package org.sonatype.nexus.security.token;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import java.util.Optional;
import javax.annotation.Nullable;
import javax.inject.Inject;
import javax.inject.Provider;
import javax.servlet.http.HttpServletRequest;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.sonatype.nexus.security.UserPrincipalsHelper;
import org.sonatype.nexus.security.authc.NexusApiKeyAuthenticationToken;
import org.sonatype.nexus.security.authc.apikey.ApiKeyService;
import org.sonatype.nexus.security.user.UserNotFoundException;

/* loaded from: input_file:org/sonatype/nexus/security/token/BearerTokenRealm.class */
/**
 * Shiro realm that authenticates {@link NexusApiKeyAuthenticationToken}s for a single
 * token format by looking the presented token up in the {@link ApiKeyService}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The key-store lookup by token is what validates a bearer token. The
 *       {@link AuthenticationInfo} built on success carries the credentials taken from the
 *       presented token itself.</li>
 *   <li>Authentication caching is switched on in the constructor and the cache key is the
 *       primary principal resolved from the token.
 *       NOTE(review): on a cache hit Shiro does not call {@code doGetAuthenticationInfo}, so
 *       the user-status check there would not be re-evaluated. Confirm that cached entries
 *       are evicted (or expire quickly) when a user is disabled.</li>
 *   <li>API keys whose owning user can no longer be found are deleted from the key store.</li>
 * </ul>
 */
public abstract class BearerTokenRealm extends AuthenticatingRealm {
    /**
     * Request attribute set to {@link Boolean#TRUE} once the credentials match has succeeded.
     * Presumably read downstream to tell token-authenticated requests apart; verify against
     * the consumers of this key.
     */
    public static final String IS_TOKEN_AUTH_KEY = BearerTokenRealm.class.getName() + ".IS_TOKEN";

    @VisibleForTesting
    static final String ANONYMOUS_USER = "anonymous";
    private final Logger log = LoggerFactory.getLogger(getClass());
    private final ApiKeyService keyStore;
    private final UserPrincipalsHelper principalsHelper;
    private final String format;
    // Assigned by setter injection only; it is null until setRequestProvider has been called.
    private Provider<HttpServletRequest> requestProvider;

    /**
     * Creates the realm, names it after the token format and enables authentication caching.
     *
     * @param apiKeyService store used to resolve and delete API keys; must not be null
     * @param userPrincipalsHelper helper used to read the status of the resolved user; must not be null
     * @param str token format handled by this realm, also used as the realm name; must not be null
     */
    protected BearerTokenRealm(ApiKeyService apiKeyService, UserPrincipalsHelper userPrincipalsHelper, String str) {
        this.keyStore = Preconditions.checkNotNull(apiKeyService);
        this.principalsHelper = Preconditions.checkNotNull(userPrincipalsHelper);
        this.format = Preconditions.checkNotNull(str);
        setName(str);
        setAuthenticationCachingEnabled(true);
    }

    /**
     * Receives the provider of the current servlet request.
     *
     * @param provider request provider; must not be null
     */
    @Inject
    protected void setRequestProvider(Provider<HttpServletRequest> provider) {
        this.requestProvider = Preconditions.checkNotNull(provider);
    }

    /**
     * Accepts only API-key tokens whose principal equals this realm's format.
     *
     * @param authenticationToken token offered to the realm
     * @return {@code true} when this realm should handle the token
     */
    public boolean supports(AuthenticationToken authenticationToken) {
        if (!(authenticationToken instanceof NexusApiKeyAuthenticationToken)) {
            return false;
        }
        return this.format.equals(authenticationToken.getPrincipal());
    }

    /**
     * Resolves the principals behind the presented token and returns authentication info
     * only when the user is active, or is the anonymous user and anonymous access is supported.
     *
     * @param authenticationToken presented token; must not be null
     * @return the authentication info, or {@code null} when the token is unknown, the user is
     *         not active, or the user no longer exists
     */
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) {
        Preconditions.checkNotNull(authenticationToken);
        Optional<PrincipalCollection> lookup = getPrincipals(authenticationToken);
        if (!lookup.isPresent()) {
            // No API key is stored for this token and format.
            return null;
        }
        PrincipalCollection principals = lookup.get();
        try {
            boolean accepted = anonymousAndSupported(principals)
                || this.principalsHelper.getUserStatus(principals).isActive();
            return accepted
                ? new SimpleAuthenticationInfo(principals, authenticationToken.getCredentials())
                : null;
        } catch (UserNotFoundException e) {
            // The key outlived its user: log the exception and remove the orphaned keys so
            // the token cannot be presented again.
            this.log.debug("Realm did not find user", e);
            this.keyStore.deleteApiKeys(principals);
            return null;
        }
    }

    /**
     * Derives the authentication cache key from the token.
     *
     * <p>The key is the primary principal found for the token, so an unknown token yields
     * no key. Each call performs a key-store lookup.
     *
     * @param authenticationToken presented token, may be null
     * @return the primary principal, or {@code null} when there is no token or no stored key
     */
    @Nullable
    protected Object getAuthenticationCacheKey(@Nullable AuthenticationToken authenticationToken) {
        if (authenticationToken == null) {
            return null;
        }
        return getPrincipals(authenticationToken)
            .map(PrincipalCollection::getPrimaryPrincipal)
            .orElse(null);
    }

    /**
     * Runs the inherited credentials check, then marks the request as token-authenticated
     * and replaces the token's principal with the resolved primary principal.
     *
     * <p>NOTE(review): {@code requestProvider} is dereferenced without a null check, so this
     * relies on {@link #setRequestProvider} having been called before the first authentication.
     *
     * @param authenticationToken presented token
     * @param authenticationInfo info returned by the lookup or the cache
     * @throws AuthenticationException when the inherited credentials check fails
     */
    protected void assertCredentialsMatch(AuthenticationToken authenticationToken, AuthenticationInfo authenticationInfo) throws AuthenticationException {
        super.assertCredentialsMatch(authenticationToken, authenticationInfo);
        // Reached only when the inherited check did not throw.
        HttpServletRequest request = this.requestProvider.get();
        request.setAttribute(IS_TOKEN_AUTH_KEY, Boolean.TRUE);
        Object primary = getPrincipals(authenticationToken)
            .map(PrincipalCollection::getPrimaryPrincipal)
            .orElse(null);
        if (primary != null) {
            ((NexusApiKeyAuthenticationToken) authenticationToken).setPrincipal(primary);
        }
    }

    /**
     * Tells whether a token belonging to the anonymous user may authenticate without the
     * user-status check. Disabled here; subclasses may override.
     *
     * @return {@code false} in this base class
     */
    protected boolean isAnonymousSupported() {
        return false;
    }

    /**
     * Looks up the API key stored for this realm's format and the token's credentials.
     * The credentials are cast to {@code char[]}.
     */
    private Optional<PrincipalCollection> getPrincipals(AuthenticationToken authenticationToken) {
        char[] secret = (char[]) authenticationToken.getCredentials();
        return this.keyStore.getApiKeyByToken(this.format, secret).map(apiKey -> apiKey.getPrincipals());
    }

    /**
     * Returns {@code true} when the primary principal is the anonymous user and this realm
     * supports anonymous access.
     */
    private boolean anonymousAndSupported(PrincipalCollection principalCollection) {
        if (!ANONYMOUS_USER.equals(principalCollection.getPrimaryPrincipal())) {
            return false;
        }
        return isAnonymousSupported();
    }
}
