package org.graylog2.security.realm;

import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
import com.google.common.eventbus.EventBus;
import com.google.common.eventbus.Subscribe;
import java.util.Optional;
import javax.inject.Inject;
import org.apache.commons.lang3.StringUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.graylog.grn.GRN;
import org.graylog.grn.GRNRegistry;
import org.graylog.grn.GRNTypes;
import org.graylog.plugins.sidecar.rest.models.ConfigurationVariable;
import org.graylog.security.PermissionAndRoleResolver;
import org.graylog2.plugin.database.users.User;
import org.graylog2.security.MongoDbAuthorizationCacheManager;
import org.graylog2.shared.rest.RequestIdFilter;
import org.graylog2.shared.security.ShiroRequestHeadersBinder;
import org.graylog2.shared.users.UserService;
import org.graylog2.users.events.UserChangedEvent;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/graylog2/security/realm/MongoDbAuthorizationRealm.class */
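/**
 * Shiro realm that answers authorization questions only.
 *
 * <p>{@link #supports(AuthenticationToken)} always returns {@code false} and
 * {@link #doGetAuthenticationInfo(AuthenticationToken)} always returns {@code null}, so this
 * realm never authenticates a subject; it only resolves permissions and roles for principals
 * that are already present in a {@link PrincipalCollection}.
 *
 * <p>Caching is switched on in the constructor with the injected cache manager. The cache key
 * contains the current X-Request-Id header value when one is bound to the thread context, and
 * the whole cache is cleared on every {@link UserChangedEvent}.
 *
 * <p>NOTE(review): {@link UserChangedEvent} is the only invalidation trigger visible in this
 * class. Whether role or grant changes also evict cached entries, and how long entries live,
 * depends on {@link MongoDbAuthorizationCacheManager} and other code not shown here - confirm
 * before relying on prompt revocation of permissions.
 */
public class MongoDbAuthorizationRealm extends AuthorizingRealm {
    public static final String NAME = "mongodb-authorization-realm";
    private static final Logger LOG = LoggerFactory.getLogger(MongoDbAuthorizationRealm.class);

    private final UserService userService;
    private final PermissionAndRoleResolver permissionAndRoleResolver;
    private final GRNRegistry grnRegistry;

    /**
     * Wires the collaborators, enables authorization caching and subscribes to the event bus.
     *
     * @param userService used to load the user record for user principals
     * @param mongoDbAuthorizationCacheManager cache manager handed to Shiro for the authorization cache
     * @param permissionAndRoleResolver resolves permissions and roles for a GRN principal
     * @param gRNRegistry used to build a GRN from a plain string principal
     * @param eventBus bus on which {@link UserChangedEvent}s are received
     */
    @Inject
    MongoDbAuthorizationRealm(UserService userService, MongoDbAuthorizationCacheManager mongoDbAuthorizationCacheManager, PermissionAndRoleResolver permissionAndRoleResolver, GRNRegistry gRNRegistry, EventBus eventBus) {
        this.userService = userService;
        this.permissionAndRoleResolver = permissionAndRoleResolver;
        this.grnRegistry = gRNRegistry;
        setCachingEnabled(true);
        setCacheManager(mongoDbAuthorizationCacheManager);
        // Registered last so that all fields are assigned before an event can be delivered.
        eventBus.register(this);
    }

    /**
     * Builds the key under which authorization info is cached.
     *
     * <p>With a request id available the key is the set of all principals plus that id, so an
     * entry is only reused for lookups that carry the same id. Without one the key is the
     * principal set alone, which means the entry is shared by every later lookup for the same
     * principals until the cache is cleared or the entry is evicted.
     *
     * <p>NOTE(review): where the X-Request-Id value originates (server-generated or accepted
     * from the client) is decided outside this class - confirm against RequestIdFilter. The
     * principals are always part of the key, so the id cannot select another subject's entry.
     *
     * @param principalCollection principals of the subject being authorized
     * @return the cache key
     */
    @Override
    protected Object getAuthorizationCacheKey(PrincipalCollection principalCollection) {
        Optional<String> requestId = ShiroRequestHeadersBinder.getHeaderFromThreadContext(RequestIdFilter.X_REQUEST_ID);
        if (!requestId.isPresent()) {
            LOG.warn("Could not find X-Request-Id header. This is not supposed to happen.");
            return principalCollection.asSet();
        }
        return ImmutableSet.builder().addAll(principalCollection).add(requestId.get()).build();
    }

    /**
     * Resolves permissions and roles for the first usable principal.
     *
     * <p>A non-blank string principal takes precedence and is turned into a GRN; otherwise the
     * first GRN principal is used. If neither exists an empty {@link SimpleAuthorizationInfo}
     * is returned. Permissions and roles from the resolver are always included; for principals
     * of type {@link GRNTypes#USER} the user's own object permissions and role ids are added
     * when the user record can be loaded.
     *
     * <p>NOTE(review): when the user record is missing, only a warning is logged and the
     * resolver's permissions and roles are still returned. Confirm this is intended rather
     * than returning an empty result for a principal without a user record.
     *
     * @param principalCollection principals of the subject being authorized
     * @return the collected permissions and roles, never {@code null}
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        LOG.debug("Retrieving authorization information for: {}", principalCollection);
        GRN principal = getUserPrincipal(principalCollection)
                .orElseGet(() -> getGRNPrincipal(principalCollection).orElse(null));
        if (principal == null) {
            return new SimpleAuthorizationInfo();
        }
        LOG.debug("GRN principal: {}", principal);

        // Element types are the ones SimpleAuthorizationInfo's setters accept.
        ImmutableSet.Builder<Permission> permissions = ImmutableSet.builder();
        ImmutableSet.Builder<String> roles = ImmutableSet.builder();
        permissions.addAll(this.permissionAndRoleResolver.resolvePermissionsForPrincipal(principal));
        roles.addAll(this.permissionAndRoleResolver.resolveRolesForPrincipal(principal));

        if (GRNTypes.USER.equals(principal.grnType())) {
            User user = this.userService.loadById(principal.entity());
            if (user == null) {
                LOG.warn("User <{}> not found for permission and role resolving", principal);
            } else {
                permissions.addAll(user.getObjectPermissions());
                roles.addAll(user.getRoleIds());
            }
        }

        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.setObjectPermissions(permissions.build());
        info.setRoles(roles.build());
        // Full permission and role sets are written to the log at debug level only.
        if (LOG.isDebugEnabled()) {
            LOG.debug("Authorization info for {} - permissions: {}", principal, info.getObjectPermissions());
            LOG.debug("Authorization info for {} - roles: {}", principal, info.getRoles());
        }
        return info;
    }

    /**
     * Turns the first string principal into a GRN.
     *
     * @param principalCollection principals to search
     * @return the GRN, or empty when there is no string principal or it is blank
     */
    private Optional<GRN> getUserPrincipal(PrincipalCollection principalCollection) {
        String userId = Iterables.getFirst(principalCollection.byType(String.class), null);
        if (StringUtils.isBlank(userId)) {
            return Optional.empty();
        }
        // NOTE(review): the GRN type string is taken from a sidecar model constant. This looks
        // like a decompiler substitution for an inlined literal - confirm its value is the user
        // GRN type, otherwise the GRNTypes.USER check in doGetAuthorizationInfo never matches
        // for string principals and the user's own permissions and roles are not added.
        return Optional.of(this.grnRegistry.newGRN(ConfigurationVariable.VARIABLE_PREFIX, userId));
    }

    /**
     * Returns the first GRN principal.
     *
     * @param principalCollection principals to search
     * @return the GRN, or empty when the collection holds none
     */
    private Optional<GRN> getGRNPrincipal(PrincipalCollection principalCollection) {
        return Optional.ofNullable(Iterables.getFirst(principalCollection.byType(GRN.class), null));
    }

    /**
     * Declares that this realm handles no authentication token at all.
     *
     * @param authenticationToken ignored
     * @return always {@code false}
     */
    @Override
    public boolean supports(AuthenticationToken authenticationToken) {
        return false;
    }

    /**
     * Not used for authentication; see {@link #supports(AuthenticationToken)}.
     *
     * @param authenticationToken ignored
     * @return always {@code null}
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        return null;
    }

    /**
     * Drops every cached authorization entry when any user changes.
     *
     * <p>The event content is not inspected, so the whole cache is cleared rather than only the
     * changed user's entries.
     *
     * @param userChangedEvent the change notification
     */
    @Subscribe
    public void handleUserSave(UserChangedEvent userChangedEvent) {
        getAuthorizationCache().clear();
    }
}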
