package ch.admin.bag.covidcertificate.authorization.impl;

import ch.admin.bag.covidcertificate.authorization.AuthorizationConfig;
import ch.admin.bag.covidcertificate.authorization.AuthorizationService;
import ch.admin.bag.covidcertificate.authorization.config.RoleConfig;
import ch.admin.bag.covidcertificate.authorization.config.RoleData;
import ch.admin.bag.covidcertificate.authorization.config.ServiceData;
import java.text.MessageFormat;
import java.time.LocalDateTime;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.TreeMap;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.annotation.PostConstruct;
import org.apache.commons.collections4.CollectionUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Profile;
import org.springframework.stereotype.Service;
import org.springframework.util.StringUtils;

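/**
 * Configuration-driven authorization service: decides which functions of a service a caller may
 * use, based on the caller's roles and on each function's validity period.
 *
 * <p>Raw role names (the {@code claim} and {@code eiam} values of the role configuration) are
 * first translated to their {@code intern} name; roles without a mapping are ignored. The lookup
 * tables are built once in {@link #init()} and only read afterwards.
 */
@Profile({"authorization && !mock-authorization"})
@Service
/* loaded from: input_file:ch/admin/bag/covidcertificate/authorization/impl/AuthorizationServiceImpl.class */
public class AuthorizationServiceImpl implements AuthorizationService {
    private static final Logger log = LoggerFactory.getLogger(AuthorizationServiceImpl.class);

    // Role names evaluated by isUserPermitted.
    private static final String ROLE_HIN_EPR = "bag-cc-hin-epr";
    private static final String ROLE_HIN = "bag-cc-hin";
    private static final String ROLE_HIN_CODE = "bag-cc-hincode";
    private static final String ROLE_PERSONAL = "bag-cc-personal";

    private final AuthorizationConfig authorizationConfig;
    private final RoleConfig roleConfig;
    // Service key -> service definition; a service without configuration is stored as null.
    private Map<String, ServiceData> services;
    // Raw role name (claim or eiam) -> intern role name.
    private Map<String, String> roleMapping;

    /**
     * Stores the two configuration sources; the lookup tables are built later by {@link #init()}.
     *
     * @param authorizationConfig per-service function definitions
     * @param roleConfig role mappings
     */
    public AuthorizationServiceImpl(AuthorizationConfig authorizationConfig, RoleConfig roleConfig) {
        this.authorizationConfig = authorizationConfig;
        this.roleConfig = roleConfig;
    }

    /**
     * Returns the identifiers of all functions of a service that are valid now and granted to
     * the given raw roles.
     *
     * @param str service key
     * @param list raw role names of the caller
     * @return granted function identifiers; empty when the service is unknown or none of the
     *     roles has a mapping
     */
    @Override
    public Set<String> getCurrent(String str, List<String> list) {
        Set<String> grants = Collections.emptySet();
        ServiceData serviceData = this.services.get(str);
        if (serviceData == null) {
            log.info("service '{}' unknown", str);
        } else {
            Set<String> internalRoles = mapRawRoles(list);
            if (internalRoles.isEmpty()) {
                // Deny by default: without a mapped role nothing is granted, not even
                // functions that carry no oneOf restriction.
                log.info("no supported roles in '{}'", list);
            } else {
                grants = filterByPointInTime(LocalDateTime.now(), serviceData.getFunctions().values()).stream()
                        .filter(function -> isGrantedIntern(internalRoles, function))
                        .map(ServiceData.Function::getIdentifier)
                        .collect(Collectors.toSet());
            }
        }
        log.info("grants: {}", grants);
        return grants;
    }

    /**
     * Looks up the definition of a service.
     *
     * @param str service key
     * @return the service definition, or {@code null} when the key is unknown or the service has
     *     no configuration
     */
    @Override
    public ServiceData getDefinition(String str) {
        return this.services.get(str);
    }

    /**
     * @return the role mappings exactly as held by the role configuration
     */
    @Override
    public List<RoleData> getRoleMapping() {
        return this.roleConfig.getMappings();
    }

    /**
     * Checks one function against a set of raw roles.
     *
     * <p>Unlike {@link #getCurrent(String, List)} this does not short-circuit on an empty mapped
     * role set, so a function without any {@code oneOf} entry and without additional
     * requirements is granted to every caller here.
     *
     * @param set raw role names of the caller
     * @param function function to check
     * @return {@code true} when the function is valid now and granted
     */
    @Override
    public boolean isGranted(Set<String> set, ServiceData.Function function) {
        return isGrantedIntern(mapRawRoles(set), function);
    }

    /**
     * Core decision on already mapped (intern) roles.
     *
     * <p>A function is granted when it is valid now, every additional function that is valid now
     * is granted as well, and at least one of its {@code oneOf} roles is held. An empty
     * {@code oneOf} list imposes no role requirement.
     *
     * <p>NOTE(review): the recursion follows {@code additional} without a depth limit, and
     * nothing in this class rejects a cyclic {@code additionalRef} chain at startup; confirm the
     * configuration is validated elsewhere.
     */
    private boolean isGrantedIntern(Set<String> set, ServiceData.Function function) {
        LocalDateTime now = LocalDateTime.now();
        if (!function.isBetween(now)) {
            return false;
        }
        boolean additionalGranted = true;
        if (CollectionUtils.isNotEmpty(function.getAdditional())) {
            // Additional functions outside their validity period are skipped, not counted as a
            // denial.
            additionalGranted = filterByPointInTime(now, function.getAdditional()).stream()
                    .allMatch(required -> isGrantedIntern(set, required));
        }
        List<String> oneOf = function.getOneOf();
        if (CollectionUtils.isEmpty(oneOf)) {
            return additionalGranted;
        }
        Objects.requireNonNull(set);
        return additionalGranted && oneOf.stream().anyMatch(set::contains);
    }

    /**
     * Rejects callers that hold one of the HIN roles without also holding the HIN-code or the
     * personal role; every other caller is permitted.
     *
     * @param collection role names of the caller
     * @return {@code false} only for a HIN caller lacking both complementary roles
     */
    @Override
    public boolean isUserPermitted(Collection<String> collection) {
        boolean hinUser = collection.contains(ROLE_HIN_EPR) || collection.contains(ROLE_HIN);
        boolean hasCodeOrPersonal = collection.contains(ROLE_HIN_CODE) || collection.contains(ROLE_PERSONAL);
        if (hinUser && !hasCodeOrPersonal) {
            log.warn("HIN-User not allowed to use the application...");
            log.warn("userroles: {}", collection);
            return false;
        }
        return true;
    }

    /**
     * Finds the functions of a service that match a request and are valid now.
     *
     * @param str service key
     * @param str2 request URI
     * @param str3 HTTP method
     * @return matching functions; functions without a URI are never matched
     * @throws NullPointerException when the service is unknown
     */
    @Override
    public List<ServiceData.Function> identifyFunction(String str, String str2, String str3) {
        // Keep failing loudly for an unknown service: an empty result could be read by a
        // caller as "no function to enforce".
        ServiceData definition = Objects.requireNonNull(getDefinition(str), () -> "unknown service: " + str);
        LocalDateTime now = LocalDateTime.now();
        return definition.getFunctions().values().stream()
                .filter(function -> StringUtils.hasText(function.getUri()))
                .filter(function -> function.matchesUri(str2))
                .filter(function -> function.matchesHttpMethod(str3))
                .filter(function -> function.isBetween(now))
                .toList();
    }

    /**
     * Translates raw role names to intern role names.
     *
     * @param collection raw role names
     * @return the intern names of all roles that have a mapping; unmapped roles are dropped
     */
    @Override
    public Set<String> mapRawRoles(Collection<String> collection) {
        return collection.stream()
                .map(rawRole -> this.roleMapping.get(rawRole))
                .filter(Objects::nonNull)
                .collect(Collectors.toSet());
    }

    /**
     * Keeps the functions whose validity period contains the given point in time.
     *
     * @return the valid functions, or an empty list when either argument is {@code null}
     */
    private List<ServiceData.Function> filterByPointInTime(LocalDateTime localDateTime, Collection<ServiceData.Function> collection) {
        if (collection == null || localDateTime == null) {
            return Collections.emptyList();
        }
        return collection.stream()
                .filter(function -> function.isBetween(localDateTime))
                .toList();
    }

    /**
     * Builds the service and role lookup tables from the configuration.
     *
     * @throws IllegalStateException when a role mapping reuses a claim or eiam name, or when a
     *     function references an unknown additional function
     */
    @PostConstruct
    void init() {
        this.services = new TreeMap<>();
        this.services.put(AuthorizationService.SERVICE_NOTIFICATIONS, enrichServiceData(this.authorizationConfig.getNotifications()));
        this.services.put(AuthorizationService.SERVICE_API_GATEWAY, enrichServiceData(this.authorizationConfig.getApiGateway()));
        this.services.put(AuthorizationService.SERVICE_MANAGEMENT, enrichServiceData(this.authorizationConfig.getManagement()));
        this.services.put(AuthorizationService.SERVICE_WEB_UI, enrichServiceData(this.authorizationConfig.getWebUi()));
        this.services.put(AuthorizationService.SERVICE_REPORT, enrichServiceData(this.authorizationConfig.getReport()));
        this.roleMapping = new TreeMap<>();
        for (RoleData roleData : this.roleConfig.getMappings()) {
            // A raw name resolving to two intern roles would make grants ambiguous, so refuse
            // to start.
            if (this.roleMapping.containsKey(roleData.getClaim()) || this.roleMapping.containsKey(roleData.getEiam())) {
                throw new IllegalStateException(MessageFormat.format("role mappings for \"{0}\" not unique (conflicts with either eiam \"{1}\" or claim \"{2}\")", roleData.getIntern(), roleData.getEiam(), roleData.getClaim()));
            }
            this.roleMapping.put(roleData.getClaim(), roleData.getIntern());
            this.roleMapping.put(roleData.getEiam(), roleData.getIntern());
        }
    }

    /**
     * Resolves the additional references of every function of a service in place.
     *
     * @return the same instance, or {@code null} when no configuration was given
     */
    private ServiceData enrichServiceData(ServiceData serviceData) {
        if (serviceData == null) {
            return null;
        }
        Map<String, ServiceData.Function> functions = serviceData.getFunctions();
        functions.values().forEach(function -> enrichFunction(function, functions));
        return serviceData;
    }

    /** Resolves one function's additional references and replaces a missing oneOf list by an empty one. */
    private void enrichFunction(ServiceData.Function function, Map<String, ServiceData.Function> map) {
        function.setAdditional(buildAdditionalList(function.getAdditionalRef(), map));
        if (function.getOneOf() == null) {
            function.setOneOf(Collections.emptyList());
        }
    }

    /**
     * Resolves function references against the functions of the same service.
     *
     * @param list referenced function keys, may be {@code null}
     * @param map functions of the service by key
     * @return the referenced functions in reference order; empty when {@code list} is {@code null}
     * @throws IllegalStateException when a reference cannot be resolved
     */
    private List<ServiceData.Function> buildAdditionalList(List<String> list, Map<String, ServiceData.Function> map) {
        List<ServiceData.Function> resolved = new ArrayList<>();
        if (list != null) {
            for (String reference : list) {
                ServiceData.Function function = map.get(reference);
                if (function == null) {
                    throw new IllegalStateException(MessageFormat.format("referenced Function in Authorization Config not found: \"{0}\"", reference));
                }
                resolved.add(function);
            }
        }
        return resolved;
    }
}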
