package org.alfresco.module.org_alfresco_module_rm.security;

import java.io.Serializable;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import org.alfresco.error.AlfrescoRuntimeException;
import org.alfresco.module.org_alfresco_module_rm.audit.RecordsManagementAuditService;
import org.alfresco.module.org_alfresco_module_rm.audit.event.AuditEvent;
import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel;
import org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService;
import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel;
import org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService;
import org.alfresco.module.org_alfresco_module_rm.util.ServiceBaseImpl;
import org.alfresco.repo.node.NodeServicePolicies;
import org.alfresco.repo.policy.Behaviour;
import org.alfresco.repo.policy.JavaBehaviour;
import org.alfresco.repo.policy.PolicyComponent;
import org.alfresco.repo.policy.annotation.BehaviourBean;
import org.alfresco.repo.policy.annotation.BehaviourKind;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.rm.rest.api.model.RMNode;
import org.alfresco.service.cmr.repository.ChildAssociationRef;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.security.AccessPermission;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.AuthorityService;
import org.alfresco.service.cmr.security.AuthorityType;
import org.alfresco.service.cmr.security.OwnableService;
import org.alfresco.service.cmr.security.PermissionService;
import org.alfresco.service.namespace.QName;
import org.alfresco.util.ParameterCheck;
import org.apache.commons.lang3.BooleanUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

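/**
 * File plan permission service implementation.
 *
 * <p>Sets up or resets the permissions of records-management nodes (record categories, record
 * folders, unfiled record folders, holds, transfers and records) when they are created, gain the
 * record aspect or are moved, and offers audited set/delete of a single permission entry.
 *
 * <p>Almost every ACL change in this class is executed as the system user, so the calling user's
 * own rights are not checked here.
 * NOTE(review): presumably the public service bean enforces authorisation before delegating to
 * this implementation; confirm against the bean's security configuration.
 */
@BehaviourBean
/* loaded from: input_file:org/alfresco/module/org_alfresco_module_rm/security/FilePlanPermissionServiceImpl.class */
public class FilePlanPermissionServiceImpl extends ServiceBaseImpl implements FilePlanPermissionService, RMPermissionModel, NodeServicePolicies.OnMoveNodePolicy {
    /** Audit event name used for both setting and deleting a permission. */
    private static final String AUDIT_SET_PERMISSION = "set-permission";
    /** Namespace of the QNames that identify one (permission, authority) pair in the audit data. */
    private static final String AUDIT_NAMESPACE = "audit://permissions/";
    private PermissionService permissionService;
    private OwnableService ownableService;
    private PolicyComponent policyComponent;
    private AuthorityService authorityService;
    private FilePlanRoleService filePlanRoleService;
    private FilePlanService filePlanService;
    private RecordsManagementAuditService recordsManagementAuditService;
    private static final Log LOGGER = LogFactory.getLog(FilePlanPermissionServiceImpl.class);

    /**
     * Binds the record and record-category behaviours and registers the "set-permission" audit event.
     *
     * <p>The behaviour methods are referenced by their string names ("onAddRecord", "onMoveRecord",
     * "onMoveNode"), so renaming one of those methods requires the same change here.
     */
    public void init() {
        getPolicyComponent().bindClassBehaviour(NodeServicePolicies.OnAddAspectPolicy.QNAME, ASPECT_RECORD, new JavaBehaviour(this, "onAddRecord", Behaviour.NotificationFrequency.TRANSACTION_COMMIT));
        getPolicyComponent().bindClassBehaviour(NodeServicePolicies.OnMoveNodePolicy.QNAME, ASPECT_RECORD, new JavaBehaviour(this, "onMoveRecord", Behaviour.NotificationFrequency.TRANSACTION_COMMIT));
        getPolicyComponent().bindClassBehaviour(NodeServicePolicies.OnMoveNodePolicy.QNAME, TYPE_RECORD_CATEGORY, new JavaBehaviour(this, "onMoveNode", Behaviour.NotificationFrequency.TRANSACTION_COMMIT));
        // The audit event is registered as the system user.
        AuthenticationUtil.runAsSystem(new AuthenticationUtil.RunAsWork<Void>() {
            public Void doWork() throws Exception {
                FilePlanPermissionServiceImpl.this.recordsManagementAuditService.registerAuditEvent(new AuditEvent(FilePlanPermissionServiceImpl.AUDIT_SET_PERMISSION, "rm.audit.set-permission"));
                return null;
            }
        });
    }

    // ---- Collaborators, injected through the setters below ----

    /** @return the permission service used for all ACL reads and writes */
    protected PermissionService getPermissionService() {
        return this.permissionService;
    }

    /** @param permissionService the permission service used for all ACL reads and writes */
    public void setPermissionService(PermissionService permissionService) {
        this.permissionService = permissionService;
    }

    /** @return the policy component the behaviours are bound on */
    protected PolicyComponent getPolicyComponent() {
        return this.policyComponent;
    }

    /** @param policyComponent the policy component the behaviours are bound on */
    public void setPolicyComponent(PolicyComponent policyComponent) {
        this.policyComponent = policyComponent;
    }

    /** @return the ownable service used to reset node ownership */
    protected OwnableService getOwnableService() {
        return this.ownableService;
    }

    /** @param ownableService the ownable service used to reset node ownership */
    public void setOwnableService(OwnableService ownableService) {
        this.ownableService = ownableService;
    }

    /** @return the authority service used to resolve the file plan administrator group name */
    public AuthorityService getAuthorityService() {
        return this.authorityService;
    }

    /** @param authorityService the authority service used to resolve the administrator group name */
    public void setAuthorityService(AuthorityService authorityService) {
        this.authorityService = authorityService;
    }

    /** @return the file plan role service */
    public FilePlanRoleService getFilePlanRoleService() {
        return this.filePlanRoleService;
    }

    /** @param filePlanRoleService the file plan role service */
    public void setFilePlanRoleService(FilePlanRoleService filePlanRoleService) {
        this.filePlanRoleService = filePlanRoleService;
    }

    /** @return the file plan service */
    public FilePlanService getFilePlanService() {
        return this.filePlanService;
    }

    /** @param filePlanService the file plan service */
    public void setFilePlanService(FilePlanService filePlanService) {
        this.filePlanService = filePlanService;
    }

    /** @param recordsManagementAuditService the audit service that records permission changes */
    public void setRecordsManagementAuditService(RecordsManagementAuditService recordsManagementAuditService) {
        this.recordsManagementAuditService = recordsManagementAuditService;
    }

    /**
     * Resets the permissions of a record category relative to its primary parent.
     *
     * @param nodeRef the record category; must not be null
     * @throws AlfrescoRuntimeException if the node is not a record category
     */
    @Override // org.alfresco.module.org_alfresco_module_rm.security.FilePlanPermissionService
    public void setupRecordCategoryPermissions(NodeRef nodeRef) {
        ParameterCheck.mandatory("recordCategory", nodeRef);
        if (!instanceOf(nodeRef, TYPE_RECORD_CATEGORY)) {
            throw new AlfrescoRuntimeException("Unable to setup record category permissions, because node is not a record category.");
        }
        setupPermissions(this.nodeService.getPrimaryParent(nodeRef).getParentRef(), nodeRef);
    }

    /**
     * Behaviour (onCreateNode, at transaction commit): sets up permissions on a new unfiled record folder.
     *
     * @param childAssociationRef association between the parent and the created folder
     */
    @org.alfresco.repo.policy.annotation.Behaviour(type = RMNode.UNFILED_RECORD_FOLDER_TYPE, kind = BehaviourKind.CLASS, policy = "alf:onCreateNode", notificationFrequency = Behaviour.NotificationFrequency.TRANSACTION_COMMIT)
    public void onCreateUnfiledRecordFolder(ChildAssociationRef childAssociationRef) {
        ParameterCheck.mandatory("childAssocRef", childAssociationRef);
        setupPermissions(childAssociationRef.getParentRef(), childAssociationRef.getChildRef());
    }

    /**
     * Behaviour (onCreateNode, at transaction commit): sets up permissions on a new record folder.
     *
     * @param childAssociationRef association between the parent and the created folder
     */
    @org.alfresco.repo.policy.annotation.Behaviour(type = RMNode.RECORD_FOLDER_TYPE, kind = BehaviourKind.CLASS, policy = "alf:onCreateNode", notificationFrequency = Behaviour.NotificationFrequency.TRANSACTION_COMMIT)
    public void onCreateRecordFolder(ChildAssociationRef childAssociationRef) {
        ParameterCheck.mandatory("childAssocRef", childAssociationRef);
        setupPermissions(childAssociationRef.getParentRef(), childAssociationRef.getChildRef());
    }

    /**
     * Behaviour (onCreateNode, at transaction commit): sets up permissions on a new hold and makes
     * sure its creator can file into it.
     *
     * @param childAssociationRef association between the parent and the created hold
     */
    @org.alfresco.repo.policy.annotation.Behaviour(type = "rma:hold", kind = BehaviourKind.CLASS, policy = "alf:onCreateNode", notificationFrequency = Behaviour.NotificationFrequency.TRANSACTION_COMMIT)
    public void onCreateHold(ChildAssociationRef childAssociationRef) {
        createContainerElement(childAssociationRef);
    }

    /**
     * Behaviour (onCreateNode, at transaction commit): sets up permissions on a new transfer and
     * makes sure its creator can file into it.
     *
     * @param childAssociationRef association between the parent and the created transfer
     */
    @org.alfresco.repo.policy.annotation.Behaviour(type = RMNode.TRANSFER_TYPE, kind = BehaviourKind.CLASS, policy = "alf:onCreateNode", notificationFrequency = Behaviour.NotificationFrequency.TRANSACTION_COMMIT)
    public void onCreateTransfer(ChildAssociationRef childAssociationRef) {
        createContainerElement(childAssociationRef);
    }

    /** Shared handling for holds and transfers: reset permissions, then grant FILING to the creator. */
    private void createContainerElement(ChildAssociationRef childAssociationRef) {
        ParameterCheck.mandatory("childAssocRef", childAssociationRef);
        NodeRef createdNode = childAssociationRef.getChildRef();
        setupPermissions(childAssociationRef.getParentRef(), createdNode);
        grantFilingPermissionToCreator(createdNode);
    }

    /**
     * Grants FILING on the node to the fully authenticated user unless that user already has it.
     *
     * <p>The permission check runs as that user; the grant itself runs as the system user and
     * calls the permission service directly, so it does not pass through the audited
     * {@link #setPermission(NodeRef, String, String)} path.
     */
    private void grantFilingPermissionToCreator(final NodeRef nodeRef) {
        final String creator = AuthenticationUtil.getFullyAuthenticatedUser();
        boolean alreadyAllowed = ((Boolean) this.authenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Boolean>() {
            public Boolean doWork() {
                return Boolean.valueOf(FilePlanPermissionServiceImpl.this.getPermissionService().hasPermission(nodeRef, RMPermissionModel.FILING) == AccessStatus.ALLOWED);
            }
        }, creator)).booleanValue();
        if (alreadyAllowed) {
            return;
        }
        this.authenticationUtil.runAsSystem(new AuthenticationUtil.RunAsWork<Void>() {
            public Void doWork() {
                FilePlanPermissionServiceImpl.this.getPermissionService().setPermission(nodeRef, creator, RMPermissionModel.FILING, true);
                return null;
            }
        });
    }

    /**
     * Resets the permissions of a node relative to its parent. Does nothing when either node no
     * longer exists. The whole sequence runs as the system user; the order of the steps matters.
     *
     * @param nodeRef  the parent node; must not be null
     * @param nodeRef2 the node whose permissions are reset; must not be null
     */
    @Override // org.alfresco.module.org_alfresco_module_rm.security.FilePlanPermissionService
    public void setupPermissions(final NodeRef nodeRef, final NodeRef nodeRef2) {
        ParameterCheck.mandatory("parent", nodeRef);
        ParameterCheck.mandatory("nodeRef", nodeRef2);
        if (this.nodeService.exists(nodeRef2) && this.nodeService.exists(nodeRef)) {
            this.authenticationUtil.runAsSystem(new AuthenticationUtil.RunAsWork<Object>() {
                public Object doWork() {
                    boolean isCategoryUnderFilePlan = FilePlanPermissionServiceImpl.this.isRecordCategory(nodeRef2) && FilePlanPermissionServiceImpl.this.isFilePlan(nodeRef);
                    boolean isInheritanceAllowed = FilePlanPermissionServiceImpl.this.isInheritanceAllowed(nodeRef2, Boolean.valueOf(isCategoryUnderFilePlan));
                    FilePlanPermissionServiceImpl.this.getPermissionService().setInheritParentPermissions(nodeRef2, isInheritanceAllowed);

                    // Remember the entries that must survive the wipe below. The match is a plain
                    // prefix test on the authority name.
                    // NOTE(review): any group whose name begins with "IPR" is kept; confirm that
                    // creating groups with that prefix is restricted.
                    HashSet<AccessPermission> iprPermissions = new HashSet<>(5);
                    for (AccessPermission existing : FilePlanPermissionServiceImpl.this.getPermissionService().getAllSetPermissions(nodeRef2)) {
                        if (existing.getAuthority().startsWith("GROUP_IPR")) {
                            iprPermissions.add(existing);
                        }
                    }

                    // Clear the node's permissions (null authority), then put the saved entries back.
                    FilePlanPermissionServiceImpl.this.getPermissionService().clearPermission(nodeRef2, (String) null);
                    // NOTE(review): setPermission always grants (allow=true) and the saved entry's
                    // access status is not consulted, so a DENIED entry, if one can exist here,
                    // would come back as ALLOWED. The category branch below does carry the status over.
                    for (AccessPermission saved : iprPermissions) {
                        FilePlanPermissionServiceImpl.this.setPermission(nodeRef2, saved.getAuthority(), saved.getPermission());
                    }

                    // Without inheritance the file plan administrator group gets FILING explicitly.
                    if (!isInheritanceAllowed) {
                        FilePlanPermissionServiceImpl.this.getPermissionService().setPermission(nodeRef2, FilePlanPermissionServiceImpl.this.getAdminRole(nodeRef2), RMPermissionModel.FILING, true);
                    }

                    // Owner is set to the empty string.
                    // NOTE(review): presumably this removes owner-based access for the creator; confirm.
                    FilePlanPermissionServiceImpl.this.getOwnableService().setOwner(nodeRef2, "");

                    if (!isCategoryUnderFilePlan) {
                        return null;
                    }
                    // Root category: copy the FILING entries of the file plan, keeping allow/deny.
                    for (AccessPermission parentEntry : FilePlanPermissionServiceImpl.this.permissionService.getAllSetPermissions(nodeRef)) {
                        if (RMPermissionModel.FILING.equals(parentEntry.getPermission())) {
                            FilePlanPermissionServiceImpl.this.permissionService.setPermission(nodeRef2, parentEntry.getAuthority(), parentEntry.getPermission(), AccessStatus.ALLOWED.equals(parentEntry.getAccessStatus()));
                        }
                    }
                    return null;
                }
            });
        }
    }

    /**
     * Resolves the name of the administrator group of the file plan that contains the node.
     *
     * @throws AlfrescoRuntimeException if no file plan is found for the node
     */
    private String getAdminRole(NodeRef nodeRef) {
        NodeRef filePlan = getFilePlan(nodeRef);
        if (filePlan == null) {
            throw new AlfrescoRuntimeException("The file plan could not be found for the given node: '" + nodeRef + "'.");
        }
        return this.authorityService.getName(AuthorityType.GROUP, "Administrator" + filePlan.getId());
    }

    /**
     * Decides whether the node may inherit permissions from its parent: not for a file plan,
     * transfer, hold or unfiled records container, and not for a record category when the flag is true.
     */
    private boolean isInheritanceAllowed(NodeRef nodeRef, Boolean isCategoryUnderFilePlan) {
        return !(isFilePlan(nodeRef) || isTransfer(nodeRef) || isHold(nodeRef) || isUnfiledRecordsContainer(nodeRef) || (isRecordCategory(nodeRef) && BooleanUtils.isTrue(isCategoryUnderFilePlan)));
    }

    /**
     * Behaviour bound in {@link #init()} (onAddAspect for the record aspect, at transaction
     * commit): resets the permissions of the new record relative to its primary parent.
     *
     * @param nodeRef the node that received the aspect; must not be null
     * @param qName   the aspect that was added; must not be null
     */
    public void onAddRecord(final NodeRef nodeRef, final QName qName) {
        // Each check names the argument it actually guards, so a failure message points at the right one.
        ParameterCheck.mandatory("nodeRef", nodeRef);
        ParameterCheck.mandatory("aspectTypeQName", qName);
        this.authenticationUtil.runAsSystem(new AuthenticationUtil.RunAsWork<Object>() {
            public Object doWork() {
                // Runs at commit: the node may be gone or may have lost the aspect by now.
                if (!FilePlanPermissionServiceImpl.this.nodeService.exists(nodeRef) || !FilePlanPermissionServiceImpl.this.nodeService.hasAspect(nodeRef, qName)) {
                    return null;
                }
                FilePlanPermissionServiceImpl.this.setupPermissions(FilePlanPermissionServiceImpl.this.nodeService.getPrimaryParent(nodeRef).getParentRef(), nodeRef);
                return null;
            }
        });
    }

    /**
     * Behaviour bound in {@link #init()} (onMoveNode for the record aspect, at transaction
     * commit): resets the moved record's permissions for its new parent while keeping the
     * directly-set FILING and READ_RECORDS entries and the previous inheritance flag.
     *
     * @param childAssociationRef  the association before the move; must not be null
     * @param childAssociationRef2 the association after the move; must not be null
     */
    public void onMoveRecord(final ChildAssociationRef childAssociationRef, final ChildAssociationRef childAssociationRef2) {
        ParameterCheck.mandatory("sourceAssocRef", childAssociationRef);
        ParameterCheck.mandatory("destinationAssocRef", childAssociationRef2);
        this.authenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Void>() {
            public Void doWork() {
                NodeRef record = childAssociationRef.getChildRef();
                if (!FilePlanPermissionServiceImpl.this.nodeService.exists(record) || !FilePlanPermissionServiceImpl.this.nodeService.hasAspect(record, RecordsManagementModel.ASPECT_RECORD)) {
                    return null;
                }
                boolean inheritedBeforeMove = FilePlanPermissionServiceImpl.this.permissionService.getInheritParentPermissions(record);

                // Save the entries set directly on the record; setupPermissions wipes them.
                HashSet<AccessPermission> keptPermissions = new HashSet<>(5);
                for (AccessPermission existing : FilePlanPermissionServiceImpl.this.permissionService.getAllSetPermissions(record)) {
                    String permission = existing.getPermission();
                    if (RMPermissionModel.FILING.equals(permission) || RMPermissionModel.READ_RECORDS.equals(permission)) {
                        if (existing.isSetDirectly()) {
                            keptPermissions.add(existing);
                        }
                    }
                }

                FilePlanPermissionServiceImpl.this.setupPermissions(childAssociationRef2.getParentRef(), record);

                // NOTE(review): re-applied through setPermission, which always grants (allow=true);
                // the saved access status is ignored, so a directly-set DENIED entry, if one can
                // exist on a record, would be restored as ALLOWED after a move. Confirm.
                for (AccessPermission kept : keptPermissions) {
                    FilePlanPermissionServiceImpl.this.setPermission(record, kept.getAuthority(), kept.getPermission());
                }
                FilePlanPermissionServiceImpl.this.permissionService.setInheritParentPermissions(record, inheritedBeforeMove);
                return null;
            }
        }, AuthenticationUtil.getSystemUserName());
    }

    /**
     * Grants a permission to an authority on a node and records the change in the audit trail.
     * Runs as the system user. For node kinds that are not supported the call only logs a
     * warning and changes nothing.
     *
     * @param nodeRef the node; must not be null
     * @param str     the authority; must not be null
     * @param str2    the permission; must not be null
     */
    @Override // org.alfresco.module.org_alfresco_module_rm.security.FilePlanPermissionService
    public void setPermission(final NodeRef nodeRef, final String str, final String str2) {
        ParameterCheck.mandatory("nodeRef", nodeRef);
        ParameterCheck.mandatory("authority", str);
        ParameterCheck.mandatory("permission", str2);
        this.authenticationUtil.runAsSystem(new AuthenticationUtil.RunAsWork<Object>() {
            public Void doWork() {
                if (!FilePlanPermissionServiceImpl.this.canPerformPermissionAction(nodeRef)) {
                    if (FilePlanPermissionServiceImpl.LOGGER.isWarnEnabled()) {
                        FilePlanPermissionServiceImpl.LOGGER.warn("Setting permissions for this node is not supported.  (nodeRef=" + nodeRef + ", authority=" + str + ", permission=" + str2 + ")");
                    }
                    return null;
                }
                QName auditEventName = FilePlanPermissionServiceImpl.this.constructAuditEventName(str, str2);
                // The "before" state has to be read before the permission is changed.
                Map<QName, Serializable> before = FilePlanPermissionServiceImpl.this.getCurrentPermissionForAuthority(nodeRef, str, str2, auditEventName);
                FilePlanPermissionServiceImpl.this.getPermissionService().setPermission(nodeRef, str, str2, true);
                FilePlanPermissionServiceImpl.this.recordsManagementAuditService.auditOrUpdateEvent(nodeRef, FilePlanPermissionServiceImpl.AUDIT_SET_PERMISSION, before, new HashMap<QName, Serializable>(Collections.singletonMap(auditEventName, true)), true);
                return null;
            }
        });
    }

    /**
     * Builds the audit "before" value: a one-entry map from the audit event name to whether the
     * node currently has an entry for exactly this authority and permission.
     */
    private Map<QName, Serializable> getCurrentPermissionForAuthority(NodeRef nodeRef, String authority, String permission, QName auditEventName) {
        boolean alreadySet = false;
        for (AccessPermission existing : getPermissionService().getAllSetPermissions(nodeRef)) {
            if (existing.getAuthority().equals(authority) && existing.getPermission().equals(permission)) {
                alreadySet = true;
                break;
            }
        }
        return new HashMap<QName, Serializable>(Collections.singletonMap(auditEventName, alreadySet));
    }

    /**
     * Removes a permission of an authority from a node and records the change in the audit trail.
     * Runs as the system user. For node kinds that are not supported the call only logs a
     * warning and changes nothing.
     *
     * @param nodeRef the node; must not be null
     * @param str     the authority; must not be null
     * @param str2    the permission; must not be null
     */
    @Override // org.alfresco.module.org_alfresco_module_rm.security.FilePlanPermissionService
    public void deletePermission(final NodeRef nodeRef, final String str, final String str2) {
        ParameterCheck.mandatory("nodeRef", nodeRef);
        ParameterCheck.mandatory("authority", str);
        ParameterCheck.mandatory("permission", str2);
        this.authenticationUtil.runAsSystem(new AuthenticationUtil.RunAsWork<Object>() {
            public Void doWork() {
                if (!FilePlanPermissionServiceImpl.this.canPerformPermissionAction(nodeRef)) {
                    if (FilePlanPermissionServiceImpl.LOGGER.isWarnEnabled()) {
                        FilePlanPermissionServiceImpl.LOGGER.warn("Deleting permissions for this node is not supported.  (nodeRef=" + nodeRef + ", authority=" + str + ", permission=" + str2 + ")");
                    }
                    return null;
                }
                QName auditEventName = FilePlanPermissionServiceImpl.this.constructAuditEventName(str, str2);
                // The "before" state has to be read before the permission is removed.
                Map<QName, Serializable> before = FilePlanPermissionServiceImpl.this.getCurrentPermissionForAuthority(nodeRef, str, str2, auditEventName);
                FilePlanPermissionServiceImpl.this.getPermissionService().deletePermission(nodeRef, str, str2);
                FilePlanPermissionServiceImpl.this.recordsManagementAuditService.auditOrUpdateEvent(nodeRef, FilePlanPermissionServiceImpl.AUDIT_SET_PERMISSION, before, new HashMap<QName, Serializable>(Collections.singletonMap(auditEventName, false)), true);
                return null;
            }
        });
    }

    /** Builds the audit QName for one pair; the local name is the permission, a space, then the authority. */
    private QName constructAuditEventName(String authority, String permission) {
        return QName.createQName(AUDIT_NAMESPACE, permission + " " + authority);
    }

    /** Permission changes are supported only on file plan containers, record folders, records, transfers and holds. */
    private boolean canPerformPermissionAction(NodeRef nodeRef) {
        return isFilePlanContainer(nodeRef) || isRecordFolder(nodeRef) || isRecord(nodeRef) || isTransfer(nodeRef) || isHold(nodeRef);
    }

    /**
     * Behaviour bound in {@link #init()} (onMoveNode for record categories, at transaction
     * commit): a category moved directly under a file plan stops inheriting its parent's permissions.
     *
     * @param childAssociationRef  the association before the move; must not be null
     * @param childAssociationRef2 the association after the move; must not be null
     */
    public void onMoveNode(ChildAssociationRef childAssociationRef, ChildAssociationRef childAssociationRef2) {
        // Same argument checks as onMoveRecord, so a missing association fails with a clear message.
        ParameterCheck.mandatory("sourceAssocRef", childAssociationRef);
        ParameterCheck.mandatory("destinationAssocRef", childAssociationRef2);
        if (isFilePlan(childAssociationRef2.getParentRef())) {
            this.permissionService.setInheritParentPermissions(childAssociationRef.getChildRef(), false);
        }
    }
}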
