package de.deepamehta.plugins.accesscontrol;

import com.sun.jersey.spi.container.ContainerRequest;
import de.deepamehta.core.Association;
import de.deepamehta.core.AssociationType;
import de.deepamehta.core.DeepaMehtaObject;
import de.deepamehta.core.RelatedTopic;
import de.deepamehta.core.Topic;
import de.deepamehta.core.TopicType;
import de.deepamehta.core.Type;
import de.deepamehta.core.ViewConfiguration;
import de.deepamehta.core.model.ChildTopicsModel;
import de.deepamehta.core.model.SimpleValue;
import de.deepamehta.core.model.TopicModel;
import de.deepamehta.core.osgi.PluginActivator;
import de.deepamehta.core.service.DeepaMehtaEvent;
import de.deepamehta.core.service.EventListener;
import de.deepamehta.core.service.Inject;
import de.deepamehta.core.service.Transactional;
import de.deepamehta.core.service.event.AllPluginsActiveListener;
import de.deepamehta.core.service.event.IntroduceAssociationTypeListener;
import de.deepamehta.core.service.event.IntroduceTopicTypeListener;
import de.deepamehta.core.service.event.PostCreateAssociationListener;
import de.deepamehta.core.service.event.PostCreateTopicListener;
import de.deepamehta.core.service.event.PostUpdateTopicListener;
import de.deepamehta.core.service.event.PreSendAssociationTypeListener;
import de.deepamehta.core.service.event.PreSendTopicTypeListener;
import de.deepamehta.core.service.event.ResourceRequestFilterListener;
import de.deepamehta.core.service.event.ServiceRequestFilterListener;
import de.deepamehta.core.storage.spi.DeepaMehtaTransaction;
import de.deepamehta.core.util.DeepaMehtaUtils;
import de.deepamehta.core.util.JavaUtils;
import de.deepamehta.plugins.accesscontrol.event.PostLoginUserListener;
import de.deepamehta.plugins.accesscontrol.event.PostLogoutUserListener;
import de.deepamehta.plugins.accesscontrol.model.ACLEntry;
import de.deepamehta.plugins.accesscontrol.model.AccessControlList;
import de.deepamehta.plugins.accesscontrol.model.Credentials;
import de.deepamehta.plugins.accesscontrol.model.Operation;
import de.deepamehta.plugins.accesscontrol.model.Permissions;
import de.deepamehta.plugins.accesscontrol.model.UserRole;
import de.deepamehta.plugins.accesscontrol.service.AccessControlService;
import de.deepamehta.plugins.workspaces.service.WorkspacesService;
import java.util.Collection;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.codehaus.jettison.json.JSONObject;

@Produces({"application/json"})
@Path("/accesscontrol")
@Consumes({"application/json"})
/* loaded from: input_file:de/deepamehta/plugins/accesscontrol/AccessControlPlugin.class */
public class AccessControlPlugin extends PluginActivator implements AccessControlService, AllPluginsActiveListener, PostCreateTopicListener, PostCreateAssociationListener, PostUpdateTopicListener, IntroduceTopicTypeListener, IntroduceAssociationTypeListener, ServiceRequestFilterListener, ResourceRequestFilterListener, PreSendTopicTypeListener, PreSendAssociationTypeListener {
    private static final String AUTHENTICATION_REALM = "DeepaMehta";
    private static final String DEFAULT_USERNAME = "admin";
    private static final String DEFAULT_PASSWORD = "";

    @Inject
    private WorkspacesService wsService;

