package org.duracloud.account.security.vote;

import java.util.Collection;
import java.util.HashSet;
import java.util.Set;
import org.aopalliance.intercept.MethodInvocation;
import org.duracloud.account.db.model.AccountRights;
import org.duracloud.account.db.model.DuracloudUser;
import org.duracloud.account.db.model.Role;
import org.duracloud.account.db.repo.DuracloudRepoMgr;
import org.duracloud.account.db.util.DuracloudUserService;
import org.duracloud.account.security.domain.SecuredRule;
import org.duracloud.common.error.DuraCloudRuntimeException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;

/* loaded from: input_file:org/duracloud/account/security/vote/UserAccessDecisionVoter.class */
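/**
 * Access-decision voter for method calls on {@link DuracloudUserService}.
 *
 * <p>For each secured call, {@link #voteImpl} picks a check based on the rule's
 * {@link SecuredRule.Scope}, comparing the authenticated user against the ids, names and
 * roles passed as arguments of the intercepted method. Every path starts from "deny" and
 * only moves to another vote when an explicit check returns one.
 *
 * <p>The numeric votes used here ({@code -1} deny, {@code 1} grant) match the values of
 * Spring Security's {@code AccessDecisionVoter.ACCESS_DENIED} and {@code ACCESS_GRANTED}.
 */
public class UserAccessDecisionVoter extends BaseAccessDecisionVoter {
    /** Vote returned when access is refused; also the starting value of every decision. */
    private static final int VOTE_DENIED = -1;
    /** Vote returned when access is allowed. */
    private static final int VOTE_GRANTED = 1;

    // Positions of the values this voter reads from the intercepted method's argument array.
    // Which position applies depends on the scope of the rule being evaluated.
    private static final int ACCT_ID_INDEX = 0;
    private static final int USER_ID_INDEX = 0;
    private static final int USER_NAME_INDEX = 0;
    private static final int OTHER_USER_ID_INDEX = 1;
    private static final int NEW_ROLES_INDEX = 2;

    private final Logger log = LoggerFactory.getLogger(UserAccessDecisionVoter.class);

    /**
     * Creates the voter.
     *
     * @param duracloudRepoMgr repository manager handed to the base voter
     */
    public UserAccessDecisionVoter(DuracloudRepoMgr duracloudRepoMgr) {
        super(duracloudRepoMgr);
    }

    /**
     * Names the service whose method invocations this voter evaluates.
     *
     * @return {@code DuracloudUserService.class}
     */
    @Override // org.duracloud.account.security.vote.BaseAccessDecisionVoter
    protected Class<?> getTargetService() {
        return DuracloudUserService.class;
    }

    /**
     * Decides whether the authenticated user may make the intercepted call.
     *
     * @param authentication   source of the caller's roles (via {@code getUserRoles})
     * @param methodInvocation the intercepted call; passed on to {@code castVote}
     * @param collection       config attributes of the call; not read by this method
     * @param objArr           arguments of the intercepted call, read by position
     * @param duracloudUser    the authenticated user the arguments are compared against
     * @param securedRule      the rule being evaluated; not read by this method
     * @param str              value passed to the role checks as the required role
     * @param scope            scope of the rule; selects which check is applied
     * @return the result of {@code castVote} for the computed vote
     * @throws DuraCloudRuntimeException if the scope is not one this voter handles, or if
     *         the intercepted call has fewer arguments than the scope requires
     */
    @Override // org.duracloud.account.security.vote.BaseAccessDecisionVoter
    protected int voteImpl(Authentication authentication, MethodInvocation methodInvocation, Collection<ConfigAttribute> collection, Object[] objArr, DuracloudUser duracloudUser, SecuredRule securedRule, String str, SecuredRule.Scope scope) {
        // Fail closed: any branch that does not reach an explicit check leaves the vote at deny.
        int vote = VOTE_DENIED;
        Collection<String> userRoles = getUserRoles(authentication);

        if (scope.equals(SecuredRule.Scope.ANY)) {
            vote = voteHasRole(str, userRoles);
        } else if (scope.equals(SecuredRule.Scope.SELF_ID)) {
            // Role first, then the target id must be the caller's own id.
            if (hasVote(voteHasRole(str, userRoles))) {
                vote = voteMyUserId(duracloudUser, getUserIdArg(objArr));
            }
        } else if (scope.equals(SecuredRule.Scope.SELF_NAME)) {
            // Role first, then the target username must be the caller's own.
            if (hasVote(voteHasRole(str, userRoles))) {
                vote = voteMyUsername(duracloudUser, getUsernameArg(objArr));
            }
        } else if (scope.equals(SecuredRule.Scope.SELF_ACCT)) {
            vote = voteUserHasRoleOnAccount(duracloudUser, str, getAccountIdArg(objArr));
        } else if (scope.equals(SecuredRule.Scope.SELF_ACCT_PEER)) {
            Long acctId = getAccountIdArg(objArr);
            if (hasVote(voteUserHasRoleOnAccount(duracloudUser, str, acctId))) {
                vote = voteUserHasRoleOnAcctToManageOther(duracloudUser.getId(), acctId, getOtherUserIdArg(objArr));
            }
        } else if (scope.equals(SecuredRule.Scope.SELF_ACCT_PEER_UPDATE)) {
            Long acctId = getAccountIdArg(objArr);
            Long otherUserId = getOtherUserIdArg(objArr);
            Set<Role> newRoles = getOtherRolesArg(objArr);
            if (hasVote(voteUserHasRoleOnAccount(duracloudUser, str, acctId))) {
                vote = voteUserHasRoleOnAcctToUpdateOthersRoles(duracloudUser.getId(), acctId, otherUserId, newRoles);
            } else {
                // The only way through without a role on the account is the
                // first-owner bootstrap checked in voteUserIsCreatingNewAcct.
                vote = voteUserIsCreatingNewAcct(duracloudUser, acctId, otherUserId, newRoles);
            }
        } else {
            // An unknown scope is a configuration error; refuse loudly rather than vote.
            String msg = "Invalid scope: " + scope;
            this.log.error(msg);
            throw new DuraCloudRuntimeException(msg);
        }
        return castVote(vote, methodInvocation);
    }

    /**
     * Votes on whether {@code userId} may manage {@code otherUserId} on an account, based on
     * the roles each of them holds on that account.
     *
     * @return the vote of {@code voteRolesAreSufficientToUpdateOther}, or deny when either
     *         user has no rights on the account
     */
    private int voteUserHasRoleOnAcctToManageOther(Long userId, Long acctId, Long otherUserId) {
        this.log.trace("Voting if user {} has roles on acct {} to manage {}.", new Object[]{userId, acctId, otherUserId});
        AccountRights callerRights = getUserRightsForAcct(userId, acctId);
        AccountRights otherRights = getUserRightsForAcct(otherUserId, acctId);
        if (null == callerRights || null == otherRights) {
            // Missing rights on either side means there is nothing to compare: deny.
            this.log.warn("No rights found for users {}, {} on acct {}", new Object[]{userId, otherUserId, acctId});
            return VOTE_DENIED;
        }
        return voteRolesAreSufficientToUpdateOther(callerRights.getRoles(), otherRights.getRoles());
    }

    /**
     * Grants only when the caller is assigning roles to themselves, the account has no users
     * yet, and the roles being assigned include {@code ROLE_OWNER}.
     *
     * <p>NOTE(review): the emptiness check here and the role assignment that follows the vote
     * are separate steps; whether two concurrent requests can both pass depends on code
     * outside this class - confirm the service layer serialises first-owner creation.
     */
    private int voteUserIsCreatingNewAcct(DuracloudUser duracloudUser, Long acctId, Long otherUserId, Set<Role> newRoles) {
        boolean targetsSelf = hasVote(voteMyUserId(duracloudUser, otherUserId));
        boolean bootstrap = targetsSelf && accountIsEmpty(acctId) && isOwner(newRoles);
        return bootstrap ? VOTE_GRANTED : VOTE_DENIED;
    }

    /** Returns true when {@code numUsersForAccount} reports zero users for the account. */
    private boolean accountIsEmpty(Long acctId) {
        return numUsersForAccount(acctId) == 0;
    }

    /** Returns true when the given roles include {@code Role.ROLE_OWNER}. */
    private boolean isOwner(Set<Role> roles) {
        return roles.contains(Role.ROLE_OWNER);
    }

    /**
     * Reads the roles being assigned from the argument at {@code NEW_ROLES_INDEX}.
     *
     * @return the roles as a set; empty when the argument is null or an empty array
     */
    private Set<Role> getOtherRolesArg(Object[] args) {
        Set<Role> roles = new HashSet<Role>();
        Object[] rawRoles = (Object[]) requireArg(args, NEW_ROLES_INDEX);
        if (null != rawRoles) {
            for (Object raw : rawRoles) {
                roles.add((Role) raw);
            }
        }
        return roles;
    }

    /** Reads the id of the user being acted on from the argument at {@code OTHER_USER_ID_INDEX}. */
    private Long getOtherUserIdArg(Object[] args) {
        return (Long) requireArg(args, OTHER_USER_ID_INDEX);
    }

    /** Reads the target user id from the argument at {@code USER_ID_INDEX}. */
    private Long getUserIdArg(Object[] args) {
        return (Long) requireArg(args, USER_ID_INDEX);
    }

    /** Reads the target username from the argument at {@code USER_NAME_INDEX}. */
    private String getUsernameArg(Object[] args) {
        return (String) requireArg(args, USER_NAME_INDEX);
    }

    /** Reads the account id from the argument at {@code ACCT_ID_INDEX}. */
    private Long getAccountIdArg(Object[] args) {
        return (Long) requireArg(args, ACCT_ID_INDEX);
    }

    /**
     * Returns the argument at {@code index}, refusing explicitly when the intercepted call
     * does not carry that many arguments. Previously the shortfall was logged and the array
     * was indexed anyway, so the failure surfaced as an unrelated index error.
     *
     * @throws DuraCloudRuntimeException if {@code args} is null or too short
     */
    private Object requireArg(Object[] args, int index) {
        int count = (null == args) ? 0 : args.length;
        if (count <= index) {
            String msg = "Illegal number of args: " + count;
            this.log.error(msg);
            throw new DuraCloudRuntimeException(msg);
        }
        return args[index];
    }
}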
