package org.molgenis.core.ui.admin.permission;

import com.google.common.collect.LinkedHashMultimap;
import com.google.common.collect.Lists;
import com.google.common.collect.Multimap;
import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
import java.util.Collection;
import java.util.Collections;
import java.util.Comparator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.validation.Valid;
import org.molgenis.core.ui.admin.permission.exception.UnexpectedPermissionException;
import org.molgenis.data.DataService;
import org.molgenis.data.meta.model.EntityType;
import org.molgenis.data.meta.model.Package;
import org.molgenis.data.meta.system.SystemEntityTypeRegistry;
import org.molgenis.data.plugin.model.Plugin;
import org.molgenis.data.plugin.model.PluginIdentity;
import org.molgenis.data.security.EntityIdentity;
import org.molgenis.data.security.EntityIdentityUtils;
import org.molgenis.data.security.EntityTypeIdentity;
import org.molgenis.data.security.PackageIdentity;
import org.molgenis.data.security.auth.Role;
import org.molgenis.data.security.auth.User;
import org.molgenis.security.acl.MutableAclClassService;
import org.molgenis.security.core.Permission;
import org.molgenis.security.core.PermissionRegistry;
import org.molgenis.security.core.PermissionSet;
import org.molgenis.security.core.SidUtils;
import org.molgenis.security.permission.Permissions;
import org.molgenis.web.PluginController;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.acls.model.AccessControlEntry;
import org.springframework.security.acls.model.Acl;
import org.springframework.security.acls.model.MutableAcl;
import org.springframework.security.acls.model.MutableAclService;
import org.springframework.security.acls.model.ObjectIdentity;
import org.springframework.security.acls.model.Sid;
import org.springframework.stereotype.Controller;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.context.request.WebRequest;

@Api("PermissionManager")
@RequestMapping({PermissionManagerController.URI})
@Controller
/* loaded from: input_file:org/molgenis/core/ui/admin/permission/PermissionManagerController.class */
public class PermissionManagerController extends PluginController {
    private static final Logger LOG = LoggerFactory.getLogger(PermissionManagerController.class);
    public static final String URI = "/plugin/permissionmanager";
    public static final String RADIO = "radio-";
    private final DataService dataService;
    private final MutableAclService mutableAclService;
    private final MutableAclClassService mutableAclClassService;
    private final SystemEntityTypeRegistry systemEntityTypeRegistry;
    private final PermissionRegistry permissionRegistry;

    public PermissionManagerController(DataService dataService, MutableAclService mutableAclService, MutableAclClassService mutableAclClassService, SystemEntityTypeRegistry systemEntityTypeRegistry, PermissionRegistry permissionRegistry) {
        super(URI);
        this.dataService = (DataService) Objects.requireNonNull(dataService);
        this.mutableAclService = (MutableAclService) Objects.requireNonNull(mutableAclService);
        this.mutableAclClassService = (MutableAclClassService) Objects.requireNonNull(mutableAclClassService);
        this.systemEntityTypeRegistry = (SystemEntityTypeRegistry) Objects.requireNonNull(systemEntityTypeRegistry);
        this.permissionRegistry = (PermissionRegistry) Objects.requireNonNull(permissionRegistry);
    }

    @GetMapping
    public String init(Model model) {
        model.addAttribute("users", Lists.newArrayList((Iterable) getUsers().stream().filter(user -> {
            Boolean isSuperuser = user.isSuperuser();
            return isSuperuser == null || !isSuperuser.booleanValue();
        }).collect(Collectors.toList())));
        model.addAttribute("roles", getRoles());
        model.addAttribute("entityTypes", getEntityTypeDtos());
        return "view-permissionmanager";
    }

    private List<EntityTypeRlsResponse> getEntityTypeDtos() {
        List list = (List) getEntityTypes().filter(entityType -> {
            return !entityType.isAbstract();
        }).collect(Collectors.toList());
        Collection aclClassTypes = this.mutableAclClassService.getAclClassTypes();
        list.sort(Comparator.comparing((v0) -> {
            return v0.getLabel();
        }));
        return (List) list.stream().map(entityType2 -> {
            return new EntityTypeRlsResponse(entityType2.getId(), entityType2.getLabel(), aclClassTypes.contains(EntityIdentityUtils.toType(entityType2)), this.systemEntityTypeRegistry.hasSystemEntityType(entityType2.getId()));
        }).collect(Collectors.toList());
    }

    @PreAuthorize("hasAnyRole('ROLE_SU')")
    @Transactional(readOnly = true)
    @GetMapping({"/entityclass/role/{rolename}"})
    @ResponseBody
    public Permissions getRoleEntityClassPermissions(@PathVariable String str) {
        return getEntityTypePermissions(SidUtils.createRoleSid(str));
    }

