package org.eclipse.ditto.concierge.service.enforcement;

import akka.actor.ActorRef;
import akka.actor.ActorSystem;
import akka.pattern.AskTimeoutException;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import java.util.function.BiFunction;
import java.util.stream.Collectors;
import javax.annotation.Nullable;
import org.eclipse.ditto.base.api.persistence.PersistenceLifecycle;
import org.eclipse.ditto.base.model.auth.AuthorizationContext;
import org.eclipse.ditto.base.model.exceptions.DittoJsonException;
import org.eclipse.ditto.base.model.exceptions.DittoRuntimeException;
import org.eclipse.ditto.base.model.headers.DittoHeaders;
import org.eclipse.ditto.base.model.headers.WithDittoHeaders;
import org.eclipse.ditto.base.model.json.FieldType;
import org.eclipse.ditto.base.model.json.JsonSchemaVersion;
import org.eclipse.ditto.base.model.namespaces.NamespaceBlockedException;
import org.eclipse.ditto.base.model.signals.commands.exceptions.GatewayInternalErrorException;
import org.eclipse.ditto.concierge.service.common.DittoConciergeConfig;
import org.eclipse.ditto.concierge.service.enforcement.placeholders.references.PolicyIdReferencePlaceholderResolver;
import org.eclipse.ditto.concierge.service.enforcement.placeholders.references.ReferencePlaceholder;
import org.eclipse.ditto.internal.utils.akka.logging.DittoLoggerFactory;
import org.eclipse.ditto.internal.utils.akka.logging.ThreadSafeDittoLogger;
import org.eclipse.ditto.internal.utils.cache.Cache;
import org.eclipse.ditto.internal.utils.cache.entry.Entry;
import org.eclipse.ditto.internal.utils.cacheloaders.AskWithRetry;
import org.eclipse.ditto.internal.utils.cacheloaders.EnforcementCacheKey;
import org.eclipse.ditto.internal.utils.cacheloaders.PolicyEnforcer;
import org.eclipse.ditto.internal.utils.cluster.DistPubSubAccess;
import org.eclipse.ditto.internal.utils.config.DefaultScopedConfig;
import org.eclipse.ditto.json.JsonFactory;
import org.eclipse.ditto.json.JsonFieldDefinition;
import org.eclipse.ditto.json.JsonFieldSelector;
import org.eclipse.ditto.json.JsonObject;
import org.eclipse.ditto.json.JsonObjectBuilder;
import org.eclipse.ditto.json.JsonPointer;
import org.eclipse.ditto.json.JsonPointerInvalidException;
import org.eclipse.ditto.json.JsonRuntimeException;
import org.eclipse.ditto.json.JsonValue;
import org.eclipse.ditto.policies.api.Permission;
import org.eclipse.ditto.policies.api.PoliciesValidator;
import org.eclipse.ditto.policies.model.Permissions;
import org.eclipse.ditto.policies.model.PoliciesModelFactory;
import org.eclipse.ditto.policies.model.PoliciesResourceType;
import org.eclipse.ditto.policies.model.Policy;
import org.eclipse.ditto.policies.model.PolicyException;
import org.eclipse.ditto.policies.model.PolicyId;
import org.eclipse.ditto.policies.model.ResourceKey;
import org.eclipse.ditto.policies.model.Subject;
import org.eclipse.ditto.policies.model.SubjectId;
import org.eclipse.ditto.policies.model.enforcers.Enforcer;
import org.eclipse.ditto.policies.model.enforcers.PolicyEnforcers;
import org.eclipse.ditto.policies.model.signals.commands.PolicyErrorResponse;
import org.eclipse.ditto.policies.model.signals.commands.exceptions.PolicyConflictException;
import org.eclipse.ditto.policies.model.signals.commands.exceptions.PolicyNotAccessibleException;
import org.eclipse.ditto.policies.model.signals.commands.exceptions.PolicyUnavailableException;
import org.eclipse.ditto.policies.model.signals.commands.modify.CreatePolicy;
import org.eclipse.ditto.policies.model.signals.commands.modify.CreatePolicyResponse;
import org.eclipse.ditto.policies.model.signals.commands.query.PolicyQueryCommandResponse;
import org.eclipse.ditto.policies.model.signals.commands.query.RetrievePolicy;
import org.eclipse.ditto.policies.model.signals.commands.query.RetrievePolicyResponse;
import org.eclipse.ditto.rql.model.ParserException;
import org.eclipse.ditto.rql.model.predicates.ast.RootNode;
import org.eclipse.ditto.rql.parser.RqlPredicateParser;
import org.eclipse.ditto.rql.query.things.FieldNamesPredicateVisitor;
import org.eclipse.ditto.things.model.Thing;
import org.eclipse.ditto.things.model.ThingConstants;
import org.eclipse.ditto.things.model.ThingId;
import org.eclipse.ditto.things.model.signals.commands.ThingCommand;
import org.eclipse.ditto.things.model.signals.commands.exceptions.PolicyIdNotAllowedException;
import org.eclipse.ditto.things.model.signals.commands.exceptions.PolicyInvalidException;
import org.eclipse.ditto.things.model.signals.commands.exceptions.ThingCommandToAccessExceptionRegistry;
import org.eclipse.ditto.things.model.signals.commands.exceptions.ThingCommandToModifyExceptionRegistry;
import org.eclipse.ditto.things.model.signals.commands.exceptions.ThingConditionFailedException;
import org.eclipse.ditto.things.model.signals.commands.exceptions.ThingConditionInvalidException;
import org.eclipse.ditto.things.model.signals.commands.exceptions.ThingNotAccessibleException;
import org.eclipse.ditto.things.model.signals.commands.exceptions.ThingNotCreatableException;
import org.eclipse.ditto.things.model.signals.commands.exceptions.ThingNotModifiableException;
import org.eclipse.ditto.things.model.signals.commands.exceptions.ThingUnavailableException;
import org.eclipse.ditto.things.model.signals.commands.modify.CreateThing;
import org.eclipse.ditto.things.model.signals.commands.modify.MergeThing;
import org.eclipse.ditto.things.model.signals.commands.modify.ModifyThing;
import org.eclipse.ditto.things.model.signals.commands.modify.ThingModifyCommand;
import org.eclipse.ditto.things.model.signals.commands.query.RetrieveThing;
import org.eclipse.ditto.things.model.signals.commands.query.RetrieveThingResponse;
import org.eclipse.ditto.things.model.signals.commands.query.ThingQueryCommand;
import org.eclipse.ditto.things.model.signals.commands.query.ThingQueryCommandResponse;

