package pl.edu.icm.unity.engine.group;

import com.google.common.collect.ImmutableMap;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Primary;
import org.springframework.stereotype.Component;
import pl.edu.icm.unity.MessageSource;
import pl.edu.icm.unity.base.capacityLimit.CapacityLimitName;
import pl.edu.icm.unity.engine.api.GroupsManagement;
import pl.edu.icm.unity.engine.api.authn.InvocationContext;
import pl.edu.icm.unity.engine.api.confirmation.EmailConfirmationManager;
import pl.edu.icm.unity.engine.api.identity.EntityResolver;
import pl.edu.icm.unity.engine.api.registration.GroupPatternMatcher;
import pl.edu.icm.unity.engine.attribute.AttributeClassUtil;
import pl.edu.icm.unity.engine.attribute.AttributesHelper;
import pl.edu.icm.unity.engine.audit.AuditEventTrigger;
import pl.edu.icm.unity.engine.audit.AuditPublisher;
import pl.edu.icm.unity.engine.authz.AuthzCapability;
import pl.edu.icm.unity.engine.authz.InternalAuthorizationManager;
import pl.edu.icm.unity.engine.capacityLimits.InternalCapacityLimitVerificator;
import pl.edu.icm.unity.engine.events.InvocationEventProducer;
import pl.edu.icm.unity.exceptions.AuthorizationException;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.exceptions.IllegalGroupValueException;
import pl.edu.icm.unity.exceptions.InternalException;
import pl.edu.icm.unity.store.api.AttributeDAO;
import pl.edu.icm.unity.store.api.AttributeTypeDAO;
import pl.edu.icm.unity.store.api.GroupDAO;
import pl.edu.icm.unity.store.api.MembershipDAO;
import pl.edu.icm.unity.store.api.generic.AttributeClassDB;
import pl.edu.icm.unity.store.api.tx.Transactional;
import pl.edu.icm.unity.store.api.tx.TransactionalRunner;
import pl.edu.icm.unity.types.basic.Attribute;
import pl.edu.icm.unity.types.basic.EntityParam;
import pl.edu.icm.unity.types.basic.Group;
import pl.edu.icm.unity.types.basic.GroupContents;
import pl.edu.icm.unity.types.basic.GroupMembership;
import pl.edu.icm.unity.types.basic.audit.AuditEventAction;
import pl.edu.icm.unity.types.basic.audit.AuditEventTag;
import pl.edu.icm.unity.types.basic.audit.AuditEventType;

@Component
@Primary
@InvocationEventProducer
/* loaded from: input_file:pl/edu/icm/unity/engine/group/GroupsManagementImpl.class */
public class GroupsManagementImpl implements GroupsManagement {
    private GroupDAO dbGroups;
    private MembershipDAO membershipDAO;
    private GroupHelper groupHelper;
    private AttributeDAO dbAttributes;
    private AttributeTypeDAO attributeTypeDAO;
    private AttributeClassDB acDB;
    private InternalAuthorizationManager authz;
    private AttributesHelper attributesHelper;
    private EntityResolver idResolver;
    private EmailConfirmationManager confirmationManager;
    private TransactionalRunner tx;
    private AttributeClassUtil acUtil;
    private MessageSource msg;
    private AuditPublisher audit;
    private InternalCapacityLimitVerificator capacityLimitVerificator;

    /* loaded from: input_file:pl/edu/icm/unity/engine/group/GroupsManagementImpl$ParentIsPrivateGroupException.class */
    public static class ParentIsPrivateGroupException extends InternalException {
        public ParentIsPrivateGroupException(String str, String str2) {
            super("Cannot set group " + str2 + " to public mode, parent group " + str + " is private");
        }
    }

    /* loaded from: input_file:pl/edu/icm/unity/engine/group/GroupsManagementImpl$PublicChildGroupException.class */
    public static class PublicChildGroupException extends InternalException {
        public PublicChildGroupException(String str, String str2) {
            super("Cannot set group " + str + " to private mode, child group " + str2 + " is public");
        }
    }

