package org.alfresco.module.org_alfresco_module_rm.capability;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.ConfigAttribute;
import net.sf.acegisecurity.vote.AccessDecisionVoter;
import org.alfresco.error.AlfrescoRuntimeException;
import org.alfresco.module.org_alfresco_module_rm.capability.policy.ConfigAttributeDefinition;
import org.alfresco.module.org_alfresco_module_rm.capability.policy.Policy;
import org.alfresco.module.org_alfresco_module_rm.security.RMMethodSecurityInterceptor;
import org.alfresco.module.org_alfresco_module_rm.util.AlfrescoTransactionSupport;
import org.alfresco.module.org_alfresco_module_rm.util.AuthenticationUtil;
import org.alfresco.module.org_alfresco_module_rm.util.TransactionalResourceHelper;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.namespace.NamespacePrefixResolver;
import org.aopalliance.intercept.MethodInvocation;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.InitializingBean;

/* loaded from: input_file:org/alfresco/module/org_alfresco_module_rm/capability/RMEntryVoter.class */
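/**
 * Access-decision voter for method invocations secured with Records Management
 * config attributes (the {@code RM_ABSTAIN}, {@code RM_QUERY}, {@code RM_ALLOW},
 * {@code RM_DENY}, {@code RM_CAP} and {@code RM} types of
 * {@link ConfigAttributeDefinition}).
 *
 * <p>Security-relevant behaviour worth knowing before changing this class:
 * <ul>
 *   <li>A vote that starts while another vote is already in progress in the same
 *       transaction is granted without evaluation (re-entrancy guard).</li>
 *   <li>The system run-as user is always granted.</li>
 *   <li>A capability or policy that abstains is treated as a denial.</li>
 *   <li>A definition whose parameter index does not fit the invoked method's
 *       argument list is skipped; if nothing else denies, the vote is granted.</li>
 * </ul>
 */
public class RMEntryVoter extends RMSecurityCommon implements AccessDecisionVoter, InitializingBean, PolicyRegister {
    private static final Log logger = LogFactory.getLog(RMEntryVoter.class);

    /** Transaction-resource key that marks "a vote is currently being evaluated". */
    private static final String VOTING_KEY = "voting";

    // Vote values returned by this voter. The log messages in vote() tie 1 to "granted",
    // 0 to "abstained" and -1 to "denied"; they mirror the acegi voter conventions.
    private static final int VOTE_GRANTED = 1;
    private static final int VOTE_ABSTAIN = 0;
    private static final int VOTE_DENIED = -1;

    private NamespacePrefixResolver nspr;
    private CapabilityService capabilityService;
    private TransactionalResourceHelper transactionalResourceHelper;
    private AlfrescoTransactionSupport alfrescoTransactionSupport;
    private AuthenticationUtil authenticationUtil;

    // Policies by name. NOTE(review): plain HashMap with unsynchronised writes; presumably
    // registration only happens during bean initialisation - confirm against the callers.
    private Map<String, Policy> policies = new HashMap<String, Policy>();

    /** @param capabilityService service used to look up capabilities by name */
    public void setCapabilityService(CapabilityService capabilityService) {
        this.capabilityService = capabilityService;
    }

    /** @param namespacePrefixResolver resolver handed to every parsed {@link ConfigAttributeDefinition} */
    public void setNamespacePrefixResolver(NamespacePrefixResolver namespacePrefixResolver) {
        this.nspr = namespacePrefixResolver;
    }

    /** @param transactionalResourceHelper helper used to test for the in-progress vote marker */
    public void setTransactionalResourceHelper(TransactionalResourceHelper transactionalResourceHelper) {
        this.transactionalResourceHelper = transactionalResourceHelper;
    }

    /** @param alfrescoTransactionSupport support object used to bind and unbind the in-progress vote marker */
    public void setAlfrescoTransactionSupport(AlfrescoTransactionSupport alfrescoTransactionSupport) {
        this.alfrescoTransactionSupport = alfrescoTransactionSupport;
    }

    /** @param authenticationUtil utility used to detect the system run-as user */
    public void setAuthenticationUtil(AuthenticationUtil authenticationUtil) {
        this.authenticationUtil = authenticationUtil;
    }

    /**
     * Registers a policy under its own name.
     *
     * <p>A policy registered later under the same name silently replaces the earlier one.
     *
     * @param policy policy to make available to {@code RM} config attributes
     */
    @Override
    public void registerPolicy(Policy policy) {
        this.policies.put(policy.getName(), policy);
    }

    /**
     * Tells whether this voter understands the given config attribute.
     *
     * @param configAttribute attribute attached to a secured method
     * @return {@code true} when the attribute text is non-blank and equals or starts with one
     *         of the RM attribute markers, {@code false} otherwise
     */
    public boolean supports(ConfigAttribute configAttribute) {
        String attribute = configAttribute.getAttribute();
        if (StringUtils.isBlank(attribute)) {
            return false;
        }
        return attribute.equals(ConfigAttributeDefinition.RM_ABSTAIN)
                || attribute.equals(ConfigAttributeDefinition.RM_QUERY)
                || attribute.equals(ConfigAttributeDefinition.RM_ALLOW)
                || attribute.equals(ConfigAttributeDefinition.RM_DENY)
                || attribute.startsWith(ConfigAttributeDefinition.RM_CAP)
                || attribute.startsWith(ConfigAttributeDefinition.RM);
    }

    /**
     * Tells whether this voter can vote on secured objects of the given class.
     *
     * @param cls class of the secured object (left raw so the signature stays exactly as declared)
     * @return {@code true} when {@code cls} is {@link MethodInvocation} or one of its supertypes
     */
    public boolean supports(Class cls) {
        return MethodInvocation.class.isAssignableFrom(cls);
    }

    /**
     * Votes on a secured method invocation.
     *
     * <p>The in-progress marker bound for the duration of the evaluation is released in a
     * single {@code finally} block, so it is unbound exactly once on every exit path,
     * including exceptional ones.
     *
     * @param authentication caller's authentication (not read by this method)
     * @param obj the secured object; must be a {@link MethodInvocation}
     * @param configAttributeDefinition config attributes attached to the invoked method
     * @return {@code 1} to grant, {@code 0} to abstain (no supported RM attribute, or
     *         {@code RM_ABSTAIN}), {@code -1} to deny
     * @throws ClassCastException if {@code obj} is non-null and not a {@link MethodInvocation}
     * @throws AlfrescoRuntimeException if {@code obj} is {@code null} when the type check is
     *         reached, or if a referenced capability or policy does not exist
     */
    public int vote(Authentication authentication, Object obj, net.sf.acegisecurity.ConfigAttributeDefinition configAttributeDefinition) {
        // NOTE(review): presumably records that the RM voter ran for this call - confirm
        // against RMMethodSecurityInterceptor.
        RMMethodSecurityInterceptor.isRMSecurityChecked(true);
        MethodInvocation invocation = (MethodInvocation) obj;

        // Re-entrancy guard: secured calls made while a vote is being evaluated are granted
        // without evaluation. Everything invoked from capability/policy evaluation therefore
        // bypasses this voter - keep that code path small and audited.
        if (this.transactionalResourceHelper.isResourcePresent(VOTING_KEY)) {
            if (logger.isDebugEnabled()) {
                logger.debug(" .. grant access already voting: " + invocation.getMethod().getDeclaringClass().getName() + "." + invocation.getMethod().getName());
            }
            return VOTE_GRANTED;
        }

        if (logger.isDebugEnabled()) {
            logger.debug("Method: " + invocation.getMethod().getDeclaringClass().getName() + "." + invocation.getMethod().getName());
        }

        this.alfrescoTransactionSupport.bindResource(VOTING_KEY, true);
        try {
            // Unconditional bypass for the system run-as user.
            if (this.authenticationUtil.isRunAsUserTheSystemUser()) {
                if (logger.isDebugEnabled()) {
                    logger.debug("Access granted for the system user");
                }
                return VOTE_GRANTED;
            }

            List<ConfigAttributeDefinition> supported = extractSupportedDefinitions(configAttributeDefinition);
            if (supported.isEmpty()) {
                // Nothing RM-specific on this method: leave the decision to other voters.
                return VOTE_ABSTAIN;
            }

            // A non-null object of another type already failed the cast above, so this
            // check is effectively reached only for null.
            if (!(obj instanceof MethodInvocation)) {
                throw new AlfrescoRuntimeException("Passed object is not an instance of MethodInvocation as expected.");
            }
            Class<?>[] parameterTypes = invocation.getMethod().getParameterTypes();

            for (ConfigAttributeDefinition definition : supported) {
                // Not written constant-first on purpose: a null type must keep failing here
                // rather than fall through to the grant at the end of the loop.
                String type = definition.getTypeString();

                if (type.equals(ConfigAttributeDefinition.RM_DENY)) {
                    RMMethodSecurityInterceptor.addMessage("RM_DENY: check that a security policy has been set for this method");
                    return VOTE_DENIED;
                }
                if (type.equals(ConfigAttributeDefinition.RM_ABSTAIN)) {
                    return VOTE_ABSTAIN;
                }
                if (type.equals(ConfigAttributeDefinition.RM_ALLOW)) {
                    return VOTE_GRANTED;
                }
                if (type.equals(ConfigAttributeDefinition.RM_QUERY)) {
                    return VOTE_GRANTED;
                }

                // NOTE(review): a definition whose parameter index is not smaller than the
                // argument count is skipped, not denied. A method annotated with a wrong
                // index therefore ends up granted if nothing else denies - worth covering
                // with a configuration test.
                boolean firstIndexFits = definition.getParameters().get(0) == null
                        || definition.getParameters().get(0).intValue() < invocation.getArguments().length;
                if (!firstIndexFits) {
                    continue;
                }
                boolean secondIndexFits = definition.getParameters().get(1) == null
                        || definition.getParameters().get(1).intValue() < invocation.getArguments().length;
                if (!secondIndexFits) {
                    continue;
                }

                if (type.equals(ConfigAttributeDefinition.RM_CAP)) {
                    switch (checkCapability(invocation, parameterTypes, definition)) {
                        case VOTE_DENIED:
                            return VOTE_DENIED;
                        case VOTE_ABSTAIN:
                            // Fail closed: an abstaining capability denies.
                            logAbstain("Capability", definition.getRequired(), invocation);
                            return VOTE_DENIED;
                        default:
                            // NOTE(review): every other result, not just "granted", lets the
                            // loop continue towards the final grant.
                            break;
                    }
                }
                if (type.equals(ConfigAttributeDefinition.RM)) {
                    switch (checkPolicy(invocation, parameterTypes, definition)) {
                        case VOTE_DENIED:
                            RMMethodSecurityInterceptor.addMessage("Policy " + definition.getPolicyName() + " denied.");
                            return VOTE_DENIED;
                        case VOTE_ABSTAIN:
                            // Fail closed: an abstaining policy denies.
                            logAbstain("Policy", definition.getPolicyName(), invocation);
                            return VOTE_DENIED;
                        default:
                            // NOTE(review): same as above - any other result is non-blocking.
                            break;
                    }
                }
            }
            return VOTE_GRANTED;
        } finally {
            // Single release point for the re-entrancy marker.
            this.alfrescoTransactionSupport.unbindResource(VOTING_KEY);
        }
    }

    /**
     * Logs that a capability or policy abstained; at trace level a throwable is attached so
     * the call path shows up in the log. Does nothing unless debug logging is enabled.
     */
    private static void logAbstain(String kind, Object name, MethodInvocation invocation) {
        if (!logger.isDebugEnabled()) {
            return;
        }
        String message = kind + " " + name + " abstained for " + invocation.getMethod();
        if (logger.isTraceEnabled()) {
            logger.trace(message, new IllegalStateException());
        } else {
            logger.debug(message);
        }
    }

    /**
     * Evaluates the capability named by an {@code RM_CAP} definition against the node taken
     * from the invocation's arguments.
     *
     * @return {@code 0} when no test node could be resolved, otherwise the raw result of the
     *         capability's permission check
     * @throws AlfrescoRuntimeException if the named capability is not known to the capability service
     */
    private int checkCapability(MethodInvocation methodInvocation, Class<?>[] parameterTypes, ConfigAttributeDefinition definition) {
        // getTestNode is not defined in this class; presumably inherited from RMSecurityCommon.
        NodeRef testNode = getTestNode(methodInvocation, parameterTypes, definition.getParameters().get(0).intValue(), definition.isParent());
        if (testNode == null) {
            return VOTE_ABSTAIN;
        }
        Capability capability = this.capabilityService.getCapability(definition.getRequired().getName());
        if (capability == null) {
            // A secured method that references an unknown capability is a configuration error.
            throw new AlfrescoRuntimeException("The capability '" + definition.getRequired().getName() + "' set on method '" + methodInvocation.getMethod().getName() + "' does not exist.");
        }
        return capability.hasPermissionRaw(testNode);
    }

    /**
     * Evaluates the registered policy named by an {@code RM} definition.
     *
     * @return the result of the policy's evaluation
     * @throws AlfrescoRuntimeException if no policy has been registered under that name
     */
    private int checkPolicy(MethodInvocation methodInvocation, Class<?>[] parameterTypes, ConfigAttributeDefinition definition) {
        Policy policy = this.policies.get(definition.getPolicyName());
        if (policy == null) {
            // A secured method that references an unregistered policy is a configuration error.
            throw new AlfrescoRuntimeException("The policy '" + definition.getPolicyName() + "' set on the method '" + methodInvocation.getMethod().getName() + "' does not exist.");
        }
        return policy.evaluate(methodInvocation, parameterTypes, definition);
    }

    /**
     * Intentionally empty. NOTE(review): the injected collaborators are not validated here,
     * so a missing setter call only surfaces as a NullPointerException during a vote.
     */
    public void afterPropertiesSet() {
    }

    /**
     * Parses the config attributes this voter supports into RM definitions.
     *
     * @param configAttributeDefinition all config attributes attached to the invoked method
     * @return the supported attributes in iteration order; empty when there are none
     */
    private List<ConfigAttributeDefinition> extractSupportedDefinitions(net.sf.acegisecurity.ConfigAttributeDefinition configAttributeDefinition) {
        List<ConfigAttributeDefinition> supported = new ArrayList<ConfigAttributeDefinition>(2);
        Iterator<?> attributes = configAttributeDefinition.getConfigAttributes();
        while (attributes.hasNext()) {
            ConfigAttribute attribute = (ConfigAttribute) attributes.next();
            if (supports(attribute)) {
                supported.add(new ConfigAttributeDefinition(attribute, this.nspr));
            }
        }
        return supported;
    }
}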
