package com.yahoo.vespa.hosted.provision.restapi.v2.filter;

import com.google.inject.Inject;
import com.yahoo.config.provision.Zone;
import com.yahoo.config.provisioning.NodeRepositoryConfig;
import com.yahoo.jdisc.handler.ResponseHandler;
import com.yahoo.jdisc.http.filter.DiscFilterRequest;
import com.yahoo.jdisc.http.filter.SecurityRequestFilter;
import com.yahoo.net.HostName;
import com.yahoo.vespa.hosted.provision.NodeRepository;
import com.yahoo.vespa.hosted.provision.restapi.v2.ErrorResponse;
import com.yahoo.vespa.hosted.provision.restapi.v2.filter.NodeIdentifier;
import com.yahoo.yolean.chain.After;
import java.net.URI;
import java.security.Principal;
import java.util.Optional;
import java.util.Set;
import java.util.function.BiConsumer;
import java.util.function.BiPredicate;
import java.util.logging.Logger;
import java.util.stream.Collectors;
import java.util.stream.Stream;

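@After({"NodeIdentifierFilter"})
/* loaded from: input_file:com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.class */
/**
 * Security filter that authorizes an already-identified node against the URI it requests.
 *
 * <p>Runs after {@code NodeIdentifierFilter}, which is expected to have stored a
 * {@link NodePrincipal} on the request. A request is rejected (and the rejection logged)
 * when the principal is missing or of an unexpected type, when identification failed with a
 * {@link NodeIdentifier.NodeIdentifierException}, or when the configured authorizer denies
 * the principal access to the request URI. Authorized requests pass through unchanged.
 */
public class AuthorizationFilter implements SecurityRequestFilter {
    private static final Logger log = Logger.getLogger(AuthorizationFilter.class.getName());
    /** Decides whether the given principal may access the given request URI. */
    private final BiPredicate<NodePrincipal, URI> authorizer;
    /** Receives the error response to send when a request is denied. */
    private final BiConsumer<ErrorResponse, ResponseHandler> rejectAction;

    /**
     * Creates the production filter: an {@link Authorizer} for the zone's system, trusting the
     * local hostname plus every non-empty entry of the configured hostname whitelist, and a
     * reject action that logs a warning and writes the error response.
     *
     * @param zone                 the zone this node repository serves; its system is passed to the authorizer
     * @param nodeRepository       the node repository the authorizer consults
     * @param nodeRepositoryConfig supplies the comma-separated hostname whitelist
     */
    @Inject
    public AuthorizationFilter(Zone zone, NodeRepository nodeRepository, NodeRepositoryConfig nodeRepositoryConfig) {
        this(new Authorizer(zone.system(), nodeRepository, trustedHostnames(nodeRepositoryConfig)),
             AuthorizationFilter::logAndReject);
    }

    /**
     * Creates a filter with an explicit authorizer and reject action (used by tests).
     *
     * @param authorizer   decides whether a principal may access a URI
     * @param rejectAction invoked with the error response and the response handler on denial
     */
    AuthorizationFilter(BiPredicate<NodePrincipal, URI> authorizer, BiConsumer<ErrorResponse, ResponseHandler> rejectAction) {
        this.authorizer = authorizer;
        this.rejectAction = rejectAction;
    }

    /**
     * Validates the request; if it is denied, hands the error response to the reject action.
     * Otherwise the request continues down the filter chain untouched.
     *
     * @param request         the incoming request, carrying the principal set by NodeIdentifierFilter
     * @param responseHandler where the rejection response is written
     */
    @Override
    public void filter(DiscFilterRequest request, ResponseHandler responseHandler) {
        validateAccess(request).ifPresent(error -> rejectAction.accept(error, responseHandler));
    }

    /**
     * Builds the set of hostnames the authorizer trusts: the local hostname and each non-empty
     * entry of the comma-separated {@code hostnameWhitelist} config value.
     */
    private static Set<String> trustedHostnames(NodeRepositoryConfig nodeRepositoryConfig) {
        Stream<String> local = Stream.of(HostName.getLocalhost());
        Stream<String> whitelisted = Stream.of(nodeRepositoryConfig.hostnameWhitelist().split(","));
        // An empty whitelist value splits into a single empty string; drop such entries.
        return Stream.concat(local, whitelisted)
                     .filter(hostname -> !hostname.isEmpty())
                     .collect(Collectors.toSet());
    }

    /**
     * Checks the request's principal against the authorizer.
     *
     * @return empty when the request is authorized; otherwise the error response to send:
     *         internal server error when no {@link NodePrincipal} is present (the identifier
     *         filter did not run), forbidden when identification failed or the authorizer
     *         denies access
     */
    private Optional<ErrorResponse> validateAccess(DiscFilterRequest request) {
        try {
            Principal rawPrincipal = request.getUserPrincipal();
            if (rawPrincipal == null) {
                return Optional.of(ErrorResponse.internalServerError(
                        createErrorMessage(request, "Principal is missing. NodeIdentifierFilter has not been applied.")));
            }
            // A principal of another type means a different filter set it; fail closed with a
            // clear message instead of letting a ClassCastException escape the filter.
            if (!(rawPrincipal instanceof NodePrincipal)) {
                return Optional.of(ErrorResponse.internalServerError(
                        createErrorMessage(request, "Principal is of unexpected type " + rawPrincipal.getClass().getName()
                                                    + ". NodeIdentifierFilter has not been applied.")));
            }
            NodePrincipal principal = (NodePrincipal) rawPrincipal;
            if (!authorizer.test(principal, request.getUri())) {
                return Optional.of(ErrorResponse.forbidden(
                        createErrorMessage(request, "Invalid credentials: " + principal.toString())));
            }
            // Re-set the same principal on the request; presumably so downstream handlers see it
            // as the authenticated principal. Kept as in the original.
            request.setUserPrincipal(principal);
            return Optional.empty();
        } catch (NodeIdentifier.NodeIdentifierException e) {
            // Identification failures surface when the principal is read; they are an
            // authorization failure from the client's point of view.
            return Optional.of(ErrorResponse.forbidden(
                    createErrorMessage(request, "Invalid credentials: " + e.getMessage())));
        }
    }

    /**
     * Formats a denial message naming the method, path and remote address of the request.
     *
     * @param request the denied request
     * @param reason  why it was denied
     */
    private static String createErrorMessage(DiscFilterRequest request, String reason) {
        return String.format("%s %s denied for %s: %s",
                             request.getMethod(), request.getUri().getPath(), request.getRemoteAddr(), reason);
    }

    /** Default reject action: logs the denial as a warning and writes the error response. */
    private static void logAndReject(ErrorResponse errorResponse, ResponseHandler responseHandler) {
        log.warning(errorResponse.message());
        FilterUtils.write(errorResponse, responseHandler);
    }
}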
