package com.orientechnologies.orient.core.metadata.security;

import com.orientechnologies.orient.core.db.document.ODatabaseDocument;
import com.orientechnologies.orient.core.db.record.OIdentifiable;
import com.orientechnologies.orient.core.exception.OConfigurationException;
import com.orientechnologies.orient.core.exception.OSecurityException;
import com.orientechnologies.orient.core.hook.ODocumentHookAbstract;
import com.orientechnologies.orient.core.hook.ORecordHook;
import com.orientechnologies.orient.core.metadata.schema.OImmutableClass;
import com.orientechnologies.orient.core.metadata.security.ORule;
import com.orientechnologies.orient.core.record.impl.ODocument;
import com.orientechnologies.orient.core.record.impl.ODocumentInternal;
import java.util.Set;
import org.fusesource.jansi.AnsiRenderer;

/* loaded from: input_file:WEB-INF/lib/orientdb-core-2.2.0.jar:com/orientechnologies/orient/core/metadata/security/ORestrictedAccessHook.class */
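/**
 * Record hook that enforces per-record access control on schema classes flagged as
 * "restricted".
 *
 * <p>Each restricted record carries ACL fields named by {@link ORestrictedOperation}
 * (the "allow all" field plus one field per operation). On create this hook stamps the
 * creating identity into the configured fields; on read, update and delete it asks
 * {@code OSecurity.isAllowed} whether the identities stored in those fields cover the
 * current user.
 *
 * <p>Points a deployer should be aware of, all visible in this class:
 * <ul>
 *   <li>Checks only run when a user is bound to the session
 *       ({@code database.getUser() != null}); a session without a user is not checked.</li>
 *   <li>A user holding READ on the {@code BYPASS_RESTRICTED} resource skips every check,
 *       including update and delete.</li>
 *   <li>Read denial is silent (the record is skipped); update/delete denial throws
 *       {@link OSecurityException}.</li>
 *   <li>Which identity is stamped on create is driven by the schema custom attributes
 *       {@code onCreate.fields} and {@code onCreate.identityType}, so whoever can alter the
 *       schema controls who is granted access to new records.</li>
 * </ul>
 */
public class ORestrictedAccessHook extends ODocumentHookAbstract {
    /** Schema custom attribute: comma-separated ACL field names to stamp on create. */
    private static final String ON_CREATE_FIELDS = "onCreate.fields";
    /** Schema custom attribute: which identity to stamp on create ("user" or "role"). */
    private static final String ON_CREATE_IDENTITY_TYPE = "onCreate.identityType";
    private static final String IDENTITY_TYPE_USER = "user";
    private static final String IDENTITY_TYPE_ROLE = "role";
    /** Separator for {@code onCreate.fields}; a plain comma, no console-rendering library needed. */
    private static final String FIELD_LIST_SEPARATOR = ",";

    /**
     * @param oDatabaseDocument the database whose records this hook guards; its bound user
     *                          is the subject of every check
     */
    public ORestrictedAccessHook(final ODatabaseDocument oDatabaseDocument) {
        super(oDatabaseDocument);
    }

    /**
     * The hook is registered for {@code BOTH} distributed execution modes, i.e. it is not
     * limited to a single side of a distributed operation (exact semantics are defined by
     * {@link ORecordHook.DISTRIBUTED_EXECUTION_MODE}, not here).
     */
    @Override
    public ORecordHook.DISTRIBUTED_EXECUTION_MODE getDistributedExecutionMode() {
        return ORecordHook.DISTRIBUTED_EXECUTION_MODE.BOTH;
    }

    /**
     * Stamps the creating identity into the record's ACL fields when the record's class is
     * restricted.
     *
     * <p>The fields written come from {@code onCreate.fields} (default: the "allow all"
     * field); the identity written is the current user, or one of its roles when
     * {@code onCreate.identityType} is {@code "role"}.
     *
     * @return {@code RECORD_CHANGED} when at least one ACL field was stamped, otherwise
     *         {@code RECORD_NOT_CHANGED}
     * @throws OConfigurationException if {@code onCreate.identityType} is neither
     *         {@code "user"} nor {@code "role"}
     */
    @Override
    public ORecordHook.RESULT onRecordBeforeCreate(final ODocument oDocument) {
        final OImmutableClass cls = ODocumentInternal.getImmutableSchemaClass(oDocument);
        if (cls == null || !cls.isRestricted()) {
            return ORecordHook.RESULT.RECORD_NOT_CHANGED;
        }

        final OIdentifiable owner = resolveOwnerIdentity(cls);
        if (owner == null) {
            // Nothing to stamp: no user is bound to the session, or the user has no role.
            // The record is created without any ACL entry from this hook.
            return ORecordHook.RESULT.RECORD_NOT_CHANGED;
        }

        boolean changed = false;
        for (final String rawName : configuredAclFields(cls).split(FIELD_LIST_SEPARATOR)) {
            // Trim so "a, b" does not silently write a field named " b" that isAllowed()
            // never consults; blank entries (e.g. a trailing comma) are skipped.
            final String fieldName = rawName.trim();
            if (fieldName.isEmpty()) {
                continue;
            }
            this.database.getMetadata().getSecurity().allowIdentity(oDocument, fieldName, owner);
            changed = true;
        }
        return changed ? ORecordHook.RESULT.RECORD_CHANGED : ORecordHook.RESULT.RECORD_NOT_CHANGED;
    }

    /**
     * Reads {@code onCreate.fields} from the class, falling back to the "allow all" field
     * name when the attribute is absent.
     */
    private static String configuredAclFields(final OImmutableClass cls) {
        final String configured = cls.getCustom(ON_CREATE_FIELDS);
        return configured != null ? configured : ORestrictedOperation.ALLOW_ALL.getFieldName();
    }

    /**
     * Resolves the identity to stamp on a new record according to
     * {@code onCreate.identityType}.
     *
     * @return the current user's identity, or one of its roles' identity, or {@code null}
     *         when no user is bound (or the user has no roles)
     * @throws OConfigurationException for an unsupported identity type
     */
    private OIdentifiable resolveOwnerIdentity(final OImmutableClass cls) {
        String identityType = cls.getCustom(ON_CREATE_IDENTITY_TYPE);
        if (identityType == null) {
            identityType = IDENTITY_TYPE_USER;
        }

        if (IDENTITY_TYPE_USER.equals(identityType)) {
            final OSecurityUser user = this.database.getUser();
            return user == null ? null : user.getIdentity();
        }

        if (IDENTITY_TYPE_ROLE.equals(identityType)) {
            // Guard the user like the "user" branch does instead of dereferencing it blindly
            // (the unguarded call would throw a NullPointerException for a session without a user).
            final OSecurityUser user = this.database.getUser();
            if (user == null) {
                return null;
            }
            final Set<? extends OSecurityRole> roles = user.getRoles();
            if (roles == null || roles.isEmpty()) {
                return null;
            }
            // A user with several roles gets whichever role the Set yields first; which one
            // that is depends on the Set implementation, so multi-role users should not rely
            // on a particular role being stamped.
            return roles.iterator().next().getIdentity();
        }

        throw new OConfigurationException("Wrong custom field 'onCreate.identityType' in class '" + cls.getName()
                + "' with value '" + identityType + "'. Supported ones are: 'user', 'role'");
    }

    /**
     * Hides the record from the caller (returns {@code SKIP}) when the current user is not
     * allowed to read it. The in-memory document is checked as-is, since it was just loaded.
     */
    @Override
    public ORecordHook.RESULT onRecordBeforeRead(final ODocument oDocument) {
        if (isAllowed(oDocument, ORestrictedOperation.ALLOW_READ, false)) {
            return ORecordHook.RESULT.RECORD_NOT_CHANGED;
        }
        return ORecordHook.RESULT.SKIP;
    }

    /**
     * Rejects the update when the persisted ACL does not grant update to the current user.
     *
     * @throws OSecurityException if the update is not allowed
     */
    @Override
    public ORecordHook.RESULT onRecordBeforeUpdate(final ODocument oDocument) {
        if (!isAllowed(oDocument, ORestrictedOperation.ALLOW_UPDATE, true)) {
            throw new OSecurityException("Cannot update record " + oDocument.getIdentity() + ": the resource has restricted access");
        }
        return ORecordHook.RESULT.RECORD_NOT_CHANGED;
    }

    /**
     * Rejects the delete when the persisted ACL does not grant delete to the current user.
     *
     * @throws OSecurityException if the delete is not allowed
     */
    @Override
    public ORecordHook.RESULT onRecordBeforeDelete(final ODocument oDocument) {
        if (!isAllowed(oDocument, ORestrictedOperation.ALLOW_DELETE, true)) {
            throw new OSecurityException("Cannot delete record " + oDocument.getIdentity() + ": the resource has restricted access");
        }
        return ORecordHook.RESULT.RECORD_NOT_CHANGED;
    }

    /**
     * Decides whether the current user may perform {@code oRestrictedOperation} on the record.
     *
     * <p>Returns {@code true} without consulting the ACL when the record's class is not
     * restricted, when no user is bound to the session, or when the user holds READ on the
     * {@code BYPASS_RESTRICTED} resource. Otherwise the "allow all" field and the
     * operation-specific field are handed to {@code OSecurity.isAllowed}.
     *
     * @param oDocument            the record being accessed
     * @param oRestrictedOperation the operation whose ACL field is consulted
     * @param reloadStored         when {@code true}, the record is re-read by identity and
     *                             the ACL of that copy is checked instead of the caller's
     *                             in-memory document; fails closed if the reload yields nothing
     * @return {@code true} if access is granted
     */
    @SuppressWarnings({"rawtypes", "unchecked"}) // field() is untyped; the sets are passed on as stored
    protected boolean isAllowed(final ODocument oDocument, final ORestrictedOperation oRestrictedOperation, final boolean reloadStored) {
        final OImmutableClass cls = ODocumentInternal.getImmutableSchemaClass(oDocument);
        if (cls == null || !cls.isRestricted()) {
            return true;
        }

        final OSecurityUser user = this.database.getUser();
        if (user == null) {
            // No subject to check against: restricted access is not enforced for this session.
            return true;
        }

        // Bypass: READ on the BYPASS_RESTRICTED resource waives the per-record ACL for every
        // operation handled here, not only reads.
        if (user.isRuleDefined(ORule.ResourceGeneric.BYPASS_RESTRICTED, null)
                && user.checkIfAllowed(ORule.ResourceGeneric.BYPASS_RESTRICTED, null, ORole.PERMISSION_READ) != null) {
            return true;
        }

        // Update/delete deliberately re-read the record so the ACL being checked is the one
        // persisted, not the in-memory copy the caller could have edited to grant itself access.
        // NOTE(review): whether database.load() can hand back the caller's own (dirty) cached
        // instance is not visible in this class - confirm the reload really sees the stored
        // ACL rather than the local cache / transaction copy, otherwise this protection is moot.
        final ODocument checked = reloadStored ? (ODocument) this.database.load(oDocument.getIdentity()) : oDocument;
        if (checked == null) {
            // Record not loadable (e.g. hidden by the read check, or gone): fail closed.
            return false;
        }

        return this.database.getMetadata().getSecurity().isAllowed(
                (Set) checked.field(ORestrictedOperation.ALLOW_ALL.getFieldName()),
                (Set) checked.field(oRestrictedOperation.getFieldName()));
    }
}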
