package org.kie.kogito.auth;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Objects;
import org.kie.kogito.internal.process.workitem.KogitoWorkItem;
import org.kie.kogito.internal.process.workitem.NotAuthorizedException;
import org.kie.kogito.internal.process.workitem.Policy;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/kie/kogito/auth/SecurityPolicy.class */
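/**
 * Work-item {@link Policy} that decides whether the caller's {@link IdentityProvider}
 * (user name + roles) may act on a {@link KogitoWorkItem}.
 *
 * <p>The decision in {@link #enforce(KogitoWorkItem)} is driven by three comma-separated
 * string parameters on the work item: {@code ActorId} (potential owners), {@code GroupId}
 * (potential groups) and {@code ExcludedOwnerId} (owners removed from the potential-owner
 * list). Notable caveats for anyone relying on this as an authorization gate:
 * <ul>
 *   <li>A work item that declares neither {@code ActorId} nor {@code GroupId} is open to
 *       every identity; {@code ExcludedOwnerId} on its own restricts nothing.</li>
 *   <li>{@code ExcludedOwnerId} is subtracted from the potential-owner list only; a caller
 *       that is excluded by name but holds a matching role is still authorized.</li>
 *   <li>Entries are split on {@code ","} and compared verbatim — no trimming, no case
 *       folding — so {@code "alice, bob"} yields the entry {@code " bob"}, not {@code "bob"}.</li>
 *   <li>A role match is sufficient even when another identity has already claimed the task;
 *       a plain potential owner is refused once the task is claimed by someone else.</li>
 * </ul>
 */
public class SecurityPolicy implements Policy {
    private static final Logger LOGGER = LoggerFactory.getLogger(SecurityPolicy.class);
    private final IdentityProvider identity;

    /**
     * Builds a policy for a static identity.
     *
     * @param str        user name handed to {@link IdentityProviders#of(String, Collection)}
     * @param collection roles of that user
     * @return a policy wrapping the resulting identity provider
     */
    public static SecurityPolicy of(String str, Collection<String> collection) {
        return new SecurityPolicy(IdentityProviders.of(str, collection));
    }

    /**
     * Builds a policy around an existing identity provider.
     *
     * @param identityProvider the caller's identity; must not be {@code null}
     * @return a policy wrapping {@code identityProvider}
     * @throws NullPointerException if {@code identityProvider} is {@code null}
     */
    public static SecurityPolicy of(IdentityProvider identityProvider) {
        Objects.requireNonNull(identityProvider);
        return new SecurityPolicy(identityProvider);
    }

    /**
     * Subclass-accessible constructor; the static factories are the public entry points.
     *
     * @param identityProvider identity this policy evaluates
     */
    protected SecurityPolicy(IdentityProvider identityProvider) {
        this.identity = identityProvider;
    }

    /** @return the identity's user name as reported by {@link IdentityProvider#getName()} */
    public String getUser() {
        return this.identity.getName();
    }

    /**
     * @return the identity's roles, exactly as returned by {@link IdentityProvider#getRoles()}
     *         (not copied — mutability depends on the provider)
     */
    public Collection<String> getRoles() {
        return this.identity.getRoles();
    }

    /**
     * Authorizes the current identity against the work item's ownership parameters.
     *
     * @param kogitoWorkItem the work item being accessed
     * @throws NotAuthorizedException if the identity is neither a (non-excluded) potential
     *         owner nor a member of a potential group, or if it is only a potential owner
     *         while another identity already owns the work item
     */
    @Override // org.kie.kogito.internal.process.workitem.Policy
    public void enforce(KogitoWorkItem kogitoWorkItem) {
        String actualOwner = kogitoWorkItem.getActualOwner();
        // The identity that already owns (claimed) the task is always allowed through.
        if (actualOwner != null && actualOwner.equals(getUser())) {
            return;
        }
        String potentialOwners = (String) kogitoWorkItem.getParameter("ActorId");
        String potentialGroups = (String) kogitoWorkItem.getParameter("GroupId");
        String excludedOwners = (String) kogitoWorkItem.getParameter("ExcludedOwnerId");
        // NOTE(security): no ActorId and no GroupId means the task is unrestricted —
        // anyone passes, regardless of ExcludedOwnerId.
        if (potentialOwners == null && potentialGroups == null) {
            return;
        }
        List<String> owners = splitCsv(potentialOwners);
        List<String> excluded = splitCsv(excludedOwners);
        // Exclusions apply only to the by-name owner list; group membership below is unaffected.
        owners.removeAll(excluded);
        List<String> groups = splitCsv(potentialGroups);
        List<String> matchingRoles = new ArrayList<>(this.identity.getRoles());
        matchingRoles.retainAll(groups);
        // Message text kept verbatim; the last placeholder is the ExcludedOwnerId list
        // even though the message calls it "exclude groups".
        LOGGER.debug("enforcing identity {} and roles {} with potential owners {} and potential groups {} and exclude groups {}",
                this.identity.getName(), this.identity.getRoles(), owners, groups, excluded);
        boolean ownerMatch = owners.contains(this.identity.getName());
        boolean groupMatch = !matchingRoles.isEmpty();
        if (!ownerMatch && !groupMatch) {
            LOGGER.debug("not authorized with owner {} against identity {}", actualOwner, this.identity.getName());
            throw new NotAuthorizedException("this work item " + kogitoWorkItem.getStringId() + " is not allows by this owner " + potentialOwners + " or " + potentialGroups);
        }
        // From here the identity is a potential owner and/or a group member. A group match is
        // enough even if someone else owns the task; a potential owner is only accepted while
        // the task is unclaimed (the "identity equals actualOwner" case was handled at the top,
        // so it cannot occur here).
        if (groupMatch || actualOwner == null) {
            return;
        }
        LOGGER.debug("identity {} with roles {} not authorized in {}", this.identity.getName(), this.identity.getRoles(), groups);
        throw new NotAuthorizedException("this work item " + kogitoWorkItem.getStringId() + " is not allows by this owner " + actualOwner);
    }

    /**
     * Splits a comma-separated parameter value into a mutable list.
     * Entries are not trimmed; a {@code null} value yields an empty list.
     *
     * @param csv raw parameter value, may be {@code null}
     * @return mutable list of the raw entries
     */
    private static List<String> splitCsv(String csv) {
        return csv == null ? new ArrayList<>() : new ArrayList<>(List.of(csv.split(",")));
    }

    @Override
    public String toString() {
        return "SecurityPolicy [identity=" + this.identity.getName() + ", roles=" + this.identity.getRoles() + "]";
    }
}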
