package otoroshi.plugins.biscuit;

import com.clevercloud.biscuit.error.Error;
import com.clevercloud.biscuit.token.Authorizer;
import com.clevercloud.biscuit.token.builder.Check;
import com.clevercloud.biscuit.token.builder.Fact;
import com.clevercloud.biscuit.token.builder.Rule;
import com.clevercloud.biscuit.token.builder.Utils;
import com.clevercloud.biscuit.token.builder.parser.Parser;
import io.vavr.Tuple2;
import java.util.List;
import otoroshi.env.Env;
import otoroshi.models.ApiKey;
import otoroshi.models.PrivateAppsUser;
import otoroshi.script.ContextWithConfig;
import otoroshi.utils.http.RequestImplicits$;
import otoroshi.utils.http.RequestImplicits$EnhancedRequestHeader$;
import play.api.libs.json.JsLookup$;
import play.api.libs.json.JsLookupResult$;
import play.api.libs.json.JsValue;
import play.api.libs.json.JsValue$;
import play.api.libs.json.Reads$;
import play.api.mvc.RequestHeader;
import scala.MatchError;
import scala.None$;
import scala.Option;
import scala.Predef$;
import scala.collection.IterableLike;
import scala.collection.JavaConverters$;
import scala.collection.Seq;
import scala.collection.Seq$;
import scala.collection.TraversableLike;
import scala.collection.immutable.$colon;
import scala.collection.immutable.Nil$;
import scala.collection.mutable.Buffer;
import scala.package$;
import scala.runtime.BoxedUnit;
import scala.runtime.BoxesRunTime;
import scala.util.Either;
import scala.util.Left;
import scala.util.Right;
import scala.util.Try$;

/* compiled from: biscuit.scala */
/* loaded from: input_file:otoroshi/plugins/biscuit/BiscuitHelper$.class */
public final class BiscuitHelper$ {
    public static BiscuitHelper$ MODULE$;

    static {
        new BiscuitHelper$();
    }

    public BiscuitConfig readConfig(String str, ContextWithConfig contextWithConfig) {
        JsValue configFor = contextWithConfig.configFor(str);
        return new BiscuitConfig(JsLookup$.MODULE$.$bslash$extension1(JsValue$.MODULE$.jsValueToJsLookup(configFor), "publicKey").asOpt(Reads$.MODULE$.StringReads()), (Seq) JsLookup$.MODULE$.$bslash$extension1(JsValue$.MODULE$.jsValueToJsLookup(configFor), "checks").asOpt(Reads$.MODULE$.traversableReads(Predef$.MODULE$.fallbackStringCanBuildFrom(), Reads$.MODULE$.StringReads())).getOrElse(() -> {
            return Nil$.MODULE$;
        }), (Seq) JsLookup$.MODULE$.$bslash$extension1(JsValue$.MODULE$.jsValueToJsLookup(configFor), "facts").asOpt(Reads$.MODULE$.traversableReads(Predef$.MODULE$.fallbackStringCanBuildFrom(), Reads$.MODULE$.StringReads())).getOrElse(() -> {
            return Nil$.MODULE$;
        }), (Seq) JsLookup$.MODULE$.$bslash$extension1(JsValue$.MODULE$.jsValueToJsLookup(configFor), "resources").asOpt(Reads$.MODULE$.traversableReads(Predef$.MODULE$.fallbackStringCanBuildFrom(), Reads$.MODULE$.StringReads())).getOrElse(() -> {
            return Nil$.MODULE$;
        }), (Seq) JsLookup$.MODULE$.$bslash$extension1(JsValue$.MODULE$.jsValueToJsLookup(configFor), "rules").asOpt(Reads$.MODULE$.traversableReads(Predef$.MODULE$.fallbackStringCanBuildFrom(), Reads$.MODULE$.StringReads())).getOrElse(() -> {
            return Nil$.MODULE$;
        }), (Seq) JsLookup$.MODULE$.$bslash$extension1(JsValue$.MODULE$.jsValueToJsLookup(configFor), "revocation_ids").asOpt(Reads$.MODULE$.traversableReads(Predef$.MODULE$.fallbackStringCanBuildFrom(), Reads$.MODULE$.StringReads())).getOrElse(() -> {
            return Nil$.MODULE$;
        }), (String) JsLookup$.MODULE$.$bslash$extension1(JsLookupResult$.MODULE$.jsLookupResultToJsLookup(JsLookup$.MODULE$.$bslash$extension1(JsValue$.MODULE$.jsValueToJsLookup(configFor), "extractor")), "type").asOpt(Reads$.MODULE$.StringReads()).getOrElse(() -> {
            return "header";
        }), (String) JsLookup$.MODULE$.$bslash$extension1(JsLookupResult$.MODULE$.jsLookupResultToJsLookup(JsLookup$.MODULE$.$bslash$extension1(JsValue$.MODULE$.jsValueToJsLookup(configFor), "extractor")), "name").asOpt(Reads$.MODULE$.StringReads()).getOrElse(() -> {
            return "Authorization";
        }), BoxesRunTime.unboxToBoolean(JsLookup$.MODULE$.$bslash$extension1(JsValue$.MODULE$.jsValueToJsLookup(configFor), "enforce").asOpt(Reads$.MODULE$.BooleanReads()).getOrElse(() -> {
            return false;
        })));
    }

