package org.openremote.manager.rules;

import jakarta.ws.rs.BeanParam;
import jakarta.ws.rs.ForbiddenException;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.core.Response;
import java.util.List;
import java.util.logging.Logger;
import org.openremote.container.timer.TimerService;
import org.openremote.manager.asset.AssetStorageService;
import org.openremote.manager.security.ManagerIdentityService;
import org.openremote.manager.security.ManagerKeycloakIdentityProvider;
import org.openremote.manager.web.ManagerWebResource;
import org.openremote.model.asset.Asset;
import org.openremote.model.asset.UserAssetLink;
import org.openremote.model.http.RequestParams;
import org.openremote.model.query.AssetQuery;
import org.openremote.model.query.RulesetQuery;
import org.openremote.model.rules.AssetRuleset;
import org.openremote.model.rules.GlobalRuleset;
import org.openremote.model.rules.RealmRuleset;
import org.openremote.model.rules.RulesEngineInfo;
import org.openremote.model.rules.RulesResource;
import org.openremote.model.rules.Ruleset;
import org.openremote.model.rules.geofence.GeofenceDefinition;
import org.openremote.model.security.ClientRole;
import org.openremote.model.security.Realm;

/* loaded from: input_file:org/openremote/manager/rules/RulesResourceImpl.class */
public class RulesResourceImpl extends ManagerWebResource implements RulesResource {
    private static final Logger LOG = Logger.getLogger(RulesResourceImpl.class.getName());
    protected final RulesetStorageService rulesetStorageService;
    protected final AssetStorageService assetStorageService;
    protected final RulesService rulesService;

    public RulesResourceImpl(TimerService timerService, ManagerIdentityService managerIdentityService, RulesetStorageService rulesetStorageService, AssetStorageService assetStorageService, RulesService rulesService) {
        super(timerService, managerIdentityService);
        this.rulesetStorageService = rulesetStorageService;
        this.assetStorageService = assetStorageService;
        this.rulesService = rulesService;
    }

    public RulesEngineInfo getGlobalEngineInfo(RequestParams requestParams) {
        if (isSuperUser()) {
            return getEngineInfo(this.rulesService.globalEngine.get());
        }
        throw new WebApplicationException(Response.Status.FORBIDDEN);
    }

    public RulesEngineInfo getRealmEngineInfo(RequestParams requestParams, String str) {
        if (!isRealmAccessibleByUser(str) || isRestrictedUser()) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        return getEngineInfo(this.rulesService.realmEngines.get(str));
    }

    public RulesEngineInfo getAssetEngineInfo(RequestParams requestParams, String str) {
        Asset<?> find = this.assetStorageService.find(str, false);
        if (find == null) {
            return null;
        }
        if (!isRealmAccessibleByUser(find.getRealm())) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        if (!isRestrictedUser() || this.assetStorageService.isUserAsset(getUserId(), str)) {
            return getEngineInfo(this.rulesService.assetEngines.get(str));
        }
        throw new WebApplicationException(Response.Status.FORBIDDEN);
    }

    protected RulesEngineInfo getEngineInfo(RulesEngine rulesEngine) {
        if (rulesEngine == null) {
            return null;
        }
        return new RulesEngineInfo(rulesEngine.getStatus(), rulesEngine.getCompilationErrorDeploymentCount(), rulesEngine.getExecutionErrorDeploymentCount());
    }

    public GlobalRuleset[] getGlobalRulesets(@BeanParam RequestParams requestParams, List<Ruleset.Lang> list, boolean z) {
        if (!isSuperUser()) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        List findAll = this.rulesetStorageService.findAll(GlobalRuleset.class, new RulesetQuery().setLanguages((Ruleset.Lang[]) list.toArray(new Ruleset.Lang[0])).setFullyPopulate(z));
        findAll.forEach(globalRuleset -> {
            this.rulesService.getRulesetDeployment(globalRuleset.getId()).ifPresent(rulesetDeployment -> {
                globalRuleset.setStatus(rulesetDeployment.getStatus());
                globalRuleset.setError(rulesetDeployment.getErrorMessage());
            });
        });
        return (GlobalRuleset[]) findAll.toArray(new GlobalRuleset[0]);
    }

