package org.eclipse.ditto.services.concierge.enforcement;

import akka.actor.ActorRef;
import akka.cluster.pubsub.DistributedPubSubMediator;
import akka.pattern.AskTimeoutException;
import akka.pattern.Patterns;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import org.eclipse.ditto.json.JsonFactory;
import org.eclipse.ditto.json.JsonFieldDefinition;
import org.eclipse.ditto.json.JsonFieldSelector;
import org.eclipse.ditto.json.JsonObject;
import org.eclipse.ditto.json.JsonValue;
import org.eclipse.ditto.model.base.auth.AuthorizationContext;
import org.eclipse.ditto.model.base.exceptions.DittoRuntimeException;
import org.eclipse.ditto.model.base.headers.WithDittoHeaders;
import org.eclipse.ditto.model.enforcers.Enforcer;
import org.eclipse.ditto.model.enforcers.PolicyEnforcers;
import org.eclipse.ditto.model.policies.Permissions;
import org.eclipse.ditto.model.policies.PoliciesResourceType;
import org.eclipse.ditto.model.policies.Policy;
import org.eclipse.ditto.model.policies.ResourceKey;
import org.eclipse.ditto.services.utils.akka.LogUtil;
import org.eclipse.ditto.services.utils.cache.Cache;
import org.eclipse.ditto.services.utils.cache.EntityId;
import org.eclipse.ditto.services.utils.cache.InvalidateCacheEntry;
import org.eclipse.ditto.services.utils.cache.entry.Entry;
import org.eclipse.ditto.services.utils.cacheloaders.IdentityCache;
import org.eclipse.ditto.signals.commands.policies.PolicyCommand;
import org.eclipse.ditto.signals.commands.policies.exceptions.PolicyCommandToAccessExceptionRegistry;
import org.eclipse.ditto.signals.commands.policies.exceptions.PolicyCommandToModifyExceptionRegistry;
import org.eclipse.ditto.signals.commands.policies.exceptions.PolicyNotAccessibleException;
import org.eclipse.ditto.signals.commands.policies.exceptions.PolicyUnavailableException;
import org.eclipse.ditto.signals.commands.policies.modify.CreatePolicy;
import org.eclipse.ditto.signals.commands.policies.modify.ModifyPolicy;
import org.eclipse.ditto.signals.commands.policies.modify.PolicyModifyCommand;
import org.eclipse.ditto.signals.commands.policies.query.PolicyQueryCommand;
import org.eclipse.ditto.signals.commands.policies.query.PolicyQueryCommandResponse;

/* loaded from: input_file:org/eclipse/ditto/services/concierge/enforcement/PolicyCommandEnforcement.class */
public final class PolicyCommandEnforcement extends AbstractEnforcement<PolicyCommand> {
    private static final JsonFieldSelector POLICY_QUERY_COMMAND_RESPONSE_WHITELIST = JsonFactory.newFieldSelector(Policy.JsonFields.ID, new JsonFieldDefinition[0]);
    private final ActorRef policiesShardRegion;
    private final EnforcerRetriever enforcerRetriever;
    private final Cache<EntityId, Entry<Enforcer>> enforcerCache;

    /* loaded from: input_file:org/eclipse/ditto/services/concierge/enforcement/PolicyCommandEnforcement$Provider.class */
    public static final class Provider implements EnforcementProvider<PolicyCommand> {
        private final Cache<EntityId, Entry<Enforcer>> enforcerCache;
        private ActorRef policiesShardRegion;

        public Provider(ActorRef actorRef, Cache<EntityId, Entry<Enforcer>> cache) {
            this.policiesShardRegion = (ActorRef) Objects.requireNonNull(actorRef);
            this.enforcerCache = (Cache) Objects.requireNonNull(cache);
        }

        @Override // org.eclipse.ditto.services.concierge.enforcement.EnforcementProvider
        public Class<PolicyCommand> getCommandClass() {
            return PolicyCommand.class;
        }

