package no.lyse.alfresco.workflow.interceptor;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import no.lyse.alfresco.repo.model.LyseProjectModel;
import no.lyse.alfresco.repo.model.LyseWorkflowModel;
import org.alfresco.model.ContentModel;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.permissions.AccessDeniedException;
import org.alfresco.repo.workflow.WorkflowModel;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.AuthorityService;
import org.alfresco.service.cmr.security.PermissionService;
import org.alfresco.service.cmr.security.PersonService;
import org.alfresco.service.cmr.site.SiteInfo;
import org.alfresco.service.cmr.site.SiteService;
import org.alfresco.service.cmr.workflow.WorkflowService;
import org.alfresco.service.cmr.workflow.WorkflowTask;
import org.alfresco.service.namespace.QName;
import org.aopalliance.intercept.MethodInterceptor;
import org.aopalliance.intercept.MethodInvocation;
import org.apache.log4j.Logger;

/* loaded from: input_file:no/lyse/alfresco/workflow/interceptor/LyseWorkflowPermissionInterceptor.class */
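/**
 * Method interceptor that applies task-level access checks to intercepted calls, keyed on
 * the invoked method's name (presumably it is wired around the workflow service; the wiring
 * is not part of this file).
 *
 * <p>Callers that are an admin authority, or that already run as the System user, bypass all
 * checks. Every other call is executed inside {@code AuthenticationUtil.runAsSystem}, so the
 * checks below are the only access control this class applies before the target method runs
 * with System authority.
 *
 * <p>Review notes:
 * <ul>
 *   <li>Methods that are not named in {@link #checkAndProceed} proceed under the System
 *       identity without any check from this class. NOTE(review): confirm that every such
 *       method is safe to expose to ordinary users, or is protected elsewhere.</li>
 *   <li>{@link #hasDatalistItemReadPermission} and {@link #isInitiatorOrAssignee} allow access
 *       when the task cannot be found (fail-open). This is kept for compatibility and marked
 *       at each site.</li>
 *   <li>This listing is decompiler output. Two {@code try/finally} blocks were recovered with
 *       an empty {@code finally}; their original exception handling is unknown and has been
 *       reconstructed conservatively (see {@link #proceedPreservingExceptions}).</li>
 * </ul>
 */
public class LyseWorkflowPermissionInterceptor implements MethodInterceptor {
    private static final Logger LOG = Logger.getLogger(LyseWorkflowPermissionInterceptor.class);
    private PersonService personService;
    private AuthorityService authorityService;
    private WorkflowService workflowService;
    private NodeService nodeService;
    private PermissionService permissionService;
    private SiteService siteService;

    /**
     * Intercepts a call and either lets it through unchanged (admin / System) or runs it as
     * System after the per-method checks in {@link #checkAndProceed}.
     *
     * @param methodInvocation the intercepted call
     * @return whatever the target method (or the filtered task list) returns
     * @throws Throwable anything thrown by the target method or by the access checks
     */
    @Override
    public Object invoke(final MethodInvocation methodInvocation) throws Throwable {
        final String fullyAuthenticatedUser = AuthenticationUtil.getFullyAuthenticatedUser();
        if (LOG.isTraceEnabled()) {
            LOG.trace("Invoke " + methodInvocation + ", user=" + fullyAuthenticatedUser);
        }
        // A missing user is never treated as privileged: it takes the checked path below.
        final boolean privileged = fullyAuthenticatedUser != null
                && (this.authorityService.isAdminAuthority(fullyAuthenticatedUser)
                        || AuthenticationUtil.isRunAsUserTheSystemUser());
        if (privileged) {
            return methodInvocation.proceed();
        }
        return AuthenticationUtil.runAsSystem(new AuthenticationUtil.RunAsWork<Object>() {
            @Override
            public Object doWork() throws Exception {
                return checkAndProceed(methodInvocation, fullyAuthenticatedUser);
            }
        });
    }

    /**
     * Applies the check that belongs to the invoked method name and then proceeds.
     * Matching is by method name only, so every overload with that name is covered; the
     * single-task branches assume the first argument is the task id string.
     *
     * @param methodInvocation the intercepted call
     * @param fullyAuthenticatedUser the real (not run-as) user, may be {@code null}
     * @return the target method's result, or the filtered list for list-returning methods
     * @throws Exception on denied access or when the target method fails
     */
    private Object checkAndProceed(MethodInvocation methodInvocation, String fullyAuthenticatedUser) throws Exception {
        String name = methodInvocation.getMethod().getName();

        // Single-task reads: require Read permission on the related datalist item.
        if (name.equals("getTaskById") || name.equals("getStartTask")) {
            String taskId = (String) methodInvocation.getArguments()[0];
            if (!hasDatalistItemReadPermission(taskId)) {
                throw new AccessDeniedException("Accessing task with id='" + taskId + "' is not allowed for user '" + AuthenticationUtil.getFullyAuthenticatedUser() + "'");
            }
            return proceedPreservingExceptions(methodInvocation);
        }

        // Task writes: caller must be owner/assignee, or share the owner's site base group.
        if (name.equals("updateTask") || name.equals("endTask")) {
            String taskId = (String) methodInvocation.getArguments()[0];
            WorkflowTask task = this.workflowService.getTaskById(taskId);
            if (!isInitiatorOrAssignee(task, fullyAuthenticatedUser) && !isSameBaseGroupAsCurrentUser(task, fullyAuthenticatedUser)) {
                throw new AccessDeniedException("Accessing task with id='" + taskId + "' is not allowed for user '" + fullyAuthenticatedUser + "'");
            }
            return proceedLoggingFailures(methodInvocation, "An unhandled error occurred, please inform the system development team.");
        }

        // NOTE(review): every other method runs as System with no check applied here.
        if (!name.equals("getTasksForWorkflowPath") && !name.equals("getStartTasks") && !name.equals("queryTasks")) {
            return proceedLoggingFailures(methodInvocation, "an error occured");
        }

        // List-returning methods: run the query as System, then drop tasks the user may not read.
        @SuppressWarnings("unchecked")
        List<WorkflowTask> tasks = (List<WorkflowTask>) proceedPreservingExceptions(methodInvocation);
        if (tasks == null) {
            return null;
        }
        List<WorkflowTask> visible = new ArrayList<WorkflowTask>(tasks.size());
        for (WorkflowTask task : tasks) {
            if (hasDatalistItemReadPermission(task.getId())) {
                visible.add(task);
            }
        }
        return visible;
    }

    /**
     * Proceeds with the call, letting checked and unchecked exceptions through unchanged so
     * that an access-denied error from the target stays recognisable to the caller.
     *
     * <p>NOTE(review): the decompiled listing shows only an empty {@code finally} at the two
     * call sites that use this helper, so the original handler is unknown. Confirm against the
     * original source.
     */
    private static Object proceedPreservingExceptions(MethodInvocation methodInvocation) throws Exception {
        try {
            return methodInvocation.proceed();
        } catch (Exception e) {
            throw e;
        } catch (Throwable t) {
            throw new Exception(t);
        }
    }

    /** Proceeds with the call; any failure is logged with {@code logMessage} and wrapped in an {@link Exception}. */
    private static Object proceedLoggingFailures(MethodInvocation methodInvocation, String logMessage) throws Exception {
        try {
            return methodInvocation.proceed();
        } catch (Throwable failure) {
            LOG.error(logMessage, failure);
            throw new Exception(failure);
        }
    }

    /**
     * Tells whether the given user and the task owner belong to the same base group of the
     * site that holds the task's related datalist item.
     *
     * @param workflowTask the task being accessed, may be {@code null}
     * @param userName the user requesting access
     * @return {@code true} only when the task has an existing related item inside a site, the
     *         user is in one of the site's company-rep / contractor-rep / contractor-tech
     *         groups, and the owner is in the matching base group
     */
    /* JADX INFO: Access modifiers changed from: private */
    public boolean isSameBaseGroupAsCurrentUser(WorkflowTask workflowTask, final String userName) {
        if (workflowTask == null) {
            return false;
        }
        Map<QName, ?> properties = workflowTask.getProperties();
        // NOTE(review): owner may be null for an unowned task; the lookup below is then made
        // with a null user name. Confirm how the authority service handles that.
        final String owner = (String) properties.get(ContentModel.PROP_OWNER);
        NodeRef relatedItem = (NodeRef) properties.get(LyseWorkflowModel.ASSOC_RELATED_DATALIST_ITEM);
        if (relatedItem == null || !this.nodeService.exists(relatedItem)) {
            return false;
        }
        SiteInfo site = this.siteService.getSite(relatedItem);
        if (site == null) {
            return false;
        }

        String siteGroupPrefix = "GROUP_site_" + site.getShortName() + "_";
        Set<String> userAuthorities = authoritiesForUserAsSystem(userName);

        String baseGroup;
        if (userAuthorities.contains(siteGroupPrefix + LyseProjectModel.SITE_COMPANY_REP)) {
            baseGroup = LyseProjectModel.SITE_COMPANY_BASE;
        } else if (userAuthorities.contains(siteGroupPrefix + LyseProjectModel.SITE_CONTRACTOR_REP)
                || userAuthorities.contains(siteGroupPrefix + LyseProjectModel.SITE_CONTRACTOR_TECH)) {
            baseGroup = LyseProjectModel.SITE_CONTRACTOR_BASE;
        } else {
            return false;
        }
        return authoritiesForUserAsSystem(owner).contains(siteGroupPrefix + baseGroup);
    }

    /** Looks up a user's authorities with System authority, independent of the caller's rights. */
    private Set<String> authoritiesForUserAsSystem(final String userName) {
        return AuthenticationUtil.runAsSystem(new AuthenticationUtil.RunAsWork<Set<String>>() {
            @Override
            public Set<String> doWork() throws Exception {
                return authorityService.getAuthoritiesForUser(userName);
            }
        });
    }

    /**
     * Checks whether the fully authenticated user has Read permission on the datalist item
     * related to the task.
     *
     * <p>NOTE(review): the result is {@code true} (fail-open) when the task is not found, when
     * it has no related item, and when the related item no longer exists. Kept as in the
     * original; confirm this is intended, since it means such tasks are not restricted here.
     *
     * @param taskId id of the task to check
     * @return {@code false} only when a related item exists and Read is not allowed on it
     */
    /* JADX INFO: Access modifiers changed from: private */
    public boolean hasDatalistItemReadPermission(String taskId) {
        WorkflowTask task = this.workflowService.getTaskById(taskId);
        if (task == null) {
            return true;
        }
        final NodeRef relatedItem = (NodeRef) task.getProperties().get(LyseWorkflowModel.ASSOC_RELATED_DATALIST_ITEM);
        if (relatedItem == null) {
            LOG.trace(String.format("No related datalist item on task '%s'.", task.getName()));
            return true;
        }
        if (!this.nodeService.exists(relatedItem)) {
            LOG.warn(String.format("Task %s has a reference to a non-existing data list %s", task, relatedItem));
            return true;
        }
        // Evaluate the permission as the real user: the surrounding code may be running as System.
        return AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Boolean>() {
            @Override
            public Boolean doWork() throws Exception {
                return permissionService.hasPermission(relatedItem, "Read") == AccessStatus.ALLOWED;
            }
        }, AuthenticationUtil.getFullyAuthenticatedUser()).booleanValue();
    }

    /**
     * Tells whether the user owns the task, is one of its assignees or pooled actors, or
     * holds an authority that is.
     *
     * <p>NOTE(review): a {@code null} task yields {@code true} (fail-open), as in the original.
     *
     * @param workflowTask the task being accessed, may be {@code null}
     * @param userName the user requesting access
     * @return {@code true} when one of the conditions above holds
     */
    /* JADX INFO: Access modifiers changed from: private */
    public boolean isInitiatorOrAssignee(WorkflowTask workflowTask, String userName) {
        if (workflowTask == null) {
            return true;
        }
        NodeRef person = this.personService.getPerson(userName);
        Map<QName, ?> properties = workflowTask.getProperties();
        String owner = (String) properties.get(ContentModel.PROP_OWNER);
        if (owner == null) {
            // No explicit owner: fall back to the owner of the "initiatorhome" node, if present.
            NodeRef initiatorHome = (NodeRef) properties.get(QName.createQName("", "initiatorhome"));
            if (initiatorHome != null) {
                owner = (String) this.nodeService.getProperty(initiatorHome, ContentModel.PROP_OWNER);
            }
        }
        if (userName != null && userName.equalsIgnoreCase(owner)) {
            return true;
        }

        // Unresolved references are skipped, so the list never holds null. Previously a null
        // entry could equal a null person reference and grant access.
        List<NodeRef> assigned = new ArrayList<NodeRef>();
        addIfResolved(assigned, getUserGroupRef(properties.get(WorkflowModel.ASSOC_ASSIGNEE)));
        addIfResolved(assigned, getUserGroupRef(properties.get(WorkflowModel.ASSOC_GROUP_ASSIGNEE)));
        assigned.addAll(getUserGroupRefs(properties.get(WorkflowModel.ASSOC_GROUP_ASSIGNEES)));
        assigned.addAll(getUserGroupRefs(properties.get(WorkflowModel.ASSOC_ASSIGNEES)));
        assigned.addAll(getUserGroupRefs(properties.get(WorkflowModel.ASSOC_POOLED_ACTORS)));
        assigned.addAll(getUserGroupRefs(properties.get(LyseWorkflowModel.ASSOC_LYSE_INTERFACE_ASSIGNEES)));
        if (person != null && assigned.contains(person)) {
            return true;
        }
        for (String authority : this.authorityService.getAuthoritiesForUser(userName)) {
            NodeRef authorityRef = this.authorityService.getAuthorityNodeRef(authority);
            if (authorityRef != null && assigned.contains(authorityRef)) {
                return true;
            }
        }
        return false;
    }

    /** Adds {@code ref} to {@code target} unless it is {@code null}. */
    private static void addIfResolved(Collection<NodeRef> target, NodeRef ref) {
        if (ref != null) {
            target.add(ref);
        }
    }

    /**
     * Resolves a task property value to a node reference: a {@link NodeRef} is returned as is,
     * anything else is looked up by its string form as a person and then as an authority.
     *
     * @param obj property value, may be {@code null}
     * @return the resolved reference, or {@code null} when there is none or both lookups fail
     */
    private NodeRef getUserGroupRef(Object obj) {
        if (obj == null || obj instanceof NodeRef) {
            return (NodeRef) obj;
        }
        String authorityName = obj.toString();
        try {
            return this.personService.getPerson(authorityName);
        } catch (Exception personLookupFailure) {
            // Not resolvable as a person: try it as an authority (group) name instead.
            try {
                return this.authorityService.getAuthorityNodeRef(authorityName);
            } catch (Exception authorityLookupFailure) {
                // Best effort: an unresolved name never matches anyone, but leave a trace of it.
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Could not resolve '" + authorityName + "' to a person or authority node", authorityLookupFailure);
                }
                return null;
            }
        }
    }

    /**
     * Resolves every element of a collection-valued task property with
     * {@link #getUserGroupRef}, skipping elements that do not resolve.
     *
     * @param obj property value; anything that is not a {@link Collection} gives an empty result
     * @return the resolved references, never containing {@code null}
     */
    private Collection<NodeRef> getUserGroupRefs(Object obj) {
        List<NodeRef> resolved = new ArrayList<NodeRef>();
        if (obj instanceof Collection) {
            for (Object element : (Collection<?>) obj) {
                addIfResolved(resolved, getUserGroupRef(element));
            }
        }
        return resolved;
    }

    /** Injects the site service used to find the site of a related datalist item. */
    public void setSiteService(SiteService siteService) {
        this.siteService = siteService;
    }

    /** Injects the person service used to resolve user names to person nodes. */
    public void setPersonService(PersonService personService) {
        this.personService = personService;
    }

    /** Injects the authority service used for admin checks and group membership. */
    public void setAuthorityService(AuthorityService authorityService) {
        this.authorityService = authorityService;
    }

    /** Injects the workflow service used to load tasks by id. */
    public void setWorkflowService(WorkflowService workflowService) {
        this.workflowService = workflowService;
    }

    /** Injects the node service used for existence checks and property reads. */
    public void setNodeService(NodeService nodeService) {
        this.nodeService = nodeService;
    }

    /** Injects the permission service used for the Read check on related items. */
    public void setPermissionService(PermissionService permissionService) {
        this.permissionService = permissionService;
    }
}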
