package org.sonatype.nexus.security.internal;

import com.google.common.base.Preconditions;
import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import com.google.common.eventbus.AllowConcurrentEvents;
import com.google.common.eventbus.Subscribe;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.inject.Inject;
import javax.inject.Named;
import javax.inject.Singleton;
import org.apache.shiro.authc.credential.PasswordService;
import org.sonatype.goodies.common.ComponentSupport;
import org.sonatype.nexus.common.event.EventAware;
import org.sonatype.nexus.common.event.EventManager;
import org.sonatype.nexus.common.text.Strings2;
import org.sonatype.nexus.security.authz.AuthorizationConfigurationChanged;
import org.sonatype.nexus.security.config.CPrivilege;
import org.sonatype.nexus.security.config.CRole;
import org.sonatype.nexus.security.config.CUser;
import org.sonatype.nexus.security.config.CUserRoleMapping;
import org.sonatype.nexus.security.config.MemorySecurityConfiguration;
import org.sonatype.nexus.security.config.SecurityConfiguration;
import org.sonatype.nexus.security.config.SecurityConfigurationCleaner;
import org.sonatype.nexus.security.config.SecurityConfigurationManager;
import org.sonatype.nexus.security.config.SecurityConfigurationSource;
import org.sonatype.nexus.security.config.SecurityContributor;
import org.sonatype.nexus.security.privilege.DuplicatePrivilegeException;
import org.sonatype.nexus.security.privilege.NoSuchPrivilegeException;
import org.sonatype.nexus.security.privilege.ReadonlyPrivilegeException;
import org.sonatype.nexus.security.role.DuplicateRoleException;
import org.sonatype.nexus.security.role.NoSuchRoleException;
import org.sonatype.nexus.security.role.ReadonlyRoleException;
import org.sonatype.nexus.security.role.RoleContainsItselfException;
import org.sonatype.nexus.security.user.NoSuchRoleMappingException;
import org.sonatype.nexus.security.user.UserNotFoundException;

@Singleton
@Named("default")
/* loaded from: input_file:org/sonatype/nexus/security/internal/SecurityConfigurationManagerImpl.class */
public class SecurityConfigurationManagerImpl extends ComponentSupport implements SecurityConfigurationManager, EventAware {
    private final SecurityConfigurationSource configurationSource;
    private final SecurityConfigurationCleaner configCleaner;
    private final PasswordService passwordService;
    private final EventManager eventManager;
    private volatile SecurityConfiguration defaultConfiguration;
    private volatile SecurityConfiguration mergedConfiguration;
    private final List<SecurityContributor> securityContributors = new ArrayList();
    private final AtomicInteger mergedConfigurationDirty = new AtomicInteger(1);
    private boolean firstTimeConfiguration = true;

    @Inject
    public SecurityConfigurationManagerImpl(SecurityConfigurationSource securityConfigurationSource, SecurityConfigurationCleaner securityConfigurationCleaner, PasswordService passwordService, EventManager eventManager) {
        this.configurationSource = securityConfigurationSource;
        this.eventManager = eventManager;
        this.configCleaner = securityConfigurationCleaner;
        this.passwordService = passwordService;
    }

    @Override // org.sonatype.nexus.security.config.SecurityConfigurationManager
    public List<CPrivilege> listPrivileges() {
        ArrayList newArrayList = Lists.newArrayList();
        newArrayList.addAll(getDefaultConfiguration().getPrivileges());
        newArrayList.addAll(getMergedConfiguration().getPrivileges());
        return Collections.unmodifiableList(newArrayList);
    }

    @Override // org.sonatype.nexus.security.config.SecurityConfigurationManager
    public List<CRole> listRoles() {
        ArrayList newArrayList = Lists.newArrayList();
        newArrayList.addAll(getDefaultConfiguration().getRoles());
        newArrayList.addAll(getMergedConfiguration().getRoles());
        return Collections.unmodifiableList(newArrayList);
    }

    @Override // org.sonatype.nexus.security.config.SecurityConfigurationManager
    public List<CUser> listUsers() {
        return Collections.unmodifiableList(getDefaultConfiguration().getUsers());
    }

