package org.restheart.security.authorizers;

import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import com.mongodb.client.FindIterable;
import com.mongodb.client.MongoClient;
import com.mongodb.client.model.Filters;
import io.undertow.predicate.Predicate;
import io.undertow.security.idm.Account;
import io.undertow.server.HttpServerExchange;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.TreeMap;
import java.util.stream.Stream;
import java.util.stream.StreamSupport;
import org.bson.BsonDocument;
import org.bson.BsonObjectId;
import org.restheart.ConfigurationException;
import org.restheart.cache.Cache;
import org.restheart.cache.CacheFactory;
import org.restheart.cache.LoadingCache;
import org.restheart.exchange.Request;
import org.restheart.mongodb.ConnectionChecker;
import org.restheart.plugins.ConfigurablePlugin;
import org.restheart.plugins.InjectConfiguration;
import org.restheart.plugins.InjectMongoClient;
import org.restheart.plugins.InjectPluginsRegistry;
import org.restheart.plugins.PluginsRegistry;
import org.restheart.plugins.RegisterPlugin;
import org.restheart.plugins.security.Authorizer;
import org.restheart.security.BaseAclPermission;
import org.restheart.security.MongoPermissions;
import org.restheart.security.utils.MongoUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@RegisterPlugin(name = "mongoAclAuthorizer", description = "authorizes requests against acl stored in mongodb")
/* loaded from: input_file:org/restheart/security/authorizers/MongoAclAuthorizer.class */
public class MongoAclAuthorizer implements Authorizer {
    public static final String X_FORWARDED_ACCOUNT_ID = "rhAuthenticator";
    public static final String X_FORWARDED_ROLE = "RESTHeart";
    public static final String ACL_COLLECTION_NAME = "acl";
    public static final String $UNAUTHENTICATED = "$unauthenticated";
    String aclDb;
    String aclCollection;
    private String rootRole = null;
    private boolean cacheEnabled = false;
    private Integer cacheSize = 1000;
    private Integer cacheTTL = 60000;
    private Cache.EXPIRE_POLICY cacheExpirePolicy = Cache.EXPIRE_POLICY.AFTER_WRITE;
    private LoadingCache<String, LinkedHashSet<MongoAclPermission>> acl = null;
    private MongoClient mclient;
    private PluginsRegistry registry;
    private static final Logger LOGGER = LoggerFactory.getLogger(MongoAclAuthorizer.class);
    private static final BsonDocument PROJECTION = BsonDocument.parse("{\"_id\":1,\"roles\":1,\"predicate\":1,\"writeFilter\":1,\"readFilter\":1,\"priority\":1,\"mongo\":1}");
    private static final BsonDocument SORT = BsonDocument.parse("{\"priority\":-1,\"_id\":-1}");

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/restheart/security/authorizers/MongoAclAuthorizer$NotAuthenticatedAccount.class */
    public static class NotAuthenticatedAccount implements Account {
        private static final long serialVersionUID = -5208703681313492952L;

        private NotAuthenticatedAccount() {
        }

        public Principal getPrincipal() {
            return null;
        }

        public Set<String> getRoles() {
            return Sets.newHashSet(new String[]{"$unauthenticated"});
        }
    }

    @InjectConfiguration
    public void initConfiguration(Map<String, Object> map) {
        this.aclDb = (String) ConfigurablePlugin.argValue(map, "acl-db");
        this.aclCollection = (String) ConfigurablePlugin.argValue(map, "acl-collection");
        this.rootRole = (String) ConfigurablePlugin.argValue(map, "root-role");
        if (map == null || !map.containsKey("cache-enabled")) {
            return;
        }
        this.cacheEnabled = ((Boolean) ConfigurablePlugin.argValue(map, "cache-enabled")).booleanValue();
        if (this.cacheEnabled) {
            this.cacheSize = (Integer) ConfigurablePlugin.argValue(map, "cache-size");
            this.cacheTTL = (Integer) ConfigurablePlugin.argValue(map, "cache-ttl");
            String str = (String) ConfigurablePlugin.argValue(map, "cache-expire-policy");
            if (str != null) {
                try {
                    this.cacheExpirePolicy = Cache.EXPIRE_POLICY.valueOf(str);
                } catch (IllegalArgumentException e) {
                    throw new ConfigurationException("wrong configuration file format. cache-expire-policy valid values are " + Arrays.toString(Cache.EXPIRE_POLICY.values()));
                }
            }
            this.acl = CacheFactory.createLocalLoadingCache(this.cacheSize.intValue(), this.cacheExpirePolicy, this.cacheTTL.intValue(), str2 -> {
                return findRolePermissions(str2);
            });
        }
    }

