package net.bluemind.cli.group;

import java.util.Arrays;
import java.util.List;
import java.util.Optional;
import net.bluemind.cli.cmd.api.CliContext;
import net.bluemind.cli.cmd.api.CliException;
import net.bluemind.cli.cmd.api.ICmdLet;
import net.bluemind.cli.cmd.api.ICmdLetRegistration;
import net.bluemind.cli.utils.CliUtils;
import net.bluemind.core.container.api.ContainerQuery;
import net.bluemind.core.container.api.IContainerManagement;
import net.bluemind.core.container.api.IContainers;
import net.bluemind.core.container.model.ItemValue;
import net.bluemind.core.container.model.acl.AccessControlEntry;
import net.bluemind.core.container.model.acl.Verb;
import net.bluemind.domain.api.Domain;
import net.bluemind.group.api.IGroup;
import net.bluemind.group.api.Member;
import picocli.CommandLine;

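/**
 * CLI command {@code group set-delegation-acl}.
 *
 * <p>For one group (selected by {@code --name} or {@code --uid}) or for every group of the
 * domain, the command walks the group's user members. For each member it queries
 * {@code IContainers.allForUser} with a {@code "mailboxacl"} / {@link Verb#Write} query and keeps
 * the containers the member does not own. On every container whose ACL holds a Write-capable
 * entry for the group, it appends an entry granting the requested delegation verb directly to
 * the member.
 *
 * <p>Security notes:
 * <ul>
 *   <li>The command writes ACLs through the admin API, so the requested verb is restricted to
 *       {@link Verb#SendOnBehalf} and {@link Verb#SendAs}, the two values the option
 *       description and the error message advertise. Any other {@link Verb} constant is
 *       rejected before an ACL is read or written.</li>
 *   <li>{@code --dry} logs every decision and never calls {@code setAccessControlList}.</li>
 * </ul>
 */
@CommandLine.Command(name = "set-delegation-acl", description = {"Manage delegation acl of a user's group (group with write acces on mailbox container)"})
/* loaded from: input_file:net/bluemind/cli/group/GroupSetDelegationAclCommand.class */
public class GroupSetDelegationAclCommand implements ICmdLet, Runnable {
    private CliContext ctx;
    private CliUtils cliUtils;

    @CommandLine.Option(names = {"--domain"}, required = true, description = {"Target domain - must not be global.virt"})
    private String domain;

    @CommandLine.ArgGroup(exclusive = true, heading = "All domain's groups if --name or --uid is not set\r\n")
    private GroupOptions groupOptions;

    @CommandLine.Option(names = {"--verb"}, required = true, description = {"Delegation access verb (SendOnBehalf, SendAs)"})
    private String verb;

    @CommandLine.Option(names = {"--dry"}, description = {"Dry-run (do nothing)"})
    public boolean dry;
    private static final String DRY_MODE_PREFIX = "DRY MODE: ";

    /**
     * Mutually exclusive group selectors; the enclosing field stays {@code null} when neither
     * option is given, which the command treats as "all groups of the domain".
     */
    /* loaded from: input_file:net/bluemind/cli/group/GroupSetDelegationAclCommand$GroupOptions.class */
    private static class GroupOptions {

        @CommandLine.Option(names = {"--name"}, required = true, description = {"Target group name"})
        private String name;

        @CommandLine.Option(names = {"--uid"}, required = true, description = {"Target group UID"})
        private String uid;

        private GroupOptions() {
        }
    }

    /** Registers this command under the {@code group} command group. */
    /* loaded from: input_file:net/bluemind/cli/group/GroupSetDelegationAclCommand$Reg.class */
    public static class Reg implements ICmdLetRegistration {
        public Optional<String> group() {
            return Optional.of("group");
        }

        public Class<? extends ICmdLet> commandClass() {
            return GroupSetDelegationAclCommand.class;
        }
    }

    /**
     * Validates the options, resolves the target group(s) and processes each of them.
     *
     * @throws CliException if {@code --verb} is not SendOnBehalf or SendAs, or if the selected
     *     group cannot be resolved to a uid
     */
    @Override // java.lang.Runnable
    public void run() {
        ItemValue<Domain> notGlobalDomain = this.cliUtils.getNotGlobalDomain(this.domain);

        // Only verb parsing may produce the "Unauthorized verb" error. Other failures
        // (group not found, API errors) must surface with their own message instead of
        // being rewritten into a misleading verb error.
        Verb delegationVerb = parseDelegationVerb(this.verb);

        if (this.dry) {
            String scope = this.groupOptions != null
                    ? "group '" + targetGroupLabel() + "'"
                    : "all '" + notGlobalDomain.displayName + "' domain's groups";
            this.ctx.info(DRY_MODE_PREFIX + "Only list members with mailbox WRITE access inherited from {}", new Object[]{scope});
        }

        ContainerQuery writableMailboxAcls = ContainerQuery.type("mailboxacl");
        writableMailboxAcls.verb = Arrays.asList(Verb.Write);
        IGroup groupApi = (IGroup) this.ctx.adminApi().instance(IGroup.class, new String[]{notGlobalDomain.uid});

        if (this.groupOptions == null) {
            if (!this.dry) {
                this.ctx.info("Verify all '{}' domain's groups", new Object[]{notGlobalDomain.displayName});
            }
            // No display name is looked up in this mode: the uid doubles as the label.
            groupApi.allUids().forEach(groupUid ->
                    singleGroupTreatment(groupApi, notGlobalDomain, writableMailboxAcls, groupUid, groupUid, delegationVerb));
            return;
        }

        // --name is resolved through the group API; --uid is used as given. An unknown name
        // falls through to the uid, which is null because the two options are exclusive.
        String groupUid = Optional.ofNullable(this.groupOptions.name)
                .map(groupApi::byName)
                .map(found -> found.uid)
                .orElse(this.groupOptions.uid);
        String groupLabel = targetGroupLabel();
        if (groupUid == null) {
            throw new CliException("Group " + groupLabel + " not found!");
        }
        singleGroupTreatment(groupApi, notGlobalDomain, writableMailboxAcls, groupUid, groupLabel, delegationVerb);
    }

    /** Returns the group name when {@code --name} was given, otherwise the {@code --uid} value. */
    private String targetGroupLabel() {
        return this.groupOptions.name != null ? this.groupOptions.name : this.groupOptions.uid;
    }

    /**
     * Parses {@code --verb} and enforces the delegation allow-list.
     *
     * <p>{@code Verb.valueOf} alone accepts every enum constant (for example {@code Write},
     * which this class itself references), so the parsed value is also compared against the
     * two verbs the command is documented to accept.
     *
     * @param rawVerb value of the {@code --verb} option
     * @return {@link Verb#SendOnBehalf} or {@link Verb#SendAs}
     * @throws CliException for a null, unknown or non-delegation verb
     */
    private static Verb parseDelegationVerb(String rawVerb) {
        Verb parsed = null;
        if (rawVerb != null) {
            try {
                parsed = Verb.valueOf(rawVerb);
            } catch (IllegalArgumentException ignored) {
                // Not a Verb constant: reported below with the same message as a disallowed verb.
            }
        }
        if (parsed != Verb.SendOnBehalf && parsed != Verb.SendAs) {
            throw new CliException(String.format("Unauthorized verb '%s', only accept [%s,%s]", rawVerb, Verb.SendOnBehalf, Verb.SendAs));
        }
        return parsed;
    }

    /**
     * Processes one group: for every user member, visits the matching containers the member
     * does not own and grants the delegation verb where the group holds Write access.
     *
     * @param groupApi group API bound to the target domain
     * @param domainItem target domain
     * @param containerQuery query passed to {@code IContainers.allForUser}
     * @param groupUid uid of the group, matched against ACL subjects
     * @param groupLabel name or uid used in log output
     * @param delegationVerb validated verb to grant
     */
    private void singleGroupTreatment(IGroup groupApi, ItemValue<Domain> domainItem, ContainerQuery containerQuery, String groupUid, String groupLabel, Verb delegationVerb) {
        String logPrefix = this.dry ? DRY_MODE_PREFIX : "";
        List<Member> members = groupApi.getMembers(groupUid);
        this.ctx.info(logPrefix + "Verify all {} members WRITE access for group '{}'", new Object[]{Integer.valueOf(members.size()), groupLabel});

        IContainers containersApi = (IContainers) this.ctx.adminApi().instance(IContainers.class, new String[0]);
        for (Member member : members) {
            // Only direct user members are handled; other member types are skipped.
            if (member.type != Member.Type.user) {
                continue;
            }
            String memberUid = member.uid;
            List<String> containerUids = containersApi.allForUser(domainItem.uid, memberUid, containerQuery).stream()
                    // A member's own containers need no delegation to that member.
                    .filter(descriptor -> !descriptor.owner.equalsIgnoreCase(memberUid))
                    .map(descriptor -> descriptor.uid)
                    .toList();
            for (String containerUid : containerUids) {
                grantDelegation(logPrefix, groupUid, memberUid, containerUid, delegationVerb);
            }
        }
    }

    /**
     * Adds a {@code (memberUid, delegationVerb)} entry to one container ACL when the group
     * holds a Write-capable entry there and the grant is not made redundant by an existing
     * SendAs entry.
     *
     * <p>NOTE(review): the decompiled listing reused a single identifier for the member uid and
     * the container uid. The roles below follow the API parameter positions and the log text
     * ("Member '{}' on '{}'"); confirm against the original source.
     */
    private void grantDelegation(String logPrefix, String groupUid, String memberUid, String containerUid, Verb delegationVerb) {
        IContainerManagement aclApi = (IContainerManagement) this.ctx.adminApi().instance(IContainerManagement.class, new String[]{containerUid});
        List<AccessControlEntry> acl = aclApi.getAccessControlList();

        // The member's Write access must come from the group itself on this container.
        boolean groupHasWrite = acl.stream()
                .anyMatch(entry -> entry.verb.can(Verb.Write) && entry.subject.equalsIgnoreCase(groupUid));
        if (!groupHasWrite) {
            this.ctx.warn(logPrefix + "No '{}' access add to Member '{}' on '{}' (because it does not inherit the 'WRITE' access from the group)", new Object[]{this.verb, memberUid, containerUid});
            return;
        }

        boolean sendAsAlreadyGranted = delegationVerb.can(Verb.SendOnBehalf)
                && acl.stream().anyMatch(entry -> entry.verb.can(Verb.SendAs) && entry.subject.equalsIgnoreCase(memberUid));
        if (sendAsAlreadyGranted) {
            this.ctx.warn(logPrefix + "No '{}' access add to Member '{}' on '{}' (because the 'SendAs' access is already present)", new Object[]{this.verb, memberUid, containerUid});
            return;
        }

        this.ctx.info(logPrefix + "Add '{}' access to Member '{}' on '{}' (because it inherits the 'WRITE' access from the group)", new Object[]{this.verb, memberUid, containerUid});
        if (this.dry) {
            // Dry run: the decision is logged, the ACL is neither modified nor written back.
            return;
        }
        // NOTE(review): an entry identical to the one added here is not checked for; whether
        // setAccessControlList de-duplicates on repeated runs is not visible from this class.
        acl.add(AccessControlEntry.create(memberUid, delegationVerb));
        aclApi.setAccessControlList(acl);
    }

    /**
     * Binds the command to its CLI context before picocli runs it.
     *
     * @param cliContext context giving access to the admin API and console output
     * @return this command
     */
    public Runnable forContext(CliContext cliContext) {
        this.ctx = cliContext;
        this.cliUtils = new CliUtils(cliContext);
        return this;
    }
}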
