package org.apache.isis.extensions.secman.delegated.shiro.realm;

import java.util.concurrent.Callable;
import java.util.function.Supplier;
import javax.inject.Inject;
import org.apache.isis.applib.services.iactnlayer.InteractionService;
import org.apache.isis.applib.services.inject.ServiceInjector;
import org.apache.isis.commons.internal.assertions._Assert;
import org.apache.isis.commons.internal.base._NullSafe;
import org.apache.isis.commons.internal.collections._Arrays;
import org.apache.isis.core.config.IsisConfiguration;
import org.apache.isis.extensions.secman.applib.user.dom.AccountType;
import org.apache.isis.extensions.secman.applib.user.dom.ApplicationUser;
import org.apache.isis.extensions.secman.applib.user.dom.ApplicationUserRepository;
import org.apache.isis.extensions.secman.delegated.shiro.util.ShiroUtils;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.CredentialsException;
import org.apache.shiro.authc.DisabledAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.transaction.PlatformTransactionManager;
import org.springframework.transaction.support.TransactionTemplate;

/* loaded from: input_file:org/apache/isis/extensions/secman/delegated/shiro/realm/IsisModuleExtSecmanShiroRealm.class */
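/**
 * Shiro realm backed by secman's {@code ApplicationUserRepository}.
 *
 * <p>Authentication: LOCAL accounts are checked against their stored password hash via the
 * {@code PasswordEncoder} qualified {@code "secman"}; DELEGATED accounts are passed to the optional
 * {@link #setDelegateAuthenticationRealm(AuthenticatingRealm) delegate realm}. Unknown usernames may be
 * auto-created after the delegate realm accepts them (see {@link #setAutoCreateUser(boolean)}).
 *
 * <p>Authorization: the {@code PrincipalForApplicationUser} stored in the principal collection is
 * returned directly as the {@link AuthorizationInfo} (it is cast, so it presumably implements that
 * interface; not visible from this file).
 *
 * <p>All repository and encoder work runs in an anonymous interaction inside a transaction
 * (see {@link #execute(Supplier)}), because Shiro calls this realm outside any Isis interaction.
 */
public class IsisModuleExtSecmanShiroRealm extends AuthorizingRealm {

    /**
     * Config key for the delegated-user unlock policy. Not read by this class; the same key is
     * spelled out literally in the assertion message in {@link #doGetAuthenticationInfo}.
     */
    private static final String SECMAN_UNLOCK_DELEGATED_USERS = "isis.ext.secman.unlockDelegatedUsers";

    @Inject
    protected ServiceInjector serviceInjector;

    @Inject
    protected InteractionService interactionService;

    @Inject
    protected PlatformTransactionManager txMan;

    @Inject
    protected IsisConfiguration config;

    /** Second realm (e.g. LDAP) consulted for DELEGATED accounts and for auto-creation; may be null. */
    private AuthenticatingRealm delegateAuthenticationRealm;

    /** Whether an unknown username that the delegate realm accepts gets a local record created. */
    private boolean autoCreateUser = true;

    /** Outcome of comparing a presented password against a stored hash. */
    public enum CheckPasswordResult {
        OK,
        BAD_PASSWORD,
        /** No {@code PasswordEncoder} qualified {@code "secman"} is available in the context. */
        NO_PASSWORD_ENCRYPTION_SERVICE_CONFIGURED
    }

    public IsisModuleExtSecmanShiroRealm() {
        setPermissionResolver(new PermissionResolverForIsisShiroAuthorizor());
    }

    /**
     * Authenticates a {@link UsernamePasswordToken}.
     *
     * <p>Order of checks: (1) short-circuit if the current subject is already authenticated as this
     * username in a single-realm setup; (2) look the user up; (3) if unknown and auto-creation is
     * possible, let the delegate realm verify the credentials, create the local record, and reject
     * with {@link DisabledAccountException} unless the policy is AUTO_CREATE_AS_UNLOCKED;
     * (4) reject locked accounts; (5) verify credentials by account type.
     *
     * <p>NOTE(review): a locked account is reported as {@link DisabledAccountException} before the
     * password is checked, and an unknown user skips the encoder entirely, so the response type and
     * timing distinguish "unknown" / "locked" / "wrong password" to a caller — confirm this is acceptable
     * for the deployment's threat model.
     *
     * @param authenticationToken must be a {@link UsernamePasswordToken}
     * @return authentication info wrapping the secman principal
     * @throws AuthenticationException for a wrong token type or a missing password encoder
     * @throws CredentialsException for an unknown user, a wrong password, or delegate rejection
     * @throws DisabledAccountException for a locked account (including a freshly auto-created one)
     */
    protected AuthenticationInfo doGetAuthenticationInfo(final AuthenticationToken authenticationToken) throws AuthenticationException {
        if (!(authenticationToken instanceof UsernamePasswordToken)) {
            throw new AuthenticationException();
        }
        final UsernamePasswordToken usernamePasswordToken = (UsernamePasswordToken) authenticationToken;
        final String username = usernamePasswordToken.getUsername();
        // Kept in a local so the LOCAL-account branch below can hand it to checkPassword.
        final char[] password = usernamePasswordToken.getPassword();

        final PrincipalForApplicationUser alreadyAuthenticated =
                getPrincipal_fromAlreadyAuthenticatedSubjectIfApplicable(authenticationToken);
        if (alreadyAuthenticated != null) {
            return AuthInfoForApplicationUser.of(alreadyAuthenticated, getName(), authenticationToken.getCredentials());
        }

        PrincipalForApplicationUser principal = lookupPrincipal_inApplicationUserRepository(username);
        final boolean canAutoCreate = hasDelegateAuthenticationRealm() && isAutoCreateUser();
        if (principal == null && canAutoCreate) {
            // The local record is only created after the delegate realm has vouched for the credentials.
            authenticateElseThrow_usingDelegatedMechanism(authenticationToken);
            final PrincipalForApplicationUser created = createPrincipal_inApplicationUserRepository(username);
            _Assert.assertNotNull(created);
            final IsisConfiguration.Extensions.Secman.DelegatedUsers.AutoCreatePolicy policy =
                    this.config.getExtensions().getSecman().getDelegatedUsers().getAutoCreatePolicy();
            if (policy != IsisConfiguration.Extensions.Secman.DelegatedUsers.AutoCreatePolicy.AUTO_CREATE_AS_UNLOCKED) {
                _Assert.assertTrue(created.isLocked(), "As configured in isis.ext.secman.unlockDelegatedUsers, auto-created user accounts are initially locked!");
                throw disabledAccountException(username);
            }
            principal = created;
        }
        if (principal == null) {
            throw credentialsException();
        }
        if (principal.isLocked()) {
            throw disabledAccountException(principal.getUsername());
        }

        if (principal.getAccountType() == AccountType.DELEGATED) {
            authenticateElseThrow_usingDelegatedMechanism(authenticationToken);
        } else {
            switch (checkPassword(password, principal.getEncryptedPassword())) {
                case OK:
                    break;
                case BAD_PASSWORD:
                    throw credentialsException();
                case NO_PASSWORD_ENCRYPTION_SERVICE_CONFIGURED:
                    throw new AuthenticationException("No password encryption service is installed");
                default:
                    // Unreachable for the enum as declared; kept so a future constant fails closed.
                    throw new AuthenticationException();
            }
        }
        return AuthInfoForApplicationUser.of(principal, getName(), authenticationToken.getCredentials());
    }

    /**
     * Returns the {@code PrincipalForApplicationUser} from the collection as the authorization info
     * (a cast; no lookup is performed here).
     */
    protected AuthorizationInfo doGetAuthorizationInfo(final PrincipalCollection principalCollection) {
        return (AuthorizationInfo) principalCollection.oneByType(PrincipalForApplicationUser.class);
    }

    /**
     * Short-circuit used in single-realm setups: if the current subject is already authenticated and
     * its principal carries the same username as the token, that principal is reused.
     *
     * <p>NOTE(review): the token's credentials are NOT compared here — a login attempt for the same
     * username on an already-authenticated subject succeeds regardless of the password presented.
     * Confirm this is the intended "single realm" semantics.
     *
     * @return the existing principal, or null if the short-circuit does not apply
     */
    private PrincipalForApplicationUser getPrincipal_fromAlreadyAuthenticatedSubjectIfApplicable(final AuthenticationToken authenticationToken) {
        if (!ShiroUtils.isSingleRealm()) {
            return null;
        }
        final Subject subject = SecurityUtils.getSubject();
        if (subject == null || !subject.isAuthenticated()) {
            return null;
        }
        final Object principal = subject.getPrincipal();
        if (!(principal instanceof PrincipalForApplicationUser)) {
            return null;
        }
        final PrincipalForApplicationUser existing = (PrincipalForApplicationUser) principal;
        // Caller has already established the token is a UsernamePasswordToken.
        final String tokenUsername = ((UsernamePasswordToken) authenticationToken).getUsername();
        return tokenUsername.equals(existing.getUsername()) ? existing : null;
    }

    private DisabledAccountException disabledAccountException(final String username) {
        return new DisabledAccountException(String.format("username='%s'", username));
    }

    /**
     * Generic "unknown user/password" failure, shared by the unknown-user, bad-password and
     * delegate-rejection paths so the message itself does not reveal which one applied.
     * The stack trace is trimmed to its first frame — presumably to keep failed-login logging short.
     */
    private CredentialsException credentialsException() {
        return new CredentialsException("Unknown user/password combination") {
            private static final long serialVersionUID = 1;

            @Override
            public StackTraceElement[] getStackTrace() {
                final StackTraceElement[] full = super.getStackTrace();
                if (_NullSafe.size(full) <= 1) {
                    return full;
                }
                return (StackTraceElement[]) _Arrays.subArray(super.getStackTrace(), 0, 1);
            }
        };
    }

    /**
     * Asks the delegate realm to authenticate the token; any {@link AuthenticationException} it raises,
     * or a null result, is collapsed into the generic {@link #credentialsException()}.
     *
     * @throws CredentialsException if the delegate rejects or does not recognise the token
     */
    private void authenticateElseThrow_usingDelegatedMechanism(final AuthenticationToken authenticationToken) {
        AuthenticationInfo delegateInfo = null;
        try {
            delegateInfo = this.delegateAuthenticationRealm.getAuthenticationInfo(authenticationToken);
        } catch (final AuthenticationException ignored) {
            // Deliberately swallowed: the delegate's specific reason is replaced by the generic
            // credentials failure below (presumably so it is not surfaced to the caller); note the
            // cause is not logged anywhere in this class.
        }
        if (delegateInfo == null) {
            throw credentialsException();
        }
    }

    /** Looks the user up by username; {@code PrincipalForApplicationUser.from(null)} is relied on to yield null when absent. */
    private PrincipalForApplicationUser lookupPrincipal_inApplicationUserRepository(final String username) {
        return execute(new Supplier<PrincipalForApplicationUser>() {

            @Inject
            private ApplicationUserRepository applicationUserRepository;

            @Override
            public PrincipalForApplicationUser get() {
                final ApplicationUser user = this.applicationUserRepository.findByUsername(username).orElse(null);
                return PrincipalForApplicationUser.from(user);
            }
        });
    }

    /** Creates (or finds) the local user record for a username the delegate realm has accepted. */
    private PrincipalForApplicationUser createPrincipal_inApplicationUserRepository(final String username) {
        return execute(new Supplier<PrincipalForApplicationUser>() {

            @Inject
            private ApplicationUserRepository applicationUserRepository;

            @Override
            public PrincipalForApplicationUser get() {
                return PrincipalForApplicationUser.from(this.applicationUserRepository.findOrCreateUserByUsername(username));
            }
        });
    }

    /**
     * Compares the presented password with the stored hash using the {@code "secman"} PasswordEncoder.
     *
     * <p>Fails closed: a null presented password, or an account whose stored hash is null/empty, is
     * reported as {@link CheckPasswordResult#BAD_PASSWORD} rather than being handed to the encoder
     * (some encoders throw on a null/empty encoded value, which would escape as a non-Shiro exception).
     *
     * @param presented the raw password from the token; may be null
     * @param storedHash the account's encoded password; may be null
     */
    private CheckPasswordResult checkPassword(final char[] presented, final String storedHash) {
        return execute(new Supplier<CheckPasswordResult>() {

            @Autowired(required = false)
            @Qualifier("secman")
            private PasswordEncoder passwordEncoder;

            @Override
            public CheckPasswordResult get() {
                if (this.passwordEncoder == null) {
                    return CheckPasswordResult.NO_PASSWORD_ENCRYPTION_SERVICE_CONFIGURED;
                }
                if (presented == null || storedHash == null || storedHash.isEmpty()) {
                    return CheckPasswordResult.BAD_PASSWORD;
                }
                // NOTE(review): the char[] is copied into an immutable String for the encoder API,
                // so the plaintext cannot be zeroed afterwards.
                return this.passwordEncoder.matches(new String(presented), storedHash)
                        ? CheckPasswordResult.OK
                        : CheckPasswordResult.BAD_PASSWORD;
            }
        });
    }

    private boolean hasDelegateAuthenticationRealm() {
        return this.delegateAuthenticationRealm != null;
    }

    /**
     * Runs {@code supplier} inside an anonymous interaction and a transaction, injecting services into
     * it first (the anonymous Supplier subclasses above rely on that for their {@code @Inject} fields).
     */
    <V> V execute(final Supplier<V> supplier) {
        return this.interactionService.callAnonymous(new Callable<V>() {
            @Override
            public V call() {
                IsisModuleExtSecmanShiroRealm.this.serviceInjector.injectServicesInto(supplier);
                return IsisModuleExtSecmanShiroRealm.this.doExecute(supplier);
            }
        });
    }

    /** Runs {@code supplier} in a new transaction on {@link #txMan}. */
    <V> V doExecute(final Supplier<V> supplier) {
        return new TransactionTemplate(this.txMan).execute(transactionStatus -> supplier.get());
    }

    public AuthenticatingRealm getDelegateAuthenticationRealm() {
        return this.delegateAuthenticationRealm;
    }

    public void setDelegateAuthenticationRealm(final AuthenticatingRealm authenticatingRealm) {
        this.delegateAuthenticationRealm = authenticatingRealm;
    }

    public boolean isAutoCreateUser() {
        return this.autoCreateUser;
    }

    public void setAutoCreateUser(final boolean autoCreateUser) {
        this.autoCreateUser = autoCreateUser;
    }
}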
