package com.liferay.portal.search.internal;

import com.liferay.petra.string.StringBundler;
import com.liferay.portal.configuration.metatype.bnd.util.ConfigurableUtil;
import com.liferay.portal.kernel.exception.NoSuchResourceException;
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.model.Group;
import com.liferay.portal.kernel.model.Role;
import com.liferay.portal.kernel.model.User;
import com.liferay.portal.kernel.search.BooleanClauseOccur;
import com.liferay.portal.kernel.search.Document;
import com.liferay.portal.kernel.search.IndexerRegistry;
import com.liferay.portal.kernel.search.SearchContext;
import com.liferay.portal.kernel.search.SearchPermissionChecker;
import com.liferay.portal.kernel.search.filter.BooleanFilter;
import com.liferay.portal.kernel.search.filter.TermFilter;
import com.liferay.portal.kernel.search.filter.TermsFilter;
import com.liferay.portal.kernel.security.permission.PermissionChecker;
import com.liferay.portal.kernel.security.permission.PermissionCheckerFactory;
import com.liferay.portal.kernel.security.permission.PermissionThreadLocal;
import com.liferay.portal.kernel.security.permission.UserBag;
import com.liferay.portal.kernel.service.GroupLocalService;
import com.liferay.portal.kernel.service.ResourcePermissionLocalService;
import com.liferay.portal.kernel.service.RoleLocalService;
import com.liferay.portal.kernel.service.UserLocalService;
import com.liferay.portal.kernel.util.ArrayUtil;
import com.liferay.portal.kernel.util.GetterUtil;
import com.liferay.portal.kernel.util.ListUtil;
import com.liferay.portal.kernel.util.Portal;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.search.configuration.SearchPermissionCheckerConfiguration;
import com.liferay.portal.search.spi.model.permission.SearchPermissionFieldContributor;
import com.liferay.portal.search.spi.model.permission.SearchPermissionFilterContributor;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.CopyOnWriteArrayList;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Modified;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicy;
import org.osgi.service.component.annotations.ReferencePolicyOption;

@Component(configurationPid = {"com.liferay.portal.search.configuration.SearchPermissionCheckerConfiguration"}, immediate = true, service = {SearchPermissionChecker.class})
/* loaded from: input_file:com/liferay/portal/search/internal/SearchPermissionCheckerImpl.class */
public class SearchPermissionCheckerImpl implements SearchPermissionChecker {

    @Reference
    protected GroupLocalService groupLocalService;

    @Reference
    protected IndexerRegistry indexerRegistry;
    protected PermissionChecker permissionChecker;

    @Reference
    protected PermissionCheckerFactory permissionCheckerFactory;

    @Reference
    protected Portal portal;

    @Reference
    protected ResourcePermissionLocalService resourcePermissionLocalService;

    @Reference
    protected RoleLocalService roleLocalService;
    protected volatile SearchPermissionCheckerConfiguration searchPermissionCheckerConfiguration;

    @Reference
    protected UserLocalService userLocalService;
    private static final String _NULL_SEARCH_PERMISSION_CONTEXT = "";
    private static final Log _log = LogFactoryUtil.getLog(SearchPermissionCheckerImpl.class);
    private final Collection<SearchPermissionFieldContributor> _searchPermissionFieldContributors = new CopyOnWriteArrayList();
    private final Collection<SearchPermissionFilterContributor> _searchPermissionFilterContributors = new CopyOnWriteArrayList();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/liferay/portal/search/internal/SearchPermissionCheckerImpl$SearchPermissionContext.class */
    public static class SearchPermissionContext implements Serializable {
        private static final long serialVersionUID = 1;
        private final TermsFilter _groupRolesTermsFilter;
        private final long[] _regularRoleIds;
        private final long[] _roleIds;
        private final TermsFilter _rolesTermsFilter;
        private final List<UsersGroupIdRoles> _usersGroupIdsRoles;

        public boolean containsGroupId(long j) {
            Iterator<UsersGroupIdRoles> it = this._usersGroupIdsRoles.iterator();
            while (it.hasNext()) {
                if (j == it.next()._groupId) {
                    return true;
                }
            }
            return false;
        }

