package org.uberfire.security.impl.authz;

import java.util.Collection;
import java.util.HashMap;
import java.util.Map;
import org.jboss.errai.security.shared.api.Role;
import org.jboss.errai.security.shared.api.identity.User;
import org.uberfire.commons.data.Cacheable;
import org.uberfire.commons.validation.PortablePreconditions;
import org.uberfire.security.Resource;
import org.uberfire.security.annotations.All;
import org.uberfire.security.annotations.Authorized;
import org.uberfire.security.annotations.Deny;
import org.uberfire.security.authz.AuthorizationResult;
import org.uberfire.security.authz.ResourceDecisionManager;
import org.uberfire.security.authz.RoleDecisionManager;
import org.uberfire.security.authz.RolesResource;
import org.uberfire.security.authz.RuntimeResource;
import org.uberfire.security.authz.VotingStrategy;
import org.uberfire.security.impl.authz.RuntimeResourceManager;

/* loaded from: input_file:WEB-INF/lib/uberfire-security-api-0.5.0.CR11.jar:org/uberfire/security/impl/authz/RuntimeResourceDecisionManager.class */
public class RuntimeResourceDecisionManager implements ResourceDecisionManager {
    private static final UnanimousBasedVoter ALL_VOTER = new UnanimousBasedVoter();
    private static final AffirmativeBasedVoter DEFAULT_VOTER = new AffirmativeBasedVoter();
    private final RuntimeAuthzCache cache = new RuntimeAuthzCache();
    private final RuntimeResourceManager resourceManager;

    /* loaded from: input_file:WEB-INF/lib/uberfire-security-api-0.5.0.CR11.jar:org/uberfire/security/impl/authz/RuntimeResourceDecisionManager$RuntimeAuthzCache.class */
    class RuntimeAuthzCache {
        final Map<String, Map<String, AuthorizationResult>> internal = new HashMap();

        RuntimeAuthzCache() {
        }

        public boolean notContains(User user, RuntimeResource runtimeResource) {
            Map<String, AuthorizationResult> map = this.internal.get(runtimeResource.getSignatureId());
            return map == null || !map.containsKey(user.getIdentifier());
        }

        public void put(User user, RuntimeResource runtimeResource, AuthorizationResult authorizationResult) {
            if (!this.internal.containsKey(runtimeResource.getSignatureId())) {
                this.internal.put(runtimeResource.getSignatureId(), new HashMap());
            }
            Map<String, AuthorizationResult> map = this.internal.get(runtimeResource.getSignatureId());
            AuthorizationResult authorizationResult2 = map.get(user.getIdentifier());
            if (map.containsKey(user.getIdentifier()) && authorizationResult2.equals(authorizationResult)) {
                return;
            }
            map.put(user.getIdentifier(), authorizationResult);
        }

        public AuthorizationResult get(User user, RuntimeResource runtimeResource) {
            AuthorizationResult authorizationResult;
            Map<String, AuthorizationResult> map = this.internal.get(runtimeResource.getSignatureId());
            if (map != null && (authorizationResult = map.get(user.getIdentifier())) != null) {
                return authorizationResult;
            }
            return AuthorizationResult.ACCESS_DENIED;
        }
    }

    public RuntimeResourceDecisionManager(RuntimeResourceManager runtimeResourceManager) {
        this.resourceManager = runtimeResourceManager;
    }

    @Override // org.uberfire.security.authz.ResourceDecisionManager
    public boolean supports(Resource resource) {
        return resource != null && (resource instanceof RuntimeResource);
    }

    @Override // org.uberfire.security.authz.ResourceDecisionManager
    public AuthorizationResult decide(Resource resource, User user, RoleDecisionManager roleDecisionManager) {
        PortablePreconditions.checkNotNull("roleDecisionManager", roleDecisionManager);
        if (!(resource instanceof RuntimeResource)) {
            throw new IllegalArgumentException("Parameter named 'resource' is not instance of clazz 'RuntimeResource'!");
        }
        boolean requiresRefresh = resource instanceof Cacheable ? ((Cacheable) resource).requiresRefresh() : false;
        RuntimeResource runtimeResource = (RuntimeResource) resource;
        if (this.cache.notContains(user, runtimeResource) || requiresRefresh) {
            if (!this.resourceManager.requiresAuthentication(runtimeResource)) {
                return AuthorizationResult.ACCESS_ABSTAIN;
            }
            final RuntimeResourceManager.RuntimeRestriction restriction = this.resourceManager.getRestriction(runtimeResource);
            if (restriction == null || restriction.isEmpty()) {
                return AuthorizationResult.ACCESS_ABSTAIN;
            }
            boolean z = false;
            VotingStrategy votingStrategy = null;
            for (String str : restriction.getTraits()) {
                if (str.equals(All.class.getName())) {
                    votingStrategy = ALL_VOTER;
                } else if (str.equals(Authorized.class.getName())) {
                    if (user != null) {
                        return AuthorizationResult.ACCESS_GRANTED;
                    }
                } else if (str.equals(Deny.class.getName())) {
                    z = true;
                }
            }
            if (votingStrategy == null) {
                votingStrategy = DEFAULT_VOTER;
            }
            AuthorizationResult vote = votingStrategy.vote(roleDecisionManager.decide(new RolesResource() { // from class: org.uberfire.security.impl.authz.RuntimeResourceDecisionManager.1
                @Override // org.uberfire.security.authz.RolesResource
                public Collection<Role> getRoles() {
                    return restriction.getRoles();
                }
            }, user));
            if (z) {
                this.cache.put(user, runtimeResource, vote.invert());
            } else {
                this.cache.put(user, runtimeResource, vote);
            }
            if (resource instanceof Cacheable) {
                ((Cacheable) resource).markAsCached();
            }
        }
        return this.cache.get(user, runtimeResource);
    }
}
