package org.apache.directory.fortress.core.impl;

import java.io.Serializable;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.directory.fortress.annotation.AdminPermissionOperation;
import org.apache.directory.fortress.core.DelAccessMgr;
import org.apache.directory.fortress.core.GlobalErrIds;
import org.apache.directory.fortress.core.SecurityException;
import org.apache.directory.fortress.core.model.PermObj;
import org.apache.directory.fortress.core.model.Permission;
import org.apache.directory.fortress.core.model.Role;
import org.apache.directory.fortress.core.model.Session;
import org.apache.directory.fortress.core.model.User;
import org.apache.directory.fortress.core.model.UserAdminRole;
import org.apache.directory.fortress.core.util.Config;
import org.apache.directory.fortress.core.util.VUtil;

/* loaded from: input_file:WEB-INF/lib/fortress-core-3.0.1.jar:org/apache/directory/fortress/core/impl/DelAccessMgrImpl.class */
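/**
 * Delegated-administration access manager: decides whether the administrator bound to a
 * {@link Session} may perform an administrative operation on a target user, role or
 * permission.
 * <p>
 * Every decision is derived from the {@link UserAdminRole}s that are <em>activated</em> in
 * the session. The configured super-admin role is allowed everything. Any other admin role
 * is allowed only when the target lies inside the role's OU scope (the role's user-OU or
 * permission-OU set, expanded to include all descendant OUs) and, for role-related checks,
 * inside the role's configured role range. The service-admin role bypasses the range check
 * but not the OU check.
 * <p>
 * All checks fail closed: a session without activated admin roles, or a target that is
 * not covered by any activated role, yields {@code false}. Role names are compared
 * case-insensitively throughout. Thread-safety is whatever {@code AccessMgrImpl} provides
 * and is not asserted here.
 */
public class DelAccessMgrImpl extends AccessMgrImpl implements DelAccessMgr, Serializable {
    private final String CLS_NM = DelAccessMgrImpl.class.getName();
    private final UserP userP = new UserP();
    private final PermP permP = new PermP();
    // Names of the roles that carry blanket delegated-admin authority. Resolved once, at
    // construction, so a later change to the configuration does not affect this instance.
    private final String SUPER_ADMIN = Config.getInstance().getProperty("superadmin.role", "fortress-core-super-admin");
    private final String REST_ADMIN = Config.getInstance().getProperty("serviceadmin.role", "fortress-rest-admin");

    /**
     * Returns whether the administrator in {@code session} may assign {@code role} to {@code user}.
     * The target user's OU is read from the directory entry, not taken from the argument.
     *
     * @param session the administrator's session, carrying the activated admin roles
     * @param user    the target user (identifies the directory entry to read)
     * @param role    the role to be assigned
     * @return {@code true} if a super-admin role is active, or an active admin role covers both
     *         the user's OU and the role; {@code false} otherwise
     * @throws SecurityException if an argument is {@code null} or the target user cannot be read
     */
    @Override
    public boolean canAssign(Session session, User user, Role role) throws SecurityException {
        assertContext(this.CLS_NM, "canAssign", session, GlobalErrIds.USER_SESS_NULL);
        assertContext(this.CLS_NM, "canAssign", user, GlobalErrIds.USER_NULL);
        assertContext(this.CLS_NM, "canAssign", role, GlobalErrIds.ROLE_NULL);
        return checkUserRole(session, user, role);
    }

    /**
     * Returns whether the administrator in {@code session} may remove {@code role} from
     * {@code user}. Same decision rule as {@link #canAssign}.
     *
     * @param session the administrator's session, carrying the activated admin roles
     * @param user    the target user (identifies the directory entry to read)
     * @param role    the role to be removed
     * @return {@code true} if the session is authorized for the user/role pair
     * @throws SecurityException if an argument is {@code null} or the target user cannot be read
     */
    @Override
    public boolean canDeassign(Session session, User user, Role role) throws SecurityException {
        assertContext(this.CLS_NM, "canDeassign", session, GlobalErrIds.USER_SESS_NULL);
        assertContext(this.CLS_NM, "canDeassign", user, GlobalErrIds.USER_NULL);
        assertContext(this.CLS_NM, "canDeassign", role, GlobalErrIds.ROLE_NULL);
        return checkUserRole(session, user, role);
    }

    /**
     * Returns whether the administrator in {@code session} may grant {@code permission} to
     * {@code role}. The permission object's OU is read from the stored {@link PermObj}, not
     * taken from the argument.
     *
     * @param session    the administrator's session, carrying the activated admin roles
     * @param role       the role that would receive the permission
     * @param permission the permission to be granted; only its object name is used
     * @return {@code true} if a super-admin role is active, or an active admin role covers both
     *         the permission object's OU and the role; {@code false} otherwise
     * @throws SecurityException if an argument is {@code null} or the permission object cannot be read
     */
    @Override
    public boolean canGrant(Session session, Role role, Permission permission) throws SecurityException {
        assertContext(this.CLS_NM, "canGrant", session, GlobalErrIds.USER_SESS_NULL);
        assertContext(this.CLS_NM, "canGrant", permission, GlobalErrIds.PERM_OBJECT_NULL);
        assertContext(this.CLS_NM, "canGrant", role, GlobalErrIds.ROLE_NULL);
        return checkRolePermission(session, role, permission);
    }

    /**
     * Returns whether the administrator in {@code session} may revoke {@code permission} from
     * {@code role}. Same decision rule as {@link #canGrant}.
     *
     * @param session    the administrator's session, carrying the activated admin roles
     * @param role       the role that would lose the permission
     * @param permission the permission to be revoked; only its object name is used
     * @return {@code true} if the session is authorized for the role/permission pair
     * @throws SecurityException if an argument is {@code null} or the permission object cannot be read
     */
    @Override
    public boolean canRevoke(Session session, Role role, Permission permission) throws SecurityException {
        assertContext(this.CLS_NM, "canRevoke", session, GlobalErrIds.USER_SESS_NULL);
        assertContext(this.CLS_NM, "canRevoke", permission, GlobalErrIds.PERM_OBJECT_NULL);
        assertContext(this.CLS_NM, "canRevoke", role, GlobalErrIds.ROLE_NULL);
        return checkRolePermission(session, role, permission);
    }

    /**
     * Returns whether the administrator in {@code session} may create {@code user}.
     * Because the user does not exist yet, the OU supplied on the argument is the one
     * checked against the session's admin-role scopes, so it is required to be present.
     *
     * @param session the administrator's session, carrying the activated admin roles
     * @param user    the user to be created; {@code user.getOu()} must be non-empty
     * @return {@code true} if a super-admin role is active or an active admin role's user-OU
     *         scope contains the supplied OU; {@code false} otherwise
     * @throws SecurityException if an argument is {@code null} or the user's OU is missing
     */
    @Override
    public boolean canAdd(Session session, User user) throws SecurityException {
        // Error context labels previously read "canAssign" here; they now name this method.
        assertContext(this.CLS_NM, "canAdd", session, GlobalErrIds.USER_SESS_NULL);
        assertContext(this.CLS_NM, "canAdd", user, GlobalErrIds.USER_NULL);
        VUtil.assertNotNullOrEmpty(user.getOu(), GlobalErrIds.USER_OU_NULL, "canAdd");
        return checkUser(session, user, true);
    }

    /**
     * Returns whether the administrator in {@code session} may modify {@code user}.
     * The OU checked is the one on the stored directory entry, not the one on the argument.
     *
     * @param session the administrator's session, carrying the activated admin roles
     * @param user    the user to be modified (identifies the directory entry to read)
     * @return {@code true} if a super-admin role is active or an active admin role's user-OU
     *         scope contains the stored user's OU; {@code false} otherwise
     * @throws SecurityException if an argument is {@code null} or the target user cannot be read
     */
    @Override
    public boolean canEdit(Session session, User user) throws SecurityException {
        // Error context labels previously read "canAssign" here; they now name this method.
        assertContext(this.CLS_NM, "canEdit", session, GlobalErrIds.USER_SESS_NULL);
        assertContext(this.CLS_NM, "canEdit", user, GlobalErrIds.USER_NULL);
        return checkUser(session, user, false);
    }

    /**
     * Checks an <em>administrative</em> permission against the session. The permission is
     * flagged as admin before delegating to {@code AccessMgrImpl.checkAccess}; note that this
     * mutates the caller's {@code permission} instance.
     *
     * @param session    the administrator's session
     * @param permission the permission to test; operation and object names must be non-empty
     * @return the result of the inherited access check with the admin flag set
     * @throws SecurityException if an argument is {@code null} or a required permission field is empty
     */
    @Override
    public boolean checkAccess(Session session, Permission permission) throws SecurityException {
        assertContext(this.CLS_NM, "checkAccess", permission, GlobalErrIds.PERM_NULL);
        VUtil.assertNotNullOrEmpty(permission.getOpName(), GlobalErrIds.PERM_OPERATION_NULL, "checkAccess");
        VUtil.assertNotNullOrEmpty(permission.getObjName(), GlobalErrIds.PERM_OBJECT_NULL, "checkAccess");
        assertContext(this.CLS_NM, "checkAccess", session, GlobalErrIds.USER_SESS_NULL);
        permission.setAdmin(true);
        return super.checkAccess(session, permission);
    }

    /**
     * Activates an admin role in the session. The role must not already be active, and it
     * must be among the admin roles assigned to the user in the directory (the assignment is
     * re-read from the directory rather than trusted from the session). Dynamic separation
     * of duty constraints are validated before activation, and the role placed in the session
     * is the stored assignment (with its constraints), not the caller-supplied instance.
     *
     * @param session       the session to activate the role in
     * @param userAdminRole the admin role to activate; its user id is overwritten with the session's
     * @throws SecurityException with {@code ARLE_ALREADY_ACTIVE} if already active,
     *                           {@code ARLE_ACTIVATE_FAILED} if not assigned to the user,
     *                           or if a DSD constraint is violated
     */
    @Override
    public void addActiveRole(Session session, UserAdminRole userAdminRole) throws SecurityException {
        assertContext(this.CLS_NM, "addActiveRole", session, GlobalErrIds.USER_SESS_NULL);
        assertContext(this.CLS_NM, "addActiveRole", userAdminRole, GlobalErrIds.ARLE_NULL);
        userAdminRole.setUserId(session.getUserId());
        List<UserAdminRole> activeRoles = session.getAdminRoles();
        if (activeRoles != null && activeRoles.contains(userAdminRole)) {
            throw new SecurityException(GlobalErrIds.ARLE_ALREADY_ACTIVE, getFullMethodName(this.CLS_NM, "addActiveRole") + " User [" + session.getUserId() + "] Role [" + userAdminRole.getName() + "] role already activated.");
        }
        // Authoritative assignment comes from the directory, not from the session.
        List<UserAdminRole> assignedRoles = this.userP.read(session.getUser(), true).getAdminRoles();
        int assignedIdx = CollectionUtils.isNotEmpty(assignedRoles) ? assignedRoles.indexOf(userAdminRole) : -1;
        if (assignedIdx == -1) {
            throw new SecurityException(GlobalErrIds.ARLE_ACTIVATE_FAILED, getFullMethodName(this.CLS_NM, "addActiveRole") + " Admin Role [" + userAdminRole.getName() + "] User [" + session.getUserId() + "] adminRole not authorized for user.");
        }
        SDUtil.getInstance().validateDSD(session, userAdminRole);
        session.setRole(assignedRoles.get(assignedIdx));
    }

    /**
     * Deactivates an admin role that is currently active in the session.
     *
     * @param session       the session to remove the role from
     * @param userAdminRole the admin role to deactivate; its user id is overwritten with the session's
     * @throws SecurityException with {@code ARLE_DEACTIVE_FAILED} if the session has no admin
     *                           role list, or {@code ARLE_NOT_ACTIVE} if the role is not active
     */
    @Override
    public void dropActiveRole(Session session, UserAdminRole userAdminRole) throws SecurityException {
        assertContext(this.CLS_NM, "dropActiveRole", session, GlobalErrIds.USER_SESS_NULL);
        assertContext(this.CLS_NM, "dropActiveRole", userAdminRole, GlobalErrIds.ARLE_NULL);
        userAdminRole.setUserId(session.getUserId());
        List<UserAdminRole> activeRoles = session.getAdminRoles();
        VUtil.assertNotNull(activeRoles, GlobalErrIds.ARLE_DEACTIVE_FAILED, "dropActiveRole");
        if (!activeRoles.contains(userAdminRole)) {
            throw new SecurityException(GlobalErrIds.ARLE_NOT_ACTIVE, "dropActiveRole" + " Admin Role [" + userAdminRole.getName() + "] User [" + session.getUserId() + "], not previously activated");
        }
        activeRoles.remove(userAdminRole);
    }

    /**
     * Returns the admin roles currently active in the session.
     *
     * @param session the session to inspect
     * @return the session's active admin roles (may be {@code null} if none were ever activated)
     * @throws SecurityException if {@code session} is {@code null}
     */
    @Override
    @AdminPermissionOperation
    public List<UserAdminRole> sessionAdminRoles(Session session) throws SecurityException {
        VUtil.assertNotNull(session, GlobalErrIds.USER_SESS_NULL, this.CLS_NM + ".sessionAdminRoles");
        setEntitySession(this.CLS_NM, "sessionAdminRoles", session);
        return session.getAdminRoles();
    }

    /**
     * Returns the names of all admin roles the session is authorized for: the active admin
     * roles plus every role inherited from them through the admin-role hierarchy.
     *
     * @param session the session to inspect; must carry a user
     * @return the set of authorized admin role names
     * @throws SecurityException if the session or its user is {@code null}
     */
    @Override
    @AdminPermissionOperation
    public Set<String> authorizedAdminRoles(Session session) throws SecurityException {
        assertContext(this.CLS_NM, "authorizedAdminRoles", session, GlobalErrIds.USER_SESS_NULL);
        assertContext(this.CLS_NM, "authorizedAdminRoles", session.getUser(), GlobalErrIds.USER_NULL);
        setEntitySession(this.CLS_NM, "authorizedAdminRoles", session);
        return AdminRoleUtil.getInheritedRoles(session.getAdminRoles(), this.contextId);
    }

    /**
     * Returns the administrative permissions available to the session, after validating
     * the session's user and role temporal constraints.
     *
     * @param session the session to inspect
     * @return the admin permissions found for the session
     * @throws SecurityException if {@code session} is {@code null} or a constraint check fails
     */
    @Override
    @AdminPermissionOperation
    public List<Permission> sessionPermissions(Session session) throws SecurityException {
        assertContext(this.CLS_NM, "sessionPermissions", session, GlobalErrIds.USER_SESS_NULL);
        VUtil.getInstance().validateConstraints(session, VUtil.ConstraintType.USER, false);
        VUtil.getInstance().validateConstraints(session, VUtil.ConstraintType.ROLE, false);
        setEntitySession(this.CLS_NM, "sessionPermissions", session);
        return this.permP.search(session, true);
    }

    /**
     * Decides whether the session may add or edit a user, based purely on user-OU scope.
     *
     * @param session the administrator's session
     * @param user    the target user
     * @param isAdd   {@code true} when the user does not exist yet (use the supplied OU);
     *                {@code false} to read the stored entry and use its OU instead
     * @return {@code true} if a super-admin role is active or any active admin role's user-OU
     *         scope contains the target's OU
     * @throws SecurityException if the stored user cannot be read
     */
    private boolean checkUser(Session session, User user, boolean isAdd) throws SecurityException {
        List<UserAdminRole> adminRoles = session.getAdminRoles();
        if (CollectionUtils.isEmpty(adminRoles)) {
            return false;
        }
        // The read happens before any role is examined, so a missing target fails the call
        // even for a super admin (behaviour preserved from the original).
        User target = isAdd ? user : this.userP.read(user, false);
        for (UserAdminRole adminRole : adminRoles) {
            if (isSuperAdmin(adminRole) || inOuScope(adminRole.getOsUSet(), target.getOu(), true)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Decides whether the session may assign/deassign {@code role} to/from {@code user}:
     * the stored user's OU must be in an active admin role's user-OU scope, and that same
     * admin role must either be the service-admin role or have {@code role} in its range.
     *
     * @param session the administrator's session
     * @param user    the target user; its directory entry is read
     * @param role    the role being assigned or removed
     * @return {@code true} if authorized, {@code false} otherwise
     * @throws SecurityException if the stored user cannot be read
     */
    private boolean checkUserRole(Session session, User user, Role role) throws SecurityException {
        List<UserAdminRole> adminRoles = session.getAdminRoles();
        if (CollectionUtils.isEmpty(adminRoles)) {
            return false;
        }
        // OU comes from the directory entry, never from the caller-supplied user.
        User target = this.userP.read(user, false);
        for (UserAdminRole adminRole : adminRoles) {
            if (isSuperAdmin(adminRole)) {
                return true;
            }
            if (!inOuScope(adminRole.getOsUSet(), target.getOu(), true)) {
                continue;
            }
            if (isRestAdmin(adminRole) || roleInRange(adminRole, role)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Decides whether the session may grant/revoke {@code permission} to/from {@code role}:
     * the stored permission object's OU must be in an active admin role's permission-OU
     * scope, and that same admin role must either be the service-admin role or have
     * {@code role} in its range.
     *
     * @param session    the administrator's session
     * @param role       the role being granted or revoked
     * @param permission the permission; only {@code getObjName()} is used to look up the stored object
     * @return {@code true} if authorized, {@code false} otherwise
     * @throws SecurityException if the stored permission object cannot be read
     */
    private boolean checkRolePermission(Session session, Role role, Permission permission) throws SecurityException {
        List<UserAdminRole> adminRoles = session.getAdminRoles();
        if (CollectionUtils.isEmpty(adminRoles)) {
            return false;
        }
        // OU comes from the stored PermObj, never from the caller-supplied permission.
        PermObj lookup = new PermObj(permission.getObjName());
        lookup.setContextId(this.contextId);
        PermObj stored = this.permP.read(lookup);
        for (UserAdminRole adminRole : adminRoles) {
            if (isSuperAdmin(adminRole)) {
                return true;
            }
            if (!inOuScope(adminRole.getOsPSet(), stored.getOu(), false)) {
                continue;
            }
            if (isRestAdmin(adminRole) || roleInRange(adminRole, role)) {
                return true;
            }
        }
        return false;
    }

    /** Case-insensitive match against the configured super-admin role name. */
    private boolean isSuperAdmin(UserAdminRole adminRole) {
        return adminRole.getName().equalsIgnoreCase(this.SUPER_ADMIN);
    }

    /** Case-insensitive match against the configured service-admin role name. */
    private boolean isRestAdmin(UserAdminRole adminRole) {
        return adminRole.getName().equalsIgnoreCase(this.REST_ADMIN);
    }

    /**
     * Tests whether {@code ou} falls within an admin role's OU scope: one of the listed OUs
     * or any of their descendants, compared case-insensitively.
     *
     * @param osSet   the admin role's user-OU or permission-OU set
     * @param ou      the target OU; {@code null} is never in scope
     * @param userOus {@code true} to expand through the user-OU hierarchy, {@code false} for permission OUs
     * @return {@code true} if the OU is in scope
     * @throws SecurityException if the OU hierarchy cannot be consulted
     */
    private boolean inOuScope(Set<String> osSet, String ou, boolean userOus) throws SecurityException {
        // An empty set governs nothing. A null target OU is rejected explicitly: the
        // case-insensitive TreeSet would otherwise throw on a null lookup.
        if (CollectionUtils.isEmpty(osSet) || ou == null) {
            return false;
        }
        return expandOuScope(osSet, userOus).contains(ou);
    }

    /**
     * Expands an OU set into every listed OU plus all of its descendants, as a
     * case-insensitive set.
     *
     * @param osSet   the OUs named on the admin role; must be non-empty
     * @param userOus {@code true} to walk {@code UsoUtil}, {@code false} to walk {@code PsoUtil}
     * @return the expanded OU set
     * @throws SecurityException if the hierarchy lookup fails
     */
    private TreeSet<String> expandOuScope(Set<String> osSet, boolean userOus) throws SecurityException {
        TreeSet<String> scope = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
        for (String ou : osSet) {
            scope.add(ou);
            if (userOus) {
                scope.addAll(UsoUtil.getInstance().getDescendants(ou, this.contextId));
            } else {
                scope.addAll(PsoUtil.getInstance().getDescendants(ou, this.contextId));
            }
        }
        return scope;
    }

    /**
     * Tests whether {@code role} lies within the admin role's configured role range.
     * With distinct begin and end, the range is resolved through {@code RoleUtil.getAscendants}
     * (begin added when begin-inclusive); with no end or begin equal to end, only an exact
     * case-insensitive match on the begin role counts.
     *
     * @param adminRole the admin role whose range is consulted
     * @param role      the role being assigned, removed, granted or revoked
     * @return {@code true} if the role is inside the range
     * @throws SecurityException if the role hierarchy cannot be consulted
     */
    private boolean roleInRange(UserAdminRole adminRole, Role role) throws SecurityException {
        String begin = adminRole.getBeginRange();
        String end = adminRole.getEndRange();
        if (begin != null && end != null && !begin.equalsIgnoreCase(end)) {
            Set<String> ascendants = RoleUtil.getInstance().getAscendants(begin, end, adminRole.isEndInclusive(), this.contextId);
            if (adminRole.isBeginInclusive()) {
                ascendants.add(begin);
            }
            return CollectionUtils.isNotEmpty(ascendants) && ascendants.contains(role.getName());
        }
        return begin != null && begin.equalsIgnoreCase(role.getName());
    }
}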