/* loaded from: input_file:org/eclipse/ditto/concierge/service/enforcement/ThingCommandEnforcement.class */
public final class ThingCommandEnforcement extends AbstractEnforcementWithAsk<ThingCommand<?>, ThingQueryCommandResponse<?>> {
    private static final String DEFAULT_POLICY_ENTRY_LABEL = "DEFAULT";
    private final ActorRef thingsShardRegion;
    private final ActorRef policiesShardRegion;
    private final EnforcerRetriever<Enforcer> thingEnforcerRetriever;
    private final EnforcerRetriever<Enforcer> policyEnforcerRetriever;
    private final Cache<EnforcementCacheKey, Entry<EnforcementCacheKey>> thingIdCache;
    private final Cache<EnforcementCacheKey, Entry<Enforcer>> policyEnforcerCache;
    private final PreEnforcer preEnforcer;
    private final PolicyIdReferencePlaceholderResolver policyIdReferencePlaceholderResolver;
    private static final ThreadSafeDittoLogger LOGGER = DittoLoggerFactory.getThreadSafeLogger(ThingCommandEnforcement.class);
    private static final Map<String, ThreadSafeDittoLogger> NAMESPACE_INSPECTION_LOGGERS = new HashMap();
    private static final JsonFieldSelector THING_QUERY_COMMAND_RESPONSE_ALLOWLIST = JsonFactory.newFieldSelector(Thing.JsonFields.ID, new JsonFieldDefinition[0]);

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/eclipse/ditto/concierge/service/enforcement/ThingCommandEnforcement$CreateThingWithEnforcer.class */
    public static final class CreateThingWithEnforcer {
        private final CreateThing createThing;
        private final Enforcer enforcer;

        private CreateThingWithEnforcer(CreateThing createThing, Enforcer enforcer) {
            this.createThing = createThing;
            this.enforcer = enforcer;
        }
    }

    /* loaded from: input_file:org/eclipse/ditto/concierge/service/enforcement/ThingCommandEnforcement$Provider.class */
    public static final class Provider implements EnforcementProvider<ThingCommand<?>> {
        private final ActorSystem actorSystem;
        private final ActorRef thingsShardRegion;
        private final ActorRef policiesShardRegion;
        private final Cache<EnforcementCacheKey, Entry<EnforcementCacheKey>> thingIdCache;
        private final Cache<EnforcementCacheKey, Entry<Enforcer>> policyEnforcerCache;
        private final PreEnforcer preEnforcer;

        public Provider(ActorSystem actorSystem, ActorRef actorRef, ActorRef actorRef2, Cache<EnforcementCacheKey, Entry<EnforcementCacheKey>> cache, Cache<EnforcementCacheKey, Entry<Enforcer>> cache2, @Nullable PreEnforcer preEnforcer) {
            this.actorSystem = (ActorSystem) Objects.requireNonNull(actorSystem);
            this.thingsShardRegion = (ActorRef) Objects.requireNonNull(actorRef);
            this.policiesShardRegion = (ActorRef) Objects.requireNonNull(actorRef2);
            this.thingIdCache = (Cache) Objects.requireNonNull(cache);
            this.policyEnforcerCache = (Cache) Objects.requireNonNull(cache2);
            this.preEnforcer = (PreEnforcer) Optional.ofNullable(preEnforcer).orElse((v0) -> {
                return CompletableFuture.completedFuture(v0);
            });
        }

        @Override // org.eclipse.ditto.concierge.service.enforcement.EnforcementProvider
        public Class<ThingCommand<?>> getCommandClass() {
            return ThingCommand.class;
        }

        @Override // org.eclipse.ditto.concierge.service.enforcement.EnforcementProvider
        public boolean isApplicable(ThingCommand<?> thingCommand) {
            return !LiveSignalEnforcement.isLiveSignal(thingCommand);
        }

        @Override // org.eclipse.ditto.concierge.service.enforcement.EnforcementProvider
        public boolean changesAuthorization(ThingCommand<?> thingCommand) {
            return (thingCommand instanceof ThingModifyCommand) && ((ThingModifyCommand) thingCommand).changesAuthorization();
        }

        @Override // org.eclipse.ditto.concierge.service.enforcement.EnforcementProvider
        public AbstractEnforcement<ThingCommand<?>> createEnforcement(Contextual<ThingCommand<?>> contextual) {
            return new ThingCommandEnforcement(contextual, this.actorSystem, this.thingsShardRegion, this.policiesShardRegion, this.thingIdCache, this.policyEnforcerCache, this.preEnforcer);
        }
    }

    private ThingCommandEnforcement(Contextual<ThingCommand<?>> contextual, ActorSystem actorSystem, ActorRef actorRef, ActorRef actorRef2, Cache<EnforcementCacheKey, Entry<EnforcementCacheKey>> cache, Cache<EnforcementCacheKey, Entry<Enforcer>> cache2, PreEnforcer preEnforcer) {
        super(contextual, ThingQueryCommandResponse.class);
        this.thingsShardRegion = (ActorRef) Objects.requireNonNull(actorRef);
        this.policiesShardRegion = (ActorRef) Objects.requireNonNull(actorRef2);
        DittoConciergeConfig.of(DefaultScopedConfig.dittoScoped(actorSystem.settings().config())).getEnforcementConfig().getSpecialLoggingInspectedNamespaces().forEach(str -> {
            NAMESPACE_INSPECTION_LOGGERS.put(str, DittoLoggerFactory.getThreadSafeLogger(ThingCommandEnforcement.class.getName() + ".namespace." + str));
        });
        this.thingIdCache = (Cache) Objects.requireNonNull(cache);
        this.policyEnforcerCache = (Cache) Objects.requireNonNull(cache2);
        this.preEnforcer = preEnforcer;
        this.thingEnforcerRetriever = PolicyEnforcerRetrieverFactory.create(cache, cache2);
        this.policyEnforcerRetriever = new EnforcerRetriever<>(IdentityCache.INSTANCE, cache2);
        this.policyIdReferencePlaceholderResolver = PolicyIdReferencePlaceholderResolver.of(conciergeForwarder(), getAskWithRetryConfig(), this.context.getScheduler(), this.context.getExecutor());
    }

