package pl.edu.icm.yadda.aas.proxy.user;

import java.io.Serializable;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Set;
import pl.edu.icm.yadda.aas.client.backend.BackendAuthorizerRequest;
import pl.edu.icm.yadda.aas.handler.HeaderFieldBasedSecurityRequestHandler;
import pl.edu.icm.yadda.aas.handler.ISecurityRequestHandler;
import pl.edu.icm.yadda.aas.proxy.AbstractBackendAuthorizerAware;
import pl.edu.icm.yadda.aas.proxy.SecurityConstants;
import pl.edu.icm.yadda.aas.usercatalog.model.Group;
import pl.edu.icm.yadda.aas.usercatalog.model.NamedObject;
import pl.edu.icm.yadda.aas.usercatalog.model.Role;
import pl.edu.icm.yadda.aas.usercatalog.model.User;
import pl.edu.icm.yadda.aas.usercatalog.model.UserProfile;
import pl.edu.icm.yadda.aas.usercatalog.service.BrowseSecurityObjectResponse;
import pl.edu.icm.yadda.aas.usercatalog.service.BrowseSecurityObjectsRequest;
import pl.edu.icm.yadda.aas.usercatalog.service.EffectiveAttributesRequest;
import pl.edu.icm.yadda.aas.usercatalog.service.EffectiveAttributesResponse;
import pl.edu.icm.yadda.aas.usercatalog.service.IUserCatalogService;
import pl.edu.icm.yadda.aas.usercatalog.service.LoadSecurityObjectsRequest;
import pl.edu.icm.yadda.aas.usercatalog.service.LoadSecurityObjectsResponse;
import pl.edu.icm.yadda.aas.usercatalog.service.SecurityObjectFilter;
import pl.edu.icm.yadda.aas.usercatalog.service.SecurityObjectType;
import pl.edu.icm.yadda.aas.usercatalog.service.impl.UserCatalogCookie;
import pl.edu.icm.yadda.service2.GenericRequest;
import pl.edu.icm.yadda.service2.GetFeaturesRequest;
import pl.edu.icm.yadda.service2.GetFeaturesResponse;
import pl.edu.icm.yadda.service2.GetVersionResponse;
import pl.edu.icm.yadda.service2.VersionHelper;
import pl.edu.icm.yadda.service2.YaddaError;
import pl.edu.icm.yadda.service2.YaddaErrorCodeConstants;
import pl.edu.icm.yadda.service2.browse.FetchRequest;

/* loaded from: input_file:WEB-INF/lib/yadda-aas2-common-0.4.5.jar:pl/edu/icm/yadda/aas/proxy/user/SecuredUserCatalogService.class */
public class SecuredUserCatalogService extends AbstractSecuredUserCommonService implements IUserCatalogService {
    protected static final String ACTION_LOAD = "load";
    protected static final String ACTION_LOAD_WITH_PASS = "load-with-password";
    protected static final String ACTION_QUERY_ATTRS = "query-attributes";
    protected static final String ACTION_BROWSE = "browse";
    protected static final String ACTION_BROWSE_WITH_PASS = "browse-with-password";
    public static final String OBLIG_ID_STRIPOUT = "security:facade:stripout";
    private IUserCatalogService service;
    protected final Set<String> FEATURES = new HashSet();
    private ISecurityRequestHandler securityRequestHandler = new HeaderFieldBasedSecurityRequestHandler();

    @Override // pl.edu.icm.yadda.aas.usercatalog.service.IUserCatalogService
    public LoadSecurityObjectsResponse loadSecurityObjects(LoadSecurityObjectsRequest loadSecurityObjectsRequest) {
        AbstractBackendAuthorizerAware.ObligationContext obligationContext = new AbstractBackendAuthorizerAware.ObligationContext();
        if (!isAccessEvaluationRequired(loadSecurityObjectsRequest.getType())) {
            return this.service.loadSecurityObjects(loadSecurityObjectsRequest);
        }
        HashMap hashMap = new HashMap();
        try {
            hashMap.put(BackendAuthorizerRequest.UNSUFFIXED_GENERIC_PARAM_VALUE, getUserNames(loadSecurityObjectsRequest));
            if (!evaluateBackendAccess(new BackendAuthorizerRequest(loadSecurityObjectsRequest.isLoadPassword() ? ACTION_LOAD_WITH_PASS : ACTION_LOAD, "user", this.securityRequestHandler.extract(loadSecurityObjectsRequest), null, hashMap), obligationContext)) {
                this.log.warn("Permission not granted to load security objects!");
                return new LoadSecurityObjectsResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "Permission not granted to load security objects!"));
            }
            LoadSecurityObjectsResponse loadSecurityObjects = this.service.loadSecurityObjects(loadSecurityObjectsRequest);
            LoadSecurityObjectsResponse strip = obligationContext.getAndMarkAsProcessed(OBLIG_ID_STRIPOUT) != null ? strip(loadSecurityObjects) : loadSecurityObjects;
            if (obligationContext.understoodAll()) {
                return strip;
            }
            this.log.error("some obligations were not understood: " + obligationContext.getObligsCVS());
            return new LoadSecurityObjectsResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "some obligations were not understood"));
        } catch (Exception e) {
            return new LoadSecurityObjectsResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "unable to extract user name!", e));
        }
    }

