package org.ametys.cms.model.restrictions;

import com.opensymphony.workflow.spi.Step;
import java.util.Iterator;
import java.util.Set;
import org.ametys.cms.content.indexing.solr.SolrFieldNames;
import org.ametys.cms.repository.Content;
import org.ametys.cms.repository.WorkflowAwareContent;
import org.ametys.core.right.RightManager;
import org.ametys.core.user.CurrentUserProvider;
import org.ametys.core.user.UserIdentity;
import org.ametys.plugins.repository.AmetysRepositoryException;
import org.ametys.plugins.workflow.support.WorkflowProvider;
import org.ametys.runtime.model.ModelItem;
import org.apache.avalon.framework.component.Component;
import org.apache.avalon.framework.configuration.Configuration;
import org.apache.avalon.framework.configuration.ConfigurationException;
import org.apache.avalon.framework.service.ServiceException;
import org.apache.avalon.framework.service.ServiceManager;
import org.apache.avalon.framework.service.Serviceable;

/* loaded from: input_file:org/ametys/cms/model/restrictions/ContentRestrictedModelItemHelper.class */
public class ContentRestrictedModelItemHelper implements Component, Serviceable {
    public static final String ROLE = ContentRestrictedModelItemHelper.class.getName();
    private RightManager _rightManager;
    private CurrentUserProvider _currentUserProvider;
    private WorkflowProvider _workflowProvider;

    /* loaded from: input_file:org/ametys/cms/model/restrictions/ContentRestrictedModelItemHelper$FirstRestrictionsChecksState.class */
    public enum FirstRestrictionsChecksState {
        TRUE,
        FALSE,
        UNKNOWN
    }

    public void service(ServiceManager serviceManager) throws ServiceException {
        this._rightManager = (RightManager) serviceManager.lookup(RightManager.ROLE);
        this._currentUserProvider = (CurrentUserProvider) serviceManager.lookup(CurrentUserProvider.ROLE);
        this._workflowProvider = (WorkflowProvider) serviceManager.lookup(WorkflowProvider.ROLE);
    }

    public boolean canRead(Content content, ModelItem modelItem, Restrictions restrictions) throws AmetysRepositoryException {
        FirstRestrictionsChecksState _doFirstRestrictionsChecks = _doFirstRestrictionsChecks(content, restrictions, true);
        if (!FirstRestrictionsChecksState.UNKNOWN.equals(_doFirstRestrictionsChecks)) {
            return FirstRestrictionsChecksState.TRUE.equals(_doFirstRestrictionsChecks);
        }
        RestrictedModelItem parent = modelItem.getParent();
        if (parent == null || !(parent instanceof RestrictedModelItem)) {
            return true;
        }
        return parent.canRead(content);
    }

    public boolean canWrite(Content content, ModelItem modelItem, Restrictions restrictions) throws AmetysRepositoryException {
        FirstRestrictionsChecksState _doFirstRestrictionsChecks = _doFirstRestrictionsChecks(content, restrictions, false);
        if (!FirstRestrictionsChecksState.UNKNOWN.equals(_doFirstRestrictionsChecks)) {
            return FirstRestrictionsChecksState.TRUE.equals(_doFirstRestrictionsChecks);
        }
        RestrictedModelItem parent = modelItem.getParent();
        return (parent == null || !(parent instanceof RestrictedModelItem)) ? canRead(content, modelItem, restrictions) : parent.canWrite(content);
    }

    public FirstRestrictionsChecksState _doFirstRestrictionsChecks(Content content, Restrictions restrictions, boolean z) {
        if (restrictions == null) {
            return FirstRestrictionsChecksState.TRUE;
        }
        if ((z && restrictions.cannotRead()) || (!z && restrictions.cannotWrite())) {
            return FirstRestrictionsChecksState.FALSE;
        }
        if (content == null) {
            return FirstRestrictionsChecksState.TRUE;
        }
        if (!_hasRights(content, z ? restrictions.getReadRightIds() : restrictions.getWriteRightIds())) {
            return FirstRestrictionsChecksState.FALSE;
        }
        if (content instanceof WorkflowAwareContent) {
            if (!_isInWorkflowStep((WorkflowAwareContent) content, z ? restrictions.getReadWorkflowfStepIds() : restrictions.getWriteWorkflowfStepIds())) {
                return FirstRestrictionsChecksState.FALSE;
            }
        }
        return FirstRestrictionsChecksState.UNKNOWN;
    }

