package pl.edu.icm.yadda.aas.proxy.user;

import java.util.HashMap;
import org.opensaml.lite.common.SAMLObject;
import pl.edu.icm.yadda.aas.audit.user.IIdExtractor;
import pl.edu.icm.yadda.aas.audit.user.IdExtractorException;
import pl.edu.icm.yadda.aas.client.backend.BackendAuthorizerRequest;
import pl.edu.icm.yadda.aas.handler.HeaderFieldBasedSecurityRequestHandler;
import pl.edu.icm.yadda.aas.handler.ISecurityRequestHandler;
import pl.edu.icm.yadda.aas.proxy.AbstractBackendAuthorizerAware;
import pl.edu.icm.yadda.aas.proxy.SecurityConstants;
import pl.edu.icm.yadda.aas.usercatalog.model.AbstractNamedObject;
import pl.edu.icm.yadda.aas.usercatalog.model.User;
import pl.edu.icm.yadda.aas.usercatalog.service.AlterGroupMembershipRequest;
import pl.edu.icm.yadda.aas.usercatalog.service.AlterGroupMembershipResponse;
import pl.edu.icm.yadda.aas.usercatalog.service.AlterUserRequest;
import pl.edu.icm.yadda.aas.usercatalog.service.AlterUserResponse;
import pl.edu.icm.yadda.aas.usercatalog.service.DeleteSecurityObjectRequest;
import pl.edu.icm.yadda.aas.usercatalog.service.DeleteSecurityObjectResponse;
import pl.edu.icm.yadda.aas.usercatalog.service.IUserEditorService;
import pl.edu.icm.yadda.aas.usercatalog.service.StoreSecurityObjectRequest;
import pl.edu.icm.yadda.aas.usercatalog.service.StoreSecurityObjectResponse;
import pl.edu.icm.yadda.service2.GenericRequest;
import pl.edu.icm.yadda.service2.GetFeaturesRequest;
import pl.edu.icm.yadda.service2.GetFeaturesResponse;
import pl.edu.icm.yadda.service2.GetVersionResponse;
import pl.edu.icm.yadda.service2.VersionHelper;
import pl.edu.icm.yadda.service2.YaddaError;
import pl.edu.icm.yadda.service2.YaddaErrorCodeConstants;
import pl.edu.icm.yadda.tools.encoding2.PasswordEncoder;

/* loaded from: input_file:WEB-INF/lib/yadda-aas2-common-0.4.5.jar:pl/edu/icm/yadda/aas/proxy/user/SecuredUserEditorService.class */
/**
 * Authorizing front for an {@link IUserEditorService}.
 *
 * <p>Every mutating call builds a {@link BackendAuthorizerRequest} for the resource type
 * {@code "user"}, hands it to {@code evaluateBackendAccess} (declared outside this file) and
 * delegates to the wrapped service only when access is granted and every obligation collected
 * in the {@code ObligationContext} was understood. Either failure yields a response carrying
 * {@link YaddaErrorCodeConstants#ERROR_AUTH} and the delegate is not called.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Password encoding is best effort. With no {@link PasswordEncoder} injected, the password
 *       is forwarded to the delegate unchanged and only a warning is logged.</li>
 *   <li>{@link #alterUser} performs no authorization call when the request carries neither a
 *       password nor an enabled flag.</li>
 *   <li>Creator attribution in {@link #setCreatorAttr} is best effort. When the caller id cannot
 *       be extracted, the object is still stored and any {@code "creator"} attribute already
 *       present on it is left untouched.</li>
 * </ul>
 */
public class SecuredUserEditorService extends AbstractSecuredUserCommonService implements IUserEditorService {
    // Action names sent to the backend authorizer; policies are presumably keyed on these
    // exact strings (the policy side is not visible here), so they must not change.
    protected static final String ACTION_STORE_BARE_USER = "store-bare-user";
    protected static final String ACTION_OVERWRITE_BARE_USER = "overwrite-bare-user";
    protected static final String ACTION_STORE_STRICT = "store-strict";
    protected static final String ACTION_DELETE = "delete";
    protected static final String ACTION_ALTER_PASSWORD = "alter-password";
    protected static final String ACTION_ALTER_ENABLED = "alter-enabled";
    protected static final String ACTION_ALTER_GROUP_MEMB = "alter-group-membership";
    /** Attribute name under which the id of the storing caller is recorded. */
    public static final String SECURITY_OBJECT_ATTR_CREATOR = "creator";
    /** Resource type used in every authorization request built by this class. */
    private static final String RESOURCE_USER = "user";
    /** Error text returned when the authorizer attached an obligation this layer did not handle. */
    private static final String MSG_OBLIGATIONS_NOT_UNDERSTOOD = "some obligations were not understood";
    private IUserEditorService service;
    private PasswordEncoder passwordEncoder;
    private IIdExtractor userIdExtractor;
    private ISecurityRequestHandler securityRequestHandler = new HeaderFieldBasedSecurityRequestHandler();

