package com.top_logic.element.boundsec.manager;

import com.top_logic.basic.CalledByReflection;
import com.top_logic.basic.CollectionUtil;
import com.top_logic.basic.DebugHelper;
import com.top_logic.basic.Logger;
import com.top_logic.basic.TLID;
import com.top_logic.basic.col.Mapping;
import com.top_logic.basic.col.Mappings;
import com.top_logic.basic.config.ConfiguredInstance;
import com.top_logic.basic.config.InstantiationContext;
import com.top_logic.basic.config.PolymorphicConfiguration;
import com.top_logic.basic.config.annotation.InstanceFormat;
import com.top_logic.basic.config.annotation.Name;
import com.top_logic.basic.config.annotation.defaults.InstanceDefault;
import com.top_logic.basic.util.Computation;
import com.top_logic.dob.MetaObject;
import com.top_logic.dob.meta.MOStructure;
import com.top_logic.element.boundsec.manager.rule.ExternalRoleProvider;
import com.top_logic.element.boundsec.manager.rule.RoleProvider;
import com.top_logic.element.boundsec.manager.rule.RoleRule;
import com.top_logic.element.meta.kbbased.WrapperMetaAttributeUtil;
import com.top_logic.knowledge.objects.InvalidLinkException;
import com.top_logic.knowledge.objects.KnowledgeAssociation;
import com.top_logic.knowledge.objects.KnowledgeItem;
import com.top_logic.knowledge.objects.KnowledgeItemUtil;
import com.top_logic.knowledge.objects.KnowledgeObject;
import com.top_logic.knowledge.security.SecurityStorage;
import com.top_logic.knowledge.service.CommitHandler;
import com.top_logic.knowledge.service.KnowledgeBase;
import com.top_logic.knowledge.service.StorageException;
import com.top_logic.knowledge.wrap.Wrapper;
import com.top_logic.knowledge.wrap.WrapperFactory;
import com.top_logic.model.TLClass;
import com.top_logic.model.TLStructuredTypePart;
import com.top_logic.tool.boundsec.BoundObject;
import com.top_logic.tool.boundsec.BoundRole;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;

/* loaded from: input_file:com/top_logic/element/boundsec/manager/ElementSecurityUpdateManager.class */
public class ElementSecurityUpdateManager implements ConfiguredInstance<Config> {
    protected SecurityStorage securityStorage;
    protected ElementAccessManager accessManager;
    private final LogHandler _logHandler;
    private final Config _config;

    /* loaded from: input_file:com/top_logic/element/boundsec/manager/ElementSecurityUpdateManager$Config.class */
    public interface Config extends PolymorphicConfiguration<ElementSecurityUpdateManager> {
        public static final String LOG_HANDLER = "log-handler";

        @InstanceFormat
        @Name(LOG_HANDLER)
        @InstanceDefault(NullLogHandler.class)
        LogHandler getLogHandler();
    }

    @CalledByReflection
    public ElementSecurityUpdateManager(InstantiationContext instantiationContext, Config config) {
        this._config = config;
        this._logHandler = getLogHandler(instantiationContext, config);
    }

    private LogHandler getLogHandler(InstantiationContext instantiationContext, Config config) {
        LogHandler logHandler = config.getLogHandler();
        if (logHandler == null) {
            String str = "LogHandler is not allowed to be null. Use " + NullLogHandler.class.getSimpleName() + " to disable logging.";
            instantiationContext.error(str, new NullPointerException(str));
        }
        return logHandler;
    }

    public void startUp(ElementAccessManager elementAccessManager, SecurityStorage securityStorage) {
        this.accessManager = elementAccessManager;
        this.securityStorage = securityStorage;
    }

    public void shutDown() {
    }

    /* renamed from: getConfig, reason: merged with bridge method [inline-methods] */
    public Config m7getConfig() {
        return this._config;
    }

