package org.opencrx.security.layer.application;

import java.util.Date;
import java.util.Iterator;
import java.util.List;
import javax.resource.ResourceException;
import javax.resource.cci.Interaction;
import javax.resource.cci.MappedRecord;
import org.opencrx.kernel.generic.OpenCrxException;
import org.opencrx.kernel.generic.SecurityKeys;
import org.opencrx.security.identity1.jmi1.Identity1Package;
import org.openmdx.application.dataprovider.cci.FilterProperty;
import org.openmdx.base.exception.ServiceException;
import org.openmdx.base.mof.cci.Model_1_0;
import org.openmdx.base.mof.spi.Model_1Factory;
import org.openmdx.base.naming.Path;
import org.openmdx.base.persistence.spi.PersistenceManagers;
import org.openmdx.base.query.ConditionType;
import org.openmdx.base.query.IsInCondition;
import org.openmdx.base.query.Quantifier;
import org.openmdx.base.resource.InteractionSpecs;
import org.openmdx.base.resource.Records;
import org.openmdx.base.resource.cci.RestFunction;
import org.openmdx.base.resource.spi.ResourceExceptions;
import org.openmdx.base.resource.spi.RestInteractionSpec;
import org.openmdx.base.rest.cci.MessageRecord;
import org.openmdx.base.rest.cci.ObjectRecord;
import org.openmdx.base.rest.cci.QueryFilterRecord;
import org.openmdx.base.rest.cci.QueryRecord;
import org.openmdx.base.rest.cci.RestConnection;
import org.openmdx.base.rest.cci.ResultRecord;
import org.openmdx.base.rest.spi.AbstractRestInteraction;
import org.openmdx.base.rest.spi.AbstractRestPort;
import org.openmdx.base.rest.spi.Facades;
import org.openmdx.base.rest.spi.Object_2Facade;
import org.openmdx.base.text.conversion.Base64;
import org.openmdx.kernel.exception.BasicException;

/* loaded from: input_file:org/opencrx/security/layer/application/OpenCrxSecurity_2.class */
public class OpenCrxSecurity_2 extends AbstractRestPort {
    protected final InteractionSpecs SUPER = InteractionSpecs.getRestInteractionSpecs(false);
    protected static final Path AUTHORIZATION_AUTHORITY = new Path("xri://@openmdx*org.openmdx.security.authorization1");
    protected static final Path REALM_AUTHORITY = new Path("xri://@openmdx*org.openmdx.security.realm1");
    protected static final Path IDENTITY_AUTHORITY = new Path(Identity1Package.AUTHORITY_XRI);
    protected static final Path PATH_PATTERN_PRINCIPALS = REALM_AUTHORITY.getDescendant(new String[]{"provider", ":*", "segment", ":*", "realm", ":*", "principal"});
    protected static final Path PATH_PATTERN_PRINCIPAL = PATH_PATTERN_PRINCIPALS.getDescendant(new String[]{":*"});
    protected static final Path PATH_PATTERN_REALM = REALM_AUTHORITY.getDescendant(new String[]{"provider", ":*", "segment", ":*", "realm", ":*"});
    protected static final Path PATH_PATTERN_REALM_COMPOSITES = REALM_AUTHORITY.getDescendant(new String[]{"provider", ":*", "segment", ":*", "realm", ":*", ":*"});
    protected static final Path PATH_PATTERN_SUBJECTS = IDENTITY_AUTHORITY.getDescendant(new String[]{"provider", ":*", "segment", ":*", "subject"});
    protected static final Path PATH_PATTERN_POLICIES = AUTHORIZATION_AUTHORITY.getDescendant(new String[]{"provider", ":*", "segment", ":*", "policy"});
    protected static final Path PATH_PATTERN_ROLES = AUTHORIZATION_AUTHORITY.getDescendant(new String[]{"provider", ":*", "segment", ":*", "policy", ":*", "role"});
    protected static final Path PATH_PATTERN_ROLE = PATH_PATTERN_ROLES.getDescendant(new String[]{":*"});

