package ome.logic;

import com.google.common.base.Predicates;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterators;
import com.google.common.collect.Sets;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.persistence.PrimaryKeyJoinColumn;
import javax.persistence.Table;
import ome.annotations.NotNull;
import ome.annotations.PermitAll;
import ome.annotations.RolesAllowed;
import ome.api.IAdmin;
import ome.api.RawFileStore;
import ome.api.ServiceInterface;
import ome.api.local.LocalAdmin;
import ome.conditions.ApiUsageException;
import ome.conditions.AuthenticationException;
import ome.conditions.InternalException;
import ome.conditions.SecurityViolation;
import ome.conditions.ValidationException;
import ome.model.IGlobal;
import ome.model.IObject;
import ome.model.annotations.ExperimenterAnnotationLink;
import ome.model.annotations.FileAnnotation;
import ome.model.core.Image;
import ome.model.core.OriginalFile;
import ome.model.core.Pixels;
import ome.model.enums.AdminPrivilege;
import ome.model.enums.ChecksumAlgorithm;
import ome.model.internal.NamedValue;
import ome.model.internal.Permissions;
import ome.model.meta.Experimenter;
import ome.model.meta.ExperimenterGroup;
import ome.model.meta.GroupExperimenterMap;
import ome.parameters.Parameters;
import ome.security.ACLVoter;
import ome.security.AdminAction;
import ome.security.ChmodStrategy;
import ome.security.SecureAction;
import ome.security.auth.PasswordChangeException;
import ome.security.auth.PasswordProvider;
import ome.security.auth.PasswordUtil;
import ome.security.auth.RoleProvider;
import ome.security.basic.LightAdminPrivileges;
import ome.services.query.Definitions;
import ome.services.query.Query;
import ome.services.query.QueryParameterDef;
import ome.services.sessions.events.UserGroupUpdateEvent;
import ome.system.EventContext;
import ome.system.OmeroContext;
import ome.system.Roles;
import ome.system.SimpleEventContext;
import ome.tools.hibernate.QueryBuilder;
import ome.tools.hibernate.SecureMerge;
import ome.tools.hibernate.SessionFactory;
import ome.util.CBlock;
import ome.util.SqlAction;
import ome.util.Utils;
import ome.util.checksum.ChecksumProviderFactory;
import ome.util.checksum.ChecksumType;
import org.apache.commons.collections.CollectionUtils;
import org.hibernate.Criteria;
import org.hibernate.HibernateException;
import org.hibernate.Session;
import org.hibernate.criterion.Restrictions;
import org.slf4j.Logger;
import org.springframework.beans.BeansException;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
import org.springframework.mail.MailSender;
import org.springframework.mail.SimpleMailMessage;
import org.springframework.orm.hibernate3.HibernateCallback;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.util.Assert;

@Transactional(readOnly = true)
/* loaded from: input_file:ome/logic/AdminImpl.class */
public class AdminImpl extends AbstractLevel2Service implements LocalAdmin, ApplicationContextAware {
    protected final SqlAction sql;
    protected final SessionFactory osf;
    protected final MailSender mailSender;
    protected final SimpleMailMessage templateMessage;
    protected final ACLVoter aclVoter;
    protected final PasswordProvider passwordProvider;
    protected final RoleProvider roleProvider;
    protected final PasswordUtil passwordUtil;
    protected final LdapImpl ldapUtil;
    protected final ChmodStrategy chmod;
    protected final ChecksumProviderFactory cpf;
    protected final LightAdminPrivileges adminPrivileges;
    protected OmeroContext context;
    protected static final String NSEXPERIMENTERPHOTO = "openmicroscopy.org/omero/experimenter/photo";

    /* loaded from: input_file:ome/logic/AdminImpl$BaseQ.class */
    static abstract class BaseQ<T> extends Query<T> {
        static Definitions defs = new Definitions(new QueryParameterDef("name", String.class, true), new QueryParameterDef("id", Long.class, true));

        public BaseQ(Parameters parameters) {
            super(defs, new Parameters().unique().addAll(parameters));
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:ome/logic/AdminImpl$GroupQ.class */
    public static class GroupQ extends BaseQ<ExperimenterGroup> {
        public GroupQ(Parameters parameters) {
            super(parameters);
        }

        @Override // ome.services.query.Query
        protected void buildQuery(Session session) throws HibernateException, SQLException {
            QueryBuilder queryBuilder = new QueryBuilder();
            queryBuilder.select("g");
            queryBuilder.from("ExperimenterGroup", "g");
            queryBuilder.join("g.groupExperimenterMap", "m", true, true);
            queryBuilder.join("m.child", "user", true, true);
            queryBuilder.where();
            Object value = value("name");
            Object value2 = value("id");
            if (value != null) {
                queryBuilder.and("g.name = :name");
                queryBuilder.param("name", value);
            } else {
                if (value2 == null) {
                    throw new InternalException("Name and id are both null for group query.");
                }
                queryBuilder.and("g.id = :id");
                queryBuilder.param("id", value2);
            }
            setQuery(queryBuilder.query(session));
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:ome/logic/AdminImpl$UserQ.class */
    public static class UserQ extends BaseQ<Experimenter> {
        public UserQ(Parameters parameters) {
            super(parameters);
        }

        @Override // ome.services.query.Query
        protected void buildQuery(Session session) throws HibernateException, SQLException {
            Criteria createCriteria = session.createCriteria(Experimenter.class);
            createCriteria.createCriteria("groupExperimenterMap", 1).createCriteria("parent", 1);
            if (value("name") != null) {
                createCriteria.add(Restrictions.eq("omeName", value("name")));
            } else {
                if (value("id") == null) {
                    throw new InternalException("Name and id are both null for user query.");
                }
                createCriteria.add(Restrictions.eq("id", value("id")));
            }
            setCriteria(createCriteria);
        }
    }

    public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
        this.context = (OmeroContext) applicationContext;
    }

    public AdminImpl(SqlAction sqlAction, SessionFactory sessionFactory, MailSender mailSender, SimpleMailMessage simpleMailMessage, ACLVoter aCLVoter, PasswordProvider passwordProvider, RoleProvider roleProvider, LdapImpl ldapImpl, PasswordUtil passwordUtil, ChmodStrategy chmodStrategy, ChecksumProviderFactory checksumProviderFactory, LightAdminPrivileges lightAdminPrivileges) {
        this.sql = sqlAction;
        this.osf = sessionFactory;
        this.mailSender = mailSender;
        this.templateMessage = simpleMailMessage;
        this.aclVoter = aCLVoter;
        this.passwordProvider = passwordProvider;
        this.roleProvider = roleProvider;
        this.ldapUtil = ldapImpl;
        this.passwordUtil = passwordUtil;
        this.chmod = chmodStrategy;
        this.cpf = checksumProviderFactory;
        this.adminPrivileges = lightAdminPrivileges;
    }

    public Class<? extends ServiceInterface> getServiceInterface() {
        return IAdmin.class;
    }

