package edu.internet2.middleware.grouper.hooks.examples;

import edu.internet2.middleware.grouper.Group;
import edu.internet2.middleware.grouper.GroupFinder;
import edu.internet2.middleware.grouper.GroupType;
import edu.internet2.middleware.grouper.GroupTypeFinder;
import edu.internet2.middleware.grouper.GroupTypeTuple;
import edu.internet2.middleware.grouper.GrouperSession;
import edu.internet2.middleware.grouper.cfg.GrouperConfig;
import edu.internet2.middleware.grouper.hooks.GroupTypeTupleHooks;
import edu.internet2.middleware.grouper.hooks.beans.HooksContext;
import edu.internet2.middleware.grouper.hooks.beans.HooksGroupTypeTupleBean;
import edu.internet2.middleware.grouper.hooks.logic.GrouperHookType;
import edu.internet2.middleware.grouper.hooks.logic.GrouperHooksUtils;
import edu.internet2.middleware.grouper.hooks.logic.HookVeto;
import edu.internet2.middleware.grouper.misc.GrouperCheckConfig;
import edu.internet2.middleware.grouper.privs.PrivilegeHelper;
import edu.internet2.middleware.grouper.util.GrouperUtil;
import edu.internet2.middleware.subject.Subject;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;

/* loaded from: input_file:WEB-INF/lib/grouper-5.0.3.jar:edu/internet2/middleware/grouper/hooks/examples/GroupTypeSecurityHook.class */
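/**
 * Hook that restricts who may add a group type to, or remove one from, a group.
 *
 * <p>Rules come from {@link GrouperCheckConfig#typeSecuritySettings()} and are cached here. Each
 * setting key is parsed with {@link GrouperCheckConfig#typeSecurityPattern}: capture group 1 is
 * the group type name, capture group 2 is the rule kind.
 * <ul>
 *   <li>{@code allowOnlyGroup}: the setting value names a group whose members may edit the type.</li>
 *   <li>{@code wheelOnly}: only sessions that {@link PrivilegeHelper} reports as wheel or root may
 *       edit the type.</li>
 * </ul>
 * Wheel and root sessions pass every rule. A group type with no rule is not restricted by this
 * hook (default allow), so an emptied rule cache disables enforcement.
 *
 * <p>NOTE(review): the checks run in the post-insert and post-delete callbacks; presumably a
 * {@link HookVeto} thrown there aborts the enclosing transaction. Confirm against the hook
 * framework.
 */
public class GroupTypeSecurityHook extends GroupTypeTupleHooks {
    private static final Log LOG = GrouperUtil.getLog(GroupTypeSecurityHook.class);

    /** True once registerHookIfNecessary has run to completion, whether or not rules were found. */
    private static boolean registered = false;

    /** True once rules were found and the hooks were added. */
    private static boolean registeredSuccess = false;

    // The two rule caches are replaced wholesale and never mutated after publication, so a reader
    // always sees a fully built collection and a failed reload leaves the previous rules in force.

    /** Group type name to the name of the group whose members may edit that type. */
    private static volatile Map<String, String> groupTypeToGroupMap = new LinkedHashMap<String, String>();

    /** Group type names that only wheel or root sessions may edit. */
    private static volatile Set<String> groupTypeWheelOnly = new LinkedHashSet<String>();

    /**
     * Resets the registration flags and empties both rule caches.
     *
     * <p>Nothing here removes hooks that were already added through {@link GrouperHooksUtils};
     * with empty caches {@link #vetoIfNecessary} allows every edit.
     */
    public static void clearHook() {
        registered = false;
        registeredSuccess = false;
        groupTypeToGroupMap = new LinkedHashMap<String, String>();
        groupTypeWheelOnly = new LinkedHashSet<String>();
    }

    /**
     * Loads the type security rules and, if any exist, adds this hook and
     * {@link AttributeSecurityFromTypeHook}.
     *
     * @param z when true, re-check the configuration even if a previous call already ran; it is
     *     still a no-op once the hooks were added successfully
     */
    public static void registerHookIfNecessary(boolean z) {
        if (registered && !z) {
            return;
        }
        if (z && registeredSuccess) {
            return;
        }
        if (resetCacheSettings()) {
            registeredSuccess = true;
            LOG.debug("Registering hooks GroupTypeSecurityHook and AttributeSecurityFromTypeHook since configured in grouper.properties");
            GrouperHooksUtils.addHookManual(GrouperHookType.GROUP_TYPE_TUPLE.getPropertyFileKey(), GroupTypeSecurityHook.class);
            GrouperHooksUtils.addHookManual(GrouperHookType.ATTRIBUTE.getPropertyFileKey(), AttributeSecurityFromTypeHook.class);
        }
        registered = true;
    }

    /**
     * Rebuilds both rule caches from the current configuration.
     *
     * <p>The new rules are assembled in local collections and published only after every setting
     * parsed. If a setting is rejected the exception propagates and the previously cached rules
     * stay in force, instead of leaving the caches emptied or half filled.
     *
     * @return true if at least one setting was found, false if there are none (caches are emptied)
     * @throws IllegalStateException if a setting key does not match the expected pattern
     * @throws RuntimeException if a setting uses an unsupported rule kind
     */
    public static boolean resetCacheSettings() {
        Map<String, String> settings = GrouperUtil.nonNull(GrouperCheckConfig.typeSecuritySettings());
        Map<String, String> typeToGroup = new LinkedHashMap<String, String>();
        Set<String> wheelOnlyTypes = new LinkedHashSet<String>();

        if (settings.size() <= 0) {
            groupTypeToGroupMap = typeToGroup;
            groupTypeWheelOnly = wheelOnlyTypes;
            return false;
        }

        for (Map.Entry<String, String> setting : settings.entrySet()) {
            String key = setting.getKey();
            Matcher matcher = GrouperCheckConfig.typeSecurityPattern.matcher(key);
            // Reading a capture group from a failed match raises IllegalStateException without
            // saying which key was at fault, so check the result and name the key.
            if (!matcher.matches()) {
                throw new IllegalStateException("Type security setting key does not match the expected pattern: " + key);
            }
            String typeName = matcher.group(1);
            String ruleKind = matcher.group(2);

            if (StringUtils.equalsIgnoreCase("allowOnlyGroup", ruleKind)) {
                String allowedGroupName = setting.getValue();
                typeToGroup.put(typeName, allowedGroupName);
                LOG.debug("Registering and caching setting to secure group type '" + typeName + "' to be editable only by group name: '" + allowedGroupName + "'");
            } else if (StringUtils.equalsIgnoreCase("wheelOnly", ruleKind)) {
                wheelOnlyTypes.add(typeName);
                LOG.debug("Registering and caching setting to secure group type '" + typeName + "' to be editable only by wheel group members");
            } else {
                throw new RuntimeException("Setting type: " + ruleKind + " not supported!");
            }
        }

        groupTypeToGroupMap = typeToGroup;
        groupTypeWheelOnly = wheelOnlyTypes;
        return true;
    }

    /**
     * Throws a veto when the subject of the static session may not edit the given type on a group.
     *
     * <p>Decision order: no rule for the type allows; membership in the group configured for the
     * type allows; otherwise only wheel or root sessions are allowed. A configured group that
     * cannot be found grants nothing, so the check falls through to wheel or root (fails closed).
     *
     * @param str uuid of the group being edited; used only to build log messages
     * @param str2 uuid of the group type being added or removed
     * @param str3 short description of the operation, used in log and veto messages
     * @throws HookVeto if the subject is not allowed to make the edit
     * @throws RuntimeException if the check itself fails; the edit is not allowed in that case
     */
    public static void vetoIfNecessary(String str, String str2, String str3) throws HookVeto {
        GrouperSession grouperSession = GrouperSession.staticGrouperSession();
        String groupLabel = str;
        // Declared outside the try so the handlers below can log who was being checked.
        Subject subject = null;
        try {
            subject = grouperSession.getSubject();
            GroupType groupType = GroupTypeFinder.findByUuid(str2, true);
            String typeName = groupType.getName();

            // Read each cache reference once so the whole decision uses one set of rules.
            Map<String, String> typeToGroup = groupTypeToGroupMap;
            Set<String> wheelOnlyTypes = groupTypeWheelOnly;
            String requiredGroupName = typeToGroup.get(typeName);
            boolean hasGroupRule = !StringUtils.isBlank(requiredGroupName);
            boolean wheelOnly = wheelOnlyTypes.contains(typeName);

            if (LOG.isDebugEnabled()) {
                try {
                    groupLabel = StringUtils.defaultIfEmpty(
                            GroupFinder.findByUuid(grouperSession.internal_getRootSession(), str, true).getName(), groupLabel);
                } catch (Exception ignored) {
                    // Best effort: the name only makes the log lines readable, keep the uuid.
                }
            }

            if (!hasGroupRule && !wheelOnly) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Allowing since cant find rule for groupType: " + typeName + ", " + str3 + ", on group: " + groupLabel + " only have rules for wheel: " + GrouperUtil.setToString(wheelOnlyTypes) + ", and groups: " + GrouperUtil.mapToString(typeToGroup));
                }
                return;
            }

            if (hasGroupRule) {
                // Looked up through the root session so the lookup does not depend on what the
                // acting subject is allowed to see.
                Group requiredGroup = GroupFinder.findByName(grouperSession.internal_getRootSession(), requiredGroupName, false);
                if (requiredGroup == null) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Cant find group: " + requiredGroupName + " which holds security for type: " + typeName);
                    }
                } else if (requiredGroup.hasMember(subject)) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Allowed to edit type: " + typeName + " on group: " + groupLabel + " since user: " + GrouperUtil.subjectToString(subject) + " is in group: " + requiredGroupName);
                    }
                    return;
                }
            }

            if (!PrivilegeHelper.isWheel(grouperSession) && !PrivilegeHelper.isRoot(grouperSession)) {
                // A wheel-only type has no group name; say so instead of "not in group: null".
                String why = hasGroupRule
                        ? " is not in group: " + requiredGroupName
                        : " is not a wheel or root user";
                throw new HookVeto("cantEditTypeNotInGroup", "Not allowed to edit type: " + typeName + ", " + str3 + " since the user " + GrouperUtil.subjectToString(subject) + why);
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("Allowed to edit type: " + typeName + " on group: " + groupLabel + " since user: " + GrouperUtil.subjectToString(subject) + " is wheel or root");
            }
        } catch (HookVeto veto) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Veto for " + str3 + " on group: " + groupLabel + " based on session subject: " + GrouperUtil.subjectToString(subject) + ": " + veto.getReason());
            }
            throw veto;
        } catch (RuntimeException e) {
            logCheckFailure(str3, groupLabel, subject, e);
            throw e;
        } catch (Exception e) {
            logCheckFailure(str3, groupLabel, subject, e);
            throw new RuntimeException(e);
        }
    }

    /** Logs, at debug level, that the permission check itself failed. */
    private static void logCheckFailure(String operation, String groupLabel, Subject subject, Exception cause) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Error finding if veto for " + operation + " on group: " + groupLabel + " for subject: " + GrouperUtil.subjectToString(subject), cause);
        }
    }

    /**
     * Finds the group configured for an include/exclude "andGroup" attribute name.
     *
     * <p>Walks {@code grouperIncludeExclude.requireGroup.name.N} for N = 0, 1, 2, ... until an
     * entry equals the given name, then returns {@code grouperIncludeExclude.requireGroup.group.N}.
     * The first blank name entry ends the search.
     *
     * @param str attribute name to look up
     * @return the configured value of the matching {@code ...requireGroup.group.N} entry
     * @throws RuntimeException if no name entry matches
     */
    public static String groupNameFromAndGroupAttributeName(String str) {
        for (int index = 0; ; index++) {
            String configuredName = GrouperConfig.retrieveConfig().propertyValueString("grouperIncludeExclude.requireGroup.name." + index);
            if (StringUtils.isBlank(configuredName)) {
                throw new RuntimeException("Cant find config entry for andGroup attribute name: " + str + ", e.g. config name: grouperIncludeExclude.requireGroup.name.{i}");
            }
            if (StringUtils.equals(str, configuredName)) {
                return GrouperConfig.retrieveConfig().propertyValueString("grouperIncludeExclude.requireGroup.group." + index);
            }
        }
    }

    /** Checks whether the session subject may remove the type from the group. */
    @Override // edu.internet2.middleware.grouper.hooks.GroupTypeTupleHooks
    public void groupTypeTuplePostDelete(HooksContext hooksContext, HooksGroupTypeTupleBean hooksGroupTypeTupleBean) {
        groupTypeTupleHelper(hooksGroupTypeTupleBean, "removing type");
    }

    /** Checks whether the session subject may add the type to the group. */
    @Override // edu.internet2.middleware.grouper.hooks.GroupTypeTupleHooks
    public void groupTypeTuplePostInsert(HooksContext hooksContext, HooksGroupTypeTupleBean hooksGroupTypeTupleBean) {
        groupTypeTupleHelper(hooksGroupTypeTupleBean, "adding type");
    }

    /** Pulls the group and type uuids out of the hook bean and runs the permission check. */
    private void groupTypeTupleHelper(HooksGroupTypeTupleBean hooksGroupTypeTupleBean, String operation) {
        GroupTypeTuple tuple = hooksGroupTypeTupleBean.getGroupTypeTuple();
        vetoIfNecessary(tuple.getGroupUuid(), tuple.getTypeUuid(), operation);
    }

    /**
     * @return true if rules were found and the hooks were added
     */
    public static boolean isRegisteredSuccess() {
        return registeredSuccess;
    }
}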
