package com.sap.cds.services.impl.authorization;

import com.sap.cds.ql.CQL;
import com.sap.cds.ql.Predicate;
import com.sap.cds.ql.Select;
import com.sap.cds.ql.cqn.CqnPredicate;
import com.sap.cds.reflect.CdsKind;
import com.sap.cds.reflect.CdsModel;
import com.sap.cds.services.authorization.ActionAccessEventContext;
import com.sap.cds.services.authorization.AuthorizationService;
import com.sap.cds.services.authorization.CalcWhereConditionEventContext;
import com.sap.cds.services.authorization.EntityAccessEventContext;
import com.sap.cds.services.authorization.FunctionAccessEventContext;
import com.sap.cds.services.authorization.GetRestrictionEventContext;
import com.sap.cds.services.authorization.ServiceAccessEventContext;
import com.sap.cds.services.changeset.ChangeSetContextSPI;
import com.sap.cds.services.handler.EventHandler;
import com.sap.cds.services.handler.annotations.HandlerOrder;
import com.sap.cds.services.handler.annotations.On;
import com.sap.cds.services.handler.annotations.ServiceName;
import com.sap.cds.services.impl.authorization.PredicateResolver;
import com.sap.cds.services.impl.draft.ParentEntityLookup;
import com.sap.cds.services.impl.outbox.persistence.collectors.PartitionCollectorCoordinator;
import com.sap.cds.services.impl.utils.CdsServiceUtils;
import com.sap.cds.services.request.RequestContext;
import com.sap.cds.services.runtime.CdsRuntime;
import com.sap.cds.services.utils.CdsErrorStatuses;
import com.sap.cds.services.utils.ErrorStatusException;
import com.sap.cds.services.utils.StringUtils;
import com.sap.cds.services.utils.TenantAwareCache;
import com.sap.cds.services.utils.model.Privilege;
import com.sap.cds.services.utils.model.Restriction;
import java.util.Iterator;
import java.util.List;
import java.util.stream.Collectors;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

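/**
 * Default {@code On} handlers for {@link AuthorizationService} events: restriction lookup,
 * service / entity / function / action access checks, and calculation of the instance-based
 * "where" condition. Registered for every service name ({@code "*"}) of type
 * {@link AuthorizationService}.
 *
 * <p>This listing originates from decompiler output (JADX markers were present in the source).
 *
 * <p>Security-relevant defaults that the code in this class establishes:
 * <ul>
 *   <li>Service, function and action checks start from "allowed" and only consult
 *       {@code RestrictionUtils.passesRestriction} when a restriction is found; an element
 *       without a restriction is therefore accessible.</li>
 *   <li>The entity check denies access when no authorization entity can be resolved.</li>
 *   <li>The calculated where condition is {@code null} for privileged users, for entities
 *       without a restriction, and as soon as one passing privilege yields no predicate.</li>
 * </ul>
 */
@ServiceName(value = {"*"}, type = {AuthorizationService.class})
public class AuthorizationDefaultOnHandler implements EventHandler {
    private static final Logger logger = LoggerFactory.getLogger(AuthorizationDefaultOnHandler.class);

    // Caches created through TenantAwareCache.create(...) with the runtime passed to the constructor.
    private final TenantAwareCache<RestrictionLookup, CdsModel> restrictionLookupCache;
    private final TenantAwareCache<PredicateLookup, CdsModel> predicateLookupCache;
    private final TenantAwareCache<ParentEntityLookup, CdsModel> parentEntityLookups;

    // Read once from the runtime's security/authorization properties; handed to the predicate
    // resolver on every where-condition calculation.
    private final boolean isEmptyAttributeValuesAreRestricted;

    /**
     * Creates the handler and its lookup caches.
     *
     * <p>The decompiler reported that the access modifier was changed from package-private;
     * the visibility is kept as it appears in this listing.
     *
     * @param cdsRuntime runtime used to create the caches and to read the authorization property
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public AuthorizationDefaultOnHandler(CdsRuntime cdsRuntime) {
        this.restrictionLookupCache = TenantAwareCache.create(() -> {
            return new RestrictionLookup();
        }, cdsRuntime);
        this.predicateLookupCache = TenantAwareCache.create(() -> {
            return new PredicateLookup();
        }, cdsRuntime);
        this.parentEntityLookups = TenantAwareCache.create(() -> {
            return new ParentEntityLookup(RequestContext.getCurrent(cdsRuntime).getModel());
        }, cdsRuntime);
        this.isEmptyAttributeValuesAreRestricted = cdsRuntime.getEnvironment().getCdsProperties().getSecurity().getAuthorization().isEmptyAttributeValuesAreRestricted();
    }

    /** Returns the {@link RestrictionLookup} from the restriction lookup cache. */
    private RestrictionLookup restrictionLookup() {
        return (RestrictionLookup) this.restrictionLookupCache.findOrCreate();
    }

    /**
     * Looks up the restriction for the element named in the context and stores it as the result.
     *
     * @param getRestrictionEventContext supplies kind, model, element name and event name
     * @throws ErrorStatusException with {@code UNSUPPORTED_RESTRICTION} for any kind other than
     *     service, entity, action or function
     */
    @HandlerOrder(11000)
    @On
    protected void defaultGetRestriction(GetRestrictionEventContext getRestrictionEventContext) {
        Restriction restriction;
        // Dispatch on the enum constants themselves. The decompiled form went through a synthetic
        // ordinal table and labelled the ENTITY case with an unrelated outbox constant whose value
        // happened to be 2; authorization dispatch must not depend on such a constant.
        switch (getRestrictionEventContext.getKind()) {
            case SERVICE:
                restriction = restrictionLookup().retrieveServiceRestriction(getRestrictionEventContext.getModel(), getRestrictionEventContext.getName());
                break;
            case ENTITY:
                restriction = restrictionLookup().retrieveEntityRestriction(getRestrictionEventContext.getModel(), getRestrictionEventContext.getName());
                break;
            case ACTION:
                restriction = restrictionLookup().lookupActionRestriction(getRestrictionEventContext.getModel(), getRestrictionEventContext.getName(), getRestrictionEventContext.getEventName());
                break;
            case FUNCTION:
                restriction = restrictionLookup().lookupFunctionRestriction(getRestrictionEventContext.getModel(), getRestrictionEventContext.getName(), getRestrictionEventContext.getEventName());
                break;
            default:
                throw new ErrorStatusException(CdsErrorStatuses.UNSUPPORTED_RESTRICTION, new Object[]{getRestrictionEventContext.getName(), getRestrictionEventContext.getKind()});
        }
        getRestrictionEventContext.setResult(restriction);
    }

    /**
     * Decides whether the user may send the access event to the service.
     *
     * <p>The result is {@code true} when no service restriction is found; otherwise it is the
     * outcome of {@code RestrictionUtils.passesRestriction}.
     *
     * @param serviceAccessEventContext supplies service, service name, event name and user
     */
    @HandlerOrder(11000)
    @On
    protected void defaultHasServiceAccess(ServiceAccessEventContext serviceAccessEventContext) {
        String accessEventName = serviceAccessEventContext.getAccessEventName();
        Restriction serviceRestriction = RestrictionUtils.getServiceRestriction(serviceAccessEventContext.getService(), serviceAccessEventContext.getAccessServiceName(), accessEventName);
        // No restriction found means no check is applied: access is granted.
        boolean allowed = true;
        if (serviceRestriction != null) {
            allowed = RestrictionUtils.passesRestriction(serviceRestriction, serviceAccessEventContext.getUserInfo(), accessEventName);
        }
        serviceAccessEventContext.setResult(allowed);
    }

    /**
     * Decides whether the user may send the access event to the entity and stores the result.
     *
     * <p>When the current ChangeSet context already has the member
     * {@code "PersistenceService$Default"}, the check runs directly. Otherwise it runs inside
     * {@code getCdsRuntime().changeSetContext().run(...)}.
     * NOTE(review): presumably this gives the instance query in
     * {@link #defaultHasEntityAccessImpl} a ChangeSet of its own; confirm.
     *
     * @param entityAccessEventContext supplies the ChangeSet context, runtime and access data
     */
    @HandlerOrder(11000)
    @On
    protected void defaultHasEntityAccess(EntityAccessEventContext entityAccessEventContext) {
        ChangeSetContextSPI changeSetContext = entityAccessEventContext.getChangeSetContext();
        boolean allowed;
        if (changeSetContext != null && changeSetContext.hasChangeSetMember("PersistenceService$Default")) {
            allowed = defaultHasEntityAccessImpl(entityAccessEventContext);
        } else {
            // Block-bodied lambda with an explicit return, as in the original listing.
            allowed = ((Boolean) entityAccessEventContext.getCdsRuntime().changeSetContext().run(changeSetContext2 -> {
                return Boolean.valueOf(defaultHasEntityAccessImpl(entityAccessEventContext));
            })).booleanValue();
        }
        entityAccessEventContext.setResult(allowed);
    }

    /**
     * Performs the entity access check.
     *
     * <ol>
     *   <li>Resolves the authorization entity; if none is found, access is denied.</li>
     *   <li>If that entity has a restriction which the user does not pass, access is denied.</li>
     *   <li>If the authorization entity differs from the accessed entity, an authorization path
     *       exists, the resolved entity is not a draft and an authorization condition is returned,
     *       access additionally requires that a select on the authorization path filtered by that
     *       condition returns at least one row.</li>
     * </ol>
     *
     * <p>Every denial is reported at debug level only.
     *
     * @param entityAccessEventContext supplies service, user, accessed entity and event name
     * @return {@code true} if access is granted
     */
    protected boolean defaultHasEntityAccessImpl(EntityAccessEventContext entityAccessEventContext) {
        String accessEventName = entityAccessEventContext.getAccessEventName();
        String accessEntityName = entityAccessEventContext.getAccessEntityName();
        AuthorizationEntity resolved = AuthorizationEntity.resolve(entityAccessEventContext, cdsEntity -> {
            return ((ParentEntityLookup) this.parentEntityLookups.findOrCreate()).lookupParent(cdsEntity);
        });
        if (resolved.getAuthorizationEntity() == null) {
            // Deny by default when there is nothing to evaluate the restriction against.
            logger.debug("No authorization entity found when sending event '{}' to entity '{}'", accessEventName, accessEntityName);
            return false;
        }

        String qualifiedName = resolved.getAuthorizationEntity().getQualifiedName();
        boolean sameEntity = qualifiedName.equals(accessEntityName);
        Restriction entityRestriction = RestrictionUtils.getEntityRestriction(entityAccessEventContext.getService(), qualifiedName, accessEventName);
        if (entityRestriction != null && !RestrictionUtils.passesRestriction(entityRestriction, entityAccessEventContext.getUserInfo(), accessEventName)) {
            if (sameEntity) {
                logger.debug("No authorization to send event '{}' to entity '{}'", accessEventName, accessEntityName);
            } else {
                logger.debug("No authorization to send event '{}' to entity '{}' because of authorization entity '{}'", new Object[]{accessEventName, accessEntityName, qualifiedName});
            }
            return false;
        }

        // The instance check below applies only when authorization is taken from another entity
        // reached through an authorization path, and the resolved entity is not a draft.
        if (sameEntity || resolved.getAuthorizationPath() == null || resolved.isDraft()) {
            return true;
        }
        CqnPredicate authorizationCondition = resolved.authorizationCondition(resolved.getAuthorizationEntity(), accessEventName);
        if (authorizationCondition == null) {
            return true;
        }
        boolean instanceFound = CdsServiceUtils.getDefaultPersistenceService(entityAccessEventContext).run(Select.from(resolved.getAuthorizationPath()).where(authorizationCondition), new Object[0]).first().isPresent();
        if (instanceFound) {
            return true;
        }
        logger.debug("No authorization to send event '{}' to entity '{}' because of instance '{}'", new Object[]{accessEventName, accessEntityName, resolved.getAuthorizationPath()});
        return false;
    }

    /**
     * Decides whether the user may call the function.
     *
     * <p>The result is {@code true} when no function restriction is found; otherwise the
     * restriction is evaluated against {@code Privilege.PredefinedGrant.ALL}.
     *
     * @param functionAccessEventContext supplies service, entity name, function name and user
     */
    @HandlerOrder(11000)
    @On
    protected void defaultHasFunctionAccess(FunctionAccessEventContext functionAccessEventContext) {
        Restriction functionRestriction = RestrictionUtils.getFunctionRestriction(functionAccessEventContext.getService(), functionAccessEventContext.getEntityName(), functionAccessEventContext.getFunctionName());
        // No restriction found means no check is applied: access is granted.
        boolean allowed = true;
        if (functionRestriction != null) {
            allowed = RestrictionUtils.passesRestriction(functionRestriction, functionAccessEventContext.getUserInfo(), Privilege.PredefinedGrant.ALL.toString());
        }
        functionAccessEventContext.setResult(allowed);
    }

    /**
     * Decides whether the user may call the action.
     *
     * <p>The result is {@code true} when no action restriction is found; otherwise the
     * restriction is evaluated against {@code Privilege.PredefinedGrant.ALL}.
     *
     * @param actionAccessEventContext supplies service, entity name, action name and user
     */
    @HandlerOrder(11000)
    @On
    protected void defaultHasActionAccess(ActionAccessEventContext actionAccessEventContext) {
        Restriction actionRestriction = RestrictionUtils.getActionRestriction(actionAccessEventContext.getService(), actionAccessEventContext.getEntityName(), actionAccessEventContext.getActionName());
        // No restriction found means no check is applied: access is granted.
        boolean allowed = true;
        if (actionRestriction != null) {
            allowed = RestrictionUtils.passesRestriction(actionRestriction, actionAccessEventContext.getUserInfo(), Privilege.PredefinedGrant.ALL.toString());
        }
        actionAccessEventContext.setResult(allowed);
    }

    /**
     * Calculates the where condition for the entity and event and stores it as the result.
     *
     * <p>For a non-privileged user and an entity with a restriction, the predicates of all
     * passing privileges are combined with OR. The result is {@code null} when the user is
     * privileged, when the entity has no restriction, or as soon as one passing privilege yields
     * no predicate (it has no CXN where condition, or the resolver returned {@code null}).
     *
     * <p>NOTE(review): {@code null} is also the result when the restriction has no passing
     * privilege at all. If callers treat a {@code null} result as "no filter" (not visible
     * here), they must have rejected that case through the entity access check first; confirm.
     *
     * <p>The debug log lines written here contain the where condition and, on the
     * multiple-attribute-values path, the user name and attribute name.
     *
     * @param calcWhereConditionEventContext supplies service, entity name, event name and user
     * @throws ErrorStatusException with {@code EVENT_FORBIDDEN_UNSUPPORTED_USER_ATTRIBUTES} when
     *     the resolver reports multiple values for a user attribute, {@code INVALID_WHERE_CONDITION}
     *     for any other resolver failure, or {@code INCONSISTENT_WHERE_CONDITION} when a privilege
     *     has a where condition but no CXN where condition
     */
    @HandlerOrder(11000)
    @On
    protected void defaultCalcWhereCondition(CalcWhereConditionEventContext calcWhereConditionEventContext) {
        String eventName = calcWhereConditionEventContext.getEventName();
        String entityName = calcWhereConditionEventContext.getEntityName();
        Predicate combined = null;
        if (!calcWhereConditionEventContext.getUserInfo().isPrivileged()) {
            Restriction entityRestriction = RestrictionUtils.getEntityRestriction(calcWhereConditionEventContext.getService(), entityName, eventName);
            if (entityRestriction != null) {
                List<?> passingPrivileges = (List<?>) RestrictionUtils.passingPrivilegesOfRestriction(entityRestriction, calcWhereConditionEventContext.getUserInfo(), eventName).collect(Collectors.toList());
                for (Object candidate : passingPrivileges) {
                    Privilege privilege = (Privilege) candidate;
                    Predicate resolved = null;
                    if (!StringUtils.isEmpty(privilege.getCxnWhereCondition())) {
                        try {
                            logger.debug("Resolving 'where' condition '{}'", privilege.getCxnWhereCondition());
                            resolved = ((PredicateLookup) this.predicateLookupCache.findOrCreate()).resolvePredicate(privilege.getCxnWhereCondition(), calcWhereConditionEventContext.getUserInfo(), this.isEmptyAttributeValuesAreRestricted);
                        } catch (PredicateResolver.MultipleAttributeValuesNotSupportedException e) {
                            logger.debug("No authorization to send event '{}' to entity '{}' because user {} has multiple values for attribute '{}' (filter resource '{}')", new Object[]{eventName, entityName, calcWhereConditionEventContext.getUserInfo().getName(), e.getAttributeName(), e.getResourceName(), e});
                            throw new ErrorStatusException(CdsErrorStatuses.EVENT_FORBIDDEN_UNSUPPORTED_USER_ATTRIBUTES, new Object[]{eventName, entityName, e.getAttributeName(), e});
                        } catch (Exception e2) {
                            // Any other resolver failure aborts the request rather than dropping
                            // the filter for this privilege.
                            throw new ErrorStatusException(CdsErrorStatuses.INVALID_WHERE_CONDITION, new Object[]{privilege.getCxnWhereCondition(), entityName, eventName, calcWhereConditionEventContext.getUserInfo().getName(), e2});
                        }
                    } else if (!StringUtils.isEmpty(privilege.getWhereCondition())) {
                        // A textual where condition without its CXN form is rejected instead of
                        // being treated as "no condition".
                        throw new ErrorStatusException(CdsErrorStatuses.INCONSISTENT_WHERE_CONDITION, new Object[]{privilege.getWhereCondition(), entityName});
                    }
                    if (resolved == null) {
                        // One passing privilege without a predicate makes the whole OR
                        // unconditional; the remaining privileges are not evaluated.
                        combined = null;
                        break;
                    }
                    combined = combined != null ? CQL.or(combined, resolved) : resolved;
                }
            }
        }
        calcWhereConditionEventContext.setResult(combined);
    }
}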