    @Context
    private HttpServletRequest request;
    private Logger logger = Logger.getLogger(getClass().getName());
    private static final boolean READ_REQUIRES_LOGIN = Boolean.parseBoolean(System.getProperty("dm4.security.read_requires_login", "false"));
    private static final boolean WRITE_REQUIRES_LOGIN = Boolean.parseBoolean(System.getProperty("dm4.security.write_requires_login", "true"));
    private static final String SUBNET_FILTER = System.getProperty("dm4.security.subnet_filter", "127.0.0.1/32");
    private static final AccessControlList DEFAULT_INSTANCE_ACL = new AccessControlList(new ACLEntry(Operation.WRITE, UserRole.CREATOR, UserRole.OWNER, UserRole.MEMBER));
    private static final AccessControlList DEFAULT_TYPE_ACL = new AccessControlList(new ACLEntry(Operation.WRITE, UserRole.CREATOR, UserRole.OWNER, UserRole.MEMBER), new ACLEntry(Operation.CREATE, UserRole.CREATOR, UserRole.OWNER, UserRole.MEMBER));
    private static final AccessControlList DEFAULT_USER_ACCOUNT_ACL = new AccessControlList(new ACLEntry(Operation.WRITE, UserRole.CREATOR, UserRole.OWNER));
    private static String URI_CREATOR = "dm4.accesscontrol.creator";
    private static String URI_OWNER = "dm4.accesscontrol.owner";
    private static String URI_ACL = "dm4.accesscontrol.acl";
    private static DeepaMehtaEvent POST_LOGIN_USER = new DeepaMehtaEvent(PostLoginUserListener.class) { // from class: de.deepamehta.plugins.accesscontrol.AccessControlPlugin.1
        public void deliver(EventListener eventListener, Object... objArr) {
            ((PostLoginUserListener) eventListener).postLoginUser((String) objArr[0]);
        }
    };
    private static DeepaMehtaEvent POST_LOGOUT_USER = new DeepaMehtaEvent(PostLogoutUserListener.class) { // from class: de.deepamehta.plugins.accesscontrol.AccessControlPlugin.2
        public void deliver(EventListener eventListener, Object... objArr) {
            ((PostLogoutUserListener) eventListener).postLogoutUser((String) objArr[0]);
        }
    };

    @Override // de.deepamehta.plugins.accesscontrol.service.AccessControlService
    @POST
    @Path("/login")
    public void login() {
    }

    @Override // de.deepamehta.plugins.accesscontrol.service.AccessControlService
    @POST
    @Path("/logout")
    public void logout() {
        _logout(this.request);
        if (READ_REQUIRES_LOGIN) {
            throw401Unauthorized();
        }
    }

    @Override // de.deepamehta.plugins.accesscontrol.service.AccessControlService
    @GET
    @Produces({"text/plain"})
    @Path("/user")
    public String getUsername() {
        try {
            HttpSession session = this.request.getSession(false);
            if (session == null) {
                return null;
            }
            return username(session);
        } catch (IllegalStateException e) {
            return null;
        }
    }

    @Override // de.deepamehta.plugins.accesscontrol.service.AccessControlService
    public Topic getUsername(String str) {
        return this.dms.getTopic("dm4.accesscontrol.username", new SimpleValue(str));
    }

    @Override // de.deepamehta.plugins.accesscontrol.service.AccessControlService
    @GET
    @Path("/topic/{id}")
    public Permissions getTopicPermissions(@PathParam("id") long j) {
        return getPermissions((DeepaMehtaObject) this.dms.getTopic(j));
    }

    @Override // de.deepamehta.plugins.accesscontrol.service.AccessControlService
    @GET
    @Path("/association/{id}")
    public Permissions getAssociationPermissions(@PathParam("id") long j) {
        return getPermissions((DeepaMehtaObject) this.dms.getAssociation(j));
    }

    @Override // de.deepamehta.plugins.accesscontrol.service.AccessControlService
    public String getCreator(DeepaMehtaObject deepaMehtaObject) {
        if (deepaMehtaObject.hasProperty(URI_CREATOR)) {
            return (String) deepaMehtaObject.getProperty(URI_CREATOR);
        }
        return null;
    }

