package org.apache.causeway.security.shiro.authentication;

import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.stream.Stream;
import javax.annotation.Priority;
import javax.inject.Inject;
import javax.inject.Named;
import org.apache.causeway.applib.services.iactnlayer.InteractionContext;
import org.apache.causeway.applib.services.user.UserMemento;
import org.apache.causeway.commons.internal.collections._Sets;
import org.apache.causeway.core.config.CausewayConfiguration;
import org.apache.causeway.core.security.authentication.AuthenticationRequest;
import org.apache.causeway.core.security.authentication.AuthenticationRequestPassword;
import org.apache.causeway.core.security.authentication.Authenticator;
import org.apache.causeway.security.shiro.context.ShiroSecurityContext;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.CredentialsException;
import org.apache.shiro.authc.ExcessiveAttemptsException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.mgt.RealmSecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.stereotype.Service;

@Service
@Named("causeway.security.AuthenticatorShiro")
@Priority(536870911)
@Qualifier("Shiro")
/* loaded from: input_file:org/apache/causeway/security/shiro/authentication/AuthenticatorShiro.class */
public class AuthenticatorShiro implements Authenticator {
    private static final Logger log = LogManager.getLogger(AuthenticatorShiro.class);
    private final CausewayConfiguration configuration;
    private final boolean autoLogout;

    @Inject
    public AuthenticatorShiro(CausewayConfiguration causewayConfiguration) {
        this.configuration = causewayConfiguration;
        this.autoLogout = this.configuration.getSecurity().getShiro().isAutoLogoutIfAlreadyAuthenticated();
    }

    public final boolean canAuthenticate(Class<? extends AuthenticationRequest> cls) {
        if (getSecurityManager() == null) {
            return false;
        }
        return AuthenticationRequestPassword.class.isAssignableFrom(cls);
    }

    public InteractionContext authenticate(AuthenticationRequest authenticationRequest, String str) {
        if (getSecurityManager() == null) {
            return null;
        }
        AuthenticationToken asAuthenticationToken = asAuthenticationToken(authenticationRequest);
        Subject subject = SecurityUtils.getSubject();
        if (subject.isAuthenticated()) {
            if (!this.autoLogout) {
                return authenticationFor(authenticationRequest, str, asAuthenticationToken, subject);
            }
            subject.logout();
        }
        try {
            subject.login(asAuthenticationToken);
            return authenticationFor(authenticationRequest, str, asAuthenticationToken, subject);
        } catch (AuthenticationException e) {
            log.error("Unable to authenticate", e);
            return null;
        } catch (IncorrectCredentialsException e2) {
            log.info("Incorrect credentials for user: {}", authenticationRequest.getName());
            return null;
        } catch (LockedAccountException e3) {
            log.info("Locked account for user: {}", authenticationRequest.getName());
            return null;
        } catch (CredentialsException e4) {
            log.info("Unable to authenticate", e4);
            return null;
        } catch (ExcessiveAttemptsException e5) {
            log.info("Excessive attempts for user: {}", authenticationRequest.getName());
            return null;
        } catch (UnknownAccountException e6) {
            log.info("Unknown account: {}", authenticationRequest.getName());
            return null;
        }
    }

    public void logout() {
        Subject subject = SecurityUtils.getSubject();
        if (subject.isAuthenticated()) {
            subject.logout();
        }
    }

    InteractionContext authenticationFor(AuthenticationRequest authenticationRequest, String str, AuthenticationToken authenticationToken, Subject subject) {
        return InteractionContext.ofUserWithSystemDefaults(UserMemento.ofNameAndRoleNames(authenticationRequest.getName(), Stream.concat(streamRoles(subject, authenticationToken), authenticationRequest.streamRoles())).withAuthenticationCode(str));
    }

    protected Stream<String> streamRoles(Subject subject, AuthenticationToken authenticationToken) {
        HashSet newHashSet = _Sets.newHashSet();
        RealmSecurityManager securityManager = getSecurityManager();
        if (securityManager == null) {
            return Stream.empty();
        }
        Set<String> realmNamesOf = realmNamesOf(subject);
        for (Realm realm : securityManager.getRealms()) {
            if (realmNamesOf.contains(realm.getName())) {
                AuthorizationInfo authenticationInfo = realm.getAuthenticationInfo(authenticationToken);
                if (authenticationInfo instanceof AuthorizationInfo) {
                    Iterator it = authenticationInfo.getRoles().iterator();
                    while (it.hasNext()) {
                        newHashSet.add(realm.getName() + ":" + ((String) it.next()));
                    }
                }
            }
        }
        return newHashSet.stream();
    }

    private static Set<String> realmNamesOf(Subject subject) {
        PrincipalCollection principals = subject.getPrincipals();
        return principals != null ? principals.getRealmNames() : Collections.emptySet();
    }

    private static AuthenticationToken asAuthenticationToken(AuthenticationRequest authenticationRequest) {
        AuthenticationRequestPassword authenticationRequestPassword = (AuthenticationRequestPassword) authenticationRequest;
        return new UsernamePasswordToken(authenticationRequestPassword.getName(), authenticationRequestPassword.getPassword());
    }

    protected RealmSecurityManager getSecurityManager() {
        return ShiroSecurityContext.getSecurityManager();
    }
}
