package com.orientechnologies.orient.core.metadata.security;

import com.orientechnologies.orient.core.db.ODatabaseDocumentInternal;
import com.orientechnologies.orient.core.db.record.OIdentifiable;
import com.orientechnologies.orient.core.exception.OConfigurationException;
import com.orientechnologies.orient.core.metadata.schema.OImmutableClass;
import com.orientechnologies.orient.core.metadata.security.ORule;
import com.orientechnologies.orient.core.record.impl.ODocument;
import com.orientechnologies.orient.core.record.impl.ODocumentInternal;
import java.util.Set;

/* loaded from: input_file:WEB-INF/lib/orientdb-core-3.1.12.jar:com/orientechnologies/orient/core/metadata/security/ORestrictedAccessHook.class */
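/**
 * Static helpers for record-level access checks on schema classes that report
 * {@code isRestricted()}.
 *
 * <p>{@link #onRecordBeforeCreate} registers the creating user's (or role's) identity on a new
 * record through {@code allowIdentity}; {@link #isAllowed} evaluates whether the current user may
 * perform a given operation on a record.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>{@link #isAllowed} returns {@code true} when no user is bound to the database session, so
 *       the restriction is only enforced for sessions that carry a user.</li>
 *   <li>The {@code BYPASS_RESTRICTED} shortcut is tested with {@code ORole.PERMISSION_READ}
 *       whatever operation was requested.</li>
 * </ul>
 */
public class ORestrictedAccessHook {
    /**
     * Grants the creator access to a record that is about to be created in a restricted class.
     *
     * <p>The class-level custom attribute {@code onCreate.fields} (comma separated, defaulting to
     * the {@code ALLOW_ALL} field name) selects the fields that receive the identity. The custom
     * attribute {@code onCreate.identityType} selects whose identity is used: {@code "user"}
     * (default) or {@code "role"}.
     *
     * @param oDocument the record being created
     * @param oDatabaseDocumentInternal the database session performing the create
     * @return {@code true} if an identity was resolved and handed to {@code allowIdentity} for the
     *     configured fields; {@code false} if the class is not restricted, no user is bound to the
     *     session, or no identity could be resolved
     * @throws OConfigurationException if {@code onCreate.identityType} is neither {@code "user"}
     *     nor {@code "role"}
     */
    public static boolean onRecordBeforeCreate(ODocument oDocument, ODatabaseDocumentInternal oDatabaseDocumentInternal) {
        OImmutableClass schemaClass = ODocumentInternal.getImmutableSchemaClass(oDatabaseDocumentInternal, oDocument);
        if (schemaClass == null || !schemaClass.isRestricted()) {
            return false;
        }

        String fieldList = schemaClass.getCustom("onCreate.fields");
        if (fieldList == null) {
            fieldList = ORestrictedOperation.ALLOW_ALL.getFieldName();
        }
        // NOTE(review): entries are not trimmed, so "a, b" yields the field name " b" - confirm
        // that allowIdentity tolerates this or that the attribute is always written without spaces.
        String[] fieldNames = fieldList.split(",");

        String identityType = schemaClass.getCustom("onCreate.identityType");
        if (identityType == null) {
            identityType = "user";
        }
        boolean useUserIdentity = identityType.equals("user");
        // Reject a misconfigured class before touching the session, as the original code did.
        if (!useUserIdentity && !identityType.equals("role")) {
            throw new OConfigurationException("Wrong custom field 'onCreate.identityType' in class '" + schemaClass.getName() + "' with value '" + identityType + "'. Supported ones are: 'user', 'role'");
        }

        // Fix: the "role" path used to dereference getUser() without a null check and failed with
        // a NullPointerException when no user was bound to the session. Both paths now treat a
        // missing user as "no identity to grant".
        OSecurityUser user = oDatabaseDocumentInternal.getUser();
        if (user == null) {
            return false;
        }

        OIdentifiable creatorIdentity = null;
        if (useUserIdentity) {
            creatorIdentity = user.getIdentity();
        } else {
            Set<? extends OSecurityRole> roles = user.getRoles();
            // Only the first role returned by the iterator is granted. Set does not define an
            // iteration order, so for a multi-role user the chosen role depends on the concrete
            // set implementation - TODO confirm this is the intended owner.
            if (roles != null && !roles.isEmpty()) {
                creatorIdentity = roles.iterator().next().getIdentity();
            }
        }
        if (creatorIdentity == null) {
            return false;
        }

        for (String fieldName : fieldNames) {
            oDatabaseDocumentInternal.getSharedContext().getSecurity().allowIdentity(oDatabaseDocumentInternal, oDocument, fieldName, creatorIdentity);
        }
        return true;
    }

    /**
     * Decides whether the session's user may perform {@code oRestrictedOperation} on a record.
     *
     * @param oDatabaseDocumentInternal the database session whose user is checked
     * @param oDocument the record to check
     * @param oRestrictedOperation the operation whose allow-field is consulted in addition to the
     *     {@code ALLOW_ALL} field
     * @param z when {@code true}, the record is reloaded by identity from the database and the
     *     check runs against that copy instead of {@code oDocument}; presumably so the stored
     *     allow-sets are evaluated rather than values changed in memory - verify against callers
     * @return {@code true} if the class is not restricted, the session has no user, the user holds
     *     the bypass rule, or the security metadata allows the operation; {@code false} if the
     *     reload returns nothing or the allow-sets deny access
     */
    public static boolean isAllowed(ODatabaseDocumentInternal oDatabaseDocumentInternal, ODocument oDocument, ORestrictedOperation oRestrictedOperation, boolean z) {
        OImmutableClass schemaClass = ODocumentInternal.getImmutableSchemaClass(oDatabaseDocumentInternal, oDocument);
        if (schemaClass == null || !schemaClass.isRestricted()) {
            return true;
        }

        // Read the user once so the null check and the rule checks see the same object.
        OSecurityUser user = oDatabaseDocumentInternal.getUser();
        if (user == null) {
            // Fails open: a session without a user is not subject to the restriction. Callers that
            // expose restricted classes must make sure a user is bound to the session.
            return true;
        }

        // The bypass rule is tested with PERMISSION_READ for every requested operation.
        // NOTE(review): confirm that read permission on BYPASS_RESTRICTED is meant to cover
        // update and delete as well.
        if (user.isRuleDefined(ORule.ResourceGeneric.BYPASS_RESTRICTED, null)
                && user.checkIfAllowed(ORule.ResourceGeneric.BYPASS_RESTRICTED, null, ORole.PERMISSION_READ) != null) {
            return true;
        }

        ODocument checkedDocument = z ? (ODocument) oDatabaseDocumentInternal.load(oDocument.getIdentity()) : oDocument;
        if (checkedDocument == null) {
            // The record could not be loaded, so access is denied.
            return false;
        }
        return oDatabaseDocumentInternal.getMetadata().getSecurity().isAllowed((Set) checkedDocument.field(ORestrictedOperation.ALLOW_ALL.getFieldName()), (Set) checkedDocument.field(oRestrictedOperation.getFieldName()));
    }
}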
