package org.squashtest.tm.service.internal.security;

import jakarta.validation.constraints.NotNull;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import org.jooq.DSLContext;
import org.jooq.Select;
import org.jooq.TableField;
import org.springframework.context.annotation.Lazy;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.acls.domain.PermissionFactory;
import org.springframework.security.acls.model.Permission;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Propagation;
import org.springframework.transaction.annotation.Transactional;
import org.squashtest.tm.api.security.acls.Permissions;
import org.squashtest.tm.api.security.acls.Roles;
import org.squashtest.tm.aspect.validation.NotNullValidatorAspect;
import org.squashtest.tm.domain.project.Project;
import org.squashtest.tm.jooq.domain.Tables;
import org.squashtest.tm.jooq.domain.tables.records.AclClassRecord;
import org.squashtest.tm.jooq.domain.tables.records.AclGroupPermissionRecord;
import org.squashtest.tm.jooq.domain.tables.records.CoreUserRecord;
import org.squashtest.tm.service.internal.dto.AccessPermission;
import org.squashtest.tm.service.security.PermissionEvaluationService;
import org.squashtest.tm.service.security.SecurityCheckableObject;
import org.squashtest.tm.service.security.UserContextService;

@Transactional(readOnly = true)
@Service("squashtest.core.security.PermissionEvaluationService")
/* loaded from: input_file:WEB-INF/lib/tm.service-11.0.0.mr3649-SNAPSHOT.jar:org/squashtest/tm/service/internal/security/AclPermissionEvaluationService.class */
public class AclPermissionEvaluationService implements PermissionEvaluationService {
    private static final String ACCESS_IS_DENIED = "Access is denied";
    private final UserContextService userContextService;
    private final AffirmativeBasedCompositePermissionEvaluator permissionEvaluator;
    private final PermissionFactory permissionFactory;
    private final DSLContext dslContext;

    public AclPermissionEvaluationService(UserContextService userContextService, @Lazy AffirmativeBasedCompositePermissionEvaluator affirmativeBasedCompositePermissionEvaluator, PermissionFactory permissionFactory, DSLContext dSLContext) {
        this.userContextService = userContextService;
        this.permissionEvaluator = affirmativeBasedCompositePermissionEvaluator;
        this.permissionFactory = permissionFactory;
        this.dslContext = dSLContext;
    }

    private boolean hasRoleOrPermissionOnObject(String str, Permission permission, Object obj) {
        if (this.userContextService.hasRole(str)) {
            return true;
        }
        return this.permissionEvaluator.hasPermission(this.userContextService.getAuthentication(), obj, permission);
    }

    @Override // org.squashtest.tm.service.security.PermissionEvaluationService
    public boolean hasRoleOrPermissionOnObject(String str, String str2, Object obj) {
        return hasRoleOrPermissionOnObject(str, this.permissionFactory.buildFromName(str2), obj);
    }

    @Override // org.squashtest.tm.service.security.PermissionEvaluationService
    public boolean hasPermissionOnObject(String str, Object obj) {
        return this.permissionEvaluator.hasPermission(this.userContextService.getAuthentication(), obj, this.permissionFactory.buildFromName(str));
    }

    @Override // org.squashtest.tm.service.security.PermissionEvaluationService
    public void checkPermission(SecurityCheckableObject... securityCheckableObjectArr) {
        if (this.userContextService.hasRole(Roles.ROLE_ADMIN)) {
            return;
        }
        for (SecurityCheckableObject securityCheckableObject : securityCheckableObjectArr) {
            if (!hasPermissionOnObject(securityCheckableObject.getPermission(), securityCheckableObject.getObject())) {
                throw new AccessDeniedException(ACCESS_IS_DENIED);
            }
        }
    }

