package org.wso2.carbon.device.mgt.core.authorization;

import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.context.CarbonContext;
import org.wso2.carbon.device.mgt.common.Device;
import org.wso2.carbon.device.mgt.common.DeviceIdentifier;
import org.wso2.carbon.device.mgt.common.DeviceManagementException;
import org.wso2.carbon.device.mgt.common.EnrolmentInfo;
import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationException;
import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationService;
import org.wso2.carbon.device.mgt.common.authorization.DeviceAuthorizationResult;
import org.wso2.carbon.device.mgt.common.permission.mgt.Permission;
import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagementException;
import org.wso2.carbon.device.mgt.core.internal.DeviceManagementDataHolder;
import org.wso2.carbon.device.mgt.core.permission.mgt.PermissionUtils;
import org.wso2.carbon.user.api.UserRealm;
import org.wso2.carbon.user.api.UserStoreException;

/* loaded from: input_file:plugins/org.wso2.carbon.device.mgt.core-1.0.3.jar:org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.class */
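/**
 * Default {@link DeviceAccessAuthorizationService}: a user may access a device when the user holds
 * the EMM admin permission in the current tenant, or is the enrolment owner of that device.
 *
 * <p>Decisions fail closed: a device that cannot be looked up, a device without enrolment info, or a
 * tenant without a realm/authorization manager all yield "not authorized" rather than a grant or an
 * unchecked exception. Store failures surface as {@link DeviceAccessAuthorizationException}.
 */
public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthorizationService {
    /** Permission (relative to the permission root) that marks a tenant-wide device administrator. */
    private static final String EMM_ADMIN_PERMISSION = "/device-mgt/admin-device-access";
    /**
     * Joins device type and device id into one ownership-map key. A DeviceIdentifier is a (type, id)
     * pair, so ownership must be matched on both; the separator only needs to be absent from type names.
     */
    private static final char DEVICE_KEY_SEPARATOR = ':';
    private static final Log log = LogFactory.getLog(DeviceAccessAuthorizationServiceImpl.class);

    /** Permission "method" (action) names accepted by the Carbon authorization manager. */
    public static final class PermissionMethod {
        public static final String READ = "read";
        public static final String WRITE = "write";
        public static final String DELETE = "delete";
        public static final String ACTION = "action";
        public static final String UI_EXECUTE = "ui.execute";

        /** Constant holder; never instantiated. */
        private PermissionMethod() {
            throw new AssertionError();
        }
    }

    /**
     * Registers the EMM admin permission in the registry so it can be assigned to roles. A registration
     * failure is logged rather than propagated so the service still starts; until the permission
     * exists, admin checks simply deny.
     */
    public DeviceAccessAuthorizationServiceImpl() {
        try {
            addAdminPermissionToRegistry();
        } catch (PermissionManagementException e) {
            log.error("Unable to add the emm-admin permission to the registry.", e);
        }
    }

    /**
     * Authorizes the user of the current Carbon context against one device.
     *
     * @param deviceIdentifier device being accessed
     * @return {@code true} when the user is a tenant admin or the device's enrolment owner; with no user
     *         in the context, {@code true} only if the device type does not require authorization
     * @throws DeviceAccessAuthorizationException if the user store or the device store cannot be read
     */
    @Override
    public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier) throws DeviceAccessAuthorizationException {
        String userName = getUserName();
        int tenantId = getTenantId();
        if (userName == null || userName.isEmpty()) {
            // Anonymous caller: permitted only for device types that opted out of authorization.
            return !DeviceManagementDataHolder.getInstance().requireDeviceAuthorization(deviceIdentifier.getType());
        }
        return isAdminOrOwner(deviceIdentifier, userName, tenantId);
    }

    /**
     * Partitions {@code list} into devices the context user may and may not access.
     *
     * @param list devices being accessed
     * @return a result whose authorized set is the whole list for a tenant admin, the user's own devices
     *         otherwise, and empty when there is no user in the context
     * @throws DeviceAccessAuthorizationException if the user store or the device store cannot be read
     */
    @Override
    public DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> list) throws DeviceAccessAuthorizationException {
        DeviceAuthorizationResult result = new DeviceAuthorizationResult();
        String userName = getUserName();
        int tenantId = getTenantId();
        if (userName == null || userName.isEmpty()) {
            return result;
        }
        try {
            if (isAdminUser(userName, tenantId)) {
                result.setAuthorizedDevices(list);
                return result;
            }
            Map<String, String> ownership = getOwnershipOfDevices(
                    DeviceManagementDataHolder.getInstance().getDeviceManagementProvider().getDevicesOfUser(userName));
            for (DeviceIdentifier deviceIdentifier : list) {
                // Match on (type, id): matching on id alone would let an identical id of another
                // device type satisfy the ownership check.
                if (ownership.containsKey(deviceKey(deviceIdentifier.getType(), deviceIdentifier.getId()))) {
                    result.addAuthorizedDevice(deviceIdentifier);
                } else {
                    result.addUnauthorizedDevice(deviceIdentifier);
                }
            }
            return result;
        } catch (UserStoreException e) {
            throw deviceListAccessFailure(userName, e);
        } catch (DeviceManagementException e) {
            throw deviceListAccessFailure(userName, e);
        }
    }

    /**
     * Authorizes an explicitly named user against one device. The name is used as given (no tenant
     * domain stripping), except inside the admin-permission lookup.
     *
     * @param deviceIdentifier device being accessed
     * @param str user name; {@code null} or empty is never authorized
     * @return {@code true} when the user is a tenant admin or the device's enrolment owner
     * @throws DeviceAccessAuthorizationException if the user store or the device store cannot be read
     */
    @Override
    public boolean isUserAuthorized(DeviceIdentifier deviceIdentifier, String str) throws DeviceAccessAuthorizationException {
        if (str == null || str.isEmpty()) {
            return false;
        }
        return isAdminOrOwner(deviceIdentifier, str, getTenantId());
    }

    /**
     * Partitions {@code list} into devices the named user may and may not access.
     *
     * @param list devices being accessed
     * @param str user name; {@code null} or empty authorizes nothing
     * @return a result whose authorized set is the whole list for a tenant admin, the devices the user
     *         owns otherwise, and empty for a missing user name (never {@code null}, so callers can
     *         iterate it like the context-user overload's result)
     * @throws DeviceAccessAuthorizationException if the user store or the device store cannot be read
     */
    @Override
    public DeviceAuthorizationResult isUserAuthorized(List<DeviceIdentifier> list, String str) throws DeviceAccessAuthorizationException {
        DeviceAuthorizationResult result = new DeviceAuthorizationResult();
        if (str == null || str.isEmpty()) {
            return result;
        }
        int tenantId = getTenantId();
        try {
            if (isAdminUser(str, tenantId)) {
                result.setAuthorizedDevices(list);
                return result;
            }
            for (DeviceIdentifier deviceIdentifier : list) {
                if (isDeviceOwner(deviceIdentifier, str)) {
                    result.addAuthorizedDevice(deviceIdentifier);
                } else {
                    result.addUnauthorizedDevice(deviceIdentifier);
                }
            }
            return result;
        } catch (UserStoreException e) {
            throw deviceListAccessFailure(str, e);
        } catch (DeviceManagementException e) {
            throw deviceListAccessFailure(str, e);
        }
    }

    /**
     * Single-device decision shared by both single-device overloads: admin permission first, then
     * enrolment ownership. Store failures are wrapped with the device id and user name.
     */
    private boolean isAdminOrOwner(DeviceIdentifier deviceIdentifier, String userName, int tenantId)
            throws DeviceAccessAuthorizationException {
        try {
            return isAdminUser(userName, tenantId) || isDeviceOwner(deviceIdentifier, userName);
        } catch (UserStoreException e) {
            throw deviceAccessFailure(deviceIdentifier, userName, e);
        } catch (DeviceManagementException e) {
            throw deviceAccessFailure(deviceIdentifier, userName, e);
        }
    }

    /**
     * Whether {@code userName} is the enrolment owner of the device identified by
     * {@code deviceIdentifier}. A device that cannot be found, or has no enrolment info, is treated as
     * not owned instead of raising a NullPointerException. Owner comparison is case-insensitive.
     */
    private boolean isDeviceOwner(DeviceIdentifier deviceIdentifier, String userName) throws DeviceManagementException {
        Device device = DeviceManagementDataHolder.getInstance().getDeviceManagementProvider().getDevice(deviceIdentifier);
        if (device == null) {
            return false;
        }
        EnrolmentInfo enrolmentInfo = device.getEnrolmentInfo();
        return enrolmentInfo != null && userName.equalsIgnoreCase(enrolmentInfo.getOwner());
    }

    /**
     * Whether {@code userName} holds the EMM admin permission in tenant {@code tenantId}. A tenant with
     * no realm or no authorization manager is treated as having no admins.
     */
    private boolean isAdminUser(String userName, int tenantId) throws UserStoreException {
        UserRealm tenantUserRealm = DeviceManagementDataHolder.getInstance().getRealmService().getTenantUserRealm(tenantId);
        if (tenantUserRealm == null || tenantUserRealm.getAuthorizationManager() == null) {
            return false;
        }
        return tenantUserRealm.getAuthorizationManager().isUserAuthorized(
                removeTenantDomain(userName),
                PermissionUtils.getAbsolutePermissionPath(EMM_ADMIN_PERMISSION),
                PermissionMethod.UI_EXECUTE);
    }

    /** User name of the current Carbon context without its tenant domain, or {@code null} if none. */
    private String getUserName() {
        String username = CarbonContext.getThreadLocalCarbonContext().getUsername();
        if (username == null || username.isEmpty()) {
            return null;
        }
        return removeTenantDomain(username);
    }

    /**
     * Strips a trailing {@code @<tenant domain>} from {@code userName}, using the current context's
     * tenant domain. Requires the "@" to be present so that a name merely ending in the domain text
     * (or one with no "@" at all) is returned unchanged rather than truncated at the wrong place
     * or raising StringIndexOutOfBoundsException.
     */
    private String removeTenantDomain(String userName) {
        String tenantDomain = CarbonContext.getThreadLocalCarbonContext().getTenantDomain();
        if (tenantDomain == null || !userName.endsWith("@" + tenantDomain)) {
            return userName;
        }
        return userName.substring(0, userName.lastIndexOf('@'));
    }

    /** Tenant id of the current Carbon context. */
    private int getTenantId() {
        return CarbonContext.getThreadLocalCarbonContext().getTenantId();
    }

    /**
     * Puts the EMM admin permission into the registry.
     *
     * @return whatever {@link PermissionUtils#putPermission} reports
     * @throws PermissionManagementException if the registry write fails
     */
    private boolean addAdminPermissionToRegistry() throws PermissionManagementException {
        Permission permission = new Permission();
        permission.setPath(PermissionUtils.getAbsolutePermissionPath(EMM_ADMIN_PERMISSION));
        return PermissionUtils.putPermission(permission);
    }

    /**
     * Maps each device in {@code list} that has a non-empty enrolment owner to that owner, keyed by
     * {@link #deviceKey(String, String)}. Devices without enrolment info or without an owner are
     * skipped; a {@code null} list yields an empty map.
     */
    private Map<String, String> getOwnershipOfDevices(List<Device> list) {
        Map<String, String> ownership = new HashMap<String, String>();
        if (list == null) {
            return ownership;
        }
        for (Device device : list) {
            EnrolmentInfo enrolmentInfo = device.getEnrolmentInfo();
            if (enrolmentInfo == null) {
                continue;
            }
            String owner = enrolmentInfo.getOwner();
            if (owner != null && !owner.isEmpty()) {
                ownership.put(deviceKey(device.getType(), device.getDeviceIdentifier()), owner);
            }
        }
        return ownership;
    }

    /** Composite ownership-map key for a device of the given type and id. */
    private static String deviceKey(String type, String id) {
        return type + DEVICE_KEY_SEPARATOR + id;
    }

    /** Exception for a single-device decision that could not be made because a store failed. */
    private static DeviceAccessAuthorizationException deviceAccessFailure(DeviceIdentifier deviceIdentifier,
                                                                          String userName, Exception cause) {
        return new DeviceAccessAuthorizationException("Unable to authorize the access to device : "
                + deviceIdentifier.getId() + " for the user : " + userName, cause);
    }

    /** Exception for a device-list decision that could not be made because a store failed. */
    private static DeviceAccessAuthorizationException deviceListAccessFailure(String userName, Exception cause) {
        return new DeviceAccessAuthorizationException("Unable to authorize the access to devices for the user : "
                + userName, cause);
    }
}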
