package pl.edu.icm.unity.engine.attribute;

import com.google.common.collect.ImmutableMap;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.stream.Collectors;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Primary;
import org.springframework.stereotype.Component;
import pl.edu.icm.unity.base.attribute.Attribute;
import pl.edu.icm.unity.base.attribute.AttributeExt;
import pl.edu.icm.unity.base.attribute.AttributeType;
import pl.edu.icm.unity.base.attribute.IllegalAttributeValueException;
import pl.edu.icm.unity.base.audit.AuditEventAction;
import pl.edu.icm.unity.base.audit.AuditEventTag;
import pl.edu.icm.unity.base.audit.AuditEventType;
import pl.edu.icm.unity.base.entity.EntityParam;
import pl.edu.icm.unity.base.exceptions.EngineException;
import pl.edu.icm.unity.base.group.Group;
import pl.edu.icm.unity.base.tx.Transactional;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.AttributesManagement;
import pl.edu.icm.unity.engine.api.attributes.AttributeMetadataProvider;
import pl.edu.icm.unity.engine.api.attributes.AttributeMetadataProvidersRegistry;
import pl.edu.icm.unity.engine.api.authn.AuthorizationException;
import pl.edu.icm.unity.engine.api.confirmation.EmailConfirmationManager;
import pl.edu.icm.unity.engine.api.exceptions.RuntimeEngineException;
import pl.edu.icm.unity.engine.api.exceptions.SchemaConsistencyException;
import pl.edu.icm.unity.engine.api.group.GroupPattern;
import pl.edu.icm.unity.engine.api.group.IllegalGroupValueException;
import pl.edu.icm.unity.engine.api.identity.EntityResolver;
import pl.edu.icm.unity.engine.api.registration.GroupPatternMatcher;
import pl.edu.icm.unity.engine.audit.AuditEventTrigger;
import pl.edu.icm.unity.engine.audit.AuditPublisher;
import pl.edu.icm.unity.engine.authz.AuthzCapability;
import pl.edu.icm.unity.engine.authz.InternalAuthorizationManager;
import pl.edu.icm.unity.engine.authz.RoleAttributeTypeProvider;
import pl.edu.icm.unity.engine.events.InvocationEventProducer;
import pl.edu.icm.unity.engine.session.AdditionalAuthenticationService;
import pl.edu.icm.unity.store.api.AttributeDAO;
import pl.edu.icm.unity.store.api.AttributeTypeDAO;
import pl.edu.icm.unity.store.api.MembershipDAO;
import pl.edu.icm.unity.store.api.tx.TransactionalRunner;

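/**
 * Default {@link AttributesManagement} implementation: the authorization gate for reading,
 * creating, updating and removing entity attributes.
 *
 * <p>Every write entry point funnels into the private {@code setAttribute(entity, attribute,
 * update, sendConfirmation)}, which resolves the entity and attribute type inside a transaction,
 * checks authorization via {@link InternalAuthorizationManager}, demands additional (step-up)
 * authentication when a security-sensitive attribute is changed by a caller without full
 * {@code attributeModify} capability, and clears the authorization cache whenever the
 * authorization-role attribute is touched. Removals are recorded through {@link AuditPublisher}.
 *
 * <p>Reads differ in what they expose: {@link #getAttributes} passes its result through
 * {@code AttributesHelper#filterSecuritySensitive}, the {@code getAll*} variants do not and
 * therefore require the {@code readHidden} capability (optionally degrading to plain {@code read}).
 */
@Component
@Primary
@InvocationEventProducer
public class AttributesManagementImpl implements AttributesManagement {
    private static final Logger log = Log.getLogger("unity.server.core", AttributesManagementImpl.class);

    // All collaborators are injected once through the constructor and never reassigned.
    private final AttributeClassUtil acUtil;
    private final AttributeTypeDAO attributeTypeDAO;
    private final AttributeDAO dbAttributes;
    private final EntityResolver idResolver;
    private final InternalAuthorizationManager authz;
    private final AttributesHelper attributesHelper;
    private final EmailConfirmationManager confirmationManager;
    private final TransactionalRunner txRunner;
    private final AttributeMetadataProvidersRegistry atMetaProvidersRegistry;
    private final AdditionalAuthenticationService additionalAuthnService;
    private final AuditPublisher audit;
    private final MembershipDAO membershipDAO;

    /**
     * Wires the engine collaborators; invoked by Spring.
     */
    @Autowired
    public AttributesManagementImpl(AttributeClassUtil attributeClassUtil, AttributeTypeDAO attributeTypeDAO,
            AttributeDAO attributeDAO, EntityResolver entityResolver,
            InternalAuthorizationManager internalAuthorizationManager, AttributesHelper attributesHelper,
            EmailConfirmationManager emailConfirmationManager, TransactionalRunner transactionalRunner,
            AttributeMetadataProvidersRegistry attributeMetadataProvidersRegistry,
            AdditionalAuthenticationService additionalAuthenticationService, AuditPublisher auditPublisher,
            MembershipDAO membershipDAO) {
        this.acUtil = attributeClassUtil;
        this.attributeTypeDAO = attributeTypeDAO;
        this.dbAttributes = attributeDAO;
        this.idResolver = entityResolver;
        this.authz = internalAuthorizationManager;
        this.attributesHelper = attributesHelper;
        this.confirmationManager = emailConfirmationManager;
        this.txRunner = transactionalRunner;
        this.atMetaProvidersRegistry = attributeMetadataProvidersRegistry;
        this.additionalAuthnService = additionalAuthenticationService;
        this.audit = auditPublisher;
        this.membershipDAO = membershipDAO;
    }

    /**
     * Creates an attribute (update flag off) and afterwards lets the confirmation manager send a
     * verification message for it.
     *
     * @throws EngineException on authorization, schema or persistence failure
     */
    public void createAttribute(EntityParam entityParam, Attribute attribute) throws EngineException {
        setAttribute(entityParam, attribute, false, true);
    }

    /**
     * Creates or updates an attribute (update flag on) and afterwards lets the confirmation manager
     * send a verification message for it.
     *
     * @throws EngineException on authorization, schema or persistence failure
     */
    public void setAttribute(EntityParam entityParam, Attribute attribute) throws EngineException {
        setAttribute(entityParam, attribute, true, true);
    }

    /**
     * Like {@link #createAttribute} but without triggering the confirmation manager.
     *
     * @throws EngineException on authorization, schema or persistence failure
     */
    public void createAttributeSuppressingConfirmation(EntityParam entityParam, Attribute attribute)
            throws EngineException {
        setAttribute(entityParam, attribute, false, false);
    }

    /**
     * Like {@link #setAttribute(EntityParam, Attribute)} but without triggering the confirmation manager.
     *
     * @throws EngineException on authorization, schema or persistence failure
     */
    public void setAttributeSuppressingConfirmation(EntityParam entityParam, Attribute attribute)
            throws EngineException {
        setAttribute(entityParam, attribute, true, false);
    }

    /**
     * Creates or updates an attribute depending on {@code update}, then triggers the confirmation manager.
     *
     * @param update forwarded to {@code AttributesHelper#addAttribute}; {@code false} is the
     *               "create" mode used by {@link #createAttribute}
     * @throws EngineException on authorization, schema or persistence failure
     */
    public void setAttribute(EntityParam entityParam, Attribute attribute, boolean update) throws EngineException {
        setAttribute(entityParam, attribute, update, true);
    }

    /**
     * Single implementation behind all write entry points.
     *
     * <p>Inside one transaction: resolve the entity, load the attribute type, run the authorization
     * check, require step-up authentication for sensitive changes by callers without full
     * {@code attributeModify}, verify the attribute is allowed by the entity's attribute classes, and
     * store it. After the transaction the authz cache is cleared if the authorization-role attribute
     * was changed, and a verification message is sent when {@code sendConfirmation} is set.
     *
     * @param update           forwarded to {@code AttributesHelper#addAttribute}
     * @param sendConfirmation whether to call the confirmation manager after a successful write
     * @throws EngineException on authorization, schema or persistence failure
     */
    private void setAttribute(EntityParam entityParam, Attribute attribute, boolean update,
            boolean sendConfirmation) throws EngineException {
        Objects.requireNonNull(entityParam, "entityParam");
        Objects.requireNonNull(attribute, "attribute");
        entityParam.validateInitialization();
        txRunner.runInTransactionThrowing(() -> {
            long entityId = idResolver.getEntityId(entityParam);
            AttributeType attributeType = attributeTypeDAO.get(attribute.getName());
            boolean fullAuthz = checkSetAttributeAuthz(entityId, attributeType, attribute);
            if (!fullAuthz) {
                // Caller passed the check only via self-modification: sensitive types need step-up authn.
                checkAdditionalAuthn(attributeType);
            }
            checkIfAllowed(entityId, attribute.getGroupPath(), attribute.getName());
            attributesHelper.addAttribute(entityId, attribute, attributeType, update, fullAuthz);
        });
        if (RoleAttributeTypeProvider.AUTHORIZATION_ROLE.equals(attribute.getName())) {
            // Role assignments are cached by the authorization manager; a change must invalidate it.
            authz.clearCache();
        }
        if (sendConfirmation) {
            confirmationManager.sendVerificationQuietNoTx(entityParam, attribute, false);
        }
    }

    /**
     * Invokes the additional-authentication service when the attribute type is security sensitive.
     */
    private void checkAdditionalAuthn(AttributeType attributeType) {
        if (isSensitiveAttributeChange(attributeType)) {
            log.info("Additional authentication triggered for sensitive >{}< attribute change",
                    attributeType.getName());
            additionalAuthnService.checkAdditionalAuthenticationRequirements();
        }
    }

    /**
     * True when any metadata key of the type belongs to a provider that declares itself security sensitive.
     */
    private boolean isSensitiveAttributeChange(AttributeType attributeType) {
        return attributeType.getMetadata().keySet().stream()
                .map(atMetaProvidersRegistry::getByName)
                .anyMatch(AttributeMetadataProvider::isSecuritySensitive);
    }

    /**
     * Authorizes a create/update of {@code attribute} for {@code entityId}.
     *
     * <p>The authorization-role attribute uses a dedicated check and always counts as a fully
     * authorized change. For any other type the caller must hold {@code attributeModify} in the
     * attribute's group, with self-modification permitted only for self-modifiable types.
     *
     * @return whether the caller holds {@code attributeModify} in the group regardless of the
     *         self-modification relaxation; {@code false} means the change went through only
     *         because the caller modifies their own self-modifiable attribute
     * @throws AuthorizationException when the caller is not permitted
     */
    private boolean checkSetAttributeAuthz(long entityId, AttributeType attributeType, Attribute attribute)
            throws AuthorizationException {
        if (RoleAttributeTypeProvider.AUTHORIZATION_ROLE.equals(attribute.getName())) {
            authz.checkAuthZAttributeChangeAuthorization(authz.isSelf(entityId), attribute);
            return true;
        }
        // Evaluated before the check so the capability lookup's own failure, if any, surfaces first (kept order).
        boolean fullAuthz = hasFullAuthzToChangeAttr(attribute.getGroupPath());
        authz.checkAuthorization(attributeType.isSelfModificable() && authz.isSelf(entityId),
                attribute.getGroupPath(), AuthzCapability.attributeModify);
        return fullAuthz;
    }

    /**
     * Whether the caller's capabilities in {@code groupPath} (queried with the self flag off,
     * i.e. without the self-access relaxation) include {@code attributeModify}.
     */
    private boolean hasFullAuthzToChangeAttr(String groupPath) throws AuthorizationException {
        return authz.getCapabilities(false, groupPath).contains(AuthzCapability.attributeModify);
    }

    /**
     * Removes one attribute of an entity in a group and audits the removal.
     *
     * <p>Order of checks: instance-immutable types are rejected; the caller must hold
     * {@code attributeModify} in the group (self-modification only for self-modifiable types);
     * a caller without full capability may be asked for additional authentication; finally an
     * attribute required by the entity's attribute classes cannot be removed.
     *
     * @throws IllegalGroupValueException     if {@code group} is null
     * @throws IllegalAttributeValueException if {@code attributeName} is null
     * @throws SchemaConsistencyException     if the type is instance-immutable or the attribute is mandatory
     * @throws EngineException                on authorization or persistence failure
     */
    @Transactional
    public void removeAttribute(EntityParam entityParam, String group, String attributeName) throws EngineException {
        if (group == null) {
            throw new IllegalGroupValueException("Group must not be null");
        }
        if (attributeName == null) {
            throw new IllegalAttributeValueException("Attribute name must not be null");
        }
        entityParam.validateInitialization();
        long entityId = idResolver.getEntityId(entityParam);
        AttributeType attributeType = attributeTypeDAO.get(attributeName);
        if (attributeType.isInstanceImmutable()) {
            throw new SchemaConsistencyException(
                    "The attribute with name " + attributeType.getName() + " can not be manually modified");
        }
        authz.checkAuthorization(attributeType.isSelfModificable() && authz.isSelf(entityId), group,
                AuthzCapability.attributeModify);
        if (!hasFullAuthzToChangeAttr(group)) {
            checkAdditionalAuthn(attributeType);
        }
        checkIfMandatory(entityId, group, attributeName);
        dbAttributes.deleteAttribute(attributeName, entityId, group);
        audit.log(AuditEventTrigger.builder()
                .type(AuditEventType.ATTRIBUTE)
                .action(AuditEventAction.REMOVE)
                .name(attributeName)
                .subject(Long.valueOf(entityId))
                .details(ImmutableMap.of("group", group))
                .tags(AuditEventTag.USERS));
    }

    /**
     * Returns the entity's attributes in a group, requiring only the {@code read} capability and
     * filtering out security-sensitive attributes. Unlike the {@code getAll*} methods this is the
     * variant safe to expose to low-privilege callers.
     *
     * @param groupPath         group to read from
     * @param attributeTypeName optional attribute type filter (forwarded to the helper)
     * @throws EngineException on authorization failure
     */
    @Transactional
    public Collection<AttributeExt> getAttributes(EntityParam entityParam, String groupPath, String attributeTypeName)
            throws EngineException {
        return attributesHelper.filterSecuritySensitive(getAllAttributesInternal(entityParam, true, groupPath,
                attributeTypeName, new AuthzCapability[] {AuthzCapability.read}, false));
    }

    /**
     * Returns all attributes in a group without security-sensitive filtering.
     *
     * <p>Requires {@code readHidden} and {@code read}; when {@code allowDegrade} is set and that
     * check fails, the call is retried with {@code read} only and the helper's last flag turned
     * off (presumably "include hidden" — confirm in {@code AttributesHelper#getAttributesInternal}).
     *
     * @param effective forwarded to the helper (the engine API's effective-attributes switch)
     * @throws EngineException on authorization failure that cannot be degraded
     */
    @Transactional
    public Collection<AttributeExt> getAllAttributes(EntityParam entityParam, boolean effective, String groupPath,
            String attributeTypeName, boolean allowDegrade) throws EngineException {
        try {
            return getAllAttributesInternal(entityParam, effective, groupPath, attributeTypeName,
                    new AuthzCapability[] {AuthzCapability.readHidden, AuthzCapability.read}, true);
        } catch (AuthorizationException e) {
            if (!allowDegrade) {
                throw e;
            }
            return getAllAttributesInternal(entityParam, effective, groupPath, attributeTypeName,
                    new AuthzCapability[] {AuthzCapability.read}, false);
        }
    }

    /**
     * Group-pattern variant of {@link #getAllAttributes(EntityParam, boolean, String, String, boolean)}:
     * the groups are those of the entity's membership that match any of {@code groupPatterns}, and the
     * authorization check is performed for each of them.
     *
     * @throws EngineException on authorization failure that cannot be degraded
     */
    @Transactional
    public Collection<AttributeExt> getAllAttributes(EntityParam entityParam, boolean effective,
            List<GroupPattern> groupPatterns, String attributeTypeName, boolean allowDegrade) throws EngineException {
        try {
            return getAllAttributesInternal(entityParam, effective, groupPatterns, attributeTypeName,
                    new AuthzCapability[] {AuthzCapability.readHidden, AuthzCapability.read}, true);
        } catch (AuthorizationException e) {
            if (!allowDegrade) {
                throw e;
            }
            return getAllAttributesInternal(entityParam, effective, groupPatterns, attributeTypeName,
                    new AuthzCapability[] {AuthzCapability.read}, false);
        }
    }

    /**
     * Returns every attribute stored directly for the entity across all groups, flattened.
     *
     * <p>The capability check ({@code readHidden} and {@code read}) is made without a group or
     * self context and no security-sensitive filtering is applied, so this is a privileged read.
     * {@link EngineException} is wrapped in {@link RuntimeEngineException} because this method
     * does not declare it.
     */
    @Transactional
    public Collection<AttributeExt> getAllDirectAttributes(EntityParam entityParam) {
        authz.checkAuthorizationRT(AuthzCapability.readHidden, AuthzCapability.read);
        try {
            long entityId = idResolver.getEntityId(entityParam);
            return attributesHelper.getAllEntityAttributesMap(entityId).values().stream()
                    .flatMap(byName -> byName.values().stream())
                    .collect(Collectors.toList());
        } catch (EngineException e) {
            throw new RuntimeEngineException(e);
        }
    }

    /**
     * Pattern-based read: resolves the entity, expands the patterns against its memberships, checks
     * {@code capabilities} in every matched group and delegates to the helper. Returns an empty
     * list (without any authorization check) when no group matches.
     */
    private Collection<AttributeExt> getAllAttributesInternal(EntityParam entityParam, boolean effective,
            List<GroupPattern> groupPatterns, String attributeTypeName, AuthzCapability[] capabilities,
            boolean lastHelperFlag) throws EngineException {
        entityParam.validateInitialization();
        long entityId = idResolver.getEntityId(entityParam);
        List<String> groupPaths = getGroupsPaths(groupPatterns, entityId);
        if (groupPaths.isEmpty()) {
            return Collections.emptyList();
        }
        for (String groupPath : groupPaths) {
            authz.checkAuthorization(authz.isSelf(entityId), groupPath, capabilities);
        }
        return attributesHelper.getAttributesInternal(entityId, effective, groupPaths, attributeTypeName,
                lastHelperFlag);
    }

    /**
     * Single-group read: resolves the entity, checks {@code capabilities} in {@code groupPath} and
     * delegates to the helper.
     */
    private Collection<AttributeExt> getAllAttributesInternal(EntityParam entityParam, boolean effective,
            String groupPath, String attributeTypeName, AuthzCapability[] capabilities, boolean lastHelperFlag)
            throws EngineException {
        entityParam.validateInitialization();
        long entityId = idResolver.getEntityId(entityParam);
        authz.checkAuthorization(authz.isSelf(entityId), groupPath, capabilities);
        return attributesHelper.getAttributesInternal(entityId, effective, groupPath, attributeTypeName,
                lastHelperFlag);
    }

    /**
     * Names of the entity's membership groups matching any pattern, in pattern order
     * (a group matched by several patterns appears once per match, as before).
     */
    private List<String> getGroupsPaths(List<GroupPattern> groupPatterns, long entityId) {
        List<Group> memberOf = membershipDAO.getEntityMembershipGroups(entityId);
        return groupPatterns.stream()
                .flatMap(groupPattern -> getMatchingGroups(memberOf, groupPattern.pattern).stream())
                .collect(Collectors.toList());
    }

    /**
     * Names of the groups from {@code groups} matching {@code pattern}.
     */
    private List<String> getMatchingGroups(List<Group> groups, String pattern) {
        return GroupPatternMatcher.filterMatching(groups, pattern).stream()
                .map(Group::getName)
                .collect(Collectors.toList());
    }

    /**
     * Rejects an attribute the entity's attribute classes in {@code groupPath} do not allow.
     *
     * @throws SchemaConsistencyException when the attribute is not allowed
     */
    private void checkIfAllowed(long entityId, String groupPath, String attributeName) throws EngineException {
        if (!acUtil.getACHelper(entityId, groupPath).isAllowed(attributeName)) {
            throw new SchemaConsistencyException("The attribute with name " + attributeName
                    + " is not allowed by the entity's attribute classes in the group " + groupPath);
        }
    }

    /**
     * Rejects removal of an attribute the entity's attribute classes in {@code groupPath} require.
     *
     * @throws SchemaConsistencyException when the attribute is mandatory
     */
    private void checkIfMandatory(long entityId, String groupPath, String attributeName) throws EngineException {
        if (acUtil.getACHelper(entityId, groupPath).isMandatory(attributeName)) {
            throw new SchemaConsistencyException("The attribute with name " + attributeName
                    + " is required by the entity's attribute classes in the group " + groupPath);
        }
    }
}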
