package org.hawkular.accounts.api.internal.impl;

import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.UUID;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.annotation.security.PermitAll;
import javax.ejb.Stateless;
import javax.enterprise.inject.Produces;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import org.hawkular.accounts.api.AccessDeniedException;
import org.hawkular.accounts.api.OrganizationMembershipService;
import org.hawkular.accounts.api.OrganizationService;
import org.hawkular.accounts.api.PersonaResourceRoleService;
import org.hawkular.accounts.api.PersonaService;
import org.hawkular.accounts.api.ResourceService;
import org.hawkular.accounts.api.RoleService;
import org.hawkular.accounts.api.UserService;
import org.hawkular.accounts.api.model.HawkularUser;
import org.hawkular.accounts.api.model.Organization;
import org.hawkular.accounts.api.model.OrganizationMembership;
import org.hawkular.accounts.api.model.Persona;
import org.hawkular.accounts.api.model.PersonaResourceRole;
import org.hawkular.accounts.api.model.Resource;
import org.hawkular.accounts.api.model.Role;

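/**
 * Resolves personas (users or organizations) and computes the roles a persona
 * effectively holds on a resource, including the impersonation check applied
 * to the {@code Hawkular-Persona} request header.
 *
 * <p>The class is annotated {@code @PermitAll}, so the container applies no
 * role restriction to these methods. The decision to honour a requested
 * persona in {@link #getCurrent()} therefore rests on
 * {@link #isAllowedToImpersonate(HawkularUser, Persona)}.
 */
@PermitAll
@Stateless
/* loaded from: input_file:WEB-INF/lib/hawkular-accounts-api-2.0.32.Final.jar:org/hawkular/accounts/api/internal/impl/PersonaServiceImpl.class */
public class PersonaServiceImpl implements PersonaService {
    MsgLogger logger = MsgLogger.LOGGER;

    @Inject
    OrganizationMembershipService membershipService;

    @Inject
    OrganizationService organizationService;

    @Inject
    UserService userService;

    @Inject
    ResourceService resourceService;

    @Inject
    RoleService roleService;

    @Inject
    PersonaResourceRoleService personaResourceRoleService;

    // Current request; read only for the client-supplied "Hawkular-Persona" header.
    @Inject
    private HttpServletRequest httpRequest;

    /**
     * Looks up a persona by its UUID.
     *
     * @param uuid the persona ID
     * @return the matching user or organization, or {@code null} if neither exists
     */
    @Override
    public Persona getById(UUID uuid) {
        return get(uuid.toString());
    }

    /**
     * Looks up a persona by the string form of its UUID, trying users first and
     * organizations second.
     *
     * @param str the persona ID as a UUID string
     * @return the matching user or organization, or {@code null} if neither exists
     * @throws IllegalArgumentException if {@code str} is {@code null} or is not a
     *         valid UUID string (the latter is raised by {@link UUID#fromString})
     */
    @Override
    public Persona get(String str) {
        if (null == str) {
            throw new IllegalArgumentException("The provided Persona ID is invalid (null).");
        }
        UUID personaId = UUID.fromString(str);
        Persona found = this.userService.getById(personaId);
        if (null == found) {
            found = this.organizationService.getById(personaId);
        }
        return found;
    }

    /**
     * Computes the roles the persona holds on the resource.
     *
     * <p>If the persona has any direct role on the resource, the result is those
     * roles plus their implicit roles, and organization memberships are not
     * consulted. Otherwise, for each organization of the persona, the result
     * contains the persona's membership roles (plus their implicit roles) that
     * the organization itself effectively holds on the resource.
     *
     * @param persona the persona whose roles are wanted
     * @param resource the resource the roles apply to
     * @return the effective roles; empty if there are none
     * @throws IllegalArgumentException if either argument is {@code null}
     */
    @Override
    public Set<Role> getEffectiveRolesForResource(Persona persona, Resource resource) {
        if (null == persona) {
            throw new IllegalArgumentException("Missing persona (null).");
        }
        if (null == resource) {
            throw new IllegalArgumentException("Missing resource (null).");
        }
        this.logger.determiningEffectiveRolesForPersonaOnResource(persona.getId(), resource.getId());
        List<PersonaResourceRole> directAssignments =
                this.personaResourceRoleService.getByPersonaAndResource(persona, resource);
        this.logger.numOfDirectRolesOnResource(persona.getId(), resource.getId(), directAssignments.size());

        if (!directAssignments.isEmpty()) {
            // Direct assignments win: the organization path below is skipped entirely.
            Set<Role> directRoles = new HashSet<>(directAssignments.size());
            for (PersonaResourceRole assignment : directAssignments) {
                directRoles.add(assignment.getRole());
            }
            for (PersonaResourceRole assignment : directAssignments) {
                directRoles.addAll(this.roleService.getImplicitUserRoles(assignment.getRole()));
            }
            this.logger.totalEffectiveRolesOnResourceWithImplicitRoles(
                    persona.getId(), resource.getId(), directRoles.size());
            return directRoles;
        }

        this.logger.noDirectRolesOnResource(persona.getId(), resource.getId());
        List<Organization> organizations = this.organizationService.getOrganizationsForPersona(persona);
        Set<Role> indirectRoles = new HashSet<>();
        for (Organization organization : organizations) {
            this.logger.checkingIndirectRolesViaOrganization(
                    persona.getId(), resource.getId(), organization.getId());
            List<OrganizationMembership> memberships =
                    this.membershipService.getPersonaMembershipsForOrganization(persona, organization);
            // NOTE(review): this recurses through the organization's own organizations;
            // it presumably relies on that graph being acyclic - confirm.
            Set<Role> organizationRoles = getEffectiveRolesForResource(organization, resource);
            Set<Role> rolesViaOrganization = memberships.stream()
                    .map(membership -> {
                        // Copy before adding so the set handed out by the role service
                        // is never modified here.
                        Set<Role> membershipRoles =
                                new HashSet<>(this.roleService.getImplicitUserRoles(membership.getRole()));
                        membershipRoles.add(membership.getRole());
                        return membershipRoles;
                    })
                    .flatMap(Set::stream)
                    // Keep only roles the organization itself holds on the resource.
                    // The listing referenced an undefined name here; the bound receiver
                    // is the organization's role set.
                    .filter(organizationRoles::contains)
                    .collect(Collectors.toSet());
            this.logger.numOfEffectiveRolesViaOrganization(
                    persona.getId(), resource.getId(), organization.getId(), rolesViaOrganization.size());
            indirectRoles.addAll(rolesViaOrganization);
        }
        this.logger.totalEffectiveRolesOnResource(persona.getId(), resource.getId(), indirectRoles.size());
        return indirectRoles;
    }

    /**
     * Produces the persona the current request acts as.
     *
     * <p>Without a {@code Hawkular-Persona} header (or with an empty one) this is
     * the current user. With the header, the named persona is returned only if
     * the current user passes {@link #isAllowedToImpersonate(HawkularUser, Persona)}.
     *
     * @return the current user, or the requested persona when impersonation is allowed
     * @throws AccessDeniedException if the header names no known persona or the
     *         current user may not impersonate it
     */
    @Override
    @Produces
    public Persona getCurrent() {
        // The header value is supplied by the client and must be treated as untrusted.
        String requestedPersonaId = this.httpRequest.getHeader("Hawkular-Persona");
        if (requestedPersonaId == null || requestedPersonaId.isEmpty()) {
            return this.userService.getCurrent();
        }
        // NOTE(review): a value that is not a UUID makes get() throw
        // IllegalArgumentException rather than AccessDeniedException - confirm the
        // caller maps that to a client error and not a server fault.
        Persona requested = get(requestedPersonaId);
        if (null == requested) {
            // NOTE(review): the raw header value is echoed into the message - confirm
            // it is encoded wherever this message is logged or returned.
            throw new AccessDeniedException("Invalid personaId [" + requestedPersonaId + "].");
        }
        if (!isAllowedToImpersonate(this.userService.getCurrent(), requested)) {
            throw new AccessDeniedException("User is not allowed to impersonate this persona.");
        }
        return requested;
    }

    /**
     * Decides whether a user may act as the given persona.
     *
     * <p>A user may always act as themselves and never as another user. For any
     * other persona the user must hold at least one effective role on the
     * resource whose ID equals the persona's ID.
     *
     * @param hawkularUser the authenticated user
     * @param persona the persona the user wants to act as
     * @return {@code true} if impersonation is allowed
     * @throws IllegalArgumentException if no resource exists for the persona's ID
     *         (raised by {@link #getEffectiveRolesForResource(Persona, Resource)})
     */
    @Override
    public boolean isAllowedToImpersonate(HawkularUser hawkularUser, Persona persona) {
        if (hawkularUser.equals(persona)) {
            return true;
        }
        if (persona instanceof HawkularUser) {
            // Users cannot impersonate other users.
            return false;
        }
        Resource personaResource = this.resourceService.getById(persona.getIdAsUUID());
        Set<Role> roles = getEffectiveRolesForResource(hawkularUser, personaResource);
        return roles != null && !roles.isEmpty();
    }
}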
