package org.kathra.resourcemanager.resource.service.security;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Optional;
import java.util.stream.Collectors;
import java.util.stream.IntStream;
import org.apache.commons.jxpath.JXPathContext;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.commons.lang3.NotImplementedException;
import org.aspectj.lang.JoinPoint;
import org.aspectj.lang.annotation.AfterReturning;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Before;
import org.kathra.core.model.Resource;
import org.kathra.resourcemanager.security.SecurityContext;
import org.kathra.resourcemanager.security.SessionService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.core.DefaultParameterNameDiscoverer;
import org.springframework.stereotype.Component;

@Aspect
@Component
/* loaded from: input_file:org/kathra/resourcemanager/resource/service/security/ResourceSecurityProcessor.class */
public class ResourceSecurityProcessor {

    @Autowired
    private ResourceSecurityService resourceSecurityService;

    @Autowired
    private SessionService sessionSecurity;
    private DefaultParameterNameDiscoverer defaultParameterNameDiscoverer;
    private static final String TARGET_OUTPUT_PREFIX = "output";
    private static final String TARGET_SEPARATOR_JXPATH = "/";

    public ResourceSecurityProcessor() {
        this.defaultParameterNameDiscoverer = new DefaultParameterNameDiscoverer();
    }

    public ResourceSecurityProcessor(ResourceSecurityService resourceSecurityService, SessionService sessionService) {
        this.resourceSecurityService = resourceSecurityService;
        this.sessionSecurity = sessionService;
        this.defaultParameterNameDiscoverer = new DefaultParameterNameDiscoverer();
    }

    public ResourceSecurityProcessor(ResourceSecurityService resourceSecurityService, SessionService sessionService, DefaultParameterNameDiscoverer defaultParameterNameDiscoverer) {
        this.resourceSecurityService = resourceSecurityService;
        this.sessionSecurity = sessionService;
        this.defaultParameterNameDiscoverer = defaultParameterNameDiscoverer;
    }

    @Before("@annotation(ResourceSecured)")
    public void before(JoinPoint joinPoint) throws Throwable {
        ResourceSecured resourceSecured = (ResourceSecured) joinPoint.getSignature().getMethod().getAnnotation(ResourceSecured.class);
        switch (resourceSecured.action()) {
            case VALID:
                Optional<Object> targetFromJoinPoint = getTargetFromJoinPoint(joinPoint, resourceSecured);
                String jXPathFromTarget = getJXPathFromTarget(resourceSecured);
                if (targetFromJoinPoint.isPresent()) {
                    validate(resourceSecured, this.sessionSecurity.get(), jXPathFromTarget == null ? targetFromJoinPoint.get() : getObjectFromXPath(targetFromJoinPoint.get(), jXPathFromTarget));
                    return;
                }
                return;
            case FILTER:
                Optional<Object> targetFromJoinPoint2 = getTargetFromJoinPoint(joinPoint, resourceSecured);
                if (targetFromJoinPoint2.isPresent()) {
                    if (!(targetFromJoinPoint2.get() instanceof List)) {
                        throw new IllegalStateException("Input param object to filter should be a list");
                    }
                    filter(resourceSecured, this.sessionSecurity.get(), (List) targetFromJoinPoint2.get());
                    return;
                }
                return;
            default:
                return;
        }
    }

    private Optional<Object> getTargetFromJoinPoint(JoinPoint joinPoint, ResourceSecured resourceSecured) {
        String[] parameterNames = this.defaultParameterNameDiscoverer.getParameterNames(joinPoint.getSignature().getMethod());
        return IntStream.range(0, parameterNames.length).filter(i -> {
            return parameterNames[i].equals(getRootFromTarget(resourceSecured));
        }).mapToObj(i2 -> {
            return joinPoint.getArgs()[i2];
        }).findFirst();
    }

    private Object getTargetFromOutput(Object obj, ResourceSecured resourceSecured) {
        if (!resourceSecured.target().startsWith(TARGET_OUTPUT_PREFIX)) {
            throw new IllegalStateException("target should start with 'output'");
        }
        Object orElse = obj instanceof Optional ? ((Optional) obj).orElse(null) : obj;
        if (orElse == null) {
            return null;
        }
        String jXPathFromTarget = getJXPathFromTarget(resourceSecured);
        return jXPathFromTarget != null ? getObjectFromXPath(orElse, jXPathFromTarget) : orElse;
    }

    private Object getObjectFromXPath(Object obj, String str) {
        Object value = JXPathContext.newContext(obj).getValue(str);
        if (value == null) {
            throw new IllegalArgumentException("Property from JXPath " + str + " of " + obj.getClass().toString() + "'s instance is null");
        }
        return value;
    }

