package systems.dmx.accesscontrol;

import com.sun.jersey.spi.container.ContainerRequest;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import systems.dmx.accesscontrol.DeprecatedUserAccountMethods;
import systems.dmx.accesscontrol.event.PostLoginUser;
import systems.dmx.accesscontrol.event.PostLogoutUser;
import systems.dmx.config.ConfigCustomizer;
import systems.dmx.config.ConfigDef;
import systems.dmx.config.ConfigModRole;
import systems.dmx.config.ConfigService;
import systems.dmx.config.ConfigTarget;
import systems.dmx.core.Assoc;
import systems.dmx.core.AssocType;
import systems.dmx.core.DMXObject;
import systems.dmx.core.RelatedTopic;
import systems.dmx.core.Topic;
import systems.dmx.core.TopicType;
import systems.dmx.core.model.AssocModel;
import systems.dmx.core.model.AssocPlayerModel;
import systems.dmx.core.model.PlayerModel;
import systems.dmx.core.model.SimpleValue;
import systems.dmx.core.model.TopicModel;
import systems.dmx.core.osgi.PluginActivator;
import systems.dmx.core.service.ChangeReport;
import systems.dmx.core.service.DMXEvent;
import systems.dmx.core.service.EventListener;
import systems.dmx.core.service.Inject;
import systems.dmx.core.service.Transactional;
import systems.dmx.core.service.accesscontrol.AccessControlException;
import systems.dmx.core.service.accesscontrol.Credentials;
import systems.dmx.core.service.accesscontrol.Operation;
import systems.dmx.core.service.accesscontrol.Permissions;
import systems.dmx.core.service.event.CheckAssocReadAccess;
import systems.dmx.core.service.event.CheckAssocWriteAccess;
import systems.dmx.core.service.event.CheckTopicReadAccess;
import systems.dmx.core.service.event.CheckTopicWriteAccess;
import systems.dmx.core.service.event.PostCreateAssoc;
import systems.dmx.core.service.event.PostCreateTopic;
import systems.dmx.core.service.event.PostUpdateAssoc;
import systems.dmx.core.service.event.PostUpdateTopic;
import systems.dmx.core.service.event.PreCreateAssoc;
import systems.dmx.core.service.event.ServiceRequestFilter;
import systems.dmx.core.service.event.StaticResourceFilter;
import systems.dmx.core.util.DMXUtils;
import systems.dmx.core.util.IdList;
import systems.dmx.core.util.JavaUtils;
import systems.dmx.files.FilesService;
import systems.dmx.files.event.CheckDiskQuota;
import systems.dmx.workspaces.WorkspacesService;

@Produces({"application/json"})
@Path("/access-control")
@Consumes({"application/json"})
/* loaded from: input_file:systems/dmx/accesscontrol/AccessControlPlugin.class */
public class AccessControlPlugin extends PluginActivator implements AccessControlService, ConfigCustomizer, CheckTopicReadAccess, CheckTopicWriteAccess, CheckAssocReadAccess, CheckAssocWriteAccess, PreCreateAssoc, PostCreateTopic, PostCreateAssoc, PostUpdateTopic, PostUpdateAssoc, ServiceRequestFilter, StaticResourceFilter, CheckDiskQuota {
    private static final String AUTHENTICATION_REALM = "DMX";

    @Inject
    private WorkspacesService ws;

    @Inject
    private FilesService fs;

    @Inject
    private ConfigService cs;

    @Context
    private HttpServletRequest request;

