package pl.edu.icm.unity.engine.project;

import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import pl.edu.icm.unity.engine.api.authn.InvocationContext;
import pl.edu.icm.unity.engine.api.authn.LoginSession;
import pl.edu.icm.unity.engine.api.project.GroupAuthorizationRole;
import pl.edu.icm.unity.exceptions.AuthorizationException;
import pl.edu.icm.unity.exceptions.InternalException;
import pl.edu.icm.unity.store.api.AttributeDAO;
import pl.edu.icm.unity.store.api.GroupDAO;
import pl.edu.icm.unity.store.api.tx.Transactional;
import pl.edu.icm.unity.store.types.StoredAttribute;
import pl.edu.icm.unity.types.basic.Group;
import pl.edu.icm.unity.types.basic.GroupDelegationConfiguration;

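@Component
/**
 * Authorization gate for delegated project (group) management operations.
 *
 * <p>Every public {@code assert*} method first resolves the caller from the current
 * {@link InvocationContext}, then checks the delegation settings of the project group
 * and the caller's {@link GroupAuthorizationRole} values stored for that group. A failed
 * check surfaces as an exception; returning normally means the operation is permitted.
 *
 * <p>Callers must handle two failure types: the checked {@link AuthorizationException}
 * and the unchecked {@link NotChildOfProjectGroupException}, which is raised when the
 * target group lies outside the project tree. Lookup failures are reported as
 * {@link InternalException}, so a storage problem never results in access being granted.
 */
public class ProjectAuthorizationManager {
    private final GroupDAO groupDao;
    private final AttributeDAO attrDao;

    /**
     * Signals that a target group is not located under the given project group.
     * This is a {@link RuntimeException}, not an {@link AuthorizationException}.
     */
    public static class NotChildOfProjectGroupException extends RuntimeException {
        /**
         * @param str path of the main project group
         * @param str2 path of the group that was expected to be inside the project
         */
        public NotChildOfProjectGroupException(String str, String str2) {
            super("Group " + str2 + " is not child of main project group " + str);
        }
    }

    /**
     * @param groupDAO store access used to read group definitions
     * @param attributeDAO store access used to read the caller's role attribute
     */
    @Autowired
    public ProjectAuthorizationManager(GroupDAO groupDAO, AttributeDAO attributeDAO) {
        this.groupDao = groupDAO;
        this.attrDao = attributeDAO;
    }

    /**
     * Requires the caller to hold the manager or projectsAdmin role in the project group.
     *
     * @param str path of the project group
     * @throws AuthorizationException if the caller is not authenticated, uses an outdated
     *         credential, delegation is disabled on the group, or the role is missing
     */
    @Transactional
    public void assertManagerAuthorization(String str) throws AuthorizationException {
        // Resolve the caller before touching the store, so unauthenticated requests
        // are rejected without any group lookup.
        LoginSession client = getClient();
        assertDelegationIsEnabled(str);
        assertClientIsProjectManager(str, client.getEntityId());
    }

    /**
     * Returns the login session of the current invocation.
     *
     * @throws AuthorizationException if there is no login session or the session was
     *         established with an outdated credential
     */
    private LoginSession getClient() throws AuthorizationException {
        LoginSession session = InvocationContext.getCurrent().getLoginSession();
        if (session == null) {
            throw new AuthorizationException("Access is denied. The client is not authenticated.");
        }
        if (session.isUsedOutdatedCredential()) {
            throw new AuthorizationException("Access is denied. The client's credential is outdated and the only allowed operation is the credential update");
        }
        return session;
    }

    /**
     * Same as {@link #assertManagerAuthorization(String)}, and additionally requires the
     * target group to be the project group itself or one of its descendants.
     *
     * @param str path of the project group
     * @param str2 path of the group the operation targets
     * @throws AuthorizationException if the manager check fails
     * @throws NotChildOfProjectGroupException if the target group is outside the project
     */
    @Transactional
    public void assertManagerAuthorization(String str, String str2) throws AuthorizationException {
        assertManagerAuthorization(str);
        assertGroupIsUnderProject(str, str2);
    }

    /**
     * Requires the caller to hold the projectsAdmin role in the project group, with both
     * delegation and sub-project creation enabled on that group.
     *
     * @param str path of the project group
     * @param str2 path of the group the operation targets
     * @throws AuthorizationException if any of the checks fails
     * @throws NotChildOfProjectGroupException if the target group is outside the project
     */
    @Transactional
    public void assertProjectsAdminAuthorization(String str, String str2) throws AuthorizationException {
        LoginSession client = getClient();
        assertDelegationAndSubprojectsAreEnabled(str);
        assertGroupIsUnderProject(str, str2);
        assertClientIsProjectsAdmin(str, client.getEntityId());
    }

    /**
     * Checks whether the caller may assign the given role in the target group.
     * Delegation must be enabled on both the project group and the target group.
     *
     * @param str path of the project group
     * @param str2 path of the group in which the role is to be assigned
     * @param groupAuthorizationRole role that the caller wants to assign
     * @throws AuthorizationException if any of the checks fails
     * @throws NotChildOfProjectGroupException if the target group is outside the project
     */
    @Transactional
    public void assertRoleManagerAuthorization(String str, String str2, GroupAuthorizationRole groupAuthorizationRole) throws AuthorizationException {
        LoginSession client = getClient();
        assertDelegationIsEnabled(str);
        assertDelegationIsEnabled(str2);
        assertGroupIsUnderProject(str, str2);
        assertClientCanGiveRole(client.getEntityId(), str, str2, groupAuthorizationRole);
    }

    /**
     * Role-assignment rule. A projectsAdmin of the project group may assign any role in
     * any group that passed the earlier checks. A plain manager may assign roles only in
     * the project group itself and may never assign projectsAdmin, which prevents a
     * manager from escalating to the higher role.
     */
    private void assertClientCanGiveRole(long entityId, String projectPath, String groupPath, GroupAuthorizationRole role) throws AuthorizationException {
        // Roles are read from the project group only, not from the target group.
        Set<GroupAuthorizationRole> callerRoles = getAuthManagerAttribute(projectPath, entityId);
        if (callerRoles.contains(GroupAuthorizationRole.projectsAdmin)) {
            return;
        }
        boolean isManager = callerRoles.contains(GroupAuthorizationRole.manager);
        // Evaluation order matters: the role is inspected only for a manager acting on
        // the project group itself, exactly as in the short-circuit form.
        if (!isManager || !projectPath.equals(groupPath) || role.equals(GroupAuthorizationRole.projectsAdmin)) {
            throw new AuthorizationException("Access is denied. The operation requires manager capability in " + projectPath + " group");
        }
    }

    /** Rejects the operation unless delegation is enabled on the given group. */
    private void assertDelegationIsEnabled(String groupPath) throws AuthorizationException {
        if (!getGroup(groupPath).getDelegationConfiguration().enabled) {
            throw new AuthorizationException("Access is denied. The operation requires enabled delegation on " + groupPath + " group");
        }
    }

    /** Rejects the operation unless both delegation and sub-projects are enabled on the group. */
    private void assertDelegationAndSubprojectsAreEnabled(String groupPath) throws AuthorizationException {
        GroupDelegationConfiguration config = getGroup(groupPath).getDelegationConfiguration();
        if (!config.enabled || !config.enableSubprojects) {
            throw new AuthorizationException("Access is denied. The operation requires enabled delegation and subprojects creation on " + groupPath + " group");
        }
    }

    /**
     * Loads a group definition from the store.
     *
     * @throws InternalException if the lookup fails for any reason; the original failure
     *         is attached as the cause so it is not lost for diagnostics
     */
    private Group getGroup(String groupPath) {
        try {
            return this.groupDao.get(groupPath);
        } catch (Exception e) {
            throw new InternalException("Can not get group " + groupPath, e);
        }
    }

    /** Requires the manager or projectsAdmin role in the project group. */
    private void assertClientIsProjectManager(String projectPath, long entityId) throws AuthorizationException {
        Set<GroupAuthorizationRole> callerRoles = getAuthManagerAttribute(projectPath, entityId);
        boolean allowed = callerRoles.contains(GroupAuthorizationRole.manager)
                || callerRoles.contains(GroupAuthorizationRole.projectsAdmin);
        if (!allowed) {
            throw new AuthorizationException("Access is denied. The operation requires manager capability in " + projectPath + " group");
        }
    }

    /** Requires the projectsAdmin role in the project group. */
    private void assertClientIsProjectsAdmin(String projectPath, long entityId) throws AuthorizationException {
        if (!getAuthManagerAttribute(projectPath, entityId).contains(GroupAuthorizationRole.projectsAdmin)) {
            throw new AuthorizationException("Access is denied. The operation requires tree manager in " + projectPath + " group");
        }
    }

    /**
     * Reads the project-management role attribute of an entity in the given group and
     * converts its values to {@link GroupAuthorizationRole} constants.
     *
     * <p>Any failure, including a stored value that does not name a known role, is
     * reported as {@link InternalException}. The check therefore fails closed: a
     * corrupted or unreadable attribute never yields a role set.
     *
     * @return the roles found; empty when the entity has no such attribute values
     */
    private Set<GroupAuthorizationRole> getAuthManagerAttribute(String projectPath, long entityId) {
        try {
            Set<GroupAuthorizationRole> roles = new HashSet<>();
            for (StoredAttribute stored : this.attrDao.getAttributes(
                    ProjectAuthorizationRoleAttributeTypeProvider.PROJECT_MANAGEMENT_AUTHORIZATION_ROLE.toString(),
                    Long.valueOf(entityId), projectPath)) {
                for (String value : stored.getAttribute().getValues()) {
                    roles.add(GroupAuthorizationRole.valueOf(value));
                }
            }
            return roles;
        } catch (Exception e) {
            // Keep the cause: without it a storage outage and a malformed role value
            // are indistinguishable in the logs.
            throw new InternalException("Can not get group authorization attribute of entity " + entityId, e);
        }
    }

    /**
     * Confines the operation to the project tree, as decided by
     * {@code Group.isChildOrSame(groupPath, projectPath)}.
     *
     * @throws NotChildOfProjectGroupException if the target group is outside the project
     */
    private void assertGroupIsUnderProject(String projectPath, String groupPath) throws NotChildOfProjectGroupException {
        if (!Group.isChildOrSame(groupPath, projectPath)) {
            throw new NotChildOfProjectGroupException(projectPath, groupPath);
        }
    }
}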
