package org.restheart.security.authorizers;

import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import io.undertow.predicate.Predicate;
import io.undertow.security.idm.Account;
import io.undertow.server.HttpServerExchange;
import java.io.FileNotFoundException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Comparator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.TreeMap;
import java.util.function.Consumer;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import java.util.stream.StreamSupport;
import org.restheart.configuration.ConfigurationException;
import org.restheart.exchange.Request;
import org.restheart.plugins.FileConfigurablePlugin;
import org.restheart.plugins.Inject;
import org.restheart.plugins.OnInit;
import org.restheart.plugins.PluginsRegistry;
import org.restheart.plugins.RegisterPlugin;
import org.restheart.plugins.security.Authorizer;
import org.restheart.security.BaseAclPermission;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

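/**
 * Authorizer that grants or denies requests according to ACL permissions loaded
 * from the {@code permissions} section of the plugin configuration file.
 *
 * <p>Resolution is per role: the account's roles are visited in their iteration
 * order, each role's permissions in ascending {@code getPriority()} order, and the
 * first permission whose predicate allows the request wins. It is attached to the
 * exchange as {@code BaseAclPermission.MATCHING_ACL_PERMISSION}. A request without
 * an authenticated account is evaluated against the pseudo-role
 * {@link #$UNAUTHENTICATED}. No matching permission means "denied".
 *
 * <p>The permission set is populated at init and mutated once more, by the
 * registry's permission transformers, on the first request. After that it is only
 * read, so concurrent requests need no further synchronization.
 */
@RegisterPlugin(name = "fileAclAuthorizer", description = "authorizes requests according to acl defined in a configuration file", enabledByDefault = false)
public class FileAclAuthorizer extends FileConfigurablePlugin implements Authorizer {
    private static final Logger LOGGER = LoggerFactory.getLogger(FileAclAuthorizer.class);

    /** Pseudo-role under which permissions for unauthenticated requests are declared. */
    public static final String $UNAUTHENTICATED = "$unauthenticated";

    @Inject("registry")
    private PluginsRegistry registry;

    @Inject("config")
    private Map<String, Object> config;

    /** Insertion order matters: it breaks priority ties in {@link #rolePermissions(String)}. */
    private final Set<FileAclPermission> permissions = new LinkedHashSet<>();

    /**
     * Set once the transformers have been applied. Volatile so the lock-free check in
     * {@link #ensurePermissionsTransformed()} is safe; the write happens under
     * {@link #transformLock}.
     */
    private volatile boolean permissionsTransformed = false;
    private final Object transformLock = new Object();

    /**
     * Stand-in account for requests that carry no authenticated account: no principal
     * and exactly one role, {@link FileAclAuthorizer#$UNAUTHENTICATED}.
     */
    public static class NotAuthenticatedAccount implements Account {
        private static final long serialVersionUID = 3124;

        private NotAuthenticatedAccount() {
        }

        public Principal getPrincipal() {
            return null;
        }

        public Set<String> getRoles() {
            return Sets.newHashSet($UNAUTHENTICATED);
        }
    }

    /**
     * Loads the {@code permissions} configuration entries and reverses their order.
     * Because the per-role sort in {@link #rolePermissions(String)} is stable, the
     * reversal makes entries that were added later win among permissions of equal
     * priority (presumably: later in the file wins — TODO confirm against the loader).
     *
     * @throws FileNotFoundException if the configured permissions file cannot be found
     * @throws ConfigurationException if the configuration cannot be read
     */
    @OnInit
    public void init() throws FileNotFoundException, ConfigurationException {
        init(this.config, "permissions");
        List<FileAclPermission> reversed = new ArrayList<>(this.permissions);
        Collections.reverse(reversed);
        this.permissions.clear();
        this.permissions.addAll(reversed);
    }

    /**
     * Callback invoked by the base class for every entry of the {@code permissions}
     * configuration. A malformed entry is logged and dropped rather than aborting
     * startup; since dropping an entry can only remove a grant this fails closed, but
     * the error log is the only place a typo in the ACL shows up.
     *
     * @return consumer that builds a {@link FileAclPermission} from one config map
     */
    public Consumer<? super Map<String, Object>> consumeConfiguration() {
        return entry -> {
            try {
                this.permissions.add(FileAclPermission.build(entry));
            } catch (ConfigurationException e) {
                LOGGER.error("Wrong permission", e);
            }
        };
    }

    /**
     * Applies every permission transformer registered in the plugin registry to every
     * permission, exactly once, the first time it is needed. Double-checked locking on
     * a volatile flag: the original check-then-act let a second concurrent request run
     * {@link #isAllowed(Request)} against not-yet-transformed permissions while the
     * first request was still inside {@link #transformPermissions()}. The flag is set
     * only after the transformers completed, so a failure is retried by the next request.
     */
    private void ensurePermissionsTransformed() {
        if (this.permissionsTransformed) {
            return;
        }
        synchronized (this.transformLock) {
            if (!this.permissionsTransformed) {
                transformPermissions();
                this.permissionsTransformed = true;
            }
        }
    }

    /** Runs each registry permission transformer over each permission (mutates the permissions in place). */
    private void transformPermissions() {
        this.permissions.forEach(permission ->
                this.registry.getPermissionTransformers().stream()
                        .forEach(transformer -> transformer.transform(permission)));
    }

    /**
     * Decides whether {@code request} is authorized.
     *
     * <p>OPTIONS requests are always allowed (presumably CORS preflight). Otherwise the
     * first permission allowing the request, in role order then priority order, is
     * attached to the exchange as {@code MATCHING_ACL_PERMISSION} and {@code true} is
     * returned; with no match nothing is attached and {@code false} is returned.
     * Evaluation stops at the first match, so the predicate context left on the
     * exchange is the one populated by the matching permission's predicate.
     *
     * @param request the request under evaluation
     * @return {@code true} if some permission of one of the account's roles allows it
     */
    public boolean isAllowed(Request<?> request) {
        ensurePermissionsTransformed();
        if (request.isOptions()) {
            return true;
        }
        HttpServerExchange exchange = request.getExchange();
        preparePredicateContext(exchange, exchange.getRequestPath());
        if (LOGGER.isDebugEnabled()) {
            logResolution(request, exchange);
        }
        Optional<FileAclPermission> matching = firstMatchingPermission(request, exchange);
        matching.ifPresent(permission ->
                exchange.putAttachment(BaseAclPermission.MATCHING_ACL_PERMISSION, (BaseAclPermission) permission));
        return matching.isPresent();
    }

    /**
     * Decides whether the request must be authenticated before authorization.
     *
     * <p>OPTIONS requests never require authentication. Any other request can skip
     * authentication only when a permission declared for {@link #$UNAUTHENTICATED}
     * allows it; an empty permission set for that pseudo-role therefore requires
     * authentication (fail closed).
     *
     * @param request the request under evaluation
     * @return {@code true} if no unauthenticated permission allows the request
     */
    public boolean isAuthenticationRequired(Request<?> request) {
        if (request.isOptions()) {
            return false;
        }
        HttpServerExchange exchange = request.getExchange();
        preparePredicateContext(exchange, request.getPath());
        return rolePermissions($UNAUTHENTICATED).stream()
                .noneMatch(permission -> permission.allow(request));
    }

    /**
     * Prepares the exchange for predicate evaluation: makes sure a predicate context
     * map is attached and sets the relative path to {@code path}, since the ACL
     * predicates are presumably matched against the relative path.
     *
     * <p>NOTE(review): {@link #isAllowed(Request)} passes {@code exchange.getRequestPath()}
     * while {@link #isAuthenticationRequired(Request)} passes {@code request.getPath()};
     * kept as in the original — confirm the two are equivalent for this request type.
     */
    private static void preparePredicateContext(HttpServerExchange exchange, String path) {
        if (exchange.getAttachment(Predicate.PREDICATE_CONTEXT) == null) {
            exchange.putAttachment(Predicate.PREDICATE_CONTEXT, new TreeMap<>());
        }
        exchange.setRelativePath(path);
    }

    /**
     * First permission, in role order then priority order, whose predicate allows the
     * request. Short-circuits on the first match.
     */
    private Optional<FileAclPermission> firstMatchingPermission(Request<?> request, HttpServerExchange exchange) {
        for (String role : account(exchange).getRoles()) {
            for (FileAclPermission permission : rolePermissions(role)) {
                if (permission.allow(request)) {
                    return Optional.of(permission);
                }
            }
        }
        return Optional.empty();
    }

    /**
     * Debug aid: logs, for every role and every permission of that role, whether the
     * permission allows the request. The first allowing permission of each role is
     * marked with {@code <--}. Evaluates every predicate once more on top of the real
     * resolution, so it only runs when debug logging is enabled.
     */
    private void logResolution(Request<?> request, HttpServerExchange exchange) {
        for (String role : account(exchange).getRoles()) {
            boolean marked = false;
            for (FileAclPermission permission : rolePermissions(role)) {
                boolean allow = permission.allow(request);
                String marker = allow && !marked ? "<--" : "";
                marked |= allow;
                LOGGER.debug("role {}, permission (roles={},predicate={}), resolve {} {}",
                        role, permission.getRoles(), permission.getRequestPredicate(), allow, marker);
            }
        }
    }

    /**
     * Permissions granted to {@code role}, ordered by ascending priority value; ties keep
     * the order of {@link #permissions} because {@code sorted} on an ordered stream is
     * stable. Never {@code null}; empty when the role has no permissions. The original
     * used a parallel stream here, which only adds thread hopping per request for a
     * handful of entries.
     */
    private LinkedHashSet<FileAclPermission> rolePermissions(String role) {
        return this.permissions.stream()
                .filter(permission -> permission.getRoles() != null && permission.getRoles().contains(role))
                .sorted(Comparator.comparingInt(FileAclPermission::getPriority))
                .collect(Collectors.toCollection(LinkedHashSet::new));
    }

    /** The exchange's authenticated account, or a {@link NotAuthenticatedAccount} when there is none. */
    private Account account(HttpServerExchange exchange) {
        Account authenticated = exchange.getSecurityContext().getAuthenticatedAccount();
        return isAuthenticated(authenticated) ? authenticated : new NotAuthenticatedAccount();
    }

    /** An account counts as authenticated when the security context produced one at all. */
    private boolean isAuthenticated(Account account) {
        return account != null;
    }
}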