    @Override // org.eclipse.ditto.concierge.service.enforcement.AbstractEnforcement
    public CompletionStage<Contextual<WithDittoHeaders>> enforce() {
        return this.thingEnforcerRetriever.retrieve(entityId(), (entry, entry2) -> {
            try {
                return doEnforce(entry, entry2);
            } catch (RuntimeException e) {
                return CompletableFuture.failedStage(e);
            }
        });
    }

    private CompletionStage<Contextual<WithDittoHeaders>> doEnforce(Entry<EnforcementCacheKey> entry, Entry<Enforcer> entry2) {
        if (!entry2.exists()) {
            return enforceThingCommandByNonexistentEnforcer(entry);
        }
        if (!keyEntryForDeletedThing(entry)) {
            return CompletableFuture.completedFuture(enforceThingCommandByPolicyEnforcer(signal(), PolicyId.of(((EnforcementCacheKey) entry.getValueOrThrow()).getId()), (Enforcer) entry2.getValueOrThrow()));
        }
        if (!isRetrieveCommandForDeletedThing()) {
            return enforceThingCommandByNonexistentEnforcer(entry);
        }
        return CompletableFuture.completedFuture(enforceThingCommandByPolicyEnforcer(signal(), PolicyId.of(((EnforcementCacheKey) entry.getValueOrThrow()).getId()), (Enforcer) entry2.getValueOrThrow()));
    }

    private boolean isRetrieveCommandForDeletedThing() {
        return (signal() instanceof RetrieveThing) && ((ThingCommand) signal()).getDittoHeaders().shouldRetrieveDeleted();
    }

    private boolean keyEntryForDeletedThing(Entry<EnforcementCacheKey> entry) {
        return entry.exists() && ((Boolean) ((EnforcementCacheKey) entry.getValueOrThrow()).getCacheLookupContext().flatMap((v0) -> {
            return v0.getPersistenceLifecycle();
        }).map(persistenceLifecycle -> {
            return Boolean.valueOf(PersistenceLifecycle.DELETED == persistenceLifecycle);
        }).orElse(false)).booleanValue();
    }

    private CompletionStage<Contextual<WithDittoHeaders>> enforceThingCommandByNonexistentEnforcer(Entry<EnforcementCacheKey> entry) {
        if (!entry.exists() || keyEntryForDeletedThing(entry)) {
            return enforceCreateThingBySelf().thenCompose(createThingWithEnforcer -> {
                return handleInitialCreateThing(createThingWithEnforcer.createThing, createThingWithEnforcer.enforcer).thenApply(contextual -> {
                    return contextual.withReceiver(this.thingsShardRegion);
                });
            }).exceptionally(th -> {
                ThreadSafeDittoLogger withCorrelationId = LOGGER.withCorrelationId(dittoHeaders());
                DittoRuntimeException asDittoRuntimeException = DittoRuntimeException.asDittoRuntimeException(th, th -> {
                    withCorrelationId.warn("Error during thing by itself enforcement - {}: {}", th.getClass().getSimpleName(), th.getMessage());
                    throw GatewayInternalErrorException.newBuilder().cause(th).build();
                });
                withCorrelationId.debug("DittoRuntimeException during enforceThingCommandByNonexistentEnforcer - {}: {}", asDittoRuntimeException.getClass().getSimpleName(), asDittoRuntimeException.getMessage());
                throw asDittoRuntimeException;
            });
        }
        ThingId entityId = ((ThingCommand) signal()).getEntityId();
        DittoRuntimeException errorForExistingThingWithDeletedPolicy = errorForExistingThingWithDeletedPolicy((ThingCommand) signal(), entityId, ((EnforcementCacheKey) entry.getValueOrThrow()).getId());
        if (LOGGER.isInfoEnabled()) {
            LOGGER.withCorrelationId(dittoHeaders()).info("Enforcer was not existing for Thing <{}>, responding with: {}", entityId, errorForExistingThingWithDeletedPolicy.toString());
        }
        throw errorForExistingThingWithDeletedPolicy;
    }

    private static boolean isResponseRequired(WithDittoHeaders withDittoHeaders) {
        return withDittoHeaders.getDittoHeaders().isResponseRequired();
    }

    private Contextual<WithDittoHeaders> enforceThingCommandByPolicyEnforcer(ThingCommand<?> thingCommand, PolicyId policyId, Enforcer enforcer) {
        Contextual<WithDittoHeaders> forwardToThingsShardRegion;
        RetrieveThing authorizeByPolicyOrThrow = authorizeByPolicyOrThrow(enforcer, thingCommand);
        if (authorizeByPolicyOrThrow instanceof ThingQueryCommand) {
            RetrieveThing retrieveThing = (ThingQueryCommand) authorizeByPolicyOrThrow;
            if (!isResponseRequired(retrieveThing)) {
                forwardToThingsShardRegion = withMessageToReceiver(null, ActorRef.noSender());
            } else if ((retrieveThing instanceof RetrieveThing) && shouldRetrievePolicyWithThing(retrieveThing)) {
                RetrieveThing retrieveThing2 = retrieveThing;
                forwardToThingsShardRegion = withMessageToReceiverViaAskFuture(retrieveThing2, sender(), () -> {
                    return retrieveThingAndPolicy(retrieveThing2, policyId, enforcer);
                });
            } else {
                forwardToThingsShardRegion = withMessageToReceiverViaAskFuture(retrieveThing, sender(), () -> {
                    return askAndBuildJsonView(this.thingsShardRegion, retrieveThing, enforcer, this.context.getScheduler(), this.context.getExecutor());
                });
            }
        } else {
            forwardToThingsShardRegion = forwardToThingsShardRegion(authorizeByPolicyOrThrow);
        }
        return forwardToThingsShardRegion;
    }