    @Context
    private HttpServletResponse response;
    private final Map<String, AuthorizationMethod> authorizationMethods = new HashMap();
    private static final String ANONYMOUS_READ_ALLOWED = System.getProperty("dmx.security.anonymous_read_allowed", "ALL");
    private static final String ANONYMOUS_WRITE_ALLOWED = System.getProperty("dmx.security.anonymous_write_allowed", "NONE");
    private static final AnonymousAccessFilter accessFilter = new AnonymousAccessFilter(ANONYMOUS_READ_ALLOWED, ANONYMOUS_WRITE_ALLOWED);
    private static final String SUBNET_FILTER = System.getProperty("dmx.security.subnet_filter", "127.0.0.1/32");
    private static final boolean NEW_ACCOUNTS_ARE_ENABLED = Boolean.parseBoolean(System.getProperty("dmx.security.new_accounts_are_enabled", "true"));
    private static final String SITE_SALT = System.getProperty("dmx.security.site_salt", "");
    private static final boolean IS_PUBLIC_INSTALLATION = ANONYMOUS_READ_ALLOWED.equals("ALL");
    private static DMXEvent POST_LOGIN_USER = new DMXEvent(PostLoginUser.class) { // from class: systems.dmx.accesscontrol.AccessControlPlugin.1
        public void dispatch(EventListener eventListener, Object... objArr) {
            ((PostLoginUser) eventListener).postLoginUser((String) objArr[0]);
        }
    };
    private static DMXEvent POST_LOGOUT_USER = new DMXEvent(PostLogoutUser.class) { // from class: systems.dmx.accesscontrol.AccessControlPlugin.2
        public void dispatch(EventListener eventListener, Object... objArr) {
            ((PostLogoutUser) eventListener).postLogoutUser((String) objArr[0]);
        }
    };
    private static final Logger logger = Logger.getLogger(AccessControlPlugin.class.getName());

    @Override // systems.dmx.accesscontrol.AccessControlService
    @Deprecated
    public Topic createUserAccount(Credentials credentials) {
        return (Topic) DeprecatedUserAccountMethods.call(getBundleContext(), deprecatedUserAccountMethods -> {
            return deprecatedUserAccountMethods.createUserAccount(credentials);
        });
    }

    @Override // systems.dmx.accesscontrol.AccessControlService
    @Deprecated
    public Topic _createUserAccount(Credentials credentials) throws Exception {
        try {
            return (Topic) DeprecatedUserAccountMethods.call(getBundleContext(), deprecatedUserAccountMethods -> {
                return deprecatedUserAccountMethods._createUserAccount(credentials);
            });
        } catch (DeprecatedUserAccountMethods.CallableException e) {
            throw e.causeFromCallable;
        }
    }

    @Override // systems.dmx.accesscontrol.AccessControlService
    @Deprecated
    public Topic createUsername(String str) {
        return (Topic) DeprecatedUserAccountMethods.call(getBundleContext(), deprecatedUserAccountMethods -> {
            return deprecatedUserAccountMethods.createUsername(str);
        });
    }

    @Override // systems.dmx.accesscontrol.AccessControlService
    @POST
    @Path("/login")
    public void login() {
    }

    @Override // systems.dmx.accesscontrol.AccessControlService
    @POST
    @Path("/logout")
    public void logout() {
        _logout(this.request);
        if (IS_PUBLIC_INSTALLATION) {
            return;
        }
        throw401Unauthorized(true);
    }

    @Override // systems.dmx.accesscontrol.AccessControlService
    @GET
    @Produces({"text/plain"})
    @Path("/user")
    public String getUsername() {
        return this.dmx.getPrivilegedAccess().getUsername(this.request);
    }

    @Override // systems.dmx.accesscontrol.AccessControlService
    @GET
    @Path("/username")
    public Topic getUsernameTopic() {
        return this.dmx.getPrivilegedAccess().getUsernameTopic(this.request);
    }

    @Override // systems.dmx.accesscontrol.AccessControlService
    @GET
    @Path("/user/workspace")
    public Topic getPrivateWorkspace() {
        String username = getUsername();
        if (username == null) {
            throw new IllegalStateException("No user is logged in");
        }
        return this.dmx.getPrivilegedAccess().getPrivateWorkspace(username);
    }

    @Override // systems.dmx.accesscontrol.AccessControlService
    public void checkAdmin() {
        try {
            checkWriteAccess(getAdminWorkspaceId());
        } catch (Exception e) {
            throw new RuntimeException("User is not an administrator", e);
        }
    }

    @Override // systems.dmx.accesscontrol.AccessControlService
    @GET
    @Path("/username/{username}")
    public Topic getUsernameTopic(@PathParam("username") String str) {
        return this.dmx.getPrivilegedAccess().getUsernameTopic(str);
    }

