package com.top_logic.element.boundsec.manager;

import com.top_logic.base.cluster.ClusterManager;
import com.top_logic.basic.CalledByReflection;
import com.top_logic.basic.CollectionUtil;
import com.top_logic.basic.Logger;
import com.top_logic.basic.TLID;
import com.top_logic.basic.col.TypedAnnotatable;
import com.top_logic.basic.config.InstantiationContext;
import com.top_logic.basic.config.PolymorphicConfiguration;
import com.top_logic.basic.config.annotation.Name;
import com.top_logic.basic.config.annotation.defaults.ImplementationClassDefault;
import com.top_logic.basic.config.annotation.defaults.ItemDefault;
import com.top_logic.basic.module.ServiceDependencies;
import com.top_logic.basic.sql.ConnectionPoolRegistry;
import com.top_logic.basic.thread.ThreadContext;
import com.top_logic.element.boundsec.manager.ElementAccessManager;
import com.top_logic.knowledge.security.SecurityStorage;
import com.top_logic.knowledge.service.CommitHandler;
import com.top_logic.knowledge.service.KnowledgeBase;
import com.top_logic.knowledge.service.StorageException;
import com.top_logic.knowledge.wrap.WrapperFactory;
import com.top_logic.knowledge.wrap.person.Person;
import com.top_logic.tool.boundsec.BoundObject;
import com.top_logic.tool.boundsec.BoundRole;
import com.top_logic.tool.boundsec.wrap.BoundedRole;
import com.top_logic.tool.boundsec.wrap.Group;
import com.top_logic.util.TLContext;
import com.top_logic.util.Utils;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

@ServiceDependencies({ConnectionPoolRegistry.Module.class, ClusterManager.Module.class})
/* loaded from: input_file:com/top_logic/element/boundsec/manager/StorageAccessManager.class */
public class StorageAccessManager extends ElementAccessManager {
    private static final TypedAnnotatable.Property<RoleComputation> PERSON_ROLE_CACHE = TypedAnnotatable.property(RoleComputation.class, "personRoleCache");
    private final SecurityStorage securityStorage;
    private final ElementSecurityUpdateManager securityUpdateManager;
    protected boolean started;
    protected Collection<BoundObject> invalidObjects;
    protected Map<BoundRole, Set<BoundObject>> invalidObjectsByRole;
    private final RebuildStrategy _rebuildStrategy;
    protected final boolean rebuildAfterStartup;
    protected boolean resetOnInit;
    protected boolean skipRebuildOnStartup;
    private final boolean usePersonRoleCache;

    /* loaded from: input_file:com/top_logic/element/boundsec/manager/StorageAccessManager$Config.class */
    public interface Config extends ElementAccessManager.Config {
        public static final String REBUILD_STRATEGY = "rebuild-strategy";
        public static final String RESET_ON_INIT = "reset-on-init";
        public static final String REBUILD_AFTER_STARTUP = "rebuild-after-startup";
        public static final String SKIP_REBUILD_ON_STARTUP = "skip-rebuild-on-startup";
        public static final String USE_PERSON_ROLE_CACHE = "use-person-role-cache";
        public static final String STORAGE = "storage";
        public static final String UPDATE_MANAGER = "update-manager";

        @Name(REBUILD_STRATEGY)
        RebuildStrategy getRebuildStrategy();

        @Name(RESET_ON_INIT)
        boolean getResetOnInit();

        @Name(REBUILD_AFTER_STARTUP)
        boolean getRebuildAfterStartup();

        @Name(SKIP_REBUILD_ON_STARTUP)
        boolean getSkipRebuildOnStartup();

        @Name(USE_PERSON_ROLE_CACHE)
        boolean getUsePersonRoleCache();

        @ImplementationClassDefault(SecurityStorage.class)
        @Name(STORAGE)
        @ItemDefault
        PolymorphicConfiguration<SecurityStorage> getStorage();

        @ImplementationClassDefault(ElementSecurityUpdateManager.class)
        @Name(UPDATE_MANAGER)
        @ItemDefault
        PolymorphicConfiguration<ElementSecurityUpdateManager> getUpdateManager();
    }