    /* loaded from: input_file:org/opencrx/security/layer/application/OpenCrxSecurity_2$RestInteraction.class */
    public class RestInteraction extends AbstractRestInteraction {
        public RestInteraction(RestConnection restConnection) throws ResourceException {
            super(restConnection, OpenCrxSecurity_2.this.newDelegateInteraction(restConnection));
        }

        protected String getPrincipalName(RestInteractionSpec restInteractionSpec) throws ResourceException {
            List principalChain = PersistenceManagers.toPrincipalChain(getConnection().getMetaData().getUserName());
            if (principalChain.isEmpty()) {
                return null;
            }
            return (String) principalChain.get(0);
        }

        protected ResultRecord newResult() throws ResourceException {
            return Records.getRecordFactory().createIndexedRecord(ResultRecord.class);
        }

        protected MappedRecord newOperationResult(String str) throws ResourceException {
            return Records.getRecordFactory().createMappedRecord(str);
        }

        protected void touchRealm(RestInteractionSpec restInteractionSpec, Path path) throws ResourceException {
            if (path.size() < OpenCrxSecurity_2.PATH_PATTERN_REALM_COMPOSITES.size() || !path.getPrefix(OpenCrxSecurity_2.PATH_PATTERN_REALM_COMPOSITES.size()).isLike(OpenCrxSecurity_2.PATH_PATTERN_REALM_COMPOSITES)) {
                return;
            }
            try {
                ObjectRecord retrieveObject = retrieveObject(path.getPrefix(7), "all");
                if (retrieveObject != null) {
                    Object_2Facade asObject = Facades.asObject(retrieveObject.clone());
                    asObject.attributeValuesAsList("modifiedAt").clear();
                    asObject.attributeValuesAsList("modifiedAt").add(new Date());
                    super.update(OpenCrxSecurity_2.this.SUPER.UPDATE, retrieveObject, Records.getRecordFactory().createIndexedRecord(ResultRecord.class));
                }
            } catch (Exception e) {
                ServiceException serviceException = new ServiceException(e);
                if (-34 != serviceException.getExceptionCode() && -20 != serviceException.getExceptionCode()) {
                    throw ResourceExceptions.initHolder(new ResourceException(BasicException.newEmbeddedExceptionStack(e)));
                }
            }
        }

        protected boolean changePassword(RestInteractionSpec restInteractionSpec, ObjectRecord objectRecord, MappedRecord mappedRecord, MessageRecord messageRecord) throws ResourceException {
            try {
                Object_2Facade asObject = Facades.asObject(objectRecord);
                String encode = mappedRecord.get("oldPassword") != null ? Base64.encode((byte[]) mappedRecord.get("oldPassword")) : null;
                if (encode != null && !encode.equals(asObject.attributeValue("password"))) {
                    throw ResourceExceptions.initHolder(new ResourceException("old password verification mismatch", BasicException.newEmbeddedExceptionStack(OpenCrxException.DOMAIN, -2, new BasicException.Parameter[]{new BasicException.Parameter("credential", objectRecord)})));
                }
                ObjectRecord cloneObject = Object_2Facade.cloneObject(objectRecord);
                Object_2Facade asObject2 = Facades.asObject(cloneObject);
                asObject2.attributeValuesAsList("password").clear();
                asObject2.attributeValuesAsList("password").add(Base64.encode((byte[]) mappedRecord.get("password")));
                asObject2.attributeValuesAsList("modifiedAt").clear();
                asObject2.attributeValuesAsList("modifiedAt").add(new Date());
                messageRecord.setBody(newOperationResult("org:openmdx:base:Void"));
                return super.update(OpenCrxSecurity_2.this.SUPER.UPDATE, cloneObject, newResult());
            } catch (ServiceException e) {
                throw ResourceExceptions.initHolder(new ResourceException(BasicException.newEmbeddedExceptionStack(e)));
            }
        }

        public ObjectRecord retrieveObject(Path path, String str) throws ResourceException {
            ResultRecord newResult = newResult();
            QueryRecord newQuery = newQuery(path);
            newQuery.setFetchGroupName(str);
            super.get(OpenCrxSecurity_2.this.SUPER.GET, newQuery, newResult);
            if (newResult.isEmpty()) {
                return null;
            }
            return (ObjectRecord) newResult.get(0);
        }

