package org.neo4j.server.security.systemgraph;

import java.util.Map;
import java.util.regex.Pattern;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.DisabledAccountException;
import org.apache.shiro.authc.ExcessiveAttemptsException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.credential.CredentialsMatcher;
import org.apache.shiro.authc.pam.UnsupportedTokenException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.neo4j.cypher.internal.security.FormatException;
import org.neo4j.cypher.internal.security.SecureHasher;
import org.neo4j.cypher.internal.security.SystemGraphCredential;
import org.neo4j.dbms.database.DatabaseContext;
import org.neo4j.dbms.database.DatabaseManager;
import org.neo4j.graphdb.GraphDatabaseService;
import org.neo4j.graphdb.Label;
import org.neo4j.graphdb.Node;
import org.neo4j.graphdb.NotFoundException;
import org.neo4j.graphdb.Transaction;
import org.neo4j.graphdb.security.AuthProviderFailedException;
import org.neo4j.internal.kernel.api.security.AuthenticationResult;
import org.neo4j.internal.kernel.api.security.LoginContext;
import org.neo4j.internal.kernel.api.security.SecurityContext;
import org.neo4j.kernel.api.exceptions.InvalidArgumentsException;
import org.neo4j.kernel.api.security.AuthManager;
import org.neo4j.kernel.api.security.AuthToken;
import org.neo4j.kernel.api.security.exception.InvalidAuthTokenException;
import org.neo4j.kernel.database.DatabaseIdRepository;
import org.neo4j.kernel.impl.security.User;
import org.neo4j.server.security.auth.AuthenticationStrategy;
import org.neo4j.server.security.auth.BasicLoginContext;
import org.neo4j.server.security.auth.ListSnapshot;
import org.neo4j.server.security.auth.ShiroAuthToken;

/* loaded from: input_file:org/neo4j/server/security/systemgraph/BasicSystemGraphRealm.class */
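/**
 * Shiro realm that authenticates against the {@code User} nodes of the system database.
 *
 * <p>Lookups read a single {@code User} node by name and rebuild a {@link User} record from its
 * {@code credentials}, {@code passwordChangeRequired} and {@code suspended} properties. Password
 * verification itself is delegated to the configured {@link AuthenticationStrategy}. This realm
 * provides no authorization data ({@link #doGetAuthorizationInfo} returns {@code null}).
 *
 * <p>Two entry points exist: the Shiro pipeline ({@link #supports}, {@link #doGetAuthenticationInfo},
 * {@link #doCredentialsMatch}) and the direct {@link #login(Map)} used through {@link AuthManager}.
 */
public class BasicSystemGraphRealm extends AuthorizingRealm implements AuthManager, CredentialsMatcher {
    private final SecurityGraphInitializer systemGraphInitializer;
    private final DatabaseManager<?> databaseManager;
    private final SecureHasher secureHasher;
    private final AuthenticationStrategy authenticationStrategy;
    // When false, doGetAuthenticationInfo returns null without consulting the graph.
    private final boolean authenticationEnabled;
    /** Name of the {@link User} flag that marks a suspended account. */
    public static final String IS_SUSPENDED = "is_suspended";
    /**
     * Printable ASCII (0x21-0x7E) minus ',' (0x2C) and ':' (0x3A). Space and control characters
     * fall below the lower bound, so the set matches the wording used by {@link #assertValidUsername}.
     */
    private static final Pattern usernamePattern = Pattern.compile("^[\\x21-\\x2B\\x2D-\\x39\\x3B-\\x7E]+$");

    /**
     * Creates the realm and wires it into Shiro.
     *
     * @param securityGraphInitializer used by {@link #start()} to set up the security graph
     * @param databaseManager          source of the {@code system} database
     * @param secureHasher             hasher handed to {@link SystemGraphCredential#deserialize}
     * @param authenticationStrategy   verifies submitted credentials against a {@link User}
     * @param authenticationEnabled    when false the Shiro path short-circuits and returns no info
     */
    public BasicSystemGraphRealm(SecurityGraphInitializer securityGraphInitializer, DatabaseManager<?> databaseManager, SecureHasher secureHasher, AuthenticationStrategy authenticationStrategy, boolean authenticationEnabled) {
        this.systemGraphInitializer = securityGraphInitializer;
        this.databaseManager = databaseManager;
        this.secureHasher = secureHasher;
        this.authenticationStrategy = authenticationStrategy;
        this.authenticationEnabled = authenticationEnabled;
        // Shiro caches AuthenticationInfo keyed by getAuthenticationCacheKey (the principal).
        setAuthenticationCachingEnabled(true);
        // This realm also acts as its own CredentialsMatcher, see doCredentialsMatch.
        setCredentialsMatcher(this);
    }

    /**
     * Delegates security-graph initialization to the configured initializer.
     *
     * @throws Exception whatever the initializer propagates
     */
    public void start() throws Exception {
        this.systemGraphInitializer.initializeSecurityGraph();
    }

    /** No-op: the realm holds no resources of its own. */
    public void stop() {
    }

    /** No-op: the realm holds no resources of its own. */
    public void shutdown() {
    }

    /**
     * Accepts only {@link ShiroAuthToken}s carrying the {@code basic} scheme and addressing the
     * {@code native} realm.
     *
     * @param token the candidate token
     * @return true when this realm should handle the token; a malformed token yields false
     */
    public boolean supports(AuthenticationToken token) {
        if (!(token instanceof ShiroAuthToken)) {
            return false;
        }
        ShiroAuthToken shiroToken = (ShiroAuthToken) token;
        try {
            return shiroToken.getScheme().equals("basic") && shiroToken.supportsRealm("native");
        } catch (InvalidAuthTokenException e) {
            // A token this realm cannot even read is simply not one it supports.
            return false;
        }
    }

    /**
     * Looks up the user named by the token's principal.
     *
     * @param token a {@link ShiroAuthToken} (callers are expected to have checked {@link #supports})
     * @return authentication info wrapping the stored {@link User}, or {@code null} when
     *         authentication is disabled for this realm
     * @throws UnsupportedTokenException when the principal or credentials entry is malformed
     * @throws UnknownAccountException   when no such user exists or its stored record cannot be parsed
     */
    public AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        if (!this.authenticationEnabled) {
            return null;
        }
        ShiroAuthToken shiroToken = (ShiroAuthToken) token;
        String principal;
        try {
            principal = AuthToken.safeCast("principal", shiroToken.getAuthTokenMap());
            // Only validates the shape of the credentials entry here; the bytes are read again
            // in doCredentialsMatch.
            AuthToken.safeCastCredentials("credentials", shiroToken.getAuthTokenMap());
        } catch (InvalidAuthTokenException e) {
            throw new UnsupportedTokenException(e);
        }
        try {
            return new SystemGraphAuthenticationInfo(getUser(principal), getName());
        } catch (InvalidArgumentsException | FormatException e) {
            // Missing user and unparseable record are reported identically and without a cause,
            // so nothing about the stored record reaches the Shiro caller.
            throw new UnknownAccountException();
        }
    }

    /**
     * Verifies the submitted credentials against the stored user record and enforces the
     * suspension flag.
     *
     * <p>The strategy's verdict is computed before the suspension flag is consulted, so a
     * suspended account still goes through password verification and is only then rejected.
     *
     * @param token the {@link ShiroAuthToken} carrying the credentials
     * @param info  the {@link SystemGraphAuthenticationInfo} produced by {@link #doGetAuthenticationInfo}
     * @return true on {@code SUCCESS} or {@code PASSWORD_CHANGE_REQUIRED}; the final result
     *         (upgraded to {@code PASSWORD_CHANGE_REQUIRED} when the record demands it) is stored on {@code info}
     * @throws DisabledAccountException      when the user carries {@link #IS_SUSPENDED}
     * @throws IncorrectCredentialsException on {@code FAILURE}
     * @throws ExcessiveAttemptsException    on {@code TOO_MANY_ATTEMPTS}
     * @throws AuthenticationException       on any other result
     * @throws UnsupportedTokenException     when the credentials entry is malformed
     */
    public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
        SystemGraphAuthenticationInfo graphInfo = (SystemGraphAuthenticationInfo) info;
        User user = graphInfo.getUserRecord();
        AuthenticationResult result;
        try {
            byte[] credentials = AuthToken.safeCastCredentials("credentials", ((ShiroAuthToken) token).getAuthTokenMap());
            result = this.authenticationStrategy.authenticate(user, credentials);
        } catch (InvalidAuthTokenException e) {
            throw new UnsupportedTokenException(e);
        }
        switch (result) {
            case SUCCESS:
            case PASSWORD_CHANGE_REQUIRED:
                if (user.hasFlag(IS_SUSPENDED)) {
                    throw new DisabledAccountException("User '" + user.name() + "' is suspended.");
                }
                if (user.passwordChangeRequired()) {
                    result = AuthenticationResult.PASSWORD_CHANGE_REQUIRED;
                }
                graphInfo.setAuthenticationResult(result);
                return true;
            case FAILURE:
                throw new IncorrectCredentialsException();
            case TOO_MANY_ATTEMPTS:
                throw new ExcessiveAttemptsException();
            default:
                throw new AuthenticationException();
        }
    }

    /**
     * Cache key for the authentication cache: the token's principal, or {@code ""} when the token
     * or its principal is absent (all principal-less tokens therefore share one cache slot).
     */
    protected Object getAuthenticationCacheKey(AuthenticationToken token) {
        if (token == null) {
            return "";
        }
        Object principal = token.getPrincipal();
        return principal == null ? "" : principal;
    }

    /**
     * Cache key derived from a principal collection, with the same {@code ""} fallback as the
     * token-based overload.
     */
    protected Object getAuthenticationCacheKey(PrincipalCollection principals) {
        Object principal = getAvailablePrincipal(principals);
        return principal == null ? "" : principal;
    }

    /** This realm supplies no authorization data. */
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        return null;
    }

    /**
     * Reads the {@code User} node named {@code username} from the system database and rebuilds
     * its {@link User} record.
     *
     * <p>The transaction is closed on every exit path; a lookup that finds no node, or a node
     * that cannot be read (the graph API's {@link NotFoundException} — presumably a missing
     * property, confirm against the API), is reported with the same "does not exist" error.
     *
     * @param username the user name to look up
     * @return the stored user, with {@link #IS_SUSPENDED} set or cleared from the {@code suspended} property
     * @throws InvalidArgumentsException when no such user can be read
     * @throws FormatException           when the stored credential string cannot be deserialized
     */
    public User getUser(String username) throws InvalidArgumentsException, FormatException {
        InvalidArgumentsException notFound = new InvalidArgumentsException("User '" + username + "' does not exist.");
        try (Transaction tx = getSystemDb().beginTx()) {
            Node userNode = tx.findNode(Label.label("User"), "name", username);
            if (userNode == null) {
                throw notFound;
            }
            SystemGraphCredential credential = SystemGraphCredential.deserialize((String) userNode.getProperty("credentials"), this.secureHasher);
            boolean passwordChangeRequired = (Boolean) userNode.getProperty("passwordChangeRequired");
            boolean suspended = (Boolean) userNode.getProperty("suspended");
            tx.commit();
            User.Builder builder = new User.Builder(username, credential).withRequiredPasswordChange(passwordChangeRequired);
            return (suspended ? builder.withFlag(IS_SUSPENDED) : builder.withoutFlag(IS_SUSPENDED)).build();
        } catch (NotFoundException e) {
            throw notFound;
        }
    }

    /**
     * Rejects user names that are empty or contain characters outside printable ASCII, or that
     * contain ',' or ':'.
     *
     * @param username the candidate user name (may be null)
     * @throws InvalidArgumentsException when the name is null, empty or contains illegal characters
     */
    public static void assertValidUsername(String username) throws InvalidArgumentsException {
        if (username == null || username.isEmpty()) {
            throw new InvalidArgumentsException("The provided username is empty.");
        }
        if (!usernamePattern.matcher(username).matches()) {
            throw new InvalidArgumentsException("Username '" + username + "' contains illegal characters. Use ascii characters that are not ',', ':' or whitespaces.");
        }
    }

    /**
     * Authenticates a raw auth-token map outside the Shiro pipeline.
     *
     * <p>An unknown user, an unparseable record and a wrong password all surface as a
     * {@code FAILURE} login context. The credentials entry is cleared from the caller's map on
     * every exit path, including when an exception propagates.
     *
     * @param authToken the token map; its credentials entry is scrubbed before returning
     * @return a login context carrying the user (or {@code null} on failure) and the result,
     *         upgraded to {@code PASSWORD_CHANGE_REQUIRED} when the record demands it
     * @throws InvalidAuthTokenException when the scheme is not {@code basic} or the map is malformed
     */
    public LoginContext login(Map<String, Object> authToken) throws InvalidAuthTokenException {
        try {
            assertValidScheme(authToken);
            String principal = AuthToken.safeCast("principal", authToken);
            byte[] credentials = AuthToken.safeCastCredentials("credentials", authToken);
            try {
                User user = getUser(principal);
                AuthenticationResult result = this.authenticationStrategy.authenticate(user, credentials);
                if (result == AuthenticationResult.SUCCESS && user.passwordChangeRequired()) {
                    result = AuthenticationResult.PASSWORD_CHANGE_REQUIRED;
                }
                return new BasicLoginContext(user, result);
            } catch (InvalidArgumentsException | FormatException e) {
                return new BasicLoginContext(null, AuthenticationResult.FAILURE);
            }
        } finally {
            // Scrub the submitted password bytes from the map regardless of outcome.
            AuthToken.clearCredentials(authToken);
        }
    }

    /** No-op: this realm does not record security log entries. */
    public void log(String message, SecurityContext securityContext) {
    }

    /**
     * Ensures the token's scheme is {@code basic}; {@code none} gets a dedicated message because
     * it is only valid when authentication is disabled.
     *
     * @throws InvalidAuthTokenException when the scheme is missing, {@code none}, or anything but {@code basic}
     */
    private void assertValidScheme(Map<String, Object> authToken) throws InvalidAuthTokenException {
        String scheme = AuthToken.safeCast("scheme", authToken);
        if (scheme.equals("none")) {
            throw AuthToken.invalidToken(", scheme 'none' is only allowed when auth is disabled.");
        }
        if (!scheme.equals("basic")) {
            throw AuthToken.invalidToken(", scheme '" + scheme + "' is not supported.");
        }
    }

    /**
     * Resolves the {@code system} database facade.
     *
     * @throws AuthProviderFailedException when the database manager has no system database context
     */
    protected GraphDatabaseService getSystemDb() {
        DatabaseContext context = this.databaseManager.getDatabaseContext(DatabaseIdRepository.NAMED_SYSTEM_DATABASE_ID)
                .orElseThrow(() -> new AuthProviderFailedException("No database called `system` was found."));
        return context.databaseFacade();
    }
}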
