package otoroshi.next.plugins;

import otoroshi.env.Env;
import otoroshi.gateway.Errors$;
import otoroshi.models.ApiKey;
import otoroshi.models.JwtInjection;
import otoroshi.models.PrivateAppsUser;
import otoroshi.models.ServiceDescriptor;
import otoroshi.next.models.NgRoute;
import otoroshi.next.plugins.api.NgAccess;
import otoroshi.next.plugins.api.NgAccess$NgAllowed$;
import otoroshi.next.plugins.api.NgAccessContext;
import otoroshi.next.plugins.api.NgAccessValidator;
import otoroshi.next.plugins.api.NgNamedPlugin;
import otoroshi.next.plugins.api.NgPluginCategory;
import otoroshi.next.plugins.api.NgPluginCategory$AccessControl$;
import otoroshi.next.plugins.api.NgPluginCategory$Security$;
import otoroshi.next.plugins.api.NgPluginConfig;
import otoroshi.next.plugins.api.NgPluginVisibility;
import otoroshi.next.plugins.api.NgPluginVisibility$NgUserLand$;
import otoroshi.next.plugins.api.NgStep;
import otoroshi.next.plugins.api.NgStep$ValidateAccess$;
import otoroshi.script.NamedPlugin;
import otoroshi.script.PluginType;
import otoroshi.utils.TypedMap;
import otoroshi.utils.syntax.implicits$;
import otoroshi.utils.syntax.implicits$BetterJsReadable$;
import otoroshi.utils.syntax.implicits$BetterJsValue$;
import otoroshi.utils.syntax.implicits$BetterSyntax$;
import play.api.libs.json.JsArray;
import play.api.libs.json.JsObject;
import play.api.libs.json.JsString;
import play.api.libs.json.JsValue;
import play.api.libs.json.Json$;
import play.api.libs.json.Reads$;
import play.api.mvc.RequestHeader;
import play.api.mvc.Results;
import play.api.mvc.Results$;
import scala.Array$;
import scala.None$;
import scala.Option;
import scala.Predef$;
import scala.Predef$DummyImplicit$;
import scala.Some;
import scala.collection.IndexedSeq;
import scala.collection.IndexedSeq$;
import scala.collection.Seq;
import scala.collection.immutable.$colon;
import scala.collection.immutable.Nil$;
import scala.collection.mutable.ArrayOps;
import scala.concurrent.ExecutionContext;
import scala.concurrent.Future;
import scala.reflect.ScalaSignature;
import scala.runtime.BooleanRef;
import scala.runtime.BoxedUnit;
import scala.runtime.BoxesRunTime;
import scala.util.Try$;

