package io.continual.iam.impl.common;

import io.continual.iam.IamDb;
import io.continual.iam.access.AccessControlList;
import io.continual.iam.access.AccessManager;
import io.continual.iam.access.AclUpdateListener;
import io.continual.iam.access.ProtectedResource;
import io.continual.iam.access.Resource;
import io.continual.iam.credentials.ApiKeyCredential;
import io.continual.iam.credentials.JwtCredential;
import io.continual.iam.credentials.UsernamePasswordCredential;
import io.continual.iam.exceptions.IamBadRequestException;
import io.continual.iam.exceptions.IamGroupDoesNotExist;
import io.continual.iam.exceptions.IamGroupExists;
import io.continual.iam.exceptions.IamIdentityDoesNotExist;
import io.continual.iam.exceptions.IamIdentityExists;
import io.continual.iam.exceptions.IamSvcException;
import io.continual.iam.identity.ApiKey;
import io.continual.iam.identity.Identity;
import io.continual.iam.identity.IdentityManager;
import io.continual.iam.impl.common.CommonJsonGroup;
import io.continual.iam.impl.common.CommonJsonIdentity;
import io.continual.iam.impl.common.jwt.JwtProducer;
import io.continual.iam.impl.common.jwt.JwtValidator;
import io.continual.iam.tags.TagManager;
import io.continual.util.data.OneWayHasher;
import io.continual.util.data.Sha1HmacSigner;
import io.continual.util.data.UniqueStringGenerator;
import io.continual.util.time.Clock;
import java.util.Collection;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.Set;
import java.util.TreeSet;
import java.util.UUID;
import java.util.concurrent.TimeUnit;
import org.json.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/continual/iam/impl/common/CommonJsonDb.class */
public abstract class CommonJsonDb<I extends CommonJsonIdentity, G extends CommonJsonGroup> implements IdentityManager<I>, AccessManager<G>, TagManager, AclUpdateListener, IamDb<I, G> {
    public static final String kTagId = "tagId";
    public static final String kUserId = "userId";
    public static final String kTagType = "tagType";
    public static final String kExpireEpoch = "expireEpoch";
    public static final String kSecret = "secret";
    public static final String kAlias = "alias";
    public static final String kEnabled = "enabled";
    public static final String kPasswordBlock = "password";
    public static final String kPasswordSalt = "salt";
    public static final String kPasswordHash = "hash";
    public static final String kTagType_PasswordReset = "passwordReset";
    private static final String kKeyChars = "ABCDEFGHJIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    private final AclFactory fAclFactory;
    private final JwtProducer fJwtTokenFactory;
    private final LinkedList<JwtValidator> fJwtValidators;
    static final int kSaltChars = 64;
    private static final Logger log = LoggerFactory.getLogger(CommonJsonDb.class);
    private static final boolean skAuthLogging = true;

    /* loaded from: input_file:io/continual/iam/impl/common/CommonJsonDb$AclFactory.class */
    public interface AclFactory {
        AccessControlList createDefaultAcl(AclUpdateListener aclUpdateListener);
    }

    /* loaded from: input_file:io/continual/iam/impl/common/CommonJsonDb$DefaultAclFactory.class */
    private static class DefaultAclFactory implements AclFactory {
        private DefaultAclFactory() {
        }

        @Override // io.continual.iam.impl.common.CommonJsonDb.AclFactory
        public AccessControlList createDefaultAcl(AclUpdateListener aclUpdateListener) {
            return AccessControlList.initialize(aclUpdateListener);
        }
    }

    @Override // io.continual.iam.identity.IdentityManager
    public boolean userExists(String str) throws IamSvcException {
        return null != loadUser(str);
    }

    @Override // io.continual.iam.identity.IdentityManager
    public boolean userOrAliasExists(String str) throws IamSvcException {
        return userExists(str) || aliasExists(str);
    }

    protected boolean aliasExists(String str) throws IamSvcException {
        return null != loadAliasObject(str);
    }

    @Override // io.continual.iam.identity.IdentityManager
    public I loadUser(String str) throws IamSvcException {
        JSONObject loadUserObject = loadUserObject(str);
        if (loadUserObject != null) {
            return instantiateIdentity(str, loadUserObject);
        }
        return null;
    }

