package org.apache.hugegraph.auth;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import io.jsonwebtoken.Claims;
import jakarta.ws.rs.ForbiddenException;
import java.time.Duration;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.concurrent.Callable;
import javax.security.sasl.AuthenticationException;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.hugegraph.HugeException;
import org.apache.hugegraph.HugeGraphParams;
import org.apache.hugegraph.auth.HugeAccess;
import org.apache.hugegraph.auth.HugeBelong;
import org.apache.hugegraph.auth.HugeGroup;
import org.apache.hugegraph.auth.HugeProject;
import org.apache.hugegraph.auth.HugeTarget;
import org.apache.hugegraph.auth.HugeUser;
import org.apache.hugegraph.auth.SchemaDefine;
import org.apache.hugegraph.backend.cache.Cache;
import org.apache.hugegraph.backend.cache.CacheManager;
import org.apache.hugegraph.backend.id.Id;
import org.apache.hugegraph.backend.id.IdGenerator;
import org.apache.hugegraph.config.AuthOptions;
import org.apache.hugegraph.config.HugeConfig;
import org.apache.hugegraph.type.define.Directions;
import org.apache.hugegraph.util.E;
import org.apache.hugegraph.util.LockUtil;
import org.apache.hugegraph.util.Log;
import org.apache.hugegraph.util.StringEncoding;
import org.slf4j.Logger;

/* loaded from: input_file:org/apache/hugegraph/auth/StandardAuthManager.class */
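/**
 * {@link AuthManager} implementation that keeps users, groups, targets,
 * projects and the belong/access relationships in the graph passed to the
 * constructor, with three per-graph caches in front of it (user objects,
 * verified passwords, issued tokens).
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>A user's {@link RolePermission} is computed once and stored on the
 *       cached {@link HugeUser}; every change to groups, targets, belongs or
 *       accesses therefore has to clear the user cache, otherwise the old
 *       permissions stay in effect until the cache entry expires.</li>
 *   <li>The password cache holds the clear-text password of users that
 *       authenticated successfully (see {@link #matchUser}).</li>
 *   <li>Evicting a token from the token cache does not by itself reject that
 *       token later (see {@link #validateUser(String)}).</li>
 * </ul>
 */
public class StandardAuthManager implements AuthManager {
    protected static final Logger LOG = Log.logger(StandardAuthManager.class);
    private final HugeGraphParams graph;
    private final Cache<Id, HugeUser> usersCache;
    private final Cache<Id, String> pwdCache;
    private final Cache<Id, String> tokenCache;
    private final EntityManager<HugeUser> users;
    private final EntityManager<HugeGroup> groups;
    private final EntityManager<HugeTarget> targets;
    private final EntityManager<HugeProject> project;
    private final RelationshipManager<HugeBelong> belong;
    private final RelationshipManager<HugeAccess> access;
    private final TokenGenerator tokenGenerator;
    private final long tokenExpire;
    private Set<String> ipWhiteList;
    private Boolean ipWhiteListEnabled;

    /**
     * Builds the manager for one graph: reads the cache and token settings
     * from the graph configuration, creates the three caches and the entity
     * and relationship managers, and starts with an empty, disabled IP
     * white list.
     *
     * @param hugeGraphParams the graph that stores the auth data; must not be null
     */
    public StandardAuthManager(HugeGraphParams hugeGraphParams) {
        E.checkNotNull(hugeGraphParams, "graph");
        HugeConfig configuration = hugeGraphParams.configuration();
        long cacheExpire = ((Long) configuration.get(AuthOptions.AUTH_CACHE_EXPIRE)).longValue();
        long cacheCapacity = ((Long) configuration.get(AuthOptions.AUTH_CACHE_CAPACITY)).longValue();
        // Stored multiplied by 1000; presumably the option is in seconds and
        // the token generator expects milliseconds -- TODO confirm.
        this.tokenExpire = ((Long) configuration.get(AuthOptions.AUTH_TOKEN_EXPIRE)).longValue() * 1000;
        this.graph = hugeGraphParams;
        this.usersCache = cache("users", cacheCapacity, cacheExpire);
        this.pwdCache = cache("users_pwd", cacheCapacity, cacheExpire);
        this.tokenCache = cache("token", cacheCapacity, cacheExpire);
        this.users = new EntityManager<>(this.graph, HugeUser.P.USER, HugeUser::fromVertex);
        this.groups = new EntityManager<>(this.graph, HugeGroup.P.GROUP, HugeGroup::fromVertex);
        this.targets = new EntityManager<>(this.graph, HugeTarget.P.TARGET, HugeTarget::fromVertex);
        this.project = new EntityManager<>(this.graph, HugeProject.P.PROJECT, HugeProject::fromVertex);
        this.belong = new RelationshipManager<>(this.graph, HugeBelong.P.BELONG, HugeBelong::fromEdge);
        this.access = new RelationshipManager<>(this.graph, HugeAccess.P.ACCESS, HugeAccess::fromEdge);
        this.tokenGenerator = new TokenGenerator(configuration);
        this.ipWhiteList = new HashSet<>();
        this.ipWhiteListEnabled = false;
    }

    /**
     * Obtains the cache named {@code <prefix>-<graph name>} from the
     * {@link CacheManager} and sets its expiry.
     *
     * @param prefix        cache name prefix
     * @param capacity      capacity handed to the cache manager
     * @param expireSeconds expiry in seconds when positive; a non-positive
     *                      value is passed to {@code expire} unchanged
     */
    private <V> Cache<Id, V> cache(String prefix, long capacity, long expireSeconds) {
        Cache<Id, V> cache = CacheManager.instance().cache(prefix + "-" + this.graph.name(), capacity);
        long expire = expireSeconds > 0 ? Duration.ofSeconds(expireSeconds).toMillis() : expireSeconds;
        cache.expire(expire);
        return cache;
    }

    /** Clears the user cache and initialises the six auth schemas if needed. */
    @Override
    public void init() {
        invalidateUserCache();
        HugeUser.schema(this.graph).initSchemaIfNeeded();
        HugeGroup.schema(this.graph).initSchemaIfNeeded();
        HugeTarget.schema(this.graph).initSchemaIfNeeded();
        HugeBelong.schema(this.graph).initSchemaIfNeeded();
        HugeAccess.schema(this.graph).initSchemaIfNeeded();
        HugeProject.schema(this.graph).initSchemaIfNeeded();
    }

    /** Releases nothing; always returns {@code true}. */
    @Override
    public boolean close() {
        return true;
    }

    /**
     * Drops every cached {@link HugeUser}, and with it the role permission
     * stored on each of them.
     */
    private void invalidateUserCache() {
        this.usersCache.clear();
    }

    /**
     * Drops the cached password of one user and empties the token cache.
     *
     * @param id id of the user whose credentials changed
     */
    private void invalidatePasswordCache(Id id) {
        this.pwdCache.invalidate(id);
        // NOTE(review): this only empties the cache; validateUser(String)
        // still accepts a token that tokenGenerator.verify() accepts.
        this.tokenCache.clear();
    }

    /** Clears the user cache and adds the user; returns the manager's result. */
    @Override
    public Id createUser(HugeUser hugeUser) {
        invalidateUserCache();
        return this.users.add(hugeUser);
    }

    /**
     * Clears the user cache and the user's cached password (plus the token
     * cache), then updates the user.
     */
    @Override
    public Id updateUser(HugeUser hugeUser) {
        invalidateUserCache();
        invalidatePasswordCache(hugeUser.id());
        return this.users.update(hugeUser);
    }

    /**
     * Clears the user cache and the user's cached password (plus the token
     * cache), then deletes the user.
     */
    @Override
    public HugeUser deleteUser(Id id) {
        invalidateUserCache();
        invalidatePasswordCache(id);
        return this.users.delete(id);
    }

    /**
     * Looks a user up by name, first in the user cache and then in the store.
     * A user found in the store is put into the cache.
     *
     * @param str the user name
     * @return the user, or {@code null} when no user has that name
     */
    @Override
    public HugeUser findUser(String str) {
        Id cacheKey = IdGenerator.of(str);
        HugeUser cached = this.usersCache.get(cacheKey);
        if (cached != null) {
            return cached;
        }
        // Ask for up to two matches so that a duplicate name is detectable.
        List<HugeUser> matches = this.users.query(HugeUser.P.NAME, str, 2L);
        if (matches.isEmpty()) {
            return null;
        }
        assert matches.size() == 1;
        HugeUser found = matches.get(0);
        this.usersCache.update(cacheKey, found);
        return found;
    }

    /** Returns the user with the given id, bypassing the user cache. */
    @Override
    public HugeUser getUser(Id id) {
        return this.users.get(id);
    }

    /** Returns the users with the given ids. */
    @Override
    public List<HugeUser> listUsers(List<Id> list) {
        return this.users.list(list);
    }

    /** Returns users, with {@code j} passed on as the limit argument. */
    @Override
    public List<HugeUser> listAllUsers(long j) {
        return this.users.list(j);
    }

    /** Clears the user cache and adds the group. */
    @Override
    public Id createGroup(HugeGroup hugeGroup) {
        invalidateUserCache();
        return this.groups.add(hugeGroup);
    }

    /** Clears the user cache and updates the group. */
    @Override
    public Id updateGroup(HugeGroup hugeGroup) {
        invalidateUserCache();
        return this.groups.update(hugeGroup);
    }

    /** Clears the user cache and deletes the group. */
    @Override
    public HugeGroup deleteGroup(Id id) {
        invalidateUserCache();
        return this.groups.delete(id);
    }

    /** Returns the group with the given id. */
    @Override
    public HugeGroup getGroup(Id id) {
        return this.groups.get(id);
    }

    /** Returns the groups with the given ids. */
    @Override
    public List<HugeGroup> listGroups(List<Id> list) {
        return this.groups.list(list);
    }

    /** Returns groups, with {@code j} passed on as the limit argument. */
    @Override
    public List<HugeGroup> listAllGroups(long j) {
        return this.groups.list(j);
    }

    /** Clears the user cache and adds the target. */
    @Override
    public Id createTarget(HugeTarget hugeTarget) {
        invalidateUserCache();
        return this.targets.add(hugeTarget);
    }

    /** Clears the user cache and updates the target. */
    @Override
    public Id updateTarget(HugeTarget hugeTarget) {
        invalidateUserCache();
        return this.targets.update(hugeTarget);
    }

    /** Clears the user cache and deletes the target. */
    @Override
    public HugeTarget deleteTarget(Id id) {
        invalidateUserCache();
        return this.targets.delete(id);
    }

    /** Returns the target with the given id. */
    @Override
    public HugeTarget getTarget(Id id) {
        return this.targets.get(id);
    }

    /** Returns the targets with the given ids. */
    @Override
    public List<HugeTarget> listTargets(List<Id> list) {
        return this.targets.list(list);
    }

    /** Returns targets, with {@code j} passed on as the limit argument. */
    @Override
    public List<HugeTarget> listAllTargets(long j) {
        return this.targets.list(j);
    }

    /**
     * Clears the user cache and links a user to a group, after checking that
     * both the user (source) and the group (target) exist.
     */
    @Override
    public Id createBelong(HugeBelong hugeBelong) {
        invalidateUserCache();
        E.checkArgument(this.users.exists(hugeBelong.source()), "Not exists user '%s'", hugeBelong.source());
        E.checkArgument(this.groups.exists(hugeBelong.target()), "Not exists group '%s'", hugeBelong.target());
        return this.belong.add(hugeBelong);
    }

    /** Clears the user cache and updates the belong relationship. */
    @Override
    public Id updateBelong(HugeBelong hugeBelong) {
        invalidateUserCache();
        return this.belong.update(hugeBelong);
    }

    /** Clears the user cache and deletes the belong relationship. */
    @Override
    public HugeBelong deleteBelong(Id id) {
        invalidateUserCache();
        return this.belong.delete(id);
    }

    /** Returns the belong relationship with the given id. */
    @Override
    public HugeBelong getBelong(Id id) {
        return this.belong.get(id);
    }

    /** Returns the belong relationships with the given ids. */
    @Override
    public List<HugeBelong> listBelong(List<Id> list) {
        return this.belong.list(list);
    }

    /** Returns belong relationships, with {@code j} passed on as the limit argument. */
    @Override
    public List<HugeBelong> listAllBelong(long j) {
        return this.belong.list(j);
    }

    /** Returns the belong relationships that start at the given user. */
    @Override
    public List<HugeBelong> listBelongByUser(Id id, long j) {
        return this.belong.list(id, Directions.OUT, HugeBelong.P.BELONG, j);
    }

    /** Returns the belong relationships that end at the given group. */
    @Override
    public List<HugeBelong> listBelongByGroup(Id id, long j) {
        return this.belong.list(id, Directions.IN, HugeBelong.P.BELONG, j);
    }

    /**
     * Clears the user cache and grants a group access to a target, after
     * checking that both the group (source) and the target exist.
     */
    @Override
    public Id createAccess(HugeAccess hugeAccess) {
        invalidateUserCache();
        E.checkArgument(this.groups.exists(hugeAccess.source()), "Not exists group '%s'", hugeAccess.source());
        E.checkArgument(this.targets.exists(hugeAccess.target()), "Not exists target '%s'", hugeAccess.target());
        return this.access.add(hugeAccess);
    }

    /** Clears the user cache and updates the access relationship. */
    @Override
    public Id updateAccess(HugeAccess hugeAccess) {
        invalidateUserCache();
        return this.access.update(hugeAccess);
    }

    /** Clears the user cache and deletes the access relationship. */
    @Override
    public HugeAccess deleteAccess(Id id) {
        invalidateUserCache();
        return this.access.delete(id);
    }

    /** Returns the access relationship with the given id. */
    @Override
    public HugeAccess getAccess(Id id) {
        return this.access.get(id);
    }

    /** Returns the access relationships with the given ids. */
    @Override
    public List<HugeAccess> listAccess(List<Id> list) {
        return this.access.list(list);
    }

    /** Returns access relationships, with {@code j} passed on as the limit argument. */
    @Override
    public List<HugeAccess> listAllAccess(long j) {
        return this.access.list(j);
    }

    /** Returns the access relationships that start at the given group. */
    @Override
    public List<HugeAccess> listAccessByGroup(Id id, long j) {
        return this.access.list(id, Directions.OUT, HugeAccess.P.ACCESS, j);
    }

    /** Returns the access relationships that end at the given target. */
    @Override
    public List<HugeAccess> listAccessByTarget(Id id, long j) {
        return this.access.list(id, Directions.IN, HugeAccess.P.ACCESS, j);
    }

    /**
     * Creates a project together with its supporting auth objects inside one
     * {@link #commit} call: an admin group and an op group (each only when the
     * project does not name one already), a target for the project resource,
     * WRITE and READ access for the admin group and READ access for the op
     * group.
     *
     * @param hugeProject the project to create; its name must not be empty
     * @return the result of adding the project
     */
    @Override
    public Id createProject(HugeProject hugeProject) {
        E.checkArgument(!StringUtils.isEmpty(hugeProject.name()), "The name of project can't be null or empty");
        Id projectId = commit(() -> {
            if (hugeProject.adminGroupId() == null) {
                HugeGroup adminGroup = new HugeGroup("admin_" + hugeProject.name());
                adminGroup.creator(hugeProject.creator());
                hugeProject.adminGroupId(createGroup(adminGroup));
            }
            if (hugeProject.opGroupId() == null) {
                HugeGroup opGroup = new HugeGroup("op_" + hugeProject.name());
                opGroup.creator(hugeProject.creator());
                hugeProject.opGroupId(createGroup(opGroup));
            }
            // NOTE(review): the address argument of the target is the fixed
            // string "localhost:8080" -- confirm it is only a placeholder.
            HugeTarget resourceTarget = new HugeTarget("project_res_" + hugeProject.name(), this.graph.name(), "localhost:8080", ImmutableList.of(new HugeResource(ResourceType.PROJECT, hugeProject.name(), null)));
            resourceTarget.creator(hugeProject.creator());
            Id targetId = this.targets.add(resourceTarget);
            hugeProject.targetId(targetId);
            Id adminGroupId = hugeProject.adminGroupId();
            Id opGroupId = hugeProject.opGroupId();
            HugeAccess adminWrite = new HugeAccess(adminGroupId, targetId, HugePermission.WRITE);
            adminWrite.creator(hugeProject.creator());
            HugeAccess adminRead = new HugeAccess(adminGroupId, targetId, HugePermission.READ);
            adminRead.creator(hugeProject.creator());
            HugeAccess opRead = new HugeAccess(opGroupId, targetId, HugePermission.READ);
            opRead.creator(hugeProject.creator());
            this.access.add(adminWrite);
            this.access.add(adminRead);
            this.access.add(opRead);
            return this.project.add(hugeProject);
        });
        // The accesses above were added through the manager directly, which
        // skips the cache reset createAccess() does. Members of groups that
        // existed before would otherwise keep their old cached permissions.
        invalidateUserCache();
        return projectId;
    }

    /**
     * Deletes a project and, with it, its admin group, op group and resource
     * target, inside one {@link #commit} call and under the project write
     * lock. A project that still has graphs bound to it is not deleted.
     *
     * @param id the project id
     * @return the deleted project
     * @throws ForbiddenException when graphs are still bound to the project
     */
    @Override
    public HugeProject deleteProject(Id id) {
        HugeProject deleted = commit(() -> {
            LockUtil.Locks locks = new LockUtil.Locks(this.graph.name());
            try {
                locks.lockWrites(LockUtil.PROJECT_UPDATE, id);
                if (!CollectionUtils.isEmpty(this.project.get(id).graphs())) {
                    throw new ForbiddenException(String.format("Can't delete project '%s' that contains any graph, there are graphs bound to it", id));
                }
                HugeProject removed = this.project.delete(id);
                E.checkArgumentNotNull(removed, "Failed to delete the project '%s'", id);
                E.checkArgumentNotNull(removed.adminGroupId(), "Failed to delete the project '%s',the admin group of project can't be null", id);
                E.checkArgumentNotNull(removed.opGroupId(), "Failed to delete the project '%s',the op group of project can't be null", id);
                E.checkArgumentNotNull(removed.targetId(), "Failed to delete the project '%s', the target resource of project can't be null", id);
                this.groups.delete(removed.adminGroupId());
                this.groups.delete(removed.opGroupId());
                this.targets.delete(removed.targetId());
                return removed;
            } finally {
                // The lock is released here, i.e. before commit() commits the
                // system transaction.
                locks.unlock();
            }
        });
        // Groups and target were removed through the managers directly, which
        // skips the cache reset deleteGroup()/deleteTarget() do. Without it,
        // cached users keep the permissions of the deleted project.
        invalidateUserCache();
        return deleted;
    }

    /** Updates the project; the user cache is left untouched. */
    @Override
    public Id updateProject(HugeProject hugeProject) {
        return this.project.update(hugeProject);
    }

    /**
     * Binds graphs to a project under the project write lock.
     *
     * @param id  the project id; must not be null
     * @param set names of the graphs to add; must not be empty
     * @return {@code id} when every graph was bound already, otherwise the
     *         result of updating the project
     */
    @Override
    public Id projectAddGraphs(Id id, Set<String> set) {
        E.checkArgumentNotNull(id, "Failed to add graphs, the project id parameter can't be null");
        E.checkArgument(!CollectionUtils.isEmpty(set), "Failed to add graphs to project '%s', the graphs parameter can't be empty", id);
        LockUtil.Locks locks = new LockUtil.Locks(this.graph.name());
        try {
            locks.lockWrites(LockUtil.PROJECT_UPDATE, id);
            HugeProject target = this.project.get(id);
            Set<String> graphs = new HashSet<>(target.graphs());
            if (!graphs.addAll(set)) {
                // Nothing new: skip the write.
                return id;
            }
            target.graphs(graphs);
            return this.project.update(target);
        } finally {
            // Single release point for every exit path.
            locks.unlock();
        }
    }

    /**
     * Unbinds graphs from a project under the project write lock.
     *
     * @param id  the project id; must not be null
     * @param set names of the graphs to remove; must not be empty
     * @return {@code id} when none of the graphs was bound, otherwise the
     *         result of updating the project
     */
    @Override
    public Id projectRemoveGraphs(Id id, Set<String> set) {
        E.checkArgumentNotNull(id, "Failed to remove graphs, the project id parameter can't be null");
        E.checkArgument(!CollectionUtils.isEmpty(set), "Failed to delete graphs from the project '%s', the graphs parameter can't be null or empty", id);
        LockUtil.Locks locks = new LockUtil.Locks(this.graph.name());
        try {
            locks.lockWrites(LockUtil.PROJECT_UPDATE, id);
            HugeProject target = this.project.get(id);
            Set<String> graphs = new HashSet<>(target.graphs());
            if (!graphs.removeAll(set)) {
                // Nothing removed: skip the write.
                return id;
            }
            target.graphs(graphs);
            return this.project.update(target);
        } finally {
            // Single release point for every exit path.
            locks.unlock();
        }
    }

    /** Returns the project with the given id. */
    @Override
    public HugeProject getProject(Id id) {
        return this.project.get(id);
    }

    /** Returns projects, with {@code j} passed on as the limit argument. */
    @Override
    public List<HugeProject> listAllProject(long j) {
        return this.project.list(j);
    }

    /**
     * Checks a user name and password.
     *
     * <p>The password is first compared with the value in the password cache;
     * only on a miss is it checked with {@code StringEncoding.checkPassword}
     * against the stored password, and a password that passes is then cached.
     *
     * @param str  the user name; must not be null
     * @param str2 the password as supplied by the client; must not be null
     * @return the user when the password matches, otherwise {@code null}
     */
    @Override
    public HugeUser matchUser(String str, String str2) {
        E.checkArgumentNotNull(str, "User name can't be null");
        E.checkArgumentNotNull(str2, "User password can't be null");
        HugeUser user = findUser(str);
        if (user == null) {
            // NOTE(review): an unknown name returns before any password
            // check runs, so response time may differ from a known name.
            return null;
        }
        // NOTE(review): pwdCache keeps the clear-text password for the cache
        // lifetime and is compared with String.equals; a keyed digest of the
        // password would avoid holding the secret itself in memory.
        if (str2.equals(this.pwdCache.get(user.id()))) {
            return user;
        }
        if (!StringEncoding.checkPassword(str2, user.password())) {
            return null;
        }
        this.pwdCache.update(user.id(), str2);
        return user;
    }

    /**
     * Computes the role permission of an auth element: a user, a target, a
     * belong (via its group), a group, or a single access.
     *
     * @param authElement the element to evaluate
     * @return the resulting permissions
     */
    @Override
    public RolePermission rolePermission(SchemaDefine.AuthElement authElement) {
        if (authElement instanceof HugeUser) {
            return rolePermission((HugeUser) authElement);
        }
        if (authElement instanceof HugeTarget) {
            return rolePermission((HugeTarget) authElement);
        }
        List<HugeAccess> accesses = new ArrayList<>();
        if (authElement instanceof HugeBelong) {
            accesses.addAll(listAccessByGroup(((HugeBelong) authElement).target(), -1L));
        } else if (authElement instanceof HugeGroup) {
            accesses.addAll(listAccessByGroup(((HugeGroup) authElement).id(), -1L));
        } else if (authElement instanceof HugeAccess) {
            accesses.add((HugeAccess) authElement);
        } else {
            E.checkArgument(false, "Invalid type for role permission: %s", authElement);
        }
        return rolePermission(accesses);
    }

    /**
     * Returns the role already stored on the user, or collects the accesses of
     * every group the user belongs to, builds the role and stores it on the
     * user object.
     */
    private RolePermission rolePermission(HugeUser user) {
        if (user.role() != null) {
            // Stored on the (possibly cached) user object: stays in effect
            // until the user cache is cleared or the entry expires.
            return user.role();
        }
        List<HugeAccess> accesses = new ArrayList<>();
        for (HugeBelong membership : listBelongByUser(user.id(), -1L)) {
            accesses.addAll(listAccessByGroup(membership.target(), -1L));
        }
        RolePermission role = rolePermission(accesses);
        user.role(role);
        return role;
    }

    /**
     * Builds a role from a list of accesses: one entry per access, made of
     * the target's graph, the access permission and the target's resources.
     */
    private RolePermission rolePermission(List<HugeAccess> accesses) {
        RolePermission role = new RolePermission();
        for (HugeAccess granted : accesses) {
            HugePermission permission = granted.permission();
            HugeTarget target = getTarget(granted.target());
            role.add(target.graph(), permission, target.resources());
        }
        return role;
    }

    /** Builds a role that holds READ on the target's graph and resources. */
    private RolePermission rolePermission(HugeTarget target) {
        RolePermission role = new RolePermission();
        role.add(target.graph(), HugePermission.READ, target.resources());
        return role;
    }

    /**
     * Authenticates a user and issues a token that carries the user name and
     * user id. The token is also put into the token cache.
     *
     * @param str  the user name
     * @param str2 the password
     * @return the new token
     * @throws AuthenticationException when name or password do not match
     */
    @Override
    public String loginUser(String str, String str2) throws AuthenticationException {
        HugeUser user = matchUser(str, str2);
        if (user == null) {
            throw new AuthenticationException("Incorrect username or password");
        }
        String token = this.tokenGenerator.create(ImmutableMap.of(AuthConstant.TOKEN_USER_NAME, str, AuthConstant.TOKEN_USER_ID, user.id.asString()), this.tokenExpire);
        this.tokenCache.update(IdGenerator.of(token), str);
        return token;
    }

    /**
     * Removes the token from the token cache.
     *
     * @param str the token
     */
    @Override
    public void logoutUser(String str) {
        // NOTE(review): removal from the cache is the only effect here; a
        // token that tokenGenerator.verify() still accepts is cached again by
        // validateUser(String) -- confirm whether logout should revoke it.
        this.tokenCache.invalidate(IdGenerator.of(str));
    }

    /**
     * Validates a user name and password.
     *
     * @param str  the user name
     * @param str2 the password
     * @return the user with its role, or a {@link UserWithRole} built from the
     *         name alone when the credentials do not match
     */
    @Override
    public UserWithRole validateUser(String str, String str2) {
        HugeUser user = matchUser(str, str2);
        if (user == null) {
            return new UserWithRole(str);
        }
        return new UserWithRole(user.id, str, rolePermission(user));
    }

    /**
     * Validates a token. A token found in the token cache is accepted without
     * being verified again; otherwise it is verified by the token generator
     * and, if its user still exists, cached.
     *
     * @param str the token
     * @return the user with its role; a {@link UserWithRole} built from an
     *         empty name when verification fails, or from the name alone when
     *         the user no longer exists
     */
    @Override
    public UserWithRole validateUser(String str) {
        String username = this.tokenCache.get(IdGenerator.of(str));
        Claims claims = null;
        boolean verifiedNow = false;
        if (username == null) {
            try {
                claims = this.tokenGenerator.verify(str);
                username = (String) claims.get(AuthConstant.TOKEN_USER_NAME);
                verifiedNow = true;
            } catch (Throwable th) {
                // The token itself is kept out of the log: a rejected token
                // can still be a usable credential (e.g. when verify() failed
                // for a reason other than the token being invalid).
                LOG.error("Failed to verify token, cause:", th);
                return new UserWithRole("");
            }
        }
        HugeUser user = findUser(username);
        if (user == null) {
            return new UserWithRole(username);
        }
        if (verifiedNow) {
            // The third argument is derived from the token's remaining
            // lifetime and the cache expiry; presumably it keeps the cache
            // entry from outliving the token -- TODO confirm in Cache.update.
            this.tokenCache.update(IdGenerator.of(str), username, Math.negateExact(this.tokenCache.expire() - (claims.getExpiration().getTime() - System.currentTimeMillis())));
        }
        return new UserWithRole(user.id(), username, rolePermission(user));
    }

    /**
     * Returns the IP white list.
     *
     * <p>NOTE(review): this is the internal set itself, so a caller that
     * modifies it changes the white list in place.
     */
    @Override
    public Set<String> listWhiteIPs() {
        return this.ipWhiteList;
    }

    /**
     * Replaces the IP white list with the given set.
     *
     * <p>NOTE(review): the set is stored as passed (no copy, no null check);
     * later changes the caller makes to it are visible here.
     */
    @Override
    public void setWhiteIPs(Set<String> set) {
        this.ipWhiteList = set;
    }

    /** Returns whether the IP white list is enabled. */
    @Override
    public boolean getWhiteIpStatus() {
        return this.ipWhiteListEnabled.booleanValue();
    }

    /** Enables or disables the IP white list. */
    @Override
    public void enabledWhiteIpList(boolean z) {
        this.ipWhiteListEnabled = Boolean.valueOf(z);
    }

    /** Returns whether the given manager is a {@code StandardAuthManager}. */
    public static boolean isLocal(AuthManager authManager) {
        return authManager instanceof StandardAuthManager;
    }

    /**
     * Runs {@code callable} with auto-commit switched off on all six managers
     * and commits the graph's system transaction afterwards. On any failure
     * auto-commit is switched back on, the transaction is rolled back and the
     * failure is rethrown as a {@link HugeException}.
     *
     * <p>NOTE(review): auto-commit is switched back on only on the failure
     * path -- confirm whether it should also be restored after a successful
     * commit.
     *
     * @param callable the work to run inside the transaction
     * @return whatever {@code callable} returns
     * @throws HugeException when the work, or the commit, fails
     */
    public <R> R commit(Callable<R> callable) {
        setAutoCommit(false);
        try {
            R result = callable.call();
            this.graph.systemTransaction().commit();
            return result;
        } catch (Throwable th) {
            setAutoCommit(true);
            try {
                this.graph.systemTransaction().rollback();
            } catch (Throwable rollbackFailure) {
                // Logged only, so that the original failure is the one thrown.
                LOG.error("Failed to rollback transaction: {}", rollbackFailure.getMessage(), rollbackFailure);
            }
            if (th instanceof HugeException) {
                throw ((HugeException) th);
            }
            throw new HugeException("Failed to commit transaction: %s", th.getMessage(), th);
        }
    }

    /** Sets the auto-commit flag on all six entity and relationship managers. */
    private void setAutoCommit(boolean enabled) {
        this.groups.autoCommit(enabled);
        this.access.autoCommit(enabled);
        this.targets.autoCommit(enabled);
        this.project.autoCommit(enabled);
        this.belong.autoCommit(enabled);
        this.users.autoCommit(enabled);
    }
}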
