package io.camunda.security.impl;

import io.camunda.search.clients.AuthorizationSearchClient;
import io.camunda.search.query.AuthorizationQuery;
import io.camunda.security.auth.Authentication;
import io.camunda.security.auth.SecurityContext;
import io.camunda.zeebe.protocol.record.value.AuthorizationResourceType;
import io.camunda.zeebe.protocol.record.value.PermissionType;
import java.util.ArrayList;
import java.util.List;

/* loaded from: input_file:io/camunda/security/impl/AuthorizationChecker.class */
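/**
 * Answers authorization questions for an authenticated principal by querying the stored
 * authorizations through an {@link AuthorizationSearchClient}.
 *
 * <p>The owner keys used in every lookup are the authenticated user key plus all authenticated
 * group keys taken from the {@link SecurityContext}. Both public methods fail closed: when the
 * authentication yields no owner key at all, nothing is authorized and no query is issued.
 */
public class AuthorizationChecker {
    // Client bound to a security context without authentication (see constructor). It must stay
    // private: every query issued through it runs under that context, not under the caller's.
    private final AuthorizationSearchClient authorizationSearchClient;

    /**
     * Creates a checker on top of the given search client.
     *
     * <p>The client is re-bound via {@code withSecurityContext(SecurityContext.withoutAuthentication())}.
     * NOTE(review): presumably this keeps the authorization lookup itself from being filtered by
     * the caller's own permissions - confirm against the search client implementation.
     *
     * @param authorizationSearchClient client used to read authorization entities
     * @throws NullPointerException if {@code authorizationSearchClient} is {@code null}
     */
    public AuthorizationChecker(AuthorizationSearchClient authorizationSearchClient) {
        this.authorizationSearchClient =
            authorizationSearchClient.withSecurityContext(SecurityContext.withoutAuthentication());
    }

    /**
     * Returns the resource ids on which the authenticated principal holds the permission type
     * requested in {@code securityContext.authorization()} for the requested resource type.
     *
     * <p>The returned ids are passed through as stored. NOTE(review): {@link #isAuthorized}
     * treats {@code "*"} as matching every resource, so callers presumably have to handle a
     * {@code "*"} entry in this list the same way - confirm. Duplicates are not removed.
     *
     * @param securityContext carries the authentication (owner keys) and the requested
     *     resource type / permission type
     * @return an unmodifiable list of resource ids; empty when nothing is authorized
     * @throws NullPointerException if the context, its authentication or its authorization
     *     is {@code null}
     */
    public List<String> retrieveAuthorizedResourceKeys(SecurityContext securityContext) {
        final List<Long> ownerKeys = collectOwnerKeys(securityContext.authentication());
        final AuthorizationResourceType resourceType = securityContext.authorization().resourceType();
        final PermissionType permissionType = securityContext.authorization().permissionType();

        // Fail closed: how the query builder treats an empty owner-key filter is not visible
        // here, and it must never degrade into "match authorizations of any owner".
        if (ownerKeys.isEmpty()) {
            return List.of();
        }

        return this.authorizationSearchClient
            .findAllAuthorizations(
                AuthorizationQuery.of(
                    query ->
                        query.filter(
                            filter ->
                                filter
                                    .ownerKeys(ownerKeys)
                                    .resourceType(resourceType.name())
                                    .permissionType(permissionType))))
            .stream()
            // A matching entity can carry permissions of other types as well; keep only the
            // resource ids that belong to the requested permission type.
            .flatMap(
                authorization ->
                    authorization.permissions().stream()
                        .filter(permission -> permissionType.equals(permission.type()))
                        .flatMap(permission -> permission.resourceIds().stream()))
            .toList();
    }

    /**
     * Checks whether the authenticated principal holds the requested permission on one resource.
     *
     * <p>A stored authorization matches when its resource ids contain either the given id or the
     * {@code "*"} entry.
     *
     * @param str id of the resource being accessed
     * @param securityContext carries the authentication (owner keys) and the requested
     *     resource type / permission type
     * @return {@code true} if at least one matching authorization exists, {@code false} otherwise
     * @throws NullPointerException if {@code str} is {@code null} ({@code List.of} rejects nulls),
     *     or if the context, its authentication or its authorization is {@code null}
     */
    public boolean isAuthorized(String str, SecurityContext securityContext) {
        final List<Long> ownerKeys = collectOwnerKeys(securityContext.authentication());
        final AuthorizationResourceType resourceType = securityContext.authorization().resourceType();
        final PermissionType permissionType = securityContext.authorization().permissionType();
        final List<String> acceptedResourceIds = List.of("*", str);

        // Fail closed: a principal without any owner key cannot own an authorization, and an
        // empty owner-key filter must not be left to the query builder to interpret.
        if (ownerKeys.isEmpty()) {
            return false;
        }

        // Only existence matters, so a single hit per page is enough.
        return this.authorizationSearchClient
                .searchAuthorizations(
                    AuthorizationQuery.of(
                        query ->
                            query
                                .filter(
                                    filter ->
                                        filter
                                            .ownerKeys(ownerKeys)
                                            .resourceType(resourceType.name())
                                            .permissionType(permissionType)
                                            .resourceIds(acceptedResourceIds))
                                .page(page -> page.size(1))))
                .total()
            > 0;
    }

    /**
     * Collects the keys under which authorizations may be owned for this authentication: the
     * user key followed by all group keys.
     *
     * <p>A missing user key or a missing group list is skipped rather than added as {@code null},
     * so the result never contains a {@code null} owner key coming from the user key itself.
     *
     * @param authentication the authentication to read the keys from
     * @return a new mutable list of owner keys, possibly empty
     */
    private List<Long> collectOwnerKeys(Authentication authentication) {
        final List<Long> ownerKeys = new ArrayList<>();
        final Long userKey = authentication.authenticatedUserKey();
        if (userKey != null) {
            ownerKeys.add(userKey);
        }
        final var groupKeys = authentication.authenticatedGroupKeys();
        if (groupKeys != null) {
            ownerKeys.addAll(groupKeys);
        }
        return ownerKeys;
    }
}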
