package com.dtolabs.rundeck.core.authorization.providers;

import com.dtolabs.rundeck.core.authorization.AclRule;
import com.dtolabs.rundeck.core.authorization.AclRuleBuilder;
import com.dtolabs.rundeck.core.authorization.AclRuleSet;
import com.dtolabs.rundeck.core.authorization.AclRuleSetImpl;
import com.dtolabs.rundeck.core.authorization.Attribute;
import com.dtolabs.rundeck.core.authorization.AuthorizationUtil;
import com.dtolabs.rundeck.core.authorization.BasicEnvironmentalContext;
import com.dtolabs.rundeck.core.authorization.ValidationSet;
import com.dtolabs.rundeck.core.authorization.providers.YamlPolicyCollection;
import com.dtolabs.rundeck.core.authorization.providers.yaml.model.ACLPolicyDoc;
import com.dtolabs.rundeck.core.authorization.providers.yaml.model.YamlPolicyDocConstructor;
import com.dtolabs.rundeck.core.cli.acl.AclTool;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Comparator;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Predicate;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
import java.util.stream.Collectors;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.error.YAMLException;

/* loaded from: input_file:com/dtolabs/rundeck/core/authorization/providers/YamlParsePolicy.class */
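/**
 * One ACL policy built from a single parsed YAML policy document.
 *
 * <p>The private constructor runs the whole pipeline eagerly: structural validation of the
 * document, resolution of the environmental context, collection of the {@code by:} principals,
 * and expansion into one {@link AclRule} per (principal, resource type, type rule). Structural
 * problems are raised as {@link AclPolicySyntaxException}; softer problems are recorded on the
 * optional {@link ValidationSet}.
 *
 * <p>This listing is decompiler output, so several names ({@code AnonymousClass4},
 * {@code val$source1}) and access modifiers are artifacts rather than the author's choices.
 */
public class YamlParsePolicy implements Policy {
    public static final String BY_SECTION = "by";
    public static final String USERNAME_KEY = "username";
    public static final String GROUP_KEY = "group";
    // Parsed document this policy was built from.
    ACLPolicyDoc policyDoc;
    // Identity of the source the document came from; used in rule identities and error reports.
    String sourceIdent;
    // Index passed in by the creator; stored but not read anywhere else in this class.
    int sourceIndex;
    // Optional error collector; every use below is null-guarded.
    ValidationSet validation;
    private YamlEnvironmentalContext environment;
    private Set<String> usernames = new HashSet<>();
    private Set<String> groups = new HashSet<>();
    private Set<AclRule> rules = new HashSet<>();

    /**
     * Loader returned by {@link #loader(YamlSource, ValidationSet)}. The decompiler lifted it out
     * of an anonymous class, which is where the class name and the {@code val$} fields come from.
     */
    public static class AnonymousClass4 implements YamlPolicyCollection.YamlSourceLoader<ACLPolicyDoc> {
        /** Matches the "unknown property" detail so it can be shortened for the user. */
        private static final Pattern UNKNOWN_PROPERTY = Pattern.compile("Unable to find property\\s(.+)\\son class");

        final /* synthetic */ YamlSource val$source1;
        final /* synthetic */ ValidationSet val$validation;

        AnonymousClass4(YamlSource yamlSource, ValidationSet validationSet) {
            this.val$source1 = yamlSource;
            this.val$validation = validationSet;
        }

        /**
         * Loads every document of the source through a {@link Yaml} instance configured with
         * {@link YamlPolicyDocConstructor}.
         *
         * @return a single-pass iterable of policy documents; see {@link #documentIterable(Iterator)}
         * @throws IOException if the source cannot be read
         */
        @Override // com.dtolabs.rundeck.core.authorization.providers.YamlPolicyCollection.YamlSourceLoader
        public Iterable<ACLPolicyDoc> loadAll() throws IOException {
            // NOTE(review): object construction is delegated to YamlPolicyDocConstructor. Whether it
            // restricts the YAML tags/types that may be instantiated is not visible here; confirm
            // before accepting policy files from less-trusted sources.
            return documentIterable(this.val$source1.loadAll(new Yaml(new YamlPolicyDocConstructor())).iterator());
        }

        /**
         * Wraps a document iterator so that parse failures are reported instead of thrown.
         *
         * <p>Each call to {@code iterator()} wraps the same underlying iterator, so the result can
         * only be traversed once. An element that is null, of the wrong type, or that fails to
         * parse is returned as {@code null}.
         *
         * @param it the underlying document iterator
         * @return an iterable yielding policy documents or {@code null} placeholders
         */
        public Iterable<ACLPolicyDoc> documentIterable(final Iterator<ACLPolicyDoc> it) {
            return new Iterable<ACLPolicyDoc>() { // from class: com.dtolabs.rundeck.core.authorization.providers.YamlParsePolicy.4.1
                @Override // java.lang.Iterable
                public Iterator<ACLPolicyDoc> iterator() {
                    return new Iterator<ACLPolicyDoc>() { // from class: com.dtolabs.rundeck.core.authorization.providers.YamlParsePolicy.4.1.1
                        // 1-based position of the document most recently requested.
                        int index = 0;

                        @Override // java.util.Iterator
                        public boolean hasNext() {
                            return it.hasNext();
                        }

                        /**
                         * Returns the next document, or {@code null} when it is absent, has the
                         * wrong type or cannot be parsed.
                         *
                         * <p>NOTE(review): how callers treat a null element is not visible here. A
                         * skipped document contributes none of its rules, deny rules included, and
                         * with a null ValidationSet the failure is not reported by this class.
                         */
                        @Override // java.util.Iterator
                        public ACLPolicyDoc next() {
                            this.index++;
                            try {
                                Object next = it.next();
                                if (next == null) {
                                    return null;
                                }
                                if (next instanceof ACLPolicyDoc) {
                                    return (ACLPolicyDoc) next;
                                }
                                report("Expected a YamlPolicyDoc document, but was type: " + next.getClass());
                                return null;
                            } catch (ConstructorException e) {
                                // Must precede YAMLException: ConstructorException is a subclass, so
                                // the reverse order leaves this handler unreachable.
                                Throwable cause = e.getCause();
                                String detail = cause != null ? cause.getMessage() : e.getMessage();
                                report("Error parsing the policy document: " + AnonymousClass4.this.extractSyntaxError(detail));
                                return null;
                            } catch (YAMLException e) {
                                report("Error parsing the policy document: " + e.getMessage());
                                return null;
                            }
                        }

                        /** Records an error against the current document when a collector is present. */
                        private void report(String message) {
                            if (null != AnonymousClass4.this.val$validation) {
                                AnonymousClass4.this.val$validation.addError(currentIdentity(), message);
                            }
                        }

                        private String currentIdentity() {
                            return AnonymousClass4.this.val$source1.getIdentity() + "[" + this.index + "]";
                        }
                    };
                }
            };
        }

        /**
         * Shortens an "Unable to find property X on class" message to "Unknown property: X".
         *
         * @param str the parser's error detail, may be null
         * @return the shortened message, or {@code str} unchanged when it does not match
         */
        public String extractSyntaxError(String str) {
            if (str != null) {
                Matcher found = UNKNOWN_PROPERTY.matcher(str);
                if (found.find() && null != found.group(1)) {
                    return "Unknown property: " + found.group(1);
                }
            }
            return str;
        }

        @Override // java.io.Closeable, java.lang.AutoCloseable
        public void close() throws IOException {
            this.val$source1.close();
        }
    }

    /**
     * The environmental context (project or application scope) a policy applies to, held both as
     * the literal value and, when it compiles, as a regular expression.
     */
    public static class YamlEnvironmentalContext {
        // Context URI -> literal value as written in the policy or supplied by the caller.
        Map<URI, String> matcher = new HashMap<>();
        // Context URI -> the same value compiled as a regex; absent when compilation failed.
        Map<URI, Pattern> matcherRegex = new HashMap<>();
        private boolean valid;
        private String validation;
        private String description;
        // Orders attributes by property, then by value. Not referenced elsewhere in this class.
        private static Comparator<Attribute> comparator = (left, right) -> {
            int byProperty = left.property.compareTo(right.property);
            return byProperty == 0 ? left.value.compareTo(right.value) : byProperty;
        };

        /**
         * Converts this context into a basic environmental context.
         *
         * <p>A compiled pattern is preferred; the literal value is used only when no single
         * pattern is available. The key is reduced to the part after
         * {@code EnvironmentalContext.URI_BASE}, which holds for the two construction paths in
         * this file because both build or filter keys on that prefix.
         *
         * @return a pattern context or a static context for the single entry
         * @throws IllegalStateException if neither map holds exactly one entry
         */
        EnvironmentalContext toBasic() {
            if (this.matcherRegex.size() != 1 && this.matcher.size() != 1) {
                throw new IllegalStateException("Expected environmental context to contain only one entry");
            }
            if (this.matcherRegex.size() == 1) {
                // NOTE(review): the value is handed over as a pattern, so regex metacharacters in a
                // project name presumably match more broadly than a literal comparison would;
                // confirm the matching semantics in BasicEnvironmentalContext.
                Map.Entry<URI, Pattern> regexEntry = this.matcherRegex.entrySet().iterator().next();
                return BasicEnvironmentalContext.patternContextFor(regexEntry.getKey().toString().substring(EnvironmentalContext.URI_BASE.length()), regexEntry.getValue().toString());
            }
            Map.Entry<URI, String> literalEntry = this.matcher.entrySet().iterator().next();
            URI key = literalEntry.getKey();
            return BasicEnvironmentalContext.staticContextFor(key.toString().substring(EnvironmentalContext.URI_BASE.length()), literalEntry.getValue());
        }

        /**
         * Builds the context from caller-supplied attributes, keeping those whose property URI
         * starts with the given prefix.
         *
         * @param str the URI prefix an attribute's property must start with
         * @param set the attributes describing the forced context
         */
        YamlEnvironmentalContext(String str, Set<Attribute> set) {
            this.valid = false;
            for (Attribute attribute : set) {
                if (attribute.getProperty().toString().startsWith(str)) {
                    URI property = attribute.getProperty();
                    String value = attribute.getValue();
                    this.matcher.put(property, value);
                    try {
                        this.matcherRegex.put(property, Pattern.compile(value));
                    } catch (PatternSyntaxException ignored) {
                        // Deliberate best effort: a value that is not a valid regex stays in
                        // `matcher` only, so toBasic() can still fall back to the literal value.
                    }
                }
            }
            this.valid = this.matcher.size() >= 1;
            this.description = describe();
        }

        /**
         * Builds the context from a policy document's {@code context:} section, using
         * {@code project} when present and {@code application} otherwise.
         *
         * <p>An invalid URI or an invalid regular expression marks the context invalid and is
         * reported through {@link #getValidation()} rather than thrown, so the caller can turn it
         * into a policy syntax error.
         *
         * @param str     the URI prefix the context key is appended to
         * @param context the document's context section
         */
        YamlEnvironmentalContext(String str, ACLPolicyDoc.Context context) {
            this.valid = false;
            boolean invalidEntry = false;
            List<String> errors = new ArrayList<>();
            String key;
            String value;
            if (null != context.getProject()) {
                key = "project";
                value = context.getProject();
            } else {
                key = "application";
                value = context.getApplication();
            }
            try {
                URI uri = new URI(str + key);
                this.matcher.put(uri, value);
                this.matcherRegex.put(uri, Pattern.compile(value));
            } catch (URISyntaxException e) {
                errors.add("Context section: " + key + ": invalid URI: " + e.getMessage());
                invalidEntry = true;
            } catch (PatternSyntaxException e) {
                // Reject the policy cleanly instead of letting an unchecked regex error escape
                // the policy constructor.
                errors.add("Context section: " + key + ": invalid regex: " + e.getMessage());
                invalidEntry = true;
            }
            if (!errors.isEmpty()) {
                this.validation = String.join("; ", errors);
            }
            this.valid = !invalidEntry && this.matcher.size() >= 1;
            this.description = describe();
        }

        /** Renders the text returned by {@link #toString()} from the current state. */
        private String describe() {
            return "YamlEnvironmentalContext{" + (this.valid ? ", valid=" + this.valid + ", context='" + this.matcher + "'}" : ", valid=" + this.valid + ", validation='" + getValidation() + "'}");
        }

        public boolean isValid() {
            return this.valid;
        }

        public String toString() {
            return this.description;
        }

        /**
         * @return the joined validation errors, or {@code null} when none were recorded
         */
        public String getValidation() {
            return this.validation;
        }
    }

    /**
     * Validates the document and expands it into rules.
     *
     * @param set           forced context attributes, or null to take the context from the document
     * @param aCLPolicyDoc  the parsed policy document
     * @param str           identity of the source, used in rule identities and error reports
     * @param i             index of the document within its source
     * @param validationSet optional collector for non-fatal errors, may be null
     * @throws AclPolicySyntaxException if the document is structurally invalid
     */
    private YamlParsePolicy(Set<Attribute> set, ACLPolicyDoc aCLPolicyDoc, String str, int i, ValidationSet validationSet) {
        this.policyDoc = aCLPolicyDoc;
        this.sourceIdent = str;
        this.sourceIndex = i;
        this.validation = validationSet;
        // Order matters: the later steps dereference sections that validate() proves non-null.
        validate();
        parseEnvironment(set);
        parseByClause();
        enumerateRules();
    }

    /** Creates the rules of every resource type in the {@code for:} section for one principal. */
    private Set<AclRule> createRules(AclRuleBuilder aclRuleBuilder) {
        Set<AclRule> created = new HashSet<>();
        for (Map.Entry<String, List<ACLPolicyDoc.TypeRule>> entry : this.policyDoc.getFor().entrySet()) {
            AclRuleBuilder builder = AclRuleBuilder.builder(aclRuleBuilder);
            String type = entry.getKey();
            builder.sourceIdentityAppend("[type:" + type + "]");
            builder.resourceType(type);
            created.addAll(createRules(type, entry.getValue(), builder));
        }
        return created;
    }

    /** Creates one rule per type rule of a resource type; rule indexes start at 1. */
    private Set<? extends AclRule> createRules(String type, List<ACLPolicyDoc.TypeRule> typeRules, AclRuleBuilder aclRuleBuilder) {
        Set<AclRule> created = new HashSet<>();
        int index = 1;
        for (ACLPolicyDoc.TypeRule typeRule : typeRules) {
            created.add(createRule(type, index, typeRule, AclRuleBuilder.builder(aclRuleBuilder)));
            index++;
        }
        return created;
    }

    /**
     * Builds a single rule from a type rule. A missing {@code allow:} or {@code deny:} section
     * becomes an empty action set rather than null.
     */
    private AclRule createRule(String type, int index, ACLPolicyDoc.TypeRule typeRule, AclRuleBuilder aclRuleBuilder) {
        AclRuleBuilder builder = AclRuleBuilder.builder(aclRuleBuilder);
        builder.sourceIdentityAppend("[rule: " + index + "]")
                .allowActions(null != typeRule.getAllow() ? typeRule.getAllowActions() : new HashSet<>())
                .denyActions(null != typeRule.getDeny() ? typeRule.getDenyActions() : new HashSet<>())
                .regexResource(typeRule.getMatch())
                .containsResource(typeRule.getContains())
                .subsetResource(typeRule.getSubset())
                .equalsResource(typeRule.getEquals());
        return builder.build();
    }

    /**
     * Expands the policy into rules for every collected username and group. With no principals
     * collected both loops are empty and the policy ends up with no rules.
     */
    private void enumerateRules() {
        AclRuleBuilder base = AclRuleBuilder.builder().environment(this.environment.toBasic()).description(this.policyDoc.getDescription()).sourceIdentity(this.sourceIdent);
        for (String username : this.usernames) {
            this.rules.addAll(createRules(AclRuleBuilder.builder(base).username(username)));
        }
        for (String group : this.groups) {
            this.rules.addAll(createRules(AclRuleBuilder.builder(base).group(group)));
        }
    }

    /**
     * Collects the principals named in the {@code by:} section.
     *
     * <p>An empty list passes the non-null check in {@link #validate()} but yields no principal;
     * that case is only recorded on the validation set, when one is present.
     *
     * @throws AclPolicySyntaxException if a section is neither a String nor a collection of Strings
     */
    private void parseByClause() {
        collectPrincipals(this.policyDoc.getBy().getUsername(), USERNAME_KEY, this.usernames);
        collectPrincipals(this.policyDoc.getBy().getGroup(), GROUP_KEY, this.groups);
        if (this.groups.size() >= 1 || this.usernames.size() >= 1 || null == this.validation) {
            return;
        }
        this.validation.addError(this.sourceIdent, "Section 'by:' is not valid:  it must contain 'group:' and/or 'username:'");
    }

    /**
     * Adds the String or Strings of one {@code by:} subsection to the target set.
     *
     * @param section     the raw YAML value, may be null (nothing is added)
     * @param sectionName the subsection name used in error messages
     * @param target      the set receiving the names
     */
    private void collectPrincipals(Object section, String sectionName, Set<String> target) {
        if (null == section) {
            return;
        }
        if (section instanceof String) {
            target.add((String) section);
            return;
        }
        if (!(section instanceof Collection)) {
            throw new AclPolicySyntaxException("Section '" + sectionName + ":' should be a list or a String, but it was: " + section.getClass().getName());
        }
        for (Object member : (Collection<?>) section) {
            if (!(member instanceof String)) {
                // A null list entry is reported as a syntax error instead of failing on getClass().
                String seen = member == null ? "null" : member.getClass().getName();
                throw new AclPolicySyntaxException("Section '" + sectionName + ":' should contain only Strings, but saw a: " + seen);
            }
            target.add((String) member);
        }
    }

    /**
     * Checks the document's structure: {@code by:}, {@code for:} and every type rule, then the
     * description.
     *
     * @throws AclPolicySyntaxException on the first structural problem found
     */
    private void validate() {
        if (null == this.policyDoc.getBy()) {
            throw new AclPolicySyntaxException("Required 'by:' section was not present");
        }
        if (null == this.policyDoc.getBy().getGroup() && null == this.policyDoc.getBy().getUsername()) {
            throw new AclPolicySyntaxException("Section 'by:' is not valid:  it must contain 'group:' and/or 'username:'");
        }
        if (null == this.policyDoc.getFor()) {
            throw new AclPolicySyntaxException("Required 'for:' section was not present");
        }
        if (this.policyDoc.getFor().isEmpty()) {
            throw new AclPolicySyntaxException("Section 'for:' should not be empty");
        }
        // Keys that may not appear inside a resource-matching section (see verifyTypeResourceKeys).
        HashSet<String> reserved = new HashSet<>(Arrays.asList(AclTool.ALLOW_LONG_OPT, AclTool.DENY_LONG_OPT));
        for (Map.Entry<String, List<ACLPolicyDoc.TypeRule>> entry : this.policyDoc.getFor().entrySet()) {
            String type = entry.getKey();
            List<ACLPolicyDoc.TypeRule> typeRules = entry.getValue();
            // A type key with no value parses to null; treat it like an empty list.
            if (typeRules == null || typeRules.isEmpty()) {
                throw new AclPolicySyntaxException(String.format("Type rule 'for: { %s: [...] }' list should not be empty.", type));
            }
            int index = 1;
            for (ACLPolicyDoc.TypeRule typeRule : typeRules) {
                if (typeRule == null) {
                    throw new AclPolicySyntaxException(String.format("Type rule 'for: { %s: [...] }' entry at index [%d] should not be empty.", type, index));
                }
                validateRule(type, index, typeRule.getAllow(), AclTool.ALLOW_LONG_OPT);
                validateRule(type, index, typeRule.getDeny(), AclTool.DENY_LONG_OPT);
                if (typeRule.isEmpty()) {
                    throw new AclPolicySyntaxException(String.format("Type rule 'for: { %s: [...] }' entry at index [%d] One of 'allow:' or 'deny:' must be present.", type, index));
                }
                verifyTypeResourceKeys(reserved, type, index, typeRule.getContains(), "contains", "tags");
                verifyTypeResourceKeys(reserved, type, index, typeRule.getEquals(), "equals", null);
                verifyTypeResourceKeys(reserved, type, index, typeRule.getMatch(), "match", null);
                verifyTypeResourceKeys(reserved, type, index, typeRule.getSubset(), "subset", null);
                index++;
            }
        }
        if (null == this.policyDoc.getDescription()) {
            throw new AclPolicySyntaxException("Policy is missing a description");
        }
    }

    /**
     * Checks that an {@code allow:}/{@code deny:} value is absent, a String, or a non-empty list.
     *
     * @param type    the resource type, for error messages
     * @param index   the 1-based rule index, for error messages
     * @param actions the raw section value, may be null
     * @param section the section name, for error messages
     */
    private void validateRule(String type, int index, Object actions, String section) {
        if (actions == null) {
            return;
        }
        if (actions instanceof List) {
            if (((List<?>) actions).isEmpty()) {
                throw new AclPolicySyntaxException(String.format("Type rule 'for: { %s: [...] }' entry at index [%d] Section '%s:' should not be empty", type, index, section));
            }
        } else if (!(actions instanceof String)) {
            throw new AclPolicySyntaxException(String.format("Type rule 'for: { %s: [...] }' entry at index [%d] Section '%s:' expected a String or a sequence of Strings, but was a %s", type, index, section, actions.getClass().getName()));
        }
    }

    /**
     * Checks one resource-matching section ({@code contains}, {@code equals}, {@code match},
     * {@code subset}) of a type rule.
     *
     * @param reserved keys that must not appear in the section
     * @param type     the resource type, for error messages
     * @param index    the 1-based rule index, for error messages
     * @param map      the section's key/value pairs, may be null (nothing is checked)
     * @param section  the section name, for error messages
     * @param onlyKey  when non-null, the only key the section may contain
     */
    private void verifyTypeResourceKeys(HashSet<String> reserved, String type, int index, Map<String, Object> map, String section, String onlyKey) {
        if (map == null) {
            return;
        }
        String where = "Type rule 'for: { " + type + ": [...] }' entry at index [" + index + "] Section '" + section + ":'";
        if (map.isEmpty()) {
            throw new AclPolicySyntaxException(where + " should not be empty.");
        }
        for (Map.Entry<String, Object> entry : map.entrySet()) {
            if (entry.getValue() == null) {
                throw new AclPolicySyntaxException(where + " value for key: '" + entry.getKey() + "' cannot be null");
            }
        }
        // An allow:/deny: key nested in a matching section is most likely a mis-indented action
        // list; rejecting it keeps the grant from being read as a resource property.
        if (map.keySet().stream().anyMatch(reserved::contains)) {
            throw new AclPolicySyntaxException(where + " should not contain 'allow:' or 'deny:'");
        }
        if (onlyKey != null && map.keySet().stream().anyMatch(key -> !onlyKey.equals(key))) {
            throw new AclPolicySyntaxException(where + " can only be applied to: '" + onlyKey + "'");
        }
    }

    /**
     * Resolves the policy's context: from the forced attributes when given, where the document
     * must not declare its own, otherwise from the document's {@code context:} section, which
     * must name exactly one of {@code project:} or {@code application:}.
     *
     * @throws AclPolicySyntaxException if the context is missing, duplicated or invalid
     */
    private void parseEnvironment(Set<Attribute> forcedContext) {
        ACLPolicyDoc.Context context = this.policyDoc.getContext();
        if (null != forcedContext) {
            if (null != context) {
                throw new AclPolicySyntaxException("Context section should not be specified, it is already set to: " + AuthorizationUtil.contextAsString(forcedContext));
            }
            this.environment = new YamlEnvironmentalContext(EnvironmentalContext.URI_BASE, forcedContext);
        } else {
            if (null == context) {
                throw new AclPolicySyntaxException("Required 'context:' section was not present");
            }
            boolean hasProject = null != context.getProject();
            boolean hasApplication = null != context.getApplication();
            if (hasProject == hasApplication) {
                throw new AclPolicySyntaxException("Context section is not valid: " + context + ", it should have only one entry: 'application:' or 'project:'");
            }
            this.environment = new YamlEnvironmentalContext(EnvironmentalContext.URI_BASE, context);
        }
        if (!this.environment.isValid()) {
            throw new AclPolicySyntaxException("Context section is not valid: " + context + this.environment.getValidation());
        }
    }

    /**
     * Parses and validates a policy document.
     *
     * @param set           forced context attributes, or null to take the context from the document
     * @param aCLPolicyDoc  the parsed policy document
     * @param str           identity of the source
     * @param i             index of the document within its source
     * @param validationSet optional collector for non-fatal errors, may be null
     * @return the parsed policy
     * @throws AclPolicySyntaxException if the document is structurally invalid
     */
    public static Policy createYamlPolicy(Set<Attribute> set, ACLPolicyDoc aCLPolicyDoc, String str, int i, ValidationSet validationSet) {
        return new YamlParsePolicy(set, aCLPolicyDoc, str, i, validationSet);
    }

    @Override // com.dtolabs.rundeck.core.authorization.AclRuleSetSource
    public AclRuleSet getRuleSet() {
        return new AclRuleSetImpl(this.rules);
    }

    /**
     * @return the live internal set of usernames, not a copy; the rules were already built from
     *     it in the constructor, so later changes to the set do not alter them
     */
    @Override // com.dtolabs.rundeck.core.authorization.providers.Policy
    public Set<String> getUsernames() {
        return this.usernames;
    }

    /**
     * @return the live internal set of groups, not a copy; the rules were already built from it
     *     in the constructor, so later changes to the set do not alter them
     */
    @Override // com.dtolabs.rundeck.core.authorization.providers.Policy
    public Set<String> getGroups() {
        return this.groups;
    }

    @Override // com.dtolabs.rundeck.core.authorization.providers.Policy
    public String getDescription() {
        return this.policyDoc.getDescription();
    }

    /**
     * @throws IllegalStateException if the context does not hold exactly one entry
     */
    @Override // com.dtolabs.rundeck.core.authorization.providers.Policy
    public EnvironmentalContext getEnvironment() {
        return this.environment.toBasic();
    }

    /**
     * Views an iterable of raw YAML objects as policy documents.
     *
     * @param iterable the raw documents
     * @return a single-pass iterable; see {@link #documentIterable(Iterator)}
     */
    public static Iterable<ACLPolicyDoc> documentIterable(Iterable<Object> iterable) {
        return documentIterable(iterable.iterator());
    }

    /**
     * Views an iterator of raw YAML objects as policy documents.
     *
     * <p>Unlike the loader's iterator this one performs no type check and catches nothing: an
     * element of another type raises {@link ClassCastException}, and exceptions thrown by the
     * underlying iterator propagate to the caller. Null elements are passed through.
     *
     * @param it the raw document iterator
     * @return an iterable over the same iterator, traversable once
     */
    public static Iterable<ACLPolicyDoc> documentIterable(Iterator<Object> it) {
        return () -> new Iterator<ACLPolicyDoc>() { // from class: com.dtolabs.rundeck.core.authorization.providers.YamlParsePolicy.3
            @Override // java.util.Iterator
            public boolean hasNext() {
                return it.hasNext();
            }

            @Override // java.util.Iterator
            public ACLPolicyDoc next() {
                // Casting null is a no-op, so null elements come back as null.
                return (ACLPolicyDoc) it.next();
            }
        };
    }

    /**
     * Creates a loader that reads policy documents from a YAML source and reports parse errors
     * to the validation set.
     *
     * @param yamlSource    the source to read
     * @param validationSet optional error collector, may be null
     * @return the loader
     */
    public static YamlPolicyCollection.YamlSourceLoader<ACLPolicyDoc> loader(YamlSource yamlSource, ValidationSet validationSet) {
        return new AnonymousClass4(yamlSource, validationSet);
    }

    /**
     * Creates a policy creator bound to a forced context and a validation set.
     *
     * @param set           forced context attributes, or null
     * @param validationSet optional error collector, may be null
     * @return a creator delegating to
     *     {@link #createYamlPolicy(Set, ACLPolicyDoc, String, int, ValidationSet)}
     */
    public static YamlPolicyCollection.YamlPolicyCreator<ACLPolicyDoc> creator(final Set<Attribute> set, final ValidationSet validationSet) {
        return new YamlPolicyCollection.YamlPolicyCreator<ACLPolicyDoc>() { // from class: com.dtolabs.rundeck.core.authorization.providers.YamlParsePolicy.5
            @Override // com.dtolabs.rundeck.core.authorization.providers.YamlPolicyCollection.YamlPolicyCreator
            public Policy createYamlPolicy(ACLPolicyDoc aCLPolicyDoc, String str, int i) throws AclPolicySyntaxException {
                return YamlParsePolicy.createYamlPolicy(set, aCLPolicyDoc, str, i, validationSet);
            }
        };
    }
}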