    @Override // io.continual.iam.identity.IdentityManager
    public I loadUserOrAlias(String str) throws IamSvcException {
        I loadUser = loadUser(str);
        if (loadUser != null) {
            return loadUser;
        }
        JSONObject loadAliasObject = loadAliasObject(str);
        if (loadAliasObject == null) {
            return null;
        }
        String string = loadAliasObject.getString(kUserId);
        if (string != null) {
            return loadUser(string);
        }
        log.warn("Alias [" + str + "] record exists but doesn't contain " + kUserId + ".");
        return null;
    }

    @Override // io.continual.iam.identity.IdentityManager
    public I createUser(String str) throws IamSvcException, IamIdentityExists {
        if (userExists(str)) {
            throw new IamIdentityExists(str);
        }
        storeUserObject(str, createNewUser(str));
        return loadUser(str);
    }

    @Override // io.continual.iam.identity.IdentityManager
    public I createAnonymousUser() throws IamSvcException {
        try {
            return createUser(UniqueStringGenerator.create("continual iam json db"));
        } catch (IamIdentityExists e) {
            throw new IamSvcException("anonymous user exists... " + e.getMessage());
        }
    }

    @Override // io.continual.iam.identity.IdentityManager
    public void deleteUser(String str) throws IamSvcException {
        deleteUserObject(str);
    }

    @Override // io.continual.iam.identity.IdentityManager
    public boolean completePasswordReset(String str, String str2) throws IamSvcException {
        String userIdForTag = getUserIdForTag(str);
        if (userIdForTag == null) {
            return false;
        }
        I loadUser = loadUser(userIdForTag);
        if (loadUser == null) {
            authLog("Ignoring password reset completion on tag " + str + " for user [" + userIdForTag + "], who does not exist.");
            return false;
        }
        loadUser.setPassword(str2);
        deleteTagObject(str, userIdForTag, kTagType_PasswordReset);
        return true;
    }

    @Override // io.continual.iam.identity.IdentityManager
    public ApiKey loadApiKeyRecord(String str) throws IamSvcException {
        JSONObject loadApiKeyObject = loadApiKeyObject(str);
        if (loadApiKeyObject != null) {
            return instantiateApiKey(str, loadApiKeyObject);
        }
        return null;
    }

    @Override // io.continual.iam.identity.IdentityDb
    public String createJwtToken(Identity identity) throws IamSvcException {
        if (this.fJwtTokenFactory == null) {
            throw new IamSvcException("This identity manager does not have a JWT token factory.");
        }
        return this.fJwtTokenFactory.createJwtToken(identity);
    }

    @Override // io.continual.iam.identity.IdentityDb
    public I authenticate(ApiKeyCredential apiKeyCredential) throws IamSvcException {
        ApiKey loadApiKeyRecord = loadApiKeyRecord(apiKeyCredential.getApiKey());
        if (loadApiKeyRecord != null) {
            String sign = Sha1HmacSigner.sign(apiKeyCredential.getContent(), loadApiKeyRecord.getSecret());
            authLog("expecting [" + sign + "]; received [" + apiKeyCredential.getSignature() + "]. signed content [" + apiKeyCredential.getContent() + "].");
            if (sign.equals(apiKeyCredential.getSignature())) {
                authLog(loadApiKeyRecord.getUserId() + " authenticated via API key " + apiKeyCredential.getApiKey());
                return loadUser(loadApiKeyRecord.getUserId());
            }
        }
        authLog(apiKeyCredential.getApiKey() + " authentication failed");
        return null;
    }

    @Override // io.continual.iam.identity.IdentityDb
    public I authenticate(JwtCredential jwtCredential) throws IamSvcException {
        Iterator<JwtValidator> it = this.fJwtValidators.iterator();
        while (it.hasNext()) {
            if (it.next().validate(jwtCredential)) {
                return loadUser(jwtCredential.getSubject());
            }
        }
        return null;
    }

    @Override // io.continual.iam.identity.IdentityDb
    public void invalidateJwtToken(String str) throws IamSvcException {
        storeInvalidJwtToken(str);
    }

