package de.deepamehta.plugins.accesscontrol;

import com.sun.jersey.spi.container.ContainerRequest;
import de.deepamehta.core.Association;
import de.deepamehta.core.AssociationType;
import de.deepamehta.core.ChildTopics;
import de.deepamehta.core.DeepaMehtaObject;
import de.deepamehta.core.RelatedTopic;
import de.deepamehta.core.Topic;
import de.deepamehta.core.TopicType;
import de.deepamehta.core.model.AssociationModel;
import de.deepamehta.core.model.ChildTopicsModel;
import de.deepamehta.core.model.SimpleValue;
import de.deepamehta.core.model.TopicModel;
import de.deepamehta.core.model.TopicRoleModel;
import de.deepamehta.core.osgi.PluginActivator;
import de.deepamehta.core.service.DeepaMehtaEvent;
import de.deepamehta.core.service.EventListener;
import de.deepamehta.core.service.Inject;
import de.deepamehta.core.service.Transactional;
import de.deepamehta.core.service.accesscontrol.AccessControlException;
import de.deepamehta.core.service.accesscontrol.Credentials;
import de.deepamehta.core.service.accesscontrol.Operation;
import de.deepamehta.core.service.accesscontrol.Permissions;
import de.deepamehta.core.service.accesscontrol.SharingMode;
import de.deepamehta.core.service.event.PostCreateAssociationListener;
import de.deepamehta.core.service.event.PostCreateTopicListener;
import de.deepamehta.core.service.event.PostUpdateAssociationListener;
import de.deepamehta.core.service.event.PostUpdateTopicListener;
import de.deepamehta.core.service.event.PreCreateTopicListener;
import de.deepamehta.core.service.event.PreGetAssociationListener;
import de.deepamehta.core.service.event.PreGetTopicListener;
import de.deepamehta.core.service.event.PreUpdateTopicListener;
import de.deepamehta.core.service.event.ResourceRequestFilterListener;
import de.deepamehta.core.service.event.ServiceRequestFilterListener;
import de.deepamehta.core.util.JavaUtils;
import de.deepamehta.plugins.accesscontrol.event.PostLoginUserListener;
import de.deepamehta.plugins.accesscontrol.event.PostLogoutUserListener;
import de.deepamehta.plugins.accesscontrol.service.AccessControlService;
import de.deepamehta.plugins.workspaces.service.WorkspacesService;
import java.util.Collection;
import java.util.Enumeration;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;

@Produces({"application/json"})
@Path("/accesscontrol")
@Consumes({"application/json"})
/* loaded from: input_file:de/deepamehta/plugins/accesscontrol/AccessControlPlugin.class */
public class AccessControlPlugin extends PluginActivator implements AccessControlService, PreCreateTopicListener, PreUpdateTopicListener, PreGetTopicListener, PreGetAssociationListener, PostCreateTopicListener, PostCreateAssociationListener, PostUpdateTopicListener, PostUpdateAssociationListener, ServiceRequestFilterListener, ResourceRequestFilterListener {
    private static final String AUTHENTICATION_REALM = "DeepaMehta";
    private static final String MEMBERSHIP_TYPE = "dm4.accesscontrol.membership";

    @Inject
    private WorkspacesService wsService;

