package org.molgenis.security.permission;

import com.google.common.collect.Lists;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Objects;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.molgenis.auth.User;
import org.molgenis.auth.UserAuthority;
import org.molgenis.auth.UserAuthorityFactory;
import org.molgenis.auth.UserAuthorityMetaData;
import org.molgenis.data.DataService;
import org.molgenis.data.meta.model.EntityType;
import org.molgenis.security.core.runas.RunAsSystemProxy;
import org.molgenis.security.core.utils.SecurityUtils;
import org.molgenis.security.user.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;

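/**
 * Grants the calling user WRITEMETA permission on entity types, both persistently (one
 * {@code UserAuthority} row per entity type) and for the remainder of the current request (the
 * authorities of the {@link Authentication} held in the caller's {@link SecurityContext} are
 * widened in place).
 *
 * <p>Security note: the persistence step runs via {@link RunAsSystemProxy#runAsSystem}, so this
 * service is a privilege-escalation point. Any code that can call it can give the current user
 * WRITEMETA on an arbitrary entity type; callers are expected to invoke it only for entity types
 * that user has just created. No authorization check is performed here.
 */
@Component
/* loaded from: input_file:WEB-INF/lib/molgenis-security-3.0.0.jar:org/molgenis/security/permission/PermissionSystemServiceImpl.class */
public class PermissionSystemServiceImpl implements PermissionSystemService {
    private final UserService userService;
    private final UserAuthorityFactory userAuthorityFactory;
    private final RoleHierarchy roleHierarchy;
    private final DataService dataService;

    /**
     * @param userService          resolves the {@link User} row for the caller's username
     * @param userAuthorityFactory creates the {@link UserAuthority} rows that are persisted
     * @param roleHierarchy        expands the granted authorities for the in-memory context
     * @param dataService          persistence entry point for the authority rows
     * @throws NullPointerException if any dependency is {@code null}
     */
    @Autowired
    public PermissionSystemServiceImpl(UserService userService, UserAuthorityFactory userAuthorityFactory,
            RoleHierarchy roleHierarchy, DataService dataService) {
        this.userService = Objects.requireNonNull(userService, "userService");
        this.userAuthorityFactory = Objects.requireNonNull(userAuthorityFactory, "userAuthorityFactory");
        this.roleHierarchy = Objects.requireNonNull(roleHierarchy, "roleHierarchy");
        this.dataService = Objects.requireNonNull(dataService, "dataService");
    }

    /** Convenience overload of {@link #giveUserWriteMetaPermissions(Collection)} for one entity type. */
    @Override // org.molgenis.security.permission.PermissionSystemService
    public void giveUserWriteMetaPermissions(EntityType entityType) {
        giveUserWriteMetaPermissions(Collections.singleton(entityType));
    }

    /**
     * Grants the current user WRITEMETA on every entity type in {@code collection}.
     *
     * <p>Does nothing when the current user is a superuser or the system principal, or when
     * {@code collection} is empty (in that case neither the database nor the caller's
     * {@link Authentication} token is touched).
     *
     * @param collection entity types to grant WRITEMETA on; must not be {@code null}
     * @throws IllegalStateException if the caller's context has no authentication or the caller's
     *                               username does not resolve to a {@link User}
     */
    @Override // org.molgenis.security.permission.PermissionSystemService
    public void giveUserWriteMetaPermissions(Collection<EntityType> collection) {
        // Superusers and SYSTEM are skipped; presumably they are not subject to entity-level
        // permission checks, so a persisted authority row would be redundant — verify.
        if (SecurityUtils.currentUserIsSuOrSystem()) {
            return;
        }
        if (collection.isEmpty()) {
            // Nothing to grant: do not write rows or rebuild the token for an empty request.
            return;
        }
        // Capture the caller's context BEFORE switching to SYSTEM so the grant targets the real
        // user rather than the system principal.
        SecurityContext callerContext = SecurityContextHolder.getContext();
        RunAsSystemProxy.runAsSystem(() -> {
            giveUserEntityPermissionsAsSystem(callerContext, collection);
        });
    }

    /**
     * Runs with SYSTEM rights: persists the authorities first, then widens the caller's in-memory
     * token, so that a failed database write leaves the caller's session unchanged.
     */
    private void giveUserEntityPermissionsAsSystem(SecurityContext callerContext, Collection<EntityType> entityTypes) {
        Authentication callerAuth = callerContext.getAuthentication();
        if (callerAuth == null) {
            // Fail before writing anything: an authority row must belong to a concrete principal.
            throw new IllegalStateException("Cannot grant WRITEMETA permissions: no authenticated user in security context");
        }
        // NOTE(review): assumes RunAsSystemProxy installs a separate SecurityContext rather than
        // swapping the Authentication inside the captured one; otherwise callerAuth would be the
        // SYSTEM token here and the grant would go to the wrong principal — verify.
        Collection<GrantedAuthority> granted = toGrantedAuthorities(entityTypes);
        persistUserAuthorities(callerAuth, granted);
        updateSecurityContext(callerContext, callerAuth, granted);
    }

    /** Maps each entity type to its WRITEMETA authority; duplicates within one call are dropped. */
    private static Collection<GrantedAuthority> toGrantedAuthorities(Collection<EntityType> entityTypes) {
        return entityTypes.stream()
                .map(PermissionSystemServiceImpl::toGrantedAuthority)
                .distinct()
                .collect(Collectors.toList());
    }

    /**
     * Builds the authority string {@code <AUTHORITY_ENTITY_PREFIX>WRITEMETA_<entityTypeId>}.
     * NOTE(review): the entity type id is concatenated without escaping; whatever parses this
     * string elsewhere must cope with ids that contain '_' — confirm against that parser.
     */
    private static GrantedAuthority toGrantedAuthority(EntityType entityType) {
        String role = SecurityUtils.AUTHORITY_ENTITY_PREFIX
                + org.molgenis.security.core.Permission.WRITEMETA.toString()
                + '_' + entityType.getId();
        return new SimpleGrantedAuthority(role);
    }

    /**
     * Persists one {@link UserAuthority} row per granted authority for the caller's user.
     *
     * @throws IllegalStateException if the caller's username does not resolve to a {@link User}
     */
    private void persistUserAuthorities(Authentication callerAuth, Collection<GrantedAuthority> granted) {
        String username = SecurityUtils.getUsername(callerAuth);
        User user = userService.getUser(username);
        if (user == null) {
            // Whether getUser can return null cannot be told from here; refuse rather than persist
            // authority rows with no owner.
            throw new IllegalStateException("Cannot grant WRITEMETA permissions: unknown user '" + username + "'");
        }
        Stream<UserAuthority> rows = granted.stream().map(authority -> {
            UserAuthority row = userAuthorityFactory.create();
            row.setUser(user);
            row.setRole(authority.getAuthority());
            return row;
        });
        dataService.add(UserAuthorityMetaData.USER_AUTHORITY, rows);
    }

    /**
     * Replaces the caller's {@link Authentication} with a token carrying the existing authorities
     * plus every authority reachable from {@code granted} through the role hierarchy.
     *
     * <p>NOTE(review): the replacement is always a {@link UsernamePasswordAuthenticationToken},
     * whatever the original token class was, and its credentials are copied verbatim (Spring
     * normally erases them after login, so this is usually {@code null}) — confirm nothing
     * downstream depends on the token class or on the credentials.
     */
    private void updateSecurityContext(SecurityContext callerContext, Authentication callerAuth,
            Collection<? extends GrantedAuthority> granted) {
        Collection<? extends GrantedAuthority> reachable = roleHierarchy.getReachableGrantedAuthorities(granted);
        Collection<GrantedAuthority> merged = new ArrayList<>(callerAuth.getAuthorities());
        merged.addAll(reachable);
        // The three-argument constructor marks the token as authenticated, which is intended: the
        // principal was already authenticated, only its authorities grew.
        UsernamePasswordAuthenticationToken widened = new UsernamePasswordAuthenticationToken(
                callerAuth.getPrincipal(), callerAuth.getCredentials(), merged);
        // The constructor does not copy details (e.g. web request metadata); carry them over so the
        // widened token is not poorer than the one it replaces.
        widened.setDetails(callerAuth.getDetails());
        callerContext.setAuthentication(widened);
    }
}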
