package org.xwiki.security.authorization;

import java.util.Formatter;
import javax.inject.Inject;
import javax.inject.Singleton;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.xwiki.component.annotation.Component;
import org.xwiki.model.reference.DocumentReference;
import org.xwiki.model.reference.EntityReference;
import org.xwiki.model.reference.EntityReferenceSerializer;
import org.xwiki.security.SecurityReference;
import org.xwiki.security.SecurityReferenceFactory;
import org.xwiki.security.UserSecurityReference;
import org.xwiki.security.authorization.cache.SecurityCache;
import org.xwiki.security.authorization.cache.SecurityCacheLoader;
import org.xwiki.security.authorization.internal.XWikiSecurityAccess;
import org.xwiki.security.internal.XWikiBridge;

@Singleton
@Component
/* loaded from: input_file:WEB-INF/lib/xwiki-platform-security-api-4.5.3.jar:org/xwiki/security/authorization/DefaultAuthorizationManager.class */
public class DefaultAuthorizationManager implements AuthorizationManager {

    @Inject
    private Logger logger;

    @Inject
    private SecurityCache securityCache;

    @Inject
    private SecurityCacheLoader securityCacheLoader;

    @Inject
    private SecurityReferenceFactory securityReferenceFactory;

    @Inject
    private EntityReferenceSerializer<String> entityReferenceSerializer;

    @Inject
    private XWikiBridge xwikiBridge;

    private boolean isSuperAdmin(DocumentReference documentReference) {
        return StringUtils.equalsIgnoreCase(documentReference.getName(), "superadmin");
    }

    @Override // org.xwiki.security.authorization.AuthorizationManager
    public void checkAccess(Right right, DocumentReference documentReference, EntityReference entityReference) throws AccessDeniedException {
        try {
            if (hasSecurityAccess(right, documentReference, entityReference, true)) {
            } else {
                throw new AccessDeniedException(documentReference, entityReference);
            }
        } catch (Exception e) {
            throw new AccessDeniedException(documentReference, entityReference, e);
        }
    }

    @Override // org.xwiki.security.authorization.AuthorizationManager
    public boolean hasAccess(Right right, DocumentReference documentReference, EntityReference entityReference) {
        try {
            return hasSecurityAccess(right, documentReference, entityReference, false);
        } catch (Exception e) {
            this.logger.error("Failed to load rights for user {}.", documentReference, e);
            return false;
        }
    }

    private boolean hasSecurityAccess(Right right, DocumentReference documentReference, EntityReference entityReference, boolean z) throws AuthorizationException {
        if (documentReference == null) {
            logDeny(documentReference, entityReference, right, "missing user");
            return false;
        }
        if (isSuperAdmin(documentReference)) {
            return true;
        }
        if (right == null || right == Right.ILLEGAL) {
            logDeny(documentReference, entityReference, right, "no such right");
            return false;
        }
        if (!right.isReadOnly() && this.xwikiBridge.isWikiReadOnly()) {
            return false;
        }
        RuleState ruleState = getAccess(this.securityReferenceFactory.newUserReference(documentReference), this.securityReferenceFactory.newEntityReference(entityReference)).get(right);
        String str = z ? "security checkpoint" : "access inquiry";
        if (!z || ruleState == RuleState.ALLOW) {
            logAccess(ruleState, documentReference, entityReference, right, str, true);
        } else {
            logDeny(documentReference, entityReference, right, str);
        }
        return ruleState == RuleState.ALLOW;
    }

    @Override // org.xwiki.security.authorization.AuthorizationManager
    public Right register(RightDescription rightDescription) throws UnableToRegisterRightException {
        try {
            Right right = new Right(rightDescription);
            this.securityCache.remove(this.securityReferenceFactory.newEntityReference(this.xwikiBridge.getMainWikiReference()));
            return right;
        } catch (Throwable th) {
            Right right2 = Right.toRight(rightDescription.getName());
            if (right2 == Right.ILLEGAL || !right2.like(rightDescription)) {
                throw new UnableToRegisterRightException(rightDescription, th);
            }
            return right2;
        }
    }

    private SecurityAccess getAccess(UserSecurityReference userSecurityReference, SecurityReference securityReference) throws AuthorizationException {
        SecurityReference securityReference2;
        SecurityReference securityReference3 = securityReference;
        while (true) {
            securityReference2 = securityReference3;
            if (securityReference2 == null) {
                this.logger.debug("4. Returning default access level.  (This should never be reached!)");
                return XWikiSecurityAccess.getDefaultAccess();
            }
            SecurityRuleEntry securityRuleEntry = this.securityCache.get(securityReference2);
            if (securityRuleEntry == null) {
                SecurityAccess access = this.securityCacheLoader.load(userSecurityReference, securityReference).getAccess();
                if (this.logger.isDebugEnabled()) {
                    this.logger.debug(new Formatter().format("1. Loaded a new entry for %s@%s into cache: %s", this.entityReferenceSerializer.serialize(userSecurityReference, new Object[0]), this.entityReferenceSerializer.serialize(securityReference, new Object[0]), access).toString());
                }
                return access;
            }
            if (!securityRuleEntry.isEmpty() || securityReference2.getParentSecurityReference() == null) {
                break;
            }
            securityReference3 = securityReference2.getParentSecurityReference();
        }
        SecurityAccessEntry securityAccessEntry = this.securityCache.get(userSecurityReference, securityReference2);
        if (securityAccessEntry == null) {
            SecurityAccess access2 = this.securityCacheLoader.load(userSecurityReference, securityReference).getAccess();
            if (this.logger.isDebugEnabled()) {
                this.logger.debug(new Formatter().format("2. Loaded a new entry for %s@%s into cache: %s", this.entityReferenceSerializer.serialize(userSecurityReference, new Object[0]), this.entityReferenceSerializer.serialize(securityReference, new Object[0]), access2).toString());
            }
            return access2;
        }
        SecurityAccess access3 = securityAccessEntry.getAccess();
        if (this.logger.isDebugEnabled()) {
            this.logger.debug(new Formatter().format("3. Got entry for %s@%s from cache: %s", this.entityReferenceSerializer.serialize(userSecurityReference, new Object[0]), this.entityReferenceSerializer.serialize(securityReference, new Object[0]), access3).toString());
        }
        return access3;
    }

    private void logAccess(RuleState ruleState, DocumentReference documentReference, EntityReference entityReference, Right right, String str, boolean z) {
        if (!(z && this.logger.isDebugEnabled()) && (z || !this.logger.isInfoEnabled())) {
            return;
        }
        String serialize = documentReference != null ? this.entityReferenceSerializer.serialize(documentReference, new Object[0]) : "no user";
        String serialize2 = entityReference != null ? this.entityReferenceSerializer.serialize(entityReference, new Object[0]) : "no entity";
        String name = right != null ? right.getName() : "no right";
        String str2 = ruleState == RuleState.ALLOW ? "granted" : "denied";
        Formatter formatter = new Formatter();
        if (z) {
            this.logger.debug(formatter.format("Access has been %s for (%s,%s,%s): %s", str2, serialize, serialize2, name, str).toString());
        } else {
            this.logger.info(formatter.format("Access has been %s for (%s,%s,%s): %s", str2, serialize, serialize2, name, str).toString());
        }
    }

    protected void logDeny(DocumentReference documentReference, EntityReference entityReference, Right right, String str) {
        logAccess(RuleState.DENY, documentReference, entityReference, right, str, false);
    }
}