    @Context
    private HttpServletRequest request;
    private Logger logger = Logger.getLogger(getClass().getName());
    private static final boolean READ_REQUIRES_LOGIN = Boolean.parseBoolean(System.getProperty("dm4.security.read_requires_login", "false"));
    private static final boolean WRITE_REQUIRES_LOGIN = Boolean.parseBoolean(System.getProperty("dm4.security.write_requires_login", "true"));
    private static final String SUBNET_FILTER = System.getProperty("dm4.security.subnet_filter", "127.0.0.1/32");
    private static String PROP_CREATOR = "dm4.accesscontrol.creator";
    private static String PROP_OWNER = "dm4.accesscontrol.owner";
    private static String PROP_MODIFIER = "dm4.accesscontrol.modifier";
    private static DeepaMehtaEvent POST_LOGIN_USER = new DeepaMehtaEvent(PostLoginUserListener.class) { // from class: de.deepamehta.plugins.accesscontrol.AccessControlPlugin.1
        public void deliver(EventListener eventListener, Object... objArr) {
            ((PostLoginUserListener) eventListener).postLoginUser((String) objArr[0]);
        }
    };
    private static DeepaMehtaEvent POST_LOGOUT_USER = new DeepaMehtaEvent(PostLogoutUserListener.class) { // from class: de.deepamehta.plugins.accesscontrol.AccessControlPlugin.2
        public void deliver(EventListener eventListener, Object... objArr) {
            ((PostLogoutUserListener) eventListener).postLogoutUser((String) objArr[0]);
        }
    };

    @Override // de.deepamehta.plugins.accesscontrol.service.AccessControlService
    @POST
    @Path("/login")
    public void login() {
    }

    @Override // de.deepamehta.plugins.accesscontrol.service.AccessControlService
    @POST
    @Path("/logout")
    public void logout() {
        _logout(this.request);
        if (READ_REQUIRES_LOGIN) {
            throw401Unauthorized();
        }
    }

    @Override // de.deepamehta.plugins.accesscontrol.service.AccessControlService
    @GET
    @Produces({"text/plain"})
    @Path("/user")
    public String getUsername() {
        try {
            HttpSession session = this.request.getSession(false);
            if (session == null) {
                return null;
            }
            return username(session);
        } catch (IllegalStateException e) {
            return null;
        }
    }

    @Override // de.deepamehta.plugins.accesscontrol.service.AccessControlService
    @POST
    @Path("/user_account")
    @Transactional
    public Topic createUserAccount(Credentials credentials) {
        try {
            String str = credentials.username;
            this.logger.info("Creating user account \"" + str + "\"");
            Topic createTopic = this.dms.createTopic(new TopicModel("dm4.accesscontrol.user_account", new ChildTopicsModel().put("dm4.accesscontrol.username", str).put("dm4.accesscontrol.password", credentials.password)));
            ChildTopics childTopics = createTopic.getChildTopics();
            RelatedTopic topic = childTopics.getTopic("dm4.accesscontrol.username");
            RelatedTopic topic2 = childTopics.getTopic("dm4.accesscontrol.password");
            Topic createWorkspace = this.wsService.createWorkspace(AccessControlService.DEFAULT_PRIVATE_WORKSPACE_NAME, (String) null, SharingMode.PRIVATE);
            setWorkspaceOwner(createWorkspace, str);
            long id = createWorkspace.getId();
            this.dms.getAccessControl().assignToWorkspace(createTopic, id);
            this.dms.getAccessControl().assignToWorkspace(topic2, id);
            this.wsService.assignToWorkspace(topic, this.wsService.getWorkspace(AccessControlService.SYSTEM_WORKSPACE_URI).getId());
            return topic;
        } catch (Exception e) {
            throw new RuntimeException("Creating user account \"" + credentials.username + "\" failed", e);
        }
    }

    @Override // de.deepamehta.plugins.accesscontrol.service.AccessControlService
    @GET
    @Path("/user/workspace")
    public Topic getPrivateWorkspace() {
        String username = getUsername();
        if (username == null) {
            throw new IllegalStateException("No user is logged in");
        }
        Topic assignedWorkspace = this.wsService.getAssignedWorkspace(getPasswordTopic(getUserAccount(getUsernameTopic(username))).getId());
        if (assignedWorkspace == null) {
            throw new RuntimeException("User \"" + username + "\" has no private workspace");
        }
        return assignedWorkspace;
    }

    @Override // de.deepamehta.plugins.accesscontrol.service.AccessControlService
    public Topic getUsernameTopic(String str) {
        return this.dms.getTopic("dm4.accesscontrol.username", new SimpleValue(str));
    }

