package io.camunda.tasklist.webapp.security.permission;

import io.camunda.security.auth.Authentication;
import io.camunda.security.auth.Authorization;
import io.camunda.security.configuration.SecurityConfiguration;
import io.camunda.security.impl.AuthorizationChecker;
import io.camunda.service.security.SecurityContextProvider;
import io.camunda.tasklist.util.LazySupplier;
import io.camunda.webapps.schema.entities.tasklist.TaskEntity;
import io.camunda.zeebe.gateway.rest.RequestMapper;
import java.util.List;
import java.util.function.Supplier;
import org.springframework.stereotype.Component;

/**
 * Answers Tasklist permission questions about process definitions for the authentication
 * attached to the current request.
 *
 * <p>Security note: this class fails open. Every check is skipped, and access is granted,
 * when authorizations are switched off in {@link SecurityConfiguration} or when the current
 * {@link Authentication} is {@code null} or has no authenticated user key. See
 * {@link #isAuthorizationCheckDisabled(Supplier)}.
 */
@Component
/* loaded from: input_file:io/camunda/tasklist/webapp/security/permission/TasklistPermissionServices.class */
public class TasklistPermissionServices {
    /** Returned instead of concrete resource keys whenever the authorization check is skipped. */
    private static final List<String> WILD_CARD_PERMISSION = List.of("*");

    /** Authorization built through {@code processDefinition().readProcessDefinition()}. */
    private static final Authorization READ_PROC_DEF_AUTH_CHECK =
            Authorization.of(builder -> builder.processDefinition().readProcessDefinition());

    /** Authorization built through {@code processDefinition().createProcessInstance()}. */
    private static final Authorization CREATE_PROC_INST_AUTH_CHECK =
            Authorization.of(builder -> builder.processDefinition().createProcessInstance());

    /** Authorization built through {@code processDefinition().updateUserTask()}. */
    private static final Authorization UPDATE_USER_TASK_AUTH_CHECK =
            Authorization.of(builder -> builder.processDefinition().updateUserTask());

    private final SecurityConfiguration securityConfiguration;
    private final SecurityContextProvider securityContextProvider;
    private final AuthorizationChecker authorizationChecker;

    /**
     * Stores the collaborators used by the permission checks.
     *
     * @param securityConfiguration read to find out whether authorizations are enabled
     * @param securityContextProvider performs the per-resource check and builds security contexts
     * @param authorizationChecker resolves the resource keys a security context is authorized for
     */
    public TasklistPermissionServices(SecurityConfiguration securityConfiguration, SecurityContextProvider securityContextProvider, AuthorizationChecker authorizationChecker) {
        this.securityConfiguration = securityConfiguration;
        this.securityContextProvider = securityContextProvider;
        this.authorizationChecker = authorizationChecker;
    }

    /**
     * Checks the create-process-instance authorization for one resource.
     *
     * @param str resource identifier handed to the authorization check
     * @return {@code true} when authorized or when the check is skipped
     */
    public boolean hasPermissionToCreateProcessInstance(String str) {
        return isAuthorizedForResource(str, CREATE_PROC_INST_AUTH_CHECK);
    }

    /**
     * Checks the read-process-definition authorization for one resource.
     *
     * @param str resource identifier handed to the authorization check
     * @return {@code true} when authorized or when the check is skipped
     */
    public boolean hasPermissionToReadProcessDefinition(String str) {
        return isAuthorizedForResource(str, READ_PROC_DEF_AUTH_CHECK);
    }

    /**
     * Checks the update-user-task authorization, using the task's BPMN process id as the
     * resource identifier.
     *
     * @param taskEntity task whose {@code getBpmnProcessId()} is checked; dereferenced without a
     *     null guard
     * @return {@code true} when authorized or when the check is skipped
     */
    public boolean hasPermissionToUpdateUserTask(TaskEntity taskEntity) {
        final String bpmnProcessId = taskEntity.getBpmnProcessId();
        return isAuthorizedForResource(bpmnProcessId, UPDATE_USER_TASK_AUTH_CHECK);
    }

    /**
     * Lists the resource keys for which the current authentication holds the
     * create-process-instance authorization.
     *
     * @return the keys reported by the {@link AuthorizationChecker}, or the single-element
     *     wildcard list {@code ["*"]} when the check is skipped
     */
    public List<String> getProcessDefinitionsWithCreateProcessInstancePermission() {
        final Supplier<Authentication> currentAuthentication = LazySupplier.of(RequestMapper::getAuthentication);
        if (!isAuthorizationCheckDisabled(currentAuthentication)) {
            return this.authorizationChecker.retrieveAuthorizedResourceKeys(
                    this.securityContextProvider.provideSecurityContext(currentAuthentication.get(), CREATE_PROC_INST_AUTH_CHECK));
        }
        // Fail-open path: callers receive "*" rather than an empty list.
        return WILD_CARD_PERMISSION;
    }

    /**
     * Runs a single authorization check for the current authentication.
     *
     * @param str resource identifier to check
     * @param authorization authorization that must be held
     * @return {@code true} when the check is skipped, otherwise the provider's verdict
     */
    private boolean isAuthorizedForResource(String str, Authorization authorization) {
        // The supplier is read once by the disabled-check and again below; LazySupplier presumably
        // caches the first result so both reads see the same Authentication (TODO confirm).
        final Supplier<Authentication> currentAuthentication = LazySupplier.of(RequestMapper::getAuthentication);
        return isAuthorizationCheckDisabled(currentAuthentication)
                || this.securityContextProvider.isAuthorized(str, currentAuthentication.get(), authorization);
    }

    /**
     * Decides whether the authorization check is skipped entirely.
     *
     * <p>NOTE(review): this is the fail-open decision point. A request whose authentication is
     * missing, or carries no authenticated user key, is treated exactly like "authorizations
     * disabled" and is granted every permission this class covers. That is only safe if
     * unauthenticated requests are rejected before they reach this service; verify that for
     * every entry point that calls it.
     *
     * @param authenticationSupplier source of the current authentication; not invoked when
     *     authorizations are disabled in configuration
     * @return {@code true} when no authorization check should be performed
     */
    private boolean isAuthorizationCheckDisabled(Supplier<Authentication> authenticationSupplier) {
        if (isAuthorizationDisabled()) {
            return true;
        }
        return isWithoutAuthenticatedUserKey(authenticationSupplier.get());
    }

    /**
     * Reports whether authorizations are switched off in the security configuration.
     *
     * @return {@code true} when {@code getAuthorizations().isEnabled()} is {@code false}
     */
    private boolean isAuthorizationDisabled() {
        final boolean authorizationsEnabled = this.securityConfiguration.getAuthorizations().isEnabled();
        return !authorizationsEnabled;
    }

    /**
     * Reports whether the authentication lacks an authenticated user key.
     *
     * @param authentication authentication to inspect, may be {@code null}
     * @return {@code true} when {@code authentication} or its user key is {@code null}
     */
    private boolean isWithoutAuthenticatedUserKey(Authentication authentication) {
        if (authentication == null) {
            return true;
        }
        return authentication.authenticatedUserKey() == null;
    }
}
