package org.openmetadata.service.security.policyevaluator;

import com.fasterxml.jackson.annotation.JsonIgnore;
import java.util.ListIterator;
import java.util.Map;
import org.openmetadata.schema.entity.policies.accessControl.Rule;
import org.openmetadata.schema.type.MetadataOperation;
import org.openmetadata.schema.type.Permission;
import org.openmetadata.schema.type.ResourcePermission;
import org.openmetadata.service.Entity;
import org.openmetadata.service.exception.CatalogExceptionMessage;
import org.openmetadata.service.security.AuthorizationException;
import org.openmetadata.service.security.auth.BotTokenCache;
import org.openmetadata.service.security.policyevaluator.SubjectContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.expression.Expression;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

/* loaded from: input_file:org/openmetadata/service/security/policyevaluator/CompiledRule.class */
public class CompiledRule extends Rule {
    private static final Logger LOG = LoggerFactory.getLogger(CompiledRule.class);
    private static final SpelExpressionParser EXPRESSION_PARSER = new SpelExpressionParser();

    @JsonIgnore
    private Expression expression;

    public CompiledRule(Rule rule) {
        withName(rule.getName()).withDescription(rule.getDescription()).withCondition(rule.getCondition()).withEffect(rule.getEffect()).withOperations(rule.getOperations()).withResources(rule.getResources());
    }

    public static Expression parseExpression(String str) {
        if (str == null) {
            return null;
        }
        try {
            return EXPRESSION_PARSER.parseExpression(str);
        } catch (Exception e) {
            throw new IllegalArgumentException(CatalogExceptionMessage.failedToParse(e.getMessage()));
        }
    }

    public static <T> void validateExpression(String str, Class<T> cls) {
        if (str == null) {
            return;
        }
        try {
            parseExpression(str).getValue(SimpleEvaluationContext.forReadOnlyDataBinding().withInstanceMethods().withRootObject(new RuleEvaluator()).build(), cls);
        } catch (Exception e) {
            throw new IllegalArgumentException(CatalogExceptionMessage.failedToEvaluate(e.getMessage().replaceAll("on type .*$", BotTokenCache.EMPTY_STRING).replaceAll("on object .*$", BotTokenCache.EMPTY_STRING)));
        }
    }

    public Expression getExpression() {
        if (getCondition() == null) {
            return null;
        }
        if (this.expression == null) {
            this.expression = parseExpression(getCondition());
        }
        return this.expression;
    }

    public void evaluateDenyRule(OperationContext operationContext, SubjectContext subjectContext, ResourceContextInterface resourceContextInterface, SubjectContext.PolicyContext policyContext) {
        if (getEffect() == Rule.Effect.DENY && matchResource(operationContext.getResource())) {
            for (MetadataOperation metadataOperation : operationContext.getOperations()) {
                if (matchOperation(metadataOperation)) {
                    LOG.debug("operation {} denied by {}{}{}", new Object[]{metadataOperation, policyContext.getRoleName(), policyContext.getPolicyName(), getName()});
                    if (matchExpression(policyContext, subjectContext, resourceContextInterface)) {
                        throw new AuthorizationException(CatalogExceptionMessage.permissionDenied(subjectContext.user().getName(), metadataOperation, policyContext.getRoleName(), policyContext.getPolicyName(), getName()));
                    }
                }
            }
        }
    }

    private Permission.Access getAccess() {
        return getCondition() != null ? getEffect() == Rule.Effect.DENY ? Permission.Access.CONDITIONAL_DENY : Permission.Access.CONDITIONAL_ALLOW : getEffect() == Rule.Effect.DENY ? Permission.Access.DENY : Permission.Access.ALLOW;
    }

    public void evaluateAllowRule(OperationContext operationContext, SubjectContext subjectContext, ResourceContextInterface resourceContextInterface, SubjectContext.PolicyContext policyContext) {
        if (getEffect() == Rule.Effect.ALLOW && matchResource(operationContext.getResource())) {
            ListIterator<MetadataOperation> listIterator = operationContext.getOperations().listIterator();
            while (listIterator.hasNext()) {
                MetadataOperation next = listIterator.next();
                if (matchOperation(next) && matchExpression(policyContext, subjectContext, resourceContextInterface)) {
                    LOG.debug("operation {} allowed", next);
                    listIterator.remove();
                }
            }
        }
    }

    public void evaluatePermission(Map<String, ResourcePermission> map, SubjectContext.PolicyContext policyContext) {
        for (ResourcePermission resourcePermission : map.values()) {
            evaluatePermission(resourcePermission.getResource(), resourcePermission, policyContext);
        }
    }

    public void evaluatePermission(String str, ResourcePermission resourcePermission, SubjectContext.PolicyContext policyContext) {
        if (matchResource(str)) {
            Permission.Access access = getAccess();
            for (Permission permission : resourcePermission.getPermissions()) {
                if (matchOperation(permission.getOperation()) && overrideAccess(access, permission.getAccess())) {
                    permission.withAccess(access).withRole(policyContext.getRoleName()).withPolicy(policyContext.getPolicyName()).withRule(this);
                    LOG.debug("Updated permission {}", permission);
                }
            }
        }
    }

    public void evaluatePermission(SubjectContext subjectContext, ResourceContextInterface resourceContextInterface, ResourcePermission resourcePermission, SubjectContext.PolicyContext policyContext) {
        if (matchResource(resourceContextInterface.getResource())) {
            for (Permission permission : resourcePermission.getPermissions()) {
                if (matchOperation(permission.getOperation()) && matchExpression(policyContext, subjectContext, resourceContextInterface)) {
                    Permission.Access access = getEffect() == Rule.Effect.DENY ? Permission.Access.DENY : Permission.Access.ALLOW;
                    if (overrideAccess(access, permission.getAccess())) {
                        permission.withAccess(access).withRole(policyContext.getRoleName()).withPolicy(policyContext.getPolicyName()).withRule(this);
                        LOG.debug("Updated permission {}", permission);
                    }
                }
            }
        }
    }

    protected boolean matchResource(String str) {
        return ((String) getResources().get(0)).equalsIgnoreCase(Entity.ALL_RESOURCES) || getResources().contains(str);
    }

    private boolean matchOperation(MetadataOperation metadataOperation) {
        if (getOperations().contains(MetadataOperation.ALL)) {
            LOG.debug("matched all operations");
            return true;
        }
        if (getOperations().contains(MetadataOperation.EDIT_ALL) && OperationContext.isEditOperation(metadataOperation)) {
            LOG.debug("matched editAll operations");
            return true;
        }
        if (!getOperations().contains(MetadataOperation.VIEW_ALL) || !OperationContext.isViewOperation(metadataOperation)) {
            return getOperations().contains(metadataOperation);
        }
        LOG.debug("matched viewAll operations");
        return true;
    }

    private boolean matchExpression(SubjectContext.PolicyContext policyContext, SubjectContext subjectContext, ResourceContextInterface resourceContextInterface) {
        Expression expression = getExpression();
        if (expression == null) {
            return true;
        }
        return Boolean.TRUE.equals(expression.getValue(SimpleEvaluationContext.forReadOnlyDataBinding().withInstanceMethods().withRootObject(new RuleEvaluator(policyContext, subjectContext, resourceContextInterface)).build(), Boolean.class));
    }

    public static boolean overrideAccess(Permission.Access access, Permission.Access access2) {
        return access2.ordinal() > access.ordinal();
    }
}
