package com.michelin.cio.hudson.plugins.rolestrategy;

import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import com.synopsys.arc.jenkins.plugins.rolestrategy.Macro;
import com.synopsys.arc.jenkins.plugins.rolestrategy.RoleMacroExtension;
import com.synopsys.arc.jenkins.plugins.rolestrategy.RoleType;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import hudson.model.Item;
import hudson.security.AccessControlled;
import hudson.security.Permission;
import hudson.security.SidACL;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.SortedMap;
import java.util.SortedSet;
import java.util.TreeMap;
import java.util.TreeSet;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.ConcurrentSkipListMap;
import java.util.concurrent.CopyOnWriteArraySet;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import jenkins.model.Jenkins;
import org.acegisecurity.BadCredentialsException;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.acls.sid.Sid;
import org.acegisecurity.userdetails.UserDetails;
import org.jenkinsci.plugins.rolestrategy.Settings;
import org.jenkinsci.plugins.rolestrategy.permissions.PermissionHelper;
import org.kohsuke.stapler.DataBoundConstructor;
import org.springframework.dao.DataAccessException;

/* loaded from: input_file:WEB-INF/lib/role-strategy.jar:com/michelin/cio/hudson/plugins/rolestrategy/RoleMap.class */
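/**
 * Maps each {@link Role} to the set of SIDs it has been granted to and answers permission
 * checks against that mapping.
 *
 * <p>Points a reviewer of this authorization code should keep in mind, all visible below:
 * <ul>
 *   <li>{@link AclImpl#hasPermission(Sid, Permission)} returns {@code true} or {@code null};
 *       it never returns {@code false}.</li>
 *   <li>Permissions that {@link PermissionHelper#isDangerous(Permission)} reports as dangerous
 *       are evaluated as if {@link Jenkins#ADMINISTER} had been requested.</li>
 *   <li>When {@link Settings#TREAT_USER_AUTHORITIES_AS_ROLES} is set, user details are cached,
 *       and nothing in this class invalidates that cache when roles change; authority changes
 *       in the security realm are only seen once the cache entry expires or is evicted.</li>
 *   <li>The parent READ/DISCOVER check can be switched off with a system property, see
 *       {@link #shouldCheckParentPermissions()}.</li>
 * </ul>
 */
public class RoleMap {
    /** Role to assigned SIDs. The map itself is concurrent; see the mutators for the set types used. */
    private final SortedMap<Role, Set<String>> grantedRoles;
    private static final Logger LOGGER = Logger.getLogger(RoleMap.class.getName());
    /** Permission to the set of permissions that satisfy a check for it. */
    private static final ConcurrentMap<Permission, Set<Permission>> implyingPermissionCache = new ConcurrentHashMap<>();
    /** User details keyed by SID; only consulted when authorities are treated as roles. */
    private final Cache<String, UserDetails> cache;
    /** Per-name result of {@link #createMatchingRoleMap(String)}; cleared by every mutator. */
    private final Cache<String, RoleMap> matchingRoleMapCache;

    /**
     * ACL bound to one {@link AccessControlled} object and one {@link RoleType}, delegating to
     * the enclosing {@link RoleMap}.
     */
    public final class AclImpl extends SidACL {
        AccessControlled item;
        RoleType roleType;

        public AclImpl(RoleType roleType, AccessControlled accessControlled) {
            this.item = accessControlled;
            this.roleType = roleType;
        }

        /**
         * Decides whether {@code sid} holds {@code permission} on the bound object.
         *
         * <p>For READ and DISCOVER on an {@link Item} whose parent is itself an {@link Item},
         * the parent must also grant the same permission, unless that check is disabled
         * through {@link RoleMap#shouldCheckParentPermissions()}.
         *
         * @param sid the principal being checked
         * @param permission the permission being requested
         * @return {@code true} when granted, {@code null} otherwise; never {@code false}
         */
        @CheckForNull
        @SuppressFBWarnings(value = {"NP_BOOLEAN_RETURN_NULL"}, justification = "As declared in Jenkins API")
        protected Boolean hasPermission(Sid sid, Permission permission) {
            if (!RoleMap.this.hasPermission(toString(sid), permission, this.roleType, this.item)) {
                return null;
            }
            if (this.item instanceof Item) {
                // The field is typed AccessControlled, so the Item view needs an explicit cast
                // (the decompiled listing had dropped it).
                Object parent = ((Item) this.item).getParent();
                boolean visibilityPermission = Item.DISCOVER.equals(permission) || Item.READ.equals(permission);
                if (parent instanceof Item && visibilityPermission && shouldCheckParentPermissions()) {
                    Permission required = permission == Item.DISCOVER ? Item.DISCOVER : Item.READ;
                    // NOTE(review): this call takes no SID argument; confirm it evaluates the same
                    // principal as `sid` and not only the current request's authentication.
                    if (!((Item) parent).hasPermission(required)) {
                        return null;
                    }
                }
            }
            return true;
        }
    }

    /**
     * Visits every role of the enclosing map once, stopping early after {@link #abort()}.
     *
     * <p>The walk starts from the constructor, so {@link #perform(Role)} runs while the
     * subclass instance is still being constructed.
     */
    private abstract class RoleWalker {
        boolean shouldAbort = false;

        RoleWalker() {
            walk();
        }

        /** Requests that the walk stops after the role currently being visited. */
        public void abort() {
            this.shouldAbort = true;
        }

        /** Calls {@link #perform(Role)} for each role until the roles run out or abort is requested. */
        public void walk() {
            for (Role role : RoleMap.this.getRoles()) {
                perform(role);
                if (this.shouldAbort) {
                    return;
                }
            }
        }

        /**
         * Handles one role.
         *
         * @param role the role being visited
         */
        public abstract void perform(Role role);
    }

    /**
     * Creates an empty map.
     *
     * <p>The user-details cache is sized and expired from {@link Settings}; the matching-role-map
     * cache holds at most 2048 entries and expires them one hour after they were written.
     */
    public RoleMap() {
        this.cache = Caffeine.newBuilder()
                .maximumSize(Settings.USER_DETAILS_CACHE_MAX_SIZE)
                .expireAfterWrite(Settings.USER_DETAILS_CACHE_EXPIRATION_TIME_SEC, TimeUnit.SECONDS)
                .build();
        this.matchingRoleMapCache = Caffeine.newBuilder()
                .maximumSize(2048L)
                .expireAfterWrite(1L, TimeUnit.HOURS)
                .build();
        this.grantedRoles = new ConcurrentSkipListMap<>();
    }

    /**
     * Creates a map holding a copy of the given assignments.
     *
     * @param sortedMap role to SIDs; each SID set is copied, so later changes to the argument are
     *     not reflected here
     */
    @DataBoundConstructor
    public RoleMap(@Nonnull SortedMap<Role, Set<String>> sortedMap) {
        this();
        for (Map.Entry<Role, Set<String>> entry : sortedMap.entrySet()) {
            this.grantedRoles.put(entry.getKey(), new HashSet<>(entry.getValue()));
        }
    }

    /**
     * Checks whether {@code str} is granted {@code permission} by any role in this map.
     *
     * <p>A role is considered only if it carries the permission or one that implies it. A direct
     * assignment grants access for a plain role; for a macro role the matching
     * {@link RoleMacroExtension} has the final say. If the SID is not directly assigned and
     * {@link Settings#TREAT_USER_AUTHORITIES_AS_ROLES} is set, access is also granted when one of
     * the user's authorities has the same name as the role.
     *
     * <p>Failures while loading user details are logged and treated as "not granted" for that
     * role; they never grant access.
     *
     * @param str the SID being checked
     * @param permission the requested permission
     * @param roleType the role type, forwarded to macro extensions
     * @param accessControlled the object being accessed, forwarded to macro extensions
     * @return {@code true} if some role grants the permission
     */
    public boolean hasPermission(final String str, final Permission permission, final RoleType roleType, final AccessControlled accessControlled) {
        final Set<Permission> implyingPermissions = getImplyingPermissions(permission);
        // One-element array so the anonymous walker can report its result.
        final boolean[] granted = {false};
        new RoleWalker() {
            @Override
            public void perform(Role role) {
                if (!role.hasAnyPermission(implyingPermissions).booleanValue()) {
                    return;
                }
                Set<String> assignedSids = RoleMap.this.grantedRoles.get(role);
                if (assignedSids == null) {
                    // The role vanished between listing the roles and this lookup (removeRole on
                    // another thread). A role that no longer exists grants nothing.
                    return;
                }
                if (assignedSids.contains(str)) {
                    if (!Macro.isMacro(role)) {
                        granted[0] = true;
                        abort();
                        return;
                    }
                    Macro macro = RoleMacroExtension.getMacro(role.getName());
                    if (macro == null) {
                        return;
                    }
                    RoleMacroExtension macroExtension = RoleMacroExtension.getMacroExtension(macro.getName());
                    if (macroExtension.IsApplicable(roleType)
                            && macroExtension.hasPermission(str, permission, roleType, accessControlled, macro)) {
                        granted[0] = true;
                        abort();
                    }
                    return;
                }
                if (!Settings.TREAT_USER_AUTHORITIES_AS_ROLES) {
                    return;
                }
                try {
                    UserDetails userDetails = RoleMap.this.cache.getIfPresent(str);
                    if (userDetails == null) {
                        userDetails = Jenkins.get().getSecurityRealm().loadUserByUsername(str);
                        // Only successful lookups are cached; a failing lookup is repeated for
                        // every role visited.
                        RoleMap.this.cache.put(str, userDetails);
                    }
                    for (GrantedAuthority grantedAuthority : userDetails.getAuthorities()) {
                        if (grantedAuthority.getAuthority().equals(role.getName())) {
                            granted[0] = true;
                            abort();
                            return;
                        }
                    }
                } catch (BadCredentialsException e) {
                    RoleMap.LOGGER.log(Level.FINE, "Bad credentials", e);
                } catch (DataAccessException e2) {
                    RoleMap.LOGGER.log(Level.FINE, "failed to access the data", e2);
                } catch (RuntimeException e3) {
                    RoleMap.LOGGER.log(Level.WARNING, "Unhandled exception during user authorities processing", e3);
                }
            }
        };
        return granted[0];
    }

    /**
     * Returns the permissions that satisfy a check for {@code permission}, computing and caching
     * them on first use.
     *
     * @param permission the requested permission
     * @return the cached set of satisfying permissions
     */
    private static Set<Permission> getImplyingPermissions(Permission permission) {
        Set<Permission> cached = implyingPermissionCache.get(permission);
        return cached != null ? cached : cacheImplyingPermissions(permission);
    }

    /**
     * Computes and stores the permissions that satisfy a check for {@code permission}.
     *
     * <p>For a dangerous permission the result is the set computed for {@link Jenkins#ADMINISTER},
     * so a role holding only the dangerous permission itself does not satisfy the check. Otherwise
     * the result is the permission plus everything reachable through {@code impliedBy}.
     *
     * @param permission the permission to analyse
     * @return the set that was stored in the cache
     */
    private static Set<Permission> cacheImplyingPermissions(Permission permission) {
        Set<Permission> implying;
        if (PermissionHelper.isDangerous(permission)) {
            implying = getImplyingPermissions(Jenkins.ADMINISTER);
        } else {
            implying = new HashSet<>();
            for (Permission current = permission; current != null; current = current.impliedBy) {
                implying.add(current);
            }
        }
        implyingPermissionCache.put(permission, implying);
        return implying;
    }

    /**
     * Tells whether the role is a key of this map.
     *
     * @param role the role to look for
     * @return {@code true} if the role is present
     */
    public boolean hasRole(@Nonnull Role role) {
        return this.grantedRoles.containsKey(role);
    }

    /**
     * Creates an ACL for the given object, backed by this map.
     *
     * @param roleType the role type the ACL is evaluated for
     * @param accessControlled the object the ACL protects
     * @return a new {@link AclImpl}
     */
    public SidACL getACL(RoleType roleType, AccessControlled accessControlled) {
        return new AclImpl(roleType, accessControlled);
    }

    /**
     * Adds the role with no SIDs assigned, unless a role with the same name already exists.
     *
     * @param role the role to add
     */
    public void addRole(Role role) {
        if (getRole(role.getName()) == null) {
            this.grantedRoles.put(role, new CopyOnWriteArraySet<>());
            this.matchingRoleMapCache.invalidateAll();
        }
    }

    /**
     * Grants the role to the SID; does nothing if the role is not in this map.
     *
     * @param role the role to grant
     * @param str the SID receiving the role
     */
    public void assignRole(Role role, String str) {
        // Single lookup, as in unAssignRole, so a concurrent removeRole cannot slip in between a
        // containsKey check and the get.
        Set<String> assignedSids = this.grantedRoles.get(role);
        if (assignedSids != null) {
            assignedSids.add(str);
            this.matchingRoleMapCache.invalidateAll();
        }
    }

    /**
     * Revokes the role from the SID; does nothing if the role is not in this map.
     *
     * @param role the role to revoke
     * @param str the SID losing the role
     */
    public void unAssignRole(Role role, String str) {
        Set<String> assignedSids = this.grantedRoles.get(role);
        if (assignedSids != null) {
            assignedSids.remove(str);
            this.matchingRoleMapCache.invalidateAll();
        }
    }

    /**
     * Revokes the role from every SID; does nothing if the role is not in this map.
     *
     * @param role the role to clear
     */
    public void clearSidsForRole(Role role) {
        Set<String> assignedSids = this.grantedRoles.get(role);
        if (assignedSids != null) {
            assignedSids.clear();
            this.matchingRoleMapCache.invalidateAll();
        }
    }

    /**
     * Removes the SID from every role.
     *
     * @param str the SID to remove
     */
    public void deleteSids(String str) {
        for (Set<String> assignedSids : this.grantedRoles.values()) {
            assignedSids.remove(str);
        }
        this.matchingRoleMapCache.invalidateAll();
    }

    /**
     * Revokes the first role with the given name from the SID.
     *
     * @param str the SID losing the role
     * @param str2 the name of the role to revoke
     */
    public void deleteRoleSid(String str, String str2) {
        for (Role role : this.grantedRoles.keySet()) {
            if (role.getName().equals(str2)) {
                unAssignRole(role, str);
                return;
            }
        }
    }

    /** Revokes every role from every SID, keeping the roles themselves. */
    public void clearSids() {
        for (Role role : this.grantedRoles.keySet()) {
            clearSidsForRole(role);
        }
    }

    /**
     * Finds a role by name.
     *
     * @param str the role name
     * @return the first role with that name, or {@code null} if there is none
     */
    @CheckForNull
    public Role getRole(String str) {
        for (Role role : getRoles()) {
            if (role.getName().equals(str)) {
                return role;
            }
        }
        return null;
    }

    /**
     * Removes the role and its assignments.
     *
     * @param role the role to remove
     */
    public void removeRole(Role role) {
        this.grantedRoles.remove(role);
        this.matchingRoleMapCache.invalidateAll();
    }

    /**
     * Returns a read-only view of the assignments.
     *
     * <p>Only the map is wrapped; the SID sets inside it are the live, mutable sets.
     *
     * @return unmodifiable view of role to SIDs
     */
    public SortedMap<Role, Set<String>> getGrantedRoles() {
        return Collections.unmodifiableSortedMap(this.grantedRoles);
    }

    /**
     * Returns a read-only view of the roles in this map.
     *
     * @return unmodifiable view of the roles
     */
    public Set<Role> getRoles() {
        return Collections.unmodifiableSet(this.grantedRoles.keySet());
    }

    /**
     * Returns every assigned SID except {@code "anonymous"}.
     *
     * @return sorted, unmodifiable set of SIDs
     */
    public SortedSet<String> getSids() {
        return getSids(false);
    }

    /**
     * Returns every assigned SID.
     *
     * @param bool whether to keep {@code "anonymous"} in the result; {@code null} is treated as
     *     {@code false} instead of failing on unboxing
     * @return sorted, unmodifiable copy of the SIDs
     */
    public SortedSet<String> getSids(Boolean bool) {
        TreeSet<String> sids = new TreeSet<>();
        for (Set<String> assignedSids : this.grantedRoles.values()) {
            sids.addAll(assignedSids);
        }
        if (!Boolean.TRUE.equals(bool)) {
            sids.remove("anonymous");
        }
        return Collections.unmodifiableSortedSet(sids);
    }

    /**
     * Returns a read-only view of the SIDs assigned to the named role.
     *
     * @param str the role name
     * @return unmodifiable view of the live SID set, or {@code null} if there is no such role
     */
    @CheckForNull
    public Set<String> getSidsForRole(String str) {
        Role role = getRole(str);
        if (role == null) {
            return null;
        }
        // The role may have been removed since getRole found it.
        Set<String> assignedSids = this.grantedRoles.get(role);
        return assignedSids == null ? null : Collections.unmodifiableSet(assignedSids);
    }

    /**
     * Returns the sub-map of roles whose pattern matches the given name, using the cache.
     *
     * @param str the name to match role patterns against
     * @return the cached or freshly built matching map
     */
    public RoleMap newMatchingRoleMap(String str) {
        return this.matchingRoleMapCache.get(str, this::createMatchingRoleMap);
    }

    /**
     * Builds a new map containing only the roles whose pattern matches {@code str} entirely.
     *
     * <p>The result is a snapshot: the {@link #RoleMap(SortedMap)} constructor copies each SID
     * set, which is why every mutator of this class clears {@code matchingRoleMapCache}.
     *
     * @param str the name to match role patterns against
     * @return a new map with the matching roles
     */
    private RoleMap createMatchingRoleMap(final String str) {
        final SortedMap<Role, Set<String>> matching = new TreeMap<>();
        new RoleWalker() {
            @Override
            public void perform(Role role) {
                if (role.getPattern().matcher(str).matches()) {
                    Set<String> assignedSids = RoleMap.this.grantedRoles.get(role);
                    // Skip a role removed concurrently; copying a null set would throw.
                    if (assignedSids != null) {
                        matching.put(role, assignedSids);
                    }
                }
            }
        };
        return new RoleMap(matching);
    }

    /**
     * Lists the full names of items that match the pattern, up to a limit.
     *
     * @param pattern the pattern an item's full name must match entirely
     * @param i the maximum number of names to return
     * @return at most {@code i} matching full names
     */
    public static List<String> getMatchingJobNames(Pattern pattern, int i) {
        // NOTE(review): which items are enumerated is decided by Jenkins#allItems; confirm that
        // callers may see every name returned here.
        List<String> names = new ArrayList<>();
        for (Item item : Jenkins.get().allItems(Item.class,
                candidate -> pattern.matcher(candidate.getFullName()).matches())) {
            if (names.size() >= i) {
                break;
            }
            names.add(item.getFullName());
        }
        return names;
    }

    /**
     * Tells whether READ/DISCOVER on an item also requires the same permission on its parent.
     *
     * <p>Controlled by the system property named after this class with the suffix
     * {@code .checkParentPermissions}. The check is on when the property is unset; any value
     * other than {@code "true"} (ignoring case) turns it off. The property is read on every call.
     *
     * @return {@code true} if the parent check is enabled
     */
    private static boolean shouldCheckParentPermissions() {
        String property = System.getProperty(RoleMap.class.getName() + ".checkParentPermissions");
        return property == null || Boolean.parseBoolean(property);
    }

    /**
     * Synthetic accessor emitted by the compiler for the nested class; kept so the set of
     * members in this listing is unchanged.
     */
    static /* synthetic */ boolean access$400() {
        return shouldCheckParentPermissions();
    }

    // Pre-compute the implying-permission sets for every permission known at class load.
    static {
        Permission.getAll().forEach(RoleMap::cacheImplyingPermissions);
    }
}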