    @Override // org.sonatype.nexus.security.config.SecurityConfigurationManager
    public List<CUserRoleMapping> listUserRoleMappings() {
        return Collections.unmodifiableList(getDefaultConfiguration().getUserRoleMappings());
    }

    @Override // org.sonatype.nexus.security.config.SecurityConfigurationManager
    public void createPrivilege(CPrivilege cPrivilege) {
        if (getMergedConfiguration().getPrivileges().stream().anyMatch(cPrivilege2 -> {
            return cPrivilege2.getId().equals(cPrivilege.getId());
        })) {
            throw new DuplicatePrivilegeException(cPrivilege.getId());
        }
        getDefaultConfiguration().addPrivilege(cPrivilege);
    }

    @Override // org.sonatype.nexus.security.config.SecurityConfigurationManager
    public void createRole(CRole cRole) {
        if (getMergedConfiguration().getRoles().stream().anyMatch(cRole2 -> {
            return cRole2.getId().equals(cRole.getId());
        })) {
            throw new DuplicateRoleException(cRole.getId());
        }
        validateContainedRolesAndPrivileges(cRole);
        getDefaultConfiguration().addRole(cRole);
    }

    @Override // org.sonatype.nexus.security.config.SecurityConfigurationManager
    public void createUser(CUser cUser, Set<String> set) {
        createUser(cUser, null, set);
    }

    @Override // org.sonatype.nexus.security.config.SecurityConfigurationManager
    public void createUser(CUser cUser, String str, Set<String> set) {
        if (!Strings2.isBlank(str)) {
            cUser.setPassword(this.passwordService.encryptPassword(str));
        }
        getDefaultConfiguration().addUser(cUser, set);
    }

    @Override // org.sonatype.nexus.security.config.SecurityConfigurationManager
    public void deletePrivilege(String str) {
        try {
            getDefaultConfiguration().removePrivilege(str);
            cleanRemovedPrivilege(str);
        } catch (NoSuchPrivilegeException e) {
            if (!getMergedConfiguration().getPrivileges().stream().anyMatch(cPrivilege -> {
                return cPrivilege.getId().equals(str);
            })) {
                throw new NoSuchPrivilegeException(str);
            }
            throw new ReadonlyPrivilegeException(str);
        }
    }

    @Override // org.sonatype.nexus.security.config.SecurityConfigurationManager
    public void deletePrivilegeByName(String str) {
        CPrivilege readPrivilegeByName = readPrivilegeByName(str);
        try {
            getDefaultConfiguration().removePrivilegeByName(str);
            cleanRemovedPrivilege(readPrivilegeByName.getId());
        } catch (NoSuchPrivilegeException e) {
            if (!getMergedConfiguration().getPrivileges().stream().anyMatch(cPrivilege -> {
                return cPrivilege.getName().equals(str);
            })) {
                throw new NoSuchPrivilegeException(str);
            }
            throw new ReadonlyPrivilegeException(str);
        }
    }

    @Override // org.sonatype.nexus.security.config.SecurityConfigurationManager
    public void deleteRole(String str) {
        try {
            getDefaultConfiguration().removeRole(str);
            this.configCleaner.roleRemoved(getDefaultConfiguration(), str);
        } catch (NoSuchRoleException e) {
            if (!getMergedConfiguration().getRoles().stream().anyMatch(cRole -> {
                return cRole.getId().equals(str);
            })) {
                throw e;
            }
            throw new ReadonlyRoleException(str);
        }
    }

    @Override // org.sonatype.nexus.security.config.SecurityConfigurationManager
    public void deleteUser(String str) throws UserNotFoundException {
        if (!getDefaultConfiguration().removeUser(str)) {
            throw new UserNotFoundException(str);
        }
    }

    @Override // org.sonatype.nexus.security.config.SecurityConfigurationManager
    public CPrivilege newPrivilege() {
        return getDefaultConfiguration().newPrivilege();
    }

    @Override // org.sonatype.nexus.security.config.SecurityConfigurationManager
    public CRole newRole() {
        return getDefaultConfiguration().newRole();
    }

    @Override // org.sonatype.nexus.security.config.SecurityConfigurationManager
    public CUser newUser() {
        return getDefaultConfiguration().newUser();
    }

    @Override // org.sonatype.nexus.security.config.SecurityConfigurationManager
    public CUserRoleMapping newUserRoleMapping() {
        return getDefaultConfiguration().newUserRoleMapping();
    }

