package org.eclipse.ditto.policies.enforcement.pre;

import akka.actor.ActorSystem;
import com.typesafe.config.Config;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.eclipse.ditto.base.model.exceptions.DittoRuntimeException;
import org.eclipse.ditto.base.model.headers.DittoHeaders;
import org.eclipse.ditto.base.model.signals.Signal;
import org.eclipse.ditto.internal.utils.akka.logging.DittoLoggerFactory;
import org.eclipse.ditto.internal.utils.akka.logging.ThreadSafeDittoLogger;
import org.eclipse.ditto.policies.enforcement.PolicyEnforcer;
import org.eclipse.ditto.policies.enforcement.PolicyEnforcerProvider;
import org.eclipse.ditto.policies.enforcement.PolicyEnforcerProviderExtension;
import org.eclipse.ditto.policies.model.EffectedImports;
import org.eclipse.ditto.policies.model.ImportableType;
import org.eclipse.ditto.policies.model.PoliciesModelFactory;
import org.eclipse.ditto.policies.model.Policy;
import org.eclipse.ditto.policies.model.PolicyId;
import org.eclipse.ditto.policies.model.PolicyImport;
import org.eclipse.ditto.policies.model.ResourceKey;
import org.eclipse.ditto.policies.model.signals.commands.exceptions.PolicyNotAccessibleException;
import org.eclipse.ditto.policies.model.signals.commands.modify.CreatePolicy;
import org.eclipse.ditto.policies.model.signals.commands.modify.ModifyPolicy;
import org.eclipse.ditto.policies.model.signals.commands.modify.ModifyPolicyImport;
import org.eclipse.ditto.policies.model.signals.commands.modify.ModifyPolicyImports;
import org.eclipse.ditto.policies.model.signals.commands.modify.PolicyModifyCommand;

/* loaded from: input_file:org/eclipse/ditto/policies/enforcement/pre/PolicyImportsPreEnforcer.class */
public class PolicyImportsPreEnforcer implements PreEnforcer {
    private static final ThreadSafeDittoLogger LOG = DittoLoggerFactory.getThreadSafeLogger(PolicyImportsPreEnforcer.class);
    private static final String POLICY_RESOURCE = "policy";
    private static final String ENTRIES_PREFIX = "/entries/";
    private final PolicyEnforcerProvider policyEnforcerProvider;

    public PolicyImportsPreEnforcer(ActorSystem actorSystem, Config config) {
        this.policyEnforcerProvider = PolicyEnforcerProviderExtension.get(actorSystem).getPolicyEnforcerProvider();
    }

    PolicyImportsPreEnforcer(PolicyEnforcerProvider policyEnforcerProvider) {
        this.policyEnforcerProvider = policyEnforcerProvider;
    }

    @Override // java.util.function.Function
    public CompletionStage<Signal<?>> apply(Signal<?> signal) {
        if (signal instanceof ModifyPolicy) {
            ModifyPolicy modifyPolicy = (ModifyPolicy) signal;
            return doApply(modifyPolicy.getPolicy().getPolicyImports().stream(), modifyPolicy);
        }
        if (signal instanceof CreatePolicy) {
            CreatePolicy createPolicy = (CreatePolicy) signal;
            return doApply(createPolicy.getPolicy().getPolicyImports().stream(), createPolicy);
        }
        if (signal instanceof ModifyPolicyImports) {
            ModifyPolicyImports modifyPolicyImports = (ModifyPolicyImports) signal;
            return doApply(modifyPolicyImports.getPolicyImports().stream(), modifyPolicyImports);
        }
        if (!(signal instanceof ModifyPolicyImport)) {
            return CompletableFuture.completedStage(signal);
        }
        ModifyPolicyImport modifyPolicyImport = (ModifyPolicyImport) signal;
        return doApply(Stream.of(modifyPolicyImport.getPolicyImport()), modifyPolicyImport);
    }

