package org.geoserver.geofence.services;

import com.googlecode.genericdao.search.Filter;
import com.googlecode.genericdao.search.Search;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.LogManager;
import org.apache.log4j.Logger;
import org.geoserver.geofence.core.dao.AdminRuleDAO;
import org.geoserver.geofence.core.dao.LayerDetailsDAO;
import org.geoserver.geofence.core.dao.RuleDAO;
import org.geoserver.geofence.core.model.AdminRule;
import org.geoserver.geofence.core.model.LayerAttribute;
import org.geoserver.geofence.core.model.LayerDetails;
import org.geoserver.geofence.core.model.Rule;
import org.geoserver.geofence.core.model.RuleLimits;
import org.geoserver.geofence.core.model.enums.AccessType;
import org.geoserver.geofence.core.model.enums.AdminGrantType;
import org.geoserver.geofence.core.model.enums.CatalogMode;
import org.geoserver.geofence.core.model.enums.GrantType;
import org.geoserver.geofence.services.dto.AccessInfo;
import org.geoserver.geofence.services.dto.AuthUser;
import org.geoserver.geofence.services.dto.RuleFilter;
import org.geoserver.geofence.services.dto.ShortRule;
import org.geoserver.geofence.services.exception.BadRequestServiceEx;
import org.geoserver.geofence.services.util.AccessInfoInternal;
import org.geoserver.geofence.services.util.FilterUtils;
import org.geoserver.geofence.spi.UserResolver;
import org.locationtech.jts.geom.Geometry;

/* loaded from: input_file:org/geoserver/geofence/services/RuleReaderServiceImpl.class */
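/**
 * Resolves GeoFence data rules and admin rules into the access decision for a request filter.
 *
 * <p>Decision model, as implemented in this class:
 *
 * <ul>
 *   <li>Rules are fetched once per role, sorted by ascending priority ({@code getRuleAux}).
 *   <li>Within one role the first ALLOW or DENY rule ends evaluation; LIMIT rules met before an
 *       ALLOW narrow it ({@code resolveRuleset}). A ruleset that never reaches ALLOW or DENY
 *       yields no result for that role.
 *   <li>Across roles the per-role results are merged permissively: an ALLOW obtained through one
 *       role is kept even when another role resolves to DENY ({@code enlargeAccessInfo}).
 *   <li>When no role yields an ALLOW, the answer is DENY ({@code getAccessInfo}).
 * </ul>
 *
 * <p>NOTE(review): filter contents (user, role, ...) are concatenated into log messages as-is. If
 * those values can originate from request input, confirm that the log layout neutralises line
 * breaks so entries cannot be forged.
 */
public class RuleReaderServiceImpl implements RuleReaderService {
    private static final Logger LOGGER = LogManager.getLogger(RuleReaderServiceImpl.class);
    private RuleDAO ruleDAO;
    private AdminRuleDAO adminRuleDAO;
    private LayerDetailsDAO detailsDAO;
    private UserResolver userResolver;
    private AuthorizationService authorizationService;

    /**
     * Returns the rules matching a filter built from the eight positional strings.
     *
     * @deprecated build a {@link RuleFilter} and call {@link #getMatchingRules(RuleFilter)}.
     */
    @Deprecated
    public List<ShortRule> getMatchingRules(String str, String str2, String str3, String str4, String str5, String str6, String str7, String str8) {
        return getMatchingRules(new RuleFilter(str, str2, str3, str4, str5, str6, str7, str8));
    }

    /**
     * Returns every rule matching the filter, for all resolved roles, ordered by priority.
     *
     * @param ruleFilter the request filter; may be modified by role validation (see {@code
     *     validateUserRoles})
     * @return the matching rules as {@link ShortRule}s, lowest priority value first
     */
    public List<ShortRule> getMatchingRules(RuleFilter ruleFilter) {
        Map<String, List<Rule>> rulesByRole = getRules(ruleFilter);
        // Keyed by priority: a rule reached through several roles is listed once, and the
        // TreeMap yields the rules in ascending priority order.
        TreeMap<Long, Rule> byPriority = new TreeMap<>();
        for (List<Rule> roleRules : rulesByRole.values()) {
            for (Rule rule : roleRules) {
                byPriority.put(Long.valueOf(rule.getPriority()), rule);
            }
        }
        LOGGER.warn(byPriority.size() + " matching rules for filter " + ruleFilter);
        List<Rule> ordered = new ArrayList<>();
        for (Rule rule : byPriority.values()) {
            LOGGER.warn(" -- " + rule);
            ordered.add(rule);
        }
        return convertToShortList(ordered);
    }

    /**
     * Computes the access decision for a filter built from the eight positional strings.
     *
     * @deprecated build a {@link RuleFilter} and call {@link #getAccessInfo(RuleFilter)}.
     */
    @Deprecated
    public AccessInfo getAccessInfo(String str, String str2, String str3, String str4, String str5, String str6, String str7, String str8) {
        return getAccessInfo(new RuleFilter(str, str2, str3, str4, str5, str6, str7, str8));
    }

    /**
     * Computes the access decision for the given filter.
     *
     * <p>Each role's ruleset is resolved on its own and the results are merged with {@code
     * enlargeAccessInfo}. If no role produces an ALLOW the result is a plain DENY. Admin rights
     * are looked up only when the data access is ALLOW.
     *
     * @param ruleFilter the request filter; may be modified by role validation (see {@code
     *     validateUserRoles})
     * @return the decision, never {@code null}
     */
    public AccessInfo getAccessInfo(RuleFilter ruleFilter) {
        LOGGER.info("Requesting access for " + ruleFilter);
        AccessInfoInternal merged = null;
        for (Map.Entry<String, List<Rule>> entry : getRules(ruleFilter).entrySet()) {
            String role = entry.getKey();
            AccessInfoInternal roleAccess = resolveRuleset(entry.getValue());
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("Filter " + ruleFilter + " on role " + role + " has access " + roleAccess);
            }
            merged = enlargeAccessInfo(merged, roleAccess);
        }

        AccessInfo accessInfo;
        if (merged == null) {
            // Default deny: no role produced an ALLOW.
            LOGGER.warn("No access for filter " + ruleFilter);
            accessInfo = new AccessInfo(GrantType.DENY);
        } else {
            accessInfo = merged.toAccessInfo();
        }
        if (accessInfo.getGrant() == GrantType.ALLOW) {
            accessInfo.setAdminRights(getAdminAuth(ruleFilter));
        }
        LOGGER.info("Returning " + accessInfo + " for " + ruleFilter);
        return accessInfo;
    }

    /**
     * Returns an {@link AccessInfo} that carries only the admin-rights flag for the filter.
     *
     * <p>The grant is always set to ALLOW here; only {@code adminRights} reflects the admin rules.
     * Callers must not read the grant of this object as a data-access decision.
     */
    public AccessInfo getAdminAuthorization(RuleFilter ruleFilter) {
        AccessInfo accessInfo = new AccessInfo(GrantType.ALLOW);
        accessInfo.setAdminRights(getAdminAuth(ruleFilter));
        return accessInfo;
    }

    /**
     * Merges the access resolved for one more role into the access accumulated so far.
     *
     * <p>The merge only ever widens access: a {@code null} or DENY addend leaves the accumulated
     * value untouched, so a DENY in one role does not override an ALLOW in another.
     *
     * @param accessInfoInternal access accumulated so far, or {@code null} if none yet
     * @param accessInfoInternal2 access resolved for the next role, may be {@code null}
     * @return the merged access, or {@code null} if there is still no ALLOW
     */
    private AccessInfoInternal enlargeAccessInfo(AccessInfoInternal accessInfoInternal, AccessInfoInternal accessInfoInternal2) {
        if (accessInfoInternal == null) {
            // Nothing accumulated yet: only an ALLOW is worth keeping.
            if (accessInfoInternal2 != null && accessInfoInternal2.getGrant() == GrantType.ALLOW) {
                return accessInfoInternal2;
            }
            return null;
        }
        if (accessInfoInternal2 == null || accessInfoInternal2.getGrant() == GrantType.DENY) {
            return accessInfoInternal;
        }

        AccessInfoInternal merged = new AccessInfoInternal(GrantType.ALLOW);
        merged.setCqlFilterRead(unionCQL(accessInfoInternal.getCqlFilterRead(), accessInfoInternal2.getCqlFilterRead()));
        merged.setCqlFilterWrite(unionCQL(accessInfoInternal.getCqlFilterWrite(), accessInfoInternal2.getCqlFilterWrite()));
        merged.setCatalogMode(getLarger(accessInfoInternal.getCatalogMode(), accessInfoInternal2.getCatalogMode()));
        // A default style survives only when both sides define one; the first side's value wins.
        if (accessInfoInternal.getDefaultStyle() == null || accessInfoInternal2.getDefaultStyle() == null) {
            merged.setDefaultStyle(null);
        } else {
            merged.setDefaultStyle(accessInfoInternal.getDefaultStyle());
        }
        merged.setAllowedStyles(unionAllowedStyles(accessInfoInternal.getAllowedStyles(), accessInfoInternal2.getAllowedStyles()));
        merged.setAttributes(unionAttributes(accessInfoInternal.getAttributes(), accessInfoInternal2.getAttributes()));
        merged.setArea(unionGeometry(accessInfoInternal.getArea(), accessInfoInternal2.getArea()));
        return merged;
    }

    /**
     * ORs two CQL filters together.
     *
     * <p>A {@code null} operand makes the result {@code null}. Each operand is wrapped in
     * parentheses so its own operators cannot re-associate with the added {@code OR}; this
     * presumes each operand is a well-formed filter on its own.
     */
    private String unionCQL(String str, String str2) {
        if (str == null || str2 == null) {
            return null;
        }
        return "(" + str + ") OR (" + str2 + ")";
    }

    /** Unions two areas; a {@code null} on either side makes the result {@code null}. */
    private Geometry unionGeometry(Geometry geometry, Geometry geometry2) {
        if (geometry == null || geometry2 == null) {
            return null;
        }
        return union(geometry, geometry2);
    }

    /**
     * Merges two attribute sets, keeping the wider access for attributes present in both.
     *
     * <p>If either set is {@code null} or empty the result is the empty set. Attributes are
     * cloned, so the inputs are not modified.
     */
    private static Set<LayerAttribute> unionAttributes(Set<LayerAttribute> set, Set<LayerAttribute> set2) {
        if (set == null || set.isEmpty() || set2 == null || set2.isEmpty()) {
            return Collections.emptySet();
        }
        Set<LayerAttribute> merged = new HashSet<>();
        for (LayerAttribute left : set) {
            LayerAttribute copy = left.clone();
            LayerAttribute right = getAttribute(left.getName(), set2);
            if (right != null) {
                // READWRITE beats READONLY; any other combination keeps the left side's access.
                if (left.getAccess() == AccessType.READWRITE || right.getAccess() == AccessType.READWRITE) {
                    copy.setAccess(AccessType.READWRITE);
                } else if (left.getAccess() == AccessType.READONLY || right.getAccess() == AccessType.READONLY) {
                    copy.setAccess(AccessType.READONLY);
                }
            }
            merged.add(copy);
        }
        for (LayerAttribute right : set2) {
            if (getAttribute(right.getName(), set) == null) {
                merged.add(right.clone());
            }
        }
        return merged;
    }

    /** Returns the attribute with the given name from the set, or {@code null} if absent. */
    private static LayerAttribute getAttribute(String str, Set<LayerAttribute> set) {
        for (LayerAttribute candidate : set) {
            if (candidate.getName().equals(str)) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Unions two sets of allowed style names.
     *
     * <p>If either set is {@code null} or empty the result is the empty set.
     */
    private static Set<String> unionAllowedStyles(Set<String> set, Set<String> set2) {
        if (set == null || set.isEmpty() || set2 == null || set2.isEmpty()) {
            return Collections.emptySet();
        }
        Set<String> merged = new HashSet<>(set);
        merged.addAll(set2);
        return merged;
    }

    /**
     * Resolves one role's rules, in the order given, to a single access result.
     *
     * <p>LIMIT rules are collected until the first DENY or ALLOW rule, which ends evaluation. An
     * ALLOW is built with the limits collected up to that point.
     *
     * @param list the role's rules in evaluation order
     * @return the DENY or ALLOW result, or {@code null} if no DENY/ALLOW rule was found
     * @throws IllegalStateException if a rule carries a grant type this method does not handle
     */
    private AccessInfoInternal resolveRuleset(List<Rule> list) {
        List<RuleLimits> limits = new ArrayList<>();
        AccessInfoInternal resolved = null;
        for (Rule rule : list) {
            if (resolved != null) {
                return resolved;
            }
            switch (rule.getAccess()) {
                case LIMIT:
                    RuleLimits ruleLimits = rule.getRuleLimits();
                    if (ruleLimits != null) {
                        LOGGER.info("Collecting limits: " + ruleLimits);
                        limits.add(ruleLimits);
                    } else {
                        LOGGER.warn(rule + " has no associated limits");
                    }
                    break;
                case DENY:
                    resolved = new AccessInfoInternal(GrantType.DENY);
                    break;
                case ALLOW:
                    resolved = buildAllowAccessInfo(rule, limits, null);
                    break;
                default:
                    throw new IllegalStateException("Unknown GrantType " + rule.getAccess());
            }
        }
        return resolved;
    }

    /**
     * Extracts the user name from a user filter.
     *
     * @return the trimmed name for a NAMEVALUE filter, {@code null} for DEFAULT and ANY
     * @throws BadRequestServiceEx if the name is blank or the filter type is not supported
     */
    private String validateUsername(RuleFilter.TextFilter textFilter) {
        return validateName(textFilter, "user");
    }

    /**
     * Extracts the role name from a role filter.
     *
     * @return the trimmed name for a NAMEVALUE filter, {@code null} for DEFAULT and ANY
     * @throws BadRequestServiceEx if the name is blank or the filter type is not supported
     */
    private String validateRolename(RuleFilter.TextFilter textFilter) {
        return validateName(textFilter, "role");
    }

    /** Shared body of the user/role name checks; {@code kind} only feeds the error text. */
    private String validateName(RuleFilter.TextFilter textFilter, String kind) {
        switch (textFilter.getType()) {
            case NAMEVALUE:
                String text = textFilter.getText();
                if (StringUtils.isBlank(text)) {
                    throw new BadRequestServiceEx("Blank " + kind + " name");
                }
                return text.trim();
            case DEFAULT:
            case ANY:
                return null;
            default:
                throw new BadRequestServiceEx("Unknown " + kind + " filter type '" + textFilter + "'");
        }
    }

    /**
     * Builds the ALLOW result for a rule, narrowed by the limits collected before it.
     *
     * <p>The area is the intersection of all limit areas and the layer-details area; the catalog
     * mode is the strictest of the limits and the layer details. Attributes, CQL filters and
     * styles are copied from the rule's layer details when present.
     *
     * @param rule the ALLOW rule
     * @param list limits collected from the LIMIT rules that preceded it
     * @param idNameFilter not used by this method
     */
    private AccessInfoInternal buildAllowAccessInfo(Rule rule, List<RuleLimits> list, RuleFilter.IdNameFilter idNameFilter) {
        AccessInfoInternal allow = new AccessInfoInternal(GrantType.ALLOW);
        Geometry area = intersect(list);
        CatalogMode catalogMode = resolveCatalogMode(list);
        LayerDetails layerDetails = rule.getLayerDetails();
        if (layerDetails != null) {
            area = intersect(area, layerDetails.getArea());
            catalogMode = getStricter(catalogMode, layerDetails.getCatalogMode());
            allow.setAttributes(layerDetails.getAttributes());
            allow.setCqlFilterRead(layerDetails.getCqlFilterRead());
            allow.setCqlFilterWrite(layerDetails.getCqlFilterWrite());
            allow.setDefaultStyle(layerDetails.getDefaultStyle());
            allow.setAllowedStyles(layerDetails.getAllowedStyles());
        }
        allow.setCatalogMode(catalogMode);
        if (area != null) {
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("Attaching an area to Accessinfo: " + area.getClass().getName() + " " + area.toString());
            }
            allow.setArea(area);
        }
        return allow;
    }

    /** Intersects the allowed areas of all limits; limits without an area are skipped. */
    private Geometry intersect(List<RuleLimits> list) {
        Geometry result = null;
        for (RuleLimits limits : list) {
            Geometry allowedArea = limits.getAllowedArea();
            if (allowedArea != null) {
                result = result == null ? allowedArea : result.intersection(allowedArea);
            }
        }
        return result;
    }

    /** Intersects two areas, treating {@code null} as "no restriction from this side". */
    private Geometry intersect(Geometry geometry, Geometry geometry2) {
        if (geometry == null) {
            return geometry2;
        }
        if (geometry2 == null) {
            return geometry;
        }
        return geometry.intersection(geometry2);
    }

    /** Unions two areas; when one side is {@code null} the other side is returned. */
    private Geometry union(Geometry geometry, Geometry geometry2) {
        if (geometry == null) {
            return geometry2;
        }
        if (geometry2 == null) {
            return geometry;
        }
        return geometry.union(geometry2);
    }

    /** Returns the strictest catalog mode among the limits, or {@code null} if none set one. */
    private CatalogMode resolveCatalogMode(List<RuleLimits> list) {
        CatalogMode result = null;
        for (RuleLimits limits : list) {
            result = getStricter(result, limits.getCatalogMode());
        }
        return result;
    }

    /**
     * Picks the stricter of two catalog modes, ranking HIDE over MIXED over CHALLENGE.
     *
     * <p>A {@code null} argument yields the other argument.
     */
    protected static CatalogMode getStricter(CatalogMode catalogMode, CatalogMode catalogMode2) {
        if (catalogMode == null) {
            return catalogMode2;
        }
        if (catalogMode2 == null) {
            return catalogMode;
        }
        if (CatalogMode.HIDE == catalogMode || CatalogMode.HIDE == catalogMode2) {
            return CatalogMode.HIDE;
        }
        if (CatalogMode.MIXED == catalogMode || CatalogMode.MIXED == catalogMode2) {
            return CatalogMode.MIXED;
        }
        return CatalogMode.CHALLENGE;
    }

    /**
     * Picks the wider of two catalog modes, ranking CHALLENGE over MIXED over HIDE.
     *
     * <p>A {@code null} argument yields the other argument.
     */
    protected static CatalogMode getLarger(CatalogMode catalogMode, CatalogMode catalogMode2) {
        if (catalogMode == null) {
            return catalogMode2;
        }
        if (catalogMode2 == null) {
            return catalogMode;
        }
        if (CatalogMode.CHALLENGE == catalogMode || CatalogMode.CHALLENGE == catalogMode2) {
            return CatalogMode.CHALLENGE;
        }
        if (CatalogMode.MIXED == catalogMode || CatalogMode.MIXED == catalogMode2) {
            return CatalogMode.MIXED;
        }
        return CatalogMode.HIDE;
    }

    /**
     * Loads the rules matching the filter, grouped by the role they were looked up for.
     *
     * @param ruleFilter the request filter; may be modified by {@code validateUserRoles}
     * @return role name to rules in priority order; the key is {@code null} when the lookup used
     *     the filter's own role filter; an empty map when role validation rejected the request
     * @throws BadRequestServiceEx if the user/role part of the filter is invalid
     */
    protected Map<String, List<Rule>> getRules(RuleFilter ruleFilter) throws BadRequestServiceEx {
        Set<String> roles = validateUserRoles(ruleFilter);
        if (roles == null) {
            return Collections.emptyMap();
        }
        Map<String, List<Rule>> rulesByRole = new HashMap<>();
        if (roles.isEmpty()) {
            rulesByRole.put(null, getRuleAux(ruleFilter, ruleFilter.getRole()));
        } else {
            for (String role : roles) {
                RuleFilter.TextFilter roleFilter = new RuleFilter.TextFilter(role);
                roleFilter.setIncludeDefault(true);
                rulesByRole.put(role, getRuleAux(ruleFilter, roleFilter));
            }
        }
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Filter " + ruleFilter + " is matching the following Rules:");
            boolean anyRule = false;
            for (Map.Entry<String, List<Rule>> entry : rulesByRole.entrySet()) {
                String role = entry.getKey();
                LOGGER.debug("    Role:" + role);
                for (Rule rule : entry.getValue()) {
                    LOGGER.debug("    Role:" + role + " ---> " + rule);
                    anyRule = true;
                }
            }
            if (!anyRule) {
                LOGGER.debug("No rules matching filter " + ruleFilter);
            }
        }
        return rulesByRole;
    }

    /**
     * Validates the user and role parts of the filter and works out which roles to evaluate.
     *
     * <p>Side effect: in two cases the filter's role is overwritten with {@code
     * SpecialFilterType.DEFAULT} (a named user with role filter ANY and no resolved roles; or
     * neither name given and a user filter other than ANY). Callers that reuse the same filter
     * object afterwards see the modified role.
     *
     * @return the role names to evaluate; an empty set means "use the filter's own role filter"
     * @throws BadRequestServiceEx if both a user name and a role name are given, or either part
     *     is blank or of an unsupported type
     */
    protected Set<String> validateUserRoles(RuleFilter ruleFilter) throws BadRequestServiceEx {
        String username = validateUsername(ruleFilter.getUser());
        String rolename = validateRolename(ruleFilter.getRole());
        if (username != null && rolename != null) {
            throw new BadRequestServiceEx("You can filter either by user or role");
        }

        Set<String> finalRoles = new HashSet<>();
        if (username != null) {
            // Resolved once and reused below.
            Set<String> assignedRoles = this.userResolver.getRoles(username);
            if (rolename != null) {
                // NOTE(review): cannot be reached, because user+role was rejected above. As a
                // result this method never returns null today; kept until it is decided whether
                // the guard or this membership check is the intended behaviour.
                if (!assignedRoles.contains(rolename)) {
                    LOGGER.warn("User does not belong to role [User:" + ruleFilter.getUser() + "] [Role:" + ruleFilter.getRole() + "] [Roles:" + assignedRoles + "]");
                    return null;
                }
                finalRoles = Collections.singleton(rolename);
            } else if (ruleFilter.getRole().getType() == RuleFilter.FilterType.ANY) {
                if (assignedRoles.isEmpty()) {
                    ruleFilter.setRole(RuleFilter.SpecialFilterType.DEFAULT);
                } else {
                    finalRoles = assignedRoles;
                }
            }
        } else if (rolename != null) {
            finalRoles.add(rolename);
        } else if (ruleFilter.getUser().getType() != RuleFilter.FilterType.ANY) {
            ruleFilter.setRole(RuleFilter.SpecialFilterType.DEFAULT);
        }
        return finalRoles;
    }

    /**
     * Queries the data rules matching the filter for one role filter, ordered by priority.
     *
     * <p>The DAO result is post-filtered with {@code FilterUtils.filterByAddress}.
     *
     * @param ruleFilter supplies the user, instance, service, request, workspace and layer criteria
     * @param textFilter the role criterion to use instead of the filter's own role
     */
    protected List<Rule> getRuleAux(RuleFilter ruleFilter, RuleFilter.TextFilter textFilter) {
        Search search = new Search(Rule.class);
        search.addSortAsc("priority");
        addStringCriteria(search, "username", ruleFilter.getUser());
        addStringCriteria(search, "rolename", textFilter);
        addCriteria(search, "instance", ruleFilter.getInstance());
        addStringCriteria(search, "service", ruleFilter.getService());
        addStringCriteria(search, "request", ruleFilter.getRequest());
        addStringCriteria(search, "workspace", ruleFilter.getWorkspace());
        addStringCriteria(search, "layer", ruleFilter.getLayer());
        return FilterUtils.filterByAddress(ruleFilter, this.ruleDAO.search(search));
    }

    /**
     * Adds the search criterion for an id-or-name filter on the given field.
     *
     * <p>NAMEVALUE and IDVALUE match rows where the field is null or equals the requested
     * name/id; DEFAULT matches only rows where the field is null; ANY adds no criterion.
     *
     * @throws AssertionError for any other filter type
     */
    private void addCriteria(Search search, String str, RuleFilter.IdNameFilter idNameFilter) {
        switch (idNameFilter.getType()) {
            case NAMEVALUE:
                search.addFilterOr(new Filter[] {Filter.isNull(str), Filter.equal(str + ".name", idNameFilter.getName())});
                return;
            case DEFAULT:
                search.addFilterNull(str);
                return;
            case ANY:
                return;
            case IDVALUE:
                search.addFilterOr(new Filter[] {Filter.isNull(str), Filter.equal(str + ".id", idNameFilter.getId())});
                return;
            default:
                throw new AssertionError();
        }
    }

    /**
     * Adds the search criterion for a text filter on the given field.
     *
     * <p>NAMEVALUE matches rows where the field is null or equals the text; DEFAULT matches only
     * rows where the field is null; ANY adds no criterion.
     *
     * @throws AssertionError for IDVALUE and any other filter type
     */
    private void addStringCriteria(Search search, String str, RuleFilter.TextFilter textFilter) {
        switch (textFilter.getType()) {
            case NAMEVALUE:
                search.addFilterOr(new Filter[] {Filter.isNull(str), Filter.equal(str, textFilter.getText())});
                return;
            case DEFAULT:
                search.addFilterNull(str);
                return;
            case ANY:
                return;
            case IDVALUE:
            default:
                throw new AssertionError();
        }
    }

    /**
     * Delegates to the configured {@link AuthorizationService}.
     *
     * @deprecated call the {@link AuthorizationService} directly.
     */
    @Deprecated
    public AuthUser authorize(String str, String str2) {
        return this.authorizationService.authorize(str, str2);
    }

    /** Wraps each rule in a {@link ShortRule}, preserving order. */
    private List<ShortRule> convertToShortList(List<Rule> list) {
        List<ShortRule> shortRules = new ArrayList<>(list.size());
        for (Rule rule : list) {
            shortRules.add(new ShortRule(rule));
        }
        return shortRules;
    }

    public void setRuleDAO(RuleDAO ruleDAO) {
        this.ruleDAO = ruleDAO;
    }

    public void setAdminRuleDAO(AdminRuleDAO adminRuleDAO) {
        this.adminRuleDAO = adminRuleDAO;
    }

    public void setLayerDetailsDAO(LayerDetailsDAO layerDetailsDAO) {
        this.detailsDAO = layerDetailsDAO;
    }

    public void setUserResolver(UserResolver userResolver) {
        this.userResolver = userResolver;
    }

    public void setAuthorizationService(AuthorizationService authorizationService) {
        this.authorizationService = authorizationService;
    }

    /**
     * Tells whether the filter is granted admin rights.
     *
     * <p>Admin rights are granted when the first matching admin rule of at least one evaluated
     * role has access ADMIN; a missing rule or a rejected role validation means no admin rights.
     */
    private boolean getAdminAuth(RuleFilter ruleFilter) {
        Set<String> roles = validateUserRoles(ruleFilter);
        if (roles == null) {
            return false;
        }
        boolean isAdmin = false;
        if (roles.isEmpty()) {
            AdminRule adminRule = getAdminAuthAux(ruleFilter, ruleFilter.getRole());
            isAdmin = adminRule != null && adminRule.getAccess() == AdminGrantType.ADMIN;
        } else {
            for (String role : roles) {
                RuleFilter.TextFilter roleFilter = new RuleFilter.TextFilter(role);
                roleFilter.setIncludeDefault(true);
                AdminRule adminRule = getAdminAuthAux(ruleFilter, roleFilter);
                if (adminRule != null && adminRule.getAccess() == AdminGrantType.ADMIN) {
                    isAdmin = true;
                }
            }
        }
        return isAdmin;
    }

    /**
     * Fetches the highest-priority admin rule matching the filter for one role filter.
     *
     * @return the rule, or {@code null} if none is left after address filtering
     * @throws IllegalStateException if more than one rule is left after address filtering
     */
    protected AdminRule getAdminAuthAux(RuleFilter ruleFilter, RuleFilter.TextFilter textFilter) {
        Search search = new Search(AdminRule.class);
        search.addSortAsc("priority");
        addStringCriteria(search, "username", ruleFilter.getUser());
        addStringCriteria(search, "rolename", textFilter);
        addCriteria(search, "instance", ruleFilter.getInstance());
        addStringCriteria(search, "workspace", ruleFilter.getWorkspace());
        // NOTE(review): the query is capped at one row before the address post-filter runs. If
        // filterByAddress can discard that row, lower-priority admin rules are never examined
        // and the caller sees "no admin rule". That fails closed, but confirm it is intended.
        search.setMaxResults(1);
        List<?> matches = FilterUtils.filterByAddress(ruleFilter, this.adminRuleDAO.search(search));
        switch (matches.size()) {
            case 0:
                return null;
            case 1:
                return (AdminRule) matches.get(0);
            default:
                throw new IllegalStateException("Too many admin auth rules");
        }
    }
}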