    /**
     * Stores a security object after an authorization check.
     *
     * <p>The action is chosen by {@link #getActionType}. The target user name is passed to the
     * authorizer only for {@code overwrite-bare-user}; for the other two actions the parameter
     * map is {@code null}. Once authorized, the password is encoded and the creator attribute
     * is set before the delegate is called.
     *
     * @param storeSecurityObjectRequest the store request; a {@code null} request is not guarded
     *        here and fails in {@link #getActionType}
     * @return the delegate's response, or an {@code ERROR_AUTH} response when access is denied
     *         or an obligation was not understood
     */
    @Override // pl.edu.icm.yadda.aas.usercatalog.service.IUserEditorService
    public StoreSecurityObjectResponse storeObject(StoreSecurityObjectRequest storeSecurityObjectRequest) {
        final String action = getActionType(storeSecurityObjectRequest);
        HashMap authzParams = null;
        if (ACTION_OVERWRITE_BARE_USER.equals(action)) {
            // Only an overwrite tells the authorizer which user is being replaced.
            authzParams = new HashMap();
            authzParams.put(BackendAuthorizerRequest.UNSUFFIXED_GENERIC_PARAM_VALUE, ((User) storeSecurityObjectRequest.getValue()).getName());
        }
        AbstractBackendAuthorizerAware.ObligationContext obligations = new AbstractBackendAuthorizerAware.ObligationContext();
        BackendAuthorizerRequest authzRequest = new BackendAuthorizerRequest(action, RESOURCE_USER, this.securityRequestHandler.extract(storeSecurityObjectRequest), null, authzParams);
        if (!evaluateBackendAccess(authzRequest, obligations)) {
            final String denied = "Permission not granted to store security object!";
            this.log.warn(denied);
            return new StoreSecurityObjectResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, denied));
        }
        if (!obligations.understoodAll()) {
            // Fail closed: a grant with an unhandled obligation is treated as a denial.
            this.log.error(MSG_OBLIGATIONS_NOT_UNDERSTOOD + ": " + obligations.getObligsCVS());
            return new StoreSecurityObjectResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, MSG_OBLIGATIONS_NOT_UNDERSTOOD));
        }
        return this.service.storeObject(setCreatorAttr(encodePassword(storeSecurityObjectRequest)));
    }

    /**
     * Replaces the password of a {@link User} payload with its encoded form, in place.
     *
     * <p>Requests that are {@code null}, have no value, or carry something other than a
     * {@link User} pass through untouched. If no encoder is configured, or the user has no
     * password, a warning is logged and the request is returned as it came in.
     * NOTE(review): with no encoder the caller-supplied password reaches the delegate as
     * given; whether the delegate persists it in that form is not visible here. What
     * {@code PasswordEncoder.encodePassword} produces is also not visible here.
     *
     * @param storeSecurityObjectRequest the request to process, may be {@code null}
     * @return the same request instance
     */
    protected StoreSecurityObjectRequest encodePassword(StoreSecurityObjectRequest storeSecurityObjectRequest) {
        if (storeSecurityObjectRequest == null) {
            return storeSecurityObjectRequest;
        }
        Object payload = storeSecurityObjectRequest.getValue();
        if (!(payload instanceof User)) {
            // instanceof is false for null, so this also covers a missing value.
            return storeSecurityObjectRequest;
        }
        if (this.passwordEncoder == null) {
            this.log.warn("passwordEncoder is not set therefore password will not be encoded!");
            return storeSecurityObjectRequest;
        }
        User user = (User) payload;
        if (user.getPassword() == null) {
            this.log.warn("cannot encode: no password set for user " + user.getName());
            return storeSecurityObjectRequest;
        }
        user.setPassword(this.passwordEncoder.encodePassword(user.getPassword()));
        return storeSecurityObjectRequest;
    }

