package eu.ehri.project.acl;

import com.google.common.base.Preconditions;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.Iterables;
import com.google.common.collect.Lists;
import com.google.common.collect.Maps;
import com.google.common.collect.Sets;
import com.tinkerpop.blueprints.Direction;
import com.tinkerpop.blueprints.Vertex;
import com.tinkerpop.frames.FramedGraph;
import com.tinkerpop.pipes.PipeFunction;
import eu.ehri.project.acl.GlobalPermissionSet;
import eu.ehri.project.acl.InheritedGlobalPermissionSet;
import eu.ehri.project.acl.InheritedItemPermissionSet;
import eu.ehri.project.core.GraphManager;
import eu.ehri.project.core.GraphManagerFactory;
import eu.ehri.project.exceptions.IntegrityError;
import eu.ehri.project.exceptions.PermissionDenied;
import eu.ehri.project.models.ContentType;
import eu.ehri.project.models.EntityClass;
import eu.ehri.project.models.Group;
import eu.ehri.project.models.Permission;
import eu.ehri.project.models.PermissionGrant;
import eu.ehri.project.models.base.Accessible;
import eu.ehri.project.models.base.Accessor;
import eu.ehri.project.models.base.PermissionGrantTarget;
import eu.ehri.project.models.base.PermissionScope;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.NoSuchElementException;
import java.util.Optional;
import java.util.Set;

/* loaded from: input_file:eu/ehri/project/acl/AclManager.class */
public final class AclManager {
    private final FramedGraph<?> graph;
    private final GraphManager manager;
    private final PermissionScope scope;
    private final Set<PermissionScope> scopes;
    private final LoadingCache<PermissionType, Permission> enumPermissionMap;
    private final LoadingCache<ContentTypes, ContentType> enumContentTypeMap;
    private final LoadingCache<Permission, PermissionType> permissionEnumMap;
    private final LoadingCache<ContentType, ContentTypes> contentTypeEnumMap;

    public AclManager(FramedGraph<?> framedGraph, PermissionScope permissionScope) {
        this.enumPermissionMap = CacheBuilder.newBuilder().build(new CacheLoader<PermissionType, Permission>() { // from class: eu.ehri.project.acl.AclManager.1
            public Permission load(PermissionType permissionType) throws Exception {
                return (Permission) AclManager.this.manager.getEntity(permissionType.getName(), Permission.class);
            }
        });
        this.enumContentTypeMap = CacheBuilder.newBuilder().build(new CacheLoader<ContentTypes, ContentType>() { // from class: eu.ehri.project.acl.AclManager.2
            public ContentType load(ContentTypes contentTypes) throws Exception {
                return (ContentType) AclManager.this.manager.getEntity(contentTypes.getName(), ContentType.class);
            }
        });
        this.permissionEnumMap = CacheBuilder.newBuilder().build(new CacheLoader<Permission, PermissionType>() { // from class: eu.ehri.project.acl.AclManager.3
            public PermissionType load(Permission permission) throws Exception {
                return PermissionType.withName(permission.getId());
            }
        });
        this.contentTypeEnumMap = CacheBuilder.newBuilder().build(new CacheLoader<ContentType, ContentTypes>() { // from class: eu.ehri.project.acl.AclManager.4
            public ContentTypes load(ContentType contentType) throws Exception {
                return ContentTypes.withName(contentType.getId());
            }
        });
        this.graph = framedGraph;
        this.manager = GraphManagerFactory.getInstance(framedGraph);
        this.scope = (PermissionScope) Optional.ofNullable(permissionScope).orElse(SystemScope.getInstance());
        this.scopes = getAllScopes();
    }

    public AclManager(FramedGraph<?> framedGraph) {
        this(framedGraph, SystemScope.getInstance());
    }

    public static boolean belongsToAdmin(Accessor accessor) {
        if (accessor.isAdmin()) {
            return true;
        }
        Iterator<Accessor> it = accessor.getParents().iterator();
        while (it.hasNext()) {
            if (belongsToAdmin(it.next())) {
                return true;
            }
        }
        return false;
    }

    public static boolean isAnonymous(Accessor accessor) {
        Preconditions.checkNotNull(accessor, "NULL accessor given.");
        return (accessor instanceof AnonymousAccessor) || accessor.getId().equals(Group.ANONYMOUS_GROUP_IDENTIFIER);
    }

    public boolean canAccess(Accessible accessible, Accessor accessor) {
        Preconditions.checkNotNull(accessible, "Entity is null");
        Preconditions.checkNotNull(accessor, "Accessor is null");
        return ((Boolean) getAclFilterFunction(accessor).compute(accessible.asVertex())).booleanValue();
    }

    public void removeAccessControl(Accessible accessible, Accessor accessor) {
        accessible.removeAccessor(accessor);
    }

