package fi.oph.kouta.service;

import fi.oph.kouta.domain.Koulutustyyppi;
import fi.oph.kouta.domain.oid.OrganisaatioOid;
import fi.oph.kouta.domain.oid.RootOrganisaatioOid$;
import fi.oph.kouta.logging.Logging;
import fi.oph.kouta.security.Authorizable;
import fi.oph.kouta.security.Role;
import fi.oph.kouta.security.Role$Indexer$;
import fi.oph.kouta.servlet.Authenticated;
import scala.Function0;
import scala.Function1;
import scala.MatchError;
import scala.Option;
import scala.Predef$;
import scala.Some;
import scala.Tuple2;
import scala.Tuple4;
import scala.collection.Iterable;
import scala.collection.IterableView;
import scala.collection.IterableView$;
import scala.collection.Seq;
import scala.collection.SetLike;
import scala.collection.generic.GenericTraversableTemplate;
import scala.collection.immutable.C$colon$colon;
import scala.collection.immutable.Nil$;
import scala.collection.immutable.Set;
import scala.collection.immutable.Set$;
import scala.reflect.ScalaSignature;
import scala.runtime.BoxesRunTime;

/* compiled from: AuthorizationService.scala */
@ScalaSignature(bytes = "\u0006\u0001\u0005]ga\u0002\b\u0010!\u0003\r\t\u0001\u0007\u0005\u0006K\u0001!\tA\n\u0005\u0006U\u00011\ta\u000b\u0005\ta\u0001A)\u0019!C\tc!)A\t\u0001C\u0001\u000b\")1\u000e\u0001C\u0001Y\"9\u0011q\u0001\u0001\u0005\u0002\u0005%\u0001bBA \u0001\u0011\u0005\u0011\u0011\t\u0005\b\u0003/\u0002A\u0011AA-\u0011\u001d\ty\u0007\u0001C\u0001\u0003cBq!a\"\u0001\t#\tI\tC\u0004\u0002,\u0002!\t\"!,\t\u000f\u0005E\u0006\u0001\"\u0001\u00024\"9\u0011\u0011\u0019\u0001\u0005\u0002\u0005\r'\u0001F!vi\"|'/\u001b>bi&|gnU3sm&\u001cWM\u0003\u0002\u0011#\u000591/\u001a:wS\u000e,'B\u0001\n\u0014\u0003\u0015Yw.\u001e;b\u0015\t!R#A\u0002pa\"T\u0011AF\u0001\u0003M&\u001c\u0001aE\u0002\u00013}\u0001\"AG\u000f\u000e\u0003mQ\u0011\u0001H\u0001\u0006g\u000e\fG.Y\u0005\u0003=m\u0011a!\u00118z%\u00164\u0007C\u0001\u0011$\u001b\u0005\t#B\u0001\u0012\u0012\u0003\u001dawnZ4j]\u001eL!\u0001J\u0011\u0003\u000f1{wmZ5oO\u00061A%\u001b8ji\u0012\"\u0012a\n\t\u00035!J!!K\u000e\u0003\tUs\u0017\u000e^\u0001\u0014_J<\u0017M\\5tC\u0006$\u0018n\\*feZL7-Z\u000b\u0002YA\u0011QFL\u0007\u0002\u001f%\u0011qf\u0004\u0002\u0014\u001fJ<\u0017M\\5tC\u0006$\u0018n\\*feZL7-Z\u0001\rS:$W\r_3s%>dWm]\u000b\u0002eA\u00191g\u000f \u000f\u0005QJdBA\u001b9\u001b\u00051$BA\u001c\u0018\u0003\u0019a$o\\8u}%\tA$\u0003\u0002;7\u00059\u0001/Y2lC\u001e,\u0017B\u0001\u001f>\u0005\r\u0019V-\u001d\u0006\u0003um\u0001\"a\u0010\"\u000e\u0003\u0001S!!Q\t\u0002\u0011M,7-\u001e:jifL!a\u0011!