package ch.elexis.core.services.internal;

import ch.elexis.core.ac.ACEAccessBitMap;
import ch.elexis.core.ac.ACEAccessBitMapConstraint;
import ch.elexis.core.ac.AccessControlList;
import ch.elexis.core.ac.AccessControlListUtil;
import ch.elexis.core.ac.EvaluatableACE;
import ch.elexis.core.ac.ObjectEvaluatableACE;
import ch.elexis.core.ac.Right;
import ch.elexis.core.ac.SystemCommandEvaluatableACE;
import ch.elexis.core.constants.ElexisSystemPropertyConstants;
import ch.elexis.core.model.IEncounter;
import ch.elexis.core.model.IInvoice;
import ch.elexis.core.model.IRole;
import ch.elexis.core.model.IUser;
import ch.elexis.core.services.IAccessControlService;
import ch.elexis.core.services.IContextService;
import ch.elexis.core.services.IStoreToStringService;
import ch.elexis.core.services.IUserService;
import ch.elexis.core.utils.CoreUtil;
import com.google.gson.Gson;
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.UnsupportedEncodingException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import org.apache.commons.lang3.StringUtils;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Component
/* loaded from: input_file:ch/elexis/core/services/internal/RoleBasedAccessControlService.class */
public class RoleBasedAccessControlService implements IAccessControlService {

    @Reference
    private IContextService contextService;

    @Reference
    private IUserService userService;

    @Reference
    private IStoreToStringService storeToStringService;

    @Reference
    private Gson gson;
    private String[] aoboObjects = {"IEncounter", "IInvoice"};
    private Logger logger = LoggerFactory.getLogger(getClass());
    private Map<String, AccessControlList> roleAclMap = Collections.synchronizedMap(new HashMap());
    private Map<IUser, AccessControlList> userAclMap = Collections.synchronizedMap(new HashMap());
    private ThreadLocal<Boolean> privileged = ThreadLocal.withInitial(() -> {
        return Boolean.FALSE;
    });

    public boolean evaluate(EvaluatableACE evaluatableACE) {
        if (isPrivileged()) {
            return true;
        }
        Optional activeUser = this.contextService.getActiveUser();
        if (!activeUser.isPresent()) {
            this.logger.warn("No active user to evalute");
            return false;
        }
        if (!this.userAclMap.containsKey(activeUser.get())) {
            refresh((IUser) activeUser.get());
        }
        boolean evaluateACE = evaluateACE((IUser) activeUser.get(), this.userAclMap.get(activeUser.get()), evaluatableACE);
        if (ElexisSystemPropertyConstants.VERBOSE_ACL_NOTIFICATION && !evaluateACE) {
            this.logger.info("", new Throwable("(ACL " + System.currentTimeMillis() + ") User has no right [" + evaluatableACE.toString() + "]"));
        }
        return evaluateACE;
    }

    public void refresh(IUser iUser) {
        AccessControlList determineUserAccessControlList = determineUserAccessControlList(this.userService.getUserRoles(iUser));
        this.userAclMap.put(iUser, determineUserAccessControlList);
        if (determineUserAccessControlList.getRolesRepresented().isEmpty()) {
            this.logger.warn("ACE User=[{}] Empty Role Set", iUser.getId());
        } else {
            this.logger.info("ACE User=[{}] Roles=[{}]", iUser.getId(), determineUserAccessControlList.getRolesRepresented());
        }
    }

    public boolean isPrivileged() {
        if (this.privileged.get().booleanValue()) {
            return true;
        }
        return CoreUtil.isTestMode() && this.contextService.getNamed("testAccessControl").isEmpty();
    }

    private AccessControlList determineUserAccessControlList(List<IRole> list) {
        if (list.isEmpty()) {
            return new AccessControlList();
        }
        AccessControlList accessControlList = null;
        for (IRole iRole : list) {
            if (accessControlList == null) {
                accessControlList = getOrLoadRoleAccessControlList(iRole);
            } else {
                AccessControlList accessControlList2 = this.roleAclMap.get(iRole.getId().toLowerCase());
                if (accessControlList2 == null) {
                    accessControlList2 = getOrLoadRoleAccessControlList(iRole);
                }
                if (accessControlList2 != null) {
                    accessControlList = AccessControlListUtil.merge(accessControlList, accessControlList2);
                } else {
                    this.logger.warn("Unknown role [" + iRole.getId() + "]");
                }
            }
        }
        return accessControlList;
    }