    @Override // de.deepamehta.plugins.accesscontrol.service.AccessControlService
    public void setCreator(DeepaMehtaObject deepaMehtaObject, String str) {
        try {
            deepaMehtaObject.setProperty(URI_CREATOR, str, true);
        } catch (Exception e) {
            throw new RuntimeException("Setting the creator of " + info(deepaMehtaObject) + " failed (username=" + str + ")", e);
        }
    }

    @Override // de.deepamehta.plugins.accesscontrol.service.AccessControlService
    public String getOwner(DeepaMehtaObject deepaMehtaObject) {
        if (deepaMehtaObject.hasProperty(URI_OWNER)) {
            return (String) deepaMehtaObject.getProperty(URI_OWNER);
        }
        return null;
    }

    @Override // de.deepamehta.plugins.accesscontrol.service.AccessControlService
    public void setOwner(DeepaMehtaObject deepaMehtaObject, String str) {
        try {
            deepaMehtaObject.setProperty(URI_OWNER, str, true);
        } catch (Exception e) {
            throw new RuntimeException("Setting the owner of " + info(deepaMehtaObject) + " failed (username=" + str + ")", e);
        }
    }

    @Override // de.deepamehta.plugins.accesscontrol.service.AccessControlService
    public AccessControlList getACL(DeepaMehtaObject deepaMehtaObject) {
        try {
            return deepaMehtaObject.hasProperty(URI_ACL) ? new AccessControlList(new JSONObject((String) deepaMehtaObject.getProperty(URI_ACL))) : new AccessControlList(new ACLEntry[0]);
        } catch (Exception e) {
            throw new RuntimeException("Fetching the ACL of " + info(deepaMehtaObject) + " failed", e);
        }
    }

    @Override // de.deepamehta.plugins.accesscontrol.service.AccessControlService
    public void setACL(DeepaMehtaObject deepaMehtaObject, AccessControlList accessControlList) {
        try {
            deepaMehtaObject.setProperty(URI_ACL, accessControlList.toJSON().toString(), false);
        } catch (Exception e) {
            throw new RuntimeException("Setting the ACL of " + info(deepaMehtaObject) + " failed", e);
        }
    }

    @Override // de.deepamehta.plugins.accesscontrol.service.AccessControlService
    @POST
    @Path("/user/{username}/workspace/{workspace_id}")
    @Transactional
    public void joinWorkspace(@PathParam("username") String str, @PathParam("workspace_id") long j) {
        joinWorkspace(getUsername(str), j);
    }

    @Override // de.deepamehta.plugins.accesscontrol.service.AccessControlService
    public void joinWorkspace(Topic topic, long j) {
        try {
            this.wsService.assignToWorkspace(topic, j);
        } catch (Exception e) {
            throw new RuntimeException("Joining user " + topic + " to workspace " + j + " failed", e);
        }
    }

    @Override // de.deepamehta.plugins.accesscontrol.service.AccessControlService
    @GET
    @Path("/creator/{username}/topics")
    public Collection<Topic> getTopicsByCreator(@PathParam("username") String str) {
        return this.dms.getTopicsByProperty(URI_CREATOR, str);
    }

    @Override // de.deepamehta.plugins.accesscontrol.service.AccessControlService
    @GET
    @Path("/owner/{username}/topics")
    public Collection<Topic> getTopicsByOwner(@PathParam("username") String str) {
        return this.dms.getTopicsByProperty(URI_OWNER, str);
    }

    @Override // de.deepamehta.plugins.accesscontrol.service.AccessControlService
    @GET
    @Path("/creator/{username}/assocs")
    public Collection<Association> getAssociationsByCreator(@PathParam("username") String str) {
        return this.dms.getAssociationsByProperty(URI_CREATOR, str);
    }