    @Override // io.continual.iam.identity.IdentityDb
    public I authenticate(UsernamePasswordCredential usernamePasswordCredential) throws IamSvcException {
        I loadUserOrAlias = loadUserOrAlias(usernamePasswordCredential.getUsername());
        if (loadUserOrAlias == null) {
            authLog("No such user " + usernamePasswordCredential.getUsername());
            return null;
        }
        if (!loadUserOrAlias.isEnabled()) {
            authLog("User " + usernamePasswordCredential.getUsername() + " is disabled.");
            return null;
        }
        String password = usernamePasswordCredential.getPassword();
        if (password == null) {
            authLog("User " + usernamePasswordCredential.getUsername() + " auth attempt without password.");
            return null;
        }
        String passwordSalt = loadUserOrAlias.getPasswordSalt();
        if (passwordSalt == null || passwordSalt.length() == 0) {
            authLog("User " + usernamePasswordCredential.getUsername() + " does not have a password.");
            return null;
        }
        String pbkdf2HashToString = OneWayHasher.pbkdf2HashToString(password, passwordSalt);
        String passwordHash = loadUserOrAlias.getPasswordHash();
        if (passwordHash != null && passwordHash.equals(pbkdf2HashToString)) {
            return loadUserOrAlias;
        }
        authLog("Password for " + usernamePasswordCredential.getUsername() + " doesn't match.");
        return null;
    }

    @Override // io.continual.iam.access.AccessManager
    public G createGroup(String str) throws IamSvcException {
        String uuid = UUID.randomUUID().toString();
        try {
            return createGroup(uuid, str);
        } catch (IamGroupExists e) {
            log.warn("UUID created randomly conflicted with an exist group name.");
            return loadGroup(uuid);
        }
    }

    @Override // io.continual.iam.access.AccessManager
    public G createGroup(String str, String str2) throws IamGroupExists, IamSvcException {
        if (loadGroup(str) != null) {
            throw new IamGroupExists(str);
        }
        storeGroupObject(str, createNewGroup(str, str2));
        return loadGroup(str);
    }

    @Override // io.continual.iam.access.AccessManager
    public void addUserToGroup(String str, String str2) throws IamIdentityDoesNotExist, IamSvcException, IamGroupDoesNotExist {
        I loadUserOrAlias = loadUserOrAlias(str2);
        if (loadUserOrAlias == null) {
            throw new IamIdentityDoesNotExist(str2);
        }
        G loadGroup = loadGroup(str);
        if (loadGroup == null) {
            throw new IamGroupDoesNotExist(str);
        }
        loadGroup.addUser(str2);
        loadUserOrAlias.addGroup(str);
        storeUserObject(str2, loadUserOrAlias.asJson());
    }

    @Override // io.continual.iam.access.AccessManager
    public void removeUserFromGroup(String str, String str2) throws IamSvcException, IamIdentityDoesNotExist, IamGroupDoesNotExist {
        I loadUserOrAlias = loadUserOrAlias(str2);
        if (loadUserOrAlias == null) {
            throw new IamIdentityDoesNotExist("User does not exist: " + str2);
        }
        G loadGroup = loadGroup(str);
        if (loadGroup == null) {
            throw new IamGroupDoesNotExist("Group does not exist: " + str);
        }
        loadGroup.removeUser(str2);
        loadUserOrAlias.removeGroup(str);
        storeUserObject(str2, loadUserOrAlias.asJson());
    }

    @Override // io.continual.iam.access.AccessManager
    public Set<String> getUsersGroups(String str) throws IamSvcException, IamIdentityDoesNotExist {
        I loadUserOrAlias = loadUserOrAlias(str);
        if (loadUserOrAlias == null) {
            throw new IamIdentityDoesNotExist(str);
        }
        return loadUserOrAlias.getGroupIds();
    }

    @Override // io.continual.iam.access.AccessManager
    public Set<String> getUsersInGroup(String str) throws IamGroupDoesNotExist, IamSvcException {
        G loadGroup = loadGroup(str);
        if (loadGroup == null) {
            throw new IamGroupDoesNotExist(str + " does not exist");
        }
        return loadGroup.getMembers();
    }

