package org.eclipse.ditto.services.gateway.proxy.actors;

import akka.actor.AbstractActor;
import akka.actor.AbstractActorWithStash;
import akka.actor.ActorRef;
import akka.actor.Cancellable;
import akka.actor.PoisonPill;
import akka.actor.Props;
import akka.cluster.ddata.LWWRegister;
import akka.cluster.ddata.Replicator;
import akka.cluster.pubsub.DistributedPubSubMediator;
import akka.event.DiagnosticLoggingAdapter;
import akka.japi.Creator;
import akka.japi.pf.ReceiveBuilder;
import akka.pattern.AskTimeoutException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import javax.annotation.concurrent.Immutable;
import org.eclipse.ditto.model.base.auth.AuthorizationContext;
import org.eclipse.ditto.model.base.exceptions.DittoRuntimeException;
import org.eclipse.ditto.model.base.headers.DittoHeaders;
import org.eclipse.ditto.model.base.headers.WithDittoHeaders;
import org.eclipse.ditto.model.base.json.JsonSchemaVersion;
import org.eclipse.ditto.model.messages.MessageSendNotAllowedException;
import org.eclipse.ditto.model.policies.SubjectIssuer;
import org.eclipse.ditto.model.things.AccessControlList;
import org.eclipse.ditto.model.things.Permission;
import org.eclipse.ditto.model.things.Thing;
import org.eclipse.ditto.protocoladapter.TopicPath;
import org.eclipse.ditto.services.gateway.starter.service.util.FireAndForgetMessageUtil;
import org.eclipse.ditto.services.gateway.streaming.StreamingType;
import org.eclipse.ditto.services.models.policies.PoliciesAclMigrations;
import org.eclipse.ditto.services.models.things.ThingCacheEntry;
import org.eclipse.ditto.services.models.things.commands.sudo.SudoCommand;
import org.eclipse.ditto.services.utils.akka.LogUtil;
import org.eclipse.ditto.services.utils.distributedcache.actors.RegisterForCacheUpdates;
import org.eclipse.ditto.services.utils.distributedcache.model.CacheEntry;
import org.eclipse.ditto.signals.base.Signal;
import org.eclipse.ditto.signals.base.WithThingId;
import org.eclipse.ditto.signals.commands.base.Command;
import org.eclipse.ditto.signals.commands.messages.MessageCommand;
import org.eclipse.ditto.signals.commands.messages.SendClaimMessage;
import org.eclipse.ditto.signals.commands.policies.exceptions.PolicyCommandToAccessExceptionRegistry;
import org.eclipse.ditto.signals.commands.policies.query.RetrievePolicy;
import org.eclipse.ditto.signals.commands.policies.query.RetrievePolicyResponse;
import org.eclipse.ditto.signals.commands.things.exceptions.EventSendNotAllowedException;
import org.eclipse.ditto.signals.commands.things.exceptions.ThingCommandToAccessExceptionRegistry;
import org.eclipse.ditto.signals.commands.things.exceptions.ThingCommandToModifyExceptionRegistry;
import org.eclipse.ditto.signals.commands.things.exceptions.ThingNotAccessibleException;
import org.eclipse.ditto.signals.commands.things.modify.CreateThing;
import org.eclipse.ditto.signals.commands.things.modify.DeleteThing;
import org.eclipse.ditto.signals.commands.things.modify.ModifyThing;
import org.eclipse.ditto.signals.commands.things.modify.ThingModifyCommand;
import org.eclipse.ditto.signals.commands.things.query.RetrieveAcl;
import org.eclipse.ditto.signals.commands.things.query.RetrieveAclResponse;
import org.eclipse.ditto.signals.commands.things.query.ThingQueryCommand;
import org.eclipse.ditto.signals.events.things.AclEntryCreated;
import org.eclipse.ditto.signals.events.things.AclEntryDeleted;
import org.eclipse.ditto.signals.events.things.AclEntryModified;
import org.eclipse.ditto.signals.events.things.AclModified;
import org.eclipse.ditto.signals.events.things.ThingCreated;
import org.eclipse.ditto.signals.events.things.ThingDeleted;
import org.eclipse.ditto.signals.events.things.ThingEvent;
import org.eclipse.ditto.signals.events.things.ThingModified;
import scala.concurrent.duration.FiniteDuration;

