package org.eclipse.ditto.services.concierge.enforcement;

import akka.actor.ActorRef;
import akka.event.DiagnosticLoggingAdapter;
import akka.pattern.AskTimeoutException;
import akka.pattern.PatternsCS;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import java.util.function.BiFunction;
import java.util.function.Function;
import javax.annotation.Nullable;
import org.eclipse.ditto.json.JsonFactory;
import org.eclipse.ditto.json.JsonFieldDefinition;
import org.eclipse.ditto.json.JsonFieldSelector;
import org.eclipse.ditto.json.JsonFieldSelectorBuilder;
import org.eclipse.ditto.json.JsonObject;
import org.eclipse.ditto.json.JsonObjectBuilder;
import org.eclipse.ditto.json.JsonRuntimeException;
import org.eclipse.ditto.json.JsonValue;
import org.eclipse.ditto.model.base.auth.AuthorizationContext;
import org.eclipse.ditto.model.base.exceptions.DittoJsonException;
import org.eclipse.ditto.model.base.exceptions.DittoRuntimeException;
import org.eclipse.ditto.model.base.headers.DittoHeaders;
import org.eclipse.ditto.model.base.headers.WithDittoHeaders;
import org.eclipse.ditto.model.base.json.FieldType;
import org.eclipse.ditto.model.base.json.JsonSchemaVersion;
import org.eclipse.ditto.model.enforcers.AclEnforcer;
import org.eclipse.ditto.model.enforcers.Enforcer;
import org.eclipse.ditto.model.enforcers.PolicyEnforcers;
import org.eclipse.ditto.model.namespaces.NamespaceBlockedException;
import org.eclipse.ditto.model.policies.Permissions;
import org.eclipse.ditto.model.policies.PoliciesModelFactory;
import org.eclipse.ditto.model.policies.PoliciesResourceType;
import org.eclipse.ditto.model.policies.Policy;
import org.eclipse.ditto.model.policies.PolicyException;
import org.eclipse.ditto.model.policies.ResourceKey;
import org.eclipse.ditto.model.policies.Subject;
import org.eclipse.ditto.model.policies.SubjectId;
import org.eclipse.ditto.model.policies.SubjectIssuer;
import org.eclipse.ditto.model.things.AccessControlList;
import org.eclipse.ditto.model.things.AclInvalidException;
import org.eclipse.ditto.model.things.AclNotAllowedException;
import org.eclipse.ditto.model.things.AclValidator;
import org.eclipse.ditto.model.things.Thing;
import org.eclipse.ditto.services.concierge.cache.IdentityCache;
import org.eclipse.ditto.services.concierge.enforcement.AbstractEnforcement;
import org.eclipse.ditto.services.concierge.enforcement.placeholders.references.PolicyIdReferencePlaceholderResolver;
import org.eclipse.ditto.services.concierge.enforcement.placeholders.references.ReferencePlaceholder;
import org.eclipse.ditto.services.models.concierge.EntityId;
import org.eclipse.ditto.services.models.policies.Permission;
import org.eclipse.ditto.services.models.policies.PoliciesAclMigrations;
import org.eclipse.ditto.services.models.policies.PoliciesValidator;
import org.eclipse.ditto.services.utils.akka.LogUtil;
import org.eclipse.ditto.services.utils.cache.Cache;
import org.eclipse.ditto.services.utils.cache.entry.Entry;
import org.eclipse.ditto.signals.commands.base.exceptions.GatewayInternalErrorException;
import org.eclipse.ditto.signals.commands.base.exceptions.GatewayServiceTimeoutException;
import org.eclipse.ditto.signals.commands.policies.PolicyErrorResponse;
import org.eclipse.ditto.signals.commands.policies.exceptions.PolicyConflictException;
import org.eclipse.ditto.signals.commands.policies.exceptions.PolicyNotAccessibleException;
import org.eclipse.ditto.signals.commands.policies.exceptions.PolicyUnavailableException;
import org.eclipse.ditto.signals.commands.policies.modify.CreatePolicy;
import org.eclipse.ditto.signals.commands.policies.modify.CreatePolicyResponse;
import org.eclipse.ditto.signals.commands.policies.query.PolicyQueryCommandResponse;
import org.eclipse.ditto.signals.commands.policies.query.RetrievePolicy;
import org.eclipse.ditto.signals.commands.policies.query.RetrievePolicyResponse;
import org.eclipse.ditto.signals.commands.things.ThingCommand;
import org.eclipse.ditto.signals.commands.things.ThingCommandResponse;
import org.eclipse.ditto.signals.commands.things.ThingErrorResponse;
import org.eclipse.ditto.signals.commands.things.exceptions.PolicyIdNotAllowedException;
import org.eclipse.ditto.signals.commands.things.exceptions.PolicyInvalidException;
import org.eclipse.ditto.signals.commands.things.exceptions.ThingCommandToAccessExceptionRegistry;
import org.eclipse.ditto.signals.commands.things.exceptions.ThingCommandToModifyExceptionRegistry;
import org.eclipse.ditto.signals.commands.things.exceptions.ThingNotAccessibleException;
import org.eclipse.ditto.signals.commands.things.exceptions.ThingNotCreatableException;
import org.eclipse.ditto.signals.commands.things.exceptions.ThingNotModifiableException;
import org.eclipse.ditto.signals.commands.things.exceptions.ThingUnavailableException;
import org.eclipse.ditto.signals.commands.things.modify.CreateThing;
import org.eclipse.ditto.signals.commands.things.modify.ModifyThing;
import org.eclipse.ditto.signals.commands.things.modify.ThingModifyCommand;
import org.eclipse.ditto.signals.commands.things.query.RetrieveThing;
import org.eclipse.ditto.signals.commands.things.query.RetrieveThingResponse;
import org.eclipse.ditto.signals.commands.things.query.ThingQueryCommand;
import org.eclipse.ditto.signals.commands.things.query.ThingQueryCommandResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/eclipse/ditto/services/concierge/enforcement/ThingCommandEnforcement.class */
public final class ThingCommandEnforcement extends AbstractEnforcement<ThingCommand> {
    // Label constant; its use is not visible in this part of the class.
    private static final String DEFAULT_POLICY_ENTRY_LABEL = "DEFAULT";
    // Issuers handed to PoliciesAclMigrations when a thing's ACL is converted into policy entries.
    private final List<SubjectIssuer> subjectIssuersForPolicyMigration;
    // Receives thing commands once they have been authorized (tell) and internal lookups (ask).
    private final ActorRef thingsShardRegion;
    // Asked for the policy that is inlined into a RetrieveThing response.
    private final ActorRef policiesShardRegion;
    // Built from the thing-id, policy-enforcer and ACL-enforcer caches; resolves the enforcer for the current entity.
    private final EnforcerRetriever thingEnforcerRetriever;
    // Built from IdentityCache.INSTANCE and the policy-enforcer cache; resolves an enforcer for a policy entity id.
    private final EnforcerRetriever policyEnforcerRetriever;
    // Invalidated by invalidateThingCaches(...) after a command that changes authorization was forwarded.
    private final Cache<EntityId, Entry<EntityId>> thingIdCache;
    // Invalidated by invalidatePolicyCache(...).
    private final Cache<EntityId, Entry<Enforcer>> policyEnforcerCache;
    // Applied to a RetrievePolicy before it is sent to the policies shard region.
    // NOTE(review): stored without a null check in the constructor; Provider substitutes a pass-through for null.
    private final Function<WithDittoHeaders, CompletionStage<WithDittoHeaders>> blockCachedNamespaces;
    // Invalidated together with thingIdCache by invalidateThingCaches(...).
    private final Cache<EntityId, Entry<Enforcer>> aclEnforcerCache;
    // Resolves a reference placeholder found in a CreateThing's policy id to a concrete policy id.
    private final PolicyIdReferencePlaceholderResolver policyIdReferencePlaceholderResolver;
    private static final Logger LOGGER = LoggerFactory.getLogger(ThingCommandEnforcement.class);
    // Field selector holding only Thing.JsonFields.ID; passed to Enforcer.buildJsonView for every thing query response.
    // NOTE(review): presumably these fields stay visible regardless of READ grants - confirm against Enforcer.buildJsonView.
    private static final JsonFieldSelector THING_QUERY_COMMAND_RESPONSE_WHITELIST = JsonFactory.newFieldSelector(Thing.JsonFields.ID, new JsonFieldDefinition[0]);

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/eclipse/ditto/services/concierge/enforcement/ThingCommandEnforcement$CreateThingWithEnforcer.class */
    /**
     * Immutable pair of a {@code CreateThing} command and the enforcer that authorized it.
     * Instances can only be created inside {@code ThingCommandEnforcement} (private constructor).
     */
    public static final class CreateThingWithEnforcer {
        /** The command that will be executed on behalf of the sender. */
        private final CreateThing createThing;
        /** The enforcer derived for the thing that is about to be created. */
        private final Enforcer enforcer;

        private CreateThingWithEnforcer(CreateThing createThing, Enforcer enforcer) {
            this.enforcer = enforcer;
            this.createThing = createThing;
        }
    }

    /* loaded from: input_file:org/eclipse/ditto/services/concierge/enforcement/ThingCommandEnforcement$Provider.class */
    /**
     * Factory that hands out {@code ThingCommandEnforcement} instances for non-live thing commands.
     */
    public static final class Provider implements EnforcementProvider<ThingCommand> {
        // NOTE(review): the 6-argument constructor falls back to this list, so ACL-to-policy migration
        // uses SubjectIssuer.GOOGLE unless the caller supplies issuers explicitly - confirm this matches
        // the identity provider of the deployment.
        private static final List<SubjectIssuer> DEFAULT_SUBJECT_ISSUERS_FOR_POLICY_MIGRATION = Collections.singletonList(SubjectIssuer.GOOGLE);
        private final ActorRef thingsShardRegion;
        private final ActorRef policiesShardRegion;
        private final Cache<EntityId, Entry<EntityId>> thingIdCache;
        private final Cache<EntityId, Entry<Enforcer>> policyEnforcerCache;
        private final Cache<EntityId, Entry<Enforcer>> aclEnforcerCache;
        private final Function<WithDittoHeaders, CompletionStage<WithDittoHeaders>> blockCachedNamespaces;
        private final List<SubjectIssuer> subjectIssuersForPolicyMigration;

        /**
         * Creates a provider that migrates ACLs with the default subject issuers.
         *
         * @param actorRef the things shard region.
         * @param actorRef2 the policies shard region.
         * @param cache the thing-id cache.
         * @param cache2 the policy-enforcer cache.
         * @param cache3 the ACL-enforcer cache.
         * @param function namespace blocking step, or {@code null} for none.
         */
        public Provider(ActorRef actorRef, ActorRef actorRef2, Cache<EntityId, Entry<EntityId>> cache, Cache<EntityId, Entry<Enforcer>> cache2, Cache<EntityId, Entry<Enforcer>> cache3, @Nullable Function<WithDittoHeaders, CompletionStage<WithDittoHeaders>> function) {
            this(actorRef, actorRef2, cache, cache2, cache3, function, DEFAULT_SUBJECT_ISSUERS_FOR_POLICY_MIGRATION);
        }

        /**
         * Creates a provider with explicit subject issuers for ACL migration.
         *
         * @param actorRef the things shard region.
         * @param actorRef2 the policies shard region.
         * @param cache the thing-id cache.
         * @param cache2 the policy-enforcer cache.
         * @param cache3 the ACL-enforcer cache.
         * @param function namespace blocking step, or {@code null} for none.
         * @param list the subject issuers used when an ACL is migrated to a policy.
         * @throws NullPointerException if any argument other than {@code function} is {@code null}.
         */
        public Provider(ActorRef actorRef, ActorRef actorRef2, Cache<EntityId, Entry<EntityId>> cache, Cache<EntityId, Entry<Enforcer>> cache2, Cache<EntityId, Entry<Enforcer>> cache3, @Nullable Function<WithDittoHeaders, CompletionStage<WithDittoHeaders>> function, List<SubjectIssuer> list) {
            this.thingsShardRegion = Objects.requireNonNull(actorRef);
            this.policiesShardRegion = Objects.requireNonNull(actorRef2);
            this.thingIdCache = Objects.requireNonNull(cache);
            this.policyEnforcerCache = Objects.requireNonNull(cache2);
            this.aclEnforcerCache = Objects.requireNonNull(cache3);
            if (function != null) {
                this.blockCachedNamespaces = function;
            } else {
                // Without a blocking step every signal passes through unchanged.
                this.blockCachedNamespaces = CompletableFuture::completedFuture;
            }
            this.subjectIssuersForPolicyMigration = Objects.requireNonNull(list);
        }

        @Override // org.eclipse.ditto.services.concierge.enforcement.EnforcementProvider
        public Class<ThingCommand> getCommandClass() {
            return ThingCommand.class;
        }

        /**
         * Live signals are excluded here; only commands that are not live signals are handled.
         */
        @Override // org.eclipse.ditto.services.concierge.enforcement.EnforcementProvider
        public boolean isApplicable(ThingCommand thingCommand) {
            boolean live = LiveSignalEnforcement.isLiveSignal(thingCommand);
            return !live;
        }

        @Override // org.eclipse.ditto.services.concierge.enforcement.EnforcementProvider
        public AbstractEnforcement<ThingCommand> createEnforcement(AbstractEnforcement.Context context) {
            return new ThingCommandEnforcement(
                    context,
                    this.thingsShardRegion,
                    this.policiesShardRegion,
                    this.thingIdCache,
                    this.policyEnforcerCache,
                    this.aclEnforcerCache,
                    this.blockCachedNamespaces,
                    this.subjectIssuersForPolicyMigration);
        }
    }

    /**
     * Wires the enforcement instance; only {@code Provider.createEnforcement} calls this in the visible code.
     *
     * @throws NullPointerException if a shard region, a cache or the issuer list is {@code null}.
     */
    private ThingCommandEnforcement(AbstractEnforcement.Context context, ActorRef actorRef, ActorRef actorRef2, Cache<EntityId, Entry<EntityId>> cache, Cache<EntityId, Entry<Enforcer>> cache2, Cache<EntityId, Entry<Enforcer>> cache3, Function<WithDittoHeaders, CompletionStage<WithDittoHeaders>> function, List<SubjectIssuer> list) {
        super(context);
        this.thingsShardRegion = Objects.requireNonNull(actorRef);
        this.policiesShardRegion = Objects.requireNonNull(actorRef2);
        this.subjectIssuersForPolicyMigration = Objects.requireNonNull(list);
        this.thingIdCache = Objects.requireNonNull(cache);
        this.policyEnforcerCache = Objects.requireNonNull(cache2);
        this.aclEnforcerCache = Objects.requireNonNull(cache3);
        // Not null-checked here: Provider already replaces a null function with a pass-through.
        this.blockCachedNamespaces = function;
        this.thingEnforcerRetriever = PolicyOrAclEnforcerRetrieverFactory.create(cache, cache2, cache3);
        // Policy ids map to themselves, so the id lookup is served by the identity cache.
        Cache<EntityId, Entry<EntityId>> identityCache = (Cache<EntityId, Entry<EntityId>>) IdentityCache.INSTANCE;
        this.policyEnforcerRetriever = new EnforcerRetriever(identityCache, cache2);
        this.policyIdReferencePlaceholderResolver = PolicyIdReferencePlaceholderResolver.of(conciergeForwarder(), getAskTimeout());
    }

    /**
     * Looks up the enforcer for the current entity and dispatches the command to the matching
     * authorization path: no enforcer, ACL enforcer, or policy enforcer.
     *
     * @param thingCommand the command to authorize.
     * @param actorRef the sender that receives the reply or error.
     * @param diagnosticLoggingAdapter not used by this method.
     * @return the stage returned by the enforcer retriever.
     */
    @Override // org.eclipse.ditto.services.concierge.enforcement.AbstractEnforcement
    public CompletionStage<Void> enforce(ThingCommand thingCommand, ActorRef actorRef, DiagnosticLoggingAdapter diagnosticLoggingAdapter) {
        LogUtil.enhanceLogWithCorrelationIdOrRandom(thingCommand);
        return this.thingEnforcerRetriever.retrieve(entityId(), (enforcerKeyEntry, enforcerEntry) -> {
            if (!enforcerEntry.exists()) {
                enforceThingCommandByNonexistentEnforcer(enforcerKeyEntry, thingCommand, actorRef);
                return;
            }
            if (isAclEnforcer(enforcerKeyEntry)) {
                Enforcer aclEnforcer = (Enforcer) enforcerEntry.getValueOrThrow();
                enforceThingCommandByAclEnforcer(thingCommand, aclEnforcer, actorRef);
                return;
            }
            // The enforcer key of a policy-secured thing carries the policy id.
            String policyId = ((EntityId) enforcerKeyEntry.getValueOrThrow()).getId();
            Enforcer policyEnforcer = (Enforcer) enforcerEntry.getValueOrThrow();
            enforceThingCommandByPolicyEnforcer(thingCommand, policyId, policyEnforcer, actorRef);
        });
    }

    /**
     * Handles a command for which no enforcer exists.
     * If an enforcer key exists, the thing refers to a policy that cannot be resolved and the sender
     * gets an error. If no key exists either, the command is treated as a possible thing creation.
     *
     * @param entry the enforcer-key cache entry of the thing.
     * @param thingCommand the command to authorize.
     * @param actorRef the sender that receives the reply or error.
     */
    private void enforceThingCommandByNonexistentEnforcer(Entry<EntityId> entry, ThingCommand thingCommand, ActorRef actorRef) {
        if (entry.exists()) {
            String thingId = thingCommand.getThingId();
            String missingPolicyId = ((EntityId) entry.getValueOrThrow()).getId();
            DittoRuntimeException error = errorForExistingThingWithDeletedPolicy(thingCommand, thingId, missingPolicyId);
            log(thingCommand).info("Enforcer was not existing for Thing <{}>, responding with: {}", thingId, error);
            replyToSender(error, actorRef);
            return;
        }
        Optional<CreateThingWithEnforcer> selfAuthorized = enforceCreateThingBySelf(thingCommand, actorRef);
        if (selfAuthorized.isPresent()) {
            CreateThingWithEnforcer pair = selfAuthorized.get();
            handleInitialCreateThing(pair.createThing, pair.enforcer, actorRef);
        }
    }

    /**
     * Authorizes a command against an ACL enforcer and forwards it when permitted.
     * A permitted {@code RetrieveThing} that asks for the policy is answered with a policy migrated
     * from the ACL; every other permitted command goes to the things shard region.
     *
     * @param thingCommand the command to authorize.
     * @param enforcer the ACL enforcer of the thing.
     * @param actorRef the sender that receives the reply or error.
     */
    private void enforceThingCommandByAclEnforcer(ThingCommand<?> thingCommand, Enforcer enforcer, ActorRef actorRef) {
        Optional authorization = authorizeByAcl(enforcer, thingCommand);
        if (authorization.isPresent()) {
            ThingCommand authorizedCommand = (ThingCommand) authorization.get();
            boolean wantsPolicy = (authorizedCommand instanceof RetrieveThing) && shouldRetrievePolicyWithThing(authorizedCommand);
            if (wantsPolicy) {
                retrieveThingAclAndMigrateToPolicy((RetrieveThing) authorizedCommand, enforcer, actorRef);
            } else {
                forwardToThingsShardRegion(authorizedCommand, actorRef);
            }
        } else {
            // Denied: the reply is built from the original command, not from an authorized copy.
            respondWithError(thingCommand, actorRef, self());
        }
    }

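    /**
     * Retrieves a thing together with its ACL and answers with the thing plus a policy migrated
     * from that ACL.
     * The internal request is sent with schema version 1 and always selects the ACL field in
     * addition to the fields the sender selected; the reply is filtered by
     * {@code reportAggregatedThingAndPolicy} before it reaches the sender.
     *
     * @param retrieveThing the already authorized command.
     * @param enforcer the ACL enforcer used to build the JSON view of the response.
     * @param actorRef the sender that receives the reply or error.
     */
    private void retrieveThingAclAndMigrateToPolicy(RetrieveThing retrieveThing, Enforcer enforcer, ActorRef actorRef) {
        JsonFieldSelectorBuilder selectorBuilder = JsonFactory.newFieldSelectorBuilder().addFieldDefinition(Thing.JsonFields.ACL, new JsonFieldDefinition[0]);
        // The decompiled source referenced an undeclared register variable here; the builder is the
        // only object in scope that offers addPointers, so bind the call to it explicitly.
        retrieveThing.getSelectedFields().ifPresent(selectorBuilder::addPointers);
        DittoHeaders v1Headers = retrieveThing.getDittoHeaders().toBuilder().schemaVersion(JsonSchemaVersion.V_1).build();
        RetrieveThing retrieveThingV1 = RetrieveThing.getBuilder(retrieveThing.getThingId(), v1Headers).withSelectedFields(selectorBuilder.build()).build();
        PatternsCS.ask(this.thingsShardRegion, retrieveThingV1, getAskTimeout().toMillis()).handleAsync((response, error) -> {
            if (response instanceof RetrieveThingResponse) {
                // Restore the sender's headers so the reply does not expose the internal V_1 request headers.
                RetrieveThingResponse thingResponse = ((RetrieveThingResponse) response).setDittoHeaders(retrieveThing.getDittoHeaders());
                Optional<AccessControlList> acl = ((RetrieveThingResponse) response).getThing().getAccessControlList();
                if (acl.isPresent()) {
                    Policy migratedPolicy = PoliciesAclMigrations.accessControlListToPolicyEntries(acl.get(), retrieveThing.getThingId(), this.subjectIssuersForPolicyMigration);
                    reportAggregatedThingAndPolicy(retrieveThing, thingResponse, migratedPolicy, enforcer, actorRef);
                } else {
                    // NOTE(review): without an ACL the response is relayed as received, without a JSON view.
                    replyToSender(thingResponse, actorRef);
                }
            } else if (response instanceof WithDittoHeaders) {
                replyToSender(((WithDittoHeaders) response).setDittoHeaders(retrieveThing.getDittoHeaders()), actorRef);
            } else if (isAskTimeoutException(response, error)) {
                reportThingUnavailable(retrieveThing.getThingId(), retrieveThing.getDittoHeaders(), actorRef);
            } else {
                reportUnexpectedErrorOrResponse("retrieving thing for ACL migration", actorRef, response, error, retrieveThing.getDittoHeaders());
            }
            return null;
        }, getEnforcementExecutor());
    }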

    /**
     * Authorizes a command against a policy enforcer and dispatches it when permitted.
     * Modifying commands are forwarded as they are; query commands are answered with a JSON view
     * restricted by the enforcer, optionally together with the inlined policy.
     *
     * @param thingCommand the command to authorize.
     * @param str the id of the policy that secures the thing.
     * @param enforcer the policy enforcer.
     * @param actorRef the sender that receives the reply or error.
     */
    private void enforceThingCommandByPolicyEnforcer(ThingCommand<?> thingCommand, String str, Enforcer enforcer, ActorRef actorRef) {
        boolean authorized = authorizeByPolicy(enforcer, thingCommand).map(authorizedCommand -> {
            boolean handled;
            if (authorizedCommand instanceof ThingQueryCommand) {
                ThingQueryCommand query = (ThingQueryCommand) authorizedCommand;
                if ((query instanceof RetrieveThing) && shouldRetrievePolicyWithThing(query)) {
                    handled = retrieveThingAndPolicy((RetrieveThing) query, str, enforcer, actorRef);
                } else {
                    handled = askThingsShardRegionAndBuildJsonView(query, enforcer, actorRef);
                }
            } else {
                handled = forwardToThingsShardRegion(authorizedCommand, actorRef);
            }
            return Boolean.valueOf(handled);
        }).isPresent();
        if (!authorized) {
            // An empty result from authorizeByPolicy means the command was denied.
            respondWithError(thingCommand, actorRef, self());
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Sends the error matching the given command to a recipient.
     *
     * @param thingCommand the command that was rejected.
     * @param actorRef the recipient of the error.
     * @param actorRef2 the actor reported as sender of the error.
     */
    public static void respondWithError(ThingCommand thingCommand, ActorRef actorRef, ActorRef actorRef2) {
        DittoRuntimeException rejection = errorForThingCommand(thingCommand);
        actorRef.tell(rejection, actorRef2);
    }

    /**
     * Asks the things shard region and relays the answer to the sender.
     * A query response is passed through the enforcer's JSON view first; a {@code DittoRuntimeException}
     * is relayed unchanged; timeouts and unexpected results are reported as errors.
     *
     * @param thingQueryCommand the authorized query.
     * @param enforcer the enforcer used to build the JSON view.
     * @param actorRef the sender that receives the reply or error.
     * @return always {@code true}.
     */
    private boolean askThingsShardRegionAndBuildJsonView(ThingQueryCommand thingQueryCommand, Enforcer enforcer, ActorRef actorRef) {
        PatternsCS.ask(this.thingsShardRegion, thingQueryCommand, getAskTimeout().toMillis()).handleAsync((response, error) -> {
            if (response instanceof ThingQueryCommandResponse) {
                reportJsonViewForThingQuery(actorRef, (ThingQueryCommandResponse) response, enforcer);
            } else if (response instanceof DittoRuntimeException) {
                replyToSender(response, actorRef);
            } else if (isAskTimeoutException(response, error)) {
                // The timeout may arrive either as the failure or as the reply object.
                AskTimeoutException timeout = error instanceof AskTimeoutException ? (AskTimeoutException) error : (AskTimeoutException) response;
                reportTimeoutForThingQuery(thingQueryCommand, actorRef, timeout);
            } else if (error != null) {
                reportUnexpectedError("before building JsonView", actorRef, error, thingQueryCommand.getDittoHeaders());
            } else {
                reportUnknownResponse("before building JsonView", actorRef, response, thingQueryCommand.getDittoHeaders());
            }
            return null;
        }, getEnforcementExecutor());
        return true;
    }

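    /**
     * Retrieves a thing and, if the sender may read the policy, the policy inlined into the reply.
     * When the policy retrieval is not authorized for the sender, only the thing view is returned.
     * The policy response is passed through the enforcer's JSON view before it is merged.
     *
     * @param retrieveThing the authorized command.
     * @param str the id of the policy that secures the thing.
     * @param enforcer the policy enforcer.
     * @param actorRef the sender that receives the reply or error.
     * @return {@code true}, or the result of {@code askThingsShardRegionAndBuildJsonView} when the
     * policy may not be read.
     */
    private boolean retrieveThingAndPolicy(RetrieveThing retrieveThing, String str, Enforcer enforcer, ActorRef actorRef) {
        // Precondition headers belong to the thing request and are removed from the policy request.
        Optional authorizePolicyCommand = PolicyCommandEnforcement.authorizePolicyCommand(RetrievePolicy.of(str, retrieveThing.getDittoHeaders().toBuilder().removePreconditionHeaders().build()), enforcer);
        if (!authorizePolicyCommand.isPresent()) {
            return askThingsShardRegionAndBuildJsonView(retrieveThing, enforcer, actorRef);
        }
        // The decompiled source named both nested lambda parameters "optional", which does not
        // compile; they are given distinct names here.
        retrieveThingBeforePolicy(retrieveThing, actorRef).thenAccept(thingResponseOpt -> {
            thingResponseOpt.ifPresent(retrieveThingResponse -> {
                retrieveInlinedPolicyForThing(retrieveThing, (RetrievePolicy) authorizePolicyCommand.get()).thenAccept(policyResponseOpt -> {
                    if (policyResponseOpt.isPresent()) {
                        reportAggregatedThingAndPolicyResponse(retrieveThing, retrieveThingResponse, (RetrievePolicyResponse) PolicyCommandEnforcement.buildJsonViewForPolicyQueryCommandResponse((PolicyQueryCommandResponse) policyResponseOpt.get(), enforcer), enforcer, actorRef);
                    } else {
                        // NOTE(review): this branch relays the thing response without building a JSON view,
                        // unlike the branch above - confirm that this is intended.
                        replyToSender(retrieveThingResponse, actorRef);
                    }
                });
            });
        });
        return true;
    }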

    /**
     * Asks the things shard region for the thing before the policy is fetched.
     * Any answer other than a {@code RetrieveThingResponse} is reported to the sender here, and the
     * returned optional is then empty.
     *
     * @param retrieveThing the authorized command.
     * @param actorRef the sender that receives errors.
     * @return a stage with the thing response, or an empty optional if the sender was already answered.
     */
    private CompletionStage<Optional<RetrieveThingResponse>> retrieveThingBeforePolicy(RetrieveThing retrieveThing, ActorRef actorRef) {
        return PatternsCS.ask(this.thingsShardRegion, retrieveThing, getAskTimeout().toMillis()).handleAsync((response, error) -> {
            if (!(response instanceof RetrieveThingResponse)) {
                boolean isErrorReply = (response instanceof ThingErrorResponse) || (response instanceof DittoRuntimeException);
                if (isErrorReply) {
                    replyToSender(response, actorRef);
                } else if (isAskTimeoutException(response, error)) {
                    reportThingUnavailable(retrieveThing.getThingId(), retrieveThing.getDittoHeaders(), actorRef);
                } else {
                    reportUnexpectedErrorOrResponse("retrieving thing before inlined policy", actorRef, response, error, retrieveThing.getDittoHeaders());
                }
                return Optional.empty();
            }
            return Optional.of((RetrieveThingResponse) response);
        }, getEnforcementExecutor());
    }

    /**
     * Answers the sender with a {@code ThingUnavailableException} for the given thing.
     *
     * @param str the thing id.
     * @param dittoHeaders the headers attached to the error.
     * @param actorRef the sender that receives the error.
     */
    private void reportThingUnavailable(String str, DittoHeaders dittoHeaders, ActorRef actorRef) {
        DittoRuntimeException unavailable = ThingUnavailableException.newBuilder(str)
                .dittoHeaders(dittoHeaders)
                .build();
        replyToSender(unavailable, actorRef);
    }

    /**
     * Fetches the policy that is to be inlined into a thing response.
     * The request first passes the namespace blocking step and is then sent to the policies shard
     * region. Failures are only logged; the caller sees an empty optional.
     *
     * @param retrieveThing the thing command, used for logging.
     * @param retrievePolicy the authorized policy command.
     * @return a stage with the policy response, or an empty optional on any other outcome.
     */
    private CompletionStage<Optional<RetrievePolicyResponse>> retrieveInlinedPolicyForThing(RetrieveThing retrieveThing, RetrievePolicy retrievePolicy) {
        return this.blockCachedNamespaces.apply(retrievePolicy)
                .thenCompose(checkedCommand -> PatternsCS.ask(this.policiesShardRegion, checkedCommand, getAskTimeout()))
                .handleAsync((response, error) -> {
                    // NOTE(review): the whole response object is logged; at debug level this may write
                    // policy content to the log - confirm the log sink is appropriate for it.
                    LOGGER.debug("Response of policiesShardRegion: <{}>", response);
                    if (!(response instanceof RetrievePolicyResponse)) {
                        if (error == null) {
                            log(response).info("No authorized response when retrieving inlined policy <{}> for thing <{}>: {}", retrievePolicy.getId(), retrieveThing.getThingId(), response);
                        } else {
                            log(error).error(error, "retrieving inlined policy after RetrieveThing");
                        }
                        return Optional.empty();
                    }
                    return Optional.of((RetrievePolicyResponse) response);
                }, getEnforcementExecutor());
    }

    /**
     * Unwraps the policy from a policy response and reports it together with the thing.
     *
     * @param retrieveThing the original command.
     * @param retrieveThingResponse the thing response to aggregate.
     * @param retrievePolicyResponse the policy response whose policy is inlined.
     * @param enforcer the enforcer used for the thing's JSON view.
     * @param actorRef the sender that receives the reply.
     */
    private void reportAggregatedThingAndPolicyResponse(RetrieveThing retrieveThing, RetrieveThingResponse retrieveThingResponse, RetrievePolicyResponse retrievePolicyResponse, Enforcer enforcer, ActorRef actorRef) {
        Policy inlinedPolicy = retrievePolicyResponse.getPolicy();
        reportAggregatedThingAndPolicy(retrieveThing, retrieveThingResponse, inlinedPolicy, enforcer, actorRef);
    }

    /**
     * Builds the thing's JSON view, merges the inlined policy JSON into it and answers the sender.
     * Only the thing part is filtered by the enforcer here; the policy is merged as given, so
     * callers are responsible for passing a policy the sender is allowed to see.
     *
     * @param retrieveThing the original command; supplies the schema version of the inlined policy.
     * @param retrieveThingResponse the thing response to filter.
     * @param policy the policy whose non-hidden fields are inlined.
     * @param enforcer the enforcer used for the thing's JSON view.
     * @param actorRef the sender that receives the reply.
     */
    private void reportAggregatedThingAndPolicy(RetrieveThing retrieveThing, RetrieveThingResponse retrieveThingResponse, Policy policy, Enforcer enforcer, ActorRef actorRef) {
        RetrieveThingResponse thingView = buildJsonViewForThingQueryCommandResponse(retrieveThingResponse, enforcer);
        JsonObjectBuilder aggregate = thingView.getEntity().asObject().toBuilder();
        aggregate.setAll(policy.toInlinedJson(retrieveThing.getImplementedSchemaVersion(), FieldType.notHidden()));
        replyToSender(thingView.setEntity(aggregate.build()), actorRef);
    }

    /**
     * Logs an ask timeout and answers the sender with a {@code ThingUnavailableException}.
     *
     * @param thingQueryCommand the query that timed out.
     * @param actorRef the sender that receives the error.
     * @param askTimeoutException the timeout to log.
     */
    private void reportTimeoutForThingQuery(ThingQueryCommand thingQueryCommand, ActorRef actorRef, AskTimeoutException askTimeoutException) {
        log(thingQueryCommand).error(askTimeoutException, "Timeout before building JsonView");
        DittoRuntimeException unavailable = ThingUnavailableException.newBuilder(thingQueryCommand.getThingId())
                .dittoHeaders(thingQueryCommand.getDittoHeaders())
                .build();
        replyToSender(unavailable, actorRef);
    }

    /**
     * Answers the sender with the enforcer-filtered view of a query response.
     * A runtime failure while building or sending the view is reported as an error instead.
     *
     * @param actorRef the sender that receives the reply or error.
     * @param thingQueryCommandResponse the unfiltered response.
     * @param enforcer the enforcer used to build the JSON view.
     */
    private void reportJsonViewForThingQuery(ActorRef actorRef, ThingQueryCommandResponse<?> thingQueryCommandResponse, Enforcer enforcer) {
        try {
            Object filteredResponse = buildJsonViewForThingQueryCommandResponse(thingQueryCommandResponse, enforcer);
            replyToSender(filteredResponse, actorRef);
        } catch (RuntimeException failure) {
            reportError("Error after building JsonView", actorRef, failure, thingQueryCommandResponse.getDittoHeaders());
        }
    }

    /**
     * Authorizes the creation of a thing that refers to an existing policy by id.
     * If no enforcer can be found for the policy, the sender gets an error instead.
     *
     * @param createThing the command to authorize.
     * @param str the id of the referenced policy.
     * @param actorRef the sender that receives the reply or error.
     */
    private void enforceCreateThingForNonexistentThingWithPolicyId(CreateThing createThing, String str, ActorRef actorRef) {
        EntityId policyEntityId = EntityId.of("policy", str);
        this.policyEnforcerRetriever.retrieve(policyEntityId, (policyIdEntry, policyEnforcerEntry) -> {
            if (!policyEnforcerEntry.exists()) {
                replyToSender(errorForExistingThingWithDeletedPolicy(createThing, createThing.getThingId(), str), actorRef);
                return;
            }
            enforceThingCommandByPolicyEnforcer(createThing, str, (Enforcer) policyEnforcerEntry.getValueOrThrow(), actorRef);
        });
    }

    /**
     * Replaces the entity of a query response with the view the enforcer grants.
     * Only JSON object entities are filtered; any other entity is set back unchanged.
     *
     * @param thingQueryCommandResponse the unfiltered response.
     * @param enforcer the enforcer used to build the view.
     * @return the response carrying the filtered entity.
     */
    private static <T extends ThingQueryCommandResponse> T buildJsonViewForThingQueryCommandResponse(ThingQueryCommandResponse<T> thingQueryCommandResponse, Enforcer enforcer) {
        JsonValue entity = thingQueryCommandResponse.getEntity();
        if (!entity.isObject()) {
            // NOTE(review): non-object entities bypass the enforcer's view - confirm this is acceptable.
            return (T) thingQueryCommandResponse.setEntity(entity);
        }
        JsonObject permittedView = getJsonViewForThingQueryCommandResponse(entity.asObject(), thingQueryCommandResponse, enforcer);
        return (T) thingQueryCommandResponse.setEntity(permittedView);
    }

    /**
     * Forwards an authorized command to the things shard region on behalf of the sender.
     * If the command is a modify command that changes authorization, the cached enforcer data of
     * the thing is invalidated afterwards so later commands do not use stale permissions.
     *
     * @param thingCommand the authorized command.
     * @param actorRef the original sender.
     * @return always {@code true}.
     */
    private boolean forwardToThingsShardRegion(ThingCommand thingCommand, ActorRef actorRef) {
        this.thingsShardRegion.tell(thingCommand, actorRef);
        boolean changesAuthorization = (thingCommand instanceof ThingModifyCommand) && ((ThingModifyCommand) thingCommand).changesAuthorization();
        if (changesAuthorization) {
            invalidateThingCaches(thingCommand.getThingId());
        }
        return true;
    }

    /**
     * Drops the cached enforcer key and the cached ACL enforcer of a thing.
     *
     * @param str the thing id.
     */
    private void invalidateThingCaches(String str) {
        EntityId thingEntityId = EntityId.of("thing", str);
        this.thingIdCache.invalidate(thingEntityId);
        this.aclEnforcerCache.invalidate(thingEntityId);
    }

    /**
     * Drops the cached enforcer of a policy.
     *
     * @param str the policy id.
     */
    private void invalidatePolicyCache(String str) {
        EntityId policyEntityId = EntityId.of("policy", str);
        this.policyEnforcerCache.invalidate(policyEntityId);
    }

    /**
     * Asks the enforcer for the part of a JSON object the response's authorization context may read.
     * The view is built for the "thing" resource at the response's resource path, with the
     * "READ" permission and the class-level field whitelist.
     *
     * @param jsonObject the unfiltered entity.
     * @param thingQueryCommandResponse supplies the resource path and the authorization context.
     * @param enforcer the enforcer that builds the view.
     * @return the filtered JSON object.
     */
    private static JsonObject getJsonViewForThingQueryCommandResponse(JsonObject jsonObject, ThingQueryCommandResponse thingQueryCommandResponse, Enforcer enforcer) {
        ResourceKey resourceKey = ResourceKey.newInstance("thing", thingQueryCommandResponse.getResourcePath());
        AuthorizationContext authorizationContext = thingQueryCommandResponse.getDittoHeaders().getAuthorizationContext();
        Permissions readPermission = Permissions.newInstance("READ", new String[0]);
        return enforcer.buildJsonView(resourceKey, jsonObject, authorizationContext, THING_QUERY_COMMAND_RESPONSE_WHITELIST, readPermission);
    }

    /**
     * Builds the error for a thing whose policy cannot be found.
     * Modify commands get a {@code ThingNotModifiableException}, all others a
     * {@code ThingNotAccessibleException}; both carry the same message and description, which
     * name the thing id and the policy id.
     *
     * @param thingCommand the rejected command.
     * @param str the thing id.
     * @param str2 the id of the missing policy.
     * @return the error to send to the sender.
     */
    private static DittoRuntimeException errorForExistingThingWithDeletedPolicy(ThingCommand thingCommand, String str, String str2) {
        String message = String.format("The Thing with ID '%s' could not be accessed as its Policy with ID '%s' is not or no longer existing.", str, str2);
        String description = String.format("Recreate/create the Policy with ID '%s' in order to get access to the Thing again.", str2);
        if (thingCommand instanceof ThingModifyCommand) {
            return ThingNotModifiableException.newBuilder(str)
                    .message(message)
                    .description(description)
                    .dittoHeaders(thingCommand.getDittoHeaders())
                    .build();
        }
        return ThingNotAccessibleException.newBuilder(str)
                .message(message)
                .description(description)
                .dittoHeaders(thingCommand.getDittoHeaders())
                .build();
    }

    /**
     * Looks up the error for a rejected command: the modify registry for modify commands, the
     * access registry for everything else.
     *
     * @param thingCommand the rejected command.
     * @return the error produced by the matching registry.
     */
    private static DittoRuntimeException errorForThingCommand(ThingCommand thingCommand) {
        if (thingCommand instanceof ThingModifyCommand) {
            return ThingCommandToModifyExceptionRegistry.getInstance().exceptionFrom(thingCommand);
        }
        return ThingCommandToAccessExceptionRegistry.getInstance().exceptionFrom(thingCommand);
    }

    /**
     * Tells whether an enforcer key points at the thing itself, i.e. has resource type "thing".
     *
     * @param entry the enforcer-key cache entry.
     * @return {@code true} if the entry exists and its resource type equals "thing".
     */
    private static boolean isAclEnforcer(Entry<EntityId> entry) {
        if (!entry.exists()) {
            return false;
        }
        String resourceType = ((EntityId) entry.getValueOrThrow()).getResourceType();
        return Objects.equals("thing", resourceType);
    }

    /**
     * Authorizes the creation of a thing by the authorization information the command itself carries.
     * Order of precedence: inlined (or copied) policy, then a non-empty ACL of the thing, then the
     * authorization context of the command. A command that is not a {@code CreateThing} after
     * transformation is rejected with {@code ThingNotAccessibleException}.
     *
     * @param thingCommand the command to authorize.
     * @param actorRef the sender that receives errors.
     * @return the command with its enforcer, or an empty optional if the sender was already answered.
     */
    private Optional<CreateThingWithEnforcer> enforceCreateThingBySelf(ThingCommand thingCommand, ActorRef actorRef) {
        ThingCommand candidate = transformModifyThingToCreateThing(thingCommand);
        if (!(candidate instanceof CreateThing)) {
            DittoRuntimeException notAccessible = ThingNotAccessibleException.newBuilder(candidate.getThingId()).dittoHeaders(candidate.getDittoHeaders()).build();
            log(candidate).info("Enforcer was not existing for Thing <{}> and no auth info was inlined, responding with: {}", candidate.getThingId(), notAccessible);
            replyToSender(notAccessible, actorRef);
            return Optional.empty();
        }
        CreateThing createThing = replaceInitialPolicyWithCopiedPolicyIfPresent((CreateThing) candidate);
        Optional<JsonObject> initialPolicy = createThing.getInitialPolicy();
        if (initialPolicy.isPresent()) {
            return enforceCreateThingByOwnInlinedPolicy(createThing, initialPolicy.get(), actorRef);
        }
        // An empty ACL is treated like a missing one.
        Optional<AccessControlList> nonEmptyAcl = createThing.getThing().getAccessControlList().filter(acl -> !acl.isEmpty());
        if (nonEmptyAcl.isPresent()) {
            return enforceCreateThingByOwnAcl(createThing, nonEmptyAcl.get(), actorRef);
        }
        return enforceCreateThingByAuthorizationContext(createThing);
    }

    /**
     * Rebuilds a {@code CreateThing} so that its initial policy is the copied policy, if one was
     * requested, and the command's own initial policy (possibly none) otherwise.
     *
     * @param createThing the original command.
     * @return a new command with the same thing and headers.
     */
    private CreateThing replaceInitialPolicyWithCopiedPolicyIfPresent(CreateThing createThing) {
        Thing thing = createThing.getThing();
        JsonObject effectivePolicy = getInitialPolicyOrCopiedPolicy(createThing).orElse(null);
        return CreateThing.of(thing, effectivePolicy, createThing.getDittoHeaders());
    }

    /**
     * Determines the policy JSON a new thing starts with.
     * If the command names a policy to copy - directly or through a reference placeholder that is
     * resolved first - that policy is retrieved with the command's headers and returned without
     * its "policyId" field. Otherwise the command's own initial policy is returned.
     * Both the placeholder resolution and the policy retrieval block the calling thread.
     *
     * @param createThing the command to inspect.
     * @return the policy JSON to use, or an empty optional if the command carries none.
     */
    private Optional<JsonObject> getInitialPolicyOrCopiedPolicy(CreateThing createThing) {
        DittoHeaders dittoHeaders = createThing.getDittoHeaders();
        Optional<String> policyIdToCopy = createThing.getPolicyIdOrPlaceholder()
                .flatMap(ReferencePlaceholder::fromCharSequence)
                .map(referencePlaceholder -> {
                    log(createThing).debug("CreateThing command contains a reference placeholder for the policy it wants to copy: {}", referencePlaceholder);
                    return this.policyIdReferencePlaceholderResolver.resolve(referencePlaceholder, dittoHeaders);
                })
                .map(pendingPolicyId -> awaitPolicyIdCompletionStage(pendingPolicyId, createThing))
                .map(Optional::of)
                // No placeholder: fall back to whatever the command states literally.
                .orElse(createThing.getPolicyIdOrPlaceholder());
        if (!policyIdToCopy.isPresent()) {
            log(dittoHeaders).debug("CreateThing command did not contain a policy that should be copied.");
            return createThing.getInitialPolicy();
        }
        log(dittoHeaders).debug("CreateThing command wants to use a copy of Policy <{}>", policyIdToCopy.get());
        // NOTE(review): the source policy is requested via the concierge forwarder with the sender's
        // headers, so presumably it is only copied if the sender may read it - confirm.
        Policy sourcePolicy = retrievePolicyWithEnforcement(policyIdToCopy.get(), dittoHeaders);
        return Optional.of(sourcePolicy.toJson(JsonSchemaVersion.V_2).remove("policyId"));
    }

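    /**
     * Blocks until the resolved policy id is available or the ask timeout elapses.
     *
     * @param completionStage the pending policy id.
     * @param createThing the command whose headers are attached to errors.
     * @return the resolved policy id.
     * @throws GatewayServiceTimeoutException if waiting timed out or was interrupted.
     * @throws DittoRuntimeException if the stage failed with one; it is rethrown unchanged.
     * @throws GatewayInternalErrorException if the stage failed with any other cause.
     */
    private String awaitPolicyIdCompletionStage(CompletionStage<String> completionStage, CreateThing createThing) {
        try {
            return completionStage.toCompletableFuture().get(getAskTimeout().toMillis(), TimeUnit.MILLISECONDS);
        } catch (InterruptedException | TimeoutException e) {
            if (e instanceof InterruptedException) {
                // Restore the flag so code further up the stack can still observe the interruption.
                Thread.currentThread().interrupt();
            }
            log(createThing).error(e, "An error occurred when trying to resolve policy id.");
            throw GatewayServiceTimeoutException.newBuilder().dittoHeaders(createThing.getDittoHeaders()).build();
        } catch (ExecutionException e2) {
            Throwable cause = e2.getCause();
            if (cause instanceof DittoRuntimeException) {
                // The cast is required: a bare Throwable cannot be thrown from this method.
                throw (DittoRuntimeException) cause;
            }
            throw GatewayInternalErrorException.newBuilder().dittoHeaders(createThing.getDittoHeaders()).cause(cause).build();
        }
    }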

    /**
     * Retrieves a policy through the concierge forwarder and blocks until it is available.
     * Error responses and {@code DittoRuntimeException}s received as reply are rethrown; any other
     * reply is logged and turned into a {@code GatewayInternalErrorException}.
     *
     * @param str the id of the policy to retrieve.
     * @param dittoHeaders the headers sent with the request.
     * @return the retrieved policy.
     */
    private Policy retrievePolicyWithEnforcement(String str, DittoHeaders dittoHeaders) {
        CompletionStage<Policy> pendingPolicy = PatternsCS.ask(conciergeForwarder(), RetrievePolicy.of(str, dittoHeaders), getAskTimeout()).thenApplyAsync(reply -> {
            if (reply instanceof RetrievePolicyResponse) {
                RetrievePolicyResponse policyResponse = (RetrievePolicyResponse) reply;
                return policyResponse.getPolicy();
            }
            if (reply instanceof PolicyErrorResponse) {
                PolicyErrorResponse errorResponse = (PolicyErrorResponse) reply;
                throw errorResponse.getDittoRuntimeException();
            }
            if (reply instanceof DittoRuntimeException) {
                throw ((DittoRuntimeException) reply);
            }
            log(dittoHeaders).error("Got an unexpected response while retrieving a Policy that should be copied during Thing creation: {}", reply);
            throw GatewayInternalErrorException.newBuilder().build();
        }, getEnforcementExecutor());
        return awaitPolicyCompletionStage(pendingPolicy, dittoHeaders);
    }

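    /**
     * Blocks until the given policy retrieval has completed, bounded by the ask timeout.
     *
     * @param completionStage the pending policy retrieval.
     * @param dittoHeaders the headers of the originating command; they are used for logging and are attached to
     * the error responses built here.
     * @return the retrieved policy.
     * @throws GatewayServiceTimeoutException if the wait timed out or the waiting thread was interrupted.
     * @throws DittoRuntimeException if the retrieval failed with one; it is rethrown unchanged.
     * @throws GatewayInternalErrorException if the retrieval failed with any other cause.
     */
    private Policy awaitPolicyCompletionStage(CompletionStage<Policy> completionStage, DittoHeaders dittoHeaders) {
        try {
            return completionStage.toCompletableFuture().get(getAskTimeout().toMillis(), TimeUnit.MILLISECONDS);
        } catch (InterruptedException | TimeoutException e) {
            if (e instanceof InterruptedException) {
                // Restore the interrupt flag so that code further up the stack can still observe the interruption.
                Thread.currentThread().interrupt();
            }
            log(dittoHeaders).error(e, "An error occurred when trying to retrieve policy.");
            // Consistent with awaitPolicyIdCompletionStage: keep the request headers on the error response.
            throw GatewayServiceTimeoutException.newBuilder().dittoHeaders(dittoHeaders).build();
        } catch (ExecutionException e2) {
            final Throwable cause = e2.getCause();
            if (cause instanceof DittoRuntimeException) {
                // getCause() is typed as Throwable; the cast keeps the rethrow unchecked.
                throw (DittoRuntimeException) cause;
            }
            throw GatewayInternalErrorException.newBuilder().dittoHeaders(dittoHeaders).cause(cause).build();
        }
    }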

    /**
     * Pairs a CreateThing command with an enforcer derived from the command's authorization context alone.
     *
     * <p>This method performs no permission check of its own: it always returns a non-empty Optional. Only the
     * first authorization subject of the context is used; if there is none, the subject set is empty.
     * NOTE(review): what an {@code AuthorizedSubjectsEnforcer} over an empty set permits is not visible here —
     * confirm.
     *
     * @param createThing the command to enrich.
     * @return the command with read subjects added, together with the enforcer built from the same subjects.
     */
    private Optional<CreateThingWithEnforcer> enforceCreateThingByAuthorizationContext(CreateThing createThing) {
        final Set<String> authorizedSubjects = createThing.getDittoHeaders()
                .getAuthorizationContext()
                .getFirstAuthorizationSubject()
                .map(firstSubject -> Collections.singleton(firstSubject.getId()))
                .orElse(Collections.emptySet());
        return Optional.of(new CreateThingWithEnforcer(
                AbstractEnforcement.addReadSubjectsToSignal(createThing, authorizedSubjects),
                new AuthorizedSubjectsEnforcer(authorizedSubjects)));
    }

    /**
     * Authorizes a CreateThing command against the policy that the command itself carries inline.
     *
     * <p>The inline JSON is first parsed by {@link #checkInitialPolicy}, which replies to the sender on failure.
     * A parsed policy that {@code PoliciesValidator} rejects is answered with a {@code PolicyInvalidException};
     * otherwise the command is authorized against the policy's default evaluator.
     *
     * @param createThing the command to authorize.
     * @param jsonObject the inline policy as JSON.
     * @param actorRef the sender to reply to on error.
     * @return the authorized command with its enforcer, or empty if an error was already sent to the sender.
     */
    private Optional<CreateThingWithEnforcer> enforceCreateThingByOwnInlinedPolicy(CreateThing createThing, JsonObject jsonObject, ActorRef actorRef) {
        return checkInitialPolicy(createThing, jsonObject, actorRef).flatMap(initialPolicy -> {
            if (!PoliciesValidator.newInstance(initialPolicy).isValid()) {
                replyToSender(PolicyInvalidException.newBuilder(Permission.MIN_REQUIRED_POLICY_PERMISSIONS, createThing.getThingId()).dittoHeaders(createThing.getDittoHeaders()).build(), actorRef);
                return Optional.empty();
            }
            return attachEnforcerOrReplyWithError(createThing, PolicyEnforcers.defaultEvaluator(initialPolicy), ThingCommandEnforcement::authorizeByPolicy, actorRef);
        });
    }

    /**
     * Parses the inline policy JSON of a CreateThing command and replies to the sender if parsing fails.
     *
     * <p>JSON-level failures are answered with a {@code PolicyInvalidException} built from the cause. A
     * {@code PolicyException} is sent back with the command's headers; any other DittoRuntimeException goes through
     * {@code reportError}.
     *
     * @param createThing the command that carries the inline policy.
     * @param jsonObject the inline policy as JSON.
     * @param actorRef the sender to reply to on error.
     * @return the parsed policy, or empty if parsing failed and the sender was already answered.
     */
    private Optional<Policy> checkInitialPolicy(CreateThing createThing, JsonObject jsonObject, ActorRef actorRef) {
        try {
            return Optional.of(PoliciesModelFactory.newPolicy(jsonObject));
        } catch (JsonRuntimeException | DittoJsonException jsonError) {
            replyToSender(PolicyInvalidException.newBuilderForCause(jsonError, createThing.getThingId()).dittoHeaders(createThing.getDittoHeaders()).build(), actorRef);
            return Optional.empty();
        } catch (DittoRuntimeException dittoError) {
            final DittoHeaders commandHeaders = createThing.getDittoHeaders();
            if (!(dittoError instanceof PolicyException)) {
                reportError("Error during creation of inline policy from JSON", actorRef, dittoError, commandHeaders);
            } else {
                replyToSender(dittoError.setDittoHeaders(commandHeaders), actorRef);
            }
            return Optional.empty();
        }
    }

    /**
     * Authorizes a CreateThing command against the access control list that the command itself carries.
     *
     * <p>An ACL that {@code AclValidator} rejects with respect to {@code Thing.MIN_REQUIRED_PERMISSIONS} is
     * answered with an {@code AclInvalidException}; no authorization is attempted in that case.
     *
     * @param createThing the command to authorize.
     * @param accessControlList the ACL taken from the command.
     * @param actorRef the sender to reply to on error.
     * @return the authorized command with its enforcer, or empty if an error was already sent to the sender.
     */
    private Optional<CreateThingWithEnforcer> enforceCreateThingByOwnAcl(CreateThing createThing, AccessControlList accessControlList, ActorRef actorRef) {
        final boolean aclIsValid = AclValidator.newInstance(accessControlList, Thing.MIN_REQUIRED_PERMISSIONS).isValid();
        if (!aclIsValid) {
            replyToSender(AclInvalidException.newBuilder(createThing.getThingId()).dittoHeaders(createThing.getDittoHeaders()).build(), actorRef);
            return Optional.empty();
        }
        return attachEnforcerOrReplyWithError(createThing, AclEnforcer.of(accessControlList), ThingCommandEnforcement::authorizeByAcl, actorRef);
    }

    /**
     * Runs the given authorization function and, on success, pairs the authorized command with the enforcer.
     *
     * @param createThing the command to authorize.
     * @param enforcer the enforcer to authorize against.
     * @param biFunction the authorization function; an empty result means the command is not authorized.
     * @param actorRef the sender that receives the error when authorization fails.
     * @return the authorized command with its enforcer, or empty if {@code respondWithError} was invoked instead.
     */
    private Optional<CreateThingWithEnforcer> attachEnforcerOrReplyWithError(CreateThing createThing, Enforcer enforcer, BiFunction<Enforcer, ThingCommand<CreateThing>, Optional<CreateThing>> biFunction, ActorRef actorRef) {
        final Optional<CreateThing> authorizedCommand = biFunction.apply(enforcer, createThing);
        if (!authorizedCommand.isPresent()) {
            respondWithError(createThing, actorRef, self());
            return Optional.empty();
        }
        return Optional.of(new CreateThingWithEnforcer(authorizedCommand.get(), enforcer));
    }

    /**
     * Converts a ModifyThing command into the equivalent CreateThing command; other commands pass through.
     *
     * <p>The thing's ID is set from the command's thing ID, and the inline policy, the policy ID or placeholder
     * and the headers are carried over. An absent inline policy or policy ID is passed on as {@code null}.
     *
     * @param thingCommand the command to convert.
     * @return a CreateThing for a ModifyThing input, otherwise the input itself.
     */
    private static ThingCommand transformModifyThingToCreateThing(ThingCommand thingCommand) {
        if (thingCommand instanceof ModifyThing) {
            final ModifyThing modifyThing = (ModifyThing) thingCommand;
            final Thing thingWithId = modifyThing.getThing().toBuilder().setId(modifyThing.getThingId()).build();
            final JsonObject initialPolicy = (JsonObject) modifyThing.getInitialPolicy().orElse(null);
            final String policyIdOrPlaceholder = (String) modifyThing.getPolicyIdOrPlaceholder().orElse(null);
            return CreateThing.of(thingWithId, initialPolicy, policyIdOrPlaceholder, modifyThing.getDittoHeaders());
        }
        return thingCommand;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
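    /**
     * Authorizes a thing command against a policy enforcer.
     *
     * <p>A {@code ThingModifyCommand} requires unrestricted "WRITE" permission on the command's resource path.
     * Every other command requires at least partial "READ" permission on it.
     * NOTE(review): a partial READ grant is enough to pass this gate, so any narrowing of the response to the
     * parts the subject may actually see has to happen elsewhere — confirm where.
     *
     * @param enforcer the policy enforcer to check against.
     * @param thingCommand the command to authorize; its headers supply the authorization context.
     * @param <T> the command type.
     * @return the command with read subjects added if authorized, otherwise empty.
     */
    public static <T extends ThingCommand> Optional<T> authorizeByPolicy(Enforcer enforcer, ThingCommand<T> thingCommand) {
        final ResourceKey thingResource = PoliciesResourceType.thingResource(thingCommand.getResourcePath());
        final AuthorizationContext authorizationContext = thingCommand.getDittoHeaders().getAuthorizationContext();
        // The permission decision is computed first and only then mapped to an Optional. Written as a single
        // unparenthesized conditional chain, the write branch would yield the bare boolean instead of an Optional.
        final boolean authorized;
        if (thingCommand instanceof ThingModifyCommand) {
            authorized = enforcer.hasUnrestrictedPermissions(thingResource, authorizationContext, "WRITE", new String[0]);
        } else {
            authorized = enforcer.hasPartialPermissions(thingResource, authorizationContext, "READ", new String[0]);
        }
        return authorized ? Optional.of(AbstractEnforcement.addReadSubjectsToThingSignal(thingCommand, enforcer)) : Optional.empty();
    }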

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Authorizes a thing command against an ACL-based enforcer.
     *
     * <p>The required permissions come from {@link #computeAclPermissions} for a {@code ThingModifyCommand} and
     * are "READ" for every other command. In both cases the permissions must be held unrestricted on the
     * command's resource path.
     *
     * @param enforcer the ACL enforcer to check against.
     * @param thingCommand the command to authorize; its headers supply the authorization context.
     * @param <T> the command type.
     * @return the command with read subjects added if authorized, otherwise empty.
     */
    public static <T extends ThingCommand> Optional<T> authorizeByAcl(Enforcer enforcer, ThingCommand<T> thingCommand) {
        final ResourceKey thingResource = PoliciesResourceType.thingResource(thingCommand.getResourcePath());
        final AuthorizationContext authorizationContext = thingCommand.getDittoHeaders().getAuthorizationContext();
        final Permissions requiredPermissions;
        if (thingCommand instanceof ThingModifyCommand) {
            requiredPermissions = computeAclPermissions((ThingModifyCommand) thingCommand);
        } else {
            requiredPermissions = Permissions.newInstance("READ", new String[0]);
        }
        if (enforcer.hasUnrestrictedPermissions(thingResource, authorizationContext, requiredPermissions)) {
            return Optional.of(AbstractEnforcement.addReadSubjectsToThingSignal(thingCommand, enforcer));
        }
        return Optional.empty();
    }

    /**
     * Determines the ACL permissions a modifying command needs.
     *
     * @param thingModifyCommand the modifying command.
     * @return "WRITE" plus the name of {@code Permission.ADMINISTRATE} if the command changes authorization,
     * otherwise "WRITE" alone.
     */
    private static Permissions computeAclPermissions(ThingModifyCommand thingModifyCommand) {
        if (thingModifyCommand.changesAuthorization()) {
            // Changing who may access the thing needs the administrative permission on top of WRITE.
            final String administrate = org.eclipse.ditto.model.things.Permission.ADMINISTRATE.name();
            return Permissions.newInstance("WRITE", new String[]{administrate});
        }
        return Permissions.newInstance("WRITE", new String[0]);
    }

    /**
     * Tells whether a thing retrieval also asks for the thing's policy.
     *
     * <p>That is the case when the command does not implement schema version 1 and its selected fields contain a
     * pointer whose root key is "_policy".
     * NOTE(review): the command is cast to {@code RetrieveThing} without a type check, so the caller has to pass
     * one whenever the schema version is not V_1 — confirm at the call site.
     *
     * @param thingCommand the retrieval command to inspect.
     * @return {@code true} if the policy is requested alongside the thing.
     */
    private static boolean shouldRetrievePolicyWithThing(ThingCommand thingCommand) {
        if (JsonSchemaVersion.V_1 == thingCommand.getImplementedSchemaVersion()) {
            return false;
        }
        return ((RetrieveThing) thingCommand).getSelectedFields()
                .filter(selector -> selector.getPointers().stream()
                        .anyMatch(pointer -> pointer.getRoot()
                                .filter(rootKey -> "_policy".equals(rootKey.toString()))
                                .isPresent()))
                .isPresent();
    }

    /**
     * Dispatches a CreateThing command for a thing that does not exist yet.
     *
     * <p>Three outcomes are possible:
     * <ul>
     * <li>No policy is to be created and the thing names no policy ID: the command is forwarded to the things
     * shard region as is. Given {@link #shouldCreatePolicyForCreateThing}, this is only reached for schema
     * version 1 without inline policy, and the ACL and policy-ID checks below are not applied on this path.</li>
     * <li>A policy is to be created: the command is validated and handed to
     * {@link #createThingWithInitialPolicy}.</li>
     * <li>The thing names an existing policy ID: the command is validated and enforced against that policy.</li>
     * </ul>
     * A validation error is sent to the sender and ends the handling.
     *
     * @param createThing the command to handle.
     * @param enforcer the enforcer used to authorize the creation of an initial policy.
     * @param actorRef the sender to reply to.
     */
    private void handleInitialCreateThing(CreateThing createThing, Enforcer enforcer, ActorRef actorRef) {
        final boolean createsPolicy = shouldCreatePolicyForCreateThing(createThing);
        if (!createsPolicy && !createThing.getThing().getPolicyId().isPresent()) {
            forwardToThingsShardRegion(createThing, actorRef);
            return;
        }
        final Optional<DittoRuntimeException> validationError = checkForErrorsInCreateThingWithPolicy(createThing);
        if (validationError.isPresent()) {
            replyToSender(validationError.get(), actorRef);
            return;
        }
        if (createsPolicy) {
            createThingWithInitialPolicy(createThing, enforcer, actorRef);
        } else {
            // Presence of the policy ID was established by the first guard above.
            final String policyId = (String) createThing.getThing().getPolicyId().orElseThrow(IllegalStateException::new);
            enforceCreateThingForNonexistentThingWithPolicyId(createThing, policyId, actorRef);
        }
    }

    /**
     * Creates a thing together with its initial policy, which is either the inline one or a default one.
     *
     * <p>The policy creation is itself authorized via {@code PolicyCommandEnforcement.authorizePolicyCommand}
     * against the given enforcer; the CreatePolicy command uses the thing command's headers with the precondition
     * headers removed. If no policy can be determined, or the policy creation is not authorized, the sender
     * receives an error. Any RuntimeException raised on the way is passed to {@code reportError}.
     *
     * @param createThing the command to handle.
     * @param enforcer the enforcer that decides whether the initial policy may be created.
     * @param actorRef the sender to reply to.
     */
    private void createThingWithInitialPolicy(CreateThing createThing, Enforcer enforcer, ActorRef actorRef) {
        try {
            final Optional<Policy> policyToCreate = getInlinedOrDefaultPolicyForCreateThing(createThing);
            if (policyToCreate.isPresent()) {
                final Policy initialPolicy = policyToCreate.get();
                final DittoHeaders policyHeaders = createThing.getDittoHeaders().toBuilder().removePreconditionHeaders().build();
                // The filter step starts the asynchronous creation as a side effect of an authorized command.
                final boolean dispatched = PolicyCommandEnforcement.authorizePolicyCommand(CreatePolicy.of(initialPolicy, policyHeaders), enforcer)
                        .filter(authorizedCreatePolicy -> createPolicyAndThing(authorizedCreatePolicy, createThing, actorRef))
                        .isPresent();
                if (!dispatched) {
                    replyToSender(errorForThingCommand(createThing), actorRef);
                }
                return;
            }
            final String thingId = createThing.getThingId();
            replyToSender(ThingNotCreatableException.newBuilderForPolicyMissing(thingId, thingId).message(String.format("The Thing with ID '%s' could not be created with implicit Policy because no authorization subject is present.", thingId)).description(() -> null).dittoHeaders(createThing.getDittoHeaders()).build(), actorRef);
        } catch (RuntimeException e) {
            reportError("error before creating thing with initial policy", actorRef, e, createThing.getDittoHeaders());
        }
    }

    /**
     * Determines the policy to create alongside a thing: the inline policy if given, else the default policy.
     *
     * <p>For an inline policy, the policy ID is overwritten whenever the thing names a policy ID, and it is filled
     * in when the inline policy has none. The value used is the thing's policy ID, falling back to the thing ID.
     *
     * @param createThing the command to inspect.
     * @return the policy to create, or empty if there is no inline policy and no default policy can be built.
     */
    private static Optional<Policy> getInlinedOrDefaultPolicyForCreateThing(CreateThing createThing) {
        final Optional<?> inlinePolicy = createThing.getInitialPolicy();
        if (inlinePolicy.isPresent()) {
            final JsonObject inlinePolicyJson = (JsonObject) inlinePolicy.get();
            final JsonObjectBuilder policyJsonBuilder = inlinePolicyJson.toBuilder();
            final Thing thing = createThing.getThing();
            final boolean mustSetPolicyId = thing.getPolicyId().isPresent() || !inlinePolicyJson.contains(Policy.JsonFields.ID.getPointer());
            if (mustSetPolicyId) {
                policyJsonBuilder.set(Policy.JsonFields.ID, (String) thing.getPolicyId().orElse(createThing.getThingId()));
            }
            return Optional.of(PoliciesModelFactory.newPolicy(policyJsonBuilder.build()));
        }
        return getDefaultPolicy(createThing.getDittoHeaders().getAuthorizationContext(), createThing.getThingId());
    }

    /**
     * Validates a CreateThing command that is going to be created with a policy.
     *
     * <p>The ACL check runs first; the policy-ID check only runs if the ACL check found nothing.
     *
     * @param createThing the command to validate.
     * @return the first error found, or empty if the command passed both checks.
     */
    private static Optional<DittoRuntimeException> checkForErrorsInCreateThingWithPolicy(CreateThing createThing) {
        final Optional<DittoRuntimeException> aclError = checkAclAbsenceInCreateThing(createThing);
        if (aclError.isPresent()) {
            return aclError;
        }
        return checkPolicyIdValidityForCreateThing(createThing);
    }

    /**
     * Rejects a CreateThing command whose thing carries an access control list.
     *
     * @param createThing the command to validate.
     * @return an {@code AclNotAllowedException} with the command's headers if an ACL is present, otherwise empty.
     */
    private static Optional<DittoRuntimeException> checkAclAbsenceInCreateThing(CreateThing createThing) {
        if (!createThing.getThing().getAccessControlList().isPresent()) {
            return Optional.empty();
        }
        return Optional.of(AclNotAllowedException.newBuilder(createThing.getThingId()).dittoHeaders(createThing.getDittoHeaders()).build());
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Rejects a CreateThing command whose thing and inline policy name different policy IDs.
     *
     * <p>The command is only rejected when both IDs are present and differ. A policy ID that appears on just one
     * of the two sides, or on neither, is accepted.
     *
     * @param createThing the command to validate.
     * @return a {@code PolicyIdNotAllowedException} with the command's headers on a mismatch, otherwise empty.
     */
    public static Optional<DittoRuntimeException> checkPolicyIdValidityForCreateThing(CreateThing createThing) {
        final Optional<?> thingPolicyId = createThing.getThing().getPolicyId();
        final Optional<?> inlinePolicyId = createThing.getInitialPolicy().flatMap(inlinePolicy -> inlinePolicy.getValue(Thing.JsonFields.POLICY_ID));
        final boolean mismatch = thingPolicyId.isPresent() && inlinePolicyId.isPresent() && !inlinePolicyId.equals(thingPolicyId);
        if (mismatch) {
            return Optional.of(PolicyIdNotAllowedException.newBuilder(createThing.getThingId()).dittoHeaders(createThing.getDittoHeaders()).build());
        }
        return Optional.empty();
    }

    /**
     * Tells whether creating the thing also requires creating a policy.
     *
     * <p>A policy is created when the command carries an inline policy. Without one, a policy is created only if
     * the schema version is not V_1 and the thing names no policy ID. A missing schema version header counts as
     * {@code JsonSchemaVersion.LATEST}.
     *
     * @param createThing the command to inspect.
     * @return {@code true} if a policy has to be created together with the thing.
     */
    private static boolean shouldCreatePolicyForCreateThing(CreateThing createThing) {
        if (createThing.getInitialPolicy().isPresent()) {
            return true;
        }
        final JsonSchemaVersion schemaVersion = (JsonSchemaVersion) createThing.getDittoHeaders().getSchemaVersion().orElse(JsonSchemaVersion.LATEST);
        return JsonSchemaVersion.V_1 != schemaVersion && !createThing.getThing().getPolicyId().isPresent();
    }

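    /**
     * Starts the asynchronous creation of the initial policy and, once that succeeded, of the thing.
     *
     * <p>The policy cache entry is invalidated before the CreatePolicy command is sent, and the thing caches are
     * invalidated before the CreateThing command is sent. The CreatePolicy command first passes through
     * {@code blockCachedNamespaces}. NOTE(review): presumably that stage fails with a
     * {@code NamespaceBlockedException} for a blocked namespace, since
     * {@link #handlePolicyResponseForCreateThing} treats that throwable as a creation failure — confirm.
     *
     * <p>NOTE(review): no compensating action is visible here when the thing creation fails after the policy was
     * created, so the policy would remain — confirm whether that is handled elsewhere.
     *
     * @param createPolicy the already authorized command that creates the initial policy.
     * @param createThing the original command; the thing sent on gets the ID of the created policy and no inline
     * policy.
     * @param actorRef the sender that receives the final response or error.
     * @return always {@code true}; the method returns before any response has arrived.
     */
    private boolean createPolicyAndThing(CreatePolicy createPolicy, CreateThing createThing, ActorRef actorRef) {
        final long askTimeoutMillis = getAskTimeout().toMillis();
        final CreateThing createThingWithPolicyId = CreateThing.of(createThing.getThing().setPolicyId(createPolicy.getId()), (JsonObject) null, createThing.getDittoHeaders());
        invalidatePolicyCache(createPolicy.getId());
        this.blockCachedNamespaces.apply(createPolicy).thenCompose(checkedCreatePolicy -> {
            return PatternsCS.ask(this.policiesShardRegion, checkedCreatePolicy, askTimeoutMillis);
        }).handleAsync((policyResponse, policyError) -> {
            handlePolicyResponseForCreateThing(createPolicy, createThingWithPolicyId, policyResponse, policyError, actorRef).ifPresent(thingToCreate -> {
                invalidateThingCaches(thingToCreate.getThingId());
                // The nested handler needs parameter names of its own: a lambda parameter must not redeclare
                // a name that is already in scope from the enclosing lambda.
                PatternsCS.ask(this.thingsShardRegion, thingToCreate, askTimeoutMillis).handleAsync((thingResponse, thingError) -> {
                    return handleThingResponseForCreateThing(createThingWithPolicyId, thingResponse, thingError, actorRef);
                });
            });
            return null;
        }, getEnforcementExecutor());
        return true;
    }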

    /**
     * Evaluates the outcome of creating the initial policy and replies to the sender on failure.
     *
     * <p>Only a {@code CreatePolicyResponse} lets the thing creation proceed. Every other outcome is answered
     * here: as a policy creation failure, as {@code PolicyUnavailableException} on an ask timeout, or as an
     * unexpected error or response.
     *
     * @param createPolicy the command that was sent to create the policy.
     * @param createThing the command to send next if the policy was created.
     * @param obj the response of the policy creation, if any.
     * @param th the error of the policy creation, if any.
     * @param actorRef the sender to reply to on failure.
     * @return the CreateThing command to send on, or empty if the sender was already answered.
     */
    private Optional<CreateThing> handlePolicyResponseForCreateThing(CreatePolicy createPolicy, CreateThing createThing, Object obj, Throwable th, ActorRef actorRef) {
        if (obj instanceof CreatePolicyResponse) {
            return Optional.of(createThing);
        }
        if (shouldReportInitialPolicyCreationFailure(obj, th)) {
            reportInitialPolicyCreationFailure(createPolicy.getId(), createThing, actorRef);
            return Optional.empty();
        }
        if (isAskTimeoutException(obj, th)) {
            replyToSender(PolicyUnavailableException.newBuilder(createThing.getThingId()).dittoHeaders(createThing.getDittoHeaders()).build(), actorRef);
            return Optional.empty();
        }
        final String hint = String.format("creating initial policy during creation of Thing <%s>", createThing.getThingId());
        reportUnexpectedErrorOrResponse(hint, actorRef, obj, th, createThing.getDittoHeaders());
        return Optional.empty();
    }

    /**
     * Tells whether the outcome of the policy creation is one of the known failures that get reported as such.
     *
     * @param obj the response of the policy creation, if any.
     * @param th the error of the policy creation, if any.
     * @return {@code true} if the response is a {@code PolicyConflictException} or a
     * {@code PolicyNotAccessibleException}, or if the error is a {@code NamespaceBlockedException}.
     */
    private boolean shouldReportInitialPolicyCreationFailure(Object obj, Throwable th) {
        if (obj instanceof PolicyConflictException) {
            return true;
        }
        if (obj instanceof PolicyNotAccessibleException) {
            return true;
        }
        return th instanceof NamespaceBlockedException;
    }

    /**
     * Relays the outcome of the thing creation that followed the initial policy creation to the sender.
     *
     * <p>A {@code ThingCommandResponse} or a {@code DittoRuntimeException} is passed on unchanged. An ask timeout
     * is answered with a {@code ThingUnavailableException}; anything else is reported as unexpected.
     *
     * @param createThing the command that was sent to create the thing.
     * @param obj the response of the thing creation, if any.
     * @param th the error of the thing creation, if any.
     * @param actorRef the sender to reply to.
     * @return always {@code null}; the return type only serves the async handler signature.
     */
    private Void handleThingResponseForCreateThing(CreateThing createThing, Object obj, Throwable th, ActorRef actorRef) {
        final boolean relayAsIs = (obj instanceof ThingCommandResponse) || (obj instanceof DittoRuntimeException);
        if (relayAsIs) {
            replyToSender(obj, actorRef);
        } else if (isAskTimeoutException(obj, th)) {
            replyToSender(ThingUnavailableException.newBuilder(createThing.getThingId()).dittoHeaders(createThing.getDittoHeaders()).build(), actorRef);
        } else {
            final String hint = String.format("after creating initial policy during creation of Thing <%s>", createThing.getThingId());
            reportUnexpectedErrorOrResponse(hint, actorRef, obj, th, createThing.getDittoHeaders());
        }
        return null;
    }

    /**
     * Logs that the initial policy could not be created and answers the sender with a
     * {@code ThingNotCreatableException}.
     *
     * <p>NOTE(review): both the log message and the {@code newBuilderForPolicyExisting} builder speak of an
     * already existing policy, but {@link #shouldReportInitialPolicyCreationFailure} also routes
     * {@code PolicyNotAccessibleException} and {@code NamespaceBlockedException} here — confirm the wording is
     * intended for those cases too.
     *
     * @param str the ID of the policy that could not be created.
     * @param createThing the command that is therefore not handled.
     * @param actorRef the sender to reply to.
     */
    private void reportInitialPolicyCreationFailure(String str, CreateThing createThing, ActorRef actorRef) {
        final String logTemplate = "Failed to create Policy with ID '{}' is already existing, the CreateThing command which would have created a Policy for the Thing with ID '{}' is therefore not handled";
        log(createThing).info(logTemplate, str, createThing.getThingId());
        final DittoHeaders commandHeaders = createThing.getDittoHeaders();
        replyToSender(ThingNotCreatableException.newBuilderForPolicyExisting(createThing.getThingId(), str).dittoHeaders(commandHeaders).build(), actorRef);
    }

    /**
     * Builds the implicit policy for a thing that is created without an inline policy.
     *
     * <p>The policy has a single entry labelled {@code DEFAULT_POLICY_ENTRY_LABEL} whose only subject is the
     * first authorization subject of the context; further subjects of the context get no entry. That subject is
     * granted {@code DEFAULT_THING_PERMISSIONS} on the thing resource "/" and {@code DEFAULT_POLICY_PERMISSIONS}
     * on both the policy resource "/" and the message resource "/".
     *
     * @param authorizationContext the authorization context of the creating command.
     * @param charSequence the ID of the policy to build.
     * @return the default policy, or empty if the context has no first authorization subject.
     */
    private static Optional<Policy> getDefaultPolicy(AuthorizationContext authorizationContext, CharSequence charSequence) {
        return authorizationContext.getFirstAuthorizationSubject()
                .map(authorizationSubject -> authorizationSubject.getId())
                .map(subjectIdValue -> SubjectId.newInstance(subjectIdValue))
                .map(Subject::newInstance)
                .map(ownerSubject -> Policy.newBuilder(charSequence)
                        .forLabel(DEFAULT_POLICY_ENTRY_LABEL)
                        .setSubject(ownerSubject)
                        .setGrantedPermissions(PoliciesResourceType.thingResource("/"), org.eclipse.ditto.services.models.things.Permission.DEFAULT_THING_PERMISSIONS)
                        .setGrantedPermissions(PoliciesResourceType.policyResource("/"), Permission.DEFAULT_POLICY_PERMISSIONS)
                        .setGrantedPermissions(PoliciesResourceType.messageResource("/"), Permission.DEFAULT_POLICY_PERMISSIONS)
                        .build());
    }
}