    @InjectMongoClient
    public void initMongoClient(MongoClient mongoClient) {
        this.mclient = mongoClient;
        try {
            if (!checkAclCollection()) {
                LOGGER.error("ACL collection does not exist and could not be created");
            }
        } catch (IllegalStateException e) {
            LOGGER.error(e.getMessage());
        }
    }

    @InjectPluginsRegistry
    public void initRegistry(PluginsRegistry pluginsRegistry) {
        this.registry = pluginsRegistry;
    }

    public boolean isAllowed(Request<?> request) {
        if (request.isOptions()) {
            return true;
        }
        HttpServerExchange exchange = request.getExchange();
        if (this.rootRole != null && exchange.getSecurityContext() != null && exchange.getSecurityContext().getAuthenticatedAccount() != null && exchange.getSecurityContext().getAuthenticatedAccount().getRoles().contains(this.rootRole)) {
            LOGGER.debug("allow request for root user {}", exchange.getSecurityContext().getAuthenticatedAccount().getPrincipal().getName());
            HashSet newHashSet = Sets.newHashSet();
            newHashSet.add(this.rootRole);
            exchange.putAttachment(BaseAclPermission.MATCHING_ACL_PERMISSION, new MongoAclPermission(new BsonObjectId(), "path-prefix('/')", newHashSet, Integer.MAX_VALUE, new BsonDocument("mongo", MongoPermissions.ALLOW_ALL_MONGO_PERMISSIONS.asBson())));
            return true;
        }
        if (exchange.getAttachment(Predicate.PREDICATE_CONTEXT) == null) {
            exchange.putAttachment(Predicate.PREDICATE_CONTEXT, new TreeMap());
        }
        exchange.setRelativePath(exchange.getRequestPath());
        ArrayList arrayList = new ArrayList();
        if (LOGGER.isDebugEnabled()) {
            roles(exchange).forEachOrdered(str -> {
                ArrayList newArrayListWithCapacity = Lists.newArrayListWithCapacity(1);
                rolePermissions(str).stream().anyMatch(mongoAclPermission -> {
                    Object obj;
                    boolean allow = mongoAclPermission.allow(request);
                    if (allow && newArrayListWithCapacity.isEmpty()) {
                        newArrayListWithCapacity.add(mongoAclPermission);
                        obj = "<--";
                    } else {
                        obj = "";
                    }
                    LOGGER.debug("role {}, permission id {}, resolve {} {}", new Object[]{str, mongoAclPermission.getId(), Boolean.valueOf(allow), obj});
                    return false;
                });
            });
        }
        roles(exchange).forEachOrdered(str2 -> {
            rolePermissions(str2).stream().anyMatch(mongoAclPermission -> {
                if (!mongoAclPermission.allow(request)) {
                    return false;
                }
                arrayList.add(mongoAclPermission);
                return true;
            });
        });
        if (arrayList.isEmpty()) {
            return false;
        }
        exchange.putAttachment(BaseAclPermission.MATCHING_ACL_PERMISSION, (BaseAclPermission) arrayList.get(0));
        return true;
    }

