package org.eclipse.ditto.concierge.service.enforcement;

import akka.actor.ActorRef;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import java.util.stream.Collectors;
import org.eclipse.ditto.base.model.auth.AuthorizationContext;
import org.eclipse.ditto.base.model.exceptions.DittoRuntimeException;
import org.eclipse.ditto.base.model.headers.DittoHeaderDefinition;
import org.eclipse.ditto.base.model.headers.WithDittoHeaders;
import org.eclipse.ditto.internal.utils.cache.Cache;
import org.eclipse.ditto.internal.utils.cache.entry.Entry;
import org.eclipse.ditto.internal.utils.cacheloaders.EnforcementCacheKey;
import org.eclipse.ditto.internal.utils.cacheloaders.PolicyEnforcer;
import org.eclipse.ditto.internal.utils.cluster.DistPubSubAccess;
import org.eclipse.ditto.json.JsonFactory;
import org.eclipse.ditto.json.JsonFieldDefinition;
import org.eclipse.ditto.json.JsonFieldSelector;
import org.eclipse.ditto.json.JsonKey;
import org.eclipse.ditto.json.JsonObject;
import org.eclipse.ditto.json.JsonValue;
import org.eclipse.ditto.policies.model.Label;
import org.eclipse.ditto.policies.model.Permissions;
import org.eclipse.ditto.policies.model.PoliciesResourceType;
import org.eclipse.ditto.policies.model.Policy;
import org.eclipse.ditto.policies.model.PolicyId;
import org.eclipse.ditto.policies.model.ResourceKey;
import org.eclipse.ditto.policies.model.enforcers.Enforcer;
import org.eclipse.ditto.policies.model.enforcers.PolicyEnforcers;
import org.eclipse.ditto.policies.model.signals.commands.PolicyCommand;
import org.eclipse.ditto.policies.model.signals.commands.actions.PolicyActionCommand;
import org.eclipse.ditto.policies.model.signals.commands.actions.TopLevelPolicyActionCommand;
import org.eclipse.ditto.policies.model.signals.commands.exceptions.PolicyCommandToAccessExceptionRegistry;
import org.eclipse.ditto.policies.model.signals.commands.exceptions.PolicyCommandToActionsExceptionRegistry;
import org.eclipse.ditto.policies.model.signals.commands.exceptions.PolicyCommandToModifyExceptionRegistry;
import org.eclipse.ditto.policies.model.signals.commands.exceptions.PolicyNotAccessibleException;
import org.eclipse.ditto.policies.model.signals.commands.exceptions.PolicyUnavailableException;
import org.eclipse.ditto.policies.model.signals.commands.modify.CreatePolicy;
import org.eclipse.ditto.policies.model.signals.commands.modify.ModifyPolicy;
import org.eclipse.ditto.policies.model.signals.commands.modify.PolicyModifyCommand;
import org.eclipse.ditto.policies.model.signals.commands.query.PolicyQueryCommand;
import org.eclipse.ditto.policies.model.signals.commands.query.PolicyQueryCommandResponse;

/* loaded from: input_file:org/eclipse/ditto/concierge/service/enforcement/PolicyCommandEnforcement.class */
/**
 * Authorization gate for {@link PolicyCommand}s.
 *
 * <p>Each command is checked against a {@link PolicyEnforcer} looked up through the enforcer cache. Authorized
 * commands are forwarded to the policies shard region; query commands are answered through an ask whose response
 * is filtered down to a JSON view for the caller. Unauthorized commands fail with the exception selected by
 * {@link #errorForPolicyCommand(PolicyCommand)}.
 *
 * <p>Required permission per command type, as implemented in
 * {@link #authorizePolicyCommand(PolicyCommand, PolicyEnforcer)}:
 * <ul>
 *   <li>{@link CreatePolicy}: unrestricted WRITE, or the allow-policy-lockout header;</li>
 *   <li>{@link PolicyActionCommand}: unrestricted EXECUTE;</li>
 *   <li>any other {@link PolicyModifyCommand}: unrestricted WRITE;</li>
 *   <li>everything else (queries): partial READ.</li>
 * </ul>
 */
public final class PolicyCommandEnforcement extends AbstractEnforcementWithAsk<PolicyCommand<?>, PolicyQueryCommandResponse<?>> {