    @Override // org.squashtest.tm.service.security.PermissionEvaluationService
    public void checkPermission(List<Long> list, String str, String str2) {
        if (this.userContextService.hasRole(Roles.ROLE_ADMIN)) {
            return;
        }
        Iterator<Long> it = list.iterator();
        while (it.hasNext()) {
            if (!hasPermissionOnObject(str, it.next(), str2)) {
                throw new AccessDeniedException(ACCESS_IS_DENIED);
            }
        }
    }

    @Override // org.squashtest.tm.service.security.PermissionEvaluationService
    public void checkPermission(Collection<?> collection, String str) {
        if (this.userContextService.hasRole(Roles.ROLE_ADMIN)) {
            return;
        }
        Iterator<?> it = collection.iterator();
        while (it.hasNext()) {
            if (!hasPermissionOnObject(str, it.next())) {
                throw new AccessDeniedException(ACCESS_IS_DENIED);
            }
        }
    }

    @Override // org.squashtest.tm.service.security.PermissionEvaluationService
    public void checkAtLeastOneProjectManagementPermissionOrAdmin() {
        if (this.userContextService.hasRole(Roles.ROLE_ADMIN) || this.userContextService.hasRole(Roles.ROLE_INFRASTRUCTURE_ADMIN)) {
            return;
        }
        checkAtLeastOneProjectManagementPermissionOrAdmin(fetchPartyIdsFromLogin(this.userContextService.getUsername()));
    }

    @Override // org.squashtest.tm.service.security.PermissionEvaluationService
    public void checkAtLeastOneProjectImportPermissionOrAdmin() {
        if (this.userContextService.hasRole(Roles.ROLE_ADMIN)) {
            return;
        }
        checkHasAtLeastOneManagementPermission(fetchPartyIdsFromLogin(this.userContextService.getUsername()), Permissions.IMPORT);
    }

    @Override // org.squashtest.tm.service.security.PermissionEvaluationService
    public void checkAtLeastOneProjectManagementPermissionOrAdmin(List<Long> list) {
        if (this.userContextService.hasRole(Roles.ROLE_ADMIN)) {
            return;
        }
        checkHasAtLeastOneManagementPermission(list, Permissions.MANAGE_PROJECT);
    }

    @Override // org.squashtest.tm.service.security.PermissionEvaluationService
    public void checkAtLeastOneMilestoneManagementPermissionOrAdmin() {
        if (this.userContextService.hasRole(Roles.ROLE_ADMIN)) {
            return;
        }
        checkAtLeastOneMilestoneManagementPermissionOrAdmin(fetchPartyIdsFromLogin(this.userContextService.getUsername()));
    }

    @Override // org.squashtest.tm.service.security.PermissionEvaluationService
    public void checkAtLeastOneMilestoneManagementPermissionOrAdmin(List<Long> list) {
        if (this.userContextService.hasRole(Roles.ROLE_ADMIN)) {
            return;
        }
        checkHasAtLeastOneManagementPermission(list, Permissions.MANAGE_MILESTONE);
    }

    @Override // org.squashtest.tm.service.security.PermissionEvaluationService
    public void checkAtLeastOneClearanceManagementPermissionOrAdmin() {
        if (this.userContextService.hasRole(Roles.ROLE_ADMIN)) {
            return;
        }
        checkAtLeastOneClearanceManagementPermissionOrAdmin(fetchPartyIdsFromLogin(this.userContextService.getUsername()));
    }

    @Override // org.squashtest.tm.service.security.PermissionEvaluationService
    public void checkAtLeastOneClearanceManagementPermissionOrAdmin(List<Long> list) {
        if (this.userContextService.hasRole(Roles.ROLE_ADMIN)) {
            return;
        }
        checkHasAtLeastOneManagementPermission(list, Permissions.MANAGE_PROJECT_CLEARANCE);
    }

    @Override // org.squashtest.tm.service.security.PermissionEvaluationService
    public Set<AccessPermission> findAccessPermissions() {
        return findAccessPermissions(fetchPartyIdsFromLogin(this.userContextService.getUsername()));
    }