        @Override // org.eclipse.ditto.services.concierge.enforcement.EnforcementProvider
        public AbstractEnforcement<PolicyCommand> createEnforcement(Contextual<PolicyCommand> contextual) {
            return new PolicyCommandEnforcement(contextual, this.policiesShardRegion, this.enforcerCache);
        }
    }

    private PolicyCommandEnforcement(Contextual<PolicyCommand> contextual, ActorRef actorRef, Cache<EntityId, Entry<Enforcer>> cache) {
        super(contextual);
        this.policiesShardRegion = (ActorRef) Objects.requireNonNull(actorRef);
        this.enforcerCache = (Cache) Objects.requireNonNull(cache);
        this.enforcerRetriever = new EnforcerRetriever((Cache<EntityId, Entry<EntityId>>) IdentityCache.INSTANCE, cache);
    }

    public static <T extends PolicyCommand> Optional<T> authorizePolicyCommand(T t, Enforcer enforcer) {
        ResourceKey policyResource = PoliciesResourceType.policyResource(t.getResourcePath());
        AuthorizationContext authorizationContext = t.getDittoHeaders().getAuthorizationContext();
        return t instanceof PolicyModifyCommand ? enforcer.hasUnrestrictedPermissions(policyResource, authorizationContext, "WRITE", new String[0]) : enforcer.hasPartialPermissions(policyResource, authorizationContext, "READ", new String[0]) ? Optional.of(t) : Optional.empty();
    }

    public static <T extends PolicyQueryCommandResponse> T buildJsonViewForPolicyQueryCommandResponse(PolicyQueryCommandResponse<T> policyQueryCommandResponse, Enforcer enforcer) {
        JsonValue entity = policyQueryCommandResponse.getEntity();
        return entity.isObject() ? (T) policyQueryCommandResponse.setEntity(getJsonViewForPolicyQueryCommandResponse(entity.asObject(), policyQueryCommandResponse, enforcer)) : (T) policyQueryCommandResponse.setEntity(entity);
    }

    private static JsonObject getJsonViewForPolicyQueryCommandResponse(JsonObject jsonObject, PolicyQueryCommandResponse policyQueryCommandResponse, Enforcer enforcer) {
        return enforcer.buildJsonView(ResourceKey.newInstance("policy", policyQueryCommandResponse.getResourcePath()), jsonObject, policyQueryCommandResponse.getDittoHeaders().getAuthorizationContext(), POLICY_QUERY_COMMAND_RESPONSE_WHITELIST, Permissions.newInstance("READ", new String[0]));
    }

    private static PolicyCommand transformModifyPolicyToCreatePolicy(PolicyCommand policyCommand) {
        if (!(policyCommand instanceof ModifyPolicy)) {
            return policyCommand;
        }
        ModifyPolicy modifyPolicy = (ModifyPolicy) policyCommand;
        return CreatePolicy.of(modifyPolicy.getPolicy(), modifyPolicy.getDittoHeaders());
    }

    private static DittoRuntimeException errorForPolicyCommand(PolicyCommand policyCommand) {
        return (policyCommand instanceof PolicyModifyCommand ? PolicyCommandToModifyExceptionRegistry.getInstance() : PolicyCommandToAccessExceptionRegistry.getInstance()).exceptionFrom(policyCommand);
    }

    @Override // org.eclipse.ditto.services.concierge.enforcement.AbstractEnforcement
    public CompletionStage<Contextual<WithDittoHeaders>> enforce() {
        LogUtil.enhanceLogWithCorrelationIdOrRandom(signal());
        return this.enforcerRetriever.retrieve(entityId(), (entry, entry2) -> {
            try {
                return doEnforce(entry2).exceptionally(this::handleExceptionally);
            } catch (RuntimeException e) {
                return CompletableFuture.completedFuture(handleExceptionally(e));
            }
        });
    }

    private CompletionStage<Contextual<WithDittoHeaders>> doEnforce(Entry<Enforcer> entry) {
        return entry.exists() ? enforcePolicyCommandByEnforcer((Enforcer) entry.getValueOrThrow()) : CompletableFuture.completedFuture(forwardToPoliciesShardRegion(enforcePolicyCommandByNonexistentEnforcer()));
    }

