package org.cesecore.authorization.access;

import java.util.AbstractMap;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import org.apache.log4j.Logger;
import org.cesecore.authentication.AuthenticationFailedException;
import org.cesecore.authentication.tokens.AuthenticationToken;
import org.cesecore.authorization.rules.AccessRuleData;
import org.cesecore.authorization.user.AccessMatchType;
import org.cesecore.authorization.user.AccessUserAspect;
import org.cesecore.authorization.user.matchvalues.AccessMatchValue;
import org.cesecore.roles.RoleData;

/* loaded from: input_file:org/cesecore/authorization/access/AccessTreeNode.class */
public class AccessTreeNode {
    private static final Logger log = Logger.getLogger(AccessTreeNode.class);
    private String resource;
    private Collection<AbstractMap.SimpleEntry<RoleData, AccessRuleData>> roleRulePairs = new ArrayList();
    private HashMap<String, AccessTreeNode> leafs = new HashMap<>();

    public AccessTreeNode(String str) {
        this.resource = str;
    }

    public boolean isAuthorized(AuthenticationToken authenticationToken, String str) throws AuthenticationFailedException {
        return isAuthorizedRecursive(authenticationToken, str, AccessTreeState.STATE_UNKNOWN, false);
    }

    public boolean isAuthorized(AuthenticationToken authenticationToken, String str, boolean z) throws AuthenticationFailedException {
        return isAuthorizedRecursive(authenticationToken, str, AccessTreeState.STATE_UNKNOWN, z);
    }

    private boolean isAuthorizedRecursive(AuthenticationToken authenticationToken, String str, AccessTreeState accessTreeState, boolean z) throws AuthenticationFailedException {
        if (log.isTraceEnabled()) {
            log.trace(">isAuthorizedRecursive(" + authenticationToken.toString() + ", " + str + ", " + accessTreeState + "). Resource=" + this.resource);
        }
        boolean z2 = false;
        AccessTreeState findPreferredRule = findPreferredRule(authenticationToken);
        if (log.isTraceEnabled()) {
            log.trace("preferredRule: " + findPreferredRule);
        }
        if (!str.equals(this.resource)) {
            String substring = str.substring(this.resource.length());
            if (substring.toCharArray()[0] == '/') {
                substring = substring.substring(1);
            }
            int indexOf = substring.indexOf(47);
            AccessTreeNode accessTreeNode = this.leafs.get(indexOf != -1 ? substring.substring(0, indexOf) : substring);
            if (accessTreeNode != null) {
                if (findPreferredRule == AccessTreeState.STATE_ACCEPT_RECURSIVE || findPreferredRule == AccessTreeState.STATE_DECLINE) {
                    accessTreeState = findPreferredRule;
                }
                z2 = accessTreeNode.isAuthorizedRecursive(authenticationToken, substring, accessTreeState, z);
            } else if (findPreferredRule == AccessTreeState.STATE_ACCEPT_RECURSIVE) {
                z2 = true;
            } else if (accessTreeState == AccessTreeState.STATE_ACCEPT_RECURSIVE && findPreferredRule != AccessTreeState.STATE_DECLINE) {
                z2 = true;
            } else if (log.isTraceEnabled()) {
                log.trace("Not accepting because state is not STATE_ACCEPT_RECURSIVE. Internalstate=" + findPreferredRule + ", legacyState=" + accessTreeState);
            }
        } else if (accessTreeState == AccessTreeState.STATE_DECLINE) {
            if (log.isTraceEnabled()) {
                log.trace("Rejecting because legacyState is AccessTreeState.STATE_DECLINE");
            }
            z2 = false;
        } else if (accessTreeState == AccessTreeState.STATE_ACCEPT_RECURSIVE) {
            if (findPreferredRule != AccessTreeState.STATE_DECLINE) {
                z2 = true;
            }
        } else if ((findPreferredRule == AccessTreeState.STATE_ACCEPT && !z) || findPreferredRule == AccessTreeState.STATE_ACCEPT_RECURSIVE) {
            z2 = true;
        }
        if (log.isTraceEnabled()) {
            log.trace("<isAuthorizedRecursive(" + authenticationToken.toString() + ", " + str + ", " + accessTreeState + "): " + z2);
        }
        return z2;
    }

