package io.camunda.zeebe.engine.processing.identity;

import io.camunda.zeebe.engine.processing.Rejection;
import io.camunda.zeebe.engine.processing.identity.AuthorizationCheckBehavior;
import io.camunda.zeebe.engine.state.authorization.PersistedAuthorization;
import io.camunda.zeebe.engine.state.immutable.AuthorizationState;
import io.camunda.zeebe.engine.state.immutable.ProcessingState;
import io.camunda.zeebe.protocol.impl.record.value.authorization.AuthorizationRecord;
import io.camunda.zeebe.protocol.record.RejectionType;
import io.camunda.zeebe.protocol.record.value.AuthorizationResourceType;
import io.camunda.zeebe.protocol.record.value.PermissionType;
import io.camunda.zeebe.stream.api.records.TypedRecord;
import io.camunda.zeebe.util.Either;
import java.util.LinkedHashSet;
import java.util.Set;

/* loaded from: input_file:io/camunda/zeebe/engine/processing/identity/PermissionsBehavior.class */
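/**
 * Validation helpers for commands that create, update or delete authorizations.
 *
 * <p>Every method returns an {@link Either}: the right side carries the value to continue with,
 * the left side carries a {@link Rejection} describing why the command must not be applied. None
 * of the methods writes state; they only read from {@link AuthorizationState} and from
 * {@link AuthorizationCheckBehavior}.
 */
public class PermissionsBehavior {
    public static final String PERMISSIONS_ALREADY_EXISTS_MESSAGE = "Expected to create authorization for owner '%s' for resource identifier '%s', but an authorization for this resource identifier already exists.";
    public static final String AUTHORIZATION_DOES_NOT_EXIST_ERROR_MESSAGE_UPDATE = "Expected to update authorization with key %s, but an authorization with this key does not exist";
    public static final String AUTHORIZATION_DOES_NOT_EXIST_ERROR_MESSAGE_DELETION = "Expected to delete authorization with key %s, but an authorization with this key does not exist";
    private final AuthorizationState authorizationState;
    private final AuthorizationCheckBehavior authCheckBehavior;

    /**
     * @param processingState source of the {@link AuthorizationState} used for key lookups
     * @param authorizationCheckBehavior performs the actual permission evaluation
     */
    public PermissionsBehavior(ProcessingState processingState, AuthorizationCheckBehavior authorizationCheckBehavior) {
        this.authorizationState = processingState.getAuthorizationState();
        this.authCheckBehavior = authorizationCheckBehavior;
    }

    /**
     * Checks the command against the {@link PermissionType#UPDATE} permission on the
     * {@link AuthorizationResourceType#AUTHORIZATION} resource type.
     *
     * <p>The permission is fixed to {@code UPDATE} here. A caller that handles a different
     * operation on authorizations has to use
     * {@link #isAuthorized(TypedRecord, PermissionType)} and name the permission explicitly,
     * otherwise the operation is gated on the wrong permission.
     *
     * @param typedRecord the authorization command being processed
     * @return the command's value when the check passes, otherwise the rejection
     */
    public Either<Rejection, AuthorizationRecord> isAuthorized(TypedRecord<AuthorizationRecord> typedRecord) {
        return isAuthorized(typedRecord, PermissionType.UPDATE);
    }

    /**
     * Checks the command against the given permission on the
     * {@link AuthorizationResourceType#AUTHORIZATION} resource type.
     *
     * <p>The decision itself is made by {@link AuthorizationCheckBehavior#isAuthorized}; this
     * method only builds the request and, on success, swaps the result for the command's value.
     *
     * @param typedRecord the authorization command being processed
     * @param permissionType the permission the command requires
     * @return the command's value when the check passes, otherwise the rejection
     */
    public Either<Rejection, AuthorizationRecord> isAuthorized(TypedRecord<AuthorizationRecord> typedRecord, PermissionType permissionType) {
        final AuthorizationCheckBehavior.AuthorizationRequest request =
                new AuthorizationCheckBehavior.AuthorizationRequest(typedRecord, AuthorizationResourceType.AUTHORIZATION, permissionType);
        return this.authCheckBehavior.isAuthorized(request).map(ignored -> typedRecord.getValue());
    }

    /**
     * Looks up the authorization referenced by the record's authorization key.
     *
     * @param authorizationRecord record carrying the authorization key
     * @param str format template for the rejection reason; it is formatted with the key as its
     *     only argument (see the {@code AUTHORIZATION_DOES_NOT_EXIST_ERROR_MESSAGE_*} constants).
     *     Because it is used as a format string, it should be a fixed template and never text
     *     assembled from request data.
     * @return the persisted authorization, or a {@link RejectionType#NOT_FOUND} rejection when
     *     no authorization is stored under the key
     */
    public Either<Rejection, PersistedAuthorization> authorizationExists(AuthorizationRecord authorizationRecord, String str) {
        final long authorizationKey = authorizationRecord.getAuthorizationKey();
        // Explicit type witness instead of a raw (Either) cast, so the compiler checks both sides.
        return this.authorizationState
                .get(authorizationKey)
                .<Either<Rejection, PersistedAuthorization>>map(Either::right)
                .orElseGet(() -> Either.left(new Rejection(RejectionType.NOT_FOUND, str.formatted(authorizationKey))));
    }

    /**
     * Rejects the record when its owner already holds one of the requested permission types on
     * the record's resource identifier.
     *
     * <p>The lookup uses {@code getDirectAuthorizedResourceIdentifiers}.
     * NOTE(review): judging by the name this covers only grants assigned directly to the owner,
     * not ones obtained through other owners - confirm against AuthorizationCheckBehavior.
     *
     * @param authorizationRecord the authorization about to be created
     * @return the record unchanged, or a {@link RejectionType#ALREADY_EXISTS} rejection for the
     *     first permission type that is already granted
     */
    public Either<Rejection, AuthorizationRecord> permissionsAlreadyExist(AuthorizationRecord authorizationRecord) {
        final String resourceId = authorizationRecord.getResourceId();
        for (PermissionType permissionType : authorizationRecord.getPermissionTypes()) {
            final boolean alreadyGranted = this.authCheckBehavior
                    .getDirectAuthorizedResourceIdentifiers(
                            authorizationRecord.getOwnerType(),
                            authorizationRecord.getOwnerId(),
                            authorizationRecord.getResourceType(),
                            permissionType)
                    .contains(resourceId);
            if (alreadyGranted) {
                return Either.left(new Rejection(
                        RejectionType.ALREADY_EXISTS,
                        PERMISSIONS_ALREADY_EXISTS_MESSAGE.formatted(authorizationRecord.getOwnerId(), resourceId)));
            }
        }
        return Either.right(authorizationRecord);
    }

    /**
     * Verifies that every permission type on the record is supported by the resource type.
     *
     * <p>The check itself reads the permission types from {@code authorizationRecord}; {@code set}
     * is only used to report which types were refused.
     * NOTE(review): callers presumably pass the record's own permission types as {@code set} -
     * confirm, since a different set would make the message disagree with the check.
     *
     * @param authorizationRecord the authorization being validated
     * @param set the requested permission types, used for the rejection message; not modified
     * @param authorizationResourceType resource type whose supported permission types apply
     * @param str format template for the rejection reason; it is formatted with the unsupported
     *     types, the resource type and the supported types, in that order
     * @return the record unchanged, or a {@link RejectionType#INVALID_ARGUMENT} rejection
     */
    public Either<Rejection, AuthorizationRecord> hasValidPermissionTypes(AuthorizationRecord authorizationRecord, Set<PermissionType> set, AuthorizationResourceType authorizationResourceType, String str) {
        final Set<PermissionType> supported = authorizationResourceType.getSupportedPermissionTypes();
        if (supported.containsAll(authorizationRecord.getPermissionTypes())) {
            return Either.right(authorizationRecord);
        }
        // Work on a copy: removing from the caller's set would silently strip permission types
        // from whatever object owns it, and would throw on an unmodifiable set. LinkedHashSet
        // keeps the caller's iteration order, so the message text is unchanged.
        final Set<PermissionType> unsupported = new LinkedHashSet<>(set);
        unsupported.removeAll(supported);
        return Either.left(new Rejection(
                RejectionType.INVALID_ARGUMENT,
                str.formatted(unsupported, authorizationResourceType, supported)));
    }
}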
