package org.graylog.security.shares;

import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.common.eventbus.EventBus;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import javax.inject.Inject;
import org.apache.shiro.subject.Subject;
import org.graylog.grn.GRN;
import org.graylog.grn.GRNRegistry;
import org.graylog.security.BuiltinCapabilities;
import org.graylog.security.Capability;
import org.graylog.security.DBGrantService;
import org.graylog.security.GrantDTO;
import org.graylog.security.entities.EntityDependencyPermissionChecker;
import org.graylog.security.entities.EntityDependencyResolver;
import org.graylog.security.entities.EntityDescriptor;
import org.graylog.security.events.EntitySharesUpdateEvent;
import org.graylog.security.shares.EntityShareResponse;
import org.graylog2.plugin.database.users.User;
import org.graylog2.plugin.rest.ValidationResult;

/* loaded from: input_file:org/graylog/security/shares/EntitySharesService.class */
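/**
 * Reads and modifies the grants ("shares") that give grantees a {@link Capability} on one entity.
 *
 * <p>Two entry points exist: {@link #prepareShare} only reads state and reports what a request
 * would mean, {@link #updateEntityShares} persists the requested grantee/capability selection
 * through {@link DBGrantService} and posts an {@link EntitySharesUpdateEvent} describing the
 * changes.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Grants held by the sharing user are never part of the grants that get updated or deleted
 *       (they are fetched with {@code getForTargetExcludingGrantee}).</li>
 *   <li>Existing grants whose grantee is not among the sharing user's available grantees are
 *       neither returned as active shares nor updated or deleted.</li>
 *   <li>A request that would remove the last {@link Capability#OWN} grant of an entity that
 *       currently has an owner is rejected by {@code validateRequest}.</li>
 * </ul>
 *
 * <p>NOTE(review): nothing in this class checks that the sharing user is permitted to manage
 * the shares of the entity; presumably the caller enforces that. Confirm against the callers.
 */
public class EntitySharesService {
    private final DBGrantService grantService;
    private final EntityDependencyResolver entityDependencyResolver;
    private final EntityDependencyPermissionChecker entityDependencyPermissionChecker;
    private final GRNRegistry grnRegistry;
    private final GranteeService granteeService;
    private final EventBus serverEventBus;

    @Inject
    public EntitySharesService(DBGrantService dBGrantService, EntityDependencyResolver entityDependencyResolver, EntityDependencyPermissionChecker entityDependencyPermissionChecker, GRNRegistry gRNRegistry, GranteeService granteeService, EventBus eventBus) {
        this.grantService = dBGrantService;
        this.entityDependencyResolver = entityDependencyResolver;
        this.entityDependencyPermissionChecker = entityDependencyPermissionChecker;
        this.grnRegistry = gRNRegistry;
        this.granteeService = granteeService;
        this.serverEventBus = eventBus;
    }

    /**
     * Builds the sharing overview for an entity without persisting anything.
     *
     * <p>The response contains the available grantees and capabilities, the active shares that
     * are visible to the sharing user, the effective grantee selection, the dependencies the
     * selected grantees lack permissions for, and the validation result of the request.
     *
     * @param grn                the entity whose shares are inspected; must not be null
     * @param entityShareRequest the (possibly empty) grantee selection; must not be null
     * @param user               the user performing the share; must not be null
     * @param subject            only null-checked here, not otherwise used by this method
     * @return the assembled response
     * @throws NullPointerException if any argument is null
     */
    public EntityShareResponse prepareShare(GRN grn, EntityShareRequest entityShareRequest, User user, Subject subject) {
        Objects.requireNonNull(grn, "ownedEntity cannot be null");
        Objects.requireNonNull(entityShareRequest, "request cannot be null");
        Objects.requireNonNull(user, "sharingUser cannot be null");
        Objects.requireNonNull(subject, "sharingSubject cannot be null");

        final GRN sharingUserGrn = grnRegistry.ofUser(user);
        final Set<EntityShareResponse.AvailableGrantee> availableGrantees = granteeService.mo284getAvailableGrantees(user);
        final Set<GRN> availableGranteeGrns = granteeGrns(availableGrantees);
        // Declared as ImmutableSet because the helpers below require that type.
        final ImmutableSet<EntityShareResponse.ActiveShare> activeShares = getActiveShares(grn, user, availableGranteeGrns);

        return EntityShareResponse.builder()
                .entity(grn.toString())
                .sharingUser(sharingUserGrn)
                .availableGrantees(availableGrantees)
                .availableCapabilities(getAvailableCapabilities())
                .activeShares(activeShares)
                .selectedGranteeCapabilities(getSelectedGranteeCapabilities(activeShares, entityShareRequest))
                .missingPermissionsOnDependencies(checkMissingPermissionsOnDependencies(grn, sharingUserGrn, activeShares, entityShareRequest))
                .validationResult(validateRequest(grn, entityShareRequest, user, availableGranteeGrns))
                .build();
    }

    /**
     * Applies the requested grantee/capability selection to the grants of an entity.
     *
     * <p>If validation fails nothing is written and the response carries the validation result.
     * Otherwise existing grants are updated, missing grants are created, grants absent from the
     * selection are deleted, and one {@link EntitySharesUpdateEvent} listing those changes is
     * posted to the event bus. The individual writes are issued one by one; no transaction is
     * visible in this method.
     *
     * <p>NOTE(review): this method performs no permission check on {@code user} for the entity;
     * presumably the caller does. Confirm.
     *
     * @param grn                the entity whose shares are changed; must not be null
     * @param entityShareRequest the requested selection; an absent selection is treated as empty
     * @param user               the user performing the share; must not be null
     * @return the response describing the resulting state
     * @throws NullPointerException if any argument is null
     */
    public EntityShareResponse updateEntityShares(GRN grn, EntityShareRequest entityShareRequest, User user) {
        Objects.requireNonNull(grn, "ownedEntity cannot be null");
        Objects.requireNonNull(entityShareRequest, "request cannot be null");
        Objects.requireNonNull(user, "sharingUser cannot be null");

        final ImmutableMap<GRN, Capability> requestedCapabilities = entityShareRequest.selectedGranteeCapabilities().orElse(ImmutableMap.of());
        final String userName = user.getName();
        final GRN sharingUserGrn = grnRegistry.ofUser(user);
        final Set<EntityShareResponse.AvailableGrantee> availableGrantees = granteeService.mo284getAvailableGrantees(user);
        final Set<GRN> availableGranteeGrns = granteeGrns(availableGrantees);

        // Grants of the sharing user are excluded by the query; grants for grantees the sharing
        // user cannot see are dropped here so that they are never updated or deleted below.
        final List<GrantDTO> existingGrants = grantService.getForTargetExcludingGrantee(grn, sharingUserGrn);
        existingGrants.removeIf(grant -> !availableGranteeGrns.contains(grant.grantee()));

        final EntityShareResponse.Builder response = EntityShareResponse.builder()
                .entity(grn.toString())
                .sharingUser(sharingUserGrn)
                .availableGrantees(availableGrantees)
                .availableCapabilities(getAvailableCapabilities())
                .missingPermissionsOnDependencies(checkMissingPermissionsOnDependencies(grn, sharingUserGrn, ImmutableSet.of(), entityShareRequest));
        final EntitySharesUpdateEvent.Builder event = EntitySharesUpdateEvent.builder().user(user).entity(grn);

        final ValidationResult validation = validateRequest(grn, entityShareRequest, user, availableGranteeGrns);
        if (validation.failed()) {
            // Report the unchanged state together with the validation errors; nothing is written.
            final ImmutableSet<EntityShareResponse.ActiveShare> unchangedShares = getActiveShares(grn, user, availableGranteeGrns);
            return response
                    .activeShares(unchangedShares)
                    .selectedGranteeCapabilities(getSelectedGranteeCapabilities(unchangedShares, entityShareRequest))
                    .validationResult(validation)
                    .build();
        }

        // Update the capability of existing grants whose grantee is part of the request.
        // NOTE(review): the filter uses request.grantees() while the new capability is looked up
        // in the selection map; if the two can differ the looked-up capability may be null and
        // would be saved as such. Confirm that grantees() is derived from the selection.
        existingGrants.stream()
                .filter(grant -> entityShareRequest.grantees().contains(grant.grantee()))
                .forEach(grant -> {
                    final Capability requested = requestedCapabilities.get(grant.grantee());
                    if (grant.capability().equals(requested)) {
                        return;
                    }
                    grantService.save(grant.toBuilder()
                            .capability(requested)
                            .updatedBy(userName)
                            .updatedAt(ZonedDateTime.now(ZoneOffset.UTC))
                            .build());
                    event.addUpdates(grant.grantee(), requested, grant.capability());
                });

        // Create a grant for every requested grantee that has no grant in existingGrants.
        // NOTE(review): existingGrants omits the sharing user's own grants and every grant whose
        // grantee is outside availableGranteeGrns, and this step does not compare the requested
        // grantee against availableGranteeGrns. Unless the request is restricted elsewhere (not
        // visible in this class), a request entry for such a grantee results in an additional
        // grant being created. Consider rejecting entries outside availableGranteeGrns in
        // validateRequest; confirm the intended behaviour before changing it.
        requestedCapabilities.forEach((grantee, capability) -> {
            final boolean alreadyGranted = existingGrants.stream()
                    .anyMatch(grant -> grant.grantee().equals(grantee));
            if (!alreadyGranted) {
                grantService.create(GrantDTO.builder().grantee(grantee).capability(capability).target(grn).build(), user);
                event.addCreates(grantee, capability);
            }
        });

        // Delete visible grants whose grantee is no longer part of the selection.
        existingGrants.forEach(grant -> {
            if (requestedCapabilities.containsKey(grant.grantee())) {
                return;
            }
            grantService.delete(grant.id());
            event.addDeletes(grant.grantee(), grant.capability());
        });

        postUpdateEvent(event.build());

        final ImmutableSet<EntityShareResponse.ActiveShare> updatedShares = getActiveShares(grn, user, availableGranteeGrns);
        return response
                .activeShares(updatedShares)
                .selectedGranteeCapabilities(getSelectedGranteeCapabilities(updatedShares, entityShareRequest))
                .build();
    }

    /** Publishes the summary of created, updated and deleted grants on the server event bus. */
    private void postUpdateEvent(EntitySharesUpdateEvent entitySharesUpdateEvent) {
        serverEventBus.post(entitySharesUpdateEvent);
    }

    /**
     * Rejects a selection that would leave an entity that currently has an owner without one.
     *
     * <p>The result is valid when the request carries no selection, when the selection still
     * contains a {@link Capability#OWN} entry, or when the entity has no owner grant at all.
     * Otherwise every owner grant (other than the sharing user's) that the selection downgrades,
     * or drops while the grantee is visible to the sharing user, counts as removed; the request
     * fails only if no owner grant remains outside that removed set.
     *
     * @param ownedEntity          the entity being shared
     * @param request              the requested selection
     * @param sharingUser          the user performing the share
     * @param availableGranteeGrns GRNs of the grantees visible to the sharing user
     * @return a result that carries an error and the affected owners when the request is refused
     */
    private ValidationResult validateRequest(GRN ownedEntity, EntityShareRequest request, User sharingUser, Set<GRN> availableGranteeGrns) {
        final ValidationResult validationResult = new ValidationResult();

        // No selection submitted: nothing to validate, so skip the grant lookups entirely.
        if (!request.selectedGranteeCapabilities().isPresent()) {
            return validationResult;
        }
        final ImmutableMap<GRN, Capability> selection = request.selectedGranteeCapabilities().get();
        if (selection.containsValue(Capability.OWN)) {
            return validationResult;
        }

        final List<GrantDTO> allGrants = grantService.getForTarget(ownedEntity);
        final List<GrantDTO> grantsOfOthers = grantService.getForTargetExcludingGrantee(ownedEntity, grnRegistry.ofUser(sharingUser));
        if (allGrants.stream().noneMatch(grant -> grant.capability().equals(Capability.OWN))) {
            // The entity has no owner already; this request cannot make that worse.
            return validationResult;
        }

        final List<GRN> removedOwners = new ArrayList<>();
        for (GrantDTO grant : grantsOfOthers) {
            if (!grant.capability().equals(Capability.OWN)) {
                continue;
            }
            final GRN owner = grant.grantee();
            if (selection.containsKey(owner)) {
                if (!selection.get(owner).equals(Capability.OWN)) {
                    removedOwners.add(owner);
                }
            } else if (availableGranteeGrns.contains(owner)) {
                // Owners the sharing user cannot see are not touched by the update and stay owners.
                removedOwners.add(owner);
            }
        }

        final boolean ownerRemains = allGrants.stream()
                .filter(grant -> grant.capability().equals(Capability.OWN))
                .map(GrantDTO::grantee)
                .anyMatch(owner -> !removedOwners.contains(owner));
        if (ownerRemains) {
            return validationResult;
        }

        validationResult.addError(EntityShareRequest.SELECTED_GRANTEE_CAPABILITIES, String.format(Locale.US, "Removing the following owners <%s> will leave the entity ownerless.", removedOwners));
        final Set<String> removedOwnerNames = removedOwners.stream().map(Objects::toString).collect(Collectors.toSet());
        validationResult.addContext(EntityShareRequest.SELECTED_GRANTEE_CAPABILITIES, removedOwnerNames);
        return validationResult;
    }

    /**
     * Returns the selection of the request, or the current active shares as a grantee to
     * capability map when the request carries none.
     *
     * <p>NOTE(review): {@code Collectors.toMap} throws {@link IllegalStateException} on duplicate
     * keys, so two active shares for the same grantee would make this fail. Confirm that grants
     * are unique per grantee and target.
     */
    private Map<GRN, Capability> getSelectedGranteeCapabilities(ImmutableSet<EntityShareResponse.ActiveShare> activeShares, EntityShareRequest request) {
        if (request.selectedGranteeCapabilities().isPresent()) {
            return request.selectedGranteeCapabilities().get();
        }
        return activeShares.stream()
                .collect(Collectors.toMap(EntityShareResponse.ActiveShare::grantee, EntityShareResponse.ActiveShare::capability));
    }

    /**
     * Lists the grants on the entity, excluding the sharing user's own and those whose grantee
     * is not in {@code availableGranteeGrns}, as active shares keyed by a "grant" GRN.
     */
    private ImmutableSet<EntityShareResponse.ActiveShare> getActiveShares(GRN ownedEntity, User sharingUser, Set<GRN> availableGranteeGrns) {
        return grantService.getForTargetExcludingGrantee(ownedEntity, grnRegistry.ofUser(sharingUser)).stream()
                .filter(grant -> availableGranteeGrns.contains(grant.grantee()))
                .map(grant -> EntityShareResponse.ActiveShare.create(
                        grnRegistry.newGRN("grant", grant.id()).toString(), grant.grantee(), grant.capability()))
                .collect(ImmutableSet.toImmutableSet());
    }

    /** Maps every built-in sharing capability to its id and title for the response. */
    private ImmutableSet<EntityShareResponse.AvailableCapability> getAvailableCapabilities() {
        return BuiltinCapabilities.allSharingCapabilities().stream()
                .map(descriptor -> EntityShareResponse.AvailableCapability.create(descriptor.capability().toId(), descriptor.title()))
                .collect(ImmutableSet.toImmutableSet());
    }

    /**
     * Asks the dependency permission checker which dependencies of the entity the grantees lack
     * access to. The grantees are the keys of the request's selection when one is present,
     * otherwise the grantees of the given active shares.
     */
    private ImmutableMap<GRN, Collection<EntityDescriptor>> checkMissingPermissionsOnDependencies(GRN ownedEntity, GRN sharingUserGrn, ImmutableSet<EntityShareResponse.ActiveShare> activeShares, EntityShareRequest request) {
        final Set<GRN> grantees;
        if (request.selectedGranteeCapabilities().isPresent()) {
            grantees = request.selectedGranteeCapabilities().get().keySet();
        } else {
            grantees = activeShares.stream()
                    .map(EntityShareResponse.ActiveShare::grantee)
                    .collect(Collectors.toSet());
        }
        return entityDependencyPermissionChecker.check(sharingUserGrn, entityDependencyResolver.resolve(ownedEntity), grantees).asMap();
    }

    /** Extracts the GRN of every available grantee. */
    private static Set<GRN> granteeGrns(Set<EntityShareResponse.AvailableGrantee> availableGrantees) {
        return availableGrantees.stream()
                .map(EntityShareResponse.AvailableGrantee::grn)
                .collect(Collectors.toSet());
    }
}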
