package org.geonode.security;

import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Properties;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.sql.DataSource;
import net.sf.json.JSONObject;
import net.sf.json.JSONSerializer;
import org.apache.commons.codec.binary.Base64;
import org.geoserver.catalog.ResourceInfo;
import org.geoserver.security.AccessMode;
import org.geoserver.security.impl.GeoServerRole;
import org.geoserver.security.impl.GeoServerUser;
import org.geotools.util.logging.Logging;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.transaction.interceptor.RuleBasedTransactionAttribute;

/* loaded from: input_file:WEB-INF/classes/org/geonode/security/DatabaseSecurityClient.class */
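/**
 * {@link GeoNodeSecurityClient} that authenticates callers against GeoNode's
 * {@code layers/resolve_user} HTTP endpoint and authorizes layer access through the
 * {@code geonode_authorize_layer} database function.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The JSON returned from {@code baseUrl} decides whether a caller receives
 *       {@link GeoServerRole#ADMIN_ROLE}, and the caller's session cookie or Basic credentials
 *       are forwarded to that URL. The channel to {@code baseUrl} therefore has to be trusted;
 *       whether it is TLS-protected depends on configuration not visible in this class.</li>
 *   <li>Authentication results are cached for up to one day, so a logout, password change or
 *       role change in GeoNode is not seen by this instance until the entry expires or is
 *       evicted.</li>
 *   <li>Authorization decisions are cached per (effective user, layer) for at most one minute.</li>
 * </ul>
 */
public class DatabaseSecurityClient implements GeoNodeSecurityClient {
    /** Name of the session cookie forwarded to GeoNode. */
    private static final String GEONODE_COOKIE_NAME = "sessionid";

    // Cached authorization outcomes. UNKNOWN and DENIED both result in a refusal.
    private static final byte ACCESS_UNKNOWN = 0;
    private static final byte ACCESS_DENIED = 1;
    private static final byte ACCESS_READ = 2;
    private static final byte ACCESS_WRITE = 3;

    private final DataSource dataSource;
    private final HTTPClient client;
    private final String baseUrl;

    // NOTE(review): the logger is registered under DefaultSecurityClient, not this class. Kept
    // as-is because existing logging configuration may depend on that name; confirm intent.
    private final Logger LOGGER = Logging.getLogger(DefaultSecurityClient.class);
    private final AnonymousAuthenticationToken ANONYMOUS = new AnonymousAuthenticationToken("geonode", "anonymous", Collections.singletonList(GeoServerRole.ANONYMOUS_ROLE));
    private final Collection<? extends GrantedAuthority> ADMIN_AUTHORITY = Arrays.asList(GeoServerRole.ADMIN_ROLE, GeoServerRole.AUTHENTICATED_ROLE);

    // Keys are the raw session id, or "user:password" in clear text, so the map itself is
    // sensitive: it must never be logged, serialized or exposed through diagnostics.
    private final Cache<String, Authentication> authenticationCache = CacheBuilder.newBuilder().maximumSize(100).expireAfterWrite(1, TimeUnit.DAYS).build();

    // expireAfterWrite (not expireAfterAccess): a sliding expiry would keep a decision alive for
    // as long as it is looked up at least once a minute, so a permission revoked in GeoNode (or a
    // denial cached during a database outage) could persist indefinitely for an active client.
    private final Cache<AuthorizationKey, Byte> authorizationCache = CacheBuilder.newBuilder().maximumSize(10000).expireAfterWrite(1, TimeUnit.MINUTES).build();

    /**
     * Cache key for an authorization decision: the user name that is actually sent to the
     * database ({@code null} for anonymous) plus the prefixed layer name.
     */
    private static final class AuthorizationKey {
        private final String user;
        private final String layer;

        AuthorizationKey(String user, String layer) {
            if (layer == null) {
                throw new NullPointerException("layer");
            }
            // Request-derived strings are stored as-is; interning them would place
            // caller-influenced values in the JVM-wide string pool for no functional gain.
            this.user = user;
            this.layer = layer;
        }

        @Override
        public int hashCode() {
            int userHash = this.user == null ? 0 : this.user.hashCode();
            return 31 * userHash + this.layer.hashCode();
        }

        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (!(obj instanceof AuthorizationKey)) {
                return false;
            }
            AuthorizationKey other = (AuthorizationKey) obj;
            boolean sameUser = this.user == null ? other.user == null : this.user.equals(other.user);
            return sameUser && this.layer.equals(other.layer);
        }
    }

    /**
     * @param dataSource source of connections to the database exposing
     *     {@code geonode_authorize_layer}
     * @param baseUrl GeoNode base URL; {@code "layers/resolve_user"} is appended verbatim, so it
     *     is expected to end with a slash
     * @param client HTTP client used for the {@code resolve_user} call
     */
    public DatabaseSecurityClient(DataSource dataSource, String baseUrl, HTTPClient client) {
        this.dataSource = dataSource;
        this.baseUrl = baseUrl;
        this.client = client;
    }

    /**
     * Resolves a GeoNode session id to an {@link Authentication}, consulting the one-day cache
     * first.
     *
     * @param sessionId value of the GeoNode session cookie; also stored as the token credentials
     */
    @Override
    public Authentication authenticateCookie(String sessionId) throws AuthenticationException, IOException {
        Authentication cached = this.authenticationCache.getIfPresent(sessionId);
        if (cached == null) {
            cached = authenticate(sessionId, "Cookie", GEONODE_COOKIE_NAME + "=" + sessionId);
            this.authenticationCache.put(sessionId, cached);
        }
        return cached;
    }

    /** Returns the shared anonymous token; no remote call is made. */
    @Override
    public Authentication authenticateAnonymous() throws AuthenticationException, IOException {
        return this.ANONYMOUS;
    }

    /**
     * Resolves a user name / password pair through GeoNode using HTTP Basic authentication,
     * consulting the one-day cache first.
     */
    @Override
    public Authentication authenticateUserPwd(String username, String password) throws AuthenticationException, IOException {
        String userAndPassword = username + ":" + password;
        Authentication cached = this.authenticationCache.getIfPresent(userAndPassword);
        if (cached == null) {
            // Explicit charset: the platform default would make the encoded credentials differ
            // between hosts for non-ASCII input. NOTE(review): confirm GeoNode decodes Basic
            // credentials as UTF-8.
            byte[] encoded = Base64.encodeBase64(userAndPassword.getBytes(StandardCharsets.UTF_8));
            cached = authenticate(password, "Authorization", "Basic " + new String(encoded, StandardCharsets.US_ASCII));
            this.authenticationCache.put(userAndPassword, cached);
        }
        return cached;
    }

    /**
     * Calls {@code layers/resolve_user} with the given request headers and converts the JSON
     * answer into an {@link Authentication}.
     *
     * @param credentials value stored as the credentials of the resulting token
     * @param headers request headers; both callers in this class pass (name, value) pairs
     */
    private Authentication authenticate(Object credentials, String... headers) throws AuthenticationException, IOException {
        String url = this.baseUrl + "layers/resolve_user";
        if (this.LOGGER.isLoggable(Level.FINEST)) {
            // Header values carry the session id or the Basic credentials, so only the names
            // (even positions) are written to the log.
            StringBuilder names = new StringBuilder();
            for (int i = 0; i < headers.length; i += 2) {
                if (names.length() > 0) {
                    names.append(", ");
                }
                names.append(headers[i]);
            }
            this.LOGGER.finest("Authenticating with headers [" + names + "] (values redacted)");
        }
        String body = this.client.sendGET(url, headers);
        if (this.LOGGER.isLoggable(Level.FINEST)) {
            // The body can contain the user's e-mail address and full name.
            this.LOGGER.finest("Auth response: " + body);
        }
        return toAuthentication(credentials, (JSONObject) JSONSerializer.toJSON(body));
    }

    /**
     * Maps the {@code resolve_user} JSON answer to a Spring Security token.
     *
     * <p>When {@code "user"} is a {@link JSONObject} the caller is either the GeoServer service
     * identity ({@code "geoserver"} is true, admin authorities) or anonymous. Otherwise
     * {@code "user"} is taken as the user name and {@code "superuser"} selects admin authorities.
     */
    private Authentication toAuthentication(Object credentials, JSONObject json) {
        Object user = json.get("user");
        // NOTE(review): presumably json-lib represents a JSON null here as a JSONObject, which
        // would make this the "no user resolved" branch; verify against the json-lib version
        // in use.
        if (user instanceof JSONObject) {
            if (json.getBoolean("geoserver")) {
                return new PreAuthenticatedAuthenticationToken("geoserver", "geoserver", this.ADMIN_AUTHORITY);
            }
            return this.ANONYMOUS;
        }
        Collection<? extends GrantedAuthority> authorities = json.getBoolean("superuser")
                ? this.ADMIN_AUTHORITY
                : Collections.<GrantedAuthority>emptyList();
        GeoServerUser geoServerUser = new GeoServerUser(user.toString());
        Properties properties = geoServerUser.getProperties();
        properties.put("email", json.optString("email"));
        properties.put("fullname", json.optString("fullname"));
        AbstractAuthenticationToken token = new UsernamePasswordAuthenticationToken(geoServerUser, credentials, authorities);
        return token;
    }

    /**
     * Asks the database for the access decision of {@code user} on {@code layer}.
     *
     * @param user user name, or {@code null} for a caller without credentials
     * @param layer prefixed layer name
     * @return the first column of the first row returned by {@code geonode_authorize_layer},
     *     or {@code null} when the query could not be run or returned no row (the failure is
     *     logged; callers treat {@code null} as a denial)
     */
    String authorize(String user, String layer) {
        Connection connection = null;
        try {
            connection = this.dataSource.getConnection();
        } catch (SQLException e) {
            this.LOGGER.log(Level.SEVERE, "Error opening auth db connection", e);
        }
        if (connection == null) {
            return null;
        }
        try {
            return queryAuthorization(connection, user, layer);
        } finally {
            closeQuietly(connection, "connection");
        }
    }

    /** Runs the parameterized authorization query on an open connection. */
    private String queryAuthorization(Connection connection, String user, String layer) {
        PreparedStatement statement = null;
        ResultSet results = null;
        try {
            try {
                // Both values are bound as parameters, never concatenated into the SQL text.
                statement = connection.prepareStatement("select * from geonode_authorize_layer(?,?)");
                statement.setString(1, user);
                statement.setString(2, layer);
            } catch (SQLException e) {
                this.LOGGER.log(Level.SEVERE, "Error preparing auth statement", e);
                // Do not execute a statement whose parameters may not be bound.
                return null;
            }
            try {
                results = statement.executeQuery();
                if (results.next()) {
                    return results.getString(1);
                }
                this.LOGGER.log(Level.SEVERE, "Expected a result, got none");
            } catch (SQLException e) {
                this.LOGGER.log(Level.SEVERE, "Error getting results", e);
            }
            return null;
        } finally {
            // Release in reverse order of acquisition; the caller closes the connection last.
            closeQuietly(results, "result set");
            closeQuietly(statement, "statement");
        }
    }

    /** Closes a JDBC resource, logging instead of propagating a failure. */
    private void closeQuietly(AutoCloseable resource, String what) {
        if (resource == null) {
            return;
        }
        try {
            resource.close();
        } catch (Exception e) {
            this.LOGGER.log(Level.WARNING, "Error closing " + what, e);
        }
    }

    /**
     * Decides whether {@code authentication} may access {@code resourceInfo} in
     * {@code accessMode}, using a short-lived cache of database decisions.
     *
     * @return {@code true} for write-level grants, {@code true} for read-level grants only when
     *     {@code accessMode} is {@link AccessMode#READ}, {@code false} otherwise
     * @throws RuntimeException if the cached value is not one of the known access levels, or
     *     if the database answer does not follow the expected protocol
     */
    @Override
    public boolean authorize(Authentication authentication, ResourceInfo resourceInfo, AccessMode accessMode) {
        // The key uses the same identity that is sent to the database. Keying on getName()
        // alone would let a token without credentials share cache entries with an
        // authenticated user of the same name.
        AuthorizationKey key = new AuthorizationKey(effectiveUserName(authentication), resourceInfo.prefixedName());
        Byte bits = this.authorizationCache.getIfPresent(key);
        if (bits == null) {
            bits = computeBits(authentication, resourceInfo, accessMode);
            this.authorizationCache.put(key, bits);
        }
        switch (bits.byteValue()) {
            case ACCESS_UNKNOWN:
            case ACCESS_DENIED:
                return false;
            case ACCESS_READ:
                return accessMode == AccessMode.READ;
            case ACCESS_WRITE:
                return true;
            default:
                throw new RuntimeException("Unknown authorization bits : " + bits);
        }
    }

    /**
     * Returns the user name to authorize as: {@code null} when the token carries empty
     * credentials (as the anonymous token does), otherwise {@code authentication.getName()}.
     */
    private static String effectiveUserName(Authentication authentication) {
        return "".equals(authentication.getCredentials()) ? null : authentication.getName();
    }

    /**
     * Queries the database and translates its answer into one of the {@code ACCESS_*} levels.
     *
     * <p>Answers handled: {@code "<x>-ro"} (read), {@code "<x>-rw"} (write), {@code "nf"}
     * (denied). No answer is a denial; anything else is logged and treated as unknown, which
     * also results in a refusal.
     */
    private Byte computeBits(Authentication authentication, ResourceInfo resourceInfo, AccessMode accessMode) {
        String decision = authorize(effectiveUserName(authentication), resourceInfo.prefixedName());
        boolean fineEnabled = this.LOGGER.isLoggable(Level.FINE);
        byte bits = ACCESS_DENIED;
        if (decision != null) {
            // NOTE(review): the separator is taken from an unrelated Spring constant (its value
            // is "-"); this looks like a decompiler substitution for a plain literal.
            String[] parts = decision.split(RuleBasedTransactionAttribute.PREFIX_ROLLBACK_RULE);
            if (parts.length >= 2) {
                boolean readOnly = "ro".equals(parts[1]);
                boolean readWrite = "rw".equals(parts[1]);
                if (!readOnly && !readWrite) {
                    throw new RuntimeException("auth protocol failure, expected ro or rw, got " + parts[1]);
                }
                bits = readOnly ? ACCESS_READ : ACCESS_WRITE;
                if (fineEnabled) {
                    this.LOGGER.log(Level.FINE, "authorized {0} to {1} for {2} : {3},{4}", new Object[]{authentication.getName(), resourceInfo.prefixedName(), accessMode, decision, Byte.valueOf(bits)});
                }
            } else if (parts.length == 1 && "nf".equals(parts[0])) {
                if (fineEnabled) {
                    this.LOGGER.log(Level.FINE, "rejecting {0} : {1}", new Object[]{authentication.getName(), decision});
                }
            } else {
                // Also reached when the answer consists only of separators (split() yields an
                // empty array); it is refused rather than indexed.
                this.LOGGER.log(Level.WARNING, "unknown access {0} : {1}", new Object[]{authentication.getName(), decision});
                bits = ACCESS_UNKNOWN;
            }
        }
        return Byte.valueOf(bits);
    }
}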
