package io.camunda.zeebe.engine.processing.identity;

import io.camunda.security.configuration.SecurityConfiguration;
import io.camunda.zeebe.auth.Authorization;
import io.camunda.zeebe.engine.processing.Rejection;
import io.camunda.zeebe.engine.state.authorization.PersistedMapping;
import io.camunda.zeebe.engine.state.immutable.AuthorizationState;
import io.camunda.zeebe.engine.state.immutable.GroupState;
import io.camunda.zeebe.engine.state.immutable.MappingState;
import io.camunda.zeebe.engine.state.immutable.ProcessingState;
import io.camunda.zeebe.engine.state.immutable.UserState;
import io.camunda.zeebe.engine.state.user.PersistedUser;
import io.camunda.zeebe.protocol.record.RejectionType;
import io.camunda.zeebe.protocol.record.value.AuthorizationOwnerType;
import io.camunda.zeebe.protocol.record.value.AuthorizationResourceType;
import io.camunda.zeebe.protocol.record.value.PermissionType;
import io.camunda.zeebe.stream.api.records.TypedRecord;
import io.camunda.zeebe.util.Either;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;

/* loaded from: input_file:io/camunda/zeebe/engine/processing/identity/AuthorizationCheckBehavior.class */
public final class AuthorizationCheckBehavior {
    public static final String FORBIDDEN_ERROR_MESSAGE = "Insufficient permissions to perform operation '%s' on resource '%s'";
    public static final String FORBIDDEN_ERROR_MESSAGE_WITH_RESOURCE = "Insufficient permissions to perform operation '%s' on resource '%s', required resource identifiers are one of '%s'";
    public static final String NOT_FOUND_ERROR_MESSAGE = "Expected to %s with key '%s', but no %s was found";
    public static final String WILDCARD_PERMISSION = "*";
    private static final String UNAUTHORIZED_ERROR_MESSAGE = "Unauthorized to perform operation '%s' on resource '%s'";
    private final AuthorizationState authorizationState;
    private final UserState userState;
    private final SecurityConfiguration securityConfig;
    private final MappingState mappingState;
    private final GroupState groupState;

    /* loaded from: input_file:io/camunda/zeebe/engine/processing/identity/AuthorizationCheckBehavior$AuthorizationRequest.class */
    public static final class AuthorizationRequest {
        private final TypedRecord<?> command;
        private final AuthorizationResourceType resourceType;
        private final PermissionType permissionType;
        private final Set<String> resourceIds;
        private final String tenantId;

        public AuthorizationRequest(TypedRecord<?> typedRecord, AuthorizationResourceType authorizationResourceType, PermissionType permissionType, String str) {
            this.command = typedRecord;
            this.resourceType = authorizationResourceType;
            this.permissionType = permissionType;
            this.resourceIds = new HashSet();
            this.resourceIds.add("*");
            this.tenantId = str;
        }

        public AuthorizationRequest(TypedRecord<?> typedRecord, AuthorizationResourceType authorizationResourceType, PermissionType permissionType) {
            this(typedRecord, authorizationResourceType, permissionType, "<default>");
        }

        public TypedRecord<?> getCommand() {
            return this.command;
        }

        public AuthorizationResourceType getResourceType() {
            return this.resourceType;
        }

        public PermissionType getPermissionType() {
            return this.permissionType;
        }

        public AuthorizationRequest addResourceId(String str) {
            this.resourceIds.add(str);
            return this;
        }

        public Set<String> getResourceIds() {
            return this.resourceIds;
        }

        public String getTenantId() {
            return this.tenantId;
        }

        public String getForbiddenErrorMessage() {
            return this.resourceIds.size() == 1 && this.resourceIds.contains("*") ? AuthorizationCheckBehavior.FORBIDDEN_ERROR_MESSAGE.formatted(this.permissionType, this.resourceType) : AuthorizationCheckBehavior.FORBIDDEN_ERROR_MESSAGE_WITH_RESOURCE.formatted(this.permissionType, this.resourceType, this.resourceIds.stream().sorted().toList());
        }
    }

    /* loaded from: input_file:io/camunda/zeebe/engine/processing/identity/AuthorizationCheckBehavior$ForbiddenException.class */
    public static class ForbiddenException extends RuntimeException {
        public ForbiddenException(AuthorizationRequest authorizationRequest) {
            super(authorizationRequest.getForbiddenErrorMessage());
        }

        public RejectionType getRejectionType() {
            return RejectionType.FORBIDDEN;
        }
    }

