package org.geonode.security;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.Properties;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import java.util.logging.Level;
import java.util.logging.Logger;
import net.sf.json.JSONObject;
import net.sf.json.JSONSerializer;
import org.apache.commons.codec.binary.Base64;
import org.geonode.security.LayersGrantedAuthority;
import org.geoserver.catalog.ResourceInfo;
import org.geoserver.security.AccessMode;
import org.geoserver.security.impl.GeoServerRole;
import org.geoserver.security.impl.GeoServerUser;
import org.geotools.util.logging.Logging;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.util.Assert;

/* loaded from: input_file:WEB-INF/classes/org/geonode/security/DefaultSecurityClient.class */
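/**
 * {@link GeoNodeSecurityClient} that resolves a caller's identity and layer permissions by
 * issuing a GET to {@code <baseUrl>layers/acls} and converting the JSON answer into a Spring
 * Security {@link Authentication}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The roles granted here (including {@link GeoServerRole#ADMIN_ROLE}) are taken verbatim
 *       from the ACL response, so the integrity of the connection to {@code baseUrl} decides who
 *       becomes an administrator. NOTE(review): confirm that deployments use an HTTPS base URL
 *       and that {@code HTTPClient} validates the server certificate; neither is visible here.</li>
 *   <li>Cookie and anonymous results are cached in {@code AuthCache}. How long an entry lives
 *       (and therefore how long a logged-out or demoted session keeps its authorities) is decided
 *       by {@code AuthCache}, which is not part of this file.</li>
 *   <li>Username/password results are deliberately not cached by this class.</li>
 * </ul>
 */
public class DefaultSecurityClient implements GeoNodeSecurityClient {
    static final Logger LOGGER = Logging.getLogger((Class<?>) DefaultSecurityClient.class);

    /** Cache key under which the anonymous authentication is stored. */
    private static final String ANONYMOUS_CACHE_KEY = "__anonymous__";

    private final HTTPClient client;
    private final String baseUrl;
    // Serialises cache misses so that one session triggers a single back-end request.
    // NOTE(review): the lock is held for the duration of the HTTP call, so a slow back end
    // stalls every other cache miss; confirm HTTPClient enforces a timeout.
    private final Lock authLock = new ReentrantLock();
    private final AuthCache authCache = new AuthCache();

    /**
     * @param str base URL of the GeoNode instance; {@code "layers/acls"} is appended to it
     *            as-is, so it is expected to end with a slash
     * @param hTTPClient client used to perform the ACL request
     */
    public DefaultSecurityClient(String str, HTTPClient hTTPClient) {
        this.client = hTTPClient;
        this.baseUrl = str;
    }

    String getBaseUrl() {
        return this.baseUrl;
    }

    /**
     * Authenticates a caller from its session cookie value, consulting the cache first.
     *
     * @param str the session id; sent to the back end as {@code Cookie: sessionid=<str>}
     * @return the cached or freshly resolved authentication
     * @throws IOException if the ACL request fails
     */
    @Override
    public Authentication authenticateCookie(String str) throws AuthenticationException, IOException {
        Assert.notNull(str);
        Authentication cached = this.authCache.get(str);
        if (cached != null) {
            return cached;
        }
        this.authLock.lock();
        try {
            // Re-check under the lock: another thread may have resolved this session meanwhile.
            Authentication resolved = this.authCache.get(str);
            if (resolved == null) {
                resolved = authenticate(str, "Cookie", "sessionid=" + str);
                this.authCache.put(str, resolved);
            }
            return resolved;
        } finally {
            this.authLock.unlock();
        }
    }

    /**
     * Authenticates a caller with HTTP Basic credentials. The result is not cached.
     *
     * @param str the user name
     * @param str2 the password; it is also stored as the credentials of the returned token
     * @return the resolved authentication
     * @throws IOException if the ACL request fails
     */
    @Override
    public Authentication authenticateUserPwd(String str, String str2) throws AuthenticationException, IOException {
        // Encode with an explicit charset: the platform default made the bytes sent for a
        // non-ASCII user name or password depend on the JVM's locale settings.
        byte[] rawCredentials = (str + ":" + str2).getBytes(java.nio.charset.StandardCharsets.UTF_8);
        String encoded = new String(Base64.encodeBase64(rawCredentials), java.nio.charset.StandardCharsets.US_ASCII);
        return authenticate(str2, "Authorization", "Basic " + encoded);
    }

    /**
     * Resolves the authorities of an unauthenticated caller, consulting the cache first.
     *
     * @return the cached or freshly resolved anonymous authentication
     * @throws IOException if the ACL request fails
     */
    @Override
    public Authentication authenticateAnonymous() throws AuthenticationException, IOException {
        Authentication cached = this.authCache.get(ANONYMOUS_CACHE_KEY);
        if (cached != null) {
            return cached;
        }
        this.authLock.lock();
        try {
            // Re-check under the lock: another thread may have filled the entry meanwhile.
            Authentication resolved = this.authCache.get(ANONYMOUS_CACHE_KEY);
            if (resolved == null) {
                resolved = authenticate(null, (String[]) null);
                this.authCache.put(ANONYMOUS_CACHE_KEY, resolved);
            }
            return resolved;
        } finally {
            this.authLock.unlock();
        }
    }

    /**
     * Performs the ACL request and builds the resulting authentication.
     *
     * @param obj credentials object to attach to the token (session id, password or {@code null})
     * @param strArr request headers as passed to {@code HTTPClient.sendGET}; the callers in this
     *               class pass a header name followed by its value, or {@code null}
     * @return an anonymous token, or a {@code GeoNodeSessionAuthToken} for a named user
     * @throws IOException if the ACL request fails
     */
    private Authentication authenticate(Object obj, String... strArr) throws AuthenticationException, IOException {
        String aclUrl = this.baseUrl + "layers/acls";
        if (LOGGER.isLoggable(Level.FINEST)) {
            // Header values are the session id or the Basic credentials; never write them to logs.
            LOGGER.finest("Authenticating with " + describeHeaders(strArr));
        }
        String responseBody = this.client.sendGET(aclUrl, strArr);
        if (LOGGER.isLoggable(Level.FINEST)) {
            // The response carries the user's name, e-mail and layer ACLs; it is logged at FINEST only.
            LOGGER.finest("Auth response: " + responseBody);
        }
        JSONObject acl = (JSONObject) JSONSerializer.toJSON(responseBody);
        Authentication result = toAuthentication(obj, acl);
        if (!(result instanceof UsernamePasswordAuthenticationToken)) {
            return result;
        }
        // Named users are re-wrapped so that the principal is a GeoServerUser carrying profile data.
        GeoServerUser user = new GeoServerUser(result.getPrincipal().toString());
        Authentication sessionToken = new GeoNodeSessionAuthToken(user, result.getCredentials(), result.getAuthorities());
        Properties profile = user.getProperties();
        profile.put("email", acl.optString("email"));
        profile.put("fullname", acl.optString("fullname"));
        return sessionToken;
    }

    /**
     * Renders request headers for logging with every value replaced by a placeholder.
     * Assumes the name/value alternation used by the callers in this class.
     */
    private static String describeHeaders(String[] headers) {
        if (headers == null) {
            return "null";
        }
        StringBuilder text = new StringBuilder("[");
        for (int i = 0; i < headers.length; i += 2) {
            if (i > 0) {
                text.append(", ");
            }
            text.append(headers[i]).append("=<redacted>");
        }
        return text.append(']').toString();
    }

    /**
     * Converts the ACL response into a token holding the caller's authorities.
     *
     * <p>{@code is_superuser} and {@code is_anonymous} are read with {@code getBoolean}, so a
     * response lacking either key raises an exception instead of yielding a partially trusted
     * token.
     *
     * @param obj credentials object to attach to a named user's token
     * @param jSONObject parsed ACL response
     * @return an {@link AnonymousAuthenticationToken} or a {@link UsernamePasswordAuthenticationToken}
     */
    private Authentication toAuthentication(Object obj, JSONObject jSONObject) {
        ArrayList<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        if (jSONObject.containsKey("ro")) {
            authorities.add(new LayersGrantedAuthority(jSONObject.getJSONArray("ro"), LayersGrantedAuthority.LayerMode.READ_ONLY));
        }
        if (jSONObject.containsKey("rw")) {
            authorities.add(new LayersGrantedAuthority(jSONObject.getJSONArray("rw"), LayersGrantedAuthority.LayerMode.READ_WRITE));
        }
        if (jSONObject.getBoolean("is_superuser")) {
            // Full administrative rights are granted solely on the back end's say-so.
            authorities.add(GeoServerRole.ADMIN_ROLE);
        }
        if (jSONObject.getBoolean("is_anonymous")) {
            authorities.add(GeoServerRole.ANONYMOUS_ROLE);
            return new AnonymousAuthenticationToken("geonode", "anonymous", authorities);
        }
        String userName = jSONObject.containsKey("name") ? jSONObject.getString("name") : "";
        authorities.add(GeoServerRole.AUTHENTICATED_ROLE);
        return new UsernamePasswordAuthenticationToken(userName, obj, authorities);
    }

    /**
     * Decides access from the authorities already attached to {@code authentication}; no
     * back-end request is made.
     */
    @Override
    public boolean authorize(Authentication authentication, ResourceInfo resourceInfo, AccessMode accessMode) {
        return authorizeUsingAuthorities(authentication, resourceInfo, accessMode);
    }

    /**
     * Checks whether the given authorities allow {@code accessMode} on the resource.
     *
     * <p>Administrators are always allowed. Otherwise a {@link LayersGrantedAuthority} that lists
     * the resource's prefixed name allows {@link AccessMode#READ}, and allows
     * {@link AccessMode#WRITE} only when its mode is {@code READ_WRITE}. Any other access mode is
     * denied to non-administrators.
     *
     * @return {@code true} if access is allowed; {@code false} otherwise, including when
     *         {@code authentication} or its authorities are {@code null}
     */
    static boolean authorizeUsingAuthorities(Authentication authentication, ResourceInfo resourceInfo, AccessMode accessMode) {
        // Deny by default. The previous code dereferenced the authentication before its null
        // check, so a missing authentication surfaced as a NullPointerException.
        if (authentication == null || authentication.getAuthorities() == null) {
            return false;
        }
        if (authentication.getAuthorities().contains(GeoServerRole.ADMIN_ROLE)) {
            return true;
        }
        for (GrantedAuthority authority : authentication.getAuthorities()) {
            if (!(authority instanceof LayersGrantedAuthority)) {
                continue;
            }
            LayersGrantedAuthority layerAuthority = (LayersGrantedAuthority) authority;
            boolean modeAllowed = accessMode == AccessMode.READ
                    || (accessMode == AccessMode.WRITE
                            && layerAuthority.getAccessMode() == LayersGrantedAuthority.LayerMode.READ_WRITE);
            if (modeAllowed && layerAuthority.getLayerNames().contains(resourceInfo.prefixedName())) {
                return true;
            }
        }
        return false;
    }
}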
