package de.odil.platform.hn.pl.persistence.api.permission;

import de.odil.platform.hn.pl.persistence.api.permission.StoreAccessPermission;
import java.util.function.Predicate;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import org.apache.cxf.jaxrs.ext.MessageContext;
import org.apache.cxf.jaxrs.utils.ExceptionUtils;
import org.apache.cxf.rs.security.oauth2.utils.OAuthContextUtils;
import org.hamcrest.BaseMatcher;
import org.hamcrest.Description;
import org.hamcrest.DiagnosingMatcher;
import org.hamcrest.Matcher;
import org.hamcrest.StringDescription;

/* loaded from: input_file:de/odil/platform/hn/pl/persistence/api/permission/PermissionChecker.class */
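/**
 * Decides whether the caller behind a CXF {@link MessageContext} may perform a
 * {@link StoreAccessPermission.Access} on the store identified by a service id.
 *
 * <p>Roles are resolved with {@link OAuthContextUtils#resolveUserRoles(MessageContext)} and
 * evaluated through {@code Permissions}. The {@code assert*} methods throw the forbidden
 * exception built by {@link ExceptionUtils#toForbiddenException(Throwable, Response)}; the
 * {@code can*} methods return the same decision as a boolean.
 *
 * <p><b>Security note:</b> a checker constructed with a {@code null} message context is
 * fail-open: {@link #hasPermission} returns {@code true} and {@link #getRolePermissions()}
 * returns {@code Permissions.ANY}. Callers that serve external requests must therefore always
 * pass the real request context; a missing context is treated as "trusted", not as "denied".
 */
public class PermissionChecker {
    /**
     * Checker that grants every access and reports {@code Permissions.ANY}.
     *
     * <p>Passing this instance disables authorization for the call path that receives it, so
     * it should only be handed to code that is not reachable with an untrusted request.
     */
    public static final PermissionChecker ALLOW_ALL = new PermissionChecker(null, "none") {
        @Override
        protected boolean hasPermission(MessageContext messageContext, StoreAccessPermission.Access access) {
            return true;
        }

        @Override
        public Permissions getRolePermissions() {
            return Permissions.ANY;
        }
    };
    private final MessageContext messageContext;
    private final String serviceId;

    /**
     * Creates a checker for one store.
     *
     * @param messageContext request context the roles are resolved from; {@code null} makes
     *     every permission check succeed (see the class-level security note)
     * @param str service id of the store the permissions refer to
     */
    public PermissionChecker(MessageContext messageContext, String str) {
        this.serviceId = str;
        this.messageContext = messageContext;
    }

    /** Returns the message context given at construction; may be {@code null}. */
    public MessageContext getMessageContext() {
        return this.messageContext;
    }

    /** Returns the service id given at construction. */
    public String getServiceId() {
        return this.serviceId;
    }

    /**
     * Builds the lower-case role-permission string {@code "<serviceId>:<access>"}.
     *
     * @param access access kind whose enum name forms the second part
     * @return the lower-cased permission string
     */
    protected String createRolePermissionFromAccess(StoreAccessPermission.Access access) {
        // Locale.ROOT keeps the permission string stable regardless of the JVM default locale
        // (a Turkish default locale would otherwise map 'I' to a dotless 'ı' and the string
        // would no longer compare equal to the configured role permission).
        return (getServiceId() + ":" + access.name()).toLowerCase(java.util.Locale.ROOT);
    }

    /**
     * Evaluates one access kind against the resolved role permissions.
     *
     * @param messageContext request context; {@code null} short-circuits to {@code true}
     * @param access access kind to evaluate
     * @return {@code true} if the access is allowed
     */
    protected boolean hasPermission(MessageContext messageContext, StoreAccessPermission.Access access) {
        // NOTE(review): fail-open by design of the original code. Left unchanged because
        // existing callers may rely on context-less checkers; confirm that no request-facing
        // path can reach this with a null context.
        if (messageContext == null) {
            return true;
        }
        return getRolePermissions().allowsAccess(getServiceId(), access);
    }

    /**
     * Resolves the permissions of the current caller.
     *
     * @return {@code Permissions.ANY} when no message context is present, otherwise the
     *     permissions created from the user roles resolved from the context
     */
    public Permissions getRolePermissions() {
        MessageContext messageContext = getMessageContext();
        return messageContext == null ? Permissions.ANY : Permissions.createFromRolePermissions(OAuthContextUtils.resolveUserRoles(messageContext));
    }

    /**
     * Creates a matcher that requires all of the given access kinds.
     *
     * <p>With {@code null} or no arguments an {@code IsOkMatcher} is returned
     * (NOTE(review): presumably matches unconditionally, which would make an argument-less
     * {@link #assertAccess} a no-op; confirm against {@code IsOkMatcher}).
     *
     * @param accessArr access kinds that must all be permitted
     * @return matcher combining one permission check per access kind via {@code and}
     */
    public static CombinableMatcher<PermissionChecker> isPermittedTo(StoreAccessPermission.Access... accessArr) {
        if (accessArr == null || accessArr.length == 0) {
            return new IsOkMatcher();
        }
        CombinableMatcher<PermissionChecker> combinableMatcher = null;
        for (final StoreAccessPermission.Access access : accessArr) {
            final BaseMatcher<PermissionChecker> baseMatcher = new BaseMatcher<PermissionChecker>() {
                public void describeTo(Description description) {
                    description.appendText("permission '" + access + "'");
                }

                public boolean matches(Object obj) {
                    // Deny instead of throwing ClassCastException / NullPointerException when
                    // the matcher is applied to something that is not a checker.
                    if (!(obj instanceof PermissionChecker)) {
                        return false;
                    }
                    PermissionChecker permissionChecker = (PermissionChecker) obj;
                    return permissionChecker.hasPermission(permissionChecker.getMessageContext(), access);
                }

                public void describeMismatch(Object obj, Description description) {
                    description.appendText("is missing ");
                }
            };
            // The first access kind seeds the chain; every further one is and-ed onto it.
            combinableMatcher = combinableMatcher == null ? new CombinableMatcher<PermissionChecker>(baseMatcher) {
                @Override
                protected boolean matches(Object obj, Description description) {
                    boolean matches = baseMatcher.matches(obj);
                    if (!matches) {
                        baseMatcher.describeMismatch(obj, description);
                    }
                    return matches;
                }
            } : combinableMatcher.and(baseMatcher);
        }
        return combinableMatcher;
    }

    /**
     * Evaluates a predicate against this checker without throwing.
     *
     * @param predicate condition to evaluate
     * @return the predicate's result
     */
    public boolean checkIf(Predicate<PermissionChecker> predicate) {
        return predicate.test(this);
    }

    /**
     * Throws a forbidden exception (without cause or response) unless the predicate holds.
     *
     * @param predicate condition that must hold for this checker
     */
    public void assertThat(Predicate<PermissionChecker> predicate) {
        if (!predicate.test(this)) {
            throw ExceptionUtils.toForbiddenException((Throwable) null, (Response) null);
        }
    }

    /**
     * Evaluates a matcher against this checker without throwing.
     *
     * @param matcher matcher to evaluate
     * @return {@code true} if the matcher accepts this checker
     */
    public boolean checkIf(Matcher<PermissionChecker> matcher) {
        return matcher.matches(this);
    }

    /**
     * Throws a forbidden exception unless the matcher accepts this checker.
     *
     * <p>The exception's cause carries a message naming the store and the matcher's mismatch
     * description. NOTE(review): whether that message reaches the client depends on the
     * exception mapping in use; confirm the store id and missing permission are only logged
     * and not echoed in the response body.
     *
     * @param diagnosingMatcher matcher that must accept this checker
     */
    public void assertThat(DiagnosingMatcher<PermissionChecker> diagnosingMatcher) {
        if (diagnosingMatcher.matches(this)) {
            return;
        }
        Description appendText = new StringDescription().appendText("Permission for store '" + getServiceId() + "': ");
        diagnosingMatcher.describeMismatch(this, appendText);
        throw ExceptionUtils.toForbiddenException(new Exception(appendText.toString()), (Response) null);
    }

    /**
     * Asserts that all given access kinds are permitted.
     *
     * @param accessArr access kinds to require; see {@link #isPermittedTo} for the empty case
     */
    public void assertAccess(StoreAccessPermission.Access... accessArr) {
        assertThat(isPermittedTo(accessArr));
    }

    /** Asserts {@code CREATE} access; throws the forbidden exception otherwise. */
    public void assertCreate() throws WebApplicationException {
        assertThat(isPermittedTo(StoreAccessPermission.Access.CREATE));
    }

    /** Returns whether {@code CREATE} access is permitted. */
    public boolean canCreate() {
        return checkIf((Matcher<PermissionChecker>) isPermittedTo(StoreAccessPermission.Access.CREATE));
    }

    /** Asserts {@code UPDATE} access; throws the forbidden exception otherwise. */
    public void assertUpdate() throws WebApplicationException {
        assertThat(isPermittedTo(StoreAccessPermission.Access.UPDATE));
    }

    /** Returns whether {@code UPDATE} access is permitted. */
    public boolean canUpdate() {
        return checkIf((Matcher<PermissionChecker>) isPermittedTo(StoreAccessPermission.Access.UPDATE));
    }

    /** Asserts {@code READ} access; throws the forbidden exception otherwise. */
    public void assertRead() throws WebApplicationException {
        assertThat(isPermittedTo(StoreAccessPermission.Access.READ));
    }

    /** Returns whether {@code READ} access is permitted. */
    public boolean canRead() {
        return checkIf((Matcher<PermissionChecker>) isPermittedTo(StoreAccessPermission.Access.READ));
    }

    /** Asserts {@code DELETE} access; throws the forbidden exception otherwise. */
    public void assertDelete() throws WebApplicationException {
        assertThat(isPermittedTo(StoreAccessPermission.Access.DELETE));
    }

    /** Returns whether {@code DELETE} access is permitted. */
    public boolean canDelete() {
        return checkIf((Matcher<PermissionChecker>) isPermittedTo(StoreAccessPermission.Access.DELETE));
    }

    /** Asserts {@code SELF} access; throws the forbidden exception otherwise. */
    public void assertSelf() throws WebApplicationException {
        assertThat(isPermittedTo(StoreAccessPermission.Access.SELF));
    }

    /** Returns whether {@code SELF} access is permitted. */
    public boolean canSelf() {
        return checkIf((Matcher<PermissionChecker>) isPermittedTo(StoreAccessPermission.Access.SELF));
    }
}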
