package org.apache.qpid.server.security.access.config;

import java.security.Principal;
import java.util.AbstractList;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.ListIterator;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.Collectors;
import javax.security.auth.Subject;
import org.apache.qpid.server.logging.EventLogger;
import org.apache.qpid.server.logging.EventLoggerProvider;
import org.apache.qpid.server.security.Result;
import org.apache.qpid.server.security.access.config.RuleInspector;
import org.apache.qpid.server.security.auth.AuthenticatedPrincipal;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/qpid/server/security/access/config/RuleSetImpl.class */
/**
 * Ordered set of ACL rules together with the inspectors that evaluate them.
 *
 * <p>The class is a read-only {@link List} view over a private copy of the rules taken from the
 * {@link RuleSetBuilder}; it overrides only {@link #get(int)} and {@link #size()}, so the mutating
 * {@code AbstractList} operations stay unsupported. Access decisions are delegated to a
 * per-operation, per-object-type {@link RuleInspector} obtained from the builder's cache.
 *
 * <p>Evaluation is first-match-wins: the inspectors below walk the rules in list order and return
 * the outcome of the first rule whose predicates match. When nothing matches they return
 * {@code Result.DEFER}; {@link DefaultResultInspector} returns the configured default, which
 * falls back to {@code Result.DENIED} when no default was supplied.
 *
 * <p>This listing is JADX decompiler output; "JADX note" comments record the visibility the
 * decompiler reports for the original class file.
 */
final class RuleSetImpl extends AbstractList<Rule> implements RuleSet {
    // The logger is registered under the RuleSet interface, not under this implementation class.
    private static final Logger LOGGER = LoggerFactory.getLogger(RuleSet.class);
    private static final String CHECKING_AGAINST_RULE = "Checking against rule: {}";
    private static final String CHECKING_ACTION_OPERATION_OBJECT_PROPERTIES = "Checking action: operation={}, object={}, properties={}";
    private final List<Rule> _rules;
    private final Map<LegacyOperation, Map<ObjectType, RuleInspector>> _cache;
    private final EventLoggerProvider _eventLogger;
    private final DefaultResultInspector _defaultInspector;

    /**
     * Snapshots the builder's rules and takes over its event logger, default inspector and
     * inspector cache.
     *
     * @param ruleSetBuilder source of the rules and of the pre-built inspectors
     */
    // JADX note: originally package-private.
    public RuleSetImpl(RuleSetBuilder ruleSetBuilder) {
        // Raw constructor kept on purpose: the builder's element type is not visible in this file.
        this._rules = new ArrayList(ruleSetBuilder);
        this._eventLogger = ruleSetBuilder.getEventLogger();
        this._defaultInspector = ruleSetBuilder.getDefaultInspector();
        this._cache = ruleSetBuilder.buildCache();
    }

    /**
     * Returns the result used when no rule applies.
     *
     * @return the default inspector's result
     */
    @Override
    public Result getDefault() {
        return this._defaultInspector.getDefaultResult();
    }

    /**
     * Evaluates an access request with the inspector cached for the operation and object type.
     *
     * <p>Neither lookup is guarded: if the cache has no entry for the operation or for the object
     * type, this method fails with a {@code NullPointerException} instead of producing a decision.
     * NOTE(review): presumably {@code RuleSetBuilder.buildCache()} populates every combination;
     * confirm against the builder.
     *
     * @param subject the subject requesting access
     * @param legacyOperation the operation being attempted
     * @param objectType the type of the object acted upon
     * @param objectProperties the properties of the object acted upon
     * @return the decision of the selected inspector
     */
    @Override
    public Result check(Subject subject, LegacyOperation legacyOperation, ObjectType objectType, ObjectProperties objectProperties) {
        final Map<ObjectType, RuleInspector> inspectorsByType = this._cache.get(legacyOperation);
        final RuleInspector inspector = inspectorsByType.get(objectType);
        return inspector.check(subject, legacyOperation, objectType, objectProperties);
    }

    /**
     * Returns the event logger supplied by the provider taken from the builder.
     *
     * @return the provider's current event logger
     */
    public EventLogger getEventLogger() {
        return this._eventLogger.getEventLogger();
    }

    /**
     * Returns the rule at the given position of the snapshot.
     *
     * @param i zero-based rule index
     * @return the rule at that index
     */
    @Override
    public Rule get(int i) {
        return this._rules.get(i);
    }

    /**
     * Returns the number of rules in the snapshot.
     *
     * @return the rule count
     */
    @Override
    public int size() {
        return this._rules.size();
    }

