package org.geoserver.security.impl;

import java.io.File;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.stream.Collectors;
import org.geoserver.catalog.WorkspaceInfo;
import org.geoserver.catalog.util.CloseableIterator;
import org.geoserver.platform.GeoServerExtensions;
import org.geoserver.security.FileAccessManager;
import org.geoserver.security.GeoServerSecurityManager;
import org.geoserver.security.ResourceAccessManager;
import org.geoserver.security.ResourceAccessManagerWrapper;
import org.geoserver.security.SecureCatalogImpl;
import org.geoserver.security.WorkspaceAccessLimits;
import org.geotools.api.filter.Filter;
import org.geotools.util.logging.Logging;
import org.springframework.security.core.Authentication;

/* loaded from: input_file:org/geoserver/security/impl/DefaultFileAccessManager.class */
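/**
 * {@link FileAccessManager} that confines file access to a sandbox directory.
 *
 * <p>The sandbox location comes from one of two places, in this order:
 *
 * <ol>
 *   <li>the "system sandbox", read through {@link GeoServerExtensions#getProperty(String)} under
 *       the key {@link #GEOSERVER_DATA_SANDBOX}; when present it also applies to full
 *       administrators;
 *   <li>the sandbox configured in the {@link DataAccessRuleDAO}; full administrators are not
 *       restricted by it.
 * </ol>
 *
 * <p>When neither is set, no restriction is applied: {@link #checkAccess(File)} returns
 * {@code true} for every file. Users that are not full administrators are confined to
 * {@code <sandbox>/<workspace>} for the workspaces they are allowed to administer.
 */
public class DefaultFileAccessManager implements FileAccessManager {
    private static final Logger LOGGER = Logging.getLogger(DefaultFileAccessManager.class);

    // Key under which the system sandbox is looked up.
    // NOTE(review): this field is public and not final, so any code on the classpath can reassign
    // the key that reload() and the field initializer read. It is left non-final here only to
    // avoid breaking callers that may assign it; confirm and make it final if nothing does.
    public static String GEOSERVER_DATA_SANDBOX = "GEOSERVER_FILESYSTEM_SANDBOX";

    private final DataAccessRuleDAO dao;
    private final GeoServerSecurityManager securityManager;
    private final ResourceAccessManager resourceAccessManager;
    private final SecureCatalogImpl catalog;

    // System-wide sandbox; null when the property is not set. Refreshed by reload().
    private String systemSandbox = GeoServerExtensions.getProperty(GEOSERVER_DATA_SANDBOX);

    /**
     * Creates the manager.
     *
     * @param dataAccessRuleDAO source of the configured (non-system) sandbox location
     * @param secureCatalogImpl catalog used to list and look up workspaces; its resource access
     *     manager is used to evaluate workspace access limits
     * @param geoServerSecurityManager used to decide whether the current user is a full admin
     */
    public DefaultFileAccessManager(DataAccessRuleDAO dataAccessRuleDAO, SecureCatalogImpl secureCatalogImpl, GeoServerSecurityManager geoServerSecurityManager) {
        this.dao = dataAccessRuleDAO;
        this.catalog = secureCatalogImpl;
        this.securityManager = geoServerSecurityManager;
        this.resourceAccessManager = secureCatalogImpl.getResourceAccessManager();
    }

    /**
     * Returns the directories the current user may browse.
     *
     * <p>Side effect: for a user that is not a full administrator, the per-workspace directories
     * under the sandbox are created on disk if they do not exist yet.
     *
     * @return {@code null} when no sandbox applies to the current user (no sandbox configured, or
     *     a full administrator without a system sandbox); the system sandbox alone for a full
     *     administrator; otherwise one directory per workspace the user can administer
     */
    @Override
    public List<File> getAvailableRoots() {
        String filesystemSandbox = effectiveSandbox();
        if (filesystemSandbox == null) {
            return null;
        }
        Authentication user = user();
        if (this.securityManager.checkAuthenticationForAdminRole(user)) {
            // Full administrators are only bound by the system sandbox, not by the DAO one.
            if (this.systemSandbox != null) {
                return List.of(new File(this.systemSandbox));
            }
            return null;
        }

        // Collect the names first and close the iterator before touching the file system, so a
        // failure while listing workspaces leaves no partially created directory tree behind.
        List<String> adminableWorkspaces = new ArrayList<>();
        try (CloseableIterator<WorkspaceInfo> workspaces = this.catalog.list(WorkspaceInfo.class, Filter.INCLUDE)) {
            while (workspaces.hasNext()) {
                WorkspaceInfo workspaceInfo = workspaces.next();
                WorkspaceAccessLimits accessLimits = this.resourceAccessManager.getAccessLimits(user, workspaceInfo);
                if (accessLimits != null && accessLimits.isAdminable()) {
                    adminableWorkspaces.add(workspaceInfo.getName());
                }
            }
        }

        // NOTE(review): the workspace name is used verbatim as a path element below. This assumes
        // catalog validation never admits names containing separators or ".." - confirm.
        List<File> roots = adminableWorkspaces.stream()
                .map(name -> new File(filesystemSandbox, name))
                .collect(Collectors.toList());
        for (File root : roots) {
            // mkdirs() also returns false when the directory already exists, hence the second test.
            if (!root.mkdirs() && !root.isDirectory()) {
                LOGGER.log(Level.WARNING, () -> "Could not create sandbox directory " + root);
            }
        }
        return roots;
    }

    /**
     * Returns the sandbox directory in effect, regardless of who the current user is.
     *
     * @return the system sandbox if set, else the DAO-configured one, else {@code null}
     */
    @Override
    public File getSandbox() {
        String filesystemSandbox = effectiveSandbox();
        if (filesystemSandbox == null) {
            return null;
        }
        return new File(filesystemSandbox);
    }

    /**
     * Decides whether the current user may access the given file.
     *
     * <p>Decision order:
     *
     * <ol>
     *   <li>no sandbox configured: access is granted (fail-open by design of this class);
     *   <li>full administrator: granted unless a system sandbox is set and the file is outside it;
     *   <li>anyone else: the file must be inside the sandbox, its first path element below the
     *       sandbox must name an existing workspace, and the user must be able to administer
     *       that workspace.
     * </ol>
     *
     * <p>NOTE(review): containment is tested on absolute, lexically normalized paths (see
     * {@link #canonical(File)}). {@link Path#normalize()} does not resolve symbolic links, so a
     * link located inside the sandbox whose target lies outside it still passes this check.
     * Deployments relying on the sandbox as a security boundary should make sure the sandbox tree
     * holds no such links, or this check should be hardened with a real-path comparison.
     *
     * @param file the file or directory being accessed
     * @return {@code true} if access is allowed
     */
    @Override
    public boolean checkAccess(File file) {
        String filesystemSandbox = effectiveSandbox();
        LOGGER.log(Level.FINE, () -> "Filesystem sandbox: " + filesystemSandbox);
        if (filesystemSandbox == null) {
            return true;
        }
        Path sandboxPath = canonical(filesystemSandbox);
        Path filePath = canonical(file);
        Authentication user = user();
        // NOTE(review): getAvailableRoots() passes `user` to the admin check while this call uses
        // the no-argument overload; confirm both resolve the same authentication.
        if (this.securityManager.checkAuthenticationForAdminRole()) {
            if (this.systemSandbox == null || filePath.startsWith(sandboxPath)) {
                return true;
            }
            LOGGER.log(Level.FINE, () -> "Checked path " + filePath + " does not start with " + sandboxPath);
            return false;
        }
        // Path.startsWith compares whole name elements, so "/sandbox-other" is not "inside" "/sandbox".
        if (!filePath.startsWith(sandboxPath)) {
            return false;
        }
        // The first element below the sandbox root is interpreted as the workspace name.
        String path = sandboxPath.relativize(filePath).getName(0).toString();
        WorkspaceInfo workspaceByName = this.catalog.getWorkspaceByName(path);
        if (workspaceByName == null) {
            LOGGER.log(Level.FINE, () -> "Sandbox check, workspace not authorized " + path);
            return false;
        }
        WorkspaceAccessLimits accessLimits = this.resourceAccessManager.getAccessLimits(user, workspaceByName);
        LOGGER.log(Level.FINE, () -> "Sandbox auth check, workspace " + path + " access limits " + accessLimits);
        return accessLimits != null && accessLimits.isAdminable();
    }

    /**
     * Re-reads the system sandbox property and reloads the rule DAO. If the resource access
     * manager, once every {@link ResourceAccessManagerWrapper} is unwrapped, is a
     * {@link DefaultResourceAccessManager}, that one is reloaded as well.
     */
    public void reload() {
        this.systemSandbox = GeoServerExtensions.getProperty(GEOSERVER_DATA_SANDBOX);
        if (this.systemSandbox != null) {
            LOGGER.log(Level.FINE, () -> "System sandbox property found: " + this.systemSandbox);
        }
        this.dao.reload();

        // Peel off wrappers until the innermost manager is reached.
        ResourceAccessManager manager = this.resourceAccessManager;
        while (manager instanceof ResourceAccessManagerWrapper) {
            manager = ((ResourceAccessManagerWrapper) manager).unwrap();
        }
        if (manager instanceof DefaultResourceAccessManager) {
            ((DefaultResourceAccessManager) manager).reload();
        }
    }

    /** Returns the sandbox in effect: the system one if set, otherwise the DAO-configured one. */
    private String effectiveSandbox() {
        return this.systemSandbox != null ? this.systemSandbox : this.dao.getFilesystemSandbox();
    }

    /**
     * Absolute, lexically normalized form of the given location ("." and ".." collapsed).
     * Symbolic links are not resolved and the path does not need to exist.
     */
    private static Path canonical(String str) {
        return Paths.get(str).toAbsolutePath().normalize();
    }

    /**
     * Absolute, lexically normalized form of the given file ("." and ".." collapsed).
     * Symbolic links are not resolved and the file does not need to exist.
     */
    private static Path canonical(File file) {
        return file.toPath().toAbsolutePath().normalize();
    }

    /**
     * Tells whether a system-wide sandbox is set. The misspelling in the method name is part of
     * the public interface and is kept for compatibility.
     *
     * @return {@code true} if the system sandbox property was found
     */
    public boolean isSystemSanboxEnabled() {
        return this.systemSandbox != null;
    }
}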