    public RealmRuleset[] getRealmRulesets(@BeanParam RequestParams requestParams, String str, List<Ruleset.Lang> list, boolean z) {
        boolean z2;
        if (isAuthenticated() && !isRealmAccessibleByUser(str)) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        if (isAuthenticated()) {
            if (!(isRestrictedUser() | (!hasResourceRole(ClientRole.READ_RULES.getValue(), ManagerKeycloakIdentityProvider.DEFAULT_REALM_KEYCLOAK_THEME_DEFAULT)))) {
                z2 = false;
                List findAll = this.rulesetStorageService.findAll(RealmRuleset.class, new RulesetQuery().setRealm(str).setLanguages((Ruleset.Lang[]) list.toArray(new Ruleset.Lang[0])).setFullyPopulate(z).setPublicOnly(z2));
                findAll.forEach(realmRuleset -> {
                    this.rulesService.getRulesetDeployment(realmRuleset.getId()).ifPresent(rulesetDeployment -> {
                        realmRuleset.setStatus(rulesetDeployment.getStatus());
                        realmRuleset.setError(rulesetDeployment.getErrorMessage());
                    });
                });
                return (RealmRuleset[]) findAll.toArray(new RealmRuleset[0]);
            }
        }
        z2 = true;
        List findAll2 = this.rulesetStorageService.findAll(RealmRuleset.class, new RulesetQuery().setRealm(str).setLanguages((Ruleset.Lang[]) list.toArray(new Ruleset.Lang[0])).setFullyPopulate(z).setPublicOnly(z2));
        findAll2.forEach(realmRuleset2 -> {
            this.rulesService.getRulesetDeployment(realmRuleset2.getId()).ifPresent(rulesetDeployment -> {
                realmRuleset2.setStatus(rulesetDeployment.getStatus());
                realmRuleset2.setError(rulesetDeployment.getErrorMessage());
            });
        });
        return (RealmRuleset[]) findAll2.toArray(new RealmRuleset[0]);
    }

    public AssetRuleset[] getAssetRulesets(@BeanParam RequestParams requestParams, String str, List<Ruleset.Lang> list, boolean z) {
        Asset<?> find = this.assetStorageService.find(str, false);
        if (find == null) {
            return new AssetRuleset[0];
        }
        if (isAuthenticated() && !isRealmAccessibleByUser(find.getRealm())) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        List findAll = this.rulesetStorageService.findAll(AssetRuleset.class, new RulesetQuery().setRealm(find.getRealm()).setAssetIds(new String[]{str}).setPublicOnly(!isAuthenticated() || (isRestrictedUser() && !this.assetStorageService.isUserAsset(getUserId(), str)) || !hasResourceRole(ClientRole.READ_RULES.getValue(), ManagerKeycloakIdentityProvider.DEFAULT_REALM_KEYCLOAK_THEME_DEFAULT)).setLanguages((Ruleset.Lang[]) list.toArray(new Ruleset.Lang[0])).setFullyPopulate(z));
        findAll.forEach(assetRuleset -> {
            this.rulesService.getRulesetDeployment(assetRuleset.getId()).ifPresent(rulesetDeployment -> {
                assetRuleset.setStatus(rulesetDeployment.getStatus());
                assetRuleset.setError(rulesetDeployment.getErrorMessage());
            });
        });
        return (AssetRuleset[]) findAll.toArray(new AssetRuleset[0]);
    }

    public long createGlobalRuleset(@BeanParam RequestParams requestParams, GlobalRuleset globalRuleset) {
        if (isSuperUser()) {
            return this.rulesetStorageService.merge(globalRuleset).getId().longValue();
        }
        throw new WebApplicationException(Response.Status.FORBIDDEN);
    }

    public GlobalRuleset getGlobalRuleset(@BeanParam RequestParams requestParams, Long l) {
        if (!isSuperUser()) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        GlobalRuleset find = this.rulesetStorageService.find((Class<GlobalRuleset>) GlobalRuleset.class, l);
        if (find == null) {
            throw new WebApplicationException(Response.Status.NOT_FOUND);
        }
        return find;
    }

    public void updateGlobalRuleset(@BeanParam RequestParams requestParams, Long l, GlobalRuleset globalRuleset) {
        if (!isSuperUser()) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        if (this.rulesetStorageService.find(GlobalRuleset.class, l) == null) {
            throw new WebApplicationException(Response.Status.NOT_FOUND);
        }
        this.rulesetStorageService.merge(globalRuleset);
    }

