package com.evolveum.midpoint.wf.impl.access;

import com.evolveum.midpoint.model.api.ModelAuthorizationAction;
import com.evolveum.midpoint.model.api.util.DeputyUtils;
import com.evolveum.midpoint.schema.RelationRegistry;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.security.api.SecurityContextManager;
import com.evolveum.midpoint.security.enforcer.api.AuthorizationParameters;
import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.exception.SystemException;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CaseWorkItemType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
import java.util.Iterator;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

@Component
/* Decompiled from: input_file:WEB-INF/lib/workflow-impl-4.3.3-SNAPSHOT.jar:com/evolveum/midpoint/wf/impl/access/AuthorizationHelper.class */
/**
 * Decides whether the currently logged-in principal may act on a case work item.
 *
 * Two sources of authority are combined: explicit model authorizations (the
 * {@code *_ALL_WORK_ITEMS} / {@code *_OWN_WORK_ITEMS} actions) and the principal's
 * relationship to the work item (assignee, deputy of an assignee, candidate, or
 * member/deputy of a candidate group). Every decision fails closed: a missing
 * principal, a principal without OID, or a {@link SecurityViolationException}
 * all yield {@code false}.
 */
public class AuthorizationHelper {

    @Autowired
    private SecurityEnforcer securityEnforcer;

    @Autowired
    private SecurityContextManager securityContextManager;

    @Autowired
    private RelationRegistry relationRegistry;

    /**
     * Work-item operation being authorized, together with the model actions that
     * cover it: {@code actionAll} grants the operation on any work item, the optional
     * {@code actionOwn} grants it only on the caller's own work items. COMPLETE has no
     * "own" action, so ownership alone is sufficient for completion (see
     * {@link #isAuthorized}).
     */
    public enum RequestedOperation {
        COMPLETE(ModelAuthorizationAction.COMPLETE_ALL_WORK_ITEMS, null),
        DELEGATE(ModelAuthorizationAction.DELEGATE_ALL_WORK_ITEMS, ModelAuthorizationAction.DELEGATE_OWN_WORK_ITEMS);

        ModelAuthorizationAction actionAll;
        ModelAuthorizationAction actionOwn;

        RequestedOperation(ModelAuthorizationAction all, ModelAuthorizationAction own) {
            actionAll = all;
            actionOwn = own;
        }
    }

    /**
     * Returns whether the current principal may perform {@code requestedOperation}
     * on {@code caseWorkItemType}.
     *
     * Decision order:
     * <ol>
     *   <li>no principal, or a principal without OID, is denied;</li>
     *   <li>the operation's {@code actionAll} authorization grants unconditionally;</li>
     *   <li>if the operation has an {@code actionOwn}, the caller must hold it, otherwise denied;</li>
     *   <li>finally the caller must be an assignee (or a deputy of one), or be among
     *       the candidates (directly, or via membership/delegation).</li>
     * </ol>
     * Both enforcer checks are made with a {@code null} object and {@code null} target
     * (only {@link AuthorizationParameters#EMPTY}) — presumably object selectors on the
     * authorization are therefore not evaluated here; confirm against SecurityEnforcer.
     *
     * Note that the outer catch also wraps the enforcer calls, so the declared
     * {@link SecurityViolationException} is never actually propagated by this method:
     * any such failure is reported as {@code false}.
     *
     * @param caseWorkItemType the work item being acted on
     * @param requestedOperation the operation to authorize
     * @param task task for the enforcer
     * @param operationResult result for the enforcer
     * @return {@code true} if the caller is authorized
     * @throws SystemException wrapping any {@link SchemaException} raised by the enforcer
     */
    public boolean isAuthorized(CaseWorkItemType caseWorkItemType, RequestedOperation requestedOperation, Task task, OperationResult operationResult)
            throws ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        try {
            MidPointPrincipal caller = securityContextManager.getPrincipal();
            if (caller.getOid() == null) {
                return false;
            }
            try {
                // "All" action: grants regardless of the caller's relation to the work item.
                if (securityEnforcer.isAuthorized(requestedOperation.actionAll.getUrl(), null, AuthorizationParameters.EMPTY, null, task, operationResult)) {
                    return true;
                }
                // "Own" action (when the operation defines one) is a prerequisite for the
                // ownership-based checks that follow.
                ModelAuthorizationAction ownAction = requestedOperation.actionOwn;
                if (ownAction != null
                        && !securityEnforcer.isAuthorized(ownAction.getUrl(), null, AuthorizationParameters.EMPTY, null, task, operationResult)) {
                    return false;
                }
                for (ObjectReferenceType assignee : caseWorkItemType.getAssigneeRef()) {
                    if (isEqualOrDeputyOf(caller, assignee.getOid(), relationRegistry)) {
                        return true;
                    }
                }
                return isAmongCandidates(caller, caseWorkItemType);
            } catch (SchemaException e) {
                throw new SystemException(e.getMessage(), e);
            }
        } catch (SecurityViolationException e) {
            // Fail closed: no principal or a rejected enforcer call both mean "not authorized".
            return false;
        }
    }

