package fr.ird.observe.entities;

import fr.ird.observe.dto.db.DataSourceUserDto;
import fr.ird.observe.dto.db.DataSourceUserRole;
import fr.ird.observe.dto.db.configuration.ObserveDataSourceConfiguration;
import fr.ird.observe.dto.db.configuration.ObserveDataSourceInformation;
import fr.ird.observe.security.Permission;
import io.ultreia.java4all.util.Version;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;
import org.apache.commons.lang3.tuple.Pair;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.nuiton.topia.persistence.BlobIdsIterator;
import org.nuiton.topia.persistence.TopiaConfigurationExtension;
import org.nuiton.topia.persistence.TopiaException;
import org.nuiton.topia.persistence.jdbc.JdbcHelper;
import org.nuiton.topia.persistence.jdbc.JdbcPostgresHelper;
import org.nuiton.topia.persistence.script.SqlScriptConsumer;
import org.nuiton.topia.persistence.script.SqlScriptWriter;
import org.nuiton.topia.service.migration.resources.MigrationVersionResourceProvider;
import org.nuiton.topia.service.migration.version.TMSVersion;
import org.nuiton.topia.service.sql.model.TopiaEntitySqlDescriptor;
import org.nuiton.topia.service.sql.model.TopiaEntitySqlDescriptors;
import org.nuiton.topia.service.sql.model.table.TopiaEntitySqlAssociationTable;

/* loaded from: input_file:fr/ird/observe/entities/SecurityHelper.class */
public class SecurityHelper {
    private static final String REVOKE_ON_TABLE_ALL_PATTERN = "REVOKE ALL ON %s.%s FROM %s CASCADE;";
    private static final String REVOKE_ON_LARGE_OBJECT_ALL_PATTERN = "REVOKE ALL ON LARGE OBJECT %s FROM %s CASCADE;";
    private static final String SET_ON_TABLE_OWNER_PATTERN = "ALTER TABLE %s.%s OWNER TO %s;";
    private static final String SET_ON_LARGE_OBJECT_OWNER_PATTERN = "ALTER LARGE OBJECT %s OWNER TO %s;";
    private static final String GRANT_ON_LARGE_OBJECT_READ_PATTERN = "GRANT SELECT ON LARGE OBJECT %s TO %s;";
    private static final String GRANT_ON_LARGE_OBJECT_ALL_PATTERN = "GRANT ALL ON LARGE OBJECT %s TO %s;";
    private static final String GRANT_ON_TABLE_READ_PATTERN = "GRANT SELECT ON %s.%s TO %s;";
    private static final String GRANT_ON_TABLE_ALL_PATTERN = "GRANT ALL ON %s.%s TO %s;";
    private static final String GRANT_ON_FUNCTION_PATTERN = "GRANT EXECUTE ON FUNCTION %s TO %s;";
    private static final String REVOKE_ON_SCHEMA_ALL_PATTERN = "REVOKE ALL ON SCHEMA %s FROM %s CASCADE;";
    private static final String REVOKE_ON_FUNCTIONS_PATTERN = "REVOKE EXECUTE ON FUNCTION %s FROM %s CASCADE;";
    private static final String GRANT_ON_SCHEMA_ALL_PATTERN = "GRANT USAGE ON SCHEMA %s TO %s;";
    private static final String SCHEMA_PUBLIC = "public";
    private final JdbcPostgresHelper jdbcHelper;
    private final Path temporaryDirectory;
    private final ToolkitTopiaApplicationContextSupport<?> applicationContext;
    public static final Set<String> WRITE_PRIVILEGES = new LinkedHashSet(Arrays.asList("DELETE", "UPDATE", "INSERT"));
    private static final Function<String, String> ESCAPE_STRING = str -> {
        return "\"" + str + "\"";
    };
    private static final Set<String> EXTRA_TABLES = new LinkedHashSet(List.of("tms_version", "tmsVersion"));
    private static final Set<String> FUNCTION_NAMES_PREFIXES = new LinkedHashSet(List.of("ST_MakePoint", "ST_SetSRID", "sync_", "tr_sync", "ot_enhanced_school_type", "observe_"));
    private static final Logger log = LogManager.getLogger(SecurityHelper.class);