    private CompletionStage<ThingQueryCommandResponse<?>> retrieveThingAndPolicy(RetrieveThing retrieveThing, PolicyId policyId, Enforcer enforcer) {
        Optional authorizePolicyCommand = PolicyCommandEnforcement.authorizePolicyCommand(RetrievePolicy.of(policyId, DittoHeaders.newBuilder(retrieveThing.getDittoHeaders()).removePreconditionHeaders().build()), PolicyEnforcer.of(enforcer));
        return authorizePolicyCommand.isPresent() ? retrieveThingBeforePolicy(retrieveThing).thenCompose(thingQueryCommandResponse -> {
            return thingQueryCommandResponse instanceof RetrieveThingResponse ? retrieveInlinedPolicyForThing(retrieveThing, (RetrievePolicy) authorizePolicyCommand.get()).thenApply(optional -> {
                if (!optional.isPresent()) {
                    return thingQueryCommandResponse;
                }
                return reportAggregatedThingAndPolicyResponse(retrieveThing, (RetrieveThingResponse) thingQueryCommandResponse, PolicyCommandEnforcement.buildJsonViewForPolicyQueryCommandResponse((PolicyQueryCommandResponse) optional.get(), enforcer), enforcer);
            }) : CompletableFuture.completedFuture(thingQueryCommandResponse);
        }) : askAndBuildJsonView(this.thingsShardRegion, retrieveThing, enforcer, this.context.getScheduler(), this.context.getExecutor());
    }

    private CompletionStage<ThingQueryCommandResponse<?>> retrieveThingBeforePolicy(RetrieveThing retrieveThing) {
        return ask(this.thingsShardRegion, retrieveThing, "retrieving thing before inlined policy", this.context.getScheduler(), this.context.getExecutor());
    }

    private CompletionStage<Optional<RetrievePolicyResponse>> retrieveInlinedPolicyForThing(RetrieveThing retrieveThing, RetrievePolicy retrievePolicy) {
        return this.preEnforcer.apply(retrievePolicy).thenCompose(dittoHeadersSettable -> {
            return AskWithRetry.askWithRetry(this.policiesShardRegion, dittoHeadersSettable, getAskWithRetryConfig(), this.context.getScheduler(), this.context.getExecutor(), obj -> {
                if (obj instanceof RetrievePolicyResponse) {
                    return Optional.of((RetrievePolicyResponse) obj);
                }
                LOGGER.withCorrelationId(getCorrelationIdOrNull(obj, retrieveThing)).info("No authorized response when retrieving inlined policy <{}> for thing <{}>: {}", new Object[]{retrievePolicy.getEntityId(), retrieveThing.getEntityId(), obj});
                return Optional.empty();
            }).exceptionally(th -> {
                LOGGER.withCorrelationId(getCorrelationIdOrNull(th, retrieveThing)).error("Retrieving inlined policy after RetrieveThing", th);
                return Optional.empty();
            });
        });
    }

    @Nullable
    private static CharSequence getCorrelationIdOrNull(Object obj, WithDittoHeaders withDittoHeaders) {
        return (CharSequence) (isWithDittoHeaders(obj) ? (WithDittoHeaders) obj : withDittoHeaders).getDittoHeaders().getCorrelationId().orElse(null);
    }

    private static boolean isWithDittoHeaders(Object obj) {
        return obj instanceof WithDittoHeaders;
    }

    private static RetrieveThingResponse reportAggregatedThingAndPolicyResponse(RetrieveThing retrieveThing, RetrieveThingResponse retrieveThingResponse, RetrievePolicyResponse retrievePolicyResponse, Enforcer enforcer) {
        return reportAggregatedThingAndPolicy(retrieveThing, retrieveThingResponse, retrievePolicyResponse.getPolicy(), enforcer);
    }

    private static RetrieveThingResponse reportAggregatedThingAndPolicy(RetrieveThing retrieveThing, RetrieveThingResponse retrieveThingResponse, Policy policy, Enforcer enforcer) {
        RetrieveThingResponse buildJsonViewForThingQueryCommandResponse = buildJsonViewForThingQueryCommandResponse(retrieveThingResponse, enforcer);
        return buildJsonViewForThingQueryCommandResponse.setEntity(buildJsonViewForThingQueryCommandResponse.getEntity().asObject().toBuilder().setAll(policy.toInlinedJson(retrieveThing.getImplementedSchemaVersion(), FieldType.notHidden())).build());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.eclipse.ditto.concierge.service.enforcement.AbstractEnforcementWithAsk
    public DittoRuntimeException handleAskTimeoutForCommand(ThingCommand<?> thingCommand, Throwable th) {
        LOGGER.withCorrelationId(dittoHeaders()).error("Timeout before building JsonView", th);
        return ThingUnavailableException.newBuilder(thingCommand.getEntityId()).dittoHeaders(thingCommand.getDittoHeaders()).build();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.eclipse.ditto.concierge.service.enforcement.AbstractEnforcementWithAsk
    public ThingQueryCommandResponse<?> filterJsonView(ThingQueryCommandResponse<?> thingQueryCommandResponse, Enforcer enforcer) {
        try {
            return buildJsonViewForThingQueryCommandResponse(thingQueryCommandResponse, enforcer);
        } catch (RuntimeException e) {
            throw reportError("Error after building JsonView", e);
        }
    }

    private CompletionStage<Contextual<WithDittoHeaders>> enforceCreateThingForNonexistentThingWithPolicyId(CreateThing createThing, PolicyId policyId) {
        return this.policyEnforcerRetriever.retrieve(EnforcementCacheKey.of(policyId), (entry, entry2) -> {
            if (entry2.exists()) {
                return CompletableFuture.completedFuture(enforceThingCommandByPolicyEnforcer(createThing, policyId, (Enforcer) entry2.getValueOrThrow()));
            }
            throw errorForExistingThingWithDeletedPolicy(createThing, createThing.getEntityId(), policyId);
        });
    }

