package net.n2oapp.framework.access.data;

import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.function.BiPredicate;
import java.util.stream.Collectors;
import net.n2oapp.criteria.dataset.DataSet;
import net.n2oapp.criteria.filters.Filter;
import net.n2oapp.framework.access.exception.AccessDeniedException;
import net.n2oapp.framework.access.exception.UnauthorizedException;
import net.n2oapp.framework.access.metadata.Security;
import net.n2oapp.framework.access.metadata.SecurityFilters;
import net.n2oapp.framework.access.metadata.accesspoint.model.N2oObjectFilter;
import net.n2oapp.framework.access.simple.PermissionApi;
import net.n2oapp.framework.api.context.ContextProcessor;
import net.n2oapp.framework.api.criteria.Restriction;
import net.n2oapp.framework.api.user.UserContext;

/* loaded from: input_file:net/n2oapp/framework/access/data/SecurityProvider.class */
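/**
 * Evaluates access rules and row-level restrictions for a user.
 *
 * <p>Two independent mechanisms are implemented here:
 * <ul>
 *   <li>{@link #checkAccess} decides whether the user may touch an object at all, based on the
 *       {@link Security.SecurityObject} entries attached to it;</li>
 *   <li>{@link #collectRestrictions} / {@link #checkRestrictions} derive field-level filters
 *       from {@link SecurityFilters} and verify a data set against them.</li>
 * </ul>
 *
 * <p>All identity questions (is the user authenticated, does the user hold a role, permission
 * or username) are delegated to the injected {@link PermissionApi}.
 */
public class SecurityProvider {
    private final PermissionApi permissionApi;
    private final boolean strictFiltering;

    /**
     * @param permissionApi   answers authentication, role, permission and username questions
     * @param strictFiltering when {@code true}, {@link #checkRestrictions} also evaluates a
     *                        restriction whose field is absent ({@code null}) in the data set
     */
    public SecurityProvider(PermissionApi permissionApi, boolean strictFiltering) {
        this.permissionApi = permissionApi;
        this.strictFiltering = strictFiltering;
    }

    /**
     * Checks every security object attached to {@code security} against the user.
     *
     * <p>When {@code security} or its security map is {@code null} the method returns without
     * performing any check, so an object without security metadata is reachable by everyone
     * as far as this class is concerned. Callers that need deny-by-default have to enforce it
     * before calling this method.
     *
     * @param security    security metadata of the object being accessed, may be {@code null}
     * @param userContext context of the current user
     * @throws UnauthorizedException if an entry is denied, or the user is not authenticated and
     *                               the entry does not allow anonymous access
     * @throws AccessDeniedException if the user is authenticated but no rule of an entry grants
     *                               access
     */
    public void checkAccess(Security security, UserContext userContext) {
        if (security == null || security.getSecurityMap() == null) {
            return;
        }
        // Every entry must pass: the first failing entry aborts with an exception.
        for (Security.SecurityObject securityObject : security.getSecurityMap().values()) {
            check(userContext, securityObject);
        }
    }

    /**
     * Builds the list of restrictions that apply to the user.
     *
     * <p>Filters are gathered from the permit-all group, from the authenticated or anonymous
     * group (depending on {@link PermissionApi#hasAuthentication}), and from every role,
     * permission and username entry the user matches. The parallel "remove" groups are gathered
     * by the same rules and contribute filter ids; any gathered filter whose id is in that set
     * is dropped before the result is built.
     *
     * <p>Security note: a remove entry suppresses a filter by id no matter which group added
     * the filter, so granting a role or permission that carries a remove entry widens what the
     * user can see. Review remove entries with the same care as grants.
     *
     * @param securityFilters filter metadata, may be {@code null}
     * @param userContext     context of the current user
     * @return restrictions for the user; empty when {@code securityFilters} is {@code null}
     */
    public List<Restriction> collectRestrictions(SecurityFilters securityFilters, UserContext userContext) {
        if (securityFilters == null) {
            return Collections.emptyList();
        }
        // De-duplication relies on N2oObjectFilter's equals/hashCode, which is not visible in this file.
        Set<N2oObjectFilter> applied = new HashSet<>();
        // The element type of the remove collections is not visible here; the ids are only
        // compared through contains(), so Object is sufficient.
        Set<Object> removedIds = new HashSet<>();

        addAllIfPresent(applied, securityFilters.getPermitAllFilters());
        addAllIfPresent(removedIds, securityFilters.getRemovePermitAllFilters());

        if (permissionApi.hasAuthentication(userContext)) {
            addAllIfPresent(applied, securityFilters.getAuthenticatedFilters());
            addAllIfPresent(removedIds, securityFilters.getRemoveAuthenticatedFilters());
        } else {
            addAllIfPresent(applied, securityFilters.getAnonymousFilters());
            addAllIfPresent(removedIds, securityFilters.getRemoveAnonymousFilters());
        }

        addMatching(applied, securityFilters.getRoleFilters(), userContext, permissionApi::hasRole);
        addMatching(removedIds, securityFilters.getRemoveRoleFilters(), userContext, permissionApi::hasRole);
        addMatching(applied, securityFilters.getPermissionFilters(), userContext, permissionApi::hasPermission);
        addMatching(removedIds, securityFilters.getRemovePermissionFilters(), userContext, permissionApi::hasPermission);
        addMatching(applied, securityFilters.getUserFilters(), userContext, permissionApi::hasUsername);
        addMatching(removedIds, securityFilters.getRemoveUserFilters(), userContext, permissionApi::hasUsername);

        applied.removeIf(filter -> removedIds.contains(filter.getId()));
        return applied.stream().map(this::restriction).collect(Collectors.toList());
    }

    /** Adds {@code source} to {@code target} unless {@code source} is {@code null}. */
    private static <T> void addAllIfPresent(Set<T> target, Collection<? extends T> source) {
        if (source != null) {
            target.addAll(source);
        }
    }

    /** Adds the values of every entry of {@code byKey} whose key the user matches according to {@code matches}. */
    private static <T> void addMatching(Set<T> target, Map<String, ? extends Collection<? extends T>> byKey,
            UserContext userContext, BiPredicate<UserContext, String> matches) {
        if (byKey == null) {
            return;
        }
        for (Map.Entry<String, ? extends Collection<? extends T>> entry : byKey.entrySet()) {
            if (matches.test(userContext, entry.getKey())) {
                target.addAll(entry.getValue());
            }
        }
    }

    /** Converts a filter into a restriction; array filters carry their values as a list. */
    private Restriction restriction(N2oObjectFilter n2oObjectFilter) {
        Object value = n2oObjectFilter.isArray()
                ? Arrays.asList(n2oObjectFilter.getValues())
                : n2oObjectFilter.getValue();
        return new Restriction(n2oObjectFilter.getFieldId(), value, n2oObjectFilter.getType());
    }

    /**
     * Verifies that {@code dataSet} satisfies every restriction that applies to the user.
     *
     * @param dataSet         data to verify
     * @param securityFilters filter metadata, may be {@code null} (then nothing is checked)
     * @param userContext     context of the current user
     * @throws AccessDeniedException if a field value fails its restriction; the message names
     *                               the field id
     */
    public void checkRestrictions(DataSet dataSet, SecurityFilters securityFilters, UserContext userContext) {
        List<Restriction> restrictions = collectRestrictions(securityFilters, userContext);
        ContextProcessor contextProcessor = new ContextProcessor(userContext);
        for (Restriction restriction : restrictions) {
            Object actual = dataSet.get(restriction.getFieldId());
            // NOTE(review): two paths below skip a restriction without evaluating it.
            // (1) The field is absent from the data set and strictFiltering is off.
            // (2) The restriction value resolves to null, even with strictFiltering on;
            //     presumably this happens when a context placeholder has no value for the
            //     user (ContextProcessor is not visible here, confirm).
            // Both are fail-open. Confirm they are intended, and consider logging path (2)
            // so that a misconfigured filter does not go unnoticed.
            if (actual == null && !strictFiltering) {
                continue;
            }
            Object expected = contextProcessor.resolve(restriction.getValue());
            if (expected == null) {
                continue;
            }
            if (!new Filter(expected, restriction.getType()).check(actual)) {
                throw new AccessDeniedException("Access denied by field " + restriction.getFieldId());
            }
        }
    }

    /**
     * Applies a single security object to the user. The rules are evaluated in this order:
     * <ol>
     *   <li>{@code denied} set: reject with {@link UnauthorizedException}, authenticated or not;</li>
     *   <li>{@code permitAll} set: allow;</li>
     *   <li>user not authenticated: allow only if {@code anonymous} is set, otherwise
     *       {@link UnauthorizedException};</li>
     *   <li>{@code authenticated} set: allow;</li>
     *   <li>{@code anonymous} set (anonymous-only entry, authenticated user):
     *       {@link AccessDeniedException};</li>
     *   <li>allow if the user matches any listed role, permission or username, otherwise
     *       {@link AccessDeniedException}.</li>
     * </ol>
     * An entry with no flags and no lists therefore rejects every user (deny by default).
     */
    private void check(UserContext userContext, Security.SecurityObject securityObject) {
        if (isTrue(securityObject.getDenied())) {
            throw new UnauthorizedException();
        }
        if (isTrue(securityObject.getPermitAll())) {
            return;
        }
        if (!permissionApi.hasAuthentication(userContext)) {
            if (!isTrue(securityObject.getAnonymous())) {
                throw new UnauthorizedException();
            }
            return;
        }
        if (isTrue(securityObject.getAuthenticated())) {
            return;
        }
        if (isTrue(securityObject.getAnonymous())) {
            throw new AccessDeniedException();
        }
        boolean granted = checkAccessList(userContext, securityObject.getRoles(), permissionApi::hasRole)
                || checkAccessList(userContext, securityObject.getPermissions(), permissionApi::hasPermission)
                || checkAccessList(userContext, securityObject.getUsernames(), permissionApi::hasUsername);
        if (!granted) {
            throw new AccessDeniedException();
        }
    }

    /** Treats a {@code null} flag as {@code false}. */
    private static boolean isTrue(Boolean flag) {
        return flag != null && flag;
    }

    /**
     * Returns {@code true} if the user matches at least one entry of {@code set} according to
     * {@code biPredicate}; a {@code null} or empty set matches nobody.
     */
    private boolean checkAccessList(UserContext userContext, Set<String> set, BiPredicate<UserContext, String> biPredicate) {
        if (set == null) {
            return false;
        }
        for (String entry : set) {
            if (biPredicate.test(userContext, entry)) {
                return true;
            }
        }
        return false;
    }
}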
