package org.jasig.portal.security.provider;

import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.jasig.portal.AuthorizationException;
import org.jasig.portal.groups.GroupsException;
import org.jasig.portal.groups.IGroupMember;
import org.jasig.portal.security.IAuthorizationPrincipal;
import org.jasig.portal.security.IAuthorizationService;
import org.jasig.portal.security.IPermission;
import org.jasig.portal.security.IPermissionPolicy;

/* loaded from: input_file:org/jasig/portal/security/provider/AnyUnblockedGrantPermissionPolicy.class */
/**
 * Permission policy that answers "may this principal perform this activity?" by looking for
 * any GRANT that is not blocked by a DENY.
 *
 * <p>Decision order, as implemented below:
 * <ol>
 *   <li>A currently active DENY held directly by the principal refuses the request.</li>
 *   <li>Otherwise a currently active GRANT held directly by the principal allows it.</li>
 *   <li>Otherwise the containing groups are walked upwards. A group holding an active GRANT
 *       and no active DENY allows the request; a group holding an active DENY ends that
 *       branch of the walk but does not affect sibling branches.</li>
 * </ol>
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Null service, principal, owner or activity, and any exception raised during the group
 *       walk, yield {@code false} (the check fails closed). The target is not null-checked.</li>
 *   <li>Principal, owner, activity and target values are concatenated into log messages
 *       verbatim. NOTE(review): if any of these can carry request-derived text, confirm the
 *       logging layout neutralises line breaks.</li>
 * </ul>
 */
public class AnyUnblockedGrantPermissionPolicy implements IPermissionPolicy {
    protected final Log log = LogFactory.getLog(getClass());

    /**
     * Decides whether the principal may perform the activity on the target.
     *
     * @param iAuthorizationService service used to look up permissions and group membership
     * @param iAuthorizationPrincipal principal whose access is being decided
     * @param str permission owner (logged as "owner" / "permission owning system")
     * @param str2 activity being attempted
     * @param str3 target of the activity; passed through to the service without a null check
     * @return {@code true} only when an unblocked GRANT is found; {@code false} on DENY, on no
     *     GRANT, on null required arguments, and on errors during the group walk
     * @throws AuthorizationException declared by the interface; the direct permission lookup
     *     happens outside the try block, so whatever it throws reaches the caller
     */
    @Override
    public boolean doesPrincipalHavePermission(IAuthorizationService iAuthorizationService, IAuthorizationPrincipal iAuthorizationPrincipal, String str, String str2, String str3) throws AuthorizationException {
        final boolean requiredArgumentMissing = iAuthorizationService == null
                || iAuthorizationPrincipal == null
                || str == null
                || str2 == null;
        if (requiredArgumentMissing) {
            // Refuse rather than guess: a null here means the caller is broken.
            log.error("Null argument to AnyUnblockedGrantPermissionPolicy doesPrincipalHavePermission() method should not be possible.  "
                    + "This is indicative of a potentially serious bug in the permissions and authorization infrastructure. "
                    + "service= [" + iAuthorizationService + "] principal = [" + iAuthorizationPrincipal + "] owner = [" + str + "] activity = [" + str2 + "] target = [" + str3 + "]");
            return false;
        }

        final Set<IPermission> direct = activePermissions(
                iAuthorizationService.getPermissionsForPrincipal(iAuthorizationPrincipal, str, str2, str3));

        // DENY is tested before GRANT so that a direct DENY always wins.
        if (containsType(direct, IPermission.PERMISSION_TYPE_DENY)) {
            if (log.isTraceEnabled()) {
                log.trace("Principal [" + iAuthorizationPrincipal + "] is explicitly denied permission to perform activity [" + str2 + "] on target [" + str3 + "] under permission owning system [" + str + "].");
            }
            return false;
        }

        if (containsType(direct, IPermission.PERMISSION_TYPE_GRANT)) {
            if (log.isTraceEnabled()) {
                log.trace("Principal [" + iAuthorizationPrincipal + "] is granted permission to perform activity [" + str2 + "] on target [" + str3 + "] under permission owning system [" + str + "] because this principal has an excplicit GRANT and does not have an exlicit DENY.");
            }
            return true;
        }

        try {
            final boolean pathFound = hasUnblockedPathToGrant(
                    iAuthorizationService, iAuthorizationPrincipal, str, str2, str3, new HashSet<IGroupMember>(100));
            if (log.isTraceEnabled()) {
                final String verdict = pathFound ? "granted" : "denied";
                final String having = pathFound ? "has" : "does not have";
                log.trace("Principal [" + iAuthorizationPrincipal + "] is " + verdict + " permission to perform activity [" + str2 + "] on target [" + str3 + "] under permission owning system [" + str + "] because this principal " + having + " an unblocked path to a GRANT.");
            }
            return pathFound;
        } catch (Exception e) {
            // Any failure while walking the groups is reported and treated as "no permission".
            log.error("Error searching for unblocked path to grant for principal [" + iAuthorizationPrincipal + "]", e);
            return false;
        }
    }

