package org.apache.geode.security.templates;

import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.geode.LogWriter;
import org.apache.geode.cache.Cache;
import org.apache.geode.cache.operations.ExecuteFunctionOperationContext;
import org.apache.geode.cache.operations.OperationContext;
import org.apache.geode.cache.operations.QueryOperationContext;
import org.apache.geode.distributed.DistributedMember;
import org.apache.geode.security.AccessControl;
import org.apache.geode.security.NotAuthorizedException;
import org.w3c.dom.Attr;
import org.w3c.dom.Document;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

/* loaded from: input_file:org/apache/geode/security/templates/XmlAuthorization.class */
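/**
 * {@link AccessControl} implementation that takes its authorization rules from an XML
 * document whose URI is read from the {@value #DOC_URI_PROP_NAME} security property.
 *
 * <p>The document maps users to roles ({@code <role name=".."><user>..</user></role>}) and
 * roles to permitted operations ({@code <permission role=".." regions=".."><operation>..}).
 * The parsed tables are static and shared by every instance; each instance copies the
 * entries that apply to its principal into {@link #allowedOps} during
 * {@link #init(Principal, DistributedMember, Cache)}.
 *
 * <p>All static state is guarded by {@link #sync}. The per-instance {@code allowedOps} map
 * is a plain {@code HashMap} and is not synchronized by this class.
 */
public class XmlAuthorization implements AccessControl {
    /** Name of the security property that holds the URI of the authorization XML document. */
    public static final String DOC_URI_PROP_NAME = "security-authz-xml-uri";
    // Key under which permissions that are not tied to a specific region are stored.
    private static final String EMPTY_VALUE = "";
    private static final String TAG_ROLE = "role";
    private static final String TAG_USER = "user";
    private static final String TAG_PERMS = "permission";
    private static final String TAG_OP = "operation";
    private static final String ATTR_ROLENAME = "name";
    private static final String ATTR_ROLE = "role";
    private static final String ATTR_REGIONS = "regions";
    private static final String ATTR_FUNCTION_IDS = "functionIds";
    private static final String ATTR_FUNCTION_OPTIMIZE_FOR_WRITE = "optimizeForWrite";
    private static final String ATTR_FUNCTION_KEY_SET = "keySet";
    // Normalized region name ("" for the default entry) -> operations allowed for this principal.
    private final Map<String, Map<OperationContext.OperationCode, FunctionSecurityPrmsHolder>> allowedOps = new HashMap<>();
    protected LogWriter systemLogWriter = null;
    protected LogWriter securityLogWriter = null;
    // Lock guarding every static field below.
    private static final Object sync = new Object();
    // URI of the document the static tables were last loaded from successfully.
    private static String currentDocUri = null;
    // User name -> names of the roles the user belongs to.
    private static Map<String, HashSet<String>> userRoles = null;
    // Role name -> normalized region name -> allowed operations.
    private static Map<String, Map<String, Map<OperationContext.OperationCode, FunctionSecurityPrmsHolder>>> rolePermissions = null;
    // Failure recorded by the most recent unsuccessful load.
    private static NotAuthorizedException xmlLoadFailure = null;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/geode/security/templates/XmlAuthorization$AuthzDtdResolver.class */
    /**
     * Entity resolver that serves the authorization DTD from the class path when the
     * requested system identifier contains a name matching {@code authz.*\.dtd}.
     */
    public static class AuthzDtdResolver implements EntityResolver {
        final Pattern authzPattern;

        private AuthzDtdResolver() {
            this.authzPattern = Pattern.compile("authz.*\\.dtd");
        }

        /**
         * Resolves the authorization DTD to the copy bundled next to this class.
         *
         * @param publicId public identifier of the entity (not used)
         * @param systemId system identifier of the entity; may be {@code null}
         * @return an input source over the bundled resource when {@code systemId} matches the
         *         DTD pattern, otherwise {@code null}
         */
        @Override // org.xml.sax.EntityResolver
        public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
            if (systemId == null) {
                return null;
            }
            Matcher matcher = this.authzPattern.matcher(systemId);
            if (!matcher.find()) {
                // NOTE(review): returning null hands resolution back to the parser, which then
                // dereferences the system identifier itself. That is only acceptable while the
                // ACL document is operator-controlled configuration — confirm it can never be
                // influenced by a client.
                return null;
            }
            // The pattern is unanchored, so only the matched tail of the identifier is used as
            // the resource name; the stream is null when no such resource is bundled.
            return new InputSource(XmlAuthorization.class.getResourceAsStream(matcher.group(0)));
        }
    }

    /**
     * Factory method returning a new, uninitialized instance.
     *
     * @return a new {@code XmlAuthorization}
     */
    public static AccessControl create() {
        return new XmlAuthorization();
    }

    /**
     * Discards the cached document URI, the role tables and any recorded load failure, so the
     * next {@code init} parses the document again.
     */
    public static void clear() {
        // Taken under the same lock as loading so a concurrent init never observes
        // half-cleared tables.
        synchronized (sync) {
            currentDocUri = null;
            if (userRoles != null) {
                userRoles.clear();
                userRoles = null;
            }
            if (rolePermissions != null) {
                rolePermissions.clear();
                rolePermissions = null;
            }
            xmlLoadFailure = null;
        }
    }

    /**
     * Converts a region name into the canonical form used as a key in the permission tables:
     * a single leading {@code '/'}, no repeated separators and no trailing separator.
     *
     * <p>Permissions are stored and looked up by this canonical form, so two spellings of the
     * same path must not produce different keys; a miss on the specific key falls back to the
     * default (region-less) permissions in {@link #authorizeOperation}.
     *
     * @param regionName the region name, may be {@code null}
     * @return the canonical name; the empty string for {@code null}, {@code ""} or a name made
     *         only of separators; the argument itself when it is already canonical
     */
    public static String normalizeRegionName(String regionName) {
        if (regionName == null || regionName.length() == 0) {
            return EMPTY_VALUE;
        }
        // One extra slot for the leading separator that may have to be added.
        char[] buffer = new char[regionName.length() + 1];
        boolean changed;
        boolean lastWasSlash;
        int start;
        if (regionName.charAt(0) == '/') {
            changed = false;
            lastWasSlash = true;
            start = 1;
        } else {
            changed = true;
            lastWasSlash = false;
            start = 0;
        }
        buffer[0] = '/';
        int length = 1;
        for (int i = start; i < regionName.length(); i++) {
            char current = regionName.charAt(i);
            if (current == '/') {
                if (lastWasSlash) {
                    // Repeated separator: drop it. Previously it was flagged as a change but
                    // still copied, so "//a" and "/a" produced different lookup keys.
                    changed = true;
                    continue;
                }
                lastWasSlash = true;
            } else {
                lastWasSlash = false;
            }
            buffer[length++] = current;
        }
        if (buffer[length - 1] == '/') {
            length--;
            changed = true;
        }
        return changed ? new String(buffer, 0, length) : regionName;
    }

    private XmlAuthorization() {
    }

    /**
     * Loads the authorization document if necessary and collects the permissions of every
     * role the principal belongs to into this instance.
     *
     * @param principal the authenticated principal; {@code null} is looked up as the empty
     *        user name
     * @param remoteMember the member the principal connected from (not used)
     * @param cache the cache supplying the security properties and the log writers
     * @throws NotAuthorizedException if the document URI is not configured or the document
     *         cannot be loaded
     */
    public void init(Principal principal, DistributedMember remoteMember, Cache cache) throws NotAuthorizedException {
        synchronized (sync) {
            init(cache);
            // The shared tables are read under the same lock that guards loading and clear(),
            // so the permissions copied here always come from one fully built document.
            String userName = principal != null ? principal.getName() : EMPTY_VALUE;
            HashSet<String> roles = userRoles.get(userName);
            if (roles != null) {
                for (String role : roles) {
                    Map<String, Map<OperationContext.OperationCode, FunctionSecurityPrmsHolder>> regionOps = rolePermissions.get(role);
                    if (regionOps == null) {
                        continue;
                    }
                    for (Map.Entry<String, Map<OperationContext.OperationCode, FunctionSecurityPrmsHolder>> entry : regionOps.entrySet()) {
                        String regionName = entry.getKey();
                        Map<OperationContext.OperationCode, FunctionSecurityPrmsHolder> merged = this.allowedOps.get(regionName);
                        if (merged == null) {
                            merged = new HashMap<>();
                            this.allowedOps.put(regionName, merged);
                        }
                        // Union across roles; for the same operation a later role's entry
                        // replaces an earlier one.
                        merged.putAll(entry.getValue());
                    }
                }
            }
        }
        this.systemLogWriter = cache.getLogger();
        this.securityLogWriter = cache.getSecurityLogger();
    }

    /**
     * Decides whether the operation described by {@code context} is permitted for the
     * principal this instance was initialized with.
     *
     * <p>Region-specific permissions are consulted first; when the region has no entry, the
     * default (region-less) permissions are used. Anything without a matching entry is denied.
     *
     * @param regionName name of the region the operation targets
     * @param context the operation being authorized
     * @return {@code true} if the operation is allowed
     */
    public boolean authorizeOperation(String regionName, OperationContext context) {
        if (context.isClientUpdate()) {
            // Updates pushed to a client are allowed when the client may GET from the region.
            // NOTE(review): unlike the other branches the name is looked up without
            // normalizeRegionName(), so a spelling that differs from the stored key silently
            // falls back to the default permissions — confirm callers always pass the
            // canonical path here.
            Map<OperationContext.OperationCode, FunctionSecurityPrmsHolder> updateOps = this.allowedOps.get(regionName);
            if (updateOps == null && regionName.length() > 0) {
                updateOps = this.allowedOps.get(EMPTY_VALUE);
            }
            return updateOps != null && updateOps.containsKey(OperationContext.OperationCode.GET);
        }

        OperationContext.OperationCode opCode = context.getOperationCode();
        if (opCode.isQuery() || opCode.isExecuteCQ() || opCode.isCloseCQ() || opCode.isStopCQ()) {
            Map<OperationContext.OperationCode, FunctionSecurityPrmsHolder> defaultOps = this.allowedOps.get(EMPTY_VALUE);
            boolean allowedByDefault = defaultOps != null && defaultOps.containsKey(opCode);
            Set<?> regionNames = ((QueryOperationContext) context).getRegionNames();
            if (regionNames == null || regionNames.size() == 0) {
                return allowedByDefault;
            }
            // Every region the query touches must allow the operation, either through its own
            // entry or, when it has none, through the default entry.
            for (Object name : regionNames) {
                Map<OperationContext.OperationCode, FunctionSecurityPrmsHolder> queryOps = this.allowedOps.get(normalizeRegionName((String) name));
                if (queryOps == null) {
                    if (!allowedByDefault) {
                        return false;
                    }
                } else if (!queryOps.containsKey(opCode)) {
                    return false;
                }
            }
            return true;
        }

        String normalizedName = normalizeRegionName(regionName);
        Map<OperationContext.OperationCode, FunctionSecurityPrmsHolder> regionOps = this.allowedOps.get(normalizedName);
        if (regionOps == null && normalizedName.length() > 0) {
            regionOps = this.allowedOps.get(EMPTY_VALUE);
        }
        if (regionOps == null) {
            return false;
        }
        if (opCode != OperationContext.OperationCode.EXECUTE_FUNCTION) {
            return regionOps.containsKey(opCode);
        }
        if (!regionOps.containsKey(opCode)) {
            return false;
        }

        ExecuteFunctionOperationContext functionContext = (ExecuteFunctionOperationContext) context;
        FunctionSecurityPrmsHolder restrictions = regionOps.get(opCode);

        if (context.isPostOperation()) {
            if (functionContext.getRegionName() != null) {
                // The configured key set works as a deny list that only triggers when the
                // result contains ALL of its entries; a partial overlap is still allowed.
                boolean resultHoldsAllDeniedKeys = (functionContext.getResult() instanceof ArrayList)
                        && restrictions.getKeySet() != null
                        && ((ArrayList<?>) functionContext.getResult()).containsAll(restrictions.getKeySet());
                return !resultHoldsAllDeniedKeys;
            }
            // NOTE(review): the cast is unguarded, so a result that is null or not an
            // ArrayList raises an exception here instead of producing a decision.
            return !((ArrayList<?>) functionContext.getResult()).contains("Insecure item");
        }

        if (functionContext.getRegionName() == null) {
            return restrictions.getFunctionIds() == null
                    || restrictions.getFunctionIds().contains(functionContext.getFunctionId());
        }
        if (restrictions.isOptimizeForWrite() != null
                && restrictions.isOptimizeForWrite().booleanValue() != functionContext.isOptimizeForWrite()) {
            return false;
        }
        if (restrictions.getFunctionIds() == null
                || restrictions.getFunctionIds().contains(functionContext.getFunctionId())) {
            // Same deny-list semantics as the post-operation check, applied to the request keys.
            return restrictions.getKeySet() == null
                    || functionContext.getKeySet() == null
                    || !functionContext.getKeySet().containsAll(restrictions.getKeySet());
        }
        return false;
    }

    /** Drops the permissions collected for this instance; the shared tables are untouched. */
    public void close() {
        this.allowedOps.clear();
    }

    /**
     * Returns the value of the named attribute, or the empty string when the node has no
     * attributes or no attribute of that name.
     */
    private static String getAttributeValue(Node node, String attributeName) {
        NamedNodeMap attributes = node.getAttributes();
        if (attributes == null) {
            return EMPTY_VALUE;
        }
        Node attribute = attributes.getNamedItem(attributeName);
        return attribute == null ? EMPTY_VALUE : ((Attr) attribute).getValue();
    }

    /** Returns the value of the node's first text child, or the empty string when it has none. */
    private static String getNodeValue(Node node) {
        NodeList children = node.getChildNodes();
        for (int i = 0; i < children.getLength(); i++) {
            Node child = children.item(i);
            if (child.getNodeType() == Node.TEXT_NODE) {
                return child.getNodeValue();
            }
        }
        return EMPTY_VALUE;
    }

    /**
     * Splits a comma-separated attribute value into a set.
     *
     * @return the set of entries, or {@code null} when the value is {@code null} or empty.
     *         Entries are not trimmed.
     */
    private static HashSet<String> splitToSet(String commaSeparated) {
        if (commaSeparated == null || commaSeparated.length() == 0) {
            return null;
        }
        HashSet<String> entries = new HashSet<>();
        for (String entry : commaSeparated.split(",")) {
            entries.add(entry);
        }
        return entries;
    }

    /**
     * Parses the authorization document named by the {@value #DOC_URI_PROP_NAME} security
     * property into the shared role tables, unless that URI is already loaded.
     *
     * <p>Callers must hold {@link #sync}. The tables are built in locals and published only
     * after the whole document has been processed, so a failing load leaves the previously
     * loaded tables intact; every failure is recorded in {@link #xmlLoadFailure} and thrown.
     *
     * @param cache the cache supplying the security properties and the logger
     * @throws NotAuthorizedException if the property is missing or the document cannot be
     *         parsed or contains unexpected content
     */
    private static void init(Cache cache) throws NotAuthorizedException {
        LogWriter logger = cache.getLogger();
        String docUri = (String) cache.getDistributedSystem().getSecurityProperties().get(DOC_URI_PROP_NAME);
        try {
            if (docUri == null) {
                throw new NotAuthorizedException("No ACL file defined using tag [security-authz-xml-uri] in system properties");
            }
            if (docUri.equals(currentDocUri)) {
                if (xmlLoadFailure != null) {
                    throw xmlLoadFailure;
                }
                return;
            }

            // Validation is on, so the DTD has to be readable; AuthzDtdResolver supplies the
            // bundled copy for matching system identifiers.
            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
            factory.setIgnoringComments(true);
            factory.setIgnoringElementContentWhitespace(true);
            factory.setValidating(true);
            DocumentBuilder builder = factory.newDocumentBuilder();
            builder.setErrorHandler(new XmlErrorHandler(logger, docUri));
            builder.setEntityResolver(new AuthzDtdResolver());
            Document document = builder.parse(docUri);

            Map<String, HashSet<String>> loadedUserRoles = new HashMap<>();
            Map<String, Map<String, Map<OperationContext.OperationCode, FunctionSecurityPrmsHolder>>> loadedRolePermissions = new HashMap<>();

            NodeList roleNodes = document.getElementsByTagName(TAG_ROLE);
            for (int i = 0; i < roleNodes.getLength(); i++) {
                Node roleNode = roleNodes.item(i);
                String roleName = getAttributeValue(roleNode, ATTR_ROLENAME);
                NodeList userNodes = roleNode.getChildNodes();
                for (int j = 0; j < userNodes.getLength(); j++) {
                    Node userNode = userNodes.item(j);
                    if (!TAG_USER.equals(userNode.getNodeName())) {
                        throw new SAXParseException("Unknown tag [" + userNode.getNodeName() + "] as child of tag [role]", null);
                    }
                    String userName = getNodeValue(userNode);
                    HashSet<String> rolesOfUser = loadedUserRoles.get(userName);
                    if (rolesOfUser == null) {
                        rolesOfUser = new HashSet<>();
                        loadedUserRoles.put(userName, rolesOfUser);
                    }
                    rolesOfUser.add(roleName);
                }
            }

            NodeList permissionNodes = document.getElementsByTagName(TAG_PERMS);
            for (int i = 0; i < permissionNodes.getLength(); i++) {
                Node permissionNode = permissionNodes.item(i);
                String roleName = getAttributeValue(permissionNode, ATTR_ROLE);
                Map<String, Map<OperationContext.OperationCode, FunctionSecurityPrmsHolder>> regionOps = loadedRolePermissions.get(roleName);
                if (regionOps == null) {
                    regionOps = new HashMap<>();
                    loadedRolePermissions.put(roleName, regionOps);
                }

                NodeList operationNodes = permissionNode.getChildNodes();
                Map<OperationContext.OperationCode, FunctionSecurityPrmsHolder> operations = new HashMap<>();
                for (int j = 0; j < operationNodes.getLength(); j++) {
                    Node operationNode = operationNodes.item(j);
                    if (!TAG_OP.equals(operationNode.getNodeName())) {
                        throw new SAXParseException("Unknown tag [" + operationNode.getNodeName() + "] as child of tag [" + TAG_PERMS + ']', null);
                    }
                    String operationName = getNodeValue(operationNode);
                    OperationContext.OperationCode code = OperationContext.OperationCode.valueOf(operationName);
                    if (code == null) {
                        throw new SAXParseException("Unknown operation [" + operationName + ']', null);
                    }
                    if (code != OperationContext.OperationCode.EXECUTE_FUNCTION) {
                        // Only the presence of the key matters for non-function operations.
                        operations.put(code, null);
                    } else {
                        String optimizeForWrite = getAttributeValue(operationNode, ATTR_FUNCTION_OPTIMIZE_FOR_WRITE);
                        Boolean optimizeFlag = (optimizeForWrite == null || optimizeForWrite.length() == 0)
                                ? null
                                : Boolean.valueOf(Boolean.parseBoolean(optimizeForWrite));
                        HashSet<String> functionIds = splitToSet(getAttributeValue(operationNode, ATTR_FUNCTION_IDS));
                        HashSet<String> keySet = splitToSet(getAttributeValue(operationNode, ATTR_FUNCTION_KEY_SET));
                        operations.put(code, new FunctionSecurityPrmsHolder(optimizeFlag, functionIds, keySet));
                    }
                }

                String regions = getAttributeValue(permissionNode, ATTR_REGIONS);
                if (regions == null || regions.length() == 0) {
                    regionOps.put(EMPTY_VALUE, operations);
                } else {
                    // A later <permission> for the same role and region replaces the earlier
                    // entry rather than merging with it.
                    for (String region : regions.split(",")) {
                        regionOps.put(normalizeRegionName(region), operations);
                    }
                }
            }

            // Publish only now that the whole document was accepted, and forget any failure
            // recorded by an earlier attempt so it is not replayed for this URI.
            userRoles = loadedUserRoles;
            rolePermissions = loadedRolePermissions;
            xmlLoadFailure = null;
            currentDocUri = docUri;
        } catch (Exception e) {
            String message = e instanceof NotAuthorizedException ? e.getMessage() : e.getClass().getName() + ": " + e.getMessage();
            logger.warning("XmlAuthorization.init: " + message);
            xmlLoadFailure = new NotAuthorizedException(message, e);
            throw xmlLoadFailure;
        }
    }
}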
