package org.kuali.kfs.kns.service.impl;

import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.reflect.InvocationTargetException;
import java.lang.runtime.ObjectMethods;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Optional;
import javax.validation.constraints.NotNull;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.Validate;
import org.kuali.kfs.core.api.config.AppEnvironment;
import org.kuali.kfs.core.api.config.property.ConfigurationService;
import org.kuali.kfs.datadictionary.legacy.BusinessObjectDictionaryService;
import org.kuali.kfs.datadictionary.legacy.MaintenanceDocumentDictionaryService;
import org.kuali.kfs.kim.api.KimConstants;
import org.kuali.kfs.kim.api.permission.PermissionService;
import org.kuali.kfs.kim.impl.identity.Person;
import org.kuali.kfs.kns.datadictionary.BusinessObjectEntry;
import org.kuali.kfs.kns.document.authorization.BusinessObjectRestrictions;
import org.kuali.kfs.kns.service.DocumentHelperService;
import org.kuali.kfs.krad.bo.BusinessObject;
import org.kuali.kfs.krad.bo.DataObjectAuthorizer;
import org.kuali.kfs.krad.datadictionary.AttributeDefinition;
import org.kuali.kfs.krad.document.Document;
import org.kuali.kfs.krad.util.KRADConstants;
import org.kuali.kfs.krad.util.KRADUtils;

/* loaded from: input_file:WEB-INF/lib/kfs-core-cdk-SNAPSHOT.jar:org/kuali/kfs/kns/service/impl/UnmaskAuthorizationHelper.class */
public class UnmaskAuthorizationHelper {
    private final AppEnvironment appEnvironment;
    protected final BusinessObjectDictionaryService businessObjectDictionaryService;
    private final ConfigurationService configurationService;
    private final DocumentHelperService documentHelperService;
    private final MaintenanceDocumentDictionaryService maintenanceDocumentDictionaryService;
    private final PermissionService permissionService;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/kfs-core-cdk-SNAPSHOT.jar:org/kuali/kfs/kns/service/impl/UnmaskAuthorizationHelper$AuthorizerDetails.class */
    public static final class AuthorizerDetails extends Record {
        private final BusinessObject businessObject;
        private final Optional<? extends DataObjectAuthorizer> authorizer;

        private AuthorizerDetails(BusinessObject businessObject, Optional<? extends DataObjectAuthorizer> optional) {
            this.businessObject = businessObject;
            this.authorizer = optional;
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, AuthorizerDetails.class), AuthorizerDetails.class, "businessObject;authorizer", "FIELD:Lorg/kuali/kfs/kns/service/impl/UnmaskAuthorizationHelper$AuthorizerDetails;->businessObject:Lorg/kuali/kfs/krad/bo/BusinessObject;", "FIELD:Lorg/kuali/kfs/kns/service/impl/UnmaskAuthorizationHelper$AuthorizerDetails;->authorizer:Ljava/util/Optional;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, AuthorizerDetails.class), AuthorizerDetails.class, "businessObject;authorizer", "FIELD:Lorg/kuali/kfs/kns/service/impl/UnmaskAuthorizationHelper$AuthorizerDetails;->businessObject:Lorg/kuali/kfs/krad/bo/BusinessObject;", "FIELD:Lorg/kuali/kfs/kns/service/impl/UnmaskAuthorizationHelper$AuthorizerDetails;->authorizer:Ljava/util/Optional;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, AuthorizerDetails.class, Object.class), AuthorizerDetails.class, "businessObject;authorizer", "FIELD:Lorg/kuali/kfs/kns/service/impl/UnmaskAuthorizationHelper$AuthorizerDetails;->businessObject:Lorg/kuali/kfs/krad/bo/BusinessObject;", "FIELD:Lorg/kuali/kfs/kns/service/impl/UnmaskAuthorizationHelper$AuthorizerDetails;->authorizer:Ljava/util/Optional;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        public BusinessObject businessObject() {
            return this.businessObject;
        }

        public Optional<? extends DataObjectAuthorizer> authorizer() {
            return this.authorizer;
        }
    }

