package pl.edu.icm.unity.engine.authz;

import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Primary;
import org.springframework.stereotype.Component;
import pl.edu.icm.unity.engine.api.authn.InvocationContext;
import pl.edu.icm.unity.engine.api.authn.LoginSession;
import pl.edu.icm.unity.engine.api.config.UnityServerConfiguration;
import pl.edu.icm.unity.engine.attribute.AttributesHelper;
import pl.edu.icm.unity.exceptions.AuthorizationException;
import pl.edu.icm.unity.exceptions.AuthorizationExceptionRT;
import pl.edu.icm.unity.store.api.GroupDAO;
import pl.edu.icm.unity.store.api.tx.Transactional;
import pl.edu.icm.unity.types.basic.Attribute;
import pl.edu.icm.unity.types.basic.Group;

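@Component
@Primary
/**
 * Default {@link InternalAuthorizationManager}: holds the fixed set of built-in roles (system manager,
 * contents manager, inspectors, regular and anonymous user), maps them to {@link AuthzCapability}s and
 * checks the capabilities required by an operation against the roles of the calling session.
 * <p>
 * Roles of the caller are established through a {@link CachingRolesResolver} which is created in the
 * constructor and shares this bean's role registry. The name of the checked operation, reported in
 * "Access is denied" messages, is recovered from the call stack (see {@link #getCallerMethodName(int)}).
 */
public class InternalAuthorizationManagerImpl implements InternalAuthorizationManager {
    public static final String SYSTEM_MANAGER_ROLE = "System Manager";
    public static final String CONTENTS_MANAGER_ROLE = "Contents Manager";
    public static final String PRIVILEGED_INSPECTOR_ROLE = "Privileged Inspector";
    public static final String INSPECTOR_ROLE = "Inspector";
    public static final String USER_ROLE = "Regular User";
    public static final String ANONYMOUS_ROLE = "Anonymous User";

    // Role registry keyed by role name. Insertion order is kept so that getRolesDescription()
    // lists roles from the most to the least privileged. Populated once in the constructor and
    // never modified afterwards; the same map instance is handed to the roles resolver.
    private final Map<String, AuthzRole> roles = new LinkedHashMap<String, AuthzRole>();
    private final CachingRolesResolver rolesResolver;

    /**
     * Creates the manager, registers the built-in roles and builds the caching roles resolver.
     *
     * @param attributesHelper helper used by the resolver to read role attributes
     * @param unityServerConfiguration server configuration; the value of
     *        {@code authorizationRoleCacheTTL} is used as the resolver's cache TTL
     * @param groupDAO group DAO passed on to the resolver
     */
    @Autowired
    public InternalAuthorizationManagerImpl(AttributesHelper attributesHelper,
            UnityServerConfiguration unityServerConfiguration, GroupDAO groupDAO) {
        // Roles must be registered before the resolver gets a reference to the registry.
        setupRoleCapabilities();
        long cacheTtl = unityServerConfiguration.getLongValue("authorizationRoleCacheTTL").longValue();
        this.rolesResolver = new CachingRolesResolver(this.roles, attributesHelper, cacheTtl, groupDAO);
    }

    /**
     * Registers the built-in roles. The first capability array of each role is its regular capability set;
     * the second one (where present) is passed to the {@link RoleImpl} four-argument constructor and is
     * presumably the capability set that applies when the caller operates on its own entity
     * (the boolean flag of {@link #getCapabilities(boolean, String)}) - confirm against RoleImpl.
     */
    private void setupRoleCapabilities() {
        setupRole(new RoleImpl(SYSTEM_MANAGER_ROLE,
                "System manager with all privileges.",
                new AuthzCapability[]{AuthzCapability.maintenance, AuthzCapability.attributeModify,
                        AuthzCapability.groupModify, AuthzCapability.identityModify,
                        AuthzCapability.credentialModify, AuthzCapability.readHidden,
                        AuthzCapability.read, AuthzCapability.readInfo}));
        setupRole(new RoleImpl(CONTENTS_MANAGER_ROLE,
                "Allows for performing all management operations related to groups, entities and attributes. Also allows for reading information about hidden attributes.",
                new AuthzCapability[]{AuthzCapability.attributeModify, AuthzCapability.groupModify,
                        AuthzCapability.identityModify, AuthzCapability.credentialModify,
                        AuthzCapability.readHidden, AuthzCapability.read, AuthzCapability.readInfo}));
        setupRole(new RoleImpl(PRIVILEGED_INSPECTOR_ROLE,
                "Allows for reading entities, groups and attributes, including the attributes visible locally only. No modifications are possible",
                new AuthzCapability[]{AuthzCapability.readHidden, AuthzCapability.read, AuthzCapability.readInfo},
                new AuthzCapability[]{AuthzCapability.credentialModify, AuthzCapability.attributeModify,
                        AuthzCapability.identityModify, AuthzCapability.read}));
        setupRole(new RoleImpl(INSPECTOR_ROLE,
                "Allows for reading entities, groups and attributes. No modifications are possible",
                new AuthzCapability[]{AuthzCapability.read, AuthzCapability.readInfo},
                new AuthzCapability[]{AuthzCapability.credentialModify, AuthzCapability.attributeModify,
                        AuthzCapability.identityModify, AuthzCapability.read}));
        setupRole(new RoleImpl(USER_ROLE,
                "Allows owners for reading of the basic system information, retrieval of information about themselves and also for changing self managed attributes, identities and passwords",
                new AuthzCapability[]{AuthzCapability.readInfo},
                new AuthzCapability[]{AuthzCapability.credentialModify, AuthzCapability.attributeModify,
                        AuthzCapability.identityModify, AuthzCapability.read}));
        setupRole(new RoleImpl(ANONYMOUS_ROLE,
                "Allows for minimal access to the system: owners can get basic system information and retrieve information about themselves",
                new AuthzCapability[]{AuthzCapability.readInfo},
                new AuthzCapability[]{AuthzCapability.read}));
    }

    /** Adds a role to the registry under its name; a later role with the same name replaces an earlier one. */
    private void setupRole(AuthzRole role) {
        this.roles.put(role.getName(), role);
    }

    /**
     * Returns the names of all registered roles, in registration order.
     * <p>
     * The returned set is a read-only view: the registry is shared with the roles resolver, so callers
     * must not be able to remove roles through it.
     */
    @Override
    public Set<String> getRoleNames() {
        return Collections.unmodifiableSet(this.roles.keySet());
    }

    /**
     * Returns an HTML fragment listing every registered role as {@code <b>name</b> - description},
     * one role per line. Names and descriptions are the compile-time constants registered in
     * {@link #setupRoleCapabilities()}.
     */
    @Override
    public String getRolesDescription() {
        StringBuilder sb = new StringBuilder();
        for (AuthzRole role : this.roles.values()) {
            sb.append("<b>").append(role.getName()).append("</b> - ")
                    .append(role.getDescription()).append("\n");
        }
        return sb.toString();
    }

    /**
     * Checks that the caller holds all of the given capabilities in the root group.
     *
     * @param requiredCapabilities capabilities required by the calling operation; an empty array only
     *        requires an authenticated session (see {@link #getVerifiedClient(AuthzCapability...)})
     * @throws AuthorizationException if the client is not authenticated, uses an outdated credential
     *         for an operation other than the allowed ones, or lacks any of the capabilities
     */
    @Override
    @Transactional
    public void checkAuthorization(AuthzCapability... requiredCapabilities) throws AuthorizationException {
        checkAuthorizationInternal(getCallerMethodName(2), false, null, requiredCapabilities);
    }

    /**
     * Checks that the caller holds all of the given capabilities in the root group.
     *
     * @param selfAccess whether the operation concerns the caller's own entity (passed to
     *        {@link AuthzRole#getCapabilities(boolean)} when collecting capabilities)
     * @param requiredCapabilities capabilities required by the calling operation
     * @throws AuthorizationException as in {@link #checkAuthorization(AuthzCapability...)}
     */
    @Override
    @Transactional
    public void checkAuthorization(boolean selfAccess, AuthzCapability... requiredCapabilities)
            throws AuthorizationException {
        checkAuthorizationInternal(getCallerMethodName(2), selfAccess, null, requiredCapabilities);
    }

    /**
     * Checks that the caller holds all of the given capabilities in the given group.
     *
     * @param groupPath group in which the roles are established; {@code null} means the root group
     * @param requiredCapabilities capabilities required by the calling operation
     * @throws AuthorizationException as in {@link #checkAuthorization(AuthzCapability...)}
     */
    @Override
    @Transactional
    public void checkAuthorization(String groupPath, AuthzCapability... requiredCapabilities)
            throws AuthorizationException {
        checkAuthorizationInternal(getCallerMethodName(2), false, groupPath, requiredCapabilities);
    }

    /**
     * Same as {@link #checkAuthorization(String, AuthzCapability...)} but reports failures with the
     * unchecked {@link AuthorizationExceptionRT}.
     *
     * @throws AuthorizationExceptionRT wrapping the checked exception; the original exception is kept
     *         as the cause so its stack trace is not lost
     */
    @Override
    @Transactional
    public void checkAuthorizationRT(String groupPath, AuthzCapability... requiredCapabilities)
            throws AuthorizationExceptionRT {
        try {
            checkAuthorizationInternal(getCallerMethodName(2), false, groupPath, requiredCapabilities);
        } catch (AuthorizationException e) {
            // Chain the checked exception itself, not only its (usually absent) cause.
            throw new AuthorizationExceptionRT(e.getMessage(), e);
        }
    }

    /**
     * Checks that the caller holds all of the given capabilities in the given group.
     *
     * @param selfAccess whether the operation concerns the caller's own entity
     * @param groupPath group in which the roles are established; {@code null} means the root group
     * @param requiredCapabilities capabilities required by the calling operation
     * @throws AuthorizationException as in {@link #checkAuthorization(AuthzCapability...)}
     */
    @Override
    @Transactional
    public void checkAuthorization(boolean selfAccess, String groupPath,
            AuthzCapability... requiredCapabilities) throws AuthorizationException {
        checkAuthorizationInternal(getCallerMethodName(2), selfAccess, groupPath, requiredCapabilities);
    }

    /**
     * Authorizes a change of the authorization-role attribute itself. Two checks are performed, in this order:
     * the caller must already possess every capability granted by the roles named in the new attribute
     * value (no privilege escalation by assigning a stronger role), and the caller must hold
     * {@link AuthzCapability#attributeModify} in the attribute's group.
     *
     * @param selfAccess whether the attribute belongs to the caller's own entity
     * @param attribute the authorization attribute being set; its group path selects the roles to check
     * @throws AuthorizationException if either check fails or the session is not acceptable
     */
    @Override
    @Transactional
    public void checkAuthZAttributeChangeAuthorization(boolean selfAccess, Attribute attribute)
            throws AuthorizationException {
        String callerMethodName = getCallerMethodName(2);
        long callerEntityId = getVerifiedClient(AuthzCapability.attributeModify).getEntityId();
        Set<AuthzRole> callerRoles = this.rolesResolver.establishRoles(callerEntityId,
                new Group(attribute.getGroupPath()));
        Set<AuthzCapability> callerCapabilities = getRoleCapabilities(callerRoles, selfAccess);

        Set<AuthzCapability> requestedCapabilities = getRoleCapabilities(
                this.rolesResolver.getRolesFromAttribute(attribute), selfAccess);
        if (!callerCapabilities.containsAll(requestedCapabilities)) {
            throw new AuthorizationException(
                    "Access is denied. It is not allowed to set roles with higher privileges then those already possessed");
        }
        if (!callerCapabilities.contains(AuthzCapability.attributeModify)) {
            throw new AuthorizationException("Access is denied. The operation " + callerMethodName
                    + " requires '" + AuthzCapability.attributeModify + "' capability");
        }
    }

    /**
     * Returns the capabilities the caller has in the given group.
     *
     * @param selfAccess whether the capabilities for operating on the caller's own entity are wanted
     * @param groupPath group path; {@code null} means the root group
     * @throws AuthorizationException if the client is not authenticated
     */
    @Override
    @Transactional
    public Set<AuthzCapability> getCapabilities(boolean selfAccess, String groupPath)
            throws AuthorizationException {
        // No required capability: only an authenticated session is demanded here.
        return getCapabilities(selfAccess, groupPath, getVerifiedClient(new AuthzCapability[0]));
    }

    /**
     * Collects the capabilities of the given session's entity in the given group.
     *
     * @param selfAccess passed to {@link AuthzRole#getCapabilities(boolean)}
     * @param groupPath group path; {@code null} is mapped to the root group {@code "/"}
     * @param session the already verified caller session
     */
    private Set<AuthzCapability> getCapabilities(boolean selfAccess, String groupPath, LoginSession session)
            throws AuthorizationException {
        Group group = groupPath == null ? new Group("/") : new Group(groupPath);
        return getRoleCapabilities(this.rolesResolver.establishRoles(session.getEntityId(), group), selfAccess);
    }

    /**
     * Returns the caller's session after checking that it may perform an operation needing the given
     * capabilities. A session that authenticated with an outdated credential may only perform operations
     * that require no capability, or exactly one of {@code credentialModify}, {@code readInfo} or {@code read}.
     *
     * @throws AuthorizationException if there is no session or the outdated-credential restriction applies
     */
    private LoginSession getVerifiedClient(AuthzCapability... requiredCapabilities) throws AuthorizationException {
        LoginSession callerSession = getCallerSession();
        if (callerSession.isUsedOutdatedCredential() && !isAllowedWithOutdatedCredential(requiredCapabilities)) {
            throw new AuthorizationException(
                    "Access is denied. The client's credential is outdated and the only allowed operation is the credential update");
        }
        return callerSession;
    }

    /**
     * Tells whether an operation requiring the given capabilities may be run by a session whose
     * credential is outdated: nothing required, or a single credentialModify/readInfo/read.
     */
    private static boolean isAllowedWithOutdatedCredential(AuthzCapability[] requiredCapabilities) {
        if (requiredCapabilities.length == 0) {
            return true;
        }
        if (requiredCapabilities.length > 1) {
            return false;
        }
        AuthzCapability only = requiredCapabilities[0];
        return only == AuthzCapability.credentialModify
                || only == AuthzCapability.readInfo
                || only == AuthzCapability.read;
    }

    /**
     * Common implementation of the public {@code checkAuthorization} variants: verifies the session,
     * establishes the caller's capabilities in the group and requires every listed capability.
     *
     * @param callerMethodName operation name used in the error message
     */
    private void checkAuthorizationInternal(String callerMethodName, boolean selfAccess, String groupPath,
            AuthzCapability... requiredCapabilities) throws AuthorizationException {
        Set<AuthzCapability> capabilities = getCapabilities(selfAccess, groupPath,
                getVerifiedClient(requiredCapabilities));
        for (AuthzCapability required : requiredCapabilities) {
            if (!capabilities.contains(required)) {
                throw new AuthorizationException("Access is denied. The operation " + callerMethodName
                        + " requires '" + required + "' capability");
            }
        }
    }

    /**
     * Tells whether the given entity is the one of the current session's login.
     * Returns {@code false} when there is no login session (unauthenticated invocation context)
     * rather than failing with a NullPointerException.
     */
    @Override
    public boolean isSelf(long entityId) {
        LoginSession session = InvocationContext.getCurrent().getLoginSession();
        return session != null && session.getEntityId() == entityId;
    }

    /** Unions the capabilities of all given roles, as returned by {@link AuthzRole#getCapabilities(boolean)}. */
    private Set<AuthzCapability> getRoleCapabilities(Set<AuthzRole> roleSet, boolean selfAccess) {
        Set<AuthzCapability> capabilities = new HashSet<AuthzCapability>();
        for (AuthzRole role : roleSet) {
            Collections.addAll(capabilities, role.getCapabilities(selfAccess));
        }
        return capabilities;
    }

    /**
     * Recovers the name of the method whose authorization is being checked, for use in error messages.
     * Scanning starts at stack frame {@code depth + 1} and skips frames whose class name contains
     * "Transaction" (transaction proxies) or does not belong to the {@code pl.edu.icm.unity.} packages.
     *
     * @param depth number of frames above the {@code getStackTrace} frame to skip before scanning
     * @return the method name of the first matching frame, or {@code "UNKNOWN"} if none is found
     */
    private String getCallerMethodName(int depth) {
        StackTraceElement[] stackTrace = Thread.currentThread().getStackTrace();
        int frame = depth + 1;
        while (frame < stackTrace.length && isSkippedFrame(stackTrace[frame])) {
            frame++;
        }
        return frame >= stackTrace.length ? "UNKNOWN" : stackTrace[frame].getMethodName();
    }

    /** Frames of transaction proxies and of foreign packages are not reported as the checked operation. */
    private static boolean isSkippedFrame(StackTraceElement frame) {
        String className = frame.getClassName();
        return className.contains("Transaction") || !className.contains("pl.edu.icm.unity.");
    }

    /** Drops all cached role resolutions. */
    @Override
    public void clearCache() {
        this.rolesResolver.clearCache();
    }

    /**
     * Returns the roles of the caller in the root group.
     *
     * @throws AuthorizationException if the client is not authenticated
     */
    @Override
    @Transactional
    public Set<AuthzRole> getRoles() throws AuthorizationException {
        return this.rolesResolver.establishRoles(getCallerSession().getEntityId(), new Group("/"));
    }

    /**
     * Returns the login session of the current invocation context.
     *
     * @throws AuthorizationException if the context carries no login session
     */
    private LoginSession getCallerSession() throws AuthorizationException {
        LoginSession loginSession = InvocationContext.getCurrent().getLoginSession();
        if (loginSession == null) {
            throw new AuthorizationException("Access is denied. The client is not authenticated.");
        }
        return loginSession;
    }
}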