    public void deleteGlobalRuleset(@BeanParam RequestParams requestParams, Long l) {
        if (!isSuperUser()) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        this.rulesetStorageService.delete(GlobalRuleset.class, l);
    }

    public long createRealmRuleset(@BeanParam RequestParams requestParams, RealmRuleset realmRuleset) {
        Realm realm = this.identityService.getIdentityProvider().getRealm(realmRuleset.getRealm());
        if (realm == null) {
            throw new WebApplicationException(Response.Status.BAD_REQUEST);
        }
        if (!isRealmActiveAndAccessible(realm) || isRestrictedUser()) {
            LOG.fine("Realm '" + realm + "' is nonexistent, inactive or inaccessible: username=" + getUsername());
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        if (realmRuleset.getLang() != Ruleset.Lang.GROOVY || isSuperUser()) {
            return this.rulesetStorageService.merge(realmRuleset).getId().longValue();
        }
        throw new ForbiddenException("Only super users can create/modify groovy rules for security reasons");
    }

    public RealmRuleset getRealmRuleset(@BeanParam RequestParams requestParams, Long l) {
        RealmRuleset find = this.rulesetStorageService.find((Class<RealmRuleset>) RealmRuleset.class, l);
        if (find == null) {
            throw new WebApplicationException(Response.Status.NOT_FOUND);
        }
        Realm realm = this.identityService.getIdentityProvider().getRealm(find.getRealm());
        if (realm == null) {
            throw new WebApplicationException(Response.Status.BAD_REQUEST);
        }
        if (isRealmActiveAndAccessible(realm) && !isRestrictedUser()) {
            return find;
        }
        LOG.fine("Forbidden access for user '" + getUsername() + "': " + realm);
        throw new WebApplicationException(Response.Status.FORBIDDEN);
    }

    public void updateRealmRuleset(@BeanParam RequestParams requestParams, Long l, RealmRuleset realmRuleset) {
        RealmRuleset find = this.rulesetStorageService.find((Class<RealmRuleset>) RealmRuleset.class, l);
        if (find == null) {
            throw new WebApplicationException(Response.Status.NOT_FOUND);
        }
        Realm realm = this.identityService.getIdentityProvider().getRealm(find.getRealm());
        if (realm == null) {
            throw new WebApplicationException(Response.Status.BAD_REQUEST);
        }
        if (!isRealmActiveAndAccessible(realm) || isRestrictedUser()) {
            LOG.fine("Forbidden access for user '" + getUsername() + "': " + realm);
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        if (!l.equals(realmRuleset.getId())) {
            throw new WebApplicationException("Requested ID and ruleset ID don't match", Response.Status.BAD_REQUEST);
        }
        if (!find.getRealm().equals(realmRuleset.getRealm())) {
            throw new WebApplicationException("Requested realm and existing ruleset realm must match", Response.Status.BAD_REQUEST);
        }
        if (realmRuleset.getLang() == Ruleset.Lang.GROOVY && !isSuperUser()) {
            throw new ForbiddenException("Only super users can create/modify groovy rules for security reasons");
        }
        this.rulesetStorageService.merge(realmRuleset);
    }

    public void deleteRealmRuleset(@BeanParam RequestParams requestParams, Long l) {
        RealmRuleset find = this.rulesetStorageService.find((Class<RealmRuleset>) RealmRuleset.class, l);
        if (find == null) {
            return;
        }
        Realm realm = this.identityService.getIdentityProvider().getRealm(find.getRealm());
        if (realm == null) {
            throw new WebApplicationException(Response.Status.BAD_REQUEST);
        }
        if (!isRealmActiveAndAccessible(realm) || isRestrictedUser()) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        if (find.getLang() == Ruleset.Lang.GROOVY && !isSuperUser()) {
            throw new ForbiddenException("Only super users can create/modify groovy rules for security reasons");
        }
        this.rulesetStorageService.delete(RealmRuleset.class, l);
    }

    public long createAssetRuleset(@BeanParam RequestParams requestParams, AssetRuleset assetRuleset) {
        String assetId = assetRuleset.getAssetId();
        if (assetId == null || assetId.length() == 0) {
            throw new WebApplicationException("Missing asset identifier value", Response.Status.BAD_REQUEST);
        }
        Asset<?> find = this.assetStorageService.find(assetId, false);
        if (find == null) {
            throw new WebApplicationException(Response.Status.NOT_FOUND);
        }
        if (!isRealmAccessibleByUser(find.getRealm())) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        if (isRestrictedUser() && !this.assetStorageService.isUserAsset(getUserId(), find.getId())) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        if (assetRuleset.getLang() != Ruleset.Lang.GROOVY || isSuperUser()) {
            return this.rulesetStorageService.merge(assetRuleset).getId().longValue();
        }
        throw new ForbiddenException("Only super users can create/modify groovy rules for security reasons");
    }

