package org.kuali.kfs.krad.workflow.authorizer;

import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.kuali.kfs.coreservice.framework.CoreFrameworkServiceLocator;
import org.kuali.kfs.kew.api.KewApiConstants;
import org.kuali.kfs.kew.api.doctype.DocumentTypePolicy;
import org.kuali.kfs.kew.doctype.bo.DocumentType;
import org.kuali.kfs.kew.framework.document.security.AuthorizableAction;
import org.kuali.kfs.kew.framework.document.security.Authorization;
import org.kuali.kfs.kew.framework.document.security.DocumentTypeAuthorizer;
import org.kuali.kfs.kew.routeheader.DocumentRouteHeaderValue;
import org.kuali.kfs.kim.api.permission.PermissionService;
import org.kuali.kfs.kim.api.services.KimApiServiceLocator;
import org.kuali.kfs.kns.datadictionary.DocumentEntry;
import org.kuali.kfs.kns.datadictionary.MaintenanceDocumentEntry;
import org.kuali.kfs.kns.document.MaintenanceDocument;
import org.kuali.kfs.krad.document.Document;
import org.kuali.kfs.krad.service.KRADServiceLocatorWeb;
import org.kuali.kfs.krad.util.KRADUtils;
import org.kuali.kfs.sys.KFSConstants;

/* loaded from: input_file:WEB-INF/lib/kfs-core-2023-09-06.jar:org/kuali/kfs/krad/workflow/authorizer/CfDocumentTypeAuthorizer.class */
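/**
 * Decides whether a principal may perform a workflow action on a document by consulting KIM
 * permission templates through {@link PermissionService}, falling back to the document type's
 * "initiator must ..." policies.
 *
 * <p>Review notes on the default outcome of each check, as implemented below:
 * <ul>
 *   <li>{@link #canInitiate}, {@link #canRoute}, {@link #canCancel} and {@link #canSave} return
 *       {@code true} when no applicable permission is defined (or the KIM-priority parameter is
 *       explicitly {@code false}) and no initiator policy restricts the action. A missing
 *       permission definition therefore grants these actions rather than denying them.</li>
 *   <li>{@link #canRecall}, {@link #canBlanketApprove} and the super-user checks return
 *       {@code true} only on an explicit grant.</li>
 * </ul>
 *
 * <p>This source was produced by a decompiler: parameter names such as {@code str} and {@code z}
 * are generated, and several literals are presumably inlined constants.
 */
public class CfDocumentTypeAuthorizer implements DocumentTypeAuthorizer {
    private static final Logger LOG = LogManager.getLogger();

    // Route status codes that this class maps to the "PreRoute" node.
    // NOTE(review): presumably KEW's "initiated" and "saved" statuses; confirm against KewApiConstants.
    private static final String ROUTE_STATUS_INITIATED = "I";
    private static final String ROUTE_STATUS_SAVED = "S";
    private static final String PRE_ROUTE_NODE_NAME = "PreRoute";

    /**
     * Dispatches an authorization request to the matching {@code can...} check.
     *
     * @param authorizableAction the action being checked; its {@code type} (and, for
     *     {@code ACTION}, its {@code workflowAction}) selects the check
     * @param str the principal ID to authorize
     * @param documentType the document type, used by initiation and super-user checks
     * @param documentRouteHeaderValue the document, used by the per-document action checks
     * @param map extra arguments; the super-user checks read {@code ROUTENODE_NAMES} and
     *     {@code DOCSTATUS} from it, so it must not be {@code null} for those actions
     * @return the authorization decision wrapped in an {@link Authorization}
     * @throws RuntimeException if the action type or workflow action is not handled here
     */
    @Override // org.kuali.kfs.kew.framework.document.security.DocumentTypeAuthorizer
    public Authorization isActionAuthorized(AuthorizableAction authorizableAction, String str, DocumentType documentType, DocumentRouteHeaderValue documentRouteHeaderValue, Map<DocumentTypeAuthorizer.ActionArgument, Object> map) {
        switch (authorizableAction.type) {
            case INITIATION:
                return new Authorization(canInitiate(str, documentType));
            case SU_APPROVE_ACTION_REQUEST:
                return new Authorization(canSuperUserApproveSingleActionRequest(str, documentType, routeNodeNamesArgument(map), docStatusArgument(map)));
            case ACTION:
                switch (authorizableAction.workflowAction) {
                    case BLANKET_APPROVE:
                        return new Authorization(canBlanketApprove(str, documentRouteHeaderValue));
                    case SU_APPROVE:
                        return new Authorization(canSuperUserApproveDocument(str, documentType, routeNodeNamesArgument(map), docStatusArgument(map)));
                    case SU_DISAPPROVE:
                        return new Authorization(canSuperUserDisapproveDocument(str, documentType, routeNodeNamesArgument(map), docStatusArgument(map)));
                    case CANCEL:
                        return new Authorization(canCancel(str, documentRouteHeaderValue));
                    case RECALL:
                        return new Authorization(canRecall(str, documentRouteHeaderValue));
                    case ROUTE:
                        return new Authorization(canRoute(str, documentRouteHeaderValue));
                    case SAVE:
                        return new Authorization(canSave(str, documentRouteHeaderValue));
                    default:
                        // Unhandled actions fail with an exception rather than a silent grant.
                        throw new RuntimeException("Unknown document action check");
                }
            default:
                throw new RuntimeException("Unknown authorization check");
        }
    }

    /** Reads the {@code ROUTENODE_NAMES} argument; the value may be {@code null} if absent. */
    @SuppressWarnings("unchecked") // the argument map is untyped; callers supply a Collection of node names
    private static Collection<String> routeNodeNamesArgument(Map<DocumentTypeAuthorizer.ActionArgument, Object> map) {
        return (Collection<String>) map.get(DocumentTypeAuthorizer.ActionArgument.ROUTENODE_NAMES);
    }

    /** Reads the {@code DOCSTATUS} argument; the value may be {@code null} if absent. */
    private static String docStatusArgument(Map<DocumentTypeAuthorizer.ActionArgument, Object> map) {
        return (String) map.get(DocumentTypeAuthorizer.ActionArgument.DOCSTATUS);
    }

    /**
     * Checks whether a principal may initiate a document of the given type.
     *
     * <p>Returns {@code true} without consulting KIM when {@link #useKimPermission} reports that
     * no "Initiate Document" permission applies, so an undefined permission allows initiation.
     * The lookup uses the {@code "KFS-SYS"} namespace, unlike the other checks in this class.
     *
     * @param str the principal ID
     * @param documentType the document type to initiate
     * @return whether initiation is allowed
     * @throws IllegalArgumentException if the principal ID is blank or the type is {@code null}
     */
    public boolean canInitiate(String str, DocumentType documentType) {
        validatePrincipalId(str);
        validateDocumentType(documentType);
        Map<String, String> permissionDetails = buildDocumentTypePermissionDetails(documentType, null, null, null);
        if (useKimPermission("KFS-SYS", "Initiate Document", permissionDetails, true)) {
            return getPermissionService().isAuthorizedByTemplate(str, "KFS-SYS", "Initiate Document", permissionDetails, new HashMap<>());
        }
        // No applicable KIM permission: initiation is open to any non-blank principal.
        return true;
    }

    /**
     * Checks whether a principal may route the document.
     *
     * <p>When the {@code INITIATOR_MUST_ROUTE} policy is not defined on the document type and a
     * "Route Document" permission applies, the KIM decision is final. Otherwise the initiator
     * policy value decides, and if that policy is off the method returns {@code true}.
     *
     * @param str the principal ID
     * @param documentRouteHeaderValue the document being routed
     * @return whether routing is allowed
     * @throws IllegalArgumentException if any validated input is missing or invalid
     */
    public boolean canRoute(String str, DocumentRouteHeaderValue documentRouteHeaderValue) {
        validatePrincipalId(str);
        validateDocument(documentRouteHeaderValue);
        DocumentType documentType = documentRouteHeaderValue.getDocumentType();
        String docRouteStatus = documentRouteHeaderValue.getDocRouteStatus();
        String initiatorWorkflowId = documentRouteHeaderValue.getInitiatorWorkflowId();
        validateDocumentType(documentType);
        validateDocumentStatus(docRouteStatus);
        validatePrincipalId(initiatorWorkflowId);
        if (!documentType.isPolicyDefined(DocumentTypePolicy.INITIATOR_MUST_ROUTE)) {
            Map<String, String> permissionDetails = buildDocumentTypePermissionDetails(documentType, docRouteStatus, null, null);
            Map<String, String> roleQualifiers = buildDocumentRoleQualifiers(documentRouteHeaderValue, permissionDetails.get("routeNodeName"));
            LOG.debug("Permission details values: {}", permissionDetails);
            LOG.debug("Role qualifiers values: {}", roleQualifiers);
            if (useKimPermission(KFSConstants.CoreModuleNamespaces.WORKFLOW, "Route Document", permissionDetails, true)) {
                return getPermissionService().isAuthorizedByTemplate(str, KFSConstants.CoreModuleNamespaces.WORKFLOW, "Route Document", permissionDetails, roleQualifiers);
            }
        }
        if (documentType.getInitiatorMustRoutePolicy().getPolicyValue().booleanValue()) {
            return executeInitiatorPolicyCheck(str, initiatorWorkflowId, docRouteStatus);
        }
        // Neither a KIM permission nor the initiator policy restricted the action.
        return true;
    }

    /**
     * Checks the super-user "approve single action request" permission for any of the nodes.
     *
     * @param str the principal ID
     * @param documentType the document type
     * @param collection route node names; must not be {@code null}
     * @param str2 the route status code placed in the permission details
     * @return {@code true} only if the permission is granted for at least one node
     */
    protected boolean canSuperUserApproveSingleActionRequest(String str, DocumentType documentType, Collection<String> collection, String str2) {
        return isSuperUserAuthorizedForAnyNode(str, documentType, collection, str2, KewApiConstants.SUPER_USER_APPROVE_SINGLE_ACTION_REQUEST);
    }

    /**
     * Checks the super-user "approve document" permission for any of the nodes.
     *
     * @param str the principal ID
     * @param documentType the document type
     * @param collection route node names; must not be {@code null}
     * @param str2 the route status code placed in the permission details
     * @return {@code true} only if the permission is granted for at least one node
     */
    protected boolean canSuperUserApproveDocument(String str, DocumentType documentType, Collection<String> collection, String str2) {
        return isSuperUserAuthorizedForAnyNode(str, documentType, collection, str2, KewApiConstants.SUPER_USER_APPROVE_DOCUMENT);
    }

    /**
     * Checks the super-user "disapprove document" permission for any of the nodes.
     *
     * @param str the principal ID
     * @param documentType the document type
     * @param collection route node names; must not be {@code null}
     * @param str2 the route status code placed in the permission details
     * @return {@code true} only if the permission is granted for at least one node
     */
    protected boolean canSuperUserDisapproveDocument(String str, DocumentType documentType, Collection<String> collection, String str2) {
        return isSuperUserAuthorizedForAnyNode(str, documentType, collection, str2, KewApiConstants.SUPER_USER_DISAPPROVE_DOCUMENT);
    }

    /**
     * Shared body of the three super-user checks: validates the inputs, builds one permission
     * details map per node and asks KIM about each until one grants the given template.
     * Denies by default; there is no fallback that returns {@code true}.
     */
    private boolean isSuperUserAuthorizedForAnyNode(String principalId, DocumentType documentType, Collection<String> routeNodeNames, String routeStatusCode, String permissionTemplateName) {
        validatePrincipalId(principalId);
        validateDocumentType(documentType);
        List<Map<String, String>> detailsPerNode = buildDocumentTypePermissionDetailsForNodes(documentType, routeNodeNames, routeStatusCode, null);
        PermissionService permissionService = getPermissionService();
        for (Map<String, String> permissionDetails : detailsPerNode) {
            // A fresh, empty qualifier map is passed for every call, as in the original code.
            if (permissionService.isAuthorizedByTemplate(principalId, KFSConstants.CoreModuleNamespaces.WORKFLOW, permissionTemplateName, permissionDetails, new HashMap<>())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks whether a principal may cancel the document.
     *
     * <p>When the {@code INITIATOR_MUST_CANCEL} policy is not defined, each current node is
     * checked against the "Cancel Document" permission: a grant on any node allows the action,
     * and if at least one node had an applicable permission but none granted it, the action is
     * denied. If no permission applied at all, the initiator policy value decides, and if that
     * policy is off the method returns {@code true}.
     *
     * @param str the principal ID
     * @param documentRouteHeaderValue the document being cancelled
     * @return whether cancelling is allowed
     * @throws IllegalArgumentException if any validated input is missing or invalid
     */
    public boolean canCancel(String str, DocumentRouteHeaderValue documentRouteHeaderValue) {
        validatePrincipalId(str);
        validateDocument(documentRouteHeaderValue);
        DocumentType documentType = documentRouteHeaderValue.getDocumentType();
        String docRouteStatus = documentRouteHeaderValue.getDocRouteStatus();
        String initiatorWorkflowId = documentRouteHeaderValue.getInitiatorWorkflowId();
        List<String> currentNodeNames = documentRouteHeaderValue.getCurrentNodeNames();
        validateDocumentType(documentType);
        validateRouteNodeNames(currentNodeNames);
        validateDocumentStatus(docRouteStatus);
        validatePrincipalId(initiatorWorkflowId);
        if (!documentType.isPolicyDefined(DocumentTypePolicy.INITIATOR_MUST_CANCEL)) {
            boolean foundApplicablePermission = false;
            for (Map<String, String> permissionDetails : buildDocumentTypePermissionDetailsForNodes(documentType, currentNodeNames, docRouteStatus, null)) {
                Map<String, String> roleQualifiers = buildDocumentRoleQualifiers(documentRouteHeaderValue, permissionDetails.get("routeNodeName"));
                if (useKimPermission(KFSConstants.CoreModuleNamespaces.WORKFLOW, "Cancel Document", permissionDetails, true)) {
                    foundApplicablePermission = true;
                    if (getPermissionService().isAuthorizedByTemplate(str, KFSConstants.CoreModuleNamespaces.WORKFLOW, "Cancel Document", permissionDetails, roleQualifiers)) {
                        return true;
                    }
                }
            }
            if (foundApplicablePermission) {
                // A permission exists for this document but was not granted: deny.
                return false;
            }
        }
        if (documentType.getInitiatorMustCancelPolicy().getPolicyValue().booleanValue()) {
            return executeInitiatorPolicyCheck(str, initiatorWorkflowId, docRouteStatus);
        }
        // Neither a KIM permission nor the initiator policy restricted the action.
        return true;
    }

    /**
     * Checks whether a principal may recall the document.
     *
     * <p>Recall is deny-by-default: the method returns {@code true} only when a recall
     * permission is defined for one of the current nodes and KIM grants it to the principal.
     * The application document status, when present, is added to every permission details map.
     *
     * @param str the principal ID
     * @param documentRouteHeaderValue the document being recalled
     * @return {@code true} only on an explicit grant
     * @throws IllegalArgumentException if any validated input is missing or invalid
     */
    public boolean canRecall(String str, DocumentRouteHeaderValue documentRouteHeaderValue) {
        validatePrincipalId(str);
        validateDocument(documentRouteHeaderValue);
        DocumentType documentType = documentRouteHeaderValue.getDocumentType();
        String docRouteStatus = documentRouteHeaderValue.getDocRouteStatus();
        String appDocStatus = documentRouteHeaderValue.getAppDocStatus();
        List<String> currentNodeNames = documentRouteHeaderValue.getCurrentNodeNames();
        validateDocumentType(documentType);
        validateRouteNodeNames(currentNodeNames);
        validateDocumentStatus(docRouteStatus);
        List<Map<String, String>> detailsPerNode = buildDocumentTypePermissionDetailsForNodes(documentType, currentNodeNames, docRouteStatus, null);
        if (StringUtils.isNotBlank(appDocStatus)) {
            for (Map<String, String> permissionDetails : detailsPerNode) {
                permissionDetails.put("appDocStatus", appDocStatus);
            }
        }
        for (Map<String, String> permissionDetails : detailsPerNode) {
            Map<String, String> roleQualifiers = buildDocumentRoleQualifiers(documentRouteHeaderValue, permissionDetails.get("routeNodeName"));
            // The second isPermissionDefinedByTemplate call is kept because useKimPermission is
            // overridable and a subclass may answer differently.
            if (useKimPermission(KFSConstants.CoreModuleNamespaces.WORKFLOW, KewApiConstants.RECALL_PERMISSION, permissionDetails, false)
                    && getPermissionService().isPermissionDefinedByTemplate(KFSConstants.CoreModuleNamespaces.WORKFLOW, KewApiConstants.RECALL_PERMISSION, permissionDetails)
                    && getPermissionService().isAuthorizedByTemplate(str, KFSConstants.CoreModuleNamespaces.WORKFLOW, KewApiConstants.RECALL_PERMISSION, permissionDetails, roleQualifiers)) {
                return true;
            }
        }
        // The decompiled code ended in "z ? false : false": both outcomes deny, so the flag that
        // tracked "a permission was found" had no effect and is dropped.
        return false;
    }

    /**
     * Checks whether a principal may blanket-approve the document.
     *
     * <p>If the document type defines a blanket-approve group, the principal must be a blanket
     * approver and, when the initiator-must-blanket-approve policy is on, must also pass the
     * initiator policy check. Otherwise the "Blanket Approve Document" KIM permission decides.
     *
     * @param str the principal ID
     * @param documentRouteHeaderValue the document being approved
     * @return {@code true} only on an explicit grant
     * @throws IllegalArgumentException if any validated input is missing or invalid
     */
    public boolean canBlanketApprove(String str, DocumentRouteHeaderValue documentRouteHeaderValue) {
        validatePrincipalId(str);
        validateDocument(documentRouteHeaderValue);
        DocumentType documentType = documentRouteHeaderValue.getDocumentType();
        String initiatorWorkflowId = documentRouteHeaderValue.getInitiatorWorkflowId();
        String docRouteStatus = documentRouteHeaderValue.getDocRouteStatus();
        validateDocumentType(documentType);
        validateDocumentStatus(docRouteStatus);
        validatePrincipalId(initiatorWorkflowId);
        if (documentType.isBlanketApproveGroupDefined()) {
            boolean initiatorPolicySatisfied = true;
            if (documentType.getInitiatorMustBlanketApprovePolicy().getPolicyValue().booleanValue()) {
                initiatorPolicySatisfied = executeInitiatorPolicyCheck(str, initiatorWorkflowId, docRouteStatus);
            }
            return initiatorPolicySatisfied && documentType.isBlanketApprover(str);
        }
        return getPermissionService().isAuthorizedByTemplate(str, KFSConstants.CoreModuleNamespaces.WORKFLOW, "Blanket Approve Document", buildDocumentTypePermissionDetails(documentType, docRouteStatus, null, null), new HashMap<>());
    }

    /**
     * Checks whether a principal may save the document.
     *
     * <p>Follows the same decision order as {@link #canCancel}, using the
     * {@code INITIATOR_MUST_SAVE} policy and the "Save Document" permission template; it
     * likewise returns {@code true} when nothing restricts the action.
     *
     * @param str the principal ID
     * @param documentRouteHeaderValue the document being saved
     * @return whether saving is allowed
     * @throws IllegalArgumentException if any validated input is missing or invalid
     */
    public boolean canSave(String str, DocumentRouteHeaderValue documentRouteHeaderValue) {
        validatePrincipalId(str);
        validateDocument(documentRouteHeaderValue);
        DocumentType documentType = documentRouteHeaderValue.getDocumentType();
        String docRouteStatus = documentRouteHeaderValue.getDocRouteStatus();
        String initiatorWorkflowId = documentRouteHeaderValue.getInitiatorWorkflowId();
        List<String> currentNodeNames = documentRouteHeaderValue.getCurrentNodeNames();
        validateDocumentType(documentType);
        validateRouteNodeNames(currentNodeNames);
        validateDocumentStatus(docRouteStatus);
        validatePrincipalId(initiatorWorkflowId);
        if (!documentType.isPolicyDefined(DocumentTypePolicy.INITIATOR_MUST_SAVE)) {
            boolean foundApplicablePermission = false;
            for (Map<String, String> permissionDetails : buildDocumentTypePermissionDetailsForNodes(documentType, currentNodeNames, docRouteStatus, null)) {
                Map<String, String> roleQualifiers = buildDocumentRoleQualifiers(documentRouteHeaderValue, permissionDetails.get("routeNodeName"));
                if (useKimPermission(KFSConstants.CoreModuleNamespaces.WORKFLOW, "Save Document", permissionDetails, true)) {
                    foundApplicablePermission = true;
                    if (getPermissionService().isAuthorizedByTemplate(str, KFSConstants.CoreModuleNamespaces.WORKFLOW, "Save Document", permissionDetails, roleQualifiers)) {
                        return true;
                    }
                }
            }
            if (foundApplicablePermission) {
                // A permission exists for this document but was not granted: deny.
                return false;
            }
        }
        if (documentType.getInitiatorMustSavePolicy().getPolicyValue().booleanValue()) {
            return executeInitiatorPolicyCheck(str, initiatorWorkflowId, docRouteStatus);
        }
        // Neither a KIM permission nor the initiator policy restricted the action.
        return true;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Builds the permission details map used to match KIM permission templates.
     *
     * @param documentType the document type; its name is added when not {@code null}
     * @param str the route status code; added when not blank, and statuses {@code "I"} and
     *     {@code "S"} force the route node name to {@code "PreRoute"}
     * @param str2 the action request code; added when not blank
     * @param str3 the route node name; used only when the status is not {@code "I"}/{@code "S"}
     *     and the name is not blank
     * @return a new, mutable details map
     */
    public Map<String, String> buildDocumentTypePermissionDetails(DocumentType documentType, String str, String str2, String str3) {
        Map<String, String> permissionDetails = new HashMap<>();
        if (documentType != null) {
            permissionDetails.put("documentTypeName", documentType.getName());
        }
        if (StringUtils.isNotBlank(str)) {
            permissionDetails.put("routeStatusCode", str);
        }
        if (isPreRouteStatus(str)) {
            permissionDetails.put("routeNodeName", PRE_ROUTE_NODE_NAME);
        } else if (StringUtils.isNotBlank(str3)) {
            permissionDetails.put("routeNodeName", str3);
        }
        if (StringUtils.isNotBlank(str2)) {
            permissionDetails.put("actionRequestCd", str2);
        }
        return permissionDetails;
    }

    /**
     * Builds one permission details map per route node name, or a single map without a node
     * name when the collection is empty.
     *
     * @param documentType the document type
     * @param collection route node names; a {@code null} collection is not tolerated and
     *     raises a {@link NullPointerException}
     * @param str the route status code
     * @param str2 the action request code
     * @return a new list holding at least one details map
     */
    protected List<Map<String, String>> buildDocumentTypePermissionDetailsForNodes(DocumentType documentType, Collection<String> collection, String str, String str2) {
        List<Map<String, String>> detailsPerNode = new ArrayList<>();
        if (collection.isEmpty()) {
            detailsPerNode.add(buildDocumentTypePermissionDetails(documentType, str, str2, null));
        } else {
            for (String routeNodeName : collection) {
                detailsPerNode.add(buildDocumentTypePermissionDetails(documentType, str, str2, routeNodeName));
            }
        }
        return detailsPerNode;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Builds the role qualifiers passed to KIM alongside the permission details.
     *
     * <p>Unlike {@link #buildDocumentTypePermissionDetails}, the route node name is stored even
     * when {@code str} is {@code null} or blank, provided the document has a non-blank status
     * other than {@code "I"}/{@code "S"}.
     *
     * @param documentRouteHeaderValue the document; must not be {@code null}
     * @param str the route node name to record outside the pre-route statuses
     * @return a new, mutable qualifier map
     */
    public Map<String, String> buildDocumentRoleQualifiers(DocumentRouteHeaderValue documentRouteHeaderValue, String str) {
        Map<String, String> roleQualifiers = new HashMap<>();
        roleQualifiers.put("documentNumber", documentRouteHeaderValue.getDocumentId());
        String docRouteStatus = documentRouteHeaderValue.getDocRouteStatus();
        if (StringUtils.isNotBlank(docRouteStatus)) {
            roleQualifiers.put("routeStatusCode", docRouteStatus);
            roleQualifiers.put("routeNodeName", isPreRouteStatus(docRouteStatus) ? PRE_ROUTE_NODE_NAME : str);
        }
        String documentTypeName = documentRouteHeaderValue.getDocumentType().getName();
        roleQualifiers.put("documentTypeName", documentTypeName);
        DocumentEntry documentEntry = KRADServiceLocatorWeb.getDocumentDictionaryService().getDocumentEntry(documentTypeName);
        if (documentEntry != null) {
            Class<? extends Document> documentClass = documentEntry.getDocumentClass();
            // Maintenance documents take their namespace from the maintained data object class.
            String namespaceCode = MaintenanceDocument.class.isAssignableFrom(documentClass)
                    ? KRADUtils.getNamespaceCode(((MaintenanceDocumentEntry) documentEntry).getDataObjectClass())
                    : KRADUtils.getNamespaceCode(documentClass);
            roleQualifiers.put("namespaceCode", namespaceCode);
        }
        return roleQualifiers;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Reports whether a KIM permission should decide the action.
     *
     * @param str the permission namespace
     * @param str2 the permission template name
     * @param map the permission details to match
     * @param z whether to consult the {@code KIM_PRIORITY_ON_DOC_TYP_PERMS_IND} parameter first
     * @return {@code false} when {@code z} is set and the parameter is explicitly {@code false};
     *     otherwise whether a permission is defined for the template and details. A missing
     *     ({@code null}) parameter value is treated as {@code true}.
     */
    public boolean useKimPermission(String str, String str2, Map<String, String> map, boolean z) {
        if (z) {
            Boolean kimHasPriority = CoreFrameworkServiceLocator.getParameterService().getParameterValueAsBoolean(KFSConstants.CoreModuleNamespaces.WORKFLOW, "All", KewApiConstants.KIM_PRIORITY_ON_DOC_TYP_PERMS_IND);
            if (kimHasPriority != null && !kimHasPriority.booleanValue()) {
                return false;
            }
        }
        return getPermissionService().isPermissionDefinedByTemplate(str, str2, map);
    }

    /**
     * Applies an "initiator must ..." policy: the principal passes if it is the initiator, or
     * if the document status is neither {@code "S"} nor {@code "I"}. Outside those two statuses
     * the policy does not restrict any principal.
     */
    private boolean executeInitiatorPolicyCheck(String str, String str2, String str3) {
        return str.equals(str2) || !isPreRouteStatus(str3);
    }

    /** Returns whether the status code is one of the two that map to the "PreRoute" node. */
    private static boolean isPreRouteStatus(String routeStatusCode) {
        return ROUTE_STATUS_INITIATED.equals(routeStatusCode) || ROUTE_STATUS_SAVED.equals(routeStatusCode);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Rejects a blank principal ID.
     *
     * @param str the principal ID
     * @throws IllegalArgumentException if the value is blank
     */
    public void validatePrincipalId(String str) {
        if (StringUtils.isBlank(str)) {
            throw new IllegalArgumentException("Invalid principal ID, value was empty");
        }
    }

    /**
     * Rejects a {@code null} document.
     *
     * @param documentRouteHeaderValue the document
     * @throws IllegalArgumentException if the document is {@code null}
     */
    protected void validateDocument(DocumentRouteHeaderValue documentRouteHeaderValue) {
        if (documentRouteHeaderValue == null) {
            throw new IllegalArgumentException("document cannot be null");
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Rejects a {@code null} document type.
     *
     * @param documentType the document type
     * @throws IllegalArgumentException if the type is {@code null}
     */
    public void validateDocumentType(DocumentType documentType) {
        if (documentType == null) {
            throw new IllegalArgumentException("DocumentType cannot be null");
        }
    }

    /**
     * Rejects a list that contains a blank route node name; an empty list is accepted.
     *
     * @param list the route node names; a {@code null} list raises a
     *     {@link NullPointerException}
     * @throws IllegalArgumentException if any name is blank
     */
    protected void validateRouteNodeNames(List<String> list) {
        for (String routeNodeName : list) {
            if (StringUtils.isBlank(routeNodeName)) {
                throw new IllegalArgumentException("List of route node names contained an invalid route node name, value was empty");
            }
        }
    }

    /**
     * Rejects a blank status or one that is not a key of
     * {@code KewApiConstants.DOCUMENT_STATUSES}.
     *
     * @param str the route status code
     * @throws IllegalArgumentException if the status is blank or unknown
     */
    protected void validateDocumentStatus(String str) {
        if (StringUtils.isBlank(str)) {
            throw new IllegalArgumentException("Invalid document status, value was empty");
        }
        if (!KewApiConstants.DOCUMENT_STATUSES.containsKey(str)) {
            throw new IllegalArgumentException("Invalid document status was given, value was: " + str);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Returns the KIM permission service from the service locator; overridable so a subclass
     * can supply a different instance.
     */
    public PermissionService getPermissionService() {
        return KimApiServiceLocator.getPermissionService();
    }
}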