    private AccessControlList getOrLoadRoleAccessControlList(IRole iRole) {
        String lowerCase = iRole.getId().toLowerCase();
        if (!this.roleAclMap.containsKey(lowerCase)) {
            InputStream inputStream = null;
            if (iRole.isSystemRole()) {
                inputStream = AccessControlList.class.getClassLoader().getResourceAsStream("/rsc/acl/" + lowerCase + ".json");
            } else {
                String str = (String) iRole.getExtInfo("json");
                if (StringUtils.isNotBlank(str)) {
                    try {
                        inputStream = new ByteArrayInputStream(str.getBytes("UTF-8"));
                    } catch (UnsupportedEncodingException e) {
                        this.logger.error("Invalid role custom json acl [{}]", lowerCase, e);
                    }
                }
            }
            if (inputStream != null) {
                Optional<AccessControlList> readAccessControlList = readAccessControlList(inputStream);
                if (readAccessControlList.isPresent()) {
                    this.roleAclMap.put(lowerCase, readAccessControlList.get());
                } else {
                    this.logger.error("Error loading role acl [{}]", lowerCase);
                }
            } else {
                this.logger.warn("No role acl [{}] file", lowerCase);
            }
        }
        return this.roleAclMap.get(lowerCase);
    }

    public Optional<AccessControlList> readAccessControlList(InputStream inputStream) {
        Throwable th = null;
        try {
            try {
                InputStreamReader inputStreamReader = new InputStreamReader(inputStream);
                try {
                    Optional<AccessControlList> of = Optional.of((AccessControlList) this.gson.fromJson(inputStreamReader, AccessControlList.class));
                    if (inputStreamReader != null) {
                        inputStreamReader.close();
                    }
                    return of;
                } catch (Throwable th2) {
                    if (inputStreamReader != null) {
                        inputStreamReader.close();
                    }
                    throw th2;
                }
            } catch (Throwable th3) {
                if (0 == 0) {
                    th = th3;
                } else if (null != th3) {
                    th.addSuppressed(th3);
                }
                throw th;
            }
        } catch (Exception e) {
            this.logger.error("Error reading acl json", e);
            return Optional.empty();
        }
    }

    private boolean evaluateACE(IUser iUser, AccessControlList accessControlList, EvaluatableACE evaluatableACE) {
        if (!(evaluatableACE instanceof ObjectEvaluatableACE)) {
            if (evaluatableACE instanceof SystemCommandEvaluatableACE) {
                return evaluateSystemCommandACE(accessControlList, (SystemCommandEvaluatableACE) evaluatableACE);
            }
            return false;
        }
        ObjectEvaluatableACE objectEvaluatableACE = (ObjectEvaluatableACE) evaluatableACE;
        ACEAccessBitMap aCEAccessBitMap = (ACEAccessBitMap) accessControlList.getObject().get(objectEvaluatableACE.getObject());
        if (aCEAccessBitMap == null) {
            return false;
        }
        byte[] accessRightMap = aCEAccessBitMap.getAccessRightMap();
        byte[] requestedRightMap = objectEvaluatableACE.getRequestedRightMap();
        byte[] bArr = new byte[Right.values().length];
        short s = 0;
        for (int i = 0; i < bArr.length; i++) {
            if (accessRightMap[i] == 4) {
                accessRightMap[i] = 1;
                s = (short) (s | (1 << i));
            } else if (accessRightMap[i] == 2 || accessRightMap[i] == 1) {
                if (!StringUtils.isNotEmpty(objectEvaluatableACE.getStoreToString()) || !isAoboObject(objectEvaluatableACE.getObject())) {
                    accessRightMap[i] = 1;
                    s = (short) (s | (1 << i));
                } else if (evaluateAobo(iUser, objectEvaluatableACE)) {
                    accessRightMap[i] = 1;
                    s = (short) (s | (1 << i));
                } else {
                    accessRightMap[i] = 0;
                }
            }
            bArr[i] = (byte) (accessRightMap[i] & requestedRightMap[i]);
        }
        return (s & objectEvaluatableACE.getRequested()) == objectEvaluatableACE.getRequested();
    }

