package org.apache.nifi.registry.security.authorization.shell;

import java.io.IOException;
import java.util.Comparator;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.registry.security.authorization.AuthorizerConfigurationContext;
import org.apache.nifi.registry.security.authorization.Group;
import org.apache.nifi.registry.security.authorization.User;
import org.apache.nifi.registry.security.authorization.UserAndGroups;
import org.apache.nifi.registry.security.authorization.UserGroupProvider;
import org.apache.nifi.registry.security.authorization.UserGroupProviderInitializationContext;
import org.apache.nifi.registry.security.authorization.exception.AuthorizationAccessException;
import org.apache.nifi.registry.security.exception.SecurityProviderCreationException;
import org.apache.nifi.registry.security.exception.SecurityProviderDestructionException;
import org.apache.nifi.registry.util.FormatUtils;
import org.apache.nifi.registry.util.PropertyValue;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/nifi-registry-framework-1.15.0.jar:org/apache/nifi/registry/security/authorization/shell/ShellUserGroupProvider.class */
public class ShellUserGroupProvider implements UserGroupProvider {
    private static final String OS_TYPE_ERROR = "Unsupported operating system.";
    private static final String SYS_CHECK_ERROR = "System check failed - cannot provide users and groups.";
    public static final String REFRESH_DELAY_PROPERTY = "Refresh Delay";
    private static final long MINIMUM_SYNC_INTERVAL_MILLISECONDS = 10000;
    public static final String EXCLUDE_USER_PROPERTY = "Exclude Users";
    public static final String EXCLUDE_GROUP_PROPERTY = "Exclude Groups";
    public static final String COMMAND_TIMEOUT_PROPERTY = "Command Timeout";
    private static final String DEFAULT_COMMAND_TIMEOUT = "60 seconds";
    private long fixedDelay;
    private Pattern excludeUsers;
    private Pattern excludeGroups;
    private int timeoutSeconds;
    private final ScheduledExecutorService scheduler = Executors.newScheduledThreadPool(2);
    private ShellCommandsProvider selectedShellCommands;
    private ShellRunner shellRunner;
    private static final Logger logger = LoggerFactory.getLogger(ShellUserGroupProvider.class);
    private static final Map<String, User> usersById = new HashMap();
    private static final Map<String, User> usersByName = new HashMap();
    private static final Map<String, Group> groupsById = new HashMap();

    public Set<User> getUsers() throws AuthorizationAccessException {
        HashSet hashSet;
        synchronized (usersById) {
            logger.debug("getUsers has user set of size: " + usersById.size());
            hashSet = new HashSet(usersById.values());
        }
        return hashSet;
    }

    public User getUser(String str) throws AuthorizationAccessException {
        User user;
        synchronized (usersById) {
            user = usersById.get(str);
        }
        if (user == null) {
            logger.debug("getUser (by id) user not found: " + str);
        } else {
            logger.debug("getUser (by id) found user: " + user + " for id: " + str);
        }
        return user;
    }

    public User getUserByIdentity(String str) throws AuthorizationAccessException {
        User user;
        synchronized (usersByName) {
            user = usersByName.get(str);
        }
        if (user == null) {
            refreshOneUser(this.selectedShellCommands.getUserByName(str), "Get Single User by Name");
            user = usersByName.get(str);
        }
        if (user == null) {
            logger.debug("getUser (by name) user not found: " + str);
        } else {
            logger.debug("getUser (by name) found user: " + user.getIdentity() + " for name: " + str);
        }
        return user;
    }

    public Set<Group> getGroups() throws AuthorizationAccessException {
        HashSet hashSet;
        synchronized (groupsById) {
            logger.debug("getGroups has group set of size: " + groupsById.size());
            hashSet = new HashSet(groupsById.values());
        }
        return hashSet;
    }

    public Group getGroup(String str) throws AuthorizationAccessException {
        Group group;
        synchronized (groupsById) {
            group = groupsById.get(str);
        }
        if (group == null) {
            refreshOneGroup(this.selectedShellCommands.getGroupById(str), "Get Single Group by Id");
            group = groupsById.get(str);
        }
        if (group == null) {
            logger.debug("getGroup (by id) group not found: " + str);
        } else {
            logger.debug("getGroup (by id) found group: " + group.getName() + " for id: " + str);
        }
        return group;
    }