    @PreAuthorize("hasAnyRole('ROLE_SU')")
    @Transactional(readOnly = true)
    @GetMapping({"/plugin/user/{username}"})
    @ResponseBody
    public Permissions getUserPluginPermissions(@PathVariable String str) {
        return getPluginPermissions(SidUtils.createUserSid(str));
    }

    @PreAuthorize("hasAnyRole('ROLE_SU')")
    @Transactional(readOnly = true)
    @GetMapping({"/package/user/{username}"})
    @ResponseBody
    public Permissions getUserPackagePermissions(@PathVariable String str) {
        return getPackagePermissions(SidUtils.createUserSid(str));
    }

    @PreAuthorize("hasAnyRole('ROLE_SU')")
    @Transactional(readOnly = true)
    @GetMapping({"/package/role/{rolename}"})
    @ResponseBody
    public Permissions getRolePackagePermissions(@PathVariable String str) {
        return getPackagePermissions(SidUtils.createRoleSid(str));
    }

    @PreAuthorize("hasAnyRole('ROLE_SU')")
    @Transactional(readOnly = true)
    @GetMapping({"/entityclass/user/{username}"})
    @ResponseBody
    public Permissions getUserEntityClassPermissions(@PathVariable String str) {
        return getEntityTypePermissions(SidUtils.createUserSid(str));
    }

    @PostMapping({"/update/plugin/role"})
    @PreAuthorize("hasAnyRole('ROLE_SU')")
    @ResponseStatus(HttpStatus.OK)
    @Transactional
    public void updateRolePluginPermissions(@RequestParam String str, WebRequest webRequest) {
        updatePluginPermissions(webRequest, SidUtils.createRoleSid(str));
    }

    @PostMapping({"/update/entityclass/role"})
    @PreAuthorize("hasAnyRole('ROLE_SU')")
    @ResponseStatus(HttpStatus.OK)
    @Transactional
    public void updateRoleEntityClassPermissions(@RequestParam String str, WebRequest webRequest) {
        updateEntityTypePermissions(webRequest, SidUtils.createRoleSid(str));
    }

    @PostMapping({"/update/package/role"})
    @PreAuthorize("hasAnyRole('ROLE_SU')")
    @ResponseStatus(HttpStatus.OK)
    @Transactional
    public void updateRolePackagePermissions(@RequestParam String str, WebRequest webRequest) {
        updatePackagePermissions(webRequest, SidUtils.createRoleSid(str));
    }

    @PostMapping({"/update/package/user"})
    @PreAuthorize("hasAnyRole('ROLE_SU')")
    @ResponseStatus(HttpStatus.OK)
    @Transactional
    public void updateUserPackagePermissions(@RequestParam String str, WebRequest webRequest) {
        updatePackagePermissions(webRequest, SidUtils.createUserSid(str));
    }

    @PostMapping({"/update/plugin/user"})
    @PreAuthorize("hasAnyRole('ROLE_SU')")
    @ResponseStatus(HttpStatus.OK)
    @Transactional
    public void updateUserPluginPermissions(@RequestParam String str, WebRequest webRequest) {
        updatePluginPermissions(webRequest, SidUtils.createUserSid(str));
    }

    private void removeSidPluginPermission(Plugin plugin, Sid sid) {
        removePermissionForSid(sid, new PluginIdentity(plugin));
    }

    private void createSidPluginPermission(Plugin plugin, Sid sid, PermissionSet permissionSet) {
        createSidPermission(sid, new PluginIdentity(plugin), permissionSet);
    }

    @PreAuthorize("hasAnyRole('ROLE_SU')")
    @Transactional(readOnly = true)
    @GetMapping({"/plugin/role/{rolename}"})
    @ResponseBody
    public Permissions getRolePluginPermissions(@PathVariable String str) {
        return getPluginPermissions(SidUtils.createRoleSid(str));
    }

    List<Plugin> getPlugins() {
        return (List) this.dataService.findAll("sys_Plugin", Plugin.class).collect(Collectors.toList());
    }

    @PostMapping({"/update/entityclass/user"})
    @PreAuthorize("hasAnyRole('ROLE_SU')")
    @ResponseStatus(HttpStatus.OK)
    @Transactional
    public void updateUserEntityClassPermissions(@RequestParam String str, WebRequest webRequest) {
        updateEntityTypePermissions(webRequest, SidUtils.createUserSid(str));
    }

