package ca.nrc.cadc.tap.permissions;

import ca.nrc.cadc.auth.AuthenticationUtil;
import ca.nrc.cadc.auth.IdentityManager;
import ca.nrc.cadc.cred.client.CredUtil;
import ca.nrc.cadc.reg.Standards;
import ca.nrc.cadc.reg.client.LocalAuthority;
import ca.nrc.cadc.tap.parser.ParserUtil;
import ca.nrc.cadc.tap.parser.navigator.ExpressionNavigator;
import ca.nrc.cadc.tap.parser.navigator.FromItemNavigator;
import ca.nrc.cadc.tap.parser.navigator.ReferenceNavigator;
import ca.nrc.cadc.tap.parser.navigator.SelectNavigator;
import ca.nrc.cadc.uws.server.RandomStringGenerator;
import java.security.AccessControlException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import javax.security.auth.Subject;
import net.sf.jsqlparser.expression.Expression;
import net.sf.jsqlparser.expression.LongValue;
import net.sf.jsqlparser.expression.Parenthesis;
import net.sf.jsqlparser.expression.StringValue;
import net.sf.jsqlparser.expression.operators.conditional.AndExpression;
import net.sf.jsqlparser.expression.operators.conditional.OrExpression;
import net.sf.jsqlparser.expression.operators.relational.EqualsTo;
import net.sf.jsqlparser.expression.operators.relational.ExpressionList;
import net.sf.jsqlparser.expression.operators.relational.InExpression;
import net.sf.jsqlparser.expression.operators.relational.IsNullExpression;
import net.sf.jsqlparser.schema.Column;
import net.sf.jsqlparser.schema.Table;
import net.sf.jsqlparser.statement.select.Join;
import net.sf.jsqlparser.statement.select.PlainSelect;
import net.sf.jsqlparser.statement.select.SelectExpressionItem;
import net.sf.jsqlparser.statement.select.SubSelect;
import org.apache.log4j.Logger;
import org.opencadc.gms.GroupClient;
import org.opencadc.gms.GroupURI;
import org.opencadc.gms.GroupUtil;

/* loaded from: input_file:ca/nrc/cadc/tap/permissions/TapSchemaReadAccessConverter.class */
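/**
 * Rewrites a SELECT against the {@code tap_schema} asset tables so that it only returns
 * rows the current caller may read (row-level read access enforcement).
 *
 * <p>For every {@code PlainSelect} visited, the FROM tables are inspected and, for each
 * of {@code tap_schema.schemas}, {@code tap_schema.tables} and {@code tap_schema.columns},
 * a constraint is AND-ed onto the existing WHERE clause:
 * <ul>
 *   <li>schemas: the key column is NULL, or the schema-level access clause holds
 *       (see {@link #accessControlWhereClause(Table)});</li>
 *   <li>tables: the key column is NULL, or {@code schema_name} is in the set of readable
 *       schemas (sub-select on {@code tap_schema.schemas});</li>
 *   <li>columns: the key column is NULL, or {@code table_name} is in the set of tables whose
 *       schema is readable (sub-select joining tables and schemas).</li>
 * </ul>
 *
 * <p>The schema-level clause allows rows with a NULL {@code owner_id}, rows with
 * {@code owner_id IS NOT NULL AND read_anon = 1}, and, for an authenticated caller, rows
 * owned by the caller or whose {@code read_only_group}/{@code read_write_group} is one of
 * the caller's GMS group memberships.
 *
 * <p>Owner and group identifiers are embedded in the generated SQL as string literals; they
 * are escaped by {@link #stringLiteral(String)} so an embedded quote cannot alter the
 * generated predicate.
 */
public class TapSchemaReadAccessConverter extends SelectNavigator {

    private static final Logger log = Logger.getLogger(TapSchemaReadAccessConverter.class);

    // Permission columns on tap_schema.schemas consulted by accessControlWhereClause().
    private static final String OWNER_COLUMN = "owner_id";
    private static final String READ_ANON_COLUMN = "read_anon";
    private static final String READ_ONLY_GROUP_COLUMN = "read_only_group";
    private static final String READ_WRITE_GROUP_COLUMN = "read_write_group";

    public static final AssetTable SCHEMAS_ASSET_TABLE = new AssetTable("tap_schema", "schemas", "schema_name");
    public static final AssetTable TABLES_ASSET_TABLE = new AssetTable("tap_schema", "tables", "table_name");
    public static final AssetTable COLUMNS_ASSET_TABLE = new AssetTable("tap_schema", "columns", "column_name");

    private GroupClient gmsClient;
    private final IdentityManager identityManager;

    /**
     * Describes one of the tap_schema asset tables: its schema, name, lower-cased
     * {@code schema.name} used for matching FROM items, and the key column that
     * identifies the asset in that table.
     */
    public static class AssetTable {
        public String schema;
        public String name;
        public String wholeName;
        public String keyColumn;

        AssetTable() {
        }

        /**
         * @param schema    schema the asset table lives in (e.g. {@code tap_schema})
         * @param name      table name (e.g. {@code schemas})
         * @param keyColumn column that names the asset (e.g. {@code schema_name})
         */
        AssetTable(String schema, String name, String keyColumn) {
            this.schema = schema;
            this.name = name;
            // Locale.ROOT: FROM-item matching must not depend on the JVM default locale
            // (e.g. a Turkish locale lower-cases "I" to a dotless i and would never match).
            this.wholeName = (schema + "." + name).toLowerCase(Locale.ROOT);
            this.keyColumn = keyColumn;
        }
    }

    /**
     * Creates a converter that resolves the caller's owner identity through
     * {@code identityManager} and looks up group memberships through the GMS client
     * registered for {@link Standards#GMS_GROUPS_01} in the local authority.
     *
     * @param identityManager used to map the current Subject to an owner identifier
     */
    public TapSchemaReadAccessConverter(IdentityManager identityManager) {
        super(new ExpressionNavigator(), new ReferenceNavigator(), new FromItemNavigator());
        this.identityManager = identityManager;
        this.gmsClient = GroupUtil.getGroupClient(
                new LocalAuthority().getServiceURI(Standards.GMS_GROUPS_01.toString()));
    }

    /**
     * Replaces the GMS client used for group-membership lookups (e.g. for testing).
     *
     * @param groupClient client to use; {@code null} disables group-based access
     */
    public void setGroupClient(GroupClient groupClient) {
        this.gmsClient = groupClient;
    }

    /**
     * Visits a select body, then AND-s the access-control constraint for any asset
     * tables in its FROM list onto the existing WHERE clause.
     *
     * @param plainSelect the select to rewrite in place
     */
    @Override
    public void visit(PlainSelect plainSelect) {
        log.debug("start - visit(PlainSelect) " + plainSelect);
        super.visit(plainSelect);
        Expression accessControl = accessControlExpression(plainSelect);
        if (accessControl != null) {
            Expression where = plainSelect.getWhere();
            if (where == null) {
                plainSelect.setWhere(accessControl);
            } else {
                // Parenthesise both sides so an existing OR in the user's WHERE cannot
                // widen the result set past the access-control constraint.
                plainSelect.setWhere(new AndExpression(new Parenthesis(where), new Parenthesis(accessControl)));
            }
        }
        log.debug("end - visit(PlainSelect) " + plainSelect);
    }

    /**
     * Builds the combined (AND-ed) access-control constraint for every asset table
     * referenced in the FROM list of {@code plainSelect}.
     *
     * @return the constraint, or {@code null} when no asset table is referenced
     */
    private Expression accessControlExpression(PlainSelect plainSelect) {
        List<Expression> constraints = new ArrayList<Expression>();
        for (Table table : ParserUtil.getFromTableList(plainSelect)) {
            String wholeName = table.getWholeTableName().toLowerCase(Locale.ROOT);
            log.debug("check: " + wholeName);
            if (SCHEMAS_ASSET_TABLE.wholeName.equals(wholeName)) {
                constraints.add(schemasAccessControlExpression(table));
            } else if (TABLES_ASSET_TABLE.wholeName.equals(wholeName)) {
                constraints.add(tablesAccessControlExpression(table));
            } else if (COLUMNS_ASSET_TABLE.wholeName.equals(wholeName)) {
                constraints.add(columnsAccessControlExpression(table));
            } else {
                log.debug("not an asset table: " + wholeName);
            }
        }
        return constraints.isEmpty() ? null : combineAndExpressions(constraints);
    }

    /** {@code schema_name IS NULL OR <schema access clause on table>}. */
    private Expression schemasAccessControlExpression(Table table) {
        return new OrExpression(
                publicByKeyColumn(new Column(table, SCHEMAS_ASSET_TABLE.keyColumn)),
                accessControlWhereClause(table));
    }

    /**
     * {@code table_name IS NULL OR schema_name IN
     * (SELECT schema_name FROM tap_schema.schemas WHERE <schema access clause>)}.
     */
    private Expression tablesAccessControlExpression(Table table) {
        Table schemas = new Table(SCHEMAS_ASSET_TABLE.schema, SCHEMAS_ASSET_TABLE.name);

        SelectExpressionItem selectItem = new SelectExpressionItem();
        selectItem.setExpression(new Column(schemas, SCHEMAS_ASSET_TABLE.keyColumn));

        PlainSelect readableSchemas = new PlainSelect();
        readableSchemas.setSelectItems(Arrays.asList(selectItem));
        readableSchemas.setFromItem(schemas);
        readableSchemas.setWhere(accessControlWhereClause(schemas));

        SubSelect subSelect = new SubSelect();
        subSelect.setSelectBody(readableSchemas);

        InExpression schemaIsReadable = new InExpression();
        schemaIsReadable.setLeftExpression(useTableAliasIfExists(new Column(table, SCHEMAS_ASSET_TABLE.keyColumn)));
        schemaIsReadable.setItemsList(subSelect);

        return new OrExpression(publicByKeyColumn(new Column(table, TABLES_ASSET_TABLE.keyColumn)), schemaIsReadable);
    }

    /**
     * {@code column_name IS NULL OR table_name IN
     * (SELECT t.table_name FROM tap_schema.tables t JOIN tap_schema.schemas s
     *  ON t.schema_name = s.schema_name WHERE <schema access clause on s>)}.
     * The inner tables get random aliases so they cannot collide with aliases in
     * the user's query.
     */
    private Expression columnsAccessControlExpression(Table table) {
        // assumes getID() yields a string usable as an unquoted SQL alias — TODO confirm
        RandomStringGenerator aliasGenerator = new RandomStringGenerator(8);

        Table tables = new Table(TABLES_ASSET_TABLE.schema, TABLES_ASSET_TABLE.name);
        tables.setAlias(aliasGenerator.getID());

        SelectExpressionItem selectItem = new SelectExpressionItem();
        selectItem.setExpression(useTableAliasIfExists(new Column(tables, TABLES_ASSET_TABLE.keyColumn)));

        PlainSelect readableTables = new PlainSelect();
        readableTables.setSelectItems(Arrays.asList(selectItem));
        readableTables.setFromItem(tables);

        Table schemas = new Table(SCHEMAS_ASSET_TABLE.schema, SCHEMAS_ASSET_TABLE.name);
        schemas.setAlias(aliasGenerator.getID());

        EqualsTo sameSchema = new EqualsTo();
        sameSchema.setLeftExpression(useTableAliasIfExists(new Column(tables, SCHEMAS_ASSET_TABLE.keyColumn)));
        sameSchema.setRightExpression(useTableAliasIfExists(new Column(schemas, SCHEMAS_ASSET_TABLE.keyColumn)));

        Join join = new Join();
        join.setRightItem(schemas);
        join.setOnExpression(sameSchema);
        readableTables.setJoins(Arrays.asList(join));
        readableTables.setWhere(accessControlWhereClause(schemas));

        SubSelect subSelect = new SubSelect();
        subSelect.setSelectBody(readableTables);

        InExpression tableIsReadable = new InExpression();
        tableIsReadable.setLeftExpression(useTableAliasIfExists(new Column(table, TABLES_ASSET_TABLE.keyColumn)));
        tableIsReadable.setItemsList(subSelect);

        return new OrExpression(publicByKeyColumn(new Column(table, COLUMNS_ASSET_TABLE.keyColumn)), tableIsReadable);
    }

    /**
     * Schema-level access clause for a {@code tap_schema.schemas} table reference:
     * <pre>
     *   owner_id IS NULL OR (owner_id IS NOT NULL AND read_anon = 1)
     *   [OR owner_id = '&lt;caller&gt;'
     *      [OR read_only_group IN (...) OR read_write_group IN (...)]]
     * </pre>
     * The owner part is only present for an authenticated caller; the group part only
     * when a GMS client is configured and the caller has at least one membership.
     */
    private Expression accessControlWhereClause(Table table) {
        Expression anonymous = new OrExpression(publicByNullOwner(table), publicByPublicTrue(table));
        if (!isAuthenticated()) {
            return anonymous;
        }

        Expression authenticated = authorizedByOwner(table);
        log.debug("gmsClient: " + this.gmsClient);
        List<String> groupIDs = this.gmsClient == null ? null : getGroupIDs(this.gmsClient);
        if (groupIDs != null && !groupIDs.isEmpty()) {
            authenticated = new OrExpression(authenticated,
                    new OrExpression(authorizedByReadGroup(table, groupIDs), authorizedByReadWriteGroup(table, groupIDs)));
        }
        return new OrExpression(anonymous, authenticated);
    }

    /** {@code <key column> IS NULL}. */
    private Expression publicByKeyColumn(Column column) {
        IsNullExpression keyIsNull = new IsNullExpression();
        keyIsNull.setLeftExpression(useTableAliasIfExists(column));
        return keyIsNull;
    }

    /** {@code owner_id IS NULL}. */
    private Expression publicByNullOwner(Table table) {
        IsNullExpression ownerIsNull = new IsNullExpression();
        ownerIsNull.setLeftExpression(useTableAliasIfExists(new Column(table, OWNER_COLUMN)));
        return ownerIsNull;
    }

    /** {@code (owner_id IS NOT NULL AND read_anon = 1)}. */
    private Expression publicByPublicTrue(Table table) {
        IsNullExpression ownerIsNotNull = new IsNullExpression();
        ownerIsNotNull.setNot(true);
        ownerIsNotNull.setLeftExpression(useTableAliasIfExists(new Column(table, OWNER_COLUMN)));

        EqualsTo readAnon = new EqualsTo();
        readAnon.setLeftExpression(useTableAliasIfExists(new Column(table, READ_ANON_COLUMN)));
        readAnon.setRightExpression(new LongValue("1"));

        return new Parenthesis(new AndExpression(ownerIsNotNull, readAnon));
    }

    /** {@code owner_id = '<owner of the current Subject>'}. */
    private Expression authorizedByOwner(Table table) {
        EqualsTo ownerMatches = new EqualsTo();
        ownerMatches.setLeftExpression(useTableAliasIfExists(new Column(table, OWNER_COLUMN)));
        Object owner = this.identityManager.toOwner(AuthenticationUtil.getCurrentSubject());
        ownerMatches.setRightExpression(stringLiteral(String.valueOf(owner)));
        return ownerMatches;
    }

    /** {@code read_only_group IN ('g1', 'g2', ...)}. */
    private Expression authorizedByReadGroup(Table table, List<String> groupIDs) {
        InExpression inGroups = new InExpression();
        inGroups.setLeftExpression(useTableAliasIfExists(new Column(table, READ_ONLY_GROUP_COLUMN)));
        inGroups.setItemsList(createStringExpressionList(groupIDs));
        return inGroups;
    }

    /** {@code read_write_group IN ('g1', 'g2', ...)}. */
    private Expression authorizedByReadWriteGroup(Table table, List<String> groupIDs) {
        InExpression inGroups = new InExpression();
        inGroups.setLeftExpression(useTableAliasIfExists(new Column(table, READ_WRITE_GROUP_COLUMN)));
        inGroups.setItemsList(createStringExpressionList(groupIDs));
        return inGroups;
    }

    /**
     * Wraps each value as a quoted SQL string literal in an {@link ExpressionList}.
     *
     * @param values values to quote; must not be {@code null}
     */
    private static ExpressionList createStringExpressionList(List<String> values) {
        List<Expression> literals = new ArrayList<Expression>(values.size());
        for (String value : values) {
            literals.add(stringLiteral(value));
        }
        ExpressionList expressionList = new ExpressionList();
        expressionList.setExpressions(literals);
        return expressionList;
    }

    /**
     * Builds a quoted SQL string literal for {@code value}, doubling any embedded single
     * quote. {@link StringValue} stores the text between the quotes verbatim, so without
     * this an identifier containing {@code '} would terminate the literal early and alter
     * the generated predicate. A {@code null} value renders as {@code 'null'}.
     */
    private static StringValue stringLiteral(String value) {
        String escaped = String.valueOf(value).replace("'", "''");
        return new StringValue("'" + escaped + "'");
    }

    /**
     * Left-folds the expressions into {@code (e1) AND (e2) AND ...}.
     *
     * @return the combined expression, or {@code null} for an empty list
     */
    private static Expression combineAndExpressions(List<Expression> expressions) {
        Expression combined = null;
        for (Expression next : expressions) {
            combined = combined == null
                    ? next
                    : new AndExpression(new Parenthesis(combined), new Parenthesis(next));
        }
        return combined;
    }

    /**
     * Returns a column qualified by its table's alias when the table has one, so the
     * generated predicate resolves against the user's aliased FROM item; otherwise
     * returns the column unchanged.
     */
    private static Column useTableAliasIfExists(Column column) {
        Table table = column.getTable();
        if (table == null) {
            return column;
        }
        String alias = table.getAlias();
        if (alias == null || alias.isEmpty()) {
            return column;
        }
        return new Column(new Table((String) null, alias), column.getColumnName());
    }

    /** True when the current Subject exists and carries at least one Principal. */
    private boolean isAuthenticated() {
        Subject subject = AuthenticationUtil.getCurrentSubject();
        return subject != null
                && subject.getPrincipals() != null
                && !subject.getPrincipals().isEmpty();
    }

    /**
     * Looks up the caller's GMS group memberships as group URI strings.
     *
     * @param groupClient client to query; a new one is constructed from the local
     *                    authority when {@code null}
     * @return membership URIs, empty when credentials cannot be ensured
     * @throws AccessControlException propagated from {@link #ensureCredentials()}
     * @throws RuntimeException when the proxy certificate is expired or not yet valid
     */
    private List<String> getGroupIDs(GroupClient groupClient) throws AccessControlException {
        List<String> groupIDs = new ArrayList<String>();
        try {
            if (!ensureCredentials()) {
                return groupIDs;
            }
            GroupClient client = groupClient;
            if (client == null) {
                log.debug("Constructing new GMS Client");
                client = GroupUtil.getGroupClient(
                        new LocalAuthority().getServiceURI(Standards.GMS_GROUPS_01.toString()));
            }
            for (GroupURI membership : client.getMemberships()) {
                groupIDs.add(membership.toString());
            }
            return groupIDs;
        } catch (CertificateException e) {
            throw new RuntimeException("failed to find group memberships (invalid proxy certficate)", e);
        }
    }

    /**
     * Checks that the caller's delegated credentials are usable before contacting GMS.
     * Package-private so tests can override it.
     */
    boolean ensureCredentials() throws AccessControlException, CertificateExpiredException, CertificateNotYetValidException {
        return CredUtil.checkCredentials();
    }
}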