    public UserAndGroups getUserAndGroups(String str) throws AuthorizationAccessException {
        final User userByIdentity = getUserByIdentity(str);
        logger.debug("Retrieved user {} for identity {}", new Object[]{userByIdentity, str});
        final HashSet hashSet = new HashSet();
        if (userByIdentity != null) {
            for (Group group : getGroups()) {
                if (group.getUsers().contains(userByIdentity.getIdentifier())) {
                    logger.debug("User {} belongs to group {}", new Object[]{userByIdentity.getIdentity(), group.getName()});
                    hashSet.add(group);
                }
            }
        }
        if (hashSet.isEmpty()) {
            logger.debug("User {} belongs to no groups", userByIdentity);
        }
        return new UserAndGroups() { // from class: org.apache.nifi.registry.security.authorization.shell.ShellUserGroupProvider.1
            public User getUser() {
                return userByIdentity;
            }

            public Set<Group> getGroups() {
                return hashSet;
            }
        };
    }

    public void initialize(UserGroupProviderInitializationContext userGroupProviderInitializationContext) throws SecurityProviderCreationException {
    }

    public void onConfigured(AuthorizerConfigurationContext authorizerConfigurationContext) throws SecurityProviderCreationException {
        logger.info("Configuring ShellUserGroupProvider");
        this.fixedDelay = getDelayProperty(authorizerConfigurationContext, REFRESH_DELAY_PROPERTY, "5 mins");
        this.timeoutSeconds = getTimeoutProperty(authorizerConfigurationContext, COMMAND_TIMEOUT_PROPERTY, DEFAULT_COMMAND_TIMEOUT);
        this.shellRunner = new ShellRunner(this.timeoutSeconds);
        logger.debug("Configured ShellRunner with command timeout of '{}' seconds", new Object[]{Integer.valueOf(this.timeoutSeconds)});
        ShellCommandsProvider commandsProvider = getCommandsProvider();
        if (commandsProvider == null) {
            commandsProvider = getCommandsProviderFromName(null);
            setCommandsProvider(commandsProvider);
        }
        try {
            this.shellRunner.runShell(commandsProvider.getSystemCheck());
            try {
                this.excludeGroups = Pattern.compile(getProperty(authorizerConfigurationContext, EXCLUDE_GROUP_PROPERTY, ""));
                this.excludeUsers = Pattern.compile(getProperty(authorizerConfigurationContext, EXCLUDE_USER_PROPERTY, ""));
                refreshUsersAndGroups();
                this.scheduler.scheduleWithFixedDelay(() -> {
                    try {
                        refreshUsersAndGroups();
                    } catch (Throwable th) {
                        logger.error("", th);
                    }
                }, this.fixedDelay, this.fixedDelay, TimeUnit.MILLISECONDS);
                logger.info("Completed configuration of ShellUserGroupProvider");
            } catch (PatternSyntaxException e) {
                throw new SecurityProviderCreationException(e);
            }
        } catch (Exception e2) {
            logger.error("initialize exception: " + e2 + " system check command: " + commandsProvider.getSystemCheck());
            throw new SecurityProviderCreationException(SYS_CHECK_ERROR, e2);
        }
    }

    private static ShellCommandsProvider getCommandsProviderFromName(String str) {
        ShellCommandsProvider osxShellCommands;
        if (str == null) {
            str = System.getProperty("os.name");
        }
        if (str.startsWith("Linux")) {
            logger.debug("Selected Linux command set.");
            osxShellCommands = new NssShellCommands();
        } else {
            if (!str.startsWith("Mac OS X")) {
                throw new SecurityProviderCreationException(OS_TYPE_ERROR);
            }
            logger.debug("Selected OSX command set.");
            osxShellCommands = new OsxShellCommands();
        }
        return osxShellCommands;
    }

    private String getProperty(AuthorizerConfigurationContext authorizerConfigurationContext, String str, String str2) {
        PropertyValue property = authorizerConfigurationContext.getProperty(str);
        return (property == null || !property.isSet()) ? str2 : property.getValue();
    }

    private long getDelayProperty(AuthorizerConfigurationContext authorizerConfigurationContext, String str, String str2) {
        PropertyValue property = authorizerConfigurationContext.getProperty(str);
        String value = property.isSet() ? property.getValue() : str2;
        try {
            long round = Math.round(FormatUtils.getPreciseTimeDuration(value, TimeUnit.MILLISECONDS));
            if (round < 10000) {
                throw new SecurityProviderCreationException(String.format("The %s '%s' is below the minimum value of '%d ms'", str, value, 10000L));
            }
            return round;
        } catch (IllegalArgumentException e) {
            throw new SecurityProviderCreationException(String.format("The %s '%s' is not a valid time interval.", str, value));
        }
    }

