package ca.nrc.cadc.ac.server.ldap;

import ca.nrc.cadc.ac.Group;
import ca.nrc.cadc.ac.GroupAlreadyExistsException;
import ca.nrc.cadc.ac.GroupNotFoundException;
import ca.nrc.cadc.ac.Role;
import ca.nrc.cadc.ac.User;
import ca.nrc.cadc.ac.UserNotFoundException;
import ca.nrc.cadc.ac.client.GroupMemberships;
import ca.nrc.cadc.ac.server.GroupDetailSelector;
import ca.nrc.cadc.ac.server.GroupPersistence;
import ca.nrc.cadc.auth.AuthMethod;
import ca.nrc.cadc.auth.AuthenticationUtil;
import ca.nrc.cadc.auth.DNPrincipal;
import ca.nrc.cadc.auth.HttpPrincipal;
import ca.nrc.cadc.net.TransientException;
import ca.nrc.cadc.profiler.Profiler;
import ca.nrc.cadc.util.ObjectUtil;
import java.security.AccessControlException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.SortedSet;
import java.util.TreeSet;
import javax.security.auth.Subject;
import org.apache.log4j.Logger;
import org.opencadc.auth.PosixGroup;

/* loaded from: input_file:ca/nrc/cadc/ac/server/ldap/LdapGroupPersistence.class */
public class LdapGroupPersistence extends LdapPersistence implements GroupPersistence {
    private static final Logger log = Logger.getLogger(LdapGroupPersistence.class);
    private GroupDetailSelector detailSelector;

    public void setDetailSelector(GroupDetailSelector groupDetailSelector) {
        this.detailSelector = groupDetailSelector;
    }

    @Override // ca.nrc.cadc.ac.server.GroupPersistence
    public void destroy() {
    }

    @Override // ca.nrc.cadc.ac.server.GroupPersistence
    public Collection<PosixGroup> getGroupNames() throws TransientException, AccessControlException {
        return getGroupNames(null, null);
    }

    public Collection<PosixGroup> getGroupNames(List<String> list, List<Integer> list2) throws TransientException, AccessControlException {
        checkAuthenticatedWithAccount(AuthenticationUtil.getCurrentSubject());
        LdapConnections ldapConnections = new LdapConnections(this);
        try {
            LdapGroupDAO ldapGroupDAO = new LdapGroupDAO(ldapConnections, new LdapUserDAO(ldapConnections));
            if (list == null && list2 == null) {
                Collection<PosixGroup> groupNames = ldapGroupDAO.getGroupNames();
                ldapConnections.releaseConnections();
                return groupNames;
            }
            ArrayList arrayList = new ArrayList();
            if (list != null) {
                Iterator<String> it = list.iterator();
                while (it.hasNext()) {
                    try {
                        Group group = ldapGroupDAO.getGroup(it.next(), false);
                        arrayList.add(new PosixGroup(group.gid, group.getID()));
                    } catch (GroupNotFoundException e) {
                        log.debug("skip: " + e);
                    }
                }
            }
            if (list2 != null) {
                Iterator<Integer> it2 = list2.iterator();
                while (it2.hasNext()) {
                    try {
                        Group group2 = ldapGroupDAO.getGroup(it2.next().intValue());
                        arrayList.add(new PosixGroup(group2.gid, group2.getID()));
                    } catch (GroupNotFoundException e2) {
                        log.warn("skip: " + e2);
                    }
                }
            }
            return arrayList;
        } finally {
            ldapConnections.releaseConnections();
        }
    }

    @Override // ca.nrc.cadc.ac.server.GroupPersistence
    public Group getGroup(String str) throws GroupNotFoundException, TransientException, AccessControlException {
        return getGroup(str, true);
    }

    @Override // ca.nrc.cadc.ac.server.GroupPersistence
    public Group getGroup(String str, boolean z) throws GroupNotFoundException, TransientException, AccessControlException {
        Subject currentSubject = AuthenticationUtil.getCurrentSubject();
        boolean z2 = !z || isMember(currentSubject, str) || isAdmin(currentSubject, str);
        LdapConnections ldapConnections = new LdapConnections(this);
        try {
            Group group = new LdapGroupDAO(ldapConnections, new LdapUserDAO(ldapConnections)).getGroup(str, true);
            if (z2 || isOwner(currentSubject, group)) {
                return group;
            }
            throw new AccessControlException("permission denied");
        } finally {
            ldapConnections.releaseConnections();
        }
    }

