package org.eclipse.ditto.model.enforcers.tree;

import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import javax.annotation.Nullable;
import javax.annotation.concurrent.Immutable;
import org.eclipse.ditto.json.JsonFactory;
import org.eclipse.ditto.json.JsonField;
import org.eclipse.ditto.json.JsonKey;
import org.eclipse.ditto.json.JsonObject;
import org.eclipse.ditto.json.JsonObjectBuilder;
import org.eclipse.ditto.json.JsonPointer;
import org.eclipse.ditto.json.JsonValue;
import org.eclipse.ditto.model.base.auth.AuthorizationContext;
import org.eclipse.ditto.model.base.auth.AuthorizationSubject;
import org.eclipse.ditto.model.base.common.ConditionChecker;
import org.eclipse.ditto.model.enforcers.EffectedSubjectIds;
import org.eclipse.ditto.model.enforcers.EffectedSubjects;
import org.eclipse.ditto.model.enforcers.Enforcer;
import org.eclipse.ditto.model.policies.EffectedPermissions;
import org.eclipse.ditto.model.policies.Permissions;
import org.eclipse.ditto.model.policies.Policy;
import org.eclipse.ditto.model.policies.Resource;
import org.eclipse.ditto.model.policies.ResourceKey;

/* loaded from: input_file:org/eclipse/ditto/model/enforcers/tree/TreeBasedPolicyEnforcer.class */
public final class TreeBasedPolicyEnforcer implements Enforcer {
    private static final String ROOT_RESOURCE = "/";
    private final Map<String, PolicyTreeNode> tree;

    /* JADX INFO: Access modifiers changed from: package-private */
    @Immutable
    /* loaded from: input_file:org/eclipse/ditto/model/enforcers/tree/TreeBasedPolicyEnforcer$PointerAndPermission.class */
    public static final class PointerAndPermission {
        private final JsonPointer pointer;
        private final String permission;

        PointerAndPermission(JsonPointer jsonPointer, String str) {
            this.pointer = jsonPointer;
            this.permission = str;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    @Immutable
    /* loaded from: input_file:org/eclipse/ditto/model/enforcers/tree/TreeBasedPolicyEnforcer$PointerAndValue.class */
    public static final class PointerAndValue {
        private final JsonPointer pointer;
        private final JsonValue value;

        PointerAndValue(JsonPointer jsonPointer, JsonValue jsonValue) {
            this.pointer = jsonPointer;
            this.value = jsonValue;
        }
    }

    private TreeBasedPolicyEnforcer(Map<String, PolicyTreeNode> map) {
        this.tree = map;
    }