    public static boolean canWrite(Set<String> set) {
        return set != null && set.containsAll(WRITE_PRIVILEGES);
    }

    public static boolean canRead(Set<String> set) {
        return (set == null || set.isEmpty()) ? false : true;
    }

    public static boolean isOwner(ObserveDataSourceConfiguration observeDataSourceConfiguration, JdbcPostgresHelper jdbcPostgresHelper) {
        if (observeDataSourceConfiguration.isLocal()) {
            return true;
        }
        return jdbcPostgresHelper.isOwner();
    }

    public static boolean isSuperUser(ObserveDataSourceConfiguration observeDataSourceConfiguration, JdbcPostgresHelper jdbcPostgresHelper) {
        if (observeDataSourceConfiguration.isLocal()) {
            return true;
        }
        return jdbcPostgresHelper.isSuperUser();
    }

    public static ObserveDataSourceInformation getDataSourceInformation(SecurityHelperModel securityHelperModel, ObserveDataSourceConfiguration observeDataSourceConfiguration, TopiaConfigurationExtension topiaConfigurationExtension, boolean z) {
        new JdbcHelper(topiaConfigurationExtension).runSelectOnString("SELECT 1;");
        JdbcPostgresHelper jdbcPostgresHelper = new JdbcPostgresHelper(topiaConfigurationExtension);
        boolean isOwner = isOwner(observeDataSourceConfiguration, jdbcPostgresHelper);
        boolean isSuperUser = isSuperUser(observeDataSourceConfiguration, jdbcPostgresHelper);
        LinkedList linkedList = new LinkedList();
        linkedList.add(Permission.READ_REFERENTIAL);
        if (observeDataSourceConfiguration.isLocal()) {
            linkedList.add(Permission.READ_DATA);
            linkedList.add(Permission.WRITE_DATA);
        }
        try {
            Version version = (Version) getVersion(jdbcPostgresHelper, "tms_version").map((v0) -> {
                return v0.toVersion();
            }).orElse(Version.VZERO);
            if (!observeDataSourceConfiguration.isLocal()) {
                Set tablePrivileges = jdbcPostgresHelper.getTablePrivileges(securityHelperModel.getDataTableSchemaName(), securityHelperModel.getDataTableTableName());
                boolean canRead = canRead(tablePrivileges);
                boolean canWrite = canWrite(tablePrivileges);
                boolean canWrite2 = canWrite(jdbcPostgresHelper.getTablePrivileges(securityHelperModel.getReferentialTableSchemaName(), securityHelperModel.getReferentialTableTableName()));
                if (canRead) {
                    linkedList.add(Permission.READ_DATA);
                }
                if (canWrite) {
                    linkedList.add(Permission.WRITE_DATA);
                }
                if (canWrite2) {
                    linkedList.add(Permission.WRITE_REFERENTIAL);
                }
            }
            Permission valueOf = Permission.valueOf(linkedList);
            log.debug(String.format("User permission: %s.", valueOf));
            return new ObserveDataSourceInformation(valueOf, isOwner, isSuperUser, securityHelperModel.getMinimumMigrationVersion(), version, MigrationVersionResourceProvider.get().getVersionsAfter(version));
        } catch (Exception e) {
            if (z) {
                return new ObserveDataSourceInformation(Permission.valueOf(linkedList), isOwner, isSuperUser, securityHelperModel.getMinimumMigrationVersion(), (Version) null, (List) null);
            }
            throw e;
        }
    }

    private static Optional<TMSVersion> getVersion(JdbcHelper jdbcHelper, String str) {
        try {
            String runSelectOnString = jdbcHelper.runSelectOnString(String.format("select version from %s", str));
            return Optional.ofNullable(runSelectOnString == null ? null : new TMSVersion(runSelectOnString));
        } catch (Exception e) {
            throw new TopiaException("Could not obtain version", e);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public SecurityHelper(ToolkitTopiaApplicationContextSupport<?> toolkitTopiaApplicationContextSupport) {
        this.applicationContext = (ToolkitTopiaApplicationContextSupport) Objects.requireNonNull(toolkitTopiaApplicationContextSupport);
        this.jdbcHelper = new JdbcPostgresHelper(toolkitTopiaApplicationContextSupport.getConfiguration());
        this.temporaryDirectory = toolkitTopiaApplicationContextSupport.getConfiguration().getTemporaryDirectory();
    }

