package org.openanzo.datasource.services;

import java.io.IOException;
import java.io.Writer;
import java.util.Collections;
import java.util.Iterator;
import java.util.Set;
import java.util.concurrent.CopyOnWriteArraySet;
import org.openanzo.cache.ICacheProvider;
import org.openanzo.datasource.IAuthorizationService;
import org.openanzo.datasource.ICacheResultListener;
import org.openanzo.datasource.IGraphRolesExtender;
import org.openanzo.datasource.services.BaseDatasource;
import org.openanzo.exceptions.AnzoException;
import org.openanzo.exceptions.ExceptionConstants;
import org.openanzo.rdf.Constants;
import org.openanzo.rdf.URI;
import org.openanzo.rdf.utils.AnzoCollections;
import org.openanzo.rdf.utils.UriGenerator;
import org.openanzo.services.IAuthorizationEventListener;
import org.openanzo.services.IOperationContext;
import org.openanzo.services.Privilege;
import org.openanzo.services.serialization.IValueSetHandler;
import org.openanzo.services.serialization.WriterURIValueSetHandler;

/* loaded from: input_file:org/openanzo/datasource/services/BaseAuthorizationService.class */
public abstract class BaseAuthorizationService<T extends BaseDatasource<T>> extends BaseDatasourceComponent<T> implements IAuthorizationService<T> {
    protected CachedAuthorizationServiceStats stats;
    protected final AuthorizationCache cache;
    protected CopyOnWriteArraySet<IGraphRolesExtender> roleExtenders;

    protected BaseAuthorizationService(T t, ICacheProvider iCacheProvider) {
        super(t);
        this.roleExtenders = new CopyOnWriteArraySet<>();
        this.cache = iCacheProvider != null ? new AuthorizationCache(t.getName(), iCacheProvider) : null;
    }

    @Override // org.openanzo.services.IStatisticsProvider
    public CachedAuthorizationServiceStats getStatistics() {
        return this.stats;
    }

    @Override // org.openanzo.services.IStatisticsProvider
    public String getName() {
        return String.valueOf(getDatasource().getName()) + ",Service=AuthorizationService";
    }

    @Override // org.openanzo.services.IStatisticsProvider
    public String getDescription() {
        return "Authorization Service for " + getDatasource().getName();
    }

    @Override // org.openanzo.services.impl.BaseServiceComponent, org.openanzo.datasource.IDatasourceComponent
    public void start() {
        super.start();
        this.stats = new CachedAuthorizationServiceStats(IAuthorizationService.GET_ROLES_FOR_GRAPH);
        this.stats.setServiceName("AuthorizationService");
        this.stats.setEnabled(true);
    }

    @Override // org.openanzo.datasource.IDatasourceComponent
    public void reset() throws AnzoException {
        this.stats.reset();
        if (this.cache != null) {
            this.cache.flushCache();
        }
    }

    @Override // org.openanzo.services.IBaseAuthorizationService
    public Set<URI> getRolesForGraph(IOperationContext iOperationContext, URI uri, Privilege privilege) throws AnzoException {
        long j = 0;
        if (this.stats.isEnabled()) {
            j = System.currentTimeMillis();
        }
        readLockInterruptibly();
        try {
            logEntry();
            return getRolesForGraph(iOperationContext, uri, privilege, true);
        } finally {
            if (this.stats.isEnabled()) {
                this.stats.use(IAuthorizationService.GET_ROLES_FOR_GRAPH, System.currentTimeMillis() - j);
            }
            readUnlock();
            logExit();
        }
    }

