package pl.edu.icm.yadda.aas.proxy.userdb;

import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.opensaml.lite.xacml.XACMLConstants;
import pl.edu.icm.yadda.aas.audit.user.IIdExtractor;
import pl.edu.icm.yadda.aas.client.YaddaObligationsAwareResult;
import pl.edu.icm.yadda.aas.client.backend.BackendAuthorizerRequest;
import pl.edu.icm.yadda.aas.handler.HeaderFieldBasedSecurityRequestHandler;
import pl.edu.icm.yadda.aas.handler.ISecurityRequestHandler;
import pl.edu.icm.yadda.aas.proxy.AbstractBackendAuthorizerAware;
import pl.edu.icm.yadda.aas.proxy.SecurityConstants;
import pl.edu.icm.yadda.exports.zentralblatt.YElementToZentralBlattConverter;
import pl.edu.icm.yadda.service2.GenericRequest;
import pl.edu.icm.yadda.service2.GenericResponse;
import pl.edu.icm.yadda.service2.GetFeaturesRequest;
import pl.edu.icm.yadda.service2.GetFeaturesResponse;
import pl.edu.icm.yadda.service2.GetVersionResponse;
import pl.edu.icm.yadda.service2.YaddaError;
import pl.edu.icm.yadda.service2.YaddaErrorCodeConstants;
import pl.edu.icm.yadda.service2.user.CredentialAwareRequest;
import pl.edu.icm.yadda.service2.user.CredentialResponse;
import pl.edu.icm.yadda.service2.user.DeleteGroupRequest;
import pl.edu.icm.yadda.service2.user.FetchDomainsResponse;
import pl.edu.icm.yadda.service2.user.FetchGroupUsersRequest;
import pl.edu.icm.yadda.service2.user.FetchUserIdentifiersRequest;
import pl.edu.icm.yadda.service2.user.FetchUserIndentifiersResponse;
import pl.edu.icm.yadda.service2.user.GroupAssignmentRequest;
import pl.edu.icm.yadda.service2.user.GroupAwareRequest;
import pl.edu.icm.yadda.service2.user.GroupNameAwareRequest;
import pl.edu.icm.yadda.service2.user.GroupResponse;
import pl.edu.icm.yadda.service2.user.GroupSetResponse;
import pl.edu.icm.yadda.service2.user.IdentifiedDomainAwareRequest;
import pl.edu.icm.yadda.service2.user.IdentifiedRequest;
import pl.edu.icm.yadda.service2.user.IdentifiedResponse;
import pl.edu.icm.yadda.service2.user.ListGroupsRequest;
import pl.edu.icm.yadda.service2.user.ListUsersRequest;
import pl.edu.icm.yadda.service2.user.LoadUserRequest;
import pl.edu.icm.yadda.service2.user.ModifyUserRequest;
import pl.edu.icm.yadda.service2.user.PaginationResponse;
import pl.edu.icm.yadda.service2.user.SearchUsersRequest;
import pl.edu.icm.yadda.service2.user.SecurityTokenRequest;
import pl.edu.icm.yadda.service2.user.UserAssignmentRequest;
import pl.edu.icm.yadda.service2.user.UserCatalogService;
import pl.edu.icm.yadda.service2.user.UserDataListResponse;
import pl.edu.icm.yadda.service2.user.UserDataResponse;
import pl.edu.icm.yadda.service2.user.credential.Credential;
import pl.edu.icm.yadda.service2.user.model.Group;
import pl.edu.icm.yadda.service2.user.model.User;
import pl.edu.icm.yadda.service2.user.model.UserData;

/* loaded from: input_file:WEB-INF/lib/yadda-aas2-common-1.12.6.jar:pl/edu/icm/yadda/aas/proxy/userdb/SecuredUserCatalogService.class */
public class SecuredUserCatalogService extends AbstractBackendAuthorizerAware implements UserCatalogService {
    /** XACML resource name every decision made by this facade is evaluated against. */
    public static final String RESOURCE_USER = "user";
    /** Action evaluated for fetchGroupUsers, listUsers and searchUsers. */
    protected static final String ACTION_BROWSE = "browse";
    /** Action evaluated for loadUser, fetchUserIndentifiers and getCredential. */
    protected static final String ACTION_LOAD = "load";
    /** Action evaluated when users/groups are created or updated (the methods below carry the value inlined). */
    public static final String ACTION_STORE_STRICT = "store-strict";
    /** Action evaluated by deleteGroup (value inlined there). */
    public static final String ACTION_DELETE = "delete";
    /** Action evaluated by assignGroup/unassignGroup (value inlined there). */
    public static final String ACTION_ALTER_GROUP_MEMB = "alter-group-membership";
    /** Not referenced by any method in the part of the class visible here. */
    public static final String ACTION_ALTER_PASSWORD = "alter-password";
    /** Unsecured backend catalog every call is delegated to once the policy allows it. */
    protected UserCatalogService service;
    /** Not referenced by any method in the part of the class visible here. */
    protected IIdExtractor userIdExtractor;
    /** Attribute keys that survive in a "minimal profile"; null or empty means no attributes at all (fail closed). */
    protected Set<String> allowedAttributesForMinimalProfiles;
    /** When true, addGroup and addUser reject requests whose domain is null (updates/deletes do not check this). */
    protected boolean disallowNullDomain = true;
    /**
     * When true (the default), a caller denied the "browse" action still gets the matching users,
     * reduced to id, domain, identifiers and the allowed attributes.
     * NOTE(review): with this default, user ids and identifiers are disclosed to callers the
     * policy rejected - confirm that is intended for each deployment.
     */
    protected boolean allowSendingMinimalProfilesWhenBrowsingDenied = true;
    /** Extracts the caller's security context from each request (presumably from header fields, per the class name). */
    protected ISecurityRequestHandler securityRequestHandler = new HeaderFieldBasedSecurityRequestHandler();

    @Override // pl.edu.icm.yadda.service2.IYaddaService
    public GetFeaturesResponse getFeatures(GetFeaturesRequest getFeaturesRequest) {
        // Advertise whatever the backend supports, plus the fact that this facade enforces authorization.
        final GetFeaturesResponse advertised = this.service.getFeatures(getFeaturesRequest);
        advertised.getFeatures().add(SecurityConstants.FEATURE_REQUIRES_AUTHORIZATION);
        return advertised;
    }

    @Override // pl.edu.icm.yadda.service2.IYaddaService
    public GetVersionResponse getVersionResponse(GenericRequest genericRequest) {
        // Plain pass-through: version information is not subject to any policy decision.
        final UserCatalogService backend = this.service;
        return backend.getVersionResponse(genericRequest);
    }

    @Override // pl.edu.icm.yadda.service2.user.UserCatalogService
    public IdentifiedResponse verifyToken(SecurityTokenRequest securityTokenRequest) {
        // Pass-through: no policy decision is made here; token verification is left entirely to the backend.
        final UserCatalogService backend = this.service;
        return backend.verifyToken(securityTokenRequest);
    }

    @Override // pl.edu.icm.yadda.service2.user.UserCatalogService
    public FetchDomainsResponse fetchDomains(GenericRequest genericRequest) {
        // Pass-through: the list of domains is readable by anyone who can reach this service.
        // NOTE(review): no evaluateBackendAccess() call guards this - confirm that is intended.
        final UserCatalogService backend = this.service;
        return backend.fetchDomains(genericRequest);
    }

    @Override // pl.edu.icm.yadda.service2.user.UserCatalogService
    public GroupResponse loadGroup(GroupNameAwareRequest groupNameAwareRequest) {
        // Pass-through: group reads are not guarded by the authorizer in this facade.
        // NOTE(review): group metadata is therefore visible to any caller - confirm that is intended.
        final UserCatalogService backend = this.service;
        return backend.loadGroup(groupNameAwareRequest);
    }

    @Override // pl.edu.icm.yadda.service2.user.UserCatalogService
    public GroupResponse loadGroup(IdentifiedRequest identifiedRequest) {
        // Pass-through by id: like the by-name variant, no policy decision is made for group reads.
        final UserCatalogService backend = this.service;
        return backend.loadGroup(identifiedRequest);
    }

    @Override // pl.edu.icm.yadda.service2.user.UserCatalogService
    public PaginationResponse<Group> listGroups(ListGroupsRequest listGroupsRequest) {
        // Pass-through: listing groups is not subject to a policy decision here (only user listing is).
        final UserCatalogService backend = this.service;
        return backend.listGroups(listGroupsRequest);
    }

    @Override // pl.edu.icm.yadda.service2.user.UserCatalogService
    public GroupSetResponse fetchChildGroups(GroupNameAwareRequest groupNameAwareRequest) {
        // Pass-through: the group hierarchy is readable without a policy decision.
        final UserCatalogService backend = this.service;
        return backend.fetchChildGroups(groupNameAwareRequest);
    }

    @Override // pl.edu.icm.yadda.service2.user.UserCatalogService
    public PaginationResponse<UserData> fetchGroupUsers(FetchGroupUsersRequest fetchGroupUsersRequest) {
        // Decision context: the group's domain and its root, when the request carries one.
        // Raw HashMap kept on purpose: BackendAuthorizerRequest's parameter type is not visible here.
        final HashMap decisionParams = new HashMap();
        if (fetchGroupUsersRequest.getGroupName() != null && fetchGroupUsersRequest.getGroupName().getDomain() != null) {
            decisionParams.put(XACMLConstants.SUBJECT_AUX_PARAM_DOMAIN_ROOT_SUFFIX, extractDomainRoot(fetchGroupUsersRequest.getGroupName().getDomain()));
            decisionParams.put("domain", fetchGroupUsersRequest.getGroupName().getDomain());
        }
        final AbstractBackendAuthorizerAware.ObligationContext obligations = new AbstractBackendAuthorizerAware.ObligationContext();
        final YaddaObligationsAwareResult<Boolean> decision = evaluateBackendAccess(
                new BackendAuthorizerRequest(ACTION_BROWSE, RESOURCE_USER, this.securityRequestHandler.extract(fetchGroupUsersRequest), null, decisionParams),
                obligations);
        // NOTE(review): getData() is unboxed without a null check, as in the original - a null decision would throw.
        if (!decision.getData().booleanValue()) {
            // Denied, or the authorizer itself reported an error.
            if (decision.getError() != null) {
                return new PaginationResponse<>(decision.getError());
            }
            if (this.allowSendingMinimalProfilesWhenBrowsingDenied) {
                // Degraded answer: the backend is still queried, each profile is stripped to a minimal one.
                return prepareMinimalResponse(this.service.fetchGroupUsers(fetchGroupUsersRequest));
            }
            this.log.warn("Permission not granted to perform fetching group users!");
            return new PaginationResponse<>(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "Permission not granted to perform fetching group users!"));
        }
        // Granted, but every obligation attached to the decision must be one this facade can honour.
        if (!obligations.understoodAll()) {
            this.log.error("some obligations were not understood" + YElementToZentralBlattConverter.SUGGESTED_DICTIONARY_VALUE_SEPARATOR + obligations.getObligsCVS());
            return new PaginationResponse<>(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "some obligations were not understood"));
        }
        return this.service.fetchGroupUsers(fetchGroupUsersRequest);
    }

    @Override // pl.edu.icm.yadda.service2.user.UserCatalogService
    public UserDataListResponse listUsers(ListUsersRequest listUsersRequest) {
        // Decision context: the requested domain and its root, when given.
        // Raw HashMap kept on purpose: BackendAuthorizerRequest's parameter type is not visible here.
        final HashMap decisionParams = new HashMap();
        if (listUsersRequest.getDomain() != null) {
            decisionParams.put(XACMLConstants.SUBJECT_AUX_PARAM_DOMAIN_ROOT_SUFFIX, extractDomainRoot(listUsersRequest.getDomain()));
            decisionParams.put("domain", listUsersRequest.getDomain());
        }
        final AbstractBackendAuthorizerAware.ObligationContext obligations = new AbstractBackendAuthorizerAware.ObligationContext();
        final YaddaObligationsAwareResult<Boolean> decision = evaluateBackendAccess(
                new BackendAuthorizerRequest(ACTION_BROWSE, RESOURCE_USER, this.securityRequestHandler.extract(listUsersRequest), null, decisionParams),
                obligations);
        if (!decision.getData().booleanValue()) {
            // Denied, or the authorizer itself reported an error.
            if (decision.getError() != null) {
                return new UserDataListResponse(decision.getError());
            }
            if (this.allowSendingMinimalProfilesWhenBrowsingDenied) {
                // Degraded answer: the backend is still queried, each profile is stripped to a minimal one.
                return prepareMinimalResponse(this.service.listUsers(listUsersRequest));
            }
            this.log.warn("Permission not granted to list users!");
            return new UserDataListResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "Permission not granted to list users!"));
        }
        // Granted, but only if every attached obligation is understood by this facade.
        if (!obligations.understoodAll()) {
            this.log.error("some obligations were not understood" + YElementToZentralBlattConverter.SUGGESTED_DICTIONARY_VALUE_SEPARATOR + obligations.getObligsCVS());
            return new UserDataListResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "some obligations were not understood"));
        }
        return this.service.listUsers(listUsersRequest);
    }

    @Override // pl.edu.icm.yadda.service2.user.UserCatalogService
    public PaginationResponse<UserData> searchUsers(SearchUsersRequest searchUsersRequest) {
        // Decision context: the requested domain and its root, when given.
        // Raw HashMap kept on purpose: BackendAuthorizerRequest's parameter type is not visible here.
        final HashMap decisionParams = new HashMap();
        if (searchUsersRequest.getDomain() != null) {
            decisionParams.put(XACMLConstants.SUBJECT_AUX_PARAM_DOMAIN_ROOT_SUFFIX, extractDomainRoot(searchUsersRequest.getDomain()));
            decisionParams.put("domain", searchUsersRequest.getDomain());
        }
        final AbstractBackendAuthorizerAware.ObligationContext obligations = new AbstractBackendAuthorizerAware.ObligationContext();
        final YaddaObligationsAwareResult<Boolean> decision = evaluateBackendAccess(
                new BackendAuthorizerRequest(ACTION_BROWSE, RESOURCE_USER, this.securityRequestHandler.extract(searchUsersRequest), null, decisionParams),
                obligations);
        if (!decision.getData().booleanValue()) {
            // Denied, or the authorizer itself reported an error.
            if (decision.getError() != null) {
                return new PaginationResponse<>(decision.getError());
            }
            if (this.allowSendingMinimalProfilesWhenBrowsingDenied) {
                // Degraded answer: the search still runs, each hit is stripped to a minimal profile.
                return prepareMinimalResponse(this.service.searchUsers(searchUsersRequest));
            }
            this.log.warn("Permission not granted to search users!");
            return new PaginationResponse<>(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "Permission not granted to search users!"));
        }
        // Granted, but only if every attached obligation is understood by this facade.
        if (!obligations.understoodAll()) {
            this.log.error("some obligations were not understood" + YElementToZentralBlattConverter.SUGGESTED_DICTIONARY_VALUE_SEPARATOR + obligations.getObligsCVS());
            return new PaginationResponse<>(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "some obligations were not understood"));
        }
        return this.service.searchUsers(searchUsersRequest);
    }

    /**
     * Reduces every result of a paginated response to a minimal profile.
     * Error responses carry nothing to strip and are handed back untouched; the response
     * object itself is reused, only its result list is replaced.
     */
    protected PaginationResponse<UserData> prepareMinimalResponse(PaginationResponse<UserData> paginationResponse) {
        if (paginationResponse.getError() == null) {
            final List<UserData> stripped = prepareMinimalListOfUserData(paginationResponse.getResults());
            paginationResponse.setResults(stripped);
        }
        return paginationResponse;
    }

    /**
     * Reduces every entry of a user-data list response to a minimal profile.
     * Error responses are handed back untouched; otherwise the response object is reused
     * with its list replaced by the stripped one.
     */
    protected UserDataListResponse prepareMinimalResponse(UserDataListResponse userDataListResponse) {
        if (userDataListResponse.getError() == null) {
            final List<UserData> stripped = prepareMinimalListOfUserData(userDataListResponse.getUserDataList());
            userDataListResponse.setUserDataList(stripped);
        }
        return userDataListResponse;
    }

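    /**
     * Maps each entry of {@code list} through {@link #prepareMinimalUserData(UserData)}.
     *
     * @param list user data as returned by the backend; may be null or empty
     * @return {@code list} itself when it is null or empty, otherwise a new list of minimal
     *         profiles in the same order
     */
    protected List<UserData> prepareMinimalListOfUserData(List<UserData> list) {
        // Null and empty inputs are returned as-is so callers see exactly what the backend gave them.
        if (list == null || list.isEmpty()) {
            return list;
        }
        // Build a fresh list instead of List.set() on the backend's list: that list may be
        // unmodifiable (set would throw) or shared with the delegate (set would overwrite its data).
        final List<UserData> minimal = new ArrayList<UserData>(list.size());
        for (UserData full : list) {
            minimal.add(prepareMinimalUserData(full));
        }
        return minimal;
    }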

    /**
     * Builds a fresh {@link UserData} holding only the id and a minimal copy of the user.
     * Every other part of the original record is dropped. Null maps to null.
     */
    protected UserData prepareMinimalUserData(UserData userData) {
        if (userData == null) {
            return null;
        }
        final UserData minimal = new UserData();
        minimal.setId(userData.getId());
        minimal.setUser(prepareMinimalUser(userData.getUser()));
        return minimal;
    }

    /**
     * Builds a fresh {@link User} exposing only id, domain, identifiers and the allowed attributes.
     * NOTE(review): identifiers are copied by reference and are NOT filtered - they are disclosed
     * in full to callers denied the "browse" action; confirm they contain nothing sensitive.
     * Null maps to null.
     */
    protected User prepareMinimalUser(User user) {
        if (user == null) {
            return null;
        }
        final User minimal = new User();
        minimal.setId(user.getId());
        minimal.setDomain(user.getDomain());
        minimal.setIdentifiers(user.getIdentifiers());
        minimal.setAttributes(prepareMinimalAttributes(user.getAttributes()));
        return minimal;
    }

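    /**
     * Keeps only the attributes whose keys are in {@link #allowedAttributesForMinimalProfiles}.
     *
     * @param map the user's attributes as returned by the backend; may be null or empty
     * @return {@code map} itself when null or empty; an empty map when no allow-list is
     *         configured (fail closed); otherwise a new map with the allowed entries, in the
     *         input's iteration order
     */
    protected Map<String, String> prepareMinimalAttributes(Map<String, String> map) {
        if (map == null || map.isEmpty()) {
            return map;
        }
        // No allow-list configured -> expose nothing.
        if (this.allowedAttributesForMinimalProfiles == null || this.allowedAttributesForMinimalProfiles.isEmpty()) {
            return Collections.emptyMap();
        }
        // Copy instead of Iterator.remove() on the input: the map belongs to the User object the
        // backend handed us, which may be cached or unmodifiable; stripping it in place would
        // silently alter the backend's data or throw.
        final Map<String, String> kept = new LinkedHashMap<String, String>();
        for (Map.Entry<String, String> entry : map.entrySet()) {
            if (this.allowedAttributesForMinimalProfiles.contains(entry.getKey())) {
                kept.put(entry.getKey(), entry.getValue());
            }
        }
        return kept;
    }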

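    /**
     * Returns a user's identifiers once the "load" action is granted for that user.
     * The backend is consulted first because the policy is evaluated on the stored user's id
     * and domain, but the outcome of that lookup is only disclosed after the decision: the
     * previous version reported "Unable to get user data" before any policy check, which let
     * any caller probe which user ids exist.
     */
    @Override // pl.edu.icm.yadda.service2.user.UserCatalogService
    public FetchUserIndentifiersResponse fetchUserIndentifiers(FetchUserIdentifiersRequest fetchUserIdentifiersRequest) {
        final AbstractBackendAuthorizerAware.ObligationContext obligations = new AbstractBackendAuthorizerAware.ObligationContext();
        // Raw HashMap kept on purpose: BackendAuthorizerRequest's parameter type is not visible here.
        final HashMap decisionParams = new HashMap();
        final UserDataResponse lookup = this.service.loadUser(new LoadUserRequest(fetchUserIdentifiersRequest.getUserId(), fetchUserIdentifiersRequest.getNamespace(), new UserData.UserDataParts[0]));
        final User stored = (lookup.isOK() && lookup.getUserData() != null) ? lookup.getUserData().getUser() : null;
        if (stored != null) {
            decisionParams.put(BackendAuthorizerRequest.UNSUFFIXED_GENERIC_PARAM_VALUE, stored.getId());
            if (stored.getDomain() != null) {
                decisionParams.put(XACMLConstants.SUBJECT_AUX_PARAM_DOMAIN_ROOT_SUFFIX, extractDomainRoot(stored.getDomain()));
                decisionParams.put("domain", stored.getDomain());
            }
        } else if (fetchUserIdentifiersRequest.getNamespace() != null) {
            // No stored user to take the domain from: fall back to the caller-supplied namespace
            // (the value this method already passes to loadUser as the domain), as loadUser() does.
            decisionParams.put(XACMLConstants.SUBJECT_AUX_PARAM_DOMAIN_ROOT_SUFFIX, extractDomainRoot(fetchUserIdentifiersRequest.getNamespace()));
            decisionParams.put("domain", fetchUserIdentifiersRequest.getNamespace());
        }
        final YaddaObligationsAwareResult<Boolean> decision = evaluateBackendAccess(
                new BackendAuthorizerRequest(ACTION_LOAD, RESOURCE_USER, this.securityRequestHandler.extract(fetchUserIdentifiersRequest), null, decisionParams),
                obligations);
        // Boolean.TRUE.equals() fails closed on a null decision instead of throwing on unboxing.
        if (!Boolean.TRUE.equals(decision.getData())) {
            if (decision.getError() != null) {
                return new FetchUserIndentifiersResponse(decision.getError());
            }
            this.log.warn("Permission not granted to fetch user identifiers!");
            return new FetchUserIndentifiersResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "Permission not granted to fetch user identifiers!"));
        }
        if (!obligations.understoodAll()) {
            this.log.error("some obligations were not understood" + YElementToZentralBlattConverter.SUGGESTED_DICTIONARY_VALUE_SEPARATOR + obligations.getObligsCVS());
            return new FetchUserIndentifiersResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "some obligations were not understood"));
        }
        if (!lookup.isOK()) {
            // Reached only by an authorized caller, so the lookup failure may now be reported.
            String str = "Unable to get user data for id: " + fetchUserIdentifiersRequest.getUserId() + " and domain: " + fetchUserIdentifiersRequest.getNamespace();
            this.log.warn(str);
            return new FetchUserIndentifiersResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, str));
        }
        return this.service.fetchUserIndentifiers(fetchUserIdentifiersRequest);
    }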

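    /**
     * Loads a user once the "load" action is granted for that user.
     * The backend lookup runs first because the decision is made on the stored user's id and
     * domain (not on caller-supplied values); when no stored user is available the request's
     * domain is used instead. The lookup's outcome - including a backend error - is returned
     * only after the policy allowed the call: the previous version returned the backend error
     * before any policy check, which let any caller probe which user ids exist.
     */
    @Override // pl.edu.icm.yadda.service2.user.UserCatalogService
    public UserDataResponse loadUser(LoadUserRequest loadUserRequest) {
        final AbstractBackendAuthorizerAware.ObligationContext obligations = new AbstractBackendAuthorizerAware.ObligationContext();
        // Raw HashMap kept on purpose: BackendAuthorizerRequest's parameter type is not visible here.
        final HashMap decisionParams = new HashMap();
        final UserDataResponse lookup = this.service.loadUser(loadUserRequest);
        final User stored = (lookup.isOK() && lookup.getUserData() != null) ? lookup.getUserData().getUser() : null;
        if (stored != null) {
            decisionParams.put(BackendAuthorizerRequest.UNSUFFIXED_GENERIC_PARAM_VALUE, stored.getId());
            if (stored.getDomain() != null) {
                decisionParams.put(XACMLConstants.SUBJECT_AUX_PARAM_DOMAIN_ROOT_SUFFIX, extractDomainRoot(stored.getDomain()));
                decisionParams.put("domain", stored.getDomain());
            }
        } else if (loadUserRequest.getDomain() != null) {
            decisionParams.put(XACMLConstants.SUBJECT_AUX_PARAM_DOMAIN_ROOT_SUFFIX, extractDomainRoot(loadUserRequest.getDomain()));
            decisionParams.put("domain", loadUserRequest.getDomain());
        }
        final YaddaObligationsAwareResult<Boolean> decision = evaluateBackendAccess(
                new BackendAuthorizerRequest(ACTION_LOAD, RESOURCE_USER, this.securityRequestHandler.extract(loadUserRequest), null, decisionParams),
                obligations);
        // Boolean.TRUE.equals() fails closed on a null decision instead of throwing on unboxing.
        if (!Boolean.TRUE.equals(decision.getData())) {
            if (decision.getError() != null) {
                return new UserDataResponse(decision.getError());
            }
            this.log.warn("Permission not granted to load user data!");
            return new UserDataResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "Permission not granted to load user data!"));
        }
        if (!obligations.understoodAll()) {
            this.log.error("some obligations were not understood" + YElementToZentralBlattConverter.SUGGESTED_DICTIONARY_VALUE_SEPARATOR + obligations.getObligsCVS());
            return new UserDataResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "some obligations were not understood"));
        }
        if (!lookup.isOK()) {
            // Reached only by an authorized caller, so the backend error may now be reported.
            return new UserDataResponse(lookup.getError());
        }
        return lookup;
    }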

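    /**
     * Returns a credential once the "load" action is granted for the user owning it.
     * The credential is fetched first because the decision is made on its owner's id and
     * domain (the owner is looked up by id, without a domain). A failed fetch is reported only
     * after the policy allowed the call; the previous version returned the backend error before
     * any policy check, which let any caller probe which credential ids exist.
     */
    @Override // pl.edu.icm.yadda.service2.user.UserCatalogService
    public CredentialResponse getCredential(IdentifiedRequest identifiedRequest) {
        final AbstractBackendAuthorizerAware.ObligationContext obligations = new AbstractBackendAuthorizerAware.ObligationContext();
        // Raw HashMap kept on purpose: BackendAuthorizerRequest's parameter type is not visible here.
        final HashMap decisionParams = new HashMap();
        final CredentialResponse lookup = this.service.getCredential(identifiedRequest);
        final Credential credential = lookup.isOK() ? lookup.getCredential() : null;
        if (credential == null || credential.getUserId() == null) {
            if (lookup.isOK()) {
                // Decision proceeds with an empty context; only the credential id is logged, never its content.
                this.log.warn("no user id found in credential " + identifiedRequest.getId());
            }
        } else {
            decisionParams.put(BackendAuthorizerRequest.UNSUFFIXED_GENERIC_PARAM_VALUE, credential.getUserId());
            final UserDataResponse owner = this.service.loadUser(new LoadUserRequest(credential.getUserId(), null, new UserData.UserDataParts[0]));
            if (!owner.isOK()) {
                this.log.warn("Unable to get user data for id: " + credential.getUserId());
            } else if (owner.getUserData() == null || owner.getUserData().getUser() == null || owner.getUserData().getUser().getDomain() == null) {
                this.log.warn("unable to find domain for user " + credential.getUserId());
            } else {
                decisionParams.put(XACMLConstants.SUBJECT_AUX_PARAM_DOMAIN_ROOT_SUFFIX, extractDomainRoot(owner.getUserData().getUser().getDomain()));
                decisionParams.put("domain", owner.getUserData().getUser().getDomain());
            }
        }
        final YaddaObligationsAwareResult<Boolean> decision = evaluateBackendAccess(
                new BackendAuthorizerRequest(ACTION_LOAD, RESOURCE_USER, this.securityRequestHandler.extract(identifiedRequest), null, decisionParams),
                obligations);
        // Boolean.TRUE.equals() fails closed on a null decision instead of throwing on unboxing.
        if (!Boolean.TRUE.equals(decision.getData())) {
            if (decision.getError() != null) {
                return new CredentialResponse(decision.getError());
            }
            this.log.warn("Permission not granted to load user credential!");
            return new CredentialResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "Permission not granted to load user credential!"));
        }
        if (!obligations.understoodAll()) {
            this.log.error("some obligations were not understood" + YElementToZentralBlattConverter.SUGGESTED_DICTIONARY_VALUE_SEPARATOR + obligations.getObligsCVS());
            return new CredentialResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "some obligations were not understood"));
        }
        if (!lookup.isOK()) {
            // Reached only by an authorized caller, so the backend error may now be reported.
            return new CredentialResponse(lookup.getError());
        }
        return lookup;
    }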

    @Override // pl.edu.icm.yadda.service2.user.UserCatalogService
    public IdentifiedResponse addGroup(GroupAwareRequest groupAwareRequest) {
        // Decision context: the new group's domain and its root. Unlike updateGroup/deleteGroup,
        // a missing domain is rejected outright when disallowNullDomain is set.
        // Raw HashMap kept on purpose: BackendAuthorizerRequest's parameter type is not visible here.
        final HashMap decisionParams = new HashMap();
        final boolean hasDomain = groupAwareRequest.getGroup() != null
                && groupAwareRequest.getGroup().getGroupName() != null
                && groupAwareRequest.getGroup().getGroupName().getDomain() != null;
        if (hasDomain) {
            decisionParams.put(XACMLConstants.SUBJECT_AUX_PARAM_DOMAIN_ROOT_SUFFIX, extractDomainRoot(groupAwareRequest.getGroup().getGroupName().getDomain()));
            decisionParams.put("domain", groupAwareRequest.getGroup().getGroupName().getDomain());
        } else if (this.disallowNullDomain) {
            return new IdentifiedResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "null domain is disallowed!"));
        }
        final AbstractBackendAuthorizerAware.ObligationContext obligations = new AbstractBackendAuthorizerAware.ObligationContext();
        final YaddaObligationsAwareResult<Boolean> decision = evaluateBackendAccess(
                new BackendAuthorizerRequest(ACTION_STORE_STRICT, RESOURCE_USER, this.securityRequestHandler.extract(groupAwareRequest), null, decisionParams),
                obligations);
        if (!decision.getData().booleanValue()) {
            if (decision.getError() != null) {
                return new IdentifiedResponse(decision.getError());
            }
            this.log.warn("Permission not granted to add group!");
            return new IdentifiedResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "Permission not granted to add group!"));
        }
        if (!obligations.understoodAll()) {
            this.log.error("some obligations were not understood" + YElementToZentralBlattConverter.SUGGESTED_DICTIONARY_VALUE_SEPARATOR + obligations.getObligsCVS());
            return new IdentifiedResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "some obligations were not understood"));
        }
        return this.service.addGroup(groupAwareRequest);
    }

    @Override // pl.edu.icm.yadda.service2.user.UserCatalogService
    public GenericResponse updateGroup(GroupAwareRequest groupAwareRequest) {
        // Decision context: the group's domain and its root, when present.
        // NOTE(review): unlike addGroup, a null domain is not rejected here even when
        // disallowNullDomain is set - the policy is then evaluated without any domain context.
        // Raw HashMap kept on purpose: BackendAuthorizerRequest's parameter type is not visible here.
        final HashMap decisionParams = new HashMap();
        final boolean hasDomain = groupAwareRequest.getGroup() != null
                && groupAwareRequest.getGroup().getGroupName() != null
                && groupAwareRequest.getGroup().getGroupName().getDomain() != null;
        if (hasDomain) {
            decisionParams.put(XACMLConstants.SUBJECT_AUX_PARAM_DOMAIN_ROOT_SUFFIX, extractDomainRoot(groupAwareRequest.getGroup().getGroupName().getDomain()));
            decisionParams.put("domain", groupAwareRequest.getGroup().getGroupName().getDomain());
        }
        final AbstractBackendAuthorizerAware.ObligationContext obligations = new AbstractBackendAuthorizerAware.ObligationContext();
        final YaddaObligationsAwareResult<Boolean> decision = evaluateBackendAccess(
                new BackendAuthorizerRequest(ACTION_STORE_STRICT, RESOURCE_USER, this.securityRequestHandler.extract(groupAwareRequest), null, decisionParams),
                obligations);
        if (!decision.getData().booleanValue()) {
            if (decision.getError() != null) {
                return new IdentifiedResponse(decision.getError());
            }
            this.log.warn("Permission not granted to update group!");
            return new IdentifiedResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "Permission not granted to update group!"));
        }
        if (!obligations.understoodAll()) {
            this.log.error("some obligations were not understood" + YElementToZentralBlattConverter.SUGGESTED_DICTIONARY_VALUE_SEPARATOR + obligations.getObligsCVS());
            return new IdentifiedResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "some obligations were not understood"));
        }
        return this.service.updateGroup(groupAwareRequest);
    }

    @Override // pl.edu.icm.yadda.service2.user.UserCatalogService
    public GenericResponse deleteGroup(DeleteGroupRequest deleteGroupRequest) {
        // Decision context: the group's domain and its root, when present (a null domain is not rejected here).
        // Raw HashMap kept on purpose: BackendAuthorizerRequest's parameter type is not visible here.
        final HashMap decisionParams = new HashMap();
        if (deleteGroupRequest.getGroupName() != null && deleteGroupRequest.getGroupName().getDomain() != null) {
            decisionParams.put(XACMLConstants.SUBJECT_AUX_PARAM_DOMAIN_ROOT_SUFFIX, extractDomainRoot(deleteGroupRequest.getGroupName().getDomain()));
            decisionParams.put("domain", deleteGroupRequest.getGroupName().getDomain());
        }
        final AbstractBackendAuthorizerAware.ObligationContext obligations = new AbstractBackendAuthorizerAware.ObligationContext();
        final YaddaObligationsAwareResult<Boolean> decision = evaluateBackendAccess(
                new BackendAuthorizerRequest(ACTION_DELETE, RESOURCE_USER, this.securityRequestHandler.extract(deleteGroupRequest), null, decisionParams),
                obligations);
        if (!decision.getData().booleanValue()) {
            if (decision.getError() != null) {
                return new GenericResponse(decision.getError());
            }
            this.log.warn("Permission not granted to delete group!");
            return new GenericResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "Permission not granted to delete group!"));
        }
        if (!obligations.understoodAll()) {
            this.log.error("some obligations were not understood" + YElementToZentralBlattConverter.SUGGESTED_DICTIONARY_VALUE_SEPARATOR + obligations.getObligsCVS());
            return new GenericResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "some obligations were not understood"));
        }
        return this.service.deleteGroup(deleteGroupRequest);
    }

    @Override // pl.edu.icm.yadda.service2.user.UserCatalogService
    public GenericResponse assignGroup(GroupAssignmentRequest groupAssignmentRequest) {
        // Decision context: the group's name, plus its domain and root when present.
        // NOTE(review): the user being assigned is not part of the decision context; any
        // cross-domain restriction on the target user is left to the policy or the backend.
        // getGroup() is dereferenced unconditionally, as in the original.
        final AbstractBackendAuthorizerAware.ObligationContext obligations = new AbstractBackendAuthorizerAware.ObligationContext();
        // Raw HashMap kept on purpose: BackendAuthorizerRequest's parameter type is not visible here.
        final HashMap decisionParams = new HashMap();
        decisionParams.put(BackendAuthorizerRequest.UNSUFFIXED_GENERIC_PARAM_VALUE, groupAssignmentRequest.getGroup().getName());
        if (groupAssignmentRequest.getGroup().getDomain() != null) {
            decisionParams.put(XACMLConstants.SUBJECT_AUX_PARAM_DOMAIN_ROOT_SUFFIX, extractDomainRoot(groupAssignmentRequest.getGroup().getDomain()));
            decisionParams.put("domain", groupAssignmentRequest.getGroup().getDomain());
        }
        final YaddaObligationsAwareResult<Boolean> decision = evaluateBackendAccess(
                new BackendAuthorizerRequest(ACTION_ALTER_GROUP_MEMB, RESOURCE_USER, this.securityRequestHandler.extract(groupAssignmentRequest), null, decisionParams),
                obligations);
        if (!decision.getData().booleanValue()) {
            if (decision.getError() != null) {
                return new GenericResponse(decision.getError());
            }
            this.log.warn("Permission not granted to alter group membership!");
            return new GenericResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "Permission not granted to alter group membership!"));
        }
        if (!obligations.understoodAll()) {
            this.log.error("some obligations were not understood" + YElementToZentralBlattConverter.SUGGESTED_DICTIONARY_VALUE_SEPARATOR + obligations.getObligsCVS());
            return new GenericResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "some obligations were not understood"));
        }
        return this.service.assignGroup(groupAssignmentRequest);
    }

    @Override // pl.edu.icm.yadda.service2.user.UserCatalogService
    public GenericResponse unassignGroup(GroupAssignmentRequest groupAssignmentRequest) {
        // Same decision as assignGroup: the group's name plus its domain and root when present;
        // the user being removed is not part of the context. getGroup() is dereferenced unconditionally.
        final AbstractBackendAuthorizerAware.ObligationContext obligations = new AbstractBackendAuthorizerAware.ObligationContext();
        // Raw HashMap kept on purpose: BackendAuthorizerRequest's parameter type is not visible here.
        final HashMap decisionParams = new HashMap();
        decisionParams.put(BackendAuthorizerRequest.UNSUFFIXED_GENERIC_PARAM_VALUE, groupAssignmentRequest.getGroup().getName());
        if (groupAssignmentRequest.getGroup().getDomain() != null) {
            decisionParams.put(XACMLConstants.SUBJECT_AUX_PARAM_DOMAIN_ROOT_SUFFIX, extractDomainRoot(groupAssignmentRequest.getGroup().getDomain()));
            decisionParams.put("domain", groupAssignmentRequest.getGroup().getDomain());
        }
        final YaddaObligationsAwareResult<Boolean> decision = evaluateBackendAccess(
                new BackendAuthorizerRequest(ACTION_ALTER_GROUP_MEMB, RESOURCE_USER, this.securityRequestHandler.extract(groupAssignmentRequest), null, decisionParams),
                obligations);
        if (!decision.getData().booleanValue()) {
            if (decision.getError() != null) {
                return new GenericResponse(decision.getError());
            }
            this.log.warn("Permission not granted to alter group membership!");
            return new GenericResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "Permission not granted to alter group membership!"));
        }
        if (!obligations.understoodAll()) {
            this.log.error("some obligations were not understood" + YElementToZentralBlattConverter.SUGGESTED_DICTIONARY_VALUE_SEPARATOR + obligations.getObligsCVS());
            return new GenericResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "some obligations were not understood"));
        }
        return this.service.unassignGroup(groupAssignmentRequest);
    }

    @Override // pl.edu.icm.yadda.service2.user.UserCatalogService
    public IdentifiedResponse addUser(ModifyUserRequest modifyUserRequest) {
        // Decision context: the new user's domain and its root; a missing domain is rejected
        // outright when disallowNullDomain is set.
        // Raw HashMap kept on purpose: BackendAuthorizerRequest's parameter type is not visible here.
        final HashMap decisionParams = new HashMap();
        final boolean hasDomain = modifyUserRequest.getUser() != null && modifyUserRequest.getUser().getDomain() != null;
        if (hasDomain) {
            decisionParams.put(XACMLConstants.SUBJECT_AUX_PARAM_DOMAIN_ROOT_SUFFIX, extractDomainRoot(modifyUserRequest.getUser().getDomain()));
            decisionParams.put("domain", modifyUserRequest.getUser().getDomain());
        } else if (this.disallowNullDomain) {
            return new IdentifiedResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "null domain is disallowed!"));
        }
        final AbstractBackendAuthorizerAware.ObligationContext obligations = new AbstractBackendAuthorizerAware.ObligationContext();
        final YaddaObligationsAwareResult<Boolean> decision = evaluateBackendAccess(
                new BackendAuthorizerRequest(ACTION_STORE_STRICT, RESOURCE_USER, this.securityRequestHandler.extract(modifyUserRequest), null, decisionParams),
                obligations);
        if (!decision.getData().booleanValue()) {
            if (decision.getError() != null) {
                return new IdentifiedResponse(decision.getError());
            }
            this.log.warn("Permission not granted to add user!");
            return new IdentifiedResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "Permission not granted to add user!"));
        }
        if (!obligations.understoodAll()) {
            this.log.error("some obligations were not understood" + YElementToZentralBlattConverter.SUGGESTED_DICTIONARY_VALUE_SEPARATOR + obligations.getObligsCVS());
            return new IdentifiedResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "some obligations were not understood"));
        }
        return this.service.addUser(modifyUserRequest);
    }

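    /**
     * Authorization guard in front of {@code service.updateUser}.
     * <p>
     * Same policy request as {@link #addUser}: {@code "store-strict"} on the
     * {@code "user"} resource, parameterised with the user's domain root and full
     * domain when a domain is present. Delegates only on an explicit permit with all
     * obligations understood; every other outcome yields an {@code ERROR_AUTH} response.
     * <p>
     * NOTE(review): unlike {@code addUser}, a request without a domain is not rejected
     * here even when {@code disallowNullDomain} is set — confirm this asymmetry is intended.
     *
     * @param modifyUserRequest request carrying the user to update
     * @return the wrapped service's response on permit, otherwise an error response
     */
    @Override // pl.edu.icm.yadda.service2.user.UserCatalogService
    public GenericResponse updateUser(ModifyUserRequest modifyUserRequest) {
        // Raw type kept on purpose: the map type BackendAuthorizerRequest expects is not visible here.
        HashMap auxParams = new HashMap();
        if (modifyUserRequest.getUser() != null && modifyUserRequest.getUser().getDomain() != null) {
            String domain = modifyUserRequest.getUser().getDomain();
            auxParams.put(XACMLConstants.SUBJECT_AUX_PARAM_DOMAIN_ROOT_SUFFIX, extractDomainRoot(domain));
            auxParams.put("domain", domain);
        }
        AbstractBackendAuthorizerAware.ObligationContext obligations = new AbstractBackendAuthorizerAware.ObligationContext();
        YaddaObligationsAwareResult<Boolean> decision = evaluateBackendAccess(
                new BackendAuthorizerRequest("store-strict", "user",
                        this.securityRequestHandler.extract(modifyUserRequest), null, auxParams),
                obligations);
        // Null-safe permit check: a missing decision is treated as "not permitted" rather than throwing NPE.
        if (Boolean.TRUE.equals(decision.getData())) {
            if (obligations.understoodAll()) {
                return this.service.updateUser(modifyUserRequest);
            }
            this.log.error("some obligations were not understood" + YElementToZentralBlattConverter.SUGGESTED_DICTIONARY_VALUE_SEPARATOR + obligations.getObligsCVS());
            return new GenericResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "some obligations were not understood"));
        }
        if (decision.getError() != null) {
            return new GenericResponse(decision.getError());
        }
        this.log.warn("Permission not granted to update user!");
        return new GenericResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "Permission not granted to update user!"));
    }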

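    /**
     * Authorization guard in front of {@code service.deleteUser}.
     * <p>
     * The policy request ({@code "delete"} on the {@code "user"} resource) is
     * parameterised with the target user's domain. When the request itself carries no
     * domain, the user record is looked up through the wrapped service to recover it.
     * Delegates only on an explicit permit with all obligations understood; every other
     * outcome yields an {@code ERROR_AUTH} response.
     * <p>
     * NOTE(review): if the domain lookup fails, the authorization request is sent
     * without any domain attributes (only a warning is logged). Whether the policy then
     * denies or permits depends on the authorizer — confirm it fails closed for
     * domain-less subjects.
     *
     * @param identifiedDomainAwareRequest identifier (and optionally domain) of the user to delete
     * @return the wrapped service's response on permit, otherwise an error response
     */
    @Override // pl.edu.icm.yadda.service2.user.UserCatalogService
    public GenericResponse deleteUser(IdentifiedDomainAwareRequest identifiedDomainAwareRequest) {
        // Raw type kept on purpose: the map type BackendAuthorizerRequest expects is not visible here.
        HashMap auxParams = new HashMap();
        String requestDomain = identifiedDomainAwareRequest.getDomain();
        if (requestDomain != null) {
            auxParams.put(XACMLConstants.SUBJECT_AUX_PARAM_DOMAIN_ROOT_SUFFIX, extractDomainRoot(requestDomain));
            auxParams.put("domain", requestDomain);
        } else {
            // No domain supplied: recover it from the stored user record so the policy can scope the decision.
            UserDataResponse loadUser = this.service.loadUser(
                    new LoadUserRequest(identifiedDomainAwareRequest.getIdentifier(), null, new UserData.UserDataParts[0]));
            if (!loadUser.isOK()) {
                this.log.warn("Unable to get user data for id: " + identifiedDomainAwareRequest.getIdentifier() + " and domain: " + identifiedDomainAwareRequest.getDomain());
            } else if (loadUser.getUserData() == null || loadUser.getUserData().getUser() == null || loadUser.getUserData().getUser().getDomain() == null) {
                this.log.warn("Unable to inspect domain for user: " + identifiedDomainAwareRequest.getIdentifier());
            } else {
                String storedDomain = loadUser.getUserData().getUser().getDomain();
                auxParams.put(XACMLConstants.SUBJECT_AUX_PARAM_DOMAIN_ROOT_SUFFIX, extractDomainRoot(storedDomain));
                auxParams.put("domain", storedDomain);
            }
        }
        AbstractBackendAuthorizerAware.ObligationContext obligations = new AbstractBackendAuthorizerAware.ObligationContext();
        YaddaObligationsAwareResult<Boolean> decision = evaluateBackendAccess(
                new BackendAuthorizerRequest("delete", "user",
                        this.securityRequestHandler.extract(identifiedDomainAwareRequest), null, auxParams),
                obligations);
        // Null-safe permit check: a missing decision is treated as "not permitted" rather than throwing NPE.
        if (Boolean.TRUE.equals(decision.getData())) {
            if (obligations.understoodAll()) {
                return this.service.deleteUser(identifiedDomainAwareRequest);
            }
            this.log.error("some obligations were not understood" + YElementToZentralBlattConverter.SUGGESTED_DICTIONARY_VALUE_SEPARATOR + obligations.getObligsCVS());
            return new GenericResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "some obligations were not understood"));
        }
        if (decision.getError() != null) {
            return new GenericResponse(decision.getError());
        }
        this.log.warn("Permission not granted to delete user!");
        return new GenericResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "Permission not granted to delete user!"));
    }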

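    /**
     * Authorization guard in front of {@code service.assignUser}.
     * <p>
     * Requests an {@code "alter-group-membership"} decision on the {@code "user"}
     * resource. The target group's name is passed as the generic (unsuffixed) parameter
     * and, when the group has a domain, its root and full domain are added as well.
     * Delegates only on an explicit permit with all obligations understood; every other
     * outcome yields an {@code ERROR_AUTH} response.
     *
     * @param userAssignmentRequest the user/group pair to assign
     * @return the wrapped service's response on permit, otherwise an error response
     */
    @Override // pl.edu.icm.yadda.service2.user.UserCatalogService
    public GenericResponse assignUser(UserAssignmentRequest userAssignmentRequest) {
        AbstractBackendAuthorizerAware.ObligationContext obligations = new AbstractBackendAuthorizerAware.ObligationContext();
        // Raw type kept on purpose: the map type BackendAuthorizerRequest expects is not visible here.
        HashMap auxParams = new HashMap();
        if (userAssignmentRequest.getGroup() != null) {
            auxParams.put(BackendAuthorizerRequest.UNSUFFIXED_GENERIC_PARAM_VALUE, userAssignmentRequest.getGroup().getName());
            String groupDomain = userAssignmentRequest.getGroup().getDomain();
            if (groupDomain != null) {
                auxParams.put(XACMLConstants.SUBJECT_AUX_PARAM_DOMAIN_ROOT_SUFFIX, extractDomainRoot(groupDomain));
                auxParams.put("domain", groupDomain);
            }
        }
        YaddaObligationsAwareResult<Boolean> decision = evaluateBackendAccess(
                new BackendAuthorizerRequest("alter-group-membership", "user",
                        this.securityRequestHandler.extract(userAssignmentRequest), null, auxParams),
                obligations);
        // Null-safe permit check: a missing decision is treated as "not permitted" rather than throwing NPE.
        if (Boolean.TRUE.equals(decision.getData())) {
            if (obligations.understoodAll()) {
                return this.service.assignUser(userAssignmentRequest);
            }
            this.log.error("some obligations were not understood" + YElementToZentralBlattConverter.SUGGESTED_DICTIONARY_VALUE_SEPARATOR + obligations.getObligsCVS());
            return new GenericResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "some obligations were not understood"));
        }
        if (decision.getError() != null) {
            return new GenericResponse(decision.getError());
        }
        this.log.warn("Permission not granted to alter group membership!");
        return new GenericResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "Permission not granted to alter group membership!"));
    }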

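    /**
     * Authorization guard in front of {@code service.unassignUser}.
     * <p>
     * Mirrors {@link #assignUser}: an {@code "alter-group-membership"} decision on the
     * {@code "user"} resource, parameterised with the group's name and (when present)
     * its domain root and full domain. Delegates only on an explicit permit with all
     * obligations understood; every other outcome yields an {@code ERROR_AUTH} response.
     *
     * @param userAssignmentRequest the user/group pair to unassign
     * @return the wrapped service's response on permit, otherwise an error response
     */
    @Override // pl.edu.icm.yadda.service2.user.UserCatalogService
    public GenericResponse unassignUser(UserAssignmentRequest userAssignmentRequest) {
        AbstractBackendAuthorizerAware.ObligationContext obligations = new AbstractBackendAuthorizerAware.ObligationContext();
        // Raw type kept on purpose: the map type BackendAuthorizerRequest expects is not visible here.
        HashMap auxParams = new HashMap();
        if (userAssignmentRequest.getGroup() != null) {
            auxParams.put(BackendAuthorizerRequest.UNSUFFIXED_GENERIC_PARAM_VALUE, userAssignmentRequest.getGroup().getName());
            String groupDomain = userAssignmentRequest.getGroup().getDomain();
            if (groupDomain != null) {
                auxParams.put(XACMLConstants.SUBJECT_AUX_PARAM_DOMAIN_ROOT_SUFFIX, extractDomainRoot(groupDomain));
                auxParams.put("domain", groupDomain);
            }
        }
        YaddaObligationsAwareResult<Boolean> decision = evaluateBackendAccess(
                new BackendAuthorizerRequest("alter-group-membership", "user",
                        this.securityRequestHandler.extract(userAssignmentRequest), null, auxParams),
                obligations);
        // Null-safe permit check: a missing decision is treated as "not permitted" rather than throwing NPE.
        if (Boolean.TRUE.equals(decision.getData())) {
            if (obligations.understoodAll()) {
                return this.service.unassignUser(userAssignmentRequest);
            }
            this.log.error("some obligations were not understood" + YElementToZentralBlattConverter.SUGGESTED_DICTIONARY_VALUE_SEPARATOR + obligations.getObligsCVS());
            return new GenericResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "some obligations were not understood"));
        }
        if (decision.getError() != null) {
            return new GenericResponse(decision.getError());
        }
        this.log.warn("Permission not granted to alter group membership!");
        return new GenericResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "Permission not granted to alter group membership!"));
    }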

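    /**
     * Authorization guard in front of {@code service.addCredential}.
     * <p>
     * Requests an {@code "alter-password"} decision on the {@code "user"} resource. The
     * owning user's id (via {@link #extractUserId}) is passed as the generic parameter,
     * and the user's domain is looked up through the wrapped service so the policy can
     * scope the decision. Delegates only on an explicit permit with all obligations
     * understood; every other outcome yields an {@code ERROR_AUTH} response.
     * <p>
     * NOTE(review): the request's credential is dereferenced unconditionally, so a
     * request without a credential fails with an NPE rather than an error response —
     * presumably validated upstream; confirm. As in {@code deleteUser}, a failed domain
     * lookup only logs a warning and the policy request goes out without domain
     * attributes.
     *
     * @param credentialAwareRequest request carrying the credential to add
     * @return the wrapped service's response on permit, otherwise an error response
     */
    @Override // pl.edu.icm.yadda.service2.user.UserCatalogService
    public IdentifiedResponse addCredential(CredentialAwareRequest credentialAwareRequest) {
        AbstractBackendAuthorizerAware.ObligationContext obligations = new AbstractBackendAuthorizerAware.ObligationContext();
        // Raw type kept on purpose: the map type BackendAuthorizerRequest expects is not visible here.
        HashMap auxParams = new HashMap();
        String subjectUserId = extractUserId(credentialAwareRequest.getCredential());
        if (subjectUserId != null) {
            auxParams.put(BackendAuthorizerRequest.UNSUFFIXED_GENERIC_PARAM_VALUE, subjectUserId);
        }
        String ownerId = credentialAwareRequest.getCredential().getUserId();
        UserDataResponse loadUser = this.service.loadUser(new LoadUserRequest(ownerId, null, new UserData.UserDataParts[0]));
        if (!loadUser.isOK()) {
            this.log.warn("Unable to get user data for id: " + ownerId);
        } else if (loadUser.getUserData() == null || loadUser.getUserData().getUser() == null || loadUser.getUserData().getUser().getDomain() == null) {
            this.log.warn("unable to find domain for user " + ownerId);
        } else {
            String ownerDomain = loadUser.getUserData().getUser().getDomain();
            auxParams.put(XACMLConstants.SUBJECT_AUX_PARAM_DOMAIN_ROOT_SUFFIX, extractDomainRoot(ownerDomain));
            auxParams.put("domain", ownerDomain);
        }
        YaddaObligationsAwareResult<Boolean> decision = evaluateBackendAccess(
                new BackendAuthorizerRequest("alter-password", "user",
                        this.securityRequestHandler.extract(credentialAwareRequest), null, auxParams),
                obligations);
        // Null-safe permit check: a missing decision is treated as "not permitted" rather than throwing NPE.
        if (Boolean.TRUE.equals(decision.getData())) {
            if (obligations.understoodAll()) {
                return this.service.addCredential(credentialAwareRequest);
            }
            this.log.error("some obligations were not understood" + YElementToZentralBlattConverter.SUGGESTED_DICTIONARY_VALUE_SEPARATOR + obligations.getObligsCVS());
            return new IdentifiedResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "some obligations were not understood"));
        }
        if (decision.getError() != null) {
            return new IdentifiedResponse(decision.getError());
        }
        this.log.warn("Permission not granted to alter user's credential!");
        return new IdentifiedResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "Permission not granted to alter user's credential!"));
    }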

    /**
     * Not implemented: always returns {@code null}.
     * <p>
     * NOTE(review): unlike every other mutating operation in this proxy, this method
     * performs no authorization check and does not delegate to the wrapped service;
     * callers receive {@code null} instead of a response. Confirm whether credential
     * updates are meant to be unsupported here (in which case an explicit error
     * response would be clearer than {@code null}) or whether the "alter-password"
     * guard used by {@code addCredential}/{@code deleteCredential} was intended.
     *
     * @param credentialAwareRequest request carrying the credential to update (ignored)
     * @return always {@code null}
     */
    @Override // pl.edu.icm.yadda.service2.user.UserCatalogService
    public IdentifiedResponse updateCredential(CredentialAwareRequest credentialAwareRequest) {
        return null;
    }

    /**
     * Returns the user id the given credential belongs to; used as the generic policy
     * parameter when authorizing credential changes. Overridable so subclasses can
     * derive the id differently.
     *
     * @param credential the credential to inspect; must not be {@code null}
     * @return {@code credential.getUserId()}, which may be {@code null}
     */
    protected String extractUserId(Credential credential) {
        return credential.getUserId();
    }

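    /**
     * Authorization guard in front of {@code service.deleteCredential}.
     * <p>
     * The credential is first resolved through the wrapped service so the policy request
     * can name its owner: the owner's id becomes the generic parameter and the owner's
     * domain (looked up via {@code loadUser}) the domain attributes. A missing credential
     * is reported as {@code ERROR_NOT_FOUND} before any authorization happens. The
     * {@code "alter-password"} decision on the {@code "user"} resource is then evaluated;
     * delegation happens only on an explicit permit with all obligations understood,
     * every other outcome yielding an {@code ERROR_AUTH} response.
     * <p>
     * NOTE(review): when the owner lookup fails, the policy request goes out without
     * domain attributes (only a warning is logged) — confirm the authorizer fails closed
     * in that case.
     *
     * @param identifiedRequest id of the credential to delete
     * @return the wrapped service's response on permit, otherwise an error response
     */
    @Override // pl.edu.icm.yadda.service2.user.UserCatalogService
    public GenericResponse deleteCredential(IdentifiedRequest identifiedRequest) {
        CredentialResponse credentialResponse = this.service.getCredential(identifiedRequest);
        if (!credentialResponse.isOK()) {
            return new GenericResponse(credentialResponse.getError());
        }
        if (credentialResponse.getCredential() == null) {
            return new GenericResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_NOT_FOUND, "No credential for id: " + identifiedRequest.getId()));
        }
        AbstractBackendAuthorizerAware.ObligationContext obligations = new AbstractBackendAuthorizerAware.ObligationContext();
        // Raw type kept on purpose: the map type BackendAuthorizerRequest expects is not visible here.
        HashMap auxParams = new HashMap();
        String ownerId = credentialResponse.getCredential().getUserId();
        if (ownerId != null) {
            auxParams.put(BackendAuthorizerRequest.UNSUFFIXED_GENERIC_PARAM_VALUE, ownerId);
            UserDataResponse loadUser = this.service.loadUser(new LoadUserRequest(ownerId, null, new UserData.UserDataParts[0]));
            if (!loadUser.isOK()) {
                this.log.warn("Unable to get user data for id: " + ownerId);
            } else if (loadUser.getUserData() == null || loadUser.getUserData().getUser() == null || loadUser.getUserData().getUser().getDomain() == null) {
                this.log.warn("unable to find domain for user " + ownerId);
            } else {
                String ownerDomain = loadUser.getUserData().getUser().getDomain();
                auxParams.put(XACMLConstants.SUBJECT_AUX_PARAM_DOMAIN_ROOT_SUFFIX, extractDomainRoot(ownerDomain));
                auxParams.put("domain", ownerDomain);
            }
        }
        YaddaObligationsAwareResult<Boolean> decision = evaluateBackendAccess(
                new BackendAuthorizerRequest("alter-password", "user",
                        this.securityRequestHandler.extract(identifiedRequest), null, auxParams),
                obligations);
        // Null-safe permit check: a missing decision is treated as "not permitted" rather than throwing NPE.
        if (Boolean.TRUE.equals(decision.getData())) {
            if (obligations.understoodAll()) {
                return this.service.deleteCredential(identifiedRequest);
            }
            this.log.error("some obligations were not understood" + YElementToZentralBlattConverter.SUGGESTED_DICTIONARY_VALUE_SEPARATOR + obligations.getObligsCVS());
            return new GenericResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "some obligations were not understood"));
        }
        if (decision.getError() != null) {
            return new GenericResponse(decision.getError());
        }
        this.log.warn("Permission not granted to alter user's credential!");
        return new GenericResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "Permission not granted to alter user's credential!"));
    }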

    /**
     * Injects the wrapped user catalog that every permitted call is delegated to.
     *
     * @param userCatalogService the backing service
     */
    public void setService(UserCatalogService userCatalogService) {
        service = userCatalogService;
    }

    /**
     * Injects the extractor used to derive user ids for auditing purposes.
     *
     * @param iIdExtractor the id extractor
     */
    public void setUserIdExtractor(IIdExtractor iIdExtractor) {
        userIdExtractor = iIdExtractor;
    }

    /**
     * Injects the handler that extracts the caller's security context from incoming
     * requests; its output is what the authorizer evaluates the policy against.
     *
     * @param iSecurityRequestHandler the security request handler
     */
    public void setSecurityRequestHandler(ISecurityRequestHandler iSecurityRequestHandler) {
        securityRequestHandler = iSecurityRequestHandler;
    }

    /**
     * Strips the last dot-separated segment from a domain name, e.g. {@code "a.b.c"}
     * becomes {@code "a.b"}; the result is supplied to the authorizer as the
     * domain-root attribute. Inputs with no dot, with a dot only at position 0, or
     * {@code null} are returned unchanged.
     *
     * @param str domain name, may be {@code null}
     * @return the domain root, or {@code str} itself when nothing can be stripped
     */
    protected String extractDomainRoot(String str) {
        if (str == null) {
            return str;
        }
        int lastDot = str.lastIndexOf('.');
        // A leading dot (index 0) or no dot at all leaves no root to return.
        return lastDot > 0 ? str.substring(0, lastDot) : str;
    }

    /**
     * Controls whether {@code addUser} rejects users that carry no domain before the
     * authorizer is consulted.
     *
     * @param z {@code true} to reject domain-less users
     */
    public void setDisallowNullDomain(boolean z) {
        disallowNullDomain = z;
    }

    /**
     * Sets the attribute names permitted in minimal profiles. The set is stored as given
     * (no defensive copy), so later changes by the caller are visible here.
     *
     * @param set allowed attribute names
     */
    public void setAllowedAttributesForMinimalProfiles(Set<String> set) {
        allowedAttributesForMinimalProfiles = set;
    }

    /**
     * Controls whether a minimal profile may still be returned when browsing is denied.
     *
     * @param z {@code true} to allow minimal profiles on browsing denial
     */
    public void setAllowSendingMinimalProfilesWhenBrowsingDenied(boolean z) {
        allowSendingMinimalProfilesWhenBrowsingDenied = z;
    }
}
