package org.infinispan.rest.resources;

import io.netty.handler.codec.http.HttpResponseStatus;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import java.util.stream.Collectors;
import javax.security.auth.Subject;
import org.infinispan.commons.dataconversion.internal.Json;
import org.infinispan.configuration.global.GlobalAuthorizationConfiguration;
import org.infinispan.configuration.global.GlobalConfiguration;
import org.infinispan.rest.InvocationHelper;
import org.infinispan.rest.NettyRestResponse;
import org.infinispan.rest.cachemanager.RestCacheManager;
import org.infinispan.rest.framework.Method;
import org.infinispan.rest.framework.ResourceHandler;
import org.infinispan.rest.framework.RestRequest;
import org.infinispan.rest.framework.RestResponse;
import org.infinispan.rest.framework.impl.Invocations;
import org.infinispan.rest.logging.Log;
import org.infinispan.security.AuditContext;
import org.infinispan.security.AuthorizationPermission;
import org.infinispan.security.GlobalSecurityManager;
import org.infinispan.security.MutablePrincipalRoleMapper;
import org.infinispan.security.MutableRolePermissionMapper;
import org.infinispan.security.Role;
import org.infinispan.security.actions.SecurityActions;
import org.infinispan.security.impl.Authorizer;
import org.infinispan.security.impl.CacheRoleImpl;
import org.infinispan.security.impl.SubjectACL;

/* loaded from: input_file:org/infinispan/rest/resources/SecurityResource.class */
public class SecurityResource implements ResourceHandler {
    private final InvocationHelper invocationHelper;
    private final String accessGrantedPath;
    private final String accessDeniedPath;
    private final MutablePrincipalRoleMapper principalRoleMapper;
    private final MutableRolePermissionMapper rolePermissionMapper;

    public SecurityResource(InvocationHelper invocationHelper, String str, String str2) {
        this.invocationHelper = invocationHelper;
        this.accessGrantedPath = str;
        this.accessDeniedPath = str2;
        GlobalConfiguration cacheManagerConfiguration = SecurityActions.getCacheManagerConfiguration(invocationHelper.getRestCacheManager().getInstance());
        MutablePrincipalRoleMapper principalRoleMapper = cacheManagerConfiguration.security().authorization().principalRoleMapper();
        this.principalRoleMapper = principalRoleMapper instanceof MutablePrincipalRoleMapper ? principalRoleMapper : null;
        MutableRolePermissionMapper rolePermissionMapper = cacheManagerConfiguration.security().authorization().rolePermissionMapper();
        this.rolePermissionMapper = rolePermissionMapper instanceof MutableRolePermissionMapper ? rolePermissionMapper : null;
    }

    @Override // org.infinispan.rest.framework.ResourceHandler
    public Invocations getInvocations() {
        return new Invocations.Builder().invocation().methods(Method.GET).path("/v2/login").withAction("config").anonymous().handleWith(this::loginConfiguration).invocation().methods(Method.GET, Method.POST).deprecated().path("/v2/login").withAction("login").permission(AuthorizationPermission.NONE).name("USER LOGIN").auditContext(AuditContext.SERVER).handleWith(this::login).invocation().methods(Method.GET).deprecated().path("/v2/login").permission(AuthorizationPermission.NONE).name("USER LOGIN").auditContext(AuditContext.SERVER).handleWith(this::login).invocation().methods(Method.GET).path("/v2/security/user/acl").handleWith(this::acl).invocation().method(Method.GET).path("/v2/security/roles").permission(AuthorizationPermission.ADMIN).name("ROLES").auditContext(AuditContext.SERVER).handleWith(this::listAllRoles).invocation().method(Method.GET).path("/v2/security/roles/{principal}").permission(AuthorizationPermission.ADMIN).name("ROLES PRINCIPAL").auditContext(AuditContext.SERVER).handleWith(this::listPrincipalRoles).invocation().method(Method.PUT).path("/v2/security/roles/{principal}").withAction("grant").permission(AuthorizationPermission.ADMIN).name("ROLES GRANT").auditContext(AuditContext.SERVER).handleWith(this::grant).invocation().method(Method.PUT).path("/v2/security/roles/{principal}").withAction("deny").permission(AuthorizationPermission.ADMIN).name("ROLES DENY").auditContext(AuditContext.SERVER).handleWith(this::deny).invocation().methods(Method.POST, Method.PUT).path("/v2/security/permissions/{role}").permission(AuthorizationPermission.ADMIN).name("ROLES CREATE").auditContext(AuditContext.SERVER).handleWith(this::createRole).invocation().method(Method.DELETE).path("/v2/security/permissions/{role}").permission(AuthorizationPermission.ADMIN).name("ROLES DELETE").auditContext(AuditContext.SERVER).handleWith(this::deleteRole).invocation().method(Method.POST).path("/v2/security/cache").withAction("flush").permission(AuthorizationPermission.ADMIN).name("ACL CACHE FLUSH").auditContext(AuditContext.SERVER).handleWith(this::aclCacheFlush).create();
    }