    @Override // org.squashtest.tm.service.security.PermissionEvaluationService
    public Set<AccessPermission> findAccessPermissions(List<Long> list) {
        Map fetchGroups = this.dslContext.select(Tables.ACL_GROUP_PERMISSION.ACL_GROUP_ID, Tables.ACL_GROUP_PERMISSION.PERMISSION_MASK).from(Tables.ACL_GROUP_PERMISSION).join(Tables.ACL_RESPONSIBILITY_SCOPE_ENTRY).on(Tables.ACL_RESPONSIBILITY_SCOPE_ENTRY.ACL_GROUP_ID.eq(Tables.ACL_GROUP_PERMISSION.ACL_GROUP_ID)).where(Tables.ACL_RESPONSIBILITY_SCOPE_ENTRY.PARTY_ID.in(list)).and(Tables.ACL_GROUP_PERMISSION.PERMISSION_MASK.in((Set) Arrays.stream(AccessPermission.valuesCustom()).map(accessPermission -> {
            return Integer.valueOf(accessPermission.getPermissionWithMask().getMask());
        }).collect(Collectors.toUnmodifiableSet()))).groupBy(Tables.ACL_GROUP_PERMISSION.ACL_GROUP_ID, Tables.ACL_GROUP_PERMISSION.PERMISSION_MASK).fetchGroups(Tables.ACL_GROUP_PERMISSION.ACL_GROUP_ID, Tables.ACL_GROUP_PERMISSION.PERMISSION_MASK);
        return fetchGroups.isEmpty() ? Collections.emptySet() : fetchGroups.values().stream().allMatch(list2 -> {
            return list2.contains(Integer.valueOf(Permissions.WRITE_AS_AUTOMATION.getMask())) && !list2.contains(Integer.valueOf(Permissions.WRITE_AS_FUNCTIONAL.getMask()));
        }) ? Collections.singleton(AccessPermission.WRITE_AS_AUTOMATION) : (Set) fetchGroups.values().stream().flatMap((v0) -> {
            return v0.stream();
        }).map((v0) -> {
            return AccessPermission.findByMask(v0);
        }).collect(Collectors.toSet());
    }

    @Override // org.squashtest.tm.service.security.PermissionEvaluationService
    public boolean hasRoleOrPermissionOnObject(String str, String str2, Long l, String str3) {
        if (this.userContextService.hasRole(str)) {
            return true;
        }
        return hasPermissionOnObject(str2, l, str3);
    }

    @Override // org.squashtest.tm.service.security.PermissionEvaluationService
    public boolean hasRoleOrPermissionOnObject(String[] strArr, String str, Long l, String str2) {
        for (String str3 : strArr) {
            if (this.userContextService.hasRole(str3)) {
                return true;
            }
        }
        return hasPermissionOnObject(str, l, str2);
    }

    @Override // org.squashtest.tm.service.security.PermissionEvaluationService
    public boolean canRead(Object obj) {
        return hasRoleOrPermissionOnObject(Roles.ROLE_ADMIN, "READ", obj);
    }

    @Override // org.squashtest.tm.service.security.PermissionEvaluationService
    @Transactional(propagation = Propagation.SUPPORTS)
    public boolean hasRole(String str) {
        return this.userContextService.hasRole(str);
    }

    @Override // org.squashtest.tm.service.security.PermissionEvaluationService
    public boolean hasMoreThanRead(Object obj) {
        boolean findPermission;
        if (this.userContextService.hasRole(Roles.ROLE_ADMIN)) {
            findPermission = true;
        } else {
            findPermission = findPermission(Permissions.getAllPermissionNames(), obj, this.userContextService.getAuthentication());
        }
        return findPermission;
    }

    boolean findPermission(Set<String> set, Object obj, Authentication authentication) {
        for (String str : set) {
            try {
                if (!Permissions.READ.name().equals(str) && this.permissionEvaluator.hasPermission(authentication, obj, str)) {
                    return true;
                }
            } catch (IllegalArgumentException e) {
                if (!Arrays.asList("Unknown permission 'RESERVED_ON'", "Unknown permission 'RESERVED_OFF'", "Unknown permission 'THIRTY_TWO_RESERVED_OFF'").contains(e.getMessage())) {
                    throw e;
                }
            }
        }
        return false;
    }

