package io.camunda.operate.webapp.security.permission;

import io.camunda.authentication.entity.CamundaUser;
import io.camunda.operate.exceptions.OperateRuntimeException;
import io.camunda.operate.webapp.elasticsearch.QueryHelper;
import io.camunda.operate.webapp.security.identity.IdentityPermission;
import io.camunda.operate.webapp.security.tenant.TenantService;
import io.camunda.security.auth.Authentication;
import io.camunda.security.auth.Authorization;
import io.camunda.security.auth.SecurityContext;
import io.camunda.security.configuration.SecurityConfiguration;
import io.camunda.security.impl.AuthorizationChecker;
import io.camunda.zeebe.protocol.record.value.AuthorizationResourceType;
import io.camunda.zeebe.protocol.record.value.PermissionType;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/* loaded from: input_file:io/camunda/operate/webapp/security/permission/PermissionsService.class */
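/**
 * Resolves the resource-level permissions of the currently authenticated Operate user.
 *
 * <p>The user (principal) is read from Spring's {@link SecurityContextHolder}; only a
 * {@link CamundaUser} principal counts as authenticated here. Authorization decisions are
 * delegated to the {@link AuthorizationChecker}. Two guard rails apply throughout:
 *
 * <ul>
 *   <li>When authorizations are disabled in {@link SecurityConfiguration}, the
 *       {@code hasPermission*}/{@code get*WithPermission} methods allow everything. This is a
 *       configuration-driven bypass, not a per-request decision.
 *   <li>When no {@link CamundaUser} is authenticated, those methods fail closed (deny / empty set).
 * </ul>
 */
public class PermissionsService {
    private static final Logger LOGGER = LoggerFactory.getLogger(PermissionsService.class);
    private final SecurityConfiguration securityConfiguration;
    private final AuthorizationChecker authorizationChecker;
    private final TenantService tenantService;

    /**
     * Outcome of a "which resources may the user access" query: either every resource
     * ({@link #isAll()}) or an explicit set of resource ids ({@link #getIds()}).
     */
    /* loaded from: input_file:io/camunda/operate/webapp/security/permission/PermissionsService$ResourcesAllowed.class */
    public static final class ResourcesAllowed {
        // true means "no restriction"; ids is then null
        private final boolean all;
        private final Set<String> ids;

        private ResourcesAllowed(boolean all, Set<String> ids) {
            this.all = all;
            this.ids = ids;
        }

        /** Creates a result meaning "all resources are allowed"; {@link #getIds()} is {@code null}. */
        public static ResourcesAllowed all() {
            return new ResourcesAllowed(true, null);
        }

        /** Creates a result restricted to exactly the given ids (the set is stored as passed). */
        public static ResourcesAllowed withIds(Set<String> ids) {
            return new ResourcesAllowed(false, ids);
        }

        @Override
        public int hashCode() {
            return Objects.hash(this.all, this.ids);
        }

        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            ResourcesAllowed other = (ResourcesAllowed) obj;
            return this.all == other.all && Objects.equals(this.ids, other.ids);
        }

        /** @return {@code true} when no id restriction applies */
        public boolean isAll() {
            return this.all;
        }

        /**
         * @return the allowed resource ids, or {@code null} when {@link #isAll()} is {@code true};
         *     callers must check {@link #isAll()} first
         */
        public Set<String> getIds() {
            return this.ids;
        }
    }

    public PermissionsService(SecurityConfiguration securityConfiguration, AuthorizationChecker authorizationChecker, TenantService tenantService) {
        this.securityConfiguration = securityConfiguration;
        this.authorizationChecker = authorizationChecker;
        this.tenantService = tenantService;
    }

    /** Permission type names the current user holds on the given process definition. */
    public Set<String> getProcessDefinitionPermissions(String processDefinitionId) {
        return getResourcePermissions(processDefinitionId, AuthorizationResourceType.PROCESS_DEFINITION);
    }

    /** Permission type names the current user holds on the given decision definition. */
    public Set<String> getDecisionDefinitionPermissions(String decisionDefinitionId) {
        return getResourcePermissions(decisionDefinitionId, AuthorizationResourceType.DECISION_DEFINITION);
    }

    /**
     * Collects the names of all {@link PermissionType}s the current user holds on one resource.
     *
     * <p>Note: unlike {@link #hasPermissionForProcess} this does not consult
     * {@link #permissionsEnabled()}; an unauthenticated caller simply gets an empty set.
     *
     * @param resourceId the resource identifier handed to the authorization checker
     * @param resourceType the resource type the id belongs to
     * @return a mutable set of permission type names, empty when not authenticated
     */
    public Set<String> getResourcePermissions(String resourceId, AuthorizationResourceType resourceType) {
        Set<String> permissions = new HashSet<>();
        if (isAuthorized()) {
            this.authorizationChecker
                .collectPermissionTypes(resourceId, resourceType, getAuthentication())
                .forEach(permissionType -> permissions.add(permissionType.name()));
        }
        return permissions;
    }

    /** Whether the current user holds {@code permission} on the given process definition. */
    public boolean hasPermissionForProcess(String processDefinitionId, IdentityPermission permission) {
        return hasPermissionForResource(processDefinitionId, AuthorizationResourceType.PROCESS_DEFINITION, permission);
    }

    /** Whether the current user holds {@code permission} on the given decision definition. */
    public boolean hasPermissionForDecision(String decisionDefinitionId, IdentityPermission permission) {
        return hasPermissionForResource(decisionDefinitionId, AuthorizationResourceType.DECISION_DEFINITION, permission);
    }

    /**
     * Single-resource check: allow-all when authorizations are disabled, deny when unauthenticated,
     * otherwise ask the authorization checker.
     */
    private boolean hasPermissionForResource(String resourceId, AuthorizationResourceType resourceType, IdentityPermission permission) {
        if (!permissionsEnabled()) {
            return true;
        }
        if (!isAuthorized()) {
            // fail closed: no CamundaUser principal means no access
            return false;
        }
        return isAuthorizedFor(resourceId, resourceType, getPermission(permission));
    }

    /** Process definitions the current user may access with {@code permission}. */
    public ResourcesAllowed getProcessesWithPermission(IdentityPermission permission) {
        return getResourcesWithPermission(AuthorizationResourceType.PROCESS_DEFINITION, permission);
    }

    /** Decision definitions the current user may access with {@code permission}. */
    public ResourcesAllowed getDecisionsWithPermission(IdentityPermission permission) {
        return getResourcesWithPermission(AuthorizationResourceType.DECISION_DEFINITION, permission);
    }

    /**
     * Resolves the set of resource keys the user may access with {@code permission}.
     *
     * @return {@link ResourcesAllowed#all()} when authorizations are disabled or the checker
     *     returns the wildcard key; an empty id set when unauthenticated; otherwise the returned
     *     keys in checker order
     * @throws OperateRuntimeException when {@code permission} has no {@link PermissionType} counterpart
     */
    private ResourcesAllowed getResourcesWithPermission(AuthorizationResourceType resourceType, IdentityPermission permission) {
        if (!permissionsEnabled()) {
            return ResourcesAllowed.all();
        }
        if (!isAuthorized()) {
            return ResourcesAllowed.withIds(Set.of());
        }
        List<String> authorizedKeys = this.authorizationChecker.retrieveAuthorizedResourceKeys(
            getSecurityContext(new Authorization(resourceType, getPermission(permission))));
        if (hasWildcardPermission(authorizedKeys)) {
            return ResourcesAllowed.all();
        }
        // a null key list from the checker is treated as "nothing allowed" rather than failing with an NPE
        Set<String> ids = authorizedKeys == null ? Set.of() : new LinkedHashSet<>(authorizedKeys);
        return ResourcesAllowed.withIds(ids);
    }

    /** {@code true} when the checker's key list contains the wildcard ({@link QueryHelper#WILD_CARD}). */
    private boolean hasWildcardPermission(List<String> resourceKeys) {
        return resourceKeys != null && resourceKeys.contains(QueryHelper.WILD_CARD);
    }

    /** Whether resource authorizations are switched on in the security configuration. */
    public boolean permissionsEnabled() {
        return this.securityConfiguration.getAuthorizations().isEnabled();
    }

    /** Authenticated here means: a {@link CamundaUser} principal with a user key is present. */
    private boolean isAuthorized() {
        return getAuthenticatedUserKey() != null;
    }

    /**
     * The {@link CamundaUser} principal of the current Spring security context, or {@code null}
     * when there is no authentication or the principal is of another type.
     */
    private CamundaUser currentCamundaUser() {
        org.springframework.security.core.Authentication authentication =
            SecurityContextHolder.getContext().getAuthentication();
        if (authentication != null && authentication.getPrincipal() instanceof CamundaUser user) {
            return user;
        }
        return null;
    }

    /** The current user's key, or {@code null} when no {@link CamundaUser} is authenticated. */
    private Long getAuthenticatedUserKey() {
        CamundaUser user = currentCamundaUser();
        return user == null ? null : user.getUserKey();
    }

    /** Role keys of the current user; empty when no {@link CamundaUser} is authenticated. */
    private List<Long> getAuthenticatedUserRoleKeys() {
        CamundaUser user = currentCamundaUser();
        if (user == null) {
            return Collections.emptyList();
        }
        return user.getRoles().stream().map(role -> role.roleKey()).toList();
    }

    private boolean isAuthorizedFor(String resourceId, AuthorizationResourceType resourceType, PermissionType permissionType) {
        return this.authorizationChecker.isAuthorized(resourceId, getSecurityContext(new Authorization(resourceType, permissionType)));
    }

    private SecurityContext getSecurityContext(Authorization authorization) {
        return new SecurityContext(getAuthentication(), authorization);
    }

    /**
     * Builds the Camunda authentication (user key, role keys, tenant ids) passed to the checker.
     * Fully qualified because the Spring {@code Authentication} type is also imported in this file.
     */
    private io.camunda.security.auth.Authentication getAuthentication() {
        Long userKey = getAuthenticatedUserKey();
        List<Long> roleKeys = getAuthenticatedUserRoleKeys();
        return new io.camunda.security.auth.Authentication.Builder()
            .user(userKey)
            .roleKeys(roleKeys)
            .tenants(this.tenantService.tenantIds())
            .build();
    }

    /**
     * Maps an {@link IdentityPermission} to the {@link PermissionType} with the same name.
     *
     * @throws OperateRuntimeException when there is no such {@link PermissionType} or
     *     {@code permission} is {@code null}; the original failure is kept as the cause
     */
    private PermissionType getPermission(IdentityPermission permission) {
        try {
            return PermissionType.valueOf(permission.name());
        } catch (IllegalArgumentException | NullPointerException e) {
            throw new OperateRuntimeException(
                String.format("No PermissionType found for IdentityPermission [%s]", permission), e);
        }
    }
}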