    @Override // de.deepamehta.plugins.accesscontrol.service.AccessControlService
    @GET
    @Produces({"text/plain"})
    @Path("/workspace/{workspace_id}/owner")
    public String getWorkspaceOwner(@PathParam("workspace_id") long j) {
        if (this.dms.hasProperty(j, PROP_OWNER)) {
            return (String) this.dms.getProperty(j, PROP_OWNER);
        }
        return null;
    }

    @Override // de.deepamehta.plugins.accesscontrol.service.AccessControlService
    public void setWorkspaceOwner(Topic topic, String str) {
        try {
            topic.setProperty(PROP_OWNER, str, true);
        } catch (Exception e) {
            throw new RuntimeException("Setting the workspace owner of " + info((DeepaMehtaObject) topic) + " failed (username=" + str + ")", e);
        }
    }

    @Override // de.deepamehta.plugins.accesscontrol.service.AccessControlService
    @POST
    @Path("/user/{username}/workspace/{workspace_id}")
    @Transactional
    public void createMembership(@PathParam("username") String str, @PathParam("workspace_id") long j) {
        try {
            this.dms.createAssociation(new AssociationModel(MEMBERSHIP_TYPE, new TopicRoleModel(getUsernameTopicOrThrow(str).getId(), "dm4.core.default"), new TopicRoleModel(j, "dm4.core.default")));
        } catch (Exception e) {
            throw new RuntimeException("Creating membership for user \"" + str + "\" and workspace " + j + " failed", e);
        }
    }

    @Override // de.deepamehta.plugins.accesscontrol.service.AccessControlService
    public boolean isMember(String str, long j) {
        return this.dms.getAccessControl().isMember(str, j);
    }

    @Override // de.deepamehta.plugins.accesscontrol.service.AccessControlService
    @GET
    @Path("/topic/{id}")
    public Permissions getTopicPermissions(@PathParam("id") long j) {
        return getPermissions(j);
    }

    @Override // de.deepamehta.plugins.accesscontrol.service.AccessControlService
    @GET
    @Path("/association/{id}")
    public Permissions getAssociationPermissions(@PathParam("id") long j) {
        return getPermissions(j);
    }

    @Override // de.deepamehta.plugins.accesscontrol.service.AccessControlService
    @GET
    @Produces({"text/plain"})
    @Path("/object/{id}/creator")
    public String getCreator(@PathParam("id") long j) {
        if (this.dms.hasProperty(j, PROP_CREATOR)) {
            return (String) this.dms.getProperty(j, PROP_CREATOR);
        }
        return null;
    }

    @Override // de.deepamehta.plugins.accesscontrol.service.AccessControlService
    @GET
    @Produces({"text/plain"})
    @Path("/object/{id}/modifier")
    public String getModifier(@PathParam("id") long j) {
        if (this.dms.hasProperty(j, PROP_MODIFIER)) {
            return (String) this.dms.getProperty(j, PROP_MODIFIER);
        }
        return null;
    }

    @Override // de.deepamehta.plugins.accesscontrol.service.AccessControlService
    @GET
    @Path("/creator/{username}/topics")
    public Collection<Topic> getTopicsByCreator(@PathParam("username") String str) {
        return this.dms.getTopicsByProperty(PROP_CREATOR, str);
    }

    @Override // de.deepamehta.plugins.accesscontrol.service.AccessControlService
    @GET
    @Path("/owner/{username}/topics")
    public Collection<Topic> getTopicsByOwner(@PathParam("username") String str) {
        return this.dms.getTopicsByProperty(PROP_OWNER, str);
    }

    @Override // de.deepamehta.plugins.accesscontrol.service.AccessControlService
    @GET
    @Path("/creator/{username}/assocs")
    public Collection<Association> getAssociationsByCreator(@PathParam("username") String str) {
        return this.dms.getAssociationsByProperty(PROP_CREATOR, str);
    }

