package org.duracloud.durastore.aop;

import com.fasterxml.jackson.databind.ObjectMapper;
import java.lang.reflect.Method;
import java.util.Map;
import org.duracloud.error.UnauthorizedException;
import org.duracloud.security.util.AuthorizationHelper;
import org.duracloud.snapshot.id.SnapshotIdentifier;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.aop.MethodBeforeAdvice;
import org.springframework.core.Ordered;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/* loaded from: input_file:org/duracloud/durastore/aop/SnapshotAccessAdvice.class */
public class SnapshotAccessAdvice implements MethodBeforeAdvice, Ordered {
    private Logger log = LoggerFactory.getLogger(SnapshotAccessAdvice.class);
    private int order = 0;
    private AuthorizationHelper authHelper;

    public SnapshotAccessAdvice(AuthorizationHelper authorizationHelper) {
        this.authHelper = authorizationHelper;
    }

    public void setOrder(int i) {
        this.order = i;
    }

    public int getOrder() {
        return this.order;
    }

    public void before(Method method, Object[] objArr, Object obj) throws Throwable {
        if (((String) objArr[0]).matches("get-snapshot[^s]?(-.+)?")) {
            Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
            if (this.authHelper.hasAdmin(authentication)) {
                return;
            }
            String asText = new ObjectMapper().getJsonFactory().createJsonParser((String) objArr[1]).readValueAsTree().get("snapshotId").asText();
            SnapshotIdentifier parseSnapshotId = SnapshotIdentifier.parseSnapshotId(asText);
            String spaceId = parseSnapshotId.getSpaceId();
            Map spaceACLs = this.authHelper.getSpaceACLs(parseSnapshotId.getStoreId(), spaceId);
            if (this.authHelper.hasReadAccess(authentication.getName(), spaceACLs) || this.authHelper.groupsHaveReadAccess(authentication, spaceACLs)) {
                this.log.debug("successfully authorized {} to view {}", authentication.getName(), asText);
            } else {
                this.log.error(authentication.getName() + " is not authorized to view " + asText);
                throw new UnauthorizedException("You are not authorized to access snapshot " + asText + ".");
            }
        }
    }
}