/* loaded from: input_file:org/eclipse/ditto/services/gateway/proxy/actors/AclEnforcerActor.class */
public final class AclEnforcerActor extends AbstractActorWithStash {
    private final DiagnosticLoggingAdapter log;
    private final String thingId;
    private final ActorRef thingsShardRegion;
    private final ActorRef policiesShardRegion;
    private final ActorRef pubSubMediator;
    private final FiniteDuration cacheInterval;
    private final FiniteDuration askTimeout;
    private final AbstractActor.Receive enforcingBehaviour;
    private final AbstractActor.Receive synchronizingBehaviour;
    private long accessCounter;
    private Cancellable activityCheckCancellable;
    private Cancellable synchronizationTimeout;
    private AccessControlList acl;
    private long thingRevision;
    private int stashCount;
    private List<SubjectIssuer> subjectIssuersForPolicyMigration;

    /* JADX INFO: Access modifiers changed from: private */
    @Immutable
    /* loaded from: input_file:org/eclipse/ditto/services/gateway/proxy/actors/AclEnforcerActor$CheckActivity.class */
    public static final class CheckActivity {
        private final long accessCounter;

        CheckActivity(long j) {
            this.accessCounter = j;
        }

        long getAccessCounter() {
            return this.accessCounter;
        }
    }

    private AclEnforcerActor(ActorRef actorRef, ActorRef actorRef2, ActorRef actorRef3, ActorRef actorRef4, FiniteDuration finiteDuration, FiniteDuration finiteDuration2, List<SubjectIssuer> list) {
        this.log = LogUtil.obtain(this);
        this.thingRevision = -1L;
        this.stashCount = 0;
        try {
            this.thingId = URLDecoder.decode(getSelf().path().name(), StandardCharsets.UTF_8.name());
            this.thingsShardRegion = actorRef2;
            this.policiesShardRegion = actorRef3;
            this.pubSubMediator = actorRef;
            this.cacheInterval = finiteDuration;
            this.askTimeout = finiteDuration2;
            this.subjectIssuersForPolicyMigration = Collections.unmodifiableList(new ArrayList(list));
            this.enforcingBehaviour = buildEnforcingBehaviour();
            this.synchronizingBehaviour = buildSynchronizingBehaviour();
            actorRef4.tell(new RegisterForCacheUpdates(this.thingId, getSelf()), getSelf());
            synchronizeAcl();
            scheduleActivityCheck();
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("Unsupported encoding", e);
        }
    }

    public static Props props(final ActorRef actorRef, final ActorRef actorRef2, final ActorRef actorRef3, final ActorRef actorRef4, final FiniteDuration finiteDuration, final FiniteDuration finiteDuration2, final List<SubjectIssuer> list) {
        return Props.create(AclEnforcerActor.class, new Creator<AclEnforcerActor>() { // from class: org.eclipse.ditto.services.gateway.proxy.actors.AclEnforcerActor.1
            private static final long serialVersionUID = 1;

            /* renamed from: create, reason: merged with bridge method [inline-methods] */
            public AclEnforcerActor m1create() throws Exception {
                return new AclEnforcerActor(actorRef, actorRef2, actorRef3, actorRef4, finiteDuration, finiteDuration2, list);
            }
        });
    }

    public void postStop() {
        cancelIfNonnull(this.activityCheckCancellable, this.synchronizationTimeout);
    }

    public AbstractActor.Receive createReceive() {
        return ReceiveBuilder.create().matchAny(obj -> {
            this.log.warning("Received message during init phase, dropping: <{}>.", obj);
            unhandled(obj);
        }).build();
    }