        private SearchPermissionContext(Set<Role> set, List<UsersGroupIdRoles> list) {
            this._groupRolesTermsFilter = new TermsFilter("groupRoleId");
            this._rolesTermsFilter = new TermsFilter("roleId");
            this._usersGroupIdsRoles = list;
            ArrayList arrayList = new ArrayList(set.size());
            ArrayList arrayList2 = new ArrayList();
            for (Role role : set) {
                arrayList.add(Long.valueOf(role.getRoleId()));
                if (role.getType() == 1) {
                    arrayList2.add(Long.valueOf(role.getRoleId()));
                }
                this._rolesTermsFilter.addValue(String.valueOf(role.getRoleId()));
            }
            this._roleIds = ArrayUtil.toLongArray(arrayList);
            this._regularRoleIds = ArrayUtil.toLongArray(arrayList2);
            for (UsersGroupIdRoles usersGroupIdRoles : this._usersGroupIdsRoles) {
                long j = usersGroupIdRoles._groupId;
                Iterator it = usersGroupIdRoles._groupRoles.iterator();
                while (it.hasNext()) {
                    this._groupRolesTermsFilter.addValue(j + "-" + ((Role) it.next()).getRoleId());
                }
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/liferay/portal/search/internal/SearchPermissionCheckerImpl$UsersGroupIdRoles.class */
    public static class UsersGroupIdRoles implements Serializable {
        private static final long serialVersionUID = 1;
        private final long _groupId;
        private final List<Role> _groupRoles;

        private UsersGroupIdRoles(long j, List<Role> list) {
            this._groupId = j;
            this._groupRoles = list;
        }
    }

    public void addPermissionFields(long j, Document document) {
        try {
            long j2 = GetterUtil.getLong(document.get("groupId"));
            String str = document.get("entryClassName");
            String str2 = document.get("entryClassPK");
            if (Validator.isNull(str) && Validator.isNull(str2)) {
                str = document.get("rootEntryClassName");
                str2 = document.get("rootEntryClassPK");
            }
            if (GetterUtil.getBoolean(document.get("relatedEntry"))) {
                long j3 = GetterUtil.getLong(document.get("classNameId"));
                if (j3 == 0) {
                    return;
                }
                str = this.portal.getClassName(j3);
                str2 = document.get("classPK");
            }
            if (Validator.isNull(str) || Validator.isNull(str2) || !this.indexerRegistry.nullSafeGetIndexer(str).isPermissionAware()) {
                return;
            }
            String str3 = document.get("viewActionId");
            if (Validator.isNull(str3)) {
                str3 = "VIEW";
            }
            _addPermissionFields(j, j2, str, GetterUtil.getLong(str2), str3, document);
        } catch (Exception e) {
            _log.error(e);
        } catch (NoSuchResourceException e2) {
            if (_log.isDebugEnabled()) {
                _log.debug(e2);
            }
        }
    }

    public BooleanFilter getPermissionBooleanFilter(long j, long[] jArr, long j2, String str, BooleanFilter booleanFilter, SearchContext searchContext) {
        try {
            return _getPermissionBooleanFilter(j, jArr, j2, str, booleanFilter, searchContext);
        } catch (Exception e) {
            _log.error(e);
            return booleanFilter;
        }
    }

    public void updatePermissionFields(String str, String str2) {
        try {
            this.indexerRegistry.nullSafeGetIndexer(str).reindex(str, GetterUtil.getLong(str2));
        } catch (Exception e) {
            _log.error(e);
        }
    }

    @Activate
    @Modified
    protected void activate(Map<String, Object> map) {
        this.searchPermissionCheckerConfiguration = (SearchPermissionCheckerConfiguration) ConfigurableUtil.createConfigurable(SearchPermissionCheckerConfiguration.class, map);
    }

    @Reference(cardinality = ReferenceCardinality.MULTIPLE, policy = ReferencePolicy.DYNAMIC, policyOption = ReferencePolicyOption.GREEDY)
    protected void addSearchPermissionFieldContributor(SearchPermissionFieldContributor searchPermissionFieldContributor) {
        this._searchPermissionFieldContributors.add(searchPermissionFieldContributor);
    }

    @Reference(cardinality = ReferenceCardinality.MULTIPLE, policy = ReferencePolicy.DYNAMIC, policyOption = ReferencePolicyOption.GREEDY)
    protected void addSearchPermissionFilterContributor(SearchPermissionFilterContributor searchPermissionFilterContributor) {
        this._searchPermissionFilterContributors.add(searchPermissionFilterContributor);
    }

    protected void removeSearchPermissionFieldContributor(SearchPermissionFieldContributor searchPermissionFieldContributor) {
        this._searchPermissionFieldContributors.remove(searchPermissionFieldContributor);
    }

    protected void removeSearchPermissionFilterContributor(SearchPermissionFilterContributor searchPermissionFilterContributor) {
        this._searchPermissionFilterContributors.remove(searchPermissionFilterContributor);
    }

    private void _add(BooleanFilter booleanFilter, TermsFilter termsFilter) {
        if (termsFilter.isEmpty()) {
            return;
        }
        booleanFilter.add(termsFilter, BooleanClauseOccur.SHOULD);
    }

