package com.gemstone.gemfire.internal.security;

import com.gemstone.gemfire.internal.ClassLoadUtil;
import com.gemstone.gemfire.internal.logging.LogService;
import com.gemstone.gemfire.internal.security.shiro.CustomAuthRealm;
import com.gemstone.gemfire.internal.security.shiro.ShiroPrincipal;
import com.gemstone.gemfire.management.internal.security.ResourceOperation;
import com.gemstone.gemfire.security.AuthenticationFailedException;
import com.gemstone.gemfire.security.GemFireSecurityException;
import com.gemstone.gemfire.security.NotAuthorizedException;
import java.security.AccessController;
import java.security.Principal;
import java.util.Properties;
import java.util.Set;
import java.util.concurrent.Callable;
import org.apache.commons.lang.StringUtils;
import org.apache.geode.security.GeodePermission;
import org.apache.geode.security.PostProcessor;
import org.apache.geode.security.SecurityManager;
import org.apache.logging.log4j.Logger;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.ShiroException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.subject.support.SubjectThreadState;
import org.apache.shiro.util.ThreadContext;
import org.apache.shiro.util.ThreadState;

/* loaded from: input_file:com/gemstone/gemfire/internal/security/GeodeSecurityUtil.class */
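public class GeodeSecurityUtil {
    private static final Logger logger = LogService.getLogger();

    // Process-wide security state. Written only by initSecurity() and close(),
    // read by every other method. Neither writer is synchronized, so the
    // expectation (not enforced here) is that initialization and shutdown
    // happen while no other thread is authorizing against this state.
    private static PostProcessor postProcessor;
    private static SecurityManager securityManager;
    private static boolean isIntegratedSecurity;
    private static boolean isClientAuthenticator;
    private static boolean isPeerAuthenticator;

    /**
     * Returns the Shiro {@link Subject} acting on the calling thread.
     * <p>
     * Lookup order: first a {@link ShiroPrincipal} carried by the JAAS subject of the
     * current access-control context (the wrapped Shiro subject is then bound to
     * Shiro's {@link ThreadContext} so later calls on this thread resolve it directly);
     * otherwise the subject already bound to the thread via {@link SecurityUtils}.
     *
     * @return the subject, or {@code null} when integrated security is not enabled
     *         (callers treat {@code null} as "no check required")
     * @throws GemFireSecurityException if a subject is found but carries no principal,
     *         i.e. nobody has logged in on this thread
     */
    public static Subject getSubject() {
        if (!isIntegratedSecurity) {
            return null;
        }
        javax.security.auth.Subject jaasSubject =
                javax.security.auth.Subject.getSubject(AccessController.getContext());
        if (jaasSubject != null) {
            Set<ShiroPrincipal> principals = jaasSubject.getPrincipals(ShiroPrincipal.class);
            if (!principals.isEmpty()) {
                Subject shiroSubject = principals.iterator().next().getSubject();
                ThreadContext.bind(shiroSubject);
                return shiroSubject;
            }
        }
        Subject threadSubject = SecurityUtils.getSubject();
        if (threadSubject == null || threadSubject.getPrincipal() == null) {
            throw new GemFireSecurityException("Error: Anonymous User");
        }
        return threadSubject;
    }

    /**
     * Authenticates the given credentials against the configured Shiro security manager
     * and leaves the authenticated subject bound to the calling thread.
     *
     * @param username the user name; it is written to the log, the password never is
     * @param password the password
     * @return the authenticated subject, or {@code null} when integrated security is not enabled
     * @throws AuthenticationFailedException if Shiro rejects the credentials (the Shiro
     *         exception is kept as the cause)
     */
    public static Subject login(String username, String password) {
        if (!isIntegratedSecurity) {
            return null;
        }
        // Discard whatever subject a previous caller left bound to this thread so the
        // new login cannot inherit a stale identity.
        ThreadContext.remove();
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        try {
            logger.info("Logging in " + username);
            subject.login(token);
            return subject;
        } catch (ShiroException e) {
            logger.info(e.getMessage(), e);
            throw new AuthenticationFailedException("Authentication error. Please check your username/password.", e);
        }
    }

    /**
     * Logs out the subject bound to the calling thread and unbinds it.
     * No-op when integrated security is not enabled.
     *
     * @throws GemFireSecurityException if there is no logged-in subject on this thread
     *         (propagated from {@link #getSubject()}) or if Shiro fails during logout
     */
    public static void logout() {
        Subject subject = getSubject();
        if (subject == null) {
            return;
        }
        try {
            logger.info("Logging out " + subject.getPrincipal());
            subject.logout();
            ThreadContext.remove();
        } catch (ShiroException e) {
            logger.info(e.getMessage(), e);
            throw new GemFireSecurityException(e.getMessage(), e);
        }
    }

    /**
     * Wraps {@code callable} so that it runs as the current thread's subject
     * (see {@link Subject#associateWith(Callable)}); this is how the identity is carried
     * onto another thread, e.g. an executor.
     *
     * @param callable the work to wrap
     * @return the wrapped callable, or {@code callable} itself when integrated security
     *         is not enabled
     */
    public static Callable associateWith(Callable callable) {
        Subject subject = getSubject();
        return subject == null ? callable : subject.associateWith(callable);
    }

    /**
     * Binds {@code subject} to the calling thread.
     *
     * @param subject the subject to bind; {@code null} is a no-op
     * @return the thread state that was bound, so the caller can {@code restore()} the
     *         previous state when done; {@code null} if nothing was bound
     */
    public static ThreadState bindSubject(Subject subject) {
        if (subject == null) {
            return null;
        }
        SubjectThreadState state = new SubjectThreadState(subject);
        state.bind();
        return state;
    }

    /**
     * Authorizes the current subject for the resource/operation pair named by a
     * {@link ResourceOperation}. A {@code null} argument means "nothing to check".
     *
     * @throws NotAuthorizedException if the current subject lacks the permission
     */
    public static void authorize(ResourceOperation resourceOperation) {
        if (resourceOperation == null) {
            return;
        }
        authorize(resourceOperation.resource().name(), resourceOperation.operation().name(), null);
    }

    /** Requires CLUSTER:MANAGE. @throws NotAuthorizedException if denied */
    public static void authorizeClusterManage() {
        authorize("CLUSTER", "MANAGE");
    }

    /** Requires CLUSTER:WRITE. @throws NotAuthorizedException if denied */
    public static void authorizeClusterWrite() {
        authorize("CLUSTER", "WRITE");
    }

    /** Requires CLUSTER:READ. @throws NotAuthorizedException if denied */
    public static void authorizeClusterRead() {
        authorize("CLUSTER", "READ");
    }

    /** Requires DATA:MANAGE on every region. @throws NotAuthorizedException if denied */
    public static void authorizeDataManage() {
        authorize("DATA", "MANAGE");
    }

    /** Requires DATA:WRITE on every region. @throws NotAuthorizedException if denied */
    public static void authorizeDataWrite() {
        authorize("DATA", "WRITE");
    }

    /** Requires DATA:READ on every region. @throws NotAuthorizedException if denied */
    public static void authorizeDataRead() {
        authorize("DATA", "READ");
    }

    /** Requires DATA:MANAGE on {@code regionName}. @throws NotAuthorizedException if denied */
    public static void authorizeRegionManage(String regionName) {
        authorize("DATA", "MANAGE", regionName);
    }

    /** Requires DATA:MANAGE on {@code key} in {@code regionName}. @throws NotAuthorizedException if denied */
    public static void authorizeRegionManage(String regionName, String key) {
        authorize("DATA", "MANAGE", regionName, key);
    }

    /** Requires DATA:WRITE on {@code regionName}. @throws NotAuthorizedException if denied */
    public static void authorizeRegionWrite(String regionName) {
        authorize("DATA", "WRITE", regionName);
    }

    /** Requires DATA:WRITE on {@code key} in {@code regionName}. @throws NotAuthorizedException if denied */
    public static void authorizeRegionWrite(String regionName, String key) {
        authorize("DATA", "WRITE", regionName, key);
    }

    /** Requires DATA:READ on {@code regionName}. @throws NotAuthorizedException if denied */
    public static void authorizeRegionRead(String regionName) {
        authorize("DATA", "READ", regionName);
    }

    /** Requires DATA:READ on {@code key} in {@code regionName}. @throws NotAuthorizedException if denied */
    public static void authorizeRegionRead(String regionName, String key) {
        authorize("DATA", "READ", regionName, key);
    }

    /**
     * Authorizes the current subject for {@code resource}:{@code operation} on all regions.
     *
     * @throws NotAuthorizedException if denied
     */
    public static void authorize(String resource, String operation) {
        authorize(resource, operation, null);
    }

    private static void authorize(String resource, String operation, String regionName) {
        authorize(resource, operation, regionName, null);
    }

    private static void authorize(String resource, String operation, String regionName, String key) {
        // Region names may arrive with a leading "/" (a full region path); the permission
        // model works on the bare name, so normalize before building the permission.
        authorize(new GeodePermission(resource, operation, StringUtils.stripStart(regionName, "/"), key));
    }

    /**
     * Checks {@code geodePermission} against the current subject.
     * <p>
     * The check is skipped, i.e. the call returns normally, when integrated security is
     * not enabled (no subject), when the permission is {@code null}, or when both its
     * resource and operation are {@code NULL}.
     *
     * @throws NotAuthorizedException if Shiro denies the permission; the message names
     *         the principal and the permission and is also logged at INFO
     * @throws GemFireSecurityException if nobody is logged in on this thread
     */
    public static void authorize(GeodePermission geodePermission) {
        Subject subject = getSubject();
        if (subject == null || geodePermission == null) {
            return;
        }
        if (geodePermission.getResource() == GeodePermission.Resource.NULL
                && geodePermission.getOperation() == GeodePermission.Operation.NULL) {
            return;
        }
        try {
            subject.checkPermission(geodePermission);
        } catch (ShiroException e) {
            String message = subject.getPrincipal() + " not authorized for " + geodePermission;
            logger.info(message);
            throw new NotAuthorizedException(message, e);
        }
    }

    /**
     * Configures the security subsystem from the given properties.
     * <p>
     * Exactly one mode is chosen, in this precedence order:
     * <ol>
     * <li>{@code security-shiro-init}: a Shiro INI file loaded from the classpath; the
     *     Geode permission resolver is installed into its {@code [main]} section and, unless
     *     the file sets its own, wired into {@code iniRealm}. Integrated security is enabled.</li>
     * <li>{@code security-manager}: a {@link SecurityManager} implementation instantiated by
     *     class name, initialized with {@code properties} and wrapped in a Shiro realm.
     *     Integrated security is enabled.</li>
     * <li>{@code security-client-authenticator}: legacy client authentication flag only.</li>
     * <li>{@code security-peer-authenticator}: legacy peer authentication flag only.</li>
     * <li>none of the above: all flags are cleared.</li>
     * </ol>
     * Only the last case clears the flags, so a previous configuration is only fully
     * replaced after {@link #close()}. Independently of the mode,
     * {@code security-post-processor} names a {@link PostProcessor} that is instantiated
     * and initialized here.
     * <p>
     * The class names in these properties are instantiated reflectively; they are
     * deployment configuration and must be treated as trusted input.
     *
     * @param properties the security properties; {@code null} is a no-op
     * @throws GemFireSecurityException if a configured class cannot be loaded or
     *         instantiated, or is not of the expected type
     */
    public static void initSecurity(Properties properties) {
        if (properties == null) {
            return;
        }
        String shiroConfig = properties.getProperty("security-shiro-init");
        String securityManagerClass = properties.getProperty("security-manager");
        String clientAuthenticator = properties.getProperty("security-client-authenticator");
        String peerAuthenticator = properties.getProperty("security-peer-authenticator");

        if (!StringUtils.isBlank(shiroConfig)) {
            IniSecurityManagerFactory factory = new IniSecurityManagerFactory("classpath:" + shiroConfig);
            Ini.Section mainSection = factory.getIni().addSection("main");
            // Always install our resolver; only default the realm wiring if the INI file
            // did not configure its own.
            mainSection.put("geodePermissionResolver", "com.gemstone.gemfire.internal.security.shiro.GeodePermissionResolver");
            if (!mainSection.containsKey("iniRealm.permissionResolver")) {
                mainSection.put("iniRealm.permissionResolver", "$geodePermissionResolver");
            }
            SecurityUtils.setSecurityManager((org.apache.shiro.mgt.SecurityManager) factory.getInstance());
            isIntegratedSecurity = true;
        } else if (!StringUtils.isBlank(securityManagerClass)) {
            securityManager = getObjectOfTypeFromClassName(securityManagerClass, SecurityManager.class);
            securityManager.init(properties);
            SecurityUtils.setSecurityManager(new DefaultSecurityManager(new CustomAuthRealm(securityManager)));
            isIntegratedSecurity = true;
        } else if (!StringUtils.isBlank(clientAuthenticator)) {
            isClientAuthenticator = true;
        } else if (!StringUtils.isBlank(peerAuthenticator)) {
            isPeerAuthenticator = true;
        } else {
            isIntegratedSecurity = false;
            isClientAuthenticator = false;
            isPeerAuthenticator = false;
        }

        String postProcessorClass = properties.getProperty("security-post-processor");
        if (StringUtils.isBlank(postProcessorClass)) {
            postProcessor = null;
        } else {
            postProcessor = getObjectOfTypeFromClassName(postProcessorClass, PostProcessor.class);
            postProcessor.init(properties);
        }
    }

    /**
     * Shuts down the configured security manager and post processor, unbinds the
     * thread's subject and clears all mode flags.
     * <p>
     * Each step runs even if an earlier one throws, so the static state never remains
     * half torn down; the first exception is the one propagated.
     */
    public static void close() {
        try {
            closeSecurityManager();
        } finally {
            try {
                closePostProcessor();
            } finally {
                ThreadContext.remove();
                isIntegratedSecurity = false;
                isClientAuthenticator = false;
                isPeerAuthenticator = false;
            }
        }
    }

    // Closes and forgets the security manager; the field is cleared even if close() throws.
    private static void closeSecurityManager() {
        SecurityManager manager = securityManager;
        if (manager == null) {
            return;
        }
        try {
            manager.close();
        } finally {
            securityManager = null;
        }
    }

    // Closes and forgets the post processor; the field is cleared even if close() throws.
    private static void closePostProcessor() {
        PostProcessor processor = postProcessor;
        if (processor == null) {
            return;
        }
        try {
            processor.close();
        } finally {
            postProcessor = null;
        }
    }

    /**
     * @return {@code true} if integrated security is enabled and a post processor is
     *         configured, i.e. {@link #postProcess} may transform values
     */
    public static boolean needPostProcess() {
        return isIntegratedSecurity && postProcessor != null;
    }

    /**
     * Passes a region value through the configured {@link PostProcessor} on behalf of the
     * current subject.
     *
     * @param regionName the region (a leading "/" is stripped before the call)
     * @param key the entry key
     * @param value the value read from the region
     * @return the processed value, or {@code value} unchanged when no post processor is
     *         configured or integrated security is not enabled
     */
    public static Object postProcess(String regionName, Object key, Object value) {
        if (postProcessor == null) {
            return value;
        }
        Subject subject = getSubject();
        if (subject == null) {
            return value;
        }
        // NOTE(review): assumes the Shiro principal is a java.security.Principal, which is
        // what the realms used by initSecurity() appear to supply — confirm; anything else
        // fails here with a ClassCastException.
        return postProcessor.processRegionValue((Principal) subject.getPrincipal(),
                StringUtils.stripStart(regionName, "/"), key, value);
    }

    /**
     * Loads {@code className} and creates an instance through its no-arg constructor.
     * <p>
     * The type check runs before instantiation, so a misconfigured name is rejected
     * without ever running the constructor of an unrelated class.
     *
     * @param className fully qualified class name, taken from configuration
     * @param expectedType the type the instance must be assignable to
     * @return the new instance
     * @throws GemFireSecurityException if the class cannot be loaded, is not of
     *         {@code expectedType}, or cannot be instantiated (cause attached where one exists)
     */
    public static <T> T getObjectOfTypeFromClassName(String className, Class<T> expectedType) {
        Class<?> loaded;
        try {
            loaded = ClassLoadUtil.classFromName(className);
        } catch (Exception e) {
            throw new GemFireSecurityException("Instance could not be obtained, " + e.toString(), e);
        }
        if (!expectedType.isAssignableFrom(loaded)) {
            throw new GemFireSecurityException("Instance could not be obtained. Expecting a " + expectedType.getName() + " class.");
        }
        try {
            return expectedType.cast(loaded.getDeclaredConstructor().newInstance());
        } catch (Exception e) {
            throw new GemFireSecurityException("Instance could not be obtained. Error instantiating " + loaded.getName(), e);
        }
    }

    /**
     * Obtains an instance by invoking the static, no-arg factory method named by
     * {@code methodName} and verifies the result is of {@code expectedType}.
     *
     * @param methodName the factory method, in the form understood by
     *        {@link ClassLoadUtil#methodFromName}
     * @param expectedType the type the result must be an instance of
     * @return the object returned by the factory method
     * @throws GemFireSecurityException if the method cannot be resolved or invoked, returns
     *         {@code null}, or returns an object of the wrong type
     */
    public static <T> T getObjectOfTypeFromFactoryMethod(String methodName, Class<T> expectedType) {
        Object created;
        try {
            created = ClassLoadUtil.methodFromName(methodName).invoke(null, (Object[]) null);
        } catch (Exception e) {
            throw new GemFireSecurityException("Instance could not be obtained from " + methodName, e);
        }
        if (created == null) {
            throw new GemFireSecurityException("Instance could not be obtained from " + methodName);
        }
        // Reject a wrong-typed result here, with a clear message, instead of letting the
        // caller hit a ClassCastException far from the misconfiguration.
        if (!expectedType.isInstance(created)) {
            throw new GemFireSecurityException("Instance could not be obtained from " + methodName + ". Expecting a " + expectedType.getName() + " class.");
        }
        return expectedType.cast(created);
    }

    /**
     * Obtains an instance from {@code name}, first treating it as a class name and, if
     * that fails for any reason, as a static factory method name.
     *
     * @param name a class name or a factory method name
     * @param expectedType the required type of the result
     * @return the instance
     * @throws RuntimeException the failure of the factory-method attempt, with the failure
     *         of the class-name attempt attached as a suppressed exception so both
     *         diagnostics survive
     */
    public static <T> T getObjectOfType(String name, Class<T> expectedType) {
        // Neither helper declares checked exceptions, so only unchecked ones can escape.
        try {
            return getObjectOfTypeFromClassName(name, expectedType);
        } catch (RuntimeException byClassName) {
            try {
                return getObjectOfTypeFromFactoryMethod(name, expectedType);
            } catch (RuntimeException byFactoryMethod) {
                byFactoryMethod.addSuppressed(byClassName);
                throw byFactoryMethod;
            }
        }
    }

    /** @return the configured {@link SecurityManager}, or {@code null} if none */
    public static SecurityManager getSecurityManager() {
        return securityManager;
    }

    /** @return {@code true} if clients must authenticate (legacy authenticator or integrated security) */
    public static boolean isClientSecurityRequired() {
        return isClientAuthenticator || isIntegratedSecurity;
    }

    /** @return {@code true} if peers must authenticate (legacy authenticator or integrated security) */
    public static boolean isPeerSecurityRequired() {
        return isPeerAuthenticator || isIntegratedSecurity;
    }

    /** @return {@code true} if a Shiro-backed (integrated) security configuration is active */
    public static boolean isIntegratedSecurity() {
        return isIntegratedSecurity;
    }
}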
