package org.opendaylight.aaa.shiro.realm;

import com.google.common.base.Strings;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.opendaylight.aaa.api.Authentication;
import org.opendaylight.aaa.api.AuthenticationService;
import org.opendaylight.aaa.api.TokenAuth;
import org.opendaylight.aaa.api.TokenStore;
import org.opendaylight.aaa.api.shiro.principal.ODLPrincipal;
import org.opendaylight.aaa.shiro.principal.ODLPrincipalImpl;
import org.opendaylight.aaa.shiro.realm.util.TokenUtils;
import org.opendaylight.aaa.shiro.realm.util.http.header.HeaderUtils;
import org.opendaylight.aaa.shiro.tokenauthrealm.auth.TokenAuthenticators;
import org.opendaylight.aaa.shiro.web.env.ThreadLocals;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/opendaylight/aaa/shiro/realm/TokenAuthRealm.class */
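/**
 * Shiro realm backing ODL's token-based authentication.
 *
 * <p>Authentication works in two stages: when the token carries a non-empty password, the
 * credentials are offered to every configured {@link TokenAuth}; otherwise (or when none of
 * them produced an {@link Authentication}) the username field of the token is treated as an
 * access token and looked up in the {@link TokenStore}. Authorization simply exposes the roles
 * carried by the primary {@link ODLPrincipal}.
 *
 * <p>Collaborators are read from {@link ThreadLocals} in the constructor; the token store is
 * optional (may be {@code null}), the other two are required.
 */
public class TokenAuthRealm extends AuthorizingRealm {
    private static final String TOKEN_AUTH_REALM_DEFAULT_NAME = "TokenAuthRealm";
    private static final String AUTHENTICATION_SERVICE_UNAVAILABLE_MESSAGE = "{\"error\":\"Authentication service unavailable\"}";
    private static final String FATAL_ERROR_DECODING_CREDENTIALS = "{\"error\":\"Unable to decode credentials\"}";
    private static final String FATAL_ERROR_BASIC_AUTH_ONLY = "{\"error\":\"Only basic authentication is supported by TokenAuthRealm\"}";
    private static final String UNABLE_TO_AUTHENTICATE = "{\"error\":\"Could not authenticate\"}";
    private static final Logger LOG = LoggerFactory.getLogger(TokenAuthRealm.class);

    private final AuthenticationService authenticationService;
    private final TokenStore tokenStore;
    private final TokenAuthenticators tokenAuthenticators;

    /**
     * Creates the realm, pulling its collaborators from the thread-local slots populated by
     * the web environment.
     *
     * @throws NullPointerException if the authentication service or the token authenticators
     *         have not been published to {@link ThreadLocals}
     */
    public TokenAuthRealm() {
        super.setName(TOKEN_AUTH_REALM_DEFAULT_NAME);
        this.authenticationService = (AuthenticationService) Objects.requireNonNull(ThreadLocals.AUTH_SETVICE_TL.get());
        // The token store is optional; validate() reports its absence at authentication time.
        this.tokenStore = ThreadLocals.TOKEN_STORE_TL.get();
        this.tokenAuthenticators = (TokenAuthenticators) Objects.requireNonNull(ThreadLocals.TOKEN_AUTHENICATORS_TL.get());
    }

    /**
     * Builds authorization info from the roles of the primary {@link ODLPrincipal}.
     *
     * @param principalCollection principals of the authenticated subject
     * @return the principal's roles, or an empty authorization info when the primary principal
     *         is not an {@link ODLPrincipal}
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        Object primary = principalCollection.getPrimaryPrincipal();
        if (primary instanceof ODLPrincipal) {
            return new SimpleAuthorizationInfo(((ODLPrincipal) primary).getRoles());
        }
        // Same outcome as the original ClassCastException path: log and grant no roles.
        LOG.error("Couldn't decode authorization request",
                new ClassCastException("Primary principal is not an ODLPrincipal"));
        return new SimpleAuthorizationInfo();
    }

    /**
     * Authenticates a token either through the configured {@link TokenAuth}s (when a password is
     * present) or by resolving it against the token store.
     *
     * @param authenticationToken the token presented by the subject
     * @return authentication info for the subject, or {@code null} when the token could not be
     *         resolved through the token store
     * @throws AuthenticationException if a {@link TokenAuth} rejected the credentials, if the
     *         token is not of the expected type, or if its credentials could not be decoded
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
            throws AuthenticationException {
        try {
            // Keep the extraction order: the thrown exception type decides which error is reported.
            String rawUsername = TokenUtils.extractUsername(authenticationToken);
            String username = HeaderUtils.extractUsername(rawUsername);
            String domain = HeaderUtils.extractDomain(rawUsername);
            String password = TokenUtils.extractPassword(authenticationToken);

            if (!Strings.isNullOrEmpty(password)) {
                AuthenticationInfo info = authenticateWithCredentials(username, password, domain);
                if (info != null) {
                    return info;
                }
            }

            // No password, or no TokenAuth accepted the credentials: the username field is used
            // as the access token to look up.
            try {
                Authentication authentication = validate(rawUsername);
                return new SimpleAuthenticationInfo(
                        ODLPrincipalImpl.createODLPrincipal(authentication), "", getName());
            } catch (AuthenticationException e) {
                LOG.debug("Unknown OAuth2 Token Access Request", e);
                LOG.debug("Authentication failed: exhausted TokenAuth resources");
                return null;
            }
        } catch (ClassCastException e) {
            throw new AuthenticationException(FATAL_ERROR_BASIC_AUTH_ONLY, e);
        } catch (NullPointerException e) {
            // A missing username/password surfaces as an NPE inside the extractors.
            throw new AuthenticationException(FATAL_ERROR_DECODING_CREDENTIALS, e);
        }
    }

    /**
     * Offers the supplied credentials to each configured {@link TokenAuth} in turn.
     *
     * @param username user name without the domain part
     * @param password the presented password (non-empty)
     * @param domain the domain part of the user name
     * @return authentication info from the first authenticator returning a non-null
     *         {@link Authentication}, or {@code null} when none of them does
     * @throws AuthenticationException wrapping the first authenticator failure; later
     *         authenticators are not consulted once one has rejected the credentials
     */
    private AuthenticationInfo authenticateWithCredentials(String username, String password, String domain) {
        Map<String, List<String>> headers = HeaderUtils.formHeaders(username, password, domain);
        for (TokenAuth tokenAuth : tokenAuthenticators.getTokenAuthCollection()) {
            try {
                LOG.debug("Authentication attempt using {}", tokenAuth.getClass().getName());
                Authentication authentication = tokenAuth.validate(headers);
                if (authentication != null) {
                    LOG.debug("Authentication attempt successful");
                    authenticationService.set(authentication);
                    return new SimpleAuthenticationInfo(
                            ODLPrincipalImpl.createODLPrincipal(authentication),
                            password.toCharArray(), getName());
                }
            } catch (AuthenticationException e) {
                LOG.debug("Authentication attempt unsuccessful");
                throw new AuthenticationException(UNABLE_TO_AUTHENTICATE, e);
            }
        }
        return null;
    }

    /**
     * Resolves an access token against the token store and publishes the resulting
     * {@link Authentication} to the authentication service.
     *
     * @param token the access token to look up
     * @return the authentication associated with the token
     * @throws AuthenticationException if no token store is available or the token is unknown
     */
    private Authentication validate(String token) {
        // The token is a bearer credential and the caller logs this exception, so it is
        // deliberately not echoed into the message.
        if (tokenStore == null) {
            throw new AuthenticationException("Token store not available, could not validate the token");
        }
        Authentication authentication = tokenStore.get(token);
        if (authentication == null) {
            throw new AuthenticationException("Could not validate the token");
        }
        authenticationService.set(authentication);
        return authentication;
    }
}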