    @Override // io.continual.iam.access.AccessDb
    public G loadGroup(String str) throws IamSvcException {
        JSONObject loadGroupObject = loadGroupObject(str);
        if (loadGroupObject != null) {
            return instantiateGroup(str, loadGroupObject);
        }
        return null;
    }

    @Override // io.continual.iam.access.AccessDb
    public AccessControlList getAclFor(Resource resource) throws IamSvcException {
        if (resource instanceof ProtectedResource) {
            return ((ProtectedResource) resource).getAccessControlList();
        }
        final String id = resource.getId();
        AclUpdateListener aclUpdateListener = new AclUpdateListener() { // from class: io.continual.iam.impl.common.CommonJsonDb.1
            @Override // io.continual.iam.access.AclUpdateListener
            public void onAclUpdate(AccessControlList accessControlList) {
                try {
                    CommonJsonDb.this.storeAclObject(id, accessControlList.asJson());
                } catch (IamSvcException e) {
                    CommonJsonDb.log.warn("Couldn't store ACL: " + e.getMessage());
                }
            }
        };
        JSONObject loadAclObject = loadAclObject(resource.getId());
        if (loadAclObject != null) {
            return AccessControlList.deserialize(loadAclObject.toString(), aclUpdateListener);
        }
        if (this.fAclFactory != null) {
            return this.fAclFactory.createDefaultAcl(aclUpdateListener);
        }
        log.warn("No ACL factory established; returning null from getAclFor ( Resource res )");
        return null;
    }

    @Override // io.continual.iam.access.AclUpdateListener
    public void onAclUpdate(AccessControlList accessControlList) {
    }

    @Override // io.continual.iam.access.AccessDb
    public boolean canUser(String str, Resource resource, String str2) throws IamSvcException {
        AccessControlList aclFor = getAclFor(resource);
        if (aclFor == null) {
            return true;
        }
        return aclFor.canUser(str, loadUserOrAlias(str).getGroupIds(), str2);
    }

    @Override // io.continual.iam.tags.TagManager
    public String createTag(String str, String str2, long j, TimeUnit timeUnit, String str3) throws IamSvcException {
        removeMatchingTag(str, str2);
        String createUrlKey = UniqueStringGenerator.createUrlKey(str3);
        storeTagObject(createUrlKey, str, str2, new JSONObject().put(kTagId, createUrlKey).put(kUserId, str).put(kTagType, str2).put(kExpireEpoch, (Clock.now() + TimeUnit.MILLISECONDS.convert(j, timeUnit)) / 1000));
        return createUrlKey;
    }

    @Override // io.continual.iam.tags.TagManager
    public String getUserIdForTag(String str) throws IamSvcException {
        JSONObject loadTagObject = loadTagObject(str, false);
        if (loadTagObject == null) {
            return null;
        }
        return loadTagObject.getString(kUserId);
    }

    @Override // io.continual.iam.tags.TagManager
    public void removeMatchingTag(String str, String str2) throws IamSvcException {
        String str3 = null;
        JSONObject loadTagObject = loadTagObject(str, str2, true);
        if (loadTagObject != null) {
            str3 = loadTagObject.getString(kTagId);
        }
        if (str3 != null) {
            deleteTagObject(str3, str, str2);
        }
    }

    @Override // io.continual.iam.identity.IdentityManager
    public void addAlias(String str, String str2) throws IamSvcException, IamBadRequestException {
        storeAliasObject(str2, new JSONObject().put(kAlias, str2).put(kUserId, str));
    }

    @Override // io.continual.iam.identity.IdentityManager
    public void removeAlias(String str) throws IamBadRequestException, IamSvcException {
        deleteAliasObject(str);
    }