    public String readOrWrite(String str) {
        return "DELETE".equals(str) ? "write" : ("GET".equals(str) || "HEAD".equals(str) || "OPTIONS".equals(str)) ? "read" : ("PATCH".equals(str) || "POST".equals(str) || "PUT".equals(str)) ? "write" : "none";
    }

    public Option<BiscuitToken> extractToken(RequestHeader requestHeader, BiscuitConfig biscuitConfig) {
        String extractor = biscuitConfig.extractor();
        return ("header".equals(extractor) ? requestHeader.headers().get(biscuitConfig.extractorName()) : "query".equals(extractor) ? requestHeader.getQueryString(biscuitConfig.extractorName()) : "cookie".equals(extractor) ? requestHeader.cookies().get(biscuitConfig.extractorName()).map(cookie -> {
            return cookie.value();
        }) : None$.MODULE$).map(str -> {
            return new PubKeyBiscuitToken(str.replace("Bearer ", "").replace("Biscuit ", "").replace("biscuit: ", "").replace("sealed-biscuit: ", "").trim());
        });
    }

    public Either<Error, BoxedUnit> verify(Authorizer authorizer, BiscuitConfig biscuitConfig, VerificationContext verificationContext, Env env) {
        authorizer.set_time();
        authorizer.add_fact(new StringBuilder(13).append("operation(\"").append(readOrWrite(verificationContext.request().method())).append("\")").toString());
        authorizer.add_fact(Utils.fact("resource", (List) JavaConverters$.MODULE$.seqAsJavaListConverter(new $colon.colon(Utils.string(verificationContext.request().method().toLowerCase()), new $colon.colon(Utils.string(RequestImplicits$EnhancedRequestHeader$.MODULE$.theDomain$extension(RequestImplicits$.MODULE$.EnhancedRequestHeader(verificationContext.request()), env)), new $colon.colon(Utils.string(RequestImplicits$EnhancedRequestHeader$.MODULE$.thePath$extension(RequestImplicits$.MODULE$.EnhancedRequestHeader(verificationContext.request()))), Nil$.MODULE$)))).asJava()));
        authorizer.add_fact(Utils.fact("req_path", (List) JavaConverters$.MODULE$.seqAsJavaListConverter(new $colon.colon(Utils.string(RequestImplicits$EnhancedRequestHeader$.MODULE$.thePath$extension(RequestImplicits$.MODULE$.EnhancedRequestHeader(verificationContext.request()))), Nil$.MODULE$)).asJava()));
        authorizer.add_fact(Utils.fact("req_domain", (List) JavaConverters$.MODULE$.seqAsJavaListConverter(new $colon.colon(Utils.string(RequestImplicits$EnhancedRequestHeader$.MODULE$.theDomain$extension(RequestImplicits$.MODULE$.EnhancedRequestHeader(verificationContext.request()), env)), Nil$.MODULE$)).asJava()));
        authorizer.add_fact(Utils.fact("req_method", (List) JavaConverters$.MODULE$.seqAsJavaListConverter(new $colon.colon(Utils.string(verificationContext.request().method().toLowerCase()), Nil$.MODULE$)).asJava()));
        authorizer.add_fact(Utils.fact("descriptor_id", (List) JavaConverters$.MODULE$.seqAsJavaListConverter(new $colon.colon(Utils.string(verificationContext.descriptor().id()), Nil$.MODULE$)).asJava()));
        verificationContext.apikey().foreach(apiKey -> {
            $anonfun$verify$1(authorizer, apiKey);
            return BoxedUnit.UNIT;
        });
        verificationContext.user().foreach(privateAppsUser -> {
            $anonfun$verify$4(authorizer, privateAppsUser);
            return BoxedUnit.UNIT;
        });
        biscuitConfig.resources().foreach(str -> {
            return authorizer.add_fact(new StringBuilder(12).append("resource(\"").append(str).append("\")").toString());
        });
        ((IterableLike) ((TraversableLike) ((TraversableLike) biscuitConfig.checks().map(str2 -> {