    // Handed to Enforcer.buildJsonView as its field-selector argument; it selects only the policy ID.
    // NOTE(review): presumably these fields stay in the view regardless of READ grants - confirm against Enforcer.
    private static final JsonFieldSelector POLICY_QUERY_COMMAND_RESPONSE_ALLOWLIST =
            JsonFactory.newFieldSelector(Policy.JsonFields.ID, new JsonFieldDefinition[0]);

    private final ActorRef policiesShardRegion;
    private final EnforcerRetriever<PolicyEnforcer> enforcerRetriever;
    private final Cache<EnforcementCacheKey, Entry<PolicyEnforcer>> enforcerCache;

    /**
     * Factory that binds the policies shard region and the enforcer cache to new
     * {@link PolicyCommandEnforcement} instances.
     */
    public static final class Provider implements EnforcementProvider<PolicyCommand<?>> {
        private final Cache<EnforcementCacheKey, Entry<PolicyEnforcer>> enforcerCache;
        private final ActorRef policiesShardRegion;

        /**
         * @param actorRef the policies shard region; must not be {@code null}.
         * @param cache the policy enforcer cache; must not be {@code null}.
         * @throws NullPointerException if either argument is {@code null}.
         */
        public Provider(ActorRef actorRef, Cache<EnforcementCacheKey, Entry<PolicyEnforcer>> cache) {
            this.policiesShardRegion = Objects.requireNonNull(actorRef);
            this.enforcerCache = Objects.requireNonNull(cache);
        }

        /**
         * @return the {@link PolicyCommand} class token.
         */
        @Override
        @SuppressWarnings("unchecked") // a class literal cannot carry the wildcard type argument
        public Class<PolicyCommand<?>> getCommandClass() {
            return (Class<PolicyCommand<?>>) (Class<?>) PolicyCommand.class;
        }

        /**
         * @return {@code true} exactly when the command is a {@link PolicyModifyCommand}.
         */
        @Override
        public boolean changesAuthorization(PolicyCommand<?> policyCommand) {
            return policyCommand instanceof PolicyModifyCommand;
        }

        /**
         * Creates an enforcement for the given context using this provider's shard region and cache.
         */
        @Override
        public AbstractEnforcement<PolicyCommand<?>> createEnforcement(Contextual<PolicyCommand<?>> contextual) {
            return new PolicyCommandEnforcement(contextual, this.policiesShardRegion, this.enforcerCache);
        }
    }

    private PolicyCommandEnforcement(Contextual<PolicyCommand<?>> contextual, ActorRef actorRef, Cache<EnforcementCacheKey, Entry<PolicyEnforcer>> cache) {
        super(contextual, PolicyQueryCommandResponse.class);
        this.policiesShardRegion = Objects.requireNonNull(actorRef);
        this.enforcerCache = Objects.requireNonNull(cache);
        this.enforcerRetriever = new EnforcerRetriever<>(IdentityCache.INSTANCE, cache);
    }

    /**
     * Decides whether the authorization context in the command's headers may execute the command.
     *
     * <p>The {@code instanceof} checks run in a fixed order (create, action, modify, everything else); the first
     * match determines the permission that is required.
     *
     * @param t the command to authorize.
     * @param policyEnforcer the enforcer to evaluate the command against.
     * @param <T> the command type.
     * @return the command to execute if authorized, otherwise an empty optional. For top-level action commands the
     * returned command is a new instance restricted to the authorized labels.
     */
    public static <T extends PolicyCommand<?>> Optional<T> authorizePolicyCommand(T t, PolicyEnforcer policyEnforcer) {
        Enforcer enforcer = policyEnforcer.getEnforcer();
        ResourceKey policyResource = PoliciesResourceType.policyResource(t.getResourcePath());
        AuthorizationContext authorizationContext = t.getDittoHeaders().getAuthorizationContext();

        if (t instanceof CreatePolicy) {
            // The allow-policy-lockout header short-circuits the WRITE check entirely.
            // NOTE(review): confirm that this header can only be set by trusted components, never by external callers.
            boolean mayCreate = t.getDittoHeaders().isAllowPolicyLockout()
                    || hasUnrestrictedWritePermission(enforcer, policyResource, authorizationContext);
            return presentIf(mayCreate, t);
        }
        if (t instanceof PolicyActionCommand) {
            return authorizeActionCommand(policyEnforcer, t, policyResource, authorizationContext);
        }
        if (t instanceof PolicyModifyCommand) {
            return presentIf(hasUnrestrictedWritePermission(enforcer, policyResource, authorizationContext), t);
        }
        // Remaining commands need only partial READ, so the response has to be reduced to the
        // caller's JSON view before it is handed back (see buildJsonViewForPolicyQueryCommandResponse).
        return presentIf(enforcer.hasPartialPermissions(policyResource, authorizationContext, "READ", new String[0]), t);
    }