    public static TreeBasedPolicyEnforcer createInstance(Policy policy) {
        ConditionChecker.checkNotNull(policy, "policy");
        HashMap hashMap = new HashMap();
        policy.getEntriesSet().forEach(policyEntry -> {
            policyEntry.getSubjects().forEach(subject -> {
                PolicyTreeNode policyTreeNode = (PolicyTreeNode) hashMap.computeIfAbsent(subject.getId().toString(), SubjectNode::of);
                policyEntry.getResources().forEach(resource -> {
                    addResourceSubTree((ResourceNode) policyTreeNode.computeIfAbsent(resource.getType(), str -> {
                        r0 = Collections.emptySet();
                        return ResourceNode.of(policyTreeNode, str, EffectedPermissions.newInstance(r0, r0));
                    }), resource, resource.getPath());
                });
            });
        });
        return new TreeBasedPolicyEnforcer(hashMap);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static void addResourceSubTree(ResourceNode resourceNode, Resource resource, JsonPointer jsonPointer) {
        if (jsonPointer.getLevelCount() != 1 && !ROOT_RESOURCE.equals(jsonPointer.toString())) {
            String str = (String) jsonPointer.getRoot().map((v0) -> {
                return v0.toString();
            }).orElse("");
            addResourceSubTree((ResourceNode) resourceNode.getChild(str).orElseGet(() -> {
                ResourceNode of = ResourceNode.of(resourceNode, str);
                resourceNode.addChild(of);
                return of;
            }), resource, jsonPointer.nextLevel());
            return;
        }
        String str2 = ROOT_RESOURCE.equals(jsonPointer.toString()) ? ROOT_RESOURCE : (String) jsonPointer.getRoot().map((v0) -> {
            return v0.toString();
        }).orElseThrow(() -> {
            return new NullPointerException("Path did not contain a root!");
        });
        if (str2.equals(ROOT_RESOURCE)) {
            resourceNode.getParent().ifPresent(policyTreeNode -> {
                mergePermissions(resource, resourceNode);
            });
            return;
        }
        if (!resourceNode.getChild(str2).isPresent()) {
            resourceNode.addChild(ResourceNode.of(resourceNode, str2, resource.getEffectedPermissions()));
            return;
        }
        Optional<PolicyTreeNode> child = resourceNode.getChild(str2);
        Class<ResourceNode> cls = ResourceNode.class;
        Objects.requireNonNull(ResourceNode.class);
        mergePermissions(resource, (ResourceNode) child.map((v1) -> {
            return r1.cast(v1);
        }).orElseThrow(() -> {
            return new NullPointerException(MessageFormat.format("Parent node did not contain a child for path <{}>!", str2));
        }));
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static void mergePermissions(Resource resource, ResourceNode resourceNode) {
        EffectedPermissions permissions = resourceNode.getPermissions();
        HashSet hashSet = new HashSet((Collection) permissions.getGrantedPermissions());
        HashSet hashSet2 = new HashSet((Collection) permissions.getRevokedPermissions());
        if (!resource.getEffectedPermissions().getRevokedPermissions().isEmpty()) {
            hashSet2.addAll(resource.getEffectedPermissions().getRevokedPermissions());
        }
        if (!resource.getEffectedPermissions().getGrantedPermissions().isEmpty()) {
            hashSet.addAll(resource.getEffectedPermissions().getGrantedPermissions());
        }
        resourceNode.setPermissions(EffectedPermissions.newInstance(hashSet, hashSet2));
    }

    @Override // org.eclipse.ditto.model.enforcers.Enforcer
    public boolean hasUnrestrictedPermissions(ResourceKey resourceKey, AuthorizationContext authorizationContext, Permissions permissions) {
        checkPermissions(permissions);
        return ((Boolean) visitTree(new CheckUnrestrictedPermissionsVisitor(createAbsoluteResourcePointer(resourceKey), getAuthorizationSubjectIds(authorizationContext), permissions))).booleanValue();
    }

    private static void checkPermissions(Permissions permissions) {
        ConditionChecker.checkNotNull(permissions, "permissions to check");
    }

    private static JsonPointer createAbsoluteResourcePointer(ResourceKey resourceKey) {
        return JsonFactory.newPointer(resourceKey.getResourceType()).append(resourceKey.getResourcePath());
    }

    private static Collection<String> getAuthorizationSubjectIds(AuthorizationContext authorizationContext) {
        ConditionChecker.checkNotNull(authorizationContext, "Authorization Context");
        return (Collection) authorizationContext.stream().map((v0) -> {
            return v0.getId();
        }).collect(Collectors.toSet());
    }

    private <T> T visitTree(Visitor<T> visitor) {
        this.tree.values().forEach(policyTreeNode -> {
            policyTreeNode.accept(visitor);
        });
        return visitor.get();
    }

    @Override // org.eclipse.ditto.model.enforcers.Enforcer
    public EffectedSubjectIds getSubjectIdsWithPermission(ResourceKey resourceKey, Permissions permissions) {
        checkResourceKey(resourceKey);
        checkPermissions(permissions);
        return (EffectedSubjectIds) visitTree(new CollectEffectedSubjectIdsVisitor(createAbsoluteResourcePointer(resourceKey), permissions));
    }

