package com.bazaarvoice.emodb.auth.apikey;

import com.bazaarvoice.emodb.auth.identity.AuthIdentityReader;
import com.bazaarvoice.emodb.auth.permissions.PermissionIDs;
import com.bazaarvoice.emodb.auth.permissions.PermissionReader;
import com.bazaarvoice.emodb.auth.shiro.AnonymousCredentialsMatcher;
import com.bazaarvoice.emodb.auth.shiro.AnonymousToken;
import com.bazaarvoice.emodb.auth.shiro.InvalidatableCacheManager;
import com.bazaarvoice.emodb.auth.shiro.PrincipalWithRoles;
import com.bazaarvoice.emodb.auth.shiro.RolePermissionSet;
import com.bazaarvoice.emodb.auth.shiro.SimpleRolePermissionSet;
import com.bazaarvoice.emodb.auth.shiro.ValidatingCacheManager;
import com.google.common.base.Objects;
import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Lists;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Iterator;
import java.util.Set;
import javax.annotation.Nullable;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.credential.SimpleCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.authz.permission.RolePermissionResolver;
import org.apache.shiro.cache.Cache;
import org.apache.shiro.cache.CacheManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/bazaarvoice/emodb/auth/apikey/ApiKeyRealm.class */
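/**
 * Shiro realm that authenticates callers by API key and authorizes them by the roles attached to
 * the authenticated principal.
 *
 * <p>Three kinds of lookups are served, each with its own cache when a {@link CacheManager} is
 * configured:
 * <ul>
 *   <li>authentication and authorization through the standard {@link AuthorizingRealm} caches;</li>
 *   <li>role to permission resolution through the roles cache ({@link #getRolesCacheName()});</li>
 *   <li>authorization by internal id, without presenting a key, through the internal authorization
 *       cache ({@link #getInternalAuthorizationCacheName()}).</li>
 * </ul>
 *
 * <p>Anonymous tokens are accepted only when an anonymous id was supplied to the constructor; they
 * are then resolved exactly like a key with that id.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The authentication cache is keyed by the presented principal (see the cast in the
 *       authentication cache validator), so key material is held in the cache for as long as an
 *       entry lives. Log statements in this class emit only internal ids and the realm name.</li>
 *   <li>Several methods are {@code public} in this listing only because the decompiler widened them
 *       (see the per-method notes). They bypass the caches and should be treated as internal.</li>
 * </ul>
 */
public class ApiKeyRealm extends AuthorizingRealm {
    private static final String DEFAULT_ROLES_CACHE_SUFFIX = ".rolesCache";
    private static final String DEFAULT_INTERNAL_AUTHORIZATION_CACHE_SUFFIX = ".internalAuthorizationCache";

    private final Logger _log = LoggerFactory.getLogger(getClass());
    private final AuthIdentityReader<ApiKey> _authIdentityReader;
    private final PermissionReader _permissionReader;
    // Id used to resolve anonymous tokens; null disables anonymous access.
    private final String _anonymousId;
    // True only when a cache manager is present and it is not an InvalidatableCacheManager.
    private final boolean _clearCaches;
    // Sentinel stored in the internal authorization cache to record "no such internal id".
    // It is compared by identity, never by equals().
    // NOTE(review): identity comparison only works if the cache hands back the same instance that
    // was put in; confirm this holds for every cache implementation used with this realm.
    private final AuthorizationInfo _nullAuthorizationInfo = new SimpleAuthorizationInfo(ImmutableSet.<String>of());
    private Cache<String, RolePermissionSet> _rolesCache;
    private Cache<String, AuthorizationInfo> _internalAuthorizationCache;
    private String _rolesCacheName;
    private String _internalAuthorizationCacheName;

    /**
     * Creates the realm.
     *
     * @param name               realm name; also the prefix of the roles and internal authorization
     *                           cache names
     * @param cacheManager       cache manager to use, or null to run without caches
     * @param authIdentityReader source of API key identities and of roles by internal id
     * @param permissionReader   source of permissions per role and of the permission resolver
     * @param anonymousId        id that anonymous requests are mapped to, or null to reject
     *                           anonymous tokens
     * @throws NullPointerException if {@code name}, {@code authIdentityReader} or
     *                              {@code permissionReader} is null
     */
    public ApiKeyRealm(String name, CacheManager cacheManager, AuthIdentityReader<ApiKey> authIdentityReader,
                       PermissionReader permissionReader, @Nullable String anonymousId) {
        super(null, AnonymousCredentialsMatcher.anonymousOrMatchUsing(new SimpleCredentialsMatcher()));
        this._authIdentityReader = Preconditions.checkNotNull(authIdentityReader, "authIdentityReader");
        this._permissionReader = Preconditions.checkNotNull(permissionReader, "permissionReader");
        this._anonymousId = anonymousId;
        setName(Preconditions.checkNotNull(name, "name"));
        setAuthenticationTokenClass(ApiKeyAuthenticationToken.class);
        setPermissionResolver(permissionReader.getPermissionResolver());
        setRolePermissionResolver(createRolePermissionResolver());
        setCacheManager(prepareCacheManager(cacheManager));
        setAuthenticationCachingEnabled(true);
        setAuthorizationCachingEnabled(true);
        // With an InvalidatableCacheManager the realm never clears entries itself (see the
        // clearCached* overrides); stale entries are instead rejected by the validators installed
        // in prepareCacheManager.
        this._clearCaches = cacheManager != null && !(cacheManager instanceof InvalidatableCacheManager);
        this._log.debug("Clearing of caches for realm {} is {}", name, this._clearCaches ? "enabled" : "disabled");
    }

    /**
     * Wraps an {@link InvalidatableCacheManager} in a {@link ValidatingCacheManager} whose
     * validators re-read the backing stores and compare the result with the cached value. Any other
     * cache manager, including null, is returned unchanged.
     */
    private CacheManager prepareCacheManager(CacheManager cacheManager) {
        if (!(cacheManager instanceof InvalidatableCacheManager)) {
            // instanceof is false for null, so this also covers "no cache manager".
            return cacheManager;
        }

        return new ValidatingCacheManager(cacheManager) {
            @Override
            @Nullable
            protected ValidatingCacheManager.CacheValidator<?, ?> getCacheValidatorForCache(String cacheName) {
                String authenticationCacheName = ApiKeyRealm.this.getAuthenticationCacheName();
                if (authenticationCacheName != null && cacheName.equals(authenticationCacheName)) {
                    return new ValidatingCacheManager.CacheValidator<Object, AuthenticationInfo>(Object.class, AuthenticationInfo.class) {
                        @Override
                        public boolean isCurrentValue(Object key, AuthenticationInfo value) {
                            String id;
                            if (AnonymousToken.isAnonymousPrincipal(key)) {
                                if (ApiKeyRealm.this._anonymousId == null) {
                                    // Anonymous access is disabled, so no cached anonymous entry is valid.
                                    return false;
                                }
                                id = ApiKeyRealm.this._anonymousId;
                            } else {
                                id = (String) key;
                            }
                            // Objects.equal treats "identity no longer exists" (null) as a mismatch.
                            return Objects.equal(ApiKeyRealm.this.getUncachedAuthenticationInfoForKey(id), value);
                        }
                    };
                }

                String authorizationCacheName = ApiKeyRealm.this.getAuthorizationCacheName();
                if (authorizationCacheName != null && cacheName.equals(authorizationCacheName)) {
                    return new ValidatingCacheManager.CacheValidator<Object, AuthorizationInfo>(Object.class, AuthorizationInfo.class) {
                        @Override
                        public boolean isCurrentValue(Object key, AuthorizationInfo value) {
                            AuthorizationInfo current =
                                    ApiKeyRealm.this.getUncachedAuthorizationInfoFromPrincipals((PrincipalCollection) key);
                            // Only role names are compared; permissions are resolved per role elsewhere.
                            return current != null && current.getRoles().equals(value.getRoles());
                        }
                    };
                }

                String internalAuthorizationCacheName = ApiKeyRealm.this.getInternalAuthorizationCacheName();
                if (internalAuthorizationCacheName != null && cacheName.equals(internalAuthorizationCacheName)) {
                    return new ValidatingCacheManager.CacheValidator<String, AuthorizationInfo>(String.class, AuthorizationInfo.class) {
                        @Override
                        public boolean isCurrentValue(String internalId, AuthorizationInfo value) {
                            AuthorizationInfo current = ApiKeyRealm.this.getUncachedAuthorizationInfoByInternalId(internalId);
                            return current != null && current.getRoles().equals(value.getRoles());
                        }
                    };
                }

                String rolesCacheName = ApiKeyRealm.this.getRolesCacheName();
                if (rolesCacheName != null && cacheName.equals(rolesCacheName)) {
                    return new ValidatingCacheManager.CacheValidator<String, RolePermissionSet>(String.class, RolePermissionSet.class) {
                        @Override
                        public boolean isCurrentValue(String role, RolePermissionSet value) {
                            return value.permissions().equals(
                                    ApiKeyRealm.this._permissionReader.getPermissions(PermissionIDs.forRole(role)));
                        }
                    };
                }

                // Not one of this realm's caches: no validator.
                return null;
            }
        };
    }

    /**
     * Resolves the roles and internal authorization caches once the realm is initialized.
     *
     * <p>The decompiler reports that this method was {@code protected} in the compiled class.
     */
    @Override
    public void onInit() {
        super.onInit();
        getAvailableRolesCache();
        getAvailableInternalAuthorizationCache();
    }

    /**
     * Accepts whatever the superclass accepts, plus anonymous tokens when an anonymous id is
     * configured.
     */
    @Override
    public boolean supports(AuthenticationToken authenticationToken) {
        if (super.supports(authenticationToken)) {
            return true;
        }
        return this._anonymousId != null && AnonymousToken.isAnonymous(authenticationToken);
    }

    /**
     * Looks up the identity for the token's principal, or for the anonymous id when the token is
     * anonymous.
     *
     * @return the authentication info, or null when anonymous access is disabled or no identity
     *         exists for the id
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        String id;
        if (AnonymousToken.isAnonymous(authenticationToken)) {
            if (this._anonymousId == null) {
                return null;
            }
            id = this._anonymousId;
        } else {
            id = ((ApiKeyAuthenticationToken) authenticationToken).getPrincipal();
        }
        return getUncachedAuthenticationInfoForKey(id);
    }

    /**
     * Reads the identity straight from the {@link AuthIdentityReader}, bypassing every cache.
     *
     * <p>The decompiler reports that this method was {@code private} in the compiled class; treat it
     * as internal.
     *
     * @return authentication info for the identity, or null if the reader has none for {@code key}
     */
    public AuthenticationInfo getUncachedAuthenticationInfoForKey(String key) {
        ApiKey identity = this._authIdentityReader.getIdentity(key);
        return identity == null ? null : createAuthenticationInfo(identity);
    }

    /** Binds an identity to this realm's name. */
    private ApiKeyAuthenticationInfo createAuthenticationInfo(ApiKey apiKey) {
        return new ApiKeyAuthenticationInfo(apiKey, getName());
    }

    /**
     * Builds the authorization info for the principals and, as a side effect, seeds the internal
     * authorization cache for each principal's internal id that is not cached yet.
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        AuthorizationInfo authorizationInfo = getUncachedAuthorizationInfoFromPrincipals(principalCollection);
        Cache<String, AuthorizationInfo> cache = getAvailableInternalAuthorizationCache();
        if (cache != null) {
            // NOTE(review): the value stored per internal id is the union of roles over all
            // principals of this realm in the collection. That is exact only when the collection
            // holds a single principal from this realm; confirm that is always the case.
            for (PrincipalWithRoles principal : getPrincipalsFromPrincipalCollection(principalCollection)) {
                String internalId = principal.getInternalId();
                if (cache.get(internalId) == null) {
                    cacheAuthorizationInfoByInternalId(internalId, authorizationInfo);
                }
            }
        }
        return authorizationInfo;
    }

    /** Returns the principals in the collection that were issued by this realm. */
    private Collection<PrincipalWithRoles> getPrincipalsFromPrincipalCollection(PrincipalCollection principalCollection) {
        return principalCollection.fromRealm(getName());
    }

    /**
     * Collects the roles carried by this realm's principals, without consulting any cache or the
     * identity store.
     *
     * <p>The decompiler reports that this method was {@code private} in the compiled class; treat it
     * as internal.
     */
    public AuthorizationInfo getUncachedAuthorizationInfoFromPrincipals(PrincipalCollection principalCollection) {
        SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
        for (PrincipalWithRoles principal : getPrincipalsFromPrincipalCollection(principalCollection)) {
            authorizationInfo.addRoles(principal.getRoles());
        }
        return authorizationInfo;
    }

    /** Sets the realm name and derives both custom cache names from it. */
    @Override
    public void setName(String name) {
        super.setName(name);
        this._rolesCacheName = name + DEFAULT_ROLES_CACHE_SUFFIX;
        this._internalAuthorizationCacheName = name + DEFAULT_INTERNAL_AUTHORIZATION_CACHE_SUFFIX;
    }

    public String getRolesCacheName() {
        return this._rolesCacheName;
    }

    /**
     * Renames the internal authorization cache; the suffix is appended to {@code name}.
     */
    public void setInternalAuthorizationCacheName(String name) {
        this._internalAuthorizationCacheName = name + DEFAULT_INTERNAL_AUTHORIZATION_CACHE_SUFFIX;
        // NOTE(review): if the cache was already resolved, the call below returns the existing
        // instance and the new name has no effect on lookups. Confirm whether that is intended.
        getAvailableInternalAuthorizationCache();
    }

    public String getInternalAuthorizationCacheName() {
        return this._internalAuthorizationCacheName;
    }

    /**
     * Returns the roles cache, resolving it from the cache manager on first use.
     *
     * @return the cache, or null when no cache manager is configured
     */
    protected Cache<String, RolePermissionSet> getAvailableRolesCache() {
        CacheManager cacheManager = getCacheManager();
        if (cacheManager == null) {
            return null;
        }
        if (this._rolesCache == null) {
            this._rolesCache = cacheManager.getCache(getRolesCacheName());
        }
        return this._rolesCache;
    }

    /** Returns the internal authorization cache if it has been resolved, without resolving it. */
    public Cache<String, AuthorizationInfo> getInternalAuthorizationCache() {
        return this._internalAuthorizationCache;
    }

    /**
     * Returns the internal authorization cache, resolving it from the cache manager on first use.
     *
     * @return the cache, or null when no cache manager is configured
     */
    protected Cache<String, AuthorizationInfo> getAvailableInternalAuthorizationCache() {
        CacheManager cacheManager = getCacheManager();
        if (cacheManager == null) {
            return null;
        }
        if (this._internalAuthorizationCache == null) {
            this._internalAuthorizationCache = cacheManager.getCache(getInternalAuthorizationCacheName());
        }
        return this._internalAuthorizationCache;
    }

    /** Creates the resolver Shiro uses to expand a role name into permissions. */
    private RolePermissionResolver createRolePermissionResolver() {
        return new RolePermissionResolver() {
            @Override
            public Collection<Permission> resolvePermissionsInRole(String role) {
                return ApiKeyRealm.this.getRolePermissions(role);
            }
        };
    }

    /**
     * Returns the permissions granted by a role, reading through the roles cache when one exists.
     *
     * @return the role's permissions, or null when {@code role} is null
     */
    protected Collection<Permission> getRolePermissions(String role) {
        if (role == null) {
            return null;
        }
        Cache<String, RolePermissionSet> cache = getAvailableRolesCache();
        if (cache == null) {
            return this._permissionReader.getPermissions(PermissionIDs.forRole(role));
        }
        RolePermissionSet cached = cache.get(role);
        if (cached == null) {
            cached = new SimpleRolePermissionSet(this._permissionReader.getPermissions(PermissionIDs.forRole(role)));
            cache.put(role, cached);
        }
        return cached.permissions();
    }

    /**
     * Clears the cached authentication info only when this realm owns cache clearing.
     *
     * <p>The decompiler reports that this method was {@code protected} in the compiled class.
     */
    @Override
    public void clearCachedAuthenticationInfo(PrincipalCollection principalCollection) {
        if (this._clearCaches) {
            super.clearCachedAuthenticationInfo(principalCollection);
        }
    }

    /**
     * Clears the cached authorization info only when this realm owns cache clearing.
     *
     * <p>The decompiler reports that this method was {@code protected} in the compiled class.
     */
    @Override
    public void clearCachedAuthorizationInfo(PrincipalCollection principalCollection) {
        if (this._clearCaches) {
            super.clearCachedAuthorizationInfo(principalCollection);
        }
    }

    /**
     * Returns the authorization info for an internal id, reading through the internal
     * authorization cache.
     *
     * @return the authorization info, or null when no identity exists for {@code internalId}
     */
    @Nullable
    private AuthorizationInfo getAuthorizationInfoByInternalId(String internalId) {
        Cache<String, AuthorizationInfo> cache = getAvailableInternalAuthorizationCache();
        if (cache != null) {
            AuthorizationInfo cached = cache.get(internalId);
            if (cached != null) {
                if (cached == this._nullAuthorizationInfo) {
                    this._log.debug("Authorization info previously cached as not found for internal id {}", internalId);
                    return null;
                }
                this._log.debug("Authorization info found cached for internal id {}", internalId);
                return cached;
            }
        }

        AuthorizationInfo fresh = getUncachedAuthorizationInfoByInternalId(internalId);
        // The sentinel is what gets cached, so a later hit can tell "unknown id" from "not cached".
        cacheAuthorizationInfoByInternalId(internalId, fresh);
        // Never hand the sentinel to callers: an unknown id must look the same on the first lookup
        // as on a cached one. Returning the sentinel here would let an unknown id pass the null
        // check in hasPermissionsByInternalId and be evaluated as an identity with no roles.
        return fresh == this._nullAuthorizationInfo ? null : fresh;
    }

    /** Stores the value under the internal id when the internal authorization cache exists. */
    private void cacheAuthorizationInfoByInternalId(String internalId, AuthorizationInfo authorizationInfo) {
        Cache<String, AuthorizationInfo> cache = getAvailableInternalAuthorizationCache();
        if (cache != null) {
            cache.put(internalId, authorizationInfo);
        }
    }

    /**
     * Reads the roles for an internal id straight from the {@link AuthIdentityReader}.
     *
     * <p>The decompiler reports that this method was {@code private} in the compiled class; treat it
     * as internal. Note that it never returns null: an unknown id yields the "not found" sentinel,
     * which carries no roles.
     *
     * @return authorization info holding a copy of the roles, or the sentinel when the reader
     *         returns no roles set for {@code internalId}
     */
    public AuthorizationInfo getUncachedAuthorizationInfoByInternalId(String internalId) {
        Set<String> roles = this._authIdentityReader.getRolesByInternalId(internalId);
        if (roles == null) {
            this._log.debug("Authorization info requested for non-existent internal id {}", internalId);
            return this._nullAuthorizationInfo;
        }
        return new SimpleAuthorizationInfo(ImmutableSet.copyOf(roles));
    }

    /**
     * Tests a single permission, given in string form, against the roles of an internal id.
     *
     * @return false when the id is unknown or the permission is not granted
     */
    public boolean hasPermissionByInternalId(String internalId, String permission) {
        return hasPermissionByInternalId(internalId, getPermissionResolver().resolvePermission(permission));
    }

    /**
     * Tests a single permission against the roles of an internal id.
     *
     * @return false when the id is unknown or the permission is not granted
     */
    public boolean hasPermissionByInternalId(String internalId, Permission permission) {
        return hasPermissionsByInternalId(internalId, ImmutableList.of(permission));
    }

    /**
     * Tests that every permission, given in string form, is granted to an internal id.
     *
     * @return false when the id is unknown or any permission is not granted
     */
    public boolean hasPermissionsByInternalId(String internalId, String... permissions) {
        Collection<Permission> resolved = Lists.newArrayListWithCapacity(permissions.length);
        for (String permission : permissions) {
            resolved.add(getPermissionResolver().resolvePermission(permission));
        }
        return hasPermissionsByInternalId(internalId, resolved);
    }

    /**
     * Tests that every permission is granted to an internal id.
     *
     * @return false when the id is unknown or any permission is not granted
     */
    public boolean hasPermissionsByInternalId(String internalId, Permission... permissions) {
        return hasPermissionsByInternalId(internalId, Arrays.asList(permissions));
    }

    /**
     * Tests that every permission in the collection is granted to an internal id.
     *
     * @return false when the id is unknown or any permission is not granted
     */
    public boolean hasPermissionsByInternalId(String internalId, Collection<Permission> permissions) {
        AuthorizationInfo authorizationInfo = getAuthorizationInfoByInternalId(internalId);
        // Unknown id: deny before the permission check is evaluated at all.
        return authorizationInfo != null && isPermittedAll(permissions, authorizationInfo);
    }
}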
