package org.geoserver.geofence.containers;

import com.google.common.collect.ArrayListMultimap;
import com.google.common.collect.ListMultimap;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.function.Supplier;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.geoserver.catalog.LayerGroupInfo;
import org.geoserver.geofence.RuleFilterBuilder;
import org.geoserver.geofence.config.GeoFenceConfiguration;
import org.geoserver.geofence.core.model.enums.GrantType;
import org.geoserver.geofence.services.RuleReaderService;
import org.geoserver.geofence.services.dto.AccessInfo;
import org.geoserver.geofence.services.dto.CatalogModeDTO;
import org.geoserver.geofence.services.dto.RuleFilter;
import org.geoserver.geofence.util.AccessInfoUtils;
import org.geoserver.geofence.util.GeomHelper;
import org.geoserver.ows.Dispatcher;
import org.geoserver.ows.Request;
import org.geoserver.security.impl.LayerGroupContainmentCache;
import org.geotools.util.logging.Logging;
import org.locationtech.jts.geom.Geometry;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

/* loaded from: input_file:org/geoserver/geofence/containers/ContainerLimitResolver.class */
public class ContainerLimitResolver {
    private RuleReaderService ruleService;
    private List<LayerGroupInfo> groupList;
    private Collection<LayerGroupContainmentCache.LayerGroupSummary> groupSummaries;
    private Authentication authentication;
    private String layer;
    private String workspace;
    private String callerIp;
    private GeoFenceConfiguration configuration;
    private static final Logger LOGGER = Logging.getLogger(ContainerLimitResolver.class);

    /* loaded from: input_file:org/geoserver/geofence/containers/ContainerLimitResolver$ProcessingResult.class */
    public static class ProcessingResult {
        private Geometry intersectArea;
        private Geometry clipArea;
        private CatalogModeDTO catalogModeDTO;

        public ProcessingResult(Geometry geometry, Geometry geometry2, CatalogModeDTO catalogModeDTO) {
            this.intersectArea = geometry;
            this.clipArea = geometry2;
            this.catalogModeDTO = catalogModeDTO;
        }

        public Geometry getIntersectArea() {
            return this.intersectArea;
        }

        public Geometry getClipArea() {
            return this.clipArea;
        }

        public CatalogModeDTO getCatalogModeDTO() {
            return this.catalogModeDTO;
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        public void setIntersectArea(Geometry geometry) {
            this.intersectArea = geometry;
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        public void setClipArea(Geometry geometry) {
            this.clipArea = geometry;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/geoserver/geofence/containers/ContainerLimitResolver$RestrictionType.class */
    public enum RestrictionType {
        GROUP_INTERSECT,
        GROUP_CLIP,
        GROUP_BOTH,
        LAYER_INTERSECT,
        LAYER_CLIP,
        LAYER_BOTH
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public ContainerLimitResolver(List<LayerGroupInfo> list, RuleReaderService ruleReaderService, Authentication authentication, String str, String str2, String str3, GeoFenceConfiguration geoFenceConfiguration) {
        this(ruleReaderService, authentication, str, str2, str3, geoFenceConfiguration);
        this.groupList = list;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public ContainerLimitResolver(Collection<LayerGroupContainmentCache.LayerGroupSummary> collection, RuleReaderService ruleReaderService, Authentication authentication, String str, String str2, String str3, GeoFenceConfiguration geoFenceConfiguration) {
        this(ruleReaderService, authentication, str, str2, str3, geoFenceConfiguration);
        this.groupSummaries = collection;
    }

    private ContainerLimitResolver(RuleReaderService ruleReaderService, Authentication authentication, String str, String str2, String str3, GeoFenceConfiguration geoFenceConfiguration) {
        this.ruleService = ruleReaderService;
        this.authentication = authentication;
        this.layer = str;
        this.workspace = str2;
        this.configuration = geoFenceConfiguration;
        this.callerIp = str3;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public ProcessingResult resolveResourceInGroupLimits() {
        AccessInfo accessInfo;
        HashMap hashMap = new HashMap();
        for (GrantedAuthority grantedAuthority : this.authentication.getAuthorities()) {
            RuleFilter ruleFilterByRole = ruleFilterByRole(grantedAuthority, this.workspace, this.layer, this.callerIp);
            if (ruleFilterByRole != null && (accessInfo = this.ruleService.getAccessInfo(ruleFilterByRole)) != null && !isDeny(accessInfo)) {
                hashMap.put(grantedAuthority.getAuthority(), accessInfo);
            }
        }
        return unionAccesses(intersectAccesses(hashMap, collectContainersAccessInfoByRole()));
    }

