package com.manydesigns.portofino.shiro;

import com.manydesigns.elements.reflection.ClassAccessor;
import com.manydesigns.elements.reflection.JavaClassAccessor;
import com.manydesigns.portofino.di.Inject;
import com.manydesigns.portofino.logic.SecurityLogic;
import com.manydesigns.portofino.modules.BaseModule;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.impl.Base64Codec;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.security.Key;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.configuration.Configuration;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.credential.PasswordMatcher;
import org.apache.shiro.authc.credential.PasswordService;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.HashService;
import org.apache.shiro.crypto.hash.format.HashFormat;
import org.apache.shiro.lang.codec.Base64;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.jetbrains.annotations.NotNull;
import org.joda.time.DateTime;

/* loaded from: input_file:WEB-INF/lib/portofino-pageactions-4.2.13-SNAPSHOT.jar:com/manydesigns/portofino/shiro/AbstractPortofinoRealm.class */
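/**
 * Base Shiro realm for Portofino.
 *
 * <p>It issues and verifies HS512-signed JSON Web Tokens keyed by the {@code jwt.secret}
 * configuration property, derives the groups of a principal, and supplies default
 * implementations of the {@link PortofinoRealm} user-management operations, most of
 * which throw {@link UnsupportedOperationException}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Tokens are signed, not encrypted. Both the JSON {@code principal} claim and the
 *       Java-serialized principal can be read by anyone who holds a token.</li>
 *   <li>{@link #loadAuthenticationInfo(JSONWebToken)} Java-deserializes a claim of the token.
 *       The only barrier in front of {@code readObject()} is the signature check, so the
 *       secrecy and strength of {@code jwt.secret} guard far more than token forgery.</li>
 * </ul>
 */
public abstract class AbstractPortofinoRealm extends AuthorizingRealm implements PortofinoRealm {
    public static final String copyright = "Copyright (C) 2005-2025 ManyDesigns srl";

    /** Name of the JWT claim that carries the Base64-encoded, Java-serialized principal. */
    private static final String SERIALIZED_PRINCIPAL_CLAIM = "serialized-principal";

    @Inject(BaseModule.PORTOFINO_CONFIGURATION)
    protected Configuration portofinoConfiguration;

    /** Password service installed by {@link #setup(HashService, HashFormat)}. */
    protected PasswordService passwordService;

    /**
     * {@code true} only while the constructor's default setup is in effect. Any later call to
     * {@link #setup(HashService, HashFormat)} resets it to {@code false}.
     */
    protected boolean legacyHashing;

    /**
     * Installs the default password handling and marks the realm as using legacy hashing.
     *
     * <p>NOTE(review): the default uses PlaintextHashService / PlaintextHashFormat, whose names
     * suggest stored passwords are compared without hashing. Presumably concrete realms call
     * {@code setup} with a real hash service; confirm for every subclass in use.
     */
    protected AbstractPortofinoRealm() {
        // setup() is overridable and runs before subclass fields are initialised.
        setup(new PlaintextHashService(), new PlaintextHashFormat());
        // setup() clears the flag, so it has to be raised afterwards.
        this.legacyHashing = true;
    }

    /**
     * Accepts {@link JSONWebToken}s in addition to whatever the superclass supports.
     */
    @Override
    public boolean supports(AuthenticationToken authenticationToken) {
        return (authenticationToken instanceof JSONWebToken) || super.supports(authenticationToken);
    }

    /**
     * Builds the authentication info for a login that presents a JSON Web Token.
     *
     * <p>The compact JWS held in the token's principal is verified with {@link #getJWTKey()};
     * a bad signature, a malformed token or an expired token is reported by jjwt as a
     * {@link JwtException}. The principal is then restored from the Java-serialized
     * {@code serialized-principal} claim.
     *
     * <p>NOTE(review): the credentials placed in the result come from the presented token
     * itself, not from a user store. Presumably the credentials matcher therefore always
     * succeeds and the signature and expiry are the only effective checks; confirm against
     * JSONWebToken and the configured matcher.
     *
     * @param jSONWebToken the token submitted by the client
     * @return authentication info whose principal is the deserialized object
     * @throws AuthenticationException if the token fails verification, lacks the serialized
     *         principal, or the principal cannot be deserialized
     */
    public AuthenticationInfo loadAuthenticationInfo(JSONWebToken jSONWebToken) {
        try {
            Claims claims = Jwts.parser()
                    .setSigningKey(getJWTKey())
                    .parseClaimsJws(jSONWebToken.getPrincipal())
                    .getBody();
            // encryptPassword is not declared in this class; presumably it comes from PortofinoRealm.
            String credentials = this.legacyHashing
                    ? jSONWebToken.getCredentials()
                    : encryptPassword(jSONWebToken.getCredentials());

            Object encodedPrincipal = claims.get(SERIALIZED_PRINCIPAL_CLAIM);
            if (!(encodedPrincipal instanceof String)) {
                // Same exception type as before (the failed cast or decode was wrapped), clearer reason.
                throw new AuthenticationException(
                        "JWT has no usable '" + SERIALIZED_PRINCIPAL_CLAIM + "' claim");
            }

            // SECURITY(review): native Java deserialization of token content. These bytes are
            // reached only after the HS512 signature has verified, so the trust boundary is
            // jwt.secret: whoever knows that key decides which classes readObject() instantiates.
            // Restrict the stream to the concrete principal types with a class allow-list
            // (ObjectInputFilter on Java 9+, or a resolveClass override), or rebuild the principal
            // from the JSON claims instead. Left unrestricted here because the permitted principal
            // classes are not visible from this class.
            try (ObjectInputStream principalIn = new ObjectInputStream(
                    new ByteArrayInputStream(Base64.decode((String) encodedPrincipal)))) {
                return new SimpleAuthenticationInfo(principalIn.readObject(), credentials, getName());
            } catch (IOException | ClassNotFoundException | RuntimeException e) {
                // Every failure while restoring the principal is an authentication failure.
                throw new AuthenticationException(e);
            }
        } catch (JwtException e) {
            throw new AuthenticationException(e);
        }
    }

    /**
     * Issues a JWT for the given principal, signed with HS512 and expiring one day from now.
     *
     * <p>The token carries the principal twice: as the {@code principal} claim, serialized to
     * JSON by jjwt, and as the {@code serialized-principal} claim, holding its Java-serialized
     * bytes. Because the token is signed but not encrypted, every field of the principal that
     * reaches either form is readable by the token holder; keep secrets such as password
     * hashes out of principal classes.
     *
     * @param obj the principal to embed; must be Java-serializable
     * @return the compact, signed token
     * @throws RuntimeException if the principal cannot be serialized
     */
    @Override
    public String generateWebToken(Object obj) {
        Key signingKey = getJWTKey();
        HashMap<String, Object> claims = new HashMap<>();
        claims.put("principal", obj);

        ByteArrayOutputStream serialized = new ByteArrayOutputStream();
        // The stream is closed before the bytes are read so that everything is flushed.
        try (ObjectOutputStream principalOut = new ObjectOutputStream(serialized)) {
            principalOut.writeObject(obj);
        } catch (IOException e) {
            throw new RuntimeException("Could not serialize the principal for the JWT", e);
        }
        claims.put(SERIALIZED_PRINCIPAL_CLAIM, serialized.toByteArray());

        return Jwts.builder()
                .setClaims(claims)
                .setExpiration(new DateTime().plusDays(1).toDate())
                .signWith(SignatureAlgorithm.HS512, signingKey)
                .compact();
    }

    /**
     * Builds the HMAC key from the Base64-encoded {@code jwt.secret} configuration property.
     *
     * <p>NOTE(review): nothing here checks that the property is set, that it differs from a
     * shipped default, or that the decoded key is at least 64 bytes, the minimum RFC 7518
     * requires for HS512. A known or short secret allows token forgery and, through
     * {@link #loadAuthenticationInfo(JSONWebToken)}, control over deserialized content.
     * Validate the secret at startup and generate it per installation.
     *
     * @return the key used both to sign and to verify tokens
     */
    @NotNull
    protected Key getJWTKey() {
        String encodedSecret = this.portofinoConfiguration.getString("jwt.secret");
        return new SecretKeySpec(
                Base64Codec.BASE64.decode(encodedSecret), SignatureAlgorithm.HS512.getJcaName());
    }

    /**
     * Maps the groups of the primary principal to Shiro roles and permissions.
     *
     * <p>Members of the administrators group additionally receive the wildcard string
     * permission {@code "*"}. A single {@link GroupPermission} built from the groups is set as
     * the object permission.
     */
    @Override
    public AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        Set<String> groups = getGroups(principalCollection.getPrimaryPrincipal());
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(groups);
        String administrators = SecurityLogic.getAdministratorsGroup(this.portofinoConfiguration);
        if (groups.contains(administrators)) {
            info.addStringPermission("*");
        }
        info.setObjectPermissions(Collections.singleton(new GroupPermission(groups)));
        return info;
    }

    /**
     * Returns the additional groups of an authenticated principal. This base implementation
     * returns none.
     *
     * @param serializable the authenticated principal
     * @return the principal's extra groups, empty here
     */
    protected Collection<String> loadAuthorizationInfo(Serializable serializable) {
        return Collections.emptySet();
    }

    /**
     * Returns the built-in groups in a fixed order: all, anonymous, registered, administrators.
     */
    @Override
    public Set<String> getGroups() {
        Set<String> builtIn = new LinkedHashSet<>();
        builtIn.add(SecurityLogic.getAllGroup(this.portofinoConfiguration));
        builtIn.add(SecurityLogic.getAnonymousGroup(this.portofinoConfiguration));
        builtIn.add(SecurityLogic.getRegisteredGroup(this.portofinoConfiguration));
        builtIn.add(SecurityLogic.getAdministratorsGroup(this.portofinoConfiguration));
        return builtIn;
    }

    /**
     * Computes the groups of a principal.
     *
     * <p>Every caller is in the "all" group. A {@code null} principal is also anonymous. Any
     * other principal is registered and gains the groups from
     * {@link #loadAuthorizationInfo(Serializable)}.
     *
     * @param obj the principal, or {@code null} for an unauthenticated caller
     * @return a new mutable set of group names
     * @throws AuthorizationException if the principal is not {@link Serializable}
     */
    @Override
    @NotNull
    public Set<String> getGroups(Object obj) {
        Set<String> groups = new HashSet<>();
        groups.add(SecurityLogic.getAllGroup(this.portofinoConfiguration));
        if (obj == null) {
            groups.add(SecurityLogic.getAnonymousGroup(this.portofinoConfiguration));
            return groups;
        }
        if (!(obj instanceof Serializable)) {
            throw new AuthorizationException("Invalid principal: " + obj);
        }
        groups.add(SecurityLogic.getRegisteredGroup(this.portofinoConfiguration));
        groups.addAll(loadAuthorizationInfo((Serializable) obj));
        return groups;
    }

    /** Not supported by this base class; always throws {@link UnsupportedOperationException}. */
    @Override
    public Serializable getUserById(String str) {
        throw new UnsupportedOperationException();
    }

    /** Not supported by this base class; always throws {@link UnsupportedOperationException}. */
    @Override
    public Serializable getUserByEmail(String str) {
        throw new UnsupportedOperationException();
    }

    /** Returns the class accessor for {@link User}. */
    @Override
    public ClassAccessor getSelfRegisteredUserClassAccessor() {
        return JavaClassAccessor.getClassAccessor(User.class);
    }

    /** Returns the principal's {@code toString()} as its display name. */
    @Override
    public String getUserPrettyName(Serializable serializable) {
        return serializable.toString();
    }

    /** Not supported by this base class; always throws {@link UnsupportedOperationException}. */
    @Override
    public void verifyUser(Serializable serializable) {
        throw new UnsupportedOperationException();
    }

    /** Not supported by this base class; always throws {@link UnsupportedOperationException}. */
    @Override
    public void changePassword(Serializable serializable, String str, String str2) {
        throw new UnsupportedOperationException();
    }

    /** Not supported by this base class; always throws {@link UnsupportedOperationException}. */
    @Override
    public String generateOneTimeToken(Serializable serializable) {
        throw new UnsupportedOperationException();
    }

    /** Not supported by this base class; always throws {@link UnsupportedOperationException}. */
    @Override
    public String saveSelfRegisteredUser(Object obj) {
        throw new UnsupportedOperationException();
    }

    /**
     * Configures password hashing and matching for this realm.
     *
     * <p>A new PortofinoPasswordService using the given hash service and format becomes both
     * {@link #passwordService} and the password service of the realm's credentials matcher.
     * The call also clears {@link #legacyHashing}.
     *
     * @param hashService the hash service handed to the password service
     * @param hashFormat the hash format handed to the password service
     */
    protected void setup(HashService hashService, HashFormat hashFormat) {
        PortofinoPasswordService service = new PortofinoPasswordService();
        service.setHashService(hashService);
        service.setHashFormat(hashFormat);

        PasswordMatcher matcher = new PasswordMatcher();
        matcher.setPasswordService(service);
        setCredentialsMatcher(matcher);

        this.passwordService = service;
        this.legacyHashing = false;
    }
}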