    @Override // org.eclipse.ditto.model.enforcers.Enforcer
    public EffectedSubjects getSubjectsWithPermission(ResourceKey resourceKey, Permissions permissions) {
        checkResourceKey(resourceKey);
        checkPermissions(permissions);
        return (EffectedSubjects) visitTree(new CollectEffectedSubjectsVisitor(createAbsoluteResourcePointer(resourceKey), permissions));
    }

    private static void checkResourceKey(ResourceKey resourceKey) {
        ConditionChecker.checkNotNull(resourceKey, "resource key");
    }

    @Override // org.eclipse.ditto.model.enforcers.Enforcer
    public Set<String> getSubjectIdsWithPartialPermission(ResourceKey resourceKey, Permissions permissions) {
        checkResourceKey(resourceKey);
        checkPermissions(permissions);
        return (Set) visitTree(new CollectPartialGrantedSubjectIdsVisitor(createAbsoluteResourcePointer(resourceKey), permissions));
    }

    @Override // org.eclipse.ditto.model.enforcers.Enforcer
    public Set<AuthorizationSubject> getSubjectsWithPartialPermission(ResourceKey resourceKey, Permissions permissions) {
        checkResourceKey(resourceKey);
        checkPermissions(permissions);
        return (Set) visitTree(new CollectPartialGrantedSubjectsVisitor(createAbsoluteResourcePointer(resourceKey), permissions));
    }

    @Override // org.eclipse.ditto.model.enforcers.Enforcer
    public boolean hasPartialPermissions(ResourceKey resourceKey, AuthorizationContext authorizationContext, Permissions permissions) {
        checkResourceKey(resourceKey);
        checkPermissions(permissions);
        return ((Boolean) visitTree(new CheckPartialPermissionsVisitor(createAbsoluteResourcePointer(resourceKey), getAuthorizationSubjectIds(authorizationContext), permissions))).booleanValue();
    }

    @Override // org.eclipse.ditto.model.enforcers.Enforcer
    public JsonObject buildJsonView(ResourceKey resourceKey, Iterable<JsonField> iterable, AuthorizationContext authorizationContext, Permissions permissions) {
        checkResourceKey(resourceKey);
        ConditionChecker.checkNotNull(iterable, "JSON fields");
        checkPermissions(permissions);
        EffectedResources grantedAndRevokedSubResource = getGrantedAndRevokedSubResource(JsonFactory.newPointer(ROOT_RESOURCE), resourceKey.getResourceType(), getAuthorizationSubjectIds(authorizationContext), permissions);
        if ((iterable instanceof JsonObject) && ((JsonObject) iterable).isNull()) {
            return JsonFactory.nullObject();
        }
        ArrayList arrayList = new ArrayList();
        iterable.forEach(jsonField -> {
            collectFlatPointers(jsonField.getKey().asPointer(), jsonField, arrayList);
        });
        Set<JsonPointer> extractJsonPointers = extractJsonPointers(grantedAndRevokedSubResource.getGrantedResources());
        Set<JsonPointer> extractJsonPointers2 = extractJsonPointers(grantedAndRevokedSubResource.getRevokedResources());
        JsonPointer resourcePath = resourceKey.getResourcePath();
        return filterEntries((List) arrayList.stream().map(pointerAndValue -> {
            return new PointerAndValue(resourcePath.append(pointerAndValue.pointer), pointerAndValue.value);
        }).collect(Collectors.toList()), extractJsonPointers, extractJsonPointers2, resourcePath);
    }

    private static Set<JsonPointer> extractJsonPointers(Collection<PointerAndPermission> collection) {
        return (Set) collection.stream().map(pointerAndPermission -> {
            return pointerAndPermission.pointer;
        }).collect(Collectors.toSet());
    }

    public String toString() {
        return getClass().getSimpleName() + " [tree=" + this.tree + "]";
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static List<PointerAndValue> collectFlatPointers(JsonPointer jsonPointer, JsonField jsonField, List<PointerAndValue> list) {
        JsonValue value = jsonField.getValue();
        if (value.isObject()) {
            JsonObject asObject = value.asObject();
            if (asObject.isEmpty()) {
                list.add(new PointerAndValue(jsonPointer, value));
            } else {
                asObject.forEach(jsonField2 -> {
                    collectFlatPointers(jsonPointer.addLeaf(jsonField2.getKey()), jsonField2, list);
                });
            }
        } else {
            list.add(new PointerAndValue(jsonPointer, value));
        }
        return list;
    }

