package org.nuiton.wikitty.services;

import com.arjuna.ats.arjuna.tools.log.LogConsole;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.nuiton.i18n.I18n;
import org.nuiton.util.ApplicationConfig;
import org.nuiton.util.TimeLog;
import org.nuiton.wikitty.WikittyConfigOption;
import org.nuiton.wikitty.WikittyService;
import org.nuiton.wikitty.WikittyUtil;
import org.nuiton.wikitty.entities.Wikitty;
import org.nuiton.wikitty.entities.WikittyAuthorisation;
import org.nuiton.wikitty.entities.WikittyAuthorisationHelper;
import org.nuiton.wikitty.entities.WikittyExtension;
import org.nuiton.wikitty.entities.WikittyGroup;
import org.nuiton.wikitty.entities.WikittyGroupHelper;
import org.nuiton.wikitty.entities.WikittyImpl;
import org.nuiton.wikitty.entities.WikittyMetaExtensionUtil;
import org.nuiton.wikitty.entities.WikittyTokenHelper;
import org.nuiton.wikitty.entities.WikittyTreeNode;
import org.nuiton.wikitty.entities.WikittyUser;
import org.nuiton.wikitty.entities.WikittyUserHelper;
import org.nuiton.wikitty.search.Search;
import org.nuiton.wikitty.services.WikittyEvent;

/* loaded from: input_file:WEB-INF/lib/wikitty-api-3.2.jar:org/nuiton/wikitty/services/WikittyServiceSecurity.class */
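/**
 * Authorisation layer placed in front of another {@link WikittyService}.
 *
 * <p>Each overridden operation resolves the caller from the security token,
 * checks the rights recorded on the targeted wikitties (reader / writer /
 * admin / owner fields of the {@code WikittyAuthorisation} extension, plus the
 * {@code WikittyAppAdmin} group) and only then forwards to
 * {@link #getDelegate()}.
 *
 * <p>Across this class the first {@code String} parameter ({@code str}) is the
 * security token returned by {@link #login(String, String)}; {@code null}
 * means an anonymous caller. In the protected helpers the second
 * {@code String} ({@code str2}) is the user id resolved from that token.
 *
 * <p>Security properties a maintainer should keep in mind:
 * <ul>
 * <li>{@link #isAppAdmin(String, String)} answers {@code true} for everybody
 * while no {@code WikittyAppAdmin} group exists (fail-open bootstrap).</li>
 * <li>A wikitty that does not carry the {@code WikittyAuthorisation} extension
 * is readable and writable by everybody.</li>
 * <li>All rights lookups go to the delegate directly, so they are not
 * themselves subject to the checks implemented here.</li>
 * </ul>
 */
public class WikittyServiceSecurity extends WikittyServiceDelegator {
    private static final Log log = LogFactory.getLog(WikittyServiceSecurity.class);
    // Shared by every instance: the thresholds set by the most recently
    // constructed instance apply to all of them.
    private static final TimeLog timeLog = new TimeLog((Class<?>) WikittyServiceSecurity.class);

    /** Cached id of the {@code WikittyAppAdmin} group; {@code null} until first resolved. */
    protected transient String appAdminGroupId;

    /**
     * Wraps {@code wikittyService} with authorisation checks.
     *
     * @param applicationConfig optional configuration; when non-null it provides
     *        the info/warn thresholds of the timing log
     * @param wikittyService the service every authorised call is forwarded to
     */
    public WikittyServiceSecurity(ApplicationConfig applicationConfig, WikittyService wikittyService) {
        super(wikittyService);
        this.appAdminGroupId = null;
        if (applicationConfig != null) {
            long timeToLogInfo = applicationConfig.getOptionAsInt(WikittyConfigOption.WIKITTY_SECURITY_TIME_TO_LOG_INFO.getKey());
            long timeToLogWarn = applicationConfig.getOptionAsInt(WikittyConfigOption.WIKITTY_SECURITY_TIME_TO_LOG_WARN.getKey());
            timeLog.setTimeToLogInfo(timeToLogInfo);
            timeLog.setTimeToLogWarn(timeToLogWarn);
        }
    }

    /** Registers a listener on the delegate; no authorisation check is applied. */
    @Override
    public void addWikittyServiceListener(WikittyListener wikittyListener, WikittyService.ServiceListenerType serviceListenerType) {
        getDelegate().addWikittyServiceListener(wikittyListener, serviceListenerType);
    }

    /** Unregisters a listener from the delegate; no authorisation check is applied. */
    @Override
    public void removeWikittyServiceListener(WikittyListener wikittyListener, WikittyService.ServiceListenerType serviceListenerType) {
        // Fixed: this used to call addWikittyServiceListener, so a listener could
        // never be detached and was registered a second time instead.
        getDelegate().removeWikittyServiceListener(wikittyListener, serviceListenerType);
    }

    /**
     * Authenticates a user and issues a new security token.
     *
     * <p>The token is stored through the delegate as a wikitty carrying the user
     * id and the creation date.
     *
     * @param str login name
     * @param str2 password supplied by the caller
     * @return the id of the freshly stored token wikitty
     * @throws IllegalArgumentException if no account matches the login
     * @throws SecurityException if the password does not match
     */
    @Override
    public String login(String str, String str2) {
        long time = TimeLog.getTime();
        List<String> matches = getDelegate().findByCriteria(null, Collections.singletonList(Search.query().eq(WikittyUser.FQ_FIELD_WIKITTYUSER_LOGIN, str).criteria()));
        // An empty result is treated like "not found" instead of failing on get(0).
        String accountId = (matches == null || matches.isEmpty()) ? null : matches.get(0);
        if (accountId == null) {
            // NOTE(review): this message and exception type differ from the
            // bad-password case, which lets a caller tell existing logins from
            // unknown ones. Kept because callers may catch the specific types.
            throw new IllegalArgumentException(String.format("no such account '%s'", str));
        }
        Wikitty account = WikittyServiceEnhanced.restore(getDelegate(), null, accountId);
        if (account == null) {
            throw new IllegalArgumentException(String.format("no such account '%s'", str));
        }
        // NOTE(review): the stored value is compared directly with the supplied
        // password, so it is presumably kept in clear text (confirm against
        // WikittyUserHelper); a salted password hash and a constant-time
        // comparison would be the usual hardening.
        String storedPassword = WikittyUserHelper.getPassword(account);
        if (storedPassword == null || !storedPassword.equals(str2)) {
            // A missing stored password is rejected rather than raising a NullPointerException.
            throw new SecurityException("bad password");
        }
        String tokenId = WikittyUtil.genSecurityTokenId();
        WikittyImpl token = new WikittyImpl(tokenId);
        WikittyTokenHelper.addExtension(token);
        WikittyTokenHelper.setUser(token, account.getId());
        WikittyTokenHelper.setDate(token, new Date());
        getDelegate().store(null, Arrays.asList(token), false);
        if (log.isDebugEnabled()) {
            // The token is a bearer credential, so it is deliberately not logged.
            log.debug(String.format("security token issued for login '%s'", str));
        }
        timeLog.log(time, WikittyUser.FIELD_WIKITTYUSER_LOGIN);
        return tokenId;
    }

    /**
     * Invalidates a security token by deleting its wikitty through the delegate.
     *
     * @param str token to invalidate; {@code null} is a no-op
     */
    @Override
    public void logout(String str) {
        long time = TimeLog.getTime();
        if (str != null) {
            getDelegate().delete(str, Arrays.asList(str));
        }
        timeLog.log(time, "logout");
    }

    /**
     * Clears all data; reserved to application administrators.
     *
     * @param str security token
     * @return the event produced by the delegate
     * @throws SecurityException if the caller is not an application administrator
     */
    @Override
    public WikittyEvent clear(String str) {
        String userId = getUserId(str);
        if (isAppAdmin(str, userId)) {
            return getDelegate().clear(str);
        }
        throw new SecurityException(I18n._("user %s can't clear data", userId));
    }

    /**
     * Replays a list of events after checking each of them against the caller's rights.
     *
     * <p>As soon as a clear event is met the caller must be an application
     * administrator; the remaining events are then replayed without further
     * per-event checks.
     *
     * @param str security token
     * @param list events to replay, in order
     * @param z flag forwarded unchanged to the delegate
     * @return the event produced by the delegate
     * @throws SecurityException if one of the events is not permitted
     */
    @Override
    public WikittyEvent replay(String str, List<WikittyEvent> list, boolean z) {
        long time = TimeLog.getTime();
        String userId = getUserId(str);
        for (WikittyEvent event : list) {
            if (event.getType().contains(WikittyEvent.WikittyEventType.CLEAR_WIKITTY) || event.getType().contains(WikittyEvent.WikittyEventType.CLEAR_EXTENSION)) {
                if (!isAppAdmin(str, userId)) {
                    throw new SecurityException(I18n._("user %s can't clear data", userId));
                }
                timeLog.log(time, "replay");
                return getDelegate().replay(str, list, z);
            }
            if (event.getType().contains(WikittyEvent.WikittyEventType.PUT_WIKITTY)) {
                checkStore(str, event.getWikitties().values());
            }
            if (event.getType().contains(WikittyEvent.WikittyEventType.REMOVE_WIKITTY)) {
                checkDelete(str, event.getRemoveDate().keySet());
            }
            if (event.getType().contains(WikittyEvent.WikittyEventType.PUT_EXTENSION)) {
                checkStoreExtension(str, event.getExtensions().values());
            }
            if (event.getType().contains(WikittyEvent.WikittyEventType.REMOVE_EXTENSION)) {
                checkDeleteExtension(str, event.getDeletedExtensions());
            }
        }
        timeLog.log(time, "replay");
        return getDelegate().replay(str, list, z);
    }

    /**
     * Tells whether the caller is anonymous while no admin group exists, or is
     * an application administrator once the group exists.
     *
     * @param str security token ({@code null} for anonymous)
     * @param str2 user id resolved from the token
     */
    protected boolean userIsAnonymousOrAppAdmin(String str, String str2) {
        if (getAppAdminGroup(str) == null) {
            return str == null;
        }
        return isAppAdmin(str, str2);
    }

    /**
     * Stores wikitties after {@link #checkStore(String, Collection)} accepted them.
     *
     * @throws SecurityException if the caller may not store one of the wikitties
     */
    @Override
    public WikittyEvent store(String str, Collection<Wikitty> collection, boolean z) {
        long time = TimeLog.getTime();
        checkStore(str, collection);
        timeLog.log(time, "store");
        return getDelegate().store(str, collection, z);
    }

    /**
     * Verifies that the caller may store every wikitty of the collection.
     *
     * <p>For each non-null wikitty: every extension that the stored version does
     * not have yet requires read access on that extension's authorisation
     * wikitty (when one exists); and, when a stored version exists, every dirty
     * field requires write access on its extension, or admin access when the
     * field belongs to the authorisation extension itself. A wikitty with no
     * stored version gets no field-level check.
     *
     * @param str security token
     * @param collection wikitties about to be stored; null entries are skipped
     * @throws SecurityException on the first refused extension or field
     */
    protected void checkStore(String str, Collection<Wikitty> collection) {
        String userId = getUserId(str);
        for (Wikitty wikitty : collection) {
            if (wikitty == null) {
                continue;
            }
            Wikitty stored = WikittyServiceEnhanced.restore(getDelegate(), str, wikitty.getId());
            List<String> addedExtensions = new ArrayList<String>(wikitty.getExtensionNames());
            if (stored != null) {
                addedExtensions.removeAll(stored.getExtensionNames());
            }
            for (String extensionName : addedExtensions) {
                Wikitty extensionAuthorisation = restoreExtensionAuthorisation(str, extensionName);
                if (extensionAuthorisation != null && !canRead(str, userId, null, extensionAuthorisation)) {
                    // Report the extension name; the authorisation wikitty itself was
                    // formatted here before, which exposed its content in the message.
                    throw new SecurityException(I18n._("user %s can't create instance of extension %s", userId, extensionName));
                }
            }
            if (stored == null) {
                continue;
            }
            for (String fqFieldName : wikitty.getDirty()) {
                String extensionName = WikittyUtil.getExtensionNameFromFQFieldName(fqFieldName);
                if (log.isTraceEnabled()) {
                    log.trace(String.format("will update field %s from extension %s", fqFieldName, extensionName));
                }
                // Changing the access rules themselves requires admin rights.
                boolean touchesAuthorisation = WikittyAuthorisation.EXT_WIKITTYAUTHORISATION.equals(extensionName)
                        || WikittyAuthorisation.EXT_WIKITTYAUTHORISATION.equals(WikittyUtil.getMetaExtensionNameFromFQMetaExtensionName(extensionName));
                boolean allowed = touchesAuthorisation
                        ? canAdmin(str, userId, extensionName, wikitty)
                        : canWrite(str, userId, extensionName, wikitty);
                if (!allowed) {
                    throw new SecurityException(I18n._("user %s can't write field %s on wikitty %s", userId, fqFieldName, wikitty));
                }
            }
        }
    }

    /**
     * Restores wikitties and refuses the whole call if one of them is not readable.
     *
     * @param str security token
     * @param list ids to restore
     * @return the wikitties returned by the delegate
     * @throws SecurityException if the caller may not read one of them
     */
    @Override
    public List<Wikitty> restore(String str, List<String> list) {
        String userId = getUserId(str);
        List<Wikitty> restored = getDelegate().restore(str, list);
        long time = TimeLog.getTime();
        for (Wikitty wikitty : restored) {
            if (wikitty != null) {
                refuseUnauthorizedRead(str, userId, wikitty);
            }
        }
        timeLog.log(time, "restore");
        return restored;
    }

    /**
     * Throws unless the user may read every extension of the wikitty.
     *
     * @param str security token
     * @param str2 user id
     * @param wikitty wikitty to check; {@code null} is accepted and ignored
     * @throws SecurityException on the first unreadable extension
     */
    protected void refuseUnauthorizedRead(String str, String str2, Wikitty wikitty) {
        if (wikitty == null) {
            return;
        }
        for (String extensionName : wikitty.getExtensionNames()) {
            if (!canRead(str, str2, extensionName, wikitty)) {
                // NOTE(review): the wikitty is formatted into the message; if its
                // toString() prints field values this discloses the content that
                // was just refused - confirm.
                throw new SecurityException(I18n._("user %s can't read extension %s on wikitty %s, it may be due to a global policy on the wikitty", str2, extensionName, wikitty));
            }
        }
    }

    /**
     * Tells whether the user may read extension {@code str3} of the wikitty.
     *
     * <p>Access is granted by the per-extension authorisation (reader, or anyone
     * who can write), else by the absence of a wikitty-level authorisation
     * extension, else by the wikitty-level authorisation.
     */
    protected boolean canRead(String str, String str2, String str3, Wikitty wikitty) {
        boolean grantedOnExtension = false;
        if (wikitty.hasMetaExtension(WikittyAuthorisation.EXT_WIKITTYAUTHORISATION, str3)) {
            grantedOnExtension = isReader(str, str2, wikitty, str3) || canWrite(str, str2, str3, wikitty);
        }
        // NOTE(review): a refusal by the per-extension authorisation is overridden
        // when the wikitty has no wikitty-level authorisation extension, so the
        // per-extension rule can only grant, never deny - confirm this is intended.
        if (grantedOnExtension || !wikitty.hasExtension(WikittyAuthorisation.EXT_WIKITTYAUTHORISATION)) {
            return true;
        }
        return isReader(str, str2, wikitty, null) || canWrite(str, str2, str3, wikitty);
    }

    /**
     * Tells whether the user may write extension {@code str3} of the wikitty.
     *
     * <p>Same decision order as {@link #canRead(String, String, String, Wikitty)},
     * with the writer list and admin rights in place of the reader list and
     * write rights.
     */
    protected boolean canWrite(String str, String str2, String str3, Wikitty wikitty) {
        boolean grantedOnExtension = false;
        if (wikitty.hasMetaExtension(WikittyAuthorisation.EXT_WIKITTYAUTHORISATION, str3)) {
            grantedOnExtension = isWriter(str, str2, wikitty, str3) || canAdmin(str, str2, str3, wikitty);
        }
        if (grantedOnExtension || !wikitty.hasExtension(WikittyAuthorisation.EXT_WIKITTYAUTHORISATION)) {
            return true;
        }
        return isWriter(str, str2, wikitty, null) || canAdmin(str, str2, str3, wikitty);
    }

    /**
     * Tells whether the user has admin rights on extension {@code str3} of the
     * wikitty: admin or owner at extension level, admin or owner at wikitty
     * level, or application administrator.
     */
    protected boolean canAdmin(String str, String str2, String str3, Wikitty wikitty) {
        boolean granted = false;
        if (wikitty.hasMetaExtension(WikittyAuthorisation.EXT_WIKITTYAUTHORISATION, str3)) {
            granted = isAdmin(str, str2, wikitty, str3) || isOwner(str, str2, wikitty, str3);
        }
        if (!granted && wikitty.hasExtension(WikittyAuthorisation.EXT_WIKITTYAUTHORISATION)) {
            granted = isAdmin(str, str2, wikitty, null) || isOwner(str, str2, wikitty, null);
        }
        if (!granted) {
            granted = isAppAdmin(str, str2);
        }
        return granted;
    }

    /**
     * Deletes wikitties after {@link #checkDelete(String, Collection)} accepted them.
     *
     * @throws SecurityException if the caller lacks write access on one of them
     */
    @Override
    public WikittyEvent delete(String str, Collection<String> collection) {
        long time = TimeLog.getTime();
        checkDelete(str, collection);
        // LogConsole.delete is presumably just the constant "delete" picked up
        // during decompilation - TODO confirm and replace with the literal.
        timeLog.log(time, LogConsole.delete);
        return getDelegate().delete(str, collection);
    }

    /**
     * Verifies that the caller has write access on every extension of every
     * existing wikitty in the collection.
     *
     * @param str security token
     * @param collection ids about to be deleted; unknown ids are skipped
     * @throws SecurityException on the first refused extension
     */
    public void checkDelete(String str, Collection<String> collection) {
        String userId = getUserId(str);
        for (Wikitty wikitty : getDelegate().restore(str, new ArrayList<String>(collection))) {
            if (wikitty == null) {
                continue;
            }
            for (String extensionName : wikitty.getExtensionNames()) {
                if (!canWrite(str, userId, extensionName, wikitty)) {
                    throw new SecurityException(I18n._("user %s doesn't have rights on extension %s on wikitty %s", userId, extensionName, wikitty));
                }
            }
        }
    }

    /**
     * Tells whether the caller is listed as writer of every extension of the wikitty.
     *
     * <p>NOTE(review): this only consults the writer lists. The enforcement path
     * ({@link #checkStore(String, Collection)}) also accepts admins, owners,
     * application administrators and wikitties without authorisation, so this
     * answer can be {@code false} for an operation that would be accepted.
     */
    @Override
    public boolean canWrite(String str, Wikitty wikitty) {
        String userId = getUserId(str);
        for (String extensionName : wikitty.getExtensionNames()) {
            if (!isWriter(str, userId, wikitty, extensionName)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Tells whether the caller is listed as writer of every extension of the
     * stored wikitty {@code str2}; {@code true} when the wikitty does not exist.
     *
     * <p>NOTE(review): like {@link #canWrite(String, Wikitty)} this is narrower
     * than the rule enforced by {@link #checkDelete(String, Collection)}.
     */
    @Override
    public boolean canDelete(String str, String str2) {
        Wikitty stored = WikittyServiceEnhanced.restore(getDelegate(), str, str2);
        if (stored == null) {
            return true;
        }
        String userId = getUserId(str);
        for (String extensionName : stored.getExtensionNames()) {
            if (!isWriter(str, userId, stored, extensionName)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Tells whether the caller is a reader of every extension of the stored
     * wikitty {@code str2}; {@code true} when the wikitty does not exist.
     */
    @Override
    public boolean canRead(String str, String str2) {
        String userId = getUserId(str);
        Wikitty stored = WikittyServiceEnhanced.restore(getDelegate(), str, str2);
        if (stored == null) {
            // Previously a NullPointerException. Answer as canDelete does and as
            // restore() behaves: an unknown id holds nothing to protect.
            return true;
        }
        for (String extensionName : stored.getExtensionNames()) {
            if (!isReader(str, userId, stored, extensionName)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Verifies that the caller may store the given extension definitions.
     *
     * <p>Application administrators always may. Other callers need write access
     * on the authorisation wikitty of each extension that has one.
     *
     * @throws SecurityException on the first refused extension
     */
    protected void checkStoreExtension(String str, Collection<WikittyExtension> collection) {
        String userId = getUserId(str);
        if (isAppAdmin(str, userId)) {
            return;
        }
        for (WikittyExtension extension : collection) {
            Wikitty extensionAuthorisation = restoreExtensionAuthorisation(str, extension.getName());
            if (extensionAuthorisation != null && !canWrite(str, userId, null, extensionAuthorisation)) {
                throw new SecurityException(I18n._("user %s don't have write right for extension %s", userId, extension));
            }
        }
    }

    /**
     * Verifies that the caller may delete the named extension definitions.
     *
     * <p>This check used to be empty, which let any caller delete any extension.
     * It now applies the same rule as
     * {@link #checkStoreExtension(String, Collection)}: application
     * administrators always may; other callers need write access on the
     * authorisation wikitty of each extension that has one.
     *
     * @param str security token
     * @param collection names of the extensions about to be deleted
     * @throws SecurityException on the first refused extension, or if the token is invalid
     */
    protected void checkDeleteExtension(String str, Collection<String> collection) {
        String userId = getUserId(str);
        if (collection == null || isAppAdmin(str, userId)) {
            return;
        }
        for (String extensionName : collection) {
            Wikitty extensionAuthorisation = restoreExtensionAuthorisation(str, extensionName);
            if (extensionAuthorisation != null && !canWrite(str, userId, null, extensionAuthorisation)) {
                throw new SecurityException(I18n._("user %s don't have write right for extension %s", userId, extensionName));
            }
        }
    }

    /**
     * Stores extension definitions after
     * {@link #checkStoreExtension(String, Collection)} accepted them.
     */
    @Override
    public WikittyEvent storeExtension(String str, Collection<WikittyExtension> collection) {
        long time = TimeLog.getTime();
        checkStoreExtension(str, collection);
        timeLog.log(time, "storeExtension");
        return getDelegate().storeExtension(str, collection);
    }

    /**
     * Deletes extension definitions after
     * {@link #checkDeleteExtension(String, Collection)} accepted them.
     */
    @Override
    public WikittyEvent deleteExtension(String str, Collection<String> collection) {
        long time = TimeLog.getTime();
        checkDeleteExtension(str, collection);
        timeLog.log(time, "deleteExtension");
        return getDelegate().deleteExtension(str, collection);
    }

    /** Throws unless the user may read the wikitty backing the given tree node. */
    private void checkRestoreTreeNode(String str, String str2, WikittyTreeNode wikittyTreeNode) {
        refuseUnauthorizedRead(str, str2, WikittyUtil.getWikitty(getDelegate(), str, wikittyTreeNode));
    }

    /**
     * Deletes the tree rooted at wikitty {@code str2}.
     *
     * <p>NOTE(review): the only check is {@code checkStore} on the root as it was
     * just restored. That compares the stored wikitty with itself, so no added
     * extension is found, and a freshly restored wikitty presumably has no dirty
     * field - in which case nothing is verified at all. Consider
     * {@code checkDelete} on the root and on every node of the subtree.
     */
    @Override
    public WikittyEvent deleteTree(String str, String str2) {
        Wikitty root = WikittyServiceEnhanced.restore(getDelegate(), str, str2);
        long time = TimeLog.getTime();
        checkStore(str, Collections.singletonList(root));
        timeLog.log(time, "deleteTree");
        return getDelegate().deleteTree(str, str2);
    }

    /**
     * Restores one version of a wikitty and refuses it if the caller may not read it.
     *
     * @throws SecurityException if an extension of the restored version is not readable
     */
    @Override
    public Wikitty restoreVersion(String str, String str2, String str3) {
        Wikitty version = getDelegate().restoreVersion(str, str2, str3);
        long time = TimeLog.getTime();
        refuseUnauthorizedRead(str, getUserId(str), version);
        timeLog.log(time, "restoreVersion");
        return version;
    }

    /**
     * Re-synchronises the search engine; reserved to application administrators.
     *
     * @throws SecurityException if the caller is not an application administrator
     */
    @Override
    public void syncSearchEngine(String str) {
        long time = TimeLog.getTime();
        // Resolve the token once; it was restored twice before.
        String userId = getUserId(str);
        if (!isAppAdmin(str, userId)) {
            throw new SecurityException(I18n._("user %s can't sync search engine", userId));
        }
        timeLog.log(time, "syncSearchEngine");
        getDelegate().syncSearchEngine(str);
    }

    /**
     * Resolves the user id bound to a security token.
     *
     * <p>NOTE(review): the token wikitty is looked up by id only. Nothing here
     * verifies that the restored wikitty really is a token, and the creation
     * date written by {@link #login(String, String)} is never read, so no
     * expiry is enforced in this class.
     *
     * @param str security token, or {@code null} for an anonymous caller
     * @return the user id, or {@code null} for an anonymous caller
     * @throws SecurityException if no wikitty exists for the token
     */
    protected String getUserId(String str) {
        if (str == null) {
            return null;
        }
        Wikitty token = WikittyServiceEnhanced.restore(getDelegate(), str, str);
        if (token == null) {
            throw new SecurityException("bad (obsolete ?) token");
        }
        return WikittyTokenHelper.getUser(token);
    }

    /**
     * Tells whether the user is in the reader list for extension {@code str3}
     * ({@code null} for the wikitty-level list). An empty reader list means
     * everybody may read.
     */
    protected boolean isReader(String str, String str2, Wikitty wikitty, String str3) {
        return isMember(str, str2, wikitty, WikittyUtil.getMetaFieldName(WikittyAuthorisation.EXT_WIKITTYAUTHORISATION, str3, WikittyAuthorisation.FIELD_WIKITTYAUTHORISATION_READER), true);
    }

    /**
     * Tells whether the user is in the writer list for extension {@code str3}
     * ({@code null} for the wikitty-level list). An empty list grants nothing.
     */
    protected boolean isWriter(String str, String str2, Wikitty wikitty, String str3) {
        String metaFieldName = WikittyUtil.getMetaFieldName(WikittyAuthorisation.EXT_WIKITTYAUTHORISATION, str3, WikittyAuthorisation.FIELD_WIKITTYAUTHORISATION_WRITER);
        log.trace("meta field name " + metaFieldName);
        return isMember(str, str2, wikitty, metaFieldName);
    }

    /**
     * Tells whether the user is in the admin list for extension {@code str3}
     * ({@code null} for the wikitty-level list). An empty list grants nothing.
     */
    protected boolean isAdmin(String str, String str2, Wikitty wikitty, String str3) {
        return isMember(str, str2, wikitty, WikittyUtil.getMetaFieldName(WikittyAuthorisation.EXT_WIKITTYAUTHORISATION, str3, WikittyAuthorisation.FIELD_WIKITTYAUTHORISATION_ADMIN));
    }

    /**
     * Tells whether the owner field for extension {@code str3} ({@code null} for
     * the wikitty-level field) holds exactly the user id. Unlike the list-based
     * checks, groups and parent wikitties are not followed.
     */
    protected boolean isOwner(String str, String str2, Wikitty wikitty, String str3) {
        String metaFieldName = WikittyUtil.getMetaFieldName(WikittyAuthorisation.EXT_WIKITTYAUTHORISATION, str3, WikittyAuthorisation.FIELD_WIKITTYAUTHORISATION_OWNER);
        String owner = wikitty.getFieldAsString(WikittyUtil.getExtensionNameFromFQFieldName(metaFieldName), WikittyUtil.getFieldNameFromFQFieldName(metaFieldName));
        return owner != null && owner.equals(str2);
    }

    /** Same as the five-argument overload with an empty list granting nothing. */
    protected boolean isMember(String str, String str2, Wikitty wikitty, String str3) {
        return isMember(str, str2, wikitty, str3, false);
    }

    /**
     * Tells whether the user belongs to the id set held by field {@code str3} of
     * the wikitty, falling back on the parent wikitty named by the authorisation.
     *
     * @param str security token
     * @param str2 user id
     * @param wikitty wikitty carrying the authorisation field
     * @param str3 fully qualified name of the field holding user and group ids
     * @param z answer to give when the field is null or empty
     */
    protected boolean isMember(String str, String str2, Wikitty wikitty, String str3, boolean z) {
        Set<String> ids = wikitty.getFieldAsSet(WikittyUtil.getExtensionNameFromFQFieldName(str3), WikittyUtil.getFieldNameFromFQFieldName(str3), String.class);
        boolean member = (ids == null || ids.isEmpty()) ? z : isMember(str, str2, ids);
        if (!member) {
            String parentId = WikittyAuthorisationHelper.getParent(wikitty);
            if (parentId != null) {
                Wikitty parent = WikittyServiceEnhanced.restore(getDelegate(), str, parentId);
                // A parent id that no longer resolves grants nothing; it used to
                // end in a NullPointerException.
                // NOTE(review): a cycle of parent references would recurse
                // without end; nothing here bounds the chain.
                if (parent != null) {
                    member = isMember(str, str2, parent, str3);
                }
            }
        }
        return member;
    }

    /**
     * Tells whether the user is an application administrator.
     *
     * <p>Fail-open by construction: while no {@code WikittyAppAdmin} group
     * exists, this returns {@code true} for every caller, anonymous included.
     * Deployments should create that group before exposing the service.
     *
     * @param str security token
     * @param str2 user id
     */
    protected boolean isAppAdmin(String str, String str2) {
        Wikitty appAdminGroup = getAppAdminGroup(str);
        if (appAdminGroup == null) {
            return true;
        }
        return isMember(str, str2, WikittyGroupHelper.getMembers(appAdminGroup));
    }

    /**
     * Returns the {@code WikittyAppAdmin} group, resolving and caching its id on
     * first use or when the cached id no longer resolves.
     *
     * @param str security token used for the lookups on the delegate
     * @return the group wikitty, or {@code null} when it cannot be restored
     */
    protected Wikitty getAppAdminGroup(String str) {
        Wikitty group = WikittyServiceEnhanced.restore(getDelegate(), str, this.appAdminGroupId);
        if (group == null) {
            this.appAdminGroupId = getDelegate().findByCriteria(str, Collections.singletonList(Search.query().eq(WikittyGroup.FQ_FIELD_WIKITTYGROUP_NAME, "WikittyAppAdmin").criteria())).get(0);
            group = WikittyServiceEnhanced.restore(getDelegate(), str, this.appAdminGroupId);
        }
        return group;
    }

    /**
     * Tells whether the user id is in the set, directly or through nested groups.
     *
     * @param str security token used to restore group wikitties
     * @param str2 user id looked for
     * @param set user and group ids; {@code null} grants nothing
     */
    protected boolean isMember(String str, String str2, Set<String> set) {
        return isMemberOfAny(str, str2, set, new HashSet<String>());
    }

    /**
     * Walks the ids of {@code candidates}, descending into groups.
     *
     * <p>Two defects of the previous loop are fixed here: it returned the result
     * of the first group it met without looking at the remaining ids, so a
     * listed user could be refused depending on iteration order; and groups
     * containing each other made it recurse until the stack overflowed.
     *
     * @param visited ids already examined during this lookup
     */
    private boolean isMemberOfAny(String str, String userId, Set<String> candidates, Set<String> visited) {
        if (candidates == null) {
            return false;
        }
        for (String candidateId : candidates) {
            if (StringUtils.equals(candidateId, userId)) {
                return true;
            }
            if (!visited.add(candidateId)) {
                // Already examined: skip it, which also breaks membership cycles.
                continue;
            }
            Wikitty candidate = WikittyServiceEnhanced.restore(getDelegate(), str, candidateId);
            // An id that no longer resolves is ignored.
            if (candidate != null && WikittyGroupHelper.hasExtension(candidate)
                    && isMemberOfAny(str, userId, WikittyGroupHelper.getMembers(candidate), visited)) {
                return true;
            }
        }
        return false;
    }

    /** Same as {@link #restoreExtensionAuthorisation(String, String)} for an extension object. */
    protected Wikitty restoreExtensionAuthorisation(String str, WikittyExtension wikittyExtension) {
        return restoreExtensionAuthorisation(str, wikittyExtension.getName());
    }

    /**
     * Restores the wikitty holding the authorisation attached to an extension definition.
     *
     * @param str security token
     * @param str2 extension name
     * @return the authorisation wikitty, or {@code null} when none is attached,
     *         in which case callers treat the extension as unrestricted
     */
    protected Wikitty restoreExtensionAuthorisation(String str, String str2) {
        Wikitty authorisation = WikittyServiceEnhanced.restore(getDelegate(), str, WikittyMetaExtensionUtil.generateId(WikittyAuthorisation.EXT_WIKITTYAUTHORISATION, str2));
        if (authorisation == null) {
            log.debug(str2 + " has no authorization attached");
        }
        return authorisation;
    }
}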