    public void addAccessRule(String str, AccessRuleData accessRuleData, RoleData roleData) {
        if (str.equals(this.resource)) {
            this.roleRulePairs.add(new AbstractMap.SimpleEntry<>(roleData, accessRuleData));
            return;
        }
        String substring = str.substring(this.resource.length());
        if (substring.toCharArray()[0] == '/') {
            substring = substring.substring(1);
        }
        int indexOf = substring.indexOf(47);
        String substring2 = indexOf != -1 ? substring.substring(0, indexOf) : substring;
        AccessTreeNode accessTreeNode = this.leafs.get(substring2);
        if (accessTreeNode == null) {
            accessTreeNode = new AccessTreeNode(substring2);
            this.leafs.put(substring2, accessTreeNode);
        }
        accessTreeNode.addAccessRule(substring, accessRuleData, roleData);
    }

    private AccessTreeState findPreferredRule(AuthenticationToken authenticationToken) throws AuthenticationFailedException {
        AccessTreeState accessTreeState = null;
        AccessMatchValue defaultMatchValue = authenticationToken.getDefaultMatchValue();
        if (log.isTraceEnabled()) {
            log.trace("AccessTreeNode " + this.resource + " has " + this.roleRulePairs.size() + " roleRulePairs");
        }
        loop0: for (AbstractMap.SimpleEntry<RoleData, AccessRuleData> simpleEntry : this.roleRulePairs) {
            Collection<AccessUserAspect> values = simpleEntry.getKey().getAccessUsers().values();
            if (log.isTraceEnabled()) {
                log.trace("roleRulePair for accessRuleName " + simpleEntry.getValue().getAccessRuleName() + " has " + values.size() + " accessUsers");
            }
            for (AccessUserAspect accessUserAspect : values) {
                if (authenticationToken.matchTokenType(accessUserAspect.getTokenType())) {
                    if (authenticationToken.matches(accessUserAspect)) {
                        accessTreeState = AccessTreeState.STATE_ACCEPT_RECURSIVE;
                        AccessTreeState treeState = simpleEntry.getValue().getTreeState();
                        AccessMatchValue matchValueFromDatabaseValue = authenticationToken.getMatchValueFromDatabaseValue(Integer.valueOf(accessUserAspect.getMatchWith()));
                        if (log.isTraceEnabled()) {
                            AccessTreeState accessTreeState2 = treeState;
                            if (accessTreeState2 == null) {
                                log.trace("logState is null for authenticationToken " + authenticationToken.toString());
                                accessTreeState2 = AccessTreeState.STATE_UNKNOWN;
                            }
                            AccessMatchValue accessMatchValue = matchValueFromDatabaseValue;
                            if (accessMatchValue == null) {
                                log.trace("logMatchValue is null for authenticationToken " + authenticationToken.toString());
                                accessMatchValue = authenticationToken.getDefaultMatchValue();
                            }
                            AccessMatchType matchTypeAsType = accessUserAspect.getMatchTypeAsType();
                            log.trace("accessUser " + accessMatchValue.name() + " " + (matchTypeAsType == null ? "null" : matchTypeAsType.name()) + " " + accessUserAspect.getMatchValue() + " matched authenticationToken. thisUserState=" + accessTreeState2.name() + " thisUserStatePriority=" + matchValueFromDatabaseValue);
                        }
                        if (defaultMatchValue.getNumericValue() < matchValueFromDatabaseValue.getNumericValue()) {
                            accessTreeState = treeState;
                            defaultMatchValue = matchValueFromDatabaseValue;
                        } else if (defaultMatchValue == matchValueFromDatabaseValue && accessTreeState.getLegacyNumber() < treeState.getLegacyNumber()) {
                            accessTreeState = treeState;
                        }
                        if (defaultMatchValue.getNumericValue() == Integer.MAX_VALUE) {
                            break loop0;
                        }
                    } else if (log.isTraceEnabled()) {
                        log.trace("accessUser " + authenticationToken.getMatchValueFromDatabaseValue(Integer.valueOf(accessUserAspect.getMatchWith())).name() + " " + accessUserAspect.getMatchTypeAsType().name() + " " + accessUserAspect.getMatchValue() + " did not match authenticationToken.");
                    }
                }
            }
        }
        if (accessTreeState == null) {
            accessTreeState = AccessTreeState.STATE_UNKNOWN;
        }
        return accessTreeState;
    }

    public String getResource() {
        return this.resource;
    }
}