    private AbstractActor.Receive buildEnforcingBehaviour() {
        return ReceiveBuilder.create().match(SudoCommand.class, this::forwardSudoCommand).match(org.eclipse.ditto.services.models.policies.commands.sudo.SudoCommand.class, this::forwardPoliciesSudoCommand).match(SendClaimMessage.class, (v1) -> {
            forwardMessageCommand(v1);
        }).match(MessageCommand.class, this::isAuthorized, this::forwardMessageCommand).match(MessageCommand.class, this::unauthorized).match(ThingModifyCommand.class, thingModifyCommand -> {
            return isLiveSignal(thingModifyCommand) && isAuthorized(thingModifyCommand);
        }, thingModifyCommand2 -> {
            publishLiveSignal(StreamingType.LIVE_COMMANDS.getDistributedPubSubTopic(), thingModifyCommand2);
        }).match(ThingModifyCommand.class, (v0) -> {
            return isLiveSignal(v0);
        }, this::unauthorized).match(ThingQueryCommand.class, thingQueryCommand -> {
            return isLiveSignal(thingQueryCommand) && isAuthorized(thingQueryCommand);
        }, thingQueryCommand2 -> {
            publishLiveSignal(StreamingType.LIVE_COMMANDS.getDistributedPubSubTopic(), thingQueryCommand2);
        }).match(ThingQueryCommand.class, (v0) -> {
            return isLiveSignal(v0);
        }, this::unauthorized).match(ThingEvent.class, thingEvent -> {
            return isLiveSignal(thingEvent) && isAuthorized(thingEvent);
        }, thingEvent2 -> {
            publishLiveSignal(StreamingType.LIVE_EVENTS.getDistributedPubSubTopic(), thingEvent2);
        }).match(ThingEvent.class, (v0) -> {
            return isLiveSignal(v0);
        }, this::unauthorized).match(CreateThing.class, createThing -> {
            return this.acl == null;
        }, (v1) -> {
            forwardModifyCommand(v1);
        }).match(DeleteThing.class, this::isAuthorized, (v1) -> {
            forwardModifyCommand(v1);
        }).match(DeleteThing.class, (v1) -> {
            unauthorized(v1);
        }).match(ThingModifyCommand.class, this::isAuthorized, this::forwardModifyCommand).match(ThingModifyCommand.class, this::unauthorized).match(ThingQueryCommand.class, this::isAuthorized, (v1) -> {
            forwardQueryCommand(v1);
        }).match(ThingQueryCommand.class, this::unauthorized).match(RetrievePolicy.class, this::migrateAclIfAuthorized).match(AclModified.class, (v1) -> {
            return isApplicable(v1);
        }, aclModified -> {
            this.acl = aclModified.getAccessControlList();
            this.thingRevision = aclModified.getRevision();
        }).match(AclEntryCreated.class, (v1) -> {
            return isApplicable(v1);
        }, aclEntryCreated -> {
            this.acl = this.acl.merge(aclEntryCreated.getAclEntry());
            this.thingRevision = aclEntryCreated.getRevision();
        }).match(AclEntryModified.class, (v1) -> {
            return isApplicable(v1);
        }, aclEntryModified -> {
            this.acl = this.acl.merge(aclEntryModified.getAclEntry());
            this.thingRevision = aclEntryModified.getRevision();
        }).match(AclEntryDeleted.class, (v1) -> {
            return isApplicable(v1);
        }, aclEntryDeleted -> {
            this.acl = this.acl.removeAllPermissionsOf(aclEntryDeleted.getAuthorizationSubject());
            this.thingRevision = aclEntryDeleted.getRevision();
        }).match(ThingCreated.class, (v1) -> {
            return isApplicable(v1);
        }, thingCreated -> {
            thingCreated.getThing().getAccessControlList().ifPresent(accessControlList -> {
                this.acl = accessControlList;
                this.thingRevision = thingCreated.getRevision();
            });
            this.thingRevision = thingCreated.getRevision();
        }).match(ThingModified.class, (v1) -> {
            return isApplicable(v1);
        }, thingModified -> {
            thingModified.getThing().getAccessControlList().ifPresent(accessControlList -> {
                this.acl = accessControlList;
                this.thingRevision = thingModified.getRevision();
            });
        }).match(ThingDeleted.class, (v1) -> {
            return isApplicable(v1);
        }, thingDeleted -> {
            getContext().stop(getSelf());
        }).match(ThingEvent.class, (v1) -> {
            unhandled(v1);
        }).match(Replicator.Changed.class, this::processChangedCacheEntry).match(CheckActivity.class, checkActivity -> {
            if (checkActivity.getAccessCounter() < this.accessCounter) {
                scheduleActivityCheck();
            } else {
                this.log.debug("Stopping due to inactivity ...");
                getContext().stop(getSelf());
            }
        }).match(RetrieveAclResponse.class, retrieveAclResponse -> {
            this.log.debug("Received 'RetrieveAclResponse' in 'EnforcingBehaviour'. Ignoring that one.");
        }).matchAny(obj -> {
            LogUtil.enhanceLogWithCorrelationId(this.log, obj instanceof WithDittoHeaders ? (String) ((WithDittoHeaders) obj).getDittoHeaders().getCorrelationId().orElse("") : "");
            this.log.warning("Received unknown message while in 'EnforcingBehaviour': <{}>!", obj);
        }).build();
    }

