package com.hazelcast.security.impl;

import com.hazelcast.config.Config;
import com.hazelcast.config.ConfigPatternMatcher;
import com.hazelcast.config.PermissionConfig;
import com.hazelcast.core.HazelcastException;
import com.hazelcast.logging.ILogger;
import com.hazelcast.logging.Logger;
import com.hazelcast.ringbuffer.impl.RingbufferService;
import com.hazelcast.security.ClusterEndpointPrincipal;
import com.hazelcast.security.ClusterRolePrincipal;
import com.hazelcast.security.IPermissionPolicy;
import com.hazelcast.security.permission.ActionConstants;
import com.hazelcast.security.permission.AllPermissions;
import com.hazelcast.security.permission.ClusterPermission;
import com.hazelcast.security.permission.ClusterPermissionCollection;
import com.hazelcast.security.permission.DenyAllPermissionCollection;
import java.security.Permission;
import java.security.PermissionCollection;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.Properties;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.logging.Level;
import javax.security.auth.Subject;

/* loaded from: input_file:WEB-INF/lib/hazelcast-jet-enterprise-4.3.jar:com/hazelcast/security/impl/DefaultPermissionPolicy.class */
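/**
 * Permission policy that resolves a {@link Subject}'s permissions from the client
 * {@link PermissionConfig} entries of the member configuration.
 *
 * <p>Configured permissions are indexed by (principal pattern, endpoint pattern) in
 * {@link #configPermissions}. The effective permissions of a concrete (role, endpoint) pair are
 * computed on first use and cached in {@link #principalPermissions} until
 * {@link #refreshPermissions(Set)} or {@link #destroy()} clears the cache.
 *
 * <p>Authorization defaults visible in this class:
 * <ul>
 *   <li>a subject without any {@link ClusterRolePrincipal} is denied everything;</li>
 *   <li>a permission config without a principal applies to every principal ({@code "*"});</li>
 *   <li>a permission config without endpoints applies to every endpoint ({@code "*.*.*.*"});</li>
 *   <li>a single {@link AllPermissions} grant on any of the subject's roles yields allow-all.</li>
 * </ul>
 */
public class DefaultPermissionPolicy implements IPermissionPolicy {
    private static final String REGEX_ANY_PRINCIPAL = "*";
    private static final String PRINCIPAL_STRING_SEP = ",";
    // Configured permissions keyed by (principal pattern, endpoint pattern).
    final ConcurrentMap<PrincipalKey, PermissionCollection> configPermissions = new ConcurrentHashMap<>();
    // Resolved permissions cache keyed by getRoleEndpointKey(role, endpoint).
    final ConcurrentMap<String, PrincipalPermissionsHolder> principalPermissions = new ConcurrentHashMap<>();
    // Guards a reload of configPermissions against a concurrent scan in ensurePrincipalPermissions.
    final Object configUpdateMutex = new Object();
    volatile ConfigPatternMatcher configPatternMatcher;
    private static final ILogger LOGGER = Logger.getLogger(DefaultPermissionPolicy.class.getName());
    private static final PermissionCollection DENY_ALL = new DenyAllPermissionCollection();
    private static final PermissionCollection ALLOW_ALL = new AllPermissions.AllPermissionsCollection(true);
    private static final String REGEX_ANY_ENDPOINT = "*.*.*.*";
    private static final Collection<String> ALL_ENDPOINTS = Collections.singleton(REGEX_ANY_ENDPOINT);

    /**
     * Map key pairing a configured principal pattern with a configured endpoint pattern.
     *
     * <p>Declared private in the original class file; the decompiler widened the access modifier.
     */
    /* loaded from: input_file:WEB-INF/lib/hazelcast-jet-enterprise-4.3.jar:com/hazelcast/security/impl/DefaultPermissionPolicy$PrincipalKey.class */
    public static class PrincipalKey {
        final String principal;
        final String endpoint;

        PrincipalKey(String principal, String endpoint) {
            this.principal = principal;
            this.endpoint = endpoint;
        }

        @Override
        public int hashCode() {
            // Same value as the hand-rolled 31-based hash over (endpoint, principal).
            return Objects.hash(this.endpoint, this.principal);
        }

        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            PrincipalKey other = (PrincipalKey) obj;
            return Objects.equals(this.endpoint, other.endpoint) && Objects.equals(this.principal, other.principal);
        }
    }

    /**
     * Cached, resolved permissions of one (role, endpoint) pair.
     *
     * <p>Readers must wait on this object until {@link #prepared} is true before reading the other
     * fields. {@link #hasAllPermissions} is not volatile: it is written before the volatile write
     * to {@code prepared} and read only after {@code prepared} has been observed true.
     *
     * <p>Declared private in the original class file; the decompiler widened the access modifier.
     */
    /* loaded from: input_file:WEB-INF/lib/hazelcast-jet-enterprise-4.3.jar:com/hazelcast/security/impl/DefaultPermissionPolicy$PrincipalPermissionsHolder.class */
    public static class PrincipalPermissionsHolder {
        volatile boolean prepared;
        boolean hasAllPermissions;
        final ConcurrentMap<Class<? extends Permission>, PermissionCollection> permissions;

        private PrincipalPermissionsHolder() {
            this.permissions = new ConcurrentHashMap<>();
        }
    }

    /**
     * Initializes the policy from the member configuration.
     *
     * @param config     member configuration; supplies the pattern matcher and the client
     *                   permission configs
     * @param properties not read by this implementation
     */
    @Override // com.hazelcast.security.IPermissionPolicy
    public void configure(Config config, Properties properties) {
        LOGGER.log(Level.FINEST, "Configuring and initializing policy.");
        this.configPatternMatcher = config.getConfigPatternMatcher();
        // NOTE(review): unlike refreshPermissions, this load runs without configUpdateMutex;
        // presumably configure() completes before the policy is queried. Confirm against callers.
        loadPermissionConfig(config.getSecurityConfig().getClientPermissionConfigs());
    }

    /**
     * Indexes the given permission configs (plus the ring buffer permissions implied by reliable
     * topic permissions) into {@link #configPermissions}.
     *
     * <p>The principal string is split on {@code ","} without trimming, so surrounding whitespace
     * becomes part of the principal pattern. A null principal is stored as {@code "*"} and an empty
     * endpoint set as {@code "*.*.*.*"}; both widen the grant to every principal or endpoint.
     *
     * @param configs permission configs to load
     */
    private void loadPermissionConfig(Set<PermissionConfig> configs) {
        Set<PermissionConfig> allConfigs = new HashSet<>(configs);
        allConfigs.addAll(createImpliedRingBufferPermissionConfigs(configs));
        for (PermissionConfig permissionConfig : allConfigs) {
            ClusterPermission permission = SecurityUtil.createPermission(permissionConfig);
            String principalSpec = permissionConfig.getPrincipal();
            String[] principals = principalSpec != null
                    ? principalSpec.split(PRINCIPAL_STRING_SEP)
                    : new String[]{REGEX_ANY_PRINCIPAL};
            Collection<String> endpoints = permissionConfig.getEndpoints();
            if (endpoints.isEmpty()) {
                endpoints = ALL_ENDPOINTS;
            }
            for (String endpoint : endpoints) {
                for (String principal : principals) {
                    PrincipalKey key = new PrincipalKey(principal, endpoint);
                    PermissionCollection collection = this.configPermissions.get(key);
                    if (collection == null) {
                        collection = new ClusterPermissionCollection();
                        this.configPermissions.put(key, collection);
                    }
                    collection.add(permission);
                }
            }
        }
    }

    /**
     * Derives, for every reliable topic permission, a ring buffer permission on the ring buffer
     * named {@code RingbufferService.TOPIC_RB_PREFIX + topicName}.
     *
     * <p>Action mapping: create and destroy are kept, publish becomes put, listen becomes read;
     * any other action is dropped.
     *
     * @param configs configured permissions
     * @return the derived ring buffer permission configs; empty if there is no reliable topic config
     */
    private Set<PermissionConfig> createImpliedRingBufferPermissionConfigs(Set<PermissionConfig> configs) {
        Set<PermissionConfig> implied = new HashSet<>();
        for (PermissionConfig topicConfig : configs) {
            if (topicConfig.getType().equals(PermissionConfig.PermissionType.RELIABLE_TOPIC)) {
                PermissionConfig ringBufferConfig = new PermissionConfig();
                ringBufferConfig.setName(RingbufferService.TOPIC_RB_PREFIX + topicConfig.getName());
                ringBufferConfig.setType(PermissionConfig.PermissionType.RING_BUFFER);
                // Scope the derived grant to the same principal(s) as the topic grant. Without this
                // the derived config keeps PermissionConfig's default principal, and
                // loadPermissionConfig treats a null principal as "any principal".
                ringBufferConfig.setPrincipal(topicConfig.getPrincipal());
                ringBufferConfig.setEndpoints(topicConfig.getEndpoints());
                Set<String> ringBufferActions = new HashSet<>();
                for (String action : topicConfig.getActions()) {
                    if (ActionConstants.ACTION_CREATE.equals(action)) {
                        ringBufferActions.add(action);
                    } else if (ActionConstants.ACTION_DESTROY.equals(action)) {
                        ringBufferActions.add(action);
                    } else if (ActionConstants.ACTION_PUBLISH.equals(action)) {
                        ringBufferActions.add(ActionConstants.ACTION_PUT);
                    } else if (ActionConstants.ACTION_LISTEN.equals(action)) {
                        ringBufferActions.add(ActionConstants.ACTION_READ);
                    }
                }
                ringBufferConfig.setActions(ringBufferActions);
                implied.add(ringBufferConfig);
            }
        }
        return implied;
    }

    /**
     * Returns the permissions of the given permission class that apply to the subject.
     *
     * <p>Only the first {@link ClusterEndpointPrincipal} of the subject is used as the endpoint;
     * without one, only configs for the any-endpoint pattern can match.
     *
     * @param subject authenticated subject
     * @param cls     permission class being checked
     * @return deny-all if the subject has no role principal, allow-all if any role holds
     *         {@link AllPermissions}, otherwise the union of the roles' permissions of type
     *         {@code cls}
     * @throws HazelcastException if the thread is interrupted while another thread is still
     *                            preparing a role's permissions
     */
    @Override // com.hazelcast.security.IPermissionPolicy
    public PermissionCollection getPermissions(Subject subject, Class<? extends Permission> cls) {
        Set<ClusterRolePrincipal> roles = subject.getPrincipals(ClusterRolePrincipal.class);
        Set<ClusterEndpointPrincipal> endpointPrincipals = subject.getPrincipals(ClusterEndpointPrincipal.class);
        if (roles.isEmpty()) {
            return DENY_ALL;
        }
        Iterator<ClusterEndpointPrincipal> endpointIterator = endpointPrincipals.iterator();
        String endpoint = endpointIterator.hasNext() ? endpointIterator.next().getName() : null;
        ClusterPermissionCollection result = new ClusterPermissionCollection(cls);
        for (ClusterRolePrincipal role : roles) {
            PrincipalPermissionsHolder holder;
            // Retry: a concurrent refreshPermissions()/destroy() may clear the cache between the
            // ensure call and the lookup.
            do {
                ensurePrincipalPermissions(role, endpoint);
                holder = this.principalPermissions.get(getRoleEndpointKey(role.getName(), endpoint));
            } while (holder == null);
            if (!holder.prepared) {
                try {
                    synchronized (holder) {
                        while (!holder.prepared) {
                            holder.wait();
                        }
                    }
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                    // Keep the cause so the interruption stays visible in the stack trace.
                    throw new HazelcastException(
                            "Interrupted while waiting for the permissions holder to get prepared", e);
                }
            }
            if (holder.hasAllPermissions) {
                return ALLOW_ALL;
            }
            PermissionCollection rolePermissions = holder.permissions.get(cls);
            if (rolePermissions == null) {
                // Remember that this role has nothing of this type.
                holder.permissions.putIfAbsent(cls, DENY_ALL);
            } else if (rolePermissions != DENY_ALL) {
                result.add(rolePermissions);
            }
        }
        return result;
    }

    /**
     * Replaces the configured permissions and drops every cached resolution.
     *
     * @param set new permission configs
     */
    @Override // com.hazelcast.security.IPermissionPolicy
    public void refreshPermissions(Set<PermissionConfig> set) {
        synchronized (this.configUpdateMutex) {
            this.configPermissions.clear();
            loadPermissionConfig(set);
            // Cleared last so holders resolved against the old config are discarded.
            this.principalPermissions.clear();
        }
    }

    /**
     * Resolves and caches the permissions of a (role, endpoint) pair unless a holder for it is
     * already cached or being prepared by another thread.
     *
     * <p>The holder is always marked prepared, also when resolution fails, so waiting readers are
     * released. After a failure the holder stays cached with whatever was collected so far;
     * {@code hasAllPermissions} is set only on an explicit {@link AllPermissions} grant, so a
     * failed resolution cannot produce allow-all. The entry persists until the cache is cleared.
     *
     * @param clusterRolePrincipal role to resolve; null is ignored
     * @param endpoint             endpoint name, or null when the subject has none
     */
    private void ensurePrincipalPermissions(ClusterRolePrincipal clusterRolePrincipal, String endpoint) {
        if (clusterRolePrincipal == null) {
            return;
        }
        String roleName = clusterRolePrincipal.getName();
        String cacheKey = getRoleEndpointKey(roleName, endpoint);
        if (this.principalPermissions.containsKey(cacheKey)) {
            return;
        }
        PrincipalPermissionsHolder holder = new PrincipalPermissionsHolder();
        if (this.principalPermissions.putIfAbsent(cacheKey, holder) != null) {
            // Another thread won the race and owns the preparation.
            return;
        }
        try {
            LOGGER.log(Level.FINEST, "Preparing permissions for: " + cacheKey);
            ClusterPermissionCollection matched = new ClusterPermissionCollection();
            synchronized (this.configUpdateMutex) {
                for (Map.Entry<PrincipalKey, PermissionCollection> entry : this.configPermissions.entrySet()) {
                    PrincipalKey key = entry.getKey();
                    if (nameMatches(roleName, key.principal) && endpointMatches(endpoint, key.endpoint)) {
                        matched.add(entry.getValue());
                    }
                }
            }
            for (Permission permission : matched.getPermissions()) {
                if (permission instanceof AllPermissions) {
                    holder.permissions.clear();
                    holder.hasAllPermissions = true;
                    LOGGER.log(Level.FINEST, "Granted all-permissions to: " + cacheKey);
                    return;
                }
                Class<? extends Permission> type = permission.getClass();
                ClusterPermissionCollection typed = (ClusterPermissionCollection) holder.permissions.get(type);
                if (typed == null) {
                    typed = new ClusterPermissionCollection(type);
                    holder.permissions.put(type, typed);
                }
                typed.add(permission);
            }
            LOGGER.log(Level.FINEST, "Compacting permissions for: " + cacheKey);
            for (PermissionCollection collection : holder.permissions.values()) {
                ((ClusterPermissionCollection) collection).compact();
            }
        } finally {
            // Runs on every exit path (all-permissions return, normal completion, exception).
            synchronized (holder) {
                holder.prepared = true;
                holder.notifyAll();
            }
        }
    }

    /**
     * Tells whether a subject endpoint matches a configured endpoint pattern. A subject without an
     * endpoint matches only the any-endpoint pattern.
     */
    private boolean endpointMatches(String endpoint, String endpointPattern) {
        return endpoint == null
                ? REGEX_ANY_ENDPOINT.equals(endpointPattern)
                : SecurityUtil.addressMatches(endpoint, endpointPattern);
    }

    /**
     * Tells whether a role name matches a configured principal pattern: a null name matches only
     * {@code "*"}, otherwise exact equality or a match by the configured pattern matcher.
     */
    private boolean nameMatches(String name, String principalPattern) {
        if (name == null) {
            return REGEX_ANY_PRINCIPAL.equals(principalPattern);
        }
        if (name.equals(principalPattern)) {
            return true;
        }
        return this.configPatternMatcher.matches(Collections.singleton(principalPattern), name) != null;
    }

    /** Drops all cached and configured permissions. */
    @Override // com.hazelcast.security.IPermissionPolicy
    public void destroy() {
        this.principalPermissions.clear();
        this.configPermissions.clear();
    }

    /**
     * Builds the cache key {@code role@endpoint}; a null endpoint is rendered as the empty string.
     */
    private static String getRoleEndpointKey(String role, String endpoint) {
        // NOTE(review): plain concatenation; the key is unambiguous only while endpoint names
        // never contain '@'. Confirm what ClusterEndpointPrincipal names can hold.
        return role + "@" + (endpoint != null ? endpoint : "");
    }
}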