    public UnmaskAuthorizationHelper(AppEnvironment appEnvironment, BusinessObjectDictionaryService businessObjectDictionaryService, ConfigurationService configurationService, DocumentHelperService documentHelperService, MaintenanceDocumentDictionaryService maintenanceDocumentDictionaryService, PermissionService permissionService) {
        Validate.isTrue(appEnvironment != null, "appEnvironment must be supplied", new Object[0]);
        this.appEnvironment = appEnvironment;
        Validate.isTrue(businessObjectDictionaryService != null, "businessObjectDictionaryService must be supplied", new Object[0]);
        this.businessObjectDictionaryService = businessObjectDictionaryService;
        Validate.isTrue(configurationService != null, "configurationService must be supplied", new Object[0]);
        this.configurationService = configurationService;
        Validate.isTrue(documentHelperService != null, "documentHelperService must be supplied", new Object[0]);
        this.documentHelperService = documentHelperService;
        Validate.isTrue(maintenanceDocumentDictionaryService != null, "maintenanceDocumentDictionaryService must be supplied", new Object[0]);
        this.maintenanceDocumentDictionaryService = maintenanceDocumentDictionaryService;
        Validate.isTrue(permissionService != null, "permissionService must be supplied", new Object[0]);
        this.permissionService = permissionService;
    }

    public void considerBusinessObjectFieldUnmaskAuthorization(Object obj, Person person, BusinessObjectRestrictions businessObjectRestrictions, String str, Document document) {
        BusinessObjectEntry businessObjectEntry = this.businessObjectDictionaryService.getBusinessObjectEntry(obj.getClass().getName());
        BusinessObject businessObject = obj instanceof BusinessObject ? (BusinessObject) obj : document;
        Iterator<String> it = businessObjectEntry.getAttributeNames().iterator();
        while (it.hasNext()) {
            applyMaskRestrictions(obj, person, businessObjectRestrictions, str, document, it.next(), businessObjectEntry, businessObject);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void applyMaskRestrictions(Object obj, Person person, BusinessObjectRestrictions businessObjectRestrictions, String str, Document document, String str2, BusinessObjectEntry businessObjectEntry, BusinessObject businessObject) {
        AttributeDefinition attributeDefinition = businessObjectEntry.getAttributeDefinition(str2);
        if (attributeDefinition.getAttributeSecurity() == null) {
            return;
        }
        if (attributeDefinition.getAttributeSecurity().isMask() && !canFullyUnmaskFieldForBusinessObject(person, obj.getClass(), str2, businessObject, document)) {
            businessObjectRestrictions.addFullyMaskedField(str + str2, attributeDefinition.getAttributeSecurity().getMaskFormatter());
        }
        if (!attributeDefinition.getAttributeSecurity().isPartialMask() || canPartiallyUnmaskFieldForBusinessObject(person, obj.getClass(), str2, businessObject, document)) {
            return;
        }
        businessObjectRestrictions.addPartiallyMaskedField(str + str2, attributeDefinition.getAttributeSecurity().getPartialMaskFormatter());
    }

    private boolean canFullyUnmaskFieldForBusinessObject(Person person, Class<?> cls, String str, BusinessObject businessObject, Document document) {
        return canUnmaskFieldForBusinessObject(person, cls, str, KimConstants.PermissionTemplateNames.FULL_UNMASK_FIELD, businessObject, document);
    }

    private boolean canPartiallyUnmaskFieldForBusinessObject(Person person, Class<?> cls, String str, BusinessObject businessObject, Document document) {
        return canUnmaskFieldForBusinessObject(person, cls, str, KimConstants.PermissionTemplateNames.PARTIAL_UNMASK_FIELD, businessObject, document);
    }

