package ome.security.basic;

import ome.annotations.RevisionDate;
import ome.annotations.RevisionNumber;
import ome.conditions.GroupSecurityViolation;
import ome.conditions.InternalException;
import ome.conditions.SecurityViolation;
import ome.model.IObject;
import ome.model.internal.Details;
import ome.model.internal.Permissions;
import ome.model.meta.Experimenter;
import ome.model.meta.ExperimenterGroup;
import ome.security.ACLVoter;
import ome.security.SecurityFilter;
import ome.security.SystemTypes;
import ome.system.EventContext;
import ome.system.Roles;
import org.hibernate.Session;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.Assert;

@RevisionNumber("$Revision$")
@RevisionDate("$Date$")
/* loaded from: input_file:ome/security/basic/BasicACLVoter.class */
public class BasicACLVoter implements ACLVoter {
    private static final Logger log = LoggerFactory.getLogger(BasicACLVoter.class);
    protected final CurrentDetails currentUser;
    protected final SystemTypes sysTypes;
    protected final TokenHolder tokenHolder;
    protected final SecurityFilter securityFilter;
    protected final Roles roles;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:ome/security/basic/BasicACLVoter$Scope.class */
    public enum Scope {
        ANNOTATE(Permissions.Right.ANNOTATE),
        DELETE(Permissions.Right.WRITE),
        EDIT(Permissions.Right.WRITE),
        LINK(Permissions.Right.WRITE);

        final Permissions.Right right;

        Scope(Permissions.Right right) {
            this.right = right;
        }
    }

    public BasicACLVoter(CurrentDetails currentDetails, SystemTypes systemTypes, TokenHolder tokenHolder, SecurityFilter securityFilter) {
        this(currentDetails, systemTypes, tokenHolder, securityFilter, new Roles());
    }

    public BasicACLVoter(CurrentDetails currentDetails, SystemTypes systemTypes, TokenHolder tokenHolder, SecurityFilter securityFilter, Roles roles) {
        this.currentUser = currentDetails;
        this.sysTypes = systemTypes;
        this.securityFilter = securityFilter;
        this.tokenHolder = tokenHolder;
        this.roles = roles;
    }

    @Override // ome.security.ACLVoter
    public boolean allowChmod(IObject iObject) {
        return this.currentUser.isOwnerOrSupervisor(iObject);
    }

    @Override // ome.security.ACLVoter
    public boolean allowLoad(Session session, Class<? extends IObject> cls, Details details, long j) {
        Assert.notNull(cls);
        if (details == null || this.sysTypes.isSystemType(cls)) {
            return true;
        }
        boolean passesFilter = (this.sysTypes.isInSystemGroup(details) || this.sysTypes.isInUserGroup(details)) ? true : this.securityFilter.passesFilter(session, details, this.currentUser.current());
        if (this.currentUser.getCurrentEventContext().getCurrentGroupId().longValue() < 0) {
            ExperimenterGroup group = details.getGroup();
            if (group == null) {
                log.warn(String.format("Group null while loading %s:%s", cls.getName(), Long.valueOf(j)));
            }
            if (group != null) {
                Long id = group.getId();
                Permissions permissions = group.getDetails().getPermissions();
                if (permissions == null) {
                    log.warn(String.format("Permissions null for group %s while loading %s:%s", id, cls.getName(), Long.valueOf(j)));
                } else {
                    this.currentUser.current().setPermissionsForGroup(id, permissions);
                }
            }
        }
        return passesFilter;
    }

    @Override // ome.security.ACLVoter
    public void throwLoadViolation(IObject iObject) throws SecurityViolation {
        Assert.notNull(iObject);
        throw new SecurityViolation("Cannot read " + iObject);
    }

    @Override // ome.security.ACLVoter
    public boolean allowCreation(IObject iObject) {
        Assert.notNull(iObject);
        return this.tokenHolder.hasPrivilegedToken(iObject) || this.currentUser.getCurrentEventContext().isCurrentUserAdmin() || !(this.sysTypes.isSystemType(iObject.getClass()) || this.sysTypes.isInSystemGroup(iObject.getDetails()));
    }

    @Override // ome.security.ACLVoter
    public void throwCreationViolation(IObject iObject) throws SecurityViolation {
        Assert.notNull(iObject);
        if (!(this.sysTypes.isSystemType(iObject.getClass()) || this.sysTypes.isInSystemGroup(iObject.getDetails())) && this.currentUser.isGraphCritical(iObject.getDetails())) {
            throw new GroupSecurityViolation(iObject + "-insertion violates group-security.");
        }
        throw new SecurityViolation(iObject + " is a System-type, and may only be created through privileged APIs.");
    }

    @Override // ome.security.ACLVoter
    public boolean allowAnnotate(IObject iObject, Details details) {
        return 1 == allowUpdateOrDelete(this.currentUser.current(), iObject, details, Scope.ANNOTATE);
    }

    @Override // ome.security.ACLVoter
    public boolean allowUpdate(IObject iObject, Details details) {
        return 1 == allowUpdateOrDelete(this.currentUser.current(), iObject, details, Scope.EDIT);
    }

    @Override // ome.security.ACLVoter
    public void throwUpdateViolation(IObject iObject) throws SecurityViolation {
        Assert.notNull(iObject);
        if (!(this.sysTypes.isSystemType(iObject.getClass()) || this.sysTypes.isInSystemGroup(iObject.getDetails())) && this.currentUser.isGraphCritical(iObject.getDetails())) {
            throw new GroupSecurityViolation(iObject + "-modification violates group-security.");
        }
        throw new SecurityViolation("Updating " + iObject + " not allowed.");
    }

