package io.camunda.zeebe.engine.processing.identity;

import io.camunda.zeebe.engine.processing.Rejection;
import io.camunda.zeebe.engine.processing.identity.AuthorizationCheckBehavior;
import io.camunda.zeebe.engine.state.immutable.AuthorizationState;
import io.camunda.zeebe.engine.state.immutable.ProcessingState;
import io.camunda.zeebe.protocol.impl.record.value.authorization.AuthorizationRecord;
import io.camunda.zeebe.protocol.record.RejectionType;
import io.camunda.zeebe.protocol.record.value.AuthorizationRecordValue;
import io.camunda.zeebe.protocol.record.value.AuthorizationResourceType;
import io.camunda.zeebe.protocol.record.value.PermissionType;
import io.camunda.zeebe.stream.api.records.TypedRecord;
import io.camunda.zeebe.util.Either;
import java.util.HashSet;
import java.util.Set;

/* loaded from: input_file:io/camunda/zeebe/engine/processing/identity/PermissionsBehavior.class */
/**
 * Validation steps applied to an {@link AuthorizationRecord} before permissions are added to or
 * removed from an owner.
 *
 * <p>Every step returns an {@link Either}: the right side carries the record so that steps can be
 * chained, the left side carries the {@link Rejection} describing why the step failed.
 *
 * <p>NOTE(review): nothing in this class forces {@link #isAuthorized} to run before the other
 * steps; the ordering is the caller's responsibility. This matters because the rejections built
 * by {@link #permissionAlreadyExists} and {@link #permissionDoesNotExist} echo the owner's
 * complete set of existing resource identifiers back in the message text.
 */
public class PermissionsBehavior {
    public static final String OWNER_NOT_FOUND_MESSAGE = "Expected to find owner with key: '%d', but none was found";
    public static final String PERMISSION_ALREADY_EXISTS_MESSAGE = "Expected to add '%s' permission for resource '%s' and resource identifiers '%s' for owner '%s', but this permission for resource identifiers '%s' already exist. Existing resource ids are: '%s'";
    public static final String PERMISSION_NOT_FOUND_MESSAGE = "Expected to remove '%s' permission for resource '%s' and resource identifiers '%s' for owner '%s', but this permission for resource identifiers '%s' is not found. Existing resource ids are: '%s'";
    private final AuthorizationState authorizationState;
    private final AuthorizationCheckBehavior authCheckBehavior;

    /**
     * @param processingState source of the {@link AuthorizationState} used for owner lookups
     * @param authorizationCheckBehavior performs the permission check and resolves the resource
     *     identifiers an owner is already authorized for
     */
    public PermissionsBehavior(ProcessingState processingState, AuthorizationCheckBehavior authorizationCheckBehavior) {
        this.authorizationState = processingState.getAuthorizationState();
        this.authCheckBehavior = authorizationCheckBehavior;
    }

    /**
     * Checks that the command is allowed to change authorizations, i.e. that it holds
     * {@link PermissionType#UPDATE} on {@link AuthorizationResourceType#AUTHORIZATION}.
     *
     * @param typedRecord the incoming command
     * @return the command's value on the right when the check passes, otherwise the rejection
     *     produced by the authorization check
     */
    public Either<Rejection, AuthorizationRecord> isAuthorized(TypedRecord<AuthorizationRecord> typedRecord) {
        final AuthorizationCheckBehavior.AuthorizationRequest request =
                new AuthorizationCheckBehavior.AuthorizationRequest(
                        typedRecord, AuthorizationResourceType.AUTHORIZATION, PermissionType.UPDATE);
        return authCheckBehavior.isAuthorized(request).map(ignored -> typedRecord.getValue());
    }

    /**
     * Verifies that the owner referenced by the record is known to the authorization state.
     *
     * <p>Side effect: when the owner is found, its type is written onto the passed-in record via
     * {@code setOwnerType}, so the argument is mutated.
     *
     * @param authorizationRecord the record whose owner key is looked up
     * @return the (now enriched) record on the right, or a {@link RejectionType#NOT_FOUND}
     *     rejection when no owner type is stored for the key
     */
    public Either<Rejection, AuthorizationRecord> ownerExists(AuthorizationRecord authorizationRecord) {
        final Long ownerKey = authorizationRecord.getOwnerKey();
        return authorizationState
                .getOwnerType(ownerKey.longValue())
                .map(ownerType -> {
                    authorizationRecord.setOwnerType(ownerType);
                    return Either.<Rejection, AuthorizationRecord>right(authorizationRecord);
                })
                .orElseGet(() -> Either.left(
                        new Rejection(RejectionType.NOT_FOUND, OWNER_NOT_FOUND_MESSAGE.formatted(ownerKey))));
    }

