package org.sakaiproject.authz.impl;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Observable;
import java.util.Observer;
import java.util.Set;
import java.util.Stack;
import java.util.Vector;
import java.util.stream.Collectors;
import net.sf.ehcache.Ehcache;
import net.sf.ehcache.Element;
import org.apache.commons.lang3.StringUtils;
import org.sakaiproject.authz.api.AuthzGroup;
import org.sakaiproject.authz.api.AuthzGroupService;
import org.sakaiproject.authz.api.FunctionManager;
import org.sakaiproject.authz.api.GroupNotDefinedException;
import org.sakaiproject.authz.api.Member;
import org.sakaiproject.authz.api.Role;
import org.sakaiproject.authz.api.SecurityAdvisor;
import org.sakaiproject.authz.api.SecurityService;
import org.sakaiproject.component.api.ServerConfigurationService;
import org.sakaiproject.component.cover.ComponentManager;
import org.sakaiproject.content.impl.BaseContentService;
import org.sakaiproject.entity.api.EntityManager;
import org.sakaiproject.entity.api.Reference;
import org.sakaiproject.event.api.Event;
import org.sakaiproject.event.api.EventTrackingService;
import org.sakaiproject.exception.IdUnusedException;
import org.sakaiproject.exception.IllegalSecurityAdvisorException;
import org.sakaiproject.memory.api.Cache;
import org.sakaiproject.memory.api.MemoryService;
import org.sakaiproject.site.api.Site;
import org.sakaiproject.site.api.SiteService;
import org.sakaiproject.thread_local.api.ThreadLocalManager;
import org.sakaiproject.tool.api.SessionManager;
import org.sakaiproject.tool.api.ToolManager;
import org.sakaiproject.user.api.User;
import org.sakaiproject.user.api.UserDirectoryService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/sakaiproject/authz/impl/SakaiSecurity.class */
public abstract class SakaiSecurity implements SecurityService, Observer {
    private static final Logger log = LoggerFactory.getLogger(SakaiSecurity.class);
    protected static final String ADVISOR_STACK = "SakaiSecurity.advisor.stack";
    protected static final String ROLESWAP_PREFIX = "roleswap";
    protected static final String EVENT_ROLESWAP_CLEAR = "realm.clear.cache";
    protected ServerConfigurationService serverConfigurationService;
    HashSet<String> svRoles;
    Cache<String, Boolean> m_superCache;
    Cache<String, Boolean> m_contentCache;
    protected Cache<String, Boolean> m_callCache = null;
    protected int m_cacheMinutes = 3;
    boolean cacheDebug = false;
    boolean cacheDebugDetailed = false;

    protected abstract ThreadLocalManager threadLocalManager();

    protected abstract AuthzGroupService authzGroupService();

    protected abstract UserDirectoryService userDirectoryService();

    protected abstract MemoryService memoryService();

    protected abstract EntityManager entityManager();

    protected abstract SessionManager sessionManager();

    protected abstract EventTrackingService eventTrackingService();

    protected abstract FunctionManager functionManager();

    protected abstract SiteService siteService();

    protected abstract ToolManager toolManager();

    public void setCacheMinutes(String str) {
        this.m_cacheMinutes = Integer.parseInt(str);
    }

    public void init() {
        if (this.serverConfigurationService == null) {
            this.serverConfigurationService = (ServerConfigurationService) ComponentManager.get(ServerConfigurationService.class);
        }
        if (this.m_cacheMinutes > 0) {
            this.cacheDebug = this.serverConfigurationService.getBoolean("memory.SecurityService.debug", false);
            if (this.cacheDebug) {
                log.warn("SecurityService DEBUG logging is enabled... this is very bad for PRODUCTION and should only be used for DEVELOPMENT");
                this.cacheDebugDetailed = this.serverConfigurationService.getBoolean("memory.SecurityService.debugDetails", this.cacheDebugDetailed);
            } else {
                this.cacheDebugDetailed = false;
            }
            String[] split = this.serverConfigurationService.getString("studentview.roles", "").split(",");
            this.svRoles = new HashSet<>();
            for (String str : split) {
                this.svRoles.add(str.trim());
            }
            this.m_callCache = memoryService().getCache("org.sakaiproject.authz.api.SecurityService.cache");
            this.m_superCache = memoryService().getCache("org.sakaiproject.authz.api.SecurityService.superCache");
            this.m_contentCache = memoryService().getCache("org.sakaiproject.authz.api.SecurityService.contentCache");
        }
        eventTrackingService().addObserver(this);
    }

