package org.kuali.kfs.sec.document;

import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.apache.commons.lang3.StringUtils;
import org.apache.log4j.Logger;
import org.kuali.kfs.kns.document.MaintenanceDocument;
import org.kuali.kfs.krad.bo.DocumentHeader;
import org.kuali.kfs.krad.service.BusinessObjectService;
import org.kuali.kfs.krad.service.DocumentService;
import org.kuali.kfs.sec.businessobject.AbstractSecurityModelDefinition;
import org.kuali.kfs.sec.businessobject.SecurityDefinition;
import org.kuali.kfs.sec.businessobject.SecurityModel;
import org.kuali.kfs.sec.businessobject.SecurityModelDefinition;
import org.kuali.kfs.sec.businessobject.SecurityModelMember;
import org.kuali.kfs.sec.businessobject.SecurityPrincipal;
import org.kuali.kfs.sys.context.SpringContext;
import org.kuali.rice.core.api.criteria.PredicateFactory;
import org.kuali.rice.core.api.criteria.QueryByCriteria;
import org.kuali.rice.core.api.membership.MemberType;
import org.kuali.rice.kew.api.exception.WorkflowException;
import org.kuali.rice.kim.api.role.Role;
import org.kuali.rice.kim.api.role.RoleMember;
import org.kuali.rice.kim.api.role.RoleService;
import org.kuali.rice.kim.api.services.KimApiServiceLocator;
import org.springframework.util.ObjectUtils;

/* loaded from: input_file:WEB-INF/lib/kfs-core-2018-06-21-SNAPSHOT.jar:org/kuali/kfs/sec/document/SecurityModelMaintainableImpl.class */
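/**
 * Maintainable for {@link SecurityModel} maintenance documents.
 *
 * <p>Once a document reaches the processed workflow state, this class keeps the KIM role that
 * backs the model (namespace {@code KFS-SEC}) in step with the model: it creates, re-activates or
 * inactivates the model role, nests that role inside the roles of the model's security
 * definitions, and synchronises the model's own members.
 *
 * <p>Helpers such as {@code getMaintenanceAction()}, {@code getDefaultRoleTypeId()},
 * {@code getRoleMembershipForMemberType(...)}, {@code getRoleQualifiersFromSecurityModelDefinition(...)}
 * and {@code updateSecurityModelRoleMember(...)} are not defined in this file; presumably they are
 * inherited from {@link AbstractSecurityModuleMaintainable} or its ancestors.
 */
public class SecurityModelMaintainableImpl extends AbstractSecurityModuleMaintainable {
    private static final Logger LOG = Logger.getLogger(SecurityModelMaintainableImpl.class);

    /** KIM namespace under which model roles are created and looked up. */
    private static final String SEC_NAMESPACE_CODE = "KFS-SEC";

    /** Lazily resolved KIM role service, shared by all instances; replaceable via {@link #setRoleService}. */
    protected static volatile RoleService roleService;

    /**
     * Synchronises the backing KIM role after the maintenance document has been processed.
     *
     * <p>For an edit that turns an active model inactive, the old model's role and its grants are
     * withdrawn. If the new model is active, its role is created or updated and its memberships
     * are (re)assigned.
     *
     * @param documentHeader header of the document whose route status changed
     * @throws RuntimeException wrapping the {@link WorkflowException} if the document cannot be loaded
     */
    @Override
    public void doRouteStatusChange(DocumentHeader documentHeader) {
        super.doRouteStatusChange(documentHeader);
        if (!documentHeader.getWorkflowDocument().isProcessed()) {
            return;
        }
        try {
            DocumentService documentService = (DocumentService) SpringContext.getBean(DocumentService.class);
            MaintenanceDocument maintenanceDocument =
                    (MaintenanceDocument) documentService.getByDocumentHeaderId(documentHeader.getDocumentNumber());
            SecurityModel oldModel = (SecurityModel) maintenanceDocument.getOldMaintainableObject().getBusinessObject();
            SecurityModel newModel = (SecurityModel) maintenanceDocument.getNewMaintainableObject().getBusinessObject();

            // Literal-first comparison: a missing maintenance action is treated as "not new"
            // instead of failing with a NullPointerException.
            String action = getMaintenanceAction();
            boolean newMaintenanceAction = "New".equalsIgnoreCase(action) || "Copy".equalsIgnoreCase(action);

            if (!newMaintenanceAction && isInactivatingExistingSecurityModel(oldModel, newModel)) {
                inactivateOldModelRole(oldModel, newMaintenanceAction);
            }
            if (newModel.isActive()) {
                initializeModelRole(oldModel, newModel, newMaintenanceAction);
            }
        } catch (WorkflowException e) {
            String message = "caught exception while handling doRouteStatusChange -> documentService.getByDocumentHeaderId(" + documentHeader.getDocumentNumber() + "). ";
            LOG.error(message, e);
            throw new RuntimeException(message, e);
        }
    }

    /**
     * Tells whether the change turns an existing, active model into an inactive one.
     *
     * @param oldModel the model before the change; may be {@code null}
     * @param newModel the model after the change
     * @return {@code true} only when {@code oldModel} is non-null and active and {@code newModel} is inactive
     */
    protected boolean isInactivatingExistingSecurityModel(SecurityModel oldModel, SecurityModel newModel) {
        return oldModel != null && oldModel.isActive() && !newModel.isActive();
    }

    /**
     * Withdraws the grants of the old model's role and inactivates that role.
     *
     * @param oldModel the model as it was before the change
     * @param newMaintenanceAction whether the document action is New or Copy (passed through to the
     *        membership pass)
     */
    protected void inactivateOldModelRole(SecurityModel oldModel, boolean newMaintenanceAction) {
        Role modelRole = getExistingActiveModelRole(oldModel);
        boolean originalActive = oldModel.isActive();
        try {
            // The membership pass removes an existing nesting when the model it is given is
            // inactive, so the old model is flagged inactive for the duration of the pass.
            oldModel.setActive(false);
            assignOrUpdateModelMembershipToDefinitionRoles(modelRole, oldModel, oldModel, newMaintenanceAction);
            assignOrUpdateModelMembers(modelRole, oldModel);
            inactivateModelRole(modelRole);
        } finally {
            // Restore the caller's object whether or not the pass succeeded.
            oldModel.setActive(originalActive);
        }
    }

    /**
     * Looks the model role up by namespace {@code KFS-SEC} and the model's name.
     *
     * <p>NOTE(review): the lookup itself does not filter on the role's active flag; whether the
     * service only returns active roles cannot be told from this file.
     *
     * @param securityModel model whose name identifies the role
     * @return the role returned by the role service (callers in this class handle {@code null})
     */
    protected Role getExistingActiveModelRole(SecurityModel securityModel) {
        return getRoleService().getRoleByNamespaceCodeAndName(SEC_NAMESPACE_CODE, securityModel.getName());
    }

    /**
     * Creates or updates the role for the new model and assigns its memberships.
     *
     * @param oldModel the model before the change (only consulted when the action is not New/Copy)
     * @param newModel the model after the change
     * @param newMaintenanceAction whether the document action is New or Copy
     */
    protected void initializeModelRole(SecurityModel oldModel, SecurityModel newModel, boolean newMaintenanceAction) {
        Role modelRole = createOrUpdateModelRole(newModel);
        assignOrUpdateModelMembershipToDefinitionRoles(modelRole, oldModel, newModel, newMaintenanceAction);
        assignOrUpdateModelMembers(modelRole, newModel);
    }

    /**
     * Finds the role recorded on the model by id within namespace {@code KFS-SEC}, without
     * filtering on the active flag.
     *
     * @param securityModel model carrying the role id
     * @return the single matching role, or {@code null} when the model has no role id or the
     *         query does not return exactly one role
     */
    protected Role getPotentiallyInactiveModelRole(SecurityModel securityModel) {
        // processAfterCopy blanks the role id with "", so treat blank like null and skip the query.
        if (StringUtils.isBlank(securityModel.getRoleId())) {
            return null;
        }
        QueryByCriteria query = QueryByCriteria.Builder.fromPredicates(
                PredicateFactory.equal("id", securityModel.getRoleId()),
                PredicateFactory.equal("namespaceCode", SEC_NAMESPACE_CODE));
        List<Role> matches = getRoleService().findRoles(query).getResults();
        return matches.size() == 1 ? matches.get(0) : null;
    }

    /**
     * Builds the id used when a new role is created for the model.
     *
     * @param securityModel model the role will back
     * @return {@code "KFS-SEC-"} followed by the model id
     */
    protected String buildModelRoleId(SecurityModel securityModel) {
        return SEC_NAMESPACE_CODE + "-" + securityModel.getId();
    }

    /**
     * Returns the shared role service, resolving it from {@link KimApiServiceLocator} on first use.
     *
     * @return the role service used by every role operation in this class
     */
    protected RoleService getRoleService() {
        if (roleService == null) {
            roleService = KimApiServiceLocator.getRoleService();
        }
        return roleService;
    }

    /**
     * Replaces the shared role service.
     *
     * @param roleService2 service to use from now on
     */
    protected void setRoleService(RoleService roleService2) {
        roleService = roleService2;
    }

    /**
     * Re-activates and renames the role already recorded on the model, or creates a new one, and
     * stores the resulting role id on the model.
     *
     * @param securityModel model to create or update the role for
     * @return the role returned by the role service
     */
    protected Role createOrUpdateModelRole(SecurityModel securityModel) {
        Role existingRole = getPotentiallyInactiveModelRole(securityModel);
        Role.Builder builder;
        Role savedRole;
        if (existingRole != null) {
            builder = Role.Builder.create(existingRole);
            builder.setActive(true);
            builder.setName(securityModel.getName());
            builder.setDescription(securityModel.getDescription());
            savedRole = getRoleService().updateRole(builder.build());
        } else {
            builder = Role.Builder.create();
            builder.setId(buildModelRoleId(securityModel));
            builder.setName(securityModel.getName());
            builder.setNamespaceCode(SEC_NAMESPACE_CODE);
            builder.setDescription(securityModel.getDescription());
            builder.setKimTypeId(getDefaultRoleTypeId());
            builder.setActive(true);
            savedRole = getRoleService().createRole(builder.build());
        }
        securityModel.setRoleId(savedRole.getId());
        return savedRole;
    }

    /**
     * Marks the given role inactive; does nothing for {@code null}.
     *
     * @param role role to inactivate, may be {@code null}
     */
    protected void inactivateModelRole(Role role) {
        if (role == null) {
            return;
        }
        Role.Builder builder = Role.Builder.create(role);
        builder.setActive(false);
        // Goes through getRoleService() so a service supplied via setRoleService is honoured.
        getRoleService().updateRole(builder.build());
    }

    /**
     * Grants, updates or revokes the model role's membership in each definition role.
     *
     * <p>For every definition of {@code newModel}: when both the model and the definition are
     * active the model role is nested in the definition role (or the existing membership is
     * re-opened with fresh qualifiers); otherwise an existing membership is removed.
     *
     * <p>NOTE(review): only the definitions of {@code newModel} are visited. A definition present
     * in {@code oldModel} but absent from {@code newModel} keeps its nesting as far as this method
     * is concerned. Confirm that existing definition lines can only be inactivated, not deleted.
     *
     * @param modelRole role backing the model; must not be {@code null}
     * @param oldModel model before the change, used to locate existing memberships
     * @param newModel model whose definitions drive the pass
     * @param newMaintenanceAction whether the action is New or Copy; if so no existing membership
     *        is looked up
     * @throws RuntimeException if the model role or a definition role is missing
     */
    protected void assignOrUpdateModelMembershipToDefinitionRoles(Role modelRole, SecurityModel oldModel, SecurityModel newModel, boolean newMaintenanceAction) {
        RoleService roles = getRoleService();
        if (modelRole == null) {
            LOG.error("Model Role does not exist for SecurityModel: " + newModel);
            throw new RuntimeException("Model Role does not exist for SecurityModel: " + newModel);
        }
        for (SecurityModelDefinition modelDefinition : newModel.getModelDefinitions()) {
            SecurityDefinition securityDefinition = modelDefinition.getSecurityDefinition();
            Role definitionRole = roles.getRole(securityDefinition.getRoleId());
            if (definitionRole == null) {
                LOG.error("Definition Role does not exist for SecurityModelDefinition: " + securityDefinition);
                throw new RuntimeException("Definition Role does not exist for SecurityModelDefinition: " + securityDefinition);
            }

            RoleMember existingMembership = null;
            if (!newMaintenanceAction) {
                AbstractSecurityModelDefinition oldDefinition = findDefinitionById(oldModel, modelDefinition);
                if (oldDefinition != null) {
                    // The membership is located with the OLD qualifiers, because those are the
                    // ones it was stored under.
                    existingMembership = getRoleMembershipForMemberType(definitionRole.getId(), modelRole.getId(), MemberType.ROLE.getCode(), getRoleQualifiersFromSecurityModelDefinition(oldDefinition));
                }
            }

            boolean shouldBeGranted = newModel.isActive() && modelDefinition.isActive();
            if (!shouldBeGranted) {
                if (existingMembership != null) {
                    roles.removeRoleFromRole(existingMembership.getMemberId(), definitionRole.getNamespaceCode(), definitionRole.getName(), existingMembership.getAttributes());
                }
            } else if (existingMembership == null) {
                roles.assignRoleToRole(modelRole.getId(), definitionRole.getNamespaceCode(), definitionRole.getName(), getRoleQualifiersFromSecurityModelDefinition(modelDefinition));
            } else {
                RoleMember.Builder builder = RoleMember.Builder.create(existingMembership);
                // Clearing the end date re-opens a membership that was closed earlier.
                builder.setActiveToDate(null);
                builder.setAttributes(getRoleQualifiersFromSecurityModelDefinition(modelDefinition));
                roles.updateRoleMember(builder.build());
            }
        }
    }

    /** Returns the first definition of {@code model} with the same model-definition id as {@code target}, or null. */
    private AbstractSecurityModelDefinition findDefinitionById(SecurityModel model, SecurityModelDefinition target) {
        for (SecurityModelDefinition candidate : model.getModelDefinitions()) {
            if (ObjectUtils.nullSafeEquals(candidate.getModelDefinitionId(), target.getModelDefinitionId())) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Pushes every model member to the model role and ensures principal security records exist.
     *
     * <p>NOTE(review): whether an inactive model or member leads to removal is decided inside
     * {@code updateSecurityModelRoleMember}, which is not visible here.
     *
     * @param modelRole role backing the model; must not be {@code null}
     * @param securityModel model whose members are synchronised
     * @throws RuntimeException if the model role is missing
     */
    protected void assignOrUpdateModelMembers(Role modelRole, SecurityModel securityModel) {
        if (modelRole == null) {
            String message = "Data problem with access security. KIM Role backing the security model is missing.  SecurityModel: " + securityModel;
            LOG.error(message);
            throw new RuntimeException(message);
        }
        for (SecurityModelMember member : securityModel.getModelMembers()) {
            updateSecurityModelRoleMember(modelRole, member, member.getMemberTypeCode(), member.getMemberId(), new HashMap<>(0));
            createPrincipalSecurityRecords(member.getMemberId(), member.getMemberTypeCode());
        }
    }

    /**
     * Ensures a {@link SecurityPrincipal} record exists for every principal behind a member.
     *
     * <p>A principal member contributes itself; a role or group member is expanded to its
     * principal ids at the time of the call. NOTE(review): principals that join the role or group
     * later are not covered by this pass.
     *
     * @param memberId id of the principal, role or group
     * @param memberTypeCode KIM member type code of {@code memberId}
     * @throws RuntimeException if a role member refers to a role the role service does not return
     */
    protected void createPrincipalSecurityRecords(String memberId, String memberTypeCode) {
        HashSet<String> principalIds = new HashSet<>();
        if (MemberType.PRINCIPAL.getCode().equals(memberTypeCode)) {
            principalIds.add(memberId);
        } else if (MemberType.ROLE.getCode().equals(memberTypeCode)) {
            Role memberRole = getRoleService().getRole(memberId);
            if (memberRole == null) {
                // Fail with a descriptive error instead of a bare NullPointerException.
                String message = "Member Role does not exist for SecurityModelMember with member id: " + memberId;
                LOG.error(message);
                throw new RuntimeException(message);
            }
            principalIds.addAll(getRoleService().getRoleMemberPrincipalIds(memberRole.getNamespaceCode(), memberRole.getName(), null));
        } else if (MemberType.GROUP.getCode().equals(memberTypeCode)) {
            principalIds.addAll(KimApiServiceLocator.getGroupService().getMemberPrincipalIds(memberId));
        }

        BusinessObjectService businessObjectService = (BusinessObjectService) SpringContext.getBean(BusinessObjectService.class);
        for (String principalId : principalIds) {
            if (businessObjectService.findBySinglePrimaryKey(SecurityPrincipal.class, principalId) == null) {
                SecurityPrincipal securityPrincipal = new SecurityPrincipal();
                securityPrincipal.setPrincipalId(principalId);
                // The record is saved as-is; casting it to BusinessObjectService would fail at
                // run time with a ClassCastException.
                businessObjectService.save(securityPrincipal);
            }
        }
    }

    /**
     * Tells whether the model contains a definition with the given name, ignoring case.
     *
     * @param definitionName security definition name to look for
     * @param securityModel model to search
     * @return {@code true} if any model definition's security definition has that name
     */
    protected boolean isDefinitionInModel(String definitionName, SecurityModel securityModel) {
        for (SecurityModelDefinition modelDefinition : securityModel.getModelDefinitions()) {
            if (StringUtils.equalsIgnoreCase(definitionName, modelDefinition.getSecurityDefinition().getName())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Clears the role id on the copied model before the standard copy processing.
     *
     * <p>The role id drives the "update existing role" branch of {@link #createOrUpdateModelRole},
     * so blanking it keeps the copy from reusing the source model's KIM role.
     *
     * @param maintenanceDocument document holding the copied model
     * @param map request parameters handed to the superclass
     */
    @Override
    public void processAfterCopy(MaintenanceDocument maintenanceDocument, Map<String, String[]> map) {
        SecurityModel copiedModel = (SecurityModel) maintenanceDocument.getNewMaintainableObject().getBusinessObject();
        copiedModel.setRoleId("");
        super.processAfterCopy(maintenanceDocument, map);
    }
}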
