package org.eclipse.ditto.services.concierge.enforcement;

import akka.actor.ActorRef;
import akka.pattern.AskTimeoutException;
import akka.pattern.Patterns;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import java.util.function.BiFunction;
import java.util.function.Function;
import javax.annotation.Nullable;
import org.eclipse.ditto.json.JsonFactory;
import org.eclipse.ditto.json.JsonFieldDefinition;
import org.eclipse.ditto.json.JsonFieldSelector;
import org.eclipse.ditto.json.JsonFieldSelectorBuilder;
import org.eclipse.ditto.json.JsonObject;
import org.eclipse.ditto.json.JsonObjectBuilder;
import org.eclipse.ditto.json.JsonRuntimeException;
import org.eclipse.ditto.json.JsonValue;
import org.eclipse.ditto.model.base.auth.AuthorizationContext;
import org.eclipse.ditto.model.base.exceptions.DittoJsonException;
import org.eclipse.ditto.model.base.exceptions.DittoRuntimeException;
import org.eclipse.ditto.model.base.headers.DittoHeaders;
import org.eclipse.ditto.model.base.headers.WithDittoHeaders;
import org.eclipse.ditto.model.base.json.FieldType;
import org.eclipse.ditto.model.base.json.JsonSchemaVersion;
import org.eclipse.ditto.model.enforcers.AclEnforcer;
import org.eclipse.ditto.model.enforcers.Enforcer;
import org.eclipse.ditto.model.enforcers.PolicyEnforcers;
import org.eclipse.ditto.model.namespaces.NamespaceBlockedException;
import org.eclipse.ditto.model.policies.Permissions;
import org.eclipse.ditto.model.policies.PoliciesModelFactory;
import org.eclipse.ditto.model.policies.PoliciesResourceType;
import org.eclipse.ditto.model.policies.Policy;
import org.eclipse.ditto.model.policies.PolicyException;
import org.eclipse.ditto.model.policies.PolicyId;
import org.eclipse.ditto.model.policies.ResourceKey;
import org.eclipse.ditto.model.policies.Subject;
import org.eclipse.ditto.model.policies.SubjectId;
import org.eclipse.ditto.model.policies.SubjectIssuer;
import org.eclipse.ditto.model.things.AccessControlList;
import org.eclipse.ditto.model.things.AclInvalidException;
import org.eclipse.ditto.model.things.AclNotAllowedException;
import org.eclipse.ditto.model.things.AclValidator;
import org.eclipse.ditto.model.things.Thing;
import org.eclipse.ditto.model.things.ThingId;
import org.eclipse.ditto.services.concierge.enforcement.placeholders.references.PolicyIdReferencePlaceholderResolver;
import org.eclipse.ditto.services.concierge.enforcement.placeholders.references.ReferencePlaceholder;
import org.eclipse.ditto.services.models.concierge.ConciergeMessagingConstants;
import org.eclipse.ditto.services.models.policies.Permission;
import org.eclipse.ditto.services.models.policies.PoliciesAclMigrations;
import org.eclipse.ditto.services.models.policies.PoliciesValidator;
import org.eclipse.ditto.services.utils.akka.LogUtil;
import org.eclipse.ditto.services.utils.akka.controlflow.AbstractGraphActor;
import org.eclipse.ditto.services.utils.cache.Cache;
import org.eclipse.ditto.services.utils.cache.EntityIdWithResourceType;
import org.eclipse.ditto.services.utils.cache.InvalidateCacheEntry;
import org.eclipse.ditto.services.utils.cache.entry.Entry;
import org.eclipse.ditto.services.utils.cacheloaders.IdentityCache;
import org.eclipse.ditto.services.utils.cluster.DistPubSubAccess;
import org.eclipse.ditto.signals.commands.base.exceptions.GatewayInternalErrorException;
import org.eclipse.ditto.signals.commands.policies.PolicyErrorResponse;
import org.eclipse.ditto.signals.commands.policies.exceptions.PolicyConflictException;
import org.eclipse.ditto.signals.commands.policies.exceptions.PolicyNotAccessibleException;
import org.eclipse.ditto.signals.commands.policies.exceptions.PolicyUnavailableException;
import org.eclipse.ditto.signals.commands.policies.modify.CreatePolicy;
import org.eclipse.ditto.signals.commands.policies.modify.CreatePolicyResponse;
import org.eclipse.ditto.signals.commands.policies.query.PolicyQueryCommandResponse;
import org.eclipse.ditto.signals.commands.policies.query.RetrievePolicy;
import org.eclipse.ditto.signals.commands.policies.query.RetrievePolicyResponse;
import org.eclipse.ditto.signals.commands.things.ThingCommand;
import org.eclipse.ditto.signals.commands.things.exceptions.PolicyIdNotAllowedException;
import org.eclipse.ditto.signals.commands.things.exceptions.PolicyInvalidException;
import org.eclipse.ditto.signals.commands.things.exceptions.ThingCommandToAccessExceptionRegistry;
import org.eclipse.ditto.signals.commands.things.exceptions.ThingCommandToModifyExceptionRegistry;
import org.eclipse.ditto.signals.commands.things.exceptions.ThingNotAccessibleException;
import org.eclipse.ditto.signals.commands.things.exceptions.ThingNotCreatableException;
import org.eclipse.ditto.signals.commands.things.exceptions.ThingNotModifiableException;
import org.eclipse.ditto.signals.commands.things.exceptions.ThingUnavailableException;
import org.eclipse.ditto.signals.commands.things.modify.CreateThing;
import org.eclipse.ditto.signals.commands.things.modify.ModifyThing;
import org.eclipse.ditto.signals.commands.things.modify.ThingModifyCommand;
import org.eclipse.ditto.signals.commands.things.query.RetrieveThing;
import org.eclipse.ditto.signals.commands.things.query.RetrieveThingResponse;
import org.eclipse.ditto.signals.commands.things.query.ThingQueryCommand;
import org.eclipse.ditto.signals.commands.things.query.ThingQueryCommandResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/eclipse/ditto/services/concierge/enforcement/ThingCommandEnforcement.class */
public final class ThingCommandEnforcement extends AbstractEnforcement<ThingCommand> {
    private static final String DEFAULT_POLICY_ENTRY_LABEL = "DEFAULT";
    private final List<SubjectIssuer> subjectIssuersForPolicyMigration;
    private final ActorRef thingsShardRegion;
    private final ActorRef policiesShardRegion;
    private final EnforcerRetriever thingEnforcerRetriever;
    private final EnforcerRetriever policyEnforcerRetriever;
    private final Cache<EntityIdWithResourceType, Entry<EntityIdWithResourceType>> thingIdCache;
    private final Cache<EntityIdWithResourceType, Entry<Enforcer>> policyEnforcerCache;
    private final Function<WithDittoHeaders, CompletionStage<WithDittoHeaders>> preEnforcer;
    private final Cache<EntityIdWithResourceType, Entry<Enforcer>> aclEnforcerCache;
    private final PolicyIdReferencePlaceholderResolver policyIdReferencePlaceholderResolver;
    private static final Logger LOGGER = LoggerFactory.getLogger((Class<?>) ThingCommandEnforcement.class);
    private static final JsonFieldSelector THING_QUERY_COMMAND_RESPONSE_WHITELIST = JsonFactory.newFieldSelector(Thing.JsonFields.ID, new JsonFieldDefinition[0]);

