package org.geoserver.geofence;

import java.io.IOException;
import java.net.InetAddress;
import java.net.URL;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang.StringUtils;
import org.geoserver.catalog.Catalog;
import org.geoserver.catalog.CatalogInfo;
import org.geoserver.catalog.CoverageInfo;
import org.geoserver.catalog.FeatureTypeInfo;
import org.geoserver.catalog.LayerGroupInfo;
import org.geoserver.catalog.LayerInfo;
import org.geoserver.catalog.Predicates;
import org.geoserver.catalog.ResourceInfo;
import org.geoserver.catalog.StyleInfo;
import org.geoserver.catalog.WMSLayerInfo;
import org.geoserver.catalog.WMTSLayerInfo;
import org.geoserver.catalog.WorkspaceInfo;
import org.geoserver.catalog.impl.LocalWorkspaceCatalog;
import org.geoserver.geofence.ContainerLimitResolver;
import org.geoserver.geofence.config.GeoFenceConfiguration;
import org.geoserver.geofence.config.GeoFenceConfigurationManager;
import org.geoserver.geofence.core.model.LayerAttribute;
import org.geoserver.geofence.core.model.enums.AccessType;
import org.geoserver.geofence.core.model.enums.GrantType;
import org.geoserver.geofence.services.RuleReaderService;
import org.geoserver.geofence.services.dto.AccessInfo;
import org.geoserver.geofence.services.dto.CatalogModeDTO;
import org.geoserver.geofence.services.dto.RuleFilter;
import org.geoserver.ows.Dispatcher;
import org.geoserver.ows.DispatcherCallback;
import org.geoserver.ows.Request;
import org.geoserver.ows.Response;
import org.geoserver.ows.util.KvpUtils;
import org.geoserver.platform.ExtensionPriority;
import org.geoserver.platform.Operation;
import org.geoserver.platform.Service;
import org.geoserver.platform.ServiceException;
import org.geoserver.security.AccessLimits;
import org.geoserver.security.CatalogMode;
import org.geoserver.security.CoverageAccessLimits;
import org.geoserver.security.DataAccessLimits;
import org.geoserver.security.LayerGroupAccessLimits;
import org.geoserver.security.ResourceAccessManager;
import org.geoserver.security.StyleAccessLimits;
import org.geoserver.security.VectorAccessLimits;
import org.geoserver.security.WMSAccessLimits;
import org.geoserver.security.WMTSAccessLimits;
import org.geoserver.security.WorkspaceAccessLimits;
import org.geoserver.security.impl.GeoServerRole;
import org.geoserver.security.impl.LayerGroupContainmentCache;
import org.geoserver.wms.GetFeatureInfoRequest;
import org.geoserver.wms.GetLegendGraphicRequest;
import org.geoserver.wms.GetMapRequest;
import org.geoserver.wms.MapLayerInfo;
import org.geoserver.wms.WMS;
import org.geoserver.wms.map.GetMapKvpRequestReader;
import org.geotools.factory.CommonFactoryFinder;
import org.geotools.filter.text.cql2.CQLException;
import org.geotools.filter.text.ecql.ECQL;
import org.geotools.util.Converters;
import org.geotools.util.factory.Hints;
import org.geotools.util.logging.Logging;
import org.locationtech.jts.geom.Geometry;
import org.locationtech.jts.geom.MultiPolygon;
import org.opengis.filter.Filter;
import org.opengis.filter.FilterFactory2;
import org.opengis.filter.IncludeFilter;
import org.opengis.filter.expression.PropertyName;
import org.opengis.parameter.GeneralParameterValue;
import org.opengis.referencing.crs.CoordinateReferenceSystem;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.context.request.RequestContextHolder;

/* loaded from: input_file:org/geoserver/geofence/GeofenceAccessManager.class */
public class GeofenceAccessManager implements ResourceAccessManager, DispatcherCallback, ExtensionPriority {
    // Authority name that isAdmin() accepts as full administrator, next to GeoServerRole.ADMIN_ROLE.
    static final String ROOT_ROLE = "ROLE_ADMINISTRATOR";
    // Rule service queried for access and admin authorizations.
    RuleReaderService rules;
    // Set by the constructor to a LocalWorkspaceCatalog wrapping the catalog it was given.
    Catalog catalog;
    // Source of the GeoFenceConfiguration read on each authorization decision.
    private final GeoFenceConfigurationManager configurationManager;
    // Used to find the layer groups that contain a resource or group (see getGroupSummary).
    private LayerGroupContainmentCache groupsCache;
    // CRS lookup, WKT area parsing and reprojection for allowed/clip areas.
    private GeoFenceAreaHelper helper = new GeoFenceAreaHelper();
    private static final Logger LOGGER = Logging.getLogger(GeofenceAccessManager.class);
    // Filter factory used to build the spatial and attribute filters in this class.
    static final FilterFactory2 FF = CommonFactoryFinder.getFilterFactory2((Hints) null);
    // Catalog mode used when a rule supplies none, and for every workspace limit built here.
    static final CatalogMode DEFAULT_CATALOG_MODE = CatalogMode.HIDE;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.geoserver.geofence.GeofenceAccessManager$1, reason: invalid class name */
    /* loaded from: input_file:org/geoserver/geofence/GeofenceAccessManager$1.class */
    // Compiler-generated switch map as recovered by the decompiler: it translates
    // CatalogModeDTO ordinals into the case numbers 1..3 used by the switch statements
    // in getCatalogMode() and convert().
    public static /* synthetic */ class AnonymousClass1 {
        // Indexed by CatalogModeDTO.ordinal(); a slot left at 0 matches none of the case labels.
        static final /* synthetic */ int[] $SwitchMap$org$geoserver$geofence$services$dto$CatalogModeDTO = new int[CatalogModeDTO.values().length];

        static {
            // Each constant is mapped in its own try block, so a NoSuchFieldError for one
            // constant leaves only that constant unmapped.
            try {
                $SwitchMap$org$geoserver$geofence$services$dto$CatalogModeDTO[CatalogModeDTO.CHALLENGE.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$geoserver$geofence$services$dto$CatalogModeDTO[CatalogModeDTO.HIDE.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$geoserver$geofence$services$dto$CatalogModeDTO[CatalogModeDTO.MIXED.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/geoserver/geofence/GeofenceAccessManager$LayersParser.class */
    /**
     * {@link GetMapKvpRequestReader} subclass held as a lazily created singleton. It declares
     * {@code parseLayers} as public and reports any parsing failure as a {@link ServiceException}.
     *
     * <p>The lazy initialisation is not synchronized, so concurrent first calls to
     * {@link #getInstance()} may each construct an instance.
     */
    public static final class LayersParser extends GetMapKvpRequestReader {
        private static LayersParser singleton = null;

        /** Returns the shared parser, constructing it on first use. */
        public static LayersParser getInstance() {
            if (singleton != null) {
                return singleton;
            }
            singleton = new LayersParser();
            return singleton;
        }

        /** Builds the reader on top of the WMS instance returned by {@code WMS.get()}. */
        private LayersParser() {
            super(WMS.get());
        }

        /**
         * Delegates to the superclass layer parsing.
         *
         * @throws ServiceException wrapping any exception raised by the superclass
         */
        public List<Object> parseLayers(List<String> list, URL url, String str) {
            List<Object> parsed;
            try {
                parsed = super.parseLayers(list, url, str);
            } catch (Exception e) {
                throw new ServiceException("Error parsing requested layers.", e);
            }
            return parsed;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/geoserver/geofence/GeofenceAccessManager$PropertyAccessMode.class */
    // Selects which attribute list toPropertyNames() builds.
    public enum PropertyAccessMode {
        // Includes READONLY and READWRITE attributes.
        READ,
        // Includes READWRITE attributes only.
        WRITE
    }

    /**
     * Creates the access manager.
     *
     * @param ruleReaderService rule service used for every authorization lookup
     * @param catalog raw catalog; stored wrapped in a {@link LocalWorkspaceCatalog}, and also used
     *     unwrapped to build the layer group containment cache
     * @param geoFenceConfigurationManager provider of the GeoFence configuration
     */
    public GeofenceAccessManager(RuleReaderService ruleReaderService, Catalog catalog, GeoFenceConfigurationManager geoFenceConfigurationManager) {
        this.rules = ruleReaderService;
        this.catalog = new LocalWorkspaceCatalog(catalog);
        this.configurationManager = geoFenceConfigurationManager;
        this.groupsCache = new LayerGroupContainmentCache(catalog);
    }

    /** Replaces the layer group containment cache created by the constructor. */
    public void setGroupsCache(LayerGroupContainmentCache layerGroupContainmentCache) {
        this.groupsCache = layerGroupContainmentCache;
    }

    /**
     * Tells whether the authentication carries an administrator authority.
     *
     * <p>A match on either {@code ROOT_ROLE} or the authority name of
     * {@code GeoServerRole.ADMIN_ROLE} is enough; callers in this class then skip rule
     * evaluation and grant full rights.
     *
     * @param authentication the caller's authentication; must not be null
     * @return {@code true} when one of the granted authorities is an administrator role,
     *     {@code false} otherwise or when the authority collection is null
     */
    boolean isAdmin(Authentication authentication) {
        if (authentication.getAuthorities() == null) {
            return false;
        }
        for (GrantedAuthority granted : authentication.getAuthorities()) {
            String roleName = granted.getAuthority();
            if (ROOT_ROLE.equals(roleName)) {
                return true;
            }
            if (GeoServerRole.ADMIN_ROLE.getAuthority().equals(roleName)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Computes the workspace-level limits for a caller.
     *
     * <ul>
     *   <li>No authentication or an anonymous token: readable, not writable.
     *   <li>Administrator: readable and writable.
     *   <li>Any other authenticated user: readable; writable according to the
     *       {@code grantWriteToWorkspacesToAuthenticatedUsers} configuration flag; workspace
     *       admin rights according to {@code isWorkspaceAdmin}.
     * </ul>
     *
     * The catalog mode is always {@code DEFAULT_CATALOG_MODE}.
     */
    public WorkspaceAccessLimits getAccessLimits(Authentication authentication, WorkspaceInfo workspaceInfo) {
        String workspaceName = workspaceInfo.getName();
        LOGGER.log(Level.FINE, "Getting access limits for workspace {0}", workspaceName);

        boolean anonymous = authentication == null || authentication instanceof AnonymousAuthenticationToken;
        if (anonymous) {
            return new WorkspaceAccessLimits(DEFAULT_CATALOG_MODE, true, false);
        }

        if (!isAdmin(authentication)) {
            // Write access for ordinary users is a configuration switch, not a per-rule decision.
            boolean writable = this.configurationManager.getConfiguration().isGrantWriteToWorkspacesToAuthenticatedUsers();
            boolean adminable = isWorkspaceAdmin(authentication, workspaceName);
            return new WorkspaceAccessLimits(DEFAULT_CATALOG_MODE, true, writable, adminable);
        }

        LOGGER.log(Level.FINE, "Admin level access, returning full rights for workspace {0}", workspaceName);
        return new WorkspaceAccessLimits(DEFAULT_CATALOG_MODE, true, true);
    }

    /**
     * Asks the rule service whether the caller has admin rights on a workspace.
     *
     * <p>The filter carries the user name (or the DEFAULT filter when the name is missing), the
     * configured instance name, the workspace and the caller's source address. When no source
     * address can be determined the DEFAULT address filter is used.
     *
     * @param authentication the caller
     * @param str the workspace name
     * @return the admin-rights flag of the {@link AccessInfo} returned by the rule service
     */
    private boolean isWorkspaceAdmin(Authentication authentication, String str) {
        LOGGER.log(Level.FINE, "Getting admin auth for Workspace {0}", str);

        String userName = getUserNameFromAuth(authentication);
        RuleFilter adminFilter;
        if (userName == null) {
            adminFilter = new RuleFilter(RuleFilter.SpecialFilterType.DEFAULT);
        } else {
            adminFilter = new RuleFilter(RuleFilter.SpecialFilterType.ANY);
            adminFilter.setUser(userName);
        }
        adminFilter.setInstance(this.configurationManager.getConfiguration().getInstanceName());
        adminFilter.setWorkspace(str);

        String callerAddress = retrieveCallerIpAddress();
        if (callerAddress == null) {
            LOGGER.log(Level.WARNING, "No source IP address found");
            adminFilter.setSourceAddress(RuleFilter.SpecialFilterType.DEFAULT);
        } else {
            adminFilter.setSourceAddress(callerAddress);
        }

        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, "AdminAuth filter: {0}", adminFilter);
        }

        AccessInfo adminAuthorization = this.rules.getAdminAuthorization(adminFilter);
        Object[] logArgs = {authentication.getName(), str, Boolean.valueOf(adminAuthorization.getAdminRights())};
        LOGGER.log(Level.FINE, "Admin auth for User:{0} Workspace:{1}: {2}", logArgs);
        return adminAuthorization.getAdminRights();
    }

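    /**
     * Determines the caller address that is later used for IP-based rule matching.
     *
     * <p>When an {@code X-Forwarded-For} header is present its first entry is used, otherwise the
     * remote address of the connection (with IPv6 brackets removed). The header is taken from the
     * request as received: it is only trustworthy when a reverse proxy in front of this service
     * sets or overwrites it, because a direct client can send any value.
     * NOTE(review): nothing in this method checks that the request came through such a proxy;
     * confirm the deployment strips client-supplied {@code X-Forwarded-For} values.
     *
     * <p>Differences from the previous implementation:
     * <ul>
     *   <li>entries are split on {@code ','} and trimmed, so a list written without a space after
     *       the comma is handled;
     *   <li>a blank first entry is treated as "no forwarded address" instead of being passed to
     *       {@code InetAddress.getByName}, which maps an empty name to the loopback address;
     *   <li>only values that look like IP literals are handed to {@code InetAddress.getByName}, so
     *       a host name placed in the header is rejected rather than resolved.
     * </ul>
     *
     * @param httpServletRequest the current HTTP request, may be null
     * @return the textual address, or {@code null} when no request is available or the address
     *     cannot be determined
     */
    String getSourceAddress(HttpServletRequest httpServletRequest) {
        if (httpServletRequest == null) {
            LOGGER.log(Level.WARNING, "No HTTP connection available.");
            return null;
        }
        try {
            String header = httpServletRequest.getHeader("X-Forwarded-For");
            if (header != null) {
                int comma = header.indexOf(',');
                String firstEntry = (comma < 0 ? header : header.substring(0, comma)).trim();
                if (!firstEntry.isEmpty()) {
                    if (!looksLikeIpLiteral(firstEntry)) {
                        LOGGER.log(Level.INFO, "Ignoring X-Forwarded-For entry that is not an IP literal");
                        return null;
                    }
                    return InetAddress.getByName(firstEntry).getHostAddress();
                }
            }
            return httpServletRequest.getRemoteAddr().replaceAll("[\\[\\]]", "");
        } catch (Exception e) {
            LOGGER.log(Level.INFO, "Failed to get remote address", (Throwable) e);
            return null;
        }
    }

    /**
     * Cheap syntactic filter applied before {@code InetAddress.getByName}: accepts dotted-decimal
     * text, or colon-separated hex text with optional brackets and zone id. It does not validate
     * the address; it only keeps host names away from the resolver.
     */
    private static boolean looksLikeIpLiteral(String candidate) {
        if (candidate.indexOf(':') >= 0) {
            return candidate.matches("\\[?[0-9A-Fa-f:.]+(%[0-9A-Za-z]+)?\\]?");
        }
        return candidate.matches("[0-9.]+");
    }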

    /**
     * Finds the caller's address from the current OWS request, falling back to the request bound
     * to the current thread by Spring when no OWS request is being dispatched.
     *
     * @return the address reported by {@code getSourceAddress}, or {@code null} when it cannot be
     *     determined (a warning is logged in that case)
     */
    private String retrieveCallerIpAddress() {
        Request owsRequest = (Request) Dispatcher.REQUEST.get();
        if (owsRequest == null) {
            try {
                String fromSpring = getSourceAddress(RequestContextHolder.currentRequestAttributes().getRequest());
                if (fromSpring == null) {
                    LOGGER.log(Level.WARNING, "Could not retrieve source address with Spring Request");
                }
                return fromSpring;
            } catch (IllegalStateException e) {
                // Thrown when no request attributes are bound to the current thread.
                LOGGER.log(Level.WARNING, "Error retrieving source address with Spring Request: " + e.getMessage());
                return null;
            }
        }

        String fromOws = getSourceAddress(owsRequest.getHttpRequest());
        if (fromOws == null) {
            LOGGER.log(Level.WARNING, "Could not retrieve source address from OWSRequest");
        }
        return fromOws;
    }

    /**
     * Styles are not restricted by this access manager: the method only logs that fact and
     * returns {@code null}, whatever the caller or the style.
     */
    // NOTE(review): presumably a null return means "no limits" to the ResourceAccessManager
    // caller — confirm against the interface contract.
    public StyleAccessLimits getAccessLimits(Authentication authentication, StyleInfo styleInfo) {
        LOGGER.fine("Not limiting styles");
        return null;
    }

    /** Limits for a layer group addressed directly: delegates with an empty container list. */
    public LayerGroupAccessLimits getAccessLimits(Authentication authentication, LayerGroupInfo layerGroupInfo) {
        return getAccessLimits(authentication, layerGroupInfo, Collections.emptyList());
    }

    /** Limits for a layer addressed directly: delegates with an empty container list. */
    public DataAccessLimits getAccessLimits(Authentication authentication, LayerInfo layerInfo) {
        String layerName = layerInfo.getName();
        LOGGER.log(Level.FINE, "Getting access limits for Layer {0}", layerName);
        List<LayerGroupInfo> noContainers = Collections.emptyList();
        return getAccessLimits(authentication, layerInfo, noContainers);
    }

    /**
     * Limits for a resource addressed directly. The rule lookup uses the resource name as layer
     * name and the name of the workspace owning the resource's store.
     */
    public DataAccessLimits getAccessLimits(Authentication authentication, ResourceInfo resourceInfo) {
        String resourceName = resourceInfo.getName();
        LOGGER.log(Level.FINE, "Getting access limits for Resource {0}", resourceName);
        String workspaceName = resourceInfo.getStore().getWorkspace().getName();
        return getAccessLimits(authentication, resourceInfo, resourceName, workspaceName, Collections.emptyList());
    }

    /**
     * Limits for a layer reached through the given containing layer groups.
     *
     * @param list the layer groups the layer is being accessed through; may be empty
     */
    public DataAccessLimits getAccessLimits(Authentication authentication, LayerInfo layerInfo, List<LayerGroupInfo> list) {
        String layerName = layerInfo.getName();
        String workspaceName = layerInfo.getResource().getStore().getWorkspace().getName();
        return getAccessLimits(authentication, layerInfo, layerName, workspaceName, list);
    }

    /**
     * Limits for a layer group reached through the given containing groups. A group without a
     * workspace is looked up with a {@code null} workspace name.
     *
     * @param list the layer groups this group is being accessed through; may be empty
     */
    public LayerGroupAccessLimits getAccessLimits(Authentication authentication, LayerGroupInfo layerGroupInfo, List<LayerGroupInfo> list) {
        WorkspaceInfo owner = layerGroupInfo.getWorkspace();
        String groupName = layerGroupInfo.getName();
        String workspaceName;
        if (owner == null) {
            workspaceName = null;
        } else {
            workspaceName = owner.getName();
        }
        return getAccessLimits(authentication, layerGroupInfo, groupName, workspaceName, list);
    }

    /**
     * Core authorization decision for a layer, resource or layer group.
     *
     * <p>Administrators get unrestricted limits without consulting the rules. Everyone else is
     * evaluated against the rule service using workspace, layer, user and caller address; a null
     * answer from the rule service is treated as DENY_ALL. Layer group containment can then
     * tighten the result (see the inline comments).
     *
     * @param authentication the caller, may be null or anonymous
     * @param catalogInfo the LayerGroupInfo, ResourceInfo or LayerInfo being accessed
     * @param str the layer (or group) name used in the rule filter
     * @param str2 the workspace name used in the rule filter, may be null
     * @param list the containing layer groups the caller came through, may be null or empty
     * @return the limits built from the resulting access info
     */
    private AccessLimits getAccessLimits(Authentication authentication, CatalogInfo catalogInfo, String str, String str2, List<LayerGroupInfo> list) {
        // Authenticated administrators bypass rule evaluation entirely.
        if (authentication != null && !(authentication instanceof AnonymousAuthenticationToken) && isAdmin(authentication)) {
            LOGGER.log(Level.FINE, "Admin level access, returning full rights for layer {0}", str);
            return buildAdminAccessLimits(catalogInfo);
        }
        String retrieveCallerIpAddress = retrieveCallerIpAddress();
        AccessInfo accessInfo = this.rules.getAccessInfo(buildRuleFilter(str2, str, authentication, retrieveCallerIpAddress));
        // Fail closed when the rule service gives no answer.
        if (accessInfo == null) {
            accessInfo = AccessInfo.DENY_ALL;
        }
        Request request = (Request) Dispatcher.REQUEST.get();
        String service = request != null ? request.getService() : null;
        // z: the current request is a WMS request; z2: no containing groups were passed in.
        boolean z = service != null && service.equalsIgnoreCase("WMS");
        boolean z2 = list == null || list.isEmpty();
        ContainerLimitResolver.ProcessingResult processingResult = null;
        if (z2 && z) {
            // Direct WMS access: look at every group that contains this resource or group.
            Collection<LayerGroupContainmentCache.LayerGroupSummary> groupSummary = getGroupSummary(catalogInfo);
            if (groupSummary != null && !groupSummary.isEmpty()) {
                boolean allOpaque = allOpaque(groupSummary);
                if (allOpaque) {
                    // Contained only in opaque groups: direct access is denied.
                    // NOTE(review): this mutates the AccessInfo returned by the rule service (or the
                    // shared AccessInfo.DENY_ALL constant). If the rule service hands out cached or
                    // shared instances the DENY would outlive this call — confirm, or work on a copy.
                    accessInfo.setGrant(GrantType.DENY);
                }
                // Container limits are resolved only when no containing group is SINGLE and
                // at least one is not opaque.
                if (!groupSummary.stream().anyMatch(layerGroupSummary -> {
                    return layerGroupSummary.getMode().equals(LayerGroupInfo.Mode.SINGLE);
                }) && !allOpaque) {
                    processingResult = getContainerResolverResult(catalogInfo, str, str2, this.configurationManager.getConfiguration(), retrieveCallerIpAddress, authentication, null, groupSummary);
                }
            }
        } else if (!z2 && list != null && !list.isEmpty()) {
            // Access through explicit containers: resolve limits against those groups.
            // (The last two conditions repeat !z2.)
            processingResult = getContainerResolverResult(catalogInfo, str, str2, this.configurationManager.getConfiguration(), retrieveCallerIpAddress, authentication, list, null);
        }
        // Anything that is neither a LayerGroupInfo nor a ResourceInfo is cast to LayerInfo.
        AccessLimits buildLayerGroupAccessLimits = catalogInfo instanceof LayerGroupInfo ? buildLayerGroupAccessLimits(accessInfo) : catalogInfo instanceof ResourceInfo ? buildResourceAccessLimits((ResourceInfo) catalogInfo, accessInfo, processingResult) : buildResourceAccessLimits(((LayerInfo) catalogInfo).getResource(), accessInfo, processingResult);
        LOGGER.log(Level.FINE, "Returning {0} for layer {1} and user {2}", new Object[]{buildLayerGroupAccessLimits, str, getUserNameFromAuth(authentication)});
        return buildLayerGroupAccessLimits;
    }

    /**
     * Tells whether every containing group is an opaque container.
     *
     * @return {@code true} when all summaries have mode {@code OPAQUE_CONTAINER}, which is also
     *     the result for an empty collection
     */
    private boolean allOpaque(Collection<LayerGroupContainmentCache.LayerGroupSummary> collection) {
        for (LayerGroupContainmentCache.LayerGroupSummary summary : collection) {
            if (!summary.getMode().equals(LayerGroupInfo.Mode.OPAQUE_CONTAINER)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Builds unrestricted limits (from {@code AccessInfo.ALLOW_ALL}) for an administrator.
     * Anything that is neither a layer group nor a resource is cast to {@link LayerInfo}.
     */
    private AccessLimits buildAdminAccessLimits(CatalogInfo catalogInfo) {
        if (catalogInfo instanceof LayerGroupInfo) {
            return buildLayerGroupAccessLimits(AccessInfo.ALLOW_ALL);
        }
        if (catalogInfo instanceof ResourceInfo) {
            return buildResourceAccessLimits((ResourceInfo) catalogInfo, AccessInfo.ALLOW_ALL, null);
        }
        ResourceInfo layerResource = ((LayerInfo) catalogInfo).getResource();
        return buildResourceAccessLimits(layerResource, AccessInfo.ALLOW_ALL, null);
    }

    /**
     * Extracts the user name from an authentication.
     *
     * @return the name, or {@code null} when the authentication is null or its name is null or empty
     */
    private String getUserNameFromAuth(Authentication authentication) {
        if (authentication == null) {
            return null;
        }
        String userName = authentication.getName();
        boolean missing = userName == null || userName.isEmpty();
        return missing ? null : userName;
    }

    /**
     * Looks up the layer groups that contain the given catalog object. A {@link LayerInfo} is
     * looked up through its resource; anything that is neither a resource nor a layer is cast to
     * {@link LayerGroupInfo}.
     */
    private Collection<LayerGroupContainmentCache.LayerGroupSummary> getGroupSummary(Object obj) {
        if (obj instanceof ResourceInfo) {
            return this.groupsCache.getContainerGroupsFor((ResourceInfo) obj);
        }
        if (obj instanceof LayerInfo) {
            ResourceInfo layerResource = ((LayerInfo) obj).getResource();
            return this.groupsCache.getContainerGroupsFor(layerResource);
        }
        return this.groupsCache.getContainerGroupsFor((LayerGroupInfo) obj);
    }

    /**
     * Fills the user and, when role filtering is configured, the role of a rule filter.
     *
     * <p>With role filtering on and a non-empty configured role list, the caller's authorities
     * are kept when they are listed (or {@code "*"} is listed) and not excluded by a
     * {@code "-ROLE"} entry; the survivors are joined with commas. When none survive the role is
     * set to {@code "UNKNOWN"}. The user is the authentication name, or the DEFAULT filter when
     * the authentication is null or its name is empty.
     */
    private void setRuleFilterUserAndRole(Authentication authentication, RuleFilter ruleFilter) {
        if (authentication == null) {
            LOGGER.log(Level.WARNING, "No user given");
            ruleFilter.setUser(RuleFilter.SpecialFilterType.DEFAULT);
            return;
        }

        GeoFenceConfiguration config = this.configurationManager.getConfiguration();
        if (config.isUseRolesToFilter()) {
            if (config.getRoles().isEmpty()) {
                LOGGER.log(Level.WARNING, "Role filtering requested, but no roles provided. Will only use user authorizations");
            }
            if (LOGGER.isLoggable(Level.FINE)) {
                String found = authentication.getAuthorities().stream()
                        .map(GrantedAuthority::getAuthority)
                        .collect(Collectors.joining(",", "[", "]"));
                LOGGER.log(Level.FINE, "Authorizations found for user {0}: {1}", new Object[]{authentication.getName(), found});
                String allowed = config.getRoles().stream().collect(Collectors.joining(",", "[", "]"));
                LOGGER.log(Level.FINE, "Authorizations allowed: {0}", new Object[]{allowed});
            }
        }

        if (config.isUseRolesToFilter() && !config.getRoles().isEmpty()) {
            boolean acceptAny = config.getRoles().contains("*");

            // Entries written as "-ROLE" exclude ROLE even when "*" or ROLE itself is listed.
            Set<String> excluded = new HashSet<>();
            for (String configured : config.getRoles()) {
                if (configured.startsWith("-")) {
                    excluded.add(configured.substring(1));
                }
            }

            List<String> matched = new ArrayList<>();
            for (GrantedAuthority granted : authentication.getAuthorities()) {
                String roleName = granted.getAuthority();
                boolean listed = acceptAny || config.getRoles().contains(roleName);
                if (listed && !excluded.contains(roleName)) {
                    matched.add(roleName);
                }
            }
            // A placeholder role keeps the filter from being left without a role when nothing matches.
            if (matched.isEmpty()) {
                matched.add("UNKNOWN");
            }

            String joinedRoles = String.join(",", matched);
            LOGGER.log(Level.FINE, "Setting role for filter: {0}", new Object[]{joinedRoles});
            ruleFilter.setRole(joinedRoles);
        }

        String userName = authentication.getName();
        if (!StringUtils.isEmpty(userName)) {
            LOGGER.log(Level.FINE, "Setting user for filter: {0}", new Object[]{userName});
            ruleFilter.setUser(userName);
        } else {
            LOGGER.log(Level.WARNING, "Username is null for user: {0}", new Object[]{authentication});
            ruleFilter.setUser(RuleFilter.SpecialFilterType.DEFAULT);
        }
    }

    /**
     * Translates a GeoFence {@link AccessInfo} into the GeoServer limits object matching the
     * resource type (vector, coverage, cascaded WMS or cascaded WMTS).
     *
     * @param resourceInfo the resource being accessed
     * @param accessInfo the rule evaluation result
     * @param processingResult container-resolved areas and catalog mode; when non-null its areas
     *     replace the ones carried by {@code accessInfo}
     * @return the access limits for the resource
     * @throws IllegalArgumentException when a CQL filter in {@code accessInfo} cannot be parsed,
     *     or when the resource type is not one of the four handled types
     */
    AccessLimits buildResourceAccessLimits(ResourceInfo resourceInfo, AccessInfo accessInfo, ContainerLimitResolver.ProcessingResult processingResult) {
        Geometry reprojectGeometry;
        Geometry reprojectGeometry2;
        VectorAccessLimits wMTSAccessLimits;
        GrantType grant = accessInfo.getGrant();
        // ALLOW and LIMIT start from "include everything"; any other grant starts from "exclude everything".
        boolean z = grant == GrantType.ALLOW || grant == GrantType.LIMIT;
        // includeFilter is the read filter, includeFilter2 the write filter.
        // NOTE(review): both are declared as IncludeFilter here yet are assigned parsed CQL filters
        // below — the declared type looks like a decompiler artefact.
        IncludeFilter includeFilter = z ? Filter.INCLUDE : Filter.EXCLUDE;
        IncludeFilter includeFilter2 = z ? Filter.INCLUDE : Filter.EXCLUDE;
        try {
            // A CQL filter on the rule replaces the default filter for that direction.
            if (accessInfo.getCqlFilterRead() != null) {
                includeFilter = ECQL.toFilter(accessInfo.getCqlFilterRead());
            }
            if (accessInfo.getCqlFilterWrite() != null) {
                includeFilter2 = ECQL.toFilter(accessInfo.getCqlFilterWrite());
            }
            List<PropertyName> propertyNames = toPropertyNames(accessInfo.getAttributes(), PropertyAccessMode.READ);
            List<PropertyName> propertyNames2 = toPropertyNames(accessInfo.getAttributes(), PropertyAccessMode.WRITE);
            // reprojectGeometry is the intersect area, reprojectGeometry2 the clip area.
            if (processingResult != null) {
                reprojectGeometry = processingResult.getIntersectArea();
                reprojectGeometry2 = processingResult.getClipArea();
            } else {
                // No container result: parse the WKT areas from the rule and reproject them
                // to the CRS obtained for the resource.
                CoordinateReferenceSystem cRSFromInfo = this.helper.getCRSFromInfo(resourceInfo);
                reprojectGeometry = this.helper.reprojectGeometry(this.helper.parseAllowedArea(accessInfo.getAreaWkt()), cRSFromInfo);
                reprojectGeometry2 = this.helper.reprojectGeometry(this.helper.parseAllowedArea(accessInfo.getClipAreaWkt()), cRSFromInfo);
            }
            CatalogMode catalogMode = getCatalogMode(accessInfo, processingResult);
            LOGGER.log(Level.FINE, "Returning mode {0} for resource {1}", new Object[]{catalogMode, resourceInfo});
            if (resourceInfo instanceof FeatureTypeInfo) {
                if (reprojectGeometry != null) {
                    // Features must intersect the intersect area or, when present, the clip area;
                    // the same spatial filter is merged into both the read and the write filter.
                    // A clip area alone (no intersect area) adds no spatial filter here.
                    Filter intersects = FF.intersects(FF.property(""), FF.literal(reprojectGeometry));
                    if (reprojectGeometry2 != null) {
                        intersects = FF.or(intersects, FF.intersects(FF.property(""), FF.literal(reprojectGeometry2)));
                    }
                    includeFilter = mergeFilter(includeFilter, intersects);
                    includeFilter2 = mergeFilter(includeFilter2, intersects);
                }
                wMTSAccessLimits = new VectorAccessLimits(catalogMode, propertyNames, includeFilter, propertyNames2, includeFilter2);
                if (reprojectGeometry2 != null) {
                    wMTSAccessLimits.setClipVectorFilter(reprojectGeometry2);
                }
                if (reprojectGeometry != null) {
                    wMTSAccessLimits.setIntersectVectorFilter(reprojectGeometry);
                }
            } else if (resourceInfo instanceof CoverageInfo) {
                // Coverages get a single area: the union of clip and intersect areas when both exist.
                Geometry geometry = null;
                if (reprojectGeometry2 != null && reprojectGeometry != null) {
                    geometry = reprojectGeometry2.union(reprojectGeometry);
                } else if (reprojectGeometry != null) {
                    geometry = reprojectGeometry;
                } else if (reprojectGeometry2 != null) {
                    geometry = reprojectGeometry2;
                }
                wMTSAccessLimits = new CoverageAccessLimits(catalogMode, includeFilter, toMultiPoly(geometry), (GeneralParameterValue[]) null);
            } else if (resourceInfo instanceof WMSLayerInfo) {
                // NOTE(review): only the intersect area is passed for cascaded WMS and WMTS layers;
                // the clip area is not used in these two branches — confirm that is intended.
                wMTSAccessLimits = new WMSAccessLimits(catalogMode, includeFilter, toMultiPoly(reprojectGeometry), true);
            } else {
                if (!(resourceInfo instanceof WMTSLayerInfo)) {
                    throw new IllegalArgumentException("Don't know how to handle resource " + resourceInfo);
                }
                wMTSAccessLimits = new WMTSAccessLimits(catalogMode, includeFilter, toMultiPoly(reprojectGeometry));
            }
            return wMTSAccessLimits;
        } catch (CQLException e) {
            throw new IllegalArgumentException("Invalid cql filter found: " + e.getMessage(), e);
        }
    }

    /**
     * Builds the limits for a layer group.
     *
     * @return {@code null} when the grant is ALLOW or LIMIT; otherwise a
     *     {@link LayerGroupAccessLimits} carrying the catalog mode converted from the rule
     */
    AccessLimits buildLayerGroupAccessLimits(AccessInfo accessInfo) {
        GrantType grant = accessInfo.getGrant();
        boolean granted = grant.equals(GrantType.ALLOW) || grant.equals(GrantType.LIMIT);
        if (!granted) {
            CatalogMode mode = convert(accessInfo.getCatalogMode());
            return new LayerGroupAccessLimits(mode);
        }
        return null;
    }

    /**
     * Resolves the limits a resource inherits from its containing layer groups and reprojects the
     * resulting areas to the CRS obtained for the catalog object.
     *
     * @param list explicit containing groups, used when {@code collection} is null
     * @param collection group summaries from the containment cache; takes precedence when non-null
     * @return the resolver result with its non-null intersect and clip areas reprojected
     */
    private ContainerLimitResolver.ProcessingResult getContainerResolverResult(CatalogInfo catalogInfo, String str, String str2, GeoFenceConfiguration geoFenceConfiguration, String str3, Authentication authentication, List<LayerGroupInfo> list, Collection<LayerGroupContainmentCache.LayerGroupSummary> collection) {
        ContainerLimitResolver resolver;
        if (collection == null) {
            resolver = new ContainerLimitResolver(list, this.rules, authentication, str, str2, str3, geoFenceConfiguration);
        } else {
            resolver = new ContainerLimitResolver(collection, this.rules, authentication, str, str2, str3, geoFenceConfiguration);
        }
        ContainerLimitResolver.ProcessingResult resolved = resolver.resolveResourceInGroupLimits();

        Geometry intersectArea = resolved.getIntersectArea();
        Geometry clipArea = resolved.getClipArea();
        CoordinateReferenceSystem targetCrs = this.helper.getCRSFromInfo(catalogInfo);
        if (intersectArea != null) {
            resolved.setIntersectArea(this.helper.reprojectGeometry(intersectArea, targetCrs));
        }
        if (clipArea != null) {
            resolved.setClipArea(this.helper.reprojectGeometry(clipArea, targetCrs));
        }
        return resolved;
    }

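    /**
     * Picks the catalog mode for a resource: the one from the container resolution when a result
     * is given, otherwise the one from the rule. The DTO-to-mode mapping is delegated to
     * {@code convert}, which previously was duplicated here line for line.
     *
     * @param accessInfo the rule evaluation result, read only when {@code processingResult} is null
     * @param processingResult container resolution result, may be null
     * @return the mapped mode, or {@code DEFAULT_CATALOG_MODE} when no mode is set
     */
    private CatalogMode getCatalogMode(AccessInfo accessInfo, ContainerLimitResolver.ProcessingResult processingResult) {
        CatalogModeDTO catalogModeDTO = processingResult != null ? processingResult.getCatalogModeDTO() : accessInfo.getCatalogMode();
        return convert(catalogModeDTO);
    }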

    /**
     * Maps a GeoFence catalog mode to the GeoServer one.
     *
     * @return the matching {@link CatalogMode}; {@code DEFAULT_CATALOG_MODE} for {@code null} or
     *     for a value other than CHALLENGE, HIDE and MIXED
     */
    private CatalogMode convert(CatalogModeDTO catalogModeDTO) {
        if (catalogModeDTO == null) {
            return DEFAULT_CATALOG_MODE;
        }
        switch (catalogModeDTO) {
            case CHALLENGE:
                return CatalogMode.CHALLENGE;
            case HIDE:
                return CatalogMode.HIDE;
            case MIXED:
                return CatalogMode.MIXED;
            default:
                return DEFAULT_CATALOG_MODE;
        }
    }

    /**
     * Builds the rule filter for an access decision from the current configuration and the
     * request currently being dispatched.
     *
     * @param str workspace name
     * @param str2 layer name
     * @param authentication the caller
     * @param str3 caller IP address, may be null
     */
    private RuleFilter buildRuleFilter(String str, String str2, Authentication authentication, String str3) {
        GeoFenceConfiguration config = this.configurationManager.getConfiguration();
        Request currentRequest = (Request) Dispatcher.REQUEST.get();
        return new RuleFilterBuilder(config)
                .withRequest(currentRequest)
                .withIpAddress(str3)
                .withWorkspace(str)
                .withLayer(str2)
                .withUser(authentication)
                .build();
    }

    /**
     * Converts a restriction area to a multi-polygon.
     *
     * <p>The failure message embeds the WKT of the restriction area.
     *
     * @return the converted geometry, or {@code null} when the input is null
     * @throws RuntimeException when the geometry cannot be converted
     */
    private MultiPolygon toMultiPoly(Geometry geometry) {
        if (geometry == null) {
            return null;
        }
        MultiPolygon converted = (MultiPolygon) Converters.convert(geometry, MultiPolygon.class);
        if (converted != null) {
            return converted;
        }
        throw new RuntimeException("Error applying security rules, cannot convert the Geofence area restriction " + geometry.toText() + " to a multi-polygon");
    }

    /**
     * Combines an existing filter with an additional one.
     *
     * @return {@code filter2} when {@code filter} is null or INCLUDE; {@code filter} itself when it
     *     is EXCLUDE; otherwise the AND of both
     */
    private Filter mergeFilter(Filter filter, Filter filter2) {
        if (filter == null || filter == Filter.INCLUDE) {
            return filter2;
        }
        if (filter == Filter.EXCLUDE) {
            // Nothing is visible already; adding a condition cannot change that.
            return filter;
        }
        return FF.and(filter, filter2);
    }

    /**
     * Lists the attributes accessible in the given mode.
     *
     * <p>READWRITE attributes are included in both modes; READONLY attributes only in READ mode.
     *
     * @return {@code null} when the rule carries no attributes at all; otherwise the accessible
     *     attributes, which may be an empty list
     */
    private List<PropertyName> toPropertyNames(Set<LayerAttribute> set, PropertyAccessMode propertyAccessMode) {
        if (set == null || set.isEmpty()) {
            return null;
        }
        List<PropertyName> accessible = new ArrayList<>();
        for (LayerAttribute attribute : set) {
            boolean readWrite = attribute.getAccess() == AccessType.READWRITE;
            if (readWrite || (propertyAccessMode == PropertyAccessMode.READ && attribute.getAccess() == AccessType.READONLY)) {
                accessible.add(FF.property(attribute.getName()));
            }
        }
        return accessible;
    }

    /** Dispatcher callback; this access manager does nothing when a request finishes. */
    public void finished(Request request) {
    }

    /** Dispatcher callback; returns the request unchanged. */
    public Request init(Request request) {
        return request;
    }

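    /**
     * Dispatcher callback that applies rule-driven overrides to WMS GetMap, GetFeatureInfo and
     * GetLegendGraphic requests before they run. Administrators are exempt; every other caller,
     * including anonymous ones, goes through the override methods.
     *
     * <p>Compared with the previous version, the empty username check (an {@code if} with no body)
     * is removed and the repeated WMS test is done once; the decisions are unchanged.
     *
     * @param request the OWS request being dispatched
     * @param operation the operation about to run; its first parameter is the request object
     * @return the same {@code operation} instance
     * @throws ServiceException when a GetMap/GetFeatureInfo operation carries an unexpected
     *     request object
     */
    public Operation operationDispatched(Request request, Operation operation) {
        String service = request.getService();
        String requestName = request.getRequest();
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

        boolean authenticated = authentication != null && !(authentication instanceof AnonymousAuthenticationToken);
        if (authenticated && isAdmin(authentication)) {
            LOGGER.log(Level.FINE, "Admin level access, not applying default style for this request");
            return operation;
        }

        if (requestName == null || !"WMS".equalsIgnoreCase(service)) {
            return operation;
        }

        if ("GetMap".equalsIgnoreCase(requestName) || "GetFeatureInfo".equalsIgnoreCase(requestName)) {
            Object requestObject = operation.getParameters()[0];
            GetMapRequest getMapRequest;
            if (requestObject instanceof GetMapRequest) {
                getMapRequest = (GetMapRequest) requestObject;
            } else if (requestObject instanceof GetFeatureInfoRequest) {
                // GetFeatureInfo is checked through the GetMap request it embeds.
                getMapRequest = ((GetFeatureInfoRequest) requestObject).getGetMapRequest();
            } else {
                throw new ServiceException("Unrecognized request object: " + requestObject);
            }
            overrideGetMapRequest(request, service, requestName, authentication, getMapRequest);
        } else if ("GetLegendGraphic".equalsIgnoreCase(requestName)) {
            overrideGetLegendGraphicRequest(request, operation, service, requestName, authentication);
        }
        return operation;
    }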

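    /**
     * Applies style rules to a GetLegendGraphic request.
     *
     * <p>The {@code LAYER} parameter is resolved to a layer or, failing that, to a layer group
     * whose layers and styles are expanded. For each resolved layer the rules are queried; an
     * explicitly requested style is checked with {@code checkStyleAllowed}, and when no style was
     * requested the rule's default style (if any) is set on the request.
     *
     * <p>Changes from the previous version: the two work lists are typed, the FINE log message now
     * has a placeholder so the rule filter passed to it is actually rendered, and the no-op
     * {@code else continue} branch is gone.
     *
     * @param request the OWS request, read for its {@code LAYER} and {@code STYLE} parameters
     * @param operation the operation whose first parameter is the GetLegendGraphicRequest
     * @param str the service name put in the rule filter
     * @param str2 the request name put in the rule filter
     * @param authentication the caller, may be null
     * @throws ServiceException when the rule's default style is not in the catalog or cannot be
     *     loaded
     */
    void overrideGetLegendGraphicRequest(Request request, Operation operation, String str, String str2, Authentication authentication) {
        String layerParam = (String) request.getKvp().get("LAYER");
        String styleParam = (String) request.getKvp().get("STYLE");
        List<String> styleNames = new ArrayList<>();
        List<LayerInfo> layers = new ArrayList<>();

        LayerInfo layerByName = this.catalog.getLayerByName(layerParam);
        if (layerByName != null) {
            layers.add(layerByName);
            styleNames.add(styleParam);
        } else {
            LayerGroupInfo group = this.catalog.getLayerGroupByName(layerParam);
            if (group != null) {
                boolean noStyleRequested = styleParam == null || "".equals(styleParam);
                layers.addAll(noStyleRequested ? group.layers() : group.layers(styleParam));
                // NOTE(review): the loop below reads styleNames by layer index, so this is assumed
                // to add exactly one entry per layer of the group — confirm in addGroupStyles.
                addGroupStyles(group, styleNames, styleParam);
            }
        }

        GetLegendGraphicRequest legendRequest = (GetLegendGraphicRequest) operation.getParameters()[0];
        for (int i = 0; i < layers.size(); i++) {
            ResourceInfo resource = layers.get(i).getResource();
            RuleFilter ruleFilter = new RuleFilter(RuleFilter.SpecialFilterType.ANY);
            setRuleFilterUserAndRole(authentication, ruleFilter);
            ruleFilter.setInstance(this.configurationManager.getConfiguration().getInstanceName());
            ruleFilter.setService(str);
            ruleFilter.setRequest(str2);
            ruleFilter.setWorkspace(resource.getStore().getWorkspace().getName());
            ruleFilter.setLayer(resource.getName());
            LOGGER.log(Level.FINE, "Getting access limits for getLegendGraphic: {0}", ruleFilter);

            // NOTE(review): unlike the layer access path, a null answer from the rule service is
            // not replaced by DENY_ALL here and would fail with a NullPointerException below.
            AccessInfo accessInfo = this.rules.getAccessInfo(ruleFilter);
            String requestedStyle = styleNames.get(i);
            if (requestedStyle != null) {
                checkStyleAllowed(accessInfo, requestedStyle);
            } else if (accessInfo.getDefaultStyle() != null) {
                try {
                    StyleInfo defaultStyle = this.catalog.getStyleByName(accessInfo.getDefaultStyle());
                    if (defaultStyle == null) {
                        throw new ServiceException("Could not find default style suggested by GeoRepository: " + accessInfo.getDefaultStyle());
                    }
                    legendRequest.setStyle(defaultStyle.getStyle());
                } catch (IOException e) {
                    throw new ServiceException("Unable to load the style suggested by GeoRepository: " + accessInfo.getDefaultStyle(), e);
                }
            }
        }
    }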

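    /**
     * Applies the style rules returned by the rule service to every layer of a WMS GetMap request
     * (also used for the GetMap embedded in a GetFeatureInfo request).
     *
     * <p>Requests carrying none of the {@code layers}, {@code sld} and {@code sld_body} KVP
     * entries are rejected. Layers that are neither vector nor raster are rejected unless the
     * configuration allows remote and inline layers; when allowed, their rules are looked up with
     * the workspace and layer set to {@code ANY} because no catalog resource is available.
     *
     * <p>For each layer either the explicitly requested style is validated with
     * {@code checkStyleAllowed}, or, when none was requested, the rule's default style (if any)
     * replaces the entry at the same position of the request's style list.
     *
     * @param request dispatcher request supplying the KVP entries
     * @param str service name copied into the rule filter
     * @param str2 request name copied into the rule filter
     * @param authentication caller identity used to fill the user and role of the rule filter
     * @param getMapRequest parsed GetMap request whose layers are checked and whose styles may be
     *     overridden
     * @throws ServiceException if the request is rejected, a style cannot be matched to a layer, a
     *     requested style is not allowed, or the default style is missing or cannot be loaded
     */
    void overrideGetMapRequest(Request request, String str, String str2, Authentication authentication, GetMapRequest getMapRequest) {
        // NOTE(review): these lookups use lower-case keys while parseLayersParameter reads
        // "LAYERS" from the raw KVP; presumably the KVP maps are case-insensitive -- confirm.
        if (request.getKvp().get("layers") == null && request.getKvp().get("sld") == null && request.getKvp().get("sld_body") == null) {
            throw new ServiceException("GetMap POST requests are forbidden");
        }
        List<String> requestedStyles = getRequestedStyles(request, getMapRequest);
        List<MapLayerInfo> layers = getMapRequest.getLayers();
        for (int i = 0; i < layers.size(); i++) {
            MapLayerInfo mapLayerInfo = layers.get(i);
            ResourceInfo resourceInfo = null;
            if (mapLayerInfo.getType() == MapLayerInfo.TYPE_VECTOR || mapLayerInfo.getType() == MapLayerInfo.TYPE_RASTER) {
                resourceInfo = mapLayerInfo.getResource();
            } else if (!this.configurationManager.getConfiguration().isAllowRemoteAndInlineLayers()) {
                throw new ServiceException("Remote layers are not allowed");
            }
            RuleFilter ruleFilter = new RuleFilter(RuleFilter.SpecialFilterType.ANY);
            setRuleFilterUserAndRole(authentication, ruleFilter);
            ruleFilter.setInstance(this.configurationManager.getConfiguration().getInstanceName());
            ruleFilter.setService(str);
            ruleFilter.setRequest(str2);
            if (resourceInfo != null) {
                ruleFilter.setWorkspace(resourceInfo.getStore().getWorkspace().getName());
                ruleFilter.setLayer(resourceInfo.getName());
            } else {
                // Remote or inline layer: there is no catalog resource to name in the filter.
                ruleFilter.setWorkspace(RuleFilter.SpecialFilterType.ANY);
                ruleFilter.setLayer(RuleFilter.SpecialFilterType.ANY);
            }
            // The {0} placeholder is required: without it java.util.logging drops the parameter
            // and the evaluated filter never reaches the log.
            LOGGER.log(Level.FINE, "Getting access limits for getMap: {0}", ruleFilter);
            AccessInfo accessInfo = this.rules.getAccessInfo(ruleFilter);
            // requestedStyles is rebuilt from the raw LAYERS/STYLES parameters, while the layer
            // list comes from the parsed request (which can also be filled from sld/sld_body).
            // When the two do not line up, reject the request explicitly instead of failing with
            // an unchecked IndexOutOfBoundsException; the request is refused either way, so no
            // layer is ever served without its style having been checked.
            if (i >= requestedStyles.size()) {
                throw new ServiceException("Unable to match a requested style to the layer at position " + i);
            }
            String requestedStyle = requestedStyles.get(i);
            if (requestedStyle != null) {
                // An explicit style is only validated, never replaced.
                checkStyleAllowed(accessInfo, requestedStyle);
            } else if (accessInfo.getDefaultStyle() != null) {
                // No style requested: force the default style the rules prescribe.
                try {
                    StyleInfo styleByName = this.catalog.getStyleByName(accessInfo.getDefaultStyle());
                    if (styleByName == null) {
                        throw new ServiceException("Could not find default style suggested by Geofence: " + accessInfo.getDefaultStyle());
                    }
                    getMapRequest.getStyles().set(i, styleByName.getStyle());
                } catch (IOException e) {
                    throw new ServiceException("Unable to load the style suggested by Geofence: " + accessInfo.getDefaultStyle(), e);
                }
            }
        }
    }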

    /**
     * Rejects a requested style that the access rules do not permit.
     *
     * <p>The permitted set is the rule's default style plus its allowed styles. The comparison is
     * an exact, case-sensitive string match, so the requested name has to be in the same form
     * (for example with or without a workspace prefix) as the names stored in the rules.
     *
     * <p>When the rules name neither a default style nor any allowed style, the permitted set is
     * empty and every style is accepted: an empty set means "no restriction", not "deny all".
     *
     * @param accessInfo access rules resolved for the layer
     * @param str name of the style the client asked for
     * @throws ServiceException if the permitted set is non-empty and does not contain {@code str}
     */
    private void checkStyleAllowed(AccessInfo accessInfo, String str) {
        Set<String> permitted = new HashSet<>();
        String defaultStyle = accessInfo.getDefaultStyle();
        if (defaultStyle != null) {
            permitted.add(defaultStyle);
        }
        Set<String> allowedStyles = accessInfo.getAllowedStyles();
        if (allowedStyles != null) {
            permitted.addAll(allowedStyles);
        }
        // Nothing configured means nothing to enforce.
        if (permitted.isEmpty() || permitted.contains(str)) {
            return;
        }
        throw new ServiceException("The '" + str + "' style is not available on this layer");
    }

    /**
     * Returns a catalog filter that accepts every object.
     *
     * <p>Neither argument is consulted, so this method never narrows what a caller can list.
     * NOTE(review): restrictions presumably come from the per-resource access checks elsewhere
     * in this class -- confirm that nothing relies on this filter for enforcement.
     *
     * @param authentication caller identity (unused)
     * @param cls catalog object type being filtered (unused)
     * @return the accept-all predicate
     */
    public Filter getSecurityFilter(Authentication authentication, Class<? extends CatalogInfo> cls) {
        Filter acceptEverything = Predicates.acceptAll();
        return acceptEverything;
    }

    /**
     * Dispatcher hook invoked with the result of an operation; the result is passed through
     * untouched.
     *
     * @param request dispatcher request (unused)
     * @param operation executed operation (unused)
     * @param obj result produced by the operation
     * @return {@code obj}, unchanged
     */
    public Object operationExecuted(Request request, Operation operation, Object obj) {
        final Object unchangedResult = obj;
        return unchangedResult;
    }

    /**
     * Dispatcher hook invoked once a response has been selected; the response is passed through
     * untouched.
     *
     * @param request dispatcher request (unused)
     * @param operation executed operation (unused)
     * @param obj result produced by the operation (unused)
     * @param response response chosen by the dispatcher
     * @return {@code response}, unchanged
     */
    public Response responseDispatched(Request request, Operation operation, Object obj, Response response) {
        final Response unchangedResponse = response;
        return unchangedResponse;
    }

    /**
     * Dispatcher hook invoked once the target service is known; the service is passed through
     * untouched and no check is performed at this stage.
     *
     * @param request dispatcher request (unused)
     * @param service service chosen by the dispatcher
     * @return {@code service}, unchanged
     * @throws ServiceException declared by the signature; never thrown by this implementation
     */
    public Service serviceDispatched(Request request, Service service) throws ServiceException {
        final Service unchangedService = service;
        return unchangedService;
    }

    /**
     * Builds the list of style names the client asked for, one entry per layer.
     *
     * <p>The raw {@code LAYERS} and {@code STYLES} parameters are parsed and walked in parallel.
     * A layer group is expanded through {@code addGroupStyles}; any other entry contributes the
     * style found at the same position, or {@code null} when {@code STYLES} has fewer entries
     * than {@code LAYERS}.
     *
     * <p>For a non-group entry the style string is copied as parsed. NOTE(review): if the parser
     * can yield empty strings, they reach {@code checkStyleAllowed} as a requested style rather
     * than being treated as "no style" -- confirm this is intended.
     *
     * @param request dispatcher request supplying the raw KVP entries
     * @param getMapRequest parsed GetMap request, forwarded to the layer parser
     * @return style names in layer order, with {@code null} where no style was requested
     */
    private List<String> getRequestedStyles(Request request, GetMapRequest getMapRequest) {
        List<String> collected = new ArrayList<>();
        List<String> styleParams = parseStylesParameter(request);
        int position = 0;
        for (Object layerOrGroup : parseLayersParameter(request, getMapRequest)) {
            // null stands for "no style given at this position".
            String styleAtPosition = position < styleParams.size() ? styleParams.get(position) : null;
            if (layerOrGroup instanceof LayerGroupInfo) {
                addGroupStyles((LayerGroupInfo) layerOrGroup, collected, styleAtPosition);
            } else {
                collected.add(styleAtPosition);
            }
            position++;
        }
        return collected;
    }

    /**
     * Appends the prefixed names of a layer group's styles to {@code list}.
     *
     * <p>With a {@code null} or empty {@code str} the styles come from {@code styles()};
     * otherwise from {@code styles(str)}. A {@code null} style in the group is appended as
     * {@code null}, which keeps the positions of the output aligned with the group's entries.
     *
     * @param layerGroupInfo group whose styles are read
     * @param list output list the names are appended to
     * @param str group style name requested by the client, or {@code null}/empty for none
     */
    private void addGroupStyles(LayerGroupInfo layerGroupInfo, List<String> list, String str) {
        boolean noStyleRequested = str == null || "".equals(str);
        List<StyleInfo> groupStyles = noStyleRequested ? layerGroupInfo.styles() : layerGroupInfo.styles(str);
        // Collect first and append in one step so that list is only touched once every name
        // has been resolved.
        List<String> names = new ArrayList<>();
        for (StyleInfo style : groupStyles) {
            names.add(style == null ? null : style.prefixedName());
        }
        list.addAll(names);
    }

    /**
     * Parses the raw {@code LAYERS} parameter into catalog objects.
     *
     * <p>The value is split with {@code KvpUtils.readFlat} and handed to {@code LayersParser}
     * together with the remote OWS URL and type carried by the GetMap request.
     *
     * @param request dispatcher request supplying the raw KVP entries
     * @param getMapRequest parsed GetMap request supplying the remote OWS URL and type
     * @return the parsed entries, or an empty list when {@code LAYERS} is absent
     */
    private List<Object> parseLayersParameter(Request request, GetMapRequest getMapRequest) {
        String rawLayers = (String) request.getRawKvp().get("LAYERS");
        if (rawLayers != null) {
            List<String> layerNames = KvpUtils.readFlat(rawLayers);
            return LayersParser.getInstance().parseLayers(layerNames, getMapRequest.getRemoteOwsURL(), getMapRequest.getRemoteOwsType());
        }
        return new ArrayList<>();
    }

    /**
     * Splits the raw {@code STYLES} parameter into individual style names.
     *
     * @param request dispatcher request supplying the raw KVP entries
     * @return the names produced by {@code KvpUtils.readFlat}, or an empty list when
     *     {@code STYLES} is absent
     */
    private List<String> parseStylesParameter(Request request) {
        String rawStyles = (String) request.getRawKvp().get("STYLES");
        if (rawStyles == null) {
            return new ArrayList<>();
        }
        return KvpUtils.readFlat(rawStyles);
    }

    /**
     * Returns the fixed priority of this component.
     *
     * <p>NOTE(review): presumably this is the extension-priority contract that orders dispatcher
     * callbacks; the meaning of the value (higher or lower runs first) is not visible here --
     * confirm against that contract.
     *
     * @return always {@code 100}
     */
    public int getPriority() {
        final int fixedPriority = 100;
        return fixedPriority;
    }
}
