package edu.internet2.middleware.grouper.app.deprovisioning;

import edu.internet2.middleware.grouper.Group;
import edu.internet2.middleware.grouper.GroupFinder;
import edu.internet2.middleware.grouper.GrouperSession;
import edu.internet2.middleware.grouper.Member;
import edu.internet2.middleware.grouper.Membership;
import edu.internet2.middleware.grouper.MembershipFinder;
import edu.internet2.middleware.grouper.Stem;
import edu.internet2.middleware.grouper.attr.AttributeDef;
import edu.internet2.middleware.grouper.cfg.GrouperConfig;
import edu.internet2.middleware.grouper.exception.GrouperSessionException;
import edu.internet2.middleware.grouper.membership.MembershipResult;
import edu.internet2.middleware.grouper.misc.GrouperObject;
import edu.internet2.middleware.grouper.misc.GrouperSessionHandler;
import edu.internet2.middleware.grouper.privs.AccessPrivilege;
import edu.internet2.middleware.grouper.privs.AttributeDefPrivilege;
import edu.internet2.middleware.grouper.privs.NamingPrivilege;
import edu.internet2.middleware.grouper.privs.Privilege;
import edu.internet2.middleware.grouper.privs.PrivilegeHelper;
import edu.internet2.middleware.grouper.util.GrouperUtil;
import edu.internet2.middleware.grouperClient.collections.MultiKey;
import edu.internet2.middleware.grouperClient.util.ExpirableCache;
import edu.internet2.middleware.subject.Subject;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.exception.ExceptionUtils;
import org.apache.commons.logging.Log;

/* loaded from: input_file:WEB-INF/lib/grouper-5.0.1.jar:edu/internet2/middleware/grouper/app/deprovisioning/GrouperDeprovisioningLogic.class */
public class GrouperDeprovisioningLogic {
    private static final Log LOG = GrouperUtil.getLog(GrouperDeprovisioningLogic.class);
    private static ExpirableCache<Boolean, GrouperDeprovisioningCache> deprovisionedSubjectCache = null;
    private static long deprovisionedSubjectCacheLastRetrievedNanos = -1;
    private static GrouperDeprovisioningCache grouperDeprovisioningCacheFailsafe = null;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/grouper-5.0.1.jar:edu/internet2/middleware/grouper/app/deprovisioning/GrouperDeprovisioningLogic$GrouperDeprovisioningCache.class */
    public static class GrouperDeprovisioningCache {
        private Set<MultiKey> deprovisionedSubjectSet = null;
        private Map<MultiKey, Set<Subject>> deprovisionedSubjectSetMap = null;

        private GrouperDeprovisioningCache() {
        }

        public Set<MultiKey> getDeprovisionedSubjectSet() {
            return this.deprovisionedSubjectSet;
        }

        public void setDeprovisionedSubjectSet(Set<MultiKey> set) {
            this.deprovisionedSubjectSet = set;
        }

        public Map<MultiKey, Set<Subject>> getDeprovisionedSubjectSetMap() {
            return this.deprovisionedSubjectSetMap;
        }

        public void setDeprovisionedSubjectSetMap(Map<MultiKey, Set<Subject>> map) {
            this.deprovisionedSubjectSetMap = map;
        }
    }

    private static ExpirableCache<Boolean, GrouperDeprovisioningCache> deprovisionedSubjectCache() {
        if (deprovisionedSubjectCache == null) {
            deprovisionedSubjectCache = new ExpirableCache<>(GrouperConfig.retrieveConfig().propertyValueInt("deprovisioning.cacheMembersForMinutes", 5));
        }
        return deprovisionedSubjectCache;
    }