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/eclipse/ditto/services/concierge/enforcement/ThingCommandEnforcement$CreateThingWithEnforcer.class */
    public static final class CreateThingWithEnforcer {
        private final CreateThing createThing;
        private final Enforcer enforcer;

        private CreateThingWithEnforcer(CreateThing createThing, Enforcer enforcer) {
            this.createThing = createThing;
            this.enforcer = enforcer;
        }
    }

    /* loaded from: input_file:org/eclipse/ditto/services/concierge/enforcement/ThingCommandEnforcement$Provider.class */
    public static final class Provider implements EnforcementProvider<ThingCommand> {
        private static final List<SubjectIssuer> DEFAULT_SUBJECT_ISSUERS_FOR_POLICY_MIGRATION = Collections.singletonList(SubjectIssuer.GOOGLE);
        private final ActorRef thingsShardRegion;
        private final ActorRef policiesShardRegion;
        private final Cache<EntityIdWithResourceType, Entry<EntityIdWithResourceType>> thingIdCache;
        private final Cache<EntityIdWithResourceType, Entry<Enforcer>> policyEnforcerCache;
        private final Cache<EntityIdWithResourceType, Entry<Enforcer>> aclEnforcerCache;
        private final Function<WithDittoHeaders, CompletionStage<WithDittoHeaders>> preEnforcer;
        private final List<SubjectIssuer> subjectIssuersForPolicyMigration;

        public Provider(ActorRef actorRef, ActorRef actorRef2, Cache<EntityIdWithResourceType, Entry<EntityIdWithResourceType>> cache, Cache<EntityIdWithResourceType, Entry<Enforcer>> cache2, Cache<EntityIdWithResourceType, Entry<Enforcer>> cache3, @Nullable Function<WithDittoHeaders, CompletionStage<WithDittoHeaders>> function) {
            this(actorRef, actorRef2, cache, cache2, cache3, function, DEFAULT_SUBJECT_ISSUERS_FOR_POLICY_MIGRATION);
        }

        public Provider(ActorRef actorRef, ActorRef actorRef2, Cache<EntityIdWithResourceType, Entry<EntityIdWithResourceType>> cache, Cache<EntityIdWithResourceType, Entry<Enforcer>> cache2, Cache<EntityIdWithResourceType, Entry<Enforcer>> cache3, @Nullable Function<WithDittoHeaders, CompletionStage<WithDittoHeaders>> function, List<SubjectIssuer> list) {
            this.thingsShardRegion = (ActorRef) Objects.requireNonNull(actorRef);
            this.policiesShardRegion = (ActorRef) Objects.requireNonNull(actorRef2);
            this.thingIdCache = (Cache) Objects.requireNonNull(cache);
            this.policyEnforcerCache = (Cache) Objects.requireNonNull(cache2);
            this.aclEnforcerCache = (Cache) Objects.requireNonNull(cache3);
            this.preEnforcer = (Function) Optional.ofNullable(function).orElse((v0) -> {
                return CompletableFuture.completedFuture(v0);
            });
            this.subjectIssuersForPolicyMigration = (List) Objects.requireNonNull(list);
        }

        @Override // org.eclipse.ditto.services.concierge.enforcement.EnforcementProvider
        public Class<ThingCommand> getCommandClass() {
            return ThingCommand.class;
        }

        @Override // org.eclipse.ditto.services.concierge.enforcement.EnforcementProvider
        public boolean isApplicable(ThingCommand thingCommand) {
            return !LiveSignalEnforcement.isLiveSignal(thingCommand);
        }

        @Override // org.eclipse.ditto.services.concierge.enforcement.EnforcementProvider
        public AbstractEnforcement<ThingCommand> createEnforcement(Contextual<ThingCommand> contextual) {
            return new ThingCommandEnforcement(contextual, this.thingsShardRegion, this.policiesShardRegion, this.thingIdCache, this.policyEnforcerCache, this.aclEnforcerCache, this.preEnforcer, this.subjectIssuersForPolicyMigration);
        }
    }

    private ThingCommandEnforcement(Contextual<ThingCommand> contextual, ActorRef actorRef, ActorRef actorRef2, Cache<EntityIdWithResourceType, Entry<EntityIdWithResourceType>> cache, Cache<EntityIdWithResourceType, Entry<Enforcer>> cache2, Cache<EntityIdWithResourceType, Entry<Enforcer>> cache3, Function<WithDittoHeaders, CompletionStage<WithDittoHeaders>> function, List<SubjectIssuer> list) {
        super(contextual);
        this.thingsShardRegion = (ActorRef) Objects.requireNonNull(actorRef);
        this.policiesShardRegion = (ActorRef) Objects.requireNonNull(actorRef2);
        this.subjectIssuersForPolicyMigration = (List) Objects.requireNonNull(list);
        this.thingIdCache = (Cache) Objects.requireNonNull(cache);
        this.policyEnforcerCache = (Cache) Objects.requireNonNull(cache2);
        this.aclEnforcerCache = (Cache) Objects.requireNonNull(cache3);
        this.preEnforcer = function;
        this.thingEnforcerRetriever = PolicyOrAclEnforcerRetrieverFactory.create(cache, cache2, cache3);
        this.policyEnforcerRetriever = new EnforcerRetriever(IdentityCache.INSTANCE, cache2);
        this.policyIdReferencePlaceholderResolver = PolicyIdReferencePlaceholderResolver.of(conciergeForwarder(), getAskTimeout());
    }