    @Override // de.deepamehta.plugins.accesscontrol.service.AccessControlService
    @GET
    @Path("/owner/{username}/assocs")
    public Collection<Association> getAssociationsByOwner(@PathParam("username") String str) {
        return this.dms.getAssociationsByProperty(PROP_OWNER, str);
    }

    public void init() {
        this.logger.info("Security settings:\ndm4.security.read_requires_login=" + READ_REQUIRES_LOGIN + "\ndm4.security.write_requires_login=" + WRITE_REQUIRES_LOGIN + "\ndm4.security.subnet_filter=\"" + SUBNET_FILTER + "\"");
    }

    public void preGetTopic(long j) {
        checkReadPermission(j);
    }

    public void preGetAssociation(long j) {
        checkReadPermission(j);
        long[] playerIds = this.dms.getPlayerIds(j);
        checkReadPermission(playerIds[0]);
        checkReadPermission(playerIds[1]);
    }

    public void preCreateTopic(TopicModel topicModel) {
        if (topicModel.getTypeUri().equals("dm4.accesscontrol.username")) {
            String simpleValue = topicModel.getSimpleValue().toString();
            if (getUsernameTopic(simpleValue) != null) {
                throw new RuntimeException("Username \"" + simpleValue + "\" exists already");
            }
        }
    }

    public void postCreateTopic(Topic topic) {
        String typeUri = topic.getTypeUri();
        if (typeUri.equals("dm4.workspaces.workspace")) {
            setWorkspaceOwner(topic);
        } else if (typeUri.equals("dm4.webclient.search")) {
            assignSearchTopic(topic);
        }
        setCreatorAndModifier(topic);
    }

    public void postCreateAssociation(Association association) {
        setCreatorAndModifier(association);
    }

    public void preUpdateTopic(Topic topic, TopicModel topicModel) {
        if (topic.getTypeUri().equals("dm4.accesscontrol.username")) {
            SimpleValue simpleValue = topicModel.getSimpleValue();
            String simpleValue2 = topic.getSimpleValue().toString();
            if (simpleValue != null && !simpleValue.toString().equals(simpleValue2)) {
                throw new RuntimeException("A Username can't be changed (tried \"" + simpleValue2 + "\" -> \"" + simpleValue + "\")");
            }
        }
    }

    public void postUpdateTopic(Topic topic, TopicModel topicModel, TopicModel topicModel2) {
        setModifier(topic);
    }

    public void postUpdateAssociation(Association association, AssociationModel associationModel) {
        if (isMembership(association.getModel())) {
            if (!isMembership(associationModel)) {
                this.wsService.assignToWorkspace(association, association.getTopicByType("dm4.workspaces.workspace").getId());
            }
        } else if (isMembership(associationModel)) {
        }
        setModifier(association);
    }

    public void serviceRequestFilter(ContainerRequest containerRequest) {
        requestFilter(this.request);
    }

    public void resourceRequestFilter(HttpServletRequest httpServletRequest) {
        requestFilter(httpServletRequest);
    }

    private Topic getUserAccount(Topic topic) {
        return topic.getRelatedTopic("dm4.core.composition", "dm4.core.child", "dm4.core.parent", "dm4.accesscontrol.user_account");
    }

    private Topic getPasswordTopic(Topic topic) {
        return topic.getChildTopics().getTopic("dm4.accesscontrol.password");
    }

    private Topic getUsernameTopicOrThrow(String str) {
        Topic usernameTopic = getUsernameTopic(str);
        if (usernameTopic == null) {
            throw new RuntimeException("User \"" + str + "\" does not exist");
        }
        return usernameTopic;
    }

    private boolean isMembership(AssociationModel associationModel) {
        return associationModel.getTypeUri().equals(MEMBERSHIP_TYPE);
    }

    private void assignSearchTopic(Topic topic) {
        try {
            this.wsService.assignToWorkspace(topic, (getUsername() != null ? getPrivateWorkspace() : this.wsService.getWorkspace("dm4.workspaces.deepamehta")).getId());
        } catch (Exception e) {
            throw new RuntimeException("Assigning search topic to workspace failed", e);
        }
    }