    /**
     * Records the id of the calling principal as the {@code "creator"} attribute of the payload.
     *
     * <p>The id is taken from the first object returned by the security request handler, passed
     * through {@code userIdExtractor}. All failure paths only log: the request is returned
     * regardless, so {@link #storeObject} goes on to store the object. On those paths an
     * existing {@code "creator"} attribute on the payload is not cleared or overwritten.
     * {@code userIdExtractor} is used without a null check.
     *
     * @param storeSecurityObjectRequest the request to annotate, may be {@code null}
     * @return the same request instance, or {@code null} when given {@code null}
     */
    protected StoreSecurityObjectRequest setCreatorAttr(StoreSecurityObjectRequest storeSecurityObjectRequest) {
        if (storeSecurityObjectRequest == null) {
            return null;
        }
        Object payload = storeSecurityObjectRequest.getValue();
        if (!(payload instanceof AbstractNamedObject)) {
            this.log.warn("couldn't set creator attribute for object: " + payload);
            return storeSecurityObjectRequest;
        }
        try {
            SAMLObject[] assertions = this.securityRequestHandler.extract(storeSecurityObjectRequest);
            // Only the first extracted object is consulted; an empty result is passed on as null.
            SAMLObject first = (assertions != null && assertions.length > 0) ? assertions[0] : null;
            String creatorId = this.userIdExtractor.extractId(first);
            if (creatorId == null) {
                this.log.error("couldn't attach user id as creator: got null user id from extractor!");
            } else {
                ((AbstractNamedObject) payload).setAttribute(SECURITY_OBJECT_ATTR_CREATOR, creatorId);
            }
        } catch (IdExtractorException e) {
            this.log.error("couldn't attach user id as creator!", e);
        }
        return storeSecurityObjectRequest;
    }

    /**
     * Picks the authorizer action for a store request.
     *
     * <p>A payload that is not a {@link User}, or a user with any attribute, group, licence or
     * role, maps to {@code store-strict}. A user with all four collections empty maps to
     * {@code overwrite-bare-user} when the request allows overwriting and to
     * {@code store-bare-user} otherwise.
     *
     * @param storeSecurityObjectRequest the store request, must not be {@code null}
     * @return one of the three store action names
     */
    protected String getActionType(StoreSecurityObjectRequest storeSecurityObjectRequest) {
        if (!(storeSecurityObjectRequest.getValue() instanceof User)) {
            return ACTION_STORE_STRICT;
        }
        User user = (User) storeSecurityObjectRequest.getValue();
        boolean bare = user.getAttributes().isEmpty()
                && user.getGroups().isEmpty()
                && user.getLicenses().isEmpty()
                && user.getRoles().isEmpty();
        if (!bare) {
            return ACTION_STORE_STRICT;
        }
        return storeSecurityObjectRequest.isAllowOverwrite() ? ACTION_OVERWRITE_BARE_USER : ACTION_STORE_BARE_USER;
    }

