package org.wso2.carbon.tomcat.ext.realms;

import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.eclipse.equinox.internal.p2.metadata.expression.IExpressionConstants;
import org.wso2.carbon.context.CarbonContext;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.registry.core.RegistryConstants;
import org.wso2.carbon.tomcat.ext.internal.CarbonRealmServiceHolder;
import org.wso2.carbon.tomcat.ext.saas.TenantSaaSRules;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.core.service.RealmService;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/tomcat/ext/realms/CarbonTomcatRealm.class */
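/**
 * Tomcat {@link RealmBase} that delegates authentication and role lookups to the Carbon
 * {@link RealmService} of the tenant encoded in the user name ({@code user@tenant.domain}).
 *
 * <p>A caller from a tenant other than the one that hosts the secured resource is denied
 * unless SaaS is enabled and the configured SaaS rules grant the access (see
 * {@link #setSaasRules(String)} for the rule syntax). Digest authentication is refused
 * because the Carbon user store does not expose MD5 credentials, and no password is ever
 * handed back to Tomcat.
 */
public class CarbonTomcatRealm extends RealmBase {
    private static final Log log = LogFactory.getLog(CarbonTomcatRealm.class);

    /** Super-tenant domain; user names of that tenant are qualified before a principal is built. */
    private static final String SUPER_TENANT_DOMAIN = "carbon.super";
    /** Separates the tenant name from the {@code users=}/{@code roles=} clauses of one rule. */
    private static final String RULE_CLAUSE_SEPARATOR = ":";
    /**
     * Separates a clause key from its value. The decompiled class resolved this literal to
     * {@code IExpressionConstants.OPERATOR_ASSIGN} (whose value is {@code "="}); a Tomcat realm
     * should not depend on an Equinox p2 internal for a one-character token.
     */
    private static final String RULE_ASSIGN = "=";
    private static final String RULE_LIST_SEPARATOR = ",";
    private static final String USERS_CLAUSE = "users";
    private static final String ROLES_CLAUSE = "roles";
    /** Prefix that marks a tenant, user or role as explicitly excluded from SaaS access. */
    private static final String EXCLUDE_PREFIX = "!";
    private static final String WILDCARD = "*";

    /** Parsed SaaS rules keyed by tenant name; {@code null} until {@link #setSaasRules(String)} runs. */
    private Map<String, TenantSaaSRules> tenantSaaSRulesMap = null;
    /** Whether cross-tenant (SaaS) access may be granted at all. Off by default. */
    private boolean isSaaSEnabled = false;

    /**
     * Principal whose roles are resolved live from the Carbon user store of the tenant named
     * after the {@code @} in the principal name, rather than from the role list cached by
     * {@link GenericPrincipal}.
     */
    public static class GenericCarbonPrincipal extends GenericPrincipal {
        /** Domain after the first {@code @} of the name, or {@code null} for a tenant-less name. */
        private final String tenantDomain;

        /**
         * Creates a principal for {@code str}. No password is stored; the initial role list is
         * fetched once from the user store (empty if that lookup fails).
         *
         * @param str user name, optionally qualified as {@code user@tenant.domain}
         */
        public GenericCarbonPrincipal(String str) {
            super(str, null, getCarbonRoles(str));
            this.tenantDomain = str.contains("@") ? str.substring(str.indexOf('@') + 1) : null;
        }

        /**
         * Looks up the roles of {@code str} in the user store of its tenant.
         *
         * @param str user name, optionally qualified with a tenant domain
         * @return the roles, or an empty list when the user store lookup fails (logged)
         */
        private static List<String> getCarbonRoles(String str) {
            try {
                // NOTE(review): the tenant is taken after the FIRST '@' here but the user part is
                // cut at the LAST '@' by getTenantLessUserName; these agree only for names with a
                // single '@'. Kept as in the original — confirm before unifying.
                String tenantDomain = str.contains("@") ? str.substring(str.indexOf('@') + 1) : null;
                RealmService realmService = CarbonRealmServiceHolder.getRealmService();
                int tenantId = realmService.getTenantManager().getTenantId(tenantDomain);
                String[] roles = realmService.getTenantUserRealm(tenantId).getUserStoreManager()
                        .getRoleListOfUser(CarbonTomcatRealm.getTenantLessUserName(str));
                // An empty list and null both yield an empty role array in GenericPrincipal,
                // but the empty list cannot trip callers that iterate the result.
                return roles == null ? new ArrayList<String>() : Arrays.asList(roles);
            } catch (UserStoreException e) {
                CarbonTomcatRealm.log.error("Error occurred while retrieving the roles of the user - " + str, e);
                return new ArrayList<String>();
            }
        }

        /**
         * Always throws: this realm never exposes credentials to Tomcat.
         *
         * @throws IllegalStateException unconditionally
         */
        @Override
        public String getPassword() {
            throw new IllegalStateException("When CarbonTomcatRealm is in operation this method Principal.getPassword() should never be called");
        }

        /**
         * Checks membership by querying the tenant's user store on every call, so role changes
         * take effect without re-authentication.
         *
         * @param str role name to test
         * @return {@code true} if the user store lists the role; {@code false} when it does not
         *         or when the lookup fails (logged)
         */
        @Override
        public boolean hasRole(String str) {
            try {
                RealmService realmService = CarbonRealmServiceHolder.getRealmService();
                int tenantId = realmService.getTenantManager().getTenantId(this.tenantDomain);
                String[] roles = realmService.getTenantUserRealm(tenantId).getUserStoreManager()
                        .getRoleListOfUser(CarbonTomcatRealm.getTenantLessUserName(this.name));
                // A linear scan replaces the original sort-then-binary-search, which also mutated
                // the array returned by the user store.
                return roles != null && Arrays.asList(roles).contains(str);
            } catch (UserStoreException e) {
                CarbonTomcatRealm.log.error("Cannot check role", e);
                return false;
            }
        }
    }

    /** @return whether SaaS (cross-tenant) access is enabled for this realm */
    public boolean getEnableSaaS() {
        return this.isSaaSEnabled;
    }

    /** @param z {@code true} to allow the SaaS rules to grant cross-tenant access */
    public void setEnableSaaS(boolean z) {
        this.isSaaSEnabled = z;
    }

    /** @return the parsed SaaS rules keyed by tenant name, or {@code null} if none were set */
    public Map<String, TenantSaaSRules> getSaasRules() {
        return this.tenantSaaSRulesMap;
    }

    /**
     * Parses and installs the SaaS rules. Rules are separated by
     * {@link RegistryConstants#URL_SEPARATOR}; each rule is
     * {@code tenant[:users=u1,u2][:roles=r1,r2]}. Whitespace is ignored. A {@code !} prefix on
     * a tenant, user or role excludes it; {@code *} matches any tenant, user or role.
     *
     * @param str the raw rule string as configured on the realm
     */
    public void setSaasRules(String str) {
        this.tenantSaaSRulesMap = getProcessedSaaSRules(str);
    }

    @Override
    protected String getName() {
        return getClass().getSimpleName();
    }

    /**
     * Always throws: credentials are verified inside the Carbon user store and never retrieved.
     *
     * @throws IllegalStateException unconditionally
     */
    @Override
    protected String getPassword(String str) {
        throw new IllegalStateException("When CarbonTomcatRealm is in operation this method getPassword(String) should never be called");
    }

    /**
     * Digest authentication entry point; always throws because no MD5 hash is available.
     *
     * @throws IllegalStateException unconditionally
     */
    @Override
    public Principal authenticate(String str, String str2, String str3, String str4, String str5, String str6, String str7, String str8) {
        throw new IllegalStateException("Carbon doesn't use MD5 hashes. Can't do digest authentication");
    }

    /**
     * Authenticates {@code str} with the given credentials against its tenant's user store.
     *
     * <p>Order of checks: unknown tenant → deny; caller's tenant differs from the hosting tenant
     * and no SaaS rule grants access → deny (logged); wrong credentials → deny. On success the
     * tenant-less user name is recorded in the thread-local Carbon context.
     *
     * @param str  user name, optionally qualified as {@code user@tenant.domain}
     * @param str2 the credential to verify
     * @return the principal, or {@code null} if authentication or tenant access is denied
     * @throws RuntimeException wrapping a {@link UserStoreException} from the user store
     */
    @Override
    public Principal authenticate(String str, String str2) {
        String tenantDomain = MultitenantUtils.getTenantDomain(str);
        String tenantLessUserName = getTenantLessUserName(str);
        // Super-tenant users are always qualified so the principal name carries the domain.
        String principalName = SUPER_TENANT_DOMAIN.equals(tenantDomain)
                ? str + "@" + SUPER_TENANT_DOMAIN
                : str;
        try {
            RealmService realmService = CarbonRealmServiceHolder.getRealmService();
            int tenantId = realmService.getTenantManager().getTenantId(tenantDomain);
            if (tenantId == -1) {
                return null;
            }
            String[] roles = realmService.getTenantUserRealm(tenantId).getUserStoreManager()
                    .getRoleListOfUser(tenantLessUserName);
            if (!checkSaasAccess(tenantDomain, tenantLessUserName, roles)) {
                // Without a SaaS grant the caller must belong to the tenant hosting the resource.
                // NOTE(review): a null tenantDomain skips this check entirely; this relies on
                // MultitenantUtils.getTenantDomain never returning null — confirm.
                String hostTenantDomain = CarbonContext.getThreadLocalCarbonContext().getTenantDomain();
                if (tenantDomain != null && !tenantDomain.equals(hostTenantDomain)) {
                    // Guarding null here turns what was an NPE into the same denial path.
                    if (hostTenantDomain == null || hostTenantDomain.trim().isEmpty()) {
                        hostTenantDomain = "0";
                    }
                    // The user name is still unverified client input when it is logged here.
                    log.warn("Illegal access attempt by " + principalName
                            + " to secured resource hosted by tenant " + hostTenantDomain);
                    return null;
                }
            }
            if (!realmService.getTenantUserRealm(tenantId).getUserStoreManager()
                    .authenticate(tenantLessUserName, str2)) {
                return null;
            }
            PrivilegedCarbonContext.getThreadLocalCarbonContext().setUsername(tenantLessUserName);
            return getPrincipal(principalName);
        } catch (UserStoreException e) {
            throw new RuntimeException(e.getMessage(), e);
        }
    }

    /**
     * Strips the tenant domain from a qualified user name.
     *
     * @param str user name, optionally qualified with {@code @domain}
     * @return the part before the last {@code @}, or {@code str} unchanged if it has none
     */
    public static String getTenantLessUserName(String str) {
        int at = str.lastIndexOf('@');
        return at > -1 ? str.substring(0, at) : str;
    }

    /**
     * Parses the rule string described on {@link #setSaasRules(String)}.
     *
     * @param str raw rule string; {@code null} yields an empty map (nothing is shared)
     * @return rules keyed by tenant name; a tenant listed without clauses maps to an empty rule
     */
    private Map<String, TenantSaaSRules> getProcessedSaaSRules(String str) {
        Map<String, TenantSaaSRules> rules = new HashMap<String, TenantSaaSRules>();
        if (str == null) {
            return rules;
        }
        String[] perTenant = str.replaceAll("\\s", "").split(RegistryConstants.URL_SEPARATOR);
        for (String tenantRule : perTenant) {
            String[] clauses = tenantRule.split(RULE_CLAUSE_SEPARATOR);
            String tenant = clauses[0];
            TenantSaaSRules tenantSaaSRules = new TenantSaaSRules();
            if (clauses.length > 1) {
                tenantSaaSRules.setTenant(tenant);
                for (int i = 1; i < clauses.length; i++) {
                    String[] keyValue = clauses[i].split(RULE_ASSIGN);
                    if (keyValue.length != 2) {
                        continue; // malformed clause is ignored, as before
                    }
                    // A repeated clause overwrites the earlier one (last wins).
                    if (USERS_CLAUSE.equals(keyValue[0])) {
                        tenantSaaSRules.setUsers(
                                new ArrayList<String>(Arrays.asList(keyValue[1].split(RULE_LIST_SEPARATOR))));
                    } else if (ROLES_CLAUSE.equals(keyValue[0])) {
                        tenantSaaSRules.setRoles(
                                new ArrayList<String>(Arrays.asList(keyValue[1].split(RULE_LIST_SEPARATOR))));
                    }
                }
            }
            rules.put(tenant, tenantSaaSRules);
        }
        return rules;
    }

    /**
     * Decides whether the SaaS rules grant {@code str2} of tenant {@code str} access to a
     * resource hosted by another tenant. Exclusions ({@code !}) always win; otherwise a
     * {@code roles=} clause is consulted when present, and only if there is none does a
     * {@code users=} clause apply. With no rule for the tenant, only a {@code *} tenant rule
     * grants access. Fails closed on any missing input.
     *
     * @param str    the caller's tenant domain
     * @param str2   the caller's tenant-less user name
     * @param strArr the caller's roles; {@code null} is treated as no roles
     * @return {@code true} only if SaaS is enabled and a rule grants the access
     */
    private boolean checkSaasAccess(String str, String str2, String[] strArr) {
        if (!this.isSaaSEnabled) {
            return false;
        }
        // SaaS enabled but no rules installed used to NPE on keySet(); deny instead.
        if (this.tenantSaaSRulesMap == null || str == null || str2 == null) {
            return false;
        }
        Set<String> ruleTenants = this.tenantSaaSRulesMap.keySet();
        if (ruleTenants.contains(EXCLUDE_PREFIX.concat(str))) {
            return false;
        }
        if (!ruleTenants.contains(str)) {
            // The original also tested "tenant present but no rules defined" here, which is
            // unreachable in this branch; only the wildcard tenant can grant.
            return ruleTenants.contains(WILDCARD);
        }
        TenantSaaSRules tenantRules = this.tenantSaaSRulesMap.get(str);
        ArrayList<String> users = tenantRules.getUsers();
        ArrayList<String> roles = tenantRules.getRoles();
        if (users != null && users.contains(EXCLUDE_PREFIX.concat(str2))) {
            return false;
        }
        if (roles != null) {
            String[] callerRoles = strArr == null ? new String[0] : strArr;
            boolean roleMatched = false;
            for (String role : callerRoles) {
                if (roles.contains(EXCLUDE_PREFIX.concat(role))) {
                    return false; // an excluded role vetoes any earlier match
                }
                if (roles.contains(role)) {
                    roleMatched = true;
                }
            }
            return roleMatched || roles.contains(WILDCARD);
        }
        return users != null && (users.contains(str2) || users.contains(WILDCARD));
    }

    @Override
    protected Principal getPrincipal(String str) {
        return new GenericCarbonPrincipal(str);
    }
}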