    private static <T extends ThingQueryCommandResponse<T>> T buildJsonViewForThingQueryCommandResponse(ThingQueryCommandResponse<T> thingQueryCommandResponse, Enforcer enforcer) {
        JsonValue entity = thingQueryCommandResponse.getEntity();
        return entity.isObject() ? (T) thingQueryCommandResponse.setEntity(getJsonViewForThingQueryCommandResponse(entity.asObject(), thingQueryCommandResponse, enforcer)) : (T) thingQueryCommandResponse.setEntity(entity);
    }

    private Contextual<WithDittoHeaders> forwardToThingsShardRegion(ThingCommand<?> thingCommand) {
        JsonValue jsonValue;
        if ((thingCommand instanceof ThingModifyCommand) && ((ThingModifyCommand) thingCommand).changesAuthorization()) {
            invalidateThingCaches(thingCommand.getEntityId());
        }
        if (NAMESPACE_INSPECTION_LOGGERS.containsKey(thingCommand.getEntityId().getNamespace())) {
            ThreadSafeDittoLogger withCorrelationId = NAMESPACE_INSPECTION_LOGGERS.get(thingCommand.getEntityId().getNamespace()).withCorrelationId(thingCommand);
            if ((thingCommand instanceof ThingModifyCommand) && null != (jsonValue = (JsonValue) ((ThingModifyCommand) thingCommand).getEntity().orElse(null))) {
                withCorrelationId.info("Forwarding modify command type <{}> with resourceKeys <{}>", thingCommand.getType(), calculateLeaves(thingCommand.getResourcePath(), jsonValue));
            }
            withCorrelationId.debug("Forwarding command type <{}>: <{}>", thingCommand.getType(), thingCommand);
        }
        return withMessageToReceiver(thingCommand, this.thingsShardRegion);
    }

    private void invalidateThingCaches(ThingId thingId) {
        EnforcementCacheKey of = EnforcementCacheKey.of(thingId);
        this.thingIdCache.invalidate(of);
        pubSubMediator().tell(DistPubSubAccess.sendToAll("/user/conciergeRoot/enforcer", InvalidateCacheEntry.of(of), true), self());
    }

    private void invalidatePolicyCache(PolicyId policyId) {
        EnforcementCacheKey of = EnforcementCacheKey.of(policyId);
        this.policyEnforcerCache.invalidate(of);
        pubSubMediator().tell(DistPubSubAccess.sendToAll("/user/conciergeRoot/enforcer", InvalidateCacheEntry.of(of), true), self());
    }

    private static JsonObject getJsonViewForThingQueryCommandResponse(JsonObject jsonObject, ThingQueryCommandResponse<?> thingQueryCommandResponse, Enforcer enforcer) {
        return enforcer.buildJsonView(ResourceKey.newInstance(ThingConstants.ENTITY_TYPE, thingQueryCommandResponse.getResourcePath()), jsonObject, thingQueryCommandResponse.getDittoHeaders().getAuthorizationContext(), THING_QUERY_COMMAND_RESPONSE_ALLOWLIST, Permissions.newInstance("READ", new String[0]));
    }

    private static DittoRuntimeException errorForExistingThingWithDeletedPolicy(ThingCommand<?> thingCommand, ThingId thingId, CharSequence charSequence) {
        String format = String.format("The Thing with ID '%s' could not be accessed as its Policy with ID '%s' is not or no longer existing.", thingId, charSequence);
        String format2 = String.format("Recreate/create the Policy with ID '%s' in order to get access to the Thing again.", charSequence);
        return thingCommand instanceof ThingModifyCommand ? ThingNotModifiableException.newBuilder(thingId).message(format).description(format2).dittoHeaders(thingCommand.getDittoHeaders()).build() : ThingNotAccessibleException.newBuilder(thingId).message(format).description(format2).dittoHeaders(thingCommand.getDittoHeaders()).build();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static DittoRuntimeException errorForThingCommand(ThingCommand<?> thingCommand) {
        return (thingCommand instanceof ThingModifyCommand ? ThingCommandToModifyExceptionRegistry.getInstance() : ThingCommandToAccessExceptionRegistry.getInstance()).exceptionFrom(thingCommand);
    }

    private CompletionStage<CreateThingWithEnforcer> enforceCreateThingBySelf() {
        ThingCommand<?> transformModifyThingToCreateThing = transformModifyThingToCreateThing((ThingCommand) signal());
        if (transformModifyThingToCreateThing instanceof CreateThing) {
            return replaceInitialPolicyWithCopiedPolicyIfPresent((CreateThing) transformModifyThingToCreateThing).thenApply(createThing -> {
                return (CreateThingWithEnforcer) createThing.getInitialPolicy().map(jsonObject -> {
                    return enforceCreateThingByOwnInlinedPolicyOrThrow(createThing, jsonObject);
                }).orElseGet(() -> {
                    return enforceCreateThingByAuthorizationContext(createThing);
                });
            });
        }
        DittoRuntimeException build = ThingNotAccessibleException.newBuilder(transformModifyThingToCreateThing.getEntityId()).dittoHeaders(transformModifyThingToCreateThing.getDittoHeaders()).build();
        LOGGER.withCorrelationId(dittoHeaders()).info("Enforcer was not existing for Thing <{}> and no auth info was inlined, responding with: {} - {}", new Object[]{transformModifyThingToCreateThing.getEntityId(), build.getClass().getSimpleName(), build.getMessage()});
        throw build;
    }

    private CompletionStage<CreateThing> replaceInitialPolicyWithCopiedPolicyIfPresent(CreateThing createThing) {
        return getInitialPolicyOrCopiedPolicy(createThing).thenApply(jsonObject -> {
            return CreateThing.of(createThing.getThing(), jsonObject, createThing.getDittoHeaders());
        });
    }