    @Autowired
    public GroupsManagementImpl(GroupDAO groupDAO, MembershipDAO membershipDAO, GroupHelper groupHelper, AttributeDAO attributeDAO, AttributeTypeDAO attributeTypeDAO, AttributeClassDB attributeClassDB, InternalAuthorizationManager internalAuthorizationManager, AttributesHelper attributesHelper, EntityResolver entityResolver, EmailConfirmationManager emailConfirmationManager, AttributeClassUtil attributeClassUtil, TransactionalRunner transactionalRunner, MessageSource messageSource, AuditPublisher auditPublisher, InternalCapacityLimitVerificator internalCapacityLimitVerificator) {
        this.dbGroups = groupDAO;
        this.membershipDAO = membershipDAO;
        this.groupHelper = groupHelper;
        this.dbAttributes = attributeDAO;
        this.attributeTypeDAO = attributeTypeDAO;
        this.acDB = attributeClassDB;
        this.authz = internalAuthorizationManager;
        this.attributesHelper = attributesHelper;
        this.idResolver = entityResolver;
        this.confirmationManager = emailConfirmationManager;
        this.acUtil = attributeClassUtil;
        this.tx = transactionalRunner;
        this.msg = messageSource;
        this.audit = auditPublisher;
        this.capacityLimitVerificator = internalCapacityLimitVerificator;
    }

    @Transactional
    public void addGroup(Group group, boolean z) throws EngineException {
        this.authz.checkAuthorization(group.getParentPath(), AuthzCapability.groupModify);
        this.capacityLimitVerificator.assertInSystemLimitForSingleAdd(CapacityLimitName.GroupsCount, () -> {
            return Long.valueOf(this.dbGroups.getCount());
        });
        this.groupHelper.validateGroupStatements(group);
        AttributeClassUtil.validateAttributeClasses(group.getAttributesClasses(), this.acDB);
        boolean exists = this.dbGroups.exists(group.getParentPath());
        if (!exists && z) {
            addGroup(new Group(group.getParentPath()), z);
        } else if (!exists) {
            throw new IllegalArgumentException("Parent group " + group.getParentPath() + " does not exist");
        }
        if (group.isPublic()) {
            assertParentIsPrivate(group);
        }
        this.dbGroups.create(group);
        this.audit.log(AuditEventTrigger.builder().type(AuditEventType.GROUP).action(AuditEventAction.ADD).name(group.getName()).tags(AuditEventTag.GROUPS));
    }

    @Transactional
    public void removeGroup(String str, boolean z) throws EngineException {
        this.authz.checkAuthorization(str, AuthzCapability.groupModify);
        if ("/".equals(str)) {
            throw new IllegalGroupValueException("Removing the root group is forbidden");
        }
        if (!z && !getSubGroups(str).isEmpty()) {
            throw new IllegalGroupValueException("The group contains subgroups");
        }
        this.dbGroups.delete(str);
        this.audit.log(AuditEventTrigger.builder().type(AuditEventType.GROUP).action(AuditEventAction.REMOVE).name(str).tags(AuditEventTag.GROUPS));
    }

    public void addMemberFromParent(String str, EntityParam entityParam) throws EngineException {
        addMemberFromParent(str, entityParam, null);
    }

    public void addMemberFromParent(String str, EntityParam entityParam, List<Attribute> list) throws EngineException {
        addMemberFromParent(str, entityParam, list, null, null);
    }

    public void addMemberFromParent(String str, EntityParam entityParam, List<Attribute> list, String str2, String str3) throws EngineException {
        entityParam.validateInitialization();
        List<Attribute> emptyList = list == null ? Collections.emptyList() : list;
        this.tx.runInTransactionThrowing(() -> {
            long entityId = this.idResolver.getEntityId(entityParam);
            this.authz.checkAuthorization(this.authz.isSelf(entityId), str, AuthzCapability.groupModify);
            this.attributesHelper.checkGroupAttributeClassesConsistency(emptyList, str);
            this.groupHelper.addMemberFromParent(str, entityParam, str2, str3, new Date());
            this.attributesHelper.addAttributesList(emptyList, entityId, true);
        });
        this.confirmationManager.sendVerificationsQuietNoTx(entityParam, emptyList, false);
    }