    @Override // ome.api.local.LocalAdmin
    @RolesAllowed({"user"})
    public Experimenter userProxy(Long l) {
        if (l == null) {
            throw new ApiUsageException("Id argument cannot be null.");
        }
        return this.iQuery.get(Experimenter.class, l.longValue());
    }

    @Override // ome.api.local.LocalAdmin
    @RolesAllowed({"user"})
    public Experimenter userProxy(String str) {
        if (str == null) {
            throw new ApiUsageException("omeName argument cannot be null.");
        }
        Experimenter findByString = this.iQuery.findByString(Experimenter.class, "omeName", this.roleProvider.isIgnoreCaseLookup() ? str.toLowerCase() : str);
        if (findByString == null) {
            throw new ApiUsageException("No such experimenter: " + str);
        }
        return findByString;
    }

    @Override // ome.api.local.LocalAdmin
    @RolesAllowed({"user"})
    public ExperimenterGroup groupProxy(Long l) {
        if (l == null) {
            throw new ApiUsageException("Id argument cannot be null.");
        }
        return this.iQuery.get(ExperimenterGroup.class, l.longValue());
    }

    @Override // ome.api.local.LocalAdmin
    @RolesAllowed({"user"})
    public ExperimenterGroup groupProxy(String str) {
        if (str == null) {
            throw new ApiUsageException("groupName argument cannot be null.");
        }
        ExperimenterGroup findByString = this.iQuery.findByString(ExperimenterGroup.class, "name", str);
        if (findByString == null) {
            throw new ApiUsageException("No such group: " + str);
        }
        return findByString;
    }

    @RolesAllowed({"user"})
    public List<Long> getLeaderOfGroupIds(Experimenter experimenter) {
        Assert.notNull(experimenter);
        Assert.notNull(experimenter.getId());
        final QueryBuilder queryBuilder = new QueryBuilder();
        queryBuilder.select("g.id").from("ExperimenterGroup", "g");
        queryBuilder.join("g.groupExperimenterMap", "m", false, false);
        queryBuilder.where();
        queryBuilder.and("m.owner = true");
        queryBuilder.and("m.parent.id = g.id");
        queryBuilder.and("m.child.id = :id");
        queryBuilder.param("id", experimenter.getId());
        return (List) this.iQuery.execute(new HibernateCallback<List<Long>>() { // from class: ome.logic.AdminImpl.1
            /* renamed from: doInHibernate, reason: merged with bridge method [inline-methods] */
            public List<Long> m2doInHibernate(Session session) throws HibernateException, SQLException {
                return queryBuilder.query(session).list();
            }
        });
    }

    @RolesAllowed({"user"})
    public List<Long> getMemberOfGroupIds(Experimenter experimenter) {
        return getGroupField(experimenter, "id");
    }

    @Override // ome.api.local.LocalAdmin
    @RolesAllowed({"user"})
    public List<String> getUserRoles(Experimenter experimenter) {
        return getGroupField(experimenter, "name");
    }

    private List getGroupField(final Experimenter experimenter, final String str) {
        Assert.notNull(experimenter);
        Assert.notNull(experimenter.getId());
        return (List) this.iQuery.execute(new HibernateCallback() { // from class: ome.logic.AdminImpl.2
            public Object doInHibernate(Session session) throws HibernateException, SQLException {
                org.hibernate.Query createQuery = session.createQuery("select m.parent." + str + " from Experimenter e join e.groupExperimenterMap m where e.id = :id order by index(m)");
                createQuery.setParameter("id", experimenter.getId());
                return createQuery.list();
            }
        });
    }

    @Override // ome.api.local.LocalAdmin
    @RolesAllowed({"user"})
    public boolean canAnnotate(IObject iObject) {
        if (iObject == null) {
            throw new ApiUsageException("Argument cannot be null");
        }
        IObject iObject2 = this.iQuery.get(Utils.trueClass(iObject.getClass()), iObject.getId().longValue());
        return this.aclVoter.allowAnnotate(iObject2, iObject2.getDetails());
    }

    @RolesAllowed({"user"})
    public boolean canUpdate(IObject iObject) {
        if (iObject == null) {
            throw new ApiUsageException("Argument cannot be null");
        }
        IObject iObject2 = this.iQuery.get(Utils.trueClass(iObject.getClass()), iObject.getId().longValue());
        return this.aclVoter.allowUpdate(iObject2, iObject2.getDetails());
    }

    @RolesAllowed({"user"})
    public Experimenter getExperimenter(long j) {
        Experimenter experimenter = (Experimenter) this.iQuery.execute((Query) new UserQ(new Parameters().addId(Long.valueOf(j))));
        if (experimenter == null) {
            throw new ApiUsageException("No such experimenter: " + j);
        }
        return experimenter;
    }

    @RolesAllowed({"user"})
    public Experimenter lookupExperimenter(String str) {
        Experimenter experimenter = (Experimenter) this.iQuery.execute((Query) new UserQ(new Parameters().addString("name", this.roleProvider.isIgnoreCaseLookup() ? str.toLowerCase() : str)));
        if (experimenter == null) {
            throw new ApiUsageException("No such experimenter: " + str);
        }
        return experimenter;
    }

    @RolesAllowed({"user"})
    public List<Experimenter> lookupExperimenters() {
        return this.iQuery.findAllByQuery("select distinct e from Experimenter e left outer join fetch e.groupExperimenterMap m left outer join fetch m.parent g", null);
    }

    @RolesAllowed({"user"})
    public List<Map<String, Object>> lookupLdapAuthExperimenters() {
        return this.ldapUtil.lookupLdapAuthExperimenters();
    }

    @RolesAllowed({"user"})
    public String lookupLdapAuthExperimenter(long j) {
        return this.ldapUtil.lookupLdapAuthExperimenter(Long.valueOf(j));
    }

    @RolesAllowed({"user"})
    public ExperimenterGroup getGroup(long j) {
        ExperimenterGroup experimenterGroup = (ExperimenterGroup) this.iQuery.execute((Query) new GroupQ(new Parameters().addId(Long.valueOf(j))));
        if (experimenterGroup == null) {
            throw new ApiUsageException("No such group: " + j);
        }
        return experimenterGroup;
    }

    @RolesAllowed({"user"})
    public ExperimenterGroup lookupGroup(String str) {
        ExperimenterGroup experimenterGroup = (ExperimenterGroup) this.iQuery.execute((Query) new GroupQ(new Parameters().addString("name", str)));
        if (experimenterGroup == null) {
            throw new ApiUsageException("No such group: " + str);
        }
        return experimenterGroup;
    }

    @RolesAllowed({"user"})
    public List<ExperimenterGroup> lookupGroups() {
        return this.iQuery.findAllByQuery("select distinct g from ExperimenterGroup g left outer join fetch g.groupExperimenterMap m left outer join fetch m.child u left outer join fetch u.groupExperimenterMap m2 left outer join fetch m2.parent", null);
    }