    public void setAccessors(Accessible accessible, Collection<Accessor> collection) {
        HashSet newHashSet = Sets.newHashSet(collection);
        HashSet newHashSet2 = Sets.newHashSet();
        for (Accessor accessor : accessible.getAccessors()) {
            if (!newHashSet.contains(accessor)) {
                newHashSet2.add(accessor);
            }
        }
        Iterator it = newHashSet2.iterator();
        while (it.hasNext()) {
            accessible.removeAccessor((Accessor) it.next());
        }
        Iterator<Accessor> it2 = collection.iterator();
        while (it2.hasNext()) {
            accessible.addAccessor(it2.next());
        }
    }

    public InheritedItemPermissionSet getInheritedItemPermissions(Accessible accessible, Accessor accessor) {
        InheritedItemPermissionSet.Builder builder = new InheritedItemPermissionSet.Builder(accessor.getId(), getItemPermissions(accessor, accessible));
        for (Accessor accessor2 : accessor.getAllParents()) {
            builder.withInheritedPermissions(accessor2.getId(), getItemPermissions(accessor2, accessible));
        }
        return builder.build();
    }

    public void setItemPermissions(Accessible accessible, Accessor accessor, Set<PermissionType> set) throws PermissionDenied {
        checkNoGrantOnAdminOrAnon(accessor);
        for (PermissionType permissionType : PermissionType.values()) {
            if (set.contains(permissionType)) {
                grantPermission(accessible, permissionType, accessor);
            } else {
                revokePermission(accessible, permissionType, accessor);
            }
        }
    }

    public InheritedGlobalPermissionSet getInheritedGlobalPermissions(Accessor accessor) {
        InheritedGlobalPermissionSet.Builder builder = new InheritedGlobalPermissionSet.Builder(accessor.getId(), getGlobalPermissions(accessor));
        for (Accessor accessor2 : accessor.getParents()) {
            builder.withInheritedPermissions(accessor2.getId(), getGlobalPermissions(accessor2));
        }
        return builder.build();
    }

    public GlobalPermissionSet getGlobalPermissions(Accessor accessor) {
        return belongsToAdmin(accessor) ? getAdminPermissions() : getAccessorPermissions(accessor);
    }

    public void setPermissionMatrix(Accessor accessor, GlobalPermissionSet globalPermissionSet) throws PermissionDenied {
        checkNoGrantOnAdminOrAnon(accessor);
        Map<ContentTypes, Collection<PermissionType>> asMap = globalPermissionSet.asMap();
        for (ContentTypes contentTypes : ContentTypes.values()) {
            Accessible accessible = (ContentType) this.enumContentTypeMap.getUnchecked(contentTypes);
            Collection<PermissionType> newHashSet = asMap.containsKey(contentTypes) ? asMap.get(contentTypes) : Sets.newHashSet();
            for (PermissionType permissionType : PermissionType.values()) {
                if (newHashSet.contains(permissionType)) {
                    grantPermission(accessible, permissionType, accessor);
                } else {
                    revokePermission(accessible, permissionType, accessor);
                }
            }
        }
    }

    public PermissionGrant grantPermission(PermissionGrantTarget permissionGrantTarget, PermissionType permissionType, Accessor accessor) {
        assertNoGrantOnAdminOrAnon(accessor);
        Optional<PermissionGrant> findPermission = findPermission(permissionGrantTarget, permissionType, accessor);
        if (findPermission.isPresent()) {
            return findPermission.get();
        }
        PermissionGrant createPermissionGrant = createPermissionGrant();
        accessor.addPermissionGrant(createPermissionGrant);
        createPermissionGrant.setPermission(vertexForPermission(permissionType));
        createPermissionGrant.addTarget(permissionGrantTarget);
        if (!isSystemScope()) {
            createPermissionGrant.setScope(this.scope);
        }
        return createPermissionGrant;
    }

    public void revokePermission(Accessible accessible, PermissionType permissionType, Accessor accessor) {
        findPermission(accessible, permissionType, accessor).ifPresent(permissionGrant -> {
            this.manager.deleteVertex(permissionGrant.asVertex());
        });
    }

    public void revokePermissionGrant(PermissionGrant permissionGrant) {
        this.manager.deleteVertex(permissionGrant.asVertex());
    }

    public PipeFunction<Vertex, Boolean> getContentTypeFilterFunction() {
        HashSet newHashSet = Sets.newHashSet();
        for (ContentTypes contentTypes : ContentTypes.values()) {
            newHashSet.add(contentTypes.getName());
        }
        return vertex -> {
            return Boolean.valueOf(vertex != null && newHashSet.contains(this.manager.getType(vertex)));
        };
    }

