package com.netflix.spinnaker.fiat.controllers;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.netflix.spectator.api.Id;
import com.netflix.spectator.api.Registry;
import com.netflix.spinnaker.fiat.config.FiatServerConfigurationProperties;
import com.netflix.spinnaker.fiat.config.UnrestrictedResourceConfig;
import com.netflix.spinnaker.fiat.model.Authorization;
import com.netflix.spinnaker.fiat.model.UserPermission;
import com.netflix.spinnaker.fiat.model.resources.Account;
import com.netflix.spinnaker.fiat.model.resources.Application;
import com.netflix.spinnaker.fiat.model.resources.Resource;
import com.netflix.spinnaker.fiat.model.resources.ResourceType;
import com.netflix.spinnaker.fiat.model.resources.Role;
import com.netflix.spinnaker.fiat.model.resources.ServiceAccount;
import com.netflix.spinnaker.fiat.model.resources.Viewable;
import com.netflix.spinnaker.fiat.permissions.PermissionsRepository;
import com.netflix.spinnaker.fiat.permissions.PermissionsResolver;
import com.netflix.spinnaker.fiat.providers.ResourcePermissionProvider;
import com.netflix.spinnaker.kork.web.exceptions.InvalidRequestException;
import com.netflix.spinnaker.kork.web.exceptions.NotFoundException;
import com.netflix.spinnaker.security.AuthenticatedRequest;
import io.swagger.v3.oas.annotations.Operation;
import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.annotation.Nonnull;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

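/**
 * REST endpoints under {@code /authorize} that report what a given user id is permitted to do:
 * the full permission view, its accounts / applications / roles / service accounts, and two
 * yes-or-no checks ({@link #getUserAuthorization} and {@link #canCreate}).
 *
 * <p>Security-relevant behaviour visible in this class:
 *
 * <ul>
 *   <li>Every handler takes the user id from the URL path. Stored permissions for that id are
 *       returned without comparing the id to the authenticated caller; only the fallback branch
 *       of {@code getUserPermissionOrDefault} makes that comparison. Whatever limits who may call
 *       these endpoints is enforced outside this class (not visible here).
 *   <li>The yes-or-no checks answer with HTTP 200 for "allowed" and 404 for everything else,
 *       including unknown users and unknown resources, so a lookup failure is never reported as
 *       "allowed".
 *   <li>{@link #getAll} returns every stored user's permissions and is gated by a configuration
 *       flag.
 * </ul>
 *
 * <p>This listing is decompiler output. Path variables are bound by explicit name because the
 * recovered parameter names ({@code str}, {@code str2}, ...) do not match the names used in the
 * URL templates, and locals are typed explicitly where the decompiler's type inference failed.
 */
@RequestMapping({"/authorize"})
@RestController
/* loaded from: input_file:com/netflix/spinnaker/fiat/controllers/AuthorizeController.class */
public class AuthorizeController {
    private static final Logger log = LoggerFactory.getLogger(AuthorizeController.class);
    private final Registry registry;
    private final PermissionsRepository permissionsRepository;
    private final PermissionsResolver permissionsResolver;
    private final FiatServerConfigurationProperties configProps;
    private final ResourcePermissionProvider<Application> applicationResourcePermissionProvider;
    private final ObjectMapper objectMapper;
    private final List<Resource> resources;
    // Metric id for permission lookups; tagged per call with "success" and "fallback".
    private final Id getUserPermissionCounterId;

    /**
     * Stores the injected collaborators and creates the {@code fiat.getUserPermission} metric id.
     */
    @Autowired
    public AuthorizeController(Registry registry, PermissionsRepository permissionsRepository, PermissionsResolver permissionsResolver, FiatServerConfigurationProperties fiatServerConfigurationProperties, ResourcePermissionProvider<Application> resourcePermissionProvider, List<Resource> list, ObjectMapper objectMapper) {
        this.registry = registry;
        this.permissionsRepository = permissionsRepository;
        this.permissionsResolver = permissionsResolver;
        this.configProps = fiatServerConfigurationProperties;
        this.applicationResourcePermissionProvider = resourcePermissionProvider;
        this.resources = list;
        this.objectMapper = objectMapper;
        this.getUserPermissionCounterId = registry.createId("fiat.getUserPermission");
    }

    /**
     * Returns the permission view of every user id held by the repository.
     *
     * <p>The endpoint answers 405 and returns {@code null} unless
     * {@code configProps.isGetAllEnabled()} is true. When enabled it discloses the complete
     * permission set of all stored users in one response.
     *
     * @param httpServletResponse used to send the 405 when the endpoint is disabled
     * @return the views of all users that the repository can still resolve, or {@code null} when
     *     the endpoint is disabled
     * @throws IOException if sending the error response fails
     */
    @RequestMapping(method = {RequestMethod.GET})
    @Operation(summary = "Used mostly for testing. Not really any real value to the rest of the system. Disabled by default.")
    public Set<UserPermission.View> getAll(HttpServletResponse httpServletResponse) throws IOException {
        if (!this.configProps.isGetAllEnabled()) {
            httpServletResponse.sendError(405, "/authorize is disabled");
            return null;
        }
        log.debug("UserPermissions requested for all users");
        // Ids whose lookup comes back empty are skipped rather than failing the whole request.
        return this.permissionsRepository.getAllById().keySet().stream()
                .map(this.permissionsRepository::get)
                .filter(Optional::isPresent)
                .map(Optional::get)
                .map(UserPermission::getView)
                .map(view -> view.setAllowAccessToUnknownApplications(this.configProps.isAllowAccessToUnknownApplications()))
                .collect(Collectors.toSet());
    }

    /**
     * Returns the full permission view for the user id in the path.
     *
     * @param str the {@code userId} path variable
     * @throws NotFoundException if no permission (stored or fallback) exists for the id
     */
    @RequestMapping(value = {"/{userId:.+}"}, method = {RequestMethod.GET})
    public UserPermission.View getUserPermission(@PathVariable("userId") String str) {
        return getUserPermissionView(str);
    }

    /**
     * Returns a copy of the account views the user may see.
     *
     * @param str the {@code userId} path variable
     * @throws NotFoundException if no permission exists for the id
     */
    @RequestMapping(value = {"/{userId:.+}/accounts"}, method = {RequestMethod.GET})
    public Set<Account.View> getUserAccounts(@PathVariable("userId") String str) {
        return new HashSet<>(getUserPermissionView(str).getAccounts());
    }

    /**
     * Returns a copy of the role views held by the user.
     *
     * @param str the {@code userId} path variable
     * @throws NotFoundException if no permission exists for the id
     */
    @RequestMapping(value = {"/{userId:.+}/roles"}, method = {RequestMethod.GET})
    public Set<Role.View> getUserRoles(@PathVariable("userId") String str) {
        return new HashSet<>(getUserPermissionView(str).getRoles());
    }

    /**
     * Returns the view of one account, matched by name without regard to case.
     *
     * @param str the {@code userId} path variable
     * @param str2 the {@code accountName} path variable
     * @throws NotFoundException if the user has no permission record or no account of that name
     */
    @RequestMapping(value = {"/{userId:.+}/accounts/{accountName:.+}"}, method = {RequestMethod.GET})
    public Account.View getUserAccount(@PathVariable("userId") String str, @PathVariable("accountName") String str2) {
        // NOTE(review): a missing account is reported with the "user not found" message, so the
        // response text does not tell an unknown user apart from an unknown account.
        return getUserPermissionView(str).getAccounts().stream()
                .filter(view -> str2.equalsIgnoreCase(view.getName()))
                .findFirst()
                .orElseThrow(userNotFound(str));
    }

    /**
     * Returns a copy of the application views the user may see.
     *
     * @param str the {@code userId} path variable
     * @throws NotFoundException if no permission exists for the id
     */
    @RequestMapping(value = {"/{userId:.+}/applications"}, method = {RequestMethod.GET})
    public Set<Application.View> getUserApplications(@PathVariable("userId") String str) {
        return new HashSet<>(getUserPermissionView(str).getApplications());
    }

    /**
     * Returns the view of one application, matched by name without regard to case.
     *
     * @param str the {@code userId} path variable
     * @param str2 the {@code applicationName} path variable
     * @throws NotFoundException if the user has no permission record or no application of that
     *     name
     */
    @RequestMapping(value = {"/{userId:.+}/applications/{applicationName:.+}"}, method = {RequestMethod.GET})
    public Application.View getUserApplication(@PathVariable("userId") String str, @PathVariable("applicationName") String str2) {
        // NOTE(review): same as getUserAccount, the message names the user even when only the
        // application is missing.
        return getUserPermissionView(str).getApplications().stream()
                .filter(view -> str2.equalsIgnoreCase(view.getName()))
                .findFirst()
                .orElseThrow(userNotFound(str));
    }

    /**
     * Returns the service accounts visible to the user, optionally expanded to the full
     * permission view of each service account.
     *
     * <p>Expansion performs one permission lookup per service account, so it is refused once the
     * count exceeds {@code configProps.getMaxExpandedServiceAccounts()}.
     *
     * @param str the {@code userId} path variable
     * @param z the {@code expand} request parameter (default {@code false})
     * @return service account views, or one user permission view per service account when
     *     expanded
     * @throws InvalidRequestException if expansion is requested for more service accounts than
     *     the configured maximum
     * @throws NotFoundException if the user, or (when expanding) any of its service accounts, has
     *     no permission record
     */
    @RequestMapping(value = {"/{userId:.+}/serviceAccounts"}, method = {RequestMethod.GET})
    public Set<? extends Viewable.BaseView> getServiceAccounts(@PathVariable("userId") String str, @RequestParam(name = "expand", defaultValue = "false") boolean z) {
        Set<ServiceAccount.View> serviceAccounts = getUserPermissionView(str).getServiceAccounts();
        if (!z) {
            return serviceAccounts;
        }
        int maxExpanded = this.configProps.getMaxExpandedServiceAccounts();
        if (serviceAccounts.size() > maxExpanded) {
            throw new InvalidRequestException(String.format("Unable to expand service accounts for user %s. User has %s service accounts. Maximum expandable service accounts is %s.", str, Integer.valueOf(serviceAccounts.size()), Integer.valueOf(maxExpanded)));
        }
        return serviceAccounts.stream()
                .map(ServiceAccount.View::getName)
                .map(this::getUserPermissionView)
                .collect(Collectors.toSet());
    }

    /**
     * Returns the view of one service account of the user, matched by name without regard to
     * case after the requested name has passed through {@code ControllerSupport.convert}.
     *
     * @param str the {@code userId} path variable
     * @param str2 the {@code serviceAccountName} path variable
     * @throws NotFoundException if the user has no permission record or no such service account
     */
    @RequestMapping(value = {"/{userId:.+}/serviceAccounts/{serviceAccountName:.+}"}, method = {RequestMethod.GET})
    public ServiceAccount.View getServiceAccount(@PathVariable("userId") String str, @PathVariable("serviceAccountName") String str2) {
        // Unlike the other handlers this one does not apply allowAccessToUnknownApplications to
        // the view; only the service account list is read from it.
        return getUserPermissionOrDefault(str).orElseThrow(userNotFound(str)).getView().getServiceAccounts().stream()
                .filter(view -> view.getName().equalsIgnoreCase(ControllerSupport.convert(str2)))
                .findFirst()
                .orElseThrow(serviceAccountNotFound(str, str2));
    }

    /**
     * Answers whether the user holds one authorization on one account or application.
     *
     * <p>The answer is carried by the status code only: 200 when the authorization is held, 404
     * when it is not or when the user or resource is unknown, 400 when the resource type is
     * neither ACCOUNT nor APPLICATION.
     *
     * @param str the {@code userId} path variable
     * @param str2 the {@code resourceType} path variable
     * @param str3 the {@code resourceName} path variable
     * @param str4 the {@code authorization} path variable, matched case-insensitively against the
     *     {@link Authorization} constant names
     * @param httpServletResponse receives the status code
     * @throws IOException if sending the 400 response fails
     * @throws IllegalArgumentException presumably when {@code str4} names no {@link Authorization}
     *     constant, as {@code valueOf} does for enums; how that is mapped to an HTTP status is
     *     decided outside this class
     */
    @RequestMapping(value = {"/{userId:.+}/{resourceType:.+}/{resourceName:.+}/{authorization:.+}"}, method = {RequestMethod.GET})
    public void getUserAuthorization(@PathVariable("userId") String str, @PathVariable("resourceType") String str2, @PathVariable("resourceName") String str3, @PathVariable("authorization") String str4, HttpServletResponse httpServletResponse) throws IOException {
        // Locale.ROOT keeps the constant lookup independent of the JVM default locale; with a
        // Turkish default, for example, "write" would otherwise upper-case to a string that
        // matches no constant and every such check would fail.
        Authorization requested = Authorization.valueOf(str4.toUpperCase(java.util.Locale.ROOT));
        ResourceType resourceType = ResourceType.parse(str2);
        // Starts empty so that any lookup failure below ends in 404.
        Set<Authorization> granted = new HashSet<>(0);
        try {
            if (resourceType.equals(ResourceType.ACCOUNT)) {
                granted = getUserAccount(str, str3).getAuthorizations();
            } else {
                if (!resourceType.equals(ResourceType.APPLICATION)) {
                    // The caller-supplied path segment is echoed into the error message; whether
                    // it is escaped depends on how the container renders error responses (not
                    // visible here).
                    httpServletResponse.sendError(400, "Resource type " + str2 + " does not contain authorizations");
                    return;
                }
                granted = getUserApplication(str, str3).getAuthorizations();
            }
        } catch (NotFoundException ignored) {
            // Deliberate: an unknown user or resource leaves the set empty and is answered with
            // the same 404 as a missing authorization.
        }
        if (granted.contains(requested)) {
            httpServletResponse.setStatus(200);
        } else {
            httpServletResponse.setStatus(404);
        }
    }

    /**
     * Answers whether the user may create the resource described by the request body. Only the
     * APPLICATION resource type is supported.
     *
     * <p>When {@code configProps.isRestrictApplicationCreation()} is false the answer is 200 for
     * every caller and the user is not looked up at all. Otherwise the answer is 200 if the user
     * is an admin or if the permissions computed for the application grant CREATE to one of the
     * user's roles, and 404 if not.
     *
     * @param str the {@code userId} path variable
     * @param str2 the {@code resourceType} path variable
     * @param obj the untyped request body describing the resource
     * @param httpServletResponse receives the status code
     * @throws IOException if sending the 400 response fails
     * @throws NotFoundException if creation is restricted and the user has no permission record
     * @throws IllegalArgumentException if no registered resource has the requested type
     */
    @RequestMapping(value = {"/{userId:.+}/{resourceType:.+}/create"}, method = {RequestMethod.POST})
    public void canCreate(@PathVariable("userId") String str, @PathVariable("resourceType") String str2, @Nonnull @RequestBody Object obj, HttpServletResponse httpServletResponse) throws IOException {
        ResourceType resourceType = ResourceType.parse(str2);
        if (!resourceType.equals(ResourceType.APPLICATION)) {
            // As in getUserAuthorization, the path segment is echoed into the error message.
            httpServletResponse.sendError(400, "Resource type " + str2 + " does not support creation");
            return;
        }
        if (!this.configProps.isRestrictApplicationCreation()) {
            httpServletResponse.setStatus(200);
            return;
        }
        UserPermission.View userPermissionView = getUserPermissionView(str);
        List<String> roleNames = userPermissionView.getRoles().stream()
                .map(Role.View::getName)
                .collect(Collectors.toList());
        // The target class for the body comes from the server-side list of registered resources,
        // selected by resource type; the request body does not choose the class.
        Resource resource = this.objectMapper.convertValue(obj, this.resources.stream()
                .filter(candidate -> candidate.getResourceType().equals(resourceType))
                .findFirst()
                .orElseThrow(IllegalArgumentException::new)
                .getClass());
        // The cast sits after the admin check, so an admin request is answered without it.
        if (userPermissionView.isAdmin() || this.applicationResourcePermissionProvider.getPermissions((Application) resource).getAuthorizations(roleNames).contains(Authorization.CREATE)) {
            httpServletResponse.setStatus(200);
        } else {
            httpServletResponse.setStatus(404);
        }
    }

    /**
     * Looks up the stored permission for {@code str} and, when none is stored, optionally builds
     * a fallback permission.
     *
     * <p>A fallback is considered only when the requested id equals (ignoring case) the user
     * reported by {@code AuthenticatedRequest.getSpinnakerUser()} and at least one of
     * {@code allowPermissionResolverFallback} / {@code defaultToUnrestrictedUser} is enabled, so
     * a caller cannot obtain fallback permissions for an id other than its own. The two fallback
     * sources, in order:
     *
     * <ol>
     *   <li>permissions resolved by {@code permissionsResolver}, used only if they contain at
     *       least one non-null resource, with the unrestricted user's permissions merged in;
     *   <li>a new permission carrying the caller's id merged with the unrestricted user's
     *       permissions.
     * </ol>
     *
     * <p>Nothing is written back to the repository by this method. Each call increments the
     * {@code fiat.getUserPermission} counter tagged with whether it succeeded and whether the
     * stored lookup missed.
     *
     * @param str the requested user id as received from the path
     * @return the stored or fallback permission, or empty when neither is available
     */
    private Optional<UserPermission> getUserPermissionOrDefault(String str) {
        String authenticatedUserId = AuthenticatedRequest.getSpinnakerUser().orElse(null);
        UserPermission userPermission = this.permissionsRepository.get(ControllerSupport.convert(str)).orElse(null);
        if (userPermission != null) {
            this.registry.counter(this.getUserPermissionCounterId.withTag("success", true).withTag("fallback", false)).increment();
            return Optional.of(userPermission);
        }
        // NOTE(review): the identity comparison uses the raw path value while the repository
        // lookup above uses ControllerSupport.convert(str); what convert changes is not visible
        // here, so confirm the two cannot disagree.
        boolean fallbackEnabled = this.configProps.isAllowPermissionResolverFallback() || this.configProps.isDefaultToUnrestrictedUser();
        if (str.equalsIgnoreCase(authenticatedUserId) && fallbackEnabled) {
            Optional<UserPermission> unrestricted = this.permissionsRepository.get(UnrestrictedResourceConfig.UNRESTRICTED_USERNAME);
            if (!unrestricted.isPresent()) {
                log.error("Error resolving fallback permissions: lookup of unrestricted user failed. Access to anonymous resources will fail");
            }
            if (this.configProps.isAllowPermissionResolverFallback()) {
                UserPermission resolved = this.permissionsResolver.resolve(ControllerSupport.convert(authenticatedUserId));
                // A resolution without any non-null resource is treated as "nothing resolved".
                if (resolved.getAllResources().stream().anyMatch(Objects::nonNull)) {
                    log.debug("Resolved fallback permissions for user {}", authenticatedUserId);
                    userPermission = resolved;
                    unrestricted.ifPresent(resolved::merge);
                }
            }
            if (userPermission == null && this.configProps.isDefaultToUnrestrictedUser() && unrestricted.isPresent()) {
                log.debug("Falling back to unrestricted user permissions for user {}", authenticatedUserId);
                userPermission = new UserPermission().setId(authenticatedUserId).merge(unrestricted.get());
            }
            Object accounts = userPermission != null ? userPermission.getAccounts() : Collections.emptyList();
            Object roleNames = userPermission != null
                    ? userPermission.getRoles().stream().map(role -> role.getName()).collect(Collectors.toList())
                    : Collections.emptyList();
            // The user id in these debug lines comes from the request path; how control
            // characters in it are rendered depends on the logging configuration.
            log.debug("Returning fallback permissions (user: {}, accounts: {}, roles: {})", str, accounts, roleNames);
        } else {
            log.debug("Not populating fallback. userId: {}, authenticatedUserId: {}, allowPermissionResolverFallback: {}, defaultToUnrestrictedUser: {}", str, authenticatedUserId, Boolean.valueOf(this.configProps.isAllowPermissionResolverFallback()), Boolean.valueOf(this.configProps.isDefaultToUnrestrictedUser()));
        }
        this.registry.counter(this.getUserPermissionCounterId.withTag("success", userPermission != null).withTag("fallback", true)).increment();
        return Optional.ofNullable(userPermission);
    }

    /**
     * Returns the user's permission view with {@code allowAccessToUnknownApplications} set from
     * configuration.
     *
     * @throws NotFoundException if neither a stored nor a fallback permission exists
     */
    private UserPermission.View getUserPermissionView(String str) {
        return getUserPermissionOrDefault(str).orElseThrow(userNotFound(str)).getView().setAllowAccessToUnknownApplications(this.configProps.isAllowAccessToUnknownApplications());
    }

    /** Supplies the "user not found" exception; the message includes the requested id. */
    private Supplier<NotFoundException> userNotFound(String str) {
        return () -> new NotFoundException(String.format("user not found: %s", str));
    }

    /** Supplies the "service account not found" exception for the given user and account name. */
    private Supplier<NotFoundException> serviceAccountNotFound(String str, String str2) {
        return () -> new NotFoundException(String.format("service account not found: %s, for user: %s", str2, str));
    }
}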
