package org.infinispan.security.impl;

import java.security.AccessControlException;
import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import org.infinispan.commons.util.Util;
import org.infinispan.configuration.cache.AuthorizationConfiguration;
import org.infinispan.configuration.global.GlobalSecurityConfiguration;
import org.infinispan.security.AuditContext;
import org.infinispan.security.AuditLogger;
import org.infinispan.security.AuditResponse;
import org.infinispan.security.AuthorizationPermission;
import org.infinispan.security.PrincipalRoleMapper;
import org.infinispan.security.Role;
import org.infinispan.security.Security;
import org.infinispan.util.logging.Log;
import org.infinispan.util.logging.LogFactory;

/* loaded from: input_file:BOOT-INF/lib/infinispan-core-13.0.21.Final.jar:org/infinispan/security/impl/Authorizer.class */
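/**
 * Central permission check for Infinispan's cache authorization.
 * <p>
 * Decision order in {@link #checkPermission(AuthorizationConfiguration, Subject, String, AuditContext, String, AuthorizationPermission)}:
 * <ol>
 *   <li>If authorization is disabled in the global configuration, every check passes silently (no audit).</li>
 *   <li>If the caller runs in a privileged block ({@link Security#isPrivileged()}), the check is delegated to
 *       {@link Security#checkPermission} and is <em>not</em> audited.</li>
 *   <li>Otherwise the explicit {@link Subject} (or, if absent, {@link Security#getSubject()}) is resolved to a
 *       {@link SubjectACL} via the configured {@link PrincipalRoleMapper}; a hit is audited as ALLOW.</li>
 *   <li>If there is no subject, or the ACL does not grant the permission, the installed {@link SecurityManager}
 *       gets the final say. With no SecurityManager installed this path always denies (default-deny).</li>
 * </ol>
 * Any {@link SecurityException} from steps 3-4 is audited as DENY and re-thrown as the standard
 * unauthorized-access exception; the original exception is not attached as cause.
 * <p>
 * Thread-safety: the class holds no mutable state apart from {@link #aclCache}, which may be swapped via
 * {@link #setAclCache(Map)} without synchronization; the map implementation supplied by the caller determines
 * whether concurrent {@code computeIfAbsent} calls are safe.
 */
public class Authorizer {
    private static final Log log = LogFactory.getLog(Authorizer.class);
    /** ACL returned when authorization is disabled: no roles, every permission bit set. */
    public static final SubjectACL SUPERUSER = new SubjectACL(Collections.emptySet(), AuthorizationPermission.ALL.getMask());
    private final GlobalSecurityConfiguration globalConfiguration;
    private final AuditLogger audit;
    private final AuditContext context;
    /** Name recorded in audit events and used as part of the ACL-cache key. */
    private final String name;
    /** Optional ACL cache keyed by (subject, name); {@code null} means recompute on every check. */
    private Map<CacheSubjectPair, SubjectACL> aclCache;

    /**
     * @param globalSecurityConfiguration global security settings; its authorization section supplies the audit
     *                                    logger, the role mapper and the role definitions
     * @param auditContext                default context reported to the audit logger
     * @param name                        name reported to the audit logger and used in the ACL-cache key
     * @param aclCache                    cache of computed ACLs, or {@code null} to disable caching
     */
    public Authorizer(GlobalSecurityConfiguration globalSecurityConfiguration, AuditContext auditContext, String name, Map<CacheSubjectPair, SubjectACL> aclCache) {
        this.globalConfiguration = globalSecurityConfiguration;
        this.audit = globalSecurityConfiguration.authorization().auditLogger();
        this.context = auditContext;
        this.name = name;
        this.aclCache = aclCache;
    }

    /** Replaces the ACL cache. Previously cached entries in the old map are simply no longer consulted. */
    public void setAclCache(Map<CacheSubjectPair, SubjectACL> aclCache) {
        this.aclCache = aclCache;
    }

    /** Checks {@code perm} for the current subject, audited under this authorizer's name and context. */
    public void checkPermission(AuthorizationPermission perm) {
        checkPermission(null, null, this.name, this.context, null, perm);
    }

    /** Checks {@code perm} and additionally requires the subject to hold {@code requiredRole}. */
    public void checkPermission(AuthorizationPermission perm, String requiredRole) {
        checkPermission(null, null, this.name, this.context, requiredRole, perm);
    }

    /** Checks {@code perm} for the current subject against a cache-level authorization configuration. */
    public void checkPermission(AuthorizationConfiguration configuration, AuthorizationPermission perm) {
        checkPermission(configuration, null, this.name, this.context, null, perm);
    }

    /** Checks {@code perm} for an explicit subject, audited under this authorizer's name and context. */
    public void checkPermission(Subject subject, AuthorizationPermission perm) {
        checkPermission(null, subject, this.name, this.context, null, perm);
    }

    /** Equivalent to {@link #getACL(Subject, AuthorizationConfiguration)} with a {@code null} configuration. */
    public SubjectACL getACL(Subject subject) {
        return getACL(subject, null);
    }

    /**
     * Returns the effective ACL for {@code subject}.
     * <p>
     * Returns {@link #SUPERUSER} when authorization is disabled globally, or when a non-null {@code configuration}
     * has authorization disabled; a {@code null} configuration is treated as "enabled". Otherwise the ACL is
     * computed fresh (this method does not consult {@link #aclCache}).
     */
    public SubjectACL getACL(Subject subject, AuthorizationConfiguration configuration) {
        boolean globallyEnabled = this.globalConfiguration.authorization().enabled();
        boolean cacheEnabled = configuration == null || configuration.enabled();
        if (globallyEnabled && cacheEnabled) {
            return computeSubjectACL(subject, configuration);
        }
        return SUPERUSER;
    }

    /**
     * Checks {@code perm} and {@code requiredRole} for an explicit subject against a cache-level configuration.
     * NOTE(review): unlike the other overloads this passes {@code null}, not {@code this.name}, as the audited
     * name — confirm this is intended, as DENY/ALLOW audit events from this path carry no resource name.
     */
    public void checkPermission(AuthorizationConfiguration configuration, Subject subject, AuthorizationPermission perm, String requiredRole) {
        checkPermission(configuration, subject, null, this.context, requiredRole, perm);
    }

    /** Checks {@code perm} for an explicit subject under an explicit audit context (no audited name). */
    public void checkPermission(Subject subject, AuthorizationPermission perm, AuditContext auditContext) {
        checkPermission(null, subject, null, auditContext, null, perm);
    }

    /** Checks {@code perm} for an explicit subject under an explicit audited name and context. */
    public void checkPermission(Subject subject, AuthorizationPermission perm, String resourceName, AuditContext auditContext) {
        checkPermission(null, subject, resourceName, auditContext, null, perm);
    }

    /**
     * Full permission check; all other {@code checkPermission} overloads delegate here.
     *
     * @param configuration cache-level authorization configuration, or {@code null} for a global check
     * @param subject       subject to check, or {@code null} to use {@link Security#getSubject()}
     * @param resourceName  name passed to the audit logger (may be {@code null})
     * @param auditContext  context passed to the audit logger
     * @param requiredRole  role the subject must additionally hold, or {@code null} for no role requirement
     * @param perm          permission being requested
     * @throws SecurityException if the permission is denied; the denial is audited first. Note that when the
     *                           caller is privileged the {@link Security#checkPermission} exception propagates
     *                           directly and nothing is audited.
     */
    public void checkPermission(AuthorizationConfiguration configuration, Subject subject, String resourceName, AuditContext auditContext, String requiredRole, AuthorizationPermission perm) {
        if (!this.globalConfiguration.authorization().enabled()) {
            // Authorization switched off globally: nothing to enforce and nothing to audit.
            return;
        }
        if (Security.isPrivileged()) {
            // Privileged (internal) caller: java.security check only, no audit trail.
            Security.checkPermission(perm.getSecurityPermission());
            return;
        }
        Subject effectiveSubject = subject != null ? subject : Security.getSubject();
        try {
            if (effectiveSubject == null) {
                // No subject at all: only an installed SecurityManager can grant access.
                checkSecurityManagerPermission(perm);
            } else if (checkSubjectPermissionAndRole(effectiveSubject, configuration, perm, requiredRole)) {
                this.audit.audit(effectiveSubject, auditContext, resourceName, perm, AuditResponse.ALLOW);
            } else {
                // ACL did not grant it; a SecurityManager may still. Access granted this way is NOT audited as ALLOW.
                checkSecurityManagerPermission(perm);
            }
        } catch (SecurityException e) {
            this.audit.audit(effectiveSubject, auditContext, resourceName, perm, AuditResponse.DENY);
            // The underlying SecurityException is deliberately not attached as a cause (avoids leaking internals).
            throw Log.SECURITY.unauthorizedAccess(Util.prettyPrintSubject(effectiveSubject), perm.toString());
        }
    }

    /**
     * Delegates to the installed {@link SecurityManager}; denies outright when none is installed.
     *
     * @throws AccessControlException (a {@link SecurityException}) if no SecurityManager is installed
     * @throws SecurityException      if the SecurityManager denies the permission
     */
    private void checkSecurityManagerPermission(AuthorizationPermission perm) {
        // Read the manager once so the null check and the call operate on the same instance.
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager == null) {
            // Default-deny: nothing left that could grant the permission.
            throw new AccessControlException("", perm.getSecurityPermission());
        }
        securityManager.checkPermission(perm.getSecurityPermission());
    }

    /**
     * Resolves the subject's ACL (from the cache when one is configured) and tests it against {@code perm}
     * and, if given, {@code requiredRole}.
     * <p>
     * NOTE(review): the cache key is {@code (subject, this.name)} only — {@code configuration} is not part of it.
     * The first ACL computed for a subject on this Authorizer is therefore reused by later calls even if they pass
     * a different {@link AuthorizationConfiguration}; callers must ensure one Authorizer is always paired with
     * the same configuration, or bypass the cache.
     */
    private boolean checkSubjectPermissionAndRole(Subject subject, AuthorizationConfiguration configuration, AuthorizationPermission perm, String requiredRole) {
        if (subject == null) {
            return false;
        }
        SubjectACL acl;
        if (this.aclCache != null) {
            acl = this.aclCache.computeIfAbsent(new CacheSubjectPair(subject, this.name), key -> computeSubjectACL(subject, configuration));
        } else {
            acl = computeSubjectACL(subject, configuration);
        }
        boolean granted = acl.matches(perm.getMask()) && (requiredRole == null || acl.containsRole(requiredRole));
        if (log.isTraceEnabled()) {
            log.tracef("Check subject '%s' with ACL '%s' has permission '%s' and role '%s' = %b", subject, acl, perm, requiredRole, Boolean.valueOf(granted));
        }
        return granted;
    }

    /**
     * Builds the ACL for {@code subject}: the union of roles mapped from each of its principals, and the OR of
     * the permission masks of those roles that apply to this cache.
     * <p>
     * Which mapped roles contribute to the mask depends on {@code configuration}:
     * <ul>
     *   <li>{@code null} (global check): every role known to the global configuration.</li>
     *   <li>non-null with an empty role list: only global roles flagged {@link Role#isInheritable()}.</li>
     *   <li>non-null with explicit roles: only the roles listed there (inheritability is not consulted).</li>
     * </ul>
     * Role names returned by the mapper that have no global {@link Role} definition are kept in the ACL's role
     * set (so {@code containsRole} still sees them) but contribute no permission bits.
     */
    private SubjectACL computeSubjectACL(Subject subject, AuthorizationConfiguration configuration) {
        PrincipalRoleMapper roleMapper = this.globalConfiguration.authorization().principalRoleMapper();
        Set<Principal> principals = subject.getPrincipals();
        Set<String> roleNames = new HashSet<>(principals.size());
        for (Principal principal : principals) {
            Set<String> mapped = roleMapper.principalToRoles(principal);
            if (mapped != null) {
                roleNames.addAll(mapped);
            }
        }

        Map<String, Role> globalRoles = this.globalConfiguration.authorization().roles();
        // Cache config present but declares no roles: fall back to inheritable global roles only.
        boolean inheritableOnly = configuration != null && configuration.roles().isEmpty();
        int mask = 0;
        for (String roleName : roleNames) {
            boolean applicable = configuration == null || inheritableOnly || configuration.roles().contains(roleName);
            if (!applicable) {
                continue;
            }
            Role role = globalRoles.get(roleName);
            if (role == null) {
                continue; // mapped role with no global definition: no permission bits
            }
            if (inheritableOnly && !role.isInheritable()) {
                continue;
            }
            mask |= role.getMask();
        }
        if (log.isTraceEnabled()) {
            log.tracef("Subject '%s' has roles '%s' and permission mask %d", subject, roleNames, Integer.valueOf(mask));
        }
        return new SubjectACL(roleNames, mask);
    }
}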