    /* loaded from: input_file:io/camunda/zeebe/engine/processing/identity/AuthorizationCheckBehavior$NotFoundException.class */
    public static class NotFoundException extends RuntimeException {
        public NotFoundException(String str) {
            super(str);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/camunda/zeebe/engine/processing/identity/AuthorizationCheckBehavior$UserTokenClaim.class */
    public static final class UserTokenClaim extends Record {
        private final String claimName;
        private final String claimValue;

        private UserTokenClaim(String str, String str2) {
            this.claimName = str;
            this.claimValue = str2;
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, UserTokenClaim.class), UserTokenClaim.class, "claimName;claimValue", "FIELD:Lio/camunda/zeebe/engine/processing/identity/AuthorizationCheckBehavior$UserTokenClaim;->claimName:Ljava/lang/String;", "FIELD:Lio/camunda/zeebe/engine/processing/identity/AuthorizationCheckBehavior$UserTokenClaim;->claimValue:Ljava/lang/String;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, UserTokenClaim.class), UserTokenClaim.class, "claimName;claimValue", "FIELD:Lio/camunda/zeebe/engine/processing/identity/AuthorizationCheckBehavior$UserTokenClaim;->claimName:Ljava/lang/String;", "FIELD:Lio/camunda/zeebe/engine/processing/identity/AuthorizationCheckBehavior$UserTokenClaim;->claimValue:Ljava/lang/String;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, UserTokenClaim.class, Object.class), UserTokenClaim.class, "claimName;claimValue", "FIELD:Lio/camunda/zeebe/engine/processing/identity/AuthorizationCheckBehavior$UserTokenClaim;->claimName:Ljava/lang/String;", "FIELD:Lio/camunda/zeebe/engine/processing/identity/AuthorizationCheckBehavior$UserTokenClaim;->claimValue:Ljava/lang/String;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        public String claimName() {
            return this.claimName;
        }

        public String claimValue() {
            return this.claimValue;
        }
    }

    public AuthorizationCheckBehavior(ProcessingState processingState, SecurityConfiguration securityConfiguration) {
        this.authorizationState = processingState.getAuthorizationState();
        this.userState = processingState.getUserState();
        this.mappingState = processingState.getMappingState();
        this.groupState = processingState.getGroupState();
        processingState.getTenantState();
        this.securityConfig = securityConfiguration;
    }

    public Either<Rejection, Void> isAuthorized(AuthorizationRequest authorizationRequest) {
        Stream<String> mappingsAuthorizedResourceIdentifiers;
        if (this.securityConfig.getAuthorizations().isEnabled() && authorizationRequest.getCommand().hasRequestMetadata() && !isAuthorizedAnonymousUser(authorizationRequest.getCommand())) {
            Optional<Long> userKey = getUserKey(authorizationRequest);
            if (userKey.isPresent()) {
                Optional<PersistedUser> user = this.userState.getUser(userKey.get().longValue());
                if (user.isEmpty()) {
                    return Either.left(new Rejection(RejectionType.UNAUTHORIZED, UNAUTHORIZED_ERROR_MESSAGE.formatted(authorizationRequest.getPermissionType(), authorizationRequest.getResourceType())));
                }
                if (!isUserAuthorizedForTenant(authorizationRequest, user.get())) {
                    return Either.left(new Rejection(RejectionType.NOT_FOUND, authorizationRequest.getForbiddenErrorMessage()));
                }
                mappingsAuthorizedResourceIdentifiers = getUserAuthorizedResourceIdentifiers(user.get(), authorizationRequest.getResourceType(), authorizationRequest.getPermissionType());
            } else {
                mappingsAuthorizedResourceIdentifiers = getMappingsAuthorizedResourceIdentifiers(authorizationRequest);
            }
            return hasRequiredPermission(authorizationRequest.getResourceIds(), mappingsAuthorizedResourceIdentifiers) ? Either.right(null) : Either.left(new Rejection(RejectionType.FORBIDDEN, authorizationRequest.getForbiddenErrorMessage()));
        }
        return Either.right(null);
    }

