package org.jbpm.process.instance.impl.humantask;

import java.util.Collection;
import java.util.HashSet;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.Stream;
import org.kie.kogito.auth.IdentityProvider;
import org.kie.kogito.auth.SecurityPolicy;
import org.kie.kogito.process.workitem.Attachment;
import org.kie.kogito.process.workitem.Comment;
import org.kie.kogito.process.workitem.HumanTaskWorkItem;
import org.kie.kogito.process.workitem.NotAuthorizedException;
import org.kie.kogito.process.workitem.Policy;
import org.kie.kogito.process.workitems.impl.KogitoWorkItemImpl;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/jbpm-flow-1.44.1-SNAPSHOT.jar:org/jbpm/process/instance/impl/humantask/HumanTaskWorkItemImpl.class */
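/**
 * Work item for a human task: carries the task metadata (name, description, priority,
 * reference name), the assignment sets (actual owner, potential users/groups, excluded
 * users, admin users/groups), comments and attachments, and the authorization check
 * used by {@link #enforce(Policy[])}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>{@link #enforce(Policy[])} only runs the identity-based check when a
 *       {@link SecurityPolicy} is passed; without one it falls back to an
 *       "unassigned task" test that does not look at potential groups.</li>
 *   <li>{@link #enforceAuthorization(IdentityProvider)} performs no check at all when the
 *       identity provider is {@code null}.</li>
 *   <li>{@code adminGroups} is stored and exposed but is not consulted by any check in
 *       this class; only {@code adminUsers} is.</li>
 *   <li>The assignment getters return the internal mutable sets, so any holder of those
 *       references can change who is authorized.</li>
 * </ul>
 */
public class HumanTaskWorkItemImpl extends KogitoWorkItemImpl implements HumanTaskWorkItem {
    private static final long serialVersionUID = 6168927742199190604L;
    private static final Logger logger = LoggerFactory.getLogger(HumanTaskWorkItemImpl.class);
    private String taskName;
    private String taskDescription;
    private String taskPriority;
    private String referenceName;
    private String actualOwner;
    // Assignment sets read by the authorization checks below.
    private Set<String> potentialUsers = new HashSet<>();
    private Set<String> potentialGroups = new HashSet<>();
    private Set<String> excludedUsers = new HashSet<>();
    private Set<String> adminUsers = new HashSet<>();
    // NOTE(review): never read by enforceAuthorization/checkAssignedOwners in this class.
    private Set<String> adminGroups = new HashSet<>();
    private Map<Object, Comment> comments = new ConcurrentHashMap<>();
    private Map<Object, Attachment> attachments = new ConcurrentHashMap<>();

    /** @return the task name, or {@code null} if none was set */
    @Override
    public String getTaskName() {
        return this.taskName;
    }

    /** @param str the task name to store */
    public void setTaskName(String str) {
        this.taskName = str;
    }

    /** @return the task description, or {@code null} if none was set */
    @Override
    public String getTaskDescription() {
        return this.taskDescription;
    }

    /** @param str the task description to store */
    public void setTaskDescription(String str) {
        this.taskDescription = str;
    }

    /** @return the task priority, or {@code null} if none was set */
    @Override
    public String getTaskPriority() {
        return this.taskPriority;
    }

    /** @param str the task priority to store */
    public void setTaskPriority(String str) {
        this.taskPriority = str;
    }

    /** @return the reference name, or {@code null} if none was set */
    @Override
    public String getReferenceName() {
        return this.referenceName;
    }

    /** @param str the reference name to store */
    public void setReferenceName(String str) {
        this.referenceName = str;
    }

    /** @return the user currently owning the task, or {@code null} if unassigned */
    @Override
    public String getActualOwner() {
        return this.actualOwner;
    }

    /** @param str the user to record as actual owner; no authorization check is made here */
    public void setActualOwner(String str) {
        this.actualOwner = str;
    }

    /** @return the live (not copied) set of potential users */
    @Override
    public Set<String> getPotentialUsers() {
        return this.potentialUsers;
    }

    /**
     * @param set the new potential-user set, stored by reference; passing {@code null}
     *            makes the later authorization checks throw {@link NullPointerException}
     */
    public void setPotentialUsers(Set<String> set) {
        this.potentialUsers = set;
    }

    /** @return the live (not copied) set of potential groups */
    @Override
    public Set<String> getPotentialGroups() {
        return this.potentialGroups;
    }

    /**
     * @param set the new potential-group set, stored by reference; passing {@code null}
     *            makes the later authorization checks throw {@link NullPointerException}
     */
    public void setPotentialGroups(Set<String> set) {
        this.potentialGroups = set;
    }

    /** @return the live (not copied) set of excluded users */
    @Override
    public Set<String> getExcludedUsers() {
        return this.excludedUsers;
    }

    /**
     * @param set the new excluded-user set, stored by reference; passing {@code null}
     *            makes the later authorization checks throw {@link NullPointerException}
     */
    public void setExcludedUsers(Set<String> set) {
        this.excludedUsers = set;
    }

    /** @return the live (not copied) set of admin users */
    @Override
    public Set<String> getAdminUsers() {
        return this.adminUsers;
    }

    /** @param set the new admin-user set, stored by reference; may be {@code null} */
    public void setAdminUsers(Set<String> set) {
        this.adminUsers = set;
    }

    /** @return the live (not copied) set of admin groups */
    @Override
    public Set<String> getAdminGroups() {
        return this.adminGroups;
    }

    /** @param set the new admin-group set, stored by reference */
    public void setAdminGroups(Set<String> set) {
        this.adminGroups = set;
    }

    /**
     * Decides whether the caller may act on this work item (overrides the
     * {@code KogitoWorkItem} contract).
     *
     * <p>The first {@link SecurityPolicy} found in {@code policyArr} decides the outcome:
     * its identity is passed to {@link #enforceAuthorization(IdentityProvider)} and the
     * result is {@code false} only if that call throws {@link NotAuthorizedException}.
     * Later policies are not examined.
     *
     * <p>When no {@link SecurityPolicy} is supplied, access is granted only if the task has
     * no actual owner (null or blank) and no potential users.
     *
     * @param policyArr policies supplied by the caller
     * @return {@code true} if access is allowed, {@code false} otherwise
     */
    @Override
    public boolean enforce(Policy<?>... policyArr) {
        for (Policy<?> policy : policyArr) {
            if (!(policy instanceof SecurityPolicy)) {
                continue;
            }
            try {
                enforceAuthorization(((SecurityPolicy) policy).value());
            } catch (NotAuthorizedException e) {
                return false;
            }
            return true;
        }
        // NOTE(review): this fallback ignores potentialGroups and excludedUsers, so an
        // unowned task restricted only by group is reported as allowed when the caller
        // passes no SecurityPolicy. Callers should always supply one.
        String owner = getActualOwner();
        boolean unowned = owner == null || owner.trim().isEmpty();
        return unowned && getPotentialUsers().isEmpty();
    }

    /**
     * Checks the requesting identity against the task's owner and assignment sets.
     *
     * <p>If the task has an actual owner, the requester must be that owner or be listed in
     * {@code adminUsers}; otherwise {@link NotAuthorizedException} is thrown. A requester
     * that passes this test (or any requester when the task is unowned) is then checked by
     * {@link #checkAssignedOwners(String, Collection)}, so an admin user is still subject
     * to the exclusion and potential-owner rules.
     *
     * @param identityProvider identity of the requester; when {@code null} no check is made
     * @throws NotAuthorizedException if the requester is not allowed to access this task
     */
    protected void enforceAuthorization(IdentityProvider identityProvider) {
        if (identityProvider == null) {
            // NOTE(review): fail-open. A SecurityPolicy carrying no identity is treated as
            // authorized; whether that can happen depends on how callers build the policy.
            return;
        }
        logger.debug("Identity information provided, enforcing security restrictions, user '{}' with roles '{}'", identityProvider.getName(), identityProvider.getRoles());
        String name = identityProvider.getName();
        String owner = getActualOwner();
        boolean unowned = owner == null || owner.trim().isEmpty();
        // Objects.equals keeps a null requester name from raising NullPointerException on an
        // owned task; such a requester is rejected below instead.
        boolean ownerOrAdmin = Objects.equals(name, owner) || (getAdminUsers() != null && getAdminUsers().contains(name));
        if (!unowned && !ownerOrAdmin) {
            logger.debug("Work item {} has already owner assigned so requesting user must match - owner '{}' == requestor '{}'", getStringId(), owner, name);
            throw new NotAuthorizedException("User " + name + " is not authorized to access task instance with id " + getStringId());
        }
        checkAssignedOwners(name, identityProvider.getRoles());
    }

    /**
     * Applies the exclusion and potential-owner rules to a requester.
     *
     * <p>Order of evaluation: an excluded user is always rejected; a task with neither
     * potential users nor potential groups accepts anyone; a listed potential user is
     * accepted; otherwise at least one potential group must appear in {@code collection}.
     *
     * @param str        name of the requesting user
     * @param collection roles/groups of the requesting user; only dereferenced on the
     *                   group-matching path, where {@code null} raises
     *                   {@link NullPointerException}
     * @throws NotAuthorizedException if the user is excluded or matches no potential owner
     */
    protected void checkAssignedOwners(String str, Collection<String> collection) {
        if (getExcludedUsers().contains(str)) {
            logger.debug("Requesting user '{}' is excluded from the potential workers on work item {}", str, getStringId());
            throw new NotAuthorizedException("User " + str + " is not authorized to access task instance with id " + getStringId());
        }
        boolean unrestricted = getPotentialUsers().isEmpty() && getPotentialGroups().isEmpty();
        if (unrestricted || getPotentialUsers().contains(str)) {
            return;
        }
        // The decompiled listing referenced an undefined name in this lambda; the bound
        // method reference restores the membership test against the requester's roles
        // (and its implicit null check on the collection).
        if (getPotentialGroups().stream().noneMatch(collection::contains)) {
            throw new NotAuthorizedException("User " + str + " is not authorized to access task instance with id " + getStringId());
        }
    }

    /** @return the live map of attachments keyed by attachment id */
    @Override
    public Map<Object, Attachment> getAttachments() {
        return this.attachments;
    }

    /** @return the live map of comments keyed by comment id */
    @Override
    public Map<Object, Comment> getComments() {
        return this.comments;
    }
}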