    @Override // de.deepamehta.plugins.accesscontrol.service.AccessControlService
    @GET
    @Path("/owner/{username}/assocs")
    public Collection<Association> getAssociationsByOwner(@PathParam("username") String str) {
        return this.dms.getAssociationsByProperty(URI_OWNER, str);
    }

    public void postInstall() {
        this.logger.info("Creating \"admin\" user account");
        setupAccessControl(createUserAccount(new Credentials(DEFAULT_USERNAME, DEFAULT_PASSWORD)), DEFAULT_USER_ACCOUNT_ACL, DEFAULT_USERNAME);
    }

    public void init() {
        this.logger.info("Security settings:\ndm4.security.read_requires_login=" + READ_REQUIRES_LOGIN + "\ndm4.security.write_requires_login=" + WRITE_REQUIRES_LOGIN + "\ndm4.security.subnet_filter=\"" + SUBNET_FILTER + "\"");
    }

    public void allPluginsActive() {
        DeepaMehtaTransaction beginTx = this.dms.beginTx();
        try {
            try {
                assignToDefaultWorkspace(fetchDefaultUser(), "default user (\"admin\")");
                Topic fetchDefaultTopicmap = fetchDefaultTopicmap();
                if (fetchDefaultTopicmap != null) {
                    assignToDefaultWorkspace(fetchDefaultTopicmap, "default topicmap (\"untitled\")");
                    setupAccessControlForDefaultTopicmap(fetchDefaultTopicmap);
                }
                beginTx.success();
                beginTx.finish();
            } catch (Exception e) {
                this.logger.warning("ROLLBACK! (" + this + ")");
                throw new RuntimeException("Setting up " + this + " failed", e);
            }
        } catch (Throwable th) {
            beginTx.finish();
            throw th;
        }
    }

    public void postCreateTopic(Topic topic) {
        if (isUserAccount(topic)) {
            setupUserAccountAccessControl(topic);
        } else {
            setupDefaultAccessControl((DeepaMehtaObject) topic);
        }
        joinIfWorkspace(topic);
    }

    public void postCreateAssociation(Association association) {
        setupDefaultAccessControl((DeepaMehtaObject) association);
    }

    public void postUpdateTopic(Topic topic, TopicModel topicModel, TopicModel topicModel2) {
        if (topic.getTypeUri().equals("dm4.accesscontrol.user_account")) {
            DeepaMehtaObject topic2 = topic.getChildTopics().getTopic("dm4.accesscontrol.username");
            DeepaMehtaObject topic3 = topic.getChildTopics().getTopic("dm4.accesscontrol.password");
            String simpleValue = topic2.getSimpleValue().toString();
            TopicModel topic4 = topicModel2.getChildTopicsModel().getTopic("dm4.accesscontrol.username", (TopicModel) null);
            String simpleValue2 = topic4 != null ? topic4.getSimpleValue().toString() : DEFAULT_PASSWORD;
            if (simpleValue.equals(simpleValue2)) {
                return;
            }
            if (!simpleValue2.equals(DEFAULT_PASSWORD)) {
                throw new RuntimeException("Changing a Username is not supported (tried \"" + simpleValue2 + "\" -> \"" + simpleValue + "\")");
            }
            this.logger.info("### Username has changed from \"" + simpleValue2 + "\" -> \"" + simpleValue + "\". Setting \"" + simpleValue + "\" as the new owner of 3 topics:\n    - User Account topic (ID " + topic.getId() + ")\n    - Username topic (ID " + topic2.getId() + ")\n    - Password topic (ID " + topic3.getId() + ")");
            setOwner(topic, simpleValue);
            setOwner(topic2, simpleValue);
            setOwner(topic3, simpleValue);
        }
    }

    public void introduceTopicType(TopicType topicType) {
        setupDefaultAccessControl((Type) topicType);
    }

    public void introduceAssociationType(AssociationType associationType) {
        setupDefaultAccessControl((Type) associationType);
    }

    public void serviceRequestFilter(ContainerRequest containerRequest) {
        requestFilter(this.request);
    }

    public void resourceRequestFilter(HttpServletRequest httpServletRequest) {
        requestFilter(httpServletRequest);
    }