    @Override // systems.dmx.accesscontrol.AccessControlService
    @GET
    @Produces({"text/plain"})
    @Path("/workspace/{workspaceId}/owner")
    public String getWorkspaceOwner(@PathParam("workspaceId") long j) {
        if (this.dmx.hasProperty(j, Constants.OWNER)) {
            return (String) this.dmx.getProperty(j, Constants.OWNER);
        }
        return null;
    }

    @Override // systems.dmx.accesscontrol.AccessControlService
    public void setWorkspaceOwner(Topic topic, String str) {
        try {
            topic.setProperty(Constants.OWNER, str, true);
        } catch (Exception e) {
            throw new RuntimeException("Setting the workspace owner of " + info((DMXObject) topic) + " failed (username=" + str + ")", e);
        }
    }

    @Override // systems.dmx.accesscontrol.AccessControlService
    public void enrichWithOwnerInfo(Topic topic) {
        topic.getChildTopics().getModel().set(Constants.OWNER, getWorkspaceOwner(topic.getId()));
    }

    @Override // systems.dmx.accesscontrol.AccessControlService
    @GET
    @Path("/user/{username}/memberships")
    public List<RelatedTopic> getMemberships(@PathParam("username") String str) {
        try {
            return getUsernameTopic(str).getRelatedTopics(Constants.MEMBERSHIP, "dmx.core.default", "dmx.core.default", "dmx.workspaces.workspace");
        } catch (Exception e) {
            throw new RuntimeException("Getting memberships of user \"" + str + "\" failed", e);
        }
    }

    @Override // systems.dmx.accesscontrol.AccessControlService
    @GET
    @Path("/workspace/{workspaceId}/memberships")
    public List<RelatedTopic> getMemberships(@PathParam("workspaceId") long j) {
        try {
            return this.dmx.getTopic(j).getRelatedTopics(Constants.MEMBERSHIP, "dmx.core.default", "dmx.core.default", Constants.USERNAME);
        } catch (Exception e) {
            throw new RuntimeException("Getting memberships of workspace " + j + " failed", e);
        }
    }

    @Override // systems.dmx.accesscontrol.AccessControlService
    public boolean isMember(String str, long j) {
        return this.dmx.getPrivilegedAccess().isMember(str, j);
    }

    @Override // systems.dmx.accesscontrol.AccessControlService
    public Assoc getMembership(String str, long j) {
        Topic usernameTopic = getUsernameTopic(str);
        if (usernameTopic == null) {
            throw new RuntimeException("Unknown username: \"" + str + "\"");
        }
        return this.dmx.getAssocBetweenTopicAndTopic(Constants.MEMBERSHIP, usernameTopic.getId(), j, "dmx.core.default", "dmx.core.default");
    }

    @Override // systems.dmx.accesscontrol.AccessControlService
    @POST
    @Path("/user/{username}/workspace/{workspaceId}")
    @Transactional
    public void createMembership(@PathParam("username") String str, @PathParam("workspaceId") long j) {
        try {
            checkWorkspaceArg(j);
            this.dmx.getPrivilegedAccess().createMembership(str, j);
        } catch (Exception e) {
            throw new RuntimeException("Creating membership for user \"" + str + "\" and workspace " + j + " failed", e);
        }
    }

    @Override // systems.dmx.accesscontrol.AccessControlService
    @Path("/user/{username}")
    @PUT
    @Transactional
    public List<RelatedTopic> bulkUpdateMemberships(@PathParam("username") String str, @QueryParam("addWorkspaceIds") IdList idList, @QueryParam("removeWorkspaceIds") IdList idList2) {
        try {
            ArrayList arrayList = new ArrayList();
            ArrayList arrayList2 = new ArrayList();
            if (idList2 != null) {
                Iterator it = idList2.iterator();
                while (it.hasNext()) {
                    long longValue = ((Long) it.next()).longValue();
                    if (deleteMembershipIfExists(str, longValue)) {
                        arrayList2.add(Long.valueOf(longValue));
                    }
                }
            }
            if (idList != null) {
                Iterator it2 = idList.iterator();
                while (it2.hasNext()) {
                    long longValue2 = ((Long) it2.next()).longValue();
                    if (!isMember(str, longValue2)) {
                        createMembership(str, longValue2);
                        arrayList.add(Long.valueOf(longValue2));
                    }
                }
            }
            logger.info("### User \"" + str + "\": workspaces added " + arrayList + ", workspaces removed " + arrayList2);
            return getMemberships(str);
        } catch (Exception e) {
            throw new RuntimeException("Bulk membership update for user \"" + str + "\" failed", e);
        }
    }

