package com.osivia.cns.proto.security;

import java.security.Principal;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.nuxeo.ecm.core.api.DocumentException;
import org.nuxeo.ecm.core.api.security.ACP;
import org.nuxeo.ecm.core.api.security.Access;
import org.nuxeo.ecm.core.model.Document;
import org.nuxeo.ecm.core.query.sql.model.SQLQuery;
import org.nuxeo.ecm.core.security.AbstractSecurityPolicy;
import org.nuxeo.runtime.api.Framework;

/* loaded from: input_file:com/osivia/cns/proto/security/CnsDomainSecurityPolicy.class */
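/**
 * Nuxeo security policy that denies access to documents located under one
 * restricted domain unless the caller carries the allowed profile.
 *
 * <p>The policy never grants access itself: it returns {@link Access#DENY} to
 * block a request and {@link Access#UNKNOWN} in every other case, leaving the
 * decision to whatever else evaluates the request.
 *
 * <p>Both settings are read once, when the class is initialised:
 * <ul>
 *   <li>{@code cns.domainSecurity.restrictedDomain} (default {@code ged-cns}):
 *       first path segment of the restricted domain;</li>
 *   <li>{@code cns.domainSecurity.allowedProfiles} (default
 *       {@code CNS_commun-cns}): name that lifts the restriction.</li>
 * </ul>
 *
 * <p>NOTE(review): the second key is plural, but its value is compared as one
 * whole name. A delimited list would match nobody and deny every caller in the
 * restricted domain; confirm the intended format.
 */
public class CnsDomainSecurityPolicy extends AbstractSecurityPolicy {
    private static final Log log = LogFactory.getLog(CnsDomainSecurityPolicy.class);
    private static final String RESTRICTED_DOMAIN_NAME = Framework.getProperty("cns.domainSecurity.restrictedDomain", "ged-cns");
    private static final String ALLOWED_PROFILE = Framework.getProperty("cns.domainSecurity.allowedProfiles", "CNS_commun-cns");

    /**
     * Applies the domain restriction to a single permission check.
     *
     * <p>Only {@code document}, {@code principal} and {@code strArr2} are used.
     * {@code strArr2} is presumably the "additional principals" argument of the
     * Nuxeo {@code SecurityPolicy} interface (the caller's groups); the names
     * were lost in decompilation, so confirm against the interface.
     *
     * @param document  document being accessed
     * @param acp       merged ACP of the document (unused)
     * @param principal caller, may be {@code null}
     * @param str       requested permission (unused)
     * @param strArr    resolved permissions (unused)
     * @param strArr2   extra principal names checked against the allowed profile
     * @return {@link Access#DENY} when the document is in the restricted domain
     *         and no name matches the allowed profile, otherwise
     *         {@link Access#UNKNOWN}
     */
    @Override
    public Access checkPermission(Document document, ACP acp, Principal principal, String str, String[] strArr, String[] strArr2) {
        Access access = Access.UNKNOWN;
        try {
            if (doPolicyApply(document)) {
                access = restrictToProfile(document, principal, strArr2);
            }
        } catch (DocumentException e) {
            // NOTE(review): this path fails open. When the document path cannot be
            // read the policy abstains (UNKNOWN) instead of denying, so the
            // restriction is silently skipped for that request. Confirm this is
            // the intended trade-off, and alert on this log line.
            // The exception is passed to the logger so the stack trace is kept.
            log.error("Failed to evaluate the policy, error: " + e.getMessage(), e);
        }
        return access;
    }

    /**
     * Decides the outcome for a document already known to be in the restricted
     * domain.
     *
     * <p>The caller's own name is matched as well as the extra names, so an
     * account whose login equals the profile name would also pass.
     *
     * @param document       document being accessed (unused)
     * @param principal      caller, may be {@code null}
     * @param principalNames extra principal names, may be {@code null}
     * @return {@link Access#UNKNOWN} on a match, {@link Access#DENY} otherwise
     */
    private Access restrictToProfile(Document document, Principal principal, String[] principalNames) {
        // Testing the caller's name directly avoids copying the array. It also
        // avoids the (String[]) cast, which failed when both the array and the
        // name were null.
        boolean allowed = hasAllowedProfile(principalNames)
                || (principal != null && StringUtils.equals(principal.getName(), ALLOWED_PROFILE));
        return allowed ? Access.UNKNOWN : Access.DENY;
    }

    /**
     * Tells whether one of the given names is exactly the allowed profile.
     *
     * @param names principal names to test, may be {@code null}
     * @return {@code true} when a name equals the allowed profile (case-sensitive)
     */
    private boolean hasAllowedProfile(String[] names) {
        if (names == null) {
            // No names supplied: nothing can match, so the caller is denied
            // rather than the check ending in a NullPointerException.
            return false;
        }
        for (String name : names) {
            if (StringUtils.equals(name, ALLOWED_PROFILE)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Tells whether the policy covers the given document.
     *
     * @param document document being accessed
     * @return {@code true} when the document lies in the restricted domain
     * @throws DocumentException if the document path cannot be read
     */
    private static boolean doPolicyApply(Document document) throws DocumentException {
        return docIsInRestrictedDomain(document);
    }

    /**
     * Compares the first segment of the document path with the restricted
     * domain name (exact, case-sensitive match).
     *
     * @param document document being accessed
     * @return {@code true} when the first path segment is the restricted domain
     * @throws DocumentException if the document path cannot be read
     */
    private static boolean docIsInRestrictedDomain(Document document) throws DocumentException {
        String firstSegment = null;
        String relativePath = StringUtils.removeStart(document.getPath(), "/");
        if (StringUtils.isNotBlank(relativePath)) {
            String[] segments = StringUtils.split(relativePath, '/');
            // A path made only of separators splits into an empty array.
            if (segments.length > 0) {
                firstSegment = segments[0];
            }
        }
        return StringUtils.equals(firstSegment, RESTRICTED_DOMAIN_NAME);
    }

    /**
     * Declares the policy as expressible in queries.
     *
     * <p>NOTE(review): the transformer returned by {@link #getQueryTransformer()}
     * is the identity, so this policy adds no restriction to queries. Verify
     * that principals without the allowed profile cannot list or search
     * restricted-domain documents through queries, even though
     * {@link #checkPermission} denies direct access.
     *
     * @return always {@code true}
     */
    @Override
    public boolean isExpressibleInQuery() {
        return true;
    }

    /**
     * Returns the query transformer of this policy.
     *
     * @return {@link SQLQuery.Transformer#IDENTITY}, which leaves queries unchanged
     */
    @Override
    public SQLQuery.Transformer getQueryTransformer() {
        return SQLQuery.Transformer.IDENTITY;
    }
}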