    private CompletionStage<RestResponse> createRole(RestRequest restRequest) {
        NettyRestResponse.Builder builder = new NettyRestResponse.Builder();
        if (this.rolePermissionMapper == null) {
            return CompletableFuture.completedFuture(new NettyRestResponse.Builder().status(HttpResponseStatus.CONFLICT).entity((Object) Log.REST.rolePermissionMapperNotMutable()).build());
        }
        String str = restRequest.variables().get("role");
        List<String> list = restRequest.parameters().get("permission");
        if (list == null) {
            return CompletableFuture.completedFuture(builder.status(HttpResponseStatus.BAD_REQUEST).build());
        }
        return this.rolePermissionMapper.addRole(new CacheRoleImpl(str, true, (Set) list.stream().map(str2 -> {
            return AuthorizationPermission.valueOf(str2.toUpperCase());
        }).collect(Collectors.toSet()))).thenCompose(r5 -> {
            return aclCacheFlush(restRequest);
        });
    }

    private CompletionStage<RestResponse> deleteRole(RestRequest restRequest) {
        if (this.rolePermissionMapper == null) {
            return CompletableFuture.completedFuture(new NettyRestResponse.Builder().status(HttpResponseStatus.CONFLICT).entity((Object) Log.REST.rolePermissionMapperNotMutable()).build());
        }
        return this.rolePermissionMapper.removeRole(restRequest.variables().get("role")).thenCompose(bool -> {
            return aclCacheFlush(restRequest);
        });
    }

    private CompletionStage<RestResponse> aclCacheFlush(RestRequest restRequest) {
        return ((GlobalSecurityManager) SecurityActions.getGlobalComponentRegistry(this.invocationHelper.getRestCacheManager().getInstance()).getComponent(GlobalSecurityManager.class)).flushGlobalACLCache().thenApply(r3 -> {
            return new NettyRestResponse.Builder().status(HttpResponseStatus.NO_CONTENT).build();
        });
    }

    private CompletionStage<RestResponse> deny(RestRequest restRequest) {
        NettyRestResponse.Builder builder = new NettyRestResponse.Builder();
        if (this.principalRoleMapper == null) {
            return CompletableFuture.completedFuture(new NettyRestResponse.Builder().status(HttpResponseStatus.CONFLICT).entity((Object) Log.REST.principalRoleMapperNotMutable()).build());
        }
        String str = restRequest.variables().get("principal");
        List<String> list = restRequest.parameters().get("role");
        if (list == null) {
            return CompletableFuture.completedFuture(builder.status(HttpResponseStatus.BAD_REQUEST).build());
        }
        list.forEach(str2 -> {
            this.principalRoleMapper.deny(str2, str);
        });
        return aclCacheFlush(restRequest);
    }