    @RolesAllowed({"user"})
    public Experimenter[] containedExperimenters(long j) {
        List findAllByQuery = this.iQuery.findAllByQuery("select distinct e from Experimenter as e join fetch e.groupExperimenterMap as map join fetch map.parent g where e.id in   (select m.child from GroupExperimenterMap m   where m.parent.id = :id )", new Parameters().addId(Long.valueOf(j)));
        return (Experimenter[]) findAllByQuery.toArray(new Experimenter[findAllByQuery.size()]);
    }

    @RolesAllowed({"user"})
    public ExperimenterGroup[] containedGroups(long j) {
        List findAllByQuery = this.iQuery.findAllByQuery("select distinct g from ExperimenterGroup as g join fetch g.groupExperimenterMap as map join fetch map.parent e left outer join fetch map.child u left outer join fetch u.groupExperimenterMap m2 where g.id in   (select m.parent from GroupExperimenterMap m   where m.child.id = :id )", new Parameters().addId(Long.valueOf(j)));
        return (ExperimenterGroup[]) findAllByQuery.toArray(new ExperimenterGroup[findAllByQuery.size()]);
    }

    @RolesAllowed({"system"})
    @Transactional(readOnly = false)
    public void synchronizeLoginCache() {
        Logger logger = getBeanHelper().getLogger();
        List<Map<String, Object>> lookupLdapAuthExperimenters = this.ldapUtil.lookupLdapAuthExperimenters();
        if (lookupLdapAuthExperimenters.size() > 0) {
            logger.info("Synchronizing " + lookupLdapAuthExperimenters.size() + " ldap user(s)");
        }
        for (Map<String, Object> map : lookupLdapAuthExperimenters) {
            String str = (String) map.get("dn");
            try {
                this.ldapUtil.synchronizeLdapUser(userProxy((Long) map.get("experimenter_id")).getOmeName());
            } catch (Exception e) {
                logger.error("synchronizeLdapUser:" + map, e);
            } catch (ApiUsageException e2) {
                logger.debug("User not found: " + str);
            }
        }
        this.context.publishEvent(new UserGroupUpdateEvent(this));
    }

    @RolesAllowed({"user"})
    @Transactional(readOnly = false)
    public void updateSelf(@NotNull Experimenter experimenter) {
        Experimenter experimenter2 = getExperimenter(getSecuritySystem().getEventContext().getCurrentUserId().longValue());
        experimenter2.setFirstName(experimenter.getFirstName());
        experimenter2.setMiddleName(experimenter.getMiddleName());
        experimenter2.setLastName(experimenter.getLastName());
        experimenter2.setEmail(experimenter.getEmail());
        experimenter2.setInstitution(experimenter.getInstitution());
        getSecuritySystem().runAsAdmin(new AdminAction() { // from class: ome.logic.AdminImpl.3
            @Override // ome.security.AdminAction
            public void runAsAdmin() {
                AdminImpl.this.iUpdate.flush();
            }
        });
        getBeanHelper().getLogger().info("Updated own user info: " + experimenter2.getOmeName());
    }

    public List<OriginalFile> getMyUserPhotos() {
        Parameters parameters = new Parameters();
        parameters.addId(getEventContext().getCurrentUserId());
        parameters.addString("ns", NSEXPERIMENTERPHOTO);
        return this.iQuery.findAllByQuery("select f from Experimenter e join e.annotationLinks l join l.child a join a.file f where e.id = :id and a.ns = :ns", parameters);
    }

    @RolesAllowed({"user"})
    @Transactional(readOnly = false)
    public long uploadMyUserPhoto(String str, String str2, byte[] bArr) {
        IObject iObject;
        Long currentUserId = getEventContext().getCurrentUserId();
        List<OriginalFile> myUserPhotos = getMyUserPhotos();
        OriginalFile originalFile = null;
        if (myUserPhotos.size() > 0) {
            originalFile = myUserPhotos.get(0);
        }
        if (originalFile == null) {
            OriginalFile originalFile2 = new OriginalFile();
            originalFile2.setName(str);
            originalFile2.setPath(str);
            originalFile2.setSize(Long.valueOf(bArr.length));
            originalFile2.setHasher(new ChecksumAlgorithm("SHA1-160"));
            originalFile2.setHash(this.cpf.getProvider(ChecksumType.SHA1).putBytes(bArr).checksumAsString());
            originalFile2.setMimetype(str2);
            FileAnnotation fileAnnotation = new FileAnnotation();
            fileAnnotation.setNs(NSEXPERIMENTERPHOTO);
            fileAnnotation.setFile(originalFile2);
            IObject experimenterAnnotationLink = new ExperimenterAnnotationLink();
            experimenterAnnotationLink.link(new Experimenter(currentUserId, false), fileAnnotation);
            ExperimenterAnnotationLink saveAndReturnObject = this.iUpdate.saveAndReturnObject(experimenterAnnotationLink);
            FileAnnotation child = saveAndReturnObject.getChild();
            iObject = child.getFile();
            internalMoveToCommonSpace(iObject);
            internalMoveToCommonSpace(child);
            internalMoveToCommonSpace(saveAndReturnObject);
        } else {
            originalFile.setName(str);
            originalFile.setPath(str);
            originalFile.setMimetype(str2);
            iObject = (OriginalFile) this.iUpdate.saveAndReturnObject(originalFile);
        }
        RawFileStore rawFileStore = (RawFileStore) this.context.getBean("internal-ome.api.RawFileStore", RawFileStore.class);
        try {
            rawFileStore.setFileId(iObject.getId().longValue());
            rawFileStore.write(bArr, 0L, bArr.length);
            OriginalFile save = rawFileStore.save();
            rawFileStore.close();
            return save.getId().longValue();
        } catch (Throwable th) {
            rawFileStore.close();
            throw th;
        }
    }

    @RolesAllowed({"user"})
    @Transactional(readOnly = false)
    public void updateExperimenter(@NotNull Experimenter experimenter) {
        try {
            adminOrPiOfUser(experimenter);
            String omeName = experimenter.getOmeName();
            copyAndSaveExperimenter(experimenter);
            getBeanHelper().getLogger().info("Updated user info for " + omeName);
        } catch (SecurityViolation e) {
            if (!getEventContext().getCurrentUserId().equals(experimenter.getId())) {
                throw e;
            }
            updateSelf(experimenter);
        }
    }