\u0003\tI{G.Z\u0001\rS\u001a\fU\u000f\u001e5pe&TX\rZ\u000b\u0003\r.#2aR1g)\tAE\f\u0006\u0002J)B\u0011!j\u0013\u0007\u0001\t\u0015aEA1\u0001N\u0005\u0005\u0011\u0016C\u0001(R!\tQr*\u0003\u0002Q7\t9aj\u001c;iS:<\u0007C\u0001\u000eS\u0013\t\u00196DA\u0002B]fDQ!\u0016\u0003A\u0004Y\u000bQ\"Y;uQ\u0016tG/[2bi\u0016$\u0007CA,[\u001b\u0005A&BA-\u0012\u0003\u001d\u0019XM\u001d<mKRL!a\u0017-\u0003\u001b\u0005+H\u000f[3oi&\u001c\u0017\r^3e\u0011\u0019iF\u0001\"a\u0001=\u0006\ta\rE\u0002\u001b?&K!\u0001Y\u000e\u0003\u0011q\u0012\u0017P\\1nKzBQA\u0019\u0003A\u0002\r\fA\"Y;uQ>\u0014\u0018N_1cY\u0016\u0004\"a\u00103\n\u0005\u0015\u0004%\u0001D!vi\"|'/\u001b>bE2,\u0007\"B4\u0005\u0001\u0004A\u0017AE1vi\"|'/\u001b>bi&|gNU;mKN\u0004\"!L5\n\u0005)|!AE!vi\"|'/\u001b>bi&|gNU;mKN\f1e^5uQ\u0006+H\u000f[8sSj,Gm\u00115jY\u0012|%oZ1oSj\fG/[8o\u001f&$7/\u0006\u0002ncR)a.!\u0001\u0002\u0004Q\u0011qn\u001d\u000b\u0003aJ\u0004\"AS9\u0005\u000b1+!\u0019A'\t\u000bU+\u00019\u0001,\t\u000bu+\u0001\u0019\u0001;\u0011\ti)x\u000f]\u0005\u0003mn\u0011\u0011BR;oGRLwN\\\u0019\u0011\u0007MZ\u0004\u0010\u0005\u0002z}6\t!P\u0003\u0002|y\u0006\u0019q.\u001b3\u000b\u0005u\f\u0012A\u00023p[\u0006Lg.\u0003\u0002��u\nyqJ]4b]&\u001c\u0018-\u0019;j_>KG\rC\u0003|\u000b\u0001\u0007\u0001\u0010\u0003\u0004\u0002\u0006\u0015\u0001\rAM\u0001\u0006e>dWm]\u00017o&$\b.Q;uQ>\u0014\u0018N_3e\u0007\"LG\u000eZ(sO\u0006t\u0017N_1uS>tw*\u001b3t\u0003:$w\n\u001d9jY\u0006LGo\\:usf\u0004\u0018\u000e^\u000b\u0005\u0003\u0017\t\u0019\u0002\u0006\u0004\u0002\u000e\u0005m\u0012Q\b\u000b\u0005\u0003\u001f\t9\u0002\u0006\u0003\u0002\u0012\u0005U\u0001c\u0001&\u0002\u0014\u0011)AJ\u0002b\u0001\u001b\")QK\u0002a\u0002-\"1QL\u0002a\u0001\u00033\u0001bAG;\u0002\u001c\u0005E\u0001\u0003BA\u000f\u0003kqA!a\b\u000229!\u0011\u0011EA\u0017\u001d\u0011\t\u0019#a\u000b\u000f\t\u0005\u0015\u0012\u0011\u0006\b\u0004k\u0005\u001d\u0012\"\u0001\f\n\u0005Q)\u0012B\u0001\n\u0014\u0013\r\ty#E\u0001\u0007G2LWM\u001c;\n\u0007i\n\u0019DC\u0002\u00020EIA!a\u000e\u0002:\t9sJ]4b]&\u001c\u0018-\u0019;j_>KGm]!oI>\u0003\b/\u001b7bSR|7\u000f^=za&$h\t\\1u\u0015\rQ\u00141\u0007\u0005\u0006w\u001a\u0001\r\u0001\u001f\u0005\u0007\u0003\u000b1\u0001\u0019\u0001\u001a\u0002c]LG\u000f[!vi\"|'/\u001b>fI>\u0013x-\u00198ju\u0006$\u0018n\u001c8PS\u0012\u001c\u0018I\u001c3PaBLG.Y5u_N$\u00180\u001f9jiV!