package co.pishfa.security.service.handler;

import co.pishfa.accelerate.persistence.query.QueryBuilder;
import co.pishfa.security.entity.authentication.Domain;
import co.pishfa.security.entity.authentication.Identity;
import co.pishfa.security.entity.authentication.User;
import co.pishfa.security.entity.authorization.AccessLevel;
import co.pishfa.security.entity.authorization.BaseSecuredEntity;
import co.pishfa.security.entity.authorization.Permission;
import co.pishfa.security.entity.authorization.PermissionDef;
import co.pishfa.security.entity.authorization.PermissionDefParam;
import co.pishfa.security.exception.AuthorizationException;
import co.pishfa.security.repo.DomainRepo;

/**
 * Permission scope handler for the {@code "domains"} scope.
 *
 * <p>An entity is in scope for an identity when three independent checks all pass: the entity's
 * domain is contained in the user's domain, the user's current security level is at least the
 * entity's security level, and the entity's access level is at least the level required by the
 * permission definition. The same three constraints are also emitted as query conditions by
 * {@link #addConditions}.
 *
 * <p>Security notes:
 * <ul>
 *   <li>In {@link #check}, an entity attribute that is {@code null} (domain, security level or
 *       access level) makes the corresponding check pass for every identity. Entities stored
 *       without these attributes are therefore unrestricted by this handler.</li>
 *   <li>NOTE(review): {@link #addConditions} does not special-case {@code null} attributes the
 *       way {@link #check} does. If the query language follows SQL/JPQL null semantics, rows with
 *       a {@code null} level would not match the appended comparisons, so the two paths can
 *       disagree about the same entity - confirm which behaviour is intended.</li>
 * </ul>
 */
@ScopeHandler("domains")
/* loaded from: input_file:co/pishfa/security/service/handler/DomainsPermissionHandler.class */
public class DomainsPermissionHandler implements PermissionScopeHandler<BaseSecuredEntity> {

    /**
     * Decides whether {@code identity} may act on {@code baseSecuredEntity} under {@code permission}.
     *
     * <p>The checks run in a fixed order (domain, security level, access level) and evaluation
     * stops at the first one that fails, so the permission definition is only read once the
     * first two checks have passed.
     *
     * @param identity          the caller being authorized
     * @param baseSecuredEntity the entity being accessed
     * @param str               not used by this handler
     * @param permission        the permission whose definition supplies the required access level
     * @return {@code true} only if all three checks pass
     * @throws AuthorizationException declared by the interface; not thrown directly here
     */
    @Override
    public boolean check(Identity identity, BaseSecuredEntity baseSecuredEntity, String str, Permission permission) throws AuthorizationException {
        if (!checkDomain(identity, baseSecuredEntity)) {
            return false;
        }
        if (!checkSecurityLevel(identity, baseSecuredEntity)) {
            return false;
        }
        return checkAccessLevel(permission.getDefinition(), baseSecuredEntity);
    }

    /**
     * Compares the access level required by the permission definition with the entity's own.
     *
     * @return {@code true} when the entity has no access level, or when the required level is
     *         less than or equal to the entity's level
     */
    protected boolean checkAccessLevel(PermissionDef permissionDef, BaseSecuredEntity baseSecuredEntity) {
        // An entity without an access level is treated as unrestricted (fail-open).
        if (baseSecuredEntity.getAccessLevel() == null) {
            return true;
        }
        return computeRequiredLevel(permissionDef).getLevel() <= baseSecuredEntity.getAccessLevel().getLevel();
    }

    /**
     * Resolves the access level a permission definition demands.
     *
     * <p>Reads the {@code "requiredLevel"} parameter; when it is absent the default is
     * {@link AccessLevel#READ_WRITE}. The parameter value is resolved with
     * {@code AccessLevel.valueOf}, so an unrecognised value is not mapped to a default here -
     * presumably it surfaces as an unchecked exception from {@code valueOf}; verify against
     * {@code AccessLevel}.
     */
    private AccessLevel computeRequiredLevel(PermissionDef permissionDef) {
        PermissionDefParam levelParam = permissionDef.getParam("requiredLevel");
        if (levelParam == null) {
            return AccessLevel.READ_WRITE;
        }
        return AccessLevel.valueOf(levelParam.getValue());
    }

