package rapture.kernel;

import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import org.apache.log4j.Logger;
import rapture.common.CallingContext;
import rapture.common.api.EntitlementApi;
import rapture.common.model.RaptureEntitlement;
import rapture.common.model.RaptureEntitlementGroup;
import rapture.series.children.PathConstants;

/* loaded from: input_file:rapture/kernel/EntitlementUtilLockoutChecker.class */
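/**
 * Guards changes to sensitive entitlements against self-lockout.
 *
 * <p>Each {@code can*} method answers whether the calling user would still reach a sensitive
 * entitlement (one whose path falls under {@code /admin/ent/} or {@code /admin/main/}) after the
 * proposed change. These checks only prevent lockout; they are not an authorization decision on
 * whether the caller may edit entitlements at all.
 *
 * <p>All lookups go through the {@link EntitlementApi} with the kernel user's context, so they do
 * not depend on what the caller is entitled to read.
 *
 * <p>Decompiler note: the constructor and the four {@code can*} methods were package-private in the
 * original class; the decompiler widened them to {@code public}.
 */
class EntitlementUtilLockoutChecker {
    /** Path prefixes whose entitlements are protected by the lockout checks. */
    private final Set<String> sensitiveEntitlementPaths = new HashSet<>();
    private final EntitlementApi api;
    static Logger log = Logger.getLogger(EntitlementUtilLockoutChecker.class);

    // Process-wide bypass: while true, giveFreePass() succeeds for every caller and so every
    // check in this class returns true. NOTE(review): the field is static and not synchronized;
    // confirm it is only toggled from trusted start-up or test code.
    private static boolean raptureInternalsMode = false;

    /**
     * Creates a checker that protects the {@code /admin/ent/} and {@code /admin/main/} subtrees.
     *
     * @param entitlementApi API used to look up entitlements and entitlement groups
     */
    public EntitlementUtilLockoutChecker(EntitlementApi entitlementApi) {
        this.api = entitlementApi;
        this.sensitiveEntitlementPaths.add("/admin/ent/");
        this.sensitiveEntitlementPaths.add("/admin/main/");
    }

    /**
     * Enables or disables the process-wide bypass of all lockout checks.
     *
     * @param bool {@code true} to bypass the checks; {@code false} or {@code null} to enforce them
     */
    public static void setRaptureInternalsMode(Boolean bool) {
        // A null used to be stored as-is and then made every later check throw on unboxing.
        // Treat it as "not enabled" so the checks stay enforced.
        raptureInternalsMode = Boolean.TRUE.equals(bool);
    }

    /**
     * Reports whether an entitlement path lies under one of the protected prefixes.
     *
     * <p>The path is wrapped in leading and trailing separators before comparison, so
     * {@code admin/ent} is treated like {@code /admin/ent/}.
     *
     * @param str entitlement path; must not be {@code null}
     * @return {@code true} if the path starts with a protected prefix
     */
    Boolean isEntitlementSensitive(String str) {
        String path = str;
        if (!path.startsWith(PathConstants.PATH_SEPARATOR)) {
            path = PathConstants.PATH_SEPARATOR + path;
        }
        if (!path.endsWith(PathConstants.PATH_SEPARATOR)) {
            path = path + PathConstants.PATH_SEPARATOR;
        }
        // NOTE(review): the comparison is literal and case-sensitive, with no collapsing of
        // repeated separators or dot segments. This assumes entitlement names reach this method
        // already normalized the same way the entitlement lookup normalizes them - confirm, since
        // a spelling that the store resolves to /admin/... but that fails this prefix test would
        // skip the lockout check.
        for (String sensitivePrefix : this.sensitiveEntitlementPaths) {
            if (path.startsWith(sensitivePrefix)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Decides whether adding a group to an entitlement leaves the caller with access.
     *
     * @param callingContext context of the user requesting the change
     * @param str entitlement path
     * @param str2 name of the group being added; {@code null} is always allowed
     * @return {@code true} if the change may proceed
     */
    public Boolean canAddGroupToEntitlement(CallingContext callingContext, String str, String str2) {
        if (giveFreePass(callingContext) || !isEntitlementSensitive(str) || str2 == null) {
            return true;
        }
        // The caller keeps access if they are a member of the group being added.
        RaptureEntitlementGroup addedGroup = this.api.getEntitlementGroup(ContextFactory.getKernelUser(), str2);
        if (addedGroup != null && addedGroup.getUsers().contains(callingContext.getUser())) {
            return true;
        }
        // Otherwise they must already be covered by another group on the entitlement.
        RaptureEntitlement entitlement = this.api.getEntitlement(ContextFactory.getKernelUser(), str);
        if (entitlement != null) {
            return userHasAlternateAccess(callingContext.getUser(), str2, entitlement);
        }
        logLockoutProhibited(str, callingContext.getUser());
        return false;
    }

    /**
     * Decides whether removing a group from an entitlement leaves the caller with access.
     *
     * @param callingContext context of the user requesting the change
     * @param str entitlement path
     * @param str2 name of the group being removed
     * @return {@code true} if the change may proceed; {@code false} if it is denied, including
     *     when a sensitive entitlement cannot be found
     */
    public Boolean canRemoveGroupFromEntitlement(CallingContext callingContext, String str, String str2) {
        if (giveFreePass(callingContext) || !isEntitlementSensitive(str)) {
            return true;
        }
        RaptureEntitlement entitlement = this.api.getEntitlement(ContextFactory.getKernelUser(), str);
        if (entitlement == null) {
            // The lookup can miss (canAddGroupToEntitlement already handles that); previously
            // this path threw a NullPointerException. Deny and log, matching the add path.
            logLockoutProhibited(str, callingContext.getUser());
            return false;
        }
        // Removing the entitlement's sole group is allowed.
        // NOTE(review): presumably an entitlement with no groups is unrestricted - confirm.
        return isOnlyGroupForEntitlement(str2, entitlement)
                || userHasAlternateAccess(callingContext.getUser(), str2, entitlement);
    }

    /**
     * Decides whether deleting an entitlement group leaves the caller with access to every
     * sensitive entitlement that references the group.
     *
     * @param callingContext context of the user requesting the change
     * @param str name of the group being deleted
     * @return {@code true} if the change may proceed
     */
    public Boolean canDeleteEntitlementGroup(CallingContext callingContext, String str) {
        if (giveFreePass(callingContext)) {
            return true;
        }
        for (RaptureEntitlement entitlement : this.api.findEntitlementsByGroup(ContextFactory.getKernelUser(), str)) {
            if (isEntitlementSensitive(entitlement.getName())
                    && !isOnlyGroupForEntitlement(str, entitlement)
                    && !userHasAlternateAccess(callingContext.getUser(), str, entitlement)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Decides whether removing a user from an entitlement group is safe. Only self-removal is
     * examined; removing any other user is always allowed by this check.
     *
     * @param callingContext context of the user requesting the change
     * @param str name of the group the user is removed from
     * @param str2 name of the user being removed; must not be {@code null}
     * @return {@code true} if the change may proceed
     */
    public Boolean canRemoveUserFromEntitlementGroup(CallingContext callingContext, String str, String str2) {
        if (giveFreePass(callingContext) || !str2.equals(callingContext.getUser())) {
            return true;
        }
        for (RaptureEntitlement entitlement : this.api.findEntitlementsByGroup(ContextFactory.getKernelUser(), str)) {
            if (isEntitlementSensitive(entitlement.getName()) && !userHasAlternateAccess(str2, str, entitlement)) {
                return false;
            }
        }
        return true;
    }

    /** Returns whether {@code groupName} is the single group attached to the entitlement. */
    private Boolean isOnlyGroupForEntitlement(String groupName, RaptureEntitlement raptureEntitlement) {
        return raptureEntitlement.getGroups().size() == 1 && raptureEntitlement.getGroups().contains(groupName);
    }

    /**
     * Returns whether {@code userName} belongs to any group on the entitlement other than
     * {@code excludedGroup}. Logs a denial when no such group exists.
     */
    private Boolean userHasAlternateAccess(String userName, String excludedGroup, RaptureEntitlement raptureEntitlement) {
        for (String groupName : raptureEntitlement.getGroups()) {
            if (groupName.equals(excludedGroup)) {
                continue;
            }
            RaptureEntitlementGroup group = this.api.getEntitlementGroup(ContextFactory.getKernelUser(), groupName);
            // An entitlement can name a group that no longer resolves; such a group grants no
            // access, so skip it instead of failing with a NullPointerException.
            if (group != null && group.getUsers().contains(userName)) {
                return true;
            }
        }
        logLockoutProhibited(raptureEntitlement.getName(), userName);
        return false;
    }

    /**
     * Returns whether the checks are bypassed for this caller: either the process-wide
     * internals mode is on, or the context equals the kernel user's context.
     */
    private Boolean giveFreePass(CallingContext callingContext) {
        // NOTE(review): the kernel test relies on CallingContext.equals(); confirm that a context
        // built from request data cannot compare equal to the kernel context.
        return raptureInternalsMode || callingContext.equals(ContextFactory.getKernelUser());
    }

    /** Records a denied change in the log. */
    private void logLockoutProhibited(String entitlementName, String userName) {
        log.info("Lockout prohibited: changes to " + neutralizeForLog(entitlementName) + " must be performed by a user who will retain access after the change is complete. Attempt by user " + neutralizeForLog(userName) + " denied.");
    }

    /**
     * Replaces line breaks in a value before it is written to the log, so a caller-supplied
     * entitlement or user name cannot split this denial record into forged extra entries.
     */
    private static String neutralizeForLog(String value) {
        return String.valueOf(value).replace('\r', '_').replace('\n', '_');
    }
}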