    @CalledByReflection
    public StorageAccessManager(InstantiationContext instantiationContext, Config config) {
        super(instantiationContext, config);
        this.started = false;
        this.invalidObjectsByRole = new HashMap();
        this._rebuildStrategy = config.getRebuildStrategy();
        this.resetOnInit = config.getResetOnInit();
        this.rebuildAfterStartup = config.getRebuildAfterStartup();
        this.skipRebuildOnStartup = config.getSkipRebuildOnStartup();
        this.usePersonRoleCache = config.getUsePersonRoleCache();
        this.securityStorage = createSecurityStorage(instantiationContext, config);
        this.securityUpdateManager = createUpdateManager(instantiationContext, config);
    }

    private SecurityStorage createSecurityStorage(InstantiationContext instantiationContext, Config config) {
        SecurityStorage securityStorage = (SecurityStorage) instantiationContext.getInstance(config.getStorage());
        if (securityStorage == null) {
            instantiationContext.error("SecurityStorage is not allowed to be null.");
        }
        return securityStorage;
    }

    private ElementSecurityUpdateManager createUpdateManager(InstantiationContext instantiationContext, Config config) {
        ElementSecurityUpdateManager elementSecurityUpdateManager = (ElementSecurityUpdateManager) instantiationContext.getInstance(config.getUpdateManager());
        if (elementSecurityUpdateManager == null) {
            instantiationContext.error("SecurityUpdateManager is not allowed to be null.");
        }
        return elementSecurityUpdateManager;
    }

    @Override // com.top_logic.element.boundsec.manager.ElementAccessManager
    /* renamed from: getConfig, reason: merged with bridge method [inline-methods] */
    public Config mo6getConfig() {
        return (Config) super.mo6getConfig();
    }

    public final SecurityStorage getSecurityStorage() {
        return this.securityStorage;
    }

    public void setInvalidObjects(Collection<BoundObject> collection, Map<BoundRole, Set<BoundObject>> map) {
        this.invalidObjects = collection;
        this.invalidObjectsByRole = map;
    }

    public void removeInvalidObjects() {
        this.invalidObjects = null;
        this.invalidObjectsByRole = null;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public final List<TLID> getSecurityParentIDs(BoundObject boundObject) {
        return getSecurityParentIDs(Collections.singletonList(boundObject));
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public List<TLID> getSecurityParentIDs(Collection<? extends BoundObject> collection) {
        ArrayList arrayList = new ArrayList();
        for (BoundObject boundObject : collection) {
            while (true) {
                BoundObject boundObject2 = boundObject;
                if (boundObject2 != null) {
                    arrayList.add(boundObject2.getID());
                    boundObject = boundObject2.getSecurityParent();
                }
            }
        }
        return arrayList;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public List<TLID> getGroupIDs(Person person) {
        List<Group> groups = getGroups(person);
        WrapperFactory.toObjectNamesInline(groups);
        return groups;
    }

    @Override // com.top_logic.element.boundsec.manager.ElementAccessManager
    public Set<BoundRole> getRoles(Person person, BoundObject boundObject) {
        if (this.securityStorage.isRebuilding()) {
            switch (rebuildStrategy()) {
                case BLOCK:
                    waitForRebuilding();
                    break;
                case COMPUTE:
                    return super.getRoles(person, boundObject);
                case DENY:
                    return new HashSet();
            }
        }
        return getRoleComputation(person).getRoles(boundObject);
    }

    public boolean hasRole(Person person, BoundObject boundObject, Collection<BoundedRole> collection) {
        if (isSuperUser(person)) {
            return true;
        }
        if (this.securityStorage.isRebuilding()) {
            switch (rebuildStrategy()) {
                case BLOCK:
                    waitForRebuilding();
                    break;
                case COMPUTE:
                    return super.hasRole(person, boundObject, collection);
                case DENY:
                    return false;
            }
        }
        return getRoleComputation(person).hasRole(boundObject, collection);
    }

    public <T extends BoundObject> Collection<T> getAllowedBusinessObjects(Person person, Collection<BoundedRole> collection, Collection<T> collection2) {
        if (isSuperUser(person)) {
            return collection2;
        }
        if (CollectionUtil.isEmptyOrNull(collection)) {
            return Collections.emptyList();
        }
        if (this.securityStorage.isRebuilding()) {
            switch (rebuildStrategy()) {
                case BLOCK:
                    waitForRebuilding();
                    break;
                case COMPUTE:
                    return super.getAllowedBusinessObjects(person, collection, collection2);
                case DENY:
                    return new ArrayList(0);
            }
        }
        return getRoleComputation(person).getAllowedBusinessObjects(collection, collection2);
    }

    protected RebuildStrategy rebuildStrategy() {
        switch (this._rebuildStrategy) {
            case BLOCK:
                if (!SecurityStorage.isCurrentReloadingThread()) {
                    return RebuildStrategy.BLOCK;
                }
                Logger.warn("Can not block, because caller is the rebuilding thread. Blocking would cause dead-lock.", StorageAccessManager.class);
                return RebuildStrategy.COMPUTE;
            default:
                return this._rebuildStrategy;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // com.top_logic.element.boundsec.manager.ElementAccessManager
    public void startUp() {
        super.startUp();
        this.securityStorage.startUp(this);
        this.securityUpdateManager.startUp(this, this.securityStorage);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // com.top_logic.element.boundsec.manager.ElementAccessManager
    public void shutDown() {
        this.securityUpdateManager.shutDown();
        this.securityStorage.shutDown();
        super.shutDown();
    }