    public void preSendTopicType(TopicType topicType) {
        if (topicType.getUri().equals("dm4.core.meta_meta_type")) {
            enrichWithPermissions(topicType, createPermissions(false, false));
        } else {
            enrichWithPermissions(topicType, getPermissions((Type) topicType));
        }
    }

    public void preSendAssociationType(AssociationType associationType) {
        enrichWithPermissions(associationType, getPermissions((Type) associationType));
    }

    private Topic createUserAccount(Credentials credentials) {
        return this.dms.createTopic(new TopicModel("dm4.accesscontrol.user_account", new ChildTopicsModel().put("dm4.accesscontrol.username", credentials.username).put("dm4.accesscontrol.password", credentials.password)));
    }

    private boolean isUserAccount(Topic topic) {
        String typeUri = topic.getTypeUri();
        return typeUri.equals("dm4.accesscontrol.user_account") || typeUri.equals("dm4.accesscontrol.username") || typeUri.equals("dm4.accesscontrol.password");
    }

    private Topic fetchDefaultUser() {
        return getUsernameOrThrow(DEFAULT_USERNAME);
    }

    private Topic getUsernameOrThrow(String str) {
        Topic username = getUsername(str);
        if (username == null) {
            throw new RuntimeException("User \"" + str + "\" does not exist");
        }
        return username;
    }

    private void joinIfWorkspace(Topic topic) {
        String username;
        if (!topic.getTypeUri().equals("dm4.workspaces.workspace") || (username = getUsername()) == null) {
            return;
        }
        joinWorkspace(username, topic.getId());
    }

    private void assignToDefaultWorkspace(Topic topic, String str) {
        String str2 = "### Assigning the " + str + " to the default workspace (\"DeepaMehta\")";
        try {
            List assignedWorkspaces = this.wsService.getAssignedWorkspaces(topic);
            if (assignedWorkspaces.size() != 0) {
                this.logger.info("### Assigning the " + str + " to a workspace ABORTED -- already assigned (" + DeepaMehtaUtils.topicNames(assignedWorkspaces) + ")");
                return;
            }
            this.logger.info(str2);
            this.wsService.assignToWorkspace(topic, this.wsService.getDefaultWorkspace().getId());
        } catch (Exception e) {
            throw new RuntimeException(str2 + " failed", e);
        }
    }

    private void setupAccessControlForDefaultTopicmap(Topic topic) {
        try {
            if (getCreator(topic) != null) {
                this.logger.info("### Setup access control for the default topicmap (\"untitled\") ABORTED -- already setup");
            } else {
                this.logger.info("### Setup access control for the default topicmap (\"untitled\")");
                setupAccessControl(topic, DEFAULT_INSTANCE_ACL, DEFAULT_USERNAME);
            }
        } catch (Exception e) {
            throw new RuntimeException("### Setup access control for the default topicmap (\"untitled\") failed", e);
        }
    }

    private Topic fetchDefaultTopicmap() {
        return this.dms.getTopic("uri", new SimpleValue("dm4.topicmaps.default_topicmap"));
    }

    private void requestFilter(HttpServletRequest httpServletRequest) {
        this.logger.fine("##### " + httpServletRequest.getMethod() + " " + ((Object) httpServletRequest.getRequestURL()) + "\n      ##### \"Authorization\"=\"" + httpServletRequest.getHeader("Authorization") + "\"\n      ##### " + info(httpServletRequest.getSession(false)));
        checkRequestOrigin(httpServletRequest);
        checkAuthorization(httpServletRequest);
    }

    private void checkRequestOrigin(HttpServletRequest httpServletRequest) {
        String remoteAddr = httpServletRequest.getRemoteAddr();
        boolean isInRange = JavaUtils.isInRange(remoteAddr, SUBNET_FILTER);
        this.logger.fine("Remote address=\"" + remoteAddr + "\", dm4.security.subnet_filter=\"" + SUBNET_FILTER + "\" => " + (isInRange ? "ALLOWED" : "FORBIDDEN"));
        if (isInRange) {
            return;
        }
        throw403Forbidden();
    }

