package org.mycore.mir.authorization;

import java.util.Arrays;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.persistence.EntityManager;
import javax.persistence.criteria.CriteriaBuilder;
import javax.persistence.criteria.CriteriaQuery;
import javax.persistence.criteria.Predicate;
import javax.persistence.criteria.Root;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.mycore.access.MCRAccessInterface;
import org.mycore.access.MCRAccessManager;
import org.mycore.access.strategies.MCRAccessCheckStrategy;
import org.mycore.access.strategies.MCRCreatorRuleStrategy;
import org.mycore.access.strategies.MCRObjectBaseStrategy;
import org.mycore.access.strategies.MCRObjectIDStrategy;
import org.mycore.backend.jpa.MCREntityManagerProvider;
import org.mycore.backend.jpa.access.MCRACCESS;
import org.mycore.backend.jpa.access.MCRACCESSPK_;
import org.mycore.backend.jpa.access.MCRACCESS_;
import org.mycore.common.MCRCache;
import org.mycore.common.MCRException;
import org.mycore.common.config.MCRConfiguration;
import org.mycore.common.config.MCRConfiguration2;
import org.mycore.common.xml.MCRXMLFunctions;
import org.mycore.datamodel.classifications2.MCRCategLinkReference;
import org.mycore.datamodel.classifications2.MCRCategLinkService;
import org.mycore.datamodel.classifications2.MCRCategLinkServiceFactory;
import org.mycore.datamodel.classifications2.MCRCategoryID;
import org.mycore.datamodel.metadata.MCRMetadataManager;
import org.mycore.datamodel.metadata.MCRObjectID;
import org.mycore.mir.authorization.accesskeys.MIRAccessKeyPair;
import org.mycore.mods.MCRMODSEmbargoUtils;
import org.mycore.pi.MCRPIManager;
import org.mycore.pi.MCRPIServiceManager;
import org.mycore.user2.MCRUser;
import org.mycore.user2.MCRUserManager;

/* loaded from: input_file:org/mycore/mir/authorization/MIRStrategy.class */
public class MIRStrategy implements MCRAccessCheckStrategy {
    public static final String EDIT_PI_ROLES = "MIR.Strategy.EditPIRoles";
    private static final long CACHE_TIME = 3600000;
    private final List<String> ACCESS_CLASSES = MCRConfiguration.instance().getStrings("MIR.Access.Strategy.Classifications", Arrays.asList("mir_access"));
    private final MCRCategLinkService LINK_SERVICE = MCRCategLinkServiceFactory.getInstance();
    private MCRAccessInterface ACCESS_IMPL = MCRAccessManager.getAccessImpl();
    private static final Pattern TYPE_PATTERN = Pattern.compile("[^_]+_([^_]+)_[0-9]+");
    private static final Logger LOGGER = LogManager.getLogger();
    private static final MCRObjectIDStrategy ID_STRATEGY = new MCRObjectIDStrategy();
    private static final MCRObjectBaseStrategy OBJECT_BASE_STRATEGY = new MCRObjectBaseStrategy();
    private static final MCRCreatorRuleStrategy CREATOR_STRATEGY = new MCRCreatorRuleStrategy();
    private static final MIRKeyStrategyHelper KEY_STRATEGY_HELPER = new MIRKeyStrategyHelper();
    private static final MCRCache<String, List<MCRCategoryID>> PERMISSION_CATEGORY_MAPPING_CACHE = new MCRCache<>(20, "MIRStrategy");

    /* loaded from: input_file:org/mycore/mir/authorization/MIRStrategy$PermissionIDType.class */
    private enum PermissionIDType {
        MCRObject,
        MCRDerivate,
        Other;

        public static PermissionIDType fromID(String str) {
            Matcher matcher = MIRStrategy.TYPE_PATTERN.matcher(str);
            return (matcher.find() && matcher.groupCount() == 1) ? "derivate".equals(matcher.group(1)) ? MCRDerivate : MCRObject : Other;
        }
    }

    public boolean checkPermission(String str, String str2) {
        LOGGER.debug("checkPermission({}, {})", str, str2);
        switch (PermissionIDType.fromID(str)) {
            case MCRObject:
                return checkObjectPermission(MCRObjectID.getInstance(str), str2);
            case MCRDerivate:
                return checkDerivatePermission(MCRObjectID.getInstance(str), str2);
            case Other:
                return checkOtherPermission(str, str2);
            default:
                throw new MCRException("Could not handle PermissionIDType: " + PermissionIDType.fromID(str));
        }
    }