    protected LoadSecurityObjectsResponse strip(LoadSecurityObjectsResponse loadSecurityObjectsResponse) {
        if (loadSecurityObjectsResponse != null && loadSecurityObjectsResponse.getResult() != null) {
            for (int i = 0; i < loadSecurityObjectsResponse.getResult().size(); i++) {
                loadSecurityObjectsResponse.getResult().set(i, strip(loadSecurityObjectsResponse.getResult().get(i)));
            }
        }
        return loadSecurityObjectsResponse;
    }

    protected Serializable strip(Serializable serializable) {
        NamedObject role;
        if (serializable == null) {
            return null;
        }
        if (serializable instanceof User) {
            role = new User(((User) serializable).getName());
        } else if (serializable instanceof Group) {
            role = new Group(((Group) serializable).getName());
        } else {
            if (!(serializable instanceof Role)) {
                throw new RuntimeException("cannot strip object, unsupported instance: " + serializable.getClass().getName());
            }
            role = new Role(((Role) serializable).getName());
        }
        if (role != null) {
            role.getAttributes().put(OBLIG_ID_STRIPOUT, "true");
        }
        return role;
    }

    protected String[] getUserNames(LoadSecurityObjectsRequest loadSecurityObjectsRequest) throws Exception {
        if (SecurityObjectType.USER == loadSecurityObjectsRequest.getType()) {
            return loadSecurityObjectsRequest.getNames() != null ? (String[]) loadSecurityObjectsRequest.getNames().toArray(new String[loadSecurityObjectsRequest.getNames().size()]) : new String[0];
        }
        if (SecurityObjectType.USER_PROFILE != loadSecurityObjectsRequest.getType()) {
            String str = "unsupported security object type: " + loadSecurityObjectsRequest.getType();
            this.log.error(str);
            throw new Exception(str);
        }
        if (loadSecurityObjectsRequest.getNames() == null) {
            return new String[0];
        }
        String[] strArr = new String[loadSecurityObjectsRequest.getNames().size()];
        for (int i = 0; i < loadSecurityObjectsRequest.getNames().size(); i++) {
            strArr[i] = UserProfile.getUserAndProfileName(loadSecurityObjectsRequest.getNames().get(i))[0];
        }
        return strArr;
    }

    @Override // pl.edu.icm.yadda.aas.usercatalog.service.IUserCatalogService
    public EffectiveAttributesResponse queryEffectiveAttributes(EffectiveAttributesRequest effectiveAttributesRequest) {
        AbstractBackendAuthorizerAware.ObligationContext obligationContext = new AbstractBackendAuthorizerAware.ObligationContext();
        if (!isAccessEvaluationRequired(effectiveAttributesRequest.getSubjectType())) {
            return this.service.queryEffectiveAttributes(effectiveAttributesRequest);
        }
        HashMap hashMap = new HashMap();
        hashMap.put(BackendAuthorizerRequest.UNSUFFIXED_GENERIC_PARAM_VALUE, effectiveAttributesRequest.getSubject());
        if (!evaluateBackendAccess(new BackendAuthorizerRequest(ACTION_QUERY_ATTRS, "user", this.securityRequestHandler.extract(effectiveAttributesRequest), null, hashMap), obligationContext)) {
            this.log.warn("Permission not granted to query effective attributes!");
            return new EffectiveAttributesResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "Permission not granted to query effective attributes!"));
        }
        if (obligationContext.understoodAll()) {
            return this.service.queryEffectiveAttributes(effectiveAttributesRequest);
        }
        this.log.error("some obligations were not understood: " + obligationContext.getObligsCVS());
        return new EffectiveAttributesResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "some obligations were not understood"));
    }