    private CompletionStage<Signal<?>> doApply(Stream<PolicyImport> stream, PolicyModifyCommand<?> policyModifyCommand) {
        if (LOG.isDebugEnabled()) {
            LOG.withCorrelationId(policyModifyCommand).debug("Applying policy import pre-enforcement on policy <{}>.", policyModifyCommand.getEntityId());
        }
        DittoHeaders dittoHeaders = policyModifyCommand.getDittoHeaders();
        return ((CompletionStage) stream.map(policyImport -> {
            return getPolicyEnforcer(policyImport.getImportedPolicyId(), dittoHeaders).thenApply(policyEnforcer -> {
                return Boolean.valueOf(authorize(policyModifyCommand, policyEnforcer, policyImport));
            });
        }).reduce(CompletableFuture.completedStage(true), (completionStage, completionStage2) -> {
            return completionStage.thenCombine(completionStage2, (bool, bool2) -> {
                return Boolean.valueOf(bool.booleanValue() && bool2.booleanValue());
            });
        })).thenApply(bool -> {
            return policyModifyCommand;
        });
    }

    private CompletionStage<PolicyEnforcer> getPolicyEnforcer(PolicyId policyId, DittoHeaders dittoHeaders) {
        return this.policyEnforcerProvider.getPolicyEnforcer(policyId).thenApply(optional -> {
            return (PolicyEnforcer) optional.orElseThrow(policyNotAccessible(policyId, dittoHeaders));
        });
    }

    private static Supplier<PolicyNotAccessibleException> policyNotAccessible(PolicyId policyId, DittoHeaders dittoHeaders) {
        return () -> {
            return PolicyNotAccessibleException.newBuilder(policyId).dittoHeaders(dittoHeaders).build();
        };
    }

    private static Set<ResourceKey> getImportedResourceKeys(Policy policy, PolicyImport policyImport) {
        return (Set) Stream.concat(policy.stream().filter(policyEntry -> {
            return ImportableType.IMPLICIT.equals(policyEntry.getImportableType());
        }).map((v0) -> {
            return v0.getLabel();
        }), ((EffectedImports) policyImport.getEffectedImports().orElse(PoliciesModelFactory.emptyEffectedImportedEntries())).getImportedLabels().stream()).map(label -> {
            return "/entries/" + label;
        }).map(str -> {
            return ResourceKey.newInstance(POLICY_RESOURCE, str);
        }).collect(Collectors.toSet());
    }

    private boolean authorize(PolicyModifyCommand<?> policyModifyCommand, PolicyEnforcer policyEnforcer, PolicyImport policyImport) {
        boolean hasUnrestrictedPermissions = policyEnforcer.getEnforcer().hasUnrestrictedPermissions(getImportedResourceKeys(policyEnforcer.getPolicy().orElseThrow(policyNotAccessible(policyModifyCommand.getEntityId(), policyModifyCommand.getDittoHeaders())), policyImport), policyModifyCommand.getDittoHeaders().getAuthorizationContext(), "READ", new String[0]);
        if (LOG.isDebugEnabled()) {
            ThreadSafeDittoLogger withCorrelationId = LOG.withCorrelationId(policyModifyCommand);
            Object[] objArr = new Object[3];
            objArr[0] = policyModifyCommand;
            objArr[1] = policyImport;
            objArr[2] = hasUnrestrictedPermissions ? "authorized" : "not authorized";
            withCorrelationId.debug("Enforcement result for command <{}> and policy import {}: {}.", objArr);
        }
        if (hasUnrestrictedPermissions) {
            return true;
        }
        throw errorForPolicyModifyCommand(policyImport);
    }

    private static DittoRuntimeException errorForPolicyModifyCommand(PolicyImport policyImport) {
        return PolicyNotAccessibleException.newBuilder(policyImport.getImportedPolicyId()).description("Check if the ID of the imported Policy was correct and you have sufficient permissions on all imported policy entries.").build();
    }
}
