package org.sonatype.nexus.security.internal;

import com.google.common.base.Preconditions;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.google.common.eventbus.AllowConcurrentEvents;
import com.google.common.eventbus.Subscribe;
import java.util.ArrayDeque;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import javax.annotation.Nullable;
import javax.inject.Inject;
import javax.inject.Named;
import javax.inject.Singleton;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.RolePermissionResolver;
import org.sonatype.goodies.common.ComponentSupport;
import org.sonatype.nexus.common.event.EventHelper;
import org.sonatype.nexus.common.event.EventManager;
import org.sonatype.nexus.distributed.event.service.api.common.AuthorizationChangedDistributedEvent;
import org.sonatype.nexus.security.authz.AuthorizationConfigurationChanged;
import org.sonatype.nexus.security.config.CPrivilege;
import org.sonatype.nexus.security.config.CRole;
import org.sonatype.nexus.security.config.SecurityConfigurationManager;
import org.sonatype.nexus.security.privilege.NoSuchPrivilegeException;
import org.sonatype.nexus.security.privilege.PrivilegeDescriptor;
import org.sonatype.nexus.security.role.NoSuchRoleException;

@Singleton
@Named("default")
/* loaded from: input_file:org/sonatype/nexus/security/internal/RolePermissionResolverImpl.class */
public class RolePermissionResolverImpl extends ComponentSupport implements RolePermissionResolver {
    private final SecurityConfigurationManager configuration;
    private final List<PrivilegeDescriptor> privilegeDescriptors;
    private final Cache<String, Permission> permissionsCache = CacheBuilder.newBuilder().softValues().build();
    private final Cache<String, Collection<Permission>> rolePermissionsCache = CacheBuilder.newBuilder().softValues().build();
    private final Cache<String, String> roleNotFoundCache;

    @Inject
    public RolePermissionResolverImpl(SecurityConfigurationManager securityConfigurationManager, List<PrivilegeDescriptor> list, EventManager eventManager, @Named("${security.roleNotFoundCacheSize:-100000}") int i) {
        this.configuration = (SecurityConfigurationManager) Preconditions.checkNotNull(securityConfigurationManager);
        this.privilegeDescriptors = (List) Preconditions.checkNotNull(list);
        this.roleNotFoundCache = CacheBuilder.newBuilder().maximumSize(i).build();
        eventManager.register(this);
    }

    private void invalidate() {
        this.permissionsCache.invalidateAll();
        this.rolePermissionsCache.invalidateAll();
        this.roleNotFoundCache.invalidateAll();
        this.log.trace("Cache invalidated");
    }

    @AllowConcurrentEvents
    @Subscribe
    public void on(AuthorizationConfigurationChanged authorizationConfigurationChanged) {
        invalidate();
    }

    @AllowConcurrentEvents
    @Subscribe
    public void on(SecurityContributionChangedEvent securityContributionChangedEvent) {
        invalidate();
    }

    @AllowConcurrentEvents
    @Subscribe
    public void on(AuthorizationChangedDistributedEvent authorizationChangedDistributedEvent) {
        if (EventHelper.isReplicating()) {
            invalidate();
        }
    }

    @Override // org.apache.shiro.authz.permission.RolePermissionResolver
    public Collection<Permission> resolvePermissionsInRole(String str) {
        Preconditions.checkNotNull(str);
        Collection<Permission> ifPresent = this.rolePermissionsCache.getIfPresent(str);
        if (ifPresent != null) {
            return ifPresent;
        }
        LinkedHashSet linkedHashSet = new LinkedHashSet();
        ArrayDeque arrayDeque = new ArrayDeque();
        HashSet hashSet = new HashSet();
        arrayDeque.add(str);
        while (!arrayDeque.isEmpty()) {
            String str2 = (String) arrayDeque.removeFirst();
            if (hashSet.add(str2)) {
                if (this.roleNotFoundCache.getIfPresent(str2) != null) {
                    this.log.trace("Role {} found in NFC, role check skipped", str2);
                } else {
                    try {
                        Collection<Permission> ifPresent2 = this.rolePermissionsCache.getIfPresent(str2);
                        if (ifPresent2 != null) {
                            linkedHashSet.addAll(ifPresent2);
                        } else {
                            CRole readRole = this.configuration.readRole(str2);
                            arrayDeque.addAll(readRole.getRoles());
                            Iterator<String> it = readRole.getPrivileges().iterator();
                            while (it.hasNext()) {
                                Permission permission = permission(it.next());
                                if (permission != null) {
                                    linkedHashSet.add(permission);
                                }
                            }
                        }
                    } catch (NoSuchRoleException e) {
                        this.log.trace("Ignoring missing role: {}", str2, e);
                        this.roleNotFoundCache.put(str2, "");
                    }
                }
            }
        }
        this.rolePermissionsCache.put(str, linkedHashSet);
        return linkedHashSet;
    }

    @Nullable
    private PrivilegeDescriptor descriptor(String str) {
        Preconditions.checkNotNull(str);
        for (PrivilegeDescriptor privilegeDescriptor : this.privilegeDescriptors) {
            if (str.equals(privilegeDescriptor.getType())) {
                return privilegeDescriptor;
            }
        }
        this.log.warn("Missing privilege-descriptor for type: {}", str);
        return null;
    }

    @Nullable
    private Permission permission(String str) {
        Preconditions.checkNotNull(str);
        Permission ifPresent = this.permissionsCache.getIfPresent(str);
        if (ifPresent == null) {
            try {
                CPrivilege readPrivilege = this.configuration.readPrivilege(str);
                PrivilegeDescriptor descriptor = descriptor(readPrivilege.getType());
                if (descriptor != null) {
                    ifPresent = descriptor.createPermission(readPrivilege);
                    this.permissionsCache.put(str, ifPresent);
                }
            } catch (NoSuchPrivilegeException e) {
                this.log.trace("Ignoring missing privilege: {}", str, e);
            }
        }
        return ifPresent;
    }
}