    Boolean getFromCache(String str, boolean z) {
        Boolean bool = null;
        if (this.m_callCache != null) {
            bool = z ? (Boolean) this.m_superCache.get(str) : str.contains("@/content") ? (Boolean) this.m_contentCache.get(str) : (Boolean) this.m_callCache.get(str);
        }
        if (this.cacheDebugDetailed) {
            if (bool != null) {
                log.info("SScache:hit:" + str + ":val=" + bool);
            } else {
                log.info("SScache:MISS:" + str);
            }
        }
        return bool;
    }

    void addToCache(String str, Boolean bool, boolean z) {
        if (this.m_callCache == null || str == null) {
            return;
        }
        if (z) {
            this.m_superCache.put(str, bool);
            if (this.cacheDebugDetailed) {
                log.info("SScache:ADD->super:" + str + "=>" + bool);
                return;
            }
            return;
        }
        if (str.contains("@/content")) {
            this.m_contentCache.put(str, bool);
            if (this.cacheDebugDetailed) {
                log.info("SScache:ADD->content:" + str + "=>" + bool);
                return;
            }
            return;
        }
        this.m_callCache.put(str, bool);
        if (this.cacheDebugDetailed) {
            logCacheState("addToCache(" + str + ", " + bool + ")");
        }
    }

    public boolean notifyRealmChanged(String str, Set<String> set, Set<String> set2) {
        if (this.m_callCache == null || str == null) {
            return false;
        }
        String convertRealmRefToRef = convertRealmRefToRef(str);
        if ("!site.helper".equals(convertRealmRefToRef) || convertRealmRefToRef.startsWith("!user.template")) {
            if (set2 == null || set2.isEmpty()) {
                return false;
            }
            this.m_callCache.clear();
            if (!this.cacheDebug) {
                return true;
            }
            log.info("SScache:changed template:CLEAR:" + convertRealmRefToRef);
            return true;
        }
        if ("/site/!admin".equals(convertRealmRefToRef)) {
            if (this.m_superCache == null) {
                return true;
            }
            this.m_superCache.clear();
            if (!this.cacheDebug) {
                return true;
            }
            log.info("SScache:changed !admin:CLEAR SUPER:" + convertRealmRefToRef);
            return true;
        }
        if (convertRealmRefToRef.startsWith("/content")) {
            this.m_contentCache.clear();
            if (!this.cacheDebug) {
                return true;
            }
            log.info("SScache:changed content:CLEAR CONTENT:" + convertRealmRefToRef);
            return true;
        }
        if (set2 == null || set2.isEmpty()) {
            return false;
        }
        cacheRealmPermsChanged(convertRealmRefToRef, set, set2);
        return true;
    }

    public boolean notifyRealmRemoved(String str) {
        if (this.m_callCache == null || str == null) {
            return false;
        }
        String convertRealmRefToRef = convertRealmRefToRef(str);
        if (!convertRealmRefToRef.startsWith("/content")) {
            cacheRealmPermsChanged(convertRealmRefToRef, null, null);
            return true;
        }
        this.m_contentCache.clear();
        if (!this.cacheDebug) {
            return true;
        }
        log.info("SScache:removed content:CLEAR CONTENT:" + convertRealmRefToRef);
        return true;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void notifyMembersRemovedFromRealm(Set<String> set, String str) {
        this.m_callCache.removeAll((Set) set.stream().map(str2 -> {
            return makeCacheKey(str2, null, "site.visit", str, false);
        }).collect(Collectors.toSet()));
    }

