package edu.internet2.middleware.grouper.rules;

import edu.internet2.middleware.grouper.Group;
import edu.internet2.middleware.grouper.GroupFinder;
import edu.internet2.middleware.grouper.GrouperSession;
import edu.internet2.middleware.grouper.Stem;
import edu.internet2.middleware.grouper.SubjectFinder;
import edu.internet2.middleware.grouper.cache.GrouperCache;
import edu.internet2.middleware.grouper.cfg.GrouperConfig;
import edu.internet2.middleware.grouper.exception.GrouperSessionException;
import edu.internet2.middleware.grouper.misc.GrouperSessionHandler;
import edu.internet2.middleware.grouper.privs.PrivilegeHelper;
import edu.internet2.middleware.grouper.subj.SubjectHelper;
import edu.internet2.middleware.grouper.util.GrouperUtil;
import edu.internet2.middleware.grouperClient.collections.MultiKey;
import edu.internet2.middleware.subject.Subject;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.joda.time.DateTimeConstants;

/* loaded from: input_file:WEB-INF/lib/grouper-4.5.5.jar:edu/internet2/middleware/grouper/rules/RuleSubjectActAs.class */
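/**
 * The "act as" subject configured on a rule, plus the authorization check that decides
 * whether the subject creating the rule may run it under that identity.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>{@link #allowedToActAs} is the only gate between a rule author and the identity the
 *       rule runs as; every path that is not an explicit grant must end in {@code false}.</li>
 *   <li>Only positive decisions are cached. A subject removed from an act-as group may keep
 *       passing this check until its cache entry expires
 *       ({@code rules.act.as.cache.minutes}, default 30).</li>
 *   <li>{@code rules.allowActAsGrouperSystemForInheritedStemPrivileges} defaults to
 *       {@code true}; see {@link #allowedToActAs} for the narrow case it permits.</li>
 * </ul>
 */
public class RuleSubjectActAs {
    /** Subject id to act as; {@link #validate} requires exactly one of this and {@link #subjectIdentifier}. */
    private String subjectId;
    /** Source id handed to the subject lookup; may be blank. */
    private String sourceId;
    /** Subject identifier to act as; alternative to {@link #subjectId}. */
    private String subjectIdentifier;
    private static final Log LOG = GrouperUtil.getLog(RuleSubjectActAs.class);
    /**
     * Per-thread override of the subject whose act-as permission is validated. Callers are
     * expected to pair {@link #actAsThreadLocalAssign} with {@link #actAsThreadLocalClear}
     * (ideally in a finally block) so a reused thread does not carry the override into
     * unrelated work.
     */
    private static final ThreadLocal<Subject> actAsThreadLocal = new ThreadLocal<>();
    /** Lazily created cache of positive decisions; volatile so the double-checked init publishes safely. */
    private static volatile GrouperCache<MultiKey, Boolean> subjectAllowedCache = null;
    /** Separates "actor group" from "target group" inside one {@code rules.act.as.group} entry. */
    public static final String ACT_AS_SEPARATOR = "::::";

    /**
     * @param str subject id to act as
     * @param str2 source id of the subject to act as
     * @param str3 subject identifier to act as
     */
    public RuleSubjectActAs(String str, String str2, String str3) {
        this.subjectId = str;
        this.sourceId = str2;
        this.subjectIdentifier = str3;
    }

    /** Creates an empty instance; fields are filled in through the setters. */
    public RuleSubjectActAs() {
    }

    /** @return the subject id to act as, possibly null */
    public String getSubjectId() {
        return this.subjectId;
    }

    /** @param str the subject id to act as */
    public void setSubjectId(String str) {
        this.subjectId = str;
    }

    /** @return the source id used for the subject lookup, possibly null */
    public String getSourceId() {
        return this.sourceId;
    }

    /** @param str the source id used for the subject lookup */
    public void setSourceId(String str) {
        this.sourceId = str;
    }

    /** @return the subject identifier to act as, possibly null */
    public String getSubjectIdentifier() {
        return this.subjectIdentifier;
    }

    /** @param str the subject identifier to act as */
    public void setSubjectIdentifier(String str) {
        this.subjectIdentifier = str;
    }

    /** @return the non-blank fields in the format produced by {@link #toStringHelper} */
    @Override
    public String toString() {
        StringBuilder sb = new StringBuilder();
        toStringHelper(sb);
        return sb.toString();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Appends each non-blank field as {@code "name: value, "} to the builder.
     *
     * @param sb builder to append to
     */
    public void toStringHelper(StringBuilder sb) {
        if (!StringUtils.isBlank(this.sourceId)) {
            sb.append("actAsSourceId: ").append(this.sourceId).append(", ");
        }
        if (!StringUtils.isBlank(this.subjectId)) {
            sb.append("actAsSubjectId: ").append(this.subjectId).append(", ");
        }
        if (!StringUtils.isBlank(this.subjectIdentifier)) {
            sb.append("actAsSubjectIdentifier: ").append(this.subjectIdentifier).append(", ");
        }
    }

    /**
     * Resolves the configured act-as subject.
     *
     * @param z passed through as the last argument of {@code SubjectFinder.findByOptionalArgs};
     *          {@link #validate} passes {@code false} and handles a null result
     * @return the resolved subject, or null when it cannot be found and {@code z} is false
     */
    public Subject subject(boolean z) {
        // The third argument is the identifier slot. It previously received subjectId a second
        // time, so a rule configured with only actAsSubjectIdentifier could never be resolved.
        return SubjectFinder.findByOptionalArgs(this.sourceId, this.subjectId, this.subjectIdentifier, z);
    }

    /** Removes the per-thread acting-subject override set by {@link #actAsThreadLocalAssign}. */
    public static void actAsThreadLocalClear() {
        actAsThreadLocal.remove();
    }

    /**
     * Sets the subject that {@link #validate} treats as the acting subject on this thread,
     * instead of the static session's subject.
     *
     * @param subject the acting subject for this thread
     */
    public static void actAsThreadLocalAssign(Subject subject) {
        actAsThreadLocal.set(subject);
    }

    /**
     * Checks that exactly one of subject id / subject identifier is set, that the act-as
     * subject resolves, and that the acting subject is allowed to act as it.
     *
     * @param ruleDefinition rule being validated; forwarded to {@link #allowedToActAs}
     * @return null when valid, otherwise a human-readable reason
     */
    public String validate(RuleDefinition ruleDefinition) {
        if (StringUtils.isBlank(this.subjectId) == StringUtils.isBlank(this.subjectIdentifier)) {
            return "Enter one and only one of actAsSubjectId and actAsSubjectIdentifier!";
        }
        Subject actAsSubject = subject(false);
        if (actAsSubject == null) {
            return "Cant find subject: " + this;
        }
        // A thread-local override wins over the session subject.
        Subject actingSubject = actAsThreadLocal.get();
        if (actingSubject == null) {
            actingSubject = GrouperSession.staticGrouperSession().getSubject();
        }
        if (allowedToActAs(ruleDefinition, actingSubject, actAsSubject)) {
            return null;
        }
        return "Subject: " + GrouperUtil.subjectToString(actingSubject) + " cannot act as subject: " + GrouperUtil.subjectToString(actAsSubject) + " based on grouper.properties:  rules.act.as.group";
    }

    /** @return {@code rules.act.as.cache.minutes} from the Grouper config, default 30 */
    private static int actAsCacheMinutes() {
        return GrouperConfig.retrieveConfig().propertyValueInt("rules.act.as.cache.minutes", 30);
    }

    /**
     * Returns the shared decision cache, creating it on first use.
     *
     * <p>The cache is built once, so the value of {@code rules.act.as.cache.minutes} at creation
     * time is the one baked into it (presumably as the time-to-live in seconds — confirm against
     * the GrouperCache constructor).
     */
    private static GrouperCache<MultiKey, Boolean> subjectAllowedCache() {
        GrouperCache<MultiKey, Boolean> cache = subjectAllowedCache;
        if (cache == null) {
            synchronized (RuleSubjectActAs.class) {
                cache = subjectAllowedCache;
                if (cache == null) {
                    cache = new GrouperCache<>(RuleSubjectActAs.class.getName() + "subjectAllowedCache", 1000, false, DateTimeConstants.SECONDS_PER_DAY, actAsCacheMinutes() * 60, false);
                    subjectAllowedCache = cache;
                }
            }
        }
        return cache;
    }

    /**
     * Decides whether {@code subject} may run a rule as {@code subject2}.
     *
     * <p>Access is granted, in this order, when:
     * <ol>
     *   <li>both subjects are the same;</li>
     *   <li>{@code subject} is wheel or root;</li>
     *   <li>an entry of {@code rules.act.as.group} matches (evaluated in a root session);</li>
     *   <li>{@code rules.allowActAsGrouperSystemForInheritedStemPrivileges} is true (the default),
     *       {@code subject2} is the root subject, the rule is a group/stem/attributeDef create
     *       check on the stem the rule is assigned to, and its action is one of the three
     *       privilege-assignment actions.</li>
     * </ol>
     * Anything else, including an exception while evaluating case 4, is a denial.
     *
     * @param ruleDefinition rule being checked; only consulted for case 4
     * @param subject the acting subject
     * @param subject2 the subject to act as
     * @return true when acting as {@code subject2} is allowed
     * @throws RuntimeException when either subject is null
     */
    public static boolean allowedToActAs(RuleDefinition ruleDefinition, final Subject subject, final Subject subject2) {
        if (subject == null || subject2 == null) {
            throw new RuntimeException("Need to pass in subject and subjectToActAs");
        }
        if (SubjectHelper.eq(subject, subject2) || PrivilegeHelper.isWheelOrRoot(subject)) {
            return true;
        }
        // Group lookups run in a root session so the result does not depend on which groups
        // the acting subject is able to see.
        GrouperSession rootSession = GrouperSession.staticGrouperSession().internal_getRootSession();
        Boolean allowedByGroup = (Boolean) GrouperSession.callbackGrouperSession(rootSession, new GrouperSessionHandler() {
            @Override
            public Object callback(GrouperSession grouperSession) throws GrouperSessionException {
                return Boolean.valueOf(allowedByActAsGroups(subject, subject2));
            }
        });
        if (allowedByGroup.booleanValue()) {
            return true;
        }
        return allowedAsGrouperSystemForInheritedStemPrivileges(ruleDefinition, subject2);
    }

    /**
     * Evaluates the comma-separated {@code rules.act.as.group} entries. An entry is either a
     * single group name (members may act as anyone) or {@code actorGroup::::targetGroup}
     * (members of the first may act as members of the second).
     */
    private static boolean allowedByActAsGroups(Subject subject, Subject subject2) {
        String actAsGroups = GrouperConfig.retrieveConfig().propertyValueString("rules.act.as.group");
        if (StringUtils.isBlank(actAsGroups)) {
            return false;
        }
        MultiKey cacheKey = new MultiKey(subject.getId(), subject.getSourceId(), subject2.getId(), subject2.getSourceId());
        // Explicit null-safe check: a conditional mixing Boolean and boolean operands would
        // unbox the cache result and throw on a cache miss.
        // NOTE(security): only grants are cached, so a revoked membership can still pass here
        // until the entry expires; set rules.act.as.cache.minutes to 0 to always re-evaluate.
        if (actAsCacheMinutes() > 0 && Boolean.TRUE.equals(subjectAllowedCache().get(cacheKey))) {
            return true;
        }
        // Counts entries that were evaluated without error and did not match.
        int evaluatedEntries = 0;
        for (String groupEntry : GrouperUtil.splitTrim(actAsGroups, ",")) {
            try {
                if (StringUtils.contains(groupEntry, ACT_AS_SEPARATOR)) {
                    String[] groupNames = GrouperUtil.splitTrim(groupEntry, ACT_AS_SEPARATOR);
                    // An entry with a missing side throws here and is skipped by the catch below.
                    String actorGroupName = groupNames[0];
                    String targetGroupName = groupNames[1];
                    Group actorGroup = GroupFinder.findByName(GrouperSession.staticGrouperSession(), actorGroupName, true);
                    Group targetGroup = GroupFinder.findByName(GrouperSession.staticGrouperSession(), targetGroupName, true);
                    if (actorGroup.hasMember(subject) && targetGroup.hasMember(subject2)) {
                        subjectAllowedCache().put(cacheKey, Boolean.TRUE);
                        return true;
                    }
                } else if (GroupFinder.findByName(GrouperSession.staticGrouperSession(), groupEntry, true).hasMember(subject)) {
                    subjectAllowedCache().put(cacheKey, Boolean.TRUE);
                    return true;
                }
                evaluatedEntries++;
            } catch (Exception e) {
                // A broken entry must not grant access and must not block the remaining entries.
                LOG.error("Problem with groupEntry: " + groupEntry + ", subject: " + subject + ", actAsSubject: " + subject2, e);
            }
        }
        if (evaluatedEntries == 0) {
            return false;
        }
        LOG.error("A rule is specifying an actAsUser, but the groups specified in  rules.act.as.group in the grouper.properties  does not have a valid rule for member: '" + GrouperUtil.subjectToString(subject) + "', and actAs: '" + GrouperUtil.subjectToString(subject2) + "'");
        return false;
    }

    /**
     * Evaluates the config-gated exception that lets any subject act as the root subject for
     * privilege-assignment rules on create checks scoped to the rule's own owner stem.
     */
    private static boolean allowedAsGrouperSystemForInheritedStemPrivileges(RuleDefinition ruleDefinition, Subject subject2) {
        // Enabled unless explicitly turned off; deployments that want every act-as grant to go
        // through rules.act.as.group should set this property to false.
        if (!GrouperConfig.retrieveConfig().propertyValueBoolean("rules.allowActAsGrouperSystemForInheritedStemPrivileges", true)) {
            return false;
        }
        try {
            RuleCheckType checkType = ruleDefinition.getCheck().checkTypeEnum();
            boolean createCheck = checkType == RuleCheckType.groupCreate
                    || checkType == RuleCheckType.stemCreate
                    || checkType == RuleCheckType.attributeDefCreate;
            if (!createCheck) {
                return false;
            }
            Stem ownerStem = ruleDefinition.getAttributeAssignType().getOwnerStem();
            if (!SubjectHelper.eq(SubjectFinder.findRootSubject(), subject2) || ownerStem == null) {
                return false;
            }
            // If the check names an owner at all, it has to be the stem the rule is assigned to;
            // a check that sets only an owner id (no name) is therefore denied as well.
            boolean ownerSpecified = !StringUtils.isBlank(ruleDefinition.getCheck().getCheckOwnerId())
                    || !StringUtils.isBlank(ruleDefinition.getCheck().getCheckOwnerName());
            if (ownerSpecified && !StringUtils.equals(ruleDefinition.getCheck().getCheckOwnerName(), ownerStem.getName())) {
                return false;
            }
            RuleThenEnum thenAction = ruleDefinition.getThen().thenEnum();
            return thenAction == RuleThenEnum.assignGroupPrivilegeToGroupId
                    || thenAction == RuleThenEnum.assignStemPrivilegeToStemId
                    || thenAction == RuleThenEnum.assignAttributeDefPrivilegeToAttributeDefId;
        } catch (Exception e) {
            // Fail closed: any problem inspecting the rule is a denial.
            LOG.debug("error figuring out act as grouper system for inherited stem privileges", e);
            return false;
        }
    }
}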
