package com.terracotta.management.security.shiro.realm;

import com.terracotta.management.security.IACredentials;
import com.terracotta.management.security.IdentityAssertionServiceClient;
import com.terracotta.management.security.InvalidIAInteractionException;
import com.terracotta.management.security.shiro.IdentityAssertionToken;
import com.terracotta.management.user.UserInfo;
import com.terracotta.management.user.UserRole;
import java.net.MalformedURLException;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.util.CollectionUtils;
import org.apache.shiro.util.StringUtils;
import org.terracotta.management.ServiceLocator;

/* loaded from: input_file:WEB-INF/lib/security-REST-1.0.4.jar:com/terracotta/management/security/shiro/realm/TCIdentityAssertionRealm.class */
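/**
 * Shiro realm backed by the Terracotta identity assertion service.
 *
 * <p>Authentication: an {@link IdentityAssertionToken} carrying {@link IACredentials} is
 * resolved into a {@link UserInfo} by the {@link IdentityAssertionServiceClient}; the
 * returned username and role set become the subject's principals (stored positionally:
 * index 0 = username, index 1 = {@code Set<UserRole>}).
 *
 * <p>Authorization: {@code ADMIN} grants {@link #ADMIN_PERMS}, {@code OPERATOR} grants
 * {@link #OPERATOR_PERM}; every role is also exposed by name. Any other role yields the
 * role name only, with no permissions.
 *
 * <p>Both authentication and authorization caching are disabled in the constructor, so each
 * request is re-validated against the identity assertion service and role changes take
 * effect immediately, at the cost of one service round-trip per request.
 */
public final class TCIdentityAssertionRealm extends AuthorizingRealm {
    /** Single permission granted to {@link UserRole#OPERATOR}. */
    private static final String OPERATOR_PERM = "api:read";

    /**
     * Permissions granted to {@link UserRole#ADMIN}. Wrapped as unmodifiable so this shared
     * static cannot be altered through the reference handed to Shiro.
     */
    private static final List<String> ADMIN_PERMS =
            Collections.unmodifiableList(Arrays.asList("api:update", "api:create", "api:delete"));

    /** Client used to turn an identity token into user details; resolved via the service locator. */
    private final IdentityAssertionServiceClient iaClient =
            (IdentityAssertionServiceClient) ServiceLocator.locate(IdentityAssertionServiceClient.class);

    /**
     * Configures the realm to accept only {@link IdentityAssertionToken}s and turns off all
     * Shiro-side caching.
     *
     * <p>The declared exceptions are kept for compatibility with existing configuration; nothing
     * in this body throws them.
     *
     * @throws URISyntaxException declared for compatibility
     * @throws MalformedURLException declared for compatibility
     */
    public TCIdentityAssertionRealm() throws URISyntaxException, MalformedURLException {
        setAuthenticationTokenClass(IdentityAssertionToken.class);
        setCachingEnabled(false);
        setAuthenticationCachingEnabled(false);
    }

    /**
     * Delegates to the superclass; kept {@code public} because that is the visibility of the
     * compiled artifact this class was recovered from (the decompiler reports it was widened
     * from {@code protected}).
     */
    @Override // org.apache.shiro.realm.AuthorizingRealm, org.apache.shiro.realm.AuthenticatingRealm
    public void onInit() {
        super.onInit();
    }

    /**
     * Authenticates an identity assertion token against the identity assertion service.
     *
     * @param authenticationToken the token presented by the subject; anything other than an
     *        {@link IdentityAssertionToken} with {@link IACredentials} is treated as unknown
     * @return authentication info whose principals are {@code [username, Set<UserRole>]}, or
     *         {@code null} when the token is unsupported, carries no credentials, or the
     *         identity token string is blank (Shiro treats {@code null} as an unknown account)
     * @throws AuthenticationException if the service interaction fails or returns an incomplete
     *         user record
     */
    @Override // org.apache.shiro.realm.AuthenticatingRealm
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        // supports() already filters on token class, but this method is protected and can be
        // reached directly; refuse other token types instead of throwing ClassCastException.
        if (!(authenticationToken instanceof IdentityAssertionToken)) {
            return null;
        }
        IdentityAssertionToken token = (IdentityAssertionToken) authenticationToken;

        // Null or foreign credentials would otherwise NPE/CCE below; treat them as unknown.
        Object rawCredentials = token.getCredentials();
        if (!(rawCredentials instanceof IACredentials)) {
            return null;
        }
        IACredentials credentials = (IACredentials) rawCredentials;
        if (!StringUtils.hasText(credentials.getIdentityToken())) {
            return null;
        }

        UserInfo user;
        try {
            user = this.iaClient.retreiveUserDetail(credentials);
        } catch (InvalidIAInteractionException e) {
            throw new AuthenticationException(e);
        }

        // Fail closed on an incomplete answer instead of failing later with an NPE or an
        // IllegalArgumentException from SimplePrincipalCollection's null-principal check.
        if (user == null || user.getUsername() == null || user.getRoles() == null) {
            throw new AuthenticationException("identity assertion service returned incomplete user details");
        }

        token.setPrincipal(user.getUsername());

        // Positional principal list consumed by rolesFrom(): [username, roles].
        List<Object> principals = new ArrayList<Object>(2);
        principals.add(user.getUsername());
        principals.add(user.getRoles());

        // The same credentials instance is echoed back, presumably so the configured
        // credentials matcher finds token and info credentials equal — confirm against config.
        return new SimpleAuthenticationInfo(new SimplePrincipalCollection(principals, getName()), credentials);
    }

    /**
     * Builds roles and permissions from the {@code Set<UserRole>} stored as the second principal
     * by {@link #doGetAuthenticationInfo}.
     *
     * @param principalCollection the subject's principals
     * @return authorization info with one role name per {@link UserRole} plus the mapped
     *         permissions; empty (no roles, no permissions) when the role set cannot be found
     */
    @Override // org.apache.shiro.realm.AuthorizingRealm
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        for (UserRole role : rolesFrom(principalCollection)) {
            if (role == null) {
                continue; // a null element would NPE on toString(); it grants nothing
            }
            info.addRole(role.toString());
            if (role == UserRole.ADMIN) {
                info.addStringPermissions(ADMIN_PERMS);
            } else if (role == UserRole.OPERATOR) {
                info.addStringPermission(OPERATOR_PERM);
            }
        }
        return info;
    }

    /**
     * Recovers the role set from the positional principal list ({@code [username, roles]}).
     *
     * <p>Uses the {@link PrincipalCollection} interface rather than casting to
     * {@link SimplePrincipalCollection}, and returns an empty set — i.e. no permissions —
     * when the collection is null, too short, or does not hold a {@link Set} at index 1.
     */
    @SuppressWarnings("unchecked") // element type is fixed by doGetAuthenticationInfo
    private static Set<UserRole> rolesFrom(PrincipalCollection principalCollection) {
        if (principalCollection == null) {
            return Collections.emptySet();
        }
        List<?> principals = principalCollection.asList();
        if (principals == null || principals.size() < 2) {
            return Collections.emptySet();
        }
        Object second = principals.get(1);
        if (!(second instanceof Set)) {
            return Collections.emptySet();
        }
        return (Set<UserRole>) second;
    }
}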
