package org.ametys.odf.rights;

import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.ametys.cms.repository.Content;
import org.ametys.core.group.GroupIdentity;
import org.ametys.core.right.AccessController;
import org.ametys.core.right.AccessExplanation;
import org.ametys.core.right.RightProfilesDAO;
import org.ametys.core.user.UserIdentity;
import org.ametys.odf.ProgramItem;
import org.ametys.odf.orgunit.OrgUnit;
import org.ametys.odf.rights.ODFRightHelper;
import org.ametys.plugins.core.impl.right.AbstractAccessController;
import org.ametys.plugins.repository.AmetysObject;
import org.ametys.plugins.repository.AmetysObjectResolver;
import org.ametys.runtime.i18n.I18nizableText;
import org.apache.avalon.framework.service.ServiceException;
import org.apache.avalon.framework.service.ServiceManager;
import org.apache.avalon.framework.service.Serviceable;
import org.apache.commons.lang.StringUtils;

/* loaded from: input_file:org/ametys/odf/rights/AbstractODFRoleAccessController.class */
public abstract class AbstractODFRoleAccessController extends AbstractAccessController implements Serviceable {
    private static final String __CMS_RIGHT_CONTEXT = "/cms";
    protected RightProfilesDAO _rightProfileDAO;
    protected ODFRightHelper _odfRightHelper;
    protected AmetysObjectResolver _resolver;
    protected ODFRoleAccessControllerHelper _roleAccessControllerHelper;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/ametys/odf/rights/AbstractODFRoleAccessController$PermissionDetails.class */
    public static final class PermissionDetails extends Record {
        private final AccessController.AccessResult result;
        private final Content object;
        private final boolean inherited;

        private PermissionDetails(AccessController.AccessResult accessResult, Content content, boolean z) {
            this.result = accessResult;
            this.object = content;
            this.inherited = z;
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, PermissionDetails.class), PermissionDetails.class, "result;object;inherited", "FIELD:Lorg/ametys/odf/rights/AbstractODFRoleAccessController$PermissionDetails;->result:Lorg/ametys/core/right/AccessController$AccessResult;", "FIELD:Lorg/ametys/odf/rights/AbstractODFRoleAccessController$PermissionDetails;->object:Lorg/ametys/cms/repository/Content;", "FIELD:Lorg/ametys/odf/rights/AbstractODFRoleAccessController$PermissionDetails;->inherited:Z").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, PermissionDetails.class), PermissionDetails.class, "result;object;inherited", "FIELD:Lorg/ametys/odf/rights/AbstractODFRoleAccessController$PermissionDetails;->result:Lorg/ametys/core/right/AccessController$AccessResult;", "FIELD:Lorg/ametys/odf/rights/AbstractODFRoleAccessController$PermissionDetails;->object:Lorg/ametys/cms/repository/Content;", "FIELD:Lorg/ametys/odf/rights/AbstractODFRoleAccessController$PermissionDetails;->inherited:Z").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, PermissionDetails.class, Object.class), PermissionDetails.class, "result;object;inherited", "FIELD:Lorg/ametys/odf/rights/AbstractODFRoleAccessController$PermissionDetails;->result:Lorg/ametys/core/right/AccessController$AccessResult;", "FIELD:Lorg/ametys/odf/rights/AbstractODFRoleAccessController$PermissionDetails;->object:Lorg/ametys/cms/repository/Content;", "FIELD:Lorg/ametys/odf/rights/AbstractODFRoleAccessController$PermissionDetails;->inherited:Z").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        public AccessController.AccessResult result() {
            return this.result;
        }

        public Content object() {
            return this.object;
        }

        public boolean inherited() {
            return this.inherited;
        }
    }

    public void service(ServiceManager serviceManager) throws ServiceException {
        this._rightProfileDAO = (RightProfilesDAO) serviceManager.lookup(RightProfilesDAO.ROLE);
        this._odfRightHelper = (ODFRightHelper) serviceManager.lookup(ODFRightHelper.ROLE);
        this._resolver = (AmetysObjectResolver) serviceManager.lookup(AmetysObjectResolver.ROLE);
        this._roleAccessControllerHelper = (ODFRoleAccessControllerHelper) serviceManager.lookup(ODFRoleAccessControllerHelper.ROLE);
    }

    public boolean isSupported(Object obj) {
        return (obj instanceof ProgramItem) || (obj instanceof OrgUnit) || ((obj instanceof String) && ((String) obj).startsWith(__CMS_RIGHT_CONTEXT));
    }

    protected Set<Content> _getParents(Content content, ODFRightHelper.PermissionContext permissionContext) {
        Stream<AmetysObject> stream = this._odfRightHelper.getParents(content, permissionContext).stream();
        Class<Content> cls = Content.class;
        Objects.requireNonNull(Content.class);
        Stream<AmetysObject> filter = stream.filter((v1) -> {
            return r1.isInstance(v1);
        });
        Class<Content> cls2 = Content.class;
        Objects.requireNonNull(Content.class);
        return (Set) filter.map((v1) -> {
            return r1.cast(v1);
        }).collect(Collectors.toSet());
    }

