package org.swisspush.gateleen.security.authorization;

import io.vertx.core.Handler;
import io.vertx.core.Vertx;
import io.vertx.core.buffer.Buffer;
import io.vertx.core.eventbus.EventBus;
import io.vertx.core.http.HttpMethod;
import io.vertx.core.http.HttpServerRequest;
import io.vertx.core.json.JsonArray;
import io.vertx.core.json.JsonObject;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.swisspush.gateleen.core.http.RequestLoggerFactory;
import org.swisspush.gateleen.core.storage.ResourceStorage;
import org.swisspush.gateleen.core.util.ResourcesUtils;
import org.swisspush.gateleen.core.util.RoleExtractor;
import org.swisspush.gateleen.core.util.StatusCode;
import org.swisspush.gateleen.validation.ValidationException;

/* loaded from: input_file:org/swisspush/gateleen/security/authorization/Authorizer.class */
public class Authorizer {
    private static final String UPDATE_ADDRESS = "gateleen.authorization-updated";
    private Pattern userUriPattern;
    private String aclRoot;
    private PatternHolder aclUriPattern;
    private Vertx vertx;
    private EventBus eb;
    private ResourceStorage storage;
    private RoleExtractor roleExtractor;
    public static final Logger log = LoggerFactory.getLogger(Authorizer.class);
    private String aclKey = "acls";
    private String adminRole = "admin";
    private String anonymousRole = "everyone";
    private String deviceHeader = "x-rp-deviceid";
    private String userHeader = "x-rp-usr";
    private Map<PatternHolder, Map<String, Set<String>>> grantedRoles = new HashMap();
    private long updateTimerId = -1;
    private String aclSchema = ResourcesUtils.loadResource("gateleen_security_schema_acl", true);
    private AclFactory aclFactory = new AclFactory(this.aclSchema);
    private Map<PatternHolder, Map<String, Set<String>>> initialGrantedRoles = new HashMap();

    public Authorizer(Vertx vertx, ResourceStorage resourceStorage, String str, String str2) {
        this.vertx = vertx;
        this.storage = resourceStorage;
        this.aclRoot = str + this.aclKey + "/";
        this.aclUriPattern = new PatternHolder(Pattern.compile("^" + this.aclRoot + "(?<role>.+)$"));
        this.userUriPattern = Pattern.compile(str + "user(\\?.*)?");
        this.roleExtractor = new RoleExtractor(str2);
        this.eb = vertx.eventBus();
        this.initialGrantedRoles.put(this.aclUriPattern, new HashMap());
        this.initialGrantedRoles.get(this.aclUriPattern).put("PUT", new HashSet());
        this.initialGrantedRoles.get(this.aclUriPattern).put("GET", new HashSet());
        this.initialGrantedRoles.get(this.aclUriPattern).put("DELETE", new HashSet());
        this.initialGrantedRoles.get(this.aclUriPattern).get("PUT").add(this.adminRole);
        this.initialGrantedRoles.get(this.aclUriPattern).get("GET").add(this.adminRole);
        this.initialGrantedRoles.get(this.aclUriPattern).get("DELETE").add(this.adminRole);
        updateAllAcls();
        this.eb.consumer(UPDATE_ADDRESS, message -> {
            updateAllAcls();
        });
    }

    public void authorize(HttpServerRequest httpServerRequest, Handler<Void> handler) {
        if (!this.userUriPattern.matcher(httpServerRequest.uri()).matches()) {
            if (!isAuthorized(httpServerRequest)) {
                RequestLoggerFactory.getLogger(Authorizer.class, httpServerRequest).info("403 Forbidden");
                httpServerRequest.response().setStatusCode(StatusCode.FORBIDDEN.getStatusCode());
                httpServerRequest.response().setStatusMessage(StatusCode.FORBIDDEN.getStatusMessage());
                httpServerRequest.response().end(StatusCode.FORBIDDEN.getStatusMessage());
                return;
            }
            if (this.aclUriPattern.getPattern().matcher(httpServerRequest.uri()).matches()) {
                if (HttpMethod.PUT == httpServerRequest.method()) {
                    httpServerRequest.bodyHandler(buffer -> {
                        try {
                            this.aclFactory.parseAcl(buffer);
                            this.storage.put(httpServerRequest.uri(), buffer, num -> {
                                if (num.intValue() == StatusCode.OK.getStatusCode()) {
                                    scheduleUpdate();
                                } else {
                                    httpServerRequest.response().setStatusCode(num.intValue());
                                }
                                httpServerRequest.response().end();
                            });
                        } catch (ValidationException e) {
                            log.warn("Could not parse acl: " + e.toString());
                            httpServerRequest.response().setStatusCode(StatusCode.BAD_REQUEST.getStatusCode());
                            httpServerRequest.response().setStatusMessage(StatusCode.BAD_REQUEST.getStatusMessage() + " " + e.getMessage());
                            if (e.getValidationDetails() == null) {
                                httpServerRequest.response().end(e.getMessage());
                            } else {
                                httpServerRequest.response().headers().add("content-type", "application/json");
                                httpServerRequest.response().end(e.getValidationDetails().encode());
                            }
                        }
                    });
                    return;
                } else if (HttpMethod.DELETE == httpServerRequest.method()) {
                    this.storage.delete(httpServerRequest.uri(), num -> {
                        if (num.intValue() == StatusCode.OK.getStatusCode()) {
                            this.eb.publish(UPDATE_ADDRESS, "*");
                        } else {
                            log.warn("Could not delete '" + (httpServerRequest.uri() == null ? "<null>" : httpServerRequest.uri()) + "'. Error code is '" + (num == null ? "<null>" : num) + "'.");
                            httpServerRequest.response().setStatusCode(num.intValue());
                        }
                        httpServerRequest.response().end();
                    });
                    return;
                }
            }
            handler.handle((Object) null);
            return;
        }
        if (HttpMethod.GET != httpServerRequest.method()) {
            httpServerRequest.response().setStatusCode(StatusCode.METHOD_NOT_ALLOWED.getStatusCode());
            httpServerRequest.response().setStatusMessage(StatusCode.METHOD_NOT_ALLOWED.getStatusMessage());
            httpServerRequest.response().end();
            return;
        }
        String str = httpServerRequest.headers().get("x-rp-usr");
        JsonObject jsonObject = new JsonObject();
        httpServerRequest.response().headers().set("Content-Type", "application/json");
        String str2 = httpServerRequest.headers().get("cas_name");
        if (str2 != null) {
            str = str2;
        }
        jsonObject.put("userId", str);
        Set extractRoles = this.roleExtractor.extractRoles(httpServerRequest);
        if (extractRoles != null) {
            extractRoles.add(this.anonymousRole);
            jsonObject.put("roles", new JsonArray(new ArrayList(extractRoles)));
        }
        httpServerRequest.response().end(jsonObject.toString());
    }

