package org.duracloud.account.security.vote;

import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import org.aopalliance.intercept.MethodInvocation;
import org.duracloud.account.db.model.AccountRights;
import org.duracloud.account.db.model.DuracloudUser;
import org.duracloud.account.db.model.Role;
import org.duracloud.account.db.repo.DuracloudRepoMgr;
import org.duracloud.account.db.util.DuracloudInstanceService;
import org.duracloud.account.security.domain.SecuredRule;
import org.duracloud.common.error.DuraCloudRuntimeException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;

/* loaded from: input_file:org/duracloud/account/security/vote/InstanceAccessDecisionVoter.class */
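/**
 * Access-decision voter for calls made on {@link DuracloudInstanceService}.
 *
 * <p>The vote depends on the {@link SecuredRule.Scope} of the matched rule:
 * <ul>
 *   <li>{@code ANY}: the caller's authenticated roles are checked against the required role;</li>
 *   <li>{@code SELF_ACCT}: the caller must hold the required role on the account that the
 *       target service instance belongs to;</li>
 *   <li>{@code SELF_ACCT_PEER_UPDATE}: as {@code SELF_ACCT}, and in addition the caller's roles
 *       on the account must pass {@code voteRolesAreSufficientToUpdateOther} against both the
 *       rights currently stored for the account and the rights submitted in the call.</li>
 * </ul>
 * Any other scope is rejected with a {@link DuraCloudRuntimeException}.
 */
public class InstanceAccessDecisionVoter extends BaseAccessDecisionVoter {
    /** Position of the {@code Set<DuracloudUser>} argument in the intercepted method's arguments. */
    private static final int USER_INDEX = 0;

    // Named after this class so that authorization log lines are attributed to the voter
    // that actually produced them.
    private final Logger log = LoggerFactory.getLogger(InstanceAccessDecisionVoter.class);

    /**
     * @param duracloudRepoMgr repository manager handed to the base voter
     */
    public InstanceAccessDecisionVoter(DuracloudRepoMgr duracloudRepoMgr) {
        super(duracloudRepoMgr);
    }

    /**
     * @return the service type this voter is responsible for
     */
    @Override
    protected Class<?> getTargetService() {
        return DuracloudInstanceService.class;
    }

    /**
     * Computes the vote for one intercepted call.
     *
     * @param authentication   authentication of the caller
     * @param methodInvocation intercepted call; its target supplies the account id
     * @param collection       config attributes of the secured method (not read here)
     * @param objArr           arguments of the intercepted call
     * @param duracloudUser    the calling user
     * @param securedRule      the matched rule (not read here)
     * @param str              role required by the rule
     * @param scope            scope of the rule
     * @return the result of {@code castVote} for the computed decision
     * @throws DuraCloudRuntimeException if the scope is not one this voter handles, or if the
     *         user-set argument needed for {@code SELF_ACCT_PEER_UPDATE} is missing or malformed
     */
    @Override
    protected int voteImpl(Authentication authentication,
                           MethodInvocation methodInvocation,
                           Collection<ConfigAttribute> collection,
                           Object[] objArr,
                           DuracloudUser duracloudUser,
                           SecuredRule securedRule,
                           String str,
                           SecuredRule.Scope scope) {
        // Start from -1 (the value of Spring Security's ACCESS_DENIED) so that any path which
        // does not explicitly produce a vote stays denied.
        int decision = -1;

        if (scope.equals(SecuredRule.Scope.ANY)) {
            decision = super.voteHasRole(str, getUserRoles(authentication));
        } else if (scope.equals(SecuredRule.Scope.SELF_ACCT)) {
            decision = voteUserHasRoleOnAccount(duracloudUser, str, getAcctId(methodInvocation));
        } else if (scope.equals(SecuredRule.Scope.SELF_ACCT_PEER_UPDATE)) {
            Long acctId = getAcctId(methodInvocation);
            // The peer check only runs once the caller has the required role on the account;
            // otherwise the initial deny stands.
            if (hasVote(voteUserHasRoleOnAccount(duracloudUser, str, acctId))) {
                decision = voteUserHasRoleOnAcctToUpdateUsers(
                    duracloudUser.getId(),
                    acctId,
                    getAllUserRightsForAcct(acctId),
                    getUpdatedRights(objArr, acctId));
            }
        } else {
            String message = "Invalid scope: " + scope;
            this.log.error(message);
            throw new DuraCloudRuntimeException(message);
        }

        return castVote(decision, methodInvocation);
    }

    /**
     * Collects, from the users submitted in the call, the rights entries that belong to the
     * given account. Rights on other accounts are ignored.
     *
     * @param args   arguments of the intercepted call
     * @param acctId id of the account being operated on
     * @return the submitted rights for that account (possibly empty)
     */
    private Set<AccountRights> getUpdatedRights(Object[] args, Long acctId) {
        Set<AccountRights> rightsForAcct = new HashSet<>();
        for (DuracloudUser user : getUsersArg(args)) {
            for (AccountRights rights : user.getAccountRights()) {
                if (rights.getAccount().getId().equals(acctId)) {
                    rightsForAcct.add(rights);
                }
            }
        }
        return rightsForAcct;
    }

    /**
     * Decides whether the caller's roles on the account are sufficient with respect to every
     * entry of both the current and the submitted rights.
     *
     * @param userId        id of the calling user
     * @param acctId        id of the account being operated on
     * @param currentRights rights currently held on the account
     * @param updatedRights rights submitted in the call for the account
     * @return {@code 1} if every entry passes, {@code -1} as soon as one does not
     */
    private int voteUserHasRoleOnAcctToUpdateUsers(Long userId,
                                                   Long acctId,
                                                   Set<AccountRights> currentRights,
                                                   Set<AccountRights> updatedRights) {
        // NOTE(review): getUserRightsForAcct is defined outside this class; if it can return
        // null for a user without rights on the account this line throws - confirm.
        Set<Role> callerRoles = getUserRightsForAcct(userId, acctId).getRoles();

        // Checking the stored rights and the submitted rights separately means both the state
        // being replaced and the state being requested have to pass.
        // NOTE(review): currentRights is whatever getAllUserRightsForAcct returned, not only
        // the users named in the update - confirm that breadth is intended.
        for (AccountRights existing : currentRights) {
            if (!hasVote(voteRolesAreSufficientToUpdateOther(callerRoles, existing.getRoles()))) {
                return -1;
            }
        }
        for (AccountRights requested : updatedRights) {
            if (!hasVote(voteRolesAreSufficientToUpdateOther(callerRoles, requested.getRoles()))) {
                return -1;
            }
        }
        return 1;
    }

    /**
     * Extracts the set of users from the intercepted call's arguments.
     *
     * @param args arguments of the intercepted call
     * @return the user set found at {@link #USER_INDEX}
     * @throws DuraCloudRuntimeException if the argument is missing or is not a {@link Set};
     *         the voter refuses to decide on a call it cannot inspect
     */
    @SuppressWarnings("unchecked") // element type cannot be verified at runtime (erasure)
    private Set<DuracloudUser> getUsersArg(Object[] args) {
        if (args == null || args.length <= USER_INDEX) {
            String message = "Illegal number of args: " + (args == null ? 0 : args.length);
            this.log.error(message);
            throw new DuraCloudRuntimeException(message);
        }

        Object candidate = args[USER_INDEX];
        if (!(candidate instanceof Set)) {
            // Only the type name is reported; argument contents are kept out of the log.
            String message = "Illegal type for users arg: "
                + (candidate == null ? "null" : candidate.getClass().getName());
            this.log.error(message);
            throw new DuraCloudRuntimeException(message);
        }
        return (Set<DuracloudUser>) candidate;
    }

    /**
     * @param methodInvocation intercepted call whose target is a {@link DuracloudInstanceService}
     * @return the account id reported by the target service instance
     */
    private Long getAcctId(MethodInvocation methodInvocation) {
        DuracloudInstanceService target = (DuracloudInstanceService) methodInvocation.getThis();
        return target.getAccountId();
    }
}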
