package io.gravitee.rest.api.portal.rest.filter;

import io.gravitee.rest.api.model.permissions.RoleScope;
import io.gravitee.rest.api.portal.rest.security.Permission;
import io.gravitee.rest.api.portal.rest.security.Permissions;
import io.gravitee.rest.api.portal.rest.security.RequirePortalAuth;
import io.gravitee.rest.api.service.ConfigService;
import io.gravitee.rest.api.service.PermissionService;
import io.gravitee.rest.api.service.common.ExecutionContext;
import io.gravitee.rest.api.service.common.GraviteeContext;
import io.gravitee.rest.api.service.exceptions.ForbiddenAccessException;
import io.gravitee.rest.api.service.exceptions.UnauthorizedAccessException;
import jakarta.annotation.Priority;
import jakarta.inject.Inject;
import jakarta.ws.rs.container.ContainerRequestContext;
import jakarta.ws.rs.container.ContainerRequestFilter;
import jakarta.ws.rs.container.ResourceInfo;
import jakarta.ws.rs.core.Context;
import jakarta.ws.rs.core.SecurityContext;
import jakarta.ws.rs.ext.Provider;
import java.io.IOException;
import java.util.List;
import java.util.Optional;
import java.util.stream.Stream;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

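/**
 * JAX-RS request filter that enforces the {@link RequirePortalAuth} and {@link Permissions}
 * annotations found on the matched resource method or, failing that, on its resource class.
 *
 * <p>Authorization model, as implemented below:
 * <ul>
 *   <li>If no {@link Permissions} annotation is found, this filter performs no permission check
 *       at all; such endpoints are only covered by the optional authentication check.</li>
 *   <li>The {@link Permission} entries of a {@link Permissions} annotation are alternatives:
 *       satisfying any one of them grants access.</li>
 *   <li>Annotations are looked up with {@code getDeclaredAnnotation}, which ignores inherited
 *       annotations. NOTE(review): a resource subclass or overriding method that does not repeat
 *       the annotation would presumably not be covered; confirm against the resource hierarchy.</li>
 * </ul>
 */
@Provider
@Priority(200)
public class PermissionsFilter implements ContainerRequestFilter {
    protected final Logger logger = LoggerFactory.getLogger(getClass());

    @Context
    protected ResourceInfo resourceInfo;

    @Inject
    private SecurityContext securityContext;

    @Inject
    private PermissionService permissionService;

    @Inject
    private ConfigService configService;

    /**
     * Entry point invoked by the JAX-RS runtime for every matched request.
     *
     * @param containerRequestContext the request being filtered
     * @throws IOException declared by the {@link ContainerRequestFilter} contract
     * @throws UnauthorizedAccessException if portal authentication is required and no principal is present
     * @throws ForbiddenAccessException if a {@link Permissions} annotation applies and none of its entries is satisfied
     */
    @Override
    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        ExecutionContext executionContext = GraviteeContext.getExecutionContext();
        // Authentication is checked first so an anonymous caller gets 401-style handling
        // before any permission lookup is attempted.
        checkAuthenticationConditions(executionContext);
        findRequiredPermissions().ifPresent(permissions -> filter(permissions, containerRequestContext, executionContext));
    }

    /**
     * Rejects the request unless at least one of the declared permissions is held.
     * An empty {@code permissions.value()} array therefore always results in a rejection.
     *
     * @param permissions the annotation found on the resource method or class
     * @param containerRequestContext the request being filtered (source of API / application ids)
     * @param executionContext the current organization / environment context
     * @throws ForbiddenAccessException if no declared permission is satisfied
     */
    protected void filter(Permissions permissions, ContainerRequestContext containerRequestContext, ExecutionContext executionContext) {
        boolean granted = Stream
            .of(permissions.value())
            .anyMatch(permission -> hasPermission(permission, containerRequestContext, executionContext));
        if (!granted) {
            throw new ForbiddenAccessException();
        }
    }

    /**
     * Throws when the endpoint demands portal authentication and the request carries no principal.
     */
    private void checkAuthenticationConditions(ExecutionContext executionContext) {
        if (requiresPortalAuth(executionContext) && this.securityContext.getUserPrincipal() == null) {
            throw new UnauthorizedAccessException();
        }
    }

    /**
     * Resolves the reference id matching the permission's scope and delegates to the permission service.
     * Unknown scopes are denied.
     */
    private boolean hasPermission(Permission permission, ContainerRequestContext containerRequestContext, ExecutionContext executionContext) {
        RoleScope scope = permission.value().getScope();
        switch (scope) {
            case ORGANIZATION:
                return hasPermission(executionContext, permission, executionContext.getOrganizationId());
            case ENVIRONMENT:
                // No environment in the execution context means there is nothing to check against: deny.
                return executionContext.hasEnvironmentId() && hasPermission(executionContext, permission, executionContext.getEnvironmentId());
            case APPLICATION:
                // NOTE(review): the id may be null when the request carries no "applicationId";
                // confirm PermissionService denies access for a null reference id.
                return hasPermission(executionContext, permission, getApplicationId(containerRequestContext));
            case API:
                // NOTE(review): same null-id caveat as APPLICATION, for "apiId".
                return hasPermission(executionContext, permission, getApiId(containerRequestContext));
            default:
                return false;
        }
    }

    /**
     * Asks the permission service whether the caller holds {@code permission} on {@code referenceId}.
     */
    private boolean hasPermission(ExecutionContext executionContext, Permission permission, String referenceId) {
        return this.permissionService.hasPermission(executionContext, permission.value(), referenceId, permission.acls());
    }

    /**
     * Authentication is enforced only when the endpoint is annotated with {@link RequirePortalAuth}
     * and the configuration forces portal login for this execution context.
     */
    private boolean requiresPortalAuth(ExecutionContext executionContext) {
        return findRequirePortalAuthAnnotation().isPresent() && this.configService.portalLoginForced(executionContext);
    }

    private String getApiId(ContainerRequestContext containerRequestContext) {
        return getId("apiId", containerRequestContext);
    }

    private String getApplicationId(ContainerRequestContext containerRequestContext) {
        return getId("applicationId", containerRequestContext);
    }

    /**
     * Reads the first value of {@code paramName} from the path parameters, or from the query
     * string when the path does not bind that name.
     *
     * <p>NOTE(review): the query-string fallback means the id being authorized is taken from a
     * caller-controlled parameter whenever the route template does not bind {@code paramName}.
     * Resource methods relying on this filter should read the id from the same source, otherwise
     * the permission check and the operation could refer to different resources.
     *
     * @return the first value, or {@code null} when the parameter is absent or has no value
     */
    private String getId(String paramName, ContainerRequestContext containerRequestContext) {
        List<String> pathValues = containerRequestContext.getUriInfo().getPathParameters().get(paramName);
        if (pathValues != null) {
            // A bound path parameter always takes precedence over the query string.
            return firstOrNull(pathValues);
        }
        List<String> queryValues = containerRequestContext.getUriInfo().getQueryParameters().get(paramName);
        if (queryValues != null) {
            return firstOrNull(queryValues);
        }
        return null;
    }

    /** Returns the first element, or {@code null} for an empty list instead of throwing. */
    private static String firstOrNull(List<String> values) {
        return values.isEmpty() ? null : values.get(0);
    }

    /**
     * Looks for {@link Permissions} on the resource method first, then on the resource class.
     */
    private Optional<Permissions> findRequiredPermissions() {
        return Optional
            .ofNullable(this.resourceInfo.getResourceMethod().getDeclaredAnnotation(Permissions.class))
            .or(() -> Optional.ofNullable(this.resourceInfo.getResourceClass().getDeclaredAnnotation(Permissions.class)));
    }

    /**
     * Looks for {@link RequirePortalAuth} on the resource method first, then on the resource class.
     */
    private Optional<RequirePortalAuth> findRequirePortalAuthAnnotation() {
        return Optional
            .ofNullable(this.resourceInfo.getResourceMethod().getDeclaredAnnotation(RequirePortalAuth.class))
            .or(() -> Optional.ofNullable(this.resourceInfo.getResourceClass().getDeclaredAnnotation(RequirePortalAuth.class)));
    }
}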
