package sk.seges.acris.security.server.spring.acl.service;

import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.apache.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.acls.domain.DefaultPermissionFactory;
import org.springframework.security.acls.domain.ObjectIdentityImpl;
import org.springframework.security.acls.domain.PrincipalSid;
import org.springframework.security.acls.model.AccessControlEntry;
import org.springframework.security.acls.model.AclCache;
import org.springframework.security.acls.model.MutableAcl;
import org.springframework.security.acls.model.MutableAclService;
import org.springframework.security.acls.model.NotFoundException;
import org.springframework.security.acls.model.ObjectIdentity;
import org.springframework.security.acls.model.Sid;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.transaction.annotation.Propagation;
import org.springframework.transaction.annotation.Transactional;
import sk.seges.acris.security.acl.server.model.data.AclEntryData;
import sk.seges.acris.security.acl.server.model.data.AclSecuredClassDescriptionData;
import sk.seges.acris.security.acl.server.model.data.AclSecuredObjectIdentityData;
import sk.seges.acris.security.server.acl.service.api.AclManager;
import sk.seges.acris.security.server.core.acl.dao.api.IAclObjectIdentityDao;
import sk.seges.acris.security.server.core.acl.dao.api.IAclRecordDao;
import sk.seges.acris.security.server.core.acl.dao.api.IAclSecuredClassDescriptionDao;
import sk.seges.acris.security.server.core.annotation.RunAs;
import sk.seges.acris.security.server.spring.acl.domain.api.SpringAclSid;
import sk.seges.acris.security.server.spring.acl.domain.jpa.JpaSpringAclSid;
import sk.seges.acris.security.server.utils.SecuredClassHelper;
import sk.seges.acris.security.shared.exception.SecurityException;
import sk.seges.acris.security.shared.user_management.domain.Permission;
import sk.seges.corpis.server.domain.user.server.model.data.RoleData;
import sk.seges.corpis.server.domain.user.server.model.data.UserData;
import sk.seges.sesam.domain.IDomainObject;
import sk.seges.sesam.security.shared.domain.ISecuredObject;

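@Transactional(propagation = Propagation.REQUIRES_NEW)
/* loaded from: input_file:sk/seges/acris/security/server/spring/acl/service/SpringAclMaintainer.class */
/**
 * Spring-Security-ACL backed implementation of {@link AclManager}.
 *
 * <p>Maintains ACL object identities and entries for {@link ISecuredObject}s: entries are
 * created or replaced per {@link Sid} ({@code setAclRecords}), wiped and re-granted
 * ({@code resetAclRecords}), removed per class / identity ({@code removeAclRecords}) and
 * listed ({@code loadSidNames}). ACL updates walk the secured class hierarchy up to the
 * configured top parent classes and skip Hibernate proxy subclasses.
 *
 * <p>NOTE(review): the private overloads also carry {@code @Transactional(REQUIRES_NEW)}.
 * Spring's proxy-based transaction support does not intercept private or self-invoked
 * methods, so those inner annotations are most likely ineffective and the work runs in the
 * transaction of the public entry point — confirm against the configured proxy mode.
 *
 * <p>{@link #aclCache} is not autowired; it must be supplied via {@link #setAclCache(AclCache)}
 * before any ACL-modifying method is used, otherwise eviction calls fail with an NPE.
 */
public class SpringAclMaintainer implements AclManager {
    /** Role the {@link RunAs}-annotated maintenance methods are executed under. */
    private static final String ACL_MAINTAINER_ROLE = "ACL_MAINTENANCE_GENERAL_CHANGES";
    /** Substring that marks a Hibernate-generated proxy subclass name. */
    private static final String HIBERNATE_PROXY_CLASSNAME_SEPARATOR = "$$";
    /** Error raised when the security context carries no {@link Authentication}. */
    private static final String NO_AUTHENTICATION_MESSAGE = "No authentication object is in security context. Unable to update ACL entries";

    @Autowired
    private DefaultPermissionFactory permissionFactory;

    @Autowired
    private MutableAclService aclService;

    @Autowired
    @Qualifier("aclRecordDao")
    private IAclRecordDao<?> aclEntryDao;

    @Autowired
    protected IAclObjectIdentityDao<?> aclObjectIdentityDao;

    @Autowired
    protected IAclSecuredClassDescriptionDao<?> aclSecuredClassDescriptionDao;
    /** Injected through {@link #setAclCache(AclCache)}, not autowired. */
    protected AclCache aclCache;
    /** Classes at which the superclass walk of the ACL hierarchy stops (see static initializer). */
    private static final Set<Class<?>> topParentClasses = new HashSet<Class<?>>();
    private static final Logger logger = Logger.getLogger(SpringAclMaintainer.class);

    /**
     * Builds the project-specific SID for a user name.
     *
     * @param str user name (principal)
     * @return a {@link JpaSpringAclSid} wrapping the name
     */
    protected SpringAclSid createPrincipalSid(String str) {
        return new JpaSpringAclSid(str);
    }

    /**
     * Builds the project-specific SID for the given authentication.
     *
     * @param authentication current authentication
     * @return a {@link JpaSpringAclSid} derived from it
     */
    private SpringAclSid createPrincipalSid(Authentication authentication) {
        return new JpaSpringAclSid(authentication);
    }

    /**
     * Returns the {@link Authentication} of the current security context.
     *
     * @throws IllegalStateException when the context holds no authentication
     */
    private static Authentication requireAuthentication() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null) {
            throw new IllegalStateException(NO_AUTHENTICATION_MESSAGE);
        }
        return authentication;
    }

    /**
     * Removes every ACL entry granted to {@code userData} on {@code cls} and its secured
     * superclasses.
     *
     * @param cls      secured class
     * @param userData user whose entries are removed
     */
    public void removeAclRecords(Class<? extends ISecuredObject<?>> cls, UserData userData) {
        removeAclRecords(cls, createPrincipalSid(userData.getUsername()));
    }

    /**
     * Removes the ACL entries of {@code userData} for one object identity.
     *
     * @param l        identifier of the secured object
     * @param str      secured class name (resolved via {@link SecuredClassHelper})
     * @param userData user whose entries are removed
     */
    public void removeAclRecords(Long l, String str, UserData userData) {
        removeAclRecords(l, str, createPrincipalSid(userData.getUsername()));
    }

    /**
     * Removes the ACL entries of the currently authenticated principal for one object identity.
     *
     * @param l   identifier of the secured object
     * @param str secured class name
     * @throws IllegalStateException when no authentication is present in the security context
     */
    public void removeAclRecords(Long l, String str) {
        removeAclRecords(l, str, createPrincipalSid(requireAuthentication()));
    }

    /**
     * Deletes the whole ACL (all SIDs) of one object identity across the secured class hierarchy.
     *
     * @param l   identifier of the secured object
     * @param str secured class name
     */
    @Transactional(propagation = Propagation.REQUIRES_NEW)
    public void removeSecuredObjectIdentity(Long l, String str) {
        removeAclRecords(l, str, (SpringAclSid) null);
    }

    /**
     * Walks from the secured class named by {@code str} up to a top parent class, skipping
     * Hibernate proxies, and on every level removes the ACL records of identity {@code l}:
     * for a given SID only that SID's entries, for a {@code null} SID the whole ACL.
     *
     * @param l            identifier of the secured object
     * @param str          secured class name
     * @param springAclSid SID to restrict the removal to, or {@code null} for the whole ACL
     */
    @Transactional(propagation = Propagation.REQUIRES_NEW)
    private void removeAclRecords(Long l, String str, SpringAclSid springAclSid) {
        Class<? extends ISecuredObject<?>> current = SecuredClassHelper.getSecuredClass(str);
        while (!isTopParentClass(current)) {
            if (!isHibernateProxy(current)) {
                ObjectIdentityImpl objectIdentity = new ObjectIdentityImpl(current, l);
                if (springAclSid != null) {
                    this.aclEntryDao.deleteByIdentityIdAndSid(l, current, springAclSid, current.getName());
                } else {
                    this.aclService.deleteAcl(objectIdentity, false);
                }
                this.aclEntryDao.deleteByIdentityIdAndSid(l, current, springAclSid);
                // Always evict: the cache would otherwise keep serving the deleted entries.
                this.aclCache.evictFromCache(objectIdentity);
            }
            current = getSecuredSuperClass(current);
        }
    }

    /**
     * Superclass of {@code cls} for the hierarchy walk; {@code null} when there is none
     * (interfaces, {@code Object}), which {@link #isTopParentClass(Class)} treats as the top.
     */
    @SuppressWarnings("unchecked")
    private Class<? extends ISecuredObject<?>> getSecuredSuperClass(Class<? extends ISecuredObject<?>> cls) {
        Class<?> superclass = cls.getSuperclass();
        // Unchecked by design: every superclass below the top-parent cut-off is treated as secured.
        return (Class<? extends ISecuredObject<?>>) superclass;
    }

    /**
     * Deletes all entries of {@code springAclSid} on {@code cls} and its secured superclasses
     * and evicts the affected object identities from the cache.
     *
     * <p>NOTE(review): the entries are queried <em>after</em> {@code deleteByClassnameAndSid};
     * whether anything is still returned depends on the DAO's flush behaviour, and the
     * {@code readAclById} call presumably re-warms the cache — confirm against the DAO.
     *
     * @param cls          secured class
     * @param springAclSid SID whose entries are removed
     */
    @Transactional(propagation = Propagation.REQUIRES_NEW)
    private void removeAclRecords(Class<? extends ISecuredObject<?>> cls, SpringAclSid springAclSid) {
        Class<? extends ISecuredObject<?>> current = cls;
        while (!isTopParentClass(current)) {
            if (!isHibernateProxy(current)) {
                this.aclEntryDao.deleteByClassnameAndSid(current, springAclSid);
                for (AclEntryData aclEntryData : this.aclEntryDao.findByClassnameAndSid(current, springAclSid)) {
                    this.aclCache.evictFromCache(aclEntryData.getObjectIdentity());
                    this.aclService.readAclById(aclEntryData.getObjectIdentity());
                }
            }
            current = getSecuredSuperClass(current);
        }
    }

    /**
     * Deletes the ACL of one secured object (children are not deleted) and evicts it from the cache.
     *
     * @param iSecuredObject object whose ACL is removed
     */
    @Transactional(propagation = Propagation.REQUIRES_NEW)
    public void removeAcl(ISecuredObject<?> iSecuredObject) {
        ObjectIdentityImpl objectIdentity = new ObjectIdentityImpl(iSecuredObject.getSecuredClass(), iSecuredObject.getIdForACL());
        this.aclCache.evictFromCache(objectIdentity);
        this.aclService.deleteAcl(objectIdentity, false);
    }

    /** Grants {@code permissionArr} on {@code iSecuredObject} to the authenticated principal (parent ACL inherited). */
    @RunAs(ACL_MAINTAINER_ROLE)
    public void setAclRecords(ISecuredObject<?> iSecuredObject, Permission[] permissionArr) {
        setAclRecords(iSecuredObject, getSidFromContext(), permissionArr);
    }

    /**
     * Grants {@code permissionArr} on {@code iSecuredObject} to the authenticated principal.
     *
     * @param z {@code true} to link the object's ACL to its parent's ACL, {@code false} to
     *          write the entry directly on the object
     */
    @RunAs(ACL_MAINTAINER_ROLE)
    public void setAclRecords(ISecuredObject<?> iSecuredObject, Permission[] permissionArr, boolean z) {
        setAclRecords(iSecuredObject, getSidFromContext(), permissionArr, z);
    }

    /** Grants {@code permissionArr} on {@code iSecuredObject} to the user (parent ACL inherited). */
    @RunAs(ACL_MAINTAINER_ROLE)
    public void setAclRecords(ISecuredObject<?> iSecuredObject, UserData userData, Permission[] permissionArr) {
        setAclRecords(iSecuredObject, userData, permissionArr, true);
    }

    /** Grants {@code permissionArr} on {@code iSecuredObject} to the user; see the {@code boolean} overload for {@code z}. */
    @RunAs(ACL_MAINTAINER_ROLE)
    public void setAclRecords(ISecuredObject<?> iSecuredObject, UserData userData, Permission[] permissionArr, boolean z) {
        setAclRecords(iSecuredObject, (Sid) new PrincipalSid(userData.getUsername()), permissionArr, z);
    }

    /** Grants {@code permissionArr} on {@code iSecuredObject} to the role (parent ACL inherited). */
    @RunAs(ACL_MAINTAINER_ROLE)
    public void setAclRecords(ISecuredObject<?> iSecuredObject, RoleData roleData, Permission[] permissionArr) {
        setAclRecords(iSecuredObject, roleData, permissionArr, true);
    }

    /**
     * Grants {@code permissionArr} on {@code iSecuredObject} to the role.
     *
     * <p>NOTE(review): unlike every other public {@code setAclRecords} overload this one is not
     * annotated with {@code @RunAs(ACL_MAINTAINER_ROLE)}; the role name is used as the principal
     * of a {@link PrincipalSid}. Left unchanged here because adding the annotation alters under
     * which authority the call runs — confirm whether the omission is intentional.
     */
    public void setAclRecords(ISecuredObject<?> iSecuredObject, RoleData roleData, Permission[] permissionArr, boolean z) {
        setAclRecords(iSecuredObject, (Sid) new PrincipalSid(roleData.getName()), permissionArr, z);
    }

    /** Grants {@code permissionArr} on {@code iSecuredObject} to the named principal (parent ACL inherited). */
    @RunAs(ACL_MAINTAINER_ROLE)
    public void setAclRecords(ISecuredObject<?> iSecuredObject, String str, Permission[] permissionArr) {
        setAclRecords(iSecuredObject, str, permissionArr, true);
    }

    /** Grants {@code permissionArr} on {@code iSecuredObject} to the named principal; see the {@code boolean} overload for {@code z}. */
    @RunAs(ACL_MAINTAINER_ROLE)
    public void setAclRecords(ISecuredObject<?> iSecuredObject, String str, Permission[] permissionArr, boolean z) {
        setAclRecords(iSecuredObject, (Sid) new PrincipalSid(str), permissionArr, z);
    }

    /** Replaces every entry of the object's (parent) ACL with a single grant to the user. */
    @RunAs(ACL_MAINTAINER_ROLE)
    public void resetAclRecords(Class<? extends ISecuredObject<?>> cls, Long l, UserData userData, Permission[] permissionArr) {
        resetAclRecords(cls, l, (Sid) new PrincipalSid(userData.getUsername()), permissionArr);
    }

    /** Replaces every entry of the object's (parent) ACL with a single grant to the role. */
    @RunAs(ACL_MAINTAINER_ROLE)
    public void resetAclRecords(Class<? extends ISecuredObject<?>> cls, Long l, RoleData roleData, Permission[] permissionArr) {
        resetAclRecords(cls, l, (Sid) new PrincipalSid(roleData.getName()), permissionArr);
    }

    /** Replaces every entry of the object's (parent) ACL with a single grant to the named principal. */
    @RunAs(ACL_MAINTAINER_ROLE)
    public void resetAclRecords(Class<? extends ISecuredObject<?>> cls, Long l, String str, Permission[] permissionArr) {
        resetAclRecords(cls, l, (Sid) new PrincipalSid(str), permissionArr);
    }

    /**
     * Drops all ACEs of the ACL resolved by {@link #getParentObjectIdentity(Class, Long)}, then
     * inserts a single granting ACE for {@code sid} with the combined permission mask and makes
     * {@code sid} the owner.
     *
     * @throws SecurityException when the object identity (or its ACL) cannot be found
     */
    private void resetAclRecords(Class<? extends ISecuredObject<?>> cls, Long l, Sid sid, Permission[] permissionArr) {
        AclSecuredObjectIdentityData parentObjectIdentity = getParentObjectIdentity(cls, l);
        if (parentObjectIdentity == null) {
            throw new SecurityException("Could not update acl entry for aclId: " + l + " sid: " + sid + " cause acl object identity not found!");
        }
        try {
            MutableAcl acl = (MutableAcl) this.aclService.readAclById(new ObjectIdentityImpl(parentObjectIdentity.getJavaType(), l));
            int mask = combineMask(permissionArr);
            // Delete from the last index down: the previous forward loop re-read size() after
            // every deleteAce(i) and therefore left roughly half of the old entries in place,
            // so a "reset" silently kept stale grants.
            for (int index = acl.getEntries().size() - 1; index >= 0; index--) {
                acl.deleteAce(index);
            }
            acl.insertAce(0, this.permissionFactory.buildFromMask(mask), sid, true);
            acl.setOwner(sid);
            this.aclService.updateAcl(acl);
        } catch (NotFoundException e) {
            throw new SecurityException("Could not update acl entry for aclId: " + l + " sid: " + sid + " cause acl object identity not found!", e);
        }
    }

    /**
     * Looks up the ACL object identity of ({@code cls}, {@code l}) and returns its parent when
     * it has one, otherwise the identity itself; {@code null} when nothing is found.
     * An unknown class description is mapped to class id {@code -1}.
     */
    private AclSecuredObjectIdentityData getParentObjectIdentity(Class<? extends ISecuredObject<?>> cls, Long l) {
        AclSecuredClassDescriptionData classDescription = this.aclSecuredClassDescriptionDao.load(cls.getName());
        long classId = classDescription == null ? -1L : ((Long) classDescription.getId()).longValue();
        AclSecuredObjectIdentityData objectIdentity = this.aclObjectIdentityDao.findByObjectId(classId, l.longValue());
        if (objectIdentity == null || objectIdentity.getParentObject() == null) {
            return objectIdentity;
        }
        return objectIdentity.getParentObject();
    }

    /**
     * Lists the principal names of every ACE on the object's ACL.
     *
     * @param iSecuredObject secured object
     * @return principal of each entry, in ACL order (empty list for an ACL without entries)
     * @throws SecurityException when the object identity or its ACL cannot be found
     */
    @RunAs(ACL_MAINTAINER_ROLE)
    public List<String> loadSidNames(ISecuredObject<?> iSecuredObject) {
        Long idForACL = iSecuredObject.getIdForACL();
        // Kept raw: the type argument of getSecuredClass() is not visible in this file.
        Class securedClass = iSecuredObject.getSecuredClass();
        AclSecuredClassDescriptionData classDescription = this.aclSecuredClassDescriptionDao.load(securedClass);
        long classId = classDescription == null ? -1L : ((Long) classDescription.getId()).longValue();
        AclSecuredObjectIdentityData objectIdentity = this.aclObjectIdentityDao.findByObjectId(classId, idForACL.longValue());
        if (objectIdentity == null) {
            throw new SecurityException("Could not find acl entry for aclId: " + idForACL + " class: " + securedClass.getName() + " cause acl object identity not found!");
        }
        try {
            MutableAcl acl = (MutableAcl) this.aclService.readAclById(new ObjectIdentityImpl(objectIdentity.getJavaType(), idForACL));
            List<String> sidNames = new ArrayList<String>();
            for (AccessControlEntry entry : acl.getEntries()) {
                sidNames.add(entry.getSid().getPrincipal());
            }
            return sidNames;
        } catch (NotFoundException e) {
            // Keep the cause; the bare message gave no hint where the lookup failed.
            throw new SecurityException("Could not find acl entry for aclId: " + idForACL + " class: " + securedClass.getName() + " cause acl object identity not found!", e);
        }
    }

    /** Grants {@code permissionArr} to {@code sid} on {@code iSecuredObject}, inheriting the parent ACL. */
    @Transactional(propagation = Propagation.REQUIRES_NEW)
    private void setAclRecords(ISecuredObject<?> iSecuredObject, Sid sid, Permission[] permissionArr) {
        setAclRecords(iSecuredObject, sid, permissionArr, true);
    }

    /**
     * Grants {@code permissionArr} to the user directly on identity ({@code cls}, {@code l}),
     * without any parent ACL.
     *
     * <p>NOTE(review): not annotated with {@code @RunAs} like the other public grant methods;
     * left unchanged — confirm whether that is intended.
     */
    public void setAclRecords(Class<? extends ISecuredObject<?>> cls, Long l, UserData userData, Permission[] permissionArr) {
        setAclRecords(cls, l, null, new PrincipalSid(userData.getUsername()), permissionArr, false);
    }

    /** Grants {@code permissionArr} to {@code sid} on {@code iSecuredObject}; {@code z} selects parent linking. */
    private void setAclRecords(ISecuredObject<?> iSecuredObject, Sid sid, Permission[] permissionArr, boolean z) {
        setAclRecords(iSecuredObject.getSecuredClass(), iSecuredObject.getIdForACL(), iSecuredObject.getParent(), sid, permissionArr, z);
    }

    /**
     * Core grant routine.
     *
     * <p>Resolves (creating when missing) the ACL of identity ({@code cls} with Hibernate
     * proxies unwrapped, {@code l}). When {@code iSecuredObject} (the parent) is {@code null}
     * or {@code z} is {@code false}, the combined permission mask is written as a granting ACE
     * for {@code sid} on that ACL, replacing in place the first existing ACE of {@code sid}
     * whose mask overlaps the new one. Otherwise the ACL is linked to the parent's ACL
     * (created on demand) and the grant is put on the parent when it has no entries yet.
     *
     * @param cls            secured class (may be a Hibernate proxy class)
     * @param l              identifier of the secured object
     * @param iSecuredObject parent object, or {@code null}
     * @param sid            grantee
     * @param permissionArr  permissions whose masks are OR-ed together
     * @param z              {@code true} to link to the parent ACL
     */
    @Transactional(propagation = Propagation.REQUIRES_NEW)
    private void setAclRecords(Class<?> cls, Long l, ISecuredObject<?> iSecuredObject, Sid sid, Permission[] permissionArr, boolean z) {
        Class<?> securedClass = cls;
        while (isHibernateProxy(securedClass)) {
            securedClass = securedClass.getSuperclass();
        }
        ObjectIdentityImpl objectIdentity = new ObjectIdentityImpl(securedClass, l);
        MutableAcl acl;
        try {
            acl = (MutableAcl) this.aclService.readAclById(objectIdentity);
        } catch (NotFoundException e) {
            acl = this.aclService.createAcl(objectIdentity);
        }
        int mask = combineMask(permissionArr);
        if (iSecuredObject == null || !z) {
            int existingIndex = findOverlappingAceIndex(acl, sid, mask);
            if (existingIndex >= 0) {
                acl.deleteAce(existingIndex);
                acl.insertAce(existingIndex, this.permissionFactory.buildFromMask(mask), sid, true);
            } else {
                acl.insertAce(0, this.permissionFactory.buildFromMask(mask), sid, true);
            }
        } else {
            MutableAcl parentAcl = getOrCreateParentAcl(iSecuredObject, sid, permissionArr,
                    new ObjectIdentityImpl(iSecuredObject.getSecuredClass(), iSecuredObject.getIdForACL()));
            acl.setParent(parentAcl);
            if (parentAcl.getEntries() == null || parentAcl.getEntries().isEmpty()) {
                parentAcl.insertAce(0, this.permissionFactory.buildFromMask(mask), sid, true);
                this.aclService.updateAcl(parentAcl);
            }
        }
        this.aclService.updateAcl(acl);
    }

    /**
     * Index of the first ACE granted to {@code sid} whose mask shares at least one bit with
     * {@code mask}, or {@code -1} when there is none.
     *
     * <p>The search stops at the first hit. The previous scan kept counting non-matching
     * entries after the match, so the index it produced pointed at a later, unrelated ACE
     * which was then deleted and overwritten with the new grant. The overlap test is
     * {@code != 0} rather than {@code > 0} so a mask using the sign bit is not missed.
     */
    private static int findOverlappingAceIndex(MutableAcl acl, Sid sid, int mask) {
        int index = 0;
        for (AccessControlEntry entry : acl.getEntries()) {
            if (entry.getSid().equals(sid) && (entry.getPermission().getMask() & mask) != 0) {
                return index;
            }
            index++;
        }
        return -1;
    }

    /** OR of the masks of all permissions; {@code 0} for an empty array. */
    private static int combineMask(Permission[] permissionArr) {
        int mask = 0;
        for (Permission permission : permissionArr) {
            mask |= permission.getMask();
        }
        return mask;
    }

    /**
     * Reads the parent ACL; when it does not exist yet the parent object's own ACL records are
     * created via {@link #setAclRecords(ISecuredObject, Sid, Permission[])} and the ACL is read
     * again.
     *
     * @throws NotFoundException when the parent ACL still does not exist after creation
     *                           (previously this recursed until the stack overflowed)
     */
    private MutableAcl getOrCreateParentAcl(ISecuredObject<?> iSecuredObject, Sid sid, Permission[] permissionArr, ObjectIdentity objectIdentity) {
        try {
            return (MutableAcl) this.aclService.readAclById(objectIdentity);
        } catch (NotFoundException e) {
            // getType() is the secured class; getClass() only named the ObjectIdentity implementation.
            logger.info("No parent with aclId: " + objectIdentity.getIdentifier() + " and class: " + objectIdentity.getType() + " not exist, it will be created! ");
            setAclRecords(iSecuredObject, sid, permissionArr);
            return (MutableAcl) this.aclService.readAclById(objectIdentity);
        }
    }

    /**
     * Sets the ACL cache used for evictions after every modification.
     *
     * @param aclCache cache shared with the ACL service
     */
    public void setAclCache(AclCache aclCache) {
        this.aclCache = aclCache;
    }

    /** {@code true} when the class name carries the Hibernate proxy marker. */
    private boolean isHibernateProxy(Class<?> cls) {
        return cls.getName().contains(HIBERNATE_PROXY_CLASSNAME_SEPARATOR);
    }

    /**
     * {@code true} when the hierarchy walk must stop at {@code cls}: a configured top parent
     * class, or {@code null} (no superclass left, e.g. for an interface type).
     */
    private boolean isTopParentClass(Class<?> cls) {
        return cls == null || topParentClasses.contains(cls);
    }

    /**
     * SID of the currently authenticated principal.
     *
     * @throws IllegalStateException when no authentication is present in the security context
     */
    private Sid getSidFromContext() {
        return new PrincipalSid(requireAuthentication());
    }

    static {
        topParentClasses.add(Object.class);
        topParentClasses.add(IDomainObject.class);
    }
}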