    void cacheRealmPermsChanged(String str, Set<String> set, Set<String> set2) {
        if (this.m_callCache == null) {
            return;
        }
        String convertRealmRefToRef = convertRealmRefToRef(str);
        if (set2 == null || set2.isEmpty()) {
            set2 = new HashSet(functionManager().getRegisteredFunctions());
        }
        HashSet hashSet = new HashSet();
        try {
            AuthzGroup authzGroup = authzGroupService().getAuthzGroup(convertRealmRefToRef);
            if (set == null || set.isEmpty()) {
                Set roles = authzGroup.getRoles();
                set = new HashSet();
                Iterator it = roles.iterator();
                while (it.hasNext()) {
                    set.add(((Role) it.next()).getId());
                }
            }
            if (set.contains(".auth")) {
                this.m_callCache.clear();
                if (this.cacheDebug) {
                    log.info("SScache:changed .auth:CLEAR and DONE");
                    return;
                }
                return;
            }
            boolean z = set.contains(".anon");
            if (!z) {
                Iterator it2 = authzGroup.getRoles().iterator();
                while (true) {
                    if (it2.hasNext()) {
                        if (".anon".equals(((Role) it2.next()).getId())) {
                            z = true;
                            break;
                        }
                    } else {
                        break;
                    }
                }
            }
            if (z) {
                if (this.cacheDebug) {
                    log.info("SScache:changed .anon:found in " + convertRealmRefToRef);
                }
                for (String str2 : set2) {
                    if (str2 != null) {
                        hashSet.add(makeCacheKey(null, null, str2, convertRealmRefToRef, false));
                    }
                }
            }
            this.m_callCache.removeAll(hashSet);
            Set set3 = (Set) this.svRoles.clone();
            set3.retainAll(set);
            Set<Member> members = authzGroup.getMembers();
            if (members != null && !members.isEmpty()) {
                for (String str3 : set2) {
                    if (str3 != null) {
                        HashSet hashSet2 = new HashSet();
                        for (Member member : members) {
                            if (member != null && member.isActive() && member.getUserId() != null) {
                                boolean isAllowed = member.getRole().isAllowed("site.roleswap");
                                hashSet2.add(makeCacheKey(member.getUserId(), null, str3, convertRealmRefToRef, false));
                                if (isAllowed) {
                                    Iterator it3 = set3.iterator();
                                    while (it3.hasNext()) {
                                        hashSet2.add(makeCacheKey(member.getUserId(), (String) it3.next(), str3, convertRealmRefToRef, false));
                                    }
                                }
                            }
                        }
                        if (this.cacheDebug) {
                            log.info("SScache:changed " + convertRealmRefToRef + ":keys=" + hashSet);
                        }
                        this.m_callCache.removeAll(hashSet2);
                    }
                }
            }
            if (this.cacheDebug) {
                logCacheState("cacheRealmPermsChanged(" + str + ", roles=" + set + ", perms=" + set2 + ")");
            }
        } catch (GroupNotDefinedException e) {
            if (this.cacheDebug) {
                log.warn("SScache:changed FAIL: AZG realm not found:" + convertRealmRefToRef + " from " + str);
            }
        }
    }

    String convertRealmRefToRef(String str) {
        String str2 = null;
        if (str != null) {
            str2 = str.startsWith("/realm/") ? str.substring(7) : str.startsWith("/realm") ? str.substring(6) : str;
        }
        return str2;
    }

    String makeCacheKey(String str, String str2, String str3, String str4, boolean z) {
        if (z) {
            if (str != null) {
                return "super@" + str;
            }
            return null;
        }
        if (str3 == null || str4 == null) {
            return null;
        }
        if (str2 == null) {
            str2 = "";
        }
        if (!str4.startsWith("/site") && !str4.startsWith("/content")) {
            Iterator it = entityManager().newReference(str4).getAuthzGroups(str).iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                String str5 = (String) it.next();
                if (str5.startsWith("/site")) {
                    if (this.cacheDebug) {
                        log.warn("SScache:converted ref " + str4 + " to " + str5);
                    }
                    str4 = str5;
                }
            }
        }
        return "unlock@" + str + "@" + str2 + "@" + str3 + "@" + str4;
    }

    void logCacheState(String str) {
        if (this.cacheDebug) {
            String name = this.m_callCache.getName();
            Ehcache ehcache = (Ehcache) this.m_callCache.unwrap(Ehcache.class);
            StringBuilder sb = new StringBuilder();
            List keysWithExpiryCheck = ehcache.getKeysWithExpiryCheck();
            sb.append("   * keys(").append(keysWithExpiryCheck.size()).append("):").append(new ArrayList(keysWithExpiryCheck)).append("\n");
            int i = 0;
            for (Element element : ehcache.getAll(keysWithExpiryCheck).values()) {
                if (element != null) {
                    i += 0;
                    if (this.cacheDebugDetailed) {
                        sb.append("   ").append(element.getObjectKey()).append(" => (").append(0).append(")").append(element.getObjectValue()).append("\n");
                    }
                }
            }
            log.info("SScache:" + name + ":: " + str + " ::\n  entries(Ehcache[key => payload]," + keysWithExpiryCheck.size() + " + " + i + " = " + (keysWithExpiryCheck.size() + i) + "):\n" + ((Object) sb));
        }
    }

    protected Collection<String> makeAzgRefsForAzgIds(Collection<String> collection) {
        HashSet hashSet = null;
        if (collection != null) {
            hashSet = new HashSet(collection.size());
            Iterator<String> it = collection.iterator();
            while (it.hasNext()) {
                hashSet.add(authzGroupService().authzGroupReference(it.next()));
            }
        }
        return hashSet;
    }

