package info.elexis.server.core.security;

import info.elexis.server.core.common.security.ESAuthorizingRealm;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.credential.CredentialsMatcher;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicy;
import org.osgi.service.component.annotations.ReferencePolicyOption;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

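@Component(service = {})
/* loaded from: input_file:info/elexis/server/core/security/ElexisServerCompositeRealm.class */
/**
 * Shiro realm that fronts every {@link ESAuthorizingRealm} bound through OSGi Declarative
 * Services and delegates authentication, credential matching and authorization to them.
 *
 * <p>Delegates are kept in a static registry keyed by {@link ESAuthorizingRealm#getName()}.
 * The registry is static, so it is shared by every instance of this class.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>{@link #supports(AuthenticationToken)} accepts every token; filtering by token type
 *       happens per delegate inside {@link #doGetAuthenticationInfo(AuthenticationToken)}.</li>
 *   <li>Delegates are tried in the iteration order of a {@link HashMap}, which is unspecified.
 *       The first delegate that returns a non-null {@link AuthenticationInfo} wins.</li>
 *   <li>Credential matching and authorization both require the principals to originate from
 *       exactly one realm, and that realm must still be registered; otherwise the match fails
 *       or no authorization info is returned.</li>
 * </ul>
 */
public class ElexisServerCompositeRealm extends AuthorizingRealm {
    private static final Logger log = LoggerFactory.getLogger(ElexisServerCompositeRealm.class);

    /**
     * Registry of delegate realms by name. Single operations on the synchronized map are
     * atomic; iterating any of its views must be done while holding the map's own monitor.
     */
    private static final Map<String, ESAuthorizingRealm> realms = Collections.synchronizedMap(new HashMap<String, ESAuthorizingRealm>());

    /**
     * Credentials matcher that forwards to the matcher of the delegate realm which produced
     * the {@link AuthenticationInfo}. Returns {@code false} when the info is not tied to
     * exactly one realm or when that realm is no longer registered.
     */
    private static final CredentialsMatcher credentialsMatcher = new CredentialsMatcher() { // from class: info.elexis.server.core.security.ElexisServerCompositeRealm.1
        @Override
        public boolean doCredentialsMatch(AuthenticationToken authenticationToken, AuthenticationInfo authenticationInfo) {
            Set<String> realmNames = authenticationInfo.getPrincipals().getRealmNames();
            if (realmNames.size() != 1) {
                ElexisServerCompositeRealm.log.warn("AuthenticationInfo does not match against single realm [{}]", realmNames);
                return false;
            }
            ESAuthorizingRealm owner = ElexisServerCompositeRealm.realms.get(realmNames.iterator().next());
            if (owner == null) {
                // The realm was unbound between lookup and matching: reject the attempt.
                return false;
            }
            boolean matched = owner.getCredentialsMatcher().doCredentialsMatch(authenticationToken, authenticationInfo);
            if (!matched) {
                // NOTE(review): the message says "userId or token", so for token-based realms the
                // principal written here may be the presented secret itself. The value is also
                // caller-supplied; confirm that the log layout neutralises CR/LF and that log
                // access is restricted, or log a truncated/hashed form instead.
                ElexisServerCompositeRealm.log.warn("Invalid login attempt by userId or token [{}] in realm [{}]", authenticationToken.getPrincipal(), owner.getName());
            }
            return matched;
        }
    };

    /**
     * Registers a delegate realm under its name. A realm that is already registered under the
     * same name is replaced.
     *
     * @param eSAuthorizingRealm the realm supplied by the OSGi service registry
     */
    @Reference(service = ESAuthorizingRealm.class, cardinality = ReferenceCardinality.AT_LEAST_ONE, policy = ReferencePolicy.DYNAMIC, policyOption = ReferencePolicyOption.GREEDY)
    protected synchronized void bind(ESAuthorizingRealm eSAuthorizingRealm) {
        log.info("Binding realm [{}] as [{}]", eSAuthorizingRealm.getClass().getName(), eSAuthorizingRealm.getName());
        realms.put(eSAuthorizingRealm.getName(), eSAuthorizingRealm);
    }

    /**
     * Removes the registry entry stored under the realm's name.
     *
     * @param eSAuthorizingRealm the realm being withdrawn by the OSGi service registry
     */
    protected synchronized void unbind(ESAuthorizingRealm eSAuthorizingRealm) {
        log.info("Unbinding realm [{}]", eSAuthorizingRealm.getClass().getName());
        // NOTE(review): removal is by name only. If a replacement realm with the same name was
        // bound before this call, its entry is removed as well - confirm whether that can occur.
        realms.remove(eSAuthorizingRealm.getName());
    }

    /** Creates the composite realm with the delegating credentials matcher installed. */
    public ElexisServerCompositeRealm() {
        super(credentialsMatcher);
    }

    /**
     * Resolves authorization data from the single delegate realm that issued the principals.
     *
     * @param principalCollection the authenticated principals; must not be {@code null}
     * @return the delegate's authorization info, or {@code null} when the principals do not map
     *     to exactly one realm or that realm is not registered
     * @throws AuthorizationException if {@code principalCollection} is {@code null}
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        if (principalCollection == null) {
            throw new AuthorizationException("PrincipalCollection method argument cannot be null.");
        }
        Set<String> realmNames = principalCollection.getRealmNames();
        if (realmNames.size() != 1) {
            log.warn("AuthenticationInfo does not match against single realm [{}]", realmNames);
            return null;
        }
        ESAuthorizingRealm owner = realms.get(realmNames.iterator().next());
        return owner != null ? owner.doGetAuthorizationInfo(principalCollection) : null;
    }

    /**
     * Asks each registered delegate that supports the token for authentication info and returns
     * the first non-null answer.
     *
     * <p>An {@link AuthenticationException} thrown by a delegate is logged and rethrown, so
     * delegates later in the iteration are not consulted for that attempt.
     *
     * @param authenticationToken the submitted token
     * @return the first non-null info produced by a supporting delegate, or {@code null} if none
     * @throws AuthenticationException propagated unchanged from a delegate
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        // Realms are bound and unbound dynamically. Iterating the live values() view without
        // holding the map's monitor can fail with ConcurrentModificationException in the middle
        // of a login, so work on a snapshot taken under that monitor.
        final ESAuthorizingRealm[] candidates;
        synchronized (realms) {
            candidates = realms.values().toArray(new ESAuthorizingRealm[0]);
        }
        try {
            for (ESAuthorizingRealm candidate : candidates) {
                if (!candidate.supports(authenticationToken)) {
                    continue;
                }
                AuthenticationInfo info = candidate.doGetAuthenticationInfo(authenticationToken);
                if (info != null) {
                    return info;
                }
            }
            // NOTE(review): the principal is caller-supplied and may be a token for token-based
            // realms; confirm it is safe to write to the log as-is.
            log.warn("Invalid login attempt for userId [{}] no realm entry found.", authenticationToken.getPrincipal());
            return null;
        } catch (AuthenticationException e) {
            log.warn("AuthenticationException", e);
            throw e;
        }
    }

    /**
     * Accepts every token type; the per-realm {@code supports} check is applied in
     * {@link #doGetAuthenticationInfo(AuthenticationToken)}.
     *
     * @param authenticationToken the submitted token (not inspected)
     * @return always {@code true}
     */
    @Override
    public boolean supports(AuthenticationToken authenticationToken) {
        return true;
    }
}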
