package com.axelor.auth;

import com.axelor.auth.db.Permission;
import com.axelor.auth.db.User;
import com.axelor.db.JpaSecurity;
import com.axelor.db.Model;
import com.axelor.rpc.filter.Filter;
import com.axelor.rpc.filter.JPQLFilter;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import groovy.lang.Binding;
import groovy.lang.GroovyShell;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.inject.Provider;
import javax.inject.Singleton;
import org.apache.shiro.authz.UnauthorizedException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

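/**
 * {@link JpaSecurity} implementation that decides class-level and record-level access from the
 * {@link Permission} objects that {@link AuthResolver} resolves for the current user.
 *
 * <p>Security-relevant behaviour visible in this class:
 *
 * <ul>
 *   <li><b>Fail-open for "no user".</b> {@link #getUser()} returns {@code null} both when
 *       {@code AuthUtils.getUser()} yields no user and when the user is an admin. In that case
 *       {@link #hasRole}, {@link #isPermitted} return {@code true} and {@link #getFilter} returns
 *       {@code null} (no restriction). NOTE(review): confirm that unauthenticated requests are
 *       rejected before they can reach this class.
 *   <li><b>Dynamic evaluation.</b> Permission condition parameters that start with
 *       {@code __user__.} are evaluated as Groovy code, see {@link Condition}.
 *   <li><b>Logging.</b> Every decision is logged at INFO, including the user code, the built
 *       filter and its parameters. NOTE(review): check that the log sink is access-controlled and
 *       that this level is intended for production.
 * </ul>
 */
@Singleton
/* loaded from: input_file:com/axelor/auth/AuthSecurity.class */
class AuthSecurity implements JpaSecurity, Provider<JpaSecurity> {
    private static final Logger LOG = LoggerFactory.getLogger(AuthSecurity.class);
    private AuthResolver authResolver = new AuthResolver();

    /**
     * A permission condition turned into a {@link JPQLFilter}: the condition text is the query
     * fragment and the comma-separated parameter list supplies its positional arguments.
     */
    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/axelor/auth/AuthSecurity$Condition.class */
    public static final class Condition {
        private Filter filter;

        /**
         * Builds the filter for one permission condition.
         *
         * @param user the user the condition is evaluated for; bound as {@code __user__}
         * @param str the condition text handed to {@link JPQLFilter} as the query
         * @param str2 comma-separated parameter list, may be {@code null}. Each trimmed item is
         *     either the literal {@code __user__} (replaced by the user object), an expression
         *     starting with {@code __user__.} (evaluated as Groovy), or a plain string value.
         */
        public Condition(User user, String str, String str2) {
            ArrayList<Object> params = Lists.newArrayList();
            // A null or empty list still yields one item (""), because "".split(",") returns
            // a single empty string. Kept as-is; JPQLFilter is not visible from here.
            // The split is purely textual, so a Groovy expression containing a comma is cut
            // into several parameters.
            for (String rawItem : (str2 == null ? "" : str2).split(",")) {
                String item = rawItem.trim();
                if ("__user__".equals(item)) {
                    params.add(user);
                } else if (item.startsWith("__user__.")) {
                    params.add(eval(user, "__user__", item));
                } else {
                    params.add(item);
                }
            }
            // Parameter values are passed separately from the query text; the query text itself
            // (str) comes straight from the permission's condition.
            this.filter = new JPQLFilter(str, params.toArray());
        }

        /**
         * Evaluates {@code str2} as a Groovy script with {@code obj} bound to the variable named
         * {@code str}.
         *
         * @return the script result, or {@code null} when {@code obj} is {@code null}
         */
        private Object eval(Object obj, String str, String str2) {
            if (obj == null) {
                return null;
            }
            // SECURITY(review): str2 is taken from Permission.getConditionParams() and is run
            // as an unrestricted Groovy script inside the server JVM. The only gate is the
            // "__user__." prefix check in the constructor, which does not limit what follows.
            // Whoever can write permission records (presumably persisted; verify) therefore holds
            // code-execution rights on the server. Mitigations to consider: resolve the value
            // with a plain property-path lookup instead of a script engine, or compile with a
            // restricted CompilerConfiguration (e.g. Groovy's SecureASTCustomizer); restrict and
            // audit write access to permissions either way.
            Binding binding = new Binding(ImmutableMap.of(str, obj));
            return new GroovyShell(binding).evaluate(str2);
        }

        /** Returns the filter built from the condition. */
        public Filter getFilter() {
            return this.filter;
        }

        /** Returns the query text of the underlying filter. */
        @Override
        public String toString() {
            return this.filter.getQuery();
        }
    }

    AuthSecurity() {
    }

    /**
     * Returns the user whose permissions must be checked.
     *
     * @return the current user, or {@code null} when there is no current user <em>or</em> the user
     *     is an admin. Every caller in this class treats {@code null} as "unrestricted".
     */
    private User getUser() {
        User user = AuthUtils.getUser();
        if (user == null || AuthUtils.isAdmin(user)) {
            return null;
        }
        return user;
    }

    /**
     * Wraps the permission's condition in a {@link Condition}.
     *
     * @param accessType not used by this method
     * @return the condition, or {@code null} when the permission has no (non-blank) condition
     */
    private Condition getCondition(User user, Permission permission, JpaSecurity.AccessType accessType) {
        String condition = permission.getCondition();
        String conditionParams = permission.getConditionParams();
        if (condition == null || "".equals(condition.trim())) {
            return null;
        }
        return new Condition(user, condition, conditionParams);
    }

    /**
     * Tells whether the current user has the given role.
     *
     * @return {@code true} when {@link #getUser()} is {@code null} (no user or admin), otherwise
     *     the result of {@code AuthUtils.hasRole}
     */
    @Override // com.axelor.db.JpaSecurity
    public boolean hasRole(String str) {
        User user = getUser();
        if (user == null) {
            return true;
        }
        return AuthUtils.hasRole(user, str);
    }

    /**
     * Collects every {@link JpaSecurity.AccessType} for which {@link #isPermitted} grants access
     * to the given model class and record id.
     */
    @Override // com.axelor.db.JpaSecurity
    public Set<JpaSecurity.AccessType> getAccessTypes(Class<? extends Model> cls, Long l) {
        LOG.info("**** getAccessTypes for {} with id {}", cls.getName(), l);
        HashSet<JpaSecurity.AccessType> granted = Sets.newHashSet();
        for (JpaSecurity.AccessType accessType : JpaSecurity.AccessType.values()) {
            if (isPermitted(accessType, cls, l)) {
                granted.add(accessType);
            }
        }
        return granted;
    }

    /**
     * Builds the record filter for the current user: the OR of all permission conditions,
     * AND-ed with an {@code id IN (...)} restriction when ids are given.
     *
     * <p>A {@code null} result means "no row restriction", not "access denied": it is returned
     * for an unrestricted user, for a user without any matching permission, and when there are
     * neither conditions nor ids. Callers that need a deny decision must use
     * {@link #isPermitted} or {@link #check}; using the filter alone would treat a user without
     * permissions as unrestricted.
     *
     * @param lArr record ids; {@code null}, empty, or a {@code null} first element all mean
     *     "no id restriction"
     * @return the combined filter, or {@code null} as described above
     */
    @Override // com.axelor.db.JpaSecurity
    public Filter getFilter(JpaSecurity.AccessType accessType, Class<? extends Model> cls, Long... lArr) {
        User user = getUser();
        if (user == null) {
            return null;
        }
        Set<Permission> permissions = this.authResolver.resolve(user, cls.getName(), accessType);
        if (permissions.isEmpty()) {
            return null;
        }
        ArrayList<Filter> conditionFilters = Lists.newArrayList();
        for (Permission permission : permissions) {
            Condition condition = getCondition(user, permission, accessType);
            if (condition != null) {
                conditionFilters.add(condition.getFilter());
            }
        }
        // The previous code read lArr.length before its own null check, so an explicit null
        // array threw NullPointerException. Null is now handled like an empty id list.
        boolean hasIds = lArr != null && lArr.length > 0 && lArr[0] != null;
        Filter anyCondition = conditionFilters.isEmpty() ? null : Filter.or(conditionFilters);
        if (!hasIds) {
            return anyCondition;
        }
        Filter idFilter = Filter.in("id", Lists.newArrayList(lArr));
        return anyCondition == null ? idFilter : Filter.and(anyCondition, idFilter, new Filter[0]);
    }

    /**
     * Decides whether the current user may perform {@code accessType} on the model class and,
     * when ids are given, on exactly those records.
     *
     * <p>Decision order: unrestricted user → allow; no matching permission → deny; any
     * unconditional permission for which {@code AuthResolver.hasAccess} is false → deny; no ids →
     * allow; no filter → allow; otherwise allow only if the filter matches as many records as ids
     * were passed.
     *
     * <p>Without ids the permission conditions are not evaluated here, so a {@code true} result
     * is a class-level grant only; row-level restriction then depends on the caller applying
     * {@link #getFilter} to its query. The final count comparison fails closed: a duplicated or
     * non-matching id makes the count differ from {@code lArr.length} and access is denied.
     */
    @Override // com.axelor.db.JpaSecurity
    public boolean isPermitted(JpaSecurity.AccessType accessType, Class<? extends Model> cls, Long... lArr) {
        User user = getUser();
        if (user == null) {
            LOG.info("Null user");
            return true;
        }
        LOG.info("User {} request permission {} for {} with ids {}", new Object[]{user.getCode(), accessType.name(), cls.getName(), lArr});
        Set<Permission> permissions = this.authResolver.resolve(user, cls.getName(), accessType);
        if (permissions.isEmpty()) {
            LOG.info("Empty permissions");
            return false;
        }
        for (Permission permission : permissions) {
            LOG.info("Checking permission {}", permission.toString());
            // Only unconditional permissions are tested with hasAccess; conditional ones are
            // enforced through the filter further down.
            if (permission.getCondition() == null && !this.authResolver.hasAccess(permission, accessType)) {
                LOG.info("Permission {} not allowed", accessType.name());
                return false;
            }
        }
        if (lArr == null || lArr.length == 0) {
            LOG.info("Null ids");
            return true;
        }
        Filter filter = getFilter(accessType, cls, lArr);
        if (filter == null) {
            LOG.info("Null filter");
            return true;
        }
        long count = filter.build(cls).count();
        // NOTE(review): the filter parameters logged here can include the user object and the
        // values produced by the Groovy evaluation.
        LOG.info("Build filter `{}` for {} with params {}. Found {} record(s) (ids.length={})", new Object[]{filter.toString(), cls.getName(), filter.getParams(), Long.valueOf(count), Integer.valueOf(lArr.length)});
        return count == ((long) lArr.length);
    }

    /**
     * Enforces {@link #isPermitted}.
     *
     * @throws UnauthorizedException when access is not permitted; the cause is an
     *     {@code AuthSecurityException} carrying the access type, model class and ids
     */
    @Override // com.axelor.db.JpaSecurity
    public void check(JpaSecurity.AccessType accessType, Class<? extends Model> cls, Long... lArr) {
        LOG.info(" **** Checking permission {} for {} with ids {}", new Object[]{accessType.name(), cls.getName(), lArr});
        if (!isPermitted(accessType, cls, lArr)) {
            LOG.info("Access denied");
            throw new UnauthorizedException(accessType.getMessage(), new AuthSecurityException(accessType, cls, lArr));
        }
        LOG.info("Access allowed");
    }

    /**
     * Provider method; returns a new {@code AuthSecurity} on every call.
     *
     * <p>The name is a decompiler artifact: per the note below, the original method was
     * {@code get}, i.e. the method required by {@code Provider<JpaSecurity>}.
     */
    /* renamed from: get, reason: merged with bridge method [inline-methods] */
    public JpaSecurity m8get() {
        return new AuthSecurity();
    }
}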
