package net.bluemind.core.container.service.internal;

import com.google.common.collect.ImmutableSet;
import java.sql.SQLException;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import net.bluemind.core.api.fault.ErrorCode;
import net.bluemind.core.api.fault.ServerFault;
import net.bluemind.core.container.model.Container;
import net.bluemind.core.container.model.ContainerUid;
import net.bluemind.core.container.model.acl.Verb;
import net.bluemind.core.container.repository.IContainerStore;
import net.bluemind.core.context.SecurityContext;
import net.bluemind.core.rest.BmContext;
import net.bluemind.core.rest.ServerSideServiceProvider;
import net.bluemind.directory.api.BaseDirEntry;
import net.bluemind.directory.api.DirEntry;
import net.bluemind.directory.api.IDirectory;
import net.bluemind.repository.provider.RepositoryProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/bluemind/core/container/service/internal/RBACManager.class */
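/**
 * Role-based access checks for the caller described by a {@link BmContext}.
 *
 * <p>A manager is narrowed with {@link #forContainer(String)}, {@link #forContainer(Container)},
 * {@link #forEntry(String)}, {@link #forDomain(String)} and {@link #forOrgUnit(String)}. Each of
 * these returns a NEW manager; the receiver is never mutated. The caller's permissions come from
 * up to three resolvers (container, directory entry, direct/context roles) and are matched with
 * {@code Permission.implies}.
 *
 * <p>Points a caller should be aware of (all visible in this class):
 * <ul>
 *   <li>{@link #can(Set)} is "any of": it succeeds as soon as one candidate permission is implied.
 *       {@link #check(Set)} delegates to it, so {@code check("A", "B")} passes with either role.
 *       {@link #canAll(Set)} requires every candidate permission, including every generated form
 *       (simple, container verb, dirEntry) of every role -- it is stricter than "each role in
 *       some form".</li>
 *   <li>A domain-global security context short-circuits {@link #can(Set)} and {@link #canAll(Set)}
 *       to {@code true}, and {@link #forContext(BmContext)} hands such a caller a
 *       {@link SystemRBACManager} that passes every check regardless of scope.</li>
 *   <li>Directory lookups made while building the candidate set go through {@code context.su()},
 *       i.e. they are not limited by the caller's own rights; the lookup only determines the kind
 *       of the target entry, and the resulting candidate is still matched against the caller's
 *       permissions.</li>
 * </ul>
 */
public class RBACManager {
    private static final Logger logger = LoggerFactory.getLogger(RBACManager.class);
    private BmContext context;
    private String domain;
    private IDirectory directory;
    private DirEntryPermissionResolver dirEntryResolver;
    private ContainerPermissionResolver containerPermissionResolver;
    private DirectPermissionResolver directPermissionResolver;
    private String dirEntryUid;
    private Container container;

    /** Result of {@link #buildPermContext(Set)}: what the caller holds vs. what a check needs. */
    private static final class PermContext {
        /** Permissions the caller holds (container + dirEntry + direct resolvers). */
        final Set<Permission> perms = new HashSet<>();
        /** Candidate permissions generated from the requested roles; see can/canAll for how they are combined. */
        final Set<Permission> checkPerms = new HashSet<>();
    }

    /**
     * All-permissive manager handed out by {@link #forContext(BmContext)} for domain-global
     * (system) contexts. Every check passes, every scoping method returns {@code this}, and
     * {@link #resolve()} adds a container {@link Verb#All} permission to what the resolvers yield.
     */
    private static final class SystemRBACManager extends RBACManager {
        SystemRBACManager(BmContext bmContext) {
            super(bmContext);
        }

        @Override
        public boolean canAll(Set<String> set) {
            return true;
        }

        @Override
        public boolean can(Set<String> set) {
            return true;
        }

        @Override
        public void checkNotAnoynmous() throws ServerFault {
            // system contexts are never treated as anonymous
        }

        @Override
        public void check(Set<String> set) throws ServerFault {
            // always authorized
        }

        @Override
        public RBACManager forContainer(String str) throws ServerFault {
            return this;
        }

        @Override
        public RBACManager forContainer(Container container) throws ServerFault {
            return this;
        }

        @Override
        public RBACManager forEntry(String str) throws ServerFault {
            return this;
        }

        @Override
        public RBACManager forDomain(String str) {
            return this;
        }

        @Override
        public RBACManager forOrgUnit(String str) {
            return this;
        }

        @Override
        public Set<Permission> resolve() {
            Set<Permission> resolved = super.resolve();
            resolved.add(new ContainerPermission(Verb.All));
            return resolved;
        }
    }

    /**
     * Creates an unscoped manager (no container, entry or domain); only the direct/context roles
     * of {@code bmContext} take part in checks until a scoping method is used.
     */
    public RBACManager(BmContext bmContext) {
        this.context = bmContext;
        this.directPermissionResolver = new DirectPermissionResolver(bmContext);
    }

    /** Varargs form of {@link #can(Set)} ("any of" semantics). */
    public final boolean can(String... strArr) {
        Set<String> wanted = ImmutableSet.copyOf(strArr);
        return can(wanted);
    }

    /**
     * Returns the caller's permissions for the current scope as a MUTABLE set (the
     * {@link SystemRBACManager} override adds to it).
     */
    public Set<Permission> resolve() {
        Set<Permission> resolved = new HashSet<>();
        collectHeldPermissions(resolved);
        return resolved;
    }

    /** Adds the output of every configured resolver to {@code into}; the direct resolver is always present. */
    private void collectHeldPermissions(Set<Permission> into) {
        if (containerPermissionResolver != null) {
            into.addAll(containerPermissionResolver.resolve());
        }
        if (dirEntryResolver != null) {
            into.addAll(dirEntryResolver.resolve());
        }
        into.addAll(directPermissionResolver.resolve());
    }

    /**
     * Builds the candidate permissions for {@code roles} and the permissions the caller holds.
     *
     * <p>For each role the candidates are: a {@link SimplePermission}, a container permission when
     * the role name is also a {@link Verb}, and -- when a domain is in scope -- a
     * {@link DirEntryPermission} whose kind is that of the scoped entry. If the scoped entry uid
     * cannot be found in the directory, the dirEntry candidate falls back to
     * {@link BaseDirEntry.Kind#DOMAIN}, i.e. an unknown entry is checked against domain-level rights.
     */
    private PermContext buildPermContext(Set<String> roles) {
        PermContext ctx = new PermContext();
        for (String role : roles) {
            ctx.checkPerms.add(new SimplePermission(role));
            try {
                ctx.checkPerms.add(ContainerPermission.asPerm(Verb.valueOf(role)));
            } catch (IllegalArgumentException ignored) {
                // role is not the name of a container Verb; only the other forms apply
            }
        }
        if (domain != null) {
            BaseDirEntry.Kind kind = BaseDirEntry.Kind.DOMAIN;
            if (dirEntryUid != null) {
                // system-privileged lookup (see directory()); only the entry kind is used here
                DirEntry entry = directory().findByEntryUid(dirEntryUid);
                if (entry != null) {
                    kind = entry.kind;
                }
            }
            for (String role : roles) {
                ctx.checkPerms.add(DirEntryPermission.create(kind, role));
            }
        }
        collectHeldPermissions(ctx.perms);
        return ctx;
    }

    /** True when at least one permission in {@code held} implies {@code required}. */
    private static boolean isImplied(Permission required, Set<Permission> held) {
        return held.stream().anyMatch(p -> p.implies(required));
    }

    /**
     * "All of" check: every candidate permission generated for {@code roles} must be implied by
     * the caller's permissions. An empty {@code roles} set and a domain-global caller always pass.
     */
    public boolean canAll(Set<String> roles) {
        if (roles.isEmpty() || context.getSecurityContext().isDomainGlobal()) {
            return true;
        }
        PermContext ctx = buildPermContext(roles);
        for (Permission required : ctx.checkPerms) {
            logger.debug("check perm {} with perms {}", required, ctx.perms);
            if (!isImplied(required, ctx.perms)) {
                return false;
            }
        }
        return true;
    }

    /**
     * "Any of" check: passes as soon as one candidate permission generated for {@code roles} is
     * implied by the caller's permissions. An empty {@code roles} set and a domain-global caller
     * always pass.
     */
    public boolean can(Set<String> roles) {
        if (roles.isEmpty() || context.getSecurityContext().isDomainGlobal()) {
            return true;
        }
        PermContext ctx = buildPermContext(roles);
        for (Permission candidate : ctx.checkPerms) {
            logger.debug("check perm {} with perms {}", candidate, ctx.perms);
            if (isImplied(candidate, ctx.perms)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Rejects anonymous callers.
     *
     * @throws ServerFault {@link ErrorCode#PERMISSION_DENIED} when the security context is anonymous
     */
    public void checkNotAnoynmous() throws ServerFault {
        if (context.getSecurityContext().isAnonymous()) {
            throw new ServerFault("not authorized call", ErrorCode.PERMISSION_DENIED);
        }
    }

    /**
     * Enforces {@link #can(Set)} ("any of").
     *
     * @throws ServerFault {@link ErrorCode#PERMISSION_DENIED} naming the subject, the requested
     *         roles and the current scope. The message includes the scoped container/entry uid;
     *         whether these faults are relayed verbatim to remote clients cannot be determined here.
     */
    public void check(Set<String> roles) throws ServerFault {
        if (can(roles)) {
            return;
        }
        throw new ServerFault(deniedMessage(roles), ErrorCode.PERMISSION_DENIED);
    }

    /** Builds the PERMISSION_DENIED message for the current scope (container, entry, domain or none). */
    private String deniedMessage(Set<String> roles) {
        SecurityContext sc = context.getSecurityContext();
        String subject = sc.getSubject();
        String subjectContainer = sc.getContainerUid();
        String wanted = String.join(",", roles);
        if (container != null) {
            return String.format("%s@%s Doesnt have role %s on container %s@%s ", subject, subjectContainer, wanted, container.uid, container.domainUid);
        }
        if (dirEntryUid != null) {
            return String.format("%s@%s Doesnt have role %s on dirEntry %s@%s ", subject, subjectContainer, wanted, dirEntryUid, domain);
        }
        if (domain != null) {
            return String.format("%s@%s Doesnt have role %s on domain %s ", subject, subjectContainer, wanted, domain);
        }
        return String.format("%s@%s Doesnt have role %s", subject, subjectContainer, wanted);
    }

    /** Varargs form of {@link #check(Set)}; built the same way as {@link #can(String...)}. */
    public final void check(String... strArr) throws ServerFault {
        Set<String> wanted = ImmutableSet.copyOf(strArr);
        check(wanted);
    }

    /**
     * Scopes to the container with uid {@code str}, loading it from the container store.
     *
     * @throws ServerFault {@link ErrorCode#NOT_FOUND} when no such container exists -- note this is
     *         raised before any role check, so the fault distinguishes "missing" from "forbidden"
     *         for any caller able to reach this method; {@code sqlFault} on store errors.
     */
    public RBACManager forContainer(String str) throws ServerFault {
        try {
            IContainerStore store = (IContainerStore) RepositoryProvider.instance(IContainerStore.class, context, ContainerUid.of(str));
            Container loaded = store.get(str);
            if (loaded == null) {
                throw new ServerFault("container " + str + " not found", ErrorCode.NOT_FOUND);
            }
            return forContainer(loaded);
        } catch (SQLException e) {
            throw ServerFault.sqlFault(e);
        }
    }

    /**
     * Scopes to {@code container}: container ACLs plus, when the container has a domain, the
     * directory-entry permissions of its owner. A container without a domain uid gets container
     * ACL checks only (warning logged) -- no dirEntry candidates are generated for it.
     */
    public RBACManager forContainer(Container container) throws ServerFault {
        RBACManager scoped = new RBACManager(context);
        scoped.containerPermissionResolver = new ContainerPermissionResolver(context, container);
        scoped.container = container;
        if (container.domainUid != null) {
            bindEntryScope(scoped, container.domainUid, container.owner, null);
        } else {
            logger.warn("container {} domain uid is null ", container.uid);
        }
        return scoped;
    }

    /** Sets the domain/entry scope of {@code target} and installs the matching dirEntry resolver. */
    private void bindEntryScope(RBACManager target, String domainUid, String entryUid, String orgUnitUid) {
        target.domain = domainUid;
        target.dirEntryUid = entryUid;
        target.dirEntryResolver = new DirEntryPermissionResolver(context, domainUid, entryUid, orgUnitUid);
    }

    /** Scopes to directory entry {@code str} within this manager's current domain (no container). */
    public RBACManager forEntry(String str) throws ServerFault {
        RBACManager scoped = new RBACManager(context);
        bindEntryScope(scoped, domain, str, null);
        return scoped;
    }

    /** Scopes to domain {@code str} as a whole (no container, no entry). */
    public RBACManager forDomain(String str) {
        RBACManager scoped = new RBACManager(context);
        bindEntryScope(scoped, str, null, null);
        return scoped;
    }

    /**
     * Scopes to org unit {@code str} within the current domain. A {@code null} org unit returns
     * {@code this} unchanged, i.e. the check is NOT narrowed -- callers that require an OU
     * restriction must not pass null.
     */
    public RBACManager forOrgUnit(String str) {
        if (str == null) {
            return this;
        }
        RBACManager scoped = new RBACManager(context);
        bindEntryScope(scoped, domain, null, str);
        return scoped;
    }

    /** Role names of every permission in {@link #resolve()}. */
    public Set<String> roles() {
        return resolve().stream().map(Permission::asRole).collect(Collectors.toSet());
    }

    /** Roles carried directly by the security context, without resolver expansion. */
    public List<String> directRoles() {
        return context.getSecurityContext().getRoles();
    }

    /** Manager for {@code bmContext}; domain-global contexts get the all-permissive {@link SystemRBACManager}. */
    public static RBACManager forContext(BmContext bmContext) {
        if (bmContext.getSecurityContext().isDomainGlobal()) {
            return new SystemRBACManager(bmContext);
        }
        return new RBACManager(bmContext);
    }

    /** Convenience for {@link #forContext(BmContext)} starting from a {@link SecurityContext}. */
    public static RBACManager forSecurityContext(SecurityContext securityContext) {
        return forContext(ServerSideServiceProvider.getProvider(securityContext).getContext());
    }

    /**
     * Lazily obtains the directory service for the scoped domain via {@code context.su()}, so the
     * lookup runs with system rights rather than the caller's. The lazy init is unsynchronized;
     * a manager is presumably confined to one request thread -- confirm before sharing instances.
     *
     * @throws ServerFault when no domain is in scope
     */
    private IDirectory directory() throws ServerFault {
        if (domain == null) {
            throw new ServerFault("domain is not defined");
        }
        if (directory == null) {
            directory = (IDirectory) context.su().provider().instance(IDirectory.class, new String[]{domain});
        }
        return directory;
    }
}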
