package org.dcache.gplazma;

import com.google.common.base.Preconditions;
import com.google.common.base.Predicate;
import com.google.common.base.Predicates;
import com.google.common.collect.Collections2;
import com.google.common.collect.Iterables;
import java.lang.reflect.Modifier;
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Properties;
import java.util.Set;
import java.util.concurrent.CopyOnWriteArraySet;
import javax.security.auth.Subject;
import org.dcache.auth.LoginNamePrincipal;
import org.dcache.auth.Origin;
import org.dcache.auth.PasswordCredential;
import org.dcache.commons.util.NDC;
import org.dcache.gplazma.configuration.ConfigurationItem;
import org.dcache.gplazma.configuration.ConfigurationItemControl;
import org.dcache.gplazma.configuration.ConfigurationItemType;
import org.dcache.gplazma.configuration.ConfigurationLoadingStrategy;
import org.dcache.gplazma.configuration.parser.FactoryConfigurationException;
import org.dcache.gplazma.loader.CachingPluginLoaderDecorator;
import org.dcache.gplazma.loader.PluginFactory;
import org.dcache.gplazma.loader.PluginLoader;
import org.dcache.gplazma.loader.PluginLoadingException;
import org.dcache.gplazma.loader.XmlResourcePluginLoader;
import org.dcache.gplazma.monitor.CombinedLoginMonitor;
import org.dcache.gplazma.monitor.LoggingLoginMonitor;
import org.dcache.gplazma.monitor.LoginMonitor;
import org.dcache.gplazma.monitor.LoginResult;
import org.dcache.gplazma.monitor.LoginResultPrinter;
import org.dcache.gplazma.monitor.RecordingLoginMonitor;
import org.dcache.gplazma.plugins.GPlazmaAccountPlugin;
import org.dcache.gplazma.plugins.GPlazmaAuthenticationPlugin;
import org.dcache.gplazma.plugins.GPlazmaIdentityPlugin;
import org.dcache.gplazma.plugins.GPlazmaMappingPlugin;
import org.dcache.gplazma.plugins.GPlazmaPlugin;
import org.dcache.gplazma.plugins.GPlazmaSessionPlugin;
import org.dcache.gplazma.strategies.AccountStrategy;
import org.dcache.gplazma.strategies.AuthenticationStrategy;
import org.dcache.gplazma.strategies.GPlazmaPluginElement;
import org.dcache.gplazma.strategies.IdentityStrategy;
import org.dcache.gplazma.strategies.MappingStrategy;
import org.dcache.gplazma.strategies.SessionStrategy;
import org.dcache.gplazma.strategies.StrategyFactory;
import org.dcache.gplazma.validation.ValidationStrategy;
import org.dcache.gplazma.validation.ValidationStrategyFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/dcache/gplazma/GPlazma.class */
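/**
 * Runs a login through the configured gPlazma plugin phases (AUTH, MAP, ACCOUNT, SESSION,
 * then VALIDATION of the reply) and resolves principals through the identity plugins.
 *
 * <p>The plugin configuration is reloaded lazily: every login and identity lookup calls
 * {@link #checkPluginConfig()} while holding the monitor of {@code configurationLoadingStrategy}.
 * While the last load attempt is recorded as failed, those calls throw instead of running
 * with a partially loaded plugin set, so logins are refused rather than weakened.
 *
 * <p>NOTE(review): {@code validationStrategy} is replaced by {@link #initStrategies()} under
 * that monitor but read by {@link #buildReply} without it, unlike the other strategies, which
 * are snapshotted under the lock. Confirm whether a concurrent reload can race with a login.
 */
public class GPlazma {
    private static final Logger LOGGER = LoggerFactory.getLogger(GPlazma.class);
    private static final LoginMonitor LOGGING_LOGIN_MONITOR = new LoggingLoginMonitor();

    /** Matches objects whose runtime class is declared {@code public}. */
    private static final Predicate<Object> IS_PUBLIC = new Predicate<Object>() {
        @Override
        public boolean apply(Object obj) {
            return Modifier.isPublic(obj.getClass().getModifiers());
        }
    };

    // Subjects whose failed login has already been reported in detail; see login(Subject).
    private final KnownFailedLogins _failedLogins;
    private Properties _globalProperties;
    private boolean _globalPropertiesHaveUpdated;
    private PluginLoader pluginLoader;
    private final PluginFactory _customPluginFactory;
    // Non-null while the most recent loadPlugins() attempt failed.
    private GPlazmaInternalException _lastLoadPluginsProblem;
    private List<GPlazmaPluginElement<GPlazmaAuthenticationPlugin>> authenticationPluginElements;
    private List<GPlazmaPluginElement<GPlazmaMappingPlugin>> mappingPluginElements;
    private List<GPlazmaPluginElement<GPlazmaAccountPlugin>> accountPluginElements;
    private List<GPlazmaPluginElement<GPlazmaSessionPlugin>> sessionPluginElements;
    private List<GPlazmaPluginElement<GPlazmaIdentityPlugin>> identityPluginElements;
    private final ConfigurationLoadingStrategy configurationLoadingStrategy;
    private AuthenticationStrategy _authStrategy;
    private MappingStrategy _mapStrategy;
    private AccountStrategy _accountStrategy;
    private SessionStrategy _sessionStrategy;
    private ValidationStrategy validationStrategy;
    private IdentityStrategy identityStrategy;

    /**
     * Remembers which subjects have already failed to log in, so that the detailed failure
     * report is written once per subject rather than on every retry.
     *
     * <p>The decompiler reports that this class and its methods were {@code private} in the
     * original and were widened only for nested-class access; it is not meant to be used
     * outside {@link GPlazma}.
     *
     * <p>NOTE(review): entries are removed only on a successful login of the same subject or
     * when the configuration is reloaded, so the set grows with every distinct failing
     * subject. {@link CopyOnWriteArraySet} copies its backing array on each add and searches
     * linearly, so a flood of failed logins with distinct identities costs memory and CPU.
     * Consider a size-bounded or expiring cache.
     */
    public static class KnownFailedLogins {
        private final Set<Subject> _failedLogins = new CopyOnWriteArraySet<>();

        private KnownFailedLogins() {
        }

        /**
         * Records the user name of the first {@link PasswordCredential}, if any, as a
         * {@link LoginNamePrincipal}. The credential object itself is not added to the set.
         */
        private static void addPrincipalsForPrivateCredentials(Set<Principal> principals, Set<Object> privateCredentials) {
            PasswordCredential password =
                    Iterables.getFirst(Iterables.filter(privateCredentials, PasswordCredential.class), null);
            if (password != null) {
                principals.add(new LoginNamePrincipal(password.getUsername()));
            }
        }

        /**
         * Builds the subject used as the set key: all public credentials, every principal
         * except {@link Origin} ones, and a login-name principal standing in for a password
         * credential. No private credential is copied into the stored subject.
         */
        private static Subject storageSubjectFor(Subject subject) {
            Subject stored = new Subject();
            stored.getPublicCredentials().addAll(subject.getPublicCredentials());
            stored.getPrincipals().addAll(
                    Collections2.filter(subject.getPrincipals(), Predicates.not(Predicates.instanceOf(Origin.class))));
            addPrincipalsForPrivateCredentials(stored.getPrincipals(), subject.getPrivateCredentials());
            return stored;
        }

        /** Returns whether a failure for an equivalent subject has already been recorded. */
        public boolean has(Subject subject) {
            return this._failedLogins.contains(storageSubjectFor(subject));
        }

        /** Records a failed login for the subject. */
        public void add(Subject subject) {
            this._failedLogins.add(storageSubjectFor(subject));
        }

        /** Forgets a previously recorded failure for the subject. */
        public void remove(Subject subject) {
            this._failedLogins.remove(storageSubjectFor(subject));
        }

        /** Forgets all recorded failures. */
        public void clear() {
            this._failedLogins.clear();
        }
    }

    /**
     * Creates an instance that uses the default plugin factory.
     *
     * @param configurationLoadingStrategy source of the plugin configuration
     * @param properties global properties used as defaults for every plugin
     */
    public GPlazma(ConfigurationLoadingStrategy configurationLoadingStrategy, Properties properties) {
        this(configurationLoadingStrategy, properties, null);
    }

    /**
     * Creates an instance and attempts an initial plugin load.
     *
     * @param configurationLoadingStrategy source of the plugin configuration; also the lock
     *     object guarding reloads
     * @param properties global properties used as defaults for every plugin
     * @param pluginFactory factory installed on the plugin loader, or {@code null} to keep
     *     the loader's own
     */
    public GPlazma(ConfigurationLoadingStrategy configurationLoadingStrategy, Properties properties, PluginFactory pluginFactory) {
        this._failedLogins = new KnownFailedLogins();
        this.configurationLoadingStrategy = configurationLoadingStrategy;
        this._globalProperties = properties;
        this._customPluginFactory = pluginFactory;
        try {
            loadPlugins();
        } catch (GPlazmaInternalException ignored) {
            // Deliberately not propagated. A failure while loading the configuration is
            // logged and stored in _lastLoadPluginsProblem by loadPlugins(), and
            // checkPluginConfig() rethrows it on each later login or identity lookup.
            LOGGER.debug("initial plugin load failed", ignored);
        }
    }

    /**
     * Logs the subject in and reports a failure in detail the first time it happens.
     *
     * <p>A failed login is logged at WARN only if no equivalent subject is already in the
     * failed-login set; a later success removes the subject from that set.
     *
     * <p>NOTE(review): the monitors receive the subject's private credentials in the AUTH
     * phase, and the recorded result is printed into the log here. Confirm that
     * {@code LoginResultPrinter} and {@code LoggingLoginMonitor} never render secrets.
     *
     * @param subject the principals and credentials presented by the client
     * @return the login reply produced by the plugin phases
     * @throws AuthenticationException if any phase rejects the login
     */
    public LoginReply login(Subject subject) throws AuthenticationException {
        RecordingLoginMonitor recordingLoginMonitor = new RecordingLoginMonitor();
        try {
            LoginReply reply = login(subject, CombinedLoginMonitor.of(recordingLoginMonitor, LOGGING_LOGIN_MONITOR));
            this._failedLogins.remove(subject);
            return reply;
        } catch (AuthenticationException e) {
            if (!this._failedLogins.has(subject)) {
                this._failedLogins.add(subject);
                LoginResult result = recordingLoginMonitor.getResult();
                if (result.hasStarted()) {
                    LOGGER.warn("Login attempt failed; detailed explanation follows:\n{}", new LoginResultPrinter(result).print());
                } else {
                    LOGGER.warn("Login attempt failed: {}", e.getMessage());
                }
            }
            throw e;
        }
    }

    /**
     * Runs the AUTH, MAP, ACCOUNT and SESSION phases and builds the validated reply.
     *
     * <p>The four phase strategies are snapshotted under the configuration lock, so one login
     * uses a consistent set even if a reload happens while it runs. Before the reply is
     * built, principals whose class is not {@code public} are dropped from the result.
     *
     * @param subject the principals and credentials presented by the client; must not be null
     * @param loginMonitor receives the begin/end events of every phase
     * @return the login reply
     * @throws AuthenticationException if a phase rejects the login or the plugin
     *     configuration cannot be used
     */
    public LoginReply login(Subject subject, LoginMonitor loginMonitor) throws AuthenticationException {
        AuthenticationStrategy authenticationStrategy;
        MappingStrategy mappingStrategy;
        AccountStrategy accountStrategy;
        SessionStrategy sessionStrategy;
        Preconditions.checkNotNull(subject, "subject is null");
        synchronized (this.configurationLoadingStrategy) {
            try {
                checkPluginConfig();
            } catch (GPlazmaInternalException e) {
                // NOTE(review): the cause is dropped and the internal message is passed to the
                // caller. If AuthenticationException offers a (String, Throwable) constructor,
                // chain e; also confirm the message is not forwarded to remote clients.
                throw new AuthenticationException("internal gPlazma error: " + e.getMessage());
            }
            authenticationStrategy = this._authStrategy;
            mappingStrategy = this._mapStrategy;
            accountStrategy = this._accountStrategy;
            sessionStrategy = this._sessionStrategy;
        }
        Set<Principal> principals = new HashSet<>();
        doAuthPhase(authenticationStrategy, loginMonitor, subject, principals);
        doMapPhase(mappingStrategy, loginMonitor, principals);
        doAccountPhase(accountStrategy, loginMonitor, principals);
        Set<Object> attributes = doSessionPhase(sessionStrategy, loginMonitor, principals);
        // Only principals of public classes are handed back to the caller.
        Iterables.removeIf(principals, Predicates.not(IS_PUBLIC));
        return buildReply(loginMonitor, subject, principals, attributes);
    }

    /**
     * Runs the AUTH phase. The subject's own principals are added to {@code principals}
     * before the plugins run. The monitor is always told how the phase ended, exactly once.
     */
    private void doAuthPhase(AuthenticationStrategy authenticationStrategy, LoginMonitor loginMonitor, Subject subject, Set<Principal> principals) throws AuthenticationException {
        Set<Object> publicCredentials = subject.getPublicCredentials();
        Set<Object> privateCredentials = subject.getPrivateCredentials();
        principals.addAll(subject.getPrincipals());
        NDC.push("AUTH");
        LoginMonitor.Result result = LoginMonitor.Result.FAIL;
        try {
            loginMonitor.authBegins(publicCredentials, privateCredentials, principals);
            authenticationStrategy.authenticate(loginMonitor, publicCredentials, privateCredentials, principals);
            result = LoginMonitor.Result.SUCCESS;
        } finally {
            // A finally block keeps the NDC pop and the end event to one call each, even
            // when the end callback itself throws.
            NDC.pop();
            loginMonitor.authEnds(principals, result);
        }
    }

    /** Runs the MAP phase; the monitor is always told how the phase ended, exactly once. */
    private void doMapPhase(MappingStrategy mappingStrategy, LoginMonitor loginMonitor, Set<Principal> principals) throws AuthenticationException {
        NDC.push("MAP");
        LoginMonitor.Result result = LoginMonitor.Result.FAIL;
        try {
            loginMonitor.mapBegins(principals);
            mappingStrategy.map(loginMonitor, principals);
            result = LoginMonitor.Result.SUCCESS;
        } finally {
            NDC.pop();
            loginMonitor.mapEnds(principals, result);
        }
    }

    /** Runs the ACCOUNT phase; the monitor is always told how the phase ended, exactly once. */
    private void doAccountPhase(AccountStrategy accountStrategy, LoginMonitor loginMonitor, Set<Principal> principals) throws AuthenticationException {
        NDC.push("ACCOUNT");
        LoginMonitor.Result result = LoginMonitor.Result.FAIL;
        try {
            loginMonitor.accountBegins(principals);
            accountStrategy.account(loginMonitor, principals);
            result = LoginMonitor.Result.SUCCESS;
        } finally {
            NDC.pop();
            loginMonitor.accountEnds(principals, result);
        }
    }

    /**
     * Runs the SESSION phase and returns the session attributes the plugins produced.
     * The monitor is always told how the phase ended, exactly once.
     */
    private Set<Object> doSessionPhase(SessionStrategy sessionStrategy, LoginMonitor loginMonitor, Set<Principal> principals) throws AuthenticationException {
        Set<Object> attributes = new HashSet<>();
        NDC.push("SESSION");
        LoginMonitor.Result result = LoginMonitor.Result.FAIL;
        try {
            loginMonitor.sessionBegins(principals);
            sessionStrategy.session(loginMonitor, principals, attributes);
            result = LoginMonitor.Result.SUCCESS;
        } finally {
            NDC.pop();
            loginMonitor.sessionEnds(principals, attributes, result);
        }
        return attributes;
    }

    /**
     * Assembles the login reply and validates it.
     *
     * @param loginMonitor receives the validation result and, on rejection, its message
     * @param subject source of the public and private credentials placed in the reply
     * @param set principals placed in the reply's subject
     * @param set2 session attributes placed in the reply
     * @return the validated reply
     * @throws AuthenticationException if the validation strategy rejects the reply
     */
    public LoginReply buildReply(LoginMonitor loginMonitor, Subject subject, Set<Principal> set, Set<Object> set2) throws AuthenticationException {
        Set<Object> publicCredentials = subject.getPublicCredentials();
        Set<Object> privateCredentials = subject.getPrivateCredentials();
        LoginReply loginReply = new LoginReply();
        loginReply.setSubject(new Subject(false, set, publicCredentials, privateCredentials));
        loginReply.setSessionAttributes(set2);
        LoginMonitor.Result result = LoginMonitor.Result.FAIL;
        String error = null;
        NDC.push("VALIDATION");
        try {
            this.validationStrategy.validate(loginReply);
            result = LoginMonitor.Result.SUCCESS;
        } catch (AuthenticationException e) {
            error = e.getMessage();
            throw e;
        } finally {
            // Reported once on every path; error stays null unless validation rejected.
            NDC.pop();
            loginMonitor.validationResult(result, error);
        }
        return loginReply;
    }

    /**
     * Maps a principal through the identity strategy.
     *
     * @throws NoSuchPrincipalException if the strategy reports none, or if the plugin
     *     configuration cannot be used
     */
    public Principal map(Principal principal) throws NoSuchPrincipalException {
        try {
            return getIdentityStrategy().map(principal);
        } catch (GPlazmaInternalException e) {
            // NOTE(review): an internal configuration failure is reported as "no such
            // principal" and its cause is dropped; chain e if the exception type allows it.
            throw new NoSuchPrincipalException("internal gPlazma error: " + e.getMessage());
        }
    }

    /**
     * Reverse-maps a principal through the identity strategy.
     *
     * @throws NoSuchPrincipalException if the strategy reports none, or if the plugin
     *     configuration cannot be used
     */
    public Set<Principal> reverseMap(Principal principal) throws NoSuchPrincipalException {
        try {
            return getIdentityStrategy().reverseMap(principal);
        } catch (GPlazmaInternalException e) {
            // NOTE(review): same cause-dropping conversion as in map(Principal).
            throw new NoSuchPrincipalException("internal gPlazma error: " + e.getMessage());
        }
    }

    /** Returns the current identity strategy after a configuration check, under the lock. */
    private IdentityStrategy getIdentityStrategy() throws GPlazmaInternalException {
        synchronized (this.configurationLoadingStrategy) {
            checkPluginConfig();
            return this.identityStrategy;
        }
    }

    /**
     * Rebuilds the plugin loader, instantiates every configured plugin and installs new
     * strategies. A failure while loading the configuration is logged, remembered in
     * {@code _lastLoadPluginsProblem} and rethrown; the strategies are replaced only after
     * every plugin has loaded.
     */
    private void loadPlugins() throws GPlazmaInternalException {
        LOGGER.debug("reloading plugins");
        this.pluginLoader = new CachingPluginLoaderDecorator(XmlResourcePluginLoader.newPluginLoader());
        if (this._customPluginFactory != null) {
            this.pluginLoader.setPluginFactory(this._customPluginFactory);
        }
        this.pluginLoader.init();
        resetPlugins();
        try {
            for (ConfigurationItem item : this.configurationLoadingStrategy.load().getConfigurationItemList()) {
                String pluginName = item.getPluginName();
                // Global properties act as defaults; the plugin's own entries override them.
                Properties pluginProperties = new Properties(this._globalProperties);
                pluginProperties.putAll(item.getPluginConfiguration());
                try {
                    GPlazmaPlugin plugin = this.pluginLoader.newPluginByName(pluginName, pluginProperties);
                    classifyPlugin(item.getType(), plugin, pluginName, item.getControl());
                } catch (PluginLoadingException e) {
                    throw new PluginLoadingException("failed to create " + pluginName + ": " + e.getMessage(), e);
                }
            }
            initStrategies();
            if (isPreviousLoadPluginsProblematic()) {
                LOGGER.warn("gPlazma configuration successfully loaded");
                this._lastLoadPluginsProblem = null;
            }
        } catch (GPlazmaInternalException e) {
            LOGGER.error(e.getMessage());
            this._lastLoadPluginsProblem = e;
            throw e;
        }
    }

    /** Replaces the per-type plugin lists with empty ones. */
    private void resetPlugins() {
        this.authenticationPluginElements = new ArrayList<>();
        this.mappingPluginElements = new ArrayList<>();
        this.accountPluginElements = new ArrayList<>();
        this.sessionPluginElements = new ArrayList<>();
        this.identityPluginElements = new ArrayList<>();
    }

    /** Creates fresh strategies and hands each one the plugin list of its type. */
    private void initStrategies() throws FactoryConfigurationException {
        StrategyFactory factory = StrategyFactory.getInstance();
        this._authStrategy = factory.newAuthenticationStrategy();
        this._authStrategy.setPlugins(this.authenticationPluginElements);
        this._mapStrategy = factory.newMappingStrategy();
        this._mapStrategy.setPlugins(this.mappingPluginElements);
        this._accountStrategy = factory.newAccountStrategy();
        this._accountStrategy.setPlugins(this.accountPluginElements);
        this._sessionStrategy = factory.newSessionStrategy();
        this._sessionStrategy.setPlugins(this.sessionPluginElements);
        this.identityStrategy = factory.newIdentityStrategy();
        this.identityStrategy.setPlugins(this.identityPluginElements);
        this.validationStrategy = ValidationStrategyFactory.getInstance().newValidationStrategy();
    }

    /**
     * Reloads the plugins if the global properties or the configuration have changed, then
     * throws the recorded problem if the most recent load failed. A reload also clears the
     * failed-login set. Callers hold the {@code configurationLoadingStrategy} monitor.
     */
    private void checkPluginConfig() throws GPlazmaInternalException {
        if (this._globalPropertiesHaveUpdated || this.configurationLoadingStrategy.hasUpdated()) {
            this._globalPropertiesHaveUpdated = false;
            this._failedLogins.clear();
            loadPlugins();
        }
        if (isPreviousLoadPluginsProblematic()) {
            throw this._lastLoadPluginsProblem;
        }
    }

    private boolean isPreviousLoadPluginsProblematic() {
        return this._lastLoadPluginsProblem != null;
    }

    /**
     * Adds the plugin to the list for its configured type, after checking that the plugin
     * class implements the interface that type requires.
     *
     * @throws PluginLoadingException if the plugin does not implement the configured type,
     *     or the type is unknown
     */
    private void classifyPlugin(ConfigurationItemType type, GPlazmaPlugin plugin, String pluginName, ConfigurationItemControl control) throws PluginLoadingException {
        if (!type.getType().isAssignableFrom(plugin.getClass())) {
            throw new PluginLoadingException("plugin " + pluginName + " (java class  " + plugin.getClass().getCanonicalName() + ") does not support being loaded as type " + type);
        }
        switch (type) {
            case AUTHENTICATION:
                storePluginElement(plugin, pluginName, control, this.authenticationPluginElements);
                break;
            case MAPPING:
                storePluginElement(plugin, pluginName, control, this.mappingPluginElements);
                break;
            case ACCOUNT:
                storePluginElement(plugin, pluginName, control, this.accountPluginElements);
                break;
            case SESSION:
                storePluginElement(plugin, pluginName, control, this.sessionPluginElements);
                break;
            case IDENTITY:
                storePluginElement(plugin, pluginName, control, this.identityPluginElements);
                break;
            default:
                throw new PluginLoadingException("unknown plugin type " + type);
        }
    }

    /** Wraps the plugin in an element and appends it to the given list. */
    private static <T extends GPlazmaPlugin> void storePluginElement(GPlazmaPlugin plugin, String pluginName, ConfigurationItemControl control, List<GPlazmaPluginElement<T>> elements) {
        // Generics cannot express the check, so the cast is unchecked; classifyPlugin has
        // already verified the plugin's class against the configured type.
        @SuppressWarnings("unchecked")
        T typedPlugin = (T) plugin;
        elements.add(new GPlazmaPluginElement<>(typedPlugin, pluginName, control));
    }
}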
