package org.jboss.as.controller.access.constraint;

import java.util.Iterator;
import org.jboss.as.controller.ExpressionResolver;
import org.jboss.as.controller.VaultReader;
import org.jboss.as.controller.access.Action;
import org.jboss.as.controller.access.JmxAction;
import org.jboss.as.controller.access.JmxTarget;
import org.jboss.as.controller.access.TargetAttribute;
import org.jboss.as.controller.access.TargetResource;
import org.jboss.as.controller.access.rbac.StandardRole;
import org.jboss.dmr.ModelNode;
import org.jboss.dmr.ModelType;
import org.jboss.dmr.Property;

/* loaded from: input_file:wildfly.zip:modules/system/layers/base/org/jboss/as/controller/main/wildfly-controller-15.0.1.Final.jar:org/jboss/as/controller/access/constraint/SensitiveVaultExpressionConstraint.class */
/**
 * Access-control constraint that classifies a management action as "sensitive" when it
 * involves a vault expression, and tells the authorizer which standard roles are
 * permitted to perform such actions.
 *
 * <p>Four shared instances are used: {@code SENSITIVE}/{@code NOT_SENSITIVE} describe what an
 * action requires, and {@code ALLOWS}/{@code DISALLOWS} describe what a role is granted. How the
 * two are matched against each other is implemented in {@link AllowAllowNotConstraint}, which
 * is not part of this file.
 */
public class SensitiveVaultExpressionConstraint extends AllowAllowNotConstraint {
    /** Factory through which the access-control layer obtains the constraints defined here. */
    public static final ConstraintFactory FACTORY = new Factory();
    // Single-flag instances: the "required" side, i.e. whether the action touches a vault expression.
    private static final SensitiveVaultExpressionConstraint SENSITIVE = new SensitiveVaultExpressionConstraint(true);
    private static final SensitiveVaultExpressionConstraint NOT_SENSITIVE = new SensitiveVaultExpressionConstraint(false);
    // Two-flag instances: the "role" side. The exact meaning of each flag is defined by the
    // superclass constructor (not visible here) - TODO confirm against AllowAllowNotConstraint.
    private static final SensitiveVaultExpressionConstraint ALLOWS = new SensitiveVaultExpressionConstraint(true, true);
    private static final SensitiveVaultExpressionConstraint DISALLOWS = new SensitiveVaultExpressionConstraint(false, true);

    /* loaded from: input_file:wildfly.zip:modules/system/layers/base/org/jboss/as/controller/main/wildfly-controller-15.0.1.Final.jar:org/jboss/as/controller/access/constraint/SensitiveVaultExpressionConstraint$Factory.class */
    /**
     * Produces the role-side and action-side constraints for vault-expression sensitivity.
     */
    private static class Factory extends AbstractConstraintFactory {
        private Factory() {
        }

        /**
         * Returns the constraint granted to a standard role.
         *
         * <p>Only ADMINISTRATOR, SUPERUSER and AUDITOR receive {@code ALLOWS}; every other role
         * (and a {@code null} role) receives {@code DISALLOWS}. The action effect is not consulted.
         *
         * @param standardRole the role being evaluated
         * @param actionEffect unused by this implementation
         * @return {@code ALLOWS} or {@code DISALLOWS}
         */
        @Override
        public Constraint getStandardUserConstraint(StandardRole standardRole, Action.ActionEffect actionEffect) {
            boolean privileged = standardRole == StandardRole.ADMINISTRATOR
                    || standardRole == StandardRole.SUPERUSER
                    || standardRole == StandardRole.AUDITOR;
            if (privileged) {
                return SensitiveVaultExpressionConstraint.ALLOWS;
            }
            return SensitiveVaultExpressionConstraint.DISALLOWS;
        }

        /**
         * Returns the constraint an attribute-level action requires.
         *
         * @param actionEffect the effect being authorized
         * @param action the action carrying the operation
         * @param targetAttribute the attribute the action targets
         * @return {@code SENSITIVE} if the action is classified as involving a vault expression,
         *         otherwise {@code NOT_SENSITIVE}
         */
        @Override
        public Constraint getRequiredConstraint(Action.ActionEffect actionEffect, Action action, TargetAttribute targetAttribute) {
            if (isSensitiveAction(action, actionEffect, targetAttribute)) {
                return SensitiveVaultExpressionConstraint.SENSITIVE;
            }
            return SensitiveVaultExpressionConstraint.NOT_SENSITIVE;
        }

        /**
         * Returns the constraint a resource-level action requires.
         *
         * @param actionEffect the effect being authorized
         * @param action the action carrying the operation
         * @param targetResource unused by this implementation
         * @return {@code SENSITIVE} if the action is classified as involving a vault expression,
         *         otherwise {@code NOT_SENSITIVE}
         */
        @Override
        public Constraint getRequiredConstraint(Action.ActionEffect actionEffect, Action action, TargetResource targetResource) {
            if (isSensitiveAction(action, actionEffect)) {
                return SensitiveVaultExpressionConstraint.SENSITIVE;
            }
            return SensitiveVaultExpressionConstraint.NOT_SENSITIVE;
        }