    @Override // ome.security.ACLVoter
    public boolean allowDelete(IObject iObject, Details details) {
        return 1 == allowUpdateOrDelete(this.currentUser.current(), iObject, details, Scope.DELETE);
    }

    @Override // ome.security.ACLVoter
    public void throwDeleteViolation(IObject iObject) throws SecurityViolation {
        Assert.notNull(iObject);
        throw new SecurityViolation("Deleting " + iObject + " not allowed.");
    }

    boolean owner(Long l, EventContext eventContext) {
        return l != null && l.equals(eventContext.getCurrentUserId());
    }

    boolean owner(Details details, EventContext eventContext) {
        Long id = details.getOwner() == null ? null : details.getOwner().getId();
        return id != null && id.equals(eventContext.getCurrentUserId());
    }

    boolean member(Long l, EventContext eventContext) {
        return l != null && eventContext.getMemberOfGroupsList().contains(l);
    }

    boolean member(Details details, EventContext eventContext) {
        return member(details.getGroup() == null ? null : details.getGroup().getId(), eventContext);
    }

    boolean leader(Long l, EventContext eventContext) {
        return l != null && eventContext.getLeaderOfGroupsList().contains(l);
    }

    boolean leader(Details details, EventContext eventContext) {
        return leader(details.getGroup() == null ? null : details.getGroup().getId(), eventContext);
    }

    private int allowUpdateOrDelete(BasicEventContext basicEventContext, IObject iObject, Details details, Scope... scopeArr) {
        int i = 0;
        if (iObject == null) {
            throw new IllegalArgumentException("null object");
        }
        boolean z = this.sysTypes.isSystemType(iObject.getClass()) || this.sysTypes.isInSystemGroup(iObject.getDetails());
        boolean z2 = z || this.sysTypes.isInUserGroup(iObject.getDetails());
        if (this.tokenHolder.hasPrivilegedToken(iObject)) {
            return 1;
        }
        if (!z2 && this.currentUser.isGraphCritical(details)) {
            Boolean bool = null;
            Long currentUserId = basicEventContext.getCurrentUserId();
            for (int i2 = 0; i2 < scopeArr.length; i2++) {
                if (scopeArr[i2].equals(Scope.LINK) || scopeArr[i2].equals(Scope.ANNOTATE)) {
                    if (bool == null) {
                        bool = Boolean.valueOf(objectBelongsToUser(iObject, currentUserId));
                    }
                    if (!bool.booleanValue()) {
                        scopeArr[i2] = null;
                    }
                }
            }
        }
        if (basicEventContext.isCurrentUserAdmin()) {
            for (int i3 = 0; i3 < scopeArr.length; i3++) {
                if (scopeArr[i3] != null) {
                    i |= 1 << i3;
                }
            }
            return i;
        }
        if (z) {
            return 0;
        }
        if (details == null) {
            throw new InternalException("trustedDetails are null!");
        }
        Permissions currentGroupPermissions = basicEventContext.getCurrentGroupPermissions();
        if (currentGroupPermissions == null || currentGroupPermissions == Permissions.DUMMY) {
            if (details.getGroup() != null) {
                Long id = details.getGroup().getId();
                currentGroupPermissions = basicEventContext.getPermissionsForGroup(id);
                if (currentGroupPermissions == null && id.equals(Long.valueOf(this.roles.getUserGroupId()))) {
                    currentGroupPermissions = new Permissions(Permissions.EMPTY);
                }
            }
            if (currentGroupPermissions == null) {
                throw new InternalException("Permissions are null! Security system failure -- refusing to continue. The Permissions should be set to a default value.");
            }
        }
        boolean owner = owner(details, (EventContext) basicEventContext);
        boolean leader = leader(details, (EventContext) basicEventContext);
        boolean member = member(details, (EventContext) basicEventContext);
        for (int i4 = 0; i4 < scopeArr.length; i4++) {
            Scope scope = scopeArr[i4];
            if (scope != null) {
                if (leader) {
                    i |= 1 << i4;
                } else if (currentGroupPermissions.isGranted(Permissions.Role.WORLD, scope.right)) {
                    i |= 1 << i4;
                } else if (owner && currentGroupPermissions.isGranted(Permissions.Role.USER, scope.right)) {
                    i |= 1 << i4;
                } else if (member && currentGroupPermissions.isGranted(Permissions.Role.GROUP, scope.right)) {
                    i |= 1 << i4;
                }
            }
        }
        return i;
    }

    public EventContext getEventContext() {
        return this.currentUser.getCurrentEventContext();
    }

    public void postProcess(IObject iObject) {
        if (iObject.isLoaded()) {
            Details details = iObject.getDetails();
            this.currentUser.applyContext(details, !(iObject instanceof ExperimenterGroup));
            BasicEventContext current = this.currentUser.current();
            Permissions permissions = details.getPermissions();
            int allowUpdateOrDelete = allowUpdateOrDelete(current, iObject, details, Scope.LINK, Scope.EDIT, Scope.DELETE, Scope.ANNOTATE);
            Permissions permissions2 = new Permissions(permissions);
            permissions2.copyRestrictions(allowUpdateOrDelete);
            details.setPermissions(permissions2);
        }
    }

    private boolean objectBelongsToUser(IObject iObject, Long l) {
        Experimenter owner = iObject.getDetails().getOwner();
        if (owner != null) {
            return l.equals(owner.getId());
        }
        if (iObject.getId() == null) {
            return true;
        }
        throw new NullPointerException("Null owner for " + iObject);
    }
}
