package org.kuali.coeus.elasticsearch;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.commons.collections4.CollectionUtils;
import org.joda.time.LocalDateTime;
import org.kuali.coeus.common.framework.auth.perm.DocumentLevelPermissionable;
import org.kuali.coeus.common.framework.unit.UnitService;
import org.kuali.coeus.elasticsearch.serializers.ElasticsearchDocumentSerializer;
import org.kuali.kra.infrastructure.Constants;
import org.kuali.rice.core.api.membership.MemberType;
import org.kuali.rice.coreservice.framework.parameter.ParameterService;
import org.kuali.rice.kim.api.group.GroupService;
import org.kuali.rice.kim.api.permission.PermissionService;
import org.kuali.rice.kim.api.role.RoleMembership;
import org.kuali.rice.kim.api.role.RoleService;
import org.springframework.beans.factory.annotation.Autowire;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Configurable;

@Configurable(autowire = Autowire.BY_TYPE)
/* loaded from: input_file:org/kuali/coeus/elasticsearch/ElasticsearchAccessControlServiceImpl.class */
public class ElasticsearchAccessControlServiceImpl implements ElasticsearchAccessControlService {
    private static final String DEFAULT_KIM_TYPE = "1";

    @Autowired
    private GroupService groupService;

    @Autowired
    private ParameterService parameterService;

    @Autowired
    private PermissionService permissionService;

    @Autowired
    private RoleService roleService;

    @Autowired
    private List<ElasticsearchDocumentSerializer> serializers;

    @Autowired
    private UnitService unitService;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/kuali/coeus/elasticsearch/ElasticsearchAccessControlServiceImpl$KimTypePartitionedRoleIds.class */
    public static final class KimTypePartitionedRoleIds {
        private final List<String> defaultRoleIds;
        private final List<String> qualifiedRoleIds;

        protected KimTypePartitionedRoleIds(List<String> list, List<String> list2) {
            this.defaultRoleIds = list;
            this.qualifiedRoleIds = list2;
        }

        public List<String> getDefaultRoleIds() {
            return this.defaultRoleIds;
        }

        public List<String> getQualifiedRoleIds() {
            return this.qualifiedRoleIds;
        }
    }

    @Override // org.kuali.coeus.elasticsearch.ElasticsearchAccessControlService
    public Set<String> getDocumentViewers(DocumentLevelPermissionable documentLevelPermissionable, Collection<String> collection) {
        if (documentLevelPermissionable == null || CollectionUtils.isEmpty(collection)) {
            return Collections.emptySet();
        }
        boolean booleanValue = this.parameterService.getParameterValueAsBoolean("KC-SYS", Constants.KC_ALL_PARAMETER_DETAIL_TYPE_CODE, ElasticsearchConstants.ELASTICSEARCH_INDEX_SKIP_DEFAULT_AND_UNIT_ROLES_PARAM, false).booleanValue();
        HashMap hashMap = new HashMap();
        hashMap.put(documentLevelPermissionable.getDocumentKey(), documentLevelPermissionable.getDocumentNumberForPermission());
        hashMap.put("documentNumber", documentLevelPermissionable.getDocumentNumber());
        if (!booleanValue) {
            hashMap.put("unitNumber", documentLevelPermissionable.getLeadUnitNumber());
        }
        KimTypePartitionedRoleIds roleIdsForPermissionPartitionedByDefaultKimType = getRoleIdsForPermissionPartitionedByDefaultKimType(documentLevelPermissionable.getNamespace(), collection);
        return (Set) Stream.concat(booleanValue ? Stream.empty() : this.roleService.getRoleMembers(roleIdsForPermissionPartitionedByDefaultKimType.getQualifiedRoleIds(), hashMap).stream(), this.roleService.getRoleMembers(roleIdsForPermissionPartitionedByDefaultKimType.getDefaultRoleIds(), Collections.emptyMap()).stream()).filter(this::isMembershipActive).flatMap(roleMembership -> {
            return getMembershipPrincipalIds(roleMembership.getType(), roleMembership.getMemberId(), new HashSet());
        }).collect(Collectors.toSet());
    }

