package com.netflix.spinnaker.clouddriver.deploy;

import com.netflix.spectator.api.Id;
import com.netflix.spectator.api.Registry;
import com.netflix.spinnaker.clouddriver.security.AccountDefinitionSecretManager;
import com.netflix.spinnaker.clouddriver.security.config.SecurityConfig;
import com.netflix.spinnaker.clouddriver.security.resources.AccountNameable;
import com.netflix.spinnaker.clouddriver.security.resources.ApplicationNameable;
import com.netflix.spinnaker.clouddriver.security.resources.ResourcesNameable;
import com.netflix.spinnaker.fiat.model.resources.ResourceType;
import com.netflix.spinnaker.fiat.shared.FiatPermissionEvaluator;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Collectors;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.validation.Errors;

/* loaded from: input_file:com/netflix/spinnaker/clouddriver/deploy/DescriptionAuthorizerService.class */
/**
 * Validation-time authorization gate for clouddriver operation descriptions.
 *
 * <p>Given a description object, the service derives the account and the application(s) the
 * operation touches (via the {@code AccountNameable}, {@code ApplicationNameable} and
 * {@code ResourcesNameable} marker interfaces) and checks the caller found in the current Spring
 * Security context against them: account access through
 * {@link AccountDefinitionSecretManager#canAccessAccountWithSecrets}, application access through
 * {@link FiatPermissionEvaluator#hasPermission} with resource type {@code "APPLICATION"} and
 * authorization {@code "WRITE"}. Denials are reported through the supplied {@link Errors} rather
 * than by throwing; the caller decides how a rejected description surfaces.
 *
 * <p>Points a security reviewer should be aware of:
 * <ul>
 *   <li>If no {@link FiatPermissionEvaluator} was supplied, {@link #authorize} returns without
 *       checking anything. This is a deliberate fail-open path for deployments without Fiat, and
 *       nothing is logged or counted when it is taken.
 *   <li>An {@code AccountNameable} whose {@code requiresAuthorization(...)} returns {@code false}
 *       skips the account check entirely (counted as {@code authorization.skipped}).
 *   <li>An operation that requires an application restriction but names no application is only
 *       logged and counted ({@code authorization.missingApplication}); it is not denied.
 *   <li>Only {@link ResourceType#ACCOUNT} and {@link ResourceType#APPLICATION} are evaluated;
 *       any other resource type passed in is ignored.
 *   <li>The account check dereferences the {@link Authentication} from the security context
 *       without a null check, so an authentication filter is assumed to always populate it
 *       (NOTE(review): confirm against the filter chain).
 * </ul>
 */
public class DescriptionAuthorizerService {
    private final Logger log = LoggerFactory.getLogger(getClass());
    private final Registry registry;
    /** {@code null} when Fiat is not wired in; authorization is then skipped altogether. */
    private final FiatPermissionEvaluator fiatPermissionEvaluator;
    private final SecurityConfig.OperationsSecurityConfigurationProperties opsSecurityConfigProps;
    private final AccountDefinitionSecretManager secretManager;
    /** Counter id: account-level authorization was skipped because the account does not require it. */
    private final Id skipAuthorizationId;
    /** Counter id: an account-restricted operation arrived without any application. */
    private final Id missingApplicationId;
    /** Counter id: outcome of every evaluated authorization, tagged with {@code success}. */
    private final Id authorizationId;

    /**
     * Creates the service.
     *
     * @param registry metrics registry used for the three authorization counters
     * @param optional the Fiat evaluator; when empty, {@link #authorize} becomes a no-op
     * @param operationsSecurityConfigurationProperties per-operation security settings consulted by
     *     {@code AccountNameable#requiresAuthorization}
     * @param accountDefinitionSecretManager decides whether a user may use an account together
     *     with its secrets
     */
    public DescriptionAuthorizerService(Registry registry, Optional<FiatPermissionEvaluator> optional, SecurityConfig.OperationsSecurityConfigurationProperties operationsSecurityConfigurationProperties, AccountDefinitionSecretManager accountDefinitionSecretManager) {
        this.registry = registry;
        this.fiatPermissionEvaluator = optional.orElse(null);
        this.opsSecurityConfigProps = operationsSecurityConfigurationProperties;
        this.secretManager = accountDefinitionSecretManager;
        this.skipAuthorizationId = registry.createId("authorization.skipped");
        this.missingApplicationId = registry.createId("authorization.missingApplication");
        this.authorizationId = registry.createId("authorization");
    }