    private static boolean isLiveSignal(Signal<?> signal) {
        Optional channel = signal.getDittoHeaders().getChannel();
        String name = TopicPath.Channel.LIVE.getName();
        name.getClass();
        return channel.filter((v1) -> {
            return r1.equals(v1);
        }).isPresent();
    }

    private AbstractActor.Receive buildSynchronizingBehaviour() {
        return ReceiveBuilder.create().match(ThingCreated.class, thingCreated -> {
            return this.acl == null;
        }, thingCreated2 -> {
            LogUtil.enhanceLogWithCorrelationId(this.log, thingCreated2);
            cancelIfNonnull(this.synchronizationTimeout);
            this.log.debug("Received <{}> event.", thingCreated2.getType());
            thingCreated2.getThing().getAccessControlList().ifPresent(accessControlList -> {
                this.acl = accessControlList;
                this.thingRevision = thingCreated2.getRevision();
            });
            getContext().become(this.enforcingBehaviour);
            doUnstashAll();
        }).match(ThingModified.class, thingModified -> {
            return thingModified.getThing().getAccessControlList().isPresent();
        }, thingModified2 -> {
            LogUtil.enhanceLogWithCorrelationId(this.log, thingModified2);
            cancelIfNonnull(this.synchronizationTimeout);
            this.log.debug("Received <{}> event.", thingModified2.getType());
            thingModified2.getThing().getAccessControlList().ifPresent(accessControlList -> {
                this.acl = accessControlList;
                this.thingRevision = thingModified2.getRevision();
            });
            getContext().become(this.enforcingBehaviour);
            doUnstashAll();
        }).match(RetrieveAclResponse.class, retrieveAclResponse -> {
            LogUtil.enhanceLogWithCorrelationId(this.log, retrieveAclResponse);
            cancelIfNonnull(this.synchronizationTimeout);
            this.acl = retrieveAclResponse.getAcl();
            this.log.debug("Received <{}> response with ACL <{}>. Becoming 'EnforcingBehaviour'.", retrieveAclResponse.getType(), this.acl.toJson());
            getContext().become(this.enforcingBehaviour);
            doUnstashAll();
        }).match(ThingNotAccessibleException.class, thingNotAccessibleException -> {
            LogUtil.enhanceLogWithCorrelationId(this.log, thingNotAccessibleException);
            cancelIfNonnull(this.synchronizationTimeout);
            this.log.debug("Received <{}> for Thing <{}>. Becoming 'EnforcingBehaviour'.", getSimpleClassName(thingNotAccessibleException), this.thingId);
            getContext().become(this.enforcingBehaviour);
            doUnstashAll();
        }).match(DittoRuntimeException.class, dittoRuntimeException -> {
            LogUtil.enhanceLogWithCorrelationId(this.log, dittoRuntimeException);
            this.log.warning("Received unexpected <{}> exception while synchronizing ACL of Thing <{}>: <{}>! Sending the PoisonPill to ourselves.", dittoRuntimeException.getErrorCode(), this.thingId, dittoRuntimeException.getMessage());
            stopAfterHandlingPendingMessages();
        }).match(AskTimeoutException.class, askTimeoutException -> {
            this.log.warning("Synchronization of ACL of thing <{}> timed out! Sending the PoisonPill to ourselves.", this.thingId);
            stopAfterHandlingPendingMessages();
        }).match(CheckActivity.class, checkActivity -> {
            if (checkActivity.getAccessCounter() < this.accessCounter) {
                scheduleActivityCheck();
            } else {
                this.log.debug("Stopping due to inactivity.");
                getContext().stop(getSelf());
            }
        }).matchAny(obj -> {
            LogUtil.enhanceLogWithCorrelationId(this.log, obj instanceof WithDittoHeaders ? (String) ((WithDittoHeaders) obj).getDittoHeaders().getCorrelationId().orElse("") : "");
            if (this.stashCount < 1) {
                this.log.debug("Received unknown message while in 'SynchronizingBehaviour': <{}>! Message will be stashed.", obj);
            } else {
                this.log.warning("Received unknown message while in 'SynchronizingBehaviour': <{}>! Message will be stashed - current stashCount: <{}>", obj, Integer.valueOf(this.stashCount));
            }
            doStash();
        }).build();
    }