    public LogHandler getLogHandler() {
        return this._logHandler;
    }

    public synchronized void handleSecurityUpdate(KnowledgeBase knowledgeBase, Map<TLID, Object> map, Map<TLID, Object> map2, final Map<TLID, Object> map3, CommitHandler commitHandler) {
        HashMap hashMap = new HashMap();
        final HashMap hashMap2 = new HashMap();
        HashMap hashMap3 = new HashMap();
        final HashMap hashMap4 = new HashMap();
        final HashSet hashSet = new HashSet();
        if (map2.isEmpty() && map3.isEmpty()) {
            return;
        }
        this.securityStorage.begin(commitHandler);
        handleAssociations(map2, hashMap, hashMap3, hashSet, true);
        knowledgeBase.withoutModifications(new Computation<Void>() { // from class: com.top_logic.element.boundsec.manager.ElementSecurityUpdateManager.1
            /* renamed from: run, reason: merged with bridge method [inline-methods] */
            public Void m8run() {
                ElementSecurityUpdateManager.this.handleAssociations(map3, hashMap2, hashMap4, hashSet, false);
                return null;
            }
        });
        handleInheritance(knowledgeBase, hashMap, hashMap2, hashMap3, hashMap4, map3.values());
        handleNewObjects(map2, hashMap);
        Map<BoundRole, Set<BoundObject>> mergeValuesByRole = mergeValuesByRole(hashMap);
        getLogHandler().logSecurityUpdate(map2, map3, hashMap, hashSet);
        long currentTimeMillis = System.currentTimeMillis();
        try {
            if (this.accessManager instanceof StorageAccessManager) {
                ((StorageAccessManager) this.accessManager).setInvalidObjects(hashSet, mergeValuesByRole);
            }
            try {
                this.securityStorage.removeObjects(map3);
            } catch (StorageException e) {
                Logger.error("Failed to remove security entries of removed objects.", e, this);
            }
            try {
                this.securityStorage.updateSecurity(hashMap);
            } catch (StorageException e2) {
                Logger.error("Failed to update security entries of changed objects.", e2, this);
            }
        } finally {
            if (this.accessManager instanceof StorageAccessManager) {
                ((StorageAccessManager) this.accessManager).removeInvalidObjects();
            }
            long currentTimeMillis2 = System.currentTimeMillis() - currentTimeMillis;
            if (currentTimeMillis2 > 3000) {
                Logger.warn("Incremental security update needed " + DebugHelper.getTime(currentTimeMillis2), ElementSecurityUpdateManager.class);
            }
        }
    }

    private void handleNewObjects(Map<TLID, Object> map, Map<RoleProvider, Collection<BoundObject>> map2) {
        Collection<RoleProvider> collection;
        Map<TLClass, Collection<RoleProvider>> resolvedMERules = this.accessManager.getResolvedMERules();
        Map<MetaObject, Collection<RoleProvider>> resolvedMORules = this.accessManager.getResolvedMORules();
        Iterator<Object> it = map.values().iterator();
        while (it.hasNext()) {
            Object next = it.next();
            if (next instanceof KnowledgeObject) {
                next = WrapperFactory.getWrapper((KnowledgeObject) next);
            }
            if (next instanceof BoundObject) {
                if ((next instanceof Wrapper) && (collection = resolvedMERules.get(((Wrapper) next).tType())) != null) {
                    Iterator<RoleProvider> it2 = collection.iterator();
                    while (it2.hasNext()) {
                        getOrCreateSet(map2, it2.next()).add((BoundObject) next);
                    }
                }
                if (next instanceof Wrapper) {
                    MOStructure tTable = ((Wrapper) next).tTable();
                    Collection<RoleProvider> collection2 = resolvedMORules.get(tTable);
                    if (collection2 != null) {
                        Iterator<RoleProvider> it3 = collection2.iterator();
                        while (it3.hasNext()) {
                            getOrCreateSet(map2, it3.next()).add((BoundObject) next);
                        }
                    }
                    Set<ExternalRoleProvider> affectedRoleRuleFactories = this.accessManager.getAffectedRoleRuleFactories(tTable.getName());
                    if (affectedRoleRuleFactories != null) {
                        Iterator<ExternalRoleProvider> it4 = affectedRoleRuleFactories.iterator();
                        while (it4.hasNext()) {
                            getOrCreateSet(map2, it4.next()).add((BoundObject) next);
                        }
                    }
                }
            }
        }
    }