    private CompletionStage<Contextual<WithDittoHeaders>> enforcePolicyCommandByEnforcer(Enforcer enforcer) {
        Optional authorizePolicyCommand = authorizePolicyCommand(signal(), enforcer);
        if (!authorizePolicyCommand.isPresent()) {
            throw errorForPolicyCommand(signal());
        }
        PolicyCommand policyCommand = (PolicyCommand) authorizePolicyCommand.get();
        return policyCommand instanceof PolicyQueryCommand ? askPoliciesShardRegionAndBuildJsonView((PolicyQueryCommand) policyCommand, enforcer).thenApply(withDittoHeaders -> {
            return withMessageToReceiver(withDittoHeaders, sender());
        }) : CompletableFuture.completedFuture(forwardToPoliciesShardRegion(policyCommand));
    }

    private CreatePolicy enforcePolicyCommandByNonexistentEnforcer() {
        CreatePolicy transformModifyPolicyToCreatePolicy = transformModifyPolicyToCreatePolicy(signal());
        if (!(transformModifyPolicyToCreatePolicy instanceof CreatePolicy)) {
            throw PolicyNotAccessibleException.newBuilder(transformModifyPolicyToCreatePolicy.getId()).dittoHeaders(transformModifyPolicyToCreatePolicy.getDittoHeaders()).build();
        }
        CreatePolicy createPolicy = transformModifyPolicyToCreatePolicy;
        if (authorizePolicyCommand(createPolicy, PolicyEnforcers.defaultEvaluator(createPolicy.getPolicy())).isPresent()) {
            return createPolicy;
        }
        throw errorForPolicyCommand(signal());
    }

    private Contextual<WithDittoHeaders> forwardToPoliciesShardRegion(PolicyCommand policyCommand) {
        if (policyCommand instanceof PolicyModifyCommand) {
            invalidateCaches(policyCommand.getId());
        }
        return withMessageToReceiver(policyCommand, this.policiesShardRegion);
    }

    private void invalidateCaches(String str) {
        EntityId of = EntityId.of("policy", str);
        this.enforcerCache.invalidate(of);
        pubSubMediator().tell(new DistributedPubSubMediator.SendToAll("/user/conciergeRoot/enforcer", InvalidateCacheEntry.of(of), true), self());
    }

    private CompletionStage<WithDittoHeaders> askPoliciesShardRegionAndBuildJsonView(PolicyQueryCommand policyQueryCommand, Enforcer enforcer) {
        return Patterns.ask(this.policiesShardRegion, policyQueryCommand, getAskTimeout()).handle((obj, th) -> {
            if (obj instanceof PolicyQueryCommandResponse) {
                return reportJsonViewForPolicyQuery((PolicyQueryCommandResponse) obj, enforcer);
            }
            if (obj instanceof DittoRuntimeException) {
                throw ((DittoRuntimeException) obj);
            }
            if (isAskTimeoutException(obj, th)) {
                throw reportTimeoutForPolicyQuery(policyQueryCommand, (AskTimeoutException) obj);
            }
            if (th != null) {
                throw reportUnexpectedError("before building JsonView", th);
            }
            throw reportUnknownResponse("before building JsonView", obj);
        });
    }

    private PolicyUnavailableException reportTimeoutForPolicyQuery(PolicyQueryCommand policyQueryCommand, AskTimeoutException askTimeoutException) {
        log(policyQueryCommand).error(askTimeoutException, "Timeout before building JsonView");
        return PolicyUnavailableException.newBuilder(policyQueryCommand.getId()).dittoHeaders(policyQueryCommand.getDittoHeaders()).build();
    }

    private PolicyQueryCommandResponse reportJsonViewForPolicyQuery(PolicyQueryCommandResponse<?> policyQueryCommandResponse, Enforcer enforcer) {
        try {
            return buildJsonViewForPolicyQueryCommandResponse(policyQueryCommandResponse, enforcer);
        } catch (RuntimeException e) {
            throw reportError("Error after building JsonView", e);
        }
    }
}