    /**
     * Deletes a security object after an authorization check for the {@code delete} action.
     *
     * <p>The authorizer receives the object name and the name of its type as parameters.
     *
     * @param deleteSecurityObjectRequest the delete request; its type must be non-null
     * @return the delegate's response, or an {@code ERROR_AUTH} response when access is denied
     *         or an obligation was not understood
     */
    @Override // pl.edu.icm.yadda.aas.usercatalog.service.IUserEditorService
    public DeleteSecurityObjectResponse deleteObject(DeleteSecurityObjectRequest deleteSecurityObjectRequest) {
        HashMap authzParams = new HashMap();
        authzParams.put(BackendAuthorizerRequest.UNSUFFIXED_GENERIC_PARAM_VALUE, deleteSecurityObjectRequest.getName());
        authzParams.put(AbstractSecuredUserCommonService.SECURITY_DATA_TYPE_FIELD, deleteSecurityObjectRequest.getType().getName());
        AbstractBackendAuthorizerAware.ObligationContext obligations = new AbstractBackendAuthorizerAware.ObligationContext();
        BackendAuthorizerRequest authzRequest = new BackendAuthorizerRequest(ACTION_DELETE, RESOURCE_USER, this.securityRequestHandler.extract(deleteSecurityObjectRequest), null, authzParams);
        if (!evaluateBackendAccess(authzRequest, obligations)) {
            final String denied = "Permission not granted to delete security object!";
            this.log.warn(denied);
            return new DeleteSecurityObjectResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, denied));
        }
        if (!obligations.understoodAll()) {
            this.log.error(MSG_OBLIGATIONS_NOT_UNDERSTOOD + ": " + obligations.getObligsCVS());
            return new DeleteSecurityObjectResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, MSG_OBLIGATIONS_NOT_UNDERSTOOD));
        }
        return this.service.deleteObject(deleteSecurityObjectRequest);
    }

    /**
     * Changes a user's password and/or enabled flag, authorizing each change separately.
     *
     * <p>A non-null password requires the {@code alter-password} action and a non-null enabled
     * flag requires {@code alter-enabled}; both checks share one {@code ObligationContext}.
     * The password is encoded in place right after its own check passes, so a request denied
     * at the enabled check has already had its password replaced (it is not forwarded).
     * NOTE(review): when both fields are {@code null} no authorization call is made and the
     * request is delegated as is; whether {@code AlterUserRequest} carries other fields the
     * delegate acts on is not visible here.
     * NOTE(review): with no encoder configured the password is forwarded unchanged.
     *
     * @param alterUserRequest the alteration request, must not be {@code null}
     * @return the delegate's response, or an {@code ERROR_AUTH} response when a check is denied
     *         or an obligation was not understood
     */
    @Override // pl.edu.icm.yadda.aas.usercatalog.service.IUserEditorService
    public AlterUserResponse alterUser(AlterUserRequest alterUserRequest) {
        AbstractBackendAuthorizerAware.ObligationContext obligations = new AbstractBackendAuthorizerAware.ObligationContext();
        HashMap authzParams = new HashMap();
        authzParams.put(BackendAuthorizerRequest.UNSUFFIXED_GENERIC_PARAM_VALUE, alterUserRequest.getUser());

        if (alterUserRequest.getPassword() != null) {
            BackendAuthorizerRequest passwordCheck = new BackendAuthorizerRequest(ACTION_ALTER_PASSWORD, RESOURCE_USER, this.securityRequestHandler.extract(alterUserRequest), null, authzParams);
            if (!evaluateBackendAccess(passwordCheck, obligations)) {
                final String denied = "Permission not granted to alter user's password!";
                this.log.warn(denied);
                return new AlterUserResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, denied));
            }
            if (!obligations.understoodAll()) {
                this.log.error(MSG_OBLIGATIONS_NOT_UNDERSTOOD + ": " + obligations.getObligsCVS());
                return new AlterUserResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, MSG_OBLIGATIONS_NOT_UNDERSTOOD));
            }
            if (this.passwordEncoder == null) {
                this.log.warn("passwordEncoder is not set therefore password will not be encoded!");
            } else {
                alterUserRequest.setPassword(this.passwordEncoder.encodePassword(alterUserRequest.getPassword()));
            }
        }

        if (alterUserRequest.getEnabled() != null) {
            BackendAuthorizerRequest enabledCheck = new BackendAuthorizerRequest(ACTION_ALTER_ENABLED, RESOURCE_USER, this.securityRequestHandler.extract(alterUserRequest), null, authzParams);
            if (!evaluateBackendAccess(enabledCheck, obligations)) {
                final String denied = "Permission not granted to alter user's enabled state!";
                this.log.warn(denied);
                return new AlterUserResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, denied));
            }
            if (!obligations.understoodAll()) {
                this.log.error(MSG_OBLIGATIONS_NOT_UNDERSTOOD + ": " + obligations.getObligsCVS());
                return new AlterUserResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, MSG_OBLIGATIONS_NOT_UNDERSTOOD));
            }
        }

