package li.strolch.privilege.policy;

import java.text.MessageFormat;
import li.strolch.privilege.base.AccessDeniedException;
import li.strolch.privilege.base.PrivilegeException;
import li.strolch.privilege.i18n.PrivilegeMessages;
import li.strolch.privilege.model.Certificate;
import li.strolch.privilege.model.IPrivilege;
import li.strolch.privilege.model.PrivilegeContext;
import li.strolch.privilege.model.Restrictable;
import li.strolch.utils.helper.StringHelper;

/* loaded from: input_file:li/strolch/privilege/policy/UsernameFromCertificateWithSameOrganisationPrivilege.class */
/**
 * Privilege policy that adds an organisation check in front of
 * {@link UsernameFromCertificatePrivilege}.
 *
 * <p>The acting user's certificate and the certificate being accessed must carry the same
 * {@code organisation} property. Only when they match is the decision handed on to the parent
 * policy; every other path ends in an exception, so the check fails closed.
 */
public class UsernameFromCertificateWithSameOrganisationPrivilege extends UsernameFromCertificatePrivilege {
    /** Name of the certificate property holding the user's organisation. */
    private static final String PARAM_ORGANISATION = "organisation";

    /**
     * Validates that the acting user may access the certificate supplied as the privilege value.
     *
     * @param privilegeContext context of the acting user; its certificate supplies the caller's organisation
     * @param iPrivilege       the privilege being evaluated
     * @param restrictable     the restrictable whose privilege value must be a {@link Certificate}
     * @throws PrivilegeException    if the privilege value is not a {@link Certificate}
     * @throws AccessDeniedException if the acting user has no organisation, or the organisations differ
     */
    @Override
    public void validateAction(PrivilegeContext privilegeContext, IPrivilege iPrivilege, Restrictable restrictable) {
        PrivilegePolicyHelper.preValidate(iPrivilege, restrictable);

        // This policy only understands certificates; any other privilege value is a usage error.
        Object candidate = restrictable.getPrivilegeValue();
        if (!(candidate instanceof Certificate)) {
            String pattern = Restrictable.class.getName()
                    + PrivilegeMessages.getString("Privilege.illegalArgument.noncertificate");
            String restrictableType = restrictable.getClass().getSimpleName();
            throw new PrivilegeException(MessageFormat.format(pattern, restrictableType));
        }
        Certificate targetCertificate = (Certificate) candidate;

        // A caller without an organisation is rejected outright instead of being compared against
        // a target that might also lack one.
        // NOTE(review): presumably StringHelper.isEmpty also treats null as empty — confirm.
        String callerOrganisation = privilegeContext.getCertificate().getProperty(PARAM_ORGANISATION);
        if (StringHelper.isEmpty(callerOrganisation)) {
            throw new AccessDeniedException("No organisation configured for user " + privilegeContext.getUsername());
        }

        // Exact, case-sensitive match. A missing (null) target organisation never equals the
        // caller's non-empty value, so it is denied as well.
        String targetOrganisation = targetCertificate.getProperty(PARAM_ORGANISATION);
        if (callerOrganisation.equals(targetOrganisation)) {
            // Same organisation: the parent policy still makes the final decision.
            super.validateAction(privilegeContext, iPrivilege, restrictable);
            return;
        }

        // NOTE(review): the denial text contains the target user's organisation. If
        // AccessDeniedException messages are returned to the requesting client rather than only
        // logged, this reveals another user's organisation — confirm where the message surfaces.
        String denial = "User " + privilegeContext.getUsername()
                + " may not access users outside of their organisation: "
                + callerOrganisation + " / " + targetOrganisation;
        throw new AccessDeniedException(denial);
    }
}
