package org.cotrix.application.impl.delegation;

import org.cotrix.action.Action;
import org.cotrix.application.DelegationPolicy;
import org.cotrix.domain.user.Role;
import org.cotrix.domain.user.User;

/* loaded from: input_file:WEB-INF/lib/cotrix-application-0.0.1-SNAPSHOT.jar:org/cotrix/application/impl/delegation/DefaultDelegationPolicy.class */
/**
 * Default {@link DelegationPolicy}: a user may delegate or revoke only actions she can perform
 * and roles she holds herself, and templates additionally require root.
 *
 * <p>A denial is signalled by throwing {@link IllegalAccessError}; a normal return means every
 * requested action or role passed. {@code IllegalAccessError} is a {@link Error}, not an
 * {@link Exception}, so a {@code catch (Exception e)} handler in a caller does not intercept a
 * denial.
 *
 * <p>The target user ({@code user2}) is never checked by this policy; it is only read to build
 * denial messages. Those messages embed user names and the string form of the action or role.
 */
public class DefaultDelegationPolicy implements DelegationPolicy {

    /**
     * Checks that {@code user} may delegate each of the given actions.
     *
     * <p>Actions are examined in order and the first failing one aborts the whole request. For
     * each action, the template rule is evaluated before the "can perform" rule.
     *
     * @param user the user attempting the delegation
     * @param user2 the user on the receiving end; used only in the denial message
     * @param actionArr the actions to delegate
     * @throws IllegalAccessError if an action is a template and {@code user} is not root, or if
     *     {@code user} cannot perform an action herself
     */
    @Override
    public void validateDelegation(User user, User user2, Action... actionArr) {
        for (int i = 0; i < actionArr.length; i++) {
            Action requested = actionArr[i];

            // Templates are reserved for root, whatever else the user can do.
            if (requested.isTemplate()) {
                if (!user.isRoot()) {
                    throw new IllegalAccessError(templateDenial(user, requested));
                }
            }

            // Nobody can hand out, or take back, a permission she does not have herself.
            if (user.can(requested)) {
                continue;
            }
            throw new IllegalAccessError(
                    user.name()
                            + " cannot perform "
                            + requested
                            + ", hence cannot delegate it or revoke it to or from "
                            + user2.name());
        }
    }

    /**
     * Checks that {@code user} may revoke the given actions from {@code user2}.
     *
     * <p>Revocation is held to exactly the same rules as delegation, so a user who cannot
     * perform an action cannot revoke it from someone else either.
     *
     * @throws IllegalAccessError under the same conditions as the action delegation check
     */
    @Override
    public void validateRevocation(User user, User user2, Action... actionArr) {
        validateDelegation(user, user2, actionArr);
    }

    /**
     * Checks that {@code user} may delegate each of the given roles.
     *
     * <p>A role passes only if {@code user} holds it. In addition, if the role carries a
     * template permission whose type equals the role's own type, {@code user} must be root.
     * Template permissions of a different type do not trigger the root requirement here, which
     * differs from the action overload, where any template does.
     *
     * @param user the user attempting the delegation
     * @param user2 the user on the receiving end; used only in the denial message
     * @param roleArr the roles to delegate
     * @throws IllegalAccessError if {@code user} lacks a role, or a role contains a same-typed
     *     template permission and {@code user} is not root
     */
    @Override
    public void validateDelegation(User user, User user2, Role... roleArr) {
        for (int i = 0; i < roleArr.length; i++) {
            Role requested = roleArr[i];

            if (!user.is(requested)) {
                throw new IllegalAccessError(
                        user.name()
                                + " does not have role "
                                + requested
                                + ", hence cannot delegate or revoke it to or from "
                                + user2.name());
            }

            for (Action permission : requested.permissions()) {
                // Only templates of the role's own type are subject to the root requirement.
                if (!permission.isTemplate() || permission.type() != requested.type()) {
                    continue;
                }
                if (!user.isRoot()) {
                    throw new IllegalAccessError(templateDenial(user, permission));
                }
            }
        }
    }

    /**
     * Checks that {@code user} may revoke the given roles from {@code user2}.
     *
     * <p>Revocation is held to exactly the same rules as delegation.
     *
     * @throws IllegalAccessError under the same conditions as the role delegation check
     */
    @Override
    public void validateRevocation(User user, User user2, Role... roleArr) {
        validateDelegation(user, user2, roleArr);
    }

    /** Builds the denial message shared by both template checks. */
    private static String templateDenial(User delegator, Action template) {
        return delegator.name()
                + " cannot delegate or revoke template "
                + template
                + ", as she does not have root privileges";
    }
}