    protected ODFRightHelper.PermissionContext _getPermissionContext(Content content) {
        return new ODFRightHelper.PermissionContext(content);
    }

    public AccessController.AccessResult getPermission(UserIdentity userIdentity, Set<GroupIdentity> set, String str, Object obj) {
        if (!(obj instanceof String)) {
            return _getPermission(userIdentity, set, str, (Content) obj, _getPermissionContext((Content) obj));
        }
        if (this._roleAccessControllerHelper.hasODFRoleOnAnyProgramItem(userIdentity, _getRoleAttributePath()) && _getRightsInTargetProfile().contains(str)) {
            return AccessController.AccessResult.USER_ALLOWED;
        }
        return AccessController.AccessResult.UNKNOWN;
    }

    private AccessController.AccessResult _getPermission(UserIdentity userIdentity, Set<GroupIdentity> set, String str, Content content, ODFRightHelper.PermissionContext permissionContext) {
        if (_getRightsInTargetProfile().contains(str) && _getLocalAllowedUsers(content).contains(userIdentity)) {
            return AccessController.AccessResult.USER_ALLOWED;
        }
        AccessController.AccessResult accessResult = AccessController.AccessResult.UNKNOWN;
        Set<Content> _getParents = _getParents(content, permissionContext);
        if (_getParents != null) {
            Iterator<Content> it = _getParents.iterator();
            while (it.hasNext()) {
                accessResult = AccessController.AccessResult.merge(new AccessController.AccessResult[]{accessResult, _getPermission(userIdentity, set, str, it.next(), permissionContext)});
            }
        }
        return accessResult;
    }

    protected synchronized List<String> _getRightsInTargetProfile() {
        String _getTargetProfileId = _getTargetProfileId();
        return StringUtils.isNotBlank(_getTargetProfileId) ? this._rightProfileDAO.getRights(_getTargetProfileId) : List.of();
    }

    protected abstract String _getTargetProfileId();

    protected Set<UserIdentity> _getAllowedUsers(Content content, ODFRightHelper.PermissionContext permissionContext) {
        Set<UserIdentity> _getLocalAllowedUsers = _getLocalAllowedUsers(content);
        Set<Content> _getParents = _getParents(content, permissionContext);
        if (_getParents != null) {
            Iterator<Content> it = _getParents.iterator();
            while (it.hasNext()) {
                _getLocalAllowedUsers.addAll(_getAllowedUsers(it.next(), permissionContext));
            }
        }
        return _getLocalAllowedUsers;
    }

    protected abstract Set<UserIdentity> _getLocalAllowedUsers(Content content);

    public AccessController.AccessResult getReadAccessPermission(UserIdentity userIdentity, Set<GroupIdentity> set, Object obj) {
        return AccessController.AccessResult.UNKNOWN;
    }

    public Map<String, AccessController.AccessResult> getPermissionByRight(UserIdentity userIdentity, Set<GroupIdentity> set, Object obj) {
        if (obj instanceof String) {
            if (this._roleAccessControllerHelper.hasODFRoleOnAnyProgramItem(userIdentity, _getRoleAttributePath())) {
                return (Map) _getRightsInTargetProfile().stream().collect(Collectors.toMap(str -> {
                    return str;
                }, str2 -> {
                    return AccessController.AccessResult.USER_ALLOWED;
                }));
            }
        } else if (_getAllowedUsers((Content) obj, _getPermissionContext((Content) obj)).contains(userIdentity)) {
            return (Map) _getRightsInTargetProfile().stream().collect(Collectors.toMap(str3 -> {
                return str3;
            }, str4 -> {
                return AccessController.AccessResult.USER_ALLOWED;
            }));
        }
        return Map.of();
    }

    protected abstract String _getRoleAttributePath();

    public AccessController.AccessResult getPermissionForAnonymous(String str, Object obj) {
        return AccessController.AccessResult.UNKNOWN;
    }

    public AccessController.AccessResult getReadAccessPermissionForAnonymous(Object obj) {
        return AccessController.AccessResult.UNKNOWN;
    }

    public AccessController.AccessResult getPermissionForAnyConnectedUser(String str, Object obj) {
        return AccessController.AccessResult.UNKNOWN;
    }

    public AccessController.AccessResult getReadAccessPermissionForAnyConnectedUser(Object obj) {
        return AccessController.AccessResult.UNKNOWN;
    }

    public Map<UserIdentity, AccessController.AccessResult> getPermissionByUser(String str, Object obj) {
        Set<UserIdentity> _getAllowedUsers;
        return ((obj instanceof Content) && _getRightsInTargetProfile().contains(str) && (_getAllowedUsers = _getAllowedUsers((Content) obj, _getPermissionContext((Content) obj))) != null) ? (Map) _getAllowedUsers.stream().collect(Collectors.toMap(userIdentity -> {
            return userIdentity;
        }, userIdentity2 -> {
            return AccessController.AccessResult.USER_ALLOWED;
        })) : Map.of();
    }