    private void handleInheritance(KnowledgeBase knowledgeBase, final Map<RoleProvider, Collection<BoundObject>> map, final Map<RoleProvider, Collection<BoundObject>> map2, Map<BoundRole, Collection<Object>> map3, final Map<BoundRole, Collection<Object>> map4, final Collection<Object> collection) {
        for (Map.Entry<BoundRole, Collection<Object>> entry : map3.entrySet()) {
            BoundRole key = entry.getKey();
            Collection<Object> value = entry.getValue();
            for (RoleProvider roleProvider : this.accessManager.getRulesWithSourceRole(key, RoleProvider.Type.inheritance)) {
                Iterator<Object> it = value.iterator();
                while (it.hasNext()) {
                    Set<BoundObject> baseObjects = roleProvider.getBaseObjects(it.next());
                    if (!CollectionUtil.isEmptyOrNull(baseObjects)) {
                        getOrCreateSet(map, roleProvider).addAll(baseObjects);
                    }
                }
            }
        }
        knowledgeBase.withoutModifications(new Computation<Void>() { // from class: com.top_logic.element.boundsec.manager.ElementSecurityUpdateManager.2
            /* renamed from: run, reason: merged with bridge method [inline-methods] */
            public Void m9run() {
                ElementSecurityUpdateManager.this.handleDeletedRoles(map4, map);
                for (Map.Entry entry2 : map2.entrySet()) {
                    RoleProvider roleProvider2 = (RoleProvider) entry2.getKey();
                    Collection collection2 = (Collection) entry2.getValue();
                    for (RoleProvider roleProvider3 : ElementSecurityUpdateManager.this.accessManager.getRulesWithSourceRole(roleProvider2.getRole(), RoleProvider.Type.inheritance)) {
                        Iterator it2 = collection2.iterator();
                        while (it2.hasNext()) {
                            Iterator<BoundObject> it3 = roleProvider3.getBaseObjects((BoundObject) it2.next()).iterator();
                            BoundObject boundObject = null;
                            while (true) {
                                if (!it3.hasNext()) {
                                    break;
                                }
                                BoundObject next = it3.next();
                                if (!collection.contains(next.tHandle())) {
                                    boundObject = next;
                                    break;
                                }
                            }
                            if (boundObject != null) {
                                Collection orCreateSet = ElementSecurityUpdateManager.this.getOrCreateSet(map, roleProvider3);
                                orCreateSet.add(boundObject);
                                while (it3.hasNext()) {
                                    BoundObject next2 = it3.next();
                                    if (!collection.contains(next2.tHandle())) {
                                        orCreateSet.add(next2);
                                    }
                                }
                            }
                        }
                    }
                }
                return null;
            }
        });
        Map<RoleProvider, Collection<BoundObject>> map5 = map;
        int i = 0;
        while (!map5.isEmpty() && i < 50) {
            i++;
            HashMap hashMap = new HashMap();
            for (Map.Entry<RoleProvider, Collection<BoundObject>> entry2 : map5.entrySet()) {
                RoleProvider key2 = entry2.getKey();
                Collection<BoundObject> value2 = entry2.getValue();
                for (RoleProvider roleProvider2 : this.accessManager.getRulesWithSourceRole(key2.getRole(), RoleProvider.Type.inheritance)) {
                    Iterator<BoundObject> it2 = value2.iterator();
                    while (it2.hasNext()) {
                        Set<BoundObject> baseObjects2 = roleProvider2.getBaseObjects(it2.next());
                        if (!CollectionUtil.isEmptyOrNull(baseObjects2)) {
                            getOrCreateSet(hashMap, roleProvider2).addAll(baseObjects2);
                        }
                    }
                }
            }
            mergeMaps(hashMap, map);
            map5 = hashMap;
        }
        if (i > 40) {
            Logger.warn("Inheritance rules to deep: " + i + " RoleProviders: " + String.valueOf(Mappings.map(new Mapping<RoleProvider, String>() { // from class: com.top_logic.element.boundsec.manager.ElementSecurityUpdateManager.3
                public String map(RoleProvider roleProvider3) {
                    return roleProvider3.getId();
                }
            }, map5.keySet())), this);
        }
        mergeMaps(map2, map);
    }

    void handleDeletedRoles(Map<BoundRole, Collection<Object>> map, Map<RoleProvider, Collection<BoundObject>> map2) {
        for (Map.Entry<BoundRole, Collection<Object>> entry : map.entrySet()) {
            BoundRole key = entry.getKey();
            Collection<Object> value = entry.getValue();
            for (RoleProvider roleProvider : this.accessManager.getRulesWithSourceRole(key, RoleProvider.Type.inheritance)) {
                Iterator<Object> it = value.iterator();
                while (it.hasNext()) {
                    Set<BoundObject> baseObjects = roleProvider.getBaseObjects(it.next());
                    if (!CollectionUtil.isEmptyOrNull(baseObjects)) {
                        getOrCreateSet(map2, roleProvider).addAll(baseObjects);
                    }
                }
            }
        }
    }

    private void mergeMaps(Map<RoleProvider, Collection<BoundObject>> map, Map<RoleProvider, Collection<BoundObject>> map2) {
        for (Map.Entry<RoleProvider, Collection<BoundObject>> entry : map.entrySet()) {
            RoleProvider key = entry.getKey();
            Collection<BoundObject> value = entry.getValue();
            if (!CollectionUtil.isEmptyOrNull(value)) {
                getOrCreateSet(map2, key).addAll(value);
            }
        }
    }

