package org.molgenis.data.security.permission;

import com.google.common.collect.Sets;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import org.molgenis.data.DataService;
import org.molgenis.data.meta.model.EntityType;
import org.molgenis.data.security.EntityIdentity;
import org.molgenis.data.security.EntityIdentityUtils;
import org.molgenis.data.security.EntityTypeIdentity;
import org.molgenis.data.security.EntityTypePermission;
import org.molgenis.data.security.PackageIdentity;
import org.molgenis.data.security.exception.AclAlreadyExistsException;
import org.molgenis.data.security.exception.AclClassAlreadyExistsException;
import org.molgenis.data.security.exception.DuplicatePermissionException;
import org.molgenis.data.security.exception.PermissionNotSuitableException;
import org.molgenis.data.security.exception.UnknownAceException;
import org.molgenis.data.security.exception.UnknownTypeException;
import org.molgenis.data.security.permission.inheritance.PermissionInheritanceResolver;
import org.molgenis.data.security.permission.model.LabelledObject;
import org.molgenis.data.security.permission.model.LabelledPermission;
import org.molgenis.data.security.permission.model.LabelledType;
import org.molgenis.data.security.permission.model.Permission;
import org.molgenis.security.acl.MutableAclClassService;
import org.molgenis.security.acl.ObjectIdentityService;
import org.molgenis.security.core.PermissionSet;
import org.molgenis.security.core.UserPermissionEvaluator;
import org.springframework.security.acls.model.AccessControlEntry;
import org.springframework.security.acls.model.Acl;
import org.springframework.security.acls.model.AlreadyExistsException;
import org.springframework.security.acls.model.MutableAcl;
import org.springframework.security.acls.model.MutableAclService;
import org.springframework.security.acls.model.ObjectIdentity;
import org.springframework.security.acls.model.Sid;
import org.springframework.transaction.annotation.Transactional;

/* loaded from: input_file:org/molgenis/data/security/permission/PermissionServiceImpl.class */
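/**
 * {@link PermissionService} implementation that reads and writes permissions as access control
 * entries (ACEs) through a {@link MutableAclService}.
 *
 * <p>Security note: apart from the {@code READ_METADATA} filter in {@link #getLabelledTypes()},
 * no check of the calling user's authority is visible in this class. NOTE(review): confirm that
 * whatever wraps or calls this service decides who may read or change ACLs.
 *
 * <p>This listing was recovered by a decompiler, so public parameter names ({@code str},
 * {@code i}, {@code z}, ...) are synthetic; their meaning is described per method.
 */
public class PermissionServiceImpl implements PermissionService {
    private static final String PLUGIN = "plugin";
    private final MutableAclService mutableAclService;
    private final PermissionInheritanceResolver inheritanceResolver;
    private final ObjectIdentityService objectIdentityService;
    private final DataService dataService;
    private final MutableAclClassService mutableAclClassService;
    private final UserRoleTools userRoleTools;
    private final EntityHelper entityHelper;
    private final UserPermissionEvaluator userPermissionEvaluator;

    /**
     * Creates the service from its collaborators.
     *
     * @throws NullPointerException if any argument is {@code null}
     */
    public PermissionServiceImpl(MutableAclService mutableAclService, PermissionInheritanceResolver permissionInheritanceResolver, ObjectIdentityService objectIdentityService, DataService dataService, MutableAclClassService mutableAclClassService, UserRoleTools userRoleTools, EntityHelper entityHelper, UserPermissionEvaluator userPermissionEvaluator) {
        this.mutableAclService = Objects.requireNonNull(mutableAclService);
        this.inheritanceResolver = Objects.requireNonNull(permissionInheritanceResolver);
        this.objectIdentityService = Objects.requireNonNull(objectIdentityService);
        this.dataService = Objects.requireNonNull(dataService);
        this.mutableAclClassService = Objects.requireNonNull(mutableAclClassService);
        this.userRoleTools = Objects.requireNonNull(userRoleTools);
        this.entityHelper = Objects.requireNonNull(entityHelper);
        this.userPermissionEvaluator = Objects.requireNonNull(userPermissionEvaluator);
    }

    /**
     * Lists the registered ACL class types the current user may see.
     *
     * @return one {@link LabelledType} per ACL class type for which the permission evaluator
     *     grants {@code READ_METADATA} on the corresponding entity type
     */
    @Override
    public Set<LabelledType> getLabelledTypes() {
        Set<LabelledType> candidates = new HashSet<>();
        for (String typeId : this.mutableAclClassService.getAclClassTypes()) {
            candidates.add(LabelledType.create(typeId, this.entityHelper.getEntityTypeIdFromType(typeId), this.entityHelper.getLabel(typeId)));
        }
        // Only types whose metadata the caller may read are returned.
        return candidates.stream()
                .filter(labelledType -> this.userPermissionEvaluator.hasPermission(new EntityTypeIdentity(labelledType.getEntityType()), EntityTypePermission.READ_METADATA))
                .collect(Collectors.toSet());
    }

    /**
     * Returns one page of the objects of a type that have an object identity.
     *
     * @param str the type id; validated by {@code entityHelper.checkEntityTypeExists}
     * @param i presumably the 1-based page number (used as {@code (i - 1) * i2} for the offset)
     * @param i2 presumably the page size (passed on as the limit)
     * @return the labelled objects of that page
     */
    @Override
    public Set<LabelledObject> getObjects(String str, int i, int i2) {
        this.entityHelper.checkEntityTypeExists(str);
        return this.objectIdentityService.getObjectIdentities(str, i2, offsetOf(i, i2)).stream()
                .map(this::getLabelledObject)
                .collect(Collectors.toSet());
    }

    /**
     * Converts a page number and page size to a row offset.
     *
     * <p>NOTE(review): a page below 1 yields a negative offset and large values overflow
     * {@code int}; no range validation is visible in this class, so confirm callers validate
     * paging input before it reaches the identity query.
     */
    private static int offsetOf(int page, int pageSize) {
        return (page - 1) * pageSize;
    }

    /** Pairs an object identity's identifier with the label resolved by the entity helper. */
    private LabelledObject getLabelledObject(ObjectIdentity objectIdentity) {
        String identifier = objectIdentity.getIdentifier().toString();
        return LabelledObject.create(identifier, this.entityHelper.getLabel(objectIdentity.getType(), identifier));
    }

    /**
     * Returns the permission sets that may be granted on objects of the given type.
     *
     * <p>The decompiled form of this method was a two-stage {@code hashCode} switch that did not
     * compile; the case mapping below is reconstructed from it: entity types, packages and groups
     * allow the full range, plugins are read-only, every other type allows read and write.
     *
     * @param str the type id; validated by {@code entityHelper.checkEntityTypeExists}
     * @return a new mutable set of the permission sets suitable for that type
     */
    @Override
    public Set<PermissionSet> getSuitablePermissionsForType(String str) {
        this.entityHelper.checkEntityTypeExists(str);
        switch (str) {
            case EntityTypeIdentity.ENTITY_TYPE:
            case PackageIdentity.PACKAGE:
            case "group":
                return Sets.newHashSet(PermissionSet.READMETA, PermissionSet.COUNT, PermissionSet.READ, PermissionSet.WRITE, PermissionSet.WRITEMETA);
            case PLUGIN:
                return Sets.newHashSet(PermissionSet.READ);
            default:
                return Sets.newHashSet(PermissionSet.READ, PermissionSet.WRITE);
        }
    }

    /**
     * Returns the permissions on a single object.
     *
     * @param objectIdentity the object whose ACL is read
     * @param set the sids to report on; an empty set means all available sids
     * @param z whether inherited permissions are included
     * @throws UnknownTypeException if the object's type is not a registered ACL class type
     */
    @Override
    public Set<LabelledPermission> getPermissionsForObject(ObjectIdentity objectIdentity, Set<Sid> set, boolean z) {
        checkTypeExists(objectIdentity.getType());
        this.entityHelper.checkEntityExists(objectIdentity);
        return getPermissionResponses(this.mutableAclService.readAclById(objectIdentity), z, set);
    }

    /** Rejects type ids that are not registered as an ACL class type. */
    private void checkTypeExists(String str) {
        if (!this.mutableAclClassService.getAclClassTypes().contains(str)) {
            throw new UnknownTypeException(str);
        }
    }

    /**
     * Collects the permissions of the given sids across every registered ACL class type.
     *
     * @param set the sids to report on
     * @param z whether inherited sids and inherited permissions are taken into account
     * @return the permissions in encounter order
     */
    @Override
    public Set<LabelledPermission> getPermissions(Set<Sid> set, boolean z) {
        Set<LabelledPermission> result = new LinkedHashSet<>();
        for (String typeId : this.mutableAclClassService.getAclClassTypes()) {
            Set<Sid> sids = z ? this.userRoleTools.getInheritedSids(set) : set;
            for (Set<LabelledPermission> perObject : getPermissionsForType(typeId, sids, z).values()) {
                result.addAll(perObject);
            }
        }
        return result;
    }

    /**
     * Returns one page of per-object permissions for a type, without inherited permissions.
     *
     * @param str the type id; validated by {@code entityHelper.checkEntityTypeExists}
     * @param set the sids to report on
     * @param i presumably the 1-based page number
     * @param i2 presumably the page size
     * @return permissions keyed by object identifier, in the order the identities were returned
     */
    @Override
    public Map<String, Set<LabelledPermission>> getPermissionsForType(String str, Set<Sid> set, int i, int i2) {
        this.entityHelper.checkEntityTypeExists(str);
        List<ObjectIdentity> objectIdentities = this.objectIdentityService.getObjectIdentities(str, set, i2, offsetOf(i, i2));
        Map<ObjectIdentity, Acl> acls = new LinkedHashMap<>();
        if (!objectIdentities.isEmpty()) {
            acls = this.mutableAclService.readAclsById(objectIdentities, this.userRoleTools.sortSids(set));
        }
        return getPermissions(acls, objectIdentities, set, false);
    }

    /**
     * Returns the per-object permissions for every object of a type.
     *
     * @param str the type id; validated by {@code entityHelper.checkEntityTypeExists}
     * @param set the sids to report on; an empty set selects all object identities of the type
     * @param z whether inherited sids and inherited permissions are taken into account
     * @return permissions keyed by object identifier
     */
    @Override
    public Map<String, Set<LabelledPermission>> getPermissionsForType(String str, Set<Sid> set, boolean z) {
        this.entityHelper.checkEntityTypeExists(str);
        List<ObjectIdentity> objectIdentities = getObjectIdentities(str, set, z);
        return getPermissions(readAcls(set, objectIdentities), objectIdentities, set, z);
    }

    /** Selects the identity query: all identities, or those for the sids (optionally expanded). */
    private List<ObjectIdentity> getObjectIdentities(String str, Set<Sid> set, boolean z) {
        if (set.isEmpty()) {
            return this.objectIdentityService.getObjectIdentities(str);
        }
        if (z) {
            return this.objectIdentityService.getObjectIdentities(str, this.userRoleTools.getInheritedSids(set));
        }
        return this.objectIdentityService.getObjectIdentities(str, set);
    }

    /** Reads the ACLs for the identities, restricted to the sorted sids when any are given. */
    private Map<ObjectIdentity, Acl> readAcls(Set<Sid> set, List<ObjectIdentity> list) {
        if (list.isEmpty()) {
            // Nothing to look up; the ACL service is not called for an empty identity list.
            return new LinkedHashMap<>();
        }
        if (set.isEmpty()) {
            return this.mutableAclService.readAclsById(list);
        }
        return this.mutableAclService.readAclsById(list, this.userRoleTools.sortSids(set));
    }

    /** Creates an ACL for an existing entity. */
    @Override
    @Transactional
    public void createAcl(ObjectIdentity objectIdentity) {
        this.entityHelper.checkEntityExists(objectIdentity);
        this.mutableAclService.createAcl(objectIdentity);
    }

    /**
     * Grants a permission by appending a granting ACE to the object's ACL.
     *
     * @throws UnknownTypeException if the object's type is not a registered ACL class type
     * @throws PermissionNotSuitableException if the permission set is not allowed for the type
     * @throws DuplicatePermissionException if the sid already has a permission on the object
     */
    @Override
    @Transactional
    public void createPermission(Permission permission) {
        ObjectIdentity objectIdentity = permission.getObjectIdentity();
        checkTypeExists(objectIdentity.getType());
        this.entityHelper.checkEntityExists(objectIdentity);
        // The decompiled listing lost this cast; it mirrors the one in updatePermission.
        MutableAcl acl = (MutableAcl) this.mutableAclService.readAclById(objectIdentity);
        if (!getSuitablePermissionsForType(objectIdentity.getType()).contains(permission.getPermission())) {
            throw new PermissionNotSuitableException(permission.getPermission().name(), objectIdentity.getType());
        }
        Sid sid = permission.getSid();
        if (!getPermissionResponses(acl, false, Collections.singleton(sid)).isEmpty()) {
            throw new DuplicatePermissionException(objectIdentity, sid);
        }
        acl.insertAce(acl.getEntries().size(), permission.getPermission(), sid, true);
        this.mutableAclService.updateAcl(acl);
    }

    /** Grants each permission in turn via {@link #createPermission(Permission)}. */
    @Override
    @Transactional
    public void createPermissions(Set<Permission> set) {
        for (Permission permission : set) {
            createPermission(permission);
        }
    }

    /**
     * Replaces the sid's existing ACEs on the object with one granting ACE for the new permission.
     *
     * @throws UnknownTypeException if the object's type is not a registered ACL class type
     * @throws PermissionNotSuitableException if the permission set is not allowed for the type
     * @throws UnknownAceException if the sid has no permission on the object to update
     */
    @Override
    @Transactional
    public void updatePermission(Permission permission) {
        ObjectIdentity objectIdentity = permission.getObjectIdentity();
        checkTypeExists(objectIdentity.getType());
        this.entityHelper.checkEntityExists(objectIdentity);
        MutableAcl acl = (MutableAcl) this.mutableAclService.readAclById(objectIdentity);
        if (!getSuitablePermissionsForType(objectIdentity.getType()).contains(permission.getPermission())) {
            throw new PermissionNotSuitableException(permission.getPermission().name(), objectIdentity.getType());
        }
        Sid sid = permission.getSid();
        if (getPermissionsForObject(objectIdentity, Collections.singleton(sid), false).isEmpty()) {
            throw new UnknownAceException(objectIdentity, sid, "update");
        }
        // deleteAce persists the removal itself; the insert below is persisted by a second update.
        deleteAce(sid, acl);
        acl.insertAce(acl.getEntries().size(), permission.getPermission(), sid, true);
        this.mutableAclService.updateAcl(acl);
    }

    /** Updates each permission in turn via {@link #updatePermission(Permission)}. */
    @Override
    @Transactional
    public void updatePermissions(Set<Permission> set) {
        for (Permission permission : set) {
            // updatePermission repeats this existence check after validating the type.
            this.entityHelper.checkEntityExists(permission.getObjectIdentity());
            updatePermission(permission);
        }
    }

    /**
     * Removes every ACE of the sid from the object's ACL.
     *
     * @throws UnknownAceException if the sid has no permission on the object
     */
    @Override
    @Transactional
    public void deletePermission(Sid sid, ObjectIdentity objectIdentity) {
        this.entityHelper.checkEntityExists(objectIdentity);
        MutableAcl acl = (MutableAcl) this.mutableAclService.readAclById(objectIdentity, Collections.singletonList(sid));
        Set<LabelledPermission> current = getPermissionsForObject(objectIdentity, Collections.singleton(sid), false);
        if (acl == null || current.isEmpty()) {
            throw new UnknownAceException(objectIdentity, sid, "delete");
        }
        deleteAce(sid, acl);
    }

    /**
     * Registers an entity type as an ACL class and creates an ACL for each of its entities.
     *
     * @param str the type id; must exist and must pass {@code entityHelper.checkIsNotSystem}
     * @throws AclClassAlreadyExistsException if the type is already registered
     * @throws AclAlreadyExistsException if an entity of the type already has an ACL
     */
    @Override
    @Transactional
    public void addType(String str) {
        this.entityHelper.checkEntityTypeExists(str);
        this.entityHelper.checkIsNotSystem(str);
        EntityType entityType = this.dataService.getEntityType(this.entityHelper.getEntityTypeIdFromType(str));
        if (this.mutableAclClassService.getAclClassTypes().contains(str)) {
            throw new AclClassAlreadyExistsException(str);
        }
        this.mutableAclClassService.createAclClass(str, EntityIdentityUtils.toIdType(entityType));
        this.dataService.findAll(entityType.getId()).forEach(entity -> {
            try {
                this.mutableAclService.createAcl(new EntityIdentity(entity));
            } catch (AlreadyExistsException e) {
                // Translated to the domain exception; the Spring cause is not propagated.
                throw new AclAlreadyExistsException(str, entityType.getId());
            }
        });
    }

    /**
     * Removes the ACL class of a registered type.
     *
     * @param str the type id; must be registered, exist, and pass {@code checkIsNotSystem}
     * @throws UnknownTypeException if the type is not a registered ACL class type
     */
    @Override
    @Transactional
    public void deleteType(String str) {
        checkTypeExists(str);
        this.entityHelper.checkEntityTypeExists(str);
        this.entityHelper.checkIsNotSystem(str);
        this.mutableAclClassService.deleteAclClass(str);
    }

    /** Reports whether the object's ACL holds at least one ACE for the sid. */
    @Override
    public boolean exists(ObjectIdentity objectIdentity, Sid sid) {
        return this.mutableAclService.readAclById(objectIdentity, Collections.singletonList(sid)).getEntries().stream()
                .anyMatch(entry -> entry.getSid().equals(sid));
    }

    /** Deletes all ACEs of the sid and persists the ACL only if something was removed. */
    private void deleteAce(Sid sid, MutableAcl mutableAcl) {
        boolean removed = false;
        // Walk backwards so that deleting an entry does not shift the indices still to visit.
        for (int index = mutableAcl.getEntries().size() - 1; index >= 0; index--) {
            if (mutableAcl.getEntries().get(index).getSid().equals(sid)) {
                mutableAcl.deleteAce(index);
                removed = true;
            }
        }
        if (removed) {
            this.mutableAclService.updateAcl(mutableAcl);
        }
    }

    /** Builds the identifier-to-permissions map for the identities, preserving their order. */
    private Map<String, Set<LabelledPermission>> getPermissions(Map<ObjectIdentity, Acl> map, List<ObjectIdentity> list, Set<Sid> set, boolean z) {
        Map<String, Set<LabelledPermission>> result = new LinkedHashMap<>();
        for (ObjectIdentity objectIdentity : list) {
            result.put(objectIdentity.getIdentifier().toString(), getPermissionResponses(map.get(objectIdentity), z, set));
        }
        return result;
    }

    /**
     * Collects the permissions the sids hold in one ACL, visiting the sids in sorted order.
     *
     * <p>An empty sid set is widened to all available sids, so callers that pass an empty set
     * receive the permissions of every sid on the object.
     */
    private Set<LabelledPermission> getPermissionResponses(Acl acl, boolean z, Set<Sid> set) {
        Set<LabelledPermission> result = new LinkedHashSet<>();
        Set<Sid> sids = set.isEmpty() ? this.userRoleTools.getAllAvailableSids() : set;
        for (Sid sid : this.userRoleTools.sortSids(sids)) {
            getPermissionResponsesForSingleSid(acl, z, result, sid);
        }
        return result;
    }

    /**
     * Adds the sid's own and, when {@code z} is set, inherited permissions to {@code set}.
     *
     * <p>Nothing is added when the sid has neither. When several ACEs match the sid, the last
     * one in the ACL determines the reported permission set.
     *
     * <p>NOTE(review): the ACE's granting flag is not inspected here; within this class ACEs are
     * only ever inserted as granting, so confirm no other writer stores denying entries.
     */
    private void getPermissionResponsesForSingleSid(Acl acl, boolean z, Set<LabelledPermission> set, Sid sid) {
        PermissionSet ownPermission = null;
        for (AccessControlEntry entry : acl.getEntries()) {
            if (sid.equals(entry.getSid())) {
                ownPermission = PermissionSetUtils.getPermissionSet(entry);
            }
        }
        // Left raw as in the decompiled listing: the element type returned by the inheritance
        // resolver is not visible from this file.
        LinkedHashSet inherited = new LinkedHashSet();
        if (z) {
            inherited.addAll(this.inheritanceResolver.getInheritedPermissions(acl, sid));
        }
        if (ownPermission == null && inherited.isEmpty()) {
            return;
        }
        set.add(LabelledPermission.create(sid, this.entityHelper.getLabelledObjectIdentity(acl.getObjectIdentity()), ownPermission, inherited.isEmpty() ? null : inherited));
    }
}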
