package org.jbpm.casemgmt.impl;

import java.io.IOException;
import java.io.InputStream;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.stream.Stream;
import org.jbpm.casemgmt.api.auth.AuthorizationManager;
import org.jbpm.casemgmt.api.model.instance.CaseFileInstance;
import org.jbpm.casemgmt.api.model.instance.CommentInstance;
import org.jbpm.casemgmt.impl.model.instance.CaseFileInstanceImpl;
import org.jbpm.casemgmt.impl.model.instance.CommentInstanceImpl;
import org.jbpm.shared.services.impl.TransactionalCommandService;
import org.jbpm.shared.services.impl.commands.QueryNameCommand;
import org.kie.internal.identity.IdentityProvider;
import org.kie.server.api.rest.RestURI;
import org.kie.server.services.taskassigning.planning.data.AbstractStringListValueAttributeMapValueExtractor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/jbpm-case-mgmt-impl-7.43.1.Final.jar:org/jbpm/casemgmt/impl/AuthorizationManagerImpl.class */
public class AuthorizationManagerImpl implements AuthorizationManager {
    private static final Logger logger = LoggerFactory.getLogger((Class<?>) AuthorizationManagerImpl.class);
    private static final String NO_ACCESS_MSG = "User {0} is not authorized to access case {1}";
    private static final String NO_AUTH_OPER_MSG = "User {0} is not authorized to {1} on case {2}";
    private static final String NO_AUTH_TO_DATA = "User {0} does not have access to data item named {1} in case {2}";
    private static final String NO_AUTH_TO_COMMENT = "User {0} does not have access to comment {1} in case {2}";
    private IdentityProvider identityProvider;
    private TransactionalCommandService commandService;
    private boolean enabled = Boolean.parseBoolean(System.getProperty("org.jbpm.cases.auth.enabled", "true"));
    private Map<AuthorizationManager.ProtectedOperation, List<String>> operationAuthorization = new HashMap();

    public AuthorizationManagerImpl(IdentityProvider identityProvider, TransactionalCommandService transactionalCommandService) {
        this.identityProvider = identityProvider;
        this.commandService = transactionalCommandService;
        buildAuthorizationConfig();
    }

    @Override // org.jbpm.casemgmt.api.auth.AuthorizationManager
    public void checkAuthorization(String str) throws SecurityException {
        if (isEnabled()) {
            if (loggedInAsSystemUser()) {
                logger.debug("Logged in as system user 'unknown'. Skipping authorization check.");
                return;
            }
            logger.debug("Checking authorization to case {} for user {}", str, this.identityProvider.getName());
            HashMap hashMap = new HashMap();
            hashMap.put(RestURI.CASE_ID, str);
            verifyAuthorization(str, (List) this.commandService.execute(new QueryNameCommand("getAuthorizationToCaseInstance", hashMap)), MessageFormat.format(NO_ACCESS_MSG, this.identityProvider.getName(), str));
        }
    }

    @Override // org.jbpm.casemgmt.api.auth.AuthorizationManager
    public void checkOperationAuthorization(String str, AuthorizationManager.ProtectedOperation protectedOperation) throws SecurityException {
        if (loggedInAsSystemUser()) {
            logger.debug("Logged in as system user 'unknown'. Skipping operation authorization check.");
            return;
        }
        List<String> list = this.operationAuthorization.get(protectedOperation);
        if (list == null || list.isEmpty()) {
            logger.debug("No restrictions defined for operation {}", protectedOperation);
            checkAuthorization(str);
        } else {
            HashMap hashMap = new HashMap();
            hashMap.put(RestURI.CASE_ID, str);
            hashMap.put("roles", list);
            verifyAuthorization(str, (List) this.commandService.execute(new QueryNameCommand("getAuthorizationToCaseInstanceByRole", hashMap)), MessageFormat.format(NO_AUTH_OPER_MSG, this.identityProvider.getName(), protectedOperation, str));
        }
    }

    public boolean isEnabled() {
        return this.enabled;
    }

    public void setEnabled(boolean z) {
        this.enabled = z;
    }

    protected void buildAuthorizationConfig() {
        Properties properties = new Properties();
        InputStream resourceAsStream = getClass().getResourceAsStream("/case-authorization.properties");
        if (resourceAsStream != null) {
            try {
                properties.load(resourceAsStream);
            } catch (IOException e) {
                logger.error("Error loading case autorization config from file due to {}", e.getMessage(), e);
            }
        }
        Stream.of((Object[]) AuthorizationManager.ProtectedOperation.values()).forEach(protectedOperation -> {
            ArrayList arrayList = new ArrayList();
            String property = properties.getProperty(protectedOperation.toString());
            if (property != null) {
                arrayList.addAll(Arrays.asList(property.split(AbstractStringListValueAttributeMapValueExtractor.COMMA_SEPARATOR)));
            }
            this.operationAuthorization.put(protectedOperation, arrayList);
        });
    }