        protected boolean checkPermission(RestInteractionSpec restInteractionSpec, Path path) throws ResourceException {
            String principalName = getPrincipalName(restInteractionSpec);
            boolean startsWith = principalName.startsWith("admin" + SecurityKeys.ID_SEPARATOR);
            if (!startsWith) {
                try {
                    Path descendant = ((path.startsWith(OpenCrxSecurity_2.REALM_AUTHORITY) || path.startsWith(OpenCrxSecurity_2.AUTHORIZATION_AUTHORITY)) && path.size() >= 7) ? OpenCrxSecurity_2.REALM_AUTHORITY.getDescendant(new String[]{"provider", path.getSegment(2).toString(), "segment", "Root", "realm", path.getSegment(6).toString(), "principal"}) : OpenCrxSecurity_2.REALM_AUTHORITY.getDescendant(new String[]{"provider", path.getSegment(2).toString(), "segment", "Root", "realm", path.getSegment(4).toString(), "principal"});
                    Object_2Facade asObject = Facades.asObject(retrieveObject(descendant.getDescendant(new String[]{principalName}), "all"));
                    if (asObject != null) {
                        startsWith = asObject.attributeValuesAsListContains("isMemberOf", descendant.getDescendant(new String[]{"Administrators"}));
                    }
                } catch (Exception e) {
                    new ServiceException(e).log();
                }
            }
            if (restInteractionSpec.getFunction() == RestFunction.GET) {
                return startsWith;
            }
            if (startsWith || (path.getParent().isLike(OpenCrxSecurity_2.PATH_PATTERN_PRINCIPALS) && path.getLastSegment().toString().equals(principalName))) {
                return startsWith;
            }
            throw ResourceExceptions.initHolder(new ResourceException("No permission for " + restInteractionSpec.getFunction().name() + " on object", BasicException.newEmbeddedExceptionStack(OpenCrxException.DOMAIN, 1000, new BasicException.Parameter[]{new BasicException.Parameter("object", path), new BasicException.Parameter("param0", path)})));
        }

        private boolean failForUnknownOperation(MessageRecord messageRecord) throws ResourceException {
            throw ResourceExceptions.initHolder(new ResourceException("unknown operation", BasicException.newEmbeddedExceptionStack("DefaultDomain", -2, new BasicException.Parameter[]{new BasicException.Parameter("xri", messageRecord.getResourceIdentifier()), new BasicException.Parameter("target", messageRecord.getTarget()), new BasicException.Parameter("id", messageRecord.getMessageId()), new BasicException.Parameter("operation", messageRecord.getTarget().getLastSegment().toString())})));
        }

