package eu.etaxonomy.cdm.persistence.permission;

import eu.etaxonomy.cdm.model.common.CdmBase;
import eu.etaxonomy.cdm.model.permission.CRUD;
import eu.etaxonomy.cdm.model.permission.PermissionClass;
import java.io.Serializable;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Iterator;
import java.util.UUID;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Component;

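/**
 * Permission evaluator that decides whether an {@link Authentication} may perform
 * CRUD operations on CDM entities or entity types.
 *
 * <p>Holders of {@code Role.ROLE_ADMIN} are granted access directly; every other
 * request is delegated to the configured {@link AccessDecisionManager}.
 *
 * <p>All entry points fail closed: a missing authentication, a missing or unsupported
 * target object, an unparsable permission, or a missing decision manager results in
 * {@code false}. The single exception is documented on
 * {@link #hasPermission(Authentication, TargetEntityStates, EnumSet)}.
 */
@Component
/* loaded from: input_file:lib/cdmlib-persistence-5.45.0.jar:eu/etaxonomy/cdm/persistence/permission/CdmPermissionEvaluator.class */
public class CdmPermissionEvaluator implements ICdmPermissionEvaluator {
    protected static final Logger logger = LogManager.getLogger();
    private AccessDecisionManager accessDecisionManager;

    /**
     * @return the decision manager consulted for non-admin users; {@code null} until it has been set
     */
    public AccessDecisionManager getAccessDecisionManager() {
        return this.accessDecisionManager;
    }

    /**
     * @param accessDecisionManager the decision manager to consult for non-admin users
     */
    public void setAccessDecisionManager(AccessDecisionManager accessDecisionManager) {
        this.accessDecisionManager = accessDecisionManager;
    }

    /**
     * Identifier-based permission check. Not implemented: every request is denied and a
     * warning is logged, so expressions that rely on this overload never grant access.
     *
     * @return always {@code false}
     */
    @Override // org.springframework.security.access.PermissionEvaluator
    public boolean hasPermission(Authentication authentication, Serializable serializable, String str, Object obj) {
        logger.warn("UNINMPLEMENTED: hasPermission always returns false");
        return false;
    }

    /**
     * Checks a permission on a target object that is either a {@link CdmBase} or a
     * {@link TargetEntityStates}.
     *
     * @param authentication the current authentication; {@code null} is denied
     * @param obj the target object; {@code null} or any other type is denied
     * @param obj2 the required permission, either an operation set or its string form;
     *     {@code null} or an unparsable value is denied
     * @return {@code true} only if the permission is granted
     */
    @Override // org.springframework.security.access.PermissionEvaluator
    public boolean hasPermission(Authentication authentication, Object obj, Object obj2) {
        // Fail closed on every malformed request instead of letting a
        // NullPointerException or ClassCastException escape from an authorization check.
        if (authentication == null || obj == null || obj2 == null) {
            logger.debug("authentication, target object or permission is null => false");
            return false;
        }
        TargetEntityStates targetEntityStates;
        if (obj instanceof CdmBase) {
            targetEntityStates = new TargetEntityStates((CdmBase) obj);
        } else if (obj instanceof TargetEntityStates) {
            targetEntityStates = (TargetEntityStates) obj;
        } else {
            // Only the class name is logged; the object itself may carry caller-supplied content.
            logger.warn("unsupported target object type " + obj.getClass().getName() + " => false");
            return false;
        }
        if (logger.isDebugEnabled()) {
            CdmBase entity = targetEntityStates.getEntity();
            logUserAndRequirement(authentication, obj2.toString(), "  Object: " + (entity == null ? "null" : entity.instanceToString()));
        }
        try {
            return hasPermission(authentication, targetEntityStates, operationFrom(obj2));
        } catch (IllegalArgumentException e) {
            // The message now matches the outcome: an unparsable permission is denied.
            logger.debug("permission string '" + obj2.toString() + "' not parsable => false");
            return false;
        }
    }

    /**
     * Checks the given operations on an entity by wrapping it in a {@link TargetEntityStates}.
     */
    @Override // eu.etaxonomy.cdm.persistence.permission.ICdmPermissionEvaluator
    public boolean hasPermission(Authentication authentication, CdmBase cdmBase, EnumSet<CRUD> enumSet) {
        return hasPermission(authentication, new TargetEntityStates(cdmBase), enumSet);
    }

    /**
     * Checks the given operations on the entity held by {@code targetEntityStates}.
     *
     * <p>When the authority derived from the entity has no permission class, evaluation is
     * skipped and access is <em>granted</em>. This is the one fail-open path in this class.
     *
     * @return {@code false} if {@code authentication} or {@code targetEntityStates} is
     *     {@code null}, otherwise the outcome described above
     */
    @Override // eu.etaxonomy.cdm.persistence.permission.ICdmPermissionEvaluator
    public boolean hasPermission(Authentication authentication, TargetEntityStates targetEntityStates, EnumSet<CRUD> enumSet) {
        if (authentication == null || targetEntityStates == null) {
            return false;
        }
        CdmAuthority authorityRequiredFor = authorityRequiredFor(targetEntityStates.getEntity(), enumSet);
        if (authorityRequiredFor.getPermissionClass() != null) {
            logger.debug("starting evaluation => ...");
            return evalPermission(authentication, authorityRequiredFor, targetEntityStates);
        }
        // NOTE(review): entities without a permission class are allowed for any authenticated
        // caller. Presumably intentional for types that are not access controlled; confirm that
        // every sensitive entity type maps to a PermissionClass.
        logger.debug("skipping evaluation => true");
        return true;
    }

    /**
     * Checks the given operations on an entity type rather than on a concrete entity.
     *
     * <p>A throw-away instance of {@code cls} is created through its no-argument constructor
     * so that the regular evaluation path can be used. Any failure to create it is denied.
     *
     * @return {@code false} if {@code authentication} or {@code cls} is {@code null} or the
     *     test instance cannot be created, otherwise the evaluation result
     */
    @Override // eu.etaxonomy.cdm.persistence.permission.ICdmPermissionEvaluator
    public <T extends CdmBase> boolean hasPermission(Authentication authentication, Class<T> cls, EnumSet<CRUD> enumSet) {
        if (authentication == null || cls == null) {
            return false;
        }
        if (logger.isDebugEnabled()) {
            logUserAndRequirement(authentication, String.valueOf(enumSet), "  Cdm-Type: " + cls.getSimpleName());
        }
        CdmAuthority cdmAuthority = new CdmAuthority(PermissionClass.getValueOf(cls), (String) null, enumSet, (UUID) null);
        try {
            Constructor<T> declaredConstructor = cls.getDeclaredConstructor();
            // Access checks are suppressed so that non-public no-arg constructors can be used.
            // The constructor body runs before any permission decision has been made, so
            // callers should only pass entity classes they control.
            declaredConstructor.setAccessible(true);
            return evalPermission(authentication, cdmAuthority, new TargetEntityStates(declaredConstructor.newInstance()));
        } catch (ReflectiveOperationException | IllegalArgumentException | SecurityException e) {
            logger.error("Error while creating permission test instance ==> will deny", e);
            return false;
        }
    }

    /**
     * Writes the user name, the user's granted authorities and the requested permission to
     * the debug log.
     *
     * <p>The user name and authority strings are written as given, so the debug log should
     * be treated as containing caller-influenced text.
     *
     * @param authentication the authentication whose name and authorities are logged
     * @param str the requested permission
     * @param str2 a pre-formatted description of the target
     */
    protected void logUserAndRequirement(Authentication authentication, String str, String str2) {
        StringBuilder sb = new StringBuilder();
        for (GrantedAuthority grantedAuthority : authentication.getAuthorities()) {
            sb.append("    - ").append(grantedAuthority.getAuthority()).append("\n");
        }
        if (sb.length() == 0) {
            sb.append("    - ").append("<No GrantedAuthority given>").append("\n");
        }
        logger.debug("hasPermission()\n  User '" + authentication.getName() + "':\n" + sb + str2 + "\n  Permission: " + str);
    }

    /**
     * Converts a permission object into a set of CRUD operations.
     *
     * @param obj an operation set, or an object whose string form names an operation
     * @return the operations requested
     */
    @SuppressWarnings("unchecked")
    protected EnumSet<CRUD> operationFrom(Object obj) {
        if (eu.etaxonomy.cdm.model.permission.Operation.isOperation(obj)) {
            // Unchecked cast: relies on isOperation() having verified the runtime type
            // (presumably an EnumSet of CRUD; confirm against Operation).
            return (EnumSet<CRUD>) obj;
        }
        // The caller treats an IllegalArgumentException from here as "not parsable => deny".
        return eu.etaxonomy.cdm.model.permission.Operation.fromString(obj.toString());
    }

    /** Builds the authority a user must hold to perform {@code enumSet} on {@code cdmBase}. */
    private CdmAuthority authorityRequiredFor(CdmBase cdmBase, EnumSet<CRUD> enumSet) {
        return new CdmAuthority(cdmBase, enumSet);
    }

    /**
     * Grants access to admins directly and otherwise asks the {@link AccessDecisionManager}.
     *
     * @return {@code true} if the user is an admin or the decision manager does not object;
     *     {@code false} if it denies or if no decision manager is configured
     */
    private boolean evalPermission(Authentication authentication, CdmAuthority cdmAuthority, TargetEntityStates targetEntityStates) {
        if (hasOneOfRoles(authentication, Role.ROLE_ADMIN)) {
            return true;
        }
        if (this.accessDecisionManager == null) {
            // A wiring mistake must not surface as a NullPointerException inside an
            // authorization decision; deny and make the misconfiguration visible.
            logger.error("No AccessDecisionManager configured ==> will deny");
            return false;
        }
        // Kept as a raw set, as in the original: the element type expected by decide() is
        // not imported in this file.
        HashSet hashSet = new HashSet();
        hashSet.add(cdmAuthority);
        logger.debug("AccessDecisionManager will decide ...");
        try {
            this.accessDecisionManager.decide(authentication, targetEntityStates, hashSet);
            return true;
        } catch (AccessDeniedException | InsufficientAuthenticationException e) {
            logger.debug("AccessDecisionManager denied by " + e, (Throwable) e);
            return false;
        }
    }

    /**
     * Tests whether the authentication holds at least one of the given roles, comparing
     * authority strings for exact equality.
     *
     * @param authentication the authentication to inspect; {@code null} holds no role
     * @param roleArr the candidate roles; {@code null} entries are ignored
     * @return {@code true} if any granted authority equals the authority of any given role
     */
    @Override // eu.etaxonomy.cdm.persistence.permission.ICdmPermissionEvaluator
    public boolean hasOneOfRoles(Authentication authentication, Role... roleArr) {
        if (authentication == null || roleArr == null) {
            return false;
        }
        for (GrantedAuthority grantedAuthority : authentication.getAuthorities()) {
            // An authority without a string form can never match a role, and must not be
            // allowed to match a role whose authority is also null.
            String granted = grantedAuthority == null ? null : grantedAuthority.getAuthority();
            if (granted == null) {
                continue;
            }
            for (Role role : roleArr) {
                if (role != null && granted.equals(role.getAuthority())) {
                    if (logger.isDebugEnabled()) {
                        logger.debug(role.getAuthority() + " found => true");
                    }
                    return true;
                }
            }
        }
        return false;
    }
}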
