package com.appiancorp.record.query.ads;

import com.appian.data.client.QueryResult;
import com.appiancorp.record.domain.SupportsReadOnlyReplicatedRecordType;
import com.appiancorp.record.query.SupportsRelatedRecordQuery;
import com.appiancorp.record.query.projection.BaseProjection;
import com.appiancorp.record.query.projection.RelatedProjection;
import com.appiancorp.record.service.DataStewardPrivilegeEscalator;
import com.appiancorp.record.service.RecordIdSourceFieldProvider;
import com.appiancorp.security.auth.SecurityContextProvider;
import com.appiancorp.suiteapi.security.auth.AppianUserDetails;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.function.Supplier;
import java.util.stream.Collectors;

/* loaded from: input_file:com/appiancorp/record/query/ads/AdsQueryDataStewardPrivilegeChecker.class */
public class AdsQueryDataStewardPrivilegeChecker {
    private final DataStewardPrivilegeEscalator dataStewardPrivilegeEscalator;
    private final SecurityContextProvider securityContextProvider;
    private final RecordIdSourceFieldProvider recordIdSourceFieldProvider;

    public AdsQueryDataStewardPrivilegeChecker(DataStewardPrivilegeEscalator dataStewardPrivilegeEscalator, SecurityContextProvider securityContextProvider, RecordIdSourceFieldProvider recordIdSourceFieldProvider) {
        this.dataStewardPrivilegeEscalator = dataStewardPrivilegeEscalator;
        this.securityContextProvider = securityContextProvider;
        this.recordIdSourceFieldProvider = recordIdSourceFieldProvider;
    }

    public boolean shouldEscalateWithinDataStewardContext() {
        return this.dataStewardPrivilegeEscalator.isInContextWhereDataStewardCanViewRecordTypes();
    }

    public QueryResult validateAndRunAsAdsSuperuser(SupportsRelatedRecordQuery supportsRelatedRecordQuery, Supplier<QueryResult> supplier) {
        validateCurrentUserCanAccessSelectedRecordTypes(supportsRelatedRecordQuery);
        AppianUserDetails appianUserDetails = this.securityContextProvider.get();
        if (!(appianUserDetails instanceof AppianUserDetails)) {
            throw new IllegalStateException("The current security context is not in the expected class. It is a: " + (appianUserDetails == null ? "<null>" : appianUserDetails.getClass().getName()));
        }
        AppianUserDetails appianUserDetails2 = appianUserDetails;
        boolean isAdsSuperUser = appianUserDetails2.isAdsSuperUser();
        appianUserDetails2.setIsAdsSuperUser(true);
        try {
            QueryResult queryResult = supplier.get();
            appianUserDetails2.setIsAdsSuperUser(isAdsSuperUser);
            return queryResult;
        } catch (Throwable th) {
            appianUserDetails2.setIsAdsSuperUser(isAdsSuperUser);
            throw th;
        }
    }

    public void validateCurrentUserCanAccessSelectedRecordTypes(SupportsRelatedRecordQuery supportsRelatedRecordQuery) {
        validateCurrentUserCanAccessBaseRecordType(supportsRelatedRecordQuery);
        validateCurrentUserCanAccessSelectedRelatedRecordTypes(supportsRelatedRecordQuery);
    }

    private void validateCurrentUserCanAccessBaseRecordType(SupportsRelatedRecordQuery supportsRelatedRecordQuery) {
        validateDataStewardRecordTypePrivileges(supportsRelatedRecordQuery.getRecordTypeDefinition());
    }

    private void validateCurrentUserCanAccessSelectedRelatedRecordTypes(SupportsRelatedRecordQuery supportsRelatedRecordQuery) {
        List<RelatedProjection> list = (List) supportsRelatedRecordQuery.getProjections().stream().filter(complexRecordProjection -> {
            return complexRecordProjection instanceof RelatedProjection;
        }).map(complexRecordProjection2 -> {
            return (RelatedProjection) complexRecordProjection2;
        }).collect(Collectors.toList());
        if (list.isEmpty()) {
            return;
        }
        HashSet hashSet = new HashSet();
        populateRecordTypeDefinitionsToValidate(list, hashSet);
        Iterator<SupportsReadOnlyReplicatedRecordType> it = hashSet.iterator();
        while (it.hasNext()) {
            validateDataStewardRecordTypePrivileges(it.next());
        }
    }

    private void populateRecordTypeDefinitionsToValidate(List<RelatedProjection> list, Set<SupportsReadOnlyReplicatedRecordType> set) {
        set.addAll((List) list.stream().filter(this::assertIncludesAtLeastOneBaseProjectionThatIsNotTheIdField).map((v0) -> {
            return v0.getTargetRecordTypeDefinition();
        }).collect(Collectors.toList()));
        List<RelatedProjection> list2 = (List) list.stream().map((v0) -> {
            return v0.getNestedProjections();
        }).flatMap((v0) -> {
            return v0.stream();
        }).filter(complexRecordProjection -> {
            return complexRecordProjection instanceof RelatedProjection;
        }).map(complexRecordProjection2 -> {
            return (RelatedProjection) complexRecordProjection2;
        }).collect(Collectors.toList());
        if (list2.isEmpty()) {
            return;
        }
        populateRecordTypeDefinitionsToValidate(list2, set);
    }

    private boolean assertIncludesAtLeastOneBaseProjectionThatIsNotTheIdField(RelatedProjection relatedProjection) {
        String uuid = this.recordIdSourceFieldProvider.getIdSourceField(relatedProjection.getTargetRecordTypeDefinition()).getUuid();
        return !((List) relatedProjection.getNestedProjections().stream().filter(complexRecordProjection -> {
            return complexRecordProjection instanceof BaseProjection;
        }).map(complexRecordProjection2 -> {
            return (BaseProjection) complexRecordProjection2;
        }).filter(baseProjection -> {
            return !uuid.equals(baseProjection.getProjectionName());
        }).collect(Collectors.toList())).isEmpty();
    }

    private void validateDataStewardRecordTypePrivileges(SupportsReadOnlyReplicatedRecordType supportsReadOnlyReplicatedRecordType) {
        String uuid = supportsReadOnlyReplicatedRecordType.getUuid();
        if (!this.dataStewardPrivilegeEscalator.doesCurrentUserHaveFullRecordViewerAccess(uuid)) {
            throw new IllegalStateException(String.format("Error when accessing record type with uuid: %s. Within the Data Steward context, users cannot access Record Types of which they're not a Data Steward.", uuid));
        }
    }
}