    protected boolean isMembershipActive(RoleMembership roleMembership) {
        LocalDateTime now = LocalDateTime.now();
        LocalDateTime localDateTime = roleMembership.getActiveFromDate() != null ? roleMembership.getActiveFromDate().toLocalDateTime() : null;
        LocalDateTime localDateTime2 = roleMembership.getActiveToDate() != null ? roleMembership.getActiveToDate().toLocalDateTime() : null;
        return (localDateTime == null || localDateTime.isBefore(now)) && !(localDateTime2 != null && localDateTime2.isBefore(now));
    }

    protected Stream<String> getMembershipPrincipalIds(MemberType memberType, String str, Set<String> set) {
        if (memberType != MemberType.GROUP) {
            return Stream.of(str);
        }
        if (set.contains(str)) {
            return Stream.empty();
        }
        List members = this.groupService.getMembers(List.of(str));
        members.forEach(groupMember -> {
            set.add(groupMember.getMemberId());
        });
        return members.stream().flatMap(groupMember2 -> {
            return getMembershipPrincipalIds(groupMember2.getType(), groupMember2.getMemberId(), set);
        });
    }

    @Override // org.kuali.coeus.elasticsearch.ElasticsearchAccessControlService
    public Map<String, Set<String>> getViewableUnitsForUser(String str) {
        Set set = (Set) this.unitService.getUnits().stream().map((v0) -> {
            return v0.getUnitNumber();
        }).collect(Collectors.toSet());
        return (Map) this.serializers.stream().map(elasticsearchDocumentSerializer -> {
            return getUnitsForSerializer(elasticsearchDocumentSerializer, str, set);
        }).collect(org.kuali.coeus.sys.framework.util.CollectionUtils.entriesToMap());
    }

    protected Map.Entry<String, Set<String>> getUnitsForSerializer(ElasticsearchDocumentSerializer elasticsearchDocumentSerializer, String str, Set<String> set) {
        KimTypePartitionedRoleIds roleIdsForPermissionPartitionedByDefaultKimType = getRoleIdsForPermissionPartitionedByDefaultKimType(elasticsearchDocumentSerializer.getNamespace(), elasticsearchDocumentSerializer.getViewPermissions());
        return this.roleService.principalHasRole(str, roleIdsForPermissionPartitionedByDefaultKimType.getDefaultRoleIds(), Map.of()) ? org.kuali.coeus.sys.framework.util.CollectionUtils.entry(elasticsearchDocumentSerializer.getNamespace(), set) : org.kuali.coeus.sys.framework.util.CollectionUtils.entry(elasticsearchDocumentSerializer.getNamespace(), (Set) set.stream().filter(str2 -> {
            return this.roleService.principalHasRole(str, roleIdsForPermissionPartitionedByDefaultKimType.getQualifiedRoleIds(), Map.of("unitNumber", str2));
        }).collect(Collectors.toSet()));
    }

    protected KimTypePartitionedRoleIds getRoleIdsForPermissionPartitionedByDefaultKimType(String str, Collection<String> collection) {
        Set set = (Set) collection.stream().flatMap(str2 -> {
            return this.permissionService.getRoleIdsForPermission(str, str2).stream();
        }).collect(Collectors.toSet());
        List list = (List) this.roleService.getRoles(new ArrayList(set)).stream().filter(role -> {
            return "1".equals(role.getKimTypeId());
        }).map((v0) -> {
            return v0.getId();
        }).collect(Collectors.toList());
        return new KimTypePartitionedRoleIds(list, (List) set.stream().filter(str3 -> {
            return !list.contains(str3);
        }).collect(Collectors.toList()));
    }
}