/* compiled from: rbac.scala */
@ScalaSignature(bytes = "\u0006\u0001\u00055c\u0001\u0002\t\u0012\u0001aAQ!\n\u0001\u0005\u0002\u0019BQ!\u000b\u0001\u0005B)BQA\u000f\u0001\u0005BmBQ\u0001\u0011\u0001\u0005B\u0005CQ!\u0012\u0001\u0005B\u0019CQA\u0013\u0001\u0005B\u0019CQa\u0013\u0001\u0005B1CQ!\u0016\u0001\u0005BYCQA\u0017\u0001\u0005BmCQ\u0001\u0019\u0001\u0005\n\u0005DQA\u001b\u0001\u0005\n-DQA\u001c\u0001\u0005\n=DQ!\u001f\u0001\u0005\niDq!a\u0001\u0001\t\u0013\t)\u0001C\u0004\u0002\u0014\u0001!\t%!\u0006\u0003\tI\u0013\u0015i\u0011\u0006\u0003%M\tq\u0001\u001d7vO&t7O\u0003\u0002\u0015+\u0005!a.\u001a=u\u0015\u00051\u0012\u0001C8u_J|7\u000f[5\u0004\u0001M\u0019\u0001!G\u0010\u0011\u0005iiR\"A\u000e\u000b\u0003q\tQa]2bY\u0006L!AH\u000e\u0003\r\u0005s\u0017PU3g!\t\u00013%D\u0001\"\u0015\t\u0011\u0013#A\u0002ba&L!\u0001J\u0011\u0003#9;\u0017iY2fgN4\u0016\r\\5eCR|'/\u0001\u0004=S:LGO\u0010\u000b\u0002OA\u0011\u0001\u0006A\u0007\u0002#\u0005)1\u000f^3qgV\t1\u0006E\u0002-i]r!!\f\u001a\u000f\u00059\nT\"A\u0018\u000b\u0005A:\u0012A\u0002\u001fs_>$h(C\u0001\u001d\u0013\t\u00194$A\u0004qC\u000e\\\u0017mZ3\n\u0005U2$aA*fc*\u00111g\u0007\t\u0003AaJ!!O\u0011\u0003\r9;7\u000b^3q\u0003)\u0019\u0017\r^3h_JLWm]\u000b\u0002yA\u0019A\u0006N\u001f\u0011\u0005\u0001r\u0014BA \"\u0005Aqu\r\u00157vO&t7)\u0019;fO>\u0014\u00180\u0001\u0006wSNL'-\u001b7jif,\u0012A\u0011\t\u0003A\rK!\u0001R\u0011\u0003%9;\u0007\u000b\\;hS:4\u0016n]5cS2LG/_\u0001\u000e[VdG/[%ogR\fgnY3\u0016\u0003\u001d\u0003\"A\u0007%\n\u0005%[\"a\u0002\"p_2,\u0017M\\\u0001\u0005G>\u0014X-\u0001\u0003oC6,W#A'\u0011\u00059\u0013fBA(Q!\tq3$\u0003\u0002R7\u00051\u0001K]3eK\u001aL!a\u0015+\u0003\rM#(/\u001b8h\u0015\t\t6$A\u0006eKN\u001c'/\u001b9uS>tW#A,\u0011\u0007iAV*\u0003\u0002Z7\t1q\n\u001d;j_:\f1\u0003Z3gCVdGoQ8oM&<wJ\u00196fGR,\u0012\u0001\u0018\t\u00045ak\u0006C\u0001\u0011_\u0013\ty\u0016E\u0001\bOOBcWoZ5o\u0007>tg-[4\u0002\u000f5\fGo\u00195fgR\u0019qIY3\t\u000b\rT\u0001\u0019\u00013\u0002\u000bI|G.Z:\u0011\u00071\"T\nC\u0003g\u0015\u0001\u0007q-\u0001\u0004d_:4\u0017n\u001a\t\u0003Q!L!![\t\u0003\u0015I\u0013\u0015iQ\"p]\u001aLw-\u0001\u0005uef\u0004\u0016M]:f)\t!G\u000eC\u0003n\u0017\u0001\u0007Q*A\u0003wC2,X-A\u000edQ\u0016\u001c7NU5hQR\u001chI]8n\u0015^$\u0018J\u001c6fGRLwN\u001c\u000b\u0004\u000fBD\b\"B9\r\u0001\u0004\u0011\u0018!C5oU\u0016\u001cG/[8o!\t\u0019h/D\u0001u\u0015\t)X#\u0001\u0004n_\u0012,Gn]\u0005\u0003oR\u0014ABS<u\u0013:TWm\u0019;j_:DQA\u001a\u0007A\u0002\u001d\fQc\u00195fG.\u0014\u0016n\u001a5ug\u001a\u0013x.\\!qS.,\u0017\u0010\u0006\u0003Hw\u0006\u0005\u0001\"\u0002?\u000e\u0001\u0004i\u0018AB1qS.,\u0017\u0010\u0005\u0002t}&\u0011q\u0010\u001e\u0002\u0007\u0003BL7*Z=\t\u000b\u0019l\u0001\u0019A4\u0002'\rDWmY6SS\u001eDGo\u001d$s_6,6/\u001a:\u0015\u000b\u001d\u000b9!!\u0005\t\u000f\u0005%a\u00021\u0001\u0002\f\u0005!Qo]3s!\r\u0019\u0018QB\u0005\u0004\u0003\u001f!(a\u0004)sSZ\fG/Z!qaN,6/\u001a:\t\u000b\u0019t\u0001\u0019A4\u0002\r\u0005\u001c7-Z:t)\u0011\t9\"a\u0011\u0015\r\u0005e\u00111FA\u001d!\u0019\tY\"!\t\u0002&5\u0011\u0011Q\u0004\u0006\u0004\u0003?Y\u0012AC2p]\u000e,(O]3oi&!\u00111EA\u000f\u0005\u00191U\u000f^;sKB\u0019\u0001%a\n\n\u0007\u0005%\u0012E\u0001\u0005OO\u0006\u001b7-Z:t\u0011\u001d\tic\u0004a\u0002\u0003_\t1!\u001a8w!\u0011\t\t$!\u000e\u000e\u0005\u0005M\"bAA\u0017+%!\u0011qGA\u001a\u0005\r)eN\u001e\u0005\b\u0003wy\u00019AA\u001f\u0003\t)7\r\u0005\u0003\u0002\u001c\u0005}\u0012\u0002BA!\u0003;\u0011\u0001#\u0012=fGV$\u0018n\u001c8D_:$X\r\u001f;\t\u000f\u0005\u0015s\u00021\u0001\u0002H\u0005\u00191\r\u001e=\u0011\u0007\u0001\nI%C\u0002\u0002L\u0005\u0012qBT4BG\u000e,7o]\"p]R,\u0007\u0010\u001e")
/* loaded from: input_file:otoroshi/next/plugins/RBAC.class */
public class RBAC implements NgAccessValidator {
    @Override // otoroshi.next.plugins.api.NgAccessValidator
    public boolean isAccessAsync() {
        boolean isAccessAsync;
        isAccessAsync = isAccessAsync();
        return isAccessAsync;
    }

