package org.geoserver.security.impl;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.stream.Collectors;
import org.geoserver.catalog.Catalog;
import org.geoserver.catalog.CatalogInfo;
import org.geoserver.catalog.CoverageInfo;
import org.geoserver.catalog.FeatureTypeInfo;
import org.geoserver.catalog.LayerGroupInfo;
import org.geoserver.catalog.LayerInfo;
import org.geoserver.catalog.Predicates;
import org.geoserver.catalog.PublishedInfo;
import org.geoserver.catalog.ResourceInfo;
import org.geoserver.catalog.StyleInfo;
import org.geoserver.catalog.WMSLayerInfo;
import org.geoserver.catalog.WMTSLayerInfo;
import org.geoserver.catalog.WorkspaceInfo;
import org.geoserver.ows.Dispatcher;
import org.geoserver.ows.Request;
import org.geoserver.security.AccessMode;
import org.geoserver.security.AdminRequest;
import org.geoserver.security.CatalogMode;
import org.geoserver.security.CoverageAccessLimits;
import org.geoserver.security.DataAccessLimits;
import org.geoserver.security.GeoServerSecurityFilterChain;
import org.geoserver.security.InMemorySecurityFilter;
import org.geoserver.security.LayerGroupAccessLimits;
import org.geoserver.security.ResourceAccessManager;
import org.geoserver.security.StyleAccessLimits;
import org.geoserver.security.VectorAccessLimits;
import org.geoserver.security.WMSAccessLimits;
import org.geoserver.security.WMTSAccessLimits;
import org.geoserver.security.WorkspaceAccessLimits;
import org.geoserver.security.impl.LayerGroupContainmentCache;
import org.geoserver.security.password.GeoServerPasswordEncoder;
import org.geotools.util.logging.Logging;
import org.opengis.filter.Filter;
import org.springframework.security.core.Authentication;

/* loaded from: input_file:org/geoserver/security/impl/DefaultResourceAccessManager.class */
public class DefaultResourceAccessManager implements ResourceAccessManager {
    static final Logger LOGGER = Logging.getLogger(DefaultResourceAccessManager.class);
    // Root of the authorization tree built from the DAO's rules; replaced wholesale on reload.
    SecureTreeNode root;
    // Source of the data access rules and of the catalog mode.
    DataAccessRuleDAO dao;
    // Catalog used to resolve layer groups, layers and group names while deciding access.
    Catalog rawCatalog;
    // DAO last-modified value recorded at the last rebuild done by rebuildAuthorizationTree;
    // Long.MIN_VALUE marks "no rebuild recorded yet" (the constructor's build does not update it).
    // NOTE(review): root and lastLoaded are plain fields with no synchronization visible in this
    // class; confirm how concurrent requests are expected to observe a reload.
    long lastLoaded = Long.MIN_VALUE;
    // Lookup of the layer groups that contain a given resource or group.
    LayerGroupContainmentCache groupsCache;

    /* loaded from: input_file:org/geoserver/security/impl/DefaultResourceAccessManager$SecuredGroupSummary.class */
    /**
     * Layer group summary paired with the authorization-tree node carrying the rules for that
     * group, when such a node was supplied.
     */
    static class SecuredGroupSummary extends LayerGroupContainmentCache.LayerGroupSummary {
        // Rule node for the group; null when the summary was created without one.
        private SecureTreeNode node;

        SecuredGroupSummary(LayerGroupContainmentCache.LayerGroupSummary layerGroupSummary, SecureTreeNode secureTreeNode) {
            super(layerGroupSummary);
            node = secureTreeNode;
        }

        /**
         * Tells whether the user may access the group in the given mode.
         *
         * <p>A summary without a node is treated as accessible, i.e. the absence of a rule node is
         * a permissive default here.
         */
        boolean canAccess(Authentication authentication, AccessMode accessMode) {
            if (node == null) {
                return true;
            }
            return node.canAccess(authentication, accessMode);
        }

        /** Returns the rule node attached to this summary, possibly {@code null}. */
        public SecureTreeNode getNode() {
            return node;
        }
    }

    /**
     * Creates the manager, building the initial authorization tree from the DAO's rules and a
     * layer group containment cache over the given catalog.
     *
     * <p>{@code lastLoaded} is left at its initial value, so the first reload check compares the
     * DAO's last-modified value against {@code Long.MIN_VALUE}.
     *
     * @param dataAccessRuleDAO source of the access rules and catalog mode
     * @param catalog catalog used to resolve layers and layer groups
     */
    public DefaultResourceAccessManager(DataAccessRuleDAO dataAccessRuleDAO, Catalog catalog) {
        dao = dataAccessRuleDAO;
        rawCatalog = catalog;
        root = buildAuthorizationTree(dataAccessRuleDAO);
        groupsCache = new LayerGroupContainmentCache(catalog);
    }

    /** Returns the catalog mode configured on the rule DAO. */
    public CatalogMode getMode() {
        return dao.getMode();
    }

    /**
     * Decides whether the user may access the workspace in the given mode.
     *
     * <p>The deepest tree node found for the workspace name is asked first. For READ only, a
     * denial is relaxed when any node below that one grants READ, so a workspace becomes readable
     * as soon as something under its node is readable. WRITE and ADMIN get no such drill-down.
     *
     * @param authentication the user being checked
     * @param workspaceInfo the workspace being accessed
     * @param accessMode the requested access mode
     * @return {@code true} when access is granted
     */
    public boolean canAccess(Authentication authentication, WorkspaceInfo workspaceInfo, AccessMode accessMode) {
        checkPropertyFile();
        SecureTreeNode workspaceNode = root.getDeepestNode(workspaceInfo.getName());
        boolean grantedOnNode = workspaceNode.canAccess(authentication, accessMode);
        if (!grantedOnNode && accessMode == AccessMode.READ) {
            // NOTE(review): if getDeepestNode falls back to an ancestor (for instance the tree
            // root) when the workspace has no node of its own, this drill-down would also visit
            // nodes that belong to other workspaces; confirm against SecureTreeNode.
            return canAccessChild(workspaceNode, authentication, accessMode);
        }
        return grantedOnNode;
    }

    /**
     * Depth-first search for any node, starting with the given one, that grants the requested
     * access to the user.
     *
     * @return {@code true} as soon as the node itself or one of its descendants grants access
     */
    private boolean canAccessChild(SecureTreeNode secureTreeNode, Authentication authentication, AccessMode accessMode) {
        return secureTreeNode.canAccess(authentication, accessMode)
                || secureTreeNode.getChildren().values().stream()
                        .anyMatch(child -> canAccessChild(child, authentication, accessMode));
    }

    /**
     * Decides whether the user may access the layer, delegating to the check on its resource.
     *
     * <p>A layer without a resource is reported as accessible: this is a permissive default, and
     * it is only logged at FINE level.
     *
     * @param authentication the user being checked
     * @param layerInfo the layer being accessed
     * @param accessMode the requested access mode
     * @param z forwarded unchanged to the resource check; callers in this class pass
     *     {@code true} when no containing layer groups were supplied
     * @return {@code true} when access is granted
     */
    public boolean canAccess(Authentication authentication, LayerInfo layerInfo, AccessMode accessMode, boolean z) {
        checkPropertyFile();
        ResourceInfo resource = layerInfo.getResource();
        if (resource == null) {
            // Permissive fallback: nothing to match rules against, so access is assumed.
            LOGGER.log(Level.FINE, "Layer " + layerInfo + " has no attached resource, assuming it's possible to access it");
            return true;
        }
        return canAccess(authentication, resource, accessMode, z);
    }

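    /**
     * Decides whether the user may access the resource in the given mode.
     *
     * <p>The deepest rule node for {@code workspace/resource} gives the base answer. That answer is
     * final when the node sits at resource depth or when the current request does not need layer
     * group containment checks. Otherwise the layer groups containing the resource are consulted:
     * groups that either have a deeper rule node than the resource's or are opaque containers
     * replace the base answer, and as a last resort a container group without its own rule node
     * may grant access.
     *
     * <p>Only a failure to resolve the resource's workspace name keeps the permissive
     * "return true" fallback, which is what the log message describes. Exceptions raised while
     * evaluating the rules or the layer groups are no longer swallowed into a grant; they
     * propagate to the caller so an unexpected error cannot silently turn into access.
     *
     * @param authentication the user being checked
     * @param resourceInfo the resource being accessed
     * @param accessMode the requested access mode
     * @param z {@code true} for direct access (callers in this class pass it when no containing
     *     layer groups were supplied); when set, opaque containers never grant access and a group
     *     must reach the resource through non-opaque nesting
     * @return {@code true} when access is granted
     */
    public boolean canAccess(Authentication authentication, ResourceInfo resourceInfo, AccessMode accessMode, boolean z) {
        checkPropertyFile();
        String name = resourceInfo.getName();
        String workspaceName;
        try {
            workspaceName = resourceInfo.getStore().getWorkspace().getName();
        } catch (Exception e) {
            // Permissive fallback preserved from the original code: a resource whose workspace
            // cannot be resolved is treated as accessible. The exception is now attached to the
            // log record so the condition can be diagnosed.
            LOGGER.log(Level.FINE, "Errors occurred trying to gather workspace of resource " + name, e);
            return true;
        }

        SecureTreeNode deepestNode = root.getDeepestNode(workspaceName, name);
        int depth = deepestNode.getDepth();
        boolean allowed = deepestNode.canAccess(authentication, accessMode);
        if (depth == SecureTreeNode.RESOURCE_DEPTH || !layerGroupContainmentCheckRequired()) {
            return allowed;
        }
        Collection<LayerGroupContainmentCache.LayerGroupSummary> containers = groupsCache.getContainerGroupsFor(resourceInfo);
        if (containers.isEmpty()) {
            return allowed;
        }

        // Groups whose rules take precedence over the node found for the resource: either their
        // rule node is deeper than the resource's, or they are opaque containers.
        List<LayerGroupContainmentCache.LayerGroupSummary> overridingGroups = containers.stream()
                .filter(summary -> {
                    LayerGroupInfo group = rawCatalog.getLayerGroup(summary.getId());
                    if (group == null) {
                        return false;
                    }
                    SecureTreeNode groupNode = getNodeForGroup(group);
                    return (groupNode != null && groupNode.getDepth() > depth)
                            || summary.getMode() == LayerGroupInfo.Mode.OPAQUE_CONTAINER;
                })
                .collect(Collectors.toList());
        if (!overridingGroups.isEmpty()) {
            // NOTE(review): the group checks evaluate READ on the group regardless of accessMode.
            allowed = overridingGroups.stream()
                    .anyMatch(summary -> grantsAccessViaGroup(authentication, resourceInfo, summary, z, false));
        }
        if (allowed) {
            return true;
        }
        // Last resort: a container group that has no rule node of its own and is accessible.
        return containers.stream()
                .anyMatch(summary -> grantsAccessViaGroup(authentication, resourceInfo, summary, z, true));
    }

    /**
     * Tells whether the given container group lets the user reach the resource.
     *
     * @param z direct-access flag: opaque containers are rejected and the resource must be
     *     reachable through non-opaque nesting when it is set
     * @param onlyGroupsWithoutRules when {@code true}, groups that have their own rule node are
     *     rejected
     */
    private boolean grantsAccessViaGroup(Authentication authentication, ResourceInfo resourceInfo, LayerGroupContainmentCache.LayerGroupSummary summary, boolean z, boolean onlyGroupsWithoutRules) {
        if (z && summary.getMode() == LayerGroupInfo.Mode.OPAQUE_CONTAINER) {
            return false;
        }
        LayerGroupInfo group = rawCatalog.getLayerGroup(summary.getId());
        if (group == null) {
            return false;
        }
        if (onlyGroupsWithoutRules && getNodeForGroup(group) != null) {
            return false;
        }
        if (!canAccess(authentication, group, z)) {
            return false;
        }
        return !z || allowsAccessViaNonOpaqueGroup(group, resourceInfo);
    }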

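    /**
     * Tells whether the resource is reachable from the group through layers and nested groups
     * without crossing an opaque container.
     *
     * <p>Entries that are neither a layer nor a layer group, including {@code null} entries, are
     * skipped. The previous code cast every non-layer entry to {@link LayerGroupInfo}, which
     * throws on such entries in the middle of an access decision.
     *
     * @param layerGroupInfo the group whose content is inspected
     * @param resourceInfo the resource being looked for
     * @return {@code true} when a layer publishing the resource is found
     */
    private boolean allowsAccessViaNonOpaqueGroup(LayerGroupInfo layerGroupInfo, ResourceInfo resourceInfo) {
        for (PublishedInfo publishedInfo : layerGroupInfo.getLayers()) {
            if (publishedInfo instanceof LayerInfo) {
                if (resourceInfo.equals(((LayerInfo) publishedInfo).getResource())) {
                    return true;
                }
            } else if (publishedInfo instanceof LayerGroupInfo) {
                LayerGroupInfo nested = (LayerGroupInfo) publishedInfo;
                // Opaque containers hide their content, so the search does not descend into them.
                if (nested.getMode() != LayerGroupInfo.Mode.OPAQUE_CONTAINER && allowsAccessViaNonOpaqueGroup(nested, resourceInfo)) {
                    return true;
                }
            }
        }
        return false;
    }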

    /**
     * Looks up the rule node for a layer group: by group name alone for a group without a
     * workspace, by the workspace/group path otherwise.
     *
     * @return the node, or {@code null} (callers in this class treat null as "no rule node")
     */
    private SecureTreeNode getNodeForGroup(LayerGroupInfo layerGroupInfo) {
        if (layerGroupInfo.getWorkspace() == null) {
            return root.getNode(layerGroupInfo.getName());
        }
        return root.getNode(getLayerGroupPath(layerGroupInfo));
    }

    /**
     * Tells whether the current request needs layer group containment checks.
     *
     * <p>True only when a dispatcher request is bound and its service matches, ignoring case,
     * either "WMS" or the GWC chain name constant. Without a bound request the checks are skipped.
     */
    private boolean layerGroupContainmentCheckRequired() {
        Request current = (Request) Dispatcher.REQUEST.get();
        if (current != null) {
            String service = current.getService();
            // NOTE(review): the second comparison uses a filter-chain name constant as the
            // service name; presumably its value is the GWC service name, confirm.
            return "WMS".equalsIgnoreCase(service) || GeoServerSecurityFilterChain.GWC_CHAIN_NAME.equalsIgnoreCase(service);
        }
        return false;
    }

    /**
     * Reloads the authorization tree if the DAO reports rules newer than the last recorded
     * rebuild. Called at the start of the public {@code canAccess} methods so decisions are taken
     * against current rules.
     */
    void checkPropertyFile() {
        rebuildAuthorizationTree(false);
    }

    /**
     * Rebuilds the authorization tree when the DAO's last-modified value is newer than the one
     * recorded at the previous rebuild, or unconditionally when forced.
     *
     * @param z {@code true} to force the rebuild
     */
    private void rebuildAuthorizationTree(boolean z) {
        long lastModified = dao.getLastModified();
        boolean stale = lastLoaded < lastModified;
        if (!stale && !z) {
            return;
        }
        // NOTE(review): the two writes below are not synchronized in this class; confirm whether
        // request threads can observe a new root together with an old lastLoaded (or vice versa).
        root = buildAuthorizationTree(dao);
        lastLoaded = lastModified;
    }

    /**
     * Builds the authorization tree from the DAO's rules.
     *
     * <p>Each rule is attached to one node: the tree root when the rule's root is "*", the
     * first-level child named after the rule's root when the layer is "*" or the rule is a global
     * group rule, and a second-level child named after the layer otherwise. Missing nodes are
     * created on the way.
     *
     * <p>Rules are applied in iteration order and a later rule replaces the roles already set on
     * the same node for the same access mode. A warning is logged for such an override, except
     * when the node is the tree root, where the replacement is silent.
     *
     * @param dataAccessRuleDAO source of the rules
     * @return the root of the newly built tree
     */
    SecureTreeNode buildAuthorizationTree(DataAccessRuleDAO dataAccessRuleDAO) {
        SecureTreeNode treeRoot = new SecureTreeNode();
        for (DataAccessRule rule : dataAccessRuleDAO.getRules()) {
            String ruleRoot = rule.getRoot();
            String layer = rule.getLayer();
            AccessMode accessMode = rule.getAccessMode();

            SecureTreeNode target;
            if ("*".equals(ruleRoot)) {
                target = treeRoot;
            } else {
                SecureTreeNode firstLevel = treeRoot.getChild(ruleRoot);
                if (firstLevel == null) {
                    firstLevel = treeRoot.addChild(ruleRoot);
                }
                if ("*".equals(layer) || rule.isGlobalGroupRule()) {
                    target = firstLevel;
                } else {
                    SecureTreeNode secondLevel = firstLevel.getChild(layer);
                    if (secondLevel == null) {
                        secondLevel = firstLevel.addChild(layer);
                    }
                    target = secondLevel;
                }
            }

            boolean rolesAlreadySet = target.getAuthorizedRoles(accessMode) != null && target.getAuthorizedRoles(accessMode).size() > 0;
            if (rolesAlreadySet && target != treeRoot) {
                LOGGER.warning("Rule " + rule + " is overriding another rule targetting the same resource");
            }
            target.setAuthorizedRoles(accessMode, rule.getRoles());
        }
        return treeRoot;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /**
     * Computes the access limits of a layer from its READ and WRITE decisions.
     *
     * <p>Access counts as direct when no containing layer groups are supplied. The limits type is
     * chosen from the class of the layer's resource.
     *
     * <p>NOTE(review): the layer check reports a layer without a resource as accessible, but this
     * method then dereferences {@code layerInfo.getResource()}; such a layer ends in a
     * {@link NullPointerException} here rather than in a limits object.
     */
    @Override // org.geoserver.security.ResourceAccessManager
    public DataAccessLimits getAccessLimits(Authentication authentication, LayerInfo layerInfo, List<LayerGroupInfo> list) {
        boolean directAccess = list == null || list.isEmpty();
        boolean readable = canAccess(authentication, layerInfo, AccessMode.READ, directAccess);
        boolean writable = canAccess(authentication, layerInfo, AccessMode.WRITE, directAccess);
        Class<? extends ResourceInfo> resourceType = layerInfo.getResource().getClass();
        Filter readFilter = readable ? Filter.INCLUDE : Filter.EXCLUDE;
        Filter writeFilter = writable ? Filter.INCLUDE : Filter.EXCLUDE;
        return buildLimits(resourceType, readFilter, writeFilter);
    }

    /* JADX WARN: Multi-variable type inference failed */
    /**
     * Computes the access limits of a resource from its READ and WRITE decisions, always treating
     * the access as direct.
     */
    @Override // org.geoserver.security.ResourceAccessManager
    public DataAccessLimits getAccessLimits(Authentication authentication, ResourceInfo resourceInfo) {
        boolean readable = canAccess(authentication, resourceInfo, AccessMode.READ, true);
        boolean writable = canAccess(authentication, resourceInfo, AccessMode.WRITE, true);
        Class<? extends ResourceInfo> resourceType = resourceInfo.getClass();
        Filter readFilter = readable ? Filter.INCLUDE : Filter.EXCLUDE;
        Filter writeFilter = writable ? Filter.INCLUDE : Filter.EXCLUDE;
        return buildLimits(resourceType, readFilter, writeFilter);
    }

    /**
     * Builds the limits object matching the resource type from a read filter and a write filter.
     *
     * <p>Returns {@code null} when reading is unrestricted (filter absent or INCLUDE) and writing
     * is either unrestricted or not taken into account for the type (WMS layers, WMTS layers and
     * coverages). Only the vector limits receive the write filter; an unrecognized type falls back
     * to generic limits carrying the read filter.
     *
     * @param cls the resource type
     * @param filter the read filter
     * @param filter2 the write filter
     * @return the limits, or {@code null} when nothing has to be restricted
     */
    DataAccessLimits buildLimits(Class<? extends ResourceInfo> cls, Filter filter, Filter filter2) {
        CatalogMode mode = getMode();
        boolean readUnrestricted = filter == null || filter == Filter.INCLUDE;
        if (readUnrestricted
                && (filter2 == null
                        || filter2 == Filter.INCLUDE
                        || WMSLayerInfo.class.isAssignableFrom(cls)
                        || WMTSLayerInfo.class.isAssignableFrom(cls)
                        || CoverageInfo.class.isAssignableFrom(cls))) {
            return null;
        }

        DataAccessLimits limits;
        if (FeatureTypeInfo.class.isAssignableFrom(cls)) {
            limits = new VectorAccessLimits(mode, null, filter, null, filter2);
        } else if (CoverageInfo.class.isAssignableFrom(cls)) {
            limits = new CoverageAccessLimits(mode, filter, null, null);
        } else if (WMSLayerInfo.class.isAssignableFrom(cls)) {
            limits = new WMSAccessLimits(mode, filter, null, true);
        } else if (WMTSLayerInfo.class.isAssignableFrom(cls)) {
            limits = new WMTSAccessLimits(mode, filter, null);
        } else {
            LOGGER.log(Level.INFO, "Warning, adapting to generic access limits for unrecognized resource type " + cls);
            limits = new DataAccessLimits(mode, filter);
        }
        return limits;
    }

    /**
     * Computes the access limits of a workspace from its READ, WRITE and ADMIN decisions.
     *
     * <p>Returns {@code null} only when the workspace is both readable and writable and no admin
     * request is in progress. During an admin request a limits object is always returned so the
     * ADMIN decision reaches the caller.
     */
    @Override // org.geoserver.security.ResourceAccessManager
    public WorkspaceAccessLimits getAccessLimits(Authentication authentication, WorkspaceInfo workspaceInfo) {
        boolean readable = canAccess(authentication, workspaceInfo, AccessMode.READ);
        boolean writable = canAccess(authentication, workspaceInfo, AccessMode.WRITE);
        boolean adminable = canAccess(authentication, workspaceInfo, AccessMode.ADMIN);
        CatalogMode mode = getMode();
        boolean unrestricted = readable && writable && AdminRequest.get() == null;
        return unrestricted ? null : new WorkspaceAccessLimits(mode, readable, writable, adminable);
    }

    /**
     * Always returns {@code null}: no rule is consulted for styles in this manager.
     *
     * <p>NOTE(review): presumably {@code null} means "no restriction", as it does for the other
     * limits built in this class; confirm against the ResourceAccessManager contract.
     */
    @Override // org.geoserver.security.ResourceAccessManager
    public StyleAccessLimits getAccessLimits(Authentication authentication, StyleInfo styleInfo) {
        return null;
    }

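    /**
     * Computes the access limits of a layer group.
     *
     * <p>The rule reload check now runs first, as it does on the workspace, layer and resource
     * paths. Without it this entry point could decide against an authorization tree that predates
     * the latest rule change.
     *
     * @param authentication the user being checked
     * @param layerGroupInfo the layer group being accessed
     * @param list the groups containing this one in the current request; null or empty means
     *     direct access
     * @return {@code null} when the group is accessible, otherwise limits carrying the catalog
     *     mode
     */
    @Override // org.geoserver.security.ResourceAccessManager
    public LayerGroupAccessLimits getAccessLimits(Authentication authentication, LayerGroupInfo layerGroupInfo, List<LayerGroupInfo> list) {
        checkPropertyFile();
        boolean directAccess = list == null || list.isEmpty();
        if (canAccess(authentication, layerGroupInfo, directAccess)) {
            return null;
        }
        return new LayerGroupAccessLimits(getMode());
    }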

    /**
     * Decides whether the user may read the layer group.
     *
     * <p>The deepest rule node for the group path must grant READ. When the group is itself
     * contained in other groups, at least one container must be accessible too; with direct
     * access, opaque containers never count.
     *
     * <p>This method does not trigger the rule reload check itself.
     *
     * @param z {@code true} for direct access
     * @return {@code true} when access is granted
     */
    private boolean canAccess(Authentication authentication, LayerGroupInfo layerGroupInfo, boolean z) {
        SecureTreeNode groupNode = root.getDeepestNode(getLayerGroupPath(layerGroupInfo));
        // The node is dereferenced right away, so a null node surfaces as a
        // NullPointerException; the original's later null test could never be true.
        if (!groupNode.canAccess(authentication, AccessMode.READ)) {
            return false;
        }
        Collection<LayerGroupContainmentCache.LayerGroupSummary> containers = groupsCache.getContainerGroupsFor(layerGroupInfo);
        if (containers.isEmpty()) {
            return true;
        }
        for (LayerGroupContainmentCache.LayerGroupSummary summary : containers) {
            if (z && summary.getMode() == LayerGroupInfo.Mode.OPAQUE_CONTAINER) {
                continue;
            }
            LayerGroupInfo container = rawCatalog.getLayerGroup(summary.getId());
            if (container != null && canAccess(authentication, container, z)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns the tree path of a layer group: {@code [name]} for a group without a workspace,
     * {@code [workspace, name]} otherwise.
     */
    private String[] getLayerGroupPath(LayerGroupInfo layerGroupInfo) {
        WorkspaceInfo workspace = layerGroupInfo.getWorkspace();
        if (workspace == null) {
            return new String[] {layerGroupInfo.getName()};
        }
        return new String[] {workspace.getName(), layerGroupInfo.getName()};
    }

    /**
     * Builds a catalog filter selecting the objects of the given type that the user may see.
     *
     * <p>In CHALLENGE mode, and for types not handled below, the filter is delegated to
     * {@code InMemorySecurityFilter}. Otherwise the filter is derived from the authorization tree:
     * the decision on the root node is the default, and every child node whose decision differs
     * contributes an exception to it (exclusions AND-ed together when the default is "allow",
     * inclusions OR-ed together when the default is "deny").
     *
     * <p>NOTE(review): this method reads {@code root} without calling
     * {@code checkPropertyFile()}, unlike the public {@code canAccess} methods; confirm that a
     * filter built from a tree predating a rule change is acceptable.
     *
     * @param authentication the user the filter is built for
     * @param cls the catalog type being filtered
     * @return the filter, {@code Filter.INCLUDE} or {@code Filter.EXCLUDE} when no node differs
     *     from the root decision
     */
    @Override // org.geoserver.security.ResourceAccessManager
    public Filter getSecurityFilter(Authentication authentication, Class<? extends CatalogInfo> cls) {
        if (getMode() == CatalogMode.CHALLENGE) {
            return InMemorySecurityFilter.buildUserAccessFilter(this, authentication);
        }
        if (WorkspaceInfo.class.isAssignableFrom(cls)) {
            // Workspaces: compare each first-level node with the root decision, matching on "name".
            boolean canAccess = canAccess(authentication, this.root);
            ArrayList arrayList = new ArrayList();
            for (Map.Entry<String, SecureTreeNode> entry : this.root.getChildren().entrySet()) {
                String key = entry.getKey();
                if (canAccess(authentication, entry.getValue()) != canAccess) {
                    if (canAccess) {
                        arrayList.add(Predicates.notEqual("name", key));
                    } else {
                        arrayList.add(Predicates.equal("name", key));
                    }
                }
            }
            return arrayList.isEmpty() ? canAccess ? Filter.INCLUDE : Filter.EXCLUDE : canAccess ? Predicates.and(arrayList) : Predicates.or(arrayList);
        }
        if (!PublishedInfo.class.isAssignableFrom(cls) && !ResourceInfo.class.isAssignableFrom(cls) && !CoverageInfo.class.isAssignableFrom(cls)) {
            if (!StyleInfo.class.isAssignableFrom(cls) && !LayerGroupInfo.class.isAssignableFrom(cls)) {
                return InMemorySecurityFilter.buildUserAccessFilter(this, authentication);
            }
            // Same first-level comparison as for workspaces, matching on "workspace.name".
            boolean canAccess2 = canAccess(authentication, this.root);
            ArrayList arrayList2 = new ArrayList();
            for (Map.Entry<String, SecureTreeNode> entry2 : this.root.getChildren().entrySet()) {
                String key2 = entry2.getKey();
                if (canAccess(authentication, entry2.getValue()) != canAccess2) {
                    if (canAccess2) {
                        arrayList2.add(Predicates.notEqual("workspace.name", key2));
                    } else {
                        arrayList2.add(Predicates.equal("workspace.name", key2));
                    }
                }
            }
            return arrayList2.isEmpty() ? canAccess2 ? Filter.INCLUDE : Filter.EXCLUDE : canAccess2 ? Predicates.and(arrayList2) : Predicates.or(arrayList2);
        }
        // Published/resource types: two levels are inspected, first-level nodes and their children.
        boolean canAccess3 = canAccess(authentication, this.root);
        ArrayList arrayList3 = new ArrayList();
        // Property path leading from the filtered type to its workspace name.
        String str = LayerGroupInfo.class.isAssignableFrom(cls) ? "workspace.name" : PublishedInfo.class.isAssignableFrom(cls) ? "resource.store.workspace.name" : "store.workspace.name";
        for (Map.Entry<String, SecureTreeNode> entry3 : this.root.getChildren().entrySet()) {
            String key3 = entry3.getKey();
            SecureTreeNode value = entry3.getValue();
            boolean canAccess4 = canAccess(authentication, value);
            // Exceptions to the first-level decision contributed by second-level nodes.
            ArrayList arrayList4 = new ArrayList();
            for (Map.Entry<String, SecureTreeNode> entry4 : value.getChildren().entrySet()) {
                String key4 = entry4.getKey();
                SecureTreeNode value2 = entry4.getValue();
                // NOTE(review): the separator comes from a password-encoder constant, which looks
                // like the decompiler substituting a same-valued constant; confirm the literal
                // used to build prefixed names.
                String str2 = key3 + GeoServerPasswordEncoder.PREFIX_DELIMTER + key4;
                // A null type filter means the prefixed name matches neither a layer nor a layer
                // group in the catalog, and the node is ignored.
                Filter typeFilter = getTypeFilter(str2, cls);
                if (typeFilter != null && canAccess(authentication, value2) != canAccess4) {
                    if (canAccess4) {
                        arrayList4.add(Predicates.not(Predicates.and(typeFilter, Predicates.equal("prefixedName", str2))));
                    } else {
                        arrayList4.add(Predicates.and(typeFilter, Predicates.equal("prefixedName", str2)));
                    }
                }
            }
            // Exception to the root decision contributed by the first-level node itself.
            Filter filter = null;
            if (canAccess3 && !canAccess4) {
                filter = Predicates.notEqual(str, key3);
            } else if (!canAccess3 && canAccess4) {
                filter = Predicates.equal(str, key3);
            }
            if (!arrayList4.isEmpty()) {
                // The first-level filter joins the second-level ones under the same AND/OR.
                if (filter != null) {
                    arrayList4.add(filter);
                }
                arrayList3.add(canAccess4 ? Predicates.and(arrayList4) : Predicates.or(arrayList4));
            } else if (filter != null) {
                arrayList3.add(filter);
            }
        }
        return arrayList3.isEmpty() ? canAccess3 ? Filter.INCLUDE : Filter.EXCLUDE : canAccess3 ? Predicates.and(arrayList3) : Predicates.or(arrayList3);
    }

    /**
     * Returns an instance-of filter for the catalog object the name resolves to.
     *
     * <p>A name matching a layer yields a filter on {@code LayerInfo} when the requested type is
     * exactly {@code PublishedInfo}, and on the requested type otherwise. A name matching a layer
     * group yields a filter on {@code LayerGroupInfo}. Layers are looked up before layer groups.
     *
     * @return the filter, or {@code null} when the name matches neither
     */
    private Filter getTypeFilter(String str, Class<?> cls) {
        if (rawCatalog.getLayerByName(str) != null) {
            if (cls.equals(PublishedInfo.class)) {
                return Predicates.isInstanceOf(LayerInfo.class);
            }
            return Predicates.isInstanceOf(cls);
        }
        return rawCatalog.getLayerGroupByName(str) != null ? Predicates.isInstanceOf(LayerGroupInfo.class) : null;
    }

    /**
     * Evaluates a tree node for filter building: READ must be granted, and while an admin request
     * is in progress ADMIN must be granted as well.
     */
    private boolean canAccess(Authentication authentication, SecureTreeNode secureTreeNode) {
        boolean readable = secureTreeNode.canAccess(authentication, AccessMode.READ);
        if (readable && AdminRequest.get() != null) {
            return secureTreeNode.canAccess(authentication, AccessMode.ADMIN);
        }
        return readable;
    }

    /** Computes the layer's access limits as a direct access, i.e. with no containing groups. */
    @Override // org.geoserver.security.ResourceAccessManager
    public DataAccessLimits getAccessLimits(Authentication authentication, LayerInfo layerInfo) {
        List<LayerGroupInfo> noContainers = Collections.emptyList();
        return getAccessLimits(authentication, layerInfo, noContainers);
    }

    /** Computes the group's access limits as a direct access, i.e. with no containing groups. */
    @Override // org.geoserver.security.ResourceAccessManager
    public LayerGroupAccessLimits getAccessLimits(Authentication authentication, LayerGroupInfo layerGroupInfo) {
        List<LayerGroupInfo> noContainers = Collections.emptyList();
        return getAccessLimits(authentication, layerGroupInfo, noContainers);
    }
}
