package io.apicurio.registry.auth;

import io.apicurio.registry.storage.NotFoundException;
import io.apicurio.registry.storage.RegistryStorage;
import io.apicurio.registry.types.Current;
import io.quarkus.security.UnauthorizedException;
import io.quarkus.security.identity.SecurityIdentity;
import java.util.Objects;
import javax.annotation.PostConstruct;
import javax.inject.Inject;
import javax.interceptor.AroundInvoke;
import javax.interceptor.Interceptor;
import javax.interceptor.InvocationContext;
import org.eclipse.microprofile.config.inject.ConfigProperty;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

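/**
 * CDI interceptor backing the {@link Authorized} binding: enforces "owner-only" authorization on
 * intercepted registry operations.
 * <p>
 * The check is active only when both {@code registry.auth.enabled} and
 * {@code registry.auth.owner-only-authorization} are true. Callers holding the admin role
 * ({@code registry.auth.roles.admin}) bypass the check entirely. Every other caller must be the
 * recorded creator of the group/artifact named by the intercepted method's parameters; the
 * comparison is exact string equality on the principal name.
 * <p>
 * Two situations let the call through (fail-open): the resource has no recorded creator
 * ({@code createdBy == null}) and the resource does not exist (storage throws
 * {@link NotFoundException}). NOTE(review): confirm that both match the intended policy.
 */
@Interceptor
@Authorized
/* loaded from: input_file:io/apicurio/registry/auth/AuthorizedInterceptor.class */
public class AuthorizedInterceptor {
    private static final Logger log = LoggerFactory.getLogger(AuthorizedInterceptor.class);

    @Inject
    SecurityIdentity securityIdentity;

    @Inject
    @Current
    RegistryStorage storage;

    @ConfigProperty(name = "registry.auth.enabled", defaultValue = "false")
    boolean authenticationEnabled;

    @ConfigProperty(name = "registry.auth.owner-only-authorization", defaultValue = "false")
    boolean authorizationEnabled;

    @ConfigProperty(name = "registry.auth.roles.admin", defaultValue = "sr-admin")
    String adminRole;

    /** Logs once at startup when owner-only authorization is in force. */
    @PostConstruct
    public void onConstruct() {
        if (isAuthEnabled()) {
            log.info("*** Owner-only authorization is enabled ***");
        }
    }

    /** Owner-only authorization applies only when authentication itself is enabled. */
    private boolean isAuthEnabled() {
        return this.authenticationEnabled && this.authorizationEnabled;
    }

    /**
     * Interceptor entry point: proceeds with the call when the check is disabled or passes.
     *
     * @param invocationContext the intercepted call; its leading parameters are read as group /
     *        artifact ids according to the {@link AuthorizedStyle} of the method's
     *        {@link Authorized} annotation
     * @return whatever the intercepted method returns
     * @throws UnauthorizedException when owner-only authorization is enabled and the caller is
     *         neither an admin nor the creator of the targeted resource
     * @throws Exception propagated from the intercepted method
     */
    @AroundInvoke
    public Object authorizeMethod(InvocationContext invocationContext) throws Exception {
        if (!isAuthEnabled() || isAllowed(invocationContext)) {
            return invocationContext.proceed();
        }
        String principalName = this.securityIdentity.getPrincipal().getName();
        throw new UnauthorizedException("User " + principalName + " is not authorized to perform the requested operation.");
    }

    /**
     * Decides whether the current principal may perform the intercepted call.
     * Admins are always allowed; otherwise the decision depends on the annotation's style.
     */
    private boolean isAllowed(InvocationContext invocationContext) {
        if (isAdmin()) {
            return true;
        }
        Authorized annotation = invocationContext.getMethod().getAnnotation(Authorized.class);
        // Method.getAnnotation returns null when the binding is not on the method itself
        // (e.g. only class-level); fail loudly with context instead of a bare NPE.
        Objects.requireNonNull(annotation,
                "@Authorized annotation missing on intercepted method " + invocationContext.getMethod());
        AuthorizedStyle style = annotation.value();
        if (style == AuthorizedStyle.GroupAndArtifact) {
            return verifyArtifactCreatedBy(getStringParam(invocationContext, 0), getStringParam(invocationContext, 1));
        }
        if (style == AuthorizedStyle.GroupOnly) {
            return verifyGroupCreatedBy(getStringParam(invocationContext, 0));
        }
        if (style == AuthorizedStyle.ArtifactOnly) {
            // No group in the lookup, but the artifact id is still read from the second parameter.
            return verifyArtifactCreatedBy(null, getStringParam(invocationContext, 1));
        }
        // No ownership check is defined for any other style, so the call is allowed.
        return true;
    }

    /**
     * Returns true when the group was created by the current principal, has no recorded creator,
     * or does not exist (fail-open in the last two cases).
     */
    private boolean verifyGroupCreatedBy(String groupId) {
        try {
            return isOwnedByCurrentUser(this.storage.getGroupMetaData(groupId).getCreatedBy());
        } catch (NotFoundException e) {
            // Missing group: allowed through; presumably the intercepted method reports the 404 itself.
            return true;
        }
    }

    /**
     * Returns true when the artifact was created by the current principal, has no recorded
     * creator, or does not exist (fail-open in the last two cases).
     */
    private boolean verifyArtifactCreatedBy(String groupId, String artifactId) {
        try {
            return isOwnedByCurrentUser(this.storage.getArtifactMetaData(groupId, artifactId).getCreatedBy());
        } catch (NotFoundException e) {
            // Missing artifact: allowed through; presumably the intercepted method reports the 404 itself.
            return true;
        }
    }

    /**
     * Shared ownership test: a null creator is treated as unowned and passes; otherwise the creator
     * must equal the current principal's name exactly.
     */
    private boolean isOwnedByCurrentUser(String createdBy) {
        if (createdBy == null) {
            return true;
        }
        return createdBy.equals(this.securityIdentity.getPrincipal().getName());
    }

    /** True when the current identity carries the configured admin role. */
    private boolean isAdmin() {
        return this.securityIdentity.hasRole(this.adminRole);
    }

    /**
     * Reads parameter {@code index} of the intercepted call as a String. Assumes the annotated
     * method declares at least {@code index + 1} parameters and that the one at {@code index} is a
     * String; otherwise this throws (index / cast) rather than denying the call.
     */
    private static String getStringParam(InvocationContext invocationContext, int index) {
        return (String) invocationContext.getParameters()[index];
    }
}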