        protected boolean delete(RestInteractionSpec restInteractionSpec, ObjectRecord objectRecord) throws ResourceException {
            try {
                checkPermission(restInteractionSpec, objectRecord.getResourceIdentifier());
                Path path = Facades.asObject(objectRecord).getPath();
                if (path.isLike(OpenCrxSecurity_2.PATH_PATTERN_PRINCIPAL)) {
                    QueryRecord newQuery = newQuery(OpenCrxSecurity_2.REALM_AUTHORITY.getDescendant(new String[]{"provider", path.getSegment(2).toString(), "segment", path.getSegment(4).toString(), "realm", path.getSegment(6).toString(), "principal"}));
                    newQuery.setQueryFilter(Records.getRecordFactory().createMappedRecord(QueryFilterRecord.class));
                    newQuery.getQueryFilter().getCondition().addAll(FilterProperty.toCondition(new FilterProperty[]{new FilterProperty(Quantifier.THERE_EXISTS.code(), "isMemberOf", ConditionType.IS_IN.code(), new Object[]{path})}));
                    newQuery.setSize(10L);
                    ResultRecord newResult = newResult();
                    super.find(OpenCrxSecurity_2.this.SUPER.GET, newQuery, newResult);
                    if (!newResult.isEmpty()) {
                        throw ResourceExceptions.initHolder(new ResourceException("Unable to remove principal. Reason: referenced by Principal::isMemberOf", BasicException.newEmbeddedExceptionStack(OpenCrxException.DOMAIN, -2, new BasicException.Parameter[]{new BasicException.Parameter("xri", path), new BasicException.Parameter("references", newResult)})));
                    }
                }
                if (path.isLike(OpenCrxSecurity_2.PATH_PATTERN_ROLE)) {
                    QueryRecord newQuery2 = newQuery(OpenCrxSecurity_2.REALM_AUTHORITY.getDescendant(new String[]{"provider", path.getSegment(2).toString(), "segment", path.getSegment(4).toString(), "realm", path.getSegment(6).toString(), "principal"}));
                    newQuery2.setQueryFilter(Records.getRecordFactory().createMappedRecord(QueryFilterRecord.class));
                    newQuery2.getQueryFilter().getCondition().addAll(FilterProperty.toCondition(new FilterProperty[]{new FilterProperty(Quantifier.THERE_EXISTS.code(), "grantedRole", ConditionType.IS_IN.code(), new Object[]{path})}));
                    newQuery2.setSize(10L);
                    ResultRecord newResult2 = newResult();
                    super.find(OpenCrxSecurity_2.this.SUPER.GET, newQuery2, newResult2);
                    if (!newResult2.isEmpty()) {
                        throw ResourceExceptions.initHolder(new ResourceException("Unable to remove role. Reason: referenced by Principal::grantedRole", BasicException.newEmbeddedExceptionStack(OpenCrxException.DOMAIN, -2, new BasicException.Parameter[]{new BasicException.Parameter("xri", path), new BasicException.Parameter("references", newResult2)})));
                    }
                }
                touchRealm(restInteractionSpec, objectRecord.getResourceIdentifier());
                return super.delete(restInteractionSpec, objectRecord);
            } catch (ServiceException e) {
                throw ResourceExceptions.initHolder(new ResourceException(BasicException.newEmbeddedExceptionStack(e)));
            }
        }

        public boolean create(RestInteractionSpec restInteractionSpec, ObjectRecord objectRecord, ResultRecord resultRecord) throws ResourceException {
            checkPermission(restInteractionSpec, objectRecord.getResourceIdentifier());
            OpenCrxSecurity_2.this.setDerivedAttributes(objectRecord);
            touchRealm(restInteractionSpec, objectRecord.getResourceIdentifier());
            return super.create(restInteractionSpec, objectRecord, resultRecord);
        }

        public boolean update(RestInteractionSpec restInteractionSpec, ObjectRecord objectRecord, ResultRecord resultRecord) throws ResourceException {
            try {
                checkPermission(restInteractionSpec, objectRecord.getResourceIdentifier());
                if (objectRecord.getValue().containsKey("isMemberOf")) {
                    touchRealm(restInteractionSpec, objectRecord.getResourceIdentifier());
                }
                try {
                    return super.update(restInteractionSpec, objectRecord, resultRecord);
                } catch (Exception e) {
                    ServiceException serviceException = new ServiceException(e);
                    if (serviceException.getExceptionCode() != -20 || !objectRecord.getResourceIdentifier().isLike(OpenCrxSecurity_2.PATH_PATTERN_REALM)) {
                        throw serviceException;
                    }
                    if (resultRecord == null) {
                        return true;
                    }
                    resultRecord.add(objectRecord);
                    return true;
                }
            } catch (ServiceException e2) {
                throw ResourceExceptions.initHolder(new ResourceException(BasicException.newEmbeddedExceptionStack(e2)));
            }
        }

        protected boolean get(RestInteractionSpec restInteractionSpec, QueryRecord queryRecord, ResultRecord resultRecord) throws ResourceException {
            checkPermission(restInteractionSpec, queryRecord.getResourceIdentifier());
            return super.get(restInteractionSpec, queryRecord, resultRecord);
        }

