package org.eclipse.ditto.services.concierge.enforcement;

import akka.actor.ActorRef;
import akka.event.DiagnosticLoggingAdapter;
import akka.pattern.AskTimeoutException;
import akka.pattern.PatternsCS;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.CompletionStage;
import org.eclipse.ditto.json.JsonFactory;
import org.eclipse.ditto.json.JsonFieldDefinition;
import org.eclipse.ditto.json.JsonFieldSelector;
import org.eclipse.ditto.json.JsonObject;
import org.eclipse.ditto.json.JsonValue;
import org.eclipse.ditto.model.base.auth.AuthorizationContext;
import org.eclipse.ditto.model.base.exceptions.DittoRuntimeException;
import org.eclipse.ditto.model.enforcers.Enforcer;
import org.eclipse.ditto.model.enforcers.PolicyEnforcers;
import org.eclipse.ditto.model.policies.Permissions;
import org.eclipse.ditto.model.policies.PoliciesResourceType;
import org.eclipse.ditto.model.policies.Policy;
import org.eclipse.ditto.model.policies.ResourceKey;
import org.eclipse.ditto.services.concierge.cache.IdentityCache;
import org.eclipse.ditto.services.concierge.enforcement.AbstractEnforcement;
import org.eclipse.ditto.services.models.concierge.EntityId;
import org.eclipse.ditto.services.models.concierge.cache.Entry;
import org.eclipse.ditto.services.utils.akka.LogUtil;
import org.eclipse.ditto.services.utils.cache.Cache;
import org.eclipse.ditto.signals.commands.policies.PolicyCommand;
import org.eclipse.ditto.signals.commands.policies.exceptions.PolicyCommandToAccessExceptionRegistry;
import org.eclipse.ditto.signals.commands.policies.exceptions.PolicyCommandToModifyExceptionRegistry;
import org.eclipse.ditto.signals.commands.policies.exceptions.PolicyNotAccessibleException;
import org.eclipse.ditto.signals.commands.policies.exceptions.PolicyUnavailableException;
import org.eclipse.ditto.signals.commands.policies.modify.CreatePolicy;
import org.eclipse.ditto.signals.commands.policies.modify.ModifyPolicy;
import org.eclipse.ditto.signals.commands.policies.modify.PolicyModifyCommand;
import org.eclipse.ditto.signals.commands.policies.query.PolicyQueryCommand;
import org.eclipse.ditto.signals.commands.policies.query.PolicyQueryCommandResponse;

/* loaded from: input_file:org/eclipse/ditto/services/concierge/enforcement/PolicyCommandEnforcement.class */
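/**
 * Authorizes {@link PolicyCommand}s against the enforcer of the addressed policy and forwards the
 * authorized ones to the policies shard region.
 *
 * <p>Modify commands need unrestricted WRITE on the addressed policy resource. Query commands need
 * only partial READ, and their responses are filtered through the enforcer before they are sent back.
 */
public final class PolicyCommandEnforcement extends AbstractEnforcement<PolicyCommand> {

    /**
     * Field selector handed to {@code Enforcer.buildJsonView} when filtering query responses; it
     * contains only the policy ID.
     * NOTE(review): presumably these fields stay visible regardless of the caller's READ grants;
     * confirm against the Enforcer contract before adding anything sensitive here.
     */
    private static final JsonFieldSelector POLICY_QUERY_COMMAND_RESPONSE_WHITELIST =
            JsonFactory.newFieldSelector(Policy.JsonFields.ID, new JsonFieldDefinition[0]);

    private final ActorRef policiesShardRegion;
    private final EnforcerRetriever enforcerRetriever;
    private final Cache<EntityId, Entry<Enforcer>> enforcerCache;

    /** Creates {@link PolicyCommandEnforcement} instances for a given enforcement context. */
    public static final class Provider implements EnforcementProvider<PolicyCommand> {
        private final Cache<EntityId, Entry<Enforcer>> enforcerCache;
        private final ActorRef policiesShardRegion;

        /**
         * @param actorRef the policies shard region that receives authorized commands.
         * @param cache the cache of enforcers keyed by entity ID.
         * @throws NullPointerException if either argument is {@code null}.
         */
        public Provider(ActorRef actorRef, Cache<EntityId, Entry<Enforcer>> cache) {
            this.policiesShardRegion = Objects.requireNonNull(actorRef);
            this.enforcerCache = Objects.requireNonNull(cache);
        }

        @Override
        public Class<PolicyCommand> getCommandClass() {
            return PolicyCommand.class;
        }

        @Override
        public AbstractEnforcement<PolicyCommand> createEnforcement(AbstractEnforcement.Context context) {
            return new PolicyCommandEnforcement(context, this.policiesShardRegion, this.enforcerCache);
        }
    }

    private PolicyCommandEnforcement(AbstractEnforcement.Context context, ActorRef actorRef,
            Cache<EntityId, Entry<Enforcer>> cache) {
        super(context);
        this.policiesShardRegion = Objects.requireNonNull(actorRef);
        this.enforcerCache = Objects.requireNonNull(cache);
        // A policy is its own enforcer source, so the ID lookup goes through the identity cache.
        this.enforcerRetriever =
                new EnforcerRetriever((Cache<EntityId, Entry<EntityId>>) IdentityCache.INSTANCE, cache);
    }

    /**
     * Decides whether the authorization context carried in the command's headers may execute it.
     *
     * <p>A {@link PolicyModifyCommand} requires unrestricted WRITE on the addressed policy resource;
     * any other command requires partial READ. Partial READ is enough to let a query through, so the
     * response still has to be filtered before it reaches the sender; in this class that is done by
     * {@code askPoliciesShardRegionAndBuildJsonView}.
     *
     * @param t the command to authorize.
     * @param enforcer the enforcer to check the command against.
     * @param <T> the command type.
     * @return the command if it is authorized, otherwise an empty {@code Optional}.
     */
    public static <T extends PolicyCommand> Optional<T> authorizePolicyCommand(T t, Enforcer enforcer) {
        ResourceKey policyResource = PoliciesResourceType.policyResource(t.getResourcePath());
        AuthorizationContext authorizationContext = t.getDittoHeaders().getAuthorizationContext();
        // Compute the decision first and wrap it afterwards. A single unparenthesised chained
        // conditional binds the Optional wrapping to the READ branch only, so the WRITE branch
        // would yield a bare boolean instead of an Optional.
        boolean authorized;
        if (t instanceof PolicyModifyCommand) {
            authorized = enforcer.hasUnrestrictedPermissions(policyResource, authorizationContext, "WRITE",
                    new String[0]);
        } else {
            authorized = enforcer.hasPartialPermissions(policyResource, authorizationContext, "READ",
                    new String[0]);
        }
        return authorized ? Optional.of(t) : Optional.empty();
    }

    /**
     * Restricts the entity of a query response to what the enforcer lets the caller read.
     *
     * <p>Only JSON-object entities are filtered; any other entity is set back unchanged.
     * NOTE(review): a non-object entity therefore reaches the sender on the strength of the
     * partial-READ check alone; confirm no such entity can carry more than the caller may read.
     *
     * @param policyQueryCommandResponse the response received from the policies shard region.
     * @param enforcer the enforcer used to build the JSON view.
     * @param <T> the response type.
     * @return the response with its entity replaced by the filtered view.
     */
    public static <T extends PolicyQueryCommandResponse> T buildJsonViewForPolicyQueryCommandResponse(
            PolicyQueryCommandResponse<T> policyQueryCommandResponse, Enforcer enforcer) {
        JsonValue entity = policyQueryCommandResponse.getEntity();
        if (entity.isObject()) {
            JsonObject view =
                    getJsonViewForPolicyQueryCommandResponse(entity.asObject(), policyQueryCommandResponse, enforcer);
            return (T) policyQueryCommandResponse.setEntity(view);
        }
        return (T) policyQueryCommandResponse.setEntity(entity);
    }

    /** Builds the READ view of {@code jsonObject} for the response's resource path and authorization context. */
    private static JsonObject getJsonViewForPolicyQueryCommandResponse(JsonObject jsonObject,
            PolicyQueryCommandResponse policyQueryCommandResponse, Enforcer enforcer) {
        ResourceKey resourceKey = ResourceKey.newInstance("policy", policyQueryCommandResponse.getResourcePath());
        AuthorizationContext authorizationContext =
                policyQueryCommandResponse.getDittoHeaders().getAuthorizationContext();
        return enforcer.buildJsonView(resourceKey, jsonObject, authorizationContext,
                POLICY_QUERY_COMMAND_RESPONSE_WHITELIST, Permissions.newInstance("READ", new String[0]));
    }

    /** Turns a {@link ModifyPolicy} into the equivalent {@link CreatePolicy}; other commands pass through. */
    private static PolicyCommand transformModifyPolicyToCreatePolicy(PolicyCommand policyCommand) {
        if (policyCommand instanceof ModifyPolicy) {
            ModifyPolicy modifyPolicy = (ModifyPolicy) policyCommand;
            return CreatePolicy.of(modifyPolicy.getPolicy(), modifyPolicy.getDittoHeaders());
        }
        return policyCommand;
    }

    /** Picks the modify or access exception registry by command kind and builds the matching error. */
    private static DittoRuntimeException errorForPolicyCommand(PolicyCommand policyCommand) {
        if (policyCommand instanceof PolicyModifyCommand) {
            return PolicyCommandToModifyExceptionRegistry.getInstance().exceptionFrom(policyCommand);
        }
        return PolicyCommandToAccessExceptionRegistry.getInstance().exceptionFrom(policyCommand);
    }

    /**
     * Retrieves the enforcer for the addressed entity and authorizes the command with it, or applies
     * the create-only path when no enforcer exists.
     *
     * @param policyCommand the command to enforce.
     * @param actorRef the sender that receives the reply.
     * @param diagnosticLoggingAdapter not used by this implementation.
     * @return the stage returned by the enforcer retriever.
     */
    @Override
    public CompletionStage<Void> enforce(PolicyCommand policyCommand, ActorRef actorRef,
            DiagnosticLoggingAdapter diagnosticLoggingAdapter) {
        LogUtil.enhanceLogWithCorrelationIdOrRandom(policyCommand);
        return this.enforcerRetriever.retrieve(entityId(), (idEntry, enforcerEntry) -> {
            if (enforcerEntry.exists()) {
                enforcePolicyCommandByEnforcer(policyCommand, (Enforcer) enforcerEntry.getValue(), actorRef);
            } else {
                enforcePolicyCommandByNonexistentEnforcer(policyCommand, actorRef);
            }
        });
    }

    /** Authorizes the command against an existing enforcer; queries are answered with a filtered view. */
    private void enforcePolicyCommandByEnforcer(PolicyCommand<?> policyCommand, Enforcer enforcer,
            ActorRef actorRef) {
        Optional<? extends PolicyCommand> authorized = authorizePolicyCommand(policyCommand, enforcer);
        if (!authorized.isPresent()) {
            respondWithError(policyCommand, actorRef);
            return;
        }
        PolicyCommand authorizedCommand = authorized.get();
        if (authorizedCommand instanceof PolicyQueryCommand) {
            // Queries are asked, not forwarded, so the response can be filtered before the reply.
            askPoliciesShardRegionAndBuildJsonView((PolicyQueryCommand) authorizedCommand, enforcer, actorRef);
        } else {
            forwardToPoliciesShardRegion(authorizedCommand, actorRef);
        }
    }

    /**
     * Handles a command for which no enforcer exists.
     *
     * <p>Only creation is possible here: a {@link ModifyPolicy} is treated as a {@link CreatePolicy},
     * and every other command is answered with {@link PolicyNotAccessibleException}. The create
     * command is authorized against an enforcer built from the policy it carries, so the new policy
     * itself has to grant the caller WRITE on the policy resource.
     */
    private void enforcePolicyCommandByNonexistentEnforcer(PolicyCommand policyCommand, ActorRef actorRef) {
        // The helper returns PolicyCommand, so the result is narrowed only after the instanceof check.
        PolicyCommand transformed = transformModifyPolicyToCreatePolicy(policyCommand);
        if (!(transformed instanceof CreatePolicy)) {
            replyToSender(PolicyNotAccessibleException.newBuilder(policyCommand.getId())
                    .dittoHeaders(policyCommand.getDittoHeaders())
                    .build(), actorRef);
            return;
        }
        CreatePolicy createPolicy = (CreatePolicy) transformed;
        Enforcer enforcerOfNewPolicy = PolicyEnforcers.defaultEvaluator(createPolicy.getPolicy());
        if (authorizePolicyCommand(createPolicy, enforcerOfNewPolicy).isPresent()) {
            forwardToPoliciesShardRegion(createPolicy, actorRef);
        } else {
            respondWithError(policyCommand, actorRef);
        }
    }

    /**
     * Sends an authorized command to the policies shard region on behalf of the sender.
     *
     * <p>For modify commands the cached enforcer is invalidated first, so later enforcement does not
     * reuse an enforcer built from the policy as it was before the change.
     * NOTE(review): the invalidation happens before the shard region has applied the change; whether
     * a concurrent lookup can re-cache the old enforcer in that window depends on the cache loader,
     * which is not visible here.
     */
    private void forwardToPoliciesShardRegion(PolicyCommand policyCommand, ActorRef actorRef) {
        if (policyCommand instanceof PolicyModifyCommand) {
            invalidateCaches(policyCommand.getId());
        }
        this.policiesShardRegion.tell(policyCommand, actorRef);
    }

    /** Drops the cached enforcer of the policy with the given ID. */
    private void invalidateCaches(String str) {
        this.enforcerCache.invalidate(EntityId.of("policy", str));
    }

    /** Replies to the sender with the error that matches the kind of the rejected command. */
    private void respondWithError(PolicyCommand policyCommand, ActorRef actorRef) {
        actorRef.tell(errorForPolicyCommand(policyCommand), self());
    }

    /**
     * Asks the policies shard region for the query result and replies with the filtered view, or
     * with an error when the ask fails, times out or returns an unexpected message.
     */
    private void askPoliciesShardRegionAndBuildJsonView(PolicyQueryCommand policyQueryCommand, Enforcer enforcer,
            ActorRef actorRef) {
        PatternsCS.ask(this.policiesShardRegion, policyQueryCommand, getAskTimeout().toMillis())
                .handleAsync((obj, th) -> {
                    if (obj instanceof PolicyQueryCommandResponse) {
                        reportJsonViewForPolicyQuery(actorRef, (PolicyQueryCommandResponse) obj, enforcer);
                    } else if (obj instanceof DittoRuntimeException) {
                        replyToSender(obj, actorRef);
                    } else if (isAskTimeoutException(obj, th)) {
                        // isAskTimeoutException is defined outside this file and receives both slots,
                        // so the timeout may sit in either one. Casting the response slot alone would
                        // log a null cause whenever the timeout arrived as the failure.
                        AskTimeoutException timeout = null;
                        if (obj instanceof AskTimeoutException) {
                            timeout = (AskTimeoutException) obj;
                        } else if (th instanceof AskTimeoutException) {
                            timeout = (AskTimeoutException) th;
                        }
                        reportTimeoutForPolicyQuery(policyQueryCommand, actorRef, timeout);
                    } else if (th != null) {
                        reportUnexpectedError("before building JsonView", actorRef, th,
                                policyQueryCommand.getDittoHeaders());
                    } else {
                        reportUnknownResponse("before building JsonView", actorRef, obj,
                                policyQueryCommand.getDittoHeaders());
                    }
                    return null;
                }, getEnforcementExecutor());
    }

    /** Logs the ask timeout and tells the sender that the policy is unavailable. */
    private void reportTimeoutForPolicyQuery(PolicyQueryCommand policyQueryCommand, ActorRef actorRef,
            AskTimeoutException askTimeoutException) {
        log(policyQueryCommand).error(askTimeoutException, "Timeout before building JsonView");
        replyToSender(PolicyUnavailableException.newBuilder(policyQueryCommand.getId())
                .dittoHeaders(policyQueryCommand.getDittoHeaders())
                .build(), actorRef);
    }

    /**
     * Replies with the filtered view of the response. A runtime failure while building the view is
     * reported through {@code reportError}, so the unfiltered response is not sent on that path.
     */
    private void reportJsonViewForPolicyQuery(ActorRef actorRef, PolicyQueryCommandResponse<?> policyQueryCommandResponse,
            Enforcer enforcer) {
        try {
            replyToSender(buildJsonViewForPolicyQueryCommandResponse(policyQueryCommandResponse, enforcer), actorRef);
        } catch (RuntimeException e) {
            reportError("Error after building JsonView", actorRef, e, policyQueryCommandResponse.getDittoHeaders());
        }
    }
}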
