package org.activiti.cloud.services.security;

import com.querydsl.core.types.Predicate;
import com.querydsl.core.types.dsl.BooleanExpression;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.activiti.cloud.services.query.model.QProcessInstance;
import org.activiti.cloud.services.query.model.QVariable;
import org.activiti.engine.UserGroupLookupProxy;
import org.activiti.engine.UserRoleLookupProxy;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

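/**
 * Applies the configured security policies to process-instance queries and answers
 * read/write permission checks for a process definition inside an application.
 *
 * <p>The policy lookup yields a map whose keys are matched against
 * {@code applicationName} and whose values are the process definition keys the
 * current user may access at the requested {@link SecurityPolicy} level.
 *
 * <p>NOTE(review): several paths in this class fail open (no restriction is applied)
 * when no policies are defined, when no authenticated user id is available, or, for
 * {@link #canRead}/{@link #canWrite}, when no {@code UserGroupLookupProxy} bean is
 * present. Confirm that unauthenticated requests are rejected before they reach this
 * service and that a missing lookup bean is an intended deployment mode.
 */
@Component
/* loaded from: input_file:org/activiti/cloud/services/security/SecurityPoliciesApplicationService.class */
public class SecurityPoliciesApplicationService {

    // Optional: when absent, no groups are passed to the policy lookup and
    // hasPermission() grants access (see NOTE(review) there).
    @Autowired(required = false)
    private UserGroupLookupProxy userGroupLookupProxy;

    // Optional: when absent, the admin shortcut in hasPermission() is skipped.
    @Autowired(required = false)
    private UserRoleLookupProxy userRoleLookupProxy;

    @Autowired
    private AuthenticationWrapper authenticationWrapper;

    @Autowired
    private SecurityPoliciesService securityPoliciesService;

    /**
     * Narrows a process-instance query to what the current user may see.
     *
     * @param predicate the caller's filter; may be {@code null}
     * @param securityPolicy the access level the query requires
     * @return {@code predicate} unchanged when no policies are defined or no user is
     *     authenticated; otherwise the policy restriction combined with {@code predicate}
     */
    public Predicate restrictProcessInstanceQuery(Predicate predicate, SecurityPolicy securityPolicy) {
        // NOTE(review): fail-open branch - the caller's predicate is returned unrestricted.
        if (noSecurityPoliciesOrNoUser()) {
            return predicate;
        }
        return buildPredicateForQProcessInstance(predicate, securityPolicy, QProcessInstance.processInstance);
    }

    /**
     * Narrows a variable query through the variable's owning process instance.
     *
     * @param predicate the caller's filter; may be {@code null}
     * @param securityPolicy the access level the query requires
     * @return {@code predicate} unchanged when no policies are defined or no user is
     *     authenticated; otherwise a predicate that requires a non-null process instance,
     *     the caller's filter (if any) and the policy restriction
     */
    public Predicate restrictProcessInstanceVariableQuery(Predicate predicate, SecurityPolicy securityPolicy) {
        // NOTE(review): fail-open branch - the caller's predicate is returned unrestricted.
        if (noSecurityPoliciesOrNoUser()) {
            return predicate;
        }
        QProcessInstance qProcessInstance = QVariable.variable.processInstance;
        // Only variables attached to a process instance can be matched against the policy.
        BooleanExpression scoped = qProcessInstance.isNotNull();
        if (predicate != null) {
            scoped = scoped.and(predicate);
        }
        return buildPredicateForQProcessInstance(scoped, securityPolicy, qProcessInstance);
    }

    /**
     * Builds the policy restriction for the given process-instance path and combines it
     * with the caller's filter.
     *
     * @param predicate the caller's filter, combined with the restriction via {@code and}
     * @param securityPolicy the access level the query requires
     * @param qProcessInstance the query path the restriction is expressed on
     * @return the restriction and-ed with {@code predicate}; a predicate that cannot match
     *     when the user has no allowed entries but policies are defined; {@code predicate}
     *     unchanged when there are no allowed entries and no policies are defined
     */
    public Predicate buildPredicateForQProcessInstance(Predicate predicate, SecurityPolicy securityPolicy, QProcessInstance qProcessInstance) {
        BooleanExpression restriction = null;
        // One (applicationName, allowed definition keys) clause per entry, or-ed together.
        for (Map.Entry<String, Set<String>> allowed : definitionKeysAllowedForPolicy(securityPolicy).entrySet()) {
            restriction = addProcessDefRestrictionToExpression(qProcessInstance, restriction, allowed.getKey(), allowed.getValue());
        }
        if (restriction != null) {
            return restriction.and(predicate);
        }
        // Policies exist but grant this user nothing: deny everything rather than
        // falling back to the unrestricted caller predicate.
        if (this.securityPoliciesService.policiesDefined()) {
            return getImpossiblePredicate(qProcessInstance);
        }
        return predicate;
    }

    /**
     * Returns a deny-all predicate: it requires the id to equal both {@code "1"} and
     * {@code "2"}, which no single row can satisfy.
     *
     * @param qProcessInstance the query path the predicate is expressed on
     * @return a contradiction over {@code qProcessInstance.id}
     */
    public BooleanExpression getImpossiblePredicate(QProcessInstance qProcessInstance) {
        return qProcessInstance.id.eq("1").and(qProcessInstance.id.eq("2"));
    }

    /**
     * Adds one allow-clause to a restriction under construction.
     *
     * @param qProcessInstance the query path the clause is expressed on
     * @param booleanExpression the restriction built so far, or {@code null} for the first clause
     * @param str the application name the clause applies to
     * @param set the process definition keys allowed within that application
     * @return the new clause alone when {@code booleanExpression} is {@code null}, otherwise
     *     {@code booleanExpression} or-ed with the new clause
     */
    public BooleanExpression addProcessDefRestrictionToExpression(QProcessInstance qProcessInstance, BooleanExpression booleanExpression, String str, Set<String> set) {
        BooleanExpression clause = qProcessInstance.processDefinitionKey.in(set).and(qProcessInstance.applicationName.eq(str));
        return booleanExpression == null ? clause : booleanExpression.or(clause);
    }

    /** Returns {@code true} when no policies are defined or no user id is authenticated. */
    private boolean noSecurityPoliciesOrNoUser() {
        return !this.securityPoliciesService.policiesDefined() || this.authenticationWrapper.getAuthenticatedUserId() == null;
    }

    /**
     * Resolves, per application name, the process definition keys the current user may
     * access at the given policy level.
     *
     * @param securityPolicy the access level being checked
     * @return whatever {@code SecurityPoliciesService#getProcessDefinitionKeys} returns for
     *     the current user id and groups
     */
    private Map<String, Set<String>> definitionKeysAllowedForPolicy(SecurityPolicy securityPolicy) {
        // Read the identity once so the group lookup and the policy lookup are
        // guaranteed to be evaluated for the same user id.
        String userId = this.authenticationWrapper.getAuthenticatedUserId();
        List<String> groups = null;
        if (this.userGroupLookupProxy != null && userId != null) {
            groups = this.userGroupLookupProxy.getGroupsForCandidateUser(userId);
        }
        // groups stays null when there is no lookup proxy or no user; the policy
        // service receives null in that case.
        return this.securityPoliciesService.getProcessDefinitionKeys(userId, groups, securityPolicy);
    }

    /**
     * Checks write access to a process definition.
     *
     * @param str the process definition key
     * @param str2 the application name
     * @return the result of the permission check at {@code SecurityPolicy.WRITE}
     */
    public boolean canWrite(String str, String str2) {
        return hasPermission(str, SecurityPolicy.WRITE, str2);
    }

    /**
     * Checks read access to a process definition.
     *
     * @param str the process definition key
     * @param str2 the application name
     * @return the result of the permission check at {@code SecurityPolicy.READ}
     */
    public boolean canRead(String str, String str2) {
        return hasPermission(str, SecurityPolicy.READ, str2);
    }

    /**
     * Decides whether the current user may access a process definition at the given level.
     *
     * @param processDefinitionKey the process definition key being accessed
     * @param securityPolicy the access level being checked
     * @param applicationName the application the definition belongs to
     * @return {@code true} when no restriction applies, when the user is an admin, or when
     *     the key is among those allowed for the application; {@code false} otherwise
     */
    private boolean hasPermission(String processDefinitionKey, SecurityPolicy securityPolicy, String applicationName) {
        // NOTE(review): fail-open. Access is granted when policies are not defined, when
        // no UserGroupLookupProxy bean is wired, or when there is no authenticated user id.
        // The query-restriction methods do not treat a missing group lookup as a bypass,
        // so the two code paths disagree - confirm which behaviour is intended.
        if (!this.securityPoliciesService.policiesDefined() || this.userGroupLookupProxy == null) {
            return true;
        }
        String userId = this.authenticationWrapper.getAuthenticatedUserId();
        if (userId == null) {
            return true;
        }
        // Admins bypass the per-definition check; skipped when no role lookup is wired.
        if (this.userRoleLookupProxy != null && this.userRoleLookupProxy.isAdmin(userId)) {
            return true;
        }
        Set<String> allowedKeys = definitionKeysAllowedForPolicy(securityPolicy).get(applicationName);
        // No entry for the application means nothing is allowed there.
        return allowedKeys != null && allowedKeys.contains(processDefinitionKey);
    }
}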