    private ProcessingResult unionAccesses(ListMultimap<RestrictionType, ProcessingResult> listMultimap) {
        List<ProcessingResult> list = listMultimap.get(RestrictionType.GROUP_BOTH);
        List<ProcessingResult> list2 = listMultimap.get(RestrictionType.GROUP_INTERSECT);
        List<ProcessingResult> list3 = listMultimap.get(RestrictionType.GROUP_CLIP);
        List<ProcessingResult> list4 = listMultimap.get(RestrictionType.LAYER_BOTH);
        List<ProcessingResult> list5 = listMultimap.get(RestrictionType.LAYER_INTERSECT);
        List<ProcessingResult> list6 = listMultimap.get(RestrictionType.LAYER_CLIP);
        ProcessingResult enlargeGroupProcessingResult = enlargeGroupProcessingResult(list2);
        ProcessingResult enlargeGroupProcessingResult2 = enlargeGroupProcessingResult(list3);
        ProcessingResult enlargeGroupProcessingResult3 = enlargeGroupProcessingResult(list);
        ProcessingResult enlargeGroupProcessingResult4 = enlargeGroupProcessingResult(list5);
        ProcessingResult enlargeGroupProcessingResult5 = enlargeGroupProcessingResult(list6);
        ProcessingResult enlargeGroupProcessingResult6 = enlargeGroupProcessingResult(list4);
        Geometry geometry = null;
        Geometry geometry2 = null;
        CatalogModeDTO catalogModeDTO = null;
        if (enlargeGroupProcessingResult != null) {
            LOGGER.fine(() -> {
                return "Processing group areas with intersect type";
            });
            geometry = enlargeGroupProcessingResult.getIntersectArea();
            geometry2 = enlargeGroupProcessingResult.getClipArea();
            catalogModeDTO = AccessInfoUtils.getLarger(null, enlargeGroupProcessingResult.getCatalogModeDTO());
        }
        if (enlargeGroupProcessingResult2 != null) {
            LOGGER.fine(() -> {
                return "Processing group areas with clip type";
            });
            geometry2 = unionOrReturnIfNull(() -> {
                return enlargeGroupProcessingResult2.getClipArea();
            }, geometry2, false);
            geometry = unionOrReturnIfNull(() -> {
                return enlargeGroupProcessingResult2.getIntersectArea();
            }, geometry, false);
            catalogModeDTO = AccessInfoUtils.getLarger(catalogModeDTO, enlargeGroupProcessingResult2.getCatalogModeDTO());
        }
        if (enlargeGroupProcessingResult3 != null) {
            LOGGER.fine(() -> {
                return "Processing group areas with both intersects and clip types";
            });
            boolean z = this.groupSummaries != null;
            geometry = unionOrReturnIfNull(() -> {
                return enlargeGroupProcessingResult3.getIntersectArea();
            }, geometry, z);
            geometry2 = unionOrReturnIfNull(() -> {
                return enlargeGroupProcessingResult3.getClipArea();
            }, geometry2, z);
            catalogModeDTO = AccessInfoUtils.getLarger(catalogModeDTO, enlargeGroupProcessingResult3.getCatalogModeDTO());
        }
        if (enlargeGroupProcessingResult4 != null) {
            LOGGER.fine(() -> {
                return "Processing layer intersect areas if present";
            });
            geometry = unionOrReturnIfNull(() -> {
                return enlargeGroupProcessingResult4.getIntersectArea();
            }, geometry, false);
            catalogModeDTO = AccessInfoUtils.getLarger(catalogModeDTO, enlargeGroupProcessingResult4.getCatalogModeDTO());
        }
        if (enlargeGroupProcessingResult5 != null) {
            LOGGER.fine(() -> {
                return "Processing layer clip areas if present";
            });
            geometry2 = unionOrReturnIfNull(() -> {
                return enlargeGroupProcessingResult5.getClipArea();
            }, geometry2, false);
            catalogModeDTO = AccessInfoUtils.getLarger(catalogModeDTO, enlargeGroupProcessingResult5.getCatalogModeDTO());
        }
        if (enlargeGroupProcessingResult6 != null) {
            LOGGER.fine(() -> {
                return "Processing layer areas with both intersects and clip types";
            });
            geometry = unionOrReturnIfNull(() -> {
                return enlargeGroupProcessingResult6.getIntersectArea();
            }, geometry, false);
            geometry2 = unionOrReturnIfNull(() -> {
                return enlargeGroupProcessingResult6.getClipArea();
            }, geometry2, false);
            catalogModeDTO = AccessInfoUtils.getLarger(catalogModeDTO, enlargeGroupProcessingResult6.getCatalogModeDTO());
        }
        return new ProcessingResult(geometry, geometry2, catalogModeDTO);
    }

    private Geometry unionOrReturnIfNull(Supplier<Geometry> supplier, Geometry geometry, boolean z) {
        return geometry != null ? GeomHelper.reprojectAndUnion(supplier.get(), geometry, z) : supplier.get();
    }

