package org.aldica.common.ignite.plugin;

import java.net.InetSocketAddress;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;
import org.apache.ignite.IgniteCheckedException;
import org.apache.ignite.cluster.ClusterNode;
import org.apache.ignite.internal.GridComponent;
import org.apache.ignite.internal.IgniteInternalFuture;
import org.apache.ignite.internal.processors.security.GridSecurityProcessor;
import org.apache.ignite.internal.processors.security.SecurityContext;
import org.apache.ignite.lang.IgniteFuture;
import org.apache.ignite.plugin.security.AuthenticationContext;
import org.apache.ignite.plugin.security.SecurityCredentials;
import org.apache.ignite.plugin.security.SecurityException;
import org.apache.ignite.plugin.security.SecurityPermission;
import org.apache.ignite.plugin.security.SecuritySubject;
import org.apache.ignite.plugin.security.SecuritySubjectType;
import org.apache.ignite.spi.IgniteNodeValidationResult;
import org.apache.ignite.spi.discovery.DiscoveryDataBag;
import org.apache.ignite.spi.discovery.tcp.internal.TcpDiscoveryNode;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/aldica/common/ignite/plugin/SimpleSecurityProcessor.class */
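/**
 * Security processor that admits grid members by comparing the credentials they present against
 * fixed allow-lists taken from a {@link SimpleSecurityPluginConfiguration}.
 *
 * <p>Security-relevant properties visible in this class:
 * <ul>
 * <li>Authentication is allow-list membership only: clients are checked against
 * {@code getAllowedClientCredentials()}, server nodes against {@code getAllowedNodeCredentials()}
 * and, if both a node-tier attribute key and a list of allowed values are configured, against that
 * attribute as well. The node-tier attribute is supplied by the joining node itself, so it narrows
 * which nodes may join but is not a secret.</li>
 * <li>{@link #authorize(String, SecurityPermission, SecurityContext)} performs no check at all:
 * every subject that passed authentication may perform every operation.</li>
 * <li>Rejections are logged at INFO, successful authentications only at DEBUG. Credentials are
 * never written to the log.</li>
 * </ul>
 *
 * <p>NOTE(review): matching is delegated to {@code Collection.contains}, i.e. to
 * {@code SecurityCredentials.equals}; whether that comparison is constant-time cannot be told from
 * this class.
 */
public class SimpleSecurityProcessor implements GridSecurityProcessor {
    private static final Logger LOGGER = LoggerFactory.getLogger(SimpleSecurityProcessor.class);

    /** Allow-lists and node-tier settings; the constructor normalises the node-tier key in place. */
    protected final SimpleSecurityPluginConfiguration configuration;

    // Subjects accepted by validateCredentials, keyed by subject id; entries are removed only in
    // onSessionExpired.
    // NOTE(review): this is a plain HashMap with no synchronisation anywhere in this class. If the
    // grid can call authenticate / onSessionExpired / authenticatedSubjects from different threads,
    // it needs a thread-safe map - confirm against the callers.
    protected final Map<UUID, SecuritySubject> authenticatedSubjects = new HashMap<>();

    /**
     * Creates the processor and logs how restrictive the effective configuration is.
     *
     * <p>Side effect: the node-tier attribute key stored in the passed configuration is trimmed, or
     * reset to {@code null} when it is blank.
     *
     * @param simpleSecurityPluginConfiguration the plugin configuration, must not be {@code null}
     * @throws IllegalStateException if no configuration is passed
     */
    public SimpleSecurityProcessor(SimpleSecurityPluginConfiguration simpleSecurityPluginConfiguration) {
        if (simpleSecurityPluginConfiguration == null) {
            throw new IllegalStateException("No configuration for SimplePassphraseSecurityPlugin has been defined");
        }
        this.configuration = simpleSecurityPluginConfiguration;

        final String nodeTierAttributeKey = this.configuration.getNodeTierAttributeKey();
        final Collection<String> allowedNodeTierAttributeValues = this.configuration.getAllowedNodeTierAttributeValues();
        final Collection<SecurityCredentials> allowedClientCredentials = this.configuration.getAllowedClientCredentials();
        final Collection<SecurityCredentials> allowedNodeCredentials = this.configuration.getAllowedNodeCredentials();

        if (allowedClientCredentials == null || allowedClientCredentials.isEmpty()) {
            LOGGER.info("No allowed client credentials have been configured - no client will be allowed to connect");
        }
        if (allowedNodeCredentials == null || allowedNodeCredentials.isEmpty()) {
            LOGGER.warn("No allowed node credentials have been configured - no node will be allowed to connect");
        }

        // The messages below concern the node-tier check only; authenticate() still requires
        // matching node credentials whatever the node-tier settings are.
        if (nodeTierAttributeKey == null) {
            LOGGER.info("No node-tier attribute key name has been configured - any node is allowed to connect");
            return;
        }

        final String trimmedKey = nodeTierAttributeKey.trim();
        if (trimmedKey.isEmpty()) {
            LOGGER.warn("The node-tier attribute key was configured to an effectively empty string - any node is allowed to connect");
            this.configuration.setNodeTierAttributeKey(null);
            return;
        }
        this.configuration.setNodeTierAttributeKey(trimmedKey);

        if (allowedNodeTierAttributeValues == null) {
            LOGGER.info("No allowed values for the node-tier attribute have been configured - any node is allowed to connect");
        } else if (allowedNodeTierAttributeValues.isEmpty()) {
            LOGGER.warn("An empty list of allowed values for the node-tier attribute have been configured - no node will effectively be allowed to connect");
        }
    }

    /**
     * Builds an {@link AuthenticationContext} from a joining node and delegates to
     * {@link #authenticate(AuthenticationContext)}.
     *
     * <p>The subject type is derived from {@code clusterNode.isClient()}, the address from the first
     * entry of {@code clusterNode.addresses()} and, for a {@link TcpDiscoveryNode}, its discovery
     * port (otherwise port 0). All of these values are reported by the joining node.
     *
     * @param clusterNode the node asking to join
     * @param securityCredentials the credentials the node presented
     * @return the security context of the accepted node, or {@code null} if it was rejected
     * @throws SecurityException if the node reports no address
     * @throws IgniteCheckedException declared by the interface
     */
    @Override
    public SecurityContext authenticateNode(ClusterNode clusterNode, SecurityCredentials securityCredentials) throws IgniteCheckedException {
        // Fail closed with an explicit rejection instead of letting iterator().next() raise a
        // NoSuchElementException for a node that reports no address.
        final Collection<String> addresses = clusterNode.addresses();
        if (addresses == null || addresses.isEmpty()) {
            throw new SecurityException("Unable to authenticate node without any address");
        }
        final String host = addresses.iterator().next();
        final int port = clusterNode instanceof TcpDiscoveryNode ? ((TcpDiscoveryNode) clusterNode).discoveryPort() : 0;

        final AuthenticationContext authenticationContext = new AuthenticationContext();
        authenticationContext.credentials(securityCredentials);
        authenticationContext.nodeAttributes(clusterNode.attributes());
        authenticationContext.subjectType(clusterNode.isClient() ? SecuritySubjectType.REMOTE_CLIENT : SecuritySubjectType.REMOTE_NODE);
        authenticationContext.subjectId(clusterNode.id());
        // NOTE(review): InetSocketAddress(String, int) attempts to resolve the host string, which
        // here comes from the joining node - confirm that only address literals reach this point.
        authenticationContext.address(new InetSocketAddress(host, port));
        return authenticate(authenticationContext);
    }

    /** {@inheritDoc} Always {@code false} in this implementation. */
    @Override
    public boolean isGlobalNodeAuthentication() {
        return false;
    }

    /**
     * Authenticates a remote client or remote node against the configured allow-lists.
     *
     * <p>A subject is rejected ({@code null} is returned) when no allow-list is configured for its
     * type, when - for nodes with a configured node-tier key and value list - its node-tier attribute
     * is missing, not a string or not in the list, or when its credentials are not in the allow-list.
     *
     * @param authenticationContext the subject to authenticate
     * @return the security context of the accepted subject, or {@code null} if it was rejected
     * @throws SecurityException if the subject type is missing or is neither a remote client nor a
     *         remote node
     * @throws IgniteCheckedException declared by the interface
     */
    @Override
    public SecurityContext authenticate(AuthenticationContext authenticationContext) throws IgniteCheckedException {
        final SecuritySubjectType subjectType = authenticationContext.subjectType();
        if (subjectType == null) {
            throw new SecurityException("Unable to authenticate without subject type");
        }

        boolean rejected = false;
        switch (subjectType) {
            case REMOTE_CLIENT: {
                final Collection<SecurityCredentials> allowedClientCredentials = this.configuration.getAllowedClientCredentials();
                if (allowedClientCredentials == null) {
                    LOGGER.info("Rejecting client {} ({}) as no allowed client credentials have been configured", authenticationContext.subjectId(), authenticationContext.address());
                    rejected = true;
                }
                return rejected ? null : validateCredentials(authenticationContext, allowedClientCredentials);
            }
            case REMOTE_NODE: {
                final Collection<SecurityCredentials> allowedNodeCredentials = this.configuration.getAllowedNodeCredentials();
                if (allowedNodeCredentials == null) {
                    LOGGER.info("Rejecting node {} ({}) as no allowed node credentials have been configured", authenticationContext.subjectId(), authenticationContext.address());
                    rejected = true;
                }

                final String nodeTierAttributeKey = this.configuration.getNodeTierAttributeKey();
                final Collection<String> allowedNodeTierAttributeValues = this.configuration.getAllowedNodeTierAttributeValues();
                // The node-tier check only applies when both the key and the value list are set.
                if (nodeTierAttributeKey != null && allowedNodeTierAttributeValues != null) {
                    // The attribute value is supplied by the joining node and is written to the log
                    // as-is below; the log pipeline should treat it as untrusted text.
                    final Object nodeTier = authenticationContext.nodeAttributes().get(nodeTierAttributeKey);
                    if (!(nodeTier instanceof String)) {
                        LOGGER.info("Rejecting node {} ({}) due to incompatible node-tier attribute value {}", authenticationContext.subjectId(), authenticationContext.address(), nodeTier);
                        rejected = true;
                    } else if (!allowedNodeTierAttributeValues.contains(nodeTier)) {
                        LOGGER.info("Rejecting node {} ({}) due to unallowed node-tier attribute value {}", authenticationContext.subjectId(), authenticationContext.address(), nodeTier);
                        rejected = true;
                    }
                }
                return rejected ? null : validateCredentials(authenticationContext, allowedNodeCredentials);
            }
            default:
                throw new SecurityException("Unsupported / unexpected subject type");
        }
    }

    /**
     * Returns a snapshot copy of all subjects accepted so far and not yet expired.
     *
     * @return a new list, independent of the internal map
     */
    @Override
    public Collection<SecuritySubject> authenticatedSubjects() throws IgniteCheckedException {
        return new ArrayList<>(this.authenticatedSubjects.values());
    }

    /**
     * Looks up an accepted subject by id.
     *
     * @param uuid the subject id
     * @return the subject, or {@code null} if none is registered under that id
     */
    @Override
    public SecuritySubject authenticatedSubject(UUID uuid) throws IgniteCheckedException {
        return this.authenticatedSubjects.get(uuid);
    }

    /** {@inheritDoc} No-op in this implementation. */
    @Override
    public void start() throws IgniteCheckedException {
    }

    /** {@inheritDoc} No-op in this implementation. */
    @Override
    public void stop(boolean z) throws IgniteCheckedException {
    }

    /** {@inheritDoc} No-op in this implementation. */
    @Override
    public void onKernalStart(boolean z) throws IgniteCheckedException {
    }

    /** {@inheritDoc} No-op in this implementation. */
    @Override
    public void onKernalStop(boolean z) {
    }

    /** {@inheritDoc} No-op in this implementation. */
    @Override
    public void collectJoiningNodeData(DiscoveryDataBag discoveryDataBag) {
    }

    /** {@inheritDoc} No-op in this implementation. */
    @Override
    public void collectGridNodeData(DiscoveryDataBag discoveryDataBag) {
    }

    /** {@inheritDoc} No-op in this implementation. */
    @Override
    public void onGridDataReceived(DiscoveryDataBag.GridDiscoveryData gridDiscoveryData) {
    }

    /** {@inheritDoc} No-op in this implementation. */
    @Override
    public void onJoiningNodeDataReceived(DiscoveryDataBag.JoiningNodeDiscoveryData joiningNodeDiscoveryData) {
    }

    /** {@inheritDoc} No-op in this implementation. */
    @Override
    public void printMemoryStats() {
    }

    /**
     * {@inheritDoc} Always returns {@code null}; no node is checked here, admission is decided in
     * {@link #authenticate(AuthenticationContext)} only.
     */
    @Override
    public IgniteNodeValidationResult validateNode(ClusterNode clusterNode) {
        return null;
    }

    /**
     * {@inheritDoc} Always returns {@code null}; the joining node's discovery data is not inspected.
     */
    @Override
    public IgniteNodeValidationResult validateNode(ClusterNode clusterNode, DiscoveryDataBag.JoiningNodeDiscoveryData joiningNodeDiscoveryData) {
        return null;
    }

    /** {@inheritDoc} Always {@code PLUGIN}. */
    @Override
    public GridComponent.DiscoveryDataExchangeType discoveryDataType() {
        return GridComponent.DiscoveryDataExchangeType.PLUGIN;
    }

    /** {@inheritDoc} No-op in this implementation. */
    @Override
    public void onDisconnected(IgniteFuture<?> igniteFuture) throws IgniteCheckedException {
    }

    /** {@inheritDoc} Always returns {@code null}. */
    @Override
    public IgniteInternalFuture<?> onReconnected(boolean z) throws IgniteCheckedException {
        return null;
    }

    /**
     * Performs no authorization check: the method body is empty, so it never throws and every
     * operation is permitted for every subject that passed authentication.
     */
    @Override
    public void authorize(String str, SecurityPermission securityPermission, SecurityContext securityContext) throws SecurityException {
    }

    /**
     * Forgets the subject registered under the given id.
     *
     * @param uuid the id of the subject whose session expired
     */
    @Override
    public void onSessionExpired(UUID uuid) {
        this.authenticatedSubjects.remove(uuid);
    }

    /** {@inheritDoc} Always {@code true}. */
    @Override
    public boolean enabled() {
        return true;
    }

    /**
     * Accepts the subject if, and only if, the credentials it presented are contained in the given
     * allow-list, and registers accepted subjects in {@link #authenticatedSubjects}.
     *
     * <p>A missing allow-list or missing credentials always lead to rejection. Acceptance is logged
     * at DEBUG and rejection at INFO; only subject id and address are logged, never the credentials.
     *
     * @param authenticationContext the subject being authenticated
     * @param collection the allow-list to match the presented credentials against
     * @return a security context wrapping the accepted subject, or {@code null} on rejection
     */
    protected SecurityContext validateCredentials(AuthenticationContext authenticationContext, Collection<SecurityCredentials> collection) {
        final SecurityCredentials presented = authenticationContext.credentials();
        // Reject explicitly when nothing was presented, so that a null entry in the allow-list or a
        // null-hostile collection can neither accept the subject nor fail with a NullPointerException.
        if (collection == null || presented == null || !collection.contains(presented)) {
            LOGGER.info("Rejecting {} ({}) as provided credentials do not match", authenticationContext.subjectId(), authenticationContext.address());
            return null;
        }

        LOGGER.debug("Accepting {} ({}) as provided credentials match", authenticationContext.subjectId(), authenticationContext.address());
        final SimpleSecuritySubject subject = new SimpleSecuritySubject(authenticationContext.subjectId(), authenticationContext.subjectType(), presented.getLogin(), authenticationContext.address(), new NoopSecurityPermissionSet());
        this.authenticatedSubjects.put(authenticationContext.subjectId(), subject);
        return new NoopSecurityContext(subject);
    }
}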