    /**
     * Base for factories that build an inspector restricted to the rules relevant for a given set
     * of identities.
     *
     * <p>At construction the rule list is cut after the first "final" rule (see
     * {@link #isFinalRule(Rule)}); rules behind it are never evaluated by inspectors produced here.
     */
    private abstract static class AbstractInspectorFactory implements RuleInspector.RuleInspectorFactory {
        private final EventLoggerProvider _logger;
        private final Rule[] _rules;
        private final Set<String> _allRuleIdentities;

        /**
         * Tells whether the rule is kept regardless of the requested identities.
         *
         * @param rule the rule to classify
         * @return {@code true} when the rule is always included
         */
        abstract boolean matchAnyIdentity(Rule rule);

        /**
         * Creates the concrete inspector over an already selected rule list.
         *
         * @param list the rules the inspector evaluates, in order
         * @param eventLoggerProvider provider handed to the rule outcomes for logging
         * @return the new inspector
         */
        abstract RuleInspector newInspector(List<? extends Rule> list, EventLoggerProvider eventLoggerProvider);

        /**
         * Stores the effective rules (up to and including the first final rule) and the
         * identities they name.
         *
         * @param list the full rule list, in evaluation order
         * @param eventLoggerProvider provider for event logging; must not be {@code null}
         */
        AbstractInspectorFactory(List<? extends Rule> list, EventLoggerProvider eventLoggerProvider) {
            final List<? extends Rule> effectiveRules = filterSuppressedRules(list);
            this._rules = effectiveRules.toArray(new Rule[0]);
            this._logger = Objects.requireNonNull(eventLoggerProvider);
            this._allRuleIdentities = collectRuleIdentities(effectiveRules);
        }

        /**
         * Returns the identities named by the effective rules.
         *
         * @return an unmodifiable view of the identity set
         */
        @Override
        public Set<String> allRuleIdentities() {
            return Collections.unmodifiableSet(this._allRuleIdentities);
        }

        /**
         * Builds an inspector over the rules that either match any identity or name one of the
         * given identities. Rule order is preserved.
         *
         * @param set the identities to select rules for
         * @return an inspector over the selected rules
         */
        @Override
        public RuleInspector newInspector(Set<String> set) {
            final List<Rule> applicable = new ArrayList<>();
            for (final Rule candidate : this._rules) {
                // Identity lookup is only reached for rules that do not match any identity.
                if (!matchAnyIdentity(candidate) && !set.contains(candidate.getIdentity())) {
                    continue;
                }
                applicable.add(candidate);
            }
            return newInspector(applicable, this._logger);
        }

        /**
         * Collects the identities of all rules for which {@code isForOwnerOrAll()} is false.
         *
         * @param collection the rules to scan
         * @return the set of identities found
         */
        private Set<String> collectRuleIdentities(Collection<? extends Rule> collection) {
            return collection.stream()
                    .filter(rule -> !rule.isForOwnerOrAll())
                    .map(Rule::getIdentity)
                    .collect(Collectors.toSet());
        }

        /**
         * Cuts the list after the first final rule, since later rules could never be reached.
         *
         * @param list the full rule list
         * @return a {@code subList} view ending at the first final rule, or the list itself when
         *         there is none
         */
        private List<? extends Rule> filterSuppressedRules(List<? extends Rule> list) {
            for (final ListIterator<? extends Rule> cursor = list.listIterator(); cursor.hasNext(); ) {
                final Rule current = cursor.next();
                if (isFinalRule(current)) {
                    // nextIndex() now points just past the final rule, so it is included.
                    return list.subList(0, cursor.nextIndex());
                }
            }
            return list;
        }

        /**
         * A rule is final when both {@code anyPropertiesMatch()} and {@code isForAll()} hold.
         *
         * @param rule the rule to test
         * @return {@code true} for a final rule
         */
        private boolean isFinalRule(Rule rule) {
            return rule.anyPropertiesMatch() && rule.isForAll();
        }
    }

    /**
     * Inspector that memoises one delegate inspector per set of rule identities carried by a
     * subject.
     *
     * <p>The cache key is the set of the subject's principal names intersected with the identities
     * the rules mention. Only {@code Principal.getName()} is used; the principal's class is not
     * taken into account at this layer. The number of entries is limited to the distinct
     * identity subsets actually seen.
     */
    // JADX note: originally package-private.
    public static final class CachedInspector implements RuleInspector {
        private final Map<Set<String>, RuleInspector> _cache = new ConcurrentHashMap<>();
        private final Set<String> _ruleIdentities;
        private final RuleInspector.RuleInspectorFactory _factory;

        /**
         * Takes a private copy of the factory's rule identities.
         *
         * @param ruleInspectorFactory factory used to build the delegate inspectors
         */
        // JADX note: originally package-private.
        public CachedInspector(RuleInspector.RuleInspectorFactory ruleInspectorFactory) {
            this._ruleIdentities = new HashSet<>(ruleInspectorFactory.allRuleIdentities());
            this._factory = ruleInspectorFactory;
        }