            return Parser.check(str2);
        }, Seq$.MODULE$.canBuildFrom())).filter(either -> {
            return BoxesRunTime.boxToBoolean(either.isRight());
        })).map(either2 -> {
            return (Check) ((Tuple2) either2.get())._2;
        }, Seq$.MODULE$.canBuildFrom())).foreach(check -> {
            return authorizer.add_check(check);
        });
        ((IterableLike) ((TraversableLike) ((TraversableLike) biscuitConfig.facts().map(str3 -> {
            return Parser.fact(str3);
        }, Seq$.MODULE$.canBuildFrom())).filter(either3 -> {
            return BoxesRunTime.boxToBoolean(either3.isRight());
        })).map(either4 -> {
            return (Fact) ((Tuple2) either4.get())._2;
        }, Seq$.MODULE$.canBuildFrom())).foreach(fact -> {
            return authorizer.add_fact(fact);
        });
        ((IterableLike) ((TraversableLike) ((TraversableLike) biscuitConfig.rules().map(str4 -> {
            return Parser.rule(str4);
        }, Seq$.MODULE$.canBuildFrom())).filter(either5 -> {
            return BoxesRunTime.boxToBoolean(either5.isRight());
        })).map(either6 -> {
            return (Rule) ((Tuple2) either6.get())._2;
        }, Seq$.MODULE$.canBuildFrom())).foreach(rule -> {
            return authorizer.add_rule(rule);
        });
        Buffer buffer = (Buffer) JavaConverters$.MODULE$.asScalaBufferConverter(authorizer.get_revocation_ids()).asScala();
        if (biscuitConfig.revocation_ids().nonEmpty() && biscuitConfig.revocation_ids().exists(str5 -> {
            return BoxesRunTime.boxToBoolean(buffer.contains(str5));
        })) {
            return package$.MODULE$.Left().apply(new Error.FormatError.DeserializationError("revoked token"));
        }
        boolean z = false;
        Left either7 = Try$.MODULE$.apply(() -> {
            return authorizer.allow().authorize();
        }).toEither();
        if (either7 instanceof Left) {
            z = true;
            Error error = (Throwable) either7.value();
            if (error instanceof Error) {
                return package$.MODULE$.Left().apply(error);
            }
        }
        if (z) {
            return package$.MODULE$.Left().apply(new Error.InternalError());
        }
        if (either7 instanceof Right) {
            return package$.MODULE$.Right().apply(BoxedUnit.UNIT);
        }
        throw new MatchError(either7);
    }

    public static final /* synthetic */ void $anonfun$verify$1(Authorizer authorizer, ApiKey apiKey) {
        apiKey.tags().foreach(str -> {
            return authorizer.add_fact(Utils.fact("apikey_tag", (List) JavaConverters$.MODULE$.seqAsJavaListConverter(new $colon.colon(Utils.string(str), Nil$.MODULE$)).asJava()));
        });
        apiKey.metadata().foreach(tuple2 -> {
            return authorizer.add_fact(Utils.fact("apikey_meta", (List) JavaConverters$.MODULE$.seqAsJavaListConverter(new $colon.colon(Utils.string((String) tuple2._1()), new $colon.colon(Utils.string((String) tuple2._2()), Nil$.MODULE$))).asJava()));
        });
    }

    public static final /* synthetic */ void $anonfun$verify$4(Authorizer authorizer, PrivateAppsUser privateAppsUser) {
        privateAppsUser.metadata().foreach(tuple2 -> {
            return authorizer.add_fact(Utils.fact("user_meta", (List) JavaConverters$.MODULE$.seqAsJavaListConverter(new $colon.colon(Utils.string((String) tuple2._1()), new $colon.colon(Utils.string((String) tuple2._2()), Nil$.MODULE$))).asJava()));
        });
    }

    private BiscuitHelper$() {
        MODULE$ = this;
    }
}
