package io.camunda.operate.webapp.security.identity;

import io.camunda.operate.exceptions.OperateRuntimeException;
import io.camunda.operate.property.OperateProperties;
import io.camunda.operate.webapp.security.SecurityContextWrapper;
import io.camunda.operate.webapp.security.sso.TokenAuthentication;
import jakarta.annotation.PostConstruct;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;

/* loaded from: input_file:io/camunda/operate/webapp/security/identity/PermissionsService.class */
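/**
 * Answers resource-based authorization questions for process and decision definitions, using
 * the authorizations attached to the current {@link Authentication}.
 *
 * <p>Security-relevant behaviour visible in this class:
 *
 * <ul>
 *   <li>Enforcement is off when {@code isResourcePermissionsEnabled()} is false or when the
 *       current authentication is a {@link JwtAuthenticationToken}. In both cases the
 *       {@code hasPermissionFor*} methods return {@code true} and the {@code get*WithPermission}
 *       methods return {@link ResourcesAllowed#all()}.
 *   <li>When enforcement is on, a missing authentication, an authentication of an unrecognised
 *       type, or a {@code null} authorization list all yield an empty authorization list, so
 *       every check is denied.
 *   <li>{@code getProcessDefinitionPermission} and {@code getDecisionDefinitionPermission} do
 *       not consult the enforcement switch. They only report what the token carries.
 * </ul>
 */
public class PermissionsService {
    public static final String RESOURCE_KEY_ALL = "*";
    public static final String RESOURCE_TYPE_PROCESS_DEFINITION = "process-definition";
    public static final String RESOURCE_TYPE_DECISION_DEFINITION = "decision-definition";
    private static final Logger LOGGER = LoggerFactory.getLogger(PermissionsService.class);
    private final OperateProperties operateProperties;
    private final SecurityContextWrapper securityContextWrapperComponent;

    /* loaded from: input_file:io/camunda/operate/webapp/security/identity/PermissionsService$ResourcesAllowed.class */
    /**
     * Result of a "which resources may the caller touch" query: either every resource, or an
     * explicit set of resource keys.
     */
    public static final class ResourcesAllowed {
        private final boolean all;
        // null when created through all(); otherwise the set handed to withIds(), not copied.
        private final Set<String> ids;

        private ResourcesAllowed(boolean allResources, Set<String> resourceIds) {
            this.all = allResources;
            this.ids = resourceIds;
        }

        /**
         * Creates a result that allows every resource.
         *
         * @return an instance whose {@link #isAll()} is {@code true} and whose
         *     {@link #getIds()} is {@code null}
         */
        public static ResourcesAllowed all() {
            return new ResourcesAllowed(true, null);
        }

        /**
         * Creates a result restricted to the given resource keys.
         *
         * @param set the allowed resource keys; the reference is stored as-is, so later changes
         *     to the set are visible through this instance
         * @return an instance whose {@link #isAll()} is {@code false}
         */
        public static ResourcesAllowed withIds(Set<String> set) {
            return new ResourcesAllowed(false, set);
        }

        @Override
        public int hashCode() {
            return Objects.hash(this.all, this.ids);
        }

        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            final ResourcesAllowed other = (ResourcesAllowed) obj;
            return this.all == other.all && Objects.equals(this.ids, other.ids);
        }

        /**
         * @return {@code true} when every resource is allowed; callers must test this before
         *     reading {@link #getIds()}
         */
        public boolean isAll() {
            return this.all;
        }

        /**
         * @return the allowed resource keys, or {@code null} for an instance created by
         *     {@link #all()}; the internal set is returned without a defensive copy
         */
        public Set<String> getIds() {
            return this.ids;
        }
    }

    /**
     * @param operateProperties source of the resource-permissions switch
     * @param securityContextWrapper provides the current {@link Authentication}
     */
    public PermissionsService(OperateProperties operateProperties, SecurityContextWrapper securityContextWrapper) {
        this.operateProperties = operateProperties;
        this.securityContextWrapperComponent = securityContextWrapper;
    }

    /** Logs a debug line once the bean has been constructed. */
    @PostConstruct
    public void logCreated() {
        LOGGER.debug("PermissionsService bean created.");
    }

    /**
     * Returns the permissions granted on a process definition, including those granted through
     * the wildcard resource key.
     *
     * @param str resource key to match against the authorizations
     * @return a new mutable set of permission names; empty when nothing matches
     */
    public Set<String> getProcessDefinitionPermission(String str) {
        return getProcessDefinitionPermission(str, true);
    }

    /**
     * Returns the permissions granted on a process definition. The enforcement switch is not
     * consulted here.
     *
     * @param str resource key to match against the authorizations
     * @param z whether permissions granted on {@link #RESOURCE_KEY_ALL} are added to the result
     * @return a new mutable set of permission names; empty when nothing matches
     */
    public Set<String> getProcessDefinitionPermission(String str, boolean z) {
        final Set<String> granted = lookupPermissions(RESOURCE_TYPE_PROCESS_DEFINITION, str);
        if (z) {
            granted.addAll(getProcessDefinitionPermission(RESOURCE_KEY_ALL, false));
        }
        return granted;
    }

    /**
     * Returns the permissions granted on a decision definition, including those granted through
     * the wildcard resource key.
     *
     * @param str resource key to match against the authorizations
     * @return a new mutable set of permission names; empty when nothing matches
     */
    public Set<String> getDecisionDefinitionPermission(String str) {
        return getDecisionDefinitionPermission(str, true);
    }

    /**
     * Returns the permissions granted on a decision definition. The enforcement switch is not
     * consulted here.
     *
     * @param str resource key to match against the authorizations
     * @param z whether permissions granted on {@link #RESOURCE_KEY_ALL} are added to the result
     * @return a new mutable set of permission names; empty when nothing matches
     */
    public Set<String> getDecisionDefinitionPermission(String str, boolean z) {
        final Set<String> granted = lookupPermissions(RESOURCE_TYPE_DECISION_DEFINITION, str);
        if (z) {
            granted.addAll(getDecisionDefinitionPermission(RESOURCE_KEY_ALL, false));
        }
        return granted;
    }

    /**
     * Checks whether the caller holds a permission on a process definition.
     *
     * @param str resource key of the process definition
     * @param identityPermission permission to look for
     * @return {@code true} when enforcement is off, or when the permission is granted directly
     *     or through the wildcard key
     * @throws IllegalStateException if enforcement is on and {@code identityPermission} is null
     */
    public boolean hasPermissionForProcess(String str, IdentityPermission identityPermission) {
        if (!permissionsEnabled()) {
            return true;
        }
        if (identityPermission == null) {
            throw new IllegalStateException("Identity permission can't be null");
        }
        return containsPermission(getProcessDefinitionPermission(str), identityPermission);
    }

    /**
     * Checks whether the caller holds a permission on a decision definition.
     *
     * @param str resource key of the decision definition
     * @param identityPermission permission to look for
     * @return {@code true} when enforcement is off, or when the permission is granted directly
     *     or through the wildcard key
     * @throws IllegalStateException if enforcement is on and {@code identityPermission} is null
     */
    public boolean hasPermissionForDecision(String str, IdentityPermission identityPermission) {
        if (!permissionsEnabled()) {
            return true;
        }
        if (identityPermission == null) {
            throw new IllegalStateException("Identity permission can't be null");
        }
        return containsPermission(getDecisionDefinitionPermission(str), identityPermission);
    }

    /** Collects the permissions of the first authorization matching the resource type and key. */
    private Set<String> lookupPermissions(String resourceType, String resourceKey) {
        final Set<String> granted = new HashSet<>();
        // Only the first matching authorization is read; later entries for the same type and
        // key are ignored.
        getIdentityAuthorizations().stream()
            .filter(authorization -> Objects.equals(authorization.getResourceKey(), resourceKey)
                && Objects.equals(authorization.getResourceType(), resourceType))
            .findFirst()
            .ifPresent(authorization -> {
                if (authorization.getPermissions() != null) {
                    granted.addAll(authorization.getPermissions());
                }
            });
        return granted;
    }

    /** Tests, ignoring case, whether the granted names include the requested permission. */
    private boolean containsPermission(Set<String> granted, IdentityPermission identityPermission) {
        // A null entry in the granted set counts as "no match" (deny) instead of raising a
        // NullPointerException in the middle of an authorization check.
        // NOTE(review): this comparison is case-insensitive and uses toString(), whereas the
        // get*WithPermission methods use a case-sensitive contains(name()). Confirm which
        // matching rule is intended so both paths reach the same decision.
        return granted.stream()
            .anyMatch(name -> name != null && name.equalsIgnoreCase(identityPermission.toString()));
    }

    /**
     * Reads the authorizations carried by the current authentication.
     *
     * @return the authorization list of the authentication object, or an empty list when there
     *     is no authentication, its type is not recognised, or it carries no list
     */
    private List<IdentityAuthorization> getIdentityAuthorizations() {
        List<IdentityAuthorization> authorizations = null;
        final Authentication authentication = this.securityContextWrapperComponent.getAuthentication();
        if (authentication == null) {
            return new ArrayList<>();
        }
        // The full authorization list is written to the log at debug level below.
        if (authentication instanceof IdentityAuthentication) {
            authorizations = ((IdentityAuthentication) authentication).getAuthorizations();
            LOGGER.debug("Following authorizations found for IdentityAuthentication: {}", authorizations);
        } else if (authentication instanceof TokenAuthentication) {
            authorizations = ((TokenAuthentication) authentication).getAuthorizations();
            LOGGER.debug("Following authorizations found for TokenAuthentication: {}", authorizations);
        } else {
            // Unknown authentication types fall through with no authorizations, so enforced
            // checks deny. The exception is created only to record a stack trace in the log.
            LOGGER.error(
                "Unable to read resource based permissions. Unknown token type: {}",
                authentication.getClass().getSimpleName(),
                new OperateRuntimeException());
        }
        return authorizations == null ? new ArrayList<>() : authorizations;
    }

    /**
     * @return {@code true} only when resource permissions are switched on in the properties and
     *     the current authentication is not a {@link JwtAuthenticationToken}
     */
    private boolean permissionsEnabled() {
        return this.operateProperties.getIdentity().isResourcePermissionsEnabled() && !isJwtToken();
    }

    /** @return whether the current authentication is a {@link JwtAuthenticationToken} */
    private boolean isJwtToken() {
        return this.securityContextWrapperComponent.getAuthentication() instanceof JwtAuthenticationToken;
    }

    /**
     * Lists the process definitions on which the caller holds a permission.
     *
     * @param identityPermission permission to look for
     * @return {@link ResourcesAllowed#all()} when enforcement is off or the permission is
     *     granted on the wildcard key; otherwise the matching resource keys (possibly none)
     * @throws IllegalStateException if {@code identityPermission} is null
     */
    public ResourcesAllowed getProcessesWithPermission(IdentityPermission identityPermission) {
        if (identityPermission == null) {
            throw new IllegalStateException("Identity permission can't be null");
        }
        if (!permissionsEnabled()) {
            return ResourcesAllowed.all();
        }
        return resourcesWithPermission(RESOURCE_TYPE_PROCESS_DEFINITION, identityPermission);
    }

    /**
     * Lists the decision definitions on which the caller holds a permission.
     *
     * @param identityPermission permission to look for
     * @return {@link ResourcesAllowed#all()} when enforcement is off or the permission is
     *     granted on the wildcard key; otherwise the matching resource keys (possibly none)
     * @throws IllegalStateException if {@code identityPermission} is null
     */
    public ResourcesAllowed getDecisionsWithPermission(IdentityPermission identityPermission) {
        if (identityPermission == null) {
            throw new IllegalStateException("Identity permission can't be null");
        }
        if (!permissionsEnabled()) {
            return ResourcesAllowed.all();
        }
        return resourcesWithPermission(RESOURCE_TYPE_DECISION_DEFINITION, identityPermission);
    }

    /** Gathers the resource keys of one resource type that carry the requested permission. */
    private ResourcesAllowed resourcesWithPermission(String resourceType, IdentityPermission identityPermission) {
        final Set<String> allowedKeys = new HashSet<>();
        for (IdentityAuthorization authorization : getIdentityAuthorizations()) {
            if (!Objects.equals(authorization.getResourceType(), resourceType)) {
                continue;
            }
            // Case-sensitive match on the enum constant name.
            if (authorization.getPermissions() != null
                && authorization.getPermissions().contains(identityPermission.name())) {
                if (RESOURCE_KEY_ALL.equals(authorization.getResourceKey())) {
                    // A wildcard grant overrides any explicit key list.
                    return ResourcesAllowed.all();
                }
                allowedKeys.add(authorization.getResourceKey());
            }
        }
        return ResourcesAllowed.withIds(allowedKeys);
    }
}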
