package pl.edu.icm.yadda.desklight.services.security.aas;

import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import pl.edu.icm.yadda.aal.model2.catalog.SecurityEntry;
import pl.edu.icm.yadda.aal.session.LoginIdentity;
import pl.edu.icm.yadda.aal.session.RoleAuthority;
import pl.edu.icm.yadda.aas.client.YaddaObligationsAwareResult;
import pl.edu.icm.yadda.aas.client.authn.session.AttributeAssertionExtractionHelper;
import pl.edu.icm.yadda.aas.client.backend.BackendAuthorizerRequest;
import pl.edu.icm.yadda.aas.client.backend.IBackendAuthorizer;
import pl.edu.icm.yadda.aas.proxy.event.AbstractSecurityEvent;
import pl.edu.icm.yadda.aas.proxy.event.AssertionPermanentlyExpiredSecurityEvent;
import pl.edu.icm.yadda.aas.proxy.event.AssertionRefreshedSecurityEvent;
import pl.edu.icm.yadda.aas.proxy.event.ISecurityEventListener;
import pl.edu.icm.yadda.common.YaddaException;
import pl.edu.icm.yadda.desklight.services.security.AccessControl;
import pl.edu.icm.yadda.desklight.services.security.AccessControlConstants;
import pl.edu.icm.yadda.desklight.services.security.AccessValidator;
import pl.edu.icm.yadda.desklight.services.security.DLSecurityException;
import pl.edu.icm.yadda.desklight.services.security.ServiceSecurityException;
import pl.edu.icm.yadda.service2.GenericRequest;
import pl.edu.icm.yadda.service2.GetVersionResponse;
import pl.edu.icm.yadda.service2.aas.IAAService;
import pl.edu.icm.yadda.service2.usersession.ISessionService;

/* loaded from: input_file:pl/edu/icm/yadda/desklight/services/security/aas/AASBasedAccessControl.class */
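/**
 * {@link AccessControl} / {@link AccessValidator} implementation backed by the YADDA AAS.
 *
 * <p>Roles are read from the {@value #ROLES_ATTRIBUTE} attribute of the assertion held by the
 * current session. Access decisions are delegated to the backend authorizer and cached in
 * {@link #accessControlCache}; the cache and the lazily computed AAS-version flag are dropped
 * whenever the session assertion is refreshed or permanently expires (see {@link #notify}).
 *
 * <p>Every error path of the decision methods denies access (fail-closed).
 *
 * <p>Collaborators are injected through setters. The class performs no synchronisation; the
 * version flag and the cache are written without locking.
 */
public class AASBasedAccessControl implements AccessControl, AccessValidator, ISecurityEventListener {
    public static final String ROLE_USERDB_ADMIN = "user_db:admin";
    public static final String ROLE_EDITOR = "metadata_repository:editor";
    public static final String ROLE_INST_EDITOR = "metadata_repository:institution_editor";
    public static final String ROLE_CLASS_EDITOR = "metadata_repository:classification_editor";
    public static final String ROLE_HORISONTAL_EDITOR_PREFIX = "metadata_repository:horisontal_restricted_editor:";
    /** Assertion attribute that carries the list of roles of the logged-in user. */
    protected static final String ROLES_ATTRIBUTE = "yadda:user-profile:roles";
    /** Source of the current session assertion / login identity. */
    protected ISessionService sessionService;
    /** Remote authorizer that evaluates {@link BackendAuthorizerRequest}s. */
    protected IBackendAuthorizer backendAuthorizer;
    /** Used only to read the AAS version for {@link #checkAASVersionSufficient()}. */
    protected IAAService aaService;
    /** Minimal AAS version ("X.Y.Z") for which backend authorization is used; null disables the check. */
    protected String supportedAASVersionMargin;
    // Lazily computed result of checkAASVersionSufficient(); reset by invalidate().
    private Boolean aasVersionSufficient;
    protected final Logger log = LoggerFactory.getLogger(getClass());
    // Decision cache keyed on the request parameters only (not on the caller identity); it is
    // kept consistent with the session solely through invalidate() on assertion events.
    protected AccessControlCache accessControlCache = new AccessControlCache();
    protected BackendAuthorizerRequestBuilder reqBuilder = new BackendAuthorizerRequestBuilder();

    /**
     * Returns the role values carried by the current session assertion.
     *
     * <p>The generic type of {@code AttributeAssertionExtractionHelper.getValues} is not visible
     * in this (decompiled) source; the original code consumed it as a raw collection of strings.
     */
    @SuppressWarnings("unchecked")
    protected Collection<String> currentRoles() {
        return AttributeAssertionExtractionHelper.getValues(ROLES_ATTRIBUTE,
                AASLogonHelper.retrieveAssertion(this.sessionService));
    }

    /**
     * Roles of the logged-in user, or an empty set when nobody is logged in.
     *
     * @return a mutable copy of the assertion's role values; never null
     */
    @Override
    public Set<String> getRoles() {
        if (!AASLogonHelper.isLoggedIn(this.sessionService)) {
            return Collections.emptySet();
        }
        return new HashSet<>(currentRoles());
    }

    /**
     * Tells whether the logged-in user holds the given role.
     *
     * @param role role name as stored in the assertion
     * @return false when nobody is logged in or the role is absent
     */
    @Override
    public boolean hasRole(String role) {
        return AASLogonHelper.isLoggedIn(this.sessionService) && currentRoles().contains(role);
    }

    /**
     * Module-level access check; delegates to
     * {@link #haveAccessToObject(String, String, String, String, String, String, String[])}
     * with no object-specific data.
     */
    @Override
    public boolean haveAccess(String module, String accessLevel) {
        return haveAccessToObject(module, accessLevel, null, null, null, null, null);
    }

    /**
     * Object-level access check, answered from the cache when possible and otherwise by
     * {@link #evaluateAccess(BackendAuthorizerRequest)}.
     *
     * <p>Parameter names of the first five arguments follow the log message of the original
     * code; the meaning of {@code str6} and {@code strArr} is not recoverable from this source
     * (they are passed through to the request builder and the cache unchanged).
     *
     * @return the (possibly cached) decision; false on any error or on a null result
     */
    @Override
    public boolean haveAccessToObject(String module, String accessLevel, String objectType,
            String objectHierarchyId, String objectLevelId, String str6, String[] strArr) {
        Boolean cached = this.accessControlCache.checkAccess(module, accessLevel, objectType,
                objectHierarchyId, objectLevelId, str6, strArr);
        if (cached != null) {
            return cached.booleanValue();
        }
        try {
            BackendAuthorizerRequest request = this.reqBuilder.buildRequest(module, accessLevel,
                    objectType, objectHierarchyId, objectLevelId, str6, strArr,
                    AASLogonHelper.retrieveAssertion(this.sessionService));
            YaddaObligationsAwareResult<Boolean> result = evaluateAccess(request);
            Boolean decision = result.getData();
            if (decision != null) {
                // Only definite answers are cached; errors and null results are re-evaluated next time.
                this.accessControlCache.setAccess(module, accessLevel, objectType, objectHierarchyId,
                        objectLevelId, str6, strArr, decision.booleanValue());
                return decision.booleanValue();
            }
            if (result.getError() != null) {
                this.log.warn("evaluation error: " + result.getError().getMssg(),
                        result.getError().getException());
                return false;
            }
            this.log.warn("unable to cache: received null evaluation result for module: {}, accessLevel: {}, objectType: {}, objectHierarchyId: {}, objectLevelId: {}",
                    new Object[]{module, accessLevel, objectType, objectHierarchyId, objectLevelId});
            return false;
        } catch (YaddaException e) {
            this.log.error("exception occurred when building backend authorizer request", e);
            return false;
        }
    }

    /**
     * Tells whether the AAS is at least {@link #supportedAASVersionMargin}; the answer is
     * computed once and kept until {@link #invalidate()}.
     *
     * <p>With no margin configured the AAS is assumed to be sufficient (logged as a warning).
     *
     * @throws IllegalArgumentException when the configured margin is not of the form X.Y.Z
     */
    protected boolean checkAASVersionSufficient() {
        if (this.aasVersionSufficient != null) {
            return this.aasVersionSufficient.booleanValue();
        }
        boolean sufficient;
        if (this.supportedAASVersionMargin == null) {
            this.log.warn("no supportedAASVersionMargin defined, assuming AAS version is sufficient for external authorization!");
            sufficient = true;
        } else {
            // Validate the configured margin before talking to the service.
            int[] required = parseVersionMargin(this.supportedAASVersionMargin);
            GetVersionResponse versionResponse = this.aaService.getVersionResponse(new GenericRequest());
            sufficient = isAtLeast(versionResponse.getVersion().getMajor(),
                    versionResponse.getVersion().getMinor(),
                    versionResponse.getVersion().getMicro(), required);
        }
        this.aasVersionSufficient = Boolean.valueOf(sufficient);
        return sufficient;
    }

    /**
     * Parses a version margin of the exact form X.Y.Z into {major, minor, micro}.
     *
     * @param margin version string, e.g. "2.1.0"
     * @return three non-negative-or-negative ints as parsed by {@link Integer#parseInt(String)}
     * @throws IllegalArgumentException when the string does not have exactly three numeric parts
     */
    protected static int[] parseVersionMargin(String margin) {
        String[] parts = margin.split("\\.", -1);
        if (parts.length != 3) {
            throw new IllegalArgumentException("invalid expected version: " + margin
                    + ", all three version parts in X.Y.Z format are required!");
        }
        int[] version = new int[3];
        for (int i = 0; i < 3; i++) {
            try {
                version[i] = Integer.parseInt(parts[i]);
            } catch (NumberFormatException e) {
                throw new IllegalArgumentException("invalid expected version: " + margin
                        + ", part '" + parts[i] + "' is not a number", e);
            }
        }
        return version;
    }

    /**
     * Lexicographic comparison of a (major, minor, micro) triple against a required triple.
     *
     * @param required {major, minor, micro} as produced by {@link #parseVersionMargin(String)}
     * @return true when the given version is equal to or newer than {@code required}
     */
    protected static boolean isAtLeast(int major, int minor, int micro, int[] required) {
        if (major != required[0]) {
            return major > required[0];
        }
        if (minor != required[1]) {
            return minor > required[1];
        }
        return micro >= required[2];
    }

    /** Wraps a locally computed decision in a result that carries no obligations. */
    private static YaddaObligationsAwareResult<Boolean> localDecision(boolean granted) {
        return new YaddaObligationsAwareResult<>(Boolean.valueOf(granted), (List) null);
    }

    /** True when the logged-in user holds any editor role, including a horizontal-editor role. */
    private boolean hasAnyEditorRole() {
        for (String role : getRoles()) {
            if (ROLE_EDITOR.equals(role) || ROLE_CLASS_EDITOR.equals(role)
                    || ROLE_INST_EDITOR.equals(role) || role.startsWith(ROLE_HORISONTAL_EDITOR_PREFIX)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Evaluates a request against the backend authorizer.
     *
     * <p>When the AAS is older than {@link #supportedAASVersionMargin}, a reduced local policy
     * is applied instead for the editor module (actions {@code write-class},
     * {@code write-institution} and {@link BackendAuthorizerRequestBuilder#ACTION_WRITE_SOME})
     * and for the {@code user} resource, based solely on the roles in the session assertion.
     * Any other request is still sent to the backend.
     *
     * @return the decision; {@code getData()} may be null when the backend reports an error
     */
    public YaddaObligationsAwareResult<Boolean> evaluateAccess(BackendAuthorizerRequest backendAuthorizerRequest) {
        if (checkAASVersionSufficient()) {
            return this.backendAuthorizer.evaluateAccess(backendAuthorizerRequest);
        }
        String resource = backendAuthorizerRequest.getResource();
        String action = backendAuthorizerRequest.getAction();
        if (AccessControlConstants.MODULE_EDITOR.equals(resource)) {
            if ("write-class".equals(action)) {
                return localDecision(hasRole(ROLE_EDITOR) || hasRole(ROLE_CLASS_EDITOR));
            }
            if ("write-institution".equals(action)) {
                return localDecision(hasRole(ROLE_EDITOR) || hasRole(ROLE_INST_EDITOR));
            }
            if (BackendAuthorizerRequestBuilder.ACTION_WRITE_SOME.equals(action)) {
                return localDecision(hasAnyEditorRole());
            }
        } else if ("user".equals(resource)) {
            return localDecision(hasRole(ROLE_USERDB_ADMIN));
        }
        return this.backendAuthorizer.evaluateAccess(backendAuthorizerRequest);
    }

    /**
     * Builds an audit entry for the current login identity with host fixed to {@code localhost}.
     *
     * @param serviceId service the action targets
     * @param action    action being performed
     */
    @Override
    public SecurityEntry getSecurityEntry(String serviceId, String action) {
        return buildEntry(AASLogonHelper.retrieveLoginIdentity(this.sessionService), serviceId, action, "localhost");
    }

    /**
     * Builds a {@link SecurityEntry} stamped with the current time, the given login identity
     * (under key {@code LOGIN}, only when non-null) and the session roles (under key {@code ROLE}).
     *
     * <p>The roles are read from the session assertion regardless of the login state, exactly
     * as in the original code; behaviour with no assertion present depends on the helpers and
     * is not visible here.
     *
     * <p>The value type of {@code SecurityEntry.setAuthorityEntries} is not visible in this
     * source, so the map is kept raw.
     */
    @SuppressWarnings({"rawtypes", "unchecked"})
    protected SecurityEntry buildEntry(LoginIdentity loginIdentity, String serviceId, String action, String host) {
        SecurityEntry entry = new SecurityEntry();
        entry.setServiceId(serviceId);
        entry.setHost(host);
        entry.setTimestamp(new Date());
        entry.setAction(action);
        if (loginIdentity != null) {
            HashMap authorities = new HashMap();
            authorities.put("LOGIN", loginIdentity);
            entry.setAuthorityEntries(authorities);
        }
        RoleAuthority roleAuthority = new RoleAuthority();
        for (String role : currentRoles()) {
            roleAuthority.add(role);
        }
        if (entry.getAuthorityEntries() == null) {
            entry.setAuthorityEntries(new HashMap());
        }
        entry.getAuthorityEntries().put("ROLE", roleAuthority);
        return entry;
    }

    /**
     * No-op: never throws, whatever the arguments. Callers must not rely on this method for
     * enforcement; use {@link #haveAccess(String, String)} and act on its result.
     * NOTE(review): confirm the empty body is intended and not a lost implementation.
     */
    @Override
    public void tryToAccess(String module, String accessLevel) throws DLSecurityException {
    }

    /**
     * No-op: never throws. See {@link #tryToAccess(String, String)}.
     */
    @Override
    public void tryToAccessInternal(String module, String accessLevel) throws ServiceSecurityException {
    }

    /**
     * No-op: never throws. See {@link #tryToAccess(String, String)}; for a real decision use
     * {@link #haveAccessToObject(String, String, String, String, String, String, String[])}.
     */
    @Override
    public void tryToAccessObject(String module, String accessLevel, String objectType,
            String objectHierarchyId, String objectLevelId) throws DLSecurityException {
    }

    /**
     * Security-event callback: a refreshed or permanently expired assertion invalidates all
     * cached decisions, because they were computed for the previous assertion. Other events
     * are ignored.
     */
    public void notify(AbstractSecurityEvent event) {
        if (event instanceof AssertionRefreshedSecurityEvent
                || event instanceof AssertionPermanentlyExpiredSecurityEvent) {
            invalidate();
        }
    }

    /** Drops the cached AAS-version flag and every cached access decision. */
    public void invalidate() {
        this.aasVersionSufficient = null;
        this.accessControlCache.invalidate();
    }

    public void setSessionService(ISessionService iSessionService) {
        this.sessionService = iSessionService;
    }

    public void setBackendAuthorizer(IBackendAuthorizer iBackendAuthorizer) {
        this.backendAuthorizer = iBackendAuthorizer;
    }

    /** @param str minimal AAS version as "X.Y.Z"; null disables the version check */
    public void setSupportedAASVersionMargin(String str) {
        this.supportedAASVersionMargin = str;
    }

    public void setAaService(IAAService iAAService) {
        this.aaService = iAAService;
    }
}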
