package org.alfresco.module.org_alfresco_module_rm.model.security;

import java.io.Serializable;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import org.alfresco.module.org_alfresco_module_rm.capability.Capability;
import org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService;
import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel;
import org.alfresco.repo.node.NodeServicePolicies;
import org.alfresco.repo.policy.Behaviour;
import org.alfresco.repo.policy.JavaBehaviour;
import org.alfresco.repo.policy.PolicyComponent;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.namespace.NamespaceService;
import org.alfresco.service.namespace.QName;
import org.alfresco.util.EqualsHelper;

/* loaded from: input_file:org/alfresco/module/org_alfresco_module_rm/model/security/ModelSecurityServiceImpl.class */
public class ModelSecurityServiceImpl implements ModelSecurityService, RecordsManagementModel, NodeServicePolicies.BeforeAddAspectPolicy, NodeServicePolicies.BeforeRemoveAspectPolicy, NodeServicePolicies.OnUpdatePropertiesPolicy {
    private PolicyComponent policyComponent;
    private NodeService nodeService;
    private NamespaceService namespaceService;
    private FilePlanService filePlanService;
    private boolean enabled = true;
    private Map<QName, ProtectedProperty> protectedProperties = new HashMap(21);
    private Map<QName, ProtectedAspect> protectedAspects = new HashMap(21);
    private JavaBehaviour beforeAddAspectBehaviour = new JavaBehaviour(this, "beforeAddAspect", Behaviour.NotificationFrequency.EVERY_EVENT);
    private JavaBehaviour beforeRemoveAspectBehaviour = new JavaBehaviour(this, "beforeRemoveAspect", Behaviour.NotificationFrequency.EVERY_EVENT);
    private JavaBehaviour onUpdatePropertiesBehaviour = new JavaBehaviour(this, "onUpdateProperties", Behaviour.NotificationFrequency.EVERY_EVENT);

    @Override // org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService
    public void setEnabled(boolean z) {
        this.enabled = z;
    }

    @Override // org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService
    public boolean isEnabled() {
        return this.enabled;
    }

    public void setPolicyComponent(PolicyComponent policyComponent) {
        this.policyComponent = policyComponent;
    }

    public void setNodeService(NodeService nodeService) {
        this.nodeService = nodeService;
    }

    public void setNamespaceService(NamespaceService namespaceService) {
        this.namespaceService = namespaceService;
    }

    public void setFilePlanService(FilePlanService filePlanService) {
        this.filePlanService = filePlanService;
    }

    public void init() {
        this.policyComponent.bindClassBehaviour(NodeServicePolicies.BeforeAddAspectPolicy.QNAME, this, this.beforeAddAspectBehaviour);
        this.policyComponent.bindClassBehaviour(NodeServicePolicies.BeforeRemoveAspectPolicy.QNAME, this, this.beforeRemoveAspectBehaviour);
        this.policyComponent.bindClassBehaviour(NodeServicePolicies.OnUpdatePropertiesPolicy.QNAME, this, this.onUpdatePropertiesBehaviour);
    }

    @Override // org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService
    public void disable() {
        this.beforeAddAspectBehaviour.disable();
        this.beforeRemoveAspectBehaviour.disable();
        this.onUpdatePropertiesBehaviour.disable();
    }

    @Override // org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService
    public void enable() {
        this.beforeAddAspectBehaviour.enable();
        this.beforeRemoveAspectBehaviour.enable();
        this.onUpdatePropertiesBehaviour.enable();
    }

    @Override // org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService
    public void register(ProtectedModelArtifact protectedModelArtifact) {
        if (protectedModelArtifact instanceof ProtectedProperty) {
            this.protectedProperties.put(protectedModelArtifact.getQName(), (ProtectedProperty) protectedModelArtifact);
        } else if (protectedModelArtifact instanceof ProtectedAspect) {
            this.protectedAspects.put(protectedModelArtifact.getQName(), (ProtectedAspect) protectedModelArtifact);
        }
    }

    @Override // org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService
    public boolean isProtectedProperty(QName qName) {
        return this.protectedProperties.containsKey(qName);
    }