    @Override // org.eclipse.ditto.services.concierge.enforcement.AbstractEnforcement
    public CompletionStage<Contextual<WithDittoHeaders>> enforce() {
        LogUtil.enhanceLogWithCorrelationIdOrRandom(signal());
        return this.thingEnforcerRetriever.retrieve(entityId(), (entry, entry2) -> {
            try {
                return doEnforce(entry, entry2).exceptionally(this::handleExceptionally);
            } catch (RuntimeException e) {
                return CompletableFuture.completedFuture(handleExceptionally(e));
            }
        });
    }

    private CompletionStage<Contextual<WithDittoHeaders>> doEnforce(Entry<EntityIdWithResourceType> entry, Entry<Enforcer> entry2) {
        if (!entry2.exists()) {
            return enforceThingCommandByNonexistentEnforcer(entry);
        }
        if (isAclEnforcer(entry)) {
            return enforceThingCommandByAclEnforcer(entry2.getValueOrThrow());
        }
        return enforceThingCommandByPolicyEnforcer(signal(), PolicyId.of(entry.getValueOrThrow().getId()), entry2.getValueOrThrow());
    }

    private CompletionStage<Contextual<WithDittoHeaders>> enforceThingCommandByNonexistentEnforcer(Entry<EntityIdWithResourceType> entry) {
        if (!entry.exists()) {
            return enforceCreateThingBySelf().thenCompose(createThingWithEnforcer -> {
                return handleInitialCreateThing(createThingWithEnforcer.createThing, createThingWithEnforcer.enforcer).thenApply(contextual -> {
                    return contextual.withReceiver(this.thingsShardRegion);
                });
            }).exceptionally(th -> {
                DittoRuntimeException asDittoRuntimeException = DittoRuntimeException.asDittoRuntimeException(th, th -> {
                    LOGGER.warn("Error during thing by itself enforcement - {}: {}", th.getClass().getSimpleName(), th.getMessage());
                    throw GatewayInternalErrorException.newBuilder().cause2(th).build();
                });
                LOGGER.debug("DittoRuntimeException during enforceThingCommandByNonexistentEnforcer - {}: {}", asDittoRuntimeException.getClass().getSimpleName(), asDittoRuntimeException.getMessage());
                throw asDittoRuntimeException;
            });
        }
        ThingId thingEntityId = signal().getThingEntityId();
        DittoRuntimeException errorForExistingThingWithDeletedPolicy = errorForExistingThingWithDeletedPolicy(signal(), thingEntityId, entry.getValueOrThrow().getId());
        log().info("Enforcer was not existing for Thing <{}>, responding with: {}", thingEntityId, errorForExistingThingWithDeletedPolicy);
        throw errorForExistingThingWithDeletedPolicy;
    }

    private CompletionStage<Contextual<WithDittoHeaders>> enforceThingCommandByAclEnforcer(Enforcer enforcer) {
        ThingCommand signal = signal();
        Optional authorizeByAcl = authorizeByAcl(enforcer, signal);
        if (!authorizeByAcl.isPresent()) {
            throw errorForThingCommand(signal);
        }
        ThingCommand thingCommand = (ThingCommand) authorizeByAcl.get();
        return ((thingCommand instanceof RetrieveThing) && shouldRetrievePolicyWithThing(thingCommand)) ? retrieveThingAclAndMigrateToPolicy((RetrieveThing) thingCommand, enforcer).thenApply(withDittoHeaders -> {
            return withMessageToReceiver(withDittoHeaders, sender());
        }) : CompletableFuture.completedFuture(forwardToThingsShardRegion(thingCommand));
    }

    private CompletionStage<WithDittoHeaders> retrieveThingAclAndMigrateToPolicy(RetrieveThing retrieveThing, Enforcer enforcer) {
        JsonFieldSelectorBuilder addFieldDefinition = JsonFactory.newFieldSelectorBuilder().addFieldDefinition(Thing.JsonFields.ACL, new JsonFieldDefinition[0]);
        Optional<JsonFieldSelector> selectedFields = retrieveThing.getSelectedFields();
        Objects.requireNonNull(addFieldDefinition);
        selectedFields.ifPresent((v1) -> {
            r1.addPointers(v1);
        });
        return Patterns.ask(this.thingsShardRegion, RetrieveThing.getBuilder(retrieveThing.getThingEntityId(), retrieveThing.getDittoHeaders().toBuilder().schemaVersion(JsonSchemaVersion.V_1).build()).withSelectedFields(addFieldDefinition.build()).build(), getAskTimeout()).handle((obj, th) -> {
            if (!(obj instanceof RetrieveThingResponse)) {
                if (isAskTimeoutException(obj, th)) {
                    throw reportThingUnavailable();
                }
                throw reportUnexpectedErrorOrResponse("retrieving thing for ACL migration", obj, th);
            }
            RetrieveThingResponse retrieveThingResponse = (RetrieveThingResponse) obj;
            Optional<AccessControlList> accessControlList = retrieveThingResponse.getThing().getAccessControlList();
            if (!accessControlList.isPresent()) {
                return retrieveThingResponse.setDittoHeaders2(retrieveThing.getDittoHeaders());
            }
            return reportAggregatedThingAndPolicy(retrieveThing, retrieveThingResponse.setDittoHeaders2(retrieveThing.getDittoHeaders()), PoliciesAclMigrations.accessControlListToPolicyEntries(accessControlList.get(), PolicyId.of(retrieveThing.getThingEntityId()), this.subjectIssuersForPolicyMigration), enforcer);
        });
    }

