package com.yahoo.elide.security.executors;

import com.yahoo.elide.annotation.DeletePermission;
import com.yahoo.elide.annotation.ReadPermission;
import com.yahoo.elide.annotation.SharePermission;
import com.yahoo.elide.core.RequestScope;
import com.yahoo.elide.core.exceptions.ForbiddenAccessException;
import com.yahoo.elide.core.filter.expression.FilterExpression;
import com.yahoo.elide.parsers.expression.CriterionExpressionVisitor;
import com.yahoo.elide.security.ChangeSpec;
import com.yahoo.elide.security.PermissionExecutor;
import com.yahoo.elide.security.PersistentResource;
import com.yahoo.elide.security.SecurityMode;
import com.yahoo.elide.security.permissions.ExpressionResult;
import com.yahoo.elide.security.permissions.ExpressionResultCache;
import com.yahoo.elide.security.permissions.PermissionExpressionBuilder;
import com.yahoo.elide.security.permissions.expressions.Expression;
import java.beans.ConstructorProperties;
import java.lang.annotation.Annotation;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Optional;
import java.util.Queue;
import java.util.Set;
import java.util.concurrent.LinkedBlockingQueue;
import java.util.function.BiFunction;
import java.util.function.Function;
import org.antlr.v4.runtime.tree.ParseTree;
import org.apache.commons.lang3.tuple.Triple;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/yahoo/elide/security/executors/ActivePermissionExecutor.class */
public class ActivePermissionExecutor implements PermissionExecutor {
    private static final Logger log = LoggerFactory.getLogger(ActivePermissionExecutor.class);
    private final Queue<QueuedCheck> commitCheckQueue = new LinkedBlockingQueue();
    private final RequestScope requestScope;
    private final PermissionExpressionBuilder expressionBuilder;
    private final Set<Triple<Class<? extends Annotation>, Class, String>> expressionResultShortCircuit;
    private final Map<Triple<Class<? extends Annotation>, Class, String>, ExpressionResult> userPermissionCheckCache;
    private final Map<String, Long> checkStats;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/yahoo/elide/security/executors/ActivePermissionExecutor$QueuedCheck.class */
    public static class QueuedCheck {
        private final Expression expression;
        private final Class<? extends Annotation> annotationClass;

        @ConstructorProperties({"expression", "annotationClass"})
        public QueuedCheck(Expression expression, Class<? extends Annotation> cls) {
            this.expression = expression;
            this.annotationClass = cls;
        }

        public Expression getExpression() {
            return this.expression;
        }

        public Class<? extends Annotation> getAnnotationClass() {
            return this.annotationClass;
        }
    }

    public ActivePermissionExecutor(RequestScope requestScope) {
        ExpressionResultCache expressionResultCache = new ExpressionResultCache();
        this.requestScope = requestScope;
        this.expressionBuilder = new PermissionExpressionBuilder(expressionResultCache, requestScope.getDictionary());
        this.userPermissionCheckCache = new HashMap();
        this.expressionResultShortCircuit = new HashSet();
        this.checkStats = new HashMap();
    }

    @Override // com.yahoo.elide.security.PermissionExecutor
    public <A extends Annotation> ExpressionResult checkPermission(Class<A> cls, PersistentResource persistentResource) {
        return checkPermission(cls, persistentResource, null);
    }

    @Override // com.yahoo.elide.security.PermissionExecutor
    public <A extends Annotation> ExpressionResult checkPermission(Class<A> cls, PersistentResource persistentResource, ChangeSpec changeSpec) {
        PermissionExpressionBuilder.Expressions buildAnyFieldExpressions;
        if (this.requestScope.getSecurityMode() == SecurityMode.SECURITY_INACTIVE) {
            return ExpressionResult.PASS;
        }
        if (SharePermission.class == cls) {
            buildAnyFieldExpressions = this.expressionBuilder.buildSharePermissionExpressions(persistentResource);
        } else {
            ExpressionResult checkUserPermissions = checkUserPermissions(persistentResource.getResourceClass(), cls);
            if (checkUserPermissions == ExpressionResult.PASS) {
                return checkUserPermissions;
            }
            buildAnyFieldExpressions = this.expressionBuilder.buildAnyFieldExpressions(persistentResource, cls, changeSpec);
        }
        return executeExpressions(buildAnyFieldExpressions, cls);
    }