\u00111IA&)\u0019\t)%a\u0015\u0002VQ!\u0011qIA()\u0011\tI%!\u0014\u0011\u0007)\u000bY\u0005B\u0003M\u000f\t\u0007Q\nC\u0003V\u000f\u0001\u000fa\u000b\u0003\u0004^\u000f\u0001\u0007\u0011\u0011\u000b\t\u00075U\fY\"!\u0013\t\u000bm<\u0001\u0019\u0001=\t\u000b\u001d<\u0001\u0019\u00015\u0002q]LG\u000f[!vi\"|'/\u001b>fI>\u0013x-\u00198ju\u0006$\u0018n\u001c8PS\u0012\u001c\u0018I\u001c3SK2,g/\u00198u\u0017>,H.\u001e;vgRL\u0018\u0010\u001d9jgV!\u00111LA2)\u0019\ti&a\u001b\u0002nQ!\u0011qLA4)\u0011\t\t'!\u001a\u0011\u0007)\u000b\u0019\u0007B\u0003M\u0011\t\u0007Q\nC\u0003V\u0011\u0001\u000fa\u000b\u0003\u0004^\u0011\u0001\u0007\u0011\u0011\u000e\t\u00075U\fY\"!\u0019\t\u000bmD\u0001\u0019\u0001=\t\u000b\u001dD\u0001\u0019\u00015\u0002=]LG\u000f[!vi\"|'/\u001b>fI>\u0013x-\u00198ju\u0006$\u0018n\u001c8PS\u0012\u001cX\u0003BA:\u0003w\"b!!\u001e\u0002\u0004\u0006\u0015E\u0003BA<\u0003\u007f\"B!!\u001f\u0002~A\u0019!*a\u001f\u0005\u000b1K!\u0019A'\t\u000bUK\u00019\u0001,\t\ruK\u0001\u0019AAA!\u0015QRo^A=\u0011\u0015Y\u0018\u00021\u0001y\u0011\u00159\u0017\u00021\u0001i\u0003ia\u0017M_=GY\u0006$8\t[5mIJ,g.\u00118e!\u0006\u0014XM\u001c;t)\u0011\tY)a&\u0011\t\u00055\u0015\u0011\u0013\b\u0004[\u0005=\u0015B\u0001\u001e\u0010\u0013\u0011\t\u0019*!&\u0003W=\u0013x-\u00198jg\u0006\fG/[8PS\u0012\u001c\u0018I\u001c3PaBLG.Y5u_N$\u00180\u001f9ji\u001ac\u0017\r\u001e,jK^T!AO\b\t\u000f\u0005e%\u00021\u0001\u0002\u001c\u0006!qN]4t!\u0015\ti*!*y\u001d\u0011\ty*!)\u0011\u0005UZ\u0012bAAR7\u00051\u0001K]3eK\u001aLA!a*\u0002*\n\u00191+\u001a;\u000b\u0007\u0005\r6$\u0001\tmCjLh\t\\1u\u0007\"LG\u000e\u001a:f]R!\u00111RAX\u0011\u001d\tIj\u0003a\u0001\u00037\u000bQ\u0002[1t%>|G/Q2dKN\u001cH\u0003BA[\u0003\u007f#B!a.\u0002>B\u0019!$!/\n\u0007\u0005m6DA\u0004C_>dW-\u00198\t\u000bUc\u00019\u0001,\t\r\u0005\u0015A\u00021\u00013\u000399\u0018\u000e\u001e5S_>$\u0018iY2fgN,B!!2\u0002NR!\u0011qYAk)\u0011\tI-!5\u0015\t\u0005-\u0017q\u001a\t\u0004\u0015\u00065G!\u0002'\u000e\u0005\u0004i\u0005\"B+\u000e\u0001\b1\u0006bB/\u000e\t\u0003\u0007\u00111\u001b\t\u00055}\u000bY\r\u0003\u0004\u0002\u00065\u0001\rA\r")
/* loaded from: input_file:fi/oph/kouta/service/AuthorizationService.class */
public interface AuthorizationService extends Logging {
    OrganisaatioService organisaatioService();

