package org.apache.geode.internal.security;

import java.io.IOException;
import java.security.AccessController;
import java.util.Properties;
import java.util.Set;
import java.util.concurrent.Callable;
import org.apache.commons.lang.SerializationException;
import org.apache.commons.lang.StringUtils;
import org.apache.geode.GemFireIOException;
import org.apache.geode.internal.cache.EntryEventImpl;
import org.apache.geode.internal.logging.LogService;
import org.apache.geode.internal.security.shiro.GeodeAuthenticationToken;
import org.apache.geode.internal.security.shiro.SecurityManagerProvider;
import org.apache.geode.internal.security.shiro.ShiroPrincipal;
import org.apache.geode.internal.util.BlobHelper;
import org.apache.geode.security.AuthenticationFailedException;
import org.apache.geode.security.AuthenticationRequiredException;
import org.apache.geode.security.GemFireSecurityException;
import org.apache.geode.security.NotAuthorizedException;
import org.apache.geode.security.PostProcessor;
import org.apache.geode.security.ResourcePermission;
import org.apache.geode.security.SecurityManager;
import org.apache.logging.log4j.Logger;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.ShiroException;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.subject.support.SubjectThreadState;
import org.apache.shiro.util.ThreadContext;
import org.apache.shiro.util.ThreadState;

/* loaded from: input_file:org/apache/geode/internal/security/IntegratedSecurityService.class */
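/**
 * {@link SecurityService} implementation that delegates authentication and authorization to
 * Apache Shiro.
 *
 * <p>Constructing an instance installs the provider's Shiro security manager through
 * {@link SecurityUtils#setSecurityManager}, which is static state shared by the whole JVM;
 * {@link #close()} clears it again. Subjects are tracked per thread through Shiro's
 * {@link ThreadContext}, so every bind performed here must eventually be matched by an unbind
 * or the identity stays attached to the thread.
 *
 * <p>This source was recovered by a decompiler: parameter names such as {@code str} and
 * {@code obj2} are not the original ones.
 */
public class IntegratedSecurityService implements SecurityService {
    private static final Logger logger = LogService.getLogger(LogService.SECURITY_LOGGER_NAME);

    /** Session attribute under which {@link #login(Properties)} stores the credential properties. */
    public static final String CREDENTIALS_SESSION_ATTRIBUTE = "credentials";

    private final PostProcessor postProcessor;
    private final SecurityManager securityManager;

    /**
     * Installs the provider's Shiro security manager and keeps the Geode security manager and
     * the optional post processor for later use.
     *
     * @param securityManagerProvider source of both the Shiro and the Geode security manager
     * @param postProcessor value post processor, or {@code null} when none is configured
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public IntegratedSecurityService(SecurityManagerProvider securityManagerProvider, PostProcessor postProcessor) {
        // This check only runs with assertions enabled (-ea); without them a null Shiro manager
        // is installed as-is.
        assert securityManagerProvider.getShiroSecurityManager() != null;
        SecurityUtils.setSecurityManager(securityManagerProvider.getShiroSecurityManager());
        this.securityManager = securityManagerProvider.getSecurityManager();
        this.postProcessor = postProcessor;
    }

    /** Returns the configured post processor, or {@code null} when there is none. */
    @Override
    public PostProcessor getPostProcessor() {
        return this.postProcessor;
    }

    /** Returns the Geode security manager obtained from the provider at construction time. */
    @Override
    public SecurityManager getSecurityManager() {
        return this.securityManager;
    }

    /**
     * Resolves the Shiro subject for the current call.
     *
     * <p>A {@link ShiroPrincipal} found on the JAAS subject of the current access-control
     * context wins; its Shiro subject is bound to the calling thread and returned. Otherwise the
     * subject already associated with the thread is used.
     *
     * @return an authenticated subject, never {@code null}
     * @throws AuthenticationRequiredException if the fallback subject is missing or has no
     *         principal
     */
    @Override
    public Subject getSubject() {
        javax.security.auth.Subject jaasSubject = javax.security.auth.Subject.getSubject(AccessController.getContext());
        if (jaasSubject != null) {
            Set<ShiroPrincipal> principals = jaasSubject.getPrincipals(ShiroPrincipal.class);
            if (!principals.isEmpty()) {
                Subject fromJaas = principals.iterator().next().getSubject();
                // The binding is not undone here; it stays on this thread until something calls
                // ThreadContext.remove() or restores a previous ThreadState.
                ThreadContext.bind(fromJaas);
                return fromJaas;
            }
        }
        Subject threadSubject = SecurityUtils.getSubject();
        if (threadSubject == null || threadSubject.getPrincipal() == null) {
            throw new AuthenticationRequiredException("Failed to find the authenticated user.");
        }
        return threadSubject;
    }

    /**
     * Authenticates the given credentials and returns the resulting subject.
     *
     * <p>Any Shiro state already on the calling thread is discarded first, so the login starts
     * from a fresh subject rather than re-using a previous identity.
     *
     * @param properties credential properties wrapped into a {@link GeodeAuthenticationToken}
     * @return the logged-in subject
     * @throws AuthenticationRequiredException if {@code properties} is {@code null}
     * @throws AuthenticationFailedException if Shiro rejects the login; the message is
     *         deliberately generic and the Shiro exception is kept as the cause
     */
    @Override
    public Subject login(Properties properties) {
        if (properties == null) {
            throw new AuthenticationRequiredException("credentials are null");
        }
        ThreadContext.remove();
        Subject subject = SecurityUtils.getSubject();
        GeodeAuthenticationToken token = new GeodeAuthenticationToken(properties);
        try {
            // NOTE(review): the principal presumably comes straight from the caller-supplied
            // properties; confirm the security log layout neutralises line breaks in it.
            logger.debug("Logging in {}", token.getPrincipal());
            subject.login(token);
            // NOTE(review): the complete credential properties (whatever the caller sent,
            // possibly including a password) are kept in the session for its lifetime. Confirm
            // the session store is never serialized, logged or exposed to other principals.
            subject.getSession().setAttribute(CREDENTIALS_SESSION_ATTRIBUTE, properties);
            return subject;
        } catch (ShiroException e) {
            logger.info("error logging in: {}", token.getPrincipal());
            throw new AuthenticationFailedException("Authentication error. Please check your credentials.", e);
        }
    }

    /**
     * Logs out the current subject and clears Shiro's thread-local state.
     *
     * @throws AuthenticationRequiredException if no authenticated subject can be found
     * @throws GemFireSecurityException if Shiro fails to log the subject out
     */
    @Override
    public void logout() {
        Subject subject = getSubject();
        try {
            logger.debug("Logging out {}", subject.getPrincipal());
            subject.logout();
        } catch (ShiroException e) {
            logger.info("error logging out: {}", subject.getPrincipal());
            throw new GemFireSecurityException(e.getMessage(), e);
        } finally {
            // Clear the thread-local state even when logout() throws; previously a failed logout
            // left the subject attached to the calling thread.
            ThreadContext.remove();
        }
    }

    /**
     * Wraps {@code callable} so that it runs as the current subject.
     *
     * @throws AuthenticationRequiredException if no authenticated subject can be found
     */
    @Override
    public Callable associateWith(Callable callable) {
        return getSubject().associateWith(callable);
    }

    /**
     * Binds {@code subject} to the calling thread.
     *
     * @return the thread state that performed the binding; the caller is responsible for
     *         restoring or clearing it when the work is done
     * @throws AuthenticationRequiredException if {@code subject} is {@code null}
     */
    @Override
    public ThreadState bindSubject(Subject subject) {
        if (subject == null) {
            throw new AuthenticationRequiredException("Failed to find the authenticated user.");
        }
        SubjectThreadState threadState = new SubjectThreadState(subject);
        threadState.bind();
        return threadState;
    }

    /** Authorizes {@code resource:operation} against every target and every key. */
    @Override
    public void authorize(ResourcePermission.Resource resource, ResourcePermission.Operation operation) {
        authorize(resource, operation, ResourcePermission.Target.ALL, ResourcePermission.ALL);
    }

    /** Authorizes {@code resource:operation:target} against every key. */
    @Override
    public void authorize(ResourcePermission.Resource resource, ResourcePermission.Operation operation, ResourcePermission.Target target) {
        authorize(resource, operation, target, ResourcePermission.ALL);
    }

    /** Authorizes {@code resource:operation} on the target named by {@code str}, for every key. */
    @Override
    public void authorize(ResourcePermission.Resource resource, ResourcePermission.Operation operation, String str) {
        authorize(resource, operation, str, ResourcePermission.ALL);
    }

    /** Authorizes {@code resource:operation:target} for the key given in {@code str}. */
    @Override
    public void authorize(ResourcePermission.Resource resource, ResourcePermission.Operation operation, ResourcePermission.Target target, String str) {
        authorize(new ResourcePermission(resource, operation, target, str));
    }

    /** Authorizes {@code resource:operation} on target {@code str} for key {@code str2}. */
    @Override
    public void authorize(ResourcePermission.Resource resource, ResourcePermission.Operation operation, String str, String str2) {
        authorize(new ResourcePermission(resource, operation, str, str2));
    }

    /**
     * Checks that the current subject holds {@code resourcePermission}.
     *
     * <p>A {@code null} permission, or one whose resource and operation are both {@code NULL},
     * is treated as "nothing to check" and returns without consulting Shiro. Callers must
     * therefore never pass {@code null} to mean "deny".
     *
     * @throws AuthenticationRequiredException if no authenticated subject can be found
     * @throws NotAuthorizedException if the subject lacks the permission; the message names the
     *         principal and the permission and is also written to the security log
     */
    @Override
    public void authorize(ResourcePermission resourcePermission) {
        if (resourcePermission == null) {
            return;
        }
        boolean nothingToCheck = resourcePermission.getResource() == ResourcePermission.Resource.NULL
                && resourcePermission.getOperation() == ResourcePermission.Operation.NULL;
        if (nothingToCheck) {
            return;
        }
        Subject subject = getSubject();
        try {
            subject.checkPermission(resourcePermission);
        } catch (ShiroException e) {
            String message = subject.getPrincipal() + " not authorized for " + resourcePermission;
            logger.info("NotAuthorizedException: {}", message);
            throw new NotAuthorizedException(message, (Throwable) e);
        }
    }

    /**
     * Closes the security manager and the post processor, then clears the calling thread's Shiro
     * state and uninstalls the static Shiro security manager.
     *
     * <p>The cleanup steps are chained with {@code finally} so that a failure while closing one
     * component cannot leave the Shiro security manager installed. If more than one step
     * throws, the last exception is the one that propagates.
     */
    @Override
    public void close() {
        try {
            if (this.securityManager != null) {
                this.securityManager.close();
            }
        } finally {
            try {
                if (this.postProcessor != null) {
                    this.postProcessor.close();
                }
            } finally {
                ThreadContext.remove();
                SecurityUtils.setSecurityManager((org.apache.shiro.mgt.SecurityManager) null);
            }
        }
    }

    /** Returns {@code true} when a post processor is configured. */
    @Override
    public boolean needPostProcess() {
        return this.postProcessor != null;
    }

    /**
     * Post-processes a value on behalf of the current subject's principal.
     *
     * @see #postProcess(Object, String, Object, Object, boolean)
     */
    @Override
    public Object postProcess(String str, Object obj, Object obj2, boolean z) {
        return postProcess(null, str, obj, obj2, z);
    }

    /**
     * Runs the configured {@link PostProcessor} over a value before it is handed back.
     *
     * @param obj principal to process for; when {@code null} the current subject's principal is
     *        used
     * @param str region path; leading {@code '/'} characters are stripped before it is passed on
     * @param obj2 passed through as the third argument of {@code processRegionValue}
     *        (presumably the entry key)
     * @param obj3 the value to process
     * @param z when {@code true} and {@code obj3} is a {@code byte[]}, the bytes are deserialized
     *        before processing and the result is serialized again
     * @return {@code obj3} unchanged when no post processor is configured, otherwise the
     *         processed value
     * @throws GemFireIOException if deserializing or re-serializing the value fails
     */
    @Override
    public Object postProcess(Object obj, String str, Object obj2, Object obj3, boolean z) {
        if (!needPostProcess()) {
            return obj3;
        }
        Object principal = (obj != null) ? obj : getSubject().getPrincipal();
        String regionPath = StringUtils.stripStart(str, "/");
        if (!z || !(obj3 instanceof byte[])) {
            return this.postProcessor.processRegionValue(principal, regionPath, obj2, obj3);
        }
        try {
            // NOTE(review): this deserializes stored bytes; any deserialization filtering has to
            // happen inside EntryEventImpl.deserialize, which is not visible from here.
            Object value = EntryEventImpl.deserialize((byte[]) obj3);
            Object processed = this.postProcessor.processRegionValue(principal, regionPath, obj2, value);
            return BlobHelper.serializeToBlob(processed);
        } catch (IOException | SerializationException e) {
            throw new GemFireIOException("Exception de/serializing entry value", e);
        }
    }

    /** Always {@code true}: this implementation is the integrated-security one. */
    @Override
    public boolean isIntegratedSecurity() {
        return true;
    }

    /** Always {@code true}: clients must authenticate. */
    @Override
    public boolean isClientSecurityRequired() {
        return true;
    }

    /** Always {@code true}: peers must authenticate. */
    @Override
    public boolean isPeerSecurityRequired() {
        return true;
    }
}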
