package com.netflix.spinnaker.clouddriver.security;

import com.netflix.spinnaker.kork.annotations.NonnullByDefault;
import com.netflix.spinnaker.kork.secrets.EncryptedSecret;
import com.netflix.spinnaker.kork.secrets.SecretDecryptionException;
import com.netflix.spinnaker.kork.secrets.StandardSecretParameter;
import com.netflix.spinnaker.kork.secrets.user.UserSecret;
import com.netflix.spinnaker.kork.secrets.user.UserSecretManager;
import com.netflix.spinnaker.kork.secrets.user.UserSecretReference;
import java.util.Collections;
import java.util.Map;
import java.util.NoSuchElementException;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import lombok.Generated;

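/**
 * Resolves secrets for account definitions by delegating to a {@link UserSecretManager}, and
 * remembers which {@link UserSecretReference}s each account name has resolved so that account
 * access checks can also take the roles attached to those secrets into account.
 *
 * <p>The tracking map is in-memory and filled lazily by {@link #getUserSecretString}. Nothing in
 * this class removes entries, and an account whose secrets have not been resolved through this
 * instance has no tracked references, so the secret-role check passes for it.
 */
@NonnullByDefault
/* loaded from: input_file:com/netflix/spinnaker/clouddriver/security/AccountDefinitionSecretManager.class */
public class AccountDefinitionSecretManager {
    private final UserSecretManager userSecretManager;
    private final AccountSecurityPolicy policy;
    // Account name -> user secret references resolved on behalf of that account.
    private final Map<String, Set<UserSecretReference>> refsByAccountName = new ConcurrentHashMap<>();

    /**
     * Fetches the user secret for the given reference, records the reference against the account
     * name, and returns the secret string selected by the reference's key parameter.
     *
     * @param userSecretReference reference to the user secret to resolve
     * @param accountName name of the account the secret is being resolved for
     * @return the secret string for the reference's key parameter (the empty key when absent)
     * @throws SecretDecryptionException if the secret has no value for the requested key
     */
    public String getUserSecretString(UserSecretReference userSecretReference, String accountName) {
        // Fetch first: if the lookup throws, the reference is not recorded for the account.
        UserSecret userSecret = getUserSecret(userSecretReference);
        this.refsByAccountName
                .computeIfAbsent(accountName, ignored -> ConcurrentHashMap.newKeySet())
                .add(userSecretReference);
        String key = (String) userSecretReference.getParameters()
                .getOrDefault(StandardSecretParameter.KEY.getParameterName(), "");
        try {
            return userSecret.getSecretString(key);
        } catch (NoSuchElementException e) {
            // Report a missing key as a decryption failure, keeping the original cause.
            throw new SecretDecryptionException(e);
        }
    }

    /**
     * Decides whether a user may access an account, including the user secrets it has resolved.
     *
     * <p>Admins are allowed immediately; the secret-role check is not evaluated for them. Any
     * other user must share at least one role with every tracked secret of the account and must
     * also be allowed to use the account by the {@link AccountSecurityPolicy}.
     *
     * @param username user requesting access
     * @param accountName account being accessed
     * @return {@code true} if access is permitted
     */
    public boolean canAccessAccountWithSecrets(String username, String accountName) {
        if (this.policy.isAdmin(username)) {
            return true;
        }
        return !accountDefinitionUsesUnauthorizedUserSecrets(username, accountName)
                && this.policy.canUseAccount(username, accountName);
    }

    /**
     * Reports whether any secret tracked for the account shares no role with the user.
     *
     * <p>Each tracked reference is re-fetched through {@link #getUserSecret}; an exception from
     * that lookup is not caught here and propagates to the caller. A secret with no roles is
     * disjoint from every role set, so it counts as unauthorized for non-admin users. An account
     * with no tracked references yields {@code false}.
     */
    private boolean accountDefinitionUsesUnauthorizedUserSecrets(String username, String accountName) {
        Set<String> roles = this.policy.getRoles(username);
        return this.refsByAccountName.getOrDefault(accountName, Set.of()).stream()
                .map(this::getUserSecret)
                .anyMatch(userSecret -> Collections.disjoint(userSecret.getRoles(), roles));
    }

    /**
     * Creates a manager backed by the given secret manager and account security policy.
     *
     * @param userSecretManager delegate used for all secret lookups
     * @param accountSecurityPolicy policy consulted for admin status, roles and account access
     */
    @Generated
    public AccountDefinitionSecretManager(UserSecretManager userSecretManager, AccountSecurityPolicy accountSecurityPolicy) {
        this.userSecretManager = userSecretManager;
        this.policy = accountSecurityPolicy;
    }

    /**
     * Delegates to {@link UserSecretManager#getUserSecret}. The reference is not recorded against
     * any account and no access check is made in this class.
     */
    @Generated
    public UserSecret getUserSecret(UserSecretReference userSecretReference) {
        return this.userSecretManager.getUserSecret(userSecretReference);
    }

    /**
     * Delegates to {@link UserSecretManager#getExternalSecret}; nothing is tracked and no access
     * check is made in this class.
     */
    @Generated
    public byte[] getExternalSecret(EncryptedSecret encryptedSecret) {
        return this.userSecretManager.getExternalSecret(encryptedSecret);
    }

    /**
     * Delegates to {@link UserSecretManager#getExternalSecretString}; nothing is tracked and no
     * access check is made in this class.
     */
    @Generated
    public String getExternalSecretString(EncryptedSecret encryptedSecret) {
        return this.userSecretManager.getExternalSecretString(encryptedSecret);
    }
}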