        /**
         * Pre-populates the cache for the empty identity set and for every single identity.
         *
         * @return this inspector, for chaining
         */
        public CachedInspector init() {
            final Set<String> noIdentity = Collections.emptySet();
            this._cache.put(noIdentity, this._factory.newInspector(noIdentity));
            for (final String identity : this._ruleIdentities) {
                final Set<String> single = Collections.singleton(identity);
                this._cache.put(single, this._factory.newInspector(single));
            }
            return this;
        }

        /**
         * Delegates to the inspector cached for the subject's relevant identities, creating it on
         * first use.
         *
         * @param subject the subject requesting access
         * @param legacyOperation the operation being attempted
         * @param objectType the type of the object acted upon
         * @param objectProperties the properties of the object acted upon
         * @return the delegate inspector's decision
         */
        @Override
        public Result check(Subject subject, LegacyOperation legacyOperation, ObjectType objectType, ObjectProperties objectProperties) {
            // Fresh local set: safe to shrink in place and to hand over as the cache key.
            final Set<String> relevantNames = collectPrincipalNames(subject);
            relevantNames.retainAll(this._ruleIdentities);
            final RuleInspector delegate = this._cache.computeIfAbsent(relevantNames, this._factory::newInspector);
            return delegate.check(subject, legacyOperation, objectType, objectProperties);
        }

        /**
         * Copies the names of all principals of the subject into a new mutable set.
         *
         * @param subject the subject whose principals are read
         * @return the principal names
         */
        private Set<String> collectPrincipalNames(Subject subject) {
            final Set<Principal> principals = subject.getPrincipals();
            final Set<String> names = new HashSet<>(principals.size());
            for (final Principal principal : principals) {
                names.add(principal.getName());
            }
            return names;
        }
    }

    /**
     * Inspector that always answers with a fixed default result.
     */
    // JADX note: originally package-private.
    public static final class DefaultResultInspector implements RuleInspector {
        private final Result _defaultResult;

        /**
         * Stores the default result, falling back to {@code Result.DENIED} for {@code null}.
         *
         * @param result the configured default, may be {@code null}
         */
        // JADX note: originally package-private.
        public DefaultResultInspector(Result result) {
            this._defaultResult = (result != null) ? result : Result.DENIED;
        }

        /**
         * Returns the default result without looking at any argument.
         *
         * @param subject ignored
         * @param legacyOperation ignored
         * @param objectType ignored
         * @param objectProperties ignored
         * @return the default result
         */
        @Override
        public Result check(Subject subject, LegacyOperation legacyOperation, ObjectType objectType, ObjectProperties objectProperties) {
            LOGGER.debug("No rules found, returning default result");
            return this._defaultResult;
        }

        /**
         * Returns the stored default result.
         *
         * @return the default result, never {@code null}
         */
        public Result getDefaultResult() {
            return this._defaultResult;
        }
    }

    /**
     * Inspector that returns the outcome of the first rule whose predicates match.
     */
    private static final class RuleBasedInspector implements RuleInspector {
        private final EventLoggerProvider _logger;
        private final Rule[] _rules;

        /**
         * Copies the rules into an array, keeping their iteration order.
         *
         * @param collection the rules to evaluate
         * @param eventLoggerProvider provider handed to the matching rule's outcome
         */
        RuleBasedInspector(Collection<? extends Rule> collection, EventLoggerProvider eventLoggerProvider) {
            this._logger = eventLoggerProvider;
            this._rules = collection.toArray(new Rule[0]);
        }

        /**
         * Walks the rules in order and stops at the first match.
         *
         * @param subject the subject requesting access
         * @param legacyOperation the operation being attempted
         * @param objectType the type of the object acted upon
         * @param objectProperties the properties of the object acted upon
         * @return the matching rule's logged outcome, or {@code Result.DEFER} when no rule matches
         */
        @Override
        public Result check(Subject subject, LegacyOperation legacyOperation, ObjectType objectType, ObjectProperties objectProperties) {
            LOGGER.debug(CHECKING_ACTION_OPERATION_OBJECT_PROPERTIES, legacyOperation, objectType, objectProperties);
            for (final Rule candidate : this._rules) {
                LOGGER.debug(CHECKING_AGAINST_RULE, candidate);
                if (!candidate.predicatesMatch(legacyOperation, objectProperties, subject)) {
                    continue;
                }
                return candidate.getOutcome().logResult(this._logger, legacyOperation, objectType, objectProperties);
            }
            LOGGER.debug("Deferring result of ACL check");
            return Result.DEFER;
        }
    }