    private void scheduleUpdate() {
        this.vertx.cancelTimer(this.updateTimerId);
        this.updateTimerId = this.vertx.setTimer(3000L, l -> {
            this.eb.publish(UPDATE_ADDRESS, "*");
        });
    }

    private void updateAllAcls() {
        this.storage.get(this.aclRoot, buffer -> {
            if (buffer == null) {
                log.warn("No ACLs in storage, using initial authorization.");
                this.grantedRoles = this.initialGrantedRoles;
            } else {
                this.grantedRoles = new HashMap();
                Iterator it = new JsonObject(buffer.toString("UTF-8")).getJsonArray(this.aclKey).iterator();
                while (it.hasNext()) {
                    updateAcl((String) it.next());
                }
            }
        });
    }

    private boolean isAuthorized(HttpServerRequest httpServerRequest) {
        Set<String> extractRoles = this.roleExtractor.extractRoles(httpServerRequest);
        if (extractRoles == null) {
            return true;
        }
        extractRoles.add(this.anonymousRole);
        RequestLoggerFactory.getLogger(Authorizer.class, httpServerRequest).debug("Roles: " + extractRoles);
        return isAuthorized(extractRoles, httpServerRequest);
    }

    private boolean isAuthorized(Set<String> set, HttpServerRequest httpServerRequest) {
        Set<String> set2;
        for (Map.Entry<PatternHolder, Map<String, Set<String>>> entry : this.grantedRoles.entrySet()) {
            Matcher matcher = entry.getKey().getPattern().matcher(httpServerRequest.uri());
            if (matcher.matches() && (set2 = entry.getValue().get(httpServerRequest.method().name())) != null) {
                Iterator<String> it = set2.iterator();
                while (it.hasNext()) {
                    if (checkRole(set, httpServerRequest, matcher, it.next())) {
                        return true;
                    }
                }
            }
        }
        return false;
    }

    private boolean checkRole(Set<String> set, HttpServerRequest httpServerRequest, Matcher matcher, String str) {
        if (!set.contains(str)) {
            return false;
        }
        boolean z = true;
        if (matcher.groupCount() > 0) {
            try {
                String group = matcher.group("user");
                z = true & (group != null && group.equals(httpServerRequest.headers().get(this.userHeader)));
            } catch (IllegalArgumentException e) {
            }
            try {
                String group2 = matcher.group("device");
                z &= group2 != null && group2.equals(httpServerRequest.headers().get(this.deviceHeader));
            } catch (IllegalArgumentException e2) {
            }
            try {
                String group3 = matcher.group("role");
                z &= group3 != null && set.contains(group3);
            } catch (IllegalArgumentException e3) {
            }
        }
        return z;
    }

    private void updateAcl(String str) {
        this.storage.get(this.aclRoot + str, buffer -> {
            if (buffer == null) {
                log.error("No acl for role " + str + " found in storage");
                return;
            }
            try {
                log.info("Applying acl for " + str);
                mergeAcl(str, buffer);
            } catch (ValidationException e) {
                log.error("Could not parse acls: " + e.toString());
            }
        });
    }

    private void mergeAcl(String str, Buffer buffer) throws ValidationException {
        for (Map.Entry<PatternHolder, Set<String>> entry : this.aclFactory.parseAcl(buffer).entrySet()) {
            PatternHolder key = entry.getKey();
            Map<String, Set<String>> map = this.grantedRoles.get(key);
            if (map == null) {
                map = new HashMap();
                this.grantedRoles.put(key, map);
            }
            for (String str2 : entry.getValue()) {
                Set<String> set = map.get(str2);
                if (set == null) {
                    set = new HashSet();
                    map.put(str2, set);
                }
                set.add(str);
            }
        }
    }
}
