package org.geoserver.security.validation;

import java.io.IOException;
import java.util.Iterator;
import java.util.List;
import java.util.SortedSet;
import org.geoserver.platform.GeoServerExtensions;
import org.geoserver.security.GeoServerAuthenticationProvider;
import org.geoserver.security.GeoServerRoleService;
import org.geoserver.security.GeoServerSecurityManager;
import org.geoserver.security.GeoServerSecurityProvider;
import org.geoserver.security.GeoServerUserGroupService;
import org.geoserver.security.MasterPasswordProvider;
import org.geoserver.security.config.PasswordPolicyConfig;
import org.geoserver.security.config.SecurityAuthProviderConfig;
import org.geoserver.security.config.SecurityManagerConfig;
import org.geoserver.security.config.SecurityNamedServiceConfig;
import org.geoserver.security.config.SecurityRoleServiceConfig;
import org.geoserver.security.config.SecurityUserGroupServiceConfig;
import org.geoserver.security.filter.GeoServerSecurityFilter;
import org.geoserver.security.impl.GeoServerRole;
import org.geoserver.security.password.GeoServerPasswordEncoder;
import org.geoserver.security.password.MasterPasswordProviderConfig;
import org.geoserver.security.password.PasswordValidator;
import org.springframework.beans.factory.NoSuchBeanDefinitionException;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.util.StringUtils;

/* loaded from: input_file:org/geoserver/security/validation/SecurityConfigValidator.class */
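/**
 * Validates changes to the security configuration before they are applied: the global
 * manager configuration and the named services (user/group services, role services,
 * authentication providers, filters, password policies, master password providers).
 *
 * <p>Every check reports a failure as a {@link SecurityConfigException} carrying an error
 * code. I/O failures while listing or loading existing configuration are rethrown as
 * {@link RuntimeException}.
 */
public class SecurityConfigValidator extends AbstractSecurityValidator {
    public SecurityConfigValidator(GeoServerSecurityManager geoServerSecurityManager) {
        super(geoServerSecurityManager);
    }

    /**
     * Looks up the security provider for the given extension point and implementation class
     * name and asks it for its configuration validator.
     *
     * @param cls extension point the service belongs to
     * @param str implementation class name taken from the service configuration
     * @return the validator created by the matching provider
     * @throws SecurityConfigException with {@code CLASSNAME_REQUIRED} if {@code str} is null
     */
    public static SecurityConfigValidator getConfigurationValiator(Class<?> cls, String str) throws SecurityConfigException {
        // Reject a missing class name before it is handed to the provider lookup, so the
        // caller gets the documented error code instead of whatever the lookup does with null.
        if (str == null) {
            throw new SecurityConfigException(SecurityConfigException.CLASSNAME_REQUIRED, new Object[0]);
        }
        GeoServerSecurityProvider provider = GeoServerSecurityProvider.getProvider(cls, str);
        return provider.createConfigurationValidator((GeoServerSecurityManager) GeoServerExtensions.bean(GeoServerSecurityManager.class));
    }

    /**
     * Validates the global security manager configuration.
     *
     * <p>Checks, in order: a configuration password encoder is named, can be loaded and is
     * reversible; the encoder is usable when strong encryption is not available; the
     * configured role service exists; every listed authentication provider exists; a filter
     * chain is present.
     *
     * @param securityManagerConfig configuration to validate
     * @throws SecurityConfigException if any of the checks fails
     */
    public void validateManagerConfig(SecurityManagerConfig securityManagerConfig) throws SecurityConfigException {
        String configPasswordEncrypterName = securityManagerConfig.getConfigPasswordEncrypterName();
        if (!isNotEmpty(configPasswordEncrypterName)) {
            throw createSecurityException(SecurityConfigException.PASSWORD_ENCODER_REQUIRED);
        }
        try {
            GeoServerPasswordEncoder encoder = this.manager.loadPasswordEncoder(configPasswordEncrypterName);
            // A missing encoder and a non-reversible (digest-style) encoder are both rejected
            // with the same code: only reversible encoders are accepted for configuration
            // passwords.
            if (encoder == null || !encoder.isReversible()) {
                throw createSecurityException(SecurityConfigException.INVALID_PASSWORD_ENCODER_$1, configPasswordEncrypterName);
            }
            if (!this.manager.isStrongEncryptionAvailable() && !encoder.isAvailableWithoutStrongCryptogaphy()) {
                throw createSecurityException(SecurityConfigException.INVALID_STRONG_CONFIG_PASSWORD_ENCODER);
            }

            // A null role service name is looked up as the empty string, which fails the
            // existence check unless a service with that name is listed.
            String roleServiceName = securityManagerConfig.getRoleServiceName();
            if (roleServiceName == null) {
                roleServiceName = "";
            }
            if (!this.manager.listRoleServices().contains(roleServiceName)) {
                throw createSecurityException(SecurityConfigException.ROLE_SERVICE_NOT_FOUND_$1, roleServiceName);
            }

            SortedSet<String> knownProviders = this.manager.listAuthenticationProviders();
            for (String providerName : securityManagerConfig.getAuthProviderNames()) {
                if (!knownProviders.contains(providerName)) {
                    throw createSecurityException(SecurityConfigException.AUTH_PROVIDER_NOT_FOUND_$1, providerName);
                }
            }

            if (securityManagerConfig.getFilterChain() == null) {
                throw createSecurityException(SecurityConfigException.FILTER_CHAIN_NULL_ERROR);
            }
        } catch (NoSuchBeanDefinitionException e) {
            // Any missing-bean failure in this method is reported as an invalid encoder name.
            throw createSecurityException(SecurityConfigException.INVALID_PASSWORD_ENCODER_$1, configPasswordEncrypterName);
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Checks that a configured implementation class exists and is a subtype of the extension
     * point.
     *
     * @param cls extension point type the implementation must be assignable to
     * @param str fully qualified implementation class name from the configuration
     * @throws SecurityConfigException with {@code CLASSNAME_REQUIRED}, {@code CLASS_NOT_FOUND_$1}
     *     or {@code CLASS_WRONG_TYPE_$2}
     */
    protected void checkExtensionPont(Class<?> cls, String str) throws SecurityConfigException {
        if (!isNotEmpty(str)) {
            throw createSecurityException(SecurityConfigException.CLASSNAME_REQUIRED);
        }
        try {
            // Load without initializing: this is only a type check on a class name that comes
            // from configuration, so its static initializers should not run as a side effect
            // of validation.
            Class<?> candidate = Class.forName(str, false, SecurityConfigValidator.class.getClassLoader());
            if (!cls.isAssignableFrom(candidate)) {
                throw createSecurityException(SecurityConfigException.CLASS_WRONG_TYPE_$2, cls, str);
            }
        } catch (ClassNotFoundException e) {
            throw createSecurityException(SecurityConfigException.CLASS_NOT_FOUND_$1, str);
        }
    }

    /**
     * Checks that a service name is present.
     *
     * @param cls extension point (not used by this check)
     * @param str service name
     * @throws SecurityConfigException with {@code NAME_REQUIRED} if the name is null or empty
     */
    protected void checkServiceName(Class<?> cls, String str) throws SecurityConfigException {
        if (str == null || str.isEmpty()) {
            throw createSecurityException("NAME_REQUIRED");
        }
    }

    /**
     * Returns the names of the services currently known to the manager for an extension point.
     *
     * @param cls extension point class
     * @return the names listed by the security manager
     * @throws RuntimeException if the extension point is not one handled here, or if listing
     *     fails with an {@link IOException}
     */
    protected SortedSet<String> getNamesFor(Class<?> cls) {
        try {
            if (cls == GeoServerUserGroupService.class) {
                return this.manager.listUserGroupServices();
            }
            if (cls == GeoServerRoleService.class) {
                return this.manager.listRoleServices();
            }
            // Both the GeoServer and the plain Spring provider type map to the same listing.
            if (cls == GeoServerAuthenticationProvider.class || cls == AuthenticationProvider.class) {
                return this.manager.listAuthenticationProviders();
            }
            if (cls == GeoServerSecurityFilter.class) {
                return this.manager.listFilters();
            }
            if (cls == PasswordValidator.class) {
                return this.manager.listPasswordValidators();
            }
            if (cls == MasterPasswordProvider.class) {
                return this.manager.listMasterPasswordProviders();
            }
            throw new RuntimeException("Unkwnown extension point: " + cls.getName());
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Validates a named service that is about to be added: implementation class, name, and
     * that no service with the same name already exists for the extension point.
     *
     * @throws SecurityConfigException if a check fails
     */
    public void validateAddNamedService(Class<?> cls, SecurityNamedServiceConfig securityNamedServiceConfig) throws SecurityConfigException {
        checkExtensionPont(cls, securityNamedServiceConfig.getClassName());
        String serviceName = securityNamedServiceConfig.getName();
        checkServiceName(cls, serviceName);
        if (getNamesFor(cls).contains(serviceName)) {
            throw createSecurityException(alreadyExistsErrorCode(cls), serviceName);
        }
    }

    /**
     * Validates a named service that is about to be modified: implementation class, name, and
     * that a service with that name exists for the extension point.
     *
     * @throws SecurityConfigException if a check fails
     */
    public void validateModifiedNamedService(Class<?> cls, SecurityNamedServiceConfig securityNamedServiceConfig) throws SecurityConfigException {
        checkExtensionPont(cls, securityNamedServiceConfig.getClassName());
        String serviceName = securityNamedServiceConfig.getName();
        checkServiceName(cls, serviceName);
        if (!getNamesFor(cls).contains(serviceName)) {
            throw createSecurityException(notFoundErrorCode(cls), serviceName);
        }
    }

    /**
     * Validates a named service that is about to be removed. Only the name is checked here;
     * the "still in use" checks live in the type-specific remove methods.
     *
     * @throws SecurityConfigException if the name is missing
     */
    public void validateRemoveNamedService(Class<?> cls, SecurityNamedServiceConfig securityNamedServiceConfig) throws SecurityConfigException {
        checkServiceName(cls, securityNamedServiceConfig.getName());
    }

    /** Validates a user/group service that is about to be added. */
    public void validateAddUserGroupService(SecurityUserGroupServiceConfig securityUserGroupServiceConfig) throws SecurityConfigException {
        validateAddNamedService(GeoServerUserGroupService.class, securityUserGroupServiceConfig);
        validate(securityUserGroupServiceConfig);
    }

    /** Validates a role service that is about to be added. */
    public void validateAddRoleService(SecurityRoleServiceConfig securityRoleServiceConfig) throws SecurityConfigException {
        validateAddNamedService(GeoServerRoleService.class, securityRoleServiceConfig);
        validate(securityRoleServiceConfig);
    }

    /** Validates a password policy that is about to be added. */
    public void validateAddPasswordPolicy(PasswordPolicyConfig passwordPolicyConfig) throws SecurityConfigException {
        validateAddNamedService(PasswordValidator.class, passwordPolicyConfig);
        validate(passwordPolicyConfig);
    }

    /** Validates an authentication provider that is about to be added. */
    public void validateAddAuthProvider(SecurityAuthProviderConfig securityAuthProviderConfig) throws SecurityConfigException {
        validateAddNamedService(GeoServerAuthenticationProvider.class, securityAuthProviderConfig);
        validate(securityAuthProviderConfig);
    }

    /** Validates a security filter that is about to be added (generic named-service checks only). */
    public void validateAddFilter(SecurityNamedServiceConfig securityNamedServiceConfig) throws SecurityConfigException {
        validateAddNamedService(GeoServerSecurityFilter.class, securityNamedServiceConfig);
    }

    /** Validates a master password provider that is about to be added. */
    public void validateAddMasterPasswordProvider(MasterPasswordProviderConfig masterPasswordProviderConfig) throws SecurityConfigException {
        validateAddNamedService(MasterPasswordProvider.class, masterPasswordProviderConfig);
        validate(masterPasswordProviderConfig);
    }

    /**
     * Validates a modified user/group service. Only the first argument is validated; the
     * second argument is not read.
     */
    public void validateModifiedUserGroupService(SecurityUserGroupServiceConfig securityUserGroupServiceConfig, SecurityUserGroupServiceConfig securityUserGroupServiceConfig2) throws SecurityConfigException {
        validateModifiedNamedService(GeoServerUserGroupService.class, securityUserGroupServiceConfig);
        validate(securityUserGroupServiceConfig);
    }

    /**
     * Validates a modified role service. Only the first argument is validated; the second
     * argument is not read.
     */
    public void validateModifiedRoleService(SecurityRoleServiceConfig securityRoleServiceConfig, SecurityRoleServiceConfig securityRoleServiceConfig2) throws SecurityConfigException {
        validateModifiedNamedService(GeoServerRoleService.class, securityRoleServiceConfig);
        validate(securityRoleServiceConfig);
    }

    /**
     * Validates a modified password policy. Only the first argument is validated; the second
     * argument is not read.
     */
    public void validateModifiedPasswordPolicy(PasswordPolicyConfig passwordPolicyConfig, PasswordPolicyConfig passwordPolicyConfig2) throws SecurityConfigException {
        validateModifiedNamedService(PasswordValidator.class, passwordPolicyConfig);
        validate(passwordPolicyConfig);
    }

    /**
     * Validates a modified authentication provider. Only the first argument is validated; the
     * second argument is not read.
     */
    public void validateModifiedAuthProvider(SecurityAuthProviderConfig securityAuthProviderConfig, SecurityAuthProviderConfig securityAuthProviderConfig2) throws SecurityConfigException {
        validateModifiedNamedService(GeoServerAuthenticationProvider.class, securityAuthProviderConfig);
        validate(securityAuthProviderConfig);
    }

    /**
     * Validates a modified security filter. Only the first argument is validated; the second
     * argument is not read.
     */
    public void validateModifiedFilter(SecurityNamedServiceConfig securityNamedServiceConfig, SecurityNamedServiceConfig securityNamedServiceConfig2) throws SecurityConfigException {
        validateModifiedNamedService(GeoServerSecurityFilter.class, securityNamedServiceConfig);
    }

    /**
     * Validates a modified master password provider. Only the first argument is validated;
     * the second argument is not read.
     */
    public void validateModifiedMasterPasswordProvider(MasterPasswordProviderConfig masterPasswordProviderConfig, MasterPasswordProviderConfig masterPasswordProviderConfig2) throws SecurityConfigException {
        validateModifiedNamedService(MasterPasswordProvider.class, masterPasswordProviderConfig);
        validate(masterPasswordProviderConfig);
    }

    /**
     * Refuses to remove a user/group service that a configured authentication provider still
     * references.
     *
     * @throws SecurityConfigException with {@code USERGROUP_SERVICE_ACTIVE_$2} naming the
     *     service and the provider that uses it
     */
    public void validateRemoveUserGroupService(SecurityUserGroupServiceConfig securityUserGroupServiceConfig) throws SecurityConfigException {
        validateRemoveNamedService(GeoServerUserGroupService.class, securityUserGroupServiceConfig);
        try {
            for (String providerName : this.manager.listAuthenticationProviders()) {
                SecurityAuthProviderConfig providerConfig = this.manager.loadAuthenticationProviderConfig(providerName);
                String referencedService = providerConfig.getUserGroupServiceName();
                if (isNotEmpty(referencedService) && referencedService.equals(securityUserGroupServiceConfig.getName())) {
                    throw createSecurityException(SecurityConfigException.USERGROUP_SERVICE_ACTIVE_$2, securityUserGroupServiceConfig.getName(), providerConfig.getName());
                }
            }
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Refuses to remove the role service that is currently active.
     *
     * @throws SecurityConfigException with {@code ROLE_SERVICE_ACTIVE_$1}
     */
    public void validateRemoveRoleService(SecurityRoleServiceConfig securityRoleServiceConfig) throws SecurityConfigException {
        validateRemoveNamedService(GeoServerRoleService.class, securityRoleServiceConfig);
        // NOTE(review): assumes the manager always has an active role service with a
        // non-null name; confirm, otherwise this dereference fails before the check.
        if (this.manager.getActiveRoleService().getName().equals(securityRoleServiceConfig.getName())) {
            throw createSecurityException(SecurityConfigException.ROLE_SERVICE_ACTIVE_$1, securityRoleServiceConfig.getName());
        }
    }

    /**
     * Refuses to remove the master password policy or a policy that a user/group service
     * still references.
     *
     * @throws SecurityConfigException with {@code PASSWD_POLICY_MASTER_DELETE} or
     *     {@code PASSWD_POLICY_ACTIVE_$2}
     */
    public void validateRemovePasswordPolicy(PasswordPolicyConfig passwordPolicyConfig) throws SecurityConfigException {
        validateRemoveNamedService(PasswordValidator.class, passwordPolicyConfig);
        String policyName = passwordPolicyConfig.getName();
        if (PasswordValidator.MASTERPASSWORD_NAME.equals(policyName)) {
            throw createSecurityException(SecurityConfigException.PASSWD_POLICY_MASTER_DELETE);
        }
        try {
            for (String serviceName : this.manager.listUserGroupServices()) {
                SecurityUserGroupServiceConfig serviceConfig = this.manager.loadUserGroupServiceConfig(serviceName);
                // Compare from the validated, non-empty policy name so that a stored service
                // without a policy name cannot abort the in-use check with a
                // NullPointerException.
                if (policyName.equals(serviceConfig.getPasswordPolicyName())) {
                    throw createSecurityException(SecurityConfigException.PASSWD_POLICY_ACTIVE_$2, policyName, serviceConfig.getName());
                }
            }
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Refuses to remove an authentication provider that is among the manager's current
     * providers.
     *
     * @throws SecurityConfigException with {@code AUTH_PROVIDER_ACTIVE_$1}
     */
    public void validateRemoveAuthProvider(SecurityAuthProviderConfig securityAuthProviderConfig) throws SecurityConfigException {
        validateRemoveNamedService(GeoServerAuthenticationProvider.class, securityAuthProviderConfig);
        String providerName = securityAuthProviderConfig.getName();
        for (GeoServerAuthenticationProvider activeProvider : this.manager.getAuthenticationProviders()) {
            // Compare from the validated name so a provider with a null name does not stop
            // the scan before the remaining providers are checked.
            if (providerName.equals(activeProvider.getName())) {
                throw createSecurityException(SecurityConfigException.AUTH_PROVIDER_ACTIVE_$1, providerName);
            }
        }
    }

    /**
     * Refuses to remove a filter that the current filter chain still maps to at least one
     * pattern.
     *
     * @throws SecurityConfigException with {@code FILTER_STILL_USED} naming the filter and the
     *     comma-separated patterns
     */
    public void validateRemoveFilter(SecurityNamedServiceConfig securityNamedServiceConfig) throws SecurityConfigException {
        validateRemoveNamedService(GeoServerSecurityFilter.class, securityNamedServiceConfig);
        // NOTE(review): the lookup is keyed by getClassName() while the error reports
        // getName(); confirm patternsForFilter expects the class name, otherwise an in-use
        // filter would pass this check.
        List<String> patternsForFilter = this.manager.getSecurityConfig().getFilterChain().patternsForFilter(securityNamedServiceConfig.getClassName());
        if (!patternsForFilter.isEmpty()) {
            throw createSecurityException(SecurityConfigException.FILTER_STILL_USED, securityNamedServiceConfig.getName(), StringUtils.arrayToCommaDelimitedString(patternsForFilter.toArray()));
        }
    }

    /** Validates a master password provider that is about to be removed (name check only). */
    public void validateRemoveMasterPasswordProvider(MasterPasswordProviderConfig masterPasswordProviderConfig) throws SecurityConfigException {
        validateRemoveNamedService(MasterPasswordProvider.class, masterPasswordProviderConfig);
    }

    /**
     * Checks that a user/group service referenced by an authentication provider exists. A
     * provider without a user/group service name passes.
     *
     * @throws SecurityConfigException with {@code USERGROUP_SERVICE_NOT_FOUND_$1}
     */
    public void validate(SecurityAuthProviderConfig securityAuthProviderConfig) throws SecurityConfigException {
        String userGroupServiceName = securityAuthProviderConfig.getUserGroupServiceName();
        if (isNotEmpty(userGroupServiceName) && !getNamesFor(GeoServerUserGroupService.class).contains(userGroupServiceName)) {
            throw createSecurityException(SecurityConfigException.USERGROUP_SERVICE_NOT_FOUND_$1, userGroupServiceName);
        }
    }

    /**
     * Rejects a role service whose admin or group-admin role name equals the authority of one
     * of the built-in system roles, so a configured role cannot shadow a reserved one.
     *
     * @throws SecurityConfigException with {@code RESERVED_ROLE_NAME}
     */
    public void validate(SecurityRoleServiceConfig securityRoleServiceConfig) throws SecurityConfigException {
        for (GeoServerRole geoServerRole : GeoServerRole.SystemRoles) {
            String authority = geoServerRole.getAuthority();
            if (authority.equals(securityRoleServiceConfig.getAdminRoleName())
                    || authority.equals(securityRoleServiceConfig.getGroupAdminRoleName())) {
                throw createSecurityException(SecurityConfigException.RESERVED_ROLE_NAME, authority);
            }
        }
    }

    /**
     * Validates a user/group service configuration: a loadable password encoder that is
     * usable with the available cryptography, and an existing password policy.
     *
     * <p>Unlike the manager configuration check, the encoder is not required to be
     * reversible here.
     *
     * @throws SecurityConfigException if a check fails
     */
    public void validate(SecurityUserGroupServiceConfig securityUserGroupServiceConfig) throws SecurityConfigException {
        String passwordEncoderName = securityUserGroupServiceConfig.getPasswordEncoderName();
        if (!isNotEmpty(passwordEncoderName)) {
            throw createSecurityException(SecurityConfigException.PASSWD_ENCODER_REQUIRED_$1, securityUserGroupServiceConfig.getName());
        }
        try {
            GeoServerPasswordEncoder encoder = this.manager.loadPasswordEncoder(passwordEncoderName);
            if (encoder == null) {
                throw createSecurityException("INVALID_CONFIG_PASSWORD_ENCODER", passwordEncoderName);
            }
            if (!this.manager.isStrongEncryptionAvailable() && !encoder.isAvailableWithoutStrongCryptogaphy()) {
                throw createSecurityException("INVALID_CONFIG_PASSWORD_ENCODER");
            }
            String passwordPolicyName = securityUserGroupServiceConfig.getPasswordPolicyName();
            if (!isNotEmpty(passwordPolicyName)) {
                throw createSecurityException(SecurityConfigException.PASSWD_POLICY_REQUIRED_$1, securityUserGroupServiceConfig.getName());
            }
            if (!getNamesFor(PasswordValidator.class).contains(passwordPolicyName)) {
                throw createSecurityException(SecurityConfigException.PASSWD_POLICY_NOT_FOUND_$1, passwordPolicyName);
            }
        } catch (NoSuchBeanDefinitionException e) {
            // Any missing-bean failure in this method is reported as an invalid encoder name.
            throw createSecurityException("INVALID_CONFIG_PASSWORD_ENCODER", passwordEncoderName);
        }
    }

    /**
     * Validates the length bounds of a password policy: the minimum must not be negative, and
     * must not exceed the maximum unless the maximum is {@code -1}.
     *
     * <p>A minimum length of zero passes this check.
     *
     * @throws SecurityConfigException with {@code INVALID_MIN_LENGTH} or
     *     {@code INVALID_MAX_LENGTH}
     */
    public void validate(PasswordPolicyConfig passwordPolicyConfig) throws SecurityConfigException {
        if (passwordPolicyConfig.getMinLength() < 0) {
            throw createSecurityException(SecurityConfigException.INVALID_MIN_LENGTH);
        }
        // -1 exempts the maximum from the comparison (presumably "no upper limit").
        if (passwordPolicyConfig.getMaxLength() != -1 && passwordPolicyConfig.getMinLength() > passwordPolicyConfig.getMaxLength()) {
            throw createSecurityException(SecurityConfigException.INVALID_MAX_LENGTH);
        }
    }

    /** Performs no checks on a master password provider configuration. */
    public void validate(MasterPasswordProviderConfig masterPasswordProviderConfig) throws SecurityConfigException {
    }

    /**
     * Maps an extension point to its "already exists" error code.
     *
     * @throws RuntimeException if the extension point has no mapping
     */
    protected String alreadyExistsErrorCode(Class<?> cls) {
        // Accept the plain Spring provider type as well, matching getNamesFor.
        if (GeoServerAuthenticationProvider.class == cls || AuthenticationProvider.class == cls) {
            return SecurityConfigException.AUTH_PROVIDER_ALREADY_EXISTS_$1;
        }
        if (PasswordValidator.class == cls) {
            return SecurityConfigException.PASSWD_POLICY_ALREADY_EXISTS_$1;
        }
        if (GeoServerRoleService.class == cls) {
            return SecurityConfigException.ROLE_SERVICE_ALREADY_EXISTS_$1;
        }
        if (GeoServerUserGroupService.class == cls) {
            return SecurityConfigException.USERGROUP_SERVICE_ALREADY_EXISTS_$1;
        }
        if (GeoServerSecurityFilter.class == cls) {
            return SecurityConfigException.AUTH_FILTER_ALREADY_EXISTS_$1;
        }
        // NOTE(review): MasterPasswordProvider has no mapping, so adding a master password
        // provider under an existing name ends here with a RuntimeException instead of a
        // SecurityConfigException.
        throw new RuntimeException("Unkonw extension point: " + cls.getName());
    }

    /**
     * Maps an extension point to its "not found" error code.
     *
     * @throws RuntimeException if the extension point has no mapping
     */
    protected String notFoundErrorCode(Class<?> cls) {
        // Accept the plain Spring provider type as well, matching getNamesFor.
        if (GeoServerAuthenticationProvider.class == cls || AuthenticationProvider.class == cls) {
            return SecurityConfigException.AUTH_PROVIDER_NOT_FOUND_$1;
        }
        if (PasswordValidator.class == cls) {
            return SecurityConfigException.PASSWD_POLICY_NOT_FOUND_$1;
        }
        if (GeoServerRoleService.class == cls) {
            return SecurityConfigException.ROLE_SERVICE_NOT_FOUND_$1;
        }
        if (GeoServerUserGroupService.class == cls) {
            return SecurityConfigException.USERGROUP_SERVICE_NOT_FOUND_$1;
        }
        if (GeoServerSecurityFilter.class == cls) {
            return SecurityConfigException.AUTH_FILTER_NOT_FOUND_$1;
        }
        // NOTE(review): MasterPasswordProvider has no mapping, so modifying a master password
        // provider that does not exist ends here with a RuntimeException instead of a
        // SecurityConfigException.
        throw new RuntimeException("Unkonw extension point: " + cls.getName());
    }

    /**
     * Creates the exception for a failed check; subclasses can override this to return their
     * own exception type.
     *
     * @param str error code
     * @param objArr message arguments for the error code
     */
    protected SecurityConfigException createSecurityException(String str, Object... objArr) {
        return new SecurityConfigException(str, objArr);
    }
}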
