package io.tesler.model.core.service;

import io.tesler.model.core.api.EffectiveUserAware;
import io.tesler.model.core.api.GroupService;
import io.tesler.model.core.api.security.AccessService;
import io.tesler.model.core.api.security.IAccessorSupplier;
import io.tesler.model.core.dao.JpaDao;
import io.tesler.model.core.entity.User;
import io.tesler.model.core.entity.security.AccessList;
import io.tesler.model.core.entity.security.AccessRecord;
import io.tesler.model.core.entity.security.AccessRecord_;
import io.tesler.model.core.entity.security.Accessor;
import io.tesler.model.core.entity.security.Accessor_;
import io.tesler.model.core.entity.security.SecurableEntity;
import io.tesler.model.core.entity.security.SecurableEntity_;
import io.tesler.model.core.entity.security.types.AccessListType;
import io.tesler.model.core.entity.security.types.AccessorType;
import io.tesler.model.core.entity.security.types.Permission;
import java.lang.invoke.SerializedLambda;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.persistence.criteria.CriteriaBuilder;
import javax.persistence.criteria.CriteriaQuery;
import javax.persistence.criteria.Expression;
import javax.persistence.criteria.Path;
import javax.persistence.criteria.Predicate;
import javax.persistence.criteria.Root;
import javax.persistence.criteria.Subquery;
import org.springframework.data.jpa.domain.Specification;
import org.springframework.stereotype.Service;

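/**
 * Default {@link AccessService} implementation: builds JPA query restrictions from access lists,
 * computes a user's effective {@link Permission} in memory, and edits access records.
 *
 * <p>Security-relevant behaviour a maintainer should know:
 * <ul>
 *   <li><b>No access list means unrestricted.</b> The query specification matches every entity
 *       whose access list is {@code null}, and {@code getPermission} reports
 *       {@link Permission#DELETE} for such entities. An entity saved without an access list is
 *       therefore visible to every caller of this service.</li>
 *   <li><b>Mandatory records (MACL).</b> While {@link #isMACLEnabled()} returns {@code true}, a
 *       record flagged mandatory that the user does not match withholds access even when
 *       another record grants it. Subclasses that override the hook to return {@code false}
 *       switch that check off in both the query path and the in-memory path.</li>
 *   <li><b>Effective user.</b> Overloads without a {@link User} parameter act for
 *       {@link EffectiveUserAware#getEffectiveSessionUser()}.</li>
 * </ul>
 *
 * <p>This source was recovered from compiled bytecode. The compiler-generated
 * {@code $deserializeLambda$} method is intentionally not reproduced: the decompiled form is not
 * valid Java, and javac emits it again for the serializable {@link Specification} lambdas below.
 */
@Service(AccessService.SERVICE_NAME)
public class BaseAccessService implements AccessService {
    private final GroupService groupService;
    private final JpaDao jpaDao;
    private final EffectiveUserAware<User> effectiveUserAware;

    public BaseAccessService(GroupService groupService, JpaDao jpaDao, EffectiveUserAware<User> effectiveUserAware) {
        this.groupService = groupService;
        this.jpaDao = jpaDao;
        this.effectiveUserAware = effectiveUserAware;
    }

    /** Returns the group ids {@link GroupService#getUserAllGroups} reports for the session user. */
    protected Set<Long> getAllUserGroups() {
        return this.groupService.getUserAllGroups(getSessionUser());
    }

    /** Returns the user on whose behalf access decisions are made when no user is passed in. */
    protected User getSessionUser() {
        return this.effectiveUserAware.getEffectiveSessionUser();
    }

    /**
     * Threshold on the number of group ids: above it the accessor predicate uses the group
     * subquery from {@link GroupService} instead of one equality test per group.
     */
    protected int getMaxInlineUserGroups() {
        return 100;
    }

    /**
     * Whether mandatory access records are enforced. Overriding this to return {@code false}
     * removes the mandatory check from every decision made by this service.
     */
    protected boolean isMACLEnabled() {
        return true;
    }

    /** Builds the row-level restriction for the session user at the given permission level. */
    @Override
    public <T extends SecurableEntity> Specification<T> getSecuritySpecification(Permission permission) {
        return getSecuritySpecification(getSessionUser(), this::getAllUserGroups, permission);
    }

    /** Builds the row-level restriction for {@code user} at the given permission level. */
    @Override
    public <T extends SecurableEntity> Specification<T> getSecuritySpecification(User user, Permission permission) {
        return getSecuritySpecification(user, () -> this.groupService.getUserAllGroups(user), permission);
    }

    /**
     * Builds the restriction: the entity has no access list, OR (a record on its list matching
     * the user grants at least {@code permission} AND, when MACL is enabled, no mandatory record
     * on the list fails to match the user).
     *
     * <p>The group supplier is invoked when the specification is evaluated, not when it is
     * created, so the result reflects group membership at query time.
     */
    private <T extends SecurableEntity> Specification<T> getSecuritySpecification(User user, Supplier<Set<Long>> supplier, Permission permission) {
        return (root, criteriaQuery, criteriaBuilder) -> {
            List<Predicate> restrictions = new ArrayList<>();

            // EXISTS: a record on the entity's list that matches the user with sufficient permission.
            Subquery<Integer> granting = criteriaQuery.subquery(Integer.class);
            Root<AccessRecord> grantingRecord = granting.from(AccessRecord.class);
            granting.select(criteriaBuilder.literal(1)).where(criteriaBuilder.and(new Predicate[]{
                criteriaBuilder.equal(root.get(SecurableEntity_.accessList), grantingRecord.get(AccessRecord_.accessList)),
                criteriaBuilder.greaterThanOrEqualTo(grantingRecord.get(AccessRecord_.permission), permission),
                getAccessorPredicate(user, supplier, criteriaQuery, criteriaBuilder, grantingRecord)
            }));
            restrictions.add(criteriaBuilder.exists(granting));

            if (isMACLEnabled()) {
                // NOT EXISTS: a mandatory record on the same list that the user does not match.
                Subquery<Integer> blocking = criteriaQuery.subquery(Integer.class);
                Root<AccessRecord> blockingRecord = blocking.from(AccessRecord.class);
                blocking.select(criteriaBuilder.literal(1)).where(criteriaBuilder.and(new Predicate[]{
                    criteriaBuilder.equal(root.get(SecurableEntity_.accessList), blockingRecord.get(AccessRecord_.accessList)),
                    criteriaBuilder.equal(blockingRecord.get(AccessRecord_.mandatory), criteriaBuilder.literal(true)),
                    criteriaBuilder.not(getAccessorPredicate(user, supplier, criteriaQuery, criteriaBuilder, blockingRecord))
                }));
                restrictions.add(criteriaBuilder.not(criteriaBuilder.exists(blocking)));
            }

            // Entities without an access list are not restricted at all.
            return criteriaBuilder.or(
                root.get(SecurableEntity_.accessList).isNull(),
                criteriaBuilder.and(restrictions.toArray(new Predicate[0])));
        };
    }

    /** Picks the inline or the subquery form of the accessor predicate by number of group ids. */
    private Predicate getAccessorPredicate(User user, Supplier<Set<Long>> supplier, CriteriaQuery<?> criteriaQuery, CriteriaBuilder criteriaBuilder, Path<AccessRecord> path) {
        Set<Long> groupIds = supplier.get();
        if (groupIds.size() > getMaxInlineUserGroups()) {
            return getAccessorPredicate(user, this.groupService.getAllGroupsSubquery(user, criteriaQuery, criteriaBuilder), criteriaBuilder, path);
        }
        return getAccessorPredicate(user, groupIds, criteriaBuilder, path);
    }

    /** Matches records whose accessor is a GROUP whose id is in {@code subquery}, or is the user's own accessor. */
    private Predicate getAccessorPredicate(User user, Subquery<Long> subquery, CriteriaBuilder criteriaBuilder, Path<AccessRecord> path) {
        Predicate viaGroup = criteriaBuilder.and(
            path.get(AccessRecord_.accessor).get(Accessor_.ACCESSOR_ID).in(new Expression[]{subquery}),
            criteriaBuilder.equal(path.get(AccessRecord_.accessor).get(Accessor_.ACCESSOR_TYPE), AccessorType.GROUP));
        Predicate viaUser = criteriaBuilder.and(new Predicate[]{
            criteriaBuilder.equal(path.get(AccessRecord_.accessor), user.getAccessor())
        });
        return criteriaBuilder.or(viaGroup, viaUser);
    }

    /** Matches records whose accessor equals one of the given groups' accessors or the user's own accessor. */
    private Predicate getAccessorPredicate(User user, Set<Long> set, CriteriaBuilder criteriaBuilder, Path<AccessRecord> path) {
        // Explicit ArrayList: the user's own accessor is appended below, so the list must be mutable.
        List<Predicate> alternatives = set.stream()
            .map(AccessorType.GROUP::toAccessor)
            .map(accessor -> criteriaBuilder.equal(path.get(AccessRecord_.accessor), accessor))
            .collect(Collectors.toCollection(ArrayList::new));
        alternatives.add(criteriaBuilder.equal(path.get(AccessRecord_.accessor), user.getAccessor()));
        return criteriaBuilder.or(alternatives.toArray(new Predicate[0]));
    }

    /**
     * Returns the session user's permission on {@code securableEntity}.
     *
     * @return {@link Permission#DELETE} when the entity is {@code null} or has no access list
     *     (unrestricted by design of this class); otherwise the permission computed from the list
     */
    @Override
    public Permission getPermission(SecurableEntity securableEntity) {
        return Optional.ofNullable(securableEntity)
            .map(SecurableEntity::getAccessList)
            .map(accessList -> getPermission(accessList))
            .orElse(Permission.DELETE);
    }

    /**
     * Returns {@code user}'s permission on {@code securableEntity}.
     *
     * @return {@link Permission#DELETE} when the entity is {@code null} or has no access list
     *     (unrestricted by design of this class); otherwise the permission computed from the list
     */
    @Override
    public Permission getPermission(SecurableEntity securableEntity, User user) {
        return Optional.ofNullable(securableEntity)
            .map(SecurableEntity::getAccessList)
            .map(accessList -> getPermission(accessList, user))
            .orElse(Permission.DELETE);
    }

    /** Returns the session user's permission on {@code accessList}. */
    @Override
    public Permission getPermission(AccessList accessList) {
        return getPermission(accessList, getSessionUser(), getAllUserGroups());
    }

    /** Returns {@code user}'s permission on {@code accessList}. */
    @Override
    public Permission getPermission(AccessList accessList, User user) {
        return getPermission(accessList, user, this.groupService.getUserAllGroups(user));
    }

    /**
     * Computes the highest permission granted to {@code user} by the records of
     * {@code accessList}, or {@link Permission#NONE} when nothing matches or a mandatory record
     * is not satisfied.
     *
     * <p>The mandatory check uses the same type-aware accessor match as the grant check, which is
     * also what the query specification does. The previous form collected the accessor ids of
     * all mandatory records and tested them against the group-id set only, so a mandatory USER
     * record was compared with group ids: it was either never satisfied by its own user, or
     * satisfied by an unrelated user who happened to belong to a group with the same numeric id.
     *
     * @param set ids of the groups the user belongs to
     */
    private Permission getPermission(AccessList accessList, User user, Set<Long> set) {
        List<AccessRecord> records = this.jpaDao
            .getStream(AccessRecord.class, (root, criteriaQuery, criteriaBuilder) ->
                criteriaBuilder.and(new Predicate[]{criteriaBuilder.equal(root.get(AccessRecord_.accessList), accessList)}))
            .collect(Collectors.toList());

        if (isMACLEnabled()) {
            boolean unsatisfiedMandatory = records.stream()
                .anyMatch(record -> record.isMandatory() && !matchesAccessor(record.getAccessor(), user, set));
            if (unsatisfiedMandatory) {
                return Permission.NONE;
            }
        }
        return records.stream()
            .filter(record -> matchesAccessor(record.getAccessor(), user, set))
            .map(AccessRecord::getPermission)
            .max(Comparator.naturalOrder())
            .orElse(Permission.NONE);
    }

    /** Tells whether {@code accessor} designates {@code user} directly or one of the user's groups. */
    private static boolean matchesAccessor(Accessor accessor, User user, Set<Long> groupIds) {
        switch (accessor.getAccessorType()) {
            case USER:
                return Objects.equals(accessor.getAccessorId(), user.getId());
            case GROUP:
                return groupIds.contains(accessor.getAccessorId());
            default:
                // Unknown accessor types never match, so they cannot grant access.
                return false;
        }
    }

    /** Returns the record on {@code accessList} for the supplied accessor, or {@code null} if there is none. */
    @Override
    public AccessRecord getAccessRecord(AccessList accessList, IAccessorSupplier iAccessorSupplier) {
        return this.jpaDao
            .getStream(AccessRecord.class, (root, criteriaQuery, criteriaBuilder) ->
                criteriaBuilder.and(
                    criteriaBuilder.equal(root.get(AccessRecord_.accessList), accessList),
                    criteriaBuilder.equal(root.get(AccessRecord_.accessor), iAccessorSupplier.getAccessor())))
            .findAny()
            .orElse(null);
    }

    /** Grants {@code permission} on the entity's access list, leaving the mandatory flag untouched. */
    @Override
    public void grantPermission(SecurableEntity securableEntity, IAccessorSupplier iAccessorSupplier, Permission permission) {
        grantPermission(securableEntity, iAccessorSupplier, permission, (Boolean) null);
    }

    /**
     * Grants {@code permission} on the entity's access list. A list that is not PRIVATE is copied
     * to a PRIVATE one before it is changed. Does nothing when the entity has no access list.
     *
     * @param bool mandatory flag to set on the record, or {@code null} to leave it as it is
     */
    @Override
    public void grantPermission(SecurableEntity securableEntity, IAccessorSupplier iAccessorSupplier, Permission permission, Boolean bool) {
        AccessList target = securableEntity.getAccessList();
        if (target == null) {
            return;
        }
        if (isChanging(getAccessRecord(target, iAccessorSupplier), permission, bool) && target.getType() != AccessListType.PRIVATE) {
            // NOTE(review): the private copy is not assigned back to securableEntity here;
            // confirm callers pair this with assignAccessList, otherwise the grant lands on a
            // list the entity does not reference.
            target = copy(target, AccessListType.PRIVATE);
        }
        // Forward the mandatory flag: the three-argument overload used previously dropped it,
        // so a requested mandatory restriction was silently not applied.
        grantPermission(target, iAccessorSupplier, permission, bool);
    }

    /** Tells whether applying {@code permission} / {@code bool} would alter {@code accessRecord}; a missing record always counts as a change. */
    private boolean isChanging(AccessRecord accessRecord, Permission permission, Boolean bool) {
        if (accessRecord == null || accessRecord.getPermission() != permission) {
            return true;
        }
        return bool != null && !bool.equals(Boolean.valueOf(accessRecord.isMandatory()));
    }

    /**
     * Removes the accessor's record from the entity's access list. A list that is not PRIVATE is
     * copied to a PRIVATE one first. Does nothing when the entity has no access list, matching
     * the guard in {@code grantPermission(SecurableEntity, ...)}.
     */
    @Override
    public void removeAccessor(SecurableEntity securableEntity, IAccessorSupplier iAccessorSupplier) {
        AccessList target = securableEntity.getAccessList();
        if (target == null) {
            return;
        }
        if (getAccessRecord(target, iAccessorSupplier) != null && target.getType() != AccessListType.PRIVATE) {
            // NOTE(review): as in grantPermission, the private copy is not assigned back to the entity.
            target = copy(target, AccessListType.PRIVATE);
        }
        removeAccessor(target, iAccessorSupplier);
    }

    /** Grants {@code permission} on {@code accessList}, leaving the mandatory flag untouched. */
    @Override
    public void grantPermission(AccessList accessList, IAccessorSupplier iAccessorSupplier, Permission permission) {
        grantPermission(accessList, iAccessorSupplier, permission, (Boolean) null);
    }

    /**
     * Creates or updates the accessor's record on {@code accessList}.
     *
     * @param bool mandatory flag to set, or {@code null} to leave it as it is
     */
    @Override
    public void grantPermission(AccessList accessList, IAccessorSupplier iAccessorSupplier, Permission permission, Boolean bool) {
        AccessRecord existing = getAccessRecord(accessList, iAccessorSupplier);
        if (existing != null) {
            if (isChanging(existing, permission, bool)) {
                // No explicit save here; presumably the record is a managed entity — TODO confirm.
                existing.setPermission(permission);
                if (bool != null) {
                    existing.setMandatory(bool.booleanValue());
                }
            }
            return;
        }
        AccessRecord created = new AccessRecord();
        created.setAccessList(accessList);
        created.setAccessor(iAccessorSupplier.getAccessor());
        created.setPermission(permission);
        if (bool != null) {
            created.setMandatory(bool.booleanValue());
        }
        this.jpaDao.save(created);
    }

    /** Deletes the accessor's record from {@code accessList} if one exists. */
    @Override
    public void removeAccessor(AccessList accessList, IAccessorSupplier iAccessorSupplier) {
        AccessRecord existing = getAccessRecord(accessList, iAccessorSupplier);
        if (existing != null) {
            this.jpaDao.delete(existing);
        }
    }

    /** Points {@code securableEntity} at {@code accessList}. */
    @Override
    public void assignAccessList(SecurableEntity securableEntity, AccessList accessList) {
        securableEntity.setAccessList(accessList);
    }

    /**
     * Saves a new access list of type {@code accessListType} carrying a copy of every record of
     * {@code accessList}, including each record's mandatory flag.
     */
    @Override
    public AccessList copy(AccessList accessList, AccessListType accessListType) {
        AccessList duplicate = new AccessList();
        duplicate.setType(accessListType);
        this.jpaDao.save(duplicate);
        this.jpaDao
            .getStream(AccessRecord.class, (root, criteriaQuery, criteriaBuilder) ->
                criteriaBuilder.equal(root.get(AccessRecord_.accessList), accessList))
            .forEach(accessRecord -> this.jpaDao.save(copyRecordTo(accessRecord, duplicate)));
        return duplicate;
    }

    /** Creates an unsaved record with the same accessor, permission and mandatory flag, attached to {@code accessList}. */
    private AccessRecord copyRecordTo(AccessRecord accessRecord, AccessList accessList) {
        AccessRecord duplicate = new AccessRecord();
        duplicate.setAccessor(accessRecord.getAccessor());
        duplicate.setPermission(accessRecord.getPermission());
        duplicate.setMandatory(accessRecord.isMandatory());
        duplicate.setAccessList(accessList);
        return duplicate;
    }
}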