    private static GrouperDeprovisioningCache grouperDeprovisioningCache(final boolean z) {
        final LinkedHashMap linkedHashMap = LOG.isDebugEnabled() ? new LinkedHashMap() : null;
        long nanoTime = System.nanoTime();
        GrouperDeprovisioningCache grouperDeprovisioningCache = null;
        try {
            try {
                GrouperDeprovisioningCache grouperDeprovisioningCache2 = deprovisionedSubjectCache().get(Boolean.TRUE);
                if (linkedHashMap != null) {
                    linkedHashMap.put("useCache", true);
                    linkedHashMap.put("grouperDeprovisioningCacheExists", Boolean.valueOf(grouperDeprovisioningCache2 != null));
                }
                if (z && grouperDeprovisioningCache2 != null) {
                    if (LOG.isDebugEnabled()) {
                        linkedHashMap.put("took", ((System.nanoTime() - nanoTime) / 1000000) + "ms");
                        linkedHashMap.put("finalCacheExists", Boolean.valueOf(grouperDeprovisioningCache2 != null));
                        if (grouperDeprovisioningCache2 != null) {
                            linkedHashMap.put("finalCacheSubjectSetExists", Boolean.valueOf(grouperDeprovisioningCache2.getDeprovisionedSubjectSet() != null));
                            linkedHashMap.put("finalCacheSubjectSetSize", Integer.valueOf(GrouperUtil.length(grouperDeprovisioningCache2.getDeprovisionedSubjectSet())));
                            linkedHashMap.put("finalCacheSubjectSetMapExists", Boolean.valueOf(grouperDeprovisioningCache2.getDeprovisionedSubjectSetMap() != null));
                            linkedHashMap.put("finalCacheSubjectSetMapSize", Integer.valueOf(GrouperUtil.length(grouperDeprovisioningCache2.getDeprovisionedSubjectSetMap())));
                        }
                        LOG.debug(GrouperUtil.mapToString(linkedHashMap));
                    }
                    return grouperDeprovisioningCache2;
                }
                if (linkedHashMap != null) {
                    linkedHashMap.put("failsafeCacheExists", Boolean.valueOf(grouperDeprovisioningCacheFailsafe != null));
                }
                if (!z || grouperDeprovisioningCacheFailsafe == null) {
                    if (linkedHashMap != null) {
                        linkedHashMap.put("gotCacheNotFromThread", true);
                    }
                    GrouperDeprovisioningCache grouperDeprovisioningCacheHelperAsRoot = grouperDeprovisioningCacheHelperAsRoot(z, linkedHashMap);
                    if (LOG.isDebugEnabled()) {
                        linkedHashMap.put("took", ((System.nanoTime() - nanoTime) / 1000000) + "ms");
                        linkedHashMap.put("finalCacheExists", Boolean.valueOf(grouperDeprovisioningCacheHelperAsRoot != null));
                        if (grouperDeprovisioningCacheHelperAsRoot != null) {
                            linkedHashMap.put("finalCacheSubjectSetExists", Boolean.valueOf(grouperDeprovisioningCacheHelperAsRoot.getDeprovisionedSubjectSet() != null));
                            linkedHashMap.put("finalCacheSubjectSetSize", Integer.valueOf(GrouperUtil.length(grouperDeprovisioningCacheHelperAsRoot.getDeprovisionedSubjectSet())));
                            linkedHashMap.put("finalCacheSubjectSetMapExists", Boolean.valueOf(grouperDeprovisioningCacheHelperAsRoot.getDeprovisionedSubjectSetMap() != null));
                            linkedHashMap.put("finalCacheSubjectSetMapSize", Integer.valueOf(GrouperUtil.length(grouperDeprovisioningCacheHelperAsRoot.getDeprovisionedSubjectSetMap())));
                        }
                        LOG.debug(GrouperUtil.mapToString(linkedHashMap));
                    }
                    return grouperDeprovisioningCacheHelperAsRoot;
                }
                final GrouperDeprovisioningCache[] grouperDeprovisioningCacheArr = {null};
                grouperDeprovisioningCacheArr[0] = grouperDeprovisioningCacheFailsafe;
                if (linkedHashMap != null) {
                    linkedHashMap.put("gettingCacheInThread", true);
                }
                Thread thread = new Thread(new Runnable() { // from class: edu.internet2.middleware.grouper.app.deprovisioning.GrouperDeprovisioningLogic.1
                    @Override // java.lang.Runnable
                    public void run() {
                        try {
                            grouperDeprovisioningCacheArr[0] = GrouperDeprovisioningLogic.grouperDeprovisioningCacheHelperAsRoot(z, linkedHashMap);
                        } catch (RuntimeException e) {
                            GrouperDeprovisioningLogic.LOG.error("Error refreshing deprovisioning cache", e);