    private void checkAuthorization(HttpServletRequest httpServletRequest) {
        boolean z;
        if (httpServletRequest.getSession(false) != null) {
            z = true;
        } else {
            String header = httpServletRequest.getHeader("Authorization");
            if (header != null) {
                z = tryLogin(new Credentials(header), httpServletRequest);
            } else {
                z = !isLoginRequired(httpServletRequest);
            }
        }
        if (z) {
            return;
        }
        throw401Unauthorized();
    }

    private boolean isLoginRequired(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getMethod().equals("GET") ? READ_REQUIRES_LOGIN : WRITE_REQUIRES_LOGIN;
    }

    private boolean tryLogin(Credentials credentials, HttpServletRequest httpServletRequest) {
        String str = credentials.username;
        if (!checkCredentials(credentials)) {
            this.logger.info("##### Logging in as \"" + str + "\" => FAILED!");
            return false;
        }
        this.logger.info("##### Logging in as \"" + str + "\" => SUCCESSFUL!");
        _login(str, httpServletRequest);
        return true;
    }

    private boolean checkCredentials(Credentials credentials) {
        Topic username = getUsername(credentials.username);
        if (username == null) {
            return false;
        }
        return matches(username, credentials.password);
    }

    private void _login(String str, HttpServletRequest httpServletRequest) {
        HttpSession session = httpServletRequest.getSession();
        session.setAttribute("username", str);
        this.logger.info("##### Creating new " + info(session));
        this.dms.fireEvent(POST_LOGIN_USER, new Object[]{str});
    }

    private void _logout(HttpServletRequest httpServletRequest) {
        HttpSession session = httpServletRequest.getSession(false);
        String username = username(session);
        this.logger.info("##### Logging out from " + info(session));
        session.invalidate();
        this.dms.fireEvent(POST_LOGOUT_USER, new Object[]{username});
    }

    private boolean matches(Topic topic, String str) {
        return password(fetchUserAccount(topic)).equals(str);
    }

    private Topic fetchUserAccount(Topic topic) {
        RelatedTopic relatedTopic = topic.getRelatedTopic("dm4.core.composition", "dm4.core.child", "dm4.core.parent", "dm4.accesscontrol.user_account");
        if (relatedTopic == null) {
            throw new RuntimeException("Data inconsistency: there is no User Account topic for username \"" + topic.getSimpleValue() + "\" (username=" + topic + ")");
        }
        return relatedTopic;
    }

    private String username(HttpSession httpSession) {
        String str = (String) httpSession.getAttribute("username");
        if (str == null) {
            throw new RuntimeException("Session data inconsistency: \"username\" attribute is missing");
        }
        return str;
    }

    private String password(Topic topic) {
        return topic.getChildTopics().getString("dm4.accesscontrol.password");
    }

    private void throw401Unauthorized() {
        throw new WebApplicationException(Response.status(Response.Status.UNAUTHORIZED).header("WWW-Authenticate", (READ_REQUIRES_LOGIN ? "Basic" : "xBasic") + " realm=" + AUTHENTICATION_REALM).header("Content-Type", "text/html").entity("You're not authorized. Sorry.").build());
    }

    private void throw403Forbidden() {
        throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).header("Content-Type", "text/html").entity("Access is forbidden. Sorry.").build());
    }

    private void setupDefaultAccessControl(DeepaMehtaObject deepaMehtaObject) {
        setupAccessControl(deepaMehtaObject, DEFAULT_INSTANCE_ACL);
    }