    public void destroy() {
        log.info("destroy()");
        if (this.m_callCache != null) {
            this.m_callCache.close();
        }
        if (this.m_superCache != null) {
            this.m_superCache.close();
        }
        if (this.m_contentCache != null) {
            this.m_contentCache.close();
        }
    }

    public boolean isSuperUser() {
        User currentUser = userDirectoryService().getCurrentUser();
        if (currentUser == null) {
            return false;
        }
        return isSuperUser(currentUser.getId());
    }

    public boolean isSuperUser(String str) {
        Boolean fromCache;
        if (str == null || str.length() == 0) {
            return false;
        }
        String makeCacheKey = makeCacheKey(str, null, null, null, true);
        if (this.m_callCache != null && (fromCache = getFromCache(makeCacheKey, true)) != null) {
            return fromCache.booleanValue();
        }
        boolean z = false;
        if ("admin".equalsIgnoreCase(str)) {
            z = true;
        } else if ("postmaster".equalsIgnoreCase(str)) {
            z = true;
        } else if (authzGroupService().isAllowed(str, BaseContentService.SITE_UPDATE_ACCESS, "/site/!admin")) {
            z = true;
        }
        if (this.m_callCache != null) {
            new HashSet().add("/site/!admin");
            addToCache(makeCacheKey, Boolean.valueOf(z), true);
        }
        return z;
    }

    public boolean unlock(String str, String str2) {
        return unlock(userDirectoryService().getCurrentUser(), str, str2);
    }

    public boolean unlock(User user, String str, String str2) {
        User user2 = user;
        if (user2 == null) {
            user2 = userDirectoryService().getCurrentUser();
        }
        return unlock(user2.getId(), str, str2);
    }

    public boolean unlock(String str, String str2, String str3) {
        return unlock(str, str2, str3, null);
    }

    public boolean unlock(String str, String str2, String str3, Collection<String> collection) {
        SecurityAdvisor.SecurityAdvice adviseIsAllowed;
        if (str == null || str2 == null || str3 == null) {
            log.warn("unlock(): null: " + str + " " + str2 + " " + str3);
            return false;
        }
        if (isSuperUser(str)) {
            return true;
        }
        return (!hasAdvisors() || (adviseIsAllowed = adviseIsAllowed(str, str2, str3)) == SecurityAdvisor.SecurityAdvice.PASS) ? checkAuthzGroups(str, str2, str3, collection) : adviseIsAllowed == SecurityAdvisor.SecurityAdvice.ALLOWED;
    }

    protected boolean checkAuthzGroups(String str, String str2, String str3, Collection<String> collection) {
        Boolean fromCache;
        if (collection == null) {
            collection = entityManager().newReference(str3).getAuthzGroups(str);
        }
        String str4 = null;
        String str5 = null;
        if (collection != null && str != null && str.equals(sessionManager().getCurrentSessionUserId())) {
            for (String str6 : collection) {
                if (str6.startsWith("/site/") && !str.equals(siteService().getSiteUserId(str6))) {
                    str4 = str6;
                }
            }
            Reference newReference = entityManager().newReference(str4);
            if ("group".equals(newReference.getSubType())) {
                str5 = getUserEffectiveRole(siteService().siteReference(newReference.getContainer()));
                if (str5 != null) {
                }
            } else {
                str5 = getUserEffectiveRole(str4);
            }
        }
        String makeCacheKey = makeCacheKey(str, str5, str2, str3, false);
        if (this.m_callCache != null && (fromCache = getFromCache(makeCacheKey, false)) != null) {
            return fromCache.booleanValue();
        }
        boolean isAllowed = authzGroupService().isAllowed(str, str2, collection);
        addToCache(makeCacheKey, Boolean.valueOf(isAllowed), false);
        return isAllowed;
    }

    public List<User> unlockUsers(String str, String str2) {
        if (str2 == null) {
            log.warn("unlockUsers(): null resource: " + str);
            return new Vector();
        }
        Collection authzGroups = entityManager().newReference(str2).getAuthzGroups();
        Vector vector = new Vector();
        vector.addAll(authzGroupService().getUsersIsAllowed(str, authzGroups));
        List<User> users = userDirectoryService().getUsers(vector);
        Collections.sort(users);
        return users;
    }

    protected Stack<SecurityAdvisor> getAdvisorStack(boolean z) {
        Stack<SecurityAdvisor> stack = (Stack) threadLocalManager().get(ADVISOR_STACK);
        if (stack == null && z) {
            stack = new Stack<>();
            threadLocalManager().set(ADVISOR_STACK, stack);
        }
        return stack;
    }

    protected void dropAdvisorStack() {
        threadLocalManager().set(ADVISOR_STACK, (Object) null);
    }

