package org.sonatype.nexus.proxy.access;

import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import org.apache.shiro.subject.Subject;
import org.codehaus.plexus.component.annotations.Component;
import org.codehaus.plexus.component.annotations.Requirement;
import org.sonatype.nexus.logging.AbstractLoggingComponent;
import org.sonatype.nexus.proxy.NoSuchRepositoryException;
import org.sonatype.nexus.proxy.ResourceStoreRequest;
import org.sonatype.nexus.proxy.registry.RepositoryRegistry;
import org.sonatype.nexus.proxy.repository.Repository;
import org.sonatype.nexus.proxy.targets.TargetMatch;
import org.sonatype.nexus.proxy.targets.TargetSet;
import org.sonatype.security.SecuritySystem;

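/**
 * Default {@link NexusItemAuthorizer}. Resolves the repository targets that match a request
 * (including targets contributed by every group the repository belongs to), turns them into
 * {@code nexus:target:<targetId>:<repositoryId>:<action>} permission strings and checks those
 * against the current Shiro {@link Subject}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>When security is disabled every permission check succeeds.</li>
 *   <li>A target set with no matched repository is authorized without consulting the subject.</li>
 *   <li>A list of permissions is satisfied as soon as the subject holds <em>any one</em> of them.</li>
 * </ul>
 */
@Component(role = NexusItemAuthorizer.class)
/* loaded from: input_file:org/sonatype/nexus/proxy/access/DefaultNexusItemAuthorizer.class */
public class DefaultNexusItemAuthorizer extends AbstractLoggingComponent implements NexusItemAuthorizer {

    @Requirement
    private SecuritySystem securitySystem;

    @Requirement
    private RepositoryRegistry repoRegistry;

    /**
     * Authorizes {@code action} on the path described by the request within {@code repository}.
     *
     * @param repository the repository the request is addressed to
     * @param resourceStoreRequest the request whose path is matched against targets
     * @param action the action being attempted
     * @return the result of {@link #authorizePath(TargetSet, Action)} on the combined targets of
     *         the repository and of all groups that contain it
     */
    @Override
    public boolean authorizePath(Repository repository, ResourceStoreRequest resourceStoreRequest, Action action) {
        TargetSet matched = repository.getTargetsForRequest(resourceStoreRequest);
        if (matched == null) {
            // The repository may report "no targets" as null; treat that as an empty set.
            matched = new TargetSet();
        }
        matched.addTargetSet(getGroupsTargetSet(repository, resourceStoreRequest));
        return authorizePath(matched, action);
    }

    /**
     * Checks a single, already formatted permission string.
     *
     * @param str the permission string to check
     * @return {@code true} if {@link #isPermitted(List)} accepts it
     */
    @Override
    public boolean authorizePermission(String str) {
        return isPermitted(Collections.singletonList(str));
    }

    /**
     * Collects the targets matched by the request in every group that contains
     * {@code repository}, following group-of-group membership recursively.
     *
     * @param repository the repository whose containing groups are inspected
     * @param resourceStoreRequest the request matched against each group's targets
     * @return a new target set holding the groups' matches; never {@code null}
     */
    @Override
    public TargetSet getGroupsTargetSet(Repository repository, ResourceStoreRequest resourceStoreRequest) {
        TargetSet combined = new TargetSet();
        for (Repository group : getListOfGroups(repository.getId())) {
            // NOTE(review): getTargetsForRequest can return null (see authorizePath above);
            // this relies on addTargetSet tolerating a null argument - confirm.
            combined.addTargetSet(group.getTargetsForRequest(resourceStoreRequest));
            // NOTE(review): the recursion keeps no visited set, so it terminates only if the
            // registry never reports cyclic group membership - confirm that invariant.
            combined.addTargetSet(getGroupsTargetSet(group, resourceStoreRequest));
        }
        return combined;
    }

    /**
     * Authorizes {@code action} against an already resolved target set.
     *
     * @param targetSet the targets matched by the request
     * @param action the action being attempted
     * @return {@code true} if no repository was matched, otherwise the result of checking the
     *         derived target permissions with {@link #isPermitted(List)}
     */
    @Override
    public boolean authorizePath(TargetSet targetSet, Action action) {
        if (targetSet.getMatchedRepositoryIds().isEmpty()) {
            // Fail-open branch: a path that matches no repository target is allowed without any
            // permission check. NOTE(review): access to such paths is therefore governed only by
            // target coverage - confirm this is the intended policy for unmatched paths.
            return true;
        }
        return isPermitted(getTargetPerms(targetSet, action));
    }

    /**
     * Checks the {@code nexus:view:<str>:<str2>} permission.
     *
     * @param str first segment after {@code nexus:view} (presumably the object type - verify
     *        against the interface)
     * @param str2 second segment after {@code nexus:view} (presumably the object id - verify
     *        against the interface)
     * @return {@code true} if the permission is granted
     */
    @Override
    public boolean isViewable(String str, String str2) {
        // NOTE(review): both values are concatenated unescaped. If permissions are evaluated as
        // Shiro wildcard permissions, ':' '*' and ',' inside either value change the shape of the
        // checked permission - callers should pass only vetted identifiers.
        return authorizePermission("nexus:view:" + str + ":" + str2);
    }

    /**
     * Resolves the groups that contain the given repository.
     *
     * @param str the repository id
     * @return the group repositories that could be looked up; group ids the registry no longer
     *         knows are skipped
     */
    protected List<Repository> getListOfGroups(String str) {
        List<Repository> groups = new ArrayList<Repository>();
        for (String groupId : this.repoRegistry.getGroupsOfRepository(str)) {
            try {
                groups.add(this.repoRegistry.getRepository(groupId));
            } catch (NoSuchRepositoryException e) {
                // Best effort: a group id that cannot be resolved contributes no targets. Leave a
                // trail, because a silently skipped group also means its targets are not checked.
                getLogger().debug("Group '{}' of repository '{}' is not in the registry; skipping", groupId, str);
            }
        }
        return groups;
    }

    /**
     * Builds one permission string per target match.
     *
     * @param targetSet the matches to convert
     * @param action the action; its string form becomes the last permission segment
     * @return permissions of the form {@code nexus:target:<targetId>:<repositoryId>:<action>}
     */
    protected List<String> getTargetPerms(TargetSet targetSet, Action action) {
        List<String> perms = new ArrayList<String>(targetSet.getMatches().size());
        for (TargetMatch match : targetSet.getMatches()) {
            perms.add("nexus:target:" + match.getTarget().getId() + ":" + match.getRepository().getId() + ":" + action);
        }
        return perms;
    }

    /**
     * Decides whether the current subject holds at least one of the given permissions.
     *
     * @param list the candidate permission strings; holding any single one is sufficient
     * @return {@code true} if security is disabled or the subject holds one of the permissions;
     *         {@code false} if there is no subject or none of the permissions is held (which
     *         includes an empty list)
     */
    protected boolean isPermitted(List<String> list) {
        if (!this.securitySystem.isSecurityEnabled()) {
            // Security switched off: every request is authorized.
            return true;
        }
        // Evaluated once so the trace output stays consistent for the whole check.
        final boolean trace = getLogger().isTraceEnabled();
        Subject subject = this.securitySystem.getSubject();
        if (trace) {
            getLogger().trace("Subject: {}", subject);
        }
        if (subject == null) {
            if (trace) {
                getLogger().trace("Subject is not authenticated; rejecting");
            }
            return false;
        }
        if (trace) {
            getLogger().trace("Checking if subject '{}' has one of these permissions: {}", subject.getPrincipal(), list);
        }
        for (String permission : list) {
            if (subject.isPermitted(permission)) {
                if (trace) {
                    getLogger().trace("Subject '{}' has permission: {}; allowing", subject.getPrincipal(), permission);
                }
                return true;
            }
        }
        if (trace) {
            getLogger().trace("Subject '{}' is missing required permissions; rejecting", subject.getPrincipal());
        }
        return false;
    }
}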
