package it.geosolutions.georepository;

import com.vividsolutions.jts.geom.Geometry;
import com.vividsolutions.jts.geom.MultiPolygon;
import it.geosolutions.georepo.core.model.LayerAttribute;
import it.geosolutions.georepo.core.model.enums.AccessType;
import it.geosolutions.georepo.core.model.enums.GrantType;
import it.geosolutions.georepo.services.RuleReaderService;
import it.geosolutions.georepo.services.dto.AccessInfo;
import it.geosolutions.georepo.services.dto.RuleFilter;
import java.io.IOException;
import java.net.InetAddress;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import org.geoserver.catalog.Catalog;
import org.geoserver.catalog.CoverageInfo;
import org.geoserver.catalog.FeatureTypeInfo;
import org.geoserver.catalog.LayerInfo;
import org.geoserver.catalog.ResourceInfo;
import org.geoserver.catalog.StyleInfo;
import org.geoserver.catalog.WMSLayerInfo;
import org.geoserver.catalog.WorkspaceInfo;
import org.geoserver.ows.Dispatcher;
import org.geoserver.ows.DispatcherCallback;
import org.geoserver.ows.Request;
import org.geoserver.ows.Response;
import org.geoserver.ows.util.KvpUtils;
import org.geoserver.platform.Operation;
import org.geoserver.platform.Service;
import org.geoserver.platform.ServiceException;
import org.geoserver.security.CatalogMode;
import org.geoserver.security.CoverageAccessLimits;
import org.geoserver.security.DataAccessLimits;
import org.geoserver.security.ResourceAccessManager;
import org.geoserver.security.VectorAccessLimits;
import org.geoserver.security.WMSAccessLimits;
import org.geoserver.security.WorkspaceAccessLimits;
import org.geoserver.wms.GetFeatureInfoRequest;
import org.geoserver.wms.GetLegendGraphicRequest;
import org.geoserver.wms.GetMapRequest;
import org.geoserver.wms.MapLayerInfo;
import org.geotools.factory.CommonFactoryFinder;
import org.geotools.factory.Hints;
import org.geotools.filter.text.cql2.CQLException;
import org.geotools.filter.text.ecql.ECQL;
import org.geotools.geometry.jts.JTS;
import org.geotools.referencing.CRS;
import org.geotools.util.Converters;
import org.geotools.util.logging.Logging;
import org.opengis.filter.Filter;
import org.opengis.filter.FilterFactory2;
import org.opengis.filter.IncludeFilter;
import org.opengis.filter.expression.PropertyName;
import org.opengis.filter.spatial.Intersects;
import org.opengis.parameter.GeneralParameterValue;
import org.opengis.referencing.crs.CoordinateReferenceSystem;
import org.springframework.security.Authentication;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.anonymous.AnonymousAuthenticationToken;

/* loaded from: input_file:it/geosolutions/georepository/GeorepositoryAccessManager.class */
public class GeorepositoryAccessManager implements ResourceAccessManager, DispatcherCallback {
    static final String ROOT_ROLE = "ROLE_ADMINISTRATOR";
    CatalogMode catalogMode = CatalogMode.HIDE;
    RuleReaderService rules;
    Catalog catalog;
    String instanceName;
    static final Logger LOGGER = Logging.getLogger(GeorepositoryAccessManager.class);
    static final FilterFactory2 FF = CommonFactoryFinder.getFilterFactory2((Hints) null);