    private ProcessingResult enlargeGroupProcessingResult(List<ProcessingResult> list) {
        Geometry reprojectAndUnion;
        if (list == null || list.isEmpty()) {
            return null;
        }
        CatalogModeDTO catalogModeDTO = null;
        Geometry geometry = null;
        Geometry geometry2 = null;
        boolean z = this.groupSummaries != null;
        for (int i = 0; i < list.size(); i++) {
            ProcessingResult processingResult = list.get(i);
            catalogModeDTO = AccessInfoUtils.getLarger(catalogModeDTO, processingResult.getCatalogModeDTO());
            Geometry intersectArea = processingResult.getIntersectArea();
            Geometry clipArea = processingResult.getClipArea();
            if (i == 0) {
                geometry = intersectArea;
                reprojectAndUnion = clipArea;
            } else {
                geometry = GeomHelper.reprojectAndUnion(geometry, intersectArea, z);
                reprojectAndUnion = GeomHelper.reprojectAndUnion(geometry2, clipArea, z);
            }
            geometry2 = reprojectAndUnion;
        }
        return new ProcessingResult(geometry, geometry2, catalogModeDTO);
    }

    private ListMultimap<RestrictionType, ProcessingResult> intersectAccesses(Map<String, AccessInfo> map, ListMultimap<String, AccessInfo> listMultimap) {
        ArrayListMultimap create = ArrayListMultimap.create();
        for (String str : map.keySet()) {
            intersectAccesses(map.get(str), listMultimap.get(str), create);
        }
        return create;
    }

    private void intersectAccesses(AccessInfo accessInfo, List<AccessInfo> list, ListMultimap<RestrictionType, ProcessingResult> listMultimap) {
        Geometry reprojectAndIntersect;
        Geometry parseWKT = GeomHelper.parseWKT(accessInfo.getAreaWkt());
        Geometry parseWKT2 = GeomHelper.parseWKT(accessInfo.getClipAreaWkt());
        CatalogModeDTO catalogMode = accessInfo.getCatalogMode();
        boolean z = false;
        boolean z2 = false;
        boolean z3 = this.groupSummaries != null;
        Geometry geometry = null;
        Geometry geometry2 = null;
        if (list != null && !list.isEmpty()) {
            for (int i = 0; i < list.size(); i++) {
                AccessInfo accessInfo2 = list.get(i);
                catalogMode = AccessInfoUtils.getStricter(catalogMode, accessInfo2.getCatalogMode());
                String areaWkt = accessInfo2.getAreaWkt();
                String clipAreaWkt = accessInfo2.getClipAreaWkt();
                if (!z) {
                    z = areaWkt != null;
                }
                if (!z2) {
                    z2 = clipAreaWkt != null;
                }
                Geometry parseWKT3 = GeomHelper.parseWKT(areaWkt);
                Geometry parseWKT4 = GeomHelper.parseWKT(clipAreaWkt);
                if (i == 0) {
                    geometry = parseWKT3;
                    reprojectAndIntersect = parseWKT4;
                } else {
                    geometry = GeomHelper.reprojectAndIntersect(geometry, parseWKT3, z3);
                    reprojectAndIntersect = GeomHelper.reprojectAndIntersect(geometry2, parseWKT4, z3);
                }
                geometry2 = reprojectAndIntersect;
            }
        }
        Geometry reprojectAndIntersect2 = GeomHelper.reprojectAndIntersect(parseWKT, geometry, false);
        Geometry reprojectAndIntersect3 = GeomHelper.reprojectAndIntersect(parseWKT2, geometry2, false);
        ProcessingResult processingResult = new ProcessingResult(reprojectAndIntersect2, reprojectAndIntersect3, catalogMode);
        if (z2 && z) {
            listMultimap.put(RestrictionType.GROUP_BOTH, processingResult);
            return;
        }
        if (z2) {
            listMultimap.put(RestrictionType.GROUP_CLIP, processingResult);
            return;
        }
        if (z) {
            listMultimap.put(RestrictionType.GROUP_INTERSECT, processingResult);
            return;
        }
        if (reprojectAndIntersect2 != null && reprojectAndIntersect3 != null) {
            listMultimap.put(RestrictionType.LAYER_BOTH, processingResult);
        } else if (reprojectAndIntersect2 != null) {
            listMultimap.put(RestrictionType.LAYER_INTERSECT, processingResult);
        } else if (reprojectAndIntersect3 != null) {
            listMultimap.put(RestrictionType.LAYER_CLIP, processingResult);
        }
    }

    private ListMultimap<String, AccessInfo> collectContainersAccessInfoByRole() {
        ArrayListMultimap create = ArrayListMultimap.create();
        if (this.groupSummaries == null) {
            collectGroupAccessInfoByRole(this.groupList, this.authentication, create);
        } else {
            collectGroupSummaryAccessInfoByRole(this.groupSummaries, this.authentication.getAuthorities(), create);
        }
        return create;
    }

