package io.telicent.smart.cache.search.security;

import io.telicent.jena.abac.AttributeValueSet;
import io.telicent.jena.abac.Hierarchy;
import io.telicent.jena.abac.attributes.Attribute;
import io.telicent.jena.abac.attributes.AttributeExpr;
import io.telicent.jena.abac.attributes.AttributeParser;
import io.telicent.jena.abac.attributes.AttributeSyntaxError;
import io.telicent.jena.abac.core.AttributesStore;
import io.telicent.jena.abac.core.CxtABAC;
import io.telicent.smart.cache.search.model.Document;
import io.telicent.smart.cache.search.model.utils.FieldNameExpression;
import io.telicent.smart.cache.search.model.utils.PathMatchingVisitor;
import io.telicent.smart.cache.search.options.SearchOptions;
import io.telicent.smart.cache.search.options.SecurityOptions;
import io.telicent.smart.cache.search.options.TypeFilterOptions;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.function.BiConsumer;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.jena.atlas.lib.Cache;
import org.apache.jena.sparql.core.DatasetGraphZero;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/telicent/smart/cache/search/security/SecureSearchContext.class */
public final class SecureSearchContext {
    private static final Logger LOGGER = LoggerFactory.getLogger(SecureSearchContext.class);
    private final SearchOptions searchOptions;
    private final AttributeValueSet userAttributes;
    private final AttributesStore store;
    private final CxtABAC abacContext;
    private final Cache<String, List<AttributeExpr>> labelsToExpressions;
    private final RedactedDocumentsCache redactedDocumentsCache;
    private final Map<AttributeExpr, Boolean> evaluations = new HashMap();
    private final List<FieldNameExpression> typeFilterFields = new ArrayList();

    /* loaded from: input_file:io/telicent/smart/cache/search/security/SecureSearchContext$Builder.class */
    public static class Builder {
        private SearchOptions searchOptions;
        private AttributesStore store;
        private Cache<String, List<AttributeExpr>> labelsToExpressions;
        private RedactedDocumentsCache redactedDocumentsCache;
        private AttributeValueSet userAttributes = AttributeValueSet.EMPTY;
        private List<FieldNameExpression> typeFilterFields = new ArrayList();

        public Builder userAttributes(AttributeValueSet attributeValueSet) {
            this.userAttributes = attributeValueSet != null ? attributeValueSet : AttributeValueSet.EMPTY;
            return this;
        }

        public Builder noUserAttributes() {
            return userAttributes(AttributeValueSet.EMPTY);
        }

        public Builder attributesStore(AttributesStore attributesStore) {
            this.store = attributesStore;
            return this;
        }

        public Builder noAttributesStore() {
            return attributesStore(null);
        }

        public Builder withParserCache(Cache<String, List<AttributeExpr>> cache) {
            this.labelsToExpressions = cache;
            return this;
        }

        public Builder withoutParserCache() {
            return withParserCache(null);
        }

        public Builder withRedactionCache(int i, int i2, Duration duration) {
            return withRedactionCache(RedactedDocumentsConfiguration.create(i, i2, duration));
        }

        public Builder withRedactionCache(RedactedDocumentsCache redactedDocumentsCache) {
            this.redactedDocumentsCache = redactedDocumentsCache;
            return this;
        }

        public Builder withoutRedactionCache() {
            return withRedactionCache(null);
        }

        public Builder typeFilterFields(List<FieldNameExpression> list) {
            this.typeFilterFields.clear();
            this.typeFilterFields.addAll(list);
            return this;
        }

        public Builder withoutTypeFiltering() {
            this.typeFilterFields.clear();
            return this;
        }

        public Builder fromSearchOptions(SearchOptions searchOptions) {
            this.searchOptions = searchOptions;
            return this.searchOptions != null ? fromSecurityOptions(searchOptions.getSecurity()) : this;
        }

        public Builder fromSecurityOptions(SecurityOptions securityOptions) {
            return userAttributes(securityOptions.getAttributes()).attributesStore(securityOptions.getAttributesStore()).withParserCache(securityOptions.getLabelsToExpressions());
        }

        public SecureSearchContext build() {
            return new SecureSearchContext(this.searchOptions, this.userAttributes, this.store, this.labelsToExpressions, this.redactedDocumentsCache, this.typeFilterFields);
        }
    }

    private SecureSearchContext(SearchOptions searchOptions, AttributeValueSet attributeValueSet, AttributesStore attributesStore, Cache<String, List<AttributeExpr>> cache, RedactedDocumentsCache redactedDocumentsCache, List<FieldNameExpression> list) {
        this.searchOptions = searchOptions != null ? searchOptions : SearchOptions.defaults();
        this.userAttributes = attributeValueSet != null ? attributeValueSet : AttributeValueSet.EMPTY;
        this.redactedDocumentsCache = redactedDocumentsCache;
        this.abacContext = CxtABAC.context(this.userAttributes, this::lookupHierarchy, DatasetGraphZero.create());
        this.store = attributesStore;
        this.labelsToExpressions = cache;
        if (cache == null) {
            LOGGER.warn("Security labels cache missing, label enforcement performance may be reduced as a result");
        }
        this.typeFilterFields.addAll(list);
    }