    @Override // com.top_logic.element.boundsec.manager.ElementAccessManager
    public boolean reload() {
        boolean reload = super.reload() & this.securityStorage.reload();
        this.dirty = false;
        return reload;
    }

    public void initSecurityAfterStartup() {
        if (this.resetOnInit || this.dirty || this.securityStorage.isDirty()) {
            if (this.skipRebuildOnStartup) {
                Logger.warn("Skipping rebuilding of SecurityStorage as configured. Security could be inconsistent.", StorageAccessManager.class);
                return;
            }
            if (this.rebuildAfterStartup) {
                RebuildStorageAfterStartupThread.rebuildAfterStartup();
            } else {
                this.securityStorage.reload();
            }
            this.dirty = false;
        }
    }

    private void waitForRebuilding() {
        while (this.securityStorage.isRebuilding()) {
            try {
                Logger.info("Waiting for rebuilding security storage.", StorageAccessManager.class);
                Thread.sleep(1000L);
            } catch (InterruptedException e) {
            }
        }
    }

    @Override // com.top_logic.element.boundsec.manager.ElementAccessManager
    public void handleSecurityUpdate(KnowledgeBase knowledgeBase, Map<TLID, Object> map, Map<TLID, Object> map2, Map<TLID, Object> map3, CommitHandler commitHandler) {
        if (this.securityStorage.isAutoUpdate()) {
            if (this.securityStorage.isRebuilding()) {
                if (this._rebuildStrategy != RebuildStrategy.BLOCK || ThreadContext.isAdmin()) {
                    Logger.warn("A data change is about to be commited while security storage is rebuilding. Security could be inconsistent.", StorageAccessManager.class);
                } else {
                    waitForRebuilding();
                }
            }
            super.handleSecurityUpdate(knowledgeBase, map, map2, map3, commitHandler);
            doHandleSecurityUpdate(knowledgeBase, map, map2, map3, commitHandler);
        }
    }

    protected void doHandleSecurityUpdate(KnowledgeBase knowledgeBase, Map<TLID, Object> map, Map<TLID, Object> map2, Map<TLID, Object> map3, CommitHandler commitHandler) {
        this.securityUpdateManager.handleSecurityUpdate(knowledgeBase, map, map2, map3, commitHandler);
    }

    @Override // com.top_logic.element.boundsec.manager.ElementAccessManager
    public Collection<Group> getGroups(BoundObject boundObject, BoundRole boundRole) {
        if (this.securityStorage.isRebuilding() || !this.securityStorage.isAutoUpdate() || isInvalid(boundObject, boundRole)) {
            return super.getGroups(boundObject, boundRole);
        }
        try {
            return this.securityStorage.getGroups(boundObject, boundRole);
        } catch (StorageException e) {
            Logger.error("Unable to get groups from security storage. Executing manually...", e, this);
            return super.getGroups(boundObject, boundRole);
        }
    }

    private boolean isInvalid(BoundObject boundObject, BoundRole boundRole) {
        Set<BoundObject> set;
        if (this.invalidObjects == null || !this.invalidObjects.contains(boundObject)) {
            return (this.invalidObjectsByRole == null || (set = this.invalidObjectsByRole.get(boundRole)) == null || !set.contains(boundObject)) ? false : true;
        }
        return true;
    }

    private RoleComputation getRoleComputation(Person person) {
        TLContext context = TLContext.getContext();
        if (context != null) {
            Person currentPersonWrapper = context.getCurrentPersonWrapper();
            if (Utils.equals(currentPersonWrapper, person)) {
                RoleComputation roleComputation = (RoleComputation) context.get(PERSON_ROLE_CACHE);
                if (roleComputation == null) {
                    roleComputation = createRoleComputation(currentPersonWrapper, true);
                    context.set(PERSON_ROLE_CACHE, roleComputation);
                }
                return roleComputation;
            }
        }
        return createRoleComputation(person, false);
    }

    protected RoleComputation createRoleComputation(Person person, boolean z) {
        return (z && this.usePersonRoleCache) ? new PersonRoleCache(person, this) : new SimpleRoleComputation(person, this);
    }
}