    @Override // systems.dmx.accesscontrol.AccessControlService
    @Path("/workspace/{workspaceId}")
    @PUT
    @Transactional
    public List<RelatedTopic> bulkUpdateMemberships(@PathParam("workspaceId") long j, @QueryParam("addUserIds") IdList idList, @QueryParam("removeUserIds") IdList idList2) {
        try {
            ArrayList arrayList = new ArrayList();
            ArrayList arrayList2 = new ArrayList();
            if (idList2 != null) {
                Iterator it = idList2.iterator();
                while (it.hasNext()) {
                    String username = getUsername(((Long) it.next()).longValue());
                    if (deleteMembershipIfExists(username, j)) {
                        arrayList2.add(username);
                    }
                }
            }
            if (idList != null) {
                Iterator it2 = idList.iterator();
                while (it2.hasNext()) {
                    String username2 = getUsername(((Long) it2.next()).longValue());
                    if (!isMember(username2, j)) {
                        createMembership(username2, j);
                        arrayList.add(username2);
                    }
                }
            }
            logger.info("### Workspace " + j + ": users added " + arrayList + ", users removed " + arrayList2);
            return getMemberships(j);
        } catch (Exception e) {
            throw new RuntimeException("Bulk membership update for workspace " + j + " failed", e);
        }
    }

    @Override // systems.dmx.accesscontrol.AccessControlService
    @GET
    @Path("/workspace/admin/id")
    public long getAdminWorkspaceId() {
        return this.dmx.getPrivilegedAccess().getAdminWorkspaceId();
    }

    @Override // systems.dmx.accesscontrol.AccessControlService
    @GET
    @Path("/object/{id}")
    public Permissions getPermissions(@PathParam("id") long j) {
        return new Permissions().add(Operation.WRITE, hasPermission(getUsername(), Operation.WRITE, j));
    }

    @Override // systems.dmx.accesscontrol.AccessControlService
    @GET
    @Produces({"text/plain"})
    @Path("/object/{id}/creator")
    public String getCreator(@PathParam("id") long j) {
        return this.dmx.getPrivilegedAccess().getCreator(j);
    }

    @Override // systems.dmx.accesscontrol.AccessControlService
    @GET
    @Produces({"text/plain"})
    @Path("/object/{id}/modifier")
    public String getModifier(@PathParam("id") long j) {
        if (this.dmx.hasProperty(j, Constants.MODIFIER)) {
            return (String) this.dmx.getProperty(j, Constants.MODIFIER);
        }
        return null;
    }

    @Override // systems.dmx.accesscontrol.AccessControlService
    public void enrichWithUserInfo(DMXObject dMXObject) {
        long id = dMXObject.getId();
        dMXObject.getChildTopics().getModel().set(Constants.CREATOR, getCreator(id)).set(Constants.MODIFIER, getModifier(id));
    }

    @Override // systems.dmx.accesscontrol.AccessControlService
    @GET
    @Path("/user/{username}/workspaces")
    public Collection<Topic> getWorkspacesByOwner(@PathParam("username") String str) {
        try {
            List<Topic> topicsByProperty = this.dmx.getTopicsByProperty(Constants.OWNER, str);
            for (Topic topic : topicsByProperty) {
                if (!topic.getTypeUri().equals("dmx.workspaces.workspace")) {
                    throw new RuntimeException("Consistency check failed: topic " + topic.getId() + " is not a Workspace, but a \"" + topic.getTypeUri() + "\"");
                }
            }
            return topicsByProperty;
        } catch (Exception e) {
            throw new RuntimeException("Getting workspaces owned by user \"" + str + "\" failed", e);
        }
    }