    public static PipeFunction<Vertex, Boolean> getAclFilterFunction(Accessor accessor) {
        Preconditions.checkNotNull(accessor, "Accessor is null");
        if (belongsToAdmin(accessor)) {
            return noopFilterFunction();
        }
        HashSet<Vertex> allAccessors = getAllAccessors(accessor);
        return vertex -> {
            Iterable vertices = vertex.getVertices(Direction.OUT, new String[]{"access"});
            if (vertices.iterator().hasNext() && !isPromoted(vertex)) {
                Iterator it = vertices.iterator();
                while (it.hasNext()) {
                    if (allAccessors.contains((Vertex) it.next())) {
                        return true;
                    }
                }
                return false;
            }
            return true;
        };
    }

    public boolean hasPermission(ContentTypes contentTypes, PermissionType permissionType, Accessor accessor) {
        return hasPermission(contentTypes, permissionType, accessor, this.scopes);
    }

    public boolean hasPermission(Accessible accessible, PermissionType permissionType, Accessor accessor) {
        HashSet newHashSet = Sets.newHashSet(this.scopes);
        Iterator<PermissionScope> it = accessible.getPermissionScopes().iterator();
        while (it.hasNext()) {
            newHashSet.add(it.next());
        }
        if (hasPermission(getContentType(this.manager.getEntityClass(accessible)), permissionType, accessor, newHashSet)) {
            return true;
        }
        return hasScopedPermission(accessible, permissionType, accessor, newHashSet);
    }

    public AclManager withScope(PermissionScope permissionScope) {
        return new AclManager(this.graph, permissionScope);
    }

    public PermissionScope getScope() {
        return this.scope;
    }

    private boolean hasPermission(ContentTypes contentTypes, PermissionType permissionType, Accessor accessor, Collection<PermissionScope> collection) {
        return belongsToAdmin(accessor) || hasScopedPermission((ContentType) this.enumContentTypeMap.getUnchecked(contentTypes), permissionType, accessor, collection);
    }

    private boolean hasScopedPermission(PermissionGrantTarget permissionGrantTarget, PermissionType permissionType, Accessor accessor, Collection<PermissionScope> collection) {
        for (PermissionGrant permissionGrant : accessor.getPermissionGrants()) {
            if (enumForPermission(permissionGrant.getPermission()).contains(permissionType)) {
                Iterator<PermissionGrantTarget> it = permissionGrant.getTargets().iterator();
                while (it.hasNext()) {
                    if (permissionGrantTarget.equals(it.next()) && (permissionGrant.getScope() == null || collection.contains(permissionGrant.getScope()))) {
                        return true;
                    }
                }
            }
        }
        Iterator<Accessor> it2 = accessor.getParents().iterator();
        while (it2.hasNext()) {
            if (hasScopedPermission(permissionGrantTarget, permissionType, it2.next(), collection)) {
                return true;
            }
        }
        return false;
    }

    private Permission vertexForPermission(PermissionType permissionType) {
        return (Permission) this.enumPermissionMap.getUnchecked(permissionType);
    }

    private PermissionType enumForPermission(Permission permission) {
        return (PermissionType) this.permissionEnumMap.getUnchecked(permission);
    }

    private List<PermissionType> getItemPermissions(Accessor accessor, Accessible accessible) {
        if (belongsToAdmin(accessor)) {
            return ImmutableList.copyOf(PermissionType.values());
        }
        ArrayList newArrayList = Lists.newArrayList();
        HashSet newHashSet = Sets.newHashSet(accessible.getPermissionScopes());
        PermissionGrantTarget permissionGrantTarget = (PermissionGrantTarget) accessible.as(PermissionGrantTarget.class);
        for (PermissionGrant permissionGrant : accessor.getPermissionGrants()) {
            if (Iterables.contains(permissionGrant.getTargets(), permissionGrantTarget)) {
                newArrayList.add(enumForPermission(permissionGrant.getPermission()));
            } else if (permissionGrant.getScope() != null && hasContentTypeTargets(permissionGrant) && newHashSet.contains(permissionGrant.getScope())) {
                newArrayList.add(enumForPermission(permissionGrant.getPermission()));
            }
        }
        return newArrayList;
    }

    private Optional<PermissionGrant> findPermission(PermissionGrantTarget permissionGrantTarget, PermissionType permissionType, Accessor accessor) {
        PermissionGrantTarget permissionGrantTarget2 = (PermissionGrantTarget) permissionGrantTarget.as(PermissionGrantTarget.class);
        Permission permission = (Permission) this.enumPermissionMap.getUnchecked(permissionType);
        for (PermissionGrant permissionGrant : accessor.getPermissionGrants()) {
            if (isInScope(permissionGrant) && Iterables.contains(permissionGrant.getTargets(), permissionGrantTarget2) && permissionGrant.getPermission().equals(permission)) {
                return Optional.of(permissionGrant);
            }
        }
        return Optional.empty();
    }

