package org.opendaylight.aaa.shiro.realm;

import com.google.common.collect.Iterables;
import com.google.common.util.concurrent.Futures;
import com.google.common.util.concurrent.ListenableFuture;
import java.util.Collection;
import java.util.HashSet;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.Destroyable;
import org.opendaylight.aaa.api.password.service.PasswordHashService;
import org.opendaylight.aaa.api.shiro.principal.ODLPrincipal;
import org.opendaylight.aaa.shiro.principal.ODLPrincipalImpl;
import org.opendaylight.aaa.shiro.realm.util.TokenUtils;
import org.opendaylight.aaa.shiro.realm.util.http.header.HeaderUtils;
import org.opendaylight.aaa.shiro.web.env.ThreadLocals;
import org.opendaylight.mdsal.binding.api.DataBroker;
import org.opendaylight.mdsal.binding.api.DataTreeIdentifier;
import org.opendaylight.mdsal.binding.api.DataTreeModification;
import org.opendaylight.mdsal.binding.api.ReadTransaction;
import org.opendaylight.mdsal.common.api.LogicalDatastoreType;
import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.aaa.rev161214.Authentication;
import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.aaa.rev161214.Grant;
import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.aaa.rev161214.authentication.Roles;
import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.aaa.rev161214.authentication.users.Users;
import org.opendaylight.yangtools.concepts.ListenerRegistration;
import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/opendaylight/aaa/shiro/realm/MdsalRealm.class */
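/**
 * Shiro realm backed by the {@code authentication} container of the MD-SAL CONFIGURATION datastore.
 *
 * <p>The container (users, grants, roles) is read once in the constructor and then kept current by a
 * data-tree change listener, so authentication and authorization never hit the datastore on the
 * request path. Authentication compares the submitted password against the stored hash and salt via
 * {@link PasswordHashService}; authorization maps the principal's grants to role ids.
 *
 * <p>Thread-safety: {@link #authentication} is {@code volatile} and only ever replaced wholesale, so
 * request threads observe either the previous or the new snapshot, never a partially updated one.
 */
public class MdsalRealm extends AuthorizingRealm implements Destroyable {
    private static final Logger LOG = LoggerFactory.getLogger(MdsalRealm.class);

    /** Root of the aaa {@code authentication} container in the CONFIGURATION datastore. */
    private static final DataTreeIdentifier<Authentication> AUTH_TREE_ID = DataTreeIdentifier.create(
        LogicalDatastoreType.CONFIGURATION, InstanceIdentifier.create(Authentication.class));

    // Both services are handed over through thread-locals by the web environment that instantiates the realm.
    private final PasswordHashService passwordHashService =
        Objects.requireNonNull(ThreadLocals.PASSWORD_HASH_SERVICE_TL.get());
    private final ListenerRegistration<?> reg;

    // Latest known snapshot of the container. Seeded by the constructor's read, replaced by the listener.
    private volatile ListenableFuture<Optional<Authentication>> authentication;

    /**
     * Creates the realm, seeds the cached container from the datastore and registers the change listener.
     *
     * @throws NullPointerException if the data broker was not published through {@link ThreadLocals}
     */
    public MdsalRealm() {
        final DataBroker dataBroker = Objects.requireNonNull(ThreadLocals.DATABROKER_TL.get());

        // One-off read to seed the cache; the transaction is closed before the listener is registered.
        try (ReadTransaction tx = dataBroker.newReadOnlyTransaction()) {
            authentication = tx.read(AUTH_TREE_ID.getDatastoreType(), AUTH_TREE_ID.getRootIdentifier());
        }

        // The listener may fire before this constructor returns; it only writes the volatile
        // 'authentication' field and logs, so the partially constructed instance is not a problem.
        reg = dataBroker.registerDataTreeChangeListener(AUTH_TREE_ID, this::onAuthenticationChanged);
        LOG.info("MdsalRealm created");
    }

    /**
     * Replaces the cached container with the state after the last modification in the batch.
     *
     * @param changes modifications rooted at the {@code authentication} container, in order
     */
    private void onAuthenticationChanged(final Collection<DataTreeModification<Authentication>> changes) {
        if (changes.isEmpty()) {
            // NOTE(review): the listener contract presumably never delivers an empty batch; guard anyway
            return;
        }
        // Each modification carries the full container after the change, so only the last one matters.
        final Authentication dataAfter = Iterables.getLast(changes).getRootNode().getDataAfter();

        // Deliberately not logging 'dataAfter' itself: the container holds per-user password hashes and
        // salts (see doGetAuthenticationInfo), which its generated toString() would presumably print.
        LOG.debug("Updating authentication information ({} modification(s), container {})",
            changes.size(), dataAfter == null ? "removed" : "present");
        authentication = Futures.immediateFuture(Optional.ofNullable(dataAfter));
    }

    /**
     * Collects the role ids granted to the primary principal.
     *
     * <p>A grant only yields a role id if a role with that id exists in the {@code roles} list; grants
     * referring to unknown roles are ignored.
     *
     * @param principals collection whose primary principal is an {@link ODLPrincipal}
     * @return authorization info holding the matching role ids (possibly none)
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(final PrincipalCollection principals) {
        final Set<String> roleIds = new HashSet<>();
        final ODLPrincipal principal = (ODLPrincipal) principals.getPrimaryPrincipal();
        final Optional<Authentication> container = getAuthenticationContainer();

        if (container.isPresent()) {
            final Authentication auth = container.get();
            final Roles roles = auth.getRoles();
            // Without a roles list no grant can be resolved, so there is nothing to scan.
            if (roles != null) {
                for (Grant grant : auth.getGrants().nonnullGrants().values()) {
                    if (!Objects.equals(grant.getUserid(), principal.getUserId())) {
                        continue;
                    }
                    for (org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.aaa.rev161214
                            .authentication.roles.Roles role : roles.nonnullRoles().values()) {
                        if (Objects.equals(role.getRoleid(), grant.getRoleid())) {
                            roleIds.add(role.getRoleid());
                        }
                    }
                }
            }
        }
        return new SimpleAuthorizationInfo(roleIds);
    }

    /**
     * Resolves the cached container future.
     *
     * @return the container, or empty if it is absent from the datastore or the future failed
     */
    private Optional<Authentication> getAuthenticationContainer() {
        try {
            return authentication.get();
        } catch (InterruptedException e) {
            // Restore the interrupt flag so callers further up the stack still see it.
            Thread.currentThread().interrupt();
            LOG.error("Couldn't access authentication container", e);
            return Optional.empty();
        } catch (ExecutionException e) {
            LOG.error("Couldn't access authentication container", e);
            return Optional.empty();
        }
    }

    /**
     * Authenticates the token against the users in the cached container.
     *
     * <p>The token's username is split into user name and domain and recombined as {@code user@domain},
     * which must equal the stored user id of an enabled user whose password hash matches.
     *
     * @param token token carrying username and password
     * @return authentication info for the matched user
     * @throws AuthenticationException if the container is unavailable or no enabled user matches
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(final AuthenticationToken token)
            throws AuthenticationException {
        final String rawUsername = TokenUtils.extractUsername(token);
        // Loop-invariant: derived from the token only, so computed once rather than per stored user.
        final String username = HeaderUtils.extractUsername(rawUsername);
        final String domain = HeaderUtils.extractDomain(rawUsername);
        final String userId = String.format("%s@%s", username, domain);

        final Optional<Authentication> container = getAuthenticationContainer();
        if (!container.isPresent()) {
            LOG.debug("Couldn't access the authentication container");
            throw new AuthenticationException(String.format("Couldn't authenticate %s", rawUsername));
        }

        for (Users user : container.get().getUsers().nonnullUsers().values()) {
            // A missing 'enabled' flag is treated as disabled (fail closed).
            if (!Boolean.TRUE.equals(user.isEnabled())) {
                LOG.trace("userId={} is skipped because it is disabled", user.getUserid());
                continue;
            }
            if (!userId.equals(user.getUserid())) {
                continue;
            }
            final String password = TokenUtils.extractPassword(token);
            // NOTE(review): the hash comparison only runs for a matching enabled user, so response time
            // differs between unknown and known user ids; acceptable for this deployment? confirm.
            if (passwordHashService.passwordsMatch(password, user.getPassword(), user.getSalt())) {
                // The submitted password is stored as the credentials; Shiro's default matcher compares
                // token and info credentials, which then presumably agree — the real check is
                // passwordsMatch() above. Confirm against the realm's configured CredentialsMatcher.
                return new SimpleAuthenticationInfo(
                    ODLPrincipalImpl.createODLPrincipal(username, domain, userId), password, getName());
            }
        }

        LOG.debug("Authentication failed for userId={}", userId);
        throw new AuthenticationException(String.format("Couldn't authenticate %s", rawUsername));
    }

    /** Unregisters the data-tree change listener; the cached snapshot is left as-is. */
    @Override
    public void destroy() {
        reg.close();
    }
}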