    private CompletionStage<RestResponse> grant(RestRequest restRequest) {
        NettyRestResponse.Builder builder = new NettyRestResponse.Builder();
        if (this.principalRoleMapper == null) {
            return CompletableFuture.completedFuture(new NettyRestResponse.Builder().status(HttpResponseStatus.CONFLICT).entity((Object) Log.REST.principalRoleMapperNotMutable()).build());
        }
        String str = restRequest.variables().get("principal");
        List<String> list = restRequest.parameters().get("role");
        if (list == null) {
            return CompletableFuture.completedFuture(builder.status(HttpResponseStatus.BAD_REQUEST).build());
        }
        list.forEach(str2 -> {
            this.principalRoleMapper.grant(str2, str);
        });
        return aclCacheFlush(restRequest);
    }

    private CompletionStage<RestResponse> listAllRoles(RestRequest restRequest) {
        GlobalAuthorizationConfiguration authorization = this.invocationHelper.getRestCacheManager().getInstance().getCacheManagerConfiguration().security().authorization();
        if (!authorization.enabled()) {
            throw Log.REST.authorizationNotEnabled();
        }
        Json array = Json.array();
        authorization.roles().entrySet().stream().filter(entry -> {
            return ((Role) entry.getValue()).isInheritable();
        }).forEach(entry2 -> {
            array.add(entry2.getKey());
        });
        return ResourceUtil.asJsonResponseFuture(array, ResourceUtil.isPretty(restRequest));
    }

    private CompletionStage<RestResponse> listPrincipalRoles(RestRequest restRequest) {
        String str = restRequest.variables().get("principal");
        if (this.principalRoleMapper == null) {
            return CompletableFuture.completedFuture(new NettyRestResponse.Builder().status(HttpResponseStatus.CONFLICT).entity((Object) Log.REST.principalRoleMapperNotMutable()).build());
        }
        Json array = Json.array();
        this.principalRoleMapper.list(str).forEach(str2 -> {
            array.add(str2);
        });
        return ResourceUtil.asJsonResponseFuture(array, ResourceUtil.isPretty(restRequest));
    }

    private CompletionStage<RestResponse> acl(RestRequest restRequest) {
        Subject subject = restRequest.getSubject();
        RestCacheManager<Object> restCacheManager = this.invocationHelper.getRestCacheManager();
        Collection<String> cacheNames = restCacheManager.getCacheNames();
        Json object = Json.object();
        if (subject == null) {
            object.set("subject", Json.array());
        } else {
            Json array = Json.array();
            subject.getPrincipals().forEach(principal -> {
                array.add(Json.object().set("name", principal.getName()).set("type", principal.getClass().getSimpleName()));
            });
            object.set("subject", array);
            Authorizer authorizer = restCacheManager.getAuthorizer();
            object.set("global", aclToJson(authorizer.getACL(subject)));
            Json object2 = Json.object();
            object.set("caches", object2);
            for (String str : cacheNames) {
                object2.set(str, aclToJson(authorizer.getACL(subject, SecurityActions.getCacheConfiguration(restCacheManager.getInstance(), str).security().authorization())));
            }
        }
        return ResourceUtil.asJsonResponseFuture(object, ResourceUtil.isPretty(restRequest));
    }

    private Json aclToJson(SubjectACL subjectACL) {
        Json array = Json.array();
        Iterator it = subjectACL.getPermissions().iterator();
        while (it.hasNext()) {
            array.add(((AuthorizationPermission) it.next()).name());
        }
        return array;
    }

    private CompletionStage<RestResponse> loginConfiguration(RestRequest restRequest) {
        return ResourceUtil.asJsonResponseFuture(Json.make(this.invocationHelper.getServer().getLoginConfiguration(this.invocationHelper.getProtocolServer())), ResourceUtil.isPretty(restRequest));
    }

    private CompletionStage<RestResponse> login(RestRequest restRequest) {
        NettyRestResponse.Builder builder = new NettyRestResponse.Builder();
        builder.status(HttpResponseStatus.TEMPORARY_REDIRECT).header("Location", (Object) this.accessGrantedPath);
        return CompletableFuture.completedFuture(builder.build());
    }
}
