package io.gravitee.rest.api.portal.rest.filter;

import io.gravitee.rest.api.model.ApplicationEntity;
import io.gravitee.rest.api.model.MembershipReferenceType;
import io.gravitee.rest.api.model.api.ApiEntity;
import io.gravitee.rest.api.model.permissions.RoleScope;
import io.gravitee.rest.api.portal.rest.resource.AbstractResource;
import io.gravitee.rest.api.portal.rest.security.Permission;
import io.gravitee.rest.api.portal.rest.security.Permissions;
import io.gravitee.rest.api.portal.rest.security.RequirePortalAuth;
import io.gravitee.rest.api.service.ApiService;
import io.gravitee.rest.api.service.ApplicationService;
import io.gravitee.rest.api.service.ConfigService;
import io.gravitee.rest.api.service.MembershipService;
import io.gravitee.rest.api.service.RoleService;
import io.gravitee.rest.api.service.common.GraviteeContext;
import io.gravitee.rest.api.service.exceptions.ForbiddenAccessException;
import io.gravitee.rest.api.service.exceptions.UnauthorizedAccessException;
import java.io.IOException;
import java.security.Principal;
import java.util.List;
import javax.annotation.Priority;
import javax.inject.Inject;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

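/**
 * Authorization filter for the portal REST API.
 *
 * <p>For every matched resource it enforces two annotation-driven checks:
 * <ul>
 *   <li>{@link Permissions}: the caller must hold at least ONE of the listed
 *       {@link Permission}s (OR semantics) in the scope each permission names
 *       (organization, environment, application or API).</li>
 *   <li>{@link RequirePortalAuth}: when the portal is configured with forced login,
 *       an anonymous caller is rejected.</li>
 * </ul>
 * Annotations are looked up on the resource method first, then on the resource class
 * ({@code getDeclaredAnnotation}, so inherited annotations are not considered).
 * A caller in the {@code ENVIRONMENT_ADMIN} role bypasses both checks.
 *
 * <p>Rejections are signalled by throwing {@link UnauthorizedAccessException} when
 * there is no authenticated principal and {@link ForbiddenAccessException} otherwise.
 *
 * <p>This listing was recovered from a decompiler; the synthetic switch-map class it
 * produced has been replaced by a direct {@code switch} on {@link RoleScope}.
 */
@Provider
@Priority(200)
public class PermissionsFilter implements ContainerRequestFilter {
    protected final Logger logger = LoggerFactory.getLogger(getClass());

    @Context
    protected ResourceInfo resourceInfo;

    @Inject
    private SecurityContext securityContext;

    @Inject
    private MembershipService membershipService;

    @Inject
    private ApplicationService applicationService;

    @Inject
    private ApiService apiService;

    @Inject
    private RoleService roleService;

    @Inject
    private ConfigService configService;

    /**
     * JAX-RS entry point: runs the permission check, then the forced-login check.
     *
     * @param containerRequestContext the request being filtered
     * @throws IOException declared by {@link ContainerRequestFilter}; not thrown here
     * @throws UnauthorizedAccessException if a check fails and the caller is anonymous
     * @throws ForbiddenAccessException if a check fails for an authenticated caller
     */
    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        if (this.securityContext.isUserInRole(AbstractResource.ENVIRONMENT_ADMIN)) {
            // Environment admins skip both the permission and the forced-login checks.
            this.logger.debug("User [{}] has full access because of its ADMIN role", this.securityContext.getUserPrincipal().getName());
            return;
        }
        filter(getRequiredPermission(), containerRequestContext);
        filter(requiredPortalAuth());
    }

    /**
     * Enforces a {@link Permissions} annotation.
     *
     * <p>No annotation, or an empty one, means nothing is required and the request
     * passes. Otherwise an authenticated principal must satisfy at least one of the
     * listed permissions; anything else is rejected via {@link #sendSecurityError()}.
     *
     * @param permissions the annotation found on the resource, may be {@code null}
     * @param containerRequestContext the request, used to resolve application / API ids
     */
    protected void filter(Permissions permissions, ContainerRequestContext containerRequestContext) {
        if (permissions == null || permissions.value().length <= 0) {
            return;
        }
        Principal userPrincipal = this.securityContext.getUserPrincipal();
        if (userPrincipal != null) {
            String username = userPrincipal.getName();
            for (Permission permission : permissions.value()) {
                // OR semantics: the first satisfied permission grants access.
                if (hasPermission(containerRequestContext, username, permission)) {
                    return;
                }
            }
        }
        sendSecurityError();
    }

    /**
     * Enforces {@link RequirePortalAuth}: when the resource requires it, the portal
     * forces login for the current environment, and there is no principal, reject.
     *
     * @param portalAuthRequired whether the resource carries {@link RequirePortalAuth}
     */
    protected void filter(boolean portalAuthRequired) {
        if (portalAuthRequired
                && this.configService.portalLoginForced(GraviteeContext.getCurrentEnvironment())
                && this.securityContext.getUserPrincipal() == null) {
            sendSecurityError();
        }
    }

    /**
     * Checks one {@link Permission} for the given user in the scope the permission names.
     *
     * <p>Application and API scopes resolve the target entity from the request
     * (see {@link #getId(String, ContainerRequestContext)}). When no id is present the
     * entity passed to the membership service is {@code null}; the outcome then depends
     * on that service's handling — NOTE(review): confirm it yields no permissions rather
     * than a default grant.
     *
     * @param containerRequestContext the request, used to resolve the target entity
     * @param username the authenticated principal's name
     * @param permission the permission to check
     * @return {@code true} if the user holds the permission with the required ACLs
     * @throws UnauthorizedAccessException / {@link ForbiddenAccessException} for a
     *         scope this filter does not know how to evaluate
     */
    protected boolean hasPermission(ContainerRequestContext containerRequestContext, String username, Permission permission) {
        String environment = GraviteeContext.getCurrentEnvironment();
        switch (permission.value().getScope()) {
            case ORGANIZATION:
                return this.roleService.hasPermission(
                        this.membershipService.getUserMemberPermissions(environment, MembershipReferenceType.ORGANIZATION, GraviteeContext.getCurrentOrganization(), username),
                        permission.value().getPermission(), permission.acls());
            case ENVIRONMENT:
                return this.roleService.hasPermission(
                        this.membershipService.getUserMemberPermissions(environment, MembershipReferenceType.ENVIRONMENT, environment, username),
                        permission.value().getPermission(), permission.acls());
            case APPLICATION:
                return this.roleService.hasPermission(
                        this.membershipService.getUserMemberPermissions(environment, getApplication(containerRequestContext), username),
                        permission.value().getPermission(), permission.acls());
            case API:
                return this.roleService.hasPermission(
                        this.membershipService.getUserMemberPermissions(environment, getApi(containerRequestContext), username),
                        permission.value().getPermission(), permission.acls());
            default:
                // Fail closed: an unknown scope can never grant access.
                sendSecurityError();
                return false;
        }
    }

    /**
     * Resolves the API targeted by the request from its {@code apiId} parameter.
     *
     * @return the API, or {@code null} when the request carries no {@code apiId}
     */
    private ApiEntity getApi(ContainerRequestContext containerRequestContext) {
        String id = getId("apiId", containerRequestContext);
        if (id == null) {
            return null;
        }
        return this.apiService.findById(id);
    }

    /**
     * Resolves the application targeted by the request from its {@code applicationId} parameter.
     *
     * @return the application, or {@code null} when the request carries no {@code applicationId}
     */
    private ApplicationEntity getApplication(ContainerRequestContext containerRequestContext) {
        String id = getId("applicationId", containerRequestContext);
        if (id == null) {
            return null;
        }
        return this.applicationService.findById(GraviteeContext.getCurrentEnvironment(), id);
    }

    /**
     * Reads an identifier from the request: a path parameter first, then a query
     * parameter of the same name. Only the first value of a multi-valued parameter
     * is considered, and an empty value list is treated as absent (the original
     * iterator-based lookup would have thrown on an empty list).
     *
     * <p>Security note: the permission is evaluated against the id found HERE. A
     * resource that takes the application / API id from another place (e.g. the
     * request body) is not covered by this filter and must check on its own.
     *
     * @param paramName the path / query parameter name
     * @param containerRequestContext the request
     * @return the first value found, or {@code null} if neither parameter is present
     */
    private String getId(String paramName, ContainerRequestContext containerRequestContext) {
        List<String> fromPath = containerRequestContext.getUriInfo().getPathParameters().get(paramName);
        if (fromPath != null && !fromPath.isEmpty()) {
            return fromPath.get(0);
        }
        List<String> fromQuery = containerRequestContext.getUriInfo().getQueryParameters().get(paramName);
        if (fromQuery != null && !fromQuery.isEmpty()) {
            return fromQuery.get(0);
        }
        return null;
    }

    /**
     * Rejects the request: 401-style for an anonymous caller, 403-style otherwise.
     *
     * @throws UnauthorizedAccessException when there is no authenticated principal
     * @throws ForbiddenAccessException when the caller is authenticated but not allowed
     */
    private void sendSecurityError() {
        if (this.securityContext.getUserPrincipal() == null) {
            throw new UnauthorizedAccessException();
        }
        throw new ForbiddenAccessException();
    }

    /**
     * Finds the {@link Permissions} annotation: resource method first, then resource class.
     *
     * @return the annotation, or {@code null} when neither declares one
     */
    private Permissions getRequiredPermission() {
        Permissions onMethod = this.resourceInfo.getResourceMethod().getDeclaredAnnotation(Permissions.class);
        if (onMethod != null) {
            return onMethod;
        }
        return this.resourceInfo.getResourceClass().getDeclaredAnnotation(Permissions.class);
    }

    /**
     * Whether {@link RequirePortalAuth} is declared on the resource method or, failing
     * that, on the resource class.
     */
    private boolean requiredPortalAuth() {
        if (this.resourceInfo.getResourceMethod().getDeclaredAnnotation(RequirePortalAuth.class) != null) {
            return true;
        }
        return this.resourceInfo.getResourceClass().getDeclaredAnnotation(RequirePortalAuth.class) != null;
    }
}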