    private boolean isAuthorizedAnonymousUser(TypedRecord<?> typedRecord) {
        Optional ofNullable = Optional.ofNullable(typedRecord.getAuthorizations().get(Authorization.AUTHORIZED_ANONYMOUS_USER));
        Class<Boolean> cls = Boolean.class;
        Objects.requireNonNull(Boolean.class);
        return ((Boolean) ofNullable.map(cls::cast).orElse(false)).booleanValue();
    }

    private Optional<Long> getUserKey(AuthorizationRequest authorizationRequest) {
        return getUserKey(authorizationRequest.getCommand());
    }

    private boolean isUserAuthorizedForTenant(AuthorizationRequest authorizationRequest, PersistedUser persistedUser) {
        String str = authorizationRequest.tenantId;
        if (str.equals("<default>") || persistedUser.getTenantIdsList().contains(str)) {
            return true;
        }
        return areGroupsAuthorizedForTenant(persistedUser.getGroupKeysList(), str);
    }

    private boolean isMappingAuthorizedForTenant(AuthorizationRequest authorizationRequest, PersistedMapping persistedMapping) {
        String str = authorizationRequest.tenantId;
        if (str.equals("<default>") || persistedMapping.getTenantIdsList().contains(authorizationRequest.getTenantId())) {
            return true;
        }
        return areGroupsAuthorizedForTenant(persistedMapping.getGroupKeysList(), str);
    }

    private boolean areGroupsAuthorizedForTenant(List<Long> list, String str) {
        return getTenantIdsForGroups(list).contains(str);
    }

    private Set<String> getTenantIdsForGroups(List<Long> list) {
        Stream<Long> stream = list.stream();
        GroupState groupState = this.groupState;
        Objects.requireNonNull(groupState);
        return (Set) stream.map((v1) -> {
            return r1.get(v1);
        }).filter((v0) -> {
            return v0.isPresent();
        }).map((v0) -> {
            return v0.get();
        }).flatMap(persistedGroup -> {
            return persistedGroup.getTenantIdsList().stream();
        }).collect(Collectors.toSet());
    }

    public Set<String> getAllAuthorizedResourceIdentifiers(AuthorizationRequest authorizationRequest) {
        if (this.securityConfig.getAuthorizations().isEnabled() && !isAuthorizedAnonymousUser(authorizationRequest.getCommand())) {
            return (Set) ((Stream) getUserKey(authorizationRequest).map(l -> {
                return (Stream) this.userState.getUser(l.longValue()).map(persistedUser -> {
                    return getUserAuthorizedResourceIdentifiers(persistedUser, authorizationRequest.getResourceType(), authorizationRequest.getPermissionType());
                }).orElseGet(Stream::empty);
            }).orElseGet(() -> {
                return getMappingsAuthorizedResourceIdentifiers(authorizationRequest);
            })).collect(Collectors.toSet());
        }
        return Set.of("*");
    }

    public Set<String> getDirectAuthorizedResourceIdentifiers(AuthorizationOwnerType authorizationOwnerType, String str, AuthorizationResourceType authorizationResourceType, PermissionType permissionType) {
        return this.authorizationState.getResourceIdentifiers(authorizationOwnerType, str, authorizationResourceType, permissionType);
    }

    private Stream<String> getUserAuthorizedResourceIdentifiers(PersistedUser persistedUser, AuthorizationResourceType authorizationResourceType, PermissionType permissionType) {
        return Stream.concat(this.authorizationState.getResourceIdentifiers(AuthorizationOwnerType.USER, persistedUser.getUsername(), authorizationResourceType, permissionType).stream(), Stream.concat(getAuthorizedResourceIdentifiersForOwners(AuthorizationOwnerType.ROLE, persistedUser.getRoleKeysList(), authorizationResourceType, permissionType), getAuthorizedResourceIdentifiersForOwners(AuthorizationOwnerType.GROUP, persistedUser.getGroupKeysList(), authorizationResourceType, permissionType)));
    }