    @Override // systems.dmx.accesscontrol.AccessControlService
    @GET
    @Path("/creator/{username}/topics")
    public Collection<Topic> getTopicsByCreator(@PathParam("username") String str) {
        return this.dmx.getTopicsByProperty(Constants.CREATOR, str);
    }

    @Override // systems.dmx.accesscontrol.AccessControlService
    @GET
    @Path("/creator/{username}/assocs")
    public Collection<Assoc> getAssocsByCreator(@PathParam("username") String str) {
        return this.dmx.getAssocsByProperty(Constants.CREATOR, str);
    }

    @Override // systems.dmx.accesscontrol.AccessControlService
    @GET
    @Path("/methods")
    public Set<String> getAuthorizationMethods() {
        return this.authorizationMethods.keySet();
    }

    @Override // systems.dmx.accesscontrol.AccessControlService
    public void registerAuthorizationMethod(String str, AuthorizationMethod authorizationMethod) {
        if (this.authorizationMethods.containsKey(str)) {
            throw new RuntimeException("Authorization method \"" + str + "\" already registered");
        }
        logger.info("Registering authorization method \"" + str + "\"");
        this.authorizationMethods.put(str, authorizationMethod);
    }

    @Override // systems.dmx.accesscontrol.AccessControlService
    public void unregisterAuthorizationMethod(String str) {
        logger.info("Unregistering authorization method \"" + str + "\"");
        this.authorizationMethods.remove(str);
    }

    public void preInstall() {
        this.cs.registerConfigDef(new ConfigDef(ConfigTarget.TYPE_INSTANCES, Constants.USERNAME, this.mf.newTopicModel(Constants.LOGIN_ENABLED, new SimpleValue(NEW_ACCOUNTS_ARE_ENABLED)), ConfigModRole.ADMIN, this));
    }

    public void shutdown() {
        if (this.cs != null) {
            this.cs.unregisterConfigDef(Constants.LOGIN_ENABLED);
        }
    }

    public TopicModel getConfigValue(Topic topic) {
        if (!topic.getTypeUri().equals(Constants.USERNAME)) {
            throw new RuntimeException("Unexpected configurable topic: " + topic);
        }
        if (topic.getSimpleValue().toString().equals("admin")) {
            return this.mf.newTopicModel(Constants.LOGIN_ENABLED, new SimpleValue(true));
        }
        return null;
    }

    public void checkTopicReadAccess(long j) {
        checkReadAccess(j);
    }

    public void checkTopicWriteAccess(long j) {
        checkWriteAccess(j);
    }

    public void checkAssocReadAccess(long j) {
        checkReadAccess(j);
        List playerModels = this.dmx.getPlayerModels(j);
        checkReadAccess((PlayerModel) playerModels.get(0));
        checkReadAccess((PlayerModel) playerModels.get(1));
    }

    public void checkAssocWriteAccess(long j) {
        checkWriteAccess(j);
    }

    public void postCreateTopic(Topic topic) {
        if (topic.getTypeUri().equals("dmx.workspaces.workspace")) {
            setWorkspaceOwner(topic);
        }
        setCreatorAndModifier(topic);
    }

    public void preCreateAssoc(AssocModel assocModel) {
        PlayerModel[] assocAutoTyping = DMXUtils.assocAutoTyping(assocModel, Constants.USERNAME, "dmx.workspaces.workspace", Constants.MEMBERSHIP, "dmx.core.default", "dmx.core.default", playerModelArr -> {
            try {
                checkWriteAccess(playerModelArr[1].getId());
                return true;
            } catch (AccessControlException e) {
                return false;
            }
        });
        if (assocAutoTyping != null) {
            assocModel.getChildTopics().setRef("dmx.workspaces.workspace#dmx.workspaces.workspace_assignment", assocAutoTyping[1].getId());
        }
    }

    public void postCreateAssoc(Assoc assoc) {
        setCreatorAndModifier(assoc);
    }

    public void postUpdateTopic(Topic topic, ChangeReport changeReport, TopicModel topicModel) {
        setModifier(topic);
    }