    public Set<DataSourceUserDto> getUsers() {
        checkConfig();
        LinkedHashSet linkedHashSet = new LinkedHashSet();
        TopiaConfigurationExtension configuration = this.applicationContext.getConfiguration();
        if (configuration.isH2Configuration()) {
            return linkedHashSet;
        }
        for (String str : this.jdbcHelper.getRoles()) {
            DataSourceUserDto dataSourceUserDto = new DataSourceUserDto();
            dataSourceUserDto.setName(str);
            if (configuration.getJdbcConnectionUser().equals(str)) {
                dataSourceUserDto.setRole(DataSourceUserRole.ADMINISTRATOR);
            } else {
                dataSourceUserDto.setRole(DataSourceUserRole.UNUSED);
            }
            linkedHashSet.add(dataSourceUserDto);
        }
        return linkedHashSet;
    }

    public void applySecurity(Set<DataSourceUserDto> set) {
        checkConfig();
        if (set == null) {
            throw new NullPointerException("users can not be null");
        }
        try {
            Path createTempFile = Files.createTempFile(this.temporaryDirectory, "topia-sql-script-", ".sql", new FileAttribute[0]);
            Path resolve = createTempFile.getParent().resolve(createTempFile.toFile().getName().replace(".sql", ".blob-ids"));
            try {
                SqlScriptWriter of = SqlScriptWriter.of(createTempFile);
                try {
                    createSecurityScript(set, of, resolve);
                    log.info(String.format("Generate security script %d statements(s) at %s", Long.valueOf(of.getStatementCount()), createTempFile));
                    if (of != null) {
                        of.close();
                    }
                    this.jdbcHelper.consume(SqlScriptConsumer.of(createTempFile));
                } finally {
                }
            } catch (IOException e) {
                throw new TopiaException(String.format("Can't generate security script at %s", createTempFile), e);
            }
        } catch (IOException e2) {
            throw new IllegalStateException("Can't create temporary path", e2);
        }
    }

    private void checkConfig() {
        if (this.applicationContext.getConfiguration().isH2Configuration()) {
            throw new IllegalArgumentException("Can't use security helper on local datasource...");
        }
    }