    private boolean canUnmaskFieldForBusinessObject(Person person, Class<?> cls, String str, String str2, BusinessObject businessObject, Document document) {
        if (unmaskingIsNotPossible(person)) {
            return false;
        }
        AuthorizerDetails determineAuthorizer = determineAuthorizer(businessObject, document);
        Map<String, String> additionalRoleQualifiersForUnmask = additionalRoleQualifiersForUnmask(determineAuthorizer.businessObject());
        return determineAuthorizer.authorizer().isEmpty() ? this.permissionService.isAuthorizedByTemplate(person.getPrincipalId(), "KFS-SYS", str2, new HashMap(getFieldPermissionDetails(cls, str)), additionalRoleQualifiersForUnmask) : determineAuthorizer.authorizer().get().isAuthorizedByTemplate(determineAuthorizer.businessObject(), "KFS-SYS", str2, person.getPrincipalId(), getFieldPermissionDetails(cls, str), additionalRoleQualifiersForUnmask);
    }

    private boolean isNonProductionEnvAndUnmaskingTurnedOff() {
        return (this.appEnvironment.isProductionEnvironment() || this.configurationService.getPropertyValueAsBoolean(KRADConstants.ENABLE_NONPRODUCTION_UNMASKING)) ? false : true;
    }

    private boolean unmaskingIsNotPossible(Person person) {
        return isNonProductionEnvAndUnmaskingTurnedOff() || person == null || StringUtils.isEmpty(person.getPrincipalId());
    }

    @NotNull
    protected Map<String, String> additionalRoleQualifiersForUnmask(BusinessObject businessObject) {
        return Map.of();
    }

    @NotNull
    private AuthorizerDetails determineAuthorizer(BusinessObject businessObject, Document document) {
        return document != null ? new AuthorizerDetails(document, findDocumentAuthorizerForBusinessObject(document)) : new AuthorizerDetails(businessObject, findDocumentAuthorizerForBusinessObject(businessObject).or(() -> {
            return findInquiryAuthorizerForBusinessObject(businessObject);
        }));
    }

    @NotNull
    private Optional<DataObjectAuthorizer> findDocumentAuthorizerForBusinessObject(BusinessObject businessObject) {
        if (businessObject == null) {
            return Optional.empty();
        }
        if (businessObject instanceof Document) {
            return Optional.ofNullable(this.documentHelperService.getDocumentAuthorizer((Document) businessObject));
        }
        String documentTypeName = this.maintenanceDocumentDictionaryService.getDocumentTypeName(businessObject.getClass());
        return StringUtils.isBlank(documentTypeName) ? Optional.empty() : Optional.ofNullable(this.documentHelperService.getDocumentAuthorizer(documentTypeName));
    }

    @NotNull
    private Optional<DataObjectAuthorizer> findInquiryAuthorizerForBusinessObject(BusinessObject businessObject) {
        if (businessObject == null) {
            return Optional.empty();
        }
        BusinessObjectEntry businessObjectEntry = this.businessObjectDictionaryService.getBusinessObjectEntry(businessObject.getClass().getName());
        if (businessObjectEntry == null || businessObjectEntry.getInquiryDefinition() == null || businessObjectEntry.getInquiryDefinition().getAuthorizerClass() == null) {
            return Optional.empty();
        }
        try {
            return Optional.of((DataObjectAuthorizer) businessObjectEntry.getInquiryDefinition().getAuthorizerClass().getConstructor(new Class[0]).newInstance(new Object[0]));
        } catch (IllegalAccessException | InstantiationException | NoSuchMethodException | InvocationTargetException e) {
            throw new RuntimeException("Could not instantiate authorizer for inquiry of " + businessObject.getClass().getName(), e);
        }
    }

    public boolean canFullyUnmaskField(Person person, Class<?> cls, String str, Document document) {
        return canFullyUnmaskFieldForBusinessObject(person, cls, str, document, null);
    }

    public boolean canPartiallyUnmaskField(Person person, Class<?> cls, String str, Document document) {
        return canPartiallyUnmaskFieldForBusinessObject(person, cls, str, document, null);
    }

    private Map<String, String> getFieldPermissionDetails(Class<?> cls, String str) {
        Map<String, String> namespaceAndComponentSimpleName = KRADUtils.getNamespaceAndComponentSimpleName(cls);
        namespaceAndComponentSimpleName.put("propertyName", str);
        return namespaceAndComponentSimpleName;
    }
}