                        }
                    }
                });
                thread.start();
                GrouperUtil.threadJoin(thread, GrouperConfig.retrieveConfig().propertyValueInt("deprovisioning.cacheFailsafeSeconds", 10) * 1000);
                if (grouperDeprovisioningCacheArr[0] != null) {
                    if (linkedHashMap != null) {
                        linkedHashMap.put("gotCacheFromThread", true);
                    }
                    GrouperDeprovisioningCache grouperDeprovisioningCache3 = grouperDeprovisioningCacheArr[0];
                    GrouperDeprovisioningCache grouperDeprovisioningCache4 = grouperDeprovisioningCacheArr[0];
                    if (LOG.isDebugEnabled()) {
                        linkedHashMap.put("took", ((System.nanoTime() - nanoTime) / 1000000) + "ms");
                        linkedHashMap.put("finalCacheExists", Boolean.valueOf(grouperDeprovisioningCache3 != null));
                        if (grouperDeprovisioningCache3 != null) {
                            linkedHashMap.put("finalCacheSubjectSetExists", Boolean.valueOf(grouperDeprovisioningCache3.getDeprovisionedSubjectSet() != null));
                            linkedHashMap.put("finalCacheSubjectSetSize", Integer.valueOf(GrouperUtil.length(grouperDeprovisioningCache3.getDeprovisionedSubjectSet())));
                            linkedHashMap.put("finalCacheSubjectSetMapExists", Boolean.valueOf(grouperDeprovisioningCache3.getDeprovisionedSubjectSetMap() != null));
                            linkedHashMap.put("finalCacheSubjectSetMapSize", Integer.valueOf(GrouperUtil.length(grouperDeprovisioningCache3.getDeprovisionedSubjectSetMap())));
                        }
                        LOG.debug(GrouperUtil.mapToString(linkedHashMap));
                    }
                    return grouperDeprovisioningCache4;
                }
                if (linkedHashMap != null) {
                    linkedHashMap.put("gotCacheFromFailsafe", true);
                }
                GrouperDeprovisioningCache grouperDeprovisioningCache5 = grouperDeprovisioningCacheFailsafe;
                GrouperDeprovisioningCache grouperDeprovisioningCache6 = grouperDeprovisioningCacheFailsafe;
                if (LOG.isDebugEnabled()) {
                    linkedHashMap.put("took", ((System.nanoTime() - nanoTime) / 1000000) + "ms");
                    linkedHashMap.put("finalCacheExists", Boolean.valueOf(grouperDeprovisioningCache5 != null));
                    if (grouperDeprovisioningCache5 != null) {
                        linkedHashMap.put("finalCacheSubjectSetExists", Boolean.valueOf(grouperDeprovisioningCache5.getDeprovisionedSubjectSet() != null));
                        linkedHashMap.put("finalCacheSubjectSetSize", Integer.valueOf(GrouperUtil.length(grouperDeprovisioningCache5.getDeprovisionedSubjectSet())));
                        linkedHashMap.put("finalCacheSubjectSetMapExists", Boolean.valueOf(grouperDeprovisioningCache5.getDeprovisionedSubjectSetMap() != null));
                        linkedHashMap.put("finalCacheSubjectSetMapSize", Integer.valueOf(GrouperUtil.length(grouperDeprovisioningCache5.getDeprovisionedSubjectSetMap())));
                    }
                    LOG.debug(GrouperUtil.mapToString(linkedHashMap));
                }
                return grouperDeprovisioningCache6;
            } catch (RuntimeException e) {
                if (linkedHashMap != null) {
                    linkedHashMap.put("exception", ExceptionUtils.getStackTrace(e));
                }
                throw e;
            }
        } catch (Throwable th) {
            if (LOG.isDebugEnabled()) {
                linkedHashMap.put("took", ((System.nanoTime() - nanoTime) / 1000000) + "ms");
                linkedHashMap.put("finalCacheExists", Boolean.valueOf(0 != 0));
                if (0 != 0) {
                    linkedHashMap.put("finalCacheSubjectSetExists", Boolean.valueOf(grouperDeprovisioningCache.getDeprovisionedSubjectSet() != null));
                    linkedHashMap.put("finalCacheSubjectSetSize", Integer.valueOf(GrouperUtil.length(grouperDeprovisioningCache.getDeprovisionedSubjectSet())));
                    linkedHashMap.put("finalCacheSubjectSetMapExists", Boolean.valueOf(grouperDeprovisioningCache.getDeprovisionedSubjectSetMap() != null));
                    linkedHashMap.put("finalCacheSubjectSetMapSize", Integer.valueOf(GrouperUtil.length(grouperDeprovisioningCache.getDeprovisionedSubjectSetMap())));
                }
                LOG.debug(GrouperUtil.mapToString(linkedHashMap));
            }
            throw th;
        }
    }