    @Override // org.sonatype.nexus.security.config.SecurityConfigurationManager
    public CPrivilege readPrivilege(String str) {
        CPrivilege privilege = getMergedConfiguration().getPrivilege(str);
        if (privilege != null) {
            return privilege;
        }
        CPrivilege validateExistingPrivilege = validateExistingPrivilege(str);
        if (validateExistingPrivilege != null) {
            return validateExistingPrivilege;
        }
        throw new NoSuchPrivilegeException(str);
    }

    @Override // org.sonatype.nexus.security.config.SecurityConfigurationManager
    public CPrivilege readPrivilegeByName(String str) {
        return (CPrivilege) Optional.of(str).map(str2 -> {
            return getMergedConfiguration().getPrivilegeByName(str2);
        }).orElseGet(() -> {
            return (CPrivilege) Optional.ofNullable(getDefaultConfiguration().getPrivilegeByName(str)).orElseThrow(() -> {
                return new NoSuchPrivilegeException(str);
            });
        });
    }

    @Override // org.sonatype.nexus.security.config.SecurityConfigurationManager
    public List<CPrivilege> readPrivileges(Set<String> set) {
        List<CPrivilege> privileges = getMergedConfiguration().getPrivileges(set);
        Sets.SetView difference = Sets.difference(set, (Set) privileges.stream().map((v0) -> {
            return v0.getId();
        }).collect(Collectors.toSet()));
        if (difference.isEmpty()) {
            return privileges;
        }
        List<CPrivilege> privileges2 = getDefaultConfiguration().getPrivileges(difference);
        Sets.SetView difference2 = Sets.difference(difference, (Set) privileges2.stream().map((v0) -> {
            return v0.getId();
        }).collect(Collectors.toSet()));
        if (!difference2.isEmpty()) {
            this.log.debug("Unable to find privileges for ids={}", difference2);
        }
        return (List) Stream.concat(privileges2.stream(), privileges.stream()).collect(Collectors.toList());
    }

    @Override // org.sonatype.nexus.security.config.SecurityConfigurationManager
    public CRole readRole(String str) {
        CRole role = getMergedConfiguration().getRole(str);
        if (role != null) {
            return role;
        }
        CRole role2 = getDefaultConfiguration().getRole(str);
        if (role2 != null) {
            return role2;
        }
        throw new NoSuchRoleException(str);
    }

    @Override // org.sonatype.nexus.security.config.SecurityConfigurationManager
    public CUser readUser(String str) throws UserNotFoundException {
        CUser user = getDefaultConfiguration().getUser(str);
        if (user != null) {
            return user;
        }
        throw new UserNotFoundException(str);
    }

    @Override // org.sonatype.nexus.security.config.SecurityConfigurationManager
    public void updatePrivilege(CPrivilege cPrivilege) {
        if (getDefaultConfiguration().getPrivilege(cPrivilege.getId()) != null) {
            getDefaultConfiguration().updatePrivilege(cPrivilege);
        } else {
            if (!getMergedConfiguration().getPrivileges().stream().anyMatch(cPrivilege2 -> {
                return cPrivilege2.getId().equals(cPrivilege.getId());
            })) {
                throw new NoSuchPrivilegeException(cPrivilege.getId());
            }
            throw new ReadonlyPrivilegeException(cPrivilege.getId());
        }
    }

    @Override // org.sonatype.nexus.security.config.SecurityConfigurationManager
    public void updatePrivilegeByName(CPrivilege cPrivilege) {
        if (Optional.ofNullable(getDefaultConfiguration().getPrivilegeByName(cPrivilege.getName())).isPresent()) {
            getDefaultConfiguration().updatePrivilegeByName(cPrivilege);
        } else {
            if (!getMergedConfiguration().getPrivileges().stream().anyMatch(cPrivilege2 -> {
                return cPrivilege2.getName().equals(cPrivilege.getName());
            })) {
                throw new NoSuchPrivilegeException(cPrivilege.getName());
            }
            throw new ReadonlyPrivilegeException(cPrivilege.getName());
        }
    }