    private void requestFilter(HttpServletRequest httpServletRequest) {
        this.logger.fine("##### " + httpServletRequest.getMethod() + " " + ((Object) httpServletRequest.getRequestURL()) + "\n      ##### \"Authorization\"=\"" + httpServletRequest.getHeader("Authorization") + "\"\n      ##### " + info(httpServletRequest.getSession(false)));
        checkRequestOrigin(httpServletRequest);
        checkAuthorization(httpServletRequest);
    }

    private void checkRequestOrigin(HttpServletRequest httpServletRequest) {
        String remoteAddr = httpServletRequest.getRemoteAddr();
        boolean isInRange = JavaUtils.isInRange(remoteAddr, SUBNET_FILTER);
        this.logger.fine("Remote address=\"" + remoteAddr + "\", dm4.security.subnet_filter=\"" + SUBNET_FILTER + "\" => " + (isInRange ? "ALLOWED" : "FORBIDDEN"));
        if (isInRange) {
            return;
        }
        throw403Forbidden();
    }

    private void checkAuthorization(HttpServletRequest httpServletRequest) {
        boolean z;
        if (httpServletRequest.getSession(false) != null) {
            z = true;
        } else {
            String header = httpServletRequest.getHeader("Authorization");
            if (header != null) {
                z = tryLogin(new Credentials(header), httpServletRequest);
            } else {
                z = !isLoginRequired(httpServletRequest);
            }
        }
        if (z) {
            return;
        }
        throw401Unauthorized();
    }

    private boolean isLoginRequired(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getMethod().equals("GET") ? READ_REQUIRES_LOGIN : WRITE_REQUIRES_LOGIN;
    }

    private boolean tryLogin(Credentials credentials, HttpServletRequest httpServletRequest) {
        String str = credentials.username;
        if (!checkCredentials(credentials)) {
            this.logger.info("##### Logging in as \"" + str + "\" => FAILED!");
            return false;
        }
        this.logger.info("##### Logging in as \"" + str + "\" => SUCCESSFUL!");
        _login(str, httpServletRequest);
        return true;
    }

    private boolean checkCredentials(Credentials credentials) {
        return this.dms.getAccessControl().checkCredentials(credentials);
    }

    private void _login(String str, HttpServletRequest httpServletRequest) {
        HttpSession session = httpServletRequest.getSession();
        session.setAttribute("username", str);
        this.logger.info("##### Creating new " + info(session));
        this.dms.fireEvent(POST_LOGIN_USER, new Object[]{str});
    }

    private void _logout(HttpServletRequest httpServletRequest) {
        HttpSession session = httpServletRequest.getSession(false);
        String username = username(session);
        this.logger.info("##### Logging out from " + info(session));
        session.invalidate();
        this.dms.fireEvent(POST_LOGOUT_USER, new Object[]{username});
    }

    private String username(HttpSession httpSession) {
        String str = (String) httpSession.getAttribute("username");
        if (str == null) {
            throw new RuntimeException("Session data inconsistency: \"username\" attribute is missing");
        }
        return str;
    }

    private void throw401Unauthorized() {
        throw new WebApplicationException(Response.status(Response.Status.UNAUTHORIZED).header("WWW-Authenticate", (READ_REQUIRES_LOGIN ? "Basic" : "xBasic") + " realm=" + AUTHENTICATION_REALM).header("Content-Type", "text/html").entity("You're not authorized. Sorry.").build());
    }

    private void throw403Forbidden() {
        throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).header("Content-Type", "text/html").entity("Access is forbidden. Sorry.").build());
    }

    private void setCreatorAndModifier(DeepaMehtaObject deepaMehtaObject) {
        try {
            String username = getUsername();
            if (username == null) {
                this.logger.fine("Setting the creator/modifier of " + info(deepaMehtaObject) + " ABORTED -- no user is logged in");
            } else {
                setCreatorAndModifier(deepaMehtaObject, username);
            }
        } catch (Exception e) {
            throw new RuntimeException("Setting the creator/modifier of " + info(deepaMehtaObject) + " failed", e);
        }
    }

