package org.projectnessie.server.authz;

import com.google.common.collect.ImmutableMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.Supplier;
import org.projectnessie.cel.tools.Script;
import org.projectnessie.cel.tools.ScriptException;
import org.projectnessie.services.authz.AbstractBatchAccessChecker;
import org.projectnessie.services.authz.AccessContext;
import org.projectnessie.services.authz.Check;
import org.projectnessie.services.cel.CELUtil;

/* loaded from: input_file:org/projectnessie/server/authz/CelBatchAccessChecker.class */
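/**
 * Batch access checker that evaluates every collected {@link Check} against the compiled CEL
 * authorization rules.
 *
 * <p>Security-relevant behaviour, as implemented below:
 *
 * <ul>
 *   <li><b>Deny by default.</b> A check is granted only if at least one rule evaluates to
 *       {@code true}. With an empty rule set, or when no rule matches, the check is recorded as
 *       failed.
 *   <li><b>Fail closed on rule errors.</b> A {@link ScriptException} raised by a rule is rethrown
 *       as a {@link RuntimeException}, so {@link #check()} returns no partial result for that
 *       batch unless something further up the call chain catches it.
 *   <li><b>Short-circuit evaluation.</b> Rules are tried in the iteration order of
 *       {@code compiledRules.getRules()} and evaluation stops at the first match, so a rule that
 *       fails to execute only surfaces if no earlier rule has already granted the check.
 *   <li><b>Missing user.</b> When the context has no user, the role variable is bound to the
 *       empty string. Rules should not match on an empty role unless unauthenticated access is
 *       intended.
 * </ul>
 */
final class CelBatchAccessChecker extends AbstractBatchAccessChecker {
    private final CompiledAuthorizationRules compiledRules;
    private final AccessContext context;

    /**
     * Creates a checker bound to one set of compiled rules and one access context.
     *
     * @param compiledAuthorizationRules the rules every check is evaluated against
     * @param accessContext supplies the user whose name is bound to the role variable
     */
    public CelBatchAccessChecker(CompiledAuthorizationRules compiledAuthorizationRules, AccessContext accessContext) {
        this.compiledRules = compiledAuthorizationRules;
        this.context = accessContext;
    }

    /**
     * Evaluates all collected checks.
     *
     * @return the failed checks mapped to their failure message, in the order the checks were
     *     evaluated; an empty map means every check was granted by at least one rule
     * @throws RuntimeException if a rule fails to execute
     */
    @Override
    public Map<Check, String> check() {
        // Typed map instead of a raw LinkedHashMap: keeps the Check -> message contract
        // compiler-checked and avoids unchecked-call warnings.
        Map<Check, String> failedChecks = new LinkedHashMap<>();
        getChecks().forEach(check -> {
            if (check.type().isContent()) {
                canPerformOpOnPath(check, failedChecks);
            } else if (check.type().isRef()) {
                canPerformOpOnReference(check, failedChecks);
            } else {
                canPerformOp(check, failedChecks);
            }
        });
        return failedChecks;
    }

    /**
     * Returns the name of the context's user, or the empty string when the context has no user.
     * This value is what the rules see in the role variable.
     */
    private String getRoleName() {
        return null != this.context.user() ? this.context.user().getName() : "";
    }

    /** Evaluates a check that targets neither content nor a reference. */
    private void canPerformOp(Check check, Map<Check, String> failedChecks) {
        String roleName = getRoleName();
        // Every variable is always bound; the ones that do not apply are set to "".
        Map<String, Object> variables =
            ImmutableMap.of(CELUtil.VAR_ROLE, roleName, "op", check.type().name(), "path", "", "ref", "", "contentType", "");
        canPerformOp(
            variables,
            check,
            () -> String.format("'%s' is not allowed for role '%s' ", check.type(), roleName),
            failedChecks);
    }

    /** Evaluates a check that targets a reference; binds the reference name to {@code ref}. */
    private void canPerformOpOnReference(Check check, Map<Check, String> failedChecks) {
        String roleName = getRoleName();
        Map<String, Object> variables =
            ImmutableMap.of("ref", check.ref().getName(), CELUtil.VAR_ROLE, roleName, "op", check.type().name(), "path", "", "contentType", "");
        canPerformOp(
            variables,
            check,
            () -> String.format("'%s' is not allowed for role '%s' on reference '%s'", check.type(), roleName, check.ref().getName()),
            failedChecks);
    }

    /**
     * Evaluates a check that targets content; binds the reference name, the content key's path
     * string and the content type name (or "" when the check carries no content type).
     */
    private void canPerformOpOnPath(Check check, Map<Check, String> failedChecks) {
        String roleName = getRoleName();
        String contentTypeName = check.contentType() != null ? check.contentType().name() : "";
        Map<String, Object> variables =
            ImmutableMap.of("ref", check.ref().getName(), "path", check.key().toPathString(), CELUtil.VAR_ROLE, roleName, "op", check.type().name(), "contentType", contentTypeName);
        canPerformOp(
            variables,
            check,
            () -> String.format("'%s' is not allowed for role '%s' on content '%s'", check.type(), roleName, check.key().toPathString()),
            failedChecks);
    }

    /**
     * Runs the rules against one set of variable bindings and records a failure when none grants.
     *
     * @param variables the variable bindings handed to every rule
     * @param check the check being evaluated; used as the key of a recorded failure
     * @param failureMessage builds the message, invoked only when the check is denied
     * @param failedChecks receives the check and its message when no rule evaluates to true
     * @throws RuntimeException if a rule throws {@link ScriptException}; the message names the
     *     rule id and carries the script error text
     */
    private void canPerformOp(Map<String, Object> variables, Check check, Supplier<String> failureMessage, Map<Check, String> failedChecks) {
        boolean granted = this.compiledRules.getRules().entrySet().stream().anyMatch(entry -> {
            try {
                return ((Boolean) ((Script) entry.getValue()).execute(Boolean.class, variables)).booleanValue();
            } catch (ScriptException e) {
                // Do not treat a broken rule as "no match": abort so the failure is visible
                // instead of silently changing the authorization outcome.
                throw new RuntimeException(String.format("Failed to execute authorization rule with id '%s' due to: %s", entry.getKey(), e.getMessage()), e);
            }
        });
        if (!granted) {
            // Deny by default: no rule evaluated to true for these bindings.
            failedChecks.put(check, failureMessage.get());
        }
    }
}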
