package ch.elexis.admin;

import ch.elexis.core.data.service.ContextServiceHolder;
import ch.elexis.core.jdt.NonNull;
import ch.elexis.core.jdt.Nullable;
import ch.elexis.core.model.IRole;
import ch.elexis.core.model.IUser;
import ch.elexis.data.PersistentObject;
import ch.elexis.data.Role;
import ch.elexis.data.User;
import ch.rgw.tools.JdbcLink;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Iterator;
import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:ch/elexis/admin/RoleBasedAccessControl.class */
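/**
 * Access control implementation that answers permission requests by counting matching rows in
 * the {@code RIGHTS_PER_USER} and {@code RIGHTS_PER_ROLE} tables.
 *
 * <p>Every decision path denies by default: a {@code null} ACE, a missing active user, an empty
 * result set, and a failed query all yield {@code false}.
 */
public class RoleBasedAccessControl extends AbstractAccessControl {
    private static final Logger log = LoggerFactory.getLogger(RoleBasedAccessControl.class);

    // NOTE(review): both templates compare the id with LIKE, so any '%' or '_' inside an id acts
    // as a wildcard and could match rows belonging to another user or role. The templates are
    // public constants and are kept byte-identical here; confirm that ids can never contain
    // those characters, or switch to '=' after checking other users of these constants.
    public static final String QUERY_RIGHT_FOR_USER = "SELECT COUNT(*) FROM RIGHTS_PER_USER WHERE USER_ID LIKE %s AND (";
    public static final String QUERY_RIGHT_FOR_ROLE = "SELECT COUNT(*) FROM RIGHTS_PER_ROLE WHERE ROLE_ID LIKE %s AND (";

    /**
     * Checks whether the user holds the given right or one of its parent rights.
     *
     * @param user the user whose rights are looked up
     * @param ace the requested right
     * @return {@code true} if at least one matching row exists in {@code RIGHTS_PER_USER}
     */
    protected static boolean queryRightForUser(@NonNull User user, @NonNull ACE ace) {
        return queryRight(QUERY_RIGHT_FOR_USER, user.getWrappedId(), ace);
    }

    /**
     * Checks whether the role holds the given right or one of its parent rights.
     *
     * @param role the role whose rights are looked up
     * @param ace the requested right
     * @return {@code true} if at least one matching row exists in {@code RIGHTS_PER_ROLE}
     */
    protected static boolean queryRightForRole(Role role, ACE ace) {
        return queryRight(QUERY_RIGHT_FOR_ROLE, role.getWrappedId(), ace);
    }

    /**
     * Checks whether any of the given roles holds the right.
     *
     * @param list the roles to test; {@code null} is treated as "no roles"
     * @param ace the requested right
     * @return {@code true} as soon as one role grants the right, otherwise {@code false}
     */
    protected static boolean queryRightForRoles(List<IRole> list, @NonNull ACE ace) {
        if (list == null) {
            return false;
        }
        for (IRole candidate : list) {
            if (queryRightForRole(Role.load(candidate.getId()), ace)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Runs the rights lookup for one subject (user or role) and one ACE.
     *
     * <p>The statement text is assembled by string formatting rather than bound parameters, so
     * its safety rests on {@code wrappedId} and {@link JdbcLink#wrap} producing correctly quoted
     * literals — presumably they do; confirm against JdbcLink before passing any value that
     * originates outside the application.
     *
     * @param queryTemplate one of the {@code QUERY_RIGHT_FOR_*} templates
     * @param wrappedId the subject id, already wrapped for use in the statement
     * @param ace the requested right; its parent chain is included in the lookup
     * @return {@code true} only if the query succeeds and counts at least one row
     */
    private static boolean queryRight(String queryTemplate, String wrappedId, ACE ace) {
        List<ACE> chain = ace.getParentChainIncludingSelf();
        if (chain.isEmpty()) {
            // An empty chain would produce "AND ();", which is not valid SQL; deny directly.
            return false;
        }

        StringBuilder sql = new StringBuilder(String.format(queryTemplate, wrappedId));
        for (int i = 0; i < chain.size(); i++) {
            if (i > 0) {
                sql.append(" OR ");
            }
            sql.append(" RIGHT_ID = ").append(JdbcLink.wrap(chain.get(i).getUniqueHashFromACE()));
        }
        sql.append(");");

        JdbcLink.Stm statement = PersistentObject.getConnection().getStatement();
        try {
            ResultSet result = statement.query(sql.toString());
            return result.next() && result.getInt(1) > 0;
        } catch (SQLException e) {
            // Fail closed: an access decision that cannot be verified is a denial.
            log.error("Error querying access right ", e);
            return false;
        } finally {
            // Single release point, so the statement is handed back exactly once on every path.
            PersistentObject.getConnection().releaseStatement(statement);
        }
    }

    /**
     * Checks the right for the currently active user.
     *
     * @param ace the requested right; {@code null} is denied
     * @return {@code true} if access is granted
     */
    @Override // ch.elexis.admin.AbstractAccessControl
    public boolean request(@Nullable ACE ace) {
        return request((User) null, ace);
    }

    /**
     * Checks the right identified by its canonical name for the currently active user.
     *
     * @param str canonical name of the right; {@code null} or empty is denied
     * @return {@code true} if access is granted
     */
    @Override // ch.elexis.admin.AbstractAccessControl
    public boolean request(String str) {
        if (str == null || str.length() < 1) {
            return false;
        }
        return request(ACE.getACEByCanonicalName(str));
    }

    /**
     * Checks the right for the given user, falling back to the active user of the context.
     *
     * <p>Administrators are granted every right without a table lookup. An active user that is
     * not internal is evaluated through its roles instead of the per-user table.
     *
     * @param user the user to check, or {@code null} to use the active user
     * @param ace the requested right; {@code null} is denied
     * @return {@code true} if access is granted
     */
    @Override // ch.elexis.admin.AbstractAccessControl
    public boolean request(@Nullable User user, @Nullable ACE ace) {
        if (ace == null) {
            return false;
        }
        if (user == null) {
            IUser iUser = (IUser) ContextServiceHolder.get().getActiveUser().orElse(null);
            if (iUser == null) {
                // The Throwable is passed only so the log records the caller's stack trace.
                log.warn("ACE [{}]request on null user", ace, new Throwable());
                return false;
            }
            if (!iUser.isInternal()) {
                return iUser.isAdministrator() || queryRightForRoles(iUser.getRoles(), ace);
            }
            user = User.load(iUser.getId());
        }
        if (user.isAdministrator()) {
            return true;
        }
        return queryRightForUser(user, ace);
    }

    /**
     * Checks the right for a single role.
     *
     * @param role the role to check
     * @param ace the requested right; {@code null} is denied
     * @return {@code true} if the role holds the right
     */
    @Override // ch.elexis.admin.AbstractAccessControl
    public boolean request(@NonNull Role role, @Nullable ACE ace) {
        if (ace == null) {
            return false;
        }
        return queryRightForRole(role, ace);
    }

    /** Grants the right to the role by delegating to {@code Role.grantAccessRight}. */
    @Override // ch.elexis.admin.AbstractAccessControl
    public void grant(Role role, ACE ace) {
        role.grantAccessRight(ace);
    }

    /** Revokes the right from the role by delegating to {@code Role.revokeAccessRight}. */
    @Override // ch.elexis.admin.AbstractAccessControl
    public void revoke(Role role, ACE ace) {
        role.revokeAccessRight(ace);
    }

    /**
     * Grants the right to the role loaded from the given id.
     *
     * @param str the id passed to {@code Role.load}
     * @param ace the right to grant
     */
    @Override // ch.elexis.admin.AbstractAccessControl
    public void grant(String str, ACE ace) {
        grant(Role.load(str), ace);
    }
}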
