package org.apache.qpid.server.security.access.config;

import java.net.InetAddress;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.EnumMap;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.WeakHashMap;
import javax.security.auth.Subject;
import org.apache.qpid.server.logging.EventLogger;
import org.apache.qpid.server.logging.EventLoggerProvider;
import org.apache.qpid.server.logging.messages.AccessControlMessages;
import org.apache.qpid.server.security.Result;
import org.apache.qpid.server.security.access.plugins.RuleOutcome;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/qpid/server/security/access/config/RuleSet.class */
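/**
 * An ordered list of access-control {@link Rule}s plus a per-subject lookup cache.
 *
 * <p>{@link #check} walks the rules that apply to the calling subject in list order and
 * returns the outcome of the first rule whose action matches. Rule order is therefore
 * part of the policy.
 *
 * <p>The cache is keyed by {@link Subject} in a {@link WeakHashMap}, which locates
 * entries through {@code Subject.equals}/{@code hashCode}.
 * NOTE(review): this assumes a Subject's principal set is not modified after its first
 * check; confirm that callers pass read-only Subjects.
 */
public class RuleSet implements EventLoggerProvider {
    private static final Logger LOGGER = LoggerFactory.getLogger(RuleSet.class);

    /** Private copy of the configured rules, in evaluation order. */
    private final List<Rule> _rules;

    /**
     * subject -> operation -> object type -> applicable rules. Every level is a synchronized
     * map; compound get-then-put sequences additionally lock on the map itself.
     */
    private final Map<Subject, Map<LegacyOperation, Map<ObjectType, List<Rule>>>> _cache =
            Collections.synchronizedMap(
                    new WeakHashMap<Subject, Map<LegacyOperation, Map<ObjectType, List<Rule>>>>());

    private final EventLoggerProvider _eventLogger;

    /** Result handed out by {@link #getDefault()}; never {@code null}. */
    private final Result _defaultResult;

    /**
     * @param eventLoggerProvider source of the logger used for ALLOWED/DENIED operational messages
     * @param collection          the rules, in evaluation order; copied, so later changes to the
     *                            collection do not affect this rule set
     * @param result              the default result; {@code null} is treated as
     *                            {@link Result#DENIED} so that a missing default fails closed
     */
    public RuleSet(EventLoggerProvider eventLoggerProvider, Collection<Rule> collection, Result result) {
        this._eventLogger = eventLoggerProvider;
        this._rules = new ArrayList<Rule>(collection);
        // A null default would otherwise surface as a null access decision in check().
        this._defaultResult = result != null ? result : Result.DENIED;
    }

    /** @return the number of rules held by this rule set */
    int getRuleCount() {
        return this._rules.size();
    }

    /**
     * Returns the rules that can apply to {@code subject} for the given operation and object
     * type, computing and caching the answer on first use.
     *
     * @return {@code null} when no rule at all (for any identity) addresses the operation and
     *         object type; otherwise the possibly empty list of rules whose identity is
     *         {@link Rule#ALL} or matches one of the subject's principals
     */
    private List<Rule> getRules(Subject subject, LegacyOperation legacyOperation, ObjectType objectType) {
        Map<ObjectType, List<Rule>> objectToRuleCache = getObjectToRuleCache(subject, legacyOperation);
        // containsKey rather than get(): null is itself a cached answer ("no rule addresses this").
        // Two threads may both compute the entry; they derive the same content from the same
        // immutable rule list, so the duplicate put is harmless.
        if (!objectToRuleCache.containsKey(objectType)) {
            Set<Principal> principals = subject.getPrincipals();
            boolean addressedByAnyRule = false;
            List<Rule> relevant = new ArrayList<Rule>();
            for (Rule rule : this._rules) {
                Action action = rule.getAction();
                boolean operationMatches =
                        action.getOperation() == LegacyOperation.ALL || action.getOperation() == legacyOperation;
                if (!operationMatches) {
                    continue;
                }
                boolean objectTypeMatches =
                        action.getObjectType() == ObjectType.ALL || action.getObjectType() == objectType;
                if (!objectTypeMatches) {
                    continue;
                }
                addressedByAnyRule = true;
                if (isRelevant(principals, rule)) {
                    relevant.add(rule);
                }
            }
            // Distinguish "nothing configured for this operation/object" (null, so check() uses
            // the default) from "configured, but not for this subject" (empty list, so check()
            // defers).
            if (relevant.isEmpty() && !addressedByAnyRule) {
                relevant = null;
            }
            objectToRuleCache.put(objectType, relevant);
            LOGGER.debug("Cached {} RulesList: {}", objectType, relevant);
        }
        List<Rule> list = objectToRuleCache.get(objectType);
        LOGGER.debug("Returning RuleList: {}", list);
        return list;
    }

    /**
     * Checks an action without a client address; equivalent to the five-argument overload
     * with a {@code null} address.
     */
    public Result check(Subject subject, LegacyOperation legacyOperation, ObjectType objectType, ObjectProperties objectProperties) {
        return check(subject, legacyOperation, objectType, objectProperties, null);
    }

    /**
     * Decides whether {@code subject} may perform the operation on the object.
     *
     * @param inetAddress client address handed to the rule matcher; may be {@code null}
     * @return the default result when no rule addresses the operation and object type;
     *         {@link Result#ALLOWED} or {@link Result#DENIED} from the first matching rule;
     *         {@link Result#DEFER} when rules exist but none matches this action
     */
    public Result check(Subject subject, LegacyOperation legacyOperation, ObjectType objectType, ObjectProperties objectProperties, InetAddress inetAddress) {
        ClientAction clientAction = new ClientAction(legacyOperation, objectType, objectProperties);
        LOGGER.debug("Checking action: {}", clientAction);
        List<Rule> rules = getRules(subject, legacyOperation, objectType);
        if (rules == null) {
            LOGGER.debug("No rules found, returning default result");
            return getDefault();
        }
        // First match wins: later rules are never consulted once one matches.
        for (Rule rule : rules) {
            LOGGER.debug("Checking against rule: {}", rule);
            if (!clientAction.matches(rule.getAclAction(), inetAddress)) {
                continue;
            }
            RuleOutcome ruleOutcome = rule.getRuleOutcome();
            LOGGER.debug("Action matches.  Result: {}", ruleOutcome);
            boolean isAllowed = ruleOutcome.isAllowed();
            if (ruleOutcome.isLogged()) {
                // Operational (audit) message, emitted only for rules whose outcome asks for it.
                String operation = clientAction.getOperation().toString();
                String object = clientAction.getObjectType().toString();
                String properties = clientAction.getProperties().toString();
                if (isAllowed) {
                    getEventLogger().message(AccessControlMessages.ALLOWED(operation, object, properties));
                } else {
                    getEventLogger().message(AccessControlMessages.DENIED(operation, object, properties));
                }
            }
            return isAllowed ? Result.ALLOWED : Result.DENIED;
        }
        LOGGER.debug("Deferring result of ACL check");
        return Result.DEFER;
    }

    /** @return the result used when no rule addresses an operation/object type; never {@code null} */
    public Result getDefault() {
        return this._defaultResult;
    }

    /** @return a read-only view of all rules, in evaluation order */
    public List<Rule> getAllRules() {
        return Collections.unmodifiableList(this._rules);
    }

    /**
     * Tells whether {@code rule} applies to a subject holding the given principals: either the
     * rule's identity is {@link Rule#ALL} or it equals one principal's name.
     *
     * <p>Both comparisons ignore case.
     * NOTE(review): principals whose names differ only by case are treated as the same
     * identity here; confirm the authentication providers in use never issue such names to
     * different users.
     */
    private boolean isRelevant(Set<Principal> set, Rule rule) {
        String identity = rule.getIdentity();
        if (identity.equalsIgnoreCase(Rule.ALL)) {
            return true;
        }
        for (Principal principal : set) {
            if (identity.equalsIgnoreCase(principal.getName())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns the object-type cache for {@code subject} and {@code legacyOperation}, creating
     * the intermediate maps on first use.
     *
     * <p>Each lookup-or-create runs while holding the lock of the map being extended (the lock
     * {@link Collections#synchronizedMap} itself uses), so two threads cannot install
     * competing maps and discard each other's cached entries.
     */
    private Map<ObjectType, List<Rule>> getObjectToRuleCache(Subject subject, LegacyOperation legacyOperation) {
        Map<LegacyOperation, Map<ObjectType, List<Rule>>> byOperation;
        synchronized (this._cache) {
            byOperation = this._cache.get(subject);
            if (byOperation == null) {
                byOperation = Collections.synchronizedMap(
                        new EnumMap<LegacyOperation, Map<ObjectType, List<Rule>>>(LegacyOperation.class));
                this._cache.put(subject, byOperation);
            }
        }
        synchronized (byOperation) {
            Map<ObjectType, List<Rule>> byObjectType = byOperation.get(legacyOperation);
            if (byObjectType == null) {
                byObjectType = Collections.synchronizedMap(new EnumMap<ObjectType, List<Rule>>(ObjectType.class));
                byOperation.put(legacyOperation, byObjectType);
            }
            return byObjectType;
        }
    }

    /** @return the event logger supplied by the provider given at construction */
    @Override
    public EventLogger getEventLogger() {
        return this._eventLogger.getEventLogger();
    }
}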