    private CompletionStage<JsonObject> getInitialPolicyOrCopiedPolicy(CreateThing createThing) {
        ThreadSafeDittoLogger withCorrelationId = LOGGER.withCorrelationId(createThing);
        return ((CompletionStage) createThing.getPolicyIdOrPlaceholder().flatMap((v0) -> {
            return ReferencePlaceholder.fromCharSequence(v0);
        }).map(referencePlaceholder -> {
            withCorrelationId.debug("CreateThing command contains a reference placeholder for the policy it wants to copy: {}", referencePlaceholder);
            return this.policyIdReferencePlaceholderResolver.resolve(referencePlaceholder, dittoHeaders().toBuilder().removePreconditionHeaders().responseRequired(true).build());
        }).orElseGet(() -> {
            return CompletableFuture.completedFuture((String) createThing.getPolicyIdOrPlaceholder().orElse(null));
        })).thenCompose(str -> {
            if (str != null) {
                withCorrelationId.debug("CreateThing command wants to use a copy of Policy <{}>", str);
                return retrievePolicyWithEnforcement(PolicyId.of(str)).thenApply(policy -> {
                    return policy.toJson(JsonSchemaVersion.V_2).remove("policyId");
                });
            }
            withCorrelationId.debug("CreateThing command did not contain a policy that should be copied.");
            return CompletableFuture.completedFuture((JsonObject) createThing.getInitialPolicy().orElse(null));
        });
    }

    private CompletionStage<Policy> retrievePolicyWithEnforcement(PolicyId policyId) {
        DittoHeaders build = dittoHeaders().toBuilder().removePreconditionHeaders().responseRequired(true).build();
        return AskWithRetry.askWithRetry(conciergeForwarder(), RetrievePolicy.of(policyId, build), getAskWithRetryConfig(), this.context.getScheduler(), this.context.getExecutor(), obj -> {
            if (obj instanceof RetrievePolicyResponse) {
                return ((RetrievePolicyResponse) obj).getPolicy();
            }
            if (obj instanceof PolicyErrorResponse) {
                throw ((PolicyErrorResponse) obj).getDittoRuntimeException();
            }
            if (obj instanceof DittoRuntimeException) {
                throw ((DittoRuntimeException) obj);
            }
            LOGGER.withCorrelationId(build).error("Got an unexpected response while retrieving a Policy that should be copied during Thing creation: {}", obj);
            throw GatewayInternalErrorException.newBuilder().build();
        });
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static CreateThingWithEnforcer enforceCreateThingByAuthorizationContext(CreateThing createThing) {
        AuthorizationContext authorizationContext = createThing.getDittoHeaders().getAuthorizationContext();
        AuthorizedSubjectsEnforcer authorizedSubjectsEnforcer = new AuthorizedSubjectsEnforcer(AuthorizationContext.newInstance(authorizationContext.getType(), (Set) authorizationContext.getFirstAuthorizationSubject().map((v0) -> {
            return Collections.singleton(v0);
        }).orElse(Collections.emptySet())));
        return new CreateThingWithEnforcer(AbstractEnforcement.addEffectedReadSubjectsToThingSignal(createThing, authorizedSubjectsEnforcer), authorizedSubjectsEnforcer);
    }

    private CreateThingWithEnforcer enforceCreateThingByOwnInlinedPolicyOrThrow(CreateThing createThing, JsonObject jsonObject) {
        Policy initialPolicy = getInitialPolicy(createThing, jsonObject);
        if (PoliciesValidator.newInstance(initialPolicy).isValid()) {
            return attachEnforcerOrThrow(createThing, PolicyEnforcers.defaultEvaluator(initialPolicy), ThingCommandEnforcement::authorizeByPolicyOrThrow);
        }
        throw PolicyInvalidException.newBuilder(Permission.MIN_REQUIRED_POLICY_PERMISSIONS, createThing.getEntityId()).dittoHeaders(createThing.getDittoHeaders()).build();
    }

    private Policy getInitialPolicy(CreateThing createThing, JsonObject jsonObject) {
        try {
            return PoliciesModelFactory.newPolicy(jsonObject);
        } catch (JsonRuntimeException | DittoJsonException e) {
            throw PolicyInvalidException.newBuilderForCause(e, createThing.getEntityId()).dittoHeaders(createThing.getDittoHeaders()).build();
        } catch (DittoRuntimeException e2) {
            DittoHeaders dittoHeaders = createThing.getDittoHeaders();
            if (e2 instanceof PolicyException) {
                throw e2.setDittoHeaders(dittoHeaders);
            }
            throw reportError("Error during creation of inline policy from JSON", e2);
        }
    }

    private static CreateThingWithEnforcer attachEnforcerOrThrow(CreateThing createThing, Enforcer enforcer, BiFunction<Enforcer, ThingCommand<CreateThing>, CreateThing> biFunction) {
        return new CreateThingWithEnforcer(biFunction.apply(enforcer, createThing), enforcer);
    }

    private static ThingCommand<?> transformModifyThingToCreateThing(ThingCommand<?> thingCommand) {
        if (!(thingCommand instanceof ModifyThing)) {
            return thingCommand;
        }
        ModifyThing modifyThing = (ModifyThing) thingCommand;
        return CreateThing.of(modifyThing.getThing().toBuilder().setId(modifyThing.getEntityId()).build(), (JsonObject) modifyThing.getInitialPolicy().orElse(null), (String) modifyThing.getPolicyIdOrPlaceholder().orElse(null), modifyThing.getDittoHeaders());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static <T extends ThingCommand<T>> T authorizeByPolicyOrThrow(Enforcer enforcer, ThingCommand<T> thingCommand) {
        ResourceKey thingResource = PoliciesResourceType.thingResource(thingCommand.getResourcePath());
        DittoHeaders dittoHeaders = thingCommand.getDittoHeaders();
        AuthorizationContext authorizationContext = dittoHeaders.getAuthorizationContext();
        boolean enforceMergeThingCommand = thingCommand instanceof MergeThing ? enforceMergeThingCommand(enforcer, (MergeThing) thingCommand, thingResource, authorizationContext) : thingCommand instanceof ThingModifyCommand ? enforcer.hasUnrestrictedPermissions(thingResource, authorizationContext, "WRITE", new String[0]) : enforcer.hasPartialPermissions(thingResource, authorizationContext, "READ", new String[0]);
        Optional condition = dittoHeaders.getCondition();
        if (!(thingCommand instanceof CreateThing) && condition.isPresent()) {
            enforceReadPermissionOnCondition((String) condition.get(), enforcer, dittoHeaders);
        }
        if (enforceMergeThingCommand) {
            return AbstractEnforcement.addEffectedReadSubjectsToThingSignal(thingCommand, enforcer);
        }
        throw errorForThingCommand(thingCommand);
    }

