package sernet.verinice.hibernate;

import java.sql.SQLException;
import java.util.Iterator;
import java.util.List;
import org.apache.log4j.Logger;
import org.hibernate.HibernateException;
import org.hibernate.Session;
import org.hibernate.criterion.DetachedCriteria;
import org.springframework.orm.hibernate3.HibernateCallback;
import sernet.gs.service.SecurityException;
import sernet.verinice.interfaces.IAuthService;
import sernet.verinice.interfaces.IBaseDao;
import sernet.verinice.model.common.CnATreeElement;
import sernet.verinice.model.common.Permission;
import sernet.verinice.model.common.configuration.Configuration;
import sernet.verinice.service.IConfigurationService;

/* loaded from: input_file:sernet/verinice/hibernate/SecureTreeElementDao.class */
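public class SecureTreeElementDao extends TreeElementDao<CnATreeElement, Integer> {

    /** Role name that bypasses both the read filter and the write-permission query. */
    private static final String ROLE_ADMIN = "ROLE_ADMIN";

    /** Hibernate filter that restricts reads to the caller's own scope. */
    private static final String SCOPE_FILTER = "scopeFilter";

    /** Hibernate filter that restricts reads to elements the caller's roles may read. */
    private static final String ACCESS_FILTER = "userAccessReadFilter";

    private static final Logger LOG = Logger.getLogger(SecureTreeElementDao.class);

    private IAuthService authService;
    private IBaseDao<Configuration, Integer> configurationDao;
    private IBaseDao<Permission, Integer> permissionDao;
    private IConfigurationService configurationService;

    /**
     * Creates a DAO for {@link CnATreeElement} instances.
     *
     * @param cls the entity class handled by this DAO
     */
    public SecureTreeElementDao(Class<CnATreeElement> cls) {
        super(cls);
    }

    /**
     * Runs the criteria query with the security filters enabled for the current user.
     *
     * <p>The filters are disabled again in a {@code finally} block so that a query that
     * throws does not leave them switched on for the next caller of the session.
     *
     * @param detachedCriteria the query to execute
     * @return the matching elements visible to the current user
     */
    @Override
    public List<CnATreeElement> findByCriteria(DetachedCriteria detachedCriteria) {
        String username = getAuthService().getUsername();
        boolean filtered = isPermissionHandlingNeeded(username);
        if (filtered) {
            enableFilter();
        }
        try {
            return super.findByCriteria(detachedCriteria);
        } finally {
            if (filtered) {
                disableFilter();
            }
        }
    }

    /**
     * Enables the scope filter and, for non-admin users, the read-access filter.
     */
    public void enableFilter() {
        if (!hasAdminRole(this.authService.getRoles())) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Enabling security access filter for user: " + this.authService.getUsername());
            }
            setAccessFilterEnabled(true);
        }
        setScopeFilterEnabled(true);
    }

    /**
     * Disables the scope filter and, for non-admin users, the read-access filter.
     */
    public void disableFilter() {
        if (!hasAdminRole(this.authService.getRoles())) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Disabling security access filter.");
            }
            setAccessFilterEnabled(false);
        }
        setScopeFilterEnabled(false);
    }

    /**
     * Switches the scope filter on or off. The filter is only ever enabled for users the
     * configuration service reports as scope-only; for everyone else it is disabled even
     * when {@code enabled} is {@code true}.
     *
     * @param enabled whether the filter is requested
     */
    private void setScopeFilterEnabled(boolean enabled) {
        String username = this.authService.getUsername();
        boolean scopeOnly = getConfigurationService().isScopeOnly(username);
        if (enabled && scopeOnly) {
            getHibernateTemplate().enableFilter(SCOPE_FILTER)
                    .setParameter("scopeId", getConfigurationService().getScopeId(username));
        } else {
            getHibernateTemplate().execute(new HibernateCallback() {
                public Object doInHibernate(Session session) throws HibernateException, SQLException {
                    session.disableFilter(SCOPE_FILTER);
                    return null;
                }
            });
        }
    }

    /**
     * Switches the read-access filter on or off, binding the current user's roles when
     * enabling it.
     *
     * @param enabled whether the filter should be active
     */
    private void setAccessFilterEnabled(boolean enabled) {
        if (enabled) {
            getHibernateTemplate().enableFilter(ACCESS_FILTER)
                    .setParameterList("currentRoles", getConfigurationService().getRoles(this.authService.getUsername()))
                    .setParameter("readAllowed", Boolean.TRUE);
        } else {
            getHibernateTemplate().execute(new HibernateCallback() {
                public Object doInHibernate(Session session) throws HibernateException, SQLException {
                    session.disableFilter(ACCESS_FILTER);
                    return null;
                }
            });
        }
    }

    /**
     * Deletes the element after verifying the current user may write it.
     *
     * @param cnATreeElement the element to delete
     * @throws SecurityException if the current user has no write permission
     */
    @Override
    public void delete(CnATreeElement cnATreeElement) {
        checkRights(cnATreeElement);
        super.delete(cnATreeElement);
    }

    /**
     * Merges the element without an explicit rights check in this class.
     *
     * <p>NOTE(review): whether {@code TreeElementDao.merge(T)} routes through
     * {@link #merge(CnATreeElement, boolean)} (and therefore through
     * {@link #checkRights(CnATreeElement)}) is not visible here — confirm before relying
     * on this overload for access control.
     *
     * @param cnATreeElement the element to merge
     * @return the merged element
     */
    @Override
    public CnATreeElement merge(CnATreeElement cnATreeElement) {
        return super.merge(cnATreeElement);
    }

    /**
     * Merges the element; persisted elements (those with a db id) are rights-checked first.
     *
     * @param cnATreeElement the element to merge
     * @param z flag forwarded unchanged to the superclass
     * @return the merged element
     * @throws SecurityException if the element is persisted and the user may not write it
     */
    @Override
    public CnATreeElement merge(CnATreeElement cnATreeElement, boolean z) {
        if (cnATreeElement.getDbId() != null) {
            checkRights(cnATreeElement);
        }
        return super.merge(cnATreeElement, z);
    }

    /**
     * Verifies that {@code str} (a username) may write {@code cnATreeElement}.
     * Nothing is checked when permission handling is switched off or the user is the
     * configured admin user.
     *
     * @param cnATreeElement the element about to be written
     * @param str the username to check
     * @throws SecurityException if the user has no write permission for the element
     */
    @Override
    public void checkRights(CnATreeElement cnATreeElement, String str) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Checking rights for entity: " + cnATreeElement + " and username: " + str);
        }
        if (isPermissionHandlingNeeded(str)) {
            enforceWritePermission(cnATreeElement, str);
        }
    }

    /**
     * Verifies write permission for the current user.
     *
     * @param cnATreeElement the element about to be written
     * @throws SecurityException if the current user has no write permission
     */
    @Override
    public void checkRights(CnATreeElement cnATreeElement) {
        checkRights(cnATreeElement, getAuthService().getUsername());
    }

    /**
     * Enforces the write-permission rules for one element: non-admin users need a
     * {@code Permission} row with {@code writeAllowed} for one of their roles, and
     * scope-only users may additionally only write elements of their own scope.
     * Every failure path throws; a missing or empty role set is treated as "no permission"
     * rather than being dereferenced.
     *
     * @param element the element about to be written
     * @param username the user to check
     * @throws SecurityException if any rule denies the write
     */
    private void enforceWritePermission(CnATreeElement element, String username) {
        String[] roles = getDynamicRoles(username);
        if (roles == null) {
            // Fail closed: without a resolvable role set no permission row can match.
            LOG.error("Role array is null for user: " + username);
            throw denied(element, username);
        }
        if (!hasAdminRole(roles)) {
            if (roles.length == 0) {
                // An empty IN list is not valid HQL, and no role means no permission anyway.
                throw denied(element, username);
            }
            // Bind each role as a positional parameter instead of quoting role names into
            // the query text; string-built IN lists depend on escaping every quote correctly.
            String hql = "select p.dbId from Permission p where p.cnaTreeElement.dbId = ? and p.role in ("
                    + placeholders(roles.length) + ") and p.writeAllowed = ?";
            Object[] params = new Object[roles.length + 2];
            params[0] = element.getDbId();
            System.arraycopy(roles, 0, params, 1, roles.length);
            params[params.length - 1] = Boolean.TRUE;
            if (LOG.isDebugEnabled()) {
                LOG.debug("checkRights, hql: " + hql);
                LOG.debug("checkRights, entity db-id: " + element.getDbId());
            }
            List<?> permissionIds = getPermissionDao().findByQuery(hql, params);
            if (LOG.isDebugEnabled()) {
                LOG.debug("checkRights, permission ids: ");
                if (permissionIds != null) {
                    for (Object id : permissionIds) {
                        LOG.debug(id);
                    }
                }
            }
            // Short-circuit '||' so a null result is reported as "denied", not as an NPE.
            if (permissionIds == null || permissionIds.isEmpty()) {
                throw denied(element, username);
            }
        }
        if (isScopeOnly(username)
                && !sameScope(element.getScopeId(), getConfigurationService().getScopeId(username))) {
            throw denied(element, username);
        }
    }

    /**
     * Builds the comma-separated {@code ?} list for an HQL {@code in (...)} clause.
     *
     * @param count number of placeholders, must be positive
     * @return e.g. {@code "?,?,?"} for {@code count == 3}
     */
    private static String placeholders(int count) {
        StringBuilder sb = new StringBuilder(count * 2);
        for (int i = 0; i < count; i++) {
            if (i > 0) {
                sb.append(',');
            }
            sb.append('?');
        }
        return sb.toString();
    }

    /**
     * Null-safe scope comparison; an element without a scope id never matches, so a
     * scope-only user is denied rather than the check failing with an NPE.
     */
    private static boolean sameScope(Object elementScopeId, Object userScopeId) {
        return elementScopeId != null && elementScopeId.equals(userScopeId);
    }

    /**
     * Logs and builds the exception raised for a denied write.
     *
     * @return the exception to throw (the caller throws it so the compiler can see the exit)
     */
    private static SecurityException denied(CnATreeElement element, String username) {
        String message = "User: " + username + " has no right to write CnATreeElement with id: " + element.getDbId();
        LOG.warn(message);
        return new SecurityException(message);
    }

    /**
     * @return {@code true} when permission handling is active and {@code str} is not the
     *         configured admin username
     */
    private boolean isPermissionHandlingNeeded(String str) {
        return getAuthService().isPermissionHandlingNeeded() && !getAuthService().getAdminUsername().equals(str);
    }

    private boolean isScopeOnly(String str) {
        return getConfigurationService().isScopeOnly(str);
    }

    /**
     * @param strArr role names, may be {@code null}
     * @return {@code true} if {@code ROLE_ADMIN} is among the roles
     */
    private static boolean hasAdminRole(String[] strArr) {
        if (strArr == null) {
            return false;
        }
        for (String role : strArr) {
            if (ROLE_ADMIN.equals(role)) {
                return true;
            }
        }
        return false;
    }

    /** Roles resolved through the configuration service for the given username. */
    private String[] getDynamicRoles(String str) {
        return getConfigurationService().getRoles(str);
    }

    public void setAuthService(IAuthService iAuthService) {
        this.authService = iAuthService;
    }

    public IAuthService getAuthService() {
        return this.authService;
    }

    public void setConfigurationDao(IBaseDao<Configuration, Integer> iBaseDao) {
        this.configurationDao = iBaseDao;
    }

    public IBaseDao<Configuration, Integer> getConfigurationDao() {
        return this.configurationDao;
    }

    public void setPermissionDao(IBaseDao<Permission, Integer> iBaseDao) {
        this.permissionDao = iBaseDao;
    }

    public IBaseDao<Permission, Integer> getPermissionDao() {
        return this.permissionDao;
    }

    public IConfigurationService getConfigurationService() {
        return this.configurationService;
    }

    public void setConfigurationService(IConfigurationService iConfigurationService) {
        this.configurationService = iConfigurationService;
    }
}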