    public String getUsername() {
        if (this.searchOptions.getSecurity().isEnabled()) {
            return this.searchOptions.getSecurity().getUsername();
        }
        return null;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static List<AttributeExpr> tryParseExpressions(String str, String str2) {
        try {
            return AttributeParser.parseAttrExprList(str2);
        } catch (AttributeSyntaxError e) {
            LOGGER.warn("Security labels ({}) on document {} are malformed: {}", new Object[]{str2, str, e.getMessage()});
            return List.of();
        }
    }

    public List<AttributeExpr> parseLabelExpressions(String str, String str2) {
        return this.labelsToExpressions != null ? (List) this.labelsToExpressions.get(str2, str3 -> {
            return tryParseExpressions(str, str2);
        }) : tryParseExpressions(str, str2);
    }

    public boolean evaluate(List<AttributeExpr> list) {
        return list.stream().allMatch(attributeExpr -> {
            return this.evaluations.computeIfAbsent(attributeExpr, attributeExpr -> {
                return Boolean.valueOf(attributeExpr.eval(this.abacContext).getBoolean());
            }).booleanValue();
        });
    }

    private Hierarchy lookupHierarchy(Attribute attribute) {
        if (this.store == null || !this.store.hasHierarchy(attribute)) {
            return null;
        }
        return this.store.getHierarchy(attribute);
    }

    @Deprecated(since = "0.11.0", forRemoval = true)
    public boolean canViewDocument(String str, Document document) {
        return canViewDocument(str, "1", document);
    }

    public boolean canViewDocument(String str, String str2, Document document) {
        SecurityOptions security = this.searchOptions.getSecurity();
        if (!security.isEnabled()) {
            if (security.getShowSecurityLabels()) {
                return true;
            }
            document.trimSecurityLabels();
            return true;
        }
        if (this.redactedDocumentsCache != null) {
            Boolean isVisible = this.redactedDocumentsCache.isVisible(this, str, str2);
            if (isVisible == null) {
                Boolean valueOf = Boolean.valueOf(canViewFilteredDocument(str, document));
                if (!valueOf.booleanValue()) {
                    this.redactedDocumentsCache.setVisible(this, str, str2, false);
                }
                return valueOf.booleanValue();
            }
            if (!isVisible.booleanValue()) {
                return false;
            }
        }
        return canViewFilteredDocument(str, document);
    }

    boolean canViewFilteredDocument(String str, Document document) {
        String str2 = (String) document.getProperty("securityLabels", "defaults");
        if (!StringUtils.isNotBlank(str2)) {
            return filterDocument(str, document, true) && filterByType(str, document, this.searchOptions.getTypeFilterOpts());
        }
        List<AttributeExpr> parseLabelExpressions = parseLabelExpressions(str, str2);
        return CollectionUtils.isEmpty(parseLabelExpressions) ? filterDocument(str, document, false) && filterByType(str, document, this.searchOptions.getTypeFilterOpts()) : filterDocument(str, document, evaluate(parseLabelExpressions)) && filterByType(str, document, this.searchOptions.getTypeFilterOpts());
    }

    private boolean filterDocument(String str, Document document, boolean z) {
        SecurityOptions security = this.searchOptions.getSecurity();
        document.filter(this, z, security.getShowSecurityLabels());
        if (document.isEmpty()) {
            LOGGER.warn("Security labels prevented user {} from accessing document {}", security.getUsername(), str);
            if (LOGGER.isTraceEnabled()) {
                LOGGER.trace("Document {} had security labels which were not satisfied by user {}'s attribute set: {}", new Object[]{str, security.getUsername(), security.getAttributes().toString()});
            }
        }
        return !document.isEmpty();
    }

    private boolean filterByType(String str, Document document, TypeFilterOptions typeFilterOptions) {
        if (!typeFilterOptions.isEnabled()) {
            return true;
        }
        AtomicBoolean atomicBoolean = new AtomicBoolean(false);
        new PathMatchingVisitor(createTypeFilterFunction(typeFilterOptions, atomicBoolean), this.typeFilterFields).visit(document.getProperties());
        return atomicBoolean.get();
    }

    private static BiConsumer<String[], Object> createTypeFilterFunction(TypeFilterOptions typeFilterOptions, AtomicBoolean atomicBoolean) {
        return (strArr, obj) -> {
            if (obj instanceof List) {
                if (CollectionUtils.containsAny((Collection) obj, new String[]{typeFilterOptions.getTypeFilter()})) {
                    atomicBoolean.set(true);
                }
            } else if ((obj instanceof String) && StringUtils.equals((String) obj, typeFilterOptions.getTypeFilter())) {
                atomicBoolean.set(true);
            }
        };
    }

    public static Builder create() {
        return new Builder();
    }

    public SearchOptions getSearchOptions() {
        return this.searchOptions;
    }

    public AttributeValueSet getUserAttributes() {
        return this.userAttributes;
    }

    List<FieldNameExpression> getTypeFilterFields() {
        return this.typeFilterFields;
    }
}