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:it/geosolutions/georepository/GeorepositoryAccessManager$PropertyAccessMode.class */
    public enum PropertyAccessMode {
        READ,
        WRITE
    }

    public GeorepositoryAccessManager(RuleReaderService ruleReaderService, Catalog catalog, String str) {
        this.rules = ruleReaderService;
        this.catalog = catalog;
        this.instanceName = str;
        LOGGER.log(Level.INFO, "Initializing the GeoRepository access manager with instance name {0}", str);
    }

    boolean isAdmin(Authentication authentication) {
        if (authentication.getAuthorities() == null) {
            return false;
        }
        for (GrantedAuthority grantedAuthority : authentication.getAuthorities()) {
            if (ROOT_ROLE.equals(grantedAuthority.getAuthority())) {
                return true;
            }
        }
        return false;
    }

    public WorkspaceAccessLimits getAccessLimits(Authentication authentication, WorkspaceInfo workspaceInfo) {
        LOGGER.log(Level.FINE, "Getting access limits for workspace {0}", workspaceInfo.getName());
        String str = null;
        if (authentication != null && !(authentication instanceof AnonymousAuthenticationToken)) {
            if (isAdmin(authentication)) {
                LOGGER.log(Level.FINE, "Admin level access, returning full rights for workspace {0}" + workspaceInfo.getName());
                return buildAccessLimits(workspaceInfo, AccessInfo.ALLOW_ALL);
            }
            str = authentication.getName();
        }
        String str2 = null;
        String str3 = null;
        Request request = (Request) Dispatcher.REQUEST.get();
        if (request != null) {
            str2 = request.getService();
            str3 = request.getRequest();
        }
        RuleFilter ruleFilter = new RuleFilter(RuleFilter.SpecialFilterType.ANY);
        if (str == null) {
            ruleFilter.setUser(RuleFilter.SpecialFilterType.DEFAULT);
        } else {
            ruleFilter.setUser(str);
        }
        ruleFilter.setInstance(this.instanceName);
        if (str2 != null) {
            if ("*".equals(str2)) {
                ruleFilter.setService(RuleFilter.SpecialFilterType.ANY);
            } else {
                ruleFilter.setService(str2);
            }
        }
        if (str3 != null) {
            if ("*".equals(str3)) {
                ruleFilter.setRequest(RuleFilter.SpecialFilterType.ANY);
            } else {
                ruleFilter.setRequest(str3);
            }
        }
        ruleFilter.setWorkspace(workspaceInfo.getName());
        ruleFilter.setSourceAddress(getSourceAddress(request));
        AccessInfo accessInfo = this.rules.getAccessInfo(ruleFilter);
        if (accessInfo == null) {
            accessInfo = AccessInfo.DENY_ALL;
        }
        WorkspaceAccessLimits buildAccessLimits = buildAccessLimits(workspaceInfo, accessInfo);
        LOGGER.log(Level.SEVERE, "Returning {0} for workspace {1} and user {2}", new Object[]{buildAccessLimits, workspaceInfo.getName(), str});
        return buildAccessLimits;
    }

    InetAddress getSourceAddress(Request request) {
        if (request == null) {
            return null;
        }
        try {
            HttpServletRequest httpRequest = request.getHttpRequest();
            String header = httpRequest.getHeader("X-Forwarded-For");
            return header != null ? InetAddress.getByName(header.split(", ")[0]) : InetAddress.getByName(httpRequest.getRemoteAddr());
        } catch (Exception e) {
            LOGGER.log(Level.INFO, "Failed to get remote address", (Throwable) e);
            return null;
        }
    }

    private WorkspaceAccessLimits buildAccessLimits(WorkspaceInfo workspaceInfo, AccessInfo accessInfo) {
        if (accessInfo == null) {
            return new WorkspaceAccessLimits(this.catalogMode, true, true);
        }
        return new WorkspaceAccessLimits(this.catalogMode, accessInfo.getGrant() == GrantType.ALLOW, accessInfo.getGrant() == GrantType.ALLOW);
    }

    public DataAccessLimits getAccessLimits(Authentication authentication, LayerInfo layerInfo) {
        return getAccessLimits(authentication, layerInfo.getResource());
    }

