package org.restheart.security.plugins.authorizers;

import com.google.common.collect.Sets;
import io.undertow.predicate.Predicate;
import io.undertow.predicate.PredicateParser;
import io.undertow.security.idm.Account;
import io.undertow.server.HttpServerExchange;
import java.io.FileNotFoundException;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.function.Consumer;
import java.util.stream.Stream;
import org.restheart.ConfigurationException;
import org.restheart.exchange.Request;
import org.restheart.plugins.ConfigurablePlugin;
import org.restheart.plugins.FileConfigurablePlugin;
import org.restheart.plugins.InjectConfiguration;
import org.restheart.plugins.RegisterPlugin;
import org.restheart.plugins.security.Authorizer;
import org.restheart.utils.LambdaUtils;

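/**
 * Authorizer that decides requests against an ACL loaded from a configuration file.
 *
 * <p>The ACL maps a role name to a set of Undertow {@link Predicate}s. A request is allowed
 * when at least one predicate registered for at least one of the caller's roles resolves
 * to {@code true} for the exchange. Anything not matched is denied (default deny).
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Predicates are parsed from the configuration file with {@link PredicateParser}, so the
 *       file must be treated as trusted input and protected like any other access-control
 *       policy.</li>
 *   <li>The ACL map is a plain {@link HashMap}. It is written only while configuration entries
 *       are consumed; the request path ({@link #isAllowed} and
 *       {@link #isAuthenticationRequired}) only reads it. NOTE(review): this assumes the
 *       configuration is fully loaded before requests are served - confirm against the
 *       plugin lifecycle.</li>
 *   <li>{@link #getAcl()} hands out the live map; callers must not modify it while requests
 *       are being authorized.</li>
 * </ul>
 */
@RegisterPlugin(name = "fileAclAuthorizer", description = "authorizes requests according to acl defined in a configuration file", enabledByDefault = false)
public class FileAclAuthorizer extends FileConfigurablePlugin implements Authorizer {
    /** Role name -> predicates that grant access to that role. */
    private final HashMap<String, Set<Predicate>> acl = new HashMap<>();

    /**
     * Stand-in account used when the exchange carries no authenticated account.
     * It has no principal and exactly one role, {@code MongoAclAuthorizer.$UNAUTHENTICATED},
     * so unauthenticated callers are evaluated through the same ACL lookup as everyone else.
     */
    public static class NotAuthenticatedAccount implements Account {
        private static final long serialVersionUID = 3124L;

        private NotAuthenticatedAccount() {
        }

        /**
         * @return always {@code null}: an unauthenticated caller has no principal
         */
        public Principal getPrincipal() {
            return null;
        }

        /**
         * @return a new mutable set holding only the unauthenticated pseudo-role
         */
        public Set<String> getRoles() {
            return Sets.newHashSet(MongoAclAuthorizer.$UNAUTHENTICATED);
        }
    }

    /**
     * Entry point for the injected plugin configuration; delegates to the two-argument
     * {@code init} with the {@code "permissions"} key.
     *
     * @param map the plugin configuration arguments
     * @throws FileNotFoundException declared by the delegate; presumably raised when the ACL
     *         file is missing - TODO confirm in FileConfigurablePlugin
     * @throws ConfigurationException when the configuration is invalid
     */
    @InjectConfiguration
    public void init(Map<String, Object> map) throws FileNotFoundException, ConfigurationException {
        init(map, "permissions");
    }

    /**
     * Builds the consumer applied to each permission entry of the configuration.
     *
     * <p>Each entry must provide a {@code role} and a {@code predicate}; the predicate string is
     * parsed and added to the set of predicates for that role. An unparsable predicate aborts
     * loading with a {@link ConfigurationException} rather than being skipped, so a broken rule
     * can never silently change the effective policy.
     *
     * @return consumer that registers one ACL entry
     */
    public Consumer<? super Map<String, Object>> consumeConfiguration() {
        return map -> {
            try {
                String role = (String) ConfigurablePlugin.argValue(map, "role");
                String predicateText = (String) ConfigurablePlugin.argValue(map, "predicate");
                try {
                    aclForRole(role).add(PredicateParser.parse(predicateText, getClass().getClassLoader()));
                } catch (Throwable th) {
                    // Throwable is kept from the original: any failure while parsing a rule is
                    // reported as a configuration error with the offending predicate text.
                    throw new ConfigurationException("wrong configuration: Invalid predicate " + predicateText, th);
                }
            } catch (ConfigurationException e) {
                // The lambda cannot declare the checked exception, so it is rethrown sneakily.
                LambdaUtils.throwsSneakyExcpetion(e);
            }
        };
    }

    /**
     * Decides whether the request is authorized.
     *
     * <p>The lookup is read-only. The previous implementation went through
     * {@link #aclForRole(String)}, which inserts an empty set for every role it has not seen;
     * that made every request carrying a role absent from the file write to the shared,
     * unsynchronized {@link HashMap} from the request path.
     *
     * @param request the request being authorized
     * @return {@code true} if any predicate of any role held by the caller resolves for the
     *         exchange; {@code false} otherwise, including when no ACL is available
     */
    public boolean isAllowed(Request request) {
        if (noAclDefined()) {
            return false;
        }
        HttpServerExchange exchange = request.getExchange();
        preparePredicateContext(exchange);
        return roles(exchange).anyMatch(role -> anyPredicateMatches(role, exchange));
    }

    /**
     * Tells whether the request must be authenticated before it is authorized.
     *
     * <p>OPTIONS requests never require authentication. For any other request, authentication
     * is required unless a predicate registered for the unauthenticated pseudo-role resolves
     * for the exchange.
     *
     * @param request the incoming request
     * @return {@code false} if the request may proceed without authentication
     */
    public boolean isAuthenticationRequired(Request request) {
        if (request.isOptions()) {
            return false;
        }
        if (getAcl() == null) {
            return true;
        }
        Set<Predicate> unauthenticatedRules = getAcl().get(MongoAclAuthorizer.$UNAUTHENTICATED);
        if (unauthenticatedRules == null) {
            // No rule opens anything to unauthenticated callers: always authenticate.
            return true;
        }
        HttpServerExchange exchange = request.getExchange();
        preparePredicateContext(exchange);
        return unauthenticatedRules.stream().noneMatch(predicate -> predicate.resolve(exchange));
    }

    /**
     * Makes the exchange ready for predicate evaluation: ensures a predicate context is
     * attached and sets the relative path to the full request path, so the ACL predicates
     * are evaluated against the full request path.
     */
    private void preparePredicateContext(HttpServerExchange exchange) {
        if (exchange.getAttachment(Predicate.PREDICATE_CONTEXT) == null) {
            exchange.putAttachment(Predicate.PREDICATE_CONTEXT, new TreeMap<>());
        }
        exchange.setRelativePath(exchange.getRequestPath());
    }

    /**
     * Read-only check of one role against the ACL; a role with no entry matches nothing.
     */
    private boolean anyPredicateMatches(String role, HttpServerExchange exchange) {
        Set<Predicate> predicates = getAcl().get(role);
        return predicates != null && predicates.stream().anyMatch(predicate -> predicate.resolve(exchange));
    }

    /** Roles of the caller, or the unauthenticated pseudo-role when there is no account. */
    private Stream<String> roles(HttpServerExchange httpServerExchange) {
        return account(httpServerExchange).getRoles().stream();
    }

    /**
     * The backing field is final and always initialised, so this is only {@code true} when a
     * subclass overrides {@link #getAcl()} to return {@code null}. An empty ACL is not caught
     * here; it simply matches no request.
     */
    private boolean noAclDefined() {
        return getAcl() == null;
    }

    /**
     * Returns the predicate set for a role, creating and registering an empty one if absent.
     * This mutates the ACL and is meant for configuration loading only; request-time lookups
     * must go through {@link #anyPredicateMatches(String, HttpServerExchange)}.
     */
    private Set<Predicate> aclForRole(String str) {
        return getAcl().computeIfAbsent(str, key -> Sets.newHashSet());
    }

    /** The authenticated account of the exchange, or a {@link NotAuthenticatedAccount}. */
    private Account account(HttpServerExchange httpServerExchange) {
        Account authenticatedAccount = httpServerExchange.getSecurityContext().getAuthenticatedAccount();
        return isAuthenticated(authenticatedAccount) ? authenticatedAccount : new NotAuthenticatedAccount();
    }

    private boolean isAuthenticated(Account account) {
        return account != null;
    }

    /**
     * @return the live ACL map (not a copy); treat it as read-only once requests are served
     */
    public HashMap<String, Set<Predicate>> getAcl() {
        return this.acl;
    }
}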
