package com.neo4j.gds.arrow.server.auth;

import com.neo4j.gds.arrow.core.exceptions.Exceptions;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Consumer;
import org.neo4j.gds.compat.GraphDatabaseApiProxy;
import org.neo4j.graphdb.GraphDatabaseService;
import org.neo4j.internal.kernel.api.security.AdminActionOnResource;
import org.neo4j.internal.kernel.api.security.LoginContext;
import org.neo4j.internal.kernel.api.security.PrivilegeAction;
import org.neo4j.internal.kernel.api.security.SecurityContext;
import org.neo4j.internal.kernel.api.security.UserSegment;
import org.neo4j.kernel.impl.coreapi.InternalTransaction;
import org.neo4j.logging.Log;

/* loaded from: input_file:com/neo4j/gds/arrow/server/auth/DatabaseUserPrivileges.class */
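/**
 * {@link UserPrivileges} implementation that authorizes requests against the database's own
 * security model, using the {@link LoginContext} recorded for each user at registration time.
 *
 * <p>Login contexts are held in a concurrent map keyed by user name. An entry is added by
 * {@link #registerUser} and dropped by {@link #onRemoval}; a user without an entry is rejected as
 * unauthenticated before any privilege check runs.
 *
 * <p>NOTE(review): the authorization decisions below rely on the cached login context. Confirm
 * that {@link #onRemoval} is invoked whenever the corresponding bearer token expires or is
 * revoked, so that an entry cannot outlive the authentication it was created for.
 */
final class DatabaseUserPrivileges implements UserPrivileges {
    private final GraphDatabaseService systemDb;
    private final Log log;
    // Diamond instead of the raw type so that the map stays type-checked.
    private final Map<String, LoginContext> userLoginContexts = new ConcurrentHashMap<>();

    /**
     * Creates the privilege checker.
     *
     * <p>The decompiler reports that this constructor was package-private in the original source;
     * the modifier is left as decompiled.
     *
     * @param graphDatabaseService database used for the admin-action (database creation) check
     * @param log                  log that receives debug messages about registrations and denials
     */
    public DatabaseUserPrivileges(GraphDatabaseService graphDatabaseService, Log log) {
        this.systemDb = graphDatabaseService;
        this.log = log;
    }

    /**
     * Records the login context to use for later privilege checks of {@code username}.
     * An existing entry for the same user name is replaced.
     *
     * @param username     name of the user the context belongs to
     * @param loginContext login context to authorize this user's requests with
     */
    @Override // com.neo4j.gds.arrow.server.auth.UserPrivileges
    public void registerUser(String username, LoginContext loginContext) {
        this.log.debug("Registering login context for user %s", username);
        this.userLoginContexts.put(username, loginContext);
    }

    /**
     * Verifies that {@code username} holds the {@code CREATE_DATABASE} admin privilege.
     *
     * <p>Throws the exception built by {@code Exceptions.unauthenticatedUser} when no login context
     * is registered for the user, and the one built by {@code Exceptions.permissionDenied} when the
     * security context does not allow the action.
     *
     * @param username name of the user requesting database creation
     */
    @Override // com.neo4j.gds.arrow.server.auth.UserPrivileges
    public void assertDatabaseCreationIsAllowed(String username) {
        LoginContext loginContext = this.userLoginContexts.get(username);
        if (loginContext == null) {
            throw Exceptions.unauthenticatedUser(username);
        }
        accessSecurityContext(this.systemDb, loginContext, securityContext -> {
            AdminActionOnResource createDatabase = new AdminActionOnResource(
                PrivilegeAction.CREATE_DATABASE,
                AdminActionOnResource.DatabaseScope.ALL,
                new UserSegment(username));
            if (!securityContext.allowsAdminAction(createDatabase).allowsAccess()) {
                // NOTE(review): the user's roles are handed to the denial exception; confirm
                // whether they end up in the response sent back to the client.
                throw Exceptions.permissionDenied(
                    PrivilegeAction.CREATE_DATABASE, "DBMS", username, securityContext.roles());
            }
        });
    }

    /**
     * Verifies that {@code username} can open a transaction on the given database.
     *
     * <p>No explicit privilege is inspected: the check consists of beginning a transaction under
     * the user's login context, and any exception raised while doing so is reported as a denial.
     * The check therefore fails closed, but an unrelated failure (presumably also an unavailable
     * database) is indistinguishable from a genuine denial for the caller.
     *
     * @param username             name of the user requesting access
     * @param graphDatabaseService database the user wants to access
     */
    @Override // com.neo4j.gds.arrow.server.auth.UserPrivileges
    public void assertDatabaseIsAccessible(String username, GraphDatabaseService graphDatabaseService) {
        LoginContext loginContext = this.userLoginContexts.get(username);
        if (loginContext == null) {
            throw Exceptions.unauthenticatedUser(username);
        }
        try {
            accessSecurityContext(graphDatabaseService, loginContext, securityContext -> {
                // Intentionally empty: obtaining the security context is the whole check.
            });
        } catch (Exception e) {
            // Only the message survives in the exception thrown below, so keep the full cause
            // (type and stack trace) in the server log for diagnosis and audit.
            this.log.debug(String.format("Access check failed for user %s", username), e);
            // NOTE(review): e.getMessage() may be null and is forwarded as-is; confirm that the
            // messages reaching this point are safe to expose to the requesting client.
            throw Exceptions.permissionDenied(e.getMessage());
        }
    }

    /**
     * Drops the login context of {@code username}; subsequent checks for that user are rejected
     * as unauthenticated until the user is registered again.
     *
     * @param username name of the user whose login context is discarded
     */
    @Override // com.neo4j.gds.arrow.server.auth.GdsBearerTokenAuthenticator.RemovalListener
    public void onRemoval(String username) {
        this.log.debug("Removing login context for user %s", username);
        this.userLoginContexts.remove(username);
    }

    /**
     * Opens a transaction on {@code graphDatabaseService} under {@code loginContext}, passes the
     * transaction's security context to {@code consumer}, and closes the transaction afterwards,
     * whether or not the consumer throws.
     *
     * @param graphDatabaseService database to open the transaction on
     * @param loginContext         login context the transaction is started with
     * @param consumer             check to run against the resulting security context
     */
    private static void accessSecurityContext(
        GraphDatabaseService graphDatabaseService,
        LoginContext loginContext,
        Consumer<SecurityContext> consumer
    ) {
        // try-with-resources replaces the decompiler's expanded close/addSuppressed sequence,
        // including a null check that came after the transaction had already been dereferenced.
        try (InternalTransaction transaction =
                 GraphDatabaseApiProxy.beginTransaction(graphDatabaseService, loginContext)) {
            consumer.accept(transaction.securityContext());
        }
    }
}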
