package io.camunda.zeebe.engine.processing.identity;

import io.camunda.zeebe.engine.EngineConfiguration;
import io.camunda.zeebe.engine.state.immutable.AuthorizationState;
import io.camunda.zeebe.engine.state.immutable.UserState;
import io.camunda.zeebe.engine.state.user.PersistedUser;
import io.camunda.zeebe.protocol.record.value.AuthorizationResourceType;
import io.camunda.zeebe.protocol.record.value.PermissionType;
import io.camunda.zeebe.protocol.record.value.UserType;
import io.camunda.zeebe.stream.api.records.TypedRecord;
import java.util.HashSet;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Stream;

/* loaded from: input_file:io/camunda/zeebe/engine/processing/identity/AuthorizationCheckBehavior.class */
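/**
 * Decides whether the user attached to a command may perform an operation on a resource.
 *
 * <p>The decision is a set intersection: the resource ids named in the request (which always
 * include the wildcard {@code "*"}) are compared with the resource ids the authorization state
 * returns for the user, resource type and permission type.
 *
 * <p>Security-relevant behaviour visible in this class:
 *
 * <ul>
 *   <li>The check is skipped (access granted) when authorization is disabled in the engine
 *       configuration, or when the command carries no request metadata.
 *   <li>Users of type {@link UserType#DEFAULT} are granted access without any permission lookup.
 *   <li>A missing user key, or a key that resolves to no stored user, results in denial.
 * </ul>
 */
public final class AuthorizationCheckBehavior {
    public static final String UNAUTHORIZED_ERROR_MESSAGE = "Unauthorized to perform operation '%s' on resource '%s'";
    private static final String WILDCARD_PERMISSION = "*";
    private final AuthorizationState authorizationState;
    private final UserState userState;
    private final EngineConfiguration engineConfig;

    /* loaded from: input_file:io/camunda/zeebe/engine/processing/identity/AuthorizationCheckBehavior$AuthorizationRequest.class */
    /**
     * Describes one authorization question: which command, which resource type, which permission,
     * and which concrete resource ids are being accessed.
     *
     * <p>The wildcard id {@code "*"} is always part of the requested ids, so a grant stored under
     * the wildcard matches every request for that resource type and permission.
     */
    public static final class AuthorizationRequest {
        private final TypedRecord<?> command;
        private final AuthorizationResourceType resourceType;
        private final PermissionType permissionType;
        // Typed explicitly; the raw HashSet in the decompiled output only compiles with an
        // unchecked warning.
        private final Set<String> resourceIds = new HashSet<>();

        /**
         * @param typedRecord the command whose authorizations are checked
         * @param authorizationResourceType the type of resource being accessed
         * @param permissionType the permission required on that resource
         */
        public AuthorizationRequest(TypedRecord<?> typedRecord, AuthorizationResourceType authorizationResourceType, PermissionType permissionType) {
            this.command = typedRecord;
            this.resourceType = authorizationResourceType;
            this.permissionType = permissionType;
            // Seed with the wildcard so that a wildcard grant satisfies any request.
            this.resourceIds.add(AuthorizationCheckBehavior.WILDCARD_PERMISSION);
        }

        /** @return the command this request was built for */
        public TypedRecord<?> getCommand() {
            return this.command;
        }

        /** @return the resource type being accessed */
        public AuthorizationResourceType getResourceType() {
            return this.resourceType;
        }

        /** @return the permission required for the operation */
        public PermissionType getPermissionType() {
            return this.permissionType;
        }

        /**
         * Adds a concrete resource id to the request. A grant for any one of the requested ids is
         * enough for {@link AuthorizationCheckBehavior#isAuthorized} to succeed, so callers should
         * add only ids that identify the resource actually being accessed.
         *
         * @param str the resource id to add
         * @return this request, for chaining
         */
        public AuthorizationRequest addResourceId(String str) {
            this.resourceIds.add(str);
            return this;
        }

        /**
         * @return the live, mutable set of requested resource ids (wildcard included); changes made
         *     through the returned set affect this request
         */
        public Set<String> getResourceIds() {
            return this.resourceIds;
        }
    }

    /* loaded from: input_file:io/camunda/zeebe/engine/processing/identity/AuthorizationCheckBehavior$UnauthorizedException.class */
    /**
     * Signals a denied request. The message names only the permission type and resource type,
     * not the resource ids or the user.
     */
    public static class UnauthorizedException extends RuntimeException {
        /** @param authorizationRequest the request that was denied */
        public UnauthorizedException(AuthorizationRequest authorizationRequest) {
            super(AuthorizationCheckBehavior.UNAUTHORIZED_ERROR_MESSAGE.formatted(authorizationRequest.getPermissionType(), authorizationRequest.getResourceType()));
        }
    }

    /**
     * @param authorizationState source of the resource ids granted to a user
     * @param userState source of stored users, looked up by key
     * @param engineConfiguration supplies the switch that enables or disables authorization
     */
    public AuthorizationCheckBehavior(AuthorizationState authorizationState, UserState userState, EngineConfiguration engineConfiguration) {
        this.authorizationState = authorizationState;
        this.userState = userState;
        this.engineConfig = engineConfiguration;
    }

    /**
     * Checks whether the user attached to the request's command holds the requested permission.
     *
     * @param authorizationRequest the request to evaluate
     * @return {@code true} if the operation is allowed, {@code false} otherwise
     */
    public boolean isAuthorized(AuthorizationRequest authorizationRequest) {
        // Fail-open paths: authorization switched off, or a command without request metadata.
        // NOTE(review): presumably commands without request metadata are engine-internal; confirm
        // that no externally submitted command can reach this point without metadata.
        if (!this.engineConfig.isEnableAuthorization() || !authorizationRequest.getCommand().hasRequestMetadata()) {
            return true;
        }
        // NOTE(review): the cast throws ClassCastException if the claim is present but not a Long;
        // confirm the producer of the authorizations map always stores a Long here.
        Long userKey = (Long) authorizationRequest.getCommand().getAuthorizations().get("authorized_user_key");
        if (userKey == null) {
            // No user identity on the command: deny.
            return false;
        }
        Optional<PersistedUser> user = this.userState.getUser(userKey.longValue());
        if (user.isEmpty()) {
            // The key does not resolve to a stored user: deny.
            return false;
        }
        // DEFAULT users bypass the permission lookup entirely.
        if (user.get().getUserType().equals(UserType.DEFAULT)) {
            return true;
        }
        return hasRequiredPermission(authorizationRequest.getResourceIds(), getAuthorizedResourceIdentifiers(userKey.longValue(), authorizationRequest.getResourceType(), authorizationRequest.getPermissionType()));
    }

    /** Returns the resource ids the authorization state holds for the user, resource type and permission. */
    private Set<String> getAuthorizedResourceIdentifiers(long userKey, AuthorizationResourceType authorizationResourceType, PermissionType permissionType) {
        return this.authorizationState.getResourceIdentifiers(Long.valueOf(userKey), authorizationResourceType, permissionType);
    }

    /**
     * Returns {@code true} when at least one granted resource id is among the requested ids.
     *
     * <p>The decompiled lambda referenced an undefined name ({@code r1}); it is restored here as a
     * bound method reference on the requested-id set, which also performs the null check the
     * decompiler had emitted as a separate {@code Objects.requireNonNull} call.
     */
    private boolean hasRequiredPermission(Set<String> requestedResourceIds, Set<String> authorizedResourceIds) {
        return authorizedResourceIds.stream().anyMatch(requestedResourceIds::contains);
    }
}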
