package com.yahoo.elide.core.security.executors;

import com.google.common.collect.ImmutableSet;
import com.yahoo.elide.annotation.DeletePermission;
import com.yahoo.elide.annotation.ReadPermission;
import com.yahoo.elide.core.RequestScope;
import com.yahoo.elide.core.exceptions.ForbiddenAccessException;
import com.yahoo.elide.core.security.PermissionExecutor;
import com.yahoo.elide.core.security.permissions.ExpressionResult;
import com.yahoo.elide.core.security.permissions.ExpressionResultCache;
import com.yahoo.elide.core.security.permissions.PermissionExpressionBuilder;
import com.yahoo.elide.core.security.permissions.expressions.Expression;
import com.yahoo.elide.core.type.Type;
import java.lang.annotation.Annotation;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.Queue;
import java.util.Set;
import java.util.concurrent.LinkedBlockingQueue;
import java.util.function.Function;
import java.util.function.Supplier;
import org.apache.commons.lang3.tuple.Triple;
import org.slf4j.Logger;

/* loaded from: input_file:com/yahoo/elide/core/security/executors/AbstractPermissionExecutor.class */
public abstract class AbstractPermissionExecutor implements PermissionExecutor {
    private final Logger log;
    protected final Queue<QueuedCheck> commitCheckQueue = new LinkedBlockingQueue();
    protected final RequestScope requestScope;
    protected final PermissionExpressionBuilder expressionBuilder;
    protected final Map<Triple<Class<? extends Annotation>, Type, ImmutableSet<String>>, ExpressionResult> userPermissionCheckCache;
    protected final Map<String, Long> checkStats;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/yahoo/elide/core/security/executors/AbstractPermissionExecutor$QueuedCheck.class */
    public static class QueuedCheck {
        private final Expression expression;
        private final Class<? extends Annotation> annotationClass;

        public QueuedCheck(Expression expression, Class<? extends Annotation> cls) {
            this.expression = expression;
            this.annotationClass = cls;
        }

        public Expression getExpression() {
            return this.expression;
        }

        public Class<? extends Annotation> getAnnotationClass() {
            return this.annotationClass;
        }
    }

    public AbstractPermissionExecutor(Logger logger, RequestScope requestScope) {
        ExpressionResultCache expressionResultCache = new ExpressionResultCache();
        this.log = logger;
        this.requestScope = requestScope;
        this.expressionBuilder = new PermissionExpressionBuilder(expressionResultCache, requestScope.getDictionary());
        this.userPermissionCheckCache = new HashMap();
        this.checkStats = new HashMap();
    }

    @Override // com.yahoo.elide.core.security.PermissionExecutor
    public void executeCommitChecks() {
        this.commitCheckQueue.forEach(queuedCheck -> {
            Expression expression = queuedCheck.getExpression();
            if (expression.evaluate(Expression.EvaluationMode.ALL_CHECKS) == ExpressionResult.FAIL) {
                ForbiddenAccessException forbiddenAccessException = new ForbiddenAccessException(queuedCheck.getAnnotationClass(), expression, Expression.EvaluationMode.ALL_CHECKS);
                if (this.log.isTraceEnabled()) {
                    this.log.trace("{}", forbiddenAccessException.getLoggedMessage());
                }
                throw forbiddenAccessException;
            }
        });
        this.commitCheckQueue.clear();
    }

    protected <A extends Annotation> ExpressionResult checkPermissions(Type<?> type, Class<A> cls, Set<String> set, Supplier<Expression> supplier, Optional<Function<Expression, ExpressionResult>> optional) {
        ImmutableSet copyOf = set == null ? null : ImmutableSet.copyOf(set);
        ExpressionResult expressionResult = this.userPermissionCheckCache.get(Triple.of(cls, type, copyOf));
        if (expressionResult == ExpressionResult.PASS) {
            return expressionResult;
        }
        Expression expression = supplier.get();
        if (expressionResult == null) {
            expressionResult = executeExpressions(expression, cls, Expression.EvaluationMode.USER_CHECKS_ONLY);
            this.userPermissionCheckCache.put(Triple.of(cls, type, copyOf), expressionResult);
            if (expressionResult == ExpressionResult.PASS) {
                return expressionResult;
            }
        }
        return (ExpressionResult) optional.map(function -> {
            return (ExpressionResult) function.apply(expression);
        }).orElse(expressionResult);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public <A extends Annotation> ExpressionResult checkOnlyUserPermissions(Type<?> type, Class<A> cls, Set<String> set, Supplier<Expression> supplier) {
        return checkPermissions(type, cls, set, supplier, Optional.empty());
    }

    protected <A extends Annotation> ExpressionResult checkPermissions(Type<?> type, Class<A> cls, Set<String> set, Supplier<Expression> supplier, Function<Expression, ExpressionResult> function) {
        return checkPermissions(type, cls, set, supplier, Optional.of(function));
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public ExpressionResult executeExpressions(Expression expression, Class<? extends Annotation> cls, Expression.EvaluationMode evaluationMode) {
        ExpressionResult evaluate = expression.evaluate(evaluationMode);
        if (this.log.isTraceEnabled()) {
            String obj = expression.toString();
            this.checkStats.put(obj, Long.valueOf(this.checkStats.getOrDefault(obj, 0L).longValue() + 1));
        }
        if (evaluate != ExpressionResult.DEFERRED) {
            if (evaluate != ExpressionResult.FAIL) {
                return evaluate;
            }
            ForbiddenAccessException forbiddenAccessException = new ForbiddenAccessException(cls, expression, evaluationMode);
            if (this.log.isTraceEnabled()) {
                this.log.trace("{}", forbiddenAccessException.getLoggedMessage());
            }
            throw forbiddenAccessException;
        }
        if (evaluationMode == Expression.EvaluationMode.USER_CHECKS_ONLY) {
            return ExpressionResult.DEFERRED;
        }
        if (!isInlineOnlyCheck(cls)) {
            this.commitCheckQueue.add(new QueuedCheck(expression, cls));
            return ExpressionResult.DEFERRED;
        }
        ExpressionResult evaluate2 = expression.evaluate(Expression.EvaluationMode.ALL_CHECKS);
        if (evaluate2 != ExpressionResult.FAIL) {
            return evaluate2;
        }
        ForbiddenAccessException forbiddenAccessException2 = new ForbiddenAccessException(cls, expression, Expression.EvaluationMode.ALL_CHECKS);
        if (this.log.isTraceEnabled()) {
            this.log.trace("{}", forbiddenAccessException2.getLoggedMessage());
        }
        throw forbiddenAccessException2;
    }

    private boolean isInlineOnlyCheck(Class<? extends Annotation> cls) {
        return ReadPermission.class.isAssignableFrom(cls) || DeletePermission.class.isAssignableFrom(cls);
    }
}