    private void _addGroup(Group group, List<Role> list, List<UsersGroupIdRoles> list2) {
        if (group != null) {
            list2.add(new UsersGroupIdRoles(group.getGroupId(), list));
        }
    }

    private void _addPermissionFields(long j, long j2, String str, long j3, String str2, Document document) throws Exception {
        Iterator<SearchPermissionFieldContributor> it = this._searchPermissionFieldContributors.iterator();
        while (it.hasNext()) {
            it.next().contribute(document, str, j3);
        }
        List<Role> roles = this.resourcePermissionLocalService.getRoles(j, str, 4, String.valueOf(j3), str2);
        if (roles.isEmpty()) {
            return;
        }
        ArrayList arrayList = new ArrayList();
        ArrayList arrayList2 = new ArrayList();
        for (Role role : roles) {
            if (role.getType() == 3 || role.getType() == 2) {
                arrayList2.add(j2 + "-" + role.getRoleId());
            } else {
                arrayList.add(Long.valueOf(role.getRoleId()));
            }
        }
        document.addKeyword("roleId", (Long[]) arrayList.toArray(new Long[0]));
        document.addKeyword("groupRoleId", (String[]) arrayList2.toArray(new String[0]));
    }

    private SearchPermissionContext _createSearchPermissionContext(long j, long[] jArr, long j2, PermissionChecker permissionChecker) throws Exception {
        UserBag userBag = permissionChecker.getUserBag();
        if (userBag == null) {
            return null;
        }
        HashSet hashSet = new HashSet();
        if (permissionChecker.isSignedIn() && ArrayUtil.isNotEmpty(jArr)) {
            for (long j3 : jArr) {
                for (Role role : this.roleLocalService.getRoles(permissionChecker.getRoleIds(j2, j3))) {
                    if (role.getType() == 1) {
                        hashSet.add(role);
                    }
                }
            }
        } else {
            hashSet.addAll(this.roleLocalService.getRoles(permissionChecker.getRoleIds(j2, 0L)));
        }
        int size = hashSet.size();
        int permissionTermsLimit = this.searchPermissionCheckerConfiguration.permissionTermsLimit();
        if (size > permissionTermsLimit) {
            if (!_log.isDebugEnabled()) {
                return null;
            }
            _log.debug(StringBundler.concat(new Object[]{"Skipping presearch permission checking due to too ", "many roles: ", Integer.valueOf(size), " > ", Integer.valueOf(permissionTermsLimit)}));
            return null;
        }
        Collection<Group> groups = userBag.getGroups();
        ArrayList arrayList = new ArrayList(groups.size());
        int size2 = size + groups.size();
        if (size2 > permissionTermsLimit) {
            if (!_log.isDebugEnabled()) {
                return null;
            }
            _log.debug(StringBundler.concat(new Object[]{"Skipping presearch permission checking due to too ", "many roles and groups: ", Integer.valueOf(size2), " > ", Integer.valueOf(permissionTermsLimit)}));
            return null;
        }
        Role role2 = this.roleLocalService.getRole(j, "Organization User");
        Role role3 = this.roleLocalService.getRole(j, "Site Member");
        for (Group group : groups) {
            List<Role> roles = this.roleLocalService.getRoles(permissionChecker.getRoleIds(j2, group.getGroupId()));
            hashSet.addAll(roles);
            Iterator<Role> it = roles.iterator();
            while (it.hasNext()) {
                Role next = it.next();
                if (next.getType() != 3 && next.getType() != 2) {
                    it.remove();
                }
            }
            if (group.isOrganization() && !roles.contains(role2)) {
                roles.add(role2);
            }
            if (group.isSite() && !roles.contains(role3)) {
                roles.add(role3);
            }
            _addGroup(group, roles, arrayList);
            _addGroup(group.getStagingGroup(), roles, arrayList);
            size2 += roles.size();
            if (size2 > permissionTermsLimit) {
                if (!_log.isDebugEnabled()) {
                    return null;
                }
                _log.debug(StringBundler.concat(new Object[]{"Skipping presearch permission checking due to ", "too many roles, groups, and group roles: ", Integer.valueOf(size2), " > ", Integer.valueOf(permissionTermsLimit)}));
                return null;
            }
        }
        return new SearchPermissionContext(hashSet, arrayList);
    }

    private BooleanFilter _getPermissionBooleanFilter(long j, long[] jArr, long j2, String str, BooleanFilter booleanFilter, SearchContext searchContext) throws Exception {
        BooleanFilter _getPermissionBooleanFilter = _getPermissionBooleanFilter(j, jArr, j2, str, searchContext);
        if (booleanFilter == null) {
            return _getPermissionBooleanFilter;
        }
        if (_getPermissionBooleanFilter != null) {
            booleanFilter.add(_getPermissionBooleanFilter, BooleanClauseOccur.MUST);
        }
        return booleanFilter;
    }

