package org.ametys.plugins.workspaces.project.rights.accesscontroller;

import com.google.common.collect.Iterables;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.ametys.core.group.GroupIdentity;
import org.ametys.core.right.AccessController;
import org.ametys.core.right.RightManager;
import org.ametys.core.right.RightProfilesDAO;
import org.ametys.core.user.UserIdentity;
import org.ametys.plugins.workspaces.project.ProjectManager;
import org.ametys.plugins.workspaces.project.objects.Project;
import org.ametys.runtime.config.Config;
import org.ametys.web.WebHelper;
import org.ametys.web.repository.page.SitemapElement;
import org.ametys.web.repository.site.Site;
import org.ametys.web.repository.site.SiteManager;
import org.apache.avalon.framework.context.Context;
import org.apache.avalon.framework.context.ContextException;
import org.apache.avalon.framework.context.Contextualizable;
import org.apache.avalon.framework.service.ServiceException;
import org.apache.avalon.framework.service.ServiceManager;
import org.apache.avalon.framework.service.Serviceable;
import org.apache.cocoon.components.ContextHelper;
import org.apache.commons.lang3.StringUtils;

/* loaded from: input_file:org/ametys/plugins/workspaces/project/rights/accesscontroller/BackOfficeAccessController.class */
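/**
 * Access controller that gives the managers of a workspaces project the rights of the
 * configured default manager profile.
 *
 * <p>A grant requires all of the following to hold:
 * <ul>
 *   <li>the requested right belongs to the profile named by the
 *       {@code workspaces.profile.managerdefault} configuration value (a {@code null} right id,
 *       used by the read-access methods, always passes this test);</li>
 *   <li>a project can be resolved for the checked object;</li>
 *   <li>the user is a manager of that project;</li>
 *   <li>the user holds {@code Plugins_Workspaces_Rights_Project_BOAccess} on the
 *       {@code /site/<catalog site name>} context.</li>
 * </ul>
 *
 * <p>This controller only ever answers {@code USER_ALLOWED} or {@code UNKNOWN}; it never returns
 * a denial, and it grants nothing to anonymous users, to "any connected user" or to groups.
 */
public class BackOfficeAccessController implements AccessController, Serviceable, Contextualizable {
    /** Right a manager must hold on the catalog site context before anything is granted. */
    private static final String __BO_ACCESS_RIGHT_ID = "Plugins_Workspaces_Rights_Project_BOAccess";
    /** Workspace context handled by this controller; also the prefix accepted by {@link #isSupported}. */
    private static final String __CMS_CONTEXT = "/cms";

    /** Identifier of the manager profile, read lazily from the configuration and then cached. */
    private String _adminProfileIdentifier;
    private RightProfilesDAO _rightProfileDAO;
    private Context _context;
    private SiteManager _siteManager;
    private ProjectManager _projectManager;
    private RightManager _rightManager;

    /**
     * Looks up the components this controller depends on.
     *
     * @param serviceManager the manager used to resolve the components
     * @throws ServiceException if a lookup fails
     */
    public void service(ServiceManager serviceManager) throws ServiceException {
        this._rightProfileDAO = (RightProfilesDAO) serviceManager.lookup(RightProfilesDAO.ROLE);
        this._siteManager = (SiteManager) serviceManager.lookup(SiteManager.ROLE);
        this._projectManager = (ProjectManager) serviceManager.lookup(ProjectManager.ROLE);
        this._rightManager = (RightManager) serviceManager.lookup(RightManager.ROLE);
    }

    /**
     * Stores the Avalon context, later used to reach the current request.
     *
     * @param context the component context
     * @throws ContextException declared by the interface; not thrown here
     */
    public void contextualize(Context context) throws ContextException {
        this._context = context;
    }

    /**
     * Tells whether this controller handles the given object.
     *
     * @param object the object or context being checked
     * @return {@code true} for any {@link SitemapElement} and for any string starting with {@code /cms}
     */
    public boolean isSupported(Object object) {
        if (object instanceof SitemapElement) {
            return true;
        }
        // NOTE(review): this is a plain prefix test, so a string such as "/cmsX" is accepted as
        // well as "/cms" and "/cms/..." - confirm that no other controller context shares the prefix.
        return object instanceof String && ((String) object).startsWith(__CMS_CONTEXT);
    }

    /**
     * Resolves the project the permission check applies to.
     *
     * <p>For a {@link SitemapElement} the site is the element's own site. For any other object the
     * site name is taken from the current request, not from the object itself, so the outcome
     * depends on the request being processed.
     *
     * @param object the object or context being checked
     * @return the first project returned for the site, or {@code null} if no site or project is found
     */
    private Project _getProject(Object object) {
        Site site = null;
        if (object instanceof SitemapElement) {
            site = ((SitemapElement) object).getSite();
        } else {
            // NOTE(review): behaviour when no request is attached to the context is not visible
            // here - confirm that ContextHelper.getRequest cannot be reached outside a request.
            String siteName = WebHelper.getSiteName(ContextHelper.getRequest(this._context));
            if (StringUtils.isNotBlank(siteName)) {
                site = this._siteManager.getSite(siteName);
            }
        }
        if (site == null) {
            return null;
        }
        // Only the first project attached to the site is considered.
        return (Project) Iterables.getFirst(this._projectManager.getProjectsForSite(site), null);
    }

    /**
     * Tells whether a right is one of those carried by the manager profile.
     *
     * @param rightId the right id, or {@code null} for a read-access check
     * @return {@code true} if {@code rightId} is {@code null} or listed in the manager profile
     */
    private boolean _isRightInAdminProfile(String rightId) {
        // A null right id stands for read access, which is granted without consulting the profile.
        return rightId == null || _getRightsInAdminProfile().contains(rightId);
    }

    /**
     * Tells whether the user holds the back-office access right on the catalog site context.
     *
     * @param user the user to check
     * @return {@code true} only if the right manager answers {@code RIGHT_ALLOW}
     */
    private boolean _hasBOAccessRight(UserIdentity user) {
        String catalogContext = "/site/" + this._projectManager.getCatalogSiteName();
        RightManager.RightResult result = this._rightManager.hasRight(user, __BO_ACCESS_RIGHT_ID, catalogContext);
        return result == RightManager.RightResult.RIGHT_ALLOW;
    }

    /**
     * Tells whether the user is a manager of the project and holds the back-office access right.
     *
     * @param project the resolved project, possibly {@code null}
     * @param user the user to check
     * @return {@code true} only if the project is non-null and both conditions hold
     */
    private boolean _isManagerWithBOAccess(Project project, UserIdentity user) {
        return project != null && this._projectManager.isManager(project, user) && _hasBOAccessRight(user);
    }

    /**
     * Returns the rights of the configured manager profile.
     *
     * <p>Only the profile identifier is cached; the rights are read from the DAO on every call.
     *
     * @return the rights of the profile named by {@code workspaces.profile.managerdefault}
     */
    private synchronized List<String> _getRightsInAdminProfile() {
        if (this._adminProfileIdentifier == null) {
            // NOTE(review): an unset configuration value leaves the identifier null and it is
            // passed to the DAO as is - confirm how getRights behaves in that case.
            this._adminProfileIdentifier = (String) Config.getInstance().getValue("workspaces.profile.managerdefault");
        }
        return this._rightProfileDAO.getRights(this._adminProfileIdentifier);
    }

    /**
     * Computes the permission of a user for one right on an object.
     *
     * @param user the user to check
     * @param userGroups the groups of the user; not used by this controller
     * @param rightId the right id, or {@code null} for read access
     * @param object the object or context being checked
     * @return {@code USER_ALLOWED} when every grant condition holds, {@code UNKNOWN} otherwise
     */
    public AccessController.AccessResult getPermission(UserIdentity user, Set<GroupIdentity> userGroups, String rightId, Object object) {
        if (!_isRightInAdminProfile(rightId)) {
            return AccessController.AccessResult.UNKNOWN;
        }
        Project project = _getProject(object);
        return _isManagerWithBOAccess(project, user)
                ? AccessController.AccessResult.USER_ALLOWED
                : AccessController.AccessResult.UNKNOWN;
    }

    /**
     * Computes the read-access permission of a user; same as {@link #getPermission} with a
     * {@code null} right id.
     */
    public AccessController.AccessResult getReadAccessPermission(UserIdentity user, Set<GroupIdentity> userGroups, Object object) {
        return getPermission(user, userGroups, null, object);
    }

    /**
     * Lists every right this controller grants to a user on an object.
     *
     * @param user the user to check
     * @param userGroups the groups of the user; not used by this controller
     * @param object the object or context being checked
     * @return each right of the manager profile mapped to {@code USER_ALLOWED}, or an empty map
     */
    public Map<String, AccessController.AccessResult> getPermissionByRight(UserIdentity user, Set<GroupIdentity> userGroups, Object object) {
        Project project = _getProject(object);
        if (!_isManagerWithBOAccess(project, user)) {
            return Map.of();
        }
        // Collectors.toMap throws IllegalStateException on a duplicate key, and nothing here
        // guarantees the profile's right list is free of duplicates, so de-duplicate first
        // (getPermissionByUser already does the same for managers).
        return _getRightsInAdminProfile().stream()
                .distinct()
                .collect(Collectors.toMap(right -> right, right -> AccessController.AccessResult.USER_ALLOWED));
    }

    /** Anonymous users get nothing from this controller. */
    public AccessController.AccessResult getPermissionForAnonymous(String rightId, Object object) {
        return AccessController.AccessResult.UNKNOWN;
    }

    /** Anonymous users get no read access from this controller. */
    public AccessController.AccessResult getReadAccessPermissionForAnonymous(Object object) {
        return AccessController.AccessResult.UNKNOWN;
    }

    /** Being connected is not enough: this controller grants nothing to "any connected user". */
    public AccessController.AccessResult getPermissionForAnyConnectedUser(String rightId, Object object) {
        return AccessController.AccessResult.UNKNOWN;
    }

    /** Being connected is not enough: no read access is granted to "any connected user". */
    public AccessController.AccessResult getReadAccessPermissionForAnyConnectedUser(Object object) {
        return AccessController.AccessResult.UNKNOWN;
    }

    /**
     * Lists the users this controller grants a right to on an object.
     *
     * @param rightId the right id, or {@code null} for read access
     * @param object the object or context being checked
     * @return the project's managers holding the back-office access right, each mapped to
     *         {@code USER_ALLOWED}; an empty map if the right is outside the manager profile or
     *         no project is resolved
     */
    public Map<UserIdentity, AccessController.AccessResult> getPermissionByUser(String rightId, Object object) {
        if (!_isRightInAdminProfile(rightId)) {
            return Map.of();
        }
        Project project = _getProject(object);
        if (project == null) {
            return Map.of();
        }
        // distinct() keeps Collectors.toMap from failing if a manager is listed twice.
        return Stream.<UserIdentity>of(project.getManagers())
                .distinct()
                .filter(this::_hasBOAccessRight)
                .collect(Collectors.toMap(manager -> manager, manager -> AccessController.AccessResult.USER_ALLOWED));
    }

    /** Same as {@link #getPermissionByUser} with a {@code null} right id. */
    public Map<UserIdentity, AccessController.AccessResult> getReadAccessPermissionByUser(Object object) {
        return getPermissionByUser(null, object);
    }

    /** This controller never grants anything through groups. */
    public Map<GroupIdentity, AccessController.AccessResult> getPermissionByGroup(String rightId, Object object) {
        return Map.of();
    }

    /** This controller never grants read access through groups. */
    public Map<GroupIdentity, AccessController.AccessResult> getReadAccessPermissionByGroup(Object object) {
        return Map.of();
    }

    /**
     * Tells whether the user is granted a right somewhere in the workspace.
     *
     * <p>Only the {@code /cms} context is considered, and the project is resolved from the
     * current request.
     *
     * @param workspacesContexts the contexts of the workspace
     * @param user the user to check
     * @param userGroups the groups of the user; not used by this controller
     * @param rightId the right id, or {@code null} for read access
     * @return {@code true} only when {@code /cms} is among the contexts and every grant condition holds
     */
    public boolean hasUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts, UserIdentity user, Set<GroupIdentity> userGroups, String rightId) {
        if (!_isRightInAdminProfile(rightId) || !workspacesContexts.contains(__CMS_CONTEXT)) {
            return false;
        }
        return _isManagerWithBOAccess(_getProject(__CMS_CONTEXT), user);
    }

    /** Same as {@link #hasUserAnyPermissionOnWorkspace} with a {@code null} right id. */
    public boolean hasUserAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts, UserIdentity user, Set<GroupIdentity> userGroups) {
        return hasUserAnyPermissionOnWorkspace(workspacesContexts, user, userGroups, null);
    }

    /** Anonymous users get nothing from this controller. */
    public boolean hasAnonymousAnyPermissionOnWorkspace(Set<Object> workspacesContexts, String rightId) {
        return false;
    }

    /** Anonymous users get no read access from this controller. */
    public boolean hasAnonymousAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts) {
        return false;
    }

    /** This controller grants nothing to "any connected user". */
    public boolean hasAnyConnectedUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts, String rightId) {
        return false;
    }

    /** This controller grants no read access to "any connected user". */
    public boolean hasAnyConnectedUserAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts) {
        return false;
    }
}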
