package org.sonatype.nexus.proxy.access;

import com.google.common.annotations.VisibleForTesting;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.inject.Inject;
import javax.inject.Named;
import javax.inject.Singleton;
import org.apache.shiro.subject.Subject;
import org.apache.tika.metadata.Metadata;
import org.sonatype.nexus.jsecurity.realms.TargetPrivilegeRepositoryTargetPropertyDescriptor;
import org.sonatype.nexus.proxy.NoSuchRepositoryException;
import org.sonatype.nexus.proxy.ResourceStoreRequest;
import org.sonatype.nexus.proxy.registry.RepositoryRegistry;
import org.sonatype.nexus.proxy.repository.GroupRepository;
import org.sonatype.nexus.proxy.repository.Repository;
import org.sonatype.nexus.proxy.targets.Target;
import org.sonatype.nexus.proxy.targets.TargetMatch;
import org.sonatype.nexus.proxy.targets.TargetRegistry;
import org.sonatype.nexus.proxy.targets.TargetSet;
import org.sonatype.nexus.threads.FakeAlmightySubject;
import org.sonatype.security.SecuritySystem;
import org.sonatype.security.authorization.AuthorizationManager;
import org.sonatype.security.authorization.NoSuchPrivilegeException;
import org.sonatype.security.authorization.NoSuchRoleException;
import org.sonatype.security.authorization.Privilege;
import org.sonatype.security.authorization.Role;
import org.sonatype.security.usermanagement.User;
import org.sonatype.security.usermanagement.UserNotFoundException;
import org.sonatype.sisu.goodies.common.ComponentSupport;

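/**
 * Default {@link NexusItemAuthorizer}: decides whether the current Shiro {@link Subject} may
 * perform an {@link Action} on a path of a {@link Repository}.
 *
 * <p>Two strategies exist, selected by the {@code authorizeByPrivilegedTargets} flag:
 * <ul>
 *   <li>{@code false}: the repository's own {@link TargetSet} for the request is checked against
 *       the subject's Shiro permissions.</li>
 *   <li>{@code true} (the property placeholder's default): the repository targets referenced by
 *       the subject's assigned {@code target} privileges are matched against the request path
 *       first; holding the admin privilege ({@link #ADMIN_PRIVILEGE_ID}) allows everything.</li>
 * </ul>
 * In both modes a denial on the repository itself cascades to every group repository that
 * contains it, so a grant on any containing group also grants the member path.
 *
 * <p>Note that {@link #authorizePath(TargetSet, Action)} allows a request that matches no
 * repository target at all — targets only restrict the paths they cover.
 */
@Singleton
@Named
/* loaded from: input_file:WEB-INF/lib/nexus-core-2.14.18-01.jar:org/sonatype/nexus/proxy/access/DefaultNexusItemAuthorizer.class */
public class DefaultNexusItemAuthorizer extends ComponentSupport implements NexusItemAuthorizer {
    private final SecuritySystem securitySystem;
    private final RepositoryRegistry repoRegistry;
    private final TargetRegistry targetRegistry;
    private final AuthorizationManager defaultAuthorizationManager;
    /** Selects the privileged-targets strategy (see class Javadoc). */
    private final boolean authorizeByPrivilegedTargets;

    /** Privilege id that grants every path in the privileged-targets strategy. */
    @VisibleForTesting
    static final String ADMIN_PRIVILEGE_ID = "1000";

    /**
     * Separator between the parts of a permission string ({@code nexus:view:<repo>:<name>}).
     * The decompiler resolved the literal to this Tika constant; its value is ":".
     */
    private static final String PERMISSION_PART_DELIMITER = Metadata.NAMESPACE_PREFIX_DELIMITER;

    private static final String VIEW_PERMISSION_PREFIX = "nexus:view:";
    private static final String TARGET_PERMISSION_PREFIX = "nexus:target:";
    /** Privilege type whose {@code repositoryTargetId} property names a repository target. */
    private static final String TARGET_PRIVILEGE_TYPE = "target";

    /**
     * @param securitySystem source of the current subject and of user lookups
     * @param repositoryRegistry used to resolve group membership for the cascade
     * @param targetRegistry used to resolve repository targets referenced by privileges
     * @param authorizationManager the "default" manager used to expand roles and privileges
     * @param z value of {@code defaultNexusItemAuthorizer.authorizeByPrivilegedTargets}
     */
    @Inject
    public DefaultNexusItemAuthorizer(SecuritySystem securitySystem, RepositoryRegistry repositoryRegistry, TargetRegistry targetRegistry, @Named("default") AuthorizationManager authorizationManager, @Named("${defaultNexusItemAuthorizer.authorizeByPrivilegedTargets:-true}") boolean z) {
        this.securitySystem = securitySystem;
        this.repoRegistry = repositoryRegistry;
        this.targetRegistry = targetRegistry;
        this.defaultAuthorizationManager = authorizationManager;
        this.authorizeByPrivilegedTargets = z;
    }

    /**
     * Authorizes {@code action} on the requested path of {@code repository}, falling back to
     * every group repository that contains it.
     *
     * @return {@code true} if the repository itself or any containing group grants the action
     */
    @Override
    public boolean authorizePath(Repository repository, ResourceStoreRequest resourceStoreRequest, Action action) {
        if (authorizeByPrivilegedTargets) {
            if (isAuthorizeByPrivilegedTargets(repository, resourceStoreRequest, action)) {
                return true;
            }
        } else {
            TargetSet targets = repository.getTargetsForRequest(resourceStoreRequest);
            if (targets != null && authorizePath(targets, action)) {
                return true;
            }
        }
        // Not granted on the repository itself: a grant on any containing group is enough.
        return authorizePathCascade(repository, resourceStoreRequest, action);
    }

    /**
     * Privileged-targets strategy: the system subject and admins are always allowed; otherwise
     * the targets named by the user's {@code target} privileges must cover the request path.
     *
     * @return {@code false} when the subject has no resolvable user or no covering target
     */
    private boolean isAuthorizeByPrivilegedTargets(Repository repository, ResourceStoreRequest resourceStoreRequest, Action action) {
        Subject subject = securitySystem.getSubject();
        if (subject instanceof FakeAlmightySubject) {
            // Internal subject used by system threads; presumably never backed by a real user.
            return true;
        }
        User user = getUser(subject);
        if (user == null) {
            return false;
        }
        Set<String> assignedPrivileges = getAssignedPrivileges(user);
        if (hasAdminPrivilege(assignedPrivileges)) {
            return true;
        }
        return hasRequiredRepoTargetPrivilege(assignedPrivileges, resourceStoreRequest, repository, action);
    }

    /**
     * Recurses into every group containing {@code repository}; any group that grants the
     * action grants it for the member too. Recursion passes through the public
     * {@link #authorizePath(Repository, ResourceStoreRequest, Action)} and has no cycle guard,
     * so it relies on the registry rejecting cyclic group membership.
     */
    private boolean authorizePathCascade(Repository repository, ResourceStoreRequest resourceStoreRequest, Action action) {
        for (GroupRepository group : repoRegistry.getGroupsOfRepository(repository)) {
            if (authorizePath(group, resourceStoreRequest, action)) {
                return true;
            }
        }
        return false;
    }

    /** @return whether the current subject holds the single Shiro permission {@code str} */
    @Override
    public boolean authorizePermission(String str) {
        return isPermitted(Collections.singletonList(str));
    }

    /**
     * Collects the targets matching the request in every group (transitively) containing the
     * repository. The recursion has no cycle guard; see {@link #authorizePathCascade}.
     */
    @Override
    public TargetSet getGroupsTargetSet(Repository repository, ResourceStoreRequest resourceStoreRequest) {
        TargetSet collected = new TargetSet();
        for (Repository group : getListOfGroups(repository.getId())) {
            collected.addTargetSet(group.getTargetsForRequest(resourceStoreRequest));
            collected.addTargetSet(getGroupsTargetSet(group, resourceStoreRequest));
        }
        return collected;
    }

    /**
     * Checks the subject against the permissions derived from {@code targetSet}.
     *
     * @return {@code true} if the set matched no repository at all (nothing restricts the
     *         path), or if the subject holds at least one of the derived target permissions
     */
    @Override
    public boolean authorizePath(TargetSet targetSet, Action action) {
        if (targetSet.getMatchedRepositoryIds().size() > 0) {
            return isPermitted(getTargetPerms(targetSet, action));
        }
        return true;
    }

    /** @return whether the subject holds {@code nexus:view:<str>:<str2>} */
    @Override
    public boolean isViewable(String str, String str2) {
        return authorizePermission(VIEW_PERMISSION_PREFIX + str + PERMISSION_PART_DELIMITER + str2);
    }

    /**
     * Resolves the groups directly containing the repository with id {@code str}. Groups that
     * are registered as parents but cannot be resolved are skipped (best effort).
     */
    protected List<Repository> getListOfGroups(String str) {
        List<Repository> groups = new ArrayList<>();
        for (String groupId : repoRegistry.getGroupsOfRepository(str)) {
            try {
                groups.add(repoRegistry.getRepository(groupId));
            } catch (NoSuchRepositoryException e) {
                // Stale group registration; skipping it only narrows the cascade.
                log.debug("Unable to find group repository: '{}'. Because of: {}", groupId, e.getMessage());
            }
        }
        return groups;
    }

    /**
     * Builds one {@code nexus:target:<targetId>:<repositoryId>:<action>} permission string per
     * match in {@code targetSet}; {@link #isPermitted} accepts the subject if it holds any one.
     */
    protected List<String> getTargetPerms(TargetSet targetSet, Action action) {
        List<String> perms = new ArrayList<>(targetSet.getMatches().size());
        for (TargetMatch match : targetSet.getMatches()) {
            perms.add(TARGET_PERMISSION_PREFIX + match.getTarget().getId() + PERMISSION_PART_DELIMITER + match.getRepository().getId() + PERMISSION_PART_DELIMITER + action);
        }
        return perms;
    }

    /**
     * Asks Shiro whether the current subject holds at least one permission in {@code list}
     * (OR semantics). A missing subject is rejected; an empty list is rejected too.
     */
    protected boolean isPermitted(List<String> list) {
        // Guarded rather than relying on parameterized logging so getPrincipal() is only
        // called when tracing is on, exactly as the original did.
        boolean trace = log.isTraceEnabled();
        Subject subject = securitySystem.getSubject();
        if (trace) {
            log.trace("Subject: {}", subject);
        }
        if (subject == null) {
            if (trace) {
                log.trace("Subject is not authenticated; rejecting");
            }
            return false;
        }
        if (trace) {
            log.trace("Checking if subject '{}' has one of these permissions: {}", subject.getPrincipal(), list);
        }
        for (String permission : list) {
            if (subject.isPermitted(permission)) {
                if (trace) {
                    log.trace("Subject '{}' has permission: {}; allowing", subject.getPrincipal(), permission);
                }
                return true;
            }
        }
        if (trace) {
            log.trace("Subject '{}' is missing required permissions; rejecting", subject.getPrincipal());
        }
        return false;
    }

    /**
     * Looks up the {@link User} behind {@code subject} by its principal.
     *
     * @return {@code null} when there is no subject or the principal resolves to no user
     */
    private User getUser(Subject subject) {
        if (subject == null) {
            log.debug("Attempt to authenticate with no Subject.");
            return null;
        }
        try {
            // NOTE(review): assumes the primary principal is the user id string — confirm
            // against the realms in use; a non-String principal would throw ClassCastException.
            return securitySystem.getUser((String) subject.getPrincipal());
        } catch (UserNotFoundException e) {
            log.debug("Unable to find user: {}", e.getMessage());
            return null;
        }
    }

    /**
     * Maps privilege ids to the repository-target ids of those that are {@code target}
     * privileges; other privilege types and unknown ids are ignored.
     */
    private Set<String> getPrivilegedTargets(Set<String> set) {
        Set<String> targetIds = new HashSet<>();
        for (String privilegeId : set) {
            addPrivilege(targetIds, privilegeId);
        }
        return targetIds;
    }

    /** Expands every role assigned to {@code user} (transitively) into its privilege ids. */
    private Set<String> getAssignedPrivileges(User user) {
        Set<String> privileges = new HashSet<>();
        user.getRoles().forEach(roleIdentifier -> {
            try {
                privileges.addAll(getAllPrivilegesFromRole(defaultAuthorizationManager.getRole(roleIdentifier.getRoleId()), defaultAuthorizationManager));
            } catch (NoSuchRoleException e) {
                log.debug("Unable to find Role: '{}' for User: '{}'. Because of: {}", roleIdentifier, user, e.getMessage());
            }
        });
        return privileges;
    }

    /**
     * Collects the privilege ids of {@code role} and of every role it contains, transitively.
     * Nested role ids are expanded at most once, so cyclic role nesting (A contains B contains
     * A) terminates instead of recursing until the stack overflows.
     */
    private Set<String> getAllPrivilegesFromRole(Role role, AuthorizationManager authorizationManager) {
        Set<String> privileges = new HashSet<>();
        collectPrivileges(role, authorizationManager, privileges, new HashSet<>());
        return privileges;
    }

    /** Recursive worker for {@link #getAllPrivilegesFromRole}; {@code visitedRoleIds} is the cycle guard. */
    private void collectPrivileges(Role role, AuthorizationManager authorizationManager, Set<String> privileges, Set<String> visitedRoleIds) {
        privileges.addAll(role.getPrivileges());
        for (String nestedRoleId : role.getRoles()) {
            if (!visitedRoleIds.add(nestedRoleId)) {
                continue; // already expanded on this traversal
            }
            try {
                collectPrivileges(authorizationManager.getRole(nestedRoleId), authorizationManager, privileges, visitedRoleIds);
            } catch (NoSuchRoleException e) {
                log.debug("Unable to find Role: '{}'. Because of: {}", nestedRoleId, e.getMessage());
            }
        }
    }

    /** Adds the repository-target id of privilege {@code str} to {@code set} if it is a target privilege. */
    private void addPrivilege(Set<String> set, String str) {
        try {
            Privilege privilege = defaultAuthorizationManager.getPrivilege(str);
            if (TARGET_PRIVILEGE_TYPE.equals(privilege.getType())) {
                set.add(privilege.getPrivilegeProperty(TargetPrivilegeRepositoryTargetPropertyDescriptor.ID));
            }
        } catch (NoSuchPrivilegeException e) {
            log.debug("Unable to find Privilege: '{}'. Because of: {}", str, e.getMessage());
        }
    }

    /** @return whether the assigned privilege ids include {@link #ADMIN_PRIVILEGE_ID} */
    private boolean hasAdminPrivilege(Set<String> set) {
        return set.contains(ADMIN_PRIVILEGE_ID);
    }

    /**
     * Matches the targets named by the user's target privileges against the request path in
     * {@code repository}; on at least one match the resulting {@link TargetSet} is then
     * checked against the subject's Shiro permissions.
     *
     * @return {@code false} when no privileged target covers the path
     */
    private boolean hasRequiredRepoTargetPrivilege(Set<String> set, ResourceStoreRequest resourceStoreRequest, Repository repository, Action action) {
        Set<String> privilegedTargets = getPrivilegedTargets(set);
        TargetSet matched = new TargetSet();
        for (String targetId : privilegedTargets) {
            Target repositoryTarget = targetRegistry.getRepositoryTarget(targetId);
            if (repositoryTarget == null) {
                log.debug("Unable to find Repository Target: '{}'.", targetId);
            } else if (repositoryTarget.isPathContained(repository.getRepositoryContentClass(), resourceStoreRequest.getRequestPath())) {
                matched.addTargetMatch(new TargetMatch(repositoryTarget, repository));
            }
        }
        if (matched.getMatches().size() > 0) {
            return authorizePath(matched, action);
        }
        return false;
    }
}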
