package org.kuali.rice.kew.doctype.service.impl;

import java.lang.reflect.Field;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang.builder.EqualsBuilder;
import org.apache.commons.lang.builder.HashCodeBuilder;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.eclipse.persistence.jaxb.javamodel.Helper;
import org.kuali.rice.core.api.CoreConstants;
import org.kuali.rice.core.api.datetime.DateTimeService;
import org.kuali.rice.core.api.reflect.ObjectDefinition;
import org.kuali.rice.core.api.resourceloader.GlobalResourceLoader;
import org.kuali.rice.core.api.util.KeyValue;
import org.kuali.rice.kew.api.KewApiConstants;
import org.kuali.rice.kew.api.KewApiServiceLocator;
import org.kuali.rice.kew.api.WorkflowRuntimeException;
import org.kuali.rice.kew.api.document.Document;
import org.kuali.rice.kew.api.document.search.DocumentSearchResult;
import org.kuali.rice.kew.api.document.search.DocumentSearchResults;
import org.kuali.rice.kew.api.extension.ExtensionDefinition;
import org.kuali.rice.kew.api.extension.ExtensionRepositoryService;
import org.kuali.rice.kew.doctype.DocumentTypeSecurity;
import org.kuali.rice.kew.doctype.SecurityPermissionInfo;
import org.kuali.rice.kew.doctype.SecuritySession;
import org.kuali.rice.kew.doctype.bo.DocumentType;
import org.kuali.rice.kew.doctype.service.DocumentSecurityService;
import org.kuali.rice.kew.framework.KewFrameworkServiceLocator;
import org.kuali.rice.kew.framework.document.security.DocumentSecurityAttribute;
import org.kuali.rice.kew.framework.document.security.DocumentSecurityDirective;
import org.kuali.rice.kew.framework.document.security.DocumentSecurityHandlerService;
import org.kuali.rice.kew.routeheader.DocumentRouteHeaderValue;
import org.kuali.rice.kew.service.KEWServiceLocator;
import org.kuali.rice.kew.user.UserUtils;
import org.kuali.rice.kim.api.group.Group;
import org.kuali.rice.kim.api.services.KimApiServiceLocator;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;

/* loaded from: input_file:WEB-INF/lib/rice-impl-2410.0004.jar:org/kuali/rice/kew/doctype/service/impl/DocumentSecurityServiceImpl.class */
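/**
 * Decides which workflow documents a principal may see in document search results and route logs.
 *
 * <p>Each document is checked against the {@link DocumentTypeSecurity} of its document type. Principals
 * holding the unrestricted-document-search permission bypass the per-document checks. Documents that
 * fail the standard checks but whose type names security attribute extensions are handed to the
 * owning application's {@link DocumentSecurityHandlerService} for a final decision.
 *
 * <p>NOTE(review): most methods take a principal id argument <em>and</em> a {@link SecuritySession}.
 * Initiator, searchable-attribute and action checks use the argument, while permission, group and
 * admin checks use {@code securitySession.getPrincipalId()}. Nothing here verifies that the two agree;
 * callers are presumably expected to pass the same principal in both.
 */
public class DocumentSecurityServiceImpl implements DocumentSecurityService {
    public static final Logger LOG = LogManager.getLogger(DocumentSecurityServiceImpl.class);

    /** Opening marker of a {@code ${document.<field>}} placeholder in a permission qualification value. */
    private static final String DOCUMENT_TOKEN_PREFIX = "${document.";

    private ExtensionRepositoryService extensionRepositoryService;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/rice-impl-2410.0004.jar:org/kuali/rice/kew/doctype/service/impl/DocumentSecurityServiceImpl$PartitionKey.class */
    /**
     * Groups documents by the application that owns their security attribute extensions and by the
     * exact set of extension names to evaluate, so each group can be sent as one directive.
     */
    public static final class PartitionKey {
        // Both fields take part in equals/hashCode and the key is used in a map, so they must not change
        // after construction.
        final String applicationId;
        final Set<String> documentSecurityAttributeNames = new HashSet<>();

        PartitionKey(String str, Collection<ExtensionDefinition> collection) {
            this.applicationId = str;
            for (ExtensionDefinition definition : collection) {
                this.documentSecurityAttributeNames.add(definition.getName());
            }
        }

        /** Returns a fresh list holding the extension names of this partition. */
        List<String> getDocumentSecurityAttributeNameList() {
            return new ArrayList<>(this.documentSecurityAttributeNames);
        }

        @Override
        public boolean equals(Object obj) {
            if (!(obj instanceof PartitionKey)) {
                return false;
            }
            PartitionKey other = (PartitionKey) obj;
            EqualsBuilder equalsBuilder = new EqualsBuilder();
            equalsBuilder.append(this.applicationId, other.applicationId);
            equalsBuilder.append(this.documentSecurityAttributeNames, other.documentSecurityAttributeNames);
            return equalsBuilder.isEquals();
        }

        @Override
        public int hashCode() {
            HashCodeBuilder hashCodeBuilder = new HashCodeBuilder();
            hashCodeBuilder.append(this.applicationId);
            hashCodeBuilder.append(this.documentSecurityAttributeNames);
            return hashCodeBuilder.hashCode();
        }
    }

    /**
     * Reports whether the principal may view the route log of the given document.
     *
     * @param str the principal id being checked
     * @param documentRouteHeaderValue the document whose route log is requested
     * @param securitySession per-request cache of security lookups, also carrying the principal id
     * @return {@code true} only when the document converts to a {@link Document} and passes
     *         {@link #checkAuthorizations}; {@code false} otherwise
     */
    @Override // org.kuali.rice.kew.doctype.service.DocumentSecurityService
    public boolean routeLogAuthorized(String str, DocumentRouteHeaderValue documentRouteHeaderValue, SecuritySession securitySession) {
        Document document = DocumentRouteHeaderValue.to(documentRouteHeaderValue);
        if (document == null) {
            // Nothing to evaluate: deny rather than guess.
            return false;
        }
        Set<String> authorizedIds = checkAuthorizations(str, securitySession, Collections.singletonList(document));
        return authorizedIds.contains(documentRouteHeaderValue.getDocumentId());
    }

    /**
     * Returns the ids of the search results the principal is allowed to see.
     *
     * @param str the principal id being checked
     * @param documentSearchResults the unfiltered search results
     * @param securitySession per-request cache of security lookups, also carrying the principal id
     * @return the document ids that passed {@link #checkAuthorizations}
     */
    @Override // org.kuali.rice.kew.doctype.service.DocumentSecurityService
    public Set<String> documentSearchResultAuthorized(String str, DocumentSearchResults documentSearchResults, SecuritySession securitySession) {
        List<Document> documents = new ArrayList<>();
        for (DocumentSearchResult result : documentSearchResults.getSearchResults()) {
            documents.add(result.getDocument());
        }
        return checkAuthorizations(str, securitySession, documents);
    }

    /**
     * Evaluates every document and collects the ids the principal is authorized for.
     *
     * <p>Decision order per document: admins are always authorized; a document type with no security
     * definition, or an inactive one, is treated as unrestricted; otherwise the standard checks run, and
     * documents that fail them are queued for extension processing when the type names any extensions.
     * A document that fails the standard checks and has no extensions is left out of the result.
     *
     * @param str the principal id being checked
     * @param securitySession per-request cache of security lookups, also carrying the principal id
     * @param list the documents to evaluate
     * @return ids of the authorized documents
     */
    protected Set<String> checkAuthorizations(String str, SecuritySession securitySession, List<Document> list) {
        Set<String> authorizedIds = new HashSet<>();
        List<Document> needExtensionCheck = new ArrayList<>();
        boolean admin = isAdmin(securitySession);
        for (Document document : list) {
            if (admin) {
                authorizedIds.add(document.getDocumentId());
                continue;
            }
            try {
                DocumentTypeSecurity documentTypeSecurity = getDocumentTypeSecurity(document.getDocumentTypeName(), securitySession);
                boolean unrestricted = documentTypeSecurity == null || !documentTypeSecurity.isActive();
                if (unrestricted || checkStandardAuthorization(documentTypeSecurity, str, document, securitySession)) {
                    authorizedIds.add(document.getDocumentId());
                } else if (CollectionUtils.isNotEmpty(documentTypeSecurity.getSecurityAttributeExtensionNames())) {
                    needExtensionCheck.add(document);
                }
            } catch (Exception e) {
                // Fail closed: any failure while evaluating a document (the lookup or the standard checks)
                // leaves it out of the authorized set. The message below names only the lookup.
                LOG.warn("Not able to retrieve DocumentTypeSecurity from remote system for documentTypeName: " + document.getDocumentTypeName(), e);
            }
        }
        // Not guarded by the try above: a failing extension handler aborts the whole call.
        processDocumentRequiringExtensionProcessing(needExtensionCheck, securitySession, authorizedIds);
        return authorizedIds;
    }

    /**
     * Asks each owning application's security handler which of the given documents the session's
     * principal may see, and adds the approved ids to {@code set}.
     *
     * <p>A document whose extensions belong to several applications is authorized as soon as one of
     * the handlers returns its id.
     *
     * @param list documents that failed the standard checks but have security attribute extensions
     * @param securitySession supplies the principal id sent to the handlers
     * @param set receives the ids the handlers authorize
     */
    protected void processDocumentRequiringExtensionProcessing(List<Document> list, SecuritySession securitySession, Set<String> set) {
        if (CollectionUtils.isEmpty(list)) {
            return;
        }
        LOG.info("Beginning processing of documents requiring extension processing (total: " + list.size() + " documents)");
        long startMillis = System.currentTimeMillis();
        MultiValueMap<PartitionKey, Document> partitions = partitionDocumentsForSecurity(list, securitySession);
        MultiValueMap<String, DocumentSecurityDirective> directivesByApplication = new LinkedMultiValueMap<>();
        // Remember which ids were sent to which application so the answers can be checked against them.
        Map<String, Set<String>> submittedIdsByApplication = new HashMap<>();
        for (Map.Entry<PartitionKey, List<Document>> partition : partitions.entrySet()) {
            PartitionKey partitionKey = partition.getKey();
            List<Document> documents = partition.getValue();
            directivesByApplication.add(partitionKey.applicationId, DocumentSecurityDirective.create(partitionKey.getDocumentSecurityAttributeNameList(), documents));
            Set<String> submittedIds = submittedIdsByApplication.get(partitionKey.applicationId);
            if (submittedIds == null) {
                submittedIds = new HashSet<>();
                submittedIdsByApplication.put(partitionKey.applicationId, submittedIds);
            }
            for (Document document : documents) {
                submittedIds.add(document.getDocumentId());
            }
        }
        for (Map.Entry<String, List<DocumentSecurityDirective>> request : directivesByApplication.entrySet()) {
            String applicationId = request.getKey();
            List<String> authorizedDocumentIds = loadSecurityHandler(applicationId).getAuthorizedDocumentIds(securitySession.getPrincipalId(), request.getValue());
            if (CollectionUtils.isNotEmpty(authorizedDocumentIds)) {
                Set<String> submittedIds = submittedIdsByApplication.get(applicationId);
                for (String documentId : authorizedDocumentIds) {
                    // The handler runs in another application; accept only ids it was actually asked about
                    // so its answer cannot widen access to unrelated documents.
                    if (submittedIds.contains(documentId)) {
                        set.add(documentId);
                    } else {
                        LOG.warn("Ignoring document id " + documentId + " returned by DocumentSecurityHandlerService for applicationId: " + applicationId + " because it was not submitted for evaluation");
                    }
                }
            }
        }
        // Elapsed time is now minus start; the reverse order logged a negative duration.
        LOG.info("Finished processing of documents requiring extension processing (total time: " + (System.currentTimeMillis() - startMillis) + ")");
    }

    /**
     * Groups the documents by owning application and extension-name set.
     *
     * @param list documents whose type defines security attribute extensions
     * @param securitySession cache used to look up each document type's security definition
     * @return documents keyed by {@link PartitionKey}; a document appears once per owning application
     */
    protected MultiValueMap<PartitionKey, Document> partitionDocumentsForSecurity(List<Document> list, SecuritySession securitySession) {
        MultiValueMap<PartitionKey, Document> partitions = new LinkedMultiValueMap<>();
        for (Document document : list) {
            DocumentTypeSecurity documentTypeSecurity = getDocumentTypeSecurity(document.getDocumentTypeName(), securitySession);
            MultiValueMap<String, ExtensionDefinition> definitionsByApplication = loadExtensionDefinitions(documentTypeSecurity, securitySession);
            for (Map.Entry<String, List<ExtensionDefinition>> owned : definitionsByApplication.entrySet()) {
                partitions.add(new PartitionKey(owned.getKey(), owned.getValue()), document);
            }
        }
        return partitions;
    }

    /**
     * Resolves the security attribute extension names of a document type to their definitions.
     *
     * @param documentTypeSecurity the security definition naming the extensions
     * @param securitySession not used by this implementation
     * @return the extension definitions keyed by the application id that owns them
     * @throws WorkflowRuntimeException if a named extension cannot be found in the repository
     */
    protected MultiValueMap<String, ExtensionDefinition> loadExtensionDefinitions(DocumentTypeSecurity documentTypeSecurity, SecuritySession securitySession) {
        MultiValueMap<String, ExtensionDefinition> definitionsByApplication = new LinkedMultiValueMap<>();
        for (String extensionName : documentTypeSecurity.getSecurityAttributeExtensionNames()) {
            ExtensionDefinition definition = this.extensionRepositoryService.getExtensionByName(extensionName);
            if (definition == null) {
                // Report the misconfigured name instead of failing with a bare NullPointerException.
                throw new WorkflowRuntimeException("Failed to locate security attribute extension with name: " + extensionName);
            }
            definitionsByApplication.add(definition.getApplicationId(), definition);
        }
        return definitionsByApplication;
    }

    /**
     * Looks up the security handler service of an application.
     *
     * @param str the application id
     * @return the handler, never {@code null}
     * @throws WorkflowRuntimeException if no handler is available for the application
     */
    protected DocumentSecurityHandlerService loadSecurityHandler(String str) {
        DocumentSecurityHandlerService handler = KewFrameworkServiceLocator.getDocumentSecurityHandlerService(str);
        if (handler == null) {
            throw new WorkflowRuntimeException("Failed to locate DocumentSecurityHandlerService for applicationId: " + str);
        }
        return handler;
    }

    /**
     * Reports whether the session's principal holds the unrestricted-document-search permission.
     *
     * @param securitySession supplies the principal id
     * @return {@code false} when the session has no principal id, otherwise the permission service's answer
     */
    protected boolean isAdmin(SecuritySession securitySession) {
        String principalId = securitySession.getPrincipalId();
        if (principalId == null) {
            return false;
        }
        return KimApiServiceLocator.getPermissionService().isAuthorized(principalId, "KR-WKFLW", KewApiConstants.PermissionNames.UNRESTRICTED_DOCUMENT_SEARCH, new HashMap<String, String>());
    }

    /**
     * Runs the checks configured on the document type; the first one that passes authorizes the principal.
     *
     * <p>Order: initiator, permissions, workgroups, searchable attributes, route-log participation,
     * then locally loaded security attributes.
     *
     * @param documentTypeSecurity the security definition of the document's type
     * @param str the principal id being checked
     * @param document the document being checked
     * @param securitySession per-request cache, also the source of the principal id for permission and group checks
     * @return {@code true} if any configured check passes, {@code false} otherwise
     */
    protected boolean checkStandardAuthorization(DocumentTypeSecurity documentTypeSecurity, String str, Document document, SecuritySession securitySession) {
        String documentId = document.getDocumentId();
        String initiatorPrincipalId = document.getInitiatorPrincipalId();
        LOG.debug("auth check user=" + str + " docId=" + documentId);

        boolean isInitiator = StringUtils.equals(initiatorPrincipalId, str);
        if (Boolean.TRUE.equals(documentTypeSecurity.getInitiatorOk()) && isInitiator) {
            return true;
        }

        List<SecurityPermissionInfo> permissions = documentTypeSecurity.getPermissions();
        if (permissions != null) {
            for (SecurityPermissionInfo permission : permissions) {
                if (isAuthenticatedByPermission(documentId, permission.getPermissionNamespaceCode(), permission.getPermissionName(), permission.getPermissionDetails(), permission.getQualifications(), securitySession)) {
                    return true;
                }
            }
        }

        List<Group> workgroups = documentTypeSecurity.getWorkgroups();
        if (workgroups != null) {
            for (Group group : workgroups) {
                if (isGroupAuthenticated(group.getNamespaceCode(), group.getName(), securitySession)) {
                    return true;
                }
            }
        }

        List<KeyValue> searchableAttributes = documentTypeSecurity.getSearchableAttributes();
        if (searchableAttributes != null) {
            for (KeyValue searchableAttribute : searchableAttributes) {
                String attributeName = searchableAttribute.getKey();
                String idValue = UserUtils.getIdValue(searchableAttribute.getValue(), str);
                if (!StringUtils.isEmpty(idValue) && KEWServiceLocator.getRouteHeaderService().hasSearchableAttributeValue(documentId, attributeName, idValue)) {
                    return true;
                }
            }
        }

        // Route-log participation: the initiator, anyone who has taken an action, or anyone with a request.
        if (Boolean.TRUE.equals(documentTypeSecurity.getRouteLogAuthenticatedOk())
                && (isInitiator
                        || KEWServiceLocator.getActionTakenService().hasUserTakenAction(str, documentId)
                        || KEWServiceLocator.getActionRequestService().doesPrincipalHaveRequest(str, documentId))) {
            return true;
        }

        List<DocumentSecurityAttribute> immediateSecurityAttributes = getImmediateSecurityAttributes(document, documentTypeSecurity, securitySession);
        if (immediateSecurityAttributes != null) {
            for (DocumentSecurityAttribute securityAttribute : immediateSecurityAttributes) {
                if (securityAttribute.isAuthorizedForDocument(str, document)) {
                    return true;
                }
            }
        }

        LOG.debug("user not authorized");
        return false;
    }

    /**
     * Returns the security attributes named by class on the document type, creating and caching in the
     * session any that are not cached yet.
     *
     * <p>NOTE(review): each class name is instantiated through {@link GlobalResourceLoader}. The names
     * come from the document type's security definition, so that definition is presumably
     * administrator-controlled; confirm who can edit it.
     *
     * @param document not used by this implementation
     * @param documentTypeSecurity supplies the attribute class names
     * @param securitySession cache of already created attributes
     * @return one attribute instance per configured class name, in configuration order
     */
    protected List<DocumentSecurityAttribute> getImmediateSecurityAttributes(Document document, DocumentTypeSecurity documentTypeSecurity, SecuritySession securitySession) {
        List<DocumentSecurityAttribute> attributes = new ArrayList<>();
        for (String className : documentTypeSecurity.getSecurityAttributeClassNames()) {
            DocumentSecurityAttribute attribute = securitySession.getSecurityAttributeForClass(className);
            if (attribute == null) {
                attribute = (DocumentSecurityAttribute) GlobalResourceLoader.getObject(new ObjectDefinition(className));
                securitySession.setSecurityAttributeForClass(className, attribute);
            }
            attributes.add(attribute);
        }
        return attributes;
    }

    /**
     * Returns the security definition of a document type, consulting the session cache first.
     *
     * @param str the document type name
     * @param securitySession cache of definitions keyed by document type name
     * @return the definition, or {@code null} when the type is unknown or defines none
     */
    protected DocumentTypeSecurity getDocumentTypeSecurity(String str, SecuritySession securitySession) {
        DocumentTypeSecurity documentTypeSecurity = securitySession.getDocumentTypeSecurity().get(str);
        if (documentTypeSecurity != null) {
            return documentTypeSecurity;
        }
        DocumentType documentType = KEWServiceLocator.getDocumentTypeService().findByName(str);
        if (documentType != null) {
            documentTypeSecurity = documentType.getDocumentTypeSecurity();
            securitySession.getDocumentTypeSecurity().put(str, documentTypeSecurity);
        }
        return documentTypeSecurity;
    }

    /**
     * Reports whether the session's principal belongs to the named group, caching the answer in the session.
     *
     * <p>NOTE(review): the cache key is built from the trimmed namespace and name, but the membership
     * lookup compares the untrimmed values. A configured name with surrounding whitespace therefore
     * never matches. Left as is because changing it could alter who is authorized; confirm intent.
     *
     * @param str the group namespace code
     * @param str2 the group name
     * @param securitySession supplies the principal id and the per-session membership cache
     * @return {@code true} if the principal is a member of the group
     */
    protected boolean isGroupAuthenticated(String str, String str2, SecuritySession securitySession) {
        String cacheKey = str.trim() + ":" + str2.trim();
        Boolean cached = securitySession.getAuthenticatedWorkgroups().get(cacheKey);
        if (cached != null) {
            return cached.booleanValue();
        }
        boolean member = isMemberOfGroupWithName(str, str2, securitySession.getPrincipalId());
        securitySession.getAuthenticatedWorkgroups().put(cacheKey, Boolean.valueOf(member));
        return member;
    }

    /** Scans the principal's groups for one with the given namespace code and name. */
    private boolean isMemberOfGroupWithName(String str, String str2, String str3) {
        for (Group group : KimApiServiceLocator.getGroupService().getGroupsByPrincipalId(str3)) {
            boolean sameNamespace = StringUtils.equals(str, group.getNamespaceCode());
            if (sameNamespace && StringUtils.equals(str2, group.getName())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks a configured permission for the session's principal after substituting
     * {@code ${document.<field>}} placeholders in the qualification values with values of the document.
     *
     * <p>The substitution is done on a copy. Writing the resolved values back into the supplied map,
     * which is handed in from the document type's security definition, would replace the placeholders
     * with the first document's values, so later documents would be checked against the wrong
     * qualifiers.
     *
     * <p>NOTE(review): {@code map} (permission details) is only used for its keys, and each key is looked
     * up in the qualifications. A detail key with no matching qualification yields a {@code null} value,
     * which makes the substitution throw and the check deny. That fail-closed outcome is preserved here;
     * confirm whether the details were meant to be resolved and passed on separately.
     *
     * @param str the document id
     * @param str2 the permission namespace code
     * @param str3 the permission name
     * @param map the permission details
     * @param map2 the qualification, possibly containing placeholders; not modified
     * @param securitySession supplies the principal id
     * @return the permission service's answer, or {@code false} if anything fails along the way
     */
    protected boolean isAuthenticatedByPermission(String str, String str2, String str3, Map<String, String> map, Map<String, String> map2, SecuritySession securitySession) {
        try {
            Document document = KewApiServiceLocator.getWorkflowDocumentService().getDocument(str);
            Map<String, String> resolvedQualification = new HashMap<>(map2);
            for (Map.Entry<String, String> qualifier : map2.entrySet()) {
                resolvedQualification.put(qualifier.getKey(), getReplacementString(document, qualifier.getValue()));
            }
            for (String detailKey : map.keySet()) {
                resolvedQualification.put(detailKey, getReplacementString(document, resolvedQualification.get(detailKey)));
            }
            return KimApiServiceLocator.getPermissionService().isAuthorized(securitySession.getPrincipalId(), str2, str3, resolvedQualification);
        } catch (Exception e) {
            // Fail closed: a lookup or substitution failure never grants access.
            LOG.error(e.getMessage(), e);
            return false;
        }
    }

    /**
     * Resolves a value that starts with a {@code ${document.<field>}} placeholder to that field's value;
     * any other value is returned unchanged. Text after the closing brace is discarded.
     *
     * @throws RuntimeException if the placeholder has no closing brace
     * @throws NullPointerException if {@code str} is {@code null}
     */
    private String getReplacementString(Document document, String str) throws Exception {
        if (!str.startsWith(DOCUMENT_TOKEN_PREFIX)) {
            return str;
        }
        // The value starts with the prefix, so the field name begins right after it.
        int nameStart = DOCUMENT_TOKEN_PREFIX.length();
        int nameEnd = str.indexOf("}", nameStart);
        if (nameEnd == -1) {
            throw new RuntimeException("No ending bracket on token in value " + str);
        }
        return getRouteHeaderVariableValue(document, str.substring(nameStart, nameEnd));
    }

    /**
     * Reads the named field of the document by reflection and renders it as a string: strings as is,
     * booleans as {@code "Y"}/{@code "N"}, calendars through the date-time service, anything else through
     * {@link String#valueOf(Object)}.
     *
     * <p>NOTE(review): {@code setAccessible(true)} lets the placeholder name read any field declared on
     * the document's runtime class, so placeholder text must only ever come from trusted configuration.
     *
     * @return the rendered value, or {@code null} if the class declares no such field
     */
    private String getRouteHeaderVariableValue(Document document, String str) throws Exception {
        try {
            Field field = document.getClass().getDeclaredField(str);
            field.setAccessible(true);
            Object value = field.get(document);
            Class<?> type = field.getType();
            String typeName = type.getName();
            if (type.equals(String.class)) {
                return (String) value;
            }
            if (typeName.equals("boolean") || typeName.equals("java.lang.Boolean")) {
                return ((Boolean) value).booleanValue() ? "Y" : "N";
            }
            if (typeName.equals(Helper.CALENDAR)) {
                DateTimeService dateTimeService = (DateTimeService) GlobalResourceLoader.getService(CoreConstants.Services.DATETIME_SERVICE);
                return dateTimeService.toDateString(((Calendar) value).getTime());
            }
            return String.valueOf(value);
        } catch (NoSuchFieldException e) {
            LOG.error("Field '" + str + "' not found on Document object.", e);
            return null;
        }
    }

    /** Returns the repository used to resolve security attribute extension names. */
    public ExtensionRepositoryService getExtensionRepositoryService() {
        return this.extensionRepositoryService;
    }

    /** Sets the repository used to resolve security attribute extension names. */
    public void setExtensionRepositoryService(ExtensionRepositoryService extensionRepositoryService) {
        this.extensionRepositoryService = extensionRepositoryService;
    }
}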