    /**
     * Compares the user's current security level with the entity's security level.
     *
     * @return {@code true} when the entity has no security level; otherwise {@code true} only if
     *         the user has a current level that is greater than or equal to the entity's level
     */
    protected boolean checkSecurityLevel(Identity identity, BaseSecuredEntity baseSecuredEntity) {
        // An entity without a security level is treated as unrestricted (fail-open).
        if (baseSecuredEntity.getSecurityLevel() == null) {
            return true;
        }
        // A user without a current level is denied as soon as the entity carries one (fail-closed).
        if (identity.getUser().getCurrentLevel() == null) {
            return false;
        }
        return identity.getUser().getCurrentLevel().getLevel() >= baseSecuredEntity.getSecurityLevel().getLevel();
    }

    /**
     * Checks that the entity's domain is contained in the user's domain.
     *
     * <p>NOTE(review): the user's domain is passed to {@code containedIn} without a null check,
     * while {@link #addDomainConditions} explicitly handles a {@code null} domain - confirm how
     * {@code Domain.containedIn} treats {@code null}.
     *
     * @return {@code true} when the entity has no domain, otherwise the result of
     *         {@code containedIn}
     */
    protected boolean checkDomain(Identity identity, BaseSecuredEntity baseSecuredEntity) {
        // An entity without a domain is treated as unrestricted (fail-open).
        if (baseSecuredEntity.getDomain() == null) {
            return true;
        }
        return baseSecuredEntity.getDomain().containedIn(identity.getUser().getDomain());
    }

    /**
     * Appends the security-level, access-level and domain restrictions to a query.
     *
     * <p>Every appended fragment is a fixed string literal and every value is supplied through a
     * named parameter, so no caller-controlled text is concatenated into the query.
     *
     * <p>NOTE(review): {@code user_sec_level} is bound to the user's current level as-is, which
     * may be {@code null}; presumably the comparison then matches no rows - confirm against the
     * query builder.
     */
    @Override
    public void addConditions(Identity identity, Permission permission, QueryBuilder<BaseSecuredEntity> queryBuilder) {
        // Fragment order is kept: both level predicates first, then the domain predicate.
        queryBuilder.append(" and e.securityLevel <= :user_sec_level ");
        queryBuilder.append(" and e.accessLevel >= :perm_req_level ");

        User currentUser = identity.getUser();
        addDomainConditions(queryBuilder, currentUser.getDomain());

        // Bind the values for the two level predicates appended above.
        queryBuilder.with("user_sec_level", currentUser.getCurrentLevel());
        queryBuilder.with("perm_req_level", computeRequiredLevel(permission.getDefinition()));
    }

    /**
     * Appends the domain restriction for a user's domain.
     *
     * <p>With a {@code null} domain only entities in the shared domain match. Otherwise an entity
     * matches when it is in the shared domain or its domain code lies between the user's domain
     * scope start and scope end (inclusive, as expressed by {@code between}).
     */
    protected void addDomainConditions(QueryBuilder<BaseSecuredEntity> queryBuilder, Domain domain) {
        if (domain != null) {
            queryBuilder.append(" and (e.domain.id = :shared_id or e.domain.code between :domain_start and :domain_end) ")
                    .with("domain_start", Long.valueOf(domain.getScopeStart()))
                    .with("domain_end", Long.valueOf(domain.getScopeEnd()));
        } else {
            // No user domain: restrict the result to the shared domain only.
            queryBuilder.append(" and e.domain.id = :shared_id ");
        }
        // Both branches reference :shared_id, so it is bound once here.
        queryBuilder.with("shared_id", DomainRepo.getInstance().getSharedDomainId());
    }
}
