package li.strolch.privilege.policy;

import java.text.MessageFormat;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import li.strolch.privilege.base.AccessDeniedException;
import li.strolch.privilege.base.PrivilegeConstants;
import li.strolch.privilege.base.PrivilegeException;
import li.strolch.privilege.i18n.PrivilegeMessages;
import li.strolch.privilege.model.Certificate;
import li.strolch.privilege.model.IPrivilege;
import li.strolch.privilege.model.PrivilegeContext;
import li.strolch.privilege.model.Restrictable;
import li.strolch.utils.helper.StringHelper;

/* loaded from: input_file:li/strolch/privilege/policy/UsernameFromCertificateWithSameOrganisationPrivilege.class */
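/**
 * Privilege policy that adds an organisation check in front of
 * {@link UsernameFromCertificatePrivilege}: the privilege value must be a
 * {@link Certificate}, and the acting user (the certificate of the
 * {@link PrivilegeContext}) must share at least one organisation with that
 * certificate before the superclass validation is consulted.
 *
 * <p>Organisations are read from {@link Certificate#getOrganisation()} as a
 * comma-separated list; the comparison is an exact, case-sensitive string match.
 */
public class UsernameFromCertificateWithSameOrganisationPrivilege extends UsernameFromCertificatePrivilege {

    /**
     * Validates the action and throws if access is denied.
     *
     * @throws AccessDeniedException if the organisation check or the superclass check denies access
     */
    @Override
    public void validateAction(PrivilegeContext privilegeContext, IPrivilege iPrivilege, Restrictable restrictable) throws AccessDeniedException {
        validateAction(privilegeContext, iPrivilege, restrictable, true);
    }

    /**
     * Non-throwing variant of the access check: an organisation mismatch yields {@code false}.
     *
     * @return {@code true} only if the organisation check and the superclass check both pass
     * @throws PrivilegeException if the privilege value is not a {@link Certificate} or a
     *         certificate has no organisation configured
     */
    @Override
    public boolean hasPrivilege(PrivilegeContext privilegeContext, IPrivilege iPrivilege, Restrictable restrictable) throws PrivilegeException {
        return validateAction(privilegeContext, iPrivilege, restrictable, false);
    }

    /**
     * Shared implementation behind {@link #validateAction(PrivilegeContext, IPrivilege, Restrictable)}
     * and {@link #hasPrivilege(PrivilegeContext, IPrivilege, Restrictable)}.
     *
     * <p>Declared {@code public} in this decompiled listing; the decompiler reported that the
     * modifier was changed from {@code protected}.
     *
     * @param z when {@code true}, an organisation mismatch throws instead of returning {@code false}
     * @return the result of the superclass validation, or {@code false} when the organisation
     *         check fails and {@code z} is {@code false}
     */
    @Override
    public boolean validateAction(PrivilegeContext privilegeContext, IPrivilege iPrivilege, Restrictable restrictable, boolean z) throws AccessDeniedException {
        PrivilegePolicyHelper.preValidate(iPrivilege, restrictable);

        // This policy only knows how to judge certificates; anything else is a caller error.
        Object privilegeValue = restrictable.getPrivilegeValue();
        if (!(privilegeValue instanceof Certificate)) {
            throw new PrivilegeException(MessageFormat.format(Restrictable.class.getName() + PrivilegeMessages.getString("Privilege.illegalArgument.noncertificate"), restrictable.getClass().getSimpleName()));
        }
        Certificate certificate = (Certificate) privilegeValue;

        // NOTE(review): the admin bypass is evaluated on the certificate being acted upon,
        // not on privilegeContext.getCertificate() (the acting user). Confirm that skipping
        // the organisation check for admin *targets* is the intended rule.
        if (isStrolchAdminAndIgnoreOrganisation(certificate) || assertUserInSameOrganisation(privilegeContext, certificate, z)) {
            return super.validateAction(privilegeContext, iPrivilege, restrictable, z);
        }
        return false;
    }

    /**
     * Decides whether the organisation check is skipped for the given certificate.
     *
     * @return {@code true} if the certificate carries {@link PrivilegeConstants#ROLE_STROLCH_ADMIN}
     */
    protected boolean isStrolchAdminAndIgnoreOrganisation(Certificate certificate) {
        return certificate.hasRole(PrivilegeConstants.ROLE_STROLCH_ADMIN);
    }

    /**
     * Checks that the acting user and the given certificate have an organisation in common.
     *
     * @param z when {@code true}, a mismatch raises {@link AccessDeniedException}
     * @return {@code true} on overlap; {@code false} on mismatch when {@code z} is {@code false}
     * @throws AccessDeniedException on mismatch when {@code z} is {@code true}
     * @throws PrivilegeException if either certificate has no organisation configured
     */
    protected boolean assertUserInSameOrganisation(PrivilegeContext privilegeContext, Certificate certificate, boolean z) {
        Set<String> userOrganisations = getUserOrganisations(privilegeContext.getCertificate());
        Set<String> userOrganisations2 = getUserOrganisations(certificate);
        if (isUserInOrganisation(userOrganisations, userOrganisations2)) {
            return true;
        }
        if (z) {
            // NOTE(review): the message carries both organisation sets, including the target
            // user's; confirm this text only reaches audiences allowed to see them.
            throw new AccessDeniedException("User " + privilegeContext.getUsername() + " may not access users outside of their organisation: " + String.valueOf(userOrganisations) + " / " + String.valueOf(userOrganisations2));
        }
        return false;
    }

    /**
     * Tests whether the two organisation sets intersect.
     *
     * @param set organisations of the acting user
     * @param set2 organisations of the certificate being accessed
     * @return {@code true} if any element of {@code set2} is contained in {@code set}
     */
    protected boolean isUserInOrganisation(Set<String> set, Set<String> set2) {
        Stream<String> stream = set2.stream();
        Objects.requireNonNull(set);
        // The decompiled lambda referenced an undefined local ("r1"); the captured receiver is
        // the acting user's set, i.e. a bound method reference on `set`.
        return stream.anyMatch(set::contains);
    }

    /**
     * Parses the comma-separated organisation string of a certificate into a set.
     *
     * <p>Each entry is trimmed and blank entries are dropped. Without that, a stray separator
     * (for example a leading comma or {@code "a,,b"}) would put an empty string into the set,
     * and two otherwise unrelated users would match on it and pass the organisation check.
     * A certificate that yields no usable entries produces an empty set, which matches nothing.
     *
     * @throws PrivilegeException if the certificate has no organisation configured
     */
    protected Set<String> getUserOrganisations(Certificate certificate) {
        String organisation = certificate.getOrganisation();
        if (StringHelper.isEmpty(organisation)) {
            throw new PrivilegeException("No organisation configured for user " + certificate.getUsername());
        }
        return Stream.of(organisation.split(","))
                .map(String::trim)
                .filter(token -> !token.isEmpty())
                .collect(Collectors.toSet());
    }
}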