    public void postUpdateAssoc(Assoc assoc, ChangeReport changeReport, AssocModel assocModel) {
        setModifier(assoc);
    }

    public void serviceRequestFilter(ContainerRequest containerRequest) {
        requestFilter(this.request, this.response);
    }

    public void staticResourceFilter(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        requestFilter(httpServletRequest, httpServletResponse);
    }

    public void checkDiskQuota(String str, long j, long j2) {
        if (j2 < 0) {
            logger.info("### Checking disk quota of " + userInfo(str) + " SKIPPED -- disk quota is disabled");
            return;
        }
        long occupiedSpace = getOccupiedSpace(str);
        boolean z = occupiedSpace + j <= j2;
        logger.info("### File size: " + j + " bytes, " + userInfo(str) + " occupies " + occupiedSpace + " bytes, disk quota: " + j2 + " bytes => QUOTA " + (z ? "OK" : "EXCEEDED"));
        if (!z) {
            throw new RuntimeException("Disk quota of " + userInfo(str) + " exceeded, diskQuota=" + j2 + " bytes, occupiedSpace=" + occupiedSpace + " bytes, fileSize=" + j + " bytes");
        }
    }

    private void checkWorkspaceArg(long j) {
        Topic topic = this.dmx.getTopic(j);
        String typeUri = topic.getTypeUri();
        if (!typeUri.equals("dmx.workspaces.workspace")) {
            throw new IllegalArgumentException("Topic " + j + " is not a Workspace (but a \"" + typeUri + "\")");
        }
        topic.checkWriteAccess();
    }

    private String getUsername(long j) {
        Topic topic = this.dmx.getTopic(j);
        String typeUri = topic.getTypeUri();
        if (typeUri.equals(Constants.USERNAME)) {
            return topic.getSimpleValue().toString();
        }
        throw new IllegalArgumentException("Topic " + j + " is not a Username (but a \"" + typeUri + "\")");
    }

    private boolean deleteMembershipIfExists(String str, long j) {
        Assoc membership = getMembership(str, j);
        if (membership == null) {
            return false;
        }
        membership.delete();
        return true;
    }

    private long getOccupiedSpace(String str) {
        long j = 0;
        Iterator it = this.dmx.getTopicsByType("dmx.files.file").iterator();
        while (it.hasNext()) {
            long id = ((Topic) it.next()).getId();
            if (getCreator(id).equals(str)) {
                try {
                    j += this.fs.getFile(id).length();
                } catch (Exception e) {
                }
            }
        }
        return j;
    }

    private void requestFilter(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        logger.fine("##### " + httpServletRequest.getMethod() + " " + ((Object) httpServletRequest.getRequestURL()) + "\n      ##### \"Authorization\"=\"" + httpServletRequest.getHeader("Authorization") + "\"\n      ##### " + info(httpServletRequest.getSession(false)));
        checkRequestOrigin(httpServletRequest);
        if (username(getSession(httpServletRequest, httpServletResponse)) == null) {
            checkAuthorization(httpServletRequest);
        }
    }

    private HttpSession getSession(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        HttpSession session = httpServletRequest.getSession(false);
        if (session == null) {
            session = httpServletRequest.getSession();
            httpServletResponse.setHeader("Set-Cookie", httpServletResponse.getHeader("Set-Cookie") + ";SameSite=Strict");
            logger.fine("### Creating " + info(session) + ", response=" + httpServletResponse);
        }
        return session;
    }

    private void checkRequestOrigin(HttpServletRequest httpServletRequest) {
        String remoteAddr = httpServletRequest.getRemoteAddr();
        boolean isInRange = JavaUtils.isInRange(remoteAddr, SUBNET_FILTER);
        logger.fine("Remote address=\"" + remoteAddr + "\", dmx.security.subnet_filter=\"" + SUBNET_FILTER + "\" => " + (isInRange ? "ALLOWED" : "FORBIDDEN"));
        if (isInRange) {
            return;
        }
        throw403Forbidden();
    }