    private boolean evaluateAobo(IUser iUser, ObjectEvaluatableACE objectEvaluatableACE) {
        List<String> aoboMandatorIds = getAoboMandatorIds(iUser);
        Optional loadFromString = this.storeToStringService.loadFromString(objectEvaluatableACE.getStoreToString());
        if (!loadFromString.isPresent()) {
            this.logger.warn("Could not load aobo object [{}]", objectEvaluatableACE.getStoreToString());
            return false;
        }
        String str = null;
        if (loadFromString.get() instanceof IEncounter) {
            if (((IEncounter) loadFromString.get()).getMandator() != null) {
                str = ((IEncounter) loadFromString.get()).getMandator().getId();
            }
        } else if (!(loadFromString.get() instanceof IInvoice)) {
            this.logger.warn("Unknown aobo object [{}]", objectEvaluatableACE.getStoreToString());
        } else if (((IInvoice) loadFromString.get()).getMandator() != null) {
            str = ((IInvoice) loadFromString.get()).getMandator().getId();
        }
        if (str != null) {
            return aoboMandatorIds.contains(str);
        }
        return true;
    }

    public String getSelfMandatorId() {
        Optional activeUser = this.contextService.getActiveUser();
        return (!activeUser.isPresent() || ((IUser) activeUser.get()).getAssignedContact() == null) ? "-1" : ((IUser) activeUser.get()).getAssignedContact().getId();
    }

    private List<String> getAoboMandatorIds(IUser iUser) {
        ArrayList arrayList = new ArrayList();
        if (iUser.getAssignedContact() != null) {
            arrayList.add(iUser.getAssignedContact().getId());
            this.userService.getExecutiveDoctorsWorkingFor(iUser, true).stream().forEach(iMandator -> {
                arrayList.add(iMandator.getId());
            });
        }
        return arrayList;
    }

    public List<String> getAoboMandatorIds() {
        Optional activeUser = this.contextService.getActiveUser();
        return activeUser.isPresent() ? getAoboMandatorIds((IUser) activeUser.get()) : Collections.emptyList();
    }

    public List<String> getAoboMandatorIdsForSqlIn() {
        ArrayList arrayList = new ArrayList();
        arrayList.add("-1");
        arrayList.addAll(getAoboMandatorIds());
        return arrayList;
    }

    private boolean isAoboObject(String str) {
        return Arrays.asList(this.aoboObjects).stream().filter(str2 -> {
            return str.endsWith(str2);
        }).findFirst().isPresent();
    }

    private boolean evaluateSystemCommandACE(AccessControlList accessControlList, SystemCommandEvaluatableACE systemCommandEvaluatableACE) {
        if (accessControlList.getSystemCommand().containsKey(systemCommandEvaluatableACE.getSystemCommandId())) {
            return ((ACEAccessBitMap) accessControlList.getSystemCommand().get(systemCommandEvaluatableACE.getSystemCommandId())).grants(Right.EXECUTE);
        }
        return false;
    }

    public void doPrivileged(Runnable runnable) {
        try {
            this.privileged.set(Boolean.TRUE);
            this.logger.trace("Executing priviledged [" + runnable + "]");
            runnable.run();
        } finally {
            this.privileged.set(Boolean.FALSE);
        }
    }

    public Optional<ACEAccessBitMapConstraint> isAoboOrSelf(ObjectEvaluatableACE objectEvaluatableACE) {
        if (!isPrivileged() && isAoboObject(objectEvaluatableACE.getObject())) {
            Optional activeUser = this.contextService.getActiveUser();
            if (activeUser.isPresent()) {
                if (!this.userAclMap.containsKey(activeUser.get())) {
                    refresh((IUser) activeUser.get());
                }
                ACEAccessBitMap aCEAccessBitMap = (ACEAccessBitMap) this.userAclMap.get(activeUser.get()).getObject().get(objectEvaluatableACE.getObject());
                if (aCEAccessBitMap != null) {
                    byte[] accessRightMap = aCEAccessBitMap.getAccessRightMap();
                    byte[] requestedRightMap = objectEvaluatableACE.getRequestedRightMap();
                    for (int i = 0; i < requestedRightMap.length; i++) {
                        if (requestedRightMap[i] == 1 && accessRightMap[i] == 1) {
                            return Optional.of(ACEAccessBitMapConstraint.SELF);
                        }
                        if (requestedRightMap[i] == 1 && accessRightMap[i] == 2) {
                            return Optional.of(ACEAccessBitMapConstraint.AOBO);
                        }
                    }
                }
            } else {
                this.logger.warn("No active user to test aobo");
            }
            return Optional.empty();
        }
        return Optional.empty();
    }
}
