package org.duracloud.account.security.vote;

import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import org.aopalliance.intercept.MethodInvocation;
import org.duracloud.account.db.model.AccountRights;
import org.duracloud.account.db.model.DuracloudUser;
import org.duracloud.account.db.model.Role;
import org.duracloud.account.db.repo.DuracloudRepoMgr;
import org.duracloud.account.security.domain.SecuredRule;
import org.duracloud.common.error.DuraCloudRuntimeException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

/* loaded from: input_file:org/duracloud/account/security/vote/BaseAccessDecisionVoter.class */
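/**
 * Shared base for voters that authorize calls to one secured service interface.
 *
 * <p>{@link #vote} is final and fixes the decision order: abstain when the invoked
 * object does not directly implement {@link #getTargetService()}, grant when the
 * caller is a root user, otherwise parse the single security attribute into a
 * {@link SecuredRule} and delegate to {@link #voteImpl}.
 *
 * <p>Security-relevant points for subclasses and reviewers:
 * <ul>
 *   <li>The root-user grant happens before the rule is parsed, so a malformed
 *       attribute is never reported for root callers.</li>
 *   <li>A {@code String} principal is mapped to a placeholder user that carries only
 *       a username; helpers that compare ids or usernames deny when the value on
 *       the user is missing.</li>
 *   <li>The helpers return the {@link AccessDecisionVoter} vote constants
 *       ({@code ACCESS_GRANTED}, {@code ACCESS_ABSTAIN}, {@code ACCESS_DENIED}).</li>
 * </ul>
 */
public abstract class BaseAccessDecisionVoter implements AccessDecisionVoter<MethodInvocation> {
    protected Logger log = LoggerFactory.getLogger(BaseAccessDecisionVoter.class);
    private final DuracloudRepoMgr repoMgr;

    /**
     * @param duracloudRepoMgr repository manager used to look up account rights
     */
    public BaseAccessDecisionVoter(DuracloudRepoMgr duracloudRepoMgr) {
        this.repoMgr = duracloudRepoMgr;
    }

    /**
     * @return the service interface whose invocations this voter decides on
     */
    protected abstract Class<?> getTargetService();

    /**
     * Accepts every configuration attribute; the attribute is only interpreted
     * later, by {@link #getRule}.
     */
    @Override
    public boolean supports(ConfigAttribute configAttribute) {
        this.log.trace("supports attribute{}", configAttribute.getAttribute());
        return true;
    }

    /**
     * @return {@code true} only for secured objects that are method invocations
     */
    @Override
    public boolean supports(Class<?> cls) {
        this.log.trace("supports {}", cls.getName());
        return MethodInvocation.class.isAssignableFrom(cls);
    }

    /**
     * Checks whether the invoked object directly implements the target service.
     *
     * <p>Only the interfaces declared on the object's own class are inspected;
     * interfaces inherited from a superclass or a super-interface do not match.
     *
     * @return {@code true} when one of those interfaces equals {@link #getTargetService()}
     */
    protected boolean supportsTarget(MethodInvocation methodInvocation) {
        Class<?> targetService = getTargetService();
        // Class#getInterfaces never returns null; an empty array simply skips the loop.
        for (Class<?> candidate : methodInvocation.getThis().getClass().getInterfaces()) {
            if (candidate.equals(targetService)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Builds the rule from the one security attribute attached to the method.
     *
     * @throws DuraCloudRuntimeException when the collection is null or does not
     *         hold exactly one attribute
     */
    protected SecuredRule getRule(Collection<ConfigAttribute> collection) {
        if (null == collection || collection.size() != 1) {
            throw new DuraCloudRuntimeException("Invalid security att " + collection);
        }
        return new SecuredRule(collection.iterator().next().getAttribute());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * @return the authority strings granted to the authentication, de-duplicated
     */
    public Collection<String> getUserRoles(Authentication authentication) {
        Set<String> authorities = new HashSet<String>();
        for (GrantedAuthority granted : authentication.getAuthorities()) {
            authorities.add(granted.getAuthority());
        }
        return authorities;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * @param str        required role name
     * @param collection role names held by the caller
     * @return {@code ACCESS_GRANTED} when the role is present, else {@code ACCESS_DENIED}
     */
    public int voteHasRole(String str, Collection<String> collection) {
        return collection.contains(str) ? ACCESS_GRANTED : ACCESS_DENIED;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Votes on whether the user holds the named role on the given account.
     *
     * @param duracloudUser user whose account rights are looked up by id
     * @param str           required authority name
     * @param l             account id
     * @return {@code ACCESS_GRANTED} when one of the user's roles on the account has
     *         that authority; {@code ACCESS_DENIED} when there are no rights, no
     *         roles, or no match
     */
    public int voteUserHasRoleOnAccount(DuracloudUser duracloudUser, String str, Long l) {
        this.log.trace("Does user {} have role {} on acct {}?", new Object[]{duracloudUser.getId(), str, l});
        AccountRights rights = getUserRightsForAcct(duracloudUser.getId(), l);
        if (null == rights) {
            return ACCESS_DENIED;
        }
        Set<Role> roles = rights.getRoles();
        this.log.trace("Roles found: {}", roles);
        if (roles == null || roles.isEmpty()) {
            return ACCESS_DENIED;
        }
        for (Role role : roles) {
            if (str.equals(role.authority().getAuthority())) {
                return ACCESS_GRANTED;
            }
        }
        return ACCESS_DENIED;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Votes on whether one user may change another user's roles on an account.
     *
     * <p>Both checks must pass: the acting user's roles must cover the other user's
     * current roles and the role set passed in {@code set}.
     *
     * @param l   id of the acting user
     * @param l2  account id
     * @param l3  id of the user being managed
     * @param set second role set to check, presumably the roles being assigned
     *            (inferred from the log message; confirm against callers)
     * @return {@code ACCESS_GRANTED} only when both checks grant; {@code ACCESS_DENIED}
     *         otherwise, including when either user has no rights on the account
     */
    public int voteUserHasRoleOnAcctToUpdateOthersRoles(Long l, Long l2, Long l3, Set<Role> set) {
        this.log.trace("Voting if user {} has roles on acct {} to manage {}.", new Object[]{l, l2, l3});
        AccountRights actorRights = getUserRightsForAcct(l, l2);
        AccountRights otherRights = getUserRightsForAcct(l3, l2);
        if (null == actorRights || null == otherRights) {
            this.log.warn("No rights found for users {}, {} on acct {}", new Object[]{l, l3, l2});
            return ACCESS_DENIED;
        }
        boolean coversCurrentRoles = hasVote(voteRolesAreSufficientToUpdateOther(actorRights.getRoles(), otherRights.getRoles()));
        boolean coversRequestedRoles = hasVote(voteRolesAreSufficientToUpdateOther(actorRights.getRoles(), set));
        this.log.trace("Are {} sufficient to update both {} and {}?", new Object[]{actorRights.getRoles(), otherRights.getRoles(), set});
        return (coversCurrentRoles && coversRequestedRoles) ? ACCESS_GRANTED : ACCESS_DENIED;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Votes on whether the first role set is enough to manage a holder of the second.
     *
     * <p>The check is membership of the second set's highest role in the first set,
     * so it presumably relies on role sets listing every implied lower role (confirm
     * against {@code Role}).
     *
     * @param set  roles of the acting user
     * @param set2 roles of the user being managed
     * @return {@code ACCESS_GRANTED} when {@code set} contains the highest role of
     *         {@code set2}; {@code ACCESS_DENIED} otherwise, including for null sets
     *         or when no highest role is found
     */
    public int voteRolesAreSufficientToUpdateOther(Set<Role> set, Set<Role> set2) {
        if (null == set || null == set2) {
            this.log.warn("Null roles one or more {}, {}", set, set2);
            return ACCESS_DENIED;
        }
        Role highestOther = Role.highestRole(set2);
        if (null == highestOther) {
            this.log.warn("No highest role found for {}", set2);
            return ACCESS_DENIED;
        }
        boolean sufficient = set.contains(highestOther);
        // This trace line is written on both outcomes; the decision is the return value.
        this.log.trace("Roles {} has permission to manage other {}", set, highestOther);
        return sufficient ? ACCESS_GRANTED : ACCESS_DENIED;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * @return {@code true} only for {@code ACCESS_GRANTED}; an abstain counts as no vote
     */
    public boolean hasVote(int i) {
        return i == ACCESS_GRANTED;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Counts the distinct rights entries stored for an account.
     *
     * @param l account id
     * @return the number of distinct entries, or 0 when the repository returns null
     */
    public int numUsersForAccount(Long l) {
        // Guard the repository result itself: a freshly constructed set is never
        // null, so checking the set afterwards could not catch a null lookup.
        Collection<? extends AccountRights> found = this.repoMgr.getRightsRepo().findByAccountId(l);
        if (null == found) {
            return 0;
        }
        return new HashSet<AccountRights>(found).size();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * @param l  user id
     * @param l2 account id
     * @return whatever the rights repository returns for that account and user;
     *         callers in this class treat null as "no rights"
     */
    public AccountRights getUserRightsForAcct(Long l, Long l2) {
        // The repository takes the account id first, the user id second.
        return this.repoMgr.getRightsRepo().findByAccountIdAndUserId(l2, l);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * @param l account id
     * @return a new set holding every rights entry the repository returns for the account
     */
    public Set<AccountRights> getAllUserRightsForAcct(Long l) {
        return new HashSet<AccountRights>(this.repoMgr.getRightsRepo().findByAccountId(l));
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Votes on whether the given id belongs to the user.
     *
     * @param duracloudUser current user
     * @param l             id being acted on
     * @return {@code ACCESS_GRANTED} when the ids are equal; {@code ACCESS_DENIED}
     *         otherwise, including when the user has no id
     */
    public int voteMyUserId(DuracloudUser duracloudUser, Long l) {
        // The placeholder built for a String principal has no id assigned here, so
        // deny instead of dereferencing null. A missing id must never match a null target.
        Long ownId = duracloudUser.getId();
        return (ownId != null && ownId.equals(l)) ? ACCESS_GRANTED : ACCESS_DENIED;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Votes on whether the given username belongs to the user.
     *
     * @param duracloudUser current user
     * @param str           username being acted on
     * @return {@code ACCESS_GRANTED} when the usernames are equal; {@code ACCESS_DENIED}
     *         otherwise, including when the user has no username
     */
    public int voteMyUsername(DuracloudUser duracloudUser, String str) {
        // Same fail-closed rule as voteMyUserId: a missing username never matches.
        String ownName = duracloudUser.getUsername();
        return (ownName != null && ownName.equals(str)) ? ACCESS_GRANTED : ACCESS_DENIED;
    }

    /**
     * Resolves the user behind the authentication.
     *
     * <p>A {@code String} principal becomes a new {@link DuracloudUser} with only the
     * username set. Any other principal is cast to {@link DuracloudUser}.
     *
     * <p>NOTE(review): a principal of an unrelated type raises
     * {@code ClassCastException}, and a null principal is returned as null, which
     * {@link #vote} dereferences. Both end in an exception rather than a vote; confirm
     * that the access-decision caller treats that as a denial.
     */
    protected DuracloudUser getCurrentUser(Authentication authentication) {
        Object principal = authentication.getPrincipal();
        if (!(principal instanceof String)) {
            return (DuracloudUser) principal;
        }
        this.log.trace("Unknown user {}", principal);
        DuracloudUser placeholder = new DuracloudUser();
        placeholder.setUsername((String) principal);
        return placeholder;
    }

    /**
     * @return the constant name for a vote value, or {@code "unknown"} for any other value
     */
    protected String asString(int i) {
        switch (i) {
            case ACCESS_DENIED:
                return "ACCESS_DENIED";
            case ACCESS_ABSTAIN:
                return "ACCESS_ABSTAIN";
            case ACCESS_GRANTED:
                return "ACCESS_GRANTED";
            default:
                return "unknown";
        }
    }

    /**
     * Decides the vote for one method invocation.
     *
     * <p>Order of checks: abstain when the target is not supported, grant for a root
     * user, otherwise hand the parsed rule to {@link #voteImpl}.
     *
     * @throws DuraCloudRuntimeException when a non-root call does not carry exactly
     *         one security attribute
     */
    @Override
    public final int vote(Authentication authentication, MethodInvocation methodInvocation, Collection<ConfigAttribute> collection) {
        if (!supportsTarget(methodInvocation)) {
            return castVote(ACCESS_ABSTAIN, methodInvocation);
        }
        DuracloudUser currentUser = getCurrentUser(authentication);
        if (currentUser.isRootUser()) {
            // Trace the root grant like every other outcome so that it appears in
            // the vote log; the returned value is fixed and not taken from castVote.
            castVote(ACCESS_GRANTED, methodInvocation);
            return ACCESS_GRANTED;
        }
        SecuredRule rule = getRule(collection);
        return voteImpl(authentication, methodInvocation, collection, methodInvocation.getArguments(), currentUser, rule, rule.getRole().name(), rule.getScope());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Writes the vote to the trace log and returns it unchanged.
     *
     * @param i vote value
     * @return {@code i}
     */
    public int castVote(int i, MethodInvocation methodInvocation) {
        String methodName = methodInvocation.getMethod().getName();
        this.log.trace("{}.{}() = {}", new Object[]{methodInvocation.getThis().getClass().getSimpleName(), methodName, asString(i)});
        return i;
    }

    /**
     * Subclass decision for a supported target and a non-root user.
     *
     * @param objArr        arguments of the invoked method
     * @param duracloudUser current user as resolved by {@link #getCurrentUser}
     * @param securedRule   rule parsed from the single security attribute
     * @param str           name of the rule's role
     * @param scope         scope of the rule
     * @return one of the {@link AccessDecisionVoter} vote constants
     */
    protected abstract int voteImpl(Authentication authentication, MethodInvocation methodInvocation, Collection<ConfigAttribute> collection, Object[] objArr, DuracloudUser duracloudUser, SecuredRule securedRule, String str, SecuredRule.Scope scope);

    // The decompiler also listed the synthetic bridge vote(Authentication, Object,
    // Collection). The compiler generates that bridge for the generic interface
    // method; declaring it by hand clashes with the typed vote() above.
}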