    private Stream<String> getMappingsAuthorizedResourceIdentifiers(AuthorizationRequest authorizationRequest) {
        return extractUserTokenClaims(authorizationRequest.getCommand()).mapMulti((userTokenClaim, consumer) -> {
            this.mappingState.get(userTokenClaim.claimName(), userTokenClaim.claimValue()).ifPresent(consumer);
        }).filter(persistedMapping -> {
            return isMappingAuthorizedForTenant(authorizationRequest, persistedMapping);
        }).mapMulti((persistedMapping2, consumer2) -> {
            getAuthorizedResourceIdentifiersForOwners(AuthorizationOwnerType.MAPPING, List.of(Long.valueOf(persistedMapping2.getMappingKey())), authorizationRequest.getResourceType(), authorizationRequest.getPermissionType()).forEach(consumer2);
            getAuthorizedResourceIdentifiersForOwners(AuthorizationOwnerType.GROUP, persistedMapping2.getGroupKeysList(), authorizationRequest.getResourceType(), authorizationRequest.getPermissionType()).forEach(consumer2);
            getAuthorizedResourceIdentifiersForOwners(AuthorizationOwnerType.ROLE, persistedMapping2.getRoleKeysList(), authorizationRequest.getResourceType(), authorizationRequest.getPermissionType()).forEach(consumer2);
        });
    }

    private Stream<String> getAuthorizedResourceIdentifiersForOwners(AuthorizationOwnerType authorizationOwnerType, List<Long> list, AuthorizationResourceType authorizationResourceType, PermissionType permissionType) {
        return list.stream().flatMap(l -> {
            return this.authorizationState.getResourceIdentifiers(authorizationOwnerType, String.valueOf(l), authorizationResourceType, permissionType).stream();
        });
    }

    private static boolean hasRequiredPermission(Set<String> set, Stream<String> stream) {
        Objects.requireNonNull(set);
        return stream.anyMatch((v1) -> {
            return r1.contains(v1);
        });
    }

    public AuthorizedTenants getAuthorizedTenantIds(TypedRecord<?> typedRecord) {
        if (isAuthorizedAnonymousUser(typedRecord)) {
            return AuthorizedTenants.ANONYMOUS;
        }
        if (typedRecord.getAuthorizations().get(Authorization.AUTHORIZED_TENANTS) != null) {
            return new AuthenticatedAuthorizedTenants((List<String>) typedRecord.getAuthorizations().get(Authorization.AUTHORIZED_TENANTS));
        }
        Optional<Long> userKey = getUserKey(typedRecord);
        if (userKey.isPresent()) {
            return (AuthorizedTenants) this.userState.getUser(userKey.get().longValue()).map(persistedUser -> {
                List<String> tenantIdsList = persistedUser.getTenantIdsList();
                tenantIdsList.addAll(getTenantIdsForGroups(persistedUser.getGroupKeysList()));
                return tenantIdsList;
            }).filter(list -> {
                return !list.isEmpty();
            }).map(AuthenticatedAuthorizedTenants::new).orElse(AuthorizedTenants.DEFAULT_TENANTS);
        }
        List list2 = extractUserTokenClaims(typedRecord).map(userTokenClaim -> {
            return this.mappingState.get(userTokenClaim.claimName(), userTokenClaim.claimValue());
        }).mapMulti((v0, v1) -> {
            v0.ifPresent(v1);
        }).flatMap(persistedMapping -> {
            List<String> tenantIdsList = persistedMapping.getTenantIdsList();
            tenantIdsList.addAll(getTenantIdsForGroups(persistedMapping.getGroupKeysList()));
            return tenantIdsList.stream();
        }).toList();
        return list2.isEmpty() ? AuthorizedTenants.DEFAULT_TENANTS : new AuthenticatedAuthorizedTenants((List<String>) list2);
    }

    private Optional<Long> getUserKey(TypedRecord<?> typedRecord) {
        Optional ofNullable = Optional.ofNullable((String) typedRecord.getAuthorizations().get(Authorization.AUTHORIZED_USERNAME));
        UserState userState = this.userState;
        Objects.requireNonNull(userState);
        return ofNullable.flatMap(userState::getUser).map((v0) -> {
            return v0.getUserKey();
        });
    }

    private static Stream<UserTokenClaim> extractUserTokenClaims(TypedRecord<?> typedRecord) {
        return typedRecord.getAuthorizations().entrySet().stream().filter(entry -> {
            return ((String) entry.getKey()).startsWith(Authorization.USER_TOKEN_CLAIM_PREFIX);
        }).flatMap(entry2 -> {
            String substring = ((String) entry2.getKey()).substring(Authorization.USER_TOKEN_CLAIM_PREFIX.length());
            Object value = entry2.getValue();
            return value instanceof Collection ? ((Collection) value).stream().map(obj -> {
                return new UserTokenClaim(substring, obj.toString());
            }) : Stream.of(new UserTokenClaim(substring, value.toString()));
        });
    }
}
