package org.apache.marmotta.platform.security.services;

import com.google.common.collect.Lists;
import java.net.InetAddress;
import java.net.NetworkInterface;
import java.net.SocketException;
import java.net.URL;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.annotation.PostConstruct;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.event.Observes;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.configuration.Configuration;
import org.apache.commons.configuration.ConfigurationException;
import org.apache.commons.configuration.PropertiesConfiguration;
import org.apache.marmotta.platform.core.api.config.ConfigurationService;
import org.apache.marmotta.platform.core.events.ConfigurationChangedEvent;
import org.apache.marmotta.platform.security.api.SecurityService;
import org.apache.marmotta.platform.security.model.HTTPMethods;
import org.apache.marmotta.platform.security.model.SecurityConstraint;
import org.apache.marmotta.platform.security.util.SubnetInfo;
import org.slf4j.Logger;
import sun.net.util.IPAddressUtil;

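/**
 * Request-level access control backed by {@code security.*} configuration keys.
 *
 * <p>Constraints are read from {@code security.permission.<name>.*} and
 * {@code security.restriction.<name>.*}, sorted, and evaluated in that order by
 * {@link #grantAccess(HttpServletRequest)}. The first matching constraint decides;
 * a request that matches no constraint is denied. When {@code security.enabled}
 * is {@code false}, every request is granted.
 *
 * <p>The constraint list is rebuilt on configuration changes and published with a
 * single volatile write, so a request never evaluates a half-built list.
 */
@ApplicationScoped
public class SecurityServiceImpl implements SecurityService {

    /** Configuration sub-trees that hold constraints, in the order they are read. */
    private static final String[] CONSTRAINT_TYPES = {"permission", "restriction"};

    /** IPv4 address with prefix length, e.g. {@code 192.168.0.0/16}. */
    private static final String IPV4_CIDR = "^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+/[0-9]+$";

    /** Bare IPv4 address; treated as a {@code /32} subnet. */
    private static final String IPV4_HOST = "^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+$";

    @Inject
    private Logger log;

    @Inject
    private ConfigurationService configurationService;

    // Set while a profile is being written into the configuration so that the
    // change observer does not re-enter profile loading.
    private boolean profileLoading = false;

    // Replaced wholesale by initSecurityConstraints(); volatile so that request
    // threads see either the previous list or the complete new one.
    private volatile List<SecurityConstraint> constraints;

    /** Logs whether access control is enabled and builds the initial constraint list. */
    @PostConstruct
    public void initialise() {
        boolean enabled = configurationService.getBooleanConfiguration("security.enabled", true);
        log.info("Initialising Security Service;  Access control is {}.", enabled ? "enabled" : "disabled");
        initSecurityConstraints();
    }

    /**
     * Rebuilds the constraint list from the current configuration.
     *
     * <p>The list is assembled in a local variable and assigned to the field only
     * once it is complete and sorted. Building it in place would let a concurrent
     * {@link #grantAccess(HttpServletRequest)} iterate a partial, unsorted list.
     */
    private void initSecurityConstraints() {
        List<SecurityConstraint> loaded = new ArrayList<>();
        if (configurationService.getBooleanConfiguration("security.enabled", true)) {
            for (String type : CONSTRAINT_TYPES) {
                // Keys look like security.<type>.<name>.<property>; collect the distinct names.
                List<String> keys = configurationService.listConfigurationKeys("security." + type);
                Set<String> names = new HashSet<>();
                for (String key : keys) {
                    String[] parts = key.split("\\.");
                    if (parts.length > 2) {
                        names.add(parts[2]);
                    }
                }
                for (String name : names) {
                    loaded.add(readConstraint(type, name));
                }
            }
            Collections.sort(loaded);
            if (log.isInfoEnabled()) {
                log.info("The following security constraints have been configured:");
                for (SecurityConstraint constraint : loaded) {
                    log.info("-- {}", constraint.toString());
                }
            }
        }
        this.constraints = loaded;
    }

    /** Reads one constraint ({@code security.<type>.<name>.*}) from the configuration. */
    private SecurityConstraint readConstraint(String type, String name) {
        String prefix = "security." + type + "." + name;
        String pattern = configurationService.getStringConfiguration(prefix + ".pattern");
        boolean enabled = configurationService.getBooleanConfiguration(prefix + ".enabled", true);
        int priority = configurationService.getIntConfiguration(prefix + ".priority", 1);
        List<String> methods = configurationService.getListConfiguration(prefix + ".methods");
        List<String> hosts = configurationService.getListConfiguration(prefix + ".host");
        List<String> roles = configurationService.getListConfiguration(prefix + ".roles");

        // Locale.ROOT: the default-locale toUpperCase() maps 'i' to a dotted capital
        // under a Turkish locale, which would make valueOf() fail for both type names.
        SecurityConstraint.Type kind =
                SecurityConstraint.Type.valueOf(type.toUpperCase(java.util.Locale.ROOT));
        SecurityConstraint constraint = new SecurityConstraint(kind, name, pattern, enabled, priority);
        constraint.getRoles().addAll(roles);
        for (String method : methods) {
            constraint.getMethods().add(HTTPMethods.parse(method));
        }
        constraint.setHostPatterns(parseHostAddresses(hosts));
        return constraint;
    }

    /**
     * Converts the {@code host} entries of a constraint into subnets.
     *
     * <p>Accepted forms: the keyword {@code LOCAL} (all addresses of the local
     * network interfaces), IPv4 CIDR {@code u.v.w.x/zz}, a bare IPv4 address
     * (taken as {@code /32}), or an IPv6 literal. Entries that cannot be parsed
     * are logged and skipped.
     *
     * <p>NOTE(review): a skipped entry leaves the constraint with fewer host
     * patterns than configured. How {@code SecurityConstraint} treats an empty
     * host-pattern set is not visible here; if it means "any host", a mistyped
     * entry on a permission widens access. Confirm and watch for these warnings.
     *
     * @param list host specifications as configured
     * @return the subnets that could be parsed; never {@code null}
     */
    private Set<SubnetInfo> parseHostAddresses(List<String> list) {
        Set<SubnetInfo> subnets = new HashSet<>();
        for (String spec : list) {
            try {
                if ("LOCAL".equalsIgnoreCase(spec)) {
                    addLocalSubnets(subnets);
                } else if (spec.matches(IPV4_CIDR)) {
                    addSubnet(subnets, spec, spec);
                } else if (spec.matches(IPV4_HOST)) {
                    addSubnet(subnets, spec + "/32", spec);
                } else if (IPAddressUtil.isIPv6LiteralAddress(spec)) {
                    // sun.net.util.IPAddressUtil is a JDK-internal class and may not
                    // be accessible on newer runtimes.
                    addSubnet(subnets, spec, spec);
                } else {
                    log.warn("invalid host name specification: {}; please use either CIDR u.v.w.x/zz notation or the keyword LOCAL", spec);
                }
            } catch (IllegalArgumentException e) {
                // One malformed entry must not abort the whole constraint reload.
                log.warn("illegal host specification for security constraint {}; not in CIDR notation!", spec);
            }
        }
        return subnets;
    }

    /** Adds every address of every local network interface; falls back to loopback on failure. */
    private void addLocalSubnets(Set<SubnetInfo> target) {
        try {
            Enumeration<NetworkInterface> interfaces = NetworkInterface.getNetworkInterfaces();
            while (interfaces.hasMoreElements()) {
                Enumeration<InetAddress> addresses = interfaces.nextElement().getInetAddresses();
                while (addresses.hasMoreElements()) {
                    try {
                        target.add(SubnetInfo.getSubnetInfo(addresses.nextElement()));
                    } catch (UnknownHostException e) {
                        log.warn("could not parse interface address: {}", e.getMessage());
                    }
                }
            }
        } catch (SocketException e) {
            log.warn("could not determine local IP addresses, will use 127.0.0.1/24");
            try {
                target.add(SubnetInfo.getSubnetInfo("127.0.0.1/24"));
                target.add(SubnetInfo.getSubnetInfo("::1/128"));
            } catch (UnknownHostException inner) {
                log.error("could not parse localhost address: {}", inner.getMessage());
            }
        }
    }

    /** Parses {@code cidr} into the target set, logging under the originally configured text. */
    private void addSubnet(Set<SubnetInfo> target, String cidr, String configured) {
        try {
            target.add(SubnetInfo.getSubnetInfo(cidr));
        } catch (UnknownHostException e) {
            log.warn("could not parse host specification '{}': {}", configured, e.getMessage());
        }
    }

    /**
     * Reacts to configuration changes: reloads the profile when
     * {@code security.profile} changed and rebuilds the constraints when any other
     * key starting with {@code security} changed. Ignored while a profile is being
     * loaded by this service.
     */
    public void configurationChangedEvent(@Observes ConfigurationChangedEvent configurationChangedEvent) {
        if (profileLoading) {
            return;
        }
        boolean profileChanged = false;
        boolean securityChanged = false;
        for (String key : configurationChangedEvent.getKeys()) {
            if ("security.profile".equals(key)) {
                profileChanged = true;
            } else if (key.startsWith("security")) {
                securityChanged = true;
            }
        }
        if (profileChanged) {
            loadSecurityProfile(configurationService.getStringConfiguration("security.profile"));
        }
        if (securityChanged) {
            boolean enabled = configurationService.getBooleanConfiguration("security.enabled", true);
            log.info("Access Control Filter reloading. Access control is {}.", enabled ? "enabled" : "disabled");
            initSecurityConstraints();
        }
    }

    /**
     * Decides whether a request may proceed.
     *
     * <p>Returns {@code true} unconditionally when {@code security.enabled} is
     * {@code false}. Otherwise the first constraint that matches the request
     * decides: a permission grants, anything else denies. No match means deny.
     *
     * <p>If {@code security.configured} is not set, the configured profile is
     * loaded first; when that profile cannot be loaded the flag stays unset and
     * the load is attempted again on the next request.
     *
     * @param httpServletRequest the incoming request
     * @return {@code true} if access is granted
     */
    @Override
    public boolean grantAccess(HttpServletRequest httpServletRequest) {
        if (!configurationService.getBooleanConfiguration("security.enabled", true)) {
            return true;
        }
        if (!configurationService.getBooleanConfiguration("security.configured")) {
            loadSecurityProfile(configurationService.getStringConfiguration("security.profile"));
        }
        // Read the field once so the whole decision is made against one list.
        List<SecurityConstraint> active = this.constraints;
        for (SecurityConstraint constraint : active) {
            if (!constraint.matches(httpServletRequest)) {
                continue;
            }
            if (constraint.getType() == SecurityConstraint.Type.PERMISSION) {
                log.debug("access to {} granted; {}", httpServletRequest.getRequestURL(), constraint);
                return true;
            }
            log.debug("access to {} denied; {}", httpServletRequest.getRequestURL(), constraint);
            return false;
        }
        log.debug("access to {} denied; no rule matched", httpServletRequest.getRequestURL());
        return false;
    }

    /**
     * Replaces all permission and restriction keys with those of the named profile
     * and rebuilds the constraints. If the profile cannot be loaded the existing
     * configuration is left untouched.
     *
     * @param str profile name; resolved to {@code security-profile.<name>.properties}
     */
    @Override
    public void loadSecurityProfile(String str) {
        profileLoading = true;
        try {
            Configuration profile = loadProfile(str, new LinkedHashSet<>());
            if (profile != null) {
                for (String type : CONSTRAINT_TYPES) {
                    List<String> stale = configurationService.listConfigurationKeys("security." + type);
                    for (String key : stale) {
                        configurationService.removeConfiguration(key);
                    }
                }
                Iterator<String> keys = profile.getKeys();
                while (keys.hasNext()) {
                    String key = keys.next();
                    configurationService.setConfigurationWithoutEvent(key, profile.getProperty(key));
                }
                configurationService.setConfigurationWithoutEvent("security.configured", true);
            }
        } finally {
            // Reset even on failure; otherwise every later configuration change
            // would be ignored by configurationChangedEvent().
            profileLoading = false;
        }
        initSecurityConstraints();
    }

    /**
     * Loads a profile from the classpath and overlays it on its
     * {@code security.profile.base} chain, if any.
     *
     * <p>The profile name is placed into the resource name as given; it is
     * expected to come from trusted configuration.
     *
     * @param str profile name
     * @param linkedHashSet base names already followed, used to stop on cycles
     * @return the merged configuration, or {@code null} if this profile or one of
     *     its bases is missing or cannot be parsed
     */
    private Configuration loadProfile(String str, LinkedHashSet<String> linkedHashSet) {
        URL resource = getClass().getClassLoader().getResource("security-profile." + str + ".properties");
        if (resource == null) {
            return null;
        }
        try {
            PropertiesConfiguration own = new PropertiesConfiguration(resource);
            if (!own.containsKey("security.profile.base")) {
                return own;
            }
            String baseName = own.getString("security.profile.base");
            if (linkedHashSet.contains(baseName)) {
                log.warn("Cycle in security configuration detected: {} -> {}", linkedHashSet, baseName);
                return own;
            }
            linkedHashSet.add(baseName);
            Configuration merged = loadProfile(baseName, linkedHashSet);
            if (merged == null) {
                // Applying a profile without its base could silently drop rules the
                // base was meant to contribute, so the whole profile counts as unloadable.
                log.error("base profile {} of security profile {} could not be loaded", baseName, str);
                return null;
            }
            Iterator<String> keys = own.getKeys();
            while (keys.hasNext()) {
                String key = keys.next();
                merged.setProperty(key, own.getProperty(key));
            }
            return merged;
        } catch (ConfigurationException e) {
            log.error("error parsing security-profile.{}.properties file at {}: {}", new Object[]{str, resource, e.getMessage()});
            return null;
        }
    }

    /**
     * Returns the constraints currently in force, in evaluation order.
     *
     * <p>This is the live list used by {@link #grantAccess(HttpServletRequest)};
     * callers should treat it as read-only.
     */
    @Override
    public List<SecurityConstraint> listSecurityConstraints() {
        return this.constraints;
    }

    /** No-op. */
    @Override
    public void ping() {
    }
}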
