package org.eclipse.ditto.policies.enforcement.pre;

import com.typesafe.config.Config;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import java.util.regex.Pattern;
import javax.annotation.concurrent.Immutable;
import org.apache.pekko.actor.ActorSystem;
import org.eclipse.ditto.base.model.entity.id.WithEntityId;
import org.eclipse.ditto.base.model.exceptions.EntityNotCreatableException;
import org.eclipse.ditto.base.model.headers.DittoHeaders;
import org.eclipse.ditto.base.model.signals.Signal;
import org.eclipse.ditto.base.model.signals.commands.Command;
import org.eclipse.ditto.internal.utils.pekko.logging.DittoLoggerFactory;
import org.eclipse.ditto.internal.utils.pekko.logging.ThreadSafeDittoLogger;
import org.eclipse.ditto.policies.enforcement.config.CreationRestrictionConfig;
import org.eclipse.ditto.policies.enforcement.config.DefaultEntityCreationConfig;
import org.eclipse.ditto.policies.enforcement.config.EntityCreationConfig;

@Immutable
/* loaded from: input_file:org/eclipse/ditto/policies/enforcement/pre/CreationRestrictionPreEnforcer.class */
public final class CreationRestrictionPreEnforcer implements PreEnforcer {
    private static final ThreadSafeDittoLogger LOG = DittoLoggerFactory.getThreadSafeLogger((Class<?>) CreationRestrictionPreEnforcer.class);
    private final EntityCreationConfig config;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/eclipse/ditto/policies/enforcement/pre/CreationRestrictionPreEnforcer$Context.class */
    public static final class Context extends Record {
        private final String resourceType;
        private final String namespace;
        private final DittoHeaders headers;

        Context(String str, String str2, DittoHeaders dittoHeaders) {
            this.resourceType = str;
            this.namespace = str2;
            this.headers = dittoHeaders;
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, Context.class), Context.class, "resourceType;namespace;headers", "FIELD:Lorg/eclipse/ditto/policies/enforcement/pre/CreationRestrictionPreEnforcer$Context;->resourceType:Ljava/lang/String;", "FIELD:Lorg/eclipse/ditto/policies/enforcement/pre/CreationRestrictionPreEnforcer$Context;->namespace:Ljava/lang/String;", "FIELD:Lorg/eclipse/ditto/policies/enforcement/pre/CreationRestrictionPreEnforcer$Context;->headers:Lorg/eclipse/ditto/base/model/headers/DittoHeaders;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, Context.class), Context.class, "resourceType;namespace;headers", "FIELD:Lorg/eclipse/ditto/policies/enforcement/pre/CreationRestrictionPreEnforcer$Context;->resourceType:Ljava/lang/String;", "FIELD:Lorg/eclipse/ditto/policies/enforcement/pre/CreationRestrictionPreEnforcer$Context;->namespace:Ljava/lang/String;", "FIELD:Lorg/eclipse/ditto/policies/enforcement/pre/CreationRestrictionPreEnforcer$Context;->headers:Lorg/eclipse/ditto/base/model/headers/DittoHeaders;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, Context.class, Object.class), Context.class, "resourceType;namespace;headers", "FIELD:Lorg/eclipse/ditto/policies/enforcement/pre/CreationRestrictionPreEnforcer$Context;->resourceType:Ljava/lang/String;", "FIELD:Lorg/eclipse/ditto/policies/enforcement/pre/CreationRestrictionPreEnforcer$Context;->namespace:Ljava/lang/String;", "FIELD:Lorg/eclipse/ditto/policies/enforcement/pre/CreationRestrictionPreEnforcer$Context;->headers:Lorg/eclipse/ditto/base/model/headers/DittoHeaders;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        public String resourceType() {
            return this.resourceType;
        }

        public String namespace() {
            return this.namespace;
        }

        public DittoHeaders headers() {
            return this.headers;
        }
    }

    public CreationRestrictionPreEnforcer(ActorSystem actorSystem, Config config) {
        this.config = DefaultEntityCreationConfig.of(actorSystem.settings().config());
    }

    boolean canCreate(Context context) {
        return matchesList(this.config.getGrant(), context) && !matchesList(this.config.getRevoke(), context);
    }

    private boolean matchesList(List<CreationRestrictionConfig> list, Context context) {
        return list.stream().anyMatch(creationRestrictionConfig -> {
            return matches(creationRestrictionConfig, context);
        });
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static boolean matches(CreationRestrictionConfig creationRestrictionConfig, Context context) {
        return matchesResourceType(creationRestrictionConfig.getResourceTypes(), context) && matchesAuthSubjectPattern(creationRestrictionConfig.getAuthSubject(), context) && matchesNamespacePattern(creationRestrictionConfig.getNamespace(), context);
    }

    private static boolean matchesResourceType(Set<String> set, Context context) {
        if (set.isEmpty()) {
            LOG.withCorrelationId(context.headers()).debug("No resource type restriction: pass");
            return true;
        }
        if (set.contains(context.resourceType())) {
            return true;
        }
        LOG.withCorrelationId(context.headers()).debug("No resource type match: reject");
        return false;
    }

    private static boolean matchesAuthSubjectPattern(List<Pattern> list, Context context) {
        if (list.isEmpty()) {
            LOG.withCorrelationId(context.headers()).debug("No auth subject restriction: pass");
            return true;
        }
        for (String str : context.headers().getAuthorizationContext().getAuthorizationSubjectIds()) {
            Iterator<Pattern> it = list.iterator();
            while (it.hasNext()) {
                if (it.next().matcher(str).matches()) {
                    LOG.withCorrelationId(context.headers()).debug("Matched auth subject {}: pass", str);
                    return true;
                }
            }
        }
        LOG.withCorrelationId(context.headers()).debug("No auth subject match: reject");
        return false;
    }

    private static boolean matchesNamespacePattern(List<Pattern> list, Context context) {
        if (list.isEmpty()) {
            LOG.withCorrelationId(context.headers()).debug("No namespace restriction: pass");
            return true;
        }
        String namespace = context.namespace();
        for (Pattern pattern : list) {
            if (pattern.matcher(namespace).matches()) {
                LOG.withCorrelationId(context.headers()).debug("Namespace '{}' matched {}: pass", namespace, pattern);
                return true;
            }
        }
        LOG.withCorrelationId(context.headers()).debug("No namespace match: reject");
        return false;
    }

    public String toString() {
        return getClass().getSimpleName() + " [config=" + this.config + "]";
    }

    @Override // java.util.function.Function
    public CompletionStage<Signal<?>> apply(Signal<?> signal) {
        return isCreatingCommand(signal) ? CompletableFuture.completedFuture(handleCreatingCommand(signal)) : CompletableFuture.completedFuture(signal);
    }

    private static boolean isCreatingCommand(Signal<?> signal) {
        return (signal instanceof Command) && ((Command) signal).getCategory().equals(Command.Category.CREATE);
    }

    private Signal<?> handleCreatingCommand(Signal<?> signal) {
        WithEntityId messageAsWithEntityId = getMessageAsWithEntityId(signal);
        if (canCreate(new Context(signal.getResourceType(), getEntityIdAsNamespacedEntityId(messageAsWithEntityId.getEntityId()).getNamespace(), signal.getDittoHeaders()))) {
            return signal;
        }
        throw EntityNotCreatableException.newBuilder(messageAsWithEntityId.getEntityId()).dittoHeaders(signal.getDittoHeaders()).build();
    }
}