    private static JsonObject filterEntries(Collection<PointerAndValue> collection, Collection<JsonPointer> collection2, Collection<JsonPointer> collection3, JsonPointer jsonPointer) {
        int levelCount = jsonPointer.getLevelCount();
        JsonObjectBuilder newObjectBuilder = JsonFactory.newObjectBuilder();
        collection.stream().filter(pointerAndValue -> {
            return pointerAndValue.pointer.toString().startsWith(jsonPointer.toString());
        }).filter(pointerAndValue2 -> {
            JsonPointer newPointer = JsonFactory.newPointer(ROOT_RESOURCE);
            boolean z = collection2.contains(newPointer) && !collection3.contains(newPointer);
            JsonPointer jsonPointer2 = pointerAndValue2.pointer;
            for (int i = 1; i <= jsonPointer2.getLevelCount(); i++) {
                if (containsPrefixPointer(getPrefixPointerOrThrow(jsonPointer2, i), collection2)) {
                    z = true;
                }
                if (containsPrefixPointer(getPrefixPointerOrThrow(jsonPointer2, i), collection3)) {
                    z = false;
                }
            }
            return z;
        }).forEach(pointerAndValue3 -> {
            newObjectBuilder.set(jsonPointer.append((JsonPointer) pointerAndValue3.pointer.getSubPointer(levelCount).orElseThrow(() -> {
                return new NullPointerException(MessageFormat.format("JsonPointer did not contain a sub-pointer for level <{0}>!", Integer.valueOf(levelCount)));
            })), pointerAndValue3.value);
        });
        return (JsonObject) newObjectBuilder.build().getValue(jsonPointer).filter((v0) -> {
            return v0.isObject();
        }).map((v0) -> {
            return v0.asObject();
        }).orElseGet(JsonFactory::newObject);
    }

    private static JsonPointer getPrefixPointerOrThrow(JsonPointer jsonPointer, int i) {
        return (JsonPointer) jsonPointer.getPrefixPointer(i).orElseThrow(() -> {
            return new NullPointerException(MessageFormat.format("JsonPointer did not contain a prefix pointer for level <{0}>!", Integer.valueOf(i)));
        });
    }

    private static boolean containsPrefixPointer(JsonPointer jsonPointer, Collection<JsonPointer> collection) {
        return collection.stream().anyMatch(jsonPointer2 -> {
            return jsonPointer2.equals(jsonPointer);
        });
    }

    private EffectedResources getGrantedAndRevokedSubResource(JsonPointer jsonPointer, String str, Iterable<String> iterable, Permissions permissions) {
        HashSet hashSet = new HashSet();
        return EffectedResources.of(removeDeeperRevokes(jsonPointer, (Set) permissions.stream().map(str2 -> {
            EffectedResources checkPermissionOnAnySubResource = checkPermissionOnAnySubResource(jsonPointer, str, iterable, str2);
            hashSet.addAll(checkPermissionOnAnySubResource.getRevokedResources());
            return checkPermissionOnAnySubResource.getGrantedResources();
        }).reduce((v0, v1) -> {
            return retainElements(v0, v1);
        }).orElseGet(Collections::emptySet), hashSet), hashSet);
    }

    private static Set<PointerAndPermission> removeDeeperRevokes(JsonPointer jsonPointer, Iterable<PointerAndPermission> iterable, Collection<PointerAndPermission> collection) {
        HashSet hashSet = new HashSet();
        iterable.forEach(pointerAndPermission -> {
            JsonPointer jsonPointer2 = pointerAndPermission.pointer;
            if (collection.stream().noneMatch(pointerAndPermission -> {
                return jsonPointer.getLevelCount() > jsonPointer2.getLevelCount() && pointerAndPermission.permission.equals(pointerAndPermission.permission) && pointerAndPermission.pointer.getLevelCount() >= jsonPointer2.getLevelCount() && Objects.equals(getPrefixPointerOrThrow(pointerAndPermission.pointer, jsonPointer2.getLevelCount()), jsonPointer2);
            })) {
                hashSet.add(pointerAndPermission);
            }
        });
        return hashSet;
    }