    private PermissionGrant createPermissionGrant() {
        try {
            return (PermissionGrant) this.graph.frame(this.manager.createVertex(EntityClass.PERMISSION_GRANT.getIdGen().generateId(Lists.newArrayList(), null), EntityClass.PERMISSION_GRANT, Maps.newHashMap()), PermissionGrant.class);
        } catch (IntegrityError e) {
            e.printStackTrace();
            throw new RuntimeException("Something very unlikely has occurred because two supposedly-random numbers have collided. Trying again should fix this.");
        }
    }

    private void checkNoGrantOnAdminOrAnon(Accessor accessor) throws PermissionDenied {
        if (accessor.isAdmin() || accessor.isAnonymous()) {
            throw new PermissionDenied("Unable to grant or revoke permissions to system accounts.");
        }
    }

    private void assertNoGrantOnAdminOrAnon(Accessor accessor) {
        if (accessor.isAdmin() || accessor.isAnonymous()) {
            throw new RuntimeException("Unable to grant or revoke permissions to system accounts.");
        }
    }

    private static HashSet<Vertex> getAllAccessors(Accessor accessor) {
        HashSet<Vertex> newHashSet = Sets.newHashSet();
        if (!isAnonymous(accessor)) {
            Iterator<Accessor> it = accessor.getAllParents().iterator();
            while (it.hasNext()) {
                newHashSet.add(it.next().asVertex());
            }
            newHashSet.add(accessor.asVertex());
        }
        return newHashSet;
    }

    private GlobalPermissionSet getAccessorPermissions(Accessor accessor) {
        GlobalPermissionSet.Builder newBuilder = GlobalPermissionSet.newBuilder();
        for (PermissionGrant permissionGrant : accessor.getPermissionGrants()) {
            PermissionScope scope = permissionGrant.getScope();
            if (scope == null || this.scopes.contains(scope)) {
                for (PermissionGrantTarget permissionGrantTarget : permissionGrant.getTargets()) {
                    if (this.manager.getEntityClass(permissionGrantTarget).equals(EntityClass.CONTENT_TYPE)) {
                        ContentType contentType = (ContentType) permissionGrantTarget.as(ContentType.class);
                        Permission permission = permissionGrant.getPermission();
                        if (permission != null) {
                            newBuilder.set((ContentTypes) this.contentTypeEnumMap.getUnchecked(contentType), (PermissionType) this.permissionEnumMap.getUnchecked(permission));
                        }
                    }
                }
            }
        }
        return newBuilder.build();
    }

    private GlobalPermissionSet getAdminPermissions() {
        GlobalPermissionSet.Builder newBuilder = GlobalPermissionSet.newBuilder();
        for (ContentTypes contentTypes : ContentTypes.values()) {
            newBuilder.set(contentTypes, PermissionType.values());
        }
        return newBuilder.build();
    }

    private static PipeFunction<Vertex, Boolean> noopFilterFunction() {
        return vertex -> {
            return true;
        };
    }

    private HashSet<PermissionScope> getAllScopes() {
        HashSet<PermissionScope> newHashSet = Sets.newHashSet(this.scope.getPermissionScopes());
        if (!isSystemScope()) {
            newHashSet.add(this.scope);
        }
        return newHashSet;
    }

    private boolean isSystemScope() {
        return this.scope.equals(SystemScope.INSTANCE);
    }

    private boolean isInScope(PermissionGrant permissionGrant) {
        return (isSystemScope() && permissionGrant.getScope() == null) || (permissionGrant.getScope() != null && Iterables.contains(this.scopes, permissionGrant.getScope()));
    }

    private ContentTypes getContentType(EntityClass entityClass) {
        try {
            return ContentTypes.withName(entityClass.getName());
        } catch (NoSuchElementException e) {
            throw new RuntimeException(String.format("No content type found for type: '%s'", entityClass.getName()), e);
        }
    }

    private boolean hasContentTypeTargets(PermissionGrant permissionGrant) {
        Iterator<PermissionGrantTarget> it = permissionGrant.getTargets().iterator();
        while (it.hasNext()) {
            if (!this.manager.getEntityClass(it.next()).equals(EntityClass.CONTENT_TYPE)) {
                return false;
            }
        }
        return true;
    }

    private static boolean isPromoted(Vertex vertex) {
        int size = Iterables.size(vertex.getEdges(Direction.OUT, new String[]{"promotedBy"}));
        return size > 0 && size > Iterables.size(vertex.getEdges(Direction.OUT, new String[]{"demotedBy"}));
    }
}