    @RolesAllowed({"user"})
    @Transactional(readOnly = false)
    public void updateExperimenterWithPassword(@NotNull Experimenter experimenter, String str) {
        adminOrPiOfUser(experimenter);
        copyAndSaveExperimenter(experimenter);
        String omeName = userProxy(experimenter.getId()).getOmeName();
        changeUserPassword(omeName, str);
        getBeanHelper().getLogger().info("Updated user info and password for " + omeName);
    }

    private void copyAndSaveExperimenter(Experimenter experimenter) {
        Experimenter userProxy = userProxy(experimenter.getId());
        String omeName = userProxy.getOmeName();
        String omeName2 = experimenter.getOmeName();
        if (!omeName.equals(omeName2)) {
            Roles securityRoles = getSecurityRoles();
            ImmutableSet of = ImmutableSet.of(securityRoles.getRootName(), securityRoles.getGuestName());
            if (of.contains(omeName)) {
                throw new ValidationException("cannot change name of special experimenter '" + omeName + "'");
            }
            if (of.contains(omeName2)) {
                throw new ValidationException("cannot change name to special experimenter '" + omeName2 + "'");
            }
        }
        userProxy.setOmeName(omeName2);
        userProxy.setEmail(experimenter.getEmail());
        userProxy.setFirstName(experimenter.getFirstName());
        userProxy.setMiddleName(experimenter.getMiddleName());
        userProxy.setLastName(experimenter.getLastName());
        userProxy.setInstitution(experimenter.getInstitution());
        reallySafeSave(userProxy);
    }

    @RolesAllowed({"user"})
    @Transactional(readOnly = false)
    public void updateGroup(@NotNull ExperimenterGroup experimenterGroup) {
        adminOrPiOfGroups(this.adminPrivileges.getPrivilege("ModifyGroup"), experimenterGroup);
        Permissions permissions = experimenterGroup.getDetails().getPermissions();
        if (permissions != null) {
            changePermissions(experimenterGroup, permissions);
        }
        ExperimenterGroup group = getGroup(experimenterGroup.getId().longValue());
        String name = group.getName();
        String name2 = experimenterGroup.getName();
        if (!name.equals(name2)) {
            Roles securityRoles = getSecurityRoles();
            ImmutableSet of = ImmutableSet.of(securityRoles.getGuestGroupName(), securityRoles.getSystemGroupName(), securityRoles.getUserGroupName());
            if (of.contains(name)) {
                throw new ValidationException("cannot change name of special group '" + name + "'");
            }
            if (of.contains(name2)) {
                throw new ValidationException("cannot change name to special group '" + name2 + "'");
            }
            if (experimenterGroup.getId().equals(getEventContext().getCurrentGroupId())) {
                throw new ValidationException("cannot rename the current group context '" + name + "'");
            }
        }
        group.setName(name2);
        group.setDescription(experimenterGroup.getDescription());
        reallySafeSave(group);
        getBeanHelper().getLogger().info("Updated group info for " + experimenterGroup);
    }

    @RolesAllowed({"user"})
    @Transactional(readOnly = false)
    public long createUser(Experimenter experimenter, String str) {
        return createExperimenter(experimenter, groupProxy(str), groupProxy(this.sec.getSecurityRoles().getUserGroupName()));
    }

    @RolesAllowed({"system"})
    @Transactional(readOnly = false)
    public long createSystemUser(Experimenter experimenter) {
        return createExperimenter(experimenter, groupProxy(this.sec.getSecurityRoles().getSystemGroupName()), groupProxy(this.sec.getSecurityRoles().getUserGroupName()));
    }

    private long createSystemUserWithPassword(Experimenter experimenter, String str) {
        return createExperimenterWithPassword(experimenter, str, groupProxy(this.sec.getSecurityRoles().getSystemGroupName()), groupProxy(this.sec.getSecurityRoles().getUserGroupName()));
    }

    private List<NamedValue> getRestrictedSystemUserConfig(Collection<AdminPrivilege> collection) {
        assertKnownPrivileges(collection);
        ArrayList arrayList = new ArrayList();
        Iterator it = LightAdminPrivileges.getAllPrivileges().iterator();
        while (it.hasNext()) {
            AdminPrivilege adminPrivilege = (AdminPrivilege) it.next();
            if (!collection.contains(adminPrivilege)) {
                arrayList.add(new NamedValue(this.adminPrivileges.getConfigNameForPrivilege(adminPrivilege), Boolean.toString(false)));
            }
        }
        return arrayList;
    }

    @RolesAllowed({"system"})
    @Transactional(readOnly = false)
    public long createRestrictedSystemUser(Experimenter experimenter, List<AdminPrivilege> list) {
        experimenter.setConfig(getRestrictedSystemUserConfig(list));
        return createSystemUser(experimenter);
    }

    @RolesAllowed({"system"})
    @Transactional(readOnly = false)
    public long createRestrictedSystemUserWithPassword(Experimenter experimenter, List<AdminPrivilege> list, String str) {
        experimenter.setConfig(getRestrictedSystemUserConfig(list));
        return createSystemUserWithPassword(experimenter, str);
    }

    @RolesAllowed({"user"})
    @Transactional(readOnly = false)
    public long createExperimenter(Experimenter experimenter, ExperimenterGroup experimenterGroup, ExperimenterGroup... experimenterGroupArr) {
        adminOrPiOfNonUserGroups(experimenterGroup, experimenterGroupArr);
        long createExperimenter = this.roleProvider.createExperimenter(experimenter, experimenterGroup, experimenterGroupArr);
        changeUserPassword(experimenter.getOmeName(), " ");
        assertNoPrivilegeElevation(new Experimenter(Long.valueOf(createExperimenter), false), Collections.emptySet());
        getBeanHelper().getLogger().info("Created user with blank password: " + experimenter.getOmeName());
        return createExperimenter;
    }

    @RolesAllowed({"user"})
    @Transactional(readOnly = false)
    public long createExperimenterWithPassword(Experimenter experimenter, String str, ExperimenterGroup experimenterGroup, ExperimenterGroup... experimenterGroupArr) {
        adminOrPiOfNonUserGroups(experimenterGroup, experimenterGroupArr);
        long createExperimenter = this.roleProvider.createExperimenter(experimenter, experimenterGroup, experimenterGroupArr);
        changeUserPassword(experimenter.getOmeName(), str);
        assertNoPrivilegeElevation(new Experimenter(Long.valueOf(createExperimenter), false), Collections.emptySet());
        getBeanHelper().getLogger().info("Created user with password: " + experimenter.getOmeName());
        return createExperimenter;
    }

    @RolesAllowed({"system"})
    @Transactional(readOnly = false)
    public long createGroup(ExperimenterGroup experimenterGroup) {
        if (!getCurrentAdminPrivilegesForSession().contains(this.adminPrivileges.getPrivilege("ModifyGroup"))) {
            throwNonAdminOrPi();
        }
        long createGroup = this.roleProvider.createGroup(experimenterGroup);
        getBeanHelper().getLogger().info("Created group: " + experimenterGroup.getName());
        return createGroup;
    }

