package com.netflix.spinnaker.clouddriver.security;

import com.netflix.spinnaker.clouddriver.security.AccountDefinitionRepository;
import com.netflix.spinnaker.credentials.definition.CredentialsDefinition;
import com.netflix.spinnaker.kork.annotations.Beta;
import com.netflix.spinnaker.kork.annotations.NonnullByDefault;
import com.netflix.spinnaker.kork.annotations.VisibleForTesting;
import com.netflix.spinnaker.kork.secrets.SecretException;
import com.netflix.spinnaker.kork.secrets.user.UserSecretReference;
import com.netflix.spinnaker.kork.web.exceptions.InvalidRequestException;
import com.netflix.spinnaker.security.AuthenticatedRequest;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import javax.annotation.Nullable;
import lombok.Generated;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.util.ReflectionUtils;

@NonnullByDefault
@Beta
/* loaded from: input_file:com/netflix/spinnaker/clouddriver/security/AccountDefinitionService.class */
public class AccountDefinitionService {
    private final AccountDefinitionRepository repository;
    private final AccountDefinitionSecretManager secretManager;
    private final AccountCredentialsProvider accountCredentialsProvider;
    private final AccountSecurityPolicy policy;
    private final List<AuthorizedRolesExtractor> extractors;

    /* JADX INFO: Access modifiers changed from: package-private */
    @VisibleForTesting
    /* loaded from: input_file:com/netflix/spinnaker/clouddriver/security/AccountDefinitionService$AccountAction.class */
    public enum AccountAction {
        CREATE,
        UPDATE,
        SAVE
    }

    @PostFilter("@accountDefinitionSecretManager.canAccessAccountWithSecrets(authentication.name, filterObject.name)")
    @PreAuthorize("@accountSecurity.isAccountManager(authentication.name)")
    public List<? extends CredentialsDefinition> listAccountDefinitionsByType(String str, int i, @Nullable String str2) {
        return this.repository.listByType(str, i, str2);
    }

    @PreAuthorize("@accountSecurity.isAccountManager(authentication.name)")
    public CredentialsDefinition createAccount(CredentialsDefinition credentialsDefinition) {
        String name = credentialsDefinition.getName();
        String str = (String) AuthenticatedRequest.getSpinnakerUser().orElse("anonymous");
        if (this.accountCredentialsProvider.getCredentials(name) != null) {
            throw new InvalidRequestException(String.format("Cannot create an account which already exists (name: %s)", name));
        }
        validateAccountWritePermissions(str, credentialsDefinition, AccountAction.CREATE);
        this.repository.create(credentialsDefinition);
        return credentialsDefinition;
    }

    @PreAuthorize("@accountSecurity.isAccountManager(authentication.name)")
    public CredentialsDefinition saveAccount(CredentialsDefinition credentialsDefinition) {
        String name = credentialsDefinition.getName();
        String str = (String) AuthenticatedRequest.getSpinnakerUser().orElse("anonymous");
        if (this.accountCredentialsProvider.getCredentials(name) != null && !this.policy.canModifyAccount(str, name)) {
            throw new AccessDeniedException(String.format("Unauthorized to overwrite existing account (name: %s)", name));
        }
        validateAccountWritePermissions(str, credentialsDefinition, AccountAction.SAVE);
        this.repository.save(credentialsDefinition);
        return credentialsDefinition;
    }

    @PreAuthorize("@accountSecurity.canModifyAccount(authentication.name, #definition.name)")
    public CredentialsDefinition updateAccount(CredentialsDefinition credentialsDefinition) {
        String name = credentialsDefinition.getName();
        if (this.accountCredentialsProvider.getCredentials(name) == null) {
            throw new InvalidRequestException(String.format("Cannot update an account which does not exist (name: %s)", name));
        }
        validateAccountWritePermissions((String) AuthenticatedRequest.getSpinnakerUser().orElse("anonymous"), credentialsDefinition, AccountAction.UPDATE);
        this.repository.update(credentialsDefinition);
        return credentialsDefinition;
    }

    @PreAuthorize("@accountSecurity.canModifyAccount(authentication.name, #accountName)")
    public void deleteAccount(String str) {
        this.repository.delete(str);
    }

    @PreAuthorize("@accountSecurity.canModifyAccount(authentication.name, #accountName)")
    public List<AccountDefinitionRepository.Revision> getAccountHistory(String str) {
        return this.repository.revisionHistory(str);
    }

    private void validateAccountWritePermissions(String str, CredentialsDefinition credentialsDefinition, AccountAction accountAction) {
        if (this.policy.isAdmin(str)) {
            return;
        }
        Set<String> roles = this.policy.getRoles(str);
        validateAccountAuthorization(roles, credentialsDefinition, accountAction);
        validateUserSecretAuthorization(roles, credentialsDefinition, accountAction);
    }

    @VisibleForTesting
    void validateAccountAuthorization(Set<String> set, CredentialsDefinition credentialsDefinition, AccountAction accountAction) {
        String name = credentialsDefinition.getName();
        Class<?> cls = credentialsDefinition.getClass();
        Set set2 = (Set) this.extractors.stream().filter(authorizedRolesExtractor -> {
            return authorizedRolesExtractor.supportsType(cls);
        }).flatMap(authorizedRolesExtractor2 -> {
            return authorizedRolesExtractor2.getAuthorizedRoles(credentialsDefinition).stream();
        }).collect(Collectors.toSet());
        if (!set2.isEmpty() && Collections.disjoint(set, set2)) {
            throw new InvalidRequestException(String.format("Cannot %s account without granting permissions for current user (name: %s)", accountAction.name().toLowerCase(Locale.ROOT), name));
        }
    }

    @VisibleForTesting
    void validateUserSecretAuthorization(Set<String> set, CredentialsDefinition credentialsDefinition, AccountAction accountAction) {
        Class<?> cls = credentialsDefinition.getClass();
        HashSet<UserSecretReference> hashSet = new HashSet();
        ReflectionUtils.doWithFields(cls, field -> {
            field.setAccessible(true);
            Optional tryParse = UserSecretReference.tryParse(field.get(credentialsDefinition));
            Objects.requireNonNull(hashSet);
            tryParse.ifPresent((v1) -> {
                r1.add(v1);
            });
        }, field2 -> {
            return field2.getType() == String.class;
        });
        for (UserSecretReference userSecretReference : hashSet) {
            try {
                if (Collections.disjoint(set, Set.copyOf(this.secretManager.getUserSecret(userSecretReference).getRoles()))) {
                    throw new AccessDeniedException(String.format("Unauthorized to %s account with user secret %s", accountAction.name().toLowerCase(Locale.ROOT), userSecretReference));
                }
            } catch (SecretException e) {
                throw new InvalidRequestException(e);
            }
        }
    }

    @Generated
    public AccountDefinitionService(AccountDefinitionRepository accountDefinitionRepository, AccountDefinitionSecretManager accountDefinitionSecretManager, AccountCredentialsProvider accountCredentialsProvider, AccountSecurityPolicy accountSecurityPolicy, List<AuthorizedRolesExtractor> list) {
        this.repository = accountDefinitionRepository;
        this.secretManager = accountDefinitionSecretManager;
        this.accountCredentialsProvider = accountCredentialsProvider;
        this.policy = accountSecurityPolicy;
        this.extractors = list;
    }
}