    private static GrouperDeprovisioningCache grouperDeprovisioningCacheHelperAsRoot(boolean z, final Map<String, Object> map) {
        GrouperDeprovisioningCache grouperDeprovisioningCache;
        long nanoTime = System.nanoTime();
        try {
            final GrouperDeprovisioningCache[] grouperDeprovisioningCacheArr = {deprovisionedSubjectCache().get(Boolean.TRUE)};
            boolean z2 = grouperDeprovisioningCacheArr[0] != null;
            boolean z3 = deprovisionedSubjectCacheLastRetrievedNanos > nanoTime;
            if (map != null) {
                map.put("grouperDeprovisioningCacheHelperAsRoot", true);
                map.put("cacheHelperUseCache", Boolean.valueOf(z));
            }
            if (z2 && z3 && z) {
                if (map != null) {
                    map.put("cacheHelperEarlyExit", true);
                    map.put("cacheHelperHasCache", Boolean.valueOf(z2));
                    map.put("cacheHelperNewEnoughCache", Boolean.valueOf(z3));
                }
                GrouperDeprovisioningCache grouperDeprovisioningCache2 = grouperDeprovisioningCacheArr[0];
                if (map != null) {
                    map.put("cacheHelperTook", ((nanoTime - System.nanoTime()) / 1000000) + "ms");
                }
                return grouperDeprovisioningCache2;
            }
            synchronized (GrouperDeprovisioningLogic.class) {
                long nanoTime2 = System.nanoTime();
                grouperDeprovisioningCacheArr[0] = deprovisionedSubjectCache().get(Boolean.TRUE);
                boolean z4 = grouperDeprovisioningCacheArr[0] != null;
                boolean z5 = deprovisionedSubjectCacheLastRetrievedNanos > nanoTime2;
                if (!z4 || !z5 || !z) {
                    GrouperSession.internal_callbackRootGrouperSession(new GrouperSessionHandler() { // from class: edu.internet2.middleware.grouper.app.deprovisioning.GrouperDeprovisioningLogic.2
                        @Override // edu.internet2.middleware.grouper.misc.GrouperSessionHandler
                        public Object callback(GrouperSession grouperSession) throws GrouperSessionException {
                            grouperDeprovisioningCacheArr[0] = new GrouperDeprovisioningCache();
                            grouperDeprovisioningCacheArr[0].setDeprovisionedSubjectSet(new HashSet());
                            grouperDeprovisioningCacheArr[0].setDeprovisionedSubjectSetMap(new HashMap());
                            MembershipFinder assignEnabled = new MembershipFinder().assignEnabled(true);
                            HashMap hashMap = new HashMap();
                            String retrieveDeprovisioningAdminGroupName = GrouperDeprovisioningSettings.retrieveDeprovisioningAdminGroupName();
                            int i = 1;
                            assignEnabled.addGroup(retrieveDeprovisioningAdminGroupName);
                            hashMap.put(retrieveDeprovisioningAdminGroupName, GrouperDeprovisioningLogic.multiKeyMapDeprovisioningAdmins());
                            for (GrouperDeprovisioningAffiliation grouperDeprovisioningAffiliation : GrouperDeprovisioningAffiliation.retrieveAllAffiliations().values()) {
                                assignEnabled.addGroup(grouperDeprovisioningAffiliation.getManagersGroupName());
                                hashMap.put(grouperDeprovisioningAffiliation.getManagersGroupName(), GrouperDeprovisioningLogic.multiKeyMapAffiliationAdmins(grouperDeprovisioningAffiliation.getLabel()));