    @RolesAllowed({"user"})
    @Transactional(readOnly = false)
    public void addGroups(Experimenter experimenter, ExperimenterGroup... experimenterGroupArr) {
        if (experimenterGroupArr == null || experimenterGroupArr.length == 0) {
            throw new ValidationException("Nothing to do.");
        }
        assertManaged(experimenter);
        for (ExperimenterGroup experimenterGroup : experimenterGroupArr) {
            assertManaged(experimenterGroup);
        }
        ImmutableSet copyOf = ImmutableSet.copyOf(getAdminPrivileges(experimenter));
        adminOrPiOfGroups(this.adminPrivileges.getPrivilege("ModifyGroupMembership"), experimenterGroupArr);
        this.roleProvider.addGroups(experimenter, experimenterGroupArr);
        assertNoPrivilegeElevation(experimenter, copyOf);
        getBeanHelper().getLogger().info(String.format("Added user %s to groups %s", userProxy(experimenter.getId()).getOmeName(), Arrays.asList(experimenterGroupArr)));
    }

    @RolesAllowed({"user"})
    @Transactional(readOnly = false)
    public void removeGroups(Experimenter experimenter, ExperimenterGroup... experimenterGroupArr) {
        if (experimenter == null || experimenterGroupArr == null) {
            return;
        }
        adminOrPiOfGroups(this.adminPrivileges.getPrivilege("ModifyGroupMembership"), experimenterGroupArr);
        Roles securityRoles = getSecurityRoles();
        boolean any = Iterators.any(Iterators.forArray(experimenterGroupArr), Predicates.or(securityRoles.IS_SYSTEM_GROUP, securityRoles.IS_USER_GROUP));
        if (any && securityRoles.isRootUser(experimenter)) {
            throw new ValidationException("experimenter '" + securityRoles.getRootName() + "' may not be removed from the '" + securityRoles.getSystemGroupName() + "' or '" + securityRoles.getUserGroupName() + "' group");
        }
        boolean equals = getEventContext().getCurrentUserId().equals(experimenter.getId());
        if (any && equals) {
            throw new ValidationException("experimenters may not remove themselves from the '" + securityRoles.getSystemGroupName() + "' or '" + securityRoles.getUserGroupName() + "' group");
        }
        Experimenter userProxy = userProxy(experimenter.getId());
        HashSet hashSet = new HashSet();
        Iterator it = userProxy.collectGroupExperimenterMap((CBlock) null).iterator();
        while (it.hasNext()) {
            hashSet.add(((GroupExperimenterMap) it.next()).parent().getId());
        }
        for (ExperimenterGroup experimenterGroup : experimenterGroupArr) {
            hashSet.remove(experimenterGroup.getId());
        }
        if (hashSet.isEmpty()) {
            throw new ValidationException("experimenter must remain a member of some group");
        }
        if (hashSet.equals(Collections.singleton(Long.valueOf(securityRoles.getUserGroupId())))) {
            throw new ValidationException("experimenter cannot be a member of only the '" + securityRoles.getUserGroupName() + "' group, a different default group is also required");
        }
        this.roleProvider.removeGroups(experimenter, experimenterGroupArr);
        getBeanHelper().getLogger().info(String.format("Removed user %s from groups %s", experimenter, experimenterGroupArr));
    }

    @RolesAllowed({"user"})
    @Transactional(readOnly = false)
    public void setDefaultGroup(Experimenter experimenter, ExperimenterGroup experimenterGroup) {
        if (experimenter == null || experimenterGroup == null) {
            return;
        }
        if (experimenterGroup.getId() == null) {
            throw new ApiUsageException("Group argument to setDefaultGroup must be managed (i.e. have an id)");
        }
        EventContext eventContext = getSecuritySystem().getEventContext();
        if ((!isAdmin() || !getCurrentAdminPrivilegesForSession().contains(this.adminPrivileges.getPrivilege("ModifyUser"))) && !eventContext.getCurrentUserId().equals(experimenter.getId())) {
            throw new SecurityViolation("User " + experimenter.getId() + " can only set own default group.");
        }
        Roles securityRoles = getSecuritySystem().getSecurityRoles();
        if (Long.valueOf(securityRoles.getUserGroupId()).equals(experimenterGroup.getId())) {
            throw new ApiUsageException("Cannot set default group to: " + securityRoles.getUserGroupName());
        }
        this.roleProvider.setDefaultGroup(experimenter, experimenterGroup);
        getBeanHelper().getLogger().info(String.format("Changing default group for %s to %s", experimenter, experimenterGroup));
    }

    @RolesAllowed({"user"})
    @Transactional(readOnly = false)
    public void setGroupOwner(ExperimenterGroup experimenterGroup, Experimenter experimenter) {
        adminOrPiOfGroups(this.adminPrivileges.getPrivilege("ModifyGroupMembership"), experimenterGroup);
        toggleGroupOwner(experimenterGroup, experimenter, Boolean.TRUE);
    }

    @RolesAllowed({"user"})
    @Transactional(readOnly = false)
    public void unsetGroupOwner(ExperimenterGroup experimenterGroup, Experimenter experimenter) {
        adminOrPiOfGroups(this.adminPrivileges.getPrivilege("ModifyGroupMembership"), experimenterGroup);
        toggleGroupOwner(experimenterGroup, experimenter, Boolean.FALSE);
    }

    @RolesAllowed({"user"})
    @Transactional(readOnly = false)
    public void addGroupOwners(ExperimenterGroup experimenterGroup, Experimenter... experimenterArr) {
        adminOrPiOfGroups(this.adminPrivileges.getPrivilege("ModifyGroupMembership"), experimenterGroup);
        for (Experimenter experimenter : experimenterArr) {
            toggleGroupOwner(experimenterGroup, experimenter, Boolean.TRUE);
        }
    }

    @RolesAllowed({"user"})
    @Transactional(readOnly = false)
    public void removeGroupOwners(ExperimenterGroup experimenterGroup, Experimenter... experimenterArr) {
        adminOrPiOfGroups(this.adminPrivileges.getPrivilege("ModifyGroupMembership"), experimenterGroup);
        for (Experimenter experimenter : experimenterArr) {
            toggleGroupOwner(experimenterGroup, experimenter, Boolean.FALSE);
        }
    }

    private void toggleGroupOwner(ExperimenterGroup experimenterGroup, Experimenter experimenter, Boolean bool) {
        if (experimenter == null || experimenterGroup == null) {
            return;
        }
        if (experimenterGroup.getId() == null) {
            throw new ApiUsageException("Group argument to setGroupOwner must be managed (i.e. have an id)");
        }
        if (experimenter.getId() == null) {
            throw new ApiUsageException("Owner argument to setGroupOwner must be managed (i.e. have an id)");
        }
        GroupExperimenterMap findLink = findLink(experimenterGroup, experimenter);
        if (findLink == null) {
            addGroups(experimenter, experimenterGroup);
            findLink = findLink(experimenterGroup, experimenter);
        }
        findLink.setOwner(bool);
        getSecuritySystem().runAsAdmin(new AdminAction() { // from class: ome.logic.AdminImpl.4
            @Override // ome.security.AdminAction
            public void runAsAdmin() {
                AdminImpl.this.iUpdate.flush();
            }
        });
        Logger logger = getBeanHelper().getLogger();
        Object[] objArr = new Object[3];
        objArr[0] = bool.booleanValue() ? "Setting" : "Unsetting";
        objArr[1] = experimenter.getId();
        objArr[2] = experimenterGroup.getId();
        logger.info(String.format("%s user %s as owner of group %s", objArr));
    }

    private GroupExperimenterMap findLink(ExperimenterGroup experimenterGroup, Experimenter experimenter) {
        return this.iQuery.findByQuery("select m from GroupExperimenterMap m where m.parent.id = :pid and m.child.id = :cid", new Parameters().addLong("pid", experimenterGroup.getId()).addLong("cid", experimenter.getId()));
    }