    protected SecurityAdvisor.SecurityAdvice adviseIsAllowed(String str, String str2, String str3) {
        Stack<SecurityAdvisor> advisorStack = getAdvisorStack(false);
        if (advisorStack == null || advisorStack.isEmpty()) {
            return SecurityAdvisor.SecurityAdvice.PASS;
        }
        for (int size = advisorStack.size() - 1; size >= 0; size--) {
            SecurityAdvisor.SecurityAdvice isAllowed = advisorStack.elementAt(size).isAllowed(str, str2, str3);
            if (isAllowed != SecurityAdvisor.SecurityAdvice.PASS) {
                return isAllowed;
            }
        }
        return SecurityAdvisor.SecurityAdvice.PASS;
    }

    public void pushAdvisor(SecurityAdvisor securityAdvisor) {
        getAdvisorStack(true).push(securityAdvisor);
    }

    public SecurityAdvisor popAdvisor(SecurityAdvisor securityAdvisor) {
        Stack<SecurityAdvisor> advisorStack = getAdvisorStack(false);
        if (advisorStack == null) {
            return null;
        }
        SecurityAdvisor securityAdvisor2 = null;
        if (advisorStack.size() > 0) {
            if (securityAdvisor == null) {
                securityAdvisor2 = advisorStack.pop();
            } else {
                if (!securityAdvisor.equals(advisorStack.peek())) {
                    dropAdvisorStack();
                    throw new IllegalSecurityAdvisorException("SecurityAdvisor not called in correct order");
                }
                securityAdvisor2 = advisorStack.pop();
            }
        }
        if (advisorStack.isEmpty()) {
            dropAdvisorStack();
        }
        return securityAdvisor2;
    }

    public SecurityAdvisor popAdvisor() {
        return popAdvisor(null);
    }

    public boolean hasAdvisors() {
        Stack<SecurityAdvisor> advisorStack = getAdvisorStack(false);
        return (advisorStack == null || advisorStack.isEmpty()) ? false : true;
    }

    public void clearAdvisors() {
        dropAdvisorStack();
    }

    public boolean setUserEffectiveRole(String str, String str2) {
        if (!unlock("site.roleswap", str)) {
            return false;
        }
        sessionManager().getCurrentSession().setAttribute(ROLESWAP_PREFIX + str, str2);
        resetSecurityCache(str);
        return true;
    }

    public String getUserEffectiveRole(String str) {
        if (str == null || "".equals(str)) {
            return null;
        }
        return (String) sessionManager().getCurrentSession().getAttribute(ROLESWAP_PREFIX + str);
    }

    public void clearUserEffectiveRole(String str) {
        sessionManager().getCurrentSession().removeAttribute(ROLESWAP_PREFIX + str);
        resetSecurityCache(str);
    }

    public void clearUserEffectiveRoles() {
        Enumeration attributeNames = sessionManager().getCurrentSession().getAttributeNames();
        while (attributeNames.hasMoreElements()) {
            String str = (String) attributeNames.nextElement();
            if (str.startsWith(ROLESWAP_PREFIX)) {
                clearUserEffectiveRole(str.substring(ROLESWAP_PREFIX.length()));
            }
        }
    }

    protected void resetSecurityCache(String str) {
        String str2 = "/realm/" + str;
        eventTrackingService().post(eventTrackingService().newEvent(EVENT_ROLESWAP_CLEAR, str2, true));
        cacheRealmPermsChanged(str2, null, null);
    }

    @Override // java.util.Observer
    public void update(Observable observable, Object obj) {
        if (obj == null || !(obj instanceof Event)) {
            return;
        }
        Event event = (Event) obj;
        if ("site.usersite.invalidate".equals(event.getEvent())) {
            Site site = null;
            try {
                site = siteService().getSite(event.getResource());
            } catch (IdUnusedException e) {
                log.warn("Security invalidation error when handling an event (" + event.getEvent() + "), for site " + event.getResource());
            }
            if (site != null) {
                resetSecurityCache(site.getReference());
            }
        }
    }

    private String getCurrentSiteId() {
        try {
            return toolManager().getCurrentPlacement().getContext();
        } catch (Exception e) {
            return null;
        }
    }

    public boolean isUserRoleSwapped() throws IdUnusedException {
        return isUserRoleSwapped(null);
    }

    public boolean isUserRoleSwapped(String str) throws IdUnusedException {
        if (str == null) {
            str = getCurrentSiteId();
        }
        return StringUtils.isNotBlank(getUserEffectiveRole(siteService().getSite(str).getReference()));
    }
}