                                i = i + 1 + 1;
                                assignEnabled.addGroup(grouperDeprovisioningAffiliation.getUsersWhoHaveBeenDeprovisionedGroupName());
                                hashMap.put(grouperDeprovisioningAffiliation.getUsersWhoHaveBeenDeprovisionedGroupName(), GrouperDeprovisioningLogic.multiKeyMapAffiliationDeprovisionedGroup(grouperDeprovisioningAffiliation.getLabel()));
                                String groupNameMeansInAffiliation = grouperDeprovisioningAffiliation.getGroupNameMeansInAffiliation();
                                if (!StringUtils.isBlank(groupNameMeansInAffiliation)) {
                                    i++;
                                    assignEnabled.addGroup(groupNameMeansInAffiliation);
                                    hashMap.put(groupNameMeansInAffiliation, GrouperDeprovisioningLogic.multiKeyMapInAffiliationGroup(grouperDeprovisioningAffiliation));
                                }
                            }
                            if (map != null) {
                                map.put("cacheHelperGroupCount", Integer.valueOf(i));
                            }
                            MembershipResult findMembershipResult = assignEnabled.assignField(Group.getDefaultList()).findMembershipResult();
                            if (map != null) {
                                map.put("cacheHelperMembershipCount", Integer.valueOf(findMembershipResult.getMembershipsOwnersMembers().size()));
                            }
                            for (Object[] objArr : findMembershipResult.getMembershipsOwnersMembers()) {
                                MultiKey multiKey = (MultiKey) hashMap.get(((Group) objArr[1]).getName());
                                Member member = (Member) objArr[2];
                                grouperDeprovisioningCacheArr[0].getDeprovisionedSubjectSet().add(new MultiKey(multiKey.getKey(0), multiKey.getKey(1), member.getSubjectSourceId(), member.getSubjectId()));
                                Set<Subject> set = grouperDeprovisioningCacheArr[0].getDeprovisionedSubjectSetMap().get(multiKey);
                                if (set == null) {
                                    set = new HashSet();
                                    grouperDeprovisioningCacheArr[0].getDeprovisionedSubjectSetMap().put(multiKey, set);
                                }
                                set.add(member.getSubject());
                            }
                            GrouperDeprovisioningLogic.deprovisionedSubjectCache.put(Boolean.TRUE, grouperDeprovisioningCacheArr[0]);
                            GrouperDeprovisioningLogic.grouperDeprovisioningCacheFailsafe = grouperDeprovisioningCacheArr[0];
                            GrouperDeprovisioningLogic.deprovisionedSubjectCacheLastRetrievedNanos = System.nanoTime();
                            return null;
                        }
                    });
                } else if (map != null) {
                    map.put("cacheHelperEarlyExit", true);
                    map.put("cacheHelperHasCache", Boolean.valueOf(z4));
                    map.put("cacheHelperNewEnoughCache", Boolean.valueOf(z5));
                }
                grouperDeprovisioningCache = grouperDeprovisioningCacheArr[0];
            }
            return grouperDeprovisioningCache;
        } finally {
            if (map != null) {
                map.put("cacheHelperTook", ((nanoTime - System.nanoTime()) / 1000000) + "ms");
            }
        }
    }