    private void setupDefaultAccessControl(Type type) {
        try {
            String username = getUsername();
            if (username == null) {
                username = DEFAULT_USERNAME;
                setupViewConfigAccessControl(type.getViewConfig());
            }
            setupAccessControl(type, DEFAULT_TYPE_ACL, username);
        } catch (Exception e) {
            throw new RuntimeException("Setting up access control for " + info((DeepaMehtaObject) type) + " failed (" + type + ")", e);
        }
    }

    private void setupUserAccountAccessControl(Topic topic) {
        setupAccessControl(topic, DEFAULT_USER_ACCOUNT_ACL);
    }

    private void setupViewConfigAccessControl(ViewConfiguration viewConfiguration) {
        Iterator it = viewConfiguration.getConfigTopics().iterator();
        while (it.hasNext()) {
            setupAccessControl((Topic) it.next(), DEFAULT_INSTANCE_ACL, DEFAULT_USERNAME);
        }
    }

    private void setupAccessControl(DeepaMehtaObject deepaMehtaObject, AccessControlList accessControlList) {
        try {
            String username = getUsername();
            if (username == null) {
                this.logger.fine("Setting up access control for " + info(deepaMehtaObject) + " ABORTED -- no user is logged in");
            } else {
                setupAccessControl(deepaMehtaObject, accessControlList, username);
            }
        } catch (Exception e) {
            throw new RuntimeException("Setting up access control for " + info(deepaMehtaObject) + " failed (" + deepaMehtaObject + ")", e);
        }
    }

    private void setupAccessControl(DeepaMehtaObject deepaMehtaObject, AccessControlList accessControlList, String str) {
        setCreator(deepaMehtaObject, str);
        setOwner(deepaMehtaObject, str);
        setACL(deepaMehtaObject, accessControlList);
    }

    private Permissions getPermissions(DeepaMehtaObject deepaMehtaObject) {
        return createPermissions(hasPermission(getUsername(), Operation.WRITE, deepaMehtaObject));
    }

    private Permissions getPermissions(Type type) {
        String username = getUsername();
        return createPermissions(hasPermission(username, Operation.WRITE, type), hasPermission(username, Operation.CREATE, type));
    }

    private boolean hasPermission(String str, Operation operation, DeepaMehtaObject deepaMehtaObject) {
        try {
            this.logger.fine("Determining permission for " + userInfo(str) + " to " + operation + " " + info(deepaMehtaObject));
            for (UserRole userRole : getACL(deepaMehtaObject).getUserRoles(operation)) {
                this.logger.fine("There is an ACL entry for user role " + userRole);
                if (userOccupiesRole(str, userRole, deepaMehtaObject)) {
                    this.logger.fine("=> ALLOWED");
                    return true;
                }
            }
            this.logger.fine("=> DENIED");
            return false;
        } catch (Exception e) {
            throw new RuntimeException("Determining permission for " + info(deepaMehtaObject) + " failed (" + userInfo(str) + ", operation=" + operation + ")", e);
        }
    }

    private boolean userOccupiesRole(String str, UserRole userRole, DeepaMehtaObject deepaMehtaObject) {
        switch (userRole) {
            case EVERYONE:
                return true;
            case USER:
                return str != null;
            case MEMBER:
                return str != null && userIsMember(str, deepaMehtaObject);
            case OWNER:
                return str != null && userIsOwner(str, deepaMehtaObject);
            case CREATOR:
                return str != null && userIsCreator(str, deepaMehtaObject);
            default:
                throw new RuntimeException(userRole + " is an unsupported user role");
        }
    }

    private boolean userIsMember(String str, DeepaMehtaObject deepaMehtaObject) {
        Topic usernameOrThrow = getUsernameOrThrow(str);
        List<RelatedTopic> assignedWorkspaces = this.wsService.getAssignedWorkspaces(deepaMehtaObject);
        this.logger.fine(info(deepaMehtaObject) + " is assigned to " + assignedWorkspaces.size() + " workspaces");
        for (RelatedTopic relatedTopic : assignedWorkspaces) {
            if (this.wsService.isAssignedToWorkspace(usernameOrThrow, relatedTopic.getId())) {
                this.logger.fine(userInfo(str) + " IS member of workspace " + relatedTopic);
                return true;
            }
            this.logger.fine(userInfo(str) + " is NOT member of workspace " + relatedTopic);
        }
        return false;
    }