    @Transactional
    public void removeMember(String str, EntityParam entityParam) throws EngineException {
        entityParam.validateInitialization();
        long entityId = this.idResolver.getEntityId(entityParam);
        this.authz.checkAuthorization(this.authz.isSelf(entityId), str, AuthzCapability.groupModify);
        if (str.equals("/")) {
            throw new IllegalArgumentException("The entity can not be removed from the root group");
        }
        Set<String> entityMembershipSimple = this.membershipDAO.getEntityMembershipSimple(entityId);
        if (!entityMembershipSimple.contains(str)) {
            throw new IllegalArgumentException("The entity is not a member of the group " + str);
        }
        for (String str2 : entityMembershipSimple) {
            if (Group.isChildOrSame(str2, str)) {
                this.membershipDAO.deleteByKey(entityId, str2);
                this.audit.log(AuditEventTrigger.builder().type(AuditEventType.MEMBERSHIP).action(AuditEventAction.REMOVE).name(str2).subject(Long.valueOf(entityId)).tags(AuditEventTag.MEMBERS, AuditEventTag.GROUPS));
                this.dbAttributes.deleteAttributesInGroup(entityId, str2);
            }
        }
    }

    @Transactional
    public GroupContents getContents(String str, int i) throws EngineException {
        try {
            this.authz.checkAuthorization(str, AuthzCapability.read);
            return getCompleteContents(str, i);
        } catch (AuthorizationException e) {
            if ((9 & i) == 0) {
                throw e;
            }
            return getLimitedContents(str, i);
        }
    }

    private GroupContents getCompleteContents(String str, int i) throws IllegalGroupValueException {
        GroupContents groupContents = new GroupContents();
        if ((i & 1) != 0) {
            groupContents.setSubGroups(getDirectSubGroups(str));
        }
        if ((i & 4) != 0) {
            groupContents.setMembers(this.membershipDAO.getMembers(str));
        }
        if ((i & 8) != 0) {
            groupContents.setGroup(this.dbGroups.get(str));
        }
        return groupContents;
    }

    private GroupContents getLimitedContents(String str, int i) throws EngineException {
        long entityId = InvocationContext.getCurrent().getLoginSession().getEntityId();
        Set<String> set = (Set) this.tx.runInTransactionRetThrowing(() -> {
            this.authz.checkAuthorization(true, AuthzCapability.read);
            return this.membershipDAO.getEntityMembershipSimple(entityId);
        });
        if (!set.contains(str)) {
            throw new AuthorizationException("Access is denied. The operation getContents requires 'read' capability");
        }
        GroupContents groupContents = new GroupContents();
        if ((i & 1) != 0) {
            ArrayList arrayList = new ArrayList();
            for (String str2 : set) {
                String parentPath = new Group(str2).getParentPath();
                if (parentPath != null && parentPath.equals(str)) {
                    arrayList.add(str2);
                }
            }
            groupContents.setSubGroups(arrayList);
        }
        if ((i & 4) != 0) {
            groupContents.setMembers(new ArrayList());
        }
        if ((i & 8) != 0) {
            groupContents.setGroup(this.dbGroups.get(str));
        }
        return groupContents;
    }

    @Transactional
    public void updateGroup(String str, Group group) throws EngineException {
        updateGroup(str, group, null, null);
    }

