package org.apache.wiki.auth;

import java.io.File;
import java.io.IOException;
import java.net.URL;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.text.MessageFormat;
import java.util.Arrays;
import java.util.Map;
import java.util.Properties;
import java.util.ResourceBundle;
import java.util.WeakHashMap;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
import org.apache.lucene.geo.SimpleWKTShapeParser;
import org.apache.wiki.api.core.Acl;
import org.apache.wiki.api.core.AclEntry;
import org.apache.wiki.api.core.Context;
import org.apache.wiki.api.core.ContextEnum;
import org.apache.wiki.api.core.Engine;
import org.apache.wiki.api.core.Page;
import org.apache.wiki.api.core.Session;
import org.apache.wiki.api.exceptions.NoRequiredPropertyException;
import org.apache.wiki.api.exceptions.WikiException;
import org.apache.wiki.auth.acl.AclManager;
import org.apache.wiki.auth.acl.UnresolvedPrincipal;
import org.apache.wiki.auth.authorize.GroupManager;
import org.apache.wiki.auth.authorize.Role;
import org.apache.wiki.auth.permissions.AllPermission;
import org.apache.wiki.auth.permissions.PagePermission;
import org.apache.wiki.auth.user.UserDatabase;
import org.apache.wiki.event.WikiEventListener;
import org.apache.wiki.event.WikiEventManager;
import org.apache.wiki.i18n.InternationalizationManager;
import org.apache.wiki.pages.PageManager;
import org.apache.wiki.preferences.Preferences;
import org.apache.wiki.util.ClassUtil;
import org.freshcookies.security.policy.LocalPolicy;

/* loaded from: input_file:WEB-INF/lib/jspwiki-main-2.11.0.M7.jar:org/apache/wiki/auth/DefaultAuthorizationManager.class */
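/**
 * Default {@link AuthorizationManager}: decides whether a wiki session may exercise a permission.
 *
 * <p>A decision is built from two layers, in this order:
 * <ol>
 *   <li>the static security policy (the JVM policy first, then the wiki's local policy file), and</li>
 *   <li>for {@link PagePermission}s only, the access control list attached to the target page.</li>
 * </ol>
 *
 * <p>The page ACL can only narrow what the static policy already granted; it is never consulted
 * when the static policy refuses the permission.
 */
public class DefaultAuthorizationManager implements AuthorizationManager {
    private static final Logger log = Logger.getLogger(DefaultAuthorizationManager.class);

    /**
     * Event type fired on every path of {@link #checkPermission} that grants access.
     * NOTE(review): presumably mirrors the project's "access allowed" security event constant; confirm.
     */
    private static final int EVENT_ACCESS_ALLOWED = 51;

    /**
     * Event type fired on every path of {@link #checkPermission} that refuses access.
     * NOTE(review): presumably mirrors the project's "access denied" security event constant; confirm.
     */
    private static final int EVENT_ACCESS_DENIED = 52;

    /** Message used for both the log entry and the exception when the local policy file is missing. */
    private static final String MISSING_POLICY_MESSAGE = "JSPWiki was unable to initialize the default security policy (WEB-INF/jspwiki.policy) file. Please ensure that the jspwiki.policy file exists in the default location. This file should exist regardless of the existance of a global policy file. The global policy file is identified by the java.security.policy variable. ";

    private Authorizer m_authorizer = null;

    /**
     * Per-principal protection domains, built lazily by {@link #allowedByLocalPolicy}.
     * WeakHashMap is not thread-safe, so every access is guarded by the map's own monitor.
     * NOTE(review): each cached ProtectionDomain holds a strong reference to its key principal,
     * which can keep the weak keys from ever being reclaimed; confirm that cache growth is bounded.
     */
    private final Map<Principal, ProtectionDomain> m_cachedPds = new WeakHashMap<>();

    private Engine m_engine = null;
    private LocalPolicy m_localPolicy = null;

    /**
     * Decides whether {@code session} holds {@code permission} and fires an allowed/denied event
     * for the outcome.
     *
     * @param session the session whose roles and principals are evaluated; {@code null} is refused
     * @param permission the permission being requested; {@code null} is refused
     * @return {@code true} when access is granted, {@code false} otherwise
     */
    @Override
    public boolean checkPermission(Session session, Permission permission) {
        // Fail closed: without a session or a permission there is nothing to authorize.
        if (session == null || permission == null) {
            fireEvent(EVENT_ACCESS_DENIED, null, permission);
            return false;
        }
        final Principal user = session.getLoginPrincipal();

        // Holders of AllPermission for this application bypass every further check, page ACLs included.
        if (checkStaticPermission(session, new AllPermission(this.m_engine.getApplicationName()))) {
            fireEvent(EVENT_ACCESS_ALLOWED, user, permission);
            return true;
        }

        // The static policy is the outer bound: an ACL cannot grant what the policy refuses.
        if (!checkStaticPermission(session, permission)) {
            fireEvent(EVENT_ACCESS_DENIED, user, permission);
            return false;
        }

        // Only page permissions are subject to ACLs; anything else is settled by the policy alone.
        if (!(permission instanceof PagePermission)) {
            fireEvent(EVENT_ACCESS_ALLOWED, user, permission);
            return true;
        }

        final Page page = ((PageManager) this.m_engine.getManager(PageManager.class)).getPage(((PagePermission) permission).getPage());
        final Acl acl = page == null ? null : ((AclManager) this.m_engine.getManager(AclManager.class)).getPermissions(page);

        // A page that cannot be found, or one without ACL entries, adds no restriction on top of
        // the policy decision already made above.
        if (page == null || acl == null || acl.isEmpty()) {
            fireEvent(EVENT_ACCESS_ALLOWED, user, permission);
            return true;
        }

        final Principal[] aclPrincipals = acl.findPrincipals(permission);
        // Guarded so the ACL and principal strings are not built on every check when debug is off.
        if (log.isDebugEnabled()) {
            log.debug("Checking ACL entries...");
            log.debug("Acl for this page is: " + acl);
            log.debug("Checking for principal: " + Arrays.toString(aclPrincipals));
            log.debug("Permission: " + permission);
        }

        for (final Principal listed : aclPrincipals) {
            Principal candidate = listed;
            if (candidate instanceof UnresolvedPrincipal) {
                // Try to resolve the name now; on success the ACL entry is updated in place so
                // the entry carries the resolved principal from here on.
                final AclEntry entry = acl.getAclEntry(candidate);
                candidate = resolvePrincipal(candidate.getName());
                if (entry != null && !(candidate instanceof UnresolvedPrincipal)) {
                    entry.setPrincipal(candidate);
                }
            }
            if (hasRoleOrPrincipal(session, candidate)) {
                fireEvent(EVENT_ACCESS_ALLOWED, user, permission);
                return true;
            }
        }

        // The ACL names principals for this permission and the session matches none of them.
        fireEvent(EVENT_ACCESS_DENIED, user, permission);
        return false;
    }

    /**
     * Returns the authorizer created by {@link #initialize}.
     *
     * @return the configured authorizer
     * @throws WikiSecurityException if no authorizer has been set
     */
    @Override
    public Authorizer getAuthorizer() throws WikiSecurityException {
        if (this.m_authorizer == null) {
            throw new WikiSecurityException("Authorizer did not initialize properly. Check the logs.");
        }
        return this.m_authorizer;
    }

    /**
     * Tests whether the session possesses the given role or user principal.
     *
     * <p>Role principals are delegated to {@code isUserInRole}. User principals are matched by
     * name against the session's principals, and only for authenticated sessions.
     *
     * @param session the session to inspect; {@code null} yields {@code false}
     * @param principal the role or user principal to look for; {@code null} yields {@code false}
     * @return {@code true} if the session holds the principal
     */
    @Override
    public boolean hasRoleOrPrincipal(Session session, Principal principal) {
        if (session == null || principal == null) {
            return false;
        }
        if (AuthenticationManager.isRolePrincipal(principal)) {
            return isUserInRole(session, principal);
        }
        // A user principal is honoured only for an authenticated session.
        if (!session.isAuthenticated() || !AuthenticationManager.isUserPrincipal(principal)) {
            return false;
        }
        final String wanted = principal.getName();
        for (final Principal held : session.getPrincipals()) {
            if (held.getName().equals(wanted)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks the permission required by {@code context} and, when it is refused and {@code z} is
     * set, queues a message on the session and redirects the response to the login page.
     *
     * @param context the wiki context supplying the session, the required permission and the page
     * @param httpServletResponse the response that receives the redirect
     * @param z whether a refusal should redirect to the login page
     * @return {@code true} if access is allowed
     * @throws IOException if the redirect cannot be sent
     */
    @Override
    public boolean hasAccess(Context context, HttpServletResponse httpServletResponse, boolean z) throws IOException {
        final boolean allowed = checkPermission(context.getWikiSession(), context.requiredPermission());
        final ResourceBundle bundle = Preferences.getBundle(context, InternationalizationManager.CORE_BUNDLE);

        // Make the context available to the rest of the request if nothing has stored it yet.
        if (context.getHttpRequest() != null && context.getHttpRequest().getAttribute(Context.ATTR_CONTEXT) == null) {
            context.getHttpRequest().setAttribute(Context.ATTR_CONTEXT, context);
        }

        if (!allowed && z) {
            final Session session = context.getWikiSession();
            final Principal currentUser = session.getUserPrincipal();
            final String pageName = context.getPage().getName();
            // NOTE(review): the principal name is written to the log as-is. If it can carry
            // user-chosen text, confirm that the log layout neutralises CR/LF so that a crafted
            // name cannot forge additional log entries.
            if (session.isAuthenticated()) {
                log.info("User " + currentUser.getName() + " has no access - forbidden (permission=" + context.requiredPermission() + ")");
                session.addMessage(MessageFormat.format(bundle.getString("security.error.noaccess.logged"), context.getName()));
            } else {
                log.info("User " + currentUser.getName() + " has no access - redirecting (permission=" + context.requiredPermission() + ")");
                session.addMessage(MessageFormat.format(bundle.getString("security.error.noaccess"), context.getName()));
            }
            httpServletResponse.sendRedirect(this.m_engine.getURL(ContextEnum.WIKI_LOGIN.getRequestContext(), pageName, null));
        }
        return allowed;
    }

    /**
     * Creates and initializes the configured authorizer, then loads the local security policy.
     *
     * @param engine the engine this manager belongs to
     * @param properties the wiki properties naming the authorizer class and the policy file
     * @throws WikiException if the authorizer cannot be created or the policy cannot be loaded
     */
    @Override
    public void initialize(Engine engine, Properties properties) throws WikiException {
        this.m_engine = engine;
        this.m_authorizer = getAuthorizerImplementation(properties);
        this.m_authorizer.initialize(engine, properties);
        try {
            final URL policyUrl = engine.findConfigFile(properties.getProperty(AuthorizationManager.POLICY, AuthorizationManager.DEFAULT_POLICY));
            if (policyUrl == null) {
                // Refuse to start without a local policy rather than run with none loaded.
                final WikiSecurityException missingPolicy = new WikiSecurityException(MISSING_POLICY_MESSAGE);
                log.fatal(MISSING_POLICY_MESSAGE, missingPolicy);
                throw missingPolicy;
            }
            final File policyFile = new File(policyUrl.toURI().getPath());
            log.info("We found security policy URL: " + policyUrl + " and transformed it to file " + policyFile.getAbsolutePath());
            this.m_localPolicy = new LocalPolicy(policyFile, engine.getContentEncoding().displayName());
            this.m_localPolicy.refresh();
            log.info("Initialized default security policy: " + policyFile.getAbsolutePath());
        } catch (Exception e) {
            // Log the exception itself so the stack trace of a policy failure is not lost.
            log.error("Could not initialize local security policy: " + e.getMessage(), e);
            throw new WikiException("Could not initialize local security policy: " + e.getMessage(), e);
        }
    }

    /**
     * Instantiates the authorizer class named in the properties, or the default one.
     * The cast raises {@link ClassCastException} if that class is not an {@link Authorizer}.
     */
    private Authorizer getAuthorizerImplementation(Properties properties) throws WikiException {
        final String className = properties.getProperty(AuthorizationManager.PROP_AUTHORIZER, AuthorizationManager.DEFAULT_AUTHORIZER);
        return (Authorizer) locateImplementation(className);
    }

    /**
     * Loads the class {@code str}, looked up relative to {@code org.apache.wiki.auth.authorize},
     * and creates an instance through its no-argument constructor.
     *
     * @param str the class name taken from the wiki configuration
     * @return a new instance of the class
     * @throws WikiException if the name is missing or the class cannot be found, accessed or created
     */
    private Object locateImplementation(String str) throws WikiException {
        if (str == null) {
            throw new NoRequiredPropertyException("Unable to find a jspwiki.authorizer entry in the properties.", AuthorizationManager.PROP_AUTHORIZER);
        }
        try {
            return ClassUtil.findClass("org.apache.wiki.auth.authorize", str).newInstance();
        } catch (ClassNotFoundException e) {
            log.fatal("Authorizer " + str + " cannot be found", e);
            throw new WikiException("Authorizer " + str + " cannot be found", e);
        } catch (IllegalAccessException e) {
            log.fatal("You are not allowed to access this authorizer class", e);
            throw new WikiException("You are not allowed to access this authorizer class", e);
        } catch (InstantiationException e) {
            log.fatal("Authorizer " + str + " cannot be created", e);
            throw new WikiException("Authorizer " + str + " cannot be created", e);
        }
    }

    /**
     * Asks the local policy whether any of the given principals implies {@code permission}.
     *
     * @param principalArr the principals to test, one at a time
     * @param permission the permission being requested
     * @return {@code true} as soon as one principal is granted the permission
     */
    @Override
    public boolean allowedByLocalPolicy(Principal[] principalArr, Permission permission) {
        for (final Principal principal : principalArr) {
            if (this.m_localPolicy.implies(protectionDomainFor(principal), permission)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns the cached protection domain for {@code principal}, creating it on first use.
     * The domain has no code location or certificates; it carries only the principal.
     */
    private ProtectionDomain protectionDomainFor(Principal principal) {
        // This manager is shared by concurrent requests and WeakHashMap tolerates no
        // unsynchronized writers, so lookup and insert happen as one step under the map's monitor.
        synchronized (this.m_cachedPds) {
            ProtectionDomain domain = this.m_cachedPds.get(principal);
            if (domain == null) {
                domain = new ProtectionDomain(new CodeSource((URL) null, (Certificate[]) null), null, getClass().getClassLoader(), new Principal[]{principal});
                this.m_cachedPds.put(principal, domain);
            }
            return domain;
        }
    }

    /**
     * Checks {@code permission} against the static policy only, ignoring page ACLs.
     *
     * <p>The JVM access controller is asked first; if it refuses, the session's roles and then
     * its principals are tested against the local policy.
     *
     * @param session the session supplying the roles and principals
     * @param permission the permission being requested
     * @return {@code true} if either policy grants the permission
     */
    @Override
    public boolean checkStaticPermission(Session session, Permission permission) {
        final Object verdict = Session.doPrivileged(session, () -> {
            try {
                AccessController.checkPermission(permission);
                return Boolean.TRUE;
            } catch (AccessControlException denied) {
                // A refusal by the JVM policy is not final: fall back to the wiki's local policy.
                final boolean granted = allowedByLocalPolicy(session.getRoles(), permission)
                        || allowedByLocalPolicy(session.getPrincipals(), permission);
                return Boolean.valueOf(granted);
            }
        });
        return ((Boolean) verdict).booleanValue();
    }

    /**
     * Resolves a name to a principal, trying in order: built-in roles, the authorizer's roles,
     * wiki groups, and finally the user database.
     *
     * @param str the name to resolve
     * @return the matching principal, or an {@link UnresolvedPrincipal} carrying the name when
     *         nothing matches
     */
    @Override
    public Principal resolvePrincipal(String str) {
        final Role builtIn = new Role(str);
        if (Role.isBuiltInRole(builtIn)) {
            return builtIn;
        }
        final Principal containerRole = this.m_authorizer.findRole(str);
        if (containerRole != null) {
            return containerRole;
        }
        final Principal group = ((GroupManager) this.m_engine.getManager(GroupManager.class)).findRole(str);
        if (group != null) {
            return group;
        }
        final UserDatabase userDatabase = ((UserManager) this.m_engine.getManager(UserManager.class)).getUserDatabase();
        try {
            for (final Principal principal : userDatabase.getPrincipals(userDatabase.find(str).getLoginName())) {
                if (principal.getName().equals(str)) {
                    return principal;
                }
            }
        } catch (NoSuchPrincipalException ignored) {
            // An unknown user is an expected outcome here; fall through to the unresolved placeholder.
        }
        return new UnresolvedPrincipal(str);
    }

    /**
     * Registers a listener for the events fired by this manager.
     *
     * @param wikiEventListener the listener to add
     */
    @Override
    public synchronized void addWikiEventListener(WikiEventListener wikiEventListener) {
        WikiEventManager.addWikiEventListener(this, wikiEventListener);
    }

    /**
     * Unregisters a listener previously added to this manager.
     *
     * @param wikiEventListener the listener to remove
     */
    @Override
    public synchronized void removeWikiEventListener(WikiEventListener wikiEventListener) {
        WikiEventManager.removeWikiEventListener(this, wikiEventListener);
    }
}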