    private void setCreatorAndModifier(DeepaMehtaObject deepaMehtaObject, String str) {
        setCreator(deepaMehtaObject, str);
        setModifier(deepaMehtaObject, str);
    }

    private void setCreator(DeepaMehtaObject deepaMehtaObject, String str) {
        try {
            deepaMehtaObject.setProperty(PROP_CREATOR, str, true);
        } catch (Exception e) {
            throw new RuntimeException("Setting the creator of " + info(deepaMehtaObject) + " failed (username=" + str + ")", e);
        }
    }

    private void setModifier(DeepaMehtaObject deepaMehtaObject) {
        String username = getUsername();
        if (username == null) {
            return;
        }
        setModifier(deepaMehtaObject, username);
    }

    private void setModifier(DeepaMehtaObject deepaMehtaObject, String str) {
        deepaMehtaObject.setProperty(PROP_MODIFIER, str, false);
    }

    private void setWorkspaceOwner(Topic topic) {
        String username = getUsername();
        if (username == null) {
            return;
        }
        setWorkspaceOwner(topic, username);
    }

    private void checkReadPermission(long j) {
        if (!inRequestScope()) {
            this.logger.fine("### Object " + j + " is accessed by \"System\" -- READ permission is granted");
            return;
        }
        String username = getUsername();
        if (!hasPermission(username, Operation.READ, j)) {
            throw new AccessControlException(userInfo(username) + " has no READ permission for object " + j);
        }
    }

    private Permissions getPermissions(long j) {
        return new Permissions().add(Operation.WRITE, hasPermission(getUsername(), Operation.WRITE, j));
    }

    private boolean hasPermission(String str, Operation operation, long j) {
        return this.dms.getAccessControl().hasPermission(str, operation, j);
    }

    private boolean inRequestScope() {
        try {
            this.request.getMethod();
            return true;
        } catch (IllegalStateException e) {
            return false;
        }
    }

    private String info(DeepaMehtaObject deepaMehtaObject) {
        if (deepaMehtaObject instanceof TopicType) {
            return "topic type \"" + deepaMehtaObject.getUri() + "\" (id=" + deepaMehtaObject.getId() + ")";
        }
        if (deepaMehtaObject instanceof AssociationType) {
            return "association type \"" + deepaMehtaObject.getUri() + "\" (id=" + deepaMehtaObject.getId() + ")";
        }
        if (deepaMehtaObject instanceof Topic) {
            return "topic " + deepaMehtaObject.getId() + " (typeUri=\"" + deepaMehtaObject.getTypeUri() + "\", uri=\"" + deepaMehtaObject.getUri() + "\")";
        }
        if (deepaMehtaObject instanceof Association) {
            return "association " + deepaMehtaObject.getId() + " (typeUri=\"" + deepaMehtaObject.getTypeUri() + "\")";
        }
        throw new RuntimeException("Unexpected object: " + deepaMehtaObject);
    }

    private String userInfo(String str) {
        return "user " + (str != null ? "\"" + str + "\"" : "<anonymous>");
    }

    private String info(HttpSession httpSession) {
        return "session" + (httpSession != null ? " " + httpSession.getId() + " (username=" + username(httpSession) + ")" : ": null");
    }

    private String info(HttpServletRequest httpServletRequest) {
        StringBuilder sb = new StringBuilder();
        sb.append("    " + httpServletRequest.getMethod() + " " + httpServletRequest.getRequestURI() + "\n");
        Enumeration headerNames = httpServletRequest.getHeaderNames();
        while (headerNames.hasMoreElements()) {
            String str = (String) headerNames.nextElement();
            sb.append("\n    " + str + ":");
            Enumeration headers = httpServletRequest.getHeaders(str);
            while (headers.hasMoreElements()) {
                sb.append(" " + ((String) headers.nextElement()));
            }
        }
        return sb.toString();
    }
}