    @Override // otoroshi.next.plugins.api.NgAccessValidator
    public NgAccess accessSync(NgAccessContext ngAccessContext, Env env, ExecutionContext executionContext) {
        NgAccess accessSync;
        accessSync = accessSync(ngAccessContext, env, executionContext);
        return accessSync;
    }

    @Override // otoroshi.next.plugins.api.NgNamedPlugin
    public Seq<String> tags() {
        Seq<String> tags;
        tags = tags();
        return tags;
    }

    @Override // otoroshi.next.plugins.api.NgNamedPlugin, otoroshi.script.NamedPlugin
    public final Option<JsObject> defaultConfig() {
        Option<JsObject> defaultConfig;
        defaultConfig = defaultConfig();
        return defaultConfig;
    }

    @Override // otoroshi.next.plugins.api.NgNamedPlugin, otoroshi.script.NamedPlugin
    public PluginType pluginType() {
        PluginType pluginType;
        pluginType = pluginType();
        return pluginType;
    }

    @Override // otoroshi.next.plugins.api.NgNamedPlugin, otoroshi.script.NamedPlugin
    public Option<String> configRoot() {
        Option<String> configRoot;
        configRoot = configRoot();
        return configRoot;
    }

    @Override // otoroshi.next.plugins.api.NgNamedPlugin, otoroshi.script.NamedPlugin
    public JsObject jsonDescription() {
        JsObject jsonDescription;
        jsonDescription = jsonDescription();
        return jsonDescription;
    }

    @Override // otoroshi.script.NamedPlugin
    public boolean deprecated() {
        boolean deprecated;
        deprecated = deprecated();
        return deprecated;
    }

    @Override // otoroshi.script.NamedPlugin
    public String internalName() {
        String internalName;
        internalName = internalName();
        return internalName;
    }

    @Override // otoroshi.script.NamedPlugin
    public Option<String> documentation() {
        Option<String> documentation;
        documentation = documentation();
        return documentation;
    }