    // Wraps the command in an Optional when the permission check passed, otherwise yields an empty Optional.
    private static <T extends PolicyCommand<?>> Optional<T> presentIf(boolean granted, T command) {
        if (granted) {
            return Optional.of(command);
        }
        return Optional.empty();
    }

    // Routes an action command to the top-level or the entry-level EXECUTE check.
    @SuppressWarnings("unchecked") // in the top-level branch T is known to be TopLevelPolicyActionCommand
    private static <T extends PolicyCommand<?>> Optional<T> authorizeActionCommand(PolicyEnforcer policyEnforcer, T command, ResourceKey resourceKey, AuthorizationContext authorizationContext) {
        if (command instanceof TopLevelPolicyActionCommand) {
            return (Optional<T>) authorizeTopLevelAction(policyEnforcer, (TopLevelPolicyActionCommand) command, authorizationContext);
        }
        return authorizeEntryLevelAction(policyEnforcer.getEnforcer(), command, resourceKey, authorizationContext);
    }

    // An entry-level action requires unrestricted EXECUTE on the addressed resource.
    private static <T extends PolicyCommand<?>> Optional<T> authorizeEntryLevelAction(Enforcer enforcer, T command, ResourceKey resourceKey, AuthorizationContext authorizationContext) {
        boolean mayExecute = enforcer.hasUnrestrictedPermissions(resourceKey, authorizationContext, "EXECUTE", new String[0]);
        return presentIf(mayExecute, command);
    }

    // Narrows a top-level action to the policy entries (labels) on which the caller holds unrestricted EXECUTE.
    // No policy in the enforcer, or no authorized label, means the action is rejected as a whole.
    private static Optional<TopLevelPolicyActionCommand> authorizeTopLevelAction(PolicyEnforcer policyEnforcer, TopLevelPolicyActionCommand action, AuthorizationContext authorizationContext) {
        Enforcer enforcer = policyEnforcer.getEnforcer();
        List<Label> authorizedLabels = policyEnforcer.getPolicy()
                .map(policy -> policy.getEntriesSet().stream()
                        .map(policyEntry -> policyEntry.getLabel())
                        .filter(label -> enforcer.hasUnrestrictedPermissions(
                                asResourceKey(label, action), authorizationContext, "EXECUTE", new String[0]))
                        .collect(Collectors.toList()))
                .orElse(List.of());
        if (authorizedLabels.isEmpty()) {
            return Optional.empty();
        }
        return Optional.of(TopLevelPolicyActionCommand.of(action.getPolicyActionCommand(), authorizedLabels));
    }

    // True when the authorization context holds unrestricted WRITE on the resource.
    private static boolean hasUnrestrictedWritePermission(Enforcer enforcer, ResourceKey resourceKey, AuthorizationContext authorizationContext) {
        return enforcer.hasUnrestrictedPermissions(resourceKey, authorizationContext, "WRITE", new String[0]);
    }

    /**
     * Replaces the entity of a policy query response with the JSON view the enforcer builds for the response's
     * authorization context.
     *
     * <p>Only JSON-object entities are filtered. Any other entity is set back on the response unchanged.
     * NOTE(review): since queries are admitted with partial READ only, confirm that no query response carries a
     * non-object entity that would need filtering.
     *
     * @param policyQueryCommandResponse the response to filter.
     * @param enforcer the enforcer that builds the JSON view.
     * @param <T> the response type.
     * @return the response carrying the filtered entity, or the original entity if it is not a JSON object.
     */
    @SuppressWarnings("unchecked")
    public static <T extends PolicyQueryCommandResponse<T>> T buildJsonViewForPolicyQueryCommandResponse(PolicyQueryCommandResponse<T> policyQueryCommandResponse, Enforcer enforcer) {
        JsonValue entity = policyQueryCommandResponse.getEntity();
        if (entity.isObject()) {
            JsonObject visibleFields =
                    getJsonViewForPolicyQueryCommandResponse(entity.asObject(), policyQueryCommandResponse, enforcer);
            return (T) policyQueryCommandResponse.setEntity(visibleFields);
        }
        return (T) policyQueryCommandResponse.setEntity(entity);
    }