    private boolean _hasRights(Content content, Set<String> set) {
        if (set.isEmpty()) {
            return true;
        }
        UserIdentity user = this._currentUserProvider.getUser();
        Iterator<String> it = set.iterator();
        while (it.hasNext()) {
            if (this._rightManager.hasRight(user, it.next(), content) == RightManager.RightResult.RIGHT_ALLOW) {
                return true;
            }
        }
        return false;
    }

    private boolean _isInWorkflowStep(WorkflowAwareContent workflowAwareContent, Set<Integer> set) throws AmetysRepositoryException {
        if (set.isEmpty()) {
            return true;
        }
        for (Step step : this._workflowProvider.getAmetysObjectWorkflow(workflowAwareContent).getCurrentSteps(workflowAwareContent.getWorkflowId())) {
            Iterator<Integer> it = set.iterator();
            while (it.hasNext()) {
                if (step.getStepId() == it.next().intValue()) {
                    return true;
                }
            }
        }
        return false;
    }

    public Restrictions _parseRestrictions(Configuration configuration) throws ConfigurationException {
        Restrictions restrictions = new Restrictions();
        populateRestrictions(configuration, restrictions);
        return restrictions;
    }

    public void populateRestrictions(Configuration configuration, Restrictions restrictions) throws ConfigurationException {
        Configuration child = configuration.getChild("restrict-to", true);
        _populateNegativeRestrictions(child, restrictions);
        _populateRightRestrictions(child, restrictions);
        _populateWorkflowRestrictions(child, restrictions);
    }

    private void _populateNegativeRestrictions(Configuration configuration, Restrictions restrictions) throws ConfigurationException {
        for (Configuration configuration2 : configuration.getChildren("cannot")) {
            if (_parseAccessType(configuration2)) {
                restrictions.setCannotRead(true);
            } else {
                restrictions.setCannotWrite(true);
            }
        }
    }

    private void _populateRightRestrictions(Configuration configuration, Restrictions restrictions) throws ConfigurationException {
        for (Configuration configuration2 : configuration.getChildren("right")) {
            String attribute = configuration2.getAttribute(SolrFieldNames.ID, (String) null);
            if (attribute == null) {
                throw new ConfigurationException("Attribute 'id' is mandatory on 'right' element in a content type configuration.", configuration2);
            }
            if (_parseAccessType(configuration2)) {
                restrictions.addReadRightIds(attribute);
            } else {
                restrictions.addWriteRightIds(attribute);
            }
        }
    }

    private void _populateWorkflowRestrictions(Configuration configuration, Restrictions restrictions) throws ConfigurationException {
        for (Configuration configuration2 : configuration.getChildren("workflow")) {
            String attribute = configuration2.getAttribute("step", (String) null);
            int i = -1;
            if (attribute != null) {
                try {
                    i = Integer.valueOf(attribute).intValue();
                } catch (NumberFormatException e) {
                }
            }
            if (_parseAccessType(configuration2)) {
                restrictions.addReadWorkflowfStepIds(Integer.valueOf(i));
            } else {
                restrictions.addWriteWorkflowfStepIds(Integer.valueOf(i));
            }
        }
    }

    private boolean _parseAccessType(Configuration configuration) throws ConfigurationException {
        String attribute = configuration.getAttribute("read-write-direction");
        if ("read".equalsIgnoreCase(attribute)) {
            return true;
        }
        if ("write".equalsIgnoreCase(attribute)) {
            return false;
        }
        throw new ConfigurationException("Attribute 'type' must be 'read' or 'write'.", configuration);
    }
}
