package ome.security.policy;

import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import ome.conditions.SecurityViolation;
import ome.model.IObject;
import ome.model.core.Image;
import ome.model.core.OriginalFile;
import ome.model.fs.Fileset;
import ome.model.fs.FilesetEntry;
import ome.model.internal.NamedValue;
import ome.model.meta.ExperimenterGroup;
import ome.model.screen.Plate;
import ome.model.screen.PlateAcquisition;
import ome.model.screen.Well;
import ome.model.screen.WellSample;
import ome.security.ACLVoter;
import org.hibernate.AssertionFailure;
import org.hibernate.Hibernate;

/* loaded from: input_file:ome/security/policy/BinaryAccessPolicy.class */
public class BinaryAccessPolicy extends BasePolicy {
    public static final String NAME = "RESTRICT-BINARY-ACCESS";
    private final ACLVoter voter;
    private final Set<String> global;

    public BinaryAccessPolicy(Set<Class<IObject>> set, ACLVoter aCLVoter) {
        this(set, aCLVoter, null);
    }

    public BinaryAccessPolicy(Set<Class<IObject>> set, ACLVoter aCLVoter, String[] strArr) {
        super(set);
        this.voter = aCLVoter;
        if (strArr == null) {
            this.global = Collections.emptySet();
        } else {
            this.global = new HashSet(Arrays.asList(strArr));
        }
    }

    @Override // ome.security.policy.BasePolicy, ome.security.policy.Policy
    public String getName() {
        return NAME;
    }

    @Override // ome.security.policy.BasePolicy, ome.security.policy.Policy
    public boolean isRestricted(IObject iObject) {
        Set<String> groupRestrictions = groupRestrictions(iObject);
        if (notAorB("+write", "-write", groupRestrictions)) {
            return true;
        }
        if (notAorB("+read", "-read", groupRestrictions) && !this.voter.allowUpdate(iObject, iObject.getDetails())) {
            return true;
        }
        boolean notAorB = notAorB("+image", "-image", groupRestrictions);
        boolean notAorB2 = notAorB("+plate", "-plate", groupRestrictions);
        if (!(iObject instanceof OriginalFile)) {
            if (iObject instanceof Image) {
                if (notAorB) {
                    return true;
                }
                return notAorB2 && has((Image) iObject, "ome.model.core.Image_wellSamples");
            }
            if ((iObject instanceof Plate) || (iObject instanceof PlateAcquisition) || (iObject instanceof Well) || (iObject instanceof WellSample)) {
                return notAorB || notAorB2;
            }
            return false;
        }
        Iterator iterateFilesetEntries = ((OriginalFile) iObject).iterateFilesetEntries();
        while (iterateFilesetEntries.hasNext()) {
            FilesetEntry filesetEntry = (FilesetEntry) iterateFilesetEntries.next();
            if (filesetEntry != null && filesetEntry.getFileset() != null) {
                Fileset fileset = filesetEntry.getFileset();
                if (!has(fileset, "ome.model.fs.Fileset_images")) {
                    continue;
                } else {
                    if (notAorB) {
                        return true;
                    }
                    if (notAorB2) {
                        Iterator iterateImages = fileset.iterateImages();
                        while (iterateImages.hasNext()) {
                            Image image = (Image) iterateImages.next();
                            if (image != null && has(image, "ome.model.core.Image_wellSamples")) {
                                return true;
                            }
                        }
                    } else {
                        continue;
                    }
                }
            }
        }
        return false;
    }

    protected Set<String> groupRestrictions(IObject iObject) {
        ExperimenterGroup group = iObject.getDetails().getGroup();
        if (group != null && group.getConfig() != null && group.getConfig().size() > 0) {
            HashSet hashSet = null;
            for (NamedValue namedValue : group.getConfig()) {
                if ("omero.policy.binary_access".equals(namedValue.getName())) {
                    if (hashSet == null) {
                        hashSet = new HashSet();
                    }
                    hashSet.add(namedValue.getValue());
                }
            }
            if (hashSet != null) {
                return hashSet;
            }
        }
        return Collections.emptySet();
    }

    private final boolean notAorB(String str, String str2, Collection<String> collection) {
        if (this.global.contains(str2) || collection.contains(str2)) {
            return true;
        }
        return (this.global.contains(str) || collection.contains(str)) ? false : true;
    }

    private boolean has(IObject iObject, String str) {
        try {
            Collection collection = (Collection) iObject.retrieve(str);
            Hibernate.initialize(collection);
            if (collection != null) {
                return !collection.isEmpty();
            }
            return false;
        } catch (AssertionFailure e) {
            return false;
        }
    }

    @Override // ome.security.policy.BasePolicy, ome.security.policy.Policy
    public void checkRestriction(IObject iObject) {
        if (isRestricted(iObject)) {
            throw new SecurityViolation(String.format("Download is restricted for %s", iObject));
        }
    }
}