    private boolean checkObjectPermission(MCRObjectID mCRObjectID, String str) {
        LOGGER.debug("checkObjectPermission({}, {})", mCRObjectID, str);
        boolean hasRegisteredPI = hasRegisteredPI(mCRObjectID);
        if ("deletedb".equalsIgnoreCase(str) && hasRegisteredPI && !canEditPI()) {
            return false;
        }
        if (KEY_STRATEGY_HELPER.checkObjectPermission(mCRObjectID, str)) {
            return true;
        }
        String mCRObjectID2 = mCRObjectID.toString();
        if (ID_STRATEGY.hasRuleMapping(mCRObjectID2, str)) {
            LOGGER.debug("Found match in ID strategy for {} on {}.", str, mCRObjectID);
            return ID_STRATEGY.checkPermission(mCRObjectID2, str);
        }
        if (!CREATOR_STRATEGY.isCreatorRuleAvailable(mCRObjectID2, str)) {
            return ((Boolean) getAccessCategory(mCRObjectID, mCRObjectID.getTypeId(), str).map(mCRCategoryID -> {
                LOGGER.debug("using access rule defined for category: " + mCRCategoryID);
                return Boolean.valueOf(this.ACCESS_IMPL.checkPermission(mCRObjectID.getTypeId() + ":" + mCRCategoryID.toString(), str));
            }).orElseGet(() -> {
                LOGGER.debug("Using BASE strategy as fallback for {} on {}.", str, mCRObjectID);
                return Boolean.valueOf(OBJECT_BASE_STRATEGY.checkPermission(mCRObjectID2, str));
            })).booleanValue();
        }
        LOGGER.debug("Found match in CREATOR strategy for {} on {}.", str, mCRObjectID);
        return CREATOR_STRATEGY.checkPermission(mCRObjectID2, str);
    }

    private boolean canEditPI() {
        Stream stream = (Stream) MCRConfiguration2.getOrThrow(EDIT_PI_ROLES, MCRConfiguration2::splitValue);
        MCRUser currentUser = MCRUserManager.getCurrentUser();
        Objects.requireNonNull(currentUser);
        return stream.anyMatch(currentUser::isUserInRole);
    }

    private boolean checkDerivatePermission(MCRObjectID mCRObjectID, String str) {
        LOGGER.debug("checkDerivatePermission({}, {})", mCRObjectID, str);
        String mCRObjectID2 = mCRObjectID.toString();
        MCRObjectID objectId = MCRMetadataManager.getObjectId(mCRObjectID, 10L, TimeUnit.MINUTES);
        if (("writedb".equalsIgnoreCase(str) || "deletedb".equalsIgnoreCase(str)) && hasRegisteredPI(objectId) && !canEditPI()) {
            return false;
        }
        if (MIRAccessKeyPair.PERMISSION_READ.equals(str) && !MCRXMLFunctions.isDisplayedEnabledDerivate(mCRObjectID.toString()) && !checkObjectPermission(mCRObjectID, "writedb")) {
            LOGGER.debug("Derivate {} is hidden and User has no write permission!", mCRObjectID);
            return false;
        }
        if (objectId == null) {
            LOGGER.debug("Derivate {} is an orphan. Cannot apply rules for MCRObject.", mCRObjectID);
            return OBJECT_BASE_STRATEGY.checkPermission(mCRObjectID2, str);
        }
        String embargo = MCRMODSEmbargoUtils.getEmbargo(objectId);
        if (MIRAccessKeyPair.PERMISSION_READ.equals(str) && embargo != null && !MCRMODSEmbargoUtils.isCurrentUserCreator(objectId) && !MCRAccessManager.checkPermission("embargo") && !KEY_STRATEGY_HELPER.checkObjectPermission(objectId, MIRAccessKeyPair.PERMISSION_READ)) {
            LOGGER.debug("Derivate {} has embargo {} and current user is not creator and doesn't has {} POOLPRIVILEGE", mCRObjectID, embargo, "embargo");
            return false;
        }
        if (ID_STRATEGY.hasRuleMapping(mCRObjectID2, str)) {
            LOGGER.debug("Found match in ID strategy for {} on {}.", str, mCRObjectID);
            return ID_STRATEGY.checkPermission(mCRObjectID2, str);
        }
        if (!CREATOR_STRATEGY.isCreatorRuleAvailable(objectId.toString(), str)) {
            return ((Boolean) getAccessCategory(objectId, mCRObjectID.getTypeId(), str).map(mCRCategoryID -> {
                LOGGER.debug("using access rule defined for category: " + mCRCategoryID);
                return Boolean.valueOf(this.ACCESS_IMPL.checkPermission(mCRObjectID.getTypeId() + ":" + mCRCategoryID.toString(), str));
            }).orElseGet(() -> {
                if (OBJECT_BASE_STRATEGY.hasRuleMapping(mCRObjectID2, str)) {
                    return Boolean.valueOf(OBJECT_BASE_STRATEGY.checkPermission(mCRObjectID2, str));
                }
                LOGGER.debug("No rule for base strategy found, check against object {}.", objectId);
                return Boolean.valueOf(checkObjectPermission(objectId, str));
            })).booleanValue();
        }
        LOGGER.debug("Found match in CREATOR strategy for {} on {}.", str, mCRObjectID);
        return CREATOR_STRATEGY.checkPermission(objectId.toString(), str);
    }