    protected void verifyAuthorization(String str, List<String> list, String str2) {
        logger.debug("Case {} authorization set is {}", str, list);
        if (list.isEmpty()) {
            logger.debug("Not access restrictions defined for case {}", str);
            return;
        }
        List<String> collectUserAuthInfo = collectUserAuthInfo();
        logger.debug("Caller authorization set is {}", collectUserAuthInfo);
        if (collectUserAuthInfo.stream().anyMatch(str3 -> {
            return list.contains(str3);
        })) {
            logger.debug("User {} authorized to access case {}", this.identityProvider.getName(), str);
        } else {
            logger.debug("User {} not authorized to access case {}", this.identityProvider.getName(), str);
            throw new SecurityException(str2);
        }
    }

    protected List<String> collectUserAuthInfo() {
        ArrayList arrayList = new ArrayList();
        arrayList.add(this.identityProvider.getName());
        arrayList.addAll(this.identityProvider.getRoles());
        arrayList.add("_public_");
        return arrayList;
    }

    @Override // org.jbpm.casemgmt.api.auth.AuthorizationManager
    public Map<String, Object> filterByDataAuthorization(String str, CaseFileInstance caseFileInstance, Map<String, Object> map) {
        if (loggedInAsSystemUser()) {
            logger.debug("Logged in as system user 'unknown'. Returning all data.");
            return map;
        }
        if (map == null || map.isEmpty()) {
            logger.debug("No data to be filtered");
            return map;
        }
        Map<String, List<String>> accessRestrictions = ((CaseFileInstanceImpl) caseFileInstance).getAccessRestrictions();
        if (accessRestrictions == null || accessRestrictions.isEmpty()) {
            logger.debug("Case {} does not define any data restrictions returning unfiltered map", str);
            return map;
        }
        List<String> collectUserAuthInfo = collectUserAuthInfo();
        logger.debug("Caller authorization set is {}", collectUserAuthInfo);
        List<String> callerRoles = getCallerRoles(caseFileInstance, collectUserAuthInfo);
        logger.debug("Caller case role set is {}", callerRoles);
        HashMap hashMap = new HashMap(map);
        for (Map.Entry<String, List<String>> entry : accessRestrictions.entrySet()) {
            List<String> value = entry.getValue();
            if (value.isEmpty() || value.stream().anyMatch(str2 -> {
                return callerRoles.contains(str2);
            })) {
                logger.debug("Caller {} has access to data item named {}", this.identityProvider.getName(), entry.getKey());
            } else {
                logger.debug("Caller {} does not have access to data item named {}, required roles are {} and caller has {}", this.identityProvider.getName(), entry.getKey(), value, callerRoles);
                hashMap.remove(entry.getKey());
            }
        }
        return hashMap;
    }

    @Override // org.jbpm.casemgmt.api.auth.AuthorizationManager
    public void checkDataAuthorization(String str, CaseFileInstance caseFileInstance, Collection<String> collection) {
        if (loggedInAsSystemUser()) {
            logger.debug("Logged in as system user 'unknown'. Skipping data authorization check.");
            return;
        }
        if (collection == null || collection.isEmpty()) {
            logger.debug("No data to be checked");
            return;
        }
        Map<String, List<String>> accessRestrictions = ((CaseFileInstanceImpl) caseFileInstance).getAccessRestrictions();
        if (accessRestrictions == null || accessRestrictions.isEmpty()) {
            logger.debug("Case {} does not define any data restrictions", str);
            return;
        }
        List<String> collectUserAuthInfo = collectUserAuthInfo();
        logger.debug("Caller {} authorization set is {}", this.identityProvider.getName(), collectUserAuthInfo);
        List<String> callerRoles = getCallerRoles(caseFileInstance, collectUserAuthInfo);
        logger.debug("Caller {} case role set is {}", this.identityProvider.getName(), callerRoles);
        for (Map.Entry<String, List<String>> entry : accessRestrictions.entrySet()) {
            if (collection.contains(entry.getKey())) {
                List<String> value = entry.getValue();
                if (!value.isEmpty() && !value.stream().anyMatch(str2 -> {
                    return callerRoles.contains(str2);
                })) {
                    logger.warn("User {} does not have access to data item {} in case {}, required roles are {} and user has {}", this.identityProvider.getName(), entry.getKey(), str, value, callerRoles);
                    throw new SecurityException(MessageFormat.format(NO_AUTH_TO_DATA, this.identityProvider.getName(), entry.getKey(), str, value, callerRoles));
                }
                logger.debug("Caller has access to data item named {}", entry.getKey());
            }
        }
    }