    @Override // org.squashtest.tm.service.security.PermissionEvaluationService
    public boolean hasPermissionOnObject(String str, Long l, String str2) {
        return this.permissionEvaluator.hasPermission(this.userContextService.getAuthentication(), l, str2, this.permissionFactory.buildFromName(str));
    }

    @Override // org.squashtest.tm.service.security.PermissionEvaluationService
    public Map<String, Boolean> hasRoleOrPermissionsOnObject(String str, String[] strArr, Object obj) {
        boolean hasRole = this.userContextService.hasRole(str);
        HashMap hashMap = new HashMap(strArr.length);
        for (String str2 : strArr) {
            hashMap.put(str2, Boolean.valueOf(hasRole || hasPermissionOnObject(str2, obj)));
        }
        return hashMap;
    }

    @Override // org.squashtest.tm.service.security.PermissionEvaluationService
    public Collection<String> permissionsOn(@NotNull String str, long j) {
        NotNullValidatorAspect.aspectOf().ajc$before$org_squashtest_tm_aspect_validation_NotNullValidatorAspect$1$53d01289(str);
        ArrayList arrayList = new ArrayList();
        Set<String> allPermissionNames = Permissions.getAllPermissionNames();
        if (this.userContextService.hasRole(Roles.ROLE_ADMIN)) {
            return allPermissionNames;
        }
        for (String str2 : allPermissionNames) {
            if (hasPermissionOnObject(str2, Long.valueOf(j), str)) {
                arrayList.add(str2);
            }
        }
        return arrayList;
    }

    private void checkHasAtLeastOneManagementPermission(List<Long> list, Permissions permissions) {
        if (!this.dslContext.fetchExists(this.dslContext.select(Tables.ACL_RESPONSIBILITY_SCOPE_ENTRY.ID).from(Tables.ACL_RESPONSIBILITY_SCOPE_ENTRY).join(Tables.ACL_GROUP_PERMISSION).on(Tables.ACL_RESPONSIBILITY_SCOPE_ENTRY.ACL_GROUP_ID.eq(Tables.ACL_GROUP_PERMISSION.ACL_GROUP_ID)).join(Tables.ACL_CLASS).on(Tables.ACL_GROUP_PERMISSION.CLASS_ID.eq(Tables.ACL_CLASS.ID)).where(Tables.ACL_RESPONSIBILITY_SCOPE_ENTRY.PARTY_ID.in(list)).and(Tables.ACL_GROUP_PERMISSION.PERMISSION_MASK.eq((TableField<AclGroupPermissionRecord, Integer>) Integer.valueOf(permissions.getMask()))).and(Tables.ACL_CLASS.CLASSNAME.eq((TableField<AclClassRecord, String>) Project.class.getName())))) {
            throw new AccessDeniedException("Only users with management rights can perform this action");
        }
    }

    private List<Long> fetchPartyIdsFromLogin(String str) {
        return this.dslContext.select(Tables.CORE_USER.PARTY_ID).from(Tables.CORE_USER).where(Tables.CORE_USER.LOGIN.eq((TableField<CoreUserRecord, String>) str)).union((Select) this.dslContext.select(Tables.CORE_TEAM_MEMBER.TEAM_ID).from(Tables.CORE_TEAM_MEMBER).join(Tables.CORE_USER).on(Tables.CORE_TEAM_MEMBER.USER_ID.eq(Tables.CORE_USER.PARTY_ID)).where(Tables.CORE_USER.LOGIN.eq((TableField<CoreUserRecord, String>) str))).fetchInto(Long.class);
    }
}