    /**
     * Authorizes {@code obj} for both account and application access.
     *
     * @param obj the operation description; {@code null} is ignored
     * @param errors receives one rejection per denied account or application
     */
    public void authorize(Object obj, Errors errors) {
        authorize(obj, errors, List.of(ResourceType.ACCOUNT, ResourceType.APPLICATION));
    }

    /**
     * Authorizes {@code obj} for the given resource types, recording the outcome in {@code errors}
     * and in the registry.
     *
     * @param obj the operation description; {@code null} is ignored
     * @param errors receives {@code authorization.account} / {@code authorization.application}
     *     rejections for each denied resource
     * @param collection which of ACCOUNT and APPLICATION to evaluate; other types are ignored
     */
    public void authorize(Object obj, Errors errors, Collection<ResourceType> collection) {
        if (this.fiatPermissionEvaluator == null || obj == null) {
            // Fail-open by design: without an evaluator there is no Fiat to ask.
            return;
        }
        // May be null if nothing upstream authenticated the request; see the class Javadoc.
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        String descriptionType = obj.getClass().getSimpleName();

        boolean requiresApplicationRestriction = true;
        String account = null;
        if (obj instanceof AccountNameable) {
            AccountNameable named = (AccountNameable) obj;
            requiresApplicationRestriction = named.requiresApplicationRestriction();
            if (!named.requiresAuthorization(this.opsSecurityConfigProps)) {
                // Leaving `account` null disables the account check below.
                this.registry.counter(this.skipAuthorizationId.withTag("descriptionClass", descriptionType)).increment();
                this.log.info("Skipping authorization for operation `{}` in account `{}`.", descriptionType, named.getAccount());
            } else {
                account = named.getAccount();
            }
        }
        List<String> applications = collectApplications(obj);

        boolean permitted = true;
        boolean accountCheckRequested = collection.contains(ResourceType.ACCOUNT) && account != null;
        if (accountCheckRequested && !this.secretManager.canAccessAccountWithSecrets(authentication.getName(), account)) {
            permitted = false;
            errors.reject("authorization.account", String.format("Access denied to account %s", account));
        }

        if (collection.contains(ResourceType.APPLICATION) && !applications.isEmpty()) {
            // NOTE(review): presumably primes the caller's full permission set before the loop;
            // confirm in FiatPermissionEvaluator.
            this.fiatPermissionEvaluator.storeWholePermission();
            for (String application : applications) {
                // Every denied application is reported, not just the first one.
                if (this.fiatPermissionEvaluator.hasPermission(authentication, application, "APPLICATION", "WRITE")) {
                    continue;
                }
                permitted = false;
                errors.reject("authorization.application", String.format("Access denied to application %s", application));
            }
        }

        if (requiresApplicationRestriction && account != null && applications.isEmpty()) {
            // Audit only: the operation is NOT denied for lacking an application.
            this.registry.counter(this.missingApplicationId.withTag("descriptionClass", descriptionType).withTag("hasValidationErrors", errors.hasErrors())).increment();
            this.log.warn("No application(s) specified for operation with account restriction (type: {}, account: {}, hasValidationErrors: {})", descriptionType, account, errors.hasErrors());
        }

        this.registry.counter(this.authorizationId.withTag("descriptionClass", descriptionType).withTag("success", permitted)).increment();
    }

    /** Gathers the non-null application names a description exposes through its marker interfaces. */
    private static List<String> collectApplications(Object obj) {
        List<String> applications = new ArrayList<>();
        if (obj instanceof ApplicationNameable) {
            applications.addAll(withoutNulls(((ApplicationNameable) obj).getApplications()));
        }
        if (obj instanceof ResourcesNameable) {
            applications.addAll(withoutNulls(((ResourcesNameable) obj).getResourceApplications()));
        }
        return applications;
    }

    /** Treats a {@code null} collection as empty and drops {@code null} elements. */
    private static List<String> withoutNulls(Collection<String> values) {
        return Optional.ofNullable(values)
                .orElse(Collections.emptyList())
                .stream()
                .filter(Objects::nonNull)
                .collect(Collectors.toList());
    }
}