    private CompletionStage<Contextual<WithDittoHeaders>> enforceThingCommandByPolicyEnforcer(ThingCommand<?> thingCommand, PolicyId policyId, Enforcer enforcer) {
        return (CompletionStage) authorizeByPolicy(enforcer, thingCommand).map(thingCommand2 -> {
            if (!(thingCommand2 instanceof ThingQueryCommand)) {
                return CompletableFuture.completedFuture(forwardToThingsShardRegion(thingCommand2));
            }
            ThingQueryCommand thingQueryCommand = (ThingQueryCommand) thingCommand2;
            return ((thingQueryCommand instanceof RetrieveThing) && shouldRetrievePolicyWithThing(thingQueryCommand)) ? retrieveThingAndPolicy((RetrieveThing) thingQueryCommand, policyId, enforcer).thenApply(withDittoHeaders -> {
                return withMessageToReceiver(withDittoHeaders, sender());
            }) : askThingsShardRegionAndBuildJsonView(thingQueryCommand, enforcer).thenApply(withDittoHeaders2 -> {
                return withMessageToReceiver(withDittoHeaders2, sender());
            });
        }).orElseThrow(() -> {
            return errorForThingCommand(thingCommand);
        });
    }

    private CompletionStage<WithDittoHeaders> askThingsShardRegionAndBuildJsonView(ThingQueryCommand thingQueryCommand, Enforcer enforcer) {
        return Patterns.ask(this.thingsShardRegion, thingQueryCommand, getAskTimeout()).handle((obj, th) -> {
            if (obj instanceof ThingQueryCommandResponse) {
                return reportJsonViewForThingQuery((ThingQueryCommandResponse) obj, enforcer);
            }
            if (obj instanceof DittoRuntimeException) {
                return (DittoRuntimeException) obj;
            }
            if (isAskTimeoutException(obj, th)) {
                return reportTimeoutForThingQuery(thingQueryCommand, th instanceof AskTimeoutException ? (AskTimeoutException) th : (AskTimeoutException) obj);
            }
            return th != null ? reportUnexpectedError("before building JsonView", th) : reportUnknownResponse("before building JsonView", obj);
        });
    }

    private CompletionStage<WithDittoHeaders> retrieveThingAndPolicy(RetrieveThing retrieveThing, PolicyId policyId, Enforcer enforcer) {
        Optional authorizePolicyCommand = PolicyCommandEnforcement.authorizePolicyCommand(RetrievePolicy.of(policyId, retrieveThing.getDittoHeaders().toBuilder().removePreconditionHeaders().build()), enforcer);
        return authorizePolicyCommand.isPresent() ? retrieveThingBeforePolicy(retrieveThing).thenCompose(withDittoHeaders -> {
            return withDittoHeaders instanceof RetrieveThingResponse ? retrieveInlinedPolicyForThing(retrieveThing, (RetrievePolicy) authorizePolicyCommand.get()).thenApply(optional -> {
                if (!optional.isPresent()) {
                    return withDittoHeaders;
                }
                return reportAggregatedThingAndPolicyResponse(retrieveThing, (RetrieveThingResponse) withDittoHeaders, (RetrievePolicyResponse) PolicyCommandEnforcement.buildJsonViewForPolicyQueryCommandResponse((PolicyQueryCommandResponse) optional.get(), enforcer), enforcer);
            }) : CompletableFuture.completedFuture(withDittoHeaders);
        }) : askThingsShardRegionAndBuildJsonView(retrieveThing, enforcer);
    }

    private CompletionStage<WithDittoHeaders> retrieveThingBeforePolicy(RetrieveThing retrieveThing) {
        return Patterns.ask(this.thingsShardRegion, retrieveThing, getAskTimeout()).handle((obj, th) -> {
            return obj instanceof WithDittoHeaders ? (WithDittoHeaders) obj : isAskTimeoutException(obj, th) ? reportThingUnavailable() : reportUnexpectedErrorOrResponse("retrieving thing before inlined policy", obj, th);
        });
    }

    private ThingUnavailableException reportThingUnavailable() {
        return ThingUnavailableException.newBuilder(signal().getThingEntityId()).dittoHeaders(dittoHeaders()).build();
    }

    private CompletionStage<Optional<RetrievePolicyResponse>> retrieveInlinedPolicyForThing(RetrieveThing retrieveThing, RetrievePolicy retrievePolicy) {
        return this.preEnforcer.apply(retrievePolicy).thenCompose(withDittoHeaders -> {
            return Patterns.ask(this.policiesShardRegion, withDittoHeaders, getAskTimeout());
        }).handle((obj, th) -> {
            LOGGER.debug("Response of policiesShardRegion: <{}>", obj);
            if (obj instanceof RetrievePolicyResponse) {
                return Optional.of((RetrievePolicyResponse) obj);
            }
            if (th != null) {
                log(th).error(th, "retrieving inlined policy after RetrieveThing");
            } else {
                log(obj).info("No authorized response when retrieving inlined policy <{}> for thing <{}>: {}", retrievePolicy.getEntityId(), retrieveThing.getThingEntityId(), obj);
            }
            return Optional.empty();
        });
    }

    private RetrieveThingResponse reportAggregatedThingAndPolicyResponse(RetrieveThing retrieveThing, RetrieveThingResponse retrieveThingResponse, RetrievePolicyResponse retrievePolicyResponse, Enforcer enforcer) {
        return reportAggregatedThingAndPolicy(retrieveThing, retrieveThingResponse, retrievePolicyResponse.getPolicy(), enforcer);
    }