    private static Set<PointerAndPermission> retainElements(Collection<PointerAndPermission> collection, Collection<PointerAndPermission> collection2) {
        Set set = (Set) collection2.stream().map(pointerAndPermission -> {
            return pointerAndPermission.pointer;
        }).collect(Collectors.toSet());
        return (Set) collection.stream().filter(pointerAndPermission2 -> {
            return set.contains(pointerAndPermission2.pointer);
        }).collect(Collectors.toSet());
    }

    private EffectedResources checkPermissionOnAnySubResource(JsonPointer jsonPointer, String str, Iterable<String> iterable, String str2) {
        HashSet hashSet = new HashSet();
        HashSet hashSet2 = new HashSet();
        iterable.forEach(str3 -> {
            traverseSubtreeForPermissionAccess(str2, jsonPointer, str, this.tree.get(str3), hashSet, hashSet2, 0, true);
        });
        return EffectedResources.of(hashSet, hashSet2);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static void traverseSubtreeForPermissionAccess(String str, JsonPointer jsonPointer, String str2, @Nullable PolicyTreeNode policyTreeNode, Set<PointerAndPermission> set, Set<PointerAndPermission> set2, int i, boolean z) {
        if (policyTreeNode == null) {
            return;
        }
        if (!(policyTreeNode instanceof SubjectNode)) {
            addPermission(str, jsonPointer, set, set2, i, (ResourceNode) policyTreeNode);
            Optional optional = jsonPointer.get(i);
            if (z && optional.isPresent()) {
                policyTreeNode.getChild(((JsonKey) optional.get()).toString()).ifPresent(policyTreeNode2 -> {
                    traverseSubtreeForPermissionAccess(str, jsonPointer, str2, policyTreeNode2, set, set2, i + 1, true);
                });
                return;
            } else {
                policyTreeNode.getChildren().forEach((str3, policyTreeNode3) -> {
                    traverseSubtreeForPermissionAccess(str, jsonPointer.addLeaf(JsonKey.of(str3)), str2, policyTreeNode3, set, set2, i + 1, false);
                });
                return;
            }
        }
        Optional<PolicyTreeNode> child = policyTreeNode.getChild(str2);
        if (ROOT_RESOURCE.equals(jsonPointer.toString())) {
            child.ifPresent(policyTreeNode4 -> {
                traverseSubtreeForPermissionAccess(str, jsonPointer, str2, policyTreeNode4, set, set2, i, false);
            });
        } else if (child.isPresent()) {
            traverseSubtreeForPermissionAccess(str, jsonPointer, str2, child.get(), set, set2, i, true);
        } else {
            jsonPointer.get(i).ifPresent(jsonKey -> {
                policyTreeNode.getChild(jsonKey.toString()).ifPresent(policyTreeNode5 -> {
                    traverseSubtreeForPermissionAccess(str, jsonPointer, str2, policyTreeNode5, set, set2, i + 1, true);
                });
            });
        }
    }

    private static void addPermission(String str, JsonPointer jsonPointer, Collection<PointerAndPermission> collection, Collection<PointerAndPermission> collection2, int i, ResourceNode resourceNode) {
        JsonPointer newPointer = ROOT_RESOURCE.equals(jsonPointer.toString()) ? JsonFactory.newPointer(ROOT_RESOURCE) : getPrefixPointerOrThrow(jsonPointer, i);
        EffectedPermissions permissions = resourceNode.getPermissions();
        if (permissions.getGrantedPermissions().contains(str)) {
            collection.add(new PointerAndPermission(newPointer, str));
        }
        if (permissions.getRevokedPermissions().contains(str)) {
            collection2.add(new PointerAndPermission(newPointer, str));
        }
    }
}