    @Override // com.yahoo.elide.security.PermissionExecutor
    public <A extends Annotation> ExpressionResult checkSpecificFieldPermissions(PersistentResource<?> persistentResource, ChangeSpec changeSpec, Class<A> cls, String str) {
        if (this.requestScope.getSecurityMode() == SecurityMode.SECURITY_INACTIVE) {
            return ExpressionResult.PASS;
        }
        ExpressionResult checkUserPermissions = checkUserPermissions(persistentResource, cls, str);
        return checkUserPermissions == ExpressionResult.PASS ? checkUserPermissions : executeExpressions(this.expressionBuilder.buildSpecificFieldExpressions(persistentResource, cls, str, changeSpec), cls);
    }

    @Override // com.yahoo.elide.security.PermissionExecutor
    public <A extends Annotation> ExpressionResult checkSpecificFieldPermissionsDeferred(PersistentResource<?> persistentResource, ChangeSpec changeSpec, Class<A> cls, String str) {
        if (this.requestScope.getSecurityMode() == SecurityMode.SECURITY_INACTIVE) {
            return ExpressionResult.PASS;
        }
        ExpressionResult checkUserPermissions = checkUserPermissions(persistentResource, cls, str);
        if (checkUserPermissions == ExpressionResult.PASS) {
            return checkUserPermissions;
        }
        Expression commitExpression = this.expressionBuilder.buildSpecificFieldExpressions(persistentResource, cls, str, changeSpec).getCommitExpression();
        if (commitExpression != null) {
            this.commitCheckQueue.add(new QueuedCheck(commitExpression, cls));
        }
        return ExpressionResult.DEFERRED;
    }

    @Override // com.yahoo.elide.security.PermissionExecutor
    public <A extends Annotation> ExpressionResult checkUserPermissions(PersistentResource<?> persistentResource, Class<A> cls, String str) {
        if (this.requestScope.getSecurityMode() == SecurityMode.SECURITY_INACTIVE) {
            return ExpressionResult.PASS;
        }
        ExpressionResult expressionResult = this.userPermissionCheckCache.get(Triple.of(cls, persistentResource.getResourceClass(), str));
        if (expressionResult != null) {
            return expressionResult;
        }
        ExpressionResult executeExpressions = executeExpressions(this.expressionBuilder.buildUserCheckFieldExpressions(persistentResource, cls, str), cls);
        this.userPermissionCheckCache.put(Triple.of(cls, persistentResource.getResourceClass(), str), executeExpressions);
        if (executeExpressions == ExpressionResult.PASS) {
            this.expressionResultShortCircuit.add(Triple.of(cls, persistentResource.getResourceClass(), str));
        }
        return executeExpressions;
    }

    @Override // com.yahoo.elide.security.PermissionExecutor
    public <A extends Annotation> ExpressionResult checkUserPermissions(Class<?> cls, Class<A> cls2) {
        if (this.requestScope.getSecurityMode() == SecurityMode.SECURITY_INACTIVE) {
            return ExpressionResult.PASS;
        }
        ExpressionResult expressionResult = this.userPermissionCheckCache.get(Triple.of(cls2, cls, (Object) null));
        if (expressionResult != null) {
            return expressionResult;
        }
        ExpressionResult executeExpressions = executeExpressions(this.expressionBuilder.buildUserCheckAnyExpression(cls, cls2, this.requestScope), cls2);
        this.userPermissionCheckCache.put(Triple.of(cls2, cls, (Object) null), executeExpressions);
        if (executeExpressions == ExpressionResult.PASS) {
            this.expressionResultShortCircuit.add(Triple.of(cls2, cls, (Object) null));
        }
        return executeExpressions;
    }

