package org.geoserver.security;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.acegisecurity.Authentication;
import org.geoserver.catalog.Catalog;
import org.geoserver.catalog.LayerInfo;
import org.geoserver.catalog.ResourceInfo;
import org.geoserver.catalog.WorkspaceInfo;
import org.geoserver.security.DataAccessManager;
import org.geotools.util.logging.Logging;
import org.vfny.geoserver.global.GeoserverDataDirectory;

/* loaded from: input_file:org/geoserver/security/DefaultDataAccessManager.class */
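/**
 * {@link DataAccessManager} that answers access checks from a tree of {@link SecureTreeNode}s
 * built out of {@code [namespace].[layer].[mode]=[role]+} rules.
 *
 * <p>Rules come either from a {@link Properties} object handed to the package-private
 * constructor, or from {@code layers.properties} in the {@code security} configuration
 * directory, which is re-read through a {@link PropertyFileWatcher} when it goes stale.
 *
 * <p>NOTE(review): {@code root} and {@code mode} are reassigned from {@link #checkPropertyFile()}
 * without any synchronization visible in this class; confirm the threading model of the callers.
 */
public class DefaultDataAccessManager implements DataAccessManager {
    static final Logger LOGGER = Logging.getLogger(DataAccessManager.class);

    // Root of the rule tree; replaced wholesale whenever the rules are reloaded.
    SecureTreeNode root;
    // Used only to warn about rules naming unknown workspaces or layers.
    Catalog catalog;
    // Null when no layers.properties file was found at construction time.
    PropertyFileWatcher watcher;
    // The rule file backing the watcher; null when the security directory is missing.
    File layers;
    // Catalog mode; overwritten by a "mode" entry while the rule tree is being built.
    DataAccessManager.CatalogMode mode = DataAccessManager.CatalogMode.HIDE;

    /**
     * Builds the manager from an in-memory rule set; no file is watched.
     *
     * @param catalog catalog used to validate workspace and layer names found in the rules
     * @param properties the rules, plus an optional {@code mode} entry
     */
    DefaultDataAccessManager(Catalog catalog, Properties properties) {
        this.catalog = catalog;
        this.root = buildAuthorizationTree(properties);
    }

    /**
     * Builds the manager from {@code security/layers.properties} in the data directory.
     *
     * <p>When the {@code security} directory or the rule file is missing, the tree is a bare
     * {@code new SecureTreeNode()} and nothing is watched afterwards.
     * NOTE(review): what an empty tree grants is decided by SecureTreeNode, which is not visible
     * here; confirm it is the intended default for an installation without a rule file.
     *
     * @param catalog catalog used to validate workspace and layer names found in the rules
     * @throws Exception if locating the configuration directory or reading the rules fails
     */
    public DefaultDataAccessManager(Catalog catalog) throws Exception {
        this.catalog = catalog;
        File securityDir = GeoserverDataDirectory.findConfigDir(GeoserverDataDirectory.getGeoserverDataDirectory(), "security");
        if (securityDir == null || !securityDir.exists()) {
            this.root = new SecureTreeNode();
            return;
        }
        this.layers = new File(securityDir, "layers.properties");
        if (this.layers.exists()) {
            this.watcher = new PropertyFileWatcher(this.layers);
            this.root = buildAuthorizationTree(this.watcher.getProperties());
        } else {
            this.root = new SecureTreeNode();
        }
    }

    /**
     * Rebuilds the rule tree when the watched file has changed.
     *
     * <p>A failed reload is logged at SEVERE and the previous tree stays in force, so a broken
     * edit of the rule file does not drop the existing rules.
     */
    void checkPropertyFile() {
        try {
            if (this.watcher != null && this.watcher.isStale()) {
                this.root = buildAuthorizationTree(this.watcher.getProperties());
            }
        } catch (Exception e) {
            LOGGER.log(Level.SEVERE, "Failed to reload data access rules from " + this.layers + ", keeping old rules", e);
        }
    }

    /** Returns the catalog mode currently in force ({@code HIDE} unless a rule set changed it). */
    @Override
    public DataAccessManager.CatalogMode getMode() {
        return this.mode;
    }

    /**
     * Checks access to a workspace against the deepest rule node matching its name.
     *
     * @param authentication the caller's authentication
     * @param workspaceInfo the workspace being accessed
     * @param accessMode the kind of access requested
     * @return the decision of the matching rule node
     */
    @Override
    public boolean canAccess(Authentication authentication, WorkspaceInfo workspaceInfo, AccessMode accessMode) {
        checkPropertyFile();
        String[] path = {workspaceInfo.getName()};
        return this.root.getDeepestNode(path).canAccess(authentication, accessMode);
    }

    /**
     * Checks access to a layer by delegating to the check on its resource.
     *
     * @param authentication the caller's authentication
     * @param layerInfo the layer being accessed
     * @param accessMode the kind of access requested
     * @return the decision for the layer's resource, or {@code true} if the layer has none
     */
    @Override
    public boolean canAccess(Authentication authentication, LayerInfo layerInfo, AccessMode accessMode) {
        checkPropertyFile();
        if (layerInfo.getResource() != null) {
            return canAccess(authentication, layerInfo.getResource(), accessMode);
        }
        // NOTE(review): fail-open by design of the original code. A layer without a resource is
        // granted to every caller and only logged at FINE, so it will not show up in normal logs.
        LOGGER.log(Level.FINE, "Layer " + layerInfo + " has no attached resource, assuming it's possible to access it");
        return true;
    }

    /**
     * Checks access to a resource against the deepest rule node matching
     * {@code workspace/resource}.
     *
     * @param authentication the caller's authentication
     * @param resourceInfo the resource being accessed
     * @param accessMode the kind of access requested
     * @return the decision of the matching rule node, or {@code true} if the workspace of the
     *     resource cannot be determined
     */
    @Override
    public boolean canAccess(Authentication authentication, ResourceInfo resourceInfo, AccessMode accessMode) {
        checkPropertyFile();
        String workspaceName;
        try {
            workspaceName = resourceInfo.getStore().getWorkspace().getName();
        } catch (Exception e) {
            // NOTE(review): fail-open. A resource whose store or workspace cannot be resolved is
            // granted to every caller. The original behaviour is kept for this case only; the
            // cause is now attached to the log record so it can be investigated.
            LOGGER.log(Level.FINE, "Errors occurred trying to gather workspace of resource " + resourceInfo.getName(), e);
            return true;
        }
        // The rule evaluation is deliberately outside the try block: an unexpected failure while
        // walking the tree or evaluating the node must not be turned into a grant.
        String[] path = {workspaceName, resourceInfo.getName()};
        return this.root.getDeepestNode(path).canAccess(authentication, accessMode);
    }

    /**
     * Loads the given properties file and builds the rule tree from it.
     *
     * @param file the rule file to read
     * @return the root of the new rule tree
     * @throws FileNotFoundException if the file cannot be opened
     * @throws IOException if the file cannot be read
     */
    private SecureTreeNode buildAuthorizationTree(File file) throws IOException, FileNotFoundException {
        Properties properties = new Properties();
        FileInputStream in = new FileInputStream(file);
        try {
            properties.load(in);
        } finally {
            // Properties.load does not close the stream; release the file handle in every case.
            in.close();
        }
        return buildAuthorizationTree(properties);
    }

    /**
     * Builds a rule tree from {@code [namespace].[layer].[mode]=[role]+} entries.
     *
     * <p>Side effect: a {@code mode} entry updates {@link #mode} on this instance while the tree
     * is being built. Malformed rules are reported at WARNING and skipped; they never end up on
     * a node. A skipped rule leaves its target governed by whatever other rules apply, so the
     * warnings emitted here are worth monitoring.
     *
     * @param properties the rules, plus an optional {@code mode} entry
     * @return the root of the new rule tree
     */
    SecureTreeNode buildAuthorizationTree(Properties properties) {
        SecureTreeNode newRoot = new SecureTreeNode();
        for (Map.Entry<Object, Object> entry : properties.entrySet()) {
            String ruleKey = (String) entry.getKey();
            String ruleValue = (String) entry.getValue();
            String rule = ruleKey + "=" + ruleValue;

            if ("mode".equalsIgnoreCase(ruleKey)) {
                try {
                    // Fixed locale: the default-locale upper-casing breaks enum lookup under
                    // locales with special case mappings (for example Turkish dotted I).
                    this.mode = DataAccessManager.CatalogMode.valueOf(ruleValue.trim().toUpperCase(java.util.Locale.ENGLISH));
                } catch (IllegalArgumentException e) {
                    LOGGER.warning("Invalid security mode " + ruleValue + " acceptable values are " + Arrays.asList(DataAccessManager.CatalogMode.values()));
                }
                continue;
            }

            // Validate the shape of the key before indexing into it, and really skip the rule.
            String[] elements = parseElements(ruleKey);
            if (elements.length != 3) {
                LOGGER.warning("Invalid rule '" + rule + "', the standard form is [namespace].[layer].[mode]=[role]+ Rule has been ignored");
                continue;
            }
            String workspaceName = elements[0];
            String layerName = elements[1];
            String modeAlias = elements[2];
            Set<String> roles = parseRoles(ruleValue);

            // Unknown names are only reported: the rule is still stored under the name as given.
            if (!"*".equals(workspaceName) && this.catalog.getWorkspace(workspaceName) == null) {
                LOGGER.warning("Namespace/Workspace " + workspaceName + " is unknown in rule " + rule);
            }
            if (!"*".equals(layerName) && this.catalog.getLayer(layerName) == null) {
                LOGGER.warning("Layer " + layerName + " is unknown in rule " + rule);
            }

            AccessMode accessMode = AccessMode.getByAlias(modeAlias);
            if (accessMode == null) {
                LOGGER.warning("Unknown access mode " + modeAlias + " in " + entry.getKey() + ", skipping rule " + rule);
                continue;
            }

            SecureTreeNode target;
            if ("*".equals(workspaceName)) {
                if (!"*".equals(layerName)) {
                    // Skip for real: without this the roles would be written to a node chosen by
                    // an earlier rule, or to no node at all.
                    LOGGER.warning("Invalid rule " + entry.getKey() + " when namespace is * then also layer must be *. Skipping rule " + rule);
                    continue;
                }
                target = newRoot;
            } else {
                SecureTreeNode workspaceNode = getOrAddChild(newRoot, workspaceName);
                target = "*".equals(layerName) ? workspaceNode : getOrAddChild(workspaceNode, layerName);
            }

            if (target.getAuthorizedRoles(accessMode) != null && target.getAuthorizedRoles(accessMode).size() > 0) {
                LOGGER.warning("Rule " + rule + " is overriding another rule targetting the same resource");
            }
            target.setAuthorizedRoles(accessMode, roles);
        }
        return newRoot;
    }

    /** Returns the child of {@code parent} called {@code name}, creating it when absent. */
    private static SecureTreeNode getOrAddChild(SecureTreeNode parent, String name) {
        SecureTreeNode child = parent.getChild(name);
        return child != null ? child : parent.addChild(name);
    }

    /**
     * Splits a role list on whitespace and commas.
     *
     * @param str the right-hand side of a rule
     * @return the singleton {@code "*"} set if any token is {@code "*"}, otherwise the set of
     *     tokens exactly as split (a leading separator yields an empty-string token)
     */
    Set<String> parseRoles(String str) {
        Set<String> roles = new HashSet<String>(Arrays.asList(str.split("[\\s,]+")));
        // A wildcard anywhere in the list makes the other roles irrelevant.
        if (roles.contains("*")) {
            return Collections.singleton("*");
        }
        return roles;
    }

    /**
     * Splits a rule key on dots, tolerating whitespace around the dots and around the key.
     *
     * @param str the left-hand side of a rule
     * @return the dot-separated elements; callers must check the length before indexing
     */
    private String[] parseElements(String str) {
        return str.trim().split("\\s*\\.\\s*");
    }
}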