    public AssetRuleset getAssetRuleset(@BeanParam RequestParams requestParams, Long l) {
        AssetRuleset find = this.rulesetStorageService.find((Class<AssetRuleset>) AssetRuleset.class, l);
        if (find == null) {
            throw new WebApplicationException(Response.Status.NOT_FOUND);
        }
        Asset<?> find2 = this.assetStorageService.find(find.getAssetId(), false);
        if (find2 == null) {
            throw new WebApplicationException(Response.Status.NOT_FOUND);
        }
        if (!isRealmAccessibleByUser(find2.getRealm())) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        if (!isRestrictedUser() || this.assetStorageService.isUserAsset(getUserId(), find2.getId())) {
            return find;
        }
        throw new WebApplicationException(Response.Status.FORBIDDEN);
    }

    public void updateAssetRuleset(@BeanParam RequestParams requestParams, Long l, AssetRuleset assetRuleset) {
        AssetRuleset find = this.rulesetStorageService.find((Class<AssetRuleset>) AssetRuleset.class, l);
        if (find == null) {
            throw new WebApplicationException(Response.Status.NOT_FOUND);
        }
        Asset<?> find2 = this.assetStorageService.find(find.getAssetId(), false);
        if (find2 == null) {
            throw new WebApplicationException(Response.Status.NOT_FOUND);
        }
        if (!isRealmAccessibleByUser(find2.getRealm())) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        if (isRestrictedUser() && !this.assetStorageService.isUserAsset(getUserId(), find2.getId())) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        if (!l.equals(assetRuleset.getId())) {
            throw new WebApplicationException("Requested ID and ruleset ID don't match", Response.Status.BAD_REQUEST);
        }
        if (!find.getAssetId().equals(assetRuleset.getAssetId())) {
            throw new WebApplicationException("Can't update asset ID, delete and create the ruleset to reassign", Response.Status.BAD_REQUEST);
        }
        if (assetRuleset.getLang() == Ruleset.Lang.GROOVY && !isSuperUser()) {
            throw new ForbiddenException("Only super users can create/modify groovy rules for security reasons");
        }
        this.rulesetStorageService.merge(assetRuleset);
    }

    public void deleteAssetRuleset(@BeanParam RequestParams requestParams, Long l) {
        AssetRuleset find = this.rulesetStorageService.find((Class<AssetRuleset>) AssetRuleset.class, l);
        if (find == null) {
            return;
        }
        Asset<?> find2 = this.assetStorageService.find(find.getAssetId(), false);
        if (find2 == null) {
            throw new WebApplicationException(Response.Status.NOT_FOUND);
        }
        if (!isRealmAccessibleByUser(find2.getRealm())) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        if (isRestrictedUser() && !this.assetStorageService.isUserAsset(getUserId(), find2.getId())) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        if (find.getLang() == Ruleset.Lang.GROOVY && !isSuperUser()) {
            throw new ForbiddenException("Only super users can create/modify groovy rules for security reasons");
        }
        this.rulesetStorageService.delete(AssetRuleset.class, l);
    }

    public GeofenceDefinition[] getAssetGeofences(@BeanParam RequestParams requestParams, String str) {
        Asset<?> find = this.assetStorageService.find(new AssetQuery().select(new AssetQuery.Select().excludeAttributes()).ids(new String[]{str}));
        if (find == null) {
            return new GeofenceDefinition[0];
        }
        if (!find.isAccessPublicRead()) {
            List<UserAssetLink> findUserAssetLinks = this.assetStorageService.findUserAssetLinks(find.getRealm(), (String) null, str);
            if (!findUserAssetLinks.isEmpty() && (!isAuthenticated() || findUserAssetLinks.stream().noneMatch(userAssetLink -> {
                return userAssetLink.getId().getUserId().equals(getUserId());
            }))) {
                throw new WebApplicationException(Response.Status.FORBIDDEN);
            }
        }
        return this.rulesService.getAssetGeofences(str);
    }
}