    @Override // org.jbpm.casemgmt.api.auth.AuthorizationManager
    public List<CommentInstance> filterByCommentAuthorization(String str, CaseFileInstance caseFileInstance, List<CommentInstance> list) {
        if (loggedInAsSystemUser()) {
            logger.debug("Logged in as system user 'unknown'. Returning all comments.");
            return list;
        }
        if (list == null || list.isEmpty()) {
            logger.debug("No comments to be filtered");
            return list;
        }
        List<String> collectUserAuthInfo = collectUserAuthInfo();
        logger.debug("Caller {} authorization set is {}", this.identityProvider.getName(), collectUserAuthInfo);
        List<String> callerRoles = getCallerRoles(caseFileInstance, collectUserAuthInfo);
        logger.debug("Caller {} case role set is {}", this.identityProvider.getName(), callerRoles);
        ArrayList arrayList = new ArrayList(list);
        Iterator<CommentInstance> it = list.iterator();
        while (it.hasNext()) {
            CommentInstanceImpl commentInstanceImpl = (CommentInstanceImpl) it.next();
            List<String> restrictedTo = commentInstanceImpl.getRestrictedTo();
            if (restrictedTo != null && !restrictedTo.isEmpty()) {
                if (restrictedTo.isEmpty() || restrictedTo.stream().anyMatch(str2 -> {
                    return callerRoles.contains(str2);
                })) {
                    logger.debug("Caller {} has access to comment {}", this.identityProvider.getName(), commentInstanceImpl.getId());
                } else {
                    logger.debug("Caller {} does not have access to comment {}", this.identityProvider.getName(), commentInstanceImpl.getId());
                    arrayList.remove(commentInstanceImpl);
                }
            }
        }
        return arrayList;
    }

    @Override // org.jbpm.casemgmt.api.auth.AuthorizationManager
    public void checkCommentAuthorization(String str, CaseFileInstance caseFileInstance, CommentInstance commentInstance) {
        if (loggedInAsSystemUser()) {
            logger.debug("Logged in as system user 'unknown'. Skipping comment authorization check.");
            return;
        }
        CommentInstanceImpl commentInstanceImpl = (CommentInstanceImpl) commentInstance;
        if (commentInstanceImpl.getRestrictedTo() == null || commentInstanceImpl.getRestrictedTo().isEmpty()) {
            return;
        }
        List<String> collectUserAuthInfo = collectUserAuthInfo();
        logger.debug("Caller {} authorization set is {}", this.identityProvider.getName(), collectUserAuthInfo);
        List<String> callerRoles = getCallerRoles(caseFileInstance, collectUserAuthInfo);
        logger.debug("Caller {} case role set is {}", this.identityProvider.getName(), callerRoles);
        List<String> restrictedTo = commentInstanceImpl.getRestrictedTo();
        if (restrictedTo.isEmpty() || restrictedTo.stream().anyMatch(str2 -> {
            return callerRoles.contains(str2);
        })) {
            logger.debug("Caller has access to comment {}", commentInstanceImpl.getId());
        } else {
            logger.warn("User {} does not have access to comment {} in case {}, required roles are {} and user has {}", this.identityProvider.getName(), commentInstanceImpl.getId(), str, restrictedTo, callerRoles);
            throw new SecurityException(MessageFormat.format(NO_AUTH_TO_COMMENT, this.identityProvider.getName(), commentInstanceImpl.getId(), str));
        }
    }

    protected List<String> getCallerRoles(CaseFileInstance caseFileInstance, List<String> list) {
        List<String> rolesForOrgEntities = ((CaseFileInstanceImpl) caseFileInstance).getRolesForOrgEntities(list);
        rolesForOrgEntities.add("_public_");
        return rolesForOrgEntities;
    }

    protected boolean loggedInAsSystemUser() {
        return "unknown".equals(this.identityProvider.getName());
    }
}