    @RolesAllowed({"user"})
    public ExperimenterGroup getDefaultGroup(@NotNull long j) {
        ExperimenterGroup findByQuery = this.iQuery.findByQuery("select g from ExperimenterGroup g, Experimenter e join e.groupExperimenterMap m where e.id = :id and m.parent = g.id and g.name != :userGroup and index(m) = 0", new Parameters().addId(Long.valueOf(j)).addString("userGroup", this.sec.getSecurityRoles().getUserGroupName()));
        if (findByQuery == null) {
            throw new ValidationException("The user " + j + " has no default group set.");
        }
        return findByQuery;
    }

    @RolesAllowed({"user"})
    @Transactional(readOnly = false)
    public void deleteExperimenter(Experimenter experimenter) {
        adminOrPiOfUser(experimenter);
        final Experimenter userProxy = userProxy(experimenter.getId());
        if (this.sql.removePassword(userProxy.getId()) == 0) {
            getBeanHelper().getLogger().info("No password found for user " + userProxy.getOmeName() + ". Cannot delete.");
        }
        getSecuritySystem().runAsAdmin(new AdminAction() { // from class: ome.logic.AdminImpl.5
            @Override // ome.security.AdminAction
            public void runAsAdmin() {
                AdminImpl.this.iUpdate.deleteObject(userProxy);
            }
        });
        getBeanHelper().getLogger().info("Deleted user: " + userProxy.getOmeName());
    }

    @RolesAllowed({"user"})
    @Transactional(readOnly = false)
    public void deleteGroup(ExperimenterGroup experimenterGroup) {
        adminOrPiOfGroups(this.adminPrivileges.getPrivilege("ModifyGroup"), experimenterGroup);
        final ExperimenterGroup groupProxy = groupProxy(experimenterGroup.getId());
        getSecuritySystem().runAsAdmin(new AdminAction() { // from class: ome.logic.AdminImpl.6
            @Override // ome.security.AdminAction
            public void runAsAdmin() {
                AdminImpl.this.iUpdate.deleteObject(groupProxy);
            }
        });
        getBeanHelper().getLogger().info("Deleted group: " + groupProxy.getName());
    }

    @RolesAllowed({"user"})
    @Transactional(readOnly = false)
    public void changeOwner(IObject iObject, String str) {
        IObject iObject2 = this.iQuery.get(iObject.getClass(), iObject.getId().longValue());
        iObject2.getDetails().setOwner(userProxy(str));
        this.iUpdate.saveObject(iObject2);
    }

    @RolesAllowed({"user"})
    @Transactional(readOnly = false)
    public void changeGroup(IObject iObject, String str) {
        Image image = this.iQuery.get(iObject.getClass(), iObject.getId().longValue());
        ExperimenterGroup groupProxy = groupProxy(str);
        EventContext eventContext = getSecuritySystem().getEventContext();
        if (!eventContext.getCurrentUserId().equals(image.getDetails().getOwner().getId()) && !eventContext.isCurrentUserAdmin()) {
            throw new SecurityViolation("Cannot change group for:" + iObject);
        }
        if (getSecurityRoles().getUserGroupId() == groupProxy.getId().longValue()) {
            throw new SecurityViolation("Use moveToCommonSpace for moving to user group");
        }
        if (!eventContext.getMemberOfGroupsList().contains(groupProxy.getId())) {
            throw new SecurityViolation("Can't change to group; not a member of " + groupProxy.getId());
        }
        image.getDetails().setGroup(groupProxy);
        secureFlush(image);
        if (image instanceof Image) {
            Iterator iteratePixels = image.iteratePixels();
            while (iteratePixels.hasNext()) {
                Pixels pixels = (Pixels) iteratePixels.next();
                pixels.getDetails().setGroup(groupProxy);
                secureFlush(pixels);
            }
        }
        Map<String, Long> lockingIds = getLockingIds(image.getClass(), image.getId().longValue(), groupProxy.getId());
        Long l = lockingIds.get("*");
        if (l != null && l.longValue() > 0) {
            throw new SecurityViolation("Locks: " + lockingIds);
        }
    }

    private void secureFlush(IObject iObject) {
        getSecuritySystem().doAction(new SecureAction() { // from class: ome.logic.AdminImpl.7
            @Override // ome.security.SecureAction
            public <T extends IObject> T updateObject(T... tArr) {
                AdminImpl.this.iUpdate.flush();
                return null;
            }
        }, iObject);
    }

    @RolesAllowed({"user"})
    @Transactional(readOnly = false)
    public void changePermissions(IObject iObject, Permissions permissions) {
        this.osf.getSession();
        String permissions2 = permissions.toString();
        Object[] checks = this.chmod.getChecks(iObject, permissions2);
        this.chmod.chmod(iObject, permissions2);
        for (Object obj : checks) {
            this.chmod.check(iObject, obj);
        }
    }

    @RolesAllowed({"user"})
    @Transactional(readOnly = false)
    public void moveToCommonSpace(IObject... iObjectArr) {
        AdminPrivilege privilege = this.adminPrivileges.getPrivilege("ModifyGroup");
        for (IObject iObject : iObjectArr) {
            if (iObject != null) {
                IObject iObject2 = this.iQuery.get(Utils.trueClass(iObject.getClass()), iObject.getId().longValue());
                ExperimenterGroup group = iObject2.getDetails().getGroup();
                if (!group.getId().equals(Long.valueOf(getSecurityRoles().getUserGroupId()))) {
                    adminOrPiOfGroups(privilege, group);
                    internalMoveToCommonSpace(iObject2);
                }
            }
        }
    }

    @Override // ome.api.local.LocalAdmin
    public void internalMoveToCommonSpace(IObject iObject) {
        this.osf.getSession();
        iObject.getDetails().setGroup(groupProxy(Long.valueOf(getSecurityRoles().getUserGroupId())));
        secureFlush(iObject);
        getBeanHelper().getLogger().info("Moved object to common space: " + iObject);
    }

    public Map<String, Long> getLockingIds(IObject iObject) {
        return getLockingIds(iObject.getClass(), iObject.getId().longValue(), null);
    }