    private void doStash() {
        this.stashCount++;
        stash();
    }

    private void doUnstashAll() {
        unstashAll();
        this.stashCount = 0;
    }

    private void forwardPoliciesSudoCommand(org.eclipse.ditto.services.models.policies.commands.sudo.SudoCommand sudoCommand) {
        LogUtil.enhanceLogWithCorrelationId(this.log, sudoCommand.getDittoHeaders().getCorrelationId());
        this.log.debug("Received <{}> command. Telling Policies about it.", sudoCommand.getName());
        this.accessCounter++;
        this.policiesShardRegion.forward(sudoCommand, getContext());
    }

    private void processChangedCacheEntry(Replicator.Changed changed) {
        LWWRegister lWWRegister = changed.get(changed.key());
        if (!(lWWRegister instanceof LWWRegister)) {
            this.log.warning("Received unknown cache ReplicatedData <{}>!", lWWRegister);
            return;
        }
        Object value = lWWRegister.getValue();
        if (value instanceof ThingCacheEntry) {
            processThingCacheEntry((ThingCacheEntry) value);
        } else {
            this.log.warning("Received unknown cache entry <{}>!", value);
        }
    }

    private void processThingCacheEntry(CacheEntry cacheEntry) {
        LogUtil.enhanceLogWithCorrelationId(this.log, "");
        this.log.debug("Received new <{}> with revision <{}>.", getSimpleClassName(cacheEntry), Long.valueOf(cacheEntry.getRevision()));
        if (cacheEntry.isDeleted()) {
            this.log.info("Cache entry was deleted: <{}>.", cacheEntry);
            this.acl = null;
            this.thingRevision = cacheEntry.getRevision();
        } else if (cacheEntry.getRevision() > this.thingRevision) {
            this.log.debug("Received cache entry has revision <{}> which is greater than the current actor's one <{}>.", Long.valueOf(cacheEntry.getRevision()), Long.valueOf(this.thingRevision));
            synchronizeAcl();
        }
    }

    private void forwardSudoCommand(SudoCommand<?> sudoCommand) {
        forwardCommandWithoutChangingActorState(sudoCommand);
        if ((sudoCommand instanceof ThingModifyCommand) && ((ThingModifyCommand) sudoCommand).changesAuthorization()) {
            synchronizeAcl();
        }
    }

    private void forwardCommandWithoutChangingActorState(Command<?> command) {
        LogUtil.enhanceLogWithCorrelationId(this.log, command.getDittoHeaders().getCorrelationId());
        Command enrichDittoHeaders = enrichDittoHeaders(command);
        this.log.debug("Received <{}>. Telling Things about it.", enrichDittoHeaders.getName());
        this.accessCounter++;
        this.thingsShardRegion.forward(enrichDittoHeaders, getContext());
    }

    private void forwardQueryCommand(Command command) {
        forwardCommandWithoutChangingActorState(command);
    }

    private void forwardModifyCommand(ThingModifyCommand thingModifyCommand) {
        forwardCommandWithoutChangingActorState(thingModifyCommand);
        if (thingModifyCommand.changesAuthorization()) {
            synchronizeAcl();
        }
    }

    private void forwardMessageCommand(MessageCommand<?, ?> messageCommand) {
        publishLiveSignal("messages.commands:", messageCommand);
        FireAndForgetMessageUtil.getResponseForFireAndForgetMessage(messageCommand).ifPresent(sendMessageAcceptedResponse -> {
            getSender().tell(sendMessageAcceptedResponse, getSelf());
        });
    }

    private void publishLiveSignal(String str, Signal<?> signal) {
        LogUtil.enhanceLogWithCorrelationId(this.log, signal.getDittoHeaders().getCorrelationId());
        Signal enrichDittoHeaders = enrichDittoHeaders(signal);
        this.log.debug("Received <{}>. Publishing to topic {}.", enrichDittoHeaders.getName(), str);
        this.accessCounter++;
        this.pubSubMediator.tell(new DistributedPubSubMediator.Publish(str, enrichDittoHeaders, true), getSender());
    }

    private <T extends Signal> T enrichDittoHeaders(Signal<T> signal) {
        return signal.setDittoHeaders(DittoHeaders.newBuilder(signal.getDittoHeaders()).readSubjects(determineReadSubjects(signal)).build());
    }

