package org.sonatype.security;

import com.google.common.eventbus.Subscribe;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import javax.enterprise.inject.Typed;
import javax.inject.Inject;
import javax.inject.Named;
import javax.inject.Singleton;
import net.sf.ehcache.CacheManager;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.cache.Cache;
import org.apache.shiro.cache.ehcache.EhCacheManager;
import org.apache.shiro.mgt.RealmSecurityManager;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Initializable;
import org.codehaus.plexus.util.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.sonatype.configuration.validation.InvalidConfigurationException;
import org.sonatype.security.authentication.AuthenticationException;
import org.sonatype.security.authorization.AuthorizationException;
import org.sonatype.security.authorization.AuthorizationManager;
import org.sonatype.security.authorization.NoSuchAuthorizationManagerException;
import org.sonatype.security.authorization.Privilege;
import org.sonatype.security.authorization.Role;
import org.sonatype.security.configuration.SecurityConfigurationManager;
import org.sonatype.security.email.NullSecurityEmailer;
import org.sonatype.security.email.SecurityEmailer;
import org.sonatype.security.events.AuthorizationConfigurationChanged;
import org.sonatype.security.events.SecurityConfigurationChanged;
import org.sonatype.security.events.UserPrincipalsExpired;
import org.sonatype.security.usermanagement.InvalidCredentialsException;
import org.sonatype.security.usermanagement.NoSuchUserManagerException;
import org.sonatype.security.usermanagement.PasswordGenerator;
import org.sonatype.security.usermanagement.RoleIdentifier;
import org.sonatype.security.usermanagement.RoleMappingUserManager;
import org.sonatype.security.usermanagement.User;
import org.sonatype.security.usermanagement.UserManager;
import org.sonatype.security.usermanagement.UserManagerFacade;
import org.sonatype.security.usermanagement.UserNotFoundException;
import org.sonatype.security.usermanagement.UserSearchCriteria;
import org.sonatype.security.usermanagement.UserStatus;
import org.sonatype.sisu.goodies.eventbus.EventBus;

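/**
 * Default {@link SecuritySystem} implementation.
 * <p>
 * Authentication and authorization are delegated to the injected Shiro {@link RealmSecurityManager};
 * user CRUD to the {@link UserManager}s reachable through the {@link UserManagerFacade}; role and
 * privilege listing to the injected {@link AuthorizationManager}s. The instance registers itself on
 * the {@link EventBus} in its constructor and clears the realms' authorization caches when an
 * {@link AuthorizationConfigurationChanged} or {@link SecurityConfigurationChanged} event arrives.
 * <p>
 * This source was recovered by decompiling nexus-security-2.14.10-01.jar; parameter names such as
 * {@code str} / {@code str2} are the decompiler's and are kept as-is, the Javadoc says what each is.
 */
@Singleton
@Typed({SecuritySystem.class})
@Named("default")
public class DefaultSecuritySystem implements SecuritySystem {
    private static final Logger logger = LoggerFactory.getLogger(DefaultSecuritySystem.class);

    /** Source id accepted by {@link #listRoles(String)} to mean "every authorization manager". */
    private static final String ALL_ROLES_KEY = "all";

    private final SecurityConfigurationManager securityConfiguration;
    private final RealmSecurityManager securityManager;
    private final CacheManager cacheManager;
    private final UserManagerFacade userManagerFacade;
    // Realms available as components, keyed by the id used in the security configuration's realm list.
    private final Map<String, Realm> realmMap;
    // Authorization managers keyed by source id.
    private final Map<String, AuthorizationManager> authorizationManagers;
    private final PasswordGenerator passwordGenerator;
    private final EventBus eventBus;
    private final List<SecurityEmailer> securityEmailers;
    // Resolved lazily by getSecurityEmailer(): the first injected emailer, else a NullSecurityEmailer.
    private SecurityEmailer securityEmailer;
    // Set by start(); the same instance is not re-startable.
    private volatile boolean started;

    /**
     * Creates the security system, registers it on the event bus and installs the security manager
     * into Shiro's {@link SecurityUtils}.
     *
     * @param list                         available emailers; the first one is used, an empty list falls back to {@link NullSecurityEmailer}
     * @param eventBus                     bus this instance subscribes to and posts change events on
     * @param passwordGenerator            used for generated initial and reset passwords
     * @param map                          authorization managers keyed by source id
     * @param map2                         realm components keyed by configuration realm id
     * @param securityConfigurationManager security configuration (realm list, anonymous access settings)
     * @param realmSecurityManager         Shiro security manager that performs authentication / authorization
     * @param cacheManager                 Ehcache manager handed to Shiro in {@link #start()}
     * @param userManagerFacade            access to the user managers keyed by source
     */
    @Inject
    public DefaultSecuritySystem(List<SecurityEmailer> list, EventBus eventBus, PasswordGenerator passwordGenerator,
                                 Map<String, AuthorizationManager> map, Map<String, Realm> map2,
                                 SecurityConfigurationManager securityConfigurationManager,
                                 RealmSecurityManager realmSecurityManager, CacheManager cacheManager,
                                 UserManagerFacade userManagerFacade) {
        this.securityEmailers = Objects.requireNonNull(list, "securityEmailers");
        this.eventBus = Objects.requireNonNull(eventBus, "eventBus");
        this.passwordGenerator = Objects.requireNonNull(passwordGenerator, "passwordGenerator");
        this.authorizationManagers = Objects.requireNonNull(map, "authorizationManagers");
        this.realmMap = Objects.requireNonNull(map2, "realmMap");
        this.securityConfiguration = Objects.requireNonNull(securityConfigurationManager, "securityConfiguration");
        this.securityManager = Objects.requireNonNull(realmSecurityManager, "securityManager");
        this.cacheManager = Objects.requireNonNull(cacheManager, "cacheManager");
        this.userManagerFacade = Objects.requireNonNull(userManagerFacade, "userManagerFacade");
        this.started = false;
        // Every field is assigned before 'this' escapes: registering on the bus can start delivering
        // events to this instance, and the original registered before userManagerFacade was set.
        this.eventBus.register(this);
        SecurityUtils.setSecurityManager(getSecurityManager());
    }

    /**
     * Logs the current {@link Subject} in with the given token.
     *
     * @param authenticationToken credentials to authenticate with
     * @return the subject that is now authenticated
     * @throws AuthenticationException if Shiro rejects the token; the Shiro exception is kept as the cause
     */
    @Override
    public Subject login(AuthenticationToken authenticationToken) throws AuthenticationException {
        try {
            Subject subject = getSubject();
            subject.login(authenticationToken);
            return subject;
        } catch (org.apache.shiro.authc.AuthenticationException e) {
            throw new AuthenticationException(e.getMessage(), e);
        }
    }

    /**
     * Authenticates a token without binding the result to a subject.
     *
     * @param authenticationToken credentials to authenticate with
     * @return the authentication info produced by the security manager
     * @throws AuthenticationException if Shiro rejects the token; the Shiro exception is kept as the cause
     */
    @Override
    public AuthenticationInfo authenticate(AuthenticationToken authenticationToken) throws AuthenticationException {
        try {
            return getSecurityManager().authenticate(authenticationToken);
        } catch (org.apache.shiro.authc.AuthenticationException e) {
            throw new AuthenticationException(e.getMessage(), e);
        }
    }

    /** @return the subject Shiro associates with the calling thread */
    @Override
    public Subject getSubject() {
        return SecurityUtils.getSubject();
    }

    /** Logs the given subject out. */
    @Override
    public void logout(Subject subject) {
        subject.logout();
    }

    /**
     * @param principalCollection principals to check
     * @param str                 permission string
     * @return whether the principals hold the permission
     */
    @Override
    public boolean isPermitted(PrincipalCollection principalCollection, String str) {
        return getSecurityManager().isPermitted(principalCollection, str);
    }

    /**
     * Checks several permissions at once.
     *
     * @param principalCollection principals to check
     * @param list                permission strings; the result array follows this order
     * @return one entry per permission, {@code true} where it is granted
     */
    @Override
    public boolean[] isPermitted(PrincipalCollection principalCollection, List<String> list) {
        return getSecurityManager().isPermitted(principalCollection, list.toArray(new String[0]));
    }

    /**
     * @throws AuthorizationException if the permission is not granted; Shiro's exception is kept as the cause
     */
    @Override
    public void checkPermission(PrincipalCollection principalCollection, String str) throws AuthorizationException {
        try {
            getSecurityManager().checkPermission(principalCollection, str);
        } catch (org.apache.shiro.authz.AuthorizationException e) {
            throw new AuthorizationException(e.getMessage(), e);
        }
    }

    /**
     * @throws AuthorizationException if any of the permissions is not granted; Shiro's exception is kept as the cause
     */
    @Override
    public void checkPermission(PrincipalCollection principalCollection, List<String> list) throws AuthorizationException {
        try {
            getSecurityManager().checkPermissions(principalCollection, list.toArray(new String[0]));
        } catch (org.apache.shiro.authz.AuthorizationException e) {
            throw new AuthorizationException(e.getMessage(), e);
        }
    }

    /**
     * @param principalCollection principals to check
     * @param str                 role id
     * @return whether the principals hold the role
     */
    @Override
    public boolean hasRole(PrincipalCollection principalCollection, String str) {
        return getSecurityManager().hasRole(principalCollection, str);
    }

    /**
     * Resolves the realm ids listed in the security configuration to {@link Realm} instances.
     * <p>
     * Ids that match a component in {@code realmMap} use that component. Any other id is treated as a
     * class name and instantiated reflectively through this class's class loader; the configuration
     * is trusted input here, but only classes that actually implement {@link Realm} are instantiated
     * ({@code asSubclass} fails before any constructor runs). A realm that cannot be loaded is logged
     * and skipped so the remaining realms are still installed.
     *
     * @return the resolved realms, in configuration order
     */
    private Collection<Realm> getRealmsFromConfigSource() {
        List<Realm> realms = new ArrayList<>();
        for (String realmId : this.securityConfiguration.getRealms()) {
            if (this.realmMap.containsKey(realmId)) {
                realms.add(this.realmMap.get(realmId));
                continue;
            }
            logger.debug("Failed to look up realm as a component, trying reflection");
            try {
                Class<? extends Realm> realmClass =
                        getClass().getClassLoader().loadClass(realmId).asSubclass(Realm.class);
                realms.add(realmClass.getDeclaredConstructor().newInstance());
            } catch (ReflectiveOperationException | RuntimeException e) {
                logger.error("Unable to lookup security realms", e);
            }
        }
        return realms;
    }

    /**
     * @return the union of the roles of every authorization manager (managers returning {@code null} contribute nothing)
     */
    @Override
    public Set<Role> listRoles() {
        Set<Role> roles = new HashSet<>();
        for (AuthorizationManager manager : this.authorizationManagers.values()) {
            Set<Role> managerRoles = manager.listRoles();
            if (managerRoles != null) {
                roles.addAll(managerRoles);
            }
        }
        return roles;
    }

    /**
     * @param str source id, or {@value #ALL_ROLES_KEY} (case-insensitive) for every source
     * @return the roles of that source
     * @throws NoSuchAuthorizationManagerException if no manager is registered for the source
     */
    @Override
    public Set<Role> listRoles(String str) throws NoSuchAuthorizationManagerException {
        if (ALL_ROLES_KEY.equalsIgnoreCase(str)) {
            return listRoles();
        }
        return getAuthorizationManager(str).listRoles();
    }

    /**
     * @return the union of the privileges of every authorization manager (managers returning {@code null} contribute nothing)
     */
    @Override
    public Set<Privilege> listPrivileges() {
        Set<Privilege> privileges = new HashSet<>();
        for (AuthorizationManager manager : this.authorizationManagers.values()) {
            Set<Privilege> managerPrivileges = manager.listPrivileges();
            if (managerPrivileges != null) {
                privileges.addAll(managerPrivileges);
            }
        }
        return privileges;
    }

    /**
     * Adds a user with a generated password; see {@link #addUser(User, String)}.
     */
    @Override
    public User addUser(User user) throws NoSuchUserManagerException, InvalidConfigurationException {
        return addUser(user, generatePassword());
    }

    /**
     * Adds a user to the manager of its source, propagates its roles to the other role-mapping managers
     * and, if the user is active, e-mails the initial password to the user's address.
     *
     * @param user user to add; its source selects the user manager
     * @param str  initial password, or {@code null} to generate one
     * @return the same user instance
     * @throws NoSuchUserManagerException    if no manager is registered for the user's source
     * @throws InvalidConfigurationException if that manager is read-only
     */
    @Override
    public User addUser(User user, String str) throws NoSuchUserManagerException, InvalidConfigurationException {
        String password = str != null ? str : generatePassword();
        UserManager userManager = writableUserManager(user.getSource());
        userManager.addUser(user, password);
        propagateRoleMappings(user);
        if (UserStatus.active.equals(user.getStatus())) {
            // The initial password leaves the system only via this e-mail.
            getSecurityEmailer().sendNewUserCreated(user.getEmailAddress(), user.getUserId(), password);
        }
        return user;
    }

    /**
     * Updates a user in the manager of its source, propagates its roles to the other role-mapping
     * managers and posts {@link AuthorizationConfigurationChanged} so realm caches are cleared.
     *
     * @param user user to update; its source selects the user manager
     * @return the same user instance
     * @throws UserNotFoundException         if the manager does not know the user
     * @throws NoSuchUserManagerException    if no manager is registered for the user's source
     * @throws InvalidConfigurationException if that manager is read-only
     */
    @Override
    public User updateUser(User user) throws UserNotFoundException, NoSuchUserManagerException, InvalidConfigurationException {
        UserManager userManager = writableUserManager(user.getSource());
        userManager.updateUser(user);
        propagateRoleMappings(user);
        this.eventBus.post(new AuthorizationConfigurationChanged());
        return user;
    }

    /**
     * Looks up the user manager for a source and verifies it accepts writes.
     *
     * @throws NoSuchUserManagerException    if no manager is registered for the source
     * @throws InvalidConfigurationException if the manager is read-only
     */
    private UserManager writableUserManager(String source) throws NoSuchUserManagerException, InvalidConfigurationException {
        UserManager userManager = this.userManagerFacade.getUserManager(source);
        if (!userManager.supportsWrite()) {
            throw new InvalidConfigurationException("UserManager: " + userManager.getSource() + " does not support writing.");
        }
        return userManager;
    }

    /**
     * Pushes the user's role set to every {@link RoleMappingUserManager} other than the one owning the
     * user. A manager that does not know the user answers with {@link UserNotFoundException}, which is
     * expected and only logged at debug level.
     */
    private void propagateRoleMappings(User user) {
        for (UserManager other : this.userManagerFacade.getUserManagers().values()) {
            if (other.getSource().equals(user.getSource()) || !(other instanceof RoleMappingUserManager)) {
                continue;
            }
            try {
                ((RoleMappingUserManager) other).setUsersRoles(user.getUserId(), user.getSource(),
                        RoleIdentifier.getRoleIdentifiersForSource(user.getSource(), user.getRoles()));
            } catch (UserNotFoundException e) {
                logger.debug("User '" + user.getUserId() + "' is not managed by the usermanager: " + other.getSource());
            }
        }
    }

    /**
     * Deletes a user, locating its source via {@link #getUser(String)}.
     *
     * @param str user id
     * @throws UserNotFoundException if no manager knows the user
     * @throws IllegalStateException if the user's source has no manager although it was just returned from one
     */
    @Override
    public void deleteUser(String str) throws UserNotFoundException {
        try {
            deleteUser(str, getUser(str).getSource());
        } catch (NoSuchUserManagerException e) {
            // getUser() obtained the user from that source's manager, so the manager vanishing is an internal inconsistency.
            String message = "User manager returned user, but could not be found: " + e.getMessage();
            logger.error(message, e);
            throw new IllegalStateException(message, e);
        }
    }

    /**
     * Deletes a user from the manager of the given source and posts {@link UserPrincipalsExpired}.
     *
     * @param str  user id
     * @param str2 source id
     * @throws UserNotFoundException      if the manager does not know the user
     * @throws NoSuchUserManagerException if no manager is registered for the source
     */
    @Override
    public void deleteUser(String str, String str2) throws UserNotFoundException, NoSuchUserManagerException {
        this.userManagerFacade.getUserManager(str2).deleteUser(str);
        this.eventBus.post(new UserPrincipalsExpired(str, str2));
    }

    /**
     * @param str  user id
     * @param str2 source id
     * @return the user's roles, including those mapped by other role-mapping managers
     */
    @Override
    public Set<RoleIdentifier> getUsersRoles(String str, String str2) throws UserNotFoundException, NoSuchUserManagerException {
        return getUser(str, str2).getRoles();
    }

    /**
     * Sets a user's roles on every {@link RoleMappingUserManager}, each receiving the identifiers that
     * belong to its own source.
     *
     * @param str  user id
     * @param str2 source id of the user
     * @param set  roles to assign
     * @throws UserNotFoundException if no {@link RoleMappingUserManager} is registered at all
     */
    @Override
    public void setUsersRoles(String str, String str2, Set<RoleIdentifier> set) throws InvalidConfigurationException, UserNotFoundException {
        boolean mappingManagerSeen = false;
        for (UserManager userManager : this.userManagerFacade.getUserManagers().values()) {
            if (!(userManager instanceof RoleMappingUserManager)) {
                continue;
            }
            // NOTE(review): the flag records that a RoleMappingUserManager exists, not that any of them
            // accepted the user; if every one throws UserNotFoundException the call still returns normally.
            mappingManagerSeen = true;
            try {
                ((RoleMappingUserManager) userManager).setUsersRoles(str, str2,
                        RoleIdentifier.getRoleIdentifiersForSource(userManager.getSource(), set));
            } catch (UserNotFoundException e) {
                logger.debug("User '" + str + "' is not managed by the usermanager: " + userManager.getSource());
            }
        }
        if (!mappingManagerSeen) {
            throw new UserNotFoundException(str);
        }
    }

    /**
     * Finds a user by id, probing the user managers in the order given by {@link #orderUserManagers()}
     * and returning the first hit.
     *
     * @param str user id
     * @throws UserNotFoundException if no manager knows the user
     */
    @Override
    public User getUser(String str) throws UserNotFoundException {
        for (UserManager userManager : orderUserManagers()) {
            try {
                return getUser(str, userManager.getSource());
            } catch (NoSuchUserManagerException e) {
                logger.warn("UserManager: '" + userManager.getSource() + "' was not found, but is in the list of UserManagers", e);
            } catch (UserNotFoundException e2) {
                logger.debug("User: '" + str + "' was not found in: '" + userManager.getSource() + "' ");
            }
        }
        throw new UserNotFoundException(str);
    }

    /**
     * Finds a user by id in one source and adds the roles mapped to it by other managers.
     *
     * @param str  user id
     * @param str2 source id
     * @throws UserNotFoundException      if the manager returns {@code null} for the id
     * @throws NoSuchUserManagerException if no manager is registered for the source
     */
    @Override
    public User getUser(String str, String str2) throws UserNotFoundException, NoSuchUserManagerException {
        User user = this.userManagerFacade.getUserManager(str2).getUser(str);
        if (user == null) {
            throw new UserNotFoundException(str);
        }
        addOtherRolesToUser(user);
        return user;
    }

    /**
     * @return every user of every manager, each decorated with the roles mapped by other managers
     */
    @Override
    public Set<User> listUsers() {
        Set<User> users = new HashSet<>();
        for (UserManager userManager : this.userManagerFacade.getUserManagers().values()) {
            Set<User> managerUsers = userManager.listUsers();
            // Tolerate a null result the same way searchUsers() does.
            if (managerUsers != null) {
                users.addAll(managerUsers);
            }
        }
        addOtherRolesToUsers(users);
        return users;
    }

    /**
     * Searches users in one source, or in every source when the criteria name none. An unknown source
     * is logged and yields an empty result.
     *
     * @param userSearchCriteria search criteria; {@code getSource()} selects the manager(s)
     * @return matching users, each decorated with the roles mapped by other managers
     */
    @Override
    public Set<User> searchUsers(UserSearchCriteria userSearchCriteria) {
        Set<User> users = new HashSet<>();
        if (StringUtils.isEmpty(userSearchCriteria.getSource())) {
            for (UserManager userManager : this.userManagerFacade.getUserManagers().values()) {
                Set<User> found = userManager.searchUsers(userSearchCriteria);
                if (found != null) {
                    users.addAll(found);
                }
            }
        } else {
            try {
                users.addAll(this.userManagerFacade.getUserManager(userSearchCriteria.getSource()).searchUsers(userSearchCriteria));
            } catch (NoSuchUserManagerException e) {
                logger.warn("UserManager: " + userSearchCriteria.getSource() + " was not found.", e);
            }
        }
        addOtherRolesToUsers(users);
        return users;
    }

    /**
     * Orders the user managers so that those whose authentication realm appears in the security
     * manager's realm list come first, in that realm order, followed by every remaining manager in the
     * facade's iteration order. {@link #getUser(String)} probes managers in this order.
     */
    private List<UserManager> orderUserManagers() {
        Collection<UserManager> allManagers = this.userManagerFacade.getUserManagers().values();
        Map<String, UserManager> byRealmName = new HashMap<>();
        for (UserManager userManager : allManagers) {
            if (userManager.getAuthenticationRealmName() != null) {
                byRealmName.put(userManager.getAuthenticationRealmName(), userManager);
            }
        }
        List<UserManager> ordered = new ArrayList<>();
        List<UserManager> remaining = new ArrayList<>(allManagers);
        for (Realm realm : getSecurityManager().getRealms()) {
            UserManager match = byRealmName.get(realm.getName());
            if (match != null) {
                remaining.remove(match);
                ordered.add(match);
            }
        }
        ordered.addAll(remaining);
        return ordered;
    }

    /** Applies {@link #addOtherRolesToUser(User)} to each user in the set. */
    private void addOtherRolesToUsers(Set<User> users) {
        for (User user : users) {
            addOtherRolesToUser(user);
        }
    }

    /**
     * Adds to the user the roles that {@link RoleMappingUserManager}s of other sources have mapped to
     * it. Managers that do not know the user are skipped.
     */
    private void addOtherRolesToUser(User user) {
        for (UserManager userManager : this.userManagerFacade.getUserManagers().values()) {
            if (userManager.getSource().equals(user.getSource()) || !(userManager instanceof RoleMappingUserManager)) {
                continue;
            }
            try {
                Set<RoleIdentifier> mappedRoles =
                        ((RoleMappingUserManager) userManager).getUsersRoles(user.getUserId(), user.getSource());
                if (mappedRoles != null) {
                    user.addAllRoles(mappedRoles);
                }
            } catch (UserNotFoundException e) {
                logger.debug("User '" + user.getUserId() + "' is not managed by the usermanager: " + userManager.getSource());
            }
        }
    }

    /**
     * @param str source id
     * @throws NoSuchAuthorizationManagerException if no manager is registered for the source
     */
    @Override
    public AuthorizationManager getAuthorizationManager(String str) throws NoSuchAuthorizationManagerException {
        AuthorizationManager manager = this.authorizationManagers.get(str);
        if (manager == null && !this.authorizationManagers.containsKey(str)) {
            throw new NoSuchAuthorizationManagerException("AuthorizationManager with source: '" + str + "' could not be found.");
        }
        return manager;
    }

    /** @return the configured anonymous user name */
    @Override
    public String getAnonymousUsername() {
        return this.securityConfiguration.getAnonymousUsername();
    }

    /** @return whether anonymous access is enabled in the configuration */
    @Override
    public boolean isAnonymousAccessEnabled() {
        return this.securityConfiguration.isAnonymousAccessEnabled();
    }

    /**
     * Changes a user's password after re-authenticating with the current one.
     *
     * @param str  user id
     * @param str2 current password
     * @param str3 new password
     * @throws InvalidCredentialsException   if the current password does not authenticate
     * @throws UserNotFoundException         if no manager knows the user
     * @throws InvalidConfigurationException if the manager rejects the change
     */
    @Override
    public void changePassword(String str, String str2, String str3) throws UserNotFoundException, InvalidCredentialsException, InvalidConfigurationException {
        try {
            if (getSecurityManager().authenticate(new UsernamePasswordToken(str, str2)) == null) {
                throw new InvalidCredentialsException();
            }
            changePassword(str, str3);
        } catch (org.apache.shiro.authc.AuthenticationException e) {
            // Only the failure reason is logged, never the credentials; the caller sees a generic rejection.
            logger.debug("User failed to change password reason: " + e.getMessage(), e);
            throw new InvalidCredentialsException();
        }
    }

    /**
     * Changes a user's password without checking the current one; callers are responsible for
     * authorization. The user's source is located via {@link #getUser(String)}.
     *
     * @param str  user id
     * @param str2 new password
     * @throws UserNotFoundException         if no manager knows the user
     * @throws InvalidConfigurationException if the manager rejects the change
     * @throws IllegalStateException         if the user's source has no manager although it was just returned from one
     */
    @Override
    public void changePassword(String str, String str2) throws UserNotFoundException, InvalidConfigurationException {
        User user = getUser(str);
        try {
            this.userManagerFacade.getUserManager(user.getSource()).changePassword(str, str2);
        } catch (NoSuchUserManagerException e) {
            // Previously only logged: the caller (e.g. resetPassword, which then e-mails the new password)
            // would continue as if the change had succeeded. Handled like the same state in deleteUser(String).
            String message = "User '" + str + "' with source: '" + user.getSource() + "' but could not find the UserManager for that source.";
            logger.error(message, e);
            throw new IllegalStateException(message, e);
        }
    }

    /**
     * Resets a user's password when the given id and e-mail address both match an existing user.
     * The results of {@link #searchUsers(UserSearchCriteria)} are re-checked for an exact match
     * (user id ignoring case and surrounding whitespace, e-mail verbatim) before anything is reset.
     *
     * @param str  user id
     * @param str2 e-mail address on record for that user
     * @throws UserNotFoundException if no user matches both values; the e-mail address is used as the message
     */
    @Override
    public void forgotPassword(String str, String str2) throws UserNotFoundException, InvalidConfigurationException {
        UserSearchCriteria criteria = new UserSearchCriteria();
        criteria.setEmail(str2);
        criteria.setUserId(str);
        boolean matched = false;
        for (User candidate : searchUsers(criteria)) {
            // str2 is compared from the non-null side so a user without an e-mail address cannot cause an NPE.
            if (candidate.getUserId().equalsIgnoreCase(str.trim())
                    && str2 != null && str2.equals(candidate.getEmailAddress())) {
                matched = true;
                break;
            }
        }
        if (!matched) {
            throw new UserNotFoundException(str2);
        }
        resetPassword(str);
    }

    /**
     * E-mails the list of user ids registered under an e-mail address to that address. The anonymous
     * user is never included.
     *
     * @param str e-mail address
     * @throws UserNotFoundException if no non-anonymous user has that address
     */
    @Override
    public void forgotUsername(String str) throws UserNotFoundException {
        UserSearchCriteria criteria = new UserSearchCriteria();
        criteria.setEmail(str);
        List<String> userIds = new ArrayList<>();
        for (User user : searchUsers(criteria)) {
            if (!user.getUserId().equalsIgnoreCase(getAnonymousUsername()) && str.equalsIgnoreCase(user.getEmailAddress())) {
                userIds.add(user.getUserId());
            }
        }
        if (userIds.isEmpty()) {
            throw new UserNotFoundException(str);
        }
        getSecurityEmailer().sendForgotUsername(str, userIds);
    }

    /**
     * Sets a freshly generated password for the user and e-mails it to the user's address.
     *
     * @param str user id
     * @throws UserNotFoundException         if no manager knows the user
     * @throws InvalidConfigurationException if the manager rejects the change
     */
    @Override
    public void resetPassword(String str) throws UserNotFoundException, InvalidConfigurationException {
        String newPassword = generatePassword();
        User user = getUser(str);
        changePassword(str, newPassword);
        // The new password reaches the user only through this e-mail.
        getSecurityEmailer().sendResetPassword(user.getEmailAddress(), newPassword);
    }

    /** @return a generated password; the two arguments are presumably minimum and maximum length — confirm against PasswordGenerator */
    private String generatePassword() {
        return this.passwordGenerator.generatePassword(10, 10);
    }

    /**
     * Lazily picks the emailer: the first injected {@link SecurityEmailer}, or a
     * {@link NullSecurityEmailer} (logged as an error) when none was injected.
     * NOTE(review): not synchronized; concurrent first calls may each resolve it — confirm that is acceptable.
     */
    private SecurityEmailer getSecurityEmailer() {
        if (this.securityEmailer == null) {
            if (this.securityEmailers.isEmpty()) {
                logger.error("Failed to find a SecurityEmailer");
                this.securityEmailer = new NullSecurityEmailer();
            } else {
                this.securityEmailer = this.securityEmailers.get(0);
            }
        }
        return this.securityEmailer;
    }

    /** @return a copy of the configured realm id list; modifying it does not affect the configuration */
    @Override
    public List<String> getRealms() {
        return new ArrayList<>(this.securityConfiguration.getRealms());
    }

    /**
     * Replaces the configured realm list, saves the configuration and re-installs the realms into the
     * security manager.
     */
    @Override
    public void setRealms(List<String> list) throws InvalidConfigurationException {
        this.securityConfiguration.setRealms(list);
        this.securityConfiguration.save();
        setSecurityManagerRealms();
    }

    /** Enables or disables anonymous access and saves the configuration. */
    @Override
    public void setAnonymousAccessEnabled(boolean z) {
        this.securityConfiguration.setAnonymousAccessEnabled(z);
        this.securityConfiguration.save();
    }

    /** Sets the anonymous user name and saves the configuration. */
    @Override
    public void setAnonymousUsername(String str) throws InvalidConfigurationException {
        this.securityConfiguration.setAnonymousUsername(str);
        this.securityConfiguration.save();
    }

    /** @return the configured anonymous user's password */
    @Override
    public String getAnonymousPassword() {
        return this.securityConfiguration.getAnonymousPassword();
    }

    /** Sets the anonymous user's password and saves the configuration. */
    @Override
    public void setAnonymousPassword(String str) throws InvalidConfigurationException {
        this.securityConfiguration.setAnonymousPassword(str);
        this.securityConfiguration.save();
    }

    /**
     * Starts the system: clears the configuration cache, wires the Ehcache manager into Shiro,
     * initializes the security manager if it is {@link Initializable} and installs the configured realms.
     *
     * @throws IllegalStateException if called a second time on this instance
     */
    @Override
    public synchronized void start() {
        if (this.started) {
            throw new IllegalStateException(getClass().getName() + " was already started, same instance is not re-startable!");
        }
        this.securityConfiguration.clearCache();
        EhCacheManager ehCacheManager = new EhCacheManager();
        ehCacheManager.setCacheManager(this.cacheManager);
        getSecurityManager().setCacheManager(ehCacheManager);
        if (getSecurityManager() instanceof Initializable) {
            ((Initializable) getSecurityManager()).init();
        }
        setSecurityManagerRealms();
        this.started = true;
    }

    /**
     * Stops the system: detaches the authentication and authorization caches from every realm and
     * destroys the security manager. {@code started} is deliberately left as-is, so the instance cannot
     * be started again.
     */
    @Override
    public synchronized void stop() {
        Collection<Realm> realms = getSecurityManager().getRealms();
        if (realms != null) {
            for (Realm realm : realms) {
                if (realm instanceof AuthenticatingRealm) {
                    ((AuthenticatingRealm) realm).setAuthenticationCache(null);
                }
                if (realm instanceof AuthorizingRealm) {
                    ((AuthorizingRealm) realm).setAuthorizationCache(null);
                }
            }
        }
        getSecurityManager().destroy();
    }

    /** Installs the realms resolved from the configuration into the security manager. */
    private void setSecurityManagerRealms() {
        getSecurityManager().setRealms(new ArrayList<>(getRealmsFromConfigSource()));
    }

    /** Clears the authorization cache of every {@link AuthorizingRealm} that has one. */
    private void clearRealmCaches() {
        Collection<Realm> realms = getSecurityManager().getRealms();
        if (realms == null) {
            return;
        }
        for (Realm realm : realms) {
            if (!(realm instanceof AuthorizingRealm)) {
                continue;
            }
            Cache<Object, AuthorizationInfo> authorizationCache = ((AuthorizingRealm) realm).getAuthorizationCache();
            if (authorizationCache != null) {
                authorizationCache.clear();
            }
        }
    }

    /** Role / privilege assignments changed: cached authorization decisions are stale. */
    @Subscribe
    public void onEvent(AuthorizationConfigurationChanged authorizationConfigurationChanged) {
        clearRealmCaches();
    }

    /** Security configuration changed: drop caches, reload the configuration and re-install the realms. */
    @Subscribe
    public void onEvent(SecurityConfigurationChanged securityConfigurationChanged) {
        clearRealmCaches();
        this.securityConfiguration.clearCache();
        setSecurityManagerRealms();
    }

    /** @return the injected Shiro security manager */
    @Override
    public RealmSecurityManager getSecurityManager() {
        return this.securityManager;
    }
}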