    /**
     * Guards an "add permission" request: rejects it as soon as one requested resource identifier
     * is already granted to the owner for the same resource type and permission type.
     *
     * <p>Permissions are inspected in iteration order and the first conflict ends the check.
     *
     * @param authorizationRecord the record listing the permissions to add
     * @return the record on the right when nothing overlaps, otherwise a
     *     {@link RejectionType#ALREADY_EXISTS} rejection naming the overlapping identifiers
     */
    public Either<Rejection, AuthorizationRecord> permissionAlreadyExists(AuthorizationRecord authorizationRecord) {
        for (AuthorizationRecordValue.PermissionValue permission : authorizationRecord.getPermissions()) {
            final Set<String> requestedIds = permission.getResourceIds();
            final Set<String> existingIds = directResourceIds(authorizationRecord, permission);

            // Intersection of what is already granted with what is being requested.
            final Set<String> overlap = new HashSet<>(existingIds);
            overlap.retainAll(requestedIds);
            if (overlap.isEmpty()) {
                continue;
            }

            // The message includes every existing identifier, not just the overlapping ones.
            final String reason = PERMISSION_ALREADY_EXISTS_MESSAGE.formatted(
                    permission.getPermissionType(),
                    authorizationRecord.getResourceType(),
                    requestedIds,
                    authorizationRecord.getOwnerKey(),
                    overlap,
                    existingIds);
            return Either.left(new Rejection(RejectionType.ALREADY_EXISTS, reason));
        }
        return Either.right(authorizationRecord);
    }

    /**
     * Guards a "remove permission" request: rejects it as soon as one requested resource
     * identifier is not currently granted to the owner for the same resource type and permission
     * type.
     *
     * <p>Permissions are inspected in iteration order and the first miss ends the check.
     *
     * @param authorizationRecord the record listing the permissions to remove
     * @return the record on the right when every identifier is present, otherwise a
     *     {@link RejectionType#NOT_FOUND} rejection naming the missing identifiers
     */
    public Either<Rejection, AuthorizationRecord> permissionDoesNotExist(AuthorizationRecord authorizationRecord) {
        for (AuthorizationRecordValue.PermissionValue permission : authorizationRecord.getPermissions()) {
            final Set<String> existingIds = directResourceIds(authorizationRecord, permission);
            final Set<String> requestedIds = permission.getResourceIds();
            if (existingIds.containsAll(requestedIds)) {
                continue;
            }

            // Requested identifiers that the owner does not hold.
            final Set<String> missing = new HashSet<>(requestedIds);
            missing.removeAll(existingIds);

            // The message includes every existing identifier, not just the missing ones.
            final String reason = PERMISSION_NOT_FOUND_MESSAGE.formatted(
                    permission.getPermissionType(),
                    authorizationRecord.getResourceType(),
                    requestedIds,
                    authorizationRecord.getOwnerKey(),
                    missing,
                    existingIds);
            return Either.left(new Rejection(RejectionType.NOT_FOUND, reason));
        }
        return Either.right(authorizationRecord);
    }

    /**
     * Resolves the resource identifiers the record's owner is authorized for, scoped to the
     * record's resource type and the given permission's type.
     *
     * <p>NOTE(review): the delegate is named "direct", which presumably means permissions
     * inherited through another owner are not considered here; confirm against
     * {@code AuthorizationCheckBehavior}.
     */
    private Set<String> directResourceIds(
            AuthorizationRecord authorizationRecord, AuthorizationRecordValue.PermissionValue permission) {
        return authCheckBehavior.getDirectAuthorizedResourceIdentifiers(
                authorizationRecord.getOwnerKey().longValue(),
                authorizationRecord.getResourceType(),
                permission.getPermissionType());
    }
}
