.isBlank(currentUsername)) {
            return false;
        }
        if ("admin".equals(currentUsername)) {
            return true;
        }
        Stack stack = new Stack();
        HashSet hashSet = new HashSet();
        hashSet.add(currentUsername);
        stack.push(currentUsername);
        while (!stack.isEmpty()) {
            String str2 = (String) stack.pop();
            Boolean explicitAccept = getAuthorizations(str2, nutsSession).explicitAccept(str);
            if (explicitAccept != null) {
                return explicitAccept.booleanValue();
            }
            NutsUserConfig user = NutsWorkspaceConfigManagerExt.of(this.ws.config()).getModel().getUser(str2, nutsSession);
            if (user != null) {
                for (String str3 : user.getGroups()) {
                    if (!hashSet.contains(str3)) {
                        hashSet.add(str3);
                        stack.push(str3);
                    }
                }
            }
        }
        return false;
    }

    public String[] getCurrentLoginStack(NutsSession nutsSession) {
        ArrayList arrayList = new ArrayList();
        Stack<LoginContext> stack = this.loginContextStack.get();
        if (stack != null) {
            Iterator<LoginContext> it = stack.iterator();
            while (it.hasNext()) {
                Subject subject = it.next().getSubject();
                if (subject != null) {
                    Iterator<Principal> it2 = subject.getPrincipals().iterator();
                    if (it2.hasNext()) {
                        arrayList.add(it2.next().getName());
                    }
                }
            }
        }
        if (arrayList.isEmpty()) {
            if (this.ws.isInitializing()) {
                arrayList.add("admin");
            } else {
                arrayList.add("anonymous");
            }
        }
        return (String[]) arrayList.toArray(new String[0]);
    }

    public String getCurrentUsername(NutsSession nutsSession) {
        if (this.ws.isInitializing()) {
            return "admin";
        }
        Subject loginSubject = getLoginSubject();
        if (loginSubject == null) {
            return "anonymous";
        }
        Iterator<Principal> it = loginSubject.getPrincipals().iterator();
        while (it.hasNext()) {
            String name = it.next().getName();
            if (!NutsUtilStrings.isBlank(name) && !NutsUtilStrings.isBlank(name)) {
                return name;
            }
        }
        return "anonymous";
    }

    private Subject getLoginSubject() {
        LoginContext loginContext = getLoginContext();
        if (loginContext == null) {
            return null;
        }
        return loginContext.getSubject();
    }

    public void login(final CallbackHandler callbackHandler, NutsSession nutsSession) {
        NutsWorkspaceLoginModule.configure(this.ws);
        try {
            LoginContext loginContext = (LoginContext) CorePlatformUtils.runWithinLoader(new Callable<LoginContext>() { // from class: net.thevpc.nuts.runtime.standalone.security.DefaultNutsWorkspaceSecurityModel.2
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.util.concurrent.Callable
                public LoginContext call() throws Exception {
                    return new LoginContext("nuts", callbackHandler);
                }
            }, NutsWorkspaceLoginModule.class.getClassLoader(), nutsSession);
            loginContext.login();
            Stack<LoginContext> stack = this.loginContextStack.get();
            if (stack == null) {
                stack = new Stack<>();
                this.loginContextStack.set(stack);
            }
            stack.push(loginContext);
        } catch (LoginException e) {
            throw new NutsLoginException(nutsSession, NutsMessage.plain("login failed"), e);
        }
    }

    private LoginContext getLoginContext() {
        Stack<LoginContext> stack = this.loginContextStack.get();
        if (stack == null || stack.isEmpty()) {
            return null;
        }
        return stack.peek();
    }

    public NutsAuthenticationAgent getAuthenticationAgent(String str, NutsSession nutsSession) {
        String trim = NutsUtilStrings.trim(str);
        if (NutsUtilStrings.isBlank(trim)) {
            trim = NutsWorkspaceConfigManagerExt.of(this.ws.config()).getModel().getStoredConfigSecurity().getAuthenticationAgent();
        }
        return NutsWorkspaceConfigManagerExt.of(this.ws.config()).getModel().createAuthenticationAgent(trim, nutsSession);
    }

    public void setAuthenticationAgent(String str, NutsSession nutsSession) {
        DefaultNutsWorkspaceConfigModel model = NutsWorkspaceConfigManagerExt.of(this.ws.config()).getModel();
        if (model.createAuthenticationAgent(str, nutsSession) == null) {
            throw new NutsIllegalArgumentException(nutsSession, NutsMessage.cstyle("unsupported Authentication Agent %s", new Object[]{str}));
        }
        NutsWorkspaceConfigSecurity storedConfigSecurity = model.getStoredConfigSecurity();
        if (Objects.equals(storedConfigSecurity.getAuthenticationAgent(), str)) {
            return;
        }
        storedConfigSecurity.setAuthenticationAgent(str);
        model.fireConfigurationChanged("authentication-agent", nutsSession, ConfigEventType.SECURITY);
    }

    public boolean isSecure(NutsSession nutsSession) {
        return NutsWorkspaceConfigManagerExt.of(this.ws.config()).getModel().getStoredConfigSecurity().isSecure();
    }

    public void checkCredentials(char[] cArr, char[] cArr2, NutsSession nutsSession) throws NutsSecurityException {
        this.agent.checkCredentials(cArr, cArr2, nutsSession);
    }

    public char[] getCredentials(char[] cArr, NutsSession nutsSession) {
        return this.agent.getCredentials(cArr, nutsSession);
    }

    public boolean removeCredentials(char[] cArr, NutsSession nutsSession) {
        return this.agent.removeCredentials(cArr, nutsSession);
    }

    public char[] createCredentials(char[] cArr, boolean z, char[] cArr2, NutsSession nutsSession) {
        return this.agent.createCredentials(cArr, z, cArr2, nutsSession);
    }

    public NutsWorkspace getWorkspace() {
        return this.ws;
    }
}
