package org.sonatype.nexus.security.internal;

import com.google.common.base.Preconditions;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.annotation.Nullable;
import javax.crypto.Cipher;
import javax.inject.Inject;
import javax.inject.Named;
import javax.inject.Singleton;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.mgt.RealmSecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.LifecycleUtils;
import org.sonatype.nexus.common.app.ManagedLifecycle;
import org.sonatype.nexus.common.event.EventManager;
import org.sonatype.nexus.common.stateguard.StateGuardLifecycleSupport;
import org.sonatype.nexus.common.text.Strings2;
import org.sonatype.nexus.security.SecurityHelper;
import org.sonatype.nexus.security.SecuritySystem;
import org.sonatype.nexus.security.UserIdHelper;
import org.sonatype.nexus.security.UserPrincipalsExpired;
import org.sonatype.nexus.security.anonymous.AnonymousConfiguration;
import org.sonatype.nexus.security.anonymous.AnonymousHelper;
import org.sonatype.nexus.security.anonymous.AnonymousManager;
import org.sonatype.nexus.security.authc.UserPasswordChanged;
import org.sonatype.nexus.security.authz.AuthorizationConfigurationChanged;
import org.sonatype.nexus.security.authz.AuthorizationManager;
import org.sonatype.nexus.security.authz.NoSuchAuthorizationManagerException;
import org.sonatype.nexus.security.privilege.Privilege;
import org.sonatype.nexus.security.realm.RealmManager;
import org.sonatype.nexus.security.role.Role;
import org.sonatype.nexus.security.role.RoleIdentifier;
import org.sonatype.nexus.security.user.InvalidCredentialsException;
import org.sonatype.nexus.security.user.NoSuchUserManagerException;
import org.sonatype.nexus.security.user.RoleMappingUserManager;
import org.sonatype.nexus.security.user.User;
import org.sonatype.nexus.security.user.UserManager;
import org.sonatype.nexus.security.user.UserNotFoundException;
import org.sonatype.nexus.security.user.UserSearchCriteria;

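/**
 * Default {@link SecuritySystem} implementation.
 *
 * <p>User, role and privilege operations are fanned out over the configured {@link UserManager}s
 * and {@link AuthorizationManager}s; permission checks are delegated to the Shiro
 * {@link RealmSecurityManager}; state changes are announced through the {@link EventManager}.
 */
@Singleton
@ManagedLifecycle(phase = ManagedLifecycle.Phase.SECURITY)
@Named("default")
public class DefaultSecuritySystem extends StateGuardLifecycleSupport implements SecuritySystem {
    /** Source name accepted by {@link #listRoles(String)} to mean "every authorization manager". */
    private static final String ALL_ROLES_KEY = "all";
    public static final String NEXUS_AUTHORIZING_REALM = "NexusAuthorizingRealm";
    public static final String NEXUS_AUTHENTICATING_REALM = "NexusAuthenticatingRealm";
    private final EventManager eventManager;
    private final RealmSecurityManager realmSecurityManager;
    private final RealmManager realmManager;
    private final AnonymousManager anonymousManager;
    /** Authorization managers keyed by source id. */
    private final Map<String, AuthorizationManager> authorizationManagers;
    /** User managers keyed by source id. */
    private final Map<String, UserManager> userManagers;
    private final SecurityHelper securityHelper;

    /**
     * Creates the security system; every collaborator is required.
     *
     * @throws NullPointerException if any argument is {@code null}
     */
    @Inject
    public DefaultSecuritySystem(
            EventManager eventManager,
            RealmSecurityManager realmSecurityManager,
            RealmManager realmManager,
            AnonymousManager anonymousManager,
            Map<String, AuthorizationManager> authorizationManagers,
            Map<String, UserManager> userManagers,
            SecurityHelper securityHelper) {
        this.eventManager = Preconditions.checkNotNull(eventManager);
        this.realmSecurityManager = Preconditions.checkNotNull(realmSecurityManager);
        this.realmManager = Preconditions.checkNotNull(realmManager);
        this.anonymousManager = Preconditions.checkNotNull(anonymousManager);
        this.authorizationManagers = Preconditions.checkNotNull(authorizationManagers);
        this.userManagers = Preconditions.checkNotNull(userManagers);
        this.securityHelper = Preconditions.checkNotNull(securityHelper);
    }

    /**
     * Installs the realm-backed security manager as the process-wide Shiro security manager and
     * starts the realm manager.
     */
    @Override
    protected void doStart() throws Exception {
        // Informational only: Integer.MAX_VALUE is what the JCE reports when no key-length policy limit applies.
        if (Cipher.getMaxAllowedKeyLength("AES") == Integer.MAX_VALUE) {
            log.info("Unlimited strength JCE policy detected");
        }
        // Static, JVM-wide registration; getSubject() below reads it back through SecurityUtils.
        SecurityUtils.setSecurityManager(realmSecurityManager);
        realmManager.start();
    }

    /** Stops the realm manager and tears down the security manager. */
    @Override
    protected void doStop() throws Exception {
        realmManager.stop();
        LifecycleUtils.destroy(realmSecurityManager);
    }

    /** @return the subject bound to the current thread by Shiro */
    @Override
    public Subject getSubject() {
        return SecurityUtils.getSubject();
    }

    /** @return whether {@code principals} hold {@code permission}, as decided by the security manager */
    @Override
    public boolean isPermitted(PrincipalCollection principals, String permission) {
        return realmSecurityManager.isPermitted(principals, permission);
    }

    /**
     * Checks several permissions at once.
     *
     * @return one flag per entry of {@code permissions}, in the same order
     */
    @Override
    public boolean[] isPermitted(PrincipalCollection principals, List<String> permissions) {
        return realmSecurityManager.isPermitted(principals, permissions.toArray(new String[0]));
    }

    /** Delegates to the security manager, which throws when {@code permission} is not held. */
    @Override
    public void checkPermission(PrincipalCollection principals, String permission) {
        realmSecurityManager.checkPermission(principals, permission);
    }

    /** @return the union of the roles of every authorization manager (managers returning {@code null} are skipped) */
    @Override
    public Set<Role> listRoles() {
        Set<Role> roles = new HashSet<>();
        for (AuthorizationManager authorizationManager : authorizationManagers.values()) {
            Set<Role> managerRoles = authorizationManager.listRoles();
            if (managerRoles != null) {
                roles.addAll(managerRoles);
            }
        }
        return roles;
    }

    /**
     * Lists the roles of one source, or of all sources when {@code sourceId} is {@value #ALL_ROLES_KEY}
     * (case-insensitive).
     *
     * @throws NoSuchAuthorizationManagerException if {@code sourceId} is neither {@value #ALL_ROLES_KEY}
     *         nor a known source
     */
    @Override
    public Set<Role> listRoles(String sourceId) throws NoSuchAuthorizationManagerException {
        if (ALL_ROLES_KEY.equalsIgnoreCase(sourceId)) {
            return listRoles();
        }
        return getAuthorizationManager(sourceId).listRoles();
    }

    /** @throws NoSuchAuthorizationManagerException if {@code sourceId} is not a known source */
    @Override
    public Set<Role> searchRoles(String sourceId, String query) throws NoSuchAuthorizationManagerException {
        return getAuthorizationManager(sourceId).searchRoles(query);
    }

    /** @return the union of the privileges of every authorization manager (managers returning {@code null} are skipped) */
    @Override
    public Set<Privilege> listPrivileges() {
        Set<Privilege> privileges = new HashSet<>();
        for (AuthorizationManager authorizationManager : authorizationManagers.values()) {
            Set<Privilege> managerPrivileges = authorizationManager.listPrivileges();
            if (managerPrivileges != null) {
                privileges.addAll(managerPrivileges);
            }
        }
        return privileges;
    }

    /**
     * Adds {@code user} to the user manager of its source and mirrors its roles into every other
     * role-mapping user manager.
     *
     * @throws NoSuchUserManagerException if the user's source has no user manager
     * @throws RuntimeException if that user manager is read-only
     */
    @Override
    public User addUser(User user, String password) throws NoSuchUserManagerException {
        UserManager userManager = requireWritableUserManager(user.getSource());
        userManager.addUser(user, password);
        syncRoleMappings(user);
        return user;
    }

    /**
     * Updates {@code user} in the user manager of its source and mirrors its roles into every other
     * role-mapping user manager.
     *
     * @throws UserNotFoundException if the user does not exist in its source
     * @throws NoSuchUserManagerException if the user's source has no user manager
     * @throws RuntimeException if that user manager is read-only
     */
    @Override
    public User updateUser(User user) throws UserNotFoundException, NoSuchUserManagerException {
        UserManager userManager = requireWritableUserManager(user.getSource());
        User previous = userManager.getUser(user.getUserId());
        userManager.updateUser(user);
        // A user that was active and is no longer in that status gets its principals expired
        // (e.g. a disabled account should not keep working on cached principals).
        if (previous.getStatus().isActive() && user.getStatus() != previous.getStatus()) {
            eventManager.post(new UserPrincipalsExpired(user.getUserId(), user.getSource()));
        }
        syncRoleMappings(user);
        eventManager.post(new AuthorizationConfigurationChanged());
        return user;
    }

    /**
     * Looks up the user manager of {@code source} and verifies it accepts writes.
     *
     * @throws NoSuchUserManagerException if {@code source} has no user manager
     * @throws RuntimeException if the user manager is read-only
     */
    private UserManager requireWritableUserManager(String source) throws NoSuchUserManagerException {
        UserManager userManager = getUserManager(source);
        if (!userManager.supportsWrite()) {
            throw new RuntimeException("UserManager: " + userManager.getSource() + " does not support writing.");
        }
        return userManager;
    }

    /**
     * Pushes the roles of {@code user} to every role-mapping user manager other than the user's own
     * source. A manager that does not know the user is skipped with a debug log.
     */
    private void syncRoleMappings(User user) {
        for (UserManager userManager : getUserManagers()) {
            if (!userManager.getSource().equals(user.getSource()) && userManager instanceof RoleMappingUserManager) {
                try {
                    ((RoleMappingUserManager) userManager).setUsersRoles(user.getUserId(), user.getSource(),
                            RoleIdentifier.getRoleIdentifiersForSource(user.getSource(), user.getRoles()));
                } catch (UserNotFoundException ignored) {
                    // Not every role-mapping manager tracks every user; this is expected.
                    log.debug("User '{}' is not managed by the user-manager: {}", user.getUserId(), userManager.getSource());
                }
            }
        }
    }

    /**
     * Deletes {@code userId} from whichever source currently holds it.
     *
     * @throws UserNotFoundException if no user manager knows the user
     * @throws IllegalStateException if the user was found but its source has no user manager
     */
    @Override
    public void deleteUser(String userId) throws UserNotFoundException {
        try {
            deleteUser(userId, getUser(userId).getSource());
        } catch (NoSuchUserManagerException e) {
            log.error("User manager returned user, but could not be found: {}", e.getMessage(), e);
            throw new IllegalStateException("User manager returned user, but could not be found: " + e.getMessage(), e);
        }
    }

    /**
     * Deletes {@code userId} from {@code source} and expires the user's principals.
     *
     * @throws IllegalArgumentException if {@code userId} is the currently signed-in user, or the
     *         anonymous user while anonymous access is enabled
     * @throws UserNotFoundException if the user does not exist in {@code source}
     * @throws NoSuchUserManagerException if {@code source} has no user manager
     */
    @Override
    public void deleteUser(String userId, String source) throws UserNotFoundException, NoSuchUserManagerException {
        Preconditions.checkNotNull(userId, "User ID may not be null");
        // A session may never remove its own account ...
        Subject subject = getSubject();
        if (subject.getPrincipal() != null && userId.equals(subject.getPrincipal().toString())) {
            throw new IllegalArgumentException("Can not delete currently signed in user");
        }
        // ... nor the account that anonymous access is mapped onto while that mapping is live.
        AnonymousConfiguration anonymousConfiguration = anonymousManager.getConfiguration();
        if (anonymousConfiguration.isEnabled() && userId.equals(anonymousConfiguration.getUserId())) {
            throw new IllegalArgumentException("Can not delete anonymous user");
        }
        getUserManager(source).deleteUser(userId);
        eventManager.post(new UserPrincipalsExpired(userId, source));
    }

    /**
     * Replaces the role mappings of {@code userId} in every role-mapping user manager.
     *
     * @throws UserNotFoundException only when no role-mapping user manager is configured at all;
     *         a manager that does not know the user is skipped, not treated as an error
     */
    @Override
    public void setUsersRoles(String userId, String userSource, Set<RoleIdentifier> roleIdentifiers)
            throws UserNotFoundException {
        boolean roleMappingManagerSeen = false;
        for (UserManager userManager : getUserManagers()) {
            if (userManager instanceof RoleMappingUserManager) {
                roleMappingManagerSeen = true;
                try {
                    ((RoleMappingUserManager) userManager).setUsersRoles(userId, userSource,
                            RoleIdentifier.getRoleIdentifiersForSource(userManager.getSource(), roleIdentifiers));
                } catch (UserNotFoundException ignored) {
                    log.debug("User '{}' is not managed by the user-manager: {}", userId, userManager.getSource());
                }
            }
        }
        if (!roleMappingManagerSeen) {
            throw new UserNotFoundException(userId);
        }
        eventManager.post(new AuthorizationConfigurationChanged());
    }

    /**
     * Fetches {@code userId} from one user manager and attaches the roles other managers map to it.
     *
     * @param roleIds optional role filter handed to the user manager; may be {@code null}
     * @throws UserNotFoundException if the user manager returns {@code null}
     */
    private User findUser(String userId, UserManager userManager, Set<String> roleIds) throws UserNotFoundException {
        log.trace("Finding user: {} in user-manager: {}", userId, userManager);
        User user = userManager.getUser(userId, roleIds);
        if (user == null) {
            throw new UserNotFoundException(userId);
        }
        log.trace("Found user: {}", user);
        addOtherRolesToUser(user);
        return user;
    }

    /**
     * Resolves the user behind the current subject.
     *
     * <p>The first realm the subject authenticated against is tried first; if no user manager is
     * bound to that realm, all user managers are searched in realm order.
     *
     * @return the current user, or {@code null} when the subject has no principal
     * @throws UserNotFoundException if the principal matches no user
     */
    @Override
    @Nullable
    public User currentUser() throws UserNotFoundException {
        Subject subject = getSubject();
        if (subject.getPrincipal() == null) {
            return null;
        }
        String principalName = subject.getPrincipal().toString();
        Optional<String> realmName = subject.getPrincipals().getRealmNames().stream().findFirst();
        try {
            if (realmName.isPresent()) {
                // UserNotFoundException from this lookup propagates; only a missing manager falls through.
                return findUser(principalName, getUserManagerByRealm(realmName.get()), null);
            }
        } catch (NoSuchUserManagerException ignored) {
            log.trace("User: '{}' of source: '{}' could not be found.", principalName, realmName.get());
        }
        return getUser(principalName);
    }

    /**
     * Searches every user manager, in realm order, for {@code userId}.
     *
     * @return the first match
     * @throws UserNotFoundException if no user manager knows the user
     */
    @Override
    public User getUser(String userId) throws UserNotFoundException {
        log.trace("Finding user: {}", userId);
        for (UserManager userManager : orderUserManagers()) {
            try {
                return findUser(userId, userManager, null);
            } catch (UserNotFoundException e) {
                log.trace("User: '{}' was not found in: '{}'", userId, userManager, e);
            }
        }
        log.trace("User not found: {}", userId);
        throw new UserNotFoundException(userId);
    }

    /** Same as {@link #getUser(String, String, Set)} without a role filter. */
    @Override
    public User getUser(String userId, String source) throws UserNotFoundException, NoSuchUserManagerException {
        return getUser(userId, source, null);
    }

    /**
     * Fetches {@code userId} from the user manager of {@code source}.
     *
     * @param roleIds optional role filter handed to the user manager; may be {@code null}
     * @throws UserNotFoundException if the user does not exist in {@code source}
     * @throws NoSuchUserManagerException if {@code source} has no user manager
     */
    @Override
    public User getUser(String userId, String source, Set<String> roleIds)
            throws UserNotFoundException, NoSuchUserManagerException {
        log.trace("Finding user: {} in source: {}", userId, source);
        return findUser(userId, getUserManager(source), roleIds);
    }

    /** @return every user of every user manager, each with the roles other managers map to it */
    @Override
    public Set<User> listUsers() {
        Set<User> users = new HashSet<>();
        for (UserManager userManager : getUserManagers()) {
            Set<User> managerUsers = userManager.listUsers();
            if (managerUsers != null) {  // same tolerance as searchUsers() for managers answering null
                users.addAll(managerUsers);
            }
        }
        for (User user : users) {
            addOtherRolesToUser(user);
        }
        return users;
    }

    /**
     * Searches either the single source named in {@code criteria} or, when it names none, every
     * user manager. An unknown source is logged and yields an empty result.
     */
    @Override
    public Set<User> searchUsers(UserSearchCriteria criteria) {
        Set<User> users = new HashSet<>();
        if (Strings2.isBlank(criteria.getSource())) {
            for (UserManager userManager : getUserManagers()) {
                Set<User> managerUsers = userManager.searchUsers(criteria);
                if (managerUsers != null) {
                    users.addAll(managerUsers);
                }
            }
        } else {
            try {
                users.addAll(getUserManager(criteria.getSource()).searchUsers(criteria));
            } catch (NoSuchUserManagerException e) {
                log.warn("UserManager: {} was not found.", criteria.getSource(), e);
            }
        }
        for (User user : users) {
            addOtherRolesToUser(user);
        }
        return users;
    }

    /**
     * Orders the user managers so that those bound to a configured realm come first, in realm
     * order, followed by the remaining managers in their original order.
     */
    private List<UserManager> orderUserManagers() {
        Map<String, UserManager> byRealmName = new HashMap<>();
        for (UserManager userManager : getUserManagers()) {
            if (userManager.getAuthenticationRealmName() != null) {
                byRealmName.put(userManager.getAuthenticationRealmName(), userManager);
            }
        }
        List<UserManager> ordered = new ArrayList<>();
        List<UserManager> remaining = new ArrayList<>(getUserManagers());
        for (Realm realm : realmSecurityManager.getRealms()) {
            UserManager userManager = byRealmName.get(realm.getName());
            if (userManager != null) {
                remaining.remove(userManager);
                ordered.add(userManager);
            }
        }
        ordered.addAll(remaining);
        return ordered;
    }

    /**
     * Adds to {@code user} the roles that role-mapping user managers of other sources hold for it.
     * A manager that does not know the user is skipped with a debug log.
     */
    private void addOtherRolesToUser(User user) {
        for (UserManager userManager : getUserManagers()) {
            if (!userManager.getSource().equals(user.getSource()) && userManager instanceof RoleMappingUserManager) {
                try {
                    Set<RoleIdentifier> mappedRoles =
                            ((RoleMappingUserManager) userManager).getUsersRoles(user.getUserId(), user.getSource());
                    if (mappedRoles != null) {
                        user.addAllRoles(mappedRoles);
                    }
                } catch (UserNotFoundException ignored) {
                    log.debug("User '{}' is not managed by the user-manager: {}", user.getUserId(), userManager.getSource());
                }
            }
        }
    }

    /** @throws NoSuchAuthorizationManagerException if {@code sourceId} is not a known source */
    @Override
    public AuthorizationManager getAuthorizationManager(String sourceId) throws NoSuchAuthorizationManagerException {
        AuthorizationManager authorizationManager = authorizationManagers.get(sourceId);
        if (authorizationManager == null) {
            throw new NoSuchAuthorizationManagerException(sourceId);
        }
        return authorizationManager;
    }

    /**
     * Changes a password after proving possession of the current one.
     *
     * @throws InvalidCredentialsException if authentication with {@code oldPassword} fails for any
     *         reason; the cause is only logged at debug level so the caller learns nothing beyond
     *         "rejected"
     * @throws UserNotFoundException if the user does not exist
     */
    @Override
    public void changePassword(String userId, String oldPassword, String newPassword)
            throws UserNotFoundException, InvalidCredentialsException {
        try {
            if (realmSecurityManager.authenticate(new UsernamePasswordToken(userId, oldPassword)) == null) {
                throw new InvalidCredentialsException();
            }
            changePassword(userId, newPassword);
        } catch (AuthenticationException e) {
            log.debug("User failed to change password reason: {}", e.getMessage(), e);
            throw new InvalidCredentialsException();
        }
    }

    /** Same as {@link #changePassword(String, String, boolean)} with the flag set to {@code true}. */
    @Override
    public void changePassword(String userId, String newPassword) throws UserNotFoundException {
        changePassword(userId, newPassword, true);
    }

    /**
     * Sets a new password for {@code userId} and posts a {@link UserPasswordChanged} event.
     *
     * <p>The event is posted even when the user's source has no user manager (that case is only
     * logged), so consumers cannot rely on it as proof that the password was actually changed.
     *
     * @param clearCache passed through to the event unchanged
     * @throws AuthorizationException if the current subject may not change this user's password
     * @throws UserNotFoundException if the user does not exist
     */
    @Override
    public void changePassword(String userId, String newPassword, boolean clearCache) throws UserNotFoundException {
        requirePermissionToChangeUserPassword(userId);
        User user = getUser(userId);
        try {
            getUserManager(user.getSource()).changePassword(userId, newPassword);
        } catch (NoSuchUserManagerException ignored) {
            log.warn("User '{}' with source: '{}' but could not find the user-manager for that source.", userId, user.getSource());
        }
        eventManager.post(new UserPasswordChanged(userId, clearCache));
    }

    /** @throws AuthorizationException if {@link #isPermittedToChangeUserPassword(String)} is false */
    public void requirePermissionToChangeUserPassword(String userId) {
        if (!isPermittedToChangeUserPassword(userId)) {
            throw new AuthorizationException(
                    String.format("%s is not permitted to change the password for %s", UserIdHelper.get(), userId));
        }
    }

    /**
     * @return {@code true} if {@code userId} is the current user or the current subject holds all permissions
     */
    public boolean isPermittedToChangeUserPassword(String userId) {
        // NOTE(review): assumes UserIdHelper.get() never returns null — confirm.
        return UserIdHelper.get().equals(userId) || securityHelper.isAllPermitted();
    }

    private Collection<UserManager> getUserManagers() {
        return userManagers.values();
    }

    /**
     * @return the first user manager whose authentication realm name equals {@code realmName}
     *         (case-insensitive)
     * @throws NoSuchUserManagerException if there is none
     */
    private UserManager getUserManagerByRealm(String realmName) throws NoSuchUserManagerException {
        return userManagers.values().stream()
                .filter(userManager -> realmName.equalsIgnoreCase(userManager.getAuthenticationRealmName()))
                .findFirst()
                .orElseThrow(() -> new NoSuchUserManagerException(realmName));
    }

    /** @throws NoSuchUserManagerException if {@code source} is not a known source */
    @Override
    public UserManager getUserManager(String source) throws NoSuchUserManagerException {
        UserManager userManager = userManagers.get(source);
        if (userManager == null) {
            throw new NoSuchUserManagerException(source);
        }
        return userManager;
    }

    /** @return the authorization source ids, sorted */
    @Override
    public List<String> listSources() {
        return authorizationManagers.keySet().stream().sorted().collect(Collectors.toList());
    }

    /** @return {@code true} if {@code realmId} is non-empty and among {@link #getAllRealmIds()} */
    @Override
    public boolean isValidRealm(String realmId) {
        return !realmId.isEmpty() && getAllRealmIds().contains(realmId);
    }

    /**
     * Ids of the available realms that are also authentication realms of a user manager, with
     * {@value #NEXUS_AUTHORIZING_REALM} reported as {@value #NEXUS_AUTHENTICATING_REALM}.
     */
    private List<String> getAllRealmIds() {
        List<String> authenticationRealms =
                AnonymousHelper.getAuthenticationRealms(new ArrayList<>(userManagers.values()));
        return realmManager.getAvailableRealms(true).stream()
                .map(realm -> realm.getId())
                .filter(authenticationRealms::contains)
                .map(realmId -> realmId.equals(NEXUS_AUTHORIZING_REALM) ? NEXUS_AUTHENTICATING_REALM : realmId)
                .collect(Collectors.toList());
    }
}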
