package pl.edu.icm.yadda.aas.proxy;

import java.io.Serializable;
import java.util.Arrays;
import java.util.BitSet;
import java.util.List;
import java.util.Random;
import java.util.Set;
import java.util.UUID;
import org.opensaml.lite.xacml.policy.ObligationType;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Required;
import pl.edu.icm.yadda.aas.client.YaddaErrorAwareResult;
import pl.edu.icm.yadda.aas.client.YaddaObligationsAwareResult;
import pl.edu.icm.yadda.aas.client.authz.lic.LicensingAuthorizationFacade;
import pl.edu.icm.yadda.aas.client.backend.BackendAuthorizerRequest;
import pl.edu.icm.yadda.aas.client.backend.IBackendAuthorizer;
import pl.edu.icm.yadda.aas.handler.HeaderFieldBasedSecurityRequestHandler;
import pl.edu.icm.yadda.aas.handler.ISecurityRequestHandler;
import pl.edu.icm.yadda.aas.proxy.browse.ExternalStringBasedCookie;
import pl.edu.icm.yadda.aas.proxy.criterion.CriterionCreatorResponse;
import pl.edu.icm.yadda.aas.proxy.criterion.ICriterionCreatorManager;
import pl.edu.icm.yadda.aas.proxy.token.CacheEntry;
import pl.edu.icm.yadda.aas.proxy.token.TokenAwareSecuredService;
import pl.edu.icm.yadda.aas.proxy.token.TokenSecurityException;
import pl.edu.icm.yadda.service2.GenericRequest;
import pl.edu.icm.yadda.service2.GetFeaturesRequest;
import pl.edu.icm.yadda.service2.GetFeaturesResponse;
import pl.edu.icm.yadda.service2.GetVersionResponse;
import pl.edu.icm.yadda.service2.VersionHelper;
import pl.edu.icm.yadda.service2.YaddaError;
import pl.edu.icm.yadda.service2.YaddaErrorCodeConstants;
import pl.edu.icm.yadda.service2.browse.AggregateCountRequest;
import pl.edu.icm.yadda.service2.browse.AggregateRequest;
import pl.edu.icm.yadda.service2.browse.AggregationInfoRequest;
import pl.edu.icm.yadda.service2.browse.AggregationInfoResponse;
import pl.edu.icm.yadda.service2.browse.ControlRequest;
import pl.edu.icm.yadda.service2.browse.ControlResponse;
import pl.edu.icm.yadda.service2.browse.Cookie;
import pl.edu.icm.yadda.service2.browse.CountRequest;
import pl.edu.icm.yadda.service2.browse.CountResponse;
import pl.edu.icm.yadda.service2.browse.DataResponse;
import pl.edu.icm.yadda.service2.browse.EditDataRequest;
import pl.edu.icm.yadda.service2.browse.EditDataResponse;
import pl.edu.icm.yadda.service2.browse.EditStructureRequest;
import pl.edu.icm.yadda.service2.browse.EditStructureResponse;
import pl.edu.icm.yadda.service2.browse.FetchRequest;
import pl.edu.icm.yadda.service2.browse.IBrowser;
import pl.edu.icm.yadda.service2.browse.RelationsInfoRequest;
import pl.edu.icm.yadda.service2.browse.RelationsInfoResponse;
import pl.edu.icm.yadda.service2.browse.SelectRequest;
import pl.edu.icm.yadda.service2.browse.query.AggregateCountQuery;
import pl.edu.icm.yadda.service2.browse.query.AggregateQuery;
import pl.edu.icm.yadda.service2.browse.query.ComplexClause;
import pl.edu.icm.yadda.service2.browse.query.Condition;
import pl.edu.icm.yadda.service2.browse.query.Query;
import pl.edu.icm.yadda.service2.browse.query.SelectQuery;
import pl.edu.icm.yadda.service2.browse.relation.AggregatingView;
import pl.edu.icm.yadda.service2.browse.relation.Field;
import pl.edu.icm.yadda.service2.browse.relation.RelationInfo;

/* loaded from: input_file:WEB-INF/lib/yadda-aas2-common-4.4.17-AGRO-POPC-SNAPSHOT.jar:pl/edu/icm/yadda/aas/proxy/SecuredBrowser.class */
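/**
 * Authorizing proxy placed in front of an {@link IBrowser} delegate.
 *
 * <p>Read operations ({@code count}, {@code aggregatedCount}, {@code select}, {@code aggregate},
 * {@code fetch}) are narrowed by a license criterion whenever the queried relation exposes a
 * field of type {@code Field.Type.LICENSE}; relations without such a field are passed through
 * unfiltered. Mutating operations ({@code editStructure}, {@code editData}, {@code control})
 * are gated by the {@link IBackendAuthorizer}. Paging cookies returned by the delegate are
 * replaced through the inherited {@code storeEntry} before being handed to the caller.
 *
 * <p>NOTE(review): {@link #getAggregationInfo} and {@link #getRelationsInfo} are forwarded
 * without any authorization check; confirm that this metadata is meant to be public.
 */
public class SecuredBrowser extends TokenAwareSecuredService<Cookie, BitSet> implements IBrowser {
    public static final String BACKEND_RESOURCE_VALUE_BROWSER = "browser";
    public static final String BACKEND_ACTION_VALUE_EDIT_STRUCT = "edit-structure";
    public static final String BACKEND_ACTION_VALUE_EDIT_DATA = "edit-data";
    public static final String BACKEND_ACTION_VALUE_CONTROL = "control";

    /** Message used for both the log line and the error returned when no read criterion applies. */
    private static final String MSG_NO_READ_PERMISSION = "no permission to read browser";

    /** Number of random bytes placed in each external token id (128 bits). */
    private static final int EXTERNAL_TOKEN_NONCE_BYTES = 16;

    private ICriterionCreatorManager<BitSet> criterionCreatorManager;
    protected LicensingAuthorizationFacade licAuthzFacade;
    private IBrowser browser;
    private IBackendAuthorizer authorizer;
    protected final Logger log = LoggerFactory.getLogger(getClass());

    // SECURITY: while this flag is true every read is treated as "allow all" and neither
    // licAuthzFacade nor criterionCreatorManager is consulted. The default is kept at true for
    // backward compatibility; deployments that rely on license filtering must switch it off
    // through setSkipLicenses(false).
    private boolean skipLicenses = true;

    // Source of external token ids. A CSPRNG is used because the id is the only secret that
    // protects a cached cursor; the declared type stays Random so subclasses keep compiling.
    // Subclasses that replace this field should supply a cryptographically strong generator.
    protected Random rand = new java.security.SecureRandom();

    private ISecurityRequestHandler securityRequestHandler = new HeaderFieldBasedSecurityRequestHandler();

    /**
     * Reports the current service API version; the request is not inspected.
     *
     * @param genericRequest ignored
     * @return response carrying {@code VersionHelper.currentAPIVersion()}
     */
    @Override // pl.edu.icm.yadda.service2.IYaddaService
    public GetVersionResponse getVersionResponse(GenericRequest genericRequest) {
        return new GetVersionResponse(VersionHelper.currentAPIVersion());
    }

    /**
     * Returns the delegate's feature list with the "requires authorization" feature added.
     *
     * @param getFeaturesRequest request forwarded to the delegate
     * @return the delegate's response, mutated in place
     */
    @Override // pl.edu.icm.yadda.service2.IYaddaService
    public GetFeaturesResponse getFeatures(GetFeaturesRequest getFeaturesRequest) {
        GetFeaturesResponse features = this.browser.getFeatures(getFeaturesRequest);
        features.getFeatures().add(SecurityConstants.FEATURE_REQUIRES_AUTHORIZATION);
        return features;
    }

    /**
     * Forwards the aggregation-info lookup to the delegate without an authorization check.
     *
     * @param aggregationInfoRequest request forwarded unchanged
     * @return the delegate's response
     */
    @Override // pl.edu.icm.yadda.service2.browse.IBrowser
    public AggregationInfoResponse getAggregationInfo(AggregationInfoRequest aggregationInfoRequest) {
        return this.browser.getAggregationInfo(aggregationInfoRequest);
    }

    /**
     * Asks the backend authorizer whether the described action is permitted.
     *
     * @param backendAuthorizerRequest action, resource and caller security data
     * @return {@code true} only when the authorizer explicitly grants access; a missing
     *         decision is treated as a denial instead of failing with a NullPointerException
     */
    protected boolean evaluateBackendAccess(BackendAuthorizerRequest backendAuthorizerRequest) {
        YaddaObligationsAwareResult<Boolean> decision = this.authorizer.evaluateAccess(backendAuthorizerRequest);
        if (decision.getError() != null) {
            return processBackendError(decision, backendAuthorizerRequest);
        }
        // Fail closed: only an explicit TRUE grants access.
        return Boolean.TRUE.equals(decision.getData());
    }

    /**
     * Handles an authorizer result that carries an error: the error is logged and the decision
     * attached to the result (if any) is returned.
     *
     * @param yaddaErrorAwareResult authorizer result whose {@code getError()} is non-null
     * @param backendAuthorizerRequest the request that produced the result (unused here)
     * @return the attached decision, or {@code false} when the result carries no decision
     */
    protected boolean processBackendError(YaddaErrorAwareResult<Boolean> yaddaErrorAwareResult, BackendAuthorizerRequest backendAuthorizerRequest) {
        this.log.warn(yaddaErrorAwareResult.getError().getCode() + ':' + yaddaErrorAwareResult.getError().getMssg(), (Throwable) yaddaErrorAwareResult.getError().getException());
        // An errored result often has no data; unboxing null would throw, so deny instead.
        // NOTE(review): a TRUE that arrives together with an error is still honoured, as before.
        // Confirm that the authorizer never reports "granted" on a failed evaluation; if it can,
        // this should return false unconditionally.
        return Boolean.TRUE.equals(yaddaErrorAwareResult.getData());
    }

    /**
     * Finds the LICENSE-typed field of a relation, looked up by relation name.
     *
     * @param str relation name, may be {@code null}
     * @return the first field of type {@code Field.Type.LICENSE}, or {@code null} when the name
     *         is {@code null} or the relation has no such field
     */
    protected Field getSecurityField(String str) {
        if (str == null) {
            return null;
        }
        for (Field field : this.browser.getRelationsInfo(new RelationsInfoRequest(str)).getInfo(str).getFields()) {
            if (field.getType() == Field.Type.LICENSE) {
                return field;
            }
        }
        return null;
    }

    /**
     * Finds the LICENSE-typed field of the relation behind an aggregating view.
     *
     * <p>SECURITY: every failure below returns {@code null}, and callers treat {@code null} as
     * "this relation is not license-protected" and forward the request unfiltered. A lookup
     * error therefore disables filtering for that request rather than rejecting it.
     *
     * @param uuid view identifier, may be {@code null}
     * @return the first LICENSE field, or {@code null} when the uuid is {@code null}, the lookup
     *         fails, view or relation details are missing, or no LICENSE field exists
     */
    protected Field getSecurityFieldForUUID(UUID uuid) {
        if (uuid == null) {
            return null;
        }
        AggregationInfoResponse aggregationInfo = this.browser.getAggregationInfo(new AggregationInfoRequest(uuid.toString()));
        if (!aggregationInfo.isOK()) {
            this.log.error("unable to get valid aggregation info for uuid " + uuid + ", message: " + aggregationInfo.getError().getMssg(), (Throwable) aggregationInfo.getError().getException());
            return null;
        }
        AggregatingView view = aggregationInfo.getView();
        if (view == null) {
            this.log.error("no view details found for UUID " + uuid);
            return null;
        }
        RelationInfo relationInfo = view.getRelationInfo();
        if (relationInfo == null) {
            this.log.error("no relation info found for view " + view.getName());
            return null;
        }
        for (Field field : relationInfo.getFields()) {
            if (field.getType() == Field.Type.LICENSE) {
                return field;
            }
        }
        return null;
    }

    /**
     * Counts rows of a relation, restricted to rows the caller's licenses permit.
     *
     * @param countRequest the count request; a {@code null} request or query is forwarded as is
     * @return the delegate's count, or an error response when obligations cannot be retrieved
     *         or no read criterion applies
     */
    @Override // pl.edu.icm.yadda.service2.browse.IBrowser
    public CountResponse count(CountRequest countRequest) {
        CriterionCreatorResponse<BitSet> createCriteria;
        Field securityField = getSecurityField((countRequest == null || countRequest.getQuery() == null) ? null : countRequest.getQuery().getRelationName());
        if (securityField == null) {
            // Relation has no LICENSE field: nothing to filter on.
            return this.browser.count(countRequest);
        }
        if (this.skipLicenses) {
            createCriteria = new CriterionCreatorResponse<>(true);
        } else {
            YaddaErrorAwareResult<Set<ObligationType>> retrieveLicenseObligations = this.licAuthzFacade.retrieveLicenseObligations(this.securityRequestHandler.extract(countRequest));
            if (retrieveLicenseObligations.getError() != null) {
                this.log.error("got error from security client: " + retrieveLicenseObligations.getError().getCode() + ", " + retrieveLicenseObligations.getError().getMssg());
                return new CountResponse(retrieveLicenseObligations.getError());
            }
            createCriteria = this.criterionCreatorManager.createCriteria(retrieveLicenseObligations.getData());
        }
        if (!shouldBeProcessed(createCriteria)) {
            this.log.debug(MSG_NO_READ_PERMISSION);
            return new CountResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, MSG_NO_READ_PERMISSION));
        }
        if (createCriteria.getSecurityCriterion() == null) {
            // Allow-all: the caller's query is used unchanged.
            return this.browser.count(countRequest);
        }
        // AND the caller's own condition (if any) with the license restriction.
        Condition permitted = Condition.permitted(securityField.getName(), createCriteria.getSecurityCriterion());
        return this.browser.count(new CountRequest(countRequest.getQuery().getCondition() != null
                ? Query.count(countRequest.getQuery().getRelationName()).where(new ComplexClause(ComplexClause.Operator.AND, (List<Condition>) Arrays.asList(countRequest.getQuery().getCondition(), permitted)))
                : Query.count(countRequest.getQuery().getRelationName()).where(permitted)));
    }

    /**
     * Counts rows of an aggregating view, restricted to rows the caller's licenses permit.
     *
     * @param aggregateCountRequest the request; a {@code null} request or query is forwarded as is
     * @return the delegate's count, or an error response when obligations cannot be retrieved
     *         or no read criterion applies
     */
    @Override // pl.edu.icm.yadda.service2.browse.IBrowser
    public CountResponse aggregatedCount(AggregateCountRequest aggregateCountRequest) {
        CriterionCreatorResponse<BitSet> createCriteria;
        UUID uuid = (aggregateCountRequest == null || aggregateCountRequest.getQuery() == null) ? null : aggregateCountRequest.getQuery().getUuid();
        Field securityFieldForUUID = getSecurityFieldForUUID(uuid);
        if (securityFieldForUUID == null) {
            this.log.debug("no security field for uuid " + uuid);
            return this.browser.aggregatedCount(aggregateCountRequest);
        }
        if (this.skipLicenses) {
            createCriteria = new CriterionCreatorResponse<>(true);
        } else {
            YaddaErrorAwareResult<Set<ObligationType>> retrieveLicenseObligations = this.licAuthzFacade.retrieveLicenseObligations(this.securityRequestHandler.extract(aggregateCountRequest));
            if (retrieveLicenseObligations.getError() != null) {
                this.log.error("got error from security client: " + retrieveLicenseObligations.getError().getCode() + ", " + retrieveLicenseObligations.getError().getMssg());
                return new CountResponse(retrieveLicenseObligations.getError());
            }
            createCriteria = this.criterionCreatorManager.createCriteria(retrieveLicenseObligations.getData());
        }
        if (!shouldBeProcessed(createCriteria)) {
            this.log.debug(MSG_NO_READ_PERMISSION);
            return new CountResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, MSG_NO_READ_PERMISSION));
        }
        if (createCriteria.getSecurityCriterion() == null) {
            return this.browser.aggregatedCount(aggregateCountRequest);
        }
        Condition permitted = Condition.permitted(securityFieldForUUID.getName(), createCriteria.getSecurityCriterion());
        return this.browser.aggregatedCount(new AggregateCountRequest(aggregateCountRequest.getQuery().getCondition() != null
                ? new AggregateCountQuery(uuid, new ComplexClause(ComplexClause.Operator.AND, (List<Condition>) Arrays.asList(aggregateCountRequest.getQuery().getCondition(), permitted)))
                : new AggregateCountQuery(uuid, permitted)));
    }

    /**
     * Decides whether a read may proceed for the given criteria.
     *
     * @param criterionCreatorResponse criteria derived from the caller's license obligations
     * @return {@code true} when everything is allowed or a concrete security criterion exists
     */
    protected boolean shouldBeProcessed(CriterionCreatorResponse<BitSet> criterionCreatorResponse) {
        return criterionCreatorResponse.isAllowAll() || criterionCreatorResponse.getSecurityCriterion() != null;
    }

    /**
     * Runs a select, restricted to rows the caller's licenses permit, and replaces the
     * delegate's paging cookie with the value returned by the inherited {@code storeEntry}.
     *
     * @param selectRequest the request; a {@code null} request or query is forwarded as is
     * @return the delegate's data, an empty result when a restricted query has no selection,
     *         or an error response when obligations cannot be retrieved or no criterion applies
     */
    @Override // pl.edu.icm.yadda.service2.browse.IBrowser
    public DataResponse select(SelectRequest selectRequest) {
        CriterionCreatorResponse<BitSet> createCriteria;
        SelectQuery query;
        Field securityField = getSecurityField((selectRequest == null || selectRequest.getQuery() == null) ? null : selectRequest.getQuery().getRelationName());
        if (securityField == null) {
            return this.browser.select(selectRequest);
        }
        if (this.skipLicenses) {
            createCriteria = new CriterionCreatorResponse<>(true);
        } else {
            YaddaErrorAwareResult<Set<ObligationType>> retrieveLicenseObligations = this.licAuthzFacade.retrieveLicenseObligations(this.securityRequestHandler.extract(selectRequest));
            if (retrieveLicenseObligations.getError() != null) {
                this.log.error("got error from security client: " + retrieveLicenseObligations.getError().getCode() + ", " + retrieveLicenseObligations.getError().getMssg());
                return new DataResponse(retrieveLicenseObligations.getError());
            }
            createCriteria = this.criterionCreatorManager.createCriteria(retrieveLicenseObligations.getData());
        }
        if (!shouldBeProcessed(createCriteria)) {
            this.log.debug(MSG_NO_READ_PERMISSION);
            return new DataResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, MSG_NO_READ_PERMISSION));
        }
        if (createCriteria.getSecurityCriterion() != null) {
            Condition permitted = Condition.permitted(securityField.getName(), createCriteria.getSecurityCriterion());
            if (selectRequest.getQuery().getSelection() != null && selectRequest.getQuery().getSelection().getCondition() != null) {
                query = new SelectQuery(selectRequest.getQuery().getRelationName(), selectRequest.getQuery().getSelection().where(new ComplexClause(ComplexClause.Operator.AND, (List<Condition>) Arrays.asList(selectRequest.getQuery().getSelection().getCondition(), permitted))));
            } else {
                if (selectRequest.getQuery().getSelection() == null) {
                    // Without a selection there is nothing to attach the restriction to, so an
                    // empty result is returned rather than an unfiltered one.
                    this.log.warn("no selection in query, returning 0 results");
                    return new DataResponse(new Serializable[0][0]);
                }
                query = new SelectQuery(selectRequest.getQuery().getRelationName(), selectRequest.getQuery().getSelection().where(permitted));
            }
        } else {
            query = selectRequest.getQuery();
        }
        DataResponse select = this.browser.select(new SelectRequest(query, selectRequest.getPageLimit()));
        select.setCookie(storeEntry(select.getCookie(), createCriteria));
        return select;
    }

    /**
     * Runs an aggregate query, restricted to rows the caller's licenses permit, and replaces the
     * delegate's paging cookie with the value returned by the inherited {@code storeEntry}.
     *
     * @param aggregateRequest the request; a {@code null} request or query is forwarded as is
     * @return the delegate's data, an empty result when a restricted query has no selection,
     *         or an error response when obligations cannot be retrieved or no criterion applies
     */
    @Override // pl.edu.icm.yadda.service2.browse.IBrowser
    public DataResponse aggregate(AggregateRequest aggregateRequest) {
        CriterionCreatorResponse<BitSet> createCriteria;
        AggregateQuery query;
        // NOTE(review): the security field is resolved by relation name here, while
        // aggregatedCount resolves it by view uuid; confirm both lookups agree.
        Field securityField = getSecurityField((aggregateRequest == null || aggregateRequest.getQuery() == null) ? null : aggregateRequest.getQuery().getRelationName());
        if (securityField == null) {
            return this.browser.aggregate(aggregateRequest);
        }
        if (this.skipLicenses) {
            createCriteria = new CriterionCreatorResponse<>(true);
        } else {
            YaddaErrorAwareResult<Set<ObligationType>> retrieveLicenseObligations = this.licAuthzFacade.retrieveLicenseObligations(this.securityRequestHandler.extract(aggregateRequest));
            if (retrieveLicenseObligations.getError() != null) {
                this.log.error("got error from security client: " + retrieveLicenseObligations.getError().getCode() + ", " + retrieveLicenseObligations.getError().getMssg());
                return new DataResponse(retrieveLicenseObligations.getError());
            }
            createCriteria = this.criterionCreatorManager.createCriteria(retrieveLicenseObligations.getData());
        }
        if (!shouldBeProcessed(createCriteria)) {
            this.log.debug(MSG_NO_READ_PERMISSION);
            return new DataResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, MSG_NO_READ_PERMISSION));
        }
        if (createCriteria.getSecurityCriterion() != null) {
            Condition permitted = Condition.permitted(securityField.getName(), createCriteria.getSecurityCriterion());
            if (aggregateRequest.getQuery().getSelection() != null && aggregateRequest.getQuery().getSelection().getCondition() != null) {
                query = new AggregateQuery(aggregateRequest.getQuery().getUuid(), aggregateRequest.getQuery().getSelection().where(new ComplexClause(ComplexClause.Operator.AND, (List<Condition>) Arrays.asList(aggregateRequest.getQuery().getSelection().getCondition(), permitted))), aggregateRequest.getQuery().isBlocking());
            } else {
                if (aggregateRequest.getQuery().getSelection() == null) {
                    // Same rule as select(): no selection means no place for the restriction.
                    this.log.warn("no selection in query, returning 0 results");
                    return new DataResponse(new Serializable[0][0]);
                }
                query = new AggregateQuery(aggregateRequest.getQuery().getUuid(), aggregateRequest.getQuery().getSelection().where(permitted), aggregateRequest.getQuery().isBlocking());
            }
        } else {
            query = aggregateRequest.getQuery();
        }
        DataResponse aggregate = this.browser.aggregate(new AggregateRequest(query, aggregateRequest.getPageLimit(), aggregateRequest.isBlocking()));
        aggregate.setCookie(storeEntry(aggregate.getCookie(), createCriteria));
        return aggregate;
    }

    /**
     * Fetches the next page for a paging cookie.
     *
     * <p>Cookies that are not {@link ExternalStringBasedCookie}s are forwarded untouched. For an
     * external token the caller's current criteria are recomputed, the cached entry is looked up
     * through the inherited {@code getCachedEntryWithSecurityCriterionCheckAndRemoval}, the
     * request's cookie is overwritten with the internal token, and the delegate's new cookie is
     * again replaced through {@code storeEntry}.
     *
     * @param fetchRequest the request; its cookie is replaced in place on the external-token path
     * @return the delegate's data, or an {@code ERROR_AUTH} response when the request or cookie
     *         is missing, the token is unknown, no criterion applies, or the inherited lookup
     *         throws {@link TokenSecurityException}
     */
    @Override // pl.edu.icm.yadda.service2.browse.IBrowser
    public DataResponse fetch(FetchRequest fetchRequest) {
        CriterionCreatorResponse<BitSet> createCriteria;
        // A null request is rejected like a missing cookie instead of raising a NullPointerException.
        if (fetchRequest == null || fetchRequest.getCookie() == null) {
            this.log.debug("no cookie found in request");
            return new DataResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "no cookie found in request"));
        }
        if (!isExternalToken(fetchRequest.getCookie())) {
            // NOTE(review): a non-external cookie reaches the delegate with no authorization
            // check. This is consistent with select()/aggregate() on unprotected relations only
            // if such cookies can never belong to a license-filtered cursor; confirm.
            return this.browser.fetch(fetchRequest);
        }
        if (this.skipLicenses) {
            createCriteria = new CriterionCreatorResponse<>(true);
        } else {
            YaddaErrorAwareResult<Set<ObligationType>> retrieveLicenseObligations = this.licAuthzFacade.retrieveLicenseObligations(this.securityRequestHandler.extract(fetchRequest));
            if (retrieveLicenseObligations.getError() != null) {
                this.log.error("got error from security client: " + retrieveLicenseObligations.getError().getCode() + ", " + retrieveLicenseObligations.getError().getMssg());
                return new DataResponse(retrieveLicenseObligations.getError());
            }
            createCriteria = this.criterionCreatorManager.createCriteria(retrieveLicenseObligations.getData());
        }
        if (!shouldBeProcessed(createCriteria)) {
            this.log.debug(MSG_NO_READ_PERMISSION);
            return new DataResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, MSG_NO_READ_PERMISSION));
        }
        try {
            CacheEntry<Cookie, BitSet> cachedEntry = getCachedEntryWithSecurityCriterionCheckAndRemoval(fetchRequest.getCookie(), createCriteria);
            if (cachedEntry == null) {
                String str = "invalid resumption token: " + fetchRequest.getCookie();
                this.log.debug(str);
                return new DataResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, str));
            }
            fetchRequest.setCookie(cachedEntry.getInternalToken());
            DataResponse fetch = this.browser.fetch(fetchRequest);
            fetch.setCookie(storeEntry(fetch.getCookie(), createCriteria));
            return fetch;
        } catch (TokenSecurityException e) {
            this.log.debug("Security constraints were violated: security criteria have changed!");
            return new DataResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "Security constraints were violated: security criteria have changed!", e));
        }
    }

    /**
     * Edits the browser structure when the backend authorizer grants {@code edit-structure}.
     *
     * @param editStructureRequest request forwarded to the delegate on success
     * @return the delegate's response, or an {@code ERROR_AUTH} response when access is denied
     */
    @Override // pl.edu.icm.yadda.service2.browse.IBrowser
    public EditStructureResponse editStructure(EditStructureRequest editStructureRequest) {
        if (evaluateBackendAccess(new BackendAuthorizerRequest(BACKEND_ACTION_VALUE_EDIT_STRUCT, BACKEND_RESOURCE_VALUE_BROWSER, this.securityRequestHandler.extract(editStructureRequest)))) {
            return this.browser.editStructure(editStructureRequest);
        }
        this.log.warn("Permission not granted to edit structure by browser!");
        return new EditStructureResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "Permission not granted to edit structure by browser!"));
    }

    /**
     * Edits browser data when the backend authorizer grants {@code edit-data}.
     *
     * @param editDataRequest request forwarded to the delegate on success
     * @return the delegate's response, or an {@code ERROR_AUTH} response when access is denied
     */
    @Override // pl.edu.icm.yadda.service2.browse.IBrowser
    public EditDataResponse editData(EditDataRequest editDataRequest) {
        if (evaluateBackendAccess(new BackendAuthorizerRequest(BACKEND_ACTION_VALUE_EDIT_DATA, BACKEND_RESOURCE_VALUE_BROWSER, this.securityRequestHandler.extract(editDataRequest)))) {
            return this.browser.editData(editDataRequest);
        }
        this.log.warn("Permission not granted to edit data by browser!");
        return new EditDataResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "Permission not granted to edit data by browser!"));
    }

    /**
     * Forwards the relations-info lookup to the delegate without an authorization check.
     *
     * @param relationsInfoRequest request forwarded unchanged
     * @return the delegate's response
     */
    @Override // pl.edu.icm.yadda.service2.browse.IBrowser
    public RelationsInfoResponse getRelationsInfo(RelationsInfoRequest relationsInfoRequest) {
        return this.browser.getRelationsInfo(relationsInfoRequest);
    }

    /**
     * Executes a control request when the backend authorizer grants {@code control}.
     *
     * @param controlRequest request forwarded to the delegate on success
     * @return the delegate's response, or an {@code ERROR_AUTH} response when access is denied
     */
    @Override // pl.edu.icm.yadda.service2.browse.IBrowser
    public ControlResponse control(ControlRequest controlRequest) {
        if (evaluateBackendAccess(new BackendAuthorizerRequest(BACKEND_ACTION_VALUE_CONTROL, BACKEND_RESOURCE_VALUE_BROWSER, this.securityRequestHandler.extract(controlRequest)))) {
            return this.browser.control(controlRequest);
        }
        this.log.warn("Permission not granted to control data by browser!");
        return new ControlResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "Permission not granted to control data by browser!"));
    }

    /**
     * Compares two criteria responses: two allow-all responses are equal, an allow-all and a
     * restricted one are not, and two restricted ones are compared by their security criterion.
     *
     * <p>With {@code skipLicenses} left at {@code true} every response is allow-all, so this
     * always returns {@code true}; the unguessability of the external token is then the only
     * thing separating one caller's cursor from another's.
     *
     * @param criterionCreatorResponse first response, must not be {@code null}
     * @param criterionCreatorResponse2 second response, must not be {@code null}
     * @return whether both responses describe the same access
     */
    @Override // pl.edu.icm.yadda.aas.proxy.token.TokenAwareSecuredService
    public boolean equals(CriterionCreatorResponse<BitSet> criterionCreatorResponse, CriterionCreatorResponse<BitSet> criterionCreatorResponse2) {
        if (criterionCreatorResponse.isAllowAll()) {
            return criterionCreatorResponse2.isAllowAll();
        }
        if (criterionCreatorResponse2.isAllowAll()) {
            return false;
        }
        return SecurityCriterionComparatorHelper.equals(criterionCreatorResponse.getSecurityCriterion(), criterionCreatorResponse2.getSecurityCriterion());
    }

    /**
     * Creates the external cookie handed to callers in place of the delegate's cookie.
     *
     * @param cookie the internal cookie (not used to derive the external id)
     * @return a new {@link ExternalStringBasedCookie} with a freshly generated id
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // pl.edu.icm.yadda.aas.proxy.token.TokenAwareSecuredService
    public Cookie generateExternalToken(Cookie cookie) {
        return new ExternalStringBasedCookie(generateExternalTokenId());
    }

    /**
     * Tells whether a cookie is one of this proxy's external tokens.
     *
     * @param cookie cookie to test, may be {@code null}
     * @return {@code true} for a non-null {@link ExternalStringBasedCookie}
     */
    protected boolean isExternalToken(Cookie cookie) {
        // instanceof is already false for null.
        return cookie instanceof ExternalStringBasedCookie;
    }

    /**
     * Generates the id of an external token as {@code <millis>-<32 hex digits>}.
     *
     * <p>The previous suffix was {@code nextInt(100)} from a non-cryptographic generator: two
     * tokens issued in the same millisecond collided with probability 1/100, and the id could
     * be guessed from the issue time alone. The suffix is now 128 bits drawn from {@link #rand}.
     *
     * @return a new token id
     */
    protected String generateExternalTokenId() {
        byte[] nonce = new byte[EXTERNAL_TOKEN_NONCE_BYTES];
        this.rand.nextBytes(nonce);
        StringBuilder id = new StringBuilder(48).append(System.currentTimeMillis()).append('-');
        for (byte b : nonce) {
            id.append(Character.forDigit((b >> 4) & 0xF, 16)).append(Character.forDigit(b & 0xF, 16));
        }
        return id.toString();
    }

    /** @param iBrowser the delegate that executes the actual browse operations */
    @Required
    public void setBrowser(IBrowser iBrowser) {
        this.browser = iBrowser;
    }

    /** @param licensingAuthorizationFacade source of license obligations; used only when licenses are not skipped */
    @Required
    public void setLicAuthzFacade(LicensingAuthorizationFacade licensingAuthorizationFacade) {
        this.licAuthzFacade = licensingAuthorizationFacade;
    }

    /** @param iCriterionCreatorManager turns license obligations into a query criterion; used only when licenses are not skipped */
    @Required
    public void setCriterionCreatorManager(ICriterionCreatorManager<BitSet> iCriterionCreatorManager) {
        this.criterionCreatorManager = iCriterionCreatorManager;
    }

    /** @param iBackendAuthorizer authorizer consulted for edit-structure, edit-data and control */
    @Required
    public void setAuthorizer(IBackendAuthorizer iBackendAuthorizer) {
        this.authorizer = iBackendAuthorizer;
    }

    /** @param iSecurityRequestHandler extracts the caller's security data from a request; defaults to the header-field based handler */
    public void setSecurityRequestHandler(ISecurityRequestHandler iSecurityRequestHandler) {
        this.securityRequestHandler = iSecurityRequestHandler;
    }

    /**
     * Enables or disables license-based filtering of read operations.
     *
     * @param skipLicenses {@code true} (the default) treats every read as allow-all;
     *        {@code false} derives the criterion from the caller's license obligations
     */
    public void setSkipLicenses(boolean skipLicenses) {
        this.skipLicenses = skipLicenses;
    }
}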