    private RetrieveThingResponse reportAggregatedThingAndPolicy(RetrieveThing retrieveThing, RetrieveThingResponse retrieveThingResponse, Policy policy, Enforcer enforcer) {
        RetrieveThingResponse retrieveThingResponse2 = (RetrieveThingResponse) buildJsonViewForThingQueryCommandResponse(retrieveThingResponse, enforcer);
        return retrieveThingResponse2.setEntity((JsonValue) retrieveThingResponse2.getEntity().asObject().toBuilder().setAll(policy.toInlinedJson(retrieveThing.getImplementedSchemaVersion(), FieldType.notHidden())).build());
    }

    private ThingUnavailableException reportTimeoutForThingQuery(ThingQueryCommand thingQueryCommand, AskTimeoutException askTimeoutException) {
        log(thingQueryCommand).error(askTimeoutException, "Timeout before building JsonView");
        return ThingUnavailableException.newBuilder(thingQueryCommand.getThingEntityId()).dittoHeaders(thingQueryCommand.getDittoHeaders()).build();
    }

    private ThingQueryCommandResponse reportJsonViewForThingQuery(ThingQueryCommandResponse<?> thingQueryCommandResponse, Enforcer enforcer) {
        try {
            return buildJsonViewForThingQueryCommandResponse(thingQueryCommandResponse, enforcer);
        } catch (RuntimeException e) {
            throw reportError("Error after building JsonView", e);
        }
    }

    private CompletionStage<Contextual<WithDittoHeaders>> enforceCreateThingForNonexistentThingWithPolicyId(CreateThing createThing, PolicyId policyId) {
        return this.policyEnforcerRetriever.retrieve(EntityIdWithResourceType.of("policy", policyId), (entry, entry2) -> {
            if (entry2.exists()) {
                return enforceThingCommandByPolicyEnforcer(createThing, policyId, (Enforcer) entry2.getValueOrThrow());
            }
            throw errorForExistingThingWithDeletedPolicy(createThing, createThing.getThingEntityId(), policyId);
        });
    }

    private static <T extends ThingQueryCommandResponse> T buildJsonViewForThingQueryCommandResponse(ThingQueryCommandResponse<T> thingQueryCommandResponse, Enforcer enforcer) {
        JsonValue entity = thingQueryCommandResponse.getEntity();
        return entity.isObject() ? thingQueryCommandResponse.setEntity((JsonValue) getJsonViewForThingQueryCommandResponse(entity.asObject(), thingQueryCommandResponse, enforcer)) : thingQueryCommandResponse.setEntity(entity);
    }

    private Contextual<WithDittoHeaders> forwardToThingsShardRegion(ThingCommand thingCommand) {
        if ((thingCommand instanceof ThingModifyCommand) && ((ThingModifyCommand) thingCommand).changesAuthorization()) {
            invalidateThingCaches(thingCommand.getThingEntityId());
        }
        return withMessageToReceiver(thingCommand, this.thingsShardRegion);
    }

    private void invalidateThingCaches(ThingId thingId) {
        EntityIdWithResourceType of = EntityIdWithResourceType.of("thing", thingId);
        this.thingIdCache.invalidate(of);
        this.aclEnforcerCache.invalidate(of);
        pubSubMediator().tell(DistPubSubAccess.sendToAll(ConciergeMessagingConstants.ENFORCER_ACTOR_PATH, InvalidateCacheEntry.of(of), true), self());
    }

    private void invalidatePolicyCache(PolicyId policyId) {
        EntityIdWithResourceType of = EntityIdWithResourceType.of("policy", policyId);
        this.policyEnforcerCache.invalidate(of);
        pubSubMediator().tell(DistPubSubAccess.sendToAll(ConciergeMessagingConstants.ENFORCER_ACTOR_PATH, InvalidateCacheEntry.of(of), true), self());
    }

    private static JsonObject getJsonViewForThingQueryCommandResponse(JsonObject jsonObject, ThingQueryCommandResponse thingQueryCommandResponse, Enforcer enforcer) {
        return enforcer.buildJsonView(ResourceKey.newInstance("thing", thingQueryCommandResponse.getResourcePath()), jsonObject, thingQueryCommandResponse.getDittoHeaders().getAuthorizationContext(), THING_QUERY_COMMAND_RESPONSE_WHITELIST, Permissions.newInstance("READ", new String[0]));
    }

    private static DittoRuntimeException errorForExistingThingWithDeletedPolicy(ThingCommand thingCommand, ThingId thingId, CharSequence charSequence) {
        String format = String.format("The Thing with ID '%s' could not be accessed as its Policy with ID '%s' is not or no longer existing.", thingId, charSequence);
        String format2 = String.format("Recreate/create the Policy with ID '%s' in order to get access to the Thing again.", charSequence);
        return thingCommand instanceof ThingModifyCommand ? ThingNotModifiableException.newBuilder(thingId).message(format).description(format2).dittoHeaders(thingCommand.getDittoHeaders()).build() : ThingNotAccessibleException.newBuilder(thingId).message(format).description(format2).dittoHeaders(thingCommand.getDittoHeaders()).build();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static DittoRuntimeException errorForThingCommand(ThingCommand thingCommand) {
        return (thingCommand instanceof ThingModifyCommand ? ThingCommandToModifyExceptionRegistry.getInstance() : ThingCommandToAccessExceptionRegistry.getInstance()).exceptionFrom(thingCommand);
    }

    private CompletionStage<CreateThingWithEnforcer> enforceCreateThingBySelf() {
        ThingCommand transformModifyThingToCreateThing = transformModifyThingToCreateThing(signal());
        if (transformModifyThingToCreateThing instanceof CreateThing) {
            return replaceInitialPolicyWithCopiedPolicyIfPresent((CreateThing) transformModifyThingToCreateThing).thenApply(createThing -> {
                Optional<JsonObject> initialPolicy = createThing.getInitialPolicy();
                return initialPolicy.isPresent() ? enforceCreateThingByOwnInlinedPolicy(createThing, initialPolicy.get()).orElse(null) : (CreateThingWithEnforcer) ((Optional) createThing.getThing().getAccessControlList().filter(accessControlList -> {
                    return !accessControlList.isEmpty();
                }).map(accessControlList2 -> {
                    return enforceCreateThingByOwnAcl(createThing, accessControlList2);
                }).orElseGet(() -> {
                    return enforceCreateThingByAuthorizationContext(createThing);
                })).orElse(null);
            });
        }
        ThingNotAccessibleException build = ThingNotAccessibleException.newBuilder(transformModifyThingToCreateThing.getThingEntityId()).dittoHeaders(transformModifyThingToCreateThing.getDittoHeaders()).build();
        log().info("Enforcer was not existing for Thing <{}> and no auth info was inlined, responding with: {}", transformModifyThingToCreateThing.getThingEntityId(), build);
        throw build;
    }

