package com.appiancorp.recordlevelsecurity.service;

import com.appian.data.client.AdsInvariantException;
import com.appian.data.client.AdsUserInputException;
import com.appian.data.client.DataClient;
import com.appian.data.client.DataClientSingletonSupplier;
import com.appian.data.client.Query;
import com.appiancorp.core.expr.portable.PortableTypedValue;
import com.appiancorp.core.expr.portable.Type;
import com.appiancorp.core.expr.portable.cdt.RecordRowLevelSecurityDataFilterType;
import com.appiancorp.core.expr.portable.cdt.RecordRowLevelSecurityMembershipFilterType;
import com.appiancorp.core.expr.portable.cdt.RecordUiSecurityType;
import com.appiancorp.record.data.RecordQueryAdsExceptionTranslator;
import com.appiancorp.record.data.TranslatesAdsExceptions;
import com.appiancorp.record.domain.SupportsReadOnlyReplicatedRecordType;
import com.appiancorp.record.recordlevelsecurity.DependencyType;
import com.appiancorp.record.recordlevelsecurity.RecordSecurityRuntimeFilterCreator;
import com.appiancorp.record.recordlevelsecurity.RlsExternalDependencies;
import com.appiancorp.record.recordlevelsecurity.externaldependents.RecordSecurityExternalDependencyService;
import com.appiancorp.record.service.UserGroupRecordService;
import com.appiancorp.record.sources.ReadOnlyRecordSourceField;
import com.appiancorp.record.ui.HasRecordUiSecurity;
import com.appiancorp.recordlevelsecurity.RecordSecurityToCdtConverter;
import com.appiancorp.recordlevelsecurity.SecurityExternalDependencyRuntimeException;
import com.appiancorp.recordlevelsecurity.exception.RecordSecurityConfigurationException;
import com.appiancorp.recordlevelsecurity.externaldependents.generated._RlsConstant;
import com.appiancorp.suiteapi.common.exceptions.AppianRuntimeException;
import com.appiancorp.suiteapi.common.exceptions.ErrorCode;
import com.appiancorp.suiteapi.type.TypedValue;
import com.appiancorp.tracing.TracingHelper;
import com.appiancorp.type.cdt.RecordRowLevelSecurityMembershipCombined;
import com.appiancorp.type.cdt.RecordRowLevelSecurityMembershipFilter;
import com.appiancorp.type.cdt.RecordRowLevelSecurityRule;
import com.appiancorp.types.ads.AttrRef;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.log4j.Logger;

/* loaded from: input_file:com/appiancorp/recordlevelsecurity/service/RecordUiSecurityCalculator.class */
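/**
 * Base class for evaluating guided record UI security rules for a replicated record type.
 *
 * <p>Rules are evaluated in one of two ways:
 * <ul>
 *   <li>"Non-ADS" rules (allow-all, or group-membership-only with an allow-all data filter) are
 *       decided in-process, using {@link UserGroupRecordService} for the group check.</li>
 *   <li>All other rules are converted to a {@link Query.Filter} and projected as a boolean
 *       column onto the query returned by {@link #getBaseQuery}.</li>
 * </ul>
 *
 * <p>Query failures that are not translated into an exception are treated as an empty result,
 * which resolves every rule to {@code false} (access is denied rather than granted).
 *
 * <p>This listing is decompiler output; the decompiler reports that the constructor and most
 * {@code public} members below were declared {@code protected} in the compiled class.
 */
public abstract class RecordUiSecurityCalculator {
    protected static final String NUM_UI_CONFIGS_TAG_NAME = "numUiConfigs";
    private final RecordSecurityRuntimeFilterCreator securityConfigConverter;
    private final RecordSecurityExternalDependencyService externalDependencyService;
    private final DataClientSingletonSupplier dataClientSingletonSupplier;
    private final TranslatesAdsExceptions adsExceptionTranslator;
    private final RecordSecurityConfigTypeResolver configTypeResolver;
    private final UserGroupRecordService groupService;
    protected final RecordSecurityToCdtConverter recordSecurityToCdtConverter;
    private static final Logger LOG = Logger.getLogger(RecordUiSecurityCalculator.class);
    // Sentinel key used by the three-argument executeQuery, which evaluates rules without a record id.
    protected static final TypedValue NO_INSTANCE_TYPED_VALUE = new TypedValue(Type.STRING.getTypeId(), "NO_INSTANCE_VALUE");
    // External dependency kinds looked up before rules are converted to query filters.
    private static final DependencyType[] dependencyTypesToFind = {DependencyType.GROUP, DependencyType.CONSTANT};

    /**
     * Stores the collaborators used to build, run and interpret security queries.
     * No validation is performed on the arguments.
     */
    public RecordUiSecurityCalculator(DataClientSingletonSupplier dataClientSingletonSupplier, RecordSecurityRuntimeFilterCreator recordSecurityRuntimeFilterCreator, RecordSecurityExternalDependencyService recordSecurityExternalDependencyService, TranslatesAdsExceptions translatesAdsExceptions, RecordSecurityConfigTypeResolver recordSecurityConfigTypeResolver, UserGroupRecordService userGroupRecordService, RecordSecurityToCdtConverter recordSecurityToCdtConverter) {
        this.dataClientSingletonSupplier = dataClientSingletonSupplier;
        this.securityConfigConverter = recordSecurityRuntimeFilterCreator;
        this.externalDependencyService = recordSecurityExternalDependencyService;
        this.adsExceptionTranslator = translatesAdsExceptions;
        this.configTypeResolver = recordSecurityConfigTypeResolver;
        this.groupService = userGroupRecordService;
        this.recordSecurityToCdtConverter = recordSecurityToCdtConverter;
    }

    /**
     * Supplies the query that the per-rule boolean projections are added to.
     *
     * @param supportsReadOnlyReplicatedRecordType record type being secured
     * @param collection record identifiers the query is scoped to
     */
    protected abstract Query getBaseQuery(SupportsReadOnlyReplicatedRecordType supportsReadOnlyReplicatedRecordType, Collection<PortableTypedValue> collection);

    /**
     * Evaluates every rule in-process and returns the outcome keyed like the input map.
     *
     * <p>Each rule resolves to {@code true} only when it is an allow-all rule or the logged-in
     * user passes its group-only membership check; any other rule resolves to {@code false}.
     *
     * @param map rules keyed by UI identifier
     * @return identifier to allow/deny decision
     */
    public Map<String, Boolean> getNonAdsSecurityValuesMap(Map<String, RecordRowLevelSecurityRule> map) {
        return map.entrySet().stream()
            .collect(Collectors.toMap(Map.Entry::getKey, entry -> getNonAdsSecurityRuleValue(entry.getValue())));
    }

    /**
     * Reports whether every rule can be decided without a query.
     * Returns {@code true} for an empty collection, as {@code allMatch} does.
     */
    public boolean areAllUisNonAdsSecurityRules(Collection<RecordRowLevelSecurityRule> collection) {
        return collection.stream().allMatch(this::isNonAdsSecurityCheck);
    }

    /** Decides a rule in-process: allow-all, or the logged-in user is in the rule's groups. */
    private boolean getNonAdsSecurityRuleValue(RecordRowLevelSecurityRule recordRowLevelSecurityRule) {
        return isAllowAllSecurityRule(recordRowLevelSecurityRule) || isAllowedBasedOnGroup(recordRowLevelSecurityRule);
    }

    /**
     * Adds one boolean projection per rule to the base query and returns that query.
     *
     * @param supportsReadOnlyReplicatedRecordType record type being secured
     * @param map rules keyed by the alias each projection is published under
     * @param collection record identifiers passed to {@link #getBaseQuery}
     * @return the base query with the projections added
     * @throws AppianRuntimeException with {@code RECORD_CANNOT_RETRIEVE_DATA} when external
     *     dependency resolution or rule conversion raises
     *     {@link SecurityExternalDependencyRuntimeException}
     */
    public Query buildAdsQuery(SupportsReadOnlyReplicatedRecordType supportsReadOnlyReplicatedRecordType, Map<String, RecordRowLevelSecurityRule> map, Collection<PortableTypedValue> collection) {
        Query baseQuery = getBaseQuery(supportsReadOnlyReplicatedRecordType, collection);
        try {
            RlsExternalDependencies externalDependencies = this.externalDependencyService.findExternalDependencies(new ArrayList<>(map.values()), supportsReadOnlyReplicatedRecordType.getUuid(), dependencyTypesToFind);
            for (Map.Entry<String, RecordRowLevelSecurityRule> entry : map.entrySet()) {
                RecordRowLevelSecurityRule rule = entry.getValue();
                if (isNonAdsSecurityCheck(rule)) {
                    // The decision is already known in-process; the case and the default carry the
                    // same value, so the projected column is that constant for every row.
                    Boolean decided = Boolean.valueOf(getNonAdsSecurityRuleValue(rule));
                    baseQuery.project(entry.getKey(), Query.Projection.target(Query.Function.caseBuilder().addCase(Query.Filter.isNotNull(AttrRef.of(_RlsConstant.UUID_ALIAS)), decided).defaultValue(decided).build()));
                } else {
                    // Rows matching the rule's filter yield TRUE; everything else defaults to FALSE.
                    baseQuery.project(entry.getKey(), Query.Projection.target(Query.Function.caseBuilder().addCase(convertRuleToFilter(rule, supportsReadOnlyReplicatedRecordType, externalDependencies), Boolean.TRUE).defaultValue(Boolean.FALSE).build()));
                }
            }
            return baseQuery;
        } catch (SecurityExternalDependencyRuntimeException e) {
            LOG.debug(String.format("Failed to evaluate the %s record security policies for recordType[uuid=%s]", getClass().getName(), supportsReadOnlyReplicatedRecordType.getUuid()), e);
            // NOTE(review): the dependency failure's localized message becomes an argument of the
            // thrown error, and the cause is only recorded in the DEBUG log above. Confirm the
            // message holds nothing that should not be shown to the caller.
            throw new AppianRuntimeException(ErrorCode.RECORD_CANNOT_RETRIEVE_DATA, new Object[]{supportsReadOnlyReplicatedRecordType.getName(), e.getLocalizedMessage()});
        }
    }

    /**
     * Runs the query without a specific record id and returns the decisions stored under
     * {@link #NO_INSTANCE_TYPED_VALUE}.
     *
     * @return rule identifier to decision; {@code null} if the four-argument overload's result
     *     has no entry for the sentinel key
     */
    public Map<String, Boolean> executeQuery(SupportsReadOnlyReplicatedRecordType supportsReadOnlyReplicatedRecordType, Map<String, RecordRowLevelSecurityRule> map, Query query) {
        return executeQuery(supportsReadOnlyReplicatedRecordType, map, query, Collections.singletonList(NO_INSTANCE_TYPED_VALUE)).get(NO_INSTANCE_TYPED_VALUE);
    }

    /**
     * Runs the security query and maps each record id to its per-rule decisions.
     *
     * <p>Failure handling is deny-by-default: an ADS exception whose code is not in the
     * translator's invalid-sync or data-retrieval sets is logged and treated as an empty result,
     * and an empty result maps every id in {@code collection} to {@code false} for every rule.
     * {@code Collectors.toMap} rejects duplicate keys, so {@code collection} must hold distinct ids
     * on that path.
     *
     * @param supportsReadOnlyReplicatedRecordType record type being secured
     * @param map rules keyed by projection alias
     * @param query query built by {@link #buildAdsQuery}
     * @param collection record identifiers used to build the all-denied fallback
     * @return record id to (rule identifier to decision)
     */
    @SuppressWarnings("unchecked") // the cast on the data-client result mirrors the compiled code
    public Map<PortableTypedValue, Map<String, Boolean>> executeQuery(SupportsReadOnlyReplicatedRecordType supportsReadOnlyReplicatedRecordType, Map<String, RecordRowLevelSecurityRule> map, Query query, Collection<PortableTypedValue> collection) {
        List<Map<String, Object>> rows;
        DataClient dataClient = this.dataClientSingletonSupplier.get();
        try {
            // NOTE(review): the query runs with group id -2 added to the caller's groups. The
            // meaning of -2 is not visible in this class; confirm which group it denotes and that
            // the widened visibility is limited to computing these boolean projections.
            rows = (List<Map<String, Object>>) dataClient.runWithAdditionalGroups(new long[]{-2}, () -> dataClient.query(query));
        } catch (AdsUserInputException | AdsInvariantException e) {
            String code = e.getCode();
            boolean invalidSync = (e instanceof AdsUserInputException) && RecordQueryAdsExceptionTranslator.ADS_INVALID_SYNC_ERRORS.contains(code);
            if (invalidSync || RecordQueryAdsExceptionTranslator.ADS_DATA_RETRIEVAL_ERRORS.contains(code)) {
                LOG.debug(String.format("[%s] security query has invalid user or sync for recordType[UUID=%s]", getClass().getName(), supportsReadOnlyReplicatedRecordType.getUuid()), e);
                throw this.adsExceptionTranslator.translate(e, supportsReadOnlyReplicatedRecordType);
            }
            // Any other ADS failure is swallowed and handled as "no rows", i.e. deny everything.
            // NOTE(review): this is only visible at DEBUG level; consider whether a failed
            // security evaluation should be surfaced to operators at a higher level.
            rows = Collections.emptyList();
            LOG.debug(String.format("[%s] security query failed to execute for recordType[UUID=%s]", getClass().getName(), supportsReadOnlyReplicatedRecordType.getUuid()), e);
        }
        if (!rows.isEmpty()) {
            return formulateResult(map, rows, supportsReadOnlyReplicatedRecordType.getRecordIdSourceField());
        }
        LOG.debug(String.format("[%s] security query returned empty results for recordType[UUID=%s]. Defaulting to false for all security rules", getClass().getName(), supportsReadOnlyReplicatedRecordType.getUuid()));
        return collection.stream().collect(Collectors.toMap(Function.identity(), recordId -> allRulesDenied(map)));
    }

    /** Builds a fresh map that assigns {@code FALSE} to every rule identifier. */
    private static Map<String, Boolean> allRulesDenied(Map<String, RecordRowLevelSecurityRule> rules) {
        return rules.keySet().stream().collect(Collectors.toMap(Function.identity(), ruleId -> Boolean.FALSE));
    }

    /**
     * Turns non-empty query rows into the per-record decision map.
     *
     * @param map rules keyed by projection alias
     * @param list rows returned by the security query
     * @param readOnlyRecordSourceField the record type's id source field
     */
    protected abstract Map<PortableTypedValue, Map<String, Boolean>> formulateResult(Map<String, RecordRowLevelSecurityRule> map, List<Map<String, Object>> list, ReadOnlyRecordSourceField readOnlyRecordSourceField);

    /**
     * Converts a single rule to a query filter inside a debug trace span.
     *
     * <p>The conversion uses {@code convertFiltersAsAdministrator}, so it is not performed in the
     * calling user's context; the resulting filter is only used as a case condition in
     * {@link #buildAdsQuery}.
     */
    private Query.Filter convertRuleToFilter(RecordRowLevelSecurityRule recordRowLevelSecurityRule, SupportsReadOnlyReplicatedRecordType supportsReadOnlyReplicatedRecordType, RlsExternalDependencies rlsExternalDependencies) {
        String spanName = String.format("%s#convertRuleToFilter", getClass().getSimpleName());
        return (Query.Filter) TracingHelper.traceDebug(spanName, () -> {
            return this.securityConfigConverter.convertFiltersAsAdministrator(Collections.singletonList(recordRowLevelSecurityRule), supportsReadOnlyReplicatedRecordType, rlsExternalDependencies);
        });
    }

    /** A rule needs no query when it is allow-all or restricted by group membership only. */
    private boolean isNonAdsSecurityCheck(RecordRowLevelSecurityRule recordRowLevelSecurityRule) {
        return isAllowAllSecurityRule(recordRowLevelSecurityRule) || isOnlyGroupedBasedSecurityRule(recordRowLevelSecurityRule);
    }

    /**
     * True when the membership filter is {@code MEMBERSHIP_ALL} and the data filter is
     * {@code ALLOW_ALL}.
     */
    private boolean isAllowAllSecurityRule(RecordRowLevelSecurityRule recordRowLevelSecurityRule) {
        // NOTE(review): getMembershipFilter() and getDataFilter() are dereferenced unguarded here,
        // while getGroupMembershipOnlyFilter checks the membership filter for null. Every caller
        // reaches this method first, so a null membership filter fails with an NPE rather than
        // being treated as "not allow-all"; confirm whether null is possible.
        return RecordRowLevelSecurityMembershipFilterType.MEMBERSHIP_ALL.equals(recordRowLevelSecurityRule.getMembershipFilter().getType()) && RecordRowLevelSecurityDataFilterType.ALLOW_ALL.equals(recordRowLevelSecurityRule.getDataFilter().getType());
    }

    /** True when the rule restricts by groups only (see {@link #getGroupMembershipOnlyFilter}). */
    private boolean isOnlyGroupedBasedSecurityRule(RecordRowLevelSecurityRule recordRowLevelSecurityRule) {
        return getGroupMembershipOnlyFilter(recordRowLevelSecurityRule) != null;
    }

    /**
     * Returns the rule's groups membership filter when the rule depends on group membership
     * alone, otherwise {@code null}.
     *
     * <p>That requires an {@code ALLOW_ALL} data filter, a non-null membership filter whose
     * config resolves to a {@link RecordRowLevelSecurityMembershipCombined}, no fields
     * membership, and a non-null groups membership.
     */
    private RecordRowLevelSecurityMembershipFilter getGroupMembershipOnlyFilter(RecordRowLevelSecurityRule recordRowLevelSecurityRule) {
        if (!RecordRowLevelSecurityDataFilterType.ALLOW_ALL.equals(recordRowLevelSecurityRule.getDataFilter().getType())) {
            return null;
        }
        RecordRowLevelSecurityMembershipFilter membershipFilter = recordRowLevelSecurityRule.getMembershipFilter();
        if (membershipFilter == null) {
            return null;
        }
        // Held as Object so the instanceof test below is a real check whatever the resolver returns.
        Object resolved = this.configTypeResolver.convertTypedValueToCdt(membershipFilter.getConfig());
        if (!(resolved instanceof RecordRowLevelSecurityMembershipCombined)) {
            return null;
        }
        RecordRowLevelSecurityMembershipCombined combined = (RecordRowLevelSecurityMembershipCombined) resolved;
        if (combined.getFieldsMembership() != null) {
            // A field-based membership condition needs row data, so it cannot be decided here.
            return null;
        }
        return combined.getGroupsMembership();
    }

    /**
     * Checks the logged-in user against the groups of a group-only rule.
     * Returns {@code false} when the rule is not group-only or its groups filter has no config.
     */
    private boolean isAllowedBasedOnGroup(RecordRowLevelSecurityRule recordRowLevelSecurityRule) {
        RecordRowLevelSecurityMembershipFilter groupMembershipOnlyFilter = getGroupMembershipOnlyFilter(recordRowLevelSecurityRule);
        if (groupMembershipOnlyFilter == null || groupMembershipOnlyFilter.getConfig() == null) {
            return false;
        }
        return this.groupService.isLoggedInUserMemberOfGroups(this.configTypeResolver.convertTypedValueToCdt(groupMembershipOnlyFilter.getConfig()).getUuids());
    }

    /**
     * Converts each UI security configuration to a rule, keyed by the configuration's unique
     * identifier.
     *
     * <p>A {@link RecordSecurityConfigurationException} is passed to
     * {@link #securityRuleErrorHandling}; the implementation in this class always throws, so the
     * first invalid configuration aborts the whole conversion. An override that returns normally
     * would leave that configuration out of the map.
     *
     * @param supportsReadOnlyReplicatedRecordType record type whose UUID is passed to the converter
     * @param collection configurations to convert
     * @return identifier to converted rule
     */
    public Map<String, RecordRowLevelSecurityRule> buildUuidToSecurityRuleMap(SupportsReadOnlyReplicatedRecordType supportsReadOnlyReplicatedRecordType, Collection<HasRecordUiSecurity> collection) {
        Map<String, RecordRowLevelSecurityRule> rulesById = new HashMap<>();
        String recordTypeUuid = supportsReadOnlyReplicatedRecordType.getUuid();
        for (HasRecordUiSecurity config : collection) {
            try {
                rulesById.put(config.getUniqueIdentifier(), this.recordSecurityToCdtConverter.convertSecurityConfigToSecurityRule(config.getSecurityCfg(), recordTypeUuid));
            } catch (RecordSecurityConfigurationException e) {
                securityRuleErrorHandling(supportsReadOnlyReplicatedRecordType, e);
            }
        }
        return rulesById;
    }

    /**
     * Logs a configuration failure at DEBUG and rethrows it as an {@link AppianRuntimeException}
     * carrying {@link #getSecurityRuleErrorCode()}.
     */
    protected void securityRuleErrorHandling(SupportsReadOnlyReplicatedRecordType supportsReadOnlyReplicatedRecordType, RuntimeException runtimeException) {
        LOG.debug(String.format("%s security configuration failed for recordType[UUID=%s]", getClass().getName(), supportsReadOnlyReplicatedRecordType.getUuid()), runtimeException);
        // NOTE(review): the exception object itself is supplied as the error argument; confirm how
        // it is rendered and that its text is appropriate for whoever sees the error.
        throw new AppianRuntimeException(getSecurityRuleErrorCode(), new Object[]{runtimeException});
    }

    /** Error code reported when a security configuration cannot be converted to a rule. */
    protected abstract ErrorCode getSecurityRuleErrorCode();

    /**
     * Selects the configurations that are instances of {@code cls} and use
     * {@code GUIDED} UI security.
     *
     * @param cls configuration type to keep; must not be {@code null}
     * @param collection candidate configurations
     * @return matching configurations in encounter order
     */
    public <T extends HasRecordUiSecurity> List<HasRecordUiSecurity> filterSecurityCfgs(Class<T> cls, Collection<? extends HasRecordUiSecurity> collection) {
        // The decompiled lambda referenced an undeclared variable (r1); cls::isInstance restores
        // the method reference, including its null check on cls.
        return collection.stream()
            .filter(cls::isInstance)
            .filter(config -> RecordUiSecurityType.GUIDED.equals(config.getRecordUiSecurityType()))
            .<HasRecordUiSecurity>map(config -> config)
            .collect(Collectors.toList());
    }
}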