    public DataAccessLimits getAccessLimits(Authentication authentication, ResourceInfo resourceInfo) {
        String str = null;
        if (authentication != null && !(authentication instanceof AnonymousAuthenticationToken)) {
            if (isAdmin(authentication)) {
                LOGGER.log(Level.FINE, "Admin level access, returning full rights for layer {0}" + resourceInfo.getPrefixedName());
                return buildAccessLimits(resourceInfo, AccessInfo.ALLOW_ALL);
            }
            str = authentication.getName();
        }
        String str2 = "*";
        String str3 = "*";
        Request request = (Request) Dispatcher.REQUEST.get();
        if (request != null) {
            str2 = request.getService();
            str3 = request.getRequest();
        }
        String name = resourceInfo.getName();
        String name2 = resourceInfo.getStore().getWorkspace().getName();
        RuleFilter ruleFilter = new RuleFilter(RuleFilter.SpecialFilterType.ANY);
        if (str == null) {
            ruleFilter.setUser(RuleFilter.SpecialFilterType.DEFAULT);
        } else {
            ruleFilter.setUser(str);
        }
        ruleFilter.setInstance(this.instanceName);
        if (str2 != null) {
            if ("*".equals(str2)) {
                ruleFilter.setService(RuleFilter.SpecialFilterType.ANY);
            } else {
                ruleFilter.setService(str2);
            }
        }
        if (str3 != null) {
            if ("*".equals(str3)) {
                ruleFilter.setRequest(RuleFilter.SpecialFilterType.ANY);
            } else {
                ruleFilter.setRequest(str3);
            }
        }
        ruleFilter.setWorkspace(name2);
        ruleFilter.setLayer(name);
        ruleFilter.setSourceAddress(getSourceAddress(request));
        AccessInfo accessInfo = this.rules.getAccessInfo(ruleFilter);
        if (accessInfo == null) {
            accessInfo = AccessInfo.DENY_ALL;
        }
        DataAccessLimits buildAccessLimits = buildAccessLimits(resourceInfo, accessInfo);
        LOGGER.log(Level.FINE, "Returning {0} for layer {1} and user {2}", new Object[]{buildAccessLimits, resourceInfo.getPrefixedName(), str});
        return buildAccessLimits;
    }

    DataAccessLimits buildAccessLimits(ResourceInfo resourceInfo, AccessInfo accessInfo) {
        IncludeFilter includeFilter = accessInfo.getGrant() == GrantType.ALLOW ? Filter.INCLUDE : Filter.EXCLUDE;
        IncludeFilter includeFilter2 = accessInfo.getGrant() == GrantType.ALLOW ? Filter.INCLUDE : Filter.EXCLUDE;
        try {
            if (accessInfo.getCqlFilterRead() != null) {
                includeFilter = ECQL.toFilter(accessInfo.getCqlFilterRead());
            }
            if (accessInfo.getCqlFilterWrite() != null) {
                includeFilter2 = ECQL.toFilter(accessInfo.getCqlFilterWrite());
            }
            List<PropertyName> propertyNames = toPropertyNames(accessInfo.getAttributes(), PropertyAccessMode.READ);
            List<PropertyName> propertyNames2 = toPropertyNames(accessInfo.getAttributes(), PropertyAccessMode.WRITE);
            Geometry area = accessInfo.getArea();
            if (area != null && area.getSRID() > 0) {
                try {
                    CoordinateReferenceSystem decode = CRS.decode("EPSG:" + area.getSRID());
                    CoordinateReferenceSystem crs = resourceInfo.getCRS();
                    if (crs != null && !CRS.equalsIgnoreMetadata(decode, crs)) {
                        area = JTS.transform(area, CRS.findMathTransform(decode, crs, true));
                        accessInfo.setArea(area);
                    }
                } catch (Exception e) {
                    throw new RuntimeException("Failed to reproject the restricted area to the layer's native SRS", e);
                }
            }
            if (resourceInfo instanceof FeatureTypeInfo) {
                if (area != null) {
                    Intersects intersects = FF.intersects(FF.property(""), FF.literal(area));
                    includeFilter = mergeFilter(includeFilter, intersects);
                    includeFilter2 = mergeFilter(includeFilter2, intersects);
                }
                return new VectorAccessLimits(this.catalogMode, propertyNames, includeFilter, propertyNames2, includeFilter2);
            }
            if (resourceInfo instanceof CoverageInfo) {
                return new CoverageAccessLimits(this.catalogMode, includeFilter, buildRasterFilter(accessInfo), (GeneralParameterValue[]) null);
            }
            if (resourceInfo instanceof WMSLayerInfo) {
                return new WMSAccessLimits(this.catalogMode, includeFilter, buildRasterFilter(accessInfo), true);
            }
            throw new IllegalArgumentException("Don't know how to handle resource " + resourceInfo);
        } catch (CQLException e2) {
            throw new IllegalArgumentException("Invalid cql filter found: " + e2.getMessage(), e2);
        }
    }

