package sk.seges.acris.security.server.spring.acl.service;

import java.util.HashSet;
import java.util.Set;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.Authentication;
import org.springframework.security.acls.AccessControlEntry;
import org.springframework.security.acls.MutableAcl;
import org.springframework.security.acls.MutableAclService;
import org.springframework.security.acls.NotFoundException;
import org.springframework.security.acls.domain.DefaultPermissionFactory;
import org.springframework.security.acls.jdbc.AclCache;
import org.springframework.security.acls.objectidentity.ObjectIdentityImpl;
import org.springframework.security.acls.sid.PrincipalSid;
import org.springframework.security.acls.sid.Sid;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.transaction.annotation.Propagation;
import org.springframework.transaction.annotation.Transactional;
import sk.seges.acris.security.server.acl.dao.IAclRecordDao;
import sk.seges.acris.security.server.acl.service.api.AclManager;
import sk.seges.acris.security.server.core.acl.domain.api.AclEntry;
import sk.seges.acris.security.server.core.annotation.RunAs;
import sk.seges.acris.security.server.spring.acl.domain.api.SpringAclSid;
import sk.seges.acris.security.server.spring.acl.domain.dto.SpringAclSidDTO;
import sk.seges.acris.security.shared.domain.ISecuredObject;
import sk.seges.acris.security.shared.user_management.domain.Permission;
import sk.seges.acris.security.shared.user_management.domain.api.UserData;
import sk.seges.sesam.domain.IDomainObject;

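/**
 * Maintains Spring Security ACL records for {@link ISecuredObject} instances.
 *
 * <p>Every operation walks the class hierarchy of the secured object (or of the given class) upwards
 * and stops at {@code Object} or {@link IDomainObject}. Hibernate proxy classes (names containing
 * {@code "$$"}) are skipped, so ACL data is always keyed by the real entity class names.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>{@code aclCache} is not autowired; it must be supplied through {@link #setAclCache(AclCache)}
 *       before any remove operation runs, otherwise those operations fail with a
 *       {@code NullPointerException}.</li>
 *   <li>NOTE(review): the {@code @Transactional} annotations on private methods are presumably ignored
 *       under proxy-based Spring AOP (self-invocation, private visibility); the class-level annotation
 *       would then be the only one in effect - confirm against the weaving mode in use.</li>
 *   <li>NOTE(review): the overloads taking {@link UserData} change ACL entries for whatever username
 *       they are handed. No authorization check is visible in this class, so callers (or an
 *       interceptor) have to decide whether the current user may manage that principal - confirm.</li>
 * </ul>
 */
@Transactional(propagation = Propagation.REQUIRES_NEW)
/* loaded from: input_file:sk/seges/acris/security/server/spring/acl/service/SpringAclMaintainer.class */
public class SpringAclMaintainer implements AclManager {
    private static final String ACL_MAINTAINER_ROLE = "ACL_MAINTENANCE_GENERAL_CHANGES";
    private static final String HIBERNATE_PROXY_CLASSNAME_SEPARATOR = "$$";

    /** Classes at which the upward hierarchy walk stops; they never get ACL records of their own. */
    private static final Set<Class<?>> topParentClasses = new HashSet<Class<?>>();

    @Autowired
    private DefaultPermissionFactory permissionFactory;

    @Autowired
    private MutableAclService aclService;

    @Autowired
    @Qualifier("aclRecordDao")
    private IAclRecordDao aclEntryDao;

    // Injected through setAclCache(AclCache); there is no @Autowired on this field.
    protected AclCache aclCache;

    /**
     * Creates the SID used for DAO-level deletes from a plain principal name.
     *
     * @param str principal (user) name
     * @return SID wrapping the given name
     */
    protected SpringAclSid createPrincipalSid(String str) {
        return new SpringAclSidDTO(str);
    }

    /** Creates the SID used for DAO-level deletes from the given authentication object. */
    private SpringAclSid createPrincipalSid(Authentication authentication) {
        return new SpringAclSidDTO(authentication);
    }

    /**
     * Returns the authentication held by the current security context.
     *
     * @throws IllegalStateException if the security context holds no authentication
     */
    private Authentication requireAuthentication() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null) {
            throw new IllegalStateException("No authentication object is in security context. Unable to update ACL entries");
        }
        return authentication;
    }

    /**
     * Removes the ACL records the given user holds on the given class and on its superclasses.
     *
     * @param cls      secured class the walk starts at
     * @param userData user whose records are removed; its username identifies the principal
     */
    public void removeAclRecords(Class<? extends ISecuredObject> cls, UserData userData) {
        removeAclRecords(cls, createPrincipalSid(userData.getUsername()));
    }

    /**
     * Removes the ACL records the given user holds on one secured object.
     *
     * @param iSecuredObject object whose records are removed
     * @param userData       user whose records are removed; its username identifies the principal
     */
    public void removeAclRecords(ISecuredObject iSecuredObject, UserData userData) {
        removeAclRecords(iSecuredObject, createPrincipalSid(userData.getUsername()));
    }

    /**
     * Removes the ACL records the currently authenticated principal holds on one secured object.
     *
     * @param iSecuredObject object whose records are removed
     * @throws IllegalStateException if the security context holds no authentication
     */
    public void removeAclRecords(ISecuredObject iSecuredObject) {
        removeAclRecords(iSecuredObject, createPrincipalSid(requireAuthentication()));
    }

    /**
     * Deletes the ACL of the object for every class in its hierarchy, evicting each identity from the
     * cache before the delete. Child ACLs are not deleted ({@code deleteAcl(..., false)}).
     *
     * @param iSecuredObject object whose object identities are removed
     */
    @Transactional(propagation = Propagation.REQUIRES_NEW)
    public void removeSecuredObjectIdentity(ISecuredObject iSecuredObject) {
        for (Class<?> current = iSecuredObject.getClass(); !isTopParentClass(current); current = current.getSuperclass()) {
            if (isHibernateProxy(current)) {
                continue;
            }
            ObjectIdentityImpl identity = new ObjectIdentityImpl(current, iSecuredObject.getId());
            this.aclCache.evictFromCache(identity);
            this.aclService.deleteAcl(identity, false);
        }
    }

    /**
     * Deletes the records of one SID on one object, for every class in the object's hierarchy.
     * After each delete the identity is evicted from the cache and read again through the ACL service.
     */
    @Transactional(propagation = Propagation.REQUIRES_NEW)
    private void removeAclRecords(ISecuredObject iSecuredObject, SpringAclSid springAclSid) {
        for (Class<?> current = iSecuredObject.getClass(); !isTopParentClass(current); current = current.getSuperclass()) {
            if (isHibernateProxy(current)) {
                continue;
            }
            ObjectIdentityImpl identity = new ObjectIdentityImpl(current, iSecuredObject.getId());
            this.aclEntryDao.deleteByIdentityIdAndSid(iSecuredObject, springAclSid, current.getName());
            // Evict only after the delete so that the following read cannot be served from stale data.
            this.aclCache.evictFromCache(identity);
            // The result is discarded; presumably the read repopulates the cache - confirm.
            this.aclService.readAclById(identity);
        }
    }

    /**
     * Deletes the records of one SID for a class and its superclasses.
     *
     * <p>NOTE(review): the lookup that drives cache eviction runs after the delete. If
     * {@code findByClassnameAndSid} no longer returns the rows that were just deleted, nothing is
     * evicted and cached ACLs could keep granting the removed permissions until they expire.
     * Confirm the DAO semantics; collecting the affected identities before the delete would make the
     * eviction independent of them.
     */
    @Transactional(propagation = Propagation.REQUIRES_NEW)
    private void removeAclRecords(Class<? extends ISecuredObject> cls, SpringAclSid springAclSid) {
        Class<? extends ISecuredObject> current = cls;
        // getSuperclass() returns null for interfaces, so stop there instead of dereferencing null.
        while (current != null && !isTopParentClass(current)) {
            if (!isHibernateProxy(current)) {
                this.aclEntryDao.deleteByClassnameAndSid(current, springAclSid);
                for (AclEntry aclEntry : this.aclEntryDao.findByClassnameAndSid(current, springAclSid)) {
                    this.aclCache.evictFromCache(aclEntry.getObjectIdentity());
                    this.aclService.readAclById(aclEntry.getObjectIdentity());
                }
            }
            // The superclass is only used for its name and for the top-parent check, so the
            // unchecked narrowing is harmless; the loop ends at Object / IDomainObject.
            @SuppressWarnings("unchecked")
            Class<? extends ISecuredObject> parent = (Class<? extends ISecuredObject>) current.getSuperclass();
            current = parent;
        }
    }

    /**
     * Grants the given permissions on the object to the currently authenticated principal.
     *
     * <p>NOTE(review): {@code @RunAs} presumably runs the call under the ACL maintainer role; confirm
     * against the interceptor that processes the annotation.
     *
     * @param iSecuredObject object to secure
     * @param permissionArr  permissions to grant; their masks are OR-ed into one entry
     * @throws IllegalStateException if the security context holds no authentication
     */
    @RunAs(ACL_MAINTAINER_ROLE)
    public void setAclRecords(ISecuredObject iSecuredObject, Permission[] permissionArr) {
        setAclRecords(iSecuredObject, (Sid) new PrincipalSid(requireAuthentication()), permissionArr);
    }

    /**
     * Grants the given permissions on the object to the given user.
     *
     * @param iSecuredObject object to secure
     * @param userData       user receiving the permissions; its username identifies the principal
     * @param permissionArr  permissions to grant; their masks are OR-ed into one entry
     */
    @RunAs(ACL_MAINTAINER_ROLE)
    public void setAclRecords(ISecuredObject iSecuredObject, UserData userData, Permission[] permissionArr) {
        setAclRecords(iSecuredObject, (Sid) new PrincipalSid(userData.getUsername()), permissionArr);
    }

    /**
     * Ensures that, for every class in the object's hierarchy, the ACL holds a granting entry for
     * {@code sid} whose mask equals the OR of the requested permissions.
     *
     * <p>Per identity: the ACL is read, or created when it does not exist. If no entry of the SID
     * overlaps the requested mask, a new entry is inserted at position 0. If an overlapping entry
     * exists but none matches the mask exactly, the first overlapping entry is deleted and the new
     * entry is inserted at position 0. The ACL is written back in every case.
     *
     * <p>The entry to delete is addressed by its own position in the entry array. Previously a counter
     * that advanced on every iteration was passed instead, so the delete always targeted the position
     * one past the last entry rather than the entry that was meant to be replaced.
     *
     * <p>Only the first overlapping entry is replaced; further overlapping entries of the same SID
     * stay in the ACL. An empty {@code permissionArr} produces mask 0, which overlaps nothing, so an
     * entry built from mask 0 is inserted.
     */
    @Transactional(propagation = Propagation.REQUIRES_NEW)
    private void setAclRecords(ISecuredObject iSecuredObject, Sid sid, Permission[] permissionArr) {
        for (Class<?> current = iSecuredObject.getClass(); !isTopParentClass(current); current = current.getSuperclass()) {
            if (isHibernateProxy(current)) {
                continue;
            }
            ObjectIdentityImpl identity = new ObjectIdentityImpl(current, iSecuredObject.getId());
            MutableAcl acl;
            try {
                acl = (MutableAcl) this.aclService.readAclById(identity);
            } catch (NotFoundException e) {
                // No ACL yet for this identity: start a fresh one.
                acl = this.aclService.createAcl(identity);
            }

            int requestedMask = 0;
            for (Permission permission : permissionArr) {
                requestedMask |= permission.getMask();
            }

            boolean exactMatchFound = false;
            int firstOverlapIndex = -1;
            AccessControlEntry[] entries = acl.getEntries();
            for (int index = 0; index < entries.length; index++) {
                AccessControlEntry entry = entries[index];
                if (!entry.getSid().equals(sid)) {
                    continue;
                }
                int entryMask = entry.getPermission().getMask();
                // "!= 0" rather than "> 0": an overlap in the sign bit yields a negative value.
                if ((entryMask & requestedMask) != 0) {
                    if (firstOverlapIndex < 0) {
                        firstOverlapIndex = index;
                    }
                    if (entryMask == requestedMask) {
                        exactMatchFound = true;
                    }
                }
            }

            if (firstOverlapIndex < 0) {
                acl.insertAce(0, this.permissionFactory.buildFromMask(requestedMask), sid, true);
            } else if (!exactMatchFound) {
                acl.deleteAce(firstOverlapIndex);
                acl.insertAce(0, this.permissionFactory.buildFromMask(requestedMask), sid, true);
            }
            this.aclService.updateAcl(acl);
        }
    }

    /**
     * Supplies the ACL cache used for evictions.
     *
     * @param aclCache cache to evict object identities from
     */
    public void setAclCache(AclCache aclCache) {
        this.aclCache = aclCache;
    }

    /** Tells whether the class name contains the Hibernate proxy separator {@code "$$"}. */
    private boolean isHibernateProxy(Class<?> cls) {
        return cls.getName().contains(HIBERNATE_PROXY_CLASSNAME_SEPARATOR);
    }

    /** Tells whether the hierarchy walk has to stop at the given class. */
    private boolean isTopParentClass(Class<?> cls) {
        return topParentClasses.contains(cls);
    }

    static {
        topParentClasses.add(Object.class);
        topParentClasses.add(IDomainObject.class);
    }
}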