    public Set<URI> getRolesForGraph(IOperationContext iOperationContext, URI uri, Privilege privilege, boolean z) throws AnzoException {
        IOperationContext startOperation = startOperation(iOperationContext, false);
        try {
            try {
                if (uri == null) {
                    throw new AnzoException(ExceptionConstants.SERVER.MISSING_ARG, "namedGraphUri", IAuthorizationService.GET_ROLES_FOR_GRAPH);
                }
                if (privilege == null) {
                    throw new AnzoException(ExceptionConstants.SERVER.MISSING_ARG, "privilege", IAuthorizationService.GET_ROLES_FOR_GRAPH);
                }
                Set<URI> rolesForGraph = this.cache != null ? this.cache.getRolesForGraph(uri, privilege) : null;
                if (rolesForGraph == null) {
                    if (this.stats.isEnabled()) {
                        this.stats.getRolesForGraphCacheMiss.increment();
                    }
                    rolesForGraph = getRolesForGraphInternal(startOperation, uri, privilege);
                    if (this.cache != null) {
                        this.cache.cacheRolesForGraph(uri, privilege, rolesForGraph);
                    }
                } else if (this.stats.isEnabled()) {
                    this.stats.getRolesForGraphCacheHit.increment();
                }
                Iterator<IGraphRolesExtender> it = this.roleExtenders.iterator();
                while (it.hasNext()) {
                    rolesForGraph.addAll(it.next().getRolesForGraph(startOperation, uri, privilege));
                }
                if (!z || startOperation.getOperationPrincipal().isSysadmin() || uri.equals(Constants.GRAPHS.GRAPHS_DATASET) || uri.equals(Constants.GRAPHS.METADATA_GRAPHS_DATASET)) {
                    return rolesForGraph;
                }
                URI generateMetadataGraphUri = UriGenerator.isMetadataGraphUri(uri) ? uri : UriGenerator.generateMetadataGraphUri(uri);
                if (AnzoCollections.memberOf((privilege == Privilege.READ && generateMetadataGraphUri.equals(uri)) ? rolesForGraph : getRolesForGraph(startOperation, generateMetadataGraphUri, Privilege.READ, false), startOperation.getOperationPrincipal().getRoles())) {
                    if (this.auditLog != null) {
                        this.auditLog.graphAccess("AuthorizationService", getDatasource().getInstanceURI(), uri, startOperation);
                    }
                    return rolesForGraph;
                }
                if (!UriGenerator.isMetadataGraphUri(uri) && AnzoCollections.memberOf(rolesForGraph, startOperation.getOperationPrincipal().getRoles())) {
                    return Collections.singleton(startOperation.getOperationPrincipal().getUserURI());
                }
                if (this.auditLog != null) {
                    this.auditLog.graphAccessError("AuthorizationService", getDatasource().getInstanceURI(), uri, startOperation);
                }
                throw new AnzoException(ExceptionConstants.DATASOURCE.NO_READ_ERROR, generateMetadataGraphUri.toString());
            } catch (Error | RuntimeException e) {
                startOperation.setOperationHasRuntimeException();
                throw e;
            }
        } finally {
            startOperation.setComplete(true);
            endOperation(startOperation);
        }
    }

    private void getRolesForGraph(IOperationContext iOperationContext, URI uri, Privilege privilege, IValueSetHandler<URI> iValueSetHandler) throws AnzoException {
        try {
            iValueSetHandler.start();
            Iterator<URI> it = getRolesForGraph(iOperationContext, uri, privilege, true).iterator();
            while (it.hasNext()) {
                iValueSetHandler.handleValue(it.next());
            }
            iValueSetHandler.end();
        } catch (IOException e) {
            throw new AnzoException(ExceptionConstants.IO.WRITE_ERROR, e, new String[0]);
        }
    }

    @Override // org.openanzo.datasource.IAuthorizationService
    public void getRolesForGraph(IOperationContext iOperationContext, URI uri, Privilege privilege, Writer writer, String str) throws AnzoException {
        getRolesForGraph(iOperationContext, uri, privilege, new WriterURIValueSetHandler(writer, str));
    }

    protected abstract Set<URI> getRolesForGraphInternal(IOperationContext iOperationContext, URI uri, Privilege privilege) throws AnzoException;

    @Override // org.openanzo.datasource.services.BaseDatasourceComponent
    public ICacheResultListener getCacheResultListener() {
        return this.cache;
    }

    public IAuthorizationEventListener getAuthorizationEventListener() {
        return this.cache;
    }

    public void registerGraphRolesExtender(IGraphRolesExtender iGraphRolesExtender) {
        this.roleExtenders.add(iGraphRolesExtender);
    }

    public void unregisterGraphRolesExtender(IGraphRolesExtender iGraphRolesExtender) {
        this.roleExtenders.remove(iGraphRolesExtender);
    }
}
