package ome.security.basic;

import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.Map;
import ome.conditions.ApiUsageException;
import ome.conditions.GroupSecurityViolation;
import ome.conditions.InternalException;
import ome.conditions.SecurityViolation;
import ome.model.IObject;
import ome.model.internal.Permissions;
import ome.model.meta.ExperimenterGroup;
import ome.security.ChmodStrategy;
import ome.services.messages.EventLogMessage;
import ome.system.OmeroContext;
import ome.tools.hibernate.ExtendedMetadata;
import ome.tools.hibernate.SessionFactory;
import ome.util.SqlAction;
import ome.util.Utils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.hibernate.Session;
import org.springframework.beans.BeansException;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;

/* loaded from: input_file:ome/security/basic/GroupChmodStrategy.class */
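/**
 * {@link ChmodStrategy} that changes the permissions of an {@link ExperimenterGroup}.
 *
 * <p>The visible flow has three steps: {@link #getChecks} authorises the caller through
 * {@code voter.allowChmod} and builds one lock check per non-system model class;
 * {@link #check} runs a single check and rejects the change if any lock is counted;
 * {@link #chmod} writes the new permissions and publishes an event-log message.
 *
 * <p>NOTE(review): {@link #chmod} itself neither calls {@code voter.allowChmod} nor re-runs
 * the lock checks. It appears to rely on callers having gone through {@link #getChecks} and
 * {@link #check} first; confirm that every call path does so.
 */
public class GroupChmodStrategy implements ChmodStrategy, ApplicationContextAware {
    private static final Log log = LogFactory.getLog(GroupChmodStrategy.class);
    private final BasicACLVoter voter;
    private final SessionFactory osf;
    private final SqlAction sql;
    private final ExtendedMetadata em;
    private OmeroContext ctx;

    /* loaded from: input_file:ome/security/basic/GroupChmodStrategy$Check.class */
    /**
     * One pending lock check: the group, the requested permission string, the model class
     * being examined and the lock-check descriptors obtained for that class.
     */
    private static class Check {
        final long groupID;
        final String perms;
        final Class<?> k;
        final String[][] lockChecks;
        final PermDrop drop;

        Check(long groupID, String perms, Class<?> k, String[][] lockChecks, PermDrop drop) {
            this.groupID = groupID;
            this.perms = perms;
            this.k = k;
            this.lockChecks = lockChecks;
            this.drop = drop;
        }

        /**
         * Counts the locks for this check's class, restricted to objects in the group.
         *
         * @param session          Hibernate session handed to {@code countLocks}
         * @param extendedMetadata metadata helper that performs the count
         * @return the map returned by {@code countLocks}; {@link GroupChmodStrategy#check}
         *         reads the {@code "*"} entry as the total
         */
        public Map<String, Long> run(Session session, ExtendedMetadata extendedMetadata) {
            // Only the numeric group id is concatenated into the clause, so no
            // caller-supplied text ends up in the query fragment built here.
            String clause = "x.details.group.id = " + this.groupID
                    + " and "
                    + "y.details.group.id = " + this.groupID;
            if (this.drop.reduceGroup) {
                // Group read is being removed: only links between objects of
                // different owners are counted.
                clause += " and x.details.owner.id <> y.details.owner.id";
            }
            return extendedMetadata.countLocks(session, null, this.lockChecks, clause);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:ome/security/basic/GroupChmodStrategy$PermDrop.class */
    /**
     * Compares a group's current permissions with the requested ones and records whether
     * group read is being removed.
     *
     * <p>NOTE(review): the WORLD role constant {@code a} is declared but never used in this
     * class, so removing world read is not treated as a reduction here; confirm that this
     * is intended.
     */
    public static class PermDrop {
        static final Permissions.Role u = Permissions.Role.USER;
        static final Permissions.Role g = Permissions.Role.GROUP;
        static final Permissions.Role a = Permissions.Role.WORLD;
        static final Permissions.Right r = Permissions.Right.READ;
        final Permissions oldPerms;
        final Permissions newPerms;
        final boolean reduceGroup;

        /**
         * @param group group whose current permissions are the baseline
         * @param perms requested permissions, parsed with {@code Permissions.parseString}
         * @throws GroupSecurityViolation if the requested permissions do not grant user read
         */
        PermDrop(ExperimenterGroup group, String perms) {
            this.oldPerms = group.getDetails().getPermissions();
            this.newPerms = Permissions.parseString(perms);
            if (!this.newPerms.isGranted(u, r)) {
                throw new GroupSecurityViolation("Cannot remove user read: " + group);
            }
            // A reduction means group read was granted before and is not granted afterwards.
            this.reduceGroup = this.oldPerms.isGranted(g, r) && !this.newPerms.isGranted(g, r);
        }

        /** @return {@code true} if the change removes group read */
        boolean found() {
            return this.reduceGroup;
        }
    }

    public GroupChmodStrategy(BasicACLVoter basicACLVoter, SessionFactory sessionFactory, SqlAction sqlAction, ExtendedMetadata extendedMetadata) {
        this.voter = basicACLVoter;
        this.osf = sessionFactory;
        this.sql = sqlAction;
        this.em = extendedMetadata;
    }

    /**
     * Stores the context used to publish event-log messages.
     *
     * @throws ClassCastException if the supplied context is not an {@link OmeroContext}
     */
    @Override
    public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
        this.ctx = (OmeroContext) applicationContext;
    }

    /**
     * Authorises the change and builds the lock checks that must pass before it is applied.
     *
     * @param iObject the group to change; must be an {@link ExperimenterGroup} with an id
     * @param str     requested permissions string
     * @return one {@code Check} per non-system model class, or an empty array when the
     *         change does not remove group read
     * @throws SecurityViolation if the object is not a group or the voter refuses the chmod
     * @throws ApiUsageException if the id is null or no group with that id can be loaded
     */
    @Override // ome.security.ChmodStrategy
    public Object[] getChecks(IObject iObject, String str) {
        final ExperimenterGroup group = load(iObject);
        // Authorisation gate: this is the only place in the class where the voter is consulted.
        if (!this.voter.allowChmod(group)) {
            throw new SecurityViolation("chmod not permitted");
        }
        final PermDrop permDrop = new PermDrop(group, str);
        if (!permDrop.found()) {
            return new Object[0];
        }
        final ArrayList<Check> checks = new ArrayList<Check>();
        for (String className : this.em.getClasses()) {
            Class<? extends IObject> hibernateClass = this.em.getHibernateClass(className);
            if (this.voter.sysTypes.isSystemType(hibernateClass)) {
                continue; // system types are excluded from the lock checks
            }
            checks.add(new Check(group.getId().longValue(), str, hibernateClass, this.em.getLockChecks(hibernateClass), permDrop));
        }
        return checks.toArray(new Object[checks.size()]);
    }

    /**
     * Applies the requested permissions to the group.
     *
     * <p>NOTE(review): no authorisation or lock check is performed on this path; see the
     * class comment.
     */
    @Override // ome.security.ChmodStrategy
    public void chmod(IObject iObject, String str) {
        handleGroupChange(iObject, Permissions.parseString(str));
    }

    /**
     * Runs one check produced by {@link #getChecks} and rejects the change if locks exist.
     *
     * @throws InternalException if {@code obj} is not a check created by this class, or if
     *                           the count carries no {@code "*"} total
     * @throws SecurityViolation if the total lock count is greater than zero
     */
    @Override // ome.security.ChmodStrategy
    public void check(IObject iObject, Object obj) {
        if (!(obj instanceof Check)) {
            throw new InternalException("Bad check:" + obj);
        }
        Check check = (Check) obj;
        Map<String, Long> lockCounts = check.run(this.osf.getSession(), this.em);
        Long total = lockCounts == null ? null : lockCounts.get("*");
        if (total == null) {
            // Fail closed: a missing total must never be read as "no locks".
            throw new InternalException("Lock check returned no total for " + check.k);
        }
        if (total.longValue() > 0) {
            throw new SecurityViolation(String.format("Cannot change permissions on %s to %s due to locks:\n%s", iObject, check.perms, lockCounts));
        }
    }

    /**
     * Reloads the group from the session by id, so that later decisions use the loaded
     * state rather than the instance supplied by the caller.
     *
     * @throws SecurityViolation if {@code iObject} is not an {@link ExperimenterGroup}
     * @throws ApiUsageException if the id is null or no group with that id is found
     */
    private ExperimenterGroup load(IObject iObject) {
        if (!(iObject instanceof ExperimenterGroup)) {
            throw new SecurityViolation("Only groups allowed");
        }
        if (iObject.getId() == null) {
            throw new ApiUsageException("ID cannot be null");
        }
        ExperimenterGroup group = (ExperimenterGroup) this.osf.getSession().get(ExperimenterGroup.class, iObject.getId());
        if (group == null) {
            // Session.get returns null for an unknown id; report it here instead of
            // failing later with a NullPointerException in the permission checks.
            throw new ApiUsageException("No such group: " + iObject.getId());
        }
        return group;
    }

    /**
     * Writes the new permissions for the group and publishes the event-log message.
     * Does nothing when the requested rights equal the current ones.
     */
    private void handleGroupChange(IObject iObject, Permissions permissions) {
        ExperimenterGroup group = load(iObject);
        if (permissions == null) {
            throw new ApiUsageException("PERMS cannot be null");
        }
        if (group.getDetails().getPermissions().sameRights(permissions)) {
            log.debug(String.format("Ignoring unchanged permissions: %s", permissions));
            return;
        }
        Long internal = (Long) Utils.internalForm(permissions);
        this.sql.changeGroupPermissions(iObject.getId(), internal);
        log.info(String.format("Changed permissions for %s to %s", iObject.getId(), internal));
        // The permissions have already been written by the time the event is published.
        // NOTE(review): confirm that a failure in eventlog() rolls the change back.
        eventlog(iObject.getId().longValue(), permissions.toString());
    }

    /**
     * Publishes a {@code CHMOD(<perms>)} event-log message for the group id.
     * Runtime exceptions propagate unchanged; any other throwable is wrapped in a
     * {@link RuntimeException}.
     */
    private void eventlog(long j, String str) {
        try {
            this.ctx.publishMessage(new EventLogMessage(this, String.format("CHMOD(%s)", str), ExperimenterGroup.class, Collections.singletonList(Long.valueOf(j))));
        } catch (RuntimeException e) {
            throw e;
        } catch (Throwable th) {
            throw new RuntimeException(th);
        }
    }
}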
