package com.bazaarvoice.emodb.web.auth;

import com.bazaarvoice.emodb.auth.apikey.ApiKeyAuthenticationToken;
import com.bazaarvoice.emodb.auth.apikey.ApiKeyRequest;
import com.bazaarvoice.emodb.auth.permissions.PermissionUpdateRequest;
import com.bazaarvoice.emodb.auth.role.RoleIdentifier;
import com.bazaarvoice.emodb.auth.role.RoleManager;
import com.bazaarvoice.emodb.auth.role.RoleUpdateRequest;
import com.bazaarvoice.emodb.common.dropwizard.task.TaskRegistry;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.base.Throwables;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMultimap;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
import com.google.common.collect.Sets;
import com.google.inject.Inject;
import io.dropwizard.servlets.tasks.Task;
import java.io.PrintWriter;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.concurrent.TimeoutException;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.stream.Collectors;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.PermissionResolver;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/bazaarvoice/emodb/web/auth/RoleAdminTask.class */
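/**
 * Dropwizard administration task for viewing, creating, updating, deleting and auditing roles.
 *
 * <p>Each invocation builds a fresh Shiro {@link Subject}, logs it in with the API key supplied
 * as a task parameter, runs one action, and logs the subject out again on every exit path.
 * Every action calls {@code subject.checkPermission(...)} before it returns role data or
 * modifies a role.
 *
 * <p>Accepted {@code action} values are matched case-insensitively, with {@code '-'} accepted in
 * place of {@code '_'}: {@code view}, {@code update}, {@code delete}, {@code check} and
 * {@code find-deprecated-permissions}.
 *
 * <p>NOTE(review): the API key is read from the same parameter map as the action arguments. How
 * those parameters reach the task (URL query string, form body) is decided by the hosting
 * servlet and is not visible here; confirm that request logging on the admin connector does not
 * record them.
 */
public class RoleAdminTask extends Task {
    private final Logger _log = LoggerFactory.getLogger(RoleAdminTask.class);
    private final SecurityManager _securityManager;
    private final RoleManager _roleManager;
    private final PermissionResolver _permissionResolver;

    /** Operations selectable through the {@code action} task parameter. */
    private enum Action {
        VIEW,
        UPDATE,
        DELETE,
        CHECK,
        FIND_DEPRECATED_PERMISSIONS
    }

    /**
     * Creates the task under the name {@code Permissions.ROLE} and registers it.
     *
     * @param securityManager Shiro security manager used to build the per-request subject
     * @param roleManager store for roles and their permission strings
     * @param permissionResolver turns permission strings into {@link Permission} objects
     * @param taskRegistry registry the new task adds itself to
     * @throws NullPointerException if any argument is null
     */
    @Inject
    public RoleAdminTask(SecurityManager securityManager, RoleManager roleManager, PermissionResolver permissionResolver, TaskRegistry taskRegistry) {
        super(Permissions.ROLE);
        this._securityManager = Preconditions.checkNotNull(securityManager, "securityManager");
        this._roleManager = Preconditions.checkNotNull(roleManager, "roleManager");
        this._permissionResolver = Preconditions.checkNotNull(permissionResolver, "permissionResolver");
        // Registration is the last statement so the registry only ever sees a fully initialised task.
        taskRegistry.addTask(this);
    }

    /**
     * Authenticates the caller, dispatches the requested action and writes its result.
     *
     * <p>Authentication and authorization failures are reported to the caller as
     * {@code "Not authorized"}; a failure whose root cause is a {@link TimeoutException} is
     * reported as {@code "Timed out, try again later"}. Any other failure, including a missing
     * or repeated parameter and an unknown action name, propagates to the caller.
     *
     * @param immutableMultimap task parameters, including the API key and {@code action}
     * @param printWriter destination for the human-readable result
     * @throws Exception any failure that is neither an auth failure nor a timeout
     */
    @Override
    public void execute(ImmutableMultimap<String, String> immutableMultimap, PrintWriter printWriter) throws Exception {
        Subject subject = new Subject.Builder(this._securityManager).buildSubject();
        try {
            String apiKey = getValueFromParams(ApiKeyRequest.AUTHENTICATION_PARAM, immutableMultimap);
            subject.login(new ApiKeyAuthenticationToken(apiKey));

            // Locale.ROOT keeps the enum lookup independent of the JVM's default locale
            // (a Turkish default locale would upper-case 'i' to a dotted capital and never match).
            String actionName = getValueFromParams("action", immutableMultimap);
            Action action = Action.valueOf(actionName.toUpperCase(Locale.ROOT).replace('-', '_'));

            // The role id is resolved per action: FIND_DEPRECATED_PERMISSIONS scans every role
            // and therefore must not demand an 'id' parameter it never uses.
            switch (action) {
                case VIEW:
                    viewRole(subject, getRole(immutableMultimap), printWriter);
                    break;
                case UPDATE:
                    createOrUpdateRole(subject, getRole(immutableMultimap), immutableMultimap, printWriter);
                    break;
                case DELETE:
                    deleteRole(subject, getRole(immutableMultimap), printWriter);
                    break;
                case CHECK:
                    checkPermission(subject, getRole(immutableMultimap), immutableMultimap, printWriter);
                    break;
                case FIND_DEPRECATED_PERMISSIONS:
                    findDeprecatedPermissions(subject, printWriter);
                    break;
                default:
                    // Fail loudly if an Action constant is added without a branch here.
                    throw new IllegalStateException("Unhandled action: " + action);
            }
        } catch (AuthenticationException | AuthorizationException e) {
            // The log line carries no request data, so the API key cannot leak through it.
            // NOTE(review): it also gives responders nothing to correlate on; consider adding
            // the action and role id (never the key) if failed attempts need to be traceable.
            this._log.warn("Unauthorized attempt to access role management task");
            printWriter.println("Not authorized");
        } catch (Exception e) {
            if (!(Throwables.getRootCause(e) instanceof TimeoutException)) {
                throw Throwables.propagate(e);
            }
            printWriter.println("Timed out, try again later");
        } finally {
            // Always drop the authenticated session, whatever the outcome.
            subject.logout();
        }
    }

    /**
     * Builds the role identifier from the request parameters.
     *
     * <p>The role id may be given as {@code id} or under the parameter named by
     * {@code Permissions.ROLE}; exactly one value across both is required. The optional
     * {@code group} parameter supplies the group; when it is repeated only the first value is
     * used, and when it is absent the group is {@code null}.
     *
     * @throws IllegalArgumentException if zero or more than one role id is supplied
     */
    private RoleIdentifier getRole(ImmutableMultimap<String, String> parameters) {
        List<String> ids = ImmutableList.<String>builder()
                .addAll(parameters.get("id"))
                .addAll(parameters.get(Permissions.ROLE))
                .build();
        Preconditions.checkArgument(ids.size() == 1, "A single 'id' parameter value is required");
        String group = parameters.get("group").stream().findFirst().orElse(null);
        return new RoleIdentifier(group, ids.get(0));
    }

    /**
     * Prints the permissions held by a role.
     *
     * <p>Requires the read permission for the role; the check runs before any role data is
     * fetched.
     */
    private void viewRole(Subject subject, RoleIdentifier roleIdentifier, PrintWriter output) {
        subject.checkPermission(Permissions.readRole(roleIdentifier));
        Set<String> permissions = this._roleManager.getPermissionsForRole(roleIdentifier);
        output.println(String.format("%s has %d permissions", roleIdentifier, permissions.size()));
        for (String permission : permissions) {
            output.println("- " + permission);
        }
    }

    /**
     * Creates the role if it does not exist, otherwise updates it, then prints the result.
     *
     * <p>Reads the optional {@code name} and {@code description} parameters and the repeatable
     * {@code permit} and {@code revoke} parameters. Every permitted permission must be
     * assignable; revoked permissions are not subject to that check. Requires the create
     * permission for a new role and the update permission for an existing one.
     *
     * <p>NOTE(review): unlike {@code deleteRole}, the default-role and assignability validation
     * here runs, and writes its findings to the caller, before any authorization check, so any
     * authenticated caller can reach it. Nothing is written to the role store on that path.
     *
     * <p>NOTE(review): the existence lookup and the write are separate calls; whether
     * {@link RoleManager} rejects a create or update that races with a concurrent change is not
     * visible here.
     *
     * @throws IllegalArgumentException if the role is a default role or a permission is both
     *     permitted and revoked
     */
    private void createOrUpdateRole(Subject subject, RoleIdentifier roleIdentifier, ImmutableMultimap<String, String> parameters, PrintWriter output) {
        Preconditions.checkArgument(!DefaultRoles.isDefaultRole(roleIdentifier), "Cannot update default role: %s", roleIdentifier);
        String name = parameters.get("name").stream().findFirst().orElse(null);
        String description = parameters.get("description").stream().findFirst().orElse(null);
        ImmutableSet<String> permit = ImmutableSet.copyOf(parameters.get("permit"));
        ImmutableSet<String> revoke = ImmutableSet.copyOf(parameters.get("revoke"));
        Preconditions.checkArgument(Sets.intersection(permit, revoke).isEmpty(), "Cannot permit and revoke the same permission in a single request");

        // Report every unassignable permission in one pass instead of failing on the first.
        boolean allAssignable = true;
        for (String permission : permit) {
            if (!((EmoPermission) this._permissionResolver.resolvePermission(permission)).isAssignable()) {
                if (allAssignable) {
                    output.println("The following permission(s) cannot be assigned to a role:");
                    allAssignable = false;
                }
                output.println("- " + permission);
            }
        }
        if (!allAssignable) {
            output.println("Please rewrite the above permission(s) using constants, wildcard strings, or \"if()\" expressions");
            return;
        }

        // An absent parameter leaves the attribute out of the request; a present but empty one
        // is passed as null (presumably clearing it; confirm against RoleUpdateRequest).
        RoleUpdateRequest request = new RoleUpdateRequest();
        if (name != null) {
            request = request.withName(Strings.emptyToNull(name));
        }
        if (description != null) {
            request = request.withDescription(Strings.emptyToNull(description));
        }
        if (!permit.isEmpty() || !revoke.isEmpty()) {
            request = request.withPermissionUpdate(new PermissionUpdateRequest().permit(permit).revoke(revoke));
        }

        if (this._roleManager.getRole(roleIdentifier) == null) {
            subject.checkPermission(Permissions.createRole(roleIdentifier));
            this._roleManager.createRole(roleIdentifier, request);
        } else {
            subject.checkPermission(Permissions.updateRole(roleIdentifier));
            this._roleManager.updateRole(roleIdentifier, request);
        }
        output.println("Role updated.");
        // viewRole performs its own read check: a caller allowed to write but not read the role
        // gets "Not authorized" from execute() here even though the change above was applied.
        viewRole(subject, roleIdentifier, output);
    }

    /**
     * Deletes a role.
     *
     * <p>Requires the delete permission for the role; the check runs before the default-role
     * validation, so an unauthorized caller learns nothing about the role.
     *
     * @throws IllegalArgumentException if the role is a default role
     */
    private void deleteRole(Subject subject, RoleIdentifier roleIdentifier, PrintWriter output) {
        subject.checkPermission(Permissions.deleteRole(roleIdentifier));
        Preconditions.checkArgument(!DefaultRoles.isDefaultRole(roleIdentifier), "Cannot delete default role: %s", roleIdentifier);
        this._roleManager.deleteRole(roleIdentifier);
        output.println("Role deleted");
    }

    /**
     * Reports whether a role is granted the permission named by the {@code permission}
     * parameter, listing in sorted order every permission of the role that implies it.
     *
     * <p>Requires the read permission for the role.
     *
     * @throws IllegalArgumentException if {@code permission} is missing or repeated
     */
    private void checkPermission(Subject subject, RoleIdentifier roleIdentifier, ImmutableMultimap<String, String> parameters, PrintWriter output) {
        subject.checkPermission(Permissions.readRole(roleIdentifier));
        String permissionString = getValueFromParams("permission", parameters);
        Permission requested = this._permissionResolver.resolvePermission(permissionString);
        List<String> grantedBy = this._roleManager.getPermissionsForRole(roleIdentifier).stream()
                .filter(granted -> this._permissionResolver.resolvePermission(granted).implies(requested))
                .sorted()
                .collect(Collectors.toList());
        if (grantedBy.isEmpty()) {
            output.println(String.format("%s is not permitted %s", roleIdentifier, permissionString));
            return;
        }
        output.println(String.format("%s is permitted %s by the following:", roleIdentifier, permissionString));
        for (String granted : grantedBy) {
            output.println("- " + granted);
        }
    }

    /**
     * Lists every role that still holds a permission which is no longer assignable.
     *
     * <p>Requires the read permission across all roles
     * ({@code Permissions.readRole(Permissions.ALL, Permissions.ALL)}).
     */
    private void findDeprecatedPermissions(Subject subject, PrintWriter output) {
        subject.checkPermission(Permissions.readRole(Permissions.ALL, Permissions.ALL));
        // Mutable flag the lambda can update: the header is printed once, before the first hit.
        AtomicBoolean headerPrinted = new AtomicBoolean(false);
        this._roleManager.getAll().forEachRemaining(role -> {
            List<EmoPermission> deprecated = this._roleManager.getPermissionsForRole(role.getRoleIdentifier()).stream()
                    .map(granted -> (EmoPermission) this._permissionResolver.resolvePermission(granted))
                    .filter(permission -> !permission.isAssignable())
                    .collect(Collectors.toList());
            if (deprecated.isEmpty()) {
                return;
            }
            if (headerPrinted.compareAndSet(false, true)) {
                output.println("The following roles have deprecated permissions:\n");
            }
            output.println(role.getRoleIdentifier());
            deprecated.forEach(permission -> output.println("- " + permission));
        });
        if (!headerPrinted.get()) {
            output.println("There are no roles with deprecated permissions.");
        }
    }

    /**
     * Returns the single value of a task parameter.
     *
     * <p>The error message names only the parameter, never the submitted values; this method is
     * also used to read the API key, so the values must not be echoed into an exception.
     *
     * @param str name of the parameter to read
     * @throws IllegalArgumentException if the parameter is absent or given more than once
     */
    private String getValueFromParams(String str, ImmutableMultimap<String, String> parameters) {
        Collection<String> values = parameters.get(str);
        if (values.size() != 1) {
            throw new IllegalArgumentException(String.format("A single '%s' parameter value is required", str));
        }
        return values.iterator().next();
    }
}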
