package org.xwiki.security.authorization;

import javax.inject.Inject;
import javax.inject.Singleton;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.xwiki.component.annotation.Component;
import org.xwiki.model.reference.DocumentReference;
import org.xwiki.model.reference.EntityReference;
import org.xwiki.model.reference.EntityReferenceSerializer;
import org.xwiki.security.SecurityReference;
import org.xwiki.security.SecurityReferenceFactory;
import org.xwiki.security.UserSecurityReference;
import org.xwiki.security.authorization.cache.SecurityCache;
import org.xwiki.security.authorization.cache.SecurityCacheLoader;
import org.xwiki.security.internal.XWikiBridge;

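/**
 * Default {@link AuthorizationManager}: decides whether a user holds a right on an entity.
 *
 * <p>Decisions are read from the {@link SecurityCache}; on a miss the entry is loaded through the
 * {@link SecurityCacheLoader}. Before the cache is consulted, a few short-circuit rules apply (see
 * {@link #hasSecurityAccess}): the superadmin bypass, unknown rights, a read-only wiki, and rights
 * that need an authenticated user.
 *
 * <p>Both public entry points fail closed: {@link #checkAccess} turns any failure into an
 * {@link AccessDeniedException}, and {@link #hasAccess} answers {@code false}.
 */
@Singleton
@Component
/* loaded from: input_file:WEB-INF/lib/xwiki-platform-security-api-9.10.jar:org/xwiki/security/authorization/DefaultAuthorizationManager.class */
public class DefaultAuthorizationManager implements AuthorizationManager {

    /** Document name that {@link #isSuperAdmin} treats as the unrestricted account (case-insensitive). */
    private static final String SUPERADMIN_NAME = "superadmin";

    /** Label written to the logs when no user reference was supplied. */
    private static final String NULL_USER_LABEL = "Public";

    /** Label written to the logs when no entity reference was supplied. */
    private static final String NULL_ENTITY_LABEL = "Main Wiki";

    @Inject
    private Logger logger;

    @Inject
    private SecurityCache securityCache;

    @Inject
    private SecurityCacheLoader securityCacheLoader;

    @Inject
    private SecurityReferenceFactory securityReferenceFactory;

    @Inject
    private EntityReferenceSerializer<String> entityReferenceSerializer;

    @Inject
    private XWikiBridge xwikiBridge;

    /**
     * Tells whether the given user reference designates the superadmin account.
     *
     * <p>Only the document name is compared, ignoring case; the wiki and space parts of the reference
     * are not examined here.
     * NOTE(review): this relies on the authentication layer never handing out a reference with this
     * name to an ordinary account - confirm against the callers.
     *
     * @param user the user reference, may be {@code null}
     * @return {@code true} when {@code user} is non-null and named "superadmin"
     */
    private boolean isSuperAdmin(DocumentReference user) {
        return user != null && StringUtils.equalsIgnoreCase(user.getName(), SUPERADMIN_NAME);
    }

    /**
     * Security checkpoint: returns normally only when the right is granted.
     *
     * @param right the right being checked
     * @param documentReference the user, or {@code null} for an unauthenticated request
     * @param entityReference the entity the right applies to, or {@code null}
     * @throws AccessDeniedException when the right is denied, or when the evaluation itself fails (the
     *     failure is attached as the cause, so an error never results in access)
     */
    @Override
    public void checkAccess(Right right, DocumentReference documentReference, EntityReference entityReference) throws AccessDeniedException {
        try {
            if (!hasSecurityAccess(right, documentReference, entityReference, true)) {
                throw new AccessDeniedException(right, documentReference, entityReference);
            }
        } catch (AccessDeniedException e) {
            // Already the right exception type: rethrow untouched rather than wrapping it in itself.
            throw e;
        } catch (Exception e) {
            // Fail closed: any unexpected failure while evaluating rights is reported as a denial.
            throw new AccessDeniedException(right, documentReference, entityReference, e);
        }
    }

    /**
     * Access inquiry: answers whether the right is granted without throwing.
     *
     * @param right the right being asked about
     * @param documentReference the user, or {@code null} for an unauthenticated request
     * @param entityReference the entity the right applies to, or {@code null}
     * @return {@code true} only when the right is granted; {@code false} when it is denied or when the
     *     evaluation fails (the failure is logged at error level)
     */
    @Override
    public boolean hasAccess(Right right, DocumentReference documentReference, EntityReference entityReference) {
        try {
            return hasSecurityAccess(right, documentReference, entityReference, false);
        } catch (Exception e) {
            Object userLabel = documentReference == null ? NULL_USER_LABEL : documentReference;
            Object entityLabel = entityReference == null ? NULL_ENTITY_LABEL : entityReference;
            // The trailing Throwable is logged by SLF4J as the exception, not as a format argument.
            this.logger.error("Failed to load rights for user [{}] on [{}].", userLabel, entityLabel, e);
            // Fail closed: an error while loading rights must never be read as a grant.
            return false;
        }
    }

    /**
     * Applies the short-circuit rules, then delegates to the cache-backed evaluation.
     *
     * <p>Order matters: the superadmin bypass comes first, so it also applies to a {@code null} or
     * illegal right and to a read-only wiki. The bypass itself is not logged here.
     *
     * @param right the right to evaluate
     * @param user the user, or {@code null}
     * @param entity the target entity, or {@code null}
     * @param check {@code true} for a security checkpoint (denials are logged), {@code false} for a
     *     plain inquiry
     * @return {@code true} when access is granted
     * @throws AuthorizationException when the cache-backed evaluation fails
     */
    private boolean hasSecurityAccess(Right right, DocumentReference user, EntityReference entity, boolean check) throws AuthorizationException {
        if (isSuperAdmin(user)) {
            return true;
        }
        if (right == null || right == Right.ILLEGAL) {
            if (check) {
                logDeny(user, entity, right, "no such right");
            }
            return false;
        }
        if (!right.isReadOnly() && this.xwikiBridge.isWikiReadOnly()) {
            // Record checkpoint denials on this path too, so every refusal leaves a trace.
            if (check) {
                logDeny(user, entity, right, "server in read-only mode");
            }
            return false;
        }
        if (user == null && this.xwikiBridge.needsAuthentication(right)) {
            if (check) {
                logDeny(user, entity, right, "authentication needed");
            }
            return false;
        }
        return evaluateSecurityAccess(right, user, entity, check);
    }

    /**
     * Looks up the access decision for the user on the entity and logs the outcome.
     *
     * <p>Inquiries and grants go through the debug-level path of {@link #logAccess}; only a denial at a
     * security checkpoint goes through {@link #logDeny}.
     *
     * @param right the right to evaluate
     * @param user the user, or {@code null}
     * @param entity the target entity, or {@code null}
     * @param check {@code true} for a security checkpoint, {@code false} for an inquiry
     * @return {@code true} only when the resolved state is {@link RuleState#ALLOW}
     * @throws AuthorizationException when the access entry cannot be obtained
     */
    private boolean evaluateSecurityAccess(Right right, DocumentReference user, EntityReference entity, boolean check) throws AuthorizationException {
        UserSecurityReference userSecurityReference = this.securityReferenceFactory.newUserReference(user);
        SecurityReference entitySecurityReference = this.securityReferenceFactory.newEntityReference(entity);
        RuleState state = getAccess(userSecurityReference, entitySecurityReference).get(right);
        boolean allowed = state == RuleState.ALLOW;

        String context = check ? "security checkpoint" : "access inquiry";
        if (check && !allowed) {
            logDeny(user, entity, right, context);
        } else {
            logAccess(state, user, entity, right, context, true);
        }
        // Anything other than an explicit ALLOW is a denial.
        return allowed;
    }

    /**
     * Registers a new right, or returns the existing right with the same name when it matches.
     *
     * <p>After the right is created, the cache entry of the main wiki is removed - presumably so that
     * decisions computed before the right existed are not reused (confirm against the cache
     * implementation). Any {@link Throwable} raised by either step, including the cache removal, leads
     * to the lookup-by-name fallback.
     *
     * @param rightDescription description of the right to register
     * @return the newly created right, or the already registered one that is like the description
     * @throws UnableToRegisterRightException when registration fails and no matching right exists
     */
    @Override
    public Right register(RightDescription rightDescription) throws UnableToRegisterRightException {
        try {
            Right created = new Right(rightDescription);
            this.securityCache.remove(this.securityReferenceFactory.newEntityReference(this.xwikiBridge.getMainWikiReference()));
            return created;
        } catch (Throwable failure) {
            Right existing = Right.toRight(rightDescription.getName());
            if (existing != Right.ILLEGAL && existing.like(rightDescription)) {
                return existing;
            }
            throw new UnableToRegisterRightException(rightDescription, failure);
        }
    }

    /**
     * Obtains the access entry for the user on the entity, from the cache when possible.
     *
     * <p>Walks from the entity up through its parents. Levels with no enabled rights for their type,
     * and levels whose cached rule entry is empty, are skipped. At the first remaining level, a missing
     * rule entry or a missing user access entry triggers a load for the original entity; otherwise the
     * cached access is returned. If the walk runs out of parents, a load is performed as well.
     *
     * @param user the user security reference
     * @param entity the entity security reference the decision is wanted for
     * @return the access entry for the user on the entity
     * @throws AuthorizationException when loading the entry fails
     */
    private SecurityAccess getAccess(UserSecurityReference user, SecurityReference entity) throws AuthorizationException {
        for (SecurityReference level = entity; level != null; level = level.getParentSecurityReference()) {
            if (Right.getEnabledRights(level.getSecurityType()).isEmpty()) {
                continue;
            }
            SecurityRuleEntry rules = this.securityCache.get(level);
            if (rules == null) {
                return loadAccess(user, entity, "1. Loaded a new entry for user {} on {} into cache: [{}]");
            }
            if (rules.isEmpty()) {
                continue;
            }
            SecurityAccessEntry cached = this.securityCache.get(user, level);
            if (cached == null) {
                return loadAccess(user, entity, "2. Loaded a new entry for user {} on {} into cache: [{}]");
            }
            SecurityAccess access = cached.getAccess();
            this.logger.debug("3. Got entry for user {} on {} from cache: [{}]", user, entity, access);
            return access;
        }
        return loadAccess(user, entity, "4. Loaded a new default entry for user {} on {} into cache: [{}]");
    }

    /** Loads the access entry through the cache loader and traces it at debug level with the given message. */
    private SecurityAccess loadAccess(UserSecurityReference user, SecurityReference entity, String message) throws AuthorizationException {
        SecurityAccess access = this.securityCacheLoader.load(user, entity).getAccess();
        this.logger.debug(message, user, entity, access);
        return access;
    }

    /**
     * Writes one access decision to the log.
     *
     * @param state the resolved state; anything other than {@link RuleState#ALLOW} is reported as denied
     * @param user the user, or {@code null} (logged as "Public")
     * @param entity the entity, or {@code null} (logged as "Main Wiki", the label {@link #hasAccess}
     *     uses for a missing entity, so a denial is not reported as being "on [Public]")
     * @param right the right, or {@code null} (logged as "no right")
     * @param info short description of why the decision was taken
     * @param debugLevel {@code true} to log at debug level, {@code false} to log at info level
     */
    private void logAccess(RuleState state, DocumentReference user, EntityReference entity, Right right, String info, boolean debugLevel) {
        boolean enabled = debugLevel ? this.logger.isDebugEnabled() : this.logger.isInfoEnabled();
        if (!enabled) {
            // Skip the serialization work when the message would be discarded anyway.
            return;
        }
        String userName = user != null ? this.entityReferenceSerializer.serialize(user) : NULL_USER_LABEL;
        String entityName = entity != null ? this.entityReferenceSerializer.serialize(entity) : NULL_ENTITY_LABEL;
        String rightName = right != null ? right.getName() : "no right";
        String outcome = state == RuleState.ALLOW ? "granted" : "denied";
        if (debugLevel) {
            this.logger.debug("[{}] access has been {} for user [{}] on [{}]: {}", rightName, outcome, userName, entityName, info);
        } else {
            this.logger.info("[{}] access has been {} for user [{}] on [{}]: {}", rightName, outcome, userName, entityName, info);
        }
    }

    /**
     * Logs a denial at info level.
     *
     * @param documentReference the user, or {@code null}
     * @param entityReference the entity, or {@code null}
     * @param right the right that was refused, or {@code null}
     * @param str short description of why access was refused
     */
    protected void logDeny(DocumentReference documentReference, EntityReference entityReference, Right right, String str) {
        logAccess(RuleState.DENY, documentReference, entityReference, right, str, false);
    }
}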
