package org.activiti.cloud.services.security;

import com.querydsl.core.BooleanBuilder;
import com.querydsl.core.types.EntityPath;
import com.querydsl.core.types.Predicate;
import com.querydsl.core.types.dsl.BooleanExpression;
import com.querydsl.jpa.JPAExpressions;
import jakarta.validation.constraints.NotNull;
import java.util.List;
import org.activiti.api.runtime.shared.security.SecurityManager;
import org.activiti.cloud.services.query.model.QProcessInstanceEntity;
import org.activiti.cloud.services.query.model.QTaskEntity;
import org.activiti.cloud.services.query.model.QTaskVariableEntity;
import org.activiti.cloud.services.query.rest.predicate.QueryDslPredicateFilter;
import org.springframework.beans.factory.annotation.Value;

/* loaded from: input_file:org/activiti/cloud/services/security/TaskLookupRestrictionService.class */
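/**
 * Appends per-user visibility conditions to QueryDSL predicates over tasks and task variables.
 *
 * <p>With restrictions enabled and an authenticated user id available, a task is visible when
 * the user is its assignee or owner, or when the task is unassigned and either names the user
 * (or one of the user's groups) as a candidate or has no candidates at all.
 *
 * <p>Security notes:
 * <ul>
 *   <li>Both switches default to {@code true} but can be turned off through configuration or
 *       the public setters. Turning {@code restrictionsEnabled} off returns the caller's
 *       predicate untouched.</li>
 *   <li>When the security manager reports no authenticated user id, no restriction is appended
 *       (see {@code restrictTaskQuery(Predicate, QTaskEntity)}).</li>
 * </ul>
 */
public class TaskLookupRestrictionService implements QueryDslPredicateFilter {
    private final SecurityManager securityManager;

    // Master switch for task visibility filtering; true unless the property overrides it.
    @Value("${activiti.cloud.security.task.restrictions.enabled:true}")
    private boolean restrictionsEnabled;

    // Enables the wider "involved user" rule used by restrictToInvolvedUsersQuery.
    @Value("${activiti.cloud.security.task.restrictions.involved.user.enabled:true}")
    private boolean restrictionsInvolvedUserEnabled;

    /**
     * @param securityManager source of the authenticated user id and group list; it is
     *     dereferenced without a null check by the query methods
     */
    public TaskLookupRestrictionService(SecurityManager securityManager) {
        this.securityManager = securityManager;
    }

    /**
     * Restricts a query rooted at {@code QTaskEntity.taskEntity}.
     *
     * @param predicate caller-supplied filter, may be {@code null}
     * @return the predicate combined with the visibility condition, when one applies
     */
    public Predicate restrictTaskQuery(Predicate predicate) {
        return restrictTaskQuery(predicate, QTaskEntity.taskEntity);
    }

    /** {@link QueryDslPredicateFilter} entry point; delegates to {@link #restrictTaskQuery(Predicate)}. */
    @Override
    public Predicate extend(@NotNull Predicate predicate) {
        return restrictTaskQuery(predicate);
    }

    /**
     * Restricts a task-variable query through the variable's owning task.
     *
     * @param predicate caller-supplied filter, may be {@code null}
     * @return the predicate narrowed to variables that have a task, plus the task visibility
     *     condition when one applies
     */
    public Predicate restrictTaskVariableQuery(Predicate predicate) {
        QTaskEntity owningTask = QTaskVariableEntity.taskVariableEntity.task;
        // The "task is not null" condition is added even when restrictions are disabled.
        Predicate withTask = addAndConditionToPredicate(predicate, owningTask.isNotNull());
        return restrictTaskQuery(withTask, owningTask);
    }

    /**
     * Restricts a task query to tasks the user is involved in: the user initiated the process
     * instance, the task's process instance contains at least one task visible to the user, or
     * the task itself is visible. Falls back to {@link #restrictTaskQuery(Predicate)} when the
     * involved-user switch is off.
     *
     * @param predicate caller-supplied filter, may be {@code null}
     * @return the predicate combined with the involved-user condition
     */
    public Predicate restrictToInvolvedUsersQuery(Predicate predicate) {
        if (!restrictionsInvolvedUserEnabled) {
            return restrictTaskQuery(predicate);
        }
        QTaskEntity task = QTaskEntity.taskEntity;
        QProcessInstanceEntity processInstance = QProcessInstanceEntity.processInstanceEntity;
        String userId = securityManager.getAuthenticatedUserId();
        // NOTE(review): this branch checks only the involved-user switch. If restrictionsEnabled
        // is false, or there is no user id, visibleTasks is an empty BooleanBuilder and the
        // subquery below carries no visibility filter - confirm that combination is intended.
        Predicate visibleTasks = restrictTaskQuery(new BooleanBuilder());

        // NOTE(review): userId is passed to eq() unchecked; QueryDSL is expected to reject a
        // null constant here - confirm how callers handle that for unauthenticated requests.
        BooleanExpression startedByUser = processInstance.initiator.eq(userId);
        BooleanExpression sharesProcessWithVisibleTask = task.processInstanceId.in(
            JPAExpressions.select(task.processInstanceId).from(task).where(visibleTasks));
        return addAndConditionToPredicate(
            predicate, startedByUser.or(sharesProcessWithVisibleTask).or(visibleTasks));
    }

    /**
     * Builds the visibility condition against the given task path and ANDs it with the
     * caller's predicate.
     *
     * @param predicate caller-supplied filter, may be {@code null}
     * @param qTaskEntity task path the conditions are expressed on
     * @return the combined predicate, or {@code predicate} unchanged when restrictions are
     *     disabled or no user id is available
     */
    private Predicate restrictTaskQuery(Predicate predicate, QTaskEntity qTaskEntity) {
        if (!restrictionsEnabled) {
            return predicate;
        }
        String userId = securityManager.getAuthenticatedUserId();
        if (userId == null) {
            // NOTE(review): fail-open. With no authenticated user id the query is returned
            // without any visibility condition. Confirm every caller runs behind
            // authentication, or consider rejecting the request here instead.
            return predicate;
        }

        BooleanExpression unassigned = qTaskEntity.assignee.isNull();
        BooleanExpression visible = qTaskEntity.assignee.eq(userId)
            .or(qTaskEntity.owner.eq(userId))
            .or(qTaskEntity.taskCandidateUsers.any().userId.eq(userId).and(unassigned));

        // securityManager was already dereferenced above, so no separate null check is needed.
        List<String> groups = securityManager.getAuthenticatedUserGroups();
        if (groups != null && !groups.isEmpty()) {
            visible = visible.or(
                qTaskEntity.taskCandidateGroups.any().groupId.in(groups).and(unassigned));
        }

        // Unassigned tasks with no candidate users and no candidate groups are visible to
        // every authenticated user.
        visible = visible.or(
            qTaskEntity.taskCandidateUsers.isEmpty()
                .and(qTaskEntity.taskCandidateGroups.isEmpty())
                .and(unassigned));
        return addAndConditionToPredicate(predicate, visible);
    }

    /**
     * ANDs {@code booleanExpression} with {@code predicate}, treating {@code null} on either
     * side as "no condition".
     */
    private Predicate addAndConditionToPredicate(Predicate predicate, BooleanExpression booleanExpression) {
        if (booleanExpression == null) {
            return predicate;
        }
        if (predicate == null) {
            return booleanExpression;
        }
        return booleanExpression.and(predicate);
    }

    /** Overrides the configured master switch; {@code false} disables task visibility filtering. */
    public void setRestrictionsEnabled(boolean z) {
        this.restrictionsEnabled = z;
    }

    public boolean isRestrictionsEnabled() {
        return this.restrictionsEnabled;
    }

    public boolean isRestrictionsInvolvedUserEnabled() {
        return this.restrictionsInvolvedUserEnabled;
    }

    /** Overrides the configured involved-user switch. */
    public void setRestrictionsInvolvedUserEnabled(boolean z) {
        this.restrictionsInvolvedUserEnabled = z;
    }
}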
