package org.opencastproject.assetmanager.impl;

import com.entwinemedia.fn.Prelude;
import com.entwinemedia.fn.data.Opt;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import org.opencastproject.assetmanager.api.Asset;
import org.opencastproject.assetmanager.api.Availability;
import org.opencastproject.assetmanager.api.Property;
import org.opencastproject.assetmanager.api.PropertyId;
import org.opencastproject.assetmanager.api.Snapshot;
import org.opencastproject.assetmanager.api.Value;
import org.opencastproject.assetmanager.api.Version;
import org.opencastproject.assetmanager.api.query.ADeleteQuery;
import org.opencastproject.assetmanager.api.query.AQueryBuilder;
import org.opencastproject.assetmanager.api.query.ASelectQuery;
import org.opencastproject.assetmanager.api.query.PropertyField;
import org.opencastproject.assetmanager.api.query.Target;
import org.opencastproject.mediapackage.MediaPackage;
import org.opencastproject.security.api.AccessControlEntry;
import org.opencastproject.security.api.AccessControlList;
import org.opencastproject.security.api.AuthorizationService;
import org.opencastproject.security.api.Role;
import org.opencastproject.security.api.SecurityService;
import org.opencastproject.security.api.UnauthorizedException;
import org.opencastproject.security.api.User;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/opencastproject/assetmanager/impl/AssetManagerWithSecurity.class */
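/**
 * Authorization-enforcing decorator around a {@link TieredStorageAssetManager}.
 *
 * <p>Access decisions are made in {@link #isAuthorized(String, String)} and, for queries, by the
 * predicates appended in {@link #createQuery()}:
 * <ul>
 *   <li>{@code ROLE_ADMIN} (global admin) is never restricted;</li>
 *   <li>the organization admin role and {@code ROLE_CAPTURE_AGENT} are restricted to snapshots of the
 *       user's own organization;</li>
 *   <li>everybody else additionally needs a matching {@code "<role> | <action>"} property in
 *       {@link #SECURITY_NAMESPACE}. Those properties are written from the media package's active ACL
 *       every time a snapshot is taken (see {@link #storeAclAsProperties}).</li>
 * </ul>
 * Roles prefixed {@code ROLE_API_}, {@code ROLE_CAPTURE_AGENT_} and {@code ROLE_UI_} only take part in
 * ACL matching when the corresponding constructor flag is set.
 *
 * <p>Unauthorized access is reported by sneaky-throwing {@link UnauthorizedException} via
 * {@link Prelude#chuck(Throwable)}.
 */
public class AssetManagerWithSecurity extends AssetManagerDecorator<TieredStorageAssetManager> {
    private static final Logger logger = LoggerFactory.getLogger(AssetManagerWithSecurity.class);

    /** ACL action required for mutating operations. */
    public static final String WRITE_ACTION = "write";
    /** ACL action required for reading assets and properties. */
    public static final String READ_ACTION = "read";
    /** Property namespace in which a snapshot's ACL is mirrored as {@code "<role> | <action>"} properties. */
    public static final String SECURITY_NAMESPACE = "org.opencastproject.assetmanager.security";

    private final AuthorizationService authSvc;
    private final SecurityService secSvc;
    private final boolean includeAPIRoles;
    private final boolean includeCARoles;
    private final boolean includeUIRoles;
    /** Drops prefixed technical roles unless the matching include flag is set; applied before ACL matching. */
    private final Predicate<Role> roleFilter;

    /**
     * Administrative standing of the current user, as decided by {@link #isAdmin()}.
     * (Decompiler note: originally package-private; kept public here to leave the interface unchanged.)
     */
    public enum AdminRole {
        /** Holds {@code ROLE_ADMIN}: no restrictions at all. */
        GLOBAL,
        /** Holds the organization's admin role or {@code ROLE_CAPTURE_AGENT}: restricted to the own organization. */
        ORGANIZATION,
        /** Regular user: organization restriction plus ACL matching. */
        NONE
    }

    /**
     * Creates the decorator.
     *
     * @param delegate the asset manager all calls are forwarded to after the authorization check
     * @param authSvc used to obtain the active ACL of a media package when a snapshot is taken
     * @param secSvc provides the current user and organization
     * @param includeAPIRoles whether {@code ROLE_API_*} roles take part in ACL matching
     * @param includeCARoles whether {@code ROLE_CAPTURE_AGENT_*} roles take part in ACL matching
     * @param includeUIRoles whether {@code ROLE_UI_*} roles take part in ACL matching
     * @throws NullPointerException if {@code authSvc} or {@code secSvc} is null
     */
    public AssetManagerWithSecurity(TieredStorageAssetManager delegate, AuthorizationService authSvc,
            SecurityService secSvc, boolean includeAPIRoles, boolean includeCARoles, boolean includeUIRoles) {
        super(delegate);
        this.authSvc = Objects.requireNonNull(authSvc, "authSvc");
        this.secSvc = Objects.requireNonNull(secSvc, "secSvc");
        this.includeAPIRoles = includeAPIRoles;
        this.includeCARoles = includeCARoles;
        this.includeUIRoles = includeUIRoles;
        // Built after the flags are assigned so the lambda only reads fully initialized state.
        this.roleFilter = role -> {
            final String name = role.getName();
            if (!this.includeAPIRoles && name.startsWith("ROLE_API_")) {
                return false;
            }
            if (!this.includeCARoles && name.startsWith("ROLE_CAPTURE_AGENT_")) {
                return false;
            }
            return this.includeUIRoles || !name.startsWith("ROLE_UI_");
        };
    }

    /**
     * Takes a snapshot and mirrors the media package's active ACL into {@link #SECURITY_NAMESPACE}.
     *
     * <p>If no snapshot of the media package exists yet, it is treated as new: leftover properties are
     * cleared and no write check is performed (there is no ACL to check against). Otherwise the caller
     * needs {@link #WRITE_ACTION} on the existing snapshot.
     *
     * @throws UnauthorizedException (sneaky) if a snapshot exists and the user may not write it
     */
    @Override
    public Snapshot takeSnapshot(String owner, MediaPackage mediaPackage) {
        final String mpId = mediaPackage.getIdentifier().toString();
        final boolean isNewMediaPackage = !snapshotExists(mpId);
        if (isNewMediaPackage) {
            deleteProperties(mpId);
        } else if (!isAuthorized(mpId, WRITE_ACTION)) {
            return Prelude.<Snapshot>chuck(
                    new UnauthorizedException("Not allowed to take snapshot of media package " + mpId));
        }
        final Snapshot snapshot = super.takeSnapshot(owner, mediaPackage);
        storeAclAsProperties(snapshot, (AccessControlList) this.authSvc.getActiveAcl(mediaPackage).getA());
        return snapshot;
    }

    /**
     * Forwards after a {@link #WRITE_ACTION} check on {@code mediaPackageId}.
     *
     * @throws UnauthorizedException (sneaky) if the user may not write the episode
     */
    @Override
    public void setAvailability(Version version, String mediaPackageId, Availability availability) {
        if (!isAuthorized(mediaPackageId, WRITE_ACTION)) {
            Prelude.chuck(new UnauthorizedException("Not allowed to set availability of episode " + mediaPackageId));
            return;
        }
        super.setAvailability(version, mediaPackageId, availability);
    }

    /**
     * Forwards after a {@link #WRITE_ACTION} check on the property's media package.
     *
     * @throws UnauthorizedException (sneaky) if the user may not write the episode
     */
    @Override
    public boolean setProperty(Property property) {
        final String mediaPackageId = property.getId().getMediaPackageId();
        if (!isAuthorized(mediaPackageId, WRITE_ACTION)) {
            return Prelude.<Boolean>chuck(
                    new UnauthorizedException("Not allowed to set property on episode " + mediaPackageId));
        }
        return super.setProperty(property);
    }

    /**
     * Forwards after a {@link #READ_ACTION} check on {@code mediaPackageId}.
     *
     * @throws UnauthorizedException (sneaky) if the user may not read the snapshot
     */
    @Override
    public Opt<Asset> getAsset(Version version, String mediaPackageId, String mediaPackageElementId) {
        if (!isAuthorized(mediaPackageId, READ_ACTION)) {
            return Prelude.<Opt<Asset>>chuck(new UnauthorizedException(
                    String.format("Not allowed to read assets of snapshot %s, version=%s", mediaPackageId, version)));
        }
        return super.getAsset(version, mediaPackageId, mediaPackageElementId);
    }

    /**
     * Returns a query builder whose select and delete queries are narrowed according to the user's
     * {@link AdminRole}: no restriction for global admins, organization restriction for organization
     * admins, and organization plus ACL restriction ({@link #READ_ACTION} for select,
     * {@link #WRITE_ACTION} for delete) for everybody else.
     */
    @Override
    public AQueryBuilder createQuery() {
        return new AQueryBuilderDecorator(super.createQuery()) {
            @Override
            public ASelectQuery select(Target... targets) {
                switch (AssetManagerWithSecurity.this.isAdmin()) {
                    case GLOBAL:
                        return super.select(targets);
                    case ORGANIZATION:
                        return super.select(targets).where(AssetManagerWithSecurity.this.restrictToUsersOrganization());
                    default:
                        return super.select(targets)
                                .where(AssetManagerWithSecurity.this.mkAuthPredicate(AssetManagerWithSecurity.READ_ACTION));
                }
            }

            @Override
            public ADeleteQuery delete(String owner, Target target) {
                switch (AssetManagerWithSecurity.this.isAdmin()) {
                    case GLOBAL:
                        return super.delete(owner, target);
                    case ORGANIZATION:
                        return super.delete(owner, target).where(AssetManagerWithSecurity.this.restrictToUsersOrganization());
                    default:
                        return super.delete(owner, target)
                                .where(AssetManagerWithSecurity.this.mkAuthPredicate(AssetManagerWithSecurity.WRITE_ACTION));
                }
            }
        };
    }

    /**
     * Forwards after a {@link #READ_ACTION} check on {@code mediaPackageId}.
     *
     * @throws UnauthorizedException (sneaky) if the user may not read the event's properties
     */
    @Override
    public List<Property> selectProperties(String mediaPackageId, String namespace) {
        if (!isAuthorized(mediaPackageId, READ_ACTION)) {
            return Prelude.<List<Property>>chuck(
                    new UnauthorizedException(String.format("Not allowed to read properties of event %s", mediaPackageId)));
        }
        return super.selectProperties(mediaPackageId, namespace);
    }

    /** Unrestricted query builder of the delegate, used to build the restriction predicates themselves. */
    private AQueryBuilder q() {
        return this.delegate.createQuery();
    }

    /**
     * Builds the query predicate for a non-admin user: any of the user's (filtered) roles has a
     * {@code "<role> | <action>"} property equal to {@code true}, and the snapshot belongs to the user's
     * organization. A user with no remaining roles gets an always-false predicate.
     * (Decompiler note: originally private.)
     */
    public org.opencastproject.assetmanager.api.query.Predicate mkAuthPredicate(String action) {
        final AQueryBuilder q = q();
        final org.opencastproject.assetmanager.api.query.Predicate anyRoleAllowed =
                this.secSvc.getUser().getRoles().stream()
                        .filter(this.roleFilter)
                        .map(role -> mkSecurityProperty(q, role.getName(), action).eq(true))
                        .reduce((left, right) -> left.or(right))
                        .orElseGet(() -> q.always().not());
        return anyRoleAllowed.and(restrictToUsersOrganization());
    }

    /**
     * Predicate matching only snapshots of the current user's organization.
     * (Decompiler note: originally private.)
     */
    public org.opencastproject.assetmanager.api.query.Predicate restrictToUsersOrganization() {
        return q().organizationId().eq(this.secSvc.getUser().getOrganization().getId());
    }

    /**
     * Decides whether the current user may perform {@code action} on {@code mediaPackageId}.
     *
     * <p>Global admins are always allowed. Organization admins are allowed if a snapshot of the media
     * package exists in their organization. Everybody else additionally needs one of their (filtered)
     * roles to appear as a {@code "<role> | <action>"} property in {@link #SECURITY_NAMESPACE}.
     *
     * @return true if access is granted
     */
    private boolean isAuthorized(String mediaPackageId, String action) {
        switch (isAdmin()) {
            case GLOBAL:
                logger.debug("Access granted since user is global admin");
                return true;
            case ORGANIZATION:
                logger.debug("User is organization admin. Checking organization. Checking organization ID of asset.");
                return snapshotExists(mediaPackageId, this.secSvc.getOrganization().getId());
            default:
                logger.debug("Non admin user. Checking organization.");
                if (!snapshotExists(mediaPackageId, this.secSvc.getOrganization().getId())) {
                    return false;
                }
                logger.debug("Non admin user. Checking ACL rules.");
                // Property names the user's roles would need; a set makes the match below linear.
                final Set<String> wantedPropertyNames = this.secSvc.getUser().getRoles().stream()
                        .filter(this.roleFilter)
                        .map(role -> mkPropertyName(role.getName(), action))
                        .collect(Collectors.toSet());
                // NOTE(review): only the property name is matched here, while storeAclAsProperties also
                // records the entry's allow/deny flag as the value and mkAuthPredicate requires eq(true).
                // A deny entry for one of the user's roles therefore satisfies this check — confirm
                // whether deny entries can reach this namespace.
                return super.selectProperties(mediaPackageId, SECURITY_NAMESPACE).stream()
                        .map(property -> property.getId().getName())
                        .anyMatch(wantedPropertyNames::contains);
        }
    }

    /**
     * Classifies the current user: {@code ROLE_ADMIN} is {@link AdminRole#GLOBAL}; the organization's
     * admin role or {@code ROLE_CAPTURE_AGENT} is {@link AdminRole#ORGANIZATION}; anything else is
     * {@link AdminRole#NONE}. (Decompiler note: originally private.)
     */
    public AdminRole isAdmin() {
        final User user = this.secSvc.getUser();
        if (user.hasRole("ROLE_ADMIN")) {
            return AdminRole.GLOBAL;
        }
        if (user.hasRole(this.secSvc.getOrganization().getAdminRole()) || user.hasRole("ROLE_CAPTURE_AGENT")) {
            return AdminRole.ORGANIZATION;
        }
        return AdminRole.NONE;
    }

    /**
     * Replaces all properties of the snapshot's media package in {@link #SECURITY_NAMESPACE} with one
     * Boolean property per ACL entry, named {@code "<role> | <action>"} and valued with the entry's
     * allow flag. Goes through the delegate directly so no authorization check recurses.
     */
    private void storeAclAsProperties(Snapshot snapshot, AccessControlList acl) {
        final String mpId = snapshot.getMediaPackage().getIdentifier().toString();
        super.deleteProperties(mpId, SECURITY_NAMESPACE);
        for (AccessControlEntry entry : acl.getEntries()) {
            final PropertyId id = PropertyId.mk(mpId, SECURITY_NAMESPACE, mkPropertyName(entry));
            super.setProperty(Property.mk(id, Value.mk(Boolean.valueOf(entry.isAllow()))));
        }
    }

    /** Query field for the Boolean security property of {@code role}/{@code action}. */
    private PropertyField<Boolean> mkSecurityProperty(AQueryBuilder queryBuilder, String role, String action) {
        return queryBuilder.property(Value.BOOLEAN, SECURITY_NAMESPACE, mkPropertyName(role, action));
    }

    /** Property name for an ACL entry, see {@link #mkPropertyName(String, String)}. */
    private String mkPropertyName(AccessControlEntry entry) {
        return mkPropertyName(entry.getRole(), entry.getAction());
    }

    /** Property name encoding a role/action pair; the separator is part of the stored data format. */
    private String mkPropertyName(String role, String action) {
        return role + " | " + action;
    }
}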