    void handleAssociations(Map map, Map<RoleProvider, Collection<BoundObject>> map2, Map<BoundRole, Collection<Object>> map3, Set<BoundObject> set, boolean z) {
        for (Object obj : map.values()) {
            if (KnowledgeItemUtil.instanceOfKnowledgeAssociation(obj)) {
                KnowledgeAssociation knowledgeAssociation = (KnowledgeAssociation) obj;
                String name = knowledgeAssociation.tTable().getName();
                if (WrapperMetaAttributeUtil.isAttributeReferenceAssociation((KnowledgeItem) knowledgeAssociation)) {
                    handleAttributedAssociationChange(knowledgeAssociation, map2, z);
                    handleAssociationChange(knowledgeAssociation, map2, z);
                } else if ("hasRole".equals(name)) {
                    try {
                        Collection orCreateSet = getOrCreateSet(map3, WrapperFactory.getWrapper(knowledgeAssociation.getDestinationObject()));
                        BoundObject boundObject = (BoundObject) WrapperFactory.getWrapper(knowledgeAssociation.getSourceObject());
                        set.add(boundObject);
                        orCreateSet.add(boundObject);
                        if (z) {
                            try {
                                this.securityStorage.insert(knowledgeAssociation);
                            } catch (StorageException e) {
                                Logger.warn("Could not update hasRole association in security storage.", e, ElementSecurityUpdateManager.class);
                            }
                        } else {
                            this.securityStorage.remove(knowledgeAssociation);
                        }
                    } catch (InvalidLinkException e2) {
                    }
                } else {
                    handleAssociationChange(knowledgeAssociation, map2, z);
                }
            }
        }
    }

    private void handleAssociationChange(KnowledgeAssociation knowledgeAssociation, Map<RoleProvider, Collection<BoundObject>> map, boolean z) {
        try {
            String name = knowledgeAssociation.tTable().getName();
            Iterator<RoleProvider> it = this.accessManager.getRules(name).iterator();
            while (it.hasNext()) {
                RoleRule roleRule = (RoleRule) it.next();
                Set<BoundObject> traversRoleRuleBackwards = ElementAccessHelper.traversRoleRuleBackwards(roleRule, knowledgeAssociation);
                if (!CollectionUtil.isEmptyOrNull(traversRoleRuleBackwards)) {
                    getOrCreateSet(map, roleRule).addAll(traversRoleRuleBackwards);
                }
            }
            for (ExternalRoleProvider externalRoleProvider : this.accessManager.getAffectedRoleRuleFactories(name)) {
                Set<BoundObject> affectedObjects = externalRoleProvider.getAffectedObjects(knowledgeAssociation);
                if (!CollectionUtil.isEmptyOrNull(affectedObjects)) {
                    getOrCreateSet(map, externalRoleProvider).addAll(affectedObjects);
                }
            }
        } catch (Exception e) {
            Logger.error("Failed to handle " + (z ? "new" : "removed") + " meta attribute knowledge association: " + knowledgeAssociation.toString(), e, ElementSecurityUpdateManager.class);
        }
    }

    private void handleAttributedAssociationChange(KnowledgeAssociation knowledgeAssociation, Map<RoleProvider, Collection<BoundObject>> map, boolean z) {
        try {
            TLStructuredTypePart metaAttribute = WrapperMetaAttributeUtil.getMetaAttribute(knowledgeAssociation);
            for (RoleProvider roleProvider : this.accessManager.getRules(metaAttribute)) {
                if (roleProvider instanceof RoleRule) {
                    Set<BoundObject> traversRoleRuleBackwards = ElementAccessHelper.traversRoleRuleBackwards((RoleRule) roleProvider, metaAttribute, knowledgeAssociation);
                    if (!CollectionUtil.isEmptyOrNull(traversRoleRuleBackwards)) {
                        getOrCreateSet(map, roleProvider).addAll(traversRoleRuleBackwards);
                    }
                }
            }
        } catch (Exception e) {
            Logger.error("Failed to handle " + (z ? "new" : "removed") + " meta attribute knowledge association: " + knowledgeAssociation.toString(), e, this);
        }
    }

    private <U, V> Collection<V> getOrCreateSet(Map<U, Collection<V>> map, U u) {
        Collection<V> collection = map.get(u);
        if (collection == null) {
            collection = new HashSet();
            map.put(u, collection);
        }
        return collection;
    }

    private Map<BoundRole, Set<BoundObject>> mergeValuesByRole(Map<RoleProvider, Collection<BoundObject>> map) {
        HashMap hashMap = new HashMap();
        map.entrySet().iterator();
        for (Map.Entry<RoleProvider, Collection<BoundObject>> entry : map.entrySet()) {
            BoundRole role = entry.getKey().getRole();
            Set set = (Set) hashMap.get(role);
            if (set == null) {
                set = new HashSet();
                hashMap.put(role, set);
            }
            set.addAll(entry.getValue());
        }
        return hashMap;
    }
}