        /**
         * Resource-level classification: a write operation is sensitive when any of its
         * top-level parameter values is a vault expression.
         *
         * <p>Non-write effects are never sensitive at this level.
         */
        private boolean isSensitiveAction(Action action, Action.ActionEffect actionEffect) {
            // The global sensitivity configuration is consulted first and can switch the check off.
            if (!VaultExpressionSensitivityConfig.INSTANCE.isSensitive(actionEffect)) {
                return false;
            }
            boolean writes = actionEffect == Action.ActionEffect.WRITE_RUNTIME
                    || actionEffect == Action.ActionEffect.WRITE_CONFIG;
            if (!writes) {
                return false;
            }
            // NOTE(review): only the immediate property values are inspected, and isSensitiveValue
            // rejects anything that is not EXPRESSION or STRING, so a vault expression nested inside
            // an OBJECT or LIST parameter is not detected here - confirm that is intended.
            for (Property parameter : action.getOperation().asPropertyList()) {
                if (isSensitiveValue(parameter.getValue())) {
                    return true;
                }
            }
            return false;
        }

        /**
         * Attribute-level classification.
         *
         * <p>For write effects the incoming operation is checked: first the parameter named after
         * the attribute, then the {@code value} parameter of a {@code write-attribute} operation.
         * Independently of that, for every effect except ADDRESS the attribute's current value
         * is checked.
         */
        private boolean isSensitiveAction(Action action, Action.ActionEffect actionEffect, TargetAttribute targetAttribute) {
            if (!VaultExpressionSensitivityConfig.INSTANCE.isSensitive(actionEffect)) {
                return false;
            }
            boolean writes = actionEffect == Action.ActionEffect.WRITE_RUNTIME
                    || actionEffect == Action.ActionEffect.WRITE_CONFIG;
            if (writes) {
                ModelNode operation = action.getOperation();
                // Parameter that carries the attribute under its own name.
                if (operation.hasDefined(targetAttribute.getAttributeName())) {
                    if (isSensitiveValue(operation.get(targetAttribute.getAttributeName()))) {
                        return true;
                    }
                }
                // write-attribute carries the new value under the generic "value" parameter.
                if ("write-attribute".equals(operation.get("operation").asString())) {
                    if (operation.hasDefined("value") && isSensitiveValue(operation.get("value"))) {
                        return true;
                    }
                }
            }
            // Addressing alone never exposes the stored value, so it is excluded here.
            if (actionEffect == Action.ActionEffect.ADDRESS) {
                return false;
            }
            return isSensitiveValue(targetAttribute.getCurrentValue());
        }

        /**
         * Tests whether a model value is an expression whose first {@code ${...}} body matches
         * the standard vault pattern.
         *
         * @param modelNode the value to classify
         * @return {@code true} only for EXPRESSION or STRING nodes that match the expression
         *         pattern and whose first expression body matches the vault pattern
         */
        private boolean isSensitiveValue(ModelNode modelNode) {
            boolean textual = modelNode.getType() == ModelType.EXPRESSION
                    || modelNode.getType() == ModelType.STRING;
            if (!textual) {
                return false;
            }
            String text = modelNode.asString();
            if (!ExpressionResolver.EXPRESSION_PATTERN.matcher(text).matches()) {
                return false;
            }
            // Extract the text between the first "${" and the first "}" that follows it.
            // NOTE(review): relies on EXPRESSION_PATTERN guaranteeing a "}" after the first "${";
            // otherwise substring() would throw - the pattern is defined outside this file.
            int bodyStart = text.indexOf("${") + 2;
            int bodyEnd = text.indexOf("}", bodyStart);
            String firstExpression = text.substring(bodyStart, bodyEnd);
            // NOTE(review): only the first expression is examined. A value whose vault reference
            // appears in a later expression would be classified as not sensitive; how a nested
            // expression is treated depends on STANDARD_VAULT_PATTERN (not shown). Worth confirming
            // against how the resolver treats such values.
            return VaultReader.STANDARD_VAULT_PATTERN.matcher(firstExpression).matches();
        }

        /**
         * Ordering hook of {@link AbstractConstraintFactory}; this factory always reports 0.
         */
        @Override
        protected int internalCompare(AbstractConstraintFactory abstractConstraintFactory) {
            return 0;
        }

        /**
         * JMX actions are never classified as vault-sensitive by this factory.
         *
         * @return always {@code NOT_SENSITIVE}
         */
        @Override
        public Constraint getRequiredConstraint(Action.ActionEffect actionEffect, JmxAction jmxAction, JmxTarget jmxTarget) {
            return SensitiveVaultExpressionConstraint.NOT_SENSITIVE;
        }
    }

    /**
     * Creates an action-side instance; the flag is passed straight to the superclass.
     */
    private SensitiveVaultExpressionConstraint(boolean z) {
        super(z);
    }

    /**
     * Creates a role-side instance; both flags are passed straight to the superclass.
     */
    private SensitiveVaultExpressionConstraint(boolean z, boolean z2) {
        super(z, z2);
    }
}
