package de.sep.sesam.acl;

import de.sep.sesam.acl.IAclEnabledDao;
import de.sep.sesam.common.json.JsonUtil;
import de.sep.sesam.common.logging.ContextLogger;
import de.sep.sesam.common.logging.RecurringLogFilter;
import de.sep.sesam.model.AclPermission;
import de.sep.sesam.model.AclUser;
import de.sep.sesam.model.Acls;
import de.sep.sesam.model.Groups;
import de.sep.sesam.model.Locations;
import de.sep.sesam.model.MediaPools;
import de.sep.sesam.model.Schedules;
import de.sep.sesam.model.TaskGroups;
import de.sep.sesam.model.Terms;
import de.sep.sesam.model.Users;
import de.sep.sesam.model.core.AbstractSerializableObject;
import de.sep.sesam.model.core.defaults.DefaultUserNames;
import de.sep.sesam.model.core.interfaces.IAclEntity;
import de.sep.sesam.model.core.interfaces.IEntity;
import de.sep.sesam.model.core.interfaces.IEventsEntity;
import de.sep.sesam.model.filter.core.AbstractAclEnabledFilter;
import de.sep.sesam.model.type.AclGrantType;
import de.sep.sesam.model.type.AclPermissionType;
import de.sep.sesam.model.type.AclUserType;
import de.sep.sesam.rest.exceptions.ServiceException;
import de.sep.sesam.restapi.authentication.SessionContext;
import de.sep.sesam.restapi.core.acls.filter.AclsFilter;
import de.sep.sesam.restapi.dao.AclsDao;
import de.sep.sesam.restapi.dao.AclsDaoServer;
import de.sep.sesam.restapi.dao.DaoAccessor;
import de.sep.sesam.restapi.dao.DefaultsDaoServer;
import de.sep.sesam.restapi.dao.GroupsDaoServer;
import de.sep.sesam.restapi.dao.IGenericDao;
import de.sep.sesam.restapi.dao.LocationsDao;
import de.sep.sesam.restapi.dao.SchedulesDao;
import de.sep.sesam.restapi.service.impl.LoginServiceImpl;
import de.sep.sesam.restapi.v2.acls.model.DefaultAclProvider;
import de.sep.sesam.server.common.acl.AclObjectUtil;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.ForkJoinPool;
import java.util.concurrent.ForkJoinTask;
import java.util.concurrent.RecursiveTask;
import java.util.stream.Collectors;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.propertyeditors.CustomBooleanEditor;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/* loaded from: input_file:de/sep/sesam/acl/AclManager.class */
public final class AclManager {
    private static AclManager instance;
    private final transient ContextLogger logger = new ContextLogger(AclManager.class);
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:de/sep/sesam/acl/AclManager$FilterRecursiveAction.class */
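    /**
     * Fork/join task that reduces a list of entities to those the session is allowed to see.
     *
     * <p>An entity is kept when {@code canRead} succeeds and, if a filter is supplied, when it also
     * passes the write/execute checks the filter opts into. Lists longer than {@link #THRESHOLD}
     * are split into chunks that are evaluated as sub-tasks.
     *
     * @param <V> entity type being filtered
     */
    public static class FilterRecursiveAction<V extends IAclEntity<?>> extends RecursiveTask<List<V>> {
        private static final long serialVersionUID = -8544193901915812965L;
        /** Maximum number of entities evaluated directly by one task. */
        private static final int THRESHOLD = 1000;
        private final SessionContext session;
        private final List<V> entities;
        private final String origin;
        private final AbstractAclEnabledFilter filter;
        private final transient ContextLogger logger;
        static final /* synthetic */ boolean $assertionsDisabled;

        /**
         * @param sessionContext session whose permissions are evaluated; must not be null
         * @param list entities to check; must not be null
         * @param str origin of the entities; must not be blank
         * @param abstractAclEnabledFilter optional filter carrying the exclude flags; may be null
         * @param contextLogger logger handed to the permission checks; must not be null
         */
        public FilterRecursiveAction(SessionContext sessionContext, List<V> list, String str, AbstractAclEnabledFilter abstractAclEnabledFilter, ContextLogger contextLogger) {
            if (!$assertionsDisabled && sessionContext == null) {
                throw new AssertionError();
            }
            this.session = sessionContext;
            if (!$assertionsDisabled && list == null) {
                throw new AssertionError();
            }
            this.entities = list;
            if (!$assertionsDisabled && !StringUtils.isNotBlank(str)) {
                throw new AssertionError();
            }
            this.origin = str;
            this.filter = abstractAclEnabledFilter;
            if (!$assertionsDisabled && contextLogger == null) {
                throw new AssertionError();
            }
            this.logger = contextLogger;
        }

        /**
         * Returns the entities of this task that pass the permission checks.
         *
         * <p>A {@link ServiceException} raised by a check is logged and ends the evaluation of this
         * chunk; entities that were not reached are left out of the result.
         *
         * @return the permitted entities, in input order within a chunk
         */
        @Override // java.util.concurrent.RecursiveTask
        public List<V> compute() {
            AclManager aclManager = AclManager.getInstance();
            if (!$assertionsDisabled && aclManager == null) {
                throw new AssertionError();
            }
            if (this.entities.size() > THRESHOLD) {
                return ForkJoinTask.invokeAll(createSubtasks()).stream()
                        .map(ForkJoinTask::join)
                        .flatMap(List::stream)
                        .collect(Collectors.toList());
            }
            List<V> permitted = new ArrayList<>();
            try {
                for (V entity : this.entities) {
                    if (!aclManager.canRead(this.session, this.logger, entity, this.origin)) {
                        continue;
                    }
                    if (this.filter != null) {
                        // The exclude flags must actually drop the entity: previously the result of
                        // these checks was evaluated but the entity was added regardless.
                        if (this.filter.excludeNotWritable && !aclManager.canWrite(this.session, this.logger, entity, this.origin)) {
                            continue;
                        }
                        if (this.filter.excludeNotExecutable && !aclManager.canExecute(this.session, this.logger, entity, this.origin)) {
                            continue;
                        }
                    }
                    permitted.add(entity);
                }
            } catch (ServiceException e) {
                this.logger.error("filter", e, new Object[0]);
            }
            return permitted;
        }

        /** Splits the entity list into consecutive sub-lists of at most {@link #THRESHOLD} elements. */
        private Collection<FilterRecursiveAction<V>> createSubtasks() {
            if (!$assertionsDisabled && this.entities == null) {
                throw new AssertionError();
            }
            List<FilterRecursiveAction<V>> subtasks = new ArrayList<>();
            int total = this.entities.size();
            for (int from = 0; from < total; from += THRESHOLD) {
                int to = Math.min(from + THRESHOLD, total);
                subtasks.add(new FilterRecursiveAction<>(this.session, this.entities.subList(from, to), this.origin, this.filter, this.logger));
            }
            return subtasks;
        }

        static {
            $assertionsDisabled = !AclManager.class.desiredAssertionStatus();
        }
    }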

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:de/sep/sesam/acl/AclManager$IDelegate.class */
    /**
     * Strategy handed to {@code checkPermission} by {@code canRead}, {@code canWrite} and
     * {@code canExecute}; each of them supplies its own set of relevant permission types.
     */
    public interface IDelegate {
        // Presumably consulted for ACL entries whose grant type is DENY - confirm in checkPermission.
        boolean appliesForGrantTypeDeny(AclPermissionType aclPermissionType);

        // Presumably consulted for ACL entries whose grant type is ALLOW - confirm in checkPermission.
        boolean appliesForGrantTypeAllow(AclPermissionType aclPermissionType);
    }

    /** Private so that the only instance is the one created by {@link #getInstance()}. */
    private AclManager() {
    }

    /**
     * Returns the shared {@code AclManager}, creating it on the first call.
     *
     * <p>The method is synchronized, so concurrent first calls cannot create two instances.
     *
     * @return the single manager instance, never null
     */
    public static synchronized AclManager getInstance() {
        AclManager current = instance;
        if (current == null) {
            current = new AclManager();
            instance = current;
        }
        return current;
    }

    /**
     * Filters {@code list} by read permission only; equivalent to the four-argument overload
     * called without an additional filter.
     *
     * @param sessionContext session whose permissions are evaluated
     * @param list entities to filter
     * @param str origin of the entities
     * @return the entities the session may read
     * @throws ServiceException declared by the delegate
     */
    public <T extends IAclEntity<?>> List<T> filter(SessionContext sessionContext, List<T> list, String str) throws ServiceException {
        final AbstractAclEnabledFilter noExtraFilter = null;
        return filter(sessionContext, list, str, noExtraFilter);
    }

    /**
     * Reduces {@code list} to the entities the session is permitted to access.
     *
     * <p>The input list is returned unchanged when it is empty, when there is no usable session
     * (no session, no DAO accessor or no session user), or when no ACL applies to the first
     * element. Otherwise the per-entity checks run in {@link ForkJoinPool#commonPool()}.
     *
     * <p>NOTE(review): the "no usable session" path is fail-open - nothing is filtered. Callers
     * serving remote requests presumably authenticate beforehand; confirm that no unauthenticated
     * path reaches this method.
     *
     * @param sessionContext session whose permissions are evaluated; may be null
     * @param list entities to filter; may be null or empty
     * @param str origin of the entities; must not be null
     * @param abstractAclEnabledFilter optional filter with exclude flags; may be null
     * @return the permitted entities, or {@code list} itself on the pass-through paths
     * @throws ServiceException declared for callers
     */
    public <T extends IAclEntity<?>> List<T> filter(SessionContext sessionContext, List<T> list, String str, AbstractAclEnabledFilter abstractAclEnabledFilter) throws ServiceException {
        if (!$assertionsDisabled && str == null) {
            throw new AssertionError();
        }
        if (CollectionUtils.isEmpty(list)) {
            return list;
        }
        this.logger.start("filter", new Object[0]);
        final boolean sessionUsable = sessionContext != null && sessionContext.getDaos() != null && getSessionUser(sessionContext) != null;
        if (!sessionUsable) {
            this.logger.success("filter", "(No valid session or session user found)");
            return list;
        }
        // Only the first element is probed; the probe is allowed to widen to origin-level ACLs.
        final T probe = list.get(0);
        if (!hasApplicableAcls(sessionContext, probe, str, true)) {
            this.logger.success("filter", "(No applicable ACL found)");
            return list;
        }
        // The checks run on pool worker threads, so they rely on the session passed in here.
        final FilterRecursiveAction<T> task = new FilterRecursiveAction<>(sessionContext, list, str, abstractAclEnabledFilter, this.logger);
        final List<T> permitted = ForkJoinPool.commonPool().invoke(task);
        this.logger.success("filter", new Object[0]);
        return permitted;
    }

    /**
     * Deletes every stored ACL that matches the given object and origin.
     *
     * <p>Does nothing when the object id is blank or the session has no DAO accessor.
     *
     * <p>NOTE(review): no permission check is performed here; authorisation is presumably
     * enforced by the caller - confirm.
     *
     * @param sessionContext session providing the DAO accessor; may be null
     * @param str object id whose ACLs are removed
     * @param str2 origin of the object; must not be null
     * @throws ServiceException if the lookup or a removal fails
     */
    public void removeAcls(SessionContext sessionContext, String str, String str2) throws ServiceException {
        if (!$assertionsDisabled && str2 == null) {
            throw new AssertionError();
        }
        if (StringUtils.isBlank(str)) {
            return;
        }
        if (sessionContext == null || sessionContext.getDaos() == null) {
            return;
        }
        DaoAccessor accessor = sessionContext.getDaos();
        if (!$assertionsDisabled && accessor == null) {
            throw new AssertionError();
        }
        AclsFilter criteria = new AclsFilter();
        criteria.setObject(str);
        criteria.setOrigin(str2);
        for (Acls stored : ((AclsDaoServer) accessor.getService(AclsDaoServer.class)).filter(criteria)) {
            ((AclsDaoServer) accessor.getService(AclsDaoServer.class)).remove(stored.getPK());
        }
    }

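    /**
     * Resolves the ACLs that apply to an entity.
     *
     * @param sessionContext session used for the lookup
     * @param t entity whose ACLs are requested
     * @param str origin of the entity
     * @param z when {@code true} the entity's primary key is not used and the lookup is made
     *          without an object id
     * @return the ACLs found, or {@code null} when the entity is null, the origin is blank, the
     *         primary key is required but missing, or nothing was found
     * @throws ServiceException if the underlying lookup fails
     */
    public <T extends IEntity<?>> List<Acls> getAcls(SessionContext sessionContext, T t, String str, boolean z) throws ServiceException {
        if (t == null || StringUtils.isBlank(str)) {
            return null;
        }
        String objectId = null;
        if (!z) {
            Object pk = t.getPK();
            if (pk == null) {
                return null;
            }
            objectId = pk.toString();
        }
        // Pass the entity itself: it was previously cast to SessionContext, which an entity is not.
        return getAcls(sessionContext, t, objectId, str);
    }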

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v139, types: [de.sep.sesam.model.core.interfaces.IEntity] */
    /* JADX WARN: Type inference failed for: r0v178, types: [de.sep.sesam.model.core.interfaces.IEntity] */
    /**
     * Collects the ACLs for one object, falling back step by step when none are stored:
     * stored ACLs for object and origin, then a default ACL, then (if inheritance is enabled)
     * the ACLs of the parent objects, then the root ACL.
     *
     * @param sessionContext session providing the DAO accessor and the session user
     * @param t the entity, or null to have it loaded on demand
     * @param str object id; may be blank, in which case the stored and default lookups are skipped
     * @param str2 origin of the object
     * @return an unmodifiable list of ACLs, or {@code null} when the origin is blank, the session
     *         is unusable, or no ACL was found
     * @throws ServiceException if a DAO call fails
     */
    private <T extends IEntity<?>> List<Acls> getAcls(SessionContext sessionContext, T t, String str, String str2) throws ServiceException {
        if (StringUtils.isBlank(str2) || sessionContext == null || sessionContext.getDaos() == null || getSessionUser(sessionContext) == null) {
            return null;
        }
        DaoAccessor daos = sessionContext.getDaos();
        if (!$assertionsDisabled && daos == null) {
            throw new AssertionError();
        }
        ArrayList<Acls> arrayList = new ArrayList();
        if (StringUtils.isNotBlank(str)) {
            // Step 1: ACLs stored for exactly this object and origin.
            AclsFilter aclsFilter = new AclsFilter();
            aclsFilter.setObject(str);
            aclsFilter.setOrigin(str2);
            List<Acls> filter = ((AclsDaoServer) daos.getService(AclsDaoServer.class)).filter(aclsFilter);
            if (CollectionUtils.isNotEmpty(filter)) {
                arrayList.addAll(filter);
            } else {
                // Step 2: nothing stored, so use a default ACL.
                if (t == null) {
                    t = (IEntity) AclObjectUtil.getDaoEntity(str, str2);
                }
                // Locations without a parent, media pools, task groups and schedules take the
                // default ACL stored under the LocationsDao name, when there is one.
                Acls defaultAclFromDB = (((t instanceof Locations) && ((Locations) t).getParentId() == null) || (t instanceof MediaPools) || (t instanceof TaskGroups) || (t instanceof Schedules)) ? DefaultAclProvider.getDefaultAclFromDB((AclsDao) daos.getService(AclsDaoServer.class), LocationsDao.class.getSimpleName()) : null;
                if (defaultAclFromDB == null) {
                    defaultAclFromDB = DefaultAclProvider.getDefaultAcl(t, ((GroupsDaoServer) daos.getService(GroupsDaoServer.class)).getAll(), false);
                }
                if (defaultAclFromDB != null) {
                    arrayList.add(defaultAclFromDB);
                }
            }
        }
        // Inheritance counts as enabled when the setting is unset or equals CustomBooleanEditor.VALUE_1.
        String systemDefault = ((DefaultsDaoServer) daos.getService(DefaultsDaoServer.class)).getSystemDefault("gui.enable.acls.inheritance");
        boolean z = StringUtils.isBlank(systemDefault) || StringUtils.equals(systemDefault, CustomBooleanEditor.VALUE_1);
        if (arrayList.isEmpty() && z) {
            // Step 3: inherit the ACLs of the parent objects.
            Object daoForOrigin = AclObjectUtil.getDaoForOrigin(str2);
            if (daoForOrigin instanceof IAclEnabledDao) {
                IAclEnabledDao iAclEnabledDao = (IAclEnabledDao) daoForOrigin;
                boolean bypassAcl = iAclEnabledDao.getBypassAcl();
                try {
                    // ACL checks on the DAO are switched off while the parents are resolved; the
                    // previous value is restored in the outer finally block.
                    // NOTE(review): if this DAO instance is shared between threads, the bypass
                    // flag is also in effect for concurrent callers during this window - confirm
                    // how the DAO scopes the flag.
                    iAclEnabledDao.setBypassAcl(true);
                    boolean z2 = !RecurringLogFilter.isSkip();
                    if (z2) {
                        RecurringLogFilter.skip();
                    }
                    if (t == null && (daoForOrigin instanceof IGenericDao) && StringUtils.isNotBlank(str)) {
                        t = ((IGenericDao) iAclEnabledDao).get(((IGenericDao) iAclEnabledDao).pkFromString(str));
                    }
                    if (t != null) {
                        try {
                            List<IAclEnabledDao.ParentObject> parentObjects = getParentObjects(sessionContext, iAclEnabledDao, t);
                            // NOTE(review): done() is called here and again in the finally block
                            // below, so it runs twice on the normal path - confirm this is harmless.
                            if (z2) {
                                RecurringLogFilter.done();
                            }
                            if (parentObjects != null) {
                                ArrayList arrayList2 = new ArrayList();
                                for (IAclEnabledDao.ParentObject parentObject : parentObjects) {
                                    String str3 = parentObject.object;
                                    String str4 = parentObject.origin;
                                    // A parent without its own origin is looked up under the child's origin.
                                    if (StringUtils.isBlank(str4)) {
                                        str4 = str2;
                                    }
                                    if (StringUtils.isNotBlank(str3)) {
                                        // Recursive lookup for the parent; duplicates are not added twice.
                                        List<Acls> acls = getAcls(sessionContext, (SessionContext) null, str3, str4);
                                        if (CollectionUtils.isNotEmpty(acls)) {
                                            for (Acls acls2 : acls) {
                                                if (!arrayList2.contains(acls2)) {
                                                    arrayList2.add(acls2);
                                                }
                                            }
                                        }
                                    }
                                }
                                if (!arrayList2.isEmpty()) {
                                    arrayList.addAll(arrayList2);
                                }
                            }
                        } finally {
                            if (z2) {
                                RecurringLogFilter.done();
                            }
                        }
                    }
                } finally {
                    iAclEnabledDao.setBypassAcl(bypassAcl);
                }
            }
        }
        if (arrayList.isEmpty()) {
            // Step 4: fall back to the root ACL where the DAO says it is applicable.
            Object daoForOrigin2 = AclObjectUtil.getDaoForOrigin(str2);
            if ((daoForOrigin2 instanceof IAclEnabledDao) && ((IAclEnabledDao) daoForOrigin2).isRootAclApplicable(t)) {
                Acls defaultAclFromDB2 = DefaultAclProvider.getDefaultAclFromDB((AclsDao) daos.getService(AclsDaoServer.class), LocationsDao.class.getSimpleName());
                if (defaultAclFromDB2 == null) {
                    defaultAclFromDB2 = DefaultAclProvider.getDefaultAcl(DefaultAclProvider.ROOT_LOCATION, ((GroupsDaoServer) daos.getService(GroupsDaoServer.class)).getAll(), true);
                }
                if (defaultAclFromDB2 != null) {
                    arrayList.add(defaultAclFromDB2);
                }
            }
        }
        if (CollectionUtils.isNotEmpty(arrayList)) {
            // Parse the JSON value of each ACL into its user entries if that has not happened yet.
            for (Acls acls3 : arrayList) {
                if (acls3.getUsers() == null && StringUtils.isNotBlank(acls3.getValue())) {
                    try {
                        acls3.setUsers(JsonUtil.readList(acls3.getValue(), AclUser.class));
                    } catch (IOException e) {
                        // NOTE(review): a value that cannot be parsed is ignored without a log
                        // entry; the ACL is returned with its users still null.
                    }
                }
            }
        }
        if (arrayList.isEmpty()) {
            return null;
        }
        return Collections.unmodifiableList(arrayList);
    }

    /**
     * Returns the user bound to the session.
     *
     * @param sessionContext the session; must not be null
     * @return the value of {@code sessionContext.getUser()}
     */
    private Users getSessionUser(SessionContext sessionContext) {
        if (!$assertionsDisabled && sessionContext == null) {
            throw new AssertionError();
        }
        return sessionContext.getUser();
    }

    /**
     * Returns the groups bound to the session.
     *
     * @param sessionContext the session; must not be null
     * @return the value of {@code sessionContext.getGroups()}
     */
    private List<Groups> getSessionGroups(SessionContext sessionContext) {
        if (!$assertionsDisabled && sessionContext == null) {
            throw new AssertionError();
        }
        return sessionContext.getGroups();
    }

    /**
     * Tells whether ACL checks are skipped for the given session.
     *
     * <ul>
     *   <li>No session, no DAO accessor or no session user: bypass ({@code true}).</li>
     *   <li>Policy-based permissions off: bypass when the user name is one of
     *       {@code DefaultUserNames.ADMIN_USER}, {@code "root"} or {@code DefaultUserNames.SESAM_USER}.</li>
     *   <li>Policy-based permissions on: bypass when the user belongs to a group named
     *       {@code SUPERUSER}; a failed group lookup yields {@code false}.</li>
     * </ul>
     *
     * <p>NOTE(review): the first case is fail-open, and the second is decided by user name alone;
     * both rely on the session having been authenticated before it gets here - confirm.
     *
     * @param sessionContext session to evaluate; may be null
     * @return {@code true} when ACL checks do not apply to this session
     */
    public boolean isBypassACL(SessionContext sessionContext) {
        if (sessionContext == null) {
            return true;
        }
        if (sessionContext.getDaos() == null) {
            return true;
        }
        if (getSessionUser(sessionContext) == null) {
            return true;
        }
        DaoAccessor accessor = sessionContext.getDaos();
        if (!$assertionsDisabled && accessor == null) {
            throw new AssertionError();
        }
        Users currentUser = getSessionUser(sessionContext);
        if (!$assertionsDisabled && currentUser == null) {
            throw new AssertionError();
        }
        if (!LoginServiceImpl.isPolicyBasedPermissions()) {
            return StringUtils.equalsAny(currentUser.getName(), DefaultUserNames.ADMIN_USER, "root", DefaultUserNames.SESAM_USER);
        }
        try {
            List<Groups> memberships = ((GroupsDaoServer) accessor.getService(GroupsDaoServer.class)).getGroupsByUser(currentUser);
            if (memberships == null) {
                return false;
            }
            for (Groups membership : memberships) {
                if ("SUPERUSER".equals(membership.getName())) {
                    return true;
                }
            }
            return false;
        } catch (ServiceException e) {
            // A failed lookup never grants the bypass.
            return false;
        }
    }

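    /**
     * Decides whether any ACL is relevant for the session user with respect to the given entity.
     *
     * <p>Returns {@code true} without further checks when the session is unusable. Returns
     * {@code false} when the {@code enable_gui_acl} setting is neither {@code "true"} nor
     * {@code CustomBooleanEditor.VALUE_1}, or when the entity has no ACLs. Otherwise the entity's
     * ACLs are examined and, if {@code z} is set and they do not apply, so are all ACLs of the
     * origin and then those of the parent origins.
     *
     * <p>NOTE(review): {@code filter} returns its input unfiltered when this method yields
     * {@code false}, so a failed ACL lookup here (result stays null or empty) ends up fail-open.
     *
     * @param sessionContext session to evaluate; may be null
     * @param t entity used for the lookup; may be null
     * @param str origin of the entity
     * @param z whether to widen the search to origin-level and parent-origin ACLs
     * @return {@code true} when an applicable ACL exists
     */
    private <T extends IAclEntity<?>> boolean hasApplicableAcls(SessionContext sessionContext, T t, String str, boolean z) {
        this.logger.start("hasApplicableAcls", sessionContext, t, str);
        if (sessionContext == null || sessionContext.getDaos() == null || getSessionUser(sessionContext) == null) {
            this.logger.success("hasApplicableAcls", "(No valid session or session user found)");
            return true;
        }
        DaoAccessor daos = sessionContext.getDaos();
        if (!$assertionsDisabled && daos == null) {
            throw new AssertionError();
        }
        boolean applicable = true;
        try {
            String systemDefault = ((DefaultsDaoServer) daos.getService(DefaultsDaoServer.class)).getSystemDefault("enable_gui_acl");
            if (!StringUtils.equalsAnyIgnoreCase(systemDefault, "true", CustomBooleanEditor.VALUE_1)) {
                this.logger.debug("hasApplicableAcls", "Deny applicable ACLs because of 'enable_gui_acl' is set to " + systemDefault, new Object[0]);
                applicable = false;
            }
        } catch (ServiceException e) {
            // The setting could not be read: ACLs stay enabled.
            this.logger.debug("hasApplicableAcls", "Failed to read ''enable_gui_acl'': {0}", e.getMessage());
        }
        if (applicable) {
            List<Acls> objectAcls = null;
            if (t != null) {
                try {
                    // Pass the entity itself: it was previously cast to SessionContext, which an entity is not.
                    objectAcls = getAcls(sessionContext, t, str, false);
                } catch (ServiceException e) {
                    this.logger.debug("hasApplicableAcls", "Failed to load ACLs of the object: {0}", e.getMessage());
                }
            }
            applicable = CollectionUtils.isNotEmpty(objectAcls);
            if (applicable) {
                Users sessionUser = getSessionUser(sessionContext);
                if (!$assertionsDisabled && sessionUser == null) {
                    throw new AssertionError();
                }
                List<Groups> sessionGroups = getSessionGroups(sessionContext);
                if (!$assertionsDisabled && sessionGroups == null) {
                    throw new AssertionError();
                }
                boolean found = checkForApplicableAclsInList(objectAcls, sessionUser, sessionGroups);
                if (!found && z) {
                    // Widen the search to every ACL stored for this origin.
                    AclsFilter originFilter = new AclsFilter();
                    originFilter.setOrigin(str);
                    List<Acls> originAcls = null;
                    try {
                        originAcls = ((AclsDaoServer) daos.getService(AclsDaoServer.class)).filter(originFilter);
                    } catch (ServiceException e) {
                        this.logger.debug("hasApplicableAcls", "Failed to load ACLs of the origin: {0}", e.getMessage());
                    }
                    if (CollectionUtils.isNotEmpty(originAcls)) {
                        found = checkForApplicableAclsInList(originAcls, sessionUser, sessionGroups);
                    }
                    if (!found) {
                        // Last resort: the ACLs of the parent origins, stopping at the first hit.
                        Object daoForOrigin = AclObjectUtil.getDaoForOrigin(str);
                        List<String> parentOrigins = daoForOrigin instanceof IAclEnabledDao ? ((IAclEnabledDao) daoForOrigin).getParentOrigins() : null;
                        if (CollectionUtils.isNotEmpty(parentOrigins)) {
                            for (String parentOrigin : parentOrigins) {
                                AclsFilter parentFilter = new AclsFilter();
                                parentFilter.setOrigin(AclObjectUtil.parseOrigin(parentOrigin));
                                List<Acls> parentAcls = null;
                                try {
                                    parentAcls = ((AclsDaoServer) daos.getService(AclsDaoServer.class)).filter(parentFilter);
                                } catch (ServiceException e) {
                                    this.logger.debug("hasApplicableAcls", "Failed to load ACLs of a parent origin: {0}", e.getMessage());
                                }
                                if (CollectionUtils.isNotEmpty(parentAcls)) {
                                    found = checkForApplicableAclsInList(parentAcls, sessionUser, sessionGroups);
                                }
                                if (found) {
                                    break;
                                }
                            }
                        }
                    }
                }
                applicable = found;
            }
        }
        this.logger.success("hasApplicableAcls", Boolean.valueOf(applicable));
        return applicable;
    }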

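    /**
     * Tells whether at least one of the given ACLs concerns the user.
     *
     * <p>An ACL concerns the user when one of its entries names the user's id or the id of one
     * of the user's groups. If no entry matches, the ACL still counts when its group entry
     * without an id (or, failing that, the entry from
     * {@code DefaultAclProvider.getAclEverybodyUser()}) carries a DENY permission.
     *
     * <p>The entry scans are written as for-each loops so that skipped entries advance to the
     * next one and an exhausted group list ends the scan; the earlier {@code while (true)} forms
     * did neither.
     *
     * @param list ACLs to examine; may be null or empty
     * @param users the session user; must not be null
     * @param list2 the session user's groups; must not be null
     * @return {@code true} when an ACL in the list concerns the user
     */
    private boolean checkForApplicableAclsInList(List<Acls> list, Users users, List<Groups> list2) {
        if (!$assertionsDisabled && users == null) {
            throw new AssertionError();
        }
        if (!$assertionsDisabled && list2 == null) {
            throw new AssertionError();
        }
        if (CollectionUtils.isEmpty(list)) {
            return false;
        }
        for (Acls acls : list) {
            if (!$assertionsDisabled && acls == null) {
                throw new AssertionError();
            }
            this.logger.debug("checkForApplicableAclsInList", "Check if ACL ({0}) is applicable for user {1} and groups {2}", acls, users, list2);
            List<AclUser> aclUsers = acls.getUsers();
            if (aclUsers == null && StringUtils.isNotBlank(acls.getValue())) {
                try {
                    aclUsers = JsonUtil.readList(acls.getValue(), AclUser.class);
                    acls.setUsers(aclUsers);
                } catch (IOException e) {
                    // An unreadable value leaves the ACL without entries, so it is skipped below.
                    this.logger.debug("checkForApplicableAclsInList", "Failed to read ACL users: {0}", e.getMessage());
                }
            }
            if (CollectionUtils.isEmpty(aclUsers)) {
                continue;
            }
            List<AclUser> sortedEntries = new ArrayList<>(aclUsers);
            sortedEntries.sort(AclUser.sorter());
            // Group entry without an id, remembered as the fallback when nothing matches by id.
            AclUser fallbackEntry = null;
            for (AclUser entry : sortedEntries) {
                if (entry.getId() == null) {
                    if (AclUserType.GROUP.equals(entry.getType())) {
                        fallbackEntry = entry;
                    }
                    continue;
                }
                if (AclUserType.USER.equals(entry.getType())) {
                    Long userId = null;
                    try {
                        userId = Long.decode(entry.getId());
                    } catch (NumberFormatException e) {
                        this.logger.debug("checkForApplicableAclsInList", "Failed to decode user id ''{0}''", entry.getId());
                    }
                    if (userId != null) {
                        this.logger.debug("checkForApplicableAclsInList", "Check ACL user ID {0} to match user ID {1}.", userId, users.getId());
                        if (userId.equals(users.getId())) {
                            return true;
                        }
                    }
                } else if (AclUserType.GROUP.equals(entry.getType())) {
                    Long groupId = null;
                    try {
                        groupId = Long.decode(entry.getId());
                    } catch (NumberFormatException e) {
                        this.logger.debug("checkForApplicableAclsInList", "Failed to decode group id ''{0}''", entry.getId());
                    }
                    if (groupId != null && CollectionUtils.isNotEmpty(list2)) {
                        for (Groups group : list2) {
                            this.logger.debug("checkForApplicableAclsInList", "Check ACL group ID {0} to match group ID {1}.", groupId, group.getId());
                            if (groupId.equals(group.getId())) {
                                return true;
                            }
                        }
                    }
                }
            }
            // No entry named the user or one of the groups: a DENY on the fallback entry still applies.
            if (fallbackEntry == null) {
                fallbackEntry = DefaultAclProvider.getAclEverybodyUser();
            }
            if (!$assertionsDisabled && fallbackEntry == null) {
                throw new AssertionError();
            }
            for (AclPermission permission : fallbackEntry.getPermissionsList()) {
                if (AclGrantType.DENY.equals(permission.getGrantType())) {
                    return true;
                }
            }
        }
        return false;
    }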

    /**
     * Asks the DAO for the parent objects of an entity while the given session is installed as
     * the current authentication in {@link SecurityContextHolder}.
     *
     * <p>The authentication that was current before the call is put back afterwards, also when
     * the DAO call throws. Without a session the DAO is not called and {@code null} is returned.
     *
     * @param sessionContext session to install as authentication; may be null
     * @param iAclEnabledDao DAO that knows the parent relation; must not be null
     * @param iEntity entity whose parents are requested; may be null
     * @return the parent objects, or {@code null} when the entity or the session is null
     * @throws ServiceException if the DAO call fails
     */
    public List<IAclEnabledDao.ParentObject> getParentObjects(SessionContext sessionContext, IAclEnabledDao iAclEnabledDao, IEntity<?> iEntity) throws ServiceException {
        if (!$assertionsDisabled && iAclEnabledDao == null) {
            throw new AssertionError();
        }
        if (iEntity == null) {
            return null;
        }
        final Authentication previous = SecurityContextHolder.getContext().getAuthentication();
        List<IAclEnabledDao.ParentObject> parents = null;
        try {
            if (sessionContext != null) {
                SecurityContextHolder.getContext().setAuthentication(sessionContext);
                parents = iAclEnabledDao.getParentObjects(iEntity);
            }
        } finally {
            // Always put the caller's authentication back, whatever happened above.
            SecurityContextHolder.getContext().setAuthentication(previous);
        }
        return parents;
    }

    /**
     * Checks read permission on an entity, logging through this manager's own logger.
     *
     * @param sessionContext session whose permissions are evaluated
     * @param t entity to check
     * @param str origin of the entity
     * @return the result of the read-permission check
     * @throws ServiceException declared by the delegate
     */
    public <T extends IAclEntity<?>> boolean canRead(SessionContext sessionContext, T t, String str) throws ServiceException {
        final ContextLogger ownLogger = this.logger;
        return canRead(sessionContext, ownLogger, t, str);
    }

    /**
     * Read-permission check: runs {@code checkPermission} with a delegate for which
     * {@code FULL_CONTROL}, {@code READ} and {@code READ_EXECUTE} are the relevant permission
     * types, for deny and allow grants alike.
     */
    private <T extends IAclEntity<?>> boolean canRead(SessionContext sessionContext, ContextLogger contextLogger, T t, String str) throws ServiceException {
        final IDelegate readDelegate = new IDelegate() {
            static final /* synthetic */ boolean $assertionsDisabled;

            @Override // de.sep.sesam.acl.AclManager.IDelegate
            public boolean appliesForGrantTypeDeny(AclPermissionType aclPermissionType) {
                if (!$assertionsDisabled && aclPermissionType == null) {
                    throw new AssertionError();
                }
                if (AclPermissionType.FULL_CONTROL.equals(aclPermissionType)) {
                    return true;
                }
                return AclPermissionType.READ.equals(aclPermissionType) || AclPermissionType.READ_EXECUTE.equals(aclPermissionType);
            }

            @Override // de.sep.sesam.acl.AclManager.IDelegate
            public boolean appliesForGrantTypeAllow(AclPermissionType aclPermissionType) {
                if (!$assertionsDisabled && aclPermissionType == null) {
                    throw new AssertionError();
                }
                if (AclPermissionType.FULL_CONTROL.equals(aclPermissionType)) {
                    return true;
                }
                return AclPermissionType.READ.equals(aclPermissionType) || AclPermissionType.READ_EXECUTE.equals(aclPermissionType);
            }

            static {
                $assertionsDisabled = !AclManager.class.desiredAssertionStatus();
            }
        };
        return checkPermission(sessionContext, contextLogger, t, str, readDelegate);
    }

    /**
     * Checks write permission on an entity, logging through this manager's own logger.
     *
     * @param sessionContext session whose permissions are evaluated
     * @param t entity to check
     * @param str origin of the entity
     * @return the result of the write-permission check
     * @throws ServiceException declared by the delegate
     */
    public <T extends IAclEntity<?>> boolean canWrite(SessionContext sessionContext, T t, String str) throws ServiceException {
        final ContextLogger ownLogger = this.logger;
        return canWrite(sessionContext, ownLogger, t, str);
    }

    /**
     * Write-permission check: runs {@code checkPermission} with a delegate for which
     * {@code FULL_CONTROL} and {@code WRITE} are the relevant permission types, for deny and
     * allow grants alike.
     */
    private <T extends IAclEntity<?>> boolean canWrite(SessionContext sessionContext, ContextLogger contextLogger, T t, String str) throws ServiceException {
        final IDelegate writeDelegate = new IDelegate() {
            static final /* synthetic */ boolean $assertionsDisabled;

            @Override // de.sep.sesam.acl.AclManager.IDelegate
            public boolean appliesForGrantTypeDeny(AclPermissionType aclPermissionType) {
                if (!$assertionsDisabled && aclPermissionType == null) {
                    throw new AssertionError();
                }
                if (AclPermissionType.FULL_CONTROL.equals(aclPermissionType)) {
                    return true;
                }
                return AclPermissionType.WRITE.equals(aclPermissionType);
            }

            @Override // de.sep.sesam.acl.AclManager.IDelegate
            public boolean appliesForGrantTypeAllow(AclPermissionType aclPermissionType) {
                if (!$assertionsDisabled && aclPermissionType == null) {
                    throw new AssertionError();
                }
                if (AclPermissionType.FULL_CONTROL.equals(aclPermissionType)) {
                    return true;
                }
                return AclPermissionType.WRITE.equals(aclPermissionType);
            }

            static {
                $assertionsDisabled = !AclManager.class.desiredAssertionStatus();
            }
        };
        return checkPermission(sessionContext, contextLogger, t, str, writeDelegate);
    }

    /**
     * Checks execute permission on an entity, logging through this manager's own logger.
     *
     * @param sessionContext session whose permissions are evaluated
     * @param t entity to check
     * @param str origin of the entity
     * @return the result of the execute-permission check
     * @throws ServiceException declared by the delegate
     */
    public <T extends IAclEntity<?>> boolean canExecute(SessionContext sessionContext, T t, String str) throws ServiceException {
        final ContextLogger ownLogger = this.logger;
        return canExecute(sessionContext, ownLogger, t, str);
    }

    /**
     * Execute-permission check: runs {@code checkPermission} with a delegate for which
     * {@code FULL_CONTROL} and {@code READ_EXECUTE} are the relevant permission types, for deny
     * and allow grants alike.
     */
    private <T extends IAclEntity<?>> boolean canExecute(SessionContext sessionContext, ContextLogger contextLogger, T t, String str) throws ServiceException {
        final IDelegate executeDelegate = new IDelegate() {
            static final /* synthetic */ boolean $assertionsDisabled;

            @Override // de.sep.sesam.acl.AclManager.IDelegate
            public boolean appliesForGrantTypeDeny(AclPermissionType aclPermissionType) {
                if (!$assertionsDisabled && aclPermissionType == null) {
                    throw new AssertionError();
                }
                if (AclPermissionType.FULL_CONTROL.equals(aclPermissionType)) {
                    return true;
                }
                return AclPermissionType.READ_EXECUTE.equals(aclPermissionType);
            }

            @Override // de.sep.sesam.acl.AclManager.IDelegate
            public boolean appliesForGrantTypeAllow(AclPermissionType aclPermissionType) {
                if (!$assertionsDisabled && aclPermissionType == null) {
                    throw new AssertionError();
                }
                if (AclPermissionType.FULL_CONTROL.equals(aclPermissionType)) {
                    return true;
                }
                return AclPermissionType.READ_EXECUTE.equals(aclPermissionType);
            }

            static {
                $assertionsDisabled = !AclManager.class.desiredAssertionStatus();
            }
        };
        return checkPermission(sessionContext, contextLogger, t, str, executeDelegate);
    }

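    /**
     * Evaluates the ACLs stored for an entity against the session user and decides whether the
     * operation described by {@code iDelegate} is granted.
     *
     * <p>Decision order, as implemented below:
     * <ol>
     *   <li>{@code t == null} or a blank {@code str}: denied.</li>
     *   <li>ACL bypass active for the session, or entity excluded by {@code isExcluded}: granted.</li>
     *   <li>No session, no DAO accessor or no session user: granted.</li>
     *   <li>No ACLs found for the entity: granted.</li>
     *   <li>Otherwise the ACLs are evaluated in order and evaluation stops at the first ACL that
     *       yields a denial.</li>
     * </ol>
     *
     * <p>Within one ACL the entries are sorted with {@code AclUser.sorter()}. A USER entry whose id
     * equals the session user's id decides and ends the scan. GROUP entries whose id equals one of
     * the session groups apply their permissions; the scan ends once every session group has been
     * matched. If the scan was not ended that way, the GROUP entry without an id (or, when there is
     * none, {@code DefaultAclProvider.getAclEverybodyUser()}) is applied as the fallback.
     *
     * <p>The permission and group loops now stop when their iterator is exhausted. They were written
     * as {@code while (true)} around an {@code if (hasNext())}, which never terminates once no
     * further entry matches.
     *
     * @param sessionContext session whose user and groups are evaluated; may be {@code null}
     * @param contextLogger logger receiving the start/success trace; must not be {@code null}
     * @param t entity whose ACLs are consulted
     * @param str origin name handed to the ACL lookup and used in log messages
     * @param iDelegate decides which permission types are relevant for DENY and for ALLOW grants
     * @return {@code true} when access is granted, {@code false} when it is denied
     * @throws ServiceException declared by the method; presumably raised by the ACL lookup - confirm
     */
    private <T extends IAclEntity<?>> boolean checkPermission(SessionContext sessionContext, ContextLogger contextLogger, T t, String str, IDelegate iDelegate) throws ServiceException {
        if (!$assertionsDisabled && contextLogger == null) {
            throw new AssertionError();
        }
        if (!$assertionsDisabled && iDelegate == null) {
            throw new AssertionError();
        }
        contextLogger.start("checkPermission", new Object[0]);
        if (t == null || StringUtils.isBlank(str)) {
            return false;
        }
        if (isBypassACL(sessionContext) || isExcluded(t)) {
            contextLogger.success("checkPermission", "(ACL check by passed or item excluded)");
            return true;
        }
        // NOTE(review): this branch fails open - a missing session, DAO accessor or session user is
        // treated as "granted". Confirm that every caller reaching this point without a session is
        // trusted internal code; otherwise this should deny.
        if (sessionContext == null || sessionContext.getDaos() == null || getSessionUser(sessionContext) == null) {
            contextLogger.success("checkPermission", "(No valid session or session user found)");
            return true;
        }
        DaoAccessor daos = sessionContext.getDaos();
        if (!$assertionsDisabled && daos == null) {
            throw new AssertionError();
        }
        String pkText = null;
        Object pk = t.getPK();
        if (pk != null) {
            pkText = pk.toString();
            if (pk instanceof AbstractSerializableObject) {
                try {
                    pkText = JsonUtil.toString(pk);
                } catch (Exception ignored) {
                    // JSON rendering failed: the toString() form assigned above stays in use.
                    // NOTE(review): a differently rendered key may not match the stored ACL id, and
                    // "no ACLs found" below means "granted" - consider logging this failure.
                }
            }
        }
        // NOTE(review): the cast on the second argument looks like a decompiler artifact; confirm
        // against the signature of getAcls.
        List<Acls> acls = getAcls(sessionContext, (SessionContext) t, pkText, str);
        // Default-allow: an entity without any ACL is accessible to every session user.
        if (CollectionUtils.isEmpty(acls)) {
            contextLogger.success("checkPermission", "(No ACLs found for item " + t.getPK() + " of origin " + str);
            return true;
        }
        boolean granted = true;
        for (int i = 0; i < acls.size() && granted; i++) {
            List<AclUser> users = acls.get(i).getUsers();
            if (CollectionUtils.isEmpty(users)) {
                continue;
            }
            // Work on a sorted copy so the ACL's own list is left untouched.
            List<AclUser> sortedUsers = new ArrayList<>(users);
            sortedUsers.sort(AclUser.sorter());
            AclUser fallbackEntry = null;
            boolean keepScanning = true;
            // Session groups not yet matched by a GROUP entry of this ACL.
            List<Groups> unmatchedGroups = null;
            for (int j = 0; j < sortedUsers.size() && keepScanning; j++) {
                AclUser entry = sortedUsers.get(j);
                if (entry.getId() == null) {
                    // A GROUP entry without an id is remembered as the fallback for this ACL.
                    if (AclUserType.GROUP.equals(entry.getType())) {
                        fallbackEntry = entry;
                    }
                    continue;
                }
                if (AclUserType.USER.equals(entry.getType())) {
                    Long userId = parseAclUserId(entry.getId());
                    if (userId != null && userId.equals(getSessionUser(sessionContext).getId())) {
                        // The entry for the session user itself decides and ends the scan.
                        keepScanning = false;
                        granted = applyMatchingPermission(entry.getPermissionsList(), iDelegate, granted);
                    }
                } else if (AclUserType.GROUP.equals(entry.getType())) {
                    Long groupId = parseAclUserId(entry.getId());
                    List<Groups> sessionGroups = getSessionGroups(sessionContext);
                    if (groupId != null && CollectionUtils.isNotEmpty(sessionGroups)) {
                        if (unmatchedGroups == null) {
                            unmatchedGroups = new ArrayList<>(sessionGroups);
                        }
                        for (Groups group : sessionGroups) {
                            if (groupId.equals(group.getId())) {
                                unmatchedGroups.remove(group);
                                if (unmatchedGroups.isEmpty()) {
                                    keepScanning = false;
                                }
                                granted = applyMatchingPermission(entry.getPermissionsList(), iDelegate, granted);
                            }
                        }
                    }
                }
            }
            if (keepScanning) {
                if (fallbackEntry == null) {
                    fallbackEntry = DefaultAclProvider.getAclEverybodyUser();
                }
                if (!$assertionsDisabled && fallbackEntry == null) {
                    throw new AssertionError();
                }
                granted = applyMatchingPermission(fallbackEntry.getPermissionsList(), iDelegate, granted);
            }
        }
        contextLogger.success("checkPermission", "User " + getSessionUser(sessionContext).getId() + " has evaluated access for item " + t.getPK() + " of origin " + str + " -> " + granted);
        return granted;
    }

    // Returns the decision of the first permission the delegate considers relevant (DENY -> false,
    // ALLOW -> true), or the current decision unchanged when no permission is relevant.
    private boolean applyMatchingPermission(Iterable<AclPermission> permissions, IDelegate iDelegate, boolean current) {
        for (AclPermission permission : permissions) {
            if (AclGrantType.DENY.equals(permission.getGrantType()) && iDelegate.appliesForGrantTypeDeny(permission.getType())) {
                return false;
            }
            if (AclGrantType.ALLOW.equals(permission.getGrantType()) && iDelegate.appliesForGrantTypeAllow(permission.getType())) {
                return true;
            }
        }
        return current;
    }

    // Decodes an ACL entry id; a non-numeric id yields null and therefore matches no user or group.
    private static Long parseAclUserId(String id) {
        try {
            return Long.decode(id);
        } catch (NumberFormatException ignored) {
            return null;
        }
    }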

    /**
     * Tells whether an entity is exempt from ACL evaluation because one of its names starts with the
     * immediate, restart or delayed schedule prefix defined in {@code SchedulesDao}.
     *
     * <p>Checked names: the name of a {@code Schedules}; the name or the schedule name of an
     * {@code IEventsEntity}; the schedule of a {@code Terms}. Any other entity type is never excluded.
     *
     * <p>{@code checkPermission} grants access to an excluded entity without looking at its ACLs.
     * NOTE(review): the exemption rests on the name prefix alone - confirm that users cannot create
     * or rename entities so that they carry one of these prefixes.
     *
     * @param t entity to classify
     * @return {@code true} when the entity is exempt from the ACL check
     */
    private <T extends IAclEntity<?>> boolean isExcluded(T t) {
        if (t instanceof Schedules) {
            final Schedules schedule = (Schedules) t;
            return StringUtils.startsWithAny(schedule.getName(), SchedulesDao.IMMEDIATE_SCHEDULE_PREFIX, SchedulesDao.RESTART_SCHEDULE_PREFIX, SchedulesDao.DELAYED_SCHEDULE_PREFIX);
        }
        if (t instanceof IEventsEntity) {
            final IEventsEntity event = (IEventsEntity) t;
            // The event's own name is tested first; its schedule name only when that does not match.
            if (StringUtils.startsWithAny(event.getName(), SchedulesDao.IMMEDIATE_SCHEDULE_PREFIX, SchedulesDao.RESTART_SCHEDULE_PREFIX, SchedulesDao.DELAYED_SCHEDULE_PREFIX)) {
                return true;
            }
            return StringUtils.startsWithAny(event.getScheduleName(), SchedulesDao.IMMEDIATE_SCHEDULE_PREFIX, SchedulesDao.RESTART_SCHEDULE_PREFIX, SchedulesDao.DELAYED_SCHEDULE_PREFIX);
        }
        if (t instanceof Terms) {
            final Terms term = (Terms) t;
            return StringUtils.startsWithAny(term.getSchedule(), SchedulesDao.IMMEDIATE_SCHEDULE_PREFIX, SchedulesDao.RESTART_SCHEDULE_PREFIX, SchedulesDao.DELAYED_SCHEDULE_PREFIX);
        }
        return false;
    }

    static {
        // The flag guards the explicit AssertionError checks in this class: they are skipped when
        // assertions are not enabled for AclManager.
        final boolean assertionsEnabled = AclManager.class.desiredAssertionStatus();
        $assertionsDisabled = !assertionsEnabled;
    }
}