    @PostMapping({"/update/entityclass/rls"})
    @PreAuthorize("hasAnyRole('ROLE_SU')")
    @ResponseStatus(HttpStatus.OK)
    @Transactional
    public void updateEntityClassRls(@Valid @RequestBody EntityTypeRlsRequest entityTypeRlsRequest) {
        String id = entityTypeRlsRequest.getId();
        if (this.systemEntityTypeRegistry.hasSystemEntityType(id)) {
            throw new IllegalArgumentException("Updating system entity type not allowed");
        }
        EntityType entityType = this.dataService.getEntityType(id);
        String type = EntityIdentityUtils.toType(entityType);
        boolean hasAclClass = this.mutableAclClassService.hasAclClass(type);
        if (!entityTypeRlsRequest.isRlsEnabled()) {
            if (hasAclClass) {
                this.mutableAclClassService.deleteAclClass(type);
            }
        } else {
            if (hasAclClass) {
                return;
            }
            this.mutableAclClassService.createAclClass(type, EntityIdentityUtils.toIdType(entityType));
            this.dataService.findAll(entityType.getId()).forEach(entity -> {
                this.mutableAclService.createAcl(new EntityIdentity(entity));
            });
        }
    }

    @GetMapping({"/permissionSets"})
    @ApiOperation(value = "Get all permission sets", response = PermissionSetResponse.class, responseContainer = "List")
    @ResponseBody
    public List<PermissionSetResponse> getPermissionSets() {
        return (List) this.permissionRegistry.getPermissionSets().entrySet().stream().map(entry -> {
            return PermissionSetResponse.create((PermissionSet) entry.getKey(), (Set<Permission>) entry.getValue());
        }).sorted(Comparator.comparing((v0) -> {
            return v0.getPermissions();
        }, Comparator.comparingInt((v0) -> {
            return v0.size();
        }))).collect(Collectors.toList());
    }

    private static PermissionSet paramValueToPermissionSet(String str) {
        String upperCase = str.toUpperCase();
        boolean z = -1;
        switch (upperCase.hashCode()) {
            case -84171621:
                if (upperCase.equals("READMETA")) {
                    z = false;
                    break;
                }
                break;
            case 2511254:
                if (upperCase.equals("READ")) {
                    z = 2;
                    break;
                }
                break;
            case 64313583:
                if (upperCase.equals("COUNT")) {
                    z = true;
                    break;
                }
                break;
            case 82862015:
                if (upperCase.equals("WRITE")) {
                    z = 3;
                    break;
                }
                break;
            case 1381004868:
                if (upperCase.equals("WRITEMETA")) {
                    z = 4;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                return PermissionSet.READMETA;
            case true:
                return PermissionSet.COUNT;
            case true:
                return PermissionSet.READ;
            case true:
                return PermissionSet.WRITE;
            case true:
                return PermissionSet.WRITEMETA;
            default:
                throw new IllegalArgumentException(String.format("Unknown PermissionSet '%s'", str));
        }
    }

    private void updatePluginPermissions(WebRequest webRequest, Sid sid) {
        for (Plugin plugin : getPlugins()) {
            String parameter = webRequest.getParameter(RADIO + plugin.getId());
            if (parameter != null) {
                if (parameter.equals("none")) {
                    removeSidPluginPermission(plugin, sid);
                } else {
                    createSidPluginPermission(plugin, sid, paramValueToPermissionSet(parameter));
                }
            }
        }
    }

    private void updatePackagePermissions(WebRequest webRequest, Sid sid) {
        for (Package r0 : getPackages()) {
            String parameter = webRequest.getParameter(RADIO + r0.getId());
            if (parameter != null) {
                if (parameter.equals("none")) {
                    removeSidPackagePermission(r0, sid);
                } else {
                    createSidPackagePermission(r0, sid, paramValueToPermissionSet(parameter));
                }
            }
        }
    }

    private Permissions getPackagePermissions(Sid sid) {
        return getPermissions(sid, (List<ObjectIdentity>) getPackages().stream().map(PackageIdentity::new).collect(Collectors.toList()));
    }

    private Permissions getPluginPermissions(Sid sid) {
        return getPermissions(sid, (List<ObjectIdentity>) getPlugins().stream().map(PluginIdentity::new).collect(Collectors.toList()));
    }

    private Permissions getPermissions(Sid sid, List<ObjectIdentity> list) {
        return Permissions.create((Set) list.stream().map((v0) -> {
            return v0.getIdentifier();
        }).map((v0) -> {
            return v0.toString();
        }).collect(Collectors.toSet()), getPermissions(this.mutableAclService.readAclsById(list, Collections.singletonList(sid)), sid));
    }