    @Override // ca.nrc.cadc.ac.server.GroupPersistence
    public Group addGroup(Group group) throws GroupAlreadyExistsException, TransientException, AccessControlException, UserNotFoundException, GroupNotFoundException {
        Subject currentSubject = AuthenticationUtil.getCurrentSubject();
        checkAuthenticatedWithAccount(currentSubject);
        Principal user = getUser(currentSubject);
        LdapConnections ldapConnections = new LdapConnections(this);
        try {
            LdapUserDAO ldapUserDAO = new LdapUserDAO(ldapConnections);
            ObjectUtil.setField(group, ldapUserDAO.getAugmentedUser(user, false), "owner");
            Group addGroup = new LdapGroupDAO(ldapConnections, ldapUserDAO).addGroup(group);
            ldapConnections.releaseConnections();
            return addGroup;
        } catch (Throwable th) {
            ldapConnections.releaseConnections();
            throw th;
        }
    }

    @Override // ca.nrc.cadc.ac.server.GroupPersistence
    public void deleteGroup(String str) throws GroupNotFoundException, TransientException, AccessControlException {
        Subject currentSubject = AuthenticationUtil.getCurrentSubject();
        LdapConnections ldapConnections = new LdapConnections(this);
        try {
            LdapGroupDAO ldapGroupDAO = new LdapGroupDAO(ldapConnections, new LdapUserDAO(ldapConnections));
            if (!isOwner(currentSubject, ldapGroupDAO.getGroup(str, false))) {
                throw new AccessControlException("permission denied");
            }
            ldapGroupDAO.deleteGroup(str);
        } finally {
            ldapConnections.releaseConnections();
        }
    }

    @Override // ca.nrc.cadc.ac.server.GroupPersistence
    public Group modifyGroup(Group group) throws GroupNotFoundException, TransientException, AccessControlException, UserNotFoundException {
        Subject currentSubject = AuthenticationUtil.getCurrentSubject();
        boolean isAdmin = isAdmin(currentSubject, group.getID().getName());
        LdapConnections ldapConnections = new LdapConnections(this);
        try {
            LdapGroupDAO ldapGroupDAO = new LdapGroupDAO(ldapConnections, new LdapUserDAO(ldapConnections));
            if (!isAdmin && isOwner(currentSubject, ldapGroupDAO.getGroup(group.getID().getName(), false))) {
                isAdmin = true;
            }
            if (!isAdmin) {
                throw new AccessControlException("permission denied");
            }
            Group modifyGroup = ldapGroupDAO.modifyGroup(group);
            ldapConnections.releaseConnections();
            return modifyGroup;
        } catch (Throwable th) {
            ldapConnections.releaseConnections();
            throw th;
        }
    }

    @Override // ca.nrc.cadc.ac.server.GroupPersistence
    public Collection<Group> getGroups(Role role, String str) throws UserNotFoundException, GroupNotFoundException, TransientException, AccessControlException {
        Subject currentSubject = AuthenticationUtil.getCurrentSubject();
        LdapConnections ldapConnections = new LdapConnections(this);
        try {
            try {
                LdapGroupDAO ldapGroupDAO = new LdapGroupDAO(ldapConnections, new LdapUserDAO(ldapConnections));
                Profiler profiler = new Profiler(LdapGroupPersistence.class);
                if (Role.OWNER.equals(role)) {
                    Collection<Group> ownerGroups = ldapGroupDAO.getOwnerGroups(getInternalID(currentSubject), str);
                    profiler.checkpoint("get owner groups");
                    ldapConnections.releaseConnections();
                    return ownerGroups;
                }
                List<Group> groupCache = getGroupCache(currentSubject, role);
                log.debug("getGroups  " + role + ": " + groupCache.size());
                ArrayList arrayList = new ArrayList(groupCache.size());
                String name = currentSubject.getPrincipals(HttpPrincipal.class).size() == 1 ? ((HttpPrincipal) currentSubject.getPrincipals(HttpPrincipal.class).iterator().next()).getName() : null;
                for (Group group : groupCache) {
                    if (name != null && group.getID().getName().equals(name)) {
                        log.debug("Filtering out posix group: " + name);
                    } else if (str == null || group.getID().getName().equalsIgnoreCase(str)) {
                        if (this.detailSelector == null || !this.detailSelector.isDetailedSearch(group, role)) {
                            arrayList.add(group);
                        } else {
                            try {
                                Group group2 = ldapGroupDAO.getGroup(group.getID().getName(), false);
                                log.debug("role " + role + " loaded: " + group2);
                                arrayList.add(group2);
                            } catch (GroupNotFoundException e) {
                                log.error("group: " + group.getID() + " in cache but not found", e);
                            }
                        }
                    }
                }
                profiler.checkpoint("get membership groups");
                ldapConnections.releaseConnections();
                return arrayList;
            } catch (TransientException e2) {
                log.error("getGroups fail", e2);
                throw e2;
            }
        } catch (Throwable th) {
            ldapConnections.releaseConnections();
            throw th;
        }
    }