    @Override // otoroshi.script.NamedPlugin
    /* renamed from: configSchema */
    public Option<JsObject> mo647configSchema() {
        Option<JsObject> mo647configSchema;
        mo647configSchema = mo647configSchema();
        return mo647configSchema;
    }

    @Override // otoroshi.script.NamedPlugin
    public Seq<String> configFlow() {
        Seq<String> configFlow;
        configFlow = configFlow();
        return configFlow;
    }

    @Override // otoroshi.next.plugins.api.NgNamedPlugin, otoroshi.script.NamedPlugin
    public Seq<NgStep> steps() {
        return new $colon.colon<>(NgStep$ValidateAccess$.MODULE$, Nil$.MODULE$);
    }

    @Override // otoroshi.next.plugins.api.NgNamedPlugin, otoroshi.script.NamedPlugin
    public Seq<NgPluginCategory> categories() {
        return new $colon.colon<>(NgPluginCategory$AccessControl$.MODULE$, new $colon.colon(NgPluginCategory$Security$.MODULE$, Nil$.MODULE$));
    }

    @Override // otoroshi.next.plugins.api.NgNamedPlugin, otoroshi.script.NamedPlugin
    public NgPluginVisibility visibility() {
        return NgPluginVisibility$NgUserLand$.MODULE$;
    }

    @Override // otoroshi.next.plugins.api.NgNamedPlugin
    public boolean multiInstance() {
        return true;
    }

    @Override // otoroshi.script.NamedPlugin
    public boolean core() {
        return true;
    }

    @Override // otoroshi.script.NamedPlugin
    public String name() {
        return "RBAC";
    }

    @Override // otoroshi.script.NamedPlugin
    public Option<String> description() {
        return implicits$BetterSyntax$.MODULE$.some$extension(implicits$.MODULE$.BetterSyntax("This plugin check if current user/apikey/jwt token has the right role"));
    }

    @Override // otoroshi.next.plugins.api.NgNamedPlugin
    public Option<NgPluginConfig> defaultConfigObject() {
        return implicits$BetterSyntax$.MODULE$.some$extension(implicits$.MODULE$.BetterSyntax(new RBACConfig(RBACConfig$.MODULE$.apply$default$1(), RBACConfig$.MODULE$.apply$default$2(), RBACConfig$.MODULE$.apply$default$3(), RBACConfig$.MODULE$.apply$default$4(), RBACConfig$.MODULE$.apply$default$5(), RBACConfig$.MODULE$.apply$default$6(), RBACConfig$.MODULE$.apply$default$7(), RBACConfig$.MODULE$.apply$default$8(), RBACConfig$.MODULE$.apply$default$9())));
    }

    private boolean matches(Seq<String> seq, RBACConfig rBACConfig) {
        if (seq.isEmpty()) {
            return false;
        }
        return (rBACConfig.allow().isEmpty() ? true : rBACConfig.allowAll() ? rBACConfig.allow().forall(str -> {
            return BoxesRunTime.boxToBoolean(seq.contains(str));
        }) : rBACConfig.allow().exists(str2 -> {
            return BoxesRunTime.boxToBoolean(seq.contains(str2));
        })) && !(rBACConfig.deny().isEmpty() ? true : rBACConfig.denyAll() ? rBACConfig.deny().forall(str3 -> {
            return BoxesRunTime.boxToBoolean(seq.contains(str3));
        }) : rBACConfig.deny().exists(str4 -> {
            return BoxesRunTime.boxToBoolean(seq.contains(str4));
        }));
    }