    private Multimap<String, String> getPermissions(Map<ObjectIdentity, Acl> map, Sid sid) {
        LinkedHashMultimap create = LinkedHashMultimap.create();
        map.forEach((objectIdentity, acl) -> {
            String obj = objectIdentity.getIdentifier().toString();
            acl.getEntries().stream().filter(accessControlEntry -> {
                return accessControlEntry.getSid().equals(sid);
            }).map(this::getPermissionString).forEach(str -> {
                create.put(obj, str);
            });
        });
        return create;
    }

    private String getPermissionString(AccessControlEntry accessControlEntry) {
        switch (accessControlEntry.getPermission().getMask()) {
            case 1:
                return "readmeta";
            case 2:
                return "count";
            case 4:
                return "read";
            case 8:
                return "write";
            case 16:
                return "writemeta";
            default:
                throw new UnexpectedPermissionException(accessControlEntry.getPermission());
        }
    }

    private void removeSidEntityTypePermission(EntityType entityType, Sid sid) {
        removePermissionForSid(sid, new EntityTypeIdentity(entityType));
    }

    private void createSidEntityTypePermission(EntityType entityType, Sid sid, PermissionSet permissionSet) {
        createSidPermission(sid, new EntityTypeIdentity(entityType), permissionSet);
    }

    private void createSidPackagePermission(Package r6, Sid sid, PermissionSet permissionSet) {
        createSidPermission(sid, new PackageIdentity(r6), permissionSet);
    }

    private void removeSidPackagePermission(Package r5, Sid sid) {
        removePermissionForSid(sid, new PackageIdentity(r5));
    }

    private void removePermissionForSid(Sid sid, ObjectIdentity objectIdentity) {
        MutableAcl mutableAcl = (MutableAcl) this.mutableAclService.readAclById(objectIdentity, Collections.singletonList(sid));
        if (deleteAceIfExists(sid, mutableAcl)) {
            this.mutableAclService.updateAcl(mutableAcl);
        }
    }

    private void updateEntityTypePermissions(WebRequest webRequest, Sid sid) {
        getEntityTypes().forEach(entityType -> {
            String parameter = webRequest.getParameter(RADIO + entityType.getId());
            if (parameter != null) {
                if (parameter.equals("none")) {
                    removeSidEntityTypePermission(entityType, sid);
                } else {
                    createSidEntityTypePermission(entityType, sid, paramValueToPermissionSet(parameter));
                }
            }
        });
    }

    private Permissions getEntityTypePermissions(Sid sid) {
        return getPermissions(sid, (List<ObjectIdentity>) ((List) getEntityTypes().collect(Collectors.toList())).stream().map(EntityTypeIdentity::new).collect(Collectors.toList()));
    }

    private void createSidPermission(Sid sid, ObjectIdentity objectIdentity, org.springframework.security.acls.model.Permission permission) {
        MutableAcl mutableAcl = (MutableAcl) this.mutableAclService.readAclById(objectIdentity, Collections.singletonList(sid));
        deleteAceIfExists(sid, mutableAcl);
        mutableAcl.insertAce(0, permission, sid, true);
        this.mutableAclService.updateAcl(mutableAcl);
    }

    List<User> getUsers() {
        return (List) this.dataService.findAll("sys_sec_User", User.class).collect(Collectors.toList());
    }

    List<Role> getRoles() {
        return (List) this.dataService.findAll("sys_sec_Role", Role.class).collect(Collectors.toList());
    }

    List<Package> getPackages() {
        return (List) this.dataService.findAll("sys_md_Package", Package.class).collect(Collectors.toList());
    }

    private boolean deleteAceIfExists(Sid sid, MutableAcl mutableAcl) {
        boolean z = false;
        for (int size = mutableAcl.getEntries().size() - 1; size >= 0; size--) {
            if (((AccessControlEntry) mutableAcl.getEntries().get(size)).getSid().equals(sid)) {
                mutableAcl.deleteAce(size);
                z = true;
            }
        }
        return z;
    }

    private Stream<EntityType> getEntityTypes() {
        return this.dataService.findAll("sys_md_EntityType", EntityType.class);
    }

    @ExceptionHandler({RuntimeException.class})
    @ResponseBody
    @ResponseStatus(HttpStatus.INTERNAL_SERVER_ERROR)
    public Map<String, String> handleRuntimeException(RuntimeException runtimeException) {
        LOG.error((String) null, runtimeException);
        return Collections.singletonMap("errorMessage", "An error occurred. Please contact the administrator.<br />Message:" + runtimeException.getMessage());
    }
}
