package edu.internet2.middleware.grouper.privs;

import edu.internet2.middleware.grouper.Field;
import edu.internet2.middleware.grouper.FieldType;
import edu.internet2.middleware.grouper.Group;
import edu.internet2.middleware.grouper.GroupFinder;
import edu.internet2.middleware.grouper.GrouperSession;
import edu.internet2.middleware.grouper.Member;
import edu.internet2.middleware.grouper.MemberFinder;
import edu.internet2.middleware.grouper.Membership;
import edu.internet2.middleware.grouper.MembershipFinder;
import edu.internet2.middleware.grouper.Stem;
import edu.internet2.middleware.grouper.StemSave;
import edu.internet2.middleware.grouper.SubjectFinder;
import edu.internet2.middleware.grouper.attr.AttributeDef;
import edu.internet2.middleware.grouper.attr.assign.AttributeAssign;
import edu.internet2.middleware.grouper.attr.assign.AttributeAssignType;
import edu.internet2.middleware.grouper.attr.finder.AttributeDefFinder;
import edu.internet2.middleware.grouper.cache.EhcacheController;
import edu.internet2.middleware.grouper.cfg.GrouperConfig;
import edu.internet2.middleware.grouper.exception.AttributeDefNotFoundException;
import edu.internet2.middleware.grouper.exception.GroupNotFoundException;
import edu.internet2.middleware.grouper.exception.GrouperException;
import edu.internet2.middleware.grouper.exception.GrouperSessionException;
import edu.internet2.middleware.grouper.exception.InsufficientPrivilegeException;
import edu.internet2.middleware.grouper.exception.MembershipNotFoundException;
import edu.internet2.middleware.grouper.exception.SchemaException;
import edu.internet2.middleware.grouper.misc.E;
import edu.internet2.middleware.grouper.misc.GrouperDAOFactory;
import edu.internet2.middleware.grouper.misc.GrouperSessionHandler;
import edu.internet2.middleware.grouper.misc.GrouperStartup;
import edu.internet2.middleware.grouper.permissions.PermissionEntry;
import edu.internet2.middleware.grouper.pit.PITAttributeAssign;
import edu.internet2.middleware.grouper.subj.InternalSourceAdapter;
import edu.internet2.middleware.grouper.subj.LazySubject;
import edu.internet2.middleware.grouper.subj.SubjectBean;
import edu.internet2.middleware.grouper.subj.SubjectHelper;
import edu.internet2.middleware.grouper.util.GrouperUtil;
import edu.internet2.middleware.grouperClient.collections.MultiKey;
import edu.internet2.middleware.grouperClient.util.ExpirableCache;
import edu.internet2.middleware.subject.Subject;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.codehaus.groovy.syntax.Types;
import org.hibernate.resource.transaction.backend.jdbc.internal.JdbcResourceLocalTransactionCoordinatorBuilderImpl;

/* loaded from: input_file:WEB-INF/lib/grouper-4.0.1.jar:edu/internet2/middleware/grouper/privs/PrivilegeHelper.class */
public class PrivilegeHelper {
    /** Logger for this helper. */
    private static final Log LOG = GrouperUtil.getLog(PrivilegeHelper.class);
    /**
     * Cache of wheel-group membership answers keyed by (wheel type, subject source id, subject id).
     * Created lazily by wheelMemberCache(); both positive and negative answers are stored.
     */
    private static ExpirableCache<MultiKey, Boolean> wheelMemberCache = null;
    /**
     * Re-entrancy guard for isWheelType(): set to true on the current thread while a wheel-group
     * lookup is in progress, so a nested wheel check on the same thread answers "not wheel"
     * instead of recursing.
     */
    private static ThreadLocal<Boolean> inIsWheel = new ThreadLocal<>();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/grouper-4.0.1.jar:edu/internet2/middleware/grouper/privs/PrivilegeHelper$PrivilegeHelperWheelType.class */
    /**
     * Which of the three configurable "wheel" (super-user) groups a check refers to. The decompiler
     * note above says this was private in the original source; treat it as an internal type.
     */
    public enum PrivilegeHelperWheelType {
        /** full wheel group (GrouperConfig.PROP_WHEEL_GROUP) - members act as root */
        admin,
        /** read-only wheel group (groups.wheel.readonly.group) */
        read,
        /** view-only wheel group (groups.wheel.viewonly.group) */
        view
    }

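    /**
     * Ad-hoc developer harness shipped inside the class: boots Grouper, looks up a test subject
     * with a root session, then creates the stem {@code unc:app:temp:base:hr:org} (and missing
     * parents) in a session running as that subject. Not part of the privilege API. Both sessions
     * are now stopped on every path; the original left the root session open on lookup failure
     * and never stopped the subject session.
     *
     * @param strArr command-line arguments (unused)
     */
    public static void main(String[] strArr) {
        GrouperStartup.startup();
        GrouperSession rootSession = GrouperSession.startRootSession();
        Subject testSubject;
        try {
            // "jdbc" is the literal the decompiler rendered as a Hibernate constant of the same value
            testSubject = SubjectFinder.findByIdentifierAndSource("id.test.subject.0", "jdbc", true);
        } finally {
            rootSession.stop();
        }
        GrouperSession subjectSession = GrouperSession.start(testSubject);
        try {
            new StemSave(subjectSession).assignName("unc:app:temp:base:hr:org").assignCreateParentStemsIfNotExist(true).save();
        } finally {
            subjectSession.stop();
        }
    }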

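    /**
     * Maps each privilege to the id of its backing field, keeping first-seen order and dropping
     * duplicates.
     *
     * @param collection privileges to map; null or empty yields an empty set
     * @return distinct field ids in encounter order (a LinkedHashSet)
     */
    public static Collection<String> fieldIdsFromPrivileges(Collection<Privilege> collection) {
        Set<String> fieldIds = new LinkedHashSet<String>();
        if (collection != null) {
            for (Privilege privilege : collection) {
                fieldIds.add(privilege.getField().getId());
            }
        }
        return fieldIds;
    }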

    /**
     * Whether the subject holds the privilege directly (an immediate membership on the privilege's
     * field), evaluated in the thread's static session. Effective/inherited grants do not count.
     *
     * @param group group to check
     * @param subject subject to check
     * @param privilege access privilege whose field is consulted
     * @return true if an immediate membership exists, false if MembershipFinder reports none
     */
    public static boolean hasImmediatePrivilege(Group group, Subject subject, Privilege privilege) {
        GrouperSession session = GrouperSession.staticGrouperSession();
        Field privilegeField = privilege.getField();
        boolean found;
        try {
            MembershipFinder.findImmediateMembership(session, group, subject, privilegeField, true);
            found = true;
        } catch (MembershipNotFoundException e) {
            found = false;
        }
        return found;
    }

    /**
     * Drops every cached privilege decision: the wheel cache plus the has-privilege caches of the
     * access, naming and attribute-definition resolvers. Call after privilege changes that must
     * take effect immediately.
     */
    public static void flushCache() {
        WheelCache.flush();
        EhcacheController controller = EhcacheController.ehcacheController();
        String[] hasPrivCaches = {
            CachingAccessResolver.CACHE_HASPRIV,
            CachingNamingResolver.CACHE_HASPRIV,
            CachingAttrDefResolver.CACHE_HASPRIV
        };
        for (String cacheName : hasPrivCaches) {
            controller.getCache(cacheName).flush();
        }
    }

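    /**
     * Replaces the LazySubject placeholders inside the given privileges with fully resolved
     * subjects, fetched in one batch from SubjectFinder.
     *
     * Fix: the original keyed a map SubjectBean to a single privilege, so when several privileges
     * referred to the same subject only the last one was updated. Each subject now maps to every
     * privilege that carries it.
     *
     * @param collection privileges to resolve; null or empty is a no-op
     * @param z when true resolve regardless of size; when false skip the batch once the number of
     *          lazy subjects exceeds config "memberLengthAboveWhichDontResolveBatch"
     */
    public static void resolveSubjects(Collection<GrouperPrivilege> collection, boolean z) {
        if (GrouperUtil.length(collection) == 0) {
            return;
        }
        Collection<GrouperPrivilege> unresolved = new ArrayList<GrouperPrivilege>();
        for (GrouperPrivilege grouperPrivilege : collection) {
            if (grouperPrivilege.getSubject() instanceof LazySubject) {
                unresolved.add(grouperPrivilege);
            }
        }
        if (GrouperUtil.length(unresolved) == 0) {
            return;
        }
        // Types.PARAMETER_TERMINATORS is a decompiler artifact standing in for an int literal
        // default; confirm the value against the original source before relying on it
        int batchLimit = GrouperConfig.retrieveConfig().propertyValueInt("memberLengthAboveWhichDontResolveBatch", Types.PARAMETER_TERMINATORS);
        if (!z && GrouperUtil.length(unresolved) > batchLimit) {
            return;
        }
        Map<SubjectBean, Collection<GrouperPrivilege>> privilegesBySubject = new HashMap<SubjectBean, Collection<GrouperPrivilege>>();
        for (GrouperPrivilege grouperPrivilege : unresolved) {
            Subject lazySubject = grouperPrivilege.getSubject();
            SubjectBean key = new SubjectBean(lazySubject.getId(), lazySubject.getSourceId());
            Collection<GrouperPrivilege> holders = privilegesBySubject.get(key);
            if (holders == null) {
                holders = new ArrayList<GrouperPrivilege>();
                privilegesBySubject.put(key, holders);
            }
            holders.add(grouperPrivilege);
        }
        Map<SubjectBean, Subject> resolved = SubjectFinder.findBySubjectBeans(new HashSet<SubjectBean>(privilegesBySubject.keySet()));
        for (Map.Entry<SubjectBean, Subject> entry : resolved.entrySet()) {
            Collection<GrouperPrivilege> holders = privilegesBySubject.get(entry.getKey());
            if (holders == null) {
                // a key we did not ask for; nothing to update
                continue;
            }
            for (GrouperPrivilege grouperPrivilege : holders) {
                grouperPrivilege.internalSetSubject(entry.getValue());
            }
        }
    }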

    /**
     * Whether the subject holds ADMIN on the group, as decided by the session's access resolver.
     *
     * @param grouperSession session whose resolver decides
     * @param group group to check
     * @param subject subject to check
     * @return true only for ADMIN; no other privilege implies it
     */
    public static boolean canAdmin(GrouperSession grouperSession, Group group, Subject subject) {
        AccessResolver accessResolver = grouperSession.getAccessResolver();
        return accessResolver.hasPrivilege(group, subject, AccessPrivilege.ADMIN);
    }

    /**
     * Whether the subject holds ATTR_ADMIN on the attribute definition.
     *
     * @param grouperSession session whose attribute-definition resolver decides
     * @param attributeDef attribute definition to check
     * @param subject subject to check
     * @return true only for ATTR_ADMIN
     */
    public static boolean canAttrAdmin(GrouperSession grouperSession, AttributeDef attributeDef, Subject subject) {
        AttributeDefResolver resolver = grouperSession.getAttributeDefResolver();
        return resolver.hasPrivilege(attributeDef, subject, AttributeDefPrivilege.ATTR_ADMIN);
    }

    /**
     * Whether the subject may read the attribute definition: ATTR_READ, or ATTR_ADMIN which
     * implies it. Checks stop at the first privilege that is held.
     *
     * @param grouperSession session whose attribute-definition resolver decides
     * @param attributeDef attribute definition to check
     * @param subject subject to check
     * @return true if ATTR_READ or ATTR_ADMIN is held
     */
    public static boolean canAttrRead(GrouperSession grouperSession, AttributeDef attributeDef, Subject subject) {
        AttributeDefResolver resolver = grouperSession.getAttributeDefResolver();
        if (resolver.hasPrivilege(attributeDef, subject, AttributeDefPrivilege.ATTR_READ)) {
            return true;
        }
        return resolver.hasPrivilege(attributeDef, subject, AttributeDefPrivilege.ATTR_ADMIN);
    }

    /**
     * Whether the subject may see that the attribute definition exists. Any of the eight
     * attribute-definition privileges grants view; they are tried in the order listed and the
     * first one held short-circuits the rest.
     *
     * @param grouperSession session whose attribute-definition resolver decides
     * @param attributeDef attribute definition to check
     * @param subject subject to check
     * @return true if any attribute-definition privilege is held
     */
    public static boolean canAttrView(GrouperSession grouperSession, AttributeDef attributeDef, Subject subject) {
        AttributeDefResolver resolver = grouperSession.getAttributeDefResolver();
        Privilege[] viewGranting = {
            AttributeDefPrivilege.ATTR_VIEW,
            AttributeDefPrivilege.ATTR_READ,
            AttributeDefPrivilege.ATTR_UPDATE,
            AttributeDefPrivilege.ATTR_ADMIN,
            AttributeDefPrivilege.ATTR_DEF_ATTR_READ,
            AttributeDefPrivilege.ATTR_DEF_ATTR_UPDATE,
            AttributeDefPrivilege.ATTR_OPTIN,
            AttributeDefPrivilege.ATTR_OPTOUT
        };
        for (Privilege candidate : viewGranting) {
            if (resolver.hasPrivilege(attributeDef, subject, candidate)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Whether the subject may read the group's attributes: GROUP_ATTR_READ, or ADMIN which
     * implies it.
     *
     * @param grouperSession session whose access resolver decides
     * @param group group to check
     * @param subject subject to check
     * @return true if GROUP_ATTR_READ or ADMIN is held
     */
    public static boolean canGroupAttrRead(GrouperSession grouperSession, Group group, Subject subject) {
        AccessResolver resolver = grouperSession.getAccessResolver();
        if (resolver.hasPrivilege(group, subject, AccessPrivilege.GROUP_ATTR_READ)) {
            return true;
        }
        return resolver.hasPrivilege(group, subject, AccessPrivilege.ADMIN);
    }

    /**
     * Whether the subject may update the group's attributes: GROUP_ATTR_UPDATE, or ADMIN which
     * implies it.
     *
     * @param grouperSession session whose access resolver decides
     * @param group group to check
     * @param subject subject to check
     * @return true if GROUP_ATTR_UPDATE or ADMIN is held
     */
    public static boolean canGroupAttrUpdate(GrouperSession grouperSession, Group group, Subject subject) {
        AccessResolver resolver = grouperSession.getAccessResolver();
        if (resolver.hasPrivilege(group, subject, AccessPrivilege.GROUP_ATTR_UPDATE)) {
            return true;
        }
        return resolver.hasPrivilege(group, subject, AccessPrivilege.ADMIN);
    }

    /**
     * Whether the subject may read attributes assigned to the attribute definition:
     * ATTR_DEF_ATTR_READ, or ATTR_ADMIN which implies it.
     *
     * @param grouperSession session whose attribute-definition resolver decides
     * @param attributeDef attribute definition to check
     * @param subject subject to check
     * @return true if ATTR_DEF_ATTR_READ or ATTR_ADMIN is held
     */
    public static boolean canAttrDefAttrRead(GrouperSession grouperSession, AttributeDef attributeDef, Subject subject) {
        AttributeDefResolver resolver = grouperSession.getAttributeDefResolver();
        if (resolver.hasPrivilege(attributeDef, subject, AttributeDefPrivilege.ATTR_DEF_ATTR_READ)) {
            return true;
        }
        return resolver.hasPrivilege(attributeDef, subject, AttributeDefPrivilege.ATTR_ADMIN);
    }

    /**
     * Whether the subject may update attributes assigned to the attribute definition:
     * ATTR_DEF_ATTR_UPDATE, or ATTR_ADMIN which implies it.
     *
     * @param grouperSession session whose attribute-definition resolver decides
     * @param attributeDef attribute definition to check
     * @param subject subject to check
     * @return true if ATTR_DEF_ATTR_UPDATE or ATTR_ADMIN is held
     */
    public static boolean canAttrDefAttrUpdate(GrouperSession grouperSession, AttributeDef attributeDef, Subject subject) {
        AttributeDefResolver resolver = grouperSession.getAttributeDefResolver();
        if (resolver.hasPrivilege(attributeDef, subject, AttributeDefPrivilege.ATTR_DEF_ATTR_UPDATE)) {
            return true;
        }
        return resolver.hasPrivilege(attributeDef, subject, AttributeDefPrivilege.ATTR_ADMIN);
    }

    /**
     * Whether the subject may read the stem's attributes: STEM_ATTR_READ, or STEM_ADMIN which
     * implies it.
     *
     * @param grouperSession session whose naming resolver decides
     * @param stem stem to check
     * @param subject subject to check
     * @return true if STEM_ATTR_READ or STEM_ADMIN is held
     */
    public static boolean canStemAttrRead(GrouperSession grouperSession, Stem stem, Subject subject) {
        NamingResolver resolver = grouperSession.getNamingResolver();
        if (resolver.hasPrivilege(stem, subject, NamingPrivilege.STEM_ATTR_READ)) {
            return true;
        }
        return resolver.hasPrivilege(stem, subject, NamingPrivilege.STEM_ADMIN);
    }

    /**
     * Whether the subject may see that the stem exists. Any of STEM_ATTR_READ, STEM_ADMIN,
     * STEM_ATTR_UPDATE, CREATE or STEM_VIEW grants it; they are tried in that order and the first
     * one held short-circuits the rest.
     *
     * @param grouperSession session whose naming resolver decides
     * @param stem stem to check
     * @param subject subject to check
     * @return true if any of the five naming privileges is held
     */
    public static boolean canStemView(GrouperSession grouperSession, Stem stem, Subject subject) {
        NamingResolver resolver = grouperSession.getNamingResolver();
        Privilege[] viewGranting = {
            NamingPrivilege.STEM_ATTR_READ,
            NamingPrivilege.STEM_ADMIN,
            NamingPrivilege.STEM_ATTR_UPDATE,
            NamingPrivilege.CREATE,
            NamingPrivilege.STEM_VIEW
        };
        for (Privilege candidate : viewGranting) {
            if (resolver.hasPrivilege(stem, subject, candidate)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Whether the subject may update the stem's attributes: STEM_ATTR_UPDATE, or STEM_ADMIN which
     * implies it.
     *
     * @param grouperSession session whose naming resolver decides
     * @param stem stem to check
     * @param subject subject to check
     * @return true if STEM_ATTR_UPDATE or STEM_ADMIN is held
     */
    public static boolean canStemAttrUpdate(GrouperSession grouperSession, Stem stem, Subject subject) {
        NamingResolver resolver = grouperSession.getNamingResolver();
        if (resolver.hasPrivilege(stem, subject, NamingPrivilege.STEM_ATTR_UPDATE)) {
            return true;
        }
        return resolver.hasPrivilege(stem, subject, NamingPrivilege.STEM_ADMIN);
    }

    /**
     * Whether the subject may update the attribute definition: ATTR_UPDATE, or ATTR_ADMIN which
     * implies it.
     *
     * @param grouperSession session whose attribute-definition resolver decides
     * @param attributeDef attribute definition to check
     * @param subject subject to check
     * @return true if ATTR_UPDATE or ATTR_ADMIN is held
     */
    public static boolean canAttrUpdate(GrouperSession grouperSession, AttributeDef attributeDef, Subject subject) {
        AttributeDefResolver resolver = grouperSession.getAttributeDefResolver();
        if (resolver.hasPrivilege(attributeDef, subject, AttributeDefPrivilege.ATTR_UPDATE)) {
            return true;
        }
        return resolver.hasPrivilege(attributeDef, subject, AttributeDefPrivilege.ATTR_ADMIN);
    }

    /**
     * Whether the subject may opt in to the attribute definition: ATTR_OPTIN, ATTR_ADMIN or
     * ATTR_UPDATE, tried in that order.
     *
     * @param grouperSession session whose attribute-definition resolver decides
     * @param attributeDef attribute definition to check
     * @param subject subject to check
     * @return true if any of the three privileges is held
     */
    public static boolean canAttrOptin(GrouperSession grouperSession, AttributeDef attributeDef, Subject subject) {
        AttributeDefResolver resolver = grouperSession.getAttributeDefResolver();
        Privilege[] optinGranting = {
            AttributeDefPrivilege.ATTR_OPTIN,
            AttributeDefPrivilege.ATTR_ADMIN,
            AttributeDefPrivilege.ATTR_UPDATE
        };
        for (Privilege candidate : optinGranting) {
            if (resolver.hasPrivilege(attributeDef, subject, candidate)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Whether the subject may opt out of the attribute definition: ATTR_OPTOUT, ATTR_ADMIN or
     * ATTR_UPDATE, tried in that order.
     *
     * @param grouperSession session whose attribute-definition resolver decides
     * @param attributeDef attribute definition to check
     * @param subject subject to check
     * @return true if any of the three privileges is held
     */
    public static boolean canAttrOptout(GrouperSession grouperSession, AttributeDef attributeDef, Subject subject) {
        AttributeDefResolver resolver = grouperSession.getAttributeDefResolver();
        Privilege[] optoutGranting = {
            AttributeDefPrivilege.ATTR_OPTOUT,
            AttributeDefPrivilege.ATTR_ADMIN,
            AttributeDefPrivilege.ATTR_UPDATE
        };
        for (Privilege candidate : optoutGranting) {
            if (resolver.hasPrivilege(attributeDef, subject, candidate)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Whether the subject may create groups/stems under the stem: CREATE, or STEM_ADMIN which
     * implies it.
     *
     * @param grouperSession session whose naming resolver decides
     * @param stem stem to check
     * @param subject subject to check
     * @return true if CREATE or STEM_ADMIN is held
     */
    public static boolean canCreate(GrouperSession grouperSession, Stem stem, Subject subject) {
        NamingResolver resolver = grouperSession.getNamingResolver();
        if (resolver.hasPrivilege(stem, subject, NamingPrivilege.CREATE)) {
            return true;
        }
        return resolver.hasPrivilege(stem, subject, NamingPrivilege.STEM_ADMIN);
    }

    /**
     * Whether the subject may opt in to the group: OPTIN, ADMIN or UPDATE, tried in that order.
     *
     * @param grouperSession session whose access resolver decides
     * @param group group to check
     * @param subject subject to check
     * @return true if any of the three privileges is held
     */
    public static boolean canOptin(GrouperSession grouperSession, Group group, Subject subject) {
        AccessResolver resolver = grouperSession.getAccessResolver();
        Privilege[] optinGranting = { AccessPrivilege.OPTIN, AccessPrivilege.ADMIN, AccessPrivilege.UPDATE };
        for (Privilege candidate : optinGranting) {
            if (resolver.hasPrivilege(group, subject, candidate)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Whether the subject holds at least one of the given naming privileges on the stem. Each
     * privilege is passed to the naming resolver as-is (no implication rules applied) and the
     * first hit returns.
     *
     * @param grouperSession session whose naming resolver decides
     * @param stem stem to check
     * @param subject subject to check
     * @param set privileges to try, in iteration order; must not be null
     * @return true if any privilege in the set is held, false for an empty set
     */
    public static boolean hasPrivilege(GrouperSession grouperSession, Stem stem, Subject subject, Set<Privilege> set) {
        for (Privilege candidate : set) {
            boolean held = grouperSession.getNamingResolver().hasPrivilege(stem, subject, candidate);
            if (held) {
                return true;
            }
        }
        return false;
    }

    /**
     * Whether the subject holds at least one of the given access privileges on the group. Each
     * privilege is passed to the access resolver as-is (no implication rules applied) and the
     * first hit returns.
     *
     * @param grouperSession session whose access resolver decides
     * @param group group to check
     * @param subject subject to check
     * @param set privileges to try, in iteration order; must not be null
     * @return true if any privilege in the set is held, false for an empty set
     */
    public static boolean hasPrivilege(GrouperSession grouperSession, Group group, Subject subject, Set<Privilege> set) {
        for (Privilege candidate : set) {
            boolean held = grouperSession.getAccessResolver().hasPrivilege(group, subject, candidate);
            if (held) {
                return true;
            }
        }
        return false;
    }

    /**
     * Whether the subject may opt out of the group: OPTOUT, ADMIN or UPDATE, tried in that order.
     *
     * @param grouperSession session whose access resolver decides
     * @param group group to check
     * @param subject subject to check
     * @return true if any of the three privileges is held
     */
    public static boolean canOptout(GrouperSession grouperSession, Group group, Subject subject) {
        AccessResolver resolver = grouperSession.getAccessResolver();
        Privilege[] optoutGranting = { AccessPrivilege.OPTOUT, AccessPrivilege.ADMIN, AccessPrivilege.UPDATE };
        for (Privilege candidate : optoutGranting) {
            if (resolver.hasPrivilege(group, subject, candidate)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Whether the subject may read the group's membership: READ, or ADMIN which implies it.
     *
     * @param grouperSession session whose access resolver decides
     * @param group group to check
     * @param subject subject to check
     * @return true if READ or ADMIN is held
     */
    public static boolean canRead(GrouperSession grouperSession, Group group, Subject subject) {
        AccessResolver resolver = grouperSession.getAccessResolver();
        if (resolver.hasPrivilege(group, subject, AccessPrivilege.READ)) {
            return true;
        }
        return resolver.hasPrivilege(group, subject, AccessPrivilege.ADMIN);
    }

    /**
     * Legacy name for canStemAdmin(Stem, Subject); evaluated in the thread's static session.
     *
     * @param stem stem to check
     * @param subject subject to check
     * @return whatever canStemAdmin(stem, subject) returns
     */
    public static boolean canStem(Stem stem, Subject subject) {
        boolean stemAdmin = canStemAdmin(stem, subject);
        return stemAdmin;
    }

    /**
     * Whether the subject holds STEM_ADMIN on the stem, evaluated against the thread's static
     * session rather than an explicitly passed one (see the overload taking a GrouperSession).
     *
     * @param stem stem to check
     * @param subject subject to check
     * @return true only for STEM_ADMIN
     */
    public static boolean canStemAdmin(Stem stem, Subject subject) {
        GrouperSession threadSession = GrouperSession.staticGrouperSession();
        NamingResolver resolver = threadSession.getNamingResolver();
        return resolver.hasPrivilege(stem, subject, NamingPrivilege.STEM_ADMIN);
    }

    /**
     * Legacy name for canStemAdmin(GrouperSession, Stem, Subject).
     *
     * @param grouperSession session whose naming resolver decides
     * @param stem stem to check
     * @param subject subject to check
     * @return whatever canStemAdmin(grouperSession, stem, subject) returns
     */
    public static boolean canStem(GrouperSession grouperSession, Stem stem, Subject subject) {
        boolean stemAdmin = canStemAdmin(grouperSession, stem, subject);
        return stemAdmin;
    }

    /**
     * Whether the subject holds STEM_ADMIN on the stem, as decided by the given session's naming
     * resolver.
     *
     * @param grouperSession session whose naming resolver decides
     * @param stem stem to check
     * @param subject subject to check
     * @return true only for STEM_ADMIN
     */
    public static boolean canStemAdmin(GrouperSession grouperSession, Stem stem, Subject subject) {
        NamingResolver resolver = grouperSession.getNamingResolver();
        return resolver.hasPrivilege(stem, subject, NamingPrivilege.STEM_ADMIN);
    }

    /**
     * Whether the subject may change the group's membership: UPDATE, or ADMIN which implies it.
     *
     * @param grouperSession session whose access resolver decides
     * @param group group to check
     * @param subject subject to check
     * @return true if UPDATE or ADMIN is held
     */
    public static boolean canUpdate(GrouperSession grouperSession, Group group, Subject subject) {
        AccessResolver resolver = grouperSession.getAccessResolver();
        if (resolver.hasPrivilege(group, subject, AccessPrivilege.UPDATE)) {
            return true;
        }
        return resolver.hasPrivilege(group, subject, AccessPrivilege.ADMIN);
    }

    /**
     * Whether the subject may see that the group exists. Any of the eight access privileges
     * grants view; they are tried in the order listed and the first one held short-circuits the
     * rest.
     *
     * @param grouperSession session whose access resolver decides
     * @param group group to check
     * @param subject subject to check
     * @return true if any access privilege is held
     */
    public static boolean canView(GrouperSession grouperSession, Group group, Subject subject) {
        AccessResolver resolver = grouperSession.getAccessResolver();
        Privilege[] viewGranting = {
            AccessPrivilege.VIEW,
            AccessPrivilege.READ,
            AccessPrivilege.ADMIN,
            AccessPrivilege.UPDATE,
            AccessPrivilege.GROUP_ATTR_READ,
            AccessPrivilege.GROUP_ATTR_UPDATE,
            AccessPrivilege.OPTIN,
            AccessPrivilege.OPTOUT
        };
        for (Privilege candidate : viewGranting) {
            if (resolver.hasPrivilege(group, subject, candidate)) {
                return true;
            }
        }
        return false;
    }

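    /**
     * Filters the groups down to those the session's own subject may view (see canView).
     * Generics replace the raw Set of the original; the session subject is looked up once
     * instead of per group.
     *
     * @param grouperSession session whose subject and access resolver are used
     * @param set groups to filter; must not be null
     * @return the viewable groups in the input's iteration order (a LinkedHashSet)
     */
    public static Set<Group> canViewGroups(GrouperSession grouperSession, Set<Group> set) {
        Set<Group> viewable = new LinkedHashSet<Group>();
        Subject viewer = grouperSession.getSubject();
        for (Group group : set) {
            if (canView(grouperSession, group, viewer)) {
                viewable.add(group);
            }
        }
        return viewable;
    }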

    /**
     * Whether the session's subject may see this membership.
     *
     * For privilege lists (NAMING, ACCESS, ATTRIBUTE_DEF fields) the answer is whether dispatch()
     * accepts the field's read privilege on the owning stem/group/attributeDef. For ordinary LIST
     * fields the subject needs READ (or ADMIN) on the owner group, except that a subject may see
     * its own membership when it can opt in or opt out of the group, or when the config flag
     * "grouper.membership.allowSelfRead" is on and it can at least view the group.
     *
     * @param grouperSession session whose subject and resolvers are used
     * @param membership membership to check
     * @return true if viewable; false when a privilege check is refused
     * @throws RuntimeException if the membership's field type is none of the four known types
     */
    public static boolean canViewMembership(GrouperSession grouperSession, Membership membership) {
        try {
            Field list = membership.getList();
            FieldType fieldType = list.getType();
            Subject viewer = grouperSession.getSubject();
            if (FieldType.NAMING.equals(fieldType)) {
                dispatch(grouperSession, membership.getStem(), viewer, list.getReadPriv());
                return true;
            }
            if (FieldType.ACCESS.equals(fieldType)) {
                dispatch(grouperSession, membership.getOwnerGroup(), viewer, list.getReadPriv());
                return true;
            }
            if (FieldType.ATTRIBUTE_DEF.equals(fieldType)) {
                dispatch(grouperSession, membership.getAttributeDef(), viewer, list.getReadPriv());
                return true;
            }
            if (!FieldType.LIST.equals(fieldType)) {
                throw new RuntimeException("Invalid field type: " + fieldType);
            }
            Group ownerGroup = membership.getOwnerGroup();
            if (canRead(grouperSession, ownerGroup, viewer)) {
                return true;
            }
            // self-read: only the member the row is about gets the relaxed rules below
            Member viewerMember = MemberFinder.internal_findBySubject(viewer, null, false);
            boolean ownMembership = viewerMember != null && viewerMember.getUuid().equals(membership.getMemberUuid());
            if (!ownMembership) {
                return false;
            }
            if (canOptin(grouperSession, ownerGroup, viewer) || canOptout(grouperSession, ownerGroup, viewer)) {
                return true;
            }
            boolean selfReadAllowed = GrouperConfig.retrieveConfig().propertyValueBoolean("grouper.membership.allowSelfRead", false);
            return selfReadAllowed && canView(grouperSession, ownerGroup, viewer);
        } catch (InsufficientPrivilegeException e) {
            return false;
        }
    }

    /**
     * Filters memberships down to those the session's subject may view (see canViewMembership),
     * after pre-loading the owner groups in one batch.
     *
     * @param grouperSession session whose subject and resolvers are used
     * @param collection memberships to filter
     * @return null when the input is null, otherwise the viewable memberships in input order
     */
    public static Set<Membership> canViewMemberships(GrouperSession grouperSession, Collection<Membership> collection) {
        if (collection == null) {
            return null;
        }
        Membership.retrieveGroups(collection);
        Set<Membership> viewable = new LinkedHashSet<Membership>();
        for (Membership candidate : collection) {
            boolean allowed = canViewMembership(grouperSession, candidate);
            if (allowed) {
                viewable.add(candidate);
            }
        }
        return viewable;
    }

    /**
     * Whether the session's subject may list the members of the group's field, i.e. whether
     * dispatch() accepts the field's read privilege.
     *
     * @param grouperSession session whose subject and access resolver are used
     * @param group group to check
     * @param field field (list) whose read privilege is required
     * @return true if allowed, false if the privilege is refused
     * @throws RuntimeException wrapping a SchemaException from dispatch, with the subject, group
     *         and field names in the message
     */
    public static boolean canViewMembers(GrouperSession grouperSession, Group group, Field field) {
        boolean allowed;
        try {
            dispatch(grouperSession, group, grouperSession.getSubject(), field.getReadPriv());
            allowed = true;
        } catch (InsufficientPrivilegeException e) {
            allowed = false;
        } catch (SchemaException e2) {
            String viewer = grouperSession == null ? null : GrouperUtil.subjectToString(grouperSession.getSubject());
            String groupName = group == null ? null : group.getName();
            String fieldName = field == null ? null : field.getName();
            throw new RuntimeException("Problem viewing members: " + viewer + ", " + groupName + ", " + fieldName, e2);
        }
        return allowed;
    }

    /**
     * Enforces an access privilege on a group: returns normally when the subject may exercise it
     * and throws otherwise. Each privilege is mapped to its canXxx() check, so implied grants
     * (e.g. ADMIN implying READ) are honoured. SYSTEM is never granted: it is a system-maintained
     * privilege and always results in InsufficientPrivilegeException.
     *
     * @param grouperSession session whose access resolver decides
     * @param group group to check
     * @param subject subject to check
     * @param privilege access privilege to enforce
     * @throws InsufficientPrivilegeException if the subject lacks the privilege (or it is SYSTEM)
     * @throws SchemaException if the privilege is not an access privilege or is unknown
     */
    public static void dispatch(GrouperSession grouperSession, Group group, Subject subject, Privilege privilege) throws InsufficientPrivilegeException, SchemaException {
        if (!Privilege.isAccess(privilege)) {
            throw new SchemaException("access privileges only apply to groups");
        }
        final boolean allowed;
        final String denial;
        if (privilege.equals(AccessPrivilege.ADMIN)) {
            allowed = canAdmin(grouperSession, group, subject);
            denial = allowed ? "" : E.CANNOT_ADMIN;
        } else if (privilege.equals(AccessPrivilege.OPTIN)) {
            allowed = canOptin(grouperSession, group, subject);
            denial = allowed ? "" : E.CANNOT_OPTIN;
        } else if (privilege.equals(AccessPrivilege.OPTOUT)) {
            allowed = canOptout(grouperSession, group, subject);
            denial = allowed ? "" : E.CANNOT_OPTOUT;
        } else if (privilege.equals(AccessPrivilege.READ)) {
            allowed = canRead(grouperSession, group, subject);
            denial = allowed ? "" : "subject " + subject.getId() + " cannot READ group: " + group.getName();
        } else if (privilege.equals(AccessPrivilege.GROUP_ATTR_READ)) {
            allowed = canGroupAttrRead(grouperSession, group, subject);
            denial = allowed ? "" : "subject " + subject.getId() + " cannot GROUP_ATTR_READ group: " + group.getName();
        } else if (privilege.equals(AccessPrivilege.GROUP_ATTR_UPDATE)) {
            allowed = canGroupAttrUpdate(grouperSession, group, subject);
            denial = allowed ? "" : "subject " + subject.getId() + " cannot GROUP_ATTR_UPDATE group: " + group.getName();
        } else if (privilege.equals(AccessPrivilege.VIEW)) {
            allowed = canView(grouperSession, group, subject);
            denial = allowed ? "" : E.CANNOT_VIEW;
        } else if (privilege.equals(AccessPrivilege.UPDATE)) {
            allowed = canUpdate(grouperSession, group, subject);
            denial = allowed ? "" : E.CANNOT_UPDATE;
        } else if (privilege.equals(AccessPrivilege.SYSTEM)) {
            // system-maintained privilege: never granted to a subject
            allowed = false;
            denial = "system maintained: " + privilege;
        } else {
            throw new SchemaException("unknown privilege: " + privilege);
        }
        if (!allowed) {
            throw new InsufficientPrivilegeException(denial);
        }
    }

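    /**
     * Enforces a naming privilege on a stem: returns normally when the subject may exercise it
     * and throws otherwise. Each privilege is mapped to its canXxx() check, so implied grants
     * (STEM_ADMIN implying the rest) are honoured.
     *
     * Fix: the STEM/STEM_ADMIN branch used the two-argument canStemAdmin(stem, subject), which
     * consults the thread's static session instead of the session passed in; every other branch
     * uses the caller's session, and so does this one now.
     *
     * @param grouperSession session whose naming resolver decides
     * @param stem stem to check
     * @param subject subject to check
     * @param privilege naming privilege to enforce
     * @throws InsufficientPrivilegeException if the subject lacks the privilege
     * @throws SchemaException if the privilege is not a naming privilege or is unknown
     */
    public static void dispatch(GrouperSession grouperSession, Stem stem, Subject subject, Privilege privilege) throws InsufficientPrivilegeException, SchemaException {
        if (!Privilege.isNaming(privilege)) {
            throw new SchemaException("naming privileges only apply to stems");
        }
        final boolean allowed;
        final String denial;
        if (privilege.equals(NamingPrivilege.CREATE)) {
            allowed = canCreate(grouperSession, stem, subject);
            denial = allowed ? "" : E.CANNOT_CREATE;
        } else if (privilege.equals(NamingPrivilege.STEM) || privilege.equals(NamingPrivilege.STEM_ADMIN)) {
            // evaluate in the caller's session like every other branch
            allowed = canStemAdmin(grouperSession, stem, subject);
            denial = allowed ? "" : E.CANNOT_STEM_ADMIN;
        } else if (privilege.equals(NamingPrivilege.STEM_ATTR_READ)) {
            allowed = canStemAttrRead(grouperSession, stem, subject);
            denial = allowed ? "" : "subject " + subject.getId() + " cannot STEM_ATTR_READ stem: " + stem.getName();
        } else if (privilege.equals(NamingPrivilege.STEM_VIEW)) {
            allowed = canStemView(grouperSession, stem, subject);
            denial = allowed ? "" : "subject " + subject.getId() + " cannot STEM_VIEW stem: " + stem.getName();
        } else if (privilege.equals(NamingPrivilege.STEM_ATTR_UPDATE)) {
            allowed = canStemAttrUpdate(grouperSession, stem, subject);
            denial = allowed ? "" : "subject " + subject.getId() + " cannot STEM_ATTR_UPDATE stem: " + stem.getName();
        } else {
            throw new SchemaException("unknown privilege: " + privilege);
        }
        if (!allowed) {
            throw new InsufficientPrivilegeException(denial);
        }
    }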

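    /**
     * Enforces an attribute-definition privilege: returns normally when the subject may exercise
     * it and throws otherwise. Each privilege is mapped to its canAttrXxx() check, so implied
     * grants (ATTR_ADMIN implying the rest) are honoured. The denial message always carries the
     * attribute definition name and the subject.
     *
     * Fix: the ATTR_DEF_ATTR_READ / ATTR_DEF_ATTR_UPDATE denial messages said "stem:" although
     * the object is an attribute definition; they now say "attributeDef:".
     *
     * @param grouperSession session whose attribute-definition resolver decides
     * @param attributeDef attribute definition to check
     * @param subject subject to check
     * @param privilege attribute-definition privilege to enforce
     * @throws InsufficientPrivilegeException if the subject lacks the privilege
     * @throws SchemaException if the privilege is not an attribute-definition privilege or is unknown
     */
    public static void dispatch(GrouperSession grouperSession, AttributeDef attributeDef, Subject subject, Privilege privilege) throws InsufficientPrivilegeException, SchemaException {
        if (!Privilege.isAttributeDef(privilege)) {
            throw new SchemaException("attributeDef privileges only apply to attributeDefs");
        }
        final boolean allowed;
        final String denial;
        if (privilege.equals(AttributeDefPrivilege.ATTR_ADMIN)) {
            allowed = canAttrAdmin(grouperSession, attributeDef, subject);
            denial = allowed ? "" : E.CANNOT_ATTR_ADMIN;
        } else if (privilege.equals(AttributeDefPrivilege.ATTR_OPTIN)) {
            allowed = canAttrOptin(grouperSession, attributeDef, subject);
            denial = allowed ? "" : E.CANNOT_ATTR_OPTIN;
        } else if (privilege.equals(AttributeDefPrivilege.ATTR_OPTOUT)) {
            allowed = canAttrOptout(grouperSession, attributeDef, subject);
            denial = allowed ? "" : E.CANNOT_ATTR_OPTOUT;
        } else if (privilege.equals(AttributeDefPrivilege.ATTR_READ)) {
            allowed = canAttrRead(grouperSession, attributeDef, subject);
            denial = allowed ? "" : E.CANNOT_ATTR_READ;
        } else if (privilege.equals(AttributeDefPrivilege.ATTR_UPDATE)) {
            allowed = canAttrUpdate(grouperSession, attributeDef, subject);
            denial = allowed ? "" : E.CANNOT_ATTR_UPDATE;
        } else if (privilege.equals(AttributeDefPrivilege.ATTR_DEF_ATTR_READ)) {
            allowed = canAttrDefAttrRead(grouperSession, attributeDef, subject);
            denial = allowed ? "" : "subject " + subject.getId() + " cannot ATTR_DEF_ATTR_READ attributeDef: " + attributeDef.getName();
        } else if (privilege.equals(AttributeDefPrivilege.ATTR_DEF_ATTR_UPDATE)) {
            allowed = canAttrDefAttrUpdate(grouperSession, attributeDef, subject);
            denial = allowed ? "" : "subject " + subject.getId() + " cannot ATTR_DEF_ATTR_UPDATE attributeDef: " + attributeDef.getName();
        } else if (privilege.equals(AttributeDefPrivilege.ATTR_VIEW)) {
            allowed = canAttrView(grouperSession, attributeDef, subject);
            denial = allowed ? "" : E.CANNOT_ATTR_VIEW;
        } else {
            throw new SchemaException("unknown privilege: " + privilege);
        }
        if (!allowed) {
            String attributeDefName = attributeDef == null ? null : attributeDef.getName();
            throw new InsufficientPrivilegeException(denial + ", attributeDef: " + attributeDefName + ", " + GrouperUtil.subjectToString(subject));
        }
    }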

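    /**
     * Keeps only the access (group) privileges from the array, de-duplicated and in first-seen
     * order. Generics replace the raw set of the original and a null input yields an empty array
     * instead of a NullPointerException.
     *
     * @param privilegeArr privileges to filter; may be null
     * @return the access privileges, possibly empty, never null
     */
    public static Privilege[] getAccessPrivileges(Privilege[] privilegeArr) {
        Set<Privilege> accessPrivileges = new LinkedHashSet<Privilege>();
        if (privilegeArr != null) {
            for (Privilege privilege : privilegeArr) {
                if (Privilege.isAccess(privilege)) {
                    accessPrivileges.add(privilege);
                }
            }
        }
        return accessPrivileges.toArray(new Privilege[0]);
    }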

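    /**
     * Keeps only the attribute-definition privileges from the array, de-duplicated and in
     * first-seen order. Generics replace the raw set of the original and a null input yields an
     * empty array instead of a NullPointerException.
     *
     * @param privilegeArr privileges to filter; may be null
     * @return the attribute-definition privileges, possibly empty, never null
     */
    public static Privilege[] getAttributeDefPrivileges(Privilege[] privilegeArr) {
        Set<Privilege> attributeDefPrivileges = new LinkedHashSet<Privilege>();
        if (privilegeArr != null) {
            for (Privilege privilege : privilegeArr) {
                if (Privilege.isAttributeDef(privilege)) {
                    attributeDefPrivileges.add(privilege);
                }
            }
        }
        return attributeDefPrivileges.toArray(new Privilege[0]);
    }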

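    /**
     * Keeps only the naming (stem) privileges from the array, de-duplicated and in first-seen
     * order. Generics replace the raw set of the original and a null input yields an empty array
     * instead of a NullPointerException.
     *
     * @param privilegeArr privileges to filter; may be null
     * @return the naming privileges, possibly empty, never null
     */
    public static Privilege[] getNamingPrivileges(Privilege[] privilegeArr) {
        Set<Privilege> namingPrivileges = new LinkedHashSet<Privilege>();
        if (privilegeArr != null) {
            for (Privilege privilege : privilegeArr) {
                if (Privilege.isNaming(privilege)) {
                    namingPrivileges.add(privilege);
                }
            }
        }
        return namingPrivileges.toArray(new Privilege[0]);
    }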

    /**
     * Whether the session runs with root authority: its subject is the GrouperSystem root subject,
     * or the session counts wheel membership and the subject is in the admin wheel group.
     *
     * @param grouperSession session to examine
     * @return true for the root subject or an effective wheel member
     */
    public static boolean isRoot(GrouperSession grouperSession) {
        boolean isRootSubject = SubjectHelper.eq(grouperSession.getSubject(), SubjectFinder.findRootSubject());
        return isRootSubject || isWheel(grouperSession);
    }

    /**
     * Whether the subject is the GrouperSystem root subject itself (wheel membership is not
     * considered).
     *
     * @param subject subject to compare
     * @return true if it equals SubjectFinder.findRootSubject()
     */
    public static boolean isSystemSubject(Subject subject) {
        Subject rootSubject = SubjectFinder.findRootSubject();
        return SubjectHelper.eq(subject, rootSubject);
    }

    /**
     * Whether the subject is a member of the configured wheel group of the given type.
     *
     * Returns false immediately when the relevant "use" config switch is off, or when this thread
     * is already inside a wheel check (the membership lookup itself goes through privilege code,
     * so the re-entrancy guard answers "not wheel" rather than recursing). Answers are cached per
     * (type, source id, subject id) in wheelMemberCache(); on a miss the group is resolved and
     * the membership evaluated in a root callback session.
     *
     * @param subject subject to check
     * @param privilegeHelperWheelType which wheel group (admin, read or view)
     * @return true if the subject is a member of that wheel group
     * @throws GrouperException if the configured wheel group cannot be found
     * @throws RuntimeException for an unknown wheel type
     */
    private static boolean isWheelType(final Subject subject, final PrivilegeHelperWheelType privilegeHelperWheelType) {
        if (GrouperUtil.booleanValue(inIsWheel.get(), false)) {
            // nested call on this thread: fail closed instead of recursing
            return false;
        }
        inIsWheel.set(true);
        try {
            GrouperConfig config = GrouperConfig.retrieveConfig();
            final boolean wheelEnabled;
            final String wheelGroupName;
            switch (privilegeHelperWheelType) {
                case admin:
                    wheelEnabled = config.propertyValueBoolean(GrouperConfig.PROP_USE_WHEEL_GROUP, false);
                    wheelGroupName = config.propertyValueString(GrouperConfig.PROP_WHEEL_GROUP);
                    break;
                case read:
                    wheelEnabled = config.propertyValueBoolean("groups.wheel.readonly.use", false);
                    wheelGroupName = config.propertyValueString("groups.wheel.readonly.group");
                    break;
                case view:
                    wheelEnabled = config.propertyValueBoolean("groups.wheel.viewonly.use", false);
                    wheelGroupName = config.propertyValueString("groups.wheel.viewonly.group");
                    break;
                default:
                    throw new RuntimeException("Invalid type: '" + privilegeHelperWheelType + "'");
            }
            if (!wheelEnabled) {
                return false;
            }
            MultiKey cacheKey = new MultiKey(privilegeHelperWheelType, subject.getSourceId(), subject.getId());
            ExpirableCache<MultiKey, Boolean> cache = wheelMemberCache();
            Boolean cached = cache.get(cacheKey);
            if (cached != null) {
                return cached.booleanValue();
            }
            // the lookup runs as root so that the caller's own privileges cannot hide the wheel group
            Boolean isMember = (Boolean) GrouperSession.internal_callbackRootGrouperSession(new GrouperSessionHandler() {
                @Override
                public Object callback(GrouperSession rootSession) throws GrouperSessionException {
                    try {
                        Group wheelGroup = GroupFinder.findByName(rootSession, wheelGroupName, true);
                        return Boolean.valueOf(wheelGroup.hasMember(subject));
                    } catch (GroupNotFoundException e) {
                        throw new GrouperException("Cant find wheel " + privilegeHelperWheelType + " group: " + wheelGroupName, e);
                    }
                }
            });
            cache.put(cacheKey, isMember);
            return isMember.booleanValue();
        } finally {
            // every exit path, normal or exceptional, clears the guard
            inIsWheel.remove();
        }
    }

    /**
     * Tells whether the session's subject is a member of the admin ("wheel") group.
     *
     * <p>When the session is flagged to not consider wheel membership, the group
     * lookup is skipped entirely and the answer is {@code false}; the subject is
     * then treated as an ordinary user even if it is in the wheel group.
     *
     * @param grouperSession session whose subject is examined
     * @return {@code true} only when wheel membership is considered for this
     *         session and the subject is in the admin wheel group
     */
    public static boolean isWheel(GrouperSession grouperSession) {
        if (!grouperSession.isConsiderIfWheelMember()) {
            return false;
        }
        return isWheelType(grouperSession.getSubject(), PrivilegeHelperWheelType.admin);
    }

    /**
     * Tells whether the subject has at least view-only elevated access: it is the
     * root subject, a member of the admin or read-only wheel group, or a member of
     * the view-only wheel group.
     *
     * <p>The stronger checks run first, so the view-only group is only consulted
     * when none of them matched.
     *
     * @param subject subject to examine
     * @return {@code true} for root, admin wheel, read-only wheel or view-only wheel subjects
     */
    public static boolean isWheelOrRootOrViewonlyRoot(Subject subject) {
        boolean readonlyOrHigher = isWheelOrRootOrReadonlyRoot(subject);
        return readonlyOrHigher || isWheelType(subject, PrivilegeHelperWheelType.view);
    }

    /**
     * Tells whether the subject has at least read-only elevated access: it is the
     * root subject, a member of the admin wheel group, or a member of the
     * read-only wheel group.
     *
     * @param subject subject to examine
     * @return {@code true} for root, admin wheel or read-only wheel subjects
     */
    public static boolean isWheelOrRootOrReadonlyRoot(Subject subject) {
        boolean adminOrRoot = isWheelOrRoot(subject);
        return adminOrRoot || isWheelType(subject, PrivilegeHelperWheelType.read);
    }

    /**
     * Returns the lazily created cache of wheel-membership answers, keyed by
     * (wheel type, subject source id, subject id).
     *
     * <p>The time-to-live comes from config property {@code wheel.member.cache.seconds}
     * (default 10 seconds). The cache registers itself as database-clearable under
     * this class's name so that other nodes can invalidate it. Note that the lazy
     * initialisation is not synchronized: two threads calling this concurrently
     * before the field is set may each build and register a cache.
     *
     * @return the shared wheel-membership cache, never {@code null}
     */
    private static ExpirableCache<MultiKey, Boolean> wheelMemberCache() {
        if (wheelMemberCache != null) {
            return wheelMemberCache;
        }
        int ttlSeconds = GrouperConfig.retrieveConfig().propertyValueInt("wheel.member.cache.seconds", 10);
        wheelMemberCache = new ExpirableCache<>(ttlSeconds);
        String cacheName = PrivilegeHelper.class.getName() + ".wheelMemberCache";
        wheelMemberCache.registerDatabaseClearableCache(cacheName);
        return wheelMemberCache;
    }

    /**
     * Empties the wheel-membership cache on this node and tells the database
     * layer so that other nodes clear theirs too.
     *
     * <p>Use this after changing wheel group membership, since a stale cached
     * {@code true} keeps elevated privileges alive until the entry expires.
     */
    public static void wheelMemberCacheClear() {
        ExpirableCache<MultiKey, Boolean> cache = wheelMemberCache();
        cache.clear();
        cache.notifyDatabaseOfChanges();
    }

    /**
     * Tells whether the subject is the built-in root subject or a member of the
     * admin wheel group.
     *
     * <p>Root is recognised purely by identity strings: source id equal to
     * {@link InternalSourceAdapter#ID} and subject id equal to {@link GrouperConfig#ROOT}.
     * The wheel check is gated by the <em>static</em> (thread-bound) session's
     * {@code isConsiderIfWheelMember()}, not by any session passed in; when that
     * flag is off, only root qualifies.
     *
     * @param subject subject to examine
     * @return {@code true} for the root subject, or for an admin wheel member
     *         when wheel membership is being considered
     */
    public static boolean isWheelOrRoot(Subject subject) {
        boolean isInternalSource = StringUtils.equals(subject.getSourceId(), InternalSourceAdapter.ID);
        boolean isRootSubject = isInternalSource && StringUtils.equals(subject.getId(), GrouperConfig.ROOT);
        if (isRootSubject) {
            return true;
        }
        boolean considerWheel = GrouperSession.staticGrouperSession().isConsiderIfWheelMember();
        return considerWheel && isWheelType(subject, PrivilegeHelperWheelType.admin);
    }

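    /**
     * Tells whether the subject may move stems.
     *
     * <p>Controlled by config property {@code security.stem.groupAllowedToMoveStem};
     * see {@link #allowedByStemSecurityGroup(Subject, String)} for the rule,
     * including the fail-open behaviour when the property is blank.
     *
     * @param subject subject to examine
     * @return {@code true} when the subject is allowed to move stems
     */
    public static boolean canMoveStems(Subject subject) {
        return allowedByStemSecurityGroup(subject, "security.stem.groupAllowedToMoveStem");
    }

    /**
     * Tells whether the subject may copy stems.
     *
     * <p>Controlled by config property {@code security.stem.groupAllowedToCopyStem};
     * see {@link #allowedByStemSecurityGroup(Subject, String)} for the rule,
     * including the fail-open behaviour when the property is blank.
     *
     * @param subject subject to examine
     * @return {@code true} when the subject is allowed to copy stems
     */
    public static boolean canCopyStems(Subject subject) {
        return allowedByStemSecurityGroup(subject, "security.stem.groupAllowedToCopyStem");
    }

    /**
     * Tells whether the subject may rename stems.
     *
     * <p>Controlled by config property {@code security.stem.groupAllowedToRenameStem};
     * see {@link #allowedByStemSecurityGroup(Subject, String)} for the rule,
     * including the fail-open behaviour when the property is blank.
     *
     * @param subject subject to examine
     * @return {@code true} when the subject is allowed to rename stems
     */
    public static boolean canRenameStems(Subject subject) {
        return allowedByStemSecurityGroup(subject, "security.stem.groupAllowedToRenameStem");
    }

    /**
     * Shared rule behind {@link #canMoveStems}, {@link #canCopyStems} and {@link #canRenameStems}.
     *
     * <p>The rule is: if the config property is blank, <em>every</em> subject is
     * allowed (the restriction is opt-in; deployments that want to limit these
     * operations must set the property). Otherwise root and admin wheel members
     * are allowed, and so is any member of the group named by the property. A
     * configured group name that does not resolve to a group denies everyone
     * except root/wheel.
     *
     * @param subject   subject to examine
     * @param configKey grouper config property holding the allowed group's name
     * @return {@code true} when the subject passes the rule
     */
    private static boolean allowedByStemSecurityGroup(Subject subject, String configKey) {
        String allowedGroupName = GrouperConfig.retrieveConfig().propertyValueString(configKey);
        // Fail-open by design: no configured group means the operation is unrestricted.
        if (StringUtils.isBlank(allowedGroupName) || isWheelOrRoot(subject)) {
            return true;
        }
        // The group is looked up through the root session, presumably so the caller's
        // own (possibly insufficient) privileges cannot hide it; the last argument
        // disables the not-found exception so a missing group simply yields null.
        GrouperSession rootSession = GrouperSession.staticGrouperSession().internal_getRootSession();
        Group allowedGroup = GroupFinder.findByName(rootSession, allowedGroupName, false);
        return allowedGroup != null && allowedGroup.hasMember(subject);
    }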

    /**
     * Tells whether the subject holds <em>any</em> of the given privileges on the
     * attribute definition, as judged by the session's attribute-def resolver.
     *
     * <p>Privileges are tried in the set's iteration order and the first match
     * short-circuits. An empty set yields {@code false}; a {@code null} set throws
     * {@link NullPointerException}.
     *
     * @param grouperSession session supplying the attribute-def resolver
     * @param attributeDef   attribute definition being checked
     * @param subject        subject whose privileges are checked
     * @param set            candidate privileges, any one of which suffices
     * @return {@code true} when at least one privilege in {@code set} is held
     */
    public static boolean hasPrivilege(GrouperSession grouperSession, AttributeDef attributeDef, Subject subject, Set<Privilege> set) {
        for (Privilege candidate : set) {
            boolean held = grouperSession.getAttributeDefResolver().hasPrivilege(attributeDef, subject, candidate);
            if (held) {
                return true;
            }
        }
        return false;
    }

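    /**
     * Filters the collection down to the attribute definitions the session's
     * subject may view ({@link AttributeDefPrivilege#ATTR_VIEW}).
     *
     * <p>Each definition is checked with {@code dispatch}, which signals denial by
     * throwing {@link InsufficientPrivilegeException}; that exception is the filter
     * mechanism here, not an error, so it is deliberately swallowed. Any other
     * exception from {@code dispatch} propagates. Input order is preserved.
     *
     * @param grouperSession session whose subject is checked
     * @param collection     candidate attribute definitions; may be {@code null}
     * @return the viewable subset as an insertion-ordered set, or {@code null}
     *         when {@code collection} is {@code null}
     */
    public static Set<AttributeDef> canViewAttributeDefs(GrouperSession grouperSession, Collection<AttributeDef> collection) {
        if (collection == null) {
            return null;
        }
        Set<AttributeDef> viewable = new LinkedHashSet<>();
        for (AttributeDef attributeDef : collection) {
            try {
                dispatch(grouperSession, attributeDef, grouperSession.getSubject(), AttributeDefPrivilege.ATTR_VIEW);
                viewable.add(attributeDef);
            } catch (InsufficientPrivilegeException ignored) {
                // denial is expected for some entries; simply leave this one out
            }
        }
        return viewable;
    }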

    /**
     * Tells whether the session's subject may view an attribute assignment.
     *
     * <p>Two layers are checked, both via {@code dispatch}, which denies by throwing
     * {@link InsufficientPrivilegeException}:
     * <ol>
     *   <li>{@link AttributeDefPrivilege#ATTR_READ} on the assignment's attribute definition;</li>
     *   <li>an owner-specific check that depends on {@code attributeAssign.getAttributeAssignType()}:
     *     group owners need {@link AccessPrivilege#GROUP_ATTR_READ}; stem owners need stem
     *     attr-read or stem admin; attribute-def owners need
     *     {@link AttributeDefPrivilege#ATTR_DEF_ATTR_READ}; immediate-membership and
     *     any-membership owners need {@link AccessPrivilege#READ} on the owning group;
     *     member owners have <em>no</em> second check, so the attribute-def read
     *     privilege alone is sufficient for them.</li>
     * </ol>
     *
     * <p>For assignment-on-assignment types ({@code *_asgn}) the {@code z} flag decides:
     * when {@code true} the owning assignment is checked recursively with the same
     * rules; when {@code false} the assignment is reported viewable without
     * consulting its owner at all.
     *
     * <p>Denials and a missing attribute definition both yield {@code false} (fail
     * closed); any other exception propagates.
     *
     * @param grouperSession  session whose subject is checked
     * @param attributeAssign assignment to check; must not be {@code null}
     * @param z               when {@code true}, recurse into the owner of an
     *                        assignment-on-assignment; when {@code false}, treat
     *                        such assignments as viewable
     * @return {@code true} when the subject may view the assignment
     * @throws NullPointerException if {@code attributeAssign} is {@code null}
     * @throws RuntimeException     if the assignment type is not one handled here
     */
    public static boolean canViewAttributeAssign(GrouperSession grouperSession, AttributeAssign attributeAssign, boolean z) {
        if (attributeAssign == null) {
            throw new NullPointerException("attribute assign is null");
        }
        try {
            // Layer 1: read on the attribute definition itself; denial throws.
            dispatch(grouperSession, attributeAssign.getAttributeDef(), grouperSession.getSubject(), AttributeDefPrivilege.ATTR_READ);
            AttributeAssignType attributeAssignType = attributeAssign.getAttributeAssignType();
            // Layer 2: owner-specific check.
            switch (attributeAssignType) {
                case group:
                    dispatch(grouperSession, attributeAssign.getOwnerGroup(), grouperSession.getSubject(), AccessPrivilege.GROUP_ATTR_READ);
                    return true;
                case stem:
                    // Either stem privilege suffices; short-circuits on the first that holds.
                    return canStemAttrRead(grouperSession, attributeAssign.getOwnerStem(), grouperSession.getSubject()) || canStemAdmin(grouperSession, attributeAssign.getOwnerStem(), grouperSession.getSubject());
                case member:
                    // No owner check for member-owned assignments; layer 1 alone decides.
                    return true;
                case attr_def:
                    dispatch(grouperSession, attributeAssign.getOwnerAttributeDef(), grouperSession.getSubject(), AttributeDefPrivilege.ATTR_DEF_ATTR_READ);
                    return true;
                case imm_mem:
                    dispatch(grouperSession, attributeAssign.getOwnerImmediateMembership().getOwnerGroup(), grouperSession.getSubject(), AccessPrivilege.READ);
                    return true;
                case any_mem:
                    dispatch(grouperSession, attributeAssign.getOwnerGroup(), grouperSession.getSubject(), AccessPrivilege.READ);
                    return true;
                case any_mem_asgn:
                case attr_def_asgn:
                case group_asgn:
                case imm_mem_asgn:
                case mem_asgn:
                case stem_asgn:
                    // Assignment-on-assignment: viewable outright unless z asks for the
                    // owning assignment to be checked recursively.
                    return !z || canViewAttributeAssign(grouperSession, attributeAssign.getOwnerAttributeAssign(), z);
                default:
                    throw new RuntimeException("Not expecting attributeAssignType: " + attributeAssignType);
            }
        } catch (AttributeDefNotFoundException e) {
            // Fail closed: an assignment whose definition cannot be found is not viewable.
            return false;
        } catch (InsufficientPrivilegeException e2) {
            // Denial from either layer.
            return false;
        }
    }

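    /**
     * Filters the collection down to the attribute assignments the session's
     * subject may view, applying {@link #canViewAttributeAssign} to each entry.
     * Input order is preserved.
     *
     * @param grouperSession session whose subject is checked
     * @param collection     candidate assignments; may be {@code null}
     * @param z              passed through to {@link #canViewAttributeAssign};
     *                       when {@code true}, assignment-on-assignment entries
     *                       are checked against their owning assignment
     * @return the viewable subset as an insertion-ordered set, or {@code null}
     *         when {@code collection} is {@code null}
     */
    public static Set<AttributeAssign> canViewAttributeAssigns(GrouperSession grouperSession, Collection<AttributeAssign> collection, boolean z) {
        if (collection == null) {
            return null;
        }
        Set<AttributeAssign> viewable = new LinkedHashSet<>();
        for (AttributeAssign attributeAssign : collection) {
            if (canViewAttributeAssign(grouperSession, attributeAssign, z)) {
                viewable.add(attributeAssign);
            }
        }
        return viewable;
    }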

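    /**
     * Filters the collection down to the permission entries the session's subject
     * may view.
     *
     * <p>Root and admin wheel subjects see everything. For anyone else an entry is
     * kept only when it is active, the subject can read attributes of the entry's
     * role group, and the subject can read the entry's attribute definition. The
     * role group and attribute definition are resolved with the "throw if not
     * found" flag set, so an entry referencing a missing role or definition
     * propagates that exception rather than being silently dropped. Input order
     * is preserved.
     *
     * @param grouperSession session whose subject is checked
     * @param collection     candidate permission entries; may be {@code null}
     * @return the viewable subset as an insertion-ordered set, or {@code null}
     *         when {@code collection} is {@code null}
     */
    public static Set<PermissionEntry> canViewPermissions(GrouperSession grouperSession, Collection<PermissionEntry> collection) {
        if (collection == null) {
            return null;
        }
        Subject subject = grouperSession.getSubject();
        if (isWheelOrRoot(subject)) {
            return new LinkedHashSet<>(collection);
        }
        Set<PermissionEntry> viewable = new LinkedHashSet<>();
        for (PermissionEntry permissionEntry : collection) {
            // Cheapest check first; the lookups below hit the database.
            if (!permissionEntry.isActive()) {
                continue;
            }
            Group role = GrouperDAOFactory.getFactory().getGroup().findByUuid(permissionEntry.getRoleId(), true);
            if (!canGroupAttrRead(grouperSession, role, subject)) {
                continue;
            }
            AttributeDef attributeDef = AttributeDefFinder.findByIdAsRoot(permissionEntry.getAttributeDefId(), true);
            if (canAttrRead(grouperSession, attributeDef, subject)) {
                viewable.add(permissionEntry);
            }
        }
        return viewable;
    }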

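    /**
     * Filters the collection down to the point-in-time attribute assignments the
     * session's subject may view.
     *
     * <p>Root and admin wheel subjects see everything. For anyone else an entry is
     * kept only when it is still active and the live assignment it points to
     * (looked up by {@code getSourceId()} with "throw if not found") passes
     * {@link #canViewAttributeAssign}. Consequently inactive (historical) entries
     * are never returned to non-privileged subjects, and an active entry whose
     * live assignment is missing propagates the lookup exception. Input order is
     * preserved.
     *
     * @param grouperSession session whose subject is checked
     * @param collection     candidate point-in-time assignments; may be {@code null}
     * @param z              passed through to {@link #canViewAttributeAssign}
     * @return the viewable subset as an insertion-ordered set, or {@code null}
     *         when {@code collection} is {@code null}
     */
    public static Set<PITAttributeAssign> canViewPITAttributeAssigns(GrouperSession grouperSession, Collection<PITAttributeAssign> collection, boolean z) {
        if (collection == null) {
            return null;
        }
        if (isWheelOrRoot(grouperSession.getSubject())) {
            return new LinkedHashSet<>(collection);
        }
        Set<PITAttributeAssign> viewable = new LinkedHashSet<>();
        for (PITAttributeAssign pitAttributeAssign : collection) {
            // Skip the database lookup for entries that are no longer active.
            if (!pitAttributeAssign.isActive()) {
                continue;
            }
            AttributeAssign liveAssign = GrouperDAOFactory.getFactory().getAttributeAssign().findById(pitAttributeAssign.getSourceId(), true);
            if (canViewAttributeAssign(grouperSession, liveAssign, z)) {
                viewable.add(pitAttributeAssign);
            }
        }
        return viewable;
    }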

    /**
     * Tells whether the subject holds the privilege on the stem <em>directly</em>
     * (an immediate membership in the privilege's field), ignoring privileges
     * that arrive indirectly through group membership.
     *
     * <p>Uses the static (thread-bound) session for the lookup. Only
     * {@link MembershipNotFoundException} is mapped to {@code false}; other
     * exceptions propagate.
     *
     * @param stem      stem being checked
     * @param subject   subject whose immediate privilege is checked
     * @param privilege privilege whose field is consulted
     * @return {@code true} when an immediate membership exists
     */
    public static boolean hasImmediatePrivilege(Stem stem, Subject subject, Privilege privilege) {
        GrouperSession session = GrouperSession.staticGrouperSession();
        try {
            MembershipFinder.findImmediateMembership(session, stem, subject, privilege.getField(), true);
        } catch (MembershipNotFoundException notFound) {
            return false;
        }
        return true;
    }

    /**
     * Tells whether the subject holds the privilege on the attribute definition
     * <em>directly</em> (an immediate membership in the privilege's field),
     * ignoring privileges that arrive indirectly through group membership.
     *
     * <p>Uses the static (thread-bound) session for the lookup. Only
     * {@link MembershipNotFoundException} is mapped to {@code false}; other
     * exceptions propagate.
     *
     * @param attributeDef attribute definition being checked
     * @param subject      subject whose immediate privilege is checked
     * @param privilege    privilege whose field is consulted
     * @return {@code true} when an immediate membership exists
     */
    public static boolean hasImmediatePrivilege(AttributeDef attributeDef, Subject subject, Privilege privilege) {
        GrouperSession session = GrouperSession.staticGrouperSession();
        try {
            MembershipFinder.findImmediateMembership(session, attributeDef, subject, privilege.getField(), true);
        } catch (MembershipNotFoundException notFound) {
            return false;
        }
        return true;
    }
}