    @Override // ome.api.local.LocalAdmin
    public Map<String, Long> getLockingIds(Class<IObject> cls, long j, Long l) {
        return this.metadata.countLocks(this.osf.getSession(), Long.valueOf(j), this.metadata.getLockChecks(Utils.trueClass(cls)), l != null ? "and details.group.id <> " + l : "");
    }

    @PermitAll
    @Transactional(readOnly = false)
    public void reportForgottenPassword(final String str, final String str2) throws AuthenticationException {
        if (str == null) {
            throw new IllegalArgumentException("Unexpected null username.");
        }
        if (str2 == null) {
            throw new IllegalArgumentException("Unexpected null e-mail.");
        }
        this.sec.runAsAdmin(new AdminAction() { // from class: ome.logic.AdminImpl.8
            @Override // ome.security.AdminAction
            public void runAsAdmin() {
                Experimenter findByString = AdminImpl.this.iQuery.findByString(Experimenter.class, "omeName", str);
                if (findByString == null) {
                    throw new AuthenticationException("Unknown user.");
                }
                if (findByString.getEmail() == null) {
                    throw new AuthenticationException("User has no email address.");
                }
                if (!findByString.getEmail().equals(str2)) {
                    throw new AuthenticationException("Email address does not match.");
                }
                if (AdminImpl.this.passwordUtil.getDnById(findByString.getId())) {
                    throw new AuthenticationException("User is authenticated by LDAP server you cannot reset this password.");
                }
                long systemGroupId = AdminImpl.this.getSecurityRoles().getSystemGroupId();
                Iterator it = findByString.linkedExperimenterGroupList().iterator();
                while (it.hasNext()) {
                    if (((ExperimenterGroup) it.next()).getId().longValue() == systemGroupId) {
                        throw new ApiUsageException("Cannot reset password of administrators. Have another administrator set the new password.");
                    }
                }
                String generateRandomPasswd = AdminImpl.this.passwordUtil.generateRandomPasswd();
                AdminImpl.this.sendEmail(findByString, generateRandomPasswd);
                AdminImpl.this._changePassword(findByString.getOmeName(), generateRandomPasswd);
            }
        });
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void sendEmail(Experimenter experimenter, String str) {
        SimpleMailMessage simpleMailMessage = new SimpleMailMessage(this.templateMessage);
        simpleMailMessage.setSubject("OMERO - Reset password");
        simpleMailMessage.setTo(experimenter.getEmail());
        simpleMailMessage.setText("Dear " + experimenter.getFirstName() + " " + experimenter.getLastName() + " (" + experimenter.getOmeName() + ") your new password is: " + str);
        try {
            this.mailSender.send(simpleMailMessage);
            getBeanHelper().getLogger().info("sent new password for {} to {}", experimenter.getOmeName(), experimenter.getEmail());
        } catch (Exception e) {
            throw new RuntimeException("Exception: " + e.getMessage() + ". Password was not changed because email could not be sent to user:" + experimenter.getOmeName() + ". Please turn on the debug mode in omero.properties by the: omero.mail.debug=true");
        }
    }

    @PermitAll
    @Transactional(readOnly = false)
    public void changeExpiredCredentials(String str, String str2, String str3) throws AuthenticationException {
        throw new UnsupportedOperationException();
    }

    @RolesAllowed({"user", "HasPassword"})
    @Transactional(readOnly = false)
    public void changePassword(String str) {
        _changePassword(getSecuritySystem().getEventContext().getCurrentUserName(), str);
    }

    @RolesAllowed({"user"})
    @Transactional(readOnly = false)
    public void changePasswordWithOldPassword(String str, String str2) {
        String currentUserName = getSecuritySystem().getEventContext().getCurrentUserName();
        if (!checkPassword(currentUserName, str, false)) {
            throw new SecurityViolation("Old password is invalid");
        }
        _changePassword(currentUserName, str2);
    }

    @RolesAllowed({"user", "HasPassword"})
    @Transactional(readOnly = false)
    public void changeUserPassword(String str, String str2) {
        Experimenter userProxy = userProxy(str);
        adminOrPiOfUser(userProxy);
        Set<AdminPrivilege> currentAdminPrivilegesForSession = getCurrentAdminPrivilegesForSession();
        Iterator<AdminPrivilege> it = getAdminPrivileges(userProxy).iterator();
        while (it.hasNext()) {
            if (!currentAdminPrivilegesForSession.contains(it.next())) {
                throw new SecurityViolation("Cannot change the password of a more privileged user.");
            }
        }
        _changePassword(str, str2);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void _changePassword(String str, String str2) {
        try {
            this.passwordProvider.changePassword(str, str2);
            getBeanHelper().getLogger().info("Changed password for user: " + str);
        } catch (PasswordChangeException e) {
            throw new SecurityViolation("PasswordChangeException: " + e.getMessage());
        }
    }

    @Override // ome.api.local.LocalAdmin
    public boolean checkPassword(String str, String str2, boolean z) {
        Boolean checkPassword = this.passwordProvider.checkPassword(str, str2, z);
        if (checkPassword != null) {
            return checkPassword.booleanValue();
        }
        getBeanHelper().getLogger().warn("Password provider returned null: " + this.passwordProvider);
        return false;
    }

    @RolesAllowed({"user"})
    public List<Experimenter> getAdminsWithPrivileges(List<AdminPrivilege> list) {
        assertKnownPrivileges(list);
        ArrayList arrayList = new ArrayList();
        Iterator iterateGroupExperimenterMap = getGroup(getSecurityRoles().getSystemGroupId()).iterateGroupExperimenterMap();
        while (iterateGroupExperimenterMap.hasNext()) {
            boolean z = true;
            Experimenter userProxy = userProxy(((GroupExperimenterMap) iterateGroupExperimenterMap.next()).getChild().getId());
            List<AdminPrivilege> adminPrivileges = getAdminPrivileges(userProxy);
            Iterator<AdminPrivilege> it = list.iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                if (!adminPrivileges.contains(it.next())) {
                    z = false;
                    break;
                }
            }
            if (z) {
                arrayList.add(userProxy);
            }
        }
        return arrayList;
    }

    @RolesAllowed({"user"})
    public List<AdminPrivilege> getCurrentAdminPrivileges() {
        return new ArrayList(getCurrentAdminPrivilegesForSession());
    }

    @RolesAllowed({"user"})
    public List<AdminPrivilege> getAdminPrivileges(Experimenter experimenter) {
        if (!getMemberOfGroupIds(experimenter).contains(Long.valueOf(getSecurityRoles().getSystemGroupId()))) {
            return Collections.emptyList();
        }
        List<NamedValue> config = userProxy(experimenter.getId()).getConfig();
        ArrayList arrayList = new ArrayList((Collection) LightAdminPrivileges.getAllPrivileges());
        if (CollectionUtils.isNotEmpty(config)) {
            for (NamedValue namedValue : config) {
                if (!Boolean.parseBoolean(namedValue.getValue())) {
                    arrayList.remove(this.adminPrivileges.getPrivilegeForConfigName(namedValue.getName()));
                }
            }
        }
        return arrayList;
    }