    /**
     * Whether {@code midPointPrincipal} is the object identified by {@code str}, or
     * holds a delegation from it (as determined by {@link DeputyUtils}).
     * A {@code null} {@code str} never equals the principal OID; whether
     * {@link DeputyUtils#isDelegationPresent} tolerates it is not visible here.
     */
    private boolean isEqualOrDeputyOf(MidPointPrincipal midPointPrincipal, String str, RelationRegistry relationRegistry) {
        if (midPointPrincipal.getOid().equals(str)) {
            return true;
        }
        return DeputyUtils.isDelegationPresent(midPointPrincipal.getFocus(), str, relationRegistry);
    }

    /**
     * Whether the principal is listed among the work item's candidates, either
     * directly by OID or through membership in / delegation from a candidate.
     */
    private boolean isAmongCandidates(MidPointPrincipal midPointPrincipal, CaseWorkItemType caseWorkItemType) {
        String callerOid = midPointPrincipal.getOid();
        for (ObjectReferenceType candidate : caseWorkItemType.getCandidateRef()) {
            boolean direct = callerOid.equals(candidate.getOid());
            if (direct || isMemberOrDeputyOf(midPointPrincipal.getFocus(), candidate)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns whether the current principal may claim {@code caseWorkItemType}:
     * the principal must have an OID and be among the candidates. Unlike
     * {@link #isAuthorized} no model authorization is consulted. Fails closed
     * when no principal is available.
     *
     * @param caseWorkItemType the work item to claim
     * @return {@code true} if the caller may claim it
     */
    public boolean isAuthorizedToClaim(CaseWorkItemType caseWorkItemType) {
        MidPointPrincipal caller;
        try {
            caller = securityContextManager.getPrincipal();
        } catch (SecurityViolationException e) {
            return false;
        }
        if (caller.getOid() == null) {
            return false;
        }
        return isAmongCandidates(caller, caseWorkItemType);
    }

    /**
     * Whether {@code focusType} has a role-membership or delegated reference that
     * {@link #matches} the candidate reference.
     */
    private boolean isMemberOrDeputyOf(FocusType focusType, ObjectReferenceType objectReferenceType) {
        boolean viaMembership = focusType.getRoleMembershipRef().stream()
                .anyMatch(membershipRef -> matches(objectReferenceType, membershipRef));
        if (viaMembership) {
            return true;
        }
        return focusType.getDelegatedRef().stream()
                .anyMatch(delegatedRef -> matches(objectReferenceType, delegatedRef));
    }

    /**
     * A focus reference matches a candidate when its relation is a membership or
     * delegation relation (per {@link RelationRegistry}) and it points at the
     * candidate's OID. NOTE(review): a focus reference without OID would throw
     * NPE here; presumably such references never occur — confirm.
     */
    private boolean matches(ObjectReferenceType objectReferenceType, ObjectReferenceType objectReferenceType2) {
        boolean relevantRelation = relationRegistry.isMember(objectReferenceType2.getRelation())
                || relationRegistry.isDelegation(objectReferenceType2.getRelation());
        return relevantRelation && objectReferenceType2.getOid().equals(objectReferenceType.getOid());
    }
}
