package com.dtolabs.rundeck.core.authorization;

import com.dtolabs.rundeck.core.authorization.Explanation;
import com.dtolabs.rundeck.core.authorization.providers.ContextDecision;
import com.dtolabs.rundeck.core.authorization.providers.ContextEvaluation;
import java.io.PrintStream;
import java.security.Principal;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
import java.util.stream.Collectors;
import javax.security.auth.Subject;

/* loaded from: input_file:com/dtolabs/rundeck/core/authorization/RuleEvaluator.class */
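/**
 * Evaluates authorization requests against a set of ACL rules.
 *
 * <p>Rules are first narrowed to those whose environment and subject clauses match the request
 * ({@link #narrowContext}). Each remaining rule is then checked against the resource and the
 * action. A rule that explicitly denies the action ends evaluation at once with a rejected
 * decision, regardless of grants seen earlier; otherwise the request is authorized when at least
 * one rule grants it.
 *
 * <p>This file is decompiler output. The nested predicate classes and
 * {@link #patternForRegex(String)} are shown with the widened visibility the decompiler reported.
 */
public class RuleEvaluator implements AclRuleSetAuthorization {
    /**
     * Compiled resource-match patterns keyed by their source text. The cache is shared by all
     * instances and entries are never evicted.
     */
    private static final ConcurrentHashMap<String, Pattern> patternCache = new ConcurrentHashMap<>();

    private final AclRuleSet rules;
    private final AclRuleSetSource source;
    private final AclSubjectCreator aclSubjectCreator;

    // Predicate factories for the "contains" and "subset" rule sections, one per supported
    // rule-value shape (single string or list of strings).
    private final Function<String, Predicate<String>> setContainsString =
            value -> new SetContainsPredicate(value);
    @SuppressWarnings({"rawtypes", "unchecked"})
    private final Function<List, Predicate<String>> setContainsList =
            values -> new SetContainsPredicate((List<String>) values);
    private final Function<String, Predicate<String>> setSubsetString =
            value -> new SetSubsetPredicate(value);
    @SuppressWarnings({"rawtypes", "unchecked"})
    private final Function<List, Predicate<String>> setSubsetList =
            values -> new SetSubsetPredicate((List<String>) values);

    /** Converts a JAAS {@link Subject} into the {@link AclSubject} view used for rule matching. */
    public interface AclSubjectCreator {
        AclSubject createFrom(Subject subject);
    }

    /**
     * Matches a resource value against a compiled pattern. The whole value must match
     * ({@link java.util.regex.Matcher#matches()}); a {@code null} value never matches.
     */
    public static class RegexPredicate implements Predicate<String> {
        Pattern regex;

        RegexPredicate(Pattern pattern) {
            this.regex = pattern;
        }

        @Override
        public boolean test(String value) {
            return value != null && this.regex.matcher(value).matches();
        }
    }

    /**
     * Matches when the comma-separated resource value contains every item of the rule.
     * A {@code null} resource value is treated as an empty list.
     */
    public static class SetContainsPredicate implements Predicate<String> {
        HashSet<String> items = new HashSet<>();

        SetContainsPredicate(List<String> list) {
            this.items.addAll(list);
        }

        SetContainsPredicate(String item) {
            this.items.add(item);
        }

        /** Returns true when every element of the comma-separated {@code value} is in {@code set}. */
        static boolean isSubset(String value, Set<String> set) {
            return set.containsAll(getCollection(value));
        }

        /** Returns true when every element of {@code set} occurs in the comma-separated {@code value}. */
        static boolean isSubset(Set<String> set, String value) {
            return getCollection(value).containsAll(set);
        }

        @Override
        public boolean test(String value) {
            return isSubset(this.items, value);
        }

        /**
         * Splits a comma-separated value into a set of trimmed elements.
         *
         * @param value the raw value; {@code null} yields an empty set
         * @return the distinct trimmed elements
         */
        static Set<String> getCollection(String value) {
            Set<String> elements = new HashSet<>();
            if (value != null) {
                for (String element : value.split(",")) {
                    elements.add(element.trim());
                }
            }
            return elements;
        }
    }

    /**
     * Matches when every element of the comma-separated resource value is one of the rule's items.
     *
     * <p>A {@code null} resource value matches. NOTE(review): this means a subset rule section
     * places no constraint on a resource that lacks the attribute; confirm that policy authors
     * expect this.
     */
    public static class SetSubsetPredicate extends SetContainsPredicate implements Predicate<String> {
        SetSubsetPredicate(List<String> list) {
            super(list);
        }

        SetSubsetPredicate(String item) {
            super(item);
        }

        @Override
        public boolean test(String value) {
            if (value == null) {
                return true;
            }
            return isSubset(value, this.items);
        }
    }

    private RuleEvaluator(AclRuleSetSource aclRuleSetSource, AclSubjectCreator aclSubjectCreator) {
        this.source = aclRuleSetSource;
        this.rules = null;
        this.aclSubjectCreator = aclSubjectCreator;
    }

    private RuleEvaluator(AclRuleSet aclRuleSet, AclSubjectCreator aclSubjectCreator) {
        this.source = null;
        this.rules = aclRuleSet;
        this.aclSubjectCreator = aclSubjectCreator;
    }

    /** Creates an evaluator that asks {@code aclRuleSetSource} for the rule set on every use. */
    public static RuleEvaluator createRuleEvaluator(AclRuleSetSource aclRuleSetSource, AclSubjectCreator aclSubjectCreator) {
        return new RuleEvaluator(aclRuleSetSource, aclSubjectCreator);
    }

    /** Creates an evaluator over a fixed rule set. */
    public static RuleEvaluator createRuleEvaluator(AclRuleSet aclRuleSet, AclSubjectCreator aclSubjectCreator) {
        return new RuleEvaluator(aclRuleSet, aclSubjectCreator);
    }

    /**
     * Evaluates one action on one resource.
     *
     * @param resource resource properties
     * @param subject the requesting subject
     * @param action the requested action
     * @param environment environment attributes of the request
     * @return the authorization decision
     */
    @Override
    public Decision evaluate(Map<String, String> resource, Subject subject, String action, Set<Attribute> environment) {
        List<AclRule> matchedRules =
                narrowContext(getRuleSet(), this.aclSubjectCreator.createFrom(subject), environment);
        return evaluate(resource, subject, action, environment, matchedRules);
    }

    /**
     * Returns the rules of {@code aclRuleSet} whose environment and subject clauses match.
     *
     * @see #matchesContexts(AclRule, AclSubject, Set)
     */
    public static List<AclRule> narrowContext(AclRuleSet aclRuleSet, final AclSubject aclSubject, final Set<Attribute> set) {
        return aclRuleSet.getRules().stream()
                .filter(rule -> matchesContexts(rule, aclSubject, set))
                .collect(Collectors.toList());
    }

    /**
     * Decides whether a rule applies to the given subject in the given environment.
     *
     * <p>The environment is checked first: a rule with an environment clause must match
     * {@code set}, and a rule without one applies only when {@code set} is null or empty. The
     * subject then matches by username, group, exact URN, {@code user:} URN or {@code group:} URN.
     * The result is that match when {@link AclRule#isBy()} is true and its negation otherwise.
     *
     * <p>The rule's username and group are compared literally and also compiled as regular
     * expressions that must match the whole name, so a metacharacter such as {@code .} in a
     * policy name widens the set of subjects the rule applies to.
     */
    public static boolean matchesContexts(AclRule aclRule, AclSubject aclSubject, Set<Attribute> set) {
        if (aclRule.getEnvironment() != null) {
            if (!aclRule.getEnvironment().matches(set)) {
                return false;
            }
        } else if (set != null && set.size() > 0) {
            return false;
        }
        boolean by = aclRule.isBy();
        boolean subjectMatches = matchesUsername(aclRule, aclSubject)
                || matchesGroup(aclRule, aclSubject)
                || matchesUrn(aclRule, aclSubject)
                || matchesUserUrn(aclRule, aclSubject)
                || matchesGroupUrn(aclRule, aclSubject);
        return subjectMatches == by;
    }

    /** Username clause: literal equality or full regex match of the subject's username. */
    private static boolean matchesUsername(AclRule aclRule, AclSubject aclSubject) {
        return aclSubject.getUsername() != null
                && aclRule.getUsername() != null
                && (aclSubject.getUsername().equals(aclRule.getUsername())
                        || matchesPattern(aclSubject.getUsername(), aclRule.getUsername()));
    }

    /**
     * Group clause: literal membership or full regex match of any subject group.
     * NOTE(review): unlike the username and URN clauses, the rule's group is not null-checked here.
     */
    private static boolean matchesGroup(AclRule aclRule, AclSubject aclSubject) {
        return aclSubject.getGroups() != null
                && aclSubject.getGroups().size() > 0
                && (aclSubject.getGroups().contains(aclRule.getGroup())
                        || matchesAnyPatterns(aclSubject.getGroups(), aclRule.getGroup()));
    }

    /** URN clause: the subject's URN equals the rule's URN. */
    private static boolean matchesUrn(AclRule aclRule, AclSubject aclSubject) {
        return aclSubject.getUrn() != null
                && aclRule.getUrn() != null
                && aclSubject.getUrn().equals(aclRule.getUrn());
    }

    /** URN clause of the form {@code user:NAME} naming the subject's username. */
    private static boolean matchesUserUrn(AclRule aclRule, AclSubject aclSubject) {
        return aclSubject.getUsername() != null
                && aclRule.getUrn() != null
                && aclRule.getUrn().startsWith("user:")
                && ("user:" + aclSubject.getUsername()).equals(aclRule.getUrn());
    }

    /** URN clause of the form {@code group:NAME} naming one of the subject's groups. */
    private static boolean matchesGroupUrn(AclRule aclRule, AclSubject aclSubject) {
        return aclSubject.getGroups() != null
                && aclRule.getUrn() != null
                && aclRule.getUrn().startsWith("group:")
                && aclSubject.getGroups().stream()
                        .anyMatch(group -> ("group:" + group).equals(aclRule.getUrn()));
    }

    /**
     * Returns true when {@code str}, compiled as a regular expression, fully matches at least one
     * element of {@code collection}.
     *
     * @return false when nothing matches, and also when the pattern cannot be compiled or any
     *     other runtime failure occurs during matching
     */
    public static boolean matchesAnyPatterns(Collection<String> collection, String str) {
        try {
            Pattern pattern = Pattern.compile(str);
            for (String candidate : collection) {
                if (pattern.matcher(candidate.toString()).matches()) {
                    return true;
                }
            }
            return false;
        } catch (RuntimeException ignored) {
            // Deliberate: a null or invalid pattern, or a null element, counts as "no match".
            return false;
        }
    }

    /** Returns true when {@code regex} compiles and fully matches {@code value}. */
    private static boolean matchesPattern(String value, String regex) {
        try {
            return Pattern.compile(regex).matcher(value).matches();
        } catch (PatternSyntaxException ignored) {
            // A rule name that is not a valid regex can still match literally in the caller.
            return false;
        }
    }

    /**
     * Evaluates every action against every resource.
     *
     * <p>The rule set is narrowed once for the subject and environment and reused for all
     * combinations.
     *
     * @return one decision per resource/action pair
     */
    @Override
    public Set<Decision> evaluate(Set<Map<String, String>> resources, Subject subject, Set<String> actions, Set<Attribute> environment) {
        Set<Decision> decisions = new HashSet<>();
        List<AclRule> matchedRules =
                narrowContext(getRuleSet(), this.aclSubjectCreator.createFrom(subject), environment);
        for (Map<String, String> resource : resources) {
            for (String action : actions) {
                decisions.add(internalEvaluate(resource, subject, action, environment, matchedRules));
            }
        }
        return decisions;
    }

    private Decision evaluate(Map<String, String> resource, Subject subject, String action, Set<Attribute> environment, List<AclRule> matchedRules) {
        return internalEvaluate(resource, subject, action, environment, matchedRules);
    }

    /** Builds a decision whose explanation is a fixed reason text and code. */
    private static Decision authorize(boolean authorized, final String reason, final Explanation.Code code, Map<String, String> resource, Subject subject, String action, Set<Attribute> environment, long duration) {
        Explanation explanation = new Explanation() {
            @Override
            public Explanation.Code getCode() {
                return code;
            }

            @Override
            public void describe(PrintStream out) {
                out.println(toString());
            }

            @Override
            public String toString() {
                return "\t" + reason + " => " + code;
            }
        };
        return createAuthorize(authorized, explanation, resource, subject, action, environment, duration);
    }

    /**
     * Builds an immutable {@link Decision} over the given values.
     *
     * <p>{@code resource}, {@code subject} and {@code environment} may be null: the early
     * rejections in {@code internalEvaluate} run before those arguments are validated, so
     * {@code toString()} renders a null component as empty instead of failing.
     */
    static Decision createAuthorize(final boolean authorized, final Explanation explanation, final Map<String, String> resource, final Subject subject, final String action, final Set<Attribute> environment, final long duration) {
        return new Decision() {
            // Built lazily on first use; the inputs never change.
            private String representation;

            @Override
            public boolean isAuthorized() {
                return authorized;
            }

            @Override
            public Map<String, String> getResource() {
                return resource;
            }

            @Override
            public String getAction() {
                return action;
            }

            @Override
            public Set<Attribute> getEnvironment() {
                return environment;
            }

            @Override
            public Subject getSubject() {
                return subject;
            }

            @Override
            public String toString() {
                if (this.representation == null) {
                    this.representation = "Decision for: "
                            + "res<" + describeResource(resource)
                            + "> subject<" + describePrincipals(subject)
                            + "> action<" + action
                            + "> env<" + describeEnvironment(environment)
                            + ">"
                            + ": authorized: " + isAuthorized()
                            + ": " + explanation;
                }
                return this.representation;
            }

            @Override
            public Explanation explain() {
                return explanation;
            }

            @Override
            public long evaluationDuration() {
                return duration;
            }
        };
    }

    /** Renders resource properties as {@code key:value} pairs joined by {@code ", "}. */
    private static String describeResource(Map<String, String> resource) {
        if (resource == null) {
            return "";
        }
        return resource.entrySet().stream()
                .map(entry -> entry.getKey() + ":" + entry.getValue())
                .collect(Collectors.joining(", "));
    }

    /** Renders each principal as {@code SimpleClassName:name}, separated by single spaces. */
    private static String describePrincipals(Subject subject) {
        if (subject == null) {
            return "";
        }
        return subject.getPrincipals().stream()
                .map((Principal principal) -> principal.getClass().getSimpleName() + ":" + principal.getName())
                .collect(Collectors.joining(" "));
    }

    /** Renders environment attributes joined by {@code ", "}. */
    private static String describeEnvironment(Set<Attribute> environment) {
        if (environment == null) {
            return "";
        }
        return environment.stream()
                .map(attribute -> String.valueOf(attribute))
                .collect(Collectors.joining(", "));
    }

    /**
     * Evaluates one resource/action pair against the already narrowed rules.
     *
     * <p>An empty rule list is rejected before any argument is validated. After validation, the
     * first rule that yields {@code REJECTED_DENIED} ends evaluation with a rejection. If no rule
     * denies, the last granting rule authorizes the request; with no grant, the last rule's
     * result is returned as the rejection.
     *
     * @throws IllegalArgumentException if the resource is null or holds a null key or value, or
     *     if the subject is null
     */
    private Decision internalEvaluate(Map<String, String> resource, Subject subject, String action, Set<Attribute> environment, List<AclRule> matchedRules) {
        long start = System.currentTimeMillis();
        if (matchedRules.size() < 1) {
            return authorize(false, "No context matches subject or environment", Explanation.Code.REJECTED_NO_SUBJECT_OR_ENV_FOUND, resource, subject, action, environment, System.currentTimeMillis() - start);
        }
        if (resource == null) {
            throw new IllegalArgumentException("Resource does not identify any resource because it's an empty resource property or null.");
        }
        for (Map.Entry<String, String> property : resource.entrySet()) {
            if (property.getKey() == null) {
                throw new IllegalArgumentException("Resource definition cannot contain null property name.");
            }
            if (property.getValue() == null) {
                throw new IllegalArgumentException("Resource definition cannot contain null value.  Corresponding key: " + property.getKey());
            }
        }
        if (subject == null) {
            throw new IllegalArgumentException("Invalid subject, subject is null.");
        }
        if (action == null || action.length() <= 0) {
            return authorize(false, "No action provided.", Explanation.Code.REJECTED_NO_ACTION_PROVIDED, resource, subject, action, environment, System.currentTimeMillis() - start);
        }
        if (environment == null) {
            environment = Collections.emptySet();
        }

        ContextDecision lastGrant = null;
        ContextDecision lastResult = null;
        for (AclRule rule : matchedRules) {
            ContextDecision result = ruleIncludesResourceAction(rule, resource, action);
            if (Explanation.Code.REJECTED_DENIED == result.getCode()) {
                // An explicit deny overrides any grant, including grants seen earlier in the loop.
                return createAuthorize(false, result, resource, subject, action, environment, System.currentTimeMillis() - start);
            }
            if (result.granted()) {
                lastGrant = result;
            }
            lastResult = result;
        }

        if (lastGrant != null) {
            return createAuthorize(true, lastGrant, resource, subject, action, environment, System.currentTimeMillis() - start);
        }
        if (lastResult == null) {
            return authorize(false, "No resource or action matched.", Explanation.Code.REJECTED_NO_RESOURCE_OR_ACTION_MATCH, resource, subject, action, environment, System.currentTimeMillis() - start);
        }
        return createAuthorize(false, lastResult, resource, subject, action, environment, System.currentTimeMillis() - start);
    }

    /** Returns the rule set from the configured source if there is one, else the fixed rule set. */
    @Override
    public AclRuleSet getRuleSet() {
        return this.source != null ? this.source.getRuleSet() : this.rules;
    }

    /** Wraps the result of {@link #includes} for one rule in a {@link ContextDecision}. */
    private ContextDecision ruleIncludesResourceAction(AclRule aclRule, Map<String, String> resource, String action) {
        Explanation.Code code = includes(aclRule, resource, action);
        List<ContextEvaluation> evaluations = new ArrayList<>();
        evaluations.add(new ContextEvaluation(code, MessageFormat.format("{0} {1} for action {2}", aclRule, code, action)));
        return new ContextDecision(code, Explanation.Code.GRANTED == code, evaluations);
    }

    /**
     * Checks one rule against a resource and an action.
     *
     * <p>The rule is rejected when it names a resource type that differs from the resource's
     * type field, or when any of its regex, equals, contains or subset sections fails. A rule
     * with no such section constrains the resource by type only. Surviving rules are resolved by
     * their deny and allow action lists.
     *
     * @return {@code REJECTED}, {@code REJECTED_DENIED} or {@code GRANTED}
     */
    public Explanation.Code includes(AclRule aclRule, Map<String, String> resource, String action) {
        if (aclRule.getResourceType() != null) {
            String resourceType = resource.get(AuthorizationUtil.TYPE_FIELD);
            if (resourceType == null || !aclRule.getResourceType().equals(resourceType)) {
                return Explanation.Code.REJECTED;
            }
        }
        // Every declared section is evaluated (no short-circuit), as in the original.
        boolean sectionsMatch = true;
        if (aclRule.isRegexMatch()) {
            sectionsMatch &= ruleMatchesMatchSection(resource, aclRule);
        }
        if (aclRule.isEqualsMatch()) {
            sectionsMatch &= ruleMatchesEqualsSection(resource, aclRule);
        }
        if (aclRule.isContainsMatch()) {
            sectionsMatch &= ruleMatchesContainsSection(resource, aclRule);
        }
        if (aclRule.isSubsetMatch()) {
            sectionsMatch &= ruleMatchesSubsetSection(resource, aclRule);
        }
        if (!sectionsMatch) {
            return Explanation.Code.REJECTED;
        }
        return allowOrDenyAction(aclRule, action);
    }

    /** Resolves the action: the deny list is consulted before the allow list; {@code "*"} means any action. */
    private Explanation.Code allowOrDenyAction(AclRule aclRule, String action) {
        if (aclRule.getDenyActions().contains(action) || aclRule.getDenyActions().contains("*")) {
            return Explanation.Code.REJECTED_DENIED;
        }
        if (aclRule.getAllowActions().contains(action) || aclRule.getAllowActions().contains("*")) {
            return Explanation.Code.GRANTED;
        }
        return Explanation.Code.REJECTED;
    }

    boolean ruleMatchesContainsSection(Map<String, String> resource, AclRule aclRule) {
        return validRuleSection(aclRule.getContainsResource())
                && predicateMatchRules(resource, this.setContainsString, this.setContainsList, aclRule.getContainsResource(), aclRule.getSourceIdentity());
    }

    boolean ruleMatchesSubsetSection(Map<String, String> resource, AclRule aclRule) {
        return validRuleSection(aclRule.getSubsetResource())
                && predicateMatchRules(resource, this.setSubsetString, this.setSubsetList, aclRule.getSubsetResource(), aclRule.getSourceIdentity());
    }

    boolean ruleMatchesEqualsSection(Map<String, String> resource, AclRule aclRule) {
        Function<String, Predicate<String>> equalsTo = expected -> actual -> expected.equals(actual);
        return validRuleSection(aclRule.getEqualsResource())
                && predicateMatchRules(resource, equalsTo, null, aclRule.getEqualsResource(), aclRule.getSourceIdentity());
    }

    /** A rule section counts only when it is present and non-empty; an empty section never matches. */
    private boolean validRuleSection(Map<?, ?> section) {
        return section != null && section.size() > 0;
    }

    boolean ruleMatchesMatchSection(Map<String, String> resource, AclRule aclRule) {
        Function<String, Predicate<String>> regexFor = regex -> new RegexPredicate(patternForRegex(regex));
        return validRuleSection(aclRule.getRegexResource())
                && predicateMatchRules(resource, regexFor, null, aclRule.getRegexResource(), aclRule.getSourceIdentity());
    }

    /**
     * Returns the cached compiled pattern for a rule's regex text, compiling it on first use.
     *
     * <p>Text that does not compile as a regular expression is silently turned into a pattern
     * matching exactly that text, so a typo in a policy regex changes the rule from a pattern to
     * a literal without any error.
     *
     * <p>NOTE(review): patterns are matched against resource attribute values; if those values
     * can be chosen by less-trusted users, a backtracking-heavy policy regex costs CPU on every
     * evaluation. Confirm who may author policy regexes.
     */
    public Pattern patternForRegex(String str) {
        return patternCache.computeIfAbsent(str, RuleEvaluator::compileOrQuote);
    }

    /** Compiles {@code regex}, falling back to an anchored literal match when compilation fails. */
    private static Pattern compileOrQuote(String regex) {
        try {
            return Pattern.compile(regex);
        } catch (RuntimeException invalidRegex) {
            // Deliberate fallback kept from the original: treat unparsable text as a literal.
            return Pattern.compile("^" + Pattern.quote(regex) + "$");
        }
    }

    /**
     * Returns true when every entry of a rule section matches the resource.
     *
     * @param resource resource properties
     * @param predicateTransformer builds a predicate from a string rule value
     * @param listpred builds a predicate from a list rule value, or null if lists are unsupported
     * @param ruleResource the rule section: property name to expected value
     * @param sourceIdentity identity of the rule's source; passed through, unused here
     */
    @SuppressWarnings("rawtypes")
    boolean predicateMatchRules(Map<String, String> resource, Function<String, Predicate<String>> predicateTransformer, Function<List, Predicate<String>> listpred, Map<String, Object> ruleResource, String sourceIdentity) {
        for (Map.Entry<String, Object> entry : ruleResource.entrySet()) {
            if (!applyTest(resource, predicateTransformer, entry.getKey(), entry.getValue(), listpred, sourceIdentity)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Tests one resource property against one rule value.
     *
     * <p>A list value is handled by {@code listpred} when one is supplied; a string value by
     * {@code predicateTransformer}. Any other value type, including a list when no list
     * predicate is available, fails the test, so the rule section does not match.
     */
    @SuppressWarnings("rawtypes")
    boolean applyTest(Map<String, String> resource, Function<String, Predicate<String>> predicateTransformer, String key, Object test, Function<List, Predicate<String>> listpred, String sourceIdentity) {
        final Predicate<String> predicate;
        if (listpred != null && test instanceof List) {
            predicate = listpred.apply((List) test);
        } else if (test instanceof String) {
            predicate = predicateTransformer.apply((String) test);
        } else {
            return false;
        }
        return predicate.test(resource.get(key));
    }
}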