    private int getTimeoutProperty(AuthorizerConfigurationContext authorizerConfigurationContext, String str, String str2) {
        PropertyValue property = authorizerConfigurationContext.getProperty(str);
        String value = property.isSet() ? property.getValue() : str2;
        try {
            return Math.toIntExact(Math.round(FormatUtils.getPreciseTimeDuration(value, TimeUnit.SECONDS)));
        } catch (IllegalArgumentException e) {
            throw new SecurityProviderCreationException(String.format("The %s '%s' is not a valid time interval.", str, value));
        }
    }

    public void preDestruction() throws SecurityProviderDestructionException {
        try {
            this.scheduler.shutdownNow();
        } catch (Exception e) {
            logger.warn("Error shutting down refresh scheduler: " + e.getMessage(), e);
        }
        try {
            this.shellRunner.shutdown();
        } catch (Exception e2) {
            logger.warn("Error shutting down ShellRunner: " + e2.getMessage(), e2);
        }
    }

    public ShellCommandsProvider getCommandsProvider() {
        return this.selectedShellCommands;
    }

    public void setCommandsProvider(ShellCommandsProvider shellCommandsProvider) {
        this.selectedShellCommands = shellCommandsProvider;
    }

    private void refreshOneUser(String str, String str2) {
        if (str == null) {
            logger.info("Get Single User not supported on this system.");
            return;
        }
        HashMap hashMap = new HashMap();
        HashMap hashMap2 = new HashMap();
        try {
            rebuildUsers(this.shellRunner.runShell(str, str2), hashMap, hashMap2, new HashMap());
        } catch (IOException e) {
            logger.error("refreshOneUser shell exception: " + e);
        }
        if (hashMap.size() > 0) {
            synchronized (usersById) {
                usersById.putAll(hashMap);
            }
        }
        if (hashMap2.size() > 0) {
            synchronized (usersByName) {
                usersByName.putAll(hashMap2);
            }
        }
    }

    private void refreshOneGroup(String str, String str2) {
        if (str == null) {
            logger.info("Get Single Group not supported on this system.");
            return;
        }
        HashMap hashMap = new HashMap();
        try {
            rebuildGroups(this.shellRunner.runShell(str, str2), hashMap);
        } catch (IOException e) {
            logger.error("refreshOneGroup shell exception: " + e);
        }
        if (hashMap.size() > 0) {
            synchronized (groupsById) {
                groupsById.putAll(hashMap);
            }
        }
    }

    private void refreshUsersAndGroups() {
        long currentTimeMillis = System.currentTimeMillis();
        HashMap hashMap = new HashMap();
        HashMap hashMap2 = new HashMap();
        HashMap hashMap3 = new HashMap();
        HashMap hashMap4 = new HashMap();
        try {
            List<String> runShell = this.shellRunner.runShell(this.selectedShellCommands.getUsersList(), "Get Users List");
            List<String> runShell2 = this.shellRunner.runShell(this.selectedShellCommands.getGroupsList(), "Get Groups List");
            rebuildUsers(runShell, hashMap, hashMap2, hashMap3);
            rebuildGroups(runShell2, hashMap4);
            reconcilePrimaryGroups(hashMap3, hashMap4);
            synchronized (usersById) {
                usersById.clear();
                usersById.putAll(hashMap);
                if (logger.isTraceEnabled()) {
                    logger.trace("=== Users by id...");
                    TreeSet treeSet = new TreeSet(Comparator.comparing((v0) -> {
                        return v0.getIdentity();
                    }));
                    treeSet.addAll(usersById.values());
                    treeSet.forEach(user -> {
                        logger.trace("=== " + user.toString());
                    });
                }
            }
            synchronized (usersByName) {
                usersByName.clear();
                usersByName.putAll(hashMap2);
                logger.debug("users now size: " + usersByName.size());
            }
            synchronized (groupsById) {
                groupsById.clear();
                groupsById.putAll(hashMap4);
                logger.debug("groups now size: " + groupsById.size());
                if (logger.isTraceEnabled()) {
                    logger.trace("=== Groups by id...");
                    TreeSet treeSet2 = new TreeSet(Comparator.comparing((v0) -> {
                        return v0.getName();
                    }));
                    treeSet2.addAll(groupsById.values());
                    treeSet2.forEach(group -> {
                        logger.trace("=== " + group.toString());
                    });
                }
            }
            logger.info("Refreshed users and groups, took {} seconds", Long.valueOf((System.currentTimeMillis() - currentTimeMillis) / 1000));
        } catch (IOException e) {
            logger.error("refreshUsersAndGroups shell exception: " + e);
        }
    }