    private boolean hasRegisteredPI(MCRObjectID mCRObjectID) {
        return MCRPIServiceManager.getInstance().getServiceList().stream().anyMatch(mCRPIService -> {
            return MCRPIManager.getInstance().getCreatedIdentifiers(mCRObjectID, mCRPIService.getType(), mCRPIService.getServiceID()).stream().anyMatch(mCRPIRegistrationInfo -> {
                return mCRPIService.isRegistered(mCRObjectID, mCRPIRegistrationInfo.getAdditional());
            });
        });
    }

    private boolean checkOtherPermission(String str, String str2) {
        return ID_STRATEGY.checkPermission(str, str2);
    }

    private Optional<MCRCategoryID> getAccessCategory(MCRObjectID mCRObjectID, String str, String str2) {
        List<MCRCategoryID> accessMappedCategories = getAccessMappedCategories(str, str2, this.ACCESS_CLASSES);
        MCRCategLinkReference mCRCategLinkReference = new MCRCategLinkReference(mCRObjectID);
        return accessMappedCategories.stream().peek(mCRCategoryID -> {
            LOGGER.info("Checking if {} is in category {}.", mCRObjectID, mCRCategoryID);
        }).filter(mCRCategoryID2 -> {
            return this.LINK_SERVICE.isInCategory(mCRCategLinkReference, mCRCategoryID2);
        }).findFirst();
    }

    private static List<MCRCategoryID> getAccessMappedCategories(String str, String str2, List<String> list) {
        List<MCRCategoryID> list2 = (List) PERMISSION_CATEGORY_MAPPING_CACHE.getIfUpToDate(str + "_" + str2, System.currentTimeMillis() - CACHE_TIME);
        if (list2 != null) {
            return list2;
        }
        EntityManager currentEntityManager = MCREntityManagerProvider.getCurrentEntityManager();
        CriteriaBuilder criteriaBuilder = currentEntityManager.getCriteriaBuilder();
        CriteriaQuery createQuery = criteriaBuilder.createQuery(String.class);
        Root from = createQuery.from(MCRACCESS.class);
        createQuery.select(from.get(MCRACCESS_.key).get(MCRACCESSPK_.objid)).where(new Predicate[]{criteriaBuilder.like(from.get(MCRACCESS_.key).get(MCRACCESSPK_.objid), str + ":%"), criteriaBuilder.equal(from.get(MCRACCESS_.key).get(MCRACCESSPK_.acpool), str2)});
        List<MCRCategoryID> generateMCRCategoryIDList = generateMCRCategoryIDList(str, currentEntityManager.createQuery(createQuery).getResultList(), list);
        PERMISSION_CATEGORY_MAPPING_CACHE.put(str + "_" + str2, generateMCRCategoryIDList);
        return generateMCRCategoryIDList;
    }

    private static List<MCRCategoryID> generateMCRCategoryIDList(String str, List<String> list, List<String> list2) {
        return (List) list.stream().map(str2 -> {
            return str2.substring((str + ":").length());
        }).map(MCRCategoryID::fromString).filter(mCRCategoryID -> {
            return list2.contains(mCRCategoryID.getRootID());
        }).sorted((mCRCategoryID2, mCRCategoryID3) -> {
            return list2.indexOf(mCRCategoryID2.getRootID()) - list2.indexOf(mCRCategoryID3.getRootID());
        }).collect(Collectors.toList());
    }
}
