package eu.etaxonomy.cdm.api.util;

import eu.etaxonomy.cdm.api.application.CdmRepository;
import eu.etaxonomy.cdm.api.application.RunAsAuthenticator;
import eu.etaxonomy.cdm.model.ICdmEntityUuidCacher;
import eu.etaxonomy.cdm.model.common.CdmBase;
import eu.etaxonomy.cdm.model.permission.CRUD;
import eu.etaxonomy.cdm.model.permission.GrantedAuthorityImpl;
import eu.etaxonomy.cdm.model.permission.PermissionClass;
import eu.etaxonomy.cdm.model.permission.User;
import eu.etaxonomy.cdm.persistence.permission.CdmAuthority;
import eu.etaxonomy.cdm.persistence.permission.CdmAuthorityParsingException;
import eu.etaxonomy.cdm.persistence.permission.ICdmPermissionEvaluator;
import eu.etaxonomy.cdm.persistence.permission.PermissionDeniedException;
import eu.etaxonomy.cdm.persistence.permission.Role;
import java.io.Serializable;
import java.util.Collection;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Iterator;
import java.util.UUID;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Lazy;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.transaction.TransactionStatus;

/* loaded from: input_file:lib/cdmlib-services-5.45.0.jar:eu/etaxonomy/cdm/api/util/CdmUserHelper.class */
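/**
 * {@link UserHelper} implementation that reads the current Spring Security
 * {@link Authentication}, delegates permission checks to the
 * {@link ICdmPermissionEvaluator}, and grants or revokes {@link CdmAuthority}
 * entries on users through the {@link CdmRepository}.
 *
 * <p>Security-relevant behaviour to keep in mind when calling this class:
 * <ul>
 *   <li>Granting and revoking run under a temporary {@code ROLE_USER_MANAGER}
 *       authentication, which is always restored afterwards.</li>
 *   <li>After a grant or revoke, the thread's {@link SecurityContextHolder}
 *       context is replaced by a token built from the user that was loaded by
 *       name (see {@link #refreshSecurityContext(User, String)}).</li>
 *   <li>Reads go through {@link #currentSecurityContext()}, which honours an
 *       optional {@link SecurityContextAccess}; the refresh and {@link #logout()}
 *       write to {@link SecurityContextHolder} directly.</li>
 * </ul>
 */
public class CdmUserHelper implements UserHelper, Serializable {
    private static final long serialVersionUID = -2521474709047255979L;
    private static final Logger logger = LogManager.getLogger();

    @Autowired
    private ICdmPermissionEvaluator permissionEvaluator;

    @Autowired
    @Lazy
    @Qualifier("cdmRepository")
    private CdmRepository repo;

    // Stored by setRunAsAuthenticationProvider(); not read anywhere else in this class.
    private AuthenticationProvider runAsAuthenticationProvider;
    private RunAsAuthenticator runAsAutheticator = new RunAsAuthenticator();
    // Optional override for where the SecurityContext is read from; null means SecurityContextHolder.
    private SecurityContextAccess securityContextAccess;

    /**
     * Variant of the enclosing helper that resolves entities through an
     * {@link ICdmEntityUuidCacher} before falling back to the repository.
     *
     * <p>Only {@link #repo()} and {@link #permissionEvaluator()} are delegated to the
     * enclosing instance. This instance keeps its own {@code runAsAutheticator} (a fresh
     * {@link RunAsAuthenticator}) and its own {@code securityContextAccess} (null until set).
     * NOTE(review): nothing visible here passes the run-as authentication provider to that
     * fresh authenticator, so confirm that {@code createAuthorityFor} and
     * {@code removeAuthorityForUser} work on an instance obtained via {@code withCache}.
     */
    class CachingCdmUserHelper extends CdmUserHelper {
        private static final long serialVersionUID = -5010082174809972831L;
        private ICdmEntityUuidCacher cache;

        /**
         * @param iCdmEntityUuidCacher the cache consulted by {@code entity(Class, UUID)}
         */
        public CachingCdmUserHelper(ICdmEntityUuidCacher iCdmEntityUuidCacher) {
            this.cache = iCdmEntityUuidCacher;
        }

        /** @return the cache handed to the constructor */
        @Override
        public ICdmEntityUuidCacher getCache() {
            return this.cache;
        }

        /** @return the repository injected into the enclosing helper */
        @Override
        protected CdmRepository repo() {
            return CdmUserHelper.this.repo;
        }

        /** @return the permission evaluator injected into the enclosing helper */
        @Override
        protected ICdmPermissionEvaluator permissionEvaluator() {
            return CdmUserHelper.this.permissionEvaluator;
        }
    }

    /**
     * Injects the optional run-as authentication provider and forwards it to the
     * {@link RunAsAuthenticator} used for grant and revoke operations.
     *
     * @param authenticationProvider the provider; may be absent in the application context
     */
    @Autowired(required = false)
    @Qualifier("runAsAuthenticationProvider")
    public void setRunAsAuthenticationProvider(AuthenticationProvider authenticationProvider) {
        this.runAsAuthenticationProvider = authenticationProvider;
        this.runAsAutheticator.setRunAsAuthenticationProvider(authenticationProvider);
    }

    /** @return the permission evaluator used for all {@code userHasPermission} checks */
    protected ICdmPermissionEvaluator permissionEvaluator() {
        return this.permissionEvaluator;
    }

    /** @return the repository used for entity lookup, user lookup and transactions */
    protected CdmRepository repo() {
        return this.repo;
    }

    /**
     * Tells whether a real (non-anonymous) user is authenticated.
     *
     * <p>Any {@link AnonymousAuthenticationToken}, including subclasses, counts as not
     * authenticated, which matches the {@code instanceof} test in {@link #userIsAnnonymous()}.
     *
     * @return {@code true} only for a non-anonymous authentication that reports itself authenticated
     */
    @Override
    public boolean userIsAutheticated() {
        Authentication authentication = getAuthentication();
        if (authentication == null || authentication instanceof AnonymousAuthenticationToken) {
            return false;
        }
        return authentication.isAuthenticated();
    }

    /**
     * @return {@code true} if the current authentication is an authenticated
     *         {@link AnonymousAuthenticationToken}
     */
    @Override
    public boolean userIsAnnonymous() {
        Authentication authentication = getAuthentication();
        return authentication != null && authentication.isAuthenticated() && (authentication instanceof AnonymousAuthenticationToken);
    }

    /**
     * @return the principal of the current authentication if it is a CDM {@link User},
     *         otherwise {@code null}
     */
    @Override
    public User user() {
        Authentication authentication = getAuthentication();
        if (authentication == null) {
            return null;
        }
        Object principal = authentication.getPrincipal();
        // instanceof is false for null, so a missing principal also yields null.
        return principal instanceof User ? (User) principal : null;
    }

    /** @return the name of the current authentication, or {@code null} if there is none */
    @Override
    public String userName() {
        Authentication authentication = getAuthentication();
        return authentication != null ? authentication.getName() : null;
    }

    /**
     * @return {@code true} if the current authentication holds the {@code ROLE_ADMIN} authority;
     *         {@code false} if there is no authentication
     */
    @Override
    public boolean userIsAdmin() {
        Authentication authentication = getAuthentication();
        if (authentication == null) {
            return false;
        }
        String adminAuthority = Role.ROLE_ADMIN.getAuthority();
        // Compare from the constant side so an authority whose string is null cannot raise an NPE.
        return authentication.getAuthorities().stream()
                .anyMatch(grantedAuthority -> adminAuthority != null && adminAuthority.equals(grantedAuthority.getAuthority()));
    }

    /**
     * @param iRoleProber the prober that inspects the current authentication
     * @return whatever the prober reports; the authentication passed to it may be {@code null}
     */
    @Override
    public boolean userIs(IRoleProber iRoleProber) {
        return iRoleProber.checkForRole(getAuthentication());
    }

    /**
     * Checks the current authentication against an entity.
     *
     * @param cdmBase the entity to check
     * @param objArr  operations whose {@code toString()} must name a {@link CRUD} constant
     * @return the evaluator's verdict; a {@link PermissionDeniedException} is reported as {@code false}
     * @throws IllegalArgumentException if an element of {@code objArr} does not name a {@link CRUD} constant
     */
    @Override
    public boolean userHasPermission(CdmBase cdmBase, Object... objArr) {
        try {
            return permissionEvaluator().hasPermission(getAuthentication(), cdmBase, crudSetFromArgs(objArr));
        } catch (PermissionDeniedException e) {
            return false;
        }
    }

    /**
     * Checks the current authentication against the entity identified by type and UUID.
     *
     * @param cls    the expected entity type
     * @param uuid   the entity UUID; resolved via {@link #entity(Class, UUID)}, which may return {@code null}
     * @param objArr operations whose {@code toString()} must name a {@link CRUD} constant
     * @return the evaluator's verdict; a {@link PermissionDeniedException} is reported as {@code false}
     * @throws IllegalArgumentException if an element of {@code objArr} does not name a {@link CRUD} constant
     */
    @Override
    public boolean userHasPermission(Class<? extends CdmBase> cls, UUID uuid, Object... objArr) {
        EnumSet<CRUD> requiredOperations = crudSetFromArgs(objArr);
        try {
            return permissionEvaluator().hasPermission(getAuthentication(), entity(cls, uuid), requiredOperations);
        } catch (PermissionDeniedException e) {
            return false;
        }
    }

    /**
     * Resolves an entity, preferring the cache (if any) over the repository, and stores a
     * repository hit in the cache.
     *
     * @param cls  the expected entity type
     * @param uuid the entity UUID
     * @return the entity, or {@code null} if neither cache nor repository has it
     */
    @SuppressWarnings("unchecked") // cls is narrowed to Class<CdmBase> only to call the service's find method
    protected CdmBase entity(Class<? extends CdmBase> cls, UUID uuid) {
        CdmBase entity = entityFromCache(cls, uuid);
        if (entity != null) {
            return entity;
        }
        entity = repo().getCommonService().find((Class<CdmBase>) cls, uuid);
        if (getCache() != null && entity != null) {
            getCache().putToCache(entity);
        }
        return entity;
    }

    /**
     * Checks the current authentication against an entity type as a whole.
     *
     * @param cls    the entity type
     * @param objArr operations whose {@code toString()} must name a {@link CRUD} constant
     * @return the evaluator's verdict; a {@link PermissionDeniedException} is reported as {@code false}
     * @throws IllegalArgumentException if an element of {@code objArr} does not name a {@link CRUD} constant
     */
    @Override
    public boolean userHasPermission(Class<? extends CdmBase> cls, Object... objArr) {
        try {
            // The raw cast is kept as-is because it decides which hasPermission overload is called.
            return permissionEvaluator().hasPermission(getAuthentication(), (Class) cls, crudSetFromArgs(objArr));
        } catch (PermissionDeniedException e) {
            return false;
        }
    }

    /**
     * Clears the authentication held by {@link SecurityContextHolder} for the current thread.
     * A context supplied through {@link SecurityContextAccess} is not touched here.
     */
    @Override
    public void logout() {
        SecurityContextHolder.getContext().setAuthentication(null);
        SecurityContextHolder.clearContext();
    }

    /**
     * Converts vararg operation arguments into a {@link CRUD} set.
     *
     * @throws IllegalArgumentException if an element is {@code null} or does not name a {@link CRUD} constant
     */
    private EnumSet<CRUD> crudSetFromArgs(Object[] objArr) {
        EnumSet<CRUD> operations = EnumSet.noneOf(CRUD.class);
        for (Object arg : objArr) {
            try {
                operations.add(CRUD.valueOf(arg.toString()));
            } catch (Exception e) {
                // Covers both a null element (NPE) and an unknown constant name.
                throw new IllegalArgumentException("could not add " + arg, e);
            }
        }
        return operations;
    }

    /** Returns the context from the configured {@link SecurityContextAccess}, else from {@link SecurityContextHolder}. */
    private SecurityContext currentSecurityContext() {
        return this.securityContextAccess != null ? this.securityContextAccess.currentSecurityContext() : SecurityContextHolder.getContext();
    }

    /** @return the authentication of the current security context; may be {@code null} */
    @Override
    public Authentication getAuthentication() {
        return currentSecurityContext().getAuthentication();
    }

    /**
     * Grants a per-entity authority to the named user.
     *
     * <p>The grant runs as {@code ROLE_USER_MANAGER}; the previous authentication is restored
     * in a {@code finally} block, after which the security context is refreshed with the
     * grantee (see {@link #refreshSecurityContext(User, String)}).
     *
     * @param str     the user name of the grantee
     * @param cdmBase the entity the authority targets
     * @param enumSet the operations to grant
     * @param str2    passed as the second constructor argument of {@link CdmAuthority}
     *                (presumably the property; confirm against {@code CdmAuthority})
     * @return the authority if it was newly added to the user's granted authorities;
     *         {@code null} if the user lookup returned {@code null} or the authority was already present
     * @throws RuntimeException wrapping a {@link CdmAuthorityParsingException}
     */
    @Override
    public CdmAuthority createAuthorityFor(String str, CdmBase cdmBase, EnumSet<CRUD> enumSet, String str2) {
        TransactionStatus txStatus = repo().startTransaction();
        UserDetails userDetails = repo().getUserService().loadUserByUsername(str);
        boolean authorityAdded = false;
        CdmAuthority cdmAuthority = null;
        User user = (User) userDetails;
        if (userDetails != null) {
            try {
                repo().getSession().flush();
                getRunAsAutheticator().runAsAuthentication(Role.ROLE_USER_MANAGER);
                cdmAuthority = new CdmAuthority(cdmBase, str2, enumSet);
                try {
                    // Reuse the persisted authority with the same string form if there is one.
                    GrantedAuthorityImpl grantedAuthority = repo().getGrantedAuthorityService().findAuthorityString(cdmAuthority.toString());
                    if (grantedAuthority == null) {
                        grantedAuthority = cdmAuthority.asNewGrantedAuthority();
                    }
                    authorityAdded = user.getGrantedAuthorities().add(grantedAuthority);
                } catch (CdmAuthorityParsingException e) {
                    throw new RuntimeException(e);
                }
                repo().getSession().flush();
            } finally {
                // Always drop the elevated ROLE_USER_MANAGER authentication, also on failure.
                getRunAsAutheticator().restoreAuthentication();
            }
            logger.debug("new authority for {}: {}", str, cdmAuthority);
            refreshSecurityContext(user, str);
        }
        // NOTE(review): when anything above throws, this commit is not reached and no rollback is
        // visible in this method; confirm the open transaction is completed elsewhere.
        repo().commitTransaction(txStatus);
        return authorityAdded ? cdmAuthority : null;
    }

    /**
     * Grants a per-entity authority to the named user, resolving the entity by type and UUID.
     *
     * @see #createAuthorityFor(String, CdmBase, EnumSet, String)
     */
    @Override
    public CdmAuthority createAuthorityFor(String str, Class<? extends CdmBase> cls, UUID uuid, EnumSet<CRUD> enumSet, String str2) {
        return createAuthorityFor(str, entity(cls, uuid), enumSet, str2);
    }

    /**
     * Grants a per-entity authority to the currently authenticated user.
     * {@link #userName()} is {@code null} when nobody is authenticated, and that value is
     * passed on to the user lookup unchecked.
     *
     * @see #createAuthorityFor(String, CdmBase, EnumSet, String)
     */
    @Override
    public CdmAuthority createAuthorityForCurrentUser(CdmBase cdmBase, EnumSet<CRUD> enumSet, String str) {
        return createAuthorityFor(userName(), cdmBase, enumSet, str);
    }

    /**
     * Grants a per-entity authority to the currently authenticated user, resolving the entity
     * by type and UUID.
     *
     * @see #createAuthorityFor(String, CdmBase, EnumSet, String)
     */
    @Override
    public CdmAuthority createAuthorityForCurrentUser(Class<? extends CdmBase> cls, UUID uuid, EnumSet<CRUD> enumSet, String str) {
        return createAuthorityFor(userName(), cls, uuid, enumSet, str);
    }

    /**
     * Revokes an authority from the currently authenticated user.
     *
     * @see #removeAuthorityForUser(String, CdmAuthority)
     */
    @Override
    public void removeAuthorityForCurrentUser(CdmAuthority cdmAuthority) {
        removeAuthorityForUser(userName(), cdmAuthority);
    }

    /**
     * Revokes an authority from the named user.
     *
     * <p>The removal runs as {@code ROLE_USER_MANAGER}; the previous authentication is restored
     * in a {@code finally} block, after which the security context is refreshed with that user
     * (see {@link #refreshSecurityContext(User, String)}).
     *
     * @param str          the user name
     * @param cdmAuthority the authority to remove
     */
    @Override
    public void removeAuthorityForUser(String str, CdmAuthority cdmAuthority) {
        TransactionStatus txStatus = repo().startTransaction();
        UserDetails userDetails = repo().getUserService().loadUserByUsername(str);
        User user = (User) userDetails;
        if (userDetails != null) {
            try {
                getRunAsAutheticator().runAsAuthentication(Role.ROLE_USER_MANAGER);
                // NOTE(review): createAuthorityFor adds GrantedAuthorityImpl instances to this
                // collection, while a CdmAuthority is removed here. Confirm their equals()
                // implementations match across types, otherwise nothing is revoked. The result of
                // remove() is not checked, so the debug message below is logged either way.
                user.getGrantedAuthorities().remove(cdmAuthority);
                repo().getSession().flush();
            } finally {
                // Always drop the elevated ROLE_USER_MANAGER authentication, also on failure.
                getRunAsAutheticator().restoreAuthentication();
            }
            logger.debug("authority removed from {}: {}", str, cdmAuthority);
            refreshSecurityContext(user, str);
        }
        // NOTE(review): when anything above throws, this commit is not reached and no rollback is
        // visible in this method; confirm the open transaction is completed elsewhere.
        repo().commitTransaction(txStatus);
    }

    /**
     * Replaces the authentication in {@link SecurityContextHolder} with a token built from the
     * given user, so that changed authorities take effect for the current thread.
     *
     * <p>NOTE(review): {@code user} is whoever was loaded by name, not necessarily the caller.
     * If the name differs from {@link #userName()}, the current thread ends up authenticated as
     * that other user. Confirm callers only pass the current user, or guard the refresh on it.
     *
     * <p>NOTE(review): the token takes {@code user.getPassword()} as its credentials and is
     * created already authenticated. It is written to {@link SecurityContextHolder} directly,
     * not to the context returned by {@link #currentSecurityContext()}.
     */
    private void refreshSecurityContext(User user, String username) {
        SecurityContextHolder.getContext().setAuthentication(
                new UsernamePasswordAuthenticationToken(user, user.getPassword(), user.getAuthorities()));
        logger.debug("security context refreshed with user {}", username);
    }

    /**
     * Collects the current authentication's {@link CdmAuthority} entries that apply to the
     * given entity.
     *
     * <p>An authority applies if its permission class matches the entity, it covers all
     * requested operations, and it is either not bound to a target UUID or bound to this
     * entity's UUID. Authorities bound to a different entity are excluded.
     *
     * @param cdmBase the entity
     * @param enumSet the operations every returned authority must cover
     * @return the matching authorities; empty if there are none or nobody is authenticated
     */
    @Override
    public Collection<CdmAuthority> findUserPermissions(CdmBase cdmBase, EnumSet<CRUD> enumSet) {
        Collection<CdmAuthority> matches = new HashSet<>();
        PermissionClass permissionClass = PermissionClass.getValueOf(cdmBase);
        Authentication authentication = getAuthentication();
        if (authentication == null) {
            return matches;
        }
        for (GrantedAuthority grantedAuthority : authentication.getAuthorities()) {
            try {
                CdmAuthority cdmAuthority = CdmAuthority.fromGrantedAuthority(grantedAuthority);
                if (!cdmAuthority.getPermissionClass().equals(permissionClass) || !cdmAuthority.getOperation().containsAll(enumSet)) {
                    continue;
                }
                // Both branches of the former if/else added the authority, so the target check
                // had no effect and authorities bound to other entities were reported as well.
                if (!cdmAuthority.hasTargetUuid() || cdmAuthority.getTargetUUID().equals(cdmBase.getUuid())) {
                    matches.add(cdmAuthority);
                }
            } catch (CdmAuthorityParsingException ignored) {
                // Granted authorities that do not parse as a CdmAuthority are skipped on purpose.
            }
        }
        return matches;
    }

    /**
     * Collects the current authentication's {@link CdmAuthority} entries for an entity type.
     * Authorities are matched by permission class and operations only; a target UUID on the
     * authority is not considered.
     *
     * @param cls     the entity type
     * @param enumSet the operations every returned authority must cover
     * @return the matching authorities; empty if there are none or nobody is authenticated
     */
    @Override
    public <T extends CdmBase> Collection<CdmAuthority> findUserPermissions(Class<T> cls, EnumSet<CRUD> enumSet) {
        Collection<CdmAuthority> matches = new HashSet<>();
        PermissionClass permissionClass = PermissionClass.getValueOf(cls);
        Authentication authentication = getAuthentication();
        if (authentication == null) {
            return matches;
        }
        for (GrantedAuthority grantedAuthority : authentication.getAuthorities()) {
            try {
                CdmAuthority cdmAuthority = CdmAuthority.fromGrantedAuthority(grantedAuthority);
                if (cdmAuthority.getPermissionClass().equals(permissionClass) && cdmAuthority.getOperation().containsAll(enumSet)) {
                    matches.add(cdmAuthority);
                }
            } catch (CdmAuthorityParsingException ignored) {
                // Granted authorities that do not parse as a CdmAuthority are skipped on purpose.
            }
        }
        return matches;
    }

    /**
     * @param securityContextAccess the source {@link #getAuthentication()} reads from;
     *                              {@code null} falls back to {@link SecurityContextHolder}
     */
    @Override
    public void setSecurityContextAccess(SecurityContextAccess securityContextAccess) {
        this.securityContextAccess = securityContextAccess;
    }

    /**
     * @return the authenticator used to run grant and revoke operations as {@code ROLE_USER_MANAGER}
     * @throws RuntimeException if no authenticator is available
     */
    public RunAsAuthenticator getRunAsAutheticator() {
        if (this.runAsAutheticator == null) {
            throw new RuntimeException("RunAsAuthenticator is missing! The application needs to be configured with security context.");
        }
        return this.runAsAutheticator;
    }

    /** @return {@code null}; the plain helper has no cache (see {@link CachingCdmUserHelper}) */
    public ICdmEntityUuidCacher getCache() {
        return null;
    }

    /**
     * Looks an entity up in the cache by UUID and discards a hit of the wrong type.
     *
     * @return the cached entity, or {@code null} if there is no cache, no hit, or a type mismatch
     */
    private CdmBase entityFromCache(Class<? extends CdmBase> cls, UUID uuid) {
        if (getCache() == null) {
            return null;
        }
        CdmBase cached = getCache().getFromCache(uuid);
        if (cached != null && !cls.isAssignableFrom(cached.getClass())) {
            // The cache is keyed by UUID alone, so the requested type has to be checked here.
            logger.error("Entity with {} does not match the required type", uuid);
            return null;
        }
        return cached;
    }

    /**
     * @param iCdmEntityUuidCacher the cache to use for entity lookups
     * @return a new helper bound to this instance's repository and permission evaluator
     */
    @Override
    public CdmUserHelper withCache(ICdmEntityUuidCacher iCdmEntityUuidCacher) {
        return new CachingCdmUserHelper(iCdmEntityUuidCacher);
    }
}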