    default Seq<Role> indexerRoles() {
        return new C$colon$colon(Role$Indexer$.MODULE$, Nil$.MODULE$);
    }

    default <R> R ifAuthorized(Authorizable authorizable, AuthorizationRules authorizationRules, Function0<R> function0, Authenticated authenticated) {
        if (authorizationRules == null) {
            throw new MatchError(authorizationRules);
        }
        Tuple4 tuple4 = new Tuple4(authorizationRules.requiredRoles(), BoxesRunTime.boxToBoolean(authorizationRules.allowAccessToParentOrganizations()), authorizationRules.overridingAuthorizationRule(), authorizationRules.additionalAuthorizedOrganisaatioOids());
        Seq<Role> seq = (Seq) tuple4._1();
        boolean unboxToBoolean = BoxesRunTime.unboxToBoolean(tuple4._2());
        Option option = (Option) tuple4._3();
        Seq<OrganisaatioOid> seq2 = (Seq) tuple4._4();
        AuthorizationRule authorizationRule = option instanceof Some ? (AuthorizationRule) ((Some) option).value() : AuthorizedToAnyOfGivenOrganizationsRule$.MODULE$;
        Set<OrganisaatioOid> organizationsForRoles = authenticated.session().getOrganizationsForRoles(seq);
        if (organizationsForRoles.isEmpty()) {
            throw new RoleAuthorizationFailedException(seq, authenticated.session().roles());
        }
        if (organizationsForRoles.contains(RootOrganisaatioOid$.MODULE$) || authorized$1(allAuthorizedOidsAndOppilaitostyypit$1(unboxToBoolean, organizationsForRoles), authorizationRule, authorizable, seq2, organizationsForRoles)) {
            return function0.mo9272apply();
        }
        throw OrganizationAuthorizationFailedException$.MODULE$.apply(authorizationRule.authorizedOrganisations(authorizable, seq2).distinct(), organizationsForRoles, authorizationRule.organizationsAuthorizationMode());
    }

    default <R> R withAuthorizedChildOrganizationOids(OrganisaatioOid organisaatioOid, Seq<Role> seq, Function1<Seq<OrganisaatioOid>, R> function1, Authenticated authenticated) {
        return (R) withAuthorizedOrganizationOids(organisaatioOid, new AuthorizationRules(seq, AuthorizationRules$.MODULE$.apply$default$2(), AuthorizationRules$.MODULE$.apply$default$3(), AuthorizationRules$.MODULE$.apply$default$4()), function1, authenticated);
    }

    default <R> R withAuthorizedChildOrganizationOidsAndOppilaitostyypit(OrganisaatioOid organisaatioOid, Seq<Role> seq, Function1<Tuple2<Seq<OrganisaatioOid>, Seq<Koulutustyyppi>>, R> function1, Authenticated authenticated) {
        return (R) withAuthorizedOrganizationOidsAndOppilaitostyypit(organisaatioOid, new AuthorizationRules(seq, AuthorizationRules$.MODULE$.apply$default$2(), AuthorizationRules$.MODULE$.apply$default$3(), AuthorizationRules$.MODULE$.apply$default$4()), function1, authenticated);
    }

    default <R> R withAuthorizedOrganizationOidsAndOppilaitostyypit(final OrganisaatioOid organisaatioOid, AuthorizationRules authorizationRules, Function1<Tuple2<Seq<OrganisaatioOid>, Seq<Koulutustyyppi>>, R> function1, Authenticated authenticated) {
        final AuthorizationService authorizationService = null;
        return (R) ifAuthorized(new Authorizable(authorizationService, organisaatioOid) { // from class: fi.oph.kouta.service.AuthorizationService$$anon$1
            private final OrganisaatioOid organisaatioOid;

            @Override // fi.oph.kouta.security.Authorizable
            public OrganisaatioOid organisaatioOid() {
                return this.organisaatioOid;
            }

            {
                this.organisaatioOid = organisaatioOid;
            }
        }, authorizationRules, () -> {
            Tuple2<Seq<OrganisaatioOid>, Seq<Koulutustyyppi>> allChildAndParentOidsWithKoulutustyypitFlat = authorizationRules.allowAccessToParentOrganizations() ? this.organisaatioService().getAllChildAndParentOidsWithKoulutustyypitFlat(organisaatioOid) : this.organisaatioService().getAllChildOidsAndKoulutustyypitFlat(organisaatioOid);
            if (allChildAndParentOidsWithKoulutustyypitFlat != null && allChildAndParentOidsWithKoulutustyypitFlat.mo8894_1().isEmpty()) {
                throw OrganizationAuthorizationFailedException$.MODULE$.apply(organisaatioOid);
            }
            if (allChildAndParentOidsWithKoulutustyypitFlat != null) {
                return function1.mo8913apply(new Tuple2(allChildAndParentOidsWithKoulutustyypitFlat.mo8894_1(), allChildAndParentOidsWithKoulutustyypitFlat.mo8893_2()));
            }
            throw new MatchError(allChildAndParentOidsWithKoulutustyypitFlat);
        }, authenticated);
    }

