package org.opencrx.kernel.layer.model;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.logging.Level;
import javax.jdo.JDOHelper;
import javax.jdo.PersistenceManager;
import javax.jdo.PersistenceManagerFactory;
import javax.jdo.Query;
import javax.resource.ResourceException;
import javax.resource.cci.Connection;
import javax.resource.cci.Interaction;
import javax.resource.cci.MappedRecord;
import org.opencrx.kernel.activity1.jmi1.Activity1Package;
import org.opencrx.kernel.generic.OpenCrxException;
import org.opencrx.kernel.generic.SecurityKeys;
import org.opencrx.kernel.home1.jmi1.Home1Package;
import org.opencrx.kernel.home1.jmi1.UserHome;
import org.opencrx.kernel.utils.Utils;
import org.opencrx.kernel.workflow.BulkActivityFollowUpWorkflow;
import org.opencrx.security.realm1.cci2.PrincipalGroupQuery;
import org.opencrx.security.realm1.jmi1.PrincipalGroup;
import org.openmdx.application.dataprovider.cci.AttributeSpecifier;
import org.openmdx.application.dataprovider.cci.FilterProperty;
import org.openmdx.base.dataprovider.cci.DataproviderRequestProcessor;
import org.openmdx.base.exception.ServiceException;
import org.openmdx.base.mof.cci.ModelElement_1_0;
import org.openmdx.base.mof.cci.Model_1_0;
import org.openmdx.base.mof.spi.Model_1Factory;
import org.openmdx.base.naming.Path;
import org.openmdx.base.persistence.cci.ConfigurableProperty;
import org.openmdx.base.persistence.cci.PersistenceHelper;
import org.openmdx.base.persistence.spi.PersistenceManagers;
import org.openmdx.base.query.ConditionType;
import org.openmdx.base.query.Quantifier;
import org.openmdx.base.resource.Records;
import org.openmdx.base.resource.cci.RestFunction;
import org.openmdx.base.resource.spi.ResourceExceptions;
import org.openmdx.base.resource.spi.RestInteractionSpec;
import org.openmdx.base.rest.cci.ConsumerRecord;
import org.openmdx.base.rest.cci.MessageRecord;
import org.openmdx.base.rest.cci.ObjectRecord;
import org.openmdx.base.rest.cci.QueryExtensionRecord;
import org.openmdx.base.rest.cci.QueryFilterRecord;
import org.openmdx.base.rest.cci.QueryRecord;
import org.openmdx.base.rest.cci.RequestRecord;
import org.openmdx.base.rest.cci.RestConnection;
import org.openmdx.base.rest.cci.ResultRecord;
import org.openmdx.base.rest.spi.AbstractRestInteraction;
import org.openmdx.base.rest.spi.AbstractRestPort;
import org.openmdx.base.rest.spi.DelegatingConsumerRecord;
import org.openmdx.base.rest.spi.Facades;
import org.openmdx.base.rest.spi.Object_2Facade;
import org.openmdx.kernel.exception.BasicException;
import org.openmdx.kernel.log.SysLog;
import org.openmdx.security.realm1.cci2.PrincipalQuery;
import org.openmdx.security.realm1.jmi1.Group;
import org.openmdx.security.realm1.jmi1.Permission;
import org.openmdx.security.realm1.jmi1.Principal;
import org.openmdx.security.realm1.jmi1.Realm;
import org.openmdx.security.realm1.jmi1.Role;

/* loaded from: input_file:org/opencrx/kernel/layer/model/AccessControl_2.class */
public class AccessControl_2 extends AbstractRestPort {
    // Wildcard entry; hasPermission() adds it to the caller's permission set when no
    // restriction applies to the requesting principal.
    protected static final String ALL_PERMISSION = "*";
    // Identity of the realm this port works with; not assigned in the visible part of the class.
    protected Path realmIdentity = null;
    protected Model_1_0 model = Model_1Factory.getModel();
    // When true, getImpliedPrincipals() also adds the subgroups of the principal's groups
    // for access levels 2 and 3, which widens the set of implied principals.
    protected boolean useExtendedAccessLevelBasic = false;
    protected PersistenceManagerFactory pmf = null;
    // Realm cache; presumably keyed by realm name - confirm against the code that fills it.
    private Map<String, DefaultRealm> cachedRealms = new ConcurrentHashMap();
    // NOTE(review): presumably a time-to-live in milliseconds for objectCache entries - confirm.
    private static final long TTL_CACHED_OBJECTS = 60000;
    protected static final Path EXTENT_PATTERN = new Path("xri:@openmdx:**/provider/**/segment/**/extent");
    protected static final Path USER_HOME_PATH_PATTERN = new Path("xri://@openmdx*org.opencrx.kernel.home1/provider/:*/segment/:*/userHome/:*");
    // Static, process-wide caches shared by all instances of this port. Their fill and
    // eviction logic is outside the visible part of the class.
    protected static final ConcurrentMap<Path, Object[]> objectCache = new ConcurrentHashMap();
    protected static final ConcurrentMap<Path, Path> sharedAssociationToCompositeParentPathMap = new ConcurrentHashMap();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.opencrx.kernel.layer.model.AccessControl_2$1, reason: invalid class name */
    /* loaded from: input_file:org/opencrx/kernel/layer/model/AccessControl_2$1.class */
    // Synthetic switch map emitted for a switch over RestFunction. It maps each constant's
    // ordinal to a small case index (GET=1, DELETE=2, PUT=3, POST=4), which
    // DefaultRealm.getAccessControlAction() switches on.
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$openmdx$base$resource$cci$RestFunction = new int[RestFunction.values().length];

        static {
            try {
                $SwitchMap$org$openmdx$base$resource$cci$RestFunction[RestFunction.GET.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
                // Constant missing at run time: the slot stays 0 and the switch takes its default branch.
            }
            try {
                $SwitchMap$org$openmdx$base$resource$cci$RestFunction[RestFunction.DELETE.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
                // Same as above: slot stays 0.
            }
            try {
                $SwitchMap$org$openmdx$base$resource$cci$RestFunction[RestFunction.PUT.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
                // Same as above: slot stays 0.
            }
            try {
                $SwitchMap$org$openmdx$base$resource$cci$RestFunction[RestFunction.POST.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
                // Same as above: slot stays 0.
            }
        }
    }

    /* loaded from: input_file:org/opencrx/kernel/layer/model/AccessControl_2$CachedPrincipal.class */
    public class CachedPrincipal {
        // Realm that created and caches this entry.
        private final DefaultRealm realm;
        // Wall-clock time (System.currentTimeMillis() scale) after which DefaultRealm.getPrincipal() reloads this entry.
        private long expiresAt;
        private final Path principalIdentity;
        // {permission name, action} pairs collected from the principal's roles and from the
        // roles of its non-disabled groups. Arrays use identity equality, so equal pairs are not de-duplicated.
        private final Set<String[]> permissions;
        // Qualified name of this principal plus the supergroups reported by each non-disabled group it is a member of.
        private final Set<String> allSupergroups;
        // Resolved lazily by DefaultRealm.getPrimaryGroup().
        private Path primaryGroup;
        // Snapshot of the principal's disabled flag taken when the entry was built; it does
        // not change until the entry is reloaded.
        private Boolean disabled;
        // Computed on first call of getAllSubgroups(); null until then.
        private Set<String> allSubgroups = null;
        // Last path segment of every non-disabled group the principal is a direct member of.
        private final Set<String> isMemberOf = new TreeSet();

        /**
         * Loads all principals referenced by {@code principal.isMemberOf} with a single
         * query, so that the per-group accesses made by the constructor do not need to
         * fetch them one by one.
         *
         * @param principal the principal whose group memberships are prefetched
         */
        protected void prefetchMemberOfPrincipals(Principal principal) {
            PersistenceManager pm = JDOHelper.getPersistenceManager(principal);
            Collection<Path> groupIdentities = (Collection) PersistenceHelper.getFeatureReplacingObjectById(principal, "isMemberOf");
            Query query = (PrincipalQuery) pm.newQuery(Principal.class);
            QueryExtensionRecord extension = PersistenceHelper.newQueryExtension(query);
            // NOTE(review): the path segments are concatenated into the clause without
            // escaping. A segment containing a single quote would change the structure of
            // the clause. Confirm that principal/realm/segment names can never contain
            // quotes, or pass them as query parameters if the extension API supports it.
            StringBuilder clause = new StringBuilder("v.object_id IN ('0'");
            for (Path groupIdentity : groupIdentities) {
                clause.append(",")
                    .append("'principal/")
                    .append(groupIdentity.getSegment(2).toClassicRepresentation())
                    .append("/")
                    .append(groupIdentity.getSegment(4).toClassicRepresentation())
                    .append("/")
                    .append(groupIdentity.getSegment(6).toClassicRepresentation())
                    .append("/")
                    .append(groupIdentity.getLastSegment().toClassicRepresentation())
                    .append("'");
            }
            clause.append(")");
            extension.setClause(clause.toString());
            query.getFetchPlan().setGroup("all");
            query.getFetchPlan().setFetchSize(1000);
            Realm owningRealm = (Realm) pm.getObjectById(principal.refGetPath().getParent().getParent());
            // The result of size() is discarded; presumably the call only forces the query to run - confirm.
            owningRealm.getPrincipal(query).size();
        }

        /**
         * Collects the permissions granted to a principal through its roles.
         *
         * @param principal a principal or principal group; any other type yields no permissions
         * @return a new set of {@code {permission name, action}} pairs, one per action of every
         *         permission of every granted role
         */
        protected Set<String[]> getPermissions(Principal principal) {
            Set<String[]> granted = new HashSet<>();
            Collection<?> grantedRoles;
            if (principal instanceof org.opencrx.security.realm1.jmi1.Principal) {
                grantedRoles = ((org.opencrx.security.realm1.jmi1.Principal) principal).getGrantedRole();
            } else if (principal instanceof PrincipalGroup) {
                grantedRoles = ((PrincipalGroup) principal).getGrantedRole();
            } else {
                grantedRoles = Collections.emptyList();
            }
            for (Object grantedRole : grantedRoles) {
                for (Permission permission : ((Role) grantedRole).getPermission()) {
                    for (Object action : permission.getAction()) {
                        granted.add(new String[]{permission.getName(), (String) action});
                    }
                }
            }
            return granted;
        }

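        /**
         * Builds the cached authorization view of a principal: its direct group
         * memberships, the supergroups reachable through them and the permissions
         * granted by its own roles and by the roles of its groups.
         *
         * <p>Disabled groups contribute neither memberships nor permissions. A group that
         * cannot be evaluated is logged and skipped, so a failure reduces the granted set
         * rather than extending it.
         *
         * @param defaultRealm the realm used to resolve the groups' cached entries
         * @param principal the principal to cache
         * @param j expiry time of the entry, on the {@code System.currentTimeMillis()} scale
         */
        public CachedPrincipal(DefaultRealm defaultRealm, Principal principal, long j) {
            this.realm = defaultRealm;
            this.principalIdentity = principal.refGetPath();
            this.disabled = principal.isDisabled();
            prefetchMemberOfPrincipals(principal);
            for (Group group : principal.getIsMemberOf()) {
                try {
                    if (!Boolean.TRUE.equals(group.isDisabled())) {
                        this.isMemberOf.add(group.refGetPath().getLastSegment().toString());
                    }
                } catch (Exception e) {
                    // Message aligned with the second loop; it previously lacked the verb.
                    new ServiceException(e, OpenCrxException.DOMAIN, -23, "Unable to get principal's group membership", new BasicException.Parameter[]{new BasicException.Parameter("principal", principal.refGetPath())}).log();
                }
            }
            PersistenceManager persistenceManager = JDOHelper.getPersistenceManager(principal);
            Set<String> supergroups = new HashSet<>();
            supergroups.add(AccessControl_2.this.getQualifiedPrincipalName(principal.refGetPath()));
            Set<String[]> grantedPermissions = new HashSet<>();
            grantedPermissions.addAll(getPermissions(principal));
            for (Group group2 : principal.getIsMemberOf()) {
                try {
                    if (!Boolean.TRUE.equals(group2.isDisabled())) {
                        String qualifiedPrincipalName = AccessControl_2.this.getQualifiedPrincipalName(group2.refGetPath());
                        // Skips the lookup when the name is already collected, which includes the principal itself.
                        if (!supergroups.contains(qualifiedPrincipalName)) {
                            supergroups.addAll(defaultRealm.getPrincipal(qualifiedPrincipalName, persistenceManager).getAllSupergroups());
                        }
                        grantedPermissions.addAll(getPermissions((Principal) group2));
                    }
                } catch (Exception e2) {
                    new ServiceException(e2, OpenCrxException.DOMAIN, -23, "Unable to get principal's group membership", new BasicException.Parameter[]{new BasicException.Parameter("principal", principal.refGetPath())}).log();
                }
            }
            this.permissions = grantedPermissions;
            this.allSupergroups = supergroups;
            this.expiresAt = j;
        }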

        /**
         * @return the identity (path) of the cached principal
         */
        public Path getIdentity() {
            return principalIdentity;
        }

        /**
         * @return the realm this entry was created by
         */
        public DefaultRealm getRealm() {
            return realm;
        }

        /**
         * Stores the resolved primary group of the principal.
         *
         * @param path identity of the primary group
         */
        public void setPrimaryGroup(Path path) {
            primaryGroup = path;
        }

        /**
         * @return identity of the primary group, or {@code null} if it has not been resolved yet
         */
        public Path getPrimaryGroup() {
            return primaryGroup;
        }

        /**
         * Returns the names of the non-disabled groups the principal is a direct member of.
         *
         * <p>The returned set is the live internal set of this cached entry, not a copy.
         * Callers must treat it as read-only: a modification would change the group
         * membership seen by every request that uses this cache entry.
         *
         * @return the internal membership set
         */
        public Set<String> getIsMemberOf() {
            return isMemberOf;
        }

        /**
         * Returns the names of all cached permissions that carry the given action.
         *
         * @param str the action name to match; must not be {@code null}
         * @return a new set with the matching permission names
         */
        public Set<String> getPermissions(String str) {
            Set<String> names = new HashSet<>();
            for (String[] nameAndAction : this.permissions) {
                if (!str.equals(nameAndAction[1])) {
                    continue;
                }
                names.add(nameAndAction[0]);
            }
            return names;
        }

        /**
         * Returns all cached permissions, each rendered as permission name, separator and action.
         *
         * @return a new set of {@code name + PERMISSION_ACTION_SEPARATOR + action} strings
         */
        public Set<String> getPermissions() {
            Set<String> rendered = new HashSet<>();
            for (String[] nameAndAction : this.permissions) {
                String name = nameAndAction[0];
                String action = nameAndAction[1];
                rendered.add(name + SecurityKeys.PERMISSION_ACTION_SEPARATOR + action);
            }
            return rendered;
        }

        /**
         * @return the time after which this entry is considered stale, on the
         *         {@code System.currentTimeMillis()} scale
         */
        public long getExpiresAt() {
            return expiresAt;
        }

        /**
         * Moves the expiry time of this entry.
         *
         * @param j new expiry time, on the {@code System.currentTimeMillis()} scale
         */
        public void setExpiresAt(long j) {
            expiresAt = j;
        }

        /**
         * Queries the realm for the non-disabled principal groups that list this principal
         * in their {@code isMemberOf} reference, i.e. its direct subgroups.
         *
         * @param persistenceManager used to load the realm, the principal and to run the query
         * @return the direct subgroups; an empty list when this principal is a group flagged as final
         */
        private List<PrincipalGroup> getSubgroups(PersistenceManager persistenceManager) throws ResourceException {
            Realm realm = (Realm) persistenceManager.getObjectById(this.realm.getRealmIdentity());
            // NOTE(review): the local is declared PrincipalGroup but assigned a value cast to
            // Principal. This looks like a decompiler typing artifact - confirm against the
            // original source before relying on the declared type.
            PrincipalGroup principalGroup = (Principal) persistenceManager.getObjectById(this.principalIdentity);
            // A final group is reported as having no subgroups, which stops the downward expansion here.
            if ((principalGroup instanceof PrincipalGroup) && Boolean.TRUE.equals(principalGroup.isFinal())) {
                return Collections.emptyList();
            }
            PrincipalGroupQuery newQuery = persistenceManager.newQuery(PrincipalGroup.class);
            // Disabled groups are excluded by the query itself.
            newQuery.forAllDisabled().isFalse();
            newQuery.thereExistsIsMemberOf().equalTo(principalGroup);
            return realm.getPrincipal(newQuery);
        }

        /* JADX INFO: Access modifiers changed from: private */
        /**
         * Returns the qualified names of this principal and of all groups below it,
         * computed on first use and then kept for the lifetime of this cache entry.
         *
         * <p>The returned set is the live internal set; callers must not modify it.
         *
         * <p>NOTE(review): the result is stored only after the recursion has finished, and
         * the "already collected" check covers only the names gathered at this level. A
         * cyclic group membership would therefore recurse without bound - confirm that
         * cycles are prevented when memberships are maintained.
         *
         * @param persistenceManager used to query subgroups and to resolve their cached entries
         * @return qualified names of this principal and its transitive subgroups
         */
        public Set<String> getAllSubgroups(PersistenceManager persistenceManager) throws ResourceException {
            if (this.allSubgroups != null) {
                return this.allSubgroups;
            }
            Set<String> collected = new HashSet<>();
            collected.add(AccessControl_2.this.getQualifiedPrincipalName(this.principalIdentity));
            for (PrincipalGroup subgroup : getSubgroups(persistenceManager)) {
                String subgroupName = AccessControl_2.this.getQualifiedPrincipalName(subgroup.refGetPath());
                if (collected.contains(subgroupName)) {
                    continue;
                }
                CachedPrincipal cachedSubgroup = this.realm.getPrincipal(subgroupName, persistenceManager);
                // A disabled subgroup is skipped together with everything below it.
                if (!Boolean.TRUE.equals(cachedSubgroup.isDisabled())) {
                    collected.addAll(cachedSubgroup.getAllSubgroups(persistenceManager));
                }
            }
            this.allSubgroups = collected;
            return this.allSubgroups;
        }

        /**
         * Returns the qualified names of this principal and of the supergroups collected
         * when the entry was built.
         *
         * <p>The returned set is the live internal set of this cached entry; callers must
         * treat it as read-only.
         *
         * @return the internal supergroup set
         */
        public Set<String> getAllSupergroups() {
            return allSupergroups;
        }

        /**
         * @return the string form of the principal's identity
         */
        public String toString() {
            Path identity = getIdentity();
            return identity.toString();
        }

        /**
         * Returns the disabled flag as it was when this entry was built. A principal that
         * is disabled afterwards keeps reporting the old value until the entry is reloaded.
         *
         * @return the cached disabled flag; may be {@code null}
         */
        public Boolean isDisabled() {
            return disabled;
        }
    }

    /* loaded from: input_file:org/opencrx/kernel/layer/model/AccessControl_2$CompletingConsumerRecord.class */
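    /**
     * Consumer that passes every object through {@code completeObject} before handing it
     * to the wrapped consumer.
     */
    public class CompletingConsumerRecord extends DelegatingConsumerRecord {
        private static final long serialVersionUID = 2835765933381645174L;
        private final ConsumerRecord delegate;

        /**
         * @param consumerRecord the consumer that receives the completed objects
         */
        public CompletingConsumerRecord(ConsumerRecord consumerRecord) {
            this.delegate = consumerRecord;
        }

        protected ConsumerRecord getDelegate() {
            return this.delegate;
        }

        /**
         * Completes the object and forwards it. Completion stays best-effort: a failure
         * does not stop delivery, but it is now logged instead of being dropped, so that
         * objects delivered without completion can be traced.
         *
         * @param objectRecord the object to complete and forward
         */
        public void accept(ObjectRecord objectRecord) {
            try {
                AccessControl_2.this.completeObject(objectRecord);
            } catch (Exception e) {
                // Previously swallowed silently; the object is still forwarded below.
                new ServiceException(e).log();
            }
            super.accept(objectRecord);
        }
    }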

    /* loaded from: input_file:org/opencrx/kernel/layer/model/AccessControl_2$DefaultRealm.class */
    public class DefaultRealm {
        private final Path realmIdentity;
        // False switches access control off for this realm: getImpliedPrincipals() then
        // returns null, which the permission checks treat as "no restriction".
        private boolean isActive;
        // Lifetime of a cached principal in milliseconds; set in the constructor.
        private long cachedPrincipalsTTL;
        // Used by getAccessControlAction() to recognise requests on activity creators.
        protected final Path ACTIVITY_CREATOR_IDENTITY_PATTERN = new Path("xri://@openmdx*org.opencrx.kernel.activity1/provider/:*/segment/:*/activityCreator/:*");
        // Cache of principals keyed by principal name (the part after an optional "prefix:").
        private Map<String, CachedPrincipal> cachedPrincipals = new ConcurrentHashMap();

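        /**
         * Creates the realm and reads its two system-property settings.
         *
         * <p>Access control is active unless the property named by
         * {@code SecurityKeys.ENABLE_SECURITY_PROPERTY} is set to something other than
         * "true". The comparison now ignores case and surrounding whitespace, so a value
         * such as "TRUE" no longer switches access control off by accident. Switching it
         * off is also written to the system log, not only to standard output.
         *
         * <p>The principal cache lifetime defaults to 120000 ms and can be overridden with
         * the property named by {@code SecurityKeys.REALM_REFRESH_RATE_MILLIS}. A value
         * that is not a number is logged and the default is kept.
         *
         * @param path identity of the realm
         */
        public DefaultRealm(Path path) throws ResourceException {
            this.realmIdentity = path;
            this.cachedPrincipalsTTL = 120000L;
            String enableSecurity = System.getProperty(SecurityKeys.ENABLE_SECURITY_PROPERTY);
            this.isActive = enableSecurity == null || Boolean.parseBoolean(enableSecurity.trim());
            if (!this.isActive) {
                System.out.println("WARNING: AccessControl_1 is not active. Activate with system property org.opencrx.security.enable=true. Default is true.");
                // Keep a record in the system log as well: with access control off, every
                // permission check of this realm passes.
                SysLog.warning("Access control is not active for realm", Arrays.asList(path, enableSecurity));
            }
            String refreshRateMillis = System.getProperty(SecurityKeys.REALM_REFRESH_RATE_MILLIS);
            if (refreshRateMillis != null) {
                try {
                    this.cachedPrincipalsTTL = Long.parseLong(refreshRateMillis.trim());
                } catch (NumberFormatException e) {
                    SysLog.warning("Invalid realm refresh rate. Keeping default", Arrays.asList(refreshRateMillis, this.cachedPrincipalsTTL));
                }
            }
        }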

        /**
         * Looks up a principal and fails when it cannot be found.
         *
         * @param str principal name, optionally prefixed with {@code "prefix:"}
         * @param persistenceManager used to load the principal on a cache miss
         * @return the cached principal, never {@code null}
         * @throws ResourceException if the principal cannot be found
         */
        protected CachedPrincipal getPrincipal(String str, PersistenceManager persistenceManager) throws ResourceException {
            final boolean failIfMissing = true;
            return getPrincipal(str, persistenceManager, failIfMissing);
        }

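        /**
         * Returns the cached entry of a principal, loading or reloading it when it is
         * missing or expired.
         *
         * <p>When a reload fails, the expired entry is evicted and is no longer returned
         * to the caller. Before this change the evicted entry was still handed back once,
         * so a principal that had been removed from the realm kept its cached groups and
         * permissions for one more request after expiry.
         *
         * @param str principal name, optionally prefixed with {@code "prefix:"}
         * @param persistenceManager used to load the principal
         * @param z when true, a missing principal is logged and reported with an exception;
         *        when false, {@code null} is returned instead
         * @return the cached principal, or {@code null} if it is missing and {@code z} is false
         * @throws ResourceException if the principal is missing and {@code z} is true
         */
        protected CachedPrincipal getPrincipal(String str, PersistenceManager persistenceManager, boolean z) throws ResourceException {
            // The cache is keyed by the bare principal name, so drop an optional "prefix:".
            int separator = str.indexOf(":");
            if (separator > 0) {
                str = str.substring(separator + 1);
            }
            CachedPrincipal cachedPrincipal = this.cachedPrincipals.get(str);
            if (cachedPrincipal == null || System.currentTimeMillis() > cachedPrincipal.getExpiresAt()) {
                if (cachedPrincipal != null) {
                    // Extend the stale entry first, so that lookups made while the reload
                    // is running (including those made by the CachedPrincipal constructor)
                    // use it instead of starting another reload.
                    cachedPrincipal.setExpiresAt(System.currentTimeMillis() + this.cachedPrincipalsTTL);
                }
                try {
                    CachedPrincipal reloaded = new CachedPrincipal(this, (Principal) persistenceManager.getObjectById(this.realmIdentity.getDescendant(new String[]{"principal", str})), System.currentTimeMillis() + this.cachedPrincipalsTTL);
                    cachedPrincipal = reloaded;
                    this.cachedPrincipals.put(str, reloaded);
                } catch (Exception e) {
                    if (z) {
                        new ServiceException(e).log();
                    }
                    this.cachedPrincipals.remove(str);
                    // Fail closed: do not answer with the entry that was just evicted.
                    cachedPrincipal = null;
                }
            }
            if (cachedPrincipal != null || !z) {
                return cachedPrincipal;
            }
            SysLog.warning("principal not found", str);
            throw ResourceExceptions.initHolder(new ResourceException("principal not found", BasicException.newEmbeddedExceptionStack("DefaultDomain", -34, new BasicException.Parameter[]{new BasicException.Parameter("realm", this.realmIdentity), new BasicException.Parameter("principal", str)})));
        }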

        /**
         * Determines the principal a request is executed as.
         *
         * <p>The first entry of {@code list} names the requesting principal. If a second
         * entry is present and the requesting principal holds a RUN_AS permission whose
         * part after {@code '@'} equals that entry, the request runs as the named
         * principal; otherwise it runs as the requesting principal. Only the first matching
         * permission is applied. The part before {@code '@'} is not inspected here.
         *
         * @param requestRecord the request being authorized
         * @param list principal chain; element 0 is the requesting principal, element 1 the
         *        optional runAs target
         * @param dataproviderRequestProcessor passed through to {@code hasPermission}
         * @param persistenceManager used to resolve principals
         * @return the effective principal together with its user identity
         * @throws ResourceException if a principal cannot be resolved
         */
        public GetRunAsPrincipalResult getRunAsPrincipal(RequestRecord requestRecord, List<String> list, DataproviderRequestProcessor dataproviderRequestProcessor, PersistenceManager persistenceManager) throws ResourceException {
            try {
                CachedPrincipal effectivePrincipal = getPrincipal(list.get(0), persistenceManager);
                Path effectiveUser = AccessControl_2.this.getUser(effectivePrincipal);
                Set<String> runAsPermissions = new HashSet<>();
                boolean runAsRequested = list.size() >= 2;
                if (runAsRequested && hasPermission(requestRecord, null, null, effectivePrincipal, effectiveUser, SecurityKeys.Action.RUN_AS, runAsPermissions, dataproviderRequestProcessor, persistenceManager)) {
                    boolean applied = false;
                    for (String permission : runAsPermissions) {
                        if (permission.indexOf("@") <= 0) {
                            // The wildcard entry is expected here and is skipped without a warning.
                            if (!permission.equals(AccessControl_2.ALL_PERMISSION)) {
                                SysLog.warning("Invalid format for runAs permission. Accepted format is 'authority@principal'. Ignoring.", Arrays.asList(effectivePrincipal, runAsPermissions));
                            }
                            continue;
                        }
                        String targetName = permission.substring(permission.indexOf("@") + 1);
                        if (!targetName.equals(list.get(1))) {
                            continue;
                        }
                        if (applied) {
                            SysLog.warning("Multiple runAs permissions found. Accepting first only.", Arrays.asList(list, effectivePrincipal, runAsPermissions));
                            continue;
                        }
                        CachedPrincipal targetPrincipal = getPrincipal(targetName, persistenceManager);
                        Path targetUser = AccessControl_2.this.getUser(targetPrincipal);
                        SysLog.detail("Applying runAs permission", Arrays.asList(effectivePrincipal, effectiveUser, targetPrincipal, targetUser));
                        effectivePrincipal = targetPrincipal;
                        effectiveUser = targetUser;
                        applied = true;
                    }
                }
                final CachedPrincipal resultPrincipal = effectivePrincipal;
                final Path resultUser = effectiveUser;
                return new GetRunAsPrincipalResult() { // from class: org.opencrx.kernel.layer.model.AccessControl_2.DefaultRealm.1
                    @Override // org.opencrx.kernel.layer.model.AccessControl_2.GetRunAsPrincipalResult
                    public CachedPrincipal getPrincipal() {
                        return resultPrincipal;
                    }

                    @Override // org.opencrx.kernel.layer.model.AccessControl_2.GetRunAsPrincipalResult
                    public Path getUserIdentity() {
                        return resultUser;
                    }
                };
            } catch (ServiceException e) {
                throw ResourceExceptions.initHolder(new ResourceException(BasicException.newEmbeddedExceptionStack(e)));
            }
        }

        /**
         * Resolves the primary group of a principal and stores it in the cache entry.
         *
         * <p>The group is taken from the principal's user home. If the user home names no
         * primary group, or if the lookup fails, the group called
         * {@code <principal name> + "." + SecurityKeys.GROUP_SUFFIX} is used instead. The
         * exception of a failed user-home lookup is not logged.
         *
         * @param cachedPrincipal the principal whose primary group is wanted
         * @param persistenceManager used to load the user home and the group principal
         * @return identity of the primary group, or {@code null} for the root principal
         *         when the lookup fails, or when no fallback group exists
         */
        protected Path getPrimaryGroup(CachedPrincipal cachedPrincipal, PersistenceManager persistenceManager) throws ResourceException {
            try {
                if (cachedPrincipal.getPrimaryGroup() != null) {
                    return cachedPrincipal.getPrimaryGroup();
                }
                String providerName = cachedPrincipal.getIdentity().getSegment(2).toString();
                String segmentName = cachedPrincipal.getIdentity().getSegment(cachedPrincipal.getIdentity().size() - 3).toString();
                String principalName = cachedPrincipal.getIdentity().getLastSegment().toString();
                Path userHomeIdentity = new Path(Home1Package.AUTHORITY_XRI).getDescendant(new String[]{"provider", providerName, "segment", segmentName, "userHome", principalName});
                PrincipalGroup configuredGroup = ((UserHome) persistenceManager.getObjectById(userHomeIdentity)).getPrimaryGroup();
                String groupName;
                if (configuredGroup == null) {
                    groupName = principalName + "." + SecurityKeys.GROUP_SUFFIX;
                } else {
                    groupName = configuredGroup.refGetPath().getLastSegment().toString();
                }
                cachedPrincipal.setPrimaryGroup(getPrincipal(groupName, persistenceManager).getIdentity());
                return cachedPrincipal.getPrimaryGroup();
            } catch (Exception e) {
                String principalName = cachedPrincipal.getIdentity().getLastSegment().toString();
                if (SecurityKeys.ROOT_PRINCIPAL.equals(principalName)) {
                    return null;
                }
                try {
                    Path fallbackGroup = getPrincipal(principalName + "." + SecurityKeys.GROUP_SUFFIX, persistenceManager).getIdentity();
                    cachedPrincipal.setPrimaryGroup(fallbackGroup);
                    return fallbackGroup;
                } catch (Exception e2) {
                    SysLog.warning("No primary group found for principal", principalName);
                    return null;
                }
            }
        }

        /**
         * Maps a REST function to the access-control action that must be permitted.
         *
         * <p>GET maps to READ and DELETE to DELETE. PUT maps to UPDATE, except for a
         * request on an activity creator whose value holds exactly two entries, which is
         * checked as READ. Every other function, POST included, maps to UPDATE.
         *
         * @param restInteractionSpec the interaction whose function is mapped
         * @param object_2Facade the request object; only read for PUT
         * @return the action to check
         */
        protected SecurityKeys.Action getAccessControlAction(RestInteractionSpec restInteractionSpec, Object_2Facade object_2Facade) {
            int functionCase = AnonymousClass1.$SwitchMap$org$openmdx$base$resource$cci$RestFunction[restInteractionSpec.getFunction().ordinal()];
            if (functionCase == 1) {
                return SecurityKeys.Action.READ;
            }
            if (functionCase == 2) {
                return SecurityKeys.Action.DELETE;
            }
            // NOTE(review): this downgrades a PUT to a READ check based on the size of the
            // request value - confirm which requests are meant to qualify.
            if (functionCase == 3 && object_2Facade.getValue().size() == 2 && object_2Facade.getPath().isLike(this.ACTIVITY_CREATOR_IDENTITY_PATTERN)) {
                return SecurityKeys.Action.READ;
            }
            return SecurityKeys.Action.UPDATE;
        }

        /**
         * Computes the principals whose ownership of an object lets the requesting
         * principal act on it at the given access level.
         *
         * <p>Level 1 and above: the principal itself and the principal named by
         * {@code path}. Levels 2 and 3: additionally the supergroups of the principal's
         * groups, and their subgroups when {@code useExtendedAccessLevelBasic} is set.
         * Level 3: additionally all subgroups and then all supergroups of everything
         * collected so far. The numeric levels are presumably the access-level constants
         * of {@code SecurityKeys} - confirm.
         *
         * <p>A principal that cannot be resolved is logged and left out, so a failure
         * narrows the result.
         *
         * @param cachedPrincipal the requesting principal
         * @param path identity of a second principal that is always included from level 1 on
         * @param s the access level
         * @param persistenceManager used to resolve principals
         * @return the implied principals by qualified name, or {@code null} when no
         *         restriction applies (access control inactive, level 4 or root principal)
         */
        protected Map<String, CachedPrincipal> getImpliedPrincipals(CachedPrincipal cachedPrincipal, Path path, short s, PersistenceManager persistenceManager) {
            // null means "unrestricted" to the callers, so this branch bypasses every ownership check.
            if (!this.isActive || s == 4 || cachedPrincipal.getIdentity().getLastSegment().toString().equals(SecurityKeys.ROOT_PRINCIPAL)) {
                return null;
            }
            Map<String, CachedPrincipal> implied = new HashMap<>();
            if (s >= 1) {
                try {
                    String ownName = AccessControl_2.this.getQualifiedPrincipalName(cachedPrincipal.getIdentity());
                    implied.put(ownName, getPrincipal(ownName, persistenceManager));
                } catch (Exception e) {
                    new ServiceException(e).log();
                }
                try {
                    String otherName = AccessControl_2.this.getQualifiedPrincipalName(path);
                    implied.put(otherName, getPrincipal(otherName, persistenceManager));
                } catch (Exception e2) {
                    new ServiceException(e2).log();
                }
            }
            if (s == 2 || s == 3) {
                if (AccessControl_2.this.useExtendedAccessLevelBasic) {
                    // One failure aborts the whole subgroup expansion of this step.
                    try {
                        for (String groupName : cachedPrincipal.getIsMemberOf()) {
                            CachedPrincipal group = getPrincipal(groupName, persistenceManager);
                            if (Boolean.TRUE.equals(group.isDisabled())) {
                                continue;
                            }
                            for (String subgroupName : group.getAllSubgroups(persistenceManager)) {
                                implied.put(subgroupName, getPrincipal(subgroupName, persistenceManager));
                            }
                        }
                    } catch (Exception e3) {
                        new ServiceException(e3).log();
                    }
                }
                try {
                    for (String groupName : cachedPrincipal.getIsMemberOf()) {
                        CachedPrincipal group = getPrincipal(groupName, persistenceManager);
                        if (Boolean.TRUE.equals(group.isDisabled())) {
                            continue;
                        }
                        for (String supergroupName : group.getAllSupergroups()) {
                            implied.put(supergroupName, getPrincipal(supergroupName, persistenceManager));
                        }
                    }
                } catch (Exception e4) {
                    new ServiceException(e4).log();
                }
            }
            if (s == 3) {
                // Collect into a separate map so the map being iterated is not modified.
                Map<String, CachedPrincipal> subgroups = new HashMap<>();
                for (CachedPrincipal member : implied.values()) {
                    try {
                        for (String subgroupName : member.getAllSubgroups(persistenceManager)) {
                            subgroups.put(subgroupName, getPrincipal(subgroupName, persistenceManager));
                        }
                    } catch (Exception e5) {
                        new ServiceException(e5).log();
                    }
                }
                implied.putAll(subgroups);
                Map<String, CachedPrincipal> supergroups = new HashMap<>();
                for (CachedPrincipal member : implied.values()) {
                    try {
                        for (String supergroupName : member.getAllSupergroups()) {
                            supergroups.put(supergroupName, getPrincipal(supergroupName, persistenceManager));
                        }
                    } catch (Exception e6) {
                        new ServiceException(e6).log();
                    }
                }
                implied.putAll(supergroups);
            }
            return implied;
        }

        /**
         * Returns the names that count as a match against an object's owners: the implied
         * principals plus the permissions they hold for the given action.
         *
         * <p>A {@code null} result means "no restriction"; {@code hasPermission} grants
         * access in that case. It is returned when {@code getImpliedPrincipals} reports no
         * restriction or when the collected set contains
         * {@code SecurityKeys.ROOT_ADMINISTRATORS_GROUP}.
         *
         * @param cachedPrincipal the requesting principal
         * @param path identity of a second principal, passed through to {@code getImpliedPrincipals}
         * @param s the access level
         * @param action the action whose permissions are collected; {@code null} collects
         *        all permissions in their name-separator-action form
         * @param persistenceManager used to resolve principals
         * @return a new set of names, or {@code null} for unrestricted access
         */
        protected Set<String> getPermissions(CachedPrincipal cachedPrincipal, Path path, short s, SecurityKeys.Action action, PersistenceManager persistenceManager) {
            Map<String, CachedPrincipal> impliedPrincipals = getImpliedPrincipals(cachedPrincipal, path, s, persistenceManager);
            if (impliedPrincipals == null) {
                return null;
            }
            Set<String> granted = new HashSet<>(impliedPrincipals.keySet());
            for (CachedPrincipal member : impliedPrincipals.values()) {
                granted.addAll(action == null ? member.getPermissions() : member.getPermissions(action.getName()));
            }
            // Membership in the root administrators group lifts every restriction.
            return granted.contains(SecurityKeys.ROOT_ADMINISTRATORS_GROUP) ? null : granted;
        }

        /**
         * @return the identity (path) of this realm
         */
        public Path getRealmIdentity() {
            return realmIdentity;
        }

        public boolean hasPermission(RequestRecord requestRecord, Object_2Facade object_2Facade, Object_2Facade object_2Facade2, CachedPrincipal cachedPrincipal, Path path, SecurityKeys.Action action, Set<String> set, DataproviderRequestProcessor dataproviderRequestProcessor, PersistenceManager persistenceManager) throws ResourceException {
            try {
                Path resourceIdentifier = requestRecord.getResourceIdentifier();
                if (object_2Facade == null && org.openmdx.base.rest.spi.ObjectRecord.isCompatible(requestRecord)) {
                    object_2Facade = Facades.asObject(requestRecord);
                }
                if (action == SecurityKeys.Action.DELETE) {
                    Set<String> hashSet = new HashSet();
                    if (object_2Facade.attributeValuesAsList("accessLevelDelete").isEmpty()) {
                        SysLog.error("Missing value for attribute 'accessLevelDelete'", object_2Facade);
                    } else {
                        hashSet = getPermissions(cachedPrincipal, path, ((Number) object_2Facade.attributeValue("accessLevelDelete")).shortValue(), action, persistenceManager);
                    }
                    if (hashSet != null) {
                        if (set != null) {
                            set.addAll(hashSet);
                        }
                        hashSet.retainAll(object_2Facade.attributeValuesAsList("owner"));
                        return !hashSet.isEmpty();
                    }
                    if (set == null) {
                        return true;
                    }
                    set.add(AccessControl_2.ALL_PERMISSION);
                    return true;
                }
                if (action == SecurityKeys.Action.UPDATE) {
                    Set<String> hashSet2 = new HashSet();
                    if (object_2Facade.attributeValuesAsList("accessLevelUpdate").isEmpty()) {
                        SysLog.error("Missing value for attribute 'accessLevelUpdate'", object_2Facade);
                    } else {
                        hashSet2 = getPermissions(cachedPrincipal, path, ((Number) object_2Facade.attributeValue("accessLevelUpdate")).shortValue(), action, persistenceManager);
                    }
                    if (hashSet2 != null) {
                        if (set != null) {
                            set.addAll(hashSet2);
                        }
                        hashSet2.retainAll(object_2Facade.attributeValuesAsList("owner"));
                        return !hashSet2.isEmpty();
                    }
                    if (set == null) {
                        return true;
                    }
                    set.add(AccessControl_2.ALL_PERMISSION);
                    return true;
                }
                if (action == SecurityKeys.Action.READ) {
                    new HashSet();
                    Set<String> permissions = getPermissions(cachedPrincipal, path, (object_2Facade2 == null || object_2Facade2.attributeValuesAsList("accessLevelBrowse").isEmpty()) ? ((Number) object_2Facade.attributeValue("accessLevelBrowse")).shortValue() : ((Number) object_2Facade2.attributeValue("accessLevelBrowse")).shortValue(), action, persistenceManager);
                    if (permissions != null) {
                        if (set != null) {
                            set.addAll(permissions);
                        }
                        permissions.retainAll(object_2Facade.attributeValuesAsList("owner"));
                        return !permissions.isEmpty();
                    }
                    if (set == null) {
                        return true;
                    }
                    set.add(AccessControl_2.ALL_PERMISSION);
                    return true;
                }
                if (action != SecurityKeys.Action.RUN_AS) {
                    SysLog.error("Unknown action", action.toString());
                    return false;
                }
                Set<String> permissions2 = getPermissions(cachedPrincipal, path, (short) 0, action, persistenceManager);
                if (permissions2 == null) {
                    if (set == null) {
                        return true;
                    }
                    set.add(AccessControl_2.ALL_PERMISSION);
                    return true;
                }
                Iterator<String> it = permissions2.iterator();
                while (it.hasNext()) {
                    String next = it.next();
                    boolean z = false;
                    if (next.startsWith("object:")) {
                        String[] split = next.substring(7, next.indexOf("@")).split("/");
                        if (split.length > 0) {
                            Path descendant = new Path("xri://@openmdx*" + split[0]).getDescendant(new String[]{"provider", resourceIdentifier.getSegment(2).toString(), "segment", resourceIdentifier.getSegment(4).toString()});
                            for (int i = 1; i < split.length; i++) {
                                descendant = descendant.getDescendant(new String[]{split[i]});
                            }
                            if (resourceIdentifier.isLike(descendant)) {
                                z = true;
                            } else if (object_2Facade != null && object_2Facade.getPath().startsWith(new Path(Activity1Package.AUTHORITY_XRI).getDescendant(new String[]{"provider", resourceIdentifier.getSegment(2).toString(), "segment", resourceIdentifier.getSegment(4).toString(), BulkActivityFollowUpWorkflow.OPTION_ACTIVITY}))) {
                                Object_2Facade object_2Facade3 = null;
                                if (resourceIdentifier.isLike(new Path(Activity1Package.AUTHORITY_XRI).getDescendant(new String[]{"provider", resourceIdentifier.getSegment(2).toString(), "segment", resourceIdentifier.getSegment(4).toString(), BulkActivityFollowUpWorkflow.OPTION_ACTIVITY, ":*"}))) {
                                    object_2Facade3 = object_2Facade;
                                } else {
                                    try {
                                        object_2Facade3 = Facades.asObject(AccessControl_2.this.retrieveObject(dataproviderRequestProcessor, object_2Facade.getPath().getPrefix(7), false));
                                    } catch (Exception e) {
                                    }
                                }
                                if (object_2Facade3 != null && object_2Facade3.attributeValue("lastAppliedCreator") != null && ((Path) object_2Facade3.attributeValue("lastAppliedCreator")).isLike(descendant)) {
                                    z = true;
                                }
                            }
                        }
                    } else if (next.startsWith("groupMembership:") && resourceIdentifier.startsWith(new Path(Activity1Package.AUTHORITY_XRI).getDescendant(new String[]{"provider", resourceIdentifier.getSegment(2).toString(), "segment", resourceIdentifier.getSegment(4).toString(), BulkActivityFollowUpWorkflow.OPTION_ACTIVITY})) && resourceIdentifier.size() >= 7) {
                        String[] split2 = next.substring(16, next.indexOf("@")).split("/");
                        if (split2.length > 0) {
                            Path descendant2 = new Path("xri://@openmdx*" + split2[0]).getDescendant(new String[]{"provider", resourceIdentifier.getSegment(2).toString(), "segment", resourceIdentifier.getSegment(4).toString()});
                            for (int i2 = 1; i2 < split2.length; i2++) {
                                descendant2 = descendant2.getDescendant(new String[]{split2[i2]});
                            }
                            Object_2Facade object_2Facade4 = null;
                            try {
                                object_2Facade4 = Facades.asObject(AccessControl_2.this.retrieveObject(dataproviderRequestProcessor, descendant2, false));
                            } catch (Exception e2) {
                            }
                            if (object_2Facade4 != null) {
                                Iterator it2 = AccessControl_2.this.findObjects(dataproviderRequestProcessor, resourceIdentifier.getPrefix(7).getDescendant(new String[]{"assignedGroup"})).iterator();
                                while (true) {
                                    if (!it2.hasNext()) {
                                        break;
                                    }
                                    Object_2Facade object_2Facade5 = null;
                                    try {
                                        object_2Facade5 = Facades.asObject((ObjectRecord) it2.next());
                                    } catch (Exception e3) {
                                    }
                                    if (object_2Facade5 != null && object_2Facade4.getPath().equals(object_2Facade5.attributeValue("activityGroup"))) {
                                        z = true;
                                        break;
                                    }
                                }
                            }
                        }
                    }
                    if (!z) {
                        it.remove();
                    }
                }
                if (set != null) {
                    set.addAll(permissions2);
                }
                return !permissions2.isEmpty();
            } catch (ServiceException e4) {
                throw ResourceExceptions.initHolder(new ResourceException(BasicException.newEmbeddedExceptionStack(e4)));
            }
        }

        /**
         * Narrows a query to the owners the given principal is permitted to read.
         *
         * <p>The permitted owner set comes from {@code getPermissions} for
         * {@link SecurityKeys.Action#READ}, driven by the {@code accessLevelBrowse} value of
         * {@code object_2Facade}. Unless the query already carries an {@code owner} filter
         * property whose values contain that whole set, an {@code owner IS_IN <set>}
         * condition is appended to the query filter (the filter is created if absent).
         *
         * <p>Two outcomes worth knowing when reviewing access decisions:
         * <ul>
         *   <li>a {@code null} permission set leaves the query untouched, i.e. it is treated
         *       as unrestricted;</li>
         *   <li>a missing {@code accessLevelBrowse} is logged as an error and an empty set is
         *       used. Because every collection contains all elements of an empty set, any
         *       existing {@code owner} filter property then counts as sufficient and nothing
         *       is appended.</li>
         * </ul>
         *
         * @param queryRecord the query to restrict in place
         * @param object_2Facade the object whose {@code accessLevelBrowse} selects the permission level
         * @param cachedPrincipal the principal the permissions are computed for
         * @param path passed through to {@code getPermissions}
         * @param persistenceManager passed through to {@code getPermissions}
         * @throws ServiceException declared; raised by the facade or permission lookups
         * @throws ResourceException declared; raised by the record accessors
         */
        public void restrictQuery(QueryRecord queryRecord, Object_2Facade object_2Facade, CachedPrincipal cachedPrincipal, Path path, PersistenceManager persistenceManager) throws ServiceException, ResourceException {
            Set<String> allowedOwners;
            if (object_2Facade.attributeValuesAsList("accessLevelBrowse").isEmpty()) {
                SysLog.error("Missing attribute value for accessLevelBrowse", object_2Facade);
                allowedOwners = new HashSet();
            } else {
                short browseLevel = ((Number) object_2Facade.attributeValue("accessLevelBrowse")).shortValue();
                allowedOwners = getPermissions(cachedPrincipal, path, browseLevel, SecurityKeys.Action.READ, persistenceManager);
            }
            if (allowedOwners == null) {
                // null means "no owner restriction applies"; the query is passed on unchanged.
                return;
            }
            // Lock on the live condition list when there is one; otherwise on the empty-list
            // instance returned by Collections.emptyList().
            Object monitor = Collections.emptyList();
            if (queryRecord.getQueryFilter() != null && queryRecord.getQueryFilter().getCondition() != null) {
                monitor = queryRecord.getQueryFilter().getCondition();
            }
            synchronized (monitor) {
                // NOTE(review): only the name and the values of an existing owner filter are
                // compared here, not its quantifier or condition type. Confirm that filters
                // reaching this layer cannot carry an owner property with a different operator.
                boolean alreadyRestricted = false;
                for (Object candidate : FilterProperty.getFilterProperties(queryRecord.getQueryFilter())) {
                    FilterProperty filterProperty = (FilterProperty) candidate;
                    if ("owner".equals(filterProperty.name()) && filterProperty.values().containsAll(allowedOwners)) {
                        alreadyRestricted = true;
                        break;
                    }
                }
                if (alreadyRestricted) {
                    return;
                }
                if (queryRecord.getQueryFilter() == null) {
                    queryRecord.setQueryFilter(Records.getRecordFactory().createMappedRecord(QueryFilterRecord.class));
                }
                FilterProperty ownerRestriction = new FilterProperty(Quantifier.THERE_EXISTS.code(), "owner", ConditionType.IS_IN.code(), allowedOwners.toArray());
                queryRecord.getQueryFilter().getCondition().addAll(FilterProperty.toCondition(new FilterProperty[]{ownerRestriction}));
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/opencrx/kernel/layer/model/AccessControl_2$GetRunAsPrincipalResult.class */
    /**
     * Pair of values handed back by {@code getRunAsPrincipal}: the principal whose
     * permissions are evaluated and the identity path that accompanies it in the
     * permission and query-restriction calls made by {@code RestInteraction}.
     */
    public interface GetRunAsPrincipalResult {
        /** Returns the principal that the subsequent permission checks are run for. */
        CachedPrincipal getPrincipal();

        /** Returns the user identity path passed alongside the principal to those checks. */
        Path getUserIdentity();
    }

    /* loaded from: input_file:org/opencrx/kernel/layer/model/AccessControl_2$RestInteraction.class */
    public class RestInteraction extends AbstractRestInteraction {
        /**
         * Creates the interaction for {@code restConnection}, handing the superclass a
         * delegate interaction obtained from the enclosing {@code AccessControl_2}.
         *
         * @param restConnection the connection this interaction belongs to
         * @throws ResourceException declared by this constructor; the visible code does not
         *         show which of the two calls raises it
         */
        public RestInteraction(RestConnection restConnection) throws ResourceException {
            super(restConnection, AccessControl_2.this.newDelegateInteraction(restConnection));
        }

        /**
         * Determines the qualified principal name stored as owning user of an object that is
         * about to be created. The first rule that applies wins:
         * <ol>
         *   <li>the object lies below {@code USER_HOME_PATH_PATTERN} and the parent has an
         *       {@code owner} value: the parent's {@code owner} value is used;</li>
         *   <li>the object carries {@code owningUser}: that path is converted to a qualified
         *       principal name;</li>
         *   <li>the object carries {@code owner}: that value is used as is;</li>
         *   <li>{@code path} is not {@code null}: it is converted to a qualified principal
         *       name;</li>
         *   <li>otherwise the {@code "admin"} principal qualified for the object's path.</li>
         * </ol>
         *
         * <p>NOTE(review): rules 2 and 3 take the owner from attributes of the object being
         * created. Nothing in this method checks that the caller may assign ownership to that
         * principal; confirm where that is enforced.
         *
         * @param path the user identity of the caller, or {@code null}
         * @param object_2Facade the object being created
         * @param object_2Facade2 the parent object; only dereferenced when the object lies
         *        below the user-home pattern
         * @param defaultRealm not read by this method
         * @return the qualified principal name of the owning user
         * @throws ResourceException wrapping any {@code ServiceException} raised by the lookups
         */
        protected String getOwningUserForNewObject(Path path, Object_2Facade object_2Facade, Object_2Facade object_2Facade2, DefaultRealm defaultRealm) throws ResourceException {
            try {
                int homeDepth = AccessControl_2.USER_HOME_PATH_PATTERN.size();
                boolean belowUserHome = object_2Facade.getPath().size() > homeDepth
                    && object_2Facade.getPath().getPrefix(homeDepth).isLike(AccessControl_2.USER_HOME_PATH_PATTERN);
                if (belowUserHome && !object_2Facade2.attributeValuesAsList("owner").isEmpty()) {
                    return (String) object_2Facade2.attributeValue("owner");
                }
                if (!object_2Facade.attributeValuesAsList("owningUser").isEmpty()) {
                    return AccessControl_2.this.getQualifiedPrincipalName((Path) object_2Facade.attributeValue("owningUser"));
                }
                if (!object_2Facade.attributeValuesAsList("owner").isEmpty()) {
                    return (String) object_2Facade.attributeValue("owner");
                }
                if (path != null) {
                    return AccessControl_2.this.getQualifiedPrincipalName(path);
                }
                return AccessControl_2.this.getQualifiedPrincipalName(object_2Facade.getPath(), "admin");
            } catch (ServiceException e) {
                throw ResourceExceptions.initHolder(new ResourceException(BasicException.newEmbeddedExceptionStack(e)));
            }
        }

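        /**
         * Determines the qualified names of the groups stored as owners of an object that is
         * about to be created.
         *
         * <p>If the object carries {@code owningGroup} values, each of them is converted to a
         * qualified principal name and nothing else is added. Otherwise the set is built from:
         * <ul>
         *   <li>the parent's {@code owner} list without its first entry (in {@code create}
         *       that list is written as owning user first, groups after), and, when the
         *       parent path has five segments, without the {@code USER_GROUP_USERS} group;</li>
         *   <li>the principal's primary group, when there is one;</li>
         *   <li>the {@code USER_GROUP_UNASSIGNED} group, when the set would otherwise be
         *       empty.</li>
         * </ul>
         *
         * <p>The realm is only looked up when a principal is present. The previous form
         * dereferenced {@code cachedPrincipal} before its own {@code null} test, so a
         * {@code null} principal could never reach the fallbacks that the test guards.
         *
         * @param cachedPrincipal the principal creating the object; may be {@code null}
         * @param object_2Facade the object being created
         * @param object_2Facade2 the parent object, or {@code null}
         * @param persistenceManager passed to the primary-group lookup
         * @return the qualified group names; never {@code null}
         * @throws ResourceException wrapping any {@code ServiceException} raised by the lookups
         */
        protected Set<String> getOwningGroupsForNewObject(CachedPrincipal cachedPrincipal, Object_2Facade object_2Facade, Object_2Facade object_2Facade2, PersistenceManager persistenceManager) throws ResourceException {
            try {
                Set<String> owningGroups = new HashSet<String>();
                boolean hasExplicitGroups = object_2Facade.getAttributeValues("owningGroup") != null
                    && !object_2Facade.attributeValuesAsList("owningGroup").isEmpty();
                if (hasExplicitGroups) {
                    for (Object group : object_2Facade.attributeValuesAsList("owningGroup")) {
                        owningGroups.add(AccessControl_2.this.getQualifiedPrincipalName((Path) group));
                    }
                    return owningGroups;
                }
                Path primaryGroup = cachedPrincipal == null
                    ? null
                    : cachedPrincipal.getRealm().getPrimaryGroup(cachedPrincipal, persistenceManager);
                if (object_2Facade2 != null) {
                    List<Object> inheritedOwners = new ArrayList<Object>(object_2Facade2.attributeValuesAsList("owner"));
                    if (object_2Facade2.getPath().size() == 5) {
                        inheritedOwners.remove(AccessControl_2.this.getQualifiedPrincipalName(object_2Facade.getPath(), SecurityKeys.USER_GROUP_USERS));
                    }
                    // Index 0 is skipped: only the entries after the first are inherited as groups.
                    for (int i = 1; i < inheritedOwners.size(); i++) {
                        owningGroups.add((String) inheritedOwners.get(i));
                    }
                }
                if (primaryGroup != null) {
                    owningGroups.add(AccessControl_2.this.getQualifiedPrincipalName(primaryGroup));
                } else if (owningGroups.isEmpty()) {
                    owningGroups.add(AccessControl_2.this.getQualifiedPrincipalName(object_2Facade.getPath(), SecurityKeys.USER_GROUP_UNASSIGNED));
                }
                return owningGroups;
            } catch (ServiceException e) {
                throw ResourceExceptions.initHolder(new ResourceException(BasicException.newEmbeddedExceptionStack(e)));
            }
        }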

        /**
         * Returns the object at {@code path}, served from the shared object cache when a
         * live entry exists and retrieved through the delegate otherwise.
         *
         * <p>Every call first sweeps the whole cache and drops entries that have no value,
         * no expiry stamp, or an expiry stamp in the past. A miss is retrieved with
         * {@code retrieveObject} and stored through {@code addToObjectCache}.
         *
         * <p>Points to keep in mind when this result feeds a permission decision:
         * <ul>
         *   <li>a hit returns the instance held in the cache, not a copy;</li>
         *   <li>a hit reflects the object as it was when cached, so ownership or access-level
         *       changes made since then are not visible until the entry expires or is
         *       replaced. NOTE(review): confirm that every write path refreshes or evicts
         *       the entry.</li>
         * </ul>
         *
         * @param dataproviderRequestProcessor delegate used on a cache miss
         * @param path identity of the requested object
         * @return the cached or freshly retrieved record
         * @throws ResourceException raised by the retrieval or by {@code addToObjectCache}
         */
        private ObjectRecord getCachedObject(DataproviderRequestProcessor dataproviderRequestProcessor, Path path) throws ResourceException {
            ConcurrentMap<Path, Object[]> cache = AccessControl_2.getObjectCache();
            for (Iterator<Map.Entry<Path, Object[]>> sweep = cache.entrySet().iterator(); sweep.hasNext(); ) {
                Map.Entry<Path, Object[]> entry = sweep.next();
                if (entry == null) {
                    continue;
                }
                try {
                    Object[] slot = entry.getValue();
                    boolean expired;
                    if (slot == null) {
                        expired = true;
                    } else {
                        Long expiresAt = (Long) slot[1];
                        expired = expiresAt == null || expiresAt.longValue() < System.currentTimeMillis();
                    }
                    if (expired) {
                        sweep.remove();
                    }
                } catch (Exception ignored) {
                    // A malformed entry is left in place; the sweep carries on with the next one.
                }
            }
            Object[] hit = cache.get(path);
            if (hit != null) {
                return (ObjectRecord) hit[0];
            }
            SysLog.log(Level.FINE, "retrieveObject {0}", new Object[]{path});
            ObjectRecord loaded = AccessControl_2.this.retrieveObject(dataproviderRequestProcessor, path, true);
            addToObjectCache(loaded);
            return loaded;
        }

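        /**
         * Stores a copy of {@code objectRecord} in the shared object cache under its path,
         * together with an expiry stamp of now plus {@code TTL_CACHED_OBJECTS}.
         *
         * <p>The record is cloned before it is stored, so later changes to the caller's
         * instance do not alter the cached state. Records without an object class are not
         * cached; an error is logged instead.
         *
         * @param objectRecord the record to cache
         * @throws ResourceException wrapping any {@code ServiceException} raised while
         *         reading or cloning the record
         */
        private void addToObjectCache(ObjectRecord objectRecord) throws ResourceException {
            try {
                Object_2Facade facade = Facades.asObject(objectRecord);
                if (facade.getObjectClass() == null) {
                    SysLog.error("Missing object class. Object not added to cache", facade.getPath());
                    return;
                }
                // Long.valueOf replaces the deprecated boxing constructor; readers only use the value.
                Long expiresAt = Long.valueOf(System.currentTimeMillis() + AccessControl_2.TTL_CACHED_OBJECTS);
                AccessControl_2.getObjectCache().put(facade.getPath(), new Object[]{Object_2Facade.cloneObject(objectRecord), expiresAt});
            } catch (ServiceException e) {
                throw ResourceExceptions.initHolder(new ResourceException(BasicException.newEmbeddedExceptionStack(e)));
            }
        }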

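        /**
         * Creates an object after checking the caller's permission on its parent and
         * normalising the security attributes of the new object.
         *
         * <ol>
         *   <li>For paths with at least seven segments the parent (the path shortened by two
         *       segments) is read through the object cache. If the parent is a secure object
         *       and {@code hasPermission} denies the action, a {@code ResourceException}
         *       carrying {@code AUTHORIZATION_FAILURE_CREATE} is thrown. Shorter paths skip
         *       this check.</li>
         *   <li>If the new object is itself secure, its {@code owner} list is rewritten as
         *       owning user followed by owning groups, the {@code owningUser} and
         *       {@code owningGroup} entries are removed, and each access-level attribute that
         *       does not hold exactly one non-zero value is reset (3 for
         *       {@code accessLevelBrowse}, 2 for update and delete; presumably the
         *       access-level constants of {@code SecurityKeys}, to be confirmed).</li>
         *   <li>The call is delegated to the superclass; on success the object is cached.</li>
         * </ol>
         *
         * <p>The read-only persistence manager is closed exactly once, in {@code finally}.
         * The earlier catch-and-rethrow form closed it a second time when the first
         * {@code close()} itself failed.
         *
         * @param restInteractionSpec the interaction spec of the request
         * @param objectRecord the object to create; its security attributes are modified in place
         * @param resultRecord the reply record passed to the superclass and to {@code completeReply}
         * @return always {@code true} when no exception is thrown
         * @throws ResourceException on a denied permission, or wrapping a {@code ServiceException}
         */
        public boolean create(RestInteractionSpec restInteractionSpec, ObjectRecord objectRecord, ResultRecord resultRecord) throws ResourceException {
            PersistenceManager readOnlyPersistenceManager = AccessControl_2.this.getReadOnlyPersistenceManager(SecurityKeys.ROOT_PRINCIPAL);
            DataproviderRequestProcessor newDelegateRequestProcessor = AccessControl_2.this.newDelegateRequestProcessor((RestConnection) getConnection());
            try {
                Path resourceIdentifier = objectRecord.getResourceIdentifier();
                DefaultRealm realm = AccessControl_2.this.getRealm(objectRecord, getPrincipalChain(), readOnlyPersistenceManager);
                GetRunAsPrincipalResult runAsPrincipal = realm.getRunAsPrincipal(objectRecord, getPrincipalChain(), newDelegateRequestProcessor, readOnlyPersistenceManager);
                CachedPrincipal principal = runAsPrincipal.getPrincipal();
                Path userIdentity = runAsPrincipal.getUserIdentity();
                Object_2Facade parentFacade = null;
                if (resourceIdentifier.size() >= 7) {
                    MappedRecord parentRecord = getCachedObject(newDelegateRequestProcessor, resourceIdentifier.getPrefix(resourceIdentifier.size() - 2));
                    parentFacade = Facades.asObject(parentRecord);
                    boolean denied = AccessControl_2.this.isSecureObject(parentRecord)
                        && !realm.hasPermission(objectRecord, parentFacade, null, principal, userIdentity, realm.getAccessControlAction(restInteractionSpec, parentFacade), null, newDelegateRequestProcessor, readOnlyPersistenceManager);
                    if (denied) {
                        String principalName = principal.getIdentity().getSegment(6).toString() + ":" + principal.getIdentity().getLastSegment().toString();
                        throw ResourceExceptions.initHolder(new ResourceException(
                            "No permission to create object.",
                            BasicException.newEmbeddedExceptionStack(
                                OpenCrxException.DOMAIN,
                                OpenCrxException.AUTHORIZATION_FAILURE_CREATE,
                                new BasicException.Parameter[]{
                                    new BasicException.Parameter("object", resourceIdentifier),
                                    new BasicException.Parameter("param0", resourceIdentifier),
                                    new BasicException.Parameter("param1", principalName)
                                })));
                    }
                }
                if (AccessControl_2.this.isSecureObject((MappedRecord) objectRecord)) {
                    Object_2Facade newObject = Facades.asObject(objectRecord);
                    String owningUser = getOwningUserForNewObject(userIdentity, newObject, parentFacade, realm);
                    // The owner list is rebuilt from scratch: owning user first, groups after.
                    newObject.attributeValuesAsList("owner").clear();
                    newObject.attributeValuesAsList("owner").add(owningUser);
                    newObject.attributeValuesAsList("owner").addAll(getOwningGroupsForNewObject(principal, newObject, parentFacade, readOnlyPersistenceManager));
                    newObject.getValue().keySet().remove("owningUser");
                    newObject.getValue().keySet().remove("owningGroup");
                    for (String attribute : new String[]{"accessLevelBrowse", "accessLevelUpdate", "accessLevelDelete"}) {
                        boolean usable = newObject.attributeValuesAsList(attribute).size() == 1
                            && ((Number) newObject.attributeValue(attribute)).shortValue() != 0;
                        if (!usable) {
                            short fallback = "accessLevelBrowse".equals(attribute) ? (short) 3 : (short) 2;
                            newObject.attributeValuesAsList(attribute).clear();
                            newObject.attributeValuesAsList(attribute).add(Short.valueOf(fallback));
                        }
                    }
                }
                if (super.create(restInteractionSpec, objectRecord, resultRecord)) {
                    addToObjectCache(objectRecord);
                }
                AccessControl_2.this.completeReply(resultRecord);
                return true;
            } catch (ServiceException e) {
                throw ResourceExceptions.initHolder(new ResourceException(BasicException.newEmbeddedExceptionStack(e)));
            } finally {
                if (readOnlyPersistenceManager != null) {
                    readOnlyPersistenceManager.close();
                }
            }
        }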

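        /**
         * Applies the realm's owner restriction to a query before it is delegated.
         *
         * <p>The restriction is always applied with respect to the parent of the queried
         * reference, read through the object cache. When the model reports the reference as
         * a shared association, it is additionally applied with respect to the composite
         * parent of the referenced objects. That parent is found in one of two ways:
         * <ul>
         *   <li>from {@code sharedAssociationToCompositeParentPathMap}, when a stored pattern
         *       matches the query path;</li>
         *   <li>otherwise by running the query once with size 1 and position 0 and taking the
         *       grandparent path of the single result. If that path has five segments, a
         *       pattern built from the query path is stored in the map for later calls.</li>
         * </ul>
         *
         * <p>The probe runs before any owner restriction has been added to the query; its
         * result is only used to derive the composite parent path. The caller's size and
         * position are restored in a {@code finally} block. The earlier form restored them
         * only when the probe returned a result, leaving the query at size 1 and position 0
         * otherwise.
         *
         * <p>NOTE(review): a stored pattern is derived from one sample object and then reused
         * for every query path that matches it; confirm this holds for all shared
         * associations in the model.
         *
         * @param persistenceManager passed on to the realm
         * @param dataproviderRequestProcessor delegate used for cache misses
         * @param defaultRealm the realm that computes and applies the restriction
         * @param restInteractionSpec the interaction spec used for the probe query
         * @param queryRecord the query to restrict in place
         * @throws ResourceException raised by the record accessors or the probe query
         * @throws ServiceException raised by the facade or realm calls
         */
        protected void restrictQuery(PersistenceManager persistenceManager, DataproviderRequestProcessor dataproviderRequestProcessor, DefaultRealm defaultRealm, RestInteractionSpec restInteractionSpec, QueryRecord queryRecord) throws ResourceException, ServiceException {
            Path resourceIdentifier = queryRecord.getResourceIdentifier();
            GetRunAsPrincipalResult runAsPrincipal = defaultRealm.getRunAsPrincipal(queryRecord, getPrincipalChain(), dataproviderRequestProcessor, persistenceManager);
            CachedPrincipal principal = runAsPrincipal.getPrincipal();
            Path userIdentity = runAsPrincipal.getUserIdentity();
            Object_2Facade referenceParent = Facades.asObject(getCachedObject(dataproviderRequestProcessor, resourceIdentifier.getParent()));
            if (AccessControl_2.this.model.containsSharedAssociation(resourceIdentifier)) {
                Object_2Facade compositeParent = null;
                Path compositeParentPath = null;
                for (Map.Entry<Path, Path> mapping : AccessControl_2.sharedAssociationToCompositeParentPathMap.entrySet()) {
                    if (resourceIdentifier.isLike(mapping.getKey())) {
                        compositeParentPath = mapping.getValue();
                        break;
                    }
                }
                if (compositeParentPath != null) {
                    compositeParent = Facades.asObject(getCachedObject(dataproviderRequestProcessor, compositeParentPath));
                } else {
                    Long size = queryRecord.getSize();
                    Long position = queryRecord.getPosition();
                    ResultRecord probe = Records.getRecordFactory().createIndexedRecord("org:openmdx:kernel:ResultSet");
                    queryRecord.setSize(1L);
                    queryRecord.setPosition(0L);
                    try {
                        super.find(restInteractionSpec, queryRecord, probe);
                    } finally {
                        // Hand the caller's paging back whether or not the probe found anything.
                        queryRecord.setPosition(position);
                        queryRecord.setSize(size);
                    }
                    if (!probe.isEmpty()) {
                        Path parent = Object_2Facade.getPath((ObjectRecord) probe.get(0)).getParent().getParent();
                        compositeParent = Facades.asObject(getCachedObject(dataproviderRequestProcessor, parent));
                        probe.clear();
                        if (parent.size() == 5) {
                            // Keep the first five segments; from there on, segments at even
                            // indexes become ":*" and segments at odd indexes are copied.
                            Path pattern = resourceIdentifier.getPrefix(5);
                            for (int i = 5; i < resourceIdentifier.size(); i++) {
                                pattern = i % 2 == 0 ? pattern.getChild(":*") : pattern.getChild(resourceIdentifier.getSegment(i).toString());
                            }
                            AccessControl_2.sharedAssociationToCompositeParentPathMap.put(pattern, parent);
                        }
                    }
                }
                if (compositeParent != null) {
                    defaultRealm.restrictQuery(queryRecord, compositeParent, principal, userIdentity, persistenceManager);
                }
            }
            defaultRealm.restrictQuery(queryRecord, referenceParent, principal, userIdentity, persistenceManager);
        }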

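        /**
         * Runs a query, restricted to the owners the caller may read when both the referenced
         * type and the parent of the queried reference are secure objects.
         *
         * <p>When the query's fetch group is {@code "all"}, returned objects whose path has at
         * most seven segments are stored in the shared object cache.
         *
         * <p>The delegate call appears once instead of once per branch, and the read-only
         * persistence manager is closed exactly once, in {@code finally}. The earlier
         * catch-and-rethrow form closed it a second time when the first {@code close()}
         * itself failed.
         *
         * @param restInteractionSpec the interaction spec of the request
         * @param queryRecord the query; it may be narrowed in place
         * @param resultRecord receives the result
         * @return always {@code true} when no exception is thrown
         * @throws ResourceException raised by the delegate, or wrapping a {@code ServiceException}
         */
        public boolean find(RestInteractionSpec restInteractionSpec, QueryRecord queryRecord, ResultRecord resultRecord) throws ResourceException {
            PersistenceManager readOnlyPersistenceManager = AccessControl_2.this.getReadOnlyPersistenceManager(SecurityKeys.ROOT_PRINCIPAL);
            DataproviderRequestProcessor newDelegateRequestProcessor = AccessControl_2.this.newDelegateRequestProcessor((RestConnection) getConnection());
            try {
                Path resourceIdentifier = queryRecord.getResourceIdentifier();
                DefaultRealm realm = AccessControl_2.this.getRealm(queryRecord, getPrincipalChain(), readOnlyPersistenceManager);
                MappedRecord parentRecord = getCachedObject(newDelegateRequestProcessor, resourceIdentifier.getParent());
                boolean secured = AccessControl_2.this.isSecureObject(AccessControl_2.this.getReferencedType(resourceIdentifier, FilterProperty.getFilterProperties(queryRecord.getQueryFilter())))
                    && AccessControl_2.this.isSecureObject(parentRecord);
                if (secured) {
                    restrictQuery(readOnlyPersistenceManager, newDelegateRequestProcessor, realm, restInteractionSpec, queryRecord);
                }
                super.find(restInteractionSpec, queryRecord, resultRecord);
                if (resultRecord != null && "all".equals(queryRecord.getFetchGroupName())) {
                    for (Object element : resultRecord) {
                        ObjectRecord found = (ObjectRecord) element;
                        if (found.getResourceIdentifier().size() <= 7) {
                            SysLog.log(Level.FINE, "addToObjectCache {0}", new Object[]{found.getResourceIdentifier()});
                            addToObjectCache(found);
                        }
                    }
                }
                AccessControl_2.this.completeReply(resultRecord);
                return true;
            } catch (ServiceException e) {
                throw ResourceExceptions.initHolder(new ResourceException(BasicException.newEmbeddedExceptionStack(e)));
            } finally {
                if (readOnlyPersistenceManager != null) {
                    readOnlyPersistenceManager.close();
                }
            }
        }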

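        /**
         * Streams the result of a query to {@code consumerRecord} after applying the realm's
         * owner restriction to the query.
         *
         * <p>Unlike {@code find}, the restriction is applied without first testing whether
         * the referenced type or the parent is a secure object. The consumer is wrapped in a
         * {@code CompletingConsumerRecord} before the call is delegated.
         *
         * <p>The read-only persistence manager is closed exactly once, in {@code finally}.
         * The earlier catch-and-rethrow form closed it a second time when the first
         * {@code close()} itself failed.
         *
         * @param restInteractionSpec the interaction spec of the request
         * @param queryRecord the query; it is narrowed in place
         * @param consumerRecord receives the objects
         * @return the value returned by the superclass
         * @throws ResourceException raised by the delegate, or wrapping a {@code ServiceException}
         */
        protected boolean consume(RestInteractionSpec restInteractionSpec, QueryRecord queryRecord, ConsumerRecord consumerRecord) throws ResourceException {
            PersistenceManager readOnlyPersistenceManager = AccessControl_2.this.getReadOnlyPersistenceManager(SecurityKeys.ROOT_PRINCIPAL);
            try {
                DataproviderRequestProcessor delegate = AccessControl_2.this.newDelegateRequestProcessor((RestConnection) getConnection());
                DefaultRealm realm = AccessControl_2.this.getRealm(queryRecord, getPrincipalChain(), readOnlyPersistenceManager);
                restrictQuery(readOnlyPersistenceManager, delegate, realm, restInteractionSpec, queryRecord);
                return super.consume(restInteractionSpec, queryRecord, new CompletingConsumerRecord(consumerRecord));
            } catch (ServiceException e) {
                throw ResourceExceptions.initHolder(new ResourceException(BasicException.newEmbeddedExceptionStack(e)));
            } finally {
                if (readOnlyPersistenceManager != null) {
                    readOnlyPersistenceManager.close();
                }
            }
        }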

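        /**
         * Retrieves a single object and then checks that the caller may access it.
         *
         * <p>The object is fetched through the superclass first, because the permission check
         * needs its attributes. For paths with at least seven segments whose type and parent
         * (the path shortened by two segments, read through the object cache) are both
         * secure, {@code hasPermission} is evaluated. A denial raises a
         * {@code ResourceException} carrying {@code AUTHORIZATION_FAILURE_READ}.
         *
         * <p>Points for reviewers:
         * <ul>
         *   <li>when the check fails, {@code resultRecord} has already been filled by the
         *       delegate; callers must not use it after the exception;</li>
         *   <li>paths with fewer than seven segments are returned without this check;</li>
         *   <li>an empty result returns early, before {@code completeReply}.</li>
         * </ul>
         *
         * <p>The read-only persistence manager is closed once, in {@code finally}. The
         * earlier form also closed it explicitly before each {@code return}, so it was
         * closed twice on those paths.
         *
         * @param restInteractionSpec the interaction spec of the request
         * @param queryRecord the request; its fetch group is set to {@code "all"}
         * @param resultRecord receives the object
         * @return always {@code true} when no exception is thrown
         * @throws ResourceException on a denied permission, or wrapping a {@code ServiceException}
         */
        public boolean get(RestInteractionSpec restInteractionSpec, QueryRecord queryRecord, ResultRecord resultRecord) throws ResourceException {
            PersistenceManager readOnlyPersistenceManager = AccessControl_2.this.getReadOnlyPersistenceManager(SecurityKeys.ROOT_PRINCIPAL);
            DataproviderRequestProcessor newDelegateRequestProcessor = AccessControl_2.this.newDelegateRequestProcessor((RestConnection) getConnection());
            try {
                Path resourceIdentifier = queryRecord.getResourceIdentifier();
                Model_1_0 model = Model_1Factory.getModel();
                DefaultRealm realm = AccessControl_2.this.getRealm(queryRecord, getPrincipalChain(), readOnlyPersistenceManager);
                GetRunAsPrincipalResult runAsPrincipal = realm.getRunAsPrincipal(queryRecord, getPrincipalChain(), newDelegateRequestProcessor, readOnlyPersistenceManager);
                CachedPrincipal principal = runAsPrincipal.getPrincipal();
                Path userIdentity = runAsPrincipal.getUserIdentity();
                try {
                    queryRecord.setFetchGroupName("all");
                } catch (Exception ignored) {
                    // Best effort: the request goes ahead with whatever fetch group it has.
                }
                super.get(restInteractionSpec, queryRecord, resultRecord);
                if (resultRecord.isEmpty()) {
                    return true;
                }
                if (resourceIdentifier.size() >= 7) {
                    MappedRecord parentRecord = getCachedObject(newDelegateRequestProcessor, resourceIdentifier.getPrefix(resourceIdentifier.size() - 2));
                    Object_2Facade parentFacade = Facades.asObject(parentRecord);
                    boolean secured = AccessControl_2.this.isSecureObject(model.getTypes(resourceIdentifier)[2])
                        && AccessControl_2.this.isSecureObject(parentRecord);
                    if (secured && !realm.hasPermission(queryRecord, Facades.asObject((ObjectRecord) resultRecord.get(0)), parentFacade, principal, userIdentity, realm.getAccessControlAction(restInteractionSpec, parentFacade), null, newDelegateRequestProcessor, readOnlyPersistenceManager)) {
                        String principalName = principal.getIdentity().getSegment(6).toString() + ":" + principal.getIdentity().getLastSegment().toString();
                        throw ResourceExceptions.initHolder(new ResourceException(
                            "No permission to access requested object.",
                            BasicException.newEmbeddedExceptionStack(
                                OpenCrxException.DOMAIN,
                                OpenCrxException.AUTHORIZATION_FAILURE_READ,
                                new BasicException.Parameter[]{
                                    new BasicException.Parameter("object", resourceIdentifier),
                                    new BasicException.Parameter("param0", resourceIdentifier.toXRI()),
                                    new BasicException.Parameter("param1", principalName),
                                    new BasicException.Parameter("param2", userIdentity.toXRI())
                                })));
                    }
                }
                AccessControl_2.this.completeReply(resultRecord);
                return true;
            } catch (ServiceException e2) {
                throw ResourceExceptions.initHolder(new ResourceException(BasicException.newEmbeddedExceptionStack(e2)));
            } finally {
                if (readOnlyPersistenceManager != null) {
                    readOnlyPersistenceManager.close();
                }
            }
        }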

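        /**
         * Deletes an object after checking the caller's permission on it.
         *
         * <p>The current state of the object is read with {@code retrieveObject}, not from
         * the object cache. If it is a secure object and {@code hasPermission} denies the
         * action, a {@code ResourceException} carrying {@code AUTHORIZATION_FAILURE_DELETE}
         * is thrown. Otherwise the cache entry for the path is evicted and the call is
         * delegated to the superclass.
         *
         * <p>The read-only persistence manager is closed exactly once, in {@code finally}.
         * The earlier catch-and-rethrow form closed it a second time when the first
         * {@code close()} itself failed.
         *
         * @param restInteractionSpec the interaction spec of the request
         * @param objectRecord identifies the object to delete
         * @return the value returned by the superclass
         * @throws ResourceException on a denied permission, or wrapping a {@code ServiceException}
         */
        public boolean delete(RestInteractionSpec restInteractionSpec, ObjectRecord objectRecord) throws ResourceException {
            PersistenceManager readOnlyPersistenceManager = AccessControl_2.this.getReadOnlyPersistenceManager(SecurityKeys.ROOT_PRINCIPAL);
            DataproviderRequestProcessor newDelegateRequestProcessor = AccessControl_2.this.newDelegateRequestProcessor((RestConnection) getConnection());
            try {
                Path resourceIdentifier = objectRecord.getResourceIdentifier();
                DefaultRealm realm = AccessControl_2.this.getRealm(objectRecord, getPrincipalChain(), readOnlyPersistenceManager);
                GetRunAsPrincipalResult runAsPrincipal = realm.getRunAsPrincipal(objectRecord, getPrincipalChain(), newDelegateRequestProcessor, readOnlyPersistenceManager);
                CachedPrincipal principal = runAsPrincipal.getPrincipal();
                Path userIdentity = runAsPrincipal.getUserIdentity();
                MappedRecord currentRecord = AccessControl_2.this.retrieveObject(newDelegateRequestProcessor, resourceIdentifier, true);
                if (AccessControl_2.this.isSecureObject(currentRecord)) {
                    Object_2Facade current = Facades.asObject(currentRecord);
                    if (!realm.hasPermission(objectRecord, current, null, principal, userIdentity, realm.getAccessControlAction(restInteractionSpec, current), null, newDelegateRequestProcessor, readOnlyPersistenceManager)) {
                        String principalName = principal.getIdentity().getSegment(6).toString() + ":" + principal.getIdentity().getLastSegment().toString();
                        throw ResourceExceptions.initHolder(new ResourceException(
                            "No permission to delete requested object.",
                            BasicException.newEmbeddedExceptionStack(
                                OpenCrxException.DOMAIN,
                                OpenCrxException.AUTHORIZATION_FAILURE_DELETE,
                                new BasicException.Parameter[]{
                                    new BasicException.Parameter("object", resourceIdentifier),
                                    new BasicException.Parameter("param0", resourceIdentifier.toXRI()),
                                    new BasicException.Parameter("param1", principalName),
                                    new BasicException.Parameter("param2", userIdentity.toXRI())
                                })));
                    }
                }
                // Evict before delegating so a stale copy cannot serve later permission checks.
                AccessControl_2.objectCache.remove(resourceIdentifier);
                return super.delete(restInteractionSpec, objectRecord);
            } catch (ServiceException e) {
                throw ResourceExceptions.initHolder(new ResourceException(BasicException.newEmbeddedExceptionStack(e)));
            } finally {
                if (readOnlyPersistenceManager != null) {
                    readOnlyPersistenceManager.close();
                }
            }
        }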

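        /**
         * Updates the addressed object after a permission check and normalises its ownership attributes.
         *
         * <p>The stored object is fetched through the delegate. When it is a secure object:
         * <ol>
         *   <li>the realm is asked whether the run-as principal may perform the access-control action;
         *       a denial is reported as an authorization failure;</li>
         *   <li>the {@code owner} list is recomputed: element 0 is the owning user (taken from the
         *       request's {@code owningUser}, else the stored {@code owner}, else the run-as user
         *       identity, else the segment's {@code admin}), followed by the owning groups (from the
         *       request's {@code owningGroup} when that attribute is present, else the stored groups);</li>
         *   <li>the request's {@code owner} is replaced when the recomputed list differs from the stored
         *       one, and {@code owningUser}/{@code owningGroup} are removed from the request.</li>
         * </ol>
         * The object is then evicted from the shared object cache, the update is delegated to the
         * superclass and the reply is completed.
         *
         * @param restInteractionSpec the interaction being executed
         * @param objectRecord the request record carrying the new attribute values
         * @param resultRecord the reply record, completed after the delegate has run
         * @return always {@code true}
         * @throws ResourceException if permission is denied, or wrapping a {@code ServiceException}
         */
        protected boolean update(RestInteractionSpec restInteractionSpec, ObjectRecord objectRecord, ResultRecord resultRecord) throws ResourceException {
            PersistenceManager readOnlyPersistenceManager = AccessControl_2.this.getReadOnlyPersistenceManager(SecurityKeys.ROOT_PRINCIPAL);
            try {
                // Kept inside the try block: if building the delegate processor fails, the finally
                // clause still closes the root-principal persistence manager acquired above.
                DataproviderRequestProcessor newDelegateRequestProcessor = AccessControl_2.this.newDelegateRequestProcessor((RestConnection) getConnection());
                Path resourceIdentifier = objectRecord.getResourceIdentifier();
                DefaultRealm realm = AccessControl_2.this.getRealm(objectRecord, getPrincipalChain(), readOnlyPersistenceManager);
                Object_2Facade requested = Facades.asObject(objectRecord);
                GetRunAsPrincipalResult runAsPrincipal = realm.getRunAsPrincipal(objectRecord, getPrincipalChain(), newDelegateRequestProcessor, readOnlyPersistenceManager);
                CachedPrincipal principal = runAsPrincipal.getPrincipal();
                Path userIdentity = runAsPrincipal.getUserIdentity();
                MappedRecord retrieveObject = AccessControl_2.this.retrieveObject(newDelegateRequestProcessor, resourceIdentifier, true);
                if (AccessControl_2.this.isSecureObject(retrieveObject)) {
                    Object_2Facade stored = Facades.asObject(retrieveObject);
                    // NOTE(review): the permission is evaluated on the stored object, but the action is
                    // derived from the request record, whereas delete() derives it from the stored
                    // object. Confirm that getAccessControlAction does not depend on caller-supplied
                    // attribute values.
                    if (!realm.hasPermission(objectRecord, stored, null, principal, userIdentity, realm.getAccessControlAction(restInteractionSpec, requested), null, newDelegateRequestProcessor, readOnlyPersistenceManager)) {
                        // userIdentity may be null (handled below), so the denial must not fail with a
                        // NullPointerException before the authorization failure is reported.
                        String userXri = userIdentity == null ? null : userIdentity.toXRI();
                        // NOTE(review): 1000 is a bare error code here, presumably an inlined
                        // OpenCrxException constant - confirm and use the named constant.
                        throw ResourceExceptions.initHolder(new ResourceException("No permission to update requested object.", BasicException.newEmbeddedExceptionStack(OpenCrxException.DOMAIN, 1000, new BasicException.Parameter[]{new BasicException.Parameter("object", resourceIdentifier), new BasicException.Parameter("param0", resourceIdentifier.toXRI()), new BasicException.Parameter("param1", principal.getIdentity().getSegment(6).toString() + ":" + principal.getIdentity().getLastSegment().toString()), new BasicException.Parameter("param2", userXri)})));
                    }
                    // Element 0 of the owner list: the owning user, resolved by precedence.
                    String owningUser;
                    if (!requested.attributeValuesAsList("owningUser").isEmpty()) {
                        owningUser = AccessControl_2.this.getQualifiedPrincipalName((Path) requested.attributeValue("owningUser"));
                    } else if (!stored.attributeValuesAsList("owner").isEmpty()) {
                        owningUser = (String) stored.attributeValue("owner");
                    } else if (userIdentity != null) {
                        owningUser = AccessControl_2.this.getQualifiedPrincipalName(userIdentity);
                    } else {
                        owningUser = AccessControl_2.this.getQualifiedPrincipalName(requested.getPath(), "admin");
                    }
                    ArrayList owners = new ArrayList();
                    owners.add(owningUser);
                    // Remaining elements: the owning groups, de-duplicated through a set.
                    HashSet owningGroups = new HashSet();
                    if (requested.getAttributeValues("owningGroup") != null) {
                        for (Path path : requested.attributeValuesAsList("owningGroup")) {
                            if (path != null) {
                                owningGroups.add(AccessControl_2.this.getQualifiedPrincipalName(path));
                            }
                        }
                    } else if (stored.attributeValuesAsList("owner").size() > 1) {
                        owningGroups.addAll(stored.attributeValuesAsList("owner").subList(1, stored.attributeValuesAsList("owner").size()));
                    }
                    owners.addAll(owningGroups);
                    // NOTE(review): a caller that passes the check above can set a new owning user and
                    // new owning groups; no separate check on the new owners is visible in this
                    // method. Confirm that ownership changes are restricted where intended.
                    if (!stored.attributeValuesAsList("owner").containsAll(owners) || !owners.containsAll(stored.attributeValuesAsList("owner"))) {
                        requested.attributeValuesAsList("owner").clear();
                        requested.attributeValuesAsList("owner").addAll(owners);
                    }
                    // The derived attributes are never passed on to the delegate.
                    requested.getValue().keySet().remove("owningUser");
                    requested.getValue().keySet().remove("owningGroup");
                }
                AccessControl_2.objectCache.remove(resourceIdentifier);
                super.update(restInteractionSpec, objectRecord, resultRecord);
                AccessControl_2.this.completeReply(resultRecord);
                return true;
            } catch (ServiceException e) {
                throw ResourceExceptions.initHolder(new ResourceException(BasicException.newEmbeddedExceptionStack(e)));
            } finally {
                if (readOnlyPersistenceManager != null) {
                    readOnlyPersistenceManager.close();
                }
            }
        }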

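        /**
         * Handles the {@code checkPermissions} operation and delegates every other operation.
         *
         * <p>The caller's realm is resolved for every operation; {@code getRealm} raises an
         * authorization failure when the requesting principal is unknown. For
         * {@code checkPermissions} the reply body reports, for the principal named in the request
         * body and the object addressed by {@code objectIdentity} (or, when absent, the request
         * path shortened by two segments):
         * <ul>
         *   <li>{@code hasReadPermission}, {@code hasDeletePermission}, {@code hasUpdatePermission};</li>
         *   <li>{@code grantedPermissionsRead}, {@code grantedPermissionsDelete},
         *       {@code grantedPermissionsUpdate}: the permission sets collected per action;</li>
         *   <li>{@code grantedPermissionsAll}: the per-action entries, each suffixed with the action
         *       separator and the action name, plus every entry of {@code realm.getPermissions}
         *       that contains the separator after its first character.</li>
         * </ul>
         *
         * @param restInteractionSpec the interaction being executed
         * @param messageRecord the request message
         * @param messageRecord2 the reply message whose body is filled in
         * @return the superclass result for other operations, {@code true} for {@code checkPermissions}
         * @throws ResourceException if the named principal is not found, the object path has fewer
         *         than five segments, or wrapping a {@code ServiceException}
         */
        protected boolean invoke(RestInteractionSpec restInteractionSpec, MessageRecord messageRecord, MessageRecord messageRecord2) throws ResourceException {
            PersistenceManager readOnlyPersistenceManager = AccessControl_2.this.getReadOnlyPersistenceManager(SecurityKeys.ROOT_PRINCIPAL);
            try {
                // Kept inside the try block: if either of the next two statements fails, the finally
                // clause still closes the root-principal persistence manager acquired above.
                DataproviderRequestProcessor newDelegateRequestProcessor = AccessControl_2.this.newDelegateRequestProcessor((RestConnection) getConnection());
                String operationName = messageRecord.getTarget().getLastSegment().toString();
                Path resourceIdentifier = messageRecord.getResourceIdentifier();
                DefaultRealm realm = AccessControl_2.this.getRealm(messageRecord, getPrincipalChain(), readOnlyPersistenceManager);
                if (!"checkPermissions".equals(operationName)) {
                    return super.invoke(restInteractionSpec, messageRecord, messageRecord2);
                }
                // NOTE(review): principalName and objectIdentity both come from the request body. No
                // check is visible here that the caller may query another principal's permissions,
                // or that objectIdentity lies in the caller's segment. Confirm this is enforced
                // elsewhere.
                String principalName = (String) messageRecord.getBody().get("principalName");
                CachedPrincipal principal = principalName != null ? realm.getPrincipal(principalName, readOnlyPersistenceManager) : null;
                if (principal == null) {
                    throw ResourceExceptions.initHolder(new ResourceException("Requested principal not found.", BasicException.newEmbeddedExceptionStack(OpenCrxException.DOMAIN, OpenCrxException.AUTHORIZATION_FAILURE_MISSING_PRINCIPAL, new BasicException.Parameter[]{new BasicException.Parameter("principal", principalName), new BasicException.Parameter("param0", principalName), new BasicException.Parameter("param1", AccessControl_2.this.realmIdentity)})));
                }
                Path objectIdentity = messageRecord.getBody().get("objectIdentity") != null ? new Path((String) messageRecord.getBody().get("objectIdentity")) : resourceIdentifier.getPrefix(resourceIdentifier.size() - 2);
                if (objectIdentity.size() < 5) {
                    throw ResourceExceptions.initHolder(new ResourceException("Can not invoke checkPermissions on this object", BasicException.newEmbeddedExceptionStack("DefaultDomain", -2, new BasicException.Parameter[]{new BasicException.Parameter("path", resourceIdentifier), new BasicException.Parameter("principal", principalName), new BasicException.Parameter("param0", principalName), new BasicException.Parameter("param1", AccessControl_2.this.realmIdentity)})));
                }
                Path user = AccessControl_2.this.getUser(principal);
                // NOTE(review): this second object is always derived from the request path, even when
                // objectIdentity was supplied in the body - confirm that is intended.
                Object_2Facade prefixObject = objectIdentity.size() >= 7 ? Facades.asObject(getCachedObject(newDelegateRequestProcessor, resourceIdentifier.getPrefix(resourceIdentifier.size() - 2))) : null;
                Object_2Facade checkedObject = Facades.asObject(AccessControl_2.this.retrieveObject(newDelegateRequestProcessor, objectIdentity, true));
                messageRecord2.setBody(AccessControl_2.this.newOperationResult("org:opencrx:kernel:base:CheckPermissionsResult"));
                MappedRecord body = messageRecord2.getBody();
                TreeSet allPermissions = new TreeSet();

                // READ
                TreeSet readPermissions = new TreeSet();
                boolean hasRead = realm.hasPermission(messageRecord, checkedObject, prefixObject, principal, user, SecurityKeys.Action.READ, readPermissions, newDelegateRequestProcessor, readOnlyPersistenceManager);
                Iterator<String> readIterator = readPermissions.iterator();
                while (readIterator.hasNext()) {
                    allPermissions.add(readIterator.next() + SecurityKeys.PERMISSION_ACTION_SEPARATOR + SecurityKeys.Action.READ.getName());
                }
                body.put("grantedPermissionsRead", readPermissions);
                body.put("hasReadPermission", Boolean.valueOf(hasRead));

                // DELETE
                TreeSet deletePermissions = new TreeSet();
                boolean hasDelete = realm.hasPermission(messageRecord, checkedObject, prefixObject, principal, user, SecurityKeys.Action.DELETE, deletePermissions, newDelegateRequestProcessor, readOnlyPersistenceManager);
                Iterator<String> deleteIterator = deletePermissions.iterator();
                while (deleteIterator.hasNext()) {
                    allPermissions.add(deleteIterator.next() + SecurityKeys.PERMISSION_ACTION_SEPARATOR + SecurityKeys.Action.DELETE.getName());
                }
                body.put("grantedPermissionsDelete", deletePermissions);
                body.put("hasDeletePermission", Boolean.valueOf(hasDelete));

                // UPDATE
                TreeSet updatePermissions = new TreeSet();
                boolean hasUpdate = realm.hasPermission(messageRecord, checkedObject, prefixObject, principal, user, SecurityKeys.Action.UPDATE, updatePermissions, newDelegateRequestProcessor, readOnlyPersistenceManager);
                Iterator<String> updateIterator = updatePermissions.iterator();
                while (updateIterator.hasNext()) {
                    allPermissions.add(updateIterator.next() + SecurityKeys.PERMISSION_ACTION_SEPARATOR + SecurityKeys.Action.UPDATE.getName());
                }
                body.put("grantedPermissionsUpdate", updatePermissions);
                body.put("hasUpdatePermission", Boolean.valueOf(hasUpdate));

                // The access level passed on is 2 when the object carries no accessLevelBrowse value.
                Set<String> permissions = realm.getPermissions(principal, user, checkedObject.attributeValuesAsList("accessLevelBrowse").isEmpty() ? (short) 2 : ((Number) checkedObject.attributeValue("accessLevelBrowse")).shortValue(), null, readOnlyPersistenceManager);
                if (permissions != null) {
                    for (String permission : permissions) {
                        // Only entries with the separator after the first character are reported.
                        if (permission.indexOf(SecurityKeys.PERMISSION_ACTION_SEPARATOR) > 0) {
                            allPermissions.add(permission);
                        }
                    }
                }
                body.put("grantedPermissionsAll", allPermissions);
                return true;
            } catch (ServiceException e) {
                throw ResourceExceptions.initHolder(new ResourceException(BasicException.newEmbeddedExceptionStack(e)));
            } finally {
                if (readOnlyPersistenceManager != null) {
                    readOnlyPersistenceManager.close();
                }
            }
        }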
    }

    /**
     * Creates the access-control interaction for a connection.
     *
     * @param restConnection the connection the interaction is bound to
     * @return a new {@code RestInteraction} for {@code restConnection}
     * @throws ResourceException declared by the signature
     */
    public Interaction getInteraction(RestConnection restConnection) throws ResourceException {
        Interaction interaction = new RestInteraction(restConnection);
        return interaction;
    }

    /**
     * Derives the user identity path of a cached principal.
     *
     * @param cachedPrincipal the principal; segment 6 of its identity is used as the realm segment
     *        and its last segment as the principal name
     * @return the path built by {@link #getUserIdentity(String, String)}
     */
    protected Path getUserIdentity(CachedPrincipal cachedPrincipal) {
        String realmSegment = cachedPrincipal.getIdentity().getSegment(6).toString();
        String principalName = cachedPrincipal.getIdentity().getLastSegment().toString();
        return getUserIdentity(realmSegment, principalName);
    }

    /**
     * Resolves a qualified owner string of the form {@code <realm segment>:<subject name>}.
     *
     * <p>A value without a colon is logged as an error and resolved against the {@code Root}
     * segment, with the whole string taken as the subject name.
     *
     * @param str the qualified owner string
     * @return the path built by {@link #getUserIdentity(String, String)}
     */
    protected Path getUserIdentity(String str) {
        int separatorIndex = str.indexOf(":");
        if (separatorIndex >= 0) {
            return getUserIdentity(str.substring(0, separatorIndex), str.substring(separatorIndex + 1));
        }
        // NOTE(review): a malformed owner silently falls back to the Root segment. Confirm that
        // corrupt data cannot resolve to a principal that exists there.
        SysLog.error("FATAL: object has illegal formatted owner (<realm segment>:<subject name>): " + str);
        return getUserIdentity("Root", str);
    }

    /**
     * Builds the user principal path for a realm segment and a principal name.
     *
     * <p>The names {@code admin} and {@code loader} are extended with the ID separator and the
     * segment name. A name that does not end with the user suffix gets {@code ".User"} appended.
     *
     * @param str the realm segment name
     * @param str2 the principal name
     * @return the descendant {@code {str, "principal", <name>}} of the realm identity's parent
     */
    protected Path getUserIdentity(String str, String str2) {
        String principalName = str2;
        boolean segmentScoped = "admin".equals(principalName) || "loader".equals(principalName);
        if (segmentScoped) {
            principalName = principalName + SecurityKeys.ID_SEPARATOR + str;
        }
        // NOTE(review): the test uses SecurityKeys.USER_SUFFIX while the appended text is the
        // literal ".User" - presumably the same value; confirm.
        if (!principalName.endsWith(SecurityKeys.USER_SUFFIX)) {
            principalName = principalName + ".User";
        }
        String[] components = new String[]{str, "principal", principalName};
        return this.realmIdentity.getParent().getDescendant(components);
    }

    /**
     * Returns the user path of a principal; this implementation delegates to
     * {@link #getUserIdentity(CachedPrincipal)}.
     *
     * @param cachedPrincipal the principal to resolve
     * @return the user identity path
     * @throws ServiceException declared by the signature
     */
    protected Path getUser(CachedPrincipal cachedPrincipal) throws ServiceException {
        Path userPath = getUserIdentity(cachedPrincipal);
        return userPath;
    }

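    /**
     * Resolves a qualified group owner string of the form {@code <realm segment>:<subject name>}.
     *
     * <p>A value without a colon is logged as an error and resolved against the {@code Root}
     * segment, with the whole string taken as the subject name. The error goes to {@code SysLog},
     * as in {@link #getUserIdentity(String)}, so that corrupt ownership data shows up in the
     * application log rather than only on standard error.
     *
     * @param path the path of the object carrying the owner value; used for diagnostics only
     * @param str the qualified group owner string
     * @return the descendant {@code {<segment>, "principal", <name>}} of the realm identity's parent
     */
    protected Path getGroupIdentity(Path path, String str) {
        String realmSegment;
        String groupName;
        int separatorIndex = str.indexOf(":");
        if (separatorIndex < 0) {
            // NOTE(review): a malformed owner silently falls back to the Root segment. Confirm that
            // corrupt data cannot resolve to a principal group that exists there.
            SysLog.error("FATAL: object has illegal formatted owner (<realm segment>:<subject name>): " + str + "; path=" + path.toXRI());
            realmSegment = "Root";
            groupName = str;
        } else {
            realmSegment = str.substring(0, separatorIndex);
            groupName = str.substring(separatorIndex + 1);
        }
        return this.realmIdentity.getParent().getDescendant(new String[]{realmSegment, "principal", groupName});
    }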

    /**
     * Qualifies a principal name with segment 4 of an object path.
     *
     * @param path the object path whose segment 4 is used as the qualifier
     * @param str the principal name
     * @return {@code <segment 4>:<str>}
     */
    protected String getQualifiedPrincipalName(Path path, String str) {
        String qualifier = path.getSegment(4).toString();
        return qualifier + ":" + str;
    }

    /**
     * Builds the qualified name of a principal from its path.
     *
     * @param path the principal path
     * @return {@code <segment 6>:<last segment>}
     */
    protected String getQualifiedPrincipalName(Path path) {
        String qualifier = path.getSegment(6).toString();
        String principalName = path.getLastSegment().toString();
        return qualifier + ":" + principalName;
    }

    /**
     * Creates a request processor on the delegate, running under the connection's principal chain.
     *
     * @param restConnection the connection whose user name yields the principal chain
     * @return a new processor bound to {@code getDelegate()}
     * @throws ResourceException declared by the signature
     */
    protected DataproviderRequestProcessor newDelegateRequestProcessor(RestConnection restConnection) throws ResourceException {
        List<String> principalChain = PersistenceManagers.toPrincipalChain(restConnection.getMetaData().getUserName());
        return new DataproviderRequestProcessor(principalChain, getDelegate());
    }

    /**
     * Opens a persistence manager for the given principal, creating the factory on first use.
     *
     * <p>The factory is created with the container-managed property set to {@code FALSE} and is
     * kept in {@code this.pmf}. Callers own the returned manager and must close it.
     *
     * @param str the principal name the persistence manager is opened for
     * @return a new persistence manager obtained from the factory
     * @throws ResourceException wrapping a {@code ServiceException}
     */
    protected PersistenceManager getReadOnlyPersistenceManager(String str) throws ResourceException {
        try {
            // NOTE(review): the lazy initialisation is not synchronised; concurrent first calls may
            // each create a factory - confirm whether that matters here.
            if (this.pmf == null) {
                HashMap factoryProperties = new HashMap();
                factoryProperties.put(ConfigurableProperty.ContainerManaged.qualifiedName(), Boolean.FALSE);
                this.pmf = Utils.getPersistenceManagerFactory(factoryProperties);
            }
            PersistenceManager persistenceManager = this.pmf.getPersistenceManager(str, (String) null);
            return persistenceManager;
        } catch (ServiceException cause) {
            throw new ResourceException(cause);
        }
    }

    /**
     * Fetches an object through the given request processor.
     *
     * <p>The query uses fetch group {@code all} and orders by the {@code owner} attribute.
     *
     * @param dataproviderRequestProcessor the processor the get request is added to
     * @param path the identity of the object to fetch
     * @param z not read by this implementation
     * @return the record returned by {@code addGetRequest}
     * @throws ResourceException declared by the signature
     */
    protected ObjectRecord retrieveObject(DataproviderRequestProcessor dataproviderRequestProcessor, Path path, boolean z) throws ResourceException {
        QueryFilterRecord ownerOrderedFilter = Records.getRecordFactory().createMappedRecord(QueryFilterRecord.class);
        AttributeSpecifier[] orderBy = new AttributeSpecifier[]{new AttributeSpecifier("owner")};
        ownerOrderedFilter.getOrderSpecifier().addAll(AttributeSpecifier.toOrderSpecifier(orderBy));

        org.openmdx.base.rest.spi.QueryRecord query = new org.openmdx.base.rest.spi.QueryRecord();
        query.setResourceIdentifier(path);
        query.setFetchGroupName("all");
        query.setQueryFilter(ownerOrderedFilter);
        return dataproviderRequestProcessor.addGetRequest(query);
    }

    /**
     * Creates an empty mapped record for an operation result.
     *
     * @param str the record name passed to the record factory
     * @return the record created by the record factory
     * @throws ResourceException declared by the signature
     */
    protected MappedRecord newOperationResult(String str) throws ResourceException {
        MappedRecord result = Records.getRecordFactory().createMappedRecord(str);
        return result;
    }

    /**
     * Adds a find request for a path to the given request processor.
     *
     * @param dataproviderRequestProcessor the processor the request is added to
     * @param path the path to search
     * @return the record returned by {@code addFindRequest}
     * @throws ResourceException declared by the signature
     */
    protected ResultRecord findObjects(DataproviderRequestProcessor dataproviderRequestProcessor, Path path) throws ResourceException {
        ResultRecord found = dataproviderRequestProcessor.addFindRequest(path);
        return found;
    }

    /**
     * Rebuilds the derived {@code owningUser} and {@code owningGroup} attributes from {@code owner}.
     *
     * <p>Both derived attributes are removed first. Element 0 of {@code owner} becomes the owning
     * user; a missing element 0 is logged as corrupt data and no owning user is set. Every further
     * element becomes an owning group.
     *
     * @param objectRecord the record to complete in place
     * @throws ResourceException wrapping a {@code ServiceException}
     */
    protected void completeOwningUserAndGroup(ObjectRecord objectRecord) throws ResourceException {
        try {
            Object_2Facade facade = Facades.asObject(objectRecord);
            // Drop whatever the record carried so that the values below are the only ones present.
            facade.getValue().keySet().remove("owningUser");
            facade.getValue().keySet().remove("owningGroup");
            if (!facade.attributeValuesAsList("owner").isEmpty()) {
                if (((String) facade.attributeValue("owner")) != null) {
                    facade.attributeValuesAsList("owningUser").add(getUserIdentity((String) facade.attributeValue("owner")));
                } else {
                    SysLog.error("Values of attribute owner are corrupt. Element at index 0 (owning user) is missing. Fix the database", objectRecord);
                }
            }
            // Index 0 is the owning user; groups start at index 1.
            int groupIndex = 1;
            while (groupIndex < facade.attributeValuesAsList("owner").size()) {
                facade.attributeValuesAsList("owningGroup").add(getGroupIdentity(facade.getPath(), (String) facade.attributeValuesAsList("owner").get(groupIndex)));
                groupIndex++;
            }
        } catch (ServiceException cause) {
            throw ResourceExceptions.initHolder(new ResourceException(BasicException.newEmbeddedExceptionStack(cause)));
        }
    }

    /**
     * Completes a single record before it is returned; this implementation only fills in the
     * owning user and owning groups.
     *
     * @param objectRecord the record to complete in place
     * @throws ResourceException if completing the ownership attributes fails
     */
    protected void completeObject(ObjectRecord objectRecord) throws ResourceException {
        this.completeOwningUserAndGroup(objectRecord);
    }

    /**
     * Completes every record of a reply; a {@code null} reply is ignored.
     *
     * @param resultRecord the reply whose elements are completed in place, or {@code null}
     * @throws ResourceException if completing a record fails
     */
    protected void completeReply(ResultRecord resultRecord) throws ResourceException {
        if (resultRecord == null) {
            return;
        }
        for (Iterator records = resultRecord.iterator(); records.hasNext(); ) {
            completeObject((ObjectRecord) records.next());
        }
    }

    /**
     * Tells whether a record's object class is a subtype of the principal group type.
     *
     * @param mappedRecord the record to test
     * @return the result of the model's subtype test against {@code SecurityKeys.PRINCIPAL_TYPE_GROUP}
     * @throws ServiceException declared by the signature
     */
    protected boolean isPrincipalGroup(MappedRecord mappedRecord) throws ServiceException {
        String objectClass = Object_2Facade.getObjectClass(mappedRecord);
        return this.model.isSubtypeOf(objectClass, SecurityKeys.PRINCIPAL_TYPE_GROUP);
    }

    /**
     * Tells whether a record must be access-checked as a secure object.
     *
     * <p>A record without an object class is logged and reported as secure, so callers that gate
     * their permission check on this result still perform the check for such records.
     *
     * @param mappedRecord the record to test
     * @return {@code true} if the object class is a subtype of
     *         {@code org:opencrx:kernel:base:SecureObject} or is undefined
     * @throws ResourceException wrapping a {@code ServiceException}
     */
    protected boolean isSecureObject(MappedRecord mappedRecord) throws ResourceException {
        try {
            String objectClass = Object_2Facade.getObjectClass(mappedRecord);
            if (objectClass == null) {
                SysLog.error("Undefined object class", Object_2Facade.getPath(mappedRecord));
                return true;
            }
            return this.model.isSubtypeOf(objectClass, "org:opencrx:kernel:base:SecureObject");
        } catch (ServiceException cause) {
            throw ResourceExceptions.initHolder(new ResourceException(BasicException.newEmbeddedExceptionStack(cause)));
        }
    }

    /**
     * Tells whether a model element is a subtype of {@code org:opencrx:kernel:base:SecureObject}.
     *
     * @param modelElement_1_0 the model element to test
     * @return the result of the model's subtype test
     * @throws ServiceException declared by the signature
     */
    protected boolean isSecureObject(ModelElement_1_0 modelElement_1_0) throws ServiceException {
        boolean secure = this.model.isSubtypeOf(modelElement_1_0, "org:opencrx:kernel:base:SecureObject");
        return secure;
    }

    /**
     * Converts the user name of a connection into a principal chain.
     *
     * @param connection the connection whose metadata supplies the user name
     * @return the list produced by {@code PersistenceManagers.toPrincipalChain}
     * @throws ResourceException declared by the signature
     */
    protected List<String> getPrincipalChain(Connection connection) throws ResourceException {
        String userName = connection.getMetaData().getUserName();
        return PersistenceManagers.toPrincipalChain(userName);
    }

    /**
     * Creates the realm object for a realm identity; a separate method so that it can be overridden.
     *
     * @param path the realm identity
     * @return a new {@code DefaultRealm}
     * @throws ResourceException declared by the signature
     */
    protected DefaultRealm newRealm(Path path) throws ResourceException {
        DefaultRealm realm = new DefaultRealm(path);
        return realm;
    }

    /**
     * Resolves the realm for a request and verifies that the requesting principal exists in it.
     *
     * <p>The realm name is {@code Root} when the first principal of the chain is the root
     * principal, otherwise segment 4 of the request path. Realms are created on first use and kept
     * in {@code cachedRealms}.
     *
     * @param requestRecord the request whose resource identifier selects the realm
     * @param list the principal chain; element 0 is the requesting principal
     * @param persistenceManager the persistence manager used to look up the principal
     * @return the realm for the request
     * @throws ResourceException with an authorization failure if the principal is not found
     */
    protected DefaultRealm getRealm(RequestRecord requestRecord, List<String> list, PersistenceManager persistenceManager) throws ResourceException {
        Path requestPath = requestRecord.getResourceIdentifier();
        String requestingPrincipal = list.get(0);
        String realmName;
        if (SecurityKeys.ROOT_PRINCIPAL.equals(requestingPrincipal)) {
            realmName = "Root";
        } else {
            realmName = requestPath.getSegment(4).toString();
        }
        if (this.cachedRealms.get(realmName) == null) {
            this.cachedRealms.put(realmName, newRealm(this.realmIdentity.getParent().getChild(realmName)));
        }
        DefaultRealm realm = this.cachedRealms.get(realmName);
        CachedPrincipal requester = realm.getPrincipal(requestingPrincipal, persistenceManager);
        if (requester != null) {
            SysLog.detail("Requesting principal", requester);
            return realm;
        }
        // Unknown principals are rejected here, before any permission is evaluated.
        throw ResourceExceptions.initHolder(new ResourceException("Requested principal not found.", BasicException.newEmbeddedExceptionStack(OpenCrxException.DOMAIN, OpenCrxException.AUTHORIZATION_FAILURE_MISSING_PRINCIPAL, new BasicException.Parameter[]{new BasicException.Parameter("principal", list), new BasicException.Parameter("param0", list), new BasicException.Parameter("param1", this.realmIdentity)})));
    }

    /**
     * Returns the model type referenced by a path, resolving extent lookups through their filter.
     *
     * <p>When a filter is given and the path matches {@code EXTENT_PATTERN}, the path used for the
     * type lookup is taken from the filter property {@code identity}. That property must be
     * present and must carry at most one value.
     *
     * @param path the request path
     * @param list the filter properties, or {@code null}
     * @return element 2 of the array returned by the model's {@code getTypes}
     * @throws ServiceException if an extent lookup has no {@code identity} filter or one with
     *         several values
     */
    protected ModelElement_1_0 getReferencedType(Path path, List<FilterProperty> list) throws ServiceException {
        Path typePath = path;
        if (list != null && path.isLike(EXTENT_PATTERN)) {
            boolean identityFound = false;
            for (FilterProperty filterProperty : list) {
                if (!"identity".equals(filterProperty.name())) {
                    continue;
                }
                if (filterProperty.values().size() > 1) {
                    throw new ServiceException("DefaultDomain", -36, "at most one value allowed for filter property 'identity'", new BasicException.Parameter[]{new BasicException.Parameter("filter", list)});
                }
                identityFound = true;
                typePath = new Path(filterProperty.values().iterator().next().toString());
            }
            if (!identityFound) {
                throw new ServiceException("DefaultDomain", -36, "extent lookups require at least a filter value for property 'identity'", new BasicException.Parameter[]{new BasicException.Parameter("filter", list)});
            }
        }
        return this.model.getTypes(typePath)[2];
    }

    /**
     * Returns the shared object cache itself, not a copy; changes made through the returned map
     * are visible to every user of the cache.
     *
     * @return the static {@code objectCache} map
     */
    protected static ConcurrentMap<Path, Object[]> getObjectCache() {
        ConcurrentMap<Path, Object[]> cache = objectCache;
        return cache;
    }

    /**
     * Returns the value of the {@code realmIdentity} field.
     *
     * @return the realm identity path
     */
    public Path getRealmIdentity() {
        Path identity = this.realmIdentity;
        return identity;
    }

    /**
     * Sets the {@code realmIdentity} field, from which realm and principal paths are derived.
     *
     * @param path the new realm identity path
     */
    public void setRealmIdentity(Path path) {
        Path newIdentity = path;
        this.realmIdentity = newIdentity;
    }

    /**
     * Returns the value of the {@code useExtendedAccessLevelBasic} flag.
     *
     * @return the current flag value
     */
    public boolean isUseExtendedAccessLevelBasic() {
        boolean enabled = this.useExtendedAccessLevelBasic;
        return enabled;
    }

    /**
     * Sets the {@code useExtendedAccessLevelBasic} flag.
     *
     * @param z the new flag value
     */
    public void setUseExtendedAccessLevelBasic(boolean z) {
        boolean enabled = z;
        this.useExtendedAccessLevelBasic = enabled;
    }
}
