package org.apache.solr.security;

import java.io.IOException;
import java.lang.invoke.MethodHandles;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.solr.api.AnnotatedApi;
import org.apache.solr.common.SpecProvider;
import org.apache.solr.common.util.CommandOperation;
import org.apache.solr.common.util.ValidatingJsonMap;
import org.apache.solr.handler.admin.SecurityConfHandler;
import org.apache.solr.handler.admin.api.ModifyRuleBasedAuthConfigAPI;
import org.apache.solr.handler.configsets.UploadConfigSetFileAPI;
import org.apache.solr.security.AuthorizationContext;
import org.apache.solr.security.PermissionNameProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/solr/security/RuleBasedAuthorizationPluginBase.class */
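/**
 * Base class for rule-based authorization: permissions loaded from the security configuration are
 * indexed by collection and then by path, and each request is decided by the first permission that
 * applies to it.
 *
 * <p>Security-relevant behaviour visible in this class:
 *
 * <ul>
 *   <li>The model is default-allow: {@link MatchStatus#NO_PERMISSIONS_FOUND} maps to
 *       {@code AuthorizationResponse.OK}, so a request that no configured permission governs is
 *       permitted.
 *   <li>Only the first applicable permission is consulted, so the order in which permissions are
 *       stored and merged decides the outcome.
 *   <li>A permission that fails to load in {@link #init(Map)} is logged and skipped, which leaves
 *       the resources it was meant to protect under the default-allow rule.
 * </ul>
 *
 * <p>This listing is decompiler output; nested types carry the access modifiers the decompiler
 * emitted (it reports having widened them from package-private / private).
 */
public abstract class RuleBasedAuthorizationPluginBase implements AuthorizationPlugin, ConfigEditablePlugin, SpecProvider {
    // collection name -> (path -> permissions). The null key holds the entries consulted for ADMIN requests.
    private final Map<String, WildCardSupportMap> mapping = new HashMap<>();
    // role name -> every permission that names that role.
    private final Map<String, Set<Permission>> roleToPermissionsMap = new HashMap<>();
    private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
    // edit-operation name -> operation, used by edit() to dispatch configuration commands.
    private static final Map<String, AutorizationEditOperation> ops =
            Arrays.stream(AutorizationEditOperation.values())
                    .collect(Collectors.toMap(AutorizationEditOperation::getOperationName, Function.identity()));

    /**
     * Outcome of matching a request against a set of permissions, together with the response it
     * translates to.
     */
    public enum MatchStatus {
        /** A role is required but the request carries no principal. */
        USER_REQUIRED(AuthorizationResponse.PROMPT),
        /** Nothing governs the request; note that this maps to OK (default-allow). */
        NO_PERMISSIONS_FOUND(AuthorizationResponse.OK),
        /** The governing permission admits the principal. */
        PERMITTED(AuthorizationResponse.OK),
        /** The governing permission names roles and the principal holds none of them. */
        FORBIDDEN(AuthorizationResponse.FORBIDDEN);

        final AuthorizationResponse rsp;

        MatchStatus(AuthorizationResponse authorizationResponse) {
            this.rsp = authorizationResponse;
        }
    }

    /**
     * Path -> permissions lookup that understands a trailing {@code /*} wildcard on registered
     * paths.
     */
    public static class WildCardSupportMap {
        // Prefixes registered with a trailing "/*", stored without that suffix.
        final Set<String> wildcardPrefixes = new HashSet<>();
        final Map<String, List<Permission>> delegate = new HashMap<>();

        private WildCardSupportMap() {
        }

        /**
         * Registers the permission list for a path. A path ending in {@code /*} is stored under the
         * path without that suffix and additionally remembered as a wildcard prefix.
         *
         * @return the list previously stored under the (normalised) key, or {@code null}
         */
        public List<Permission> put(String str, List<Permission> list) {
            String key = str;
            if (key != null && key.endsWith("/*")) {
                key = key.substring(0, key.length() - 2);
                this.wildcardPrefixes.add(key);
            }
            return this.delegate.put(key, list);
        }

        /**
         * Looks up the permissions for a path. An exact entry wins and is returned as the stored
         * list itself; otherwise the lists of every wildcard prefix that the path starts with are
         * concatenated into a new list.
         *
         * <p>NOTE(review): the merged result is a fresh list that is not stored, so a caller that
         * appends to it does not change this map. The prefix test is a plain
         * {@code String.startsWith}, so a prefix {@code /a} also matches {@code /ab}; and because
         * the prefixes live in a {@code HashSet}, the order in which several matching prefixes are
         * merged is unspecified, which matters because callers act on the first applicable
         * permission.
         *
         * @return the stored list, a merged copy, or {@code null} when nothing matches
         */
        public List<Permission> get(String str) {
            List<Permission> exact = this.delegate.get(str);
            if (str == null || exact != null) {
                return exact;
            }
            List<Permission> merged = null;
            for (String prefix : this.wildcardPrefixes) {
                if (!str.startsWith(prefix)) {
                    continue;
                }
                List<Permission> prefixPerms = this.delegate.get(prefix);
                if (prefixPerms != null) {
                    if (merged == null) {
                        merged = new ArrayList<>();
                    }
                    merged.addAll(prefixPerms);
                }
            }
            return merged;
        }

        /** Returns the stored (normalised) path keys. */
        public Set<String> keySet() {
            return this.delegate.keySet();
        }
    }

    /**
     * Decides a request. ADMIN requests are checked against the null-collection entries only. Other
     * requests are checked against each named collection in turn, and the first collection that
     * yields anything other than {@code NO_PERMISSIONS_FOUND} decides; if none does, the entries
     * registered for all collections are consulted.
     *
     * @param authorizationContext the request being authorized
     * @return the response of the deciding match; OK when nothing governs the request
     */
    @Override // org.apache.solr.security.AuthorizationPlugin
    public AuthorizationResponse authorize(AuthorizationContext authorizationContext) {
        List<AuthorizationContext.CollectionRequest> collectionRequests = authorizationContext.getCollectionRequests();
        if (log.isDebugEnabled()) {
            log.debug("Attempting to authorize request to [{}] of type: [{}], associated with collections [{}]",
                    authorizationContext.getResource(), authorizationContext.getRequestType(), collectionRequests);
        }
        if (authorizationContext.getRequestType() == AuthorizationContext.RequestType.ADMIN) {
            log.debug("Authorizing an ADMIN request, checking admin permissions");
            return checkCollPerm(this.mapping.get(null), authorizationContext).rsp;
        }
        for (AuthorizationContext.CollectionRequest collectionRequest : collectionRequests) {
            log.debug("Authorizing collection-aware request, checking perms applicable to specific collection [{}]", collectionRequest.collectionName);
            MatchStatus status = checkCollPerm(this.mapping.get(collectionRequest.collectionName), authorizationContext);
            if (status != MatchStatus.NO_PERMISSIONS_FOUND) {
                return status.rsp;
            }
        }
        log.debug("Authorizing collection-aware request, checking perms applicable to all (*) collections");
        // NOTE(review): the decompiler resolved a string constant to this unrelated field; the log
        // message above indicates it is the "*" all-collections key. Confirm against the original source.
        return checkCollPerm(this.mapping.get(UploadConfigSetFileAPI.FILEPATH_PLACEHOLDER), authorizationContext).rsp;
    }

    /**
     * Returns the names of all permissions that name at least one of the given roles.
     *
     * @param set role names; {@code null} yields an empty set
     * @return the permission names; roles with no registered permission contribute nothing
     */
    public Set<String> getPermissionNamesForRoles(Set<String> set) {
        if (set == null) {
            return Set.of();
        }
        // The decompiled listing referenced an undeclared variable here; the filter is a
        // containsKey test on roleToPermissionsMap.
        return set.stream()
                .filter(this.roleToPermissionsMap::containsKey)
                .flatMap(role -> this.roleToPermissionsMap.get(role).stream())
                .map(permission -> permission.name)
                .collect(Collectors.toSet());
    }

    /**
     * Matches the request against one collection's permissions: first those registered for the
     * request's resource path, then those registered under the null path.
     */
    private MatchStatus checkCollPerm(WildCardSupportMap wildCardSupportMap, AuthorizationContext authorizationContext) {
        if (wildCardSupportMap == null) {
            return MatchStatus.NO_PERMISSIONS_FOUND;
        }
        if (log.isTraceEnabled()) {
            log.trace("Following perms are associated with collection");
            for (String path : wildCardSupportMap.keySet()) {
                log.trace("Path: [{}], Perms: [{}]", path, wildCardSupportMap.get(path));
            }
        }
        MatchStatus pathStatus = checkPathPerm(wildCardSupportMap.get(authorizationContext.getResource()), authorizationContext);
        if (pathStatus != MatchStatus.NO_PERMISSIONS_FOUND) {
            return pathStatus;
        }
        return checkPathPerm(wildCardSupportMap.get(null), authorizationContext);
    }

    /**
     * Finds the first permission in the list that applies to the request and evaluates it against
     * the principal. An empty list, or a list in which nothing applies, yields
     * {@code NO_PERMISSIONS_FOUND}.
     */
    private MatchStatus checkPathPerm(List<Permission> list, AuthorizationContext authorizationContext) {
        if (list == null || list.isEmpty()) {
            return MatchStatus.NO_PERMISSIONS_FOUND;
        }
        log.trace("Following perms are associated with this collection and path: [{}]", list);
        Permission governing = findFirstGoverningPermission(list, authorizationContext);
        if (governing == null) {
            if (log.isDebugEnabled()) {
                log.debug("No perms configured for the resource {} . So allowed to access", authorizationContext.getResource());
            }
            return MatchStatus.NO_PERMISSIONS_FOUND;
        }
        if (log.isDebugEnabled()) {
            log.debug("Found perm [{}] to govern resource [{}]", governing, authorizationContext.getResource());
        }
        return determineIfPermissionPermitsPrincipal(authorizationContext, governing);
    }

    /** Returns the first permission, in list order, that applies to the request, or {@code null}. */
    private Permission findFirstGoverningPermission(List<Permission> list, AuthorizationContext authorizationContext) {
        for (Permission permission : list) {
            if (permissionAppliesToRequest(permission, authorizationContext)) {
                return permission;
            }
        }
        return null;
    }

    /** Dispatches to the predefined or custom matcher depending on the permission's name. */
    private boolean permissionAppliesToRequest(Permission permission, AuthorizationContext authorizationContext) {
        if (log.isTraceEnabled()) {
            log.trace("Testing whether permission [{}] applies to request [{}]", permission, authorizationContext.getResource());
        }
        if (PermissionNameProvider.values.containsKey(permission.name)) {
            return predefinedPermissionAppliesToRequest(permission, authorizationContext);
        }
        return customPermissionAppliesToRequest(permission, authorizationContext);
    }

    /**
     * A predefined permission applies when it is the ALL permission, or when the request handler is
     * a {@code PermissionNameProvider} that reports the same permission name for this request.
     */
    private boolean predefinedPermissionAppliesToRequest(Permission permission, AuthorizationContext authorizationContext) {
        log.trace("Permission [{}] is a predefined perm", permission);
        if (permission.wellknownName == PermissionNameProvider.Name.ALL) {
            log.trace("'ALL' perm applies to all requests; perm applies.");
            return true;
        }
        if (!(authorizationContext.getHandler() instanceof PermissionNameProvider)) {
            if (log.isTraceEnabled()) {
                log.trace("Request handler [{}] is not a PermissionNameProvider, perm doesnt apply", authorizationContext.getHandler());
            }
            return false;
        }
        PermissionNameProvider handler = (PermissionNameProvider) authorizationContext.getHandler();
        PermissionNameProvider.Name requestPermission = handler.getPermissionName(authorizationContext);
        boolean applies = requestPermission != null && permission.name.equals(requestPermission.name);
        log.trace("Request handler [{}] is associated with predefined perm [{}]? {}", handler, permission.name, applies);
        return applies;
    }

    /**
     * A custom permission applies when its HTTP-method restriction (if any) contains the request's
     * method and every configured parameter predicate accepts the request's values for that
     * parameter.
     */
    private boolean customPermissionAppliesToRequest(Permission permission, AuthorizationContext authorizationContext) {
        log.trace("Permission [{}] is a custom permission", permission);
        if (permission.method != null && !permission.method.contains(authorizationContext.getHttpMethod())) {
            if (log.isTraceEnabled()) {
                log.trace("Custom permission requires method [{}] but request had method [{}]; permission doesn't apply", permission.method, authorizationContext.getHttpMethod());
            }
            return false;
        }
        if (permission.params != null) {
            for (Map.Entry<String, Function<String[], Boolean>> entry : permission.params.entrySet()) {
                String[] requestValues = authorizationContext.getParams().getParams(entry.getKey());
                if (!entry.getValue().apply(requestValues).booleanValue()) {
                    if (log.isTraceEnabled()) {
                        log.trace("Request has param [{}] which is incompatible with custom perm [{}]; perm doesnt apply", entry.getKey(), permission);
                    }
                    return false;
                }
            }
        }
        log.trace("Perm [{}] matches method and params for request; permission applies", permission);
        return true;
    }

    /**
     * Evaluates the governing permission against the request's principal.
     *
     * <p>A permission without roles permits everyone, including unauthenticated requests, because
     * the role check comes before the principal check. A permission with roles requires a principal
     * (otherwise {@code USER_REQUIRED}); the all-roles wildcard then admits any principal, and
     * anything else needs the principal to hold one of the listed roles.
     */
    private MatchStatus determineIfPermissionPermitsPrincipal(AuthorizationContext authorizationContext, Permission permission) {
        if (permission.role == null) {
            log.debug("Governing permission [{}] has no role; permitting access", permission);
            return MatchStatus.PERMITTED;
        }
        Principal userPrincipal = authorizationContext.getUserPrincipal();
        if (userPrincipal == null) {
            // The message says "forbidding", but the status returned maps to PROMPT, not FORBIDDEN.
            log.debug("Governing permission [{}] has role, but request principal cannot be identified; forbidding access", permission);
            return MatchStatus.USER_REQUIRED;
        }
        // NOTE(review): decompiler-resolved constant; per the log message below it is the
        // all-roles wildcard. Confirm against the original source.
        if (permission.role.contains(UploadConfigSetFileAPI.FILEPATH_PLACEHOLDER)) {
            log.debug("Governing permission [{}] allows all roles; permitting access", permission);
            return MatchStatus.PERMITTED;
        }
        Set<String> userRoles = getUserRoles(authorizationContext);
        if (userRoles != null) {
            for (String role : permission.role) {
                if (userRoles.contains(role)) {
                    log.debug("Governing permission [{}] allows access to role [{}]; permitting access", permission, role);
                    return MatchStatus.PERMITTED;
                }
            }
        }
        log.info("This resource is configured to have a permission {}, The principal {} does not have the right role ", permission, userPrincipal);
        return MatchStatus.FORBIDDEN;
    }

    /**
     * Reports whether any role of the principal is listed on a permission with the given well-known
     * name among the null-collection, null-path entries.
     *
     * <p>Only those entries are examined, and role membership is tested literally. A permission
     * that has no role list is skipped here, so it yields {@code false} instead of a
     * {@code NullPointerException}.
     *
     * <p>NOTE(review): {@code determineIfPermissionPermitsPrincipal} treats a missing role list as
     * open to everyone and honours the all-roles wildcard, whereas this method does neither;
     * confirm which answer callers expect.
     *
     * @param principal the user to check
     * @param name the well-known permission name
     * @return {@code true} if a matching permission lists one of the user's roles
     */
    public boolean doesUserHavePermission(Principal principal, PermissionNameProvider.Name name) {
        Set<String> userRoles = getUserRoles(principal);
        if (userRoles == null || userRoles.isEmpty()) {
            return false;
        }
        WildCardSupportMap adminEntries = this.mapping.get(null);
        if (adminEntries == null) {
            return false;
        }
        List<Permission> permissions = adminEntries.get(null);
        if (permissions == null) {
            return false;
        }
        for (Permission permission : permissions) {
            if (!name.equals(permission.wellknownName) || permission.role == null) {
                continue;
            }
            for (String role : userRoles) {
                if (permission.role.contains(role)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Loads the {@code permissions} list from the plugin configuration into the lookup maps.
     *
     * <p>NOTE(review): an entry that fails to load is logged at ERROR and skipped. Because a
     * request with no governing permission is allowed, a malformed rule leaves its resources
     * unprotected; deployments should alert on the "Invalid permission" log line. The maps are not
     * cleared first, so a second call adds to the existing entries.
     *
     * @param map the plugin configuration
     */
    @Override // org.apache.solr.security.AuthorizationPlugin
    public void init(Map<String, Object> map) {
        this.mapping.put(null, new WildCardSupportMap());
        for (Object rawPermission : SecurityConfHandler.getListValue(map, "permissions")) {
            try {
                add2Mapping(Permission.load((Map) rawPermission));
            } catch (Exception e) {
                log.error("Invalid permission ", e);
            }
        }
    }

    /**
     * Indexes one permission under each of its collections and paths, and under each of its roles.
     *
     * <p>NOTE(review): the existing list is fetched with the wildcard-aware
     * {@code WildCardSupportMap.get}. When the path has no exact entry but a wildcard prefix
     * registered earlier matches it (including registering the same {@code /*} path a second
     * time), that call returns a merged copy, and the permission is appended to the copy only and
     * never stored. Whether a rule takes effect can therefore depend on configuration order.
     * Behaviour is left unchanged here; verify against the upstream source before relying on
     * overlapping wildcard and exact paths.
     */
    private void add2Mapping(Permission permission) {
        for (String collection : permission.collections) {
            WildCardSupportMap pathMap = this.mapping.computeIfAbsent(collection, key -> new WildCardSupportMap());
            for (String path : permission.path) {
                List<Permission> permsForPath = pathMap.get(path);
                if (permsForPath == null) {
                    permsForPath = new ArrayList<>();
                    pathMap.put(path, permsForPath);
                }
                permsForPath.add(permission);
            }
        }
        if (permission.role != null) {
            for (String role : permission.role) {
                this.roleToPermissionsMap.computeIfAbsent(role, key -> new HashSet<>()).add(permission);
            }
        }
    }

    /** Returns the roles of the request's principal; delegates to {@link #getUserRoles(Principal)}. */
    public Set<String> getUserRoles(AuthorizationContext authorizationContext) {
        return getUserRoles(authorizationContext.getUserPrincipal());
    }

    /**
     * Resolves the roles held by a principal. Callers in this class accept a {@code null} result
     * and treat it as "no roles".
     */
    public abstract Set<String> getUserRoles(Principal principal);

    /** Nothing to release. */
    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() throws IOException {
    }

    /**
     * Applies a sequence of edit commands to the authorization configuration.
     *
     * @param map the current configuration
     * @param list the commands, applied in order
     * @return the edited configuration, or {@code null} as soon as a command is unknown or an
     *     operation returns {@code null}
     */
    public Map<String, Object> edit(Map<String, Object> map, List<CommandOperation> list) {
        Map<String, Object> current = map;
        for (CommandOperation commandOperation : list) {
            AutorizationEditOperation operation = ops.get(commandOperation.name);
            if (operation == null) {
                commandOperation.unknownOperation();
                return null;
            }
            current = operation.edit(current, commandOperation);
            if (current == null) {
                return null;
            }
        }
        return current;
    }

    /** Returns the spec of the first API declared by {@code ModifyRuleBasedAuthConfigAPI}. */
    public ValidatingJsonMap getSpec() {
        return AnnotatedApi.getApis(new ModifyRuleBasedAuthConfigAPI()).get(0).getSpec();
    }
}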
