package org.activiti.cloud.services.security;

import com.querydsl.core.types.Predicate;
import com.querydsl.core.types.dsl.BooleanExpression;
import com.querydsl.core.types.dsl.StringPath;
import java.util.List;
import org.activiti.api.runtime.shared.identity.UserGroupManager;
import org.activiti.api.runtime.shared.security.SecurityManager;
import org.activiti.cloud.services.query.model.QTaskEntity;
import org.activiti.cloud.services.query.model.QTaskVariableEntity;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;

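/**
 * Builds the QueryDSL restriction that limits task and task-variable queries to the tasks
 * the authenticated user may see.
 *
 * <p>With restrictions enabled and an authenticated user {@code u}, a task matches when any of
 * the following holds:
 * <ul>
 *   <li>{@code u} is the assignee;</li>
 *   <li>{@code u} is the owner;</li>
 *   <li>the task has no assignee and {@code u} is one of its candidate users;</li>
 *   <li>the task has no assignee and one of {@code u}'s groups is a candidate group;</li>
 *   <li>the task has no assignee, no candidate users and no candidate groups.</li>
 * </ul>
 *
 * <p>Security notes:
 * <ul>
 *   <li>The filter is skipped entirely when {@code restrictionsEnabled} is {@code false}
 *       (property {@code activiti.cloud.security.task.restrictions.enabled}, default
 *       {@code true}, or {@link #setRestrictionsEnabled(boolean)}).</li>
 *   <li>The filter is also skipped when the security manager reports no authenticated user id,
 *       so the caller's predicate is returned unrestricted. Endpoints using this service must
 *       therefore enforce authentication themselves.</li>
 *   <li>Unassigned tasks without any candidates are visible to every authenticated user.</li>
 * </ul>
 */
@Component
/* loaded from: input_file:BOOT-INF/lib/activiti-cloud-services-query-rest-7.0.97.jar:org/activiti/cloud/services/security/TaskLookupRestrictionService.class */
public class TaskLookupRestrictionService {
    private final UserGroupManager userGroupManager;
    private final SecurityManager securityManager;

    // Master switch for the per-user filter; defaults to true when the property is absent.
    @Value("${activiti.cloud.security.task.restrictions.enabled:true}")
    private boolean restrictionsEnabled;

    /**
     * Creates the service.
     *
     * @param userGroupManager resolves the groups of a user; a {@code null} manager is tolerated
     *                         and simply disables the candidate-group clause
     * @param securityManager  supplies the id of the currently authenticated user
     */
    @Autowired
    public TaskLookupRestrictionService(UserGroupManager userGroupManager, SecurityManager securityManager) {
        this.userGroupManager = userGroupManager;
        this.securityManager = securityManager;
    }

    /**
     * Restricts a query on {@code QTaskEntity.taskEntity} to the tasks visible to the current user.
     *
     * @param predicate the caller's filter, may be {@code null}
     * @return the caller's filter AND-ed with the visibility restriction, or the caller's filter
     *         unchanged when no restriction applies (see the class-level security notes)
     */
    public Predicate restrictTaskQuery(Predicate predicate) {
        return restrictTaskQuery(predicate, QTaskEntity.taskEntity);
    }

    /**
     * Restricts a task-variable query to variables whose owning task is visible to the current user.
     *
     * <p>The {@code task IS NOT NULL} condition is added before the visibility check, and it is
     * added even when restrictions are disabled.
     *
     * @param predicate the caller's filter, may be {@code null}
     * @return the combined predicate
     */
    public Predicate restrictTaskVariableQuery(Predicate predicate) {
        QTaskEntity task = QTaskVariableEntity.taskVariableEntity.task;
        Predicate withTask = addAndConditionToPredicate(predicate, task.isNotNull());
        return restrictTaskQuery(withTask, task);
    }

    /**
     * Applies the visibility rules described on the class to the given task path.
     *
     * @param predicate   the caller's filter, may be {@code null}
     * @param qTaskEntity the QueryDSL path of the task the rules are expressed against
     * @return the restricted predicate, or {@code predicate} unchanged when restrictions are
     *         disabled or no authenticated user id is available
     */
    private Predicate restrictTaskQuery(Predicate predicate, QTaskEntity qTaskEntity) {
        if (!restrictionsEnabled) {
            return predicate;
        }

        String userId = securityManager.getAuthenticatedUserId();
        if (userId == null) {
            // NOTE(review): fail-open. Without an authenticated user id no restriction is added
            // and the query runs with the caller's predicate only. Behaviour kept as-is because
            // callers may rely on it; confirm every caller sits behind authentication.
            return predicate;
        }

        // Candidate-based visibility only applies while nobody has claimed the task.
        BooleanExpression unassigned = qTaskEntity.assignee.isNull();

        // The user id is passed as a plain String value. The decompiled listing cast it to
        // StringPath, which does not compile; eq(String) is the intended overload.
        BooleanExpression visible = qTaskEntity.assignee.eq(userId)
            .or(qTaskEntity.owner.eq(userId))
            .or(qTaskEntity.taskCandidateUsers.any().userId.eq(userId).and(unassigned));

        List<String> groups = (userGroupManager != null) ? userGroupManager.getUserGroups(userId) : null;
        if (groups != null && !groups.isEmpty()) {
            visible = visible.or(qTaskEntity.taskCandidateGroups.any().groupId.in(groups).and(unassigned));
        }

        // Unassigned tasks with no candidates at all are open to any authenticated user.
        visible = visible.or(qTaskEntity.taskCandidateUsers.isEmpty()
            .and(qTaskEntity.taskCandidateGroups.isEmpty())
            .and(unassigned));

        return addAndConditionToPredicate(predicate, visible);
    }

    /**
     * AND-combines an optional caller predicate with an optional extra condition.
     *
     * @param predicate         the caller's filter, may be {@code null}
     * @param booleanExpression the condition to add, may be {@code null}
     * @return {@code predicate} when there is no condition, the condition alone when there is no
     *         predicate, otherwise {@code booleanExpression.and(predicate)}
     */
    private Predicate addAndConditionToPredicate(Predicate predicate, BooleanExpression booleanExpression) {
        if (booleanExpression == null) {
            return predicate;
        }
        if (predicate == null) {
            return booleanExpression;
        }
        return booleanExpression.and(predicate);
    }

    /**
     * Enables or disables the per-user task filter at runtime.
     *
     * <p>Passing {@code false} makes both public restrict methods stop filtering by user, so any
     * code path that can reach this setter controls task visibility for all queries.
     *
     * @param restrictionsEnabled {@code true} to apply the visibility rules
     */
    public void setRestrictionsEnabled(boolean restrictionsEnabled) {
        this.restrictionsEnabled = restrictionsEnabled;
    }

    /**
     * @return {@code true} when the per-user task filter is applied
     */
    public boolean isRestrictionsEnabled() {
        return restrictionsEnabled;
    }
}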
