package com.dtolabs.rundeck.core.authorization;

import com.dtolabs.rundeck.core.authentication.Group;
import com.dtolabs.rundeck.core.authentication.Username;
import com.dtolabs.rundeck.core.authorization.Explanation;
import com.dtolabs.rundeck.core.authorization.providers.ContextDecision;
import com.dtolabs.rundeck.core.authorization.providers.ContextEvaluation;
import com.dtolabs.rundeck.core.authorization.providers.EnvironmentalContext;
import com.dtolabs.rundeck.core.utils.Converter;
import com.dtolabs.rundeck.core.utils.PairImpl;
import java.io.PrintStream;
import java.security.Principal;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
import javax.security.auth.Subject;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.Predicate;
import org.apache.commons.collections.PredicateUtils;
import org.apache.log4j.Logger;

/* loaded from: input_file:WEB-INF/lib/rundeck-core-2.6.11.jar:com/dtolabs/rundeck/core/authorization/RuleEvaluator.class */
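/**
 * Evaluates a set of {@link AclRule}s against a subject, a resource, an action and an
 * environment and produces {@link Decision}s. (Decompiled from
 * {@code rundeck-core-2.6.11.jar}; decompiler artifacts such as the unused timing call and the
 * {@code Explanation.Code.this} capture have been replaced with the intended code.)
 *
 * <p>Evaluation runs in two phases. {@link #narrowContext} keeps only the rules whose environment
 * and subject sections match (username or group, compared literally first and then as a
 * whole-string regular expression). {@link #includes} then tests each remaining rule's resource
 * section and its allow/deny action lists. An explicit deny on any applicable rule wins over every
 * allow: {@code internalEvaluate} returns the denying decision as soon as it is seen, and
 * {@link #allowOrDenyAction} checks the deny list before the allow list.
 *
 * <p>Every regular expression used here is a rule value (rule username, rule group, or an entry of
 * the rule's resource section) taken from the loaded {@link AclRuleSet}; the request side
 * (subject names, group names, resource property values) is only ever the text being matched.
 * Compiled patterns are cached per pattern string in a static map that is never evicted, so it
 * grows with the number of distinct rule patterns that have been evaluated.
 */
public class RuleEvaluator implements Authorization, AclRuleSetSource {
    private final AclRuleSet rules;
    private final AclRuleSetSource source;
    private static final Logger logger = Logger.getLogger(RuleEvaluator.class);
    /** Compiled rule patterns keyed by their source string; populated by {@link #patternForRegex}. */
    private static final ConcurrentHashMap<String, Pattern> patternCache = new ConcurrentHashMap<>();
    /** Wildcard entry of an allow/deny list that covers every action. */
    private static final String ANY_ACTION = "*";
    /** Resource property holding the resource type, compared against {@link AclRule#getResourceType()}. */
    private static final String TYPE_PROPERTY = "type";

    /** Converts a rule value into a "required items are contained" predicate; stateless. */
    private static final Converter<String, Predicate> CONTAINS_PREDICATES = new Converter<String, Predicate>() {
        @Override
        public Predicate convert(String ruleValue) {
            return new SetContainsPredicate(ruleValue);
        }
    };

    /** Converts a rule value into an exact-equality predicate; stateless. */
    private static final Converter<String, Predicate> EQUALS_PREDICATES = new Converter<String, Predicate>() {
        @Override
        public Predicate convert(String ruleValue) {
            return PredicateUtils.equalPredicate(ruleValue);
        }
    };

    /** Converts a rule value into a whole-string regex predicate, using the shared pattern cache. */
    private final Converter<String, Predicate> regexPredicates = new Converter<String, Predicate>() {
        @Override
        public Predicate convert(String ruleValue) {
            return new RegexPredicate(patternForRegex(ruleValue));
        }
    };

    /** Pairs a "matched" flag with the {@link ContextDecision} that produced it. */
    static class MatchedContext extends PairImpl<Boolean, ContextDecision> {
        MatchedContext(Boolean matched, ContextDecision decision) {
            super(matched, decision);
        }

        public Boolean isMatched() {
            return getFirst();
        }

        public ContextDecision getDecision() {
            return getSecond();
        }
    }

    /** Accepts a {@link String} value that the pattern matches as a whole (anchored at both ends). */
    public static class RegexPredicate implements Predicate {
        final Pattern regex;

        RegexPredicate(Pattern pattern) {
            if (null == pattern) {
                throw new NullPointerException("pattern is null");
            }
            this.regex = pattern;
        }

        @Override
        public boolean evaluate(Object obj) {
            // non-String values (including a missing resource property, i.e. null) never match
            return (obj instanceof String) && regex.matcher((String) obj).matches();
        }
    }

    /**
     * Accepts a value that contains every item the rule lists. The rule side is a single string
     * or a list of strings; the tested value is a comma-separated string (items trimmed) or a
     * collection. Any other type on either side never matches.
     */
    public static class SetContainsPredicate implements Predicate {
        /** Items required by the rule, or null when the rule value had an unsupported type. */
        final HashSet<String> items;

        SetContainsPredicate(Object ruleValue) {
            this.items = itemsOf(ruleValue);
        }

        @SuppressWarnings("unchecked")
        private static HashSet<String> itemsOf(Object ruleValue) {
            HashSet<String> required = new HashSet<>();
            if (ruleValue instanceof String) {
                required.add((String) ruleValue);
            } else if (ruleValue instanceof List) {
                // list elements are assumed to be strings; they are not checked here
                required.addAll((List<String>) ruleValue);
            } else {
                return null;
            }
            return required;
        }

        @Override
        public boolean evaluate(Object obj) {
            if (null == items || null == obj) {
                return false;
            }
            Collection<?> candidate;
            if (obj instanceof String) {
                candidate = splitTrimmed((String) obj);
            } else if (obj instanceof Collection) {
                candidate = (Collection<?>) obj;
            } else {
                return false;
            }
            // sub-collection: each required item occurs in the candidate at least as often
            return CollectionUtils.isSubCollection(items, candidate);
        }

        private static Set<String> splitTrimmed(String commaSeparated) {
            Set<String> parts = new HashSet<>();
            for (String part : commaSeparated.split(",")) {
                parts.add(part.trim());
            }
            return parts;
        }
    }

    private RuleEvaluator(AclRuleSetSource aclRuleSetSource) {
        this.source = aclRuleSetSource;
        this.rules = null;
    }

    private RuleEvaluator(AclRuleSet aclRuleSet) {
        this.source = null;
        this.rules = aclRuleSet;
    }

    /**
     * Creates an evaluator that re-reads its rules from the source on every evaluation.
     *
     * @throws NullPointerException when the source is null
     */
    public static RuleEvaluator createRuleEvaluator(AclRuleSetSource aclRuleSetSource) {
        if (null == aclRuleSetSource) {
            throw new NullPointerException("aclRuleSetSource is null");
        }
        return new RuleEvaluator(aclRuleSetSource);
    }

    /**
     * Creates an evaluator over a fixed rule set.
     *
     * @throws NullPointerException when the rule set is null
     */
    public static RuleEvaluator createRuleEvaluator(AclRuleSet aclRuleSet) {
        if (null == aclRuleSet) {
            throw new NullPointerException("aclRuleSet is null");
        }
        return new RuleEvaluator(aclRuleSet);
    }

    /**
     * Evaluates one resource/action pair for the subject.
     *
     * @param resource    resource properties; must be non-null with non-null keys and values
     * @param subject     the JAAS subject; must be non-null
     * @param action      the requested action; null or empty is rejected, not an error
     * @param environment environment attributes; null is treated as empty
     * @throws IllegalArgumentException for a null resource, null resource key/value or null subject
     */
    @Override
    public Decision evaluate(Map<String, String> resource, Subject subject, String action, Set<Attribute> environment) {
        List<AclRule> applicable = narrowContext(getRuleSet(), subjectFrom(subject), environment);
        return evaluate(resource, subject, action, environment, applicable);
    }

    /**
     * Returns the rules of the set whose environment and subject sections match, in rule order.
     */
    public List<AclRule> narrowContext(AclRuleSet aclRuleSet, AclSubject aclSubject, Set<Attribute> environment) {
        List<AclRule> matched = new ArrayList<>();
        for (AclRule rule : aclRuleSet.getRules()) {
            if (matchesContexts(rule, aclSubject, environment)) {
                matched.add(rule);
            }
        }
        return matched;
    }

    /**
     * Tests the rule's environment and subject sections. The subject matches when the rule's
     * username equals, or as a whole-string regex matches, the subject's username; otherwise the
     * rule's group must equal, or as a regex match, one of the subject's groups.
     */
    private boolean matchesContexts(AclRule rule, AclSubject aclSubject, Set<Attribute> environment) {
        if (!matchesEnvironment(rule, environment)) {
            return false;
        }
        String subjectName = aclSubject.getUsername();
        String ruleName = rule.getUsername();
        if (subjectName != null && ruleName != null) {
            // literal comparison first, so plain usernames never go through the regex engine
            if (subjectName.equals(ruleName) || matchesPattern(subjectName, ruleName)) {
                return true;
            }
            if (logger.isDebugEnabled()) {
                logger.debug(rule.toString() + ": username not matched: " + ruleName);
            }
        }
        Set<String> groups = aclSubject.getGroups();
        if (groups == null || groups.isEmpty()) {
            return false;
        }
        String ruleGroup = rule.getGroup();
        if (groups.contains(ruleGroup) || matchesAnyPatterns(groups, ruleGroup)) {
            return true;
        }
        if (logger.isDebugEnabled()) {
            logger.debug(rule.toString() + ": group not matched: " + ruleGroup);
        }
        return false;
    }

    /**
     * A rule with an environment section must match the given attributes; a rule without one
     * applies only when no attributes are given. An invalid section is logged but still evaluated.
     */
    private boolean matchesEnvironment(AclRule rule, Set<Attribute> environment) {
        EnvironmentalContext ruleEnvironment = rule.getEnvironment();
        if (ruleEnvironment == null) {
            if (null != environment && !environment.isEmpty()) {
                logger.debug(rule.toString() + ": empty environment not matched");
                return false;
            }
            return true;
        }
        if (!ruleEnvironment.isValid()) {
            logger.warn(rule.toString() + ": Context section not valid: " + ruleEnvironment.toString());
        }
        if (!ruleEnvironment.matches(environment)) {
            if (logger.isDebugEnabled()) {
                logger.debug(rule.toString() + ": environment not matched: " + ruleEnvironment.toString());
            }
            return false;
        }
        return true;
    }

    /**
     * True when the rule value, as a whole-string regex, matches any of the names.
     * A null rule value never matches; null names are skipped.
     */
    private boolean matchesAnyPatterns(Set<String> names, String ruleRegex) {
        if (ruleRegex == null) {
            return false;
        }
        Pattern pattern = patternForRegex(ruleRegex);
        for (String name : names) {
            if (name != null && pattern.matcher(name).matches()) {
                return true;
            }
        }
        return false;
    }

    /**
     * Whole-string regex match of the name against the rule value. A rule value that is not a
     * valid regex is matched literally (see {@link #patternForRegex}), which the callers'
     * preceding equality check already covers.
     */
    private boolean matchesPattern(String name, String ruleRegex) {
        return name != null && ruleRegex != null && patternForRegex(ruleRegex).matcher(name).matches();
    }

    /**
     * Builds an {@link AclSubject} from the JAAS subject: the username is taken from the first
     * {@link Username} principal the set yields (null when there is none; set order is whatever
     * the subject's principal set provides), the groups are the names of all {@link Group}
     * principals. The returned group set is read-only.
     *
     * @throws NullPointerException when subject is null
     */
    private AclSubject subjectFrom(Subject subject) {
        if (null == subject) {
            throw new NullPointerException("subject is null");
        }
        Set<Username> usernames = subject.getPrincipals(Username.class);
        final String username = usernames.isEmpty() ? null : usernames.iterator().next().getName();
        Set<String> groupNames = new HashSet<>();
        for (Group group : subject.getPrincipals(Group.class)) {
            groupNames.add(group.getName());
        }
        final Set<String> groups = Collections.unmodifiableSet(groupNames);
        return new AclSubject() {
            @Override
            public String getUsername() {
                return username;
            }

            @Override
            public Set<String> getGroups() {
                return groups;
            }
        };
    }

    /**
     * Evaluates every resource against every action for the subject. The rule set is narrowed
     * once, since that step depends only on the subject and the environment.
     *
     * @return one decision per resource/action pair (decisions compare by identity)
     */
    @Override
    public Set<Decision> evaluate(Set<Map<String, String>> resources, Subject subject, Set<String> actions, Set<Attribute> environment) {
        Set<Decision> decisions = new HashSet<>();
        List<AclRule> applicable = narrowContext(getRuleSet(), subjectFrom(subject), environment);
        for (Map<String, String> resource : resources) {
            for (String action : actions) {
                decisions.add(evaluate(resource, subject, action, environment, applicable));
            }
        }
        return decisions;
    }

    /** Evaluates against an already narrowed rule list and logs the outcome at INFO. */
    private Decision evaluate(Map<String, String> resource, Subject subject, String action, Set<Attribute> environment, List<AclRule> applicableRules) {
        Decision decision = internalEvaluate(resource, subject, action, environment, applicableRules);
        if (logger.isInfoEnabled()) {
            logger.info(MessageFormat.format("Evaluating {0} ({1}ms)", decision, Long.valueOf(decision.evaluationDuration())));
        }
        return decision;
    }

    /** Builds a decision whose explanation is a fixed reason and code. */
    private static Decision authorize(boolean authorized, final String reason, final Explanation.Code code, Map<String, String> resource, Subject subject, String action, Set<Attribute> environment, long durationMillis) {
        Explanation explanation = new Explanation() {
            @Override
            public Explanation.Code getCode() {
                return code;
            }

            @Override
            public void describe(PrintStream out) {
                out.println(toString());
            }

            @Override
            public String toString() {
                return "\t" + reason + " => " + code;
            }
        };
        return createAuthorize(authorized, explanation, resource, subject, action, environment, durationMillis);
    }

    /**
     * Creates an immutable {@link Decision} over the given values. Its text form is built lazily
     * and cached; the cache is not synchronized, a concurrent first call merely builds it twice.
     */
    static Decision createAuthorize(final boolean authorized, final Explanation explanation, final Map<String, String> resource, final Subject subject, final String action, final Set<Attribute> environment, final long durationMillis) {
        return new Decision() {
            private String representation;

            @Override
            public boolean isAuthorized() {
                return authorized;
            }

            @Override
            public Map<String, String> getResource() {
                return resource;
            }

            @Override
            public String getAction() {
                return action;
            }

            @Override
            public Set<Attribute> getEnvironment() {
                return environment;
            }

            @Override
            public Subject getSubject() {
                return subject;
            }

            @Override
            public Explanation explain() {
                return explanation;
            }

            @Override
            public long evaluationDuration() {
                return durationMillis;
            }

            @Override
            public String toString() {
                if (representation == null) {
                    representation = describe();
                }
                return representation;
            }

            /** Format: {@code Decision for: res<k:v, ...> subject<Type:name ...> action<a> env<attr, ...>: authorized: b: explanation}. */
            private String describe() {
                StringBuilder sb = new StringBuilder("Decision for: res<");
                String separator = "";
                if (resource != null) {
                    for (Map.Entry<String, String> entry : resource.entrySet()) {
                        sb.append(separator).append(entry.getKey()).append(':').append(entry.getValue());
                        separator = ", ";
                    }
                }
                sb.append("> subject<");
                separator = "";
                if (subject != null) {
                    for (Principal principal : subject.getPrincipals()) {
                        sb.append(separator).append(principal.getClass().getSimpleName()).append(':').append(principal.getName());
                        separator = " ";
                    }
                }
                sb.append("> action<").append(action).append("> env<");
                separator = "";
                if (environment != null) {
                    for (Attribute attribute : environment) {
                        sb.append(separator).append(attribute);
                        separator = ", ";
                    }
                }
                sb.append(">: authorized: ").append(authorized).append(": ").append(explanation.toString());
                return sb.toString();
            }
        };
    }

    /**
     * Core evaluation. Inputs are validated first; then, with no applicable rule or no action,
     * a rejection is returned. Otherwise every applicable rule is consulted: the first rule that
     * denies the action decides immediately; else the last granting rule grants; else the last
     * rule's (rejecting) decision is returned.
     *
     * @throws IllegalArgumentException for a null resource, null resource key/value or null subject
     */
    private Decision internalEvaluate(Map<String, String> resource, Subject subject, String action, Set<Attribute> environment, List<AclRule> applicableRules) {
        long start = System.currentTimeMillis();
        validateResource(resource);
        if (subject == null) {
            throw new IllegalArgumentException("Invalid subject, subject is null.");
        }
        if (environment == null) {
            environment = Collections.emptySet();
        }
        if (applicableRules.isEmpty()) {
            return authorize(false, "No context matches subject or environment", Explanation.Code.REJECTED_NO_SUBJECT_OR_ENV_FOUND, resource, subject, action, environment, elapsedSince(start));
        }
        if (action == null || action.isEmpty()) {
            return authorize(false, "No action provided.", Explanation.Code.REJECTED_NO_ACTION_PROVIDED, resource, subject, action, environment, elapsedSince(start));
        }
        ContextDecision lastGranted = null;
        ContextDecision last = null;
        for (AclRule rule : applicableRules) {
            ContextDecision decision = ruleIncludesResourceAction(rule, resource, action);
            if (Explanation.Code.REJECTED_DENIED == decision.getCode()) {
                // an explicit deny wins over any allow, earlier or later in the rule order
                return createAuthorize(false, decision, resource, subject, action, environment, elapsedSince(start));
            }
            if (decision.granted()) {
                lastGranted = decision;
            }
            last = decision;
        }
        if (lastGranted != null) {
            return createAuthorize(true, lastGranted, resource, subject, action, environment, elapsedSince(start));
        }
        if (last == null) {
            // only reachable if the rule list reported non-empty but iterated nothing
            return authorize(false, "No resource or action matched.", Explanation.Code.REJECTED_NO_RESOURCE_OR_ACTION_MATCH, resource, subject, action, environment, elapsedSince(start));
        }
        return createAuthorize(false, last, resource, subject, action, environment, elapsedSince(start));
    }

    /** Rejects a null resource map and any null key or value in it. */
    private static void validateResource(Map<String, String> resource) {
        if (resource == null) {
            throw new IllegalArgumentException("Resource does not identify any resource because it's an empty resource property or null.");
        }
        for (Map.Entry<String, String> entry : resource.entrySet()) {
            if (entry.getKey() == null) {
                throw new IllegalArgumentException("Resource definition cannot contain null property name.");
            }
            if (entry.getValue() == null) {
                throw new IllegalArgumentException("Resource definition cannot contain null value.  Corresponding key: " + entry.getKey());
            }
        }
    }

    private static long elapsedSince(long startMillis) {
        return System.currentTimeMillis() - startMillis;
    }

    /** The fixed rule set, or the source's current rule set when built from a source. */
    @Override
    public AclRuleSet getRuleSet() {
        return null != source ? source.getRuleSet() : rules;
    }

    /** Wraps the {@link #includes} outcome for one rule in a {@link ContextDecision} with a single evaluation record. */
    private ContextDecision ruleIncludesResourceAction(AclRule rule, Map<String, String> resource, String action) {
        Explanation.Code code = includes(rule, resource, action);
        ArrayList<ContextEvaluation> evaluations = new ArrayList<>();
        evaluations.add(new ContextEvaluation(code, MessageFormat.format("{0} {1} for action {2}", rule, code, action)));
        return new ContextDecision(code, Explanation.Code.GRANTED == code, evaluations);
    }

    /**
     * Decides whether the rule grants, denies or does not apply to the resource/action.
     * A rule with a resource type applies only when the resource's {@code type} property equals
     * it. Then exactly one of the regex/equals/contains sections must match the resource; a rule
     * with no such section applies to every resource of its type. Only then are the action lists
     * consulted.
     */
    public Explanation.Code includes(AclRule rule, Map<String, String> resource, String action) {
        String ruleType = rule.getResourceType();
        if (ruleType != null && !ruleType.equals(resource.get(TYPE_PROPERTY))) {
            return Explanation.Code.REJECTED;
        }
        boolean resourceMatched;
        if (rule.isRegexMatch()) {
            resourceMatched = ruleMatchesMatchSection(resource, rule);
        } else if (rule.isEqualsMatch()) {
            resourceMatched = ruleMatchesEqualsSection(resource, rule);
        } else if (rule.isContainsMatch()) {
            resourceMatched = ruleMatchesContainsSection(resource, rule);
        } else {
            resourceMatched = true;
        }
        return resourceMatched ? allowOrDenyAction(rule, action) : Explanation.Code.REJECTED;
    }

    /** Deny list first (an action or {@code *}), then allow list; otherwise the rule does not decide. */
    private Explanation.Code allowOrDenyAction(AclRule rule, String action) {
        if (listsAction(rule.getDenyActions(), action)) {
            return Explanation.Code.REJECTED_DENIED;
        }
        if (listsAction(rule.getAllowActions(), action)) {
            return Explanation.Code.GRANTED;
        }
        return Explanation.Code.REJECTED;
    }

    private static boolean listsAction(Collection<?> actions, String action) {
        return actions.contains(action) || actions.contains(ANY_ACTION);
    }

    boolean ruleMatchesContainsSection(Map<String, String> resource, AclRule rule) {
        return validRuleSection(rule.getResource()) && predicateMatchRules(rule, resource, true, CONTAINS_PREDICATES);
    }

    boolean ruleMatchesEqualsSection(Map<String, String> resource, AclRule rule) {
        // equals sections do not expand list values; a list value is an error, see applyTest
        return validRuleSection(rule.getResource()) && predicateMatchRules(rule, resource, false, EQUALS_PREDICATES);
    }

    private boolean validRuleSection(Map<?, ?> section) {
        return null != section && !section.isEmpty();
    }

    boolean ruleMatchesMatchSection(Map<String, String> resource, AclRule rule) {
        return validRuleSection(rule.getResource()) && predicateMatchRules(rule, resource, true, regexPredicates);
    }

    /**
     * Returns the cached compiled form of a rule value. A value that is not a valid regex is
     * compiled as an anchored literal so that it still matches itself exactly; this is logged
     * once, when the entry is created.
     *
     * @throws NullPointerException when regex is null
     */
    public Pattern patternForRegex(String regex) {
        Pattern cached = patternCache.get(regex);
        if (cached != null) {
            return cached;
        }
        Pattern compiled;
        try {
            compiled = Pattern.compile(regex);
        } catch (PatternSyntaxException e) {
            logger.debug("Rule value is not a valid regex, matching it literally: " + regex + " (" + e.getDescription() + ")");
            compiled = Pattern.compile("^" + Pattern.quote(regex) + "$");
        }
        Pattern previous = patternCache.putIfAbsent(regex, compiled);
        return previous != null ? previous : compiled;
    }

    /** True when every entry of the rule's resource section is satisfied by the resource. */
    boolean predicateMatchRules(AclRule rule, Map<String, String> resource, boolean allowLists, Converter<String, Predicate> converter) {
        for (Map.Entry<String, Object> entry : rule.getResource().entrySet()) {
            if (!applyTest(rule, resource, allowLists, converter, entry.getKey(), entry.getValue())) {
                return false;
            }
        }
        return true;
    }

    /**
     * Tests one resource property against one rule entry. A list value (when lists are allowed)
     * yields one predicate per element, all of which must accept the property; a string yields
     * one predicate; anything else is logged and rejected. A property absent from the resource
     * is tested as null and so never matches.
     */
    boolean applyTest(AclRule rule, Map<String, String> resource, boolean allowLists, Converter<String, Predicate> converter, String property, Object ruleValue) {
        List<Predicate> predicates = new ArrayList<>();
        if (allowLists && ruleValue instanceof List) {
            for (Object element : (List<?>) ruleValue) {
                predicates.add(converter.convert((String) element));
            }
        } else if (ruleValue instanceof String) {
            predicates.add(converter.convert((String) ruleValue));
        } else {
            String typeName = ruleValue == null ? "null" : ruleValue.getClass().getName();
            logger.error(rule.getSourceIdentity() + ": cannot evaluate unexpected type: " + typeName);
            return false;
        }
        return PredicateUtils.allPredicate(predicates).evaluate(resource.get(property));
    }
}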