    @Override // org.sonatype.nexus.security.config.SecurityConfigurationManager
    public void updateRole(CRole cRole) {
        if (getDefaultConfiguration().getRole(cRole.getId()) == null) {
            if (!getMergedConfiguration().getRoles().stream().anyMatch(cRole2 -> {
                return cRole2.getId().equals(cRole.getId());
            })) {
                throw new NoSuchRoleException(cRole.getId());
            }
            throw new ReadonlyRoleException(cRole.getId());
        }
        validateContainedRolesAndPrivileges(cRole);
        validateRoleDoesntContainItself(cRole);
        getDefaultConfiguration().updateRole(cRole);
    }

    @Override // org.sonatype.nexus.security.config.SecurityConfigurationManager
    public void updateUser(CUser cUser) throws UserNotFoundException {
        getDefaultConfiguration().updateUser(cUser);
    }

    @Override // org.sonatype.nexus.security.config.SecurityConfigurationManager
    public void updateUser(CUser cUser, Set<String> set) throws UserNotFoundException {
        getDefaultConfiguration().updateUser(cUser, set);
    }

    @Override // org.sonatype.nexus.security.config.SecurityConfigurationManager
    public void createUserRoleMapping(CUserRoleMapping cUserRoleMapping) {
        getDefaultConfiguration().addUserRoleMapping(cUserRoleMapping);
    }

    @Override // org.sonatype.nexus.security.config.SecurityConfigurationManager
    public CUserRoleMapping readUserRoleMapping(String str, String str2) throws NoSuchRoleMappingException {
        CUserRoleMapping userRoleMapping = getDefaultConfiguration().getUserRoleMapping(str, str2);
        if (userRoleMapping != null) {
            return userRoleMapping;
        }
        throw new NoSuchRoleMappingException(str);
    }

    @Override // org.sonatype.nexus.security.config.SecurityConfigurationManager
    public void updateUserRoleMapping(CUserRoleMapping cUserRoleMapping) throws NoSuchRoleMappingException {
        getDefaultConfiguration().updateUserRoleMapping(cUserRoleMapping);
    }

    @Override // org.sonatype.nexus.security.config.SecurityConfigurationManager
    public void deleteUserRoleMapping(String str, String str2) throws NoSuchRoleMappingException {
        if (!getDefaultConfiguration().removeUserRoleMapping(str, str2)) {
            throw new NoSuchRoleMappingException(str);
        }
    }

    public void addContributor(SecurityContributor securityContributor) {
        synchronized (this) {
            this.securityContributors.add(securityContributor);
        }
        this.eventManager.post(new SecurityContributionChangedEvent());
    }

    public void removeContributor(SecurityContributor securityContributor) {
        synchronized (this) {
            this.securityContributors.remove(securityContributor);
        }
        this.eventManager.post(new SecurityContributionChangedEvent());
    }

    @Override // org.sonatype.nexus.security.config.SecurityConfigurationManager
    public void cleanRemovedPrivilege(String str) {
        this.configCleaner.privilegeRemoved(getDefaultConfiguration(), str);
    }

    private SecurityConfiguration getDefaultConfiguration() {
        SecurityConfiguration securityConfiguration = this.defaultConfiguration;
        if (securityConfiguration == null) {
            synchronized (this) {
                securityConfiguration = this.defaultConfiguration;
                if (securityConfiguration == null) {
                    SecurityConfiguration doGetDefaultConfiguration = doGetDefaultConfiguration();
                    securityConfiguration = doGetDefaultConfiguration;
                    this.defaultConfiguration = doGetDefaultConfiguration;
                }
            }
        }
        return securityConfiguration;
    }

    private SecurityConfiguration doGetDefaultConfiguration() {
        return this.configurationSource.loadConfiguration();
    }