    public Map<UserIdentity, AccessController.AccessResult> getReadAccessPermissionByUser(Object obj) {
        return Map.of();
    }

    public Map<GroupIdentity, AccessController.AccessResult> getPermissionByGroup(String str, Object obj) {
        return Map.of();
    }

    public Map<GroupIdentity, AccessController.AccessResult> getReadAccessPermissionByGroup(Object obj) {
        return Map.of();
    }

    public boolean hasUserAnyPermissionOnWorkspace(Set<Object> set, UserIdentity userIdentity, Set<GroupIdentity> set2, String str) {
        Stream<Object> stream = set.stream();
        Class<String> cls = String.class;
        Objects.requireNonNull(String.class);
        Stream<Object> filter = stream.filter(cls::isInstance);
        Class<String> cls2 = String.class;
        Objects.requireNonNull(String.class);
        if (filter.map(cls2::cast).anyMatch(str2 -> {
            return str2.startsWith(__CMS_RIGHT_CONTEXT);
        }) && this._roleAccessControllerHelper.hasODFRoleOnAnyProgramItem(userIdentity, _getRoleAttributePath())) {
            return _getRightsInTargetProfile().contains(str);
        }
        return false;
    }

    public boolean hasUserAnyReadAccessPermissionOnWorkspace(Set<Object> set, UserIdentity userIdentity, Set<GroupIdentity> set2) {
        return false;
    }

    public boolean hasAnonymousAnyPermissionOnWorkspace(Set<Object> set, String str) {
        return false;
    }

    public boolean hasAnonymousAnyReadAccessPermissionOnWorkspace(Set<Object> set) {
        return false;
    }

    public boolean hasAnyConnectedUserAnyPermissionOnWorkspace(Set<Object> set, String str) {
        return false;
    }

    public boolean hasAnyConnectedUserAnyReadAccessPermissionOnWorkspace(Set<Object> set) {
        return false;
    }

    public AccessExplanation explainPermission(UserIdentity userIdentity, Set<GroupIdentity> set, String str, Object obj) {
        if (!(obj instanceof String)) {
            return _buildExplanation(_getPermissionDetails(userIdentity, set, str, (Content) obj, _getPermissionContext((Content) obj)));
        }
        if (this._roleAccessControllerHelper.hasODFRoleOnAnyProgramItem(userIdentity, _getRoleAttributePath()) && _getRightsInTargetProfile().contains(str)) {
            return new AccessExplanation(getId(), AccessController.AccessResult.USER_ALLOWED, new I18nizableText("plugin.odf", "PLUGINS_ODF_ROLE_ACCESS_CONTROLLER_GENERAL_EXPLANATION", Map.of("role", _getRoleLabel())));
        }
        return AccessController.getDefaultAccessExplanation(getId(), AccessController.AccessResult.UNKNOWN);
    }

    private PermissionDetails _getPermissionDetails(UserIdentity userIdentity, Set<GroupIdentity> set, String str, Content content, ODFRightHelper.PermissionContext permissionContext) {
        if (_getRightsInTargetProfile().contains(str) && _getLocalAllowedUsers(content).contains(userIdentity)) {
            return new PermissionDetails(AccessController.AccessResult.USER_ALLOWED, content, false);
        }
        PermissionDetails permissionDetails = new PermissionDetails(AccessController.AccessResult.UNKNOWN, content, false);
        Set<Content> _getParents = _getParents(content, permissionContext);
        if (_getParents != null) {
            Iterator<Content> it = _getParents.iterator();
            while (it.hasNext()) {
                PermissionDetails _getPermissionDetails = _getPermissionDetails(userIdentity, set, str, it.next(), permissionContext);
                AccessController.AccessResult result = _getPermissionDetails.result();
                if (result != AccessController.AccessResult.UNKNOWN && AccessController.AccessResult.merge(new AccessController.AccessResult[]{result, permissionDetails.result()}) == result) {
                    permissionDetails = _getPermissionDetails.inherited() ? _getPermissionDetails : new PermissionDetails(result, _getPermissionDetails.object(), true);
                }
            }
        }
        return permissionDetails;
    }

    private AccessExplanation _buildExplanation(PermissionDetails permissionDetails) {
        if (AccessController.AccessResult.UNKNOWN.equals(permissionDetails.result())) {
            return AccessController.getDefaultAccessExplanation(getId(), AccessController.AccessResult.UNKNOWN);
        }
        Map of = Map.of("title", new I18nizableText(permissionDetails.object().getTitle()), "role", _getRoleLabel());
        return new AccessExplanation(getId(), permissionDetails.result(), permissionDetails.inherited() ? new I18nizableText("plugin.odf", "PLUGINS_ODF_ROLE_ACCESS_CONTROLLER_INHERITED_EXPLANATION", of) : new I18nizableText("plugin.odf", "PLUGINS_ODF_ROLE_ACCESS_CONTROLLER_EXPLANATION", of));
    }

    protected abstract I18nizableText _getRoleLabel();
}