    private void checkAuthorization(HttpServletRequest httpServletRequest) {
        boolean isAnonymousAccessAllowed;
        String header = httpServletRequest.getHeader("Authorization");
        if (header != null) {
            Credentials credentials = new Credentials(header);
            isAnonymousAccessAllowed = tryLogin(credentials, getAuthorizationMethod(credentials), httpServletRequest);
        } else {
            isAnonymousAccessAllowed = accessFilter.isAnonymousAccessAllowed(httpServletRequest);
        }
        if (isAnonymousAccessAllowed) {
            return;
        }
        throw401Unauthorized(!IS_PUBLIC_INSTALLATION);
    }

    private AuthorizationMethod getAuthorizationMethod(Credentials credentials) {
        AuthorizationMethod authorizationMethod = null;
        if (!credentials.methodName.equals("Basic")) {
            logger.info("authMethodName: \"" + credentials.methodName + "\"");
            authorizationMethod = getAuthorizationMethod(credentials.methodName);
        }
        return authorizationMethod;
    }

    private AuthorizationMethod getAuthorizationMethod(String str) {
        AuthorizationMethod authorizationMethod = this.authorizationMethods.get(str);
        if (authorizationMethod == null) {
            throw new RuntimeException("Authorization method \"" + str + "\" is unknown");
        }
        return authorizationMethod;
    }

    private boolean tryLogin(Credentials credentials, AuthorizationMethod authorizationMethod, HttpServletRequest httpServletRequest) {
        String str = credentials.username;
        Topic checkCredentials = checkCredentials(credentials, authorizationMethod);
        if (checkCredentials == null || !getLoginEnabled(checkCredentials)) {
            logger.info("##### Logging in as \"" + str + "\" => FAILED!");
            return false;
        }
        logger.info("##### Logging in as \"" + str + "\" => SUCCESSFUL!");
        _login(str, httpServletRequest);
        return true;
    }

    private Topic checkCredentials(Credentials credentials, AuthorizationMethod authorizationMethod) {
        return authorizationMethod == null ? this.dmx.getPrivilegedAccess().checkCredentials(credentials) : authorizationMethod.checkCredentials(credentials);
    }

    private boolean getLoginEnabled(Topic topic) {
        return this.dmx.getPrivilegedAccess().getConfigTopic(Constants.LOGIN_ENABLED, topic.getId()).getSimpleValue().booleanValue();
    }

    private void _login(String str, HttpServletRequest httpServletRequest) {
        httpServletRequest.getSession(false).setAttribute("username", str);
        this.dmx.fireEvent(POST_LOGIN_USER, new Object[]{str});
    }

    private void _logout(HttpServletRequest httpServletRequest) {
        HttpSession session = httpServletRequest.getSession(false);
        String username = username(session);
        logger.info("##### Logging out as \"" + username + "\"");
        logger.fine("##### Detaching username from " + info(session));
        session.removeAttribute("username");
        this.dmx.fireEvent(POST_LOGOUT_USER, new Object[]{username});
    }

    private String username(HttpSession httpSession) {
        return this.dmx.getPrivilegedAccess().username(httpSession);
    }

    private void throw401Unauthorized(boolean z) {
        throw new WebApplicationException(Response.status(Response.Status.UNAUTHORIZED).header("WWW-Authenticate", (z ? "Basic" : "xBasic") + " realm=" + AUTHENTICATION_REALM).header("Content-Type", "text/html").entity("You're not authorized. Sorry.").build());
    }

    private void throw403Forbidden() {
        throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).header("Content-Type", "text/html").entity("Access is forbidden. Sorry.").build());
    }

    private void setCreatorAndModifier(DMXObject dMXObject) {
        try {
            String username = getUsername();
            if (username == null) {
                logger.fine("Setting the creator/modifier of " + info(dMXObject) + " SKIPPED -- no user is logged in");
            } else {
                setCreatorAndModifier(dMXObject, username);
            }
        } catch (Exception e) {
            throw new RuntimeException("Setting the creator/modifier of " + info(dMXObject) + " failed", e);
        }
    }

    private void setCreatorAndModifier(DMXObject dMXObject, String str) {
        setCreator(dMXObject, str);
        setModifier(dMXObject, str);
    }