    private void createSecurityScript(Set<DataSourceUserDto> set, SqlScriptWriter sqlScriptWriter, Path path) throws IOException {
        Set<String> linkedHashSet = new LinkedHashSet<>();
        linkedHashSet.add(SCHEMA_PUBLIC);
        linkedHashSet.addAll(this.applicationContext.getMetadataModel().getSchemaNames());
        List tables = this.jdbcHelper.getTables(linkedHashSet, EXTRA_TABLES);
        if (tables.isEmpty()) {
            return;
        }
        String str = getUserNamesByRole(set, DataSourceUserRole.ADMINISTRATOR).get(0);
        List<String> userNamesByRole = getUserNamesByRole(set, DataSourceUserRole.TECHNICAL);
        List<String> userNamesByRole2 = getUserNamesByRole(set, DataSourceUserRole.USER);
        List<String> userNamesByRole3 = getUserNamesByRole(set, DataSourceUserRole.REFERENTIAL);
        List<String> userNamesByRole4 = getUserNamesByRole(set, DataSourceUserRole.UNUSED);
        if (log.isInfoEnabled()) {
            log.info(String.format("Will apply security on %d table(s).", Integer.valueOf(tables.size())));
            log.info(" - administrator : " + str);
            log.info(" - technical     : " + userNamesByRole);
            log.info(" - user          : " + userNamesByRole2);
            log.info(" - referential   : " + userNamesByRole3);
        }
        List<Pair<String, String>> referentielTables = getReferentielTables(tables);
        Set<String> linkedHashSet2 = new LinkedHashSet<>();
        Iterator<String> it = FUNCTION_NAMES_PREFIXES.iterator();
        while (it.hasNext()) {
            linkedHashSet2.addAll(this.jdbcHelper.getPostgisFunctions(it.next()));
        }
        String apply = ESCAPE_STRING.apply(str);
        Set<String> escapedNames = escapedNames(userNamesByRole);
        Set<String> escapedNames2 = escapedNames(userNamesByRole2);
        Set<String> escapedNames3 = escapedNames(userNamesByRole3);
        Set<String> escapedNames4 = escapedNames(userNamesByRole4);
        BlobIdsIterator newBlobIdsIterator = this.applicationContext.newBlobIdsIterator(path);
        HashSet hashSet = new HashSet();
        hashSet.add(SCHEMA_PUBLIC);
        hashSet.addAll(escapedNames3);
        hashSet.addAll(escapedNames2);
        hashSet.addAll(escapedNames4);
        String join = String.join(",", hashSet);
        addOnTablesForRole(REVOKE_ON_TABLE_ALL_PATTERN, sqlScriptWriter, tables, join);
        addOnSchemaForRole(REVOKE_ON_SCHEMA_ALL_PATTERN, sqlScriptWriter, linkedHashSet, join);
        addOnFunctionForRole(REVOKE_ON_FUNCTIONS_PATTERN, sqlScriptWriter, linkedHashSet2, join);
        addOnLargeObjectForRole(REVOKE_ON_LARGE_OBJECT_ALL_PATTERN, sqlScriptWriter, newBlobIdsIterator, join);
        addOnTablesForRole(SET_ON_TABLE_OWNER_PATTERN, sqlScriptWriter, tables, apply);
        addOnSchemaForRole(GRANT_ON_SCHEMA_ALL_PATTERN, sqlScriptWriter, linkedHashSet, apply);
        addOnSchemaForRole(GRANT_ON_FUNCTION_PATTERN, sqlScriptWriter, linkedHashSet2, apply);
        addOnLargeObjectForRole(SET_ON_LARGE_OBJECT_OWNER_PATTERN, sqlScriptWriter, newBlobIdsIterator, apply);
        addOnLargeObjectForRole(GRANT_ON_LARGE_OBJECT_ALL_PATTERN, sqlScriptWriter, newBlobIdsIterator, apply);
        if (!escapedNames.isEmpty()) {
            String join2 = String.join(",", escapedNames);
            addOnTablesForRole(GRANT_ON_TABLE_ALL_PATTERN, sqlScriptWriter, tables, join2);
            addOnSchemaForRole(GRANT_ON_SCHEMA_ALL_PATTERN, sqlScriptWriter, linkedHashSet, join2);
            addOnSchemaForRole(GRANT_ON_FUNCTION_PATTERN, sqlScriptWriter, linkedHashSet2, join2);
            addOnLargeObjectForRole(GRANT_ON_LARGE_OBJECT_ALL_PATTERN, sqlScriptWriter, newBlobIdsIterator, join2);
        }
        if (!escapedNames2.isEmpty()) {
            String join3 = String.join(",", escapedNames2);
            addOnTablesForRole(GRANT_ON_TABLE_READ_PATTERN, sqlScriptWriter, tables, join3);
            addOnSchemaForRole(GRANT_ON_SCHEMA_ALL_PATTERN, sqlScriptWriter, linkedHashSet, join3);
            addOnSchemaForRole(GRANT_ON_FUNCTION_PATTERN, sqlScriptWriter, linkedHashSet2, join3);
            addOnLargeObjectForRole(GRANT_ON_LARGE_OBJECT_READ_PATTERN, sqlScriptWriter, newBlobIdsIterator, join3);
        }
        if (escapedNames3.isEmpty()) {
            return;
        }
        String join4 = String.join(",", escapedNames3);
        addOnTablesForRole(GRANT_ON_TABLE_READ_PATTERN, sqlScriptWriter, referentielTables, join4);
        addOnSchemaForRole(GRANT_ON_SCHEMA_ALL_PATTERN, sqlScriptWriter, linkedHashSet, join4);
        addOnSchemaForRole(GRANT_ON_FUNCTION_PATTERN, sqlScriptWriter, linkedHashSet2, join4);
    }

    private List<String> getUserNamesByRole(Set<DataSourceUserDto> set, DataSourceUserRole dataSourceUserRole) {
        return (List) set.stream().filter(dataSourceUserDto -> {
            return dataSourceUserDto.getRole() == dataSourceUserRole;
        }).map((v0) -> {
            return v0.getName();
        }).collect(Collectors.toList());
    }

    private Set<String> escapedNames(List<String> list) {
        return (Set) list.stream().map(ESCAPE_STRING).collect(Collectors.toSet());
    }

