package ome.security.basic;

import com.google.common.collect.ArrayListMultimap;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import ome.api.local.LocalAdmin;
import ome.api.local.LocalQuery;
import ome.api.local.LocalUpdate;
import ome.conditions.ApiUsageException;
import ome.conditions.InternalException;
import ome.conditions.SecurityViolation;
import ome.conditions.SessionTimeoutException;
import ome.model.IObject;
import ome.model.enums.EventType;
import ome.model.internal.Details;
import ome.model.internal.GraphHolder;
import ome.model.internal.Permissions;
import ome.model.meta.Event;
import ome.model.meta.EventLog;
import ome.model.meta.Experimenter;
import ome.model.meta.ExperimenterGroup;
import ome.model.meta.GroupExperimenterMap;
import ome.security.AdminAction;
import ome.security.SecureAction;
import ome.security.SecurityFilter;
import ome.security.SecurityFilterHolder;
import ome.security.SecuritySystem;
import ome.security.SystemTypes;
import ome.security.basic.BasicSecurityWiring;
import ome.security.policy.DefaultPolicyService;
import ome.security.policy.PolicyService;
import ome.services.messages.EventLogMessage;
import ome.services.messages.EventLogsMessage;
import ome.services.sessions.SessionManager;
import ome.services.sessions.events.UserGroupUpdateEvent;
import ome.services.sessions.state.SessionCache;
import ome.services.sessions.stats.PerSessionStats;
import ome.services.sharing.ShareStore;
import ome.system.EventContext;
import ome.system.OmeroContext;
import ome.system.Principal;
import ome.system.Roles;
import ome.system.ServiceFactory;
import ome.tools.hibernate.ExtendedMetadata;
import org.hibernate.HibernateException;
import org.hibernate.Session;
import org.hibernate.proxy.HibernateProxy;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.BeansException;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
import org.springframework.context.ApplicationListener;
import org.springframework.orm.hibernate3.HibernateCallback;
import org.springframework.util.Assert;

/* loaded from: input_file:ome/security/basic/BasicSecuritySystem.class */
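/**
 * Default {@link SecuritySystem} implementation.
 *
 * <p>Almost everything is delegated: per-call/per-session state lives in
 * {@link CurrentDetails} ({@code cd}); {@link OmeroInterceptor} validates
 * {@link Details} on create/update; {@link TokenHolder} marks graph nodes as
 * privileged for the duration of a secure action; {@link SecurityFilter}
 * installs the Hibernate read filter; {@link PolicyService} answers
 * restriction checks.
 *
 * <p>All injected collaborators are {@code final}. {@code ctx} and
 * {@code store} are assigned once by Spring in
 * {@link #setApplicationContext} and are {@code null} before that
 * (notably after {@link #selfConfigure}).
 */
public class BasicSecuritySystem implements SecuritySystem, ApplicationContextAware, ApplicationListener<EventLogMessage> {
    private static final Logger log = LoggerFactory.getLogger(BasicSecuritySystem.class);
    protected final OmeroInterceptor interceptor;
    protected final SystemTypes sysTypes;
    protected final CurrentDetails cd;
    protected final TokenHolder tokenHolder;
    protected final Roles roles;
    protected final SessionManager sessionManager;
    protected final ServiceFactory sf;
    protected final SecurityFilter filter;
    protected final PolicyService policyService;
    // Set by setApplicationContext(); null until then.
    protected OmeroContext ctx;
    // Looked up from ctx as bean "shareStore"; null until setApplicationContext().
    protected ShareStore store;

    /**
     * Wires an instance by hand, without a Spring context.
     *
     * <p>Note that the interceptor and the returned system each get their
     * own {@link Roles} and {@link TokenHolder} instance, exactly as before;
     * whether the two token holders are meant to be shared is not visible
     * here -- confirm against the Spring wiring before relying on it.
     * {@link #setApplicationContext} is not invoked, so {@code ctx} and
     * {@code store} remain {@code null}.
     *
     * @param sessionManager session manager consulted for event contexts
     * @param serviceFactory factory for admin/query/update services
     * @param sessionCache   backing cache for {@link CurrentDetails}
     * @return a configured, context-less security system
     */
    public static BasicSecuritySystem selfConfigure(SessionManager sessionManager, ServiceFactory serviceFactory, SessionCache sessionCache) {
        CurrentDetails currentDetails = new CurrentDetails(sessionCache);
        SystemTypes systemTypes = new SystemTypes();
        OmeroInterceptor interceptor = new OmeroInterceptor(new Roles(), systemTypes, new ExtendedMetadata.Impl(), currentDetails, new TokenHolder(), new PerSessionStats(currentDetails));
        Roles roles = new Roles();
        SecurityFilter filter = new SecurityFilterHolder(currentDetails, new OneGroupSecurityFilter(roles), new AllGroupsSecurityFilter(null, roles), new SharingSecurityFilter(roles, null));
        return new BasicSecuritySystem(interceptor, systemTypes, currentDetails, sessionManager, roles, serviceFactory, new TokenHolder(), filter, new DefaultPolicyService());
    }

    /**
     * Stores the collaborators; performs no validation and no I/O.
     */
    public BasicSecuritySystem(OmeroInterceptor omeroInterceptor, SystemTypes systemTypes, CurrentDetails currentDetails, SessionManager sessionManager, Roles roles, ServiceFactory serviceFactory, TokenHolder tokenHolder, SecurityFilter securityFilter, PolicyService policyService) {
        this.interceptor = omeroInterceptor;
        this.sysTypes = systemTypes;
        this.cd = currentDetails;
        this.sessionManager = sessionManager;
        this.roles = roles;
        this.sf = serviceFactory;
        this.tokenHolder = tokenHolder;
        this.filter = securityFilter;
        this.policyService = policyService;
    }

    /**
     * Captures the {@link OmeroContext} and resolves the {@code shareStore}
     * bean from it. The context is required to be an {@link OmeroContext};
     * anything else fails with a {@link ClassCastException}.
     */
    @Override
    public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
        this.ctx = (OmeroContext) applicationContext;
        this.store = (ShareStore) this.ctx.getBean("shareStore", ShareStore.class);
    }

    /** Pushes {@code principal} onto the current-details stack. */
    @Override
    public void login(Principal principal) {
        this.cd.login(principal);
    }

    /** Pops the current principal; returns whatever {@link CurrentDetails#logout} reports. */
    @Override
    public int logout() {
        return this.cd.logout();
    }

    /** True once a principal has been logged in and the event context loaded. */
    @Override
    public boolean isReady() {
        return this.cd.isReady();
    }

    /** Delegates to {@link SystemTypes}. */
    @Override
    public boolean isSystemType(Class<? extends IObject> cls) {
        return this.sysTypes.isSystemType(cls);
    }

    /** Delegates to {@link CurrentDetails#isOwnerOrSupervisor}. */
    public boolean isOwnerOrSupervisor(IObject iObject) {
        return this.cd.isOwnerOrSupervisor(iObject);
    }

    /**
     * Installs the read filter on a Hibernate session using the current
     * event context.
     *
     * @param obj must be a non-null {@link Session}
     * @throws ApiUsageException if {@code obj} is not a {@link Session}
     *         (a null argument fails the same way) or the system is not ready
     */
    public void enableReadFilter(Object obj) {
        // null instanceof Session is false, so this also rejects null.
        if (!(obj instanceof Session)) {
            throw new ApiUsageException("The Object argument to enableReadFilter in the BasicSystemSecurity implementation must be a  non-null org.hibernate.Session.");
        }
        checkReady("enableReadFilter");
        this.filter.enable((Session) obj, getEventContext());
    }

    /** Re-installs the read filter, e.g. after the event context changed. */
    public void updateReadFilter(Session session) {
        this.filter.disable(session);
        enableReadFilter(session);
    }

    /**
     * Removes the read filter. Unlike {@link #enableReadFilter} there is no
     * type/readiness check: a non-{@link Session} argument fails with a
     * {@link ClassCastException}.
     */
    public void disableReadFilter(Object obj) {
        this.filter.disable((Session) obj);
    }

    /**
     * Marks the given subsystem ids as disabled for the current call.
     *
     * @throws ApiUsageException if no ids are given
     */
    @Override
    public void disable(String... strArr) {
        if (strArr == null || strArr.length == 0) {
            throw new ApiUsageException("Ids should not be empty.");
        }
        this.cd.addAllDisabled(strArr);
    }

    /**
     * Re-enables the given subsystem ids; with no ids, every disabled
     * subsystem is re-enabled.
     */
    @Override
    public void enable(String... strArr) {
        if (strArr == null || strArr.length == 0) {
            this.cd.clearDisabled();
            // Nothing is left to remove, and this avoids handing a null
            // varargs array to removeAllDisabled().
            return;
        }
        this.cd.removeAllDisabled(strArr);
    }

    /**
     * @throws ApiUsageException if {@code str} is null
     */
    @Override
    public boolean isDisabled(String str) {
        if (str == null) {
            throw new ApiUsageException("Id should not be null.");
        }
        return this.cd.isDisabled(str);
    }

    /** Delegates to the interceptor once the system is ready. */
    @Override
    public Details newTransientDetails(IObject iObject) throws ApiUsageException, SecurityViolation {
        checkReady("transientDetails");
        return this.interceptor.newTransientDetails(iObject);
    }

    /** Delegates to the interceptor once the system is ready. */
    @Override
    public Details checkManagedDetails(IObject iObject, Details details) throws ApiUsageException, SecurityViolation {
        checkReady("managedDetails");
        return this.interceptor.checkManagedDetails(iObject, details);
    }

    /** Delegates to {@link CurrentDetails#isGraphCritical} once the system is ready. */
    @Override
    public boolean isGraphCritical(Details details) {
        checkReady("isGraphCritical");
        return this.cd.isGraphCritical(details);
    }

    /** Same as {@link #loadEventContext(boolean, boolean)} with a timed-out session not tolerated. */
    @Override
    public void loadEventContext(boolean z) {
        loadEventContext(z, false);
    }

    /**
     * Resolves the current {@link Principal} to a full event context and
     * stores it in {@link CurrentDetails}, creating the {@link Event} for
     * this call.
     *
     * <p>Authorization point: a caller who is not a system-group member,
     * is not a member of the requested group and whose group does not
     * grant WORLD/READ is rejected with a {@link SecurityViolation}.
     * When no group is requested (negative group id) the event is attributed
     * to the user's first membership, skipping the "user" group when
     * another membership exists.
     *
     * @param z  if true, only unloaded proxies are built and the new
     *           {@link Event} is not persisted (no query/update service calls)
     * @param z2 if true, a {@link SessionTimeoutException} from the session
     *           manager is tolerated and its attached context is used instead
     * @throws SessionTimeoutException if the current context is already
     *         closing, or the session timed out and {@code z2} is false
     * @throws SecurityViolation if no principal is logged in or the caller
     *         may not use the requested group
     */
    public void loadEventContext(boolean z, boolean z2) {
        LocalAdmin localAdmin = (LocalAdmin) this.sf.getAdminService();
        LocalUpdate localUpdate = (LocalUpdate) this.sf.getUpdateService();
        Principal principal = clearAndCheckPrincipal();

        EventContext previous = this.cd.getCurrentEventContext();
        if (previous instanceof BasicSecurityWiring.CloseOnNoSessionContext) {
            throw new SessionTimeoutException("closing", previous);
        }

        EventContext resolved;
        try {
            resolved = this.sessionManager.getEventContext(principal);
        } catch (SessionTimeoutException e) {
            if (!z2) {
                throw e;
            }
            // Caller opted to keep working with the context of a timed-out session.
            resolved = (EventContext) e.sessionContext;
        }
        this.cd.checkAndInitialize(resolved, localAdmin, this.store);
        EventContext current = this.cd.getCurrentEventContext();

        Experimenter experimenter = z
                ? new Experimenter(current.getCurrentUserId(), false)
                : localAdmin.userProxy(current.getCurrentUserId());
        this.tokenHolder.setToken(experimenter.getGraphHolder());

        List<Long> memberOf = current.getMemberOfGroupsList();
        boolean isAdmin = isMemberOfSystemGroup(memberOf);

        Long shareId = current.getCurrentShareId();
        Long groupId = current.getCurrentGroupId();
        ExperimenterGroup callGroup;
        ExperimenterGroup eventGroup;
        Permissions permissions;
        if (groupId.longValue() >= 0) {
            callGroup = localAdmin.groupProxy(groupId);
            eventGroup = callGroup;
            permissions = callGroup.getDetails().getPermissions();
            // Non-admins may only act in a group they belong to, unless the
            // group is world-readable.
            if (!isAdmin && !memberOf.contains(groupId) && !permissions.isGranted(Permissions.Role.WORLD, Permissions.Right.READ)) {
                throw new SecurityViolation(String.format("User %s is not a member of group %s and cannot login", current.getCurrentUserId(), groupId));
            }
        } else {
            long eventGroupId = memberOf.get(0).longValue();
            if (eventGroupId == this.roles.getUserGroupId() && memberOf.size() > 1) {
                eventGroupId = memberOf.get(1).longValue();
            }
            log.debug("Choice for event group: " + eventGroupId);
            eventGroup = localAdmin.getGroup(eventGroupId);
            // The call group keeps the negative id; permissions are a placeholder.
            callGroup = new ExperimenterGroup(groupId, false);
            permissions = Permissions.DUMMY;
        }

        long sessionId = current.getCurrentSessionId().longValue();
        ome.model.meta.Session session = z
                ? new ome.model.meta.Session(Long.valueOf(sessionId), false)
                : this.sf.getQueryService().get(ome.model.meta.Session.class, sessionId);

        this.tokenHolder.setToken(callGroup.getGraphHolder());
        this.cd.setValues(experimenter, callGroup, permissions, isAdmin, z, shareId);

        String eventTypeName = principal.getEventType();
        if (eventTypeName == null) {
            eventTypeName = current.getCurrentEventType();
        }
        EventType eventType = new EventType(eventTypeName);
        this.tokenHolder.setToken(eventType.getGraphHolder());

        Event event = this.cd.newEvent(session, eventType, this.tokenHolder);
        this.tokenHolder.setToken(event.getGraphHolder());
        if (z) {
            return;
        }
        if (event.getExperimenterGroup().getId().longValue() < 0) {
            event.setExperimenterGroup(eventGroup);
        }
        this.cd.updateEvent((Event) localUpdate.saveAndReturnObject(event));
    }

    /** True if {@code memberOf} contains the configured system group id. */
    private boolean isMemberOfSystemGroup(List<Long> memberOf) {
        long systemGroupId = this.roles.getSystemGroupId();
        for (Long groupId : memberOf) {
            if (systemGroupId == groupId.longValue()) {
                return true;
            }
        }
        return false;
    }

    /**
     * Drops any cached event context and returns the innermost principal.
     *
     * @throws SecurityViolation if nobody is logged in
     * @throws InternalException if the principal has no name
     */
    private Principal clearAndCheckPrincipal() {
        invalidateEventContext();
        if (this.cd.size() == 0) {
            throw new SecurityViolation("Principal is null. Not logged in to SecuritySystem.");
        }
        Principal last = this.cd.getLast();
        if (last.getName() == null) {
            throw new InternalException("Principal.name is null. Security system failure.");
        }
        return last;
    }

    /** Records an event log entry for the current event. */
    public void addLog(String str, Class cls, Long l) {
        this.cd.addLog(str, cls, l);
    }

    /** Event log entries recorded so far for the current event. */
    public List<EventLog> getLogs() {
        return this.cd.getLogs();
    }

    /**
     * Publishes the pending event logs (grouped by entity type) as an
     * {@link EventLogsMessage} and, if any user/group/membership entity was
     * touched, a {@link UserGroupUpdateEvent} first; then clears them.
     * Without a context the logs are dropped with an error log line.
     */
    public void clearLogs() {
        if (log.isDebugEnabled()) {
            log.debug("Clearing EventLogs.");
        }
        List<EventLog> logs = getLogs();
        if (!logs.isEmpty()) {
            boolean userOrGroupTouched = false;
            ArrayListMultimap<String, EventLog> byEntityType = ArrayListMultimap.create();
            for (EventLog eventLog : logs) {
                String entityType = eventLog.getEntityType();
                if (isUserOrGroupType(entityType)) {
                    userOrGroupTouched = true;
                }
                byEntityType.put(entityType, eventLog);
            }
            if (this.ctx == null) {
                log.error("No context found for publishing");
            } else {
                if (userOrGroupTouched) {
                    // Lets session caches learn about membership changes.
                    this.ctx.publishEvent(new UserGroupUpdateEvent(this));
                }
                this.ctx.publishEvent(new EventLogsMessage(this, byEntityType));
            }
        }
        this.cd.clearLogs();
    }

    /** True for the entity types whose changes affect group membership. */
    private static boolean isUserOrGroupType(String entityType) {
        return Experimenter.class.getName().equals(entityType)
                || ExperimenterGroup.class.getName().equals(entityType)
                || GroupExperimenterMap.class.getName().equals(entityType);
    }

    /** Discards the cached event context so the next load re-resolves it. */
    @Override
    public void invalidateEventContext() {
        if (log.isDebugEnabled()) {
            log.debug("Invalidating current EventContext.");
        }
        this.cd.invalidateCurrentEventContext();
    }

    /**
     * Runs {@code secureAction} with the graph holders of {@code tArr}
     * (and of their proxy targets) marked privileged, and clears the marks
     * afterwards whether or not the action succeeds.
     *
     * @throws SecurityViolation if a persistent object is not managed by the
     *         current Hibernate session (prevents privileging detached copies)
     */
    @Override
    public <T extends IObject> T doAction(SecureAction secureAction, T... tArr) {
        Assert.notNull(tArr);
        Assert.notEmpty(tArr);
        Assert.notNull(secureAction);
        LocalQuery localQuery = (LocalQuery) this.sf.getQueryService();
        List<GraphHolder> holders = new ArrayList<GraphHolder>();
        for (T t : tArr) {
            if (t.getId() != null && !localQuery.contains(t)) {
                throw new SecurityViolation("Services are not allowed to call doAction() on non-Session-managed entities.");
            }
            if (t instanceof HibernateProxy) {
                // The proxy and its target carry separate graph holders; both need the token.
                IObject target = (IObject) ((HibernateProxy) t).getHibernateLazyInitializer().getImplementation();
                holders.add(target.getGraphHolder());
            }
            holders.add(t.getGraphHolder());
        }
        for (GraphHolder holder : holders) {
            this.tokenHolder.setToken(holder);
        }
        try {
            return (T) secureAction.updateObject(tArr);
        } finally {
            clearTokens(holders);
        }
    }

    /** Removes the privileged token from every holder in {@code holders}. */
    private void clearTokens(List<GraphHolder> holders) {
        for (GraphHolder holder : holders) {
            this.tokenHolder.clearToken(holder);
        }
    }

    /** Same as {@link #runAsAdmin(ExperimenterGroup, AdminAction)} without a group override. */
    @Override
    public void runAsAdmin(AdminAction adminAction) {
        runAsAdmin(null, adminAction);
    }

    /**
     * Runs {@code adminAction} inside a Hibernate callback with the current
     * context temporarily elevated to admin, optionally switched to
     * {@code experimenterGroup}, the merge event listener disabled and the
     * read filter re-enabled for the elevated context.
     *
     * <p>Restoration is split into two {@code finally} steps so that the
     * merge listener is re-enabled and the read filter re-installed even if
     * restoring the admin flag or group throws.
     *
     * @throws ApiUsageException if the system is not ready
     */
    @Override
    public void runAsAdmin(final ExperimenterGroup experimenterGroup, final AdminAction adminAction) {
        Assert.notNull(adminAction);
        checkReady("runAsAdmin");
        ((LocalQuery) this.sf.getQueryService()).execute(new HibernateCallback() {
            public Object doInHibernate(Session session) throws HibernateException, SQLException {
                BasicEventContext current = BasicSecuritySystem.this.cd.current();
                boolean wasAdmin = current.isCurrentUserAdmin();
                ExperimenterGroup previousGroup = current.getGroup();
                try {
                    current.setAdmin(true);
                    if (experimenterGroup != null) {
                        current.setGroup(experimenterGroup, experimenterGroup.getDetails().getPermissions());
                    }
                    BasicSecuritySystem.this.disable(MergeEventListener.MERGE_EVENT);
                    BasicSecuritySystem.this.enableReadFilter(session);
                    adminAction.runAsAdmin();
                } finally {
                    try {
                        current.setAdmin(wasAdmin);
                        if (experimenterGroup != null) {
                            current.setGroup(previousGroup, previousGroup.getDetails().getPermissions());
                        }
                    } finally {
                        BasicSecuritySystem.this.enable(MergeEventListener.MERGE_EVENT);
                        BasicSecuritySystem.this.enableReadFilter(session);
                    }
                }
                return null;
            }
        });
    }

    /** Copies the privileged token from {@code iObject} to {@code iObject2}. */
    public void copyToken(IObject iObject, IObject iObject2) {
        this.tokenHolder.copyToken(iObject, iObject2);
    }

    /** Delegates to {@link TokenHolder#hasPrivilegedToken}. */
    @Override
    public boolean hasPrivilegedToken(IObject iObject) {
        return this.tokenHolder.hasPrivilegedToken(iObject);
    }

    /** Delegates to the {@link PolicyService}. */
    @Override
    public void checkRestriction(String str, IObject iObject) {
        this.policyService.checkRestriction(str, iObject);
    }

    @Override
    public Roles getSecurityRoles() {
        return this.roles;
    }

    /**
     * Returns the current event context.
     *
     * @param z if true, the context is reloaded from the session manager by
     *          session UUID rather than returned from {@link CurrentDetails}
     */
    @Override
    public EventContext getEventContext(boolean z) {
        EventContext eventContext = this.cd.getCurrentEventContext();
        if (!z) {
            return eventContext;
        }
        return this.sessionManager.reload(eventContext.getCurrentSessionUuid());
    }

    /** Cached event context, no reload. */
    @Override
    public EventContext getEventContext() {
        return getEventContext(false);
    }

    /**
     * The user id on whose behalf the call is effectively made: the current
     * user when no share is active, the share session's owner when a share
     * is active, and {@code null} for a negative share id.
     */
    @Override
    public Long getEffectiveUID() {
        EventContext eventContext = getEventContext();
        Long shareId = eventContext.getCurrentShareId();
        if (shareId == null) {
            return eventContext.getCurrentUserId();
        }
        if (shareId.longValue() < 0) {
            return null;
        }
        return this.sf.getQueryService().get(ome.model.meta.Session.class, shareId.longValue()).getOwner().getId();
    }

    /**
     * @param str name of the operation, included in the error message
     * @throws ApiUsageException if {@link #isReady()} is false
     */
    protected void checkReady(String str) {
        if (!isReady()) {
            throw new ApiUsageException("The security system is not ready.\nCannot execute: " + str);
        }
    }

    /** Records one log entry per entity id carried by the message; ignores null messages. */
    @Override
    public void onApplicationEvent(EventLogMessage eventLogMessage) {
        if (eventLogMessage == null) {
            return;
        }
        for (Long entityId : eventLogMessage.entityIds) {
            addLog(eventLogMessage.action, eventLogMessage.entityType, entityId);
        }
    }
}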
