package org.pentaho.platform.repository2.unified.jcr.jackrabbit.security;

import java.security.Principal;
import java.security.acl.Group;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Properties;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.jcr.Session;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.jackrabbit.api.security.principal.PrincipalIterator;
import org.apache.jackrabbit.core.security.AnonymousPrincipal;
import org.apache.jackrabbit.core.security.UserPrincipal;
import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
import org.apache.jackrabbit.core.security.principal.EveryonePrincipal;
import org.apache.jackrabbit.core.security.principal.PrincipalIteratorAdapter;
import org.apache.jackrabbit.core.security.principal.PrincipalProvider;
import org.pentaho.platform.api.engine.ICacheManager;
import org.pentaho.platform.api.engine.IConfiguration;
import org.pentaho.platform.api.engine.IPentahoSession;
import org.pentaho.platform.api.engine.ISystemConfig;
import org.pentaho.platform.api.engine.IUserRoleListService;
import org.pentaho.platform.engine.core.system.PentahoSystem;
import org.pentaho.platform.repository2.unified.jcr.JcrAclMetadataStrategy;
import org.pentaho.platform.repository2.unified.jcr.JcrTenantUtils;
import org.pentaho.platform.repository2.unified.jcr.jackrabbit.security.messages.Messages;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.util.Assert;

/* loaded from: input_file:org/pentaho/platform/repository2/unified/jcr/jackrabbit/security/SpringSecurityPrincipalProvider.class */
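/**
 * Jackrabbit {@link PrincipalProvider} that resolves JCR principal names to principal objects using
 * Spring Security's {@link UserDetailsService} and Pentaho's {@link IUserRoleListService}, with two
 * {@link ICacheManager} regions ({@link #USER_CACHE_REGION}, {@link #ROLE_CACHE_REGION}) in front.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>{@code skipUserVerification} defaults to {@code true}. While it is set, {@link #getPrincipal(String)}
 *       returns a {@link UserPrincipal} for every name that {@code JcrTenantUtils.isTenantedUser} accepts,
 *       without asking the back-end whether that user exists.</li>
 *   <li>{@link #canReadPrincipal(Session, Principal)} answers {@code true} for every session.</li>
 *   <li>{@link #internalGetUserDetails(String)} prefers the authorities of the thread's current
 *       {@link Authentication} over a role lookup for the requested name.</li>
 * </ul>
 *
 * <p>Lifecycle: {@link #init(Properties)} must be called once before use and {@link #close()} resets the
 * provider; most public methods throw {@link IllegalStateException} when called outside that window.
 */
public class SpringSecurityPrincipalProvider implements PrincipalProvider {
    public static final String ROLE_CACHE_REGION = "principalProviderRoleCache";
    public static final String USER_CACHE_REGION = "principalProviderUserCache";
    private ICacheManager cacheManager;
    private UserDetailsService userDetailsService;
    private IUserRoleListService userRoleListService;
    private String adminId;
    private AdminPrincipal adminPrincipal;
    private String anonymousId;
    private boolean skipUserVerification;
    private Log logger = LogFactory.getLog(SpringSecurityPrincipalProvider.class);
    private final AnonymousPrincipal anonymousPrincipal = new AnonymousPrincipal();
    // Account-state flags passed to the Spring Security User built in internalGetUserDetails.
    final boolean ACCOUNT_NON_EXPIRED = true;
    final boolean CREDS_NON_EXPIRED = true;
    final boolean ACCOUNT_NON_LOCKED = true;
    private final String SKIP_USER_VERIFICATION_PROP_KEY = "skipUserVerificationOnPrincipalCreation";
    private final boolean SKIP_USER_VERIFICATION_DEFAULT_VALUE = true;
    private ISystemConfig systemConfig = (ISystemConfig) PentahoSystem.get(ISystemConfig.class);
    // Doubles as the lifecycle flag and as the monitor guarding init()/checkInitialized().
    private final AtomicBoolean initialized = new AtomicBoolean(false);

    /**
     * Replaces the cache manager. Note that {@link #init(Properties)} assigns the field again from
     * {@code PentahoSystem.getCacheManager}, so a value set before {@code init} does not survive it.
     *
     * @param iCacheManager cache manager to use; {@code null} disables caching
     */
    void setCacheManager(ICacheManager iCacheManager) {
        this.cacheManager = iCacheManager;
    }

    /**
     * Reads the admin and anonymous ids, registers the cache regions and resolves the
     * {@code skipUserVerificationOnPrincipalCreation} setting.
     *
     * @param properties provider configuration; {@code adminId} defaults to {@code "admin"} and
     *                   {@code anonymousId} to {@code "anonymous"}
     * @throws IllegalStateException if the provider is already initialized
     */
    public void init(Properties properties) {
        // The whole initialization runs under the monitor: checking the flag under the lock but
        // setting it outside would let two concurrent callers both pass the check.
        synchronized (this.initialized) {
            if (this.initialized.get()) {
                throw new IllegalStateException(Messages.getInstance().getString("SpringSecurityPrincipalProvider.ERROR_0001_ALREADY_INITIALIZED"));
            }
            this.adminId = properties.getProperty("adminId", "admin");
            this.adminPrincipal = new AdminPrincipal(this.adminId);
            if (this.logger.isTraceEnabled()) {
                this.logger.trace(String.format("using adminId [%s]", this.adminId));
            }
            this.anonymousId = properties.getProperty("anonymousId", "anonymous");
            if (this.logger.isTraceEnabled()) {
                this.logger.trace(String.format("using anonymousId [%s]", this.anonymousId));
            }
            this.cacheManager = PentahoSystem.getCacheManager((IPentahoSession) null);
            if (this.cacheManager != null) {
                if (!this.cacheManager.cacheEnabled(USER_CACHE_REGION)) {
                    this.cacheManager.addCacheRegion(USER_CACHE_REGION);
                }
                if (!this.cacheManager.cacheEnabled(ROLE_CACHE_REGION)) {
                    this.cacheManager.addCacheRegion(ROLE_CACHE_REGION);
                }
            }
            initSkipUserVerification(properties);
            this.initialized.set(true);
        }
    }

    /**
     * Clears both cache regions, drops the cache manager and marks the provider uninitialized.
     *
     * @throws IllegalStateException if the provider is not initialized
     */
    public void close() {
        checkInitialized();
        clearCaches();
        this.cacheManager = null;
        this.initialized.set(false);
    }

    /** Empties the role and user cache regions; a no-op when no cache manager is set. */
    public synchronized void clearCaches() {
        if (this.cacheManager != null) {
            this.cacheManager.clearRegionCache(ROLE_CACHE_REGION);
            this.cacheManager.clearRegionCache(USER_CACHE_REGION);
        }
    }

    /**
     * Always grants read access: neither the session nor the principal is inspected, so any
     * restriction on who may see a principal has to be enforced elsewhere.
     *
     * @throws IllegalStateException if the provider is not initialized
     */
    public synchronized boolean canReadPrincipal(Session session, Principal principal) {
        checkInitialized();
        return true;
    }

    /**
     * Resolves a principal name, checking in order: ACL-metadata principal, admin id, anonymous id,
     * the "everyone" principal, tenanted user, tenanted role.
     *
     * <p>For a tenanted user the back-end is consulted only when {@code skipUserVerification} is
     * {@code false}; otherwise a {@link UserPrincipal} is created (and cached) for the name as given.
     *
     * @param str principal name, must not be {@code null}
     * @return the principal, or {@code null} if the name is neither a known built-in, a tenanted user
     *         nor a tenanted role, or if verification is enabled and the user is unknown
     * @throws IllegalStateException if the provider is not initialized
     */
    public synchronized Principal getPrincipal(String str) {
        // NOTE(review): the name is written to the log as received — confirm the log layout
        // neutralises line breaks if names can come from untrusted callers.
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("principalName: [" + str + "]");
        }
        checkInitialized();
        Assert.notNull(str);
        if (JcrAclMetadataStrategy.AclMetadataPrincipal.isAclMetadataPrincipal(str)) {
            return new JcrAclMetadataStrategy.AclMetadataPrincipal(str);
        }
        if (this.adminId.equals(str)) {
            return this.adminPrincipal;
        }
        if (this.anonymousId.equals(str)) {
            return this.anonymousPrincipal;
        }
        if (EveryonePrincipal.getInstance().getName().equals(str)) {
            return EveryonePrincipal.getInstance();
        }
        // close() nulls the field without taking this object's monitor, so work on one snapshot.
        ICacheManager cache = this.cacheManager;
        if (JcrTenantUtils.isTenantedUser(str)) {
            if (cache != null) {
                // NOTE(review): the lookup key is getTenantedUser(str) while the entry below is stored
                // under str — presumably identical for an already-tenanted name; confirm.
                Principal cachedUser = (Principal) cache.getFromRegionCache(USER_CACHE_REGION, JcrTenantUtils.getTenantedUser(str));
                if (cachedUser != null) {
                    if (this.logger.isTraceEnabled()) {
                        this.logger.trace("user " + str + " found in cache");
                    }
                    return cachedUser;
                }
                if (this.logger.isTraceEnabled()) {
                    this.logger.trace("user " + str + " not found in cache");
                }
            } else if (this.logger.isTraceEnabled()) {
                this.logger.trace(" Cache is not available. Will create a principal for user [" + str + ']');
            }
            // With skipUserVerification set (the default) no existence check happens here.
            if (!this.skipUserVerification && internalGetUserDetails(str) == null) {
                return null;
            }
            UserPrincipal userPrincipal = new UserPrincipal(str);
            if (cache != null) {
                cache.putInRegionCache(USER_CACHE_REGION, str, userPrincipal);
            }
            return userPrincipal;
        }
        if (!JcrTenantUtils.isTenatedRole(str)) {
            return null;
        }
        if (cache != null) {
            Principal cachedRole = (Principal) cache.getFromRegionCache(ROLE_CACHE_REGION, JcrTenantUtils.getTenantedRole(str));
            if (cachedRole != null) {
                if (this.logger.isTraceEnabled()) {
                    this.logger.trace("role " + str + " found in cache");
                }
                return cachedRole;
            }
            if (this.logger.isTraceEnabled()) {
                this.logger.trace("role " + str + " not found in cache");
            }
        } else if (this.logger.isTraceEnabled()) {
            this.logger.trace(" Cache is not available. Will create a principal for role [" + str + ']');
        }
        // Role names are never verified against a back-end: any tenanted role name yields a principal.
        SpringSecurityRolePrincipal rolePrincipal = createSpringSecurityRolePrincipal(str);
        if (cache != null) {
            cache.putInRegionCache(ROLE_CACHE_REGION, str, rolePrincipal);
        }
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("assuming " + str + " is a role");
        }
        return rolePrincipal;
    }

    /**
     * Returns the groups a principal belongs to.
     *
     * <p>Anonymous and "everyone" get no memberships. Groups, the admin principal and ACL-metadata
     * principals get only "everyone". Any other principal is treated as a user: its authorities are
     * turned into role principals and "everyone" is added.
     *
     * @param principal principal to inspect, must not be {@code null}
     * @return the memberships; empty when the user cannot be resolved
     * @throws IllegalStateException if the provider is not initialized
     */
    public PrincipalIterator getGroupMembership(Principal principal) {
        checkInitialized();
        Assert.notNull(principal);
        if (principal instanceof AnonymousPrincipal || principal instanceof EveryonePrincipal) {
            return PrincipalIteratorAdapter.EMPTY;
        }
        HashSet<Principal> groups = new HashSet<Principal>();
        boolean treatAsUser = !(principal instanceof Group)
                && !(principal instanceof AdminPrincipal)
                && !(principal instanceof JcrAclMetadataStrategy.AclMetadataPrincipal);
        if (treatAsUser) {
            UserDetails details = internalGetUserDetails(principal.getName());
            if (details == null) {
                // Unknown user: no memberships at all, not even "everyone".
                return new PrincipalIteratorAdapter(groups);
            }
            // This method is not synchronized; read the field once so a concurrent close() cannot
            // null it between the check and the lookup.
            ICacheManager cache = this.cacheManager;
            for (GrantedAuthority granted : details.getAuthorities()) {
                String authority = granted.getAuthority();
                Principal cachedRole = cache == null ? null : (Principal) cache.getFromRegionCache(ROLE_CACHE_REGION, authority);
                if (cachedRole != null) {
                    groups.add(cachedRole);
                } else {
                    groups.add(createSpringSecurityRolePrincipal(authority));
                }
            }
        }
        groups.add(EveryonePrincipal.getInstance());
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("group membership for principal=" + principal + " is " + groups);
        }
        return new PrincipalIteratorAdapter(groups);
    }

    /**
     * Looks up the details of a user, preferring the current security context over the back-end.
     *
     * <p>If the thread's {@link Authentication} holds a {@link UserDetails} with the same user name,
     * that object is returned as is. Otherwise the user is loaded through the
     * {@link UserDetailsService} and a new {@link User} is built whose authorities are the tenanted
     * form of either the current {@code Authentication}'s authorities or, when there are none, the
     * roles reported by the {@link IUserRoleListService}.
     *
     * <p>The returned object carries the password value supplied by the back-end; it must not be
     * logged or exposed.
     *
     * @param str user name; {@code null} and the literal {@code "administrators"} resolve to no user
     * @return the user details, or {@code null} if the user is unknown or no
     *         {@link UserDetailsService} is available
     */
    protected UserDetails internalGetUserDetails(String str) {
        // A null name cannot match any user; answering here also keeps the equals() below from
        // dereferencing null when the security context holds a UserDetails principal.
        if (str == null || str.equals("administrators")) {
            return null;
        }
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication != null) {
            Object principal = authentication.getPrincipal();
            if ((principal instanceof UserDetails) && str.equals(((UserDetails) principal).getUsername())) {
                return (UserDetails) principal;
            }
        }
        UserDetailsService detailsService = getUserDetailsService();
        if (detailsService == null) {
            return null;
        }
        ICacheManager cache = this.cacheManager;
        UserDetails userDetails = null;
        List<GrantedAuthority> tenantedAuthorities = null;
        try {
            userDetails = detailsService.loadUserByUsername(str);
            List<GrantedAuthority> sourceAuthorities;
            if (authentication == null || authentication.getAuthorities() == null || authentication.getAuthorities().size() == 0) {
                if (this.logger.isTraceEnabled()) {
                    this.logger.trace("Authentication object from SecurityContextHolder is null, so getting the roles for [ " + userDetails.getUsername() + " ]  from IUserRoleListService ");
                }
                // NOTE(review): getUserRoleListService() returns null until PentahoSystem reports a
                // successful initialization, in which case this line throws NullPointerException.
                List<String> roles = getUserRoleListService().getRolesForUser(JcrTenantUtils.getCurrentTenant(), str);
                sourceAuthorities = new ArrayList<GrantedAuthority>(roles.size());
                for (String role : roles) {
                    sourceAuthorities.add(new SimpleGrantedAuthority(role));
                }
            } else {
                // NOTE(review): these are the authorities of whoever is authenticated on this thread;
                // nothing here checks that this is the user named by str. Confirm callers only reach
                // this branch for the authenticated user's own name.
                sourceAuthorities = new ArrayList<GrantedAuthority>(authentication.getAuthorities());
            }
            tenantedAuthorities = new ArrayList<GrantedAuthority>(sourceAuthorities.size());
            for (GrantedAuthority granted : sourceAuthorities) {
                String authority = granted.getAuthority();
                String tenantedRole = JcrTenantUtils.getTenantedRole(authority);
                // The role cache is keyed by the authority as received, the value is the tenanted principal.
                if (cache != null && cache.getFromRegionCache(ROLE_CACHE_REGION, authority) == null) {
                    cache.putInRegionCache(ROLE_CACHE_REGION, authority, new SpringSecurityRolePrincipal(tenantedRole));
                }
                tenantedAuthorities.add(new SimpleGrantedAuthority(tenantedRole));
            }
            if (this.logger.isTraceEnabled()) {
                this.logger.trace("found user in back-end " + userDetails.getUsername());
            }
        } catch (UsernameNotFoundException e) {
            // An unknown user is an expected outcome, reported to the caller as null.
            if (this.logger.isTraceEnabled()) {
                this.logger.trace("username " + str + " not in cache or back-end; returning null");
            }
        }
        if (userDetails == null) {
            return null;
        }
        if (tenantedAuthorities == null || tenantedAuthorities.isEmpty()) {
            if (this.logger.isTraceEnabled()) {
                this.logger.trace("Authorities are null, so creating an empty Auth array ==  " + userDetails.getUsername());
            }
            tenantedAuthorities = new ArrayList<GrantedAuthority>();
        }
        String password = userDetails.getPassword() != null ? userDetails.getPassword() : "";
        // Only the enabled flag is taken from the back-end; expiry and lock state are fixed to true.
        return new User(userDetails.getUsername(), password, userDetails.isEnabled(),
                this.ACCOUNT_NON_EXPIRED, this.CREDS_NON_EXPIRED, this.ACCOUNT_NON_LOCKED, tenantedAuthorities);
    }

    /**
     * Guards public entry points against use before {@link #init(Properties)} or after {@link #close()}.
     *
     * @throws IllegalStateException if the provider is not initialized
     */
    protected void checkInitialized() {
        synchronized (this.initialized) {
            if (!this.initialized.get()) {
                throw new IllegalStateException(Messages.getInstance().getString("SpringSecurityPrincipalProvider.ERROR_0003_NOT_INITIALIZED"));
            }
        }
    }

    /** Not supported by this provider. */
    public PrincipalIterator findPrincipals(String str) {
        throw new UnsupportedOperationException();
    }

    /** Not supported by this provider. */
    public PrincipalIterator findPrincipals(String str, int i) {
        throw new UnsupportedOperationException();
    }

    /** Not supported by this provider. */
    public PrincipalIterator getPrincipals(int i) {
        throw new UnsupportedOperationException();
    }

    /**
     * Returns the {@link UserDetailsService}, resolving it from {@code PentahoSystem} on first use.
     *
     * @return the service, or {@code null} while {@code PentahoSystem.getInitializedOK()} is false
     */
    protected UserDetailsService getUserDetailsService() {
        if (null != this.userDetailsService) {
            return this.userDetailsService;
        }
        if (!PentahoSystem.getInitializedOK()) {
            return null;
        }
        this.userDetailsService = (UserDetailsService) PentahoSystem.get(UserDetailsService.class);
        return this.userDetailsService;
    }

    /**
     * Returns the {@link IUserRoleListService}, resolving it from {@code PentahoSystem} on first use.
     *
     * @return the service, or {@code null} while {@code PentahoSystem.getInitializedOK()} is false
     */
    protected IUserRoleListService getUserRoleListService() {
        if (null != this.userRoleListService) {
            return this.userRoleListService;
        }
        if (!PentahoSystem.getInitializedOK()) {
            return null;
        }
        this.userRoleListService = (IUserRoleListService) PentahoSystem.get(IUserRoleListService.class);
        return this.userRoleListService;
    }

    /** Builds a role principal named after the tenanted form of {@code str}. */
    private SpringSecurityRolePrincipal createSpringSecurityRolePrincipal(String str) {
        return new SpringSecurityRolePrincipal(JcrTenantUtils.getTenantedRole(str));
    }

    /**
     * Resolves {@code skipUserVerificationOnPrincipalCreation}: the provider properties win, then the
     * {@code security} system configuration, then the default ({@code true}).
     *
     * <p>Any value other than {@code "true"} (case-insensitive) is parsed as {@code false}, i.e. a
     * misspelt value turns user verification on rather than off.
     *
     * @param properties provider configuration, may be {@code null}
     */
    private void initSkipUserVerification(Properties properties) {
        this.skipUserVerification = this.SKIP_USER_VERIFICATION_DEFAULT_VALUE;
        if (hasSkipUserVerificationValue(properties)) {
            this.skipUserVerification = Boolean.parseBoolean(properties.getProperty(this.SKIP_USER_VERIFICATION_PROP_KEY));
        } else if (this.systemConfig != null) {
            try {
                IConfiguration configuration = this.systemConfig.getConfiguration("security");
                if (configuration != null) {
                    Properties securityProperties = configuration.getProperties();
                    if (hasSkipUserVerificationValue(securityProperties)) {
                        this.skipUserVerification = Boolean.parseBoolean(securityProperties.getProperty(this.SKIP_USER_VERIFICATION_PROP_KEY));
                    }
                }
            } catch (Exception e) {
                // Best effort: the default stays in force, but keep the stack trace for diagnosis.
                this.logger.error("Could not read '" + this.SKIP_USER_VERIFICATION_PROP_KEY + "' from the 'security' configuration", e);
            }
        }
        this.logger.info("Property 'skipUserVerificationOnPrincipalCreation' is '" + this.skipUserVerification + "'");
    }

    /** Tells whether {@code source} explicitly sets the skip-verification key to a non-empty value. */
    private boolean hasSkipUserVerificationValue(Properties source) {
        if (source == null || !source.containsKey(this.SKIP_USER_VERIFICATION_PROP_KEY)) {
            return false;
        }
        String value = source.getProperty(this.SKIP_USER_VERIFICATION_PROP_KEY);
        return value != null && !value.isEmpty();
    }
}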