    private MultiPolygon buildRasterFilter(AccessInfo accessInfo) {
        MultiPolygon multiPolygon = null;
        if (accessInfo.getArea() != null) {
            multiPolygon = (MultiPolygon) Converters.convert(accessInfo.getArea(), MultiPolygon.class);
            if (multiPolygon == null) {
                throw new RuntimeException("Error applying security rules, cannot convert the GeoRepository area restriction " + accessInfo.getArea() + " to a multi-polygon");
            }
        }
        return multiPolygon;
    }

    private Filter mergeFilter(Filter filter, Filter filter2) {
        return (filter == null || filter == Filter.INCLUDE) ? filter2 : filter == Filter.EXCLUDE ? filter : FF.and(filter, filter2);
    }

    private List<PropertyName> toPropertyNames(Set<LayerAttribute> set, PropertyAccessMode propertyAccessMode) {
        if (set == null || set.size() == 0) {
            return null;
        }
        ArrayList arrayList = new ArrayList();
        for (LayerAttribute layerAttribute : set) {
            if (layerAttribute.getAccess() == AccessType.READWRITE || (propertyAccessMode == PropertyAccessMode.READ && layerAttribute.getAccess() == AccessType.READONLY)) {
                arrayList.add(FF.property(layerAttribute.getName()));
            }
        }
        return arrayList;
    }

    public void finished(Request request) {
    }

    public Request init(Request request) {
        return request;
    }

    public Operation operationDispatched(Request request, Operation operation) {
        GetMapRequest getMapRequest;
        String service = request.getService();
        String request2 = request.getRequest();
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        String str = null;
        if (authentication != null && !(authentication instanceof AnonymousAuthenticationToken)) {
            if (isAdmin(authentication)) {
                LOGGER.log(Level.FINE, "Admin level access, no applying default style for this request");
                return operation;
            }
            str = authentication.getName();
        }
        if (request2 != null && "WMS".equalsIgnoreCase(service) && ("GetMap".equalsIgnoreCase(request2) || "GetFeatureInfo".equalsIgnoreCase(request2))) {
            Object obj = operation.getParameters()[0];
            if (obj instanceof GetMapRequest) {
                getMapRequest = (GetMapRequest) obj;
            } else {
                if (!(obj instanceof GetFeatureInfoRequest)) {
                    throw new ServiceException("Unrecognized request object: " + obj);
                }
                getMapRequest = ((GetFeatureInfoRequest) obj).getGetMapRequest();
            }
            overrideGetMapRequest(request, service, request2, str, getMapRequest);
        } else if (request2 != null && "WMS".equalsIgnoreCase(service) && "GetLegendGraphic".equalsIgnoreCase(request2)) {
            overrideGetLegendGraphicRequest(request, operation, service, request2, str);
        }
        return operation;
    }