    private static MultiKey multiKeyMapInAffiliationGroup(GrouperDeprovisioningAffiliation grouperDeprovisioningAffiliation) {
        return new MultiKey(grouperDeprovisioningAffiliation.getLabel(), "inAffiliationGroup");
    }

    private static MultiKey multiKeyMapAffiliationDeprovisionedGroup(String str) {
        return new MultiKey(str, "deprovisionedGroup");
    }

    private static MultiKey multiKeyMapAffiliationAdmins(String str) {
        return new MultiKey(str, "deprovisioningAdmins");
    }

    private static MultiKey multiKeySetAffiliationAdmins(String str, Subject subject) {
        return new MultiKey(str, "deprovisioningAdmins", subject.getSourceId(), subject.getId());
    }

    private static MultiKey multiKeyMapDeprovisioningAdmins() {
        return new MultiKey((Object) null, "deprovisioningAdmins");
    }

    public static Set<Subject> deprovisionedSubjectsForAffiliation(String str, boolean z) {
        if (!GrouperDeprovisioningSettings.deprovisioningEnabled()) {
            return new HashSet();
        }
        GrouperDeprovisioningCache grouperDeprovisioningCache = grouperDeprovisioningCache(z);
        return GrouperUtil.nonNull((Set) grouperDeprovisioningCache.getDeprovisionedSubjectSetMap().get(multiKeyMapAffiliationDeprovisionedGroup(str)));
    }

    public static boolean deprovisionedSubject(Subject subject, String str, boolean z) {
        if (!GrouperDeprovisioningSettings.deprovisioningEnabled()) {
            return false;
        }
        GrouperDeprovisioningCache grouperDeprovisioningCache = grouperDeprovisioningCache(z);
        return grouperDeprovisioningCache.getDeprovisionedSubjectSet().contains(multiKeySetAffiliationDeprovisionedGroup(str, subject));
    }

    public static boolean deprovisionedSubject(Subject subject, boolean z) {
        if (!GrouperDeprovisioningSettings.deprovisioningEnabled()) {
            return false;
        }
        Iterator<GrouperDeprovisioningAffiliation> it = GrouperDeprovisioningAffiliation.retrieveAllAffiliations().values().iterator();
        while (it.hasNext()) {
            if (deprovisionedSubject(subject, it.next().getLabel(), z)) {
                return true;
            }
        }
        return false;
    }

    public static void updateLastCertifiedDate(GrouperObject grouperObject, Date date) {
        GrouperDeprovisioningOverallConfiguration retrieveConfiguration = GrouperDeprovisioningOverallConfiguration.retrieveConfiguration(grouperObject, true);
        Iterator<String> it = retrieveConfiguration.getAffiliationToConfiguration().keySet().iterator();
        while (it.hasNext()) {
            GrouperDeprovisioningConfiguration grouperDeprovisioningConfiguration = retrieveConfiguration.getAffiliationToConfiguration().get(it.next());
            if (grouperDeprovisioningConfiguration.isHasDatabaseConfiguration() && grouperDeprovisioningConfiguration.getOriginalConfig().isDeprovision()) {
                grouperDeprovisioningConfiguration.getNewConfig().setCertifiedDate(date);
                grouperDeprovisioningConfiguration.storeConfiguration();
            }
        }
    }

    public static void removeAccess(final Membership membership) {
        GrouperSession.callbackGrouperSession(GrouperSession.staticGrouperSession().internal_getRootSession(), new GrouperSessionHandler() { // from class: edu.internet2.middleware.grouper.app.deprovisioning.GrouperDeprovisioningLogic.3
            @Override // edu.internet2.middleware.grouper.misc.GrouperSessionHandler
            public Object callback(GrouperSession grouperSession) throws GrouperSessionException {
                Subject subject = Membership.this.getMember().getSubject();
                Group ownerGroup = Membership.this.getOwnerGroupId() != null ? Membership.this.getOwnerGroup() : null;
                if (ownerGroup != null) {
                    GrouperDeprovisioningLogic.removeAccess(ownerGroup, subject);
                }
                AttributeDef ownerAttributeDef = Membership.this.getOwnerAttrDefId() != null ? Membership.this.getOwnerAttributeDef() : null;
                if (ownerAttributeDef != null) {
                    GrouperDeprovisioningLogic.removeAccess(ownerAttributeDef, subject);
                }
                Stem ownerStem = Membership.this.getOwnerStemId() != null ? Membership.this.getOwnerStem() : null;
                if (ownerStem == null) {
                    return null;
                }
                GrouperDeprovisioningLogic.removeAccess(ownerStem, subject);
                return null;
            }
        });
    }

