package org.molgenis.data.security.permission;

import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.commons.lang3.StringUtils;
import org.molgenis.data.security.EntityPermission;
import org.molgenis.data.security.EntityTypeIdentity;
import org.molgenis.data.security.EntityTypePermission;
import org.molgenis.data.security.exception.InsufficientPermissionsException;
import org.molgenis.data.security.exception.ReadPermissionDeniedException;
import org.molgenis.data.security.exception.SidPermissionException;
import org.molgenis.data.security.exception.SuperUserPermissionsException;
import org.molgenis.data.security.exception.UnknownTypeException;
import org.molgenis.data.security.permission.model.LabelledObject;
import org.molgenis.data.security.permission.model.LabelledPermission;
import org.molgenis.data.security.permission.model.LabelledType;
import org.molgenis.data.security.permission.model.Permission;
import org.molgenis.security.acl.MutableAclClassService;
import org.molgenis.security.core.PermissionSet;
import org.molgenis.security.core.SidUtils;
import org.molgenis.security.core.UserPermissionEvaluator;
import org.molgenis.security.core.runas.RunAsSystemAspect;
import org.molgenis.security.core.utils.SecurityUtils;
import org.springframework.security.acls.model.MutableAcl;
import org.springframework.security.acls.model.MutableAclService;
import org.springframework.security.acls.model.ObjectIdentity;
import org.springframework.security.acls.model.Sid;

/* loaded from: input_file:org/molgenis/data/security/permission/PermissionServiceDecorator.class */
public class PermissionServiceDecorator implements PermissionService {
    public static final String SUPERUSER = "superuser";
    private final UserRoleTools userRoleTools;
    private final MutableAclService mutableAclService;
    private final MutableAclClassService mutableAclClassService;
    private final PermissionService permissionService;
    private final UserPermissionEvaluator userPermissionEvaluator;
    private final EntityHelper entityHelper;

    public PermissionServiceDecorator(PermissionService permissionService, EntityHelper entityHelper, UserRoleTools userRoleTools, MutableAclService mutableAclService, MutableAclClassService mutableAclClassService, UserPermissionEvaluator userPermissionEvaluator) {
        this.permissionService = (PermissionService) Objects.requireNonNull(permissionService);
        this.userRoleTools = (UserRoleTools) Objects.requireNonNull(userRoleTools);
        this.mutableAclService = (MutableAclService) Objects.requireNonNull(mutableAclService);
        this.mutableAclClassService = (MutableAclClassService) Objects.requireNonNull(mutableAclClassService);
        this.userPermissionEvaluator = (UserPermissionEvaluator) Objects.requireNonNull(userPermissionEvaluator);
        this.entityHelper = (EntityHelper) Objects.requireNonNull(entityHelper);
    }

    @Override // org.molgenis.data.security.permission.PermissionService
    public Set<LabelledType> getLabelledTypes() {
        return (Set) this.permissionService.getLabelledTypes().stream().filter(labelledType -> {
            return this.userPermissionEvaluator.hasPermission(new EntityTypeIdentity(labelledType.getEntityType()), EntityPermission.READ);
        }).collect(Collectors.toSet());
    }

    @Override // org.molgenis.data.security.permission.PermissionService
    public Set<LabelledPermission> getPermissionsForObject(ObjectIdentity objectIdentity, Set<Sid> set, boolean z) {
        checkForSu(set);
        checkReadPermission(objectIdentity.getType(), set);
        return this.permissionService.getPermissionsForObject(objectIdentity, set, z);
    }

    @Override // org.molgenis.data.security.permission.PermissionService
    public void createAcl(ObjectIdentity objectIdentity) {
        checkSuOrSystem(objectIdentity.getType(), objectIdentity.getIdentifier().toString());
        this.permissionService.createAcl(objectIdentity);
    }

    private void checkSuOrSystem(String str, String str2) {
        if (!SecurityUtils.currentUserIsSuOrSystem()) {
            throw new InsufficientPermissionsException(str, str2, Collections.singletonList("superuser"));
        }
    }

    @Override // org.molgenis.data.security.permission.PermissionService
    public void createPermission(Permission permission) {
        checkForSu(permission.getSid());
        checkSuOrOwner(permission.getObjectIdentity());
        this.permissionService.createPermission(permission);
    }

    @Override // org.molgenis.data.security.permission.PermissionService
    public void createPermissions(Set<Permission> set) {
        for (Permission permission : set) {
            checkForSu(permission.getSid());
            checkSuOrOwner(permission.getObjectIdentity());
        }
        this.permissionService.createPermissions(set);
    }

    @Override // org.molgenis.data.security.permission.PermissionService
    public void updatePermission(Permission permission) {
        checkForSu(permission.getSid());
        checkSuOrOwner(permission.getObjectIdentity());
        this.permissionService.updatePermission(permission);
    }

    @Override // org.molgenis.data.security.permission.PermissionService
    public void updatePermissions(Set<Permission> set) {
        for (Permission permission : set) {
            checkForSu(permission.getSid());
            checkSuOrOwner(permission.getObjectIdentity());
        }
        this.permissionService.updatePermissions(set);
    }

