package fi.vm.sade.security;

import fi.vm.sade.generic.service.exception.NotAuthorizedException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;

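/**
 * Role-based authorization against an organisation hierarchy.
 *
 * <p>Granted authorities are expected in the form {@code <role>_<organisationOid>}; this is the
 * split {@link #getOrganisaatioTheUserHasPermissionTo(List, String...)} performs on the last
 * {@code _}. A user may act on a target organisation when one of the required roles matches an
 * authority that is bound to the target organisation or to one of its parents. The parent chain
 * is supplied by {@link OidProvider} and memoised in a class-wide cache keyed by target oid.
 */
@Component
public class OrganisationHierarchyAuthorizer {
    /** Maximum number of target oids whose parent chain is kept in the cache. */
    public static final int MAX_CACHE_SIZE = 10000;
    /** Required-role wildcard: satisfies the role part of a check against any authority. */
    public static final String ANY_ROLE = "*";

    @Autowired
    private OidProvider oidProvider;
    private static final Logger LOGGER = LoggerFactory.getLogger(OrganisationHierarchyAuthorizer.class);
    // Static, so every instance - including those from createMockAuthorizer - shares one cache;
    // an entry written through one instance's OidProvider is served to all others.
    private static final Map<String, List<String>> cache = SimpleCache.buildCache(MAX_CACHE_SIZE);

    /** For container construction; {@link #oidProvider} is injected afterwards. */
    public OrganisationHierarchyAuthorizer() {
    }

    /**
     * @param oidProvider source of an organisation's own oid plus its parent oids
     */
    public OrganisationHierarchyAuthorizer(OidProvider oidProvider) {
        this.oidProvider = oidProvider;
    }

    /**
     * Checks that the authenticated user holds one of the required roles to the target
     * organisation or to one of its parents.
     *
     * @param authentication the current user; {@code null} is rejected
     * @param str target organisation oid
     * @param strArr required roles, at least one of which must match
     * @throws NotAuthorizedException when the user is missing, no roles are required, the target
     *     organisation cannot be resolved, or no role/organisation pair matches
     */
    public void checkAccess(Authentication authentication, String str, String[] strArr) throws NotAuthorizedException {
        if (authentication == null) {
            throw new NotAuthorizedException("checkAccess failed, currentUser is null");
        }
        checkAccess(toStringRoles(authentication.getAuthorities()), str, strArr);
    }

    /**
     * Checks that one of the user's authorities carries a required role for the target
     * organisation or one of its parents.
     *
     * @param list the user's granted authorities as strings
     * @param str target organisation oid
     * @param strArr required roles, at least one of which must match
     * @throws NotAuthorizedException when the target organisation resolves to nothing, no roles
     *     are required, the authority list is {@code null}, or nothing matches
     */
    public void checkAccess(List<String> list, String str, String[] strArr) throws NotAuthorizedException {
        List<String> targetAndParentOids = getSelfAndParentOidsCached(str);
        if (targetAndParentOids == null || targetAndParentOids.isEmpty()) {
            throw new NotAuthorizedException("checkAccess failed, no targetOrganisationAndParentsOids null");
        }
        if (strArr == null || strArr.length == 0) {
            throw new NotAuthorizedException("checkAccess failed, no requiredRoles given");
        }
        // Reject explicitly rather than failing with an NPE in the loop below.
        if (list == null) {
            throw new NotAuthorizedException("checkAccess failed, userRoles is null");
        }
        for (String requiredRole : strArr) {
            for (String organisationOid : targetAndParentOids) {
                for (String authority : list) {
                    if (roleMatchesToAuthority(requiredRole, authority)
                            && authorityIsTargetedToOrganisation(authority, organisationOid)) {
                        return;
                    }
                }
            }
        }
        throw new NotAuthorizedException("Not authorized! targetOrganisationAndParentsOids: " + targetAndParentOids
                + ", requiredRoles: " + Arrays.asList(strArr) + ", userRoles: " + list);
    }

    /**
     * Checks that the user holds one of the required roles to <em>any</em> organisation: only the
     * role part of each authority is compared, the organisation suffix is ignored.
     *
     * @param authentication the current user; {@code null} is rejected
     * @param strArr required roles, at least one of which must match
     * @throws NotAuthorizedException when the user is missing, no roles are required, or no
     *     authority carries a required role
     */
    public void checkAccess(Authentication authentication, String[] strArr) throws NotAuthorizedException {
        if (authentication == null) {
            throw new NotAuthorizedException("checkAccess failed, currentUser is null");
        }
        if (strArr == null || strArr.length == 0) {
            throw new NotAuthorizedException("checkAccess failed, no requiredRoles given");
        }
        for (String requiredRole : strArr) {
            for (GrantedAuthority authority : authentication.getAuthorities()) {
                if (roleMatchesToAuthority(requiredRole, authority.getAuthority())) {
                    return;
                }
            }
        }
        throw new NotAuthorizedException("Not authorized! currentUser: " + authentication + ", requiredRoles: " + Arrays.asList(strArr));
    }

    /**
     * Resolves the target oid and its parents through {@link #oidProvider}, memoising the result.
     * A {@code null} answer from the provider is stored too, but since {@code get} then also yields
     * {@code null} it is simply looked up again on the next call.
     */
    private List<String> getSelfAndParentOidsCached(String str) {
        List<String> oids = cache.get(str);
        if (oids == null) {
            oids = this.oidProvider.getSelfAndParentOids(str);
            cache.put(str, oids);
        }
        return oids;
    }

    /**
     * Whether a required role is satisfied by a granted authority. {@link #ANY_ROLE} matches
     * everything; otherwise the role, with its {@code APP_} and {@code ROLE_} prefixes removed,
     * must occur somewhere in the authority string.
     */
    private static boolean roleMatchesToAuthority(String str, String str2) {
        if (ANY_ROLE.equals(str)) {
            return true;
        }
        // NOTE(review): substring match - a role name that is a prefix or infix of another role
        // name also matches (e.g. X_CRUD against ..._XX_CRUD_...). Left unchanged because the role
        // naming convention is not visible here; confirm it before tightening to "_" boundaries.
        return str2.contains(stripRolePrefix(str));
    }

    /** Removes every {@code APP_} and {@code ROLE_} occurrence from a role name. */
    private static String stripRolePrefix(String str) {
        return str.replace("APP_", "").replace("ROLE_", "");
    }

    /**
     * Whether an authority is bound to the given organisation. Authorities end in
     * {@code _<organisationOid>} (the same split getOrganisaatioTheUserHasPermissionTo relies on),
     * so the separator is required: a bare suffix test would also accept an oid that merely happens
     * to be the tail of another organisation's oid.
     */
    private static boolean authorityIsTargetedToOrganisation(String str, String str2) {
        return str.endsWith("_" + str2);
    }

    /**
     * Builds an authorizer whose hierarchy is a single parent with the given children.
     *
     * @param str the parent organisation oid
     * @param strArr child oids whose only parent is {@code str}
     * @return an authorizer resolving {@code str} to itself, each child to itself plus {@code str},
     *     and anything else to an empty list; note that it shares the static oid cache with every
     *     other instance
     */
    public static OrganisationHierarchyAuthorizer createMockAuthorizer(final String str, final String[] strArr) {
        return new OrganisationHierarchyAuthorizer(new OidProvider() {
            @Override
            public List<String> getSelfAndParentOids(String str2) {
                if (str.equals(str2)) {
                    return Arrays.asList(str2);
                }
                if (Arrays.asList(strArr).contains(str2)) {
                    return Arrays.asList(str2, str);
                }
                return new ArrayList<String>();
            }
        });
    }

    /**
     * Like {@link #getOrganisaatioTheUserHasPermissionTo(Authentication, String...)} for the user
     * in the current {@link SecurityContextHolder} context.
     */
    public static String getOrganisaatioTheUserHasPermissionTo(String... strArr) {
        return getOrganisaatioTheUserHasPermissionTo(SecurityContextHolder.getContext().getAuthentication(), strArr);
    }

    /**
     * Like {@link #getOrganisaatioTheUserHasPermissionTo(List, String...)} for the given user.
     * A {@code null} authentication is not guarded and fails with a {@link NullPointerException}.
     */
    public static String getOrganisaatioTheUserHasPermissionTo(Authentication authentication, String... strArr) {
        return getOrganisaatioTheUserHasPermissionTo(toStringRoles(authentication.getAuthorities()), strArr);
    }

    /** Collects the authority strings of the given granted authorities, in iteration order. */
    private static List<String> toStringRoles(Collection<? extends GrantedAuthority> collection) {
        List<String> roles = new ArrayList<String>(collection.size());
        for (GrantedAuthority authority : collection) {
            roles.add(authority.getAuthority());
        }
        return roles;
    }

    /**
     * Finds the one organisation to which the user holds any of the given roles.
     *
     * <p>Each authority is split on its last {@code _} into role and organisation oid; authorities
     * that end in a plain access level ({@code READ}, {@code READ_UPDATE}, {@code CRUD}) carry no
     * organisation and are skipped.
     *
     * @param list the user's granted authorities as strings
     * @param strArr role names (the part before the organisation oid) to look for
     * @return the single organisation oid, or {@code null} (with a warning logged) when none of
     *     the roles is held to any organisation
     * @throws IllegalStateException when the roles are held to more than one organisation
     */
    public static String getOrganisaatioTheUserHasPermissionTo(List<String> list, String... strArr) {
        List<String> wantedRoles = Arrays.asList(strArr);
        Set<String> organisationOids = new HashSet<String>();
        for (String authority : list) {
            if (authority.endsWith("READ") || authority.endsWith("READ_UPDATE") || authority.endsWith("CRUD")) {
                continue;
            }
            int separator = authority.lastIndexOf("_");
            if (separator != -1 && wantedRoles.contains(authority.substring(0, separator))) {
                organisationOids.add(authority.substring(separator + 1));
            }
        }
        if (organisationOids.isEmpty()) {
            LOGGER.warn("user does not have role {} to any organisaatios, userRoles: {}", wantedRoles, list);
            return null;
        }
        if (organisationOids.size() > 1) {
            throw new IllegalStateException("not supported: user has role " + wantedRoles + " to more than 1 organisaatios: " + organisationOids);
        }
        return organisationOids.iterator().next();
    }
}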