    private void setCreator(DMXObject dMXObject, String str) {
        try {
            dMXObject.setProperty(Constants.CREATOR, str, true);
        } catch (Exception e) {
            throw new RuntimeException("Setting the creator of " + info(dMXObject) + " failed (username=" + str + ")", e);
        }
    }

    private void setModifier(DMXObject dMXObject) {
        String username = getUsername();
        if (username == null) {
            return;
        }
        setModifier(dMXObject, username);
    }

    private void setModifier(DMXObject dMXObject, String str) {
        dMXObject.setProperty(Constants.MODIFIER, str, false);
    }

    private void setWorkspaceOwner(Topic topic) {
        String username = getUsername();
        if (username == null) {
            return;
        }
        setWorkspaceOwner(topic, username);
    }

    private void checkReadAccess(PlayerModel playerModel) {
        long id = playerModel.getId();
        if (playerModel instanceof AssocPlayerModel) {
            checkAssocReadAccess(id);
        } else {
            checkReadAccess(id);
        }
    }

    private void checkReadAccess(long j) {
        checkAccess(Operation.READ, j);
    }

    private void checkWriteAccess(long j) {
        checkAccess(Operation.WRITE, j);
    }

    private void checkAccess(Operation operation, long j) {
        if (!inRequestScope()) {
            logger.fine("### Object " + j + " is accessed by \"System\" -- " + operation + " permission is granted");
            return;
        }
        String username = getUsername();
        if (!hasPermission(username, operation, j)) {
            throw new AccessControlException(userInfo(username) + " has no " + operation + " permission for object " + j);
        }
    }

    private boolean hasPermission(String str, Operation operation, long j) {
        return this.dmx.getPrivilegedAccess().hasPermission(str, operation, j);
    }

    private boolean inRequestScope() {
        return this.dmx.getPrivilegedAccess().inRequestScope(this.request);
    }

    private String info(DMXObject dMXObject) {
        if (dMXObject instanceof TopicType) {
            return "topic type \"" + dMXObject.getUri() + "\" (id=" + dMXObject.getId() + ")";
        }
        if (dMXObject instanceof AssocType) {
            return "association type \"" + dMXObject.getUri() + "\" (id=" + dMXObject.getId() + ")";
        }
        if (dMXObject instanceof Topic) {
            return "topic " + dMXObject.getId() + " (typeUri=\"" + dMXObject.getTypeUri() + "\", uri=\"" + dMXObject.getUri() + "\")";
        }
        if (dMXObject instanceof Assoc) {
            return "association " + dMXObject.getId() + " (typeUri=\"" + dMXObject.getTypeUri() + "\")";
        }
        throw new RuntimeException("Unexpected object: " + dMXObject);
    }

    private String userInfo(String str) {
        return "user " + (str != null ? "\"" + str + "\"" : "<anonymous>");
    }

    private String info(HttpSession httpSession) {
        return "session" + (httpSession != null ? " " + httpSession.getId() + " (username=" + username(httpSession) + ")" : ": null");
    }

    private String info(HttpServletRequest httpServletRequest) {
        StringBuilder sb = new StringBuilder();
        sb.append("    " + httpServletRequest.getMethod() + " " + httpServletRequest.getRequestURI() + "\n");
        Enumeration headerNames = httpServletRequest.getHeaderNames();
        while (headerNames.hasMoreElements()) {
            String str = (String) headerNames.nextElement();
            sb.append("\n    " + str + ":");
            Enumeration headers = httpServletRequest.getHeaders(str);
            while (headers.hasMoreElements()) {
                sb.append(" " + ((String) headers.nextElement()));
            }
        }
        return sb.toString();
    }

    static {
        logger.info("Security config:\n  dmx.security.anonymous_read_allowed = " + accessFilter.dumpReadSetting() + "\n  dmx.security.anonymous_write_allowed = " + accessFilter.dumpWriteSetting() + "\n  dmx.security.subnet_filter = " + SUBNET_FILTER + "\n  dmx.security.new_accounts_are_enabled = " + NEW_ACCOUNTS_ARE_ENABLED);
    }
}
