package org.restcomm.connect.http.security;

import java.util.Iterator;
import java.util.Set;
import javax.servlet.ServletContext;
import org.apache.commons.lang.NotImplementedException;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.SimpleRole;
import org.apache.shiro.authz.permission.WildcardPermissionResolver;
import org.restcomm.connect.commons.dao.Sid;
import org.restcomm.connect.dao.AccountsDao;
import org.restcomm.connect.dao.DaoManager;
import org.restcomm.connect.dao.OrganizationsDao;
import org.restcomm.connect.dao.entities.Account;
import org.restcomm.connect.dao.entities.Organization;
import org.restcomm.connect.dao.exceptions.AccountHierarchyDepthCrossed;
import org.restcomm.connect.http.exceptions.AuthorizationException;
import org.restcomm.connect.http.exceptions.InsufficientPermission;
import org.restcomm.connect.http.exceptions.OperatedAccountMissing;
import org.restcomm.connect.identity.AuthOutcome;
import org.restcomm.connect.identity.IdentityContext;
import org.restcomm.connect.identity.UserIdentityContext;
import org.restcomm.connect.identity.shiro.RestcommRoles;

/* loaded from: input_file:org/restcomm/connect/http/security/PermissionEvaluator.class */
public class PermissionEvaluator {
    private Logger logger = LogManager.getLogger(PermissionEvaluator.class);
    private AccountsDao accountsDao;
    private OrganizationsDao organizationsDao;
    private IdentityContext identityContext;
    private ServletContext context;

    /* loaded from: input_file:org/restcomm/connect/http/security/PermissionEvaluator$SecuredType.class */
    public enum SecuredType {
        SECURED_APP,
        SECURED_ACCOUNT,
        SECURED_STANDARD
    }

    public PermissionEvaluator() {
    }

    public PermissionEvaluator(ServletContext servletContext) {
        this.context = servletContext;
        DaoManager daoManager = (DaoManager) servletContext.getAttribute(DaoManager.class.getName());
        this.accountsDao = daoManager.getAccountsDao();
        this.organizationsDao = daoManager.getOrganizationsDao();
        this.identityContext = (IdentityContext) servletContext.getAttribute(IdentityContext.class.getName());
    }

    public boolean isSuperAdmin(UserIdentityContext userIdentityContext) {
        return userIdentityContext.getEffectiveAccount().getParentSid() == null && userIdentityContext.getEffectiveAccount().getStatus().equals(Account.Status.ACTIVE);
    }

    public boolean isDirectChildOfAccount(Account account, Account account2) {
        return account2.getParentSid().equals(account.getSid());
    }

    public void allowOnlySuperAdmin(UserIdentityContext userIdentityContext) {
        if (!isSuperAdmin(userIdentityContext)) {
            throw new InsufficientPermission();
        }
    }

    public void checkPermission(String str, UserIdentityContext userIdentityContext) {
        if (checkPermission(str, userIdentityContext.getEffectiveAccountRoles()) != AuthOutcome.OK) {
            throw new InsufficientPermission();
        }
    }

    public boolean isSecuredByPermission(String str, UserIdentityContext userIdentityContext) {
        try {
            checkPermission(str, userIdentityContext);
            return true;
        } catch (AuthorizationException e) {
            return false;
        }
    }

    public void secure(Account account, String str, UserIdentityContext userIdentityContext) throws AuthorizationException {
        secure(account, str, SecuredType.SECURED_STANDARD, userIdentityContext);
    }

    public void secure(Account account, String str, SecuredType securedType, UserIdentityContext userIdentityContext) throws AuthorizationException {
        checkPermission(str, userIdentityContext);
        checkOrganization(account, userIdentityContext);
        if (account == null) {
            throw new OperatedAccountMissing();
        }
        if (securedType == SecuredType.SECURED_STANDARD) {
            if (secureLevelControl(account, null, userIdentityContext) != AuthOutcome.OK) {
                throw new InsufficientPermission();
            }
        } else if (securedType == SecuredType.SECURED_APP) {
            if (secureLevelControlApplications(account, null, userIdentityContext) != AuthOutcome.OK) {
                throw new InsufficientPermission();
            }
        } else if (securedType == SecuredType.SECURED_ACCOUNT && secureLevelControlAccounts(account, userIdentityContext) != AuthOutcome.OK) {
            throw new InsufficientPermission();
        }
    }

