package com.appiancorp.designdeployments.service;

import com.appiancorp.common.config.LegacyServiceProvider;
import com.appiancorp.designdeployments.persistence.Deployment;
import com.appiancorp.designdeployments.persistence.DeploymentAppDao;
import com.appiancorp.exceptions.InsufficientPrivilegesException;
import com.appiancorp.features.FeatureToggleClient;
import com.appiancorp.security.auth.SecurityContextProvider;
import com.appiancorp.security.auth.SpringSecurityContextHelper;
import com.appiancorp.security.user.service.KdbRdbmsIdBinder;
import com.appiancorp.suite.cfg.DesignDeploymentConfiguration;
import com.appiancorp.suiteapi.common.exceptions.ErrorCode;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/appiancorp/designdeployments/service/DeploymentServiceSecurity.class */
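/**
 * Authorization checks for design deployments.
 *
 * <p>Decisions are derived from the caller's security context (system-administrator flag, group
 * memberships, user uuid), the configured reviewer group, and the content service's
 * per-application answers ({@code canView}, {@code canAdministrate}, {@code getAccessLevel}) for
 * the applications attached to a deployment.
 *
 * <p>Application uuids are resolved to ids under {@code runAsAdmin}; the permission questions
 * themselves are asked outside that wrapper.
 */
public class DeploymentServiceSecurity {
    public static final Logger LOG = LoggerFactory.getLogger(DeploymentServiceSecurity.class);
    private final SecurityContextProvider scp;
    private final KdbRdbmsIdBinder binder;
    // Not final: replaceable through the package-private setter below.
    private DesignDeploymentConfiguration designDeploymentConfiguration;
    private final DeploymentAppDao deploymentAppDao;
    private final LegacyServiceProvider legacyServiceProvider;
    private final FeatureToggleClient featureToggleClient;

    /** Callback that performs the application-level part of an access decision. */
    @FunctionalInterface
    public interface CanAccessDeploymentFunction {
        boolean canAccessDeployment();
    }

    /**
     * Roles a caller can hold on a deployment, ordered by {@link #getAccessLevel()}
     * (higher means more privilege, {@code DENY} is 0).
     */
    public enum Role {
        ADMINISTRATOR(3),
        EDITOR(2),
        VIEWER(1),
        DENY(0);

        private final int accessLevel;

        Role(int i) {
            this.accessLevel = i;
        }

        public int getAccessLevel() {
            return this.accessLevel;
        }
    }

    public DeploymentServiceSecurity(SecurityContextProvider securityContextProvider, LegacyServiceProvider legacyServiceProvider, KdbRdbmsIdBinder kdbRdbmsIdBinder, DesignDeploymentConfiguration designDeploymentConfiguration, DeploymentAppDao deploymentAppDao, FeatureToggleClient featureToggleClient) {
        this.scp = securityContextProvider;
        this.binder = kdbRdbmsIdBinder;
        this.designDeploymentConfiguration = designDeploymentConfiguration;
        this.deploymentAppDao = deploymentAppDao;
        this.legacyServiceProvider = legacyServiceProvider;
        this.featureToggleClient = featureToggleClient;
    }

    DesignDeploymentConfiguration getDesignDeploymentConfiguration() {
        return this.designDeploymentConfiguration;
    }

    void setDesignDeploymentConfiguration(DesignDeploymentConfiguration designDeploymentConfiguration) {
        this.designDeploymentConfiguration = designDeploymentConfiguration;
    }

    /**
     * Throws unless the current user holds at least {@code role} on {@code deployment}.
     *
     * @param deployment the deployment being accessed
     * @param role the role the operation requires; {@code DENY} or {@code null} can never be
     *     satisfied and always result in the exception
     * @throws InsufficientPrivilegesException carrying the current username and the deployment id
     */
    public void checkSufficientPrivileges(Deployment deployment, Role role) throws InsufficientPrivilegesException {
        boolean permitted;
        if (role == Role.ADMINISTRATOR) {
            permitted = hasAdminAccess(deployment);
        } else if (role == Role.EDITOR) {
            permitted = hasEditorAccess(deployment);
        } else if (role == Role.VIEWER) {
            permitted = hasViewerAccess(deployment);
        } else {
            permitted = false;
        }
        if (!permitted) {
            throw buildInsufficientPrivilegesException(this.scp.get().getUserRef().getUsername(), deployment.getId());
        }
    }

    /**
     * Computes the strongest role the current user holds on {@code deployment}.
     *
     * <p>Order of evaluation: system administrators get {@code ADMINISTRATOR}; deployments of a
     * "manual admin without package" type are denied to everyone else; reviewers get
     * {@code ADMINISTRATOR}; admin-settings deployments without any application are denied;
     * otherwise the role is the weakest access level across the deployment's applications.
     *
     * <p>Decompiler note: this method was package-private before the decompiler widened it.
     */
    public Role getAccessLevelRole(Deployment deployment) {
        if (isSysAdmin()) {
            return Role.ADMINISTRATOR;
        }
        if (deployment.getType().isManualAdminWithoutPackage()) {
            return Role.DENY;
        }
        if (isDeploymentReviewer()) {
            return Role.ADMINISTRATOR;
        }
        if (isAdminSettingsDeploymentWithoutPackage(deployment)) {
            return Role.DENY;
        }
        return getAccessLevelRoleWithinApplications(deployment);
    }

    private boolean isAdminSettingsDeploymentWithoutPackage(Deployment deployment) {
        return deployment.hasAdminSettings() && isDeploymentWithoutPackage(deployment);
    }

    /** A deployment is "without package" when its application collection is null or empty. */
    private boolean isDeploymentWithoutPackage(Deployment deployment) {
        return deployment.getDeploymentApps() == null || deployment.getDeploymentApps().isEmpty();
    }

    /**
     * Derives the caller's role from the access levels on every application of the deployment.
     *
     * <p>Returns {@code DENY} when the deployment has no applications, when any application uuid
     * no longer resolves to an id, or when the content service lookup fails.
     */
    private Role getAccessLevelRoleWithinApplications(Deployment deployment) {
        // Fail closed: with no applications there is nothing to derive a role from. This matches
        // hasAccess, which only admits reviewers (handled by the caller) to such deployments, and
        // avoids a NullPointerException when the application collection is null.
        if (isDeploymentWithoutPackage(deployment)) {
            return Role.DENY;
        }
        List<String> appUuids = getDeploymentAppUuids(deployment);
        String[] appUuidArray = appUuids.toArray(new String[0]);
        // Cast kept because runAsAdmin's declared return type is not visible in this file.
        @SuppressWarnings("unchecked")
        Map<Long, String> existingIdToUuid = (Map<Long, String>) SpringSecurityContextHelper.runAsAdmin(() -> getExistentApplicationIdToUuidMap(appUuidArray));
        // A size mismatch means at least one uuid did not resolve (or uuids collapsed onto one id).
        if (appUuids.size() != existingIdToUuid.size()) {
            return Role.DENY;
        }
        try {
            Long[] appIds = existingIdToUuid.keySet().toArray(new Long[0]);
            // NOTE(review): the meaning of the literal 64 is defined by the content service API
            // and is not visible here; it is passed through unchanged.
            return getStrictestRoleFromAccessLevels(this.legacyServiceProvider.getContentService().getAccessLevel(appIds, 64));
        } catch (Exception e) {
            LOG.error(e.getMessage(), e);
            return Role.DENY;
        }
    }

    /**
     * Maps the lowest access level in {@code numArr} to a role.
     *
     * <p>A null or empty array, or a null element, yields {@code DENY}: seeding the minimum with
     * the ADMINISTRATOR level would otherwise turn "no answers" into the highest role.
     * Levels above 3 are treated as 3; levels outside 1..3 after that yield {@code DENY}.
     */
    private Role getStrictestRoleFromAccessLevels(Integer[] numArr) {
        if (numArr == null || numArr.length == 0) {
            return Role.DENY;
        }
        int lowest = 3;
        for (Integer level : numArr) {
            if (level == null) {
                return Role.DENY;
            }
            if (level.intValue() < lowest) {
                lowest = level.intValue();
            }
        }
        switch (lowest) {
            case 1:
                return Role.VIEWER;
            case 2:
                return Role.EDITOR;
            case 3:
                return Role.ADMINISTRATOR;
            default:
                return Role.DENY;
        }
    }

    /**
     * Checks that the current user holds {@code role} on every application of the deployment.
     *
     * <p>When the {@code ae.streamlined-devops.api-admin-settings} toggle is on, an
     * admin-settings deployment with no applications is refused. An {@code EDITOR} request by the
     * requester of a manual deployment is evaluated as {@code VIEWER}.
     *
     * <p>NOTE(review): for any other deployment with an empty application list the final size
     * comparison is 0 &gt;= 0 and therefore true. Callers in this class gate that case before
     * calling; any other caller must do the same. A null application collection throws
     * NullPointerException from {@link #getDeploymentAppUuids(Deployment)}.
     */
    boolean canAccessDeployment(Deployment deployment, Role role) {
        List<String> deploymentAppUuids = getDeploymentAppUuids(deployment);
        boolean packagelessAdminSettings = getFeatureToggleClient().isFeatureEnabled("ae.streamlined-devops.api-admin-settings")
                && deployment.hasAdminSettings()
                && deploymentAppUuids.isEmpty();
        if (packagelessAdminSettings) {
            return false;
        }
        boolean ownManualDeployment = canViewManualDeployment(deployment, this.scp.get().getUserUuid());
        Role effectiveRole = (ownManualDeployment && role == Role.EDITOR) ? Role.VIEWER : role;
        List<String> accessibleUuids = getAccessibleApplicationUuids(deploymentAppUuids.toArray(new String[0]), effectiveRole);
        return accessibleUuids.size() >= deploymentAppUuids.size();
    }

    /**
     * True when the deployment is of a manual type (other than "manual admin without package")
     * and {@code str} equals the deployment's requester uuid.
     *
     * @param str uuid of the user to compare against the requester; must not be null when the
     *     type checks pass
     */
    boolean canViewManualDeployment(Deployment deployment, String str) {
        Deployment.Type type = deployment.getType();
        if (!type.isManual() || type.isManualAdminWithoutPackage()) {
            return false;
        }
        return str.equals(deployment.getRequesterUuid());
    }

    FeatureToggleClient getFeatureToggleClient() {
        return this.featureToggleClient;
    }

    /**
     * True when a reviewer group is configured and the current user's member groups, mapped
     * through the id binder, include that group's id. False when no reviewer group is configured.
     */
    public boolean isDeploymentReviewer() {
        Integer reviewerGroup = getDesignDeploymentConfiguration().getReviewerGroup();
        if (reviewerGroup == null) {
            return false;
        }
        Set<?> memberGroupIds = (Set<?>) this.binder.fromRdbmsGroupRefToK(this.scp.get().getMemberGroupRefs()).values().stream()
                .map(groupRef -> groupRef.getId())
                .collect(Collectors.toSet());
        return memberGroupIds.contains(Long.valueOf(reviewerGroup.longValue()));
    }

    public boolean isSysAdminOrReviewer() {
        return isSysAdmin() || isDeploymentReviewer();
    }

    /**
     * Reports the system-administrator flag of the current security context.
     *
     * <p>Decompiler note: this method was package-private before the decompiler widened it.
     */
    public boolean isSysAdmin() {
        return this.scp.get().isSysAdmin();
    }

    private boolean hasViewerAccess(Deployment deployment) {
        return hasAccess(deployment, () -> canAccessDeployment(deployment, Role.VIEWER));
    }

    private boolean hasEditorAccess(Deployment deployment) {
        return hasAccess(deployment, () -> canAccessDeployment(deployment, Role.EDITOR));
    }

    /**
     * Shared gate for viewer and editor checks.
     *
     * <p>System administrators always pass. "Manual admin without package" deployments are
     * refused to everyone else. Deployments without applications are reviewer-only. Otherwise a
     * reviewer passes, and anyone else passes only if {@code canAccessDeploymentFunction} does.
     */
    boolean hasAccess(Deployment deployment, CanAccessDeploymentFunction canAccessDeploymentFunction) {
        if (isSysAdmin()) {
            return true;
        }
        if (deployment.getType().isManualAdminWithoutPackage()) {
            return false;
        }
        if (isDeploymentWithoutPackage(deployment)) {
            return isDeploymentReviewer();
        }
        return isDeploymentReviewer() || canAccessDeploymentFunction.canAccessDeployment();
    }

    /**
     * Administrator check: system administrators pass; everyone else must be able to administer
     * every application of the deployment.
     *
     * <p>The type and "without package" gates mirror {@link #hasAccess} so that the
     * ADMINISTRATOR check can never succeed where the VIEWER/EDITOR checks are refused. Without
     * them, a deployment with an empty application list would satisfy
     * {@link #canAccessDeployment} vacuously for any caller. Being a reviewer is necessary for
     * package-less deployments here but, unlike in {@code hasAccess}, never sufficient.
     */
    private boolean hasAdminAccess(Deployment deployment) {
        if (isSysAdmin()) {
            return true;
        }
        if (deployment.getType().isManualAdminWithoutPackage()) {
            return false;
        }
        if (isDeploymentWithoutPackage(deployment) && !isDeploymentReviewer()) {
            return false;
        }
        return canAccessDeployment(deployment, Role.ADMINISTRATOR);
    }

    /**
     * Returns the ids, among the deployments the DAO associates with {@code set}, whose
     * application the current user can view. An empty {@code set} yields an empty result.
     *
     * <p>NOTE(review): the boolean parameter is not read by this implementation.
     * Decompiler note: this method was package-private before the decompiler widened it.
     */
    public Set<Long> getDeploymentIds(Set<Long> set, boolean z) {
        if (set.isEmpty()) {
            return Collections.emptySet();
        }
        return getDeploymentIdsForApplicationUser(this.deploymentAppDao.getAppUuidToDeploymentIdsMap(set));
    }

    /**
     * Returns the ids of all deployments known to the DAO whose application the current user can
     * view.
     *
     * <p>NOTE(review): the boolean parameter is not read by this implementation.
     * Decompiler note: this method was package-private before the decompiler widened it.
     */
    public Set<Long> getDeploymentIds(boolean z) {
        return getDeploymentIdsForApplicationUser(this.deploymentAppDao.getAppUuidToDeploymentIdsMap());
    }

    /** Unions the deployment ids of every application uuid in {@code map} the user can view. */
    private Set<Long> getDeploymentIdsForApplicationUser(Map<String, List<Long>> map) {
        List<String> viewableUuids = getAccessibleApplicationUuids(map.keySet().toArray(new String[0]), Role.VIEWER);
        Set<Long> deploymentIds = new HashSet<>();
        for (String appUuid : viewableUuids) {
            deploymentIds.addAll(map.get(appUuid));
        }
        return deploymentIds;
    }

    /**
     * Filters {@code strArr} down to the application uuids that still exist and that the current
     * user may access at {@code role}.
     *
     * <p>{@code ADMINISTRATOR} and {@code EDITOR} are both checked with {@code canAdministrate};
     * every other non-null role, including {@code DENY}, is checked with {@code canView}.
     * A null role yields an empty list. If the content service throws, the error is logged and
     * whatever was collected so far (possibly nothing) is returned, so a failure can only shrink
     * the result.
     */
    List<String> getAccessibleApplicationUuids(String[] strArr, Role role) {
        if (role == null) {
            return new ArrayList<>();
        }
        // Cast kept because runAsAdmin's declared return type is not visible in this file.
        @SuppressWarnings("unchecked")
        Map<Long, String> existingIdToUuid = (Map<Long, String>) SpringSecurityContextHelper.runAsAdmin(() -> getExistentApplicationIdToUuidMap(strArr));
        List<String> accessibleUuids = new ArrayList<>();
        try {
            Long[] appIds = existingIdToUuid.keySet().toArray(new Long[0]);
            boolean requiresAdminister = role == Role.ADMINISTRATOR || role == Role.EDITOR;
            Boolean[] allowed = requiresAdminister
                    ? this.legacyServiceProvider.getContentService().canAdministrate(appIds)
                    : this.legacyServiceProvider.getContentService().canView(appIds);
            // allowed[i] answers for appIds[i]; both arrays are indexed in step.
            for (int i = 0; i < allowed.length; i++) {
                if (allowed[i].booleanValue()) {
                    accessibleUuids.add(existingIdToUuid.get(appIds[i]));
                }
            }
        } catch (Exception e) {
            LOG.error(e.getMessage(), e);
        }
        return accessibleUuids;
    }

    /**
     * Resolves uuids to content ids and returns id-to-uuid for those that resolved; uuids for
     * which the content service returns a null id are dropped.
     */
    private Map<Long, String> getExistentApplicationIdToUuidMap(String[] strArr) {
        Long[] idsByUuid = this.legacyServiceProvider.getContentService().getIdsByUuid(strArr);
        Map<Long, String> idToUuid = new HashMap<>();
        for (int i = 0; i < idsByUuid.length; i++) {
            Long id = idsByUuid[i];
            if (id != null) {
                idToUuid.put(id, strArr[i]);
            }
        }
        return idToUuid;
    }

    private InsufficientPrivilegesException buildInsufficientPrivilegesException(String str, Object obj) {
        return new InsufficientPrivilegesException(str, obj, ErrorCode.DESIGN_DEPLOYMENT_INSUFFICIENT_PRIVILEGES, new Object[]{obj});
    }

    /**
     * Collects the application uuid of every application attached to the deployment.
     *
     * <p>Deliberately not null-safe: treating a null collection as empty would make
     * {@link #canAccessDeployment} vacuously true for it.
     */
    List<String> getDeploymentAppUuids(Deployment deployment) {
        return deployment.getDeploymentApps().stream()
                .map(deploymentApp -> deploymentApp.getAppUuid())
                .collect(Collectors.toList());
    }
}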