    private BooleanFilter _getPermissionBooleanFilter(long j, long[] jArr, long j2, String str, SearchContext searchContext) throws Exception {
        if (!this.indexerRegistry.getIndexer(str).isPermissionAware()) {
            return null;
        }
        PermissionChecker _getPermissionChecker = _getPermissionChecker();
        User user = _getPermissionChecker.getUser();
        if (user == null || user.getUserId() != j2) {
            User fetchUser = this.userLocalService.fetchUser(j2);
            if (fetchUser == null) {
                return null;
            }
            _getPermissionChecker = this.permissionCheckerFactory.create(fetchUser);
        }
        Serializable attribute = searchContext.getAttribute("searchPermissionContext");
        SearchPermissionContext searchPermissionContext = null;
        if (attribute != null) {
            if (attribute == _NULL_SEARCH_PERMISSION_CONTEXT) {
                return null;
            }
            searchPermissionContext = (SearchPermissionContext) attribute;
        } else if (!_getPermissionChecker.isCompanyAdmin(j)) {
            searchPermissionContext = _createSearchPermissionContext(j, jArr, j2, _getPermissionChecker);
        }
        if (searchPermissionContext == null) {
            searchContext.setAttribute("searchPermissionContext", _NULL_SEARCH_PERMISSION_CONTEXT);
            return null;
        }
        searchContext.setAttribute("searchPermissionContext", searchPermissionContext);
        return _getPermissionFilter(j, jArr, j2, _getPermissionChecker, _getPermissionName(searchContext, str), searchPermissionContext);
    }

    private PermissionChecker _getPermissionChecker() {
        return this.permissionChecker != null ? this.permissionChecker : PermissionThreadLocal.getPermissionChecker();
    }

    private BooleanFilter _getPermissionFilter(long j, long[] jArr, long j2, PermissionChecker permissionChecker, String str, SearchPermissionContext searchPermissionContext) throws Exception {
        List<UsersGroupIdRoles> list = searchPermissionContext._usersGroupIdsRoles;
        BooleanFilter booleanFilter = new BooleanFilter();
        if (j2 > 0) {
            booleanFilter.add(new TermFilter("userId", String.valueOf(j2)), BooleanClauseOccur.SHOULD);
        }
        TermsFilter termsFilter = searchPermissionContext._groupRolesTermsFilter;
        TermsFilter termsFilter2 = searchPermissionContext._rolesTermsFilter;
        long[] jArr2 = searchPermissionContext._roleIds;
        if (this.resourcePermissionLocalService.hasResourcePermission(j, str, 1, String.valueOf(j), jArr2, "VIEW")) {
            return null;
        }
        if (this.resourcePermissionLocalService.hasResourcePermission(j, str, 3, String.valueOf(0L), searchPermissionContext._regularRoleIds, "VIEW")) {
            return null;
        }
        TermsFilter termsFilter3 = new TermsFilter("groupId");
        for (UsersGroupIdRoles usersGroupIdRoles : list) {
            long j3 = usersGroupIdRoles._groupId;
            List list2 = usersGroupIdRoles._groupRoles;
            if (permissionChecker.isGroupAdmin(j3) || this.resourcePermissionLocalService.hasResourcePermission(j, str, 2, String.valueOf(j3), jArr2, "VIEW") || this.resourcePermissionLocalService.hasResourcePermission(j, str, 3, String.valueOf(0L), ListUtil.toLongArray(list2, Role.ROLE_ID_ACCESSOR), "VIEW")) {
                termsFilter3.addValue(String.valueOf(j3));
            }
        }
        if (ArrayUtil.isNotEmpty(jArr)) {
            for (long j4 : jArr) {
                if (!searchPermissionContext.containsGroupId(j4) && this.resourcePermissionLocalService.hasResourcePermission(j, str, 2, String.valueOf(j4), jArr2, "VIEW")) {
                    termsFilter3.addValue(String.valueOf(j4));
                }
            }
        }
        _add(booleanFilter, termsFilter);
        _add(booleanFilter, termsFilter3);
        _add(booleanFilter, termsFilter2);
        Iterator<SearchPermissionFilterContributor> it = this._searchPermissionFilterContributors.iterator();
        while (it.hasNext()) {
            it.next().contribute(booleanFilter, j, jArr, j2, permissionChecker, str);
        }
        if (booleanFilter.hasClauses()) {
            return booleanFilter;
        }
        return null;
    }

    private String _getPermissionName(SearchContext searchContext, String str) {
        return GetterUtil.getString(searchContext.getAttribute("resourcePermissionName"), str);
    }
}