    private List<Pair<String, String>> getReferentielTables(Collection<Pair<String, String>> collection) {
        List<Pair<String, String>> tables = getTables(collection, this.applicationContext.getSqlService().getModel().getReplicationOrderWithStandaloneDescriptors());
        if (log.isInfoEnabled()) {
            StringBuilder sb = new StringBuilder();
            sb.append("Detected ").append(tables.size()).append(" referentiel tables.");
            if (log.isDebugEnabled()) {
                Iterator<Pair<String, String>> it = tables.iterator();
                while (it.hasNext()) {
                    sb.append("\n - ").append(it.next());
                }
            }
            ArrayList arrayList = new ArrayList(collection);
            arrayList.removeAll(tables);
            sb.append("Detected ").append(arrayList.size()).append(" data tables.");
            if (log.isDebugEnabled()) {
                Iterator it2 = arrayList.iterator();
                while (it2.hasNext()) {
                    sb.append("\n - ").append((Pair) it2.next());
                }
            }
            log.info(sb.toString());
        }
        return tables;
    }

    private List<Pair<String, String>> getTables(Iterable<Pair<String, String>> iterable, TopiaEntitySqlDescriptors topiaEntitySqlDescriptors) {
        ArrayList arrayList = new ArrayList();
        for (Pair<String, String> pair : iterable) {
            String str = (String) pair.getRight();
            String str2 = null;
            Iterator it = topiaEntitySqlDescriptors.iterator();
            while (it.hasNext()) {
                TopiaEntitySqlDescriptor topiaEntitySqlDescriptor = (TopiaEntitySqlDescriptor) it.next();
                String tableName = topiaEntitySqlDescriptor.getTable().getTableName();
                if (str.equalsIgnoreCase(tableName) || str.startsWith(tableName + "_")) {
                    str2 = tableName;
                    break;
                }
                Iterator it2 = topiaEntitySqlDescriptor.getAssociations().iterator();
                while (it2.hasNext()) {
                    String tableName2 = ((TopiaEntitySqlAssociationTable) it2.next()).getTableName();
                    if (str.equalsIgnoreCase(tableName2) || str.startsWith(tableName2 + "_")) {
                        str2 = tableName2;
                        break;
                    }
                }
            }
            if (str2 == null) {
                Iterator<String> it3 = EXTRA_TABLES.iterator();
                while (true) {
                    if (!it3.hasNext()) {
                        break;
                    }
                    String next = it3.next();
                    if (str.equalsIgnoreCase(next)) {
                        str2 = next;
                        break;
                    }
                }
            }
            if (str2 != null && !arrayList.contains(pair)) {
                arrayList.add(pair);
            }
        }
        Collections.sort(arrayList);
        return arrayList;
    }

    private void addOnTablesForRole(String str, SqlScriptWriter sqlScriptWriter, Iterable<Pair<String, String>> iterable, String str2) {
        for (Pair<String, String> pair : iterable) {
            sqlScriptWriter.writeSql(String.format(str, pair.getLeft(), pair.getRight(), str2));
        }
    }

    private void addOnSchemaForRole(String str, SqlScriptWriter sqlScriptWriter, Set<String> set, String str2) {
        Iterator<String> it = set.iterator();
        while (it.hasNext()) {
            sqlScriptWriter.writeSql(String.format(str, it.next(), str2));
        }
    }

    private void addOnLargeObjectForRole(String str, SqlScriptWriter sqlScriptWriter, BlobIdsIterator blobIdsIterator, String str2) throws IOException {
        while (blobIdsIterator.hasNext()) {
            try {
                sqlScriptWriter.writeSql(String.format(str, blobIdsIterator.next(), str2));
            } catch (Throwable th) {
                if (blobIdsIterator != null) {
                    try {
                        blobIdsIterator.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        }
        if (blobIdsIterator != null) {
            blobIdsIterator.close();
        }
    }

    private void addOnFunctionForRole(String str, SqlScriptWriter sqlScriptWriter, Set<String> set, String str2) {
        Iterator<String> it = set.iterator();
        while (it.hasNext()) {
            sqlScriptWriter.writeSql(String.format(str, it.next(), str2));
        }
    }
}