    @Override // pl.edu.icm.yadda.aas.usercatalog.service.IUserCatalogService
    public BrowseSecurityObjectResponse browseObjects(BrowseSecurityObjectsRequest browseSecurityObjectsRequest) {
        AbstractBackendAuthorizerAware.ObligationContext obligationContext = new AbstractBackendAuthorizerAware.ObligationContext();
        if (!isAccessEvaluationRequired(browseSecurityObjectsRequest.getType())) {
            return this.service.browseObjects(browseSecurityObjectsRequest);
        }
        HashMap hashMap = null;
        if (browseSecurityObjectsRequest.getFilter() != null && browseSecurityObjectsRequest.getFilter().getType() == SecurityObjectFilter.FilterType.GROUP) {
            hashMap = new HashMap();
            hashMap.put(BackendAuthorizerRequest.UNSUFFIXED_GENERIC_PARAM_VALUE, browseSecurityObjectsRequest.getFilter().getFilter());
        }
        if (!evaluateBackendAccess(new BackendAuthorizerRequest(browseSecurityObjectsRequest.isLoadPasswords() ? ACTION_BROWSE_WITH_PASS : ACTION_BROWSE, "user", this.securityRequestHandler.extract(browseSecurityObjectsRequest), null, hashMap), obligationContext)) {
            this.log.warn("Permission not granted to perform browsing!");
            return new BrowseSecurityObjectResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "Permission not granted to perform browsing!"));
        }
        if (obligationContext.understoodAll()) {
            return this.service.browseObjects(browseSecurityObjectsRequest);
        }
        this.log.error("some obligations were not understood: " + obligationContext.getObligsCVS());
        return new BrowseSecurityObjectResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "some obligations were not understood"));
    }

    @Override // pl.edu.icm.yadda.aas.usercatalog.service.IUserCatalogService
    public BrowseSecurityObjectResponse fetchMoreObjects(FetchRequest fetchRequest) {
        if (!(fetchRequest.getCookie() instanceof UserCatalogCookie)) {
            String str = "Permission not granted to perform browsing! Unknown cookie instance: " + (fetchRequest.getCookie() != null ? fetchRequest.getCookie().getClass().getName() : "null");
            this.log.warn(str);
            return new BrowseSecurityObjectResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, str));
        }
        AbstractBackendAuthorizerAware.ObligationContext obligationContext = new AbstractBackendAuthorizerAware.ObligationContext();
        UserCatalogCookie userCatalogCookie = (UserCatalogCookie) fetchRequest.getCookie();
        if (!isAccessEvaluationRequired(userCatalogCookie.getType())) {
            return this.service.fetchMoreObjects(fetchRequest);
        }
        HashMap hashMap = null;
        if (userCatalogCookie.getFilter() != null && userCatalogCookie.getFilter().getType() == SecurityObjectFilter.FilterType.GROUP) {
            hashMap = new HashMap();
            hashMap.put(BackendAuthorizerRequest.UNSUFFIXED_GENERIC_PARAM_VALUE, userCatalogCookie.getFilter().getFilter());
        }
        if (!evaluateBackendAccess(new BackendAuthorizerRequest(ACTION_BROWSE, "user", this.securityRequestHandler.extract(fetchRequest), null, hashMap), obligationContext)) {
            this.log.warn("Permission not granted to perform fetching!");
            return new BrowseSecurityObjectResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "Permission not granted to perform fetching!"));
        }
        if (obligationContext.understoodAll()) {
            return this.service.fetchMoreObjects(fetchRequest);
        }
        this.log.error("some obligations were not understood: " + obligationContext.getObligsCVS());
        return new BrowseSecurityObjectResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "some obligations were not understood"));
    }

    @Override // pl.edu.icm.yadda.service2.IYaddaService
    public GetFeaturesResponse getFeatures(GetFeaturesRequest getFeaturesRequest) {
        GetFeaturesResponse features = this.service.getFeatures(getFeaturesRequest);
        features.getFeatures().add(SecurityConstants.FEATURE_REQUIRES_AUTHORIZATION);
        return features;
    }

    @Override // pl.edu.icm.yadda.service2.IYaddaService
    public GetVersionResponse getVersionResponse(GenericRequest genericRequest) {
        return new GetVersionResponse(VersionHelper.currentAPIVersion());
    }

    public void setService(IUserCatalogService iUserCatalogService) {
        this.service = iUserCatalogService;
    }

    public void setSecurityRequestHandler(ISecurityRequestHandler iSecurityRequestHandler) {
        this.securityRequestHandler = iSecurityRequestHandler;
    }
}
