package net.nemerosa.ontrack.service.security;

import java.util.function.Function;
import java.util.function.Supplier;
import net.nemerosa.ontrack.model.security.Account;
import net.nemerosa.ontrack.model.security.AccountHolder;
import net.nemerosa.ontrack.model.security.GlobalFunction;
import net.nemerosa.ontrack.model.security.ProjectFunction;
import net.nemerosa.ontrack.model.security.ProjectView;
import net.nemerosa.ontrack.model.security.SecurityService;
import net.nemerosa.ontrack.model.settings.CachedSettingsService;
import net.nemerosa.ontrack.model.settings.SecuritySettings;
import net.nemerosa.ontrack.model.structure.Signature;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.stereotype.Component;

@Component
/* loaded from: input_file:net/nemerosa/ontrack/service/security/SecurityServiceImpl.class */
public class SecurityServiceImpl implements SecurityService {
    private final CachedSettingsService cachedSettingsService;

    @Autowired
    public SecurityServiceImpl(CachedSettingsService cachedSettingsService) {
        this.cachedSettingsService = cachedSettingsService;
    }

    public SecuritySettings getSecuritySettings() {
        return (SecuritySettings) this.cachedSettingsService.getCachedSettings(SecuritySettings.class);
    }

    public void checkGlobalFunction(Class<? extends GlobalFunction> cls) {
        if (!isGlobalFunctionGranted(cls)) {
            throw new AccessDeniedException(String.format("Global function '%s' is not granted.", cls.getSimpleName()));
        }
    }

    public boolean isGlobalFunctionGranted(Class<? extends GlobalFunction> cls) {
        Account currentAccount = getCurrentAccount();
        return currentAccount != null && currentAccount.isGranted(cls);
    }

    public void checkProjectFunction(int i, Class<? extends ProjectFunction> cls) {
        if (!isProjectFunctionGranted(i, cls)) {
            throw new AccessDeniedException(String.format("Project function '%s' is not granted", cls.getSimpleName()));
        }
    }

    public boolean isProjectFunctionGranted(int i, Class<? extends ProjectFunction> cls) {
        Account currentAccount = getCurrentAccount();
        return (currentAccount != null && currentAccount.isGranted(i, cls)) || isGlobalGrant(cls);
    }

    protected boolean isGlobalGrant(Class<? extends ProjectFunction> cls) {
        return ((SecuritySettings) this.cachedSettingsService.getCachedSettings(SecuritySettings.class)).isGrantProjectViewToAll() && cls.isAssignableFrom(ProjectView.class);
    }

    public Account getCurrentAccount() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication != null && authentication.isAuthenticated() && (authentication.getPrincipal() instanceof AccountHolder)) {
            return ((AccountHolder) authentication.getPrincipal()).getAccount();
        }
        return null;
    }

    public Signature getCurrentSignature() {
        Account currentAccount = getCurrentAccount();
        return currentAccount != null ? Signature.of(currentAccount.getName()) : Signature.none();
    }

    public <T> Supplier<T> runAsAdmin(Supplier<T> supplier) {
        Account currentAccount = getCurrentAccount();
        SecurityContextImpl securityContextImpl = new SecurityContextImpl();
        securityContextImpl.setAuthentication(new RunAsAdminAuthentication(currentAccount));
        return withSecurityContext((Supplier) supplier, (SecurityContext) securityContextImpl);
    }

    public <T> T asAdmin(Supplier<T> supplier) {
        return runAsAdmin(supplier).get();
    }

    public void asAdmin(Runnable runnable) {
        asAdmin(() -> {
            runnable.run();
            return null;
        });
    }

    public Runnable runAsAdmin(Runnable runnable) {
        Supplier runAsAdmin = runAsAdmin(() -> {
            runnable.run();
            return null;
        });
        runAsAdmin.getClass();
        return runAsAdmin::get;
    }

    public <T> Supplier<T> runner(Supplier<T> supplier) {
        return withSecurityContext(supplier, SecurityContextHolder.getContext());
    }

    public <T, R> Function<T, R> runner(Function<T, R> function) {
        return withSecurityContext(function, SecurityContextHolder.getContext());
    }

    private <T, R> Function<T, R> withSecurityContext(Function<T, R> function, SecurityContext securityContext) {
        return obj -> {
            SecurityContext context = SecurityContextHolder.getContext();
            try {
                SecurityContextHolder.setContext(securityContext);
                Object apply = function.apply(obj);
                SecurityContextHolder.setContext(context);
                return apply;
            } catch (Throwable th) {
                SecurityContextHolder.setContext(context);
                throw th;
            }
        };
    }

    protected <T> Supplier<T> withSecurityContext(Supplier<T> supplier, SecurityContext securityContext) {
        return () -> {
            SecurityContext context = SecurityContextHolder.getContext();
            try {
                SecurityContextHolder.setContext(securityContext);
                Object obj = supplier.get();
                SecurityContextHolder.setContext(context);
                return obj;
            } catch (Throwable th) {
                SecurityContextHolder.setContext(context);
                throw th;
            }
        };
    }
}