    private void checkOrganization(Account account, UserIdentityContext userIdentityContext) throws IllegalStateException {
        Sid organizationSid = account.getOrganizationSid();
        if (organizationSid == null) {
            String str = "there is no organization assosiate with this account: " + account.getSid();
            this.logger.error(str);
            throw new IllegalStateException(str);
        }
        Organization organization = this.organizationsDao.getOrganization(organizationSid);
        if (organization == null || organization.getDomainName() == null || organization.getDomainName().trim().isEmpty()) {
            String str2 = "Invalid or Null Organization: " + organization + " for account: " + account.getSid();
            this.logger.error(str2);
            throw new IllegalStateException(str2);
        }
    }

    public void secure(Account account, Sid sid, SecuredType securedType, UserIdentityContext userIdentityContext) throws AuthorizationException {
        if (account == null) {
            throw new OperatedAccountMissing();
        }
        String sid2 = sid == null ? null : sid.toString();
        if (securedType == SecuredType.SECURED_APP) {
            if (secureLevelControlApplications(account, sid2, userIdentityContext) != AuthOutcome.OK) {
                throw new InsufficientPermission();
            }
        } else if (securedType == SecuredType.SECURED_STANDARD) {
            if (secureLevelControl(account, sid2, userIdentityContext) != AuthOutcome.OK) {
                throw new InsufficientPermission();
            }
        } else {
            if (securedType != SecuredType.SECURED_ACCOUNT) {
                throw new NotImplementedException();
            }
            throw new IllegalStateException("Account security is not supported when using sub-resources");
        }
    }

    public boolean hasAccountRole(String str, UserIdentityContext userIdentityContext) {
        if (userIdentityContext.getEffectiveAccount() != null) {
            return userIdentityContext.getEffectiveAccountRoles().contains(str);
        }
        return false;
    }

    private AuthOutcome checkPermission(String str, Set<String> set) {
        String next;
        SimpleRole role;
        if (set.contains(getAdministratorRole())) {
            return AuthOutcome.OK;
        }
        Permission resolvePermission = new WildcardPermissionResolver().resolvePermission(str);
        RestcommRoles restcommRoles = this.identityContext.getRestcommRoles();
        Iterator<String> it = set.iterator();
        while (it.hasNext() && (role = restcommRoles.getRole((next = it.next()))) != null) {
            for (Permission permission : role.getPermissions()) {
                if (permission.implies(resolvePermission)) {
                    if (this.logger.isDebugEnabled()) {
                        this.logger.debug("Granted access by permission " + permission.toString());
                    }
                    return AuthOutcome.OK;
                }
            }
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("Role " + next + " does not allow " + str);
            }
        }
        return AuthOutcome.FAILED;
    }

    private AuthOutcome secureLevelControl(Account account, String str, UserIdentityContext userIdentityContext) {
        Account effectiveAccount = userIdentityContext.getEffectiveAccount();
        String str2 = null;
        if (effectiveAccount != null) {
            str2 = effectiveAccount.getSid().toString();
        }
        String str3 = null;
        if (account != null) {
            str3 = account.getSid().toString();
        }
        if (str != null && !str.equals(str3)) {
            return AuthOutcome.FAILED;
        }
        if (str2.equals(str3)) {
            return AuthOutcome.OK;
        }
        if (account.getParentSid() == null || (!account.getParentSid().toString().equals(str2) && !this.accountsDao.getAccountLineage(account).contains(str2))) {
            return AuthOutcome.FAILED;
        }
        return AuthOutcome.OK;
    }

    private AuthOutcome secureLevelControlApplications(Account account, String str, UserIdentityContext userIdentityContext) {
        return secureLevelControl(account, str, userIdentityContext);
    }

    private AuthOutcome secureLevelControlAccounts(Account account, UserIdentityContext userIdentityContext) throws AccountHierarchyDepthCrossed {
        Account effectiveAccount = userIdentityContext.getEffectiveAccount();
        String sid = effectiveAccount.getSid().toString();
        String sid2 = account.getSid().toString();
        if (!getAdministratorRole().equals(effectiveAccount.getRole())) {
            return sid.equals(sid2) ? AuthOutcome.OK : AuthOutcome.FAILED;
        }
        if (sid.equals(sid2)) {
            return AuthOutcome.OK;
        }
        if (account.getParentSid() == null || (!account.getParentSid().toString().equals(sid) && !this.accountsDao.getAccountLineage(account).contains(sid))) {
            return AuthOutcome.FAILED;
        }
        return AuthOutcome.OK;
    }

    public String getAdministratorRole() {
        return AccountPrincipal.ADMIN_ROLE;
    }
}