    private Collection<String> determineReadSubjects(Signal<?> signal) {
        DittoHeaders dittoHeaders = signal.getDittoHeaders();
        if (!isLiveSignal(signal)) {
            if (signal instanceof CreateThing) {
                return determineReadSubjects(dittoHeaders, ((CreateThing) signal).getThing());
            }
            if ((signal instanceof ModifyThing) && ((ModifyThing) signal).getThing().getAccessControlList().isPresent()) {
                return determineReadSubjects(dittoHeaders, ((ModifyThing) signal).getThing());
            }
        }
        return this.acl != null ? (Collection) this.acl.getAuthorizedSubjectsFor(Permission.READ, new Permission[0]).stream().map((v0) -> {
            return v0.getId();
        }).collect(Collectors.toSet()) : Collections.emptySet();
    }

    private static Collection<String> determineReadSubjects(DittoHeaders dittoHeaders, Thing thing) {
        return (Collection) thing.getAccessControlList().map(AclEnforcerActor::calculateReadSubjects).orElseGet(() -> {
            return Collections.singleton(dittoHeaders.getAuthorizationContext().getFirstAuthorizationSubject().map((v0) -> {
                return v0.getId();
            }).orElse(""));
        });
    }

    private static Set<String> calculateReadSubjects(AccessControlList accessControlList) {
        return (Set) accessControlList.getAuthorizedSubjectsFor(Permission.READ, new Permission[0]).stream().map((v0) -> {
            return v0.getId();
        }).collect(Collectors.toSet());
    }

    private boolean isApplicable(WithThingId withThingId) {
        return Objects.equals(this.thingId, withThingId.getThingId());
    }

    private boolean isAuthorized(DeleteThing deleteThing) {
        if (this.acl != null) {
            return this.acl.hasPermission(deleteThing.getDittoHeaders().getAuthorizationContext(), Permission.WRITE, new Permission[]{Permission.ADMINISTRATE});
        }
        logNullAclForCommand(deleteThing);
        return false;
    }

    private void logNullAclForCommand(Signal<?> signal) {
        LogUtil.enhanceLogWithCorrelationId(this.log, signal);
        this.log.info("ACL is null, therefore signal <{}> cannot be authorized.", signal.getType());
    }

    private boolean isAuthorized(ThingModifyCommand thingModifyCommand) {
        if (this.acl == null) {
            logNullAclForCommand(thingModifyCommand);
            return false;
        }
        AuthorizationContext authorizationContext = thingModifyCommand.getDittoHeaders().getAuthorizationContext();
        return ((Boolean) thingModifyCommand.getEntity().filter((v0) -> {
            return v0.isObject();
        }).map((v0) -> {
            return v0.asObject();
        }).filter(jsonObject -> {
            return jsonObject.contains(Thing.JsonFields.ACL.getPointer());
        }).map(jsonObject2 -> {
            return Boolean.valueOf(this.acl.hasPermission(authorizationContext, Permission.WRITE, new Permission[]{Permission.ADMINISTRATE}));
        }).orElse(Boolean.valueOf(this.acl.hasPermission(authorizationContext, Permission.WRITE, new Permission[0])))).booleanValue();
    }

    private boolean isAuthorized(ThingQueryCommand thingQueryCommand) {
        if (this.acl != null) {
            return this.acl.hasPermission(thingQueryCommand.getDittoHeaders().getAuthorizationContext(), Permission.READ, new Permission[0]);
        }
        logNullAclForCommand(thingQueryCommand);
        return false;
    }

    private boolean isAuthorized(MessageCommand messageCommand) {
        if (this.acl != null) {
            return this.acl.hasPermission(messageCommand.getDittoHeaders().getAuthorizationContext(), Permission.WRITE, new Permission[0]);
        }
        logNullAclForCommand(messageCommand);
        return false;
    }

    private boolean isAuthorized(ThingEvent thingEvent) {
        if (this.acl != null) {
            return this.acl.hasPermission(thingEvent.getDittoHeaders().getAuthorizationContext(), Permission.WRITE, new Permission[0]);
        }
        logNullAclForCommand(thingEvent);
        return false;
    }

    private void unauthorized(ThingModifyCommand thingModifyCommand) {
        DittoRuntimeException exceptionFrom = ThingCommandToModifyExceptionRegistry.getInstance().exceptionFrom(thingModifyCommand);
        logUnauthorized(thingModifyCommand, exceptionFrom);
        getSender().tell(exceptionFrom, getSelf());
    }