    private void collectGroupSummaryAccessInfoByRole(Collection<LayerGroupContainmentCache.LayerGroupSummary> collection, Collection<? extends GrantedAuthority> collection2, ListMultimap<String, AccessInfo> listMultimap) {
        for (LayerGroupContainmentCache.LayerGroupSummary layerGroupSummary : collection) {
            if (!layerGroupSummary.getMode().equals(LayerGroupInfo.Mode.OPAQUE_CONTAINER)) {
                String name = layerGroupSummary.getName();
                String workspace = layerGroupSummary.getWorkspace();
                HashMap hashMap = new HashMap(collection2.size());
                for (GrantedAuthority grantedAuthority : collection2) {
                    RuleFilter ruleFilterByRole = ruleFilterByRole(grantedAuthority, workspace, name, this.callerIp);
                    if (ruleFilterByRole != null) {
                        AccessInfo accessInfo = this.ruleService.getAccessInfo(ruleFilterByRole);
                        if (!isDeny(accessInfo)) {
                            hashMap.put(grantedAuthority.getAuthority(), accessInfo);
                        }
                    }
                }
                hashMap.keySet().forEach(str -> {
                    listMultimap.put(str, (AccessInfo) hashMap.get(str));
                });
            }
        }
    }

    private void collectGroupAccessInfoByRole(List<LayerGroupInfo> list, Authentication authentication, ListMultimap<String, AccessInfo> listMultimap) {
        String str;
        Iterator<LayerGroupInfo> it = list.iterator();
        while (it.hasNext()) {
            String[] split = it.next().prefixedName().split(":");
            String str2 = null;
            if (split.length == 1) {
                str = split[0];
            } else {
                str2 = split[0];
                str = split[1];
            }
            if (!isUserAllowed(str, str2)) {
                addAccessInfoByRole(listMultimap, authentication.getAuthorities(), str, str2);
            }
        }
    }

    private boolean isUserAllowed(String str, String str2) {
        if (this.configuration.isUseRolesToFilter() && !this.configuration.getRoles().isEmpty()) {
            return false;
        }
        AccessInfo accessInfo = this.ruleService.getAccessInfo(new RuleFilterBuilder(this.configuration).withUser(this.authentication).withIpAddress(this.callerIp).withWorkspace(str2).withLayer(str).withRequest((Request) Dispatcher.REQUEST.get()).build());
        LOGGER.log(Level.FINE, () -> {
            return "User allowed for the entire layer group. No limit processing is needed.";
        });
        return isAllow(accessInfo) && accessInfo.getAreaWkt() == null && accessInfo.getClipAreaWkt() == null;
    }

    private void addAccessInfoByRole(ListMultimap<String, AccessInfo> listMultimap, Collection<? extends GrantedAuthority> collection, String str, String str2) {
        for (GrantedAuthority grantedAuthority : collection) {
            RuleFilter ruleFilterByRole = ruleFilterByRole(grantedAuthority, str2, str, this.callerIp);
            if (ruleFilterByRole != null) {
                listMultimap.put(grantedAuthority.getAuthority(), this.ruleService.getAccessInfo(ruleFilterByRole));
            }
        }
    }

    private boolean isAllow(AccessInfo accessInfo) {
        return accessInfo != null && accessInfo.getGrant().equals(GrantType.ALLOW);
    }

    private boolean isDeny(AccessInfo accessInfo) {
        return accessInfo != null && accessInfo.getGrant().equals(GrantType.DENY);
    }

    private RuleFilter ruleFilterByRole(GrantedAuthority grantedAuthority, String str, String str2, String str3) {
        RuleFilterBuilder ruleFilterBuilder = new RuleFilterBuilder(this.configuration);
        RuleFilterBuilder withRequest = ruleFilterBuilder.withLayer(str2).withWorkspace(str).withIpAddress(str3).withRequest((Request) Dispatcher.REQUEST.get());
        RuleFilter build = withRequest.build();
        if (filterIsInValid(withRequest, grantedAuthority.getAuthority())) {
            LOGGER.log(Level.FINE, () -> {
                return "Skipping layegroup limits resolution for role " + grantedAuthority.getAuthority() + " because not among allowed ones";
            });
            return null;
        }
        build.setUser(this.authentication.getName());
        build.setRole(grantedAuthority.getAuthority());
        return build;
    }

    private boolean filterIsInValid(RuleFilterBuilder ruleFilterBuilder, String str) {
        ruleFilterBuilder.withUser(this.authentication);
        return (!this.configuration.isUseRolesToFilter() || this.configuration.getRoles().isEmpty() || ruleFilterBuilder.getFilteredRoles().contains(str)) ? false : true;
    }
}