    public static void removeAccess(final Group group, final Subject subject) {
        GrouperSession.callbackGrouperSession(GrouperSession.staticGrouperSession().internal_getRootSession(), new GrouperSessionHandler() { // from class: edu.internet2.middleware.grouper.app.deprovisioning.GrouperDeprovisioningLogic.4
            @Override // edu.internet2.middleware.grouper.misc.GrouperSessionHandler
            public Object callback(GrouperSession grouperSession) throws GrouperSessionException {
                Group.this.deleteMember(subject, false);
                Iterator<Privilege> it = AccessPrivilege.ALL_PRIVILEGES.iterator();
                while (it.hasNext()) {
                    Group.this.revokePriv(subject, it.next(), false);
                }
                return null;
            }
        });
    }

    public static void removeAccess(final AttributeDef attributeDef, final Subject subject) {
        GrouperSession.callbackGrouperSession(GrouperSession.staticGrouperSession().internal_getRootSession(), new GrouperSessionHandler() { // from class: edu.internet2.middleware.grouper.app.deprovisioning.GrouperDeprovisioningLogic.5
            @Override // edu.internet2.middleware.grouper.misc.GrouperSessionHandler
            public Object callback(GrouperSession grouperSession) throws GrouperSessionException {
                Iterator<Privilege> it = AttributeDefPrivilege.ALL_PRIVILEGES.iterator();
                while (it.hasNext()) {
                    AttributeDef.this.getPrivilegeDelegate().revokePriv(subject, it.next(), false);
                }
                return null;
            }
        });
    }

    public static void removeAccess(final Stem stem, final Subject subject) {
        GrouperSession.callbackGrouperSession(GrouperSession.staticGrouperSession().internal_getRootSession(), new GrouperSessionHandler() { // from class: edu.internet2.middleware.grouper.app.deprovisioning.GrouperDeprovisioningLogic.6
            @Override // edu.internet2.middleware.grouper.misc.GrouperSessionHandler
            public Object callback(GrouperSession grouperSession) throws GrouperSessionException {
                Iterator<Privilege> it = NamingPrivilege.ALL_PRIVILEGES.iterator();
                while (it.hasNext()) {
                    Stem.this.revokePriv(subject, it.next(), false);
                }
                return null;
            }
        });
    }

    public static boolean allowedToDeprovision(Subject subject) {
        if (GrouperDeprovisioningSettings.deprovisioningEnabled()) {
            return PrivilegeHelper.isWheelOrRoot(subject) || GrouperUtil.length(GrouperDeprovisioningAffiliation.retrieveAffiliationsForUserManager(subject)) > 0;
        }
        return false;
    }

    private static MultiKey multiKeySetAffiliationDeprovisionedGroup(String str, Subject subject) {
        return new MultiKey(str, "deprovisionedGroup", subject.getSourceId(), subject.getId());
    }

    private static MultiKey multiKeySetDeprovisioningAdmins(Subject subject) {
        return new MultiKey(null, "deprovisioningAdmins", subject.getSourceId(), subject.getId());
    }

    private static MultiKey multiKeySetInAffiliationGroup(String str, Subject subject) {
        return new MultiKey(str, "inAffiliationGroup", subject.getSourceId(), subject.getId());
    }

    public static boolean affiliationAdmin(Subject subject, String str, boolean z, boolean z2, boolean z3) {
        if (!GrouperDeprovisioningSettings.deprovisioningEnabled()) {
            return false;
        }
        GrouperDeprovisioningCache grouperDeprovisioningCache = grouperDeprovisioningCache(z3);
        if (grouperDeprovisioningCache.getDeprovisionedSubjectSet().contains(multiKeySetAffiliationAdmins(str, subject))) {
            return true;
        }
        if (z) {
            if (grouperDeprovisioningCache.getDeprovisionedSubjectSet().contains(multiKeySetDeprovisioningAdmins(subject))) {
                return true;
            }
        }
        return z2 && PrivilegeHelper.isWheelOrRoot(subject);
    }

    public static Set<String> affiliationsToDeprovision(GrouperObject grouperObject) {
        TreeSet treeSet = new TreeSet();
        for (GrouperDeprovisioningConfiguration grouperDeprovisioningConfiguration : GrouperDeprovisioningOverallConfiguration.retrieveConfiguration(grouperObject, true).getAffiliationToConfiguration().values()) {
            if (grouperDeprovisioningConfiguration.getOriginalConfig() != null && grouperDeprovisioningConfiguration.getOriginalConfig().isDeprovision()) {
                treeSet.add(grouperDeprovisioningConfiguration.getOriginalConfig().getAffiliationString());
            }
        }
        return treeSet;
    }