        protected boolean invoke(RestInteractionSpec restInteractionSpec, MessageRecord messageRecord, MessageRecord messageRecord2) throws ResourceException {
            Path resourceIdentifier = messageRecord.getResourceIdentifier();
            checkPermission(restInteractionSpec, resourceIdentifier);
            String xRISegment = resourceIdentifier.getSegment(resourceIdentifier.size() - 2).toString();
            ObjectRecord retrieveObject = retrieveObject(resourceIdentifier.getPrefix(resourceIdentifier.size() - 2), "all");
            if (retrieveObject == null) {
                return super.invoke(restInteractionSpec, messageRecord, messageRecord2);
            }
            String recordName = retrieveObject.getValue().getRecordName();
            MappedRecord body = messageRecord.getBody();
            if ("org:openmdx:security:authentication1:Password".equals(recordName) && "change".equals(xRISegment)) {
                return changePassword(restInteractionSpec, retrieveObject, body, messageRecord2);
            }
            return failForUnknownOperation(messageRecord);
        }

        protected boolean find(RestInteractionSpec restInteractionSpec, QueryRecord queryRecord, ResultRecord resultRecord) throws ResourceException {
            Path resourceIdentifier = queryRecord.getResourceIdentifier();
            boolean checkPermission = checkPermission(restInteractionSpec, queryRecord.getResourceIdentifier());
            String principalName = getPrincipalName(restInteractionSpec);
            if (resourceIdentifier.isLike(OpenCrxSecurity_2.PATH_PATTERN_PRINCIPALS)) {
                boolean z = false;
                Iterator it = FilterProperty.getFilterProperties(queryRecord.getQueryFilter()).iterator();
                while (true) {
                    if (!it.hasNext()) {
                        break;
                    }
                    if ("subject".equals(((FilterProperty) it.next()).name())) {
                        z = true;
                        break;
                    }
                }
                if (!z && !principalName.equals(SecurityKeys.ROOT_PRINCIPAL) && !checkPermission) {
                    queryRecord.getQueryFilter().getCondition().add(new IsInCondition(Quantifier.THERE_EXISTS, "object_class", true, new Object[]{SecurityKeys.PRINCIPAL_TYPE_GROUP, SecurityKeys.PRINCIPAL_TYPE_USER}));
                }
            } else if (resourceIdentifier.isLike(OpenCrxSecurity_2.PATH_PATTERN_SUBJECTS)) {
                if (!principalName.equals(SecurityKeys.ROOT_PRINCIPAL)) {
                    queryRecord.getQueryFilter().getCondition().add(new IsInCondition(Quantifier.FOR_ALL, "object_class", true, new Object[0]));
                }
            } else if (resourceIdentifier.isLike(OpenCrxSecurity_2.PATH_PATTERN_POLICIES) && !principalName.equals(SecurityKeys.ROOT_PRINCIPAL)) {
                queryRecord.getQueryFilter().getCondition().add(new IsInCondition(Quantifier.FOR_ALL, "object_class", true, new Object[0]));
            }
            return super.find(restInteractionSpec, queryRecord, resultRecord);
        }
    }

    public Interaction getInteraction(RestConnection restConnection) throws ResourceException {
        return new RestInteraction(restConnection);
    }

    public void setDerivedAttributes(ObjectRecord objectRecord) throws ResourceException {
        Model_1_0 model = Model_1Factory.getModel();
        try {
            Object_2Facade asObject = Facades.asObject(objectRecord);
            if (model.objectIsSubtypeOf(objectRecord, "org:openmdx:security:realm1:Principal") || model.objectIsSubtypeOf(objectRecord, "org:openmdx:security:realm1:Realm") || model.objectIsSubtypeOf(objectRecord, "org:openmdx:security:realm1:Role") || model.objectIsSubtypeOf(objectRecord, "org:openmdx:security:realm1:Policy")) {
                if (asObject.attributeValue("name") == null || ((String) asObject.attributeValue("name")).isEmpty()) {
                    asObject.attributeValuesAsList("name").clear();
                    asObject.attributeValuesAsList("name").add(asObject.getPath().getLastSegment().toString());
                }
            } else if (model.objectIsSubtypeOf(objectRecord, "org:openmdx:security:realm1:Credential")) {
                asObject.attributeValuesAsList("id").clear();
                asObject.attributeValuesAsList("id").add(asObject.getPath().getLastSegment().toString());
            }
        } catch (ServiceException e) {
            throw ResourceExceptions.initHolder(new ResourceException(BasicException.newEmbeddedExceptionStack(e)));
        }
    }
}