    private Seq<String> tryParse(String str) {
        return (str.trim().startsWith("[") && str.trim().endsWith("]")) ? (Seq) Try$.MODULE$.apply(() -> {
            return (IndexedSeq) implicits$BetterJsReadable$.MODULE$.asArray$extension(implicits$.MODULE$.BetterJsReadable(Json$.MODULE$.parse(str))).value().map(jsValue -> {
                return implicits$BetterJsReadable$.MODULE$.asString$extension(implicits$.MODULE$.BetterJsReadable(jsValue));
            }, IndexedSeq$.MODULE$.canBuildFrom());
        }).getOrElse(() -> {
            return Nil$.MODULE$;
        }) : (Seq) new ArrayOps.ofRef(Predef$.MODULE$.refArrayOps(str.split(","))).map(str2 -> {
            return str2.trim();
        }, Array$.MODULE$.fallbackCanBuildFrom(Predef$DummyImplicit$.MODULE$.dummyImplicit()));
    }

    /* JADX WARN: Removed duplicated region for block: B:21:0x0165  */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    private boolean checkRightsFromJwtInjection(otoroshi.models.JwtInjection r7, otoroshi.next.plugins.RBACConfig r8) {
        /*
            Method dump skipped, instructions count: 377
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: otoroshi.next.plugins.RBAC.checkRightsFromJwtInjection(otoroshi.models.JwtInjection, otoroshi.next.plugins.RBACConfig):boolean");
    }

    /* JADX WARN: Removed duplicated region for block: B:11:0x0117  */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    private boolean checkRightsFromApikey(otoroshi.models.ApiKey r7, otoroshi.next.plugins.RBACConfig r8) {
        /*
            Method dump skipped, instructions count: 305
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: otoroshi.next.plugins.RBAC.checkRightsFromApikey(otoroshi.models.ApiKey, otoroshi.next.plugins.RBACConfig):boolean");
    }

    /* JADX WARN: Removed duplicated region for block: B:11:0x0127  */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    private boolean checkRightsFromUser(otoroshi.models.PrivateAppsUser r7, otoroshi.next.plugins.RBACConfig r8) {
        /*
            Method dump skipped, instructions count: 326
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: otoroshi.next.plugins.RBAC.checkRightsFromUser(otoroshi.models.PrivateAppsUser, otoroshi.next.plugins.RBACConfig):boolean");
    }

    @Override // otoroshi.next.plugins.api.NgAccessValidator
    public Future<NgAccess> access(NgAccessContext ngAccessContext, Env env, ExecutionContext executionContext) {
        BooleanRef create = BooleanRef.create(false);
        RBACConfig rBACConfig = (RBACConfig) ngAccessContext.cachedConfig(internalName(), RBACConfig$.MODULE$.format()).getOrElse(() -> {
            return new RBACConfig(RBACConfig$.MODULE$.apply$default$1(), RBACConfig$.MODULE$.apply$default$2(), RBACConfig$.MODULE$.apply$default$3(), RBACConfig$.MODULE$.apply$default$4(), RBACConfig$.MODULE$.apply$default$5(), RBACConfig$.MODULE$.apply$default$6(), RBACConfig$.MODULE$.apply$default$7(), RBACConfig$.MODULE$.apply$default$8(), RBACConfig$.MODULE$.apply$default$9());
        });
        ngAccessContext.attrs().get(Keys$.MODULE$.JwtInjectionKey()).foreach(jwtInjection -> {
            $anonfun$access$2(this, create, rBACConfig, jwtInjection);
            return BoxedUnit.UNIT;
        });
        ngAccessContext.apikey().foreach(apiKey -> {
            $anonfun$access$3(this, create, rBACConfig, apiKey);
            return BoxedUnit.UNIT;
        });
        ngAccessContext.user().foreach(privateAppsUser -> {
            $anonfun$access$4(this, create, rBACConfig, privateAppsUser);
            return BoxedUnit.UNIT;
        });
        if (create.elem) {
            return implicits$BetterSyntax$.MODULE$.vfuture$extension(implicits$.MODULE$.BetterSyntax(NgAccess$NgAllowed$.MODULE$));
        }
        Results.Status Forbidden = Results$.MODULE$.Forbidden();
        RequestHeader request = ngAccessContext.request();
        Option<ServiceDescriptor> option = None$.MODULE$;
        Option<String> option2 = None$.MODULE$;
        TypedMap attrs = ngAccessContext.attrs();
        Option<NgRoute> some$extension = implicits$BetterSyntax$.MODULE$.some$extension(implicits$.MODULE$.BetterSyntax(ngAccessContext.route()));
        return Errors$.MODULE$.craftResponseResult("forbidden", Forbidden, request, option, option2, Errors$.MODULE$.craftResponseResult$default$6(), Errors$.MODULE$.craftResponseResult$default$7(), Errors$.MODULE$.craftResponseResult$default$8(), Errors$.MODULE$.craftResponseResult$default$9(), Errors$.MODULE$.craftResponseResult$default$10(), Errors$.MODULE$.craftResponseResult$default$11(), attrs, some$extension, executionContext, env).map(result -> {
            return new NgAccess.NgDenied(result);
        }, executionContext);
    }

