package io.camunda.zeebe.engine.processing.identity;

import io.camunda.zeebe.engine.EngineConfiguration;
import io.camunda.zeebe.engine.state.immutable.AuthorizationState;
import io.camunda.zeebe.engine.state.immutable.UserState;
import io.camunda.zeebe.engine.state.user.PersistedUser;
import io.camunda.zeebe.protocol.record.value.AuthorizationOwnerType;
import io.camunda.zeebe.protocol.record.value.AuthorizationResourceType;
import io.camunda.zeebe.protocol.record.value.PermissionType;
import io.camunda.zeebe.protocol.record.value.UserType;
import io.camunda.zeebe.stream.api.records.TypedRecord;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;

/* loaded from: input_file:io/camunda/zeebe/engine/processing/identity/AuthorizationCheckBehavior.class */
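/**
 * Decides whether the principal behind a command holds the permission a command
 * processor asks for, and exposes the resource identifiers a user or role is
 * authorized for.
 *
 * <p>Two short-cuts grant access without consulting state: authorization
 * disabled via {@link EngineConfiguration#isEnableAuthorization()} and, in
 * {@link #isAuthorized(AuthorizationRequest)} only, commands carrying no request
 * metadata. The configuration flag is therefore the single switch that turns
 * enforcement on. In every other path an unknown user, a missing user key or an
 * unexpected owner type yields an empty authorization set, i.e. access is denied.
 *
 * <p>This class is stateless apart from the injected read-only state views.
 */
public final class AuthorizationCheckBehavior {
    public static final String UNAUTHORIZED_ERROR_MESSAGE = "Unauthorized to perform operation '%s' on resource '%s'";
    public static final String UNAUTHORIZED_ERROR_MESSAGE_WITH_RESOURCE = "Unauthorized to perform operation '%s' on resource '%s' with %s";
    /** Resource identifier that matches any concrete resource of a resource type. */
    public static final String WILDCARD_PERMISSION = "*";
    /**
     * Key of the user key entry in a command's authorizations map. The check trusts
     * this value as-is; NOTE(review): confirm it can only be set by the gateway and
     * never by a client-supplied payload.
     */
    private static final String AUTHORIZED_USER_KEY = "authorized_user_key";

    private final AuthorizationState authorizationState;
    private final UserState userState;
    private final EngineConfiguration engineConfig;

    /**
     * One permission check: the command being processed, the resource type and
     * permission it needs, and the identifiers of the concrete resources it touches.
     * The wildcard identifier is always part of the request, so an owner that holds
     * the wildcard for the resource type satisfies every request of that type.
     */
    public static final class AuthorizationRequest {
        private final TypedRecord<?> command;
        private final AuthorizationResourceType resourceType;
        private final PermissionType permissionType;
        // Seeded with the wildcard in the constructor; see class comment.
        private final Set<String> resourceIds = new HashSet<>();

        /**
         * @param typedRecord the command whose authorizations are checked
         * @param authorizationResourceType the resource type the command acts on
         * @param permissionType the permission the command requires
         */
        public AuthorizationRequest(TypedRecord<?> typedRecord, AuthorizationResourceType authorizationResourceType, PermissionType permissionType) {
            this.command = typedRecord;
            this.resourceType = authorizationResourceType;
            this.permissionType = permissionType;
            this.resourceIds.add(WILDCARD_PERMISSION);
        }

        public TypedRecord<?> getCommand() {
            return command;
        }

        public AuthorizationResourceType getResourceType() {
            return resourceType;
        }

        public PermissionType getPermissionType() {
            return permissionType;
        }

        /**
         * Adds a concrete resource identifier the command touches.
         *
         * @param str the resource identifier (e.g. a process id); never removes the wildcard
         * @return this request, for chaining
         */
        public AuthorizationRequest addResourceId(String str) {
            resourceIds.add(str);
            return this;
        }

        /**
         * Returns the live identifier set, not a copy: it always contains the
         * wildcard plus everything passed to {@link #addResourceId(String)}.
         */
        public Set<String> getResourceIds() {
            return resourceIds;
        }
    }

    /**
     * Raised when a request is not authorized. The message embeds the permission and
     * resource type of the request plus the caller-supplied detail, so that detail
     * should identify the resource only and carry nothing sensitive.
     */
    public static class UnauthorizedException extends RuntimeException {
        /**
         * @param authorizationRequest the rejected request
         * @param str human-readable detail about the resource, interpolated into the message
         */
        public UnauthorizedException(AuthorizationRequest authorizationRequest, String str) {
            super(UNAUTHORIZED_ERROR_MESSAGE_WITH_RESOURCE.formatted(
                    authorizationRequest.getPermissionType(),
                    authorizationRequest.getResourceType(),
                    str));
        }
    }

    /**
     * @param authorizationState read view of stored authorizations per owner
     * @param userState read view of stored users
     * @param engineConfiguration engine configuration; only the authorization flag is read
     */
    public AuthorizationCheckBehavior(AuthorizationState authorizationState, UserState userState, EngineConfiguration engineConfiguration) {
        this.authorizationState = authorizationState;
        this.userState = userState;
        this.engineConfig = engineConfiguration;
    }

    /**
     * Checks whether the user behind the command may perform the requested
     * permission on at least one of the request's resource identifiers.
     *
     * @param authorizationRequest the request to check
     * @return {@code true} when authorization is disabled, when the command carries no
     *     request metadata, or when the user (directly or via a role) holds a matching
     *     permission; {@code false} otherwise, including when no user key is present
     */
    public boolean isAuthorized(AuthorizationRequest authorizationRequest) {
        // Deliberately grants access in two cases: enforcement is switched off, or the
        // command has no request metadata (no external caller to attribute it to —
        // presumably engine-internal follow-up commands; verify against the writers).
        if (!engineConfig.isEnableAuthorization()
                || !authorizationRequest.getCommand().hasRequestMetadata()) {
            return true;
        }
        // A missing user key leaves the authorized set empty, which denies below.
        final Set<String> authorizedResourceIds = getUserKey(authorizationRequest)
                .map(userKey -> getUserAuthorizedResourceIdentifiers(
                        userKey,
                        authorizationRequest.getResourceType(),
                        authorizationRequest.getPermissionType()))
                .orElseGet(() -> new HashSet<>());
        return hasRequiredPermission(authorizationRequest.getResourceIds(), authorizedResourceIds);
    }

    /**
     * Extracts the user key from the command's authorizations map.
     *
     * @return the user key, or empty when the entry is absent
     * @throws ClassCastException if the entry is present but not a {@link Long}
     */
    private static Optional<Long> getUserKey(AuthorizationRequest authorizationRequest) {
        return Optional.ofNullable(
                (Long) authorizationRequest.getCommand().getAuthorizations().get(AUTHORIZED_USER_KEY));
    }

    /**
     * Returns the resource identifiers the command's user is authorized for, for the
     * request's resource type and permission.
     *
     * <p>Unlike {@link #isAuthorized(AuthorizationRequest)} this does not short-cut on
     * missing request metadata; only the configuration flag is consulted.
     *
     * @return {@code {"*"}} when authorization is disabled; an empty set when the
     *     command carries no user key; otherwise the user's identifiers
     */
    public Set<String> getAuthorizedResourceIdentifiers(AuthorizationRequest authorizationRequest) {
        if (!engineConfig.isEnableAuthorization()) {
            return Set.of(WILDCARD_PERMISSION);
        }
        return getUserKey(authorizationRequest)
                .map(userKey -> getUserAuthorizedResourceIdentifiers(
                        userKey,
                        authorizationRequest.getResourceType(),
                        authorizationRequest.getPermissionType()))
                .orElseGet(() -> new HashSet<>());
    }

    /**
     * Returns the resource identifiers an owner is authorized for.
     *
     * @param j the owner key (user key or role key, depending on the owner type)
     * @param authorizationOwnerType whether {@code j} identifies a user or a role
     * @param authorizationResourceType the resource type to look up
     * @param permissionType the permission to look up
     * @return the identifiers; empty for any owner type other than USER or ROLE
     */
    public Set<String> getAuthorizedResourceIdentifiers(long j, AuthorizationOwnerType authorizationOwnerType, AuthorizationResourceType authorizationResourceType, PermissionType permissionType) {
        return switch (authorizationOwnerType) {
            case USER -> getUserAuthorizedResourceIdentifiers(j, authorizationResourceType, permissionType);
            case ROLE -> getRoleAuthorizedResourceIdentifiers(List.of(j), authorizationResourceType, permissionType);
            // Unsupported owner types get no permissions rather than an error.
            default -> new HashSet<>();
        };
    }

    /**
     * Collects a user's identifiers: the wildcard for DEFAULT users, otherwise the
     * user's own authorizations merged with those of every role the user belongs to.
     *
     * @return a mutable set; empty when the user does not exist
     */
    private Set<String> getUserAuthorizedResourceIdentifiers(long j, AuthorizationResourceType authorizationResourceType, PermissionType permissionType) {
        final Optional<PersistedUser> user = userState.getUser(j);
        if (user.isEmpty()) {
            // Unknown user key: no permissions at all.
            return new HashSet<>();
        }
        final PersistedUser persistedUser = user.get();
        if (persistedUser.getUserType() == UserType.DEFAULT) {
            // Default users are granted the wildcard for every resource type and permission.
            return new HashSet<>(Set.of(WILDCARD_PERMISSION));
        }
        final var directIds = authorizationState.getResourceIdentifiers(j, authorizationResourceType, permissionType);
        final Set<String> roleIds = getRoleAuthorizedResourceIdentifiers(
                persistedUser.getRoleKeysList(), authorizationResourceType, permissionType);
        return Stream.concat(directIds.stream(), roleIds.stream()).collect(Collectors.toSet());
    }

    /**
     * Unions the identifiers stored for each of the given role keys.
     *
     * @param list role keys; an empty list yields an empty set
     */
    private Set<String> getRoleAuthorizedResourceIdentifiers(List<Long> list, AuthorizationResourceType authorizationResourceType, PermissionType permissionType) {
        return list.stream()
                .flatMap(roleKey -> authorizationState
                        .getResourceIdentifiers(roleKey, authorizationResourceType, permissionType)
                        .stream())
                .collect(Collectors.toSet());
    }

    /**
     * Tests whether any authorized identifier is among the requested ones. Because
     * every request contains the wildcard, an authorized wildcard always matches; an
     * empty authorized set never does.
     *
     * @param set the request's resource identifiers
     * @param set2 the identifiers the owner is authorized for
     */
    private static boolean hasRequiredPermission(Set<String> set, Set<String> set2) {
        Objects.requireNonNull(set, "set");
        return set2.stream().anyMatch(set::contains);
    }
}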