    @Override // org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService
    public Set<QName> getProtectedProperties() {
        return Collections.unmodifiableSet(this.protectedProperties.keySet());
    }

    @Override // org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService
    public ProtectedProperty getProtectedProperty(QName qName) {
        return this.protectedProperties.get(qName);
    }

    @Override // org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService
    public boolean canEditProtectedProperty(NodeRef nodeRef, QName qName) {
        ProtectedProperty protectedProperty = getProtectedProperty(qName);
        return protectedProperty == null ? true : canEdit(nodeRef, protectedProperty);
    }

    private boolean canEdit(NodeRef nodeRef, ProtectedModelArtifact protectedModelArtifact) {
        boolean z = false;
        if (this.filePlanService.getFilePlan(nodeRef) != null) {
            Iterator<Capability> it = protectedModelArtifact.getCapabilities().iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                if (it.next().hasPermission(nodeRef).equals(AccessStatus.ALLOWED)) {
                    z = true;
                    break;
                }
            }
        }
        return z;
    }

    @Override // org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService
    public boolean isProtectedAspect(QName qName) {
        return this.protectedAspects.containsKey(qName);
    }

    @Override // org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService
    public Set<QName> getProtectedAspects() {
        return Collections.unmodifiableSet(this.protectedAspects.keySet());
    }

    @Override // org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService
    public ProtectedAspect getProtectedAspect(QName qName) {
        return this.protectedAspects.get(qName);
    }

    @Override // org.alfresco.module.org_alfresco_module_rm.model.security.ModelSecurityService
    public boolean canEditProtectedAspect(NodeRef nodeRef, QName qName) {
        ProtectedAspect protectedAspect = getProtectedAspect(qName);
        return protectedAspect == null ? true : canEdit(nodeRef, protectedAspect);
    }

    public void beforeAddAspect(NodeRef nodeRef, QName qName) {
        if (this.enabled && AuthenticationUtil.getFullyAuthenticatedUser() != null && !AuthenticationUtil.isRunAsUserTheSystemUser() && isProtectedAspect(qName) && this.nodeService.exists(nodeRef) && !canEditProtectedAspect(nodeRef, qName)) {
            throw new ModelAccessDeniedException("The user " + AuthenticationUtil.getFullyAuthenticatedUser() + " does not have the permission to add the protected aspect " + qName.toPrefixString(this.namespaceService) + " from the node " + nodeRef.toString());
        }
    }

    public void beforeRemoveAspect(NodeRef nodeRef, QName qName) {
        if (this.enabled && AuthenticationUtil.getFullyAuthenticatedUser() != null && !AuthenticationUtil.isRunAsUserTheSystemUser() && isProtectedAspect(qName) && this.nodeService.exists(nodeRef) && !canEditProtectedAspect(nodeRef, qName)) {
            throw new ModelAccessDeniedException("The user " + AuthenticationUtil.getFullyAuthenticatedUser() + " does not have the permission to remove the protected aspect " + qName.toPrefixString(this.namespaceService) + " from the node " + nodeRef.toString());
        }
    }

    public void onUpdateProperties(NodeRef nodeRef, Map<QName, Serializable> map, Map<QName, Serializable> map2) {
        if (!this.enabled || AuthenticationUtil.getFullyAuthenticatedUser() == null || AuthenticationUtil.isRunAsUserTheSystemUser() || !this.nodeService.exists(nodeRef)) {
            return;
        }
        for (QName qName : map2.keySet()) {
            if (isProtectedProperty(qName)) {
                if (map == null || map.isEmpty() || map.get(qName) == null) {
                    return;
                }
                if (!EqualsHelper.nullSafeEquals(map.get(qName), map2.get(qName)) && !canEditProtectedProperty(nodeRef, qName)) {
                    throw new ModelAccessDeniedException("The user " + AuthenticationUtil.getFullyAuthenticatedUser() + " does not have the permission to edit the protected property " + qName.toPrefixString(this.namespaceService) + " on the node " + nodeRef.toString());
                }
            }
        }
    }
}