    @Transactional
    public void updateGroup(String str, Group group, String str2, String str3) throws EngineException {
        this.authz.checkAuthorization(str, AuthzCapability.groupModify);
        if (!str.equals(group.toString())) {
            throw new IllegalGroupValueException("Changing group name is currently unsupported. Only displayed name can be changed.");
        }
        this.groupHelper.validateGroupStatements(group);
        AttributeClassUtil.validateAttributeClasses(group.getAttributesClasses(), this.acDB);
        List members = this.membershipDAO.getMembers(str);
        Map allAsMap = this.attributeTypeDAO.getAllAsMap();
        Iterator it = members.iterator();
        while (it.hasNext()) {
            long entityId = ((GroupMembership) it.next()).getEntityId();
            this.acUtil.getACHelper(entityId, str, group.getAttributesClasses()).checkAttribtues(getEntityInGroupAttributeNames(entityId, str), allAsMap);
        }
        Group group2 = (Group) this.dbGroups.get(str);
        if (group2.isPublic() != group.isPublic()) {
            if (group.isPublic()) {
                assertParentIsPrivate(group);
            } else {
                assertChildrenArePublic(group2, getDirectSubGroups(str));
            }
        }
        this.dbGroups.updateByName(str, group);
        AuditEventTrigger.AuditEventTriggerBuilder tags = AuditEventTrigger.builder().type(AuditEventType.GROUP).action(AuditEventAction.UPDATE).name(group.getName()).tags(AuditEventTag.GROUPS);
        if (Objects.nonNull(str2) && Objects.nonNull(str3)) {
            tags.details(ImmutableMap.of("action", str2, "value", str3));
        }
        this.audit.log(tags);
    }

    private Collection<String> getEntityInGroupAttributeNames(long j, String str) {
        return (Collection) this.dbAttributes.getEntityAttributes(j, (String) null, str).stream().map(attributeExt -> {
            return attributeExt.getName();
        }).collect(Collectors.toSet());
    }

    @Transactional
    public Set<String> getChildGroups(String str) throws EngineException {
        this.authz.checkAuthorization(str, AuthzCapability.read);
        return getSubGroupsInclusive(str);
    }

    @Transactional
    public boolean isPresent(String str) throws AuthorizationException {
        this.authz.checkAuthorization(str, AuthzCapability.read);
        return this.dbGroups.exists(str);
    }

    @Transactional
    public void addGroup(Group group) throws EngineException {
        addGroup(group, false);
    }

    @Transactional
    public List<Group> getGroupsByWildcard(String str) {
        this.authz.checkAuthorizationRT("/", AuthzCapability.read);
        return GroupPatternMatcher.filterMatching(this.dbGroups.getAll(), str);
    }

    private Set<String> getSubGroupsInclusive(String str) {
        return (Set) this.dbGroups.getAllNames().stream().filter(str2 -> {
            return Group.isChildOrSame(str2, str);
        }).collect(Collectors.toSet());
    }

    private Set<String> getSubGroups(String str) {
        return (Set) this.dbGroups.getAllNames().stream().filter(str2 -> {
            return Group.isChild(str2, str);
        }).collect(Collectors.toSet());
    }

    private List<String> getDirectSubGroups(String str) {
        Set allNames = this.dbGroups.getAllNames();
        int length = str.length() + 1;
        return (List) allNames.stream().filter(str2 -> {
            return Group.isChild(str2, str);
        }).filter(str3 -> {
            return !str3.substring(length).contains("/");
        }).collect(Collectors.toList());
    }

    private void assertChildrenArePublic(Group group, List<String> list) throws EngineException {
        Iterator<String> it = list.iterator();
        while (it.hasNext()) {
            Group group2 = this.dbGroups.get(it.next());
            if (group2.isPublic()) {
                throw new PublicChildGroupException(group.getDisplayedName().getValue(this.msg), group2.getDisplayedName().getValue(this.msg));
            }
        }
    }

    private void assertParentIsPrivate(Group group) throws EngineException {
        if (group.isTopLevel()) {
            return;
        }
        Group group2 = this.dbGroups.get(group.getParentPath());
        if (!group2.isPublic()) {
            throw new ParentIsPrivateGroupException(group2.getDisplayedName().getValue(this.msg), group.getDisplayedName().getValue(this.msg));
        }
    }
}
