package com.bazaarvoice.emodb.web.auth;

import com.bazaarvoice.emodb.auth.AuthCacheRegistry;
import com.bazaarvoice.emodb.auth.AuthZooKeeper;
import com.bazaarvoice.emodb.auth.EmoSecurityManager;
import com.bazaarvoice.emodb.auth.InternalAuthorizer;
import com.bazaarvoice.emodb.auth.SecurityManagerBuilder;
import com.bazaarvoice.emodb.auth.apikey.ApiKey;
import com.bazaarvoice.emodb.auth.dropwizard.DropwizardAuthConfigurator;
import com.bazaarvoice.emodb.auth.identity.AuthIdentityManager;
import com.bazaarvoice.emodb.auth.identity.AuthIdentityReader;
import com.bazaarvoice.emodb.auth.identity.CacheManagingAuthIdentityManager;
import com.bazaarvoice.emodb.auth.identity.DeferringAuthIdentityManager;
import com.bazaarvoice.emodb.auth.identity.TableAuthIdentityManagerDAO;
import com.bazaarvoice.emodb.auth.permissions.CacheManagingPermissionManager;
import com.bazaarvoice.emodb.auth.permissions.DeferringPermissionManager;
import com.bazaarvoice.emodb.auth.permissions.PermissionIDs;
import com.bazaarvoice.emodb.auth.permissions.PermissionManager;
import com.bazaarvoice.emodb.auth.permissions.PermissionReader;
import com.bazaarvoice.emodb.auth.permissions.TablePermissionManagerDAO;
import com.bazaarvoice.emodb.auth.role.DataCenterSynchronizedRoleManager;
import com.bazaarvoice.emodb.auth.role.DeferringRoleManager;
import com.bazaarvoice.emodb.auth.role.Role;
import com.bazaarvoice.emodb.auth.role.RoleManager;
import com.bazaarvoice.emodb.auth.role.TableRoleManagerDAO;
import com.bazaarvoice.emodb.auth.shiro.GuavaCacheManager;
import com.bazaarvoice.emodb.auth.shiro.InvalidatableCacheManager;
import com.bazaarvoice.emodb.cachemgr.api.CacheRegistry;
import com.bazaarvoice.emodb.databus.ReplicationKey;
import com.bazaarvoice.emodb.databus.SystemInternalId;
import com.bazaarvoice.emodb.sor.api.DataStore;
import com.google.common.base.Optional;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Lists;
import com.google.common.hash.HashFunction;
import com.google.common.hash.Hashing;
import com.google.inject.Exposed;
import com.google.inject.Inject;
import com.google.inject.Key;
import com.google.inject.PrivateModule;
import com.google.inject.Provides;
import com.google.inject.Singleton;
import com.google.inject.TypeLiteral;
import com.google.inject.name.Named;
import java.lang.annotation.Annotation;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.cassandra.cql3.statements.KSPropDefs;
import org.apache.curator.framework.CuratorFramework;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.PermissionResolver;
import org.apache.shiro.mgt.SecurityManager;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/bazaarvoice/emodb/web/auth/SecurityModule.class */
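/**
 * Guice module that assembles EmoDB's authentication and authorization stack: the Shiro
 * {@link SecurityManager} backed by API keys, the identity, permission and role managers (each a
 * table-backed DAO wrapped with in-memory defaults and a cache layer), and the admin tasks that
 * operate on them.
 *
 * <p>This is a {@link PrivateModule}: only the bindings exposed in {@link #configure()} and the
 * {@code @Exposed} admin key are visible to the rest of the application.
 */
public class SecurityModule extends PrivateModule {
    private static final String REALM_NAME = "EmoDB";
    /** The API key presented by anonymous callers when anonymous access is enabled. */
    private static final String ANONYMOUS_KEY = "anonymous";
    // Internal ids of the built-in identities that are served from memory ahead of the identity table.
    private static final String ADMIN_INTERNAL_ID = "__admin";
    private static final String REPLICATION_INTERNAL_ID = "__replication";
    private static final String ANONYMOUS_INTERNAL_ID = "__anonymous";
    private static final String SYSTEM_INTERNAL_ID = "__system";
    // Labels naming a configured key in the plaintext-key warning; the key value itself is never logged.
    private static final String REPLICATION_KEY_LABEL = "replication";
    private static final String ADMIN_KEY_LABEL = "admin";
    /** Description attached to every role that mirrors a {@link DefaultRoles} entry. */
    private static final String RESERVED_ROLE_DESCRIPTION = "Reserved role";

    @Override
    protected void configure() {
        // API keys are hashed with SHA-256 before being stored or looked up.
        bind(HashFunction.class).annotatedWith(ApiKeyHashFunction.class).toInstance(Hashing.sha256());
        bind(ApiKeyEncryption.class).asEagerSingleton();
        bind(ApiKeyAdminTask.class).asEagerSingleton();
        bind(RoleAdminTask.class).asEagerSingleton();
        bind(RebuildMissingRolesTask.class).asEagerSingleton();
        // Roles reserved for the built-in replication and anonymous identities (see provideAuthIdentityManager).
        bind(new TypeLiteral<Set<String>>() {})
                .annotatedWith(ReservedRoles.class)
                .toInstance(ImmutableSet.of(DefaultRoles.replication.toString(), DefaultRoles.anonymous.toString()));
        bind(PermissionResolver.class).to(EmoPermissionResolver.class).asEagerSingleton();
        // Both interfaces resolve to the single EmoSecurityManager from provideSecurityManager.
        bind(SecurityManager.class).to(EmoSecurityManager.class);
        bind(InternalAuthorizer.class).to(EmoSecurityManager.class);
        // Read-only views are satisfied by the full managers.
        bind(new TypeLiteral<AuthIdentityReader<ApiKey>>() {}).to(new TypeLiteral<AuthIdentityManager<ApiKey>>() {});
        bind(PermissionReader.class).to(PermissionManager.class);
        bind(String.class).annotatedWith(SystemInternalId.class).toInstance(SYSTEM_INTERNAL_ID);

        expose(DropwizardAuthConfigurator.class);
        expose(Key.get(String.class, ReplicationKey.class));
        expose(Key.get(String.class, SystemInternalId.class));
        expose(PermissionResolver.class);
        expose(InternalAuthorizer.class);
    }

    /**
     * Builds the single {@link EmoSecurityManager} that {@link SecurityManager} and
     * {@link InternalAuthorizer} are bound to.
     *
     * @param anonymousKey the anonymous API key, absent when anonymous access is disabled
     */
    @Singleton
    @Inject
    @Provides
    EmoSecurityManager provideSecurityManager(AuthIdentityReader<ApiKey> authIdentityReader,
                                              PermissionReader permissionReader,
                                              InvalidatableCacheManager cacheManager,
                                              @Named("AnonymousKey") Optional<String> anonymousKey) {
        return SecurityManagerBuilder.create()
                .withRealmName(REALM_NAME)
                .withAuthIdentityReader(authIdentityReader)
                .withPermissionReader(permissionReader)
                // Guava Optional: absent becomes null, which disables anonymous access.
                .withAnonymousAccessAs(anonymousKey.orNull())
                .withCacheManager(cacheManager)
                .build();
    }

    /** Adapter that installs the security manager into Dropwizard; exposed in {@link #configure()}. */
    @Singleton
    @Provides
    DropwizardAuthConfigurator provideDropwizardAuthConfigurator(SecurityManager securityManager) {
        return new DropwizardAuthConfigurator(securityManager);
    }

    /** The plaintext replication API key, decrypted from configuration if necessary. */
    @Singleton
    @Provides
    @ReplicationKey
    String provideReplicationKey(AuthorizationConfiguration config, ApiKeyEncryption apiKeyEncryption) {
        return configurationKeyAsPlaintext(config.getReplicationApiKey(), apiKeyEncryption, REPLICATION_KEY_LABEL);
    }

    /** The plaintext admin API key, decrypted from configuration if necessary; exposed outside this module. */
    @Singleton
    @Exposed
    @Provides
    @Named("AdminKey")
    String provideAdminKey(AuthorizationConfiguration config, ApiKeyEncryption apiKeyEncryption) {
        return configurationKeyAsPlaintext(config.getAdminApiKey(), apiKeyEncryption, ADMIN_KEY_LABEL);
    }

    /**
     * Returns the plaintext form of an API key taken from configuration.
     *
     * <p>Decryption is attempted first. If it fails and the value does not look like an encrypted
     * key, the value is assumed to already be plaintext and is returned as-is with a warning. If the
     * value does look encrypted, the failure is rethrown so that a corrupt or mis-keyed ciphertext is
     * never silently used as a key.
     *
     * @param configuredKey   the value as read from config.yaml
     * @param apiKeyEncryption decryptor for configured keys
     * @param keyLabel         human-readable name of the key used in the warning; the key itself is never logged
     * @return the plaintext key
     */
    private String configurationKeyAsPlaintext(String configuredKey, ApiKeyEncryption apiKeyEncryption, String keyLabel) {
        try {
            return apiKeyEncryption.decrypt(configuredKey);
        } catch (Exception e) {
            if (ApiKeyEncryption.isPotentiallyEncryptedApiKey(configuredKey)) {
                throw e;
            }
            LoggerFactory.getLogger("com.bazaarvoice.emodb.security")
                    .warn("Configuration key {} is stored in plaintext; anyone with access to config.yaml can see it!!!", keyLabel);
            return configuredKey;
        }
    }

    /** The anonymous API key when anonymous access is enabled in configuration, otherwise absent. */
    @Named("AnonymousKey")
    @Singleton
    @Provides
    Optional<String> provideAnonymousKey(AuthorizationConfiguration config) {
        return config.isAllowAnonymousAccess() ? Optional.of(ANONYMOUS_KEY) : Optional.absent();
    }

    /** Table-backed identity store; API keys are looked up by their hash, never stored in plaintext. */
    @Named("dao")
    @Singleton
    @Provides
    AuthIdentityManager<ApiKey> provideAuthIdentityManagerDAO(AuthorizationConfiguration config,
                                                              DataStore dataStore,
                                                              @ApiKeyHashFunction HashFunction hashFunction) {
        return new TableAuthIdentityManagerDAO<>(ApiKey.class, dataStore, config.getIdentityTable(),
                config.getInternalIdIndexTable(), config.getTablePlacement(), hashFunction);
    }

    /**
     * Identity manager that resolves the built-in replication, admin and (optionally) anonymous
     * identities from memory before deferring to the table-backed DAO, with a cache layer on top.
     */
    @Singleton
    @Inject
    @Provides
    AuthIdentityManager<ApiKey> provideAuthIdentityManager(@ReplicationKey String replicationKey,
                                                           InvalidatableCacheManager cacheManager,
                                                           @Named("AdminKey") String adminKey,
                                                           @Named("AnonymousKey") Optional<String> anonymousKey,
                                                           @Named("dao") AuthIdentityManager<ApiKey> dao) {
        ImmutableList.Builder<ApiKey> builtIn = ImmutableList.builder();
        builtIn.add(new ApiKey(replicationKey, REPLICATION_INTERNAL_ID, ImmutableSet.of(DefaultRoles.replication.toString())));
        builtIn.add(new ApiKey(adminKey, ADMIN_INTERNAL_ID, ImmutableSet.of(DefaultRoles.admin.toString())));
        if (anonymousKey.isPresent()) {
            builtIn.add(new ApiKey(anonymousKey.get(), ANONYMOUS_INTERNAL_ID, ImmutableSet.of(DefaultRoles.anonymous.toString())));
        }
        return new CacheManagingAuthIdentityManager<>(new DeferringAuthIdentityManager<>(dao, builtIn.build()), cacheManager);
    }

    /** Table-backed permission store. */
    @Named("dao")
    @Singleton
    @Provides
    PermissionManager providePermissionManagerDAO(AuthorizationConfiguration config,
                                                  PermissionResolver permissionResolver,
                                                  DataStore dataStore) {
        return new TablePermissionManagerDAO(permissionResolver, dataStore, config.getPermissionsTable(), config.getTablePlacement());
    }

    /** Shared cache manager whose caches register with the auth cache registry for invalidation. */
    @Singleton
    @Inject
    @Provides
    InvalidatableCacheManager provideCacheManager(@AuthCacheRegistry CacheRegistry cacheRegistry) {
        return new GuavaCacheManager(cacheRegistry);
    }

    /**
     * Permission manager that answers for the {@link DefaultRoles} from memory before deferring to
     * the table-backed DAO, with a cache layer on top.
     */
    @Singleton
    @Provides
    PermissionManager providePermissionManager(@Named("dao") PermissionManager dao,
                                               InvalidatableCacheManager cacheManager,
                                               PermissionResolver permissionResolver) {
        ImmutableMap.Builder<String, Set<Permission>> defaults = ImmutableMap.builder();
        for (DefaultRoles role : DefaultRoles.values()) {
            Set<Permission> permissions = role.getPermissions().stream()
                    .map(permissionResolver::resolvePermission)
                    .collect(Collectors.toSet());
            defaults.put(PermissionIDs.forRole(role.toString()), permissions);
        }
        return new CacheManagingPermissionManager(new DeferringPermissionManager(dao, defaults.build()), cacheManager);
    }

    /** Table-backed role store. */
    @Named("dao")
    @Singleton
    @Provides
    RoleManager provideRoleManagerDAO(AuthorizationConfiguration config, DataStore dataStore, PermissionManager permissionManager) {
        return new TableRoleManagerDAO(dataStore, config.getRoleTable(), config.getRoleGroupTable(),
                config.getTablePlacement(), permissionManager);
    }

    /** Role manager that serves one reserved role per {@link DefaultRoles} entry before deferring to the DAO. */
    @Named("withDefaults")
    @Singleton
    @Provides
    RoleManager provideRoleManagerWithDefaultRoles(@Named("dao") RoleManager dao) {
        // First Role argument is null for every reserved role; presumably the role group — confirm against Role.
        List<Role> reserved = Stream.of(DefaultRoles.values())
                .map(role -> new Role(null, role.name(), role.name(), RESERVED_ROLE_DESCRIPTION))
                .collect(Collectors.toList());
        return new DeferringRoleManager(dao, reserved);
    }

    /** Outermost role manager; coordinates role changes across data centers through ZooKeeper. */
    @Singleton
    @Provides
    RoleManager provideRoleManager(@Named("withDefaults") RoleManager roleManager, @AuthZooKeeper CuratorFramework curator) {
        return new DataCenterSynchronizedRoleManager(roleManager, curator);
    }
}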