    @AllowConcurrentEvents
    @Subscribe
    public void on(SecurityContributionChangedEvent securityContributionChangedEvent) {
        this.mergedConfigurationDirty.incrementAndGet();
    }

    private SecurityConfiguration getMergedConfiguration() {
        if (this.mergedConfigurationDirty.get() != 0) {
            boolean z = false;
            synchronized (this) {
                int i = this.mergedConfigurationDirty.get();
                if (i != 0) {
                    this.mergedConfiguration = doGetMergedConfiguration();
                    this.mergedConfigurationDirty.compareAndSet(i, 0);
                    z = !this.firstTimeConfiguration;
                    this.firstTimeConfiguration = false;
                }
            }
            if (z) {
                this.eventManager.post(new AuthorizationConfigurationChanged());
            }
        }
        return this.mergedConfiguration;
    }

    private MemorySecurityConfiguration doGetMergedConfiguration() {
        MemorySecurityConfiguration memorySecurityConfiguration = new MemorySecurityConfiguration();
        Iterator<SecurityContributor> it = this.securityContributors.iterator();
        while (it.hasNext()) {
            SecurityConfiguration contribution = it.next().getContribution();
            if (contribution != null) {
                Preconditions.checkState(contribution.getUsers() == null || contribution.getUsers().isEmpty(), "Security contributions cannot have users");
                Preconditions.checkState(contribution.getUserRoleMappings() == null || contribution.getUserRoleMappings().isEmpty(), "Security contributions cannot have user/role mappings");
                appendConfig(memorySecurityConfiguration, contribution);
            }
        }
        return memorySecurityConfiguration;
    }

    private SecurityConfiguration appendConfig(SecurityConfiguration securityConfiguration, SecurityConfiguration securityConfiguration2) {
        for (CPrivilege cPrivilege : securityConfiguration2.getPrivileges()) {
            cPrivilege.setReadOnly(true);
            securityConfiguration.addPrivilege(cPrivilege);
        }
        HashMap hashMap = new HashMap();
        for (CRole cRole : securityConfiguration.getRoles()) {
            hashMap.put(cRole.getId(), cRole);
        }
        for (CRole cRole2 : securityConfiguration2.getRoles()) {
            CRole cRole3 = (CRole) hashMap.get(cRole2.getId());
            if (cRole3 != null) {
                cRole2 = mergeRolesContents(cRole2, cRole3);
                securityConfiguration.removeRole(cRole2.getId());
            }
            cRole2.setReadOnly(true);
            securityConfiguration.addRole(cRole2);
            hashMap.put(cRole2.getId(), cRole2);
        }
        return securityConfiguration;
    }

    private CRole mergeRolesContents(CRole cRole, CRole cRole2) {
        HashSet hashSet = new HashSet();
        if (cRole.getRoles() != null) {
            hashSet.addAll(cRole.getRoles());
        }
        if (cRole2.getRoles() != null) {
            hashSet.addAll(cRole2.getRoles());
        }
        HashSet hashSet2 = new HashSet();
        if (cRole.getPrivileges() != null) {
            hashSet2.addAll(cRole.getPrivileges());
        }
        if (cRole2.getPrivileges() != null) {
            hashSet2.addAll(cRole2.getPrivileges());
        }
        CRole newRole = newRole();
        newRole.setId(cRole.getId());
        newRole.setRoles(Sets.newHashSet(hashSet));
        newRole.setPrivileges(Sets.newHashSet(hashSet2));
        if (Strings2.isBlank(cRole.getName())) {
            newRole.setName(cRole2.getName());
        } else {
            newRole.setName(cRole.getName());
        }
        if (Strings2.isBlank(cRole.getDescription())) {
            newRole.setDescription(cRole2.getDescription());
        } else {
            newRole.setDescription(cRole.getDescription());
        }
        return newRole;
    }

    private void validateContainedRolesAndPrivileges(CRole cRole) {
        cRole.getRoles().forEach(this::readRole);
        cRole.getPrivileges().forEach(this::readPrivilege);
    }

    private void validateRoleDoesntContainItself(CRole cRole) {
        validateRoleDoesntContainItself(cRole, cRole, new HashSet());
    }

    private void validateRoleDoesntContainItself(CRole cRole, CRole cRole2, Set<String> set) {
        cRole2.getRoles().forEach(str -> {
            if (str.equals(cRole.getId())) {
                throw new RoleContainsItselfException(cRole.getId());
            }
            if (set.contains(str)) {
                return;
            }
            set.add(str);
            validateRoleDoesntContainItself(cRole, readRole(str), set);
        });
    }

    private CPrivilege validateExistingPrivilege(String str) {
        CPrivilege privilege = getDefaultConfiguration().getPrivilege(str);
        return privilege == null ? getDefaultConfiguration().getPrivilegeByName(str) : privilege;
    }
}