    private static void enforceReadPermissionOnCondition(String str, Enforcer enforcer, DittoHeaders dittoHeaders) {
        if (!enforcer.hasUnrestrictedPermissions(determineResourceKeys(tryParseRqlCondition(str, dittoHeaders), dittoHeaders), dittoHeaders.getAuthorizationContext(), "READ", new String[0])) {
            throw ThingConditionFailedException.newBuilderForInsufficientPermission(dittoHeaders).build();
        }
    }

    private static RootNode tryParseRqlCondition(String str, DittoHeaders dittoHeaders) {
        try {
            return RqlPredicateParser.getInstance().parse(str);
        } catch (ParserException e) {
            throw ThingConditionInvalidException.newBuilder(str, e.getMessage()).dittoHeaders(dittoHeaders).build();
        }
    }

    private static Set<ResourceKey> determineResourceKeys(RootNode rootNode, DittoHeaders dittoHeaders) {
        FieldNamesPredicateVisitor newInstance = FieldNamesPredicateVisitor.getNewInstance();
        newInstance.visit(rootNode);
        return (Set) newInstance.getFieldNames().stream().map(str -> {
            return tryGetResourceKey(str, dittoHeaders);
        }).collect(Collectors.toSet());
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static ResourceKey tryGetResourceKey(String str, DittoHeaders dittoHeaders) {
        try {
            return PoliciesResourceType.thingResource(str);
        } catch (JsonPointerInvalidException e) {
            throw ThingConditionInvalidException.newBuilder(str, (String) e.getDescription().orElse("")).dittoHeaders(dittoHeaders).build();
        }
    }

    private static boolean enforceMergeThingCommand(Enforcer enforcer, MergeThing mergeThing, ResourceKey resourceKey, AuthorizationContext authorizationContext) {
        if (enforcer.hasUnrestrictedPermissions(resourceKey, authorizationContext, "WRITE", new String[0])) {
            return true;
        }
        if (enforcer.hasPartialPermissions(resourceKey, authorizationContext, "WRITE", new String[0])) {
            return enforcer.hasUnrestrictedPermissions(calculateLeaves(mergeThing.getPath(), mergeThing.getValue()), authorizationContext, "WRITE", new String[0]);
        }
        return false;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static Set<ResourceKey> calculateLeaves(JsonPointer jsonPointer, JsonValue jsonValue) {
        return jsonValue.isObject() ? (Set) jsonValue.asObject().stream().map(jsonField -> {
            return calculateLeaves(jsonPointer.append(jsonField.getKey().asPointer()), jsonField.getValue());
        }).reduce(new HashSet(), ThingCommandEnforcement::addAll, ThingCommandEnforcement::addAll) : Set.of(PoliciesResourceType.thingResource(jsonPointer));
    }

    private static Set<ResourceKey> addAll(Set<ResourceKey> set, Set<ResourceKey> set2) {
        set.addAll(set2);
        return set;
    }

    private static boolean shouldRetrievePolicyWithThing(ThingCommand<?> thingCommand) {
        return ((RetrieveThing) thingCommand).getSelectedFields().filter(jsonFieldSelector -> {
            return jsonFieldSelector.getPointers().stream().anyMatch(jsonPointer -> {
                return jsonPointer.getRoot().filter(jsonKey -> {
                    return "_policy".equals(jsonKey.toString());
                }).isPresent();
            });
        }).isPresent();
    }

    /* JADX WARN: Multi-variable type inference failed */
    private CompletionStage<Contextual<WithDittoHeaders>> handleInitialCreateThing(CreateThing createThing, Enforcer enforcer) {
        CompletionStage completedFuture;
        if (shouldCreatePolicyForCreateThing(createThing)) {
            checkForErrorsInCreateThingWithPolicy(createThing);
            completedFuture = createThingWithInitialPolicy(createThing, enforcer).thenApply((v1) -> {
                return forwardToThingsShardRegion(v1);
            });
        } else if (createThing.getThing().getPolicyEntityId().isPresent()) {
            PolicyId policyId = (PolicyId) createThing.getThing().getPolicyEntityId().orElseThrow(IllegalStateException::new);
            checkForErrorsInCreateThingWithPolicy(createThing);
            completedFuture = enforceCreateThingForNonexistentThingWithPolicyId(createThing, policyId);
        } else {
            completedFuture = CompletableFuture.completedFuture(forwardToThingsShardRegion(createThing));
        }
        return completedFuture;
    }

    private static boolean shouldCreatePolicyForCreateThing(CreateThing createThing) {
        return createThing.getInitialPolicy().isPresent() || createThing.getThing().getPolicyEntityId().isEmpty();
    }

    private static void checkForErrorsInCreateThingWithPolicy(CreateThing createThing) {
        validatePolicyIdForCreateThing(createThing);
    }

    private static void validatePolicyIdForCreateThing(CreateThing createThing) {
        boolean z;
        Optional map = createThing.getThing().getPolicyEntityId().map((v0) -> {
            return String.valueOf(v0);
        });
        Optional flatMap = createThing.getInitialPolicy().flatMap(jsonObject -> {
            return jsonObject.getValue(Thing.JsonFields.POLICY_ID);
        });
        if (map.isPresent()) {
            z = flatMap.isEmpty() || flatMap.equals(map);
        } else {
            z = true;
        }
        if (!z) {
            throw PolicyIdNotAllowedException.newBuilder(createThing.getEntityId()).dittoHeaders(createThing.getDittoHeaders()).build();
        }
    }