    private void rebuildUsers(List<String> list, Map<String, User> map, Map<String, User> map2, Map<String, User> map3) {
        list.forEach(str -> {
            logger.trace("Processing user: {}", new Object[]{str});
            String[] split = str.split(":");
            if (split.length <= 2) {
                logger.warn("Unexpected record format.  Expected 3 or more colon separated values per line.");
                return;
            }
            String str = split[0];
            String str2 = split[1];
            String str3 = split[2];
            if (StringUtils.isBlank(str2) || StringUtils.isBlank(str) || this.excludeUsers.matcher(str).matches()) {
                logger.warn("Null, empty, or skipped user name: " + str + " or id: " + str2);
                return;
            }
            User build = new User.Builder().identity(str).identifierGenerateFromSeed(getUserIdentifierSeed(str)).build();
            map.put(build.getIdentifier(), build);
            map2.put(str, build);
            logger.debug("Refreshed user {}", new Object[]{build});
            if (StringUtils.isBlank(str3)) {
                logger.warn("Null or empty primary group id for: " + str);
                return;
            }
            Group build2 = new Group.Builder().name(str3).identifierGenerateFromSeed(getGroupIdentifierSeed(str3)).build();
            map3.put(build2.getIdentifier(), build);
            logger.debug("Associated primary group {} with user {}", new Object[]{build2.getIdentifier(), str});
        });
    }

    private void rebuildGroups(List<String> list, Map<String, Group> map) {
        list.forEach(str -> {
            logger.trace("Processing group: {}", new Object[]{str});
            String[] split = str.split(":");
            if (split.length <= 1) {
                logger.warn("Unexpected record format.  Expected 1 or more comma separated values.");
                return;
            }
            HashSet hashSet = new HashSet();
            String str = split[0];
            String str2 = split[1];
            try {
                List<String> runShell = this.shellRunner.runShell(this.selectedShellCommands.getGroupMembers(str));
                if (runShell.isEmpty()) {
                    logger.debug("list membership returned zero lines.");
                } else {
                    String str3 = runShell.get(0);
                    if (StringUtils.isBlank(str3)) {
                        logger.debug("list membership returned no members");
                    } else {
                        for (String str4 : str3.split(",")) {
                            if (!StringUtils.isBlank(str4)) {
                                User build = new User.Builder().identity(str4).identifierGenerateFromSeed(getUserIdentifierSeed(str4)).build();
                                hashSet.add(build.getIdentifier());
                                logger.debug("Added temp user {} for group {}", new Object[]{build, str});
                            }
                        }
                    }
                }
                if (runShell.size() > 1) {
                    logger.error("list membership returned too many lines, only used the first.");
                }
            } catch (IOException e) {
                logger.error("list membership shell exception: " + e);
            }
            if (StringUtils.isBlank(str2) || StringUtils.isBlank(str) || this.excludeGroups.matcher(str).matches()) {
                logger.warn("Null, empty, or skipped group name: " + str + " or id: " + str2);
                return;
            }
            Group build2 = new Group.Builder().name(str).identifierGenerateFromSeed(getGroupIdentifierSeed(str2)).addUsers(hashSet).build();
            map.put(build2.getIdentifier(), build2);
            logger.debug("Refreshed group {}", new Object[]{build2});
        });
    }

    private void reconcilePrimaryGroups(Map<String, User> map, Map<String, Group> map2) {
        map.forEach((str, user) -> {
            Group group = (Group) map2.get(str);
            if (group == null) {
                logger.warn("Primary group {} not found for {}", new Object[]{str, user.getIdentity()});
                return;
            }
            if (this.excludeGroups.matcher(group.getName()).matches()) {
                logger.debug("Primary group {} excluded from matcher for {}", new Object[]{group.getName(), user.getIdentity()});
                return;
            }
            Set users = group.getUsers();
            if (users.contains(user.getIdentifier())) {
                logger.debug("Primary group {} already contains user {}", new Object[]{group, user});
                return;
            }
            HashSet hashSet = new HashSet(users);
            hashSet.add(user.getIdentifier());
            Group build = new Group.Builder().identifier(group.getIdentifier()).name(group.getName()).addUsers(hashSet).build();
            map2.put(build.getIdentifier(), build);
            logger.debug("Added user {} to primary group {}", new Object[]{user, build});
        });
    }

    private String getUserIdentifierSeed(String str) {
        return str + "-user";
    }

    private String getGroupIdentifierSeed(String str) {
        return str + "-group";
    }

    public long getRefreshDelay() {
        return this.fixedDelay;
    }

    void clearCaches() {
        synchronized (usersById) {
            usersById.clear();
        }
        synchronized (usersByName) {
            usersByName.clear();
        }
        synchronized (groupsById) {
            groupsById.clear();
        }
    }

    public int userCacheSize() {
        return usersById.size();
    }

    public int groupCacheSize() {
        return groupsById.size();
    }
}