    public static final /* synthetic */ boolean $anonfun$checkRightsFromApikey$1(RBACConfig rBACConfig, String str) {
        return str.startsWith(rBACConfig.prefix());
    }

    public static final /* synthetic */ boolean $anonfun$checkRightsFromUser$1(RBACConfig rBACConfig, String str) {
        return str.startsWith(rBACConfig.prefix());
    }

    public static final /* synthetic */ boolean $anonfun$checkRightsFromUser$6(RBAC rbac, RBACConfig rBACConfig, JsValue jsValue) {
        boolean z;
        boolean z2 = false;
        Some some = null;
        Option asOpt = implicits$BetterJsValue$.MODULE$.select$extension0(implicits$.MODULE$.BetterJsValue(jsValue), rBACConfig.roles()).asOpt(Reads$.MODULE$.JsValueReads());
        if (asOpt instanceof Some) {
            z2 = true;
            some = (Some) asOpt;
            JsString jsString = (JsValue) some.value();
            if (jsString instanceof JsString) {
                String value = jsString.value();
                z = rbac.matches((Seq) new $colon.colon(value, Nil$.MODULE$), rBACConfig) ? true : rbac.matches(rbac.tryParse(value), rBACConfig);
                return z;
            }
        }
        if (z2) {
            JsArray jsArray = (JsValue) some.value();
            if (jsArray instanceof JsArray) {
                z = rbac.matches((Seq) jsArray.value().map(jsValue2 -> {
                    return implicits$BetterJsReadable$.MODULE$.asString$extension(implicits$.MODULE$.BetterJsReadable(jsValue2));
                }, IndexedSeq$.MODULE$.canBuildFrom()), rBACConfig);
                return z;
            }
        }
        z = false;
        return z;
    }

    public static final /* synthetic */ void $anonfun$access$2(RBAC rbac, BooleanRef booleanRef, RBACConfig rBACConfig, JwtInjection jwtInjection) {
        if (booleanRef.elem || !rbac.checkRightsFromJwtInjection(jwtInjection, rBACConfig)) {
            return;
        }
        booleanRef.elem = true;
    }

    public static final /* synthetic */ void $anonfun$access$3(RBAC rbac, BooleanRef booleanRef, RBACConfig rBACConfig, ApiKey apiKey) {
        if (booleanRef.elem || !rbac.checkRightsFromApikey(apiKey, rBACConfig)) {
            return;
        }
        booleanRef.elem = true;
    }

    public static final /* synthetic */ void $anonfun$access$4(RBAC rbac, BooleanRef booleanRef, RBACConfig rBACConfig, PrivateAppsUser privateAppsUser) {
        if (booleanRef.elem || !rbac.checkRightsFromUser(privateAppsUser, rBACConfig)) {
            return;
        }
        booleanRef.elem = true;
    }

    public RBAC() {
        NamedPlugin.$init$(this);
        NgNamedPlugin.$init$((NgNamedPlugin) this);
        NgAccessValidator.$init$((NgAccessValidator) this);
    }
}
