package com.e2eq.framework.model.securityrules;

import com.e2eq.framework.model.persistent.base.UnversionedBaseModel;
import com.e2eq.framework.model.persistent.morphia.MorphiaUtils;
import com.e2eq.framework.model.persistent.security.Rule;
import com.e2eq.framework.model.securityrules.SecurityURIBody;
import com.e2eq.framework.model.securityrules.SecurityURIHeader;
import com.e2eq.framework.util.IOCase;
import com.e2eq.framework.util.SecurityUtils;
import com.e2eq.framework.util.WildCardMatcher;
import com.google.common.collect.Ordering;
import dev.morphia.query.filters.Filter;
import dev.morphia.query.filters.Filters;
import io.quarkus.logging.Log;
import jakarta.annotation.PostConstruct;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import jakarta.validation.Valid;
import jakarta.validation.constraints.NotNull;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.text.StringSubstitutor;
import org.eclipse.microprofile.config.inject.ConfigProperty;
import org.graalvm.polyglot.Context;

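/**
 * In-memory registry of security {@link Rule}s keyed by identity (a user id or a role name),
 * together with the evaluator that decides whether a principal may perform an action on a
 * resource ({@link #checkRules}) and which Morphia filters must be attached to that
 * principal's queries ({@link #getFilters}).
 *
 * <p>Evaluation model: rules are collected for the principal's user id and for each of its
 * roles, sorted by ascending {@code priority}, and matched by case-insensitive wildcard
 * against the URIs derived from the principal and resource. Every matching rule overwrites
 * the running effect, so the outcome is the effect of the LAST matching rule unless a
 * matching rule is marked final, which stops evaluation immediately. When nothing matches
 * the result is the caller-supplied default, DENY for the two-argument {@link #checkRules}.
 *
 * <p>NOTE(review): {@link #rules} is a plain {@link HashMap} inside an application-scoped
 * singleton and nothing here synchronizes {@link #addRule}/{@link #clear} against concurrent
 * {@link #checkRules} callers. This is only safe if the rule set is fully populated before
 * the bean is handed to request threads — confirm against the callers.
 */
@ApplicationScoped
public class RuleContext {

    @Inject
    SecurityUtils securityUtils;

    /** Rule registry: identity (user id or role name, case-sensitive) -> rules in insertion order. */
    Map<String, List<Rule>> rules = new HashMap<>();

    @ConfigProperty(name = "quantum.realmConfig.defaultRealm", defaultValue = "system-com")
    protected String defaultRealm;

    /** CDI constructor; {@link #securityUtils} is injected afterwards. */
    public RuleContext() {
        Log.debug("Creating ruleContext");
    }

    /**
     * Manual-wiring constructor. It does NOT install the system rules: {@link #ensureDefaultRules()}
     * is a {@code @PostConstruct} callback and is only run by the container, so callers using
     * this constructor must invoke it themselves.
     *
     * @param securityUtils source of the system identity/realm/tenant constants
     */
    public RuleContext(SecurityUtils securityUtils) {
        this.securityUtils = securityUtils;
    }

    /** @return the realm configured under {@code quantum.realmConfig.defaultRealm}. */
    public String getDefaultRealm() {
        return this.defaultRealm;
    }

    /**
     * Installs the built-in system rules if the registry is empty or has no rules for the
     * system identity. Guarding on the system identity matters because {@link #addRule}
     * appends rather than replaces: calling {@link #addSystemRules()} twice would duplicate
     * every built-in rule.
     */
    @PostConstruct
    public void ensureDefaultRules() {
        if (this.rules.isEmpty()) {
            addSystemRules();
            return;
        }
        String systemIdentity = this.securityUtils.getSystemSecurityHeader().getIdentity();
        if (rulesForIdentity(systemIdentity).isEmpty()) {
            addSystemRules();
        }
    }

    /**
     * Registers the built-in rule set:
     * <ul>
     *   <li>system user and {@code "system"} role: ALLOW anything, final, priorities 0 and 1;</li>
     *   <li>{@code "user"} role: non-final ALLOW on any area/domain/action, filtered to the
     *       principal's own records in data segment 0; plus a final DENY for DELETE in the
     *       {@code Security} area;</li>
     *   <li>{@code "admin"} role: final ALLOW on anything, filtered to the principal's tenant;</li>
     *   <li>{@code "ANONYMOUS"}: final ALLOW to {@code create} in onboarding/registrationRequest and
     *       website/contactus, restricted to the system realm/tenant/account.</li>
     * </ul>
     *
     * <p>NOTE(review): the user/admin/anonymous rules set no explicit priority, so their
     * relative order depends on {@code Rule.Builder}'s default. For the two {@code "user"}
     * rules the outcome is the same either way (the DENY is final and a later DENY overwrites
     * the earlier non-final ALLOW), but confirm the default before relying on ordering
     * elsewhere.
     */
    protected void addSystemRules() {
        SecurityURIHeader systemHeader = this.securityUtils.getSystemSecurityHeader();
        SecurityURIBody systemBody = this.securityUtils.getSystemSecurityBody();

        // System principal: unrestricted, highest priority, final.
        addRule(systemHeader, new Rule.Builder()
                .withName("SysAnyActionSecurity")
                .withDescription("System can take any action with in security")
                .withSecurityURI(new SecurityURI(systemHeader, systemBody))
                .withEffect(RuleEffect.ALLOW)
                .withPriority(0)
                .withFinalRule(true)
                .build());

        // Same grant keyed by the "system" role name instead of the system user id.
        SecurityURIHeader systemRoleHeader = systemHeader.m27clone();
        systemRoleHeader.setIdentity("system");
        addRule(systemRoleHeader, new Rule.Builder()
                .withName("SysRoleAnyActionSecurity")
                .withDescription("system role can take any action with in security")
                .withSecurityURI(new SecurityURI(systemRoleHeader, systemBody))
                .withEffect(RuleEffect.ALLOW)
                .withPriority(1)
                .withFinalRule(true)
                .build());

        // Body wildcarded on every dimension; the data restriction lives in the filter string.
        SecurityURIBody anyBody = new SecurityURIBody.Builder()
                .withOrgRefName(SecurityUtils.any)
                .withAccountNumber(SecurityUtils.any)
                .withRealm(SecurityUtils.any)
                .withTenantId(SecurityUtils.any)
                .withOwnerId(SecurityUtils.any)
                .withDataSegment(SecurityUtils.any)
                .build();

        // Plain users may act on their own records in data segment 0. Non-final on purpose:
        // later, more specific rules (e.g. the DENY below) can still override it.
        SecurityURIHeader userAnyHeader = new SecurityURIHeader.Builder()
                .withIdentity("user")
                .withArea(SecurityUtils.any)
                .withFunctionalDomain(SecurityUtils.any)
                .withAction(SecurityUtils.any)
                .build();
        addRule(userAnyHeader, new Rule.Builder()
                .withName("view your own resources, limit to default dataSegment")
                .withSecurityURI(new SecurityURI(userAnyHeader, anyBody))
                .withAndFilterString("dataDomain.ownerId:${principalId}&&dataDomain.dataSegment:#0")
                .withEffect(RuleEffect.ALLOW)
                .withFinalRule(false)
                .build());

        // Hard denial: users never delete in the Security area, whatever matched before.
        SecurityURIHeader userSecurityDeleteHeader = new SecurityURIHeader.Builder()
                .withIdentity("user")
                .withArea("Security")
                .withFunctionalDomain(SecurityUtils.any)
                .withAction("DELETE")
                .build();
        addRule(userSecurityDeleteHeader, new Rule.Builder()
                .withName("users can't delete anything in security area")
                .withSecurityURI(new SecurityURI(userSecurityDeleteHeader, anyBody))
                .withAndFilterString("dataDomain.ownerId:${principalId}&&dataDomain.dataSegment:#0")
                .withEffect(RuleEffect.DENY)
                .withFinalRule(true)
                .build());

        // Tenant admins: anything, but only on records of their own tenant.
        SecurityURIHeader adminHeader = new SecurityURIHeader.Builder()
                .withIdentity("admin")
                .withArea(SecurityUtils.any)
                .withFunctionalDomain(SecurityUtils.any)
                .withAction(SecurityUtils.any)
                .build();
        addRule(adminHeader, new Rule.Builder()
                .withName("tenant admin can administer the tenant records")
                .withSecurityURI(new SecurityURI(adminHeader, anyBody))
                .withAndFilterString("dataDomain.tenantId:${pTenantId}")
                .withEffect(RuleEffect.ALLOW)
                .withFinalRule(true)
                .build());

        // Unauthenticated callers: two narrowly scoped "create" actions in the system tenant.
        SecurityURIHeader anonymousRegisterHeader = new SecurityURIHeader.Builder()
                .withIdentity("ANONYMOUS")
                .withArea("onboarding")
                .withFunctionalDomain("registrationRequest")
                .withAction("create")
                .build();
        addRule(anonymousRegisterHeader, new Rule.Builder()
                .withName("anonymous user can call register")
                .withSecurityURI(new SecurityURI(anonymousRegisterHeader, newSystemTenantBody()))
                .withAndFilterString("dataDomain.tenantId:${pTenantId}")
                .withEffect(RuleEffect.ALLOW)
                .withFinalRule(true)
                .build());

        SecurityURIHeader anonymousContactHeader = new SecurityURIHeader.Builder()
                .withIdentity("ANONYMOUS")
                .withArea("website")
                .withFunctionalDomain("contactus")
                .withAction("create")
                .build();
        addRule(anonymousContactHeader, new Rule.Builder()
                .withName("anonymous user can call contactus")
                .withSecurityURI(new SecurityURI(anonymousContactHeader, newSystemTenantBody()))
                .withAndFilterString("dataDomain.tenantId:${pTenantId}")
                .withEffect(RuleEffect.ALLOW)
                .withFinalRule(true)
                .build());
    }

    /**
     * Builds a fresh body pinned to the system realm/tenant/account and wildcarded on the
     * remaining dimensions; used by the anonymous rules. A new instance per rule so that no
     * two rules share a mutable body.
     */
    private SecurityURIBody newSystemTenantBody() {
        return new SecurityURIBody.Builder()
                .withRealm(this.securityUtils.getSystemRealm())
                .withTenantId(this.securityUtils.getSystemTenantId())
                .withAccountNumber(this.securityUtils.getSystemAccountNumber())
                .withDataSegment(SecurityUtils.any)
                .withOwnerId(SecurityUtils.any)
                .withOrgRefName(SecurityUtils.any)
                .build();
    }

    /** Removes every rule, including the system rules; nothing is re-installed automatically. */
    public void clear() {
        this.rules.clear();
    }

    /**
     * Appends {@code rule} to the list registered under the header's identity.
     *
     * <p>Registration is keyed by the exact identity string (case-sensitive map lookup),
     * whereas matching in {@link #checkRules} is case-insensitive; register roles under the
     * exact spelling the principal's roles use.
     *
     * @param securityURIHeader header whose identity selects the registry bucket
     * @param rule              rule to append; duplicates are not detected
     */
    public void addRule(@NotNull @Valid SecurityURIHeader securityURIHeader, @Valid @NotNull Rule rule) {
        this.rules
                .computeIfAbsent(securityURIHeader.getIdentity(), ignored -> new ArrayList<>())
                .add(rule);
    }

    /**
     * Returns the live rule list registered under {@code str}, if any. The list is the
     * registry's own instance, so mutating it mutates the registry.
     *
     * @param str identity (user id or role name), compared case-sensitively
     */
    public Optional<List<Rule>> rulesForIdentity(@NotNull String str) {
        return Optional.ofNullable(this.rules.get(str));
    }

    /**
     * Runs a rule's postcondition script as JavaScript with {@code pcontext} and
     * {@code rcontext} bound to the given contexts and returns its boolean result.
     *
     * <p>SECURITY: the polyglot context is built with {@code allowAllAccess(true)}, which
     * gives the script full host access (Java reflection, IO, threads, native access, ...).
     * A postcondition script is therefore arbitrary server-side code: any rule whose
     * {@code postconditionScript} can be written by a non-system principal is a remote code
     * execution path. Treat scripts as trusted configuration; if rules are persisted or
     * user-editable, restrict the host access policy (an explicit {@code HostAccess}
     * allow-list exposing only the two bound objects) before shipping.
     *
     * <p>Fix: {@link Context} is {@code AutoCloseable} and was never closed, leaking one
     * engine per evaluation; it is now closed once the result has been read.
     *
     * @param str the JavaScript source to evaluate; must yield a boolean
     * @return the script's boolean value
     */
    boolean runScript(PrincipalContext principalContext, ResourceContext resourceContext, String str) {
        try (Context context = Context.newBuilder(new String[0]).allowAllAccess(true).build()) {
            context.getBindings("js").putMember("pcontext", principalContext);
            context.getBindings("js").putMember("rcontext", resourceContext);
            // asBoolean() yields a primitive, so the value survives closing the context.
            return context.eval("js", str).asBoolean();
        }
    }

    /**
     * Builds a URI header for {@code str} acting on the resource's area/domain/action.
     * The only caller ({@link #getApplicableRulesForPrincipalAndAssociatedRoles}) reads back
     * just the identity.
     */
    SecurityURIHeader createHeaderFor(String str, ResourceContext resourceContext) {
        return new SecurityURIHeader.Builder()
                .withIdentity(str)
                .withArea(resourceContext.getArea())
                .withFunctionalDomain(resourceContext.getFunctionalDomain())
                .withAction(resourceContext.getAction())
                .build();
    }

    /**
     * Collects the rules registered for the principal's user id, then for each of its roles,
     * and sorts them by ascending {@code priority} (0 is evaluated first). {@code List.sort}
     * is stable, so among equal priorities user-id rules precede role rules and registration
     * order is kept.
     *
     * <p>Fix: the comparator now uses {@link Integer#compare} instead of subtraction, which
     * overflows for priorities far apart in sign.
     *
     * @return a new, sorted list; never null
     */
    List<Rule> getApplicableRulesForPrincipalAndAssociatedRoles(PrincipalContext principalContext, ResourceContext resourceContext) {
        List<Rule> applicable = new ArrayList<>();
        String userIdentity = createHeaderFor(principalContext.getUserId(), resourceContext).getIdentity();
        rulesForIdentity(userIdentity).ifPresent(applicable::addAll);
        for (String role : principalContext.getRoles()) {
            rulesForIdentity(role).ifPresent(applicable::addAll);
        }
        if (applicable.size() > 1) {
            applicable.sort(Comparator.comparingInt(Rule::getPriority));
        }
        return applicable;
    }

    /**
     * Deny-by-default evaluation: equivalent to {@link #checkRules(PrincipalContext, ResourceContext, RuleEffect)}
     * with {@link RuleEffect#DENY} as the effect used when no rule matches.
     */
    public SecurityCheckResponse checkRules(@Valid @NotNull PrincipalContext principalContext, @Valid @NotNull ResourceContext resourceContext) {
        return checkRules(principalContext, resourceContext, RuleEffect.DENY);
    }

    /**
     * Evaluates the applicable rules against the URIs derived from the principal and the
     * resource, starting from {@code ruleEffect} as the result when nothing matches.
     *
     * <p>Algorithm: rules are visited in ascending priority order. For each rule every
     * principal URI (one per role plus one for the user id) is matched by case-insensitive
     * wildcard against the rule's URI (presumably (text, pattern) argument order as in
     * commons-io {@code FilenameUtils.wildcardMatch} — confirm against {@code WildCardMatcher}).
     * On a match, a postcondition script, if present, is run: a {@code false} result records
     * the rule as NOT_APPLICABLE and leaves the running effect untouched; otherwise the rule's
     * effect overwrites the running effect. A matching final rule stops all evaluation, also
     * for the remaining URIs of that rule; a non-final match keeps going, so later matches
     * (higher priority number) override earlier ones.
     *
     * <p>Security notes:
     * <ul>
     *   <li>Because non-final matches overwrite the effect, a DENY is reversed by any later
     *       non-final ALLOW. Rules intended as hard denials must be marked final.</li>
     *   <li>Rule lookup by identity is case-sensitive while URI matching is case-insensitive;
     *       a rule registered under {@code "admin"} is found only for a role spelled exactly so.</li>
     *   <li>Every evaluated rule, match event and URI diff is recorded on the response for
     *       diagnostics; do not return the response verbatim to untrusted clients.</li>
     * </ul>
     *
     * @param ruleEffect effect reported when no rule determines one
     * @return the response carrying the final effect plus the full evaluation trace
     */
    public SecurityCheckResponse checkRules(@Valid @NotNull PrincipalContext principalContext, @Valid @NotNull ResourceContext resourceContext, @NotNull RuleEffect ruleEffect) {
        if (Log.isDebugEnabled()) {
            Log.debug("####  checking Permissions for pcontext:" + principalContext.toString() + " resource context:" + resourceContext.toString());
        }
        SecurityCheckResponse response = new SecurityCheckResponse(principalContext, resourceContext);
        response.setFinalEffect(ruleEffect);

        List<Rule> applicable = getApplicableRulesForPrincipalAndAssociatedRoles(principalContext, resourceContext);
        List<SecurityURI> principalUris = expandURIPrincipalIdentities(principalContext, resourceContext);
        response.getApplicableSecurityURIs().addAll(principalUris);

        if (Log.isDebugEnabled()) {
            Log.debug("");
            Log.debug("--- Applicable rules:" + applicable.size());
        }

        boolean finalRuleHit = false;
        for (Rule rule : applicable) {
            response.getEvaluatedRules().add(rule);
            String ruleUri = rule.getSecurityURI().getURIString();
            if (Log.isDebugEnabled()) {
                Log.debug(" rule:" + rule.getName() + "compared to uris:" + principalUris.size());
            }
            for (SecurityURI principalUri : principalUris) {
                String uri = principalUri.getURIString();
                // Diagnostic only: first divergent suffix between principal URI and rule URI.
                String difference = StringUtils.difference(uri, ruleUri);
                if (Log.isDebugEnabled()) {
                    Log.debug("Comparing:" + uri);
                    Log.debug("To ruleName:" + rule.getName() + " URI:" + ruleUri);
                    Log.debug("");
                }
                if (!WildCardMatcher.wildcardMatch(uri, ruleUri, IOCase.INSENSITIVE)) {
                    response.getMatchEvents().add(MatchEvent.builder()
                            .principalUriString(uri)
                            .ruleUriString(ruleUri)
                            .ruleName(rule.getName())
                            .matched(false)
                            .difference(difference)
                            .build());
                    if (Log.isDebugEnabled()) {
                        Log.debug(" >>>  Difference:" + difference);
                    }
                    continue;
                }

                RuleResult ruleResult = new RuleResult(rule);
                MatchEvent matchEvent = MatchEvent.builder()
                        .principalUriString(uri)
                        .ruleUriString(ruleUri)
                        .ruleName(rule.getName())
                        .matched(true)
                        .difference(difference)
                        .build();
                String postcondition = rule.getPostconditionScript();
                if (postcondition == null) {
                    ruleResult.setDeterminedEffect(RuleDeterminedEffect.valueOf(rule.getEffect()));
                    response.setFinalEffect(rule.getEffect());
                } else {
                    // See runScript(): the script runs with full host access.
                    boolean scriptPassed = runScript(principalContext, resourceContext, postcondition);
                    matchEvent.setPostScript(postcondition);
                    matchEvent.setPostScriptResult(scriptPassed);
                    if (scriptPassed) {
                        ruleResult.setDeterminedEffect(RuleDeterminedEffect.valueOf(rule.getEffect()));
                        response.setFinalEffect(rule.getEffect());
                    } else {
                        ruleResult.setDeterminedEffect(RuleDeterminedEffect.NOT_APPLICABLE);
                    }
                }
                response.getMatchedRuleResults().add(ruleResult);
                response.getMatchEvents().add(matchEvent);
                if (rule.isFinalRule()) {
                    // A final rule ends evaluation even when its script made it NOT_APPLICABLE.
                    finalRuleHit = true;
                    break;
                }
            }
            if (Log.isDebugEnabled()) {
                Log.debug("");
                Log.debug(" -- Matched Rules:");
                for (RuleResult matched : response.getMatchedRuleResults()) {
                    Log.debug("  " + matched.getRule().getName() + " " + String.valueOf(matched.getDeterminedEffect()));
                }
            }
            if (finalRuleHit) {
                break;
            }
        }
        return response;
    }

    /**
     * Builds one {@link SecurityURI} per role of the principal followed by one for its
     * user id; these are the "text" side of the wildcard match in {@link #checkRules}.
     */
    List<SecurityURI> expandURIPrincipalIdentities(@NotNull @Valid PrincipalContext principalContext, @NotNull @Valid ResourceContext resourceContext) {
        List<SecurityURI> uris = new ArrayList<>();
        for (String role : principalContext.getRoles()) {
            uris.add(createURLForIdentity(role, principalContext, resourceContext));
        }
        uris.add(createURLForIdentity(principalContext.getUserId(), principalContext, resourceContext));
        return uris;
    }

    /**
     * Builds the URI describing {@code str} (a role name or user id) performing the
     * resource's action, with the body taken from the principal's default realm and data
     * domain and the resource id from the resource context.
     *
     * <p>NOTE(review): the body's ownerId is set to {@code str}, i.e. to the role name for
     * role URIs rather than the principal's user id — confirm that is intended, since the
     * system body is compared against it.
     */
    SecurityURI createURLForIdentity(@NotNull String str, @NotNull @Valid PrincipalContext principalContext, @NotNull @Valid ResourceContext resourceContext) {
        SecurityURIHeader header = new SecurityURIHeader.Builder()
                .withIdentity(str)
                .withArea(resourceContext.getArea())
                .withFunctionalDomain(resourceContext.getFunctionalDomain())
                .withAction(resourceContext.getAction())
                .build();
        SecurityURIBody body = new SecurityURIBody.Builder()
                .withRealm(principalContext.getDefaultRealm())
                .withOrgRefName(principalContext.getDataDomain().getOrgRefName())
                .withAccountNumber(principalContext.getDataDomain().getAccountNum())
                .withTenantId(principalContext.getDataDomain().getTenantId())
                .withOwnerId(str)
                .withDataSegment(Integer.toString(principalContext.getDataDomain().getDataSegment()))
                .withResourceId(resourceContext.getResourceId())
                .build();
        return new SecurityURI(header, body);
    }

    /**
     * Returns {@code list} extended with the Morphia filters of every matched, applicable
     * rule (variables such as {@code ${principalId}} substituted from the principal/resource),
     * de-duplicated by {@code Filter.toString()}.
     *
     * <p>SECURITY: this method does NOT enforce the access decision. It runs
     * {@link #checkRules} only to learn which rules matched and attaches their filters
     * whether the rule's effect was ALLOW or DENY; the response's final effect is never
     * consulted. Callers must check {@code checkRules(...).getFinalEffect()} (or rely on
     * the interceptor that does) before executing the filtered query — a DENY rule's filter
     * alone does not block anything.
     *
     * <p>NOTE(review), logic kept as-is: when a rule contributes both AND and OR filters,
     * the accumulated lists are not cleared afterwards, so the next rule's filters are
     * combined with this rule's; and the OR join branch wraps the OR list in
     * {@code Filters.and}. Both look unintended — confirm against the rule-authoring docs.
     *
     * <p>Fix: de-duplication now preserves first-seen order (the original collected into a
     * {@link HashMap}, making the returned filter order depend on hashing).
     *
     * @param list base filters the caller already has; copied, not modified
     * @param cls  model class used when parsing the rule filter strings
     * @return a new list; never null
     */
    public List<Filter> getFilters(List<Filter> list, @Valid @NotNull(message = "Principal Context can not be null") PrincipalContext principalContext, @Valid @NotNull(message = "Resource Context can not be null") ResourceContext resourceContext, Class<? extends UnversionedBaseModel> cls) {
        List<Filter> combined = new ArrayList<>(list);
        SecurityCheckResponse response = checkRules(principalContext, resourceContext);
        List<Filter> andFilters = new ArrayList<>();
        List<Filter> orFilters = new ArrayList<>();
        Map<String, String> variables = MorphiaUtils.createStandardVariableMapFrom(principalContext, resourceContext);
        StringSubstitutor substitutor = new StringSubstitutor(variables);

        for (RuleResult ruleResult : response.getMatchedRuleResults()) {
            if (ruleResult.getDeterminedEffect() == RuleDeterminedEffect.NOT_APPLICABLE) {
                continue;
            }
            Rule rule = ruleResult.getRule();
            String andFilterString = rule.getAndFilterString();
            if (andFilterString != null && !andFilterString.isEmpty()) {
                andFilters.add(MorphiaUtils.convertToFilter(andFilterString, variables, substitutor, cls));
            }
            String orFilterString = rule.getOrFilterString();
            if (orFilterString != null && !orFilterString.isEmpty()) {
                orFilters.add(MorphiaUtils.convertToFilter(orFilterString, variables, substitutor, cls));
            }

            if (andFilters.isEmpty() || orFilters.isEmpty()) {
                // Only one kind present: flush it and start over for the next rule.
                if (!andFilters.isEmpty()) {
                    combined.addAll(andFilters);
                    andFilters.clear();
                } else if (!orFilters.isEmpty()) {
                    combined.add(Filters.or(orFilters.toArray(new Filter[0])));
                    orFilters.clear();
                }
            } else {
                FilterJoinOp joinOp = rule.getJoinOp() != null ? rule.getJoinOp() : FilterJoinOp.AND;
                if (joinOp == FilterJoinOp.AND) {
                    andFilters.add(Filters.or(orFilters.toArray(new Filter[0])));
                    combined.add(Filters.and(andFilters.toArray(new Filter[0])));
                } else {
                    orFilters.add(Filters.and(andFilters.toArray(new Filter[0])));
                    combined.add(Filters.and(orFilters.toArray(new Filter[0])));
                }
            }
            if (rule.isFinalRule()) {
                break;
            }
        }

        Map<String, Filter> unique = new LinkedHashMap<>();
        for (Filter filter : combined) {
            unique.put(filter.toString(), filter);
        }
        return new ArrayList<>(unique.values());
    }

    /**
     * Resolves the realm for a request: the principal's default realm when a principal is
     * present, otherwise the configured {@link #defaultRealm}. {@code resourceContext} is
     * accepted for interface compatibility but not consulted.
     */
    public String getRealmId(PrincipalContext principalContext, ResourceContext resourceContext) {
        return principalContext != null ? principalContext.getDefaultRealm() : this.defaultRealm;
    }
}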