    // Builds the READ view of the response entity for the resource path and authorization context of the response.
    private static JsonObject getJsonViewForPolicyQueryCommandResponse(JsonObject responseEntity, PolicyQueryCommandResponse<?> response, Enforcer enforcer) {
        ResourceKey resourceKey = ResourceKey.newInstance(PolicyCommand.RESOURCE_TYPE, response.getResourcePath());
        AuthorizationContext authorizationContext = response.getDittoHeaders().getAuthorizationContext();
        return enforcer.buildJsonView(resourceKey, responseEntity, authorizationContext,
                POLICY_QUERY_COMMAND_RESPONSE_ALLOWLIST, Permissions.newInstance("READ", new String[0]));
    }

    // A ModifyPolicy becomes a CreatePolicy with the same policy and headers; other commands pass through as-is.
    private static PolicyCommand<?> transformModifyPolicyToCreatePolicy(PolicyCommand<?> policyCommand) {
        if (policyCommand instanceof ModifyPolicy) {
            ModifyPolicy modifyPolicy = (ModifyPolicy) policyCommand;
            return CreatePolicy.of(modifyPolicy.getPolicy(), modifyPolicy.getDittoHeaders());
        }
        return policyCommand;
    }

    // Picks the exception registry by command kind: actions first, then modifications, access errors otherwise.
    private static DittoRuntimeException errorForPolicyCommand(PolicyCommand<?> policyCommand) {
        if (policyCommand instanceof PolicyActionCommand) {
            return PolicyCommandToActionsExceptionRegistry.getInstance().exceptionFrom(policyCommand);
        }
        if (policyCommand instanceof PolicyModifyCommand) {
            return PolicyCommandToModifyExceptionRegistry.getInstance().exceptionFrom(policyCommand);
        }
        return PolicyCommandToAccessExceptionRegistry.getInstance().exceptionFrom(policyCommand);
    }

    /**
     * Retrieves the enforcer entry for this signal's entity ID and enforces the command against it.
     *
     * @return a stage holding the enforcement result; a {@link RuntimeException} thrown during enforcement is
     * returned as a failed stage instead of being thrown from the callback.
     */
    @Override
    public CompletionStage<Contextual<WithDittoHeaders>> enforce() {
        return this.enforcerRetriever.retrieve(entityId(), (unusedEntry, enforcerEntry) -> {
            try {
                return CompletableFuture.completedFuture(doEnforce(enforcerEntry));
            } catch (RuntimeException e) {
                return CompletableFuture.failedStage(e);
            }
        });
    }

    // Existing enforcer: authorize against it. Missing enforcer: only policy creation is possible.
    private Contextual<WithDittoHeaders> doEnforce(Entry<PolicyEnforcer> enforcerEntry) {
        if (enforcerEntry.exists()) {
            return enforcePolicyCommandByEnforcer(enforcerEntry.getValueOrThrow());
        }
        return forwardToPoliciesShardRegion(enforcePolicyCommandByNonexistentEnforcer());
    }

    // Authorizes the signal against an existing enforcer and throws the matching error when it is denied.
    private Contextual<WithDittoHeaders> enforcePolicyCommandByEnforcer(PolicyEnforcer policyEnforcer) {
        Optional<? extends PolicyCommand<?>> authorization =
                authorizePolicyCommand((PolicyCommand<?>) signal(), policyEnforcer);
        PolicyCommand<?> authorizedCommand =
                authorization.orElseThrow(() -> errorForPolicyCommand((PolicyCommand<?>) signal()));

        if (authorizedCommand instanceof PolicyQueryCommand) {
            PolicyQueryCommand<?> query = (PolicyQueryCommand<?>) authorizedCommand;
            if (query.getDittoHeaders().isResponseRequired()) {
                // The shard region is asked and the response is filtered with this enforcer before it is returned.
                return withMessageToReceiverViaAskFuture(query, sender(), () ->
                        askAndBuildJsonView(this.policiesShardRegion, query, policyEnforcer.getEnforcer(),
                                this.context.getScheduler(), this.context.getExecutor()));
            }
            // Nobody wants the answer: a null message without a receiver is produced instead of an ask.
            return withMessageToReceiver(null, ActorRef.noSender());
        }
        return forwardToPoliciesShardRegion(authorizedCommand);
    }