    @Override // ca.nrc.cadc.ac.server.GroupPersistence
    public SortedSet<String> getMemberEmailsForGroup(String str) throws GroupNotFoundException, TransientException, AccessControlException {
        checkAuthenticatedWithAccount(AuthenticationUtil.getCurrentSubject());
        LdapConnections ldapConnections = new LdapConnections(this);
        try {
            TreeSet treeSet = new TreeSet();
            Iterator it = new LdapGroupDAO(ldapConnections, new LdapUserDAO(ldapConnections)).getGroup(str, true).getUserMembers().iterator();
            while (it.hasNext()) {
                String str2 = ((User) it.next()).personalDetails.email;
                if (str2 != null) {
                    treeSet.add(str2);
                }
            }
            return treeSet;
        } finally {
            ldapConnections.releaseConnections();
        }
    }

    private List<Group> getGroupCache(Subject subject, Role role) {
        if (subject == null || AuthMethod.ANON.equals(AuthenticationUtil.getAuthMethod(subject))) {
            throw new AccessControlException("Caller is not authenticated");
        }
        Set privateCredentials = subject.getPrivateCredentials(GroupMemberships.class);
        if (privateCredentials == null || privateCredentials.isEmpty()) {
            throw new RuntimeException("BUG: no GroupMemberships cache in Subject");
        }
        return ((GroupMemberships) privateCredentials.iterator().next()).getMemberships(role);
    }

    private boolean isMember(Subject subject, String str) {
        Iterator<Group> it = getGroupCache(subject, Role.MEMBER).iterator();
        while (it.hasNext()) {
            if (it.next().getID().getName().equalsIgnoreCase(str)) {
                return true;
            }
        }
        return false;
    }

    private boolean isAdmin(Subject subject, String str) {
        Iterator<Group> it = getGroupCache(subject, Role.ADMIN).iterator();
        while (it.hasNext()) {
            if (it.next().getID().getName().equalsIgnoreCase(str)) {
                return true;
            }
        }
        return false;
    }

    private boolean isOwner(Subject subject, Group group) {
        if (subject == null || AuthMethod.ANON.equals(AuthenticationUtil.getAuthMethod(subject))) {
            throw new AccessControlException("Caller is not authenticated");
        }
        for (Principal principal : subject.getPrincipals()) {
            Iterator it = group.getOwner().getIdentities().iterator();
            while (it.hasNext()) {
                if (AuthenticationUtil.equals(principal, (Principal) it.next())) {
                    return true;
                }
            }
        }
        return false;
    }

    private DNPrincipal getInternalID(Subject subject) {
        if (subject == null || AuthMethod.ANON.equals(AuthenticationUtil.getAuthMethod(subject))) {
            throw new AccessControlException("Caller is not authenticated");
        }
        Set principals = subject.getPrincipals(DNPrincipal.class);
        if (principals.isEmpty()) {
            return null;
        }
        return (DNPrincipal) principals.iterator().next();
    }

    private Principal getUser(Subject subject) {
        if (subject == null || AuthMethod.ANON.equals(AuthenticationUtil.getAuthMethod(subject))) {
            throw new AccessControlException("Caller is not authenticated");
        }
        Set privateCredentials = subject.getPrivateCredentials(GroupMemberships.class);
        if (privateCredentials == null || privateCredentials.isEmpty()) {
            throw new RuntimeException("BUG: no GroupMemberships cache in Subject");
        }
        return ((GroupMemberships) privateCredentials.iterator().next()).getUserID();
    }

    private void checkAuthenticatedWithAccount(Subject subject) {
        if (subject == null || AuthMethod.ANON.equals(AuthenticationUtil.getAuthMethod(subject))) {
            throw new AccessControlException("Caller is not authenticated");
        }
        if (subject.getPrincipals(HttpPrincipal.class).isEmpty()) {
            throw new AccessControlException("Caller does not have authorized account");
        }
    }
}
