package org.bonitasoft.engine.authorization;

import groovy.lang.GroovyClassLoader;
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import org.bonitasoft.engine.api.impl.APIAccessorImpl;
import org.bonitasoft.engine.api.permission.APICallContext;
import org.bonitasoft.engine.api.permission.PermissionRule;
import org.bonitasoft.engine.authorization.properties.CompoundPermissionsMapping;
import org.bonitasoft.engine.authorization.properties.CustomPermissionsMapping;
import org.bonitasoft.engine.authorization.properties.PropertiesWithSet;
import org.bonitasoft.engine.authorization.properties.ResourcesPermissionsMapping;
import org.bonitasoft.engine.classloader.ClassLoaderIdentifier;
import org.bonitasoft.engine.classloader.ClassLoaderService;
import org.bonitasoft.engine.commons.exceptions.SBonitaException;
import org.bonitasoft.engine.commons.exceptions.SExecutionException;
import org.bonitasoft.engine.dependency.model.ScopeType;
import org.bonitasoft.engine.exception.BonitaHomeNotSetException;
import org.bonitasoft.engine.home.BonitaHomeServer;
import org.bonitasoft.engine.page.SContentType;
import org.bonitasoft.engine.service.ModelConvertor;
import org.bonitasoft.engine.service.impl.ServerLoggerWrapper;
import org.bonitasoft.engine.session.APISession;
import org.bonitasoft.engine.session.SSessionNotFoundException;
import org.bonitasoft.engine.session.SessionService;
import org.bonitasoft.engine.session.model.SSession;
import org.bonitasoft.engine.sessionaccessor.SessionAccessor;
import org.bonitasoft.engine.sessionaccessor.SessionIdNotSetException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.condition.ConditionalOnSingleCandidate;
import org.springframework.stereotype.Component;

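/**
 * Tenant-scoped implementation of {@link PermissionService}.
 *
 * <p>Two authorization paths are exposed:
 * <ul>
 *   <li>{@link #isAuthorized(APICallContext)} — a static check that compares the permissions
 *       declared for a REST resource in {@link ResourcesPermissionsMapping} with the permissions
 *       carried by the caller's session. An endpoint with no declared permission is denied
 *       (fail-closed).</li>
 *   <li>{@link #checkAPICallWithScript(String, APICallContext, boolean)} — a dynamic check that
 *       loads a {@link PermissionRule} class through a {@link GroovyClassLoader} whose classpath
 *       includes the tenant's security scripts folder, instantiates it and delegates the
 *       decision to it.</li>
 * </ul>
 *
 * <p>The remaining methods maintain the permission mappings when custom pages, layouts and
 * REST API extensions are deployed or removed.
 *
 * <p>NOTE(review): every class reachable from the security scripts folder (or from the tenant
 * class loader) can be loaded and, if it implements {@link PermissionRule}, executed inside the
 * engine. The integrity of that folder is therefore part of the authorization trust boundary;
 * it must not be writable by untrusted users — confirm against deployment hardening docs.
 *
 * <p>Thread-safety: not documented; {@link #reload()} replaces {@code groovyClassLoader}
 * non-atomically, so concurrent {@code checkAPICallWithScript(..., true)} calls are not
 * guaranteed to observe a consistent loader — TODO confirm how callers serialize reloads.
 */
@Component
@ConditionalOnSingleCandidate(PermissionService.class)
/* loaded from: input_file:org/bonitasoft/engine/authorization/PermissionServiceImpl.class */
public class PermissionServiceImpl implements PermissionService {

    private static final Logger log = LoggerFactory.getLogger(PermissionServiceImpl.class);

    /** page.properties key listing the REST resources a custom page needs. */
    public static final String RESOURCES_PROPERTY = "resources";
    /** page.properties key holding the artifact content type (page, layout, apiExtension…). */
    public static final String PROPERTY_CONTENT_TYPE = "contentType";
    /** page.properties key listing the REST API extension names (comma separated). */
    public static final String PROPERTY_API_EXTENSIONS = "apiExtensions";
    /** page.properties key holding the artifact name; used as the compound-permissions key. */
    public static final String PROPERTY_NAME = "name";
    /** Per-extension key masks: {@code <extension>.method}, {@code .pathTemplate}, {@code .permissions}. */
    public static final String PROPERTY_METHOD_MASK = "%s.method";
    public static final String PROPERTY_PATH_TEMPLATE_MASK = "%s.pathTemplate";
    public static final String PROPERTY_PERMISSIONS_MASK = "%s.permissions";
    /** Resource-permission key for an extension: {@code <METHOD>|extension/<pathTemplate>}. */
    public static final String RESOURCE_PERMISSION_KEY_MASK = "%s|extension/%s";
    /** Resource-permission value format: a bracketed permission list. */
    public static final String RESOURCE_PERMISSION_VALUE = "[%s]";
    public static final String EXTENSION_SEPARATOR = ",";

    private final ClassLoaderService classLoaderService;
    private final SessionAccessor sessionAccessor;
    private final SessionService sessionService;
    /** Non-null only between {@link #start()} and {@link #stop()}. */
    private GroovyClassLoader groovyClassLoader;
    private final CompoundPermissionsMapping compoundPermissionsMapping;
    private final ResourcesPermissionsMapping resourcesPermissionsMapping;
    private final CustomPermissionsMapping customPermissionsMapping;
    protected final long tenantId;

    /**
     * @param classLoaderService          provides the tenant class loader used as parent of the Groovy loader
     * @param sessionAccessor             gives the current session id
     * @param sessionService              resolves sessions by id
     * @param tenantId                    tenant this service is bound to (injected from {@code ${tenantId}})
     * @param compoundPermissionsMapping  page/layout → permissions mapping
     * @param resourcesPermissionsMapping REST resource → permissions mapping
     * @param customPermissionsMapping    custom entity → permissions mapping
     */
    public PermissionServiceImpl(ClassLoaderService classLoaderService, SessionAccessor sessionAccessor,
            SessionService sessionService, @Value("${tenantId}") long tenantId,
            CompoundPermissionsMapping compoundPermissionsMapping,
            ResourcesPermissionsMapping resourcesPermissionsMapping,
            CustomPermissionsMapping customPermissionsMapping) {
        this.classLoaderService = classLoaderService;
        this.sessionAccessor = sessionAccessor;
        this.sessionService = sessionService;
        this.tenantId = tenantId;
        this.compoundPermissionsMapping = compoundPermissionsMapping;
        this.resourcesPermissionsMapping = resourcesPermissionsMapping;
        this.customPermissionsMapping = customPermissionsMapping;
    }

    /**
     * Runs a scripted {@link PermissionRule} against the given API call.
     *
     * <p>The rule is loaded by fully-qualified name through the Groovy class loader. Only classes
     * that implement {@link PermissionRule} are instantiated; anything else is rejected before
     * instantiation. Any failure while instantiating or running the rule is wrapped in an
     * {@link SExecutionException}, so a broken rule never results in an "allowed" answer.
     *
     * @param className   fully-qualified name of the rule class; must not be blank
     * @param context     the API call being authorized
     * @param forceReload when {@code true} the Groovy loader is recreated first so that a
     *                    modified script is picked up
     * @return the rule's decision
     * @throws SExecutionException    if the service is not started, the name is blank, the class is
     *                                not a {@link PermissionRule}, the session is not set, or the
     *                                rule fails
     * @throws ClassNotFoundException if no class of that name can be resolved
     */
    @Override
    public boolean checkAPICallWithScript(String className, APICallContext context, boolean forceReload)
            throws SExecutionException, ClassNotFoundException {
        checkStarted();
        // Class.forName(null, ...) would surface as an NPE; report a usable error instead.
        if (className == null || className.trim().isEmpty()) {
            throw new SExecutionException("The permission rule class name is empty");
        }
        Class<?> ruleClass;
        if (forceReload) {
            reload();
            // NOTE(review): the three boolean flags are the GroovyClassLoader.loadClass
            // (lookupScriptFiles, preferClassOverScript, resolve) arguments — confirm against the Groovy version in use.
            ruleClass = this.groovyClassLoader.loadClass(className, true, true, true);
        } else {
            ruleClass = Class.forName(className, true, this.groovyClassLoader);
        }
        // Type gate: refuse to instantiate arbitrary classes reachable from the script classpath.
        if (!PermissionRule.class.isAssignableFrom(ruleClass)) {
            throw new SExecutionException("The class " + ruleClass.getName()
                    + " does not implements org.bonitasoft.engine.api.permission.PermissionRule");
        }
        try {
            APISession apiSession = ModelConvertor.toAPISession(getSession(), null);
            PermissionRule rule = (PermissionRule) ruleClass.getDeclaredConstructor().newInstance();
            return rule.isAllowed(apiSession, context, createAPIAccessorImpl(),
                    new ServerLoggerWrapper(rule.getClass(), log));
        } catch (Throwable th) {
            // Deliberately broad: a rule that throws (or cannot be built) must fail closed.
            throw new SExecutionException("The permission rule " + ruleClass.getName() + " threw an exception", th);
        }
    }

    /**
     * Resolves the session of the current caller.
     *
     * @return the session whose id is exposed by the {@link SessionAccessor}
     * @throws SExecutionException if no session id is set or the session cannot be found
     */
    public SSession getSession() throws SExecutionException {
        try {
            return this.sessionService.getSession(this.sessionAccessor.getSessionId());
        } catch (SSessionNotFoundException | SessionIdNotSetException e) {
            throw new SExecutionException("The session is not set.", e);
        }
    }

    /** Recreates the Groovy class loader so that changed scripts are recompiled on next load. */
    private void reload() throws SExecutionException {
        stop();
        try {
            start();
        } catch (SBonitaException e) {
            throw new SExecutionException("The permission rule service could not be reloaded", e);
        }
    }

    /** Factory hook for the accessor handed to rules; overridable for testing. */
    protected APIAccessorImpl createAPIAccessorImpl() {
        return new APIAccessorImpl();
    }

    /** @throws SExecutionException if {@link #start()} has not been called (or {@link #stop()} has). */
    private void checkStarted() throws SExecutionException {
        if (this.groovyClassLoader == null) {
            throw new SExecutionException("The permission rule service is not started");
        }
    }

    /**
     * Builds the Groovy class loader on top of the tenant class loader and puts the tenant's
     * security scripts folder on its classpath.
     *
     * @throws SBonitaException if the security scripts folder cannot be resolved
     */
    @Override
    public void start() throws SBonitaException {
        ClassLoader tenantLoader = this.classLoaderService
                .getClassLoader(ClassLoaderIdentifier.identifier(ScopeType.TENANT, this.tenantId));
        GroovyClassLoader loader = new GroovyClassLoader(tenantLoader);
        loader.setShouldRecompile(true);
        try {
            loader.addClasspath(getBonitaHomeServer().getSecurityScriptsFolder(this.tenantId).getAbsolutePath());
        } catch (BonitaHomeNotSetException | IOException e) {
            throw new SExecutionException((Throwable) e);
        }
        this.groovyClassLoader = loader;
    }

    /** Overridable accessor for the Bonita home singleton (testing seam). */
    BonitaHomeServer getBonitaHomeServer() {
        return BonitaHomeServer.getInstance();
    }

    /** Drops the Groovy loader and its compiled-class cache; the service must be started again before use. */
    @Override
    public void stop() {
        GroovyClassLoader loader = this.groovyClassLoader;
        if (loader != null) {
            loader.clearCache();
            this.groovyClassLoader = null;
        }
    }

    /**
     * Static permission check: the call is allowed if at least one of the permissions declared
     * for the resource is held by the caller's session.
     *
     * <p>When no permission is declared for the resource (after the wildcard and id-less
     * fallbacks in {@link #getDeclaredPermissions}) the result is {@code false}.
     *
     * @param context the API call being authorized
     * @return {@code true} if the session holds any declared permission, {@code false} otherwise
     * @throws SExecutionException if the session cannot be resolved
     */
    @Override
    public boolean isAuthorized(APICallContext context) throws SExecutionException {
        log.trace("Static REST API permissions check");
        Set<String> declaredPermissions = getDeclaredPermissions(context.getApiName(), context.getResourceName(),
                context.getMethod(), context.getResourceId(), this.resourcesPermissionsMapping);
        SSession session = getSession();
        Set<String> userPermissions = session.getUserPermissions();
        if (declaredPermissions.stream().anyMatch(userPermissions::contains)) {
            return true;
        }
        log.debug("Unauthorized access to {} {}/{}{} attempted by {}, required permissions: {}",
                context.getMethod(), context.getApiName(), context.getResourceName(),
                context.getResourceId() != null ? "/" + context.getResourceId() : "",
                session.getUserName(), declaredPermissions);
        return false;
    }

    /**
     * Looks up the permissions declared for a REST resource, in order of specificity:
     * exact resource ids, then wildcard resource ids, then the resource without ids.
     *
     * @param apiName      API name (e.g. {@code bpm})
     * @param resourceName resource name within the API
     * @param method       HTTP method
     * @param resourceId   resource id(s), possibly joined by
     *                     {@link ResourcesPermissionsMapping#RESOURCE_IDS_SEPARATOR}; may be {@code null}
     * @param mapping      the mapping to query
     * @return the declared permissions; empty if none match at any level
     */
    protected Set<String> getDeclaredPermissions(String apiName, String resourceName, String method,
            String resourceId, ResourcesPermissionsMapping mapping) {
        List<String> resourceIds = resourceId == null
                ? null
                : Arrays.asList(resourceId.split(ResourcesPermissionsMapping.RESOURCE_IDS_SEPARATOR));
        Set<String> permissions = mapping.getResourcePermissions(method, apiName, resourceName, resourceIds);
        if (permissions.isEmpty()) {
            permissions = mapping.getResourcePermissionsWithWildCard(method, apiName, resourceName, resourceIds);
        }
        if (permissions.isEmpty()) {
            permissions = mapping.getResourcePermissions(method, apiName, resourceName);
        }
        return permissions;
    }

    /**
     * Registers the permissions of a deployed artifact: REST API extension resources go to the
     * resources mapping, and pages/layouts get a compound permission set derived from the
     * resources they declare.
     *
     * @param pageName   key under which page/layout permissions are stored (presumably the
     *                   artifact name; see {@link #removePermissions})
     * @param properties the artifact's page.properties
     */
    @Override
    public void addPermissions(String pageName, Properties properties) {
        Set<String> customPagePermissions = getCustomPagePermissions(
                properties.getProperty(RESOURCES_PROPERTY), this.resourcesPermissionsMapping);
        addRestApiExtensionPermissions(this.resourcesPermissionsMapping, properties);
        addPagePermissions(pageName, properties, customPagePermissions);
    }

    /** Stores the compound permission set, but only for page and layout artifacts. */
    private void addPagePermissions(String pageName, Properties properties, Set<String> permissions) {
        String contentType = properties.getProperty(PROPERTY_CONTENT_TYPE);
        if (SContentType.PAGE.equals(contentType) || "layout".equals(contentType)) {
            this.compoundPermissionsMapping.setInternalPropertyAsSet(pageName, permissions);
        }
    }

    /**
     * Reverses {@link #addPermissions}: removes the extension resource entries derived from the
     * properties and the compound entry keyed by the artifact's {@code name} property.
     */
    @Override
    public void removePermissions(Properties properties) {
        for (String key : getApiExtensionResourcesPermissionsMapping(properties).keySet()) {
            this.resourcesPermissionsMapping.removeInternalProperty(key);
        }
        this.compoundPermissionsMapping.removeInternalProperty(properties.getProperty(PROPERTY_NAME));
    }

    /**
     * Expands a page's declared resources into the union of their permissions.
     *
     * @param resources the {@code resources} property value (a bracketed, comma-separated list)
     * @param mapping   resource → permissions mapping
     * @return the union of permissions of all known resources; unknown resources contribute
     *         nothing and are logged
     */
    public Set<String> getCustomPagePermissions(String resources, ResourcesPermissionsMapping mapping) {
        Set<String> result = new HashSet<>();
        for (String resource : PropertiesWithSet.stringToSet(resources)) {
            Set<String> permissions = mapping.getPropertyAsSet(resource);
            if (permissions.isEmpty()) {
                log.warn("Error while getting resources permissions. Unknown resource: {} defined in page.properties", resource);
            }
            result.addAll(permissions);
        }
        return result;
    }

    /** Writes every extension resource → permissions entry derived from the properties. */
    void addRestApiExtensionPermissions(ResourcesPermissionsMapping mapping, Properties properties) {
        getApiExtensionResourcesPermissionsMapping(properties)
                .forEach((key, value) -> mapping.setInternalProperty(key, value));
    }

    /**
     * Derives {@code METHOD|extension/pathTemplate → [permissions]} entries from an API extension's
     * properties. Returns an empty map for any other content type.
     *
     * <p>Entries missing a method or path template are skipped with a warning instead of being
     * registered under a key containing the literal {@code null}. An entry missing its
     * permissions list is still registered (its value is then {@code [null]}), which keeps the
     * resource effectively ungrantable rather than falling through to a looser rule.
     */
    private Map<String, String> getApiExtensionResourcesPermissionsMapping(Properties properties) {
        PropertiesWithSet props = new PropertiesWithSet(properties);
        Map<String, String> mapping = new HashMap<>();
        if (!SContentType.API_EXTENSION.equals(props.getProperty(PROPERTY_CONTENT_TYPE))) {
            return mapping;
        }
        String apiExtensions = props.getProperty(PROPERTY_API_EXTENSIONS);
        if (apiExtensions == null) {
            log.warn("API extension declares no '{}' property; no REST resource permissions registered",
                    PROPERTY_API_EXTENSIONS);
            return mapping;
        }
        for (String rawName : apiExtensions.split(EXTENSION_SEPARATOR)) {
            String name = rawName.trim();
            String method = props.getProperty(String.format(PROPERTY_METHOD_MASK, name));
            String pathTemplate = props.getProperty(String.format(PROPERTY_PATH_TEMPLATE_MASK, name));
            String permissions = props.getProperty(String.format(PROPERTY_PERMISSIONS_MASK, name));
            if (method == null || pathTemplate == null) {
                log.warn("API extension '{}' is missing its method or pathTemplate property; ignored", name);
                continue;
            }
            // Keys are built as "<METHOD>|extension/<path>"; drop a leading separator to avoid "extension//...".
            if (pathTemplate.startsWith(ResourcesPermissionsMapping.RESOURCE_IDS_SEPARATOR)) {
                pathTemplate = pathTemplate.substring(ResourcesPermissionsMapping.RESOURCE_IDS_SEPARATOR.length());
            }
            if (permissions == null) {
                log.warn("API extension '{}' declares no permissions; the resource will not be grantable", name);
            }
            mapping.put(String.format(RESOURCE_PERMISSION_KEY_MASK, method, pathTemplate),
                    String.format(RESOURCE_PERMISSION_VALUE, permissions));
        }
        return mapping;
    }

    /** @return the permissions declared for the given resource key, empty if unknown. */
    @Override
    public Set<String> getResourcePermissions(String resourceKey) {
        return this.resourcesPermissionsMapping.getPropertyAsSet(resourceKey);
    }

    /** Declares (or replaces) the permission set of a custom entity. */
    public void addCustomEntityPermissions(String entityName, Set<String> permissions) {
        this.customPermissionsMapping.setPropertyAsSet(entityName, permissions);
    }

    /** Removes the permission set of a custom entity. */
    public void removeCustomEntityPermissions(String entityName) {
        this.customPermissionsMapping.removeProperty(entityName);
    }
}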