    /**
     * Walks the groups containing the principal, depth first, looking for a group with an
     * active GRANT and no active DENY.
     *
     * @param authorizationService service used to resolve group members and permissions
     * @param principal principal whose containing groups are examined
     * @param owner permission owner
     * @param activity activity being attempted
     * @param target target of the activity
     * @param visited group members already expanded; shared across the whole walk so that a
     *     member is expanded at most once, which also stops cycles
     * @return {@code true} as soon as an unblocked GRANT is found, otherwise {@code false}
     * @throws GroupsException if the containing groups of the principal cannot be obtained
     */
    private boolean hasUnblockedPathToGrant(IAuthorizationService authorizationService, IAuthorizationPrincipal principal, String owner, String activity, String target, Set<IGroupMember> visited) throws GroupsException {
        if (log.isTraceEnabled()) {
            log.trace("Searching for unblocked path to GRANT for principal [" + principal + "] to [" + activity + "] on target [" + target + "] having already checked [" + visited + "]");
        }

        final IGroupMember member = authorizationService.getGroupMember(principal);
        // add() reports false when the member was already recorded, i.e. already expanded.
        if (!visited.add(member)) {
            if (log.isTraceEnabled()) {
                log.trace("Declining to re-examine principal [" + principal + "] for permission to [" + activity + "] on [" + target + "] because this group is among already checked groups [" + visited + "]");
            }
            return false;
        }

        for (Iterator<?> parents = member.getContainingGroups(); parents.hasNext(); ) {
            final IGroupMember parent = (IGroupMember) parents.next();
            if (parent == null) {
                continue;
            }
            try {
                final IAuthorizationPrincipal parentPrincipal = authorizationService.newPrincipal(parent);
                final Set<IPermission> parentPermissions = activePermissions(
                        authorizationService.getPermissionsForPrincipal(parentPrincipal, owner, activity, target));
                final boolean denied = containsType(parentPermissions, IPermission.PERMISSION_TYPE_DENY);
                final boolean granted = containsType(parentPermissions, IPermission.PERMISSION_TYPE_GRANT);

                if (denied) {
                    // A DENY on this group blocks this branch only; siblings are still tried.
                    continue;
                }
                if (granted) {
                    if (log.isTraceEnabled()) {
                        log.trace("Found unblocked path to this permission set including a GRANT: [" + parentPermissions + "]");
                    }
                    return true;
                }
                if (hasUnblockedPathToGrant(authorizationService, parentPrincipal, owner, activity, target, visited)) {
                    return true;
                }
            } catch (Exception e) {
                // A parent that cannot be evaluated contributes no GRANT; the walk moves on.
                log.error("Error evaluating permissions of parent group [" + parent + "]", e);
            }
        }
        return false;
    }

    /**
     * Filters permissions down to those in force at the moment of the call.
     *
     * <p>A permission is kept when its effective date is absent or not after "now", and its
     * expiry date is absent or strictly after "now".
     *
     * <p>NOTE(review): a null array or a null element raises NullPointerException here. The
     * call made from doesPrincipalHavePermission for the principal's own permissions sits
     * outside its try block, so that exception would reach the caller.
     *
     * @param iPermissionArr permissions returned by the authorization service
     * @return the subset that is currently active
     */
    private Set<IPermission> activePermissions(IPermission[] iPermissionArr) {
        final Date now = new Date();
        final Set<IPermission> active = new HashSet<IPermission>(1);
        for (IPermission candidate : iPermissionArr) {
            final Date effective = candidate.getEffective();
            if (effective != null && effective.after(now)) {
                continue; // not yet in force
            }
            final Date expires = candidate.getExpires();
            if (expires != null && !expires.after(now)) {
                continue; // already expired
            }
            active.add(candidate);
        }
        return active;
    }

    /**
     * Reports whether any non-null permission in the set has exactly the given type.
     *
     * @param set permissions to inspect; must not be null
     * @param str permission type to look for; must not be null
     * @return {@code true} if a permission of that type is present
     * @throws IllegalArgumentException if either argument is null
     */
    private boolean containsType(Set<IPermission> set, String str) {
        if (set == null) {
            throw new IllegalArgumentException("Cannot check null set for contents.");
        }
        if (str == null) {
            throw new IllegalArgumentException("Cannot search for type null.");
        }
        boolean found = false;
        final Iterator<IPermission> entries = set.iterator();
        while (!found && entries.hasNext()) {
            final IPermission entry = entries.next();
            found = entry != null && str.equals(entry.getType());
        }
        return found;
    }
}