    @AfterReturning(pointcut = "@annotation(ResourceSecured)", returning = "objectReturned")
    public void after(JoinPoint joinPoint, Object obj) throws Throwable {
        ResourceSecured resourceSecured = (ResourceSecured) joinPoint.getSignature().getMethod().getAnnotation(ResourceSecured.class);
        SecurityContext securityContext = this.sessionSecurity.get();
        switch (resourceSecured.action()) {
            case VALID:
                if (!resourceSecured.target().startsWith(TARGET_OUTPUT_PREFIX) || getTargetFromJoinPoint(joinPoint, resourceSecured).isPresent()) {
                    return;
                }
                validate(resourceSecured, securityContext, getTargetFromOutput(obj, resourceSecured));
                return;
            case FILTER:
                if (!resourceSecured.target().startsWith(TARGET_OUTPUT_PREFIX) || getTargetFromJoinPoint(joinPoint, resourceSecured).isPresent()) {
                    return;
                }
                if (!(obj instanceof List)) {
                    throw new IllegalStateException("Input param object to filter should be a list");
                }
                filter(resourceSecured, this.sessionSecurity.get(), (List) obj);
                return;
            case REGISTER:
                Optional<Object> targetFromJoinPoint = getTargetFromJoinPoint(joinPoint, resourceSecured);
                if (!targetFromJoinPoint.isPresent() && resourceSecured.target().startsWith(TARGET_OUTPUT_PREFIX)) {
                    targetFromJoinPoint = Optional.of(obj);
                }
                if (targetFromJoinPoint.isPresent() && targetFromJoinPoint.get().getClass().isAssignableFrom(resourceSecured.clazz())) {
                    this.resourceSecurityService.grantAccess(securityContext, (Resource) targetFromJoinPoint.get(), resourceSecured.scopes());
                    return;
                }
                return;
            case UNREGISTER:
                Optional<Object> targetFromJoinPoint2 = getTargetFromJoinPoint(joinPoint, resourceSecured);
                if (!targetFromJoinPoint2.isPresent() && resourceSecured.target().startsWith(TARGET_OUTPUT_PREFIX)) {
                    targetFromJoinPoint2 = Optional.of(obj);
                }
                if (targetFromJoinPoint2.isPresent() && targetFromJoinPoint2.get().getClass().isAssignableFrom(resourceSecured.clazz())) {
                    this.resourceSecurityService.revokeAccess(securityContext, (Resource) targetFromJoinPoint2.get());
                    return;
                }
                return;
            default:
                return;
        }
    }

    private void validate(ResourceSecured resourceSecured, SecurityContext securityContext, Object obj) throws Exception {
        if ((obj instanceof Resource) && obj.getClass().isAssignableFrom(resourceSecured.clazz())) {
            checkResource(resourceSecured, securityContext, (Resource) obj);
            return;
        }
        if (!(obj instanceof List)) {
            if (!(obj instanceof String)) {
                if (obj != null) {
                    throw new NotImplementedException("Not implemented ! ");
                }
                return;
            } else {
                Resource newInstance = resourceSecured.clazz().getConstructor(new Class[0]).newInstance(new Object[0]);
                newInstance.setId((String) obj);
                checkResource(resourceSecured, securityContext, newInstance);
                return;
            }
        }
        List<String> identifiersAuthorized = getIdentifiersAuthorized(securityContext, resourceSecured.scopes(), resourceSecured.clazz());
        for (Object obj2 : (List) obj) {
            if ((obj2 instanceof Resource) && obj2.getClass().isAssignableFrom(resourceSecured.clazz()) && !identifiersAuthorized.contains(((Resource) obj2).getId())) {
                throw new IllegalAccessException("Access denied for resource " + ((Resource) obj2).getId());
            }
        }
    }

    private String getRootFromTarget(ResourceSecured resourceSecured) {
        return resourceSecured.target().split(TARGET_SEPARATOR_JXPATH)[0];
    }

    private String getJXPathFromTarget(ResourceSecured resourceSecured) {
        String[] split = resourceSecured.target().split(TARGET_SEPARATOR_JXPATH);
        if (split.length > 1) {
            return String.join(".", (CharSequence[]) ArrayUtils.remove(split, 0));
        }
        return null;
    }

    private void filter(ResourceSecured resourceSecured, SecurityContext securityContext, List list) throws Exception {
        Resource newInstance;
        ArrayList arrayList = new ArrayList();
        String jXPathFromTarget = getJXPathFromTarget(resourceSecured);
        HashMap hashMap = new HashMap();
        for (Object obj : list) {
            Object objectFromXPath = jXPathFromTarget == null ? obj : getObjectFromXPath(obj, jXPathFromTarget);
            if (objectFromXPath instanceof String) {
                newInstance = resourceSecured.clazz().getConstructor(new Class[0]).newInstance(new Object[0]);
                newInstance.setId((String) objectFromXPath);
            } else if (objectFromXPath instanceof Resource) {
                newInstance = (Resource) objectFromXPath;
            }
            Class<? extends Resource> clazz = resourceSecured.clazz();
            if (!hashMap.containsKey(clazz)) {
                hashMap.put(clazz, getIdentifiersAuthorized(securityContext, resourceSecured.scopes(), clazz));
            }
            if (!((List) hashMap.get(clazz)).contains(newInstance.getId())) {
                arrayList.add(obj);
            }
        }
        list.removeAll(arrayList);
    }

    private List<String> getIdentifiersAuthorized(SecurityContext securityContext, Scope[] scopeArr, Class cls) throws Exception {
        ArrayList arrayList = new ArrayList();
        for (Scope scope : scopeArr) {
            List<String> idsAuthorized = this.resourceSecurityService.getIdsAuthorized(securityContext, cls, scope);
            if (arrayList.isEmpty()) {
                arrayList.addAll(idsAuthorized);
            } else {
                arrayList.removeAll((List) arrayList.parallelStream().filter(str -> {
                    return idsAuthorized.stream().noneMatch(str -> {
                        return str.equals(str);
                    });
                }).collect(Collectors.toList()));
            }
        }
        return arrayList;
    }

    private void checkResource(ResourceSecured resourceSecured, SecurityContext securityContext, Resource resource) throws Exception {
        for (Scope scope : resourceSecured.scopes()) {
            if (!this.resourceSecurityService.isAuthorized(securityContext, resource, scope)) {
                throw new IllegalAccessException("Access denied (scope:" + scope + ") for resource " + resource.getId());
            }
        }
    }
}