    @Override // io.continual.iam.identity.IdentityManager
    public Collection<String> getAliasesFor(String str) throws IamSvcException, IamIdentityDoesNotExist {
        return new TreeSet(loadAliasesForUser(str));
    }

    public CommonJsonDb<I, G> addJwtValidator(JwtValidator jwtValidator) {
        this.fJwtValidators.add(jwtValidator);
        return this;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public CommonJsonDb() {
        this(null, null);
    }

    protected CommonJsonDb(AclFactory aclFactory, JwtProducer jwtProducer) {
        this.fAclFactory = aclFactory == null ? new DefaultAclFactory() : aclFactory;
        this.fJwtTokenFactory = jwtProducer;
        this.fJwtValidators = new LinkedList<>();
        if (this.fJwtTokenFactory != null) {
            this.fJwtValidators.add(this.fJwtTokenFactory);
        }
    }

    public String getAppNonce() {
        return "my app didn't register a nonce";
    }

    public ApiKey createApiKey(String str) throws IamIdentityDoesNotExist, IamSvcException, IamBadRequestException {
        if (str == null) {
            throw new IamBadRequestException("A valid user ID is required to create an API key.");
        }
        String appNonce = getAppNonce();
        String generateKey = generateKey(16, appNonce);
        storeApiKeyObject(generateKey, createApiKeyObject(str, generateKey, generateKey(24, appNonce)));
        return instantiateApiKey(generateKey, loadApiKeyObject(generateKey));
    }

    protected abstract JSONObject createNewUser(String str);

    /* JADX INFO: Access modifiers changed from: protected */
    public abstract JSONObject loadUserObject(String str) throws IamSvcException;

    /* JADX INFO: Access modifiers changed from: protected */
    public abstract void storeUserObject(String str, JSONObject jSONObject) throws IamSvcException;

    protected abstract void deleteUserObject(String str) throws IamSvcException;

    protected abstract I instantiateIdentity(String str, JSONObject jSONObject);

    protected abstract JSONObject createNewGroup(String str, String str2);

    /* JADX INFO: Access modifiers changed from: protected */
    public abstract JSONObject loadGroupObject(String str) throws IamSvcException;

    /* JADX INFO: Access modifiers changed from: protected */
    public abstract void storeGroupObject(String str, JSONObject jSONObject) throws IamSvcException;

    protected abstract void deleteGroupObject(String str) throws IamSvcException;

    protected abstract G instantiateGroup(String str, JSONObject jSONObject);

    protected abstract JSONObject createApiKeyObject(String str, String str2, String str3);

    protected abstract JSONObject loadApiKeyObject(String str) throws IamSvcException;

    protected abstract void storeApiKeyObject(String str, JSONObject jSONObject) throws IamSvcException, IamIdentityDoesNotExist, IamBadRequestException;

    /* JADX INFO: Access modifiers changed from: protected */
    public abstract void deleteApiKeyObject(String str) throws IamSvcException;

    protected abstract ApiKey instantiateApiKey(String str, JSONObject jSONObject);

    /* JADX INFO: Access modifiers changed from: protected */
    public abstract Collection<String> loadApiKeysForUser(String str) throws IamSvcException, IamIdentityDoesNotExist;

    protected abstract JSONObject loadAclObject(String str) throws IamSvcException;

    protected abstract void storeAclObject(String str, JSONObject jSONObject) throws IamSvcException;

    protected abstract void deleteAclObject(String str) throws IamSvcException;

    protected abstract JSONObject loadTagObject(String str, boolean z) throws IamSvcException;

    protected abstract JSONObject loadTagObject(String str, String str2, boolean z) throws IamSvcException;

    protected abstract void storeTagObject(String str, String str2, String str3, JSONObject jSONObject) throws IamSvcException;

    protected abstract void deleteTagObject(String str, String str2, String str3) throws IamSvcException;

    protected abstract JSONObject loadAliasObject(String str) throws IamSvcException;

    protected abstract void storeAliasObject(String str, JSONObject jSONObject) throws IamSvcException, IamBadRequestException;

    protected abstract void deleteAliasObject(String str) throws IamSvcException;

    protected abstract Collection<String> loadAliasesForUser(String str) throws IamSvcException, IamIdentityDoesNotExist;

    protected abstract void storeInvalidJwtToken(String str) throws IamSvcException;

    protected abstract boolean isInvalidJwtToken(String str) throws IamSvcException;

    public static String generateKey(int i, String str) {
        return UniqueStringGenerator.createKeyUsingAlphabet(str, kKeyChars, i);
    }

    private static void authLog(String str) {
        log.info(str);
    }
}
