package com.netflix.spinnaker.clouddriver.security;

import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.netflix.spinnaker.clouddriver.security.AccountDefinitionRepository;
import com.netflix.spinnaker.credentials.definition.CredentialsDefinition;
import com.netflix.spinnaker.kork.annotations.Alpha;
import com.netflix.spinnaker.kork.annotations.NonnullByDefault;
import com.netflix.spinnaker.kork.web.exceptions.InvalidRequestException;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import javax.annotation.Nullable;
import lombok.Generated;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.context.SecurityContextHolder;

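/**
 * Service layer in front of the persisted account-definition store, enforcing a
 * two-stage authorization model on every operation:
 *
 * <ol>
 *   <li>Spring Security method guards ({@code @PreAuthorize} / {@code @PostFilter})
 *       require the caller to be an account manager and, for operations on an
 *       existing account, to hold {@code ACCOUNT WRITE} permission on it.</li>
 *   <li>{@link #validateAccountWritePermissions} additionally requires that the
 *       definition being written grants WRITE to at least one of the caller's own
 *       roles (admins excepted), so a manager cannot create or rewrite an account
 *       that they would subsequently be locked out of.</li>
 * </ol>
 *
 * <p>NOTE(review): the SpEL guards reference method parameters by name
 * ({@code #definition}, {@code #accountName}). Spring Security resolves these
 * reflectively, which only works when the class is compiled with
 * {@code -parameters} (or the parameters carry a {@code @P} annotation). The
 * Java parameter names below MUST stay in sync with the expressions; a mismatch
 * makes the reference evaluate to {@code null} and the guard fail with an
 * evaluation error instead of a clean access decision.
 */
@Alpha
@NonnullByDefault
public class AccountDefinitionService {
    private final AccountDefinitionRepository repository;
    private final AccountDefinitionAuthorizer authorizer;
    private final AccountCredentialsProvider accountCredentialsProvider;
    private final ObjectMapper objectMapper;

    /** Key under which a serialized definition exposes its permission map. */
    private static final String PERMISSIONS_KEY = "permissions";
    /** Authorization within {@link #PERMISSIONS_KEY} whose role list is inspected. */
    private static final String WRITE_AUTHORIZATION = "WRITE";
    /** Type token for the Jackson round-trip in {@link #writeRolesOf}; immutable, so shared. */
    private static final TypeReference<Map<String, Object>> MAP_TYPE = new TypeReference<>() {};

    /** Mutation being validated; only used to word the rejection message. */
    private enum AccountAction {
        CREATE,
        UPDATE
    }

    /**
     * Lists stored definitions of one account type, paged through the repository.
     *
     * <p>The caller must be an account manager; the result is then filtered per
     * element so that only accounts whose secrets the caller may access are
     * returned.
     *
     * <p>NOTE(review): {@code @PostFilter} rewrites the returned collection in
     * place (clear + addAll), so the repository must return a mutable list; an
     * immutable {@code List.of}/{@code toList()} result would surface as an
     * {@link UnsupportedOperationException} — verify against the repository impl.
     *
     * @param type account type discriminator, passed through to the repository
     * @param limit page size, passed through to the repository
     * @param startingAccountName paging cursor, presumably the name to resume
     *     after; may be {@code null} for the first page — confirm with repository
     * @return the definitions of that type visible to the caller
     */
    @PostFilter("@accountDefinitionSecretManager.canAccessAccountWithSecrets(filterObject.name)")
    @PreAuthorize("@accountDefinitionAuthorizer.isAccountManager(authentication.name)")
    public List<? extends CredentialsDefinition> listAccountDefinitionsByType(
            String type, int limit, @Nullable String startingAccountName) {
        return this.repository.listByType(type, limit, startingAccountName);
    }

    /**
     * Persists a new account definition.
     *
     * <p>Existence is checked against the live credentials provider rather than
     * the repository. NOTE(review): this check and the subsequent write are not
     * atomic; a concurrent create of the same name is only prevented if the
     * repository itself enforces uniqueness — confirm.
     *
     * @param definition the definition to store; its name must not already be
     *     known and its permissions must grant WRITE to one of the caller's roles
     *     unless the caller is an admin
     * @return the same {@code definition} instance (it is echoed back unchanged,
     *     including any secret material it carries — callers should not relay it
     *     to untrusted parties)
     * @throws InvalidRequestException if the name is taken or the caller would not
     *     retain WRITE on the new account
     */
    @PreAuthorize("@accountDefinitionAuthorizer.isAccountManager(authentication.name)")
    public CredentialsDefinition createAccount(CredentialsDefinition definition) {
        String name = definition.getName();
        if (this.accountCredentialsProvider.getCredentials(name) != null) {
            throw new InvalidRequestException(String.format("Cannot create duplicate account (name: %s)", name));
        }
        validateAccountWritePermissions(definition, AccountAction.CREATE);
        this.repository.create(definition);
        return definition;
    }

    /**
     * Replaces an existing account definition.
     *
     * <p>The method guard requires the caller to be an account manager holding
     * {@code ACCOUNT WRITE} on the account named by {@code definition.name}; the
     * body then refuses a replacement that would drop the caller's own WRITE
     * access (admins excepted).
     *
     * @param definition the new definition; its name selects the account to replace
     * @return the same {@code definition} instance, echoed back unchanged
     * @throws InvalidRequestException if no such account is currently loaded, or
     *     the caller would not retain WRITE on it
     */
    @PreAuthorize("@accountDefinitionAuthorizer.isAccountManager(authentication.name) and hasPermission(#definition.name, 'ACCOUNT', 'WRITE')")
    public CredentialsDefinition updateAccount(CredentialsDefinition definition) {
        if (this.accountCredentialsProvider.getCredentials(definition.getName()) == null) {
            throw new InvalidRequestException(String.format("Cannot update an account which does not exist (name: %s)", definition.getName()));
        }
        validateAccountWritePermissions(definition, AccountAction.UPDATE);
        this.repository.update(definition);
        return definition;
    }

    /**
     * Deletes an account definition.
     *
     * <p>Requires account-manager status plus {@code ACCOUNT WRITE} on the named
     * account; there is no self-lockout check because nothing remains to be
     * locked out of.
     *
     * @param accountName name of the account to delete
     * @throws InvalidRequestException if no such account is currently loaded
     */
    @PreAuthorize("@accountDefinitionAuthorizer.isAccountManager(authentication.name) and hasPermission(#accountName, 'ACCOUNT', 'WRITE')")
    public void deleteAccount(String accountName) {
        if (this.accountCredentialsProvider.getCredentials(accountName) == null) {
            throw new InvalidRequestException(String.format("Cannot delete an account which does not exist (name: %s)", accountName));
        }
        this.repository.delete(accountName);
    }

    /**
     * Returns the stored revision history of an account.
     *
     * <p>Gated on {@code ACCOUNT WRITE} rather than READ — presumably because past
     * revisions contain full definitions (including secret references) and WRITE
     * is the privilege level already trusted with that content; confirm before
     * relaxing.
     *
     * @param accountName name of the account whose revisions to return
     * @return the revisions as recorded by the repository
     */
    @PreAuthorize("@accountDefinitionAuthorizer.isAccountManager(authentication.name) and hasPermission(#accountName, 'ACCOUNT', 'WRITE')")
    public List<AccountDefinitionRepository.Revision> getAccountHistory(String accountName) {
        return this.repository.revisionHistory(accountName);
    }

    /**
     * Self-lockout guard: unless the current user is an admin, the definition
     * being written must grant WRITE to at least one of the user's roles.
     *
     * <p>A definition that grants WRITE to nobody is rejected for non-admins as
     * well, since {@code disjoint(roles, {})} is trivially true — i.e. the check
     * fails closed.
     *
     * @param definition the definition about to be created or updated
     * @param action which mutation is in flight, for the error message
     * @throws IllegalStateException if no authentication is present in the
     *     security context (should be impossible after {@code @PreAuthorize};
     *     thrown rather than letting an NPE escape so the failure is explicit)
     * @throws InvalidRequestException if the caller would not retain WRITE
     */
    private void validateAccountWritePermissions(CredentialsDefinition definition, AccountAction action) {
        var authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null) {
            throw new IllegalStateException("No authenticated principal in security context");
        }
        String username = authentication.getName();
        if (this.authorizer.isAdmin(username)) {
            return; // admins may write definitions that do not name their own roles
        }
        if (Collections.disjoint(this.authorizer.getRoles(username), writeRolesOf(definition))) {
            throw new InvalidRequestException(String.format(
                    "Cannot %s account without specifying WRITE permissions for current user (name: %s)",
                    action.name().toLowerCase(Locale.ROOT), definition.getName()));
        }
    }

    /**
     * Extracts the roles granted WRITE by a definition's {@code permissions} block.
     *
     * <p>The definition is round-tripped through Jackson so every implementation's
     * permission representation can be read uniformly as nested maps. A value that
     * does not have the expected shape ({@code permissions} not a map, or
     * {@code WRITE} not a collection) is treated as granting WRITE to nobody — the
     * caller then rejects the request — instead of escaping as an opaque
     * {@link ClassCastException}. Null entries are dropped; the original
     * {@code Set.copyOf} would have rejected them with an NPE.
     *
     * @param definition the definition to inspect
     * @return the WRITE grantees as deserialized (normally strings); never null
     */
    private Set<?> writeRolesOf(CredentialsDefinition definition) {
        Map<String, Object> asMap = this.objectMapper.convertValue(definition, MAP_TYPE);
        Object permissions = asMap.get(PERMISSIONS_KEY);
        if (!(permissions instanceof Map)) {
            return Set.of();
        }
        Object writeGrants = ((Map<?, ?>) permissions).get(WRITE_AUTHORIZATION);
        if (!(writeGrants instanceof Collection)) {
            return Set.of();
        }
        Set<Object> grantees = new HashSet<>((Collection<?>) writeGrants);
        grantees.remove(null);
        return grantees;
    }

    /**
     * Wires the collaborators; generated-style all-args constructor.
     *
     * @param accountDefinitionRepository persistent store for definitions
     * @param accountDefinitionAuthorizer admin/role lookup for the current user
     * @param accountCredentialsProvider live view of currently loaded accounts
     * @param objectMapper used to read a definition's permissions generically
     */
    @Generated
    public AccountDefinitionService(AccountDefinitionRepository accountDefinitionRepository, AccountDefinitionAuthorizer accountDefinitionAuthorizer, AccountCredentialsProvider accountCredentialsProvider, ObjectMapper objectMapper) {
        this.repository = accountDefinitionRepository;
        this.authorizer = accountDefinitionAuthorizer;
        this.accountCredentialsProvider = accountCredentialsProvider;
        this.objectMapper = objectMapper;
    }
}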