    void overrideGetLegendGraphicRequest(Request request, Operation operation, String str, String str2, String str3) {
        ResourceInfo resource = this.catalog.getLayerByName((String) request.getKvp().get("LAYER")).getResource();
        RuleFilter ruleFilter = new RuleFilter(RuleFilter.SpecialFilterType.ANY);
        ruleFilter.setUser(str3);
        ruleFilter.setInstance(this.instanceName);
        ruleFilter.setService(str);
        ruleFilter.setRequest(str2);
        ruleFilter.setWorkspace(resource.getStore().getWorkspace().getName());
        ruleFilter.setLayer(resource.getName());
        AccessInfo accessInfo = this.rules.getAccessInfo(ruleFilter);
        GetLegendGraphicRequest getLegendGraphicRequest = (GetLegendGraphicRequest) operation.getParameters()[0];
        String str4 = (String) request.getKvp().get("STYLE");
        if (str4 != null) {
            checkStyleAllowed(accessInfo, str4);
            return;
        }
        if (accessInfo.getDefaultStyle() != null) {
            try {
                StyleInfo styleByName = this.catalog.getStyleByName(accessInfo.getDefaultStyle());
                if (styleByName == null) {
                    throw new ServiceException("Could not find default style suggested by GeoRepository: " + accessInfo.getDefaultStyle());
                }
                getLegendGraphicRequest.setStyle(styleByName.getStyle());
            } catch (IOException e) {
                throw new ServiceException("Unable to load the style suggested by GeoRepository: " + accessInfo.getDefaultStyle(), e);
            }
        }
    }

    private void overrideGetMapRequest(Request request, String str, String str2, String str3, GetMapRequest getMapRequest) {
        if (getMapRequest.getSld() != null || getMapRequest.getSldBody() != null) {
            throw new ServiceException("Dynamic style usage is forbidden");
        }
        if (request.getKvp().get("layers") == null) {
            throw new ServiceException("GetMap POST requests are forbidden");
        }
        String str4 = (String) request.getRawKvp().get("STYLES");
        ArrayList arrayList = new ArrayList();
        if (str4 != null) {
            arrayList.addAll(KvpUtils.readFlat(str4));
        }
        List layers = getMapRequest.getLayers();
        for (int i = 0; i < layers.size(); i++) {
            ResourceInfo resource = ((MapLayerInfo) layers.get(i)).getResource();
            if (resource == null) {
                throw new ServiceException("Remote layers are not allowed");
            }
            RuleFilter ruleFilter = new RuleFilter(RuleFilter.SpecialFilterType.ANY);
            ruleFilter.setUser(str3);
            ruleFilter.setInstance(this.instanceName);
            ruleFilter.setService(str);
            ruleFilter.setRequest(str2);
            ruleFilter.setWorkspace(resource.getStore().getWorkspace().getName());
            ruleFilter.setLayer(resource.getName());
            AccessInfo accessInfo = this.rules.getAccessInfo(ruleFilter);
            String str5 = arrayList.size() > 0 ? (String) arrayList.get(i) : null;
            if (str5 != null || accessInfo.getDefaultStyle() == null) {
                checkStyleAllowed(accessInfo, str5);
            } else {
                try {
                    StyleInfo styleByName = this.catalog.getStyleByName(accessInfo.getDefaultStyle());
                    if (styleByName == null) {
                        throw new ServiceException("Could not find default style suggested by GeoRepository: " + accessInfo.getDefaultStyle());
                    }
                    getMapRequest.getStyles().set(i, styleByName.getStyle());
                } catch (IOException e) {
                    throw new ServiceException("Unable to load the style suggested by GeoRepository: " + accessInfo.getDefaultStyle(), e);
                }
            }
        }
    }

    private void checkStyleAllowed(AccessInfo accessInfo, String str) {
        HashSet hashSet = new HashSet();
        if (accessInfo.getDefaultStyle() != null) {
            hashSet.add(accessInfo.getDefaultStyle());
        }
        if (accessInfo.getAllowedStyles() != null) {
            hashSet.addAll(accessInfo.getAllowedStyles());
        }
        if (hashSet.size() > 0 && !hashSet.contains(str)) {
            throw new ServiceException("The '" + str + "' style is not available on this layer");
        }
    }

    public Object operationExecuted(Request request, Operation operation, Object obj) {
        return obj;
    }

    public Response responseDispatched(Request request, Operation operation, Object obj, Response response) {
        return response;
    }

    public Service serviceDispatched(Request request, Service service) throws ServiceException {
        return service;
    }
}
