package de.mhus.osgi.sop.impl.aaa;

import de.mhus.lib.core.MLog;
import de.mhus.lib.core.MPassword;
import de.mhus.lib.core.MString;
import de.mhus.lib.core.security.Account;
import de.mhus.lib.core.security.AccountSource;
import de.mhus.lib.core.security.AuthorizationSource;
import de.mhus.lib.core.security.ModifyAccountApi;
import de.mhus.lib.core.security.ModifyAuthorizationApi;
import de.mhus.lib.core.security.ModifyCurrentAccountApi;
import de.mhus.lib.core.util.SoftHashMap;
import de.mhus.lib.errors.AccessDeniedException;
import de.mhus.lib.errors.MException;
import de.mhus.lib.errors.MRuntimeException;
import de.mhus.lib.errors.NotFoundException;
import de.mhus.osgi.sop.api.aaa.AaaContext;
import de.mhus.osgi.sop.api.aaa.AaaUtil;
import de.mhus.osgi.sop.api.aaa.AccessApi;
import de.mhus.osgi.sop.api.aaa.AccountGuest;
import de.mhus.osgi.sop.api.aaa.ModifyTrustApi;
import de.mhus.osgi.sop.api.aaa.Trust;
import de.mhus.osgi.sop.api.aaa.TrustSource;
import de.mhus.osgi.sop.impl.AaaContextImpl;
import de.mhus.osgi.sop.impl.ContextPool;
import de.mhus.osgi.sop.impl.aaa.util.AccountFile;
import java.util.Locale;
import org.osgi.service.component.ComponentContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicy;

/* loaded from: input_file:de/mhus/osgi/sop/impl/aaa/AccessApiImpl.class */
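/**
 * {@link AccessApi} implementation that turns tickets or accounts into {@link AaaContext}
 * instances and installs them in the {@link ContextPool}.
 *
 * <p>Ticket layouts parsed here (comma separated, no escaping of field values):
 *
 * <ul>
 *   <li>{@code acc,<account>,<encoded password>[,admin]}
 *   <li>{@code tru,<trust>,<encoded trust password>,<account>[,admin]}
 * </ul>
 *
 * <p>Security notes for maintainers, all derived from the code in this class:
 *
 * <ul>
 *   <li>The secret field of a ticket is passed through {@code MPassword.decode} and then
 *       validated, so a ticket must be handled like the credential it carries (keep it out of
 *       logs, URLs and error messages). This class only ever logs the account name or the
 *       ticket type, never the whole ticket.
 *   <li>A trust ticket that validates lets its holder name any account, including
 *       {@code root}, without that account's password (see {@link #getAccountUnsecure}). Trust
 *       secrets therefore need the same protection as the most privileged account.
 *   <li>The optional {@code admin} field comes from the ticket itself and is handed to
 *       {@code AaaContextImpl}; whether the account may use admin mode is not checked in this
 *       class. NOTE(review): confirm it is enforced in {@code AaaContextImpl}.
 *   <li>{@link #processUserSession}, {@link #processAdminSession} and
 *       {@link #process(Account, Trust, boolean, Locale)} check no credential; they rely on the
 *       caller having authenticated the user already.
 *   <li>The {@link AccessDeniedException} reasons distinguish an unknown account from a wrong
 *       password. Callers that face untrusted clients should map them to one uniform failure.
 * </ul>
 */
public class AccessApiImpl extends MLog implements AccessApi {
    // Shared contexts for the built-in root and guest identities; never reassigned.
    private static final AaaContextImpl ROOT_CONTEXT = new RootContext();
    private static final AaaContextImpl GUEST_CONTEXT = new GuestContext();

    // NOTE(review): this class reads and invalidates accountCache but never puts an entry into
    // it; only subclasses (the field is protected) could fill it. Confirm this is intended.
    protected SoftHashMap<String, Account> accountCache = new SoftHashMap<>();
    protected SoftHashMap<String, Trust> trustCache = new SoftHashMap<>();

    // The three sources are dynamic, optional references: they are bound and unbound while the
    // object is in use, so they are volatile and every method reads them once into a local.
    private volatile AccountSource accountSource;
    private volatile TrustSource trustSource;
    private volatile AuthorizationSource authorizationSource;

    private boolean fallbackToGuest;
    protected static AccessApiImpl instance;

    /** Publishes this object through the static {@code instance} field. */
    @Activate
    public void activate(ComponentContext componentContext) {
        instance = this;
    }

    /** Clears the static {@code instance} field. */
    @Deactivate
    public void deactivate(ComponentContext componentContext) {
        instance = null;
    }

    /**
     * Installs an existing context in the {@link ContextPool}; a {@code null} context is
     * ignored.
     *
     * @param aaaContext context to install; must be an {@code AaaContextImpl}, otherwise the
     *     cast fails with a {@link ClassCastException}
     */
    public void process(AaaContext aaaContext) {
        if (aaaContext == null) {
            return;
        }
        ContextPool.getInstance().set((AaaContextImpl) aaaContext, true);
    }

    /**
     * Creates and installs a non-admin context for a named account without checking a
     * password.
     *
     * <p>The only gate is {@link #getAccount(String)}, which permits the lookup when no context
     * is current, so callers must have authenticated the user before calling this method.
     * NOTE(review): unlike {@link #process(String, Locale)} this method does not call
     * {@code isActive()}; confirm that {@code isValid()} covers disabled accounts.
     *
     * @param str account name
     * @param locale locale handed to the new context
     * @return the installed context
     * @throws AccessDeniedException if the account cannot be loaded or is not valid
     */
    public AaaContext processUserSession(String str, Locale locale) {
        log().d(new Object[]{"user session", str});
        Account account = null;
        try {
            account = getAccount(str);
        } catch (MException e) {
            log().w(new Object[]{str, e});
        }
        if (account == null) {
            throw new AccessDeniedException(new Object[]{"null", str});
        }
        if (account.isValid()) {
            return process(account, null, false, locale);
        }
        throw new AccessDeniedException(new Object[]{"invalid", str});
    }

    /**
     * Validates a ticket and installs a context for the account it names.
     *
     * <p>An {@code acc} ticket is checked against the account's own password; a {@code tru}
     * ticket is checked against the trust's password and then loads the named account without
     * any per-account check. The ticket is never logged, only the account name.
     *
     * @param str ticket in one of the layouts described on the class
     * @param locale locale handed to the new context
     * @return the installed context
     * @throws AccessDeniedException if the ticket is {@code null}, malformed, of unknown type,
     *     or fails any of the account or trust checks
     */
    public AaaContext process(String str, Locale locale) {
        if (str == null) {
            throw new AccessDeniedException(new Object[]{"null"});
        }
        String[] split = str.split(",");
        // A ticket made only of separators (for example ",") splits into an empty array; use
        // an empty type so it is rejected below instead of failing on split[0].
        String type = split.length > 0 ? split[0] : "";
        boolean admin = false;
        String accountName = null;
        Account account = null;
        Trust trust = null;
        if (type.equals("acc")) {
            String password = null;
            if (split.length > 2) {
                accountName = split[1];
                password = split[2];
            }
            if (split.length > 3) {
                // Requested by the ticket holder; see the class comment.
                admin = split[3].equals("admin");
            }
            if (accountName == null || password == null) {
                throw new AccessDeniedException(new Object[]{"account or password not set"});
            }
            log().d(new Object[]{"account", accountName});
            try {
                account = getAccount(accountName);
            } catch (MException e) {
                log().w(new Object[]{accountName, e});
            }
            if (account == null) {
                throw new AccessDeniedException(new Object[]{"null", accountName});
            }
            if (!account.isActive()) {
                throw new AccessDeniedException(new Object[]{"disabled", accountName});
            }
            if (!account.isValid()) {
                throw new AccessDeniedException(new Object[]{"invalid", accountName});
            }
            if (!account.validatePassword(MPassword.decode(password))) {
                throw new AccessDeniedException(new Object[]{"password", accountName});
            }
        } else if (type.equals("tru")) {
            String trustName = null;
            String trustPassword = null;
            if (split.length > 3) {
                trustName = split[1];
                trustPassword = split[2];
                accountName = split[3];
            }
            if (split.length > 4) {
                admin = split[4].equals("admin");
            }
            // getTrust rejects a null name, which covers tickets with too few fields.
            trust = getTrust(trustName);
            if (trust == null) {
                throw new AccessDeniedException(new Object[]{"null", accountName});
            }
            if (!trust.validateWithPassword(MPassword.decode(trustPassword))) {
                throw new AccessDeniedException(new Object[]{"password", accountName});
            }
            if (!trust.isValid()) {
                throw new AccessDeniedException(new Object[]{"invalid", accountName});
            }
            try {
                // The trust vouches for the account: no account password is checked here.
                account = getAccountUnsecure(accountName);
            } catch (MException e) {
                log().w(new Object[]{accountName, e});
            }
            if (account == null) {
                throw new AccessDeniedException(new Object[]{"null", accountName});
            }
            if (!account.isValid()) {
                throw new AccessDeniedException(new Object[]{"invalid", accountName});
            }
            if (!account.isActive()) {
                throw new AccessDeniedException(new Object[]{"disabled", accountName});
            }
        } else {
            throw new AccessDeniedException(new Object[]{"unknown ticket type", type});
        }
        return process(account, trust, admin, locale);
    }

    /**
     * Builds a context from already verified parts and installs it in the {@link ContextPool}.
     * No credential is checked here.
     *
     * @param account account the context is created for
     * @param trust trust that vouched for the account, or {@code null}
     * @param z admin-mode flag passed to the {@code AaaContextImpl} constructor
     * @param locale locale handed to the new context
     * @return the installed context
     * @throws AccessDeniedException if the context cannot be created
     */
    public AaaContext process(Account account, Trust trust, boolean z, Locale locale) {
        AaaContextImpl aaaContextImpl = null;
        try {
            aaaContextImpl = new AaaContextImpl(account, trust, z, locale);
        } catch (MException e) {
            // Goes to the component log instead of stderr so the failure is attributable.
            log().w(new Object[]{"can't create context", e});
        }
        if (aaaContextImpl == null) {
            throw new AccessDeniedException(new Object[]{"null"});
        }
        ContextPool.getInstance().set(aaaContextImpl, true);
        return aaaContextImpl;
    }

    /**
     * Looks up a trust by name, using {@code trustCache} first and the bound
     * {@link TrustSource} second. A cached entry that reports {@code isChanged()} is reloaded.
     *
     * @param str trust name
     * @return the trust, never {@code null}
     * @throws AccessDeniedException if the name is {@code null} or no trust is found
     */
    protected synchronized Trust getTrust(String str) {
        if (str == null) {
            throw new AccessDeniedException(new Object[]{"null"});
        }
        Trust trust = (Trust) this.trustCache.get(str);
        if (trust != null && trust.isChanged()) {
            trust = null;
        }
        TrustSource source = this.trustSource;
        if (trust == null && source != null) {
            trust = source.findTrust(str);
            if (trust != null) {
                this.trustCache.put(str, trust);
            } else {
                log().w(new Object[]{"trust not found", str});
            }
        }
        if (trust != null) {
            return trust;
        }
        throw new AccessDeniedException(new Object[]{"trust not found", str});
    }

    /**
     * Returns an account if the current context may see it: the lookup is allowed when no
     * context is current, when the current context is in admin mode, or when it belongs to the
     * requested account.
     *
     * @param str account name
     * @return the account as resolved by {@link #getAccountUnsecure(String)}
     * @throws AccessDeniedException if the name is {@code null} or the current context is
     *     neither admin nor the account itself
     * @throws MException if the lookup fails
     */
    public synchronized Account getAccount(String str) throws MException {
        if (str == null) {
            throw new AccessDeniedException(new Object[]{"null"});
        }
        AaaContext current = getCurrent();
        // No current context means "not restricted": callers outside any context can read
        // every account.
        if (current == null || current.isAdminMode() || current.getAccountId().equals(str)) {
            return getAccountUnsecure(str);
        }
        throw new AccessDeniedException(new Object[]{"admin only"});
    }

    /**
     * Resolves an account name without any authorization check.
     *
     * <p>{@code "root"} resolves to the built-in root account. An empty, {@code "?"} or
     * unknown name resolves to the guest account when {@code fallbackToGuest} is set.
     *
     * @param str account name
     * @return the resolved account, never {@code null}
     * @throws AccessDeniedException if the name is empty and guest fallback is off
     * @throws NotFoundException if the account is unknown and guest fallback is off
     * @throws MException if the account source fails
     */
    protected synchronized Account getAccountUnsecure(String str) throws MException {
        if (str == null || str.equals("?") || str.equals("")) {
            if (this.fallbackToGuest) {
                return GUEST_CONTEXT.getAccount();
            }
            throw new AccessDeniedException(new Object[]{"invalid account name", str});
        }
        if (str.equals("root")) {
            return ROOT_CONTEXT.getAccount();
        }
        Account account = (Account) this.accountCache.get(str);
        if (account != null && (account instanceof AccountFile) && ((AccountFile) account).isChanged()) {
            // Drop a stale file-backed entry so the source is asked again.
            account = null;
            this.accountCache.remove(str);
        }
        AccountSource source = this.accountSource;
        if (account == null && source != null) {
            account = source.findAccount(str);
        }
        if (account != null) {
            return account;
        }
        if (isFallbackToGuest()) {
            return GUEST_CONTEXT.getAccount();
        }
        throw new NotFoundException(new Object[]{"account not found", str});
    }

    /**
     * Releases the context of the account named in a ticket. The ticket's secret is not
     * validated; the context is only popped when the current context belongs to that account
     * (see {@link #release(Account)}).
     *
     * @param str ticket; when empty the current (or guest) context is returned unchanged
     * @return the context that is current after the release
     * @throws AccessDeniedException if the ticket type is unknown
     * @throws MRuntimeException if the account cannot be loaded
     */
    public AaaContext release(String str) {
        AaaContextImpl aaaContextImpl = (AaaContextImpl) getCurrentOrGuest();
        if (MString.isEmpty(str)) {
            return aaaContextImpl;
        }
        String[] split = str.split(",");
        // A ticket made only of separators splits into an empty array; reject it as an
        // unknown type instead of failing on split[0].
        String type = split.length > 0 ? split[0] : "";
        String accountName = null;
        if (type.equals("acc")) {
            if (split.length > 2) {
                accountName = split[1];
            }
        } else if (type.equals("tru")) {
            if (split.length > 3) {
                accountName = split[3];
            }
        } else {
            throw new AccessDeniedException(new Object[]{"unknown ticket type", type});
        }
        log().d(new Object[]{"release", accountName});
        try {
            return release(getAccountUnsecure(accountName));
        } catch (MException e) {
            throw new MRuntimeException(new Object[]{"can't get account to release", accountName, e});
        }
    }

    /**
     * Pops the current context if it belongs to the given account and makes its parent
     * current; otherwise leaves the pool untouched.
     *
     * @param account account whose context should be released; must not be {@code null}
     * @return the parent context after a release, else the unchanged current context
     */
    public AaaContext release(Account account) {
        String name = account.getName();
        ContextPool contextPool = ContextPool.getInstance();
        synchronized (contextPool) {
            AaaContextImpl current = contextPool.getCurrent();
            try {
                if (!MString.isEmpty(name)
                        && current != null
                        && current.getAccount() != null
                        && name.equals(current.getAccount().getName())) {
                    AaaContextImpl parent = current.getParent();
                    contextPool.set(parent, false);
                    return parent;
                }
                return current;
            } catch (NullPointerException e) {
                // Best effort, kept from the original: report and leave the pool as it is.
                log().w(new Object[]{"release", name, e});
                return current;
            }
        }
    }

    /**
     * Makes the parent of the given context current, without checking that the given context
     * is the current one.
     *
     * @param aaaContext context to release; {@code null} is ignored
     * @return the parent that is now current, or {@code null} for a {@code null} argument
     */
    public AaaContext release(AaaContext aaaContext) {
        if (aaaContext == null) {
            return null;
        }
        ContextPool contextPool = ContextPool.getInstance();
        AaaContextImpl parent;
        synchronized (contextPool) {
            parent = ((AaaContextImpl) aaaContext).getParent();
            contextPool.set(parent, false);
        }
        return parent;
    }

    /** Clears the current context in the {@link ContextPool}. */
    public void resetContext() {
        ContextPool contextPool = ContextPool.getInstance();
        synchronized (contextPool) {
            contextPool.set(null, false);
        }
    }

    /** @return the current context from the {@link ContextPool}, possibly {@code null} */
    public AaaContext getCurrent() {
        return ContextPool.getInstance().getCurrent();
    }

    /** @return the account of the current context, or the guest account if none is current */
    public Account getCurrentAccount() throws MException {
        return getCurrentOrGuest().getAccount();
    }

    /**
     * Installs a fresh root context. No authorization check is made in this method, so every
     * caller that can reach it obtains a root context. NOTE(review): confirm that access to
     * this method is restricted elsewhere.
     *
     * @return the installed root context
     */
    public AaaContext processAdminSession() {
        RootContext rootContext = new RootContext();
        ContextPool.getInstance().set(rootContext, true);
        return rootContext;
    }

    /**
     * Checks a clear-text password against an account.
     *
     * @param account account to check; {@code null} is treated as a failed validation
     * @param str password candidate
     * @return {@code false} if no account source is bound or the account is {@code null},
     *     otherwise the result of {@code account.validatePassword}
     */
    public boolean validatePassword(Account account, String str) {
        if (account == null || this.accountSource == null) {
            return false;
        }
        return account.validatePassword(str);
    }

    /**
     * Builds a {@code tru} ticket for the account of the given context.
     *
     * <p>The ticket embeds {@code trust.encodeWithPassword()} and must be protected like the
     * trust secret. NOTE(review): the fields are joined without escaping, so a trust name or
     * account id that contains {@code ','} shifts the fields when the ticket is parsed again
     * (an id ending in {@code ",admin"} would be read as the admin flag); confirm that ids are
     * validated where they are created.
     *
     * @param str trust name
     * @param aaaContext context whose account id and admin mode go into the ticket
     * @return the ticket, or {@code null} if no trust source is bound or the context is
     *     {@code null}
     * @throws AccessDeniedException if the trust is unknown (from {@link #getTrust(String)})
     */
    public String createTrustTicket(String str, AaaContext aaaContext) {
        if (this.trustSource == null) {
            return null;
        }
        Trust trust = getTrust(str);
        if (trust == null || aaaContext == null) {
            return null;
        }
        String adminField = aaaContext.isAdminMode() ? "admin" : "";
        return "tru," + str + "," + trust.encodeWithPassword() + "," + aaaContext.getAccountId() + "," + adminField;
    }

    /** Binds the account source. */
    @Reference(policy = ReferencePolicy.DYNAMIC, cardinality = ReferenceCardinality.OPTIONAL)
    public void addAccountSource(AccountSource accountSource) {
        this.accountSource = accountSource;
    }

    /**
     * Clears the account source, whichever instance is passed. NOTE(review): if a replacement
     * is bound before the old service is unbound, this drops the replacement; confirm whether
     * the field should only be cleared when it still holds the argument.
     */
    public void removeAccountSource(AccountSource accountSource) {
        this.accountSource = null;
    }

    /** Sets the account source directly. */
    public void setAccountSource(AccountSource accountSource) {
        this.accountSource = accountSource;
    }

    /** Binds the trust source. */
    @Reference(policy = ReferencePolicy.DYNAMIC, cardinality = ReferenceCardinality.OPTIONAL)
    public void addTrustSource(TrustSource trustSource) {
        this.trustSource = trustSource;
    }

    /**
     * Clears the trust source, whichever instance is passed. NOTE(review): same replacement
     * caveat as {@code removeAccountSource}.
     */
    public void removeTrustSource(TrustSource trustSource) {
        this.trustSource = null;
    }

    /** Sets the trust source directly. */
    public void setTrustSource(TrustSource trustSource) {
        this.trustSource = trustSource;
    }

    /** Binds the authorization source. */
    @Reference(policy = ReferencePolicy.DYNAMIC, cardinality = ReferenceCardinality.OPTIONAL)
    public void addAuthorizationSource(AuthorizationSource authorizationSource) {
        this.authorizationSource = authorizationSource;
    }

    /**
     * Clears the authorization source, whichever instance is passed. NOTE(review): same
     * replacement caveat as {@code removeAccountSource}. While no source is bound,
     * {@code hasGroupAccess} denies everything.
     */
    public void removeAuthorizationSource(AuthorizationSource authorizationSource) {
        this.authorizationSource = null;
    }

    /** Sets the authorization source directly. */
    public void setAuthorizationSource(AuthorizationSource authorizationSource) {
        this.authorizationSource = authorizationSource;
    }

    /**
     * Decides whether an account may perform an action on a named group or resource.
     *
     * <p>Order of evaluation: the mapping {@code <str>_<str2>} (or {@code <str>} when no action
     * is given); for the action {@code read} the mapping {@code <str>_modify}; finally the
     * default ACL {@code str3} through {@code AaaUtil.hasAccess}. The first non-null answer
     * wins.
     *
     * @param account account to check
     * @param str mapping name
     * @param str2 action, may be {@code null}
     * @param str3 default ACL used when the source has no answer
     * @return {@code false} when the account, the name or the authorization source is missing,
     *     or when no action is given and the source has no answer; otherwise the decision
     */
    public boolean hasGroupAccess(Account account, String str, String str2, String str3) {
        AuthorizationSource source = this.authorizationSource;
        if (account == null || source == null || str == null) {
            return false;
        }
        Boolean direct = source.hasResourceAccess(account, str + (str2 == null ? "" : "_" + str2));
        if (direct != null) {
            return direct.booleanValue();
        }
        if (str2 == null) {
            return false;
        }
        if (str2.equals("read")) {
            // An explicit answer for "modify", grant or deny, also decides "read".
            Boolean modify = source.hasResourceAccess(account, str + "_modify");
            if (modify != null) {
                return modify.booleanValue();
            }
        }
        return AaaUtil.hasAccess(account, str3);
    }

    /**
     * Same as {@link #hasGroupAccess(Account, String, String, String)} for the mapping
     * {@code res_<str>_<str2>}.
     */
    public boolean hasResourceAccess(Account account, String str, String str2, String str3, String str4) {
        return hasGroupAccess(account, "res_" + str + "_" + str2, str3, str4);
    }

    /**
     * Returns the ACL string that applies to an action on a named group or resource, using the
     * same lookup order as {@link #hasGroupAccess(Account, String, String, String)}.
     *
     * @param account account to look up
     * @param str mapping name
     * @param str2 action, may be {@code null}
     * @param str3 default ACL returned when the source has no answer for a given action
     * @return the ACL; an empty string when the account, the name or the source is missing, or
     *     when no action is given and the source has no answer
     */
    public String getGroupAccessAcl(Account account, String str, String str2, String str3) {
        AuthorizationSource source = this.authorizationSource;
        if (account == null || source == null || str == null) {
            return "";
        }
        String direct = source.getResourceAccessAcl(account, str + (str2 == null ? "" : "_" + str2));
        if (direct != null) {
            return direct;
        }
        if (str2 == null) {
            return "";
        }
        if (str2.equals("read")) {
            String modify = source.getResourceAccessAcl(account, str + "_modify");
            if (modify != null) {
                return modify;
            }
        }
        return str3;
    }

    /**
     * Same as {@link #getGroupAccessAcl(Account, String, String, String)} for the mapping
     * {@code res_<str>_<str2>}.
     */
    public String getResourceAccessAcl(Account account, String str, String str2, String str3, String str4) {
        return getGroupAccessAcl(account, "res_" + str + "_" + str2, str3, str4);
    }

    /**
     * Builds an {@code acc} ticket. Commas in either value are replaced by {@code '_'} so they
     * cannot shift the ticket fields.
     *
     * <p>NOTE(review): the replacement also alters a password that contains a comma, which
     * would then presumably fail validation; confirm the expected encoding of {@code str2}
     * (the parser passes this field through {@code MPassword.decode}).
     *
     * @param str account name
     * @param str2 password field of the ticket
     * @return the ticket; it contains the password field and must be treated as a secret
     */
    public String createUserTicket(String str, String str2) {
        String accountField = str.replace(',', '_');
        String passwordField = str2.replace(',', '_');
        return "acc," + accountField + "," + passwordField;
    }

    /** @return the current context, or the shared guest context if none is current */
    public AaaContext getCurrentOrGuest() {
        AaaContextImpl current = ContextPool.getInstance().getCurrent();
        return current != null ? current : GUEST_CONTEXT;
    }

    /** @return the shared guest context */
    public AaaContext getGuestContext() {
        return GUEST_CONTEXT;
    }

    /** @return the account of the shared guest context */
    public AccountGuest getGuestAccount() {
        return GUEST_CONTEXT.getAccount();
    }

    /**
     * Same as {@link #hasGroupAccess(Account, String, String, String)} for the mapping
     * {@code <canonical class name>_<str>}.
     */
    public boolean hasGroupAccess(Account account, Class<?> cls, String str, String str2, String str3) {
        return hasGroupAccess(account, cls.getCanonicalName() + "_" + str, str2, str3);
    }

    /**
     * @return the account source's modify API, or {@code null} if no source is bound
     * @throws AccessDeniedException if the current context is not admin
     */
    public ModifyAccountApi getModifyAccountApi() {
        if (!AaaUtil.isCurrentAdmin()) {
            throw new AccessDeniedException(new Object[0]);
        }
        AccountSource source = this.accountSource;
        return source == null ? null : source.getModifyApi();
    }

    /**
     * @return the authorization source's modify API, or {@code null} if no source is bound
     * @throws AccessDeniedException if the current context is not admin
     */
    public ModifyAuthorizationApi getModifyAuthorizationApi() {
        if (!AaaUtil.isCurrentAdmin()) {
            throw new AccessDeniedException(new Object[0]);
        }
        AuthorizationSource source = this.authorizationSource;
        return source == null ? null : source.getModifyApi();
    }

    /**
     * @return the trust source's modify API, or {@code null} if no source is bound
     * @throws AccessDeniedException if the current context is not admin
     */
    public ModifyTrustApi getModifyTrustApi() {
        if (!AaaUtil.isCurrentAdmin()) {
            throw new AccessDeniedException(new Object[0]);
        }
        TrustSource source = this.trustSource;
        return source == null ? null : source.getModifyApi();
    }

    /**
     * Returns an API for changing the current account. Needs no admin mode because it is bound
     * to the caller's own account.
     *
     * @return the API, or {@code null} if no account source is bound or the current account is
     *     synthetic or not valid
     * @throws MException if the current account cannot be determined
     */
    public ModifyCurrentAccountApi getModifyCurrentAccountApi() throws MException {
        AccountSource source = this.accountSource;
        if (source == null) {
            return null;
        }
        Account currentAccount = getCurrentAccount();
        if (currentAccount.isSynthetic() || !currentAccount.isValid()) {
            return null;
        }
        return new ModifyCurrentAccount(currentAccount, source);
    }

    /** @return whether empty or unknown account names resolve to the guest account */
    public boolean isFallbackToGuest() {
        return this.fallbackToGuest;
    }

    /**
     * Controls whether empty or unknown account names resolve to the guest account instead of
     * failing in {@link #getAccountUnsecure(String)}.
     */
    public void setFallbackToGuest(boolean z) {
        this.fallbackToGuest = z;
    }
}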