    // Without an existing enforcer only CreatePolicy (or a ModifyPolicy rewritten into one) is admissible. It is
    // authorized against an enforcer built from the policy carried by the command itself.
    private CreatePolicy enforcePolicyCommandByNonexistentEnforcer() {
        PolicyCommand<?> candidate = transformModifyPolicyToCreatePolicy((PolicyCommand<?>) signal());
        if (candidate instanceof CreatePolicy) {
            CreatePolicy createPolicy = (CreatePolicy) candidate;
            PolicyEnforcer enforcerOfNewPolicy =
                    PolicyEnforcer.of(PolicyEnforcers.defaultEvaluator(createPolicy.getPolicy()));
            if (authorizePolicyCommand(createPolicy, enforcerOfNewPolicy).isPresent()) {
                return createPolicy;
            }
            throw errorForPolicyCommand((PolicyCommand<?>) signal());
        }
        throw PolicyNotAccessibleException.newBuilder(candidate.getEntityId())
                .dittoHeaders(candidate.getDittoHeaders())
                .build();
    }

    // Forwards the command to the policies shard region. For modify commands the cached enforcer is invalidated
    // first and the command is marked with the POLICY_ENFORCER_INVALIDATED_PREEMPTIVELY header.
    private Contextual<WithDittoHeaders> forwardToPoliciesShardRegion(PolicyCommand<?> policyCommand) {
        if (!(policyCommand instanceof PolicyModifyCommand)) {
            return withMessageToReceiver(policyCommand, this.policiesShardRegion);
        }
        invalidateCaches(policyCommand.getEntityId());
        PolicyCommand<?> markedCommand = policyCommand.setDittoHeaders(policyCommand.getDittoHeaders()
                .toBuilder()
                .putHeader(DittoHeaderDefinition.POLICY_ENFORCER_INVALIDATED_PREEMPTIVELY.getKey(), Boolean.TRUE.toString())
                .build());
        return withMessageToReceiver(markedCommand, this.policiesShardRegion);
    }

    // Drops the local cache entry for the policy and publishes an InvalidateCacheEntry to the enforcer actor path.
    // NOTE(review): the meaning of the trailing `true` passed to sendToAll is not visible here - confirm.
    private void invalidateCaches(PolicyId policyId) {
        EnforcementCacheKey cacheKey = EnforcementCacheKey.of(policyId);
        this.enforcerCache.invalidate(cacheKey);
        pubSubMediator().tell(DistPubSubAccess.sendToAll("/user/conciergeRoot/enforcer", InvalidateCacheEntry.of(cacheKey), true), self());
    }

    /**
     * Logs the ask timeout at error level and maps it to a {@link PolicyUnavailableException} that carries the
     * command's entity ID and headers.
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override
    public DittoRuntimeException handleAskTimeoutForCommand(PolicyCommand<?> policyCommand, Throwable th) {
        log(policyCommand).error(th, "Timeout before building JsonView");
        return PolicyUnavailableException.newBuilder(policyCommand.getEntityId())
                .dittoHeaders(policyCommand.getDittoHeaders())
                .build();
    }

    /**
     * Filters a query response down to the enforcer's JSON view; any {@link RuntimeException} raised while
     * filtering is passed to {@code reportError} and the result is thrown.
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override
    public PolicyQueryCommandResponse<?> filterJsonView(PolicyQueryCommandResponse<?> policyQueryCommandResponse, Enforcer enforcer) {
        try {
            return buildJsonViewForPolicyQueryCommandResponse(policyQueryCommandResponse, enforcer);
        } catch (RuntimeException e) {
            throw reportError("Error after building JsonView", e);
        }
    }

    // Resource key for a policy entry: the entries pointer, the label as leaf, then the command's resource path.
    private static ResourceKey asResourceKey(Label label, PolicyCommand<?> policyCommand) {
        return ResourceKey.newInstance("policy",
                Policy.JsonFields.ENTRIES.getPointer()
                        .addLeaf(JsonKey.of(label))
                        .append(policyCommand.getResourcePath()));
    }
}