    @RolesAllowed({"system"})
    @Transactional(readOnly = false)
    public void setAdminPrivileges(Experimenter experimenter, List<AdminPrivilege> list) {
        List<NamedValue> config;
        assertKnownPrivileges(list);
        ImmutableSet copyOf = ImmutableSet.copyOf(getAdminPrivileges(experimenter));
        HashSet hashSet = new HashSet((Collection) LightAdminPrivileges.getAllPrivileges());
        hashSet.removeAll(list);
        if (experimenter.getId().longValue() == getSecurityRoles().getRootId() && !hashSet.isEmpty()) {
            throw new ApiUsageException("cannot remove light administrator privileges from the root user");
        }
        IObject userProxy = userProxy(experimenter.getId());
        if (userProxy.getConfig() == null) {
            config = new ArrayList();
            userProxy.setConfig(config);
        } else {
            config = userProxy.getConfig();
            for (NamedValue namedValue : config) {
                AdminPrivilege privilegeForConfigName = this.adminPrivileges.getPrivilegeForConfigName(namedValue.getName());
                if (privilegeForConfigName != null) {
                    boolean contains = list.contains(privilegeForConfigName);
                    if (contains != Boolean.parseBoolean(namedValue.getValue())) {
                        namedValue.setValue(Boolean.toString(contains));
                    }
                    hashSet.remove(privilegeForConfigName);
                }
            }
        }
        Iterator it = hashSet.iterator();
        while (it.hasNext()) {
            config.add(new NamedValue(this.adminPrivileges.getConfigNameForPrivilege((AdminPrivilege) it.next()), Boolean.toString(false)));
        }
        this.iUpdate.saveObject(userProxy);
        assertNoPrivilegeElevation(userProxy, copyOf);
    }

    @PermitAll
    public Roles getSecurityRoles() {
        return getSecuritySystem().getSecurityRoles();
    }

    @PermitAll
    public EventContext getEventContext() {
        return new SimpleEventContext(getSecuritySystem().getEventContext(true));
    }

    @Override // ome.api.local.LocalAdmin
    public EventContext getEventContextQuiet() {
        return new SimpleEventContext(getSecuritySystem().getEventContext(false));
    }

    protected void assertManaged(IObject iObject) {
        if (iObject == null) {
            throw new ApiUsageException("Argument may not be null.");
        }
        if (iObject.getId() == null) {
            throw new ApiUsageException(iObject.getClass().getName() + " has no id.");
        }
    }

    private Set<String> classes() {
        return getExtendedMetadata().getClasses();
    }

    private String table(String str) {
        try {
            Class<?> cls = Class.forName(str);
            if (IGlobal.class.isAssignableFrom(cls) || cls.getAnnotation(Table.class) == null || cls.getAnnotation(PrimaryKeyJoinColumn.class) != null) {
                return null;
            }
            return cls.getAnnotation(Table.class).name();
        } catch (Exception e) {
            throw new InternalException("Miss configuration. Should never happen.");
        }
    }

    private void reallySafeSave(IObject iObject) {
        final Session session = this.osf.getSession();
        this.sec.doAction(new SecureMerge(session), iObject);
        this.sec.runAsAdmin(new AdminAction() { // from class: ome.logic.AdminImpl.9
            @Override // ome.security.AdminAction
            public void runAsAdmin() {
                session.flush();
            }
        });
    }

    private boolean isAdmin() {
        return getEventContext().isCurrentUserAdmin();
    }

    private boolean isPiOf(Experimenter experimenter) {
        if (experimenter == null) {
            return true;
        }
        List<Long> memberOfGroupIds = getMemberOfGroupIds(experimenter);
        Iterator it = getEventContext().getLeaderOfGroupsList().iterator();
        while (it.hasNext()) {
            if (memberOfGroupIds.contains((Long) it.next())) {
                return true;
            }
        }
        return false;
    }

    private boolean isPiOf(ExperimenterGroup experimenterGroup) {
        if (experimenterGroup == null) {
            return true;
        }
        return getEventContext().getLeaderOfGroupsList().contains(experimenterGroup.getId());
    }

    private void throwNonAdminOrPi() {
        throw new SecurityViolation("Current user is neither admin nor group-leader for the given user(s)/group(s)");
    }

    private void adminOrPiOfUser(Experimenter experimenter) {
        if ((isAdmin() && getCurrentAdminPrivilegesForSession().contains(this.adminPrivileges.getPrivilege("ModifyUser"))) || isPiOf(experimenter)) {
            return;
        }
        throwNonAdminOrPi();
    }

    private void adminOrPiOfGroups(AdminPrivilege adminPrivilege, ExperimenterGroup... experimenterGroupArr) {
        if (isAdmin() && getCurrentAdminPrivilegesForSession().contains(adminPrivilege)) {
            return;
        }
        for (ExperimenterGroup experimenterGroup : experimenterGroupArr) {
            if (!isPiOf(experimenterGroup)) {
                throwNonAdminOrPi();
            }
        }
    }

    private void adminOrPiOfNonUserGroups(ExperimenterGroup experimenterGroup, ExperimenterGroup... experimenterGroupArr) {
        HashSet hashSet = new HashSet();
        for (ExperimenterGroup experimenterGroup2 : experimenterGroupArr) {
            if (!experimenterGroup2.getId().equals(Long.valueOf(getSecurityRoles().getUserGroupId()))) {
                hashSet.add(experimenterGroup2);
            }
        }
        AdminPrivilege privilege = this.adminPrivileges.getPrivilege("ModifyUser");
        adminOrPiOfGroups(privilege, experimenterGroup);
        adminOrPiOfGroups(privilege, (ExperimenterGroup[]) hashSet.toArray(new ExperimenterGroup[0]));
    }

    private void assertKnownPrivileges(Iterable<AdminPrivilege> iterable) {
        for (AdminPrivilege adminPrivilege : iterable) {
            if (this.adminPrivileges.getPrivilege(adminPrivilege.getValue()) == null) {
                throw new ApiUsageException("unknown light administrator privilege: " + adminPrivilege.getValue());
            }
        }
    }

    private void assertNoPrivilegeElevation(Experimenter experimenter, Set<AdminPrivilege> set) {
        if (!Sets.difference(Sets.difference(ImmutableSet.copyOf(getAdminPrivileges(experimenter)), set), getCurrentAdminPrivilegesForSession()).isEmpty()) {
            throw new SecurityViolation("cannot give administrator privileges that current user does not have");
        }
    }

    private Set<AdminPrivilege> getCurrentAdminPrivilegesForSession() {
        return isAdmin() ? getEventContextQuiet().getCurrentAdminPrivileges() : Collections.emptySet();
    }
}
