package org.kuali.rice.kew.doctype.service.impl;

import java.util.Iterator;
import java.util.List;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.kuali.rice.kew.docsearch.DocSearchDTO;
import org.kuali.rice.kew.doctype.DocumentTypeSecurity;
import org.kuali.rice.kew.doctype.SecurityAttribute;
import org.kuali.rice.kew.doctype.SecuritySession;
import org.kuali.rice.kew.doctype.service.DocumentSecurityService;
import org.kuali.rice.kew.routeheader.DocumentRouteHeaderValue;
import org.kuali.rice.kew.service.KEWServiceLocator;
import org.kuali.rice.kew.user.UserUtils;
import org.kuali.rice.kew.util.KEWConstants;
import org.kuali.rice.kew.web.KeyValue;
import org.kuali.rice.kew.web.session.Authentication;
import org.kuali.rice.kew.web.session.UserSession;
import org.kuali.rice.kim.bo.Group;
import org.kuali.rice.kim.bo.Person;
import org.kuali.rice.kim.bo.types.dto.AttributeSet;
import org.kuali.rice.kim.service.KIMServiceLocator;

/* loaded from: input_file:WEB-INF/lib/rice-impl-1.0.3.3.jar:org/kuali/rice/kew/doctype/service/impl/DocumentSecurityServiceImpl.class */
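/**
 * Decides whether a user may see a document in document search or view its route log.
 * <p>
 * The decision is made per document type: a type without an active
 * {@link DocumentTypeSecurity} is open to everyone; otherwise any configured
 * {@link SecurityAttribute} may give a definitive answer, and only when none does are the
 * standard checks (initiator, roles, workgroups, searchable attributes, route-log
 * participation) consulted. Any exception during the check is logged and treated as
 * "not authorized" (fail closed).
 * <p>
 * Intermediate answers (role and workgroup membership, loaded security configuration) are
 * memoized in the supplied {@link SecuritySession} so repeated checks within one search
 * do not hit the services again.
 */
public class DocumentSecurityServiceImpl implements DocumentSecurityService {
    public static final Logger LOG = Logger.getLogger(DocumentSecurityServiceImpl.class);

    /**
     * Document-search authorization: delegates to {@link #checkAuthorization} with the
     * document type, route header id and initiator taken from the search result row.
     */
    @Override
    public boolean docSearchAuthorized(UserSession userSession, DocSearchDTO docSearchDTO, SecuritySession securitySession) {
        return checkAuthorization(userSession, securitySession, docSearchDTO.getDocTypeName(),
                docSearchDTO.getRouteHeaderId(), docSearchDTO.getInitiatorWorkflowId());
    }

    /**
     * Route-log authorization: same rules as document search, with the inputs taken from
     * the route header.
     */
    @Override
    public boolean routeLogAuthorized(UserSession userSession, DocumentRouteHeaderValue documentRouteHeaderValue, SecuritySession securitySession) {
        return checkAuthorization(userSession, securitySession, documentRouteHeaderValue.getDocumentType().getName(),
                documentRouteHeaderValue.getRouteHeaderId(), documentRouteHeaderValue.getInitiatorWorkflowId());
    }

    /**
     * Core authorization check shared by document search and route log.
     *
     * @param userSession         the session of the user being authorized
     * @param securitySession     memoization cache for this search; {@code null} starts a fresh one
     * @param docTypeName         name of the document type whose security applies
     * @param routeHeaderId       id of the document being checked
     * @param initiatorPrincipalId principal id of the document's initiator
     * @return {@code true} if the user may see the document; {@code false} if denied or if
     *         the check itself failed
     */
    protected boolean checkAuthorization(UserSession userSession, SecuritySession securitySession,
            String docTypeName, Long routeHeaderId, String initiatorPrincipalId) {
        try {
            // Normalize once so every downstream step shares the same cache instead of only
            // getDocumentTypeSecurity() tolerating a null session.
            SecuritySession session = securitySession != null ? securitySession : new SecuritySession(userSession);
            DocumentTypeSecurity security = getDocumentTypeSecurity(userSession, docTypeName, session);
            if (security == null || !security.isActive() || isAdmin(session)) {
                return true;
            }
            // The first security attribute with a definite opinion wins; null means "no opinion".
            List<SecurityAttribute> attributes = security.getSecurityAttributes();
            if (attributes != null) {
                for (SecurityAttribute attribute : attributes) {
                    Boolean verdict = attribute.docSearchAuthorized(userSession.getPerson(), docTypeName, routeHeaderId, initiatorPrincipalId);
                    if (verdict != null) {
                        return verdict.booleanValue();
                    }
                }
            }
            return checkStandardAuthorization(security, userSession, docTypeName, routeHeaderId, initiatorPrincipalId, session);
        } catch (Exception e) {
            // Fail closed: an error while evaluating security must never grant access.
            LOG.warn("Not able to retrieve DocumentTypeSecurity from remote system for doctype: " + docTypeName, e);
            return false;
        }
    }

    /**
     * Whether the session's principal holds the unrestricted-document-search permission in
     * the "KR-WKFLW" namespace, which bypasses all per-document-type security.
     *
     * @return {@code false} when the security session carries no user session
     */
    protected boolean isAdmin(SecuritySession securitySession) {
        UserSession userSession = securitySession.getUserSession();
        if (userSession == null) {
            return false;
        }
        return KIMServiceLocator.getIdentityManagementService().isAuthorized(userSession.getPrincipalId(),
                "KR-WKFLW", KEWConstants.PermissionNames.UNRESTRICTED_DOCUMENT_SEARCH, new AttributeSet(), new AttributeSet());
    }

    /**
     * The standard (non-attribute) checks, in order: initiator, roles, workgroups,
     * searchable attributes, route-log participation. The first check that passes grants
     * access; if none passes the user is denied.
     *
     * @param documentTypeSecurity the active security configuration for the document type
     * @param userSession          the user being checked
     * @param docTypeName          document type name, used as the role-security cache key
     * @param routeHeaderId        id of the document
     * @param initiatorPrincipalId principal id of the document's initiator
     * @param securitySession      cache for role/workgroup results; must not be {@code null}
     */
    protected boolean checkStandardAuthorization(DocumentTypeSecurity documentTypeSecurity, UserSession userSession,
            String docTypeName, Long routeHeaderId, String initiatorPrincipalId, SecuritySession securitySession) {
        Person person = userSession.getPerson();
        String principalId = person.getPrincipalId();
        if (LOG.isDebugEnabled()) {
            LOG.debug("auth check user=" + principalId + " docId=" + routeHeaderId);
        }

        // 1. Initiator may always see their own document when the type allows it.
        if (Boolean.TRUE.equals(documentTypeSecurity.getInitiatorOk()) && StringUtils.equals(initiatorPrincipalId, principalId)) {
            return true;
        }

        // 2. Role security, memoized per document type in the security session.
        List<String> allowedRoles = documentTypeSecurity.getAllowedRoles();
        List<String> disallowedRoles = documentTypeSecurity.getDisallowedRoles();
        boolean rolesConfigured = (allowedRoles != null && !allowedRoles.isEmpty())
                || (disallowedRoles != null && !disallowedRoles.isEmpty());
        if (rolesConfigured) {
            Boolean cached = securitySession.getPassesRoleSecurity().get(docTypeName);
            boolean passesRoles;
            if (cached == null) {
                passesRoles = isRoleAuthenticated(allowedRoles, disallowedRoles, userSession, securitySession);
                securitySession.getPassesRoleSecurity().put(docTypeName, Boolean.valueOf(passesRoles));
            } else {
                passesRoles = cached.booleanValue();
            }
            if (passesRoles) {
                return true;
            }
        }

        // 3. Membership in any of the configured workgroups.
        List<Group> workgroups = documentTypeSecurity.getWorkgroups();
        if (workgroups != null) {
            for (Group group : workgroups) {
                if (isWorkgroupAuthenticated(group.getNamespaceCode(), group.getGroupName(), securitySession)) {
                    return true;
                }
            }
        }

        // 4. A searchable attribute on the document whose value identifies this user.
        List<KeyValue> searchableAttributes = documentTypeSecurity.getSearchableAttributes();
        if (searchableAttributes != null) {
            for (KeyValue keyValue : searchableAttributes) {
                String attributeKey = keyValue.getkey();
                String idValue = UserUtils.getIdValue(keyValue.getvalue(), person);
                if (!StringUtils.isEmpty(idValue)
                        && KEWServiceLocator.getRouteHeaderService().hasSearchableAttributeValue(routeHeaderId, attributeKey, idValue)) {
                    return true;
                }
            }
        }

        // 5. Route-log participation: initiated, acted on, or has a request for the document.
        if (Boolean.TRUE.equals(documentTypeSecurity.getRouteLogAuthenticatedOk())
                && (StringUtils.equals(initiatorPrincipalId, principalId)
                        || KEWServiceLocator.getActionTakenService().hasUserTakenAction(principalId, routeHeaderId)
                        || KEWServiceLocator.getActionRequestService().doesPrincipalHaveRequest(principalId, routeHeaderId))) {
            return true;
        }

        LOG.debug("user not authorized");
        return false;
    }

    /**
     * Loads the security configuration for a document type, memoized in the security
     * session so each type is looked up at most once per search.
     *
     * @param securitySession cache to consult; a new one is created when {@code null}
     * @return the configuration, or {@code null} if the type has none
     */
    protected DocumentTypeSecurity getDocumentTypeSecurity(UserSession userSession, String docTypeName, SecuritySession securitySession) {
        SecuritySession session = securitySession != null ? securitySession : new SecuritySession(userSession);
        DocumentTypeSecurity security = session.getDocumentTypeSecurity().get(docTypeName);
        if (security == null) {
            security = KEWServiceLocator.getDocumentTypeService().findByName(docTypeName).getDocumentTypeSecurity();
            // A null result is cached too, but the map lookup cannot distinguish it from
            // "not yet loaded", so such types are re-fetched on every call.
            session.getDocumentTypeSecurity().put(docTypeName, security);
        }
        return security;
    }

    /**
     * Whether the session's user belongs to the given group, memoized under
     * {@code "<namespace>:<name>"} (both trimmed) in the security session.
     */
    protected boolean isWorkgroupAuthenticated(String namespaceCode, String groupName, SecuritySession securitySession) {
        String cacheKey = namespaceCode.trim() + ":" + groupName.trim();
        Boolean cached = securitySession.getAuthenticatedWorkgroups().get(cacheKey);
        if (cached != null) {
            return cached.booleanValue();
        }
        boolean isMember = securitySession.getUserSession().isMemberOfGroupWithName(namespaceCode, groupName);
        securitySession.getAuthenticatedWorkgroups().put(cacheKey, Boolean.valueOf(isMember));
        return isMember;
    }

    /**
     * Role check against the authorities carried by the user session.
     * <p>
     * Passes if the user holds any allowed role. Otherwise passes only when no allowed
     * roles are configured at all and the user holds none of the disallowed roles.
     * Either list may be {@code null}, which is treated as empty (the caller may configure
     * only one of the two).
     */
    protected boolean isRoleAuthenticated(List<String> allowedRoles, List<String> disallowedRoles,
            UserSession userSession, SecuritySession securitySession) {
        boolean holdsDisallowed = false;
        boolean holdsAllowed = false;
        // Authentications may be a raw list; iterate as Object and cast, as the original did.
        for (Object auth : userSession.getAuthentications()) {
            String authority = ((Authentication) auth).getAuthority();
            if (disallowedRoles != null && disallowedRoles.contains(authority)) {
                holdsDisallowed = true;
            }
            if (allowedRoles != null && allowedRoles.contains(authority)) {
                holdsAllowed = true;
            }
        }
        if (holdsAllowed) {
            return true;
        }
        boolean noAllowedConfigured = allowedRoles == null || allowedRoles.isEmpty();
        return !holdsDisallowed && noAllowedConfigured;
    }
}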
