package org.camunda.bpm.engine.impl.cfg.auth;

import java.util.ArrayList;
import java.util.Date;
import org.camunda.bpm.engine.authorization.HistoricTaskPermissions;
import org.camunda.bpm.engine.authorization.Permission;
import org.camunda.bpm.engine.authorization.Permissions;
import org.camunda.bpm.engine.authorization.Resource;
import org.camunda.bpm.engine.authorization.Resources;
import org.camunda.bpm.engine.authorization.TaskPermissions;
import org.camunda.bpm.engine.delegate.DelegateTask;
import org.camunda.bpm.engine.filter.Filter;
import org.camunda.bpm.engine.identity.Group;
import org.camunda.bpm.engine.identity.Tenant;
import org.camunda.bpm.engine.identity.User;
import org.camunda.bpm.engine.impl.context.Context;
import org.camunda.bpm.engine.impl.db.entitymanager.DbEntityManager;
import org.camunda.bpm.engine.impl.history.event.HistoricProcessInstanceEventEntity;
import org.camunda.bpm.engine.impl.history.event.HistoryEvent;
import org.camunda.bpm.engine.impl.identity.Authentication;
import org.camunda.bpm.engine.impl.persistence.entity.AuthorizationEntity;
import org.camunda.bpm.engine.impl.persistence.entity.AuthorizationManager;
import org.camunda.bpm.engine.impl.persistence.entity.ExecutionEntity;
import org.camunda.bpm.engine.impl.util.EnsureUtil;
import org.camunda.bpm.engine.repository.DecisionDefinition;
import org.camunda.bpm.engine.repository.DecisionRequirementsDefinition;
import org.camunda.bpm.engine.repository.Deployment;
import org.camunda.bpm.engine.repository.ProcessDefinition;
import org.camunda.bpm.engine.runtime.ProcessInstance;
import org.camunda.bpm.engine.task.Task;

/* loaded from: input_file:BOOT-INF/lib/camunda-engine-7.15.0.jar:org/camunda/bpm/engine/impl/cfg/auth/DefaultAuthorizationProvider.class */
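/**
 * Default {@link ResourceAuthorizationProvider}. Each callback returns the grant authorizations
 * this provider proposes for the event in question, or {@code null} when it proposes none.
 * What the caller does with the returned entities is not visible in this class.
 *
 * <p>Review notes for anyone relying on these defaults for access control:
 * <ul>
 *   <li>Nothing in this class removes a permission or an authorization; existing grants only
 *       ever gain permissions (see {@link #createOrUpdateAuthorization}). The
 *       {@code deleteTask*IdentityLink} callbacks return {@code null} and the first String
 *       argument of {@link #newTaskAssignee} / {@link #newTaskOwner} is ignored, so whether the
 *       grants of a former assignee, owner or candidate are revoked must be verified in the
 *       callers.</li>
 *   <li>User and group ids are passed through
 *       {@code EnsureUtil.ensureValidIndividualResourceId} before they are stored; resource ids
 *       are stored as given (see {@link #createGrantAuthorization}).</li>
 * </ul>
 */
public class DefaultAuthorizationProvider implements ResourceAuthorizationProvider {

    /**
     * Authorization type used by every grant-related method in this class, both when creating
     * an {@link AuthorizationEntity} and when looking one up. Same value as the engine's
     * {@code Authorization.AUTH_TYPE_GRANT}.
     */
    private static final int AUTH_TYPE_GRANT = 1;

    /**
     * Grants a new user {@link Permissions#ALL} on its own {@link Resources#USER} entry.
     *
     * @param user the user that was created
     * @return a single-element array holding the grant
     */
    @Override
    public AuthorizationEntity[] newUser(User user) {
        String userId = user.getId();
        EnsureUtil.ensureValidIndividualResourceId("Cannot create default authorization for user " + userId, userId);
        return new AuthorizationEntity[] {
            createGrantAuthorization(userId, null, Resources.USER, userId, Permissions.ALL)
        };
    }

    /**
     * Grants a new group {@link Permissions#READ} on its own {@link Resources#GROUP} entry.
     *
     * @param group the group that was created
     * @return a single-element array holding the grant
     */
    @Override
    public AuthorizationEntity[] newGroup(Group group) {
        String groupId = group.getId();
        EnsureUtil.ensureValidIndividualResourceId("Cannot create default authorization for group " + groupId, groupId);
        return new AuthorizationEntity[] {
            createGrantAuthorization(null, groupId, Resources.GROUP, groupId, Permissions.READ)
        };
    }

    /**
     * Proposes no default authorization for a new tenant.
     *
     * @return always {@code null}
     */
    @Override
    public AuthorizationEntity[] newTenant(Tenant tenant) {
        return null;
    }

    /**
     * Proposes no default authorization for a new group membership; both arguments are unused.
     *
     * @return always {@code null}
     */
    @Override
    public AuthorizationEntity[] groupMembershipCreated(String str, String str2) {
        return null;
    }

    /**
     * Grants the user {@link Permissions#READ} on the tenant it became a member of.
     *
     * @param tenant the tenant; its id becomes the resource id
     * @param user the new member
     * @return a single-element array holding the grant
     */
    @Override
    public AuthorizationEntity[] tenantMembershipCreated(Tenant tenant, User user) {
        AuthorizationEntity readGrant =
            createGrantAuthorization(user.getId(), null, Resources.TENANT, tenant.getId(), Permissions.READ);
        return new AuthorizationEntity[] {readGrant};
    }

    /**
     * Grants the group {@link Permissions#READ} on the tenant it became a member of.
     *
     * @param tenant the tenant; its id becomes the resource id
     * @param group the new member group
     * @return a single-element array holding the grant
     */
    @Override
    public AuthorizationEntity[] tenantMembershipCreated(Tenant tenant, Group group) {
        AuthorizationEntity readGrant =
            createGrantAuthorization(null, group.getId(), Resources.TENANT, tenant.getId(), Permissions.READ);
        return new AuthorizationEntity[] {readGrant};
    }

    /**
     * Grants the owner of a filter {@link Permissions#ALL} on that filter.
     *
     * @param filter the filter that was created
     * @return a single-element array holding the grant, or {@code null} if the filter has no owner
     */
    @Override
    public AuthorizationEntity[] newFilter(Filter filter) {
        String owner = filter.getOwner();
        if (owner == null) {
            return null;
        }
        String filterId = filter.getId();
        EnsureUtil.ensureValidIndividualResourceId("Cannot create default authorization for filter owner " + owner, owner);
        return new AuthorizationEntity[] {
            createGrantAuthorization(owner, null, Resources.FILTER, filterId, Permissions.ALL)
        };
    }

    /**
     * Grants the currently authenticated user {@link Permissions#READ} and
     * {@link Permissions#DELETE} on a new deployment.
     *
     * @param deployment the deployment that was created
     * @return a single-element array holding the grant, or {@code null} when there is no current
     *     authentication or it carries no user id
     */
    @Override
    public AuthorizationEntity[] newDeployment(Deployment deployment) {
        Authentication authentication =
            Context.getProcessEngineConfiguration().getIdentityService().getCurrentAuthentication();
        if (authentication == null || authentication.getUserId() == null) {
            return null;
        }
        return new AuthorizationEntity[] {
            createGrantAuthorization(
                authentication.getUserId(), null, Resources.DEPLOYMENT, deployment.getId(),
                Permissions.READ, Permissions.DELETE)
        };
    }

    /**
     * Proposes no default authorization for a new process definition.
     *
     * @return always {@code null}
     */
    @Override
    public AuthorizationEntity[] newProcessDefinition(ProcessDefinition processDefinition) {
        return null;
    }

    /**
     * Proposes no default authorization for a new process instance.
     *
     * @return always {@code null}
     */
    @Override
    public AuthorizationEntity[] newProcessInstance(ProcessInstance processInstance) {
        return null;
    }

    /**
     * Proposes no default authorization for a new task.
     *
     * @return always {@code null}
     */
    @Override
    public AuthorizationEntity[] newTask(Task task) {
        return null;
    }

    /**
     * Creates or extends the task grants for the user id in {@code str2}.
     *
     * @param task the task being assigned
     * @param str not used by this implementation (presumably the previous assignee; confirm
     *     against the interface). No grant is revoked for it here.
     * @param str2 user id that receives the task grants; {@code null} yields no authorization
     * @return the task grants, or {@code null} if {@code str2} is {@code null}
     */
    @Override
    public AuthorizationEntity[] newTaskAssignee(Task task, String str, String str2) {
        if (str2 == null) {
            return null;
        }
        EnsureUtil.ensureValidIndividualResourceId("Cannot create default authorization for assignee " + str2, str2);
        return createOrUpdateAuthorizationsByUserId(task, str2);
    }

    /**
     * Creates or extends the task grants for the user id in {@code str2}.
     *
     * @param task the task whose owner is set
     * @param str not used by this implementation (presumably the previous owner; confirm
     *     against the interface). No grant is revoked for it here.
     * @param str2 user id that receives the task grants; {@code null} yields no authorization
     * @return the task grants, or {@code null} if {@code str2} is {@code null}
     */
    @Override
    public AuthorizationEntity[] newTaskOwner(Task task, String str, String str2) {
        if (str2 == null) {
            return null;
        }
        EnsureUtil.ensureValidIndividualResourceId("Cannot create default authorization for owner " + str2, str2);
        return createOrUpdateAuthorizationsByUserId(task, str2);
    }

    /**
     * Creates or extends the task grants for a user that was linked to the task.
     *
     * @param task the task the identity link belongs to
     * @param str user id that receives the task grants
     * @param str2 not used by this implementation, so every kind of link yields the same grants
     * @return the task grants
     */
    @Override
    public AuthorizationEntity[] newTaskUserIdentityLink(Task task, String str, String str2) {
        EnsureUtil.ensureValidIndividualResourceId("Cannot grant default authorization for identity link to user " + str, str);
        return createOrUpdateAuthorizationsByUserId(task, str);
    }

    /**
     * Creates or extends the task grants for a group that was linked to the task.
     *
     * @param task the task the identity link belongs to
     * @param str group id that receives the task grants
     * @param str2 not used by this implementation, so every kind of link yields the same grants
     * @return the task grants
     */
    @Override
    public AuthorizationEntity[] newTaskGroupIdentityLink(Task task, String str, String str2) {
        EnsureUtil.ensureValidIndividualResourceId("Cannot grant default authorization for identity link to group " + str, str);
        return createOrUpdateAuthorizationsByGroupId(task, str);
    }

    /**
     * Proposes nothing when a user identity link is deleted.
     *
     * <p>NOTE(review): grants created by {@link #newTaskUserIdentityLink} are not touched here;
     * confirm whether the caller revokes them.
     *
     * @return always {@code null}
     */
    @Override
    public AuthorizationEntity[] deleteTaskUserIdentityLink(Task task, String str, String str2) {
        return null;
    }

    /**
     * Proposes nothing when a group identity link is deleted.
     *
     * <p>NOTE(review): grants created by {@link #newTaskGroupIdentityLink} are not touched here;
     * confirm whether the caller revokes them.
     *
     * @return always {@code null}
     */
    @Override
    public AuthorizationEntity[] deleteTaskGroupIdentityLink(Task task, String str, String str2) {
        return null;
    }

    /**
     * Proposes no default authorization for a new decision definition.
     *
     * @return always {@code null}
     */
    @Override
    public AuthorizationEntity[] newDecisionDefinition(DecisionDefinition decisionDefinition) {
        return null;
    }

    /**
     * Proposes no default authorization for a new decision requirements definition.
     *
     * @return always {@code null}
     */
    @Override
    public AuthorizationEntity[] newDecisionRequirementsDefinition(DecisionRequirementsDefinition decisionRequirementsDefinition) {
        return null;
    }

    /**
     * Task grants for a group.
     *
     * @param task the task
     * @param str the group id
     */
    protected AuthorizationEntity[] createOrUpdateAuthorizationsByGroupId(Task task, String str) {
        return createOrUpdateAuthorizations(task, str, null);
    }

    /**
     * Task grants for a user.
     *
     * @param task the task
     * @param str the user id
     */
    protected AuthorizationEntity[] createOrUpdateAuthorizationsByUserId(Task task, String str) {
        return createOrUpdateAuthorizations(task, null, str);
    }

    /**
     * Builds the runtime task grant and, when historic instance permissions are enabled, the
     * matching historic task grant.
     *
     * @param task the task the grants refer to
     * @param str group id, or {@code null} when granting to a user
     * @param str2 user id, or {@code null} when granting to a group
     * @return the runtime grant alone, or the runtime grant followed by the historic grant
     */
    protected AuthorizationEntity[] createOrUpdateAuthorizations(Task task, String str, String str2) {
        boolean variablePermissionEnforced = isEnforceSpecificVariablePermission();
        AuthorizationEntity runtimeGrant = createOrUpdateAuthorization(
            task, str2, str, Resources.TASK, false, getRuntimePermissions(variablePermissionEnforced));
        if (!isHistoricInstancePermissionsEnabled()) {
            return new AuthorizationEntity[] {runtimeGrant};
        }
        AuthorizationEntity historicGrant = createOrUpdateAuthorization(
            task, str2, str, Resources.HISTORIC_TASK, true, getHistoricPermissions(variablePermissionEnforced));
        return new AuthorizationEntity[] {runtimeGrant, historicGrant};
    }

    /**
     * Returns the existing grant for the task and identity with the given permissions added, or
     * a newly created grant when none exists. Permissions are only ever added, never removed.
     *
     * @param task the task; its id is the resource id
     * @param str user id, or {@code null}
     * @param str2 group id, or {@code null}
     * @param resource resource type of the grant
     * @param z whether a newly created grant receives removal-time data from the task
     * @param permissionArr permissions to put on the grant
     * @return the existing or new grant
     */
    protected AuthorizationEntity createOrUpdateAuthorization(Task task, String str, String str2, Resource resource, boolean z, Permission... permissionArr) {
        String taskId = task.getId();
        AuthorizationEntity existing = getGrantAuthorization(taskId, str, str2, resource);
        if (existing != null) {
            addPermissions(existing, permissionArr);
            return existing;
        }
        AuthorizationEntity created = createAuthorization(str, str2, resource, taskId, permissionArr);
        if (z) {
            provideRemovalTime(created, task);
        }
        return created;
    }

    /**
     * Copies the root process instance id of the task onto the authorization and, when the
     * history removal time strategy is {@code "start"}, the removal time of the historic root
     * process instance ({@code null} if that instance is not found). Does nothing when the task
     * has no root process instance id.
     */
    protected void provideRemovalTime(AuthorizationEntity authorizationEntity, Task task) {
        String rootProcessInstanceId = getRootProcessInstanceId(task);
        if (rootProcessInstanceId == null) {
            return;
        }
        authorizationEntity.setRootProcessInstanceId(rootProcessInstanceId);
        if (isHistoryRemovalTimeStrategyStart()) {
            HistoryEvent rootInstance = findHistoricProcessInstance(rootProcessInstanceId);
            Date removalTime = rootInstance != null ? rootInstance.getRemovalTime() : null;
            authorizationEntity.setRemovalTime(removalTime);
        }
    }

    /**
     * Root process instance id of the execution behind the task, or {@code null} when the task
     * has no execution.
     *
     * <p>The task is cast to {@link DelegateTask} and its execution to {@link ExecutionEntity}
     * without a type check, so any other implementation fails with a
     * {@link ClassCastException}.
     */
    protected String getRootProcessInstanceId(Task task) {
        ExecutionEntity execution = (ExecutionEntity) ((DelegateTask) task).getExecution();
        return execution != null ? execution.getRootProcessInstanceId() : null;
    }

    /** Whether the configured history removal time strategy equals {@code "start"}. */
    protected boolean isHistoryRemovalTimeStrategyStart() {
        return "start".equals(getHistoryRemovalTimeStrategy());
    }

    /** History removal time strategy from the current process engine configuration. */
    protected String getHistoryRemovalTimeStrategy() {
        return Context.getProcessEngineConfiguration().getHistoryRemovalTimeStrategy();
    }

    /**
     * Loads the historic process instance with the given id through the entity manager of the
     * current command context.
     *
     * @param str the process instance id
     */
    protected HistoryEvent findHistoricProcessInstance(String str) {
        DbEntityManager entityManager = Context.getCommandContext().getDbEntityManager();
        return (HistoryEvent) entityManager.selectById(HistoricProcessInstanceEventEntity.class, str);
    }

    /**
     * Permissions for a historic task grant: READ, plus READ_VARIABLE when {@code z} is set.
     *
     * @param z whether the specific variable permission is enforced
     */
    protected Permission[] getHistoricPermissions(boolean z) {
        ArrayList<Permission> permissions = new ArrayList<>();
        permissions.add(HistoricTaskPermissions.READ);
        if (z) {
            permissions.add(HistoricTaskPermissions.READ_VARIABLE);
        }
        return permissions.toArray(new Permission[0]);
    }

    /**
     * Permissions for a runtime task grant: READ, the configured default user permission for
     * tasks, plus READ_VARIABLE when {@code z} is set.
     *
     * <p>The configured default is added as returned, so the array may contain {@code null};
     * {@link #addPermissions} skips such entries.
     *
     * @param z whether the specific variable permission is enforced
     */
    protected Permission[] getRuntimePermissions(boolean z) {
        ArrayList<Permission> permissions = new ArrayList<>();
        permissions.add(Permissions.READ);
        permissions.add(getDefaultUserPermissionForTask());
        if (z) {
            permissions.add(TaskPermissions.READ_VARIABLE);
        }
        return permissions.toArray(new Permission[0]);
    }

    /** Whether historic instance permissions are enabled in the engine configuration. */
    protected boolean isHistoricInstancePermissionsEnabled() {
        return Context.getProcessEngineConfiguration().isEnableHistoricInstancePermissions();
    }

    /** Authorization manager of the current command context. */
    protected AuthorizationManager getAuthorizationManager() {
        return Context.getCommandContext().getAuthorizationManager();
    }

    /**
     * Looks up an existing grant, by group when a group id is given and by user otherwise.
     *
     * @param str resource id
     * @param str2 user id, used only when {@code str3} is {@code null}
     * @param str3 group id, or {@code null}
     * @param resource resource type
     */
    protected AuthorizationEntity getGrantAuthorization(String str, String str2, String str3, Resource resource) {
        if (str3 != null) {
            return getGrantAuthorizationByGroupId(str3, resource, str);
        }
        return getGrantAuthorizationByUserId(str2, resource, str);
    }

    /**
     * Looks up the grant of a user on one resource.
     *
     * @param str user id
     * @param resource resource type
     * @param str2 resource id
     */
    protected AuthorizationEntity getGrantAuthorizationByUserId(String str, Resource resource, String str2) {
        return getAuthorizationManager().findAuthorizationByUserIdAndResourceId(AUTH_TYPE_GRANT, str, resource, str2);
    }

    /**
     * Looks up the grant of a group on one resource.
     *
     * @param str group id
     * @param resource resource type
     * @param str2 resource id
     */
    protected AuthorizationEntity getGrantAuthorizationByGroupId(String str, Resource resource, String str2) {
        return getAuthorizationManager().findAuthorizationByGroupIdAndResourceId(AUTH_TYPE_GRANT, str, resource, str2);
    }

    /**
     * Creates a grant and, if an equivalent authorization is already in the entity cache, takes
     * over that entry's permissions (see {@link #updateAuthorizationBasedOnCacheEntries}).
     *
     * @param str user id, or {@code null}
     * @param str2 group id, or {@code null}
     * @param resource resource type
     * @param str3 resource id
     * @param permissionArr permissions to grant
     */
    protected AuthorizationEntity createAuthorization(String str, String str2, Resource resource, String str3, Permission... permissionArr) {
        AuthorizationEntity created = createGrantAuthorization(str, str2, resource, str3, permissionArr);
        updateAuthorizationBasedOnCacheEntries(created, str, str2, resource, str3);
        return created;
    }

    /**
     * Adds every non-null permission to the authorization; a {@code null} array is a no-op.
     */
    protected void addPermissions(AuthorizationEntity authorizationEntity, Permission... permissionArr) {
        if (permissionArr == null) {
            return;
        }
        for (Permission permission : permissionArr) {
            if (permission != null) {
                authorizationEntity.addPermission(permission);
            }
        }
    }

    /**
     * Builds a new grant authorization entity.
     *
     * <p>NOTE(review): only the user id and the group id are validated; the resource id in
     * {@code str3} is stored as given. Confirm that callers never pass a wildcard resource id.
     *
     * @param str user id, or {@code null}
     * @param str2 group id, or {@code null}
     * @param resource resource type
     * @param str3 resource id
     * @param permissionArr permissions to grant
     */
    protected AuthorizationEntity createGrantAuthorization(String str, String str2, Resource resource, String str3, Permission... permissionArr) {
        if (str != null) {
            EnsureUtil.ensureValidIndividualResourceId("Cannot create authorization for user " + str, str);
        }
        if (str2 != null) {
            EnsureUtil.ensureValidIndividualResourceId("Cannot create authorization for group " + str2, str2);
        }
        AuthorizationEntity grant = new AuthorizationEntity(AUTH_TYPE_GRANT);
        grant.setUserId(str);
        grant.setGroupId(str2);
        grant.setResource(resource);
        grant.setResourceId(str3);
        addPermissions(grant, permissionArr);
        return grant;
    }

    /** Default user permission for tasks from the current process engine configuration. */
    protected Permission getDefaultUserPermissionForTask() {
        return Context.getProcessEngineConfiguration().getDefaultUserPermissionForTask();
    }

    /** Whether the engine configuration enforces the specific variable permission. */
    protected boolean isEnforceSpecificVariablePermission() {
        return Context.getProcessEngineConfiguration().isEnforceSpecificVariablePermission();
    }

    /**
     * Searches the cached {@link AuthorizationEntity} instances for the first one with the same
     * user, group, resource type, resource id and grant type. If found, its permissions replace
     * those of {@code authorizationEntity} and the cached entry is removed from the entity cache.
     *
     * <p>NOTE(review): the permissions passed to {@link #createAuthorization} are overwritten,
     * not merged, when a cached entry matches; callers receive the cached permission set.
     */
    protected void updateAuthorizationBasedOnCacheEntries(AuthorizationEntity authorizationEntity, String str, String str2, Resource resource, String str3) {
        DbEntityManager entityManager = Context.getCommandContext().getDbEntityManager();
        for (AuthorizationEntity cached : entityManager.getCachedEntitiesByType(AuthorizationEntity.class)) {
            if (hasEntitySameAuthorizationRights(cached, str, str2, resource, str3)) {
                authorizationEntity.setPermissions(cached.getPermissions());
                entityManager.getDbEntityCache().remove(cached);
                return;
            }
        }
    }

    /**
     * Whether the entity is a grant for exactly the given user id, group id, resource type and
     * resource id.
     */
    protected boolean hasEntitySameAuthorizationRights(AuthorizationEntity authorizationEntity, String str, String str2, Resource resource, String str3) {
        return areIdsEqual(authorizationEntity.getUserId(), str)
            && areIdsEqual(authorizationEntity.getGroupId(), str2)
            && authorizationEntity.getResourceType() == resource.resourceType()
            && areIdsEqual(authorizationEntity.getResourceId(), str3)
            && authorizationEntity.getAuthorizationType() == AUTH_TYPE_GRANT;
    }

    /** Null-safe equality: two {@code null} ids are equal, a {@code null} and a non-null id are not. */
    protected boolean areIdsEqual(String str, String str2) {
        return str == null ? str2 == null : str.equals(str2);
    }
}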
