package org.sonatype.security.realms;

import com.google.common.base.Throwables;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.google.common.collect.MapMaker;
import com.google.common.eventbus.AllowConcurrentEvents;
import com.google.common.eventbus.Subscribe;
import java.util.Collection;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import javax.annotation.Nullable;
import javax.enterprise.inject.Typed;
import javax.inject.Inject;
import javax.inject.Named;
import javax.inject.Singleton;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.RolePermissionResolver;
import org.sonatype.security.authorization.NoSuchPrivilegeException;
import org.sonatype.security.authorization.NoSuchRoleException;
import org.sonatype.security.authorization.PermissionFactory;
import org.sonatype.security.events.AuthorizationConfigurationChanged;
import org.sonatype.security.events.SecurityConfigurationChanged;
import org.sonatype.security.model.CPrivilege;
import org.sonatype.security.model.CRole;
import org.sonatype.security.realms.privileges.PrivilegeDescriptor;
import org.sonatype.security.realms.tools.ConfigurationManager;
import org.sonatype.security.realms.tools.ConfigurationManagerAction;
import org.sonatype.sisu.goodies.common.ComponentSupport;
import org.sonatype.sisu.goodies.eventbus.EventBus;

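/**
 * {@link RolePermissionResolver} that expands a role id into the permissions it grants.
 *
 * <p>Roles and privileges are read from the injected {@link ConfigurationManager}. Nested roles are
 * followed transitively, and each privilege is turned into a {@link Permission} through the
 * {@link PrivilegeDescriptor} matching its type.
 *
 * <p>Three caches sit in front of the configuration: built permissions per privilege id, resolved
 * permissions per role id, and a bounded "not found" cache of role ids the configuration did not
 * know. All three are dropped together when an {@link AuthorizationConfigurationChanged} or
 * {@link SecurityConfigurationChanged} event arrives.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>These caches feed authorization decisions. Any configuration change that does not raise
 *       one of the two events above leaves previously resolved grants in place.</li>
 *   <li>The event handlers allow concurrent delivery, so an invalidation can interleave with a
 *       resolution that is still running. NOTE(review): whether
 *       {@code ConfigurationManager.runRead} prevents that resolution from storing a result
 *       computed from the older configuration is not visible in this class. Confirm it.</li>
 * </ul>
 */
@Singleton
@Typed({RolePermissionResolver.class})
@Named("default")
/* loaded from: input_file:WEB-INF/lib/nexus-security-realms-2.14.20-02.jar:org/sonatype/security/realms/XmlRolePermissionResolver.class */
public class XmlRolePermissionResolver extends ComponentSupport implements RolePermissionResolver {
    private final ConfigurationManager configuration;
    private final List<PrivilegeDescriptor> privilegeDescriptors;
    private final PermissionFactory permissionFactory;

    // Privilege id -> built permission. Soft values, so entries may be reclaimed under memory pressure.
    private final Map<String, Permission> permissionsCache = new MapMaker().softValues().makeMap();

    // Role id -> permissions resolved for that role (nested roles included). Soft values as above.
    private final Map<String, Collection<Permission>> rolePermissionsCache = new MapMaker().softValues().makeMap();

    // Role ids the configuration reported as missing; only the key matters, the value is a dummy.
    private final Cache<String, String> roleNotFoundCache;

    /**
     * Wires the resolver and subscribes it to configuration-change events.
     *
     * @param configurationManager source of role and privilege definitions
     * @param list available privilege descriptors, matched by privilege type
     * @param permissionFactory factory used to turn a permission string into a {@link Permission}
     * @param eventBus bus on which the cache-invalidating events are delivered
     * @param i maximum number of entries kept in the role-not-found cache
     *     ({@code security.roleNotFoundCacheSize}, default 100000)
     */
    @Inject
    public XmlRolePermissionResolver(@Named("default") ConfigurationManager configurationManager, List<PrivilegeDescriptor> list, @Named("caching") PermissionFactory permissionFactory, EventBus eventBus, @Named("${security.roleNotFoundCacheSize:-100000}") int i) {
        this.configuration = configurationManager;
        this.privilegeDescriptors = list;
        this.permissionFactory = permissionFactory;
        // Bounded on purpose: keys are whatever role ids callers ask about, including unknown ones.
        this.roleNotFoundCache = CacheBuilder.newBuilder().maximumSize(i).build();
        // Registered last so every field is assigned before an event can reach this instance.
        eventBus.register(this);
    }

    /** Drops every cached permission, role resolution and not-found marker. */
    private void invalidate() {
        this.permissionsCache.clear();
        this.rolePermissionsCache.clear();
        this.roleNotFoundCache.invalidateAll();
        this.log.trace("Cache invalidated");
    }

    /**
     * Invalidates all caches when the authorization configuration changes.
     *
     * @param authorizationConfigurationChanged the event (content is not inspected)
     */
    @AllowConcurrentEvents
    @Subscribe
    public void on(AuthorizationConfigurationChanged authorizationConfigurationChanged) {
        invalidate();
    }

    /**
     * Invalidates all caches when the security configuration changes.
     *
     * @param securityConfigurationChanged the event (content is not inspected)
     */
    @AllowConcurrentEvents
    @Subscribe
    public void on(SecurityConfigurationChanged securityConfigurationChanged) {
        invalidate();
    }

    /**
     * Resolves the permissions granted by a role, running the lookup inside
     * {@link ConfigurationManager#runRead}.
     *
     * @param str the role id to resolve
     * @return a new set owned by the caller; it is never the instance held in the cache
     * @throws RuntimeException any failure of the read action, propagated via {@link Throwables}
     */
    @Override // org.apache.shiro.authz.permission.RolePermissionResolver
    public Collection<Permission> resolvePermissionsInRole(final String str) {
        final Collection<Permission> result = new LinkedHashSet<Permission>();
        try {
            this.configuration.runRead(new ConfigurationManagerAction() { // from class: org.sonatype.security.realms.XmlRolePermissionResolver.1
                @Override // org.sonatype.security.realms.tools.ConfigurationManagerAction
                public void run() throws Exception {
                    XmlRolePermissionResolver.this.resolvePermissionsInRole(str, result);
                }
            });
        } catch (Exception e) {
            throw Throwables.propagate(e);
        }
        return result;
    }

    /**
     * Adds the permissions granted by a role, and by the roles nested in it, to {@code collection}.
     *
     * <p>The result is computed into a private set. That set is what gets cached, and its content is
     * copied into {@code collection}. The cache therefore holds only permissions that belong to
     * {@code str}, even when the caller passes a collection that already has entries, and later
     * changes to the caller's collection cannot alter cached grants.
     *
     * @param str the role id to resolve
     * @param collection receives the resolved permissions; existing content is left in place
     */
    protected void resolvePermissionsInRole(String str, Collection<Permission> collection) {
        if (this.rolePermissionsCache.get(str) != null) {
            reloadConfigToMakeSureNotDirty(str);
            // Read the cache again: the lookup above may have caused the entry to be dropped.
            Collection<Permission> cached = this.rolePermissionsCache.get(str);
            if (cached != null && !cached.isEmpty()) {
                collection.addAll(cached);
                return;
            }
        }

        Collection<Permission> resolved = new LinkedHashSet<Permission>();
        LinkedList<String> pending = new LinkedList<String>();
        LinkedHashSet<String> visited = new LinkedHashSet<String>();
        pending.add(str);
        while (!pending.isEmpty()) {
            String roleId = pending.removeFirst();
            if (!visited.add(roleId)) {
                // Already expanded; this also stops role definitions that reference each other.
                continue;
            }
            if (this.roleNotFoundCache.getIfPresent(roleId) != null) {
                this.log.trace("Role {} found in NFC, role check skipped", roleId);
                continue;
            }
            try {
                CRole role = this.configuration.readRole(roleId);
                Collection<Permission> cachedNested = this.rolePermissionsCache.get(roleId);
                if (cachedNested != null) {
                    // A cached entry is already the full expansion, so nested roles are not queued.
                    resolved.addAll(cachedNested);
                } else {
                    pending.addAll(role.getRoles());
                    for (String privilegeId : role.getPrivileges()) {
                        Permission permission = permission(privilegeId);
                        if (permission != null) {
                            resolved.add(permission);
                        }
                    }
                }
            } catch (NoSuchRoleException e) {
                handleNoSuchRole(roleId, e);
            }
        }
        collection.addAll(resolved);
        this.rolePermissionsCache.put(str, resolved);
    }

    /**
     * Reads the role once before a cached resolution is trusted.
     *
     * <p>NOTE(review): going by the method name, the read is made for its side effect of letting the
     * configuration reload itself when dirty; confirm against {@code ConfigurationManager}.
     *
     * <p>If the configuration reports the role as missing, its cached resolution is dropped so that
     * the caller recomputes instead of returning grants for a role that no longer exists.
     *
     * @param roleId the role id whose cached entry is about to be used
     */
    private void reloadConfigToMakeSureNotDirty(String roleId) {
        try {
            this.configuration.readRole(roleId);
        } catch (NoSuchRoleException e) {
            this.rolePermissionsCache.remove(roleId);
            this.log.trace("Role {} no longer present, cached permissions dropped", roleId, e);
        }
    }

    /**
     * Records a role id as unknown so later resolutions skip the configuration lookup for it.
     * The marker stays until the next cache invalidation or until the bounded cache evicts it.
     *
     * @param roleId the role id that was not found
     * @param noSuchRoleException the lookup failure, logged at trace level
     */
    private void handleNoSuchRole(String roleId, NoSuchRoleException noSuchRoleException) {
        this.log.trace("Ignoring missing role: {}", roleId, noSuchRoleException);
        this.roleNotFoundCache.put(roleId, "");
    }

    /**
     * Finds the descriptor registered for a privilege type.
     *
     * @param type the privilege type; must not be null
     * @return the first descriptor whose type equals {@code type}, or null when none matches
     */
    @Nullable
    private PrivilegeDescriptor descriptor(String type) {
        assert type != null;
        for (PrivilegeDescriptor candidate : this.privilegeDescriptors) {
            if (type.equals(candidate.getType())) {
                return candidate;
            }
        }
        // No permission is built for a privilege without a descriptor, so it grants nothing.
        this.log.warn("Missing privilege-descriptor for type: {}", type);
        return null;
    }

    /**
     * Returns the permission for a privilege id, building and caching it on first use.
     *
     * @param privilegeId the privilege id; must not be null
     * @return the permission, or null when the privilege is unknown, has no descriptor, or its
     *     descriptor builds no permission string
     */
    @Nullable
    private Permission permission(String privilegeId) {
        assert privilegeId != null;
        Permission cached = this.permissionsCache.get(privilegeId);
        if (cached != null) {
            return cached;
        }
        try {
            CPrivilege privilege = this.configuration.readPrivilege(privilegeId);
            PrivilegeDescriptor descriptor = descriptor(privilege.getType());
            if (descriptor == null) {
                return null;
            }
            String permissionString = descriptor.buildPermission(privilege);
            if (permissionString == null) {
                return null;
            }
            Permission created = this.permissionFactory.create(permissionString);
            this.permissionsCache.put(privilegeId, created);
            return created;
        } catch (NoSuchPrivilegeException e) {
            this.log.trace("Ignoring missing privilege: {}", privilegeId, e);
            return null;
        }
    }
}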
