package io.imunity.upman.rest;

import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.transaction.Transactional;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.stereotype.Component;
import pl.edu.icm.unity.engine.api.AttributesManagement;
import pl.edu.icm.unity.engine.api.authn.InvocationContext;
import pl.edu.icm.unity.engine.api.authn.LoginSession;
import pl.edu.icm.unity.engine.api.project.RestGroupAuthorizationRole;
import pl.edu.icm.unity.exceptions.AuthorizationException;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.types.basic.AttributeExt;
import pl.edu.icm.unity.types.basic.EntityParam;

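/**
 * Authorization gate for the UpMan REST API: verifies that the authenticated client holds the
 * {@code manager} value of the {@code sys:ProjectManagementRESTAPIRole} attribute in a given group.
 *
 * <p>NOTE(review): the {@code "insecure"} qualifier presumably selects the
 * {@link AttributesManagement} variant that does not apply the engine's own authorization checks
 * (confirm against the bean definitions). If so, the checks in this class are the only access
 * control on the attribute read, and every REST operation must call
 * {@link #assertManagerAuthorization(String)} before touching project data.
 */
@Component
/* loaded from: input_file:io/imunity/upman/rest/UpmanRestAuthorizationManager.class */
class UpmanRestAuthorizationManager {
    /** Attribute name whose values are parsed into {@link RestGroupAuthorizationRole}. */
    private static final String ROLE_ATTRIBUTE = "sys:ProjectManagementRESTAPIRole";

    private final AttributesManagement attrDao;

    @Autowired
    public UpmanRestAuthorizationManager(@Qualifier("insecure") AttributesManagement attributesManagement) {
        this.attrDao = attributesManagement;
    }

    /**
     * Asserts that the current client is a project manager in the given group.
     *
     * @param str group in which the client's role attribute is looked up (passed as the group
     *            argument of the attribute query)
     * @throws AuthorizationException if there is no login session, the session uses an outdated
     *                                credential, the attribute lookup fails, or the
     *                                {@code manager} role is not among the attribute values
     */
    @Transactional
    public void assertManagerAuthorization(String str) throws AuthorizationException {
        assertClientIsProjectManager(str, getClient().getEntityId());
    }

    /**
     * Returns the login session of the current invocation.
     *
     * @throws AuthorizationException if no session is bound to the invocation context, or the
     *                                session was established with an outdated credential
     */
    private LoginSession getClient() throws AuthorizationException {
        LoginSession session = InvocationContext.getCurrent().getLoginSession();
        if (session == null) {
            throw new AuthorizationException("Access is denied. The client is not authenticated.");
        }
        // An outdated credential is only good for updating that credential, never for API calls.
        if (session.isUsedOutdatedCredential()) {
            throw new AuthorizationException("Access is denied. The client's credential is outdated and the only allowed operation is the credential update");
        }
        return session;
    }

    /**
     * Denies access unless the entity's role set in {@code group} contains {@code manager}.
     */
    private void assertClientIsProjectManager(String group, long entityId) throws AuthorizationException {
        Set<RestGroupAuthorizationRole> roles = getAuthManagerAttribute(group, entityId);
        if (!roles.contains(RestGroupAuthorizationRole.manager)) {
            // Message text, including the trailing quote character, is kept as clients see it today.
            throw new AuthorizationException("Access is denied. The operation requires project management RESTAPI Role”");
        }
    }

    /**
     * Collects every role stored in the entity's {@code sys:ProjectManagementRESTAPIRole}
     * attribute within {@code group}.
     *
     * @return the parsed roles; empty when the attribute is absent or has no values
     * @throws AuthorizationException if the attribute lookup raises an {@link EngineException}
     */
    private Set<RestGroupAuthorizationRole> getAuthManagerAttribute(String group, long entityId) throws AuthorizationException {
        try {
            Set<RestGroupAuthorizationRole> roles = new HashSet<>();
            for (AttributeExt attribute : this.attrDao.getAttributes(new EntityParam(Long.valueOf(entityId)), group, ROLE_ATTRIBUTE)) {
                for (String value : attribute.getValues()) {
                    // NOTE(review): valueOf presumably throws IllegalArgumentException for a stored
                    // value that is not a known role. That propagates as an unchecked exception
                    // (no access is granted), not as an AuthorizationException; confirm whether it
                    // should be mapped to an explicit denial.
                    roles.add(RestGroupAuthorizationRole.valueOf(value));
                }
            }
            return roles;
        } catch (EngineException e) {
            // Fail closed: any lookup failure is reported as a denial. The message names the
            // group; the previous text concatenated the exception variable into its own
            // initializer, which does not compile.
            // NOTE(review): the EngineException is discarded here, so the denial is
            // indistinguishable from a backend fault in logs. If AuthorizationException offers a
            // cause-taking constructor, pass e to it.
            throw new AuthorizationException("Access is denied. The operation requires user [" + entityId + "] to be a member of the " + group + " group");
        }
    }
}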