        return this.service.alterUser(alterUserRequest);
    }

    /**
     * Alters group membership after an authorization check for {@code alter-group-membership}.
     *
     * <p>The authorizer receives the group from the request as its only parameter.
     *
     * @param alterGroupMembershipRequest the membership change, must not be {@code null}
     * @return the delegate's response, or an {@code ERROR_AUTH} response when access is denied
     *         or an obligation was not understood
     */
    @Override // pl.edu.icm.yadda.aas.usercatalog.service.IUserEditorService
    public AlterGroupMembershipResponse alterGroupMembership(AlterGroupMembershipRequest alterGroupMembershipRequest) {
        AbstractBackendAuthorizerAware.ObligationContext obligations = new AbstractBackendAuthorizerAware.ObligationContext();
        HashMap authzParams = new HashMap();
        authzParams.put(BackendAuthorizerRequest.UNSUFFIXED_GENERIC_PARAM_VALUE, alterGroupMembershipRequest.getGroup());
        BackendAuthorizerRequest authzRequest = new BackendAuthorizerRequest(ACTION_ALTER_GROUP_MEMB, RESOURCE_USER, this.securityRequestHandler.extract(alterGroupMembershipRequest), null, authzParams);
        if (!evaluateBackendAccess(authzRequest, obligations)) {
            final String denied = "Permission not granted to alter group membership!";
            this.log.warn(denied);
            return new AlterGroupMembershipResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, denied));
        }
        if (!obligations.understoodAll()) {
            this.log.error(MSG_OBLIGATIONS_NOT_UNDERSTOOD + ": " + obligations.getObligsCVS());
            return new AlterGroupMembershipResponse(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, MSG_OBLIGATIONS_NOT_UNDERSTOOD));
        }
        return this.service.alterGroupMembership(alterGroupMembershipRequest);
    }

    /**
     * Returns the delegate's feature list with the requires-authorization marker appended.
     *
     * <p>The marker is added to the collection held by the delegate's response object; no
     * authorization check is performed for this call.
     *
     * @param getFeaturesRequest the feature query forwarded to the delegate
     * @return the delegate's response, modified in place
     */
    @Override // pl.edu.icm.yadda.service2.IYaddaService
    public GetFeaturesResponse getFeatures(GetFeaturesRequest getFeaturesRequest) {
        GetFeaturesResponse delegateFeatures = this.service.getFeatures(getFeaturesRequest);
        delegateFeatures.getFeatures().add(SecurityConstants.FEATURE_REQUIRES_AUTHORIZATION);
        return delegateFeatures;
    }

    /**
     * Reports the current API version from {@link VersionHelper}; the delegate is not consulted.
     *
     * @param genericRequest unused
     * @return a response carrying the current API version
     */
    @Override // pl.edu.icm.yadda.service2.IYaddaService
    public GetVersionResponse getVersionResponse(GenericRequest genericRequest) {
        return new GetVersionResponse(VersionHelper.currentAPIVersion());
    }

    /**
     * Injects the wrapped service that performs the actual catalogue changes.
     *
     * @param iUserEditorService the delegate
     */
    public void setService(IUserEditorService iUserEditorService) {
        this.service = iUserEditorService;
    }

    /**
     * Injects the encoder applied to passwords before they reach the delegate. Leaving it
     * unset means passwords are forwarded unchanged (a warning is logged on each such call).
     *
     * @param passwordEncoder the encoder, or {@code null} to disable encoding
     */
    public void setPasswordEncoder(PasswordEncoder passwordEncoder) {
        this.passwordEncoder = passwordEncoder;
    }

    /**
     * Injects the extractor used by {@link #setCreatorAttr} to derive the caller id.
     *
     * @param iIdExtractor the extractor; it is dereferenced without a null check
     */
    public void setUserIdExtractor(IIdExtractor iIdExtractor) {
        this.userIdExtractor = iIdExtractor;
    }

    /**
     * Replaces the handler that extracts security objects from incoming requests; the default
     * is a {@link HeaderFieldBasedSecurityRequestHandler}.
     *
     * @param iSecurityRequestHandler the handler to use
     */
    public void setSecurityRequestHandler(ISecurityRequestHandler iSecurityRequestHandler) {
        this.securityRequestHandler = iSecurityRequestHandler;
    }
}