    @Override // org.molgenis.data.security.permission.PermissionService
    public void deletePermission(Sid sid, ObjectIdentity objectIdentity) {
        checkForSu(sid);
        checkSuOrOwner(objectIdentity);
        this.permissionService.deletePermission(sid, objectIdentity);
    }

    @Override // org.molgenis.data.security.permission.PermissionService
    public void addType(String str) {
        if (!SecurityUtils.currentUserIsSuOrSystem()) {
            throw new InsufficientPermissionsException("type", str, Collections.singletonList("superuser"));
        }
        this.permissionService.addType(str);
    }

    @Override // org.molgenis.data.security.permission.PermissionService
    public void deleteType(String str) {
        checkSuOrSystem("type", str);
        this.permissionService.deleteType(str);
    }

    @Override // org.molgenis.data.security.permission.PermissionService
    public Map<String, Set<LabelledPermission>> getPermissionsForType(String str, Set<Sid> set, boolean z) {
        checkForSu(set);
        checkReadPermission(str, set);
        return this.permissionService.getPermissionsForType(str, set, z);
    }

    @Override // org.molgenis.data.security.permission.PermissionService
    public Map<String, Set<LabelledPermission>> getPermissionsForType(String str, Set<Sid> set, int i, int i2) {
        checkForSu(set);
        checkReadPermission(str, set);
        return this.permissionService.getPermissionsForType(str, set, i, i2);
    }

    @Override // org.molgenis.data.security.permission.PermissionService
    public Set<LabelledPermission> getPermissions(Set<Sid> set, boolean z) {
        checkForSu(set);
        checkPermissionsOnSid(set);
        return this.permissionService.getPermissions(set, z);
    }

    @Override // org.molgenis.data.security.permission.PermissionService
    public Set<LabelledObject> getObjects(String str, int i, int i2) {
        checkReadPermission(str, Collections.emptySet());
        return this.permissionService.getObjects(str, i, i2);
    }

    @Override // org.molgenis.data.security.permission.PermissionService
    public Set<PermissionSet> getSuitablePermissionsForType(String str) {
        if (this.userPermissionEvaluator.hasPermission(new EntityTypeIdentity(this.entityHelper.getEntityTypeIdFromType(str)), EntityTypePermission.READ_METADATA)) {
            return this.permissionService.getSuitablePermissionsForType(str);
        }
        throw new ReadPermissionDeniedException(str);
    }

    @Override // org.molgenis.data.security.permission.PermissionService
    public boolean exists(ObjectIdentity objectIdentity, Sid sid) {
        checkForSu(sid);
        checkReadPermission(objectIdentity.getType(), Collections.singleton(sid));
        return this.permissionService.exists(objectIdentity, sid);
    }

    private void checkPermissionsOnSid(Set<Sid> set) {
        List<Sid> forbiddenSids = getForbiddenSids(set);
        if (!SecurityUtils.currentUserIsSuOrSystem() && !forbiddenSids.isEmpty()) {
            throw new SidPermissionException(StringUtils.join((List) forbiddenSids.stream().map(UserRoleTools::getName).collect(Collectors.toList()), ","));
        }
    }

    private void checkReadPermission(String str, Set<Sid> set) {
        if (!isSuOrSelf(set)) {
            throw new ReadPermissionDeniedException(str);
        }
    }

    private void checkSuOrOwner(ObjectIdentity objectIdentity) {
        if (!this.mutableAclClassService.getAclClassTypes().contains(objectIdentity.getType())) {
            throw new UnknownTypeException(objectIdentity.getType());
        }
        this.entityHelper.checkEntityExists(objectIdentity);
        MutableAcl readAclById = this.mutableAclService.readAclById(objectIdentity);
        boolean equals = readAclById.getOwner().equals(SidUtils.createSecurityContextSid());
        if (!SecurityUtils.currentUserIsSuOrSystem() && !equals) {
            throw new InsufficientPermissionsException(readAclById.getObjectIdentity(), Arrays.asList("superuser", "owner"));
        }
    }

    private boolean isSuOrSelf(Set<Sid> set) {
        return SecurityUtils.currentUserIsSuOrSystem() || (!set.isEmpty() && getForbiddenSids(set).isEmpty());
    }

    private List<Sid> getForbiddenSids(Set<Sid> set) {
        LinkedList linkedList = new LinkedList();
        Sid createSecurityContextSid = SidUtils.createSecurityContextSid();
        Set set2 = (Set) RunAsSystemAspect.runAsSystem(() -> {
            return this.userRoleTools.getRoles(createSecurityContextSid);
        });
        for (Sid sid : set) {
            if (!set2.contains(sid) && !createSecurityContextSid.equals(sid)) {
                linkedList.add(sid);
            }
        }
        return linkedList;
    }

    private void checkForSu(Sid sid) {
        if (this.userRoleTools.isSuperUser(sid)) {
            throw new SuperUserPermissionsException(UserRoleTools.getName(sid));
        }
    }

    private void checkForSu(Set<Sid> set) {
        set.forEach(this::checkForSu);
    }
}