    private void unauthorized(ThingQueryCommand thingQueryCommand) {
        DittoRuntimeException exceptionFrom = ThingCommandToAccessExceptionRegistry.getInstance().exceptionFrom(thingQueryCommand);
        logUnauthorized(thingQueryCommand, exceptionFrom);
        getSender().tell(exceptionFrom, getSelf());
    }

    private void unauthorized(MessageCommand messageCommand) {
        MessageSendNotAllowedException build = MessageSendNotAllowedException.newBuilder(messageCommand.getThingId()).dittoHeaders(messageCommand.getDittoHeaders()).build();
        logUnauthorized(messageCommand, build);
        getSender().tell(build, getSelf());
    }

    private void unauthorized(ThingEvent thingEvent) {
        EventSendNotAllowedException build = EventSendNotAllowedException.newBuilder(thingEvent.getThingId()).dittoHeaders(thingEvent.getDittoHeaders()).build();
        logUnauthorized(thingEvent, build);
        getSender().tell(build, getSelf());
    }

    private void logUnauthorized(Signal signal, DittoRuntimeException dittoRuntimeException) {
        LogUtil.enhanceLogWithCorrelationId(this.log, signal);
        this.log.info("The <{}> signal was not forwarded due to insufficient rights {}: {} - AuthorizationSubjects: {}", signal.getType(), getSimpleClassName(dittoRuntimeException), dittoRuntimeException.getMessage(), signal.getDittoHeaders().getAuthorizationSubjects());
        this.log.debug("The AuthorizationContext for the not allowed signal '{}' was: {} - the ACL was: {}", signal.getType(), signal.getDittoHeaders().getAuthorizationContext(), this.acl);
    }

    private void scheduleActivityCheck() {
        this.log.debug("Scheduling activity check in <{}> seconds.", Long.valueOf(this.cacheInterval.toSeconds()));
        cancelIfNonnull(this.activityCheckCancellable);
        this.activityCheckCancellable = getContext().system().scheduler().scheduleOnce(this.cacheInterval, getSelf(), new CheckActivity(this.accessCounter), getContext().dispatcher(), getSelf());
    }

    private void synchronizeAcl() {
        this.log.debug("Synchronizing ACL for Thing <{}>.", this.thingId);
        this.synchronizationTimeout = scheduleAskTimeout();
        getContext().become(this.synchronizingBehaviour);
        this.thingsShardRegion.tell(RetrieveAcl.of(this.thingId, DittoHeaders.newBuilder().schemaVersion(JsonSchemaVersion.V_1).build()), getSelf());
    }

    private Cancellable scheduleAskTimeout() {
        return getContext().system().scheduler().scheduleOnce(this.askTimeout, getSelf(), new AskTimeoutException("Request timeout."), getContext().dispatcher(), getSelf());
    }

    private void migrateAclIfAuthorized(RetrievePolicy retrievePolicy) {
        boolean hasPermission;
        if (this.acl == null) {
            logNullAclForCommand(retrievePolicy);
            hasPermission = false;
        } else {
            hasPermission = this.acl.hasPermission(retrievePolicy.getDittoHeaders().getAuthorizationContext(), Permission.READ, new Permission[0]);
        }
        if (hasPermission) {
            getSender().tell(RetrievePolicyResponse.of(this.thingId, PoliciesAclMigrations.accessControlListToPolicyEntries(this.acl, retrievePolicy.getId(), this.subjectIssuersForPolicyMigration), retrievePolicy.getDittoHeaders()), getSelf());
        } else {
            getSender().tell(PolicyCommandToAccessExceptionRegistry.getInstance().exceptionFrom(retrievePolicy), getSelf());
        }
    }

    private void stopAfterHandlingPendingMessages() {
        cancelIfNonnull(this.synchronizationTimeout, this.activityCheckCancellable);
        getContext().become(this.enforcingBehaviour);
        doUnstashAll();
        getSelf().tell(PoisonPill.getInstance(), getSelf());
    }

    private static void cancelIfNonnull(Cancellable... cancellableArr) {
        for (Cancellable cancellable : cancellableArr) {
            if (cancellable != null) {
                cancellable.cancel();
            }
        }
    }

    private static String getSimpleClassName(Object obj) {
        return obj.getClass().getSimpleName();
    }
}