    public static Set<Subject> subjectsWhoAreDeprovisionedInRelationToOwner(GrouperObject grouperObject, boolean z) {
        HashSet hashSet = new HashSet();
        Iterator<DeprovisionedSubject> it = subjectsWhoAreDeprovisionedInRelationToOwnerWithAffiliations(grouperObject, z).iterator();
        while (it.hasNext()) {
            hashSet.add(it.next().getSubject());
        }
        return hashSet;
    }

    public static Set<DeprovisionedSubject> subjectsWhoAreDeprovisionedInRelationToOwnerWithAffiliations(GrouperObject grouperObject, boolean z) {
        Set<String> affiliationsToDeprovision = affiliationsToDeprovision(grouperObject);
        HashMap hashMap = new HashMap();
        for (String str : GrouperUtil.nonNull((Set) affiliationsToDeprovision)) {
            for (Subject subject : deprovisionedSubjectsForAffiliation(str, z)) {
                DeprovisionedSubject deprovisionedSubject = (DeprovisionedSubject) hashMap.get(subject);
                if (deprovisionedSubject == null) {
                    deprovisionedSubject = new DeprovisionedSubject();
                    deprovisionedSubject.setSubject(subject);
                    deprovisionedSubject.setAffiliations(new TreeSet());
                    hashMap.put(subject, deprovisionedSubject);
                }
                deprovisionedSubject.getAffiliations().add(str);
            }
        }
        Iterator it = hashMap.entrySet().iterator();
        while (it.hasNext()) {
            Subject subject2 = (Subject) ((Map.Entry) it.next()).getKey();
            for (String str2 : GrouperUtil.nonNull((Set) affiliationsToDeprovision)) {
                if (!deprovisionedSubject(subject2, str2, z) && inAffiliationGroup(subject2, str2, z)) {
                    it.remove();
                }
            }
        }
        return new HashSet(hashMap.values());
    }

    public static boolean inAffiliationGroup(Subject subject, String str, boolean z) {
        if (!GrouperDeprovisioningSettings.deprovisioningEnabled()) {
            return false;
        }
        GrouperDeprovisioningCache grouperDeprovisioningCache = grouperDeprovisioningCache(z);
        return grouperDeprovisioningCache.getDeprovisionedSubjectSet().contains(multiKeySetInAffiliationGroup(str, subject));
    }

    public static boolean shouldAddSubject(GrouperSession grouperSession, Group group, Subject subject) {
        Group findByName;
        Map<String, GrouperDeprovisioningAffiliation> retrieveAllAffiliations = GrouperDeprovisioningAffiliation.retrieveAllAffiliations();
        GrouperDeprovisioningOverallConfiguration retrieveConfiguration = GrouperDeprovisioningOverallConfiguration.retrieveConfiguration(group, true);
        for (String str : affiliationsToDeprovision(group)) {
            if (deprovisionedSubjectsForAffiliation(str, true).contains(subject)) {
                if (!retrieveConfiguration.getAffiliationToConfiguration().get(str).getOriginalConfig().isAutoChangeLoader()) {
                    return true;
                }
                boolean z = false;
                Set<String> affiliationsToDeprovision = affiliationsToDeprovision(group);
                affiliationsToDeprovision.remove(str);
                Iterator<String> it = affiliationsToDeprovision.iterator();
                while (it.hasNext()) {
                    GrouperDeprovisioningAffiliation grouperDeprovisioningAffiliation = retrieveAllAffiliations.get(it.next());
                    if (StringUtils.isNotBlank(grouperDeprovisioningAffiliation.getGroupNameMeansInAffiliation()) && (findByName = GroupFinder.findByName(grouperSession, grouperDeprovisioningAffiliation.getGroupNameMeansInAffiliation(), false)) != null && findByName.hasMember(subject)) {
                        z = true;
                    }
                }
                if (!z) {
                    return false;
                }
            }
        }
        return true;
    }
}