    private CompletionStage<CreateThing> replaceInitialPolicyWithCopiedPolicyIfPresent(CreateThing createThing) {
        return getInitialPolicyOrCopiedPolicy(createThing).thenApply(jsonObject -> {
            return CreateThing.of(createThing.getThing(), jsonObject, createThing.getDittoHeaders());
        });
    }

    private CompletionStage<JsonObject> getInitialPolicyOrCopiedPolicy(CreateThing createThing) {
        return ((CompletionStage) createThing.getPolicyIdOrPlaceholder().flatMap((v0) -> {
            return ReferencePlaceholder.fromCharSequence(v0);
        }).map(referencePlaceholder -> {
            log(createThing).debug("CreateThing command contains a reference placeholder for the policy it wants to copy: {}", referencePlaceholder);
            return this.policyIdReferencePlaceholderResolver.resolve(referencePlaceholder, dittoHeaders());
        }).orElseGet(() -> {
            return CompletableFuture.completedFuture(createThing.getPolicyIdOrPlaceholder().orElse(null));
        })).thenCompose(str -> {
            if (str != null) {
                log().debug("CreateThing command wants to use a copy of Policy <{}>", str);
                return retrievePolicyWithEnforcement(PolicyId.of(str)).thenApply(policy -> {
                    return policy.toJson(JsonSchemaVersion.V_2).remove("policyId");
                });
            }
            log().debug("CreateThing command did not contain a policy that should be copied.");
            return CompletableFuture.completedFuture(createThing.getInitialPolicy().orElse(null));
        });
    }

    private CompletionStage<Policy> retrievePolicyWithEnforcement(PolicyId policyId) {
        HashMap hashMap = new HashMap(dittoHeaders());
        hashMap.put(AbstractGraphActor.DITTO_INTERNAL_SPECIAL_ENFORCEMENT_LANE, "true");
        return Patterns.ask(conciergeForwarder(), RetrievePolicy.of(policyId, DittoHeaders.of(hashMap)), getAskTimeout()).thenApply(obj -> {
            if (obj instanceof RetrievePolicyResponse) {
                return ((RetrievePolicyResponse) obj).getPolicy();
            }
            if (obj instanceof PolicyErrorResponse) {
                throw ((PolicyErrorResponse) obj).getDittoRuntimeException();
            }
            if (obj instanceof DittoRuntimeException) {
                throw ((DittoRuntimeException) obj);
            }
            log().error("Got an unexpected response while retrieving a Policy that should be copied during Thing creation: {}", obj);
            throw GatewayInternalErrorException.newBuilder().build();
        });
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static Optional<CreateThingWithEnforcer> enforceCreateThingByAuthorizationContext(CreateThing createThing) {
        AuthorizedSubjectsEnforcer authorizedSubjectsEnforcer = new AuthorizedSubjectsEnforcer((Set) createThing.getDittoHeaders().getAuthorizationContext().getFirstAuthorizationSubject().map((v0) -> {
            return Collections.singleton(v0);
        }).orElse(Collections.emptySet()));
        return Optional.of(new CreateThingWithEnforcer((CreateThing) AbstractEnforcement.addEffectedReadSubjectsToThingSignal(createThing, authorizedSubjectsEnforcer), authorizedSubjectsEnforcer));
    }

    private Optional<CreateThingWithEnforcer> enforceCreateThingByOwnInlinedPolicy(CreateThing createThing, JsonObject jsonObject) {
        return checkInitialPolicy(createThing, jsonObject).flatMap(policy -> {
            if (PoliciesValidator.newInstance(policy).isValid()) {
                return attachEnforcerOrReplyWithError(createThing, PolicyEnforcers.defaultEvaluator(policy), ThingCommandEnforcement::authorizeByPolicy);
            }
            throw PolicyInvalidException.newBuilder(Permission.MIN_REQUIRED_POLICY_PERMISSIONS, createThing.getThingEntityId()).dittoHeaders(createThing.getDittoHeaders()).build();
        });
    }

    private Optional<Policy> checkInitialPolicy(CreateThing createThing, JsonObject jsonObject) {
        try {
            return Optional.of(PoliciesModelFactory.newPolicy(jsonObject));
        } catch (JsonRuntimeException | DittoJsonException e) {
            throw PolicyInvalidException.newBuilderForCause(e, createThing.getThingEntityId()).dittoHeaders(createThing.getDittoHeaders()).build();
        } catch (DittoRuntimeException e2) {
            DittoHeaders dittoHeaders = createThing.getDittoHeaders();
            if (e2 instanceof PolicyException) {
                throw e2.setDittoHeaders2(dittoHeaders);
            }
            throw reportError("Error during creation of inline policy from JSON", e2);
        }
    }

    private Optional<CreateThingWithEnforcer> enforceCreateThingByOwnAcl(CreateThing createThing, AccessControlList accessControlList) {
        if (AclValidator.newInstance(accessControlList, Thing.MIN_REQUIRED_PERMISSIONS).isValid()) {
            return attachEnforcerOrReplyWithError(createThing, AclEnforcer.of(accessControlList), ThingCommandEnforcement::authorizeByAcl);
        }
        throw AclInvalidException.newBuilder(createThing.getThingEntityId()).dittoHeaders(createThing.getDittoHeaders()).build();
    }

