package ome.security.basic;

import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import ome.conditions.ApiUsageException;
import ome.conditions.GroupSecurityViolation;
import ome.conditions.InternalException;
import ome.conditions.SecurityViolation;
import ome.model.IObject;
import ome.model.core.OriginalFile;
import ome.model.internal.Details;
import ome.model.internal.Permissions;
import ome.model.meta.Experimenter;
import ome.model.meta.ExperimenterGroup;
import ome.model.meta.GroupExperimenterMap;
import ome.security.ACLVoter;
import ome.security.SecurityFilter;
import ome.security.SystemTypes;
import ome.security.policy.DefaultPolicyService;
import ome.security.policy.PolicyService;
import ome.services.sessions.SessionProvider;
import ome.services.util.ReadOnlyStatus;
import ome.system.EventContext;
import ome.system.Roles;
import ome.tools.hibernate.HibernateUtils;
import ome.util.PermDetails;
import org.apache.commons.collections.CollectionUtils;
import org.hibernate.Session;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.Assert;

/* loaded from: input_file:ome/security/basic/BasicACLVoter.class */
/**
 * Access-control voter that decides whether the current user may load,
 * create, annotate, update, delete or chmod a model object.
 * <p>
 * The decisions made in this class combine: a read-only-database flag (every
 * write-type check is refused while it is set), privileged tokens held by
 * {@code tokenHolder}, the light-administrator privileges of the current
 * event context, group permissions, and the owner / group-leader /
 * group-member relationship between the current user and the object.
 */
public class BasicACLVoter implements ACLVoter {
    private static final Logger log = LoggerFactory.getLogger(BasicACLVoter.class);
    // Source of the current event context (user id, group ids, admin privileges).
    protected final CurrentDetails currentUser;
    // Classifies model classes as system types and Details as system/user-group owned.
    protected final SystemTypes sysTypes;
    // Objects carrying a privileged token bypass the creation and update/delete checks.
    protected final TokenHolder tokenHolder;
    // Consulted by allowLoad for objects outside the system and user groups.
    protected final SecurityFilter securityFilter;
    // Supplies the active policy restrictions returned by restrictions(IObject).
    protected final PolicyService policyService;
    // Provides the guest user id and the user group id used in the checks below.
    protected final Roles roles;
    // Classes that may keep the chgrp / chown bit in addChgrpChownRestrictionBits.
    // An empty set disables the class filter. Replaced by setPermittedClasses.
    private Set<Class<? extends IObject>> chgrpPermittedClasses;
    private Set<Class<? extends IObject>> chownPermittedClasses;
    // Resolves privilege names such as "WriteOwned" to the objects held in the event context.
    private final LightAdminPrivileges adminPrivileges;
    // Used by allowLoad to look up sessions; null when the voter is built without one.
    private final SessionProvider sessionProvider;
    // Snapshot of ReadOnlyStatus.isReadOnlyDb() taken in the constructor.
    private final boolean isReadOnlyDb;
    // Repository UUIDs compared with OriginalFile.getRepo() to choose between the
    // ...ManagedRepo, ...ScriptRepo and ...File privileges. The sets handed to the
    // constructor are stored by reference, not copied.
    private final Set<String> managedRepoUuids;
    private final Set<String> scriptRepoUuids;
    // Prefix an OriginalFile name must carry for allowCreation to accept a file whose
    // repo property is already set. The shorter constructors default it to a fresh
    // random UUID string.
    private final String fileRepoSecretKey;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:ome/security/basic/BasicACLVoter$Scope.class */
    /**
     * Kinds of modification that {@code allowUpdateOrDelete} can be asked about,
     * each paired with the {@link Permissions.Right} that group permissions must
     * grant for it. Only {@link #ANNOTATE} uses its own right; every other scope
     * is checked against {@code WRITE}.
     * <p>
     * NOTE(review): the decompiler comment above this enum records that it was
     * declared private originally; within this file only BasicACLVoter uses it.
     */
    public enum Scope {
        ANNOTATE(Permissions.Right.ANNOTATE),
        DELETE(Permissions.Right.WRITE),
        EDIT(Permissions.Right.WRITE),
        LINK(Permissions.Right.WRITE),
        CHGRP(Permissions.Right.WRITE),
        CHOWN(Permissions.Right.WRITE);

        /** Right looked up in the group permissions when this scope is evaluated. */
        final Permissions.Right right;

        Scope(Permissions.Right requiredRight) {
            this.right = requiredRight;
        }
    }

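    /**
     * Creates a voter with a {@link DefaultPolicyService} and a default
     * {@link Roles}. No session provider is configured and the database is
     * treated as read-write.
     */
    public BasicACLVoter(CurrentDetails currentDetails, SystemTypes systemTypes, TokenHolder tokenHolder, SecurityFilter securityFilter) {
        this(currentDetails, systemTypes, tokenHolder, securityFilter, new DefaultPolicyService(), new Roles());
    }

    /**
     * Creates a voter with a {@link DefaultPolicyService} and a default
     * {@link Roles}, using the given session provider and read-only status.
     */
    public BasicACLVoter(CurrentDetails currentDetails, SystemTypes systemTypes, TokenHolder tokenHolder, SecurityFilter securityFilter, SessionProvider sessionProvider, ReadOnlyStatus readOnlyStatus) {
        this(currentDetails, systemTypes, tokenHolder, securityFilter, new DefaultPolicyService(), new Roles(), sessionProvider, readOnlyStatus);
    }

    /**
     * Creates a voter with the given policy service and a default {@link Roles}.
     *
     * @deprecated use the constructor that also takes a {@link Roles} argument.
     */
    @Deprecated
    public BasicACLVoter(CurrentDetails currentDetails, SystemTypes systemTypes, TokenHolder tokenHolder, SecurityFilter securityFilter, PolicyService policyService) {
        this(currentDetails, systemTypes, tokenHolder, securityFilter, policyService, new Roles());
    }

    /**
     * Creates a voter without a session provider, assuming a read-write database.
     * <p>
     * The repository UUID sets start empty and the file-repository key is a
     * fresh random UUID that is not handed to the caller. Because the session
     * provider is {@code null}, {@code allowLoad} cannot resolve
     * {@code ome.model.meta.Session} objects on a voter built this way.
     */
    public BasicACLVoter(CurrentDetails currentDetails, SystemTypes systemTypes, TokenHolder tokenHolder, SecurityFilter securityFilter, PolicyService policyService, Roles roles) {
        this(currentDetails, systemTypes, tokenHolder, securityFilter, policyService, roles, new LightAdminPrivileges(roles), null, new ReadOnlyStatus(false, false), new HashSet<String>(), new HashSet<String>(), UUID.randomUUID().toString());
        log.info("assuming read-write repository");
    }

    /**
     * Creates a voter with the given session provider and read-only status.
     * <p>
     * The repository UUID sets start empty and the file-repository key is a
     * fresh random UUID that is not handed to the caller.
     */
    public BasicACLVoter(CurrentDetails currentDetails, SystemTypes systemTypes, TokenHolder tokenHolder, SecurityFilter securityFilter, PolicyService policyService, Roles roles, SessionProvider sessionProvider, ReadOnlyStatus readOnlyStatus) {
        this(currentDetails, systemTypes, tokenHolder, securityFilter, policyService, roles, new LightAdminPrivileges(roles), sessionProvider, readOnlyStatus, new HashSet<String>(), new HashSet<String>(), UUID.randomUUID().toString());
    }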

    /**
     * Fully-specified constructor; every other constructor delegates here.
     *
     * @param set  UUIDs of managed repositories (stored by reference)
     * @param set2 UUIDs of script repositories (stored by reference)
     * @param str  prefix that {@code allowCreation} requires on the name of an
     *             {@link OriginalFile} whose repo property is already set
     */
    public BasicACLVoter(CurrentDetails currentDetails, SystemTypes systemTypes, TokenHolder tokenHolder, SecurityFilter securityFilter, PolicyService policyService, Roles roles, LightAdminPrivileges lightAdminPrivileges, SessionProvider sessionProvider, ReadOnlyStatus readOnlyStatus, Set<String> set, Set<String> set2, String str) {
        // Collaborators that answer questions about the current call context.
        this.currentUser = currentDetails;
        this.sysTypes = systemTypes;
        this.tokenHolder = tokenHolder;
        this.securityFilter = securityFilter;
        this.policyService = policyService;
        this.sessionProvider = sessionProvider;

        // Role ids and light-administrator privilege lookup.
        this.roles = roles;
        this.adminPrivileges = lightAdminPrivileges;

        // Repository configuration.
        this.managedRepoUuids = set;
        this.scriptRepoUuids = set2;
        this.fileRepoSecretKey = str;

        // The read-only flag is sampled once here and not refreshed afterwards.
        this.isReadOnlyDb = readOnlyStatus.isReadOnlyDb();

        // Empty sets mean "no class filter" until setPermittedClasses is called.
        this.chgrpPermittedClasses = Collections.emptySet();
        this.chownPermittedClasses = Collections.emptySet();
    }

    /**
     * Decides whether the current user may change the permissions of an object.
     * <p>
     * Always refused on a read-only database. The object's owner and the leaders
     * of its group (for an {@link ExperimenterGroup}, of that group itself) are
     * allowed. Anyone else must be an administrator holding the light-admin
     * privilege that matches the kind of object.
     *
     * @throws ApiUsageException if {@code iObject} is null
     */
    @Override // ome.security.ACLVoter
    public boolean allowChmod(IObject iObject) {
        if (iObject == null) {
            throw new ApiUsageException("Object can't be null");
        }
        if (this.isReadOnlyDb) {
            return false;
        }

        final Long ownerId = HibernateUtils.nullSafeOwnerId(iObject);
        final Long groupId;
        if (iObject instanceof ExperimenterGroup) {
            // A group is its own "group" for the leadership test.
            groupId = iObject.getId();
        } else {
            groupId = HibernateUtils.nullSafeGroupId(iObject);
        }

        final EventContext ctx = this.currentUser.getCurrentEventContext();
        final boolean ownsObject = ctx.getCurrentUserId().equals(ownerId);
        if (ownsObject || ctx.getLeaderOfGroupsList().contains(groupId)) {
            return true;
        }
        if (!ctx.isCurrentUserAdmin()) {
            return false;
        }

        // From here on the caller is an administrator; pick the privilege that
        // covers this kind of object and require it.
        final Set<?> granted = ctx.getCurrentAdminPrivileges();
        final String required;
        if (this.sysTypes.isSystemType(iObject.getClass())) {
            if (iObject instanceof Experimenter) {
                required = "ModifyUser";
            } else if (iObject instanceof ExperimenterGroup) {
                required = "ModifyGroup";
            } else if (iObject instanceof GroupExperimenterMap) {
                required = "ModifyGroupMembership";
            } else {
                // Other system types need no specific privilege beyond being an admin.
                return true;
            }
        } else if (iObject instanceof OriginalFile) {
            final String repo = ((OriginalFile) iObject).getRepo();
            if (repo != null && this.managedRepoUuids.contains(repo)) {
                required = "WriteManagedRepo";
            } else if (repo != null && this.scriptRepoUuids.contains(repo)) {
                required = "WriteScriptRepo";
            } else {
                required = "WriteFile";
            }
        } else {
            required = "WriteOwned";
        }
        return granted.contains(this.adminPrivileges.getPrivilege(required));
    }

    /**
     * Decides whether the current user may read an object of the given class.
     * <p>
     * Session objects are readable when the acting user (sudoer if present,
     * otherwise owner) of the current session equals that of the requested
     * session, or when the caller holds the {@code ReadSession} privilege.
     * Other objects are readable when they have no details, are system types,
     * belong to the system or user group, or pass the security filter.
     * <p>
     * Side effect: when the current group id is negative and the object's group
     * carries permissions, those permissions are recorded in the event context.
     *
     * @param session Hibernate session used for lookups
     * @param cls     class of the object being loaded, never null
     * @param details details of the object, may be null
     * @param j       id of the object being loaded
     */
    @Override // ome.security.ACLVoter
    public boolean allowLoad(Session session, Class<? extends IObject> cls, Details details, long j) {
        Assert.notNull(cls);
        final EventContext ctx = this.currentUser.current();

        if (cls == ome.model.meta.Session.class) {
            // NOTE(review): sessionProvider is null when the voter was built through a
            // constructor that does not supply one; this branch then fails with a
            // NullPointerException rather than a clean refusal.
            final Experimenter caller = actingUserOf(this.sessionProvider.findSessionById(ctx.getCurrentSessionId().longValue(), session));
            final Experimenter target = actingUserOf(this.sessionProvider.findSessionById(j, session));
            if (caller.getId().equals(target.getId())) {
                return true;
            }
            return ctx.getCurrentAdminPrivileges().contains(this.adminPrivileges.getPrivilege("ReadSession"));
        }

        // NOTE(review): a null Details is treated as readable (fail-open); callers
        // must not pass null for objects that need protection.
        if (details == null || this.sysTypes.isSystemType(cls)) {
            return true;
        }

        final boolean readable = this.sysTypes.isInSystemGroup(details)
                || this.sysTypes.isInUserGroup(details)
                || this.securityFilter.passesFilter(session, details, ctx);

        // presumably a negative group id marks a context that spans groups — confirm
        if (ctx.getCurrentGroupId().longValue() < 0) {
            final ExperimenterGroup group = details.getGroup();
            if (group == null) {
                log.warn(String.format("Group null while loading %s:%s", cls.getName(), Long.valueOf(j)));
            } else {
                final Long groupId = group.getId();
                final Permissions groupPermissions = group.getDetails().getPermissions();
                if (groupPermissions != null) {
                    ctx.setPermissionsForGroup(groupId, groupPermissions);
                } else {
                    log.warn(String.format("Permissions null for group %s while loading %s:%s", groupId, cls.getName(), Long.valueOf(j)));
                }
            }
        }
        return readable;
    }

    /** Returns the session's sudoer when one is recorded, otherwise its owner. */
    private static Experimenter actingUserOf(ome.model.meta.Session sessionRecord) {
        final Experimenter sudoer = sessionRecord.getSudoer();
        if (sudoer != null) {
            return sudoer;
        }
        return sessionRecord.getOwner();
    }

    /**
     * Always throws a {@link SecurityViolation} saying the object cannot be read.
     * The message embeds the object's string form.
     */
    @Override // ome.security.ACLVoter
    public void throwLoadViolation(IObject iObject) throws SecurityViolation {
        Assert.notNull(iObject);
        final String message = "Cannot read " + iObject;
        throw new SecurityViolation(message);
    }

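    /**
     * Decides whether the current user may create the given object.
     * <p>
     * Always refused on a read-only database; always allowed for objects that
     * carry a privileged token. For ordinary (non-system) types the guest user
     * is refused, and an {@link OriginalFile} whose repo property is already set
     * is accepted only when its name starts with the configured file-repository
     * key. System types require an administrator and, for users, groups and
     * group memberships, the matching light-admin privilege.
     *
     * @param iObject object about to be created, never null
     * @return true when creation is permitted
     */
    @Override // ome.security.ACLVoter
    public boolean allowCreation(IObject iObject) {
        Assert.notNull(iObject);
        if (this.isReadOnlyDb) {
            return false;
        }
        boolean isSystemType = this.sysTypes.isSystemType(iObject.getClass());
        EventContext currentEventContext = this.currentUser.getCurrentEventContext();
        if (this.tokenHolder.hasPrivilegedToken(iObject)) {
            return true;
        }
        if (!isSystemType) {
            if (currentEventContext.getCurrentUserId().longValue() == this.roles.getGuestId()) {
                return false;
            }
            if (!(iObject instanceof OriginalFile)) {
                return true;
            }
            OriginalFile originalFile = (OriginalFile) iObject;
            if (originalFile.getRepo() == null) {
                return true;
            }
            // The repo property is set, so the name must carry the key as its prefix.
            // A missing name is refused here instead of surfacing as a
            // NullPointerException in the middle of an access decision.
            // NOTE(review): startsWith is not a constant-time comparison; acceptable
            // only if the timing of this check is not observable by callers — confirm.
            String name = originalFile.getName();
            return name != null && name.startsWith(this.fileRepoSecretKey);
        }
        if (!currentEventContext.isCurrentUserAdmin()) {
            return false;
        }
        Set<?> currentAdminPrivileges = currentEventContext.getCurrentAdminPrivileges();
        if (iObject instanceof Experimenter) {
            return currentAdminPrivileges.contains(this.adminPrivileges.getPrivilege("ModifyUser"));
        }
        if (iObject instanceof ExperimenterGroup) {
            return currentAdminPrivileges.contains(this.adminPrivileges.getPrivilege("ModifyGroup"));
        }
        if (iObject instanceof GroupExperimenterMap) {
            return currentAdminPrivileges.contains(this.adminPrivileges.getPrivilege("ModifyGroupMembership"));
        }
        // Other system types need no specific privilege beyond being an admin.
        return true;
    }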

    /**
     * Always throws; picks the exception and message that best explain why the
     * object could not be created. Checked in order: system type, file with a
     * repo property set, group-security (graph-critical) violation, and finally
     * a generic refusal.
     */
    @Override // ome.security.ACLVoter
    public void throwCreationViolation(IObject iObject) throws SecurityViolation {
        Assert.notNull(iObject);
        final boolean systemType = this.sysTypes.isSystemType(iObject.getClass());
        if (systemType) {
            throw new SecurityViolation(iObject + " is a System-type, and may be created only through privileged APIs.");
        }
        if (iObject instanceof OriginalFile) {
            final OriginalFile file = (OriginalFile) iObject;
            if (file.getRepo() != null) {
                throw new SecurityViolation("cannot set repo property of " + iObject + " via ORM");
            }
        }
        if (this.currentUser.isGraphCritical(iObject.getDetails())) {
            throw new GroupSecurityViolation(iObject + "-insertion violates group-security.");
        }
        throw new SecurityViolation("not permitted to create " + iObject);
    }

    /**
     * Returns true when the current user may annotate the object, i.e. when the
     * single-scope check for {@code Scope.ANNOTATE} reports exactly bit 0.
     */
    @Override // ome.security.ACLVoter
    public boolean allowAnnotate(IObject iObject, Details details) {
        final int grantedBits = allowUpdateOrDelete(this.currentUser.current(), iObject, details, Scope.ANNOTATE);
        return grantedBits == 1;
    }

    /**
     * Returns true when the current user may edit the object, i.e. when the
     * single-scope check for {@code Scope.EDIT} reports exactly bit 0.
     */
    @Override // ome.security.ACLVoter
    public boolean allowUpdate(IObject iObject, Details details) {
        final int grantedBits = allowUpdateOrDelete(this.currentUser.current(), iObject, details, Scope.EDIT);
        return grantedBits == 1;
    }

    /**
     * Always throws. A non-system object whose details are graph-critical yields
     * a {@link GroupSecurityViolation}; everything else a plain
     * {@link SecurityViolation}.
     */
    @Override // ome.security.ACLVoter
    public void throwUpdateViolation(IObject iObject) throws SecurityViolation {
        Assert.notNull(iObject);
        final boolean systemType = this.sysTypes.isSystemType(iObject.getClass());
        if (systemType || !this.currentUser.isGraphCritical(iObject.getDetails())) {
            throw new SecurityViolation("Updating " + iObject + " not allowed.");
        }
        throw new GroupSecurityViolation(iObject + "-modification violates group-security.");
    }

    /**
     * Returns true when the current user may delete the object, i.e. when the
     * single-scope check for {@code Scope.DELETE} reports exactly bit 0.
     */
    @Override // ome.security.ACLVoter
    public boolean allowDelete(IObject iObject, Details details) {
        final int grantedBits = allowUpdateOrDelete(this.currentUser.current(), iObject, details, Scope.DELETE);
        return grantedBits == 1;
    }

    /**
     * Always throws a {@link SecurityViolation} saying the object cannot be
     * deleted. The message embeds the object's string form.
     */
    @Override // ome.security.ACLVoter
    public void throwDeleteViolation(IObject iObject) throws SecurityViolation {
        Assert.notNull(iObject);
        final String message = "Deleting " + iObject + " not allowed.";
        throw new SecurityViolation(message);
    }

    /** Returns true when {@code l} is non-null and equals the current user's id. */
    boolean owner(Long l, EventContext eventContext) {
        if (l == null) {
            return false;
        }
        return l.equals(eventContext.getCurrentUserId());
    }

    /**
     * Returns true when the details name an owner whose id equals the current
     * user's id; a missing owner or owner id counts as "not the owner".
     */
    boolean owner(Details details, EventContext eventContext) {
        if (details.getOwner() == null) {
            return false;
        }
        final Long ownerId = details.getOwner().getId();
        if (ownerId == null) {
            return false;
        }
        return ownerId.equals(eventContext.getCurrentUserId());
    }

    /** Returns true when {@code l} is non-null and the current user is a member of that group. */
    boolean member(Long l, EventContext eventContext) {
        if (l == null) {
            return false;
        }
        return eventContext.getMemberOfGroupsList().contains(l);
    }

    /**
     * Returns true when the current user is a member of the group named in the
     * details; details without a group never match.
     */
    boolean member(Details details, EventContext eventContext) {
        Long groupId = null;
        if (details.getGroup() != null) {
            groupId = details.getGroup().getId();
        }
        return member(groupId, eventContext);
    }

    /** Returns true when {@code l} is non-null and the current user leads that group. */
    boolean leader(Long l, EventContext eventContext) {
        if (l == null) {
            return false;
        }
        return eventContext.getLeaderOfGroupsList().contains(l);
    }

    /**
     * Returns true when the current user leads the group named in the details;
     * details without a group never match.
     */
    boolean leader(Details details, EventContext eventContext) {
        Long groupId = null;
        if (details.getGroup() != null) {
            groupId = details.getGroup().getId();
        }
        return leader(groupId, eventContext);
    }

    /**
     * Core write-access decision shared by annotate, update, delete and
     * {@code postProcess}.
     * <p>
     * Evaluates every scope in {@code scopeArr} against the object and returns a
     * bitmask in which bit {@code n} is set when {@code scopeArr[n]} is
     * permitted. Entries of {@code scopeArr} may be overwritten with null while
     * the method runs, so callers must not reuse an array they pass in.
     *
     * @param basicEventContext context of the current call (user, groups, privileges)
     * @param iObject           object being modified, never null
     * @param details           trusted details of the object, never null
     * @param scopeArr          scopes to evaluate, in bit order
     * @return bitmask of permitted scopes; 0 on a read-only database or for the
     *         guest user on non-system types
     * @throws IllegalArgumentException if {@code iObject} is null
     * @throws InternalException        if {@code details} is null
     */
    private int allowUpdateOrDelete(BasicEventContext basicEventContext, IObject iObject, Details details, Scope... scopeArr) {
        int i = 0;
        if (iObject == null) {
            throw new IllegalArgumentException("null object");
        }
        // Fail closed: nothing may be modified while the database is read-only.
        if (this.isReadOnlyDb) {
            return 0;
        }
        if (details == null) {
            throw new InternalException("trustedDetails are null!");
        }
        boolean isSystemType = this.sysTypes.isSystemType(iObject.getClass());
        // z: the object is a system type or lives in the user group.
        boolean z = isSystemType || this.sysTypes.isInUserGroup(details);
        // NOTE(review): a privileged token returns the literal 1, i.e. only bit 0,
        // however many scopes were passed. The single-scope callers read that as
        // "allowed"; postProcess passes four scopes and would see only its first
        // scope flagged — confirm this is intended.
        if (this.tokenHolder.hasPrivilegedToken(iObject)) {
            return 1;
        }
        // For graph-critical details outside the system/user groups, LINK and
        // ANNOTATE are dropped (entry set to null) unless the object belongs to the
        // current user. The ownership lookup is done at most once (cached in bool).
        if (!z && this.currentUser.isGraphCritical(details)) {
            Boolean bool = null;
            Long currentUserId = basicEventContext.getCurrentUserId();
            for (int i2 = 0; i2 < scopeArr.length; i2++) {
                if (scopeArr[i2].equals(Scope.LINK) || scopeArr[i2].equals(Scope.ANNOTATE)) {
                    if (bool == null) {
                        bool = Boolean.valueOf(objectBelongsToUser(iObject, currentUserId));
                    }
                    if (!bool.booleanValue()) {
                        scopeArr[i2] = null;
                    }
                }
            }
        }
        Set currentAdminPrivileges = basicEventContext.getCurrentAdminPrivileges();
        // A caller holding every light-admin privilege is granted each scope that
        // was not dropped above; group permissions are not consulted.
        if (LightAdminPrivileges.getAllPrivileges().equals(currentAdminPrivileges)) {
            for (int i3 = 0; i3 < scopeArr.length; i3++) {
                if (scopeArr[i3] != null) {
                    i |= 1 << i3;
                }
            }
            return i;
        }
        // z2: the object is an OriginalFile whose mimetype is "Directory".
        boolean z2 = (iObject instanceof OriginalFile) && "Directory".equals(((OriginalFile) iObject).getMimetype());
        // Resolve the permissions to evaluate against. Non-directory objects in the
        // user group are evaluated as PRIVATE; otherwise the permissions recorded
        // in the event context for the object's group are used.
        Permissions permissions = null;
        if (details.getGroup() != null) {
            Long id = details.getGroup().getId();
            permissions = (z2 || this.roles.getUserGroupId() != id.longValue()) ? basicEventContext.getPermissionsForGroup(id) : new Permissions(Permissions.PRIVATE);
        }
        // Fall back to the current group's permissions unless the current group is
        // the user group.
        if (permissions == null && this.roles.getUserGroupId() != basicEventContext.getCurrentGroupId().longValue()) {
            permissions = basicEventContext.getCurrentGroupPermissions();
        }
        // Still nothing, or the DUMMY instance (identity comparison): use EMPTY.
        if (permissions == null || permissions == Permissions.DUMMY) {
            permissions = new Permissions(Permissions.EMPTY);
        }
        boolean owner = owner(details, (EventContext) basicEventContext);
        boolean leader = leader(details, (EventContext) basicEventContext);
        boolean member = member(details, (EventContext) basicEventContext);
        for (int i4 = 0; i4 < scopeArr.length; i4++) {
            Scope scope = scopeArr[i4];
            if (scope != null) {
                // z3: a light-admin privilege held by the caller covers this scope.
                boolean z3 = false;
                if (!isSystemType) {
                    // The guest user is refused every scope on non-system types.
                    if (basicEventContext.getCurrentUserId().longValue() == this.roles.getGuestId()) {
                        return 0;
                    }
                    if (iObject instanceof OriginalFile) {
                        // Files: the privilege depends on the repository the file is in
                        // and on whether the scope is DELETE (Delete...) or not (Write...).
                        String repo = ((OriginalFile) iObject).getRepo();
                        if (repo == null) {
                            if (currentAdminPrivileges.contains(this.adminPrivileges.getPrivilege(scope == Scope.DELETE ? "DeleteFile" : "WriteFile"))) {
                                z3 = true;
                            }
                        } else if (this.managedRepoUuids.contains(repo)) {
                            if (currentAdminPrivileges.contains(this.adminPrivileges.getPrivilege(scope == Scope.DELETE ? "DeleteManagedRepo" : "WriteManagedRepo"))) {
                                z3 = true;
                            }
                        } else if (this.scriptRepoUuids.contains(repo)) {
                            if (currentAdminPrivileges.contains(this.adminPrivileges.getPrivilege(scope == Scope.DELETE ? "DeleteScriptRepo" : "WriteScriptRepo"))) {
                                z3 = true;
                            }
                        } else if (currentAdminPrivileges.contains(this.adminPrivileges.getPrivilege(scope == Scope.DELETE ? "DeleteFile" : "WriteFile"))) {
                            z3 = true;
                        }
                    } else if (currentAdminPrivileges.contains(this.adminPrivileges.getPrivilege(scope == Scope.DELETE ? "DeleteOwned" : "WriteOwned"))) {
                        z3 = true;
                    }
                } else if (iObject instanceof Experimenter) {
                    if (currentAdminPrivileges.contains(this.adminPrivileges.getPrivilege("ModifyUser"))) {
                        z3 = true;
                    }
                } else if (iObject instanceof ExperimenterGroup) {
                    if (currentAdminPrivileges.contains(this.adminPrivileges.getPrivilege("ModifyGroup"))) {
                        z3 = true;
                    }
                } else if (iObject instanceof GroupExperimenterMap) {
                    if (currentAdminPrivileges.contains(this.adminPrivileges.getPrivilege("ModifyGroupMembership"))) {
                        z3 = true;
                    }
                } else if (basicEventContext.isCurrentUserAdmin()) {
                    // Remaining system types: being an administrator is sufficient.
                    z3 = true;
                }
                // z4: this scope is LINK or ANNOTATE.
                boolean z4 = scopeArr[i4].equals(Scope.LINK) || scopeArr[i4].equals(Scope.ANNOTATE);
                if (z3) {
                    i |= 1 << i4;
                } else if (isSystemType) {
                    // Without the privilege, system types allow only LINK and ANNOTATE.
                    if (z4) {
                        i |= 1 << i4;
                    }
                } else if (leader) {
                    // Leaders of the object's group are granted every scope.
                    i |= 1 << i4;
                } else {
                    // permissions was replaced with EMPTY above when it was null, so this
                    // guard cannot fire as the code stands; it remains as a fail-closed check.
                    if (permissions == null) {
                        throw new InternalException("Permissions are null! Security system failure -- refusing to continue. The Permissions should be set to a default value.");
                    }
                    // Ordinary permission check: world, then owner, then group member.
                    if (permissions.isGranted(Permissions.Role.WORLD, scope.right)) {
                        i |= 1 << i4;
                    } else if (owner && permissions.isGranted(Permissions.Role.USER, scope.right)) {
                        i |= 1 << i4;
                    } else if (member && permissions.isGranted(Permissions.Role.GROUP, scope.right)) {
                        i |= 1 << i4;
                    } else if (z4 && (this.sysTypes.isInSystemGroup(details) || (this.sysTypes.isInUserGroup(details) && !z2))) {
                        // LINK/ANNOTATE is also allowed on objects in the system group, and
                        // on non-directory objects in the user group.
                        i |= 1 << i4;
                    }
                }
            }
        }
        return i;
    }

    /** Returns the active policy restrictions that the policy service lists for the object. */
    @Override // ome.security.ACLVoter
    public Set<String> restrictions(IObject iObject) {
        final Set<String> active = this.policyService.listActiveRestrictions(iObject);
        return active;
    }

    /**
     * Installs the class filters used when computing the chgrp and chown bits.
     * <p>
     * The set under key 4 becomes the chgrp filter and the set under key 5 the
     * chown filter; a missing or empty set leaves the existing filter in place.
     * The sets are stored by reference, so later changes made by the caller
     * affect the filter.
     * presumably the keys are the bit positions of the masks 16 and 32 used in
     * addChgrpChownRestrictionBits — confirm.
     */
    @Override // ome.security.ACLVoter
    public void setPermittedClasses(Map<Integer, Set<Class<? extends IObject>>> map) {
        final Set<Class<? extends IObject>> chgrpClasses = map.get(4);
        final Set<Class<? extends IObject>> chownClasses = map.get(5);
        final boolean replaceChgrp = CollectionUtils.isNotEmpty(chgrpClasses);
        if (replaceChgrp) {
            this.chgrpPermittedClasses = chgrpClasses;
        }
        final boolean replaceChown = CollectionUtils.isNotEmpty(chownClasses);
        if (replaceChown) {
            this.chownPermittedClasses = chownClasses;
        }
    }

    /**
     * Adds the chgrp (16) and chown (32) bits to a scope bitmask.
     * <p>
     * The chgrp bit is set for callers holding the {@code Chgrp} privilege or
     * owning the object; the chown bit for callers holding the {@code Chown}
     * privilege or leading the object's group. A bit is cleared again when the
     * matching permitted-class filter is non-empty and no class in it is
     * assignable from {@code cls}. On a read-only database the mask is returned
     * unchanged.
     *
     * @param cls     class of the object
     * @param details details of the object
     * @param i       bitmask to extend
     * @return the extended bitmask
     */
    private int addChgrpChownRestrictionBits(Class<? extends IObject> cls, Details details, int i) {
        if (this.isReadOnlyDb) {
            return i;
        }
        final int chgrpBit = 16;
        final int chownBit = 32;

        final EventContext ctx = this.currentUser.getCurrentEventContext();
        final Set<?> privileges = ctx.getCurrentAdminPrivileges();
        final boolean hasChgrpPrivilege = privileges.contains(this.adminPrivileges.getPrivilege("Chgrp"));
        final boolean hasChownPrivilege = privileges.contains(this.adminPrivileges.getPrivilege("Chown"));

        int bits = i;
        if (hasChgrpPrivilege || (details.getOwner() != null && ctx.getCurrentUserId().equals(details.getOwner().getId()))) {
            bits |= chgrpBit;
        }
        if (hasChownPrivilege || (details.getGroup() != null && ctx.getLeaderOfGroupsList().contains(details.getGroup().getId()))) {
            bits |= chownBit;
        }

        // An empty filter means every class is permitted.
        if ((bits & chgrpBit) > 0 && !this.chgrpPermittedClasses.isEmpty()) {
            if (!isAssignableToAny(this.chgrpPermittedClasses, cls)) {
                bits &= ~chgrpBit;
            }
        }
        if ((bits & chownBit) > 0 && !this.chownPermittedClasses.isEmpty()) {
            if (!isAssignableToAny(this.chownPermittedClasses, cls)) {
                bits &= ~chownBit;
            }
        }
        return bits;
    }

    /** Returns true when some class in {@code permitted} is {@code cls} or a supertype of it. */
    private static boolean isAssignableToAny(Set<Class<? extends IObject>> permitted, Class<? extends IObject> cls) {
        for (Class<? extends IObject> candidate : permitted) {
            if (candidate.isAssignableFrom(cls)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Stamps a loaded object with the restrictions that apply to the current
     * user.
     * <p>
     * Unloaded objects are skipped. A {@link PermDetails} wrapper is replaced by
     * its internal context first. The current context is applied to the object's
     * details, the LINK / EDIT / DELETE / ANNOTATE scopes and the chgrp / chown
     * bits are evaluated, and the details receive a copy of their permissions
     * carrying those bits plus the active policy restrictions.
     */
    @Override // ome.security.ACLVoter
    public void postProcess(IObject iObject) {
        if (!iObject.isLoaded()) {
            return;
        }
        IObject target = iObject;
        if (target instanceof PermDetails) {
            target = ((PermDetails) target).getInternalContext();
            if (!target.isLoaded()) {
                return;
            }
        }

        final Details details = target.getDetails();
        // The second argument is false only for ExperimenterGroup objects.
        this.currentUser.applyContext(details, !(target instanceof ExperimenterGroup));
        final BasicEventContext ctx = this.currentUser.current();
        final Permissions original = details.getPermissions();

        // The scope order fixes the bit positions: LINK=0, EDIT=1, DELETE=2, ANNOTATE=3.
        final int scopeBits = allowUpdateOrDelete(ctx, target, details, Scope.LINK, Scope.EDIT, Scope.DELETE, Scope.ANNOTATE);
        final int allBits = addChgrpChownRestrictionBits(target.getClass(), details, scopeBits);

        // Work on a copy so the Permissions instance read above is left untouched.
        final Permissions withRestrictions = new Permissions(original);
        withRestrictions.copyRestrictions(allBits, restrictions(target));
        details.setPermissions(withRestrictions);
    }

    /**
     * Tells whether the object is owned by the user with id {@code l}.
     * <p>
     * An object with no owner and no id is treated as belonging to the user
     * (presumably because it has not been saved yet — confirm). An object that
     * has an id but no owner is reported as an error.
     *
     * @throws NullPointerException if the object has an id but no owner
     */
    private boolean objectBelongsToUser(IObject iObject, Long l) {
        final Experimenter owner = iObject.getDetails().getOwner();
        if (owner == null) {
            if (iObject.getId() != null) {
                throw new NullPointerException("Null owner for " + iObject);
            }
            return true;
        }
        return l.equals(owner.getId());
    }
}
