package com.dtolabs.rundeck.core.authorization.providers;

import com.dtolabs.rundeck.core.authorization.AclRule;
import com.dtolabs.rundeck.core.authorization.AclRuleBuilder;
import com.dtolabs.rundeck.core.authorization.AclRuleSet;
import com.dtolabs.rundeck.core.authorization.AclRuleSetImpl;
import com.dtolabs.rundeck.core.authorization.AclRuleSetSource;
import com.dtolabs.rundeck.core.authorization.Attribute;
import com.dtolabs.rundeck.core.authorization.AuthorizationUtil;
import com.dtolabs.rundeck.core.authorization.BasicEnvironmentalContext;
import com.dtolabs.rundeck.core.authorization.Explanation;
import com.dtolabs.rundeck.core.authorization.ValidationSet;
import com.dtolabs.rundeck.core.utils.Converter;
import com.dtolabs.rundeck.core.utils.PairImpl;
import java.io.File;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.Predicate;
import org.apache.commons.collections.PredicateUtils;
import org.apache.log4j.Logger;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:WEB-INF/lib/rundeck-core-2.6.11.jar:com/dtolabs/rundeck/core/authorization/providers/YamlPolicy.class */
public final class YamlPolicy implements Policy, AclRuleSetSource {
    static final Logger logger = Logger.getLogger(YamlPolicy.class.getName());
    public static final String TYPE_PROPERTY = "type";
    public static final String FOR_SECTION = "for";
    public static final String JOB_TYPE = "job";
    public static final String ACTIONS_SECTION = "actions";
    public static final String CONTEXT_SECTION = "context";
    public static final String BY_SECTION = "by";
    public static final String ID_SECTION = "id";
    public static final String USERNAME_KEY = "username";
    public static final String GROUP_KEY = "group";
    private static final String DESCRIPTION_KEY = "description";
    public static final String PROJECT_CONTEXT = "project";
    public static final String APPLICATION_CONTEXT = "application";
    public Map policyInput;
    private Set<String> usernames;
    private Set<String> groups;
    private Set<Pattern> usernamePatterns;
    private Set<Pattern> groupPatterns;
    YamlAclContext aclContext;
    private YamlEnvironmentalContext environment;
    private Set<AclRule> rules;
    private String sourceIdent;
    private int sourceIndex;
    private ValidationSet validation;
    private List<String> allowed;
    private List<String> allowedContexts;
    private boolean envchecked;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:WEB-INF/lib/rundeck-core-2.6.11.jar:com/dtolabs/rundeck/core/authorization/providers/YamlPolicy$AclPolicySyntaxException.class */
    /**
     * Unchecked exception for a policy document whose structure is not acceptable.
     *
     * <p>Every constructor is package-private and forwards straight to the matching
     * {@link RuntimeException} constructor.
     */
    public static class AclPolicySyntaxException extends RuntimeException {
        /** Creates an exception without a message or a cause. */
        AclPolicySyntaxException() {
            super();
        }

        /**
         * @param message description of the syntax problem
         */
        AclPolicySyntaxException(String message) {
            super(message);
        }

        /**
         * @param message description of the syntax problem
         * @param cause   underlying failure
         */
        AclPolicySyntaxException(String message, Throwable cause) {
            super(message, cause);
        }

        /**
         * @param cause underlying failure
         */
        AclPolicySyntaxException(Throwable cause) {
            super(cause);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:WEB-INF/lib/rundeck-core-2.6.11.jar:com/dtolabs/rundeck/core/authorization/providers/YamlPolicy$ContextMatcher.class */
    /**
     * One rule that can be tested against a resource/action pair and exported as an
     * {@link AclRule}.
     */
    public interface ContextMatcher {
        /**
         * Tests this matcher against a resource.
         *
         * @param resource resource attributes as string key/value pairs
         * @param action   name of the requested action
         * @return whether the matcher applied, paired with the decision it produced
         */
        MatchedContext includes(Map<String, String> resource, String action);

        /**
         * Builds the {@link AclRule} form of this matcher.
         *
         * @param prototype builder the rule is derived from
         * @return the built rule
         */
        AclRule createRule(AclRuleBuilder prototype);
    }

    /* loaded from: input_file:WEB-INF/lib/rundeck-core-2.6.11.jar:com/dtolabs/rundeck/core/authorization/providers/YamlPolicy$MatchedContext.class */
    /**
     * Pairs a "did the matcher apply" flag with the {@link ContextDecision} it produced.
     */
    static class MatchedContext extends PairImpl<Boolean, ContextDecision> {
        /**
         * @param matched  whether the matcher's resource sections applied
         * @param decision decision produced for the request
         */
        MatchedContext(Boolean matched, ContextDecision decision) {
            super(matched, decision);
        }

        /** @return the first element of the pair: the match flag */
        public Boolean isMatched() {
            final Boolean matched = getFirst();
            return matched;
        }

        /** @return the second element of the pair: the decision */
        public ContextDecision getDecision() {
            final ContextDecision decision = getSecond();
            return decision;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:WEB-INF/lib/rundeck-core-2.6.11.jar:com/dtolabs/rundeck/core/authorization/providers/YamlPolicy$RegexPredicate.class */
    /**
     * Predicate that accepts a value only when it is a {@code String} matched in full by a
     * compiled pattern.
     */
    public static class RegexPredicate implements Predicate {
        Pattern regex;

        /**
         * @param compiled pattern to test candidates against
         */
        RegexPredicate(Pattern compiled) {
            this.regex = compiled;
        }

        /**
         * @param candidate value to test; anything that is not a {@code String} is rejected
         * @return {@code true} only when the whole string matches the pattern
         */
        @Override
        public boolean evaluate(Object candidate) {
            if (!(candidate instanceof String)) {
                return false;
            }
            // matches() requires the entire input to match, so a policy pattern does not
            // accept values that merely contain a matching substring.
            return this.regex.matcher((String) candidate).matches();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:WEB-INF/lib/rundeck-core-2.6.11.jar:com/dtolabs/rundeck/core/authorization/providers/YamlPolicy$SetContainsPredicate.class */
    /**
     * Predicate that accepts a value when it contains every required item.
     *
     * <p>The required items come from a single string or a list; the tested value may be a
     * comma-separated string or a collection.
     */
    public static class SetContainsPredicate implements Predicate {
        // null when the constructor argument was neither a String nor a List; evaluate()
        // then rejects everything.
        HashSet<String> items;

        /**
         * @param required a {@code String} (one item) or a {@code List} (all its elements);
         *                 any other type leaves the predicate permanently false
         */
        SetContainsPredicate(Object required) {
            if (required instanceof String) {
                this.items = new HashSet<>();
                this.items.add((String) required);
            } else if (required instanceof List) {
                this.items = new HashSet<>();
                // raw cast: element types are not checked here
                this.items.addAll((List) required);
            } else {
                this.items = null;
            }
        }

        /**
         * @param candidate comma-separated string (entries are trimmed) or a collection
         * @return {@code true} when the required items form a sub-collection of the candidate
         */
        @Override
        public boolean evaluate(Object candidate) {
            if (this.items == null || candidate == null) {
                return false;
            }
            final Collection actual;
            if (candidate instanceof String) {
                HashSet<String> parts = new HashSet<>();
                for (String part : ((String) candidate).split(",")) {
                    parts.add(part.trim());
                }
                actual = parts;
            } else if (candidate instanceof Collection) {
                actual = (Collection) candidate;
            } else {
                return false;
            }
            return CollectionUtils.isSubCollection(this.items, actual);
        }
    }

    /* loaded from: input_file:WEB-INF/lib/rundeck-core-2.6.11.jar:com/dtolabs/rundeck/core/authorization/providers/YamlPolicy$TypeContext.class */
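    /**
     * Combines the decisions of every rule declared for one resource type.
     *
     * <p>Deny takes precedence over allow: the combined decision is granted only when at
     * least one matching rule granted the action and no matching rule (or any of its
     * evaluations) reported {@code REJECTED_DENIED}.
     */
    static class TypeContext implements AclContext {
        private final List<ContextMatcher> typeRules;

        /**
         * @param list matchers for this resource type; the list is stored, not copied
         */
        public TypeContext(List<ContextMatcher> list) {
            this.typeRules = list;
        }

        /**
         * Evaluates every rule against the resource and merges the results.
         *
         * @param resource resource attributes
         * @param action   requested action
         * @return {@code REJECTED_DENIED} if any matching rule denied, else {@code GRANTED} if
         *         any matching rule granted, else {@code REJECTED}; the evaluations of all
         *         matching rules are attached
         */
        @Override
        public ContextDecision includes(Map<String, String> resource, String action) {
            List<ContextEvaluation> evaluations = new ArrayList<>();
            boolean granted = false;
            boolean denied = false;
            for (ContextMatcher matcher : getTypeRules()) {
                MatchedContext matched = matcher.includes(resource, action);
                if (!matched.isMatched().booleanValue()) {
                    continue;
                }
                ContextDecision decision = matched.getDecision();
                if (decision.granted()) {
                    granted = true;
                }
                if (Explanation.Code.REJECTED_DENIED == decision.getCode()) {
                    denied = true;
                }
                evaluations.addAll(decision.getEvaluations());
                if (!denied) {
                    // Bounded scan: the loop must end when the evaluations run out, otherwise
                    // a decision without any denial would never return.
                    for (ContextEvaluation evaluation : decision.getEvaluations()) {
                        if (Explanation.Code.REJECTED_DENIED == evaluation.id) {
                            denied = true;
                            break;
                        }
                    }
                }
            }
            final Explanation.Code code;
            if (denied) {
                code = Explanation.Code.REJECTED_DENIED;
            } else if (granted) {
                code = Explanation.Code.GRANTED;
            } else {
                code = Explanation.Code.REJECTED;
            }
            // A single deny overrides any number of grants.
            return new ContextDecision(code, granted && !denied, evaluations);
        }

        /** @return the matchers passed to the constructor (same list instance) */
        public List<ContextMatcher> getTypeRules() {
            return this.typeRules;
        }

        /**
         * Exports one {@link AclRule} per matcher, each built from its own copy of the
         * supplied builder.
         *
         * @param aclRuleBuilder builder used as the starting point for every rule
         * @return the set of built rules
         */
        @Override
        public Set<AclRule> createRules(AclRuleBuilder aclRuleBuilder) {
            Set<AclRule> rules = new HashSet<>();
            for (ContextMatcher matcher : this.typeRules) {
                rules.add(matcher.createRule(AclRuleBuilder.builder(aclRuleBuilder)));
            }
            return rules;
        }
    }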

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:WEB-INF/lib/rundeck-core-2.6.11.jar:com/dtolabs/rundeck/core/authorization/providers/YamlPolicy$TypeContextFactory.class */
    /**
     * Creates the {@link AclContext} that evaluates the rules of one resource type.
     */
    public interface TypeContextFactory {
        /**
         * @param type  resource type name (a key of the policy's {@code for:} section)
         * @param rules the list declared under that key
         * @return context evaluating those rules
         */
        AclContext createAclContext(String type, List rules);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:WEB-INF/lib/rundeck-core-2.6.11.jar:com/dtolabs/rundeck/core/authorization/providers/YamlPolicy$TypeRuleContextMatcher.class */
    public static class TypeRuleContextMatcher implements ContextMatcher {
        public static final String MATCH_SECTION = "match";
        public static final String EQUALS_SECTION = "equals";
        public static final String CONTAINS_SECTION = "contains";
        public static final String ALLOW_ACTIONS = "allow";
        public static final String DENY_ACTIONS = "deny";
        Map ruleSection;
        int index;
        YamlPolicy policy;
        ValidationSet validation;
        String type;
        private static ConcurrentHashMap<String, Pattern> patternCache = new ConcurrentHashMap<>();

        /**
         * Stores the rule definition and validates it immediately.
         *
         * @param type        resource type the rule is declared under
         * @param ruleSection the rule's map as read from the policy
         * @param validation  collector for validation errors; {@code null} skips validation
         * @param index       position of the rule in its type list
         * @param policy      owning policy, used to identify the source in messages
         */
        TypeRuleContextMatcher(String type, Map ruleSection, ValidationSet validation, int index, YamlPolicy policy) {
            this.policy = policy;
            this.validation = validation;
            this.index = index;
            this.ruleSection = ruleSection;
            this.type = type;
            // validate() reads the fields above, so it must run after they are assigned
            validate(validation);
        }

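        /**
         * Records structural problems of this rule on the supplied validation set.
         *
         * <p>Checks that {@code allow:} and {@code deny:} are a string or a list and not empty,
         * that at least one of them is present, and that the first present section among
         * {@code contains:}, {@code match:}, {@code equals:} is non-empty, carries no
         * {@code allow:}/{@code deny:} keys and, for {@code contains:}, names only {@code tags}.
         *
         * @param validationSet collector for errors; when {@code null} nothing is checked
         */
        private void validate(ValidationSet validationSet) {
            if (null == validationSet) {
                return;
            }
            final boolean hasDeny = this.ruleSection.containsKey(DENY_ACTIONS);
            final boolean hasAllow = this.ruleSection.containsKey(ALLOW_ACTIONS);
            if (hasDeny) {
                HashSet<String> denyActions = getDenyActions();
                if (null == denyActions) {
                    // The key can be present with a null value; report that as a validation
                    // error instead of failing on getClass().
                    Object raw = this.ruleSection.get(DENY_ACTIONS);
                    String rawType = null == raw ? "null" : raw.getClass().getName();
                    validationSet.addError(this.policy.identify(), identify() + " Section 'deny:' expected a String or a sequence of Strings, but was a " + rawType);
                } else if (denyActions.isEmpty()) {
                    YamlPolicy.logger.warn(this.policy.identify() + ": No actions defined in Deny section");
                    validationSet.addError(this.policy.identify(), identify() + " Section 'deny:' should not be empty.");
                }
            }
            if (hasAllow) {
                HashSet<String> allowActions = getAllowActions();
                if (null == allowActions) {
                    Object raw = this.ruleSection.get(ALLOW_ACTIONS);
                    String rawType = null == raw ? "null" : raw.getClass().getName();
                    validationSet.addError(this.policy.identify(), identify() + " Section 'allow:' expected a String or a sequence of Strings, but was a " + rawType);
                } else if (allowActions.isEmpty()) {
                    // The warning names the section that is actually empty.
                    YamlPolicy.logger.warn(this.policy.identify() + ": No actions defined in Allow section");
                    validationSet.addError(this.policy.identify(), identify() + " Section 'allow:' should not be empty.");
                }
            }
            if (!hasAllow && !hasDeny) {
                validationSet.addError(this.policy.identify(), identify() + " One of 'allow:' or 'deny:' must be present.");
            }
            // NOTE(review): only the first present section (contains, then match, then equals)
            // is validated here, while matchesRuleSections() evaluates every present section.
            // The cast assumes the section is a Map, and a section whose value is null is not
            // reported -- confirm whether both should be validation errors.
            Map section = null;
            String sectionName = null;
            if (isRuleSectionContains()) {
                sectionName = CONTAINS_SECTION;
            } else if (isRuleSectionMatch()) {
                sectionName = MATCH_SECTION;
            } else if (isRuleSectionEquals()) {
                sectionName = EQUALS_SECTION;
            }
            if (sectionName != null) {
                section = (Map) this.ruleSection.get(sectionName);
            }
            if (section != null) {
                if (section.size() < 1) {
                    validationSet.addError(this.policy.identify(), identify() + " Section '" + sectionName + ":' should not be empty.");
                } else if (sectionName.equals(CONTAINS_SECTION) && (section.size() != 1 || !section.containsKey("tags"))) {
                    validationSet.addError(this.policy.identify(), identify() + " Section '" + CONTAINS_SECTION + ":' can only be applied to 'tags'.");
                }
                if (section.containsKey(ALLOW_ACTIONS) || section.containsKey(DENY_ACTIONS)) {
                    validationSet.addError(this.policy.identify(), identify() + " Section '" + sectionName + ":' should not contain 'allow:' or 'deny:'.");
                }
            }
        }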

        /**
         * @return the owning policy's identity (when a policy is set) followed by this rule's
         *         own identity
         */
        @Override
        public String toString() {
            String prefix = "";
            if (this.policy != null) {
                prefix = this.policy.identify() + " ";
            }
            return prefix + identify();
        }

        /**
         * @return a human-readable locator for this rule: its resource type and list index
         */
        private String identify() {
            StringBuilder label = new StringBuilder("Type rule 'for: { ");
            label.append(this.type);
            label.append(": [...] }' entry at index [");
            label.append(this.index);
            label.append("]");
            return label.toString();
        }

        /* JADX INFO: Access modifiers changed from: private */
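        /**
         * Returns the compiled pattern for a policy value, compiling and caching it on first use.
         *
         * <p>A value that cannot be compiled as a regular expression is matched as a literal,
         * anchored string instead. That fallback is logged: a mistyped expression in a rule
         * otherwise changes what the rule matches without any trace.
         *
         * @param regex pattern text taken from a rule's {@code match:} section
         * @return the cached pattern for that text
         */
        public Pattern patternForRegex(String regex) {
            Pattern cached = patternCache.get(regex);
            if (null != cached) {
                return cached;
            }
            Pattern compiled;
            try {
                compiled = Pattern.compile(regex);
            } catch (RuntimeException e) {
                YamlPolicy.logger.warn(identify() + ": value is not a valid regular expression and will be matched literally: " + e.getMessage());
                compiled = Pattern.compile("^" + Pattern.quote(regex) + "$");
            }
            // NOTE(review): the cache is static and never evicted; it grows with the number of
            // distinct pattern strings seen.
            Pattern raced = patternCache.putIfAbsent(regex, compiled);
            return null != raced ? raced : compiled;
        }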

        /**
         * Tests the resource against this rule's sections and, if they apply, evaluates the
         * rule's allow/deny actions.
         *
         * @param resource resource attributes
         * @param action   requested action
         * @return unmatched with a {@code REJECTED} decision when the sections do not apply,
         *         otherwise matched with the result of {@code evaluateActions}
         */
        @Override
        public MatchedContext includes(Map<String, String> resource, String action) {
            List<ContextEvaluation> evaluations = new ArrayList<>();
            if (matchesRuleSections(resource, evaluations)) {
                return new MatchedContext(true, evaluateActions(action, evaluations));
            }
            return new MatchedContext(false, new ContextDecision(Explanation.Code.REJECTED, false, evaluations));
        }

        /**
         * Exports this rule as an {@link AclRule}.
         *
         * <p>NOTE(review): only one resource section is exported, chosen in the order match,
         * contains, equals, whereas {@code matchesRuleSections} requires every present section
         * to match. A rule declaring several sections is therefore exported more broadly than
         * it is evaluated here -- confirm this is intended.
         *
         * @param aclRuleBuilder builder to copy the starting state from
         * @return the built rule
         */
        @Override
        public AclRule createRule(AclRuleBuilder aclRuleBuilder) {
            final AclRuleBuilder builder = AclRuleBuilder.builder(aclRuleBuilder);
            builder.sourceIdentityAppend("[rule: " + this.index + "]")
                    .allowActions(this.ruleSection.containsKey(ALLOW_ACTIONS) ? getAllowActions() : new HashSet<String>())
                    .denyActions(this.ruleSection.containsKey(DENY_ACTIONS) ? getDenyActions() : new HashSet<String>());

            String sectionKey = null;
            if (isRuleSectionMatch()) {
                builder.regexMatch(true);
                sectionKey = MATCH_SECTION;
            } else if (isRuleSectionContains()) {
                builder.containsMatch(true);
                sectionKey = CONTAINS_SECTION;
            } else if (isRuleSectionEquals()) {
                builder.equalsMatch(true);
                sectionKey = EQUALS_SECTION;
            }

            Map<String, Object> resourceSpec = null;
            if (sectionKey != null) {
                resourceSpec = (Map) this.ruleSection.get(sectionKey);
            }
            builder.resource(resourceSpec);
            return builder.build();
        }

        /**
         * Decides the requested action against this rule's {@code deny:} and {@code allow:}
         * lists; deny is checked first and wins.
         *
         * <p>A {@code deny:} value of an unsupported type only records an evaluation error;
         * evaluation then continues with {@code allow:}, so such a section does not block a
         * grant from the same rule.
         *
         * @param action      requested action; {@code "*"} in a list matches any action
         * @param evaluations list that receives the evaluations produced here
         * @return denied, granted, or plain rejected when neither list names the action
         */
        ContextDecision evaluateActions(String action, List<ContextEvaluation> evaluations) {
            if (this.ruleSection.containsKey(DENY_ACTIONS)) {
                HashSet<String> denied = getDenyActions();
                if (denied == null) {
                    evaluations.add(new ContextEvaluation(Explanation.Code.REJECTED_CONTEXT_EVALUATION_ERROR, "Invalid action type."));
                } else if (denied.isEmpty()) {
                    YamlPolicy.logger.warn(identify() + ": No actions defined in Deny section");
                } else if (denied.contains("*") || denied.contains(action)) {
                    evaluations.add(new ContextEvaluation(Explanation.Code.REJECTED_DENIED, this + " for actions: " + denied));
                    return new ContextDecision(Explanation.Code.REJECTED_DENIED, false, evaluations);
                }
            }
            if (this.ruleSection.containsKey(ALLOW_ACTIONS)) {
                HashSet<String> allowed = getAllowActions();
                if (allowed == null) {
                    evaluations.add(new ContextEvaluation(Explanation.Code.REJECTED_CONTEXT_EVALUATION_ERROR, "Invalid action type."));
                } else if (allowed.isEmpty()) {
                    YamlPolicy.logger.warn(identify() + ": No actions defined in Allow section");
                } else if (allowed.contains("*") || allowed.contains(action)) {
                    evaluations.add(new ContextEvaluation(Explanation.Code.GRANTED_ACTIONS_AND_COMMANDS_MATCHED, this + " for actions: " + allowed));
                    return new ContextDecision(Explanation.Code.GRANTED_ACTIONS_AND_COMMANDS_MATCHED, true, evaluations);
                }
            }
            // Neither list named the action: the rule does not grant it.
            return new ContextDecision(Explanation.Code.REJECTED, false, evaluations);
        }

        /**
         * Reads the rule's {@code allow:} value as a set of action names.
         *
         * @return a one-element set for a string, the list's elements for a list (element
         *         types are not checked), or {@code null} for any other value including
         *         {@code null}
         */
        private HashSet<String> getAllowActions() {
            final Object raw = this.ruleSection.get(ALLOW_ACTIONS);
            if (raw instanceof String) {
                HashSet<String> single = new HashSet<>();
                single.add((String) raw);
                return single;
            }
            if (raw instanceof List) {
                HashSet<String> actions = new HashSet<>();
                actions.addAll((List) raw);
                return actions;
            }
            return null;
        }

        /**
         * Reads the rule's {@code deny:} value as a set of action names.
         *
         * @return a one-element set for a string, the list's elements for a list (element
         *         types are not checked), or {@code null} for any other value including
         *         {@code null}
         */
        private HashSet<String> getDenyActions() {
            final Object raw = this.ruleSection.get(DENY_ACTIONS);
            if (raw instanceof String) {
                HashSet<String> single = new HashSet<>();
                single.add((String) raw);
                return single;
            }
            if (raw instanceof List) {
                HashSet<String> actions = new HashSet<>();
                actions.addAll((List) raw);
                return actions;
            }
            return null;
        }

        /**
         * Checks the resource against every section this rule declares
         * ({@code match:}, {@code equals:}, {@code contains:}).
         *
         * <p>All declared sections must match. Every section is evaluated even after one has
         * failed, so each failure is recorded. A rule that declares none of the three sections
         * returns {@code true}, i.e. it applies to every resource of its type.
         *
         * @param resource    resource attributes
         * @param evaluations list that receives a {@code REJECTED} entry per failed section
         * @return {@code true} when no declared section failed
         */
        boolean matchesRuleSections(Map<String, String> resource, List<ContextEvaluation> evaluations) {
            boolean everySectionMatched = true;
            if (isRuleSectionMatch() && !ruleMatchesMatchSection(resource, this.ruleSection)) {
                evaluations.add(new ContextEvaluation(Explanation.Code.REJECTED, "match section did not match"));
                everySectionMatched = false;
            }
            if (isRuleSectionEquals() && !ruleMatchesEqualsSection(resource, this.ruleSection)) {
                evaluations.add(new ContextEvaluation(Explanation.Code.REJECTED, "equals section did not match"));
                everySectionMatched = false;
            }
            if (isRuleSectionContains() && !ruleMatchesContainsSection(resource, this.ruleSection)) {
                evaluations.add(new ContextEvaluation(Explanation.Code.REJECTED, "contains section did not match"));
                everySectionMatched = false;
            }
            return everySectionMatched;
        }

        /** @return whether the rule declares a {@code contains:} key (its value may be null) */
        private boolean isRuleSectionContains() {
            final boolean declared = this.ruleSection.containsKey(CONTAINS_SECTION);
            return declared;
        }

        /** @return whether the rule declares an {@code equals:} key (its value may be null) */
        private boolean isRuleSectionEquals() {
            final boolean declared = this.ruleSection.containsKey(EQUALS_SECTION);
            return declared;
        }

        /** @return whether the rule declares a {@code match:} key (its value may be null) */
        private boolean isRuleSectionMatch() {
            final boolean declared = this.ruleSection.containsKey(MATCH_SECTION);
            return declared;
        }

        /**
         * @param section a rule section map, possibly {@code null}
         * @return {@code true} when the section exists and has at least one entry
         */
        private boolean validRuleSection(Map section) {
            if (section == null) {
                return false;
            }
            return section.size() > 0;
        }

        /**
         * Tests the resource against the rule's {@code contains:} section; list values are
         * accepted.
         *
         * @param resource resource attributes
         * @param rule     rule map holding the {@code contains:} section
         * @return {@code false} when the section is missing or empty, otherwise whether every
         *         entry is contained in the matching resource attribute
         */
        boolean ruleMatchesContainsSection(Map<String, String> resource, Map rule) {
            final Map section = (Map) rule.get(CONTAINS_SECTION);
            if (!validRuleSection(section)) {
                return false;
            }
            final Converter<String, Predicate> toPredicate = new Converter<String, Predicate>() {
                @Override
                public Predicate convert(String expected) {
                    return new SetContainsPredicate(expected);
                }
            };
            return predicateMatchRules(section, resource, true, toPredicate);
        }

        /**
         * Tests the resource against the rule's {@code equals:} section; only string values
         * are accepted (lists are not).
         *
         * @param resource resource attributes
         * @param rule     rule map holding the {@code equals:} section
         * @return {@code false} when the section is missing or empty, otherwise whether every
         *         entry equals the matching resource attribute
         */
        boolean ruleMatchesEqualsSection(Map<String, String> resource, Map rule) {
            final Map section = (Map) rule.get(EQUALS_SECTION);
            if (!validRuleSection(section)) {
                return false;
            }
            final Converter<String, Predicate> toPredicate = new Converter<String, Predicate>() {
                @Override
                public Predicate convert(String expected) {
                    return PredicateUtils.equalPredicate(expected);
                }
            };
            return predicateMatchRules(section, resource, false, toPredicate);
        }

        /**
         * Tests the resource against the rule's {@code match:} section, treating each value as
         * a regular expression; list values are accepted.
         *
         * @param resource resource attributes
         * @param rule     rule map holding the {@code match:} section
         * @return {@code false} when the section is missing or empty, otherwise whether every
         *         entry's pattern matches the corresponding resource attribute
         */
        boolean ruleMatchesMatchSection(Map<String, String> resource, Map rule) {
            final Map section = (Map) rule.get(MATCH_SECTION);
            if (!validRuleSection(section)) {
                return false;
            }
            final Converter<String, Predicate> toPredicate = new Converter<String, Predicate>() {
                @Override
                public Predicate convert(String regex) {
                    return new RegexPredicate(TypeRuleContextMatcher.this.patternForRegex(regex));
                }
            };
            return predicateMatchRules(section, resource, true, toPredicate);
        }

        /**
         * Applies {@code applyTest} to every entry of a rule section and stops at the first
         * failure.
         *
         * @param section   rule section: attribute name to expected value(s)
         * @param resource  resource attributes
         * @param allowList whether list values are permitted in the section
         * @param converter turns an expected string into a predicate
         * @return {@code true} only when every entry passes
         */
        boolean predicateMatchRules(Map section, Map<String, String> resource, boolean allowList, Converter<String, Predicate> converter) {
            for (Object item : section.entrySet()) {
                final Map.Entry entry = (Map.Entry) item;
                final boolean passed = applyTest(resource, allowList, converter, (String) entry.getKey(), entry.getValue());
                if (!passed) {
                    return false;
                }
            }
            return true;
        }

        /**
         * Tests one resource attribute against the expected value(s) of a rule entry.
         *
         * <p>An expected value of an unsupported type is logged and treated as "no match".
         * For a deny rule that means the rule is skipped rather than enforced, so policies
         * with such values should be rejected at validation time.
         *
         * @param resource  resource attributes
         * @param allowList whether {@code expected} may be a list of strings
         * @param converter turns an expected string into a predicate
         * @param key       attribute name to look up in the resource
         * @param expected  a string, or a list of strings when {@code allowList} is set
         * @return whether the attribute value satisfies every predicate
         */
        boolean applyTest(Map<String, String> resource, boolean allowList, Converter<String, Predicate> converter, String key, Object expected) {
            List<Predicate> predicates = new ArrayList<>();
            if (allowList && expected instanceof List) {
                // List elements are cast without a type check.
                // NOTE(review): presumably an empty list yields a predicate that accepts any
                // value -- verify against the commons-collections version in use.
                for (Object element : (List) expected) {
                    predicates.add(converter.convert((String) element));
                }
            } else if (expected instanceof String) {
                predicates.add(converter.convert((String) expected));
            } else {
                // A null expected value is not handled separately: getClass() below throws.
                YamlPolicy.logger.error(identify() + ": cannot evaluate unexpected type: " + expected.getClass().getName());
                return false;
            }
            return PredicateUtils.allPredicate(predicates).evaluate(resource.get(key));
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:WEB-INF/lib/rundeck-core-2.6.11.jar:com/dtolabs/rundeck/core/authorization/providers/YamlPolicy$YamlAclContext.class */
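    /**
     * Policy-level context: holds one {@link AclContext} per resource type declared in the
     * policy's {@code for:} section and routes each request to the context of its type.
     *
     * <p>Requests for a resource without a {@code type} attribute, or of a type the policy
     * does not declare, are rejected.
     */
    public static class YamlAclContext implements AclContext {
        Map policyDef;
        TypeContextFactory typeContextFactory;
        private Map forsection;
        private ValidationSet validation;
        static final ContextDecision NO_RESOURCE_TYPE_DECISION = new ContextDecision(Explanation.Code.REJECTED_NO_RESOURCE_TYPE, false, Collections.singletonList(new ContextEvaluation(Explanation.Code.REJECTED_NO_RESOURCE_TYPE, "Resource has no 'type'.")));
        private String description = "Not Evaluated: ";
        private final ConcurrentHashMap<String, AclContext> typeContexts = new ConcurrentHashMap<>();

        /**
         * Stores the policy definition and parses it immediately.
         *
         * @param map                policy definition as read from the document
         * @param validationSet      validation collector (stored only)
         * @param typeContextFactory creates the per-type contexts
         * @throws AclPolicySyntaxException when the description or the {@code for:} section
         *                                  is missing or malformed
         */
        YamlAclContext(Map map, ValidationSet validationSet, TypeContextFactory typeContextFactory) {
            this.policyDef = map;
            this.typeContextFactory = typeContextFactory;
            this.validation = validationSet;
            initialize();
        }

        /**
         * Checks the policy's description and {@code for:} section and builds one context per
         * resource type.
         *
         * @throws AclPolicySyntaxException on a missing description, a missing, non-map or
         *                                  empty {@code for:} section, a non-string type key,
         *                                  or a type whose value is not a non-empty list
         */
        private void initialize() {
            Object rawDescription = this.policyDef.get("description");
            if (!(rawDescription instanceof String)) {
                throw new AclPolicySyntaxException("Policy is missing a description.");
            }
            this.description = (String) rawDescription;

            Object rawFor = this.policyDef.get(YamlPolicy.FOR_SECTION);
            if (null == rawFor) {
                throw new AclPolicySyntaxException("Required 'for:' section was not present.");
            }
            if (!(rawFor instanceof Map)) {
                throw new AclPolicySyntaxException("Expected 'for:' section to contain a map, but was [" + rawFor.getClass().getName() + "].");
            }
            this.forsection = (Map) rawFor;

            for (Object key : this.forsection.keySet()) {
                if (!(key instanceof String)) {
                    throw new AclPolicySyntaxException("Section 'for:' key '" + key + ":' was not a string.");
                }
                String type = (String) key;
                Object rawRules = this.forsection.get(key);
                if (!(rawRules instanceof List)) {
                    // Report the type of this entry's value (it may be null), not the type of
                    // the enclosing 'for:' map.
                    String actualType = null == rawRules ? "null" : rawRules.getClass().getName();
                    throw new AclPolicySyntaxException("Expected 'for: { " + key + ": <...> }' section to contain a List, but was [" + actualType + "].");
                }
                List rules = (List) rawRules;
                if (rules.size() < 1) {
                    throw new AclPolicySyntaxException("Section 'for: { " + key + ": [...] }' list should not be empty.");
                }
                this.typeContexts.putIfAbsent(type, createTypeContext(type, rules));
            }
            if (this.forsection.size() < 1) {
                throw new AclPolicySyntaxException("Section 'for:' should not be empty.");
            }
        }

        /** @return {@code "Context: "} followed by the policy description */
        @Override
        public String toString() {
            return "Context: " + this.description;
        }

        /** Delegates creation of a per-type context to the configured factory. */
        private AclContext createTypeContext(String type, List rules) {
            return this.typeContextFactory.createAclContext(type, rules);
        }

        /**
         * Exports the rules of every declared resource type, tagging each with its type.
         *
         * @param aclRuleBuilder builder copied as the starting point for each type
         * @return all rules of all types
         */
        @Override
        public Set<AclRule> createRules(AclRuleBuilder aclRuleBuilder) {
            Set<AclRule> rules = new HashSet<>();
            for (Map.Entry<String, AclContext> entry : this.typeContexts.entrySet()) {
                AclRuleBuilder builder = AclRuleBuilder.builder(aclRuleBuilder);
                String type = entry.getKey();
                builder.sourceIdentityAppend("[type:" + type + "]");
                builder.resourceType(type);
                rules.addAll(entry.getValue().createRules(builder));
            }
            return rules;
        }

        /** Builds the rejection returned for a resource type the policy does not declare. */
        private static ContextDecision createNoRulesDecision(String type) {
            return new ContextDecision(Explanation.Code.REJECTED_NO_RULES_DECLARED, false, Collections.singletonList(new ContextEvaluation(Explanation.Code.REJECTED_NO_RULES_DECLARED, "Section for type '" + type + "' was not declared in " + YamlPolicy.FOR_SECTION + " section")));
        }

        /**
         * Routes the request to the context of the resource's type.
         *
         * @param resource resource attributes; the {@code type} attribute selects the context
         * @param action   requested action
         * @return a rejection when the resource has no type or the type is not declared,
         *         otherwise the decision of that type's context
         */
        @Override
        public ContextDecision includes(Map<String, String> resource, String action) {
            String type = resource.get("type");
            if (null == type) {
                return NO_RESOURCE_TYPE_DECISION;
            }
            AclContext typeContext = this.typeContexts.get(type);
            if (null == typeContext) {
                return createNoRulesDecision(type);
            }
            return typeContext.includes(resource, action);
        }
    }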

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:WEB-INF/lib/rundeck-core-2.6.11.jar:com/dtolabs/rundeck/core/authorization/providers/YamlPolicy$YamlEnvironmentalContext.class */
    public static class YamlEnvironmentalContext implements EnvironmentalContext {
        private boolean valid;
        private String validation;
        private String description;
        // Orders attributes by property first, then by value.
        private static Comparator<Attribute> comparator = new Comparator<Attribute>() {
            @Override
            public int compare(Attribute left, Attribute right) {
                final int byProperty = left.property.compareTo(right.property);
                if (byProperty != 0) {
                    return byProperty;
                }
                return left.value.compareTo(right.value);
            }
        };
        Map<URI, String> matcher = new HashMap();
        Map<URI, Pattern> matcherRegex = new HashMap();
        private HashMap<String, Boolean> memoize = new HashMap<>();

        /**
         * Converts a single-entry context into its {@link BasicEnvironmentalContext} form.
         *
         * <p>The pattern form is used whenever the entry's value compiled as a regular
         * expression; otherwise the static form is used. The key is the entry's URI with the
         * leading {@code URI_BASE} length stripped.
         *
         * @return the equivalent basic context
         * @throws IllegalStateException when neither map holds exactly one entry
         */
        EnvironmentalContext toBasic() {
            final boolean singlePattern = this.matcherRegex.size() == 1;
            if (!singlePattern && this.matcher.size() != 1) {
                throw new IllegalStateException("Expected environmental context to contain only one entry");
            }
            final int prefixLength = EnvironmentalContext.URI_BASE.length();
            if (singlePattern) {
                Map.Entry<URI, Pattern> only = this.matcherRegex.entrySet().iterator().next();
                String key = only.getKey().toString().substring(prefixLength);
                return BasicEnvironmentalContext.patternContextFor(key, only.getValue().toString());
            }
            Map.Entry<URI, String> only = this.matcher.entrySet().iterator().next();
            String key = only.getKey().toString().substring(prefixLength);
            return BasicEnvironmentalContext.staticContextFor(key, only.getValue());
        }

        /**
         * Builds the context from the attributes whose property URI starts with a prefix.
         *
         * <p>Each selected value is stored as a literal and, when it compiles, also as a
         * regular expression. The context is valid when at least one attribute was selected.
         *
         * @param uriPrefix  prefix an attribute's property URI must start with
         * @param attributes candidate attributes
         */
        YamlEnvironmentalContext(String uriPrefix, Set<Attribute> attributes) {
            this.valid = false;
            for (Attribute attribute : attributes) {
                if (!attribute.getProperty().toString().startsWith(uriPrefix)) {
                    continue;
                }
                final URI property = attribute.getProperty();
                final String value = attribute.getValue();
                this.matcher.put(property, value);
                try {
                    this.matcherRegex.put(property, Pattern.compile(value));
                } catch (PatternSyntaxException ignored) {
                    // not a regular expression: the value stays in the literal map only
                }
            }
            this.valid = this.matcher.size() >= 1;
            StringBuilder text = new StringBuilder("YamlEnvironmentalContext{");
            text.append(", valid=").append(this.valid);
            if (this.valid) {
                text.append(", context='").append(this.matcher).append("'}");
            } else {
                text.append(", validation='").append(getValidation()).append("'}");
            }
            this.description = text.toString();
        }

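        /**
         * Builds the context from a policy's context section.
         *
         * <p>Each entry must have a string key that forms a valid URI when appended to the
         * prefix, and a string value. The value is stored as a literal and, when it compiles,
         * also as a regular expression. Every malformed entry, including one with a null key
         * or value, is recorded in the validation message instead of aborting construction,
         * and makes the context invalid.
         *
         * @param str prefix prepended to each key to form the attribute URI
         * @param map context section: attribute name to expected value
         */
        YamlEnvironmentalContext(String str, Map map) {
            this.valid = false;
            List<String> problems = new ArrayList<>();
            for (Object item : map.entrySet()) {
                final Map.Entry entry = (Map.Entry) item;
                final Object key = entry.getKey();
                final Object value = entry.getValue();
                if (!(key instanceof String)) {
                    problems.add("Context section key expected 'String', saw: " + (null == key ? "null" : key.getClass().getName()));
                    continue;
                }
                final URI uri;
                try {
                    uri = new URI(str + ((String) key));
                } catch (URISyntaxException e) {
                    problems.add("Context section: " + key + ": invalid URI: " + e.getMessage());
                    continue;
                }
                if (!(value instanceof String)) {
                    // A key with no value is reported like any other wrong type.
                    problems.add("Context section: " + key + ": expected 'String', saw: " + (null == value ? "null" : value.getClass().getName()));
                    continue;
                }
                final String text = (String) value;
                this.matcher.put(uri, text);
                try {
                    this.matcherRegex.put(uri, Pattern.compile(text));
                } catch (PatternSyntaxException ignored) {
                    // not a regular expression: the value stays in the literal map only
                }
            }
            if (!problems.isEmpty()) {
                StringBuilder joined = new StringBuilder();
                for (String problem : problems) {
                    if (joined.length() > 0) {
                        joined.append("; ");
                    }
                    joined.append(problem);
                }
                this.validation = joined.toString();
            }
            // Any malformed entry invalidates the whole context, even if others parsed.
            this.valid = problems.isEmpty() && this.matcher.size() >= 1;
            this.description = "YamlEnvironmentalContext{" + (this.valid ? ", valid=" + this.valid + ", context='" + this.matcher + "'}" : ", valid=" + this.valid + ", validation='" + getValidation() + "'}");
        }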

        /**
         * Reports whether the supplied attributes satisfy this context.
         *
         * <p>The answer comes from {@code memo}, so a repeated query with the same cache
         * key returns the stored decision.
         *
         * @param set attributes describing the environment of a request
         * @return {@code true} when the context matches
         */
        @Override
        public boolean matches(Set<Attribute> set) {
            final boolean decision = this.memo(set);
            return decision;
        }

        /**
         * Returns the cached match decision for {@code set}, computing and storing it on
         * first use.
         *
         * <p>The cache key is whatever {@code ident(set)} returns, so the stored decision is
         * only as precise as that key: two attribute sets that produce the same key share
         * one decision.
         *
         * @param set attributes to evaluate
         * @return the (possibly cached) result of {@code evaluateMatches(set)}
         */
        private boolean memo(Set<Attribute> set) {
            final String cacheKey = ident(set);
            final Boolean cached = this.memoize.get(cacheKey);
            if (cached != null) {
                return cached.booleanValue();
            }
            // NOTE(review): no eviction is visible here; the cache gains one entry per
            // distinct key. Confirm the number of distinct attribute sets is bounded.
            final boolean fresh = evaluateMatches(set);
            this.memoize.put(cacheKey, Boolean.valueOf(fresh));
            return fresh;
        }

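        /**
         * Builds the memoization key for an attribute set.
         *
         * <p>The key is made from the full property and value text of every attribute, not
         * from hash codes. With hash codes, two different attribute sets whose codes happen
         * to coincide would share one cached authorization decision. Each component is
         * length-prefixed so that adjacent fields cannot run together, and the entries are
         * sorted so the key does not depend on the iteration order of the set.
         *
         * @param set attributes to derive the key from
         * @return a canonical string that is equal only for sets with the same
         *         property/value pairs
         */
        private String ident(Set<Attribute> set) {
            List<String> encoded = new ArrayList<String>(set.size());
            for (Attribute attribute : set) {
                String property = String.valueOf(attribute.getProperty());
                String value = String.valueOf(attribute.getValue());
                encoded.add(property.length() + ":" + property + "=" + value.length() + ":" + value);
            }
            Collections.sort(encoded);
            StringBuilder sb = new StringBuilder();
            for (String entry : encoded) {
                sb.append(entry).append("/");
            }
            return sb.toString();
        }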

        /**
         * Evaluates the context against the supplied attributes without using the cache.
         *
         * <p>An attribute satisfies a configured property when its value equals the stored
         * literal, or when the stored regex matches the whole value. Attributes whose
         * property is not configured are ignored. The context matches only when it is valid
         * and the number of satisfied properties equals the number of configured ones.
         *
         * <p>The same policy string serves as literal and as regex, so regex metacharacters
         * in a policy value widen what is accepted. Constructed example: the value
         * {@code prod.app} also accepts {@code prodXapp}. Escape such characters in the
         * policy when only the literal is meant.
         *
         * @param set attributes describing the environment of a request
         * @return {@code true} when every configured property is satisfied
         */
        private boolean evaluateMatches(Set<Attribute> set) {
            Set<Object> satisfied = new HashSet<Object>();
            for (Attribute candidate : set) {
                final Pattern regex = this.matcherRegex.get(candidate.property);
                final String literal = this.matcher.get(candidate.property);
                final boolean literalHit = literal != null && literal.equals(candidate.value);
                if (literalHit || (regex != null && regex.matcher(candidate.value).matches())) {
                    satisfied.add(candidate.property);
                }
            }
            if (!this.valid) {
                // An invalid context never matches, whatever the attributes are.
                return false;
            }
            return satisfied.size() == this.matcher.keySet().size();
        }

        /**
         * Reports whether this context was built without problems and holds at least one
         * entry, as decided by the constructor.
         *
         * @return the validity flag set at construction
         */
        @Override
        public boolean isValid() {
            return valid;
        }

        /**
         * Returns the description string assembled by the constructor.
         *
         * @return the precomputed description
         */
        @Override
        public String toString() {
            return description;
        }

        /**
         * Returns the validation message recorded for this context. Only the constructor
         * that takes a Map assigns it, and only when it found problems.
         *
         * @return the stored validation text
         */
        public String getValidation() {
            return validation;
        }
    }

    /**
     * Parses one policy document into subjects, context and rules.
     *
     * <p>Steps run in a fixed order: {@code by:} clause, ACL context, environment,
     * unknown-key validation, rule enumeration. Any step may throw, so an unknown
     * top-level key is reported only once the earlier sections have parsed.
     *
     * @param set           forced context attributes, or {@code null} to read the
     *                      {@code context:} section of the document
     * @param map           the raw policy document
     * @param str           identity of the source the policy came from
     * @param i             index of the policy within its source
     * @param validationSet collector for validation errors; may be {@code null}
     */
    private YamlPolicy(Set<Attribute> set, Map map, String str, int i, ValidationSet validationSet) {
        // Document and provenance.
        this.policyInput = map;
        this.sourceIdent = str;
        this.sourceIndex = i;
        this.validation = validationSet;

        // Top-level keys and context kinds a policy may use.
        this.allowed = Arrays.asList(BY_SECTION, "id", FOR_SECTION, "context", "description");
        this.allowedContexts = Arrays.asList("project", "application");

        // Collections filled in by the parsing steps below.
        this.usernames = new HashSet<String>();
        this.groups = new HashSet<String>();
        this.usernamePatterns = new HashSet<Pattern>();
        this.groupPatterns = new HashSet<Pattern>();
        this.rules = new HashSet();

        parseByClause();
        createAclContext();
        parseEnvironment(set);
        validate();
        enumerateRules();
    }

    /**
     * Rejects a policy document that carries top-level keys outside the allowed list.
     *
     * @throws AclPolicySyntaxException naming the unexpected keys and the allowed ones
     */
    private void validate() {
        Set<Object> unexpected = new HashSet<Object>(this.policyInput.keySet());
        unexpected.removeAll(this.allowed);
        if (unexpected.isEmpty()) {
            return;
        }
        throw new AclPolicySyntaxException("Policy contains invalid keys: " + unexpected + ", allowed keys: " + this.allowed);
    }

    /**
     * Creates a policy whose context is read from the document's {@code context:}
     * section (no forced context attributes).
     *
     * @param map           the raw policy document
     * @param str           identity of the source
     * @param i             index of the policy within its source
     * @param validationSet collector for validation errors; may be {@code null}
     * @return the parsed policy
     */
    static YamlPolicy createYamlPolicy(Map map, String str, int i, ValidationSet validationSet) {
        final Set<Attribute> noForcedContext = null;
        return new YamlPolicy(noForcedContext, map, str, i, validationSet);
    }

    /**
     * Creates a policy bound to a forced context. When {@code set} is non-null the
     * document must not carry its own {@code context:} section; {@code parseEnvironment}
     * rejects it otherwise.
     *
     * <p>Decompiler note: access was changed from package-private.
     *
     * @param set           forced context attributes, or {@code null}
     * @param map           the raw policy document
     * @param str           identity of the source
     * @param i             index of the policy within its source
     * @param validationSet collector for validation errors; may be {@code null}
     * @return the parsed policy
     */
    public static YamlPolicy createYamlPolicy(Set<Attribute> set, Map map, String str, int i, ValidationSet validationSet) {
        final YamlPolicy policy = new YamlPolicy(set, map, str, i, validationSet);
        return policy;
    }

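    /**
     * Expands the policy into concrete rules: one batch per username and one per group,
     * all sharing the environment, description and source identity.
     *
     * <p>Does nothing when no environment has been set. A {@code description:} key with
     * an empty (null) value is treated as no description rather than ending policy
     * loading with a NullPointerException.
     */
    private void enumerateRules() {
        if (null == this.environment) {
            return;
        }
        Object rawDescription = this.policyInput.get("description");
        String description = null != rawDescription ? rawDescription.toString() : null;
        AclRuleBuilder template = AclRuleBuilder.builder()
                .environment(this.environment.toBasic())
                .description(description)
                .sourceIdentity(this.sourceIdent);
        // Each subject gets its own builder copied from the shared template.
        for (String username : this.usernames) {
            this.rules.addAll(this.aclContext.createRules(AclRuleBuilder.builder(template).username(username)));
        }
        for (String group : this.groups) {
            this.rules.addAll(this.aclContext.createRules(AclRuleBuilder.builder(template).group(group)));
        }
    }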

    /**
     * Creates a policy read from a file, using the file's absolute path as the source
     * identity and no forced context.
     *
     * @param map           the raw policy document
     * @param file          file the document was read from
     * @param i             index of the policy within the file
     * @param validationSet collector for validation errors; may be {@code null}
     */
    YamlPolicy(Map map, File file, int i, ValidationSet validationSet) {
        this((Set<Attribute>) null, map, file.getAbsolutePath(), i, validationSet);
    }

    /**
     * Names this policy for messages: the document's {@code id} if present, else the
     * source identity, else a fixed placeholder.
     *
     * @return a non-null label for the policy
     */
    String identify() {
        Object declaredId = this.policyInput.get("id");
        if (declaredId != null) {
            return declaredId.toString();
        }
        if (this.sourceIdent != null) {
            return this.sourceIdent;
        }
        return "(unknown source)";
    }

    /**
     * Wraps the rules enumerated for this policy in a new rule set.
     *
     * @return a new {@code AclRuleSetImpl} over this policy's rules
     */
    @Override
    public AclRuleSet getRuleSet() {
        final AclRuleSet ruleSet = new AclRuleSetImpl(rules);
        return ruleSet;
    }

    /**
     * Returns the usernames named in the {@code by:} clause.
     *
     * <p>NOTE(review): this is the policy's own mutable set, not a copy; a caller that
     * modifies it changes this policy's state. Treat it as read-only.
     *
     * @return the internal username set
     */
    @Override
    public Set<String> getUsernames() {
        return usernames;
    }

    /**
     * Returns the environmental context set by {@code parseEnvironment}.
     *
     * @return the context this policy applies in
     */
    @Override
    public EnvironmentalContext getEnvironment() {
        return environment;
    }

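    /**
     * Establishes the context this policy applies in.
     *
     * <p>With forced attributes ({@code set} non-null) the document must not carry a
     * {@code context:} section. The resulting context is not checked for validity here;
     * an invalid one never matches (see {@code evaluateMatches}).
     *
     * <p>Without forced attributes the {@code context:} section is required, must be a
     * Map with exactly one entry, and that entry's key must be one of the allowed
     * context kinds.
     *
     * <p>The "not valid" message appends the validation detail only when there is one,
     * separated from the section text. Otherwise the two ran together, and an empty
     * section produced the literal text "null".
     *
     * @param set forced context attributes, or {@code null}
     * @throws AclPolicySyntaxException when the context is missing, malformed, or given
     *                                  although a forced context is in effect
     */
    private void parseEnvironment(Set<Attribute> set) {
        Object contextSection = this.policyInput.get("context");
        if (null != set) {
            if (null != contextSection) {
                throw new AclPolicySyntaxException("Context section should not be specified, it is already set to: " + AuthorizationUtil.contextAsString(set));
            }
            this.environment = new YamlEnvironmentalContext(EnvironmentalContext.URI_BASE, set);
            return;
        }
        if (null == contextSection) {
            throw new AclPolicySyntaxException("Required 'context:' section was not present.");
        }
        if (!(contextSection instanceof Map)) {
            throw new AclPolicySyntaxException("Context section is not valid: expected a Map, but it was: " + contextSection.getClass().getName());
        }
        Map contextMap = (Map) contextSection;
        this.environment = new YamlEnvironmentalContext(EnvironmentalContext.URI_BASE, contextMap);
        if (!this.environment.isValid()) {
            String detail = this.environment.getValidation();
            throw new AclPolicySyntaxException("Context section is not valid: " + contextSection + (null != detail ? ": " + detail : ""));
        }
        if (contextMap.size() != 1) {
            throw new AclPolicySyntaxException("Context section is not valid: " + contextSection + ", it should have only one entry: 'application:' or 'project:'");
        }
        if (!this.allowedContexts.containsAll(contextMap.keySet())) {
            throw new AclPolicySyntaxException("Context section is not valid: " + contextSection + ", it should contain only 'application:' or 'project:'");
        }
    }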

    /**
     * Returns the username entries that compiled as regular expressions.
     *
     * <p>NOTE(review): this is the policy's own mutable set, not a copy. Treat it as
     * read-only outside this class.
     *
     * @return the internal set of username patterns
     */
    @Override
    public Set<Pattern> getUsernamePatterns() {
        return usernamePatterns;
    }

    /**
     * Returns the group entries that compiled as regular expressions.
     *
     * <p>NOTE(review): this is the policy's own mutable set, not a copy. Treat it as
     * read-only outside this class.
     *
     * @return the internal set of group patterns
     */
    @Override
    public Set<Pattern> getGroupPatterns() {
        return groupPatterns;
    }

    /**
     * Returns the groups named in the {@code by:} clause.
     *
     * <p>NOTE(review): this is the policy's own mutable set, not a copy; a caller that
     * modifies it changes this policy's state. Treat it as read-only.
     *
     * @return the internal group set
     */
    @Override
    public Set<String> getGroups() {
        return groups;
    }

    /**
     * Returns the ACL context built by {@code createAclContext()}.
     *
     * @return this policy's ACL context
     */
    @Override
    public AclContext getContext() {
        return aclContext;
    }

    /**
     * Builds the ACL context for this policy. The factory handed to
     * {@code YamlAclContext} turns each resource type's rule list into a
     * {@code TypeContext} through {@link #createTypeRules(String, List)}.
     */
    private void createAclContext() {
        final TypeContextFactory typeContexts = new TypeContextFactory() {
            @Override
            public AclContext createAclContext(String str, List list) {
                List<ContextMatcher> matchers = YamlPolicy.this.createTypeRules(str, list);
                return new TypeContext(matchers);
            }
        };
        this.aclContext = new YamlAclContext(this.policyInput, this.validation, typeContexts);
    }

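    /**
     * Converts the rule entries listed under one resource type into matchers.
     *
     * <p>Every entry must be a Map. A null entry (for example an empty YAML list item) is
     * reported as a syntax error like any other wrong type, rather than causing a
     * NullPointerException while the message is built.
     *
     * @param str  resource type the rules belong to
     * @param list raw rule entries for that type
     * @return one matcher per entry, in list order; entry indexes start at 1
     * @throws AclPolicySyntaxException when an entry is not a Map
     */
    List<ContextMatcher> createTypeRules(String str, List list) {
        List<ContextMatcher> matchers = new ArrayList<ContextMatcher>(list.size());
        int index = 1;
        for (Object entry : list) {
            if (!(entry instanceof Map)) {
                throw new AclPolicySyntaxException("Type rule 'for: { " + str + ": [...] }'' entry at index [" + index + "] expected a Map but saw: " + (null == entry ? "null" : entry.getClass().getName()));
            }
            matchers.add(createTypeRuleContext(str, (Map) entry, index));
            index++;
        }
        return matchers;
    }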

    /**
     * Creates the matcher for a single rule entry of a resource type.
     *
     * @param str resource type the rule belongs to
     * @param map raw rule entry
     * @param i   1-based position of the entry within its list
     * @return a new {@code TypeRuleContextMatcher} tied to this policy
     */
    ContextMatcher createTypeRuleContext(String str, Map map, int i) {
        final ContextMatcher ruleMatcher = new TypeRuleContextMatcher(str, map, this.validation, i, this);
        return ruleMatcher;
    }

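    /**
     * Reads the {@code by:} section and registers its usernames and groups.
     *
     * <p>{@code username:} and {@code group:} may each be a single String or a collection
     * of Strings. If neither yields a subject and a validation collector is present, an
     * error is recorded there and no exception is thrown. Such a policy ends up with no
     * subjects, so {@code enumerateRules()} has nothing to create rules for.
     *
     * <p>A null list element (an empty YAML item) is reported as a syntax error like any
     * other non-String element, rather than causing a NullPointerException.
     *
     * @throws AclPolicySyntaxException when the section is missing or has the wrong shape
     */
    private void parseByClause() {
        Object bySection = this.policyInput.get(BY_SECTION);
        if (bySection == null) {
            throw new AclPolicySyntaxException("Required 'by:' section was not present.");
        }
        if (!(bySection instanceof Map)) {
            throw new AclPolicySyntaxException("Section 'by:' should be a Map, but it was: " + bySection.getClass().getName());
        }
        Map by = (Map) bySection;
        Object usernameSection = by.get("username");
        Object groupSection = by.get("group");
        addByClauseEntries(usernameSection, "username", false);
        addByClauseEntries(groupSection, "group", true);
        boolean hasSubject = this.groups.size() >= 1 || this.usernames.size() >= 1;
        if (!hasSubject && null != this.validation) {
            this.validation.addError(this.sourceIdent, "Section 'by:' is not valid: " + by + " it must contain 'group:' and/or 'username:'");
        }
    }

    /**
     * Registers the names found in one sub-section of {@code by:}.
     *
     * @param section the raw value: null (absent), a String, or a Collection of Strings
     * @param label   section name used in error messages, without the trailing colon
     * @param asGroup {@code true} to register groups, {@code false} for usernames
     * @throws AclPolicySyntaxException when the value or one of its elements has the
     *                                  wrong type
     */
    private void addByClauseEntries(Object section, String label, boolean asGroup) {
        if (null == section) {
            return;
        }
        if (section instanceof String) {
            if (asGroup) {
                addGroup((String) section);
            } else {
                addUsername((String) section);
            }
            return;
        }
        if (!(section instanceof Collection)) {
            throw new AclPolicySyntaxException("Section '" + label + ":' should be a list or a String, but it was: " + section.getClass().getName());
        }
        for (Object element : (Collection) section) {
            if (!(element instanceof String)) {
                throw new AclPolicySyntaxException("Section '" + label + ":' should contain only Strings, but saw a: " + (null == element ? "null" : element.getClass().getName()));
            }
            if (asGroup) {
                addGroup((String) element);
            } else {
                addUsername((String) element);
            }
        }
    }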

    /**
     * Registers a group entry: always as a literal name, and additionally as a regular
     * expression when the text compiles as one.
     *
     * <p>NOTE(review): the same string is kept both ways, so regex metacharacters in a
     * group name can make the pattern form accept other names. How the patterns are
     * consulted is not visible in this method; confirm against the matching code.
     *
     * @param str group name or pattern taken from the policy
     */
    private void addGroup(String str) {
        Pattern compiled = null;
        try {
            compiled = Pattern.compile(str);
        } catch (PatternSyntaxException ignored) {
            // Deliberate: not a usable regex, so the entry is kept as a literal only.
        }
        if (compiled != null) {
            getGroupPatterns().add(compiled);
        }
        this.groups.add(str);
    }

    /**
     * Registers a username entry: always as a literal name, and additionally as a regular
     * expression when the text compiles as one.
     *
     * <p>NOTE(review): the same string is kept both ways, so regex metacharacters in a
     * username can make the pattern form accept other names. How the patterns are
     * consulted is not visible in this method; confirm against the matching code.
     *
     * @param str username or pattern taken from the policy
     */
    private void addUsername(String str) {
        Pattern compiled = null;
        try {
            compiled = Pattern.compile(str);
        } catch (PatternSyntaxException ignored) {
            // Deliberate: not a usable regex, so the entry is kept as a literal only.
        }
        if (compiled != null) {
            getUsernamePatterns().add(compiled);
        }
        this.usernames.add(str);
    }

    /**
     * Renders the policy as its identity followed by its groups, each group followed by
     * a space. Usernames are not included.
     *
     * @return a short label such as {@code YamlPolicy[id:..., groups:a b ]}
     */
    @Override
    public String toString() {
        StringBuilder text = new StringBuilder("YamlPolicy[id:");
        text.append(identify());
        text.append(", groups:");
        for (String group : getGroups()) {
            text.append(group).append(" ");
        }
        return text.append("]").toString();
    }
}