    private Optional<CreateThingWithEnforcer> attachEnforcerOrReplyWithError(CreateThing createThing, Enforcer enforcer, BiFunction<Enforcer, ThingCommand<CreateThing>, Optional<CreateThing>> biFunction) {
        Optional<CreateThing> apply = biFunction.apply(enforcer, createThing);
        if (apply.isPresent()) {
            return apply.map(createThing2 -> {
                return new CreateThingWithEnforcer(createThing2, enforcer);
            });
        }
        throw errorForThingCommand(createThing);
    }

    private static ThingCommand transformModifyThingToCreateThing(ThingCommand thingCommand) {
        if (!(thingCommand instanceof ModifyThing)) {
            return thingCommand;
        }
        ModifyThing modifyThing = (ModifyThing) thingCommand;
        return CreateThing.of(modifyThing.getThing().toBuilder().setId(modifyThing.getThingEntityId()).build(), modifyThing.getInitialPolicy().orElse(null), modifyThing.getPolicyIdOrPlaceholder().orElse(null), modifyThing.getDittoHeaders());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static <T extends ThingCommand> Optional<T> authorizeByPolicy(Enforcer enforcer, ThingCommand<T> thingCommand) {
        ResourceKey thingResource = PoliciesResourceType.thingResource(thingCommand.getResourcePath());
        AuthorizationContext authorizationContext = thingCommand.getDittoHeaders().getAuthorizationContext();
        return thingCommand instanceof ThingModifyCommand ? enforcer.hasUnrestrictedPermissions(thingResource, authorizationContext, "WRITE", new String[0]) : enforcer.hasPartialPermissions(thingResource, authorizationContext, "READ", new String[0]) ? Optional.of((ThingCommand) AbstractEnforcement.addEffectedReadSubjectsToThingSignal(thingCommand, enforcer)) : Optional.empty();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static <T extends ThingCommand<T>> Optional<T> authorizeByAcl(Enforcer enforcer, ThingCommand<T> thingCommand) {
        return enforcer.hasUnrestrictedPermissions(PoliciesResourceType.thingResource(thingCommand.getResourcePath()), thingCommand.getDittoHeaders().getAuthorizationContext(), thingCommand instanceof ThingModifyCommand ? computeAclPermissions((ThingModifyCommand) thingCommand) : Permissions.newInstance("READ", new String[0])) ? Optional.of((ThingCommand) AbstractEnforcement.addEffectedReadSubjectsToThingSignal(thingCommand, enforcer)) : Optional.empty();
    }

    private static Permissions computeAclPermissions(ThingModifyCommand thingModifyCommand) {
        return thingModifyCommand.changesAuthorization() ? Permissions.newInstance("WRITE", org.eclipse.ditto.model.things.Permission.ADMINISTRATE.name()) : Permissions.newInstance("WRITE", new String[0]);
    }

    private static boolean shouldRetrievePolicyWithThing(ThingCommand thingCommand) {
        return (JsonSchemaVersion.V_1 != thingCommand.getImplementedSchemaVersion()) && ((RetrieveThing) thingCommand).getSelectedFields().filter(jsonFieldSelector -> {
            return jsonFieldSelector.getPointers().stream().anyMatch(jsonPointer -> {
                return jsonPointer.getRoot().filter(jsonKey -> {
                    return Policy.INLINED_FIELD_NAME.equals(jsonKey.toString());
                }).isPresent();
            });
        }).isPresent();
    }

    private CompletionStage<Contextual<WithDittoHeaders>> handleInitialCreateThing(CreateThing createThing, Enforcer enforcer) {
        if (shouldCreatePolicyForCreateThing(createThing)) {
            Optional<DittoRuntimeException> checkForErrorsInCreateThingWithPolicy = checkForErrorsInCreateThingWithPolicy(createThing);
            if (checkForErrorsInCreateThingWithPolicy.isPresent()) {
                throw checkForErrorsInCreateThingWithPolicy.get();
            }
            return createThingWithInitialPolicy(createThing, enforcer).thenApply((v1) -> {
                return forwardToThingsShardRegion(v1);
            });
        }
        if (!createThing.getThing().getPolicyEntityId().isPresent()) {
            return CompletableFuture.completedFuture(forwardToThingsShardRegion(createThing));
        }
        PolicyId orElseThrow = createThing.getThing().getPolicyEntityId().orElseThrow(IllegalStateException::new);
        Optional<DittoRuntimeException> checkForErrorsInCreateThingWithPolicy2 = checkForErrorsInCreateThingWithPolicy(createThing);
        if (checkForErrorsInCreateThingWithPolicy2.isPresent()) {
            throw checkForErrorsInCreateThingWithPolicy2.get();
        }
        return enforceCreateThingForNonexistentThingWithPolicyId(createThing, orElseThrow);
    }

    private CompletionStage<CreateThing> createThingWithInitialPolicy(CreateThing createThing, Enforcer enforcer) {
        try {
            Optional<Policy> inlinedOrDefaultPolicyForCreateThing = getInlinedOrDefaultPolicyForCreateThing(createThing);
            if (inlinedOrDefaultPolicyForCreateThing.isPresent()) {
                return (CompletionStage) PolicyCommandEnforcement.authorizePolicyCommand(CreatePolicy.of(inlinedOrDefaultPolicyForCreateThing.get(), createThing.getDittoHeaders().toBuilder().removePreconditionHeaders().build()), enforcer).map(createPolicy -> {
                    return createPolicyAndThing(createPolicy, createThing);
                }).orElseThrow(() -> {
                    return errorForThingCommand(createThing);
                });
            }
            ThingId thingEntityId = createThing.getThingEntityId();
            throw ThingNotCreatableException.newBuilderForPolicyMissing(thingEntityId, PolicyId.of(thingEntityId)).message(String.format("The Thing with ID '%s' could not be created with implicit Policy because no authorization subject is present.", thingEntityId)).description(() -> {
                return null;
            }).dittoHeaders(createThing.getDittoHeaders()).build();
        } catch (RuntimeException e) {
            throw reportError("error before creating thing with initial policy", e);
        }
    }

