package org.rundeck.client.ext.acl;

import com.dtolabs.rundeck.core.authorization.AclSubject;
import com.dtolabs.rundeck.core.authorization.Attribute;
import com.dtolabs.rundeck.core.authorization.AuthorizationUtil;
import com.dtolabs.rundeck.core.authorization.Decision;
import com.dtolabs.rundeck.core.authorization.Explanation;
import com.dtolabs.rundeck.core.authorization.RuleEvaluator;
import com.dtolabs.rundeck.core.authorization.Validation;
import com.dtolabs.rundeck.core.authorization.ValidationSet;
import com.dtolabs.rundeck.core.authorization.providers.Policies;
import com.dtolabs.rundeck.core.authorization.providers.YamlParsePolicy;
import com.dtolabs.rundeck.core.authorization.providers.YamlProvider;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.PrintStream;
import java.net.URI;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import java.util.regex.Pattern;
import javax.security.auth.Subject;
import org.rundeck.client.tool.extension.BaseCommand;
import org.rundeck.client.util.Quoting;
import org.rundeck.core.auth.AuthConstants;
import org.rundeck.core.auth.AuthResources;
import org.yaml.snakeyaml.DumperOptions;
import org.yaml.snakeyaml.Yaml;
import picocli.CommandLine;

@CommandLine.Command(name = "acl", description = {"Generate, Test, and Validate ACLPolicy files"})
/* loaded from: input_file:org/rundeck/client/ext/acl/Acl.class */
public class Acl extends BaseCommand {

    /** picocli command model for this command; passed to the {@code ParameterException}s raised on bad arguments. */
    @CommandLine.Spec
    CommandLine.Model.CommandSpec spec;

    /**
     * Orders authorization decisions by action only. Used as the ordering of a sorted set, so two
     * decisions with the same action are treated as the same element.
     */
    private static final Comparator<Decision> comparator = Comparator.comparing(Decision::getAction);

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/rundeck/client/ext/acl/Acl$AclCreateOptions.class */
    /**
     * Command-line options for the {@code create} subcommand, on top of the shared {@link AclOptions}.
     * {@code TestOptions} extends this class, so the same flags are accepted by {@code test}.
     *
     * <p>All values arrive straight from the command line; nothing in this class validates them.
     * The {@code isXxx()} helpers for object-valued options only report whether the option was supplied.
     */
    public static class AclCreateOptions extends AclOptions {

        // --- picocli-bound option fields (populated reflectively by picocli) ---

        @CommandLine.Option(names = {"--stdin"}, description = {"Read file or stdin for audit log data. (create command)"})
        private boolean stdin;

        @CommandLine.Option(names = {"-c", "--context"}, description = {"Context: ${COMPLETION-CANDIDATES}."})
        private Context context;

        @CommandLine.Option(names = {"-R", "--resource"}, description = {"Resource type name."})
        private String resource;

        @CommandLine.Option(names = {"-A", "--adhoc"}, description = {"Adhoc execution (project context)"})
        private boolean projectAdhoc;

        @CommandLine.Option(names = {"-G", "--generic"}, description = {"Generic resource kind."})
        private String genericType;

        @CommandLine.Option(names = {"-b", "--attrs"}, arity = "1..*", description = {"Attributes for the resource. A sequence of key=value pairs, multiple pairs can follow with a space. Use a value of '?' to see suggestions."})
        private List<String> attributes;

        @CommandLine.Option(names = {"-a", "--allow"}, arity = "1..*", description = {"Actions to test are allowed (test command) or to allow (create command). Accepts multiple values."})
        private List<String> allowAction;

        @CommandLine.Option(names = {"-D", "--deny"}, arity = "1..*", description = {"Actions to test are denied (test command) or to deny (create command). Accepts multiple values."})
        private List<String> denyAction;

        @CommandLine.Option(names = {"-r", "--regex"}, description = {"Match the resource using regular expressions. (create command)."})
        private boolean regex;

        AclCreateOptions() {
        }

        // --- "was this option supplied?" helpers ---

        /** @return {@code true} when {@code --context} was given */
        boolean isContext() {
            return context != null;
        }

        /** @return {@code true} when {@code --resource} was given */
        boolean isResource() {
            return resource != null;
        }

        /** @return {@code true} when {@code --generic} was given */
        boolean isGenericType() {
            return genericType != null;
        }

        /** @return {@code true} when at least one {@code --attrs} value was given */
        boolean isAttributes() {
            return Acl.notEmpty(attributes);
        }

        /** @return {@code true} when at least one {@code --allow} action was given */
        boolean isAllowAction() {
            return Acl.notEmpty(allowAction);
        }

        /** @return {@code true} when at least one {@code --deny} action was given */
        boolean isDenyAction() {
            return Acl.notEmpty(denyAction);
        }

        // --- plain accessors ---

        public boolean isStdin() {
            return stdin;
        }

        public Context getContext() {
            return context;
        }

        public String getResource() {
            return resource;
        }

        public boolean isProjectAdhoc() {
            return projectAdhoc;
        }

        public String getGenericType() {
            return genericType;
        }

        /** @return the raw {@code key=value} strings from {@code --attrs}, or {@code null} when unset */
        public List<String> getAttributes() {
            return attributes;
        }

        /** @return the actions from {@code --allow}, or {@code null} when unset */
        public List<String> getAllowAction() {
            return allowAction;
        }

        /** @return the actions from {@code --deny}, or {@code null} when unset */
        public List<String> getDenyAction() {
            return denyAction;
        }

        public boolean isRegex() {
            return regex;
        }

        // --- mutators ---

        public void setStdin(boolean stdin) {
            this.stdin = stdin;
        }

        public void setContext(Context context) {
            this.context = context;
        }

        public void setResource(String resource) {
            this.resource = resource;
        }

        public void setProjectAdhoc(boolean projectAdhoc) {
            this.projectAdhoc = projectAdhoc;
        }

        public void setGenericType(String genericType) {
            this.genericType = genericType;
        }

        public void setAttributes(List<String> attributes) {
            this.attributes = attributes;
        }

        public void setAllowAction(List<String> allowAction) {
            this.allowAction = allowAction;
        }

        public void setDenyAction(List<String> denyAction) {
            this.denyAction = denyAction;
        }

        public void setRegex(boolean regex) {
            this.regex = regex;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/rundeck/client/ext/acl/Acl$AclOptions.class */
    /**
     * Options shared by every {@code acl} subcommand: where the policy files come from
     * ({@code --file} / {@code --dir}), which subject is evaluated ({@code --user} / {@code --groups}),
     * and which project, storage path, job or node the request is about.
     *
     * <p>Values are stored exactly as picocli parsed them; this class does no validation or
     * normalisation. The {@code isXxx()} helpers for object-valued options only report presence.
     */
    public static class AclOptions {

        // --- policy sources ---

        @CommandLine.Option(names = {"-f", "--file"}, description = {"File path. Load the specified aclpolicy file."})
        private File file;

        @CommandLine.Option(names = {"-d", "--dir"}, description = {"Directory. Load all policy files in the specified directory."})
        private File dir;

        // --- subject and target of the request ---

        @CommandLine.Option(names = {"-g", "--groups"}, arity = "1..*", description = {"Subject Groups names to validate (test command) or for by: clause (create command). Accepts multiple values."})
        private List<String> groups;

        @CommandLine.Option(names = {"-p", "--project"}, description = {"Name of project, used in project context or for application resource."})
        private String project;

        // Package-private (not private) in the original; kept that way.
        @CommandLine.Option(names = {"-P", "--projectacl"}, description = {"Project name for ACL policy access, used in application context."})
        String projectAcl;

        @CommandLine.Option(names = {"-s", "--storage"}, description = {"Storage path/name. (application context)"})
        private String appStorage;

        @CommandLine.Option(names = {"-j", "--job"}, description = {"Job group/name. (project context)"})
        private String job;

        @CommandLine.Option(names = {"-i", "--jobUuid"}, description = {"Job uuid. (project context)"})
        private String jobUUID;

        @CommandLine.Option(names = {"-n", "--node"}, description = {"Node name. (project context)"})
        private String node;

        @CommandLine.Option(names = {"-t", "--tags"}, arity = "1..*", description = {"Node tags. If specified, the resource match will be defined using 'contains'. (project context). Accepts multiple values."})
        private List<String> tags;

        @CommandLine.Option(names = {"-u", "--user"}, description = {"Subject User names to validate (test command) or for by: clause (create command)."})
        private String user;

        @CommandLine.Option(names = {"-v", "--verbose"}, description = {"Verbose output."})
        private boolean verbose;

        AclOptions() {
        }

        // --- "was this option supplied?" helpers ---

        /** @return {@code true} when {@code --file} was given */
        boolean isFile() {
            return file != null;
        }

        /** @return {@code true} when {@code --dir} was given */
        boolean isDir() {
            return dir != null;
        }

        /** @return {@code true} when at least one {@code --groups} value was given */
        boolean isGroups() {
            return Acl.notEmpty(groups);
        }

        /** @return {@code true} when {@code --project} was given */
        boolean isProject() {
            return project != null;
        }

        /** @return {@code true} when {@code --projectacl} was given */
        boolean isProjectAcl() {
            return projectAcl != null;
        }

        /** @return {@code true} when {@code --storage} was given */
        boolean isAppStorage() {
            return appStorage != null;
        }

        /** @return {@code true} when {@code --job} was given */
        boolean isJob() {
            return job != null;
        }

        /** @return {@code true} when {@code --jobUuid} was given */
        boolean isJobUUID() {
            return jobUUID != null;
        }

        /** @return {@code true} when {@code --node} was given */
        boolean isNode() {
            return node != null;
        }

        /** @return {@code true} when at least one {@code --tags} value was given */
        boolean isTags() {
            return Acl.notEmpty(tags);
        }

        /** @return {@code true} when {@code --user} was given */
        boolean isUser() {
            return user != null;
        }

        // --- plain accessors (object-valued ones return null when the option is unset) ---

        public File getFile() {
            return file;
        }

        public File getDir() {
            return dir;
        }

        public List<String> getGroups() {
            return groups;
        }

        public String getProject() {
            return project;
        }

        public String getProjectAcl() {
            return projectAcl;
        }

        public String getAppStorage() {
            return appStorage;
        }

        public String getJob() {
            return job;
        }

        public String getJobUUID() {
            return jobUUID;
        }

        public String getNode() {
            return node;
        }

        public List<String> getTags() {
            return tags;
        }

        public String getUser() {
            return user;
        }

        public boolean isVerbose() {
            return verbose;
        }

        // --- mutators ---

        public void setFile(File file) {
            this.file = file;
        }

        public void setDir(File dir) {
            this.dir = dir;
        }

        public void setGroups(List<String> groups) {
            this.groups = groups;
        }

        public void setProject(String project) {
            this.project = project;
        }

        public void setProjectAcl(String projectAcl) {
            this.projectAcl = projectAcl;
        }

        public void setAppStorage(String appStorage) {
            this.appStorage = appStorage;
        }

        public void setJob(String job) {
            this.job = job;
        }

        public void setJobUUID(String jobUUID) {
            this.jobUUID = jobUUID;
        }

        public void setNode(String node) {
            this.node = node;
        }

        public void setTags(List<String> tags) {
            this.tags = tags;
        }

        public void setUser(String user) {
            this.user = user;
        }

        public void setVerbose(boolean verbose) {
            this.verbose = verbose;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/rundeck/client/ext/acl/Acl$AuthRequest.class */
    /*
     * Mutable holder for one authorization request handled by the acl commands.
     * The `create` command builds a list of these and emits YAML for each one.
     * NOTE(review): the field meanings below are inferred from names and types only; the code
     * that fills and reads them is not all visible in this part of the file.
     */
    public static class AuthRequest {
        // Human-readable label for the request (presumably used in output; confirm against callers).
        String description;
        // Resource attributes of the request, as string key/value pairs.
        Map<String, String> resourceMap;
        // Presumably: match the resource with regular expressions (cf. the --regex option); confirm.
        boolean regexMatch;
        // Presumably: match the resource with 'contains' (cf. the --tags option text); confirm.
        boolean containsMatch;
        // JAAS subject the request is evaluated for.
        Subject subject;
        // Action names of the request.
        Set<String> actions;
        // Authorization environment attributes; compared in isAppContext() below.
        Set<Attribute> environment;
        // Presumably the actions to deny rather than allow (cf. the --deny option); confirm.
        Set<String> denyActions;

        // Private: the decompiler notes the original access was private, so instances are created
        // only from within Acl.
        private AuthRequest() {
        }

        // True when this request's environment equals the set returned by Acl.access$300().
        // NOTE(review): access$300 is a compiler-generated accessor name kept by the decompiler; its
        // target is not visible here. Given the method name it presumably returns the
        // application-context environment; confirm against the bytecode.
        boolean isAppContext() {
            return this.environment.equals(Acl.access$300());
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/rundeck/client/ext/acl/Acl$Context.class */
    /*
     * The two authorization contexts selectable with -c/--context.
     * The constant names are what the usage text in this file prints after "-c", so they are the
     * literal command-line values; keep their lower-case spelling.
     */
    public enum Context {
        // Per the usage text in this file: access to jobs, nodes, events, within a project.
        project,
        // Per the usage text in this file: access to projects, users, storage, system info,
        // execution management.
        application
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/rundeck/client/ext/acl/Acl$Group.class */
    /**
     * {@link Principal} that marks a name as a group name. {@code createSubject(Subject)} selects
     * principals by this class to collect a subject's groups.
     */
    public static class Group implements Principal {
        /** Group name exactly as given to the constructor; not validated and may be {@code null}. */
        final String name;

        public Group(String groupName) {
            name = groupName;
        }

        /** @return the group name passed at construction */
        @Override // java.security.Principal
        public String getName() {
            return name;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/rundeck/client/ext/acl/Acl$ParsePart.class */
    /*
     * Small mutable result holder with three fields.
     * NOTE(review): the code that produces and consumes it is not visible in this part of the file;
     * the field comments below are guesses from names and types and need confirming.
     */
    public static class ParsePart {
        // Presumably the number of input characters consumed by a parse step; confirm.
        int len;
        // Presumably the key/value pairs parsed so far; confirm.
        Map<String, String> resourceMap;
        // Presumably the text value parsed; confirm.
        String value;

        // Private: the decompiler notes the original access was private, so instances are created
        // only from within Acl.
        private ParsePart() {
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/rundeck/client/ext/acl/Acl$TestOptions.class */
    /**
     * Options for the {@code test} subcommand: everything {@link AclCreateOptions} accepts plus the
     * {@code -V} switch, which {@code applyArgValidate} reads to decide whether the policy files are
     * validated first.
     */
    public static class TestOptions extends AclCreateOptions {

        @CommandLine.Option(names = {"-V"}, description = {"Validate all input files."})
        private boolean validate;

        TestOptions() {
        }

        /** @return {@code true} when {@code -V} was given */
        public boolean isValidate() {
            return validate;
        }

        public void setValidate(boolean validate) {
            this.validate = validate;
        }
    }

    /* loaded from: input_file:org/rundeck/client/ext/acl/Acl$Urn.class */
    /**
     * {@link Principal} that marks a name as a URN. {@code createSubject(Subject)} selects principals
     * by this class to obtain the subject's URN.
     */
    static class Urn implements Principal {
        /** URN text exactly as given to the constructor; not validated and may be {@code null}. */
        final String name;

        public Urn(String urn) {
            name = urn;
        }

        /** @return the URN passed at construction */
        @Override // java.security.Principal
        public String getName() {
            return name;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/rundeck/client/ext/acl/Acl$Username.class */
    /**
     * {@link Principal} that marks a name as a user name. {@code createSubject(Subject)} selects
     * principals by this class to obtain the subject's user name.
     */
    public static class Username implements Principal {
        /** User name exactly as given to the constructor; not validated and may be {@code null}. */
        final String name;

        public Username(String username) {
            name = username;
        }

        /** @return the user name passed at construction */
        @Override // java.security.Principal
        public String getName() {
            return name;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Reports whether a multi-value option carries at least one value.
     *
     * @param list option values; may be {@code null} when the option was not given
     * @return {@code true} only when {@code list} is non-null and has at least one element
     */
    public static boolean notEmpty(List<String> list) {
        return list != null && !list.isEmpty();
    }

    /**
     * Adapts a JAAS {@link Subject} to the {@link AclSubject} view used by the rule evaluator.
     *
     * <p>Only principals of the marker types declared in this class are read: the first
     * {@link Username} (if any), every {@link Group}, and the first {@link Urn} (if any). Principals
     * of any other type are ignored. The values are captured once, at the time of the call.
     *
     * @param subject subject to adapt
     * @return a view whose user name and URN are {@code null} when the subject has no principal of
     *     that type, and whose group set is empty when it has no {@link Group} principals
     */
    static AclSubject createSubject(Subject subject) {
        final Set<Username> users = subject.getPrincipals(Username.class);
        final String username = users.isEmpty() ? null : users.iterator().next().getName();

        final Set<Group> groupPrincipals = subject.getPrincipals(Group.class);
        final Set<String> groupNames = new HashSet<>();
        for (Group group : groupPrincipals) {
            groupNames.add(group.getName());
        }

        final Set<Urn> urns = subject.getPrincipals(Urn.class);
        final String urn;
        if (urns.isEmpty()) {
            urn = null;
        } else {
            urn = urns.stream().findFirst().map(Urn::getName).orElse(null);
        }

        return new AclSubject() { // from class: org.rundeck.client.ext.acl.Acl.1
            @Override // com.dtolabs.rundeck.core.authorization.AclSubject
            public String getUsername() {
                return username;
            }

            @Override // com.dtolabs.rundeck.core.authorization.AclSubject
            public Set<String> getGroups() {
                // The same mutable set instance is handed out on every call.
                return groupNames;
            }

            @Override // com.dtolabs.rundeck.core.authorization.AclSubject
            public String getUrn() {
                return urn;
            }
        };
    }

    /**
     * {@code list} subcommand: prints the authorization decision for each known action, first in
     * the application context and then, when {@code -p} is given, in that project's context.
     *
     * <p>Sections whose selecting option is missing (project, project ACL, storage path, job,
     * node/tags) are skipped with an informational note rather than treated as an error. The
     * heading names the subject by its groups when any were given, otherwise by its user name; with
     * neither option the heading reads "username null" unless {@code createSubject(AclOptions)}
     * rejects that case first (not visible in this part of the file).
     *
     * @param aclOptions policy source, subject and resource selectors from the command line
     */
    @CommandLine.Command(description = {"List ACL Policies"}, mixinStandardHelpOptions = true)
    public void list(@CommandLine.Mixin AclOptions aclOptions) {
        final RuleEvaluator evaluator = createAuthorization(aclOptions);
        final Subject subject = createSubject(aclOptions);
        final String who;
        if (aclOptions.isGroups()) {
            who = "group " + aclOptions.getGroups();
        } else {
            who = "username " + aclOptions.getUser();
        }

        // ---- Application context ----
        info("# Application Context access for " + who + "\n");

        if (!aclOptions.isProject()) {
            info("\n(No project (-p) specified, skipping Application context actions for a specific project.)\n");
        } else {
            HashMap<String, String> projectAttrs = new HashMap<>();
            projectAttrs.put("name", aclOptions.getProject());
            logDecisions(
                    "project named \"" + aclOptions.getProject() + Quoting.DQ,
                    evaluator,
                    subject,
                    resources(AuthorizationUtil.resource("project", projectAttrs)),
                    new HashSet<>(AuthResources.appProjectActions),
                    createAppEnv(),
                    aclOptions);
        }

        if (aclOptions.getProjectAcl() == null) {
            info("\n(No project_acl (-P) specified, skipping Application context actions for a ACLs for a specific project.)\n");
        } else {
            HashMap<String, String> projectAclAttrs = new HashMap<>();
            projectAclAttrs.put("name", aclOptions.getProjectAcl());
            logDecisions(
                    "project_acl for Project named \"" + aclOptions.getProjectAcl() + Quoting.DQ,
                    evaluator,
                    subject,
                    resources(AuthorizationUtil.resource(AuthConstants.TYPE_PROJECT_ACL, projectAclAttrs)),
                    new HashSet<>(AuthResources.appProjectAclActions),
                    createAppEnv(),
                    aclOptions);
        }

        if (aclOptions.getAppStorage() == null) {
            info("\n(No storage path (-s) specified, skipping Application context actions for a specific storage path.)\n");
        } else {
            logDecisions(
                    "storage path \"" + aclOptions.getAppStorage() + Quoting.DQ,
                    evaluator,
                    subject,
                    resources(createStorageResource(aclOptions)),
                    new HashSet<>(AuthResources.storageActions),
                    createAppEnv(),
                    aclOptions);
        }

        // Generic (kind-level) application resources are always listed.
        for (String appKind : AuthResources.appKindActionsByType.keySet()) {
            logDecisions(
                    appKind,
                    evaluator,
                    subject,
                    resources(AuthorizationUtil.resourceTypeRule(appKind)),
                    new HashSet<>(AuthResources.appKindActionsByType.get(appKind)),
                    createAppEnv(),
                    aclOptions);
        }

        // ---- Project context (only with -p) ----
        if (aclOptions.getProject() == null) {
            info("\n(No project (-p) specified, skipping Project context listing.)");
            return;
        }
        final Set<Attribute> projectEnv = createAuthEnvironment(aclOptions.getProject());
        info("\n# Project \"" + aclOptions.getProject() + "\" access for " + who + "\n");

        logDecisions(
                "Adhoc executions",
                evaluator,
                subject,
                resources(createProjectAdhocResource()),
                new HashSet<>(AuthResources.projectAdhocActions),
                projectEnv,
                aclOptions);

        // A job name takes precedence over a job UUID when both are given.
        if (aclOptions.getJob() != null) {
            logDecisions(
                    "Job \"" + aclOptions.getJob() + Quoting.DQ,
                    evaluator,
                    subject,
                    resources(createProjectJobResource(aclOptions)),
                    new HashSet<>(AuthResources.projectJobActions),
                    projectEnv,
                    aclOptions);
        } else if (aclOptions.getJobUUID() != null) {
            logDecisions(
                    "Job UUID\"" + aclOptions.getJobUUID() + Quoting.DQ,
                    evaluator,
                    subject,
                    resources(createProjectJobUUIDResource(aclOptions)),
                    new HashSet<>(AuthResources.projectJobActions),
                    projectEnv,
                    aclOptions);
        } else {
            info("\n(No job name(-j) or uuid (-i) specified, skipping Project context actions for a specific job.)\n");
        }

        if (aclOptions.getNode() != null || aclOptions.getTags() != null) {
            String nodePart = aclOptions.getNode() != null ? Quoting.DQ + aclOptions.getNode() + Quoting.DQ : "";
            String tagsPart = aclOptions.getTags() != null ? " tags: " + aclOptions.getTags() : "";
            logDecisions(
                    "Node " + nodePart + tagsPart,
                    evaluator,
                    subject,
                    resources(createProjectNodeResource(aclOptions)),
                    new HashSet<>(AuthResources.projectNodeActions),
                    projectEnv,
                    aclOptions);
        } else {
            info("\n(No node (-n) or tags (-t) specified, skipping Project context actions for a specific node or node tags.)\n");
        }

        // Generic (kind-level) project resources are always listed.
        for (String projectKind : AuthResources.projKindActionsByType.keySet()) {
            logDecisions(
                    projectKind,
                    evaluator,
                    subject,
                    resources(AuthorizationUtil.resourceTypeRule(projectKind)),
                    new HashSet<>(AuthResources.projKindActionsByType.get(projectKind)),
                    projectEnv,
                    aclOptions);
        }
    }

    /**
     * Builds the rule evaluator for the policies selected by the options.
     *
     * @param aclOptions options naming the policy source
     * @return an evaluator over {@code createPolicies(aclOptions)} that converts subjects with
     *     {@link #createSubject(Subject)}
     */
    private RuleEvaluator createAuthorization(AclOptions aclOptions) {
        return RuleEvaluator.createRuleEvaluator(
                createPolicies(aclOptions),
                Acl::createSubject);
    }

    /**
     * Runs policy validation ahead of a test run when {@code -V} was requested.
     *
     * <p>The detailed validation report is printed only in verbose mode; without {@code -v} a
     * failing validation produces just the one-line summary.
     *
     * @param testOptions options of the {@code test} subcommand
     * @return {@code true} when validation was not requested or the policies are valid,
     *     {@code false} when validation was requested and failed
     */
    private boolean applyArgValidate(TestOptions testOptions) {
        if (!testOptions.isValidate()) {
            return true;
        }
        final Validation result = validatePolicies(testOptions);
        if (testOptions.isVerbose() && !result.isValid()) {
            reportValidation(result);
        }
        if (!result.isValid()) {
            // Only reached for an invalid result, so the summary normally reads "failed".
            log("The validation " + (result.isValid() ? "passed" : "failed"));
            return false;
        }
        return true;
    }

    /* JADX WARN: Can't fix incorrect switch cases order, some code will duplicate */
    /* JADX WARN: Code restructure failed: missing block: B:29:0x01a5, code lost:
    
        r15 = false;
     */
    /*
     * `test` subcommand entry point (picocli description: "Test ACL Policies").
     *
     * NOTE(review): the decompiler failed on this method. The body below is its placeholder, which
     * always throws UnsupportedOperationException; it is NOT the tool's real logic. Nothing about
     * how policy tests are evaluated, or what the boolean result means, can be concluded from this
     * listing; refer to the original bytecode or the upstream source instead.
     * The parameter name r8 is a register name left by the decompiler; it is the TestOptions mixin.
     */
    @picocli.CommandLine.Command(description = {"Test ACL Policies"})
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    public boolean test(@picocli.CommandLine.Mixin org.rundeck.client.ext.acl.Acl.TestOptions r8) {
        /*
            Method dump skipped, instructions count: 605
            To view this dump add '--comments-level debug' option
        */
        // Decompiler placeholder: the original instructions were not recovered.
        throw new UnsupportedOperationException("Method not decompiled: org.rundeck.client.ext.acl.Acl.test(org.rundeck.client.ext.acl.Acl$TestOptions):boolean");
    }

    /**
     * {@code create} subcommand: writes generated policy YAML to standard output.
     *
     * <p>When {@code --file} or {@code --stdin} is given the requests come from
     * {@code readRequests}; otherwise a single request is built from the remaining options.
     * One YAML document is generated per request.
     *
     * @param aclCreateOptions options of the {@code create} subcommand
     * @throws IOException declared by the original signature; presumably raised while reading
     *     requests or writing output
     */
    @CommandLine.Command(description = {"Create ACL Policies"})
    public void create(@CommandLine.Mixin AclCreateOptions aclCreateOptions) throws IOException {
        final List<AuthRequest> requests;
        if (aclCreateOptions.isFile() || aclCreateOptions.isStdin()) {
            requests = readRequests(aclCreateOptions);
        } else {
            requests = new ArrayList<>();
            requests.add(createAuthRequestFromArgs(aclCreateOptions));
        }
        for (AuthRequest request : requests) {
            generateYaml(request, System.out);
        }
    }

    /**
     * {@code validate} subcommand: validates the selected policy files, always prints the
     * validation report, then prints a one-line pass/fail summary.
     *
     * @param aclOptions options naming the policy source
     * @return {@code true} when the policies are valid
     */
    @CommandLine.Command(description = {"Validate ACL Policies"})
    public boolean validate(@CommandLine.Mixin AclOptions aclOptions) {
        final Validation result = validatePolicies(aclOptions);
        reportValidation(result);
        final String outcome = result.isValid() ? "passed" : "failed";
        log("The validation " + outcome);
        return result.isValid();
    }

    /**
     * Wraps one resource description in a new mutable set, the shape the evaluator call in
     * {@code logDecisions} takes.
     *
     * @param map the resource's attributes
     * @return a new {@link HashSet} whose only element is {@code map}
     */
    private HashSet<Map<String, String>> resources(Map<String, String> map) {
        final HashSet<Map<String, String>> single = new HashSet<>();
        single.add(map);
        return single;
    }

    /**
     * Evaluates the given actions against the resources and prints one line per decision, ordered
     * by action.
     *
     * <p>Line prefix: {@code +} the action is authorized; {@code !} it was rejected with
     * {@code REJECTED_DENIED}; {@code -} it was rejected with any other code. Rejected lines end
     * with the explanation code in brackets. For {@code REJECTED_DENIED} the full explanation is
     * additionally printed in verbose mode.
     *
     * @param label       text naming the resource on each output line
     * @param evaluator   rule evaluator to query
     * @param subject     subject the decisions are made for
     * @param resourceSet resources to evaluate
     * @param actions     actions to evaluate
     * @param environment authorization environment (application or project)
     * @param options     options consulted for the verbose flag
     */
    private void logDecisions(String label, RuleEvaluator evaluator, Subject subject, HashSet<Map<String, String>> resourceSet, HashSet<String> actions, Set<Attribute> environment, AclOptions options) {
        for (Decision decision : sortByAction(evaluator.evaluate(resourceSet, subject, actions, environment))) {
            if (decision.isAuthorized()) {
                log("+" + " " + decision.getAction() + ": " + label);
                continue;
            }
            // The explanation is only consulted for rejected decisions.
            final boolean denied = decision.explain().getCode() == Explanation.Code.REJECTED_DENIED;
            log((denied ? "!" : "-") + " " + decision.getAction() + ": " + label + " [" + decision.explain().getCode() + "]");
            if (denied) {
                verbose(options, "  " + decision.explain().toString());
            }
        }
    }

    /**
     * Emits an informational message only when verbose output was requested.
     *
     * @param aclOptions options consulted for the verbose flag
     * @param message    text to emit
     */
    private void verbose(AclOptions aclOptions, String message) {
        if (!aclOptions.isVerbose()) {
            return;
        }
        info(message);
    }

    /**
     * Sends a message to the tool's output through its {@code info} channel.
     *
     * @param message text to emit
     */
    private void info(String message) {
        getRdTool()
                .getRdApp()
                .getOutput()
                .info(message);
    }

    /**
     * Sends a message to the tool's output through its {@code output} channel; decision lines and
     * the validation summary are printed this way.
     *
     * @param message text to emit
     */
    private void log(String message) {
        getRdTool()
                .getRdApp()
                .getOutput()
                .output(message);
    }

    /**
     * Sends a message to the tool's output through its {@code warning} channel.
     *
     * @param message text to emit
     */
    private void warn(String message) {
        getRdTool()
                .getRdApp()
                .getOutput()
                .warning(message);
    }

    /**
     * Copies the decisions into a set ordered by the class-level {@code comparator}.
     *
     * <p>Because the sorted set uses that comparator for equality as well, decisions that compare
     * equal under it collapse into a single entry. The calls in {@code list} pass one resource at a
     * time; a caller passing several resources with the same actions should check that no decisions
     * are lost here.
     *
     * @param set decisions to order
     * @return a new sorted set holding the decisions
     */
    private Set<Decision> sortByAction(Set<Decision> set) {
        final Set<Decision> ordered = new TreeSet<>(comparator);
        ordered.addAll(set);
        return ordered;
    }

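    /**
     * Renders an option key as the long-flag text shown in usage errors: {@code "--"} followed by
     * the key in lower case.
     *
     * <p>Lower-casing is pinned to {@code Locale.ROOT} so the rendered flag does not depend on the
     * JVM's default locale. With the locale-sensitive overload, a Turkish default locale would
     * render {@code "GENERIC"} with a dotless i, producing a flag name that does not exist.
     *
     * @param str option key, e.g. {@code "CONTEXT"}
     * @return the key prefixed with {@code "--"} and lower-cased independently of locale
     */
    String optionDisplayString(String str) {
        return "--" + str.toLowerCase(java.util.Locale.ROOT);
    }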

    private AuthRequest createAuthRequestFromArgs(AclCreateOptions aclCreateOptions) {
        Map<String, String> resourceTypeRule;
        if (null == aclCreateOptions.getContext()) {
            throw new CommandLine.ParameterException(this.spec.commandLine(), optionDisplayString("CONTEXT") + " is required. Choose one of: \n  -c " + Context.application + "\n    Access to projects, users, storage, system info, execution management.\n  -c " + Context.project + "\n    Access to jobs, nodes, events, within a project.");
        }
        if (aclCreateOptions.getContext() == Context.project && !aclCreateOptions.isProject()) {
            throw new CommandLine.ParameterException(this.spec.commandLine(), "--project is required. Choose the name of a project, or .*: \n  -p myproject\n  -p '.*'");
        }
        Set<Attribute> createAppEnv = aclCreateOptions.getContext() == Context.application ? createAppEnv() : createAuthEnvironment(aclCreateOptions.getProject());
        Subject createSubject = createSubject(aclCreateOptions);
        if (aclCreateOptions.getContext() == Context.application && aclCreateOptions.getResource() != null) {
            if (!AuthResources.appTypes.contains(aclCreateOptions.getResource().toLowerCase())) {
                throw new CommandLine.ParameterException(this.spec.commandLine(), "--resource invalid resource type: " + aclCreateOptions.getResource() + "  resource types in application context:     " + String.join("\n    ", AuthResources.appTypes));
            }
            resourceTypeRule = AuthorizationUtil.resource(aclCreateOptions.getResource().toLowerCase(), null);
        } else if (aclCreateOptions.getContext() == Context.project && aclCreateOptions.getResource() != null) {
            if (!AuthResources.projectTypes.contains(aclCreateOptions.getResource().toLowerCase())) {
                throw new CommandLine.ParameterException(this.spec.commandLine(), "--resource invalid resource type: " + aclCreateOptions.getResource() + "  resource types in project context:     " + String.join("\n    ", AuthResources.projectTypes));
            }
            resourceTypeRule = AuthorizationUtil.resource(aclCreateOptions.getResource().toLowerCase(), null);
        } else if (aclCreateOptions.getContext() == Context.application && aclCreateOptions.getProject() != null) {
            HashMap hashMap = new HashMap();
            hashMap.put("name", aclCreateOptions.getProject());
            resourceTypeRule = AuthorizationUtil.resource("project", hashMap);
        } else if (aclCreateOptions.getContext() == Context.application && aclCreateOptions.getProjectAcl() != null) {
            HashMap hashMap2 = new HashMap();
            hashMap2.put("name", aclCreateOptions.getProjectAcl());
            resourceTypeRule = AuthorizationUtil.resource(AuthConstants.TYPE_PROJECT_ACL, hashMap2);
        } else if (aclCreateOptions.getContext() == Context.application && aclCreateOptions.getAppStorage() != null) {
            resourceTypeRule = createStorageResource(aclCreateOptions);
        } else if (aclCreateOptions.getContext() == Context.project && aclCreateOptions.getJob() != null) {
            resourceTypeRule = createProjectJobResource(aclCreateOptions);
        } else if (aclCreateOptions.getContext() == Context.project && aclCreateOptions.getJobUUID() != null) {
            resourceTypeRule = createProjectJobUUIDResource(aclCreateOptions);
        } else if (aclCreateOptions.getContext() == Context.project && !(aclCreateOptions.getNode() == null && aclCreateOptions.getTags() == null)) {
            resourceTypeRule = createProjectNodeResource(aclCreateOptions);
        } else if (aclCreateOptions.getContext() == Context.project && aclCreateOptions.isProjectAdhoc()) {
            resourceTypeRule = createProjectAdhocResource();
        } else if (aclCreateOptions.getContext() != Context.project || null == aclCreateOptions.getGenericType()) {
            if (aclCreateOptions.getContext() != Context.application || null == aclCreateOptions.getGenericType()) {
                if (aclCreateOptions.getContext() == Context.project) {
                    throw new CommandLine.ParameterException(this.spec.commandLine(), "Project-context resource option is required.Possible options:\n  Job: " + optionDisplayString("JOB") + "\n    View, modify, create*, delete*, run, and kill specific jobs,\n    and toggle whether schedule and/or execution are enabled.\n    * Create and delete also require additional " + optionDisplayString("GENERIC") + " level access.\n  Adhoc: " + optionDisplayString("ADHOC") + "\n    View, run, and kill adhoc commands.\n  Node: " + optionDisplayString("NODE") + "\n      : " + optionDisplayString("TAGS") + "\n    View and run on specific nodes by name or tag.\n  Resource: " + optionDisplayString("RESOURCE") + "\n    Specify the resource type directly. " + optionDisplayString("ATTRS") + " should also be used.\n    resource types in this context: \n    " + String.join("\n    ", AuthResources.projectTypes) + "\n  Generic: " + optionDisplayString("GENERIC") + "\n    Create and delete jobs.\n    View and manage nodes.\n    View events.\n    generic kinds in this context: \n    " + String.join("\n    ", AuthResources.projectKinds));
                }
                throw new CommandLine.ParameterException(this.spec.commandLine(), "Application-context resource option is required.Possible options:\n  Project: " + optionDisplayString("PROJECT") + "\n    Visibility, import, export, config, and delete executions.\n    *Note: Project create requires additional " + optionDisplayString("GENERIC") + " level access.\n  Project ACLs: " + optionDisplayString("PROJECT_ACL") + "\n    CRUD access for the project ACLs.\n  Storage: " + optionDisplayString("STORAGE") + "\n    CRUD access for the key storage system.\n  Resource: " + optionDisplayString("RESOURCE") + "\n    Specify the resource type directly. " + optionDisplayString("ATTRS") + " should also be used.\n    resource types in this context: \n    " + String.join("\n    ", AuthResources.appTypes) + "\n  Generic: " + optionDisplayString("GENERIC") + "\n    Create projects, read system info, manage system ACLs, manage users, change\n      execution mode, manage plugins.\n    generic kinds in this context: \n    " + String.join("\n    ", AuthResources.appKinds));
            }
            if (!AuthResources.appKinds.contains(aclCreateOptions.getGenericType().toLowerCase())) {
                throw new CommandLine.ParameterException(this.spec.commandLine(), "--generic invalid generic kind: " + aclCreateOptions.getGenericType() + "  generic kind in this context:     " + String.join("\n    ", AuthResources.appKinds));
            }
            resourceTypeRule = AuthorizationUtil.resourceTypeRule(aclCreateOptions.getGenericType().toLowerCase());
        } else {
            if (!AuthResources.projectKinds.contains(aclCreateOptions.getGenericType().toLowerCase())) {
                throw new CommandLine.ParameterException(this.spec.commandLine(), "--generic invalid generic kind: " + aclCreateOptions.getGenericType() + "  generic kinds in this context:     " + String.join("\n    ", AuthResources.projectKinds));
            }
            resourceTypeRule = AuthorizationUtil.resourceTypeRule(aclCreateOptions.getGenericType().toLowerCase());
        }
        HashMap hashMap3 = new HashMap();
        boolean parseAttrsMap = aclCreateOptions.isAttributes() ? parseAttrsMap(aclCreateOptions, hashMap3) : false;
        if (!parseAttrsMap && hashMap3.size() > 0) {
            resourceTypeRule.putAll(hashMap3);
        } else if (parseAttrsMap && null != aclCreateOptions.getResource() && !aclCreateOptions.getResource().equalsIgnoreCase("adhoc")) {
            throw new CommandLine.ParameterException(this.spec.commandLine(), optionDisplayString("ATTRS") + " should be specified when " + optionDisplayString("RESOURCE") + " is used. Possible attributes for resource type " + aclCreateOptions.getResource() + " in this context:\n  " + String.join("\n  ", (aclCreateOptions.getContext() == Context.application ? AuthResources.appResAttrsByType : AuthResources.projResAttrsByType).get(aclCreateOptions.getResource().toLowerCase())));
        }
        ArrayList arrayList = new ArrayList(Collections.singletonList("*"));
        if (aclCreateOptions.getContext() == Context.application && null != aclCreateOptions.getResource()) {
            arrayList.addAll(AuthResources.appResActionsByType.get(aclCreateOptions.getResource()));
        } else if (aclCreateOptions.getContext() == Context.project && null != aclCreateOptions.getResource()) {
            arrayList.addAll(AuthResources.projResActionsByType.get(aclCreateOptions.getResource()));
        } else if (aclCreateOptions.getContext() == Context.application && aclCreateOptions.getAppStorage() != null) {
            arrayList.addAll(AuthResources.storageActions);
        } else if (aclCreateOptions.getContext() == Context.application && aclCreateOptions.getProject() != null) {
            arrayList.addAll(AuthResources.appProjectActions);
        } else if (aclCreateOptions.getContext() == Context.application && aclCreateOptions.getProjectAcl() != null) {
            arrayList.addAll(AuthResources.appProjectAclActions);
        } else if (aclCreateOptions.getContext() == Context.application && aclCreateOptions.getGenericType() != null) {
            arrayList.addAll(AuthResources.appKindActionsByType.get(aclCreateOptions.getGenericType().toLowerCase()));
        } else if (aclCreateOptions.getContext() == Context.project && aclCreateOptions.getGenericType() != null) {
            arrayList.addAll(AuthResources.projKindActionsByType.get(aclCreateOptions.getGenericType().toLowerCase()));
        } else if (aclCreateOptions.getContext() == Context.project && !(aclCreateOptions.getJob() == null && aclCreateOptions.getJobUUID() == null)) {
            arrayList.addAll(AuthResources.projectJobActions);
        } else if (aclCreateOptions.getContext() == Context.project && aclCreateOptions.isProjectAdhoc()) {
            arrayList.addAll(AuthResources.projectAdhocActions);
        } else if (aclCreateOptions.getContext() == Context.project && (aclCreateOptions.getNode() != null || aclCreateOptions.getTags() != null)) {
            arrayList.addAll(AuthResources.projectNodeActions);
        }
        if (null == aclCreateOptions.getAllowAction() && null == aclCreateOptions.getDenyAction()) {
            throw new CommandLine.ParameterException(this.spec.commandLine(), optionDisplayString("ALLOW") + " or " + optionDisplayString("DENY") + " is required. Possible actions in this context: \n  " + String.join("\n  ", arrayList));
        }
        if (null != aclCreateOptions.getAllowAction()) {
            ArrayList arrayList2 = new ArrayList();
            for (String str : aclCreateOptions.getAllowAction()) {
                if (!arrayList.contains(str)) {
                    arrayList2.add(str);
                }
            }
            if (arrayList2.size() > 0) {
                throw new CommandLine.ParameterException(this.spec.commandLine(), optionDisplayString("ALLOW") + " specified invalid actions. These actions are not valid for the context:  " + String.join("\n  ", arrayList2) + "Possible actions in this context: \n  " + String.join("\n  ", arrayList));
            }
        }
        if (null != aclCreateOptions.getDenyAction()) {
            ArrayList arrayList3 = new ArrayList();
            for (String str2 : aclCreateOptions.getDenyAction()) {
                if (!arrayList.contains(str2)) {
                    arrayList3.add(str2);
                }
            }
            if (arrayList3.size() > 0) {
                throw new CommandLine.ParameterException(this.spec.commandLine(), optionDisplayString("DENY") + " specified invalid actions. These actions are not valid for the context:\n  " + String.join("\n  ", arrayList3) + "\n\nPossible actions in this context:\n  " + String.join("\n  ", arrayList));
            }
        }
        AuthRequest authRequest = new AuthRequest();
        authRequest.resourceMap = resourceTypeRule;
        authRequest.subject = createSubject;
        if (null != aclCreateOptions.getAllowAction()) {
            authRequest.actions = new HashSet(aclCreateOptions.getAllowAction());
        }
        authRequest.environment = createAppEnv;
        if (null != aclCreateOptions.getDenyAction()) {
            authRequest.denyActions = new HashSet(aclCreateOptions.getDenyAction());
        }
        authRequest.regexMatch = aclCreateOptions.isRegex();
        authRequest.containsMatch = aclCreateOptions.getContext() == Context.project && aclCreateOptions.getTags() != null;
        return authRequest;
    }

    /**
     * Copies the {@code key=value} attribute options into {@code map} and reports whether any
     * of them is incomplete.
     *
     * <p>An entry is incomplete when it has no {@code =} after its first character, or when its
     * value is empty or the literal {@code ?}. Entries that do have a key and an {@code =} are
     * stored in {@code map} even when their value is empty or {@code ?}.
     *
     * @param aclCreateOptions options whose attribute list is read
     * @param map receives every parsed key/value pair
     * @return {@code true} if the attribute list is empty or at least one entry is incomplete
     */
    private boolean parseAttrsMap(AclCreateOptions aclCreateOptions, Map<String, String> map) {
        boolean incomplete = aclCreateOptions.getAttributes().size() == 0;
        for (String attribute : aclCreateOptions.getAttributes()) {
            int equalsAt = attribute.indexOf('=');
            if (equalsAt <= 0) {
                // No '=' at all, or nothing before it: there is no key to store.
                incomplete = true;
                continue;
            }
            String key = attribute.substring(0, equalsAt);
            // Everything after the first '=' is the value, so values may contain '='.
            String value = attribute.substring(equalsAt + 1);
            if (value.isEmpty() || value.equals("?")) {
                incomplete = true;
            }
            map.put(key, value);
        }
        return incomplete;
    }

    /**
     * Builds the node resource for a project-context request.
     *
     * <p>{@code nodename} is set from the node option and {@code tags} from the tag list joined
     * with commas; either is left out when its option is {@code null}.
     *
     * @param aclOptions options supplying the node name and tags
     * @return the result of {@link AuthorizationUtil#resource} for {@link AuthConstants#TYPE_NODE}
     */
    private Map<String, String> createProjectNodeResource(AclOptions aclOptions) {
        Map<String, String> nodeAttrs = new HashMap<>();
        if (aclOptions.getNode() != null) {
            nodeAttrs.put("nodename", aclOptions.getNode());
        }
        if (aclOptions.getTags() != null) {
            String joinedTags = String.join(",", aclOptions.getTags());
            nodeAttrs.put("tags", joinedTags);
        }
        return AuthorizationUtil.resource(AuthConstants.TYPE_NODE, nodeAttrs);
    }

    /**
     * Builds the job resource from a {@code group/name} job path.
     *
     * <p>The text after the last {@code /} is the job name and the text before it is the group.
     * A path without {@code /} gives an empty group.
     *
     * @param aclOptions options supplying the job path; the path is dereferenced without a null
     *     check
     * @return the result of {@link AuthorizationUtil#resource} for type {@code job}
     */
    private Map<String, String> createProjectJobResource(AclOptions aclOptions) {
        String jobPath = aclOptions.getJob();
        int lastSlash = jobPath.lastIndexOf('/');
        boolean hasGroup = lastSlash >= 0;

        Map<String, String> jobAttrs = new HashMap<>();
        jobAttrs.put(YamlParsePolicy.GROUP_KEY, hasGroup ? jobPath.substring(0, lastSlash) : "");
        jobAttrs.put("name", hasGroup ? jobPath.substring(lastSlash + 1) : jobPath);
        return AuthorizationUtil.resource("job", jobAttrs);
    }

    /**
     * Builds a job resource that is identified only by its UUID.
     *
     * @param aclOptions options supplying the job UUID, stored as given under {@code uuid}
     * @return the result of {@link AuthorizationUtil#resource} for type {@code job}
     */
    private Map<String, String> createProjectJobUUIDResource(AclOptions aclOptions) {
        Map<String, String> jobAttrs = new HashMap<>();
        jobAttrs.put("uuid", aclOptions.getJobUUID());
        Map<String, String> jobResource = AuthorizationUtil.resource("job", jobAttrs);
        return jobResource;
    }

    /**
     * Builds the {@code adhoc} resource, which carries no attributes.
     *
     * @return the result of {@link AuthorizationUtil#resource} for type {@code adhoc}
     */
    private Map<String, String> createProjectAdhocResource() {
        Map<String, String> noAttrs = new HashMap<>();
        return AuthorizationUtil.resource("adhoc", noAttrs);
    }

    /**
     * Builds the key-storage resource from a storage path.
     *
     * <p>{@code path} is the full option value. {@code name} is the text after the last
     * {@code /}, or the whole value when it has no {@code /}.
     *
     * @param aclOptions options supplying the storage path; the path is dereferenced without a
     *     null check
     * @return the result of {@link AuthorizationUtil#resource} for
     *     {@link AuthConstants#TYPE_STORAGE}
     */
    private Map<String, String> createStorageResource(AclOptions aclOptions) {
        String storagePath = aclOptions.getAppStorage();
        int lastSlash = storagePath.lastIndexOf('/');
        String leafName = lastSlash < 0 ? storagePath : storagePath.substring(lastSlash + 1);

        Map<String, String> storageAttrs = new HashMap<>();
        storageAttrs.put("path", storagePath);
        storageAttrs.put("name", leafName);
        return AuthorizationUtil.resource(AuthConstants.TYPE_STORAGE, storageAttrs);
    }

    /**
     * Builds the subject for a request from the user and group options.
     *
     * @param aclOptions options supplying the user name and the groups
     * @return a subject built by {@code makeSubject} from whichever of the two is present
     * @throws CommandLine.ParameterException if neither a user nor any groups were given
     */
    private Subject createSubject(AclOptions aclOptions) {
        boolean hasPrincipal = aclOptions.getGroups() != null || aclOptions.getUser() != null;
        if (hasPrincipal) {
            return makeSubject(aclOptions.getUser(), aclOptions.getGroups());
        }
        // A policy must name who it applies to, so stop with a usage error.
        throw new CommandLine.ParameterException(this.spec.commandLine(), optionDisplayString("GROUPS") + " or " + optionDisplayString("USER") + " are required.   -u user1,user2... \n  -g group1,group2... \n    Groups control access for a set of users, and correspond\n    to authorization roles.");
    }

    /**
     * Creates a subject holding one {@code Username} principal and one {@code Group} principal
     * per group name.
     *
     * <p>When {@code str} is {@code null} the user principal is named
     * {@link AuthConstants#TYPE_USER}. {@code toDataMap} compares the user name with that same
     * constant to decide whether a policy is written per group or per user.
     * NOTE(review): a real account whose name equals that constant would therefore be treated
     * as "no user given" and get a group-wide policy. Confirm that such a name cannot occur.
     *
     * @param str user name, or {@code null} when only groups were given
     * @param collection group names, or {@code null} for none
     * @return the populated subject
     */
    private Subject makeSubject(String str, Collection<String> collection) {
        String userName = str;
        if (userName == null) {
            userName = AuthConstants.TYPE_USER;
        }
        Subject result = new Subject();
        result.getPrincipals().add(new Username(userName));
        if (collection == null) {
            return result;
        }
        for (String groupName : collection) {
            result.getPrincipals().add(new Group(groupName));
        }
        return result;
    }

    /**
     * Writes every validation error through {@code warn}: the error key followed by a colon,
     * then each message for that key on its own tab-indented line.
     *
     * @param validation validation result whose error map is reported
     */
    private void reportValidation(Validation validation) {
        Map<String, List<String>> errorsByKey = validation.getErrors();
        for (Map.Entry<String, List<String>> errorEntry : errorsByKey.entrySet()) {
            warn(errorEntry.getKey() + ":");
            for (String message : errorEntry.getValue()) {
                warn("\t" + message);
            }
        }
    }

    /**
     * Validates the policy file, or every policy source in the directory, named by the options.
     *
     * <p>The file option takes precedence; the directory option is only consulted when no file
     * was given.
     *
     * @param aclOptions options supplying the policy file or directory
     * @return the validation result from {@link YamlProvider#validate}
     * @throws CommandLine.ParameterException if neither option is set, the file is not a regular
     *     file, or the directory is not a directory
     */
    private Validation validatePolicies(AclOptions aclOptions) {
        ValidationSet validationSet = new ValidationSet();

        File policyFile = aclOptions.getFile();
        if (policyFile != null) {
            if (policyFile.isFile()) {
                return YamlProvider.validate(YamlProvider.sourceFromFile(policyFile, validationSet), validationSet);
            }
            throw new CommandLine.ParameterException(this.spec.commandLine(), "File: " + policyFile + ", does not exist or is not a file");
        }

        File policyDir = aclOptions.getDir();
        if (policyDir == null) {
            throw new CommandLine.ParameterException(this.spec.commandLine(), "-f or -d are required");
        }
        if (policyDir.isDirectory()) {
            return YamlProvider.validate(YamlProvider.asSources(policyDir), validationSet);
        }
        throw new CommandLine.ParameterException(this.spec.commandLine(), "File: " + policyDir + ", does not exist or is not a directory");
    }

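    /**
     * Reads authorization audit lines from standard input or from the options' file and turns
     * every denied decision into an {@code AuthRequest}.
     *
     * <p>A line is used only if it contains {@code Decision for:} and {@code authorized: false}
     * and has, in this order, a {@code res<...>}, {@code subject<...>}, {@code action<...>} and
     * {@code env<...>} section. Lines that fail any step are reported through {@code verbose}
     * and skipped. The environment is the application environment for the two known application
     * environment strings; otherwise it is a project environment named by the text after the
     * last {@code :} of the {@code env} value.
     *
     * <p>Every field is taken from the line as-is. The resource attributes, user, group and
     * project recorded in a denied request are whatever the requester asked for, so the result
     * describes access that was refused.
     * NOTE(review): callers are not visible here. If these requests are turned into allow rules,
     * the generated policy needs a human review before it is installed.
     *
     * @param aclCreateOptions selects standard input or a file, and is passed to {@code verbose}
     * @return one request per usable line, in input order
     * @throws IOException if the input cannot be opened or read
     */
    private List<AuthRequest> readRequests(AclCreateOptions aclCreateOptions) throws IOException {
        List<AuthRequest> requests = new ArrayList<>();
        // try-with-resources closes the reader on every path and keeps a close() failure as a
        // suppressed exception instead of letting it replace the original error.
        // Closing the reader also closes System.in when reading from standard input.
        // NOTE(review): both readers decode with the platform default charset.
        try (BufferedReader reader = new BufferedReader(
                aclCreateOptions.isStdin()
                        ? new InputStreamReader(System.in)
                        : new FileReader(aclCreateOptions.getFile()))) {
            String line;
            while ((line = reader.readLine()) != null) {
                if (!line.contains("Decision for:")) {
                    verbose(aclCreateOptions, "did not see start. skip line: " + line);
                    continue;
                }
                // "<= 0" also skips a line that begins with the marker, as before.
                if (line.indexOf("authorized: false") <= 0) {
                    verbose(aclCreateOptions, "skip line: " + line);
                    continue;
                }

                ParsePart resPart = parsePart("res", line, ", ", false);
                if (null == resPart) {
                    verbose(aclCreateOptions, "no res< " + line);
                    continue;
                }

                // Each section is searched for in the text that follows the previous one.
                String afterRes = line.substring(resPart.len);
                ParsePart subjectPart = parsePart("subject", afterRes, " ", true);
                if (null == subjectPart) {
                    verbose(aclCreateOptions, "no subject<: " + afterRes);
                    continue;
                }
                Map<String, String> subjectMap = subjectPart.resourceMap;
                Subject subject = createSubject(subjectMap);
                if (null == subject) {
                    verbose(aclCreateOptions, "parse subject< failed: " + subjectMap + ": " + afterRes);
                    continue;
                }

                String afterSubject = afterRes.substring(subjectPart.len);
                ParsePart actionPart = parseString("action", afterSubject);
                if (null == actionPart) {
                    verbose(aclCreateOptions, "no action<: " + afterSubject);
                    continue;
                }

                String afterAction = afterSubject.substring(actionPart.len);
                ParsePart envPart = parseString("env", afterAction);
                if (null == envPart) {
                    verbose(aclCreateOptions, "no env<: " + afterAction);
                    continue;
                }

                String env = envPart.value;
                String afterEnv = afterAction.substring(envPart.len);
                int lastColon = env.lastIndexOf(":");
                if (lastColon < 0) {
                    verbose(aclCreateOptions, "env parse failed: " + afterEnv);
                    continue;
                }

                boolean applicationEnv = env.equals("rundeck:auth:env:application:rundeck")
                        || env.equals("http://dtolabs.com/rundeck/auth/env/application:rundeck");
                AuthRequest request = new AuthRequest();
                request.environment = applicationEnv
                        ? createAppEnv()
                        : createAuthEnvironment(env.substring(lastColon + 1));
                request.actions = new HashSet(Collections.singletonList(actionPart.value));
                request.resourceMap = resPart.resourceMap;
                request.subject = subject;
                requests.add(request);
            }
        }
        return requests;
    }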

    /**
     * Builds a subject from a parsed {@code subject<...>} section.
     *
     * @param map parsed section; the {@code Username} and {@code Group} entries are read
     * @return a subject with that user and the {@code Group} value as its only group, or
     *     {@code null} if either entry is missing
     */
    private Subject createSubject(Map<String, String> map) {
        String userName = map.get("Username");
        String groupValue = map.get("Group");
        boolean complete = userName != null && groupValue != null;
        if (!complete) {
            return null;
        }
        // The Group value is passed on as one group name, even if it holds several joined names.
        return makeSubject(userName, Collections.singletonList(groupValue));
    }

    /**
     * Finds the first {@code name<...>} section in a line and parses its content as a
     * {@code key:value} map.
     *
     * @param str section name to look for, without the {@code <}
     * @param str2 text to search
     * @param str3 literal delimiter between the entries of the section
     * @param z passed to {@code parseMap}: whether repeated keys are collected rather than
     *     overwritten
     * @return a {@code ParsePart} whose {@code resourceMap} is the parsed content and whose
     *     {@code len} is the offset in {@code str2} just past the closing {@code >}; or
     *     {@code null} if the section is absent, unterminated, or its content does not parse
     */
    private ParsePart parsePart(String str, String str2, String str3, boolean z) {
        int openAt = str2.indexOf(str + "<");
        if (openAt < 0) {
            return null;
        }
        int markerLength = str.length() + 1;
        if (openAt > str2.length() - markerLength) {
            return null;
        }
        String afterMarker = str2.substring(openAt + markerLength);
        int closeAt = afterMarker.indexOf(">");
        if (closeAt < 0) {
            return null;
        }
        Map<String, String> content = parseMap(afterMarker.substring(0, closeAt), str3, z);
        if (content == null) {
            return null;
        }
        ParsePart result = new ParsePart();
        // Marker, content and the closing '>' are all consumed.
        result.len = openAt + markerLength + closeAt + 1;
        result.resourceMap = content;
        return result;
    }

    /**
     * Finds the first {@code name<...>} section in a line and returns its content as plain text.
     *
     * @param str section name to look for, without the {@code <}
     * @param str2 text to search
     * @return a {@code ParsePart} whose {@code value} is the text between {@code <} and the next
     *     {@code >} and whose {@code len} is the offset in {@code str2} just past that
     *     {@code >}; or {@code null} if the section is absent or unterminated
     */
    private ParsePart parseString(String str, String str2) {
        int openAt = str2.indexOf(str + "<");
        if (openAt < 0) {
            return null;
        }
        int markerLength = str.length() + 1;
        if (openAt > str2.length() - markerLength) {
            return null;
        }
        String afterMarker = str2.substring(openAt + markerLength);
        int closeAt = afterMarker.indexOf(">");
        if (closeAt < 0) {
            return null;
        }
        ParsePart result = new ParsePart();
        result.value = afterMarker.substring(0, closeAt);
        // Marker, content and the closing '>' are all consumed.
        result.len = openAt + markerLength + closeAt + 1;
        return result;
    }

    /**
     * Parses delimiter-separated {@code key:value} entries into a map.
     *
     * <p>Each entry is split at its first {@code :}. With {@code z} set, values of a repeated
     * key are collected and later joined with commas by {@code flattenMap}; without it the last
     * value wins.
     *
     * @param str text holding the entries
     * @param str2 delimiter between entries, matched literally
     * @param z whether repeated keys are collected instead of overwritten
     * @return the parsed map, or {@code null} if there are no entries or any entry lacks a
     *     {@code :}
     */
    private Map<String, String> parseMap(String str, String str2, boolean z) {
        String[] entries = str.split(Pattern.quote(str2));
        if (entries.length == 0) {
            return null;
        }
        HashMap<String, Object> collected = new HashMap<>();
        for (String entry : entries) {
            String[] keyValue = entry.split(":", 2);
            if (keyValue.length < 2) {
                // One malformed entry rejects the whole section.
                return null;
            }
            String key = keyValue[0];
            String value = keyValue[1];
            if (!z || !collected.containsKey(key)) {
                collected.put(key, value);
                continue;
            }
            Object existing = collected.get(key);
            if (existing instanceof Collection) {
                @SuppressWarnings("unchecked")
                Collection<String> values = (Collection<String>) existing;
                values.add(value);
            } else if (existing instanceof String) {
                // Second occurrence of the key: switch from a single value to a list.
                ArrayList<String> values = new ArrayList<>();
                values.add((String) existing);
                values.add(value);
                collected.put(key, values);
            }
        }
        return flattenMap(collected);
    }

    /**
     * Converts every value of the map to a string.
     *
     * <p>Collection values are joined with commas; any other value is converted with
     * {@code toString()}.
     *
     * @param hashMap map whose values are strings or collections of strings; values must not be
     *     {@code null}
     * @return a new map with the same keys and the flattened values
     */
    private Map<String, String> flattenMap(HashMap<String, Object> hashMap) {
        Map<String, String> flat = new HashMap<>();
        for (Map.Entry<String, Object> entry : hashMap.entrySet()) {
            Object value = entry.getValue();
            String text;
            if (value instanceof Collection) {
                @SuppressWarnings("unchecked")
                Collection<? extends CharSequence> parts = (Collection<? extends CharSequence>) value;
                text = String.join(",", parts);
            } else {
                text = value.toString();
            }
            flat.put(entry.getKey(), text);
        }
        return flat;
    }

    /**
     * Prints the request as a block-style YAML policy document, preceded by a comment line and
     * a {@code ---} document marker.
     *
     * @param authRequest request to convert with {@code toDataMap}
     * @param printStream destination of the generated text
     */
    private void generateYaml(AuthRequest authRequest, PrintStream printStream) {
        // Convert first, so a request that cannot be converted prints nothing at all.
        Map<String, ?> policy = toDataMap(authRequest);

        DumperOptions blockStyle = new DumperOptions();
        blockStyle.setDefaultFlowStyle(DumperOptions.FlowStyle.BLOCK);
        Yaml dumper = new Yaml(blockStyle);

        printStream.println("# create or append this to a .aclpolicy file");
        printStream.println("---");
        OutputStreamWriter yamlOut = new OutputStreamWriter(printStream);
        dumper.dump(policy, yamlOut);
    }

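    /**
     * Converts a request into the nested map that is dumped as one ACL policy document.
     *
     * <p>The result has four entries:
     * <ul>
     *   <li>{@code context}: the application context when the request environment equals
     *       {@code createAppEnv()}, otherwise {@code project} set to the value of the first
     *       environment attribute;
     *   <li>the "by" section: the subject's groups when its user name equals
     *       {@link AuthConstants#TYPE_USER} and it has at least one group, otherwise the user
     *       name alone;
     *   <li>{@code for}: the resource type mapped to a single rule holding the remaining
     *       resource attributes under {@code match}, {@code contains} or {@code equals}, plus
     *       the {@code allow} and {@code deny} actions that are present;
     *   <li>the description, defaulting to {@code generated}.
     * </ul>
     *
     * <p>A subject named {@link AuthConstants#TYPE_USER} without any group used to fail with
     * {@code NoSuchElementException}; it is now written as a per-user policy.
     *
     * <p>NOTE(review): the per-group/per-user decision rests on a name comparison alone. A real
     * account whose name equals that constant and that has groups gets a policy for the whole
     * group, which is wider than a per-user policy. When a different user name is present, the
     * subject's groups are not written at all.
     *
     * @param authRequest request to convert; its environment, subject and resource map must be
     *     set
     * @return a new map in the structure described above
     */
    public static Map<String, ?> toDataMap(AuthRequest authRequest) {
        Map<String, Object> policy = new HashMap<>();

        Map<String, Object> context = new HashMap<>();
        if (authRequest.environment.equals(createAppEnv())) {
            context.put(AuthConstants.CTX_APPLICATION, "rundeck");
        } else {
            context.put("project", authRequest.environment.iterator().next().value);
        }
        policy.put("context", context);

        String userName = authRequest.subject.getPrincipals(Username.class).iterator().next().getName();
        List<String> groupNames = new ArrayList<>();
        for (Group group : authRequest.subject.getPrincipals(Group.class)) {
            groupNames.add(group.getName());
        }
        Map<String, Object> by = new HashMap<>();
        if (userName.equals(AuthConstants.TYPE_USER) && !groupNames.isEmpty()) {
            // A single group is written as a scalar, several as a list.
            by.put(YamlParsePolicy.GROUP_KEY, groupNames.size() > 1 ? groupNames : groupNames.get(0));
        } else {
            // Also reached for the placeholder name without groups, which used to throw.
            by.put(YamlParsePolicy.USERNAME_KEY, userName);
        }
        policy.put(YamlParsePolicy.BY_SECTION, by);

        String resourceType = authRequest.resourceMap.get(AuthorizationUtil.TYPE_FIELD);
        // Work on a copy so the request's own resource map keeps its type entry.
        Map<String, String> matchAttrs = new HashMap<>(authRequest.resourceMap);
        matchAttrs.remove(AuthorizationUtil.TYPE_FIELD);

        Map<String, Object> rule = new HashMap<>();
        if (!matchAttrs.isEmpty()) {
            String matchKind = authRequest.regexMatch ? "match" : authRequest.containsMatch ? "contains" : "equals";
            rule.put(matchKind, matchAttrs);
        }
        if (authRequest.actions != null && authRequest.actions.size() > 0) {
            rule.put("allow", authRequest.actions.size() > 1 ? new ArrayList<>(authRequest.actions) : authRequest.actions.iterator().next());
        }
        if (authRequest.denyActions != null && authRequest.denyActions.size() > 0) {
            rule.put("deny", authRequest.denyActions.size() > 1 ? new ArrayList<>(authRequest.denyActions) : authRequest.denyActions.iterator().next());
        }

        List<Object> rules = new ArrayList<>();
        rules.add(rule);
        Map<String, Object> forSection = new HashMap<>();
        forSection.put(resourceType, rules);
        policy.put("for", forSection);

        policy.put(CommandLine.Model.UsageMessageSpec.SECTION_KEY_DESCRIPTION, authRequest.description != null ? authRequest.description : "generated");
        return policy;
    }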

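    /**
     * Loads the policies from the file, or from the directory, named by the options.
     *
     * <p>The file option takes precedence. A directory option that does not name a directory is
     * reported as a {@link CommandLine.ParameterException}, the same way {@code validatePolicies}
     * reports it, instead of a bare {@code RuntimeException}. The new type is still a
     * {@code RuntimeException}, so existing handlers keep working.
     *
     * @param aclOptions options supplying the policy file or directory
     * @return the loaded policies
     * @throws CommandLine.ParameterException if neither option is set or the directory option
     *     does not name a directory
     */
    private Policies createPolicies(AclOptions aclOptions) {
        if (aclOptions.isFile()) {
            // NOTE(review): unlike validatePolicies, the file is not checked here before loading.
            return Policies.loadFile(aclOptions.getFile());
        }
        if (!aclOptions.isDir()) {
            throw new CommandLine.ParameterException(this.spec.commandLine(), String.format("One of %s or %s are required", optionDisplayString("file"), optionDisplayString("dir")));
        }
        if (!aclOptions.getDir().isDirectory()) {
            throw new CommandLine.ParameterException(this.spec.commandLine(), "File: " + aclOptions.getDir() + ", does not exist or is not a directory");
        }
        return Policies.load(aclOptions.getDir());
    }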

    /**
     * Creates the application-context environment: a single attribute keyed
     * {@code rundeck:auth:env:application} with the value {@code rundeck}.
     *
     * @return an immutable one-element set
     */
    private static Set<Attribute> createAppEnv() {
        URI applicationKey = URI.create("rundeck:auth:env:application");
        Attribute applicationEnv = new Attribute(applicationKey, "rundeck");
        return Collections.singleton(applicationEnv);
    }

    /**
     * Creates a project-context environment: a single attribute keyed
     * {@code rundeck:auth:env:project} whose value is the given project name.
     *
     * @param str project name, used as given
     * @return an immutable one-element set
     */
    private Set<Attribute> createAuthEnvironment(String str) {
        URI projectKey = URI.create("rundeck:auth:env:project");
        Attribute projectEnv = new Attribute(projectKey, str);
        return Collections.singleton(projectEnv);
    }

    /**
     * Compiler-generated accessor that forwards to the private {@code createAppEnv()}.
     *
     * @return the application-context environment set
     */
    static /* synthetic */ Set access$300() {
        Set<Attribute> applicationEnv = createAppEnv();
        return applicationEnv;
    }
}