    private CompletionStage<CreateThing> createThingWithInitialPolicy(CreateThing createThing, Enforcer enforcer) {
        try {
            Optional<Policy> inlinedOrDefaultPolicyForCreateThing = getInlinedOrDefaultPolicyForCreateThing(createThing);
            if (inlinedOrDefaultPolicyForCreateThing.isPresent()) {
                return (CompletionStage) PolicyCommandEnforcement.authorizePolicyCommand(CreatePolicy.of(inlinedOrDefaultPolicyForCreateThing.get(), DittoHeaders.newBuilder(createThing.getDittoHeaders()).removePreconditionHeaders().responseRequired(true).build()), PolicyEnforcer.of(enforcer)).map(createPolicy -> {
                    return createPolicyAndThing(createPolicy, createThing);
                }).orElseThrow(() -> {
                    return errorForThingCommand(createThing);
                });
            }
            ThingId entityId = createThing.getEntityId();
            throw ThingNotCreatableException.newBuilderForPolicyMissing(entityId, PolicyId.of(entityId)).message(String.format("The Thing with ID '%s' could not be created with implicit Policy because no authorization subject is present.", entityId)).description(() -> {
                return null;
            }).dittoHeaders(createThing.getDittoHeaders()).build();
        } catch (RuntimeException e) {
            throw reportError("error before creating thing with initial policy", e);
        }
    }

    private CompletionStage<CreateThing> createPolicyAndThing(CreatePolicy createPolicy, CreateThing createThing) {
        CreateThing of = CreateThing.of(createThing.getThing().setPolicyId(createPolicy.getEntityId()), (JsonObject) null, createThing.getDittoHeaders());
        invalidatePolicyCache(createPolicy.getEntityId());
        return this.preEnforcer.apply(createPolicy).thenCompose(dittoHeadersSettable -> {
            return AskWithRetry.askWithRetry(this.policiesShardRegion, dittoHeadersSettable, getAskWithRetryConfig(), this.context.getScheduler(), this.context.getExecutor(), obj -> {
                handlePolicyResponseForCreateThing(createPolicy, of, obj);
                invalidateThingCaches(of.getEntityId());
                return of;
            });
        }).exceptionally(th -> {
            if (th instanceof AskTimeoutException) {
                throw PolicyUnavailableException.newBuilder(createPolicy.getEntityId()).dittoHeaders(of.getDittoHeaders()).build();
            }
            throw reportErrorOrResponse(String.format("creating initial policy during creation of Thing <%s>", of.getEntityId()), null, th);
        });
    }

    private void handlePolicyResponseForCreateThing(CreatePolicy createPolicy, CreateThing createThing, Object obj) {
        if (obj instanceof CreatePolicyResponse) {
            return;
        }
        if (shouldReportInitialPolicyCreationFailure(obj)) {
            throw reportInitialPolicyCreationFailure(createPolicy.getEntityId(), createThing);
        }
        if (!isAskTimeoutException(obj, null)) {
            throw reportErrorOrResponse(String.format("creating initial policy during creation of Thing <%s>", createThing.getEntityId()), obj, null);
        }
        throw PolicyUnavailableException.newBuilder(createPolicy.getEntityId()).dittoHeaders(createThing.getDittoHeaders()).build();
    }

    private static boolean shouldReportInitialPolicyCreationFailure(Object obj) {
        return (obj instanceof PolicyConflictException) || (obj instanceof PolicyNotAccessibleException) || (obj instanceof NamespaceBlockedException);
    }

    private static ThingNotCreatableException reportInitialPolicyCreationFailure(PolicyId policyId, CreateThing createThing) {
        LOGGER.withCorrelationId(createThing).info("Failed to create Policy with ID <{}> because it already exists. The CreateThing command which would have created a Policy for the Thing with ID <{}> is therefore not handled.", policyId, createThing.getEntityId());
        return ThingNotCreatableException.newBuilderForPolicyExisting(createThing.getEntityId(), policyId).dittoHeaders(createThing.getDittoHeaders()).build();
    }

    private static Optional<Policy> getInlinedOrDefaultPolicyForCreateThing(CreateThing createThing) {
        Optional initialPolicy = createThing.getInitialPolicy();
        if (!initialPolicy.isPresent()) {
            return getDefaultPolicy(createThing.getDittoHeaders().getAuthorizationContext(), createThing.getEntityId());
        }
        JsonObject jsonObject = (JsonObject) initialPolicy.get();
        JsonObjectBuilder builder = jsonObject.toBuilder();
        Thing thing = createThing.getThing();
        if (thing.getPolicyEntityId().isPresent() || !jsonObject.contains(Policy.JsonFields.ID.getPointer())) {
            builder.set(Policy.JsonFields.ID, (String) thing.getPolicyEntityId().map((v0) -> {
                return String.valueOf(v0);
            }).orElse(createThing.getEntityId().toString()));
        }
        return Optional.of(PoliciesModelFactory.newPolicy(builder.build()));
    }

    private static Optional<Policy> getDefaultPolicy(AuthorizationContext authorizationContext, ThingId thingId) {
        return authorizationContext.getFirstAuthorizationSubject().map((v0) -> {
            return v0.getId();
        }).map((v0) -> {
            return SubjectId.newInstance(v0);
        }).map(Subject::newInstance).map(subject -> {
            return Policy.newBuilder(PolicyId.of(thingId)).forLabel(DEFAULT_POLICY_ENTRY_LABEL).setSubject(subject).setGrantedPermissions(PoliciesResourceType.thingResource("/"), org.eclipse.ditto.things.api.Permission.DEFAULT_THING_PERMISSIONS).setGrantedPermissions(PoliciesResourceType.policyResource("/"), Permission.DEFAULT_POLICY_PERMISSIONS).setGrantedPermissions(PoliciesResourceType.messageResource("/"), Permission.DEFAULT_POLICY_PERMISSIONS).build();
        });
    }
}