    private CompletionStage<CreateThing> createPolicyAndThing(CreatePolicy createPolicy, CreateThing createThing) {
        CreateThing of = CreateThing.of(createThing.getThing().setPolicyId(createPolicy.getEntityId()), null, createThing.getDittoHeaders());
        invalidatePolicyCache(createPolicy.getEntityId());
        return this.preEnforcer.apply(createPolicy).thenCompose(withDittoHeaders -> {
            return Patterns.ask(this.policiesShardRegion, withDittoHeaders, getAskTimeout());
        }).thenApply(obj -> {
            handlePolicyResponseForCreateThing(createPolicy, of, obj);
            invalidateThingCaches(of.getThingEntityId());
            return of;
        });
    }

    private void handlePolicyResponseForCreateThing(CreatePolicy createPolicy, CreateThing createThing, Object obj) {
        if (obj instanceof CreatePolicyResponse) {
            return;
        }
        if (shouldReportInitialPolicyCreationFailure(obj)) {
            throw reportInitialPolicyCreationFailure(createPolicy.getEntityId(), createThing);
        }
        if (!isAskTimeoutException(obj, null)) {
            throw reportUnexpectedErrorOrResponse(String.format("creating initial policy during creation of Thing <%s>", createThing.getThingEntityId()), obj, null);
        }
        throw PolicyUnavailableException.newBuilder(createPolicy.getEntityId()).dittoHeaders(createThing.getDittoHeaders()).build();
    }

    private boolean shouldReportInitialPolicyCreationFailure(Object obj) {
        return (obj instanceof PolicyConflictException) || (obj instanceof PolicyNotAccessibleException) || (obj instanceof NamespaceBlockedException);
    }

    private ThingNotCreatableException reportInitialPolicyCreationFailure(PolicyId policyId, CreateThing createThing) {
        log(createThing).info("Failed to create Policy with ID '{}' is already existing, the CreateThing command which would have created a Policy for the Thing with ID '{}' is therefore not handled", policyId, createThing.getThingEntityId());
        return ThingNotCreatableException.newBuilderForPolicyExisting(createThing.getThingEntityId(), policyId).dittoHeaders(createThing.getDittoHeaders()).build();
    }

    private static Optional<Policy> getInlinedOrDefaultPolicyForCreateThing(CreateThing createThing) {
        Optional<JsonObject> initialPolicy = createThing.getInitialPolicy();
        if (!initialPolicy.isPresent()) {
            return getDefaultPolicy(createThing.getDittoHeaders().getAuthorizationContext(), createThing.getThingEntityId());
        }
        JsonObject jsonObject = initialPolicy.get();
        JsonObjectBuilder builder = jsonObject.toBuilder();
        Thing thing = createThing.getThing();
        if (thing.getPolicyEntityId().isPresent() || !jsonObject.contains(Policy.JsonFields.ID.getPointer())) {
            builder.set((JsonFieldDefinition<JsonFieldDefinition<String>>) Policy.JsonFields.ID, (JsonFieldDefinition<String>) thing.getPolicyEntityId().map((v0) -> {
                return String.valueOf(v0);
            }).orElse(createThing.getThingEntityId().toString()));
        }
        return Optional.of(PoliciesModelFactory.newPolicy(builder.build()));
    }

    private static Optional<DittoRuntimeException> checkForErrorsInCreateThingWithPolicy(CreateThing createThing) {
        return (Optional) checkAclAbsenceInCreateThing(createThing).map((v0) -> {
            return Optional.of(v0);
        }).orElseGet(() -> {
            return checkPolicyIdValidityForCreateThing(createThing);
        });
    }

    private static Optional<DittoRuntimeException> checkAclAbsenceInCreateThing(CreateThing createThing) {
        return createThing.getThing().getAccessControlList().isPresent() ? Optional.of(AclNotAllowedException.newBuilder(createThing.getThingEntityId()).dittoHeaders(createThing.getDittoHeaders()).build()) : Optional.empty();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static Optional<DittoRuntimeException> checkPolicyIdValidityForCreateThing(CreateThing createThing) {
        boolean z;
        Optional<U> map = createThing.getThing().getPolicyEntityId().map((v0) -> {
            return String.valueOf(v0);
        });
        Optional<U> flatMap = createThing.getInitialPolicy().flatMap(jsonObject -> {
            return jsonObject.getValue(Thing.JsonFields.POLICY_ID);
        });
        if (map.isPresent()) {
            z = !flatMap.isPresent() || flatMap.equals(map);
        } else {
            z = true;
        }
        return !z ? Optional.of(PolicyIdNotAllowedException.newBuilder(createThing.getThingEntityId()).dittoHeaders(createThing.getDittoHeaders()).build()) : Optional.empty();
    }

    private static boolean shouldCreatePolicyForCreateThing(CreateThing createThing) {
        return createThing.getInitialPolicy().isPresent() || !(JsonSchemaVersion.V_1 == createThing.getDittoHeaders().getSchemaVersion().orElse(JsonSchemaVersion.LATEST) || createThing.getThing().getPolicyEntityId().isPresent());
    }

    private static Optional<Policy> getDefaultPolicy(AuthorizationContext authorizationContext, ThingId thingId) {
        return authorizationContext.getFirstAuthorizationSubject().map((v0) -> {
            return v0.getId();
        }).map((v0) -> {
            return SubjectId.newInstance(v0);
        }).map(Subject::newInstance).map(subject -> {
            return Policy.newBuilder(PolicyId.of(thingId)).forLabel(DEFAULT_POLICY_ENTRY_LABEL).setSubject(subject).setGrantedPermissions(PoliciesResourceType.thingResource("/"), org.eclipse.ditto.services.models.things.Permission.DEFAULT_THING_PERMISSIONS).setGrantedPermissions(PoliciesResourceType.policyResource("/"), Permission.DEFAULT_POLICY_PERMISSIONS).setGrantedPermissions(PoliciesResourceType.messageResource("/"), Permission.DEFAULT_POLICY_PERMISSIONS).build();
        });
    }

    private static boolean isAclEnforcer(Entry<EntityIdWithResourceType> entry) {
        return entry.exists() && Objects.equals("thing", entry.getValueOrThrow().getResourceType());
    }
}
