package org.graylog.security.entities;

import com.google.common.collect.ImmutableMultimap;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.UnmodifiableIterator;
import jakarta.inject.Inject;
import java.util.Collections;
import java.util.Set;
import org.graylog.grn.GRN;
import org.graylog.security.BuiltinCapabilities;
import org.graylog.security.Capability;
import org.graylog.security.GranteeAuthorizer;

/* loaded from: input_file:org/graylog/security/entities/EntityDependencyPermissionChecker.class */
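/**
 * Reports which entity descriptors a set of grantees cannot view, limited to descriptors the
 * reference principal can view itself.
 *
 * <p>"Can view" is decided by the permissions attached to the built-in {@link Capability#VIEW}
 * capability: a principal can view an entity when it holds at least one VIEW permission that is
 * applicable to that entity's GRN.
 *
 * <p>NOTE(review): the class and parameter names suggest this backs an entity-sharing workflow
 * (warn when a grantee lacks access to a dependency of the shared entity) — confirm against callers.
 */
public class EntityDependencyPermissionChecker {
    private final GranteeAuthorizer.Factory granteeAuthorizerFactory;
    private final BuiltinCapabilities builtinCapabilities;

    /**
     * @param factory             creates one {@link GranteeAuthorizer} per principal GRN
     * @param builtinCapabilities source of the permission set behind {@link Capability#VIEW}
     */
    @Inject
    public EntityDependencyPermissionChecker(GranteeAuthorizer.Factory factory, BuiltinCapabilities builtinCapabilities) {
        this.granteeAuthorizerFactory = factory;
        this.builtinCapabilities = builtinCapabilities;
    }

    /**
     * Collects, per grantee, the descriptors that the grantee cannot view although the reference
     * principal can.
     *
     * <p>Descriptors the reference principal cannot view are never reported, so the result does not
     * reveal entities beyond that principal's own view access.
     *
     * <p>Each grantee is checked through an authorizer created for exactly that GRN. Whether access
     * obtained indirectly (for example through group membership) is taken into account depends on
     * {@link GranteeAuthorizer}, which is not visible here — TODO confirm.
     *
     * @param grn          principal whose own view access gates what may be reported (presumably the
     *                     user performing the share — confirm against callers)
     * @param immutableSet descriptors to check
     * @param set          grantees to check each descriptor against
     * @return multimap from grantee to the descriptors that grantee cannot view; empty when nothing
     *         is missing <em>or</em> when the reference principal can view none of the descriptors
     */
    public ImmutableMultimap<GRN, EntityDescriptor> check(GRN grn, ImmutableSet<EntityDescriptor> immutableSet, Set<GRN> set) {
        final ImmutableMultimap.Builder<GRN, EntityDescriptor> denied = ImmutableMultimap.builder();
        final GranteeAuthorizer referenceAuthorizer = this.granteeAuthorizerFactory.create(grn);

        for (final GRN grantee : set) {
            final GranteeAuthorizer granteeAuthorizer = this.granteeAuthorizerFactory.create(grantee);

            for (final EntityDescriptor dependency : immutableSet) {
                // Gate on the reference principal first: a descriptor it cannot view must not be
                // surfaced, whatever the grantee's access is.
                // NOTE(review): this answer does not depend on the grantee; it is re-evaluated per
                // grantee only to keep the original call pattern.
                if (cannotView(referenceAuthorizer, dependency)) {
                    continue;
                }
                if (cannotView(granteeAuthorizer, dependency)) {
                    denied.put(grantee, dependency);
                }
            }
        }
        return denied.build();
    }

    /**
     * Returns {@code true} when the authorizer holds none of the VIEW permissions that apply to the
     * descriptor's GRN.
     *
     * <p>The decision is deny-by-default: if no VIEW capability is registered, or none of its
     * permissions is applicable to the entity, the stream is empty and {@code noneMatch} is
     * vacuously {@code true}. For {@link #check} this means such descriptors are skipped for every
     * principal, so a missing VIEW capability yields an empty result rather than an error.
     */
    private boolean cannotView(GranteeAuthorizer granteeAuthorizer, EntityDescriptor entityDescriptor) {
        final GRN entity = entityDescriptor.id();
        final Set<String> viewPermissions = this.builtinCapabilities.get(Capability.VIEW)
                .map(descriptor -> descriptor.permissions())
                .orElse(Collections.emptySet());

        return viewPermissions.stream()
                .filter(entity::isPermissionApplicable)
                .noneMatch(permission -> granteeAuthorizer.isPermitted(permission, entity));
    }
}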