    @Override // com.yahoo.elide.security.PermissionExecutor
    public Optional<FilterExpression> getReadPermissionFilter(Class<?> cls) {
        return this.requestScope.getSecurityMode() == SecurityMode.SECURITY_INACTIVE ? Optional.empty() : Optional.ofNullable(this.expressionBuilder.buildAnyFieldFilterExpression(cls, this.requestScope));
    }

    @Override // com.yahoo.elide.security.PermissionExecutor
    public void executeCommitChecks() {
        this.commitCheckQueue.forEach(queuedCheck -> {
            Expression expression = queuedCheck.getExpression();
            if (expression.evaluate() == ExpressionResult.FAIL) {
                ForbiddenAccessException forbiddenAccessException = new ForbiddenAccessException(queuedCheck.getAnnotationClass().getSimpleName(), expression);
                log.trace("{}", forbiddenAccessException.getLoggedMessage());
                throw forbiddenAccessException;
            }
        });
        this.commitCheckQueue.clear();
    }

    @Override // com.yahoo.elide.security.PermissionExecutor
    public <T> T getCriterion(ParseTree parseTree, Function<T, T> function, BiFunction<T, T, T> biFunction, BiFunction<T, T, T> biFunction2) {
        if (parseTree == null) {
            return null;
        }
        return (T) new CriterionExpressionVisitor(this.requestScope, this.requestScope.getDictionary(), function, biFunction2, biFunction).visit(parseTree);
    }

    @Override // com.yahoo.elide.security.PermissionExecutor
    public boolean shouldShortCircuitPermissionChecks(Class<? extends Annotation> cls, Class cls2, String str) {
        return this.expressionResultShortCircuit.contains(Triple.of(cls, cls2, str));
    }

    private ExpressionResult executeExpressions(PermissionExpressionBuilder.Expressions expressions, Class<? extends Annotation> cls) {
        Expression operationExpression = expressions.getOperationExpression();
        ExpressionResult evaluate = operationExpression.evaluate();
        this.checkStats.put(operationExpression.toString(), Long.valueOf(this.checkStats.getOrDefault(operationExpression.toString(), 0L).longValue() + 1));
        if (evaluate != ExpressionResult.DEFERRED) {
            if (evaluate != ExpressionResult.FAIL) {
                return evaluate;
            }
            ForbiddenAccessException forbiddenAccessException = new ForbiddenAccessException(cls.getSimpleName(), operationExpression);
            log.trace("{}", forbiddenAccessException.getLoggedMessage());
            throw forbiddenAccessException;
        }
        Expression commitExpression = expressions.getCommitExpression();
        if (commitExpression != null) {
            if (!isInlineOnlyCheck(cls)) {
                this.commitCheckQueue.add(new QueuedCheck(commitExpression, cls));
            } else if (commitExpression.evaluate() == ExpressionResult.FAIL) {
                ForbiddenAccessException forbiddenAccessException2 = new ForbiddenAccessException(cls.getSimpleName(), commitExpression);
                log.trace("{}", forbiddenAccessException2.getLoggedMessage());
                throw forbiddenAccessException2;
            }
        }
        return ExpressionResult.DEFERRED;
    }

    private boolean isInlineOnlyCheck(Class<? extends Annotation> cls) {
        return ReadPermission.class.isAssignableFrom(cls) || DeletePermission.class.isAssignableFrom(cls);
    }

    @Override // com.yahoo.elide.security.PermissionExecutor
    public String printCheckStats() {
        StringBuilder sb = new StringBuilder("Permission Check Statistics:\n");
        this.checkStats.entrySet().stream().sorted(Map.Entry.comparingByValue()).forEachOrdered(entry -> {
            sb.append(((String) entry.getKey()) + ": " + entry.getValue() + "\n");
        });
        String sb2 = sb.toString();
        log.trace(sb2);
        return sb2;
    }

    @Override // com.yahoo.elide.security.PermissionExecutor
    public boolean isVerbose() {
        return this.requestScope.getSecurityMode() == SecurityMode.SECURITY_ACTIVE_VERBOSE;
    }
}
