package org.ametys.core.right;

import java.io.InputStream;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.servlet.http.HttpServletRequest;
import org.ametys.core.datasource.ConnectionHelper;
import org.ametys.core.group.GroupDirectoryDAO;
import org.ametys.core.group.GroupIdentity;
import org.ametys.core.group.GroupListener;
import org.ametys.core.group.GroupManager;
import org.ametys.core.group.directory.GroupDirectory;
import org.ametys.core.group.directory.ModifiableGroupDirectory;
import org.ametys.core.right.AccessController;
import org.ametys.core.user.CurrentUserProvider;
import org.ametys.core.user.UserIdentity;
import org.ametys.core.user.UserListener;
import org.ametys.core.user.UserManager;
import org.ametys.core.user.directory.ModifiableUserDirectory;
import org.ametys.core.user.directory.UserDirectory;
import org.ametys.core.user.population.UserPopulation;
import org.ametys.core.user.population.UserPopulationDAO;
import org.ametys.plugins.core.authentication.LoginFormManager;
import org.ametys.plugins.core.schedule.Scheduler;
import org.ametys.runtime.i18n.I18nizableText;
import org.ametys.runtime.plugin.component.AbstractLogEnabled;
import org.ametys.runtime.request.RequestListener;
import org.ametys.runtime.request.RequestListenerManager;
import org.ametys.runtime.util.AmetysHomeHelper;
import org.apache.avalon.framework.activity.Initializable;
import org.apache.avalon.framework.component.Component;
import org.apache.avalon.framework.configuration.Configurable;
import org.apache.avalon.framework.configuration.Configuration;
import org.apache.avalon.framework.configuration.ConfigurationException;
import org.apache.avalon.framework.configuration.DefaultConfigurationBuilder;
import org.apache.avalon.framework.service.ServiceException;
import org.apache.avalon.framework.service.ServiceManager;
import org.apache.avalon.framework.service.Serviceable;
import org.apache.avalon.framework.thread.ThreadSafe;
import org.apache.commons.lang.StringUtils;
import org.apache.excalibur.source.Source;
import org.apache.excalibur.source.SourceResolver;

/* loaded from: input_file:org/ametys/core/right/RightManager.class */
public class RightManager extends AbstractLogEnabled implements UserListener, GroupListener, Serviceable, Configurable, Initializable, RequestListener, ThreadSafe, Component {
    /** Avalon role name of this component: the fully qualified class name. */
    public static final String ROLE = RightManager.class.getName();
    /** Identifier of the built-in reader profile; {@code removeProfile} refuses to delete it. */
    public static final String READER_PROFILE_ID = "READER";
    // Service manager received in service(); also used for the lazy lookups done later.
    protected ServiceManager _manager;
    // Resolves the optional external rights file in configure().
    protected SourceResolver _resolver;
    // Registry of declared rights; configureRights() adds to it.
    protected RightsExtensionPoint _rightsEP;
    // Storages holding profile assignments; consulted for null contexts and cleaned on removals.
    protected ProfileAssignmentStorageExtensionPoint _profileAssignmentStorageEP;
    // Convertors that expand one context object into further context objects to check.
    protected RightContextConvertorExtensionPoint _rightContextConvertorEP;
    // Access controllers asked for a decision on each supported context object.
    protected AccessControllerExtensionPoint _accessControllerEP;
    protected UserManager _userManager;
    protected GroupManager _groupManager;
    protected UserPopulationDAO _userPopulationDAO;
    protected GroupDirectoryDAO _groupDirectoryDAO;
    protected CurrentUserProvider _currentUserProvider;
    // Looked up lazily by _getProfileDAO(), not in service().
    protected RightProfilesDAO _profilesDAO;
    // Per-thread cache for non-null contexts: user -> set of profile ids -> context object -> result.
    // Only requestEnded() clears it. NOTE(review): a thread that evaluates rights outside a request
    // never gets that callback, so it could keep serving a decision made before a rights change — confirm.
    private final ThreadLocal<Map<UserIdentity, Map<Set<String>, Map<Object, RightResult>>>> _cacheTL = new ThreadLocal<>();
    // Per-thread cache for the null-context case: user -> set of profile ids -> result. Same lifetime as above.
    private final ThreadLocal<Map<UserIdentity, Map<Set<String>, RightResult>>> _cache2TL = new ThreadLocal<>();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.ametys.core.right.RightManager$1, reason: invalid class name */
    /* loaded from: input_file:org/ametys/core/right/RightManager$1.class */
    // Compiler-generated switch table, surfaced by the decompiler: it maps each AccessResult
    // ordinal to the case number used by the switch in _computeRight(). The numbers follow the
    // order of the case labels in that switch; they say nothing about the enum's declaration order.
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$ametys$core$right$AccessController$AccessResult = new int[AccessController.AccessResult.values().length];

        static {
            // Each assignment is wrapped separately so that a constant missing at runtime
            // (NoSuchFieldError) leaves its slot at 0, which falls into the switch's default branch.
            try {
                $SwitchMap$org$ametys$core$right$AccessController$AccessResult[AccessController.AccessResult.USER_DENIED.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$ametys$core$right$AccessController$AccessResult[AccessController.AccessResult.GROUP_DENIED.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$ametys$core$right$AccessController$AccessResult[AccessController.AccessResult.ANY_CONNECTED_DENIED.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$org$ametys$core$right$AccessController$AccessResult[AccessController.AccessResult.ANONYMOUS_DENIED.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$org$ametys$core$right$AccessController$AccessResult[AccessController.AccessResult.USER_ALLOWED.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
            try {
                $SwitchMap$org$ametys$core$right$AccessController$AccessResult[AccessController.AccessResult.GROUP_ALLOWED.ordinal()] = 6;
            } catch (NoSuchFieldError e6) {
            }
            try {
                $SwitchMap$org$ametys$core$right$AccessController$AccessResult[AccessController.AccessResult.ANY_CONNECTED_ALLOWED.ordinal()] = 7;
            } catch (NoSuchFieldError e7) {
            }
            try {
                $SwitchMap$org$ametys$core$right$AccessController$AccessResult[AccessController.AccessResult.ANONYMOUS_ALLOWED.ordinal()] = 8;
            } catch (NoSuchFieldError e8) {
            }
            try {
                $SwitchMap$org$ametys$core$right$AccessController$AccessResult[AccessController.AccessResult.UNKNOWN.ordinal()] = 9;
            } catch (NoSuchFieldError e9) {
            }
        }
    }

    /* loaded from: input_file:org/ametys/core/right/RightManager$RightResult.class */
    /** Outcome of a right check as exposed to callers of this manager. */
    public enum RightResult {
        // Produced by _computeRight() for every *_ALLOWED access result, and by the "/admin" shortcut.
        RIGHT_ALLOW,
        // Produced by _computeRight() for every *_DENIED access result.
        RIGHT_DENY,
        // No allow and no deny was established. NOTE(review): callers should presumably treat this
        // as "not granted"; hasReaderRight() does (it compares with RIGHT_ALLOW) — confirm elsewhere.
        RIGHT_UNKNOWN
    }

    /**
     * Stores the service manager and looks up every collaborator this component needs up front.
     * The profiles DAO is deliberately absent here; {@code _getProfileDAO()} resolves it on first use.
     *
     * @param serviceManager the manager to look components up in
     * @throws ServiceException if one of the lookups fails
     */
    public void service(ServiceManager serviceManager) throws ServiceException {
        _manager = serviceManager;
        _userManager = (UserManager) serviceManager.lookup(UserManager.ROLE);
        _groupManager = (GroupManager) serviceManager.lookup(GroupManager.ROLE);
        _userPopulationDAO = (UserPopulationDAO) serviceManager.lookup(UserPopulationDAO.ROLE);
        _groupDirectoryDAO = (GroupDirectoryDAO) serviceManager.lookup(GroupDirectoryDAO.ROLE);
        _rightsEP = (RightsExtensionPoint) serviceManager.lookup(RightsExtensionPoint.ROLE);
        _profileAssignmentStorageEP =
                (ProfileAssignmentStorageExtensionPoint) serviceManager.lookup(ProfileAssignmentStorageExtensionPoint.ROLE);
        _rightContextConvertorEP =
                (RightContextConvertorExtensionPoint) serviceManager.lookup(RightContextConvertorExtensionPoint.ROLE);
        _accessControllerEP = (AccessControllerExtensionPoint) serviceManager.lookup(AccessControllerExtensionPoint.ROLE);
        // _manager is the very same object as serviceManager at this point.
        _resolver = (SourceResolver) serviceManager.lookup(SourceResolver.ROLE);
        _currentUserProvider = (CurrentUserProvider) serviceManager.lookup(CurrentUserProvider.ROLE);
    }

    /**
     * Returns the profiles DAO, looking it up on the first call and keeping it afterwards.
     * There is no synchronization: concurrent first calls may each perform the lookup.
     *
     * @return the profiles DAO
     * @throws RuntimeException wrapping the {@code ServiceException} if the lookup fails
     */
    protected RightProfilesDAO _getProfileDAO() {
        if (_profilesDAO != null) {
            return _profilesDAO;
        }
        try {
            _profilesDAO = (RightProfilesDAO) _manager.lookup(RightProfilesDAO.ROLE);
        } catch (ServiceException cause) {
            throw new RuntimeException("Failed to retrieve the DAO for profiles", cause);
        }
        return _profilesDAO;
    }

    /**
     * Registers this manager as a listener on every modifiable user directory, every modifiable
     * group directory, and on the request listener manager.
     *
     * <p>The removal callbacks are what delete a removed user's or group's profile assignments.
     * NOTE(review): only directories that exist when this runs are covered; whether directories
     * created later get a listener is not visible here — confirm, since a missed removal would
     * leave assignments behind for that identity.
     *
     * @throws Exception if the request listener manager cannot be looked up
     */
    public void initialize() throws Exception {
        for (UserPopulation population : _userPopulationDAO.getUserPopulations(true)) {
            for (UserDirectory directory : population.getUserDirectories()) {
                if (directory instanceof ModifiableUserDirectory) {
                    ((ModifiableUserDirectory) directory).registerListener(this);
                }
            }
        }
        for (GroupDirectory directory : _groupDirectoryDAO.getGroupDirectories()) {
            if (directory instanceof ModifiableGroupDirectory) {
                ((ModifiableGroupDirectory) directory).registerListener(this);
            }
        }
        RequestListenerManager requestListeners = (RequestListenerManager) _manager.lookup(RequestListenerManager.ROLE);
        requestListeners.registerListener(this);
    }

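    /**
     * Declares the rights listed under the {@code rights} child of the component configuration,
     * or, when that child names an external file, the rights listed in that file.
     *
     * <p>The external file is resolved below {@code context://} and parsed as XML. A missing
     * file is not an error; it is only logged at info level.
     * NOTE(review): the attribute-name constant is the one the decompiler resolved; it presumably
     * stands for a plain literal attribute name — confirm against the original source.
     * NOTE(review): the file name comes from deployment configuration. If it can ever be
     * influenced from elsewhere, confirm that the XML parser behind DefaultConfigurationBuilder
     * does not resolve external entities.
     *
     * @param configuration the component configuration
     * @throws ConfigurationException if a right is incomplete or the external file cannot be read
     */
    public void configure(Configuration configuration) throws ConfigurationException {
        Configuration rightsConfiguration = configuration.getChild("rights");
        String externalFile = rightsConfiguration.getAttribute(AmetysHomeHelper.AMETYS_HOME_CONFIG_DIR, (String) null);
        if (externalFile == null) {
            configureRights(rightsConfiguration);
            return;
        }

        Source source = null;
        try {
            source = _resolver.resolveURI("context://" + externalFile);
            if (source.exists()) {
                Configuration externalConfiguration;
                // The stream is closed as soon as the XML is parsed, before the rights are declared.
                try (InputStream in = source.getInputStream()) {
                    externalConfiguration = new DefaultConfigurationBuilder().build(in);
                }
                configureRights(externalConfiguration);
            } else if (getLogger().isInfoEnabled()) {
                getLogger().info("The optional external rights file '" + externalFile + "' is missing.");
            }
        } catch (Exception e) {
            String message = "An error occured while retriving external file '" + externalFile + "'";
            getLogger().error(message, e);
            throw new ConfigurationException(message, configuration, e);
        } finally {
            // Release the source on every path, including the failure paths.
            if (source != null) {
                _resolver.release(source);
            }
        }
    }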

    /**
     * Declares one right per {@code right} child of the given configuration.
     *
     * <p>Each right needs four non-empty values; the error message names them as attribute
     * {@code id} and elements {@code label}, {@code description} and {@code category}.
     * NOTE(review): the Scheduler/ConnectionHelper constants are decompiler substitutions;
     * presumably they stand for those literal names and for the empty-string default — confirm.
     *
     * @param configuration the configuration holding the {@code right} children
     * @throws ConfigurationException if any of the four values is empty
     */
    private void configureRights(Configuration configuration) throws ConfigurationException {
        for (Configuration rightConfiguration : configuration.getChildren("right")) {
            String id = rightConfiguration.getAttribute(Scheduler.KEY_RUNNABLE_ID, ConnectionHelper.DATABASE_UNKNOWN);
            String label = rightConfiguration.getChild(Scheduler.KEY_RUNNABLE_LABEL).getValue(ConnectionHelper.DATABASE_UNKNOWN);
            I18nizableText i18nLabel = new I18nizableText("application", label);
            String description = rightConfiguration.getChild(Scheduler.KEY_RUNNABLE_DESCRIPTION).getValue(ConnectionHelper.DATABASE_UNKNOWN);
            I18nizableText i18nDescription = new I18nizableText("application", description);
            String category = rightConfiguration.getChild("category").getValue(ConnectionHelper.DATABASE_UNKNOWN);
            I18nizableText i18nCategory = new I18nizableText("application", category);

            boolean incomplete = id.isEmpty() || label.isEmpty() || description.isEmpty() || category.isEmpty();
            if (incomplete) {
                String message = "Error in " + RightManager.class.getName() + " configuration: attribute 'id' and elements 'label', 'description' and 'category' are mandatory.";
                getLogger().error(message);
                throw new ConfigurationException(message, configuration);
            }
            _rightsEP.addRight(id, i18nLabel, i18nDescription, i18nCategory);
        }
    }

    /**
     * Checks a right for the user returned by the current-user provider.
     *
     * @param str the right identifier
     * @param obj the context object the right is checked on
     * @return the result of {@code hasRight} for that user
     * @throws RightsException as thrown by {@code hasRight}
     */
    public RightResult currentUserHasRight(String str, Object obj) throws RightsException {
        UserIdentity currentUser = _currentUserProvider.getUser();
        return hasRight(currentUser, str, obj);
    }

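    /**
     * Tells whether a user holds a right on a context object.
     *
     * <p>A user of the admin population is granted every right on the exact context string
     * {@code "/admin"}. This shortcut skips profiles and access controllers entirely, so
     * membership of that population is the only control on that context.
     * NOTE(review): the shortcut tests the raw context only, whereas getUserRights() tests the
     * converted context set — confirm the two are meant to differ.
     *
     * <p>A {@code null} user no longer fails on the {@code "/admin"} context: it skips the
     * shortcut and is evaluated like any other context ({@code _getGroups} already accepts it).
     *
     * @param userIdentity the user to check; may be {@code null}
     * @param str the right identifier
     * @param obj the context object; may be {@code null}
     * @return the computed result
     * @throws RightsException if the profiles holding the right cannot be read
     */
    public RightResult hasRight(UserIdentity userIdentity, String str, Object obj) throws RightsException {
        boolean adminContext = (obj instanceof String) && StringUtils.equals((String) obj, "/admin");
        if (adminContext && userIdentity != null && StringUtils.equals(userIdentity.getPopulationId(), UserPopulationDAO.ADMIN_POPULATION_ID)) {
            return RightResult.RIGHT_ALLOW;
        }
        getLogger().debug("Try to determine if user '{}' has the right '{}' on the object context {}", new Object[]{userIdentity, str, obj});
        return _hasRight(userIdentity, _getProfileDAO().getProfilesWithRight(str), obj);
    }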

    /**
     * Computes, with per-thread caching, whether a user holds at least one of the given profiles
     * on a context object.
     *
     * <p>With a non-null context every converted context object is submitted to the access
     * controllers and their answers are reduced to one result. With a null context only the
     * profile assignment storages are asked, and the answer is either RIGHT_ALLOW or
     * RIGHT_UNKNOWN: this path never yields RIGHT_DENY.
     *
     * @param userIdentity the user; may be null
     * @param set the identifiers of the profiles that carry the right
     * @param obj the context object, or null
     * @return the cached or freshly computed result
     */
    private RightResult _hasRight(UserIdentity userIdentity, Set<String> set, Object obj) {
        // The cache lookups below also create the per-thread maps that the _putIn*Cache calls rely on.
        if (obj == null) {
            RightResult _hasRightResultInSecondCache = _hasRightResultInSecondCache(userIdentity, set);
            if (_hasRightResultInSecondCache != null) {
                getLogger().debug("Find entry in cache2 for [{}, {}] => {}", new Object[]{userIdentity, set, _hasRightResultInSecondCache});
                return _hasRightResultInSecondCache;
            }
            getLogger().debug("Did not find entry in cache for [{}, {}, {}]", new Object[]{userIdentity, set, obj});
        } else {
            RightResult _hasRightResultInFirstCache = _hasRightResultInFirstCache(userIdentity, set, obj);
            if (_hasRightResultInFirstCache != null) {
                getLogger().debug("Find entry in cache for [{}, {}, {}] => {}", new Object[]{userIdentity, set, obj, _hasRightResultInFirstCache});
                return _hasRightResultInFirstCache;
            }
            getLogger().debug("Did not find entry in cache for [{}, {}, {}]", new Object[]{userIdentity, set, obj});
        }
        // Group membership is read on every cache miss; it is not part of the cache key.
        Set<GroupIdentity> _getGroups = _getGroups(userIdentity);
        if (obj != null) {
            RightResult _computeRight = _computeRight(_computeAccess(_getAccessResults(userIdentity, _getGroups, set, _getConvertedObjects(obj))));
            _putInFirstCache(userIdentity, set, obj, _computeRight);
            return _computeRight;
        }
        // Null context: "does the user hold one of these profiles on anything at all".
        RightResult rightResult = this._profileAssignmentStorageEP.hasPermission(userIdentity, _getGroups, set) ? RightResult.RIGHT_ALLOW : RightResult.RIGHT_UNKNOWN;
        getLogger().debug("Right result found for [{}, {}] => {}", new Object[]{userIdentity, set, rightResult});
        _putInSecondCache(userIdentity, set, rightResult);
        return rightResult;
    }

    /**
     * Looks a result up in the per-thread cache for non-null contexts, creating the thread's
     * top-level map if it does not exist yet.
     *
     * @param userIdentity the user
     * @param set the profile identifiers
     * @param obj the context object
     * @return the cached result, or {@code null} when there is no entry
     */
    private RightResult _hasRightResultInFirstCache(UserIdentity userIdentity, Set<String> set, Object obj) {
        Map<UserIdentity, Map<Set<String>, Map<Object, RightResult>>> byUser = _cacheTL.get();
        if (byUser == null) {
            byUser = new HashMap<>();
            _cacheTL.set(byUser);
        }
        // Inner maps are never stored as null, so a null lookup means "no entry".
        Map<Set<String>, Map<Object, RightResult>> byProfiles = byUser.get(userIdentity);
        if (byProfiles == null) {
            return null;
        }
        Map<Object, RightResult> byContext = byProfiles.get(set);
        return byContext == null ? null : byContext.get(obj);
    }

    /**
     * Stores a result in the per-thread cache for non-null contexts.
     * The thread's top-level map must already exist; {@code _hasRightResultInFirstCache}
     * creates it and is always called first by {@code _hasRight}.
     *
     * @param userIdentity the user
     * @param set the profile identifiers
     * @param obj the context object
     * @param rightResult the result to remember
     */
    private void _putInFirstCache(UserIdentity userIdentity, Set<String> set, Object obj, RightResult rightResult) {
        Map<UserIdentity, Map<Set<String>, Map<Object, RightResult>>> byUser = _cacheTL.get();
        byUser.computeIfAbsent(userIdentity, user -> new HashMap<>())
                .computeIfAbsent(set, profiles -> new HashMap<>())
                .put(obj, rightResult);
    }

    /**
     * Looks a result up in the per-thread cache for the null-context case, creating the
     * thread's top-level map if it does not exist yet.
     *
     * @param userIdentity the user
     * @param set the profile identifiers
     * @return the cached result, or {@code null} when there is no entry
     */
    private RightResult _hasRightResultInSecondCache(UserIdentity userIdentity, Set<String> set) {
        Map<UserIdentity, Map<Set<String>, RightResult>> byUser = _cache2TL.get();
        if (byUser == null) {
            byUser = new HashMap<>();
            _cache2TL.set(byUser);
        }
        Map<Set<String>, RightResult> byProfiles = byUser.get(userIdentity);
        return byProfiles == null ? null : byProfiles.get(set);
    }

    /**
     * Stores a result in the per-thread cache for the null-context case.
     * The thread's top-level map must already exist; {@code _hasRightResultInSecondCache}
     * creates it and is always called first by {@code _hasRight}.
     *
     * @param userIdentity the user
     * @param set the profile identifiers
     * @param rightResult the result to remember
     */
    private void _putInSecondCache(UserIdentity userIdentity, Set<String> set, RightResult rightResult) {
        Map<UserIdentity, Map<Set<String>, RightResult>> byUser = _cache2TL.get();
        byUser.computeIfAbsent(userIdentity, user -> new HashMap<>()).put(set, rightResult);
    }

    /**
     * Expands a context object into the set of objects to check: whatever each registered
     * context convertor returns for it, plus the object itself.
     *
     * @param obj the original context object
     * @return a mutable set containing the converted objects and {@code obj}
     */
    private Set<Object> _getConvertedObjects(Object obj) {
        Set<Object> expanded = new HashSet<>();
        for (String convertorId : _rightContextConvertorEP.getExtensionsIds()) {
            expanded.addAll(_rightContextConvertorEP.getExtension(convertorId).convert(obj));
        }
        expanded.add(obj);
        return expanded;
    }

    /**
     * Collects the answers of every access controller for every context object.
     * A controller that does not support an object contributes {@code UNKNOWN} for it.
     *
     * @param userIdentity the user
     * @param set the groups of the user
     * @param set2 the profile identifiers
     * @param set3 the context objects to check
     * @return the distinct access results gathered
     */
    private Set<AccessController.AccessResult> _getAccessResults(UserIdentity userIdentity, Set<GroupIdentity> set, Set<String> set2, Set<Object> set3) {
        Set<AccessController.AccessResult> gathered = new HashSet<>();
        for (Object candidate : set3) {
            for (String controllerId : _accessControllerEP.getExtensionsIds()) {
                AccessController controller = _accessControllerEP.getExtension(controllerId);
                if (!controller.isSupported(candidate)) {
                    gathered.add(AccessController.AccessResult.UNKNOWN);
                    continue;
                }
                gathered.addAll((Collection) controller.getPermissions(userIdentity, set, set2, candidate).values().stream()
                        .map(permission -> permission.getResult())
                        .collect(Collectors.toSet()));
            }
        }
        return gathered;
    }

    /**
     * Reduces a set of access results to the one that comes first in the natural (declaration)
     * order of {@code AccessResult}; that order therefore defines which answer takes precedence.
     * NOTE(review): the enum is not visible here — check its declaration order when reasoning
     * about which answer wins.
     *
     * @param set the access results to reduce
     * @return the first result in natural order, or {@code UNKNOWN} for an empty set
     */
    private AccessController.AccessResult _computeAccess(Set<AccessController.AccessResult> set) {
        return set.stream()
                .reduce((left, right) -> left.compareTo(right) <= 0 ? left : right)
                .orElse(AccessController.AccessResult.UNKNOWN);
    }

    /**
     * Varargs form of the reduction: returns the access result that comes first in the natural
     * (declaration) order of {@code AccessResult}.
     *
     * @param accessResultArr the access results to reduce
     * @return the first result in natural order, or {@code UNKNOWN} when none is given
     */
    private AccessController.AccessResult _computeAccess(AccessController.AccessResult... accessResultArr) {
        return Arrays.stream(accessResultArr)
                .reduce((left, right) -> left.compareTo(right) <= 0 ? left : right)
                .orElse(AccessController.AccessResult.UNKNOWN);
    }

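    /**
     * Maps an access result to the coarser right result: every {@code *_DENIED} value becomes
     * {@code RIGHT_DENY}, every {@code *_ALLOWED} value becomes {@code RIGHT_ALLOW}, and
     * {@code UNKNOWN} or any other value becomes {@code RIGHT_UNKNOWN}.
     *
     * <p>The switch is written on the enum itself. The decompiled form went through the synthetic
     * ordinal table and labelled its first case with an unrelated login-form constant.
     *
     * @param accessResult the access result to map; must not be {@code null}
     * @return the corresponding right result
     */
    private RightResult _computeRight(AccessController.AccessResult accessResult) {
        switch (accessResult) {
            case USER_DENIED:
            case GROUP_DENIED:
            case ANY_CONNECTED_DENIED:
            case ANONYMOUS_DENIED:
                return RightResult.RIGHT_DENY;
            case USER_ALLOWED:
            case GROUP_ALLOWED:
            case ANY_CONNECTED_ALLOWED:
            case ANONYMOUS_ALLOWED:
                return RightResult.RIGHT_ALLOW;
            case UNKNOWN:
            default:
                // Anything not recognised is never treated as an allow.
                return RightResult.RIGHT_UNKNOWN;
        }
    }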

    /**
     * Tells whether anonymous visitors hold a profile on a context object.
     * An {@code ANONYMOUS_DENIED} answer from any supporting controller ends the check with
     * {@code RIGHT_DENY}; otherwise the gathered answers are reduced to one result.
     *
     * @param str the profile identifier
     * @param obj the context object
     * @return the computed result
     */
    public RightResult hasAnonymousProfile(String str, Object obj) {
        Set<Object> candidates = _getConvertedObjects(obj);
        Set<String> profileIds = new HashSet<>();
        profileIds.add(str);
        Set<AccessController.AccessResult> gathered = new HashSet<>();
        for (Object candidate : candidates) {
            for (String controllerId : _accessControllerEP.getExtensionsIds()) {
                AccessController controller = _accessControllerEP.getExtension(controllerId);
                if (!controller.isSupported(candidate)) {
                    continue;
                }
                AccessController.AccessResult answer = controller.getPermissionForAnonymous(profileIds, candidate);
                if (answer.equals(AccessController.AccessResult.ANONYMOUS_DENIED)) {
                    return RightResult.RIGHT_DENY;
                }
                gathered.add(answer);
            }
        }
        return _computeRight(_computeAccess(gathered));
    }

    /**
     * Tells whether any connected user holds a profile on a context object.
     *
     * <p>NOTE(review): the early exit tests {@code ANONYMOUS_DENIED}, the same constant as
     * {@code hasAnonymousProfile}, although the answers come from
     * {@code getPermissionForAnyConnectedUser}. An {@code ANY_CONNECTED_DENIED} answer is
     * therefore only taken into account by the final reduction, whose outcome depends on the
     * declaration order of {@code AccessResult}. Confirm the intended constant and that a
     * denial still wins there.
     *
     * @param str the profile identifier
     * @param obj the context object
     * @return the computed result
     */
    public RightResult hasAnyConnectedUserProfile(String str, Object obj) {
        Set<Object> candidates = _getConvertedObjects(obj);
        Set<String> profileIds = new HashSet<>();
        profileIds.add(str);
        Set<AccessController.AccessResult> gathered = new HashSet<>();
        for (Object candidate : candidates) {
            for (String controllerId : _accessControllerEP.getExtensionsIds()) {
                AccessController controller = _accessControllerEP.getExtension(controllerId);
                if (!controller.isSupported(candidate)) {
                    continue;
                }
                AccessController.AccessResult answer = controller.getPermissionForAnyConnectedUser(profileIds, candidate);
                if (answer.equals(AccessController.AccessResult.ANONYMOUS_DENIED)) {
                    return RightResult.RIGHT_DENY;
                }
                gathered.add(answer);
            }
        }
        return _computeRight(_computeAccess(gathered));
    }

    /**
     * Checks the reader profile for the user returned by the current-user provider.
     *
     * @param obj the context object
     * @return the result of {@code hasReaderRight} for that user
     */
    public boolean currentUserHasReaderRight(Object obj) {
        UserIdentity currentUser = _currentUserProvider.getUser();
        return hasReaderRight(currentUser, obj);
    }

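    /**
     * Tells whether a user may read a context object, that is, holds the {@code READER} profile on it.
     *
     * <p>As in {@code hasRight}, a user of the admin population is always allowed on the exact
     * context string {@code "/admin"}. A {@code null} user no longer fails on that context: it
     * skips the shortcut and is evaluated through the normal path. Only {@code RIGHT_ALLOW}
     * counts as readable; {@code RIGHT_UNKNOWN} and {@code RIGHT_DENY} both give {@code false}.
     *
     * @param userIdentity the user; may be {@code null}
     * @param obj the context object; may be {@code null}
     * @return {@code true} only when reading is explicitly allowed
     */
    public boolean hasReaderRight(UserIdentity userIdentity, Object obj) {
        boolean adminContext = (obj instanceof String) && StringUtils.equals((String) obj, "/admin");
        if (adminContext && userIdentity != null && StringUtils.equals(userIdentity.getPopulationId(), UserPopulationDAO.ADMIN_POPULATION_ID)) {
            return true;
        }
        return _hasRight(userIdentity, Collections.singleton(READER_PROFILE_ID), obj) == RightResult.RIGHT_ALLOW;
    }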

    /**
     * Always returns {@code false}: the context object is ignored by this implementation.
     * NOTE(review): a caller that uses this to decide whether an access check is needed will
     * see every context as unrestricted — confirm that this is intended.
     *
     * @param obj the context object (unused)
     * @return {@code false}
     */
    public boolean isRestricted(Object obj) {
        return false;
    }

    /**
     * Tells whether any connected user holds the {@code READER} profile on a context object.
     *
     * @param obj the context object
     * @return {@code true} only when the result is {@code RIGHT_ALLOW}
     */
    public boolean isAnyConnectedAllowed(Object obj) {
        RightResult readerForAnyConnected = hasAnyConnectedUserProfile(READER_PROFILE_ID, obj);
        return readerForAnyConnected == RightResult.RIGHT_ALLOW;
    }

    /**
     * Lists the users that hold a right on a context object through an explicit user or group
     * assignment.
     *
     * <p>The result is built in this order: members of allowed groups are added, members of
     * denied groups are removed, individually allowed users are added, individually denied
     * users are removed. A user-level allow therefore overrides a group-level deny, and a
     * user-level deny overrides everything. Permissions given to anonymous or to any connected
     * user are not read here.
     *
     * @param str the right identifier
     * @param obj the context object
     * @return the allowed users
     * @throws RightsException if the profiles holding the right cannot be read
     */
    public Set<UserIdentity> getAllowedUsers(String str, Object obj) throws RightsException {
        HashSet hashSet = new HashSet();
        Set<String> profilesWithRight = _getProfileDAO().getProfilesWithRight(str);
        Set<Object> _getConvertedObjects = _getConvertedObjects(obj);
        // hashSet2: users allowed, hashSet3: users denied, hashSet4: groups allowed, hashSet5: groups denied.
        HashSet hashSet2 = new HashSet();
        HashSet hashSet3 = new HashSet();
        HashSet hashSet4 = new HashSet();
        HashSet hashSet5 = new HashSet();
        for (Object obj2 : _getConvertedObjects) {
            // Every user of the admin population counts as allowed on "/admin". Unlike hasRight(),
            // the test runs on each converted object, not only on the raw context.
            if ((obj2 instanceof String) && StringUtils.equals((String) obj2, "/admin")) {
                hashSet2.addAll((Collection) this._userManager.getUsers(UserPopulationDAO.ADMIN_POPULATION_ID).stream().map(user -> {
                    return user.getIdentity();
                }).collect(Collectors.toSet()));
            }
            Iterator<String> it = this._accessControllerEP.getExtensionsIds().iterator();
            while (it.hasNext()) {
                AccessController extension = this._accessControllerEP.getExtension(it.next());
                if (extension.isSupported(obj2)) {
                    Map<UserIdentity, AccessController.AccessResult> permissionsByUser = extension.getPermissionsByUser(profilesWithRight, obj2);
                    hashSet2.addAll((Set) permissionsByUser.entrySet().stream().filter(entry -> {
                        return AccessController.AccessResult.USER_ALLOWED.equals(entry.getValue());
                    }).map((v0) -> {
                        return v0.getKey();
                    }).collect(Collectors.toSet()));
                    hashSet3.addAll((Set) permissionsByUser.entrySet().stream().filter(entry2 -> {
                        return AccessController.AccessResult.USER_DENIED.equals(entry2.getValue());
                    }).map((v0) -> {
                        return v0.getKey();
                    }).collect(Collectors.toSet()));
                    Map<GroupIdentity, AccessController.AccessResult> permissionsByGroup = extension.getPermissionsByGroup(profilesWithRight, obj2);
                    hashSet4.addAll((Set) permissionsByGroup.entrySet().stream().filter(entry3 -> {
                        return AccessController.AccessResult.GROUP_ALLOWED.equals(entry3.getValue());
                    }).map((v0) -> {
                        return v0.getKey();
                    }).collect(Collectors.toSet()));
                    hashSet5.addAll((Set) permissionsByGroup.entrySet().stream().filter(entry4 -> {
                        return AccessController.AccessResult.GROUP_DENIED.equals(entry4.getValue());
                    }).map((v0) -> {
                        return v0.getKey();
                    }).collect(Collectors.toSet()));
                }
            }
        }
        // NOTE(review): getGroup() is dereferenced directly; if it can return null for a group
        // that no longer exists, this throws instead of skipping the stale assignment — confirm.
        Iterator it2 = hashSet4.iterator();
        while (it2.hasNext()) {
            hashSet.addAll(this._groupManager.getGroup((GroupIdentity) it2.next()).getUsers());
        }
        Iterator it3 = hashSet5.iterator();
        while (it3.hasNext()) {
            hashSet.removeAll(this._groupManager.getGroup((GroupIdentity) it3.next()).getUsers());
        }
        // User-level assignments are applied last so that they override the group-level ones.
        hashSet.addAll(hashSet2);
        hashSet.removeAll(hashSet3);
        return hashSet;
    }

    /**
     * Lists the rights a user holds on a context object.
     *
     * <p>A user of the admin population gets every declared right when the converted context
     * set contains {@code "/admin"}. Otherwise the rights of all allowed profiles are collected
     * and the rights of all denied profiles are then removed, so a right carried by both an
     * allowed and a denied profile ends up removed.
     *
     * @param userIdentity the user; dereferenced without a null check when the context set contains "/admin"
     * @param obj the context object
     * @return the identifiers of the rights held
     * @throws RightsException if profiles or their rights cannot be read
     */
    public Set<String> getUserRights(UserIdentity userIdentity, Object obj) throws RightsException {
        Set<Object> _getConvertedObjects = _getConvertedObjects(obj);
        // Admin shortcut: returns the extension point's own id set, bypassing profiles and controllers.
        if (_getConvertedObjects.contains("/admin") && StringUtils.equals(userIdentity.getPopulationId(), UserPopulationDAO.ADMIN_POPULATION_ID)) {
            return this._rightsEP.getExtensionsIds();
        }
        // One RightResult per profile id, derived from the merged access result of that profile.
        Map<String, RightResult> map = (Map) _getAccessResultByProfile(userIdentity, _getGroups(userIdentity), _getConvertedObjects).entrySet().stream().collect(Collectors.toMap(entry -> {
            return (String) entry.getKey();
        }, entry2 -> {
            return _computeRight((AccessController.AccessResult) entry2.getValue());
        }));
        Set<String> _getAllowedProfiles = _getAllowedProfiles(map);
        Set<String> _getDeniedProfiles = _getDeniedProfiles(map);
        HashSet hashSet = new HashSet();
        Iterator<String> it = _getAllowedProfiles.iterator();
        while (it.hasNext()) {
            hashSet.addAll(_getProfileDAO().getRights(getProfile(it.next())));
        }
        // Removal runs after all additions: a denied profile strips its rights from the result.
        Iterator<String> it2 = _getDeniedProfiles.iterator();
        while (it2.hasNext()) {
            hashSet.removeAll(_getProfileDAO().getRights(getProfile(it2.next())));
        }
        return hashSet;
    }

    /**
     * Asks every supporting access controller for the user's permissions per profile on every
     * context object, and merges the answers: when a profile is answered more than once, the
     * two answers are reduced with {@code _computeAccess}.
     *
     * @param userIdentity the user
     * @param set the groups of the user
     * @param set2 the context objects to check
     * @return the merged access result for each profile identifier
     */
    private Map<String, AccessController.AccessResult> _getAccessResultByProfile(UserIdentity userIdentity, Set<GroupIdentity> set, Set<Object> set2) {
        Map<String, AccessController.AccessResult> merged = new HashMap<>();
        for (Object candidate : set2) {
            for (String controllerId : _accessControllerEP.getExtensionsIds()) {
                AccessController controller = _accessControllerEP.getExtension(controllerId);
                if (!controller.isSupported(candidate)) {
                    continue;
                }
                Map<String, AccessController.AccessResult> byProfile = controller.getPermissionsByProfile(userIdentity, set, candidate);
                for (Map.Entry<String, AccessController.AccessResult> entry : byProfile.entrySet()) {
                    String profileId = entry.getKey();
                    AccessController.AccessResult incoming = entry.getValue();
                    if (merged.containsKey(profileId)) {
                        merged.put(profileId, _computeAccess(merged.get(profileId), incoming));
                    } else {
                        merged.put(profileId, incoming);
                    }
                }
            }
        }
        return merged;
    }

    /**
     * Selects the profile identifiers whose result is {@code RIGHT_ALLOW}.
     *
     * @param map the result for each profile identifier
     * @return the identifiers of the allowed profiles
     */
    private Set<String> _getAllowedProfiles(Map<String, RightResult> map) {
        Set<String> allowed = new HashSet<>();
        for (Map.Entry<String, RightResult> entry : map.entrySet()) {
            if (RightResult.RIGHT_ALLOW.equals(entry.getValue())) {
                allowed.add(entry.getKey());
            }
        }
        return allowed;
    }

    /**
     * Selects the profile identifiers whose result is {@code RIGHT_DENY}.
     *
     * @param map the result for each profile identifier
     * @return the identifiers of the denied profiles
     */
    private Set<String> _getDeniedProfiles(Map<String, RightResult> map) {
        Set<String> denied = new HashSet<>();
        for (Map.Entry<String, RightResult> entry : map.entrySet()) {
            if (RightResult.RIGHT_DENY.equals(entry.getValue())) {
                denied.add(entry.getKey());
            }
        }
        return denied;
    }

    /**
     * Creates a profile with a generated identifier and no third value.
     *
     * @param str the value forwarded as the second argument of the two-argument overload's target
     * @return the created profile
     * @throws RightsException as thrown by the three-argument overload
     */
    public Profile addProfile(String str) throws RightsException {
        String noSecondValue = null;
        return addProfile(str, noSecondValue);
    }

    /**
     * Creates a profile under a freshly generated random UUID.
     *
     * @param str forwarded as the second constructor argument of the profile
     * @param str2 forwarded as the third constructor argument of the profile
     * @return the created profile
     * @throws RightsException as thrown by the three-argument overload
     */
    public Profile addProfile(String str, String str2) throws RightsException {
        String generatedId = UUID.randomUUID().toString();
        return addProfile(generatedId, str, str2);
    }

    /**
     * Creates a profile under a caller-chosen identifier.
     *
     * <p>The existence check and the insertion are two separate DAO calls.
     * NOTE(review): profile assignments are keyed by profile id; if assignments of a deleted
     * profile could survive in a storage, re-creating the same id here would presumably bring
     * them back into effect — confirm {@code removeProfile} always cleans them.
     *
     * @param str the profile identifier
     * @param str2 the second constructor argument of the profile
     * @param str3 the third constructor argument of the profile
     * @return the created profile
     * @throws RightsException if a profile with this identifier already exists
     */
    public Profile addProfile(String str, String str2, String str3) throws RightsException {
        Profile existing = getProfile(str);
        if (existing != null) {
            throw new RightsException(String.format("The profile of id %s already exists. Thus the profile cannot be added.", str));
        }
        Profile created = new Profile(str, str2, str3);
        _getProfileDAO().addProfile(created);
        return created;
    }

    /**
     * Reads a profile from the profiles DAO.
     *
     * @param str the profile identifier
     * @return whatever the DAO returns; {@code addProfile} treats {@code null} as "no such profile"
     * @throws RightsException as thrown by the DAO
     */
    public Profile getProfile(String str) throws RightsException {
        RightProfilesDAO dao = _getProfileDAO();
        return dao.getProfile(str);
    }

    /**
     * Reads the profiles through the DAO's no-argument query.
     *
     * @return the profiles returned by the DAO
     * @throws RightsException as thrown by the DAO
     */
    public List<Profile> getAllProfiles() throws RightsException {
        RightProfilesDAO dao = _getProfileDAO();
        return dao.getProfiles();
    }

    /**
     * Reads the profiles through the one-argument overload, passing {@code null}.
     *
     * @return the profiles returned for a {@code null} argument
     * @throws RightsException as thrown by the DAO
     */
    public List<Profile> getProfiles() throws RightsException {
        String noFilter = null;
        return getProfiles(noFilter);
    }

    /**
     * Reads the profiles through the DAO's one-argument query.
     *
     * @param str the argument forwarded to the DAO; may be {@code null}
     * @return the profiles returned by the DAO
     * @throws RightsException as thrown by the DAO
     */
    public List<Profile> getProfiles(String str) throws RightsException {
        RightProfilesDAO dao = _getProfileDAO();
        return dao.getProfiles(str);
    }

    /**
     * Deletes a profile and then removes it from every profile assignment storage.
     * The built-in {@code READER} profile cannot be removed.
     *
     * <p>The profile is deleted first and the storages are cleaned one by one afterwards.
     * NOTE(review): if a storage fails midway, the remaining storages keep assignments that
     * point at a profile id which no longer exists — confirm how such leftovers are handled.
     *
     * @param str the profile identifier
     * @throws RightsException if {@code str} is the {@code READER} profile
     */
    public void removeProfile(String str) {
        if (READER_PROFILE_ID.equals(str)) {
            throw new RightsException("You cannot remove the system profile 'READER'");
        }
        _getProfileDAO().deleteProfile(str);
        for (String storageId : _profileAssignmentStorageEP.getExtensionsIds()) {
            _profileAssignmentStorageEP.getExtension(storageId).removeProfile(str);
        }
    }

    /**
     * Removes the deleted user from every profile assignment storage, so that no assignment
     * outlives the account.
     *
     * @param userIdentity the user that was removed
     */
    @Override // org.ametys.core.user.UserListener
    public void userRemoved(UserIdentity userIdentity) {
        for (String storageId : _profileAssignmentStorageEP.getExtensionsIds()) {
            _profileAssignmentStorageEP.getExtension(storageId).removeUser(userIdentity);
        }
    }

    /** Listener callback for an added user; this manager does nothing on it. */
    @Override // org.ametys.core.user.UserListener
    public void userAdded(UserIdentity userIdentity) {
        // Intentionally empty: a new user has no assignment to maintain here.
    }

    /** Listener callback for an updated user; this manager does nothing on it. */
    @Override // org.ametys.core.user.UserListener
    public void userUpdated(UserIdentity userIdentity) {
        // Intentionally empty.
    }

    /**
     * Removes the deleted group from every profile assignment storage, so that no assignment
     * outlives the group.
     *
     * @param groupIdentity the group that was removed
     */
    @Override // org.ametys.core.group.GroupListener
    public void groupRemoved(GroupIdentity groupIdentity) {
        for (String storageId : _profileAssignmentStorageEP.getExtensionsIds()) {
            _profileAssignmentStorageEP.getExtension(storageId).removeGroup(groupIdentity);
        }
    }

    /** Listener callback for an added group; this manager does nothing on it. */
    @Override // org.ametys.core.group.GroupListener
    public void groupAdded(GroupIdentity groupIdentity) {
        // Intentionally empty.
    }

    /**
     * Listener callback for an updated group; this manager does nothing on it.
     * NOTE(review): results cached on a thread are not dropped here, only in requestEnded().
     */
    @Override // org.ametys.core.group.GroupListener
    public void groupUpdated(GroupIdentity groupIdentity) {
        // Intentionally empty.
    }

    /** Request listener callback for the start of a request; nothing is prepared here. */
    @Override // org.ametys.runtime.request.RequestListener
    public void requestStarted(HttpServletRequest httpServletRequest) {
        // Intentionally empty: the per-thread caches are created lazily on first lookup.
    }

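    /**
     * Drops both per-thread right caches at the end of a request, so that a pooled thread does
     * not carry one request's decisions into the next.
     *
     * <p>{@code remove()} is used rather than {@code set(null)}: later reads still see
     * {@code null}, and the thread no longer keeps an entry for these thread-locals.
     *
     * @param httpServletRequest the request that ended (unused)
     */
    @Override // org.ametys.runtime.request.RequestListener
    public void requestEnded(HttpServletRequest httpServletRequest) {
        _cacheTL.remove();
        _cache2TL.remove();
    }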

    /**
     * Returns the groups of a user, or an empty set when there is no user.
     *
     * @param userIdentity the user; may be {@code null}
     * @return the groups reported by the group manager for the user's login and population
     */
    private Set<GroupIdentity> _getGroups(UserIdentity userIdentity) {
        if (userIdentity == null) {
            return Collections.emptySet();
        }
        return _groupManager.getUserGroups(userIdentity.getLogin(), userIdentity.getPopulationId());
    }
}
