package com.dtolabs.rundeck.core.cli.acl;

import com.dtolabs.rundeck.core.Constants;
import com.dtolabs.rundeck.core.authentication.Group;
import com.dtolabs.rundeck.core.authentication.Username;
import com.dtolabs.rundeck.core.authorization.Attribute;
import com.dtolabs.rundeck.core.authorization.AuthorizationUtil;
import com.dtolabs.rundeck.core.authorization.Decision;
import com.dtolabs.rundeck.core.authorization.Explanation;
import com.dtolabs.rundeck.core.authorization.RuleEvaluator;
import com.dtolabs.rundeck.core.authorization.Validation;
import com.dtolabs.rundeck.core.authorization.ValidationSet;
import com.dtolabs.rundeck.core.authorization.providers.Policies;
import com.dtolabs.rundeck.core.authorization.providers.PoliciesParseException;
import com.dtolabs.rundeck.core.authorization.providers.YamlParsePolicy;
import com.dtolabs.rundeck.core.authorization.providers.YamlProvider;
import com.dtolabs.rundeck.core.cli.BaseTool;
import com.dtolabs.rundeck.core.cli.CLIToolLogger;
import com.dtolabs.rundeck.core.cli.CLIToolOptions;
import com.dtolabs.rundeck.core.cli.CLIToolOptionsException;
import com.dtolabs.rundeck.core.cli.DefaultCLIToolLogger;
import com.dtolabs.rundeck.core.cli.HelpOptions;
import com.dtolabs.rundeck.core.cli.Log4JCLIToolLogger;
import com.dtolabs.rundeck.core.common.Framework;
import com.dtolabs.rundeck.core.common.FrameworkProject;
import com.dtolabs.rundeck.core.data.ScriptVarExpander;
import com.dtolabs.rundeck.core.execution.workflow.FlowControl;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.PrintStream;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import java.util.regex.Pattern;
import javax.security.auth.Subject;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.OptionBuilder;
import org.apache.commons.cli.Options;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.apache.log4j.PropertyConfigurator;
import org.yaml.snakeyaml.DumperOptions;
import org.yaml.snakeyaml.Yaml;

/* loaded from: input_file:com/dtolabs/rundeck/core/cli/acl/AclTool.class */
public class AclTool extends BaseTool {
    // Short and long names of the command-line options. Each pair is registered in
    // TestOptions.addOptions and read back in TestOptions.parseArgs.

    // Policy sources: a single aclpolicy file, or a directory of policy files.
    public static final String FILE_OPTION = "f";
    public static final String FILE_OPTION_LONG = "file";
    public static final String DIR_OPTION = "d";
    public static final String DIR_OPTION_LONG = "dir";
    // Actions to test as allowed (test command) or to allow (create command).
    public static final String ALLOW_LONG_OPT = "allow";
    public static final String ALLOW_OPT = "a";
    // Subject: group names and user name.
    public static final String GROUPS_LONG_OPT = "groups";
    public static final String GROUPS_OPT = "g";
    public static final String USER_OPT = "u";
    public static final String USER_LONG_OPT = "user";
    // Resource selectors: project, project ACL, job (by group/name or by uuid), context, adhoc, node, tags.
    public static final String PROJECT_OPT = "p";
    public static final String PROJECT_LONG_OPT = "project";
    public static final String PROJECT_ACL_OPT = "P";
    public static final String PROJECT_ACL_LONG_OPT = "projectacl";
    public static final String JOB_OPT = "j";
    public static final String JOB_LONG_OPT = "job";
    public static final String JOB_UUID_OPT = "I";
    public static final String JOB_UUID_LONG_OPT = "jobUuid";
    public static final String CONTEXT_OPT = "c";
    public static final String CONTEXT_LONG_OPT = "context";
    public static final String ADHOC_OPT = "A";
    public static final String ADHOC_LONG_OPT = "adhoc";
    public static final String NODE_OPT = "n";
    public static final String NODE_LONG_OPT = "node";
    public static final String TAGS_OPT = "t";
    public static final String TAGS_LONG_OPT = "tags";
    // Actions to test as denied (test command) or to deny (create command).
    public static final String DENY_OPT = "D";
    public static final String DENY_LONG_OPT = "deny";
    // Output and validation switches (no argument).
    public static final String VERBOSE_OPT = "v";
    public static final String VERBOSE_LONG_OPT = "verbose";
    public static final String VALIDATE_OPT = "V";
    public static final String VALIDATE_LONG_OPT = "validate";
    // Further resource selectors: storage path, generic resource kind, resource type name.
    public static final String STORAGE_OPT = "s";
    public static final String STORAGE_LONG_OPT = "storage";
    public static final String GENERIC_OPT = "G";
    public static final String GENERIC_LONG_OPT = "generic";
    public static final String RESOURCE_OPT = "R";
    public static final String RESOURCE_LONG_OPT = "resource";
    // Audit-log input (file or stdin), regex matching, resource attributes, and permission listing.
    public static final String INPUT_OPT = "i";
    public static final String INPUT_OPT_LONG = "input";
    public static final String REGEX_OPT = "r";
    public static final String REGEX_OPT_LONG = "regex";
    public static final String ATTRS_OPT = "b";
    public static final String ATTRS_OPT_LONG = "attributes";
    public static final String LIST_OPT = "l";
    public static final String LIST_OPT_LONG = "list";
    // Logger used for tool output; assigned once in the constructor.
    final CLIToolLogger clilogger;
    // Sub-command chosen from the first command-line word; stays null until parseArgs sets it.
    private Actions action;
    // Configuration directory: system property "rdeck.config", defaulting to "<base dir>/etc".
    private String configDir;
    // Names of the sub-commands, matching the constants of the Actions enum.
    public static final String ACTION_TEST = "test";
    public static final String ACTION_CREATE = "create";
    public static final String ACTION_LIST = "list";
    public static final String ACTION_VALIDATE = "validate";
    // Values copied from the command line by TestOptions.parseArgs. Each comma-separated
    // option keeps both its raw string and the split list.
    private boolean argVerbose;
    private boolean argValidate;
    private boolean argList;
    private File argFile;
    private File argDir;
    private String argDenyAction;
    private List<String> actionsDenyList;
    private String argAllowAction;
    private List<String> actionsAllowList;
    private String argGroups;
    private List<String> groupsList;
    private String argUser;
    private Context argContext;
    private String argProject;
    private String argProjectAcl;
    private String argProjectJob;
    private String argProjectJobUUID;
    private String argProjectNode;
    private String argTags;
    private List<String> tagsSet;
    private boolean argProjectAdhoc;
    private String argAppStorage;
    private String argGenericType;
    private String argResource;
    private String argInput;
    private boolean argRegex;
    // key=value pairs from the attributes option; attrHelp is set when a key arrives without a value.
    private Map<String, String> attrsMap;
    private boolean attrHelp;
    // Lookup tables of actions and attributes per resource type or kind. They are static final
    // with no initializer here, so they must be assigned in a static initializer elsewhere in
    // this class.
    static final Map<String, List<String>> appResAttrsByType;
    static final Map<String, List<String>> appKindActionsByType;
    static final List<String> projectJobActions;
    static final List<String> projectJobKindActions;
    static final List<String> projectAdhocActions;
    static final List<String> projectNodeActions;
    static final Map<String, List<String>> projResActionsByType;
    static final Map<String, List<String>> projResAttrsByType;
    static final List<String> projectNodeKindActions;
    static final List<String> projectEventKindActions;
    static final Map<String, List<String>> projKindActionsByType;
    // log4j logger; wrapped in a Log4JCLIToolLogger when the constructor is given no logger.
    public static final Logger log4j = Logger.getLogger(AclTool.class);
    /** Orders authorization decisions by the natural ordering of their action. */
    private static Comparator<Decision> comparator = new Comparator<Decision>() {
        @Override
        public int compare(Decision left, Decision right) {
            // Only the action takes part in the ordering.
            return left.getAction().compareTo(right.getAction());
        }
    };
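    // Resource types and kinds recognised in each context, and the actions listed for each of them.
    // The raw HashSet/HashMap constructions of the decompiled listing are given their type
    // arguments here so the declarations compile without unchecked warnings.
    //
    // NOTE(review): these collections are package-visible and not wrapped as unmodifiable. The
    // HashSets can be changed freely, and Arrays.asList returns a fixed-size list whose elements
    // can still be replaced. Since this vocabulary feeds authorization checks, consider
    // unmodifiable wrappers once every writer in the class is known.
    static final Set<String> projectTypes = new HashSet<>(Arrays.asList("adhoc", "job", "node"));
    static final Set<String> projectKinds = new HashSet<>(Arrays.asList("job", "node", ACLConstants.TYPE_EVENT));
    static final Set<String> appTypes = new HashSet<>(Arrays.asList("project", ACLConstants.TYPE_PROJECT_ACL, "storage", ACLConstants.TYPE_APITOKEN));
    static final Set<String> appKinds = new HashSet<>(Arrays.asList("project", ACLConstants.TYPE_SYSTEM, ACLConstants.TYPE_SYSTEM_ACL, "user", "job", ACLConstants.TYPE_APITOKEN, ACLConstants.TYPE_PLUGIN));
    // Actions on specific application-context resources.
    static final List<String> appProjectActions = Arrays.asList(ACLConstants.ACTION_ADMIN, "read", ACLConstants.ACTION_CONFIGURE, "delete", ACLConstants.ACTION_IMPORT, ACLConstants.ACTION_EXPORT, ACLConstants.ACTION_DELETE_EXECUTION);
    static final List<String> appProjectAclActions = Arrays.asList("read", "create", "update", "delete", ACLConstants.ACTION_ADMIN);
    static final List<String> appStorageActions = Arrays.asList("create", "read", "update", "delete");
    static final List<String> appApitokenActions = Arrays.asList("create");
    // Actions on application-context resource kinds.
    static final List<String> appProjectKindActions = Arrays.asList("create");
    static final List<String> appSystemKindActions = Arrays.asList("read", ACLConstants.ACTION_ENABLE_EXECUTIONS, ACLConstants.ACTION_DISABLE_EXECUTIONS, ACLConstants.ACTION_ADMIN);
    static final List<String> appSystemAclKindActions = Arrays.asList("read", "create", "update", "delete", ACLConstants.ACTION_ADMIN);
    static final List<String> appUserKindActions = Arrays.asList(ACLConstants.ACTION_ADMIN);
    static final List<String> appJobKindActions = Arrays.asList(ACLConstants.ACTION_ADMIN);
    static final List<String> appApitokenKindActions = Arrays.asList(ACLConstants.ACTION_ADMIN, ACLConstants.ACTION_GENERATE_USER_TOKEN, ACLConstants.ACTION_GENERATE_SERVICE_TOKEN);
    static final List<String> appPluginActions = Arrays.asList("read", ACLConstants.ACTION_INSTALL, ACLConstants.ACTION_UNINSTALL, ACLConstants.ACTION_ADMIN);
    // Created empty here; nothing in this part of the file fills it.
    static final Map<String, List<String>> appResActionsByType = new HashMap<>();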

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: com.dtolabs.rundeck.core.cli.acl.AclTool$2, reason: invalid class name */
    /* loaded from: input_file:com/dtolabs/rundeck/core/cli/acl/AclTool$2.class */
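    /**
     * Compiler-generated lookup tables for {@code switch} statements over enums, as recovered
     * by the decompiler.
     *
     * <p>Each table is indexed by an enum constant's {@code ordinal()} and holds the case
     * number used by the corresponding switch. {@code go()} dispatches on the {@code Actions}
     * table: list=1, test=2, create=3, validate=4.
     *
     * <p>The decompiled listing wrote to the {@code Explanation.Code} table without declaring
     * or allocating it, which does not compile. The table is declared and sized here in the
     * same way as the {@code Actions} table.
     */
    public static /* synthetic */ class AnonymousClass2 {
        static final /* synthetic */ int[] $SwitchMap$com$dtolabs$rundeck$core$cli$acl$AclTool$Actions;
        static final /* synthetic */ int[] $SwitchMap$com$dtolabs$rundeck$core$authorization$Explanation$Code;

        static {
            // One slot per constant; slots that are never assigned stay 0 and match no case.
            $SwitchMap$com$dtolabs$rundeck$core$authorization$Explanation$Code = new int[Explanation.Code.values().length];
            // Each assignment is guarded separately: a constant missing at run time raises
            // NoSuchFieldError, which is deliberately ignored so the other entries still load.
            try {
                $SwitchMap$com$dtolabs$rundeck$core$authorization$Explanation$Code[Explanation.Code.REJECTED_NO_SUBJECT_OR_ENV_FOUND.ordinal()] = 1;
            } catch (NoSuchFieldError ignored) {
            }
            try {
                $SwitchMap$com$dtolabs$rundeck$core$authorization$Explanation$Code[Explanation.Code.REJECTED_DENIED.ordinal()] = 2;
            } catch (NoSuchFieldError ignored) {
            }
            $SwitchMap$com$dtolabs$rundeck$core$cli$acl$AclTool$Actions = new int[Actions.values().length];
            try {
                $SwitchMap$com$dtolabs$rundeck$core$cli$acl$AclTool$Actions[Actions.list.ordinal()] = 1;
            } catch (NoSuchFieldError ignored) {
            }
            try {
                $SwitchMap$com$dtolabs$rundeck$core$cli$acl$AclTool$Actions[Actions.test.ordinal()] = 2;
            } catch (NoSuchFieldError ignored) {
            }
            try {
                $SwitchMap$com$dtolabs$rundeck$core$cli$acl$AclTool$Actions[Actions.create.ordinal()] = 3;
            } catch (NoSuchFieldError ignored) {
            }
            try {
                $SwitchMap$com$dtolabs$rundeck$core$cli$acl$AclTool$Actions[Actions.validate.ordinal()] = 4;
            } catch (NoSuchFieldError ignored) {
            }
        }
    }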

    /* loaded from: input_file:com/dtolabs/rundeck/core/cli/acl/AclTool$ACLConstants.class */
    /**
     * Names of the actions and resource types used by the ACL tool, together with a few
     * read-only resource maps built from them.
     */
    class ACLConstants {
        // Action names.
        public static final String ACTION_CREATE = "create";
        public static final String ACTION_READ = "read";
        public static final String ACTION_VIEW = "view";
        public static final String ACTION_UPDATE = "update";
        public static final String ACTION_DELETE = "delete";
        public static final String ACTION_RUN = "run";
        public static final String ACTION_KILL = "kill";
        public static final String ACTION_ADMIN = "admin";
        public static final String ACTION_GENERATE_USER_TOKEN = "generate_user_token";
        public static final String ACTION_GENERATE_SERVICE_TOKEN = "generate_service_token";
        public static final String ACTION_REFRESH = "refresh";
        public static final String ACTION_RUNAS = "runAs";
        public static final String ACTION_KILLAS = "killAs";
        public static final String ACTION_CONFIGURE = "configure";
        public static final String ACTION_IMPORT = "import";
        public static final String ACTION_EXPORT = "export";
        public static final String ACTION_INSTALL = "install";
        public static final String ACTION_UNINSTALL = "uninstall";
        public static final String ACTION_DELETE_EXECUTION = "delete_execution";
        public static final String ACTION_ENABLE_EXECUTIONS = "enable_executions";
        public static final String ACTION_DISABLE_EXECUTIONS = "disable_executions";
        public static final String ACTION_TOGGLE_SCHEDULE = "toggle_schedule";
        public static final String ACTION_TOGGLE_EXECUTION = "toggle_execution";
        public static final String ACTION_SCM_UPDATE = "scm_update";
        public static final String ACTION_SCM_CREATE = "scm_create";
        public static final String ACTION_SCM_DELETE = "scm_delete";

        // Resource type names.
        public static final String TYPE_SYSTEM = "system";
        public static final String TYPE_SYSTEM_ACL = "system_acl";
        public static final String TYPE_NODE = "node";
        public static final String TYPE_JOB = "job";
        public static final String TYPE_APITOKEN = "apitoken";
        public static final String TYPE_ADHOC = "adhoc";
        public static final String TYPE_PROJECT = "project";
        public static final String TYPE_PROJECT_ACL = "project_acl";
        public static final String TYPE_PLUGIN = "plugin";
        public static final String TYPE_EVENT = "event";
        public static final String TYPE_USER = "user";
        public static final String TYPE_STORAGE = "storage";

        // Unmodifiable resource maps. These are instance fields, so each ACLConstants
        // object builds its own copies.
        public final Map<String, String> RESOURCE_TYPE_SYSTEM = resType(TYPE_SYSTEM);
        public final Map<String, String> RESOURCE_TYPE_NODE = resType(TYPE_NODE);
        public final Map<String, String> RESOURCE_TYPE_JOB = resType(TYPE_JOB);
        public final Map<String, String> RESOURCE_TYPE_EVENT = resType(TYPE_EVENT);
        public final Map<String, String> RESOURCE_ADHOC = Collections.unmodifiableMap(AuthorizationUtil.resource(TYPE_ADHOC));

        ACLConstants() {
        }

        /** Wraps the result of {@code AuthorizationUtil.resourceType} in an unmodifiable view. */
        private Map<String, String> resType(String typeName) {
            return Collections.unmodifiableMap(AuthorizationUtil.resourceType(typeName));
        }
    }

    /* loaded from: input_file:com/dtolabs/rundeck/core/cli/acl/AclTool$Actions.class */
    /** Sub-commands of the tool; the first command-line word is matched against these constants. */
    enum Actions {
        test(AclTool.ACTION_TEST),
        create("create"),
        list("list"),
        validate("validate");

        /** Display name of the sub-command. */
        private String name;

        Actions(String displayName) {
            name = displayName;
        }

        /** Returns the display name given to the constructor. */
        public String getName() {
            return name;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/dtolabs/rundeck/core/cli/acl/AclTool$AuthRequest.class */
    /**
     * Plain holder for one authorization request: subject, resource, requested and denied
     * actions, the environment they are evaluated in, and how the resource is matched.
     */
    public class AuthRequest {
        String description;
        Map<String, Object> resourceMap;
        boolean regexMatch;
        boolean containsMatch;
        Subject subject;
        Set<String> actions;
        Set<Attribute> environment;
        Set<String> denyActions;

        private AuthRequest() {
        }

        /**
         * Reports whether this request's environment equals the value returned by the
         * enclosing class's synthetic accessor.
         *
         * NOTE(review): access$3100 is a compiler-generated bridge to a private member of
         * AclTool. From the method name it presumably yields the application-context
         * environment; confirm against the original source.
         */
        boolean isAppContext() {
            final Object accessorValue = AclTool.access$3100();
            return environment.equals(accessorValue);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/dtolabs/rundeck/core/cli/acl/AclTool$Context.class */
    /** Authorization context selected with the context option: project-level or application-level. */
    public enum Context {
        /** Project context. */
        project,
        /** Application context. */
        application
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/dtolabs/rundeck/core/cli/acl/AclTool$OptionsPrompt.class */
    /**
     * Option error that carries an extra prompt text alongside its message. {@code main}
     * prints the message and then the prompt.
     */
    public class OptionsPrompt extends CLIToolOptionsException {
        /** Second text passed to the constructor. */
        private String prompt;

        /**
         * @param str  error message, passed to the superclass
         * @param str2 prompt text returned by {@link #getPrompt()}
         */
        public OptionsPrompt(String str, String str2) {
            super(str);
            prompt = str2;
        }

        /** Returns the prompt text given at construction. */
        public String getPrompt() {
            return prompt;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/dtolabs/rundeck/core/cli/acl/AclTool$ParsePart.class */
    /**
     * Plain holder with three fields: a length, a resource map and a string value. The
     * constructor is private, so only code inside the enclosing class can create instances.
     */
    public class ParsePart {
        int len;
        Map<String, Object> resourceMap;
        String value;

        private ParsePart() {
            // Nothing to initialise; the fields keep their default values.
        }
    }

    /* loaded from: input_file:com/dtolabs/rundeck/core/cli/acl/AclTool$TestOptions.class */
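    /**
     * Declares the command-line options of the ACL tool and copies their parsed values into
     * the fields of the enclosing {@link AclTool} instance.
     */
    private class TestOptions implements CLIToolOptions {
        private TestOptions() {
        }

        /**
         * Registers every option the tool understands, in a fixed order.
         *
         * @param options option set that receives the definitions
         */
        @Override
        public void addOptions(Options options) {
            options.addOption(AclTool.VERBOSE_OPT, "verbose", false, "Verbose output.");
            options.addOption(AclTool.VALIDATE_OPT, "validate", false, "Validate all input files.");
            addArgOption(options, AclTool.FILE_OPTION, "file", "file",
                    "File path. Load the specified aclpolicy file.");
            addArgOption(options, AclTool.DIR_OPTION, AclTool.DIR_OPTION_LONG, AclTool.DIR_OPTION_LONG,
                    "Directory. Load all policy files in the specified directory.");
            addArgOption(options, AclTool.ALLOW_OPT, AclTool.ALLOW_LONG_OPT, "action,...",
                    "Actions to test are allowed (test command) or to allow (create command).");
            addArgOption(options, AclTool.DENY_OPT, AclTool.DENY_LONG_OPT, "action,...",
                    "Actions to test are denied (test command) or to deny (create command).");
            addArgOption(options, AclTool.GROUPS_OPT, AclTool.GROUPS_LONG_OPT, "group,...",
                    "Subject Groups names to validate (test command) or for by: clause (create command).");
            addArgOption(options, AclTool.USER_OPT, "user", "user,...",
                    "Subject User names to validate (test command) or for by: clause (create command).");
            addArgOption(options, AclTool.PROJECT_OPT, "project", "project",
                    "Name of project, used in project context or for application resource.");
            addArgOption(options, AclTool.PROJECT_ACL_OPT, AclTool.PROJECT_ACL_LONG_OPT, AclTool.PROJECT_ACL_LONG_OPT,
                    "Project name for ACL policy access, used in application context.");
            addArgOption(options, AclTool.JOB_OPT, "job", "group/name",
                    "Job group/name. (project context)");
            addArgOption(options, AclTool.JOB_UUID_OPT, AclTool.JOB_UUID_LONG_OPT, "uuid",
                    "Job uuid. (project context)");
            addArgOption(options, AclTool.CONTEXT_OPT, AclTool.CONTEXT_LONG_OPT, "application | project",
                    "Context: either 'project' or 'application'.");

            // The adhoc option is a plain switch: no argument name and no argument.
            OptionBuilder.withLongOpt("adhoc");
            OptionBuilder.withDescription("Adhoc execution (project context)");
            options.addOption(OptionBuilder.create(AclTool.ADHOC_OPT));

            addArgOption(options, AclTool.NODE_OPT, "node", "nodename",
                    "Node name. (project context)");
            addArgOption(options, AclTool.TAGS_OPT, "tags", "tag,..",
                    "Node tags. If specified, the resource match will be defined using 'contains'. (project context)");
            addArgOption(options, AclTool.STORAGE_OPT, "storage", "path/file",
                    "Storage path/name. (application context)");
            addArgOption(options, AclTool.GENERIC_OPT, AclTool.GENERIC_LONG_OPT, AuthorizationUtil.TYPE_KIND_FIELD,
                    "Generic resource kind.");
            addArgOption(options, AclTool.RESOURCE_OPT, "resource", "type",
                    "Resource type name.");
            addArgOption(options, AclTool.INPUT_OPT, AclTool.INPUT_OPT_LONG, "file | -",
                    "Read file or stdin for audit log data. (create command)");
            options.addOption(AclTool.REGEX_OPT, AclTool.REGEX_OPT_LONG, false, "Match the resource using regular expressions. (create command).");
            options.addOption(AclTool.LIST_OPT, "list", false, "List all permissions for the group or user. (test command).");

            // The attributes option takes several values and uses a value separator, so
            // "key=value" reaches parseArgs as two consecutive values.
            OptionBuilder.withArgName("key=value ...");
            OptionBuilder.withDescription("Attributes for the resource. A sequence of key=value pairs, multiple pairs can follow with a space. Use a value of '?' to see suggestions.");
            OptionBuilder.withLongOpt(AclTool.ATTRS_OPT_LONG);
            OptionBuilder.withValueSeparator();
            OptionBuilder.hasArgs();
            options.addOption(OptionBuilder.create(AclTool.ATTRS_OPT));
        }

        /** Registers one option that takes exactly one argument. */
        private void addArgOption(Options options, String shortOpt, String longOpt, String argName, String description) {
            // The builder calls are separate statements, as in the original listing; the
            // settings are collected until create() produces the option.
            OptionBuilder.withArgName(argName);
            OptionBuilder.withLongOpt(longOpt);
            OptionBuilder.hasArg();
            OptionBuilder.withDescription(description);
            options.addOption(OptionBuilder.create(shortOpt));
        }

        /** Splits a comma-separated option value; spaces after a comma are dropped. */
        private List<String> splitList(String value) {
            return Arrays.asList(value.split(", *"));
        }

        /**
         * Copies the parsed option values into the enclosing tool.
         *
         * @param commandLine parsed command line
         * @param strArr      raw arguments (not used here)
         * @throws CLIToolOptionsException if the context value is neither 'project' nor
         *                                 'application'
         */
        @Override
        public void parseArgs(CommandLine commandLine, String[] strArr) throws CLIToolOptionsException {
            // The file option wins when both a file and a directory are given.
            if (commandLine.hasOption(AclTool.FILE_OPTION)) {
                AclTool.this.argFile = new File(commandLine.getOptionValue(AclTool.FILE_OPTION));
            } else if (commandLine.hasOption(AclTool.DIR_OPTION)) {
                AclTool.this.argDir = new File(commandLine.getOptionValue(AclTool.DIR_OPTION));
            }
            if (commandLine.hasOption(AclTool.ALLOW_OPT)) {
                AclTool.this.argAllowAction = commandLine.getOptionValue(AclTool.ALLOW_OPT);
                AclTool.this.actionsAllowList = splitList(AclTool.this.argAllowAction);
            }
            if (commandLine.hasOption(AclTool.DENY_OPT)) {
                AclTool.this.argDenyAction = commandLine.getOptionValue(AclTool.DENY_OPT);
                AclTool.this.actionsDenyList = splitList(AclTool.this.argDenyAction);
            }
            if (commandLine.hasOption(AclTool.GROUPS_OPT)) {
                AclTool.this.argGroups = commandLine.getOptionValue(AclTool.GROUPS_OPT);
                AclTool.this.groupsList = splitList(AclTool.this.argGroups);
            }
            if (commandLine.hasOption(AclTool.USER_OPT)) {
                AclTool.this.argUser = commandLine.getOptionValue(AclTool.USER_OPT);
            }
            if (commandLine.hasOption(AclTool.PROJECT_OPT)) {
                AclTool.this.argProject = commandLine.getOptionValue(AclTool.PROJECT_OPT);
            }
            if (commandLine.hasOption(AclTool.PROJECT_ACL_OPT)) {
                AclTool.this.argProjectAcl = commandLine.getOptionValue(AclTool.PROJECT_ACL_OPT);
            }
            if (commandLine.hasOption(AclTool.JOB_OPT)) {
                AclTool.this.argProjectJob = commandLine.getOptionValue(AclTool.JOB_OPT);
            }
            if (commandLine.hasOption(AclTool.JOB_UUID_OPT)) {
                AclTool.this.argProjectJobUUID = commandLine.getOptionValue(AclTool.JOB_UUID_OPT);
            }
            if (commandLine.hasOption(AclTool.CONTEXT_OPT)) {
                String contextValue = commandLine.getOptionValue(AclTool.CONTEXT_OPT);
                try {
                    // Locale.ROOT keeps the lower-casing independent of the platform locale
                    // (a Turkish default locale maps 'I' to a dotless i, for example).
                    AclTool.this.argContext = Context.valueOf(contextValue.toLowerCase(java.util.Locale.ROOT));
                } catch (IllegalArgumentException e) {
                    // Report a bad value as an option error, as AclTool.parseArgs does for
                    // an unknown action, instead of letting the enum lookup failure escape.
                    throw new CLIToolOptionsException("Invalid context: " + contextValue + ", must be one of: " + Arrays.toString(Context.values()));
                }
            }
            if (commandLine.hasOption(AclTool.ADHOC_OPT)) {
                AclTool.this.argProjectAdhoc = true;
            }
            if (commandLine.hasOption(AclTool.VERBOSE_OPT)) {
                AclTool.this.argVerbose = true;
            }
            if (commandLine.hasOption(AclTool.VALIDATE_OPT)) {
                AclTool.this.argValidate = true;
            }
            if (commandLine.hasOption(AclTool.NODE_OPT)) {
                AclTool.this.argProjectNode = commandLine.getOptionValue(AclTool.NODE_OPT);
            }
            if (commandLine.hasOption(AclTool.STORAGE_OPT)) {
                AclTool.this.argAppStorage = commandLine.getOptionValue(AclTool.STORAGE_OPT);
            }
            if (commandLine.hasOption(AclTool.GENERIC_OPT)) {
                AclTool.this.argGenericType = commandLine.getOptionValue(AclTool.GENERIC_OPT);
            }
            if (commandLine.hasOption(AclTool.INPUT_OPT)) {
                AclTool.this.argInput = commandLine.getOptionValue(AclTool.INPUT_OPT);
            }
            if (commandLine.hasOption(AclTool.REGEX_OPT)) {
                AclTool.this.argRegex = true;
            }
            if (commandLine.hasOption(AclTool.LIST_OPT)) {
                AclTool.this.argList = true;
            }
            if (commandLine.hasOption(AclTool.TAGS_OPT)) {
                AclTool.this.argTags = commandLine.getOptionValue(AclTool.TAGS_OPT);
                AclTool.this.tagsSet = splitList(AclTool.this.argTags);
            }
            if (commandLine.hasOption(AclTool.RESOURCE_OPT)) {
                AclTool.this.argResource = commandLine.getOptionValue(AclTool.RESOURCE_OPT);
            }
            if (commandLine.hasOption(AclTool.ATTRS_OPT)) {
                AclTool.this.attrsMap = new HashMap<>();
                // Values alternate key, value, key, value; pendingKey holds a key that is
                // still waiting for its value.
                String pendingKey = null;
                for (String token : commandLine.getOptionValues(AclTool.ATTRS_OPT)) {
                    if (pendingKey == null) {
                        pendingKey = token;
                        continue;
                    }
                    if (token.equals("")) {
                        AclTool.this.warn("Extraneous attribute key with no value: " + pendingKey);
                        AclTool.this.attrHelp = true;
                    } else {
                        AclTool.this.attrsMap.put(pendingKey, token);
                    }
                    pendingKey = null;
                }
                if (pendingKey != null) {
                    AclTool.this.attrHelp = true;
                    AclTool.this.warn("Extraneous attribute key with no value: " + pendingKey);
                }
            }
        }

        /** Performs no checks; validation is left to the code that runs each command. */
        @Override
        public void validate(CommandLine commandLine, String[] strArr) throws CLIToolOptionsException {
        }
    }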

    /**
     * Creates the tool with the base directory taken from the system property
     * {@code rdeck.base}.
     *
     * @param cLIToolLogger logger for tool output; may be null, in which case the
     *                      two-argument constructor sets up a log4j-backed logger
     */
    public AclTool(CLIToolLogger cLIToolLogger) throws IOException, PoliciesParseException {
        // System.getProperty returns null when rdeck.base is not set; the value is passed on unchecked.
        this(cLIToolLogger, System.getProperty("rdeck.base"));
    }

    /**
     * Creates the tool, selects its logger, resolves the configuration directory and
     * registers the command-line options.
     *
     * @param cLIToolLogger logger for tool output; when null, log4j is configured from the
     *                      framework's properties file and a log4j-backed logger is used
     * @param str           base directory; "/etc" is appended to form the default
     *                      configuration directory
     */
    public AclTool(CLIToolLogger cLIToolLogger, String str) throws IOException, PoliciesParseException {
        this.action = null;
        if (cLIToolLogger != null) {
            this.clilogger = cLIToolLogger;
        } else {
            PropertyConfigurator.configure(Constants.getLog4jPropertiesFile().getAbsolutePath());
            this.clilogger = new Log4JCLIToolLogger(log4j);
        }
        // NOTE(review): when str is null the default becomes the literal relative path
        // "null/etc". Confirm that rdeck.base or rdeck.config is always set before policy
        // files are looked up under configDir.
        final String defaultConfigDir = str + "/etc";
        this.configDir = System.getProperty("rdeck.config", defaultConfigDir);
        addToolOptions(new TestOptions());
    }

    /**
     * Command-line entry point. Runs the tool and exits with 0 on success, 2 on an option
     * error and 1 on any other failure.
     *
     * @param strArr command-line arguments
     */
    public static void main(String[] strArr) throws Exception {
        final AclTool tool = new AclTool(new DefaultCLIToolLogger());
        tool.setShouldExit(true);
        // Stays 1 unless the run succeeds or fails with an option error.
        int exitCode = 1;
        try {
            tool.run(strArr);
            exitCode = 0;
        } catch (OptionsPrompt promptError) {
            // Caught before its superclass so the prompt text is printed as well.
            exitCode = 2;
            tool.error(promptError.getMessage());
            tool.error(promptError.getPrompt());
            if (tool.argVerbose) {
                promptError.printStackTrace();
            }
        } catch (CLIToolOptionsException optionError) {
            exitCode = 2;
            tool.error(optionError.getMessage());
            if (tool.argVerbose) {
                optionError.printStackTrace();
            }
        } catch (Throwable failure) {
            // Without a message the stack trace is the only diagnostic, so it is always printed.
            final boolean showTrace = failure.getMessage() == null || tool.argVerbose;
            if (showTrace) {
                failure.printStackTrace();
            }
            tool.error("Error: " + failure.getMessage());
        }
        tool.exit(exitCode);
    }

    /**
     * Overrides the base tool's setting and always answers true; {@link #parseArgs}
     * handles the help option.
     *
     * @return always true
     */
    @Override
    protected boolean isUseHelpOption() {
        return true;
    }

    /**
     * Parses the command line, takes the sub-command from the first argument when that
     * argument is not an option, and handles the help option.
     *
     * @param strArr command-line arguments
     * @return the parsed command line from the superclass
     * @throws CLIToolOptionsException if the first word is not one of the {@code Actions} names
     */
    @Override
    public CommandLine parseArgs(String[] strArr) throws CLIToolOptionsException {
        final CommandLine cli = super.parseArgs(strArr);
        final boolean startsWithCommand = strArr.length > 0 && !strArr[0].startsWith("-");
        if (startsWithCommand) {
            final String commandWord = strArr[0];
            try {
                // The match is exact and case-sensitive (enum constant names).
                this.action = Actions.valueOf(commandWord);
            } catch (IllegalArgumentException e) {
                throw new CLIToolOptionsException("Invalid action: " + commandWord + ", must be one of: " + Arrays.toString(Actions.values()));
            }
        }
        if (cli.hasOption(HelpOptions.HELP_OPTION)) {
            help();
            exit(1);
        }
        return cli;
    }

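    /**
     * Runs the sub-command chosen on the command line.
     *
     * <p>The switch is written over the enum itself. The decompiled form indexed a synthetic
     * ordinal table and labelled two cases with unrelated logging-level constants
     * ({@code Constants.VERBOSE_LEVEL}, {@code Constants.DEBUG_LEVEL}), which only worked
     * because those constants happened to equal 3 and 4. The dispatch is unchanged:
     * list, test, create, validate.
     *
     * @throws CLIToolOptionsException if no sub-command was given, or wrapping a policy
     *                                 parse failure or I/O failure from the sub-command
     */
    @Override
    protected void go() throws CLIToolOptionsException {
        if (this.action == null) {
            throw new CLIToolOptionsException("Command expected. Choose one of: " + Arrays.asList(Actions.values()));
        }
        try {
            switch (this.action) {
                case list:
                    listAction();
                    break;
                case test:
                    testAction();
                    break;
                case create:
                    createAction();
                    break;
                case validate:
                    validateAction();
                    break;
                default:
                    throw new CLIToolOptionsException("Unrecognized action: " + this.action);
            }
        } catch (PoliciesParseException | IOException e) {
            // Reported as an option error so main prints the message and exits with code 2.
            throw new CLIToolOptionsException(e);
        }
    }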

    /**
     * Prints the authorization decisions for the given subject, first in the application
     * context and then, when a project is named, in that project's context.
     *
     * <p>Each optional resource argument (project, project ACL, storage path, job, node/tags)
     * is evaluated only when supplied; otherwise a "skipping" note is logged. Returns early
     * without evaluating anything when {@link #applyArgValidate()} reports a validation failure.
     *
     * @throws CLIToolOptionsException if a subject cannot be built from the arguments
     * @throws IOException declared for the authorization setup
     * @throws PoliciesParseException declared for the authorization setup
     */
    private void listAction() throws CLIToolOptionsException, IOException, PoliciesParseException {
        if (applyArgValidate()) {
            return;
        }
        final RuleEvaluator evaluator = createAuthorization();
        final Subject who = createSubject();
        final String whoLabel;
        if (null != this.argGroups) {
            whoLabel = "group " + this.argGroups;
        } else {
            whoLabel = "username " + this.argUser;
        }
        log("# Application Context access for " + whoLabel + "\n");

        // --- application context, specific resources ---
        if (null == this.argProject) {
            log("\n(No project (-p) specified, skipping Application context actions for a specific project.)\n");
        } else {
            Map<String, Object> projectAttrs = new HashMap<>();
            projectAttrs.put("name", this.argProject);
            logDecisions("project named \"" + this.argProject + "\"", evaluator, who, resources(AuthorizationUtil.resourceRule("project", projectAttrs)), new HashSet<>(appProjectActions), createAppEnv());
        }
        if (null == this.argProjectAcl) {
            log("\n(No project_acl (-P) specified, skipping Application context actions for a ACLs for a specific project.)\n");
        } else {
            Map<String, Object> aclAttrs = new HashMap<>();
            aclAttrs.put("name", this.argProjectAcl);
            logDecisions("project_acl for Project named \"" + this.argProjectAcl + "\"", evaluator, who, resources(AuthorizationUtil.resourceRule(ACLConstants.TYPE_PROJECT_ACL, aclAttrs)), new HashSet<>(appProjectAclActions), createAppEnv());
        }
        if (null == this.argAppStorage) {
            log("\n(No storage path (-s) specified, skipping Application context actions for a specific storage path.)\n");
        } else {
            logDecisions("storage path \"" + this.argAppStorage + "\"", evaluator, who, resources(createStorageResource()), new HashSet<>(appStorageActions), createAppEnv());
        }

        // --- application context, generic kinds ---
        for (String appKind : appKindActionsByType.keySet()) {
            logDecisions(appKind, evaluator, who, resources(AuthorizationUtil.resourceTypeRule(appKind)), new HashSet<>(appKindActionsByType.get(appKind)), createAppEnv());
        }

        if (null == this.argProject) {
            log("\n(No project (-p) specified, skipping Project context listing.)");
            return;
        }

        // --- project context ---
        final Set<Attribute> projectEnv = createAuthEnvironment(this.argProject);
        log("\n# Project \"" + this.argProject + "\" access for " + whoLabel + "\n");
        logDecisions("Adhoc executions", evaluator, who, resources(createProjectAdhocResource()), new HashSet<>(projectAdhocActions), projectEnv);

        // A job name takes precedence over a job UUID when both are given.
        if (null != this.argProjectJob) {
            logDecisions("Job \"" + this.argProjectJob + "\"", evaluator, who, resources(createProjectJobResource()), new HashSet<>(projectJobActions), projectEnv);
        } else if (null != this.argProjectJobUUID) {
            logDecisions("Job UUID\"" + this.argProjectJobUUID + "\"", evaluator, who, resources(createProjectJobUUIDResource()), new HashSet<>(projectJobActions), projectEnv);
        } else {
            log("\n(No job name(-j) or uuid (-I) specified, skipping Project context actions for a specific job.)\n");
        }

        final boolean nodeGiven = null != this.argProjectNode;
        final boolean tagsGiven = null != this.argTags;
        if (nodeGiven || tagsGiven) {
            StringBuilder nodeLabel = new StringBuilder("Node ");
            if (nodeGiven) {
                nodeLabel.append("\"").append(this.argProjectNode).append("\"");
            }
            if (tagsGiven) {
                nodeLabel.append(" tags: ").append(this.argTags);
            }
            logDecisions(nodeLabel.toString(), evaluator, who, resources(createProjectNodeResource()), new HashSet<>(projectNodeActions), projectEnv);
        } else {
            log("\n(No node (-n) or tags (-t) specified, skipping Project context actions for a specific node or node tags.)\n");
        }

        for (String projectKind : projKindActionsByType.keySet()) {
            logDecisions(projectKind, evaluator, who, resources(AuthorizationUtil.resourceTypeRule(projectKind)), new HashSet<>(projKindActionsByType.get(projectKind)), projectEnv);
        }
    }

    /**
     * Returns the environment attribute set used for application-context evaluation.
     *
     * @return the shared {@code Framework.RUNDECK_APP_ENV} set (not a copy)
     */
    private static Set<Attribute> createAppEnv() {
        final Set<Attribute> applicationEnv = Framework.RUNDECK_APP_ENV;
        return applicationEnv;
    }

    /**
     * Returns the environment attribute set for evaluating requests within one project.
     *
     * @param str project name, passed through unchanged to
     *            {@code FrameworkProject.authorizationEnvironment}
     * @return the attribute set produced for that project
     */
    private Set<Attribute> createAuthEnvironment(String str) {
        final Set<Attribute> projectEnv = FrameworkProject.authorizationEnvironment(str);
        return projectEnv;
    }

    /**
     * Validates the policy sources first when the validate flag is set.
     *
     * <p>Nothing is validated when the flag is off, so callers then evaluate the policies as
     * loaded. On failure the errors are reported (verbose mode only), the failure is logged
     * and {@code exit(2)} is called.
     *
     * @return {@code true} only when validation was requested and failed; {@code false} when
     *         validation was not requested or passed
     * @throws CLIToolOptionsException if the policy source arguments are unusable
     */
    private boolean applyArgValidate() throws CLIToolOptionsException {
        if (!this.argValidate) {
            return false;
        }
        final Validation result = validatePolicies();
        final boolean valid = result.isValid();
        if (valid) {
            return false;
        }
        if (this.argVerbose) {
            reportValidation(result);
        }
        // valid is false on this path, so the failure status is what gets printed
        log("The validation " + (valid ? "passed" : FlowControl.STATUS_FAILED));
        exit(2);
        return true;
    }

    /**
     * Converts resource definitions into the string-valued form passed to the rule evaluator.
     *
     * @param mapArr resource attribute maps
     * @return a set holding the {@link #toStringMap(Map)} form of each argument
     */
    private HashSet<Map<String, String>> resources(Map<String, Object>... mapArr) {
        final HashSet<Map<String, String>> flattened = new HashSet<>();
        for (int i = 0; i < mapArr.length; i++) {
            flattened.add(toStringMap(mapArr[i]));
        }
        return flattened;
    }

    /**
     * Evaluates the actions against the resources and logs one line per decision, sorted by
     * {@link #sortByAction(Set)}.
     *
     * <p>Line prefix: {@code +} authorized, {@code !} rejected with code
     * {@code REJECTED_DENIED}, {@code -} rejected with any other code. Rejected lines end with
     * the explanation code in brackets; for {@code REJECTED_DENIED} the full explanation is
     * also written at verbose level.
     *
     * @param str label describing the resource, appended to each line
     * @param ruleEvaluator evaluator to query
     * @param subject subject being checked
     * @param hashSet resources to evaluate
     * @param hashSet2 actions to evaluate
     * @param set environment attributes for the evaluation
     */
    private void logDecisions(String str, RuleEvaluator ruleEvaluator, Subject subject, HashSet<Map<String, String>> hashSet, HashSet<String> hashSet2, Set<Attribute> set) {
        final Set<Decision> ordered = sortByAction(ruleEvaluator.evaluate(hashSet, subject, hashSet2, set));
        for (Decision decision : ordered) {
            final boolean allowed = decision.isAuthorized();
            final boolean explicitDeny = !allowed && decision.explain().getCode() == Explanation.Code.REJECTED_DENIED;

            final String marker;
            if (allowed) {
                marker = "+";
            } else if (explicitDeny) {
                marker = "!";
            } else {
                marker = "-";
            }

            final StringBuilder line = new StringBuilder();
            line.append(marker).append(" ").append(decision.getAction()).append(": ").append(str);
            if (!allowed) {
                line.append(" [").append(decision.explain().getCode()).append("]");
            }
            log(line.toString());

            if (explicitDeny) {
                verbose("  " + decision.explain().toString());
            }
        }
    }

    /**
     * Copies the decisions into a set ordered by the class-level {@code comparator}.
     *
     * <p>Decisions that the comparator treats as equal collapse to a single entry, as with any
     * {@link TreeSet}.
     *
     * @param set decisions to order
     * @return a new sorted set containing the decisions
     */
    private Set<Decision> sortByAction(Set<Decision> set) {
        final TreeSet<Decision> ordered = new TreeSet<>(comparator);
        for (Decision decision : set) {
            ordered.add(decision);
        }
        return ordered;
    }

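    /**
     * Builds the authorization request described by the command-line options.
     *
     * <p>Steps: require a context (and a project for the project context), build the subject,
     * pick the resource from the first matching resource option, merge any extra attributes,
     * work out which actions are valid for that resource, and reject allow/deny actions that
     * are not in that list. Missing or invalid options raise an {@code OptionsPrompt} whose
     * text lists the valid choices.
     *
     * <p>The request carries {@code regexMatch} from the regex option, so attribute values
     * such as {@code '.*'} are emitted as patterns; a pattern matches every resource it fits,
     * not only the one the operator had in mind.
     *
     * @return the populated request
     * @throws CLIToolOptionsException (as {@code OptionsPrompt}) when a required option is
     *         missing or a resource type, generic kind or action is not valid for the context
     * @throws IOException declared by the signature
     * @throws PoliciesParseException declared by the signature
     */
    private AuthRequest createAuthRequestFromArgs() throws CLIToolOptionsException, IOException, PoliciesParseException {
        if (null == this.argContext) {
            throw new OptionsPrompt(optionDisplayString(CONTEXT_OPT, false) + " is required.", "Choose one of: \n  -c " + Context.application + "\n    Access to projects, users, storage, system info, execution management.\n  -c " + Context.project + "\n    Access to jobs, nodes, events, within a project.");
        }
        if (this.argContext == Context.project && null == this.argProject) {
            throw new OptionsPrompt(optionDisplayString(PROJECT_OPT, false) + " is required.", "Choose the name of a project, or .*: \n  -p myproject\n  -p '.*'");
        }
        final boolean appContext = this.argContext == Context.application;
        final boolean projectContext = this.argContext == Context.project;
        final Set<Attribute> environment = appContext ? createAppEnv() : createAuthEnvironment(this.argProject);
        final Subject subject = createSubject();

        // Type and kind names are compared and looked up in lower case throughout.
        final String resourceKey = null != this.argResource ? this.argResource.toLowerCase() : null;
        final String genericKey = null != this.argGenericType ? this.argGenericType.toLowerCase() : null;
        final boolean nodeOrTags = this.argProjectNode != null || this.argTags != null;

        // --- resource selection: the first matching option wins ---
        final Map<String, Object> resourceRule;
        if (appContext && resourceKey != null) {
            if (!appTypes.contains(resourceKey)) {
                throw new OptionsPrompt(optionDisplayString(RESOURCE_OPT, false) + " invalid resource type: " + this.argResource, "  resource types in application context:     " + StringUtils.join(appTypes, "\n    "));
            }
            resourceRule = AuthorizationUtil.resourceRule(resourceKey, null);
        } else if (projectContext && resourceKey != null) {
            if (!projectTypes.contains(resourceKey)) {
                throw new OptionsPrompt(optionDisplayString(RESOURCE_OPT, false) + " invalid resource type: " + this.argResource, "  resource types in project context:     " + StringUtils.join(projectTypes, "\n    "));
            }
            resourceRule = AuthorizationUtil.resourceRule(resourceKey, null);
        } else if (appContext && this.argProject != null) {
            Map<String, Object> projectAttrs = new HashMap<>();
            projectAttrs.put("name", this.argProject);
            resourceRule = AuthorizationUtil.resourceRule("project", projectAttrs);
        } else if (appContext && this.argProjectAcl != null) {
            Map<String, Object> aclAttrs = new HashMap<>();
            aclAttrs.put("name", this.argProjectAcl);
            resourceRule = AuthorizationUtil.resourceRule(ACLConstants.TYPE_PROJECT_ACL, aclAttrs);
        } else if (appContext && this.argAppStorage != null) {
            resourceRule = createStorageResource();
        } else if (projectContext && this.argProjectJob != null) {
            resourceRule = createProjectJobResource();
        } else if (projectContext && this.argProjectJobUUID != null) {
            resourceRule = createProjectJobUUIDResource();
        } else if (projectContext && nodeOrTags) {
            resourceRule = createProjectNodeResource();
        } else if (projectContext && this.argProjectAdhoc) {
            resourceRule = createProjectAdhocResource();
        } else if (projectContext && genericKey != null) {
            if (!projectKinds.contains(genericKey)) {
                throw new OptionsPrompt(optionDisplayString(GENERIC_OPT, false) + " invalid generic kind: " + this.argGenericType, "  generic kinds in this context:     " + StringUtils.join(projectKinds, "\n    "));
            }
            resourceRule = AuthorizationUtil.resourceTypeRule(genericKey);
        } else if (appContext && genericKey != null) {
            if (!appKinds.contains(genericKey)) {
                throw new OptionsPrompt(optionDisplayString(GENERIC_OPT, false) + " invalid generic kind: " + this.argGenericType, "  generic kind in this context:     " + StringUtils.join(appKinds, "\n    "));
            }
            resourceRule = AuthorizationUtil.resourceTypeRule(genericKey);
        } else if (projectContext) {
            throw new OptionsPrompt("Project-context resource option is required.", "Possible options:\n  Job: " + optionDisplayString(JOB_OPT) + "\n    View, modify, create*, delete*, run, and kill specific jobs,\n    and toggle whether schedule and/or execution are enabled.\n    * Create and delete also require additional " + optionDisplayString(GENERIC_OPT) + " level access.\n  Adhoc: " + optionDisplayString(ADHOC_OPT) + "\n    View, run, and kill adhoc commands.\n  Node: " + optionDisplayString(NODE_OPT) + "\n      : " + optionDisplayString(TAGS_OPT) + "\n    View and run on specific nodes by name or tag.\n  Resource: " + optionDisplayString(RESOURCE_OPT) + "\n    Specify the resource type directly. " + optionDisplayString(ATTRS_OPT) + " should also be used.\n    resource types in this context: \n    " + StringUtils.join(projectTypes, "\n    ") + "\n  Generic: " + optionDisplayString(GENERIC_OPT) + "\n    Create and delete jobs.\n    View and manage nodes.\n    View events.\n    generic kinds in this context: \n    " + StringUtils.join(projectKinds, "\n    "));
        } else {
            throw new OptionsPrompt("Application-context resource option is required.", "Possible options:\n  Project: " + optionDisplayString(PROJECT_OPT) + "\n    Visibility, import, export, config, and delete executions.\n    *Note: Project create requires additional " + optionDisplayString(GENERIC_OPT) + " level access.\n  Project ACLs: " + optionDisplayString(PROJECT_ACL_OPT) + "\n    CRUD access for the project ACLs.\n  Storage: " + optionDisplayString(STORAGE_OPT) + "\n    CRUD access for the key storage system.\n  Resource: " + optionDisplayString(RESOURCE_OPT) + "\n    Specify the resource type directly. " + optionDisplayString(ATTRS_OPT) + " should also be used.\n    resource types in this context: \n    " + StringUtils.join(appTypes, "\n    ") + "\n  Generic: " + optionDisplayString(GENERIC_OPT) + "\n    Create projects, read system info, manage system ACLs, manage users, change\n      execution mode, manage plugins.\n    generic kinds in this context: \n    " + StringUtils.join(appKinds, "\n    "));
        }

        // --- extra attributes ---
        if (null != this.attrsMap && this.attrsMap.size() > 0) {
            resourceRule.putAll(this.attrsMap);
        } else if (this.attrHelp && null != this.argResource && !this.argResource.equalsIgnoreCase("adhoc")) {
            throw new OptionsPrompt(optionDisplayString(ATTRS_OPT) + " should be specified when " + optionDisplayString(RESOURCE_OPT) + " is used", "Possible attributes for resource type " + this.argResource + " in this context:\n  " + StringUtils.join((appContext ? appResAttrsByType : projResAttrsByType).get(resourceKey), "\n  "));
        }

        // --- actions that are valid for the selected resource ---
        // NOTE(review): the precedence below differs from the resource selection above when
        // more than one resource option is given (e.g. storage is checked before project here,
        // after it above) — confirm the options are mutually exclusive upstream.
        final List<String> possibleActions = new ArrayList<>();
        possibleActions.add("*");
        if (appContext && null != resourceKey) {
            // Look up by the lower-cased key, matching the validation above; the raw option
            // value would miss the entry for mixed-case input and fail with a null lookup.
            possibleActions.addAll(appResActionsByType.get(resourceKey));
        } else if (projectContext && null != resourceKey) {
            possibleActions.addAll(projResActionsByType.get(resourceKey));
        } else if (appContext && this.argAppStorage != null) {
            possibleActions.addAll(appStorageActions);
        } else if (appContext && this.argProject != null) {
            possibleActions.addAll(appProjectActions);
        } else if (appContext && this.argProjectAcl != null) {
            possibleActions.addAll(appProjectAclActions);
        } else if (appContext && genericKey != null) {
            possibleActions.addAll(appKindActionsByType.get(genericKey));
        } else if (projectContext && genericKey != null) {
            possibleActions.addAll(projKindActionsByType.get(genericKey));
        } else if (projectContext && !(this.argProjectJob == null && this.argProjectJobUUID == null)) {
            possibleActions.addAll(projectJobActions);
        } else if (projectContext && this.argProjectAdhoc) {
            possibleActions.addAll(projectAdhocActions);
        } else if (projectContext && nodeOrTags) {
            possibleActions.addAll(projectNodeActions);
        }

        if (null == this.argAllowAction && null == this.argDenyAction) {
            throw new OptionsPrompt(optionDisplayString(ALLOW_OPT) + " or " + optionDisplayString(DENY_OPT) + " is required.", "Possible actions in this context: \n  " + StringUtils.join(possibleActions, "\n  "));
        }

        // --- reject actions that do not apply to the selected resource ---
        if (null != this.argAllowAction) {
            final List<String> invalidAllow = new ArrayList<>();
            for (String requested : this.actionsAllowList) {
                if (!possibleActions.contains(requested)) {
                    invalidAllow.add(requested);
                }
            }
            if (!invalidAllow.isEmpty()) {
                // Same layout as the deny message, so the two lists do not run together.
                throw new OptionsPrompt(optionDisplayString(ALLOW_OPT, false) + " specified invalid actions.", "These actions are not valid for the context:\n  " + StringUtils.join(invalidAllow, "\n  ") + "\n\nPossible actions in this context:\n  " + StringUtils.join(possibleActions, "\n  "));
            }
        }
        if (null != this.argDenyAction) {
            final List<String> invalidDeny = new ArrayList<>();
            for (String requested : this.actionsDenyList) {
                if (!possibleActions.contains(requested)) {
                    invalidDeny.add(requested);
                }
            }
            if (!invalidDeny.isEmpty()) {
                throw new OptionsPrompt(optionDisplayString(DENY_OPT, false) + " specified invalid actions.", "These actions are not valid for the context:\n  " + StringUtils.join(invalidDeny, "\n  ") + "\n\nPossible actions in this context:\n  " + StringUtils.join(possibleActions, "\n  "));
            }
        }

        // --- assemble the request ---
        final AuthRequest authRequest = new AuthRequest();
        authRequest.resourceMap = resourceRule;
        authRequest.subject = subject;
        if (null != this.actionsAllowList) {
            authRequest.actions = new HashSet<>(this.actionsAllowList);
        }
        authRequest.environment = environment;
        if (null != this.actionsDenyList) {
            authRequest.denyActions = new HashSet<>(this.actionsDenyList);
        }
        authRequest.regexMatch = this.argRegex;
        // tag lists in the project context are matched with "contains" rather than equality
        authRequest.containsMatch = projectContext && this.argTags != null;
        return authRequest;
    }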

    /**
     * Builds the {@code node} resource from the node-name and tags options.
     *
     * <p>{@code nodename} is set when a node name was given; {@code tags} is set to
     * {@code tagsSet} when the tags option was given. Either or both may be absent.
     *
     * @return the resource rule map for type {@code node}
     */
    private Map<String, Object> createProjectNodeResource() {
        final Map<String, Object> nodeAttrs = new HashMap<>();
        if (this.argProjectNode != null) {
            nodeAttrs.put("nodename", this.argProjectNode);
        }
        if (this.argTags != null) {
            nodeAttrs.put("tags", this.tagsSet);
        }
        return AuthorizationUtil.resourceRule("node", nodeAttrs);
    }

    /**
     * Builds the {@code job} resource from the job option, splitting it into group and name.
     *
     * <p>The value is split at the last occurrence of the separator constant: the part before
     * it becomes the group, the part after it the name. Without a separator the group is the
     * empty string and the whole value is the name.
     *
     * @return the resource rule map for type {@code job}
     */
    private Map<String, Object> createProjectJobResource() {
        final String jobRef = this.argProjectJob;
        // NOTE(review): the constant's name comes from ScriptVarExpander; presumably it is the
        // path separator used in job references — confirm its value.
        final int cut = jobRef.lastIndexOf(ScriptVarExpander.PROPERTY_SCRIPT_VAR_NODE_CHAR);
        final boolean grouped = cut >= 0;

        final Map<String, Object> jobAttrs = new HashMap<>();
        jobAttrs.put(YamlParsePolicy.GROUP_KEY, grouped ? jobRef.substring(0, cut) : "");
        jobAttrs.put("name", grouped ? jobRef.substring(cut + 1) : jobRef);
        return AuthorizationUtil.resourceRule("job", jobAttrs);
    }

    /**
     * Builds the {@code job} resource identified by the job UUID option.
     *
     * @return the resource rule map for type {@code job} with a single {@code uuid} attribute
     */
    private Map<String, Object> createProjectJobUUIDResource() {
        final Map<String, Object> jobAttrs = new HashMap<>();
        jobAttrs.put("uuid", this.argProjectJobUUID);
        return AuthorizationUtil.resourceRule("job", jobAttrs);
    }

    /**
     * Builds the {@code adhoc} resource, which carries no attributes of its own.
     *
     * @return the resource rule map for type {@code adhoc}
     */
    private Map<String, Object> createProjectAdhocResource() {
        final Map<String, Object> noAttrs = new HashMap<>();
        return AuthorizationUtil.resourceRule("adhoc", noAttrs);
    }

    /**
     * Builds the {@code storage} resource from the storage path option.
     *
     * <p>{@code path} is always the full option value. {@code name} is the part after the last
     * separator, or the full value when there is no separator.
     *
     * @return the resource rule map for type {@code storage}
     */
    private Map<String, Object> createStorageResource() {
        final String storagePath = this.argAppStorage;
        final int cut = storagePath.lastIndexOf(ScriptVarExpander.PROPERTY_SCRIPT_VAR_NODE_CHAR);
        // With no separator cut is -1, so cut + 1 == 0 and the whole value becomes the name.
        final String leaf = storagePath.substring(cut + 1);

        final Map<String, Object> storageAttrs = new HashMap<>();
        storageAttrs.put("path", storagePath);
        storageAttrs.put("name", leaf);
        return AuthorizationUtil.resourceRule("storage", storageAttrs);
    }

    /**
     * Builds the subject from the user and groups options.
     *
     * @return a subject for {@code argUser} and {@code groupsList}
     * @throws OptionsPrompt if neither a user nor groups were supplied
     */
    private Subject createSubject() throws OptionsPrompt {
        final boolean identityGiven = this.argGroups != null || this.argUser != null;
        if (identityGiven) {
            return makeSubject(this.argUser, this.groupsList);
        }
        throw new OptionsPrompt(optionDisplayString(GROUPS_OPT) + " or " + optionDisplayString(USER_OPT) + " are required", "  -u user1,user2... \n  -g group1,group2... \n    Groups control access for a set of users, and correspond\n    to authorization roles.");
    }

    /**
     * Creates a subject with one {@code Username} principal and one {@code Group} principal
     * per group name.
     *
     * <p>When no user name is supplied the placeholder name {@code "user"} is used. The
     * {@code toDataMap} method in this class compares the principal name against the same
     * literal, so a real account with that name is indistinguishable from "no user given".
     *
     * @param str user name, or {@code null} to use the placeholder
     * @param collection group names, or {@code null} for none
     * @return the populated subject
     */
    private Subject makeSubject(String str, Collection<String> collection) {
        final Subject subject = new Subject();
        final String principalName = (str == null) ? "user" : str;
        subject.getPrincipals().add(new Username(principalName));
        if (collection == null) {
            return subject;
        }
        for (String groupName : collection) {
            subject.getPrincipals().add(new Group(groupName));
        }
        return subject;
    }

    /**
     * Validates the policy sources, prints every error and the overall result, and calls
     * {@code exit(2)} when validation failed.
     *
     * @throws CLIToolOptionsException if the policy source arguments are unusable
     * @throws IOException declared by the signature
     * @throws PoliciesParseException declared by the signature
     */
    private void validateAction() throws CLIToolOptionsException, IOException, PoliciesParseException {
        final boolean fallingBackToConfigDir = null == this.argFile && null == this.argDir && null != this.configDir;
        if (fallingBackToConfigDir) {
            log("Using configured Rundeck etc dir: " + this.configDir);
        }
        final Validation result = validatePolicies();
        reportValidation(result);
        final String outcome = result.isValid() ? "passed" : FlowControl.STATUS_FAILED;
        log("The validation " + outcome);
        if (!result.isValid()) {
            exit(2);
        }
    }

    /**
     * Writes the validation errors to standard error, grouped under the key they were
     * reported for.
     *
     * @param validation result whose errors are printed; nothing is printed when there are none
     */
    private void reportValidation(Validation validation) {
        for (Map.Entry<String, List<String>> group : validation.getErrors().entrySet()) {
            System.err.println(group.getKey() + ":");
            for (String message : group.getValue()) {
                System.err.println("\t" + message);
            }
        }
    }

    /**
     * Validates the policy source chosen by the options.
     *
     * <p>Precedence: the file option, then the directory option, then the configured
     * directory. The chosen path must exist and be of the expected kind.
     *
     * @return the validation result from {@code YamlProvider}
     * @throws CLIToolOptionsException if no source is available or the chosen path is not a
     *         file or directory as required
     */
    private Validation validatePolicies() throws CLIToolOptionsException {
        final ValidationSet collected = new ValidationSet();

        if (this.argFile != null) {
            if (!this.argFile.isFile()) {
                throw new CLIToolOptionsException("File: " + this.argFile + ", does not exist or is not a file");
            }
            return YamlProvider.validate(YamlProvider.sourceFromFile(this.argFile, collected), collected);
        }

        if (this.argDir != null) {
            if (!this.argDir.isDirectory()) {
                throw new CLIToolOptionsException("File: " + this.argDir + ", does not exist or is not a directory");
            }
            return YamlProvider.validate(YamlProvider.asSources(this.argDir), collected);
        }

        if (this.configDir == null) {
            throw new CLIToolOptionsException("-f or -d are required");
        }
        final File configured = new File(this.configDir);
        if (!configured.isDirectory()) {
            throw new CLIToolOptionsException("File: " + configured + ", does not exist or is not a directory");
        }
        return YamlProvider.validate(YamlProvider.asSources(configured), collected);
    }

    /**
     * Generates policy YAML on standard output, either for every request read from the input
     * option or for the single request described by the command-line options.
     *
     * <p>The output is not validated here; it is the operator's input to a policy file.
     *
     * @throws CLIToolOptionsException if the command-line options do not describe a request
     * @throws IOException if the input cannot be read
     * @throws PoliciesParseException declared by the signature
     */
    private void createAction() throws CLIToolOptionsException, IOException, PoliciesParseException {
        final List<AuthRequest> requests;
        if (this.argInput != null) {
            requests = readRequests(this.argInput);
        } else {
            requests = new ArrayList<>();
            requests.add(createAuthRequestFromArgs());
        }
        for (AuthRequest request : requests) {
            generateYaml(request, System.out);
        }
    }

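    /**
     * Reads decision log lines and turns each denied decision into an {@code AuthRequest}.
     *
     * <p>A line is used only if it contains {@code Decision for:} and {@code authorized: false}
     * and carries {@code res<...>}, {@code subject<...>}, {@code action<...>} and
     * {@code env<...>} segments in that order; anything else is skipped with a verbose note.
     *
     * <p>Field values are taken from the line as written. Nothing here checks them against the
     * known resource types or actions, and a value that itself contains {@code >} or the field
     * delimiter ends or splits the field early. The requests are used to generate policy text,
     * so output produced from log input should be reviewed before it is added to a policy file.
     *
     * @param str path of the file to read, or {@code "-"} for standard input
     * @return the requests parsed from the input, possibly empty
     * @throws IOException if the input cannot be opened or read
     */
    private List<AuthRequest> readRequests(String str) throws IOException {
        final List<AuthRequest> requests = new ArrayList<>();
        // try-with-resources closes the reader on every path and records a close() failure as
        // suppressed instead of letting it replace the original read failure.
        try (BufferedReader reader = new BufferedReader(str.equals("-") ? new InputStreamReader(System.in) : new FileReader(new File(str)))) {
            for (String line = reader.readLine(); line != null; line = reader.readLine()) {
                if (!line.contains("Decision for:")) {
                    verbose("did not see start. skip line: " + line);
                    continue;
                }
                if (line.indexOf("authorized: false") <= 0) {
                    verbose("skip line: " + line);
                    continue;
                }

                // res<...>
                final ParsePart resPart = parsePart("res", line, ", ", false);
                if (null == resPart) {
                    verbose("no res< " + line);
                    continue;
                }
                final Map<String, Object> resource = resPart.resourceMap;
                if (resource.containsKey("tags") && resource.get("tags").toString().contains(",")) {
                    // a comma-separated tag value becomes a list
                    resource.put("tags", Arrays.asList(resource.get("tags").toString().split(",")));
                }

                // subject<...>
                final String afterRes = line.substring(resPart.len);
                final ParsePart subjectPart = parsePart("subject", afterRes, " ", true);
                if (null == subjectPart) {
                    verbose("no subject<: " + afterRes);
                    continue;
                }
                final Map<String, Object> subjectFields = subjectPart.resourceMap;
                final Subject subject = createSubject(subjectFields);
                if (null == subject) {
                    verbose("parse subject< failed: " + subjectFields + ": " + afterRes);
                    continue;
                }

                // action<...>
                final String afterSubject = afterRes.substring(subjectPart.len);
                final ParsePart actionPart = parseString("action", afterSubject);
                if (null == actionPart) {
                    verbose("no action<: " + afterSubject);
                    continue;
                }
                final String action = actionPart.value;

                // env<...>
                final String afterAction = afterSubject.substring(actionPart.len);
                final ParsePart envPart = parseString("env", afterAction);
                if (null == envPart) {
                    verbose("no env<: " + afterAction);
                    continue;
                }
                final String env = envPart.value;
                final String afterEnv = afterAction.substring(envPart.len);
                final int lastColon = env.lastIndexOf(":");
                if (lastColon < 0 || lastColon >= env.length()) {
                    verbose("env parse failed: " + afterEnv);
                    continue;
                }

                final boolean applicationEnv = env.equals("rundeck:auth:env:application:rundeck")
                        || env.equals("http://dtolabs.com/rundeck/auth/env/application:rundeck");
                final AuthRequest authRequest = new AuthRequest();
                // any other env value is read as "<prefix>:<project name>"
                authRequest.environment = applicationEnv ? createAppEnv() : createAuthEnvironment(env.substring(lastColon + 1));
                authRequest.actions = new HashSet<>(Arrays.asList(action));
                authRequest.resourceMap = resource;
                authRequest.subject = subject;
                requests.add(authRequest);
            }
        }
        return requests;
    }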

    /**
     * Converts a resource attribute map to string values.
     *
     * <p>A {@code tags} value that is a collection is joined with commas; every other value is
     * converted with {@code toString()}, so values are expected to be non-null.
     *
     * @param map resource attributes
     * @return a new map with the same keys and string values
     */
    private Map<String, String> toStringMap(Map<String, Object> map) {
        final Map<String, String> flat = new HashMap<>();
        for (Map.Entry<String, Object> attribute : map.entrySet()) {
            final String key = attribute.getKey();
            final Object value = attribute.getValue();
            final boolean tagCollection = key.equals("tags") && value instanceof Collection;
            if (tagCollection) {
                flat.put(key, StringUtils.join((Collection<?>) value, ","));
            } else {
                flat.put(key, value.toString());
            }
        }
        return flat;
    }

    /**
     * Builds a subject from parsed {@code Username} and {@code Group} fields.
     *
     * @param map parsed subject fields; {@code Username} must be a string and {@code Group}
     *            either a string or a collection of names
     * @return the subject, or {@code null} when either field is missing or of another type
     */
    @SuppressWarnings("unchecked")
    private Subject createSubject(Map<String, Object> map) {
        final Object name = map.get("Username");
        final Object groups = map.get("Group");
        // instanceof is false for null, so this also covers a missing Username
        if (!(name instanceof String) || groups == null) {
            return null;
        }
        final Collection<String> groupNames;
        if (groups instanceof Collection) {
            groupNames = (Collection<String>) groups;
        } else if (groups instanceof String) {
            groupNames = Arrays.asList((String) groups);
        } else {
            return null;
        }
        return makeSubject(name.toString(), groupNames);
    }

    /**
     * Extracts a {@code name<key:value...>} segment from a line and parses its content as a map.
     *
     * <p>The segment starts at the first occurrence of {@code name<} and ends at the first
     * {@code >} after it, so a value containing {@code >} cuts the segment short.
     *
     * @param str segment name
     * @param str2 text to search
     * @param str3 delimiter between entries inside the segment
     * @param z whether repeated keys are collected into a list (see {@link #parseMap})
     * @return the parsed map and the offset just past the closing {@code >}, or {@code null}
     *         when the segment is absent, unterminated or not parseable
     */
    private ParsePart parsePart(String str, String str2, String str3, boolean z) {
        final int prefixLength = str.length() + 1;
        final int start = str2.indexOf(str + "<");
        if (start < 0 || start > str2.length() - prefixLength) {
            return null;
        }
        final String tail = str2.substring(start + prefixLength);
        final int close = tail.indexOf(">");
        if (close < 0) {
            return null;
        }
        final Map<String, Object> fields = parseMap(tail.substring(0, close), str3, z);
        if (fields == null) {
            return null;
        }
        final ParsePart part = new ParsePart();
        // offset of the first character after '>' within str2
        part.len = start + prefixLength + close + 1;
        part.resourceMap = fields;
        return part;
    }

    /**
     * Extracts the raw text of a {@code name<...>} segment from a line.
     *
     * <p>The segment starts at the first occurrence of {@code name<} and ends at the first
     * {@code >} after it.
     *
     * @param str segment name
     * @param str2 text to search
     * @return the segment text and the offset just past the closing {@code >}, or {@code null}
     *         when the segment is absent or unterminated
     */
    private ParsePart parseString(String str, String str2) {
        final int prefixLength = str.length() + 1;
        final int start = str2.indexOf(str + "<");
        if (start < 0 || start > str2.length() - prefixLength) {
            return null;
        }
        final String tail = str2.substring(start + prefixLength);
        final int close = tail.indexOf(">");
        if (close < 0) {
            return null;
        }
        final ParsePart part = new ParsePart();
        part.value = tail.substring(0, close);
        // offset of the first character after '>' within str2
        part.len = start + prefixLength + close + 1;
        return part;
    }

    /**
     * Parses {@code key:value} entries separated by a literal delimiter.
     *
     * <p>Each entry is split at its first colon. With {@code z} set, a repeated key collects
     * its values into a list; otherwise a later entry overwrites the earlier one.
     *
     * @param str text holding the entries
     * @param str2 delimiter between entries, matched literally
     * @param z whether repeated keys accumulate into a list
     * @return the parsed map, or {@code null} when there are no entries or an entry has no colon
     */
    private Map<String, Object> parseMap(String str, String str2, boolean z) {
        final String[] entries = str.split(Pattern.quote(str2));
        if (entries.length < 1) {
            return null;
        }
        final Map<String, Object> parsed = new HashMap<>();
        for (String entry : entries) {
            final String[] keyValue = entry.split(":", 2);
            if (keyValue.length < 2) {
                return null;
            }
            final String key = keyValue[0];
            final String value = keyValue[1];
            if (!z || !parsed.containsKey(key)) {
                parsed.put(key, value);
                continue;
            }
            final Object existing = parsed.get(key);
            if (existing instanceof Collection) {
                @SuppressWarnings("unchecked")
                final Collection<Object> bucket = (Collection<Object>) existing;
                bucket.add(value);
            } else if (existing instanceof String) {
                // second value for this key: promote the single string to a list
                final List<Object> bucket = new ArrayList<>();
                bucket.add(existing);
                bucket.add(value);
                parsed.put(key, bucket);
            }
        }
        return parsed;
    }

    /**
     * Writes one policy document for the request to the stream in block-style YAML, preceded
     * by a comment line and a {@code ---} document marker.
     *
     * <p>The document is written as generated; this method does not run it through policy
     * validation.
     *
     * @param authRequest request to render
     * @param printStream destination stream
     */
    private void generateYaml(AuthRequest authRequest, PrintStream printStream) {
        // build the data first so a failure leaves the stream untouched
        final Map<String, ?> policy = toDataMap(authRequest);

        final DumperOptions blockStyle = new DumperOptions();
        blockStyle.setDefaultFlowStyle(DumperOptions.FlowStyle.BLOCK);
        final Yaml dumper = new Yaml(blockStyle);

        printStream.println("# create or append this to a .aclpolicy file");
        printStream.println("---");
        final OutputStreamWriter sink = new OutputStreamWriter(printStream);
        dumper.dump(policy, sink);
    }

    /**
     * Builds the nested map form of an ACL policy for a single request, with the
     * context, subject ("by"), "for" and "description" sections.
     *
     * <p>Context is {@code application: rundeck} when the request environment equals
     * {@code createAppEnv()}; otherwise the value of the first environment attribute is
     * used as the project. The subject section is keyed by group names when the username
     * is the literal {@code "user"}, and by username otherwise.
     * NOTE(review): a real account named "user" would therefore yield a group-based
     * policy - confirm this is the intended convention.
     *
     * <p>The resource's {@code type} entry names the rule list under "for"; the remaining
     * resource attributes become a "match", "contains" or "equals" condition.
     *
     * @param authRequest request describing environment, subject, resource and actions;
     *                    the environment, the Username principal, the resource
     *                    {@code type} and (for the "user" case) at least one group must
     *                    be present, otherwise the lookups below throw
     * @return the policy data, with "description" defaulting to {@code "generated"}
     */
    public static Map<String, ?> toDataMap(AuthRequest authRequest) {
        Map<String, Object> policy = new HashMap<String, Object>();
        Map<String, Object> forSection = new HashMap<String, Object>();

        // Context: application-wide or a single project.
        Map<String, Object> context = new HashMap<String, Object>();
        if (authRequest.environment.equals(createAppEnv())) {
            context.put("application", "rundeck");
        } else {
            context.put("project", authRequest.environment.iterator().next().value);
        }
        policy.put(CONTEXT_LONG_OPT, context);

        // Subject: group-based when the username is the generic "user", else by username.
        Map<String, Object> bySection = new HashMap<String, Object>();
        String userName = ((Username) authRequest.subject.getPrincipals(Username.class).iterator().next()).getName();
        if (userName.equals("user")) {
            List<Object> groupNames = new ArrayList<Object>();
            for (Object principal : authRequest.subject.getPrincipals(Group.class)) {
                groupNames.add(((Group) principal).getName());
            }
            if (groupNames.size() > 1) {
                bySection.put(YamlParsePolicy.GROUP_KEY, groupNames);
            } else {
                // A single group is written as a scalar rather than a one-element list.
                bySection.put(YamlParsePolicy.GROUP_KEY, groupNames.iterator().next());
            }
        } else {
            bySection.put("username", userName);
        }
        policy.put(YamlParsePolicy.BY_SECTION, bySection);

        // Resource: "type" selects the rule list, every other attribute is a condition.
        String resourceType = authRequest.resourceMap.get("type").toString();
        Map<String, Object> conditions = new HashMap<String, Object>();
        conditions.putAll(authRequest.resourceMap);
        conditions.remove("type");

        Map<String, Object> rule = new HashMap<String, Object>();
        if (!conditions.isEmpty()) {
            String matchKind;
            if (authRequest.regexMatch) {
                matchKind = "match";
            } else if (authRequest.containsMatch) {
                matchKind = "contains";
            } else {
                matchKind = "equals";
            }
            rule.put(matchKind, conditions);
        }
        if (authRequest.actions != null && authRequest.actions.size() > 0) {
            if (authRequest.actions.size() > 1) {
                rule.put(ALLOW_LONG_OPT, new ArrayList<Object>(authRequest.actions));
            } else {
                rule.put(ALLOW_LONG_OPT, authRequest.actions.iterator().next());
            }
        }
        if (authRequest.denyActions != null && authRequest.denyActions.size() > 0) {
            if (authRequest.denyActions.size() > 1) {
                rule.put(DENY_LONG_OPT, new ArrayList<Object>(authRequest.denyActions));
            } else {
                rule.put(DENY_LONG_OPT, authRequest.denyActions.iterator().next());
            }
        }

        List<Object> rules = new ArrayList<Object>();
        rules.add(rule);
        forSection.put(resourceType, rules);
        policy.put("for", forSection);

        String description = authRequest.description;
        policy.put("description", description == null ? "generated" : description);
        return policy;
    }

    /* JADX WARN: Can't fix incorrect switch cases order, some code will duplicate */
    /* JADX WARN: Code restructure failed: missing block: B:29:0x01aa, code lost:
    
        r13 = false;
     */
    /* JADX WARN: Failed to find 'out' block for switch in B:38:0x01c3. Please report as an issue. */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    /**
     * Decompiler placeholder: the original body of this method was not recovered (see the
     * JADX warnings above and the "Method dump skipped" note below), so what the method
     * actually does cannot be read from this listing.
     *
     * <p>As written here it always throws, which means this copy of the class cannot run
     * the action this method implements. Use the original source or the instruction dump
     * when reviewing its logic.
     *
     * @throws UnsupportedOperationException always, in this decompiled form
     */
    private void testAction() throws com.dtolabs.rundeck.core.cli.CLIToolOptionsException, java.io.IOException, com.dtolabs.rundeck.core.authorization.providers.PoliciesParseException {
        /*
            Method dump skipped, instructions count: 643
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: com.dtolabs.rundeck.core.cli.acl.AclTool.testAction():void");
    }

    /**
     * Loads the policies selected by the command-line options and wraps them in a
     * {@link RuleEvaluator}.
     *
     * @return an evaluator over the policies returned by {@link #createPolicies()}
     * @throws IOException             propagated from policy loading
     * @throws PoliciesParseException  propagated from policy loading
     * @throws CLIToolOptionsException when no usable policy source was given
     */
    private RuleEvaluator createAuthorization() throws IOException, PoliciesParseException, CLIToolOptionsException {
        Policies policies = createPolicies();
        return RuleEvaluator.createRuleEvaluator(policies);
    }

    /**
     * Loads ACL policies from exactly one source, chosen in this order: the explicit file,
     * then the explicit directory, then the configured Rundeck etc directory.
     *
     * <p>Only the first source that is set is consulted, so the loaded policies cover just
     * that file or directory.
     *
     * @return the loaded policies
     * @throws CLIToolOptionsException when the chosen path is not a file/directory as
     *                                 required, or when no source is available at all
     * @throws IOException             declared for the loading calls
     * @throws PoliciesParseException  declared for the loading calls
     */
    private Policies createPolicies() throws IOException, PoliciesParseException, CLIToolOptionsException {
        if (this.argFile != null) {
            if (this.argFile.isFile()) {
                return Policies.loadFile(this.argFile);
            }
            throw new CLIToolOptionsException("File: " + this.argFile + ", does not exist or is not a file");
        }

        if (this.argDir != null) {
            if (this.argDir.isDirectory()) {
                return Policies.load(this.argDir);
            }
            throw new CLIToolOptionsException("File: " + this.argDir + ", does not exist or is not a directory");
        }

        // Neither option given: fall back to the configured directory, if there is one.
        if (this.configDir == null) {
            throw new CLIToolOptionsException("-f or -d are required");
        }
        log("Using configured Rundeck etc dir: " + this.configDir);
        File etcDir = new File(this.configDir);
        if (etcDir.isDirectory()) {
            return Policies.load(etcDir);
        }
        throw new CLIToolOptionsException("File: " + etcDir + ", does not exist or is not a directory");
    }

    /**
     * Returns the usage text for the {@code rd-acl} tool, one command form per line,
     * grouped under the "Test action" and "Create action" headings.
     *
     * @return the multi-line help text, ending with a newline
     */
    @Override // com.dtolabs.rundeck.core.cli.BaseTool
    public String getHelpString() {
        // Compile-time constant concatenation; the resulting text is a single literal.
        final String usage = "rd-acl <command> [options...]: test [options]\n"
                + "\tTest action:\n"
                + "rd-acl test [options] : Test existing aclpolicy files\n"
                + "rd-acl test --dir <path> [options] : Test all aclpolicy files in specific dir\n"
                + "rd-acl test --file <file> [options] : Test specific aclpolicy file\n"
                + "rd-acl test -v [options] : Verbose output, including policy definitions to resolve failing tests\n"
                + "\tCreate action:\n"
                + "rd-acl create [options] : Generate aclpolicy definition based on input options\n"
                + "rd-acl create -i <audit.log> : Generate aclpolicy definitions to resolve rejected access requests\n"
                + "rd-acl create -i - : Read audit log entries from stdin\n";
        return usage;
    }

    /**
     * Forwards a normal-level message to the CLI logger; does nothing when no logger is set.
     *
     * @param str message to log, passed through unchanged
     */
    @Override // com.dtolabs.rundeck.core.execution.BaseLogger
    public void log(String str) {
        if (this.clilogger == null) {
            return;
        }
        this.clilogger.log(str);
    }

    /**
     * Forwards an error message to the CLI logger; does nothing when no logger is set.
     *
     * @param str message to log, passed through unchanged
     */
    @Override // com.dtolabs.rundeck.core.execution.BaseLogger
    public void error(String str) {
        if (this.clilogger == null) {
            return;
        }
        this.clilogger.error(str);
    }

    /**
     * Forwards a warning message to the CLI logger; does nothing when no logger is set.
     *
     * @param str message to log, passed through unchanged
     */
    @Override // com.dtolabs.rundeck.core.execution.BaseLogger
    public void warn(String str) {
        if (this.clilogger == null) {
            return;
        }
        this.clilogger.warn(str);
    }

    /**
     * Forwards a verbose message to the CLI logger, but only when verbose output was
     * requested and a logger is set.
     *
     * @param str message to log, passed through unchanged
     */
    @Override // com.dtolabs.rundeck.core.execution.BaseLogger
    public void verbose(String str) {
        if (this.argVerbose && this.clilogger != null) {
            this.clilogger.verbose(str);
        }
    }

    /**
     * Forwards a debug message to the CLI logger; does nothing when no logger is set.
     *
     * @param str message to log, passed through unchanged
     */
    @Override // com.dtolabs.rundeck.core.execution.BaseLogger
    public void debug(String str) {
        if (this.clilogger == null) {
            return;
        }
        this.clilogger.debug(str);
    }

    /**
     * Compiler-generated accessor (marked synthetic) that exposes {@code createAppEnv()}
     * to other classes compiled from the same source; it adds no logic of its own.
     *
     * @return whatever {@code createAppEnv()} returns
     */
    static /* synthetic */ Set access$3100() {
        Set appEnv = createAppEnv();
        return appEnv;
    }

    // Static lookup tables keyed by resource type name. Each table maps a type either to a
    // list of action names or to a list of attribute names. The "app*" tables and the
    // "proj*" tables presumably correspond to the application and project contexts - confirm
    // against the code that reads them. Statement order matters: each list is assigned
    // before it is stored in a map.
    static {
        // Application resources: type -> action names (the lists and this map are
        // initialised outside this block).
        appResActionsByType.put("project", appProjectActions);
        appResActionsByType.put(ACLConstants.TYPE_PROJECT_ACL, appProjectAclActions);
        appResActionsByType.put("storage", appStorageActions);
        appResActionsByType.put(ACLConstants.TYPE_APITOKEN, appApitokenActions);
        // Application resources: type -> attribute names.
        appResAttrsByType = new HashMap();
        appResAttrsByType.put("project", Collections.singletonList("name"));
        appResAttrsByType.put(ACLConstants.TYPE_PROJECT_ACL, Collections.singletonList("name"));
        appResAttrsByType.put("storage", Arrays.asList("path", "name"));
        appResAttrsByType.put(ACLConstants.TYPE_APITOKEN, Arrays.asList("username", "roles"));
        // Application resource kinds: type -> action names.
        appKindActionsByType = new HashMap();
        appKindActionsByType.put("project", appProjectKindActions);
        appKindActionsByType.put(ACLConstants.TYPE_SYSTEM, appSystemKindActions);
        appKindActionsByType.put(ACLConstants.TYPE_SYSTEM_ACL, appSystemAclKindActions);
        appKindActionsByType.put("user", appUserKindActions);
        appKindActionsByType.put("job", appJobKindActions);
        appKindActionsByType.put(ACLConstants.TYPE_APITOKEN, appApitokenKindActions);
        appKindActionsByType.put(ACLConstants.TYPE_PLUGIN, appPluginActions);
        // Project-level action lists for job, adhoc and node resources.
        projectJobActions = Arrays.asList("read", ACLConstants.ACTION_VIEW, "update", "delete", ACLConstants.ACTION_RUN, ACLConstants.ACTION_RUNAS, ACLConstants.ACTION_KILL, ACLConstants.ACTION_KILLAS, "create", ACLConstants.ACTION_TOGGLE_EXECUTION, ACLConstants.ACTION_TOGGLE_SCHEDULE, ACLConstants.ACTION_SCM_UPDATE, ACLConstants.ACTION_SCM_CREATE, ACLConstants.ACTION_SCM_DELETE);
        projectJobKindActions = Arrays.asList("create", "delete");
        projectAdhocActions = Arrays.asList("read", ACLConstants.ACTION_VIEW, ACLConstants.ACTION_RUN, ACLConstants.ACTION_RUNAS, ACLConstants.ACTION_KILL, ACLConstants.ACTION_KILLAS);
        projectNodeActions = Arrays.asList("read", ACLConstants.ACTION_RUN);
        // Project resources: type -> action names.
        projResActionsByType = new HashMap();
        projResActionsByType.put("job", projectJobActions);
        projResActionsByType.put("adhoc", projectAdhocActions);
        projResActionsByType.put("node", projectNodeActions);
        // Project resources: type -> attribute names.
        projResAttrsByType = new HashMap();
        projResAttrsByType.put("job", Arrays.asList(YamlParsePolicy.GROUP_KEY, "name", "uuid"));
        projResAttrsByType.put("adhoc", new ArrayList());
        // NOTE(review): the last entry is a human-readable placeholder, not an attribute
        // name, so this list looks intended for display rather than strict validation -
        // confirm against the callers.
        projResAttrsByType.put("node", Arrays.asList("nodename", "rundeck_server", "username", "hostname", "osFamily", "osVersion", "(etc. any node attribute)"));
        // Project resource kinds: type -> action names.
        projectNodeKindActions = Arrays.asList("read", "create", "update", ACLConstants.ACTION_REFRESH);
        projectEventKindActions = Arrays.asList("read", "create");
        projKindActionsByType = new HashMap();
        projKindActionsByType.put("job", projectJobKindActions);
        projKindActionsByType.put("node", projectNodeKindActions);
        projKindActionsByType.put(ACLConstants.TYPE_EVENT, projectEventKindActions);
    }
}