    public boolean isAuthenticationRequired(Request request) {
        if (request.isOptions()) {
            return false;
        }
        HttpServerExchange exchange = request.getExchange();
        LinkedHashSet<MongoAclPermission> rolePermissions = rolePermissions("$unauthenticated");
        if (rolePermissions == null) {
            return true;
        }
        if (exchange.getAttachment(Predicate.PREDICATE_CONTEXT) == null) {
            exchange.putAttachment(Predicate.PREDICATE_CONTEXT, new TreeMap());
        }
        exchange.setRelativePath(request.getPath());
        return !rolePermissions.stream().anyMatch(mongoAclPermission -> {
            return mongoAclPermission.allow(request);
        });
    }

    private Stream<String> roles(HttpServerExchange httpServerExchange) {
        return account(httpServerExchange).getRoles().stream();
    }

    private Account account(HttpServerExchange httpServerExchange) {
        Account authenticatedAccount = httpServerExchange.getSecurityContext().getAuthenticatedAccount();
        return isAuthenticated(authenticatedAccount) ? authenticatedAccount : new NotAuthenticatedAccount();
    }

    private boolean isAuthenticated(Account account) {
        return account != null;
    }

    public LinkedHashSet<MongoAclPermission> rolePermissions(String str) {
        if (!this.cacheEnabled) {
            return findRolePermissions(str);
        }
        Optional loading = this.acl.getLoading(str);
        if (loading == null || !loading.isPresent()) {
            return null;
        }
        return (LinkedHashSet) loading.get();
    }

    private LinkedHashSet<MongoAclPermission> findRolePermissions(String str) {
        if (this.mclient == null) {
            LOGGER.error("Cannot find acl: mongo service is not enabled.");
            return null;
        }
        FindIterable sort = this.mclient.getDatabase(this.aclDb).getCollection(this.aclCollection, BsonDocument.class).find(Filters.eq("roles", str)).projection(PROJECTION).sort(SORT);
        if (sort == null) {
            return new LinkedHashSet<>();
        }
        LinkedHashSet<MongoAclPermission> newLinkedHashSet = Sets.newLinkedHashSet();
        StreamSupport.stream(sort.spliterator(), true).filter(bsonDocument -> {
            return bsonDocument.isDocument();
        }).map(bsonDocument2 -> {
            return bsonDocument2.asDocument();
        }).filter(bsonDocument3 -> {
            try {
                MongoAclPermission.build(bsonDocument3);
                return true;
            } catch (IllegalArgumentException e) {
                LOGGER.warn("invalid permission _id={}: {}", bsonDocument3.get("_id"), e);
                return false;
            }
        }).map(bsonDocument4 -> {
            return MongoAclPermission.build(bsonDocument4);
        }).forEachOrdered(mongoAclPermission -> {
            this.registry.getPermissionTransformers().stream().forEach(baseAclPermissionTransformer -> {
                baseAclPermissionTransformer.transform(mongoAclPermission);
            });
            newLinkedHashSet.add(mongoAclPermission);
        });
        newLinkedHashSet.forEach(mongoAclPermission2 -> {
            this.registry.getPermissionTransformers().stream().forEach(baseAclPermissionTransformer -> {
                baseAclPermissionTransformer.transform(mongoAclPermission2);
            });
        });
        return newLinkedHashSet;
    }

    public boolean checkAclCollection() throws IllegalStateException {
        if (this.mclient == null) {
            throw new IllegalStateException("Cannot check acl collection: mongo service is not enabled.");
        }
        if (!ConnectionChecker.connected(this.mclient)) {
            throw new IllegalStateException("Cannot check acl collection: MongoDB not connected.");
        }
        try {
            MongoUtils mongoUtils = new MongoUtils(this.mclient);
            if (!mongoUtils.doesDbExist(this.aclDb)) {
                mongoUtils.createDb(this.aclDb);
            }
            if (!mongoUtils.doesCollectionExist(this.aclDb, this.aclCollection)) {
                mongoUtils.createCollection(this.aclDb, this.aclCollection);
            }
            return true;
        } catch (Throwable th) {
            LOGGER.error("Error creating acl collection", th);
            return false;
        }
    }
}