    default <R> R withAuthorizedOrganizationOidsAndRelevantKoulutustyyppis(OrganisaatioOid organisaatioOid, AuthorizationRules authorizationRules, Function1<Tuple2<Seq<OrganisaatioOid>, Seq<Koulutustyyppi>>, R> function1, Authenticated authenticated) {
        return (R) withAuthorizedOrganizationOidsAndOppilaitostyypit(organisaatioOid, authorizationRules, tuple2 -> {
            return function1.mo8913apply(tuple2);
        }, authenticated);
    }

    default <R> R withAuthorizedOrganizationOids(OrganisaatioOid organisaatioOid, AuthorizationRules authorizationRules, Function1<Seq<OrganisaatioOid>, R> function1, Authenticated authenticated) {
        return (R) withAuthorizedOrganizationOidsAndOppilaitostyypit(organisaatioOid, authorizationRules, tuple2 -> {
            if (tuple2 != null) {
                return function1.mo8913apply((Seq) tuple2.mo8894_1());
            }
            throw new MatchError(tuple2);
        }, authenticated);
    }

    default IterableView<Tuple2<Seq<OrganisaatioOid>, Seq<Koulutustyyppi>>, Iterable<?>> lazyFlatChildrenAndParents(Set<OrganisaatioOid> set) {
        return (IterableView) set.view().map(organisaatioOid -> {
            return this.organisaatioService().getAllChildAndParentOidsWithKoulutustyypitFlat(organisaatioOid);
        }, IterableView$.MODULE$.canBuildFrom());
    }

    default IterableView<Tuple2<Seq<OrganisaatioOid>, Seq<Koulutustyyppi>>, Iterable<?>> lazyFlatChildren(Set<OrganisaatioOid> set) {
        return (IterableView) set.view().map(organisaatioOid -> {
            return this.organisaatioService().getAllChildOidsAndKoulutustyypitFlat(organisaatioOid);
        }, IterableView$.MODULE$.canBuildFrom());
    }

    default boolean hasRootAccess(Seq<Role> seq, Authenticated authenticated) {
        return seq.exists(role -> {
            return BoxesRunTime.boxToBoolean($anonfun$hasRootAccess$1(authenticated, role));
        });
    }

    default <R> R withRootAccess(Seq<Role> seq, Function0<R> function0, Authenticated authenticated) {
        if (hasRootAccess(seq, authenticated)) {
            return function0.mo9272apply();
        }
        throw OrganizationAuthorizationFailedException$.MODULE$.apply(new C$colon$colon(RootOrganisaatioOid$.MODULE$, Nil$.MODULE$), Nil$.MODULE$, OrganizationAuthorizationFailedException$.MODULE$.apply$default$3());
    }

    private default boolean userBelongsToOwnerOrganisation$1(Set set, Authorizable authorizable) {
        return ((SetLike) ((GenericTraversableTemplate) set.map(organisaatioOid -> {
            OrganisaatioService organisaatioService = this.organisaatioService();
            return organisaatioService.getAllChildOidsFlat(organisaatioOid, organisaatioService.getAllChildOidsFlat$default$2());
        }, Set$.MODULE$.canBuildFrom())).flatten2(Predef$.MODULE$.$conforms())).contains(authorizable.organisaatioOid());
    }

    private default boolean authorized$1(IterableView iterableView, AuthorizationRule authorizationRule, Authorizable authorizable, Seq seq, Set set) {
        return authorizationRule.isAuthorized(authorizable, seq, iterableView, userBelongsToOwnerOrganisation$1(set, authorizable));
    }

    private default IterableView allAuthorizedOidsAndOppilaitostyypit$1(boolean z, Set set) {
        return z ? lazyFlatChildrenAndParents(set) : lazyFlatChildren(set);
    }

    static /* synthetic */ boolean $anonfun$hasRootAccess$2(Set set) {
        return set.contains(RootOrganisaatioOid$.MODULE$);
    }

    static /* synthetic */ boolean $anonfun$hasRootAccess$1(Authenticated authenticated, Role role) {
        return authenticated.session().roleMap().get(role).exists(set -> {
            return BoxesRunTime.boxToBoolean($anonfun$hasRootAccess$2(set));
        });
    }

    static void $init$(AuthorizationService authorizationService) {
    }
}