    /**
     * Factory for {@link RuleBasedInspector}; rules with {@code isForAll()} are always included.
     */
    // JADX note: originally package-private.
    public static final class RuleBasedInspectorFactory extends AbstractInspectorFactory {
        /**
         * Creates a factory over the given rules.
         *
         * @param list the full rule list, in evaluation order
         * @param eventLoggerProvider provider for event logging; must not be {@code null}
         * @return the new factory
         */
        public static RuleInspector.RuleInspectorFactory newInstance(List<? extends Rule> list, EventLoggerProvider eventLoggerProvider) {
            return new RuleBasedInspectorFactory(list, eventLoggerProvider);
        }

        RuleBasedInspectorFactory(List<? extends Rule> list, EventLoggerProvider eventLoggerProvider) {
            super(list, eventLoggerProvider);
        }

        @Override
        boolean matchAnyIdentity(Rule rule) {
            return rule.isForAll();
        }

        @Override
        RuleInspector newInspector(List<? extends Rule> list, EventLoggerProvider eventLoggerProvider) {
            return new RuleBasedInspector(list, eventLoggerProvider);
        }
    }

    /**
     * Inspector that additionally skips owner rules when the subject is not the object's creator.
     *
     * <p>Ownership is decided by comparing the name of the subject's authenticated principal with
     * the object's {@code Property.CREATED_BY} value using {@code equals}.
     */
    private static final class RuleBasedInspectorWithOwnerFiltering implements RuleInspector {
        private final Rule[] _rules;
        private final EventLoggerProvider _logger;

        /**
         * Copies the rules into an array, keeping their iteration order.
         *
         * @param collection the rules to evaluate
         * @param eventLoggerProvider provider handed to the matching rule's outcome
         */
        RuleBasedInspectorWithOwnerFiltering(Collection<? extends Rule> collection, EventLoggerProvider eventLoggerProvider) {
            this._logger = eventLoggerProvider;
            this._rules = collection.toArray(new Rule[0]);
        }

        /**
         * Walks the rules in order and stops at the first match; rules with {@code isForOwner()}
         * are only considered when the subject is the object's creator.
         *
         * @param subject the subject requesting access
         * @param legacyOperation the operation being attempted
         * @param objectType the type of the object acted upon
         * @param objectProperties the properties of the object acted upon
         * @return the matching rule's logged outcome, or {@code Result.DEFER} when no rule matches
         */
        @Override
        public Result check(Subject subject, LegacyOperation legacyOperation, ObjectType objectType, ObjectProperties objectProperties) {
            LOGGER.debug(CHECKING_ACTION_OPERATION_OBJECT_PROPERTIES, legacyOperation, objectType, objectProperties);
            final Object createdBy = objectProperties.get(Property.CREATED_BY);
            final AuthenticatedPrincipal caller = AuthenticatedPrincipal.getOptionalAuthenticatedPrincipalFromSubject(subject);
            // A subject without an authenticated principal is never treated as the owner.
            final boolean callerIsOwner = caller != null && caller.getName().equals(createdBy);
            for (final Rule candidate : this._rules) {
                LOGGER.debug(CHECKING_AGAINST_RULE, candidate);
                if (!callerIsOwner && candidate.isForOwner()) {
                    continue;
                }
                if (candidate.predicatesMatch(legacyOperation, objectProperties, subject)) {
                    return candidate.getOutcome().logResult(this._logger, legacyOperation, objectType, objectProperties);
                }
            }
            LOGGER.debug("Deferring result of ACL check");
            return Result.DEFER;
        }
    }

    /**
     * Factory for {@link RuleBasedInspectorWithOwnerFiltering}; rules with
     * {@code isForOwnerOrAll()} are always included.
     */
    // JADX note: originally package-private.
    public static final class RuleBasedInspectorWithOwnerFilteringFactory extends AbstractInspectorFactory {
        /**
         * Creates a factory over the given rules.
         *
         * @param list the full rule list, in evaluation order
         * @param eventLoggerProvider provider for event logging; must not be {@code null}
         * @return the new factory
         */
        public static RuleInspector.RuleInspectorFactory newInstance(List<? extends Rule> list, EventLoggerProvider eventLoggerProvider) {
            return new RuleBasedInspectorWithOwnerFilteringFactory(list, eventLoggerProvider);
        }

        RuleBasedInspectorWithOwnerFilteringFactory(List<? extends Rule> list, EventLoggerProvider eventLoggerProvider) {
            super(list, eventLoggerProvider);
        }

        @Override
        boolean matchAnyIdentity(Rule rule) {
            return rule.isForOwnerOrAll();
        }

        @Override
        RuleInspector newInspector(List<? extends Rule> list, EventLoggerProvider eventLoggerProvider) {
            return new RuleBasedInspectorWithOwnerFiltering(list, eventLoggerProvider);
        }
    }
}