    private boolean userIsOwner(String str, DeepaMehtaObject deepaMehtaObject) {
        String owner = getOwner(deepaMehtaObject);
        this.logger.fine("The owner is " + userInfo(owner));
        return owner != null && owner.equals(str);
    }

    private boolean userIsCreator(String str, DeepaMehtaObject deepaMehtaObject) {
        String creator = getCreator(deepaMehtaObject);
        this.logger.fine("The creator is " + userInfo(creator));
        return creator != null && creator.equals(str);
    }

    private void enrichWithPermissions(Type type, Permissions permissions) {
        ChildTopicsModel permissions2 = permissions(type);
        permissions2.put(Operation.WRITE.uri, permissions.get(Operation.WRITE.uri));
        permissions2.put(Operation.CREATE.uri, permissions.get(Operation.CREATE.uri));
    }

    private ChildTopicsModel permissions(DeepaMehtaObject deepaMehtaObject) {
        ChildTopicsModel childTopicsModel;
        TopicModel topic = deepaMehtaObject.getChildTopics().getModel().getTopic("dm4.accesscontrol.permissions", (TopicModel) null);
        if (topic != null) {
            childTopicsModel = topic.getChildTopicsModel();
        } else {
            childTopicsModel = new ChildTopicsModel();
            deepaMehtaObject.getChildTopics().getModel().put("dm4.accesscontrol.permissions", childTopicsModel);
        }
        return childTopicsModel;
    }

    private Permissions createPermissions(boolean z) {
        return new Permissions().add(Operation.WRITE, z);
    }

    private Permissions createPermissions(boolean z, boolean z2) {
        return createPermissions(z).add(Operation.CREATE, z2);
    }

    private String info(DeepaMehtaObject deepaMehtaObject) {
        if (deepaMehtaObject instanceof TopicType) {
            return "topic type \"" + deepaMehtaObject.getUri() + "\" (id=" + deepaMehtaObject.getId() + ")";
        }
        if (deepaMehtaObject instanceof AssociationType) {
            return "association type \"" + deepaMehtaObject.getUri() + "\" (id=" + deepaMehtaObject.getId() + ")";
        }
        if (deepaMehtaObject instanceof Topic) {
            return "topic " + deepaMehtaObject.getId() + " (typeUri=\"" + deepaMehtaObject.getTypeUri() + "\", uri=\"" + deepaMehtaObject.getUri() + "\")";
        }
        if (deepaMehtaObject instanceof Association) {
            return "association " + deepaMehtaObject.getId() + " (typeUri=\"" + deepaMehtaObject.getTypeUri() + "\")";
        }
        throw new RuntimeException("Unexpected object: " + deepaMehtaObject);
    }

    private String userInfo(String str) {
        return "user " + (str != null ? "\"" + str + "\"" : "<anonymous>");
    }

    private String info(HttpSession httpSession) {
        return "session" + (httpSession != null ? " " + httpSession.getId() + " (username=" + username(httpSession) + ")" : ": null");
    }

    private String info(HttpServletRequest httpServletRequest) {
        StringBuilder sb = new StringBuilder();
        sb.append("    " + httpServletRequest.getMethod() + " " + httpServletRequest.getRequestURI() + "\n");
        Enumeration headerNames = httpServletRequest.getHeaderNames();
        while (headerNames.hasMoreElements()) {
            String str = (String) headerNames.nextElement();
            sb.append("\n    " + str + ":");
            Enumeration headers = httpServletRequest.getHeaders(str);
            while (headers.hasMoreElements()) {
                sb.append(" " + ((String) headers.nextElement()));
            }
        }
        return sb.toString();
    }
}
