package io.imunity.scim.admin;

import io.imunity.scim.config.SCIMEndpointDescription;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.stereotype.Component;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.EntityManagement;
import pl.edu.icm.unity.engine.api.authn.InvocationContext;
import pl.edu.icm.unity.exceptions.AuthorizationException;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.types.basic.EntityParam;

/* loaded from: input_file:io/imunity/scim/admin/AdminAuthzService.class */
/**
 * Authorization gate for admin access to the groups exposed by one SCIM endpoint.
 *
 * <p>An instance is bound to a single {@link SCIMEndpointDescription} and decides, from the
 * current {@link InvocationContext}, whether the caller may proceed. Every denial is reported
 * to the caller with the same generic message; the specific reason is written to the log only.
 *
 * <p>NOTE(review): the {@link EntityManagement} used here is the bean qualified
 * {@code "insecure"}. Presumably that variant does not apply the engine's own authorization
 * checks, which would make the check in this class the only gate in front of the lookup.
 * Confirm, and keep the reference private to this class.
 */
class AdminAuthzService {
    private static final Logger log = Log.getLogger("unity.server.scim", AdminAuthzService.class);

    /** Message returned to the caller for every denial, so the response does not reveal which check failed. */
    private static final String ACCESS_DENIED = "Access is denied";

    private final SCIMEndpointDescription configuration;
    private final EntityManagement entityManagement;

    AdminAuthzService(SCIMEndpointDescription sCIMEndpointDescription, EntityManagement entityManagement) {
        this.configuration = sCIMEndpointDescription;
        this.entityManagement = entityManagement;
    }

    /**
     * Verifies that the current caller may read or update the endpoint's exposed groups.
     *
     * <p>The checks run in this order and the first failure ends the call:
     * <ol>
     *   <li>the endpoint must have a REST admin group configured (fail closed when it is not);</li>
     *   <li>the invocation material of the current context must be {@code DIRECT};</li>
     *   <li>the entity of the current login session must be a member of the configured
     *       REST admin group.</li>
     * </ol>
     *
     * <p>NOTE(review): denials are logged at debug level only. Check whether they are visible
     * at the log level used in production, since repeated denials are a useful monitoring signal.
     *
     * @throws AuthorizationException if any of the three checks fails
     * @throws EngineException declared by the signature; presumably raised by the group lookup
     */
    public void authorizeReadOrUpdateOfExposedGroups() throws EngineException {
        // Without a configured admin group there is nobody who could be authorized: deny everyone.
        if (this.configuration.restAdminGroup.isEmpty()) {
            log.debug("Missconfigured SCIM endpoint {}, rest admin group is not set", this.configuration.endpointName);
            throw new AuthorizationException(ACCESS_DENIED);
        }

        InvocationContext ctx = InvocationContext.getCurrent();

        // Only a directly authenticated caller is accepted; any other invocation material is refused.
        boolean directlyAuthenticated =
                ctx.getInvocationMaterial().equals(InvocationContext.InvocationMaterial.DIRECT);
        if (!directlyAuthenticated) {
            log.debug("Access is denied. Update exposed groups is available only via direct authentication");
            throw new AuthorizationException(ACCESS_DENIED);
        }

        // NOTE(review): getLoginSession() is dereferenced without a null check. If a DIRECT
        // invocation can exist without a login session, this ends in a NullPointerException
        // rather than a clean denial. Confirm against InvocationContext.
        long callerEntityId = ctx.getLoginSession().getEntityId();
        EntityParam caller = new EntityParam(Long.valueOf(callerEntityId));

        // Membership is decided by the admin group being a key of the caller's group map.
        boolean adminGroupMember =
                this.entityManagement.getGroups(caller).containsKey(this.configuration.restAdminGroup.get());
        if (!adminGroupMember) {
            log.debug("Access is denied. Caller not a member of admin SCIM admin group");
            throw new AuthorizationException(ACCESS_DENIED);
        }
    }

    /**
     * Spring component that creates an {@link AdminAuthzService} per endpoint configuration,
     * sharing the single injected {@link EntityManagement}.
     */
    @Component
    static class SCIMAdminAuthzServiceFactory {
        private final EntityManagement entityManagement;

        /**
         * @param entityManagement the {@code "insecure"}-qualified bean; see the note on the
         *     enclosing class about why it must not be exposed beyond this service
         */
        @Autowired
        SCIMAdminAuthzServiceFactory(@Qualifier("insecure") EntityManagement entityManagement) {
            this.entityManagement = entityManagement;
        }

        /**
         * Creates the authorization service for one SCIM endpoint.
         *
         * @param sCIMEndpointDescription configuration of the endpoint to guard
         * @return a new service bound to that configuration
         */
        public AdminAuthzService getService(SCIMEndpointDescription sCIMEndpointDescription) {
            return new AdminAuthzService(sCIMEndpointDescription, this.entityManagement);
        }
    }
}
